--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 2 Nov 2017 15:27:48 +0000
+Subject: afs: Connect up the CB.ProbeUuid
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit f4b3526d83c40dd8bf5948b9d7a1b2c340f0dcc8 ]
+
+The handler for the CB.ProbeUuid operation in the cache manager is
+implemented, but isn't listed in the switch-statement of operation
+selection, so won't be used. Fix this by adding it.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/cmservice.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/afs/cmservice.c
++++ b/fs/afs/cmservice.c
+@@ -115,6 +115,9 @@ bool afs_cm_incoming_call(struct afs_cal
+ case CBProbe:
+ call->type = &afs_SRXCBProbe;
+ return true;
++ case CBProbeUuid:
++ call->type = &afs_SRXCBProbeUuid;
++ return true;
+ case CBTellMeAboutYourself:
+ call->type = &afs_SRXCBTellMeAboutYourself;
+ return true;
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Mon, 20 Feb 2017 12:30:11 +0000
+Subject: arm: KVM: Survive unknown traps from guests
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+
+[ Upstream commit f050fe7a9164945dd1c28be05bf00e8cfb082ccf ]
+
+Currently we BUG() if we see a HSR.EC value we don't recognise. As
+configurable disables/enables are added to the architecture (controlled
+by RES1/RES0 bits respectively), with associated synchronous exceptions,
+it may be possible for a guest to trigger exceptions with classes that
+we don't recognise.
+
+While we can't service these exceptions in a manner useful to the guest,
+we can avoid bringing down the host. Per ARM DDI 0406C.c, all currently
+unallocated HSR EC encodings are reserved, and per ARM DDI
+0487A.k_iss10775, page G6-4395, EC values within the range 0x00 - 0x2c
+are reserved for future use with synchronous exceptions, and EC values
+within the range 0x2d - 0x3f may be used for either synchronous or
+asynchronous exceptions.
+
+The patch makes KVM handle any unknown EC by injecting an UNDEFINED
+exception into the guest, with a corresponding (ratelimited) warning in
+the host dmesg. We could later improve on this with with a new (opt-in)
+exit to the host userspace.
+
+Cc: Dave Martin <dave.martin@arm.com>
+Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/include/asm/kvm_arm.h | 1 +
+ arch/arm/kvm/handle_exit.c | 19 ++++++++++++-------
+ 2 files changed, 13 insertions(+), 7 deletions(-)
+
+--- a/arch/arm/include/asm/kvm_arm.h
++++ b/arch/arm/include/asm/kvm_arm.h
+@@ -208,6 +208,7 @@
+ #define HSR_EC_IABT_HYP (0x21)
+ #define HSR_EC_DABT (0x24)
+ #define HSR_EC_DABT_HYP (0x25)
++#define HSR_EC_MAX (0x3f)
+
+ #define HSR_WFI_IS_WFE (1U << 0)
+
+--- a/arch/arm/kvm/handle_exit.c
++++ b/arch/arm/kvm/handle_exit.c
+@@ -98,7 +98,19 @@ static int kvm_handle_wfx(struct kvm_vcp
+ return 1;
+ }
+
++static int kvm_handle_unknown_ec(struct kvm_vcpu *vcpu, struct kvm_run *run)
++{
++ u32 hsr = kvm_vcpu_get_hsr(vcpu);
++
++ kvm_pr_unimpl("Unknown exception class: hsr: %#08x\n",
++ hsr);
++
++ kvm_inject_undefined(vcpu);
++ return 1;
++}
++
+ static exit_handle_fn arm_exit_handlers[] = {
++ [0 ... HSR_EC_MAX] = kvm_handle_unknown_ec,
+ [HSR_EC_WFI] = kvm_handle_wfx,
+ [HSR_EC_CP15_32] = kvm_handle_cp15_32,
+ [HSR_EC_CP15_64] = kvm_handle_cp15_64,
+@@ -120,13 +132,6 @@ static exit_handle_fn kvm_get_exit_handl
+ {
+ u8 hsr_ec = kvm_vcpu_trap_get_class(vcpu);
+
+- if (hsr_ec >= ARRAY_SIZE(arm_exit_handlers) ||
+- !arm_exit_handlers[hsr_ec]) {
+- kvm_err("Unknown exception class: hsr: %#08x\n",
+- (unsigned int)kvm_vcpu_get_hsr(vcpu));
+- BUG();
+- }
+-
+ return arm_exit_handlers[hsr_ec];
+ }
+
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Tue, 14 Nov 2017 13:42:38 +0530
+Subject: atm: horizon: Fix irq release error
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+
+[ Upstream commit bde533f2ea607cbbbe76ef8738b36243939a7bc2 ]
+
+atm_dev_register() can fail here and passed parameters to free irq
+which is not initialised. Initialization of 'dev->irq' happened after
+the 'goto out_free_irq'. So using 'irq' insted of 'dev->irq' in
+free_irq().
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/atm/horizon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/atm/horizon.c
++++ b/drivers/atm/horizon.c
+@@ -2828,7 +2828,7 @@ out:
+ return err;
+
+ out_free_irq:
+- free_irq(dev->irq, dev);
++ free_irq(irq, dev);
+ out_free:
+ kfree(dev);
+ out_release:
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Paul Moore <paul@paul-moore.com>
+Date: Fri, 1 Sep 2017 09:44:34 -0400
+Subject: audit: ensure that 'audit=1' actually enables audit for PID 1
+
+From: Paul Moore <paul@paul-moore.com>
+
+
+[ Upstream commit 173743dd99a49c956b124a74c8aacb0384739a4c ]
+
+Prior to this patch we enabled audit in audit_init(), which is too
+late for PID 1 as the standard initcalls are run after the PID 1 task
+is forked. This means that we never allocate an audit_context (see
+audit_alloc()) for PID 1 and therefore miss a lot of audit events
+generated by PID 1.
+
+This patch enables audit as early as possible to help ensure that when
+PID 1 is forked it can allocate an audit_context if required.
+
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/audit.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -79,13 +79,13 @@ static int audit_initialized;
+ #define AUDIT_OFF 0
+ #define AUDIT_ON 1
+ #define AUDIT_LOCKED 2
+-u32 audit_enabled;
+-u32 audit_ever_enabled;
++u32 audit_enabled = AUDIT_OFF;
++u32 audit_ever_enabled = !!AUDIT_OFF;
+
+ EXPORT_SYMBOL_GPL(audit_enabled);
+
+ /* Default state when kernel boots without any parameters. */
+-static u32 audit_default;
++static u32 audit_default = AUDIT_OFF;
+
+ /* If auditing cannot proceed, audit_failure selects what happens. */
+ static u32 audit_failure = AUDIT_FAIL_PRINTK;
+@@ -1173,8 +1173,6 @@ static int __init audit_init(void)
+ skb_queue_head_init(&audit_skb_queue);
+ skb_queue_head_init(&audit_skb_hold_queue);
+ audit_initialized = AUDIT_INITIALIZED;
+- audit_enabled = audit_default;
+- audit_ever_enabled |= !!audit_default;
+
+ audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
+
+@@ -1191,6 +1189,8 @@ static int __init audit_enable(char *str
+ audit_default = !!simple_strtol(str, NULL, 0);
+ if (!audit_default)
+ audit_initialized = AUDIT_DISABLED;
++ audit_enabled = audit_default;
++ audit_ever_enabled = !!audit_enabled;
+
+ pr_info("%s\n", audit_default ?
+ "enabled (after initialization)" : "disabled (until reboot)");
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 8 Mar 2017 14:56:05 +0100
+Subject: axonram: Fix gendisk handling
+
+From: Jan Kara <jack@suse.cz>
+
+
+[ Upstream commit 672a2c87c83649fb0167202342ce85af9a3b4f1c ]
+
+It is invalid to call del_gendisk() when disk->queue is NULL. Fix error
+handling in axon_ram_probe() to avoid doing that.
