--- /dev/null
+From c83532fb0fe053d2e43e9387354cb1b52ba26427 Mon Sep 17 00:00:00 2001
+From: Alexey Brodkin <abrodkin@synopsys.com>
+Date: Thu, 2 Aug 2018 11:50:16 +0300
+Subject: ARC: [plat-axs*]: Enable SWAP
+
+From: Alexey Brodkin <abrodkin@synopsys.com>
+
+commit c83532fb0fe053d2e43e9387354cb1b52ba26427 upstream.
+
+SWAP support on ARC was fixed earlier by
+commit 6e3761145a9b ("ARC: Fix CONFIG_SWAP")
+so now we may safely enable it on platforms that
+have external media like USB and SD-card.
+
+Note: it was already allowed for HSDK
+
+Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
+Cc: stable@vger.kernel.org # 6e3761145a9b: ARC: Fix CONFIG_SWAP
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/configs/axs101_defconfig | 1 -
+ arch/arc/configs/axs103_defconfig | 1 -
+ arch/arc/configs/axs103_smp_defconfig | 1 -
+ 3 files changed, 3 deletions(-)
+
+--- a/arch/arc/configs/axs101_defconfig
++++ b/arch/arc/configs/axs101_defconfig
+@@ -1,5 +1,4 @@
+ CONFIG_DEFAULT_HOSTNAME="ARCLinux"
+-# CONFIG_SWAP is not set
+ CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ # CONFIG_CROSS_MEMORY_ATTACH is not set
+--- a/arch/arc/configs/axs103_defconfig
++++ b/arch/arc/configs/axs103_defconfig
+@@ -1,5 +1,4 @@
+ CONFIG_DEFAULT_HOSTNAME="ARCLinux"
+-# CONFIG_SWAP is not set
+ CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ # CONFIG_CROSS_MEMORY_ATTACH is not set
+--- a/arch/arc/configs/axs103_smp_defconfig
++++ b/arch/arc/configs/axs103_smp_defconfig
+@@ -1,5 +1,4 @@
+ CONFIG_DEFAULT_HOSTNAME="ARCLinux"
+-# CONFIG_SWAP is not set
+ CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ # CONFIG_CROSS_MEMORY_ATTACH is not set
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Date: Mon, 2 Jul 2018 12:01:54 -0700
+Subject: ata: libahci: Allow reconfigure of DEVSLP register
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+[ Upstream commit 11c291461b6ea8d1195a96d6bba6673a94aacebc ]
+
+There are two modes in which DEVSLP can be entered. The OS initiated or
+hardware autonomous.
+
+In hardware autonomous mode, BIOS configures the AHCI controller and the
+device to enable DEVSLP. But they may not be ideal for all cases. So in
+this case, OS should be able to reconfigure DEVSLP register.
+
+Currently if the DEVSLP is already enabled, we can't set again as it will
+simply return. There are some systems where the firmware is setting high
+DITO by default, in this case we can't modify here to correct settings.
+With the default in several seconds, we are not able to transition to
+DEVSLP.
+
+This change will allow reconfiguration of devslp register if DITO is
+different.
+
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libahci.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -2096,7 +2096,7 @@ static void ahci_set_aggressive_devslp(s
+ struct ahci_host_priv *hpriv = ap->host->private_data;
+ void __iomem *port_mmio = ahci_port_base(ap);
+ struct ata_device *dev = ap->link.device;
+- u32 devslp, dm, dito, mdat, deto;
++ u32 devslp, dm, dito, mdat, deto, dito_conf;
+ int rc;
+ unsigned int err_mask;
+
+@@ -2120,8 +2120,15 @@ static void ahci_set_aggressive_devslp(s
+ return;
+ }
+
+- /* device sleep was already enabled */
+- if (devslp & PORT_DEVSLP_ADSE)
++ dm = (devslp & PORT_DEVSLP_DM_MASK) >> PORT_DEVSLP_DM_OFFSET;
++ dito = devslp_idle_timeout / (dm + 1);
++ if (dito > 0x3ff)
++ dito = 0x3ff;
++
++ dito_conf = (devslp >> PORT_DEVSLP_DITO_OFFSET) & 0x3FF;
++
++ /* device sleep was already enabled and same dito */
++ if ((devslp & PORT_DEVSLP_ADSE) && (dito_conf == dito))
+ return;
+
+ /* set DITO, MDAT, DETO and enable DevSlp, need to stop engine first */
+@@ -2129,11 +2136,6 @@ static void ahci_set_aggressive_devslp(s
+ if (rc)
+ return;
+
+- dm = (devslp & PORT_DEVSLP_DM_MASK) >> PORT_DEVSLP_DM_OFFSET;
+- dito = devslp_idle_timeout / (dm + 1);
+- if (dito > 0x3ff)
+- dito = 0x3ff;
+-
+ /* Use the nominal value 10 ms if the read MDAT is zero,
+ * the nominal value of DETO is 20 ms.
+ */
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Date: Mon, 2 Jul 2018 12:01:53 -0700
+Subject: ata: libahci: Correct setting of DEVSLP register
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+[ Upstream commit 2dbb3ec29a6c069035857a2fc4c24e80e5dfe3cc ]
+
+We have seen that on some platforms, SATA device never show any DEVSLP
+residency. This prevent power gating of SATA IP, which prevent system
+to transition to low power mode in systems with SLP_S0 aka modern
+standby systems. The PHY logic is off only in DEVSLP not in slumber.
+Reference:
+https://www.intel.com/content/dam/www/public/us/en/documents/datasheets
+/332995-skylake-i-o-platform-datasheet-volume-1.pdf
+Section 28.7.6.1
+
+Here driver is trying to do read-modify-write the devslp register. But
+not resetting the bits for which this driver will modify values (DITO,
+MDAT and DETO). So simply reset those bits before updating to new values.
+
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libahci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -2153,6 +2153,8 @@ static void ahci_set_aggressive_devslp(s
+ deto = 20;
+ }
+
++ /* Make dito, mdat, deto bits to 0s */
++ devslp &= ~GENMASK_ULL(24, 2);
+ devslp |= ((dito << PORT_DEVSLP_DITO_OFFSET) |
+ (mdat << PORT_DEVSLP_MDAT_OFFSET) |
+ (deto << PORT_DEVSLP_DETO_OFFSET) |
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Surabhi Vishnoi <svishnoi@codeaurora.org>
+Date: Wed, 25 Jul 2018 10:59:41 +0300
+Subject: ath10k: disable bundle mgmt tx completion event support
+
+From: Surabhi Vishnoi <svishnoi@codeaurora.org>
+
+[ Upstream commit 673bc519c55843c68c3aecff71a4101e79d28d2b ]
+
+The tx completion of multiple mgmt frames can be bundled
+in a single event and sent by the firmware to host, if this
+capability is not disabled explicitly by the host. If the host
+cannot handle the bundled mgmt tx completion, this capability
+support needs to be disabled in the wmi init cmd, sent to the firmware.
+
+Add the host capability indication flag in the wmi ready command,
+to let firmware know the features supported by the host driver.
+This field is ignored if it is not supported by firmware.
+
+Set the host capability indication flag(i.e. host_capab) to zero,
+for disabling the support of bundle mgmt tx completion. This will
+indicate the firmware to send completion event for every mgmt tx
+completion, instead of bundling them together and sending in a single
+event.
+
+Tested HW: WCN3990
+Tested FW: WLAN.HL.2.0-01188-QCAHLSWMTPLZ-1
+
+Signed-off-by: Surabhi Vishnoi <svishnoi@codeaurora.org>
+Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 5 +++++
+ drivers/net/wireless/ath/ath10k/wmi-tlv.h | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -1451,6 +1451,11 @@ static struct sk_buff *ath10k_wmi_tlv_op
+ cfg->keep_alive_pattern_size = __cpu_to_le32(0);
+ cfg->max_tdls_concurrent_sleep_sta = __cpu_to_le32(1);
+ cfg->max_tdls_concurrent_buffer_sta = __cpu_to_le32(1);
++ cfg->wmi_send_separate = __cpu_to_le32(0);
++ cfg->num_ocb_vdevs = __cpu_to_le32(0);
++ cfg->num_ocb_channels = __cpu_to_le32(0);
++ cfg->num_ocb_schedules = __cpu_to_le32(0);
++ cfg->host_capab = __cpu_to_le32(0);
+
+ ath10k_wmi_put_host_mem_chunks(ar, chunks);
+
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.h
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.h
+@@ -1228,6 +1228,11 @@ struct wmi_tlv_resource_config {
+ __le32 keep_alive_pattern_size;
+ __le32 max_tdls_concurrent_sleep_sta;
+ __le32 max_tdls_concurrent_buffer_sta;
++ __le32 wmi_send_separate;
++ __le32 num_ocb_vdevs;
++ __le32 num_ocb_channels;
++ __le32 num_ocb_schedules;
++ __le32 host_capab;
+ } __packed;
+
+ struct wmi_tlv_init_cmd {
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Thu, 26 Jul 2018 15:59:48 +0200
+Subject: ath10k: prevent active scans on potential unusable channels
+
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+
+[ Upstream commit 3f259111583801013cb605bb4414aa529adccf1c ]
+
+The QCA4019 hw1.0 firmware 10.4-3.2.1-00050 and 10.4-3.5.3-00053 (and most
+likely all other) seem to ignore the WMI_CHAN_FLAG_DFS flag during the
+scan. This results in transmission (probe requests) on channels which are
+not "available" for transmissions.
+
+Since the firmware is closed source and nothing can be done from our side
+to fix the problem in it, the driver has to work around this problem. The
+WMI_CHAN_FLAG_PASSIVE seems to be interpreted by the firmware to not
+scan actively on a channel unless an AP was detected on it. Simple probe
+requests will then be transmitted by the STA on the channel.
+
+ath10k must therefore also use this flag when it queues a radar channel for
+scanning. This should reduce the chance of an active scan when the channel
+might be "unusable" for transmissions.
+
+Fixes: e8a50f8ba44b ("ath10k: introduce DFS implementation")
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -3074,6 +3074,13 @@ static int ath10k_update_channel_list(st
+ passive = channel->flags & IEEE80211_CHAN_NO_IR;
+ ch->passive = passive;
+
++ /* the firmware is ignoring the "radar" flag of the
++ * channel and is scanning actively using Probe Requests
++ * on "Radar detection"/DFS channels which are not
++ * marked as "available"
++ */
++ ch->passive |= ch->chan_radar;
++
+ ch->freq = channel->center_freq;
+ ch->band_center_freq1 = channel->center_freq;
+ ch->min_power = 0;
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Felix Fietkau <nbd@nbd.name>
+Date: Mon, 30 Jul 2018 21:31:23 +0300
+Subject: ath9k: report tx status on EOSP
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 36e14a787dd0b459760de3622e9709edb745a6af ]
+
+Fixes missed indications of end of U-APSD service period to mac80211
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath9k/xmit.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath9k/xmit.c
++++ b/drivers/net/wireless/ath/ath9k/xmit.c
+@@ -86,7 +86,8 @@ static void ath_tx_status(struct ieee802
+ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+ struct ieee80211_sta *sta = info->status.status_driver_data[0];
+
+- if (info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS) {
++ if (info->flags & (IEEE80211_TX_CTL_REQ_TX_STATUS |
++ IEEE80211_TX_STATUS_EOSP)) {
+ ieee80211_tx_status(hw, skb);
+ return;
+ }
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Felix Fietkau <nbd@nbd.name>
+Date: Mon, 30 Jul 2018 21:31:28 +0300
+Subject: ath9k_hw: fix channel maximum power level test
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 461d8a6bb9879b0e619752d040292e67aa06f1d2 ]
+
+The tx power applied by set_txpower is limited by the CTL (conformance
+test limit) entries in the EEPROM. These can change based on the user
+configured regulatory domain.
+Depending on the EEPROM data this can cause the tx power to become too
+limited, if the original regdomain CTLs impose lower limits than the CTLs
+of the user configured regdomain.
+
+To fix this issue, set the initial channel limits without any CTL
+restrictions and only apply the CTL at run time when setting the channel
+and the real tx power.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath9k/hw.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/hw.c
++++ b/drivers/net/wireless/ath/ath9k/hw.c
+@@ -2915,16 +2915,19 @@ void ath9k_hw_apply_txpower(struct ath_h
+ struct ath_regulatory *reg = ath9k_hw_regulatory(ah);
+ struct ieee80211_channel *channel;
+ int chan_pwr, new_pwr;
++ u16 ctl = NO_CTL;
+
+ if (!chan)
+ return;
+
++ if (!test)
++ ctl = ath9k_regd_get_ctl(reg, chan);
++
+ channel = chan->chan;
+ chan_pwr = min_t(int, channel->max_power * 2, MAX_RATE_POWER);
+ new_pwr = min_t(int, chan_pwr, reg->power_limit);
+
+- ah->eep_ops->set_txpower(ah, chan,
+- ath9k_regd_get_ctl(reg, chan),
++ ah->eep_ops->set_txpower(ah, chan, ctl,
+ get_antenna_gain(ah, chan), new_pwr, test);
+ }
+
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Ming Lei <ming.lei@redhat.com>
+Date: Thu, 2 Aug 2018 18:23:26 +0800
+Subject: blk-mq: fix updating tags depth
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 75d6e175fc511e95ae3eb8f708680133bc211ed3 ]
+
+The passed 'nr' from userspace represents the total depth, meantime
+inside 'struct blk_mq_tags', 'nr_tags' stores the total tag depth,
+and 'nr_reserved_tags' stores the reserved part.
+
+There are two issues in blk_mq_tag_update_depth() now:
+
+1) for growing tags, we should have used the passed 'nr', and keep the
+number of reserved tags not changed.
+
+2) the passed 'nr' should have been used for checking against
+'tags->nr_tags', instead of number of the normal part.
+
+This patch fixes the above two cases, and avoids kernel crash caused
+by wrong resizing sbitmap queue.
+
+Cc: "Ewan D. Milne" <emilne@redhat.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Bart Van Assche <bart.vanassche@sandisk.com>
+Cc: Omar Sandoval <osandov@fb.com>
+Tested by: Marco Patalano <mpatalan@redhat.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq-tag.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/block/blk-mq-tag.c
++++ b/block/blk-mq-tag.c
+@@ -416,8 +416,6 @@ int blk_mq_tag_update_depth(struct blk_m
+ if (tdepth <= tags->nr_reserved_tags)
+ return -EINVAL;
+
+- tdepth -= tags->nr_reserved_tags;
+-
+ /*
+ * If we are allowed to grow beyond the original size, allocate
+ * a new set of tags before freeing the old one.
+@@ -437,7 +435,8 @@ int blk_mq_tag_update_depth(struct blk_m
+ if (tdepth > 16 * BLKDEV_MAX_RQ)
+ return -EINVAL;
+
+- new = blk_mq_alloc_rq_map(set, hctx->queue_num, tdepth, 0);
++ new = blk_mq_alloc_rq_map(set, hctx->queue_num, tdepth,
++ tags->nr_reserved_tags);
+ if (!new)
+ return -ENOMEM;
+ ret = blk_mq_alloc_rqs(set, new, hctx->queue_num, tdepth);
+@@ -454,7 +453,8 @@ int blk_mq_tag_update_depth(struct blk_m
+ * Don't need (or can't) update reserved tags here, they
+ * remain static and should never need resizing.
