--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Timo Wischer <twischer@de.adit-jv.com>
+Date: Tue, 10 Jul 2018 17:28:45 +0200
+Subject: ALSA: pcm: Fix snd_interval_refine first/last with open min/max
+
+From: Timo Wischer <twischer@de.adit-jv.com>
+
+[ Upstream commit ff2d6acdf6f13d9f8fdcd890844c6d7535ac1f10 ]
+
+Without this commit the following intervals [x y), (x y) were be
+replaced to (y-1 y) by snd_interval_refine_last(). This was also done
+if y-1 is part of the previous interval.
+With this changes it will be replaced with [y-1 y) in case of y-1 is
+part of the previous interval. A similar behavior will be used for
+snd_interval_refine_first().
+
+This commit adapts the changes for alsa-lib of commit
+9bb985c ("pcm: snd_interval_refine_first/last: exclude value only if
+also excluded before")
+
+Signed-off-by: Timo Wischer <twischer@de.adit-jv.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/pcm_lib.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -626,27 +626,33 @@ EXPORT_SYMBOL(snd_interval_refine);
+
+ static int snd_interval_refine_first(struct snd_interval *i)
+ {
++ const unsigned int last_max = i->max;
++
+ if (snd_BUG_ON(snd_interval_empty(i)))
+ return -EINVAL;
+ if (snd_interval_single(i))
+ return 0;
+ i->max = i->min;
+- i->openmax = i->openmin;
+- if (i->openmax)
++ if (i->openmin)
+ i->max++;
++ /* only exclude max value if also excluded before refine */
++ i->openmax = (i->openmax && i->max >= last_max);
+ return 1;
+ }
+
+ static int snd_interval_refine_last(struct snd_interval *i)
+ {
++ const unsigned int last_min = i->min;
++
+ if (snd_BUG_ON(snd_interval_empty(i)))
+ return -EINVAL;
+ if (snd_interval_single(i))
+ return 0;
+ i->min = i->max;
+- i->openmin = i->openmax;
+- if (i->openmin)
++ if (i->openmax)
+ i->min--;
++ /* only exclude min value if also excluded before refine */
++ i->openmin = (i->openmin && i->min <= last_min);
+ return 1;
+ }
+
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Thu, 12 Jul 2018 11:28:23 +0200
+Subject: ARM: hisi: check of_iomap and fix missing of_node_put
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit 81646a3d39ef14749301374a3a0b8311384cd412 ]
+
+of_find_compatible_node() returns a device node with refcount incremented
+and thus needs an explicit of_node_put(). Further relying on an unchecked
+of_iomap() which can return NULL is problematic here, after all ctrl_base
+is critical enough for hix5hd2_set_cpu() to call BUG() if not available
+so a check seems mandated here.
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+0002 Fixes: commit 06cc5c1d4d73 ("ARM: hisi: enable hix5hd2 SoC")
+Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-hisi/hotplug.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/mach-hisi/hotplug.c
++++ b/arch/arm/mach-hisi/hotplug.c
+@@ -180,11 +180,15 @@ static bool hix5hd2_hotplug_init(void)
+ struct device_node *np;
+
+ np = of_find_compatible_node(NULL, NULL, "hisilicon,cpuctrl");
+- if (np) {
+- ctrl_base = of_iomap(np, 0);
+- return true;
+- }
+- return false;
++ if (!np)
++ return false;
++
++ ctrl_base = of_iomap(np, 0);
++ of_node_put(np);
++ if (!ctrl_base)
++ return false;
++
++ return true;
+ }
+
+ void hix5hd2_set_cpu(int cpu, bool enable)
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Thu, 12 Jul 2018 11:28:22 +0200
+Subject: ARM: hisi: fix error handling and missing of_node_put
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit 9f30b5ae0585ca5234fe979294b8f897299dec99 ]
+
+of_iomap() can return NULL which seems critical here and thus should be
+explicitly flagged so that the cause of system halting can be understood.
+As of_find_compatible_node() is returning a device node with refcount
+incremented it must be explicitly decremented here.
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Fixes: commit 7fda91e73155 ("ARM: hisi: enable smp for HiP01")
+Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-hisi/hotplug.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/mach-hisi/hotplug.c
++++ b/arch/arm/mach-hisi/hotplug.c
+@@ -226,10 +226,10 @@ void hip01_set_cpu(int cpu, bool enable)
+
+ if (!ctrl_base) {
+ np = of_find_compatible_node(NULL, NULL, "hisilicon,hip01-sysctrl");
+- if (np)
+- ctrl_base = of_iomap(np, 0);
+- else
+- BUG();
++ BUG_ON(!np);
++ ctrl_base = of_iomap(np, 0);
++ of_node_put(np);
++ BUG_ON(!ctrl_base);
+ }
+
+ if (enable) {
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Thu, 12 Jul 2018 11:28:24 +0200
+Subject: ARM: hisi: handle of_iomap and fix missing of_node_put
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit d396cb185c0337aae5664b250cdd9a73f6eb1503 ]
+
+Relying on an unchecked of_iomap() which can return NULL is problematic
+here, an explicit check seems mandatory. Also the call to
+of_find_compatible_node() returns a device node with refcount incremented
+therefor an explicit of_node_put() is needed here.
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Fixes: commit 22bae4290457 ("ARM: hi3xxx: add hotplug support")
+Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-hisi/hotplug.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/arch/arm/mach-hisi/hotplug.c
++++ b/arch/arm/mach-hisi/hotplug.c
+@@ -148,13 +148,20 @@ static int hi3xxx_hotplug_init(void)
+ struct device_node *node;
+
+ node = of_find_compatible_node(NULL, NULL, "hisilicon,sysctrl");
+- if (node) {
+- ctrl_base = of_iomap(node, 0);
+- id = HI3620_CTRL;
+- return 0;
++ if (!node) {
++ id = ERROR_CTRL;
++ return -ENOENT;
+ }
+- id = ERROR_CTRL;
+- return -ENOENT;
++
++ ctrl_base = of_iomap(node, 0);
++ of_node_put(node);
++ if (!ctrl_base) {
++ id = ERROR_CTRL;
++ return -ENOMEM;
++ }
++
++ id = HI3620_CTRL;
++ return 0;
+ }
+
+ void hi3xxx_set_cpu(int cpu, bool enable)
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Ryder Lee <ryder.lee@mediatek.com>
+Date: Mon, 16 Jul 2018 22:59:09 +0800
+Subject: arm64: dts: mt7622: update a clock property for UART0
+
+From: Ryder Lee <ryder.lee@mediatek.com>
+
+[ Upstream commit 2b519747ae4859e886c37834d766fe0c7d8d82e2 ]
+
+The input clock of UART0 should be CLK_PERI_UART0_PD.
+
+Fixes: 13f36c326cef ("arm64: dts: mt7622: turn uart0 clock to real ones")
+Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/mediatek/mt7622.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/mediatek/mt7622.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt7622.dtsi
+@@ -331,7 +331,7 @@
+ reg = <0 0x11002000 0 0x400>;
+ interrupts = <GIC_SPI 91 IRQ_TYPE_LEVEL_LOW>;
+ clocks = <&topckgen CLK_TOP_UART_SEL>,
+- <&pericfg CLK_PERI_UART1_PD>;
++ <&pericfg CLK_PERI_UART0_PD>;
+ clock-names = "baud", "bus";
+ status = "disabled";
+ };
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Fri, 25 May 2018 11:10:06 +0530
+Subject: arm64: dts: uniphier: Add missing cooling device properties for CPUs
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+[ Upstream commit af0e09d0c6762e486b0eb5cc4737396964c34fad ]
+
+The cooling device properties, like "#cooling-cells" and
+"dynamic-power-coefficient", should either be present for all the CPUs
+of a cluster or none. If these are present only for a subset of CPUs of
+a cluster then things will start falling apart as soon as the CPUs are
+brought online in a different order. For example, this will happen
+because the operating system looks for such properties in the CPU node
+it is trying to bring up, so that it can register a cooling device.
+
+Add such missing properties.
+
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/socionext/uniphier-ld20.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/boot/dts/socionext/uniphier-ld20.dtsi
++++ b/arch/arm64/boot/dts/socionext/uniphier-ld20.dtsi
+@@ -58,6 +58,7 @@
+ clocks = <&sys_clk 32>;
+ enable-method = "psci";
+ operating-points-v2 = <&cluster0_opp>;
++ #cooling-cells = <2>;
+ };
+
+ cpu2: cpu@100 {
+@@ -77,6 +78,7 @@
+ clocks = <&sys_clk 33>;
+ enable-method = "psci";
+ operating-points-v2 = <&cluster1_opp>;
++ #cooling-cells = <2>;
+ };
+ };
+
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Tue, 10 Jul 2018 09:58:03 +0100
+Subject: arm64: perf: Disable PMU while processing counter overflows
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+[ Upstream commit 3cce50dfec4a5b0414c974190940f47dd32c6dee ]
+
+The arm64 PMU updates the event counters and reprograms the
+counters in the overflow IRQ handler without disabling the
+PMU. This could potentially cause skews in for group counters,
+where the overflowed counters may potentially loose some event
+counts, while they are reprogrammed. To prevent this, disable
+the PMU while we process the counter overflows and enable it
+right back when we are done.
+
+This patch also moves the PMU stop/start routines to avoid a
+forward declaration.
+
+Suggested-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/perf_event.c | 50 ++++++++++++++++++++++-------------------
+ 1 file changed, 28 insertions(+), 22 deletions(-)
+
+--- a/arch/arm64/kernel/perf_event.c
++++ b/arch/arm64/kernel/perf_event.c
+@@ -670,6 +670,28 @@ static void armv8pmu_disable_event(struc
+ raw_spin_unlock_irqrestore(&events->pmu_lock, flags);
+ }
+
++static void armv8pmu_start(struct arm_pmu *cpu_pmu)
++{
++ unsigned long flags;
++ struct pmu_hw_events *events = this_cpu_ptr(cpu_pmu->hw_events);
++
++ raw_spin_lock_irqsave(&events->pmu_lock, flags);
++ /* Enable all counters */
++ armv8pmu_pmcr_write(armv8pmu_pmcr_read() | ARMV8_PMU_PMCR_E);
++ raw_spin_unlock_irqrestore(&events->pmu_lock, flags);
++}
++
++static void armv8pmu_stop(struct arm_pmu *cpu_pmu)
++{
++ unsigned long flags;
++ struct pmu_hw_events *events = this_cpu_ptr(cpu_pmu->hw_events);
++
++ raw_spin_lock_irqsave(&events->pmu_lock, flags);
++ /* Disable all counters */
++ armv8pmu_pmcr_write(armv8pmu_pmcr_read() & ~ARMV8_PMU_PMCR_E);
++ raw_spin_unlock_irqrestore(&events->pmu_lock, flags);
++}
++
+ static irqreturn_t armv8pmu_handle_irq(struct arm_pmu *cpu_pmu)
+ {
+ u32 pmovsr;
+@@ -694,6 +716,11 @@ static irqreturn_t armv8pmu_handle_irq(s
+ */
+ regs = get_irq_regs();
+
++ /*
++ * Stop the PMU while processing the counter overflows
++ * to prevent skews in group events.
++ */
++ armv8pmu_stop(cpu_pmu);
+ for (idx = 0; idx < cpu_pmu->num_events; ++idx) {
+ struct perf_event *event = cpuc->events[idx];
+ struct hw_perf_event *hwc;
+@@ -718,6 +745,7 @@ static irqreturn_t armv8pmu_handle_irq(s
+ if (perf_event_overflow(event, &data, regs))
+ cpu_pmu->disable(event);
+ }
++ armv8pmu_start(cpu_pmu);
+
+ /*
+ * Handle the pending perf events.
+@@ -731,28 +759,6 @@ static irqreturn_t armv8pmu_handle_irq(s
+ return IRQ_HANDLED;
+ }
+
+-static void armv8pmu_start(struct arm_pmu *cpu_pmu)
+-{
+- unsigned long flags;
+- struct pmu_hw_events *events = this_cpu_ptr(cpu_pmu->hw_events);
+-
+- raw_spin_lock_irqsave(&events->pmu_lock, flags);
+- /* Enable all counters */
+- armv8pmu_pmcr_write(armv8pmu_pmcr_read() | ARMV8_PMU_PMCR_E);
+- raw_spin_unlock_irqrestore(&events->pmu_lock, flags);
+-}
+-
+-static void armv8pmu_stop(struct arm_pmu *cpu_pmu)
+-{
+- unsigned long flags;
+- struct pmu_hw_events *events = this_cpu_ptr(cpu_pmu->hw_events);
+-
+- raw_spin_lock_irqsave(&events->pmu_lock, flags);
+- /* Disable all counters */
+- armv8pmu_pmcr_write(armv8pmu_pmcr_read() & ~ARMV8_PMU_PMCR_E);
+- raw_spin_unlock_irqrestore(&events->pmu_lock, flags);
+-}
+-
+ static int armv8pmu_get_event_idx(struct pmu_hw_events *cpuc,
+ struct perf_event *event)
+ {
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Sat, 14 Jul 2018 16:01:06 +0100
+Subject: ASoC: hdmi-codec: fix routing
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit d30e23d69981a4b665f5ce8711335df986576389 ]
+
+Commit 943fa0228252 ("ASoC: hdmi-codec: Use different name for playback
+streams") broke hdmi-codec's routing between it's output "TX" widget
+and the S/PDIF or I2S streams by renaming the streams.
+
+Whether an error occurs or not is dependent on whether there is another
+widget called "Playback" registered by some other component - if there
+is, that widget will be (incorrectly) bound to the HDMI codec's "TX"
+output widget. If we end up connecting "TX" incorrectly, it can result
+in components not being started, causing no audio output.
+
+Since the I2S and S/PDIF streams now have different names, we can't
+use a static route at component level to describe the relationship, so
+arrange to dynamically create the route when the DAI driver is probed.
+
+Fixes: 943fa0228252 ("ASoC: hdmi-codec: Use different name for playback streams")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/hdmi-codec.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+--- a/sound/soc/codecs/hdmi-codec.c
++++ b/sound/soc/codecs/hdmi-codec.c
+@@ -291,10 +291,6 @@ static const struct snd_soc_dapm_widget
+ SND_SOC_DAPM_OUTPUT("TX"),
+ };
+
+-static const struct snd_soc_dapm_route hdmi_routes[] = {
+- { "TX", NULL, "Playback" },
+-};
+-
+ enum {
+ DAI_ID_I2S = 0,
+ DAI_ID_SPDIF,
+@@ -689,9 +685,23 @@ static int hdmi_codec_pcm_new(struct snd
+ return snd_ctl_add(rtd->card->snd_card, kctl);
+ }
+
++static int hdmi_dai_probe(struct snd_soc_dai *dai)
++{
++ struct snd_soc_dapm_context *dapm;
++ struct snd_soc_dapm_route route = {
++ .sink = "TX",
++ .source = dai->driver->playback.stream_name,
++ };
++
++ dapm = snd_soc_component_get_dapm(dai->component);
++
++ return snd_soc_dapm_add_routes(dapm, &route, 1);
++}
++
+ static const struct snd_soc_dai_driver hdmi_i2s_dai = {
+ .name = "i2s-hifi",
+ .id = DAI_ID_I2S,
++ .probe = hdmi_dai_probe,
+ .playback = {
+ .stream_name = "I2S Playback",
+ .channels_min = 2,
+@@ -707,6 +717,7 @@ static const struct snd_soc_dai_driver h
+ static const struct snd_soc_dai_driver hdmi_spdif_dai = {
+ .name = "spdif-hifi",
+ .id = DAI_ID_SPDIF,
++ .probe = hdmi_dai_probe,
+ .playback = {
+ .stream_name = "SPDIF Playback",
+ .channels_min = 2,
+@@ -733,8 +744,6 @@ static int hdmi_of_xlate_dai_id(struct s
+ static const struct snd_soc_component_driver hdmi_driver = {
+ .dapm_widgets = hdmi_widgets,
+ .num_dapm_widgets = ARRAY_SIZE(hdmi_widgets),
+- .dapm_routes = hdmi_routes,
+- .num_dapm_routes = ARRAY_SIZE(hdmi_routes),
+ .of_xlate_dai_id = hdmi_of_xlate_dai_id,
+ .idle_bias_on = 1,
+ .use_pmdown_time = 1,
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 13 Jul 2018 18:05:57 +0300
+Subject: ASoC: qdsp6: q6afe-dai: fix a range check in of_q6afe_parse_dai_data()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit b8110a87b75f948d978c06e130cc68026645c4a1 ]
+
+The main thing is that the data->priv[] array has AFE_PORT_MAX elements
+so the > condition should be >=. But we may as well check for negative
+values as well just to be safe.
+
+Fixes: 24c4cbcfac09 ("ASoC: qdsp6: q6afe: Add q6afe dai driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6afe-dai.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/qcom/qdsp6/q6afe-dai.c
++++ b/sound/soc/qcom/qdsp6/q6afe-dai.c
+@@ -1180,7 +1180,7 @@ static void of_q6afe_parse_dai_data(stru
+ int id, i, num_lines;
+
+ ret = of_property_read_u32(node, "reg", &id);
+- if (ret || id > AFE_PORT_MAX) {
++ if (ret || id < 0 || id >= AFE_PORT_MAX) {
+ dev_err(dev, "valid dai id not found:%d\n", ret);
+ continue;
+ }
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 5 Jul 2018 00:59:31 +0200
+Subject: ASoC: rt5651: Fix workqueue cancel vs irq free race on remove
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 8d2d7bcdc1645dc243f7735278675b083c0e506c ]
+
+On removal we must free the IRQ *before* cancelling the jack-detect work,
+so that the jack-detect work cannot be rescheduled by the IRQ.
+
+Before this commit we were cancelling the jack-detect work from the
+driver remove callback, while relying on devm to free the IRQ, which
+happens after the remove callback.
+
+This is the wrong order. This commit uses a devm-action to register
+a devm callback which cancels the work, before requesting the IRQ
+(devm tears things down in reverse order). This also allows us to
+remove the now empty remove driver callback.
+
+Cc: Carlo Caione <carlo@endlessm.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/rt5651.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/sound/soc/codecs/rt5651.c
++++ b/sound/soc/codecs/rt5651.c
+@@ -1696,6 +1696,13 @@ static irqreturn_t rt5651_irq(int irq, v
+ return IRQ_HANDLED;
+ }
+
++static void rt5651_cancel_work(void *data)
++{
++ struct rt5651_priv *rt5651 = data;
++
++ cancel_work_sync(&rt5651->jack_detect_work);
++}
++
+ static int rt5651_set_jack(struct snd_soc_component *component,
+ struct snd_soc_jack *hp_jack, void *data)
+ {
+@@ -2036,6 +2043,11 @@ static int rt5651_i2c_probe(struct i2c_c
+
+ INIT_WORK(&rt5651->jack_detect_work, rt5651_jack_detect_work);
+
++ /* Make sure work is stopped on probe-error / remove */
++ ret = devm_add_action_or_reset(&i2c->dev, rt5651_cancel_work, rt5651);
++ if (ret)
++ return ret;
++
+ ret = devm_snd_soc_register_component(&i2c->dev,
+ &soc_component_dev_rt5651,
+ rt5651_dai, ARRAY_SIZE(rt5651_dai));
+@@ -2043,15 +2055,6 @@ static int rt5651_i2c_probe(struct i2c_c
+ return ret;
+ }
+
+-static int rt5651_i2c_remove(struct i2c_client *i2c)
+-{
+- struct rt5651_priv *rt5651 = i2c_get_clientdata(i2c);
+-
+- cancel_work_sync(&rt5651->jack_detect_work);
+-
+- return 0;
+-}
+-
+ static struct i2c_driver rt5651_i2c_driver = {
+ .driver = {
+ .name = "rt5651",
+@@ -2059,7 +2062,6 @@ static struct i2c_driver rt5651_i2c_driv
+ .of_match_table = of_match_ptr(rt5651_of_match),
+ },
+ .probe = rt5651_i2c_probe,
+- .remove = rt5651_i2c_remove,
+ .id_table = rt5651_i2c_id,
+ };
+ module_i2c_driver(rt5651_i2c_driver);
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Ronny Chevalier <ronny.chevalier@hp.com>
+Date: Wed, 11 Jul 2018 14:39:37 +0200
+Subject: audit: fix use-after-free in audit_add_watch
+
+From: Ronny Chevalier <ronny.chevalier@hp.com>
+
+[ Upstream commit baa2a4fdd525c8c4b0f704d20457195b29437839 ]
+
+audit_add_watch stores locally krule->watch without taking a reference
+on watch. Then, it calls audit_add_to_parent, and uses the watch stored
+locally.
+
+Unfortunately, it is possible that audit_add_to_parent updates
+krule->watch.
+When it happens, it also drops a reference of watch which
+could free the watch.
+
+How to reproduce (with KASAN enabled):
+
+ auditctl -w /etc/passwd -F success=0 -k test_passwd
+ auditctl -w /etc/passwd -F success=1 -k test_passwd2
+
+The second call to auditctl triggers the use-after-free, because
+audit_to_parent updates krule->watch to use a previous existing watch
+and drops the reference to the newly created watch.
+
+To fix the issue, we grab a reference of watch and we release it at the
+end of the function.
+
+Signed-off-by: Ronny Chevalier <ronny.chevalier@hp.com>
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/audit_watch.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/kernel/audit_watch.c
++++ b/kernel/audit_watch.c
+@@ -419,6 +419,13 @@ int audit_add_watch(struct audit_krule *
+ struct path parent_path;
+ int h, ret = 0;
+
++ /*
++ * When we will be calling audit_add_to_parent, krule->watch might have
++ * been updated and watch might have been freed.
++ * So we need to keep a reference of watch.
++ */
++ audit_get_watch(watch);
++
+ mutex_unlock(&audit_filter_mutex);
+
+ /* Avoid calling path_lookup under audit_filter_mutex. */
+@@ -427,8 +434,10 @@ int audit_add_watch(struct audit_krule *
+ /* caller expects mutex locked */
+ mutex_lock(&audit_filter_mutex);
+
+- if (ret)
++ if (ret) {
++ audit_put_watch(watch);
+ return ret;
++ }
+
+ /* either find an old parent or attach a new one */
+ parent = audit_find_parent(d_backing_inode(parent_path.dentry));
+@@ -446,6 +455,7 @@ int audit_add_watch(struct audit_krule *
+ *list = &audit_inode_hash[h];
+ error:
+ path_put(&parent_path);
++ audit_put_watch(watch);
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: "Maciej W. Rozycki" <macro@mips.com>
+Date: Tue, 15 May 2018 23:32:45 +0100
+Subject: binfmt_elf: Respect error return from `regset->active'
+
+From: "Maciej W. Rozycki" <macro@mips.com>
+
+[ Upstream commit 2f819db565e82e5f73cd42b39925098986693378 ]
+
+The regset API documented in <linux/regset.h> defines -ENODEV as the
+result of the `->active' handler to be used where the feature requested
+is not available on the hardware found. However code handling core file
+note generation in `fill_thread_core_info' interpretes any non-zero
+result from the `->active' handler as the regset requested being active.