+
+Also del_gendisk() does not drop a reference to gendisk allocated by
+alloc_disk(). That has to be done by put_disk(). Add that call where
+needed.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/sysdev/axonram.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/sysdev/axonram.c
++++ b/arch/powerpc/sysdev/axonram.c
+@@ -283,7 +283,9 @@ failed:
+ if (bank->disk->major > 0)
+ unregister_blkdev(bank->disk->major,
+ bank->disk->disk_name);
+- del_gendisk(bank->disk);
++ if (bank->disk->flags & GENHD_FL_UP)
++ del_gendisk(bank->disk);
++ put_disk(bank->disk);
+ }
+ device->dev.platform_data = NULL;
+ if (bank->io_addr != 0)
+@@ -308,6 +310,7 @@ axon_ram_remove(struct platform_device *
+ device_remove_file(&device->dev, &dev_attr_ecc);
+ free_irq(bank->irq_id, device);
+ del_gendisk(bank->disk);
++ put_disk(bank->disk);
+ iounmap((void __iomem *) bank->io_addr);
+ kfree(bank);
+
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Fri, 3 Mar 2017 17:08:30 +0100
+Subject: bnx2x: fix possible overrun of VFPF multicast addresses array
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+
+[ Upstream commit 22118d861cec5da6ed525aaf12a3de9bfeffc58f ]
+
+It is too late to check for the limit of the number of VF multicast
+addresses after they have already been copied to the req->multicast[]
+array, possibly overflowing it.
+
+Do the check before copying.
+
+Also fix the error path to not skip unlocking vf2pf_mutex.
+
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c
+@@ -826,7 +826,7 @@ int bnx2x_vfpf_set_mcast(struct net_devi
+ struct bnx2x *bp = netdev_priv(dev);
+ struct vfpf_set_q_filters_tlv *req = &bp->vf2pf_mbox->req.set_q_filters;
+ struct pfvf_general_resp_tlv *resp = &bp->vf2pf_mbox->resp.general_resp;
+- int rc, i = 0;
++ int rc = 0, i = 0;
+ struct netdev_hw_addr *ha;
+
+ if (bp->state != BNX2X_STATE_OPEN) {
+@@ -841,6 +841,15 @@ int bnx2x_vfpf_set_mcast(struct net_devi
+ /* Get Rx mode requested */
+ DP(NETIF_MSG_IFUP, "dev->flags = %x\n", dev->flags);
+
++ /* We support PFVF_MAX_MULTICAST_PER_VF mcast addresses tops */
++ if (netdev_mc_count(dev) > PFVF_MAX_MULTICAST_PER_VF) {
++ DP(NETIF_MSG_IFUP,
++ "VF supports not more than %d multicast MAC addresses\n",
++ PFVF_MAX_MULTICAST_PER_VF);
++ rc = -EINVAL;
++ goto out;
++ }
++
+ netdev_for_each_mc_addr(ha, dev) {
+ DP(NETIF_MSG_IFUP, "Adding mcast MAC: %pM\n",
+ bnx2x_mc_addr(ha));
+@@ -848,16 +857,6 @@ int bnx2x_vfpf_set_mcast(struct net_devi
+ i++;
+ }
+
+- /* We support four PFVF_MAX_MULTICAST_PER_VF mcast
+- * addresses tops
+- */
+- if (i >= PFVF_MAX_MULTICAST_PER_VF) {
+- DP(NETIF_MSG_IFUP,
+- "VF supports not more than %d multicast MAC addresses\n",
+- PFVF_MAX_MULTICAST_PER_VF);
+- return -EINVAL;
+- }
+-
+ req->n_multicast = i;
+ req->flags |= VFPF_SET_Q_FILTERS_MULTICAST_CHANGED;
+ req->vf_qid = 0;
+@@ -882,7 +881,7 @@ int bnx2x_vfpf_set_mcast(struct net_devi
+ out:
+ bnx2x_vfpf_finalize(bp, &req->first_tlv);
+
+- return 0;
++ return rc;
+ }
+
+ int bnx2x_vfpf_storm_rx_mode(struct bnx2x *bp)
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Sun, 5 Mar 2017 19:14:07 +0200
+Subject: crypto: s5p-sss - Fix completing crypto request in IRQ handler
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+
+[ Upstream commit 07de4bc88ce6a4d898cad9aa4c99c1df7e87702d ]
+
+In a regular interrupt handler driver was finishing the crypt/decrypt
+request by calling complete on crypto request. This is disallowed since
+converting to skcipher in commit b286d8b1a690 ("crypto: skcipher - Add
+skcipher walk interface") and causes a warning:
+ WARNING: CPU: 0 PID: 0 at crypto/skcipher.c:430 skcipher_walk_first+0x13c/0x14c
+
+The interrupt is marked shared but in fact there are no other users
+sharing it. Thus the simplest solution seems to be to just use a
+threaded interrupt handler, after converting it to oneshot.
+
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/s5p-sss.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/s5p-sss.c
++++ b/drivers/crypto/s5p-sss.c
+@@ -682,8 +682,9 @@ static int s5p_aes_probe(struct platform
+ dev_warn(dev, "feed control interrupt is not available.\n");
+ goto err_irq;
+ }
+- err = devm_request_irq(dev, pdata->irq_fc, s5p_aes_interrupt,
+- IRQF_SHARED, pdev->name, pdev);
++ err = devm_request_threaded_irq(dev, pdata->irq_fc, NULL,
++ s5p_aes_interrupt, IRQF_ONESHOT,
++ pdev->name, pdev);
+ if (err < 0) {
+ dev_warn(dev, "feed control interrupt is not available.\n");
+ goto err_irq;
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Fri, 17 Nov 2017 15:27:35 -0800
+Subject: dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+
+[ Upstream commit 1f3c790bd5989fcfec9e53ad8fa09f5b740c958f ]
+
+line-range is supposed to treat "1-" as "1-endoffile", so
+handle the special case by setting last_lineno to UINT_MAX.
+
+Fixes this error:
+
+ dynamic_debug:ddebug_parse_query: last-line:0 < 1st-line:1
+ dynamic_debug:ddebug_exec_query: query parse failed
+
+Link: http://lkml.kernel.org/r/10a6a101-e2be-209f-1f41-54637824788e@infradead.org
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Acked-by: Jason Baron <jbaron@akamai.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/dynamic_debug.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/lib/dynamic_debug.c
++++ b/lib/dynamic_debug.c
+@@ -353,6 +353,10 @@ static int ddebug_parse_query(char *word
+ if (parse_lineno(last, &query->last_lineno) < 0)
+ return -EINVAL;
+
++ /* special case for last lineno not specified */
++ if (query->last_lineno == 0)
++ query->last_lineno = UINT_MAX;
++
+ if (query->last_lineno < query->first_lineno) {
+ pr_err("last-line:%d < 1st-line:%d\n",
+ query->last_lineno,
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+Date: Wed, 28 Jun 2017 20:57:29 -0400
+Subject: EDAC, i5000, i5400: Fix definition of NRECMEMB register
+
+From: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+
+
+[ Upstream commit a8c8261425649da58bdf08221570e5335ad33a31 ]
+
+In the i5000 and i5400 drivers, the NRECMEMB register is defined as a
+16-bit value, which results in wrong shifts in the code, as reported by
+sparse.
+
+In the datasheets ([1], section 3.9.22.20 and [2], section 3.9.22.21),
+this register is a 32-bit register. A u32 value for the register fixes
+the wrong shifts warnings and matches the datasheet.
+
+Also fix the mask to access to the CAS bits [27:16] in the i5000 driver.