+ */
+- sbitmap_queue_resize(&tags->bitmap_tags, tdepth);
++ sbitmap_queue_resize(&tags->bitmap_tags,
++ tdepth - tags->nr_reserved_tags);
+ }
+
+ return 0;
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Johan Hedberg <johan.hedberg@intel.com>
+Date: Sat, 4 Aug 2018 23:40:26 +0300
+Subject: Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV
+
+From: Johan Hedberg <johan.hedberg@intel.com>
+
+[ Upstream commit 6c3711ec64fd23a9abc8aaf59a9429569a6282df ]
+
+This driver was recently updated to use serdev, so add the appropriate
+dependency. Without this one can get compiler warnings like this if
+CONFIG_SERIAL_DEV_BUS is not enabled:
+
+ CC [M] drivers/bluetooth/hci_h5.o
+drivers/bluetooth/hci_h5.c:934:36: warning: ‘h5_serdev_driver’ defined but not used [-Wunused-variable]
+ static struct serdev_device_driver h5_serdev_driver = {
+ ^~~~~~~~~~~~~~~~
+
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bluetooth/Kconfig
++++ b/drivers/bluetooth/Kconfig
+@@ -146,6 +146,7 @@ config BT_HCIUART_LL
+ config BT_HCIUART_3WIRE
+ bool "Three-wire UART (H5) protocol support"
+ depends on BT_HCIUART
++ depends on BT_HCIUART_SERDEV
+ help
+ The HCI Three-wire UART Transport Layer makes it possible to
+ user the Bluetooth HCI over a serial port interface. The HCI
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Mon, 30 Jul 2018 13:57:41 +0200
+Subject: Bluetooth: hidp: Fix handling of strncpy for hid->name information
+
+From: Marcel Holtmann <marcel@holtmann.org>
+
+[ Upstream commit b3cadaa485f0c20add1644a5c877b0765b285c0c ]
+
+This fixes two issues with setting hid->name information.
+
+ CC net/bluetooth/hidp/core.o
+In function ‘hidp_setup_hid’,
+ inlined from ‘hidp_session_dev_init’ at net/bluetooth/hidp/core.c:815:9,
+ inlined from ‘hidp_session_new’ at net/bluetooth/hidp/core.c:953:8,
+ inlined from ‘hidp_connection_add’ at net/bluetooth/hidp/core.c:1366:8:
+net/bluetooth/hidp/core.c:778:2: warning: ‘strncpy’ output may be truncated copying 127 bytes from a string of length 127 [-Wstringop-truncation]
+ strncpy(hid->name, req->name, sizeof(req->name) - 1);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ CC net/bluetooth/hidp/core.o
+net/bluetooth/hidp/core.c: In function ‘hidp_setup_hid’:
+net/bluetooth/hidp/core.c:778:38: warning: argument to ‘sizeof’ in ‘strncpy’ call is the same expression as the source; did you mean to use the size of the destination? [-Wsizeof-pointer-memaccess]
+ strncpy(hid->name, req->name, sizeof(req->name));
+ ^
+
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hidp/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -775,7 +775,7 @@ static int hidp_setup_hid(struct hidp_se
+ hid->version = req->version;
+ hid->country = req->country;
+
+- strncpy(hid->name, req->name, sizeof(req->name) - 1);
++ strncpy(hid->name, req->name, sizeof(hid->name));
+
+ snprintf(hid->phys, sizeof(hid->phys), "%pMR",
+ &l2cap_pi(session->ctrl_sock->sk)->chan->src);
--- /dev/null
+From 6e36719fbe90213fbba9f50093fa2d4d69b0e93c Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 15 Jan 2018 17:07:22 +0100
+Subject: crypto: aes-generic - fix aes-generic regression on powerpc
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 6e36719fbe90213fbba9f50093fa2d4d69b0e93c upstream.
+
+My last bugfix added -Os on the command line, which unfortunately caused
+a build regression on powerpc in some configurations.
+
+I've done some more analysis of the original problem and found slightly
+different workaround that avoids this regression and also results in
+better performance on gcc-7.0: -fcode-hoisting is an optimization step
+that got added in gcc-7 and that for all gcc-7 versions causes worse
+performance.
+
+This disables -fcode-hoisting on all compilers that understand the option.
+For gcc-7.1 and 7.2 I found the same performance as my previous patch
+(using -Os), in gcc-7.0 it was even better. On gcc-8 I could see no
+change in performance from this patch. In theory, code hoisting should
+not be able make things better for the AES cipher, so leaving it
+disabled for gcc-8 only serves to simplify the Makefile change.
+
+Reported-by: kbuild test robot <fengguang.wu@intel.com>
+Link: https://www.mail-archive.com/linux-crypto@vger.kernel.org/msg30418.html
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83356
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83651
+Fixes: 148b974deea9 ("crypto: aes-generic - build with -Os on gcc-7+")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: Horia Geanta <horia.geanta@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/Makefile
++++ b/crypto/Makefile
+@@ -98,7 +98,7 @@ obj-$(CONFIG_CRYPTO_TWOFISH_COMMON) += t
+ obj-$(CONFIG_CRYPTO_SERPENT) += serpent_generic.o
+ CFLAGS_serpent_generic.o := $(call cc-option,-fsched-pressure) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149
+ obj-$(CONFIG_CRYPTO_AES) += aes_generic.o
+-CFLAGS_aes_generic.o := $(call cc-ifversion, -ge, 0701, -Os) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83356
++CFLAGS_aes_generic.o := $(call cc-option,-fno-code-hoisting) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83356
+ obj-$(CONFIG_CRYPTO_AES_TI) += aes_ti.o
+ obj-$(CONFIG_CRYPTO_CAMELLIA) += camellia_generic.o
+ obj-$(CONFIG_CRYPTO_CAST_COMMON) += cast_common.o
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: John Pittman <jpittman@redhat.com>
+Date: Thu, 21 Jun 2018 17:35:33 -0400
+Subject: dm cache: only allow a single io_mode cache feature to be requested
+
+From: John Pittman <jpittman@redhat.com>
+
+[ Upstream commit af9313c32c0fa2a0ac3b113669273833d60cc9de ]
+
+More than one io_mode feature can be requested when creating a dm cache
+device (as is: last one wins). The io_mode selections are incompatible
+with one another, we should force them to be selected exclusively. Add
+a counter to check for more than one io_mode selection.
+
+Fixes: 629d0a8a1a10 ("dm cache metadata: add "metadata2" feature")
+Signed-off-by: John Pittman <jpittman@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-cache-target.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/dm-cache-target.c
++++ b/drivers/md/dm-cache-target.c
+@@ -2330,7 +2330,7 @@ static int parse_features(struct cache_a
+ {0, 2, "Invalid number of cache feature arguments"},
+ };
+
+- int r;
++ int r, mode_ctr = 0;
+ unsigned argc;
+ const char *arg;
+ struct cache_features *cf = &ca->features;
+@@ -2344,14 +2344,20 @@ static int parse_features(struct cache_a
+ while (argc--) {
+ arg = dm_shift_arg(as);
+
+- if (!strcasecmp(arg, "writeback"))
++ if (!strcasecmp(arg, "writeback")) {
+ cf->io_mode = CM_IO_WRITEBACK;
++ mode_ctr++;
++ }
+
+- else if (!strcasecmp(arg, "writethrough"))
++ else if (!strcasecmp(arg, "writethrough")) {
+ cf->io_mode = CM_IO_WRITETHROUGH;
++ mode_ctr++;
++ }
+
+- else if (!strcasecmp(arg, "passthrough"))
++ else if (!strcasecmp(arg, "passthrough")) {
+ cf->io_mode = CM_IO_PASSTHROUGH;
++ mode_ctr++;
++ }
+
+ else if (!strcasecmp(arg, "metadata2"))
+ cf->metadata_version = 2;
+@@ -2362,6 +2368,11 @@ static int parse_features(struct cache_a
+ }
+ }
+
++ if (mode_ctr > 1) {
++ *error = "Duplicate cache io_mode features requested";
++ return -EINVAL;
++ }
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Michael Kelley <mikelley@microsoft.com>
+Date: Thu, 2 Aug 2018 03:08:25 +0000
+Subject: Drivers: hv: vmbus: Cleanup synic memory free path
+
+From: Michael Kelley <mikelley@microsoft.com>
+
+[ Upstream commit 572086325ce9a9e348b8748e830653f3959e88b6 ]
+
+clk_evt memory is not being freed when the synic is shutdown
+or when there is an allocation error. Add the appropriate
+kfree() call, along with a comment to clarify how the memory
+gets freed after an allocation error. Make the free path
+consistent by removing checks for NULL since kfree() and
+free_page() already do the check.
+
+Signed-off-by: Michael Kelley <mikelley@microsoft.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hv/hv.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/hv/hv.c
++++ b/drivers/hv/hv.c
+@@ -196,6 +196,10 @@ int hv_synic_alloc(void)
+
+ return 0;
+ err:
++ /*
++ * Any memory allocations that succeeded will be freed when
++ * the caller cleans up by calling hv_synic_free()
++ */
+ return -ENOMEM;
+ }
+
+@@ -208,12 +212,10 @@ void hv_synic_free(void)
+ struct hv_per_cpu_context *hv_cpu
+ = per_cpu_ptr(hv_context.cpu_context, cpu);
+
+- if (hv_cpu->synic_event_page)
+- free_page((unsigned long)hv_cpu->synic_event_page);
+- if (hv_cpu->synic_message_page)
+- free_page((unsigned long)hv_cpu->synic_message_page);
+- if (hv_cpu->post_msg_page)
+- free_page((unsigned long)hv_cpu->post_msg_page);
++ kfree(hv_cpu->clk_evt);
++ free_page((unsigned long)hv_cpu->synic_event_page);
++ free_page((unsigned long)hv_cpu->synic_message_page);
++ free_page((unsigned long)hv_cpu->post_msg_page);
+ }
+
+ kfree(hv_context.hv_numa_map);
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Sat, 4 Aug 2018 14:20:40 -0700
+Subject: ethtool: Remove trailing semicolon for static inline
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit d89d41556141a527030a15233135ba622ba3350d ]
+
+Android's header sanitization tool chokes on static inline functions having a
+trailing semicolon, leading to an incorrectly parsed header file. While the
+tool should obviously be fixed, also fix the header files for the two affected
+functions: ethtool_get_flow_spec_ring() and ethtool_get_flow_spec_ring_vf().
+
+Fixes: 8cf6f497de40 ("ethtool: Add helper routines to pass vf to rx_flow_spec")
+Reporetd-by: Blair Prescott <blair.prescott@broadcom.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/ethtool.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/uapi/linux/ethtool.h
++++ b/include/uapi/linux/ethtool.h
+@@ -898,13 +898,13 @@ struct ethtool_rx_flow_spec {
+ static inline __u64 ethtool_get_flow_spec_ring(__u64 ring_cookie)
+ {
+ return ETHTOOL_RX_FLOW_SPEC_RING & ring_cookie;
+-};
++}
+
+ static inline __u64 ethtool_get_flow_spec_ring_vf(__u64 ring_cookie)
+ {
+ return (ETHTOOL_RX_FLOW_SPEC_RING_VF & ring_cookie) >>
+ ETHTOOL_RX_FLOW_SPEC_RING_VF_OFF;
+-};
++}
+
+ /**
+ * struct ethtool_rxnfc - command to get or set RX flow classification rules
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Yunlong Song <yunlong.song@huawei.com>
+Date: Thu, 12 Jul 2018 23:09:26 +0800
+Subject: f2fs: do not set free of current section
+
+From: Yunlong Song <yunlong.song@huawei.com>
+
+[ Upstream commit 3611ce9911267cb93d364bd71ddea6821278d11f ]
+
+For the case when sbi->segs_per_sec > 1, take section:segment = 5 for
+example, if segment 1 is just used and allocate new segment 2, and the
+blocks of segment 1 is invalidated, at this time, the previous code will
+use __set_test_and_free to free the free_secmap and free_sections++,
+this is not correct since it is still a current section, so fix it.
+
+Signed-off-by: Yunlong Song <yunlong.song@huawei.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/segment.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/f2fs/segment.h
++++ b/fs/f2fs/segment.h
+@@ -414,6 +414,8 @@ static inline void __set_test_and_free(s
+ if (test_and_clear_bit(segno, free_i->free_segmap)) {
+ free_i->free_segments++;
+
++ if (IS_CURSEC(sbi, secno))
++ goto skip_free;
+ next = find_next_bit(free_i->free_segmap,
+ start_segno + sbi->segs_per_sec, start_segno);
+ if (next >= start_segno + sbi->segs_per_sec) {
+@@ -421,6 +423,7 @@ static inline void __set_test_and_free(s
+ free_i->free_sections++;
+ }
+ }
++skip_free:
+ spin_unlock(&free_i->segmap_lock);
+ }
+
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Fri, 6 Jul 2018 20:50:57 -0700
+Subject: f2fs: fix defined but not used build warnings
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit cb15d1e43db0a6341c1e26ac6a2c74e61b74f1aa ]
+
+Fix build warnings in f2fs when CONFIG_PROC_FS is not enabled
+by marking the unused functions as __maybe_unused.
+
+../fs/f2fs/sysfs.c:519:12: warning: 'segment_info_seq_show' defined but not used [-Wunused-function]
+../fs/f2fs/sysfs.c:546:12: warning: 'segment_bits_seq_show' defined but not used [-Wunused-function]
+../fs/f2fs/sysfs.c:570:12: warning: 'iostat_info_seq_show' defined but not used [-Wunused-function]
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Jaegeuk Kim <jaegeuk@kernel.org>
+Cc: Chao Yu <yuchao0@huawei.com>
+Cc: linux-f2fs-devel@lists.sourceforge.net
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/sysfs.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/f2fs/sysfs.c
++++ b/fs/f2fs/sysfs.c
+@@ -9,6 +9,7 @@
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
++#include <linux/compiler.h>
+ #include <linux/proc_fs.h>
+ #include <linux/f2fs_fs.h>
+ #include <linux/seq_file.h>
+@@ -381,7 +382,8 @@ static struct kobject f2fs_feat = {
+ .kset = &f2fs_kset,
+ };
+
+-static int segment_info_seq_show(struct seq_file *seq, void *offset)
++static int __maybe_unused segment_info_seq_show(struct seq_file *seq,
++ void *offset)
+ {
+ struct super_block *sb = seq->private;
+ struct f2fs_sb_info *sbi = F2FS_SB(sb);
+@@ -408,7 +410,8 @@ static int segment_info_seq_show(struct
+ return 0;
+ }
+
+-static int segment_bits_seq_show(struct seq_file *seq, void *offset)
++static int __maybe_unused segment_bits_seq_show(struct seq_file *seq,
++ void *offset)
+ {
+ struct super_block *sb = seq->private;
+ struct f2fs_sb_info *sbi = F2FS_SB(sb);
+@@ -432,7 +435,8 @@ static int segment_bits_seq_show(struct
+ return 0;
+ }
+
+-static int iostat_info_seq_show(struct seq_file *seq, void *offset)
++static int __maybe_unused iostat_info_seq_show(struct seq_file *seq,
++ void *offset)
+ {
+ struct super_block *sb = seq->private;
+ struct f2fs_sb_info *sbi = F2FS_SB(sb);
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Chao Yu <yuchao0@huawei.com>
+Date: Fri, 27 Jul 2018 18:15:14 +0800
+Subject: f2fs: fix to active page in lru list for read path
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 82cf4f132e6d16dca6fc3bd955019246141bc645 ]
+
+If config CONFIG_F2FS_FAULT_INJECTION is on, for both read or write path
+we will call find_lock_page() to get the page, but for read path, it
+missed to passing FGP_ACCESSED to allocator to active the page in LRU
+list, result in being reclaimed in advance incorrectly, fix it.
