4.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 8 Oct 2018 15:40:59 +0000 (17:40 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 8 Oct 2018 15:40:59 +0000 (17:40 +0200)
added patches:
arch-hexagon-fix-kernel-dma.c-build-warning.patch
arm64-jump_label.h-use-asm_volatile_goto-macro-instead-of-asm-goto.patch
asm-generic-io-fix-ioport_map-for-config_generic_iomap-config_indirect_pio.patch
bnxt_re-fix-couple-of-memory-leaks-that-could-lead-to-iommu-call-traces.patch
cifs-read-overflow-in-is_valid_oplock_break.patch
dm-raid-fix-raid-leg-rebuild-errors.patch
dm-raid-fix-rebuild-of-specific-devices-by-updating-superblock.patch
dm-raid-fix-reshape-race-on-small-devices.patch
dm-raid-fix-stripe-adding-reshape-deadlock.patch
dm-thin-metadata-try-to-avoid-ever-aborting-transactions.patch
drm-amdgpu-fix-error-handling-in-amdgpu_cs_user_fence_chunk.patch
drm-amdgpu-fix-sdma-hang-in-prt-mode-v2.patch
drm-nouveau-disp-fix-dp-disable-race.patch
drm-nouveau-disp-gm200-enforce-identity-mapped-sor-assignment-for-lvds-edp-panels.patch
drm-nouveau-fix-oops-in-client-init-failure-path.patch
drm-nouveau-mmu-don-t-attempt-to-dereference-vmm-without-valid-instance-pointer.patch
drm-nouveau-tbddevinit-don-t-fail-when-pmu-pre_os-is-missing-from-vbios.patch
fs-cifs-suppress-a-string-overflow-warning.patch
hexagon-modify-ffs-and-fls-to-return-int.patch
hid-add-support-for-apple-magic-keyboards.patch
hid-hid-saitek-add-device-id-for-rat-7-contagion.patch
hid-i2c-hid-don-t-reset-device-upon-system-resume.patch
hid-intel-ish-hid-enable-sunrise-point-h-ish-driver.patch
hid-sensor-hub-restore-fixup-for-lenovo-thinkpad-helix-2-sensor-hub-report.patch
iio-imu-st_lsm6dsx-take-into-account-ts-samples-in-wm-configuration.patch
net-ena-fix-device-destruction-to-gracefully-free-resources.patch
net-ena-fix-driver-when-page_size-64kb.patch
net-ena-fix-missing-calls-to-read_once.patch
net-ena-fix-missing-lock-during-device-destruction.patch
net-ena-fix-potential-double-ena_destroy_device.patch
net-ena-fix-surprise-unplug-null-dereference-kernel-crash.patch
net-mlx5-consider-pci-domain-in-search-for-next-dev.patch
netfilter-conntrack-timeout-interface-depend-on-config_nf_conntrack_timeout.patch
netfilter-kconfig-nat-related-expression-depend-on-nftables-core.patch
netfilter-nf_tables-release-chain-in-flushing-set.patch
netfilter-nfnetlink_queue-solve-the-nfqueue-conntrack-clash-for-nf_repeat.patch
netfilter-xt_checksum-ignore-gso-skbs.patch
netfilter-xt_cluster-add-dependency-on-conntrack-module.patch
netfilter-xt_hashlimit-use-s-file-instead-of-s-private.patch
nvmet-rdma-fix-possible-bogus-dereference-under-heavy-load.patch
perf-annotate-fix-parsing-aarch64-branch-instructions-after-objdump-update.patch
perf-annotate-properly-interpret-indirect-call.patch
perf-evsel-fix-potential-null-pointer-dereference-in-perf_evsel__new_idx.patch
perf-probe-powerpc-ignore-sys-symbols-irrespective-of-endianness.patch
perf-util-fix-bad-memory-access-in-trace-info.patch
perf-x86-intel-add-support-quirk-for-the-mispredict-bit-on-knights-landing-cpus.patch
pinctrl-msm-really-mask-level-interrupts-to-prevent-latching.patch
r8169-clear-rtl_flag_task_-_pending-when-clearing-rtl_flag_task_enabled.patch
r8169-set-txconfig-register-after-tx-rx-is-enabled-just-like-rxconfig.patch
rdma-ucma-check-fd-type-in-ucma_migrate_id.patch
revert-iio-temperature-maxim_thermocouple-add-max31856-part.patch
riscv-do-not-overwrite-initrd_start-and-initrd_end.patch
s390-qeth-don-t-dump-past-end-of-unknown-hw-header.patch
s390-qeth-use-vzalloc-for-query-oat-buffer.patch
sched-topology-set-correct-numa-topology-type.patch
scsi-iscsi-target-fix-conn_ops-double-free.patch
scsi-iscsi-target-set-conn-sess-to-null-when-iscsi_login_set_conn_values-fails.patch
scsi-qedi-add-the-crc-size-within-iscsi-nvm-image.patch
usb-gadget-fotg210-udc-fix-memory-leak-of-fotg210-ep.patch
usb-host-xhci-plat-iterate-over-parent-nodes-for-finding-quirks.patch
usb-yurex-check-for-truncation-in-yurex_read.patch
x86-apm-fix-build-warning-when-proc_fs-is-not-enabled.patch
xen-avoid-crash-in-disable_hotplug_cpu.patch
xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch
xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch

66 files changed:
queue-4.18/arch-hexagon-fix-kernel-dma.c-build-warning.patch [new file with mode: 0644]
queue-4.18/arm64-jump_label.h-use-asm_volatile_goto-macro-instead-of-asm-goto.patch [new file with mode: 0644]
queue-4.18/asm-generic-io-fix-ioport_map-for-config_generic_iomap-config_indirect_pio.patch [new file with mode: 0644]
queue-4.18/bnxt_re-fix-couple-of-memory-leaks-that-could-lead-to-iommu-call-traces.patch [new file with mode: 0644]
queue-4.18/cifs-read-overflow-in-is_valid_oplock_break.patch [new file with mode: 0644]
queue-4.18/dm-raid-fix-raid-leg-rebuild-errors.patch [new file with mode: 0644]
queue-4.18/dm-raid-fix-rebuild-of-specific-devices-by-updating-superblock.patch [new file with mode: 0644]
queue-4.18/dm-raid-fix-reshape-race-on-small-devices.patch [new file with mode: 0644]
queue-4.18/dm-raid-fix-stripe-adding-reshape-deadlock.patch [new file with mode: 0644]
queue-4.18/dm-thin-metadata-try-to-avoid-ever-aborting-transactions.patch [new file with mode: 0644]
queue-4.18/drm-amdgpu-fix-error-handling-in-amdgpu_cs_user_fence_chunk.patch [new file with mode: 0644]
queue-4.18/drm-amdgpu-fix-sdma-hang-in-prt-mode-v2.patch [new file with mode: 0644]
queue-4.18/drm-nouveau-disp-fix-dp-disable-race.patch [new file with mode: 0644]
queue-4.18/drm-nouveau-disp-gm200-enforce-identity-mapped-sor-assignment-for-lvds-edp-panels.patch [new file with mode: 0644]
queue-4.18/drm-nouveau-fix-oops-in-client-init-failure-path.patch [new file with mode: 0644]
queue-4.18/drm-nouveau-mmu-don-t-attempt-to-dereference-vmm-without-valid-instance-pointer.patch [new file with mode: 0644]
queue-4.18/drm-nouveau-tbddevinit-don-t-fail-when-pmu-pre_os-is-missing-from-vbios.patch [new file with mode: 0644]
queue-4.18/fs-cifs-suppress-a-string-overflow-warning.patch [new file with mode: 0644]
queue-4.18/hexagon-modify-ffs-and-fls-to-return-int.patch [new file with mode: 0644]
queue-4.18/hid-add-support-for-apple-magic-keyboards.patch [new file with mode: 0644]
queue-4.18/hid-hid-saitek-add-device-id-for-rat-7-contagion.patch [new file with mode: 0644]
queue-4.18/hid-i2c-hid-don-t-reset-device-upon-system-resume.patch [new file with mode: 0644]
queue-4.18/hid-intel-ish-hid-enable-sunrise-point-h-ish-driver.patch [new file with mode: 0644]
queue-4.18/hid-sensor-hub-restore-fixup-for-lenovo-thinkpad-helix-2-sensor-hub-report.patch [new file with mode: 0644]
queue-4.18/iio-imu-st_lsm6dsx-take-into-account-ts-samples-in-wm-configuration.patch [new file with mode: 0644]
queue-4.18/net-ena-fix-device-destruction-to-gracefully-free-resources.patch [new file with mode: 0644]
queue-4.18/net-ena-fix-driver-when-page_size-64kb.patch [new file with mode: 0644]
queue-4.18/net-ena-fix-missing-calls-to-read_once.patch [new file with mode: 0644]
queue-4.18/net-ena-fix-missing-lock-during-device-destruction.patch [new file with mode: 0644]
queue-4.18/net-ena-fix-potential-double-ena_destroy_device.patch [new file with mode: 0644]
queue-4.18/net-ena-fix-surprise-unplug-null-dereference-kernel-crash.patch [new file with mode: 0644]
queue-4.18/net-mlx5-consider-pci-domain-in-search-for-next-dev.patch [new file with mode: 0644]
queue-4.18/netfilter-conntrack-timeout-interface-depend-on-config_nf_conntrack_timeout.patch [new file with mode: 0644]
queue-4.18/netfilter-kconfig-nat-related-expression-depend-on-nftables-core.patch [new file with mode: 0644]
queue-4.18/netfilter-nf_tables-release-chain-in-flushing-set.patch [new file with mode: 0644]
queue-4.18/netfilter-nfnetlink_queue-solve-the-nfqueue-conntrack-clash-for-nf_repeat.patch [new file with mode: 0644]
queue-4.18/netfilter-xt_checksum-ignore-gso-skbs.patch [new file with mode: 0644]
queue-4.18/netfilter-xt_cluster-add-dependency-on-conntrack-module.patch [new file with mode: 0644]
queue-4.18/netfilter-xt_hashlimit-use-s-file-instead-of-s-private.patch [new file with mode: 0644]
queue-4.18/nvmet-rdma-fix-possible-bogus-dereference-under-heavy-load.patch [new file with mode: 0644]
queue-4.18/perf-annotate-fix-parsing-aarch64-branch-instructions-after-objdump-update.patch [new file with mode: 0644]
queue-4.18/perf-annotate-properly-interpret-indirect-call.patch [new file with mode: 0644]
queue-4.18/perf-evsel-fix-potential-null-pointer-dereference-in-perf_evsel__new_idx.patch [new file with mode: 0644]
queue-4.18/perf-probe-powerpc-ignore-sys-symbols-irrespective-of-endianness.patch [new file with mode: 0644]
queue-4.18/perf-util-fix-bad-memory-access-in-trace-info.patch [new file with mode: 0644]
queue-4.18/perf-x86-intel-add-support-quirk-for-the-mispredict-bit-on-knights-landing-cpus.patch [new file with mode: 0644]
queue-4.18/pinctrl-msm-really-mask-level-interrupts-to-prevent-latching.patch [new file with mode: 0644]
queue-4.18/r8169-clear-rtl_flag_task_-_pending-when-clearing-rtl_flag_task_enabled.patch [new file with mode: 0644]
queue-4.18/r8169-set-txconfig-register-after-tx-rx-is-enabled-just-like-rxconfig.patch [new file with mode: 0644]
queue-4.18/rdma-ucma-check-fd-type-in-ucma_migrate_id.patch [new file with mode: 0644]
queue-4.18/revert-iio-temperature-maxim_thermocouple-add-max31856-part.patch [new file with mode: 0644]
queue-4.18/riscv-do-not-overwrite-initrd_start-and-initrd_end.patch [new file with mode: 0644]
queue-4.18/s390-qeth-don-t-dump-past-end-of-unknown-hw-header.patch [new file with mode: 0644]
queue-4.18/s390-qeth-use-vzalloc-for-query-oat-buffer.patch [new file with mode: 0644]
queue-4.18/sched-topology-set-correct-numa-topology-type.patch [new file with mode: 0644]
queue-4.18/scsi-iscsi-target-fix-conn_ops-double-free.patch [new file with mode: 0644]
queue-4.18/scsi-iscsi-target-set-conn-sess-to-null-when-iscsi_login_set_conn_values-fails.patch [new file with mode: 0644]
queue-4.18/scsi-qedi-add-the-crc-size-within-iscsi-nvm-image.patch [new file with mode: 0644]
queue-4.18/series
queue-4.18/usb-gadget-fotg210-udc-fix-memory-leak-of-fotg210-ep.patch [new file with mode: 0644]
queue-4.18/usb-host-xhci-plat-iterate-over-parent-nodes-for-finding-quirks.patch [new file with mode: 0644]
queue-4.18/usb-yurex-check-for-truncation-in-yurex_read.patch [new file with mode: 0644]
queue-4.18/x86-apm-fix-build-warning-when-proc_fs-is-not-enabled.patch [new file with mode: 0644]
queue-4.18/xen-avoid-crash-in-disable_hotplug_cpu.patch [new file with mode: 0644]
queue-4.18/xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch [new file with mode: 0644]
queue-4.18/xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch [new file with mode: 0644]

diff --git a/queue-4.18/arch-hexagon-fix-kernel-dma.c-build-warning.patch b/queue-4.18/arch-hexagon-fix-kernel-dma.c-build-warning.patch
new file mode 100644 (file)
index 0000000..d314ade
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Fri, 20 Jul 2018 20:17:35 -0700
+Subject: arch/hexagon: fix kernel/dma.c build warning
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 200f351e27f014fcbf69b544b0b4b72aeaf45fd3 ]
+
+Fix build warning in arch/hexagon/kernel/dma.c by casting a void *
+to unsigned long to match the function parameter type.
+
+../arch/hexagon/kernel/dma.c: In function 'arch_dma_alloc':
+../arch/hexagon/kernel/dma.c:51:5: warning: passing argument 2 of 'gen_pool_add' makes integer from pointer without a cast [enabled by default]
+../include/linux/genalloc.h:112:19: note: expected 'long unsigned int' but argument is of type 'void *'
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Cc: Rich Felker <dalias@libc.org>
+Cc: linux-sh@vger.kernel.org
+Patch-mainline: linux-kernel @ 07/20/2018, 20:17
+[rkuo@codeaurora.org: fixed architecture name]
+Signed-off-by: Richard Kuo <rkuo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/hexagon/kernel/dma.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/hexagon/kernel/dma.c
++++ b/arch/hexagon/kernel/dma.c
+@@ -60,7 +60,7 @@ static void *hexagon_dma_alloc_coherent(
+                       panic("Can't create %s() memory pool!", __func__);
+               else
+                       gen_pool_add(coherent_pool,
+-                              pfn_to_virt(max_low_pfn),
++                              (unsigned long)pfn_to_virt(max_low_pfn),
+                               hexagon_coherent_pool_size, -1);
+       }
diff --git a/queue-4.18/arm64-jump_label.h-use-asm_volatile_goto-macro-instead-of-asm-goto.patch b/queue-4.18/arm64-jump_label.h-use-asm_volatile_goto-macro-instead-of-asm-goto.patch
new file mode 100644 (file)
index 0000000..593a30c
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
+Date: Sun, 9 Sep 2018 17:47:31 +0200
+Subject: arm64: jump_label.h: use asm_volatile_goto macro instead of "asm goto"
+
+From: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
+
+[ Upstream commit 13aceef06adfaf93d52e01e28a8bc8a0ad471d83 ]
+
+All other uses of "asm goto" go through asm_volatile_goto, which avoids
+a miscompile when using GCC < 4.8.2. Replace our open-coded "asm goto"
+statements with the asm_volatile_goto macro to avoid issues with older
+toolchains.
+
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/jump_label.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/jump_label.h
++++ b/arch/arm64/include/asm/jump_label.h
+@@ -28,7 +28,7 @@
+ static __always_inline bool arch_static_branch(struct static_key *key, bool branch)
+ {
+-      asm goto("1: nop\n\t"
++      asm_volatile_goto("1: nop\n\t"
+                ".pushsection __jump_table,  \"aw\"\n\t"
+                ".align 3\n\t"
+                ".quad 1b, %l[l_yes], %c0\n\t"
+@@ -42,7 +42,7 @@ l_yes:
+ static __always_inline bool arch_static_branch_jump(struct static_key *key, bool branch)
+ {
+-      asm goto("1: b %l[l_yes]\n\t"
++      asm_volatile_goto("1: b %l[l_yes]\n\t"
+                ".pushsection __jump_table,  \"aw\"\n\t"
+                ".align 3\n\t"
+                ".quad 1b, %l[l_yes], %c0\n\t"
diff --git a/queue-4.18/asm-generic-io-fix-ioport_map-for-config_generic_iomap-config_indirect_pio.patch b/queue-4.18/asm-generic-io-fix-ioport_map-for-config_generic_iomap-config_indirect_pio.patch
new file mode 100644 (file)
index 0000000..34025d8
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Andrew Murray <andrew.murray@arm.com>
+Date: Thu, 13 Sep 2018 13:48:27 +0100
+Subject: asm-generic: io: Fix ioport_map() for !CONFIG_GENERIC_IOMAP && CONFIG_INDIRECT_PIO
+
+From: Andrew Murray <andrew.murray@arm.com>
+
+[ Upstream commit 500dd232449e7c07500e713dc6970aa713f8e4f1 ]
+
+The !CONFIG_GENERIC_IOMAP version of ioport_map uses MMIO_UPPER_LIMIT to
+prevent users from making I/O accesses outside the expected I/O range -
+however it erroneously treats MMIO_UPPER_LIMIT as a mask which is
+contradictory to its other users.
+
+The introduction of CONFIG_INDIRECT_PIO, which subtracts an arbitrary
+amount from IO_SPACE_LIMIT to form MMIO_UPPER_LIMIT, results in ioport_map
+mangling the given port rather than capping it.
+
+We address this by aligning more closely with the CONFIG_GENERIC_IOMAP
+implementation of ioport_map by using the comparison operator and
+returning NULL where the port exceeds MMIO_UPPER_LIMIT. Though note that
+we preserve the existing behavior of masking with IO_SPACE_LIMIT such that
+we don't break existing buggy drivers that somehow rely on this masking.
+
+Fixes: 5745392e0c2b ("PCI: Apply the new generic I/O management on PCI IO hosts")
+Reported-by: Will Deacon <will.deacon@arm.com>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Andrew Murray <andrew.murray@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/asm-generic/io.h |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/asm-generic/io.h
++++ b/include/asm-generic/io.h
+@@ -1026,7 +1026,8 @@ static inline void __iomem *ioremap_wt(p
+ #define ioport_map ioport_map
+ static inline void __iomem *ioport_map(unsigned long port, unsigned int nr)
+ {
+-      return PCI_IOBASE + (port & MMIO_UPPER_LIMIT);
++      port &= IO_SPACE_LIMIT;
++      return (port > MMIO_UPPER_LIMIT) ? NULL : PCI_IOBASE + port;
+ }
+ #endif
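Review bot: The new range check in ioport_map() tests only the first port and never looks at `nr`, so a request that starts at or below MMIO_UPPER_LIMIT and extends past it still gets a cookie. If that is deliberate parity with the CONFIG_GENERIC_IOMAP variant the description mentions, a comment above the function would record it, for example `/* Returns NULL when port (after masking with IO_SPACE_LIMIT) exceeds MMIO_UPPER_LIMIT; nr is not range-checked. */`. Callers on this configuration previously always received a non-NULL pointer, so any that dereference the result unchecked now need a NULL test; that cannot be confirmed from this hunk.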
diff --git a/queue-4.18/bnxt_re-fix-couple-of-memory-leaks-that-could-lead-to-iommu-call-traces.patch b/queue-4.18/bnxt_re-fix-couple-of-memory-leaks-that-could-lead-to-iommu-call-traces.patch
new file mode 100644 (file)
index 0000000..90838f0
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Somnath Kotur <somnath.kotur@broadcom.com>
+Date: Wed, 5 Sep 2018 13:20:34 +0530
+Subject: bnxt_re: Fix couple of memory leaks that could lead to IOMMU call traces
+
+From: Somnath Kotur <somnath.kotur@broadcom.com>
+
+[ Upstream commit f40f299bbe806a2e2c8b0d7cdda822fa3bdd171b ]
+
+1. DMA-able memory allocated for Shadow QP was not being freed.
+2. bnxt_qplib_alloc_qp_hdr_buf() had a bug wherein the SQ pointer was
+   erroneously pointing to the RQ. But since the corresponding
+   free_qp_hdr_buf() was correct, memory being free was less than what was
+   allocated.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c |    2 ++
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c |    2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -844,6 +844,8 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_
+                               "Failed to destroy Shadow QP");
+                       return rc;
+               }
++              bnxt_qplib_free_qp_res(&rdev->qplib_res,
++                                     &rdev->qp1_sqp->qplib_qp);
+               mutex_lock(&rdev->qp_lock);
+               list_del(&rdev->qp1_sqp->list);
+               atomic_dec(&rdev->qp_count);
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -196,7 +196,7 @@ static int bnxt_qplib_alloc_qp_hdr_buf(s
+                                      struct bnxt_qplib_qp *qp)
+ {
+       struct bnxt_qplib_q *rq = &qp->rq;
+-      struct bnxt_qplib_q *sq = &qp->rq;
++      struct bnxt_qplib_q *sq = &qp->sq;
+       int rc = 0;
+       if (qp->sq_hdr_buf_size && sq->hwq.max_elements) {
diff --git a/queue-4.18/cifs-read-overflow-in-is_valid_oplock_break.patch b/queue-4.18/cifs-read-overflow-in-is_valid_oplock_break.patch
new file mode 100644 (file)
index 0000000..4f8865f
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 6 Sep 2018 12:47:01 +0300
+Subject: cifs: read overflow in is_valid_oplock_break()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 097f5863b1a0c9901f180bbd56ae7d630655faaa ]
+
+We need to verify that the "data_offset" is within bounds.
+
+Reported-by: Dr Silvio Cesare of InfoSect <silvio.cesare@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/misc.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/cifs/misc.c
++++ b/fs/cifs/misc.c
+@@ -404,9 +404,17 @@ is_valid_oplock_break(char *buffer, stru
+                       (struct smb_com_transaction_change_notify_rsp *)buf;
+               struct file_notify_information *pnotify;
+               __u32 data_offset = 0;
++              size_t len = srv->total_read - sizeof(pSMBr->hdr.smb_buf_length);
++
+               if (get_bcc(buf) > sizeof(struct file_notify_information)) {
+                       data_offset = le32_to_cpu(pSMBr->DataOffset);
++                      if (data_offset >
++                          len - sizeof(struct file_notify_information)) {
++                              cifs_dbg(FYI, "invalid data_offset %u\n",
++                                       data_offset);
++                              return true;
++                      }
+                       pnotify = (struct file_notify_information *)
+                               ((char *)&pSMBr->hdr.Protocol + data_offset);
+                       cifs_dbg(FYI, "dnotify on %s Action: 0x%x\n",
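Review bot: The added bound `data_offset > len - sizeof(struct file_notify_information)` is evaluated in size_t, so if `len` is smaller than one `struct file_notify_information` the subtraction wraps and every data_offset passes. The same applies to `srv->total_read - sizeof(pSMBr->hdr.smb_buf_length)` if total_read can be below the length field size. Nothing visible here establishes a minimum for total_read, so a wrap-free guard is safer: `if (len < sizeof(struct file_notify_information) || data_offset > len - sizeof(struct file_notify_information))`. The check also covers only the fixed-size part of the structure; the `%s` in the cifs_dbg() that follows takes its argument outside the hunk, so whether that string read is bounded cannot be judged from here. is_valid_oplock_break() starts and ends outside the hunk.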
diff --git a/queue-4.18/dm-raid-fix-raid-leg-rebuild-errors.patch b/queue-4.18/dm-raid-fix-raid-leg-rebuild-errors.patch
new file mode 100644 (file)
index 0000000..b261c13
--- /dev/null
@@ -0,0 +1,193 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Heinz Mauelshagen <heinzm@redhat.com>
+Date: Thu, 6 Sep 2018 22:54:29 +0200
+Subject: dm raid: fix RAID leg rebuild errors
+
+From: Heinz Mauelshagen <heinzm@redhat.com>
+
+[ Upstream commit 36a240a706d43383bbdd377522501ddd2e5771f6 ]
+
+On fast devices such as NVMe, a flaw in rs_get_progress() results in
+false target status output when userspace lvm2 requests leg rebuilds
+(symptom of the failure is device health chars 'aaaaaaaa' instead of
+expected 'aAaAAAAA' causing lvm2 to fail).
+
+The correct sync action state definitions already exist in
+decipher_sync_action() so fix rs_get_progress() to use it.
+
+Change decipher_sync_action() to return an enum rather than a string for
+the sync states and call it from rs_get_progress().  Introduce
+sync_str() to translate from enum to the string that is needed by
+raid_status().
+
+Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-raid.c |   80 +++++++++++++++++++++++++++++----------------------
+ 1 file changed, 46 insertions(+), 34 deletions(-)
+
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -3332,32 +3332,53 @@ static int raid_map(struct dm_target *ti
+       return DM_MAPIO_SUBMITTED;
+ }
+-/* Return string describing the current sync action of @mddev */
+-static const char *decipher_sync_action(struct mddev *mddev, unsigned long recovery)
++/* Return sync state string for @state */
++enum sync_state { st_frozen, st_reshape, st_resync, st_check, st_repair, st_recover, st_idle };
++static const char *sync_str(enum sync_state state)
++{
++      /* Has to be in above sync_state order! */
++      static const char *sync_strs[] = {
++              "frozen",
++              "reshape",
++              "resync",
++              "check",
++              "repair",
++              "recover",
++              "idle"
++      };
++
++      return __within_range(state, 0, ARRAY_SIZE(sync_strs) - 1) ? sync_strs[state] : "undef";
++};
++
++/* Return enum sync_state for @mddev derived from @recovery flags */
++static const enum sync_state decipher_sync_action(struct mddev *mddev, unsigned long recovery)
+ {
+       if (test_bit(MD_RECOVERY_FROZEN, &recovery))
+-              return "frozen";
++              return st_frozen;
+-      /* The MD sync thread can be done with io but still be running */
++      /* The MD sync thread can be done with io or be interrupted but still be running */
+       if (!test_bit(MD_RECOVERY_DONE, &recovery) &&
+           (test_bit(MD_RECOVERY_RUNNING, &recovery) ||
+            (!mddev->ro && test_bit(MD_RECOVERY_NEEDED, &recovery)))) {
+               if (test_bit(MD_RECOVERY_RESHAPE, &recovery))
+-                      return "reshape";
++                      return st_reshape;
+               if (test_bit(MD_RECOVERY_SYNC, &recovery)) {
+                       if (!test_bit(MD_RECOVERY_REQUESTED, &recovery))
+-                              return "resync";
+-                      else if (test_bit(MD_RECOVERY_CHECK, &recovery))
+-                              return "check";
+-                      return "repair";
++                              return st_resync;
++                      if (test_bit(MD_RECOVERY_CHECK, &recovery))
++                              return st_check;
++                      return st_repair;
+               }
+               if (test_bit(MD_RECOVERY_RECOVER, &recovery))
+-                      return "recover";
++                      return st_recover;
++
++              if (mddev->reshape_position != MaxSector)
++                      return st_reshape;
+       }
+-      return "idle";
++      return st_idle;
+ }
+ /*
+@@ -3391,6 +3412,7 @@ static sector_t rs_get_progress(struct r
+                               sector_t resync_max_sectors)
+ {
+       sector_t r;
++      enum sync_state state;
+       struct mddev *mddev = &rs->md;
+       clear_bit(RT_FLAG_RS_IN_SYNC, &rs->runtime_flags);
+@@ -3401,20 +3423,14 @@ static sector_t rs_get_progress(struct r
+               set_bit(RT_FLAG_RS_IN_SYNC, &rs->runtime_flags);
+       } else {
+-              if (!test_bit(__CTR_FLAG_NOSYNC, &rs->ctr_flags) &&
+-                  !test_bit(MD_RECOVERY_INTR, &recovery) &&
+-                  (test_bit(MD_RECOVERY_NEEDED, &recovery) ||
+-                   test_bit(MD_RECOVERY_RESHAPE, &recovery) ||
+-                   test_bit(MD_RECOVERY_RUNNING, &recovery)))
+-                      r = mddev->curr_resync_completed;
+-              else
++              state = decipher_sync_action(mddev, recovery);
++
++              if (state == st_idle && !test_bit(MD_RECOVERY_INTR, &recovery))
+                       r = mddev->recovery_cp;
++              else
++                      r = mddev->curr_resync_completed;
+-              if (r >= resync_max_sectors &&
+-                  (!test_bit(MD_RECOVERY_REQUESTED, &recovery) ||
+-                   (!test_bit(MD_RECOVERY_FROZEN, &recovery) &&
+-                    !test_bit(MD_RECOVERY_NEEDED, &recovery) &&
+-                    !test_bit(MD_RECOVERY_RUNNING, &recovery)))) {
++              if (state == st_idle && r >= resync_max_sectors) {
+                       /*
+                        * Sync complete.
+                        */
+@@ -3422,24 +3438,20 @@ static sector_t rs_get_progress(struct r
+                       if (test_bit(MD_RECOVERY_RECOVER, &recovery))
+                               set_bit(RT_FLAG_RS_IN_SYNC, &rs->runtime_flags);
+-              } else if (test_bit(MD_RECOVERY_RECOVER, &recovery)) {
++              } else if (state == st_recover)
+                       /*
+                        * In case we are recovering, the array is not in sync
+                        * and health chars should show the recovering legs.
+                        */
+                       ;
+-
+-              } else if (test_bit(MD_RECOVERY_SYNC, &recovery) &&
+-                         !test_bit(MD_RECOVERY_REQUESTED, &recovery)) {
++              else if (state == st_resync)
+                       /*
+                        * If "resync" is occurring, the raid set
+                        * is or may be out of sync hence the health
+                        * characters shall be 'a'.
+                        */
+                       set_bit(RT_FLAG_RS_RESYNCING, &rs->runtime_flags);
+-
+-              } else if (test_bit(MD_RECOVERY_RESHAPE, &recovery) &&
+-                         !test_bit(MD_RECOVERY_REQUESTED, &recovery)) {
++              else if (state == st_reshape)
+                       /*
+                        * If "reshape" is occurring, the raid set
+                        * is or may be out of sync hence the health
+@@ -3447,7 +3459,7 @@ static sector_t rs_get_progress(struct r
+                        */
+                       set_bit(RT_FLAG_RS_RESYNCING, &rs->runtime_flags);
+-              } else if (test_bit(MD_RECOVERY_REQUESTED, &recovery)) {
++              else if (state == st_check || state == st_repair)
+                       /*
+                        * If "check" or "repair" is occurring, the raid set has
+                        * undergone an initial sync and the health characters
+@@ -3455,12 +3467,12 @@ static sector_t rs_get_progress(struct r
+                        */
+                       set_bit(RT_FLAG_RS_IN_SYNC, &rs->runtime_flags);
+-              } else {
++              else {
+                       struct md_rdev *rdev;
+                       /*
+                        * We are idle and recovery is needed, prevent 'A' chars race
+-                       * caused by components still set to in-sync by constrcuctor.
++                       * caused by components still set to in-sync by constructor.
+                        */
+                       if (test_bit(MD_RECOVERY_NEEDED, &recovery))
+                               set_bit(RT_FLAG_RS_RESYNCING, &rs->runtime_flags);
+@@ -3524,7 +3536,7 @@ static void raid_status(struct dm_target
+               progress = rs_get_progress(rs, recovery, resync_max_sectors);
+               resync_mismatches = (mddev->last_sync_action && !strcasecmp(mddev->last_sync_action, "check")) ?
+                                   atomic64_read(&mddev->resync_mismatches) : 0;
+-              sync_action = decipher_sync_action(&rs->md, recovery);
++              sync_action = sync_str(decipher_sync_action(&rs->md, recovery));
+               /* HM FIXME: do we want another state char for raid0? It shows 'D'/'A'/'-' now */
+               for (i = 0; i < rs->raid_disks; i++)
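Review bot: sync_strs[] in sync_str() is kept in step with enum sync_state only by the comment "Has to be in above sync_state order!"; designated initializers such as `[st_frozen] = "frozen",` through `[st_idle] = "idle",` would bind each string to its enumerator so a reordered or inserted state cannot silently shift the status text reported to userspace. In the same hunk the `const` in `static const enum sync_state decipher_sync_action(...)` qualifies a by-value return and has no effect (compilers report it under -Wignored-qualifiers), and the body of sync_str() closes with `};`, a stray semicolon. In rs_get_progress() the rewritten else-if chain drops the braces around branches that consist of a multi-line comment plus one statement while the final `else {` keeps them; bracing every arm would make it harder to attach a statement to the wrong branch later. rs_get_progress() and raid_status() continue outside the hunks shown.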
diff --git a/queue-4.18/dm-raid-fix-rebuild-of-specific-devices-by-updating-superblock.patch b/queue-4.18/dm-raid-fix-rebuild-of-specific-devices-by-updating-superblock.patch
new file mode 100644 (file)
index 0000000..cb9901c
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Heinz Mauelshagen <heinzm@redhat.com>
+Date: Thu, 6 Sep 2018 18:33:40 +0200
+Subject: dm raid: fix rebuild of specific devices by updating superblock
+
+From: Heinz Mauelshagen <heinzm@redhat.com>
+
+[ Upstream commit c44a5ee803d2b7ed8c2e6ce24a5c4dd60778886e ]
+
+Update superblock when particular devices are requested via rebuild
+(e.g. lvconvert --replace ...) to avoid spurious failure with the "New
+device injected into existing raid set without 'delta_disks' or
+'rebuild' parameter specified" error message.
+
+Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-raid.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -3126,6 +3126,11 @@ static int raid_ctr(struct dm_target *ti
+               set_bit(RT_FLAG_UPDATE_SBS, &rs->runtime_flags);
+               rs_set_new(rs);
+       } else if (rs_is_recovering(rs)) {
++              /* Rebuild particular devices */
++              if (test_bit(__CTR_FLAG_REBUILD, &rs->ctr_flags)) {
++                      set_bit(RT_FLAG_UPDATE_SBS, &rs->runtime_flags);
++                      rs_setup_recovery(rs, MaxSector);
++              }
+               /* A recovering raid set may be resized */
+               ; /* skip setup rs */
+       } else if (rs_is_reshaping(rs)) {
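Review bot: The retained tail of the rs_is_recovering() branch, `; /* skip setup rs */`, no longer describes what the branch does, because the added block now sets RT_FLAG_UPDATE_SBS and calls rs_setup_recovery(rs, MaxSector) when __CTR_FLAG_REBUILD is set. I would drop the empty statement and fold both comments into one placed after the new block, for example `/* Otherwise skip setup: a recovering raid set may be resized */`. raid_ctr() starts and ends outside the hunk, so how the flag set here is consumed later is not visible.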
diff --git a/queue-4.18/dm-raid-fix-reshape-race-on-small-devices.patch b/queue-4.18/dm-raid-fix-reshape-race-on-small-devices.patch
new file mode 100644 (file)
index 0000000..78ee7cb
--- /dev/null
@@ -0,0 +1,141 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Heinz Mauelshagen <heinzm@redhat.com>
+Date: Thu, 6 Sep 2018 18:33:38 +0200
+Subject: dm raid: fix reshape race on small devices
+
+From: Heinz Mauelshagen <heinzm@redhat.com>
+
+[ Upstream commit 38b0bd0cda07d34ad6f145fce675ead74739c44e ]
+
+Loading a new mapping table, the dm-raid target's constructor
+retrieves the volatile reshaping state from the raid superblocks.
+
+When the new table is activated in a following resume, the actual
+reshape position is retrieved.  The reshape driven by the previous
+mapping can already have finished on small and/or fast devices thus
+updating raid superblocks about the new raid layout.
+
+This causes the actual array state (e.g. stripe size reshape finished)
+to be inconsistent with the one in the new mapping, causing hangs with
+left behind devices.
+
+This race does not occur with usual raid device sizes but with small
+ones (e.g. those created by the lvm2 test suite).
+
+Fix by no longer transferring stale/inconsistent raid_set state during
+preresume.
+
+Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-raid.c |   48 +-----------------------------------------------
+ 1 file changed, 1 insertion(+), 47 deletions(-)
+
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -29,9 +29,6 @@
+  */
+ #define       MIN_RAID456_JOURNAL_SPACE (4*2048)
+-/* Global list of all raid sets */
+-static LIST_HEAD(raid_sets);
+-
+ static bool devices_handle_discard_safely = false;
+ /*
+@@ -227,7 +224,6 @@ struct rs_layout {
+ struct raid_set {
+       struct dm_target *ti;
+-      struct list_head list;
+       uint32_t stripe_cache_entries;
+       unsigned long ctr_flags;
+@@ -273,19 +269,6 @@ static void rs_config_restore(struct rai
+       mddev->new_chunk_sectors = l->new_chunk_sectors;
+ }
+-/* Find any raid_set in active slot for @rs on global list */
+-static struct raid_set *rs_find_active(struct raid_set *rs)
+-{
+-      struct raid_set *r;
+-      struct mapped_device *md = dm_table_get_md(rs->ti->table);
+-
+-      list_for_each_entry(r, &raid_sets, list)
+-              if (r != rs && dm_table_get_md(r->ti->table) == md)
+-                      return r;
+-
+-      return NULL;
+-}
+-
+ /* raid10 algorithms (i.e. formats) */
+ #define       ALGORITHM_RAID10_DEFAULT        0
+ #define       ALGORITHM_RAID10_NEAR           1
+@@ -764,7 +747,6 @@ static struct raid_set *raid_set_alloc(s
+       mddev_init(&rs->md);
+-      INIT_LIST_HEAD(&rs->list);
+       rs->raid_disks = raid_devs;
+       rs->delta_disks = 0;
+@@ -782,9 +764,6 @@ static struct raid_set *raid_set_alloc(s
+       for (i = 0; i < raid_devs; i++)
+               md_rdev_init(&rs->dev[i].rdev);
+-      /* Add @rs to global list. */
+-      list_add(&rs->list, &raid_sets);
+-
+       /*
+        * Remaining items to be initialized by further RAID params:
+        *  rs->md.persistent
+@@ -797,7 +776,7 @@ static struct raid_set *raid_set_alloc(s
+       return rs;
+ }
+-/* Free all @rs allocations and remove it from global list. */
++/* Free all @rs allocations */
+ static void raid_set_free(struct raid_set *rs)
+ {
+       int i;
+@@ -815,8 +794,6 @@ static void raid_set_free(struct raid_se
+                       dm_put_device(rs->ti, rs->dev[i].data_dev);
+       }
+-      list_del(&rs->list);
+-
+       kfree(rs);
+ }
+@@ -3947,29 +3924,6 @@ static int raid_preresume(struct dm_targ
+       if (test_and_set_bit(RT_FLAG_RS_PRERESUMED, &rs->runtime_flags))
+               return 0;
+-      if (!test_bit(__CTR_FLAG_REBUILD, &rs->ctr_flags)) {
+-              struct raid_set *rs_active = rs_find_active(rs);
+-
+-              if (rs_active) {
+-                      /*
+-                       * In case no rebuilds have been requested
+-                       * and an active table slot exists, copy
+-                       * current resynchonization completed and
+-                       * reshape position pointers across from
+-                       * suspended raid set in the active slot.
+-                       *
+-                       * This resumes the new mapping at current
+-                       * offsets to continue recover/reshape without
+-                       * necessarily redoing a raid set partially or
+-                       * causing data corruption in case of a reshape.
+-                       */
+-                      if (rs_active->md.curr_resync_completed != MaxSector)
+-                              mddev->curr_resync_completed = rs_active->md.curr_resync_completed;
+-                      if (rs_active->md.reshape_position != MaxSector)
+-                              mddev->reshape_position = rs_active->md.reshape_position;
+-              }
+-      }
+-
+       /*
+        * The superblocks need to be updated on disk if the
+        * array is new or new devices got added (thus zeroed
diff --git a/queue-4.18/dm-raid-fix-stripe-adding-reshape-deadlock.patch b/queue-4.18/dm-raid-fix-stripe-adding-reshape-deadlock.patch
new file mode 100644 (file)
index 0000000..6d747c8
--- /dev/null
@@ -0,0 +1,57 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Heinz Mauelshagen <heinzm@redhat.com>
+Date: Thu, 6 Sep 2018 18:33:39 +0200
+Subject: dm raid: fix stripe adding reshape deadlock
+
+From: Heinz Mauelshagen <heinzm@redhat.com>
+
+[ Upstream commit 644e2537fdc77baeeefc829524937bca64329f82 ]
+
+When initiating a stripe adding reshape, a deadlock between
+md_stop_writes() waiting for the sync thread to stop and the running
+sync thread waiting for inactive stripes occurs (this frequently happens
+on single-core but rarely on multi-core systems).
+
+Fix this deadlock by setting MD_RECOVERY_WAIT to have the main MD
+resynchronization thread worker (md_do_sync()) bail out when initiating
+the reshape via constructor arguments.
+
+Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-raid.c |   11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -3869,14 +3869,13 @@ static int rs_start_reshape(struct raid_
+       struct mddev *mddev = &rs->md;
+       struct md_personality *pers = mddev->pers;
++      /* Don't allow the sync thread to work until the table gets reloaded. */
++      set_bit(MD_RECOVERY_WAIT, &mddev->recovery);
++
+       r = rs_setup_reshape(rs);
+       if (r)
+               return r;
+-      /* Need to be resumed to be able to start reshape, recovery is frozen until raid_resume() though */
+-      if (test_and_clear_bit(RT_FLAG_RS_SUSPENDED, &rs->runtime_flags))
+-              mddev_resume(mddev);
+-
+       /*
+        * Check any reshape constraints enforced by the personalility
+        *
+@@ -3900,10 +3899,6 @@ static int rs_start_reshape(struct raid_
+               }
+       }
+-      /* Suspend because a resume will happen in raid_resume() */
+-      set_bit(RT_FLAG_RS_SUSPENDED, &rs->runtime_flags);
+-      mddev_suspend(mddev);
+-
+       /*
+        * Now reshape got set up, update superblocks to
+        * reflect the fact so that a table reload will
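Review bot: `MD_RECOVERY_WAIT` is now set at the top of rs_start_reshape(), before `rs_setup_reshape(rs)`, and the `return r` directly after it leaves the bit set on failure; nothing in the visible lines clears it. The added comment says the sync thread is held "until the table gets reloaded", but it does not name the code that clears the bit or say whether the failure returns are meant to leave it set. I would extend it along the lines of `/* Hold off the sync thread; cleared by <resume path> after the table reload, also when this function fails. */`, with the placeholder filled in from the real call chain. The function starts and ends outside the hunk, so its other return paths need the same check.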
diff --git a/queue-4.18/dm-thin-metadata-try-to-avoid-ever-aborting-transactions.patch b/queue-4.18/dm-thin-metadata-try-to-avoid-ever-aborting-transactions.patch
new file mode 100644 (file)
index 0000000..e25767c
--- /dev/null
@@ -0,0 +1,260 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Joe Thornber <ejt@redhat.com>
+Date: Mon, 10 Sep 2018 16:50:09 +0100
+Subject: dm thin metadata: try to avoid ever aborting transactions
+
+From: Joe Thornber <ejt@redhat.com>
+
+[ Upstream commit 3ab91828166895600efd9cdc3a0eb32001f7204a ]
+
+Committing a transaction can consume some metadata of it's own, we now
+reserve a small amount of metadata to cover this.  Free metadata
+reported by the kernel will not include this reserve.
+
+If any of the reserve has been used after a commit we enter a new
+internal state PM_OUT_OF_METADATA_SPACE.  This is reported as
+PM_READ_ONLY, so no userland changes are needed.  If the metadata
+device is resized the pool will move back to PM_WRITE.
+
+These changes mean we never need to abort and rollback a transaction due
+to running out of metadata space.  This is particularly important
+because there have been a handful of reports of data corruption against
+DM thin-provisioning that can all be attributed to the thin-pool having
+ran out of metadata space.
+
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-thin-metadata.c |   36 ++++++++++++++++++++
+ drivers/md/dm-thin.c          |   73 +++++++++++++++++++++++++++++++++++++-----
+ 2 files changed, 100 insertions(+), 9 deletions(-)
+
+--- a/drivers/md/dm-thin-metadata.c
++++ b/drivers/md/dm-thin-metadata.c
+@@ -189,6 +189,12 @@ struct dm_pool_metadata {
+       sector_t data_block_size;
+       /*
++       * We reserve a section of the metadata for commit overhead.
++       * All reported space does *not* include this.
++       */
++      dm_block_t metadata_reserve;
++
++      /*
+        * Set if a transaction has to be aborted but the attempt to roll back
+        * to the previous (good) transaction failed.  The only pool metadata
+        * operation possible in this state is the closing of the device.
+@@ -816,6 +822,22 @@ static int __commit_transaction(struct d
+       return dm_tm_commit(pmd->tm, sblock);
+ }
++static void __set_metadata_reserve(struct dm_pool_metadata *pmd)
++{
++      int r;
++      dm_block_t total;
++      dm_block_t max_blocks = 4096; /* 16M */
++
++      r = dm_sm_get_nr_blocks(pmd->metadata_sm, &total);
++      if (r) {
++              DMERR("could not get size of metadata device");
++              pmd->metadata_reserve = max_blocks;
++      } else {
++              sector_div(total, 10);
++              pmd->metadata_reserve = min(max_blocks, total);
++      }
++}
++
+ struct dm_pool_metadata *dm_pool_metadata_open(struct block_device *bdev,
+                                              sector_t data_block_size,
+                                              bool format_device)
+@@ -849,6 +871,8 @@ struct dm_pool_metadata *dm_pool_metadat
+               return ERR_PTR(r);
+       }
++      __set_metadata_reserve(pmd);
++
+       return pmd;
+ }
+@@ -1820,6 +1844,13 @@ int dm_pool_get_free_metadata_block_coun
+       down_read(&pmd->root_lock);
+       if (!pmd->fail_io)
+               r = dm_sm_get_nr_free(pmd->metadata_sm, result);
++
++      if (!r) {
++              if (*result < pmd->metadata_reserve)
++                      *result = 0;
++              else
++                      *result -= pmd->metadata_reserve;
++      }
+       up_read(&pmd->root_lock);
+       return r;
+@@ -1932,8 +1963,11 @@ int dm_pool_resize_metadata_dev(struct d
+       int r = -EINVAL;
+       down_write(&pmd->root_lock);
+-      if (!pmd->fail_io)
++      if (!pmd->fail_io) {
+               r = __resize_space_map(pmd->metadata_sm, new_count);
++              if (!r)
++                      __set_metadata_reserve(pmd);
++      }
+       up_write(&pmd->root_lock);
+       return r;
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -200,7 +200,13 @@ struct dm_thin_new_mapping;
+ enum pool_mode {
+       PM_WRITE,               /* metadata may be changed */
+       PM_OUT_OF_DATA_SPACE,   /* metadata may be changed, though data may not be allocated */
++
++      /*
++       * Like READ_ONLY, except may switch back to WRITE on metadata resize. Reported as READ_ONLY.
++       */
++      PM_OUT_OF_METADATA_SPACE,
+       PM_READ_ONLY,           /* metadata may not be changed */
++
+       PM_FAIL,                /* all I/O fails */
+ };
+@@ -1388,7 +1394,35 @@ static void set_pool_mode(struct pool *p
+ static void requeue_bios(struct pool *pool);
+-static void check_for_space(struct pool *pool)
++static bool is_read_only_pool_mode(enum pool_mode mode)
++{
++      return (mode == PM_OUT_OF_METADATA_SPACE || mode == PM_READ_ONLY);
++}
++
++static bool is_read_only(struct pool *pool)
++{
++      return is_read_only_pool_mode(get_pool_mode(pool));
++}
++
++static void check_for_metadata_space(struct pool *pool)
++{
++      int r;
++      const char *ooms_reason = NULL;
++      dm_block_t nr_free;
++
++      r = dm_pool_get_free_metadata_block_count(pool->pmd, &nr_free);
++      if (r)
++              ooms_reason = "Could not get free metadata blocks";
++      else if (!nr_free)
++              ooms_reason = "No free metadata blocks";
++
++      if (ooms_reason && !is_read_only(pool)) {
++              DMERR("%s", ooms_reason);
++              set_pool_mode(pool, PM_OUT_OF_METADATA_SPACE);
++      }
++}
++
++static void check_for_data_space(struct pool *pool)
+ {
+       int r;
+       dm_block_t nr_free;
+@@ -1414,14 +1448,16 @@ static int commit(struct pool *pool)
+ {
+       int r;
+-      if (get_pool_mode(pool) >= PM_READ_ONLY)
++      if (get_pool_mode(pool) >= PM_OUT_OF_METADATA_SPACE)
+               return -EINVAL;
+       r = dm_pool_commit_metadata(pool->pmd);
+       if (r)
+               metadata_operation_failed(pool, "dm_pool_commit_metadata", r);
+-      else
+-              check_for_space(pool);
++      else {
++              check_for_metadata_space(pool);
++              check_for_data_space(pool);
++      }
+       return r;
+ }
+@@ -1487,6 +1523,19 @@ static int alloc_data_block(struct thin_
+               return r;
+       }
++      r = dm_pool_get_free_metadata_block_count(pool->pmd, &free_blocks);
++      if (r) {
++              metadata_operation_failed(pool, "dm_pool_get_free_metadata_block_count", r);
++              return r;
++      }
++
++      if (!free_blocks) {
++              /* Let's commit before we use up the metadata reserve. */
++              r = commit(pool);
++              if (r)
++                      return r;
++      }
++
+       return 0;
+ }
+@@ -1518,6 +1567,7 @@ static blk_status_t should_error_unservi
+       case PM_OUT_OF_DATA_SPACE:
+               return pool->pf.error_if_no_space ? BLK_STS_NOSPC : 0;
++      case PM_OUT_OF_METADATA_SPACE:
+       case PM_READ_ONLY:
+       case PM_FAIL:
+               return BLK_STS_IOERR;
+@@ -2481,8 +2531,9 @@ static void set_pool_mode(struct pool *p
+               error_retry_list(pool);
+               break;
++      case PM_OUT_OF_METADATA_SPACE:
+       case PM_READ_ONLY:
+-              if (old_mode != new_mode)
++              if (!is_read_only_pool_mode(old_mode))
+                       notify_of_pool_mode_change(pool, "read-only");
+               dm_pool_metadata_read_only(pool->pmd);
+               pool->process_bio = process_bio_read_only;
+@@ -3420,6 +3471,10 @@ static int maybe_resize_metadata_dev(str
+               DMINFO("%s: growing the metadata device from %llu to %llu blocks",
+                      dm_device_name(pool->pool_md),
+                      sb_metadata_dev_size, metadata_dev_size);
++
++              if (get_pool_mode(pool) == PM_OUT_OF_METADATA_SPACE)
++                      set_pool_mode(pool, PM_WRITE);
++
+               r = dm_pool_resize_metadata_dev(pool->pmd, metadata_dev_size);
+               if (r) {
+                       metadata_operation_failed(pool, "dm_pool_resize_metadata_dev", r);
+@@ -3724,7 +3779,7 @@ static int pool_message(struct dm_target
+       struct pool_c *pt = ti->private;
+       struct pool *pool = pt->pool;
+-      if (get_pool_mode(pool) >= PM_READ_ONLY) {
++      if (get_pool_mode(pool) >= PM_OUT_OF_METADATA_SPACE) {
+               DMERR("%s: unable to service pool target messages in READ_ONLY or FAIL mode",
+                     dm_device_name(pool->pool_md));
+               return -EOPNOTSUPP;
+@@ -3798,6 +3853,7 @@ static void pool_status(struct dm_target
+       dm_block_t nr_blocks_data;
+       dm_block_t nr_blocks_metadata;
+       dm_block_t held_root;
++      enum pool_mode mode;
+       char buf[BDEVNAME_SIZE];
+       char buf2[BDEVNAME_SIZE];
+       struct pool_c *pt = ti->private;
+@@ -3868,9 +3924,10 @@ static void pool_status(struct dm_target
+               else
+                       DMEMIT("- ");
+-              if (pool->pf.mode == PM_OUT_OF_DATA_SPACE)
++              mode = get_pool_mode(pool);
++              if (mode == PM_OUT_OF_DATA_SPACE)
+                       DMEMIT("out_of_data_space ");
+-              else if (pool->pf.mode == PM_READ_ONLY)
++              else if (is_read_only_pool_mode(mode))
+                       DMEMIT("ro ");
+               else
+                       DMEMIT("rw ");
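Review bot: In `__set_metadata_reserve()` the division `sector_div(total, 10)` is applied to a `dm_block_t`, whereas `sector_div()` is the helper for `sector_t` operands. Both types are declared outside this page, so this is hedged: on a configuration where `sector_t` is narrower than `dm_block_t` it is at least a type mismatch. A plain 64-bit helper states the intent and does not depend on the `sector_t` width: `total = div_u64(total, 10);`. The function would also benefit from a one-line comment saying the reserve is one tenth of the metadata device capped at `max_blocks`, because the `/* 16M */` note assumes a metadata block size that is not visible here.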
diff --git a/queue-4.18/drm-amdgpu-fix-error-handling-in-amdgpu_cs_user_fence_chunk.patch b/queue-4.18/drm-amdgpu-fix-error-handling-in-amdgpu_cs_user_fence_chunk.patch
new file mode 100644 (file)
index 0000000..6574767
--- /dev/null
@@ -0,0 +1,65 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: "Christian König" <christian.koenig@amd.com>
+Date: Mon, 10 Sep 2018 15:52:55 +0200
+Subject: drm/amdgpu: fix error handling in amdgpu_cs_user_fence_chunk
+
+From: "Christian König" <christian.koenig@amd.com>
+
+[ Upstream commit 0165de983272d1fae0809ed9db47c46a412279bc ]
+
+Slowly leaking memory one page at a time :)
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c |   23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+@@ -38,6 +38,7 @@ static int amdgpu_cs_user_fence_chunk(st
+ {
+       struct drm_gem_object *gobj;
+       unsigned long size;
++      int r;
+       gobj = drm_gem_object_lookup(p->filp, data->handle);
+       if (gobj == NULL)
+@@ -49,20 +50,26 @@ static int amdgpu_cs_user_fence_chunk(st
+       p->uf_entry.tv.shared = true;
+       p->uf_entry.user_pages = NULL;
+-      size = amdgpu_bo_size(p->uf_entry.robj);
+-      if (size != PAGE_SIZE || (data->offset + 8) > size)
+-              return -EINVAL;
+-
+-      *offset = data->offset;
+-
+       drm_gem_object_put_unlocked(gobj);
++      size = amdgpu_bo_size(p->uf_entry.robj);
++      if (size != PAGE_SIZE || (data->offset + 8) > size) {
++              r = -EINVAL;
++              goto error_unref;
++      }
++
+       if (amdgpu_ttm_tt_get_usermm(p->uf_entry.robj->tbo.ttm)) {
+-              amdgpu_bo_unref(&p->uf_entry.robj);
+-              return -EINVAL;
++              r = -EINVAL;
++              goto error_unref;
+       }
++      *offset = data->offset;
++
+       return 0;
++
++error_unref:
++      amdgpu_bo_unref(&p->uf_entry.robj);
++      return r;
+ }
+ static int amdgpu_cs_parser_init(struct amdgpu_cs_parser *p, void *data)
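Review bot: The bounds check that this patch moves inside amdgpu_cs_user_fence_chunk(), `(data->offset + 8) > size`, adds before it compares. If `data->offset` is a 32-bit unsigned field (its declaration is outside the hunk), a value near the top of the range wraps and the check passes. The chunk appears to describe a caller-supplied handle and offset, so the comparison should avoid the addition: `if (size != PAGE_SIZE || data->offset > size - 8) {`. The subtraction cannot underflow, because the right-hand side is only evaluated once `size` is known to equal `PAGE_SIZE`.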
diff --git a/queue-4.18/drm-amdgpu-fix-sdma-hang-in-prt-mode-v2.patch b/queue-4.18/drm-amdgpu-fix-sdma-hang-in-prt-mode-v2.patch
new file mode 100644 (file)
index 0000000..87eae87
--- /dev/null
@@ -0,0 +1,56 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Tao Zhou <tao.zhou1@amd.com>
+Date: Fri, 7 Sep 2018 13:50:31 +0800
+Subject: drm/amdgpu: Fix SDMA hang in prt mode v2
+
+From: Tao Zhou <tao.zhou1@amd.com>
+
+[ Upstream commit 68ebc13ea40656fddd3803735d621921a2d74a5e ]
+
+Fix SDMA hang in prt mode, clear XNACK_WATERMARK in reg SDMA0_UTCL1_WATERMK to avoid the issue
+
+Affected ASICs: VEGA10 VEGA12 RV1 RV2
+
+v2: add reg clear for SDMA1
+
+Signed-off-by: Tao Zhou <tao.zhou1@amd.com>
+Tested-by: Yukun Li <yukun1.li@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
+@@ -67,6 +67,7 @@ static const struct soc15_reg_golden gol
+       SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_RLC1_IB_CNTL, 0x800f0100, 0x00000100),
+       SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_RLC1_RB_WPTR_POLL_CNTL, 0x0000fff0, 0x00403000),
+       SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_UTCL1_PAGE, 0x000003ff, 0x000003c0),
++      SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_UTCL1_WATERMK, 0xfc000000, 0x00000000),
+       SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_CHICKEN_BITS, 0xfe931f07, 0x02831f07),
+       SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_CLK_CTRL, 0xffffffff, 0x3f000100),
+       SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_GFX_IB_CNTL, 0x800f0100, 0x00000100),
+@@ -78,7 +79,8 @@ static const struct soc15_reg_golden gol
+       SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_RLC0_RB_WPTR_POLL_CNTL, 0x0000fff0, 0x00403000),
+       SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_RLC1_IB_CNTL, 0x800f0100, 0x00000100),
+       SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_RLC1_RB_WPTR_POLL_CNTL, 0x0000fff0, 0x00403000),
+-      SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_UTCL1_PAGE, 0x000003ff, 0x000003c0)
++      SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_UTCL1_PAGE, 0x000003ff, 0x000003c0),
++      SOC15_REG_GOLDEN_VALUE(SDMA1, 0, mmSDMA1_UTCL1_WATERMK, 0xfc000000, 0x00000000)
+ };
+ static const struct soc15_reg_golden golden_settings_sdma_vg10[] = {
+@@ -106,7 +108,8 @@ static const struct soc15_reg_golden gol
+       SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_RLC0_RB_WPTR_POLL_CNTL, 0xfffffff7, 0x00403000),
+       SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_RLC1_IB_CNTL, 0x800f0111, 0x00000100),
+       SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_RLC1_RB_WPTR_POLL_CNTL, 0xfffffff7, 0x00403000),
+-      SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_UTCL1_PAGE, 0x000003ff, 0x000003c0)
++      SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_UTCL1_PAGE, 0x000003ff, 0x000003c0),
++      SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_UTCL1_WATERMK, 0xfc000000, 0x00000000)
+ };
+ static const struct soc15_reg_golden golden_settings_sdma_4_2[] =
diff --git a/queue-4.18/drm-nouveau-disp-fix-dp-disable-race.patch b/queue-4.18/drm-nouveau-disp-fix-dp-disable-race.patch
new file mode 100644 (file)
index 0000000..b7a1062
--- /dev/null
@@ -0,0 +1,108 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Ben Skeggs <bskeggs@redhat.com>
+Date: Tue, 4 Sep 2018 15:57:09 +1000
+Subject: drm/nouveau/disp: fix DP disable race
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+[ Upstream commit e04cfdc9b7398c60dbc70212415ea63b6c6a93ae ]
+
+If a HPD pulse signalling the need to retrain the link occurs between
+the KMS driver releasing the output and the supervisor interrupt that
+finishes the teardown, it was possible get a NULL-ptr deref.
+
+Avoid this by marking the link as inactive earlier.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.c   |   17 ++++++++++++-----
+ drivers/gpu/drm/nouveau/nvkm/engine/disp/nv50.c |    6 +++---
+ drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c |    2 ++
+ drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h |    3 ++-
+ 4 files changed, 19 insertions(+), 9 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.c
+@@ -412,14 +412,10 @@ nvkm_dp_train(struct nvkm_dp *dp, u32 da
+ }
+ static void
+-nvkm_dp_release(struct nvkm_outp *outp, struct nvkm_ior *ior)
++nvkm_dp_disable(struct nvkm_outp *outp, struct nvkm_ior *ior)
+ {
+       struct nvkm_dp *dp = nvkm_dp(outp);
+-      /* Prevent link from being retrained if sink sends an IRQ. */
+-      atomic_set(&dp->lt.done, 0);
+-      ior->dp.nr = 0;
+-
+       /* Execute DisableLT script from DP Info Table. */
+       nvbios_init(&ior->disp->engine.subdev, dp->info.script[4],
+               init.outp = &dp->outp.info;
+@@ -428,6 +424,16 @@ nvkm_dp_release(struct nvkm_outp *outp,
+       );
+ }
++static void
++nvkm_dp_release(struct nvkm_outp *outp)
++{
++      struct nvkm_dp *dp = nvkm_dp(outp);
++
++      /* Prevent link from being retrained if sink sends an IRQ. */
++      atomic_set(&dp->lt.done, 0);
++      dp->outp.ior->dp.nr = 0;
++}
++
+ static int
+ nvkm_dp_acquire(struct nvkm_outp *outp)
+ {
+@@ -576,6 +582,7 @@ nvkm_dp_func = {
+       .fini = nvkm_dp_fini,
+       .acquire = nvkm_dp_acquire,
+       .release = nvkm_dp_release,
++      .disable = nvkm_dp_disable,
+ };
+ static int
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/nv50.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/nv50.c
+@@ -501,11 +501,11 @@ nv50_disp_super_2_0(struct nv50_disp *di
+       nv50_disp_super_ied_off(head, ior, 2);
+       /* If we're shutting down the OR's only active head, execute
+-       * the output path's release function.
++       * the output path's disable function.
+        */
+       if (ior->arm.head == (1 << head->id)) {
+-              if ((outp = ior->arm.outp) && outp->func->release)
+-                      outp->func->release(outp, ior);
++              if ((outp = ior->arm.outp) && outp->func->disable)
++                      outp->func->disable(outp, ior);
+       }
+ }
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c
+@@ -93,6 +93,8 @@ nvkm_outp_release(struct nvkm_outp *outp
+       if (ior) {
+               outp->acquired &= ~user;
+               if (!outp->acquired) {
++                      if (outp->func->release && outp->ior)
++                              outp->func->release(outp);
+                       outp->ior->asy.outp = NULL;
+                       outp->ior = NULL;
+               }
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h
+@@ -41,7 +41,8 @@ struct nvkm_outp_func {
+       void (*init)(struct nvkm_outp *);
+       void (*fini)(struct nvkm_outp *);
+       int (*acquire)(struct nvkm_outp *);
+-      void (*release)(struct nvkm_outp *, struct nvkm_ior *);
++      void (*release)(struct nvkm_outp *);
++      void (*disable)(struct nvkm_outp *, struct nvkm_ior *);
+ };
+ #define OUTP_MSG(o,l,f,a...) do {                                              \
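Review bot: The new `nvkm_dp_release()` dereferences `dp->outp.ior` without a check and depends on the `outp->ior` test in its caller, `nvkm_outp_release()` in outp.c. That precondition should be written down where the callbacks are declared in outp.h, for example `/* release: called with outp->ior still set, before the OR is detached */` and `/* disable: called from the supervisor path with the armed OR */`. Otherwise a later implementation or a second call site can reintroduce the NULL dereference this commit is fixing. Whether the `atomic_set(&dp->lt.done, 0)` and `dp.nr = 0` pair is ordered against the HPD handler by a lock cannot be seen from these hunks.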
diff --git a/queue-4.18/drm-nouveau-disp-gm200-enforce-identity-mapped-sor-assignment-for-lvds-edp-panels.patch b/queue-4.18/drm-nouveau-disp-gm200-enforce-identity-mapped-sor-assignment-for-lvds-edp-panels.patch
new file mode 100644 (file)
index 0000000..9e9edd2
--- /dev/null
@@ -0,0 +1,111 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Ben Skeggs <bskeggs@redhat.com>
+Date: Tue, 4 Sep 2018 15:57:11 +1000
+Subject: drm/nouveau/disp/gm200-: enforce identity-mapped SOR assignment for LVDS/eDP panels
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+[ Upstream commit 53b0cc46f27cfc2cadca609b503a7d92b5185a47 ]
+
+Fixes eDP backlight issues on more recent laptops.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c |   14 ++++++++++++++
+ drivers/gpu/drm/nouveau/nvkm/engine/disp/ior.h  |    1 +
+ drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c |   15 ++++++++++++---
+ drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h |    1 +
+ 4 files changed, 28 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c
+@@ -275,6 +275,7 @@ nvkm_disp_oneinit(struct nvkm_engine *en
+       struct nvkm_outp *outp, *outt, *pair;
+       struct nvkm_conn *conn;
+       struct nvkm_head *head;
++      struct nvkm_ior *ior;
+       struct nvbios_connE connE;
+       struct dcb_output dcbE;
+       u8  hpd = 0, ver, hdr;
+@@ -399,6 +400,19 @@ nvkm_disp_oneinit(struct nvkm_engine *en
+                       return ret;
+       }
++      /* Enforce identity-mapped SOR assignment for panels, which have
++       * certain bits (ie. backlight controls) wired to a specific SOR.
++       */
++      list_for_each_entry(outp, &disp->outp, head) {
++              if (outp->conn->info.type == DCB_CONNECTOR_LVDS ||
++                  outp->conn->info.type == DCB_CONNECTOR_eDP) {
++                      ior = nvkm_ior_find(disp, SOR, ffs(outp->info.or) - 1);
++                      if (!WARN_ON(!ior))
++                              ior->identity = true;
++                      outp->identity = true;
++              }
++      }
++
+       i = 0;
+       list_for_each_entry(head, &disp->head, head)
+               i = max(i, head->id + 1);
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/ior.h
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/ior.h
+@@ -16,6 +16,7 @@ struct nvkm_ior {
+       char name[8];
+       struct list_head head;
++      bool identity;
+       struct nvkm_ior_state {
+               struct nvkm_outp *outp;
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c
+@@ -129,17 +129,26 @@ nvkm_outp_acquire(struct nvkm_outp *outp
+       if (proto == UNKNOWN)
+               return -ENOSYS;
++      /* Deal with panels requiring identity-mapped SOR assignment. */
++      if (outp->identity) {
++              ior = nvkm_ior_find(outp->disp, SOR, ffs(outp->info.or) - 1);
++              if (WARN_ON(!ior))
++                      return -ENOSPC;
++              return nvkm_outp_acquire_ior(outp, user, ior);
++      }
++
+       /* First preference is to reuse the OR that is currently armed
+        * on HW, if any, in order to prevent unnecessary switching.
+        */
+       list_for_each_entry(ior, &outp->disp->ior, head) {
+-              if (!ior->asy.outp && ior->arm.outp == outp)
++              if (!ior->identity && !ior->asy.outp && ior->arm.outp == outp)
+                       return nvkm_outp_acquire_ior(outp, user, ior);
+       }
+       /* Failing that, a completely unused OR is the next best thing. */
+       list_for_each_entry(ior, &outp->disp->ior, head) {
+-              if (!ior->asy.outp && ior->type == type && !ior->arm.outp &&
++              if (!ior->identity &&
++                  !ior->asy.outp && ior->type == type && !ior->arm.outp &&
+                   (ior->func->route.set || ior->id == __ffs(outp->info.or)))
+                       return nvkm_outp_acquire_ior(outp, user, ior);
+       }
+@@ -148,7 +157,7 @@ nvkm_outp_acquire(struct nvkm_outp *outp
+        * but will be released during the next modeset.
+        */
+       list_for_each_entry(ior, &outp->disp->ior, head) {
+-              if (!ior->asy.outp && ior->type == type &&
++              if (!ior->identity && !ior->asy.outp && ior->type == type &&
+                   (ior->func->route.set || ior->id == __ffs(outp->info.or)))
+                       return nvkm_outp_acquire_ior(outp, user, ior);
+       }
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h
+@@ -17,6 +17,7 @@ struct nvkm_outp {
+       struct list_head head;
+       struct nvkm_conn *conn;
++      bool identity;
+       /* Assembly state. */
+ #define NVKM_OUTP_PRIV 1
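Review bot: In `nvkm_disp_oneinit()` the new loop sets `outp->identity = true` even when `nvkm_ior_find()` returned NULL and the `WARN_ON` fired. Every later `nvkm_outp_acquire()` for that output then repeats the failed lookup, warns again and returns `-ENOSPC`. If permanently failing such a panel is intended, a comment should say so; otherwise set both flags only on success: `if (!WARN_ON(!ior)) { ior->identity = true; outp->identity = true; }`. The lookup also uses `ffs(outp->info.or) - 1` where the existing code below uses `__ffs(outp->info.or)`, and an `or` mask of zero would yield an id of -1 here, so a guard or a shared helper for the two call sites would be cleaner.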
diff --git a/queue-4.18/drm-nouveau-fix-oops-in-client-init-failure-path.patch b/queue-4.18/drm-nouveau-fix-oops-in-client-init-failure-path.patch
new file mode 100644 (file)
index 0000000..13c859d
--- /dev/null
@@ -0,0 +1,74 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Ben Skeggs <bskeggs@redhat.com>
+Date: Tue, 28 Aug 2018 14:10:34 +1000
+Subject: drm/nouveau: fix oops in client init failure path
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+[ Upstream commit a43b16dda2d7485f5c5aed075c1dc9785e339515 ]
+
+The NV_ERROR macro requires drm->client to be initialised, which it may not
+be at this stage of the init process.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_drm.c |   14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
+@@ -230,7 +230,7 @@ nouveau_cli_init(struct nouveau_drm *drm
+               mutex_unlock(&drm->master.lock);
+       }
+       if (ret) {
+-              NV_ERROR(drm, "Client allocation failed: %d\n", ret);
++              NV_PRINTK(err, cli, "Client allocation failed: %d\n", ret);
+               goto done;
+       }
+@@ -240,37 +240,37 @@ nouveau_cli_init(struct nouveau_drm *drm
+                              }, sizeof(struct nv_device_v0),
+                              &cli->device);
+       if (ret) {
+-              NV_ERROR(drm, "Device allocation failed: %d\n", ret);
++              NV_PRINTK(err, cli, "Device allocation failed: %d\n", ret);
+               goto done;
+       }
+       ret = nvif_mclass(&cli->device.object, mmus);
+       if (ret < 0) {
+-              NV_ERROR(drm, "No supported MMU class\n");
++              NV_PRINTK(err, cli, "No supported MMU class\n");
+               goto done;
+       }
+       ret = nvif_mmu_init(&cli->device.object, mmus[ret].oclass, &cli->mmu);
+       if (ret) {
+-              NV_ERROR(drm, "MMU allocation failed: %d\n", ret);
++              NV_PRINTK(err, cli, "MMU allocation failed: %d\n", ret);
+               goto done;
+       }
+       ret = nvif_mclass(&cli->mmu.object, vmms);
+       if (ret < 0) {
+-              NV_ERROR(drm, "No supported VMM class\n");
++              NV_PRINTK(err, cli, "No supported VMM class\n");
+               goto done;
+       }
+       ret = nouveau_vmm_init(cli, vmms[ret].oclass, &cli->vmm);
+       if (ret) {
+-              NV_ERROR(drm, "VMM allocation failed: %d\n", ret);
++              NV_PRINTK(err, cli, "VMM allocation failed: %d\n", ret);
+               goto done;
+       }
+       ret = nvif_mclass(&cli->mmu.object, mems);
+       if (ret < 0) {
+-              NV_ERROR(drm, "No supported MEM class\n");
++              NV_PRINTK(err, cli, "No supported MEM class\n");
+               goto done;
+       }
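Review bot: Every failure path in these two hunks of `nouveau_cli_init()` now logs through `NV_PRINTK(err, cli, ...)`, but nothing in the code says why `cli` is safe to use here when `drm->client` is not. Which fields of `cli` the macro reads, and where they are set, is not visible in the hunks. A comment at the first replaced call would keep the reason with the code, for example `/* drm->client may not be initialised yet, so log via cli rather than NV_ERROR(drm, ...) */`. The function begins and ends outside the hunks.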
diff --git a/queue-4.18/drm-nouveau-mmu-don-t-attempt-to-dereference-vmm-without-valid-instance-pointer.patch b/queue-4.18/drm-nouveau-mmu-don-t-attempt-to-dereference-vmm-without-valid-instance-pointer.patch
new file mode 100644 (file)
index 0000000..e7cd6b6
--- /dev/null
@@ -0,0 +1,29 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Ben Skeggs <bskeggs@redhat.com>
+Date: Tue, 28 Aug 2018 14:10:42 +1000
+Subject: drm/nouveau/mmu: don't attempt to dereference vmm without valid instance pointer
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+[ Upstream commit 51ed833c881b9d96557c773f6a37018d79e29a46 ]
+
+Fixes oopses in certain failure paths.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
+@@ -1423,7 +1423,7 @@ nvkm_vmm_get(struct nvkm_vmm *vmm, u8 pa
+ void
+ nvkm_vmm_part(struct nvkm_vmm *vmm, struct nvkm_memory *inst)
+ {
+-      if (vmm->func->part && inst) {
++      if (inst && vmm->func->part) {
+               mutex_lock(&vmm->mutex);
+               vmm->func->part(vmm, inst);
+               mutex_unlock(&vmm->mutex);
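Review bot: In `nvkm_vmm_part()` the reordered test `if (inst && vmm->func->part)` avoids dereferencing `vmm` only when `inst` is NULL. With a non-NULL `inst` and an invalid `vmm` the dereference still happens, so the fix rests on a caller contract that the code does not state. A comment above the condition would record it, e.g. `/* inst is NULL on the failure paths where vmm may not be valid, so test it before touching vmm */`, with the wording to be confirmed against the callers, which are not visible here. The closing brace of the function lies outside the hunk.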
diff --git a/queue-4.18/drm-nouveau-tbddevinit-don-t-fail-when-pmu-pre_os-is-missing-from-vbios.patch b/queue-4.18/drm-nouveau-tbddevinit-don-t-fail-when-pmu-pre_os-is-missing-from-vbios.patch
new file mode 100644 (file)
index 0000000..cf60119
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Ben Skeggs <bskeggs@redhat.com>
+Date: Tue, 4 Sep 2018 15:56:57 +1000
+Subject: drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+[ Upstream commit 0a6986c6595e9afd20ff7280dab36431c1e467f8 ]
+
+This Falcon application doesn't appear to be present on some newer
+systems, so let's not fail init if we can't find it.
+
+TBD: is there a way to determine whether it *should* be there?
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/subdev/devinit/gm200.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/devinit/gm200.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/devinit/gm200.c
+@@ -158,7 +158,8 @@ gm200_devinit_post(struct nvkm_devinit *
+       }
+       /* load and execute some other ucode image (bios therm?) */
+-      return pmu_load(init, 0x01, post, NULL, NULL);
++      pmu_load(init, 0x01, post, NULL, NULL);
++      return 0;
+ }
+ static const struct nvkm_devinit_func
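Review bot: At the end of `gm200_devinit_post()` the new `pmu_load(init, 0x01, post, NULL, NULL); return 0;` discards every failure from `pmu_load()`, not only the missing-image case the description is about. A load or execution error for an image that is present would now be reported as success. If `pmu_load()` returns a distinguishable code for "not found" (not visible in this hunk), filter on that code and propagate the rest. Otherwise at least say that the result is ignored on purpose, e.g. `/* PMU/PRE_OS is absent on some newer boards; result deliberately ignored */`. The start of the function lies outside the hunk.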
diff --git a/queue-4.18/fs-cifs-suppress-a-string-overflow-warning.patch b/queue-4.18/fs-cifs-suppress-a-string-overflow-warning.patch
new file mode 100644 (file)
index 0000000..7ebf814
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Stephen Rothwell <sfr@canb.auug.org.au>
+Date: Mon, 3 Sep 2018 13:15:58 +1000
+Subject: fs/cifs: suppress a string overflow warning
+
+From: Stephen Rothwell <sfr@canb.auug.org.au>
+
+[ Upstream commit bcfb84a996f6fa90b5e6e2954b2accb7a4711097 ]
+
+A powerpc build of cifs with gcc v8.2.0 produces this warning:
+
+fs/cifs/cifssmb.c: In function ‘CIFSSMBNegotiate’:
+fs/cifs/cifssmb.c:605:3: warning: ‘strncpy’ writing 16 bytes into a region of size 1 overflows the destination [-Wstringop-overflow=]
+   strncpy(pSMB->DialectsArray+count, protocols[i].name, 16);
+   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Since we are already doing a strlen() on the source, change the strncpy
+to a memcpy().
+
+Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifssmb.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -601,10 +601,15 @@ CIFSSMBNegotiate(const unsigned int xid,
+       }
+       count = 0;
++      /*
++       * We know that all the name entries in the protocols array
++       * are short (< 16 bytes anyway) and are NUL terminated.
++       */
+       for (i = 0; i < CIFS_NUM_PROT; i++) {
+-              strncpy(pSMB->DialectsArray+count, protocols[i].name, 16);
+-              count += strlen(protocols[i].name) + 1;
+-              /* null at end of source and target buffers anyway */
++              size_t len = strlen(protocols[i].name) + 1;
++
++              memcpy(pSMB->DialectsArray+count, protocols[i].name, len);
++              count += len;
+       }
+       inc_rfc1001_len(pSMB, count);
+       pSMB->ByteCount = cpu_to_le16(count);
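Review bot: In the `CIFS_NUM_PROT` loop of `CIFSSMBNegotiate()` the new `memcpy(pSMB->DialectsArray+count, protocols[i].name, len)` is bounded only by `strlen()` of the source, so the write is safe only while the added comment's claim about the `protocols` table holds. The 16-byte per-entry cap that `strncpy()` imposed is gone, and no check of `count + len` against the room left in the request buffer is visible in the hunk. The compiler warning quoted in the description treats the destination as a region of size 1, so nothing enforces the bound at build time either. The comment should say where the total room for the dialect strings is guaranteed, and a cheap guard such as `if (WARN_ON_ONCE(len > 16)) break;` would keep a future table change from becoming an out-of-bounds write. The function starts and ends outside the hunk.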
diff --git a/queue-4.18/hexagon-modify-ffs-and-fls-to-return-int.patch b/queue-4.18/hexagon-modify-ffs-and-fls-to-return-int.patch
new file mode 100644 (file)
index 0000000..268fea1
--- /dev/null
@@ -0,0 +1,56 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sun, 22 Jul 2018 16:03:58 -0700
+Subject: hexagon: modify ffs() and fls() to return int
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 5c41aaad409c097cf1ef74f2c649fed994744ef5 ]
+
+Building drivers/mtd/nand/raw/nandsim.c on arch/hexagon/ produces a
+printk format build warning.  This is due to hexagon's ffs() being
+coded as returning long instead of int.
+
+Fix the printk format warning by changing all of hexagon's ffs() and
+fls() functions to return int instead of long.  The variables that
+they return are already int instead of long.  This return type
+matches the return type in <asm-generic/bitops/>.
+
+../drivers/mtd/nand/raw/nandsim.c: In function 'init_nandsim':
+../drivers/mtd/nand/raw/nandsim.c:760:2: warning: format '%u' expects argument of type 'unsigned int', but argument 2 has type 'long int' [-Wformat]
+
+There are no ffs() or fls() allmodconfig build errors after making this
+change.
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Richard Kuo <rkuo@codeaurora.org>
+Cc: linux-hexagon@vger.kernel.org
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Patch-mainline: linux-kernel @ 07/22/2018, 16:03
+Signed-off-by: Richard Kuo <rkuo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/hexagon/include/asm/bitops.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/hexagon/include/asm/bitops.h
++++ b/arch/hexagon/include/asm/bitops.h
+@@ -211,7 +211,7 @@ static inline long ffz(int x)
+  * This is defined the same way as ffs.
+  * Note fls(0) = 0, fls(1) = 1, fls(0x80000000) = 32.
+  */
+-static inline long fls(int x)
++static inline int fls(int x)
+ {
+       int r;
+@@ -232,7 +232,7 @@ static inline long fls(int x)
+  * the libc and compiler builtin ffs routines, therefore
+  * differs in spirit from the above ffz (man ffs).
+  */
+-static inline long ffs(int x)
++static inline int ffs(int x)
+ {
+       int r;
diff --git a/queue-4.18/hid-add-support-for-apple-magic-keyboards.patch b/queue-4.18/hid-add-support-for-apple-magic-keyboards.patch
new file mode 100644 (file)
index 0000000..584ed75
--- /dev/null
@@ -0,0 +1,76 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Sean O'Brien <seobrien@chromium.org>
+Date: Mon, 27 Aug 2018 13:02:15 -0700
+Subject: HID: add support for Apple Magic Keyboards
+
+From: Sean O'Brien <seobrien@chromium.org>
+
+[ Upstream commit ee345492437043a79db058a3d4f029ebcb52089a ]
+
+USB device
+       Vendor 05ac (Apple)
+       Device 026c (Magic Keyboard with Numeric Keypad)
+
+Bluetooth devices
+       Vendor 004c (Apple)
+       Device 0267 (Magic Keyboard)
+       Device 026c (Magic Keyboard with Numeric Keypad)
+
+Support already exists for the Magic Keyboard over USB connection.
+Add support for the Magic Keyboard over Bluetooth connection, and for
+the Magic Keyboard with Numeric Keypad over Bluetooth and USB
+connection.
+
+Signed-off-by: Sean O'Brien <seobrien@chromium.org>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-apple.c |    9 ++++++++-
+ drivers/hid/hid-ids.h   |    2 ++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-apple.c
++++ b/drivers/hid/hid-apple.c
+@@ -335,7 +335,8 @@ static int apple_input_mapping(struct hi
+               struct hid_field *field, struct hid_usage *usage,
+               unsigned long **bit, int *max)
+ {
+-      if (usage->hid == (HID_UP_CUSTOM | 0x0003)) {
++      if (usage->hid == (HID_UP_CUSTOM | 0x0003) ||
++                      usage->hid == (HID_UP_MSVENDOR | 0x0003)) {
+               /* The fn key on Apple USB keyboards */
+               set_bit(EV_REP, hi->input->evbit);
+               hid_map_usage_clear(hi, usage, bit, max, EV_KEY, KEY_FN);
+@@ -472,6 +473,12 @@ static const struct hid_device_id apple_
+               .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN },
+       { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_ANSI),
+               .driver_data = APPLE_HAS_FN },
++      { HID_BLUETOOTH_DEVICE(BT_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_ANSI),
++              .driver_data = APPLE_HAS_FN },
++      { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_NUMPAD_ANSI),
++              .driver_data = APPLE_HAS_FN },
++      { HID_BLUETOOTH_DEVICE(BT_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_NUMPAD_ANSI),
++              .driver_data = APPLE_HAS_FN },
+       { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING_ANSI),
+               .driver_data = APPLE_HAS_FN },
+       { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING_ISO),
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -88,6 +88,7 @@
+ #define USB_DEVICE_ID_ANTON_TOUCH_PAD 0x3101
+ #define USB_VENDOR_ID_APPLE           0x05ac
++#define BT_VENDOR_ID_APPLE            0x004c
+ #define USB_DEVICE_ID_APPLE_MIGHTYMOUSE       0x0304
+ #define USB_DEVICE_ID_APPLE_MAGICMOUSE        0x030d
+ #define USB_DEVICE_ID_APPLE_MAGICTRACKPAD     0x030e
+@@ -157,6 +158,7 @@
+ #define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_ISO   0x0256
+ #define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_JIS   0x0257
+ #define USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_ANSI   0x0267
++#define USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_NUMPAD_ANSI   0x026c
+ #define USB_DEVICE_ID_APPLE_WELLSPRING8_ANSI  0x0290
+ #define USB_DEVICE_ID_APPLE_WELLSPRING8_ISO   0x0291
+ #define USB_DEVICE_ID_APPLE_WELLSPRING8_JIS   0x0292
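Review bot: In `apple_input_mapping()` the condition now also accepts `HID_UP_MSVENDOR | 0x0003`, presumably for the newly added devices, but the comment under it still reads `/* The fn key on Apple USB keyboards */`. Something like `/* The fn key on Apple USB and Bluetooth keyboards */` would match the code. The new `HID_BLUETOOTH_DEVICE(BT_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_ANSI)` entries pair a Bluetooth vendor ID with `USB_DEVICE_ID_*` product names. A one-line comment next to `#define BT_VENDOR_ID_APPLE` saying that the product IDs are shared across transports would stop a reader from taking that for a copy-paste mistake.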
diff --git a/queue-4.18/hid-hid-saitek-add-device-id-for-rat-7-contagion.patch b/queue-4.18/hid-hid-saitek-add-device-id-for-rat-7-contagion.patch
new file mode 100644 (file)
index 0000000..ed63ba7
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Harry Mallon <hjmallon@gmail.com>
+Date: Tue, 28 Aug 2018 22:51:29 +0100
+Subject: HID: hid-saitek: Add device ID for RAT 7 Contagion
+
+From: Harry Mallon <hjmallon@gmail.com>
+
+[ Upstream commit 43822c98f2ebb2cbd5e467ab72bbcdae7f0caa22 ]
+
+Signed-off-by: Harry Mallon <hjmallon@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-ids.h    |    1 +
+ drivers/hid/hid-saitek.c |    2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -951,6 +951,7 @@
+ #define USB_DEVICE_ID_SAITEK_RUMBLEPAD        0xff17
+ #define USB_DEVICE_ID_SAITEK_PS1000   0x0621
+ #define USB_DEVICE_ID_SAITEK_RAT7_OLD 0x0ccb
++#define USB_DEVICE_ID_SAITEK_RAT7_CONTAGION   0x0ccd
+ #define USB_DEVICE_ID_SAITEK_RAT7     0x0cd7
+ #define USB_DEVICE_ID_SAITEK_RAT9     0x0cfa
+ #define USB_DEVICE_ID_SAITEK_MMO7     0x0cd0
+--- a/drivers/hid/hid-saitek.c
++++ b/drivers/hid/hid-saitek.c
+@@ -183,6 +183,8 @@ static const struct hid_device_id saitek
+               .driver_data = SAITEK_RELEASE_MODE_RAT7 },
+       { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_RAT7),
+               .driver_data = SAITEK_RELEASE_MODE_RAT7 },
++      { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_RAT7_CONTAGION),
++              .driver_data = SAITEK_RELEASE_MODE_RAT7 },
+       { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_RAT9),
+               .driver_data = SAITEK_RELEASE_MODE_RAT7 },
+       { HID_USB_DEVICE(USB_VENDOR_ID_MADCATZ, USB_DEVICE_ID_MADCATZ_RAT9),
diff --git a/queue-4.18/hid-i2c-hid-don-t-reset-device-upon-system-resume.patch b/queue-4.18/hid-i2c-hid-don-t-reset-device-upon-system-resume.patch
new file mode 100644 (file)
index 0000000..02fa4be
--- /dev/null
@@ -0,0 +1,85 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Thu, 6 Sep 2018 10:55:18 +0800
+Subject: HID: i2c-hid: Don't reset device upon system resume
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 52cf93e63ee672a92f349edc6ddad86ec8808fd8 ]
+
+Raydium touchscreen triggers interrupt storm after system-wide suspend:
+
+       [ 179.085033] i2c_hid i2c-CUST0000:00: i2c_hid_get_input: incomplete report (58/65535)
+
+According to Raydium, Windows driver does not reset the device after system
+resume.
+
+The HID over I2C spec does specify a reset should be used at intialization, but
+it doesn't specify if reset is required for system suspend.
+
+Tested this patch on other i2c-hid touchpanels I have and those touchpanels do
+work after S3 without doing reset. If any regression happens to other
+touchpanel vendors, we can use quirk for Raydium devices.
+
+There's still one device uses I2C_HID_QUIRK_RESEND_REPORT_DESCR so keep it
+there.
+
+Cc: Aaron Ma <aaron.ma@canonical.com>
+Cc: AceLan Kao <acelan.kao@canonical.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-ids.h         |    4 ----
+ drivers/hid/i2c-hid/i2c-hid.c |   13 +++++++------
+ 2 files changed, 7 insertions(+), 10 deletions(-)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -528,10 +528,6 @@
+ #define I2C_VENDOR_ID_HANTICK         0x0911
+ #define I2C_PRODUCT_ID_HANTICK_5288   0x5288
+-#define I2C_VENDOR_ID_RAYD            0x2386
+-#define I2C_PRODUCT_ID_RAYD_3118      0x3118
+-#define I2C_PRODUCT_ID_RAYD_4B33      0x4B33
+-
+ #define USB_VENDOR_ID_HANWANG         0x0b57
+ #define USB_DEVICE_ID_HANWANG_TABLET_FIRST    0x5000
+ #define USB_DEVICE_ID_HANWANG_TABLET_LAST     0x8fff
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -170,12 +170,8 @@ static const struct i2c_hid_quirks {
+               I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV },
+       { I2C_VENDOR_ID_HANTICK, I2C_PRODUCT_ID_HANTICK_5288,
+               I2C_HID_QUIRK_NO_IRQ_AFTER_RESET },
+-      { I2C_VENDOR_ID_RAYD, I2C_PRODUCT_ID_RAYD_3118,
+-              I2C_HID_QUIRK_RESEND_REPORT_DESCR },
+       { USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS10FB_TOUCH,
+               I2C_HID_QUIRK_RESEND_REPORT_DESCR },
+-      { I2C_VENDOR_ID_RAYD, I2C_PRODUCT_ID_RAYD_4B33,
+-              I2C_HID_QUIRK_RESEND_REPORT_DESCR },
+       { 0, 0 }
+ };
+@@ -1237,11 +1233,16 @@ static int i2c_hid_resume(struct device
+       pm_runtime_enable(dev);
+       enable_irq(client->irq);
+-      ret = i2c_hid_hwreset(client);
++
++      /* Instead of resetting device, simply powers the device on. This
++       * solves "incomplete reports" on Raydium devices 2386:3118 and
++       * 2386:4B33
++       */
++      ret = i2c_hid_set_power(client, I2C_HID_PWR_ON);
+       if (ret)
+               return ret;
+-      /* RAYDIUM device (2386:3118) need to re-send report descr cmd
++      /* Some devices need to re-send report descr cmd
+        * after resume, after this it will be back normal.
+        * otherwise it issues too many incomplete reports.
+        */
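Review bot: In `i2c_hid_resume()` the new comment above `i2c_hid_set_power(client, I2C_HID_PWR_ON)` names only the Raydium devices, while the call now replaces the reset on resume for every i2c-hid device. The comment should say that the change is global and why that is believed safe, e.g. `/* No reset on resume for any device: the HID over I2C spec only asks for one at initialization; add a quirk if a device turns out to need it */`. The rewritten second comment ("Some devices need to re-send report descr cmd") no longer says which devices; naming `I2C_HID_QUIRK_RESEND_REPORT_DESCR` there would point the reader at the quirk table. The function body continues outside the hunk.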
diff --git a/queue-4.18/hid-intel-ish-hid-enable-sunrise-point-h-ish-driver.patch b/queue-4.18/hid-intel-ish-hid-enable-sunrise-point-h-ish-driver.patch
new file mode 100644 (file)
index 0000000..c7f7389
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Andreas Bosch <linux@progandy.de>
+Date: Fri, 17 Aug 2018 22:16:00 +0200
+Subject: HID: intel-ish-hid: Enable Sunrise Point-H ish driver
+
+From: Andreas Bosch <linux@progandy.de>
+
+[ Upstream commit e0ab8b26aa9661df0541a657e2b2416d90488809 ]
+
+Added PCI ID for Sunrise Point-H ISH.
+
+Signed-off-by: Andreas Bosch <linux@progandy.de>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/intel-ish-hid/ipc/hw-ish.h  |    1 +
+ drivers/hid/intel-ish-hid/ipc/pci-ish.c |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/hid/intel-ish-hid/ipc/hw-ish.h
++++ b/drivers/hid/intel-ish-hid/ipc/hw-ish.h
+@@ -29,6 +29,7 @@
+ #define CNL_Ax_DEVICE_ID      0x9DFC
+ #define GLK_Ax_DEVICE_ID      0x31A2
+ #define CNL_H_DEVICE_ID               0xA37C
++#define SPT_H_DEVICE_ID               0xA135
+ #define       REVISION_ID_CHT_A0      0x6
+ #define       REVISION_ID_CHT_Ax_SI   0x0
+--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c
++++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
+@@ -38,6 +38,7 @@ static const struct pci_device_id ish_pc
+       {PCI_DEVICE(PCI_VENDOR_ID_INTEL, CNL_Ax_DEVICE_ID)},
+       {PCI_DEVICE(PCI_VENDOR_ID_INTEL, GLK_Ax_DEVICE_ID)},
+       {PCI_DEVICE(PCI_VENDOR_ID_INTEL, CNL_H_DEVICE_ID)},
++      {PCI_DEVICE(PCI_VENDOR_ID_INTEL, SPT_H_DEVICE_ID)},
+       {0, }
+ };
+ MODULE_DEVICE_TABLE(pci, ish_pci_tbl);
diff --git a/queue-4.18/hid-sensor-hub-restore-fixup-for-lenovo-thinkpad-helix-2-sensor-hub-report.patch b/queue-4.18/hid-sensor-hub-restore-fixup-for-lenovo-thinkpad-helix-2-sensor-hub-report.patch
new file mode 100644 (file)
index 0000000..7a9f7eb
--- /dev/null
@@ -0,0 +1,69 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 18 Aug 2018 10:12:08 +0200
+Subject: HID: sensor-hub: Restore fixup for Lenovo ThinkPad Helix 2 sensor hub report
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit ade573eb1e03d1ee5abcb3359b1259469ab6e8ed ]
+
+Commit b0f847e16c1e ("HID: hid-sensor-hub: Force logical minimum to 1 for
+power and report state") not only replaced the descriptor fixup done for
+devices with the HID_SENSOR_HUB_ENUM_QUIRK with a generic fix, but also
+accidentally removed the unrelated descriptor fixup for the Lenovo ThinkPad
+Helix 2 sensor hub. This commit restores this fixup.
+
+Restoring this fixup not only fixes the Lenovo ThinkPad Helix 2's sensors,
+but also the Lenovo ThinkPad 8's sensors.
+
+Fixes: b0f847e16c1e ("HID: hid-sensor-hub: Force logical minimum ...")
+Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Cc: Fernando D S Lima <fernandodsl@gmail.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-sensor-hub.c |   23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/drivers/hid/hid-sensor-hub.c
++++ b/drivers/hid/hid-sensor-hub.c
+@@ -579,6 +579,28 @@ void sensor_hub_device_close(struct hid_
+ }
+ EXPORT_SYMBOL_GPL(sensor_hub_device_close);
++static __u8 *sensor_hub_report_fixup(struct hid_device *hdev, __u8 *rdesc,
++              unsigned int *rsize)
++{
++      /*
++       * Checks if the report descriptor of Thinkpad Helix 2 has a logical
++       * minimum for magnetic flux axis greater than the maximum.
++       */
++      if (hdev->product == USB_DEVICE_ID_TEXAS_INSTRUMENTS_LENOVO_YOGA &&
++              *rsize == 2558 && rdesc[913] == 0x17 && rdesc[914] == 0x40 &&
++              rdesc[915] == 0x81 && rdesc[916] == 0x08 &&
++              rdesc[917] == 0x00 && rdesc[918] == 0x27 &&
++              rdesc[921] == 0x07 && rdesc[922] == 0x00) {
++              /* Sets negative logical minimum for mag x, y and z */
++              rdesc[914] = rdesc[935] = rdesc[956] = 0xc0;
++              rdesc[915] = rdesc[936] = rdesc[957] = 0x7e;
++              rdesc[916] = rdesc[937] = rdesc[958] = 0xf7;
++              rdesc[917] = rdesc[938] = rdesc[959] = 0xff;
++      }
++
++      return rdesc;
++}
++
+ static int sensor_hub_probe(struct hid_device *hdev,
+                               const struct hid_device_id *id)
+ {
+@@ -743,6 +765,7 @@ static struct hid_driver sensor_hub_driv
+       .probe = sensor_hub_probe,
+       .remove = sensor_hub_remove,
+       .raw_event = sensor_hub_raw_event,
++      .report_fixup = sensor_hub_report_fixup,
+ #ifdef CONFIG_PM
+       .suspend = sensor_hub_suspend,
+       .resume = sensor_hub_resume,
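Review bot: `sensor_hub_report_fixup()` selects the descriptor to patch by `hdev->product` alone; the vendor ID is not compared. Unless the driver's ID table (not visible here) already restricts it, a device from another vendor that reports the same product ID and a descriptor with these bytes would be rewritten as well. Putting `hdev->vendor == USB_VENDOR_ID_TEXAS_INSTRUMENTS &&` in front of the product test closes that. The accesses up to `rdesc[959]` stay in bounds only because `*rsize == 2558` is evaluated before them, which deserves a comment such as `/* the rsize test must come first: it bounds every rdesc[] index below */`.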
diff --git a/queue-4.18/iio-imu-st_lsm6dsx-take-into-account-ts-samples-in-wm-configuration.patch b/queue-4.18/iio-imu-st_lsm6dsx-take-into-account-ts-samples-in-wm-configuration.patch
new file mode 100644 (file)
index 0000000..b0d4d1c
--- /dev/null
@@ -0,0 +1,59 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Fri, 31 Aug 2018 10:51:14 +0200
+Subject: iio: imu: st_lsm6dsx: take into account ts samples in wm configuration
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+[ Upstream commit a13bf65f3f2e36008ea60b49d3bda2527e09fd9c ]
+
+Take into account hw timer samples in pattern length computation done
+in st_lsm6dsx_update_watermark routine for watermark configuration.
+Moreover use samples in pattern (sip) already computed in
+st_lsm6dsx_update_decimators routine
+
+Fixes: 213451076bd3 ("iio: imu: st_lsm6dsx: add hw timestamp support")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c |   13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
+@@ -187,12 +187,15 @@ static int st_lsm6dsx_set_fifo_odr(struc
+ int st_lsm6dsx_update_watermark(struct st_lsm6dsx_sensor *sensor, u16 watermark)
+ {
+-      u16 fifo_watermark = ~0, cur_watermark, sip = 0, fifo_th_mask;
++      u16 fifo_watermark = ~0, cur_watermark, fifo_th_mask;
+       struct st_lsm6dsx_hw *hw = sensor->hw;
+       struct st_lsm6dsx_sensor *cur_sensor;
+       int i, err, data;
+       __le16 wdata;
++      if (!hw->sip)
++              return 0;
++
+       for (i = 0; i < ST_LSM6DSX_ID_MAX; i++) {
+               cur_sensor = iio_priv(hw->iio_devs[i]);
+@@ -203,14 +206,10 @@ int st_lsm6dsx_update_watermark(struct s
+                                                      : cur_sensor->watermark;
+               fifo_watermark = min_t(u16, fifo_watermark, cur_watermark);
+-              sip += cur_sensor->sip;
+       }
+-      if (!sip)
+-              return 0;
+-
+-      fifo_watermark = max_t(u16, fifo_watermark, sip);
+-      fifo_watermark = (fifo_watermark / sip) * sip;
++      fifo_watermark = max_t(u16, fifo_watermark, hw->sip);
++      fifo_watermark = (fifo_watermark / hw->sip) * hw->sip;
+       fifo_watermark = fifo_watermark * hw->settings->fifo_ops.th_wl;
+       err = regmap_read(hw->regmap, hw->settings->fifo_ops.fifo_th.addr + 1,
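Review bot: `st_lsm6dsx_update_watermark()` now divides by `hw->sip` and returns early when it is zero, so it silently does nothing unless `hw->sip` has already been filled in. The description says `st_lsm6dsx_update_decimators()` computes that value, but the ordering requirement is not recorded in the code. A comment above the new guard would keep it there, e.g. `/* hw->sip is computed by st_lsm6dsx_update_decimators(); nothing to configure until it has run */`. Whether `hw->sip` is read under the same lock that protects its update cannot be told from these hunks, and the rest of the function lies outside them.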
diff --git a/queue-4.18/net-ena-fix-device-destruction-to-gracefully-free-resources.patch b/queue-4.18/net-ena-fix-device-destruction-to-gracefully-free-resources.patch
new file mode 100644 (file)
index 0000000..911d7a1
--- /dev/null
@@ -0,0 +1,86 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Netanel Belgazal <netanel@amazon.com>
+Date: Sun, 9 Sep 2018 08:15:22 +0000
+Subject: net: ena: fix device destruction to gracefully free resources
+
+From: Netanel Belgazal <netanel@amazon.com>
+
+[ Upstream commit cfa324a514233b28a6934de619183eee941f02d7 ]
+
+When ena_destroy_device() is called from ena_suspend(), the device is
+still reachable from the driver. Therefore, the driver can send a command
+to the device to free all resources.
+However, in all other cases of calling ena_destroy_device(), the device is
+potentially in an error state and unreachable from the driver. In these
+cases the driver must not send commands to the device.
+
+The current implementation does not request resource freeing from the
+device even when possible. We add the graceful parameter to
+ena_destroy_device() to enable resource freeing when possible, and
+use it in ena_suspend().
+
+Signed-off-by: Netanel Belgazal <netanel@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -76,7 +76,7 @@ MODULE_DEVICE_TABLE(pci, ena_pci_tbl);
+ static int ena_rss_init_default(struct ena_adapter *adapter);
+ static void check_for_admin_com_state(struct ena_adapter *adapter);
+-static void ena_destroy_device(struct ena_adapter *adapter);
++static void ena_destroy_device(struct ena_adapter *adapter, bool graceful);
+ static int ena_restore_device(struct ena_adapter *adapter);
+ static void ena_tx_timeout(struct net_device *dev)
+@@ -1900,7 +1900,7 @@ static int ena_close(struct net_device *
+                         "Destroy failure, restarting device\n");
+               ena_dump_stats_to_dmesg(adapter);
+               /* rtnl lock already obtained in dev_ioctl() layer */
+-              ena_destroy_device(adapter);
++              ena_destroy_device(adapter, false);
+               ena_restore_device(adapter);
+       }
+@@ -2549,7 +2549,7 @@ err_disable_msix:
+       return rc;
+ }
+-static void ena_destroy_device(struct ena_adapter *adapter)
++static void ena_destroy_device(struct ena_adapter *adapter, bool graceful)
+ {
+       struct net_device *netdev = adapter->netdev;
+       struct ena_com_dev *ena_dev = adapter->ena_dev;
+@@ -2562,7 +2562,8 @@ static void ena_destroy_device(struct en
+       dev_up = test_bit(ENA_FLAG_DEV_UP, &adapter->flags);
+       adapter->dev_up_before_reset = dev_up;
+-      ena_com_set_admin_running_state(ena_dev, false);
++      if (!graceful)
++              ena_com_set_admin_running_state(ena_dev, false);
+       if (test_bit(ENA_FLAG_DEV_UP, &adapter->flags))
+               ena_down(adapter);
+@@ -2664,7 +2665,7 @@ static void ena_fw_reset_device(struct w
+               return;
+       }
+       rtnl_lock();
+-      ena_destroy_device(adapter);
++      ena_destroy_device(adapter, false);
+       ena_restore_device(adapter);
+       rtnl_unlock();
+ }
+@@ -3466,7 +3467,7 @@ static int ena_suspend(struct pci_dev *p
+                       "ignoring device reset request as the device is being suspended\n");
+               clear_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags);
+       }
+-      ena_destroy_device(adapter);
++      ena_destroy_device(adapter, true);
+       rtnl_unlock();
+       return 0;
+ }
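Review bot: The bare `true`/`false` passed at the three call sites of `ena_destroy_device()` does not say what is being chosen. The guard `if (!graceful) ena_com_set_admin_running_state(ena_dev, false);` also reads as a double negative, with no explanation of why a graceful teardown leaves the admin queue running. A comment above the guard would carry the reasoning from the description, e.g. `/* keep the admin queue running on a graceful teardown so the device can be told to free its resources */`. A short doc comment on the function should add that `graceful` may be true only while the device is known to be reachable, since the description says commands must not be sent to a device that may be in an error state.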
diff --git a/queue-4.18/net-ena-fix-driver-when-page_size-64kb.patch b/queue-4.18/net-ena-fix-driver-when-page_size-64kb.patch
new file mode 100644 (file)
index 0000000..dc83f0b
--- /dev/null
@@ -0,0 +1,86 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Netanel Belgazal <netanel@amazon.com>
+Date: Sun, 9 Sep 2018 08:15:21 +0000
+Subject: net: ena: fix driver when PAGE_SIZE == 64kB
+
+From: Netanel Belgazal <netanel@amazon.com>
+
+[ Upstream commit ef5b0771d247379c90c8bf1332ff32f7f74bff7f ]
+
+The buffer length field in the ena rx descriptor is 16 bit, and the
+current driver passes a full page in each ena rx descriptor.
+When PAGE_SIZE equals 64kB or more, the buffer length field becomes
+zero.
+To solve this issue, limit the ena Rx descriptor to use 16kB even
+when allocating 64kB kernel pages. This change would not impact ena
+device functionality, as 16kB is still larger than maximum MTU.
+
+Signed-off-by: Netanel Belgazal <netanel@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c |   10 +++++-----
+ drivers/net/ethernet/amazon/ena/ena_netdev.h |   11 +++++++++++
+ 2 files changed, 16 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -461,7 +461,7 @@ static inline int ena_alloc_rx_page(stru
+               return -ENOMEM;
+       }
+-      dma = dma_map_page(rx_ring->dev, page, 0, PAGE_SIZE,
++      dma = dma_map_page(rx_ring->dev, page, 0, ENA_PAGE_SIZE,
+                          DMA_FROM_DEVICE);
+       if (unlikely(dma_mapping_error(rx_ring->dev, dma))) {
+               u64_stats_update_begin(&rx_ring->syncp);
+@@ -478,7 +478,7 @@ static inline int ena_alloc_rx_page(stru
+       rx_info->page_offset = 0;
+       ena_buf = &rx_info->ena_buf;
+       ena_buf->paddr = dma;
+-      ena_buf->len = PAGE_SIZE;
++      ena_buf->len = ENA_PAGE_SIZE;
+       return 0;
+ }
+@@ -495,7 +495,7 @@ static void ena_free_rx_page(struct ena_
+               return;
+       }
+-      dma_unmap_page(rx_ring->dev, ena_buf->paddr, PAGE_SIZE,
++      dma_unmap_page(rx_ring->dev, ena_buf->paddr, ENA_PAGE_SIZE,
+                      DMA_FROM_DEVICE);
+       __free_page(page);
+@@ -916,10 +916,10 @@ static struct sk_buff *ena_rx_skb(struct
+       do {
+               dma_unmap_page(rx_ring->dev,
+                              dma_unmap_addr(&rx_info->ena_buf, paddr),
+-                             PAGE_SIZE, DMA_FROM_DEVICE);
++                             ENA_PAGE_SIZE, DMA_FROM_DEVICE);
+               skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, rx_info->page,
+-                              rx_info->page_offset, len, PAGE_SIZE);
++                              rx_info->page_offset, len, ENA_PAGE_SIZE);
+               netif_dbg(rx_ring->adapter, rx_status, rx_ring->netdev,
+                         "rx skb updated. len %d. data_len %d\n",
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.h
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.h
+@@ -355,4 +355,15 @@ void ena_dump_stats_to_buf(struct ena_ad
+ int ena_get_sset_count(struct net_device *netdev, int sset);
++/* The ENA buffer length fields is 16 bit long. So when PAGE_SIZE == 64kB the
++ * driver passas 0.
++ * Since the max packet size the ENA handles is ~9kB limit the buffer length to
++ * 16kB.
++ */
++#if PAGE_SIZE > SZ_16K
++#define ENA_PAGE_SIZE SZ_16K
++#else
++#define ENA_PAGE_SIZE PAGE_SIZE
++#endif
++
+ #endif /* !(ENA_H) */
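Review bot: In the ena_rx_skb() hunk, `skb_add_rx_frag()` now reports `ENA_PAGE_SIZE` as the fragment's truesize, which under-counts the memory pinned per fragment if the rx buffer is still a whole kernel page (the allocation itself is outside these hunks). On a 64kB-page kernel that would charge 16kB against the socket's receive budget while holding 64kB, weakening the accounting that bounds how much a remote sender can make the host buffer. Capping the DMA mapping and `ena_buf->len` is all the 16-bit descriptor field needs, so the accounting argument could stay `rx_info->page_offset, len, PAGE_SIZE);`. A `BUILD_BUG_ON(ENA_PAGE_SIZE > U16_MAX);` next to the macro's first use would also pin the invariant the new header comment describes.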
diff --git a/queue-4.18/net-ena-fix-missing-calls-to-read_once.patch b/queue-4.18/net-ena-fix-missing-calls-to-read_once.patch
new file mode 100644 (file)
index 0000000..dcb968a
--- /dev/null
@@ -0,0 +1,51 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Netanel Belgazal <netanel@amazon.com>
+Date: Sun, 9 Sep 2018 08:15:25 +0000
+Subject: net: ena: fix missing calls to READ_ONCE
+
+From: Netanel Belgazal <netanel@amazon.com>
+
+[ Upstream commit 28abf4e9c9201eda5c4d29ea609d07e877b464b8 ]
+
+Add READ_ONCE calls where necessary (for example when iterating
+over a memory field that gets updated by the hardware).
+
+Signed-off-by: Netanel Belgazal <netanel@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_com.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_com.c
++++ b/drivers/net/ethernet/amazon/ena/ena_com.c
+@@ -459,7 +459,7 @@ static void ena_com_handle_admin_complet
+       cqe = &admin_queue->cq.entries[head_masked];
+       /* Go over all the completions */
+-      while ((cqe->acq_common_descriptor.flags &
++      while ((READ_ONCE(cqe->acq_common_descriptor.flags) &
+                       ENA_ADMIN_ACQ_COMMON_DESC_PHASE_MASK) == phase) {
+               /* Do not read the rest of the completion entry before the
+                * phase bit was validated
+@@ -637,7 +637,7 @@ static u32 ena_com_reg_bar_read32(struct
+       mmiowb();
+       for (i = 0; i < timeout; i++) {
+-              if (read_resp->req_id == mmio_read->seq_num)
++              if (READ_ONCE(read_resp->req_id) == mmio_read->seq_num)
+                       break;
+               udelay(1);
+@@ -1796,8 +1796,8 @@ void ena_com_aenq_intr_handler(struct en
+       aenq_common = &aenq_e->aenq_common_desc;
+       /* Go over all the events */
+-      while ((aenq_common->flags & ENA_ADMIN_AENQ_COMMON_DESC_PHASE_MASK) ==
+-             phase) {
++      while ((READ_ONCE(aenq_common->flags) &
++              ENA_ADMIN_AENQ_COMMON_DESC_PHASE_MASK) == phase) {
+               pr_debug("AENQ! Group[%x] Syndrom[%x] timestamp: [%llus]\n",
+                        aenq_common->group, aenq_common->syndrom,
+                        (u64)aenq_common->timestamp_low +
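Review bot: `READ_ONCE()` on the phase flags stops the compiler from caching or tearing that load, but it does not order the later reads of the same descriptor after it. In the ena_com_aenq_intr_handler() hunk the `pr_debug()` reads `group`, `syndrom` and the timestamp words immediately after the phase test with no read barrier in view, so those fields could be observed from before the device finished writing the entry. A `dma_rmb();` as the first statement of the loop body would match the comment in the admin-completion hunk ("Do not read the rest of the completion entry before the phase bit was validated"). Both loop bodies continue outside their hunks, so a barrier may already exist further down in the first one.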
diff --git a/queue-4.18/net-ena-fix-missing-lock-during-device-destruction.patch b/queue-4.18/net-ena-fix-missing-lock-during-device-destruction.patch
new file mode 100644 (file)
index 0000000..1a8e099
--- /dev/null
@@ -0,0 +1,57 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Netanel Belgazal <netanel@amazon.com>
+Date: Sun, 9 Sep 2018 08:15:24 +0000
+Subject: net: ena: fix missing lock during device destruction
+
+From: Netanel Belgazal <netanel@amazon.com>
+
+[ Upstream commit 944b28aa2982b4590d4d4dfc777cf85135dca2c0 ]
+
+acquire the rtnl_lock during device destruction to avoid
+using partially destroyed device.
+
+ena_remove() shares almost the same logic as ena_destroy_device(),
+so use ena_destroy_device() and avoid duplications.
+
+Signed-off-by: Netanel Belgazal <netanel@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c |   20 +++++++-------------
+ 1 file changed, 7 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -3420,24 +3420,18 @@ static void ena_remove(struct pci_dev *p
+       unregister_netdev(netdev);
+-      /* Reset the device only if the device is running. */
++      /* If the device is running then we want to make sure the device will be
++       * reset to make sure no more events will be issued by the device.
++       */
+       if (test_bit(ENA_FLAG_DEVICE_RUNNING, &adapter->flags))
+-              ena_com_dev_reset(ena_dev, adapter->reset_reason);
++              set_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags);
+-      ena_free_mgmnt_irq(adapter);
+-
+-      ena_disable_msix(adapter);
++      rtnl_lock();
++      ena_destroy_device(adapter, true);
++      rtnl_unlock();
+       free_netdev(netdev);
+-      ena_com_mmio_reg_read_request_destroy(ena_dev);
+-
+-      ena_com_abort_admin_commands(ena_dev);
+-
+-      ena_com_wait_for_abort_completion(ena_dev);
+-
+-      ena_com_admin_destroy(ena_dev);
+-
+       ena_com_rss_destroy(ena_dev);
+       ena_com_delete_debug_area(ena_dev);
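Review bot: The reset in ena_remove() is now requested indirectly: the hunk only sets `ENA_FLAG_TRIGGER_RESET` and relies on ena_destroy_device() to act on it, and the bare `true` at the call does not say which mode it selects. Neither dependency is visible at the call site, and the body of ena_destroy_device() is outside this hunk, so that the flag is consumed there is an assumption to confirm. I would annotate the call as `ena_destroy_device(adapter, true); /* graceful: admin running state is not cleared first */` and extend the new comment with `the reset itself is issued by ena_destroy_device()` once that is verified.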
diff --git a/queue-4.18/net-ena-fix-potential-double-ena_destroy_device.patch b/queue-4.18/net-ena-fix-potential-double-ena_destroy_device.patch
new file mode 100644 (file)
index 0000000..0aeee9e
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Netanel Belgazal <netanel@amazon.com>
+Date: Sun, 9 Sep 2018 08:15:23 +0000
+Subject: net: ena: fix potential double ena_destroy_device()
+
+From: Netanel Belgazal <netanel@amazon.com>
+
+[ Upstream commit fe870c77efdf8682252545cbd3d29800d8379efc ]
+
+ena_destroy_device() can potentially be called twice.
+To avoid this, check that the device is running and
+only then proceed destroying it.
+
+Signed-off-by: Netanel Belgazal <netanel@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -2555,6 +2555,9 @@ static void ena_destroy_device(struct en
+       struct ena_com_dev *ena_dev = adapter->ena_dev;
+       bool dev_up;
++      if (!test_bit(ENA_FLAG_DEVICE_RUNNING, &adapter->flags))
++              return;
++
+       netif_carrier_off(netdev);
+       del_timer_sync(&adapter->timer_service);
+@@ -2591,6 +2594,7 @@ static void ena_destroy_device(struct en
+       adapter->reset_reason = ENA_REGS_RESET_NORMAL;
+       clear_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags);
++      clear_bit(ENA_FLAG_DEVICE_RUNNING, &adapter->flags);
+ }
+ static int ena_restore_device(struct ena_adapter *adapter)
+@@ -2635,6 +2639,7 @@ static int ena_restore_device(struct ena
+               }
+       }
++      set_bit(ENA_FLAG_DEVICE_RUNNING, &adapter->flags);
+       mod_timer(&adapter->timer_service, round_jiffies(jiffies + HZ));
+       dev_err(&pdev->dev, "Device reset completed successfully\n");
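Review bot: The new guard in ena_destroy_device() is a check-then-act: `ENA_FLAG_DEVICE_RUNNING` is tested at the top and cleared only at the very end of the function, so it stops a second sequential call but not two overlapping ones. It is therefore only as strong as the rule that every caller holds rtnl_lock, which the function neither states nor enforces. Adding `ASSERT_RTNL();` ahead of the `test_bit()` would make that contract checkable. The function body between the two hunks is not shown here.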
diff --git a/queue-4.18/net-ena-fix-surprise-unplug-null-dereference-kernel-crash.patch b/queue-4.18/net-ena-fix-surprise-unplug-null-dereference-kernel-crash.patch
new file mode 100644 (file)
index 0000000..36e078c
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Netanel Belgazal <netanel@amazon.com>
+Date: Sun, 9 Sep 2018 08:15:20 +0000
+Subject: net: ena: fix surprise unplug NULL dereference kernel crash
+
+From: Netanel Belgazal <netanel@amazon.com>
+
+[ Upstream commit 772ed869f535b4ec2b134645c951ff22de4d3f79 ]
+
+Starting with driver version 1.5.0, in case of a surprise device
+unplug, there is a race caused by invoking ena_destroy_device()
+from two different places. As a result, the readless register might
+be accessed after it was destroyed.
+
+Signed-off-by: Netanel Belgazal <netanel@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -3408,12 +3408,12 @@ static void ena_remove(struct pci_dev *p
+               netdev->rx_cpu_rmap = NULL;
+       }
+ #endif /* CONFIG_RFS_ACCEL */
+-
+-      unregister_netdev(netdev);
+       del_timer_sync(&adapter->timer_service);
+       cancel_work_sync(&adapter->reset_task);
++      unregister_netdev(netdev);
++
+       /* Reset the device only if the device is running. */
+       if (test_bit(ENA_FLAG_DEVICE_RUNNING, &adapter->flags))
+               ena_com_dev_reset(ena_dev, adapter->reset_reason);
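Review bot: Nothing in the reordered block of ena_remove() records why `del_timer_sync()` and `cancel_work_sync()` must now precede `unregister_netdev()`, so the ordering that closes the race is easy to undo in a later cleanup. A short comment above the two calls would carry it, e.g. `/* Stop the timer and the reset work first so neither can run ena_destroy_device() while unregister_netdev() is closing the device */`. ena_remove() starts and ends outside the hunk.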
diff --git a/queue-4.18/net-mlx5-consider-pci-domain-in-search-for-next-dev.patch b/queue-4.18/net-mlx5-consider-pci-domain-in-search-for-next-dev.patch
new file mode 100644 (file)
index 0000000..c6bc054
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Daniel Jurgens <danielj@mellanox.com>
+Date: Mon, 27 Aug 2018 09:09:46 -0500
+Subject: net/mlx5: Consider PCI domain in search for next dev
+
+From: Daniel Jurgens <danielj@mellanox.com>
+
+[ Upstream commit df7ddb2396cd162e64aaff9401be05e31e438961 ]
+
+The PCI BDF is not unique. PCI domain must also be considered when
+searching for the next physical device during lag setup. Example below:
+
+mlx5_core 0000:01:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(128) RxCqeCmprss(0)
+mlx5_core 0000:01:00.1: MLX5E: StrdRq(1) RqSz(8) StrdSz(128) RxCqeCmprss(0)
+mlx5_core 0001:01:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(128) RxCqeCmprss(0)
+mlx5_core 0001:01:00.1: MLX5E: StrdRq(1) RqSz(8) StrdSz(128) RxCqeCmprss(0)
+
+Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
+Reviewed-by: Aviv Heller <avivh@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/dev.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c
+@@ -396,16 +396,17 @@ void mlx5_remove_dev_by_protocol(struct
+               }
+ }
+-static u16 mlx5_gen_pci_id(struct mlx5_core_dev *dev)
++static u32 mlx5_gen_pci_id(struct mlx5_core_dev *dev)
+ {
+-      return (u16)((dev->pdev->bus->number << 8) |
++      return (u32)((pci_domain_nr(dev->pdev->bus) << 16) |
++                   (dev->pdev->bus->number << 8) |
+                    PCI_SLOT(dev->pdev->devfn));
+ }
+ /* Must be called with intf_mutex held */
+ struct mlx5_core_dev *mlx5_get_next_phys_dev(struct mlx5_core_dev *dev)
+ {
+-      u16 pci_id = mlx5_gen_pci_id(dev);
++      u32 pci_id = mlx5_gen_pci_id(dev);
+       struct mlx5_core_dev *res = NULL;
+       struct mlx5_core_dev *tmp_dev;
+       struct mlx5_priv *priv;
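Review bot: In mlx5_gen_pci_id() the domain is shifted left as a signed `int` and only its low 16 bits fit into the returned `u32`, so the id stays unique only while `pci_domain_nr()` is below 0x10000. Where a platform hands out wider domain numbers (not determinable from this hunk), two functions in different domains could still produce the same id and be paired during lag setup. Doing the shift in unsigned arithmetic, `return ((u32)pci_domain_nr(dev->pdev->bus) << 16) |`, removes the signed-shift hazard. The 16-bit assumption deserves a comment, or the domain can be compared on its own in mlx5_get_next_phys_dev(), whose body continues outside the hunk.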
diff --git a/queue-4.18/netfilter-conntrack-timeout-interface-depend-on-config_nf_conntrack_timeout.patch b/queue-4.18/netfilter-conntrack-timeout-interface-depend-on-config_nf_conntrack_timeout.patch
new file mode 100644 (file)
index 0000000..a37df53
--- /dev/null
@@ -0,0 +1,448 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri, 31 Aug 2018 12:36:01 +0200
+Subject: netfilter: conntrack: timeout interface depend on CONFIG_NF_CONNTRACK_TIMEOUT
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit a874752a10da113f513980e28f562d946d3f829d ]
+
+Now that cttimeout support for nft_ct is in place, these should depend
+on CONFIG_NF_CONNTRACK_TIMEOUT otherwise we can crash when dumping the
+policy if this option is not enabled.
+
+[   71.600121] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+[...]
+[   71.600141] CPU: 3 PID: 7612 Comm: nft Not tainted 4.18.0+ #246
+[...]
+[   71.600188] Call Trace:
+[   71.600201]  ? nft_ct_timeout_obj_dump+0xc6/0xf0 [nft_ct]
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/netfilter/nf_conntrack_proto_icmp.c   |    8 ++++----
+ net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |    8 ++++----
+ net/netfilter/nf_conntrack_proto_dccp.c        |   12 ++++++------
+ net/netfilter/nf_conntrack_proto_generic.c     |    8 ++++----
+ net/netfilter/nf_conntrack_proto_gre.c         |    8 ++++----
+ net/netfilter/nf_conntrack_proto_sctp.c        |   14 +++++++-------
+ net/netfilter/nf_conntrack_proto_tcp.c         |   12 ++++++------
+ net/netfilter/nf_conntrack_proto_udp.c         |   20 ++++++++++----------
+ 8 files changed, 45 insertions(+), 45 deletions(-)
+
+--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
++++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+@@ -269,7 +269,7 @@ static unsigned int icmp_nlattr_tuple_si
+ }
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+ #include <linux/netfilter/nfnetlink.h>
+ #include <linux/netfilter/nfnetlink_cttimeout.h>
+@@ -307,7 +307,7 @@ static const struct nla_policy
+ icmp_timeout_nla_policy[CTA_TIMEOUT_ICMP_MAX+1] = {
+       [CTA_TIMEOUT_ICMP_TIMEOUT]      = { .type = NLA_U32 },
+ };
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+ #ifdef CONFIG_SYSCTL
+ static struct ctl_table icmp_sysctl_table[] = {
+@@ -369,7 +369,7 @@ const struct nf_conntrack_l4proto nf_con
+       .nlattr_to_tuple        = icmp_nlattr_to_tuple,
+       .nla_policy             = icmp_nla_policy,
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+       .ctnl_timeout           = {
+               .nlattr_to_obj  = icmp_timeout_nlattr_to_obj,
+               .obj_to_nlattr  = icmp_timeout_obj_to_nlattr,
+@@ -377,7 +377,7 @@ const struct nf_conntrack_l4proto nf_con
+               .obj_size       = sizeof(unsigned int),
+               .nla_policy     = icmp_timeout_nla_policy,
+       },
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+       .init_net               = icmp_init_net,
+       .get_net_proto          = icmp_get_net_proto,
+ };
+--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
++++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+@@ -270,7 +270,7 @@ static unsigned int icmpv6_nlattr_tuple_
+ }
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+ #include <linux/netfilter/nfnetlink.h>
+ #include <linux/netfilter/nfnetlink_cttimeout.h>
+@@ -308,7 +308,7 @@ static const struct nla_policy
+ icmpv6_timeout_nla_policy[CTA_TIMEOUT_ICMPV6_MAX+1] = {
+       [CTA_TIMEOUT_ICMPV6_TIMEOUT]    = { .type = NLA_U32 },
+ };
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+ #ifdef CONFIG_SYSCTL
+ static struct ctl_table icmpv6_sysctl_table[] = {
+@@ -368,7 +368,7 @@ const struct nf_conntrack_l4proto nf_con
+       .nlattr_to_tuple        = icmpv6_nlattr_to_tuple,
+       .nla_policy             = icmpv6_nla_policy,
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+       .ctnl_timeout           = {
+               .nlattr_to_obj  = icmpv6_timeout_nlattr_to_obj,
+               .obj_to_nlattr  = icmpv6_timeout_obj_to_nlattr,
+@@ -376,7 +376,7 @@ const struct nf_conntrack_l4proto nf_con
+               .obj_size       = sizeof(unsigned int),
+               .nla_policy     = icmpv6_timeout_nla_policy,
+       },
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+       .init_net               = icmpv6_init_net,
+       .get_net_proto          = icmpv6_get_net_proto,
+ };
+--- a/net/netfilter/nf_conntrack_proto_dccp.c
++++ b/net/netfilter/nf_conntrack_proto_dccp.c
+@@ -699,7 +699,7 @@ static int nlattr_to_dccp(struct nlattr
+ }
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+ #include <linux/netfilter/nfnetlink.h>
+ #include <linux/netfilter/nfnetlink_cttimeout.h>
+@@ -750,7 +750,7 @@ dccp_timeout_nla_policy[CTA_TIMEOUT_DCCP
+       [CTA_TIMEOUT_DCCP_CLOSING]      = { .type = NLA_U32 },
+       [CTA_TIMEOUT_DCCP_TIMEWAIT]     = { .type = NLA_U32 },
+ };
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+ #ifdef CONFIG_SYSCTL
+ /* template, data assigned later */
+@@ -883,7 +883,7 @@ const struct nf_conntrack_l4proto nf_con
+       .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
+       .nla_policy             = nf_ct_port_nla_policy,
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+       .ctnl_timeout           = {
+               .nlattr_to_obj  = dccp_timeout_nlattr_to_obj,
+               .obj_to_nlattr  = dccp_timeout_obj_to_nlattr,
+@@ -891,7 +891,7 @@ const struct nf_conntrack_l4proto nf_con
+               .obj_size       = sizeof(unsigned int) * CT_DCCP_MAX,
+               .nla_policy     = dccp_timeout_nla_policy,
+       },
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+       .init_net               = dccp_init_net,
+       .get_net_proto          = dccp_get_net_proto,
+ };
+@@ -919,7 +919,7 @@ const struct nf_conntrack_l4proto nf_con
+       .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
+       .nla_policy             = nf_ct_port_nla_policy,
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+       .ctnl_timeout           = {
+               .nlattr_to_obj  = dccp_timeout_nlattr_to_obj,
+               .obj_to_nlattr  = dccp_timeout_obj_to_nlattr,
+@@ -927,7 +927,7 @@ const struct nf_conntrack_l4proto nf_con
+               .obj_size       = sizeof(unsigned int) * CT_DCCP_MAX,
+               .nla_policy     = dccp_timeout_nla_policy,
+       },
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+       .init_net               = dccp_init_net,
+       .get_net_proto          = dccp_get_net_proto,
+ };
+--- a/net/netfilter/nf_conntrack_proto_generic.c
++++ b/net/netfilter/nf_conntrack_proto_generic.c
+@@ -79,7 +79,7 @@ static bool generic_new(struct nf_conn *
+       return ret;
+ }
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+ #include <linux/netfilter/nfnetlink.h>
+ #include <linux/netfilter/nfnetlink_cttimeout.h>
+@@ -119,7 +119,7 @@ static const struct nla_policy
+ generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = {
+       [CTA_TIMEOUT_GENERIC_TIMEOUT]   = { .type = NLA_U32 },
+ };
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+ #ifdef CONFIG_SYSCTL
+ static struct ctl_table generic_sysctl_table[] = {
+@@ -172,7 +172,7 @@ const struct nf_conntrack_l4proto nf_con
+       .packet                 = generic_packet,
+       .get_timeouts           = generic_get_timeouts,
+       .new                    = generic_new,
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+       .ctnl_timeout           = {
+               .nlattr_to_obj  = generic_timeout_nlattr_to_obj,
+               .obj_to_nlattr  = generic_timeout_obj_to_nlattr,
+@@ -180,7 +180,7 @@ const struct nf_conntrack_l4proto nf_con
+               .obj_size       = sizeof(unsigned int),
+               .nla_policy     = generic_timeout_nla_policy,
+       },
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+       .init_net               = generic_init_net,
+       .get_net_proto          = generic_get_net_proto,
+ };
+--- a/net/netfilter/nf_conntrack_proto_gre.c
++++ b/net/netfilter/nf_conntrack_proto_gre.c
+@@ -289,7 +289,7 @@ static void gre_destroy(struct nf_conn *
+               nf_ct_gre_keymap_destroy(master);
+ }
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+ #include <linux/netfilter/nfnetlink.h>
+ #include <linux/netfilter/nfnetlink_cttimeout.h>
+@@ -336,7 +336,7 @@ gre_timeout_nla_policy[CTA_TIMEOUT_GRE_M
+       [CTA_TIMEOUT_GRE_UNREPLIED]     = { .type = NLA_U32 },
+       [CTA_TIMEOUT_GRE_REPLIED]       = { .type = NLA_U32 },
+ };
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+ static int gre_init_net(struct net *net, u_int16_t proto)
+ {
+@@ -371,7 +371,7 @@ static const struct nf_conntrack_l4proto
+       .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
+       .nla_policy      = nf_ct_port_nla_policy,
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+       .ctnl_timeout    = {
+               .nlattr_to_obj  = gre_timeout_nlattr_to_obj,
+               .obj_to_nlattr  = gre_timeout_obj_to_nlattr,
+@@ -379,7 +379,7 @@ static const struct nf_conntrack_l4proto
+               .obj_size       = sizeof(unsigned int) * GRE_CT_MAX,
+               .nla_policy     = gre_timeout_nla_policy,
+       },
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+       .net_id         = &proto_gre_net_id,
+       .init_net       = gre_init_net,
+ };
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -615,7 +615,7 @@ static int nlattr_to_sctp(struct nlattr
+ }
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+ #include <linux/netfilter/nfnetlink.h>
+ #include <linux/netfilter/nfnetlink_cttimeout.h>
+@@ -668,7 +668,7 @@ sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP
+       [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT]       = { .type = NLA_U32 },
+       [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED]      = { .type = NLA_U32 },
+ };
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+ #ifdef CONFIG_SYSCTL
+@@ -800,7 +800,7 @@ const struct nf_conntrack_l4proto nf_con
+       .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
+       .nla_policy             = nf_ct_port_nla_policy,
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+       .ctnl_timeout           = {
+               .nlattr_to_obj  = sctp_timeout_nlattr_to_obj,
+               .obj_to_nlattr  = sctp_timeout_obj_to_nlattr,
+@@ -808,7 +808,7 @@ const struct nf_conntrack_l4proto nf_con
+               .obj_size       = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
+               .nla_policy     = sctp_timeout_nla_policy,
+       },
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+       .init_net               = sctp_init_net,
+       .get_net_proto          = sctp_get_net_proto,
+ };
+@@ -836,7 +836,8 @@ const struct nf_conntrack_l4proto nf_con
+       .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
+       .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
+       .nla_policy             = nf_ct_port_nla_policy,
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#endif
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+       .ctnl_timeout           = {
+               .nlattr_to_obj  = sctp_timeout_nlattr_to_obj,
+               .obj_to_nlattr  = sctp_timeout_obj_to_nlattr,
+@@ -844,8 +845,7 @@ const struct nf_conntrack_l4proto nf_con
+               .obj_size       = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
+               .nla_policy     = sctp_timeout_nla_policy,
+       },
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+-#endif
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+       .init_net               = sctp_init_net,
+       .get_net_proto          = sctp_get_net_proto,
+ };
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -1305,7 +1305,7 @@ static unsigned int tcp_nlattr_tuple_siz
+ }
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+ #include <linux/netfilter/nfnetlink.h>
+ #include <linux/netfilter/nfnetlink_cttimeout.h>
+@@ -1415,7 +1415,7 @@ static const struct nla_policy tcp_timeo
+       [CTA_TIMEOUT_TCP_RETRANS]       = { .type = NLA_U32 },
+       [CTA_TIMEOUT_TCP_UNACK]         = { .type = NLA_U32 },
+ };
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+ #ifdef CONFIG_SYSCTL
+ static struct ctl_table tcp_sysctl_table[] = {
+@@ -1578,7 +1578,7 @@ const struct nf_conntrack_l4proto nf_con
+       .nlattr_size            = TCP_NLATTR_SIZE,
+       .nla_policy             = nf_ct_port_nla_policy,
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+       .ctnl_timeout           = {
+               .nlattr_to_obj  = tcp_timeout_nlattr_to_obj,
+               .obj_to_nlattr  = tcp_timeout_obj_to_nlattr,
+@@ -1587,7 +1587,7 @@ const struct nf_conntrack_l4proto nf_con
+                                       TCP_CONNTRACK_TIMEOUT_MAX,
+               .nla_policy     = tcp_timeout_nla_policy,
+       },
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+       .init_net               = tcp_init_net,
+       .get_net_proto          = tcp_get_net_proto,
+ };
+@@ -1616,7 +1616,7 @@ const struct nf_conntrack_l4proto nf_con
+       .nlattr_tuple_size      = tcp_nlattr_tuple_size,
+       .nla_policy             = nf_ct_port_nla_policy,
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+       .ctnl_timeout           = {
+               .nlattr_to_obj  = tcp_timeout_nlattr_to_obj,
+               .obj_to_nlattr  = tcp_timeout_obj_to_nlattr,
+@@ -1625,7 +1625,7 @@ const struct nf_conntrack_l4proto nf_con
+                                       TCP_CONNTRACK_TIMEOUT_MAX,
+               .nla_policy     = tcp_timeout_nla_policy,
+       },
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+       .init_net               = tcp_init_net,
+       .get_net_proto          = tcp_get_net_proto,
+ };
+--- a/net/netfilter/nf_conntrack_proto_udp.c
++++ b/net/netfilter/nf_conntrack_proto_udp.c
+@@ -192,7 +192,7 @@ static int udp_error(struct net *net, st
+       return NF_ACCEPT;
+ }
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+ #include <linux/netfilter/nfnetlink.h>
+ #include <linux/netfilter/nfnetlink_cttimeout.h>
+@@ -239,7 +239,7 @@ udp_timeout_nla_policy[CTA_TIMEOUT_UDP_M
+        [CTA_TIMEOUT_UDP_UNREPLIED]    = { .type = NLA_U32 },
+        [CTA_TIMEOUT_UDP_REPLIED]      = { .type = NLA_U32 },
+ };
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+ #ifdef CONFIG_SYSCTL
+ static struct ctl_table udp_sysctl_table[] = {
+@@ -313,7 +313,7 @@ const struct nf_conntrack_l4proto nf_con
+       .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
+       .nla_policy             = nf_ct_port_nla_policy,
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+       .ctnl_timeout           = {
+               .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
+               .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
+@@ -321,7 +321,7 @@ const struct nf_conntrack_l4proto nf_con
+               .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
+               .nla_policy     = udp_timeout_nla_policy,
+       },
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+       .init_net               = udp_init_net,
+       .get_net_proto          = udp_get_net_proto,
+ };
+@@ -345,7 +345,7 @@ const struct nf_conntrack_l4proto nf_con
+       .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
+       .nla_policy             = nf_ct_port_nla_policy,
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+       .ctnl_timeout           = {
+               .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
+               .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
+@@ -353,7 +353,7 @@ const struct nf_conntrack_l4proto nf_con
+               .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
+               .nla_policy     = udp_timeout_nla_policy,
+       },
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+       .init_net               = udp_init_net,
+       .get_net_proto          = udp_get_net_proto,
+ };
+@@ -377,7 +377,7 @@ const struct nf_conntrack_l4proto nf_con
+       .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
+       .nla_policy             = nf_ct_port_nla_policy,
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+       .ctnl_timeout           = {
+               .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
+               .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
+@@ -385,7 +385,7 @@ const struct nf_conntrack_l4proto nf_con
+               .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
+               .nla_policy     = udp_timeout_nla_policy,
+       },
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+       .init_net               = udp_init_net,
+       .get_net_proto          = udp_get_net_proto,
+ };
+@@ -409,7 +409,7 @@ const struct nf_conntrack_l4proto nf_con
+       .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
+       .nla_policy             = nf_ct_port_nla_policy,
+ #endif
+-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
++#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+       .ctnl_timeout           = {
+               .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
+               .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
+@@ -417,7 +417,7 @@ const struct nf_conntrack_l4proto nf_con
+               .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
+               .nla_policy     = udp_timeout_nla_policy,
+       },
+-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
++#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+       .init_net               = udp_init_net,
+       .get_net_proto          = udp_get_net_proto,
+ };
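Review bot: The second nf_conntrack_proto_sctp.c hunk (`@@ -836,7 +836,8`) is not the mechanical guard swap that the other hunks are: it also moves a bare `#endif` above `.ctnl_timeout`, so the member is no longer nested in the preceding conditional block. That conditional opens outside the hunk, and an unlabelled `#endif` next to a labelled one makes the nesting hard to check by eye. Labelling the relocated line the way the timeout guards are labelled, presumably `#endif /* CONFIG_NF_CT_NETLINK */` (to be confirmed against the opening `#if`), would keep the two blocks visibly separate.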
diff --git a/queue-4.18/netfilter-kconfig-nat-related-expression-depend-on-nftables-core.patch b/queue-4.18/netfilter-kconfig-nat-related-expression-depend-on-nftables-core.patch
new file mode 100644 (file)
index 0000000..ff657c7
--- /dev/null
@@ -0,0 +1,63 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Sat, 25 Aug 2018 01:14:46 +0200
+Subject: netfilter: kconfig: nat related expression depend on nftables core
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit e0758412208960be9de11e6d2350c81ffd88410f ]
+
+NF_TABLES_IPV4 is now boolean so it is possible to set
+
+NF_TABLES=m
+NF_TABLES_IPV4=y
+NFT_CHAIN_NAT_IPV4=y
+
+which causes:
+nft_chain_nat_ipv4.c:(.text+0x6d): undefined reference to `nft_do_chain'
+
+Wrap NFT_CHAIN_NAT_IPV4 and related nat expressions with NF_TABLES to
+restore the dependency.
+
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Fixes: 02c7b25e5f54 ("netfilter: nf_tables: build-in filter chain type")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/netfilter/Kconfig |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/netfilter/Kconfig
++++ b/net/ipv4/netfilter/Kconfig
+@@ -122,6 +122,10 @@ config NF_NAT_IPV4
+ if NF_NAT_IPV4
++config NF_NAT_MASQUERADE_IPV4
++      bool
++
++if NF_TABLES
+ config NFT_CHAIN_NAT_IPV4
+       depends on NF_TABLES_IPV4
+       tristate "IPv4 nf_tables nat chain support"
+@@ -131,9 +135,6 @@ config NFT_CHAIN_NAT_IPV4
+         packet transformations such as the source, destination address and
+         source and destination ports.
+-config NF_NAT_MASQUERADE_IPV4
+-      bool
+-
+ config NFT_MASQ_IPV4
+       tristate "IPv4 masquerading support for nf_tables"
+       depends on NF_TABLES_IPV4
+@@ -151,6 +152,7 @@ config NFT_REDIR_IPV4
+       help
+         This is the expression that provides IPv4 redirect support for
+         nf_tables.
++endif # NF_TABLES
+ config NF_NAT_SNMP_BASIC
+       tristate "Basic SNMP-ALG support"
diff --git a/queue-4.18/netfilter-nf_tables-release-chain-in-flushing-set.patch b/queue-4.18/netfilter-nf_tables-release-chain-in-flushing-set.patch
new file mode 100644 (file)
index 0000000..262e80b
--- /dev/null
@@ -0,0 +1,78 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Sun, 26 Aug 2018 02:35:44 +0900
+Subject: netfilter: nf_tables: release chain in flushing set
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 7acfda539c0b9636a58bfee56abfb3aeee806d96 ]
+
+When element of verdict map is deleted, the delete routine should
+release chain. however, flush element of verdict map routine doesn't
+release chain.
+
+test commands:
+   %nft add table ip filter
+   %nft add chain ip filter c1
+   %nft add map ip filter map1 { type ipv4_addr : verdict \; }
+   %nft add element ip filter map1 { 1 : jump c1 }
+   %nft flush map ip filter map1
+   %nft flush ruleset
+
+splat looks like:
+[ 4895.170899] kernel BUG at net/netfilter/nf_tables_api.c:1415!
+[ 4895.178114] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[ 4895.178880] CPU: 0 PID: 1670 Comm: nft Not tainted 4.18.0+ #55
+[ 4895.178880] RIP: 0010:nf_tables_chain_destroy.isra.28+0x39/0x220 [nf_tables]
+[ 4895.178880] Code: fc ff df 53 48 89 fb 48 83 c7 50 48 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 09 3c 03 7f 05 e8 3e 4c 25 e1 8b 43 50 85 c0 74 02 <0f> 0b 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02
+[ 4895.228342] RSP: 0018:ffff88010b98f4c0 EFLAGS: 00010202
+[ 4895.234841] RAX: 0000000000000001 RBX: ffff8801131c6968 RCX: ffff8801146585b0
+[ 4895.234841] RDX: 1ffff10022638d37 RSI: ffff8801191a9348 RDI: ffff8801131c69b8
+[ 4895.234841] RBP: ffff8801146585a8 R08: 1ffff1002323526a R09: 0000000000000000
+[ 4895.234841] R10: 0000000000000000 R11: 0000000000000000 R12: dead000000000200
+[ 4895.234841] R13: dead000000000100 R14: ffffffffa3638af8 R15: dffffc0000000000
+[ 4895.234841] FS:  00007f6d188e6700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
+[ 4895.234841] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 4895.234841] CR2: 00007ffe72b8df88 CR3: 000000010e2d4000 CR4: 00000000001006f0
+[ 4895.234841] Call Trace:
+[ 4895.234841]  nf_tables_commit+0x2704/0x2c70 [nf_tables]
+[ 4895.234841]  ? nfnetlink_rcv_batch+0xa4f/0x11b0 [nfnetlink]
+[ 4895.234841]  ? nf_tables_setelem_notify.constprop.48+0x1a0/0x1a0 [nf_tables]
+[ 4895.323824]  ? __lock_is_held+0x9d/0x130
+[ 4895.323824]  ? kasan_unpoison_shadow+0x30/0x40
+[ 4895.333299]  ? kasan_kmalloc+0xa9/0xc0
+[ 4895.333299]  ? kmem_cache_alloc_trace+0x2c0/0x310
+[ 4895.333299]  ? nfnetlink_rcv_batch+0xa4f/0x11b0 [nfnetlink]
+[ 4895.333299]  nfnetlink_rcv_batch+0xdb9/0x11b0 [nfnetlink]
+[ 4895.333299]  ? debug_show_all_locks+0x290/0x290
+[ 4895.333299]  ? nfnetlink_net_init+0x150/0x150 [nfnetlink]
+[ 4895.333299]  ? sched_clock_cpu+0xe5/0x170
+[ 4895.333299]  ? sched_clock_local+0xff/0x130
+[ 4895.333299]  ? sched_clock_cpu+0xe5/0x170
+[ 4895.333299]  ? find_held_lock+0x39/0x1b0
+[ 4895.333299]  ? sched_clock_local+0xff/0x130
+[ 4895.333299]  ? memset+0x1f/0x40
+[ 4895.333299]  ? nla_parse+0x33/0x260
+[ 4895.333299]  ? ns_capable_common+0x6e/0x110
+[ 4895.333299]  nfnetlink_rcv+0x2c0/0x310 [nfnetlink]
+[ ... ]
+
+Fixes: 591054469b3e ("netfilter: nf_tables: revisit chain/object refcounting from elements")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4582,6 +4582,7 @@ static int nft_flush_set(const struct nf
+       }
+       set->ndeact++;
++      nft_set_elem_deactivate(ctx->net, set, elem);
+       nft_trans_elem_set(trans) = set;
+       nft_trans_elem(trans) = *elem;
+       list_add_tail(&trans->list, &ctx->net->nft.commit_list);
diff --git a/queue-4.18/netfilter-nfnetlink_queue-solve-the-nfqueue-conntrack-clash-for-nf_repeat.patch b/queue-4.18/netfilter-nfnetlink_queue-solve-the-nfqueue-conntrack-clash-for-nf_repeat.patch
new file mode 100644 (file)
index 0000000..15c8d8a
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Michal 'vorner' Vaner <michal.vaner@avast.com>
+Date: Tue, 4 Sep 2018 13:25:44 +0200
+Subject: netfilter: nfnetlink_queue: Solve the NFQUEUE/conntrack clash for NF_REPEAT
+
+From: Michal 'vorner' Vaner <michal.vaner@avast.com>
+
+[ Upstream commit ad18d7bf68a3da860ebb62a59c449804a6d237b4 ]
+
+NF_REPEAT places the packet at the beginning of the iptables chain
+instead of accepting or rejecting it right away. The packet however will
+reach the end of the chain and continue to the end of iptables
+eventually, so it needs the same handling as NF_ACCEPT and NF_DROP.
+
+Fixes: 368982cd7d1b ("netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks")
+Signed-off-by: Michal 'vorner' Vaner <michal.vaner@avast.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nfnetlink_queue.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -233,6 +233,7 @@ static void nfqnl_reinject(struct nf_que
+       int err;
+       if (verdict == NF_ACCEPT ||
++          verdict == NF_REPEAT ||
+           verdict == NF_STOP) {
+               rcu_read_lock();
+               ct_hook = rcu_dereference(nf_ct_hook);
diff --git a/queue-4.18/netfilter-xt_checksum-ignore-gso-skbs.patch b/queue-4.18/netfilter-xt_checksum-ignore-gso-skbs.patch
new file mode 100644 (file)
index 0000000..e5c7e5b
--- /dev/null
@@ -0,0 +1,114 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 22 Aug 2018 11:33:27 +0200
+Subject: netfilter: xt_checksum: ignore gso skbs
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 10568f6c5761db24249c610c94d6e44d5505a0ba ]
+
+Satish Patel reports a skb_warn_bad_offload() splat caused
+by -j CHECKSUM rules:
+
+-A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM
+
+The CHECKSUM target has never worked with GSO skbs, and the above rule
+makes no sense as kernel will handle checksum updates on transmit.
+
+Unfortunately, there are 3rd party tools that install such rules, so we
+cannot reject this from the config plane without potential breakage.
+
+Amend Kconfig text to clarify that the CHECKSUM target is only useful
+in virtualized environments, where old dhcp clients that use AF_PACKET
+used to discard UDP packets with a 'bad' header checksum and add a
+one-time warning in case such rule isn't restricted to UDP.
+
+v2: check IP6T_F_PROTO flag before cmp (Michal Kubecek)
+
+Reported-by: Satish Patel <satish.txt@gmail.com>
+Reported-by: Markos Chandras <markos.chandras@suse.com>
+Reported-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/Kconfig       |   12 ++++++------
+ net/netfilter/xt_CHECKSUM.c |   22 +++++++++++++++++++++-
+ 2 files changed, 27 insertions(+), 7 deletions(-)
+
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -740,13 +740,13 @@ config NETFILTER_XT_TARGET_CHECKSUM
+       depends on NETFILTER_ADVANCED
+       ---help---
+         This option adds a `CHECKSUM' target, which can be used in the iptables mangle
+-        table.
++        table to work around buggy DHCP clients in virtualized environments.
+-        You can use this target to compute and fill in the checksum in
+-        a packet that lacks a checksum.  This is particularly useful,
+-        if you need to work around old applications such as dhcp clients,
+-        that do not work well with checksum offloads, but don't want to disable
+-        checksum offload in your device.
++        Some old DHCP clients drop packets because they are not aware
++        that the checksum would normally be offloaded to hardware and
++        thus should be considered valid.
++        This target can be used to fill in the checksum using iptables
++        when such packets are sent via a virtual network device.
+         To compile it as a module, choose M here.  If unsure, say N.
+--- a/net/netfilter/xt_CHECKSUM.c
++++ b/net/netfilter/xt_CHECKSUM.c
+@@ -16,6 +16,9 @@
+ #include <linux/netfilter/x_tables.h>
+ #include <linux/netfilter/xt_CHECKSUM.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv6/ip6_tables.h>
++
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Michael S. Tsirkin <mst@redhat.com>");
+ MODULE_DESCRIPTION("Xtables: checksum modification");
+@@ -25,7 +28,7 @@ MODULE_ALIAS("ip6t_CHECKSUM");
+ static unsigned int
+ checksum_tg(struct sk_buff *skb, const struct xt_action_param *par)
+ {
+-      if (skb->ip_summed == CHECKSUM_PARTIAL)
++      if (skb->ip_summed == CHECKSUM_PARTIAL && !skb_is_gso(skb))
+               skb_checksum_help(skb);
+       return XT_CONTINUE;
+@@ -34,6 +37,8 @@ checksum_tg(struct sk_buff *skb, const s
+ static int checksum_tg_check(const struct xt_tgchk_param *par)
+ {
+       const struct xt_CHECKSUM_info *einfo = par->targinfo;
++      const struct ip6t_ip6 *i6 = par->entryinfo;
++      const struct ipt_ip *i4 = par->entryinfo;
+       if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
+               pr_info_ratelimited("unsupported CHECKSUM operation %x\n",
+@@ -43,6 +48,21 @@ static int checksum_tg_check(const struc
+       if (!einfo->operation)
+               return -EINVAL;
++      switch (par->family) {
++      case NFPROTO_IPV4:
++              if (i4->proto == IPPROTO_UDP &&
++                  (i4->invflags & XT_INV_PROTO) == 0)
++                      return 0;
++              break;
++      case NFPROTO_IPV6:
++              if ((i6->flags & IP6T_F_PROTO) &&
++                  i6->proto == IPPROTO_UDP &&
++                  (i6->invflags & XT_INV_PROTO) == 0)
++                      return 0;
++              break;
++      }
++
++      pr_warn_once("CHECKSUM should be avoided.  If really needed, restrict with \"-p udp\" and only use in OUTPUT\n");
+       return 0;
+ }
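Review bot: In `checksum_tg`, the added `!skb_is_gso(skb)` test makes the target silently leave GSO packets untouched, and nothing at that line says why. A comment such as `/* GSO skbs are skipped: CHECKSUM never worked on them and the stack fills the checksum on transmit */` would stop a later reader from removing the test. In `checksum_tg_check`, `i4` and `i6` both alias `par->entryinfo` before `par->family` is examined, which is safe only because each is read under its own `case`; a one-line comment above the two declarations should say so. The warning text advises "only use in OUTPUT", but nothing in the visible lines checks the hook, so that advice is not enforced. Both function bodies extend beyond the inner hunks shown.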
diff --git a/queue-4.18/netfilter-xt_cluster-add-dependency-on-conntrack-module.patch b/queue-4.18/netfilter-xt_cluster-add-dependency-on-conntrack-module.patch
new file mode 100644 (file)
index 0000000..85ccaad
--- /dev/null
@@ -0,0 +1,63 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Martin Willi <martin@strongswan.org>
+Date: Wed, 22 Aug 2018 10:27:17 +0200
+Subject: netfilter: xt_cluster: add dependency on conntrack module
+
+From: Martin Willi <martin@strongswan.org>
+
+[ Upstream commit c1dc2912059901f97345d9e10c96b841215fdc0f ]
+
+The cluster match requires conntrack for matching packets. If the
+netns does not have conntrack hooks registered, the match does not
+work at all.
+
+Implicitly load the conntrack hook for the family, exactly as many
+other extensions do. This ensures that the match works even if the
+hooks have not been registered by other means.
+
+Signed-off-by: Martin Willi <martin@strongswan.org>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/xt_cluster.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/xt_cluster.c
++++ b/net/netfilter/xt_cluster.c
+@@ -125,6 +125,7 @@ xt_cluster_mt(const struct sk_buff *skb,
+ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
+ {
+       struct xt_cluster_match_info *info = par->matchinfo;
++      int ret;
+       if (info->total_nodes > XT_CLUSTER_NODES_MAX) {
+               pr_info_ratelimited("you have exceeded the maximum number of cluster nodes (%u > %u)\n",
+@@ -135,7 +136,17 @@ static int xt_cluster_mt_checkentry(cons
+               pr_info_ratelimited("node mask cannot exceed total number of nodes\n");
+               return -EDOM;
+       }
+-      return 0;
++
++      ret = nf_ct_netns_get(par->net, par->family);
++      if (ret < 0)
++              pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
++                                  par->family);
++      return ret;
++}
++
++static void xt_cluster_mt_destroy(const struct xt_mtdtor_param *par)
++{
++      nf_ct_netns_put(par->net, par->family);
+ }
+ static struct xt_match xt_cluster_match __read_mostly = {
+@@ -144,6 +155,7 @@ static struct xt_match xt_cluster_match
+       .match          = xt_cluster_mt,
+       .checkentry     = xt_cluster_mt_checkentry,
+       .matchsize      = sizeof(struct xt_cluster_match_info),
++      .destroy        = xt_cluster_mt_destroy,
+       .me             = THIS_MODULE,
+ };
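Review bot: The failure message in `xt_cluster_mt_checkentry` prints `par->family` under the label `proto=`, which reads in the log as an L4 protocol number; `"cannot load conntrack support for family=%u\n"` would name the value correctly. The reference from `nf_ct_netns_get()` is released only in the new `.destroy` callback, so the pairing presumably relies on `.destroy` running only for entries whose `.checkentry` succeeded. A short comment above `xt_cluster_mt_destroy`, for example `/* pairs with nf_ct_netns_get() in xt_cluster_mt_checkentry() */`, would record that. The start of `xt_cluster_mt_checkentry` lies between the inner hunks and is only partly visible.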
diff --git a/queue-4.18/netfilter-xt_hashlimit-use-s-file-instead-of-s-private.patch b/queue-4.18/netfilter-xt_hashlimit-use-s-file-instead-of-s-private.patch
new file mode 100644 (file)
index 0000000..af5f879
--- /dev/null
@@ -0,0 +1,108 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Wed, 5 Sep 2018 11:41:31 -0700
+Subject: netfilter: xt_hashlimit: use s->file instead of s->private
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 1286df269f498165061e0cf8092ca212545dbb5a ]
+
+After switching to the new procfs API, it is supposed to
+retrieve the private pointer from PDE_DATA(file_inode(s->file)),
+s->private is no longer referred.
+
+Fixes: 1cd671827290 ("netfilter/x_tables: switch to proc_create_seq_private")
+Reported-by: Sami Farin <hvtaifwkbgefbaei@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Christoph Hellwig <hch@lst.de>
+Tested-by: Sami Farin <hvtaifwkbgefbaei@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/xt_hashlimit.c |   18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/net/netfilter/xt_hashlimit.c
++++ b/net/netfilter/xt_hashlimit.c
+@@ -1057,7 +1057,7 @@ static struct xt_match hashlimit_mt_reg[
+ static void *dl_seq_start(struct seq_file *s, loff_t *pos)
+       __acquires(htable->lock)
+ {
+-      struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
++      struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
+       unsigned int *bucket;
+       spin_lock_bh(&htable->lock);
+@@ -1074,7 +1074,7 @@ static void *dl_seq_start(struct seq_fil
+ static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos)
+ {
+-      struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
++      struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
+       unsigned int *bucket = v;
+       *pos = ++(*bucket);
+@@ -1088,7 +1088,7 @@ static void *dl_seq_next(struct seq_file
+ static void dl_seq_stop(struct seq_file *s, void *v)
+       __releases(htable->lock)
+ {
+-      struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
++      struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
+       unsigned int *bucket = v;
+       if (!IS_ERR(bucket))
+@@ -1130,7 +1130,7 @@ static void dl_seq_print(struct dsthash_
+ static int dl_seq_real_show_v2(struct dsthash_ent *ent, u_int8_t family,
+                              struct seq_file *s)
+ {
+-      struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->private));
++      struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file));
+       spin_lock(&ent->lock);
+       /* recalculate to show accurate numbers */
+@@ -1145,7 +1145,7 @@ static int dl_seq_real_show_v2(struct ds
+ static int dl_seq_real_show_v1(struct dsthash_ent *ent, u_int8_t family,
+                              struct seq_file *s)
+ {
+-      struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->private));
++      struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file));
+       spin_lock(&ent->lock);
+       /* recalculate to show accurate numbers */
+@@ -1160,7 +1160,7 @@ static int dl_seq_real_show_v1(struct ds
+ static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family,
+                           struct seq_file *s)
+ {
+-      struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->private));
++      struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file));
+       spin_lock(&ent->lock);
+       /* recalculate to show accurate numbers */
+@@ -1174,7 +1174,7 @@ static int dl_seq_real_show(struct dstha
+ static int dl_seq_show_v2(struct seq_file *s, void *v)
+ {
+-      struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
++      struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
+       unsigned int *bucket = (unsigned int *)v;
+       struct dsthash_ent *ent;
+@@ -1188,7 +1188,7 @@ static int dl_seq_show_v2(struct seq_fil
+ static int dl_seq_show_v1(struct seq_file *s, void *v)
+ {
+-      struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
++      struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
+       unsigned int *bucket = v;
+       struct dsthash_ent *ent;
+@@ -1202,7 +1202,7 @@ static int dl_seq_show_v1(struct seq_fil
+ static int dl_seq_show(struct seq_file *s, void *v)
+ {
+-      struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
++      struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
+       unsigned int *bucket = v;
+       struct dsthash_ent *ent;
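Review bot: The expression `PDE_DATA(file_inode(s->file))` is now repeated in nine seq_file callbacks, the same nine places this patch has to correct from `s->private`. A single accessor, e.g. `static inline struct xt_hashlimit_htable *dl_seq_htable(struct seq_file *s) { return PDE_DATA(file_inode(s->file)); }`, would leave one line to audit the next time the procfs private-data convention changes. The helper name is only a suggestion. The function bodies continue outside the inner hunks.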
diff --git a/queue-4.18/nvmet-rdma-fix-possible-bogus-dereference-under-heavy-load.patch b/queue-4.18/nvmet-rdma-fix-possible-bogus-dereference-under-heavy-load.patch
new file mode 100644 (file)
index 0000000..727f144
--- /dev/null
@@ -0,0 +1,94 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Mon, 3 Sep 2018 03:47:07 -0700
+Subject: nvmet-rdma: fix possible bogus dereference under heavy load
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 8407879c4e0d7731f6e7e905893cecf61a7762c7 ]
+
+Currently we always repost the recv buffer before we send a response
+capsule back to the host. Since ordering is not guaranteed for send
+and recv completions, it is posible that we will receive a new request
+from the host before we got a send completion for the response capsule.
+
+Today, we pre-allocate 2x rsps the length of the queue, but in reality,
+under heavy load there is nothing that is really preventing the gap to
+expand until we exhaust all our rsps.
+
+To fix this, if we don't have any pre-allocated rsps left, we dynamically
+allocate a rsp and make sure to free it when we are done. If under memory
+pressure we fail to allocate a rsp, we silently drop the command and
+wait for the host to retry.
+
+Reported-by: Steve Wise <swise@opengridcomputing.com>
+Tested-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+[hch: dropped a superflous assignment]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/target/rdma.c |   27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+--- a/drivers/nvme/target/rdma.c
++++ b/drivers/nvme/target/rdma.c
+@@ -65,6 +65,7 @@ struct nvmet_rdma_rsp {
+       struct nvmet_req        req;
++      bool                    allocated;
+       u8                      n_rdma;
+       u32                     flags;
+       u32                     invalidate_rkey;
+@@ -166,11 +167,19 @@ nvmet_rdma_get_rsp(struct nvmet_rdma_que
+       unsigned long flags;
+       spin_lock_irqsave(&queue->rsps_lock, flags);
+-      rsp = list_first_entry(&queue->free_rsps,
++      rsp = list_first_entry_or_null(&queue->free_rsps,
+                               struct nvmet_rdma_rsp, free_list);
+-      list_del(&rsp->free_list);
++      if (likely(rsp))
++              list_del(&rsp->free_list);
+       spin_unlock_irqrestore(&queue->rsps_lock, flags);
++      if (unlikely(!rsp)) {
++              rsp = kmalloc(sizeof(*rsp), GFP_KERNEL);
++              if (unlikely(!rsp))
++                      return NULL;
++              rsp->allocated = true;
++      }
++
+       return rsp;
+ }
+@@ -179,6 +188,11 @@ nvmet_rdma_put_rsp(struct nvmet_rdma_rsp
+ {
+       unsigned long flags;
++      if (rsp->allocated) {
++              kfree(rsp);
++              return;
++      }
++
+       spin_lock_irqsave(&rsp->queue->rsps_lock, flags);
+       list_add_tail(&rsp->free_list, &rsp->queue->free_rsps);
+       spin_unlock_irqrestore(&rsp->queue->rsps_lock, flags);
+@@ -702,6 +716,15 @@ static void nvmet_rdma_recv_done(struct
+       cmd->queue = queue;
+       rsp = nvmet_rdma_get_rsp(queue);
++      if (unlikely(!rsp)) {
++              /*
++               * we get here only under memory pressure,
++               * silently drop and have the host retry
++               * as we can't even fail it.
++               */
++              nvmet_rdma_post_recv(queue->dev, cmd);
++              return;
++      }
+       rsp->queue = queue;
+       rsp->cmd = cmd;
+       rsp->flags = 0;
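Review bot: In `nvmet_rdma_get_rsp`, the fallback `kmalloc()` hands back a response whose only initialised member is `allocated`. `nvmet_rdma_recv_done` then sets `queue`, `cmd` and `flags`, but the embedded `req`, `n_rdma`, `invalidate_rkey` and everything else still hold stale heap contents. Pooled entries are presumably set up once when the queue is created (not visible in these hunks), so the dynamic entry should get the same setup, starting with `rsp = kzalloc(sizeof(*rsp), GFP_KERNEL);`, and `nvmet_rdma_put_rsp` should undo it before `kfree(rsp)`. The `if (rsp->allocated)` test also assumes pooled entries have the flag cleared, which depends on how the pool is allocated. Confirm too that this path may sleep, since `GFP_KERNEL` is used from a receive-completion handler.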
diff --git a/queue-4.18/perf-annotate-fix-parsing-aarch64-branch-instructions-after-objdump-update.patch b/queue-4.18/perf-annotate-fix-parsing-aarch64-branch-instructions-after-objdump-update.patch
new file mode 100644 (file)
index 0000000..49a6844
--- /dev/null
@@ -0,0 +1,139 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Kim Phillips <kim.phillips@arm.com>
+Date: Mon, 27 Aug 2018 12:53:40 -0500
+Subject: perf annotate: Fix parsing aarch64 branch instructions after objdump update
+
+From: Kim Phillips <kim.phillips@arm.com>
+
+[ Upstream commit 4e67b2a5df5d3f341776d12ee575e00ca3ef92de ]
+
+Starting with binutils 2.28, aarch64 objdump adds comments to the
+disassembly output to show the alternative names of a condition code
+[1].
+
+It is assumed that commas in objdump comments could occur in other
+arches now or in the future, so this fix is arch-independent.
+
+The fix could have been done with arm64 specific jump__parse and
+jump__scnprintf functions, but the jump__scnprintf instruction would
+have to have its comment character be a literal, since the scnprintf
+functions cannot receive a struct arch easily.
+
+This inconvenience also applies to the generic jump__scnprintf, which is
+why we add a raw_comment pointer to struct ins_operands, so the __parse
+function assigns it to be re-used by its corresponding __scnprintf
+function.
+
+Example differences in 'perf annotate --stdio2' output on an aarch64
+perf.data file:
+
+BEFORE: → b.cs   ffff200008133d1c <unwind_frame+0x18c>  // b.hs, dffff7ecc47b
+AFTER : ↓ b.cs   18c
+
+BEFORE: → b.cc   ffff200008d8d9cc <get_alloc_profile+0x31c>  // b.lo, b.ul, dffff727295b
+AFTER : ↓ b.cc   31c
+
+The branch target labels 18c and 31c also now appear in the output:
+
+BEFORE:        add    x26, x29, #0x80
+AFTER : 18c:   add    x26, x29, #0x80
+
+BEFORE:        add    x21, x21, #0x8
+AFTER : 31c:   add    x21, x21, #0x8
+
+The Fixes: tag below is added so stable branches will get the update; it
+doesn't necessarily mean that commit was broken at the time, rather it
+didn't withstand the aarch64 objdump update.
+
+Tested no difference in output for sample x86_64, power arch perf.data files.
+
+[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=bb7eff5206e4795ac79c177a80fe9f4630aaf730
+
+Signed-off-by: Kim Phillips <kim.phillips@arm.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Anton Blanchard <anton@samba.org>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Cc: Taeung Song <treeze.taeung@gmail.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Fixes: b13bbeee5ee6 ("perf annotate: Fix branch instruction with multiple operands")
+Link: http://lkml.kernel.org/r/20180827125340.a2f7e291901d17cea05daba4@arm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/annotate.c |   22 +++++++++++++++++++++-
+ tools/perf/util/annotate.h |    1 +
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/annotate.c
++++ b/tools/perf/util/annotate.c
+@@ -281,7 +281,19 @@ bool ins__is_call(const struct ins *ins)
+       return ins->ops == &call_ops || ins->ops == &s390_call_ops;
+ }
+-static int jump__parse(struct arch *arch __maybe_unused, struct ins_operands *ops, struct map_symbol *ms)
++/*
++ * Prevents from matching commas in the comment section, e.g.:
++ * ffff200008446e70:       b.cs    ffff2000084470f4 <generic_exec_single+0x314>  // b.hs, b.nlast
++ */
++static inline const char *validate_comma(const char *c, struct ins_operands *ops)
++{
++      if (ops->raw_comment && c > ops->raw_comment)
++              return NULL;
++
++      return c;
++}
++
++static int jump__parse(struct arch *arch, struct ins_operands *ops, struct map_symbol *ms)
+ {
+       struct map *map = ms->map;
+       struct symbol *sym = ms->sym;
+@@ -290,6 +302,10 @@ static int jump__parse(struct arch *arch
+       };
+       const char *c = strchr(ops->raw, ',');
+       u64 start, end;
++
++      ops->raw_comment = strchr(ops->raw, arch->objdump.comment_char);
++      c = validate_comma(c, ops);
++
+       /*
+        * Examples of lines to parse for the _cpp_lex_token@@Base
+        * function:
+@@ -309,6 +325,7 @@ static int jump__parse(struct arch *arch
+               ops->target.addr = strtoull(c, NULL, 16);
+               if (!ops->target.addr) {
+                       c = strchr(c, ',');
++                      c = validate_comma(c, ops);
+                       if (c++ != NULL)
+                               ops->target.addr = strtoull(c, NULL, 16);
+               }
+@@ -366,9 +383,12 @@ static int jump__scnprintf(struct ins *i
+               return scnprintf(bf, size, "%-6s %s", ins->name, ops->target.sym->name);
+       c = strchr(ops->raw, ',');
++      c = validate_comma(c, ops);
++
+       if (c != NULL) {
+               const char *c2 = strchr(c + 1, ',');
++              c2 = validate_comma(c2, ops);
+               /* check for 3-op insn */
+               if (c2 != NULL)
+                       c = c2;
+--- a/tools/perf/util/annotate.h
++++ b/tools/perf/util/annotate.h
+@@ -21,6 +21,7 @@ struct ins {
+ struct ins_operands {
+       char    *raw;
++      char    *raw_comment;
+       struct {
+               char    *raw;
+               char    *name;
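Review bot: `raw_comment` is written only in `jump__parse`, yet `jump__scnprintf` reads it through `validate_comma`, so printing depends on the parse having run on the same `ops`; the new field in `struct ins_operands` has no comment recording that. Something like `/* start of the objdump comment inside raw, set by jump__parse(); NULL if none */` on the field would document the contract. It is also worth noting in `validate_comma`'s header comment that an arch leaving `comment_char` at 0 makes `strchr` return the string terminator, which still compares correctly against any comma position.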
diff --git a/queue-4.18/perf-annotate-properly-interpret-indirect-call.patch b/queue-4.18/perf-annotate-properly-interpret-indirect-call.patch
new file mode 100644 (file)
index 0000000..b79c2fb
--- /dev/null
@@ -0,0 +1,98 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: "Martin Liška" <mliska@suse.cz>
+Date: Thu, 23 Aug 2018 14:29:34 +0200
+Subject: perf annotate: Properly interpret indirect call
+
+From: "Martin Liška" <mliska@suse.cz>
+
+[ Upstream commit 1dc27f63303db58ce1b1a6932d1825305f86d574 ]
+
+The patch changes the parsing of:
+
+       callq  *0x8(%rbx)
+
+from:
+
+  0.26 │     → callq  *8
+
+to:
+
+  0.26 │     → callq  *0x8(%rbx)
+
+in this case an address is followed by a register, thus one can't parse
+only the address.
+
+Committer testing:
+
+1) run 'perf record sleep 10'
+2) before applying the patch, run:
+
+     perf annotate --stdio2 > /tmp/before
+
+3) after applying the patch, run:
+
+     perf annotate --stdio2 > /tmp/after
+
+4) diff /tmp/before /tmp/after:
+#  --- /tmp/before 2018-08-28 11:16:03.238384143 -0300
+#  +++ /tmp/after  2018-08-28 11:15:39.335341042 -0300
+#  @@ -13274,7 +13274,7 @@
+#                ↓ jle    128
+#                  hash_value = hash_table->hash_func (key);
+#                  mov    0x8(%rsp),%rdi
+#  -  0.91       → callq  *30
+#  +  0.91       → callq  *0x30(%r12)
+#                  mov    $0x2,%r8d
+#                  cmp    $0x2,%eax
+#                  node_hash = hash_table->hashes[node_index];
+#  @@ -13848,7 +13848,7 @@
+#                   mov    %r14,%rdi
+#                   sub    %rbx,%r13
+#                   mov    %r13,%rdx
+#  -              → callq  *38
+#  +              → callq  *0x38(%r15)
+#                   cmp    %rax,%r13
+#     1.91        ↓ je     240
+#            1b4:   mov    $0xffffffff,%r13d
+#  @@ -14026,7 +14026,7 @@
+#                   mov    %rcx,-0x500(%rbp)
+#                   mov    %r15,%rsi
+#                   mov    %r14,%rdi
+#  -              → callq  *38
+#  +              → callq  *0x38(%rax)
+#                   mov    -0x500(%rbp),%rcx
+#                   cmp    %rax,%rcx
+#                 ↓ jne    9b0
+<SNIP tons of other such cases>
+
+Signed-off-by: Martin Liška <mliska@suse.cz>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Tested-by: Kim Phillips <kim.phillips@arm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Link: http://lkml.kernel.org/r/bd1f3932-be2b-85f9-7582-111ee0a43b07@suse.cz
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/annotate.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/util/annotate.c
++++ b/tools/perf/util/annotate.c
+@@ -245,8 +245,14 @@ find_target:
+ indirect_call:
+       tok = strchr(endptr, '*');
+-      if (tok != NULL)
+-              ops->target.addr = strtoull(tok + 1, NULL, 16);
++      if (tok != NULL) {
++              endptr++;
++
++              /* Indirect call can use a non-rip register and offset: callq  *0x8(%rbx).
++               * Do not parse such instruction.  */
++              if (strstr(endptr, "(%r") == NULL)
++                      ops->target.addr = strtoull(endptr, NULL, 16);
++      }
+       goto find_target;
+ }
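Review bot: At `indirect_call:`, the new code locates the `*` with `strchr` into `tok` but then advances and parses from `endptr`, so it is correct only if `endptr` already points at that `*`; the removed line used `tok + 1`. Unless the code above the hunk guarantees this, use `tok` throughout: `if (strstr(tok + 1, "(%r") == NULL)` followed by `ops->target.addr = strtoull(tok + 1, NULL, 16);`. The comment says non-rip registers, but the pattern `"(%r"` also matches `(%rip)`. It is also x86 operand syntax in a parser that appears to be shared across architectures. The function starts outside the hunk.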
diff --git a/queue-4.18/perf-evsel-fix-potential-null-pointer-dereference-in-perf_evsel__new_idx.patch b/queue-4.18/perf-evsel-fix-potential-null-pointer-dereference-in-perf_evsel__new_idx.patch
new file mode 100644 (file)
index 0000000..6c03378
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Hisao Tanabe <xtanabe@gmail.com>
+Date: Sat, 25 Aug 2018 00:45:56 +0900
+Subject: perf evsel: Fix potential null pointer dereference in perf_evsel__new_idx()
+
+From: Hisao Tanabe <xtanabe@gmail.com>
+
+[ Upstream commit fd8d2702791a970c751f8b526a17d8e725a05b46 ]
+
+If evsel is NULL, we should return NULL to avoid a NULL pointer
+dereference a bit later in the code.
+
+Signed-off-by: Hisao Tanabe <xtanabe@gmail.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Wang Nan <wangnan0@huawei.com>
+Fixes: 03e0a7df3efd ("perf tools: Introduce bpf-output event")
+LPU-Reference: 20180824154556.23428-1-xtanabe@gmail.com
+Link: https://lkml.kernel.org/n/tip-e5plzjhx6595a5yjaf22jss3@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/evsel.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -251,8 +251,9 @@ struct perf_evsel *perf_evsel__new_idx(s
+ {
+       struct perf_evsel *evsel = zalloc(perf_evsel__object.size);
+-      if (evsel != NULL)
+-              perf_evsel__init(evsel, attr, idx);
++      if (!evsel)
++              return NULL;
++      perf_evsel__init(evsel, attr, idx);
+       if (perf_evsel__is_bpf_output(evsel)) {
+               evsel->attr.sample_type |= (PERF_SAMPLE_RAW | PERF_SAMPLE_TIME |
diff --git a/queue-4.18/perf-probe-powerpc-ignore-sys-symbols-irrespective-of-endianness.patch b/queue-4.18/perf-probe-powerpc-ignore-sys-symbols-irrespective-of-endianness.patch
new file mode 100644 (file)
index 0000000..e413091
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Sandipan Das <sandipan@linux.ibm.com>
+Date: Tue, 28 Aug 2018 14:38:48 +0530
+Subject: perf probe powerpc: Ignore SyS symbols irrespective of endianness
+
+From: Sandipan Das <sandipan@linux.ibm.com>
+
+[ Upstream commit fa694160cca6dbba17c57dc7efec5f93feaf8795 ]
+
+This makes sure that the SyS symbols are ignored for any powerpc system,
+not just the big endian ones.
+
+Reported-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Sandipan Das <sandipan@linux.ibm.com>
+Reviewed-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Fixes: fb6d59423115 ("perf probe ppc: Use the right prefix when ignoring SyS symbols on ppc")
+Link: http://lkml.kernel.org/r/20180828090848.1914-1-sandipan@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/arch/powerpc/util/sym-handling.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/arch/powerpc/util/sym-handling.c
++++ b/tools/perf/arch/powerpc/util/sym-handling.c
+@@ -22,15 +22,16 @@ bool elf__needs_adjust_symbols(GElf_Ehdr
+ #endif
+-#if !defined(_CALL_ELF) || _CALL_ELF != 2
+ int arch__choose_best_symbol(struct symbol *syma,
+                            struct symbol *symb __maybe_unused)
+ {
+       char *sym = syma->name;
++#if !defined(_CALL_ELF) || _CALL_ELF != 2
+       /* Skip over any initial dot */
+       if (*sym == '.')
+               sym++;
++#endif
+       /* Avoid "SyS" kernel syscall aliases */
+       if (strlen(sym) >= 3 && !strncmp(sym, "SyS", 3))
+@@ -41,6 +42,7 @@ int arch__choose_best_symbol(struct symb
+       return SYMBOL_A;
+ }
++#if !defined(_CALL_ELF) || _CALL_ELF != 2
+ /* Allow matching against dot variants */
+ int arch__compare_symbol_names(const char *namea, const char *nameb)
+ {
diff --git a/queue-4.18/perf-util-fix-bad-memory-access-in-trace-info.patch b/queue-4.18/perf-util-fix-bad-memory-access-in-trace-info.patch
new file mode 100644 (file)
index 0000000..f115b21
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Chris Phlipot <cphlipot0@gmail.com>
+Date: Tue, 28 Aug 2018 23:19:54 -0700
+Subject: perf util: Fix bad memory access in trace info.
+
+From: Chris Phlipot <cphlipot0@gmail.com>
+
+[ Upstream commit a72f64261359b7451f8478f2a2bf357b4e6c757f ]
+
+In the write to the output_fd in the error condition of
+record_saved_cmdline(), we are writing 8 bytes from a memory location on
+the stack that contains a primitive that is only 4 bytes in size.
+Change the primitive to 8 bytes in size to match the size of the write
+in order to avoid reading unknown memory from the stack.
+
+Signed-off-by: Chris Phlipot <cphlipot0@gmail.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20180829061954.18871-1-cphlipot0@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/trace-event-info.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/trace-event-info.c
++++ b/tools/perf/util/trace-event-info.c
+@@ -377,7 +377,7 @@ out:
+ static int record_saved_cmdline(void)
+ {
+-      unsigned int size;
++      unsigned long long size;
+       char *path;
+       struct stat st;
+       int ret, err = 0;
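Review bot: The new `unsigned long long size;` in record_saved_cmdline() only prevents the stack over-read while the write elsewhere in the function keeps using a length of 8, and the declaration does not record that coupling. The commit description states that 8 bytes are written from this variable in the error path; that write is outside the hunk. A short comment on the declaration would keep the two in step, e.g. `/* written to output_fd as an 8-byte field; must stay 64 bits wide */`. If the write uses a literal length, `sizeof(size)` would be the safer form there. The function body continues outside the hunk.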
diff --git a/queue-4.18/perf-x86-intel-add-support-quirk-for-the-mispredict-bit-on-knights-landing-cpus.patch b/queue-4.18/perf-x86-intel-add-support-quirk-for-the-mispredict-bit-on-knights-landing-cpus.patch
new file mode 100644 (file)
index 0000000..3e66431
--- /dev/null
@@ -0,0 +1,72 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Jacek Tomaka <jacek.tomaka@poczta.fm>
+Date: Thu, 2 Aug 2018 09:38:30 +0800
+Subject: perf/x86/intel: Add support/quirk for the MISPREDICT bit on Knights Landing CPUs
+
+From: Jacek Tomaka <jacek.tomaka@poczta.fm>
+
+[ Upstream commit 16160c1946b702dcfa95ef63389a56deb2f1c7cb ]
+
+Problem: perf did not show branch predicted/mispredicted bit in brstack.
+
+Output of perf -F brstack for profile collected
+
+Before:
+
+ 0x4fdbcd/0x4fdc03/-/-/-/0
+ 0x45f4c1/0x4fdba0/-/-/-/0
+ 0x45f544/0x45f4bb/-/-/-/0
+ 0x45f555/0x45f53c/-/-/-/0
+ 0x7f66901cc24b/0x45f555/-/-/-/0
+ 0x7f66901cc22e/0x7f66901cc23d/-/-/-/0
+ 0x7f66901cc1ff/0x7f66901cc20f/-/-/-/0
+ 0x7f66901cc1e8/0x7f66901cc1fc/-/-/-/0
+
+After:
+
+ 0x4fdbcd/0x4fdc03/P/-/-/0
+ 0x45f4c1/0x4fdba0/P/-/-/0
+ 0x45f544/0x45f4bb/P/-/-/0
+ 0x45f555/0x45f53c/P/-/-/0
+ 0x7f66901cc24b/0x45f555/P/-/-/0
+ 0x7f66901cc22e/0x7f66901cc23d/P/-/-/0
+ 0x7f66901cc1ff/0x7f66901cc20f/P/-/-/0
+ 0x7f66901cc1e8/0x7f66901cc1fc/P/-/-/0
+
+Cause:
+
+As mentioned in Software Development Manual vol 3, 17.4.8.1,
+IA32_PERF_CAPABILITIES[5:0] indicates the format of the address that is
+stored in the LBR stack. Knights Landing reports 1 (LBR_FORMAT_LIP) as
+its format. Despite that, registers containing FROM address of the branch,
+do have MISPREDICT bit but because of the format indicated in
+IA32_PERF_CAPABILITIES[5:0], LBR did not read MISPREDICT bit.
+
+Solution:
+
+Teach LBR about above Knights Landing quirk and make it read MISPREDICT bit.
+
+Signed-off-by: Jacek Tomaka <jacek.tomaka@poczta.fm>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20180802013830.10600-1-jacekt@dugeo.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/lbr.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/x86/events/intel/lbr.c
++++ b/arch/x86/events/intel/lbr.c
+@@ -1250,4 +1250,8 @@ void intel_pmu_lbr_init_knl(void)
+       x86_pmu.lbr_sel_mask = LBR_SEL_MASK;
+       x86_pmu.lbr_sel_map  = snb_lbr_sel_map;
++
++      /* Knights Landing does have MISPREDICT bit */
++      if (x86_pmu.intel_cap.lbr_format == LBR_FORMAT_LIP)
++              x86_pmu.intel_cap.lbr_format = LBR_FORMAT_EIP_FLAGS;
+ }
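Review bot: The comment `/* Knights Landing does have MISPREDICT bit */` in intel_pmu_lbr_init_knl() does not say why the reported format is being overridden. Per the commit description, the CPU reports LBR_FORMAT_LIP in IA32_PERF_CAPABILITIES although its FROM registers carry the MISPREDICT bit. I would put that in the comment, e.g. `/* KNL reports LBR_FORMAT_LIP but its FROM registers carry MISPREDICT; treat it as EIP_FLAGS so the bit is read */`. The assignment rewrites x86_pmu.intel_cap.lbr_format for every later reader, so it is worth confirming that no other consumer depends on the LIP value; those readers are not visible here.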
diff --git a/queue-4.18/pinctrl-msm-really-mask-level-interrupts-to-prevent-latching.patch b/queue-4.18/pinctrl-msm-really-mask-level-interrupts-to-prevent-latching.patch
new file mode 100644 (file)
index 0000000..c756a75
--- /dev/null
@@ -0,0 +1,93 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Stephen Boyd <swboyd@chromium.org>
+Date: Thu, 16 Aug 2018 13:06:46 -0700
+Subject: pinctrl: msm: Really mask level interrupts to prevent latching
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit b55326dc969ea2d704a008d9a97583b128f54f4f ]
+
+The interrupt controller hardware in this pin controller has two status
+enable bits. The first "normal" status enable bit enables or disables
+the summary interrupt line being raised when a gpio interrupt triggers
+and the "raw" status enable bit allows or prevents the hardware from
+latching an interrupt into the status register for a gpio interrupt.
+Currently we just toggle the "normal" status enable bit in the mask and
+unmask ops so that the summary irq interrupt going to the CPU's
+interrupt controller doesn't trigger for the masked gpio interrupt.
+
+For a level triggered interrupt, the flow would be as follows: the pin
+controller sees the interrupt, latches the status into the status
+register, raises the summary irq to the CPU, summary irq handler runs
+and calls handle_level_irq(), handle_level_irq() masks and acks the gpio
+interrupt, the interrupt handler runs, and finally unmask the interrupt.
+When the interrupt handler completes, we expect that the interrupt line
+level will go back to the deasserted state so the genirq code can unmask
+the interrupt without it triggering again.
+
+If we only mask the interrupt by clearing the "normal" status enable bit
+then we'll ack the interrupt but it will continue to show up as pending
+in the status register because the raw status bit is enabled, the
+hardware hasn't deasserted the line, and thus the asserted state latches
+into the status register again. When the hardware deasserts the
+interrupt the pin controller still thinks there is a pending unserviced
+level interrupt because it latched it earlier. This behavior causes
+software to see an extra interrupt for level type interrupts each time
+the interrupt is handled.
+
+Let's fix this by clearing the raw status enable bit for level type
+interrupts so that the hardware stops latching the status of the
+interrupt after we ack it. We don't do this for edge type interrupts
+because it seems that toggling the raw status enable bit for edge type
+interrupts causes spurious edge interrupts.
+
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/qcom/pinctrl-msm.c |   24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/pinctrl/qcom/pinctrl-msm.c
++++ b/drivers/pinctrl/qcom/pinctrl-msm.c
+@@ -634,6 +634,29 @@ static void msm_gpio_irq_mask(struct irq
+       raw_spin_lock_irqsave(&pctrl->lock, flags);
+       val = readl(pctrl->regs + g->intr_cfg_reg);
++      /*
++       * There are two bits that control interrupt forwarding to the CPU. The
++       * RAW_STATUS_EN bit causes the level or edge sensed on the line to be
++       * latched into the interrupt status register when the hardware detects
++       * an irq that it's configured for (either edge for edge type or level
++       * for level type irq). The 'non-raw' status enable bit causes the
++       * hardware to assert the summary interrupt to the CPU if the latched
++       * status bit is set. There's a bug though, the edge detection logic
++       * seems to have a problem where toggling the RAW_STATUS_EN bit may
++       * cause the status bit to latch spuriously when there isn't any edge
++       * so we can't touch that bit for edge type irqs and we have to keep
++       * the bit set anyway so that edges are latched while the line is masked.
++       *
++       * To make matters more complicated, leaving the RAW_STATUS_EN bit
++       * enabled all the time causes level interrupts to re-latch into the
++       * status register because the level is still present on the line after
++       * we ack it. We clear the raw status enable bit during mask here and
++       * set the bit on unmask so the interrupt can't latch into the hardware
++       * while it's masked.
++       */
++      if (irqd_get_trigger_type(d) & IRQ_TYPE_LEVEL_MASK)
++              val &= ~BIT(g->intr_raw_status_bit);
++
+       val &= ~BIT(g->intr_enable_bit);
+       writel(val, pctrl->regs + g->intr_cfg_reg);
+@@ -655,6 +678,7 @@ static void msm_gpio_irq_unmask(struct i
+       raw_spin_lock_irqsave(&pctrl->lock, flags);
+       val = readl(pctrl->regs + g->intr_cfg_reg);
++      val |= BIT(g->intr_raw_status_bit);
+       val |= BIT(g->intr_enable_bit);
+       writel(val, pctrl->regs + g->intr_cfg_reg);
diff --git a/queue-4.18/r8169-clear-rtl_flag_task_-_pending-when-clearing-rtl_flag_task_enabled.patch b/queue-4.18/r8169-clear-rtl_flag_task_-_pending-when-clearing-rtl_flag_task_enabled.patch
new file mode 100644 (file)
index 0000000..a1683f5
--- /dev/null
@@ -0,0 +1,69 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 11 Sep 2018 01:51:43 +0800
+Subject: r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 6ad569019999300afd8e614d296fdc356550b77f ]
+
+After system suspend, sometimes the r8169 doesn't work when ethernet
+cable gets pluggued.
+
+This issue happens because rtl_reset_work() doesn't get called from
+rtl8169_runtime_resume(), after system suspend.
+
+In rtl_task(), RTL_FLAG_TASK_* only gets cleared if this condition is
+met:
+if (!netif_running(dev) ||
+    !test_bit(RTL_FLAG_TASK_ENABLED, tp->wk.flags))
+    ...
+
+If RTL_FLAG_TASK_ENABLED was cleared during system suspend while
+RTL_FLAG_TASK_RESET_PENDING was set, the next rtl_schedule_task() won't
+schedule task as the flag is still there.
+
+So in addition to clearing RTL_FLAG_TASK_ENABLED, also clears other
+flags.
+
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -730,7 +730,7 @@ struct rtl8169_tc_offsets {
+ };
+ enum rtl_flag {
+-      RTL_FLAG_TASK_ENABLED,
++      RTL_FLAG_TASK_ENABLED = 0,
+       RTL_FLAG_TASK_SLOW_PENDING,
+       RTL_FLAG_TASK_RESET_PENDING,
+       RTL_FLAG_TASK_PHY_PENDING,
+@@ -7125,7 +7125,8 @@ static int rtl8169_close(struct net_devi
+       rtl8169_update_counters(tp);
+       rtl_lock_work(tp);
+-      clear_bit(RTL_FLAG_TASK_ENABLED, tp->wk.flags);
++      /* Clear all task flags */
++      bitmap_zero(tp->wk.flags, RTL_FLAG_MAX);
+       rtl8169_down(dev);
+       rtl_unlock_work(tp);
+@@ -7301,7 +7302,9 @@ static void rtl8169_net_suspend(struct n
+       rtl_lock_work(tp);
+       napi_disable(&tp->napi);
+-      clear_bit(RTL_FLAG_TASK_ENABLED, tp->wk.flags);
++      /* Clear all task flags */
++      bitmap_zero(tp->wk.flags, RTL_FLAG_MAX);
++
+       rtl_unlock_work(tp);
+       rtl_pll_power_down(tp);
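Review bot: `bitmap_zero(tp->wk.flags, RTL_FLAG_MAX);` in rtl8169_close() and rtl8169_net_suspend() replaces an atomic `clear_bit()` with a plain store, and the comment `/* Clear all task flags */` does not say why that is safe. Both calls sit between rtl_lock_work() and rtl_unlock_work(), but these hunks do not show whether every path that sets a *_PENDING bit also takes that lock; if one does not, a concurrently set bit may be lost or may survive the clear. I would extend the comment to state the locking assumption, e.g. `/* Clear all task flags; non-atomic, relies on the work lock being held */`. RTL_FLAG_MAX is not among the enum lines shown, so its position as the last enumerator should be checked against the full enum.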
diff --git a/queue-4.18/r8169-set-txconfig-register-after-tx-rx-is-enabled-just-like-rxconfig.patch b/queue-4.18/r8169-set-txconfig-register-after-tx-rx-is-enabled-just-like-rxconfig.patch
new file mode 100644 (file)
index 0000000..2344e10
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
+Date: Fri, 7 Sep 2018 20:15:22 +0200
+Subject: r8169: set TxConfig register after TX / RX is enabled, just like RxConfig
+
+From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
+
+[ Upstream commit f74dd480cf4e31e12971c58a1d832044db945670 ]
+
+Commit 3559d81e76bf ("r8169: simplify rtl_hw_start_8169") changed order of
+two register writes:
+1) Caused RxConfig to be written before TX / RX is enabled,
+2) Caused TxConfig to be written before TX / RX is enabled.
+
+At least on XIDs 10000000 ("RTL8169sb/8110sb") and
+18000000 ("RTL8169sc/8110sc") such writes are ignored by the chip, leaving
+values in these registers intact.
+
+Change 1) was reverted by
+commit 05212ba8132b42 ("r8169: set RxConfig after tx/rx is enabled for RTL8169sb/8110sb devices"),
+however change 2) wasn't.
+
+In practice, this caused TxConfig's "InterFrameGap time" and "Max DMA Burst
+Size per Tx DMA Burst" bits to be zero dramatically reducing TX performance
+(in my tests it dropped from around 500Mbps to around 50Mbps).
+
+This patch fixes the issue by moving TxConfig register write a bit later in
+the code so it happens after TX / RX is already enabled.
+
+Fixes: 05212ba8132b42 ("r8169: set RxConfig after tx/rx is enabled for RTL8169sb/8110sb devices")
+Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -5150,13 +5150,13 @@ static void rtl_hw_start(struct  rtl8169
+       rtl_set_rx_max_size(tp);
+       rtl_set_rx_tx_desc_registers(tp);
+-      rtl_set_tx_config_registers(tp);
+       RTL_W8(tp, Cfg9346, Cfg9346_Lock);
+       /* Initially a 10 us delay. Turned it into a PCI commit. - FR */
+       RTL_R8(tp, IntrMask);
+       RTL_W8(tp, ChipCmd, CmdTxEnb | CmdRxEnb);
+       rtl_init_rxcfg(tp);
++      rtl_set_tx_config_registers(tp);
+       rtl_set_rx_mode(tp->dev);
+       /* no early-rx interrupts */
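Review bot: The moved call `rtl_set_tx_config_registers(tp);` in rtl_hw_start() now depends on running after the `RTL_W8(tp, ChipCmd, CmdTxEnb | CmdRxEnb);` write, and nothing in the code records that ordering requirement. The commit description says an earlier simplification already lost this ordering once. A comment above the two config calls would guard against a repeat, e.g. `/* RxConfig/TxConfig writes are ignored by some chips until TX/RX is enabled */`. rtl_hw_start() begins and ends outside the hunk.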
diff --git a/queue-4.18/rdma-ucma-check-fd-type-in-ucma_migrate_id.patch b/queue-4.18/rdma-ucma-check-fd-type-in-ucma_migrate_id.patch
new file mode 100644 (file)
index 0000000..5063fdd
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Jann Horn <jannh@google.com>
+Date: Mon, 3 Sep 2018 18:54:14 +0200
+Subject: RDMA/ucma: check fd type in ucma_migrate_id()
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 0d23ba6034b9cf48b8918404367506da3e4b3ee5 ]
+
+The current code grabs the private_data of whatever file descriptor
+userspace has supplied and implicitly casts it to a `struct ucma_file *`,
+potentially causing a type confusion.
+
+This is probably fine in practice because the pointer is only used for
+comparisons, it is never actually dereferenced; and even in the
+comparisons, it is unlikely that a file from another filesystem would have
+a ->private_data pointer that happens to also be valid in this context.
+But ->private_data is not always guaranteed to be a valid pointer to an
+object owned by the file's filesystem; for example, some filesystems just
+cram numbers in there.
+
+Check the type of the supplied file descriptor to be safe, analogous to how
+other places in the kernel do it.
+
+Fixes: 88314e4dda1e ("RDMA/cma: add support for rdma_migrate_id()")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/ucma.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -124,6 +124,8 @@ static DEFINE_MUTEX(mut);
+ static DEFINE_IDR(ctx_idr);
+ static DEFINE_IDR(multicast_idr);
++static const struct file_operations ucma_fops;
++
+ static inline struct ucma_context *_ucma_find_context(int id,
+                                                     struct ucma_file *file)
+ {
+@@ -1581,6 +1583,10 @@ static ssize_t ucma_migrate_id(struct uc
+       f = fdget(cmd.fd);
+       if (!f.file)
+               return -ENOENT;
++      if (f.file->f_op != &ucma_fops) {
++              ret = -EINVAL;
++              goto file_put;
++      }
+       /* Validate current fd and prevent destruction of id. */
+       ctx = ucma_get_ctx(f.file->private_data, cmd.id);
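Review bot: The added `f.file->f_op != &ucma_fops` check in ucma_migrate_id() has no comment saying what it protects, although the line right after it passes `f.file->private_data` on as a ucma file. cmd.fd is supplied by userspace, so without the check the private_data of an arbitrary file type would be treated as a `struct ucma_file *`. I would add `/* private_data is only a struct ucma_file if the fd was opened on this device */` above the check. The `file_put` label and the definition that completes the forward declaration `static const struct file_operations ucma_fops;` are outside the hunks. Confirm that the label releases the fdget() reference taken above.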
diff --git a/queue-4.18/revert-iio-temperature-maxim_thermocouple-add-max31856-part.patch b/queue-4.18/revert-iio-temperature-maxim_thermocouple-add-max31856-part.patch
new file mode 100644 (file)
index 0000000..10b4020
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+Date: Sat, 25 Aug 2018 02:00:48 -0700
+Subject: Revert "iio: temperature: maxim_thermocouple: add MAX31856 part"
+
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+
+[ Upstream commit 65099ea85e885c3ea1272eca8774b771419d8ce8 ]
+
+This reverts commit 535fba29b3e1afef4ba201b3c69a6992583ec0bd.
+
+Seems the submitter (er me, hang head in shame) didn't look at the datasheet
+enough to see that the registers are quite different.
+
+This needs to be reverted because a) would never work b) to open it  be added
+to a Maxim RTDs (Resistance Temperature Detectors) under development by author
+
+Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/temperature/maxim_thermocouple.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/iio/temperature/maxim_thermocouple.c
++++ b/drivers/iio/temperature/maxim_thermocouple.c
+@@ -258,7 +258,6 @@ static int maxim_thermocouple_remove(str
+ static const struct spi_device_id maxim_thermocouple_id[] = {
+       {"max6675", MAX6675},
+       {"max31855", MAX31855},
+-      {"max31856", MAX31855},
+       {},
+ };
+ MODULE_DEVICE_TABLE(spi, maxim_thermocouple_id);
diff --git a/queue-4.18/riscv-do-not-overwrite-initrd_start-and-initrd_end.patch b/queue-4.18/riscv-do-not-overwrite-initrd_start-and-initrd_end.patch
new file mode 100644 (file)
index 0000000..c26d1f2
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Tue, 28 Aug 2018 17:33:46 -0700
+Subject: riscv: Do not overwrite initrd_start and initrd_end
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit e866d3e84eb7c9588afb77604d417e8cc49fe216 ]
+
+setup_initrd() overwrites initrd_start and initrd_end if __initramfs_size
+is larger than 0, which is always true even if there is no embedded
+initramfs. This prevents booting qemu with "-initrd" parameter.
+Overwriting initrd_start and initrd_end is not necessary since
+__initramfs_start and __initramfs_size are used directly in
+populate_rootfs() to load the built-in initramfs, so just drop
+that code.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/setup.c |    7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/arch/riscv/kernel/setup.c
++++ b/arch/riscv/kernel/setup.c
+@@ -64,15 +64,8 @@ atomic_t hart_lottery;
+ #ifdef CONFIG_BLK_DEV_INITRD
+ static void __init setup_initrd(void)
+ {
+-      extern char __initramfs_start[];
+-      extern unsigned long __initramfs_size;
+       unsigned long size;
+-      if (__initramfs_size > 0) {
+-              initrd_start = (unsigned long)(&__initramfs_start);
+-              initrd_end = initrd_start + __initramfs_size;
+-      }
+-
+       if (initrd_start >= initrd_end) {
+               printk(KERN_INFO "initrd not found or empty");
+               goto disable;
diff --git a/queue-4.18/s390-qeth-don-t-dump-past-end-of-unknown-hw-header.patch b/queue-4.18/s390-qeth-don-t-dump-past-end-of-unknown-hw-header.patch
new file mode 100644 (file)
index 0000000..ceb536b
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Wed, 12 Sep 2018 15:31:35 +0200
+Subject: s390/qeth: don't dump past end of unknown HW header
+
+From: Julian Wiedmann <jwi@linux.ibm.com>
+
+[ Upstream commit 0ac1487c4b2de383b91ecad1be561b8f7a2c15f4 ]
+
+For inbound data with an unsupported HW header format, only dump the
+actual HW header. We have no idea how much payload follows it, and what
+it contains. Worst case, we dump past the end of the Inbound Buffer and
+access whatever is located next in memory.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_l2_main.c |    2 +-
+ drivers/s390/net/qeth_l3_main.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/net/qeth_l2_main.c
++++ b/drivers/s390/net/qeth_l2_main.c
+@@ -425,7 +425,7 @@ static int qeth_l2_process_inbound_buffe
+               default:
+                       dev_kfree_skb_any(skb);
+                       QETH_CARD_TEXT(card, 3, "inbunkno");
+-                      QETH_DBF_HEX(CTRL, 3, hdr, QETH_DBF_CTRL_LEN);
++                      QETH_DBF_HEX(CTRL, 3, hdr, sizeof(*hdr));
+                       continue;
+               }
+               work_done++;
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -1390,7 +1390,7 @@ static int qeth_l3_process_inbound_buffe
+               default:
+                       dev_kfree_skb_any(skb);
+                       QETH_CARD_TEXT(card, 3, "inbunkno");
+-                      QETH_DBF_HEX(CTRL, 3, hdr, QETH_DBF_CTRL_LEN);
++                      QETH_DBF_HEX(CTRL, 3, hdr, sizeof(*hdr));
+                       continue;
+               }
+               work_done++;
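Review bot: `QETH_DBF_HEX(CTRL, 3, hdr, sizeof(*hdr));` in the `default:` branch of qeth_l2_process_inbound_buffer() and qeth_l3_process_inbound_buffer() carries no comment explaining why the dump length is the header size rather than QETH_DBF_CTRL_LEN. A later cleanup could restore the constant and reintroduce the read past the inbound buffer that the commit description warns about. I would add `/* unknown header format: payload length is not known, dump the header only */` above both calls. Whether at least sizeof(*hdr) bytes are guaranteed to be present at this point is decided outside these hunks.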
diff --git a/queue-4.18/s390-qeth-use-vzalloc-for-query-oat-buffer.patch b/queue-4.18/s390-qeth-use-vzalloc-for-query-oat-buffer.patch
new file mode 100644 (file)
index 0000000..234590a
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Wenjia Zhang <wenjia@linux.ibm.com>
+Date: Wed, 12 Sep 2018 15:31:34 +0200
+Subject: s390/qeth: use vzalloc for QUERY OAT buffer
+
+From: Wenjia Zhang <wenjia@linux.ibm.com>
+
+[ Upstream commit aec45e857c5538664edb76a60dd452e3265f37d1 ]
+
+qeth_query_oat_command() currently allocates the kernel buffer for
+the SIOC_QETH_QUERY_OAT ioctl with kzalloc. So on systems with
+fragmented memory, large allocations may fail (eg. the qethqoat tool by
+default uses 132KB).
+
+Solve this issue by using vzalloc, backing the allocation with
+non-contiguous memory.
+
+Signed-off-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Reviewed-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core_main.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -25,6 +25,7 @@
+ #include <linux/netdevice.h>
+ #include <linux/netdev_features.h>
+ #include <linux/skbuff.h>
++#include <linux/vmalloc.h>
+ #include <net/iucv/af_iucv.h>
+ #include <net/dsfield.h>
+@@ -4738,7 +4739,7 @@ static int qeth_query_oat_command(struct
+       priv.buffer_len = oat_data.buffer_len;
+       priv.response_len = 0;
+-      priv.buffer =  kzalloc(oat_data.buffer_len, GFP_KERNEL);
++      priv.buffer = vzalloc(oat_data.buffer_len);
+       if (!priv.buffer) {
+               rc = -ENOMEM;
+               goto out;
+@@ -4779,7 +4780,7 @@ static int qeth_query_oat_command(struct
+                       rc = -EFAULT;
+ out_free:
+-      kfree(priv.buffer);
++      vfree(priv.buffer);
+ out:
+       return rc;
+ }
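Review bot: `priv.buffer = vzalloc(oat_data.buffer_len);` in qeth_query_oat_command() removes the implicit size ceiling that kzalloc imposed, and no upper bound on `oat_data.buffer_len` is visible in the hunk. The commit description says the buffer serves the SIOC_QETH_QUERY_OAT ioctl, so the length comes from the caller; with vzalloc a very large request can now succeed and hold kernel memory for the duration of the command. Unless an earlier part of the function (outside the hunk) already limits it, I would reject oversized requests before allocating, e.g. `if (oat_data.buffer_len > QETH_OAT_BUF_MAX) { rc = -EINVAL; goto out; }`. QETH_OAT_BUF_MAX is a placeholder for a limit the driver would have to define.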
diff --git a/queue-4.18/sched-topology-set-correct-numa-topology-type.patch b/queue-4.18/sched-topology-set-correct-numa-topology-type.patch
new file mode 100644 (file)
index 0000000..cccd8be
--- /dev/null
@@ -0,0 +1,66 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Date: Fri, 10 Aug 2018 22:30:18 +0530
+Subject: sched/topology: Set correct NUMA topology type
+
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+
+[ Upstream commit e5e96fafd9028b1478b165db78c52d981c14f471 ]
+
+With the following commit:
+
+  051f3ca02e46 ("sched/topology: Introduce NUMA identity node sched domain")
+
+the scheduler introduced a new NUMA level. However this leads to the NUMA topology
+on 2 node systems to not be marked as NUMA_DIRECT anymore.
+
+After this commit, it gets reported as NUMA_BACKPLANE, because
+sched_domains_numa_level is now 2 on 2 node systems.
+
+Fix this by allowing setting systems that have up to 2 NUMA levels as
+NUMA_DIRECT.
+
+While here remove code that assumes that level can be 0.
+
+Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Andre Wild <wild@linux.vnet.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linuxppc-dev <linuxppc-dev@lists.ozlabs.org>
+Fixes: 051f3ca02e46 "Introduce NUMA identity node sched domain"
+Link: http://lkml.kernel.org/r/1533920419-17410-1-git-send-email-srikar@linux.vnet.ibm.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/topology.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/kernel/sched/topology.c
++++ b/kernel/sched/topology.c
+@@ -1295,7 +1295,7 @@ static void init_numa_topology_type(void
+       n = sched_max_numa_distance;
+-      if (sched_domains_numa_levels <= 1) {
++      if (sched_domains_numa_levels <= 2) {
+               sched_numa_topology_type = NUMA_DIRECT;
+               return;
+       }
+@@ -1380,9 +1380,6 @@ void sched_init_numa(void)
+                       break;
+       }
+-      if (!level)
+-              return;
+-
+       /*
+        * 'level' contains the number of unique distances
+        *
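Review bot: The threshold in `if (sched_domains_numa_levels <= 2) {` in init_numa_topology_type() is a bare number whose meaning changed with this patch and is not explained. Per the commit description, the identity level is now counted, so a two-node system reports two levels. A comment would record that, e.g. `/* the identity level counts as one, so two levels still means directly connected nodes */`. The second hunk drops the `if (!level) return;` guard in sched_init_numa() on the stated assumption that level cannot be 0. The code that consumes `level` is outside the hunk, so that assumption should be verified against the loop above it.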
diff --git a/queue-4.18/scsi-iscsi-target-fix-conn_ops-double-free.patch b/queue-4.18/scsi-iscsi-target-fix-conn_ops-double-free.patch
new file mode 100644 (file)
index 0000000..fb0ca9d
--- /dev/null
@@ -0,0 +1,281 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Mike Christie <mchristi@redhat.com>
+Date: Mon, 27 Aug 2018 14:45:16 -0500
+Subject: scsi: iscsi: target: Fix conn_ops double free
+
+From: Mike Christie <mchristi@redhat.com>
+
+[ Upstream commit 05a86e78ea9823ec25b3515db078dd8a76fc263c ]
+
+If iscsi_login_init_conn fails it can free conn_ops.
+__iscsi_target_login_thread will then call iscsi_target_login_sess_out
+which will also free it.
+
+This fixes the problem by organizing conn allocation/setup into parts that
+are needed through the life of the conn and parts that are only needed for
+the login. The free functions then release what was allocated in the alloc
+functions.
+
+With this patch we have:
+
+iscsit_alloc_conn/iscsit_free_conn - allocs/frees the conn we need for the
+entire life of the conn.
+
+iscsi_login_init_conn/iscsi_target_nego_release - allocs/frees the parts
+of the conn that are only needed during login.
+
+Signed-off-by: Mike Christie <mchristi@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/iscsi/iscsi_target.c       |    9 -
+ drivers/target/iscsi/iscsi_target_login.c |  141 +++++++++++++++---------------
+ drivers/target/iscsi/iscsi_target_login.h |    2 
+ 3 files changed, 77 insertions(+), 75 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4211,22 +4211,15 @@ int iscsit_close_connection(
+               crypto_free_ahash(tfm);
+       }
+-      free_cpumask_var(conn->conn_cpumask);
+-
+-      kfree(conn->conn_ops);
+-      conn->conn_ops = NULL;
+-
+       if (conn->sock)
+               sock_release(conn->sock);
+       if (conn->conn_transport->iscsit_free_conn)
+               conn->conn_transport->iscsit_free_conn(conn);
+-      iscsit_put_transport(conn->conn_transport);
+-
+       pr_debug("Moving to TARG_CONN_STATE_FREE.\n");
+       conn->conn_state = TARG_CONN_STATE_FREE;
+-      kfree(conn);
++      iscsit_free_conn(conn);
+       spin_lock_bh(&sess->conn_lock);
+       atomic_dec(&sess->nconn);
+--- a/drivers/target/iscsi/iscsi_target_login.c
++++ b/drivers/target/iscsi/iscsi_target_login.c
+@@ -67,45 +67,10 @@ static struct iscsi_login *iscsi_login_i
+               goto out_req_buf;
+       }
+-      conn->conn_ops = kzalloc(sizeof(struct iscsi_conn_ops), GFP_KERNEL);
+-      if (!conn->conn_ops) {
+-              pr_err("Unable to allocate memory for"
+-                      " struct iscsi_conn_ops.\n");
+-              goto out_rsp_buf;
+-      }
+-
+-      init_waitqueue_head(&conn->queues_wq);
+-      INIT_LIST_HEAD(&conn->conn_list);
+-      INIT_LIST_HEAD(&conn->conn_cmd_list);
+-      INIT_LIST_HEAD(&conn->immed_queue_list);
+-      INIT_LIST_HEAD(&conn->response_queue_list);
+-      init_completion(&conn->conn_post_wait_comp);
+-      init_completion(&conn->conn_wait_comp);
+-      init_completion(&conn->conn_wait_rcfr_comp);
+-      init_completion(&conn->conn_waiting_on_uc_comp);
+-      init_completion(&conn->conn_logout_comp);
+-      init_completion(&conn->rx_half_close_comp);
+-      init_completion(&conn->tx_half_close_comp);
+-      init_completion(&conn->rx_login_comp);
+-      spin_lock_init(&conn->cmd_lock);
+-      spin_lock_init(&conn->conn_usage_lock);
+-      spin_lock_init(&conn->immed_queue_lock);
+-      spin_lock_init(&conn->nopin_timer_lock);
+-      spin_lock_init(&conn->response_queue_lock);
+-      spin_lock_init(&conn->state_lock);
+-
+-      if (!zalloc_cpumask_var(&conn->conn_cpumask, GFP_KERNEL)) {
+-              pr_err("Unable to allocate conn->conn_cpumask\n");
+-              goto out_conn_ops;
+-      }
+       conn->conn_login = login;
+       return login;
+-out_conn_ops:
+-      kfree(conn->conn_ops);
+-out_rsp_buf:
+-      kfree(login->rsp_buf);
+ out_req_buf:
+       kfree(login->req_buf);
+ out_login:
+@@ -1155,6 +1120,75 @@ iscsit_conn_set_transport(struct iscsi_c
+       return 0;
+ }
++static struct iscsi_conn *iscsit_alloc_conn(struct iscsi_np *np)
++{
++      struct iscsi_conn *conn;
++
++      conn = kzalloc(sizeof(struct iscsi_conn), GFP_KERNEL);
++      if (!conn) {
++              pr_err("Could not allocate memory for new connection\n");
++              return NULL;
++      }
++      pr_debug("Moving to TARG_CONN_STATE_FREE.\n");
++      conn->conn_state = TARG_CONN_STATE_FREE;
++
++      init_waitqueue_head(&conn->queues_wq);
++      INIT_LIST_HEAD(&conn->conn_list);
++      INIT_LIST_HEAD(&conn->conn_cmd_list);
++      INIT_LIST_HEAD(&conn->immed_queue_list);
++      INIT_LIST_HEAD(&conn->response_queue_list);
++      init_completion(&conn->conn_post_wait_comp);
++      init_completion(&conn->conn_wait_comp);
++      init_completion(&conn->conn_wait_rcfr_comp);
++      init_completion(&conn->conn_waiting_on_uc_comp);
++      init_completion(&conn->conn_logout_comp);
++      init_completion(&conn->rx_half_close_comp);
++      init_completion(&conn->tx_half_close_comp);
++      init_completion(&conn->rx_login_comp);
++      spin_lock_init(&conn->cmd_lock);
++      spin_lock_init(&conn->conn_usage_lock);
++      spin_lock_init(&conn->immed_queue_lock);
++      spin_lock_init(&conn->nopin_timer_lock);
++      spin_lock_init(&conn->response_queue_lock);
++      spin_lock_init(&conn->state_lock);
++
++      timer_setup(&conn->nopin_response_timer,
++                  iscsit_handle_nopin_response_timeout, 0);
++      timer_setup(&conn->nopin_timer, iscsit_handle_nopin_timeout, 0);
++
++      if (iscsit_conn_set_transport(conn, np->np_transport) < 0)
++              goto free_conn;
++
++      conn->conn_ops = kzalloc(sizeof(struct iscsi_conn_ops), GFP_KERNEL);
++      if (!conn->conn_ops) {
++              pr_err("Unable to allocate memory for struct iscsi_conn_ops.\n");
++              goto put_transport;
++      }
++
++      if (!zalloc_cpumask_var(&conn->conn_cpumask, GFP_KERNEL)) {
++              pr_err("Unable to allocate conn->conn_cpumask\n");
++              goto free_mask;
++      }
++
++      return conn;
++
++free_mask:
++      free_cpumask_var(conn->conn_cpumask);
++put_transport:
++      iscsit_put_transport(conn->conn_transport);
++free_conn:
++      kfree(conn);
++      return NULL;
++}
++
++void iscsit_free_conn(struct iscsi_conn *conn)
++{
++      free_cpumask_var(conn->conn_cpumask);
++      kfree(conn->conn_ops);
++      iscsit_put_transport(conn->conn_transport);
++      kfree(conn);
++}
++
+ void iscsi_target_login_sess_out(struct iscsi_conn *conn,
+               struct iscsi_np *np, bool zero_tsih, bool new_sess)
+ {
+@@ -1208,10 +1242,6 @@ old_sess_out:
+               crypto_free_ahash(tfm);
+       }
+-      free_cpumask_var(conn->conn_cpumask);
+-
+-      kfree(conn->conn_ops);
+-
+       if (conn->param_list) {
+               iscsi_release_param_list(conn->param_list);
+               conn->param_list = NULL;
+@@ -1229,8 +1259,7 @@ old_sess_out:
+       if (conn->conn_transport->iscsit_free_conn)
+               conn->conn_transport->iscsit_free_conn(conn);
+-      iscsit_put_transport(conn->conn_transport);
+-      kfree(conn);
++      iscsit_free_conn(conn);
+ }
+ static int __iscsi_target_login_thread(struct iscsi_np *np)
+@@ -1260,31 +1289,16 @@ static int __iscsi_target_login_thread(s
+       }
+       spin_unlock_bh(&np->np_thread_lock);
+-      conn = kzalloc(sizeof(struct iscsi_conn), GFP_KERNEL);
++      conn = iscsit_alloc_conn(np);
+       if (!conn) {
+-              pr_err("Could not allocate memory for"
+-                      " new connection\n");
+               /* Get another socket */
+               return 1;
+       }
+-      pr_debug("Moving to TARG_CONN_STATE_FREE.\n");
+-      conn->conn_state = TARG_CONN_STATE_FREE;
+-
+-      timer_setup(&conn->nopin_response_timer,
+-                  iscsit_handle_nopin_response_timeout, 0);
+-      timer_setup(&conn->nopin_timer, iscsit_handle_nopin_timeout, 0);
+-
+-      if (iscsit_conn_set_transport(conn, np->np_transport) < 0) {
+-              kfree(conn);
+-              return 1;
+-      }
+       rc = np->np_transport->iscsit_accept_np(np, conn);
+       if (rc == -ENOSYS) {
+               complete(&np->np_restart_comp);
+-              iscsit_put_transport(conn->conn_transport);
+-              kfree(conn);
+-              conn = NULL;
++              iscsit_free_conn(conn);
+               goto exit;
+       } else if (rc < 0) {
+               spin_lock_bh(&np->np_thread_lock);
+@@ -1292,17 +1306,13 @@ static int __iscsi_target_login_thread(s
+                       np->np_thread_state = ISCSI_NP_THREAD_ACTIVE;
+                       spin_unlock_bh(&np->np_thread_lock);
+                       complete(&np->np_restart_comp);
+-                      iscsit_put_transport(conn->conn_transport);
+-                      kfree(conn);
+-                      conn = NULL;
++                      iscsit_free_conn(conn);
+                       /* Get another socket */
+                       return 1;
+               }
+               spin_unlock_bh(&np->np_thread_lock);
+-              iscsit_put_transport(conn->conn_transport);
+-              kfree(conn);
+-              conn = NULL;
+-              goto out;
++              iscsit_free_conn(conn);
++              return 1;
+       }
+       /*
+        * Perform the remaining iSCSI connection initialization items..
+@@ -1452,7 +1462,6 @@ old_sess_out:
+               tpg_np = NULL;
+       }
+-out:
+       return 1;
+ exit:
+--- a/drivers/target/iscsi/iscsi_target_login.h
++++ b/drivers/target/iscsi/iscsi_target_login.h
+@@ -19,7 +19,7 @@ extern int iscsi_target_setup_login_sock
+ extern int iscsit_accept_np(struct iscsi_np *, struct iscsi_conn *);
+ extern int iscsit_get_login_rx(struct iscsi_conn *, struct iscsi_login *);
+ extern int iscsit_put_login_tx(struct iscsi_conn *, struct iscsi_login *, u32);
+-extern void iscsit_free_conn(struct iscsi_np *, struct iscsi_conn *);
++extern void iscsit_free_conn(struct iscsi_conn *);
+ extern int iscsit_start_kthreads(struct iscsi_conn *);
+ extern void iscsi_post_login_handler(struct iscsi_np *, struct iscsi_conn *, u8);
+ extern void iscsi_target_login_sess_out(struct iscsi_conn *, struct iscsi_np *,
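Review bot: In `iscsit_alloc_conn()` the failure branch of `zalloc_cpumask_var()` jumps to `free_mask`, which calls `free_cpumask_var()` on the mask that was just not allocated and then falls through to `put_transport` without releasing `conn->conn_ops`. The ops structure allocated a few lines earlier therefore leaks on that path, and the function runs once per accepted connection in `__iscsi_target_login_thread()`. The unwind label should undo the previous successful step: rename it to `free_conn_ops:` with the body `kfree(conn->conn_ops);` and point the cpumask failure at it. A short comment above `iscsit_alloc_conn()` and `iscsit_free_conn()` stating that they own `conn_ops`, `conn_cpumask` and the transport reference would keep the alloc/free pairing from the commit message visible in the code.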
diff --git a/queue-4.18/scsi-iscsi-target-set-conn-sess-to-null-when-iscsi_login_set_conn_values-fails.patch b/queue-4.18/scsi-iscsi-target-set-conn-sess-to-null-when-iscsi_login_set_conn_values-fails.patch
new file mode 100644 (file)
index 0000000..eff7472
--- /dev/null
@@ -0,0 +1,105 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Vincent Pelletier <plr.vincent@gmail.com>
+Date: Mon, 27 Aug 2018 14:45:15 -0500
+Subject: scsi: iscsi: target: Set conn->sess to NULL when iscsi_login_set_conn_values fails
+
+From: Vincent Pelletier <plr.vincent@gmail.com>
+
+[ Upstream commit 7915919bb94e12460c58e27c708472e6f85f6699 ]
+
+Fixes a use-after-free reported by KASAN when later
+iscsi_target_login_sess_out gets called and it tries to access
+conn->sess->se_sess:
+
+Disabling lock debugging due to kernel taint
+iSCSI Login timeout on Network Portal [::]:3260
+iSCSI Login negotiation failed.
+==================================================================
+BUG: KASAN: use-after-free in
+iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod]
+Read of size 8 at addr ffff880109d070c8 by task iscsi_np/980
+
+CPU: 1 PID: 980 Comm: iscsi_np Tainted: G           O
+4.17.8kasan.sess.connops+ #4
+Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB,
+BIOS 5.6.5 05/19/2014
+Call Trace:
+ dump_stack+0x71/0xac
+ print_address_description+0x65/0x22e
+ ? iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod]
+ kasan_report.cold.6+0x241/0x2fd
+ iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod]
+ iscsi_target_login_thread+0x1086/0x1710 [iscsi_target_mod]
+ ? __sched_text_start+0x8/0x8
+ ? iscsi_target_login_sess_out+0x250/0x250 [iscsi_target_mod]
+ ? __kthread_parkme+0xcc/0x100
+ ? parse_args.cold.14+0xd3/0xd3
+ ? iscsi_target_login_sess_out+0x250/0x250 [iscsi_target_mod]
+ kthread+0x1a0/0x1c0
+ ? kthread_bind+0x30/0x30
+ ret_from_fork+0x35/0x40
+
+Allocated by task 980:
+ kasan_kmalloc+0xbf/0xe0
+ kmem_cache_alloc_trace+0x112/0x210
+ iscsi_target_login_thread+0x816/0x1710 [iscsi_target_mod]
+ kthread+0x1a0/0x1c0
+ ret_from_fork+0x35/0x40
+
+Freed by task 980:
+ __kasan_slab_free+0x125/0x170
+ kfree+0x90/0x1d0
+ iscsi_target_login_thread+0x1577/0x1710 [iscsi_target_mod]
+ kthread+0x1a0/0x1c0
+ ret_from_fork+0x35/0x40
+
+The buggy address belongs to the object at ffff880109d06f00
+ which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 456 bytes inside of
+ 512-byte region [ffff880109d06f00, ffff880109d07100)
+The buggy address belongs to the page:
+page:ffffea0004274180 count:1 mapcount:0 mapping:0000000000000000
+index:0x0 compound_mapcount: 0
+flags: 0x17fffc000008100(slab|head)
+raw: 017fffc000008100 0000000000000000 0000000000000000 00000001000c000c
+raw: dead000000000100 dead000000000200 ffff88011b002e00 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff880109d06f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff880109d07000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff880109d07080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                                              ^
+ ffff880109d07100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff880109d07180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+==================================================================
+
+Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
+[rebased against idr/ida changes and to handle ret review comments from Matthew]
+Signed-off-by: Mike Christie <mchristi@redhat.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Reviewed-by: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/iscsi/iscsi_target_login.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_login.c
++++ b/drivers/target/iscsi/iscsi_target_login.c
+@@ -310,11 +310,9 @@ static int iscsi_login_zero_tsih_s1(
+               return -ENOMEM;
+       }
+-      ret = iscsi_login_set_conn_values(sess, conn, pdu->cid);
+-      if (unlikely(ret)) {
+-              kfree(sess);
+-              return ret;
+-      }
++      if (iscsi_login_set_conn_values(sess, conn, pdu->cid))
++              goto free_sess;
++
+       sess->init_task_tag     = pdu->itt;
+       memcpy(&sess->isid, pdu->isid, 6);
+       sess->exp_cmd_sn        = be32_to_cpu(pdu->cmdsn);
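Review bot: The replacement branch jumps to `free_sess`, but this patch adds neither that label nor any `conn->sess = NULL` assignment, so the fix named in the subject depends entirely on code outside the hunk. Please confirm that the 4.18 tree already has a `free_sess:` label in `iscsi_login_zero_tsih_s1()` that does both `kfree(sess);` and `conn->sess = NULL;`. If it only frees, `iscsi_target_login_sess_out()` can still read the stale pointer shown in the KASAN report, and if the label is absent the file will not build. The branch also stops returning `ret` from `iscsi_login_set_conn_values()`, so the error code seen by the caller becomes whatever the label returns. The function body continues outside the hunk.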
diff --git a/queue-4.18/scsi-qedi-add-the-crc-size-within-iscsi-nvm-image.patch b/queue-4.18/scsi-qedi-add-the-crc-size-within-iscsi-nvm-image.patch
new file mode 100644 (file)
index 0000000..de26b64
--- /dev/null
@@ -0,0 +1,117 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Nilesh Javali <nilesh.javali@cavium.com>
+Date: Wed, 29 Aug 2018 23:55:53 -0700
+Subject: scsi: qedi: Add the CRC size within iSCSI NVM image
+
+From: Nilesh Javali <nilesh.javali@cavium.com>
+
+[ Upstream commit c77a2fa3ff8f73d1a485e67e6f81c64823739d59 ]
+
+The QED driver commit, 1ac4329a1cff ("qed: Add configuration information
+to register dump and debug data"), removes the CRC length validation
+causing nvm_get_image failure while loading qedi driver:
+
+[qed_mcp_get_nvm_image:2700(host_10-0)]Image [0] is too big - 00006008 bytes
+where only 00006004 are available
+[qedi_get_boot_info:2253]:10: Could not get NVM image. ret = -12
+
+Hence add and adjust the CRC size to iSCSI NVM image to read boot info at
+qedi load time.
+
+Signed-off-by: Nilesh Javali <nilesh.javali@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qedi/qedi.h      |    7 ++++++-
+ drivers/scsi/qedi/qedi_main.c |   28 +++++++++++++++-------------
+ 2 files changed, 21 insertions(+), 14 deletions(-)
+
+--- a/drivers/scsi/qedi/qedi.h
++++ b/drivers/scsi/qedi/qedi.h
+@@ -77,6 +77,11 @@ enum qedi_nvm_tgts {
+       QEDI_NVM_TGT_SEC,
+ };
++struct qedi_nvm_iscsi_image {
++      struct nvm_iscsi_cfg iscsi_cfg;
++      u32 crc;
++};
++
+ struct qedi_uio_ctrl {
+       /* meta data */
+       u32 uio_hsi_version;
+@@ -294,7 +299,7 @@ struct qedi_ctx {
+       void *bdq_pbl_list;
+       dma_addr_t bdq_pbl_list_dma;
+       u8 bdq_pbl_list_num_entries;
+-      struct nvm_iscsi_cfg *iscsi_cfg;
++      struct qedi_nvm_iscsi_image *iscsi_image;
+       dma_addr_t nvm_buf_dma;
+       void __iomem *bdq_primary_prod;
+       void __iomem *bdq_secondary_prod;
+--- a/drivers/scsi/qedi/qedi_main.c
++++ b/drivers/scsi/qedi/qedi_main.c
+@@ -1346,23 +1346,26 @@ exit_setup_int:
+ static void qedi_free_nvm_iscsi_cfg(struct qedi_ctx *qedi)
+ {
+-      if (qedi->iscsi_cfg)
++      if (qedi->iscsi_image)
+               dma_free_coherent(&qedi->pdev->dev,
+-                                sizeof(struct nvm_iscsi_cfg),
+-                                qedi->iscsi_cfg, qedi->nvm_buf_dma);
++                                sizeof(struct qedi_nvm_iscsi_image),
++                                qedi->iscsi_image, qedi->nvm_buf_dma);
+ }
+ static int qedi_alloc_nvm_iscsi_cfg(struct qedi_ctx *qedi)
+ {
+-      qedi->iscsi_cfg = dma_zalloc_coherent(&qedi->pdev->dev,
+-                                           sizeof(struct nvm_iscsi_cfg),
+-                                           &qedi->nvm_buf_dma, GFP_KERNEL);
+-      if (!qedi->iscsi_cfg) {
++      struct qedi_nvm_iscsi_image nvm_image;
++
++      qedi->iscsi_image = dma_zalloc_coherent(&qedi->pdev->dev,
++                                              sizeof(nvm_image),
++                                              &qedi->nvm_buf_dma,
++                                              GFP_KERNEL);
++      if (!qedi->iscsi_image) {
+               QEDI_ERR(&qedi->dbg_ctx, "Could not allocate NVM BUF.\n");
+               return -ENOMEM;
+       }
+       QEDI_INFO(&qedi->dbg_ctx, QEDI_LOG_INFO,
+-                "NVM BUF addr=0x%p dma=0x%llx.\n", qedi->iscsi_cfg,
++                "NVM BUF addr=0x%p dma=0x%llx.\n", qedi->iscsi_image,
+                 qedi->nvm_buf_dma);
+       return 0;
+@@ -1905,7 +1908,7 @@ qedi_get_nvram_block(struct qedi_ctx *qe
+       struct nvm_iscsi_block *block;
+       pf = qedi->dev_info.common.abs_pf_id;
+-      block = &qedi->iscsi_cfg->block[0];
++      block = &qedi->iscsi_image->iscsi_cfg.block[0];
+       for (i = 0; i < NUM_OF_ISCSI_PF_SUPPORTED; i++, block++) {
+               flags = ((block->id) & NVM_ISCSI_CFG_BLK_CTRL_FLAG_MASK) >>
+                       NVM_ISCSI_CFG_BLK_CTRL_FLAG_OFFSET;
+@@ -2194,15 +2197,14 @@ static void qedi_boot_release(void *data
+ static int qedi_get_boot_info(struct qedi_ctx *qedi)
+ {
+       int ret = 1;
+-      u16 len;
+-
+-      len = sizeof(struct nvm_iscsi_cfg);
++      struct qedi_nvm_iscsi_image nvm_image;
+       QEDI_INFO(&qedi->dbg_ctx, QEDI_LOG_INFO,
+                 "Get NVM iSCSI CFG image\n");
+       ret = qedi_ops->common->nvm_get_image(qedi->cdev,
+                                             QED_NVM_IMAGE_ISCSI_CFG,
+-                                            (char *)qedi->iscsi_cfg, len);
++                                            (char *)qedi->iscsi_image,
++                                            sizeof(nvm_image));
+       if (ret)
+               QEDI_ERR(&qedi->dbg_ctx,
+                        "Could not get NVM image. ret = %d\n", ret);
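Review bot: `qedi_alloc_nvm_iscsi_cfg()` and `qedi_get_boot_info()` each declare a local `struct qedi_nvm_iscsi_image nvm_image` that is used only as the operand of `sizeof`. The log in the commit message reports the image as 0x6008 bytes, so a build that does not discard the unused object would reserve a buffer of roughly that size on the kernel stack. The size can be taken without an object, as `qedi_free_nvm_iscsi_cfg()` already does with `sizeof(struct qedi_nvm_iscsi_image)`, or as `sizeof(*qedi->iscsi_image)`. Using one spelling in all three places also keeps the allocation size, the length passed to `nvm_get_image()` and the free size visibly tied together, since a mismatch between them would over-run the DMA buffer.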
index 99a3032c840d6d106b56c25063e9a3ad9858dd97..af1221be1e2bc0f87f47655ca08a41e2b9a2b1c9 100644 (file)
@@ -76,3 +76,68 @@ firmware-arm_scmi-fix-divide-by-zero-when-sustained_perf_level-is-zero.patch
 afs-fix-cell-specification-to-permit-an-empty-address-list.patch
 mm-madvise-madv_dodump-allow-hugetlbfs-pages.patch
 bpf-32-bit-rsh-verification-must-truncate-input-before-the-alu-op.patch
+netfilter-xt_cluster-add-dependency-on-conntrack-module.patch
+netfilter-xt_checksum-ignore-gso-skbs.patch
+hid-intel-ish-hid-enable-sunrise-point-h-ish-driver.patch
+hid-add-support-for-apple-magic-keyboards.patch
+usb-gadget-fotg210-udc-fix-memory-leak-of-fotg210-ep.patch
+pinctrl-msm-really-mask-level-interrupts-to-prevent-latching.patch
+hid-hid-saitek-add-device-id-for-rat-7-contagion.patch
+scsi-iscsi-target-set-conn-sess-to-null-when-iscsi_login_set_conn_values-fails.patch
+scsi-iscsi-target-fix-conn_ops-double-free.patch
+scsi-qedi-add-the-crc-size-within-iscsi-nvm-image.patch
+perf-annotate-properly-interpret-indirect-call.patch
+perf-evsel-fix-potential-null-pointer-dereference-in-perf_evsel__new_idx.patch
+perf-util-fix-bad-memory-access-in-trace-info.patch
+perf-probe-powerpc-ignore-sys-symbols-irrespective-of-endianness.patch
+perf-annotate-fix-parsing-aarch64-branch-instructions-after-objdump-update.patch
+netfilter-kconfig-nat-related-expression-depend-on-nftables-core.patch
+netfilter-nf_tables-release-chain-in-flushing-set.patch
+revert-iio-temperature-maxim_thermocouple-add-max31856-part.patch
+iio-imu-st_lsm6dsx-take-into-account-ts-samples-in-wm-configuration.patch
+rdma-ucma-check-fd-type-in-ucma_migrate_id.patch
+riscv-do-not-overwrite-initrd_start-and-initrd_end.patch
+hid-sensor-hub-restore-fixup-for-lenovo-thinkpad-helix-2-sensor-hub-report.patch
+usb-host-xhci-plat-iterate-over-parent-nodes-for-finding-quirks.patch
+usb-yurex-check-for-truncation-in-yurex_read.patch
+nvmet-rdma-fix-possible-bogus-dereference-under-heavy-load.patch
+bnxt_re-fix-couple-of-memory-leaks-that-could-lead-to-iommu-call-traces.patch
+net-mlx5-consider-pci-domain-in-search-for-next-dev.patch
+hid-i2c-hid-don-t-reset-device-upon-system-resume.patch
+dm-raid-fix-reshape-race-on-small-devices.patch
+drm-nouveau-fix-oops-in-client-init-failure-path.patch
+drm-nouveau-mmu-don-t-attempt-to-dereference-vmm-without-valid-instance-pointer.patch
+drm-nouveau-tbddevinit-don-t-fail-when-pmu-pre_os-is-missing-from-vbios.patch
+drm-nouveau-disp-fix-dp-disable-race.patch
+drm-nouveau-disp-gm200-enforce-identity-mapped-sor-assignment-for-lvds-edp-panels.patch
+dm-raid-fix-stripe-adding-reshape-deadlock.patch
+dm-raid-fix-rebuild-of-specific-devices-by-updating-superblock.patch
+dm-raid-fix-raid-leg-rebuild-errors.patch
+r8169-set-txconfig-register-after-tx-rx-is-enabled-just-like-rxconfig.patch
+fs-cifs-suppress-a-string-overflow-warning.patch
+net-ena-fix-surprise-unplug-null-dereference-kernel-crash.patch
+net-ena-fix-driver-when-page_size-64kb.patch
+net-ena-fix-device-destruction-to-gracefully-free-resources.patch
+net-ena-fix-potential-double-ena_destroy_device.patch
+net-ena-fix-missing-lock-during-device-destruction.patch
+net-ena-fix-missing-calls-to-read_once.patch
+perf-x86-intel-add-support-quirk-for-the-mispredict-bit-on-knights-landing-cpus.patch
+sched-topology-set-correct-numa-topology-type.patch
+dm-thin-metadata-try-to-avoid-ever-aborting-transactions.patch
+netfilter-conntrack-timeout-interface-depend-on-config_nf_conntrack_timeout.patch
+netfilter-nfnetlink_queue-solve-the-nfqueue-conntrack-clash-for-nf_repeat.patch
+netfilter-xt_hashlimit-use-s-file-instead-of-s-private.patch
+arch-hexagon-fix-kernel-dma.c-build-warning.patch
+hexagon-modify-ffs-and-fls-to-return-int.patch
+drm-amdgpu-fix-sdma-hang-in-prt-mode-v2.patch
+arm64-jump_label.h-use-asm_volatile_goto-macro-instead-of-asm-goto.patch
+drm-amdgpu-fix-error-handling-in-amdgpu_cs_user_fence_chunk.patch
+r8169-clear-rtl_flag_task_-_pending-when-clearing-rtl_flag_task_enabled.patch
+s390-qeth-use-vzalloc-for-query-oat-buffer.patch
+s390-qeth-don-t-dump-past-end-of-unknown-hw-header.patch
+cifs-read-overflow-in-is_valid_oplock_break.patch
+asm-generic-io-fix-ioport_map-for-config_generic_iomap-config_indirect_pio.patch
+xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch
+xen-avoid-crash-in-disable_hotplug_cpu.patch
+xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch
+x86-apm-fix-build-warning-when-proc_fs-is-not-enabled.patch
diff --git a/queue-4.18/usb-gadget-fotg210-udc-fix-memory-leak-of-fotg210-ep.patch b/queue-4.18/usb-gadget-fotg210-udc-fix-memory-leak-of-fotg210-ep.patch
new file mode 100644 (file)
index 0000000..72df138
--- /dev/null
@@ -0,0 +1,87 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Tue, 7 Aug 2018 14:44:48 +0300
+Subject: usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i]
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+[ Upstream commit c37bd52836296ecc9a0fc8060b819089aebdbcde ]
+
+There is no deallocation of fotg210->ep[i] elements, allocated at
+fotg210_udc_probe.
+
+The patch adds deallocation of fotg210->ep array elements and simplifies
+error path of fotg210_udc_probe().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/fotg210-udc.c |   15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/gadget/udc/fotg210-udc.c
++++ b/drivers/usb/gadget/udc/fotg210-udc.c
+@@ -1063,12 +1063,15 @@ static const struct usb_gadget_ops fotg2
+ static int fotg210_udc_remove(struct platform_device *pdev)
+ {
+       struct fotg210_udc *fotg210 = platform_get_drvdata(pdev);
++      int i;
+       usb_del_gadget_udc(&fotg210->gadget);
+       iounmap(fotg210->reg);
+       free_irq(platform_get_irq(pdev, 0), fotg210);
+       fotg210_ep_free_request(&fotg210->ep[0]->ep, fotg210->ep0_req);
++      for (i = 0; i < FOTG210_MAX_NUM_EP; i++)
++              kfree(fotg210->ep[i]);
+       kfree(fotg210);
+       return 0;
+@@ -1099,7 +1102,7 @@ static int fotg210_udc_probe(struct plat
+       /* initialize udc */
+       fotg210 = kzalloc(sizeof(struct fotg210_udc), GFP_KERNEL);
+       if (fotg210 == NULL)
+-              goto err_alloc;
++              goto err;
+       for (i = 0; i < FOTG210_MAX_NUM_EP; i++) {
+               _ep[i] = kzalloc(sizeof(struct fotg210_ep), GFP_KERNEL);
+@@ -1111,7 +1114,7 @@ static int fotg210_udc_probe(struct plat
+       fotg210->reg = ioremap(res->start, resource_size(res));
+       if (fotg210->reg == NULL) {
+               pr_err("ioremap error.\n");
+-              goto err_map;
++              goto err_alloc;
+       }
+       spin_lock_init(&fotg210->lock);
+@@ -1159,7 +1162,7 @@ static int fotg210_udc_probe(struct plat
+       fotg210->ep0_req = fotg210_ep_alloc_request(&fotg210->ep[0]->ep,
+                               GFP_KERNEL);
+       if (fotg210->ep0_req == NULL)
+-              goto err_req;
++              goto err_map;
+       fotg210_init(fotg210);
+@@ -1187,12 +1190,14 @@ err_req:
+       fotg210_ep_free_request(&fotg210->ep[0]->ep, fotg210->ep0_req);
+ err_map:
+-      if (fotg210->reg)
+-              iounmap(fotg210->reg);
++      iounmap(fotg210->reg);
+ err_alloc:
++      for (i = 0; i < FOTG210_MAX_NUM_EP; i++)
++              kfree(fotg210->ep[i]);
+       kfree(fotg210);
++err:
+       return ret;
+ }
diff --git a/queue-4.18/usb-host-xhci-plat-iterate-over-parent-nodes-for-finding-quirks.patch b/queue-4.18/usb-host-xhci-plat-iterate-over-parent-nodes-for-finding-quirks.patch
new file mode 100644 (file)
index 0000000..933124e
--- /dev/null
@@ -0,0 +1,75 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Anurag Kumar Vulisha <anurag.kumar.vulisha@xilinx.com>
+Date: Fri, 31 Aug 2018 17:24:42 +0300
+Subject: usb: host: xhci-plat: Iterate over parent nodes for finding quirks
+
+From: Anurag Kumar Vulisha <anurag.kumar.vulisha@xilinx.com>
+
+[ Upstream commit 222471f7640d9771a993218d825d84825adc805d ]
+
+In xhci_plat_probe() both sysdev and pdev->dev are being used
+for finding quirks. There are some drivers(like dwc3 host.c)
+which adds quirks(like usb3-lpm-capable) into pdev and the logic
+present in xhci_plat_probe() checks for quirks in either sysdev
+or pdev for finding the quirks. Because of this logic, some of
+the quirks are getting missed(usb3-lpm-capable quirk added by dwc3
+host.c driver is getting missed).This patch fixes this by iterating
+over all the available parents for finding the quirks. In this way
+all the quirks which are present in child or parent are correctly
+updated.
+
+Signed-off-by: Anurag Kumar Vulisha <anurag.kumar.vulisha@xilinx.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-plat.c |   27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -152,7 +152,7 @@ static int xhci_plat_probe(struct platfo
+ {
+       const struct xhci_plat_priv *priv_match;
+       const struct hc_driver  *driver;
+-      struct device           *sysdev;
++      struct device           *sysdev, *tmpdev;
+       struct xhci_hcd         *xhci;
+       struct resource         *res;
+       struct usb_hcd          *hcd;
+@@ -272,19 +272,24 @@ static int xhci_plat_probe(struct platfo
+               goto disable_clk;
+       }
+-      if (device_property_read_bool(sysdev, "usb2-lpm-disable"))
+-              xhci->quirks |= XHCI_HW_LPM_DISABLE;
++      /* imod_interval is the interrupt moderation value in nanoseconds. */
++      xhci->imod_interval = 40000;
+-      if (device_property_read_bool(sysdev, "usb3-lpm-capable"))
+-              xhci->quirks |= XHCI_LPM_SUPPORT;
++      /* Iterate over all parent nodes for finding quirks */
++      for (tmpdev = &pdev->dev; tmpdev; tmpdev = tmpdev->parent) {
+-      if (device_property_read_bool(&pdev->dev, "quirk-broken-port-ped"))
+-              xhci->quirks |= XHCI_BROKEN_PORT_PED;
++              if (device_property_read_bool(tmpdev, "usb2-lpm-disable"))
++                      xhci->quirks |= XHCI_HW_LPM_DISABLE;
+-      /* imod_interval is the interrupt moderation value in nanoseconds. */
+-      xhci->imod_interval = 40000;
+-      device_property_read_u32(sysdev, "imod-interval-ns",
+-                               &xhci->imod_interval);
++              if (device_property_read_bool(tmpdev, "usb3-lpm-capable"))
++                      xhci->quirks |= XHCI_LPM_SUPPORT;
++
++              if (device_property_read_bool(tmpdev, "quirk-broken-port-ped"))
++                      xhci->quirks |= XHCI_BROKEN_PORT_PED;
++
++              device_property_read_u32(tmpdev, "imod-interval-ns",
++                                       &xhci->imod_interval);
++      }
+       hcd->usb_phy = devm_usb_get_phy_by_phandle(sysdev, "usb-phy", 0);
+       if (IS_ERR(hcd->usb_phy)) {
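Review bot: The new loop calls `device_property_read_u32(tmpdev, "imod-interval-ns", &xhci->imod_interval)` at every level from `&pdev->dev` upwards, so when more than one ancestor carries the property the most distant one is written last and overrides the device's own setting. If the nearest node is meant to take precedence, stop reading the interval after the first hit (for example with a flag guarding the call) and state the rule in the loop comment: `/* Walk up from pdev: boolean quirks accumulate, nearest imod-interval-ns wins */`. The walk also has no upper bound, so properties on ancestors beyond `sysdev` can now set quirks; whether that is intended cannot be told from this hunk. `xhci_plat_probe()` starts and ends outside the hunk.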
diff --git a/queue-4.18/usb-yurex-check-for-truncation-in-yurex_read.patch b/queue-4.18/usb-yurex-check-for-truncation-in-yurex_read.patch
new file mode 100644 (file)
index 0000000..dbd41b5
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Wed, 15 Aug 2018 21:45:37 +0100
+Subject: USB: yurex: Check for truncation in yurex_read()
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+[ Upstream commit 14427b86837a4baf1c121934c6599bdb67dfa9fc ]
+
+snprintf() always returns the full length of the string it could have
+printed, even if it was truncated because the buffer was too small.
+So in case the counter value is truncated, we will over-read from
+in_buffer and over-write to the caller's buffer.
+
+I don't think it's actually possible for this to happen, but in case
+truncation occurs, WARN and return -EIO.
+
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/misc/yurex.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/misc/yurex.c
++++ b/drivers/usb/misc/yurex.c
+@@ -413,6 +413,9 @@ static ssize_t yurex_read(struct file *f
+       spin_unlock_irqrestore(&dev->lock, flags);
+       mutex_unlock(&dev->io_mutex);
++      if (WARN_ON_ONCE(len >= sizeof(in_buffer)))
++              return -EIO;
++
+       return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);
+ }
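Review bot: The new `WARN_ON_ONCE(len >= sizeof(in_buffer))` guard in yurex_read() rejects a truncated length only after the fact, while the snprintf() call that produces `len` sits above the hunk and is left as it was. Formatting with `scnprintf()` there would cap `len` at the bytes actually stored, so the length handed to simple_read_from_buffer() could not exceed `in_buffer` even if this check were later moved or dropped. If the WARN is kept, a comment such as `/* snprintf() reports the untruncated length; never use it as a copy size */` would record why it exists. yurex_read() starts outside the hunk, so the type of `len` and the format call are taken from the commit message rather than from visible code.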
diff --git a/queue-4.18/x86-apm-fix-build-warning-when-proc_fs-is-not-enabled.patch b/queue-4.18/x86-apm-fix-build-warning-when-proc_fs-is-not-enabled.patch
new file mode 100644 (file)
index 0000000..621f735
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Fri, 14 Sep 2018 15:10:29 -0700
+Subject: x86/APM: Fix build warning when PROC_FS is not enabled
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 002b87d2aace62b4f3841c3aa43309d2380092be ]
+
+Fix build warning in apm_32.c when CONFIG_PROC_FS is not enabled:
+
+../arch/x86/kernel/apm_32.c:1643:12: warning: 'proc_apm_show' defined but not used [-Wunused-function]
+ static int proc_apm_show(struct seq_file *m, void *v)
+
+Fixes: 3f3942aca6da ("proc: introduce proc_create_single{,_data}")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Cc: Jiri Kosina <jikos@kernel.org>
+Link: https://lkml.kernel.org/r/be39ac12-44c2-4715-247f-4dcc3c525b8b@infradead.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/apm_32.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/apm_32.c
++++ b/arch/x86/kernel/apm_32.c
+@@ -1640,6 +1640,7 @@ static int do_open(struct inode *inode,
+       return 0;
+ }
++#ifdef CONFIG_PROC_FS
+ static int proc_apm_show(struct seq_file *m, void *v)
+ {
+       unsigned short  bx;
+@@ -1719,6 +1720,7 @@ static int proc_apm_show(struct seq_file
+                  units);
+       return 0;
+ }
++#endif
+ static int apm(void *unused)
+ {
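Review bot: The `#endif` added after proc_apm_show() closes a conditional opened roughly eighty lines earlier and carries no label. Writing it as `#endif /* CONFIG_PROC_FS */` would keep the pairing visible to anyone editing between the two. Both inner hunks cut through proc_apm_show(), so the body between them is not shown here.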
diff --git a/queue-4.18/xen-avoid-crash-in-disable_hotplug_cpu.patch b/queue-4.18/xen-avoid-crash-in-disable_hotplug_cpu.patch
new file mode 100644 (file)
index 0000000..4667525
--- /dev/null
@@ -0,0 +1,83 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Olaf Hering <olaf@aepfle.de>
+Date: Fri, 7 Sep 2018 16:31:35 +0200
+Subject: xen: avoid crash in disable_hotplug_cpu
+
+From: Olaf Hering <olaf@aepfle.de>
+
+[ Upstream commit 3366cdb6d350d95466ee430ac50f3c8415ca8f46 ]
+
+The command 'xl vcpu-set 0 0', issued in dom0, will crash dom0:
+
+BUG: unable to handle kernel NULL pointer dereference at 00000000000002d8
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP NOPTI
+CPU: 7 PID: 65 Comm: xenwatch Not tainted 4.19.0-rc2-1.ga9462db-default #1 openSUSE Tumbleweed (unreleased)
+Hardware name: Intel Corporation S5520UR/S5520UR, BIOS S5500.86B.01.00.0050.050620101605 05/06/2010
+RIP: e030:device_offline+0x9/0xb0
+Code: 77 24 00 e9 ce fe ff ff 48 8b 13 e9 68 ff ff ff 48 8b 13 e9 29 ff ff ff 48 8b 13 e9 ea fe ff ff 90 66 66 66 66 90 41 54 55 53 <f6> 87 d8 02 00 00 01 0f 85 88 00 00 00 48 c7 c2 20 09 60 81 31 f6
+RSP: e02b:ffffc90040f27e80 EFLAGS: 00010203
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: ffff8801f3800000 RSI: ffffc90040f27e70 RDI: 0000000000000000
+RBP: 0000000000000000 R08: ffffffff820e47b3 R09: 0000000000000000
+R10: 0000000000007ff0 R11: 0000000000000000 R12: ffffffff822e6d30
+R13: dead000000000200 R14: dead000000000100 R15: ffffffff8158b4e0
+FS:  00007ffa595158c0(0000) GS:ffff8801f39c0000(0000) knlGS:0000000000000000
+CS:  e033 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000000002d8 CR3: 00000001d9602000 CR4: 0000000000002660
+Call Trace:
+ handle_vcpu_hotplug_event+0xb5/0xc0
+ xenwatch_thread+0x80/0x140
+ ? wait_woken+0x80/0x80
+ kthread+0x112/0x130
+ ? kthread_create_worker_on_cpu+0x40/0x40
+ ret_from_fork+0x3a/0x50
+
+This happens because handle_vcpu_hotplug_event is called twice. In the
+first iteration cpu_present is still true, in the second iteration
+cpu_present is false which causes get_cpu_device to return NULL.
+In case of cpu#0, cpu_online is apparently always true.
+
+Fix this crash by checking if the cpu can be hotplugged, which is false
+for a cpu that was just removed.
+
+Also check if the cpu was actually offlined by device_remove, otherwise
+leave the cpu_present state as it is.
+
+Rearrange to code to do all work with device_hotplug_lock held.
+
+Signed-off-by: Olaf Hering <olaf@aepfle.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/cpu_hotplug.c |   15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/xen/cpu_hotplug.c
++++ b/drivers/xen/cpu_hotplug.c
+@@ -19,15 +19,16 @@ static void enable_hotplug_cpu(int cpu)
+ static void disable_hotplug_cpu(int cpu)
+ {
+-      if (cpu_online(cpu)) {
+-              lock_device_hotplug();
++      if (!cpu_is_hotpluggable(cpu))
++              return;
++      lock_device_hotplug();
++      if (cpu_online(cpu))
+               device_offline(get_cpu_device(cpu));
+-              unlock_device_hotplug();
+-      }
+-      if (cpu_present(cpu))
++      if (!cpu_online(cpu) && cpu_present(cpu)) {
+               xen_arch_unregister_cpu(cpu);
+-
+-      set_cpu_present(cpu, false);
++              set_cpu_present(cpu, false);
++      }
++      unlock_device_hotplug();
+ }
+ static int vcpu_online(unsigned int cpu)
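Review bot: The `cpu_is_hotpluggable(cpu)` test in disable_hotplug_cpu() runs before `lock_device_hotplug()`, although the description says all work is meant to happen with device_hotplug_lock held. The result of `get_cpu_device(cpu)` is also still passed to device_offline() unchecked. If anything can unregister the CPU device between the test and the lock (not visible here), the NULL dereference from the quoted oops stays reachable. Taking the lock first and leaving through a single unlock label closes that window. The ignored return value of device_offline() appears to be covered by the `!cpu_online(cpu)` re-check that follows.

```c
static void disable_hotplug_cpu(int cpu)
{
	lock_device_hotplug();
	/* Decide under the lock so the CPU device cannot vanish after the test. */
	if (!cpu_is_hotpluggable(cpu))
		goto out;
	/* … unchanged: offline the CPU, then unregister it once it is offline … */
out:
	unlock_device_hotplug();
}
```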
diff --git a/queue-4.18/xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch b/queue-4.18/xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch
new file mode 100644 (file)
index 0000000..b6ccfce
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Josh Abraham <j.abraham1776@gmail.com>
+Date: Wed, 12 Sep 2018 15:13:54 -1000
+Subject: xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage
+
+From: Josh Abraham <j.abraham1776@gmail.com>
+
+[ Upstream commit 4dca864b59dd150a221730775e2f21f49779c135 ]
+
+This patch removes duplicate macro useage in events_base.c.
+
+It also fixes gcc warning:
+variable ‘col’ set but not used [-Wunused-but-set-variable]
+
+Signed-off-by: Joshua Abraham <j.abraham1776@gmail.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/events/events_base.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -138,7 +138,7 @@ static int set_evtchn_to_irq(unsigned ev
+               clear_evtchn_to_irq_row(row);
+       }
+-      evtchn_to_irq[EVTCHN_ROW(evtchn)][EVTCHN_COL(evtchn)] = irq;
++      evtchn_to_irq[row][col] = irq;
+       return 0;
+ }
diff --git a/queue-4.18/xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch b/queue-4.18/xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch
new file mode 100644 (file)
index 0000000..6518dc0
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Mon Oct  8 17:39:53 CEST 2018
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Thu, 6 Sep 2018 13:26:08 +0200
+Subject: xen/manage: don't complain about an empty value in control/sysrq node
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+[ Upstream commit 87dffe86d406bee8782cac2db035acb9a28620a7 ]
+
+When guest receives a sysrq request from the host it acknowledges it by
+writing '\0' to control/sysrq xenstore node. This, however, make xenstore
+watch fire again but xenbus_scanf() fails to parse empty value with "%c"
+format string:
+
+ sysrq: SysRq : Emergency Sync
+ Emergency Sync complete
+ xen:manage: Error -34 reading sysrq code in control/sysrq
+
+Ignore -ERANGE the same way we already ignore -ENOENT, empty value in
+control/sysrq is totally legal.
+
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Reviewed-by: Wei Liu <wei.liu2@citrix.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/manage.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/manage.c
++++ b/drivers/xen/manage.c
+@@ -280,9 +280,11 @@ static void sysrq_handler(struct xenbus_
+               /*
+                * The Xenstore watch fires directly after registering it and
+                * after a suspend/resume cycle. So ENOENT is no error but
+-               * might happen in those cases.
++               * might happen in those cases. ERANGE is observed when we get
++               * an empty value (''), this happens when we acknowledge the
++               * request by writing '\0' below.
+                */
+-              if (err != -ENOENT)
++              if (err != -ENOENT && err != -ERANGE)
+                       pr_err("Error %d reading sysrq code in control/sysrq\n",
+                              err);
+               xenbus_transaction_end(xbt, 1);