+Consequently processing continues (and hopefully gracefully fails later
+on) rather than being abandoned right away for the regset requested.
+
+Fix the problem then by making the code proceed only if a positive
+result is returned from the `->active' handler.
+
+Signed-off-by: Maciej W. Rozycki <macro@mips.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: 4206d3aa1978 ("elf core dump: notes user_regset")
+Patchwork: https://patchwork.linux-mips.org/patch/19332/
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-fsdevel@vger.kernel.org
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/binfmt_elf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -1751,7 +1751,7 @@ static int fill_thread_core_info(struct
+ const struct user_regset *regset = &view->regsets[i];
+ do_thread_regset_writeback(t->task, regset);
+ if (regset->core_note_type && regset->get &&
+- (!regset->active || regset->active(t->task, regset))) {
++ (!regset->active || regset->active(t->task, regset) > 0)) {
+ int ret;
+ size_t size = regset_size(t->task, regset);
+ void *data = kmalloc(size, GFP_KERNEL);
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Ming Lei <ming.lei@redhat.com>
+Date: Mon, 25 Jun 2018 19:31:49 +0800
+Subject: blk-mq: avoid to synchronize rcu inside blk_cleanup_queue()
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 1311326cf4755c7ffefd20f576144ecf46d9906b ]
+
+SCSI probing may synchronously create and destroy a lot of request_queues
+for non-existent devices. Any synchronize_rcu() in queue creation or
+destroy path may introduce long latency during booting, see detailed
+description in comment of blk_register_queue().
+
+This patch removes one synchronize_rcu() inside blk_cleanup_queue()
+for this case, commit c2856ae2f315d75(blk-mq: quiesce queue before freeing queue)
+needs synchronize_rcu() for implementing blk_mq_quiesce_queue(), but
+when queue isn't initialized, it isn't necessary to do that since
+only pass-through requests are involved, no original issue in
+scsi_execute() at all.
+
+Without this patch and previous one, it may take more 20+ seconds for
+virtio-scsi to complete disk probe. With the two patches, the time becomes
+less than 100ms.
+
+Fixes: c2856ae2f315d75 ("blk-mq: quiesce queue before freeing queue")
+Reported-by: Andrew Jones <drjones@redhat.com>
+Cc: Omar Sandoval <osandov@fb.com>
+Cc: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: linux-scsi@vger.kernel.org
+Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Tested-by: Andrew Jones <drjones@redhat.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -791,9 +791,13 @@ void blk_cleanup_queue(struct request_qu
+ * make sure all in-progress dispatch are completed because
+ * blk_freeze_queue() can only complete all requests, and
+ * dispatch may still be in-progress since we dispatch requests
+- * from more than one contexts
++ * from more than one contexts.
++ *
++ * No need to quiesce queue if it isn't initialized yet since
++ * blk_freeze_queue() should be enough for cases of passthrough
++ * request.
+ */
+- if (q->mq_ops)
++ if (q->mq_ops && blk_queue_init_done(q))
+ blk_mq_quiesce_queue(q);
+
+ /* for synchronous bio-based driver finish in-flight integrity i/o */
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Ming Lei <ming.lei@redhat.com>
+Date: Mon, 2 Jul 2018 17:35:59 +0800
+Subject: blk-mq: only attempt to merge bio if there is rq in sw queue
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit b04f50ab8a74129b3041a2836c33c916be3c6667 ]
+
+Only attempt to merge bio iff the ctx->rq_list isn't empty, because:
+
+1) for high-performance SSD, most of times dispatch may succeed, then
+there may be nothing left in ctx->rq_list, so don't try to merge over
+sw queue if it is empty, then we can save one acquiring of ctx->lock
+
+2) we can't expect good merge performance on per-cpu sw queue, and missing
+one merge on sw queue won't be a big deal since tasks can be scheduled from
+one CPU to another.
+
+Cc: Laurence Oberman <loberman@redhat.com>
+Cc: Omar Sandoval <osandov@fb.com>
+Cc: Bart Van Assche <bart.vanassche@wdc.com>
+Tested-by: Kashyap Desai <kashyap.desai@broadcom.com>
+Reported-by: Kashyap Desai <kashyap.desai@broadcom.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq-sched.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/block/blk-mq-sched.c
++++ b/block/blk-mq-sched.c
+@@ -339,7 +339,8 @@ bool __blk_mq_sched_bio_merge(struct req
+ return e->type->ops.mq.bio_merge(hctx, bio);
+ }
+
+- if (hctx->flags & BLK_MQ_F_SHOULD_MERGE) {
++ if ((hctx->flags & BLK_MQ_F_SHOULD_MERGE) &&
++ !list_empty_careful(&ctx->rq_list)) {
+ /* default per sw-queue merge */
+ spin_lock(&ctx->lock);
+ ret = blk_mq_attempt_merge(q, ctx, bio);
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Fri, 6 Jul 2018 20:49:19 -0700
+Subject: block/DAC960.c: fix defined but not used build warnings
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 3993e501bf853cce85c5114a704b86b8f486790c ]
+
+Fix build warnings in DAC960.c when CONFIG_PROC_FS is not enabled
+by marking the unused functions as __maybe_unused.
+
+../drivers/block/DAC960.c:6429:12: warning: 'dac960_proc_show' defined but not used [-Wunused-function]
+../drivers/block/DAC960.c:6449:12: warning: 'dac960_initial_status_proc_show' defined but not used [-Wunused-function]
+../drivers/block/DAC960.c:6456:12: warning: 'dac960_current_status_proc_show' defined but not used [-Wunused-function]
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: linux-block@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/DAC960.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/DAC960.c
++++ b/drivers/block/DAC960.c
+@@ -21,6 +21,7 @@
+ #define DAC960_DriverDate "21 Aug 2007"
+
+
++#include <linux/compiler.h>
+ #include <linux/module.h>
+ #include <linux/types.h>
+ #include <linux/miscdevice.h>
+@@ -6426,7 +6427,7 @@ static bool DAC960_V2_ExecuteUserCommand
+ return true;
+ }
+
+-static int dac960_proc_show(struct seq_file *m, void *v)
++static int __maybe_unused dac960_proc_show(struct seq_file *m, void *v)
+ {
+ unsigned char *StatusMessage = "OK\n";
+ int ControllerNumber;
+@@ -6446,14 +6447,16 @@ static int dac960_proc_show(struct seq_f
+ return 0;
+ }
+
+-static int dac960_initial_status_proc_show(struct seq_file *m, void *v)
++static int __maybe_unused dac960_initial_status_proc_show(struct seq_file *m,
++ void *v)
+ {
+ DAC960_Controller_T *Controller = (DAC960_Controller_T *)m->private;
+ seq_printf(m, "%.*s", Controller->InitialStatusLength, Controller->CombinedStatusBuffer);
+ return 0;
+ }
+
+-static int dac960_current_status_proc_show(struct seq_file *m, void *v)
++static int __maybe_unused dac960_current_status_proc_show(struct seq_file *m,
++ void *v)
+ {
+ DAC960_Controller_T *Controller = (DAC960_Controller_T *) m->private;
+ unsigned char *StatusMessage =
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Philipp Puschmann <pp@emlix.com>
+Date: Tue, 17 Jul 2018 13:41:12 +0200
+Subject: Bluetooth: Use lock_sock_nested in bt_accept_enqueue
+
+From: Philipp Puschmann <pp@emlix.com>
+
+[ Upstream commit b71c69c26b4916d11b8d403d8e667bbd191f1b8f ]
+
+Fixes this warning that was provoked by a pairing:
+
+[60258.016221] WARNING: possible recursive locking detected
+[60258.021558] 4.15.0-RD1812-BSP #1 Tainted: G O
+[60258.027146] --------------------------------------------
+[60258.032464] kworker/u5:0/70 is trying to acquire lock:
+[60258.037609] (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}, at: [<87759073>] bt_accept_enqueue+0x3c/0x74
+[60258.046863]
+[60258.046863] but task is already holding lock:
+[60258.052704] (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}, at: [<d22d7106>] l2cap_sock_new_connection_cb+0x1c/0x88
+[60258.062905]
+[60258.062905] other info that might help us debug this:
+[60258.069441] Possible unsafe locking scenario:
+[60258.069441]
+[60258.075368] CPU0
+[60258.077821] ----
+[60258.080272] lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP);
+[60258.085510] lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP);
+[60258.090748]
+[60258.090748] *** DEADLOCK ***
+[60258.090748]
+[60258.096676] May be due to missing lock nesting notation
+[60258.096676]
+[60258.103472] 5 locks held by kworker/u5:0/70:
+[60258.107747] #0: ((wq_completion)%shdev->name#2){+.+.}, at: [<9460d092>] process_one_work+0x130/0x4fc
+[60258.117263] #1: ((work_completion)(&hdev->rx_work)){+.+.}, at: [<9460d092>] process_one_work+0x130/0x4fc
+[60258.126942] #2: (&conn->chan_lock){+.+.}, at: [<7877c8c3>] l2cap_connect+0x80/0x4f8
+[60258.134806] #3: (&chan->lock/2){+.+.}, at: [<2e16c724>] l2cap_connect+0x8c/0x4f8
+[60258.142410] #4: (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}, at: [<d22d7106>] l2cap_sock_new_connection_cb+0x1c/0x88
+[60258.153043]
+[60258.153043] stack backtrace:
+[60258.157413] CPU: 1 PID: 70 Comm: kworker/u5:0 Tainted: G O 4.15.0-RD1812-BSP #1
+[60258.165945] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+[60258.172485] Workqueue: hci0 hci_rx_work
+[60258.176331] Backtrace:
+[60258.178797] [<8010c9fc>] (dump_backtrace) from [<8010ccbc>] (show_stack+0x18/0x1c)
+[60258.186379] r7:80e55fe4 r6:80e55fe4 r5:20050093 r4:00000000
+[60258.192058] [<8010cca4>] (show_stack) from [<809864e8>] (dump_stack+0xb0/0xdc)
+[60258.199301] [<80986438>] (dump_stack) from [<8016ecc8>] (__lock_acquire+0xffc/0x11d4)
+[60258.207144] r9:5e2bb019 r8:630f974c r7:ba8a5940 r6:ba8a5ed8 r5:815b5220 r4:80fa081c
+[60258.214901] [<8016dccc>] (__lock_acquire) from [<8016f620>] (lock_acquire+0x78/0x98)
+[60258.222655] r10:00000040 r9:00000040 r8:808729f0 r7:00000001 r6:00000000 r5:60050013
+[60258.230491] r4:00000000
+[60258.233045] [<8016f5a8>] (lock_acquire) from [<806ee974>] (lock_sock_nested+0x64/0x88)
+[60258.240970] r7:00000000 r6:b796e870 r5:00000001 r4:b796e800
+[60258.246643] [<806ee910>] (lock_sock_nested) from [<808729f0>] (bt_accept_enqueue+0x3c/0x74)
+[60258.255004] r8:00000001 r7:ba7d3c00 r6:ba7d3ea4 r5:ba7d2000 r4:b796e800
+[60258.261717] [<808729b4>] (bt_accept_enqueue) from [<808aa39c>] (l2cap_sock_new_connection_cb+0x68/0x88)
+[60258.271117] r5:b796e800 r4:ba7d2000
+[60258.274708] [<808aa334>] (l2cap_sock_new_connection_cb) from [<808a294c>] (l2cap_connect+0x190/0x4f8)
+[60258.283933] r5:00000001 r4:ba6dce00
+[60258.287524] [<808a27bc>] (l2cap_connect) from [<808a4a14>] (l2cap_recv_frame+0x744/0x2cf8)
+[60258.295800] r10:ba6dcf24 r9:00000004 r8:b78d8014 r7:00000004 r6:bb05d000 r5:00000004
+[60258.303635] r4:bb05d008
+[60258.306183] [<808a42d0>] (l2cap_recv_frame) from [<808a7808>] (l2cap_recv_acldata+0x210/0x214)
+[60258.314805] r10:b78e7800 r9:bb05d960 r8:00000001 r7:bb05d000 r6:0000000c r5:b7957a80
+[60258.322641] r4:ba6dce00
+[60258.325188] [<808a75f8>] (l2cap_recv_acldata) from [<8087630c>] (hci_rx_work+0x35c/0x4e8)
+[60258.333374] r6:80e5743c r5:bb05d7c8 r4:b7957a80
+[60258.338004] [<80875fb0>] (hci_rx_work) from [<8013dc7c>] (process_one_work+0x1a4/0x4fc)
+[60258.346018] r10:00000001 r9:00000000 r8:baabfef8 r7:ba997500 r6:baaba800 r5:baaa5d00
+[60258.353853] r4:bb05d7c8
+[60258.356401] [<8013dad8>] (process_one_work) from [<8013e028>] (worker_thread+0x54/0x5cc)
+[60258.364503] r10:baabe038 r9:baaba834 r8:80e05900 r7:00000088 r6:baaa5d18 r5:baaba800
+[60258.372338] r4:baaa5d00
+[60258.374888] [<8013dfd4>] (worker_thread) from [<801448f8>] (kthread+0x134/0x160)
+[60258.382295] r10:ba8310b8 r9:bb07dbfc r8:8013dfd4 r7:baaa5d00 r6:00000000 r5:baaa8ac0
+[60258.390130] r4:ba831080
+[60258.392682] [<801447c4>] (kthread) from [<801080b4>] (ret_from_fork+0x14/0x20)
+[60258.399915] r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:801447c4
+[60258.407751] r4:baaa8ac0 r3:baabe000
+
+Signed-off-by: Philipp Puschmann <pp@emlix.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/af_bluetooth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -159,7 +159,7 @@ void bt_accept_enqueue(struct sock *pare
+ BT_DBG("parent %p, sk %p", parent, sk);
+
+ sock_hold(sk);
+- lock_sock(sk);
++ lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
+ list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
+ bt_sk(sk)->parent = parent;
+ release_sock(sk);
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Roman Gushchin <guro@fb.com>
+Date: Fri, 13 Jul 2018 12:41:11 -0700
+Subject: bpf: fix rcu annotations in compute_effective_progs()
+
+From: Roman Gushchin <guro@fb.com>
+
+[ Upstream commit 3960f4fd6585608e8cc285d9665821985494e147 ]
+
+The progs local variable in compute_effective_progs() is marked
+as __rcu, which is not correct. This is a local pointer, which
+is initialized by bpf_prog_array_alloc(), which also now
+returns a generic non-rcu pointer.
+
+The real rcu-protected pointer is *array (array is a pointer
+to an RCU-protected pointer), so the assignment should be performed
+using rcu_assign_pointer().
+
+Fixes: 324bda9e6c5a ("bpf: multi program support for cgroup+bpf")
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/cgroup.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/kernel/bpf/cgroup.c
++++ b/kernel/bpf/cgroup.c
+@@ -95,7 +95,7 @@ static int compute_effective_progs(struc
+ enum bpf_attach_type type,
+ struct bpf_prog_array __rcu **array)
+ {
+- struct bpf_prog_array __rcu *progs;
++ struct bpf_prog_array *progs;
+ struct bpf_prog_list *pl;
+ struct cgroup *p = cgrp;
+ int cnt = 0;
+@@ -120,13 +120,12 @@ static int compute_effective_progs(struc
+ &p->bpf.progs[type], node) {
+ if (!pl->prog)
+ continue;
+- rcu_dereference_protected(progs, 1)->
+- progs[cnt++] = pl->prog;
++ progs->progs[cnt++] = pl->prog;
+ }
+ p = cgroup_parent(p);
+ } while (p);
+
+- *array = progs;
++ rcu_assign_pointer(*array, progs);
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Mikko Perttunen <mperttunen@nvidia.com>
+Date: Fri, 29 Jun 2018 17:38:14 +0300
+Subject: clk: tegra: bpmp: Don't crash when a clock fails to register
+
+From: Mikko Perttunen <mperttunen@nvidia.com>
+
+[ Upstream commit f7b3182232c82bb9769e2d5471d702bae2972d2b ]
+
+When registering clocks, we just skip any that fail to register
+(leaving a NULL hole in the clock table). However, our of_xlate
+function still tries to dereference each entry while looking for
+the clock with the requested id, causing a crash if any clocks
+failed to register. Add a check to of_xlate to skip any NULL
+clocks.
+
+Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
+Acked-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/tegra/clk-bpmp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/clk/tegra/clk-bpmp.c
++++ b/drivers/clk/tegra/clk-bpmp.c
+@@ -586,9 +586,15 @@ static struct clk_hw *tegra_bpmp_clk_of_
+ unsigned int id = clkspec->args[0], i;
+ struct tegra_bpmp *bpmp = data;
+
+- for (i = 0; i < bpmp->num_clocks; i++)
+- if (bpmp->clocks[i]->id == id)
+- return &bpmp->clocks[i]->hw;
++ for (i = 0; i < bpmp->num_clocks; i++) {
++ struct tegra_bpmp_clk *clk = bpmp->clocks[i];
++
++ if (!clk)
++ continue;
++
++ if (clk->id == id)
++ return &clk->hw;
++ }
+
+ return NULL;
+ }
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Mike Christie <mchristi@redhat.com>
+Date: Sun, 15 Jul 2018 18:16:17 -0500
+Subject: configfs: fix registered group removal
+
+From: Mike Christie <mchristi@redhat.com>
+
+[ Upstream commit cc57c07343bd071cdf1915a91a24ab7d40c9b590 ]
+
+This patch fixes a bug where configfs_register_group had added
+a group in a tree, and userspace has done a rmdir on a dir somewhere
+above that group and we hit a kernel crash. The problem is configfs_rmdir
+will detach everything under it and unlink groups on the default_groups
+list. It will not unlink groups added with configfs_register_group so when
+configfs_unregister_group is called to drop its references to the group/items
+we crash when we try to access the freed dentrys.
+
+The patch just adds a check for if a rmdir has been done above
+us and if so just does the unlink part of unregistration.
+
+Sorry if you are getting this multiple times. I thouhgt I sent
+this to some of you and lkml, but I do not see it.
+
+Signed-off-by: Mike Christie <mchristi@redhat.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Joel Becker <jlbec@evilplan.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/configfs/dir.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/fs/configfs/dir.c
++++ b/fs/configfs/dir.c
+@@ -1777,6 +1777,16 @@ void configfs_unregister_group(struct co
+ struct dentry *dentry = group->cg_item.ci_dentry;
+ struct dentry *parent = group->cg_item.ci_parent->ci_dentry;
+
++ mutex_lock(&subsys->su_mutex);
++ if (!group->cg_item.ci_parent->ci_group) {
++ /*
++ * The parent has already been unlinked and detached
++ * due to a rmdir.
++ */
++ goto unlink_group;
++ }
++ mutex_unlock(&subsys->su_mutex);
++
+ inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);
+ spin_lock(&configfs_dirent_lock);
+ configfs_detach_prep(dentry, NULL);
+@@ -1791,6 +1801,7 @@ void configfs_unregister_group(struct co
+ dput(dentry);
+
+ mutex_lock(&subsys->su_mutex);
++unlink_group:
+ unlink_group(group);
+ mutex_unlock(&subsys->su_mutex);
+ }
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Wed, 11 Jul 2018 13:40:14 -0600
+Subject: coresight: ETM: Add support for Arm Cortex-A73 and Cortex-A35
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+[ Upstream commit 5cedd22370a0a460b663c06de1fc10b4ba3c5d0b ]
+
+Add ETM PIDs of the Arm cortex-A CPUs to the white list of ETMs.
+While at it add a helper macro to make it easier to add the new
+entries.
+
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-etm4x.c | 31 +++++++++++---------------
+ 1 file changed, 14 insertions(+), 17 deletions(-)
+
+--- a/drivers/hwtracing/coresight/coresight-etm4x.c
++++ b/drivers/hwtracing/coresight/coresight-etm4x.c
+@@ -1027,7 +1027,8 @@ static int etm4_probe(struct amba_device
+ }
+
+ pm_runtime_put(&adev->dev);
+- dev_info(dev, "%s initialized\n", (char *)id->data);
++ dev_info(dev, "CPU%d: ETM v%d.%d initialized\n",
++ drvdata->cpu, drvdata->arch >> 4, drvdata->arch & 0xf);
+
+ if (boot_enable) {
+ coresight_enable(drvdata->csdev);
+@@ -1045,23 +1046,19 @@ err_arch_supported:
+ return ret;
+ }
+
++#define ETM4x_AMBA_ID(pid) \
++ { \
++ .id = pid, \
++ .mask = 0x000fffff, \
++ }
++
+ static const struct amba_id etm4_ids[] = {
+- { /* ETM 4.0 - Cortex-A53 */
+- .id = 0x000bb95d,
+- .mask = 0x000fffff,
+- .data = "ETM 4.0",
+- },
+- { /* ETM 4.0 - Cortex-A57 */
+- .id = 0x000bb95e,
+- .mask = 0x000fffff,
+- .data = "ETM 4.0",
+- },
+- { /* ETM 4.0 - A72, Maia, HiSilicon */
+- .id = 0x000bb95a,
+- .mask = 0x000fffff,
+- .data = "ETM 4.0",
+- },
+- { 0, 0},
++ ETM4x_AMBA_ID(0x000bb95d), /* Cortex-A53 */
++ ETM4x_AMBA_ID(0x000bb95e), /* Cortex-A57 */
++ ETM4x_AMBA_ID(0x000bb95a), /* Cortex-A72 */
++ ETM4x_AMBA_ID(0x000bb959), /* Cortex-A73 */
++ ETM4x_AMBA_ID(0x000bb9da), /* Cortex-A35 */
++ {},
+ };
+
+ static struct amba_driver etm4x_driver = {
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Wed, 11 Jul 2018 13:40:28 -0600
+Subject: coresight: Handle errors in finding input/output ports
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+[ Upstream commit fe470f5f7f684ed15bc49b6183a64237547910ff ]
+
+If we fail to find the input / output port for a LINK component
+while enabling a path, we should fail gracefully rather than
+assuming port "0".