+
+Reported-by: Xianrong Zhou <zhouxianrong@huawei.com>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/f2fs.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1766,8 +1766,13 @@ static inline struct page *f2fs_grab_cac
+ pgoff_t index, bool for_write)
+ {
+ #ifdef CONFIG_F2FS_FAULT_INJECTION
+- struct page *page = find_lock_page(mapping, index);
++ struct page *page;
+
++ if (!for_write)
++ page = find_get_page_flags(mapping, index,
++ FGP_LOCK | FGP_ACCESSED);
++ else
++ page = find_lock_page(mapping, index);
+ if (page)
+ return page;
+
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Chao Yu <yuchao0@huawei.com>
+Date: Sat, 30 Jun 2018 18:13:40 +0800
+Subject: f2fs: fix to do sanity check with reserved blkaddr of inline inode
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 4dbe38dc386910c668c75ae616b99b823b59f3eb ]
+
+As Wen Xu reported in bugzilla, after image was injected with random data
+by fuzzing, inline inode would contain invalid reserved blkaddr, then
+during inline conversion, we will encounter illegal memory accessing
+reported by KASAN, the root cause of this is when writing out converted
+inline page, we will use invalid reserved blkaddr to update sit bitmap,
+result in accessing memory beyond sit bitmap boundary.
+
+In order to fix this issue, let's do sanity check with reserved block
+address of inline inode to avoid above condition.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200179
+
+[ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0
+[ 1428.846618] Read of size 4 at addr ffff880194483540 by task a.out/2741
+
+[ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G W 4.17.0+ #1
+[ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+[ 1428.846860] Call Trace:
+[ 1428.846868] dump_stack+0x71/0xab
+[ 1428.846875] print_address_description+0x6b/0x290
+[ 1428.846881] kasan_report+0x28e/0x390
+[ 1428.846888] ? update_sit_entry+0x80/0x7f0
+[ 1428.846898] update_sit_entry+0x80/0x7f0
+[ 1428.846906] f2fs_allocate_data_block+0x6db/0xc70
+[ 1428.846914] ? f2fs_get_node_info+0x14f/0x590
+[ 1428.846920] do_write_page+0xc8/0x150
+[ 1428.846928] f2fs_outplace_write_data+0xfe/0x210
+[ 1428.846935] ? f2fs_do_write_node_page+0x170/0x170
+[ 1428.846941] ? radix_tree_tag_clear+0xff/0x130
+[ 1428.846946] ? __mod_node_page_state+0x22/0xa0
+[ 1428.846951] ? inc_zone_page_state+0x54/0x100
+[ 1428.846956] ? __test_set_page_writeback+0x336/0x5d0
+[ 1428.846964] f2fs_convert_inline_page+0x407/0x6d0
+[ 1428.846971] ? f2fs_read_inline_data+0x3b0/0x3b0
+[ 1428.846978] ? __get_node_page+0x335/0x6b0
+[ 1428.846987] f2fs_convert_inline_inode+0x41b/0x500
+[ 1428.846994] ? f2fs_convert_inline_page+0x6d0/0x6d0
+[ 1428.847000] ? kasan_unpoison_shadow+0x31/0x40
+[ 1428.847005] ? kasan_kmalloc+0xa6/0xd0
+[ 1428.847024] f2fs_file_mmap+0x79/0xc0
+[ 1428.847029] mmap_region+0x58b/0x880
+[ 1428.847037] ? arch_get_unmapped_area+0x370/0x370
+[ 1428.847042] do_mmap+0x55b/0x7a0
+[ 1428.847048] vm_mmap_pgoff+0x16f/0x1c0
+[ 1428.847055] ? vma_is_stack_for_current+0x50/0x50
+[ 1428.847062] ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
+[ 1428.847068] ? do_sys_open+0x206/0x2a0
+[ 1428.847073] ? __fget+0xb4/0x100
+[ 1428.847079] ksys_mmap_pgoff+0x278/0x360
+[ 1428.847085] ? find_mergeable_anon_vma+0x50/0x50
+[ 1428.847091] do_syscall_64+0x73/0x160
+[ 1428.847098] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 1428.847102] RIP: 0033:0x7fb1430766ba
+[ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
+[ 1428.847162] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
+[ 1428.847167] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
+[ 1428.847170] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
+[ 1428.847173] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
+[ 1428.847176] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
+[ 1428.847179] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
+
+[ 1428.847252] Allocated by task 2683:
+[ 1428.847372] kasan_kmalloc+0xa6/0xd0
+[ 1428.847380] kmem_cache_alloc+0xc8/0x1e0
+[ 1428.847385] getname_flags+0x73/0x2b0
+[ 1428.847390] user_path_at_empty+0x1d/0x40
+[ 1428.847395] vfs_statx+0xc1/0x150
+[ 1428.847401] __do_sys_newlstat+0x7e/0xd0
+[ 1428.847405] do_syscall_64+0x73/0x160
+[ 1428.847411] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+[ 1428.847466] Freed by task 2683:
+[ 1428.847566] __kasan_slab_free+0x137/0x190
+[ 1428.847571] kmem_cache_free+0x85/0x1e0
+[ 1428.847575] filename_lookup+0x191/0x280
+[ 1428.847580] vfs_statx+0xc1/0x150
+[ 1428.847585] __do_sys_newlstat+0x7e/0xd0
+[ 1428.847590] do_syscall_64+0x73/0x160
+[ 1428.847596] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+[ 1428.847648] The buggy address belongs to the object at ffff880194483300
+ which belongs to the cache names_cache of size 4096
+[ 1428.847946] The buggy address is located 576 bytes inside of
+ 4096-byte region [ffff880194483300, ffff880194484300)
+[ 1428.848234] The buggy address belongs to the page:
+[ 1428.848366] page:ffffea0006512000 count:1 mapcount:0 mapping:ffff8801f3586380 index:0x0 compound_mapcount: 0
+[ 1428.848606] flags: 0x17fff8000008100(slab|head)
+[ 1428.848737] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380
+[ 1428.848931] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
+[ 1428.849122] page dumped because: kasan: bad access detected
+
+[ 1428.849305] Memory state around the buggy address:
+[ 1428.849436] ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 1428.849620] ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 1428.849804] >ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 1428.849985] ^
+[ 1428.850120] ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 1428.850303] ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 1428.850498] ==================================================================
+
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/inline.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/fs/f2fs/inline.c
++++ b/fs/f2fs/inline.c
+@@ -128,6 +128,16 @@ int f2fs_convert_inline_page(struct dnod
+ if (err)
+ return err;
+
++ if (unlikely(dn->data_blkaddr != NEW_ADDR)) {
++ f2fs_put_dnode(dn);
++ set_sbi_flag(fio.sbi, SBI_NEED_FSCK);
++ f2fs_msg(fio.sbi->sb, KERN_WARNING,
++ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
++ "run fsck to fix.",
++ __func__, dn->inode->i_ino, dn->data_blkaddr);
++ return -EINVAL;
++ }
++
+ f2fs_bug_on(F2FS_P_SB(page), PageWriteback(page));
+
+ read_inline_data(page, dn->inode_page);
+@@ -365,6 +375,17 @@ static int f2fs_move_inline_dirents(stru
+ if (err)
+ goto out;
+
++ if (unlikely(dn.data_blkaddr != NEW_ADDR)) {
++ f2fs_put_dnode(&dn);
++ set_sbi_flag(F2FS_P_SB(page), SBI_NEED_FSCK);
++ f2fs_msg(F2FS_P_SB(page)->sb, KERN_WARNING,
++ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
++ "run fsck to fix.",
++ __func__, dir->i_ino, dn.data_blkaddr);
++ err = -EINVAL;
++ goto out;
++ }
++
+ f2fs_wait_on_page_writeback(page, DATA, true);
+ zero_user_segment(page, MAX_INLINE_DATA(dir), PAGE_SIZE);
+
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Chao Yu <yuchao0@huawei.com>
+Date: Sat, 23 Jun 2018 11:25:19 +0800
+Subject: f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit c77ec61ca0a49544ca81881cc5d5529858f7e196 ]
+
+This patch adds to do sanity check with {sit,nat}_ver_bitmap_bytesize
+during mount, in order to avoid accessing across cache boundary with
+this abnormal bitmap size.
+
+- Overview
+buffer overrun in build_sit_info() when mounting a crafted f2fs image
+
+- Reproduce
+
+- Kernel message
+[ 548.580867] F2FS-fs (loop0): Invalid log blocks per segment (8201)
+
+[ 548.580877] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
+[ 548.584979] ==================================================================
+[ 548.586568] BUG: KASAN: use-after-free in kmemdup+0x36/0x50
+[ 548.587715] Read of size 64 at addr ffff8801e9c265ff by task mount/1295
+
+[ 548.589428] CPU: 1 PID: 1295 Comm: mount Not tainted 4.18.0-rc1+ #4
+[ 548.589432] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+[ 548.589438] Call Trace:
+[ 548.589474] dump_stack+0x7b/0xb5
+[ 548.589487] print_address_description+0x70/0x290
+[ 548.589492] kasan_report+0x291/0x390
+[ 548.589496] ? kmemdup+0x36/0x50
+[ 548.589509] check_memory_region+0x139/0x190
+[ 548.589514] memcpy+0x23/0x50
+[ 548.589518] kmemdup+0x36/0x50
+[ 548.589545] f2fs_build_segment_manager+0x8fa/0x3410
+[ 548.589551] ? __asan_loadN+0xf/0x20
+[ 548.589560] ? f2fs_sanity_check_ckpt+0x1be/0x240
+[ 548.589566] ? f2fs_flush_sit_entries+0x10c0/0x10c0
+[ 548.589587] ? __put_user_ns+0x40/0x40
+[ 548.589604] ? find_next_bit+0x57/0x90
+[ 548.589610] f2fs_fill_super+0x194b/0x2b40
+[ 548.589617] ? f2fs_commit_super+0x1b0/0x1b0
+[ 548.589637] ? set_blocksize+0x90/0x140
+[ 548.589651] mount_bdev+0x1c5/0x210
+[ 548.589655] ? f2fs_commit_super+0x1b0/0x1b0
+[ 548.589667] f2fs_mount+0x15/0x20
+[ 548.589672] mount_fs+0x60/0x1a0
+[ 548.589683] ? alloc_vfsmnt+0x309/0x360
+[ 548.589688] vfs_kern_mount+0x6b/0x1a0
+[ 548.589699] do_mount+0x34a/0x18c0
+[ 548.589710] ? lockref_put_or_lock+0xcf/0x160
+[ 548.589716] ? copy_mount_string+0x20/0x20
+[ 548.589728] ? memcg_kmem_put_cache+0x1b/0xa0
+[ 548.589734] ? kasan_check_write+0x14/0x20
+[ 548.589740] ? _copy_from_user+0x6a/0x90
+[ 548.589744] ? memdup_user+0x42/0x60
+[ 548.589750] ksys_mount+0x83/0xd0
+[ 548.589755] __x64_sys_mount+0x67/0x80
+[ 548.589781] do_syscall_64+0x78/0x170
+[ 548.589797] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 548.589820] RIP: 0033:0x7f76fc331b9a
+[ 548.589821] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
+[ 548.589880] RSP: 002b:00007ffd4f0a0e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
+[ 548.589890] RAX: ffffffffffffffda RBX: 000000000146c030 RCX: 00007f76fc331b9a
+[ 548.589892] RDX: 000000000146c210 RSI: 000000000146df30 RDI: 0000000001474ec0
+[ 548.589895] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
+[ 548.589897] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001474ec0
+[ 548.589900] R13: 000000000146c210 R14: 0000000000000000 R15: 0000000000000003
+
+[ 548.590242] The buggy address belongs to the page:
+[ 548.591243] page:ffffea0007a70980 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+[ 548.592886] flags: 0x2ffff0000000000()
+[ 548.593665] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
+[ 548.595258] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+[ 548.603713] page dumped because: kasan: bad access detected
+
+[ 548.605203] Memory state around the buggy address:
+[ 548.606198] ffff8801e9c26480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 548.607676] ffff8801e9c26500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 548.609157] >ffff8801e9c26580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 548.610629] ^
+[ 548.612088] ffff8801e9c26600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 548.613674] ffff8801e9c26680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 548.615141] ==================================================================
+[ 548.616613] Disabling lock debugging due to kernel taint
+[ 548.622871] WARNING: CPU: 1 PID: 1295 at mm/page_alloc.c:4065 __alloc_pages_slowpath+0xe4a/0x1420
+[ 548.622878] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
+[ 548.623217] CPU: 1 PID: 1295 Comm: mount Tainted: G B 4.18.0-rc1+ #4
+[ 548.623219] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+[ 548.623226] RIP: 0010:__alloc_pages_slowpath+0xe4a/0x1420
+[ 548.623227] Code: ff ff 01 89 85 c8 fe ff ff e9 91 fc ff ff 41 89 c5 e9 5c fc ff ff 0f 0b 89 f8 25 ff ff f7 ff 89 85 8c fe ff ff e9 d5 f2 ff ff <0f> 0b e9 65 f2 ff ff 65 8b 05 38 81 d2 47 f6 c4 01 74 1c 65 48 8b
+[ 548.623281] RSP: 0018:ffff8801f28c7678 EFLAGS: 00010246
+[ 548.623284] RAX: 0000000000000000 RBX: 00000000006040c0 RCX: ffffffffb82f73b7
+[ 548.623287] RDX: 1ffff1003e518eeb RSI: 000000000000000c RDI: 0000000000000000
+[ 548.623290] RBP: ffff8801f28c7880 R08: 0000000000000000 R09: ffffed0047fff2c5
+[ 548.623292] R10: 0000000000000001 R11: ffffed0047fff2c4 R12: ffff8801e88de040
+[ 548.623295] R13: 00000000006040c0 R14: 000000000000000c R15: ffff8801f28c7938
+[ 548.623299] FS: 00007f76fca51840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
+[ 548.623302] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 548.623304] CR2: 00007f19b9171760 CR3: 00000001ed952000 CR4: 00000000000006e0
+[ 548.623317] Call Trace:
+[ 548.623325] ? kasan_check_read+0x11/0x20
+[ 548.623330] ? __zone_watermark_ok+0x92/0x240
+[ 548.623336] ? get_page_from_freelist+0x1c3/0x1d90
+[ 548.623347] ? _raw_spin_lock_irqsave+0x2a/0x60
+[ 548.623353] ? warn_alloc+0x250/0x250
+[ 548.623358] ? save_stack+0x46/0xd0
+[ 548.623361] ? kasan_kmalloc+0xad/0xe0
+[ 548.623366] ? __isolate_free_page+0x2a0/0x2a0
+[ 548.623370] ? mount_fs+0x60/0x1a0
+[ 548.623374] ? vfs_kern_mount+0x6b/0x1a0
+[ 548.623378] ? do_mount+0x34a/0x18c0
+[ 548.623383] ? ksys_mount+0x83/0xd0
+[ 548.623387] ? __x64_sys_mount+0x67/0x80
+[ 548.623391] ? do_syscall_64+0x78/0x170
+[ 548.623396] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 548.623401] __alloc_pages_nodemask+0x3c5/0x400
+[ 548.623407] ? __alloc_pages_slowpath+0x1420/0x1420
+[ 548.623412] ? __mutex_lock_slowpath+0x20/0x20
+[ 548.623417] ? kvmalloc_node+0x31/0x80
+[ 548.623424] alloc_pages_current+0x75/0x110
+[ 548.623436] kmalloc_order+0x24/0x60
+[ 548.623442] kmalloc_order_trace+0x24/0xb0
+[ 548.623448] __kmalloc_track_caller+0x207/0x220
+[ 548.623455] ? f2fs_build_node_manager+0x399/0xbb0
+[ 548.623460] kmemdup+0x20/0x50
+[ 548.623465] f2fs_build_node_manager+0x399/0xbb0
+[ 548.623470] f2fs_fill_super+0x195e/0x2b40
+[ 548.623477] ? f2fs_commit_super+0x1b0/0x1b0
+[ 548.623481] ? set_blocksize+0x90/0x140
+[ 548.623486] mount_bdev+0x1c5/0x210
+[ 548.623489] ? f2fs_commit_super+0x1b0/0x1b0
+[ 548.623495] f2fs_mount+0x15/0x20
+[ 548.623498] mount_fs+0x60/0x1a0
+[ 548.623503] ? alloc_vfsmnt+0x309/0x360
+[ 548.623508] vfs_kern_mount+0x6b/0x1a0
+[ 548.623513] do_mount+0x34a/0x18c0
+[ 548.623518] ? lockref_put_or_lock+0xcf/0x160
+[ 548.623523] ? copy_mount_string+0x20/0x20
+[ 548.623528] ? memcg_kmem_put_cache+0x1b/0xa0
+[ 548.623533] ? kasan_check_write+0x14/0x20
+[ 548.623537] ? _copy_from_user+0x6a/0x90
+[ 548.623542] ? memdup_user+0x42/0x60
+[ 548.623547] ksys_mount+0x83/0xd0
+[ 548.623552] __x64_sys_mount+0x67/0x80
+[ 548.623557] do_syscall_64+0x78/0x170
+[ 548.623562] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 548.623566] RIP: 0033:0x7f76fc331b9a
+[ 548.623567] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
+[ 548.623632] RSP: 002b:00007ffd4f0a0e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
+[ 548.623636] RAX: ffffffffffffffda RBX: 000000000146c030 RCX: 00007f76fc331b9a
+[ 548.623639] RDX: 000000000146c210 RSI: 000000000146df30 RDI: 0000000001474ec0
+[ 548.623641] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
+[ 548.623643] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001474ec0
+[ 548.623646] R13: 000000000146c210 R14: 0000000000000000 R15: 0000000000000003
+[ 548.623650] ---[ end trace 4ce02f25ff7d3df5 ]---
+[ 548.623656] F2FS-fs (loop0): Failed to initialize F2FS node manager
+[ 548.627936] F2FS-fs (loop0): Invalid log blocks per segment (8201)
+
+[ 548.627940] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
+[ 548.635835] F2FS-fs (loop0): Failed to initialize F2FS node manager
+
+- Location
+https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.c#L3578
+
+ sit_i->sit_bitmap = kmemdup(src_bitmap, bitmap_size, GFP_KERNEL);
+
+Buffer overrun happens when doing memcpy. I suspect there is missing (inconsistent) checks on bitmap_size.