+
+[1]: https://www.intel.com/content/dam/doc/datasheet/5000p-5000v-5000z-chipset-memory-controller-hub-datasheet.pdf
+[2]: https://www.intel.se/content/dam/doc/datasheet/5400-chipset-memory-controller-hub-datasheet.pdf
+
+Signed-off-by: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20170629005729.8478-1-jeremy.lefaure@lse.epita.fr
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/i5000_edac.c | 6 +++---
+ drivers/edac/i5400_edac.c | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/edac/i5000_edac.c
++++ b/drivers/edac/i5000_edac.c
+@@ -227,7 +227,7 @@
+ #define NREC_RDWR(x) (((x)>>11) & 1)
+ #define NREC_RANK(x) (((x)>>8) & 0x7)
+ #define NRECMEMB 0xC0
+-#define NREC_CAS(x) (((x)>>16) & 0xFFFFFF)
++#define NREC_CAS(x) (((x)>>16) & 0xFFF)
+ #define NREC_RAS(x) ((x) & 0x7FFF)
+ #define NRECFGLOG 0xC4
+ #define NREEECFBDA 0xC8
+@@ -371,7 +371,7 @@ struct i5000_error_info {
+ /* These registers are input ONLY if there was a
+ * Non-Recoverable Error */
+ u16 nrecmema; /* Non-Recoverable Mem log A */
+- u16 nrecmemb; /* Non-Recoverable Mem log B */
++ u32 nrecmemb; /* Non-Recoverable Mem log B */
+
+ };
+
+@@ -407,7 +407,7 @@ static void i5000_get_error_info(struct
+ NERR_FAT_FBD, &info->nerr_fat_fbd);
+ pci_read_config_word(pvt->branchmap_werrors,
+ NRECMEMA, &info->nrecmema);
+- pci_read_config_word(pvt->branchmap_werrors,
++ pci_read_config_dword(pvt->branchmap_werrors,
+ NRECMEMB, &info->nrecmemb);
+
+ /* Clear the error bits, by writing them back */
+--- a/drivers/edac/i5400_edac.c
++++ b/drivers/edac/i5400_edac.c
+@@ -368,7 +368,7 @@ struct i5400_error_info {
+
+ /* These registers are input ONLY if there was a Non-Rec Error */
+ u16 nrecmema; /* Non-Recoverable Mem log A */
+- u16 nrecmemb; /* Non-Recoverable Mem log B */
++ u32 nrecmemb; /* Non-Recoverable Mem log B */
+
+ };
+
+@@ -458,7 +458,7 @@ static void i5400_get_error_info(struct
+ NERR_FAT_FBD, &info->nerr_fat_fbd);
+ pci_read_config_word(pvt->branchmap_werrors,
+ NRECMEMA, &info->nrecmema);
+- pci_read_config_word(pvt->branchmap_werrors,
++ pci_read_config_dword(pvt->branchmap_werrors,
+ NRECMEMB, &info->nrecmemb);
+
+ /* Clear the error bits, by writing them back */
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+Date: Wed, 8 Mar 2017 20:18:09 -0500
+Subject: EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro
+
+From: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+
+
+[ Upstream commit e61555c29c28a4a3b6ba6207f4a0883ee236004d ]
+
+The MTR_DRAM_WIDTH macro returns the data width. It is sometimes used
+as if it returned a boolean true if the width if 8. Fix the tests where
+MTR_DRAM_WIDTH is misused.
+
+Signed-off-by: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20170309011809.8340-1-jeremy.lefaure@lse.epita.fr
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/i5000_edac.c | 2 +-
+ drivers/edac/i5400_edac.c | 5 +++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/edac/i5000_edac.c
++++ b/drivers/edac/i5000_edac.c
+@@ -1293,7 +1293,7 @@ static int i5000_init_csrows(struct mem_
+ dimm->mtype = MEM_FB_DDR2;
+
+ /* ask what device type on this row */
+- if (MTR_DRAM_WIDTH(mtr))
++ if (MTR_DRAM_WIDTH(mtr) == 8)
+ dimm->dtype = DEV_X8;
+ else
+ dimm->dtype = DEV_X4;
+--- a/drivers/edac/i5400_edac.c
++++ b/drivers/edac/i5400_edac.c
+@@ -1207,13 +1207,14 @@ static int i5400_init_dimms(struct mem_c
+
+ dimm->nr_pages = size_mb << 8;
+ dimm->grain = 8;
+- dimm->dtype = MTR_DRAM_WIDTH(mtr) ? DEV_X8 : DEV_X4;
++ dimm->dtype = MTR_DRAM_WIDTH(mtr) == 8 ?
++ DEV_X8 : DEV_X4;
+ dimm->mtype = MEM_FB_DDR2;
+ /*
+ * The eccc mechanism is SDDC (aka SECC), with
+ * is similar to Chipkill.
+ */
+- dimm->edac_mode = MTR_DRAM_WIDTH(mtr) ?
++ dimm->edac_mode = MTR_DRAM_WIDTH(mtr) == 8 ?
+ EDAC_S8ECD8ED : EDAC_S4ECD4ED;
+ ndimms++;
+ }
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Chris Brandt <chris.brandt@renesas.com>
+Date: Mon, 6 Mar 2017 15:20:51 -0500
+Subject: i2c: riic: fix restart condition
+
+From: Chris Brandt <chris.brandt@renesas.com>
+
+
+[ Upstream commit 2501c1bb054290679baad0ff7f4f07c714251f4c ]
+
+While modifying the driver to use the STOP interrupt, the completion of the
+intermediate transfers need to wake the driver back up in order to initiate
+the next transfer (restart condition). Otherwise you get never ending
+interrupts and only the first transfer sent.
+
+Fixes: 71ccea095ea1 ("i2c: riic: correctly finish transfers")
+Reported-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
+Tested-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-riic.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-riic.c
++++ b/drivers/i2c/busses/i2c-riic.c
+@@ -218,8 +218,12 @@ static irqreturn_t riic_tend_isr(int irq
+ }
+
+ if (riic->is_last || riic->err) {
+- riic_clear_set_bit(riic, 0, ICIER_SPIE, RIIC_ICIER);
++ riic_clear_set_bit(riic, ICIER_TEIE, ICIER_SPIE, RIIC_ICIER);
+ writeb(ICCR2_SP, riic->base + RIIC_ICCR2);
++ } else {
++ /* Transfer is complete, but do not send STOP */
++ riic_clear_set_bit(riic, ICIER_TEIE, 0, RIIC_ICIER);
++ complete(&riic->msg_done);
+ }
+
+ return IRQ_HANDLED;
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Mark Bloch <markb@mellanox.com>
+Date: Thu, 2 Nov 2017 15:22:26 +0200
+Subject: IB/mlx4: Increase maximal message size under UD QP
+
+From: Mark Bloch <markb@mellanox.com>
+
+
+[ Upstream commit 5f22a1d87c5315a98981ecf93cd8de226cffe6ca ]
+
+Maximal message should be used as a limit to the max message payload allowed,
+without the headers. The ConnectX-3 check is done against this value includes
+the headers. When the payload is 4K this will cause the NIC to drop packets.
+
+Increase maximal message to 8K as workaround, this shouldn't change current
+behaviour because we continue to set the MTU to 4k.
+
+To reproduce;
+set MTU to 4296 on the corresponding interface, for example:
+ifconfig eth0 mtu 4296 (both server and client)
+
+On server:
+ib_send_bw -c UD -d mlx4_0 -s 4096 -n 1000000 -i1 -m 4096
+
+On client:
+ib_send_bw -d mlx4_0 -c UD <server_ip> -s 4096 -n 1000000 -i 1 -m 4096
+
+Fixes: 6e0d733d9215 ("IB/mlx4: Allow 4K messages for UD QPs")
+Signed-off-by: Mark Bloch <markb@mellanox.com>
+Reviewed-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx4/qp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -1465,7 +1465,7 @@ static int __mlx4_ib_modify_qp(struct ib
+ context->mtu_msgmax = (IB_MTU_4096 << 5) |
+ ilog2(dev->dev->caps.max_gso_sz);
+ else
+- context->mtu_msgmax = (IB_MTU_4096 << 5) | 12;
++ context->mtu_msgmax = (IB_MTU_4096 << 5) | 13;
+ } else if (attr_mask & IB_QP_PATH_MTU) {
+ if (attr->path_mtu < IB_MTU_256 || attr->path_mtu > IB_MTU_4096) {
+ pr_err("path MTU (%u) is invalid\n",
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Majd Dibbiny <majd@mellanox.com>
+Date: Mon, 30 Oct 2017 14:23:13 +0200
+Subject: IB/mlx5: Assign send CQ and recv CQ of UMR QP
+
+From: Majd Dibbiny <majd@mellanox.com>
+
+
+[ Upstream commit 31fde034a8bd964a5c7c1a5663fc87a913158db2 ]
+
+The UMR's QP is created by calling mlx5_ib_create_qp directly, and
+therefore the send CQ and the recv CQ on the ibqp weren't assigned.