+
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwtracing/coresight/coresight.c
++++ b/drivers/hwtracing/coresight/coresight.c
+@@ -108,7 +108,7 @@ static int coresight_find_link_inport(st
+ dev_err(&csdev->dev, "couldn't find inport, parent: %s, child: %s\n",
+ dev_name(&parent->dev), dev_name(&csdev->dev));
+
+- return 0;
++ return -ENODEV;
+ }
+
+ static int coresight_find_link_outport(struct coresight_device *csdev,
+@@ -126,7 +126,7 @@ static int coresight_find_link_outport(s
+ dev_err(&csdev->dev, "couldn't find outport, parent: %s, child: %s\n",
+ dev_name(&csdev->dev), dev_name(&child->dev));
+
+- return 0;
++ return -ENODEV;
+ }
+
+ static int coresight_enable_sink(struct coresight_device *csdev, u32 mode)
+@@ -179,6 +179,9 @@ static int coresight_enable_link(struct
+ else
+ refport = 0;
+
++ if (refport < 0)
++ return refport;
++
+ if (atomic_inc_return(&csdev->refcnt[refport]) == 1) {
+ if (link_ops(csdev)->enable) {
+ ret = link_ops(csdev)->enable(csdev, inport, outport);
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Wed, 11 Jul 2018 13:40:35 -0600
+Subject: coresight: tpiu: Fix disabling timeouts
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit ccff2dfaceaca4517432f5c149594215fe9098cc ]
+
+Probing the TPIU driver under UBSan triggers an out-of-bounds shift
+warning in coresight_timeout():
+
+...
+[ 5.677530] UBSAN: Undefined behaviour in drivers/hwtracing/coresight/coresight.c:929:16
+[ 5.685542] shift exponent 64 is too large for 64-bit type 'long unsigned int'
+...
+
+On closer inspection things are exponentially out of whack because we're
+passing a bitmask where a bit number should be. Amusingly, it seems that
+both calls will find their expected values by sheer luck and appear to
+succeed: 1 << FFCR_FON_MAN ends up at bit 64 which whilst undefined
+evaluates as zero in practice, while 1 << FFSR_FT_STOPPED finds bit 2
+(TCPresent) which apparently is usually tied high.
+
+Following the examples of other drivers, define separate FOO and FOO_BIT
+macros for masks vs. indices, and put things right.
+
+CC: Robert Walker <robert.walker@arm.com>
+CC: Mike Leach <mike.leach@linaro.org>
+CC: Mathieu Poirier <mathieu.poirier@linaro.org>
+Fixes: 11595db8e17f ("coresight: Fix disabling of CoreSight TPIU")
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-tpiu.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwtracing/coresight/coresight-tpiu.c
++++ b/drivers/hwtracing/coresight/coresight-tpiu.c
+@@ -40,8 +40,9 @@
+
+ /** register definition **/
+ /* FFSR - 0x300 */
+-#define FFSR_FT_STOPPED BIT(1)
++#define FFSR_FT_STOPPED_BIT 1
+ /* FFCR - 0x304 */
++#define FFCR_FON_MAN_BIT 6
+ #define FFCR_FON_MAN BIT(6)
+ #define FFCR_STOP_FI BIT(12)
+
+@@ -86,9 +87,9 @@ static void tpiu_disable_hw(struct tpiu_
+ /* Generate manual flush */
+ writel_relaxed(FFCR_STOP_FI | FFCR_FON_MAN, drvdata->base + TPIU_FFCR);
+ /* Wait for flush to complete */
+- coresight_timeout(drvdata->base, TPIU_FFCR, FFCR_FON_MAN, 0);
++ coresight_timeout(drvdata->base, TPIU_FFCR, FFCR_FON_MAN_BIT, 0);
+ /* Wait for formatter to stop */
+- coresight_timeout(drvdata->base, TPIU_FFSR, FFSR_FT_STOPPED, 1);
++ coresight_timeout(drvdata->base, TPIU_FFSR, FFSR_FT_STOPPED_BIT, 1);
+
+ CS_LOCK(drvdata->base);
+ }
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Mon, 2 Jul 2018 18:18:03 +0900
+Subject: dmaengine: sh: rcar-dmac: avoid to write CHCR.TE to 1 if TCR is set to 0
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit 538603c6026ce769eec633bb79349f5f287519c7 ]
+
+This patch fixes an issue that unexpected retransfering happens
+if TCR is set to 0 before rcar_dmac_sync_tcr() writes DE bit to
+the CHCR register. For example, sh-sci driver can reproduce this
+issue like below:
+
+ In rx_timer_fn(): /* CHCR DE bit may be set to 1 */
+ dmaengine_tx_status()
+ rcar_dmac_tx_status()
+ rcar_dmac_chan_get_residue()
+ rcar_dmac_sync_tcr() /* TCR is possible to be set to 0 */
+
+According to the description of commit 73a47bd0da66 ("dmaengine:
+rcar-dmac: use TCRB instead of TCR for residue"), "this buffered data
+will be transferred if CHCR::DE bit was cleared". So, this patch
+doesn't need to check TCRB register.
+
+Fixes: 73a47bd0da66 ("dmaengine: rcar-dmac: use TCRB instead of TCR for residue")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/sh/rcar-dmac.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/sh/rcar-dmac.c
++++ b/drivers/dma/sh/rcar-dmac.c
+@@ -774,8 +774,9 @@ static void rcar_dmac_sync_tcr(struct rc
+ /* make sure all remaining data was flushed */
+ rcar_dmac_chcr_de_barrier(chan);
+
+- /* back DE */
+- rcar_dmac_chan_write(chan, RCAR_DMACHCR, chcr);
++ /* back DE if remain data exists */
++ if (rcar_dmac_chan_read(chan, RCAR_DMATCR))
++ rcar_dmac_chan_write(chan, RCAR_DMACHCR, chcr);
+ }
+
+ static void rcar_dmac_chan_halt(struct rcar_dmac_chan *chan)
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Eric Yang <Eric.Yang2@amd.com>
+Date: Tue, 12 Jun 2018 18:37:12 -0400
+Subject: drm/amd/display: support access ddc for mst branch
+
+From: Eric Yang <Eric.Yang2@amd.com>
+
+[ Upstream commit 0a14544661fad1606cc96aece30b2950fd9c4c81 ]
+
+[Why]
+Megachip dockings accesses ddc line through display driver when
+installing FW. Previously, we would fail every transaction because
+link attached to mst branch did not have their ddc transaction type
+set.
+
+[How]
+Set ddc transaction type when mst branch is connected.
+
+Signed-off-by: Eric Yang <Eric.Yang2@amd.com>
+Reviewed-by: Charlene Liu <Charlene.Liu@amd.com>
+Acked-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_link.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+@@ -497,6 +497,10 @@ static bool detect_dp(
+ sink_caps->signal = SIGNAL_TYPE_DISPLAY_PORT_MST;
+ link->type = dc_connection_mst_branch;
+
++ dal_ddc_service_set_transaction_type(
++ link->ddc,
++ sink_caps->transaction_type);
++
+ /*
+ * This call will initiate MST topology discovery. Which
+ * will detect MST ports and add new DRM connector DRM
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Harry Wentland <harry.wentland@amd.com>
+Date: Mon, 9 Jul 2018 13:48:12 -0400
+Subject: drm/amd/pp: Send khz clock values to DC for smu7/8
+
+From: Harry Wentland <harry.wentland@amd.com>
+
+[ Upstream commit c3cb424a086921f6bb0449b10d998352a756d6d5 ]
+
+The previous change wasn't covering smu 7 and 8 and therefore DC was
+seeing wrong clock values.
+
+This fixes an issue where the pipes seem to hang with a 4k DP and 1080p
+HDMI display.
+
+Fixes: c3df50abc84b ("drm/amd/pp: Convert clock unit to KHz as defined")
+Signed-off-by: Harry Wentland <harry.wentland@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Cc:rex.zhu@amd.com
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c | 8 ++++----
+ drivers/gpu/drm/amd/powerplay/hwmgr/smu8_hwmgr.c | 6 +++---
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c
++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c
+@@ -4555,12 +4555,12 @@ static int smu7_get_sclks(struct pp_hwmg
+ return -EINVAL;
+ dep_sclk_table = table_info->vdd_dep_on_sclk;
+ for (i = 0; i < dep_sclk_table->count; i++)
+- clocks->clock[i] = dep_sclk_table->entries[i].clk;
++ clocks->clock[i] = dep_sclk_table->entries[i].clk * 10;
+ clocks->count = dep_sclk_table->count;
+ } else if (hwmgr->pp_table_version == PP_TABLE_V0) {
+ sclk_table = hwmgr->dyn_state.vddc_dependency_on_sclk;
+ for (i = 0; i < sclk_table->count; i++)
+- clocks->clock[i] = sclk_table->entries[i].clk;
++ clocks->clock[i] = sclk_table->entries[i].clk * 10;
+ clocks->count = sclk_table->count;
+ }
+
+@@ -4592,7 +4592,7 @@ static int smu7_get_mclks(struct pp_hwmg
+ return -EINVAL;
+ dep_mclk_table = table_info->vdd_dep_on_mclk;
+ for (i = 0; i < dep_mclk_table->count; i++) {
+- clocks->clock[i] = dep_mclk_table->entries[i].clk;
++ clocks->clock[i] = dep_mclk_table->entries[i].clk * 10;
+ clocks->latency[i] = smu7_get_mem_latency(hwmgr,
+ dep_mclk_table->entries[i].clk);
+ }
+@@ -4600,7 +4600,7 @@ static int smu7_get_mclks(struct pp_hwmg
+ } else if (hwmgr->pp_table_version == PP_TABLE_V0) {
+ mclk_table = hwmgr->dyn_state.vddc_dependency_on_mclk;
+ for (i = 0; i < mclk_table->count; i++)
+- clocks->clock[i] = mclk_table->entries[i].clk;
++ clocks->clock[i] = mclk_table->entries[i].clk * 10;
+ clocks->count = mclk_table->count;
+ }
+ return 0;
+--- a/drivers/gpu/drm/amd/powerplay/hwmgr/smu8_hwmgr.c
++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/smu8_hwmgr.c
+@@ -1605,17 +1605,17 @@ static int smu8_get_clock_by_type(struct
+ switch (type) {
+ case amd_pp_disp_clock:
+ for (i = 0; i < clocks->count; i++)
+- clocks->clock[i] = data->sys_info.display_clock[i];
++ clocks->clock[i] = data->sys_info.display_clock[i] * 10;
+ break;
+ case amd_pp_sys_clock:
+ table = hwmgr->dyn_state.vddc_dependency_on_sclk;
+ for (i = 0; i < clocks->count; i++)
+- clocks->clock[i] = table->entries[i].clk;
++ clocks->clock[i] = table->entries[i].clk * 10;
+ break;
+ case amd_pp_mem_clock:
+ clocks->count = SMU8_NUM_NBPMEMORYCLOCK;
+ for (i = 0; i < clocks->count; i++)
+- clocks->clock[i] = data->sys_info.nbp_memory_clock[clocks->count - 1 - i];
++ clocks->clock[i] = data->sys_info.nbp_memory_clock[clocks->count - 1 - i] * 10;
+ break;
+ default:
+ return -1;
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Wei Lu <wei.lu2@amd.com>
+Date: Wed, 11 Jul 2018 22:32:47 -0400
+Subject: drm/amdkfd: Fix error codes in kfd_get_process
+
+From: Wei Lu <wei.lu2@amd.com>
+
+[ Upstream commit e47cb828eb3fca3e8999a0b9aa053dda18552071 ]
+
+Return ERR_PTR(-EINVAL) if kfd_get_process fails to find the process.
+This fixes kernel oopses when a child process calls KFD ioctls with
+a file descriptor inherited from the parent process.
+
+Signed-off-by: Wei Lu <wei.lu2@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_process.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+@@ -244,6 +244,8 @@ struct kfd_process *kfd_get_process(cons
+ return ERR_PTR(-EINVAL);
+
+ process = find_process(thread);
++ if (!process)
++ return ERR_PTR(-EINVAL);
+
+ return process;
+ }
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Shaoyun Liu <Shaoyun.Liu@amd.com>
+Date: Wed, 11 Jul 2018 22:33:01 -0400
+Subject: drm/amdkfd: Fix kernel queue 64 bit doorbell offset calculation
+
+From: Shaoyun Liu <Shaoyun.Liu@amd.com>
+
+[ Upstream commit 951df6d9cfd07f205f1905bf3b27d994612e0614 ]
+
+The bitmap index calculation should reverse the logic used on allocation
+so it will clear the same bit used on allocation
+
+Signed-off-by: Shaoyun Liu <Shaoyun.Liu@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_doorbell.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_doorbell.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_doorbell.c
+@@ -188,9 +188,9 @@ void __iomem *kfd_get_kernel_doorbell(st
+ *doorbell_off = kfd->doorbell_id_offset + inx;
+
+ pr_debug("Get kernel queue doorbell\n"
+- " doorbell offset == 0x%08X\n"
+- " kernel address == %p\n",
+- *doorbell_off, (kfd->doorbell_kernel_ptr + inx));
++ " doorbell offset == 0x%08X\n"
++ " doorbell index == 0x%x\n",
++ *doorbell_off, inx);
+
+ return kfd->doorbell_kernel_ptr + inx;
+ }
+@@ -199,7 +199,8 @@ void kfd_release_kernel_doorbell(struct
+ {
+ unsigned int inx;
+
+- inx = (unsigned int)(db_addr - kfd->doorbell_kernel_ptr);
++ inx = (unsigned int)(db_addr - kfd->doorbell_kernel_ptr)
++ * sizeof(u32) / kfd->device_info->doorbell_size;
+
+ mutex_lock(&kfd->doorbell_mutex);
+ __clear_bit(inx, kfd->doorbell_available_index);
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Karol Herbst <karolherbst@gmail.com>
+Date: Sat, 14 Jul 2018 12:52:09 +0200
+Subject: drm/nouveau/debugfs: Wake up GPU before doing any reclocking
+
+From: Karol Herbst <karolherbst@gmail.com>
+
+[ Upstream commit eaeb9010bb4bcdc20e58254fa42f3fe730a7f908 ]
+
+Fixes various reclocking related issues on prime systems.
+
+Signed-off-by: Karol Herbst <karolherbst@gmail.com>
+Signed-off-by: Martin Peres <martin.peres@free.fr>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_debugfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c
++++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
+@@ -160,7 +160,11 @@ nouveau_debugfs_pstate_set(struct file *
+ args.ustate = value;
+ }
+
++ ret = pm_runtime_get_sync(drm->dev);
++ if (IS_ERR_VALUE(ret) && ret != -EACCES)
++ return ret;
+ ret = nvif_mthd(ctrl, NVIF_CONTROL_PSTATE_USER, &args, sizeof(args));
++ pm_runtime_put_autosuspend(drm->dev);
+ if (ret < 0)
+ return ret;
+
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Lyude Paul <lyude@redhat.com>
+Date: Thu, 12 Jul 2018 13:02:52 -0400
+Subject: drm/nouveau: Fix runtime PM leak in drm_open()
+
+From: Lyude Paul <lyude@redhat.com>
+
+[ Upstream commit 922a8c82fafdec99688bbaea6c5889f562a42cdc ]
+
+Noticed this as I was skimming through, if we fail to allocate memory
+for cli we'll end up returning without dropping the runtime PM ref we
+got. Additionally, we'll even return the wrong return code! (ret most
+likely will == 0 here, we want -ENOMEM).
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Reviewed-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
+@@ -908,8 +908,10 @@ nouveau_drm_open(struct drm_device *dev,
+ get_task_comm(tmpname, current);
+ snprintf(name, sizeof(name), "%s[%d]", tmpname, pid_nr(fpriv->pid));
+
+- if (!(cli = kzalloc(sizeof(*cli), GFP_KERNEL)))
+- return ret;
++ if (!(cli = kzalloc(sizeof(*cli), GFP_KERNEL))) {
++ ret = -ENOMEM;
++ goto done;
++ }
+
+ ret = nouveau_cli_init(drm, name, cli);
+ if (ret)
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Thierry Reding <treding@nvidia.com>
+Date: Wed, 30 May 2018 16:06:25 +0200
+Subject: drm/nouveau: tegra: Detach from ARM DMA/IOMMU mapping
+
+From: Thierry Reding <treding@nvidia.com>
+
+[ Upstream commit b59fb482b52269977ee5de205308e5b236a03917 ]
+
+Depending on the kernel configuration, early ARM architecture setup code
+may have attached the GPU to a DMA/IOMMU mapping that transparently uses
+the IOMMU to back the DMA API. Tegra requires special handling for IOMMU
+backed buffers (a special bit in the GPU's MMU page tables indicates the
+memory path to take: via the SMMU or directly to the memory controller).
+Transparently backing DMA memory with an IOMMU prevents Nouveau from
+properly handling such memory accesses and causes memory access faults.
+
+As a side-note: buffers other than those allocated in instance memory
+don't need to be physically contiguous from the GPU's perspective since
+the GPU can map them into contiguous buffers using its own MMU. Mapping
+these buffers through the IOMMU is unnecessary and will even lead to
+performance degradation because of the additional translation. One
+exception to this are compressible buffers which need large pages. In
+order to enable these large pages, multiple small pages will have to be
+combined into one large (I/O virtually contiguous) mapping via the
+IOMMU. However, that is a topic outside the scope of this fix and isn't
+currently supported. An implementation will want to explicitly create
+these large pages in the Nouveau driver, so detaching from a DMA/IOMMU
+mapping would still be required.
+
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Acked-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Tested-by: Nicolas Chauvet <kwizart@gmail.com>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c
+@@ -23,6 +23,10 @@
+ #ifdef CONFIG_NOUVEAU_PLATFORM_DRIVER
+ #include "priv.h"
+
++#if IS_ENABLED(CONFIG_ARM_DMA_USE_IOMMU)
++#include <asm/dma-iommu.h>
++#endif
++
+ static int
+ nvkm_device_tegra_power_up(struct nvkm_device_tegra *tdev)
+ {
+@@ -105,6 +109,15 @@ nvkm_device_tegra_probe_iommu(struct nvk
+ unsigned long pgsize_bitmap;
+ int ret;
+
++#if IS_ENABLED(CONFIG_ARM_DMA_USE_IOMMU)
++ if (dev->archdata.mapping) {
++ struct dma_iommu_mapping *mapping = to_dma_iommu_mapping(dev);
++
++ arm_iommu_detach_device(dev);
++ arm_iommu_release_mapping(mapping);
++ }
++#endif
++
+ if (!tdev->func->iommu_bit)
+ return;
+
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:38:09 +0300
+Subject: drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit cd0e0ca69109d025b1a1b6609f70682db62138b0 ]
+
+The ARRAY_SIZE() macro is type size_t. If s6e8aa0_dcs_read() returns a
+negative error code, then "ret < ARRAY_SIZE(id)" is false because the
+negative error code is type promoted to a high positive value.
+
+Fixes: 02051ca06371 ("drm/panel: add S6E8AA0 driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Andrzej Hajda <a.hajda@samsung.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180704093807.s3lqsb2v6dg2k43d@kili.mountain
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/panel/panel-samsung-s6e8aa0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/panel/panel-samsung-s6e8aa0.c
++++ b/drivers/gpu/drm/panel/panel-samsung-s6e8aa0.c
+@@ -823,7 +823,7 @@ static void s6e8aa0_read_mtp_id(struct s
+ int ret, i;
+
+ ret = s6e8aa0_dcs_read(ctx, 0xd1, id, ARRAY_SIZE(id));
+- if (ret < ARRAY_SIZE(id) || id[0] == 0x00) {
++ if (ret < 0 || ret < ARRAY_SIZE(id) || id[0] == 0x00) {
+ dev_err(ctx->dev, "read id failed\n");
+ ctx->error = -EIO;
+ return;
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Mon, 16 Jul 2018 23:25:07 +0800
+Subject: efi/esrt: Only call efi_mem_reserve() for boot services memory
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+[ Upstream commit 61f0d55569463a1af897117ff47d202b0ccb2e24 ]
+
+The following commit:
+
+ 7e1550b8f208 ("efi: Drop type and attribute checks in efi_mem_desc_lookup()")
+
+refactored the implementation of efi_mem_desc_lookup() so that the type
+check is moved to the callers, one of which is the x86 version of
+efi_arch_mem_reserve(), where we added a modified check that only takes
+EFI_BOOT_SERVICES_DATA regions into account.
+
+This is reasonable, since it is the only memory type that requires this,
+but doing so uncovered some unexpected behavior in the ESRT code, which
+permits the ESRT table to reside in other types of memory than what the
+UEFI spec mandates (i.e., EFI_BOOT_SERVICES_DATA), and unconditionally
+calls efi_mem_reserve() on the region in question. This may result in
+errors such as
+
+ esrt: Reserving ESRT space from 0x000000009c810318 to 0x000000009c810350.
+ efi: Failed to lookup EFI memory descriptor for 0x000000009c810318
+
+when the ESRT table is not in EFI_BOOT_SERVICES_DATA memory, but we try
+to reserve it nonetheless.
+
+So make the call to efi_mem_reserve() conditional on the memory type.
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Jones <pjones@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/esrt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/firmware/efi/esrt.c
++++ b/drivers/firmware/efi/esrt.c
+@@ -326,7 +326,8 @@ void __init efi_esrt_init(void)
+
+ end = esrt_data + size;
+ pr_info("Reserving ESRT space from %pa to %pa.\n", &esrt_data, &end);
+- efi_mem_reserve(esrt_data, esrt_data_size);
++ if (md.type == EFI_BOOT_SERVICES_DATA)
++ efi_mem_reserve(esrt_data, esrt_data_size);
+
+ pr_debug("esrt-init: loaded.\n");
+ }
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Matthew Garrett <mjg59@google.com>
+Date: Fri, 8 Jun 2018 14:57:42 -0700
+Subject: evm: Don't deadlock if a crypto algorithm is unavailable
+
+From: Matthew Garrett <mjg59@google.com>
+
+[ Upstream commit e2861fa71641c6414831d628a1f4f793b6562580 ]
+
+When EVM attempts to appraise a file signed with a crypto algorithm the
+kernel doesn't have support for, it will cause the kernel to trigger a
+module load. If the EVM policy includes appraisal of kernel modules this
+will in turn call back into EVM - since EVM is holding a lock until the
+crypto initialisation is complete, this triggers a deadlock. Add a
+CRYPTO_NOLOAD flag and skip module loading if it's set, and add that flag
+in the EVM case in order to fail gracefully with an error message
+instead of deadlocking.