+
+Reported by Wen Xu (wen.xu@gatech.edu) from SSLab, Gatech.
+
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/super.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1883,12 +1883,17 @@ int sanity_check_ckpt(struct f2fs_sb_inf
+ struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi);
+ unsigned int ovp_segments, reserved_segments;
+ unsigned int main_segs, blocks_per_seg;
++ unsigned int sit_segs, nat_segs;
++ unsigned int sit_bitmap_size, nat_bitmap_size;
++ unsigned int log_blocks_per_seg;
+ int i;
+
+ total = le32_to_cpu(raw_super->segment_count);
+ fsmeta = le32_to_cpu(raw_super->segment_count_ckpt);
+- fsmeta += le32_to_cpu(raw_super->segment_count_sit);
+- fsmeta += le32_to_cpu(raw_super->segment_count_nat);
++ sit_segs = le32_to_cpu(raw_super->segment_count_sit);
++ fsmeta += sit_segs;
++ nat_segs = le32_to_cpu(raw_super->segment_count_nat);
++ fsmeta += nat_segs;
+ fsmeta += le32_to_cpu(ckpt->rsvd_segment_count);
+ fsmeta += le32_to_cpu(raw_super->segment_count_ssa);
+
+@@ -1919,6 +1924,18 @@ int sanity_check_ckpt(struct f2fs_sb_inf
+ return 1;
+ }
+
++ sit_bitmap_size = le32_to_cpu(ckpt->sit_ver_bitmap_bytesize);
++ nat_bitmap_size = le32_to_cpu(ckpt->nat_ver_bitmap_bytesize);
++ log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg);
++
++ if (sit_bitmap_size != ((sit_segs / 2) << log_blocks_per_seg) / 8 ||
++ nat_bitmap_size != ((nat_segs / 2) << log_blocks_per_seg) / 8) {
++ f2fs_msg(sbi->sb, KERN_ERR,
++ "Wrong bitmap size: sit: %u, nat:%u",
++ sit_bitmap_size, nat_bitmap_size);
++ return 1;
++ }
++
+ if (unlikely(f2fs_cp_error(sbi))) {
+ f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck");
+ return 1;
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Chao Yu <yuchao0@huawei.com>
+Date: Wed, 4 Jul 2018 21:20:05 +0800
+Subject: f2fs: fix to skip GC if type in SSA and SIT is inconsistent
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 10d255c3540239c7920f52d2eb223756e186af56 ]
+
+If segment type in SSA and SIT is inconsistent, we will encounter below
+BUG_ON during GC, to avoid this panic, let's just skip doing GC on such
+segment.
+
+The bug is triggered with image reported in below link:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200223
+
+[ 388.060262] ------------[ cut here ]------------
+[ 388.060268] kernel BUG at /home/y00370721/git/devf2fs/gc.c:989!
+[ 388.061172] invalid opcode: 0000 [#1] SMP
+[ 388.061773] Modules linked in: f2fs(O) bluetooth ecdh_generic xt_tcpudp iptable_filter ip_tables x_tables lp ttm drm_kms_helper drm intel_rapl sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel fb_sys_fops ppdev aes_x86_64 syscopyarea crypto_simd sysfillrect parport_pc joydev sysimgblt glue_helper parport cryptd i2c_piix4 serio_raw mac_hid btrfs hid_generic usbhid hid raid6_pq psmouse pata_acpi floppy
+[ 388.064247] CPU: 7 PID: 4151 Comm: f2fs_gc-7:0 Tainted: G O 4.13.0-rc1+ #26
+[ 388.065306] Hardware name: Xen HVM domU, BIOS 4.1.2_115-900.260_ 11/06/2015
+[ 388.066058] task: ffff880201583b80 task.stack: ffffc90004d7c000
+[ 388.069948] RIP: 0010:do_garbage_collect+0xcc8/0xcd0 [f2fs]
+[ 388.070766] RSP: 0018:ffffc90004d7fc68 EFLAGS: 00010202
+[ 388.071783] RAX: ffff8801ed227000 RBX: 0000000000000001 RCX: ffffea0007b489c0
+[ 388.072700] RDX: ffff880000000000 RSI: 0000000000000001 RDI: ffffea0007b489c0
+[ 388.073607] RBP: ffffc90004d7fd58 R08: 0000000000000003 R09: ffffea0007b489dc
+[ 388.074619] R10: 0000000000000000 R11: 0052782ab317138d R12: 0000000000000018
+[ 388.075625] R13: 0000000000000018 R14: ffff880211ceb000 R15: ffff880211ceb000
+[ 388.076687] FS: 0000000000000000(0000) GS:ffff880214fc0000(0000) knlGS:0000000000000000
+[ 388.083277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 388.084536] CR2: 0000000000e18c60 CR3: 00000001ecf2e000 CR4: 00000000001406e0
+[ 388.085748] Call Trace:
+[ 388.086690] ? find_next_bit+0xb/0x10
+[ 388.088091] f2fs_gc+0x1a8/0x9d0 [f2fs]
+[ 388.088888] ? lock_timer_base+0x7d/0xa0
+[ 388.090213] ? try_to_del_timer_sync+0x44/0x60
+[ 388.091698] gc_thread_func+0x342/0x4b0 [f2fs]
+[ 388.092892] ? wait_woken+0x80/0x80
+[ 388.094098] kthread+0x109/0x140
+[ 388.095010] ? f2fs_gc+0x9d0/0x9d0 [f2fs]
+[ 388.096043] ? kthread_park+0x60/0x60
+[ 388.097281] ret_from_fork+0x25/0x30
+[ 388.098401] Code: ff ff 48 83 e8 01 48 89 44 24 58 e9 27 f8 ff ff 48 83 e8 01 e9 78 fc ff ff 48 8d 78 ff e9 17 fb ff ff 48 83 ef 01 e9 4d f4 ff ff <0f> 0b 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55
+[ 388.100864] RIP: do_garbage_collect+0xcc8/0xcd0 [f2fs] RSP: ffffc90004d7fc68
+[ 388.101810] ---[ end trace 81c73d6e6b7da61d ]---
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/gc.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -958,7 +958,13 @@ static int do_garbage_collect(struct f2f
+ goto next;
+
+ sum = page_address(sum_page);
+- f2fs_bug_on(sbi, type != GET_SUM_TYPE((&sum->footer)));
++ if (type != GET_SUM_TYPE((&sum->footer))) {
++ f2fs_msg(sbi->sb, KERN_ERR, "Inconsistent segment (%u) "
++ "type [%d, %d] in SSA and SIT",
++ segno, type, GET_SUM_TYPE((&sum->footer)));
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ goto next;
++ }
+
+ /*
+ * this is to avoid deadlock:
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Chao Yu <yuchao0@huawei.com>
+Date: Thu, 21 Jun 2018 22:38:28 +0800
+Subject: f2fs: fix to wait on page writeback before updating page
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 6aead1617b3adf2b7e2c56f0f13e4e0ee42ebb4a ]
+
+In error path of f2fs_move_rehashed_dirents, inode page could be writeback
+state, so we should wait on inode page writeback before updating it.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/inline.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/f2fs/inline.c
++++ b/fs/f2fs/inline.c
+@@ -502,6 +502,7 @@ static int f2fs_move_rehashed_dirents(st
+ return 0;
+ recover:
+ lock_page(ipage);
++ f2fs_wait_on_page_writeback(ipage, NODE, true);
+ memcpy(inline_dentry, backup_dentry, MAX_INLINE_DATA(dir));
+ f2fs_i_depth_write(dir, 0);
+ f2fs_i_size_write(dir, MAX_INLINE_DATA(dir));
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 20 Jun 2018 13:39:53 +0300
+Subject: f2fs: Fix uninitialized return in f2fs_ioc_shutdown()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 2a96d8ad94ce57cb0072f7a660b1039720c47716 ]
+
+"ret" can be uninitialized on the success path when "in ==
+F2FS_GOING_DOWN_FULLSYNC".
+
+Fixes: 60b2b4ee2bc0 ("f2fs: Fix deadlock in shutdown ioctl")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -1803,7 +1803,7 @@ static int f2fs_ioc_shutdown(struct file
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+ struct super_block *sb = sbi->sb;
+ __u32 in;
+- int ret;
++ int ret = 0;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Chao Yu <yuchao0@huawei.com>
+Date: Wed, 4 Jul 2018 18:04:10 +0800
+Subject: f2fs: try grabbing node page lock aggressively in sync scenario
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 4b270a8cc5047682f0a3f3f9af3b498408dbd2bc ]
+
+In synchronous scenario, like in checkpoint(), we are going to flush
+dirty node pages to device synchronously, we can easily failed
+writebacking node page due to trylock_page() failure, especially in
+condition of intensive lock competition, which can cause long latency
+of checkpoint(). So let's use lock_page() in synchronous scenario to
+avoid this issue.
+
+Signed-off-by: Yunlei He <heyunlei@huawei.com>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/node.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -1610,7 +1610,9 @@ next_step:
+ !is_cold_node(page)))
+ continue;
+ lock_node:
+- if (!trylock_page(page))
++ if (wbc->sync_mode == WB_SYNC_ALL)
++ lock_page(page);
++ else if (!trylock_page(page))
+ continue;
+
+ if (unlikely(page->mapping != NODE_MAPPING(sbi))) {
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Tue, 24 Jul 2018 18:10:38 +0300
+Subject: firmware: vpd: Fix section enabled flag on vpd_section_destroy
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+[ Upstream commit 45ca3f76de0507ecf143f770570af2942f263812 ]
+
+static struct ro_vpd and rw_vpd are initialized by vpd_sections_init()
+in vpd_probe() based on header's ro and rw sizes.
+In vpd_remove() vpd_section_destroy() performs deinitialization based
+on enabled flag, which is set to true by vpd_sections_init().
+This leads to call of vpd_section_destroy() on already destroyed section
+for probe-release-probe-release sequence if first probe performs
+ro_vpd initialization and second probe does not initialize it.
+
+The patch adds changing enabled flag on vpd_section_destroy and adds
+cleanup on the error path of vpd_sections_init.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/google/vpd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/firmware/google/vpd.c
++++ b/drivers/firmware/google/vpd.c
+@@ -246,6 +246,7 @@ static int vpd_section_destroy(struct vp
+ sysfs_remove_bin_file(vpd_kobj, &sec->bin_attr);
+ kfree(sec->raw_name);
+ memunmap(sec->baseaddr);
++ sec->enabled = false;
+ }
+
+ return 0;
+@@ -279,8 +280,10 @@ static int vpd_sections_init(phys_addr_t
+ ret = vpd_section_init("rw", &rw_vpd,
+ physaddr + sizeof(struct vpd_cbmem) +
+ header.ro_size, header.rw_size);
+- if (ret)
++ if (ret) {
++ vpd_section_destroy(&ro_vpd);
+ return ret;
++ }
+ }
+
+ return 0;
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Mon, 23 Jul 2018 19:53:30 +0300
+Subject: gpio: ml-ioh: Fix buffer underwrite on probe error path
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+[ Upstream commit 4bf4eed44bfe288f459496eaf38089502ef91a79 ]
+
+If ioh_gpio_probe() fails on devm_irq_alloc_descs() then chip may point
+to any element of chip_save array, so reverse iteration from pointer chip
+may become chip_save[-1] and gpiochip_remove() will operate with wrong
+memory.