+
+Assign them right after calling the mlx5_ib_create_qp to assure
+that any access to those pointers will work as expected and won't
+crash the system as might happen as part of reset flow.
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Majd Dibbiny <majd@mellanox.com>
+Reviewed-by: Yishai Hadas <yishaih@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -1099,6 +1099,8 @@ static int create_umr_res(struct mlx5_ib
+ qp->real_qp = qp;
+ qp->uobject = NULL;
+ qp->qp_type = MLX5_IB_QPT_REG_UMR;
++ qp->send_cq = init_attr->send_cq;
++ qp->recv_cq = init_attr->recv_cq;
+
+ attr->qp_state = IB_QPS_INIT;
+ attr->port_num = 1;
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Sun, 5 Mar 2017 12:34:53 -0800
+Subject: ipv6: reorder icmpv6_init() and ip6_mr_init()
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit 15e668070a64bb97f102ad9cf3bccbca0545cda8 ]
+
+Andrey reported the following kernel crash:
+
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 0 PID: 14446 Comm: syz-executor6 Not tainted 4.10.0+ #82
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+task: ffff88001f311700 task.stack: ffff88001f6e8000
+RIP: 0010:ip6mr_sk_done+0x15a/0x3d0 net/ipv6/ip6mr.c:1618
+RSP: 0018:ffff88001f6ef418 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: 1ffff10003edde8c RCX: ffffc900043ee000
+RDX: 0000000000000004 RSI: ffffffff83e3b3f8 RDI: 0000000000000020
+RBP: ffff88001f6ef508 R08: fffffbfff0dcc5d8 R09: 0000000000000000
+R10: ffffffff86e62ec0 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: ffff88001f6ef4e0 R15: ffff8800380a0040
+FS: 00007f7a52cec700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000000061c500 CR3: 000000001f1ae000 CR4: 00000000000006f0
+DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
+Call Trace:
+ rawv6_close+0x4c/0x80 net/ipv6/raw.c:1217
+ inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
+ inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432
+ sock_release+0x8d/0x1e0 net/socket.c:597
+ __sock_create+0x39d/0x880 net/socket.c:1226
+ sock_create_kern+0x3f/0x50 net/socket.c:1243
+ inet_ctl_sock_create+0xbb/0x280 net/ipv4/af_inet.c:1526
+ icmpv6_sk_init+0x163/0x500 net/ipv6/icmp.c:954
+ ops_init+0x10a/0x550 net/core/net_namespace.c:115
+ setup_net+0x261/0x660 net/core/net_namespace.c:291
+ copy_net_ns+0x27e/0x540 net/core/net_namespace.c:396
+9pnet_virtio: no channels available for device ./file1
+ create_new_namespaces+0x437/0x9b0 kernel/nsproxy.c:106
+ unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
+ SYSC_unshare kernel/fork.c:2281 [inline]
+ SyS_unshare+0x64e/0x1000 kernel/fork.c:2231
+ entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+This is because net->ipv6.mr6_tables is not initialized at that point,
+ip6mr_rules_init() is not called yet, therefore on the error path when
+we iterator the list, we trigger this oops. Fix this by reordering
+ip6mr_rules_init() before icmpv6_sk_init().
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/af_inet6.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -887,12 +887,12 @@ static int __init inet6_init(void)
+ err = register_pernet_subsys(&inet6_net_ops);
+ if (err)
+ goto register_pernet_fail;
+- err = icmpv6_init();
+- if (err)
+- goto icmp_fail;
+ err = ip6_mr_init();
+ if (err)
+ goto ipmr_fail;
++ err = icmpv6_init();
++ if (err)
++ goto icmp_fail;
+ err = ndisc_init();
+ if (err)
+ goto ndisc_fail;
+@@ -1010,10 +1010,10 @@ igmp_fail:
+ ndisc_cleanup();
+ ndisc_fail:
+ ip6_mr_cleanup();
+-ipmr_fail:
+- icmpv6_cleanup();
+ icmp_fail:
+ unregister_pernet_subsys(&inet6_net_ops);
++ipmr_fail:
++ icmpv6_cleanup();
+ register_pernet_fail:
+ sock_unregister(PF_INET6);
+ rtnl_unregister_all(PF_INET6);
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Franck Demathieu <fdemathieu@gmail.com>
+Date: Mon, 6 Mar 2017 14:41:06 +0100
+Subject: irqchip/crossbar: Fix incorrect type of register size
+
+From: Franck Demathieu <fdemathieu@gmail.com>
+
+
+[ Upstream commit 4b9de5da7e120c7f02395da729f0ec77ce7a6044 ]
+
+The 'size' variable is unsigned according to the dt-bindings.
+As this variable is used as integer in other places, create a new variable
+that allows to fix the following sparse issue (-Wtypesign):
+
+ drivers/irqchip/irq-crossbar.c:279:52: warning: incorrect type in argument 3 (different signedness)
+ drivers/irqchip/irq-crossbar.c:279:52: expected unsigned int [usertype] *out_value
+ drivers/irqchip/irq-crossbar.c:279:52: got int *<noident>
+
+Signed-off-by: Franck Demathieu <fdemathieu@gmail.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-crossbar.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/irqchip/irq-crossbar.c
++++ b/drivers/irqchip/irq-crossbar.c
+@@ -176,7 +176,7 @@ static const struct irq_domain_ops routa
+ static int __init crossbar_of_init(struct device_node *node)
+ {
+ int i, size, reserved = 0;
+- u32 max = 0, entry;
++ u32 max = 0, entry, reg_size;
+ const __be32 *irqsr;
+ int ret = -ENOMEM;
+
+@@ -253,9 +253,9 @@ static int __init crossbar_of_init(struc
+ if (!cb->register_offsets)
+ goto err_irq_map;
+
+- of_property_read_u32(node, "ti,reg-size", &size);
++ of_property_read_u32(node, "ti,reg-size", ®_size);
+
+- switch (size) {
++ switch (reg_size) {
+ case 1:
+ cb->write = crossbar_writeb;
+ break;
+@@ -281,7 +281,7 @@ static int __init crossbar_of_init(struc
+ continue;
+
+ cb->register_offsets[i] = reserved;
+- reserved += size;
++ reserved += reg_size;
+ }
+
+ of_property_read_u32(node, "ti,irqs-safe-map", &cb->safe_map);
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Mon, 6 Mar 2017 04:03:28 -0800
+Subject: KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+
+[ Upstream commit 2f707d97982286b307ef2a9b034e19aabc1abb56 ]
+
+Reported by syzkaller:
+
+ WARNING: CPU: 1 PID: 27742 at arch/x86/kvm/vmx.c:11029
+ nested_vmx_vmexit+0x5c35/0x74d0 arch/x86/kvm/vmx.c:11029
+ CPU: 1 PID: 27742 Comm: a.out Not tainted 4.10.0+ #229
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:15 [inline]
+ dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
+ panic+0x1fb/0x412 kernel/panic.c:179
+ __warn+0x1c4/0x1e0 kernel/panic.c:540
+ warn_slowpath_null+0x2c/0x40 kernel/panic.c:583
+ nested_vmx_vmexit+0x5c35/0x74d0 arch/x86/kvm/vmx.c:11029
+ vmx_leave_nested arch/x86/kvm/vmx.c:11136 [inline]
+ vmx_set_msr+0x1565/0x1910 arch/x86/kvm/vmx.c:3324
+ kvm_set_msr+0xd4/0x170 arch/x86/kvm/x86.c:1099
+ do_set_msr+0x11e/0x190 arch/x86/kvm/x86.c:1128
+ __msr_io arch/x86/kvm/x86.c:2577 [inline]
+ msr_io+0x24b/0x450 arch/x86/kvm/x86.c:2614
+ kvm_arch_vcpu_ioctl+0x35b/0x46a0 arch/x86/kvm/x86.c:3497
+ kvm_vcpu_ioctl+0x232/0x1120 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2721
+ vfs_ioctl fs/ioctl.c:43 [inline]
+ do_vfs_ioctl+0x1bf/0x1790 fs/ioctl.c:683
+ SYSC_ioctl fs/ioctl.c:698 [inline]
+ SyS_ioctl+0x8f/0xc0 fs/ioctl.c:689
+ entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+The syzkaller folks reported a nested_run_pending warning during userspace
+clear VMX capability which is exposed to L1 before.