+
+Signed-off-by: Matthew Garrett <mjg59@google.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/api.c | 2 +-
+ include/linux/crypto.h | 5 +++++
+ security/integrity/evm/evm_crypto.c | 3 ++-
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -229,7 +229,7 @@ static struct crypto_alg *crypto_larval_
+ mask &= ~(CRYPTO_ALG_LARVAL | CRYPTO_ALG_DEAD);
+
+ alg = crypto_alg_lookup(name, type, mask);
+- if (!alg) {
++ if (!alg && !(mask & CRYPTO_NOLOAD)) {
+ request_module("crypto-%s", name);
+
+ if (!((type ^ CRYPTO_ALG_NEED_FALLBACK) & mask &
+--- a/include/linux/crypto.h
++++ b/include/linux/crypto.h
+@@ -113,6 +113,11 @@
+ #define CRYPTO_ALG_OPTIONAL_KEY 0x00004000
+
+ /*
++ * Don't trigger module loading
++ */
++#define CRYPTO_NOLOAD 0x00008000
++
++/*
+ * Transform masks and values (for crt_flags).
+ */
+ #define CRYPTO_TFM_NEED_KEY 0x00000001
+--- a/security/integrity/evm/evm_crypto.c
++++ b/security/integrity/evm/evm_crypto.c
+@@ -97,7 +97,8 @@ static struct shash_desc *init_desc(char
+ mutex_lock(&mutex);
+ if (*tfm)
+ goto out;
+- *tfm = crypto_alloc_shash(algo, 0, CRYPTO_ALG_ASYNC);
++ *tfm = crypto_alloc_shash(algo, 0,
++ CRYPTO_ALG_ASYNC | CRYPTO_NOLOAD);
+ if (IS_ERR(*tfm)) {
+ rc = PTR_ERR(*tfm);
+ pr_err("Can not allocate %s (reason: %ld)\n", algo, rc);
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Fri, 6 Jul 2018 16:47:34 -0700
+Subject: f2fs: do checkpoint in kill_sb
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+[ Upstream commit 1cb50f87e10696e8cc61fb62d0d948e11b0e6dc1 ]
+
+When unmounting f2fs in force mode, we can get it stuck by io_schedule()
+by some pending IOs in meta_inode.
+
+io_schedule+0xd/0x30
+wait_on_page_bit_common+0xc6/0x130
+__filemap_fdatawait_range+0xbd/0x100
+filemap_fdatawait_keep_errors+0x15/0x40
+sync_inodes_sb+0x1cf/0x240
+sync_filesystem+0x52/0x90
+generic_shutdown_super+0x1d/0x110
+kill_f2fs_super+0x28/0x80 [f2fs]
+deactivate_locked_super+0x35/0x60
+cleanup_mnt+0x36/0x70
+task_work_run+0x79/0xa0
+exit_to_usermode_loop+0x62/0x70
+do_syscall_64+0xdb/0xf0
+entry_SYSCALL_64_after_hwframe+0x44/0xa9
+0xffffffffffffffff
+
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/super.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -3106,9 +3106,19 @@ static struct dentry *f2fs_mount(struct
+ static void kill_f2fs_super(struct super_block *sb)
+ {
+ if (sb->s_root) {
+- set_sbi_flag(F2FS_SB(sb), SBI_IS_CLOSE);
+- f2fs_stop_gc_thread(F2FS_SB(sb));
+- f2fs_stop_discard_thread(F2FS_SB(sb));
++ struct f2fs_sb_info *sbi = F2FS_SB(sb);
++
++ set_sbi_flag(sbi, SBI_IS_CLOSE);
++ f2fs_stop_gc_thread(sbi);
++ f2fs_stop_discard_thread(sbi);
++
++ if (is_sbi_flag_set(sbi, SBI_IS_DIRTY) ||
++ !is_set_ckpt_flags(sbi, CP_UMOUNT_FLAG)) {
++ struct cp_control cpc = {
++ .reason = CP_UMOUNT,
++ };
++ f2fs_write_checkpoint(sbi, &cpc);
++ }
+ }
+ kill_block_super(sb);
+ }
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Wed, 11 Jul 2018 13:19:38 +0000
+Subject: gpio: pxa: Fix potential NULL dereference
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 9506755633d0b32ef76f67c345000178e9b0dfc4 ]
+
+platform_get_resource() may fail and return NULL, so we should
+better check it's return value to avoid a NULL pointer dereference
+a bit later in the code.
+
+This is detected by Coccinelle semantic patch.
+
+@@
+expression pdev, res, n, t, e, e1, e2;
+@@
+
+res = platform_get_resource(pdev, t, n);
++ if (!res)
++ return -EINVAL;
+... when != res == NULL
+e = devm_ioremap(e1, res->start, e2);
+
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-pxa.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpio/gpio-pxa.c
++++ b/drivers/gpio/gpio-pxa.c
+@@ -665,6 +665,8 @@ static int pxa_gpio_probe(struct platfor
+ pchip->irq0 = irq0;
+ pchip->irq1 = irq1;
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!res)
++ return -EINVAL;
+ gpio_reg_base = devm_ioremap(&pdev->dev, res->start,
+ resource_size(res));
+ if (!gpio_reg_base)
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Bartosz Golaszewski <brgl@bgdev.pl>
+Date: Mon, 16 Jul 2018 10:34:23 +0200
+Subject: gpiolib: don't allow userspace to set values of input lines
+
+From: Bartosz Golaszewski <brgl@bgdev.pl>
+
+[ Upstream commit e5332d5437764f775cf4e3b8ca3bf592af063a02 ]
+
+User space can currently both read and set values of input lines using
+the character device. This was not allowed by the old sysfs interface
+nor is it a correct behavior.
+
+Check the first descriptor in the set for the OUT flag when asked to
+set values and return -EPERM if the line is input.
+
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -449,7 +449,13 @@ static long linehandle_ioctl(struct file
+
+ return 0;
+ } else if (cmd == GPIOHANDLE_SET_LINE_VALUES_IOCTL) {
+- /* TODO: check if descriptors are really output */
++ /*
++ * All line descriptors were created at once with the same
++ * flags so just check if the first one is really output.
++ */
++ if (!test_bit(FLAG_IS_OUT, &lh->descs[0]->flags))
++ return -EPERM;
++
+ if (copy_from_user(&ghd, ip, sizeof(ghd)))
+ return -EFAULT;
+
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Mon, 9 Jul 2018 21:47:27 +0300
+Subject: gpiolib: Mark gpio_suffixes array with __maybe_unused
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit b23ec59926faf05b0c43680d05671c484e810ac4 ]
+
+Since we put static variable to a header file it's copied to each module
+that includes the header. But not all of them are actually used it.
+
+Mark gpio_suffixes array with __maybe_unused to hide a compiler warning:
+
+In file included from
+drivers/gpio/gpiolib-legacy.c:6:0:
+drivers/gpio/gpiolib.h:95:27: warning: ‘gpio_suffixes’ defined but not used [-Wunused-const-variable=]
+ static const char * const gpio_suffixes[] = { "gpios", "gpio" };
+ ^~~~~~~~~~~~~
+In file included from drivers/gpio/gpiolib-devprop.c:17:0:
+drivers/gpio/gpiolib.h:95:27: warning: ‘gpio_suffixes’ defined but not used [-Wunused-const-variable=]
+ static const char * const gpio_suffixes[] = { "gpios", "gpio" };
+ ^~~~~~~~~~~~~
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib.h
++++ b/drivers/gpio/gpiolib.h
+@@ -92,7 +92,7 @@ struct acpi_gpio_info {
+ };
+
+ /* gpio suffixes used for ACPI and device tree lookup */
+-static const char * const gpio_suffixes[] = { "gpios", "gpio" };
++static __maybe_unused const char * const gpio_suffixes[] = { "gpios", "gpio" };
+
+ #ifdef CONFIG_OF_GPIO
+ struct gpio_desc *of_find_gpio(struct device *dev,
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Tue, 3 Jul 2018 03:38:31 +0300
+Subject: gpiolib: Respect error code of ->get_direction()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 36b312792b97933dc07abe074f50941199bd357c ]
+
+In case we try to lock GPIO pin as IRQ when something going wrong
+we print a misleading message.
+
+Correct this by checking an error code from ->get_direction() in
+gpiochip_lock_as_irq() and printing a corresponding message.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -3257,6 +3257,12 @@ int gpiochip_lock_as_irq(struct gpio_chi
+ if (!chip->can_sleep && chip->get_direction) {
+ int dir = chip->get_direction(chip, offset);
+
++ if (dir < 0) {
++ chip_err(chip, "%s: cannot get GPIO direction\n",
++ __func__);
++ return dir;
++ }
++
+ if (dir)
+ clear_bit(FLAG_IS_OUT, &desc->flags);
+ else
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
+Date: Thu, 3 May 2018 18:29:36 +0200
+Subject: gpu: ipu-v3: csi: pass back mbus_code_to_bus_cfg error codes
+
+From: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
+
+[ Upstream commit d36d0e6309dd8137cf438cbb680e72eb63c81425 ]
+
+mbus_code_to_bus_cfg() can fail on unknown mbus codes; pass back the
+error to the caller.
+
+Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
+Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
+[p.zabel@pengutronix.de - renamed rc to ret for consistency]
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/ipu-v3/ipu-csi.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/ipu-v3/ipu-csi.c
++++ b/drivers/gpu/ipu-v3/ipu-csi.c
+@@ -318,13 +318,17 @@ static int mbus_code_to_bus_cfg(struct i
+ /*
+ * Fill a CSI bus config struct from mbus_config and mbus_framefmt.
+ */
+-static void fill_csi_bus_cfg(struct ipu_csi_bus_config *csicfg,
++static int fill_csi_bus_cfg(struct ipu_csi_bus_config *csicfg,
+ struct v4l2_mbus_config *mbus_cfg,
+ struct v4l2_mbus_framefmt *mbus_fmt)
+ {
++ int ret;
++
+ memset(csicfg, 0, sizeof(*csicfg));
+
+- mbus_code_to_bus_cfg(csicfg, mbus_fmt->code);
++ ret = mbus_code_to_bus_cfg(csicfg, mbus_fmt->code);
++ if (ret < 0)
++ return ret;
+
+ switch (mbus_cfg->type) {
+ case V4L2_MBUS_PARALLEL:
+@@ -356,6 +360,8 @@ static void fill_csi_bus_cfg(struct ipu_
+ /* will never get here, keep compiler quiet */
+ break;
+ }
++
++ return 0;
+ }
+
+ int ipu_csi_init_interface(struct ipu_csi *csi,
+@@ -365,8 +371,11 @@ int ipu_csi_init_interface(struct ipu_cs
+ struct ipu_csi_bus_config cfg;
+ unsigned long flags;
+ u32 width, height, data = 0;
++ int ret;
+
+- fill_csi_bus_cfg(&cfg, mbus_cfg, mbus_fmt);
++ ret = fill_csi_bus_cfg(&cfg, mbus_cfg, mbus_fmt);
++ if (ret < 0)
++ return ret;
+
+ /* set default sensor frame width and height */
+ width = mbus_fmt->width;
+@@ -587,11 +596,14 @@ int ipu_csi_set_mipi_datatype(struct ipu
+ struct ipu_csi_bus_config cfg;
+ unsigned long flags;
+ u32 temp;
++ int ret;
+
+ if (vc > 3)
+ return -EINVAL;
+
+- mbus_code_to_bus_cfg(&cfg, mbus_fmt->code);
++ ret = mbus_code_to_bus_cfg(&cfg, mbus_fmt->code);
++ if (ret < 0)
++ return ret;
+
+ spin_lock_irqsave(&csi->lock, flags);
+
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Jann Horn <jannh@google.com>
+Date: Fri, 6 Jul 2018 22:48:03 +0200
+Subject: IB/mlx5: fix uaccess beyond "count" in debugfs read/write handlers
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 60e6627f12a78203a093ca05b7bca15627747d81 ]
+
+In general, accessing userspace memory beyond the length of the supplied
+buffer in VFS read/write handlers can lead to both kernel memory corruption
+(via kernel_read()/kernel_write(), which can e.g. be triggered via
+sys_splice()) and privilege escalation inside userspace.
+
+In this case, the affected files are in debugfs (and should therefore only
+be accessible to root), and the read handlers check that *pos is zero
+(meaning that at least sys_splice() can't trigger kernel memory
+corruption). Because of the root requirement, this is not a security fix,
+but rather a cleanup.
+
+For the read handlers, fix it by using simple_read_from_buffer() instead
+of custom logic. Add min() calls to the write handlers.
+
+Fixes: 4a2da0b8c078 ("IB/mlx5: Add debug control parameters for congestion control")
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Jann Horn <jannh@google.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx5/cong.c | 9 +--------
+ drivers/infiniband/hw/mlx5/mr.c | 32 ++++++++------------------------
+ 2 files changed, 9 insertions(+), 32 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/cong.c
++++ b/drivers/infiniband/hw/mlx5/cong.c
+@@ -359,9 +359,6 @@ static ssize_t get_param(struct file *fi
+ int ret;
+ char lbuf[11];
+
+- if (*pos)
+- return 0;
+-
+ ret = mlx5_ib_get_cc_params(param->dev, param->port_num, offset, &var);
+ if (ret)
+ return ret;
+@@ -370,11 +367,7 @@ static ssize_t get_param(struct file *fi
+ if (ret < 0)
+ return ret;
+
+- if (copy_to_user(buf, lbuf, ret))
+- return -EFAULT;
+-
+- *pos += ret;
+- return ret;
++ return simple_read_from_buffer(buf, count, pos, lbuf, ret);
+ }
+
+ static const struct file_operations dbg_cc_fops = {
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -271,16 +271,16 @@ static ssize_t size_write(struct file *f
+ {
+ struct mlx5_cache_ent *ent = filp->private_data;
+ struct mlx5_ib_dev *dev = ent->dev;
+- char lbuf[20];
++ char lbuf[20] = {0};
+ u32 var;
+ int err;
+ int c;
+
+- if (copy_from_user(lbuf, buf, sizeof(lbuf)))
++ count = min(count, sizeof(lbuf) - 1);
++ if (copy_from_user(lbuf, buf, count))
+ return -EFAULT;
+
+ c = order2idx(dev, ent->order);
+- lbuf[sizeof(lbuf) - 1] = 0;
+
+ if (sscanf(lbuf, "%u", &var) != 1)
+ return -EINVAL;
+@@ -310,19 +310,11 @@ static ssize_t size_read(struct file *fi
+ char lbuf[20];
+ int err;
+
+- if (*pos)
+- return 0;
+-
+ err = snprintf(lbuf, sizeof(lbuf), "%d\n", ent->size);
+ if (err < 0)
+ return err;
+
+- if (copy_to_user(buf, lbuf, err))
+- return -EFAULT;
+-
+- *pos += err;
+-
+- return err;
++ return simple_read_from_buffer(buf, count, pos, lbuf, err);
+ }
+
+ static const struct file_operations size_fops = {
+@@ -337,16 +329,16 @@ static ssize_t limit_write(struct file *
+ {
+ struct mlx5_cache_ent *ent = filp->private_data;
+ struct mlx5_ib_dev *dev = ent->dev;
+- char lbuf[20];
++ char lbuf[20] = {0};
+ u32 var;
+ int err;
+ int c;
+
+- if (copy_from_user(lbuf, buf, sizeof(lbuf)))
++ count = min(count, sizeof(lbuf) - 1);
++ if (copy_from_user(lbuf, buf, count))
+ return -EFAULT;
+
+ c = order2idx(dev, ent->order);
+- lbuf[sizeof(lbuf) - 1] = 0;
+
+ if (sscanf(lbuf, "%u", &var) != 1)
+ return -EINVAL;
+@@ -372,19 +364,11 @@ static ssize_t limit_read(struct file *f
+ char lbuf[20];
+ int err;
+
+- if (*pos)
+- return 0;
+-
+ err = snprintf(lbuf, sizeof(lbuf), "%d\n", ent->limit);
+ if (err < 0)
+ return err;
+
+- if (copy_to_user(buf, lbuf, err))
+- return -EFAULT;
+-
+- *pos += err;
+-
+- return err;
++ return simple_read_from_buffer(buf, count, pos, lbuf, err);
+ }
+
+ static const struct file_operations limit_fops = {
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Thu, 5 Jul 2018 10:51:35 -0700
+Subject: IB/nes: Fix a compiler warning
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+[ Upstream commit 4c5743bc4fe3233cecc1c184a773c79c8ee45bbe ]
+
+Avoid that the following compiler warning is reported when building with
+W=1:
+
+drivers/infiniband/hw/nes/nes_hw.c:646:51: warning: suggest braces around empty body in an 'if' statement [-Wempty-body]
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/nes/nes.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/nes/nes.h
++++ b/drivers/infiniband/hw/nes/nes.h
+@@ -159,7 +159,7 @@ do { \
+
+ #define NES_EVENT_TIMEOUT 1200000
+ #else
+-#define nes_debug(level, fmt, args...)
++#define nes_debug(level, fmt, args...) do {} while (0)
+ #define assert(expr) do {} while (0)
+
+ #define NES_EVENT_TIMEOUT 100000
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Peter Rosin <peda@axentia.se>
+Date: Wed, 20 Jun 2018 07:17:56 +0200
+Subject: input: rohm_bu21023: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
+
+From: Peter Rosin <peda@axentia.se>
+
+[ Upstream commit 193c2a07cfaacb9249ab0e3d34bce32490879355 ]
+
+Locking the root adapter for __i2c_transfer will deadlock if the
+device sits behind a mux-locked I2C mux. Switch to the finer-grained
+i2c_lock_bus with the I2C_LOCK_SEGMENT flag. If the device does not
+sit behind a mux-locked mux, the two locking variants are equivalent.
+
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/rohm_bu21023.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/touchscreen/rohm_bu21023.c
++++ b/drivers/input/touchscreen/rohm_bu21023.c
+@@ -304,7 +304,7 @@ static int rohm_i2c_burst_read(struct i2
+ msg[1].len = len;
+ msg[1].buf = buf;
+
+- i2c_lock_adapter(adap);
++ i2c_lock_bus(adap, I2C_LOCK_SEGMENT);
+
+ for (i = 0; i < 2; i++) {
+ if (__i2c_transfer(adap, &msg[i], 1) < 0) {
+@@ -313,7 +313,7 @@ static int rohm_i2c_burst_read(struct i2
+ }
+ }
+
+- i2c_unlock_adapter(adap);
++ i2c_unlock_bus(adap, I2C_LOCK_SEGMENT);
+
+ return ret;
+ }
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Wed, 20 Jun 2018 18:42:58 +1000
+Subject: KVM: PPC: Book3S: Fix matching of hardware and emulated TCE tables
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+[ Upstream commit 76346cd93a5eca33700f82685d56172dd65d4c0a ]
+
+When attaching a hardware table to LIOBN in KVM, we match table parameters
+such as page size, table offset and table size. However the tables are
+created via very different paths - VFIO and KVM - and the VFIO path goes
+through the platform code which has minimum TCE page size requirement
+(which is 4K but since we allocate memory by pages and cannot avoid
+alignment anyway, we align to 64k pages for powernv_defconfig).
+
+So when we match the tables, one might be bigger that the other which
+means the hardware table cannot get attached to LIOBN and DMA mapping
+fails.
+
+This removes the table size alignment from the guest visible table.
+This does not affect the memory allocation which is still aligned -
+kvmppc_tce_pages() takes care of this.
+
+This relaxes the check we do when attaching tables to allow the hardware
+table be bigger than the guest visible table.
+
+Ideally we want the KVM table to cover the same space as the hardware
+table does but since the hardware table may use multiple levels, and
+all levels must use the same table size (IODA2 design), the area it can
+actually cover might get very different from the window size which
+the guest requested, even though the guest won't map it all.
+
+Fixes: ca1fc489cf "KVM: PPC: Book3S: Allow backing bigger guest IOMMU pages with smaller physical pages"
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kvm/book3s_64_vio.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_64_vio.c
++++ b/arch/powerpc/kvm/book3s_64_vio.c
+@@ -180,7 +180,7 @@ extern long kvm_spapr_tce_attach_iommu_g
+ if ((tbltmp->it_page_shift <= stt->page_shift) &&
+ (tbltmp->it_offset << tbltmp->it_page_shift ==
+ stt->offset << stt->page_shift) &&
+- (tbltmp->it_size << tbltmp->it_page_shift ==
++ (tbltmp->it_size << tbltmp->it_page_shift >=
+ stt->size << stt->page_shift)) {
+ /*
+ * Reference the table to avoid races with
+@@ -296,7 +296,7 @@ long kvm_vm_ioctl_create_spapr_tce(struc
+ {
+ struct kvmppc_spapr_tce_table *stt = NULL;
+ struct kvmppc_spapr_tce_table *siter;
+- unsigned long npages, size;
++ unsigned long npages, size = args->size;
+ int ret = -ENOMEM;
+ int i;
+
+@@ -304,7 +304,6 @@ long kvm_vm_ioctl_create_spapr_tce(struc
+ (args->offset + args->size > (ULLONG_MAX >> args->page_shift)))
+ return -EINVAL;
+
+- size = _ALIGN_UP(args->size, PAGE_SIZE >> 3);
+ npages = kvmppc_tce_pages(size);
+ ret = kvmppc_account_memlimit(kvmppc_stt_pages(npages), true);
+ if (ret)
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Sat, 7 Jul 2018 08:53:07 +0200
+Subject: KVM: PPC: Book3S HV: Add of_node_put() in success path
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit 51eaa08f029c7343df846325d7cf047be8b96e81 ]
+
+The call to of_find_compatible_node() is returning a pointer with
+incremented refcount so it must be explicitly decremented after the
+last use. As here it is only being used for checking of node presence
+but the result is not actually used in the success path it can be
+dropped immediately.
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Fixes: commit f725758b899f ("KVM: PPC: Book3S HV: Use OPAL XICS emulation on POWER9")
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kvm/book3s_hv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -4562,6 +4562,8 @@ static int kvmppc_book3s_init_hv(void)
+ pr_err("KVM-HV: Cannot determine method for accessing XICS\n");
+ return -ENODEV;
+ }
++ /* presence of intc confirmed - node can be dropped again */
++ of_node_put(np);
+ }
+ #endif
+
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Hans Holmberg <hans.holmberg@cnexlabs.com>
+Date: Fri, 13 Jul 2018 10:48:45 +0200
+Subject: lightnvm: pblk: assume that chunks are closed on 1.2 devices
+
+From: Hans Holmberg <hans.holmberg@cnexlabs.com>
+
+[ Upstream commit f6352103d2e0ad2d2066725eb19bfdfb8763239b ]
+
+We can't know if a block is closed or not on 1.2 devices, so assume
+closed state to make sure that blocks are erased before writing.