+
+The patch fix the error path of ioh_gpio_probe() to correctly bypass
+chip_save array.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-ml-ioh.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-ml-ioh.c
++++ b/drivers/gpio/gpio-ml-ioh.c
+@@ -497,9 +497,10 @@ static int ioh_gpio_probe(struct pci_dev
+ return 0;
+
+ err_gpiochip_add:
++ chip = chip_save;
+ while (--i >= 0) {
+- chip--;
+ gpiochip_remove(&chip->gpio);
++ chip++;
+ }
+ kfree(chip_save);
+
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Thu, 2 Aug 2018 14:11:44 +0300
+Subject: gpio: tegra: Move driver registration to subsys_init level
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+[ Upstream commit 40b25bce0adbe641a744d1291bc0e51fb7f3c3d8 ]
+
+There is a bug in regards to deferred probing within the drivers core
+that causes GPIO-driver to suspend after its users. The bug appears if
+GPIO-driver probe is getting deferred, which happens after introducing
+dependency on PINCTRL-driver for the GPIO-driver by defining "gpio-ranges"
+property in device-tree. The bug in the drivers core is old (more than 4
+years now) and is well known, unfortunately there is no easy fix for it.
+The good news is that we can workaround the deferred probe issue by
+changing GPIO / PINCTRL drivers registration order and hence by moving
+PINCTRL driver registration to the arch_init level and GPIO to the
+subsys_init.
+
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-tegra.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-tegra.c
++++ b/drivers/gpio/gpio-tegra.c
+@@ -728,4 +728,4 @@ static int __init tegra_gpio_init(void)
+ {
+ return platform_driver_register(&tegra_gpio_driver);
+ }
+-postcore_initcall(tegra_gpio_init);
++subsys_initcall(tegra_gpio_init);
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Thu, 21 Jun 2018 21:13:38 +0200
+Subject: gpu: ipu-v3: default to id 0 on missing OF alias
+
+From: Philipp Zabel <p.zabel@pengutronix.de>
+
+[ Upstream commit 2d87e6c1b99c402360fdfe19ce4f579ab2f96adf ]
+
+This is better than storing -ENODEV in the id number. This fixes SoCs
+with only one IPU that don't specify an IPU alias in the device tree.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/ipu-v3/ipu-common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/ipu-v3/ipu-common.c
++++ b/drivers/gpu/ipu-v3/ipu-common.c
+@@ -1401,6 +1401,8 @@ static int ipu_probe(struct platform_dev
+ return -ENODEV;
+
+ ipu->id = of_alias_get_id(np, "ipu");
++ if (ipu->id < 0)
++ ipu->id = 0;
+
+ if (of_device_is_compatible(np, "fsl,imx6qp-ipu") &&
+ IS_ENABLED(CONFIG_DRM)) {
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
+Date: Tue, 24 Jul 2018 13:36:15 -0700
+Subject: i2c: aspeed: Add an explicit type casting for *get_clk_reg_val
+
+From: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
+
+[ Upstream commit 5799c4b2f1dbc0166d9b1d94443deaafc6e7a070 ]
+
+This commit fixes this sparse warning:
+drivers/i2c/busses/i2c-aspeed.c:875:38: warning: incorrect type in assignment (different modifiers)
+drivers/i2c/busses/i2c-aspeed.c:875:38: expected unsigned int ( *get_clk_reg_val )( ... )
+drivers/i2c/busses/i2c-aspeed.c:875:38: got void const *const data
+
+Reported-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
+Reviewed-by: Brendan Higgins <brendanhiggins@google.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-aspeed.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-aspeed.c
++++ b/drivers/i2c/busses/i2c-aspeed.c
+@@ -859,7 +859,7 @@ static int aspeed_i2c_probe_bus(struct p
+ if (!match)
+ bus->get_clk_reg_val = aspeed_i2c_24xx_get_clk_reg_val;
+ else
+- bus->get_clk_reg_val = match->data;
++ bus->get_clk_reg_val = (u32 (*)(u32))match->data;
+
+ /* Initialize the I2C adapter */
+ spin_lock_init(&bus->lock);
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Nick Dyer <nick.dyer@itdev.co.uk>
+Date: Fri, 27 Jul 2018 11:44:20 -0700
+Subject: Input: atmel_mxt_ts - only use first T9 instance
+
+From: Nick Dyer <nick.dyer@itdev.co.uk>
+
+[ Upstream commit 36f5d9ef26e52edff046b4b097855db89bf0cd4a ]
+
+The driver only registers one input device, which uses the screen
+parameters from the first T9 instance. The first T63 instance also uses
+those parameters.
+
+It is incorrect to send input reports from the second instances of these
+objects if they are enabled: the input scaling will be wrong and the
+positions will be mashed together.
+
+This also causes problems on Android if the number of slots exceeds 32.
+
+In the future, this could be handled by looking for enabled touch object
+instances and creating an input device for each one.
+
+Signed-off-by: Nick Dyer <nick.dyer@itdev.co.uk>
+Acked-by: Benson Leung <bleung@chromium.org>
+Acked-by: Yufeng Shen <miletus@chromium.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/atmel_mxt_ts.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -1647,10 +1647,11 @@ static int mxt_parse_object_table(struct
+ break;
+ case MXT_TOUCH_MULTI_T9:
+ data->multitouch = MXT_TOUCH_MULTI_T9;
++ /* Only handle messages from first T9 instance */
+ data->T9_reportid_min = min_id;
+- data->T9_reportid_max = max_id;
+- data->num_touchids = object->num_report_ids
+- * mxt_obj_instances(object);
++ data->T9_reportid_max = min_id +
++ object->num_report_ids - 1;
++ data->num_touchids = object->num_report_ids;
+ break;
+ case MXT_SPT_MESSAGECOUNT_T44:
+ data->T44_address = object->start_address;
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 20 Jul 2018 18:16:59 +0200
+Subject: iommu/ipmmu-vmsa: Fix allocation in atomic context
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 46583e8c48c5a094ba28060615b3a7c8c576690f ]
+
+When attaching a device to an IOMMU group with
+CONFIG_DEBUG_ATOMIC_SLEEP=y:
+
+ BUG: sleeping function called from invalid context at mm/slab.h:421
+ in_atomic(): 1, irqs_disabled(): 128, pid: 61, name: kworker/1:1
+ ...
+ Call trace:
+ ...
+ arm_lpae_alloc_pgtable+0x114/0x184
+ arm_64_lpae_alloc_pgtable_s1+0x2c/0x128
+ arm_32_lpae_alloc_pgtable_s1+0x40/0x6c
+ alloc_io_pgtable_ops+0x60/0x88
+ ipmmu_attach_device+0x140/0x334
+
+ipmmu_attach_device() takes a spinlock, while arm_lpae_alloc_pgtable()
+allocates memory using GFP_KERNEL. Originally, the ipmmu-vmsa driver
+had its own custom page table allocation implementation using
+GFP_ATOMIC, hence the spinlock was fine.
+
+Fix this by replacing the spinlock by a mutex, like the arm-smmu driver
+does.
+
+Fixes: f20ed39f53145e45 ("iommu/ipmmu-vmsa: Use the ARM LPAE page table allocator")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/ipmmu-vmsa.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/iommu/ipmmu-vmsa.c
++++ b/drivers/iommu/ipmmu-vmsa.c
+@@ -54,7 +54,7 @@ struct ipmmu_vmsa_domain {
+ struct io_pgtable_ops *iop;
+
+ unsigned int context_id;
+- spinlock_t lock; /* Protects mappings */
++ struct mutex mutex; /* Protects mappings */
+ };
+
+ struct ipmmu_vmsa_iommu_priv {
+@@ -523,7 +523,7 @@ static struct iommu_domain *__ipmmu_doma
+ if (!domain)
+ return NULL;
+
+- spin_lock_init(&domain->lock);
++ mutex_init(&domain->mutex);
+
+ return &domain->io_domain;
+ }
+@@ -548,7 +548,6 @@ static int ipmmu_attach_device(struct io
+ struct iommu_fwspec *fwspec = dev->iommu_fwspec;
+ struct ipmmu_vmsa_device *mmu = priv->mmu;
+ struct ipmmu_vmsa_domain *domain = to_vmsa_domain(io_domain);
+- unsigned long flags;
+ unsigned int i;
+ int ret = 0;
+
+@@ -557,7 +556,7 @@ static int ipmmu_attach_device(struct io
+ return -ENXIO;
+ }
+
+- spin_lock_irqsave(&domain->lock, flags);
++ mutex_lock(&domain->mutex);
+
+ if (!domain->mmu) {
+ /* The domain hasn't been used yet, initialize it. */
+@@ -574,7 +573,7 @@ static int ipmmu_attach_device(struct io
+ } else
+ dev_info(dev, "Reusing IPMMU context %u\n", domain->context_id);
+
+- spin_unlock_irqrestore(&domain->lock, flags);
++ mutex_unlock(&domain->mutex);
+
+ if (ret < 0)
+ return ret;
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Mon, 2 Jul 2018 04:21:18 -0400
+Subject: macintosh/via-pmu: Add missing mmio accessors
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit 576d5290d678a651b9f36050fc1717e0573aca13 ]
+
+Add missing in_8() accessors to init_pmu() and pmu_sr_intr().
+
+This fixes several sparse warnings:
+drivers/macintosh/via-pmu.c:536:29: warning: dereference of noderef expression
+drivers/macintosh/via-pmu.c:537:33: warning: dereference of noderef expression
+drivers/macintosh/via-pmu.c:1455:17: warning: dereference of noderef expression
+drivers/macintosh/via-pmu.c:1456:69: warning: dereference of noderef expression
+
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/macintosh/via-pmu.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/macintosh/via-pmu.c
++++ b/drivers/macintosh/via-pmu.c
+@@ -532,8 +532,9 @@ init_pmu(void)
+ int timeout;
+ struct adb_request req;
+
+- out_8(&via[B], via[B] | TREQ); /* negate TREQ */
+- out_8(&via[DIRB], (via[DIRB] | TREQ) & ~TACK); /* TACK in, TREQ out */
++ /* Negate TREQ. Set TACK to input and TREQ to output. */
++ out_8(&via[B], in_8(&via[B]) | TREQ);
++ out_8(&via[DIRB], (in_8(&via[DIRB]) | TREQ) & ~TACK);
+
+ pmu_request(&req, NULL, 2, PMU_SET_INTR_MASK, pmu_intr_mask);
+ timeout = 100000;
+@@ -1455,8 +1456,8 @@ pmu_sr_intr(void)
+ struct adb_request *req;
+ int bite = 0;
+
+- if (via[B] & TREQ) {
+- printk(KERN_ERR "PMU: spurious SR intr (%x)\n", via[B]);
++ if (in_8(&via[B]) & TREQ) {
++ printk(KERN_ERR "PMU: spurious SR intr (%x)\n", in_8(&via[B]));
+ out_8(&via[IFR], SR_INT);
+ return NULL;
+ }
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: BingJing Chang <bingjingc@synology.com>
+Date: Wed, 1 Aug 2018 17:08:36 +0800
+Subject: md/raid5: fix data corruption of replacements after originals dropped
+
+From: BingJing Chang <bingjingc@synology.com>
+
+[ Upstream commit d63e2fc804c46e50eee825c5d3a7228e07048b47 ]
+
+During raid5 replacement, the stripes can be marked with R5_NeedReplace
+flag. Data can be read from being-replaced devices and written to
+replacing spares without reading all other devices. (It's 'replace'
+mode. s.replacing = 1) If a being-replaced device is dropped, the
+replacement progress will be interrupted and resumed with pure recovery
+mode. However, existing stripes before being interrupted cannot read
+from the dropped device anymore. It prints lots of WARN_ON messages.
+And it results in data corruption because existing stripes write
+problematic data into its replacement device and update the progress.
+
+\# Erase disks (1MB + 2GB)
+dd if=/dev/zero of=/dev/sda bs=1MB count=2049
+dd if=/dev/zero of=/dev/sdb bs=1MB count=2049
+dd if=/dev/zero of=/dev/sdc bs=1MB count=2049
+dd if=/dev/zero of=/dev/sdd bs=1MB count=2049
+mdadm -C /dev/md0 -amd -R -l5 -n3 -x0 /dev/sd[abc] -z 2097152
+\# Ensure array stores non-zero data
+dd if=/root/data_4GB.iso of=/dev/md0 bs=1MB
+\# Start replacement
+mdadm /dev/md0 -a /dev/sdd
+mdadm /dev/md0 --replace /dev/sda
+
+Then, Hot-plug out /dev/sda during recovery, and wait for recovery done.
+echo check > /sys/block/md0/md/sync_action
+cat /sys/block/md0/md/mismatch_cnt # it will be greater than 0.
+
+Soon after you hot-plug out /dev/sda, you will see many WARN_ON
+messages. The replacement recovery will be interrupted shortly. After
+the recovery finishes, it will result in data corruption.
+
+Actually, it's just an unhandled case of replacement. In commit
+<f94c0b6658c7> (md/raid5: fix interaction of 'replace' and 'recovery'.),
+if a NeedReplace device is not UPTODATE then that is an error, the
+commit just simply print WARN_ON but also mark these corrupted stripes
+with R5_WantReplace. (it means it's ready for writes.)
+
+To fix this case, we can leverage 'sync and replace' mode mentioned in
+commit <9a3e1101b827> (md/raid5: detect and handle replacements during
+recovery.). We can add logics to detect and use 'sync and replace' mode
+for these stripes.
+
+Reported-by: Alex Chen <alexchen@synology.com>
+Reviewed-by: Alex Wu <alexwu@synology.com>
+Reviewed-by: Chung-Chiang Cheng <cccheng@synology.com>
+Signed-off-by: BingJing Chang <bingjingc@synology.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid5.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -4516,6 +4516,12 @@ static void analyse_stripe(struct stripe
+ s->failed++;
+ if (rdev && !test_bit(Faulty, &rdev->flags))
+ do_recovery = 1;
++ else if (!rdev) {
++ rdev = rcu_dereference(
++ conf->disks[i].replacement);
++ if (rdev && !test_bit(Faulty, &rdev->flags))
++ do_recovery = 1;
++ }
+ }
+
+ if (test_bit(R5_InJournal, &dev->flags))
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Todor Tomov <todor.tomov@linaro.org>
+Date: Wed, 25 Jul 2018 12:38:20 -0400
+Subject: media: camss: csid: Configure data type and decode format properly
+
+From: Todor Tomov <todor.tomov@linaro.org>
+
+[ Upstream commit c628e78899ff8006b5f9d8206da54ed3bb994342 ]
+
+The CSID decodes the input data stream. When the input comes from
+the Test Generator the format of the stream is set on the source
+media pad. When the input comes from the CSIPHY the format is the
+one on the sink media pad. Use the proper format for each case.