+
+The warning gets thrown while doing
+
+(*(uint32_t*)0x20aecfe8 = (uint32_t)0x1);
+(*(uint32_t*)0x20aecfec = (uint32_t)0x0);
+(*(uint32_t*)0x20aecff0 = (uint32_t)0x3a);
+(*(uint32_t*)0x20aecff4 = (uint32_t)0x0);
+(*(uint64_t*)0x20aecff8 = (uint64_t)0x0);
+r[29] = syscall(__NR_ioctl, r[4], 0x4008ae89ul,
+ 0x20aecfe8ul, 0, 0, 0, 0, 0, 0);
+
+i.e. KVM_SET_MSR ioctl with
+
+struct kvm_msrs {
+ .nmsrs = 1,
+ .pad = 0,
+ .entries = {
+ {.index = MSR_IA32_FEATURE_CONTROL,
+ .reserved = 0,
+ .data = 0}
+ }
+}
+
+The VMLANCH/VMRESUME emulation should be stopped since the CPU is going to
+reset here. This patch resets the nested_run_pending since the CPU is going
+to be reset hence there should be nothing pending.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Suggested-by: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: David Hildenbrand <david@redhat.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -9086,8 +9086,10 @@ static void nested_vmx_vmexit(struct kvm
+ */
+ static void vmx_leave_nested(struct kvm_vcpu *vcpu)
+ {
+- if (is_guest_mode(vcpu))
++ if (is_guest_mode(vcpu)) {
++ to_vmx(vcpu)->nested.nested_run_pending = 0;
+ nested_vmx_vmexit(vcpu, -1, 0, 0);
++ }
+ free_nested(to_vmx(vcpu));
+ }
+
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Stephen Bates <sbates@raithlin.com>
+Date: Fri, 17 Nov 2017 15:28:16 -0800
+Subject: lib/genalloc.c: make the avail variable an atomic_long_t
+
+From: Stephen Bates <sbates@raithlin.com>
+
+
+[ Upstream commit 36a3d1dd4e16bcd0d2ddfb4a2ec7092f0ae0d931 ]
+
+If the amount of resources allocated to a gen_pool exceeds 2^32 then the
+avail atomic overflows and this causes problems when clients try and
+borrow resources from the pool. This is only expected to be an issue on
+64 bit systems.
+
+Add the <linux/atomic.h> header to pull in atomic_long* operations. So
+that 32 bit systems continue to use atomic32_t but 64 bit systems can
+use atomic64_t.
+
+Link: http://lkml.kernel.org/r/1509033843-25667-1-git-send-email-sbates@raithlin.com
+Signed-off-by: Stephen Bates <sbates@raithlin.com>
+Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
+Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Reviewed-by: Daniel Mentz <danielmentz@google.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/genalloc.h | 3 ++-
+ lib/genalloc.c | 10 +++++-----
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+--- a/include/linux/genalloc.h
++++ b/include/linux/genalloc.h
+@@ -31,6 +31,7 @@
+ #define __GENALLOC_H__
+
+ #include <linux/spinlock_types.h>
++#include <linux/atomic.h>
+
+ struct device;
+ struct device_node;
+@@ -66,7 +67,7 @@ struct gen_pool {
+ */
+ struct gen_pool_chunk {
+ struct list_head next_chunk; /* next chunk in pool */
+- atomic_t avail;
++ atomic_long_t avail;
+ phys_addr_t phys_addr; /* physical starting address of memory chunk */
+ unsigned long start_addr; /* start address of memory chunk */
+ unsigned long end_addr; /* end address of memory chunk (inclusive) */
+--- a/lib/genalloc.c
++++ b/lib/genalloc.c
+@@ -194,7 +194,7 @@ int gen_pool_add_virt(struct gen_pool *p
+ chunk->phys_addr = phys;
+ chunk->start_addr = virt;
+ chunk->end_addr = virt + size - 1;
+- atomic_set(&chunk->avail, size);
++ atomic_long_set(&chunk->avail, size);
+
+ spin_lock(&pool->lock);
+ list_add_rcu(&chunk->next_chunk, &pool->chunks);
+@@ -285,7 +285,7 @@ unsigned long gen_pool_alloc(struct gen_
+ nbits = (size + (1UL << order) - 1) >> order;
+ rcu_read_lock();
+ list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) {
+- if (size > atomic_read(&chunk->avail))
++ if (size > atomic_long_read(&chunk->avail))
+ continue;
+
+ end_bit = chunk_size(chunk) >> order;
+@@ -304,7 +304,7 @@ retry:
+
+ addr = chunk->start_addr + ((unsigned long)start_bit << order);
+ size = nbits << order;
+- atomic_sub(size, &chunk->avail);
++ atomic_long_sub(size, &chunk->avail);
+ break;
+ }
+ rcu_read_unlock();
+@@ -370,7 +370,7 @@ void gen_pool_free(struct gen_pool *pool
+ remain = bitmap_clear_ll(chunk->bits, start_bit, nbits);
+ BUG_ON(remain);
+ size = nbits << order;
+- atomic_add(size, &chunk->avail);
++ atomic_long_add(size, &chunk->avail);
+ rcu_read_unlock();
+ return;
+ }
+@@ -444,7 +444,7 @@ size_t gen_pool_avail(struct gen_pool *p
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk)
+- avail += atomic_read(&chunk->avail);
++ avail += atomic_long_read(&chunk->avail);
+ rcu_read_unlock();
+ return avail;
+ }
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 6 Mar 2017 15:26:54 -0500
+Subject: libata: drop WARN from protocol error in ata_sff_qc_issue()
+
+From: Tejun Heo <tj@kernel.org>
+
+
+[ Upstream commit 0580b762a4d6b70817476b90042813f8573283fa ]
+
+ata_sff_qc_issue() expects upper layers to never issue commands on a
+command protocol that it doesn't implement. While the assumption
+holds fine with the usual IO path, nothing filters based on the
+command protocol in the passthrough path (which was added later),
+allowing the warning to be tripped with a passthrough command with the
+right (well, wrong) protocol.
+
+Failing with AC_ERR_SYSTEM is the right thing to do anyway. Remove
+the unnecessary WARN.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Link: http://lkml.kernel.org/r/CACT4Y+bXkvevNZU8uP6X0QVqsj6wNoUA_1exfTSOzc+SmUtMOA@mail.gmail.com
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-sff.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -1480,7 +1480,6 @@ unsigned int ata_sff_qc_issue(struct ata
+ break;
+
+ default:
+- WARN_ON_ONCE(1);
+ return AC_ERR_SYSTEM;
+ }
+
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Mon, 6 Nov 2017 15:28:04 -0500
+Subject: NFS: Fix a typo in nfs_rename()
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+
+[ Upstream commit d803224c84be067754db7fa58a93f36f61566493 ]
+
+On successful rename, the "old_dentry" is retained and is attached to
+the "new_dir", so we need to call nfs_set_verifier() accordingly.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -2063,7 +2063,7 @@ out:
+ if (new_inode != NULL)
+ nfs_drop_nlink(new_inode);
+ d_move(old_dentry, new_dentry);
+- nfs_set_verifier(new_dentry,
++ nfs_set_verifier(old_dentry,
+ nfs_save_change_attribute(new_dir));
+ } else if (error == -ENOENT)
+ nfs_dentry_handle_enoent(old_dentry);
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Sasha Levin <alexander.levin@verizon.com>
+Date: Thu, 7 Dec 2017 23:21:06 -0500
+Subject: Revert "drm/armada: Fix compile fail"
+
+From: Sasha Levin <alexander.levin@verizon.com>
+
+
+This reverts commit 82f260d472c3b4dbb7324624e395c3e91f73a040.