+
+Fixes: 32ef9412c114 ("lightnvm: pblk: implement get log report chunk")
+Signed-off-by: Hans Holmberg <hans.holmberg@cnexlabs.com>
+Signed-off-by: Matias Bjørling <mb@lightnvm.io>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/lightnvm/pblk-init.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/lightnvm/pblk-init.c
++++ b/drivers/lightnvm/pblk-init.c
+@@ -716,10 +716,11 @@ static int pblk_setup_line_meta_12(struc
+
+ /*
+ * In 1.2 spec. chunk state is not persisted by the device. Thus
+- * some of the values are reset each time pblk is instantiated.
++ * some of the values are reset each time pblk is instantiated,
++ * so we have to assume that the block is closed.
+ */
+ if (lun_bb_meta[line->id] == NVM_BLK_T_FREE)
+- chunk->state = NVM_CHK_ST_FREE;
++ chunk->state = NVM_CHK_ST_CLOSED;
+ else
+ chunk->state = NVM_CHK_ST_OFFLINE;
+
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: "Matias Bjørling" <mb@lightnvm.io>
+Date: Fri, 13 Jul 2018 10:48:38 +0200
+Subject: lightnvm: pblk: enable line minor version detection
+
+From: "Matias Bjørling" <mb@lightnvm.io>
+
+[ Upstream commit 99b8dad1b6e52721904220322a947f7b75056303 ]
+
+When recovering a line, an extra check was added when debugging was
+active, such that minor version where also checked. Unfortunately,
+this used the ifdef NVM_DEBUG, which is not correct.
+
+Instead use the proper DEBUG def, and now that it compiles, also fix
+the variable.
+
+Signed-off-by: Matias Bjørling <mb@lightnvm.io>
+Fixes: d0ab0b1ab991f ("lightnvm: pblk: check data lines version on recovery")
+Reviewed-by: Javier González <javier@cnexlabs.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/lightnvm/pblk-recovery.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/lightnvm/pblk-recovery.c
++++ b/drivers/lightnvm/pblk-recovery.c
+@@ -742,9 +742,10 @@ static int pblk_recov_check_line_version
+ return 1;
+ }
+
+-#ifdef NVM_DEBUG
++#ifdef CONFIG_NVM_PBLK_DEBUG
+ if (header->version_minor > EMETA_VERSION_MINOR)
+- pr_info("pblk: newer line minor version found: %d\n", line_v);
++ pr_info("pblk: newer line minor version found: %d\n",
++ header->version_minor);
+ #endif
+
+ return 0;
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Rick Farrington <ricardo.farrington@cavium.com>
+Date: Fri, 13 Jul 2018 12:50:21 -0700
+Subject: liquidio: fix hang when re-binding VF host drv after running DPDK VF driver
+
+From: Rick Farrington <ricardo.farrington@cavium.com>
+
+[ Upstream commit ac13d6d8eaded15c67265eafc32f439ea3a0ac4a ]
+
+When configuring SLI_PKTn_OUTPUT_CONTROL, VF driver was assuming that IPTR
+mode was disabled by reset, which was not true. Since DPDK driver had
+set IPTR mode previously, the VF driver (which uses buf-ptr-only mode) was
+not properly handling DROQ packets (i.e. it saw zero-length packets).
+
+This represented an invalid hardware configuration which the driver could
+not handle.
+
+Signed-off-by: Rick Farrington <ricardo.farrington@cavium.com>
+Signed-off-by: Felix Manlunas <felix.manlunas@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c | 3 +++
+ drivers/net/ethernet/cavium/liquidio/cn23xx_vf_device.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
++++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
+@@ -493,6 +493,9 @@ static void cn23xx_pf_setup_global_outpu
+ for (q_no = srn; q_no < ern; q_no++) {
+ reg_val = octeon_read_csr(oct, CN23XX_SLI_OQ_PKT_CONTROL(q_no));
+
++ /* clear IPTR */
++ reg_val &= ~CN23XX_PKT_OUTPUT_CTL_IPTR;
++
+ /* set DPTR */
+ reg_val |= CN23XX_PKT_OUTPUT_CTL_DPTR;
+
+--- a/drivers/net/ethernet/cavium/liquidio/cn23xx_vf_device.c
++++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_vf_device.c
+@@ -165,6 +165,9 @@ static void cn23xx_vf_setup_global_outpu
+ reg_val =
+ octeon_read_csr(oct, CN23XX_VF_SLI_OQ_PKT_CONTROL(q_no));
+
++ /* clear IPTR */
++ reg_val &= ~CN23XX_PKT_OUTPUT_CTL_IPTR;
++
+ /* set DPTR */
+ reg_val |= CN23XX_PKT_OUTPUT_CTL_DPTR;
+
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Peter Rosin <peda@axentia.se>
+Date: Wed, 20 Jun 2018 07:18:02 +0200
+Subject: mfd: 88pm860x-i2c: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
+
+From: Peter Rosin <peda@axentia.se>
+
+[ Upstream commit 8c8f74f327a76604a499fad8c54c15e1c0ee8051 ]
+
+Locking the root adapter for __i2c_transfer will deadlock if the
+device sits behind a mux-locked I2C mux. Switch to the finer-grained
+i2c_lock_bus with the I2C_LOCK_SEGMENT flag. If the device does not
+sit behind a mux-locked mux, the two locking variants are equivalent.
+
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Acked-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/88pm860x-i2c.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/mfd/88pm860x-i2c.c
++++ b/drivers/mfd/88pm860x-i2c.c
+@@ -146,14 +146,14 @@ int pm860x_page_reg_write(struct i2c_cli
+ unsigned char zero;
+ int ret;
+
+- i2c_lock_adapter(i2c->adapter);
++ i2c_lock_bus(i2c->adapter, I2C_LOCK_SEGMENT);
+ read_device(i2c, 0xFA, 0, &zero);
+ read_device(i2c, 0xFB, 0, &zero);
+ read_device(i2c, 0xFF, 0, &zero);
+ ret = write_device(i2c, reg, 1, &data);
+ read_device(i2c, 0xFE, 0, &zero);
+ read_device(i2c, 0xFC, 0, &zero);
+- i2c_unlock_adapter(i2c->adapter);
++ i2c_unlock_bus(i2c->adapter, I2C_LOCK_SEGMENT);
+ return ret;
+ }
+ EXPORT_SYMBOL(pm860x_page_reg_write);
+@@ -164,14 +164,14 @@ int pm860x_page_bulk_read(struct i2c_cli
+ unsigned char zero = 0;
+ int ret;
+
+- i2c_lock_adapter(i2c->adapter);
++ i2c_lock_bus(i2c->adapter, I2C_LOCK_SEGMENT);
+ read_device(i2c, 0xfa, 0, &zero);
+ read_device(i2c, 0xfb, 0, &zero);
+ read_device(i2c, 0xff, 0, &zero);
+ ret = read_device(i2c, reg, count, buf);
+ read_device(i2c, 0xFE, 0, &zero);
+ read_device(i2c, 0xFC, 0, &zero);
+- i2c_unlock_adapter(i2c->adapter);
++ i2c_unlock_bus(i2c->adapter, I2C_LOCK_SEGMENT);
+ return ret;
+ }
+ EXPORT_SYMBOL(pm860x_page_bulk_read);
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Paul Burton <paul.burton@mips.com>
+Date: Mon, 16 Jul 2018 08:26:36 -0700
+Subject: MIPS: loongson64: cs5536: Fix PCI_OHCI_INT_REG reads
+
+From: Paul Burton <paul.burton@mips.com>
+
+[ Upstream commit cd87668d601f622e0ebcfea4f78d116d5f572f4d ]
+
+The PCI_OHCI_INT_REG case in pci_ohci_read_reg() contains the following
+if statement:
+
+ if ((lo & 0x00000f00) == CS5536_USB_INTR)
+
+CS5536_USB_INTR expands to the constant 11, which gives us the following
+condition which can never evaluate true:
+
+ if ((lo & 0xf00) == 11)
+
+At least when using GCC 8.1.0 this falls foul of the tautoligcal-compare
+warning, and since the code is built with the -Werror flag the build
+fails.
+
+Fix this by shifting lo right by 8 bits in order to match the
+corresponding PCI_OHCI_INT_REG case in pci_ohci_write_reg().
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/19861/
+Cc: Huacai Chen <chenhc@lemote.com>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/loongson64/common/cs5536/cs5536_ohci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/loongson64/common/cs5536/cs5536_ohci.c
++++ b/arch/mips/loongson64/common/cs5536/cs5536_ohci.c
+@@ -138,7 +138,7 @@ u32 pci_ohci_read_reg(int reg)
+ break;
+ case PCI_OHCI_INT_REG:
+ _rdmsr(DIVIL_MSR_REG(PIC_YSEL_LOW), &hi, &lo);
+- if ((lo & 0x00000f00) == CS5536_USB_INTR)
++ if (((lo >> PIC_YSEL_LOW_USB_SHIFT) & 0xf) == CS5536_USB_INTR)
+ conf_data = 1;
+ break;
+ default:
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Stefan Agner <stefan@agner.ch>
+Date: Thu, 5 Jul 2018 14:18:19 +0200
+Subject: mmc: sdhci: do not try to use 3.3V signaling if not supported
+
+From: Stefan Agner <stefan@agner.ch>
+
+[ Upstream commit 1b5190c2e74c47ebe4bcecf7a072358ad9f1feaa ]
+
+For eMMC devices it is valid to only support 1.8V signaling. When
+vqmmc is set to a fixed 1.8V regulator the stack tries to set 3.3V
+initially and prints the following warning:
+ mmc1: Switching to 3.3V signalling voltage failed
+
+Clear the MMC_SIGNAL_VOLTAGE_330 flag in case 3.3V is signaling is
+not available. This prevents the stack from even trying to use
+3.3V signaling and avoids the above warning.
+
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -3734,14 +3734,21 @@ int sdhci_setup_host(struct sdhci_host *
+ mmc_gpio_get_cd(host->mmc) < 0)
+ mmc->caps |= MMC_CAP_NEEDS_POLL;
+
+- /* If vqmmc regulator and no 1.8V signalling, then there's no UHS */
+ if (!IS_ERR(mmc->supply.vqmmc)) {
+ ret = regulator_enable(mmc->supply.vqmmc);
++
++ /* If vqmmc provides no 1.8V signalling, then there's no UHS */
+ if (!regulator_is_supported_voltage(mmc->supply.vqmmc, 1700000,
+ 1950000))
+ host->caps1 &= ~(SDHCI_SUPPORT_SDR104 |
+ SDHCI_SUPPORT_SDR50 |
+ SDHCI_SUPPORT_DDR50);
++
++ /* In eMMC case vqmmc might be a fixed 1.8V regulator */
++ if (!regulator_is_supported_voltage(mmc->supply.vqmmc, 2700000,
++ 3600000))
++ host->flags &= ~SDHCI_SIGNALING_330;
++
+ if (ret) {
+ pr_warn("%s: Failed to enable vqmmc regulator: %d\n",
+ mmc_hostname(mmc), ret);
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+Date: Wed, 4 Jul 2018 14:34:20 +0300
+Subject: mmc: sdhci-of-esdhc: set proper dma mask for ls104x chips
+
+From: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+
+[ Upstream commit 5552d7ad596c3fea953f40fef74170ce0760c04d ]
+
+SDHCI controller in ls1043a and ls1046a generate 40-bit wide addresses
+when doing DMA. Make sure that the corresponding dma mask is correctly
+configured.
+
+Context: when enabling smmu on these chips the following problem is
+encountered: the smmu input address size is 48 bits so the dma mappings
+for sdhci end up 48-bit wide. However, on these chips sdhci only use
+40-bits of that address size when doing dma.
+So you end up with a 48-bit address translation in smmu but the device
+generates transactions with clipped 40-bit addresses, thus smmu context
+faults are triggered. Setting up the correct dma mask fixes this
+situation.
+
+Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-of-esdhc.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -22,6 +22,7 @@
+ #include <linux/sys_soc.h>
+ #include <linux/clk.h>
+ #include <linux/ktime.h>
++#include <linux/dma-mapping.h>
+ #include <linux/mmc/host.h>
+ #include "sdhci-pltfm.h"
+ #include "sdhci-esdhc.h"
+@@ -427,6 +428,11 @@ static void esdhc_of_adma_workaround(str
+ static int esdhc_of_enable_dma(struct sdhci_host *host)
+ {
+ u32 value;
++ struct device *dev = mmc_dev(host->mmc);
++
++ if (of_device_is_compatible(dev->of_node, "fsl,ls1043a-esdhc") ||
++ of_device_is_compatible(dev->of_node, "fsl,ls1046a-esdhc"))
++ dma_set_mask_and_coherent(dev, DMA_BIT_MASK(40));
+
+ value = sdhci_readl(host, ESDHC_DMA_SYSCTL);
+ value |= ESDHC_DMA_SNOOP;
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Stefan Agner <stefan@agner.ch>
+Date: Thu, 12 Jul 2018 09:39:02 +0200
+Subject: mmc: tegra: prevent HS200 on Tegra 3
+
+From: Stefan Agner <stefan@agner.ch>
+
+[ Upstream commit 127407e36f4fe3a1d5e8b9998b479956ce83a7dc ]
+
+The stack assumes that SDHC controller which support SD3.0 (SDR104) do
+support HS200. This is not the case for Tegra 3, which does support SD
+3.0
+but only supports eMMC spec 4.41.
+
+Use SDHCI_QUIRK2_BROKEN_HS200 to indicate that the controller does not
+support HS200.
+
+Note that commit 156e14b126ff ("mmc: sdhci: fix caps2 for HS200") added
+the tie between SD3.0 (SDR104) and HS200. I don't think that this is
+necessarly true. It is fully legitimate to support SD3.0 and not support
+HS200. The quirk naming suggests something is broken in the controller,
+but this is not the case: The controller simply does not support HS200.
+
+Fixes: 7ad2ed1dfcbe ("mmc: tegra: enable UHS-I modes")
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Tested-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-tegra.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-tegra.c
++++ b/drivers/mmc/host/sdhci-tegra.c
+@@ -334,7 +334,8 @@ static const struct sdhci_pltfm_data sdh
+ SDHCI_QUIRK_NO_HISPD_BIT |
+ SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC |
+ SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN,
+- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN,
++ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN |
++ SDHCI_QUIRK2_BROKEN_HS200,
+ .ops = &tegra_sdhci_ops,
+ };
+
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Jann Horn <jannh@google.com>
+Date: Sat, 7 Jul 2018 05:37:22 +0200
+Subject: mtdchar: fix overflows in adjustment of `count`
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 6c6bc9ea84d0008024606bf5ba10519e20d851bf ]
+
+The first checks in mtdchar_read() and mtdchar_write() attempt to limit
+`count` such that `*ppos + count <= mtd->size`. However, they ignore the
+possibility of `*ppos > mtd->size`, allowing the calculation of `count` to
+wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the
+pread/pwrite syscalls bypass this.
+
+I haven't found any codepath on which this actually causes dangerous
+behavior, but it seems like a sensible change anyway.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/mtdchar.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/mtdchar.c
++++ b/drivers/mtd/mtdchar.c
+@@ -160,8 +160,12 @@ static ssize_t mtdchar_read(struct file
+
+ pr_debug("MTD_read\n");
+
+- if (*ppos + count > mtd->size)
+- count = mtd->size - *ppos;
++ if (*ppos + count > mtd->size) {
++ if (*ppos < mtd->size)
++ count = mtd->size - *ppos;
++ else
++ count = 0;
++ }
+
+ if (!count)
+ return 0;
+@@ -246,7 +250,7 @@ static ssize_t mtdchar_write(struct file
+
+ pr_debug("MTD_write\n");
+
+- if (*ppos == mtd->size)
++ if (*ppos >= mtd->size)
+ return -ENOSPC;
+
+ if (*ppos + count > mtd->size)
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Wed, 11 Jul 2018 21:32:43 +0200
+Subject: net: gemini: Allow multiple ports to instantiate
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 60cc7767b901dd1e3f70755c3d2505556ba487c2 ]
+
+The code was not tested with two ports actually in use at
+the same time. (I blame this on lack of actual hardware using
+that feature.) Now after locating a system using both ports,
+add necessary fix to make both ports come up.
+
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cortina/gemini.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cortina/gemini.c
++++ b/drivers/net/ethernet/cortina/gemini.c
+@@ -1753,7 +1753,10 @@ static int gmac_open(struct net_device *
+ phy_start(netdev->phydev);
+
+ err = geth_resize_freeq(port);
+- if (err) {
++ /* It's fine if it's just busy, the other port has set up
++ * the freeq in that case.
++ */
++ if (err && (err != -EBUSY)) {
+ netdev_err(netdev, "could not resize freeq\n");
+ goto err_stop_phy;
+ }
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Yunsheng Lin <linyunsheng@huawei.com>
+Date: Mon, 16 Jul 2018 16:36:25 +0100
+Subject: net: hns3: Fix for reset_level default assignment probelm
+
+From: Yunsheng Lin <linyunsheng@huawei.com>
+
+[ Upstream commit 82b5321460005ac5d34996e17f5a51a4004a1e14 ]
+
+handle->reset_level is assigned to HNAE3_NONE_RESET when client is
+initialized, if a tx timeout happens right after initialization,
+then handle->reset_level is not resetted to HNAE3_FUNC_RESET in
+hclge_reset_event, which will cause reset event not properly
+handled problem.
+
+This patch fixes it by setting handle->reset_level properly when
+client is initialized.
+
+Fixes: 6d4c3981a8d8 ("net: hns3: Changes to make enet watchdog timeout func common for PF/VF")
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Salil Mehta <salil.mehta@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -3081,7 +3081,6 @@ static int hns3_client_init(struct hnae3
+ priv->dev = &pdev->dev;
+ priv->netdev = netdev;
+ priv->ae_handle = handle;
+- priv->ae_handle->reset_level = HNAE3_NONE_RESET;
+ priv->ae_handle->last_reset_time = jiffies;
+ priv->tx_timeout_count = 0;
+
+@@ -3102,6 +3101,11 @@ static int hns3_client_init(struct hnae3
+ /* Carrier off reporting is important to ethtool even BEFORE open */
+ netif_carrier_off(netdev);
+
++ if (handle->flags & HNAE3_SUPPORT_VF)
++ handle->reset_level = HNAE3_VF_RESET;
++ else
++ handle->reset_level = HNAE3_FUNC_RESET;
++
+ ret = hns3_get_ring_config(priv);
+ if (ret) {
+ ret = -ENOMEM;
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Huazhong Tan <tanhuazhong@huawei.com>
+Date: Mon, 16 Jul 2018 16:36:23 +0100
+Subject: net: hns3: Fix return value error in hns3_reset_notify_down_enet
+
+From: Huazhong Tan <tanhuazhong@huawei.com>
+
+[ Upstream commit 6b1385cc251ae9f26b720fa5c8c00bf19af336ae ]
+
+When doing reset, netdev has not been brought up is not an error,
+it means that we do not need do the stop operation, so just return
+zero.
+
+Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Salil Mehta <salil.mehta@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -3422,7 +3422,7 @@ static int hns3_reset_notify_down_enet(s
+ struct net_device *ndev = kinfo->netdev;
+
+ if (!netif_running(ndev))
+- return -EIO;
++ return 0;
+
+ return hns3_nic_net_stop(ndev);
+ }
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Huazhong Tan <tanhuazhong@huawei.com>
+Date: Mon, 16 Jul 2018 16:36:20 +0100
+Subject: net: hns3: Reset net device with rtnl_lock
+
+From: Huazhong Tan <tanhuazhong@huawei.com>
+
+[ Upstream commit 6d4fab39533f1bcd933d82d1667ceea93e4de260 ]
+
+Since current locking was not covering certain code where
+netdev was being accessed or manipulated, this patch fixes
+it.
+
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Salil Mehta <salil.mehta@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -2825,15 +2825,13 @@ static void hclge_clear_reset_cause(stru
+ static void hclge_reset(struct hclge_dev *hdev)
+ {
+ /* perform reset of the stack & ae device for a client */
+-
++ rtnl_lock();
+ hclge_notify_client(hdev, HNAE3_DOWN_CLIENT);
+
+ if (!hclge_reset_wait(hdev)) {
+- rtnl_lock();
+ hclge_notify_client(hdev, HNAE3_UNINIT_CLIENT);
+ hclge_reset_ae_dev(hdev->ae_dev);
+ hclge_notify_client(hdev, HNAE3_INIT_CLIENT);
+- rtnl_unlock();
+
+ hclge_clear_reset_cause(hdev);
+ } else {
+@@ -2843,6 +2841,7 @@ static void hclge_reset(struct hclge_dev
+ }
+
+ hclge_notify_client(hdev, HNAE3_UP_CLIENT);
++ rtnl_unlock();
+ }
+
+ static void hclge_reset_event(struct hnae3_handle *handle)
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Noa Osherovich <noaos@mellanox.com>
+Date: Mon, 16 Jul 2018 18:35:34 -0700
+Subject: net/mlx5: Add missing SET_DRIVER_VERSION command translation
+
+From: Noa Osherovich <noaos@mellanox.com>
+
+[ Upstream commit 0f4039104ee61e14ac4771a2181c2a20572f4ec9 ]
+
+When translating command opcodes to a string, SET_DRIVER_VERSION
+command was missing.
+
+Fixes: 42ca502e179d0 ('net/mlx5_core: Use a macro in mlx5_command_str()')
+Signed-off-by: Noa Osherovich <noaos@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -452,6 +452,7 @@ const char *mlx5_command_str(int command
+ MLX5_COMMAND_STR_CASE(SET_HCA_CAP);
+ MLX5_COMMAND_STR_CASE(QUERY_ISSI);
+ MLX5_COMMAND_STR_CASE(SET_ISSI);
++ MLX5_COMMAND_STR_CASE(SET_DRIVER_VERSION);
+ MLX5_COMMAND_STR_CASE(CREATE_MKEY);
+ MLX5_COMMAND_STR_CASE(QUERY_MKEY);
+ MLX5_COMMAND_STR_CASE(DESTROY_MKEY);
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Date: Thu, 12 Jul 2018 13:54:12 +0200
+Subject: net: mvpp2: make sure we use single queue mode on PPv2.1
+
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+
+[ Upstream commit 1e27a628e3f444f53ab8099dfb31c5156e38d112 ]
+
+The PPv2 driver defines 2 "queue_modes" :
+ - QDIST_SINGLE_MODE, where each port share one rx queue vector
+ between all CPUs
+ - QDIST_MULTI_MODE, where each port has one rx queue vector per CPU.
+
+Multi queue mode isn't available on PPv2.1, make sure we fallback to
+single mode when running on this revision.