+
+Signed-off-by: Todor Tomov <todor.tomov@linaro.org>
+Signed-off-by: Hans Verkuil <hansverk@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/camss-8x16/camss-csid.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/platform/qcom/camss-8x16/camss-csid.c
++++ b/drivers/media/platform/qcom/camss-8x16/camss-csid.c
+@@ -392,9 +392,6 @@ static int csid_set_stream(struct v4l2_s
+ !media_entity_remote_pad(&csid->pads[MSM_CSID_PAD_SINK]))
+ return -ENOLINK;
+
+- dt = csid_get_fmt_entry(csid->fmt[MSM_CSID_PAD_SRC].code)->
+- data_type;
+-
+ if (tg->enabled) {
+ /* Config Test Generator */
+ struct v4l2_mbus_framefmt *f =
+@@ -416,6 +413,9 @@ static int csid_set_stream(struct v4l2_s
+ writel_relaxed(val, csid->base +
+ CAMSS_CSID_TG_DT_n_CGG_0(0));
+
++ dt = csid_get_fmt_entry(
++ csid->fmt[MSM_CSID_PAD_SRC].code)->data_type;
++
+ /* 5:0 data type */
+ val = dt;
+ writel_relaxed(val, csid->base +
+@@ -425,6 +425,9 @@ static int csid_set_stream(struct v4l2_s
+ val = tg->payload_mode;
+ writel_relaxed(val, csid->base +
+ CAMSS_CSID_TG_DT_n_CGG_2(0));
++
++ df = csid_get_fmt_entry(
++ csid->fmt[MSM_CSID_PAD_SRC].code)->decode_format;
+ } else {
+ struct csid_phy_config *phy = &csid->phy;
+
+@@ -439,13 +442,16 @@ static int csid_set_stream(struct v4l2_s
+
+ writel_relaxed(val,
+ csid->base + CAMSS_CSID_CORE_CTRL_1);
++
++ dt = csid_get_fmt_entry(
++ csid->fmt[MSM_CSID_PAD_SINK].code)->data_type;
++ df = csid_get_fmt_entry(
++ csid->fmt[MSM_CSID_PAD_SINK].code)->decode_format;
+ }
+
+ /* Config LUT */
+
+ dt_shift = (cid % 4) * 8;
+- df = csid_get_fmt_entry(csid->fmt[MSM_CSID_PAD_SINK].code)->
+- decode_format;
+
+ val = readl_relaxed(csid->base + CAMSS_CSID_CID_LUT_VC_n(vc));
+ val &= ~(0xff << dt_shift);
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Fri, 27 Jul 2018 07:52:20 -0400
+Subject: media: davinci: vpif_display: Mix memory leak on probe error path
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+[ Upstream commit 61e641f36ed81ae473177c085f0bfd83ad3b55ed ]
+
+If vpif_probe() fails on v4l2_device_register() then memory allocated
+at initialize_vpif() for global vpif_obj.dev[i] become unreleased.
+
+The patch adds deallocation of vpif_obj.dev[i] on the error path and
+removes duplicated check on platform_data presence.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/davinci/vpif_display.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/platform/davinci/vpif_display.c
++++ b/drivers/media/platform/davinci/vpif_display.c
+@@ -1114,6 +1114,14 @@ vpif_init_free_channel_objects:
+ return err;
+ }
+
++static void free_vpif_objs(void)
++{
++ int i;
++
++ for (i = 0; i < VPIF_DISPLAY_MAX_DEVICES; i++)
++ kfree(vpif_obj.dev[i]);
++}
++
+ static int vpif_async_bound(struct v4l2_async_notifier *notifier,
+ struct v4l2_subdev *subdev,
+ struct v4l2_async_subdev *asd)
+@@ -1250,11 +1258,6 @@ static __init int vpif_probe(struct plat
+ return -EINVAL;
+ }
+
+- if (!pdev->dev.platform_data) {
+- dev_warn(&pdev->dev, "Missing platform data. Giving up.\n");
+- return -EINVAL;
+- }
+-
+ vpif_dev = &pdev->dev;
+ err = initialize_vpif();
+
+@@ -1266,7 +1269,7 @@ static __init int vpif_probe(struct plat
+ err = v4l2_device_register(vpif_dev, &vpif_obj.v4l2_dev);
+ if (err) {
+ v4l2_err(vpif_dev->driver, "Error registering v4l2 device\n");
+- return err;
++ goto vpif_free;
+ }
+
+ while ((res = platform_get_resource(pdev, IORESOURCE_IRQ, res_idx))) {
+@@ -1309,7 +1312,10 @@ static __init int vpif_probe(struct plat
+ if (vpif_obj.sd[i])
+ vpif_obj.sd[i]->grp_id = 1 << i;
+ }
+- vpif_probe_complete();
++ err = vpif_probe_complete();
++ if (err) {
++ goto probe_subdev_out;
++ }
+ } else {
+ vpif_obj.notifier.subdevs = vpif_obj.config->asd;
+ vpif_obj.notifier.num_subdevs = vpif_obj.config->asd_sizes[0];
+@@ -1330,6 +1336,8 @@ probe_subdev_out:
+ kfree(vpif_obj.sd);
+ vpif_unregister:
+ v4l2_device_unregister(&vpif_obj.v4l2_dev);
++vpif_free:
++ free_vpif_objs();
+
+ return err;
+ }
+@@ -1351,8 +1359,8 @@ static int vpif_remove(struct platform_d
+ ch = vpif_obj.dev[i];
+ /* Unregister video device */
+ video_unregister_device(&ch->video_dev);
+- kfree(vpif_obj.dev[i]);
+ }
++ free_vpif_objs();
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Mon, 23 Jul 2018 13:04:54 -0400
+Subject: media: dw2102: Fix memleak on sequence of probes
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+[ Upstream commit 299c7007e93645067e1d2743f4e50156de78c4ff ]
+
+Each call to dw2102_probe() allocates memory by kmemdup for structures
+p1100, s660, p7500 and s421, but there is no their deallocation.
+dvb_usb_device_init() copies the corresponding structure into
+dvb_usb_device->props, so there is no use of original structure after
+dvb_usb_device_init().
+
+The patch moves structures from global scope to local and adds their
+deallocation.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/dvb-usb/dw2102.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/dw2102.c
++++ b/drivers/media/usb/dvb-usb/dw2102.c
+@@ -2103,14 +2103,12 @@ static struct dvb_usb_device_properties
+ }
+ };
+
+-static struct dvb_usb_device_properties *p1100;
+ static const struct dvb_usb_device_description d1100 = {
+ "Prof 1100 USB ",
+ {&dw2102_table[PROF_1100], NULL},
+ {NULL},
+ };
+
+-static struct dvb_usb_device_properties *s660;
+ static const struct dvb_usb_device_description d660 = {
+ "TeVii S660 USB",
+ {&dw2102_table[TEVII_S660], NULL},
+@@ -2129,14 +2127,12 @@ static const struct dvb_usb_device_descr
+ {NULL},
+ };
+
+-static struct dvb_usb_device_properties *p7500;
+ static const struct dvb_usb_device_description d7500 = {
+ "Prof 7500 USB DVB-S2",
+ {&dw2102_table[PROF_7500], NULL},
+ {NULL},
+ };
+
+-static struct dvb_usb_device_properties *s421;
+ static const struct dvb_usb_device_description d421 = {
+ "TeVii S421 PCI",
+ {&dw2102_table[TEVII_S421], NULL},
+@@ -2336,6 +2332,11 @@ static int dw2102_probe(struct usb_inter
+ const struct usb_device_id *id)
+ {
+ int retval = -ENOMEM;
++ struct dvb_usb_device_properties *p1100;
++ struct dvb_usb_device_properties *s660;
++ struct dvb_usb_device_properties *p7500;
++ struct dvb_usb_device_properties *s421;
++
+ p1100 = kmemdup(&s6x0_properties,
+ sizeof(struct dvb_usb_device_properties), GFP_KERNEL);
+ if (!p1100)
+@@ -2404,8 +2405,16 @@ static int dw2102_probe(struct usb_inter
+ 0 == dvb_usb_device_init(intf, &t220_properties,
+ THIS_MODULE, NULL, adapter_nr) ||
+ 0 == dvb_usb_device_init(intf, &tt_s2_4600_properties,
+- THIS_MODULE, NULL, adapter_nr))
++ THIS_MODULE, NULL, adapter_nr)) {
++
++ /* clean up copied properties */
++ kfree(s421);
++ kfree(p7500);
++ kfree(s660);
++ kfree(p1100);
++
+ return 0;
++ }
+
+ retval = -ENODEV;
+ kfree(s421);
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Katsuhiro Suzuki <suzuki.katsuhiro@socionext.com>
+Date: Mon, 28 May 2018 21:09:20 -0400
+Subject: media: helene: fix xtal frequency setting at power on
+
+From: Katsuhiro Suzuki <suzuki.katsuhiro@socionext.com>
+
+[ Upstream commit a00e5f074b3f3cd39d1ccdc53d4d805b014df3f3 ]
+
+This patch fixes crystal frequency setting when power on this device.
+
+Signed-off-by: Katsuhiro Suzuki <suzuki.katsuhiro@socionext.com>
+Acked-by: Abylay Ospan <aospan@netup.ru>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-frontends/helene.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/helene.c
++++ b/drivers/media/dvb-frontends/helene.c
+@@ -897,7 +897,10 @@ static int helene_x_pon(struct helene_pr
+ helene_write_regs(priv, 0x99, cdata, sizeof(cdata));
+
+ /* 0x81 - 0x94 */
+- data[0] = 0x18; /* xtal 24 MHz */
++ if (priv->xtal == SONY_HELENE_XTAL_16000)
++ data[0] = 0x10; /* xtal 16 MHz */
++ else
++ data[0] = 0x18; /* xtal 24 MHz */
+ data[1] = (uint8_t)(0x80 | (0x04 & 0x1F)); /* 4 x 25 = 100uA */
+ data[2] = (uint8_t)(0x80 | (0x26 & 0x7F)); /* 38 x 0.25 = 9.5pF */
+ data[3] = 0x80; /* REFOUT signal output 500mVpp */
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Date: Tue, 5 Jun 2018 09:33:59 -0400
+Subject: media: s5p-mfc: Fix buffer look up in s5p_mfc_handle_frame_{new, copy_time} functions
+
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+
+[ Upstream commit 4faeaf9c0f4581667ce5826f9c90c4fd463ef086 ]
+
+Look up of buffers in s5p_mfc_handle_frame_new, s5p_mfc_handle_frame_copy_time
+functions is not working properly for DMA addresses above 2 GiB. As a result
+flags and timestamp of returned buffers are not set correctly and it breaks
+operation of GStreamer/OMX plugins which rely on the CAPTURE buffer queue
+flags.
+
+Due to improper return type of the get_dec_y_adr, get_dspl_y_adr callbacks
+and sign bit extension these callbacks return incorrect address values,
+e.g. 0xfffffffffefc0000 instead of 0x00000000fefc0000. Then the statement:
+
+"if (vb2_dma_contig_plane_dma_addr(&dst_buf->b->vb2_buf, 0) == dec_y_addr)"
+
+is always false, which breaks looking up capture queue buffers.
+
+To ensure proper matching by address u32 type is used for the DMA
+addresses. This should work on all related SoCs, since the MFC DMA
+address width is not larger than 32-bit.
+
+Changes done in this patch are minimal as there is a larger patch series
+pending refactoring the whole driver.
+
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -254,24 +254,24 @@ static void s5p_mfc_handle_frame_all_ext
+ static void s5p_mfc_handle_frame_copy_time(struct s5p_mfc_ctx *ctx)
+ {
+ struct s5p_mfc_dev *dev = ctx->dev;
+- struct s5p_mfc_buf *dst_buf, *src_buf;
+- size_t dec_y_addr;
++ struct s5p_mfc_buf *dst_buf, *src_buf;
++ u32 dec_y_addr;
+ unsigned int frame_type;
+
+ /* Make sure we actually have a new frame before continuing. */
+ frame_type = s5p_mfc_hw_call(dev->mfc_ops, get_dec_frame_type, dev);
+ if (frame_type == S5P_FIMV_DECODE_FRAME_SKIPPED)
+ return;
+- dec_y_addr = s5p_mfc_hw_call(dev->mfc_ops, get_dec_y_adr, dev);
++ dec_y_addr = (u32)s5p_mfc_hw_call(dev->mfc_ops, get_dec_y_adr, dev);
+
+ /* Copy timestamp / timecode from decoded src to dst and set
+ appropriate flags. */
+ src_buf = list_entry(ctx->src_queue.next, struct s5p_mfc_buf, list);
+ list_for_each_entry(dst_buf, &ctx->dst_queue, list) {
+- if (vb2_dma_contig_plane_dma_addr(&dst_buf->b->vb2_buf, 0)
+- == dec_y_addr) {
+- dst_buf->b->timecode =
+- src_buf->b->timecode;
++ u32 addr = (u32)vb2_dma_contig_plane_dma_addr(&dst_buf->b->vb2_buf, 0);
++
++ if (addr == dec_y_addr) {
++ dst_buf->b->timecode = src_buf->b->timecode;
+ dst_buf->b->vb2_buf.timestamp =
+ src_buf->b->vb2_buf.timestamp;
+ dst_buf->b->flags &=
+@@ -307,10 +307,10 @@ static void s5p_mfc_handle_frame_new(str
+ {
+ struct s5p_mfc_dev *dev = ctx->dev;
+ struct s5p_mfc_buf *dst_buf;
+- size_t dspl_y_addr;
++ u32 dspl_y_addr;
+ unsigned int frame_type;
+
+- dspl_y_addr = s5p_mfc_hw_call(dev->mfc_ops, get_dspl_y_adr, dev);
++ dspl_y_addr = (u32)s5p_mfc_hw_call(dev->mfc_ops, get_dspl_y_adr, dev);
+ if (IS_MFCV6_PLUS(dev))
+ frame_type = s5p_mfc_hw_call(dev->mfc_ops,
+ get_disp_frame_type, ctx);
+@@ -329,9 +329,10 @@ static void s5p_mfc_handle_frame_new(str
+ /* The MFC returns address of the buffer, now we have to
+ * check which videobuf does it correspond to */
+ list_for_each_entry(dst_buf, &ctx->dst_queue, list) {
++ u32 addr = (u32)vb2_dma_contig_plane_dma_addr(&dst_buf->b->vb2_buf, 0);
++
+ /* Check if this is the buffer we're looking for */
+- if (vb2_dma_contig_plane_dma_addr(&dst_buf->b->vb2_buf, 0)
+- == dspl_y_addr) {
++ if (addr == dspl_y_addr) {
+ list_del(&dst_buf->list);
+ ctx->dst_queue_cnt--;
+ dst_buf->b->sequence = ctx->sequence;
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Zumeng Chen <zumeng.chen@gmail.com>
+Date: Wed, 4 Jul 2018 12:35:29 +0800
+Subject: mfd: ti_am335x_tscadc: Fix struct clk memory leak
+
+From: Zumeng Chen <zumeng.chen@gmail.com>
+
+[ Upstream commit c2b1509c77a99a0dcea0a9051ca743cb88385f50 ]
+
+Use devm_elk_get() to let Linux manage struct clk memory to avoid the following
+memory leakage report:
+
+unreferenced object 0xdd75efc0 (size 64):
+ comm "systemd-udevd", pid 186, jiffies 4294945126 (age 1195.750s)
+ hex dump (first 32 bytes):
+ 61 64 63 5f 74 73 63 5f 66 63 6b 00 00 00 00 00 adc_tsc_fck.....