+
+Not required on < 4.10.
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/armada/Makefile | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/gpu/drm/armada/Makefile
++++ b/drivers/gpu/drm/armada/Makefile
+@@ -5,5 +5,3 @@ armada-y += armada_510.o
+ armada-$(CONFIG_DEBUG_FS) += armada_debugfs.o
+
+ obj-$(CONFIG_DRM_ARMADA) := armada.o
+-
+-CFLAGS_armada_trace.o := -I$(src)
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Sasha Levin <alexander.levin@verizon.com>
+Date: Fri, 8 Dec 2017 00:11:47 -0500
+Subject: Revert "s390/kbuild: enable modversions for symbols exported from asm"
+
+From: Sasha Levin <alexander.levin@verizon.com>
+
+
+This reverts commit cabab3f9f5ca077535080b3252e6168935b914af.
+
+Not needed for < 4.9.
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/asm-prototypes.h | 8 --------
+ 1 file changed, 8 deletions(-)
+ delete mode 100644 arch/s390/include/asm/asm-prototypes.h
+
+--- a/arch/s390/include/asm/asm-prototypes.h
++++ /dev/null
+@@ -1,8 +0,0 @@
+-#ifndef _ASM_S390_PROTOTYPES_H
+-
+-#include <linux/kvm_host.h>
+-#include <linux/ftrace.h>
+-#include <asm/fpu/api.h>
+-#include <asm-generic/asm-prototypes.h>
+-
+-#endif /* _ASM_S390_PROTOTYPES_H */
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 17 Nov 2017 14:27:18 +0800
+Subject: route: also update fnhe_genid when updating a route cache
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit cebe84c6190d741045a322f5343f717139993c08 ]
+
+Now when ip route flush cache and it turn out all fnhe_genid != genid.
+If a redirect/pmtu icmp packet comes and the old fnhe is found and all
+it's members but fnhe_genid will be updated.
+
+Then next time when it looks up route and tries to rebind this fnhe to
+the new dst, the fnhe will be flushed due to fnhe_genid != genid. It
+causes this redirect/pmtu icmp packet acutally not to be applied.
+
+This patch is to also reset fnhe_genid when updating a route cache.
+
+Fixes: 5aad1de5ea2c ("ipv4: use separate genid for next hop exceptions")
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -622,9 +622,12 @@ static void update_or_create_fnhe(struct
+ struct fnhe_hash_bucket *hash;
+ struct fib_nh_exception *fnhe;
+ struct rtable *rt;
++ u32 genid, hval;
+ unsigned int i;
+ int depth;
+- u32 hval = fnhe_hashfun(daddr);
++
++ genid = fnhe_genid(dev_net(nh->nh_dev));
++ hval = fnhe_hashfun(daddr);
+
+ spin_lock_bh(&fnhe_lock);
+
+@@ -647,6 +650,8 @@ static void update_or_create_fnhe(struct
+ }
+
+ if (fnhe) {
++ if (fnhe->fnhe_genid != genid)
++ fnhe->fnhe_genid = genid;
+ if (gw)
+ fnhe->fnhe_gw = gw;
+ if (pmtu) {
+@@ -671,7 +676,7 @@ static void update_or_create_fnhe(struct
+ fnhe->fnhe_next = hash->chain;
+ rcu_assign_pointer(hash->chain, fnhe);
+ }
+- fnhe->fnhe_genid = fnhe_genid(dev_net(nh->nh_dev));
++ fnhe->fnhe_genid = genid;
+ fnhe->fnhe_daddr = daddr;
+ fnhe->fnhe_gw = gw;
+ fnhe->fnhe_pmtu = pmtu;
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 17 Nov 2017 14:27:06 +0800
+Subject: route: update fnhe_expires for redirect when the fnhe exists
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit e39d5246111399dbc6e11cd39fd8580191b86c47 ]
+
+Now when creating fnhe for redirect, it sets fnhe_expires for this
+new route cache. But when updating the exist one, it doesn't do it.
+It will cause this fnhe never to be expired.
+
+Paolo already noticed it before, in Jianlin's test case, it became
+even worse:
+
+When ip route flush cache, the old fnhe is not to be removed, but
+only clean it's members. When redirect comes again, this fnhe will
+be found and updated, but never be expired due to fnhe_expires not
+being set.
+
+So fix it by simply updating fnhe_expires even it's for redirect.
+
+Fixes: aee06da6726d ("ipv4: use seqlock for nh_exceptions")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -654,10 +654,9 @@ static void update_or_create_fnhe(struct
+ fnhe->fnhe_genid = genid;
+ if (gw)
+ fnhe->fnhe_gw = gw;
+- if (pmtu) {
++ if (pmtu)
+ fnhe->fnhe_pmtu = pmtu;
+- fnhe->fnhe_expires = max(1UL, expires);
+- }
++ fnhe->fnhe_expires = max(1UL, expires);
+ /* Update all cached dsts too */
+ rt = rcu_dereference(fnhe->fnhe_rth_input);
+ if (rt)
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: James Smart <jsmart2021@gmail.com>
+Date: Sat, 4 Mar 2017 09:30:25 -0800
+Subject: scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
+
+From: James Smart <jsmart2021@gmail.com>
+
+
+[ Upstream commit 5d181531bc6169e19a02a27d202cf0e982db9d0e ]
+
+if REG_VPI fails, the driver was incorrectly issuing INIT_VFI
+(a SLI4 command) on a SLI3 adapter.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -7265,11 +7265,17 @@ lpfc_cmpl_reg_new_vport(struct lpfc_hba
+ spin_lock_irq(shost->host_lock);
+ vport->fc_flag |= FC_VPORT_NEEDS_REG_VPI;
+ spin_unlock_irq(shost->host_lock);
+- if (vport->port_type == LPFC_PHYSICAL_PORT
+- && !(vport->fc_flag & FC_LOGO_RCVD_DID_CHNG))
+- lpfc_issue_init_vfi(vport);
+- else
++ if (mb->mbxStatus == MBX_NOT_FINISHED)
++ break;
++ if ((vport->port_type == LPFC_PHYSICAL_PORT) &&
++ !(vport->fc_flag & FC_LOGO_RCVD_DID_CHNG)) {
++ if (phba->sli_rev == LPFC_SLI_REV4)
++ lpfc_issue_init_vfi(vport);
++ else
++ lpfc_initial_flogi(vport);
++ } else {
+ lpfc_initial_fdisc(vport);
++ }
+ break;
+ }
+ } else {
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 15 Nov 2017 16:55:54 +0800
+Subject: sctp: do not free asoc when it is already dead in sctp_sendmsg
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit ca3af4dd28cff4e7216e213ba3b671fbf9f84758 ]
+
+Now in sctp_sendmsg sctp_wait_for_sndbuf could schedule out without
+holding sock sk. It means the current asoc can be freed elsewhere,
+like when receiving an abort packet.
+
+If the asoc is just created in sctp_sendmsg and sctp_wait_for_sndbuf
+returns err, the asoc will be freed again due to new_asoc is not nil.
+An use-after-free issue would be triggered by this.
+
+This patch is to fix it by setting new_asoc with nil if the asoc is
+already dead when cpu schedules back, so that it will not be freed
+again in sctp_sendmsg.
+
+v1->v2:
+ set new_asoc as nil in sctp_sendmsg instead of sctp_wait_for_sndbuf.