+
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5011,6 +5011,12 @@ static int mvpp2_probe(struct platform_d
+ (unsigned long)of_device_get_match_data(&pdev->dev);
+ }
+
++ /* multi queue mode isn't supported on PPV2.1, fallback to single
++ * mode
++ */
++ if (priv->hw_version == MVPP21)
++ queue_mode = MVPP2_QDIST_SINGLE_MODE;
++
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ base = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(base))
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+Date: Thu, 12 Jul 2018 22:29:55 +0100
+Subject: parport: sunbpp: fix error return code
+
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+
+[ Upstream commit faa1a47388b33623e4d504c23569188907b039a0 ]
+
+Return an error code on failure. Change leading spaces to tab on the
+first if.
+
+Problem found using Coccinelle.
+
+Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/parport/parport_sunbpp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/parport/parport_sunbpp.c
++++ b/drivers/parport/parport_sunbpp.c
+@@ -286,12 +286,16 @@ static int bpp_probe(struct platform_dev
+
+ ops = kmemdup(&parport_sunbpp_ops, sizeof(struct parport_operations),
+ GFP_KERNEL);
+- if (!ops)
++ if (!ops) {
++ err = -ENOMEM;
+ goto out_unmap;
++ }
+
+ dprintk(("register_port\n"));
+- if (!(p = parport_register_port((unsigned long)base, irq, dma, ops)))
++ if (!(p = parport_register_port((unsigned long)base, irq, dma, ops))) {
++ err = -ENOMEM;
+ goto out_free_ops;
++ }
+
+ p->size = size;
+ p->dev = &op->dev;
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Douglas Anderson <dianders@chromium.org>
+Date: Mon, 2 Jul 2018 15:59:38 -0700
+Subject: pinctrl: msm: Fix msm_config_group_get() to be compliant
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 05e0c828955c1cab58dd71a04539442e5375d917 ]
+
+If you do this on an sdm845 board:
+ cat /sys/kernel/debug/pinctrl/3400000.pinctrl/pinconf-groups
+
+...it looks like nonsense. For every pin you see listed:
+ input bias bus hold, input bias disabled, input bias pull down, input bias pull up
+
+That's because msm_config_group_get() isn't complying with the rules
+that pinconf_generic_dump_one() expects. Specifically for boolean
+parameters (anything with a "struct pin_config_item" where has_arg is
+false) the function expects that the function should return its value
+not through the "config" parameter but should return "0" if the value
+is set and "-EINVAL" if the value isn't set.
+
+Let's fix this.
+
+>From a quick sample of other pinctrl drivers, it appears to be
+tradition to also return 1 through the config parameter for these
+boolean parameters when they exist. I'm not one to knock tradition,
+so I'll follow tradition and return 1 in these cases. While I'm at
+it, I'll also continue searching for four leaf clovers, kocking on
+wood three times, and trying not to break mirrors.
+
+Fixes: f365be092572 ("pinctrl: Add Qualcomm TLMM driver")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/qcom/pinctrl-msm.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/qcom/pinctrl-msm.c
++++ b/drivers/pinctrl/qcom/pinctrl-msm.c
+@@ -250,22 +250,30 @@ static int msm_config_group_get(struct p
+ /* Convert register value to pinconf value */
+ switch (param) {
+ case PIN_CONFIG_BIAS_DISABLE:
+- arg = arg == MSM_NO_PULL;
++ if (arg != MSM_NO_PULL)
++ return -EINVAL;
++ arg = 1;
+ break;
+ case PIN_CONFIG_BIAS_PULL_DOWN:
+- arg = arg == MSM_PULL_DOWN;
++ if (arg != MSM_PULL_DOWN)
++ return -EINVAL;
++ arg = 1;
+ break;
+ case PIN_CONFIG_BIAS_BUS_HOLD:
+ if (pctrl->soc->pull_no_keeper)
+ return -ENOTSUPP;
+
+- arg = arg == MSM_KEEPER;
++ if (arg != MSM_KEEPER)
++ return -EINVAL;
++ arg = 1;
+ break;
+ case PIN_CONFIG_BIAS_PULL_UP:
+ if (pctrl->soc->pull_no_keeper)
+ arg = arg == MSM_PULL_UP_NO_KEEPER;
+ else
+ arg = arg == MSM_PULL_UP;
++ if (!arg)
++ return -EINVAL;
+ break;
+ case PIN_CONFIG_DRIVE_STRENGTH:
+ arg = msm_regval_to_drive(arg);
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Sean Wang <sean.wang@mediatek.com>
+Date: Thu, 12 Jul 2018 13:50:00 +0800
+Subject: pinctrl: mt7622: Fix probe fail by misuse the selector
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit 238262af08a20e5f1932fcf606b8b84370ac8b77 ]
+
+After the commit acf137951367 ("pinctrl: core: Return selector to the
+pinctrl driver") and the commit 47f1242d19c3 ("pinctrl: pinmux: Return
+selector to the pinctrl driver"), it's necessary to add the fixes
+needed for the pin controller drivers to use the appropriate returned
+selector for a negative error number returned in case of the fail at
+these functions. Otherwise, the driver would have a failed probe and
+that causes boot message cannot correctly output and devices fail
+to acquire their own pins.
+
+Cc: Kevin Hilman <khilman@baylibre.com>
+Fixes: acf137951367 ("pinctrl: core: Return selector to the pinctrl driver")
+Fixes: 47f1242d19c3 ("pinctrl: pinmux: Return selector to the pinctrl driver")
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/mediatek/pinctrl-mt7622.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/mediatek/pinctrl-mt7622.c
++++ b/drivers/pinctrl/mediatek/pinctrl-mt7622.c
+@@ -1537,7 +1537,7 @@ static int mtk_build_groups(struct mtk_p
+ err = pinctrl_generic_add_group(hw->pctrl, group->name,
+ group->pins, group->num_pins,
+ group->data);
+- if (err) {
++ if (err < 0) {
+ dev_err(hw->dev, "Failed to register group %s\n",
+ group->name);
+ return err;
+@@ -1558,7 +1558,7 @@ static int mtk_build_functions(struct mt
+ func->group_names,
+ func->num_group_names,
+ func->data);
+- if (err) {
++ if (err < 0) {
+ dev_err(hw->dev, "Failed to register function %s\n",
+ func->name);
+ return err;
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Tony Lindgren <tony@atomide.com>
+Date: Thu, 5 Jul 2018 02:10:15 -0700
+Subject: pinctrl: pinmux: Return selector to the pinctrl driver
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit f913cfce4ee49a3382a9ff95696f49a46e56e974 ]
+
+We must return the selector from pinmux_generic_add_function() so
+pin controller device drivers can remove the right group if needed
+for deferred probe for example. And we now must make sure that a
+proper name is passed so we can use it to check if the entry already
+exists.
+
+Note that fixes are also needed for the pin controller drivers to
+use the selector value.
+
+Fixes: a76edc89b100 ("pinctrl: core: Add generic pinctrl functions for
+managing groups")
+Reported-by: H. Nikolaus Schaller <hns@goldelico.com>
+Cc: Christ van Willegen <cvwillegen@gmail.com>
+Cc: Haojian Zhuang <haojian.zhuang@linaro.org>
+Cc: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Cc: Paul Cercueil <paul@crapouillou.net>
+Cc: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Tested-By: H. Nikolaus Schaller <hns@goldelico.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinmux.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/pinctrl/pinmux.c
++++ b/drivers/pinctrl/pinmux.c
+@@ -308,7 +308,6 @@ static int pinmux_func_name_to_selector(
+ selector++;
+ }
+
+- dev_err(pctldev->dev, "function '%s' not supported\n", function);
+ return -EINVAL;
+ }
+
+@@ -775,6 +774,16 @@ int pinmux_generic_add_function(struct p
+ void *data)
+ {
+ struct function_desc *function;
++ int selector;
++
++ if (!name)
++ return -EINVAL;
++
++ selector = pinmux_func_name_to_selector(pctldev, name);
++ if (selector >= 0)
++ return selector;
++
++ selector = pctldev->num_functions;
+
+ function = devm_kzalloc(pctldev->dev, sizeof(*function), GFP_KERNEL);
+ if (!function)
+@@ -785,12 +794,11 @@ int pinmux_generic_add_function(struct p
+ function->num_group_names = num_groups;
+ function->data = data;
+
+- radix_tree_insert(&pctldev->pin_function_tree, pctldev->num_functions,
+- function);
++ radix_tree_insert(&pctldev->pin_function_tree, selector, function);
+
+ pctldev->num_functions++;
+
+- return 0;
++ return selector;
+ }
+ EXPORT_SYMBOL_GPL(pinmux_generic_add_function);
+
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Douglas Anderson <dianders@chromium.org>
+Date: Mon, 2 Jul 2018 15:59:39 -0700
+Subject: pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 1cf86bc21257a330e3af51f2a4e885f1a705f6a5 ]
+
+If you do this on an sdm845 board:
+ grep "" /sys/kernel/debug/pinctrl/*spmi:pmic*/pinconf-groups
+
+...it looks like nonsense. For every pin you see listed:
+ input bias disabled, input bias high impedance, input bias pull down, input bias pull up, ...
+
+That's because pmic_gpio_config_get() isn't complying with the rules
+that pinconf_generic_dump_one() expects. Specifically for boolean
+parameters (anything with a "struct pin_config_item" where has_arg is
+false) the function expects that the function should return its value
+not through the "config" parameter but should return "0" if the value
+is set and "-EINVAL" if the value isn't set.
+
+Let's fix this.
+
+>From a quick sample of other pinctrl drivers, it appears to be
+tradition to also return 1 through the config parameter for these
+boolean parameters when they exist. I'm not one to knock tradition,
+so I'll follow tradition and return 1 in these cases. While I'm at
+it, I'll also continue searching for four leaf clovers, kocking on
+wood three times, and trying not to break mirrors.
+
+NOTE: This also fixes an apparent typo for reading
+PIN_CONFIG_BIAS_DISABLE where the old driver was accidentally
+using "=" instead of "==" and thus was setting some internal
+state when you tried to query PIN_CONFIG_BIAS_DISABLE. Oops.
+
+Fixes: eadff3024472 ("pinctrl: Qualcomm SPMI PMIC GPIO pin controller driver")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/qcom/pinctrl-spmi-gpio.c | 32 +++++++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 8 deletions(-)
+
+--- a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
++++ b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
+@@ -390,31 +390,47 @@ static int pmic_gpio_config_get(struct p
+
+ switch (param) {
+ case PIN_CONFIG_DRIVE_PUSH_PULL:
+- arg = pad->buffer_type == PMIC_GPIO_OUT_BUF_CMOS;
++ if (pad->buffer_type != PMIC_GPIO_OUT_BUF_CMOS)
++ return -EINVAL;
++ arg = 1;
+ break;
+ case PIN_CONFIG_DRIVE_OPEN_DRAIN:
+- arg = pad->buffer_type == PMIC_GPIO_OUT_BUF_OPEN_DRAIN_NMOS;
++ if (pad->buffer_type != PMIC_GPIO_OUT_BUF_OPEN_DRAIN_NMOS)
++ return -EINVAL;
++ arg = 1;
+ break;
+ case PIN_CONFIG_DRIVE_OPEN_SOURCE:
+- arg = pad->buffer_type == PMIC_GPIO_OUT_BUF_OPEN_DRAIN_PMOS;
++ if (pad->buffer_type != PMIC_GPIO_OUT_BUF_OPEN_DRAIN_PMOS)
++ return -EINVAL;
++ arg = 1;
+ break;
+ case PIN_CONFIG_BIAS_PULL_DOWN:
+- arg = pad->pullup == PMIC_GPIO_PULL_DOWN;
++ if (pad->pullup != PMIC_GPIO_PULL_DOWN)
++ return -EINVAL;
++ arg = 1;
+ break;
+ case PIN_CONFIG_BIAS_DISABLE:
+- arg = pad->pullup = PMIC_GPIO_PULL_DISABLE;
++ if (pad->pullup != PMIC_GPIO_PULL_DISABLE)
++ return -EINVAL;
++ arg = 1;
+ break;
+ case PIN_CONFIG_BIAS_PULL_UP:
+- arg = pad->pullup == PMIC_GPIO_PULL_UP_30;
++ if (pad->pullup != PMIC_GPIO_PULL_UP_30)
++ return -EINVAL;
++ arg = 1;
+ break;
+ case PIN_CONFIG_BIAS_HIGH_IMPEDANCE:
+- arg = !pad->is_enabled;
++ if (pad->is_enabled)
++ return -EINVAL;
++ arg = 1;
+ break;
+ case PIN_CONFIG_POWER_SOURCE:
+ arg = pad->power_source;
+ break;
+ case PIN_CONFIG_INPUT_ENABLE:
+- arg = pad->input_enabled;
++ if (!pad->input_enabled)
++ return -EINVAL;
++ arg = 1;
+ break;
+ case PIN_CONFIG_OUTPUT:
+ arg = pad->out_value;
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Tony Lindgren <tony@atomide.com>
+Date: Thu, 5 Jul 2018 02:10:17 -0700
+Subject: pinctrl: rza1: Fix selector use for groups and functions
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit dc4003d260594aa300028c3c5d040c5719abd19b ]
+
+We must use a mutex around the generic_add functions and save the
+function and group selector in case we need to remove them. Otherwise
+the selector use will be racy for deferred probe at least.
+
+Fixes: 5a49b644b307 ("pinctrl: Renesas RZ/A1 pin and gpio controller")
+Reported-by: H. Nikolaus Schaller <hns@goldelico.com>
+Cc: Christ van Willegen <cvwillegen@gmail.com>
+Cc: Haojian Zhuang <haojian.zhuang@linaro.org>
+Cc: Paul Cercueil <paul@crapouillou.net>
+Cc: Sean Wang <sean.wang@mediatek.com>
+Acked-by: Jacopo Mondi <jacopo@jmondi.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Tested-By: H. Nikolaus Schaller <hns@goldelico.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-rza1.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-rza1.c
++++ b/drivers/pinctrl/pinctrl-rza1.c
+@@ -1006,6 +1006,7 @@ static int rza1_dt_node_to_map(struct pi
+ const char *grpname;
+ const char **fngrps;
+ int ret, npins;
++ int gsel, fsel;
+
+ npins = rza1_dt_node_pin_count(np);
+ if (npins < 0) {
+@@ -1055,18 +1056,19 @@ static int rza1_dt_node_to_map(struct pi
+ fngrps[0] = grpname;
+
+ mutex_lock(&rza1_pctl->mutex);
+- ret = pinctrl_generic_add_group(pctldev, grpname, grpins, npins,
+- NULL);
+- if (ret) {
++ gsel = pinctrl_generic_add_group(pctldev, grpname, grpins, npins,
++ NULL);
++ if (gsel < 0) {
+ mutex_unlock(&rza1_pctl->mutex);
+- return ret;
++ return gsel;
+ }
+
+- ret = pinmux_generic_add_function(pctldev, grpname, fngrps, 1,
+- mux_confs);
+- if (ret)
++ fsel = pinmux_generic_add_function(pctldev, grpname, fngrps, 1,
++ mux_confs);
++ if (fsel < 0) {
++ ret = fsel;
+ goto remove_group;
+- mutex_unlock(&rza1_pctl->mutex);
++ }
+
+ dev_info(rza1_pctl->dev, "Parsed function and group %s with %d pins\n",
+ grpname, npins);
+@@ -1083,15 +1085,15 @@ static int rza1_dt_node_to_map(struct pi
+ (*map)->data.mux.group = np->name;
+ (*map)->data.mux.function = np->name;
+ *num_maps = 1;
++ mutex_unlock(&rza1_pctl->mutex);
+
+ return 0;
+
+ remove_function:
+- mutex_lock(&rza1_pctl->mutex);
+- pinmux_generic_remove_last_function(pctldev);
++ pinmux_generic_remove_function(pctldev, fsel);
+
+ remove_group:
+- pinctrl_generic_remove_last_group(pctldev);
++ pinctrl_generic_remove_group(pctldev, gsel);
+ mutex_unlock(&rza1_pctl->mutex);
+
+ dev_info(rza1_pctl->dev, "Unable to parse function and group %s\n",
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Fri, 30 Mar 2018 17:14:03 +0530
+Subject: PM / devfreq: use put_device() instead of kfree()
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+[ Upstream commit 2d803dc8f7a5f622ac47c3b650834ada3a2659b9 ]
+
+Never directly free @dev after calling device_register() or
+device_unregister(), even if device_register() returned an error.
+Always use put_device() to give up the reference initialized.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: MyungJoo Ham <myungjoo.ham@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/devfreq/devfreq.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -625,7 +625,8 @@ struct devfreq *devfreq_add_device(struc
+ err = device_register(&devfreq->dev);
+ if (err) {
+ mutex_unlock(&devfreq->lock);
+- goto err_dev;
++ put_device(&devfreq->dev);
++ goto err_out;
+ }
+
+ devfreq->trans_table =
+@@ -672,6 +673,7 @@ err_init:
+ mutex_unlock(&devfreq_list_lock);
+
+ device_unregister(&devfreq->dev);
++ devfreq = NULL;
+ err_dev:
+ if (devfreq)
+ kfree(devfreq);
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
+Date: Fri, 25 May 2018 19:23:09 -0700
+Subject: rcu: Fix grace-period hangs due to race with CPU offline
+
+From: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
+
+[ Upstream commit 1e64b15a4b102e1cd059d4d798b7a78f93341333 ]
+
+Without special fail-safe quiescent-state-propagation checks, grace-period
+hangs can result from the following scenario:
+
+1. CPU 1 goes offline.
+
+2. Because CPU 1 is the only CPU in the system blocking the current
+ grace period, the grace period ends as soon as
+ rcu_cleanup_dying_idle_cpu()'s call to rcu_report_qs_rnp()
+ returns.
+
+3. At this point, the leaf rcu_node structure's ->lock is no longer
+ held: rcu_report_qs_rnp() has released it, as it must in order
+ to awaken the RCU grace-period kthread.
+
+4. At this point, that same leaf rcu_node structure's ->qsmaskinitnext
+ field still records CPU 1 as being online. This is absolutely
+ necessary because the scheduler uses RCU (in this case on the
+ wake-up path while awakening RCU's grace-period kthread), and
+ ->qsmaskinitnext contains RCU's idea as to which CPUs are online.
+ Therefore, invoking rcu_report_qs_rnp() after clearing CPU 1's
+ bit from ->qsmaskinitnext would result in a lockdep-RCU splat
+ due to RCU being used from an offline CPU.
+
+5. RCU's grace-period kthread awakens, sees that the old grace period
+ has completed and that a new one is needed. It therefore starts
+ a new grace period, but because CPU 1's leaf rcu_node structure's
+ ->qsmaskinitnext field still shows CPU 1 as being online, this new
+ grace period is initialized to wait for a quiescent state from the
+ now-offline CPU 1.
+
+6. Without the fail-safe force-quiescent-state checks, there would
+ be no quiescent state from the now-offline CPU 1, which would
+ eventually result in RCU CPU stall warnings and memory exhaustion.
+
+It would be good to get rid of the special fail-safe quiescent-state
+propagation checks, and thus it would be good to fix things so that
+the above scenario cannot happen. This commit therefore adds a new
+->ofl_lock to the rcu_state structure. This lock is held by rcu_gp_init()
+across the applying of buffered online and offline operations to the
+rcu_node tree, and it is also held by rcu_cleanup_dying_idle_cpu()
+when buffering a new offline operation. This prevents rcu_gp_init()
+from acquiring the leaf rcu_node structure's lock during the interval
+between when rcu_cleanup_dying_idle_cpu() invokes rcu_report_qs_rnp(),
+which releases ->lock and the re-acquisition of that same lock.
+This in turn prevents the failure scenario outlined above, and will
+hopefully eventually allow removal of the offline-CPU checks from the
+force-quiescent-state code path.
+
+Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/rcu/tree.c | 6 ++++++
+ kernel/rcu/tree.h | 4 ++++
+ 2 files changed, 10 insertions(+)
+
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -102,6 +102,7 @@ struct rcu_state sname##_state = { \
+ .abbr = sabbr, \
+ .exp_mutex = __MUTEX_INITIALIZER(sname##_state.exp_mutex), \
+ .exp_wake_mutex = __MUTEX_INITIALIZER(sname##_state.exp_wake_mutex), \
++ .ofl_lock = __SPIN_LOCK_UNLOCKED(sname##_state.ofl_lock), \
+ }
+
+ RCU_STATE_INITIALIZER(rcu_sched, 's', call_rcu_sched);
+@@ -1925,11 +1926,13 @@ static bool rcu_gp_init(struct rcu_state
+ */
+ rcu_for_each_leaf_node(rsp, rnp) {
+ rcu_gp_slow(rsp, gp_preinit_delay);
++ spin_lock(&rsp->ofl_lock);
+ raw_spin_lock_irq_rcu_node(rnp);
+ if (rnp->qsmaskinit == rnp->qsmaskinitnext &&
+ !rnp->wait_blkd_tasks) {
+ /* Nothing to do on this leaf rcu_node structure. */
+ raw_spin_unlock_irq_rcu_node(rnp);
++ spin_unlock(&rsp->ofl_lock);
+ continue;
+ }
+
+@@ -1964,6 +1967,7 @@ static bool rcu_gp_init(struct rcu_state
+ }
+
+ raw_spin_unlock_irq_rcu_node(rnp);
++ spin_unlock(&rsp->ofl_lock);
+ }
+
+ /*
+@@ -3725,9 +3729,11 @@ static void rcu_cleanup_dying_idle_cpu(i
+
+ /* Remove outgoing CPU from mask in the leaf rcu_node structure. */
+ mask = rdp->grpmask;
++ spin_lock(&rsp->ofl_lock);
+ raw_spin_lock_irqsave_rcu_node(rnp, flags); /* Enforce GP memory-order guarantee. */
+ rnp->qsmaskinitnext &= ~mask;
+ raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
++ spin_unlock(&rsp->ofl_lock);
+ }
+
+ /*
+--- a/kernel/rcu/tree.h
++++ b/kernel/rcu/tree.h
+@@ -384,6 +384,10 @@ struct rcu_state {
+ const char *name; /* Name of structure. */
+ char abbr; /* Abbreviated name. */
+ struct list_head flavors; /* List of RCU flavors. */
++
++ spinlock_t ofl_lock ____cacheline_internodealigned_in_smp;
++ /* Synchronize offline with */
++ /* GP pre-initialization. */
+ };
+
+ /* Values for rcu_state structure's gp_flags field. */
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 18 Jun 2018 16:47:34 +0200
+Subject: rcutorture: Use monotonic timestamp for stall detection
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 622be33fcbc93e9b672b99ed338369eb5e843ac3 ]
+
+The get_seconds() call is deprecated because it overflows on 32-bit
+architectures. The algorithm in rcu_torture_stall() can deal with
+the overflow, but another problem here is that using a CLOCK_REALTIME
+stamp can lead to a false-positive stall warning when a settimeofday()
+happens concurrently.