+ 00 00 00 00 92 03 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<c0a15260>] kmemleak_alloc+0x40/0x74
+ [<c0287a10>] __kmalloc_track_caller+0x198/0x388
+ [<c0255610>] kstrdup+0x40/0x5c
+ [<c025565c>] kstrdup_const+0x30/0x3c
+ [<c0636630>] __clk_create_clk+0x60/0xac
+ [<c0630918>] clk_get_sys+0x74/0x144
+ [<c0630cdc>] clk_get+0x5c/0x68
+ [<bf0ac540>] ti_tscadc_probe+0x260/0x468 [ti_am335x_tscadc]
+ [<c06f3c0c>] platform_drv_probe+0x60/0xac
+ [<c06f1abc>] driver_probe_device+0x214/0x2dc
+ [<c06f1c18>] __driver_attach+0x94/0xc0
+ [<c06efe2c>] bus_for_each_dev+0x90/0xa0
+ [<c06f1470>] driver_attach+0x28/0x30
+ [<c06f1030>] bus_add_driver+0x184/0x1ec
+ [<c06f2b74>] driver_register+0xb0/0xf0
+ [<c06f3b4c>] __platform_driver_register+0x40/0x54
+
+Signed-off-by: Zumeng Chen <zumeng.chen@gmail.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/ti_am335x_tscadc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/mfd/ti_am335x_tscadc.c
++++ b/drivers/mfd/ti_am335x_tscadc.c
+@@ -210,14 +210,13 @@ static int ti_tscadc_probe(struct platfo
+ * The TSC_ADC_SS controller design assumes the OCP clock is
+ * at least 6x faster than the ADC clock.
+ */
+- clk = clk_get(&pdev->dev, "adc_tsc_fck");
++ clk = devm_clk_get(&pdev->dev, "adc_tsc_fck");
+ if (IS_ERR(clk)) {
+ dev_err(&pdev->dev, "failed to get TSC fck\n");
+ err = PTR_ERR(clk);
+ goto err_disable_clk;
+ }
+ clock_rate = clk_get_rate(clk);
+- clk_put(clk);
+ tscadc->clk_div = clock_rate / ADC_CLK;
+
+ /* TSCADC_CLKDIV needs to be configured to the value minus 1 */
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Paul Burton <paul.burton@mips.com>
+Date: Fri, 27 Jul 2018 18:23:19 -0700
+Subject: MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET
+
+From: Paul Burton <paul.burton@mips.com>
+
+[ Upstream commit 0494d7ffdcebc6935410ea0719b24ab626675351 ]
+
+isa_virt_to_bus() & isa_bus_to_virt() claim to treat ISA bus addresses
+as being identical to physical addresses, but they fail to do so in the
+presence of a non-zero PHYS_OFFSET.
+
+Correct this by having them use virt_to_phys() & phys_to_virt(), which
+consolidates the calculations to one place & ensures that ISA bus
+addresses do indeed match physical addresses.
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/20047/
+Cc: James Hogan <jhogan@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: Vladimir Kondratiev <vladimir.kondratiev@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/include/asm/io.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/mips/include/asm/io.h
++++ b/arch/mips/include/asm/io.h
+@@ -141,14 +141,14 @@ static inline void * phys_to_virt(unsign
+ /*
+ * ISA I/O bus memory addresses are 1:1 with the physical address.
+ */
+-static inline unsigned long isa_virt_to_bus(volatile void * address)
++static inline unsigned long isa_virt_to_bus(volatile void *address)
+ {
+- return (unsigned long)address - PAGE_OFFSET;
++ return virt_to_phys(address);
+ }
+
+-static inline void * isa_bus_to_virt(unsigned long address)
++static inline void *isa_bus_to_virt(unsigned long address)
+ {
+- return (void *)(address + PAGE_OFFSET);
++ return phys_to_virt(address);
+ }
+
+ #define isa_page_to_bus page_to_phys
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Wed, 11 Jul 2018 20:32:45 +0200
+Subject: MIPS: generic: fix missing of_node_put()
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit 28ec2238f37e72a3a40a7eb46893e7651bcc40a6 ]
+
+of_find_compatible_node() returns a device_node pointer with refcount
+incremented and must be decremented explicitly.
+ As this code is using the result only to check presence of the interrupt
+controller (!NULL) but not actually using the result otherwise the
+refcount can be decremented here immediately again.
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/19820/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/generic/init.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/generic/init.c
++++ b/arch/mips/generic/init.c
+@@ -204,6 +204,7 @@ void __init arch_init_irq(void)
+ "mti,cpu-interrupt-controller");
+ if (!cpu_has_veic && !intc_node)
+ mips_cpu_irq_init();
++ of_node_put(intc_node);
+
+ irqchip_init();
+ }
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Sat, 16 Jun 2018 09:06:33 +0200
+Subject: MIPS: Octeon: add missing of_node_put()
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit b1259519e618d479ede8a0db5474b3aff99f5056 ]
+
+The call to of_find_node_by_name returns a node pointer with refcount
+incremented thus it must be explicitly decremented here after the last
+usage.
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/19558/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/cavium-octeon/octeon-platform.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/mips/cavium-octeon/octeon-platform.c
++++ b/arch/mips/cavium-octeon/octeon-platform.c
+@@ -322,6 +322,7 @@ static int __init octeon_ehci_device_ini
+ return 0;
+
+ pd = of_find_device_by_node(ehci_node);
++ of_node_put(ehci_node);
+ if (!pd)
+ return 0;
+
+@@ -384,6 +385,7 @@ static int __init octeon_ohci_device_ini
+ return 0;
+
+ pd = of_find_device_by_node(ohci_node);
++ of_node_put(ohci_node);
+ if (!pd)
+ return 0;
+
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Fri, 25 Nov 2016 18:46:09 +0000
+Subject: MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON
+
+From: Paul Burton <paul.burton@imgtec.com>
+
+[ Upstream commit d4da0e97baea8768b3d66ccef3967bebd50dfc3b ]
+
+If a driver causes DMA cache maintenance with a zero length then we
+currently BUG and kill the kernel. As this is a scenario that we may
+well be able to recover from, WARN & return in the condition instead.
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Patchwork: https://patchwork.linux-mips.org/patch/14623/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mm/c-r4k.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/mm/c-r4k.c
++++ b/arch/mips/mm/c-r4k.c
+@@ -835,7 +835,8 @@ static void r4k_flush_icache_user_range(
+ static void r4k_dma_cache_wback_inv(unsigned long addr, unsigned long size)
+ {
+ /* Catch bad driver code */
+- BUG_ON(size == 0);
++ if (WARN_ON(size == 0))
++ return;
+
+ preempt_disable();
+ if (cpu_has_inclusive_pcaches) {
+@@ -871,7 +872,8 @@ static void r4k_dma_cache_wback_inv(unsi
+ static void r4k_dma_cache_inv(unsigned long addr, unsigned long size)
+ {
+ /* Catch bad driver code */
+- BUG_ON(size == 0);
++ if (WARN_ON(size == 0))
++ return;
+
+ preempt_disable();
+ if (cpu_has_inclusive_pcaches) {
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 2 Aug 2018 11:42:22 +0300
+Subject: misc: mic: SCIF Fix scif_get_new_port() error handling
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit a39284ae9d2ad09975c8ae33f1bd0f05fbfbf6ee ]
+
+There are only 2 callers of scif_get_new_port() and both appear to get
+the error handling wrong. Both treat zero returns as error, but it
+actually returns negative error codes and >= 0 on success.
+
+Fixes: e9089f43c9a7 ("misc: mic: SCIF open close bind and listen APIs")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mic/scif/scif_api.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+--- a/drivers/misc/mic/scif/scif_api.c
++++ b/drivers/misc/mic/scif/scif_api.c
+@@ -370,11 +370,10 @@ int scif_bind(scif_epd_t epd, u16 pn)
+ goto scif_bind_exit;
+ }
+ } else {
+- pn = scif_get_new_port();
+- if (!pn) {
+- ret = -ENOSPC;
++ ret = scif_get_new_port();
++ if (ret < 0)
+ goto scif_bind_exit;
+- }
++ pn = ret;
+ }
+
+ ep->state = SCIFEP_BOUND;
+@@ -648,13 +647,12 @@ int __scif_connect(scif_epd_t epd, struc
+ err = -EISCONN;
+ break;
+ case SCIFEP_UNBOUND:
+- ep->port.port = scif_get_new_port();
+- if (!ep->port.port) {
+- err = -ENOSPC;
+- } else {
+- ep->port.node = scif_info.nodeid;
+- ep->conn_async_state = ASYNC_CONN_IDLE;
+- }
++ err = scif_get_new_port();
++ if (err < 0)
++ break;
++ ep->port.port = err;
++ ep->port.node = scif_info.nodeid;
++ ep->conn_async_state = ASYNC_CONN_IDLE;
+ /* Fall through */
+ case SCIFEP_BOUND:
+ /*
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Fri, 27 Jul 2018 18:45:36 +0300
+Subject: misc: ti-st: Fix memory leak in the error path of probe()
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+[ Upstream commit 81ae962d7f180c0092859440c82996cccb254976 ]
+
+Free resources instead of direct return of the error code if kim_probe
+fails.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/ti-st/st_kim.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/ti-st/st_kim.c
++++ b/drivers/misc/ti-st/st_kim.c
+@@ -756,14 +756,14 @@ static int kim_probe(struct platform_dev
+ err = gpio_request(kim_gdata->nshutdown, "kim");
+ if (unlikely(err)) {
+ pr_err(" gpio %d request failed ", kim_gdata->nshutdown);
+- return err;
++ goto err_sysfs_group;
+ }
+
+ /* Configure nShutdown GPIO as output=0 */
+ err = gpio_direction_output(kim_gdata->nshutdown, 0);
+ if (unlikely(err)) {
+ pr_err(" unable to configure gpio %d", kim_gdata->nshutdown);
+- return err;
++ goto err_sysfs_group;
+ }
+ /* get reference of pdev for request_firmware
+ */
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Petr Machata <petrm@mellanox.com>
+Date: Fri, 27 Jul 2018 15:26:55 +0300
+Subject: net: dcb: For wild-card lookups, use priority -1, not 0
+
+From: Petr Machata <petrm@mellanox.com>
+
+[ Upstream commit 08193d1a893c802c4b807e4d522865061f4e9f4f ]
+
+The function dcb_app_lookup walks the list of specified DCB APP entries,
+looking for one that matches a given criteria: ifindex, selector,
+protocol ID and optionally also priority. The "don't care" value for
+priority is set to 0, because that priority has not been allowed under
+CEE regime, which predates the IEEE standardization.
+
+Under IEEE, 0 is a valid priority number. But because dcb_app_lookup
+considers zero a wild card, attempts to add an APP entry with priority 0
+fail when other entries exist for a given ifindex / selector / PID
+triplet.
+
+Fix by changing the wild-card value to -1.
+
+Signed-off-by: Petr Machata <petrm@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dcb/dcbnl.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -1765,7 +1765,7 @@ static struct dcb_app_type *dcb_app_look
+ if (itr->app.selector == app->selector &&
+ itr->app.protocol == app->protocol &&
+ itr->ifindex == ifindex &&
+- (!prio || itr->app.priority == prio))
++ ((prio == -1) || itr->app.priority == prio))
+ return itr;
+ }
+
+@@ -1800,7 +1800,8 @@ u8 dcb_getapp(struct net_device *dev, st
+ u8 prio = 0;
+
+ spin_lock_bh(&dcb_lock);
+- if ((itr = dcb_app_lookup(app, dev->ifindex, 0)))
++ itr = dcb_app_lookup(app, dev->ifindex, -1);
++ if (itr)
+ prio = itr->app.priority;
+ spin_unlock_bh(&dcb_lock);
+
+@@ -1828,7 +1829,8 @@ int dcb_setapp(struct net_device *dev, s
+
+ spin_lock_bh(&dcb_lock);
+ /* Search for existing match and replace */
+- if ((itr = dcb_app_lookup(new, dev->ifindex, 0))) {
++ itr = dcb_app_lookup(new, dev->ifindex, -1);
++ if (itr) {
+ if (new->priority)
+ itr->app.priority = new->priority;
+ else {
+@@ -1861,7 +1863,8 @@ u8 dcb_ieee_getapp_mask(struct net_devic
+ u8 prio = 0;
+
+ spin_lock_bh(&dcb_lock);
+- if ((itr = dcb_app_lookup(app, dev->ifindex, 0)))
++ itr = dcb_app_lookup(app, dev->ifindex, -1);
++ if (itr)
+ prio |= 1 << itr->app.priority;
+ spin_unlock_bh(&dcb_lock);
+
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Yelena Krivosheev <yelena@marvell.com>
+Date: Wed, 18 Jul 2018 18:10:51 +0200
+Subject: net: mvneta: fix mtu change on port without link
+
+From: Yelena Krivosheev <yelena@marvell.com>
+
+[ Upstream commit 8466baf788ec3e18836bd9c91ba0b1a07af25878 ]
+
+It is incorrect to enable TX/RX queues (call by mvneta_port_up()) for
+port without link. Indeed MTU change for interface without link causes TX
+queues to stuck.
+
+Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP
+network unit")
+Signed-off-by: Yelena Krivosheev <yelena@marvell.com>
+[gregory.clement: adding Fixes tags and rewording commit log]
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -3195,7 +3195,6 @@ static int mvneta_change_mtu(struct net_
+
+ on_each_cpu(mvneta_percpu_enable, pp, true);
+ mvneta_start_dev(pp);
+- mvneta_port_up(pp);
+
+ netdev_update_features(dev);
+
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Arun Parameswaran <arun.parameswaran@broadcom.com>
+Date: Wed, 1 Aug 2018 17:53:47 -0700
+Subject: net: phy: Fix the register offsets in Broadcom iProc mdio mux driver
+
+From: Arun Parameswaran <arun.parameswaran@broadcom.com>
+
+[ Upstream commit 77fefa93bfebe4df44f154f2aa5938e32630d0bf ]
+
+Modify the register offsets in the Broadcom iProc mdio mux to start
+from the top of the register address space.
+
+Earlier, the base address pointed to the end of the block's register
+space. The base address will now point to the start of the mdio's
+address space. The offsets have been fixed to match this.