+
+Suggested-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1950,8 +1950,14 @@ static int sctp_sendmsg(struct kiocb *io
+ timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
+ if (!sctp_wspace(asoc)) {
+ err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
+- if (err)
++ if (err) {
++ if (err == -ESRCH) {
++ /* asoc is already dead. */
++ new_asoc = NULL;
++ err = -EPIPE;
++ }
+ goto out_free;
++ }
+ }
+
+ /* If an address is passed with the sendto/sendmsg call, it is used
+@@ -6999,10 +7005,11 @@ static int sctp_wait_for_sndbuf(struct s
+ for (;;) {
+ prepare_to_wait_exclusive(&asoc->wait, &wait,
+ TASK_INTERRUPTIBLE);
++ if (asoc->base.dead)
++ goto do_dead;
+ if (!*timeo_p)
+ goto do_nonblock;
+- if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING ||
+- asoc->base.dead)
++ if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING)
+ goto do_error;
+ if (signal_pending(current))
+ goto do_interrupted;
+@@ -7027,6 +7034,10 @@ out:
+
+ return err;
+
++do_dead:
++ err = -ESRCH;
++ goto out;
++
+ do_error:
+ err = -EPIPE;
+ goto out;
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 15 Nov 2017 16:57:26 +0800
+Subject: sctp: use the right sk after waking up from wait_buf sleep
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit cea0cc80a6777beb6eb643d4ad53690e1ad1d4ff ]
+
+Commit dfcb9f4f99f1 ("sctp: deny peeloff operation on asocs with threads
+sleeping on it") fixed the race between peeloff and wait sndbuf by
+checking waitqueue_active(&asoc->wait) in sctp_do_peeloff().
+
+But it actually doesn't work, as even if waitqueue_active returns false
+the waiting sndbuf thread may still not yet hold sk lock. After asoc is
+peeled off, sk is not asoc->base.sk any more, then to hold the old sk
+lock couldn't make assoc safe to access.
+
+This patch is to fix this by changing to hold the new sk lock if sk is
+not asoc->base.sk, meanwhile, also set the sk in sctp_sendmsg with the
+new sk.
+
+With this fix, there is no more race between peeloff and waitbuf, the
+check 'waitqueue_active' in sctp_do_peeloff can be removed.
+
+Thanks Marcelo and Neil for making this clear.
+
+v1->v2:
+ fix it by changing to lock the new sock instead of adding a flag in asoc.
+
+Suggested-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -82,8 +82,8 @@
+ /* Forward declarations for internal helper functions. */
+ static int sctp_writeable(struct sock *sk);
+ static void sctp_wfree(struct sk_buff *skb);
+-static int sctp_wait_for_sndbuf(struct sctp_association *, long *timeo_p,
+- size_t msg_len);
++static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
++ size_t msg_len, struct sock **orig_sk);
+ static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p);
+ static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p);
+ static int sctp_wait_for_accept(struct sock *sk, long timeo);
+@@ -1949,7 +1949,8 @@ static int sctp_sendmsg(struct kiocb *io
+
+ timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
+ if (!sctp_wspace(asoc)) {
+- err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
++ /* sk can be changed by peel off when waiting for buf. */
++ err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk);
+ if (err) {
+ if (err == -ESRCH) {
+ /* asoc is already dead. */
+@@ -4479,12 +4480,6 @@ int sctp_do_peeloff(struct sock *sk, sct
+ if (!asoc)
+ return -EINVAL;
+
+- /* If there is a thread waiting on more sndbuf space for
+- * sending on this asoc, it cannot be peeled.
+- */
+- if (waitqueue_active(&asoc->wait))
+- return -EBUSY;
+-
+ /* An association cannot be branched off from an already peeled-off
+ * socket, nor is this supported for tcp style sockets.
+ */
+@@ -6988,7 +6983,7 @@ void sctp_sock_rfree(struct sk_buff *skb
+
+ /* Helper function to wait for space in the sndbuf. */
+ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+- size_t msg_len)
++ size_t msg_len, struct sock **orig_sk)
+ {
+ struct sock *sk = asoc->base.sk;
+ int err = 0;
+@@ -7022,11 +7017,17 @@ static int sctp_wait_for_sndbuf(struct s
+ release_sock(sk);
+ current_timeo = schedule_timeout(current_timeo);
+ lock_sock(sk);
++ if (sk != asoc->base.sk) {
++ release_sock(sk);
++ sk = asoc->base.sk;
++ lock_sock(sk);
++ }
+
+ *timeo_p = current_timeo;
+ }
+
+ out:
++ *orig_sk = sk;
+ finish_wait(&asoc->wait, &wait);
+
+ /* Release the association's refcnt. */
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Date: Sun, 26 Feb 2017 11:38:39 +0530
+Subject: selftest/powerpc: Fix false failures for skipped tests
+
+From: Sachin Sant <sachinp@linux.vnet.ibm.com>
+
+
+[ Upstream commit a6d8a21596df041f36f4c2ccc260c459e3e851f1 ]
+
+Tests under alignment subdirectory are skipped when executed on previous
+generation hardware, but harness still marks them as failed.
+
+ test: test_copy_unaligned
+ tags: git_version:unknown
+ [SKIP] Test skipped on line 26
+ skip: test_copy_unaligned
+ selftests: copy_unaligned [FAIL]
+
+The MAGIC_SKIP_RETURN_VALUE value assigned to rc variable is retained till
+the program exit which causes the test to be marked as failed.
+
+This patch resets the value before returning to the main() routine.
+With this patch the test o/p is as follows:
+
+ test: test_copy_unaligned
+ tags: git_version:unknown
+ [SKIP] Test skipped on line 26
+ skip: test_copy_unaligned
+ selftests: copy_unaligned [PASS]
+
+Signed-off-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/powerpc/harness.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/powerpc/harness.c
++++ b/tools/testing/selftests/powerpc/harness.c
+@@ -105,9 +105,11 @@ int test_harness(int (test_function)(voi
+
+ rc = run_test(test_function, name);
+
+- if (rc == MAGIC_SKIP_RETURN_VALUE)
++ if (rc == MAGIC_SKIP_RETURN_VALUE) {
+ test_skip(name);
+- else
++ /* so that skipped test is not marked as failed */
++ rc = 0;
++ } else
+ test_finish(name, rc);
+
+ return rc;
rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch
sit-update-frag_off-info.patch
net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch
+revert-drm-armada-fix-compile-fail.patch
+revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch
+selftest-powerpc-fix-false-failures-for-skipped-tests.patch
+usb-gadget-configs-plug-memory-leak.patch
+usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch
+libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch
+workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch
+scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch
+irqchip-crossbar-fix-incorrect-type-of-register-size.patch
+kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch
+arm-kvm-survive-unknown-traps-from-guests.patch
+spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch
+bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch
+ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch
+crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch
+i2c-riic-fix-restart-condition.patch
+axonram-fix-gendisk-handling.patch
+edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch
+edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch
+route-also-update-fnhe_genid-when-updating-a-route-cache.patch
+route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch
+lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch
+dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch
+nfs-fix-a-typo-in-nfs_rename.patch
+sunrpc-fix-rpc_task_begin-trace-point.patch
+sparc64-mm-set-fields-in-deferred-pages.patch
+sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch
+sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch
+atm-horizon-fix-irq-release-error.patch
+xfrm-copy-policy-family-in-clone_policy.patch
+ib-mlx4-increase-maximal-message-size-under-ud-qp.patch
+ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch
+afs-connect-up-the-cb.probeuuid.patch
+audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Pavel Tatashin <pasha.tatashin@oracle.com>
+Date: Wed, 15 Nov 2017 17:36:18 -0800
+Subject: sparc64/mm: set fields in deferred pages
+
+From: Pavel Tatashin <pasha.tatashin@oracle.com>
+
+
+[ Upstream commit 2a20aa171071a334d80c4e5d5af719d8374702fc ]
+
+Without deferred struct page feature (CONFIG_DEFERRED_STRUCT_PAGE_INIT),
+flags and other fields in "struct page"es are never changed prior to
+first initializing struct pages by going through __init_single_page().