+
+Using ktime_get_seconds() instead avoids those issues and will never
+overflow. The added cast to 'unsigned long' however is necessary to
+make ULONG_CMP_LT() work correctly.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/rcu/rcutorture.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/rcu/rcutorture.c
++++ b/kernel/rcu/rcutorture.c
+@@ -1446,7 +1446,7 @@ static int rcu_torture_stall(void *args)
+ VERBOSE_TOROUT_STRING("rcu_torture_stall end holdoff");
+ }
+ if (!kthread_should_stop()) {
+- stop_at = get_seconds() + stall_cpu;
++ stop_at = ktime_get_seconds() + stall_cpu;
+ /* RCU CPU stall is expected behavior in following code. */
+ rcu_read_lock();
+ if (stall_cpu_irqsoff)
+@@ -1455,7 +1455,8 @@ static int rcu_torture_stall(void *args)
+ preempt_disable();
+ pr_alert("rcu_torture_stall start on CPU %d.\n",
+ smp_processor_id());
+- while (ULONG_CMP_LT(get_seconds(), stop_at))
++ while (ULONG_CMP_LT((unsigned long)ktime_get_seconds(),
++ stop_at))
+ continue; /* Induce RCU CPU stall warning. */
+ if (stall_cpu_irqsoff)
+ local_irq_enable();
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Sibi Sankar <sibis@codeaurora.org>
+Date: Mon, 9 Jul 2018 20:42:20 +0530
+Subject: remoteproc: qcom: q6v5-pil: fix modem hang on SDM845 after axis2 clk unvote
+
+From: Sibi Sankar <sibis@codeaurora.org>
+
+[ Upstream commit 7cbb540a3a68e4d4a8bef2d9451afb1635b5d2d3 ]
+
+GCC_MSS_AXIS2 clock is used for disabling boot IMEM (a part of
+AP boot up). With Boot IMEM disable now a part TZ/ATF, AXIS2
+clock is no longer required post AP boot up and expected to
+remain untouched. However if the clock is turned ON after Q6
+is brought out of reset and later turned off, it results in
+modem hang. When Q6 attempts a power collapse the internal
+handshaking to check if AXIS2 is idle never goes through since
+it is turned off preventing the RSC from getting triggered,
+leaving modem in a funky state. Hence removing AXIS2 clk
+enable/disable from the driver.
+
+Reported-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sibi Sankar <sibis@codeaurora.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/qcom_q6v5_pil.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/remoteproc/qcom_q6v5_pil.c
++++ b/drivers/remoteproc/qcom_q6v5_pil.c
+@@ -1370,7 +1370,6 @@ static const struct rproc_hexagon_res sd
+ .hexagon_mba_image = "mba.mbn",
+ .proxy_clk_names = (char*[]){
+ "xo",
+- "axis2",
+ "prng",
+ NULL
+ },
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+Date: Tue, 12 Jun 2018 12:40:03 +0800
+Subject: rtc: bq4802: add error handling for devm_ioremap
+
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+
+[ Upstream commit 7874b919866ba91bac253fa219d3d4c82bb944df ]
+
+When devm_ioremap fails, the lack of error-handling code may
+cause unexpected results.
+
+This patch adds error-handling code after calling devm_ioremap.
+
+Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-bq4802.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/rtc/rtc-bq4802.c
++++ b/drivers/rtc/rtc-bq4802.c
+@@ -162,6 +162,10 @@ static int bq4802_probe(struct platform_
+ } else if (p->r->flags & IORESOURCE_MEM) {
+ p->regs = devm_ioremap(&pdev->dev, p->r->start,
+ resource_size(p->r));
++ if (!p->regs){
++ err = -ENOMEM;
++ goto out;
++ }
+ p->read = bq4802_read_mem;
+ p->write = bq4802_write_mem;
+ } else {
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Andrea Parri <andrea.parri@amarulasolutions.com>
+Date: Mon, 16 Jul 2018 11:06:01 -0700
+Subject: sched/core: Use smp_mb() in wake_woken_function()
+
+From: Andrea Parri <andrea.parri@amarulasolutions.com>
+
+[ Upstream commit 76e079fefc8f62bd9b2cd2950814d1ee806e31a5 ]
+
+wake_woken_function() synchronizes with wait_woken() as follows:
+
+ [wait_woken] [wake_woken_function]
+
+ entry->flags &= ~wq_flag_woken; condition = true;
+ smp_mb(); smp_wmb();
+ if (condition) wq_entry->flags |= wq_flag_woken;
+ break;
+
+This commit replaces the above smp_wmb() with an smp_mb() in order to
+guarantee that either wait_woken() sees the wait condition being true
+or the store to wq_entry->flags in woken_wake_function() follows the
+store in wait_woken() in the coherence order (so that the former can
+eventually be observed by wait_woken()).
+
+The commit also fixes a comment associated to set_current_state() in
+wait_woken(): the comment pairs the barrier in set_current_state() to
+the above smp_wmb(), while the actual pairing involves the barrier in
+set_current_state() and the barrier executed by the try_to_wake_up()
+in wake_woken_function().
+
+Signed-off-by: Andrea Parri <andrea.parri@amarulasolutions.com>
+Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: akiyks@gmail.com
+Cc: boqun.feng@gmail.com
+Cc: dhowells@redhat.com
+Cc: j.alglave@ucl.ac.uk
+Cc: linux-arch@vger.kernel.org
+Cc: luc.maranget@inria.fr
+Cc: npiggin@gmail.com
+Cc: parri.andrea@gmail.com
+Cc: stern@rowland.harvard.edu
+Cc: will.deacon@arm.com
+Link: http://lkml.kernel.org/r/20180716180605.16115-10-paulmck@linux.vnet.ibm.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/wait.c | 47 +++++++++++++++++++++--------------------------
+ 1 file changed, 21 insertions(+), 26 deletions(-)
+
+--- a/kernel/sched/wait.c
++++ b/kernel/sched/wait.c
+@@ -392,35 +392,36 @@ static inline bool is_kthread_should_sto
+ * if (condition)
+ * break;
+ *
+- * p->state = mode; condition = true;
+- * smp_mb(); // A smp_wmb(); // C
+- * if (!wq_entry->flags & WQ_FLAG_WOKEN) wq_entry->flags |= WQ_FLAG_WOKEN;
+- * schedule() try_to_wake_up();
+- * p->state = TASK_RUNNING; ~~~~~~~~~~~~~~~~~~
+- * wq_entry->flags &= ~WQ_FLAG_WOKEN; condition = true;
+- * smp_mb() // B smp_wmb(); // C
+- * wq_entry->flags |= WQ_FLAG_WOKEN;
+- * }
+- * remove_wait_queue(&wq_head, &wait);
++ * // in wait_woken() // in woken_wake_function()
+ *
++ * p->state = mode; wq_entry->flags |= WQ_FLAG_WOKEN;
++ * smp_mb(); // A try_to_wake_up():
++ * if (!(wq_entry->flags & WQ_FLAG_WOKEN)) <full barrier>
++ * schedule() if (p->state & mode)
++ * p->state = TASK_RUNNING; p->state = TASK_RUNNING;
++ * wq_entry->flags &= ~WQ_FLAG_WOKEN; ~~~~~~~~~~~~~~~~~~
++ * smp_mb(); // B condition = true;
++ * } smp_mb(); // C
++ * remove_wait_queue(&wq_head, &wait); wq_entry->flags |= WQ_FLAG_WOKEN;
+ */
+ long wait_woken(struct wait_queue_entry *wq_entry, unsigned mode, long timeout)
+ {
+- set_current_state(mode); /* A */
+ /*
+- * The above implies an smp_mb(), which matches with the smp_wmb() from
+- * woken_wake_function() such that if we observe WQ_FLAG_WOKEN we must
+- * also observe all state before the wakeup.
++ * The below executes an smp_mb(), which matches with the full barrier
++ * executed by the try_to_wake_up() in woken_wake_function() such that
++ * either we see the store to wq_entry->flags in woken_wake_function()
++ * or woken_wake_function() sees our store to current->state.
+ */
++ set_current_state(mode); /* A */
+ if (!(wq_entry->flags & WQ_FLAG_WOKEN) && !is_kthread_should_stop())
+ timeout = schedule_timeout(timeout);
+ __set_current_state(TASK_RUNNING);
+
+ /*
+- * The below implies an smp_mb(), it too pairs with the smp_wmb() from
+- * woken_wake_function() such that we must either observe the wait
+- * condition being true _OR_ WQ_FLAG_WOKEN such that we will not miss
+- * an event.
++ * The below executes an smp_mb(), which matches with the smp_mb() (C)
++ * in woken_wake_function() such that either we see the wait condition
++ * being true or the store to wq_entry->flags in woken_wake_function()
++ * follows ours in the coherence order.
+ */
+ smp_store_mb(wq_entry->flags, wq_entry->flags & ~WQ_FLAG_WOKEN); /* B */
+
+@@ -430,14 +431,8 @@ EXPORT_SYMBOL(wait_woken);
+
+ int woken_wake_function(struct wait_queue_entry *wq_entry, unsigned mode, int sync, void *key)
+ {
+- /*
+- * Although this function is called under waitqueue lock, LOCK
+- * doesn't imply write barrier and the users expects write
+- * barrier semantics on wakeup functions. The following
+- * smp_wmb() is equivalent to smp_wmb() in try_to_wake_up()
+- * and is paired with smp_store_mb() in wait_woken().
+- */
+- smp_wmb(); /* C */
++ /* Pairs with the smp_store_mb() in wait_woken(). */
++ smp_mb(); /* C */
+ wq_entry->flags |= WQ_FLAG_WOKEN;
+
+ return default_wake_function(wq_entry, mode, sync, key);
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Quentin Perret <quentin.perret@arm.com>
+Date: Tue, 12 Jun 2018 12:22:15 +0100
+Subject: sched/fair: Fix util_avg of new tasks for asymmetric systems
+
+From: Quentin Perret <quentin.perret@arm.com>
+
+[ Upstream commit 8fe5c5a937d0f4e84221631833a2718afde52285 ]
+
+When a new task wakes-up for the first time, its initial utilization
+is set to half of the spare capacity of its CPU. The current
+implementation of post_init_entity_util_avg() uses SCHED_CAPACITY_SCALE
+directly as a capacity reference. As a result, on a big.LITTLE system, a
+new task waking up on an idle little CPU will be given ~512 of util_avg,
+even if the CPU's capacity is significantly less than that.
+
+Fix this by computing the spare capacity with arch_scale_cpu_capacity().
+
+Signed-off-by: Quentin Perret <quentin.perret@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Vincent Guittot <vincent.guittot@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: dietmar.eggemann@arm.com
+Cc: morten.rasmussen@arm.com
+Cc: patrick.bellasi@arm.com
+Link: http://lkml.kernel.org/r/20180612112215.25448-1-quentin.perret@arm.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/fair.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -735,11 +735,12 @@ static void attach_entity_cfs_rq(struct
+ * To solve this problem, we also cap the util_avg of successive tasks to
+ * only 1/2 of the left utilization budget:
+ *
+- * util_avg_cap = (1024 - cfs_rq->avg.util_avg) / 2^n
++ * util_avg_cap = (cpu_scale - cfs_rq->avg.util_avg) / 2^n
+ *
+- * where n denotes the nth task.
++ * where n denotes the nth task and cpu_scale the CPU capacity.
+ *
+- * For example, a simplest series from the beginning would be like:
++ * For example, for a CPU with 1024 of capacity, a simplest series from
++ * the beginning would be like:
+ *
+ * task util_avg: 512, 256, 128, 64, 32, 16, 8, ...
+ * cfs_rq util_avg: 512, 768, 896, 960, 992, 1008, 1016, ...
+@@ -751,7 +752,8 @@ void post_init_entity_util_avg(struct sc
+ {
+ struct cfs_rq *cfs_rq = cfs_rq_of(se);
+ struct sched_avg *sa = &se->avg;
+- long cap = (long)(SCHED_CAPACITY_SCALE - cfs_rq->avg.util_avg) / 2;
++ long cpu_scale = arch_scale_cpu_capacity(NULL, cpu_of(rq_of(cfs_rq)));
++ long cap = (long)(cpu_scale - cfs_rq->avg.util_avg) / 2;
+
+ if (cap > 0) {
+ if (cfs_rq->avg.util_avg != 0) {
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Hannes Reinecke <hare@suse.de>
+Date: Wed, 4 Jul 2018 13:59:16 +0200
+Subject: scsi: libfc: fixup 'sleeping function called from invalid context'
+
+From: Hannes Reinecke <hare@suse.de>
+
+[ Upstream commit fa519f701d27198a2858bb108fc18ea9d8c106a7 ]
+
+fc_rport_login() will be calling mutex_lock() while running inside an
+RCU-protected section, triggering the warning 'sleeping function called
+from invalid context'. To fix this we can drop the rcu functions here
+altogether as the disc mutex protecting the list itself is already held,
+preventing any list manipulation.
+
+Fixes: a407c593398c ("scsi: libfc: Fixup disc_mutex handling")
+Signed-off-by: Hannes Reinecke <hare@suse.com>
+Acked-by: Johannes Thumshirn <jth@kernel.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/libfc/fc_disc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/libfc/fc_disc.c
++++ b/drivers/scsi/libfc/fc_disc.c
+@@ -294,9 +294,11 @@ static void fc_disc_done(struct fc_disc
+ * discovery, reverify or log them in. Otherwise, log them out.
+ * Skip ports which were never discovered. These are the dNS port
+ * and ports which were created by PLOGI.
++ *
++ * We don't need to use the _rcu variant here as the rport list
++ * is protected by the disc mutex which is already held on entry.
+ */
+- rcu_read_lock();
+- list_for_each_entry_rcu(rdata, &disc->rports, peers) {
++ list_for_each_entry(rdata, &disc->rports, peers) {
+ if (!kref_get_unless_zero(&rdata->kref))
+ continue;
+ if (rdata->disc_id) {
+@@ -307,7 +309,6 @@ static void fc_disc_done(struct fc_disc
+ }
+ kref_put(&rdata->kref, fc_rport_destroy);
+ }
+- rcu_read_unlock();
+ mutex_unlock(&disc->disc_mutex);
+ disc->disc_callback(lport, event);
+ mutex_lock(&disc->disc_mutex);
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 26 Jun 2018 08:24:28 -0700
+Subject: scsi: lpfc: Fix NVME Target crash in defer rcv logic
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 6871e8144f935a1f08e7fc6269c894861ce494aa ]
+
+Kernel occasionally crashed with the following
+ops on NVME Target:
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000058
+ IP: [<ffffffffa042ee50>] lpfc_nvmet_defer_rcv+0x50/0x70 [lpfc]
+
+Callback routine was called for deferred rcv when it should be treated as a
+normal rcv.
+
+Added code in callback routine to detect this condition and log a message,
+then bail.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_nvmet.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/lpfc/lpfc_nvmet.c
++++ b/drivers/scsi/lpfc/lpfc_nvmet.c
+@@ -402,6 +402,7 @@ lpfc_nvmet_ctxbuf_post(struct lpfc_hba *
+
+ /* Process FCP command */
+ if (rc == 0) {
++ ctxp->rqb_buffer = NULL;
+ atomic_inc(&tgtp->rcv_fcp_cmd_out);
+ nvmebuf->hrq->rqbp->rqb_free_buffer(phba, nvmebuf);
+ return;
+@@ -1116,8 +1117,17 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_tar
+ lpfc_nvmeio_data(phba, "NVMET DEFERRCV: xri x%x sz %d CPU %02x\n",
+ ctxp->oxid, ctxp->size, smp_processor_id());
+
++ if (!nvmebuf) {
++ lpfc_printf_log(phba, KERN_INFO, LOG_NVME_IOERR,
++ "6425 Defer rcv: no buffer xri x%x: "
++ "flg %x ste %x\n",
++ ctxp->oxid, ctxp->flag, ctxp->state);
++ return;
++ }
++
+ tgtp = phba->targetport->private;
+- atomic_inc(&tgtp->rcv_fcp_cmd_defer);
++ if (tgtp)
++ atomic_inc(&tgtp->rcv_fcp_cmd_defer);
+
+ /* Free the nvmebuf since a new buffer already replaced it */
+ nvmebuf->hrq->rqbp->rqb_free_buffer(phba, nvmebuf);
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 26 Jun 2018 08:24:24 -0700
+Subject: scsi: lpfc: Fix panic if driver unloaded when port is offline
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit d580c6137476ab307a66e278cf7dbc666230f714 ]
+
+System crashes when the lpfc module is unloaded after making the port
+offline
+
+The nvme queue pointers were freed during port offline, but were later
+accessed in pci remove path.
+
+Validate the pointers in pci remove path before accessing them.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_nvme.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/lpfc/lpfc_nvme.c
++++ b/drivers/scsi/lpfc/lpfc_nvme.c
+@@ -2976,7 +2976,7 @@ lpfc_nvme_wait_for_io_drain(struct lpfc_
+ struct lpfc_sli_ring *pring;
+ u32 i, wait_cnt = 0;
+
+- if (phba->sli_rev < LPFC_SLI_REV4)
++ if (phba->sli_rev < LPFC_SLI_REV4 || !phba->sli4_hba.nvme_wq)
+ return;
+
+ /* Cycle through all NVME rings and make sure all outstanding
+@@ -2985,6 +2985,9 @@ lpfc_nvme_wait_for_io_drain(struct lpfc_
+ for (i = 0; i < phba->cfg_nvme_io_channel; i++) {
+ pring = phba->sli4_hba.nvme_wq[i]->pring;
+
++ if (!pring)
++ continue;
++
+ /* Retrieve everything on the txcmplq */
+ while (!list_empty(&pring->txcmplq)) {
+ msleep(LPFC_XRI_EXCH_BUSY_WAIT_T1);
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 17 Jul 2018 10:36:04 -0700
+Subject: security: check for kstrdup() failure in lsm_append()
+
+From: Eric Biggers <ebiggers@google.com>
+
+[ Upstream commit 87ea58433208d17295e200d56be5e2a4fe4ce7d6 ]
+
+lsm_append() should return -ENOMEM if memory allocation failed.
+
+Fixes: d69dece5f5b6 ("LSM: Add /sys/kernel/security/lsm")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/security.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/security/security.c
++++ b/security/security.c
+@@ -118,6 +118,8 @@ static int lsm_append(char *new, char **
+
+ if (*result == NULL) {
+ *result = kstrdup(new, GFP_KERNEL);
++ if (*result == NULL)
++ return -ENOMEM;
+ } else {
+ /* Check if it is the last registered name */
+ if (match_last_lsm(*result, new))
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: John Stultz <john.stultz@linaro.org>
+Date: Tue, 29 May 2018 19:12:18 -0700
+Subject: selftest: timers: Tweak raw_skew to SKIP when ADJ_OFFSET/other clock adjustments are in progress
+
+From: John Stultz <john.stultz@linaro.org>
+
+[ Upstream commit 1416270f4a1ae83ea84156ceba19a66a8f88be1f ]
+
+In the past we've warned when ADJ_OFFSET was in progress, usually
+caused by ntpd or some other time adjusting daemon running in non
+steady sate, which can cause the skew calculations to be
+incorrect.
+
+Thus, this patch checks to see if the clock was being adjusted
+when we fail so that we don't cause false negatives.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Miroslav Lichvar <mlichvar@redhat.com>
+Cc: Richard Cochran <richardcochran@gmail.com>
+Cc: Prarit Bhargava <prarit@redhat.com>
+Cc: Stephen Boyd <sboyd@kernel.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: linux-kselftest@vger.kernel.org
+Suggested-by: Miroslav Lichvar <mlichvar@redhat.com>
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+v2: Widened the checks to look for other clock adjustments that
+ could happen, as suggested by Miroslav
+v3: Fixed up commit message
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/timers/raw_skew.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/tools/testing/selftests/timers/raw_skew.c
++++ b/tools/testing/selftests/timers/raw_skew.c
+@@ -134,6 +134,11 @@ int main(int argv, char **argc)
+ printf(" %lld.%i(act)", ppm/1000, abs((int)(ppm%1000)));
+
+ if (llabs(eppm - ppm) > 1000) {
++ if (tx1.offset || tx2.offset ||
++ tx1.freq != tx2.freq || tx1.tick != tx2.tick) {
++ printf(" [SKIP]\n");
++ return ksft_exit_skip("The clock was adjusted externally. Shutdown NTPd or other time sync daemons\n");
++ }
+ printf(" [FAILED]\n");
+ return ksft_exit_fail();
+ }
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Li Zhijian <lizhijian@cn.fujitsu.com>
+Date: Wed, 11 Jul 2018 10:08:00 +0800
+Subject: selftests/android: initialize heap_type to avoid compiling warning
+
+From: Li Zhijian <lizhijian@cn.fujitsu.com>
+
+[ Upstream commit cc7c673032fc7427087e74b75f732b43db38a256 ]
+
+Initialize heap_type to ION_HEAP_TYPE_SYSTEM to avoid "used uninitialized"
+compiler warning. heap_type gets used after initialization, this change is
+to just keep the compiler happy.
+
+root@vm-lkp-nex04-8G-7 ~/linux-v4.18-rc2/tools/testing/selftests/android# make
+make[1]: warning: jobserver unavailable: using -j1. Add '+' to parent make rule.
+make[1]: Entering directory '/root/linux-v4.18-rc2/tools/testing/selftests/android/ion'
+gcc -I. -I../../../../../drivers/staging/android/uapi/ -I../../../../../usr/include/ -Wall -O2 -g ionapp_export.c ipcsocket.c ionutils.c -o ionapp_export
+ionapp_export.c: In function 'main':
+ionapp_export.c:91:2: warning: 'heap_type' may be used uninitialized in
+this function [-Wmaybe-uninitialized]
+ printf("heap_type: %ld, heap_size: %ld\n", heap_type, heap_size);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+CC: Shuah Khan <shuah@kernel.org>
+CC: Pintu Agarwal <pintu.ping@gmail.com>
+Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
+Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/android/ion/ionapp_export.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/android/ion/ionapp_export.c
++++ b/tools/testing/selftests/android/ion/ionapp_export.c
+@@ -51,6 +51,7 @@ int main(int argc, char *argv[])
+
+ heap_size = 0;
+ flags = 0;
++ heap_type = ION_HEAP_TYPE_SYSTEM;
+
+ while ((opt = getopt(argc, argv, "hi:s:")) != -1) {
+ switch (opt) {
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: "Shuah Khan (Samsung OSG)" <shuah@kernel.org>
+Date: Fri, 22 Jun 2018 11:43:23 -0600
+Subject: selftests: vDSO - fix to return KSFT_SKIP when test couldn't be run
+
+From: "Shuah Khan (Samsung OSG)" <shuah@kernel.org>
+
+[ Upstream commit d2d49495b5c0dffee5c4da5ea12ac0da6679bd08 ]
+
+Fix to return KSFT_SKIP when test couldn't be run because AT_SYSINFO_EHDR
+isn't found and gettimeofday isn't defined.
