patches for 4.19
authorSasha Levin <sashal@kernel.org>
Thu, 13 Dec 2018 15:21:13 +0000 (10:21 -0500)
committerSasha Levin <sashal@kernel.org>
Thu, 13 Dec 2018 15:21:13 +0000 (10:21 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
112 files changed:
queue-4.19/acpi-iort-fix-iort_get_platform_device_domain-uninit.patch [new file with mode: 0644]
queue-4.19/afs-fix-validation-callback-interaction.patch [new file with mode: 0644]
queue-4.19/aio-fix-failure-to-put-the-file-pointer.patch [new file with mode: 0644]
queue-4.19/alsa-usb-audio-add-vendor-and-product-name-for-dell-.patch [new file with mode: 0644]
queue-4.19/arm-dts-am3517-fix-pinmuxing-for-cd-on-mmc1.patch [new file with mode: 0644]
queue-4.19/arm-dts-am3517-som-fix-wl127x-wifi-interrupt.patch [new file with mode: 0644]
queue-4.19/arm-dts-at91-sama5d2-use-the-divided-clock-for-smc.patch [new file with mode: 0644]
queue-4.19/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch [new file with mode: 0644]
queue-4.19/arm-dts-logicpd-torpedo-fix-mmc3_dat1-interrupt.patch [new file with mode: 0644]
queue-4.19/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch [new file with mode: 0644]
queue-4.19/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch [new file with mode: 0644]
queue-4.19/arm64-dts-sdm845-mtp-reserve-reserved-gpios.patch [new file with mode: 0644]
queue-4.19/asoc-acpi-fix-continue-searching-when-machine-is-ign.patch [new file with mode: 0644]
queue-4.19/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch [new file with mode: 0644]
queue-4.19/asoc-intel-power-down-links-before-turning-off-displ.patch [new file with mode: 0644]
queue-4.19/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch [new file with mode: 0644]
queue-4.19/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch [new file with mode: 0644]
queue-4.19/asoc-omap-mcbsp-fix-latency-value-calculation-for-pm.patch [new file with mode: 0644]
queue-4.19/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch [new file with mode: 0644]
queue-4.19/asoc-qcom-set-dai_link-id-to-each-dai_link.patch [new file with mode: 0644]
queue-4.19/asoc-qdsp6-q6afe-dai-fix-the-dai-widgets.patch [new file with mode: 0644]
queue-4.19/asoc-qdsp6-q6afe-fix-wrong-mi2s-sd-line-mask.patch [new file with mode: 0644]
queue-4.19/asoc-rockchip-add-missing-slave_config-setting-for-i.patch [new file with mode: 0644]
queue-4.19/asoc-rsnd-fixup-clock-start-checker.patch [new file with mode: 0644]
queue-4.19/asoc-sun8i-codec-fix-crash-on-module-removal.patch [new file with mode: 0644]
queue-4.19/asoc-wm_adsp-fix-dma-unsafe-read-of-scratch-register.patch [new file with mode: 0644]
queue-4.19/bpf-allocate-local-storage-buffers-using-gfp_atomic.patch [new file with mode: 0644]
queue-4.19/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch [new file with mode: 0644]
queue-4.19/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch [new file with mode: 0644]
queue-4.19/cachefiles-explicitly-cast-enumerated-type-in-put_ob.patch [new file with mode: 0644]
queue-4.19/cachefiles-fix-an-assertion-failure-when-trying-to-u.patch [new file with mode: 0644]
queue-4.19/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch [new file with mode: 0644]
queue-4.19/debugobjects-avoid-recursive-calls-with-kmemleak.patch [new file with mode: 0644]
queue-4.19/drm-amdgpu-add-delay-after-enable-rlc-ucode.patch [new file with mode: 0644]
queue-4.19/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch [new file with mode: 0644]
queue-4.19/drm-meson-add-support-for-1080p25-mode.patch [new file with mode: 0644]
queue-4.19/exportfs-do-not-read-dentry-after-free.patch [new file with mode: 0644]
queue-4.19/fscache-cachefiles-remove-redundant-variable-cache.patch [new file with mode: 0644]
queue-4.19/fscache-fix-race-between-enablement-and-dropping-of-.patch [new file with mode: 0644]
queue-4.19/fscache-fix-race-in-fscache_op_complete-due-to-split.patch [new file with mode: 0644]
queue-4.19/fsi-master-ast-cf-select-generic_allocator.patch [new file with mode: 0644]
queue-4.19/hfs-do-not-free-node-before-using.patch [new file with mode: 0644]
queue-4.19/hfsplus-do-not-free-node-before-using.patch [new file with mode: 0644]
queue-4.19/hwmon-ina2xx-fix-current-value-calculation.patch [new file with mode: 0644]
queue-4.19/hwmon-ina2xx-fix-null-id-pointer-in-probe.patch [new file with mode: 0644]
queue-4.19/hwmon-mlxreg-fan-fix-macros-for-tacho-fault-reading.patch [new file with mode: 0644]
queue-4.19/hwmon-raspberrypi-fix-initial-notify.patch [new file with mode: 0644]
queue-4.19/hwmon-w83795-temp4_type-has-writable-permission.patch [new file with mode: 0644]
queue-4.19/ib-mlx5-fix-page-fault-handling-for-mw.patch [new file with mode: 0644]
queue-4.19/igb-fix-uninitialized-variables.patch [new file with mode: 0644]
queue-4.19/initramfs-clean-old-path-before-creating-a-hardlink.patch [new file with mode: 0644]
queue-4.19/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch [new file with mode: 0644]
queue-4.19/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch [new file with mode: 0644]
queue-4.19/kernel-kcov.c-mark-funcs-in-__sanitizer_cov_trace_pc.patch [new file with mode: 0644]
queue-4.19/kvm-vmx-update-shared-msrs-to-be-saved-restored-on-m.patch [new file with mode: 0644]
queue-4.19/kvm-x86-fix-empty-body-warnings.patch [new file with mode: 0644]
queue-4.19/mm-page_alloc.c-fix-calculation-of-pgdat-nr_zones.patch [new file with mode: 0644]
queue-4.19/net-hisilicon-remove-unexpected-free_netdev.patch [new file with mode: 0644]
queue-4.19/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch [new file with mode: 0644]
queue-4.19/netfilter-add-missing-error-handling-code-for-regist.patch [new file with mode: 0644]
queue-4.19/netfilter-ipv6-preserve-link-scope-traffic-original-.patch [new file with mode: 0644]
queue-4.19/netfilter-nat-fix-double-register-in-masquerade-modu.patch [new file with mode: 0644]
queue-4.19/netfilter-nf_conncount-fix-list_del-corruption-in-co.patch [new file with mode: 0644]
queue-4.19/netfilter-nf_conncount-fix-unexpected-permanent-node.patch [new file with mode: 0644]
queue-4.19/netfilter-nf_conncount-remove-wrong-condition-check-.patch [new file with mode: 0644]
queue-4.19/netfilter-nf_conncount-use-spin_lock_bh-instead-of-s.patch [new file with mode: 0644]
queue-4.19/netfilter-nf_tables-deactivate-expressions-in-rule-r.patch [new file with mode: 0644]
queue-4.19/netfilter-nf_tables-don-t-skip-inactive-chains-durin.patch [new file with mode: 0644]
queue-4.19/netfilter-nf_tables-fix-use-after-free-when-deleting.patch [new file with mode: 0644]
queue-4.19/netfilter-xt_hashlimit-fix-a-possible-memory-leak-in.patch [new file with mode: 0644]
queue-4.19/netfilter-xt_rateest-remove-netns-exit-routine.patch [new file with mode: 0644]
queue-4.19/nvme-flush-namespace-scanning-work-just-before-remov.patch [new file with mode: 0644]
queue-4.19/nvme-rdma-fix-double-freeing-of-async-event-data.patch [new file with mode: 0644]
queue-4.19/nvme-warn-when-finding-multi-port-subsystems-without.patch [new file with mode: 0644]
queue-4.19/objtool-fix-double-free-in-.cold-detection-error-pat.patch [new file with mode: 0644]
queue-4.19/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch [new file with mode: 0644]
queue-4.19/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch [new file with mode: 0644]
queue-4.19/ocfs2-fix-potential-use-after-free.patch [new file with mode: 0644]
queue-4.19/pci-imx6-fix-link-training-status-detection-in-link-.patch [new file with mode: 0644]
queue-4.19/perf-tools-fix-crash-on-synthesizing-the-unit.patch [new file with mode: 0644]
queue-4.19/perf-tools-restore-proper-cwd-on-return-from-mnt-nam.patch [new file with mode: 0644]
queue-4.19/phy-qcom-qusb2-fix-hstx_trim-tuning-with-fused-value.patch [new file with mode: 0644]
queue-4.19/phy-qcom-qusb2-use-hstx_trim-fused-value-as-is.patch [new file with mode: 0644]
queue-4.19/proc-fixup-map_files-test-on-arm.patch [new file with mode: 0644]
queue-4.19/pstore-ram-correctly-calculate-usable-prz-bytes.patch [new file with mode: 0644]
queue-4.19/pvcalls-front-fixes-incorrect-error-handling.patch [new file with mode: 0644]
queue-4.19/rdma-bnxt_re-avoid-accessing-the-device-structure-af.patch [new file with mode: 0644]
queue-4.19/rdma-bnxt_re-fix-system-hang-when-registration-with-.patch [new file with mode: 0644]
queue-4.19/rdma-core-add-gids-while-changing-mac-addr-only-for-.patch [new file with mode: 0644]
queue-4.19/rdma-hns-bugfix-pbl-configuration-for-rereg-mr.patch [new file with mode: 0644]
queue-4.19/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch [new file with mode: 0644]
queue-4.19/rdma-rdmavt-fix-rvt_create_ah-function-signature.patch [new file with mode: 0644]
queue-4.19/revert-xen-balloon-mark-unallocated-host-memory-as-u.patch [new file with mode: 0644]
queue-4.19/s390-cio-fix-cleanup-of-pfn_array-alloc-failure.patch [new file with mode: 0644]
queue-4.19/s390-cio-fix-cleanup-when-unsupported-ida-format-is-.patch [new file with mode: 0644]
queue-4.19/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch [new file with mode: 0644]
queue-4.19/selftests-add-script-to-stress-test-nft-packet-path-.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/spi-omap2-mcspi-add-missing-suspend-and-resume-calls.patch [new file with mode: 0644]
queue-4.19/staging-rtl8723bs-fix-the-return-value-in-case-of-er.patch [new file with mode: 0644]
queue-4.19/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch [new file with mode: 0644]
queue-4.19/thunderbolt-prevent-root-port-runtime-suspend-during.patch [new file with mode: 0644]
queue-4.19/tools-bpftool-fix-potential-null-pointer-dereference.patch [new file with mode: 0644]
queue-4.19/tools-bpftool-prevent-infinite-loop-in-get_fdinfo.patch [new file with mode: 0644]
queue-4.19/usb-gadget-u_ether-fix-unsafe-list-iteration.patch [new file with mode: 0644]
queue-4.19/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch [new file with mode: 0644]
queue-4.19/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch [new file with mode: 0644]
queue-4.19/usb-omap_udc-fix-rejection-of-out-transfers-when-dma.patch [new file with mode: 0644]
queue-4.19/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch [new file with mode: 0644]
queue-4.19/usb-omap_udc-use-devm_request_irq.patch [new file with mode: 0644]
queue-4.19/x86-kvm-vmx-fix-old-style-function-declaration.patch [new file with mode: 0644]
queue-4.19/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch [new file with mode: 0644]

diff --git a/queue-4.19/acpi-iort-fix-iort_get_platform_device_domain-uninit.patch b/queue-4.19/acpi-iort-fix-iort_get_platform_device_domain-uninit.patch
new file mode 100644 (file)
index 0000000..978b43a
--- /dev/null
@@ -0,0 +1,54 @@
+From eb33c358a1aab43a70edad48d37279c9a3a24f8b Mon Sep 17 00:00:00 2001
+From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Date: Thu, 29 Nov 2018 09:55:59 +0000
+Subject: ACPI/IORT: Fix iort_get_platform_device_domain() uninitialized
+ pointer value
+
+[ Upstream commit ea2412dc21cc790335d319181dddc43682aef164 ]
+
+Running the Clang static analyzer on IORT code detected the following
+error:
+
+Logic error: Branch condition evaluates to a garbage value
+
+in
+
+iort_get_platform_device_domain()
+
+If the named component associated with a given device has no IORT
+mappings, iort_get_platform_device_domain() exits its MSI mapping loop
+with msi_parent pointer containing garbage, which can lead to erroneous
+code path execution.
+
+Initialize the msi_parent pointer, fixing the bug.
+
+Fixes: d4f54a186667 ("ACPI: platform: setup MSI domain for ACPI based
+platform device")
+Reported-by: Patrick Bellasi <patrick.bellasi@arm.com>
+Reviewed-by: Hanjun Guo <hanjun.guo@linaro.org>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Cc: Sudeep Holla <sudeep.holla@arm.com>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/arm64/iort.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c
+index 08f26db2da7e..e938576e58cb 100644
+--- a/drivers/acpi/arm64/iort.c
++++ b/drivers/acpi/arm64/iort.c
+@@ -700,7 +700,7 @@ static void iort_set_device_domain(struct device *dev,
+  */
+ static struct irq_domain *iort_get_platform_device_domain(struct device *dev)
+ {
+-      struct acpi_iort_node *node, *msi_parent;
++      struct acpi_iort_node *node, *msi_parent = NULL;
+       struct fwnode_handle *iort_fwnode;
+       struct acpi_iort_its_group *its;
+       int i;
+-- 
+2.19.1
+
diff --git a/queue-4.19/afs-fix-validation-callback-interaction.patch b/queue-4.19/afs-fix-validation-callback-interaction.patch
new file mode 100644 (file)
index 0000000..cbbaf96
--- /dev/null
@@ -0,0 +1,96 @@
+From 1844d539f4dfa95f4118b54816b540e014cefc29 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 13 Nov 2018 23:20:21 +0000
+Subject: afs: Fix validation/callback interaction
+
+[ Upstream commit ae3b7361dc0ee9a425bf7d77ce211f533500b39b ]
+
+When afs_validate() is called to validate a vnode (inode), there are two
+unhandled cases in the fastpath at the top of the function:
+
+ (1) If the vnode is promised (AFS_VNODE_CB_PROMISED is set), the break
+     counters match and the data has expired, then there's an implicit case
+     in which the vnode needs revalidating.
+
+     This has no consequences since the default "valid = false" set at the
+     top of the function happens to do the right thing.
+
+ (2) If the vnode is not promised and it hasn't been deleted
+     (AFS_VNODE_DELETED is not set) then there's a default case we're not
+     handling in which the vnode is invalid.  If the vnode is invalid, we
+     need to bring cb_s_break and cb_v_break up to date before we refetch
+     the status.
+
+     As a consequence, once the server loses track of the client
+     (ie. sufficient time has passed since we last sent it an operation),
+     it will send us a CB.InitCallBackState* operation when we next try to
+     talk to it.  This calls afs_init_callback_state() which increments
+     afs_server::cb_s_break, but this then doesn't propagate to the
+     afs_vnode record.
+
+     The result being that every afs_validate() call thereafter sends a
+     status fetch operation to the server.
+
+Clarify and fix this by:
+
+ (A) Setting valid in all the branches rather than initialising it at the
+     top so that the compiler catches where we've missed.
+
+ (B) Restructuring the logic in the 'promised' branch so that we set valid
+     to false if the callback is due to expire (or has expired) and so that
+     the final case is that the vnode is still valid.
+
+ (C) Adding an else-statement that ups cb_s_break and cb_v_break if the
+     promised and deleted cases don't match.
+
+Fixes: c435ee34551e ("afs: Overhaul the callback handling")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/inode.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/fs/afs/inode.c b/fs/afs/inode.c
+index 479b7fdda124..071075d775a9 100644
+--- a/fs/afs/inode.c
++++ b/fs/afs/inode.c
+@@ -379,7 +379,7 @@ void afs_zap_data(struct afs_vnode *vnode)
+ int afs_validate(struct afs_vnode *vnode, struct key *key)
+ {
+       time64_t now = ktime_get_real_seconds();
+-      bool valid = false;
++      bool valid;
+       int ret;
+       _enter("{v={%x:%u} fl=%lx},%x",
+@@ -399,15 +399,21 @@ int afs_validate(struct afs_vnode *vnode, struct key *key)
+                       vnode->cb_v_break = vnode->volume->cb_v_break;
+                       valid = false;
+               } else if (vnode->status.type == AFS_FTYPE_DIR &&
+-                         test_bit(AFS_VNODE_DIR_VALID, &vnode->flags) &&
+-                         vnode->cb_expires_at - 10 > now) {
+-                      valid = true;
+-              } else if (!test_bit(AFS_VNODE_ZAP_DATA, &vnode->flags) &&
+-                         vnode->cb_expires_at - 10 > now) {
++                         (!test_bit(AFS_VNODE_DIR_VALID, &vnode->flags) ||
++                          vnode->cb_expires_at - 10 <= now)) {
++                      valid = false;
++              } else if (test_bit(AFS_VNODE_ZAP_DATA, &vnode->flags) ||
++                         vnode->cb_expires_at - 10 <= now) {
++                      valid = false;
++              } else {
+                       valid = true;
+               }
+       } else if (test_bit(AFS_VNODE_DELETED, &vnode->flags)) {
+               valid = true;
++      } else {
++              vnode->cb_s_break = vnode->cb_interest->server->cb_s_break;
++              vnode->cb_v_break = vnode->volume->cb_v_break;
++              valid = false;
+       }
+       read_sequnlock_excl(&vnode->cb_lock);
+-- 
+2.19.1
+
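Review bot: The new final `else` branch in afs_validate() reads `vnode->cb_interest->server->cb_s_break` with no visible NULL check, and it is the branch taken when the vnode holds no callback promise and is not deleted. Nothing in the hunk shows that cb_interest is always set in that state, so this is worth confirming; if it can be unset, guard the assignment as `if (vnode->cb_interest) vnode->cb_s_break = vnode->cb_interest->server->cb_s_break;`. Separately, `bool valid;` is now deliberately uninitialized, so any branch added later must assign it; the branches visible here all do. The function body continues outside the hunk.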
diff --git a/queue-4.19/aio-fix-failure-to-put-the-file-pointer.patch b/queue-4.19/aio-fix-failure-to-put-the-file-pointer.patch
new file mode 100644 (file)
index 0000000..363bdcc
--- /dev/null
@@ -0,0 +1,33 @@
+From c43bb2ffdba06a58c8f031b19d7db6f5d6e6259c Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Sat, 17 Nov 2018 07:43:42 -0700
+Subject: aio: fix failure to put the file pointer
+
+[ Upstream commit 53fffe29a9e664a999dd3787e4428da8c30533e0 ]
+
+If the ioprio capability check fails, we return without putting
+the file pointer.
+
+Fixes: d9a08a9e616b ("fs: Add aio iopriority support")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/aio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/aio.c b/fs/aio.c
+index b9350f3360c6..04c4d6218978 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1436,6 +1436,7 @@ static int aio_prep_rw(struct kiocb *req, struct iocb *iocb)
+               ret = ioprio_check_cap(iocb->aio_reqprio);
+               if (ret) {
+                       pr_debug("aio ioprio check cap error: %d\n", ret);
++                      fput(req->ki_filp);
+                       return ret;
+               }
+-- 
+2.19.1
+
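Review bot: After the added `fput(req->ki_filp);` in the ioprio failure path of aio_prep_rw(), `req->ki_filp` still holds the released pointer. The callers are outside this hunk, so it cannot be confirmed here that no error path touches ki_filp again. Adding `req->ki_filp = NULL;` after the fput would make any later use fail visibly instead of becoming a use-after-free. If the function has other failure exits that also drop the file, a single `out_fput:` label would keep the release in one place; the rest of the body is not visible here.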
diff --git a/queue-4.19/alsa-usb-audio-add-vendor-and-product-name-for-dell-.patch b/queue-4.19/alsa-usb-audio-add-vendor-and-product-name-for-dell-.patch
new file mode 100644 (file)
index 0000000..0196042
--- /dev/null
@@ -0,0 +1,41 @@
+From b4a058e11778693f2d7ba962f888813eae6c247b Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Wed, 28 Nov 2018 17:11:26 +0800
+Subject: ALSA: usb-audio: Add vendor and product name for Dell WD19 Dock
+
+[ Upstream commit 8159a6a4a7d2a092d5375f695ecfca22b4562b5f ]
+
+Like the Dell WD15 Dock, the WD19 Dock (0bda:402e) doens't provide
+useful string for the vendor and product names too. In order to share
+the UCM with WD15, here we keep the profile_name same as the WD15.
+
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/quirks-table.h | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
+index 08aa78007020..1c73b9ed44a6 100644
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3387,5 +3387,15 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"),
+               .ifnum = QUIRK_NO_INTERFACE
+       }
+ },
++/* Dell WD19 Dock */
++{
++      USB_DEVICE(0x0bda, 0x402e),
++      .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
++              .vendor_name = "Dell",
++              .product_name = "WD19 Dock",
++              .profile_name = "Dell-WD15-Dock",
++              .ifnum = QUIRK_NO_INTERFACE
++      }
++},
+ #undef USB_DEVICE_VENDOR_SPEC
+-- 
+2.19.1
+
diff --git a/queue-4.19/arm-dts-am3517-fix-pinmuxing-for-cd-on-mmc1.patch b/queue-4.19/arm-dts-am3517-fix-pinmuxing-for-cd-on-mmc1.patch
new file mode 100644 (file)
index 0000000..5101e0f
--- /dev/null
@@ -0,0 +1,37 @@
+From 217e4d85d891eccf34f46e85b76de5843b739bac Mon Sep 17 00:00:00 2001
+From: Adam Ford <aford173@gmail.com>
+Date: Sun, 28 Oct 2018 15:13:48 -0500
+Subject: ARM: dts: am3517: Fix pinmuxing for CD on MMC1
+
+[ Upstream commit e7f4ffffa972db4820c23ff9831a6a4f3f6d8cc5 ]
+
+The MMC1 is active low, not active high.  For some reason,
+this worked with different combination of U-Boot and kernels,
+but it's supposed to be active low and is currently broken.
+
+Fixes: cfaa856a2510 ("ARM: dts: am3517: Add pinmuxing, CD and
+WP for MMC1") #kernel 4.18+
+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/am3517-evm.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/am3517-evm.dts b/arch/arm/boot/dts/am3517-evm.dts
+index 1d158cfda15f..c45aef806870 100644
+--- a/arch/arm/boot/dts/am3517-evm.dts
++++ b/arch/arm/boot/dts/am3517-evm.dts
+@@ -227,7 +227,7 @@
+       vmmc-supply = <&vmmc_fixed>;
+       bus-width = <4>;
+       wp-gpios = <&gpio4 30 GPIO_ACTIVE_HIGH>; /* gpio_126 */
+-      cd-gpios = <&gpio4 31 GPIO_ACTIVE_HIGH>; /* gpio_127 */
++      cd-gpios = <&gpio4 31 GPIO_ACTIVE_LOW>; /* gpio_127 */
+ };
+ &mmc3 {
+-- 
+2.19.1
+
diff --git a/queue-4.19/arm-dts-am3517-som-fix-wl127x-wifi-interrupt.patch b/queue-4.19/arm-dts-am3517-som-fix-wl127x-wifi-interrupt.patch
new file mode 100644 (file)
index 0000000..537bc44
--- /dev/null
@@ -0,0 +1,37 @@
+From daaa2401404b998a91c3754a1c5c95d95b815b2e Mon Sep 17 00:00:00 2001
+From: Adam Ford <aford173@gmail.com>
+Date: Sun, 28 Oct 2018 15:34:21 -0500
+Subject: ARM: dts: am3517-som: Fix WL127x Wifi interrupt
+
+[ Upstream commit 419b194cdedc76d0d3cd5b0900db0fa8177c4a52 ]
+
+At the same time the AM3517 EVM was gaining WiFi support,
+separate patches were introduced to move the interrupt
+from HIGH to RISING.  Because they overlapped, this was not
+done to the AM3517-EVM.  This patch fixes Kernel 4.19+
+
+Fixes: 6bf5e3410f19 ("ARM: dts: am3517-som: Add WL127x Wifi")
+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/am3517-som.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/am3517-som.dtsi b/arch/arm/boot/dts/am3517-som.dtsi
+index dae6e458e59f..b1c988eed87c 100644
+--- a/arch/arm/boot/dts/am3517-som.dtsi
++++ b/arch/arm/boot/dts/am3517-som.dtsi
+@@ -163,7 +163,7 @@
+               compatible = "ti,wl1271";
+               reg = <2>;
+               interrupt-parent = <&gpio6>;
+-              interrupts = <10 IRQ_TYPE_LEVEL_HIGH>; /* gpio_170 */
++              interrupts = <10 IRQ_TYPE_EDGE_RISING>; /* gpio_170 */
+               ref-clock-frequency = <26000000>;
+               tcxo-clock-frequency = <26000000>;
+       };
+-- 
+2.19.1
+
diff --git a/queue-4.19/arm-dts-at91-sama5d2-use-the-divided-clock-for-smc.patch b/queue-4.19/arm-dts-at91-sama5d2-use-the-divided-clock-for-smc.patch
new file mode 100644 (file)
index 0000000..f1ca01b
--- /dev/null
@@ -0,0 +1,41 @@
+From d9c51d3a71436881a4f5f3037bc861037489c25f Mon Sep 17 00:00:00 2001
+From: Romain Izard <romain.izard.pro@gmail.com>
+Date: Tue, 20 Nov 2018 17:57:37 +0100
+Subject: ARM: dts: at91: sama5d2: use the divided clock for SMC
+
+[ Upstream commit 4ab7ca092c3c7ac8b16aa28eba723a8868f82f14 ]
+
+The SAMA5D2 is different from SAMA5D3 and SAMA5D4, as there are two
+different clocks for the peripherals in the SoC. The Static Memory
+controller is connected to the divided master clock.
+
+Unfortunately, the device tree does not correctly show this and uses the
+master clock directly. This clock is then used by the code for the NAND
+controller to calculate the timings for the controller, and we end up with
+slow NAND Flash access.
+
+Fix the device tree, and the performance of Flash access is improved.
+
+Signed-off-by: Romain Izard <romain.izard.pro@gmail.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/sama5d2.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/sama5d2.dtsi b/arch/arm/boot/dts/sama5d2.dtsi
+index 61f68e5c48e9..b405992eb601 100644
+--- a/arch/arm/boot/dts/sama5d2.dtsi
++++ b/arch/arm/boot/dts/sama5d2.dtsi
+@@ -308,7 +308,7 @@
+                                 0x1 0x0 0x60000000 0x10000000
+                                 0x2 0x0 0x70000000 0x10000000
+                                 0x3 0x0 0x80000000 0x10000000>;
+-                      clocks = <&mck>;
++                      clocks = <&h32ck>;
+                       status = "disabled";
+                       nand_controller: nand-controller {
+-- 
+2.19.1
+
diff --git a/queue-4.19/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch b/queue-4.19/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch
new file mode 100644 (file)
index 0000000..9857abc
--- /dev/null
@@ -0,0 +1,36 @@
+From 2eabbdfd02f281c324d6fddfb7d2cf202c2d9489 Mon Sep 17 00:00:00 2001
+From: Adam Ford <aford173@gmail.com>
+Date: Sun, 28 Oct 2018 15:29:27 -0500
+Subject: ARM: dts: logicpd-somlv: Fix interrupt on mmc3_dat1
+
+[ Upstream commit 3d8b804bc528d3720ec0c39c212af92dafaf6e84 ]
+
+The interrupt on mmc3_dat1 is wrong which prevents this from
+appearing in /proc/interrupts.
+
+Fixes: ab8dd3aed011 ("ARM: DTS: Add minimal Support for Logic PD
+DM3730 SOM-LV") #Kernel 4.9+
+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/logicpd-som-lv.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/logicpd-som-lv.dtsi b/arch/arm/boot/dts/logicpd-som-lv.dtsi
+index ac343330d0c8..98b682a8080c 100644
+--- a/arch/arm/boot/dts/logicpd-som-lv.dtsi
++++ b/arch/arm/boot/dts/logicpd-som-lv.dtsi
+@@ -129,7 +129,7 @@
+ };
+ &mmc3 {
+-      interrupts-extended = <&intc 94 &omap3_pmx_core2 0x46>;
++      interrupts-extended = <&intc 94 &omap3_pmx_core 0x136>;
+       pinctrl-0 = <&mmc3_pins &wl127x_gpio>;
+       pinctrl-names = "default";
+       vmmc-supply = <&wl12xx_vmmc>;
+-- 
+2.19.1
+
diff --git a/queue-4.19/arm-dts-logicpd-torpedo-fix-mmc3_dat1-interrupt.patch b/queue-4.19/arm-dts-logicpd-torpedo-fix-mmc3_dat1-interrupt.patch
new file mode 100644 (file)
index 0000000..d731449
--- /dev/null
@@ -0,0 +1,39 @@
+From f519b2e3e1eb90b58853ff03e596e1f8eeff4fad Mon Sep 17 00:00:00 2001
+From: Adam Ford <aford173@gmail.com>
+Date: Sun, 28 Oct 2018 15:28:32 -0500
+Subject: ARM: dts: LogicPD Torpedo: Fix mmc3_dat1 interrupt
+
+[ Upstream commit 6809564d64ff1301d44c13334cc0e8369e825a20 ]
+
+When the Torpedo was first introduced back at Kernel 4.2,
+the interrupt extended flag has been set incorrectly.
+
+It was subsequently moved, so this patch corrects Kernel
+4.18+
+
+Fixes: a38867305203 ("ARM: dts: Move move WiFi bindings to
+logicpd-torpedo-37xx-devkit") # v4.18+
+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/logicpd-torpedo-37xx-devkit.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/logicpd-torpedo-37xx-devkit.dts b/arch/arm/boot/dts/logicpd-torpedo-37xx-devkit.dts
+index 9d5d53fbe9c0..c39cf2ca54da 100644
+--- a/arch/arm/boot/dts/logicpd-torpedo-37xx-devkit.dts
++++ b/arch/arm/boot/dts/logicpd-torpedo-37xx-devkit.dts
+@@ -35,7 +35,7 @@
+  * jumpering combinations for the long run.
+  */
+ &mmc3 {
+-      interrupts-extended = <&intc 94 &omap3_pmx_core2 0x46>;
++      interrupts-extended = <&intc 94 &omap3_pmx_core 0x136>;
+       pinctrl-0 = <&mmc3_pins &mmc3_core2_pins>;
+       pinctrl-names = "default";
+       vmmc-supply = <&wl12xx_vmmc>;
+-- 
+2.19.1
+
diff --git a/queue-4.19/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch b/queue-4.19/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch
new file mode 100644 (file)
index 0000000..6f4cd5c
--- /dev/null
@@ -0,0 +1,40 @@
+From 5389060d245b661aca161b96933863137d5eb1ee Mon Sep 17 00:00:00 2001
+From: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Date: Wed, 7 Nov 2018 22:30:31 +0100
+Subject: ARM: OMAP1: ams-delta: Fix possible use of uninitialized field
+
+[ Upstream commit cec83ff1241ec98113a19385ea9e9cfa9aa4125b ]
+
+While playing with initialization order of modem device, it has been
+discovered that under some circumstances (early console init, I
+believe) its .pm() callback may be called before the
+uart_port->private_data pointer is initialized from
+plat_serial8250_port->private_data, resulting in NULL pointer
+dereference.  Fix it by checking for uninitialized pointer before using
+it in modem_pm().
+
+Fixes: aabf31737a6a ("ARM: OMAP1: ams-delta: update the modem to use regulator API")
+Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap1/board-ams-delta.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/mach-omap1/board-ams-delta.c b/arch/arm/mach-omap1/board-ams-delta.c
+index dd28d2614d7f..d10d8831f527 100644
+--- a/arch/arm/mach-omap1/board-ams-delta.c
++++ b/arch/arm/mach-omap1/board-ams-delta.c
+@@ -726,6 +726,9 @@ static void modem_pm(struct uart_port *port, unsigned int state, unsigned old)
+       struct modem_private_data *priv = port->private_data;
+       int ret;
++      if (!priv)
++              return;
++
+       if (IS_ERR(priv->regulator))
+               return;
+-- 
+2.19.1
+
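Review bot: The added `if (!priv) return;` in modem_pm() silently drops the requested power-state change when the callback runs before `port->private_data` is set, and nothing in the code records why that can happen. A comment above the check, e.g. `/* .pm() may run before private_data is initialized (early console init) */`, would keep the guard from looking like dead code. It is also worth confirming that the skipped transition is applied again once private_data is assigned, otherwise the regulator state could stay out of step with the port. modem_pm() continues past the end of the hunk.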
diff --git a/queue-4.19/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch b/queue-4.19/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch
new file mode 100644 (file)
index 0000000..a1cbcca
--- /dev/null
@@ -0,0 +1,45 @@
+From 4f69d6aff7f4064dbfb26c48e9497c009c7df43a Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Wed, 17 Oct 2018 17:54:00 -0700
+Subject: ARM: OMAP2+: prm44xx: Fix section annotation on
+ omap44xx_prm_enable_io_wakeup
+
+[ Upstream commit eef3dc34a1e0b01d53328b88c25237bcc7323777 ]
+
+When building the kernel with Clang, the following section mismatch
+warning appears:
+
+WARNING: vmlinux.o(.text+0x38b3c): Section mismatch in reference from
+the function omap44xx_prm_late_init() to the function
+.init.text:omap44xx_prm_enable_io_wakeup()
+The function omap44xx_prm_late_init() references
+the function __init omap44xx_prm_enable_io_wakeup().
+This is often because omap44xx_prm_late_init lacks a __init
+annotation or the annotation of omap44xx_prm_enable_io_wakeup is wrong.
+
+Remove the __init annotation from omap44xx_prm_enable_io_wakeup so there
+is no more mismatch.
+
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap2/prm44xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap2/prm44xx.c b/arch/arm/mach-omap2/prm44xx.c
+index 7b95729e8359..38a1be6c3694 100644
+--- a/arch/arm/mach-omap2/prm44xx.c
++++ b/arch/arm/mach-omap2/prm44xx.c
+@@ -351,7 +351,7 @@ static void omap44xx_prm_reconfigure_io_chain(void)
+  * to occur, WAKEUPENABLE bits must be set in the pad mux registers, and
+  * omap44xx_prm_reconfigure_io_chain() must be called.  No return value.
+  */
+-static void __init omap44xx_prm_enable_io_wakeup(void)
++static void omap44xx_prm_enable_io_wakeup(void)
+ {
+       s32 inst = omap4_prmst_get_prm_dev_inst();
+-- 
+2.19.1
+
diff --git a/queue-4.19/arm64-dts-sdm845-mtp-reserve-reserved-gpios.patch b/queue-4.19/arm64-dts-sdm845-mtp-reserve-reserved-gpios.patch
new file mode 100644 (file)
index 0000000..36b298e
--- /dev/null
@@ -0,0 +1,42 @@
+From d3d7cce7ee2fc18c9682b6edcbd3e50eea7fc2e1 Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+Date: Fri, 2 Nov 2018 14:45:32 -0700
+Subject: arm64: dts: sdm845-mtp: Reserve reserved gpios
+
+[ Upstream commit 5f8d3ab136d0ccb59c4d628d8f85e0d8f2761d07 ]
+
+With the introduction of commit 3edfb7bd76bd ("gpiolib: Show correct
+direction from the beginning") the gpiolib will attempt to read the
+direction of all pins, which triggers a read from protected register
+regions.
+
+The pins 0 through 3 and 81 through 84 are protected, so mark these as
+reserved.
+
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Reviewed-by: Stephen Boyd <sboyd@kernel.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm845-mtp.dts | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845-mtp.dts b/arch/arm64/boot/dts/qcom/sdm845-mtp.dts
+index 6d651f314193..6921f8dc5ebb 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845-mtp.dts
++++ b/arch/arm64/boot/dts/qcom/sdm845-mtp.dts
+@@ -31,6 +31,10 @@
+       status = "okay";
+ };
++&tlmm {
++      gpio-reserved-ranges = <0 4>, <81 4>;
++};
++
+ &uart9 {
+       status = "okay";
+ };
+-- 
+2.19.1
+
diff --git a/queue-4.19/asoc-acpi-fix-continue-searching-when-machine-is-ign.patch b/queue-4.19/asoc-acpi-fix-continue-searching-when-machine-is-ign.patch
new file mode 100644 (file)
index 0000000..ba2fb5f
--- /dev/null
@@ -0,0 +1,46 @@
+From 8313511d7735170f77365d85bb49a20b74b8f683 Mon Sep 17 00:00:00 2001
+From: Keyon Jie <yang.jie@linux.intel.com>
+Date: Fri, 16 Nov 2018 18:47:04 -0600
+Subject: ASoC: acpi: fix: continue searching when machine is ignored
+
+[ Upstream commit a3e620f8422832afd832ad5e20aa97d0c72bada8 ]
+
+The machine_quirk may return NULL which means the acpi entries should be
+skipped and search for next matched entry is needed, here add return
+check here and continue for NULL case.
+
+Signed-off-by: Keyon Jie <yang.jie@linux.intel.com>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-acpi.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/soc-acpi.c b/sound/soc/soc-acpi.c
+index b8e72b52db30..4fb29f0e561e 100644
+--- a/sound/soc/soc-acpi.c
++++ b/sound/soc/soc-acpi.c
+@@ -10,11 +10,17 @@ struct snd_soc_acpi_mach *
+ snd_soc_acpi_find_machine(struct snd_soc_acpi_mach *machines)
+ {
+       struct snd_soc_acpi_mach *mach;
++      struct snd_soc_acpi_mach *mach_alt;
+       for (mach = machines; mach->id[0]; mach++) {
+               if (acpi_dev_present(mach->id, NULL, -1)) {
+-                      if (mach->machine_quirk)
+-                              mach = mach->machine_quirk(mach);
++                      if (mach->machine_quirk) {
++                              mach_alt = mach->machine_quirk(mach);
++                              if (!mach_alt)
++                                      continue; /* not full match, ignore */
++                              mach = mach_alt;
++                      }
++
+                       return mach;
+               }
+       }
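Review bot: `mach_alt` is only used inside the `if (mach->machine_quirk)` block, so it can be declared there rather than at function scope, which makes it obvious that no value is carried from one loop iteration to the next: `struct snd_soc_acpi_mach *mach_alt = mach->machine_quirk(mach);`. The hunk also relies on `machine_quirk` returning NULL to mean "skip this entry"; that contract is worth one line where the callback is declared, which is not visible here. The function body continues past the end of the hunk.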
+-- 
+2.19.1
+
diff --git a/queue-4.19/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch b/queue-4.19/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch
new file mode 100644 (file)
index 0000000..8ba5c5c
--- /dev/null
@@ -0,0 +1,57 @@
+From 5add10a494771d00ee2da25715cf54848a69237b Mon Sep 17 00:00:00 2001
+From: Tzung-Bi Shih <tzungbi@google.com>
+Date: Wed, 14 Nov 2018 17:06:13 +0800
+Subject: ASoC: dapm: Recalculate audio map forcely when card instantiated
+
+[ Upstream commit 882eab6c28d23a970ae73b7eb831b169a672d456 ]
+
+Audio map are possible in wrong state before card->instantiated has
+been set to true.  Imaging the following examples:
+
+time 1: at the beginning
+
+  in:-1    in:-1    in:-1    in:-1
+ out:-1   out:-1   out:-1   out:-1
+ SIGGEN        A        B      Spk
+
+time 2: after someone called snd_soc_dapm_new_widgets()
+(e.g. create_fill_widget_route_map() in sound/soc/codecs/hdac_hdmi.c)
+
+   in:1     in:0     in:0     in:0
+  out:0    out:0    out:0    out:1
+ SIGGEN        A        B      Spk
+
+time 3: routes added
+
+   in:1     in:0     in:0     in:0
+  out:0    out:0    out:0    out:1
+ SIGGEN -----> A -----> B ---> Spk
+
+In the end, the path should be powered on but it did not.  At time 3,
+"in" of SIGGEN and "out" of Spk did not propagate to their neighbors
+because snd_soc_dapm_add_path() will not invalidate the paths if
+the card has not instantiated (i.e. card->instantiated is false).
+To correct the state of audio map, recalculate the whole map forcely.
+
+Signed-off-by: Tzung-Bi Shih <tzungbi@google.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index 473eefe8658e..62aa320c2070 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -2126,6 +2126,7 @@ static int snd_soc_instantiate_card(struct snd_soc_card *card)
+       }
+       card->instantiated = 1;
++      dapm_mark_endpoints_dirty(card);
+       snd_soc_dapm_sync(&card->dapm);
+       mutex_unlock(&card->mutex);
+       mutex_unlock(&client_mutex);
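Review bot: Nothing at the call site says why `dapm_mark_endpoints_dirty(card)` is needed right before `snd_soc_dapm_sync()`; the reason lives only in the commit message, so the call is easy to drop later as redundant. A short comment above it would cover that: `/* routes added before card->instantiated was set were never invalidated; force a full recalculation */`. snd_soc_instantiate_card starts and ends outside the hunk.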
+-- 
+2.19.1
+
diff --git a/queue-4.19/asoc-intel-power-down-links-before-turning-off-displ.patch b/queue-4.19/asoc-intel-power-down-links-before-turning-off-displ.patch
new file mode 100644 (file)
index 0000000..3742ed0
--- /dev/null
@@ -0,0 +1,90 @@
+From 8d43187e6809fe4f1095cffe12fead9c446ea427 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Date: Fri, 9 Nov 2018 13:39:23 -0600
+Subject: ASoC: Intel: Power down links before turning off display audio power
+
+[ Upstream commit 4c10473d6ddf12ec124c9ff71a5d23bb5388478b ]
+
+On certain platforms, Display HDMI HDA codec was not going to sleep state
+after the use when links are powered down after turning off the display
+power. As per the HW recommendation, links are powered down before turning
+off the display power to ensure that the codec goes to sleep state.
+
+This patch was updated from an earlier version submitted upstream [1]
+which conflicted with the changes merged for HDaudio codec support
+with the Intel DSP.
+
+[1] https://patchwork.kernel.org/patch/10540213/
+
+Signed-off-by: Sriram Periyasamy <sriramx.periyasamy@intel.com>
+Signed-off-by: Sanyog Kale <sanyog.r.kale@intel.com>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/hdac_hdmi.c  | 11 +++++------
+ sound/soc/intel/skylake/skl.c | 12 ++++++------
+ 2 files changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/sound/soc/codecs/hdac_hdmi.c b/sound/soc/codecs/hdac_hdmi.c
+index 7b8533abf637..b61d518f4fef 100644
+--- a/sound/soc/codecs/hdac_hdmi.c
++++ b/sound/soc/codecs/hdac_hdmi.c
+@@ -2184,11 +2184,6 @@ static int hdac_hdmi_runtime_suspend(struct device *dev)
+        */
+       snd_hdac_codec_read(hdev, hdev->afg, 0, AC_VERB_SET_POWER_STATE,
+                                                       AC_PWRST_D3);
+-      err = snd_hdac_display_power(bus, false);
+-      if (err < 0) {
+-              dev_err(dev, "Cannot turn on display power on i915\n");
+-              return err;
+-      }
+       hlink = snd_hdac_ext_bus_get_link(bus, dev_name(dev));
+       if (!hlink) {
+@@ -2198,7 +2193,11 @@ static int hdac_hdmi_runtime_suspend(struct device *dev)
+       snd_hdac_ext_bus_link_put(bus, hlink);
+-      return 0;
++      err = snd_hdac_display_power(bus, false);
++      if (err < 0)
++              dev_err(dev, "Cannot turn off display power on i915\n");
++
++      return err;
+ }
+ static int hdac_hdmi_runtime_resume(struct device *dev)
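Review bot: The `if (!hlink)` branch that opens at the end of the first hdac_hdmi.c hunk now sits above the relocated `snd_hdac_display_power(bus, false)` call, so if that branch returns early (its body is outside both hunks) runtime suspend exits with display power still requested. Before the move, the power-off ran ahead of the link lookup and that path left power off. Consider releasing display power on that path too, for example by calling `snd_hdac_display_power(bus, false);` just before its return, or by routing it through a shared exit label.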
+diff --git a/sound/soc/intel/skylake/skl.c b/sound/soc/intel/skylake/skl.c
+index 1d17be0f78a0..50f16a0f6535 100644
+--- a/sound/soc/intel/skylake/skl.c
++++ b/sound/soc/intel/skylake/skl.c
+@@ -752,6 +752,12 @@ static void skl_probe_work(struct work_struct *work)
+               }
+       }
++      /*
++       * we are done probing so decrement link counts
++       */
++      list_for_each_entry(hlink, &bus->hlink_list, list)
++              snd_hdac_ext_bus_link_put(bus, hlink);
++
+       if (IS_ENABLED(CONFIG_SND_SOC_HDAC_HDMI)) {
+               err = snd_hdac_display_power(bus, false);
+               if (err < 0) {
+@@ -761,12 +767,6 @@ static void skl_probe_work(struct work_struct *work)
+               }
+       }
+-      /*
+-       * we are done probing so decrement link counts
+-       */
+-      list_for_each_entry(hlink, &bus->hlink_list, list)
+-              snd_hdac_ext_bus_link_put(bus, hlink);
+-
+       /* configure PM */
+       pm_runtime_put_noidle(bus->dev);
+       pm_runtime_allow(bus->dev);
+-- 
+2.19.1
+
diff --git a/queue-4.19/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch b/queue-4.19/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch
new file mode 100644 (file)
index 0000000..1150a67
--- /dev/null
@@ -0,0 +1,159 @@
+From 4ec85beb0a8f315511f549d5696af79450ca13db Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 14 Nov 2018 14:58:20 +0200
+Subject: ASoC: omap-abe-twl6040: Fix missing audio card caused by deferred
+ probing
+
+[ Upstream commit 76836fd354922ebe4798a64fda01f8dc6a8b0984 ]
+
+The machine driver fails to probe in next-20181113 with:
+
+[    2.539093] omap-abe-twl6040 sound: ASoC: CODEC DAI twl6040-legacy not registered
+[    2.546630] omap-abe-twl6040 sound: devm_snd_soc_register_card() failed: -517
+...
+[    3.693206] omap-abe-twl6040 sound: ASoC: Both platform name/of_node are set for TWL6040
+[    3.701446] omap-abe-twl6040 sound: ASoC: failed to init link TWL6040
+[    3.708007] omap-abe-twl6040 sound: devm_snd_soc_register_card() failed: -22
+[    3.715148] omap-abe-twl6040: probe of sound failed with error -22
+
+Bisect pointed to a merge commit:
+first bad commit: [0f688ab20a540aafa984c5dbd68a71debebf4d7f] Merge remote-tracking branch 'net-next/master'
+
+and a diff between a working kernel does not reveal anything which would
+explain the change in behavior.
+
+Further investigation showed that on the second try of loading fails
+because the dai_link->platform is no longer NULL and it might be pointing
+to uninitialized memory.
+
+The fix is to move the snd_soc_dai_link and snd_soc_card inside of the
+abe_twl6040 struct, which is dynamically allocated every time the driver
+probes.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/omap/omap-abe-twl6040.c | 67 +++++++++++++------------------
+ 1 file changed, 29 insertions(+), 38 deletions(-)
+
+diff --git a/sound/soc/omap/omap-abe-twl6040.c b/sound/soc/omap/omap-abe-twl6040.c
+index d5ae9eb8c756..fed45b41f9d3 100644
+--- a/sound/soc/omap/omap-abe-twl6040.c
++++ b/sound/soc/omap/omap-abe-twl6040.c
+@@ -36,6 +36,8 @@
+ #include "../codecs/twl6040.h"
+ struct abe_twl6040 {
++      struct snd_soc_card card;
++      struct snd_soc_dai_link dai_links[2];
+       int     jack_detection; /* board can detect jack events */
+       int     mclk_freq;      /* MCLK frequency speed for twl6040 */
+ };
+@@ -208,40 +210,10 @@ static int omap_abe_dmic_init(struct snd_soc_pcm_runtime *rtd)
+                               ARRAY_SIZE(dmic_audio_map));
+ }
+-/* Digital audio interface glue - connects codec <--> CPU */
+-static struct snd_soc_dai_link abe_twl6040_dai_links[] = {
+-      {
+-              .name = "TWL6040",
+-              .stream_name = "TWL6040",
+-              .codec_dai_name = "twl6040-legacy",
+-              .codec_name = "twl6040-codec",
+-              .init = omap_abe_twl6040_init,
+-              .ops = &omap_abe_ops,
+-      },
+-      {
+-              .name = "DMIC",
+-              .stream_name = "DMIC Capture",
+-              .codec_dai_name = "dmic-hifi",
+-              .codec_name = "dmic-codec",
+-              .init = omap_abe_dmic_init,
+-              .ops = &omap_abe_dmic_ops,
+-      },
+-};
+-
+-/* Audio machine driver */
+-static struct snd_soc_card omap_abe_card = {
+-      .owner = THIS_MODULE,
+-
+-      .dapm_widgets = twl6040_dapm_widgets,
+-      .num_dapm_widgets = ARRAY_SIZE(twl6040_dapm_widgets),
+-      .dapm_routes = audio_map,
+-      .num_dapm_routes = ARRAY_SIZE(audio_map),
+-};
+-
+ static int omap_abe_probe(struct platform_device *pdev)
+ {
+       struct device_node *node = pdev->dev.of_node;
+-      struct snd_soc_card *card = &omap_abe_card;
++      struct snd_soc_card *card;
+       struct device_node *dai_node;
+       struct abe_twl6040 *priv;
+       int num_links = 0;
+@@ -252,12 +224,18 @@ static int omap_abe_probe(struct platform_device *pdev)
+               return -ENODEV;
+       }
+-      card->dev = &pdev->dev;
+-
+       priv = devm_kzalloc(&pdev->dev, sizeof(struct abe_twl6040), GFP_KERNEL);
+       if (priv == NULL)
+               return -ENOMEM;
++      card = &priv->card;
++      card->dev = &pdev->dev;
++      card->owner = THIS_MODULE;
++      card->dapm_widgets = twl6040_dapm_widgets;
++      card->num_dapm_widgets = ARRAY_SIZE(twl6040_dapm_widgets);
++      card->dapm_routes = audio_map;
++      card->num_dapm_routes = ARRAY_SIZE(audio_map);
++
+       if (snd_soc_of_parse_card_name(card, "ti,model")) {
+               dev_err(&pdev->dev, "Card name is not provided\n");
+               return -ENODEV;
+@@ -274,14 +252,27 @@ static int omap_abe_probe(struct platform_device *pdev)
+               dev_err(&pdev->dev, "McPDM node is not provided\n");
+               return -EINVAL;
+       }
+-      abe_twl6040_dai_links[0].cpu_of_node = dai_node;
+-      abe_twl6040_dai_links[0].platform_of_node = dai_node;
++
++      priv->dai_links[0].name = "DMIC";
++      priv->dai_links[0].stream_name = "TWL6040";
++      priv->dai_links[0].cpu_of_node = dai_node;
++      priv->dai_links[0].platform_of_node = dai_node;
++      priv->dai_links[0].codec_dai_name = "twl6040-legacy";
++      priv->dai_links[0].codec_name = "twl6040-codec";
++      priv->dai_links[0].init = omap_abe_twl6040_init;
++      priv->dai_links[0].ops = &omap_abe_ops;
+       dai_node = of_parse_phandle(node, "ti,dmic", 0);
+       if (dai_node) {
+               num_links = 2;
+-              abe_twl6040_dai_links[1].cpu_of_node = dai_node;
+-              abe_twl6040_dai_links[1].platform_of_node = dai_node;
++              priv->dai_links[1].name = "TWL6040";
++              priv->dai_links[1].stream_name = "DMIC Capture";
++              priv->dai_links[1].cpu_of_node = dai_node;
++              priv->dai_links[1].platform_of_node = dai_node;
++              priv->dai_links[1].codec_dai_name = "dmic-hifi";
++              priv->dai_links[1].codec_name = "dmic-codec";
++              priv->dai_links[1].init = omap_abe_dmic_init;
++              priv->dai_links[1].ops = &omap_abe_dmic_ops;
+       } else {
+               num_links = 1;
+       }
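Review bot: The `.name` strings of the two links are swapped relative to the static table this patch removes: `dai_links[0]`, which carries the `twl6040-legacy` codec DAI, is now named "DMIC", and `dai_links[1]`, the `dmic-hifi` link, is named "TWL6040". The removed initialiser had "TWL6040" for entry 0 and "DMIC" for entry 1, and the stream names were carried over unchanged, so this looks unintended. The two lines should read `priv->dai_links[0].name = "TWL6040";` and `priv->dai_links[1].name = "DMIC";`. omap_abe_probe continues outside this hunk.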
+@@ -300,7 +291,7 @@ static int omap_abe_probe(struct platform_device *pdev)
+               return -ENODEV;
+       }
+-      card->dai_link = abe_twl6040_dai_links;
++      card->dai_link = priv->dai_links;
+       card->num_links = num_links;
+       snd_soc_card_set_drvdata(card, priv);
+-- 
+2.19.1
+
diff --git a/queue-4.19/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch b/queue-4.19/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch
new file mode 100644 (file)
index 0000000..1703269
--- /dev/null
@@ -0,0 +1,63 @@
+From 518c3d10766fa7ffba1659678f47ba99c4c1af16 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 14 Nov 2018 13:06:23 +0200
+Subject: ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE
+
+[ Upstream commit ffdcc3638c58d55a6fa68b6e5dfd4fb4109652eb ]
+
+We need to block sleep states which would require longer time to leave than
+the time the DMA must react to the DMA request in order to keep the FIFO
+serviced without overrun.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Acked-by: Jarkko Nikula <jarkko.nikula@bitmer.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/omap/omap-dmic.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/sound/soc/omap/omap-dmic.c b/sound/soc/omap/omap-dmic.c
+index fe966272bd0c..cba9645b6487 100644
+--- a/sound/soc/omap/omap-dmic.c
++++ b/sound/soc/omap/omap-dmic.c
+@@ -48,6 +48,8 @@ struct omap_dmic {
+       struct device *dev;
+       void __iomem *io_base;
+       struct clk *fclk;
++      struct pm_qos_request pm_qos_req;
++      int latency;
+       int fclk_freq;
+       int out_freq;
+       int clk_div;
+@@ -124,6 +126,8 @@ static void omap_dmic_dai_shutdown(struct snd_pcm_substream *substream,
+       mutex_lock(&dmic->mutex);
++      pm_qos_remove_request(&dmic->pm_qos_req);
++
+       if (!dai->active)
+               dmic->active = 0;
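Review bot: `pm_qos_remove_request(&dmic->pm_qos_req)` runs unconditionally on shutdown, but none of the hunks in this patch calls `pm_qos_add_request()`; the prepare hunk only updates a request that is already active. Unless the request is added elsewhere in the file, the computed `dmic->latency` is never applied and shutdown removes a request that was never registered. The omap-mcpdm patch in this same queue shows the pattern: add `else if (dmic->latency) pm_qos_add_request(&dmic->pm_qos_req, PM_QOS_CPU_DMA_LATENCY, dmic->latency);` in prepare, and guard the removal with `if (pm_qos_request_active(&dmic->pm_qos_req))`. Both functions extend beyond their hunks.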
+@@ -228,6 +232,8 @@ static int omap_dmic_dai_hw_params(struct snd_pcm_substream *substream,
+       /* packet size is threshold * channels */
+       dma_data = snd_soc_dai_get_dma_data(dai, substream);
+       dma_data->maxburst = dmic->threshold * channels;
++      dmic->latency = (OMAP_DMIC_THRES_MAX - dmic->threshold) * USEC_PER_SEC /
++                      params_rate(params);
+       return 0;
+ }
+@@ -238,6 +244,9 @@ static int omap_dmic_dai_prepare(struct snd_pcm_substream *substream,
+       struct omap_dmic *dmic = snd_soc_dai_get_drvdata(dai);
+       u32 ctrl;
++      if (pm_qos_request_active(&dmic->pm_qos_req))
++              pm_qos_update_request(&dmic->pm_qos_req, dmic->latency);
++
+       /* Configure uplink threshold */
+       omap_dmic_write(dmic, OMAP_DMIC_FIFO_CTRL_REG, dmic->threshold);
+-- 
+2.19.1
+
diff --git a/queue-4.19/asoc-omap-mcbsp-fix-latency-value-calculation-for-pm.patch b/queue-4.19/asoc-omap-mcbsp-fix-latency-value-calculation-for-pm.patch
new file mode 100644 (file)
index 0000000..ead6473
--- /dev/null
@@ -0,0 +1,38 @@
+From a466847241853ff2cfa7b9c0a89ff5bbf73e89cd Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 14 Nov 2018 13:06:21 +0200
+Subject: ASoC: omap-mcbsp: Fix latency value calculation for pm_qos
+
+[ Upstream commit dd2f52d8991af9fe0928d59ec502ba52be7bc38d ]
+
+The latency number is in usec for the pm_qos. Correct the calculation to
+give us the time in usec
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Acked-by: Jarkko Nikula <jarkko.nikula@bitmer.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/omap/omap-mcbsp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/omap/omap-mcbsp.c b/sound/soc/omap/omap-mcbsp.c
+index d0ebb6b9bfac..2d6decbfc99e 100644
+--- a/sound/soc/omap/omap-mcbsp.c
++++ b/sound/soc/omap/omap-mcbsp.c
+@@ -308,9 +308,9 @@ static int omap_mcbsp_dai_hw_params(struct snd_pcm_substream *substream,
+                       pkt_size = channels;
+               }
+-              latency = ((((buffer_size - pkt_size) / channels) * 1000)
+-                               / (params->rate_num / params->rate_den));
+-
++              latency = (buffer_size - pkt_size) / channels;
++              latency = latency * USEC_PER_SEC /
++                        (params->rate_num / params->rate_den);
+               mcbsp->latency[substream->stream] = latency;
+               omap_mcbsp_set_threshold(substream, pkt_size);
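Review bot: `latency * USEC_PER_SEC` is evaluated in `long`, which is 32 bits on ARM, so the product overflows once `(buffer_size - pkt_size) / channels` exceeds roughly 2147 frames; the old `* 1000` factor left far more headroom. The bound on `buffer_size` and the declared type of `latency` are outside this hunk, so this may be safe for the FIFO sizes in use, but the code does not say so. Either add a comment stating the maximum, or widen the intermediate, e.g. `latency = div_u64((u64)latency * USEC_PER_SEC, params->rate_num / params->rate_den);`.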
+-- 
+2.19.1
+
diff --git a/queue-4.19/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch b/queue-4.19/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch
new file mode 100644 (file)
index 0000000..f5f5ce2
--- /dev/null
@@ -0,0 +1,127 @@
+From dc36d5423e671bec4551d73d2b50529dc4256f7e Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 14 Nov 2018 13:06:22 +0200
+Subject: ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with
+ CPU_IDLE
+
+[ Upstream commit 373a500e34aea97971c9d71e45edad458d3da98f ]
+
+We need to block sleep states which would require longer time to leave than
+the time the DMA must react to the DMA request in order to keep the FIFO
+serviced without under of overrun.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Acked-by: Jarkko Nikula <jarkko.nikula@bitmer.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/omap/omap-mcpdm.c | 43 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 42 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/omap/omap-mcpdm.c b/sound/soc/omap/omap-mcpdm.c
+index 4c1be36c2207..7d5bdc5a2890 100644
+--- a/sound/soc/omap/omap-mcpdm.c
++++ b/sound/soc/omap/omap-mcpdm.c
+@@ -54,6 +54,8 @@ struct omap_mcpdm {
+       unsigned long phys_base;
+       void __iomem *io_base;
+       int irq;
++      struct pm_qos_request pm_qos_req;
++      int latency[2];
+       struct mutex mutex;
+@@ -277,6 +279,9 @@ static void omap_mcpdm_dai_shutdown(struct snd_pcm_substream *substream,
+                                 struct snd_soc_dai *dai)
+ {
+       struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai);
++      int tx = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK);
++      int stream1 = tx ? SNDRV_PCM_STREAM_PLAYBACK : SNDRV_PCM_STREAM_CAPTURE;
++      int stream2 = tx ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
+       mutex_lock(&mcpdm->mutex);
+@@ -289,6 +294,14 @@ static void omap_mcpdm_dai_shutdown(struct snd_pcm_substream *substream,
+               }
+       }
++      if (mcpdm->latency[stream2])
++              pm_qos_update_request(&mcpdm->pm_qos_req,
++                                    mcpdm->latency[stream2]);
++      else if (mcpdm->latency[stream1])
++              pm_qos_remove_request(&mcpdm->pm_qos_req);
++
++      mcpdm->latency[stream1] = 0;
++
+       mutex_unlock(&mcpdm->mutex);
+ }
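Review bot: The shutdown path calls `pm_qos_update_request()` and `pm_qos_remove_request()` based only on the cached `latency[]` values, without checking that the request was ever added. `latency[]` is filled in hw_params while the request is added in prepare, so a stream closed after hw_params but before prepare would reach these calls with an inactive request. `omap_mcpdm_remove()` in the same patch already guards with `pm_qos_request_active()`, and wrapping the update/remove pair here in `if (pm_qos_request_active(&mcpdm->pm_qos_req))` would keep the sites consistent, with `mcpdm->latency[stream1] = 0;` left outside the guard. The function begins outside this hunk.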
+@@ -300,7 +313,7 @@ static int omap_mcpdm_dai_hw_params(struct snd_pcm_substream *substream,
+       int stream = substream->stream;
+       struct snd_dmaengine_dai_dma_data *dma_data;
+       u32 threshold;
+-      int channels;
++      int channels, latency;
+       int link_mask = 0;
+       channels = params_channels(params);
+@@ -344,14 +357,25 @@ static int omap_mcpdm_dai_hw_params(struct snd_pcm_substream *substream,
+               dma_data->maxburst =
+                               (MCPDM_DN_THRES_MAX - threshold) * channels;
++              latency = threshold;
+       } else {
+               /* If playback is not running assume a stereo stream to come */
+               if (!mcpdm->config[!stream].link_mask)
+                       mcpdm->config[!stream].link_mask = (0x3 << 3);
+               dma_data->maxburst = threshold * channels;
++              latency = (MCPDM_DN_THRES_MAX - threshold);
+       }
++      /*
++       * The DMA must act to a DMA request within latency time (usec) to avoid
++       * under/overflow
++       */
++      mcpdm->latency[stream] = latency * USEC_PER_SEC / params_rate(params);
++
++      if (!mcpdm->latency[stream])
++              mcpdm->latency[stream] = 10;
++
+       /* Check if we need to restart McPDM with this stream */
+       if (mcpdm->config[stream].link_mask &&
+           mcpdm->config[stream].link_mask != link_mask)
+@@ -366,6 +390,20 @@ static int omap_mcpdm_prepare(struct snd_pcm_substream *substream,
+                                 struct snd_soc_dai *dai)
+ {
+       struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai);
++      struct pm_qos_request *pm_qos_req = &mcpdm->pm_qos_req;
++      int tx = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK);
++      int stream1 = tx ? SNDRV_PCM_STREAM_PLAYBACK : SNDRV_PCM_STREAM_CAPTURE;
++      int stream2 = tx ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
++      int latency = mcpdm->latency[stream2];
++
++      /* Prevent omap hardware from hitting off between FIFO fills */
++      if (!latency || mcpdm->latency[stream1] < latency)
++              latency = mcpdm->latency[stream1];
++
++      if (pm_qos_request_active(pm_qos_req))
++              pm_qos_update_request(pm_qos_req, latency);
++      else if (latency)
++              pm_qos_add_request(pm_qos_req, PM_QOS_CPU_DMA_LATENCY, latency);
+       if (!omap_mcpdm_active(mcpdm)) {
+               omap_mcpdm_start(mcpdm);
+@@ -427,6 +465,9 @@ static int omap_mcpdm_remove(struct snd_soc_dai *dai)
+       free_irq(mcpdm->irq, (void *)mcpdm);
+       pm_runtime_disable(mcpdm->dev);
++      if (pm_qos_request_active(&mcpdm->pm_qos_req))
++              pm_qos_remove_request(&mcpdm->pm_qos_req);
++
+       return 0;
+ }
+-- 
+2.19.1
+
diff --git a/queue-4.19/asoc-qcom-set-dai_link-id-to-each-dai_link.patch b/queue-4.19/asoc-qcom-set-dai_link-id-to-each-dai_link.patch
new file mode 100644 (file)
index 0000000..3ddf17f
--- /dev/null
@@ -0,0 +1,54 @@
+From 459b736c3e3dc1e480d5f21efd3430a2c46d74d8 Mon Sep 17 00:00:00 2001
+From: Rohit kumar <rohitkr@codeaurora.org>
+Date: Thu, 8 Nov 2018 19:11:40 +0530
+Subject: ASoC: qcom: Set dai_link id to each dai_link
+
+[ Upstream commit 67fd1437d11620de8768b22fe20942e752ed52e9 ]
+
+Frontend dai_link id is used for closing ADM sessions.
+During concurrent usecase when one session is closed,
+it closes other ADM session associated with other usecase
+too. Dai_link->id should always point to Frontend dai id.
+Set cpu_dai id as dai_link id to fix the issue.
+
+Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
+Acked-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/qcom/common.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/qcom/common.c b/sound/soc/qcom/common.c
+index eb1b9da05dd4..4715527054e5 100644
+--- a/sound/soc/qcom/common.c
++++ b/sound/soc/qcom/common.c
+@@ -13,6 +13,7 @@ int qcom_snd_parse_of(struct snd_soc_card *card)
+       struct device_node *cpu = NULL;
+       struct device *dev = card->dev;
+       struct snd_soc_dai_link *link;
++      struct of_phandle_args args;
+       int ret, num_links;
+       ret = snd_soc_of_parse_card_name(card, "model");
+@@ -47,12 +48,14 @@ int qcom_snd_parse_of(struct snd_soc_card *card)
+                       goto err;
+               }
+-              link->cpu_of_node = of_parse_phandle(cpu, "sound-dai", 0);
+-              if (!link->cpu_of_node) {
++              ret = of_parse_phandle_with_args(cpu, "sound-dai",
++                                      "#sound-dai-cells", 0, &args);
++              if (ret) {
+                       dev_err(card->dev, "error getting cpu phandle\n");
+-                      ret = -EINVAL;
+                       goto err;
+               }
++              link->cpu_of_node = args.np;
++              link->id = args.args[0];
+               ret = snd_soc_of_get_dai_name(cpu, &link->cpu_dai_name);
+               if (ret) {
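Review bot: `link->id = args.args[0];` reads the first specifier cell without checking `args.args_count`, and `args` is declared in the first hunk without an initialiser. If a `sound-dai` phandle resolves to a provider whose `#sound-dai-cells` is 0, the call succeeds with no cells filled in and `link->id` takes whatever was on the stack. The bindings in use may always supply one cell, but the code should not depend on that: either reject the node when `args.args_count < 1`, or use `link->id = args.args_count ? args.args[0] : 0;`. qcom_snd_parse_of continues outside the hunk.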
+-- 
+2.19.1
+
diff --git a/queue-4.19/asoc-qdsp6-q6afe-dai-fix-the-dai-widgets.patch b/queue-4.19/asoc-qdsp6-q6afe-dai-fix-the-dai-widgets.patch
new file mode 100644 (file)
index 0000000..be97396
--- /dev/null
@@ -0,0 +1,338 @@
+From b9dfc0db344bb5045042696ed6e9dbdd4fe4949a Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Tue, 6 Nov 2018 11:38:57 +0000
+Subject: ASoC: qdsp6: q6afe-dai: Fix the dai widgets
+
+[ Upstream commit e14856f6cfbb1b96aa45a68f188b147b5bde76b4 ]
+
+For some reason the dapm widgets are incorrectly defined from the start,
+Not sure how we ended up with such thing. Fix them now!
+
+Without this fix the backend dais are always powered up even if there
+is no active stream.
+
+Reported-by: Jimmy Cheng-Yi Chiang <cychiang@google.com>
+Reported-by: Rohit kumar <rohitkr@codeaurora.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/qcom/qdsp6/q6afe-dai.c | 208 +++++++++++++++----------------
+ 1 file changed, 104 insertions(+), 104 deletions(-)
+
+diff --git a/sound/soc/qcom/qdsp6/q6afe-dai.c b/sound/soc/qcom/qdsp6/q6afe-dai.c
+index 60ff4a2d3577..8f6c8fc073a9 100644
+--- a/sound/soc/qcom/qdsp6/q6afe-dai.c
++++ b/sound/soc/qcom/qdsp6/q6afe-dai.c
+@@ -1112,204 +1112,204 @@ static int q6afe_of_xlate_dai_name(struct snd_soc_component *component,
+ }
+ static const struct snd_soc_dapm_widget q6afe_dai_widgets[] = {
+-      SND_SOC_DAPM_AIF_OUT("HDMI_RX", "HDMI Playback", 0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SLIMBUS_0_RX", "Slimbus Playback", 0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SLIMBUS_1_RX", "Slimbus1 Playback", 0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SLIMBUS_2_RX", "Slimbus2 Playback", 0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SLIMBUS_3_RX", "Slimbus3 Playback", 0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SLIMBUS_4_RX", "Slimbus4 Playback", 0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SLIMBUS_5_RX", "Slimbus5 Playback", 0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SLIMBUS_6_RX", "Slimbus6 Playback", 0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("SLIMBUS_0_TX", "Slimbus Capture", 0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("SLIMBUS_1_TX", "Slimbus1 Capture", 0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("SLIMBUS_2_TX", "Slimbus2 Capture", 0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("SLIMBUS_3_TX", "Slimbus3 Capture", 0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("SLIMBUS_4_TX", "Slimbus4 Capture", 0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("SLIMBUS_5_TX", "Slimbus5 Capture", 0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("SLIMBUS_6_TX", "Slimbus6 Capture", 0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUAT_MI2S_RX", "Quaternary MI2S Playback",
++      SND_SOC_DAPM_AIF_IN("HDMI_RX", NULL, 0, 0, 0, 0),
++      SND_SOC_DAPM_AIF_IN("SLIMBUS_0_RX", NULL, 0, 0, 0, 0),
++      SND_SOC_DAPM_AIF_IN("SLIMBUS_1_RX", NULL, 0, 0, 0, 0),
++      SND_SOC_DAPM_AIF_IN("SLIMBUS_2_RX", NULL, 0, 0, 0, 0),
++      SND_SOC_DAPM_AIF_IN("SLIMBUS_3_RX", NULL, 0, 0, 0, 0),
++      SND_SOC_DAPM_AIF_IN("SLIMBUS_4_RX", NULL, 0, 0, 0, 0),
++      SND_SOC_DAPM_AIF_IN("SLIMBUS_5_RX", NULL, 0, 0, 0, 0),
++      SND_SOC_DAPM_AIF_IN("SLIMBUS_6_RX", NULL, 0, 0, 0, 0),
++      SND_SOC_DAPM_AIF_OUT("SLIMBUS_0_TX", NULL, 0, 0, 0, 0),
++      SND_SOC_DAPM_AIF_OUT("SLIMBUS_1_TX", NULL, 0, 0, 0, 0),
++      SND_SOC_DAPM_AIF_OUT("SLIMBUS_2_TX", NULL, 0, 0, 0, 0),
++      SND_SOC_DAPM_AIF_OUT("SLIMBUS_3_TX", NULL, 0, 0, 0, 0),
++      SND_SOC_DAPM_AIF_OUT("SLIMBUS_4_TX", NULL, 0, 0, 0, 0),
++      SND_SOC_DAPM_AIF_OUT("SLIMBUS_5_TX", NULL, 0, 0, 0, 0),
++      SND_SOC_DAPM_AIF_OUT("SLIMBUS_6_TX", NULL, 0, 0, 0, 0),
++      SND_SOC_DAPM_AIF_IN("QUAT_MI2S_RX", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUAT_MI2S_TX", "Quaternary MI2S Capture",
++      SND_SOC_DAPM_AIF_OUT("QUAT_MI2S_TX", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("TERT_MI2S_RX", "Tertiary MI2S Playback",
++      SND_SOC_DAPM_AIF_IN("TERT_MI2S_RX", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("TERT_MI2S_TX", "Tertiary MI2S Capture",
++      SND_SOC_DAPM_AIF_OUT("TERT_MI2S_TX", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SEC_MI2S_RX", "Secondary MI2S Playback",
++      SND_SOC_DAPM_AIF_IN("SEC_MI2S_RX", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("SEC_MI2S_TX", "Secondary MI2S Capture",
++      SND_SOC_DAPM_AIF_OUT("SEC_MI2S_TX", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SEC_MI2S_RX_SD1",
++      SND_SOC_DAPM_AIF_IN("SEC_MI2S_RX_SD1",
+                       "Secondary MI2S Playback SD1",
+                       0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("PRI_MI2S_RX", "Primary MI2S Playback",
++      SND_SOC_DAPM_AIF_IN("PRI_MI2S_RX", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("PRI_MI2S_TX", "Primary MI2S Capture",
++      SND_SOC_DAPM_AIF_OUT("PRI_MI2S_TX", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_RX_0", "Primary TDM0 Playback",
++      SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_0", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_RX_1", "Primary TDM1 Playback",
++      SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_1", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_RX_2", "Primary TDM2 Playback",
++      SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_2", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_RX_3", "Primary TDM3 Playback",
++      SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_3", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_RX_4", "Primary TDM4 Playback",
++      SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_4", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_RX_5", "Primary TDM5 Playback",
++      SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_5", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_RX_6", "Primary TDM6 Playback",
++      SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_6", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_RX_7", "Primary TDM7 Playback",
++      SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_7", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_TX_0", "Primary TDM0 Capture",
++      SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_0", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_TX_1", "Primary TDM1 Capture",
++      SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_1", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_TX_2", "Primary TDM2 Capture",
++      SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_2", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_TX_3", "Primary TDM3 Capture",
++      SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_3", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_TX_4", "Primary TDM4 Capture",
++      SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_4", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_TX_5", "Primary TDM5 Capture",
++      SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_5", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_TX_6", "Primary TDM6 Capture",
++      SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_6", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_TX_7", "Primary TDM7 Capture",
++      SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_7", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SEC_TDM_RX_0", "Secondary TDM0 Playback",
++      SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_0", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SEC_TDM_RX_1", "Secondary TDM1 Playback",
++      SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_1", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SEC_TDM_RX_2", "Secondary TDM2 Playback",
++      SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_2", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SEC_TDM_RX_3", "Secondary TDM3 Playback",
++      SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_3", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SEC_TDM_RX_4", "Secondary TDM4 Playback",
++      SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_4", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SEC_TDM_RX_5", "Secondary TDM5 Playback",
++      SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_5", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SEC_TDM_RX_6", "Secondary TDM6 Playback",
++      SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_6", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("SEC_TDM_RX_7", "Secondary TDM7 Playback",
++      SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_7", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("SEC_TDM_TX_0", "Secondary TDM0 Capture",
++      SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_0", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("SEC_TDM_TX_1", "Secondary TDM1 Capture",
++      SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_1", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("SEC_TDM_TX_2", "Secondary TDM2 Capture",
++      SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_2", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("SEC_TDM_TX_3", "Secondary TDM3 Capture",
++      SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_3", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("SEC_TDM_TX_4", "Secondary TDM4 Capture",
++      SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_4", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("SEC_TDM_TX_5", "Secondary TDM5 Capture",
++      SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_5", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("SEC_TDM_TX_6", "Secondary TDM6 Capture",
++      SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_6", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("SEC_TDM_TX_7", "Secondary TDM7 Capture",
++      SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_7", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("TERT_TDM_RX_0", "Tertiary TDM0 Playback",
++      SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_0", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("TERT_TDM_RX_1", "Tertiary TDM1 Playback",
++      SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_1", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("TERT_TDM_RX_2", "Tertiary TDM2 Playback",
++      SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_2", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("TERT_TDM_RX_3", "Tertiary TDM3 Playback",
++      SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_3", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("TERT_TDM_RX_4", "Tertiary TDM4 Playback",
++      SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_4", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("TERT_TDM_RX_5", "Tertiary TDM5 Playback",
++      SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_5", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("TERT_TDM_RX_6", "Tertiary TDM6 Playback",
++      SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_6", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("TERT_TDM_RX_7", "Tertiary TDM7 Playback",
++      SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_7", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("TERT_TDM_TX_0", "Tertiary TDM0 Capture",
++      SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_0", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("TERT_TDM_TX_1", "Tertiary TDM1 Capture",
++      SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_1", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("TERT_TDM_TX_2", "Tertiary TDM2 Capture",
++      SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_2", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("TERT_TDM_TX_3", "Tertiary TDM3 Capture",
++      SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_3", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("TERT_TDM_TX_4", "Tertiary TDM4 Capture",
++      SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_4", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("TERT_TDM_TX_5", "Tertiary TDM5 Capture",
++      SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_5", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("TERT_TDM_TX_6", "Tertiary TDM6 Capture",
++      SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_6", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("TERT_TDM_TX_7", "Tertiary TDM7 Capture",
++      SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_7", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUAT_TDM_RX_0", "Quaternary TDM0 Playback",
++      SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_0", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUAT_TDM_RX_1", "Quaternary TDM1 Playback",
++      SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_1", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUAT_TDM_RX_2", "Quaternary TDM2 Playback",
++      SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_2", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUAT_TDM_RX_3", "Quaternary TDM3 Playback",
++      SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_3", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUAT_TDM_RX_4", "Quaternary TDM4 Playback",
++      SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_4", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUAT_TDM_RX_5", "Quaternary TDM5 Playback",
++      SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_5", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUAT_TDM_RX_6", "Quaternary TDM6 Playback",
++      SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_6", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUAT_TDM_RX_7", "Quaternary TDM7 Playback",
++      SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_7", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUAT_TDM_TX_0", "Quaternary TDM0 Capture",
++      SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_0", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUAT_TDM_TX_1", "Quaternary TDM1 Capture",
++      SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_1", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUAT_TDM_TX_2", "Quaternary TDM2 Capture",
++      SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_2", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUAT_TDM_TX_3", "Quaternary TDM3 Capture",
++      SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_3", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUAT_TDM_TX_4", "Quaternary TDM4 Capture",
++      SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_4", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUAT_TDM_TX_5", "Quaternary TDM5 Capture",
++      SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_5", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUAT_TDM_TX_6", "Quaternary TDM6 Capture",
++      SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_6", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUAT_TDM_TX_7", "Quaternary TDM7 Capture",
++      SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_7", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUIN_TDM_RX_0", "Quinary TDM0 Playback",
++      SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_0", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUIN_TDM_RX_1", "Quinary TDM1 Playback",
++      SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_1", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUIN_TDM_RX_2", "Quinary TDM2 Playback",
++      SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_2", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUIN_TDM_RX_3", "Quinary TDM3 Playback",
++      SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_3", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUIN_TDM_RX_4", "Quinary TDM4 Playback",
++      SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_4", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUIN_TDM_RX_5", "Quinary TDM5 Playback",
++      SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_5", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUIN_TDM_RX_6", "Quinary TDM6 Playback",
++      SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_6", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_OUT("QUIN_TDM_RX_7", "Quinary TDM7 Playback",
++      SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_7", NULL,
+                            0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUIN_TDM_TX_0", "Quinary TDM0 Capture",
++      SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_0", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUIN_TDM_TX_1", "Quinary TDM1 Capture",
++      SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_1", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUIN_TDM_TX_2", "Quinary TDM2 Capture",
++      SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_2", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUIN_TDM_TX_3", "Quinary TDM3 Capture",
++      SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_3", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUIN_TDM_TX_4", "Quinary TDM4 Capture",
++      SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_4", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUIN_TDM_TX_5", "Quinary TDM5 Capture",
++      SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_5", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUIN_TDM_TX_6", "Quinary TDM6 Capture",
++      SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_6", NULL,
+                                               0, 0, 0, 0),
+-      SND_SOC_DAPM_AIF_IN("QUIN_TDM_TX_7", "Quinary TDM7 Capture",
++      SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_7", NULL,
+                                               0, 0, 0, 0),
+ };
+-- 
+2.19.1
+
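Review bot: The `SEC_MI2S_RX_SD1` entry in `q6afe_dai_widgets[]` still passes the stream name `"Secondary MI2S Playback SD1"`, while every other widget in the new table passes `NULL`. This one widget may therefore keep the stream binding that the patch removes everywhere else. If that is not intended, the entry should read `SND_SOC_DAPM_AIF_IN("SEC_MI2S_RX_SD1", NULL, 0, 0, 0, 0),`. If it is intended, a one-line comment above it should say why this port keeps a stream name. Whether a DAI stream of that name exists cannot be seen from this hunk.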
diff --git a/queue-4.19/asoc-qdsp6-q6afe-fix-wrong-mi2s-sd-line-mask.patch b/queue-4.19/asoc-qdsp6-q6afe-fix-wrong-mi2s-sd-line-mask.patch
new file mode 100644 (file)
index 0000000..161151e
--- /dev/null
@@ -0,0 +1,47 @@
+From 74b7a90dceac1a76917588c3b6be7dad7ab803cc Mon Sep 17 00:00:00 2001
+From: Rohit kumar <rohitkr@codeaurora.org>
+Date: Thu, 1 Nov 2018 17:21:07 +0530
+Subject: ASoC: qdsp6: q6afe: Fix wrong MI2S SD line mask
+
+[ Upstream commit 112b57fa737445b2361be332ce8cc0fd3e2b994e ]
+
+SD line mask for MI2S starts from BIT 0 instead of BIT 1.
+Fix all bit mask for MI2S SD lines.
+
+Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/qcom/qdsp6/q6afe.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/sound/soc/qcom/qdsp6/q6afe.c b/sound/soc/qcom/qdsp6/q6afe.c
+index 000775b4bba8..829b5e987b2a 100644
+--- a/sound/soc/qcom/qdsp6/q6afe.c
++++ b/sound/soc/qcom/qdsp6/q6afe.c
+@@ -49,14 +49,14 @@
+ #define AFE_PORT_I2S_SD1              0x2
+ #define AFE_PORT_I2S_SD2              0x3
+ #define AFE_PORT_I2S_SD3              0x4
+-#define AFE_PORT_I2S_SD0_MASK         BIT(0x1)
+-#define AFE_PORT_I2S_SD1_MASK         BIT(0x2)
+-#define AFE_PORT_I2S_SD2_MASK         BIT(0x3)
+-#define AFE_PORT_I2S_SD3_MASK         BIT(0x4)
+-#define AFE_PORT_I2S_SD0_1_MASK               GENMASK(2, 1)
+-#define AFE_PORT_I2S_SD2_3_MASK               GENMASK(4, 3)
+-#define AFE_PORT_I2S_SD0_1_2_MASK     GENMASK(3, 1)
+-#define AFE_PORT_I2S_SD0_1_2_3_MASK   GENMASK(4, 1)
++#define AFE_PORT_I2S_SD0_MASK         BIT(0x0)
++#define AFE_PORT_I2S_SD1_MASK         BIT(0x1)
++#define AFE_PORT_I2S_SD2_MASK         BIT(0x2)
++#define AFE_PORT_I2S_SD3_MASK         BIT(0x3)
++#define AFE_PORT_I2S_SD0_1_MASK               GENMASK(1, 0)
++#define AFE_PORT_I2S_SD2_3_MASK               GENMASK(3, 2)
++#define AFE_PORT_I2S_SD0_1_2_MASK     GENMASK(2, 0)
++#define AFE_PORT_I2S_SD0_1_2_3_MASK   GENMASK(3, 0)
+ #define AFE_PORT_I2S_QUAD01           0x5
+ #define AFE_PORT_I2S_QUAD23           0x6
+ #define AFE_PORT_I2S_6CHS             0x7
+-- 
+2.19.1
+
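Review bot: The `AFE_PORT_I2S_SDn_MASK` block has no comment saying that the masks are a zero-based bitmap of SD lines, not derived from the `AFE_PORT_I2S_SDn` mode values next to them (`AFE_PORT_I2S_SD1` is `0x2`, its mask is now `BIT(0x1)`). That mismatch looks like the source of the original off-by-one. A line such as `/* SD line bitmap: bit n == SDn; not BIT(AFE_PORT_I2S_SDn) */` above the masks would keep it from being reintroduced. As a style point, the bit index is hex in `BIT(0x0)` but decimal in `GENMASK(1, 0)`; one form throughout reads better.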
diff --git a/queue-4.19/asoc-rockchip-add-missing-slave_config-setting-for-i.patch b/queue-4.19/asoc-rockchip-add-missing-slave_config-setting-for-i.patch
new file mode 100644 (file)
index 0000000..93f58f4
--- /dev/null
@@ -0,0 +1,32 @@
+From d41d5ef7811fee66a2323ed1831921a83996beb8 Mon Sep 17 00:00:00 2001
+From: Katsuhiro Suzuki <katsuhiro@katsuster.net>
+Date: Sun, 11 Nov 2018 00:18:44 +0900
+Subject: ASoC: rockchip: add missing slave_config setting for I2S
+
+[ Upstream commit 16a8ee4c80b45984b6de1f90a49edcf336b7c621 ]
+
+This patch adds missing prepare_sleve_config that is needed for
+setup the DMA slave channel for I2S.
+
+Signed-off-by: Katsuhiro Suzuki <katsuhiro@katsuster.net>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/rockchip/rockchip_pcm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/rockchip/rockchip_pcm.c b/sound/soc/rockchip/rockchip_pcm.c
+index f77538319221..7029e0b85f9e 100644
+--- a/sound/soc/rockchip/rockchip_pcm.c
++++ b/sound/soc/rockchip/rockchip_pcm.c
+@@ -32,6 +32,7 @@ static const struct snd_pcm_hardware snd_rockchip_hardware = {
+ static const struct snd_dmaengine_pcm_config rk_dmaengine_pcm_config = {
+       .pcm_hardware = &snd_rockchip_hardware,
++      .prepare_slave_config = snd_dmaengine_pcm_prepare_slave_config,
+       .prealloc_buffer_size = 32 * 1024,
+ };
+-- 
+2.19.1
+
diff --git a/queue-4.19/asoc-rsnd-fixup-clock-start-checker.patch b/queue-4.19/asoc-rsnd-fixup-clock-start-checker.patch
new file mode 100644 (file)
index 0000000..b1bec6e
--- /dev/null
@@ -0,0 +1,43 @@
+From 2a3b31f5ba09ddced70072625fab8fea54ba35b8 Mon Sep 17 00:00:00 2001
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Date: Wed, 31 Oct 2018 00:48:12 +0000
+Subject: ASoC: rsnd: fixup clock start checker
+
+[ Upstream commit 3ee9a76a8c5a10e1bfb04b81db767c6d562ddaf3 ]
+
+commit 4d230d12710646 ("ASoC: rsnd: fixup not to call clk_get/set under
+non-atomic") fixuped clock start timing. But it exchanged clock start
+checker from ssi->usrcnt to ssi->rate.
+
+Current rsnd_ssi_master_clk_start() is called from .prepare,
+but some player (for example GStreamer) might calls it many times.
+In such case, the checker might returns error even though it was not
+error. It should check ssi->usrcnt instead of ssi->rate.
+This patch fixup it. Without this patch, GStreamer can't switch
+48kHz / 44.1kHz.
+
+Reported-by: Yusuke Goda <yusuke.goda.sx@renesas.com>
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Tested-by: Yusuke Goda <yusuke.goda.sx@renesas.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sh/rcar/ssi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c
+index 3f880ec66459..a566dae3ec8a 100644
+--- a/sound/soc/sh/rcar/ssi.c
++++ b/sound/soc/sh/rcar/ssi.c
+@@ -283,7 +283,7 @@ static int rsnd_ssi_master_clk_start(struct rsnd_mod *mod,
+       if (rsnd_ssi_is_multi_slave(mod, io))
+               return 0;
+-      if (ssi->rate) {
++      if (ssi->usrcnt > 1) {
+               if (ssi->rate != rate) {
+                       dev_err(dev, "SSI parent/child should use same rate\n");
+                       return -EINVAL;
+-- 
+2.19.1
+
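Review bot: The new condition `ssi->usrcnt > 1` in `rsnd_ssi_master_clk_start()` uses a bare `1` whose meaning depends on code outside the hunk. It presumably assumes the calling stream's own reference is already counted by the time `.prepare` runs. A comment such as `/* usrcnt already includes this stream; only an additional user must match the running rate */` would make that dependency visible. The function body continues outside the hunk, so the locking around `usrcnt` is not visible here and is worth confirming.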
diff --git a/queue-4.19/asoc-sun8i-codec-fix-crash-on-module-removal.patch b/queue-4.19/asoc-sun8i-codec-fix-crash-on-module-removal.patch
new file mode 100644 (file)
index 0000000..9c58e56
--- /dev/null
@@ -0,0 +1,49 @@
+From 7798407fa8c9dde56bde0e22bafd1520f5662ae7 Mon Sep 17 00:00:00 2001
+From: Vasily Khoruzhick <anarsoul@gmail.com>
+Date: Thu, 8 Nov 2018 20:31:35 -0800
+Subject: ASoC: sun8i-codec: fix crash on module removal
+
+[ Upstream commit 278df5e5527b633f4882f1680ad58b62a7c07bfe ]
+
+drvdata is actually sun8i_codec, not snd_soc_card, so it crashes
+when calling snd_soc_card_get_drvdata().
+
+Drop card and scodec vars anyway since we don't need to
+disable/unprepare clocks - it's already done by calling
+runtime_suspend()
+
+Drop clk_disable_unprepare() calls for the same reason.
+
+Fixes: 36c684936fae7 ("ASoC: Add sun8i digital audio codec")
+Signed-off-by: Vasily Khoruzhick <anarsoul@gmail.com>
+Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sunxi/sun8i-codec.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/sound/soc/sunxi/sun8i-codec.c b/sound/soc/sunxi/sun8i-codec.c
+index fb37dd927e33..bf615fa16dc8 100644
+--- a/sound/soc/sunxi/sun8i-codec.c
++++ b/sound/soc/sunxi/sun8i-codec.c
+@@ -589,16 +589,10 @@ static int sun8i_codec_probe(struct platform_device *pdev)
+ static int sun8i_codec_remove(struct platform_device *pdev)
+ {
+-      struct snd_soc_card *card = platform_get_drvdata(pdev);
+-      struct sun8i_codec *scodec = snd_soc_card_get_drvdata(card);
+-
+       pm_runtime_disable(&pdev->dev);
+       if (!pm_runtime_status_suspended(&pdev->dev))
+               sun8i_codec_runtime_suspend(&pdev->dev);
+-      clk_disable_unprepare(scodec->clk_module);
+-      clk_disable_unprepare(scodec->clk_bus);
+-
+       return 0;
+ }
+-- 
+2.19.1
+
diff --git a/queue-4.19/asoc-wm_adsp-fix-dma-unsafe-read-of-scratch-register.patch b/queue-4.19/asoc-wm_adsp-fix-dma-unsafe-read-of-scratch-register.patch
new file mode 100644 (file)
index 0000000..5748284
--- /dev/null
@@ -0,0 +1,88 @@
+From 86614b1ecb60bd19f94b5937bfa01d9185c76f88 Mon Sep 17 00:00:00 2001
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+Date: Mon, 12 Nov 2018 13:36:38 +0000
+Subject: ASoC: wm_adsp: Fix dma-unsafe read of scratch registers
+
+[ Upstream commit 20e00db2f59bdddf8a8e241473ef8be94631d3ae ]
+
+Stack memory isn't DMA-safe so it isn't safe to use either
+regmap_raw_read or regmap_bulk_read to read into stack memory.
+
+The two functions to read the scratch registers were using
+stack memory and regmap_raw_read. It's not worth allocating
+memory just for this trivial read, and it isn't time-critical.
+A simple regmap_read for each register is sufficient.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wm_adsp.c | 37 ++++++++++++++++++++-----------------
+ 1 file changed, 20 insertions(+), 17 deletions(-)
+
+diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c
+index f61656070225..4d3ec295679d 100644
+--- a/sound/soc/codecs/wm_adsp.c
++++ b/sound/soc/codecs/wm_adsp.c
+@@ -765,38 +765,41 @@ static unsigned int wm_adsp_region_to_reg(struct wm_adsp_region const *mem,
+ static void wm_adsp2_show_fw_status(struct wm_adsp *dsp)
+ {
+-      u16 scratch[4];
++      unsigned int scratch[4];
++      unsigned int addr = dsp->base + ADSP2_SCRATCH0;
++      unsigned int i;
+       int ret;
+-      ret = regmap_raw_read(dsp->regmap, dsp->base + ADSP2_SCRATCH0,
+-                              scratch, sizeof(scratch));
+-      if (ret) {
+-              adsp_err(dsp, "Failed to read SCRATCH regs: %d\n", ret);
+-              return;
++      for (i = 0; i < ARRAY_SIZE(scratch); ++i) {
++              ret = regmap_read(dsp->regmap, addr + i, &scratch[i]);
++              if (ret) {
++                      adsp_err(dsp, "Failed to read SCRATCH%u: %d\n", i, ret);
++                      return;
++              }
+       }
+       adsp_dbg(dsp, "FW SCRATCH 0:0x%x 1:0x%x 2:0x%x 3:0x%x\n",
+-               be16_to_cpu(scratch[0]),
+-               be16_to_cpu(scratch[1]),
+-               be16_to_cpu(scratch[2]),
+-               be16_to_cpu(scratch[3]));
++               scratch[0], scratch[1], scratch[2], scratch[3]);
+ }
+ static void wm_adsp2v2_show_fw_status(struct wm_adsp *dsp)
+ {
+-      u32 scratch[2];
++      unsigned int scratch[2];
+       int ret;
+-      ret = regmap_raw_read(dsp->regmap, dsp->base + ADSP2V2_SCRATCH0_1,
+-                            scratch, sizeof(scratch));
+-
++      ret = regmap_read(dsp->regmap, dsp->base + ADSP2V2_SCRATCH0_1,
++                        &scratch[0]);
+       if (ret) {
+-              adsp_err(dsp, "Failed to read SCRATCH regs: %d\n", ret);
++              adsp_err(dsp, "Failed to read SCRATCH0_1: %d\n", ret);
+               return;
+       }
+-      scratch[0] = be32_to_cpu(scratch[0]);
+-      scratch[1] = be32_to_cpu(scratch[1]);
++      ret = regmap_read(dsp->regmap, dsp->base + ADSP2V2_SCRATCH2_3,
++                        &scratch[1]);
++      if (ret) {
++              adsp_err(dsp, "Failed to read SCRATCH2_3: %d\n", ret);
++              return;
++      }
+       adsp_dbg(dsp, "FW SCRATCH 0:0x%x 1:0x%x 2:0x%x 3:0x%x\n",
+                scratch[0] & 0xFFFF,
+-- 
+2.19.1
+
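Review bot: In `wm_adsp2_show_fw_status()` the loop reads `addr + i`, which assumes `ADSP2_SCRATCH1` to `ADSP2_SCRATCH3` follow `ADSP2_SCRATCH0` at consecutive register addresses; the hunk does not show those definitions. `wm_adsp2v2_show_fw_status()` names each register explicitly (`ADSP2V2_SCRATCH0_1`, `ADSP2V2_SCRATCH2_3`), so the two functions now differ in style. A comment like `/* SCRATCH0..3 are contiguous, one register address apart */` next to `addr` would document the assumption, as would naming the four registers the way the v2 variant does. The `be16_to_cpu()`/`be32_to_cpu()` conversions are dropped with the raw read, which fits `regmap_read()` returning CPU-order values, and a short comment saying so would explain why they went. `wm_adsp2v2_show_fw_status()` continues past the end of the hunk.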
diff --git a/queue-4.19/bpf-allocate-local-storage-buffers-using-gfp_atomic.patch b/queue-4.19/bpf-allocate-local-storage-buffers-using-gfp_atomic.patch
new file mode 100644 (file)
index 0000000..50dc272
--- /dev/null
@@ -0,0 +1,58 @@
+From 4d09bea1feaec0a217ab901fda7a75a0b4a34c3d Mon Sep 17 00:00:00 2001
+From: Roman Gushchin <guroan@gmail.com>
+Date: Wed, 14 Nov 2018 10:00:34 -0800
+Subject: bpf: allocate local storage buffers using GFP_ATOMIC
+
+[ Upstream commit 569a933b03f3c48b392fe67c0086b3a6b9306b5a ]
+
+Naresh reported an issue with the non-atomic memory allocation of
+cgroup local storage buffers:
+
+[   73.047526] BUG: sleeping function called from invalid context at
+/srv/oe/build/tmp-rpb-glibc/work-shared/intel-corei7-64/kernel-source/mm/slab.h:421
+[   73.060915] in_atomic(): 1, irqs_disabled(): 0, pid: 3157, name: test_cgroup_sto
+[   73.068342] INFO: lockdep is turned off.
+[   73.072293] CPU: 2 PID: 3157 Comm: test_cgroup_sto Not tainted
+4.20.0-rc2-next-20181113 #1
+[   73.080548] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
+2.0b 07/27/2017
+[   73.088018] Call Trace:
+[   73.090463]  dump_stack+0x70/0xa5
+[   73.093783]  ___might_sleep+0x152/0x240
+[   73.097619]  __might_sleep+0x4a/0x80
+[   73.101191]  __kmalloc_node+0x1cf/0x2f0
+[   73.105031]  ? cgroup_storage_update_elem+0x46/0x90
+[   73.109909]  cgroup_storage_update_elem+0x46/0x90
+
+cgroup_storage_update_elem() (as well as other update map update
+callbacks) is called with disabled preemption, so GFP_ATOMIC
+allocation should be used: e.g. alloc_htab_elem() in hashtab.c.
+
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/local_storage.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/local_storage.c b/kernel/bpf/local_storage.c
+index 830d7f095748..fc1605aee5ea 100644
+--- a/kernel/bpf/local_storage.c
++++ b/kernel/bpf/local_storage.c
+@@ -138,7 +138,8 @@ static int cgroup_storage_update_elem(struct bpf_map *map, void *_key,
+               return -ENOENT;
+       new = kmalloc_node(sizeof(struct bpf_storage_buffer) +
+-                         map->value_size, __GFP_ZERO | GFP_USER,
++                         map->value_size,
++                         __GFP_ZERO | GFP_ATOMIC | __GFP_NOWARN,
+                          map->numa_node);
+       if (!new)
+               return -ENOMEM;
+-- 
+2.19.1
+
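Review bot: With `GFP_ATOMIC`, the `kmalloc_node()` call in `cgroup_storage_update_elem()` may draw on atomic reserves for a buffer whose size includes `map->value_size`. That value presumably comes from whoever created the map, and the hunk does not show where it is bounded. It is worth confirming that the map-creation path caps it and saying so next to the call, e.g. `/* update runs with preemption disabled: must not sleep; value_size is capped at map creation */`. `__GFP_NOWARN` suppresses the allocation-failure warning, so the `-ENOMEM` return just below is the only signal the caller gets. The function starts and ends outside the hunk.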
diff --git a/queue-4.19/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch b/queue-4.19/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch
new file mode 100644 (file)
index 0000000..ae9fa5f
--- /dev/null
@@ -0,0 +1,44 @@
+From 4233cd140e00454aa2de06f8f7c0f9778ce1e0b7 Mon Sep 17 00:00:00 2001
+From: Martynas Pumputis <m@lambda.lt>
+Date: Fri, 23 Nov 2018 17:43:26 +0100
+Subject: bpf: fix check of allowed specifiers in bpf_trace_printk
+
+[ Upstream commit 1efb6ee3edea57f57f9fb05dba8dcb3f7333f61f ]
+
+A format string consisting of "%p" or "%s" followed by an invalid
+specifier (e.g. "%p%\n" or "%s%") could pass the check which
+would make format_decode (lib/vsprintf.c) to warn.
+
+Fixes: 9c959c863f82 ("tracing: Allow BPF programs to call bpf_trace_printk()")
+Reported-by: syzbot+1ec5c5ec949c4adaa0c4@syzkaller.appspotmail.com
+Signed-off-by: Martynas Pumputis <m@lambda.lt>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/bpf_trace.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index 08fcfe440c63..9864a35c8bb5 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -196,11 +196,13 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
+                       i++;
+               } else if (fmt[i] == 'p' || fmt[i] == 's') {
+                       mod[fmt_cnt]++;
+-                      i++;
+-                      if (!isspace(fmt[i]) && !ispunct(fmt[i]) && fmt[i] != 0)
++                      /* disallow any further format extensions */
++                      if (fmt[i + 1] != 0 &&
++                          !isspace(fmt[i + 1]) &&
++                          !ispunct(fmt[i + 1]))
+                               return -EINVAL;
+                       fmt_cnt++;
+-                      if (fmt[i - 1] == 's') {
++                      if (fmt[i] == 's') {
+                               if (str_seen)
+                                       /* allow only one '%s' per fmt string */
+                                       return -EINVAL;
+-- 
+2.19.1
+
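Review bot: The new lookahead `fmt[i + 1]` in the `'p'`/`'s'` branch of bpf_trace_printk is in bounds only if the buffer is NUL-terminated within fmt_size, and nothing in this hunk shows that guarantee. Presumably the function rejects an unterminated fmt before the loop, in code outside the hunk; if so, say it next to the read, e.g. `/* fmt is NUL-terminated (checked above), so fmt[i + 1] is readable; i is not advanced, so the next iteration validates that character itself */`. The existing comment `/* disallow any further format extensions */` does not explain why `i++` was dropped, which is the actual fix for inputs such as "%p%". The function starts and ends outside the hunk.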
diff --git a/queue-4.19/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch b/queue-4.19/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch
new file mode 100644 (file)
index 0000000..489b427
--- /dev/null
@@ -0,0 +1,200 @@
+From 70d42cd259e02cb2f982091c524c51720e9a65cf Mon Sep 17 00:00:00 2001
+From: Robbie Ko <robbieko@synology.com>
+Date: Wed, 14 Nov 2018 18:32:37 +0000
+Subject: Btrfs: send, fix infinite loop due to directory rename dependencies
+
+[ Upstream commit a4390aee72713d9e73f1132bcdeb17d72fbbf974 ]
+
+When doing an incremental send, due to the need of delaying directory move
+(rename) operations we can end up in infinite loop at
+apply_children_dir_moves().
+
+An example scenario that triggers this problem is described below, where
+directory names correspond to the numbers of their respective inodes.
+
+Parent snapshot:
+
+ .
+ |--- 261/
+       |--- 271/
+             |--- 266/
+                   |--- 259/
+                   |--- 260/
+                   |     |--- 267
+                   |
+                   |--- 264/
+                   |     |--- 258/
+                   |           |--- 257/
+                   |
+                   |--- 265/
+                   |--- 268/
+                   |--- 269/
+                   |     |--- 262/
+                   |
+                   |--- 270/
+                   |--- 272/
+                   |     |--- 263/
+                   |     |--- 275/
+                   |
+                   |--- 274/
+                         |--- 273/
+
+Send snapshot:
+
+ .
+ |-- 275/
+      |-- 274/
+           |-- 273/
+                |-- 262/
+                     |-- 269/
+                          |-- 258/
+                               |-- 271/
+                                    |-- 268/
+                                         |-- 267/
+                                              |-- 270/
+                                                   |-- 259/
+                                                   |    |-- 265/
+                                                   |
+                                                   |-- 272/
+                                                        |-- 257/
+                                                             |-- 260/
+                                                             |-- 264/
+                                                                  |-- 263/
+                                                                       |-- 261/
+                                                                            |-- 266/
+
+When processing inode 257 we delay its move (rename) operation because its
+new parent in the send snapshot, inode 272, was not yet processed. Then
+when processing inode 272, we delay the move operation for that inode
+because inode 274 is its ancestor in the send snapshot. Finally we delay
+the move operation for inode 274 when processing it because inode 275 is
+its new parent in the send snapshot and was not yet moved.
+
+When finishing processing inode 275, we start to do the move operations
+that were previously delayed (at apply_children_dir_moves()), resulting in
+the following iterations:
+
+1) We issue the move operation for inode 274;
+
+2) Because inode 262 depended on the move operation of inode 274 (it was
+   delayed because 274 is its ancestor in the send snapshot), we issue the
+   move operation for inode 262;
+
+3) We issue the move operation for inode 272, because it was delayed by
+   inode 274 too (ancestor of 272 in the send snapshot);
+
+4) We issue the move operation for inode 269 (it was delayed by 262);
+
+5) We issue the move operation for inode 257 (it was delayed by 272);
+
+6) We issue the move operation for inode 260 (it was delayed by 272);
+
+7) We issue the move operation for inode 258 (it was delayed by 269);
+
+8) We issue the move operation for inode 264 (it was delayed by 257);
+
+9) We issue the move operation for inode 271 (it was delayed by 258);
+
+10) We issue the move operation for inode 263 (it was delayed by 264);
+
+11) We issue the move operation for inode 268 (it was delayed by 271);
+
+12) We verify if we can issue the move operation for inode 270 (it was
+    delayed by 271). We detect a path loop in the current state, because
+    inode 267 needs to be moved first before we can issue the move
+    operation for inode 270. So we delay again the move operation for
+    inode 270, this time we will attempt to do it after inode 267 is
+    moved;
+
+13) We issue the move operation for inode 261 (it was delayed by 263);
+
+14) We verify if we can issue the move operation for inode 266 (it was
+    delayed by 263). We detect a path loop in the current state, because
+    inode 270 needs to be moved first before we can issue the move
+    operation for inode 266. So we delay again the move operation for
+    inode 266, this time we will attempt to do it after inode 270 is
+    moved (its move operation was delayed in step 12);
+
+15) We issue the move operation for inode 267 (it was delayed by 268);
+
+16) We verify if we can issue the move operation for inode 266 (it was
+    delayed by 270). We detect a path loop in the current state, because
+    inode 270 needs to be moved first before we can issue the move
+    operation for inode 266. So we delay again the move operation for
+    inode 266, this time we will attempt to do it after inode 270 is
+    moved (its move operation was delayed in step 12). So here we added
+    again the same delayed move operation that we added in step 14;
+
+17) We attempt again to see if we can issue the move operation for inode
+    266, and as in step 16, we realize we can not due to a path loop in
+    the current state due to a dependency on inode 270. Again we delay
+    inode's 266 rename to happen after inode's 270 move operation, adding
+    the same dependency to the empty stack that we did in steps 14 and 16.
+    The next iteration will pick the same move dependency on the stack
+    (the only entry) and realize again there is still a path loop and then
+    again the same dependency to the stack, over and over, resulting in
+    an infinite loop.
+
+So fix this by preventing adding the same move dependency entries to the
+stack by removing each pending move record from the red black tree of
+pending moves. This way the next call to get_pending_dir_moves() will
+not return anything for the current parent inode.
+
+A test case for fstests, with this reproducer, follows soon.
+
+Signed-off-by: Robbie Ko <robbieko@synology.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+[Wrote changelog with example and more clear explanation]
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index ba8950bfd9c7..84cb6e5ef36c 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -3344,7 +3344,8 @@ static void free_pending_move(struct send_ctx *sctx, struct pending_dir_move *m)
+       kfree(m);
+ }
+-static void tail_append_pending_moves(struct pending_dir_move *moves,
++static void tail_append_pending_moves(struct send_ctx *sctx,
++                                    struct pending_dir_move *moves,
+                                     struct list_head *stack)
+ {
+       if (list_empty(&moves->list)) {
+@@ -3355,6 +3356,10 @@ static void tail_append_pending_moves(struct pending_dir_move *moves,
+               list_add_tail(&moves->list, stack);
+               list_splice_tail(&list, stack);
+       }
++      if (!RB_EMPTY_NODE(&moves->node)) {
++              rb_erase(&moves->node, &sctx->pending_dir_moves);
++              RB_CLEAR_NODE(&moves->node);
++      }
+ }
+ static int apply_children_dir_moves(struct send_ctx *sctx)
+@@ -3369,7 +3374,7 @@ static int apply_children_dir_moves(struct send_ctx *sctx)
+               return 0;
+       INIT_LIST_HEAD(&stack);
+-      tail_append_pending_moves(pm, &stack);
++      tail_append_pending_moves(sctx, pm, &stack);
+       while (!list_empty(&stack)) {
+               pm = list_first_entry(&stack, struct pending_dir_move, list);
+@@ -3380,7 +3385,7 @@ static int apply_children_dir_moves(struct send_ctx *sctx)
+                       goto out;
+               pm = get_pending_dir_moves(sctx, parent_ino);
+               if (pm)
+-                      tail_append_pending_moves(pm, &stack);
++                      tail_append_pending_moves(sctx, pm, &stack);
+       }
+       return 0;
+-- 
+2.19.1
+
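Review bot: tail_append_pending_moves() now also unlinks `moves` from `sctx->pending_dir_moves`, a side effect that its name does not suggest and the added block does not explain. A comment above the new `if` would keep a later cleanup from removing it: `/* Drop the record from the rbtree so get_pending_dir_moves() cannot return it again and re-queue the same dependency forever. */`. The `RB_CLEAR_NODE()` after `rb_erase()` matters as well, presumably because free_pending_move() (only its tail is visible in the first hunk) checks the node state before erasing; that is worth stating in the same comment.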
diff --git a/queue-4.19/cachefiles-explicitly-cast-enumerated-type-in-put_ob.patch b/queue-4.19/cachefiles-explicitly-cast-enumerated-type-in-put_ob.patch
new file mode 100644 (file)
index 0000000..ce57c80
--- /dev/null
@@ -0,0 +1,49 @@
+From e8a038ec54774a0123d08c067c9bd605e6867040 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 24 Sep 2018 10:33:44 -0700
+Subject: cachefiles: Explicitly cast enumerated type in put_object
+
+[ Upstream commit b7e768b7e3522695ed36dcb48ecdcd344bd30a9b ]
+
+Clang warns when one enumerated type is implicitly converted to another.
+
+fs/cachefiles/namei.c:247:50: warning: implicit conversion from
+enumeration type 'enum cachefiles_obj_ref_trace' to different
+enumeration type 'enum fscache_obj_ref_trace' [-Wenum-conversion]
+        cache->cache.ops->put_object(&xobject->fscache,
+cachefiles_obj_put_wait_retry);
+
+Silence this warning by explicitly casting to fscache_obj_ref_trace,
+which is also done in put_object.
+
+Reported-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cachefiles/namei.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
+index 95983c744164..5ab411d4bc59 100644
+--- a/fs/cachefiles/namei.c
++++ b/fs/cachefiles/namei.c
+@@ -244,11 +244,13 @@ static int cachefiles_mark_object_active(struct cachefiles_cache *cache,
+       ASSERT(!test_bit(CACHEFILES_OBJECT_ACTIVE, &xobject->flags));
+-      cache->cache.ops->put_object(&xobject->fscache, cachefiles_obj_put_wait_retry);
++      cache->cache.ops->put_object(&xobject->fscache,
++              (enum fscache_obj_ref_trace)cachefiles_obj_put_wait_retry);
+       goto try_again;
+ requeue:
+-      cache->cache.ops->put_object(&xobject->fscache, cachefiles_obj_put_wait_timeo);
++      cache->cache.ops->put_object(&xobject->fscache,
++              (enum fscache_obj_ref_trace)cachefiles_obj_put_wait_timeo);
+       _leave(" = -ETIMEDOUT");
+       return -ETIMEDOUT;
+ }
+-- 
+2.19.1
+
diff --git a/queue-4.19/cachefiles-fix-an-assertion-failure-when-trying-to-u.patch b/queue-4.19/cachefiles-fix-an-assertion-failure-when-trying-to-u.patch
new file mode 100644 (file)
index 0000000..0a2bf85
--- /dev/null
@@ -0,0 +1,80 @@
+From ddec8f24cf7baee5f9839109234c32a351b8d9d7 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 27 Nov 2018 16:34:55 +0000
+Subject: cachefiles: Fix an assertion failure when trying to update a failed
+ object
+
+[ Upstream commit e6bc06faf64a83384cc0abc537df954c9d3ff942 ]
+
+If cachefiles gets an error other then ENOENT when trying to look up an
+object in the cache (in this case, EACCES), the object state machine will
+eventually transition to the DROP_OBJECT state.
+
+This state invokes fscache_drop_object() which tries to sync the auxiliary
+data with the cache (this is done lazily since commit 402cb8dda949d) on an
+incomplete cache object struct.
+
+The problem comes when cachefiles_update_object_xattr() is called to
+rewrite the xattr holding the data.  There's an assertion there that the
+cache object points to a dentry as we're going to update its xattr.  The
+assertion trips, however, as dentry didn't get set.
+
+Fix the problem by skipping the update in cachefiles if the object doesn't
+refer to a dentry.  A better way to do it could be to skip the update from
+the DROP_OBJECT state handler in fscache, but that might deny the cache the
+opportunity to update intermediate state.
+
+If this error occurs, the kernel log includes lines that look like the
+following:
+
+ CacheFiles: Lookup failed error -13
+ CacheFiles:
+ CacheFiles: Assertion failed
+ ------------[ cut here ]------------
+ kernel BUG at fs/cachefiles/xattr.c:138!
+ ...
+ Workqueue: fscache_object fscache_object_work_func [fscache]
+ RIP: 0010:cachefiles_update_object_xattr.cold.4+0x18/0x1a [cachefiles]
+ ...
+ Call Trace:
+  cachefiles_update_object+0xdd/0x1c0 [cachefiles]
+  fscache_update_aux_data+0x23/0x30 [fscache]
+  fscache_drop_object+0x18e/0x1c0 [fscache]
+  fscache_object_work_func+0x74/0x2b0 [fscache]
+  process_one_work+0x18d/0x340
+  worker_thread+0x2e/0x390
+  ? pwq_unbound_release_workfn+0xd0/0xd0
+  kthread+0x112/0x130
+  ? kthread_bind+0x30/0x30
+  ret_from_fork+0x35/0x40
+
+Note that there are actually two issues here: (1) EACCES happened on a
+cache object and (2) an oops occurred.  I think that the second is a
+consequence of the first (it certainly looks like it ought to be).  This
+patch only deals with the second.
+
+Fixes: 402cb8dda949 ("fscache: Attach the index key and aux data to the cookie")
+Reported-by: Zhibin Li <zhibli@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cachefiles/xattr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/cachefiles/xattr.c b/fs/cachefiles/xattr.c
+index 0a29a00aed2e..511e6c68156a 100644
+--- a/fs/cachefiles/xattr.c
++++ b/fs/cachefiles/xattr.c
+@@ -135,7 +135,8 @@ int cachefiles_update_object_xattr(struct cachefiles_object *object,
+       struct dentry *dentry = object->dentry;
+       int ret;
+-      ASSERT(dentry);
++      if (!dentry)
++              return -ESTALE;
+       _enter("%p,#%d", object, auxdata->len);
+-- 
+2.19.1
+
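Review bot: The new `if (!dentry) return -ESTALE;` in cachefiles_update_object_xattr() has no comment saying when `object->dentry` can legitimately be NULL, and it returns before `_enter()`, so this path leaves no debug trace. I would add `/* Lookup failed before a dentry was attached (e.g. -EACCES); nothing to update. */` above the check. Whether callers distinguish -ESTALE from a real xattr write failure cannot be seen from this hunk and is worth confirming, since the commit message says the drop-object path reaches this code on an incomplete object. The function body continues outside the hunk.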
diff --git a/queue-4.19/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch b/queue-4.19/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch
new file mode 100644 (file)
index 0000000..f6d2090
--- /dev/null
@@ -0,0 +1,87 @@
+From 50c4d248e42c43c37acb459ef0695db34b71ef87 Mon Sep 17 00:00:00 2001
+From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+Date: Mon, 24 Sep 2018 12:02:39 +1000
+Subject: cachefiles: Fix page leak in cachefiles_read_backing_file while
+ vmscan is active
+
+[ Upstream commit 9a24ce5b66f9c8190d63b15f4473600db4935f1f ]
+
+[Description]
+
+In a heavily loaded system where the system pagecache is nearing memory
+limits and fscache is enabled, pages can be leaked by fscache while trying
+read pages from cachefiles backend.  This can happen because two
+applications can be reading same page from a single mount, two threads can
+be trying to read the backing page at same time.  This results in one of
+the threads finding that a page for the backing file or netfs file is
+already in the radix tree.  During the error handling cachefiles does not
+clean up the reference on backing page, leading to page leak.
+
+[Fix]
+The fix is straightforward, to decrement the reference when error is
+encountered.
+
+  [dhowells: Note that I've removed the clearance and put of newpage as
+   they aren't attested in the commit message and don't appear to actually
+   achieve anything since a new page is only allocated is newpage!=NULL and
+   any residual new page is cleared before returning.]
+
+[Testing]
+I have tested the fix using following method for 12+ hrs.
+
+1) mkdir -p /mnt/nfs ; mount -o vers=3,fsc <server_ip>:/export /mnt/nfs
+2) create 10000 files of 2.8MB in a NFS mount.
+3) start a thread to simulate heavy VM presssure
+   (while true ; do echo 3 > /proc/sys/vm/drop_caches ; sleep 1 ; done)&
+4) start multiple parallel reader for data set at same time
+   find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
+   find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
+   find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
+   ..
+   ..
+   find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
+   find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
+5) finally check using cat /proc/fs/fscache/stats | grep -i pages ;
+   free -h , cat /proc/meminfo and page-types -r -b lru
+   to ensure all pages are freed.
+
+Reviewed-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Shantanu Goel <sgoel01@yahoo.com>
+Signed-off-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+[dja: forward ported to current upstream]
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cachefiles/rdwr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c
+index 40f7595aad10..db233588a69a 100644
+--- a/fs/cachefiles/rdwr.c
++++ b/fs/cachefiles/rdwr.c
+@@ -535,7 +535,10 @@ static int cachefiles_read_backing_file(struct cachefiles_object *object,
+                                           netpage->index, cachefiles_gfp);
+               if (ret < 0) {
+                       if (ret == -EEXIST) {
++                              put_page(backpage);
++                              backpage = NULL;
+                               put_page(netpage);
++                              netpage = NULL;
+                               fscache_retrieval_complete(op, 1);
+                               continue;
+                       }
+@@ -608,7 +611,10 @@ static int cachefiles_read_backing_file(struct cachefiles_object *object,
+                                           netpage->index, cachefiles_gfp);
+               if (ret < 0) {
+                       if (ret == -EEXIST) {
++                              put_page(backpage);
++                              backpage = NULL;
+                               put_page(netpage);
++                              netpage = NULL;
+                               fscache_retrieval_complete(op, 1);
+                               continue;
+                       }
+-- 
+2.19.1
+
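Review bot: The same release sequence (`put_page(backpage); backpage = NULL;` followed by `put_page(netpage); netpage = NULL;`) is added to both `-EEXIST` branches of cachefiles_read_backing_file() with no comment on why the pointers are cleared. Presumably the function's exit path, outside these hunks, puts any non-NULL `backpage`/`netpage`, so the NULL assignments are what prevents a double put; a comment such as `/* drop our refs and clear the pointers so the exit path does not put them again */` at the first site would document that. It is also worth confirming that `backpage` is always non-NULL at both sites, since `put_page()` is called on it unconditionally.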
diff --git a/queue-4.19/debugobjects-avoid-recursive-calls-with-kmemleak.patch b/queue-4.19/debugobjects-avoid-recursive-calls-with-kmemleak.patch
new file mode 100644 (file)
index 0000000..38e89a7
--- /dev/null
@@ -0,0 +1,74 @@
+From 58e64214a7b5424f5f2d839270428056ac313523 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@gmx.us>
+Date: Fri, 30 Nov 2018 14:09:48 -0800
+Subject: debugobjects: avoid recursive calls with kmemleak
+
+[ Upstream commit 8de456cf87ba863e028c4dd01bae44255ce3d835 ]
+
+CONFIG_DEBUG_OBJECTS_RCU_HEAD does not play well with kmemleak due to
+recursive calls.
+
+fill_pool
+  kmemleak_ignore
+    make_black_object
+      put_object
+        __call_rcu (kernel/rcu/tree.c)
+          debug_rcu_head_queue
+            debug_object_activate
+              debug_object_init
+                fill_pool
+                  kmemleak_ignore
+                    make_black_object
+                      ...
+
+So add SLAB_NOLEAKTRACE to kmem_cache_create() to not register newly
+allocated debug objects at all.
+
+Link: http://lkml.kernel.org/r/20181126165343.2339-1-cai@gmx.us
+Signed-off-by: Qian Cai <cai@gmx.us>
+Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
+Acked-by: Waiman Long <longman@redhat.com>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Yang Shi <yang.shi@linux.alibaba.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/debugobjects.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/lib/debugobjects.c b/lib/debugobjects.c
+index 70935ed91125..14afeeb7d6ef 100644
+--- a/lib/debugobjects.c
++++ b/lib/debugobjects.c
+@@ -135,7 +135,6 @@ static void fill_pool(void)
+               if (!new)
+                       return;
+-              kmemleak_ignore(new);
+               raw_spin_lock_irqsave(&pool_lock, flags);
+               hlist_add_head(&new->node, &obj_pool);
+               debug_objects_allocated++;
+@@ -1128,7 +1127,6 @@ static int __init debug_objects_replace_static_objects(void)
+               obj = kmem_cache_zalloc(obj_cache, GFP_KERNEL);
+               if (!obj)
+                       goto free;
+-              kmemleak_ignore(obj);
+               hlist_add_head(&obj->node, &objects);
+       }
+@@ -1184,7 +1182,8 @@ void __init debug_objects_mem_init(void)
+       obj_cache = kmem_cache_create("debug_objects_cache",
+                                     sizeof (struct debug_obj), 0,
+-                                    SLAB_DEBUG_OBJECTS, NULL);
++                                    SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE,
++                                    NULL);
+       if (!obj_cache || debug_objects_replace_static_objects()) {
+               debug_objects_enabled = 0;
+-- 
+2.19.1
+
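Review bot: The `SLAB_NOLEAKTRACE` flag added in debug_objects_mem_init() replaces the two removed `kmemleak_ignore()` calls, but the reason is recorded only in the commit message. A comment at the `kmem_cache_create()` call would stop the per-object calls from being reintroduced: `/* Not tracked by kmemleak: kmemleak_ignore() on these objects recurses back into fill_pool() through the call_rcu() debug hooks. */`. Any other allocation from `obj_cache` outside these hunks is now covered by the cache flag too, which deserves a quick check.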
diff --git a/queue-4.19/drm-amdgpu-add-delay-after-enable-rlc-ucode.patch b/queue-4.19/drm-amdgpu-add-delay-after-enable-rlc-ucode.patch
new file mode 100644 (file)
index 0000000..e9feb71
--- /dev/null
@@ -0,0 +1,49 @@
+From 827c50b9f40faec7daf548d8f31d745ce3dcaf93 Mon Sep 17 00:00:00 2001
+From: shaoyunl <shaoyun.liu@amd.com>
+Date: Thu, 22 Nov 2018 11:45:24 -0500
+Subject: drm/amdgpu: Add delay after enable RLC ucode
+
+[ Upstream commit ad97d9de45835b6a0f71983b0ae0cffd7306730a ]
+
+Driver shouldn't try to access any GFX registers until RLC is idle.
+During the test, it took 12 seconds for RLC to clear the BUSY bit
+in RLC_GPM_STAT register which is un-acceptable for driver.
+As per RLC engineer, it would take RLC Ucode less than 10,000 GFXCLK
+cycles to finish its critical section. In a lowest 300M enginer clock
+setting(default from vbios), 50 us delay is enough.
+
+This commit fix the hang when RLC introduce the work around for XGMI
+which requires more cycles to setup more registers than normal
+
+Signed-off-by: shaoyunl <shaoyun.liu@amd.com>
+Acked-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+index ef00d14f8645..325e2213cac5 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -2243,12 +2243,13 @@ static void gfx_v9_0_rlc_start(struct amdgpu_device *adev)
+ #endif
+       WREG32_FIELD15(GC, 0, RLC_CNTL, RLC_ENABLE_F32, 1);
++      udelay(50);
+       /* carrizo do enable cp interrupt after cp inited */
+-      if (!(adev->flags & AMD_IS_APU))
++      if (!(adev->flags & AMD_IS_APU)) {
+               gfx_v9_0_enable_gui_idle_interrupt(adev, true);
+-
+-      udelay(50);
++              udelay(50);
++      }
+ #ifdef AMDGPU_RLC_DEBUG_RETRY
+       /* RLC_GPM_GENERAL_6 : RLC Ucode version */
+-- 
+2.19.1
+
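Review bot: `udelay(50)` now appears twice in gfx_v9_0_rlc_start() as a bare number, and its only justification (the RLC microcode needs fewer than 10,000 GFXCLK cycles, evaluated at the lowest 300 MHz engine clock) lives in the commit message. I would name the value and comment the first call, e.g. `/* RLC needs < 10000 GFXCLK cycles to leave its critical section; 50 us covers the 300 MHz minimum clock */`. The second delay, now inside the non-APU branch, has no stated reason at all; if it is tied to `gfx_v9_0_enable_gui_idle_interrupt()`, that should be said there. The function continues outside the hunk.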
diff --git a/queue-4.19/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch b/queue-4.19/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch
new file mode 100644 (file)
index 0000000..5f205de
--- /dev/null
@@ -0,0 +1,94 @@
+From d3c8d93d380cf583b41e211518598c1fd11427a0 Mon Sep 17 00:00:00 2001
+From: "Y.C. Chen" <yc_chen@aspeedtech.com>
+Date: Thu, 22 Nov 2018 11:56:28 +0800
+Subject: drm/ast: fixed reading monitor EDID not stable issue
+
+[ Upstream commit 300625620314194d9e6d4f6dda71f2dc9cf62d9f ]
+
+v1: over-sample data to increase the stability with some specific monitors
+v2: refine to avoid infinite loop
+v3: remove un-necessary "volatile" declaration
+
+[airlied: fix two checkpatch warnings]
+
+Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1542858988-1127-1-git-send-email-yc_chen@aspeedtech.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ast/ast_mode.c | 36 ++++++++++++++++++++++++++++------
+ 1 file changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c
+index 7c6ac3cadb6b..8bb355d5d43d 100644
+--- a/drivers/gpu/drm/ast/ast_mode.c
++++ b/drivers/gpu/drm/ast/ast_mode.c
+@@ -973,9 +973,21 @@ static int get_clock(void *i2c_priv)
+ {
+       struct ast_i2c_chan *i2c = i2c_priv;
+       struct ast_private *ast = i2c->dev->dev_private;
+-      uint32_t val;
++      uint32_t val, val2, count, pass;
++
++      count = 0;
++      pass = 0;
++      val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01;
++      do {
++              val2 = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01;
++              if (val == val2) {
++                      pass++;
++              } else {
++                      pass = 0;
++                      val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01;
++              }
++      } while ((pass < 5) && (count++ < 0x10000));
+-      val = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4;
+       return val & 1 ? 1 : 0;
+ }
+@@ -983,9 +995,21 @@ static int get_data(void *i2c_priv)
+ {
+       struct ast_i2c_chan *i2c = i2c_priv;
+       struct ast_private *ast = i2c->dev->dev_private;
+-      uint32_t val;
++      uint32_t val, val2, count, pass;
++
++      count = 0;
++      pass = 0;
++      val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01;
++      do {
++              val2 = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01;
++              if (val == val2) {
++                      pass++;
++              } else {
++                      pass = 0;
++                      val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01;
++              }
++      } while ((pass < 5) && (count++ < 0x10000));
+-      val = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5;
+       return val & 1 ? 1 : 0;
+ }
+@@ -998,7 +1022,7 @@ static void set_clock(void *i2c_priv, int clock)
+       for (i = 0; i < 0x10000; i++) {
+               ujcrb7 = ((clock & 0x01) ? 0 : 1);
+-              ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xfe, ujcrb7);
++              ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xf4, ujcrb7);
+               jtemp = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x01);
+               if (ujcrb7 == jtemp)
+                       break;
+@@ -1014,7 +1038,7 @@ static void set_data(void *i2c_priv, int data)
+       for (i = 0; i < 0x10000; i++) {
+               ujcrb7 = ((data & 0x01) ? 0 : 1) << 2;
+-              ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xfb, ujcrb7);
++              ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xf1, ujcrb7);
+               jtemp = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x04);
+               if (ujcrb7 == jtemp)
+                       break;
+-- 
+2.19.1
+
diff --git a/queue-4.19/drm-meson-add-support-for-1080p25-mode.patch b/queue-4.19/drm-meson-add-support-for-1080p25-mode.patch
new file mode 100644 (file)
index 0000000..9ce9ef6
--- /dev/null
@@ -0,0 +1,35 @@
+From 2eb71633ee7efa791841a2571b36dcc5c3f6d0e8 Mon Sep 17 00:00:00 2001
+From: Christian Hewitt <christianshewitt@gmail.com>
+Date: Wed, 21 Nov 2018 13:39:29 +0400
+Subject: drm/meson: add support for 1080p25 mode
+
+[ Upstream commit 31e1ab494559fb46de304cc6c2aed1528f94b298 ]
+
+This essential mode for PAL users is missing, so add it.
+
+Fixes: 335e3713afb87 ("drm/meson: Add support for HDMI venc modes and settings")
+Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1542793169-13008-1-git-send-email-christianshewitt@gmail.com
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_venc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/meson/meson_venc.c b/drivers/gpu/drm/meson/meson_venc.c
+index 14aac661f38b..7a3a6ed9f27b 100644
+--- a/drivers/gpu/drm/meson/meson_venc.c
++++ b/drivers/gpu/drm/meson/meson_venc.c
+@@ -715,6 +715,7 @@ struct meson_hdmi_venc_vic_mode {
+       { 5, &meson_hdmi_encp_mode_1080i60 },
+       { 20, &meson_hdmi_encp_mode_1080i50 },
+       { 32, &meson_hdmi_encp_mode_1080p24 },
++      { 33, &meson_hdmi_encp_mode_1080p50 },
+       { 34, &meson_hdmi_encp_mode_1080p30 },
+       { 31, &meson_hdmi_encp_mode_1080p50 },
+       { 16, &meson_hdmi_encp_mode_1080p60 },
+-- 
+2.19.1
+
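Review bot: The added table entry `{ 33, &meson_hdmi_encp_mode_1080p50 }` maps VIC 33 to the 1080p50 settings, while the subject says the patch adds 1080p25, and the existing `{ 31, ... }` entry already points at the same structure. If sharing the 1080p50 encoder settings is intentional (for example because only the pixel clock differs and is programmed elsewhere), the line needs a comment such as `/* 1080p25 (VIC 33) reuses the 1080p50 encoder settings */`; if not, the entry points at the wrong mode. The table starts and ends outside the hunk.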
diff --git a/queue-4.19/exportfs-do-not-read-dentry-after-free.patch b/queue-4.19/exportfs-do-not-read-dentry-after-free.patch
new file mode 100644 (file)
index 0000000..bd82a25
--- /dev/null
@@ -0,0 +1,40 @@
+From e840124b0666cdd77b6667e5ebb1f2b8f168439c Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 23 Nov 2018 15:56:33 +0800
+Subject: exportfs: do not read dentry after free
+
+[ Upstream commit 2084ac6c505a58f7efdec13eba633c6aaa085ca5 ]
+
+The function dentry_connected calls dput(dentry) to drop the previously
+acquired reference to dentry. In this case, dentry can be released.
+After that, IS_ROOT(dentry) checks the condition
+(dentry == dentry->d_parent), which may result in a use-after-free bug.
+This patch directly compares dentry with its parent obtained before
+dropping the reference.
+
+Fixes: a056cc8934c("exportfs: stop retrying once we race with
+rename/remove")
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exportfs/expfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c
+index 645158dc33f1..63707abcbeb3 100644
+--- a/fs/exportfs/expfs.c
++++ b/fs/exportfs/expfs.c
+@@ -77,7 +77,7 @@ static bool dentry_connected(struct dentry *dentry)
+               struct dentry *parent = dget_parent(dentry);
+               dput(dentry);
+-              if (IS_ROOT(dentry)) {
++              if (dentry == parent) {
+                       dput(parent);
+                       return false;
+               }
+-- 
+2.19.1
+
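Review bot: The new test `if (dentry == parent)` is safe only because it compares pointer values and never dereferences `dentry` after `dput(dentry)`, and nothing in the code says so. Without a comment the line looks like an open-coded `IS_ROOT()` and invites a cleanup that restores the use-after-free. I would add above it `/* dentry may already be freed by dput(); compare pointers only, do not use IS_ROOT(dentry) */`. The rest of the loop in dentry_connected() is outside the hunk, so later uses of `dentry` could not be checked.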
diff --git a/queue-4.19/fscache-cachefiles-remove-redundant-variable-cache.patch b/queue-4.19/fscache-cachefiles-remove-redundant-variable-cache.patch
new file mode 100644 (file)
index 0000000..2499467
--- /dev/null
@@ -0,0 +1,39 @@
+From 6666d1050d29fdf595827f9ce2b305efb4c5bd09 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 17 Jul 2018 09:53:42 +0100
+Subject: fscache, cachefiles: remove redundant variable 'cache'
+
+[ Upstream commit 31ffa563833576bd49a8bf53120568312755e6e2 ]
+
+Variable 'cache' is being assigned but is never used hence it is
+redundant and can be removed.
+
+Cleans up clang warning:
+warning: variable 'cache' set but not used [-Wunused-but-set-variable]
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cachefiles/rdwr.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c
+index db233588a69a..8a577409d030 100644
+--- a/fs/cachefiles/rdwr.c
++++ b/fs/cachefiles/rdwr.c
+@@ -968,11 +968,8 @@ void cachefiles_uncache_page(struct fscache_object *_object, struct page *page)
+       __releases(&object->fscache.cookie->lock)
+ {
+       struct cachefiles_object *object;
+-      struct cachefiles_cache *cache;
+       object = container_of(_object, struct cachefiles_object, fscache);
+-      cache = container_of(object->fscache.cache,
+-                           struct cachefiles_cache, cache);
+       _enter("%p,{%lu}", object, page->index);
+-- 
+2.19.1
+
diff --git a/queue-4.19/fscache-fix-race-between-enablement-and-dropping-of-.patch b/queue-4.19/fscache-fix-race-between-enablement-and-dropping-of-.patch
new file mode 100644 (file)
index 0000000..1263eef
--- /dev/null
@@ -0,0 +1,74 @@
+From 4f9798644aa313f0534e361d0f59847ee43973a8 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 26 Oct 2018 17:16:29 +1100
+Subject: fscache: fix race between enablement and dropping of object
+
+[ Upstream commit c5a94f434c82529afda290df3235e4d85873c5b4 ]
+
+It was observed that a process blocked indefintely in
+__fscache_read_or_alloc_page(), waiting for FSCACHE_COOKIE_LOOKING_UP
+to be cleared via fscache_wait_for_deferred_lookup().
+
+At this time, ->backing_objects was empty, which would normaly prevent
+__fscache_read_or_alloc_page() from getting to the point of waiting.
+This implies that ->backing_objects was cleared *after*
+__fscache_read_or_alloc_page was was entered.
+
+When an object is "killed" and then "dropped",
+FSCACHE_COOKIE_LOOKING_UP is cleared in fscache_lookup_failure(), then
+KILL_OBJECT and DROP_OBJECT are "called" and only in DROP_OBJECT is
+->backing_objects cleared.  This leaves a window where
+something else can set FSCACHE_COOKIE_LOOKING_UP and
+__fscache_read_or_alloc_page() can start waiting, before
+->backing_objects is cleared
+
+There is some uncertainty in this analysis, but it seems to be fit the
+observations.  Adding the wake in this patch will be handled correctly
+by __fscache_read_or_alloc_page(), as it checks if ->backing_objects
+is empty again, after waiting.
+
+Customer which reported the hang, also report that the hang cannot be
+reproduced with this fix.
+
+The backtrace for the blocked process looked like:
+
+PID: 29360  TASK: ffff881ff2ac0f80  CPU: 3   COMMAND: "zsh"
+ #0 [ffff881ff43efbf8] schedule at ffffffff815e56f1
+ #1 [ffff881ff43efc58] bit_wait at ffffffff815e64ed
+ #2 [ffff881ff43efc68] __wait_on_bit at ffffffff815e61b8
+ #3 [ffff881ff43efca0] out_of_line_wait_on_bit at ffffffff815e625e
+ #4 [ffff881ff43efd08] fscache_wait_for_deferred_lookup at ffffffffa04f2e8f [fscache]
+ #5 [ffff881ff43efd18] __fscache_read_or_alloc_page at ffffffffa04f2ffe [fscache]
+ #6 [ffff881ff43efd58] __nfs_readpage_from_fscache at ffffffffa0679668 [nfs]
+ #7 [ffff881ff43efd78] nfs_readpage at ffffffffa067092b [nfs]
+ #8 [ffff881ff43efda0] generic_file_read_iter at ffffffff81187a73
+ #9 [ffff881ff43efe50] nfs_file_read at ffffffffa066544b [nfs]
+#10 [ffff881ff43efe70] __vfs_read at ffffffff811fc756
+#11 [ffff881ff43efee8] vfs_read at ffffffff811fccfa
+#12 [ffff881ff43eff18] sys_read at ffffffff811fda62
+#13 [ffff881ff43eff50] entry_SYSCALL_64_fastpath at ffffffff815e986e
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fscache/object.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/fscache/object.c b/fs/fscache/object.c
+index 9edc920f651f..6d9cb1719de5 100644
+--- a/fs/fscache/object.c
++++ b/fs/fscache/object.c
+@@ -730,6 +730,9 @@ static const struct fscache_state *fscache_drop_object(struct fscache_object *ob
+       if (awaken)
+               wake_up_bit(&cookie->flags, FSCACHE_COOKIE_INVALIDATING);
++      if (test_and_clear_bit(FSCACHE_COOKIE_LOOKING_UP, &cookie->flags))
++              wake_up_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP);
++
+       /* Prevent a race with our last child, which has to signal EV_CLEARED
+        * before dropping our spinlock.
+-- 
+2.19.1
+
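Review bot: The added `test_and_clear_bit(FSCACHE_COOKIE_LOOKING_UP, ...)` / `wake_up_bit()` pair in fscache_drop_object() has no comment, and the commit message itself says the race analysis is uncertain. The reason this bit is cleared a second time on the drop path should live next to the code, something like `/* LOOKING_UP may have been set again after fscache_lookup_failure() cleared it; wake any waiter so it rechecks ->backing_objects */`. The function body starts and ends outside the hunk, so where `->backing_objects` is emptied relative to these lines is not visible here.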
diff --git a/queue-4.19/fscache-fix-race-in-fscache_op_complete-due-to-split.patch b/queue-4.19/fscache-fix-race-in-fscache_op_complete-due-to-split.patch
new file mode 100644 (file)
index 0000000..bbade47
--- /dev/null
@@ -0,0 +1,74 @@
+From da05fc423ed975225c330cda1817d74329cf3b2f Mon Sep 17 00:00:00 2001
+From: "kiran.modukuri" <kiran.modukuri@gmail.com>
+Date: Mon, 26 Nov 2018 15:41:48 +0000
+Subject: fscache: Fix race in fscache_op_complete() due to split atomic_sub &
+ read
+
+[ Upstream commit 3f2b7b9035107d6096ea438ea3d97dcf0481b6d2 ]
+
+The code in fscache_retrieval_complete is using atomic_sub followed by an
+atomic_read:
+
+        atomic_sub(n_pages, &op->n_pages);
+        if (atomic_read(&op->n_pages) <= 0)
+                fscache_op_complete(&op->op, true);
+
+This causes two threads doing a decrement of n_pages to race with each
+other seeing the op->refcount 0 at same time - and they end up calling
+fscache_op_complete() in both the threads leading to an assertion failure.
+
+Fix this by using atomic_sub_return_relaxed() instead of two calls.  Note
+that I'm using 'relaxed' rather than, say, 'release' as there aren't
+multiple variables that appear to need ordering across the release.
+
+The oops looks something like:
+
+FS-Cache: Assertion failed
+FS-Cache: 0 > 0 is false
+...
+kernel BUG at /usr/src/linux-4.4.0/fs/fscache/operation.c:449!
+...
+Workqueue: fscache_operation fscache_op_work_func [fscache]
+...
+RIP: 0010:[<ffffffffc037eacd>] fscache_op_complete+0x10d/0x180 [fscache]
+...
+Call Trace:
+ [<ffffffffc1464cf9>] cachefiles_read_copier+0x3a9/0x410 [cachefiles]
+ [<ffffffffc037e272>] fscache_op_work_func+0x22/0x50 [fscache]
+ [<ffffffff81096da0>] process_one_work+0x150/0x3f0
+ [<ffffffff8109751a>] worker_thread+0x11a/0x470
+ [<ffffffff81808e59>] ? __schedule+0x359/0x980
+ [<ffffffff81097400>] ? rescuer_thread+0x310/0x310
+ [<ffffffff8109cdd6>] kthread+0xd6/0xf0
+ [<ffffffff8109cd00>] ? kthread_park+0x60/0x60
+ [<ffffffff8180d0cf>] ret_from_fork+0x3f/0x70
+ [<ffffffff8109cd00>] ? kthread_park+0x60/0x60
+
+This seen this in 4.4.x kernels and the same bug affects fscache in latest
+upstreams kernels.
+
+Fixes: 1bb4b7f98f36 ("FS-Cache: The retrieval remaining-pages counter needs to be atomic_t")
+Signed-off-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/fscache-cache.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/include/linux/fscache-cache.h b/include/linux/fscache-cache.h
+index 34cf0fdd7dc7..610815e3f1aa 100644
+--- a/include/linux/fscache-cache.h
++++ b/include/linux/fscache-cache.h
+@@ -196,8 +196,7 @@ static inline void fscache_enqueue_retrieval(struct fscache_retrieval *op)
+ static inline void fscache_retrieval_complete(struct fscache_retrieval *op,
+                                             int n_pages)
+ {
+-      atomic_sub(n_pages, &op->n_pages);
+-      if (atomic_read(&op->n_pages) <= 0)
++      if (atomic_sub_return_relaxed(n_pages, &op->n_pages) <= 0)
+               fscache_op_complete(&op->op, false);
+ }
+-- 
+2.19.1
+
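Review bot: The completion test in fscache_retrieval_complete() is still `<= 0`, so fscache_op_complete() can run more than once if the counter is ever driven below zero. The single `atomic_sub_return_relaxed()` closes the window between the subtract and the read, but an over-decrement by a second caller would still satisfy the condition. If callers are meant to guarantee that the sum of `n_pages` never exceeds the outstanding count, state that on the function, for example `/* Callers must not complete more pages than remain; only the call that reaches zero may complete the op. */`. Whether that invariant holds is not visible from this hunk.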
diff --git a/queue-4.19/fsi-master-ast-cf-select-generic_allocator.patch b/queue-4.19/fsi-master-ast-cf-select-generic_allocator.patch
new file mode 100644 (file)
index 0000000..787de32
--- /dev/null
@@ -0,0 +1,40 @@
+From c0f8a06fdb21bf218bc3fc010ee1f75137dda66a Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 14 Aug 2018 00:37:18 +0200
+Subject: fsi: master-ast-cf: select GENERIC_ALLOCATOR
+
+[ Upstream commit 64999fa7aa2c076ec6d05aee481f11f5296ceb8c ]
+
+In randconfig builds without CONFIG_GENERIC_ALLOCATOR, this driver
+fails to link:
+
+ERROR: "gen_pool_alloc_algo" [drivers/fsi/fsi-master-ast-cf.ko] undefined!
+ERROR: "gen_pool_fixed_alloc" [drivers/fsi/fsi-master-ast-cf.ko] undefined!
+ERROR: "of_gen_pool_get" [drivers/fsi/fsi-master-ast-cf.ko] undefined!
+ERROR: "gen_pool_free" [drivers/fsi/fsi-master-ast-cf.ko] undefined!
+
+Select the dependency as all other users do.
+
+Fixes: 6a794a27daca ("fsi: master-ast-cf: Add new FSI master using Aspeed ColdFire")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fsi/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/fsi/Kconfig b/drivers/fsi/Kconfig
+index af3a20dd5aa4..99c99a5d57fe 100644
+--- a/drivers/fsi/Kconfig
++++ b/drivers/fsi/Kconfig
+@@ -46,6 +46,7 @@ config FSI_MASTER_AST_CF
+       tristate "FSI master based on Aspeed ColdFire coprocessor"
+       depends on GPIOLIB
+       depends on GPIO_ASPEED
++      select GENERIC_ALLOCATOR
+       ---help---
+       This option enables a FSI master using the AST2400 and AST2500 GPIO
+       lines driven by the internal ColdFire coprocessor. This requires
+-- 
+2.19.1
+
diff --git a/queue-4.19/hfs-do-not-free-node-before-using.patch b/queue-4.19/hfs-do-not-free-node-before-using.patch
new file mode 100644 (file)
index 0000000..48d55d8
--- /dev/null
@@ -0,0 +1,49 @@
+From 8d5b5385c2f0469fc4aaaec837de3770eb02f878 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 30 Nov 2018 14:09:14 -0800
+Subject: hfs: do not free node before using
+
+[ Upstream commit ce96a407adef126870b3f4a1b73529dd8aa80f49 ]
+
+hfs_bmap_free() frees the node via hfs_bnode_put(node).  However, it
+then reads node->this when dumping error message on an error path, which
+may result in a use-after-free bug.  This patch frees the node only when
+it is never again used.
+
+Link: http://lkml.kernel.org/r/1542963889-128825-1-git-send-email-bianpan2016@163.com
+Fixes: a1185ffa2fc ("HFS rewrite")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Joe Perches <joe@perches.com>
+Cc: Ernesto A. Fernandez <ernesto.mnd.fernandez@gmail.com>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/btree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c
+index 374b5688e29e..9bdff5e40626 100644
+--- a/fs/hfs/btree.c
++++ b/fs/hfs/btree.c
+@@ -329,13 +329,14 @@ void hfs_bmap_free(struct hfs_bnode *node)
+               nidx -= len * 8;
+               i = node->next;
+-              hfs_bnode_put(node);
+               if (!i) {
+                       /* panic */;
+                       pr_crit("unable to free bnode %u. bmap not found!\n",
+                               node->this);
++                      hfs_bnode_put(node);
+                       return;
+               }
++              hfs_bnode_put(node);
+               node = hfs_bnode_find(tree, i);
+               if (IS_ERR(node))
+                       return;
+-- 
+2.19.1
+
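Review bot: `hfs_bnode_put(node)` is now called separately on the error path and on the normal path of hfs_bmap_free(), with nothing recording that its position after the `node->this` read is deliberate. A one-line comment such as `/* drop the reference only after the last read of node->this */` on the call inside the `if (!i)` branch would keep the two calls from being merged back above the `pr_crit()`. The same applies to the identical change in fs/hfsplus/btree.c in the next patch. The loop that contains these lines starts outside the hunk.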
diff --git a/queue-4.19/hfsplus-do-not-free-node-before-using.patch b/queue-4.19/hfsplus-do-not-free-node-before-using.patch
new file mode 100644 (file)
index 0000000..9b56148
--- /dev/null
@@ -0,0 +1,49 @@
+From 9eb2900004b9eae8c22d2afdbf29882154966501 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 30 Nov 2018 14:09:18 -0800
+Subject: hfsplus: do not free node before using
+
+[ Upstream commit c7d7d620dcbd2a1c595092280ca943f2fced7bbd ]
+
+hfs_bmap_free() frees node via hfs_bnode_put(node).  However it then
+reads node->this when dumping error message on an error path, which may
+result in a use-after-free bug.  This patch frees node only when it is
+never used.
+
+Link: http://lkml.kernel.org/r/1543053441-66942-1-git-send-email-bianpan2016@163.com
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Ernesto A. Fernandez <ernesto.mnd.fernandez@gmail.com>
+Cc: Joe Perches <joe@perches.com>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/btree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
+index de14b2b6881b..3de3bc4918b5 100644
+--- a/fs/hfsplus/btree.c
++++ b/fs/hfsplus/btree.c
+@@ -454,14 +454,15 @@ void hfs_bmap_free(struct hfs_bnode *node)
+               nidx -= len * 8;
+               i = node->next;
+-              hfs_bnode_put(node);
+               if (!i) {
+                       /* panic */;
+                       pr_crit("unable to free bnode %u. "
+                                       "bmap not found!\n",
+                               node->this);
++                      hfs_bnode_put(node);
+                       return;
+               }
++              hfs_bnode_put(node);
+               node = hfs_bnode_find(tree, i);
+               if (IS_ERR(node))
+                       return;
+-- 
+2.19.1
+
diff --git a/queue-4.19/hwmon-ina2xx-fix-current-value-calculation.patch b/queue-4.19/hwmon-ina2xx-fix-current-value-calculation.patch
new file mode 100644 (file)
index 0000000..c3b9bce
--- /dev/null
@@ -0,0 +1,39 @@
+From d89e1a4c2b1bcc9ce077262abe18121284ea16eb Mon Sep 17 00:00:00 2001
+From: Nicolin Chen <nicoleotsuka@gmail.com>
+Date: Tue, 13 Nov 2018 19:48:54 -0800
+Subject: hwmon: (ina2xx) Fix current value calculation
+
+[ Upstream commit 38cd989ee38c16388cde89db5b734f9d55b905f9 ]
+
+The current register (04h) has a sign bit at MSB. The comments
+for this calculation also mention that it's a signed register.
+
+However, the regval is unsigned type so result of calculation
+turns out to be an incorrect value when current is negative.
+
+This patch simply fixes this by adding a casting to s16.
+
+Fixes: 5d389b125186c ("hwmon: (ina2xx) Make calibration register value fixed")
+Signed-off-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ina2xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/ina2xx.c b/drivers/hwmon/ina2xx.c
+index c2252cf452f5..07ee19573b3f 100644
+--- a/drivers/hwmon/ina2xx.c
++++ b/drivers/hwmon/ina2xx.c
+@@ -274,7 +274,7 @@ static int ina2xx_get_value(struct ina2xx_data *data, u8 reg,
+               break;
+       case INA2XX_CURRENT:
+               /* signed register, result in mA */
+-              val = regval * data->current_lsb_uA;
++              val = (s16)regval * data->current_lsb_uA;
+               val = DIV_ROUND_CLOSEST(val, 1000);
+               break;
+       case INA2XX_CALIBRATION:
+-- 
+2.19.1
+
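Review bot: In the `INA2XX_CURRENT` case, whether `(s16)regval * data->current_lsb_uA` gives a negative product depends on the type of `current_lsb_uA`, which is declared outside the hunk. If that field is unsigned, the usual arithmetic conversions turn the sign-extended operand back into an unsigned value before the multiply, and the result then depends on the width of `val`. It is worth confirming that the field is signed, or making the intent explicit with a signed local, e.g. `int cur = (s16)regval;` followed by `val = cur * data->current_lsb_uA;`.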
diff --git a/queue-4.19/hwmon-ina2xx-fix-null-id-pointer-in-probe.patch b/queue-4.19/hwmon-ina2xx-fix-null-id-pointer-in-probe.patch
new file mode 100644 (file)
index 0000000..dff7247
--- /dev/null
@@ -0,0 +1,68 @@
+From a5620f19d11da3c6ffc610239906515cbf10364b Mon Sep 17 00:00:00 2001
+From: Nicolin Chen <nicoleotsuka@gmail.com>
+Date: Fri, 9 Nov 2018 16:42:14 -0800
+Subject: hwmon (ina2xx) Fix NULL id pointer in probe()
+
+[ Upstream commit 70df9ebbd82c794ddfbb49d45b337f18d5588dc2 ]
+
+When using DT configurations, the id pointer might turn out to
+be NULL. Then the driver encounters NULL pointer access:
+
+  Unable to handle kernel read from unreadable memory at vaddr 00000018
+  [...]
+  PC is at ina2xx_probe+0x114/0x200
+  LR is at ina2xx_probe+0x10c/0x200
+  [...]
+  Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+
+The reason is that i2c core returns the id pointer by matching
+id_table with client->name, while the client->name is actually
+using the name from the first string in the DT compatible list,
+not the best one. So i2c core would fail to match the id_table
+if the best matched compatible string isn't the first one, and
+then would return a NULL id pointer.
+
+This probably should be fixed in i2c core. But it doesn't hurt
+to make the driver robust. So this patch fixes it by using the
+"chip" that's added to unify both DT and non-DT configurations.
+
+Additionally, since id pointer could be null, so as id->name:
+  ina2xx 10-0047: power monitor (null) (Rshunt = 1000 uOhm)
+  ina2xx 10-0048: power monitor (null) (Rshunt = 10000 uOhm)
+
+So this patch also fixes NULL name pointer, using client->name
+to play safe and to align with hwmon->name.
+
+Fixes: bd0ddd4d0883 ("hwmon: (ina2xx) Add OF device ID table")
+Signed-off-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ina2xx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/ina2xx.c b/drivers/hwmon/ina2xx.c
+index 71d3445ba869..c2252cf452f5 100644
+--- a/drivers/hwmon/ina2xx.c
++++ b/drivers/hwmon/ina2xx.c
+@@ -491,7 +491,7 @@ static int ina2xx_probe(struct i2c_client *client,
+       }
+       data->groups[group++] = &ina2xx_group;
+-      if (id->driver_data == ina226)
++      if (chip == ina226)
+               data->groups[group++] = &ina226_group;
+       hwmon_dev = devm_hwmon_device_register_with_groups(dev, client->name,
+@@ -500,7 +500,7 @@ static int ina2xx_probe(struct i2c_client *client,
+               return PTR_ERR(hwmon_dev);
+       dev_info(dev, "power monitor %s (Rshunt = %li uOhm)\n",
+-               id->name, data->rshunt);
++               client->name, data->rshunt);
+       return 0;
+ }
+-- 
+2.19.1
+
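Review bot: These two hunks replace `id->driver_data` and `id->name` in ina2xx_probe(), but `id` remains a parameter that can be NULL and nothing in the visible code warns about that. Any other `id->` access in the part of the function outside the hunks, including wherever `chip` is derived, would still fault on device-tree probes, so the whole function needs checking for remaining dereferences. A comment at the `chip == ina226` test such as `/* id may be NULL when probed via DT; use chip, never id->driver_data */` would keep the dereference from being reintroduced.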
diff --git a/queue-4.19/hwmon-mlxreg-fan-fix-macros-for-tacho-fault-reading.patch b/queue-4.19/hwmon-mlxreg-fan-fix-macros-for-tacho-fault-reading.patch
new file mode 100644 (file)
index 0000000..c9391b6
--- /dev/null
@@ -0,0 +1,36 @@
+From e74fe3b18642646f5fc9028ffb58ddb69216151e Mon Sep 17 00:00:00 2001
+From: Vadim Pasternak <vadimp@mellanox.com>
+Date: Fri, 16 Nov 2018 13:47:11 +0000
+Subject: hwmon: (mlxreg-fan) Fix macros for tacho fault reading
+
+[ Upstream commit 243cfe3fb8978c7eec24511aba7dac98819ed896 ]
+
+Fix macros for tacometer fault reading.
+This fix is relevant for three Mellanox systems MQMB7, MSN37, MSN34,
+which are about to be released to the customers.
+At the moment, none of them is at customers sites.
+
+Fixes: 65afb4c8e7e4 ("hwmon: (mlxreg-fan) Add support for Mellanox FAN driver")
+Signed-off-by: Vadim Pasternak <vadimp@mellanox.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/mlxreg-fan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/mlxreg-fan.c b/drivers/hwmon/mlxreg-fan.c
+index de46577c7d5a..d8fa4bea4bc8 100644
+--- a/drivers/hwmon/mlxreg-fan.c
++++ b/drivers/hwmon/mlxreg-fan.c
+@@ -51,7 +51,7 @@
+  */
+ #define MLXREG_FAN_GET_RPM(rval, d, s)        (DIV_ROUND_CLOSEST(15000000 * 100, \
+                                        ((rval) + (s)) * (d)))
+-#define MLXREG_FAN_GET_FAULT(val, mask) (!!((val) ^ (mask)))
++#define MLXREG_FAN_GET_FAULT(val, mask) (!((val) ^ (mask)))
+ #define MLXREG_FAN_PWM_DUTY2STATE(duty)       (DIV_ROUND_CLOSEST((duty) *     \
+                                        MLXREG_FAN_MAX_STATE,          \
+                                        MLXREG_FAN_MAX_DUTY))
+-- 
+2.19.1
+
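Review bot: The corrected macro `(!((val) ^ (mask)))` is an obscure spelling of an equality test, and the single `!` versus `!!` difference is exactly what was wrong before. Writing it as `#define MLXREG_FAN_GET_FAULT(val, mask) ((val) == (mask))` makes the fault condition readable and hard to invert by accident. It also makes visible that bits in `val` outside `mask` prevent a match; whether callers mask the register value first cannot be seen from this hunk.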
diff --git a/queue-4.19/hwmon-raspberrypi-fix-initial-notify.patch b/queue-4.19/hwmon-raspberrypi-fix-initial-notify.patch
new file mode 100644 (file)
index 0000000..5c36ccd
--- /dev/null
@@ -0,0 +1,50 @@
+From d28d3f1f607e956446e584ea82fe836bfe0fa376 Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Sun, 11 Nov 2018 13:01:11 +0100
+Subject: hwmon: (raspberrypi) Fix initial notify
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 35fdc3902179366489a12cae4cb3ccc3b95f0afe ]
+
+In case an under-voltage happens before probing the driver wont
+write the critical warning into the kernel log. So don't init
+of last_throttled during probe and fix this issue.
+
+Fixes: 74d1e007915f ("hwmon: Add support for RPi voltage sensor")
+Reported-by: "Noralf Trønnes" <noralf@tronnes.org>
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/raspberrypi-hwmon.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/drivers/hwmon/raspberrypi-hwmon.c b/drivers/hwmon/raspberrypi-hwmon.c
+index be5ba4690895..0d0457245e7d 100644
+--- a/drivers/hwmon/raspberrypi-hwmon.c
++++ b/drivers/hwmon/raspberrypi-hwmon.c
+@@ -115,7 +115,6 @@ static int rpi_hwmon_probe(struct platform_device *pdev)
+ {
+       struct device *dev = &pdev->dev;
+       struct rpi_hwmon_data *data;
+-      int ret;
+       data = devm_kzalloc(dev, sizeof(*data), GFP_KERNEL);
+       if (!data)
+@@ -124,11 +123,6 @@ static int rpi_hwmon_probe(struct platform_device *pdev)
+       /* Parent driver assure that firmware is correct */
+       data->fw = dev_get_drvdata(dev->parent);
+-      /* Init throttled */
+-      ret = rpi_firmware_property(data->fw, RPI_FIRMWARE_GET_THROTTLED,
+-                                  &data->last_throttled,
+-                                  sizeof(data->last_throttled));
+-
+       data->hwmon_dev = devm_hwmon_device_register_with_info(dev, "rpi_volt",
+                                                              data,
+                                                              &rpi_chip_info,
+-- 
+2.19.1
+
diff --git a/queue-4.19/hwmon-w83795-temp4_type-has-writable-permission.patch b/queue-4.19/hwmon-w83795-temp4_type-has-writable-permission.patch
new file mode 100644 (file)
index 0000000..2ce12ff
--- /dev/null
@@ -0,0 +1,35 @@
+From 8fccc4e864ec621dc7af94a5031bbedb8e74d425 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 15 Nov 2018 10:44:57 +0800
+Subject: hwmon: (w83795) temp4_type has writable permission
+
+[ Upstream commit 09aaf6813cfca4c18034fda7a43e68763f34abb1 ]
+
+Both datasheet and comments of store_temp_mode() tell us that temp1~4_type
+is writable, so fix it.
+
+Signed-off-by: Yao Wang <wangyao@lemote.com>
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Fixes: 39deb6993e7c (" hwmon: (w83795) Simplify temperature sensor type handling")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/w83795.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/w83795.c b/drivers/hwmon/w83795.c
+index 49276bbdac3d..1bb80f992aa8 100644
+--- a/drivers/hwmon/w83795.c
++++ b/drivers/hwmon/w83795.c
+@@ -1691,7 +1691,7 @@ store_sf_setup(struct device *dev, struct device_attribute *attr,
+  * somewhere else in the code
+  */
+ #define SENSOR_ATTR_TEMP(index) {                                     \
+-      SENSOR_ATTR_2(temp##index##_type, S_IRUGO | (index < 4 ? S_IWUSR : 0), \
++      SENSOR_ATTR_2(temp##index##_type, S_IRUGO | (index < 5 ? S_IWUSR : 0), \
+               show_temp_mode, store_temp_mode, NOT_USED, index - 1),  \
+       SENSOR_ATTR_2(temp##index##_input, S_IRUGO, show_temp,          \
+               NULL, TEMP_READ, index - 1),                            \
+-- 
+2.19.1
+
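Review bot: The write-permission threshold in `SENSOR_ATTR_TEMP` is the bare constant in `index < 5 ? S_IWUSR : 0`, which is how the earlier off-by-one went unnoticed. Since this decides which sysfs attributes accept writes, tie it to the stated intent, for example `(index <= 4 ? S_IWUSR : 0)` with a comment `/* temp1..temp4 types are configurable; temp5 and up are read-only */`. The body of store_temp_mode() is outside the hunk, so whether it handles the fourth channel correctly should be confirmed separately.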
diff --git a/queue-4.19/ib-mlx5-fix-page-fault-handling-for-mw.patch b/queue-4.19/ib-mlx5-fix-page-fault-handling-for-mw.patch
new file mode 100644 (file)
index 0000000..2fd2de8
--- /dev/null
@@ -0,0 +1,40 @@
+From ee96ae20d8b7ee24f8a8fc240767ea1a5697bbf9 Mon Sep 17 00:00:00 2001
+From: Artemy Kovalyov <artemyko@mellanox.com>
+Date: Sun, 25 Nov 2018 20:34:26 +0200
+Subject: IB/mlx5: Fix page fault handling for MW
+
+[ Upstream commit 75b7b86bdb0df37e08e44b6c1f99010967f81944 ]
+
+Memory windows are implemented with an indirect MKey, when a page fault
+event comes for a MW Mkey we need to find the MR at the end of the list of
+the indirect MKeys by iterating on all items from the first to the last.
+
+The offset calculated during this process has to be zeroed after the first
+iteration or the next iteration will start from a wrong address, resulting
+incorrect ODP faulting behavior.
+
+Fixes: db570d7deafb ("IB/mlx5: Add ODP support to MW")
+Signed-off-by: Artemy Kovalyov <artemyko@mellanox.com>
+Signed-off-by: Moni Shoua <monis@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/odp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/mlx5/odp.c b/drivers/infiniband/hw/mlx5/odp.c
+index d216e0d2921d..9e1cac8cb260 100644
+--- a/drivers/infiniband/hw/mlx5/odp.c
++++ b/drivers/infiniband/hw/mlx5/odp.c
+@@ -724,6 +724,7 @@ static int pagefault_single_data_segment(struct mlx5_ib_dev *dev,
+                       head = frame;
+                       bcnt -= frame->bcnt;
++                      offset = 0;
+               }
+               break;
+-- 
+2.19.1
+
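Review bot: The added `offset = 0;` in pagefault_single_data_segment() carries the whole fix but has no comment, and a bare reset at the end of a loop body is easy to drop in a later refactor. I would annotate it with `/* offset applies to the first MKey in the chain only */`. The surrounding loop starts and ends outside the hunk, so the other uses of `offset` in the function were not checked.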
diff --git a/queue-4.19/igb-fix-uninitialized-variables.patch b/queue-4.19/igb-fix-uninitialized-variables.patch
new file mode 100644 (file)
index 0000000..cac6083
--- /dev/null
@@ -0,0 +1,32 @@
+From 14a9b22a882094265cb0597aa5c71913d2b56dd8 Mon Sep 17 00:00:00 2001
+From: Yunjian Wang <wangyunjian@huawei.com>
+Date: Tue, 6 Nov 2018 16:27:12 +0800
+Subject: igb: fix uninitialized variables
+
+[ Upstream commit e4c39f7926b4de355f7df75651d75003806aae09 ]
+
+This patch fixes the variable 'phy_word' may be used uninitialized.
+
+Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/e1000_i210.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/e1000_i210.c b/drivers/net/ethernet/intel/igb/e1000_i210.c
+index c54ebedca6da..c393cb2c0f16 100644
+--- a/drivers/net/ethernet/intel/igb/e1000_i210.c
++++ b/drivers/net/ethernet/intel/igb/e1000_i210.c
+@@ -842,6 +842,7 @@ s32 igb_pll_workaround_i210(struct e1000_hw *hw)
+               nvm_word = E1000_INVM_DEFAULT_AL;
+       tmp_nvm = nvm_word | E1000_INVM_PLL_WO_VAL;
+       igb_write_phy_reg_82580(hw, I347AT4_PAGE_SELECT, E1000_PHY_PLL_FREQ_PAGE);
++      phy_word = E1000_PHY_PLL_UNCONF;
+       for (i = 0; i < E1000_MAX_PLL_TRIES; i++) {
+               /* check current state directly from internal PHY */
+               igb_read_phy_reg_82580(hw, E1000_PHY_PLL_FREQ_REG, &phy_word);
+-- 
+2.19.1
+
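Review bot: Initialising `phy_word` once before the loop in igb_pll_workaround_i210() covers only the first pass, and the result of `igb_read_phy_reg_82580()` inside the loop is still discarded. If a read fails on a later iteration, `phy_word` keeps the value from the previous pass and the code after the read acts on stale data. Either check the return value of the read, or move the assignment into the loop as its first statement, `phy_word = E1000_PHY_PLL_UNCONF;`, so that every iteration starts from the unconfigured state. The rest of the loop body is outside the hunk.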
diff --git a/queue-4.19/initramfs-clean-old-path-before-creating-a-hardlink.patch b/queue-4.19/initramfs-clean-old-path-before-creating-a-hardlink.patch
new file mode 100644 (file)
index 0000000..da2645c
--- /dev/null
@@ -0,0 +1,111 @@
+From 6eb7c9ff098ab24db87212744846a76db523a86a Mon Sep 17 00:00:00 2001
+From: Li Zhijian <lizhijian@cn.fujitsu.com>
+Date: Fri, 30 Nov 2018 14:10:09 -0800
+Subject: initramfs: clean old path before creating a hardlink
+
+[ Upstream commit 7c0950d455d6ab610d2990a13120f935b75abf2c ]
+
+sys_link() can fail due to the new path already existing.  This case
+ofen occurs when we use a concated initrd, for example:
+
+1) prepare a basic rootfs, it contains a regular files rc.local
+lizhijian@:~/yocto-tiny-i386-2016-04-22$ cat etc/rc.local
+ #!/bin/sh
+ echo "Running /etc/rc.local..."
+yocto-tiny-i386-2016-04-22$ find . | sed 's,^\./,,' | cpio -o -H newc | gzip -n -9 >../rootfs.cgz
+
+2) create a extra initrd which also includes a etc/rc.local
+lizhijian@:~/lkp-x86_64/etc$ echo "append initrd" >rc.local
+lizhijian@:~/lkp/lkp-x86_64/etc$ cat rc.local
+append initrd
+lizhijian@:~/lkp/lkp-x86_64/etc$ ln rc.local rc.local.hardlink
+append initrd
+lizhijian@:~/lkp/lkp-x86_64/etc$ stat rc.local rc.local.hardlink
+  File: 'rc.local'
+  Size: 14             Blocks: 8          IO Block: 4096   regular file
+Device: 801h/2049d     Inode: 11296086    Links: 2
+Access: (0664/-rw-rw-r--)  Uid: ( 1002/lizhijian)   Gid: ( 1002/lizhijian)
+Access: 2018-11-15 16:08:28.654464815 +0800
+Modify: 2018-11-15 16:07:57.514903210 +0800
+Change: 2018-11-15 16:08:24.180228872 +0800
+ Birth: -
+  File: 'rc.local.hardlink'
+  Size: 14             Blocks: 8          IO Block: 4096   regular file
+Device: 801h/2049d     Inode: 11296086    Links: 2
+Access: (0664/-rw-rw-r--)  Uid: ( 1002/lizhijian)   Gid: ( 1002/lizhijian)
+Access: 2018-11-15 16:08:28.654464815 +0800
+Modify: 2018-11-15 16:07:57.514903210 +0800
+Change: 2018-11-15 16:08:24.180228872 +0800
+ Birth: -
+
+lizhijian@:~/lkp/lkp-x86_64$ find . | sed 's,^\./,,' | cpio -o -H newc | gzip -n -9 >../rc-local.cgz
+lizhijian@:~/lkp/lkp-x86_64$ gzip -dc ../rc-local.cgz | cpio -t
+.
+etc
+etc/rc.local.hardlink <<< it will be extracted first at this initrd
+etc/rc.local
+
+3) concate 2 initrds and boot
+lizhijian@:~/lkp$ cat rootfs.cgz rc-local.cgz >concate-initrd.cgz
+lizhijian@:~/lkp$ qemu-system-x86_64 -nographic -enable-kvm -cpu host -smp 1 -m 1024 -kernel ~/lkp/linux/arch/x86/boot/bzImage -append "console=ttyS0 earlyprint=ttyS0 ignore_loglevel" -initrd ./concate-initr.cgz -serial stdio -nodefaults
+
+In this case, sys_link(2) will fail and return -EEXIST, so we can only get
+the rc.local at rootfs.cgz instead of rc-local.cgz
+
+[akpm@linux-foundation.org: move code to avoid forward declaration]
+Link: http://lkml.kernel.org/r/1542352368-13299-1-git-send-email-lizhijian@cn.fujitsu.com
+Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
+Cc: Philip Li <philip.li@intel.com>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Li Zhijian <zhijianx.li@intel.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ init/initramfs.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/init/initramfs.c b/init/initramfs.c
+index 640557788026..f6f4a1e4cd54 100644
+--- a/init/initramfs.c
++++ b/init/initramfs.c
+@@ -291,16 +291,6 @@ static int __init do_reset(void)
+       return 1;
+ }
+-static int __init maybe_link(void)
+-{
+-      if (nlink >= 2) {
+-              char *old = find_link(major, minor, ino, mode, collected);
+-              if (old)
+-                      return (ksys_link(old, collected) < 0) ? -1 : 1;
+-      }
+-      return 0;
+-}
+-
+ static void __init clean_path(char *path, umode_t fmode)
+ {
+       struct kstat st;
+@@ -313,6 +303,18 @@ static void __init clean_path(char *path, umode_t fmode)
+       }
+ }
++static int __init maybe_link(void)
++{
++      if (nlink >= 2) {
++              char *old = find_link(major, minor, ino, mode, collected);
++              if (old) {
++                      clean_path(collected, 0);
++                      return (ksys_link(old, collected) < 0) ? -1 : 1;
++              }
++      }
++      return 0;
++}
++
+ static __initdata int wfd;
+ static int __init do_name(void)
+-- 
+2.19.1
+
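Review bot: In maybe_link, `clean_path(collected, 0)` removes whatever already sits at the new path before `ksys_link()` is attempted, so if the link then fails the earlier entry is gone and the caller only sees -1. The body of clean_path is outside the hunk, but passing 0 as fmode looks like a deliberate "type never matches, always remove" idiom, and it deserves a comment such as `/* fmode 0: drop any existing entry so the hardlink can be created */`. With concatenated initrds this also means the last archive wins for hardlinked names, which decides what ends up in the boot rootfs and is worth stating in a comment on the function.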
diff --git a/queue-4.19/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch b/queue-4.19/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch
new file mode 100644 (file)
index 0000000..b2f2edb
--- /dev/null
@@ -0,0 +1,57 @@
+From b5602aa13f4bc86504c75522bc84b4b10deb5a30 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 15 Nov 2018 15:14:30 +0800
+Subject: ipvs: call ip_vs_dst_notifier earlier than ipv6_dev_notf
+
+[ Upstream commit 2a31e4bd9ad255ee40809b5c798c4b1c2b09703b ]
+
+ip_vs_dst_event is supposed to clean up all dst used in ipvs'
+destinations when a net dev is going down. But it works only
+when the dst's dev is the same as the dev from the event.
+
+Now with the same priority but late registration,
+ip_vs_dst_notifier is always called later than ipv6_dev_notf
+where the dst's dev is set to lo for NETDEV_DOWN event.
+
+As the dst's dev lo is not the same as the dev from the event
+in ip_vs_dst_event, ip_vs_dst_notifier doesn't actually work.
+Also as these dst have to wait for dest_trash_timer to clean
+them up. It would cause some non-permanent kernel warnings:
+
+  unregister_netdevice: waiting for br0 to become free. Usage count = 3
+
+To fix it, call ip_vs_dst_notifier earlier than ipv6_dev_notf
+by increasing its priority to ADDRCONF_NOTIFY_PRIORITY + 5.
+
+Note that for ipv4 route fib_netdev_notifier doesn't set dst's
+dev to lo in NETDEV_DOWN event, so this fix is only needed when
+IP_VS_IPV6 is defined.
+
+Fixes: 7a4f0761fce3 ("IPVS: init and cleanup restructuring")
+Reported-by: Li Shuang <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 62eefea48973..518364f4abcc 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -3980,6 +3980,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct netns_ipvs *ipvs)
+ static struct notifier_block ip_vs_dst_notifier = {
+       .notifier_call = ip_vs_dst_event,
++#ifdef CONFIG_IP_VS_IPV6
++      .priority = ADDRCONF_NOTIFY_PRIORITY + 5,
++#endif
+ };
+ int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs)
+-- 
+2.19.1
+
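Review bot: The `+ 5` in `.priority = ADDRCONF_NOTIFY_PRIORITY + 5` on ip_vs_dst_notifier is a bare offset with no explanation in the code; the ordering requirement is recorded only in the commit message. A comment above the field, e.g. `/* must run before ipv6_dev_notf, which points dst->dev at lo on NETDEV_DOWN */`, would keep someone from later normalising the priority and bringing back the stuck device refcount. Whether ip_vs_ctl.c already includes the header that defines ADDRCONF_NOTIFY_PRIORITY cannot be seen from this hunk.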
diff --git a/queue-4.19/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch b/queue-4.19/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch
new file mode 100644 (file)
index 0000000..8d285d7
--- /dev/null
@@ -0,0 +1,43 @@
+From 1aa80f0ab108714eac06af9919ec59a8ad1b56d0 Mon Sep 17 00:00:00 2001
+From: Josh Elsasser <jelsasser@appneta.com>
+Date: Sat, 24 Nov 2018 12:57:33 -0800
+Subject: ixgbe: recognize 1000BaseLX SFP modules as 1Gbps
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit a8bf879af7b1999eba36303ce9cc60e0e7dd816c ]
+
+Add the two 1000BaseLX enum values to the X550's check for 1Gbps modules,
+allowing the core driver code to establish a link over this SFP type.
+
+This is done by the out-of-tree driver but the fix wasn't in mainline.
+
+Fixes: e23f33367882 ("ixgbe: Fix 1G and 10G link stability for X550EM_x SFP+”)
+Fixes: 6a14ee0cfb19 ("ixgbe: Add X550 support function pointers")
+Signed-off-by: Josh Elsasser <jelsasser@appneta.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+index a8148c7126e5..9772016222c3 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+@@ -2248,7 +2248,9 @@ static s32 ixgbe_get_link_capabilities_X550em(struct ixgbe_hw *hw,
+               *autoneg = false;
+               if (hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core0 ||
+-                  hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core1) {
++                  hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core1 ||
++                  hw->phy.sfp_type == ixgbe_sfp_type_1g_lx_core0 ||
++                  hw->phy.sfp_type == ixgbe_sfp_type_1g_lx_core1) {
+                       *speed = IXGBE_LINK_SPEED_1GB_FULL;
+                       return 0;
+               }
+-- 
+2.19.1
+
diff --git a/queue-4.19/kernel-kcov.c-mark-funcs-in-__sanitizer_cov_trace_pc.patch b/queue-4.19/kernel-kcov.c-mark-funcs-in-__sanitizer_cov_trace_pc.patch
new file mode 100644 (file)
index 0000000..6c5db7b
--- /dev/null
@@ -0,0 +1,63 @@
+From d1c6b074da852de703048d1b0485c2acce367236 Mon Sep 17 00:00:00 2001
+From: Anders Roxell <anders.roxell@linaro.org>
+Date: Fri, 30 Nov 2018 14:10:05 -0800
+Subject: kernel/kcov.c: mark funcs in __sanitizer_cov_trace_pc() as notrace
+
+[ Upstream commit 903e8ff86753e6f327bb92166a0665e4ecb8e2e7 ]
+
+Since __sanitizer_cov_trace_pc() is marked as notrace, function calls in
+__sanitizer_cov_trace_pc() shouldn't be traced either.
+ftrace_graph_caller() gets called for each function that isn't marked
+'notrace', like canonicalize_ip().  This is the call trace from a run:
+
+[  139.644550]  ftrace_graph_caller+0x1c/0x24
+[  139.648352]  canonicalize_ip+0x18/0x28
+[  139.652313]  __sanitizer_cov_trace_pc+0x14/0x58
+[  139.656184]  sched_clock+0x34/0x1e8
+[  139.659759]  trace_clock_local+0x40/0x88
+[  139.663722]  ftrace_push_return_trace+0x8c/0x1f0
+[  139.667767]  prepare_ftrace_return+0xa8/0x100
+[  139.671709]  ftrace_graph_caller+0x1c/0x24
+
+Rework so that check_kcov_mode() and canonicalize_ip() that are called
+from __sanitizer_cov_trace_pc() are also marked as notrace.
+
+Link: http://lkml.kernel.org/r/20181128081239.18317-1-anders.roxell@linaro.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signen-off-by: Anders Roxell <anders.roxell@linaro.org>
+Co-developed-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kcov.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/kcov.c b/kernel/kcov.c
+index 3ebd09efe72a..97959d7b77e2 100644
+--- a/kernel/kcov.c
++++ b/kernel/kcov.c
+@@ -56,7 +56,7 @@ struct kcov {
+       struct task_struct      *t;
+ };
+-static bool check_kcov_mode(enum kcov_mode needed_mode, struct task_struct *t)
++static notrace bool check_kcov_mode(enum kcov_mode needed_mode, struct task_struct *t)
+ {
+       unsigned int mode;
+@@ -78,7 +78,7 @@ static bool check_kcov_mode(enum kcov_mode needed_mode, struct task_struct *t)
+       return mode == needed_mode;
+ }
+-static unsigned long canonicalize_ip(unsigned long ip)
++static notrace unsigned long canonicalize_ip(unsigned long ip)
+ {
+ #ifdef CONFIG_RANDOMIZE_BASE
+       ip -= kaslr_offset();
+-- 
+2.19.1
+
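Review bot: Nothing in the code records why check_kcov_mode() and canonicalize_ip() now carry `notrace`, so a helper added later to the __sanitizer_cov_trace_pc() call path can reintroduce the nested ftrace entry shown in the commit message's trace. A short comment above each function, e.g. `/* notrace: called from __sanitizer_cov_trace_pc(), must not be traced itself */`, would document the constraint where the next editor will see it. Both function bodies extend beyond their hunks.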
diff --git a/queue-4.19/kvm-vmx-update-shared-msrs-to-be-saved-restored-on-m.patch b/queue-4.19/kvm-vmx-update-shared-msrs-to-be-saved-restored-on-m.patch
new file mode 100644 (file)
index 0000000..4b11cca
--- /dev/null
@@ -0,0 +1,102 @@
+From c6b670be13c881215375233781a2559aea38fad9 Mon Sep 17 00:00:00 2001
+From: Liran Alon <liran.alon@oracle.com>
+Date: Tue, 20 Nov 2018 18:03:25 +0200
+Subject: KVM: VMX: Update shared MSRs to be saved/restored on MSR_EFER.LMA
+ changes
+
+[ Upstream commit f48b4711dd6e1cf282f9dfd159c14a305909c97c ]
+
+When guest transitions from/to long-mode by modifying MSR_EFER.LMA,
+the list of shared MSRs to be saved/restored on guest<->host
+transitions is updated (See vmx_set_efer() call to setup_msrs()).
+
+On every entry to guest, vcpu_enter_guest() calls
+vmx_prepare_switch_to_guest(). This function should also take care
+of setting the shared MSRs to be saved/restored. However, the
+function does nothing in case we are already running with loaded
+guest state (vmx->loaded_cpu_state != NULL).
+
+This means that even when guest modifies MSR_EFER.LMA which results
+in updating the list of shared MSRs, it isn't being taken into account
+by vmx_prepare_switch_to_guest() because it happens while we are
+running with loaded guest state.
+
+To fix above mentioned issue, add a flag to mark that the list of
+shared MSRs has been updated and modify vmx_prepare_switch_to_guest()
+to set shared MSRs when running with host state *OR* list of shared
+MSRs has been updated.
+
+Note that this issue was mistakenly introduced by commit
+678e315e78a7 ("KVM: vmx: add dedicated utility to access guest's
+kernel_gs_base") because previously vmx_set_efer() always called
+vmx_load_host_state() which resulted in vmx_prepare_switch_to_guest() to
+set shared MSRs.
+
+Fixes: 678e315e78a7 ("KVM: vmx: add dedicated utility to access guest's kernel_gs_base")
+Reported-by: Eyal Moscovici <eyal.moscovici@oracle.com>
+Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
+Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Liran Alon <liran.alon@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index e55f7a90d4b2..b1aef90aab91 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -962,6 +962,7 @@ struct vcpu_vmx {
+       struct shared_msr_entry *guest_msrs;
+       int                   nmsrs;
+       int                   save_nmsrs;
++      bool                  guest_msrs_dirty;
+       unsigned long         host_idt_base;
+ #ifdef CONFIG_X86_64
+       u64                   msr_host_kernel_gs_base;
+@@ -2874,6 +2875,20 @@ static void vmx_prepare_switch_to_guest(struct kvm_vcpu *vcpu)
+       vmx->req_immediate_exit = false;
++      /*
++       * Note that guest MSRs to be saved/restored can also be changed
++       * when guest state is loaded. This happens when guest transitions
++       * to/from long-mode by setting MSR_EFER.LMA.
++       */
++      if (!vmx->loaded_cpu_state || vmx->guest_msrs_dirty) {
++              vmx->guest_msrs_dirty = false;
++              for (i = 0; i < vmx->save_nmsrs; ++i)
++                      kvm_set_shared_msr(vmx->guest_msrs[i].index,
++                                         vmx->guest_msrs[i].data,
++                                         vmx->guest_msrs[i].mask);
++
++      }
++
+       if (vmx->loaded_cpu_state)
+               return;
+@@ -2934,11 +2949,6 @@ static void vmx_prepare_switch_to_guest(struct kvm_vcpu *vcpu)
+               vmcs_writel(HOST_GS_BASE, gs_base);
+               host_state->gs_base = gs_base;
+       }
+-
+-      for (i = 0; i < vmx->save_nmsrs; ++i)
+-              kvm_set_shared_msr(vmx->guest_msrs[i].index,
+-                                 vmx->guest_msrs[i].data,
+-                                 vmx->guest_msrs[i].mask);
+ }
+ static void vmx_prepare_switch_to_host(struct vcpu_vmx *vmx)
+@@ -3418,6 +3428,7 @@ static void setup_msrs(struct vcpu_vmx *vmx)
+               move_msr_up(vmx, index, save_nmsrs++);
+       vmx->save_nmsrs = save_nmsrs;
++      vmx->guest_msrs_dirty = true;
+       if (cpu_has_vmx_msr_bitmap())
+               vmx_update_msr_bitmap(&vmx->vcpu);
+-- 
+2.19.1
+
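Review bot: The block added to vmx_prepare_switch_to_guest ends with a stray blank line before its closing brace, and its comment does not say who sets `guest_msrs_dirty`. Dropping the empty line and extending the comment with something like `setup_msrs() sets guest_msrs_dirty whenever the list changes` would make the handshake between the two functions readable from either side. The flag is cleared before the loop runs, which is fine as long as setup_msrs() and this function cannot run concurrently for the same vcpu; that cannot be confirmed from these hunks.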
diff --git a/queue-4.19/kvm-x86-fix-empty-body-warnings.patch b/queue-4.19/kvm-x86-fix-empty-body-warnings.patch
new file mode 100644 (file)
index 0000000..1f466b7
--- /dev/null
@@ -0,0 +1,43 @@
+From 4a6844169dbf87a23ac59a11fc696c269d8e5b05 Mon Sep 17 00:00:00 2001
+From: Yi Wang <wang.yi59@zte.com.cn>
+Date: Thu, 8 Nov 2018 16:48:36 +0800
+Subject: KVM: x86: fix empty-body warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 354cb410d87314e2eda344feea84809e4261570a ]
+
+We get the following warnings about empty statements when building
+with 'W=1':
+
+arch/x86/kvm/lapic.c:632:53: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1907:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1936:65: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1975:44: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+
+Rework the debug helper macro to get rid of these warnings.
+
+Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/lapic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 2216d21e955d..3692de84c420 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -55,7 +55,7 @@
+ #define PRIo64 "o"
+ /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
+-#define apic_debug(fmt, arg...)
++#define apic_debug(fmt, arg...) do {} while (0)
+ /* 14 is the version for Xeon and Pentium 8.4.8*/
+ #define APIC_VERSION                  (0x14UL | ((KVM_APIC_LVT_NUM - 1) << 16))
+-- 
+2.19.1
+
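Review bot: With `#define apic_debug(fmt, arg...) do {} while (0)` the format string and arguments are discarded before the compiler sees them, so the apic_debug() call sites get no format checking and can go stale unnoticed. `#define apic_debug(fmt, arg...) no_printk(KERN_WARNING fmt, ##arg)` would also cure the empty-body warning while keeping the arguments type-checked. It may surface mismatches in the existing call sites, which are not visible in this hunk.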
diff --git a/queue-4.19/mm-page_alloc.c-fix-calculation-of-pgdat-nr_zones.patch b/queue-4.19/mm-page_alloc.c-fix-calculation-of-pgdat-nr_zones.patch
new file mode 100644 (file)
index 0000000..4011f2c
--- /dev/null
@@ -0,0 +1,88 @@
+From ba15ca978a3292802ca8ef2b6fb1a82e1a20dd6b Mon Sep 17 00:00:00 2001
+From: Wei Yang <richard.weiyang@gmail.com>
+Date: Fri, 30 Nov 2018 14:09:07 -0800
+Subject: mm/page_alloc.c: fix calculation of pgdat->nr_zones
+
+[ Upstream commit 8f416836c0d50b198cad1225132e5abebf8980dc ]
+
+init_currently_empty_zone() will adjust pgdat->nr_zones and set it to
+'zone_idx(zone) + 1' unconditionally.  This is correct in the normal
+case, while not exact in hot-plug situation.
+
+This function is used in two places:
+
+  * free_area_init_core()
+  * move_pfn_range_to_zone()
+
+In the first case, we are sure zone index increase monotonically.  While
+in the second one, this is under users control.
+
+One way to reproduce this is:
+----------------------------
+
+1. create a virtual machine with empty node1
+
+   -m 4G,slots=32,maxmem=32G \
+   -smp 4,maxcpus=8          \
+   -numa node,nodeid=0,mem=4G,cpus=0-3 \
+   -numa node,nodeid=1,mem=0G,cpus=4-7
+
+2. hot-add cpu 3-7
+
+   cpu-add [3-7]
+
+2. hot-add memory to nod1
+
+   object_add memory-backend-ram,id=ram0,size=1G
+   device_add pc-dimm,id=dimm0,memdev=ram0,node=1
+
+3. online memory with following order
+
+   echo online_movable > memory47/state
+   echo online > memory40/state
+
+After this, node1 will have its nr_zones equals to (ZONE_NORMAL + 1)
+instead of (ZONE_MOVABLE + 1).
+
+Michal said:
+ "Having an incorrect nr_zones might result in all sorts of problems
+  which would be quite hard to debug (e.g. reclaim not considering the
+  movable zone). I do not expect many users would suffer from this it
+  but still this is trivial and obviously right thing to do so
+  backporting to the stable tree shouldn't be harmful (last famous
+  words)"
+
+Link: http://lkml.kernel.org/r/20181117022022.9956-1-richard.weiyang@gmail.com
+Fixes: f1dd2cd13c4b ("mm, memory_hotplug: do not associate hotadded memory to zones until online")
+Signed-off-by: Wei Yang <richard.weiyang@gmail.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Cc: Anshuman Khandual <anshuman.khandual@arm.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/page_alloc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index b721631d78ab..6a62b2421cdf 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -5733,8 +5733,10 @@ void __meminit init_currently_empty_zone(struct zone *zone,
+                                       unsigned long size)
+ {
+       struct pglist_data *pgdat = zone->zone_pgdat;
++      int zone_idx = zone_idx(zone) + 1;
+-      pgdat->nr_zones = zone_idx(zone) + 1;
++      if (zone_idx > pgdat->nr_zones)
++              pgdat->nr_zones = zone_idx;
+       zone->zone_start_pfn = zone_start_pfn;
+-- 
+2.19.1
+
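Review bot: The new local `int zone_idx = zone_idx(zone) + 1;` in init_currently_empty_zone reuses the name of the `zone_idx()` helper it calls, and it holds a zone count rather than an index. This presumably compiles only because zone_idx() is a function-like macro, and it reads badly. Naming it for what it is, `int nr_zones = zone_idx(zone) + 1;` with the test written as `if (nr_zones > pgdat->nr_zones)`, makes the comparison self-explanatory. The function body continues past the hunk.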
diff --git a/queue-4.19/net-hisilicon-remove-unexpected-free_netdev.patch b/queue-4.19/net-hisilicon-remove-unexpected-free_netdev.patch
new file mode 100644 (file)
index 0000000..4774da1
--- /dev/null
@@ -0,0 +1,37 @@
+From e5d98c3955f998d0aac2e8d8cc6f094b9b517069 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Wed, 28 Nov 2018 15:30:24 +0800
+Subject: net: hisilicon: remove unexpected free_netdev
+
+[ Upstream commit c758940158bf29fe14e9d0f89d5848f227b48134 ]
+
+The net device ndev is freed via free_netdev when failing to register
+the device. The control flow then jumps to the error handling code
+block. ndev is used and freed again. Resulting in a use-after-free bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
+index 14374a856d30..6127697ede12 100644
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -914,10 +914,8 @@ static int hip04_mac_probe(struct platform_device *pdev)
+       }
+       ret = register_netdev(ndev);
+-      if (ret) {
+-              free_netdev(ndev);
++      if (ret)
+               goto alloc_fail;
+-      }
+       return 0;
+-- 
+2.19.1
+
diff --git a/queue-4.19/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch b/queue-4.19/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch
new file mode 100644 (file)
index 0000000..887954d
--- /dev/null
@@ -0,0 +1,82 @@
+From 1774276589c0cb8e7e8ecbed4d8518eb6cc1cc26 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Mon, 26 Nov 2018 15:07:16 +0100
+Subject: net: thunderx: fix NULL pointer dereference in nic_remove
+
+[ Upstream commit 24a6d2dd263bc910de018c78d1148b3e33b94512 ]
+
+Fix a possible NULL pointer dereference in nic_remove routine
+removing the nicpf module if nic_probe fails.
+The issue can be triggered with the following reproducer:
+
+$rmmod nicvf
+$rmmod nicpf
+
+[  521.412008] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000014
+[  521.422777] Mem abort info:
+[  521.425561]   ESR = 0x96000004
+[  521.428624]   Exception class = DABT (current EL), IL = 32 bits
+[  521.434535]   SET = 0, FnV = 0
+[  521.437579]   EA = 0, S1PTW = 0
+[  521.440730] Data abort info:
+[  521.443603]   ISV = 0, ISS = 0x00000004
+[  521.447431]   CM = 0, WnR = 0
+[  521.450417] user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000072a3da42
+[  521.457022] [0000000000000014] pgd=0000000000000000
+[  521.461916] Internal error: Oops: 96000004 [#1] SMP
+[  521.511801] Hardware name: GIGABYTE H270-T70/MT70-HD0, BIOS T49 02/02/2018
+[  521.518664] pstate: 80400005 (Nzcv daif +PAN -UAO)
+[  521.523451] pc : nic_remove+0x24/0x88 [nicpf]
+[  521.527808] lr : pci_device_remove+0x48/0xd8
+[  521.532066] sp : ffff000013433cc0
+[  521.535370] x29: ffff000013433cc0 x28: ffff810f6ac50000
+[  521.540672] x27: 0000000000000000 x26: 0000000000000000
+[  521.545974] x25: 0000000056000000 x24: 0000000000000015
+[  521.551274] x23: ffff8007ff89a110 x22: ffff000001667070
+[  521.556576] x21: ffff8007ffb170b0 x20: ffff8007ffb17000
+[  521.561877] x19: 0000000000000000 x18: 0000000000000025
+[  521.567178] x17: 0000000000000000 x16: 000000000000010ffc33ff98 x8 : 0000000000000000
+[  521.593683] x7 : 0000000000000000 x6 : 0000000000000001
+[  521.598983] x5 : 0000000000000002 x4 : 0000000000000003
+[  521.604284] x3 : ffff8007ffb17184 x2 : ffff8007ffb17184
+[  521.609585] x1 : ffff000001662118 x0 : ffff000008557be0
+[  521.614887] Process rmmod (pid: 1897, stack limit = 0x00000000859535c3)
+[  521.621490] Call trace:
+[  521.623928]  nic_remove+0x24/0x88 [nicpf]
+[  521.627927]  pci_device_remove+0x48/0xd8
+[  521.631847]  device_release_driver_internal+0x1b0/0x248
+[  521.637062]  driver_detach+0x50/0xc0
+[  521.640628]  bus_remove_driver+0x60/0x100
+[  521.644627]  driver_unregister+0x34/0x60
+[  521.648538]  pci_unregister_driver+0x24/0xd8
+[  521.652798]  nic_cleanup_module+0x14/0x111c [nicpf]
+[  521.657672]  __arm64_sys_delete_module+0x150/0x218
+[  521.662460]  el0_svc_handler+0x94/0x110
+[  521.666287]  el0_svc+0x8/0xc
+[  521.669160] Code: aa1e03e0 9102c295 d503201f f9404eb3 (b9401660)
+
+Fixes: 4863dea3fab0 ("net: Adding support for Cavium ThunderX network controller")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/nic_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/nic_main.c b/drivers/net/ethernet/cavium/thunder/nic_main.c
+index 55af04fa03a7..6c8dcb65ff03 100644
+--- a/drivers/net/ethernet/cavium/thunder/nic_main.c
++++ b/drivers/net/ethernet/cavium/thunder/nic_main.c
+@@ -1441,6 +1441,9 @@ static void nic_remove(struct pci_dev *pdev)
+ {
+       struct nicpf *nic = pci_get_drvdata(pdev);
++      if (!nic)
++              return;
++
+       if (nic->flags & NIC_SRIOV_ENABLED)
+               pci_disable_sriov(pdev);
+-- 
+2.19.1
+
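Review bot: The `if (!nic) return;` guard in nic_remove leaves before any of the teardown that follows, and nothing in the code says when drvdata can be NULL here. If the remainder of nic_remove, which is outside this hunk, also releases PCI resources that do not depend on `nic`, they are skipped on this path; that is worth confirming against nic_probe's failure paths. A comment such as `/* drvdata is NULL if nic_probe() failed */` would record the reason given in the commit message.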
diff --git a/queue-4.19/netfilter-add-missing-error-handling-code-for-regist.patch b/queue-4.19/netfilter-add-missing-error-handling-code-for-regist.patch
new file mode 100644 (file)
index 0000000..ff32a46
--- /dev/null
@@ -0,0 +1,248 @@
+From c6430f7afdfc5bf934af176b551ac8928a567d9d Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Thu, 22 Nov 2018 19:59:46 +0900
+Subject: netfilter: add missing error handling code for register functions
+
+[ Upstream commit 584eab291c67894cb17cc87544b9d086228ea70f ]
+
+register_{netdevice/inetaddr/inet6addr}_notifier may return an error
+value, this patch adds the code to handle these error paths.
+
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/netfilter/ipv4/nf_nat_masquerade.h    |  2 +-
+ .../net/netfilter/ipv6/nf_nat_masquerade.h    |  2 +-
+ net/ipv4/netfilter/ipt_MASQUERADE.c           |  7 ++--
+ net/ipv4/netfilter/nf_nat_masquerade_ipv4.c   | 21 +++++++++---
+ net/ipv4/netfilter/nft_masq_ipv4.c            |  4 ++-
+ net/ipv6/netfilter/ip6t_MASQUERADE.c          |  8 +++--
+ net/ipv6/netfilter/nf_nat_masquerade_ipv6.c   | 32 +++++++++++++------
+ net/ipv6/netfilter/nft_masq_ipv6.c            |  4 ++-
+ net/netfilter/nft_flow_offload.c              |  5 ++-
+ 9 files changed, 63 insertions(+), 22 deletions(-)
+
+diff --git a/include/net/netfilter/ipv4/nf_nat_masquerade.h b/include/net/netfilter/ipv4/nf_nat_masquerade.h
+index cd24be4c4a99..13d55206bb9f 100644
+--- a/include/net/netfilter/ipv4/nf_nat_masquerade.h
++++ b/include/net/netfilter/ipv4/nf_nat_masquerade.h
+@@ -9,7 +9,7 @@ nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum,
+                      const struct nf_nat_range2 *range,
+                      const struct net_device *out);
+-void nf_nat_masquerade_ipv4_register_notifier(void);
++int nf_nat_masquerade_ipv4_register_notifier(void);
+ void nf_nat_masquerade_ipv4_unregister_notifier(void);
+ #endif /*_NF_NAT_MASQUERADE_IPV4_H_ */
+diff --git a/include/net/netfilter/ipv6/nf_nat_masquerade.h b/include/net/netfilter/ipv6/nf_nat_masquerade.h
+index 0c3b5ebf0bb8..2917bf95c437 100644
+--- a/include/net/netfilter/ipv6/nf_nat_masquerade.h
++++ b/include/net/netfilter/ipv6/nf_nat_masquerade.h
+@@ -5,7 +5,7 @@
+ unsigned int
+ nf_nat_masquerade_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range,
+                      const struct net_device *out);
+-void nf_nat_masquerade_ipv6_register_notifier(void);
++int nf_nat_masquerade_ipv6_register_notifier(void);
+ void nf_nat_masquerade_ipv6_unregister_notifier(void);
+ #endif /* _NF_NAT_MASQUERADE_IPV6_H_ */
+diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
+index ce1512b02cb2..fd3f9e8a74da 100644
+--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
++++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
+@@ -81,9 +81,12 @@ static int __init masquerade_tg_init(void)
+       int ret;
+       ret = xt_register_target(&masquerade_tg_reg);
++      if (ret)
++              return ret;
+-      if (ret == 0)
+-              nf_nat_masquerade_ipv4_register_notifier();
++      ret = nf_nat_masquerade_ipv4_register_notifier();
++      if (ret)
++              xt_unregister_target(&masquerade_tg_reg);
+       return ret;
+ }
+diff --git a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
+index ad3aeff152ed..4a7c1f207d6e 100644
+--- a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
++++ b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
+@@ -133,16 +133,29 @@ static struct notifier_block masq_inet_notifier = {
+ static atomic_t masquerade_notifier_refcount = ATOMIC_INIT(0);
+-void nf_nat_masquerade_ipv4_register_notifier(void)
++int nf_nat_masquerade_ipv4_register_notifier(void)
+ {
++      int ret;
++
+       /* check if the notifier was already set */
+       if (atomic_inc_return(&masquerade_notifier_refcount) > 1)
+-              return;
++              return 0;
+       /* Register for device down reports */
+-      register_netdevice_notifier(&masq_dev_notifier);
++      ret = register_netdevice_notifier(&masq_dev_notifier);
++      if (ret)
++              goto err_dec;
+       /* Register IP address change reports */
+-      register_inetaddr_notifier(&masq_inet_notifier);
++      ret = register_inetaddr_notifier(&masq_inet_notifier);
++      if (ret)
++              goto err_unregister;
++
++      return ret;
++err_unregister:
++      unregister_netdevice_notifier(&masq_dev_notifier);
++err_dec:
++      atomic_dec(&masquerade_notifier_refcount);
++      return ret;
+ }
+ EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv4_register_notifier);
+diff --git a/net/ipv4/netfilter/nft_masq_ipv4.c b/net/ipv4/netfilter/nft_masq_ipv4.c
+index f1193e1e928a..6847de1d1db8 100644
+--- a/net/ipv4/netfilter/nft_masq_ipv4.c
++++ b/net/ipv4/netfilter/nft_masq_ipv4.c
+@@ -69,7 +69,9 @@ static int __init nft_masq_ipv4_module_init(void)
+       if (ret < 0)
+               return ret;
+-      nf_nat_masquerade_ipv4_register_notifier();
++      ret = nf_nat_masquerade_ipv4_register_notifier();
++      if (ret)
++              nft_unregister_expr(&nft_masq_ipv4_type);
+       return ret;
+ }
+diff --git a/net/ipv6/netfilter/ip6t_MASQUERADE.c b/net/ipv6/netfilter/ip6t_MASQUERADE.c
+index 491f808e356a..29c7f1915a96 100644
+--- a/net/ipv6/netfilter/ip6t_MASQUERADE.c
++++ b/net/ipv6/netfilter/ip6t_MASQUERADE.c
+@@ -58,8 +58,12 @@ static int __init masquerade_tg6_init(void)
+       int err;
+       err = xt_register_target(&masquerade_tg6_reg);
+-      if (err == 0)
+-              nf_nat_masquerade_ipv6_register_notifier();
++      if (err)
++              return err;
++
++      err = nf_nat_masquerade_ipv6_register_notifier();
++      if (err)
++              xt_unregister_target(&masquerade_tg6_reg);
+       return err;
+ }
+diff --git a/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c b/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c
+index e6eb7cf9b54f..10012fc687b6 100644
+--- a/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c
++++ b/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c
+@@ -120,8 +120,8 @@ static void iterate_cleanup_work(struct work_struct *work)
+  * of ipv6 addresses being deleted), we also need to add an upper
+  * limit to the number of queued work items.
+  */
+-static int masq_inet_event(struct notifier_block *this,
+-                         unsigned long event, void *ptr)
++static int masq_inet6_event(struct notifier_block *this,
++                          unsigned long event, void *ptr)
+ {
+       struct inet6_ifaddr *ifa = ptr;
+       const struct net_device *dev;
+@@ -158,20 +158,34 @@ static int masq_inet_event(struct notifier_block *this,
+       return NOTIFY_DONE;
+ }
+-static struct notifier_block masq_inet_notifier = {
+-      .notifier_call  = masq_inet_event,
++static struct notifier_block masq_inet6_notifier = {
++      .notifier_call  = masq_inet6_event,
+ };
+ static atomic_t masquerade_notifier_refcount = ATOMIC_INIT(0);
+-void nf_nat_masquerade_ipv6_register_notifier(void)
++int nf_nat_masquerade_ipv6_register_notifier(void)
+ {
++      int ret;
++
+       /* check if the notifier is already set */
+       if (atomic_inc_return(&masquerade_notifier_refcount) > 1)
+-              return;
++              return 0;
+-      register_netdevice_notifier(&masq_dev_notifier);
+-      register_inet6addr_notifier(&masq_inet_notifier);
++      ret = register_netdevice_notifier(&masq_dev_notifier);
++      if (ret)
++              goto err_dec;
++
++      ret = register_inet6addr_notifier(&masq_inet6_notifier);
++      if (ret)
++              goto err_unregister;
++
++      return ret;
++err_unregister:
++      unregister_netdevice_notifier(&masq_dev_notifier);
++err_dec:
++      atomic_dec(&masquerade_notifier_refcount);
++      return ret;
+ }
+ EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6_register_notifier);
+@@ -181,7 +195,7 @@ void nf_nat_masquerade_ipv6_unregister_notifier(void)
+       if (atomic_dec_return(&masquerade_notifier_refcount) > 0)
+               return;
+-      unregister_inet6addr_notifier(&masq_inet_notifier);
++      unregister_inet6addr_notifier(&masq_inet6_notifier);
+       unregister_netdevice_notifier(&masq_dev_notifier);
+ }
+ EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6_unregister_notifier);
+diff --git a/net/ipv6/netfilter/nft_masq_ipv6.c b/net/ipv6/netfilter/nft_masq_ipv6.c
+index dd0122f3cffe..e06c82e9dfcd 100644
+--- a/net/ipv6/netfilter/nft_masq_ipv6.c
++++ b/net/ipv6/netfilter/nft_masq_ipv6.c
+@@ -70,7 +70,9 @@ static int __init nft_masq_ipv6_module_init(void)
+       if (ret < 0)
+               return ret;
+-      nf_nat_masquerade_ipv6_register_notifier();
++      ret = nf_nat_masquerade_ipv6_register_notifier();
++      if (ret)
++              nft_unregister_expr(&nft_masq_ipv6_type);
+       return ret;
+ }
+diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
+index d6bab8c3cbb0..5fd4c57c79cc 100644
+--- a/net/netfilter/nft_flow_offload.c
++++ b/net/netfilter/nft_flow_offload.c
+@@ -214,7 +214,9 @@ static int __init nft_flow_offload_module_init(void)
+ {
+       int err;
+-      register_netdevice_notifier(&flow_offload_netdev_notifier);
++      err = register_netdevice_notifier(&flow_offload_netdev_notifier);
++      if (err)
++              goto err;
+       err = nft_register_expr(&nft_flow_offload_type);
+       if (err < 0)
+@@ -224,6 +226,7 @@ static int __init nft_flow_offload_module_init(void)
+ register_expr:
+       unregister_netdevice_notifier(&flow_offload_netdev_notifier);
++err:
+       return err;
+ }
+-- 
+2.19.1
+
diff --git a/queue-4.19/netfilter-ipv6-preserve-link-scope-traffic-original-.patch b/queue-4.19/netfilter-ipv6-preserve-link-scope-traffic-original-.patch
new file mode 100644 (file)
index 0000000..dcaf2fa
--- /dev/null
@@ -0,0 +1,40 @@
+From 3de772a245ca92d97209c19dc2258226a38e4c71 Mon Sep 17 00:00:00 2001
+From: Alin Nastac <alin.nastac@gmail.com>
+Date: Wed, 21 Nov 2018 14:00:30 +0100
+Subject: netfilter: ipv6: Preserve link scope traffic original oif
+
+[ Upstream commit 508b09046c0f21678652fb66fd1e9959d55591d2 ]
+
+When ip6_route_me_harder is invoked, it resets outgoing interface of:
+  - link-local scoped packets sent by neighbor discovery
+  - multicast packets sent by MLD host
+  - multicast packets send by MLD proxy daemon that sets outgoing
+    interface through IPV6_PKTINFO ipi6_ifindex
+
+Link-local and multicast packets must keep their original oif after
+ip6_route_me_harder is called.
+
+Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
+index 5ae8e1c51079..8b075f0bc351 100644
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -24,7 +24,8 @@ int ip6_route_me_harder(struct net *net, struct sk_buff *skb)
+       unsigned int hh_len;
+       struct dst_entry *dst;
+       struct flowi6 fl6 = {
+-              .flowi6_oif = sk ? sk->sk_bound_dev_if : 0,
++              .flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if :
++                      rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
+               .flowi6_mark = skb->mark,
+               .flowi6_uid = sock_net_uid(net, sk),
+               .daddr = iph->daddr,
+-- 
+2.19.1
+
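Review bot: In the `fl6` initializer of ip6_route_me_harder(), the new fallback reads `skb_dst(skb)->dev->ifindex` with no check that the skb still carries a dst, and nothing in the hunk shows that every caller guarantees one. If that guarantee exists, it deserves a one-line comment above the initializer, e.g. `/* callers always pass an skb with a valid dst */`; if not, the lookup should be guarded before the struct is built. The chained `?:` is also hard to read without parentheses around the inner conditional. The function body continues outside the hunk.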
diff --git a/queue-4.19/netfilter-nat-fix-double-register-in-masquerade-modu.patch b/queue-4.19/netfilter-nat-fix-double-register-in-masquerade-modu.patch
new file mode 100644 (file)
index 0000000..afd9e67
--- /dev/null
@@ -0,0 +1,208 @@
+From 9207dc81ad2b5495206d0554c826bf2767ee6535 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Thu, 22 Nov 2018 19:59:57 +0900
+Subject: netfilter: nat: fix double register in masquerade modules
+
+[ Upstream commit 095faf45e64be00bff4da2d6182dface3d69c9b7 ]
+
+There is a reference counter to ensure that masquerade modules register
+notifiers only once. However, the existing reference counter approach is
+not safe, test commands are:
+
+   while :
+   do
+          modprobe ip6t_MASQUERADE &
+          modprobe nft_masq_ipv6 &
+          modprobe -rv ip6t_MASQUERADE &
+          modprobe -rv nft_masq_ipv6 &
+   done
+
+numbers below represent the reference counter.
+--------------------------------------------------------
+CPU0        CPU1        CPU2        CPU3        CPU4
+[insmod]    [insmod]    [rmmod]     [rmmod]     [insmod]
+--------------------------------------------------------
+0->1
+register    1->2
+            returns     2->1
+                       returns     1->0
+                                                0->1
+                                                register <--
+                                    unregister
+--------------------------------------------------------
+
+The unregistation of CPU3 should be processed before the
+registration of CPU4.
+
+In order to fix this, use a mutex instead of reference counter.
+
+splat looks like:
+[  323.869557] watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [modprobe:1381]
+[  323.869574] Modules linked in: nf_tables(+) nf_nat_ipv6(-) nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 n]
+[  323.869574] irq event stamp: 194074
+[  323.898930] hardirqs last  enabled at (194073): [<ffffffff90004a0d>] trace_hardirqs_on_thunk+0x1a/0x1c
+[  323.898930] hardirqs last disabled at (194074): [<ffffffff90004a29>] trace_hardirqs_off_thunk+0x1a/0x1c
+[  323.898930] softirqs last  enabled at (182132): [<ffffffff922006ec>] __do_softirq+0x6ec/0xa3b
+[  323.898930] softirqs last disabled at (182109): [<ffffffff90193426>] irq_exit+0x1a6/0x1e0
+[  323.898930] CPU: 0 PID: 1381 Comm: modprobe Not tainted 4.20.0-rc2+ #27
+[  323.898930] RIP: 0010:raw_notifier_chain_register+0xea/0x240
+[  323.898930] Code: 3c 03 0f 8e f2 00 00 00 44 3b 6b 10 7f 4d 49 bc 00 00 00 00 00 fc ff df eb 22 48 8d 7b 10 488
+[  323.898930] RSP: 0018:ffff888101597218 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
+[  323.898930] RAX: 0000000000000000 RBX: ffffffffc04361c0 RCX: 0000000000000000
+[  323.898930] RDX: 1ffffffff26132ae RSI: ffffffffc04aa3c0 RDI: ffffffffc04361d0
+[  323.898930] RBP: ffffffffc04361c8 R08: 0000000000000000 R09: 0000000000000001
+[  323.898930] R10: ffff8881015972b0 R11: fffffbfff26132c4 R12: dffffc0000000000
+[  323.898930] R13: 0000000000000000 R14: 1ffff110202b2e44 R15: ffffffffc04aa3c0
+[  323.898930] FS:  00007f813ed41540(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000
+[  323.898930] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  323.898930] CR2: 0000559bf2c9f120 CR3: 000000010bc80000 CR4: 00000000001006f0
+[  323.898930] Call Trace:
+[  323.898930]  ? atomic_notifier_chain_register+0x2d0/0x2d0
+[  323.898930]  ? down_read+0x150/0x150
+[  323.898930]  ? sched_clock_cpu+0x126/0x170
+[  323.898930]  ? nf_tables_core_module_init+0xe4/0xe4 [nf_tables]
+[  323.898930]  ? nf_tables_core_module_init+0xe4/0xe4 [nf_tables]
+[  323.898930]  register_netdevice_notifier+0xbb/0x790
+[  323.898930]  ? __dev_close_many+0x2d0/0x2d0
+[  323.898930]  ? __mutex_unlock_slowpath+0x17f/0x740
+[  323.898930]  ? wait_for_completion+0x710/0x710
+[  323.898930]  ? nf_tables_core_module_init+0xe4/0xe4 [nf_tables]
+[  323.898930]  ? up_write+0x6c/0x210
+[  323.898930]  ? nf_tables_core_module_init+0xe4/0xe4 [nf_tables]
+[  324.127073]  ? nf_tables_core_module_init+0xe4/0xe4 [nf_tables]
+[  324.127073]  nft_chain_filter_init+0x1e/0xe8a [nf_tables]
+[  324.127073]  nf_tables_module_init+0x37/0x92 [nf_tables]
+[ ... ]
+
+Fixes: 8dd33cc93ec9 ("netfilter: nf_nat: generalize IPv4 masquerading support for nf_tables")
+Fixes: be6b635cd674 ("netfilter: nf_nat: generalize IPv6 masquerading support for nf_tables")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/netfilter/nf_nat_masquerade_ipv4.c | 23 ++++++++++++++-------
+ net/ipv6/netfilter/nf_nat_masquerade_ipv6.c | 23 ++++++++++++++-------
+ 2 files changed, 32 insertions(+), 14 deletions(-)
+
+diff --git a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
+index 4a7c1f207d6e..4c7fcd32f8e6 100644
+--- a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
++++ b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
+@@ -131,15 +131,17 @@ static struct notifier_block masq_inet_notifier = {
+       .notifier_call  = masq_inet_event,
+ };
+-static atomic_t masquerade_notifier_refcount = ATOMIC_INIT(0);
++static int masq_refcnt;
++static DEFINE_MUTEX(masq_mutex);
+ int nf_nat_masquerade_ipv4_register_notifier(void)
+ {
+-      int ret;
++      int ret = 0;
++      mutex_lock(&masq_mutex);
+       /* check if the notifier was already set */
+-      if (atomic_inc_return(&masquerade_notifier_refcount) > 1)
+-              return 0;
++      if (++masq_refcnt > 1)
++              goto out_unlock;
+       /* Register for device down reports */
+       ret = register_netdevice_notifier(&masq_dev_notifier);
+@@ -150,22 +152,29 @@ int nf_nat_masquerade_ipv4_register_notifier(void)
+       if (ret)
+               goto err_unregister;
++      mutex_unlock(&masq_mutex);
+       return ret;
++
+ err_unregister:
+       unregister_netdevice_notifier(&masq_dev_notifier);
+ err_dec:
+-      atomic_dec(&masquerade_notifier_refcount);
++      masq_refcnt--;
++out_unlock:
++      mutex_unlock(&masq_mutex);
+       return ret;
+ }
+ EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv4_register_notifier);
+ void nf_nat_masquerade_ipv4_unregister_notifier(void)
+ {
++      mutex_lock(&masq_mutex);
+       /* check if the notifier still has clients */
+-      if (atomic_dec_return(&masquerade_notifier_refcount) > 0)
+-              return;
++      if (--masq_refcnt > 0)
++              goto out_unlock;
+       unregister_netdevice_notifier(&masq_dev_notifier);
+       unregister_inetaddr_notifier(&masq_inet_notifier);
++out_unlock:
++      mutex_unlock(&masq_mutex);
+ }
+ EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv4_unregister_notifier);
+diff --git a/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c b/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c
+index 10012fc687b6..37b1d413c825 100644
+--- a/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c
++++ b/net/ipv6/netfilter/nf_nat_masquerade_ipv6.c
+@@ -162,15 +162,17 @@ static struct notifier_block masq_inet6_notifier = {
+       .notifier_call  = masq_inet6_event,
+ };
+-static atomic_t masquerade_notifier_refcount = ATOMIC_INIT(0);
++static int masq_refcnt;
++static DEFINE_MUTEX(masq_mutex);
+ int nf_nat_masquerade_ipv6_register_notifier(void)
+ {
+-      int ret;
++      int ret = 0;
++      mutex_lock(&masq_mutex);
+       /* check if the notifier is already set */
+-      if (atomic_inc_return(&masquerade_notifier_refcount) > 1)
+-              return 0;
++      if (++masq_refcnt > 1)
++              goto out_unlock;
+       ret = register_netdevice_notifier(&masq_dev_notifier);
+       if (ret)
+@@ -180,22 +182,29 @@ int nf_nat_masquerade_ipv6_register_notifier(void)
+       if (ret)
+               goto err_unregister;
++      mutex_unlock(&masq_mutex);
+       return ret;
++
+ err_unregister:
+       unregister_netdevice_notifier(&masq_dev_notifier);
+ err_dec:
+-      atomic_dec(&masquerade_notifier_refcount);
++      masq_refcnt--;
++out_unlock:
++      mutex_unlock(&masq_mutex);
+       return ret;
+ }
+ EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6_register_notifier);
+ void nf_nat_masquerade_ipv6_unregister_notifier(void)
+ {
++      mutex_lock(&masq_mutex);
+       /* check if the notifier still has clients */
+-      if (atomic_dec_return(&masquerade_notifier_refcount) > 0)
+-              return;
++      if (--masq_refcnt > 0)
++              goto out_unlock;
+       unregister_inet6addr_notifier(&masq_inet6_notifier);
+       unregister_netdevice_notifier(&masq_dev_notifier);
++out_unlock:
++      mutex_unlock(&masq_mutex);
+ }
+ EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6_unregister_notifier);
+-- 
+2.19.1
+
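Review bot: `masq_refcnt` and `masq_mutex` are introduced without a comment saying that the mutex covers both the counter and the notifier (un)registration calls, which is the whole point of the change; the same applies to the matching pair in nf_nat_masquerade_ipv6.c. A comment such as `/* masq_mutex serialises masq_refcnt and the notifier (un)registration below */` above the declarations would keep a later cleanup from narrowing the critical section back to the counter alone. register_netdevice_notifier() is now called with masq_mutex held, so any lock it takes nests inside masq_mutex, which is worth recording in the same comment. Separately, both unregister functions decrement unconditionally, so an unbalanced call would drive the counter negative and unregister notifiers that were never registered; the hunks show no guard against that.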
diff --git a/queue-4.19/netfilter-nf_conncount-fix-list_del-corruption-in-co.patch b/queue-4.19/netfilter-nf_conncount-fix-list_del-corruption-in-co.patch
new file mode 100644 (file)
index 0000000..de637c7
--- /dev/null
@@ -0,0 +1,103 @@
+From fc2d841cf9269dfa5146ec7f09a859b0994c3ff0 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Mon, 5 Nov 2018 03:44:11 +0900
+Subject: netfilter: nf_conncount: fix list_del corruption in conn_free
+
+[ Upstream commit 31568ec09ea02a050249921698c9729419539cce ]
+
+nf_conncount_tuple is an element of nft_connlimit and that is deleted by
+conn_free(). Elements can be deleted by both GC routine and data path
+functions (nf_conncount_lookup, nf_conncount_add) and they call
+conn_free() to free elements. But conn_free() only protects lists, not
+each element. So that list_del corruption could occurred.
+
+The conn_free() doesn't check whether element is already deleted. In
+order to protect elements, dead flag is added. If an element is deleted,
+dead flag is set. The only conn_free() can delete elements so that both
+list lock and dead flag are enough to protect it.
+
+test commands:
+   %nft add table ip filter
+   %nft add chain ip filter input { type filter hook input priority 0\; }
+   %nft add rule filter input meter test { ip id ct count over 2 } counter
+
+splat looks like:
+[ 1779.495778] list_del corruption, ffff8800b6e12008->prev is LIST_POISON2 (dead000000000200)
+[ 1779.505453] ------------[ cut here ]------------
+[ 1779.506260] kernel BUG at lib/list_debug.c:50!
+[ 1779.515831] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[ 1779.516772] CPU: 0 PID: 33 Comm: kworker/0:2 Not tainted 4.19.0-rc6+ #22
+[ 1779.516772] Workqueue: events_power_efficient nft_rhash_gc [nf_tables_set]
+[ 1779.516772] RIP: 0010:__list_del_entry_valid+0xd8/0x150
+[ 1779.516772] Code: 39 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 89 ea 48 c7 c7 00 c3 5b 98 e8 0f dc 40 ff 0f 0b 48 c7 c7 60 c3 5b 98 e8 01 dc 40 ff <0f> 0b 48 c7 c7 c0 c3 5b 98 e8 f3 db 40 ff 0f 0b 48 c7 c7 20 c4 5b
+[ 1779.516772] RSP: 0018:ffff880119127420 EFLAGS: 00010286
+[ 1779.516772] RAX: 000000000000004e RBX: dead000000000200 RCX: 0000000000000000
+[ 1779.516772] RDX: 000000000000004e RSI: 0000000000000008 RDI: ffffed0023224e7a
+[ 1779.516772] RBP: ffff88011934bc10 R08: ffffed002367cea9 R09: ffffed002367cea9
+[ 1779.516772] R10: 0000000000000001 R11: ffffed002367cea8 R12: ffff8800b6e12008
+[ 1779.516772] R13: ffff8800b6e12010 R14: ffff88011934bc20 R15: ffff8800b6e12008
+[ 1779.516772] FS:  0000000000000000(0000) GS:ffff88011b200000(0000) knlGS:0000000000000000
+[ 1779.516772] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1779.516772] CR2: 00007fc876534010 CR3: 000000010da16000 CR4: 00000000001006f0
+[ 1779.516772] Call Trace:
+[ 1779.516772]  conn_free+0x9f/0x2b0 [nf_conncount]
+[ 1779.516772]  ? nf_ct_tmpl_alloc+0x2a0/0x2a0 [nf_conntrack]
+[ 1779.516772]  ? nf_conncount_add+0x520/0x520 [nf_conncount]
+[ 1779.516772]  ? do_raw_spin_trylock+0x1a0/0x1a0
+[ 1779.516772]  ? do_raw_spin_trylock+0x10/0x1a0
+[ 1779.516772]  find_or_evict+0xe5/0x150 [nf_conncount]
+[ 1779.516772]  nf_conncount_gc_list+0x162/0x360 [nf_conncount]
+[ 1779.516772]  ? nf_conncount_lookup+0xee0/0xee0 [nf_conncount]
+[ 1779.516772]  ? _raw_spin_unlock_irqrestore+0x45/0x50
+[ 1779.516772]  ? trace_hardirqs_off+0x6b/0x220
+[ 1779.516772]  ? trace_hardirqs_on_caller+0x220/0x220
+[ 1779.516772]  nft_rhash_gc+0x16b/0x540 [nf_tables_set]
+[ ... ]
+
+Fixes: 5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conncount.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
+index 71b1f4f99580..cb33709138df 100644
+--- a/net/netfilter/nf_conncount.c
++++ b/net/netfilter/nf_conncount.c
+@@ -49,6 +49,7 @@ struct nf_conncount_tuple {
+       struct nf_conntrack_zone        zone;
+       int                             cpu;
+       u32                             jiffies32;
++      bool                            dead;
+       struct rcu_head                 rcu_head;
+ };
+@@ -106,6 +107,7 @@ nf_conncount_add(struct nf_conncount_list *list,
+       conn->zone = *zone;
+       conn->cpu = raw_smp_processor_id();
+       conn->jiffies32 = (u32)jiffies;
++      conn->dead = false;
+       spin_lock_bh(&list->list_lock);
+       if (list->dead == true) {
+               kmem_cache_free(conncount_conn_cachep, conn);
+@@ -134,12 +136,13 @@ static bool conn_free(struct nf_conncount_list *list,
+       spin_lock_bh(&list->list_lock);
+-      if (list->count == 0) {
++      if (conn->dead) {
+               spin_unlock_bh(&list->list_lock);
+-                return free_entry;
++              return free_entry;
+       }
+       list->count--;
++      conn->dead = true;
+       list_del_rcu(&conn->node);
+       if (list->count == 0)
+               free_entry = true;
+-- 
+2.19.1
+
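Review bot: The new `dead` member of struct nf_conncount_tuple carries no comment naming the lock that protects it, although conn_free() tests and sets it only with `list->list_lock` held. A field comment such as `bool dead; /* unlinked from list; protected by list->list_lock */` would document that. conn_free() also reads `conn->dead` on an element that another path may already have handed to call_rcu(), so the early-return path presumably depends on callers running inside an RCU read-side section; that is not visible here and is worth stating in the function comment. conn_free()'s body starts and ends outside the hunk.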
diff --git a/queue-4.19/netfilter-nf_conncount-fix-unexpected-permanent-node.patch b/queue-4.19/netfilter-nf_conncount-fix-unexpected-permanent-node.patch
new file mode 100644 (file)
index 0000000..f38f1a7
--- /dev/null
@@ -0,0 +1,85 @@
+From 3b676aa685ed43e0da4752f3b9f83344560d1e99 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Mon, 5 Nov 2018 03:44:39 +0900
+Subject: netfilter: nf_conncount: fix unexpected permanent node of list.
+
+[ Upstream commit 3c5cdb17c3be76714dfd0d03e384f70579545614 ]
+
+When list->count is 0, the list is deleted by GC. But list->count is
+never reached 0 because initial count value is 1 and it is increased
+when node is inserted. So that initial value of list->count should be 0.
+
+Originally GC always finds zero count list through deleting node and
+decreasing count. However, list may be left empty since node insertion
+may fail eg.  allocaton problem. In order to solve this problem, GC
+routine also finds zero count list without deleting node.
+
+Fixes: cb2b36f5a97d ("netfilter: nf_conncount: Switch to plain list")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conncount.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
+index cb33709138df..8acae4a3e4c0 100644
+--- a/net/netfilter/nf_conncount.c
++++ b/net/netfilter/nf_conncount.c
+@@ -144,8 +144,10 @@ static bool conn_free(struct nf_conncount_list *list,
+       list->count--;
+       conn->dead = true;
+       list_del_rcu(&conn->node);
+-      if (list->count == 0)
++      if (list->count == 0) {
++              list->dead = true;
+               free_entry = true;
++      }
+       spin_unlock_bh(&list->list_lock);
+       call_rcu(&conn->rcu_head, __conn_free);
+@@ -248,7 +250,7 @@ void nf_conncount_list_init(struct nf_conncount_list *list)
+ {
+       spin_lock_init(&list->list_lock);
+       INIT_LIST_HEAD(&list->head);
+-      list->count = 1;
++      list->count = 0;
+       list->dead = false;
+ }
+ EXPORT_SYMBOL_GPL(nf_conncount_list_init);
+@@ -262,6 +264,7 @@ bool nf_conncount_gc_list(struct net *net,
+       struct nf_conn *found_ct;
+       unsigned int collected = 0;
+       bool free_entry = false;
++      bool ret = false;
+       list_for_each_entry_safe(conn, conn_n, &list->head, node) {
+               found = find_or_evict(net, list, conn, &free_entry);
+@@ -291,7 +294,15 @@ bool nf_conncount_gc_list(struct net *net,
+               if (collected > CONNCOUNT_GC_MAX_NODES)
+                       return false;
+       }
+-      return false;
++
++      spin_lock_bh(&list->list_lock);
++      if (!list->count) {
++              list->dead = true;
++              ret = true;
++      }
++      spin_unlock_bh(&list->list_lock);
++
++      return ret;
+ }
+ EXPORT_SYMBOL_GPL(nf_conncount_gc_list);
+@@ -417,6 +428,7 @@ insert_tree(struct net *net,
+       nf_conncount_list_init(&rbconn->list);
+       list_add(&conn->node, &rbconn->list.head);
+       count = 1;
++      rbconn->list.count = count;
+       rb_link_node(&rbconn->node, parent, rbnode);
+       rb_insert_color(&rbconn->node, root);
+-- 
+2.19.1
+
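Review bot: nf_conncount_gc_list() now marks the list dead itself when it finds `list->count` at zero, but the meaning of its return value is not documented anywhere in the hunk. Once `list->dead` is set, nf_conncount_add() refuses inserts (its `list->dead == true` branch returns NF_CONNCOUNT_SKIP), so a `true` return appears to oblige the caller to release the list; a comment above the function would make that explicit, e.g. `/* Returns true if the list is empty and has been marked dead; the caller must then free it. */`. The early `return false` after CONNCOUNT_GC_MAX_NODES skips the new empty-list check, which looks intentional but is worth a word in the same comment. In insert_tree() the count is set by hand after a direct list_add(), so the rule that count equals the number of linked nodes is now maintained in two places.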
diff --git a/queue-4.19/netfilter-nf_conncount-remove-wrong-condition-check-.patch b/queue-4.19/netfilter-nf_conncount-remove-wrong-condition-check-.patch
new file mode 100644 (file)
index 0000000..3c63eb9
--- /dev/null
@@ -0,0 +1,42 @@
+From 46360cc58485b23f37664053c0548527ac15fab9 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Sun, 25 Nov 2018 18:47:13 +0900
+Subject: netfilter: nf_conncount: remove wrong condition check routine
+
+[ Upstream commit 53ca0f2fec39c80ccd19e6e3f30cc8daef174b70 ]
+
+All lists that reach the tree_nodes_free() function have both zero
+counter and true dead flag. The reason for this is that lists to be
+release are selected by nf_conncount_gc_list() which already decrements
+the list counter and sets on the dead flag. Therefore, this if statement
+in tree_nodes_free() is unnecessary and wrong.
+
+Fixes: 31568ec09ea0 ("netfilter: nf_conncount: fix list_del corruption in conn_free")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conncount.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
+index 8acae4a3e4c0..b6d0f6deea86 100644
+--- a/net/netfilter/nf_conncount.c
++++ b/net/netfilter/nf_conncount.c
+@@ -323,11 +323,8 @@ static void tree_nodes_free(struct rb_root *root,
+       while (gc_count) {
+               rbconn = gc_nodes[--gc_count];
+               spin_lock(&rbconn->list.list_lock);
+-              if (rbconn->list.count == 0 && rbconn->list.dead == false) {
+-                      rbconn->list.dead = true;
+-                      rb_erase(&rbconn->node, root);
+-                      call_rcu(&rbconn->rcu_head, __tree_nodes_free);
+-              }
++              rb_erase(&rbconn->node, root);
++              call_rcu(&rbconn->rcu_head, __tree_nodes_free);
+               spin_unlock(&rbconn->list.list_lock);
+       }
+ }
+-- 
+2.19.1
+
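Review bot: tree_nodes_free() still takes `rbconn->list.list_lock` with plain spin_lock(), while another patch in this queue converts conn_free() and nf_conncount_add() to spin_lock_bh() on the same lock because it is also taken from bottom-half context. Whether tree_nodes_free() always runs with bottom halves already disabled is not visible in this hunk, and the enclosing function starts outside it. If it does, a comment such as `/* BH disabled by caller */` next to the lock call would record that; otherwise the pair should become `spin_lock_bh(&rbconn->list.list_lock);` and `spin_unlock_bh(&rbconn->list.list_lock);`. With the condition removed, the erase also trusts that each node reaches gc_nodes only once with `dead` already set, so a `WARN_ON_ONCE(!rbconn->list.dead);` before rb_erase() would catch a violation.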
diff --git a/queue-4.19/netfilter-nf_conncount-use-spin_lock_bh-instead-of-s.patch b/queue-4.19/netfilter-nf_conncount-use-spin_lock_bh-instead-of-s.patch
new file mode 100644 (file)
index 0000000..c705a27
--- /dev/null
@@ -0,0 +1,105 @@
+From 0836e35ed65aaa1e8ef08d8b01b96b3ca87c432d Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Mon, 5 Nov 2018 03:43:19 +0900
+Subject: netfilter: nf_conncount: use spin_lock_bh instead of spin_lock
+
+[ Upstream commit fd3e71a9f71e232181a225301a75936373636ccc ]
+
+conn_free() holds lock with spin_lock() and it is called by both
+nf_conncount_lookup() and nf_conncount_gc_list(). nf_conncount_lookup()
+is called from bottom-half context and nf_conncount_gc_list() from
+process context. So that spin_lock() call is not safe. Hence
+conn_free() should use spin_lock_bh() instead of spin_lock().
+
+test commands:
+   %nft add table ip filter
+   %nft add chain ip filter input { type filter hook input priority 0\; }
+   %nft add rule filter input meter test { ip saddr ct count over 2 } \
+          counter
+
+splat looks like:
+[  461.996507] ================================
+[  461.998999] WARNING: inconsistent lock state
+[  461.998999] 4.19.0-rc6+ #22 Not tainted
+[  461.998999] --------------------------------
+[  461.998999] inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
+[  461.998999] kworker/0:2/134 [HC0[0]:SC0[0]:HE1:SE1] takes:
+[  461.998999] 00000000a71a559a (&(&list->list_lock)->rlock){+.?.}, at: conn_free+0x69/0x2b0 [nf_conncount]
+[  461.998999] {IN-SOFTIRQ-W} state was registered at:
+[  461.998999]   _raw_spin_lock+0x30/0x70
+[  461.998999]   nf_conncount_add+0x28a/0x520 [nf_conncount]
+[  461.998999]   nft_connlimit_eval+0x401/0x580 [nft_connlimit]
+[  461.998999]   nft_dynset_eval+0x32b/0x590 [nf_tables]
+[  461.998999]   nft_do_chain+0x497/0x1430 [nf_tables]
+[  461.998999]   nft_do_chain_ipv4+0x255/0x330 [nf_tables]
+[  461.998999]   nf_hook_slow+0xb1/0x160
+[ ... ]
+[  461.998999] other info that might help us debug this:
+[  461.998999]  Possible unsafe locking scenario:
+[  461.998999]
+[  461.998999]        CPU0
+[  461.998999]        ----
+[  461.998999]   lock(&(&list->list_lock)->rlock);
+[  461.998999]   <Interrupt>
+[  461.998999]     lock(&(&list->list_lock)->rlock);
+[  461.998999]
+[  461.998999]  *** DEADLOCK ***
+[  461.998999]
+[ ... ]
+
+Fixes: 5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conncount.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
+index 02ca7df793f5..71b1f4f99580 100644
+--- a/net/netfilter/nf_conncount.c
++++ b/net/netfilter/nf_conncount.c
+@@ -106,15 +106,15 @@ nf_conncount_add(struct nf_conncount_list *list,
+       conn->zone = *zone;
+       conn->cpu = raw_smp_processor_id();
+       conn->jiffies32 = (u32)jiffies;
+-      spin_lock(&list->list_lock);
++      spin_lock_bh(&list->list_lock);
+       if (list->dead == true) {
+               kmem_cache_free(conncount_conn_cachep, conn);
+-              spin_unlock(&list->list_lock);
++              spin_unlock_bh(&list->list_lock);
+               return NF_CONNCOUNT_SKIP;
+       }
+       list_add_tail(&conn->node, &list->head);
+       list->count++;
+-      spin_unlock(&list->list_lock);
++      spin_unlock_bh(&list->list_lock);
+       return NF_CONNCOUNT_ADDED;
+ }
+ EXPORT_SYMBOL_GPL(nf_conncount_add);
+@@ -132,10 +132,10 @@ static bool conn_free(struct nf_conncount_list *list,
+ {
+       bool free_entry = false;
+-      spin_lock(&list->list_lock);
++      spin_lock_bh(&list->list_lock);
+       if (list->count == 0) {
+-              spin_unlock(&list->list_lock);
++              spin_unlock_bh(&list->list_lock);
+                 return free_entry;
+       }
+@@ -144,7 +144,7 @@ static bool conn_free(struct nf_conncount_list *list,
+       if (list->count == 0)
+               free_entry = true;
+-      spin_unlock(&list->list_lock);
++      spin_unlock_bh(&list->list_lock);
+       call_rcu(&conn->rcu_head, __conn_free);
+       return free_entry;
+ }
+-- 
+2.19.1
+
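Review bot: In nf_conncount_add(), the `list->dead` branch calls kmem_cache_free() before dropping the lock, so the free now runs with bottom halves disabled for no visible reason, since `conn` has not been linked into the list at that point. Swapping the two lines, `spin_unlock_bh(&list->list_lock);` then `kmem_cache_free(conncount_conn_cachep, conn);`, keeps the critical section to the `dead` test alone. The beginning of the function is outside the hunk.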
diff --git a/queue-4.19/netfilter-nf_tables-deactivate-expressions-in-rule-r.patch b/queue-4.19/netfilter-nf_tables-deactivate-expressions-in-rule-r.patch
new file mode 100644 (file)
index 0000000..cce2a0b
--- /dev/null
@@ -0,0 +1,94 @@
+From c6bfb45ccb834dfe7970fddc084e7aeb88548377 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 28 Nov 2018 11:27:28 +0900
+Subject: netfilter: nf_tables: deactivate expressions in rule replecement
+ routine
+
+[ Upstream commit ca08987885a147643817d02bf260bc4756ce8cd4 ]
+
+There is no expression deactivation call from the rule replacement path,
+hence, chain counter is not decremented. A few steps to reproduce the
+problem:
+
+   %nft add table ip filter
+   %nft add chain ip filter c1
+   %nft add chain ip filter c1
+   %nft add rule ip filter c1 jump c2
+   %nft replace rule ip filter c1 handle 3 accept
+   %nft flush ruleset
+
+<jump c2> expression means immediate NFT_JUMP to chain c2.
+Reference count of chain c2 is increased when the rule is added.
+
+When rule is deleted or replaced, the reference counter of c2 should be
+decreased via nft_rule_expr_deactivate() which calls
+nft_immediate_deactivate().
+
+Splat looks like:
+[  214.396453] WARNING: CPU: 1 PID: 21 at net/netfilter/nf_tables_api.c:1432 nf_tables_chain_destroy.isra.38+0x2f9/0x3a0 [nf_tables]
+[  214.398983] Modules linked in: nf_tables nfnetlink
+[  214.398983] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 4.20.0-rc2+ #44
+[  214.398983] Workqueue: events nf_tables_trans_destroy_work [nf_tables]
+[  214.398983] RIP: 0010:nf_tables_chain_destroy.isra.38+0x2f9/0x3a0 [nf_tables]
+[  214.398983] Code: 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 8e 00 00 00 48 8b 7b 58 e8 e1 2c 4e c6 48 89 df e8 d9 2c 4e c6 eb 9a <0f> 0b eb 96 0f 0b e9 7e fe ff ff e8 a7 7e 4e c6 e9 a4 fe ff ff e8
+[  214.398983] RSP: 0018:ffff8881152874e8 EFLAGS: 00010202
+[  214.398983] RAX: 0000000000000001 RBX: ffff88810ef9fc28 RCX: ffff8881152876f0
+[  214.398983] RDX: dffffc0000000000 RSI: 1ffff11022a50ede RDI: ffff88810ef9fc78
+[  214.398983] RBP: 1ffff11022a50e9d R08: 0000000080000000 R09: 0000000000000000
+[  214.398983] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff11022a50eba
+[  214.398983] R13: ffff888114446e08 R14: ffff8881152876f0 R15: ffffed1022a50ed6
+[  214.398983] FS:  0000000000000000(0000) GS:ffff888116400000(0000) knlGS:0000000000000000
+[  214.398983] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  214.398983] CR2: 00007fab9bb5f868 CR3: 000000012aa16000 CR4: 00000000001006e0
+[  214.398983] Call Trace:
+[  214.398983]  ? nf_tables_table_destroy.isra.37+0x100/0x100 [nf_tables]
+[  214.398983]  ? __kasan_slab_free+0x145/0x180
+[  214.398983]  ? nf_tables_trans_destroy_work+0x439/0x830 [nf_tables]
+[  214.398983]  ? kfree+0xdb/0x280
+[  214.398983]  nf_tables_trans_destroy_work+0x5f5/0x830 [nf_tables]
+[ ... ]
+
+Fixes: bb7b40aecbf7 ("netfilter: nf_tables: bogus EBUSY in chain deletions")
+Reported by: Christoph Anton Mitterer <calestyo@scientia.net>
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914505
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=201791
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 06ed55cef962..fe0558b15fd3 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2646,21 +2646,14 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
+       }
+       if (nlh->nlmsg_flags & NLM_F_REPLACE) {
+-              if (!nft_is_active_next(net, old_rule)) {
+-                      err = -ENOENT;
+-                      goto err2;
+-              }
+-              trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
+-                                         old_rule);
++              trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
+               if (trans == NULL) {
+                       err = -ENOMEM;
+                       goto err2;
+               }
+-              nft_deactivate_next(net, old_rule);
+-              chain->use--;
+-
+-              if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
+-                      err = -ENOMEM;
++              err = nft_delrule(&ctx, old_rule);
++              if (err < 0) {
++                      nft_trans_destroy(trans);
+                       goto err2;
+               }
+-- 
+2.19.1
+
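Review bot: In the `NLM_F_REPLACE` branch of nf_tables_newrule(), the explicit `nft_is_active_next(net, old_rule)` test and its `-ENOENT` are gone, so rejecting an old rule that is already inactive in the next generation now depends entirely on `nft_delrule()`, whose body is not in this hunk. That should be confirmed against the 4.19 tree, since without the check a second replace of the same rule in one batch could deactivate its expressions twice. The new ordering also deserves a comment above the call, e.g. `/* NEWRULE is queued first; destroy it again if deleting old_rule fails */`. nf_tables_newrule() starts and ends outside the hunk.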
diff --git a/queue-4.19/netfilter-nf_tables-don-t-skip-inactive-chains-durin.patch b/queue-4.19/netfilter-nf_tables-don-t-skip-inactive-chains-durin.patch
new file mode 100644 (file)
index 0000000..7e09d11
--- /dev/null
@@ -0,0 +1,70 @@
+From 165ed0da4008dc5ef9ee1e5493e2f669b7475654 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 31 Oct 2018 18:26:20 +0100
+Subject: netfilter: nf_tables: don't skip inactive chains during update
+
+[ Upstream commit 0fb39bbe43d4481fcf300d2b5822de60942fd189 ]
+
+There is no synchronization between packet path and the configuration plane.
+
+The packet path uses two arrays with rules, one contains the current (active)
+generation.  The other either contains the last (obsolete) generation or
+the future one.
+
+Consider:
+cpu1               cpu2
+                   nft_do_chain(c);
+delete c
+net->gen++;
+                   genbit = !!net->gen;
+                   rules = c->rg[genbit];
+
+cpu1 ignores c when updating if c is not active anymore in the new
+generation.
+
+On cpu2, we now use rules from wrong generation, as c->rg[old]
+contains the rules matching 'c' whereas c->rg[new] was not updated and
+can even point to rules that have been free'd already, causing a crash.
+
+To fix this, make sure that 'current' to the 'next' generation are
+identical for chains that are going away so that c->rg[new] will just
+use the matching rules even if genbit was incremented already.
+
+Fixes: 0cbc06b3faba7 ("netfilter: nf_tables: remove synchronize_rcu in commit phase")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 2cfb173cd0b2..4c016b49fe2b 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6277,7 +6277,7 @@ static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
+       call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
+ }
+-static void nf_tables_commit_chain_active(struct net *net, struct nft_chain *chain)
++static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
+ {
+       struct nft_rule **g0, **g1;
+       bool next_genbit;
+@@ -6363,11 +6363,8 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
+       /* step 2.  Make rules_gen_X visible to packet path */
+       list_for_each_entry(table, &net->nft.tables, list) {
+-              list_for_each_entry(chain, &table->chains, list) {
+-                      if (!nft_is_active_next(net, chain))
+-                              continue;
+-                      nf_tables_commit_chain_active(net, chain);
+-              }
++              list_for_each_entry(chain, &table->chains, list)
++                      nf_tables_commit_chain(net, chain);
+       }
+       /*
+-- 
+2.19.1
+
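Review bot: The loop in nf_tables_commit() now calls `nf_tables_commit_chain()` for chains that are no longer active in the next generation, but the function body is outside this hunk, so it cannot be confirmed from here that it copes with a chain whose next-generation rule array was never prepared. The commit message's requirement, that both generations end up identical for a chain that is going away, should be stated where the filter was removed, for example `/* include chains being deleted: rg[next] must match rg[cur] for lockless readers */`. Without that comment the dropped `nft_is_active_next()` test looks like an optimisation that someone may restore, which would bring back the freed-rules access described in the message.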
diff --git a/queue-4.19/netfilter-nf_tables-fix-use-after-free-when-deleting.patch b/queue-4.19/netfilter-nf_tables-fix-use-after-free-when-deleting.patch
new file mode 100644 (file)
index 0000000..85c7c46
--- /dev/null
@@ -0,0 +1,78 @@
+From 82a415c594681097758f4b096bc32592daad0c0e Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 12 Nov 2018 22:43:45 +0100
+Subject: netfilter: nf_tables: fix use-after-free when deleting compat
+ expressions
+
+[ Upstream commit 29e3880109e357fdc607b4393f8308cef6af9413 ]
+
+nft_compat ops do not have static storage duration, unlike all other
+expressions.
+
+When nf_tables_expr_destroy() returns, expr->ops might have been
+free'd already, so we need to store next address before calling
+expression destructor.
+
+For same reason, we can't deref match pointer after nft_xt_put().
+
+This can be easily reproduced by adding msleep() before
+nft_match_destroy() returns.
+
+Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
+Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 5 +++--
+ net/netfilter/nft_compat.c    | 3 ++-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 4c016b49fe2b..06ed55cef962 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2432,7 +2432,7 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk,
+ static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
+                                  struct nft_rule *rule)
+ {
+-      struct nft_expr *expr;
++      struct nft_expr *expr, *next;
+       lockdep_assert_held(&ctx->net->nft.commit_mutex);
+       /*
+@@ -2441,8 +2441,9 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
+        */
+       expr = nft_expr_first(rule);
+       while (expr != nft_expr_last(rule) && expr->ops) {
++              next = nft_expr_next(expr);
+               nf_tables_expr_destroy(ctx, expr);
+-              expr = nft_expr_next(expr);
++              expr = next;
+       }
+       kfree(rule);
+ }
+diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
+index ad2fe6a7e47d..29d6fc73caf9 100644
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -501,6 +501,7 @@ __nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr,
+                   void *info)
+ {
+       struct xt_match *match = expr->ops->data;
++      struct module *me = match->me;
+       struct xt_mtdtor_param par;
+       par.net = ctx->net;
+@@ -511,7 +512,7 @@ __nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr,
+               par.match->destroy(&par);
+       if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
+-              module_put(match->me);
++              module_put(me);
+ }
+ static void
+-- 
+2.19.1
+
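Review bot: `__nft_match_destroy()` now reads `match->me` before `nft_xt_put()`, but only the match destructor is touched in net/netfilter/nft_compat.c. If the target destructor in the same file also calls `module_put()` through a pointer read after `nft_xt_put()`, it has the same use-after-free and this patch does not cover it. That function is not visible here, so it needs checking against the tree. In nf_tables_rule_destroy() a short comment on the new line would keep the ordering from being simplified away later, e.g. `/* compat ops may be freed by the destructor; fetch next first */`.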
diff --git a/queue-4.19/netfilter-xt_hashlimit-fix-a-possible-memory-leak-in.patch b/queue-4.19/netfilter-xt_hashlimit-fix-a-possible-memory-leak-in.patch
new file mode 100644 (file)
index 0000000..0b08c41
--- /dev/null
@@ -0,0 +1,71 @@
+From ca7112daa7952aee536c62f215de77f95ad82fd0 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Fri, 16 Nov 2018 21:32:35 +0900
+Subject: netfilter: xt_hashlimit: fix a possible memory leak in
+ htable_create()
+
+[ Upstream commit b4e955e9f372035361fbc6f07b21fe2cc6a5be4a ]
+
+In the htable_create(), hinfo is allocated by vmalloc()
+So that if error occurred, hinfo should be freed.
+
+Fixes: 11d5f15723c9 ("netfilter: xt_hashlimit: Create revision 2 to support higher pps rates")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_hashlimit.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
+index 3e7d259e5d8d..1ad4017f9b73 100644
+--- a/net/netfilter/xt_hashlimit.c
++++ b/net/netfilter/xt_hashlimit.c
+@@ -295,9 +295,10 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg,
+       /* copy match config into hashtable config */
+       ret = cfg_copy(&hinfo->cfg, (void *)cfg, 3);
+-
+-      if (ret)
++      if (ret) {
++              vfree(hinfo);
+               return ret;
++      }
+       hinfo->cfg.size = size;
+       if (hinfo->cfg.max == 0)
+@@ -814,7 +815,6 @@ hashlimit_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
+       int ret;
+       ret = cfg_copy(&cfg, (void *)&info->cfg, 1);
+-
+       if (ret)
+               return ret;
+@@ -830,7 +830,6 @@ hashlimit_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
+       int ret;
+       ret = cfg_copy(&cfg, (void *)&info->cfg, 2);
+-
+       if (ret)
+               return ret;
+@@ -921,7 +920,6 @@ static int hashlimit_mt_check_v1(const struct xt_mtchk_param *par)
+               return ret;
+       ret = cfg_copy(&cfg, (void *)&info->cfg, 1);
+-
+       if (ret)
+               return ret;
+@@ -940,7 +938,6 @@ static int hashlimit_mt_check_v2(const struct xt_mtchk_param *par)
+               return ret;
+       ret = cfg_copy(&cfg, (void *)&info->cfg, 2);
+-
+       if (ret)
+               return ret;
+-- 
+2.19.1
+
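Review bot: The `vfree(hinfo)` added after `cfg_copy()` in htable_create() is the only functional change; the hunks in hashlimit_mt_v1(), hashlimit_mt_v2(), hashlimit_mt_check_v1() and hashlimit_mt_check_v2() only delete a blank line, which adds conflict surface to a stable backport without fixing anything. htable_create() continues outside the hunk, so any later failure return after the vmalloc() should be checked for the same leak. If there is more than one, a single cleanup label that does the `vfree(hinfo);` would keep them consistent.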
diff --git a/queue-4.19/netfilter-xt_rateest-remove-netns-exit-routine.patch b/queue-4.19/netfilter-xt_rateest-remove-netns-exit-routine.patch
new file mode 100644 (file)
index 0000000..c8d9604
--- /dev/null
@@ -0,0 +1,93 @@
+From 3dde7cc41b79a9cfe1f13b998f08805ac10aa8a3 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Fri, 19 Oct 2018 00:27:57 +0900
+Subject: netfilter: xt_RATEEST: remove netns exit routine
+
+[ Upstream commit 0fbcc5b568edab7d848b7c7fa66d44ffbd4133c0 ]
+
+xt_rateest_net_exit() was added to check whether rules are flushed
+successfully. but ->net_exit() callback is called earlier than
+->destroy() callback.
+So that ->net_exit() callback can't check that.
+
+test commands:
+   %ip netns add vm1
+   %ip netns exec vm1 iptables -t mangle -I PREROUTING -p udp \
+          --dport 1111 -j RATEEST --rateest-name ap \
+          --rateest-interval 250ms --rateest-ewma 0.5s
+   %ip netns del vm1
+
+splat looks like:
+[  668.813518] WARNING: CPU: 0 PID: 87 at net/netfilter/xt_RATEEST.c:210 xt_rateest_net_exit+0x210/0x340 [xt_RATEEST]
+[  668.813518] Modules linked in: xt_RATEEST xt_tcpudp iptable_mangle bpfilter ip_tables x_tables
+[  668.813518] CPU: 0 PID: 87 Comm: kworker/u4:2 Not tainted 4.19.0-rc7+ #21
+[  668.813518] Workqueue: netns cleanup_net
+[  668.813518] RIP: 0010:xt_rateest_net_exit+0x210/0x340 [xt_RATEEST]
+[  668.813518] Code: 00 48 8b 85 30 ff ff ff 4c 8b 23 80 38 00 0f 85 24 01 00 00 48 8b 85 30 ff ff ff 4d 85 e4 4c 89 a5 58 ff ff ff c6 00 f8 74 b2 <0f> 0b 48 83 c3 08 4c 39 f3 75 b0 48 b8 00 00 00 00 00 fc ff df 49
+[  668.813518] RSP: 0018:ffff8801156c73f8 EFLAGS: 00010282
+[  668.813518] RAX: ffffed0022ad8e85 RBX: ffff880118928e98 RCX: 5db8012a00000000
+[  668.813518] RDX: ffff8801156c7428 RSI: 00000000cb1d185f RDI: ffff880115663b74
+[  668.813518] RBP: ffff8801156c74d0 R08: ffff8801156633c0 R09: 1ffff100236440be
+[  668.813518] R10: 0000000000000001 R11: ffffed002367d852 R12: ffff880115142b08
+[  668.813518] R13: 1ffff10022ad8e81 R14: ffff880118928ea8 R15: dffffc0000000000
+[  668.813518] FS:  0000000000000000(0000) GS:ffff88011b200000(0000) knlGS:0000000000000000
+[  668.813518] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  668.813518] CR2: 0000563aa69f4f28 CR3: 0000000105a16000 CR4: 00000000001006f0
+[  668.813518] Call Trace:
+[  668.813518]  ? unregister_netdevice_many+0xe0/0xe0
+[  668.813518]  ? xt_rateest_net_init+0x2c0/0x2c0 [xt_RATEEST]
+[  668.813518]  ? default_device_exit+0x1ca/0x270
+[  668.813518]  ? remove_proc_entry+0x1cd/0x390
+[  668.813518]  ? dev_change_net_namespace+0xd00/0xd00
+[  668.813518]  ? __init_waitqueue_head+0x130/0x130
+[  668.813518]  ops_exit_list.isra.10+0x94/0x140
+[  668.813518]  cleanup_net+0x45b/0x900
+[  668.813518]  ? net_drop_ns+0x110/0x110
+[  668.813518]  ? swapgs_restore_regs_and_return_to_usermode+0x3c/0x80
+[  668.813518]  ? save_trace+0x300/0x300
+[  668.813518]  ? lock_acquire+0x196/0x470
+[  668.813518]  ? lock_acquire+0x196/0x470
+[  668.813518]  ? process_one_work+0xb60/0x1de0
+[  668.813518]  ? _raw_spin_unlock_irq+0x29/0x40
+[  668.813518]  ? _raw_spin_unlock_irq+0x29/0x40
+[  668.813518]  ? __lock_acquire+0x4500/0x4500
+[  668.813518]  ? __lock_is_held+0xb4/0x140
+[  668.813518]  process_one_work+0xc13/0x1de0
+[  668.813518]  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
+[  668.813518]  ? set_load_weight+0x270/0x270
+[ ... ]
+
+Fixes: 3427b2ab63fa ("netfilter: make xt_rateest hash table per net")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_RATEEST.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
+index dec843cadf46..9e05c86ba5c4 100644
+--- a/net/netfilter/xt_RATEEST.c
++++ b/net/netfilter/xt_RATEEST.c
+@@ -201,18 +201,8 @@ static __net_init int xt_rateest_net_init(struct net *net)
+       return 0;
+ }
+-static void __net_exit xt_rateest_net_exit(struct net *net)
+-{
+-      struct xt_rateest_net *xn = net_generic(net, xt_rateest_id);
+-      int i;
+-
+-      for (i = 0; i < ARRAY_SIZE(xn->hash); i++)
+-              WARN_ON_ONCE(!hlist_empty(&xn->hash[i]));
+-}
+-
+ static struct pernet_operations xt_rateest_net_ops = {
+       .init = xt_rateest_net_init,
+-      .exit = xt_rateest_net_exit,
+       .id   = &xt_rateest_id,
+       .size = sizeof(struct xt_rateest_net),
+ };
+-- 
+2.19.1
+
diff --git a/queue-4.19/nvme-flush-namespace-scanning-work-just-before-remov.patch b/queue-4.19/nvme-flush-namespace-scanning-work-just-before-remov.patch
new file mode 100644 (file)
index 0000000..8ed9e34
--- /dev/null
@@ -0,0 +1,53 @@
+From 49e07c35cddfdbb3dde6854c236a07ae7c7de30f Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Wed, 21 Nov 2018 15:17:37 -0800
+Subject: nvme: flush namespace scanning work just before removing namespaces
+
+[ Upstream commit f6c8e432cb0479255322c5d0335b9f1699a0270c ]
+
+nvme_stop_ctrl can be called also for reset flow and there is no need to
+flush the scan_work as namespaces are not being removed. This can cause
+deadlock in rdma, fc and loop drivers since nvme_stop_ctrl barriers
+before controller teardown (and specifically I/O cancellation of the
+scan_work itself) takes place, but the scan_work will be blocked anyways
+so there is no need to flush it.
+
+Instead, move scan_work flush to nvme_remove_namespaces() where it really
+needs to flush.
+
+Reported-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Reviewed by: James Smart <jsmart2021@gmail.com>
+Tested-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 0ba301f7e8b4..b7b2659e02fa 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3308,6 +3308,9 @@ void nvme_remove_namespaces(struct nvme_ctrl *ctrl)
+       struct nvme_ns *ns, *next;
+       LIST_HEAD(ns_list);
++      /* prevent racing with ns scanning */
++      flush_work(&ctrl->scan_work);
++
+       /*
+        * The dead states indicates the controller was not gracefully
+        * disconnected. In that case, we won't be able to flush any data while
+@@ -3463,7 +3466,6 @@ void nvme_stop_ctrl(struct nvme_ctrl *ctrl)
+       nvme_mpath_stop(ctrl);
+       nvme_stop_keep_alive(ctrl);
+       flush_work(&ctrl->async_event_work);
+-      flush_work(&ctrl->scan_work);
+       cancel_work_sync(&ctrl->fw_act_work);
+       if (ctrl->ops->stop_ctrl)
+               ctrl->ops->stop_ctrl(ctrl);
+-- 
+2.19.1
+
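Review bot: `flush_work(&ctrl->scan_work)` at the top of nvme_remove_namespaces() only waits for a scan that is already queued or running; nothing in this hunk stops scan_work from being queued again after the flush returns, so the comment `/* prevent racing with ns scanning */` claims more than the line does. If a controller state check elsewhere blocks re-queueing, the comment should say so, e.g. `/* wait for an in-flight scan; new scans are blocked by <state check, not shown here> */`. Otherwise a late scan could add namespaces while the list is being torn down below. The function body continues outside the hunk.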
diff --git a/queue-4.19/nvme-rdma-fix-double-freeing-of-async-event-data.patch b/queue-4.19/nvme-rdma-fix-double-freeing-of-async-event-data.patch
new file mode 100644 (file)
index 0000000..cd0a887
--- /dev/null
@@ -0,0 +1,43 @@
+From a9ff39294bd6e563df8c61d81a170d1e735fc5ad Mon Sep 17 00:00:00 2001
+From: Prabhath Sajeepa <psajeepa@purestorage.com>
+Date: Wed, 28 Nov 2018 11:11:29 -0700
+Subject: nvme-rdma: fix double freeing of async event data
+
+[ Upstream commit 6344d02dc8f886b6bbcd922ae1a17e4a41500f2d ]
+
+Some error paths in configuration of admin queue free data buffer
+associated with async request SQE without resetting the data buffer
+pointer to NULL, This buffer is also freed up again if the controller
+is shutdown or reset.
+
+Signed-off-by: Prabhath Sajeepa <psajeepa@purestorage.com>
+Reviewed-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/rdma.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
+index dc042017c293..b6a28de682e8 100644
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -184,6 +184,7 @@ static int nvme_rdma_alloc_qe(struct ib_device *ibdev, struct nvme_rdma_qe *qe,
+       qe->dma = ib_dma_map_single(ibdev, qe->data, capsule_size, dir);
+       if (ib_dma_mapping_error(ibdev, qe->dma)) {
+               kfree(qe->data);
++              qe->data = NULL;
+               return -ENOMEM;
+       }
+@@ -816,6 +817,7 @@ static int nvme_rdma_configure_admin_queue(struct nvme_rdma_ctrl *ctrl,
+ out_free_async_qe:
+       nvme_rdma_free_qe(ctrl->device->dev, &ctrl->async_event_sqe,
+               sizeof(struct nvme_command), DMA_TO_DEVICE);
++      ctrl->async_event_sqe.data = NULL;
+ out_free_queue:
+       nvme_rdma_free_queue(&ctrl->queues[0]);
+       return error;
+-- 
+2.19.1
+
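Review bot: Both added lines clear `data` at the point of failure rather than inside the free helper: `ctrl->async_event_sqe.data = NULL;` follows the `nvme_rdma_free_qe()` call under `out_free_async_qe`, so any other caller of that helper can still leave a dangling pointer behind. Putting `qe->data = NULL;` at the end of nvme_rdma_free_qe() itself (its body is not in this hunk) would cover every caller with one line. The later teardown path also has to test `data` before unmapping, because `kfree(NULL)` is harmless but a DMA unmap of a stale `qe->dma` is not; that path is outside the hunk and should be checked.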
diff --git a/queue-4.19/nvme-warn-when-finding-multi-port-subsystems-without.patch b/queue-4.19/nvme-warn-when-finding-multi-port-subsystems-without.patch
new file mode 100644 (file)
index 0000000..f67d586
--- /dev/null
@@ -0,0 +1,35 @@
+From 40e6bd729afb999a7de639f4ce456ce465c831da Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Tue, 20 Nov 2018 16:57:54 +0100
+Subject: nvme: warn when finding multi-port subsystems without multipathing
+ enabled
+
+[ Upstream commit 14a1336e6fff47dd1028b484d6c802105c58e2ee ]
+
+Without CONFIG_NVME_MULTIPATH enabled a multi-port subsystem might
+show up as invididual devices and cause problems, warn about it.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/nvme.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
+index bb4a2003c097..60220de2db52 100644
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -537,6 +537,9 @@ static inline void nvme_mpath_check_last_path(struct nvme_ns *ns)
+ static inline int nvme_mpath_init(struct nvme_ctrl *ctrl,
+               struct nvme_id_ctrl *id)
+ {
++      if (ctrl->subsys->cmic & (1 << 3))
++              dev_warn(ctrl->device,
++"Please enable CONFIG_NVME_MULTIPATH for full support of multi-port devices.\n");
+       return 0;
+ }
+ static inline void nvme_mpath_uninit(struct nvme_ctrl *ctrl)
+-- 
+2.19.1
+
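Review bot: `ctrl->subsys->cmic & (1 << 3)` in the stub nvme_mpath_init() tests a bare bit number while the message speaks of multi-port devices; as far as I recall the Identify Controller layout, CMIC bit 0 is the multi-port flag and bit 3 reports ANA support, so the condition and the wording may not describe the same capability. A named constant for that bit, or at least a comment such as `/* CMIC bit 3, see Identify Controller data */`, would make clear what triggers the warning. If nvme_mpath_init() runs on every controller reset, `dev_warn()` will also repeat each time, and a once-only variant would keep the log readable.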
diff --git a/queue-4.19/objtool-fix-double-free-in-.cold-detection-error-pat.patch b/queue-4.19/objtool-fix-double-free-in-.cold-detection-error-pat.patch
new file mode 100644 (file)
index 0000000..c331f1f
--- /dev/null
@@ -0,0 +1,42 @@
+From 361ce06ae59108c91e46920e37e6ca4562a33226 Mon Sep 17 00:00:00 2001
+From: Artem Savkov <asavkov@redhat.com>
+Date: Tue, 20 Nov 2018 11:52:15 -0600
+Subject: objtool: Fix double-free in .cold detection error path
+
+[ Upstream commit 0b9301fb632f7111a3293a30cc5b20f1b82ed08d ]
+
+If read_symbols() fails during second list traversal (the one dealing
+with ".cold" subfunctions) it frees the symbol, but never deletes it
+from the list/hash_table resulting in symbol being freed again in
+elf_close(). Fix it by just returning an error, leaving cleanup to
+elf_close().
+
+Signed-off-by: Artem Savkov <asavkov@redhat.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions")
+Link: http://lkml.kernel.org/r/beac5a9b7da9e8be90223459dcbe07766ae437dd.1542736240.git.jpoimboe@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/elf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
+index 7ec85d567598..a6f543e0b387 100644
+--- a/tools/objtool/elf.c
++++ b/tools/objtool/elf.c
+@@ -312,7 +312,7 @@ static int read_symbols(struct elf *elf)
+                       if (!pfunc) {
+                               WARN("%s(): can't find parent function",
+                                    sym->name);
+-                              goto err;
++                              return -1;
+                       }
+                       sym->pfunc = pfunc;
+-- 
+2.19.1
+
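Review bot: The new `return -1;` in the .cold traversal of read_symbols() is correct only because `sym` is already linked into the list and hash table and is freed by `elf_close()`, and nothing at the return site says so. A comment such as `/* sym is owned by the lists now; elf_close() frees it */` would stop a later cleanup from converting it back to `goto err`. The `err` label and the first traversal are outside this hunk, so any other `goto err` taken after a symbol has been inserted should be checked for the same double free.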
diff --git a/queue-4.19/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch b/queue-4.19/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch
new file mode 100644 (file)
index 0000000..2d730a2
--- /dev/null
@@ -0,0 +1,76 @@
+From 566e76d72bdcab5db30086354c24f6e95ca8839d Mon Sep 17 00:00:00 2001
+From: Artem Savkov <asavkov@redhat.com>
+Date: Tue, 20 Nov 2018 11:52:16 -0600
+Subject: objtool: Fix segfault in .cold detection with -ffunction-sections
+
+[ Upstream commit 22566c1603030f0a036ad564634b064ad1a55db2 ]
+
+Because find_symbol_by_name() traverses the same lists as
+read_symbols(), changing sym->name in place without copying it affects
+the result of find_symbol_by_name().  In the case where a ".cold"
+function precedes its parent in sec->symbol_list, it can result in a
+function being considered a parent of itself. This leads to function
+length being set to 0 and other consequent side-effects including a
+segfault in add_switch_table().  The effects of this bug are only
+visible when building with -ffunction-sections in KCFLAGS.
+
+Fix by copying the search string instead of modifying it in place.
+
+Signed-off-by: Artem Savkov <asavkov@redhat.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions")
+Link: http://lkml.kernel.org/r/910abd6b5a4945130fd44f787c24e07b9e07c8da.1542736240.git.jpoimboe@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/elf.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
+index a6f543e0b387..b75d004f6482 100644
+--- a/tools/objtool/elf.c
++++ b/tools/objtool/elf.c
+@@ -31,6 +31,8 @@
+ #include "elf.h"
+ #include "warn.h"
++#define MAX_NAME_LEN 128
++
+ struct section *find_section_by_name(struct elf *elf, const char *name)
+ {
+       struct section *sec;
+@@ -298,6 +300,8 @@ static int read_symbols(struct elf *elf)
+       /* Create parent/child links for any cold subfunctions */
+       list_for_each_entry(sec, &elf->sections, list) {
+               list_for_each_entry(sym, &sec->symbol_list, list) {
++                      char pname[MAX_NAME_LEN + 1];
++                      size_t pnamelen;
+                       if (sym->type != STT_FUNC)
+                               continue;
+                       sym->pfunc = sym->cfunc = sym;
+@@ -305,9 +309,16 @@ static int read_symbols(struct elf *elf)
+                       if (!coldstr)
+                               continue;
+-                      coldstr[0] = '\0';
+-                      pfunc = find_symbol_by_name(elf, sym->name);
+-                      coldstr[0] = '.';
++                      pnamelen = coldstr - sym->name;
++                      if (pnamelen > MAX_NAME_LEN) {
++                              WARN("%s(): parent function name exceeds maximum length of %d characters",
++                                   sym->name, MAX_NAME_LEN);
++                              return -1;
++                      }
++
++                      strncpy(pname, sym->name, pnamelen);
++                      pname[pnamelen] = '\0';
++                      pfunc = find_symbol_by_name(elf, pname);
+                       if (!pfunc) {
+                               WARN("%s(): can't find parent function",
+-- 
+2.19.1
+
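Review bot: The new `MAX_NAME_LEN` check makes read_symbols() return -1 for any `.cold` symbol whose parent name is longer than 128 bytes, so a long but valid function name now fails the whole object file instead of being handled. Since the length is already computed, allocating the copy would avoid the fixed limit; at minimum the limit and its consequence should be documented next to `#define MAX_NAME_LEN 128`. The copy itself is bounded correctly (`pname` holds `MAX_NAME_LEN + 1` bytes), but `strncpy(pname, sym->name, pnamelen);` is really a fixed-length copy and reads more clearly as `memcpy(pname, sym->name, pnamelen);`. read_symbols() continues outside the hunk.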
diff --git a/queue-4.19/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch b/queue-4.19/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch
new file mode 100644 (file)
index 0000000..5e20768
--- /dev/null
@@ -0,0 +1,147 @@
+From 30bb0e1b2db63dcaae21c43cccd57ce7ab9a0675 Mon Sep 17 00:00:00 2001
+From: Larry Chen <lchen@suse.com>
+Date: Fri, 30 Nov 2018 14:08:56 -0800
+Subject: ocfs2: fix deadlock caused by ocfs2_defrag_extent()
+
+[ Upstream commit e21e57445a64598b29a6f629688f9b9a39e7242a ]
+
+ocfs2_defrag_extent may fall into deadlock.
+
+ocfs2_ioctl_move_extents
+    ocfs2_ioctl_move_extents
+      ocfs2_move_extents
+        ocfs2_defrag_extent
+          ocfs2_lock_allocators_move_extents
+
+            ocfs2_reserve_clusters
+              inode_lock GLOBAL_BITMAP_SYSTEM_INODE
+
+         __ocfs2_flush_truncate_log
+              inode_lock GLOBAL_BITMAP_SYSTEM_INODE
+
+As backtrace shows above, ocfs2_reserve_clusters() will call inode_lock
+against the global bitmap if local allocator has not sufficient cluters.
+Once global bitmap could meet the demand, ocfs2_reserve_cluster will
+return success with global bitmap locked.
+
+After ocfs2_reserve_cluster(), if truncate log is full,
+__ocfs2_flush_truncate_log() will definitely fall into deadlock because
+it needs to inode_lock global bitmap, which has already been locked.
+
+To fix this bug, we could remove from
+ocfs2_lock_allocators_move_extents() the code which intends to lock
+global allocator, and put the removed code after
+__ocfs2_flush_truncate_log().
+
+ocfs2_lock_allocators_move_extents() is referred by 2 places, one is
+here, the other does not need the data allocator context, which means
+this patch does not affect the caller so far.
+
+Link: http://lkml.kernel.org/r/20181101071422.14470-1-lchen@suse.com
+Signed-off-by: Larry Chen <lchen@suse.com>
+Reviewed-by: Changwei Ge <ge.changwei@h3c.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/move_extents.c | 47 +++++++++++++++++++++++------------------
+ 1 file changed, 26 insertions(+), 21 deletions(-)
+
+diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
+index 7eb3b0a6347e..f55f82ca3425 100644
+--- a/fs/ocfs2/move_extents.c
++++ b/fs/ocfs2/move_extents.c
+@@ -156,18 +156,14 @@ static int __ocfs2_move_extent(handle_t *handle,
+ }
+ /*
+- * lock allocators, and reserving appropriate number of bits for
+- * meta blocks and data clusters.
+- *
+- * in some cases, we don't need to reserve clusters, just let data_ac
+- * be NULL.
++ * lock allocator, and reserve appropriate number of bits for
++ * meta blocks.
+  */
+-static int ocfs2_lock_allocators_move_extents(struct inode *inode,
++static int ocfs2_lock_meta_allocator_move_extents(struct inode *inode,
+                                       struct ocfs2_extent_tree *et,
+                                       u32 clusters_to_move,
+                                       u32 extents_to_split,
+                                       struct ocfs2_alloc_context **meta_ac,
+-                                      struct ocfs2_alloc_context **data_ac,
+                                       int extra_blocks,
+                                       int *credits)
+ {
+@@ -192,13 +188,6 @@ static int ocfs2_lock_allocators_move_extents(struct inode *inode,
+               goto out;
+       }
+-      if (data_ac) {
+-              ret = ocfs2_reserve_clusters(osb, clusters_to_move, data_ac);
+-              if (ret) {
+-                      mlog_errno(ret);
+-                      goto out;
+-              }
+-      }
+       *credits += ocfs2_calc_extend_credits(osb->sb, et->et_root_el);
+@@ -257,10 +246,10 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context,
+               }
+       }
+-      ret = ocfs2_lock_allocators_move_extents(inode, &context->et, *len, 1,
+-                                               &context->meta_ac,
+-                                               &context->data_ac,
+-                                               extra_blocks, &credits);
++      ret = ocfs2_lock_meta_allocator_move_extents(inode, &context->et,
++                                              *len, 1,
++                                              &context->meta_ac,
++                                              extra_blocks, &credits);
+       if (ret) {
+               mlog_errno(ret);
+               goto out;
+@@ -283,6 +272,21 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context,
+               }
+       }
++      /*
++       * Make sure ocfs2_reserve_cluster is called after
++       * __ocfs2_flush_truncate_log, otherwise, dead lock may happen.
++       *
++       * If ocfs2_reserve_cluster is called
++       * before __ocfs2_flush_truncate_log, dead lock on global bitmap
++       * may happen.
++       *
++       */
++      ret = ocfs2_reserve_clusters(osb, *len, &context->data_ac);
++      if (ret) {
++              mlog_errno(ret);
++              goto out_unlock_mutex;
++      }
++
+       handle = ocfs2_start_trans(osb, credits);
+       if (IS_ERR(handle)) {
+               ret = PTR_ERR(handle);
+@@ -600,9 +604,10 @@ static int ocfs2_move_extent(struct ocfs2_move_extents_context *context,
+               }
+       }
+-      ret = ocfs2_lock_allocators_move_extents(inode, &context->et, len, 1,
+-                                               &context->meta_ac,
+-                                               NULL, extra_blocks, &credits);
++      ret = ocfs2_lock_meta_allocator_move_extents(inode, &context->et,
++                                              len, 1,
++                                              &context->meta_ac,
++                                              extra_blocks, &credits);
+       if (ret) {
+               mlog_errno(ret);
+               goto out;
+-- 
+2.19.1
+
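Review bot: The comment added before `ocfs2_reserve_clusters()` in ocfs2_defrag_extent() states the same ordering rule twice and names `ocfs2_reserve_cluster`, which does not match the function called on the next line. One sentence is enough: `/* Reserve clusters only after __ocfs2_flush_truncate_log(); both lock the global bitmap inode. */`. The failure path jumps to `out_unlock_mutex`, a label outside this hunk, so it should be confirmed that it releases whatever lock is held around the flush and that `context->data_ac` is still freed by the caller on that path.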
diff --git a/queue-4.19/ocfs2-fix-potential-use-after-free.patch b/queue-4.19/ocfs2-fix-potential-use-after-free.patch
new file mode 100644 (file)
index 0000000..246511b
--- /dev/null
@@ -0,0 +1,47 @@
+From 38a1e411bb4791ccf2a2873e949a7777107ed11e Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 30 Nov 2018 14:10:54 -0800
+Subject: ocfs2: fix potential use after free
+
+[ Upstream commit 164f7e586739d07eb56af6f6d66acebb11f315c8 ]
+
+ocfs2_get_dentry() calls iput(inode) to drop the reference count of
+inode, and if the reference count hits 0, inode is freed.  However, in
+this function, it then reads inode->i_generation, which may result in a
+use after free bug.  Move the put operation later.
+
+Link: http://lkml.kernel.org/r/1543109237-110227-1-git-send-email-bianpan2016@163.com
+Fixes: 781f200cb7a("ocfs2: Remove masklog ML_EXPORT.")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <ge.changwei@h3c.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/export.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/export.c b/fs/ocfs2/export.c
+index 9f88188060db..4bf8d5854b27 100644
+--- a/fs/ocfs2/export.c
++++ b/fs/ocfs2/export.c
+@@ -125,10 +125,10 @@ static struct dentry *ocfs2_get_dentry(struct super_block *sb,
+ check_gen:
+       if (handle->ih_generation != inode->i_generation) {
+-              iput(inode);
+               trace_ocfs2_get_dentry_generation((unsigned long long)blkno,
+                                                 handle->ih_generation,
+                                                 inode->i_generation);
++              iput(inode);
+               result = ERR_PTR(-ESTALE);
+               goto bail;
+       }
+-- 
+2.19.1
+
diff --git a/queue-4.19/pci-imx6-fix-link-training-status-detection-in-link-.patch b/queue-4.19/pci-imx6-fix-link-training-status-detection-in-link-.patch
new file mode 100644 (file)
index 0000000..30deaff
--- /dev/null
@@ -0,0 +1,89 @@
+From fd803c2b7c2d8e6eae715337960803d44649f3f9 Mon Sep 17 00:00:00 2001
+From: Trent Piepho <tpiepho@impinj.com>
+Date: Mon, 5 Nov 2018 18:11:36 +0000
+Subject: PCI: imx6: Fix link training status detection in link up check
+
+[ Upstream commit 68bc10bf992180f269816ff3d22eb30383138577 ]
+
+This bug was introduced in the interaction for two commits on either
+branch of the merge commit 562df5c8521e ("Merge branch
+'pci/host-designware' into next").
+
+Commit 4d107d3b5a68 ("PCI: imx6: Move link up check into
+imx6_pcie_wait_for_link()"), changed imx6_pcie_wait_for_link() to poll
+the link status register directly, checking for link up and not
+training, and made imx6_pcie_link_up() only check the link up bit (once,
+not a polling loop).
+
+While commit 886bc5ceb5cc ("PCI: designware: Add generic
+dw_pcie_wait_for_link()"), replaced the loop in
+imx6_pcie_wait_for_link() with a call to a new dwc core function, which
+polled imx6_pcie_link_up(), which still checked both link up and not
+training in a loop.
+
+When these two commits were merged, the version of
+imx6_pcie_wait_for_link() from 886bc5ceb5cc was kept, which eliminated
+the link training check placed there by 4d107d3b5a68. However, the
+version of imx6_pcie_link_up() from 4d107d3b5a68 was kept, which
+eliminated the link training check that had been there and was moved to
+imx6_pcie_wait_for_link().
+
+The result was the link training check got lost for the imx6 driver.
+
+Eliminate imx6_pcie_link_up() so that the default handler,
+dw_pcie_link_up(), is used instead. The default handler has the correct
+code, which checks for link up and also that it still is not training,
+fixing the regression.
+
+Fixes: 562df5c8521e ("Merge branch 'pci/host-designware' into next")
+Signed-off-by: Trent Piepho <tpiepho@impinj.com>
+[lorenzo.pieralisi@arm.com: rewrote the commit log]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Lucas Stach <l.stach@pengutronix.de>
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Joao Pinto <Joao.Pinto@synopsys.com>
+Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: Richard Zhu <hongxing.zhu@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pci-imx6.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c
+index 4a9a673b4777..975050a69494 100644
+--- a/drivers/pci/controller/dwc/pci-imx6.c
++++ b/drivers/pci/controller/dwc/pci-imx6.c
+@@ -80,8 +80,6 @@ struct imx6_pcie {
+ #define PCIE_PL_PFLR_FORCE_LINK                       (1 << 15)
+ #define PCIE_PHY_DEBUG_R0 (PL_OFFSET + 0x28)
+ #define PCIE_PHY_DEBUG_R1 (PL_OFFSET + 0x2c)
+-#define PCIE_PHY_DEBUG_R1_XMLH_LINK_IN_TRAINING       (1 << 29)
+-#define PCIE_PHY_DEBUG_R1_XMLH_LINK_UP                (1 << 4)
+ #define PCIE_PHY_CTRL (PL_OFFSET + 0x114)
+ #define PCIE_PHY_CTRL_DATA_LOC 0
+@@ -641,12 +639,6 @@ static int imx6_pcie_host_init(struct pcie_port *pp)
+       return 0;
+ }
+-static int imx6_pcie_link_up(struct dw_pcie *pci)
+-{
+-      return dw_pcie_readl_dbi(pci, PCIE_PHY_DEBUG_R1) &
+-                      PCIE_PHY_DEBUG_R1_XMLH_LINK_UP;
+-}
+-
+ static const struct dw_pcie_host_ops imx6_pcie_host_ops = {
+       .host_init = imx6_pcie_host_init,
+ };
+@@ -679,7 +671,7 @@ static int imx6_add_pcie_port(struct imx6_pcie *imx6_pcie,
+ }
+ static const struct dw_pcie_ops dw_pcie_ops = {
+-      .link_up = imx6_pcie_link_up,
++      /* No special ops needed, but pcie-designware still expects this struct */
+ };
+ static int imx6_pcie_probe(struct platform_device *pdev)
+-- 
+2.19.1
+
diff --git a/queue-4.19/perf-tools-fix-crash-on-synthesizing-the-unit.patch b/queue-4.19/perf-tools-fix-crash-on-synthesizing-the-unit.patch
new file mode 100644 (file)
index 0000000..f366d53
--- /dev/null
@@ -0,0 +1,73 @@
+From 64c752af476f0cfe9d694a6e1727081aee31bef8 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Mon, 12 Nov 2018 14:00:12 +0100
+Subject: perf tools: Fix crash on synthesizing the unit
+
+[ Upstream commit fb50c09e923870a358d68b0d58891bd145b8d7c7 ]
+
+Adam reported a record command crash for simple session like:
+
+  $ perf record -e cpu-clock ls
+
+with following backtrace:
+
+  Program received signal SIGSEGV, Segmentation fault.
+  3543            ev = event_update_event__new(size + 1, PERF_EVENT_UPDATE__UNIT, evsel->id[0]);
+  (gdb) bt
+  #0  perf_event__synthesize_event_update_unit
+  #1  0x000000000051e469 in perf_event__synthesize_extra_attr
+  #2  0x00000000004445cb in record__synthesize
+  #3  0x0000000000444bc5 in __cmd_record
+  ...
+
+We synthesize an update event that needs to touch the evsel id array,
+which is not defined at that time. Fix this by forcing the id allocation
+for events with their unit defined.
+
+Reflecting possible read_format ID bit in the attr tests.
+
+Reported-by: Yongxin Liu <yongxin.liu@outlook.com>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Adam Lee <leeadamrobert@gmail.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201477
+Fixes: bfd8f72c2778 ("perf record: Synthesize unit/scale/... in event update")
+Link: http://lkml.kernel.org/r/20181112130012.5424-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/attr/base-record | 2 +-
+ tools/perf/util/evsel.c           | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/tests/attr/base-record b/tools/perf/tests/attr/base-record
+index 37940665f736..efd0157b9d22 100644
+--- a/tools/perf/tests/attr/base-record
++++ b/tools/perf/tests/attr/base-record
+@@ -9,7 +9,7 @@ size=112
+ config=0
+ sample_period=*
+ sample_type=263
+-read_format=0
++read_format=0|4
+ disabled=1
+ inherit=1
+ pinned=0
+diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
+index 03a72310315f..e7dbdcc8d465 100644
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -1088,7 +1088,7 @@ void perf_evsel__config(struct perf_evsel *evsel, struct record_opts *opts,
+               attr->exclude_user   = 1;
+       }
+-      if (evsel->own_cpus)
++      if (evsel->own_cpus || evsel->unit)
+               evsel->attr.read_format |= PERF_FORMAT_ID;
+       /*
+-- 
+2.19.1
+
diff --git a/queue-4.19/perf-tools-restore-proper-cwd-on-return-from-mnt-nam.patch b/queue-4.19/perf-tools-restore-proper-cwd-on-return-from-mnt-nam.patch
new file mode 100644 (file)
index 0000000..a4ebbfb
--- /dev/null
@@ -0,0 +1,129 @@
+From 74ee76b3b9c5cde20a9850ee5401e98bac71bef7 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Thu, 1 Nov 2018 18:00:01 +0100
+Subject: perf tools: Restore proper cwd on return from mnt namespace
+
+[ Upstream commit b01c1f69c8660eaeab7d365cd570103c5c073a02 ]
+
+When reporting on 'record' server we try to retrieve/use the mnt
+namespace of the profiled tasks. We use following API with cookie to
+hold the return namespace, roughly:
+
+  nsinfo__mountns_enter(struct nsinfo *nsi, struct nscookie *nc)
+    setns(newns, 0);
+  ...
+  new ns related open..
+  ...
+  nsinfo__mountns_exit(struct nscookie *nc)
+    setns(nc->oldns)
+
+Once finished we setns to old namespace, which also sets the current
+working directory (cwd) to "/", trashing the cwd we had.
+
+This is mostly fine, because we use absolute paths almost everywhere,
+but it screws up 'perf diff':
+
+  # perf diff
+  failed to open perf.data: No such file or directory  (try 'perf record' first)
+  ...
+
+Adding the current working directory to be part of the cookie and
+restoring it in the nsinfo__mountns_exit call.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Krister Johansen <kjlx@templeofstupid.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Fixes: 843ff37bb59e ("perf symbols: Find symbols in different mount namespace")
+Link: http://lkml.kernel.org/r/20181101170001.30019-1-jolsa@kernel.org
+[ No need to check for NULL args for free(), use zfree() for struct members ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/namespaces.c | 17 +++++++++++++++--
+ tools/perf/util/namespaces.h |  1 +
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/namespaces.c b/tools/perf/util/namespaces.c
+index cf8bd123cf73..aed170bd4384 100644
+--- a/tools/perf/util/namespaces.c
++++ b/tools/perf/util/namespaces.c
+@@ -18,6 +18,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <asm/bug.h>
+ struct namespaces *namespaces__new(struct namespaces_event *event)
+ {
+@@ -186,6 +187,7 @@ void nsinfo__mountns_enter(struct nsinfo *nsi,
+       char curpath[PATH_MAX];
+       int oldns = -1;
+       int newns = -1;
++      char *oldcwd = NULL;
+       if (nc == NULL)
+               return;
+@@ -199,9 +201,13 @@ void nsinfo__mountns_enter(struct nsinfo *nsi,
+       if (snprintf(curpath, PATH_MAX, "/proc/self/ns/mnt") >= PATH_MAX)
+               return;
++      oldcwd = get_current_dir_name();
++      if (!oldcwd)
++              return;
++
+       oldns = open(curpath, O_RDONLY);
+       if (oldns < 0)
+-              return;
++              goto errout;
+       newns = open(nsi->mntns_path, O_RDONLY);
+       if (newns < 0)
+@@ -210,11 +216,13 @@ void nsinfo__mountns_enter(struct nsinfo *nsi,
+       if (setns(newns, CLONE_NEWNS) < 0)
+               goto errout;
++      nc->oldcwd = oldcwd;
+       nc->oldns = oldns;
+       nc->newns = newns;
+       return;
+ errout:
++      free(oldcwd);
+       if (oldns > -1)
+               close(oldns);
+       if (newns > -1)
+@@ -223,11 +231,16 @@ void nsinfo__mountns_enter(struct nsinfo *nsi,
+ void nsinfo__mountns_exit(struct nscookie *nc)
+ {
+-      if (nc == NULL || nc->oldns == -1 || nc->newns == -1)
++      if (nc == NULL || nc->oldns == -1 || nc->newns == -1 || !nc->oldcwd)
+               return;
+       setns(nc->oldns, CLONE_NEWNS);
++      if (nc->oldcwd) {
++              WARN_ON_ONCE(chdir(nc->oldcwd));
++              zfree(&nc->oldcwd);
++      }
++
+       if (nc->oldns > -1) {
+               close(nc->oldns);
+               nc->oldns = -1;
+diff --git a/tools/perf/util/namespaces.h b/tools/perf/util/namespaces.h
+index cae1a9a39722..d5f46c09ea31 100644
+--- a/tools/perf/util/namespaces.h
++++ b/tools/perf/util/namespaces.h
+@@ -38,6 +38,7 @@ struct nsinfo {
+ struct nscookie {
+       int                     oldns;
+       int                     newns;
++      char                    *oldcwd;
+ };
+ int nsinfo__init(struct nsinfo *nsi);
+-- 
+2.19.1
+
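Review bot: In nsinfo__mountns_exit() the added `chdir(nc->oldcwd)` runs whether or not the preceding `setns(nc->oldns, CLONE_NEWNS)` succeeded, because that call's return value is still ignored. If the switch back fails, the saved path is resolved inside the profiled task's mount namespace, so perf could land in an unrelated directory that happens to have the same name. Checking the result, for example `if (setns(nc->oldns, CLONE_NEWNS) == 0)` around the chdir while still releasing `oldcwd`, would avoid that. The inner `if (nc->oldcwd)` is also redundant, since the guard at the top of the function already returns when `nc->oldcwd` is NULL. nsinfo__mountns_exit() continues past the end of its hunk.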
diff --git a/queue-4.19/phy-qcom-qusb2-fix-hstx_trim-tuning-with-fused-value.patch b/queue-4.19/phy-qcom-qusb2-fix-hstx_trim-tuning-with-fused-value.patch
new file mode 100644 (file)
index 0000000..03762d0
--- /dev/null
@@ -0,0 +1,37 @@
+From 034b52121d2df30df87b4f8fc1056b2ccd13dfec Mon Sep 17 00:00:00 2001
+From: Manu Gautam <mgautam@codeaurora.org>
+Date: Tue, 16 Oct 2018 12:52:07 +0530
+Subject: phy: qcom-qusb2: Fix HSTX_TRIM tuning with fused value for SDM845
+
+[ Upstream commit c88520db18ba0b9a41326c3b8680e7c09eb4c381 ]
+
+Tune1 register on sdm845 is used to update HSTX_TRIM with fused
+setting. Enable same by specifying update_tune1_with_efuse flag
+for sdm845, otherwise driver ends up programming tune2 register.
+
+Fixes: ef17f6e212ca ("phy: qcom-qusb2: Add QUSB2 PHYs support for sdm845")
+Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Acked-by: Vivek Gautam <vivek.gautam@codeaurora.org>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qusb2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+index 9d6c88064158..69c92843eb3b 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+@@ -231,6 +231,7 @@ static const struct qusb2_phy_cfg sdm845_phy_cfg = {
+       .mask_core_ready = CORE_READY_STATUS,
+       .has_pll_override = true,
+       .autoresume_en    = BIT(0),
++      .update_tune1_with_efuse = true,
+ };
+ static const char * const qusb2_phy_vreg_names[] = {
+-- 
+2.19.1
+
diff --git a/queue-4.19/phy-qcom-qusb2-use-hstx_trim-fused-value-as-is.patch b/queue-4.19/phy-qcom-qusb2-use-hstx_trim-fused-value-as-is.patch
new file mode 100644 (file)
index 0000000..3bcfade
--- /dev/null
@@ -0,0 +1,63 @@
+From 0897707f8a0d1dfb2246258956a198042c91d7a0 Mon Sep 17 00:00:00 2001
+From: Manu Gautam <mgautam@codeaurora.org>
+Date: Tue, 16 Oct 2018 12:52:06 +0530
+Subject: phy: qcom-qusb2: Use HSTX_TRIM fused value as is
+
+[ Upstream commit 6e34d358b24ffc40764eb3681164c79091765429 ]
+
+Fix HSTX_TRIM tuning logic which instead of using fused value
+as HSTX_TRIM, incorrectly performs bitwise OR operation with
+existing default value.
+
+Fixes: ca04d9d3e1b1 ("phy: qcom-qusb2: New driver for QUSB2 PHY on Qcom chips")
+Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Acked-by: Vivek Gautam <vivek.gautam@codeaurora.org>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qusb2.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+index e70e425f26f5..9d6c88064158 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+@@ -402,10 +402,10 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy)
+       /*
+        * Read efuse register having TUNE2/1 parameter's high nibble.
+-       * If efuse register shows value as 0x0, or if we fail to find
+-       * a valid efuse register settings, then use default value
+-       * as 0xB for high nibble that we have already set while
+-       * configuring phy.
++       * If efuse register shows value as 0x0 (indicating value is not
++       * fused), or if we fail to find a valid efuse register setting,
++       * then use default value for high nibble that we have already
++       * set while configuring the phy.
+        */
+       val = nvmem_cell_read(qphy->cell, NULL);
+       if (IS_ERR(val) || !val[0]) {
+@@ -415,12 +415,13 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy)
+       /* Fused TUNE1/2 value is the higher nibble only */
+       if (cfg->update_tune1_with_efuse)
+-              qusb2_setbits(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE1],
+-                            val[0] << 0x4);
++              qusb2_write_mask(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE1],
++                               val[0] << HSTX_TRIM_SHIFT,
++                               HSTX_TRIM_MASK);
+       else
+-              qusb2_setbits(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE2],
+-                            val[0] << 0x4);
+-
++              qusb2_write_mask(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE2],
++                               val[0] << HSTX_TRIM_SHIFT,
++                               HSTX_TRIM_MASK);
+ }
+ static int qusb2_phy_set_mode(struct phy *phy, enum phy_mode mode)
+-- 
+2.19.1
+
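Review bot: The buffer returned by `nvmem_cell_read()` is never released in qusb2_phy_set_tune2_param(): after the new `qusb2_write_mask()` calls the function ends without a `kfree(val)`. nvmem_cell_read() returns an allocated copy of the cell that the consumer is expected to free, so each call leaks it. Adding `kfree(val);` after the if/else would close that. The lines between the two hunks are not shown, so whether the early-return path for an unfused value has the same gap cannot be judged from here.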
diff --git a/queue-4.19/proc-fixup-map_files-test-on-arm.patch b/queue-4.19/proc-fixup-map_files-test-on-arm.patch
new file mode 100644 (file)
index 0000000..48d3bf1
--- /dev/null
@@ -0,0 +1,62 @@
+From 3fcb9164e8f24281fd5d0a57b1d01af1a0a8ba1c Mon Sep 17 00:00:00 2001
+From: Alexey Dobriyan <adobriyan@gmail.com>
+Date: Fri, 30 Nov 2018 14:09:53 -0800
+Subject: proc: fixup map_files test on arm
+
+[ Upstream commit dbd4af54745fc0c805217693c807a3928b2d408b ]
+
+https://bugs.linaro.org/show_bug.cgi?id=3782
+
+Turns out arm doesn't permit mapping address 0, so try minimum virtual
+address instead.
+
+Link: http://lkml.kernel.org/r/20181113165446.GA28157@avx2
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Reported-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
+Tested-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
+Acked-by: Cyrill Gorcunov <gorcunov@gmail.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/proc/proc-self-map-files-002.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/proc/proc-self-map-files-002.c b/tools/testing/selftests/proc/proc-self-map-files-002.c
+index 6f1f4a6e1ecb..85744425b08d 100644
+--- a/tools/testing/selftests/proc/proc-self-map-files-002.c
++++ b/tools/testing/selftests/proc/proc-self-map-files-002.c
+@@ -13,7 +13,7 @@
+  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+  */
+-/* Test readlink /proc/self/map_files/... with address 0. */
++/* Test readlink /proc/self/map_files/... with minimum address. */
+ #include <errno.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+@@ -47,6 +47,11 @@ static void fail(const char *fmt, unsigned long a, unsigned long b)
+ int main(void)
+ {
+       const unsigned int PAGE_SIZE = sysconf(_SC_PAGESIZE);
++#ifdef __arm__
++      unsigned long va = 2 * PAGE_SIZE;
++#else
++      unsigned long va = 0;
++#endif
+       void *p;
+       int fd;
+       unsigned long a, b;
+@@ -55,7 +60,7 @@ int main(void)
+       if (fd == -1)
+               return 1;
+-      p = mmap(NULL, PAGE_SIZE, PROT_NONE, MAP_PRIVATE|MAP_FILE|MAP_FIXED, fd, 0);
++      p = mmap((void *)va, PAGE_SIZE, PROT_NONE, MAP_PRIVATE|MAP_FILE|MAP_FIXED, fd, 0);
+       if (p == MAP_FAILED) {
+               if (errno == EPERM)
+                       return 2;
+-- 
+2.19.1
+
diff --git a/queue-4.19/pstore-ram-correctly-calculate-usable-prz-bytes.patch b/queue-4.19/pstore-ram-correctly-calculate-usable-prz-bytes.patch
new file mode 100644 (file)
index 0000000..dd0be01
--- /dev/null
@@ -0,0 +1,80 @@
+From a08ea45cb45835fc3734198af3a9a0cd4ff1824c Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 1 Nov 2018 16:17:22 -0700
+Subject: pstore/ram: Correctly calculate usable PRZ bytes
+
+[ Upstream commit 89d328f637b9904b6d4c9af73c8a608b8dd4d6f8 ]
+
+The actual number of bytes stored in a PRZ is smaller than the
+bytes requested by platform data, since there is a header on each
+PRZ. Additionally, if ECC is enabled, there are trailing bytes used
+as well. Normally this mismatch doesn't matter since PRZs are circular
+buffers and the leading "overflow" bytes are just thrown away. However, in
+the case of a compressed record, this rather badly corrupts the results.
+
+This corruption was visible with "ramoops.mem_size=204800 ramoops.ecc=1".
+Any stored crashes would not be uncompressable (producing a pstorefs
+"dmesg-*.enc.z" file), and triggering errors at boot:
+
+  [    2.790759] pstore: crypto_comp_decompress failed, ret = -22!
+
+Backporting this depends on commit 70ad35db3321 ("pstore: Convert console
+write to use ->write_buf")
+
+Reported-by: Joel Fernandes <joel@joelfernandes.org>
+Fixes: b0aad7a99c1d ("pstore: Add compression support to pstore")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/pstore/ram.c        | 15 ++++++---------
+ include/linux/pstore.h |  5 ++++-
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c
+index f4fd2e72add4..03cd59375abe 100644
+--- a/fs/pstore/ram.c
++++ b/fs/pstore/ram.c
+@@ -806,17 +806,14 @@ static int ramoops_probe(struct platform_device *pdev)
+       cxt->pstore.data = cxt;
+       /*
+-       * Console can handle any buffer size, so prefer LOG_LINE_MAX. If we
+-       * have to handle dumps, we must have at least record_size buffer. And
+-       * for ftrace, bufsize is irrelevant (if bufsize is 0, buf will be
+-       * ZERO_SIZE_PTR).
++       * Since bufsize is only used for dmesg crash dumps, it
++       * must match the size of the dprz record (after PRZ header
++       * and ECC bytes have been accounted for).
+        */
+-      if (cxt->console_size)
+-              cxt->pstore.bufsize = 1024; /* LOG_LINE_MAX */
+-      cxt->pstore.bufsize = max(cxt->record_size, cxt->pstore.bufsize);
+-      cxt->pstore.buf = kmalloc(cxt->pstore.bufsize, GFP_KERNEL);
++      cxt->pstore.bufsize = cxt->dprzs[0]->buffer_size;
++      cxt->pstore.buf = kzalloc(cxt->pstore.bufsize, GFP_KERNEL);
+       if (!cxt->pstore.buf) {
+-              pr_err("cannot allocate pstore buffer\n");
++              pr_err("cannot allocate pstore crash dump buffer\n");
+               err = -ENOMEM;
+               goto fail_clear;
+       }
+diff --git a/include/linux/pstore.h b/include/linux/pstore.h
+index a15bc4d48752..30fcec375a3a 100644
+--- a/include/linux/pstore.h
++++ b/include/linux/pstore.h
+@@ -90,7 +90,10 @@ struct pstore_record {
+  *
+  * @buf_lock: spinlock to serialize access to @buf
+  * @buf:      preallocated crash dump buffer
+- * @bufsize:  size of @buf available for crash dump writes
++ * @bufsize:  size of @buf available for crash dump bytes (must match
++ *            smallest number of bytes available for writing to a
++ *            backend entry, since compressed bytes don't take kindly
++ *            to being truncated)
+  *
+  * @read_mutex:       serializes @open, @read, @close, and @erase callbacks
+  * @flags:    bitfield of frontends the backend can accept writes for
+-- 
+2.19.1
+
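Review bot: The new `cxt->pstore.bufsize = cxt->dprzs[0]->buffer_size;` in ramoops_probe() dereferences the first dump zone unconditionally, whereas the removed code only read `record_size` and `console_size`. If the driver can be probed with no dmesg records configured, for instance a console-only setup with a zero record size, `cxt->dprzs` would have no entry 0 and this line would fault at probe time. The zone setup is outside this hunk, so that is an assumption to confirm. Guarding the assignment and the allocation on the presence of dump zones, e.g. `if (cxt->max_dump_cnt) { ... }`, would keep such configurations working. ramoops_probe() starts and ends outside the hunk.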
diff --git a/queue-4.19/pvcalls-front-fixes-incorrect-error-handling.patch b/queue-4.19/pvcalls-front-fixes-incorrect-error-handling.patch
new file mode 100644 (file)
index 0000000..a4535c2
--- /dev/null
@@ -0,0 +1,37 @@
+From acd297eeac40d5d6676403af3c9e4ac8f5f9d176 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Thu, 22 Nov 2018 10:07:12 +0800
+Subject: pvcalls-front: fixes incorrect error handling
+
+[ Upstream commit 975ef94a0284648fb0137bd5e949b18cef604e33 ]
+
+kfree() is incorrectly used to release the pages allocated by
+__get_free_page() and __get_free_pages(). Use the matching deallocators
+i.e., free_page() and free_pages(), respectively.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/pvcalls-front.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/xen/pvcalls-front.c b/drivers/xen/pvcalls-front.c
+index 2f11ca72a281..77224d8f3e6f 100644
+--- a/drivers/xen/pvcalls-front.c
++++ b/drivers/xen/pvcalls-front.c
+@@ -385,8 +385,8 @@ static int create_active(struct sock_mapping *map, int *evtchn)
+ out_error:
+       if (*evtchn >= 0)
+               xenbus_free_evtchn(pvcalls_front_dev, *evtchn);
+-      kfree(map->active.data.in);
+-      kfree(map->active.ring);
++      free_pages((unsigned long)map->active.data.in, PVCALLS_RING_ORDER);
++      free_page((unsigned long)map->active.ring);
+       return ret;
+ }
+-- 
+2.19.1
+
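Review bot: After the corrected `free_pages()`/`free_page()` calls in create_active()'s out_error path, `map->active.data.in` and `map->active.ring` still hold the freed addresses. Whether the caller tears down `map` again after a failed create_active() is not visible in this hunk, but if it does, those stale pointers would be released a second time. Setting both to NULL after freeing (`map->active.data.in = NULL;` and `map->active.ring = NULL;`) makes the error path safe either way. create_active() starts outside the hunk.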
diff --git a/queue-4.19/rdma-bnxt_re-avoid-accessing-the-device-structure-af.patch b/queue-4.19/rdma-bnxt_re-avoid-accessing-the-device-structure-af.patch
new file mode 100644 (file)
index 0000000..b2e9844
--- /dev/null
@@ -0,0 +1,74 @@
+From d3fa4e9e71c2dec1ea42132a9416b0489088d7fe Mon Sep 17 00:00:00 2001
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+Date: Wed, 21 Nov 2018 00:05:01 -0800
+Subject: RDMA/bnxt_re: Avoid accessing the device structure after it is freed
+
+[ Upstream commit a6c66d6a08b88cc10aca9d3f65cfae31e7652a99 ]
+
+When bnxt_re_ib_reg returns failure, the device structure gets
+freed. Driver tries to access the device pointer
+after it is freed.
+
+[ 4871.034744] Failed to register with netedev: 0xffffffa1
+[ 4871.034765] infiniband (null): Failed to register with IB: 0xffffffea
+[ 4871.046430] ==================================================================
+[ 4871.046437] BUG: KASAN: use-after-free in bnxt_re_task+0x63/0x180 [bnxt_re]
+[ 4871.046439] Write of size 4 at addr ffff880fa8406f48 by task kworker/u48:2/17813
+
+[ 4871.046443] CPU: 20 PID: 17813 Comm: kworker/u48:2 Kdump: loaded Tainted: G B OE  4.20.0-rc1+ #42
+[ 4871.046444] Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.0.4 08/28/2014
+[ 4871.046447] Workqueue: bnxt_re bnxt_re_task [bnxt_re]
+[ 4871.046449] Call Trace:
+[ 4871.046454]  dump_stack+0x91/0xeb
+[ 4871.046458]  print_address_description+0x6a/0x2a0
+[ 4871.046461]  kasan_report+0x176/0x2d0
+[ 4871.046463]  ? bnxt_re_task+0x63/0x180 [bnxt_re]
+[ 4871.046466]  bnxt_re_task+0x63/0x180 [bnxt_re]
+[ 4871.046470]  process_one_work+0x216/0x5b0
+[ 4871.046471]  ? process_one_work+0x189/0x5b0
+[ 4871.046475]  worker_thread+0x4e/0x3d0
+[ 4871.046479]  kthread+0x10e/0x140
+[ 4871.046480]  ? process_one_work+0x5b0/0x5b0
+[ 4871.046482]  ? kthread_stop+0x220/0x220
+[ 4871.046486]  ret_from_fork+0x3a/0x50
+
+[ 4871.046492] The buggy address belongs to the page:
+[ 4871.046494] page:ffffea003ea10180 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+[ 4871.046495] flags: 0x57ffffc0000000()
+[ 4871.046498] raw: 0057ffffc0000000 0000000000000000 ffffea003ea10188 0000000000000000
+[ 4871.046500] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+[ 4871.046501] page dumped because: kasan: bad access detected
+
+Avoid accessing the device structure once it is freed.
+
+Fixes: 497158aa5f52 ("RDMA/bnxt_re: Fix the ib_reg failure cleanup")
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index bb3f16273938..22bd9784fa2e 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -1462,6 +1462,7 @@ static void bnxt_re_task(struct work_struct *work)
+                               "Failed to register with IB: %#x", rc);
+                       bnxt_re_remove_one(rdev);
+                       bnxt_re_dev_unreg(rdev);
++                      goto exit;
+               }
+               break;
+       case NETDEV_UP:
+@@ -1485,6 +1486,7 @@ static void bnxt_re_task(struct work_struct *work)
+       }
+       smp_mb__before_atomic();
+       atomic_dec(&rdev->sched_count);
++exit:
+       kfree(re_work);
+ }
+-- 
+2.19.1
+
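Review bot: The added `goto exit;` in bnxt_re_task() needs a comment, because it deliberately skips `atomic_dec(&rdev->sched_count)` and nothing at the jump or at the label says why. A later cleanup could easily "fix" the apparently missing decrement and bring the use-after-free back. I would put `/* rdev is freed on this failure path; do not touch rdev->sched_count */` above the `goto`, and note at `exit:` that only `re_work` may be used from there on. bnxt_re_task() starts outside the hunk.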
diff --git a/queue-4.19/rdma-bnxt_re-fix-system-hang-when-registration-with-.patch b/queue-4.19/rdma-bnxt_re-fix-system-hang-when-registration-with-.patch
new file mode 100644 (file)
index 0000000..ef31172
--- /dev/null
@@ -0,0 +1,60 @@
+From b93fd823e2b6acc6ee6b06ad7d8483cc72f3a781 Mon Sep 17 00:00:00 2001
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+Date: Wed, 21 Nov 2018 00:05:00 -0800
+Subject: RDMA/bnxt_re: Fix system hang when registration with L2 driver fails
+
+[ Upstream commit 3c4b1419c33c2417836a63f8126834ee36968321 ]
+
+Driver doesn't release rtnl lock if registration with
+L2 driver (bnxt_re_register_netdev) fais and this causes
+hang while requesting for the next lock.
+
+[  371.635416] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+[  371.635417] kworker/u48:1   D    0   634      2 0x80000000
+[  371.635423] Workqueue: bnxt_re bnxt_re_task [bnxt_re]
+[  371.635424] Call Trace:
+[  371.635426]  ? __schedule+0x36b/0xbd0
+[  371.635429]  schedule+0x39/0x90
+[  371.635430]  schedule_preempt_disabled+0x11/0x20
+[  371.635431]  __mutex_lock+0x45b/0x9c0
+[  371.635433]  ? __mutex_lock+0x16d/0x9c0
+[  371.635435]  ? bnxt_re_ib_reg+0x2b/0xb30 [bnxt_re]
+[  371.635438]  ? wake_up_klogd+0x37/0x40
+[  371.635442]  bnxt_re_ib_reg+0x2b/0xb30 [bnxt_re]
+[  371.635447]  bnxt_re_task+0xfd/0x180 [bnxt_re]
+[  371.635449]  process_one_work+0x216/0x5b0
+[  371.635450]  ? process_one_work+0x189/0x5b0
+[  371.635453]  worker_thread+0x4e/0x3d0
+[  371.635455]  kthread+0x10e/0x140
+[  371.635456]  ? process_one_work+0x5b0/0x5b0
+[  371.635458]  ? kthread_stop+0x220/0x220
+[  371.635460]  ret_from_fork+0x3a/0x50
+[  371.635477] INFO: task NetworkManager:1228 blocked for more than 120 seconds.
+[  371.635478]       Tainted: G    B      OE     4.20.0-rc1+ #42
+[  371.635479] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+
+Release the rtnl_lock correctly in the failure path.
+
+Fixes: de5c95d0f518 ("RDMA/bnxt_re: Fix system crash during RDMA resource initialization")
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index 85cd1a3593d6..bb3f16273938 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -1252,6 +1252,7 @@ static int bnxt_re_ib_reg(struct bnxt_re_dev *rdev)
+       /* Registered a new RoCE device instance to netdev */
+       rc = bnxt_re_register_netdev(rdev);
+       if (rc) {
++              rtnl_unlock();
+               pr_err("Failed to register with netedev: %#x\n", rc);
+               return -EINVAL;
+       }
+-- 
+2.19.1
+
diff --git a/queue-4.19/rdma-core-add-gids-while-changing-mac-addr-only-for-.patch b/queue-4.19/rdma-core-add-gids-while-changing-mac-addr-only-for-.patch
new file mode 100644 (file)
index 0000000..48f4094
--- /dev/null
@@ -0,0 +1,57 @@
+From cd9c013241b8c4c9184d162de5bbd056e8c0a5b4 Mon Sep 17 00:00:00 2001
+From: Parav Pandit <parav@mellanox.com>
+Date: Mon, 19 Nov 2018 09:58:24 +0200
+Subject: RDMA/core: Add GIDs while changing MAC addr only for registered ndev
+
+[ Upstream commit d52ef88a9f4be523425730da3239cf87bee936da ]
+
+Currently when MAC address is changed, regardless of the netdev reg_state,
+GID entries are removed and added to reflect the new MAC address and new
+default GID entries.
+
+When a bonding device is used and the underlying PCI device is removed
+several netdevice events are generated. Two events of the interest are
+CHANGEADDR and UNREGISTER event on lower(slave) netdevice of the bond
+netdevice.
+
+Sometimes CHANGEADDR event is generated when netdev state is
+UNREGISTERING (after UNREGISTER event is generated). In this scenario, GID
+entries for default GIDs are added and never deleted because GID entries
+are deleted only when netdev state is < UNREGISTERED.
+
+This leads to non zero reference count on the netdevice. Due to this, PCI
+device unbind operation is getting stuck.
+
+To avoid it, when changing mac address, add GID entries only if netdev is
+in REGISTERED state.
+
+Fixes: 03db3a2d81e6 ("IB/core: Add RoCE GID table management")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Mark Bloch <markb@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/roce_gid_mgmt.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/core/roce_gid_mgmt.c b/drivers/infiniband/core/roce_gid_mgmt.c
+index ee366199b169..25d43c8f1c2a 100644
+--- a/drivers/infiniband/core/roce_gid_mgmt.c
++++ b/drivers/infiniband/core/roce_gid_mgmt.c
+@@ -767,8 +767,10 @@ static int netdevice_event(struct notifier_block *this, unsigned long event,
+       case NETDEV_CHANGEADDR:
+               cmds[0] = netdev_del_cmd;
+-              cmds[1] = add_default_gid_cmd;
+-              cmds[2] = add_cmd;
++              if (ndev->reg_state == NETREG_REGISTERED) {
++                      cmds[1] = add_default_gid_cmd;
++                      cmds[2] = add_cmd;
++              }
+               break;
+       case NETDEV_CHANGEUPPER:
+-- 
+2.19.1
+
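Review bot: The new `ndev->reg_state == NETREG_REGISTERED` guard under `case NETDEV_CHANGEADDR:` carries no comment, so the reason for it lives only in the commit message. That reason is a lifetime one: a CHANGEADDR event can arrive after UNREGISTER, and GID entries added at that point are never deleted and keep a reference on the netdevice. A short comment above the `if` would keep this visible to the next reader, for example `/* Add GIDs only for a registered ndev; entries added while it unregisters are never removed and pin the netdev. */`. The delete command in `cmds[0]` still runs unconditionally, which looks intended. The body of `netdevice_event` starts and ends outside the hunk.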
diff --git a/queue-4.19/rdma-hns-bugfix-pbl-configuration-for-rereg-mr.patch b/queue-4.19/rdma-hns-bugfix-pbl-configuration-for-rereg-mr.patch
new file mode 100644 (file)
index 0000000..fd8eae4
--- /dev/null
@@ -0,0 +1,226 @@
+From 39ffebbe93980a7688666300a63d6d52b96b4ff4 Mon Sep 17 00:00:00 2001
+From: Yixian Liu <liuyixian@huawei.com>
+Date: Fri, 23 Nov 2018 15:46:07 +0800
+Subject: RDMA/hns: Bugfix pbl configuration for rereg mr
+
+[ Upstream commit ca088320a02537f36c243ac21794525d8eabb3bd ]
+
+Current hns driver assigned the first two PBL page addresses from previous
+registered MR to the hardware when reregister MR changing the memory
+locations occurred. This will lead to PBL addressing error as the PBL has
+already been released. This patch fixes this wrong assignment by using the
+page address from new allocated PBL.
+
+Fixes: a2c80b7b4119 ("RDMA/hns: Add rereg mr support for hip08")
+Signed-off-by: Yixian Liu <liuyixian@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 128 ++++++++++-----------
+ 1 file changed, 60 insertions(+), 68 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 0218c0f8c2a7..a442b29e7611 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -1661,10 +1661,9 @@ static int hns_roce_v2_set_mac(struct hns_roce_dev *hr_dev, u8 phy_port,
+       return hns_roce_cmq_send(hr_dev, &desc, 1);
+ }
+-static int hns_roce_v2_write_mtpt(void *mb_buf, struct hns_roce_mr *mr,
+-                                unsigned long mtpt_idx)
++static int set_mtpt_pbl(struct hns_roce_v2_mpt_entry *mpt_entry,
++                      struct hns_roce_mr *mr)
+ {
+-      struct hns_roce_v2_mpt_entry *mpt_entry;
+       struct scatterlist *sg;
+       u64 page_addr;
+       u64 *pages;
+@@ -1672,6 +1671,53 @@ static int hns_roce_v2_write_mtpt(void *mb_buf, struct hns_roce_mr *mr,
+       int len;
+       int entry;
++      mpt_entry->pbl_size = cpu_to_le32(mr->pbl_size);
++      mpt_entry->pbl_ba_l = cpu_to_le32(lower_32_bits(mr->pbl_ba >> 3));
++      roce_set_field(mpt_entry->byte_48_mode_ba,
++                     V2_MPT_BYTE_48_PBL_BA_H_M, V2_MPT_BYTE_48_PBL_BA_H_S,
++                     upper_32_bits(mr->pbl_ba >> 3));
++
++      pages = (u64 *)__get_free_page(GFP_KERNEL);
++      if (!pages)
++              return -ENOMEM;
++
++      i = 0;
++      for_each_sg(mr->umem->sg_head.sgl, sg, mr->umem->nmap, entry) {
++              len = sg_dma_len(sg) >> PAGE_SHIFT;
++              for (j = 0; j < len; ++j) {
++                      page_addr = sg_dma_address(sg) +
++                              (j << mr->umem->page_shift);
++                      pages[i] = page_addr >> 6;
++                      /* Record the first 2 entry directly to MTPT table */
++                      if (i >= HNS_ROCE_V2_MAX_INNER_MTPT_NUM - 1)
++                              goto found;
++                      i++;
++              }
++      }
++found:
++      mpt_entry->pa0_l = cpu_to_le32(lower_32_bits(pages[0]));
++      roce_set_field(mpt_entry->byte_56_pa0_h, V2_MPT_BYTE_56_PA0_H_M,
++                     V2_MPT_BYTE_56_PA0_H_S, upper_32_bits(pages[0]));
++
++      mpt_entry->pa1_l = cpu_to_le32(lower_32_bits(pages[1]));
++      roce_set_field(mpt_entry->byte_64_buf_pa1, V2_MPT_BYTE_64_PA1_H_M,
++                     V2_MPT_BYTE_64_PA1_H_S, upper_32_bits(pages[1]));
++      roce_set_field(mpt_entry->byte_64_buf_pa1,
++                     V2_MPT_BYTE_64_PBL_BUF_PG_SZ_M,
++                     V2_MPT_BYTE_64_PBL_BUF_PG_SZ_S,
++                     mr->pbl_buf_pg_sz + PG_SHIFT_OFFSET);
++
++      free_page((unsigned long)pages);
++
++      return 0;
++}
++
++static int hns_roce_v2_write_mtpt(void *mb_buf, struct hns_roce_mr *mr,
++                                unsigned long mtpt_idx)
++{
++      struct hns_roce_v2_mpt_entry *mpt_entry;
++      int ret;
++
+       mpt_entry = mb_buf;
+       memset(mpt_entry, 0, sizeof(*mpt_entry));
+@@ -1686,7 +1732,6 @@ static int hns_roce_v2_write_mtpt(void *mb_buf, struct hns_roce_mr *mr,
+                      mr->pbl_ba_pg_sz + PG_SHIFT_OFFSET);
+       roce_set_field(mpt_entry->byte_4_pd_hop_st, V2_MPT_BYTE_4_PD_M,
+                      V2_MPT_BYTE_4_PD_S, mr->pd);
+-      mpt_entry->byte_4_pd_hop_st = cpu_to_le32(mpt_entry->byte_4_pd_hop_st);
+       roce_set_bit(mpt_entry->byte_8_mw_cnt_en, V2_MPT_BYTE_8_RA_EN_S, 0);
+       roce_set_bit(mpt_entry->byte_8_mw_cnt_en, V2_MPT_BYTE_8_R_INV_EN_S, 1);
+@@ -1700,13 +1745,11 @@ static int hns_roce_v2_write_mtpt(void *mb_buf, struct hns_roce_mr *mr,
+                    (mr->access & IB_ACCESS_REMOTE_WRITE ? 1 : 0));
+       roce_set_bit(mpt_entry->byte_8_mw_cnt_en, V2_MPT_BYTE_8_LW_EN_S,
+                    (mr->access & IB_ACCESS_LOCAL_WRITE ? 1 : 0));
+-      mpt_entry->byte_8_mw_cnt_en = cpu_to_le32(mpt_entry->byte_8_mw_cnt_en);
+       roce_set_bit(mpt_entry->byte_12_mw_pa, V2_MPT_BYTE_12_PA_S,
+                    mr->type == MR_TYPE_MR ? 0 : 1);
+       roce_set_bit(mpt_entry->byte_12_mw_pa, V2_MPT_BYTE_12_INNER_PA_VLD_S,
+                    1);
+-      mpt_entry->byte_12_mw_pa = cpu_to_le32(mpt_entry->byte_12_mw_pa);
+       mpt_entry->len_l = cpu_to_le32(lower_32_bits(mr->size));
+       mpt_entry->len_h = cpu_to_le32(upper_32_bits(mr->size));
+@@ -1717,53 +1760,9 @@ static int hns_roce_v2_write_mtpt(void *mb_buf, struct hns_roce_mr *mr,
+       if (mr->type == MR_TYPE_DMA)
+               return 0;
+-      mpt_entry->pbl_size = cpu_to_le32(mr->pbl_size);
+-
+-      mpt_entry->pbl_ba_l = cpu_to_le32(lower_32_bits(mr->pbl_ba >> 3));
+-      roce_set_field(mpt_entry->byte_48_mode_ba, V2_MPT_BYTE_48_PBL_BA_H_M,
+-                     V2_MPT_BYTE_48_PBL_BA_H_S,
+-                     upper_32_bits(mr->pbl_ba >> 3));
+-      mpt_entry->byte_48_mode_ba = cpu_to_le32(mpt_entry->byte_48_mode_ba);
+-
+-      pages = (u64 *)__get_free_page(GFP_KERNEL);
+-      if (!pages)
+-              return -ENOMEM;
+-
+-      i = 0;
+-      for_each_sg(mr->umem->sg_head.sgl, sg, mr->umem->nmap, entry) {
+-              len = sg_dma_len(sg) >> PAGE_SHIFT;
+-              for (j = 0; j < len; ++j) {
+-                      page_addr = sg_dma_address(sg) +
+-                                  (j << mr->umem->page_shift);
+-                      pages[i] = page_addr >> 6;
+-
+-                      /* Record the first 2 entry directly to MTPT table */
+-                      if (i >= HNS_ROCE_V2_MAX_INNER_MTPT_NUM - 1)
+-                              goto found;
+-                      i++;
+-              }
+-      }
++      ret = set_mtpt_pbl(mpt_entry, mr);
+-found:
+-      mpt_entry->pa0_l = cpu_to_le32(lower_32_bits(pages[0]));
+-      roce_set_field(mpt_entry->byte_56_pa0_h, V2_MPT_BYTE_56_PA0_H_M,
+-                     V2_MPT_BYTE_56_PA0_H_S,
+-                     upper_32_bits(pages[0]));
+-      mpt_entry->byte_56_pa0_h = cpu_to_le32(mpt_entry->byte_56_pa0_h);
+-
+-      mpt_entry->pa1_l = cpu_to_le32(lower_32_bits(pages[1]));
+-      roce_set_field(mpt_entry->byte_64_buf_pa1, V2_MPT_BYTE_64_PA1_H_M,
+-                     V2_MPT_BYTE_64_PA1_H_S, upper_32_bits(pages[1]));
+-
+-      free_page((unsigned long)pages);
+-
+-      roce_set_field(mpt_entry->byte_64_buf_pa1,
+-                     V2_MPT_BYTE_64_PBL_BUF_PG_SZ_M,
+-                     V2_MPT_BYTE_64_PBL_BUF_PG_SZ_S,
+-                     mr->pbl_buf_pg_sz + PG_SHIFT_OFFSET);
+-      mpt_entry->byte_64_buf_pa1 = cpu_to_le32(mpt_entry->byte_64_buf_pa1);
+-
+-      return 0;
++      return ret;
+ }
+ static int hns_roce_v2_rereg_write_mtpt(struct hns_roce_dev *hr_dev,
+@@ -1772,6 +1771,7 @@ static int hns_roce_v2_rereg_write_mtpt(struct hns_roce_dev *hr_dev,
+                                       u64 size, void *mb_buf)
+ {
+       struct hns_roce_v2_mpt_entry *mpt_entry = mb_buf;
++      int ret = 0;
+       if (flags & IB_MR_REREG_PD) {
+               roce_set_field(mpt_entry->byte_4_pd_hop_st, V2_MPT_BYTE_4_PD_M,
+@@ -1784,14 +1784,14 @@ static int hns_roce_v2_rereg_write_mtpt(struct hns_roce_dev *hr_dev,
+                            V2_MPT_BYTE_8_BIND_EN_S,
+                            (mr_access_flags & IB_ACCESS_MW_BIND ? 1 : 0));
+               roce_set_bit(mpt_entry->byte_8_mw_cnt_en,
+-                         V2_MPT_BYTE_8_ATOMIC_EN_S,
+-                         (mr_access_flags & IB_ACCESS_REMOTE_ATOMIC ? 1 : 0));
++                           V2_MPT_BYTE_8_ATOMIC_EN_S,
++                           mr_access_flags & IB_ACCESS_REMOTE_ATOMIC ? 1 : 0);
+               roce_set_bit(mpt_entry->byte_8_mw_cnt_en, V2_MPT_BYTE_8_RR_EN_S,
+-                           (mr_access_flags & IB_ACCESS_REMOTE_READ ? 1 : 0));
++                           mr_access_flags & IB_ACCESS_REMOTE_READ ? 1 : 0);
+               roce_set_bit(mpt_entry->byte_8_mw_cnt_en, V2_MPT_BYTE_8_RW_EN_S,
+-                          (mr_access_flags & IB_ACCESS_REMOTE_WRITE ? 1 : 0));
++                           mr_access_flags & IB_ACCESS_REMOTE_WRITE ? 1 : 0);
+               roce_set_bit(mpt_entry->byte_8_mw_cnt_en, V2_MPT_BYTE_8_LW_EN_S,
+-                           (mr_access_flags & IB_ACCESS_LOCAL_WRITE ? 1 : 0));
++                           mr_access_flags & IB_ACCESS_LOCAL_WRITE ? 1 : 0);
+       }
+       if (flags & IB_MR_REREG_TRANS) {
+@@ -1800,21 +1800,13 @@ static int hns_roce_v2_rereg_write_mtpt(struct hns_roce_dev *hr_dev,
+               mpt_entry->len_l = cpu_to_le32(lower_32_bits(size));
+               mpt_entry->len_h = cpu_to_le32(upper_32_bits(size));
+-              mpt_entry->pbl_size = cpu_to_le32(mr->pbl_size);
+-              mpt_entry->pbl_ba_l =
+-                              cpu_to_le32(lower_32_bits(mr->pbl_ba >> 3));
+-              roce_set_field(mpt_entry->byte_48_mode_ba,
+-                             V2_MPT_BYTE_48_PBL_BA_H_M,
+-                             V2_MPT_BYTE_48_PBL_BA_H_S,
+-                             upper_32_bits(mr->pbl_ba >> 3));
+-              mpt_entry->byte_48_mode_ba =
+-                              cpu_to_le32(mpt_entry->byte_48_mode_ba);
+-
+               mr->iova = iova;
+               mr->size = size;
++
++              ret = set_mtpt_pbl(mpt_entry, mr);
+       }
+-      return 0;
++      return ret;
+ }
+ static void *get_cqe_v2(struct hns_roce_cq *hr_cq, int n)
+-- 
+2.19.1
+
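Review bot: In `set_mtpt_pbl()` the code after the `found:` label reads `pages[0]` and `pages[1]` unconditionally, but the page comes from `__get_free_page(GFP_KERNEL)`, which does not zero it, and the loop stores only as many entries as the scatterlist yields. When the mapping covers a single page, `pages[1]` is never written, so stale contents of that kernel page are programmed into `pa1_l` and `byte_64_buf_pa1` and handed to the hardware as a page address. Allocating with `pages = (u64 *)get_zeroed_page(GFP_KERNEL);` gives the unused slots a defined value. The pattern was already present in the code this patch moves, but the helper is now also reached from `hns_roce_v2_rereg_write_mtpt()`, so it is worth fixing here.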
diff --git a/queue-4.19/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch b/queue-4.19/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch
new file mode 100644 (file)
index 0000000..4a0cadf
--- /dev/null
@@ -0,0 +1,67 @@
+From 603fc6390c5c85ffd1eddab1d8c812e4b2a76471 Mon Sep 17 00:00:00 2001
+From: Majd Dibbiny <majd@mellanox.com>
+Date: Mon, 5 Nov 2018 08:07:37 +0200
+Subject: RDMA/mlx5: Fix fence type for IB_WR_LOCAL_INV WR
+
+[ Upstream commit 074fca3a18e7e1e0d4d7dcc9d7badc43b90232f4 ]
+
+Currently, for IB_WR_LOCAL_INV WR, when the next fence is None, the
+current fence will be SMALL instead of Normal Fence.
+
+Without this patch krping doesn't work on CX-5 devices and throws
+following error:
+
+The error messages are from CX5 driver are: (from server side)
+[ 710.434014] mlx5_0:dump_cqe:278:(pid 2712): dump error cqe
+[ 710.434016] 00000000 00000000 00000000 00000000
+[ 710.434016] 00000000 00000000 00000000 00000000
+[ 710.434017] 00000000 00000000 00000000 00000000
+[ 710.434018] 00000000 93003204 100000b8 000524d2
+[ 710.434019] krping: cq completion failed with wr_id 0 status 4 opcode 128 vender_err 32
+
+Fixed the logic to set the correct fence type.
+
+Fixes: 6e8484c5cf07 ("RDMA/mlx5: set UMR wqe fence according to HCA cap")
+Signed-off-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/qp.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
+index d53d954ac8af..183fe5c8ceb7 100644
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -4413,17 +4413,18 @@ static int _mlx5_ib_post_send(struct ib_qp *ibqp, const struct ib_send_wr *wr,
+                       goto out;
+               }
+-              if (wr->opcode == IB_WR_LOCAL_INV ||
+-                  wr->opcode == IB_WR_REG_MR) {
++              if (wr->opcode == IB_WR_REG_MR) {
+                       fence = dev->umr_fence;
+                       next_fence = MLX5_FENCE_MODE_INITIATOR_SMALL;
+-              } else if (wr->send_flags & IB_SEND_FENCE) {
+-                      if (qp->next_fence)
+-                              fence = MLX5_FENCE_MODE_SMALL_AND_FENCE;
+-                      else
+-                              fence = MLX5_FENCE_MODE_FENCE;
+-              } else {
+-                      fence = qp->next_fence;
++              } else  {
++                      if (wr->send_flags & IB_SEND_FENCE) {
++                              if (qp->next_fence)
++                                      fence = MLX5_FENCE_MODE_SMALL_AND_FENCE;
++                              else
++                                      fence = MLX5_FENCE_MODE_FENCE;
++                      } else {
++                              fence = qp->next_fence;
++                      }
+               }
+               switch (ibqp->qp_type) {
+-- 
+2.19.1
+
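Review bot: The rewritten fence selection wraps the `IB_SEND_FENCE` test in a bare `} else  {` (with a doubled space), which adds an indentation level without changing the logic. Keeping the old `else if` chain and dropping only the `IB_WR_LOCAL_INV` test is equivalent and reduces the fix to one changed condition: `if (wr->opcode == IB_WR_REG_MR) {` followed by the untouched `} else if (wr->send_flags & IB_SEND_FENCE) {`. A one-line comment stating that local-invalidate work requests take the ordinary fence path and not `dev->umr_fence` would record why the opcode was removed. The body of `_mlx5_ib_post_send` starts and ends outside the hunk.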
diff --git a/queue-4.19/rdma-rdmavt-fix-rvt_create_ah-function-signature.patch b/queue-4.19/rdma-rdmavt-fix-rvt_create_ah-function-signature.patch
new file mode 100644 (file)
index 0000000..cf156e7
--- /dev/null
@@ -0,0 +1,63 @@
+From 2a8d625b5a663d4749ef34030dffd6dea2deeb39 Mon Sep 17 00:00:00 2001
+From: Kamal Heib <kamalheib1@gmail.com>
+Date: Thu, 15 Nov 2018 09:49:38 -0800
+Subject: RDMA/rdmavt: Fix rvt_create_ah function signature
+
+[ Upstream commit 4f32fb921b153ae9ea280e02a3e91509fffc03d3 ]
+
+rdmavt uses a crazy system that looses the type checking when assinging
+functions to struct ib_device function pointers. Because of this the
+signature to this function was not changed when the below commit revised
+things.
+
+Fix the signature so we are not calling a function pointer with a
+mismatched signature.
+
+Fixes: 477864c8fcd9 ("IB/core: Let create_ah return extended response to user")
+Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rdmavt/ah.c | 4 +++-
+ drivers/infiniband/sw/rdmavt/ah.h | 3 ++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rdmavt/ah.c b/drivers/infiniband/sw/rdmavt/ah.c
+index 89ec0f64abfc..084bb4baebb5 100644
+--- a/drivers/infiniband/sw/rdmavt/ah.c
++++ b/drivers/infiniband/sw/rdmavt/ah.c
+@@ -91,13 +91,15 @@ EXPORT_SYMBOL(rvt_check_ah);
+  * rvt_create_ah - create an address handle
+  * @pd: the protection domain
+  * @ah_attr: the attributes of the AH
++ * @udata: pointer to user's input output buffer information.
+  *
+  * This may be called from interrupt context.
+  *
+  * Return: newly allocated ah
+  */
+ struct ib_ah *rvt_create_ah(struct ib_pd *pd,
+-                          struct rdma_ah_attr *ah_attr)
++                          struct rdma_ah_attr *ah_attr,
++                          struct ib_udata *udata)
+ {
+       struct rvt_ah *ah;
+       struct rvt_dev_info *dev = ib_to_rvt(pd->device);
+diff --git a/drivers/infiniband/sw/rdmavt/ah.h b/drivers/infiniband/sw/rdmavt/ah.h
+index 16105af99189..25271b48a683 100644
+--- a/drivers/infiniband/sw/rdmavt/ah.h
++++ b/drivers/infiniband/sw/rdmavt/ah.h
+@@ -51,7 +51,8 @@
+ #include <rdma/rdma_vt.h>
+ struct ib_ah *rvt_create_ah(struct ib_pd *pd,
+-                          struct rdma_ah_attr *ah_attr);
++                          struct rdma_ah_attr *ah_attr,
++                          struct ib_udata *udata);
+ int rvt_destroy_ah(struct ib_ah *ibah);
+ int rvt_modify_ah(struct ib_ah *ibah, struct rdma_ah_attr *ah_attr);
+ int rvt_query_ah(struct ib_ah *ibah, struct rdma_ah_attr *ah_attr);
+-- 
+2.19.1
+
diff --git a/queue-4.19/revert-xen-balloon-mark-unallocated-host-memory-as-u.patch b/queue-4.19/revert-xen-balloon-mark-unallocated-host-memory-as-u.patch
new file mode 100644 (file)
index 0000000..5e6553d
--- /dev/null
@@ -0,0 +1,266 @@
+From f25bbc0b688e702d614d129b205313e00b1ff1f5 Mon Sep 17 00:00:00 2001
+From: Igor Druzhinin <igor.druzhinin@citrix.com>
+Date: Tue, 27 Nov 2018 20:58:21 +0000
+Subject: Revert "xen/balloon: Mark unallocated host memory as UNUSABLE"
+
+[ Upstream commit 123664101aa2156d05251704fc63f9bcbf77741a ]
+
+This reverts commit b3cf8528bb21febb650a7ecbf080d0647be40b9f.
+
+That commit unintentionally broke Xen balloon memory hotplug with
+"hotplug_unpopulated" set to 1. As long as "System RAM" resource
+got assigned under a new "Unusable memory" resource in IO/Mem tree
+any attempt to online this memory would fail due to general kernel
+restrictions on having "System RAM" resources as 1st level only.
+
+The original issue that commit has tried to workaround fa564ad96366
+("x86/PCI: Enable a 64bit BAR on AMD Family 15h (Models 00-1f, 30-3f,
+60-7f)") also got amended by the following 03a551734 ("x86/PCI: Move
+and shrink AMD 64-bit window to avoid conflict") which made the
+original fix to Xen ballooning unnecessary.
+
+Signed-off-by: Igor Druzhinin <igor.druzhinin@citrix.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/enlighten.c | 78 ----------------------------------------
+ arch/x86/xen/setup.c     |  6 ++--
+ drivers/xen/balloon.c    | 65 +++++----------------------------
+ include/xen/balloon.h    |  5 ---
+ 4 files changed, 13 insertions(+), 141 deletions(-)
+
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
+index 2eeddd814653..c6c7c9b7b5c1 100644
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -7,7 +7,6 @@
+ #include <xen/features.h>
+ #include <xen/page.h>
+-#include <xen/interface/memory.h>
+ #include <asm/xen/hypercall.h>
+ #include <asm/xen/hypervisor.h>
+@@ -343,80 +342,3 @@ void xen_arch_unregister_cpu(int num)
+ }
+ EXPORT_SYMBOL(xen_arch_unregister_cpu);
+ #endif
+-
+-#ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG
+-void __init arch_xen_balloon_init(struct resource *hostmem_resource)
+-{
+-      struct xen_memory_map memmap;
+-      int rc;
+-      unsigned int i, last_guest_ram;
+-      phys_addr_t max_addr = PFN_PHYS(max_pfn);
+-      struct e820_table *xen_e820_table;
+-      const struct e820_entry *entry;
+-      struct resource *res;
+-
+-      if (!xen_initial_domain())
+-              return;
+-
+-      xen_e820_table = kmalloc(sizeof(*xen_e820_table), GFP_KERNEL);
+-      if (!xen_e820_table)
+-              return;
+-
+-      memmap.nr_entries = ARRAY_SIZE(xen_e820_table->entries);
+-      set_xen_guest_handle(memmap.buffer, xen_e820_table->entries);
+-      rc = HYPERVISOR_memory_op(XENMEM_machine_memory_map, &memmap);
+-      if (rc) {
+-              pr_warn("%s: Can't read host e820 (%d)\n", __func__, rc);
+-              goto out;
+-      }
+-
+-      last_guest_ram = 0;
+-      for (i = 0; i < memmap.nr_entries; i++) {
+-              if (xen_e820_table->entries[i].addr >= max_addr)
+-                      break;
+-              if (xen_e820_table->entries[i].type == E820_TYPE_RAM)
+-                      last_guest_ram = i;
+-      }
+-
+-      entry = &xen_e820_table->entries[last_guest_ram];
+-      if (max_addr >= entry->addr + entry->size)
+-              goto out; /* No unallocated host RAM. */
+-
+-      hostmem_resource->start = max_addr;
+-      hostmem_resource->end = entry->addr + entry->size;
+-
+-      /*
+-       * Mark non-RAM regions between the end of dom0 RAM and end of host RAM
+-       * as unavailable. The rest of that region can be used for hotplug-based
+-       * ballooning.
+-       */
+-      for (; i < memmap.nr_entries; i++) {
+-              entry = &xen_e820_table->entries[i];
+-
+-              if (entry->type == E820_TYPE_RAM)
+-                      continue;
+-
+-              if (entry->addr >= hostmem_resource->end)
+-                      break;
+-
+-              res = kzalloc(sizeof(*res), GFP_KERNEL);
+-              if (!res)
+-                      goto out;
+-
+-              res->name = "Unavailable host RAM";
+-              res->start = entry->addr;
+-              res->end = (entry->addr + entry->size < hostmem_resource->end) ?
+-                          entry->addr + entry->size : hostmem_resource->end;
+-              rc = insert_resource(hostmem_resource, res);
+-              if (rc) {
+-                      pr_warn("%s: Can't insert [%llx - %llx) (%d)\n",
+-                              __func__, res->start, res->end, rc);
+-                      kfree(res);
+-                      goto  out;
+-              }
+-      }
+-
+- out:
+-      kfree(xen_e820_table);
+-}
+-#endif /* CONFIG_XEN_BALLOON_MEMORY_HOTPLUG */
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index 1163e33121fb..075ed47993bb 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -808,6 +808,7 @@ char * __init xen_memory_setup(void)
+       addr = xen_e820_table.entries[0].addr;
+       size = xen_e820_table.entries[0].size;
+       while (i < xen_e820_table.nr_entries) {
++              bool discard = false;
+               chunk_size = size;
+               type = xen_e820_table.entries[i].type;
+@@ -823,10 +824,11 @@ char * __init xen_memory_setup(void)
+                               xen_add_extra_mem(pfn_s, n_pfns);
+                               xen_max_p2m_pfn = pfn_s + n_pfns;
+                       } else
+-                              type = E820_TYPE_UNUSABLE;
++                              discard = true;
+               }
+-              xen_align_and_add_e820_region(addr, chunk_size, type);
++              if (!discard)
++                      xen_align_and_add_e820_region(addr, chunk_size, type);
+               addr += chunk_size;
+               size -= chunk_size;
+diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
+index e12bb256036f..7ab6caef599c 100644
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -251,25 +251,10 @@ static void release_memory_resource(struct resource *resource)
+       kfree(resource);
+ }
+-/*
+- * Host memory not allocated to dom0. We can use this range for hotplug-based
+- * ballooning.
+- *
+- * It's a type-less resource. Setting IORESOURCE_MEM will make resource
+- * management algorithms (arch_remove_reservations()) look into guest e820,
+- * which we don't want.
+- */
+-static struct resource hostmem_resource = {
+-      .name   = "Host RAM",
+-};
+-
+-void __attribute__((weak)) __init arch_xen_balloon_init(struct resource *res)
+-{}
+-
+ static struct resource *additional_memory_resource(phys_addr_t size)
+ {
+-      struct resource *res, *res_hostmem;
+-      int ret = -ENOMEM;
++      struct resource *res;
++      int ret;
+       res = kzalloc(sizeof(*res), GFP_KERNEL);
+       if (!res)
+@@ -278,42 +263,13 @@ static struct resource *additional_memory_resource(phys_addr_t size)
+       res->name = "System RAM";
+       res->flags = IORESOURCE_SYSTEM_RAM | IORESOURCE_BUSY;
+-      res_hostmem = kzalloc(sizeof(*res), GFP_KERNEL);
+-      if (res_hostmem) {
+-              /* Try to grab a range from hostmem */
+-              res_hostmem->name = "Host memory";
+-              ret = allocate_resource(&hostmem_resource, res_hostmem,
+-                                      size, 0, -1,
+-                                      PAGES_PER_SECTION * PAGE_SIZE, NULL, NULL);
+-      }
+-
+-      if (!ret) {
+-              /*
+-               * Insert this resource into iomem. Because hostmem_resource
+-               * tracks portion of guest e820 marked as UNUSABLE noone else
+-               * should try to use it.
+-               */
+-              res->start = res_hostmem->start;
+-              res->end = res_hostmem->end;
+-              ret = insert_resource(&iomem_resource, res);
+-              if (ret < 0) {
+-                      pr_err("Can't insert iomem_resource [%llx - %llx]\n",
+-                              res->start, res->end);
+-                      release_memory_resource(res_hostmem);
+-                      res_hostmem = NULL;
+-                      res->start = res->end = 0;
+-              }
+-      }
+-
+-      if (ret) {
+-              ret = allocate_resource(&iomem_resource, res,
+-                                      size, 0, -1,
+-                                      PAGES_PER_SECTION * PAGE_SIZE, NULL, NULL);
+-              if (ret < 0) {
+-                      pr_err("Cannot allocate new System RAM resource\n");
+-                      kfree(res);
+-                      return NULL;
+-              }
++      ret = allocate_resource(&iomem_resource, res,
++                              size, 0, -1,
++                              PAGES_PER_SECTION * PAGE_SIZE, NULL, NULL);
++      if (ret < 0) {
++              pr_err("Cannot allocate new System RAM resource\n");
++              kfree(res);
++              return NULL;
+       }
+ #ifdef CONFIG_SPARSEMEM
+@@ -325,7 +281,6 @@ static struct resource *additional_memory_resource(phys_addr_t size)
+                       pr_err("New System RAM resource outside addressable RAM (%lu > %lu)\n",
+                              pfn, limit);
+                       release_memory_resource(res);
+-                      release_memory_resource(res_hostmem);
+                       return NULL;
+               }
+       }
+@@ -747,8 +702,6 @@ static int __init balloon_init(void)
+       set_online_page_callback(&xen_online_page);
+       register_memory_notifier(&xen_memory_nb);
+       register_sysctl_table(xen_root);
+-
+-      arch_xen_balloon_init(&hostmem_resource);
+ #endif
+ #ifdef CONFIG_XEN_PV
+diff --git a/include/xen/balloon.h b/include/xen/balloon.h
+index 61f410fd74e4..4914b93a23f2 100644
+--- a/include/xen/balloon.h
++++ b/include/xen/balloon.h
+@@ -44,8 +44,3 @@ static inline void xen_balloon_init(void)
+ {
+ }
+ #endif
+-
+-#ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG
+-struct resource;
+-void arch_xen_balloon_init(struct resource *hostmem_resource);
+-#endif
+-- 
+2.19.1
+
diff --git a/queue-4.19/s390-cio-fix-cleanup-of-pfn_array-alloc-failure.patch b/queue-4.19/s390-cio-fix-cleanup-of-pfn_array-alloc-failure.patch
new file mode 100644 (file)
index 0000000..7bb1b3c
--- /dev/null
@@ -0,0 +1,35 @@
+From 584b9b67c3db2be97d65d4e6731333c4d7e80774 Mon Sep 17 00:00:00 2001
+From: Eric Farman <farman@linux.ibm.com>
+Date: Fri, 9 Nov 2018 03:39:28 +0100
+Subject: s390/cio: Fix cleanup of pfn_array alloc failure
+
+[ Upstream commit 806212f91c874b24cf9eb4a9f180323671b6c5ed ]
+
+If pfn_array_alloc fails somehow, we need to release the pfn_array_table
+that was malloc'd earlier.
+
+Signed-off-by: Eric Farman <farman@linux.ibm.com>
+Message-Id: <20181109023937.96105-2-farman@linux.ibm.com>
+Acked-by: Halil Pasic <pasic@linux.ibm.com>
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/vfio_ccw_cp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/s390/cio/vfio_ccw_cp.c b/drivers/s390/cio/vfio_ccw_cp.c
+index fd77e46eb3b2..ef5ab45d94b3 100644
+--- a/drivers/s390/cio/vfio_ccw_cp.c
++++ b/drivers/s390/cio/vfio_ccw_cp.c
+@@ -528,7 +528,7 @@ static int ccwchain_fetch_direct(struct ccwchain *chain,
+       ret = pfn_array_alloc_pin(pat->pat_pa, cp->mdev, ccw->cda, ccw->count);
+       if (ret < 0)
+-              goto out_init;
++              goto out_unpin;
+       /* Translate this direct ccw to a idal ccw. */
+       idaws = kcalloc(ret, sizeof(*idaws), GFP_DMA | GFP_KERNEL);
+-- 
+2.19.1
+
diff --git a/queue-4.19/s390-cio-fix-cleanup-when-unsupported-ida-format-is-.patch b/queue-4.19/s390-cio-fix-cleanup-when-unsupported-ida-format-is-.patch
new file mode 100644 (file)
index 0000000..0118b83
--- /dev/null
@@ -0,0 +1,40 @@
+From 20b63fa594c0c294aa8c75d535a3d76ddc717516 Mon Sep 17 00:00:00 2001
+From: Eric Farman <farman@linux.ibm.com>
+Date: Fri, 9 Nov 2018 03:39:29 +0100
+Subject: s390/cio: Fix cleanup when unsupported IDA format is used
+
+[ Upstream commit b89e242eee8d4cd8261d8d821c62c5d1efc454d0 ]
+
+Direct returns from within a loop are rude, but it doesn't mean it gets
+to avoid releasing the memory acquired beforehand.
+
+Signed-off-by: Eric Farman <farman@linux.ibm.com>
+Message-Id: <20181109023937.96105-3-farman@linux.ibm.com>
+Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
+Reviewed-by: Pierre Morel <pmorel@linux.ibm.com>
+Acked-by: Halil Pasic <pasic@linux.ibm.com>
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/vfio_ccw_cp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/s390/cio/vfio_ccw_cp.c b/drivers/s390/cio/vfio_ccw_cp.c
+index ef5ab45d94b3..70a006ba4d05 100644
+--- a/drivers/s390/cio/vfio_ccw_cp.c
++++ b/drivers/s390/cio/vfio_ccw_cp.c
+@@ -387,8 +387,10 @@ static int ccwchain_calc_length(u64 iova, struct channel_program *cp)
+                * orb specified one of the unsupported formats, we defer
+                * checking for IDAWs in unsupported formats to here.
+                */
+-              if ((!cp->orb.cmd.c64 || cp->orb.cmd.i2k) && ccw_is_idal(ccw))
++              if ((!cp->orb.cmd.c64 || cp->orb.cmd.i2k) && ccw_is_idal(ccw)) {
++                      kfree(p);
+                       return -EOPNOTSUPP;
++              }
+               if ((!ccw_is_chain(ccw)) && (!ccw_is_tic(ccw)))
+                       break;
+-- 
+2.19.1
+
diff --git a/queue-4.19/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch b/queue-4.19/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch
new file mode 100644 (file)
index 0000000..8f2cbf5
--- /dev/null
@@ -0,0 +1,113 @@
+From 43a60b563cb5dfd699a691ca94d60cb133e3c5e0 Mon Sep 17 00:00:00 2001
+From: Thomas Richter <tmricht@linux.ibm.com>
+Date: Tue, 13 Nov 2018 15:38:22 +0000
+Subject: s390/cpum_cf: Reject request for sampling in event initialization
+
+[ Upstream commit 613a41b0d16e617f46776a93b975a1eeea96417c ]
+
+On s390 command perf top fails
+[root@s35lp76 perf] # ./perf top -F100000  --stdio
+   Error:
+   cycles: PMU Hardware doesn't support sampling/overflow-interrupts.
+       Try 'perf stat'
+[root@s35lp76 perf] #
+
+Using event -e rb0000 works as designed.  Event rb0000 is the event
+number of the sampling facility for basic sampling.
+
+During system start up the following PMUs are installed in the kernel's
+PMU list (from head to tail):
+   cpum_cf --> s390 PMU counter facility device driver
+   cpum_sf --> s390 PMU sampling facility device driver
+   uprobe
+   kprobe
+   tracepoint
+   task_clock
+   cpu_clock
+
+Perf top executes following functions and calls perf_event_open(2) system
+call with different parameters many times:
+
+cmd_top
+--> __cmd_top
+    --> perf_evlist__add_default
+        --> __perf_evlist__add_default
+            --> perf_evlist__new_cycles (creates event type:0 (HW)
+                                       config 0 (CPU_CYCLES)
+               --> perf_event_attr__set_max_precise_ip
+                   Uses perf_event_open(2) to detect correct
+                   precise_ip level. Fails 3 times on s390 which is ok.
+
+Then functions cmd_top
+--> __cmd_top
+    --> perf_top__start_counters
+        -->perf_evlist__config
+          --> perf_can_comm_exec
+               --> perf_probe_api
+                  This functions test support for the following events:
+                  "cycles:u", "instructions:u", "cpu-clock:u" using
+                  --> perf_do_probe_api
+                      --> perf_event_open_cloexec
+                          Test the close on exec flag support with
+                          perf_event_open(2).
+                      perf_do_probe_api returns true if the event is
+                      supported.
+                      The function returns true because event cpu-clock is
+                      supported by the PMU cpu_clock.
+                      This is achieved by many calls to perf_event_open(2).
+
+Function perf_top__start_counters now calls perf_evsel__open() for every
+event, which is the default event cpu_cycles (config:0) and type HARDWARE
+(type:0) which a predfined frequence of 4000.
+
+Given the above order of the PMU list, the PMU cpum_cf gets called first
+and returns 0, which indicates support for this sampling. The event is
+fully allocated in the function perf_event_open (file kernel/event/core.c
+near line 10521 and the following check fails:
+
+        event = perf_event_alloc(&attr, cpu, task, group_leader, NULL,
+                                NULL, NULL, cgroup_fd);
+       if (IS_ERR(event)) {
+               err = PTR_ERR(event);
+               goto err_cred;
+       }
+
+        if (is_sampling_event(event)) {
+               if (event->pmu->capabilities & PERF_PMU_CAP_NO_INTERRUPT) {
+                       err = -EOPNOTSUPP;
+                       goto err_alloc;
+               }
+       }
+
+The check for the interrupt capabilities fails and the system call
+perf_event_open() returns -EOPNOTSUPP (-95).
+
+Add a check to return -ENODEV when sampling is requested in PMU cpum_cf.
+This allows common kernel code in the perf_event_open() system call to
+test the next PMU in above list.
+
+Fixes: 97b1198fece0 (" "s390, perf: Use common PMU interrupt disabled code")
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_cf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/s390/kernel/perf_cpum_cf.c b/arch/s390/kernel/perf_cpum_cf.c
+index 74091fd3101e..d5523adeddbf 100644
+--- a/arch/s390/kernel/perf_cpum_cf.c
++++ b/arch/s390/kernel/perf_cpum_cf.c
+@@ -346,6 +346,8 @@ static int __hw_perf_event_init(struct perf_event *event)
+               break;
+       case PERF_TYPE_HARDWARE:
++              if (is_sampling_event(event))   /* No sampling support */
++                      return -ENOENT;
+               ev = attr->config;
+               /* Count user space (problem-state) only */
+               if (!attr->exclude_user && attr->exclude_kernel) {
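Review bot: The added check in the `PERF_TYPE_HARDWARE` case returns `-ENOENT`, but the commit description says it returns -ENODEV, and the inline comment does not say why this errno was chosen. The perf core moves on to the next PMU only when event init returns -ENOENT, so the code appears to be the correct side of the mismatch. I would spell that out in the comment, e.g. `/* No sampling support; -ENOENT lets the perf core try the next PMU */`. The other `case` arms of `__hw_perf_event_init` are outside this hunk, so it is worth confirming whether any of them also accept sampling requests.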
+-- 
+2.19.1
+
diff --git a/queue-4.19/selftests-add-script-to-stress-test-nft-packet-path-.patch b/queue-4.19/selftests-add-script-to-stress-test-nft-packet-path-.patch
new file mode 100644 (file)
index 0000000..7f8402a
--- /dev/null
@@ -0,0 +1,150 @@
+From ba327f91f72b18437f0978cf06bc21b57085f95b Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 31 Oct 2018 18:26:21 +0100
+Subject: selftests: add script to stress-test nft packet path vs. control
+ plane
+
+[ Upstream commit 25d8bcedbf4329895dbaf9dd67baa6f18dad918c ]
+
+Start flood ping for each cpu while loading/flushing rulesets to make
+sure we do not access already-free'd rules from nf_tables evaluation loop.
+
+Also add this to TARGETS so 'make run_tests' in selftest dir runs it
+automatically.
+
+This would have caught the bug fixed in previous change
+("netfilter: nf_tables: do not skip inactive chains during generation update")
+sooner.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/Makefile              |  1 +
+ tools/testing/selftests/netfilter/Makefile    |  6 ++
+ tools/testing/selftests/netfilter/config      |  2 +
+ .../selftests/netfilter/nft_trans_stress.sh   | 78 +++++++++++++++++++
+ 4 files changed, 87 insertions(+)
+ create mode 100644 tools/testing/selftests/netfilter/Makefile
+ create mode 100644 tools/testing/selftests/netfilter/config
+ create mode 100755 tools/testing/selftests/netfilter/nft_trans_stress.sh
+
+diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile
+index f1fe492c8e17..f0017c831e57 100644
+--- a/tools/testing/selftests/Makefile
++++ b/tools/testing/selftests/Makefile
+@@ -24,6 +24,7 @@ TARGETS += memory-hotplug
+ TARGETS += mount
+ TARGETS += mqueue
+ TARGETS += net
++TARGETS += netfilter
+ TARGETS += nsfs
+ TARGETS += powerpc
+ TARGETS += proc
+diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile
+new file mode 100644
+index 000000000000..47ed6cef93fb
+--- /dev/null
++++ b/tools/testing/selftests/netfilter/Makefile
+@@ -0,0 +1,6 @@
++# SPDX-License-Identifier: GPL-2.0
++# Makefile for netfilter selftests
++
++TEST_PROGS := nft_trans_stress.sh
++
++include ../lib.mk
+diff --git a/tools/testing/selftests/netfilter/config b/tools/testing/selftests/netfilter/config
+new file mode 100644
+index 000000000000..1017313e41a8
+--- /dev/null
++++ b/tools/testing/selftests/netfilter/config
+@@ -0,0 +1,2 @@
++CONFIG_NET_NS=y
++NF_TABLES_INET=y
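Review bot: The second line of the new config fragment, `NF_TABLES_INET=y`, lacks the `CONFIG_` prefix that the line above it (`CONFIG_NET_NS=y`) carries. Tooling that merges selftest config fragments matches on `CONFIG_*` symbols, so this entry is likely ignored and the test would then depend on the running kernel already having inet nf_tables support. It should read `CONFIG_NF_TABLES_INET=y`.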
+diff --git a/tools/testing/selftests/netfilter/nft_trans_stress.sh b/tools/testing/selftests/netfilter/nft_trans_stress.sh
+new file mode 100755
+index 000000000000..f1affd12c4b1
+--- /dev/null
++++ b/tools/testing/selftests/netfilter/nft_trans_stress.sh
+@@ -0,0 +1,78 @@
++#!/bin/bash
++#
++# This test is for stress-testing the nf_tables config plane path vs.
++# packet path processing: Make sure we never release rules that are
++# still visible to other cpus.
++#
++# set -e
++
++# Kselftest framework requirement - SKIP code is 4.
++ksft_skip=4
++
++testns=testns1
++tables="foo bar baz quux"
++
++nft --version > /dev/null 2>&1
++if [ $? -ne 0 ];then
++      echo "SKIP: Could not run test without nft tool"
++      exit $ksft_skip
++fi
++
++ip -Version > /dev/null 2>&1
++if [ $? -ne 0 ];then
++      echo "SKIP: Could not run test without ip tool"
++      exit $ksft_skip
++fi
++
++tmp=$(mktemp)
++
++for table in $tables; do
++      echo add table inet "$table" >> "$tmp"
++      echo flush table inet "$table" >> "$tmp"
++
++      echo "add chain inet $table INPUT { type filter hook input priority 0; }" >> "$tmp"
++      echo "add chain inet $table OUTPUT { type filter hook output priority 0; }" >> "$tmp"
++      for c in $(seq 1 400); do
++              chain=$(printf "chain%03u" "$c")
++              echo "add chain inet $table $chain" >> "$tmp"
++      done
++
++      for c in $(seq 1 400); do
++              chain=$(printf "chain%03u" "$c")
++              for BASE in INPUT OUTPUT; do
++                      echo "add rule inet $table $BASE counter jump $chain" >> "$tmp"
++              done
++              echo "add rule inet $table $chain counter return" >> "$tmp"
++      done
++done
++
++ip netns add "$testns"
++ip -netns "$testns" link set lo up
++
++lscpu | grep ^CPU\(s\): | ( read cpu cpunum ;
++cpunum=$((cpunum-1))
++for i in $(seq 0 $cpunum);do
++      mask=$(printf 0x%x $((1<<$i)))
++        ip netns exec "$testns" taskset $mask ping -4 127.0.0.1 -fq > /dev/null &
++        ip netns exec "$testns" taskset $mask ping -6 ::1 -fq > /dev/null &
++done)
++
++sleep 1
++
++for i in $(seq 1 10) ; do ip netns exec "$testns" nft -f "$tmp" & done
++
++for table in $tables;do
++      randsleep=$((RANDOM%10))
++      sleep $randsleep
++      ip netns exec "$testns" nft delete table inet $table 2>/dev/null
++done
++
++randsleep=$((RANDOM%10))
++sleep $randsleep
++
++pkill -9 ping
++
++wait
++
++rm -f "$tmp"
++ip netns del "$testns"
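Review bot: `pkill -9 ping` near the end of the script matches by process name across the whole host, so a root-run selftest also kills any unrelated `ping` on the machine, not only the flood pings it started in `$testns`. Those pings are started inside the piped subshell, so they are not children of the main shell and the later `wait` does not cover them; only the background `nft -f` jobs are waited for. One option is to move the kill after `wait` and limit it to the test namespace, e.g. `kill -9 $(ip netns pids "$testns") 2>/dev/null`. The temp file and namespace are only removed on the normal path, so `trap 'rm -f "$tmp"; ip netns del "$testns"' EXIT` placed after the namespace is created would keep an interrupted run from leaving them behind.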
+-- 
+2.19.1
+
index a7358cf325641cf17fb65d6c617596deff41f00c..ad6d624cd200a1a8195161ade36fd3a307f7b8d5 100644 (file)
@@ -19,3 +19,114 @@ net-phy-sfp-correct-store-of-detected-link-modes.patch
 sctp-update-frag_point-when-stream_interleave-is-set.patch
 net-restore-call-to-netdev_queue_numa_node_write-when-resetting-xps.patch
 net-fix-xps-static_key-accounting.patch
+arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch
+asoc-rsnd-fixup-clock-start-checker.patch
+asoc-qdsp6-q6afe-fix-wrong-mi2s-sd-line-mask.patch
+asoc-qdsp6-q6afe-dai-fix-the-dai-widgets.patch
+staging-rtl8723bs-fix-the-return-value-in-case-of-er.patch
+arm-dts-am3517-fix-pinmuxing-for-cd-on-mmc1.patch
+arm-dts-logicpd-torpedo-fix-mmc3_dat1-interrupt.patch
+arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch
+arm-dts-am3517-som-fix-wl127x-wifi-interrupt.patch
+arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch
+tools-bpftool-prevent-infinite-loop-in-get_fdinfo.patch
+asoc-sun8i-codec-fix-crash-on-module-removal.patch
+arm64-dts-sdm845-mtp-reserve-reserved-gpios.patch
+sysv-return-err-instead-of-0-in-__sysv_write_inode.patch
+netfilter-nf_conncount-use-spin_lock_bh-instead-of-s.patch
+netfilter-nf_conncount-fix-list_del-corruption-in-co.patch
+netfilter-nf_conncount-fix-unexpected-permanent-node.patch
+netfilter-nf_tables-don-t-skip-inactive-chains-durin.patch
+selftests-add-script-to-stress-test-nft-packet-path-.patch
+perf-tools-fix-crash-on-synthesizing-the-unit.patch
+netfilter-xt_rateest-remove-netns-exit-routine.patch
+netfilter-nf_tables-fix-use-after-free-when-deleting.patch
+s390-cio-fix-cleanup-of-pfn_array-alloc-failure.patch
+s390-cio-fix-cleanup-when-unsupported-ida-format-is-.patch
+hwmon-ina2xx-fix-null-id-pointer-in-probe.patch
+hwmon-raspberrypi-fix-initial-notify.patch
+asoc-rockchip-add-missing-slave_config-setting-for-i.patch
+asoc-wm_adsp-fix-dma-unsafe-read-of-scratch-register.patch
+asoc-intel-power-down-links-before-turning-off-displ.patch
+asoc-qcom-set-dai_link-id-to-each-dai_link.patch
+s390-cpum_cf-reject-request-for-sampling-in-event-in.patch
+hwmon-ina2xx-fix-current-value-calculation.patch
+asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch
+asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch
+spi-omap2-mcspi-add-missing-suspend-and-resume-calls.patch
+hwmon-mlxreg-fan-fix-macros-for-tacho-fault-reading.patch
+bpf-allocate-local-storage-buffers-using-gfp_atomic.patch
+aio-fix-failure-to-put-the-file-pointer.patch
+netfilter-xt_hashlimit-fix-a-possible-memory-leak-in.patch
+hwmon-w83795-temp4_type-has-writable-permission.patch
+perf-tools-restore-proper-cwd-on-return-from-mnt-nam.patch
+pci-imx6-fix-link-training-status-detection-in-link-.patch
+asoc-acpi-fix-continue-searching-when-machine-is-ign.patch
+objtool-fix-double-free-in-.cold-detection-error-pat.patch
+objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch
+phy-qcom-qusb2-use-hstx_trim-fused-value-as-is.patch
+phy-qcom-qusb2-fix-hstx_trim-tuning-with-fused-value.patch
+arm-dts-at91-sama5d2-use-the-divided-clock-for-smc.patch
+btrfs-send-fix-infinite-loop-due-to-directory-rename.patch
+rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch
+rdma-core-add-gids-while-changing-mac-addr-only-for-.patch
+rdma-bnxt_re-fix-system-hang-when-registration-with-.patch
+rdma-bnxt_re-avoid-accessing-the-device-structure-af.patch
+rdma-rdmavt-fix-rvt_create_ah-function-signature.patch
+tools-bpftool-fix-potential-null-pointer-dereference.patch
+asoc-omap-mcbsp-fix-latency-value-calculation-for-pm.patch
+asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch
+asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch
+exportfs-do-not-read-dentry-after-free.patch
+rdma-hns-bugfix-pbl-configuration-for-rereg-mr.patch
+bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch
+fsi-master-ast-cf-select-generic_allocator.patch
+ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch
+usb-omap_udc-use-devm_request_irq.patch
+usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch
+usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch
+usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch
+usb-omap_udc-fix-rejection-of-out-transfers-when-dma.patch
+thunderbolt-prevent-root-port-runtime-suspend-during.patch
+drm-meson-add-support-for-1080p25-mode.patch
+netfilter-ipv6-preserve-link-scope-traffic-original-.patch
+ib-mlx5-fix-page-fault-handling-for-mw.patch
+netfilter-add-missing-error-handling-code-for-regist.patch
+netfilter-nat-fix-double-register-in-masquerade-modu.patch
+netfilter-nf_conncount-remove-wrong-condition-check-.patch
+kvm-vmx-update-shared-msrs-to-be-saved-restored-on-m.patch
+kvm-x86-fix-empty-body-warnings.patch
+x86-kvm-vmx-fix-old-style-function-declaration.patch
+net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch
+usb-gadget-u_ether-fix-unsafe-list-iteration.patch
+netfilter-nf_tables-deactivate-expressions-in-rule-r.patch
+alsa-usb-audio-add-vendor-and-product-name-for-dell-.patch
+cachefiles-fix-an-assertion-failure-when-trying-to-u.patch
+fscache-fix-race-in-fscache_op_complete-due-to-split.patch
+cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch
+igb-fix-uninitialized-variables.patch
+ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch
+net-hisilicon-remove-unexpected-free_netdev.patch
+drm-amdgpu-add-delay-after-enable-rlc-ucode.patch
+drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch
+xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch
+revert-xen-balloon-mark-unallocated-host-memory-as-u.patch
+pvcalls-front-fixes-incorrect-error-handling.patch
+pstore-ram-correctly-calculate-usable-prz-bytes.patch
+afs-fix-validation-callback-interaction.patch
+fscache-fix-race-between-enablement-and-dropping-of-.patch
+cachefiles-explicitly-cast-enumerated-type-in-put_ob.patch
+fscache-cachefiles-remove-redundant-variable-cache.patch
+nvme-warn-when-finding-multi-port-subsystems-without.patch
+nvme-flush-namespace-scanning-work-just-before-remov.patch
+nvme-rdma-fix-double-freeing-of-async-event-data.patch
+acpi-iort-fix-iort_get_platform_device_domain-uninit.patch
+ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch
+mm-page_alloc.c-fix-calculation-of-pgdat-nr_zones.patch
+hfs-do-not-free-node-before-using.patch
+hfsplus-do-not-free-node-before-using.patch
+debugobjects-avoid-recursive-calls-with-kmemleak.patch
+proc-fixup-map_files-test-on-arm.patch
+kernel-kcov.c-mark-funcs-in-__sanitizer_cov_trace_pc.patch
+initramfs-clean-old-path-before-creating-a-hardlink.patch
+ocfs2-fix-potential-use-after-free.patch
diff --git a/queue-4.19/spi-omap2-mcspi-add-missing-suspend-and-resume-calls.patch b/queue-4.19/spi-omap2-mcspi-add-missing-suspend-and-resume-calls.patch
new file mode 100644 (file)
index 0000000..f154a8f
--- /dev/null
@@ -0,0 +1,87 @@
+From a7aeaa076969e02d6a2791c8f6ee3fad6e5720c3 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Thu, 15 Nov 2018 15:59:39 -0800
+Subject: spi: omap2-mcspi: Add missing suspend and resume calls
+
+[ Upstream commit 91b9deefedf4c35a01027ce38bed7299605026a3 ]
+
+I've been wondering still about omap2-mcspi related suspend and resume
+flakeyness and looks like we're missing calls to spi_master_suspend()
+and spi_master_resume(). Adding those and using pm_runtime_force_suspend()
+and pm_runtime_force_resume() makes things work for suspend and resume
+and allows us to stop using noirq suspend and resume.
+
+And while at it, let's use SET_SYSTEM_SLEEP_PM_OPS to simplify things
+further.
+
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-omap2-mcspi.c | 37 +++++++++++++++++++++++------------
+ 1 file changed, 25 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c
+index 508c61c669e7..e2be7da74343 100644
+--- a/drivers/spi/spi-omap2-mcspi.c
++++ b/drivers/spi/spi-omap2-mcspi.c
+@@ -1455,13 +1455,26 @@ static int omap2_mcspi_remove(struct platform_device *pdev)
+ /* work with hotplug and coldplug */
+ MODULE_ALIAS("platform:omap2_mcspi");
+-#ifdef        CONFIG_SUSPEND
+-static int omap2_mcspi_suspend_noirq(struct device *dev)
++static int __maybe_unused omap2_mcspi_suspend(struct device *dev)
+ {
+-      return pinctrl_pm_select_sleep_state(dev);
++      struct spi_master *master = dev_get_drvdata(dev);
++      struct omap2_mcspi *mcspi = spi_master_get_devdata(master);
++      int error;
++
++      error = pinctrl_pm_select_sleep_state(dev);
++      if (error)
++              dev_warn(mcspi->dev, "%s: failed to set pins: %i\n",
++                       __func__, error);
++
++      error = spi_master_suspend(master);
++      if (error)
++              dev_warn(mcspi->dev, "%s: master suspend failed: %i\n",
++                       __func__, error);
++
++      return pm_runtime_force_suspend(dev);
+ }
+-static int omap2_mcspi_resume_noirq(struct device *dev)
++static int __maybe_unused omap2_mcspi_resume(struct device *dev)
+ {
+       struct spi_master *master = dev_get_drvdata(dev);
+       struct omap2_mcspi *mcspi = spi_master_get_devdata(master);
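Review bot: In the new `omap2_mcspi_suspend()` a failure of `spi_master_suspend()` is only logged, and the function still goes on to `pm_runtime_force_suspend()`. If the message queue could not be stopped, the controller may be powered down with a transfer still pending, and the PM core is told that suspend succeeded. The pins are also switched to their sleep state before the queue is stopped. I would stop the queue first and return its error, as sketched below; whether the pin switch can safely move after the queue stop needs confirming on hardware.

```c
static int __maybe_unused omap2_mcspi_suspend(struct device *dev)
{
	/* … unchanged: master, mcspi and error declarations … */

	/* Stop the message queue before touching pins or clocks. */
	error = spi_master_suspend(master);
	if (error) {
		dev_warn(mcspi->dev, "%s: master suspend failed: %i\n",
			 __func__, error);
		return error;
	}

	/* … unchanged: pinctrl_pm_select_sleep_state() call and its warning … */

	return pm_runtime_force_suspend(dev);
}
```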
+@@ -1472,17 +1485,17 @@ static int omap2_mcspi_resume_noirq(struct device *dev)
+               dev_warn(mcspi->dev, "%s: failed to set pins: %i\n",
+                        __func__, error);
+-      return 0;
+-}
++      error = spi_master_resume(master);
++      if (error)
++              dev_warn(mcspi->dev, "%s: master resume failed: %i\n",
++                       __func__, error);
+-#else
+-#define omap2_mcspi_suspend_noirq     NULL
+-#define omap2_mcspi_resume_noirq      NULL
+-#endif
++      return pm_runtime_force_resume(dev);
++}
+ static const struct dev_pm_ops omap2_mcspi_pm_ops = {
+-      .suspend_noirq = omap2_mcspi_suspend_noirq,
+-      .resume_noirq = omap2_mcspi_resume_noirq,
++      SET_SYSTEM_SLEEP_PM_OPS(omap2_mcspi_suspend,
++                              omap2_mcspi_resume)
+       .runtime_resume = omap_mcspi_runtime_resume,
+ };
+-- 
+2.19.1
+
diff --git a/queue-4.19/staging-rtl8723bs-fix-the-return-value-in-case-of-er.patch b/queue-4.19/staging-rtl8723bs-fix-the-return-value-in-case-of-er.patch
new file mode 100644 (file)
index 0000000..2c4f196
--- /dev/null
@@ -0,0 +1,37 @@
+From 8352931fe187a9c48862022580aae2727c92035d Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Wed, 17 Oct 2018 10:15:34 +0200
+Subject: staging: rtl8723bs: Fix the return value in case of error in
+ 'rtw_wx_read32()'
+
+[ Upstream commit c3e43d8b958bd6849817393483e805d8638a8ab7 ]
+
+We return 0 unconditionally in 'rtw_wx_read32()'.
+However, 'ret' is set to some error codes in several error handling paths.
+
+Return 'ret' instead to propagate the error code.
+
+Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+index c38298d960ff..4f120e72c7d2 100644
+--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
++++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+@@ -2289,7 +2289,7 @@ static int rtw_wx_read32(struct net_device *dev,
+ exit:
+       kfree(ptmp);
+-      return 0;
++      return ret;
+ }
+ static int rtw_wx_write32(struct net_device *dev,
+-- 
+2.19.1
+
diff --git a/queue-4.19/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch b/queue-4.19/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch
new file mode 100644 (file)
index 0000000..89e35ab
--- /dev/null
@@ -0,0 +1,39 @@
+From c0e4de751f2add4158d7a35cffaef265346e2c58 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Sat, 10 Nov 2018 04:13:24 +0000
+Subject: sysv: return 'err' instead of 0 in __sysv_write_inode
+
+[ Upstream commit c4b7d1ba7d263b74bb72e9325262a67139605cde ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+fs/sysv/inode.c: In function '__sysv_write_inode':
+fs/sysv/inode.c:239:6: warning:
+ variable 'err' set but not used [-Wunused-but-set-variable]
+
+__sysv_write_inode should return 'err' instead of 0
+
+Fixes: 05459ca81ac3 ("repair sysv_write_inode(), switch sysv to simple_fsync()")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/sysv/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/sysv/inode.c b/fs/sysv/inode.c
+index 499a20a5a010..273736f41be3 100644
+--- a/fs/sysv/inode.c
++++ b/fs/sysv/inode.c
+@@ -275,7 +275,7 @@ static int __sysv_write_inode(struct inode *inode, int wait)
+                 }
+         }
+       brelse(bh);
+-      return 0;
++      return err;
+ }
+ int sysv_write_inode(struct inode *inode, struct writeback_control *wbc)
+-- 
+2.19.1
+
diff --git a/queue-4.19/thunderbolt-prevent-root-port-runtime-suspend-during.patch b/queue-4.19/thunderbolt-prevent-root-port-runtime-suspend-during.patch
new file mode 100644 (file)
index 0000000..90d3268
--- /dev/null
@@ -0,0 +1,94 @@
+From a8f22d0b719727b629a2d998f33d074b81a77d02 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Mon, 26 Nov 2018 12:47:46 +0300
+Subject: thunderbolt: Prevent root port runtime suspend during NVM upgrade
+
+[ Upstream commit 1830b6eeda1fed42d85f2388f79c926331a9b2d0 ]
+
+During NVM upgrade process the host router is hot-removed for a short
+while. During this time it is possible that the root port is moved into
+D3cold which would be fine if the root port could trigger PME on itself.
+However, many systems actually do not implement it so what happens is
+that the root port goes into D3cold and never wakes up unless userspace
+does PCI config space access, such as running 'lscpi'.
+
+For this reason we explicitly prevent the root port from runtime
+suspending during NVM upgrade.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thunderbolt/switch.c | 40 ++++++++++++++++++++++++++++++++++--
+ 1 file changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/thunderbolt/switch.c b/drivers/thunderbolt/switch.c
+index 7442bc4c6433..dd9ae6f5d19c 100644
+--- a/drivers/thunderbolt/switch.c
++++ b/drivers/thunderbolt/switch.c
+@@ -864,6 +864,30 @@ static ssize_t key_store(struct device *dev, struct device_attribute *attr,
+ }
+ static DEVICE_ATTR(key, 0600, key_show, key_store);
++static void nvm_authenticate_start(struct tb_switch *sw)
++{
++      struct pci_dev *root_port;
++
++      /*
++       * During host router NVM upgrade we should not allow root port to
++       * go into D3cold because some root ports cannot trigger PME
++       * itself. To be on the safe side keep the root port in D0 during
++       * the whole upgrade process.
++       */
++      root_port = pci_find_pcie_root_port(sw->tb->nhi->pdev);
++      if (root_port)
++              pm_runtime_get_noresume(&root_port->dev);
++}
++
++static void nvm_authenticate_complete(struct tb_switch *sw)
++{
++      struct pci_dev *root_port;
++
++      root_port = pci_find_pcie_root_port(sw->tb->nhi->pdev);
++      if (root_port)
++              pm_runtime_put(&root_port->dev);
++}
++
+ static ssize_t nvm_authenticate_show(struct device *dev,
+       struct device_attribute *attr, char *buf)
+ {
+@@ -913,10 +937,18 @@ static ssize_t nvm_authenticate_store(struct device *dev,
+               sw->nvm->authenticating = true;
+-              if (!tb_route(sw))
++              if (!tb_route(sw)) {
++                      /*
++                       * Keep root port from suspending as long as the
++                       * NVM upgrade process is running.
++                       */
++                      nvm_authenticate_start(sw);
+                       ret = nvm_authenticate_host(sw);
+-              else
++                      if (ret)
++                              nvm_authenticate_complete(sw);
++              } else {
+                       ret = nvm_authenticate_device(sw);
++              }
+               pm_runtime_mark_last_busy(&sw->dev);
+               pm_runtime_put_autosuspend(&sw->dev);
+       }
+@@ -1336,6 +1368,10 @@ static int tb_switch_add_dma_port(struct tb_switch *sw)
+       if (ret <= 0)
+               return ret;
++      /* Now we can allow root port to suspend again */
++      if (!tb_route(sw))
++              nvm_authenticate_complete(sw);
++
+       if (status) {
+               tb_sw_info(sw, "switch flash authentication failed\n");
+               tb_switch_set_uuid(sw);
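Review bot: The `nvm_authenticate_complete(sw)` call added in `tb_switch_add_dma_port()` drops a root-port runtime-PM reference whenever the host router reports a completed authentication, without checking that this driver instance took the reference in `nvm_authenticate_start()`. If a status can be observed without a matching start (for instance after a driver reload; not verifiable from the hunk), the root port's usage count would be decremented once too often. The early `if (ret <= 0) return ret;` above it also skips the put, which would leave the root port pinned in D0 after a failed status read. I would record in the switch's NVM state that the reference is held and only call complete when that is set. The pairing also deserves a comment on the helper, e.g. `/* Pairs with nvm_authenticate_start(); call exactly once per start. */`. Both callers extend outside the hunks shown.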
+-- 
+2.19.1
+
diff --git a/queue-4.19/tools-bpftool-fix-potential-null-pointer-dereference.patch b/queue-4.19/tools-bpftool-fix-potential-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..c6085a6
--- /dev/null
@@ -0,0 +1,71 @@
+From 32ddf804a888faa0b294a85542ec3dc6a2e127a7 Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+Date: Wed, 21 Nov 2018 13:53:17 -0800
+Subject: tools: bpftool: fix potential NULL pointer dereference in do_load
+
+[ Upstream commit dde7011a824cfa815b03f853ec985ff46b740939 ]
+
+This patch fixes a possible null pointer dereference in
+do_load, detected by the semantic patch deref_null.cocci,
+with the following warning:
+
+./tools/bpf/bpftool/prog.c:1021:23-25: ERROR: map_replace is NULL but dereferenced.
+
+The following code has potential null pointer references:
+881             map_replace = reallocarray(map_replace, old_map_fds + 1,
+882                                        sizeof(*map_replace));
+883             if (!map_replace) {
+884                     p_err("mem alloc failed");
+885                     goto err_free_reuse_maps;
+886             }
+
+...
+1019 err_free_reuse_maps:
+1020         for (i = 0; i < old_map_fds; i++)
+1021                 close(map_replace[i].fd);
+1022         free(map_replace);
+
+Fixes: 3ff5a4dc5d89 ("tools: bpftool: allow reuse of maps with bpftool prog load")
+Co-developed-by: Wen Yang <wen.yang99@zte.com.cn>
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/prog.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
+index dce960d22106..0de024a6cc2b 100644
+--- a/tools/bpf/bpftool/prog.c
++++ b/tools/bpf/bpftool/prog.c
+@@ -749,6 +749,7 @@ static int do_load(int argc, char **argv)
+                       }
+                       NEXT_ARG();
+               } else if (is_prefix(*argv, "map")) {
++                      void *new_map_replace;
+                       char *endptr, *name;
+                       int fd;
+@@ -782,12 +783,15 @@ static int do_load(int argc, char **argv)
+                       if (fd < 0)
+                               goto err_free_reuse_maps;
+-                      map_replace = reallocarray(map_replace, old_map_fds + 1,
+-                                                 sizeof(*map_replace));
+-                      if (!map_replace) {
++                      new_map_replace = reallocarray(map_replace,
++                                                     old_map_fds + 1,
++                                                     sizeof(*map_replace));
++                      if (!new_map_replace) {
+                               p_err("mem alloc failed");
+                               goto err_free_reuse_maps;
+                       }
++                      map_replace = new_map_replace;
++
+                       map_replace[old_map_fds].idx = idx;
+                       map_replace[old_map_fds].name = name;
+                       map_replace[old_map_fds].fd = fd;
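Review bot: On the new `if (!new_map_replace)` failure path, the descriptor just obtained in `fd` has not yet been stored in `map_replace[old_map_fds]`. Going by the error label quoted in the commit message, `err_free_reuse_maps` only closes entries below `old_map_fds`, so that descriptor would be leaked. Adding `close(fd);` before the `goto err_free_reuse_maps;` in that branch would cover it. Separately, `new_map_replace` could be declared with the same pointer type as `map_replace` rather than `void *`, which keeps the assignment type-checked. The rest of `do_load` is outside the hunk.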
+-- 
+2.19.1
+
diff --git a/queue-4.19/tools-bpftool-prevent-infinite-loop-in-get_fdinfo.patch b/queue-4.19/tools-bpftool-prevent-infinite-loop-in-get_fdinfo.patch
new file mode 100644 (file)
index 0000000..02925a1
--- /dev/null
@@ -0,0 +1,39 @@
+From e3eb747cc1fae15b65e871487d91165daa139b21 Mon Sep 17 00:00:00 2001
+From: Quentin Monnet <quentin.monnet@netronome.com>
+Date: Thu, 8 Nov 2018 11:52:25 +0000
+Subject: tools: bpftool: prevent infinite loop in get_fdinfo()
+
+[ Upstream commit 53909030aa29bffe1f8490df62176c2375135652 ]
+
+Function getline() returns -1 on failure to read a line, thus creating
+an infinite loop in get_fdinfo() if the key is not found. Fix it by
+calling the function only as long as we get a strictly positive return
+value.
+
+Found by copying the code for a key which is not always present...
+
+Fixes: 71bb428fe2c1 ("tools: bpf: add bpftool")
+Signed-off-by: Quentin Monnet <quentin.monnet@netronome.com>
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c
+index b3a0709ea7ed..fcaf00621102 100644
+--- a/tools/bpf/bpftool/common.c
++++ b/tools/bpf/bpftool/common.c
+@@ -304,7 +304,7 @@ char *get_fdinfo(int fd, const char *key)
+               return NULL;
+       }
+-      while ((n = getline(&line, &line_n, fdi))) {
++      while ((n = getline(&line, &line_n, fdi)) > 0) {
+               char *value;
+               int len;
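Review bot: The new loop condition `(n = getline(&line, &line_n, fdi)) > 0` only stops on getline()'s -1 return if `n` has a signed type. Its declaration is outside this hunk, so please confirm it is `ssize_t`; with `size_t`, -1 converts to a large positive value and the loop would still never end. A short comment on the loop would help the next reader, e.g. `/* getline() returns -1 on EOF or error */`.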
+-- 
+2.19.1
+
diff --git a/queue-4.19/usb-gadget-u_ether-fix-unsafe-list-iteration.patch b/queue-4.19/usb-gadget-u_ether-fix-unsafe-list-iteration.patch
new file mode 100644 (file)
index 0000000..0ba6ff9
--- /dev/null
@@ -0,0 +1,103 @@
+From 5692f4cae8d11961e3afbe716ad9b91e57f226e2 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Mon, 19 Nov 2018 16:49:05 +0100
+Subject: usb: gadget: u_ether: fix unsafe list iteration
+
+[ Upstream commit c9287fa657b3328b4549c0ab39ea7f197a3d6a50 ]
+
+list_for_each_entry_safe() is not safe for deleting entries from the
+list if the spin lock, which protects it, is released and reacquired during
+the list iteration. Fix this issue by replacing this construction with
+a simple check if list is empty and removing the first entry in each
+iteration. This is almost equivalent to a revert of the commit mentioned in
+the Fixes: tag.
+
+This patch fixes following issue:
+--->8---
+Unable to handle kernel NULL pointer dereference at virtual address 00000104
+pgd = (ptrval)
+[00000104] *pgd=00000000
+Internal error: Oops: 817 [#1] PREEMPT SMP ARM
+Modules linked in:
+CPU: 1 PID: 84 Comm: kworker/1:1 Not tainted 4.20.0-rc2-next-20181114-00009-g8266b35ec404 #1061
+Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
+Workqueue: events eth_work
+PC is at rx_fill+0x60/0xac
+LR is at _raw_spin_lock_irqsave+0x50/0x5c
+pc : [<c065fee0>]    lr : [<c0a056b8>]    psr: 80000093
+sp : ee7fbee8  ip : 00000100  fp : 00000000
+r10: 006000c0  r9 : c10b0ab0  r8 : ee7eb5c0
+r7 : ee7eb614  r6 : ee7eb5ec  r5 : 000000dc  r4 : ee12ac00
+r3 : ee12ac24  r2 : 00000200  r1 : 60000013  r0 : ee7eb5ec
+Flags: Nzcv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment none
+Control: 10c5387d  Table: 6d5dc04a  DAC: 00000051
+Process kworker/1:1 (pid: 84, stack limit = 0x(ptrval))
+Stack: (0xee7fbee8 to 0xee7fc000)
+...
+[<c065fee0>] (rx_fill) from [<c0143b7c>] (process_one_work+0x200/0x738)
+[<c0143b7c>] (process_one_work) from [<c0144118>] (worker_thread+0x2c/0x4c8)
+[<c0144118>] (worker_thread) from [<c014a8a4>] (kthread+0x128/0x164)
+[<c014a8a4>] (kthread) from [<c01010b4>] (ret_from_fork+0x14/0x20)
+Exception stack(0xee7fbfb0 to 0xee7fbff8)
+...
+---[ end trace 64480bc835eba7d6 ]---
+
+Fixes: fea14e68ff5e ("usb: gadget: u_ether: use better list accessors")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/u_ether.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
+index 1000d864929c..0f026d445e31 100644
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -401,12 +401,12 @@ static int alloc_requests(struct eth_dev *dev, struct gether *link, unsigned n)
+ static void rx_fill(struct eth_dev *dev, gfp_t gfp_flags)
+ {
+       struct usb_request      *req;
+-      struct usb_request      *tmp;
+       unsigned long           flags;
+       /* fill unused rxq slots with some skb */
+       spin_lock_irqsave(&dev->req_lock, flags);
+-      list_for_each_entry_safe(req, tmp, &dev->rx_reqs, list) {
++      while (!list_empty(&dev->rx_reqs)) {
++              req = list_first_entry(&dev->rx_reqs, struct usb_request, list);
+               list_del_init(&req->list);
+               spin_unlock_irqrestore(&dev->req_lock, flags);
+@@ -1125,7 +1125,6 @@ void gether_disconnect(struct gether *link)
+ {
+       struct eth_dev          *dev = link->ioport;
+       struct usb_request      *req;
+-      struct usb_request      *tmp;
+       WARN_ON(!dev);
+       if (!dev)
+@@ -1142,7 +1141,8 @@ void gether_disconnect(struct gether *link)
+        */
+       usb_ep_disable(link->in_ep);
+       spin_lock(&dev->req_lock);
+-      list_for_each_entry_safe(req, tmp, &dev->tx_reqs, list) {
++      while (!list_empty(&dev->tx_reqs)) {
++              req = list_first_entry(&dev->tx_reqs, struct usb_request, list);
+               list_del(&req->list);
+               spin_unlock(&dev->req_lock);
+@@ -1154,7 +1154,8 @@ void gether_disconnect(struct gether *link)
+       usb_ep_disable(link->out_ep);
+       spin_lock(&dev->req_lock);
+-      list_for_each_entry_safe(req, tmp, &dev->rx_reqs, list) {
++      while (!list_empty(&dev->rx_reqs)) {
++              req = list_first_entry(&dev->rx_reqs, struct usb_request, list);
+               list_del(&req->list);
+               spin_unlock(&dev->req_lock);
+-- 
+2.19.1
+
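Review bot: Nothing in the three rewritten loops (the one in rx_fill() and both in gether_disconnect()) says why the open-coded `while (!list_empty(...))` form is used, and the commit message shows the `_safe` iterator came in through an earlier accessor cleanup. A comment above each loop, such as `/* req_lock is dropped in the loop body, so take the first entry each pass rather than using list_for_each_entry_safe() */`, would keep a later cleanup from reintroducing the stale next-pointer walk. Each loop now terminates only if the body never puts the removed request back on the same list before the next pass. The loop bodies continue outside the hunks, so that needs checking against the full functions.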
diff --git a/queue-4.19/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch b/queue-4.19/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch
new file mode 100644 (file)
index 0000000..5cf20db
--- /dev/null
@@ -0,0 +1,114 @@
+From 910ee6c9c9fd49a19036d3f7e5aa8950de3d9265 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 25 Nov 2018 00:17:05 +0200
+Subject: USB: omap_udc: fix crashes on probe error and module removal
+
+[ Upstream commit 99f700366fcea1aa2fa3c49c99f371670c3c62f8 ]
+
+We currently crash if usb_add_gadget_udc_release() fails, since the
+udc->done is not initialized until in the remove function.
+Furthermore, on module removal the udc data is accessed although
+the release function is already triggered by usb_del_gadget_udc()
+early in the function.
+
+Fix by rewriting the release and remove functions, basically moving
+all the cleanup into the release function, and doing the completion
+only in the module removal case.
+
+The patch fixes omap_udc module probe with a failing gadged, and also
+allows the removal of omap_udc. Tested by running "modprobe omap_udc;
+modprobe -r omap_udc" in a loop.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/omap_udc.c | 50 ++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index 1c77218c82af..240ccba44592 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2593,9 +2593,22 @@ omap_ep_setup(char *name, u8 addr, u8 type,
+ static void omap_udc_release(struct device *dev)
+ {
+-      complete(udc->done);
++      pullup_disable(udc);
++      if (!IS_ERR_OR_NULL(udc->transceiver)) {
++              usb_put_phy(udc->transceiver);
++              udc->transceiver = NULL;
++      }
++      omap_writew(0, UDC_SYSCON1);
++      remove_proc_file();
++      if (udc->dc_clk) {
++              if (udc->clk_requested)
++                      omap_udc_enable_clock(0);
++              clk_put(udc->hhc_clk);
++              clk_put(udc->dc_clk);
++      }
++      if (udc->done)
++              complete(udc->done);
+       kfree(udc);
+-      udc = NULL;
+ }
+ static int
+@@ -2900,12 +2913,8 @@ static int omap_udc_probe(struct platform_device *pdev)
+       }
+       create_proc_file();
+-      status = usb_add_gadget_udc_release(&pdev->dev, &udc->gadget,
+-                      omap_udc_release);
+-      if (!status)
+-              return 0;
+-
+-      remove_proc_file();
++      return usb_add_gadget_udc_release(&pdev->dev, &udc->gadget,
++                                        omap_udc_release);
+ cleanup1:
+       kfree(udc);
+@@ -2932,36 +2941,15 @@ static int omap_udc_remove(struct platform_device *pdev)
+ {
+       DECLARE_COMPLETION_ONSTACK(done);
+-      if (!udc)
+-              return -ENODEV;
+-
+-      usb_del_gadget_udc(&udc->gadget);
+-      if (udc->driver)
+-              return -EBUSY;
+-
+       udc->done = &done;
+-      pullup_disable(udc);
+-      if (!IS_ERR_OR_NULL(udc->transceiver)) {
+-              usb_put_phy(udc->transceiver);
+-              udc->transceiver = NULL;
+-      }
+-      omap_writew(0, UDC_SYSCON1);
+-
+-      remove_proc_file();
++      usb_del_gadget_udc(&udc->gadget);
+-      if (udc->dc_clk) {
+-              if (udc->clk_requested)
+-                      omap_udc_enable_clock(0);
+-              clk_put(udc->hhc_clk);
+-              clk_put(udc->dc_clk);
+-      }
++      wait_for_completion(&done);
+       release_mem_region(pdev->resource[0].start,
+                       pdev->resource[0].end - pdev->resource[0].start + 1);
+-      wait_for_completion(&done);
+-
+       return 0;
+ }
+-- 
+2.19.1
+
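Review bot: omap_udc_release() now ends with `kfree(udc);` and no longer clears the pointer, so `udc` is left dangling once the gadget device is released. It looks like a file-scope pointer, since neither function declares it. omap_udc_remove() also lost its `if (!udc)` guard and writes `udc->done` on entry. Keeping `udc = NULL;` after the `kfree(udc);` would make any stale use fault on NULL instead of touching freed memory. In omap_udc_probe() the direct `return usb_add_gadget_udc_release(...)` skips everything after `cleanup1`, and the rest of that error path is outside the hunk, so it is not visible whether release_mem_region() still runs when registration fails.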
diff --git a/queue-4.19/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch b/queue-4.19/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch
new file mode 100644 (file)
index 0000000..ac1e799
--- /dev/null
@@ -0,0 +1,41 @@
+From 7550fda6f46ccec179ca323d0a38f53ae73c3a9e Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 25 Nov 2018 00:17:06 +0200
+Subject: USB: omap_udc: fix omap_udc_start() on 15xx machines
+
+[ Upstream commit 6ca6695f576b8453fe68865e84d25946d63b10ad ]
+
+On OMAP 15xx machines there are no transceivers, and omap_udc_start()
+always fails as it forgot to adjust the default return value.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/omap_udc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index 240ccba44592..33250e569af8 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2041,7 +2041,7 @@ static inline int machine_without_vbus_sense(void)
+ static int omap_udc_start(struct usb_gadget *g,
+               struct usb_gadget_driver *driver)
+ {
+-      int             status = -ENODEV;
++      int             status;
+       struct omap_ep  *ep;
+       unsigned long   flags;
+@@ -2079,6 +2079,7 @@ static int omap_udc_start(struct usb_gadget *g,
+                       goto done;
+               }
+       } else {
++              status = 0;
+               if (can_pullup(udc))
+                       pullup_enable(udc);
+               else
+-- 
+2.19.1
+
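Review bot: Dropping the initializer from `int status;` leaves `status` indeterminate on any path that reaches the function's return without assigning it, and the hunks show only the new `status = 0;` in the `else` branch. Initializing at the declaration, `int status = 0;`, fixes the no-transceiver case just as well and removes the need for the extra assignment. omap_udc_start() continues outside both hunks, so the remaining paths to the `done` label should be checked either way.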
diff --git a/queue-4.19/usb-omap_udc-fix-rejection-of-out-transfers-when-dma.patch b/queue-4.19/usb-omap_udc-fix-rejection-of-out-transfers-when-dma.patch
new file mode 100644 (file)
index 0000000..e78a9b2
--- /dev/null
@@ -0,0 +1,35 @@
+From 5b81c8678c8ee48c52de58e85ecb313212f682e0 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 25 Nov 2018 00:17:08 +0200
+Subject: USB: omap_udc: fix rejection of out transfers when DMA is used
+
+[ Upstream commit 069caf5950dfa75d0526cd89c439ff9d9d3136d8 ]
+
+Commit 387f869d2579 ("usb: gadget: u_ether: conditionally align
+transfer size") started aligning transfer size only if requested,
+breaking omap_udc DMA mode. Set quirk_ep_out_aligned_size to restore
+the old behaviour.
+
+Fixes: 387f869d2579 ("usb: gadget: u_ether: conditionally align transfer size")
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/omap_udc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index 9b23e04c8f02..fcf13ef33b31 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2642,6 +2642,7 @@ omap_udc_setup(struct platform_device *odev, struct usb_phy *xceiv)
+       udc->gadget.speed = USB_SPEED_UNKNOWN;
+       udc->gadget.max_speed = USB_SPEED_FULL;
+       udc->gadget.name = driver_name;
++      udc->gadget.quirk_ep_out_aligned_size = 1;
+       udc->transceiver = xceiv;
+       /* ep0 is special; put it right after the SETUP buffer */
+-- 
+2.19.1
+
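Review bot: The new `udc->gadget.quirk_ep_out_aligned_size = 1;` line has no comment, and the reason for it appears only in the commit message: OUT transfers are rejected in DMA mode unless the transfer size is aligned. I would add `/* DMA mode rejects OUT transfers whose size is not aligned */` above the assignment, so the quirk is not dropped as unexplained in a later cleanup. omap_udc_setup() starts and ends outside the hunk.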
diff --git a/queue-4.19/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch b/queue-4.19/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch
new file mode 100644 (file)
index 0000000..340a672
--- /dev/null
@@ -0,0 +1,32 @@
+From 112aaf8d7a186deccdf8256ab2dd7caf199a6cef Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 25 Nov 2018 00:17:07 +0200
+Subject: USB: omap_udc: fix USB gadget functionality on Palm Tungsten E
+
+[ Upstream commit 2c2322fbcab8102b8cadc09d66714700a2da42c2 ]
+
+On Palm TE nothing happens when you try to use gadget drivers and plug
+the USB cable. Fix by adding the board to the vbus sense quirk list.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/omap_udc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index 33250e569af8..9b23e04c8f02 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2033,6 +2033,7 @@ static inline int machine_without_vbus_sense(void)
+ {
+       return machine_is_omap_innovator()
+               || machine_is_omap_osk()
++              || machine_is_omap_palmte()
+               || machine_is_sx1()
+               /* No known omap7xx boards with vbus sense */
+               || cpu_is_omap7xx();
+-- 
+2.19.1
+
diff --git a/queue-4.19/usb-omap_udc-use-devm_request_irq.patch b/queue-4.19/usb-omap_udc-use-devm_request_irq.patch
new file mode 100644 (file)
index 0000000..df0f3c1
--- /dev/null
@@ -0,0 +1,102 @@
+From 71fb97ad5d3b64b08f25517cdb01963fd69989dc Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 25 Nov 2018 00:17:04 +0200
+Subject: USB: omap_udc: use devm_request_irq()
+
+[ Upstream commit 286afdde1640d8ea8916a0f05e811441fbbf4b9d ]
+
+The current code fails to release the third irq on the error path
+(observed by reading the code), and we get also multiple WARNs with
+failing gadget drivers due to duplicate IRQ releases. Fix by using
+devm_request_irq().
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/omap_udc.c | 37 +++++++++----------------------
+ 1 file changed, 10 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index 3a16431da321..1c77218c82af 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2867,8 +2867,8 @@ static int omap_udc_probe(struct platform_device *pdev)
+               udc->clr_halt = UDC_RESET_EP;
+       /* USB general purpose IRQ:  ep0, state changes, dma, etc */
+-      status = request_irq(pdev->resource[1].start, omap_udc_irq,
+-                      0, driver_name, udc);
++      status = devm_request_irq(&pdev->dev, pdev->resource[1].start,
++                                omap_udc_irq, 0, driver_name, udc);
+       if (status != 0) {
+               ERR("can't get irq %d, err %d\n",
+                       (int) pdev->resource[1].start, status);
+@@ -2876,20 +2876,20 @@ static int omap_udc_probe(struct platform_device *pdev)
+       }
+       /* USB "non-iso" IRQ (PIO for all but ep0) */
+-      status = request_irq(pdev->resource[2].start, omap_udc_pio_irq,
+-                      0, "omap_udc pio", udc);
++      status = devm_request_irq(&pdev->dev, pdev->resource[2].start,
++                                omap_udc_pio_irq, 0, "omap_udc pio", udc);
+       if (status != 0) {
+               ERR("can't get irq %d, err %d\n",
+                       (int) pdev->resource[2].start, status);
+-              goto cleanup2;
++              goto cleanup1;
+       }
+ #ifdef        USE_ISO
+-      status = request_irq(pdev->resource[3].start, omap_udc_iso_irq,
+-                      0, "omap_udc iso", udc);
++      status = devm_request_irq(&pdev->dev, pdev->resource[3].start,
++                                omap_udc_iso_irq, 0, "omap_udc iso", udc);
+       if (status != 0) {
+               ERR("can't get irq %d, err %d\n",
+                       (int) pdev->resource[3].start, status);
+-              goto cleanup3;
++              goto cleanup1;
+       }
+ #endif
+       if (cpu_is_omap16xx() || cpu_is_omap7xx()) {
+@@ -2902,22 +2902,11 @@ static int omap_udc_probe(struct platform_device *pdev)
+       create_proc_file();
+       status = usb_add_gadget_udc_release(&pdev->dev, &udc->gadget,
+                       omap_udc_release);
+-      if (status)
+-              goto cleanup4;
+-
+-      return 0;
++      if (!status)
++              return 0;
+-cleanup4:
+       remove_proc_file();
+-#ifdef        USE_ISO
+-cleanup3:
+-      free_irq(pdev->resource[2].start, udc);
+-#endif
+-
+-cleanup2:
+-      free_irq(pdev->resource[1].start, udc);
+-
+ cleanup1:
+       kfree(udc);
+       udc = NULL;
+@@ -2961,12 +2950,6 @@ static int omap_udc_remove(struct platform_device *pdev)
+       remove_proc_file();
+-#ifdef        USE_ISO
+-      free_irq(pdev->resource[3].start, udc);
+-#endif
+-      free_irq(pdev->resource[2].start, udc);
+-      free_irq(pdev->resource[1].start, udc);
+-
+       if (udc->dc_clk) {
+               if (udc->clk_requested)
+                       omap_udc_enable_clock(0);
+-- 
+2.19.1
+
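Review bot: With `devm_request_irq()` the handlers stay registered until devres teardown, which runs only after probe has returned its error. The `cleanup1` path still does `kfree(udc)` while `udc` is the dev_id given to every handler, so an interrupt arriving in that window would hand the handler a freed pointer. The same ordering question applies to omap_udc_remove() now that its `free_irq()` calls are gone, depending on where `udc` is freed there, which the hunk does not show. Unless the controller is known to be quiesced at that point, I would release the lines that were successfully requested before the free, e.g. `devm_free_irq(&pdev->dev, pdev->resource[1].start, udc);`, or mask the device interrupts first. Both functions extend outside the hunks.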
diff --git a/queue-4.19/x86-kvm-vmx-fix-old-style-function-declaration.patch b/queue-4.19/x86-kvm-vmx-fix-old-style-function-declaration.patch
new file mode 100644 (file)
index 0000000..13ed4ed
--- /dev/null
@@ -0,0 +1,68 @@
+From 37644e22c64075b6095153c4fb45a9903dba2100 Mon Sep 17 00:00:00 2001
+From: Yi Wang <wang.yi59@zte.com.cn>
+Date: Thu, 8 Nov 2018 11:22:21 +0800
+Subject: x86/kvm/vmx: fix old-style function declaration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 1e4329ee2c52692ea42cc677fb2133519718b34a ]
+
+The inline keyword which is not at the beginning of the function
+declaration may trigger the following build warnings, so let's fix it:
+
+arch/x86/kvm/vmx.c:1309:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+arch/x86/kvm/vmx.c:5947:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+arch/x86/kvm/vmx.c:5985:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+arch/x86/kvm/vmx.c:6023:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+
+Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index b1aef90aab91..c97a9d60d305 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1285,7 +1285,7 @@ static void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked);
+ static bool nested_vmx_is_page_fault_vmexit(struct vmcs12 *vmcs12,
+                                           u16 error_code);
+ static void vmx_update_msr_bitmap(struct kvm_vcpu *vcpu);
+-static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
+                                                         u32 msr, int type);
+ static DEFINE_PER_CPU(struct vmcs *, vmxarea);
+@@ -5935,7 +5935,7 @@ static void free_vpid(int vpid)
+       spin_unlock(&vmx_vpid_lock);
+ }
+-static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
+                                                         u32 msr, int type)
+ {
+       int f = sizeof(unsigned long);
+@@ -5973,7 +5973,7 @@ static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bit
+       }
+ }
+-static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_enable_intercept_for_msr(unsigned long *msr_bitmap,
+                                                        u32 msr, int type)
+ {
+       int f = sizeof(unsigned long);
+@@ -6011,7 +6011,7 @@ static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitm
+       }
+ }
+-static void __always_inline vmx_set_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_set_intercept_for_msr(unsigned long *msr_bitmap,
+                                                     u32 msr, int type, bool value)
+ {
+       if (value)
+-- 
+2.19.1
+
diff --git a/queue-4.19/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch b/queue-4.19/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch
new file mode 100644 (file)
index 0000000..3e06335
--- /dev/null
@@ -0,0 +1,37 @@
+From 17d803b3196ba92908fa79255737b60664592c9f Mon Sep 17 00:00:00 2001
+From: Srikanth Boddepalli <boddepalli.srikanth@gmail.com>
+Date: Tue, 27 Nov 2018 19:53:27 +0530
+Subject: xen: xlate_mmu: add missing header to fix 'W=1' warning
+
+[ Upstream commit 72791ac854fea36034fa7976b748fde585008e78 ]
+
+Add a missing header otherwise compiler warns about missed prototype:
+
+drivers/xen/xlate_mmu.c:183:5: warning: no previous prototype for 'xen_xlate_unmap_gfn_range?' [-Wmissing-prototypes]
+  int xen_xlate_unmap_gfn_range(struct vm_area_struct *vma,
+      ^~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Srikanth Boddepalli <boddepalli.srikanth@gmail.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Reviewed-by: Joey Pabalinas <joeypabalinas@gmail.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/xlate_mmu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/xen/xlate_mmu.c b/drivers/xen/xlate_mmu.c
+index 23f1387b3ef7..e7df65d32c91 100644
+--- a/drivers/xen/xlate_mmu.c
++++ b/drivers/xen/xlate_mmu.c
+@@ -36,6 +36,7 @@
+ #include <asm/xen/hypervisor.h>
+ #include <xen/xen.h>
++#include <xen/xen-ops.h>
+ #include <xen/page.h>
+ #include <xen/interface/xen.h>
+ #include <xen/interface/memory.h>
+-- 
+2.19.1
+