+
+With deferred struct page feature enabled there is a case where we set
+some fields prior to initializing:
+
+mem_init() {
+ register_page_bootmem_info();
+ free_all_bootmem();
+ ...
+}
+
+When register_page_bootmem_info() is called only non-deferred struct
+pages are initialized. But, this function goes through some reserved
+pages which might be part of the deferred, and thus are not yet
+initialized.
+
+mem_init
+register_page_bootmem_info
+register_page_bootmem_info_node
+ get_page_bootmem
+ .. setting fields here ..
+ such as: page->freelist = (void *)type;
+
+free_all_bootmem()
+free_low_memory_core_early()
+ for_each_reserved_mem_region()
+ reserve_bootmem_region()
+ init_reserved_page() <- Only if this is deferred reserved page
+ __init_single_pfn()
+ __init_single_page()
+ memset(0) <-- Loose the set fields here
+
+We end up with similar issue as in the previous patch, where currently
+we do not observe problem as memory is zeroed. But, if flag asserts are
+changed we can start hitting issues.
+
+Also, because in this patch series we will stop zeroing struct page
+memory during allocation, we must make sure that struct pages are
+properly initialized prior to using them.
+
+The deferred-reserved pages are initialized in free_all_bootmem().
+Therefore, the fix is to switch the above calls.
+
+Link: http://lkml.kernel.org/r/20171013173214.27300-4-pasha.tatashin@oracle.com
+Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
+Reviewed-by: Steven Sistare <steven.sistare@oracle.com>
+Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Reviewed-by: Bob Picco <bob.picco@oracle.com>
+Acked-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/mm/init_64.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc/mm/init_64.c
++++ b/arch/sparc/mm/init_64.c
+@@ -2215,10 +2215,17 @@ void __init mem_init(void)
+ {
+ high_memory = __va(last_valid_pfn << PAGE_SHIFT);
+
+- register_page_bootmem_info();
+ free_all_bootmem();
+
+ /*
++ * Must be done after boot memory is put on freelist, because here we
++ * might set fields in deferred struct pages that have not yet been
++ * initialized, and free_all_bootmem() initializes all the reserved
++ * deferred pages for us.
++ */
++ register_page_bootmem_info();
++
++ /*
+ * Set up the zero page, mark it reserved, so that page count
+ * is not manipulated when freeing the page from user ptes.
+ */
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: "Blomme, Maarten" <Maarten.Blomme@flir.com>
+Date: Thu, 2 Mar 2017 13:08:36 +0100
+Subject: spi_ks8995: fix "BUG: key accdaa28 not in .data!"
+
+From: "Blomme, Maarten" <Maarten.Blomme@flir.com>
+
+
+[ Upstream commit 4342696df764ec65dcdfbd0c10d90ea52505f8ba ]
+
+Signed-off-by: Maarten Blomme <Maarten.Blomme@flir.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/spi_ks8995.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/spi_ks8995.c
++++ b/drivers/net/phy/spi_ks8995.c
+@@ -332,6 +332,7 @@ static int ks8995_probe(struct spi_devic
+ if (err)
+ return err;
+
++ sysfs_attr_init(&ks->regs_attr.attr);
+ err = sysfs_create_bin_file(&spi->dev.kobj, &ks->regs_attr);
+ if (err) {
+ dev_err(&spi->dev, "unable to create sysfs file, err=%d\n",
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Fri, 3 Nov 2017 13:46:06 -0400
+Subject: sunrpc: Fix rpc_task_begin trace point
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+
+[ Upstream commit b2bfe5915d5fe7577221031a39ac722a0a2a1199 ]
+
+The rpc_task_begin trace point always display a task ID of zero.
+Move the trace point call site so that it picks up the new task ID.
+
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/sched.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/sunrpc/sched.c
++++ b/net/sunrpc/sched.c
+@@ -273,10 +273,9 @@ static inline void rpc_task_set_debuginf
+
+ static void rpc_set_active(struct rpc_task *task)
+ {
+- trace_rpc_task_begin(task->tk_client, task, NULL);
+-
+ rpc_task_set_debuginfo(task);
+ set_bit(RPC_TASK_ACTIVE, &task->tk_runstate);
++ trace_rpc_task_begin(task->tk_client, task, NULL);
+ }
+
+ /*
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: John Keeping <john@metanate.com>
+Date: Tue, 28 Feb 2017 10:55:30 +0000
+Subject: usb: gadget: configs: plug memory leak
+
+From: John Keeping <john@metanate.com>
+
+
+[ Upstream commit 38355b2a44776c25b0f2ad466e8c51bb805b3032 ]
+
+When binding a gadget to a device, "name" is stored in gi->udc_name, but
+this does not happen when unregistering and the string is leaked.
+
+Signed-off-by: John Keeping <john@metanate.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/configfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -266,6 +266,7 @@ static ssize_t gadget_dev_desc_UDC_store
+ ret = unregister_gadget(gi);
+ if (ret)
+ goto err;
++ kfree(name);
+ } else {
+ if (gi->udc_name) {
+ ret = -EBUSY;
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Tue, 21 Feb 2017 22:33:11 +0100
+Subject: USB: gadgetfs: Fix a potential memory leak in 'dev_config()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit b6e7aeeaf235901c42ec35de4633c7c69501d303 ]
+
+'kbuf' is allocated just a few lines above using 'memdup_user()'.
+If the 'if (dev->buf)' test fails, this memory is never released.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/legacy/inode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1921,8 +1921,10 @@ dev_config (struct file *fd, const char
+
+ spin_lock_irq (&dev->lock);
+ value = -EINVAL;
+- if (dev->buf)
++ if (dev->buf) {
++ kfree(kbuf);
+ goto fail;
++ }
+ dev->buf = kbuf;
+
+ /* full or low speed config */
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 6 Mar 2017 15:33:42 -0500
+Subject: workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
+
+From: Tejun Heo <tj@kernel.org>
+
+
+[ Upstream commit 637fdbae60d6cb9f6e963c1079d7e0445c86ff7d ]
+
+If queue_delayed_work() gets called with NULL @wq, the kernel will
+oops asynchronuosly on timer expiration which isn't too helpful in
+tracking down the offender. This actually happened with smc.
+
+__queue_delayed_work() already does several input sanity checks
+synchronously. Add NULL @wq check.
+
+Reported-by: Dave Jones <davej@codemonkey.org.uk>
+Link: http://lkml.kernel.org/r/20170227171439.jshx3qplflyrgcv7@codemonkey.org.uk
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/workqueue.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -1452,6 +1452,7 @@ static void __queue_delayed_work(int cpu
+ struct timer_list *timer = &dwork->timer;
+ struct work_struct *work = &dwork->work;
+
++ WARN_ON_ONCE(!wq);
+ WARN_ON_ONCE(timer->function != delayed_work_timer_fn ||
+ timer->data != (unsigned long)dwork);
+ WARN_ON_ONCE(timer_pending(timer));
--- /dev/null
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 10 Nov 2017 14:14:06 +1100
+Subject: xfrm: Copy policy family in clone_policy
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+
+[ Upstream commit 0e74aa1d79a5bbc663e03a2804399cae418a0321 ]
+
+The syzbot found an ancient bug in the IPsec code. When we cloned
+a socket policy (for example, for a child TCP socket derived from a
+listening socket), we did not copy the family field. This results
+in a live policy with a zero family field. This triggers a BUG_ON
+check in the af_key code when the cloned policy is retrieved.
+
+This patch fixes it by copying the family field over.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_policy.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1345,6 +1345,7 @@ static struct xfrm_policy *clone_policy(
+ newp->xfrm_nr = old->xfrm_nr;
+ newp->index = old->index;
+ newp->type = old->type;
++ newp->family = old->family;
+ memcpy(newp->xfrm_vec, old->xfrm_vec,
+ newp->xfrm_nr*sizeof(struct xfrm_tmpl));
+ write_lock_bh(&net->xfrm.xfrm_policy_lock);
projects / thirdparty / kernel / stable-queue.git / commitdiff