+
+Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/vDSO/vdso_test.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/vDSO/vdso_test.c
++++ b/tools/testing/selftests/vDSO/vdso_test.c
+@@ -15,6 +15,8 @@
+ #include <sys/auxv.h>
+ #include <sys/time.h>
+
++#include "../kselftest.h"
++
+ extern void *vdso_sym(const char *version, const char *name);
+ extern void vdso_init_from_sysinfo_ehdr(uintptr_t base);
+ extern void vdso_init_from_auxv(void *auxv);
+@@ -37,7 +39,7 @@ int main(int argc, char **argv)
+ unsigned long sysinfo_ehdr = getauxval(AT_SYSINFO_EHDR);
+ if (!sysinfo_ehdr) {
+ printf("AT_SYSINFO_EHDR is not present!\n");
+- return 0;
++ return KSFT_SKIP;
+ }
+
+ vdso_init_from_sysinfo_ehdr(getauxval(AT_SYSINFO_EHDR));
+@@ -48,7 +50,7 @@ int main(int argc, char **argv)
+
+ if (!gtod) {
+ printf("Could not find %s\n", name);
+- return 1;
++ return KSFT_SKIP;
+ }
+
+ struct timeval tv;
+@@ -59,6 +61,7 @@ int main(int argc, char **argv)
+ (long long)tv.tv_sec, (long long)tv.tv_usec);
+ } else {
+ printf("%s failed\n", name);
++ return KSFT_FAIL;
+ }
+
+ return 0;
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Date: Fri, 13 Jul 2018 16:58:54 +0200
+Subject: serial: 8250: of: Correct of_platform_serial_setup() error handling
+
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+
+[ Upstream commit b29330d829042512fabb2bfa3bbfa32df1115594 ]
+
+Don't dispose IRQ mapping before it has been created.
+
+Fixes: aa9594740 ("serial: 8250_of: Add IO space support")
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_of.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_of.c
++++ b/drivers/tty/serial/8250/8250_of.c
+@@ -124,7 +124,7 @@ static int of_platform_serial_setup(stru
+ dev_warn(&ofdev->dev, "unsupported reg-io-width (%d)\n",
+ prop);
+ ret = -EINVAL;
+- goto err_dispose;
++ goto err_unprepare;
+ }
+ }
+ port->flags |= UPF_IOREMAP;
nfsv4.1-fix-infinite-loop-on-i-o.patch
of-add-helper-to-lookup-compatible-child-node.patch
mmc-meson-mx-sdio-fix-of-child-node-lookup.patch
+binfmt_elf-respect-error-return-from-regset-active.patch
+net-mlx5-add-missing-set_driver_version-command-translation.patch
+arm64-dts-uniphier-add-missing-cooling-device-properties-for-cpus.patch
+audit-fix-use-after-free-in-audit_add_watch.patch
+mtdchar-fix-overflows-in-adjustment-of-count.patch
+vfs-fix-freeze-protection-in-mnt_want_write_file-for-overlayfs.patch
+bpf-fix-rcu-annotations-in-compute_effective_progs.patch
+spi-dw-fix-possible-race-condition.patch
+bluetooth-use-lock_sock_nested-in-bt_accept_enqueue.patch
+evm-don-t-deadlock-if-a-crypto-algorithm-is-unavailable.patch
+kvm-ppc-book3s-hv-add-of_node_put-in-success-path.patch
+security-check-for-kstrdup-failure-in-lsm_append.patch
+pm-devfreq-use-put_device-instead-of-kfree.patch
+kvm-ppc-book3s-fix-matching-of-hardware-and-emulated-tce-tables.patch
+mips-loongson64-cs5536-fix-pci_ohci_int_reg-reads.patch
+configfs-fix-registered-group-removal.patch
+pinctrl-mt7622-fix-probe-fail-by-misuse-the-selector.patch
+pinctrl-rza1-fix-selector-use-for-groups-and-functions.patch
+pinctrl-pinmux-return-selector-to-the-pinctrl-driver.patch
+arm64-dts-mt7622-update-a-clock-property-for-uart0.patch
+sched-core-use-smp_mb-in-wake_woken_function.patch
+efi-esrt-only-call-efi_mem_reserve-for-boot-services-memory.patch
+net-hns3-reset-net-device-with-rtnl_lock.patch
+net-hns3-fix-for-reset_level-default-assignment-probelm.patch
+arm-hisi-handle-of_iomap-and-fix-missing-of_node_put.patch
+arm-hisi-fix-error-handling-and-missing-of_node_put.patch
+net-hns3-fix-return-value-error-in-hns3_reset_notify_down_enet.patch
+arm-hisi-check-of_iomap-and-fix-missing-of_node_put.patch
+liquidio-fix-hang-when-re-binding-vf-host-drv-after-running-dpdk-vf-driver.patch
+gpu-ipu-v3-csi-pass-back-mbus_code_to_bus_cfg-error-codes.patch
+asoc-hdmi-codec-fix-routing.patch
+gpiolib-don-t-allow-userspace-to-set-values-of-input-lines.patch
+serial-8250-of-correct-of_platform_serial_setup-error-handling.patch
+tty-fix-termios-input-speed-encoding-when-using-bother.patch
+tty-fix-termios-input-speed-encoding.patch
+mmc-sdhci-of-esdhc-set-proper-dma-mask-for-ls104x-chips.patch
+mmc-tegra-prevent-hs200-on-tegra-3.patch
+mmc-sdhci-do-not-try-to-use-3.3v-signaling-if-not-supported.patch
+drm-nouveau-fix-runtime-pm-leak-in-drm_open.patch
+drm-nouveau-debugfs-wake-up-gpu-before-doing-any-reclocking.patch
+drm-nouveau-tegra-detach-from-arm-dma-iommu-mapping.patch
+tls-fix-zerocopy_from_iter-iov-handling.patch
+parport-sunbpp-fix-error-return-code.patch
+sched-fair-fix-util_avg-of-new-tasks-for-asymmetric-systems.patch
+coresight-handle-errors-in-finding-input-output-ports.patch
+coresight-tpiu-fix-disabling-timeouts.patch
+coresight-etm-add-support-for-arm-cortex-a73-and-cortex-a35.patch
+f2fs-do-checkpoint-in-kill_sb.patch
+tools-testing-nvdimm-fix-support-for-emulating-controller-temperature.patch
+drm-amd-display-support-access-ddc-for-mst-branch.patch
+asoc-qdsp6-q6afe-dai-fix-a-range-check-in-of_q6afe_parse_dai_data.patch
+lightnvm-pblk-assume-that-chunks-are-closed-on-1.2-devices.patch
+lightnvm-pblk-enable-line-minor-version-detection.patch
+staging-bcm2835-audio-don-t-leak-workqueue-if-open-fails.patch
+gpio-pxa-fix-potential-null-dereference.patch
+gpiolib-mark-gpio_suffixes-array-with-__maybe_unused.patch
+net-gemini-allow-multiple-ports-to-instantiate.patch
+net-mvpp2-make-sure-we-use-single-queue-mode-on-ppv2.1.patch
+rcutorture-use-monotonic-timestamp-for-stall-detection.patch
+mfd-88pm860x-i2c-switch-to-i2c_lock_bus-...-i2c_lock_segment.patch
+input-rohm_bu21023-switch-to-i2c_lock_bus-...-i2c_lock_segment.patch
+rcu-fix-grace-period-hangs-due-to-race-with-cpu-offline.patch
+drm-amdkfd-fix-kernel-queue-64-bit-doorbell-offset-calculation.patch
+drm-amdkfd-fix-error-codes-in-kfd_get_process.patch
+rtc-bq4802-add-error-handling-for-devm_ioremap.patch
+selftests-vdso-fix-to-return-ksft_skip-when-test-couldn-t-be-run.patch
+selftests-android-initialize-heap_type-to-avoid-compiling-warning.patch
+alsa-pcm-fix-snd_interval_refine-first-last-with-open-min-max.patch
+scsi-libfc-fixup-sleeping-function-called-from-invalid-context.patch
+scsi-lpfc-fix-nvme-target-crash-in-defer-rcv-logic.patch
+scsi-lpfc-fix-panic-if-driver-unloaded-when-port-is-offline.patch
+remoteproc-qcom-q6v5-pil-fix-modem-hang-on-sdm845-after-axis2-clk-unvote.patch
+selftest-timers-tweak-raw_skew-to-skip-when-adj_offset-other-clock-adjustments-are-in-progress.patch
+asoc-rt5651-fix-workqueue-cancel-vs-irq-free-race-on-remove.patch
+drm-panel-type-promotion-bug-in-s6e8aa0_read_mtp_id.patch
+arm64-perf-disable-pmu-while-processing-counter-overflows.patch
+drm-amd-pp-send-khz-clock-values-to-dc-for-smu7-8.patch
+dmaengine-sh-rcar-dmac-avoid-to-write-chcr.te-to-1-if-tcr-is-set-to-0.patch
+staging-fsl-dpaa2-eth-fix-dma-mapping-direction.patch
+ib-nes-fix-a-compiler-warning.patch
+block-dac960.c-fix-defined-but-not-used-build-warnings.patch
+ib-mlx5-fix-uaccess-beyond-count-in-debugfs-read-write-handlers.patch
+blk-mq-only-attempt-to-merge-bio-if-there-is-rq-in-sw-queue.patch
+blk-mq-avoid-to-synchronize-rcu-inside-blk_cleanup_queue.patch
+gpiolib-respect-error-code-of-get_direction.patch
+pinctrl-msm-fix-msm_config_group_get-to-be-compliant.patch
+pinctrl-qcom-spmi-gpio-fix-pmic_gpio_config_get-to-be-compliant.patch
+clk-tegra-bpmp-don-t-crash-when-a-clock-fails-to-register.patch
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Tue, 17 Jul 2018 16:23:10 +0200
+Subject: spi: dw: fix possible race condition
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit 66b19d762378785d1568b5650935205edfeb0503 ]
+
+It is possible to get an interrupt as soon as it is requested. dw_spi_irq
+does spi_controller_get_devdata(master) and expects it to be different than
+NULL. However, spi_controller_set_devdata() is called after request_irq(),
+resulting in the following crash:
+
+CPU 0 Unable to handle kernel paging request at virtual address 00000030, epc == 8058e09c, ra == 8018ff90
+[...]
+Call Trace:
+[<8058e09c>] dw_spi_irq+0x8/0x64
+[<8018ff90>] __handle_irq_event_percpu+0x70/0x1d4
+[<80190128>] handle_irq_event_percpu+0x34/0x8c
+[<801901c4>] handle_irq_event+0x44/0x80
+[<801951a8>] handle_level_irq+0xdc/0x194
+[<8018f580>] generic_handle_irq+0x38/0x50
+[<804c6924>] ocelot_irq_handler+0x104/0x1c0
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-dw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-dw.c
++++ b/drivers/spi/spi-dw.c
+@@ -485,6 +485,8 @@ int dw_spi_add_host(struct device *dev,
+ dws->dma_inited = 0;
+ dws->dma_addr = (dma_addr_t)(dws->paddr + DW_SPI_DR);
+
++ spi_controller_set_devdata(master, dws);
++
+ ret = request_irq(dws->irq, dw_spi_irq, IRQF_SHARED, dev_name(dev),
+ master);
+ if (ret < 0) {
+@@ -518,7 +520,6 @@ int dw_spi_add_host(struct device *dev,
+ }
+ }
+
+- spi_controller_set_devdata(master, dws);
+ ret = devm_spi_register_controller(dev, master);
+ if (ret) {
+ dev_err(&master->dev, "problem registering spi master\n");
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Tuomas Tynkkynen <tuomas@tuxera.com>
+Date: Fri, 13 Jul 2018 00:54:17 +0300
+Subject: staging: bcm2835-audio: Don't leak workqueue if open fails
+
+From: Tuomas Tynkkynen <tuomas@tuxera.com>
+
+[ Upstream commit 678c5b119307c40f9a17152512f9c949d0ec7292 ]
+
+Currently, if bcm2835_audio_open() fails partway, the allocated
+workqueue is leaked. Avoid that.
+
+While at it, propagate the return value of
+bcm2835_audio_open_connection() on failure instead of returning -1.
+
+Signed-off-by: Tuomas Tynkkynen <tuomas@tuxera.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c | 16 +++++++-----
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
+@@ -439,16 +439,16 @@ int bcm2835_audio_open(struct bcm2835_al
+ my_workqueue_init(alsa_stream);
+
+ ret = bcm2835_audio_open_connection(alsa_stream);
+- if (ret) {
+- ret = -1;
+- goto exit;
+- }
++ if (ret)
++ goto free_wq;
++
+ instance = alsa_stream->instance;
+ LOG_DBG(" instance (%p)\n", instance);
+
+ if (mutex_lock_interruptible(&instance->vchi_mutex)) {
+ LOG_DBG("Interrupted whilst waiting for lock on (%d)\n", instance->num_connections);
+- return -EINTR;
++ ret = -EINTR;
++ goto free_wq;
+ }
+ vchi_service_use(instance->vchi_handle[0]);
+
+@@ -471,7 +471,11 @@ int bcm2835_audio_open(struct bcm2835_al
+ unlock:
+ vchi_service_release(instance->vchi_handle[0]);
+ mutex_unlock(&instance->vchi_mutex);
+-exit:
++
++free_wq:
++ if (ret)
++ destroy_workqueue(alsa_stream->my_wq);
++
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+Date: Mon, 9 Jul 2018 10:01:07 -0500
+Subject: staging: fsl-dpaa2/eth: Fix DMA mapping direction
+
+From: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+
+[ Upstream commit 466bcdc1fa303be175c45d054bb00effc575033a ]
+
+We are using DMA_FROM_DEVICE when mapping RX frame buffers,
+but DMA_BIDIRECTIONAL for unmap. Fix the direction for DMA
+unmapping operation.
+
+Fixes: 87eb55e418b7 ("staging: fsl-dpaa2/eth: Fix potential endless loop")
+
+Signed-off-by: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
++++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
+@@ -767,7 +767,7 @@ static void free_bufs(struct dpaa2_eth_p
+ for (i = 0; i < count; i++) {
+ vaddr = dpaa2_iova_to_virt(priv->iommu_domain, buf_array[i]);
+ dma_unmap_single(dev, buf_array[i], DPAA2_ETH_RX_BUF_SIZE,
+- DMA_BIDIRECTIONAL);
++ DMA_FROM_DEVICE);
+ skb_free_frag(vaddr);
+ }
+ }
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Boris Pismenny <borisp@mellanox.com>
+Date: Fri, 13 Jul 2018 14:33:44 +0300
+Subject: tls: Fix zerocopy_from_iter iov handling
+
+From: Boris Pismenny <borisp@mellanox.com>
+
+[ Upstream commit 4718799817c5a30ae723eda21f3a6c7d8701b1a4 ]
+
+zerocopy_from_iter iterates over the message, but it doesn't revert the
+updates made by the iov iteration. This patch fixes it. Now, the iov can
+be used after calling zerocopy_from_iter.
+
+Fixes: 3c4d75591 ("tls: kernel TLS support")
+Signed-off-by: Boris Pismenny <borisp@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_sw.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -286,7 +286,7 @@ static int zerocopy_from_iter(struct soc
+ int length, int *pages_used,
+ unsigned int *size_used,
+ struct scatterlist *to, int to_max_pages,
+- bool charge)
++ bool charge, bool revert)
+ {
+ struct page *pages[MAX_SKB_FRAGS];
+
+@@ -337,6 +337,8 @@ static int zerocopy_from_iter(struct soc
+ out:
+ *size_used = size;
+ *pages_used = num_elem;
++ if (revert)
++ iov_iter_revert(from, size);
+
+ return rc;
+ }
+@@ -438,7 +440,7 @@ alloc_encrypted:
+ &ctx->sg_plaintext_size,
+ ctx->sg_plaintext_data,
+ ARRAY_SIZE(ctx->sg_plaintext_data),
+- true);
++ true, false);
+ if (ret)
+ goto fallback_to_reg_send;
+
+@@ -826,7 +828,7 @@ int tls_sw_recvmsg(struct sock *sk,
+ err = zerocopy_from_iter(sk, &msg->msg_iter,
+ to_copy, &pages,
+ &chunk, &sgin[1],
+- MAX_SKB_FRAGS, false);
++ MAX_SKB_FRAGS, false, true);
+ if (err < 0)
+ goto fallback_to_reg_recv;
+
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 13 Jun 2018 14:31:18 -0700
+Subject: tools/testing/nvdimm: Fix support for emulating controller temperature
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+[ Upstream commit e5d772fbe7685aae0dff99f3b54158a0ec32155e ]
+
+In addition to populating the value the payload also needs to set the
+"controller temperature valid" flag.
+
+Fixes: cdd77d3e1930 ("nfit, libnvdimm: deprecate the generic SMART ioctl")
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/nvdimm/test/nfit.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/nvdimm/test/nfit.c
++++ b/tools/testing/nvdimm/test/nfit.c
+@@ -1308,7 +1308,8 @@ static void smart_init(struct nfit_test
+ | ND_INTEL_SMART_ALARM_VALID
+ | ND_INTEL_SMART_USED_VALID
+ | ND_INTEL_SMART_SHUTDOWN_VALID
+- | ND_INTEL_SMART_MTEMP_VALID,
++ | ND_INTEL_SMART_MTEMP_VALID
++ | ND_INTEL_SMART_CTEMP_VALID,
+ .health = ND_INTEL_SMART_NON_CRITICAL_HEALTH,
+ .media_temperature = 23 * 16,
+ .ctrl_temperature = 25 * 16,
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Johan Hovold <johan@kernel.org>
+Date: Sun, 15 Jul 2018 15:39:34 +0200
+Subject: tty: fix termios input-speed encoding when using BOTHER
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 1cee38f0363a88db374e50b232ca17b9a4c12fa0 ]
+
+When the termios CIBAUD bits are left unset (i.e. B0), we use the same
+output and input speed and should leave CIBAUD unchanged.
+
+When the user requests a rate using BOTHER and c_ospeed which the driver
+cannot set exactly, the driver can report back the actual baud rate
+using tty_termios_encode_baud_rate(). If this rate is close enough to a
+standard rate however, we could end up setting CIBAUD to a Bfoo value
+despite the user having left it unset.
+
+This in turn could lead to an unexpected input rate being set on
+subsequent termios updates.
+
+Fix this by using a zero tolerance value also for the input rate when
+CIBAUD is clear so that the matching logic works as expected.
+
+Fixes: 78137e3b34e1 ("[PATCH] tty: improve encode_baud_rate logic")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/tty_baudrate.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/tty_baudrate.c
++++ b/drivers/tty/tty_baudrate.c
+@@ -157,16 +157,20 @@ void tty_termios_encode_baud_rate(struct
+ termios->c_ospeed = obaud;
+
+ #ifdef BOTHER
++ if ((termios->c_cflag >> IBSHIFT) & CBAUD)
++ ibinput = 1; /* An input speed was specified */
++
+ /* If the user asked for a precise weird speed give a precise weird
+ answer. If they asked for a Bfoo speed they may have problems
+ digesting non-exact replies so fuzz a bit */
+
+- if ((termios->c_cflag & CBAUD) == BOTHER)
++ if ((termios->c_cflag & CBAUD) == BOTHER) {
+ oclose = 0;
++ if (!ibinput)
++ iclose = 0;
++ }
+ if (((termios->c_cflag >> IBSHIFT) & CBAUD) == BOTHER)
+ iclose = 0;
+- if ((termios->c_cflag >> IBSHIFT) & CBAUD)
+- ibinput = 1; /* An input speed was specified */
+ #endif
+ termios->c_cflag &= ~CBAUD;
+
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Johan Hovold <johan@kernel.org>
+Date: Sun, 15 Jul 2018 15:39:33 +0200
+Subject: tty: fix termios input-speed encoding
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit fada18c48d774b9e837928ecdce6a5d5fdd11ee7 ]
+
+Make sure to clear the CIBAUD bits before OR-ing the new mask when
+encoding the termios input baud rate.
+
+This could otherwise lead to an incorrect input rate being reported back
+and incidentally set on subsequent termios updates.
+
+Fixes: edc6afc54968 ("[PATCH] tty: switch to ktermios and new framework")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/tty_baudrate.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/tty_baudrate.c
++++ b/drivers/tty/tty_baudrate.c
+@@ -173,6 +173,9 @@ void tty_termios_encode_baud_rate(struct
+ iclose = 0;
+ #endif
+ termios->c_cflag &= ~CBAUD;
++#ifdef IBSHIFT
++ termios->c_cflag &= ~(CBAUD << IBSHIFT);
++#endif
+
+ /*
+ * Our goal is to find a close match to the standard baud rate
--- /dev/null
+From foo@baz Mon Sep 24 09:45:39 CEST 2018
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 18 Jul 2018 15:44:43 +0200
+Subject: vfs: fix freeze protection in mnt_want_write_file() for overlayfs
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+[ Upstream commit a6795a585929d94ca3e931bc8518f8deb8bbe627 ]
+
+The underlying real file used by overlayfs still contains the overlay path.
+This results in mnt_want_write_file() calls by the filesystem getting
+freeze protection on the wrong inode (the overlayfs one instead of the real
+one).
+
+Fix by using file_inode(file)->i_sb instead of file->f_path.mnt->mnt_sb.
+
+Reported-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/namespace.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -446,10 +446,10 @@ int mnt_want_write_file_path(struct file
+ {
+ int ret;
+
+- sb_start_write(file->f_path.mnt->mnt_sb);
++ sb_start_write(file_inode(file)->i_sb);
+ ret = __mnt_want_write_file(file);
+ if (ret)
+- sb_end_write(file->f_path.mnt->mnt_sb);
++ sb_end_write(file_inode(file)->i_sb);
+ return ret;
+ }
+
+@@ -540,7 +540,8 @@ void __mnt_drop_write_file(struct file *
+
+ void mnt_drop_write_file_path(struct file *file)
+ {
+- mnt_drop_write(file->f_path.mnt);
++ __mnt_drop_write_file(file);
++ sb_end_write(file_inode(file)->i_sb);
+ }
+
+ void mnt_drop_write_file(struct file *file)
projects / thirdparty / kernel / stable-queue.git / commitdiff