+
+Signed-off-by: Arun Parameswaran <arun.parameswaran@broadcom.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio-mux-bcm-iproc.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/phy/mdio-mux-bcm-iproc.c
++++ b/drivers/net/phy/mdio-mux-bcm-iproc.c
+@@ -22,7 +22,7 @@
+ #include <linux/mdio-mux.h>
+ #include <linux/delay.h>
+
+-#define MDIO_PARAM_OFFSET 0x00
++#define MDIO_PARAM_OFFSET 0x23c
+ #define MDIO_PARAM_MIIM_CYCLE 29
+ #define MDIO_PARAM_INTERNAL_SEL 25
+ #define MDIO_PARAM_BUS_ID 22
+@@ -30,20 +30,22 @@
+ #define MDIO_PARAM_PHY_ID 16
+ #define MDIO_PARAM_PHY_DATA 0
+
+-#define MDIO_READ_OFFSET 0x04
++#define MDIO_READ_OFFSET 0x240
+ #define MDIO_READ_DATA_MASK 0xffff
+-#define MDIO_ADDR_OFFSET 0x08
++#define MDIO_ADDR_OFFSET 0x244
+
+-#define MDIO_CTRL_OFFSET 0x0C
++#define MDIO_CTRL_OFFSET 0x248
+ #define MDIO_CTRL_WRITE_OP 0x1
+ #define MDIO_CTRL_READ_OP 0x2
+
+-#define MDIO_STAT_OFFSET 0x10
++#define MDIO_STAT_OFFSET 0x24c
+ #define MDIO_STAT_DONE 1
+
+ #define BUS_MAX_ADDR 32
+ #define EXT_BUS_START_ADDR 16
+
++#define MDIO_REG_ADDR_SPACE_SIZE 0x250
++
+ struct iproc_mdiomux_desc {
+ void *mux_handle;
+ void __iomem *base;
+@@ -169,6 +171,14 @@ static int mdio_mux_iproc_probe(struct p
+ md->dev = &pdev->dev;
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (res->start & 0xfff) {
++ /* For backward compatibility in case the
++ * base address is specified with an offset.
++ */
++ dev_info(&pdev->dev, "fix base address in dt-blob\n");
++ res->start &= ~0xfff;
++ res->end = res->start + MDIO_REG_ADDR_SPACE_SIZE - 1;
++ }
+ md->base = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(md->base)) {
+ dev_err(&pdev->dev, "failed to ioremap register\n");
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Thu, 26 Jul 2018 16:04:47 -0400
+Subject: NFSv4.0 fix client reference leak in callback
+
+From: Olga Kornievskaia <kolga@netapp.com>
+
+[ Upstream commit 32cd3ee511f4e07ca25d71163b50e704808d22f4 ]
+
+If there is an error during processing of a callback message, it leads
+to refrence leak on the client structure and eventually an unclean
+superblock.
+
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/callback_xdr.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/fs/nfs/callback_xdr.c
++++ b/fs/nfs/callback_xdr.c
+@@ -904,16 +904,21 @@ static __be32 nfs4_callback_compound(str
+
+ if (hdr_arg.minorversion == 0) {
+ cps.clp = nfs4_find_client_ident(SVC_NET(rqstp), hdr_arg.cb_ident);
+- if (!cps.clp || !check_gss_callback_principal(cps.clp, rqstp))
++ if (!cps.clp || !check_gss_callback_principal(cps.clp, rqstp)) {
++ if (cps.clp)
++ nfs_put_client(cps.clp);
+ goto out_invalidcred;
++ }
+ }
+
+ cps.minorversion = hdr_arg.minorversion;
+ hdr_res.taglen = hdr_arg.taglen;
+ hdr_res.tag = hdr_arg.tag;
+- if (encode_compound_hdr_res(&xdr_out, &hdr_res) != 0)
++ if (encode_compound_hdr_res(&xdr_out, &hdr_res) != 0) {
++ if (cps.clp)
++ nfs_put_client(cps.clp);
+ return rpc_system_err;
+-
++ }
+ while (status == 0 && nops != hdr_arg.nops) {
+ status = process_op(nops, rqstp, &xdr_in,
+ rqstp->rq_argp, &xdr_out, rqstp->rq_resp,
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Thu, 12 Jul 2018 14:19:03 -0400
+Subject: NFSv4.1: Fix a potential layoutget/layoutrecall deadlock
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit bd3d16a887b0c19a2a20d35ffed499e3a3637feb ]
+
+If the client is sending a layoutget, but the server issues a callback
+to recall what it thinks may be an outstanding layout, then we may find
+an uninitialised layout attached to the inode due to the layoutget.
+In that case, it is appropriate to return NFS4ERR_NOMATCHING_LAYOUT
+rather than NFS4ERR_DELAY, as the latter can end up deadlocking.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/callback_proc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/callback_proc.c
++++ b/fs/nfs/callback_proc.c
+@@ -213,9 +213,9 @@ static u32 pnfs_check_callback_stateid(s
+ {
+ u32 oldseq, newseq;
+
+- /* Is the stateid still not initialised? */
++ /* Is the stateid not initialised? */
+ if (!pnfs_layout_is_valid(lo))
+- return NFS4ERR_DELAY;
++ return NFS4ERR_NOMATCHING_LAYOUT;
+
+ /* Mismatched stateid? */
+ if (!nfs4_stateid_match_other(&lo->plh_stateid, new))
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Mauricio Faria de Oliveira <mfo@canonical.com>
+Date: Wed, 25 Jul 2018 22:46:29 -0300
+Subject: partitions/aix: append null character to print data from disk
+
+From: Mauricio Faria de Oliveira <mfo@canonical.com>
+
+[ Upstream commit d43fdae7bac2def8c4314b5a49822cb7f08a45f1 ]
+
+Even if properly initialized, the lvname array (i.e., strings)
+is read from disk, and might contain corrupt data (e.g., lack
+the null terminating character for strings).
+
+So, make sure the partition name string used in pr_warn() has
+the null terminating character.
+
+Fixes: 6ceea22bbbc8 ("partitions: add aix lvm partition support files")
+Suggested-by: Daniel J. Axtens <daniel.axtens@canonical.com>
+Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/partitions/aix.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/block/partitions/aix.c
++++ b/block/partitions/aix.c
+@@ -282,10 +282,14 @@ int aix_partition(struct parsed_partitio
+ next_lp_ix += 1;
+ }
+ for (i = 0; i < state->limit; i += 1)
+- if (lvip[i].pps_found && !lvip[i].lv_is_contiguous)
++ if (lvip[i].pps_found && !lvip[i].lv_is_contiguous) {
++ char tmp[sizeof(n[i].name) + 1]; // null char
++
++ snprintf(tmp, sizeof(tmp), "%s", n[i].name);
+ pr_warn("partition %s (%u pp's found) is "
+ "not contiguous\n",
+- n[i].name, lvip[i].pps_found);
++ tmp, lvip[i].pps_found);
++ }
+ kfree(pvd);
+ }
+ kfree(n);
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Mauricio Faria de Oliveira <mfo@canonical.com>
+Date: Wed, 25 Jul 2018 22:46:28 -0300
+Subject: partitions/aix: fix usage of uninitialized lv_info and lvname structures
+
+From: Mauricio Faria de Oliveira <mfo@canonical.com>
+
+[ Upstream commit 14cb2c8a6c5dae57ee3e2da10fa3db2b9087e39e ]
+
+The if-block that sets a successful return value in aix_partition()
+uses 'lvip[].pps_per_lv' and 'n[].name' potentially uninitialized.
+
+For example, if 'numlvs' is zero or alloc_lvn() fails, neither is
+initialized, but are used anyway if alloc_pvd() succeeds after it.
+
+So, make the alloc_pvd() call conditional on their initialization.
+
+This has been hit when attaching an apparently corrupted/stressed
+AIX LUN, misleading the kernel to pr_warn() invalid data and hang.
+
+ [...] partition (null) (11 pp's found) is not contiguous
+ [...] partition (null) (2 pp's found) is not contiguous
+ [...] partition (null) (3 pp's found) is not contiguous
+ [...] partition (null) (64 pp's found) is not contiguous
+
+Fixes: 6ceea22bbbc8 ("partitions: add aix lvm partition support files")
+Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/partitions/aix.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/block/partitions/aix.c
++++ b/block/partitions/aix.c
+@@ -178,7 +178,7 @@ int aix_partition(struct parsed_partitio
+ u32 vgda_sector = 0;
+ u32 vgda_len = 0;
+ int numlvs = 0;
+- struct pvd *pvd;
++ struct pvd *pvd = NULL;
+ struct lv_info {
+ unsigned short pps_per_lv;
+ unsigned short pps_found;
+@@ -232,10 +232,11 @@ int aix_partition(struct parsed_partitio
+ if (lvip[i].pps_per_lv)
+ foundlvs += 1;
+ }
++ /* pvd loops depend on n[].name and lvip[].pps_per_lv */
++ pvd = alloc_pvd(state, vgda_sector + 17);
+ }
+ put_dev_sector(sect);
+ }
+- pvd = alloc_pvd(state, vgda_sector + 17);
+ if (pvd) {
+ int numpps = be16_to_cpu(pvd->pp_count);
+ int psn_part1 = be32_to_cpu(pvd->psn_part1);
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Tue, 24 Jul 2018 08:20:08 +0200
+Subject: perf c2c report: Fix crash for empty browser
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit 73978332572ccf5e364c31e9a70ba953f8202b46 ]
+
+'perf c2c' scans read/write accesses and tries to find false sharing
+cases, so when the events it wants were not asked for or ended up not
+taking place, we get no histograms.
+
+So do not try to display entry details if there's not any. Currently
+this ends up in crash:
+
+ $ perf c2c report # then press 'd'
+ perf: Segmentation fault
+ $
+
+Committer testing:
+
+Before:
+
+Record a perf.data file without events of interest to 'perf c2c report',
+then call it and press 'd':
+
+ # perf record sleep 1
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.001 MB perf.data (6 samples) ]
+ # perf c2c report
+ perf: Segmentation fault
+ -------- backtrace --------
+ perf[0x5b1d2a]
+ /lib64/libc.so.6(+0x346df)[0x7fcb566e36df]
+ perf[0x46fcae]
+ perf[0x4a9f1e]
+ perf[0x4aa220]
+ perf(main+0x301)[0x42c561]
+ /lib64/libc.so.6(__libc_start_main+0xe9)[0x7fcb566cff29]
+ perf(_start+0x29)[0x42c999]
+ #
+
+After the patch the segfault doesn't take place, a follow up patch to
+tell the user why nothing changes when 'd' is pressed would be good.
+
+Reported-by: rodia@autistici.org
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Don Zickus <dzickus@redhat.com>
+Cc: Joe Mario <jmario@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Fixes: f1c5fd4d0bb9 ("perf c2c report: Add TUI cacheline browser")
+Link: http://lkml.kernel.org/r/20180724062008.26126-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/builtin-c2c.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/tools/perf/builtin-c2c.c
++++ b/tools/perf/builtin-c2c.c
+@@ -2229,6 +2229,9 @@ static int perf_c2c__browse_cacheline(st
+ " s Togle full lenght of symbol and source line columns \n"
+ " q Return back to cacheline list \n";
+
++ if (!he)
++ return 0;
++
+ /* Display compact version first. */
+ c2c.symbol_full = false;
+
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Mon, 9 Jul 2018 07:15:22 -0700
+Subject: perf evlist: Fix error out while applying initial delay and LBR
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 95035c5e167ae6e740b1ddd30210ae0eaf39a5db ]
+
+'perf record' will error out if both --delay and LBR are applied.
+
+For example:
+
+ # perf record -D 1000 -a -e cycles -j any -- sleep 2
+ Error:
+ dummy:HG: PMU Hardware doesn't support sampling/overflow-interrupts.
+ Try 'perf stat'
+ #
+
+A dummy event is added implicitly for initial delay, which has the same
+configurations as real sampling events. The dummy event is a software
+event. If LBR is configured, perf must error out.
+
+The dummy event will only be used to track PERF_RECORD_MMAP while perf
+waits for the initial delay to enable the real events. The BRANCH_STACK
+bit can be safely cleared for the dummy event.
+
+After applying the patch:
+
+ # perf record -D 1000 -a -e cycles -j any -- sleep 2
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 1.054 MB perf.data (828 samples) ]
+ #
+
+Reported-by: Sunil K Pandey <sunil.k.pandey@intel.com>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/1531145722-16404-1-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/evsel.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -824,6 +824,12 @@ static void apply_config_terms(struct pe
+ }
+ }
+
++static bool is_dummy_event(struct perf_evsel *evsel)
++{
++ return (evsel->attr.type == PERF_TYPE_SOFTWARE) &&
++ (evsel->attr.config == PERF_COUNT_SW_DUMMY);
++}
++
+ /*
+ * The enable_on_exec/disabled value strategy:
+ *
+@@ -1054,6 +1060,14 @@ void perf_evsel__config(struct perf_evse
+ else
+ perf_evsel__reset_sample_bit(evsel, PERIOD);
+ }
++
++ /*
++ * For initial_delay, a dummy event is added implicitly.
++ * The software event will trigger -EOPNOTSUPP error out,
++ * if BRANCH_STACK bit is set.
++ */
++ if (opts->initial_delay && is_dummy_event(evsel))
++ perf_evsel__reset_sample_bit(evsel, BRANCH_STACK);
+ }
+
+ static int perf_evsel__alloc_fd(struct perf_evsel *evsel, int ncpus, int nthreads)
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Fri, 22 Sep 2017 13:20:43 +0200
+Subject: perf tools: Allow overriding MAX_NR_CPUS at compile time
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+[ Upstream commit 21b8732eb4479b579bda9ee38e62b2c312c2a0e5 ]
+
+After update of kernel, the perf tool doesn't run anymore on my 32MB RAM
+powerpc board, but still runs on a 128MB RAM board:
+
+ ~# strace perf
+ execve("/usr/sbin/perf", ["perf"], [/* 12 vars */]) = -1 ENOMEM (Cannot allocate memory)
+ --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
+ +++ killed by SIGSEGV +++
+ Segmentation fault
+
+objdump -x shows that .bss section has a huge size of 24Mbytes:
+
+ 27 .bss 016baca8 101cebb8 101cebb8 001cd988 2**3
+
+With especially the following objects having quite big size:
+
+ 10205f80 l O .bss 00140000 runtime_cycles_stats
+ 10345f80 l O .bss 00140000 runtime_stalled_cycles_front_stats
+ 10485f80 l O .bss 00140000 runtime_stalled_cycles_back_stats
+ 105c5f80 l O .bss 00140000 runtime_branches_stats
+ 10705f80 l O .bss 00140000 runtime_cacherefs_stats
+ 10845f80 l O .bss 00140000 runtime_l1_dcache_stats
+ 10985f80 l O .bss 00140000 runtime_l1_icache_stats
+ 10ac5f80 l O .bss 00140000 runtime_ll_cache_stats
+ 10c05f80 l O .bss 00140000 runtime_itlb_cache_stats
+ 10d45f80 l O .bss 00140000 runtime_dtlb_cache_stats
+ 10e85f80 l O .bss 00140000 runtime_cycles_in_tx_stats
+ 10fc5f80 l O .bss 00140000 runtime_transaction_stats
+ 11105f80 l O .bss 00140000 runtime_elision_stats
+ 11245f80 l O .bss 00140000 runtime_topdown_total_slots
+ 11385f80 l O .bss 00140000 runtime_topdown_slots_retired
+ 114c5f80 l O .bss 00140000 runtime_topdown_slots_issued
+ 11605f80 l O .bss 00140000 runtime_topdown_fetch_bubbles
+ 11745f80 l O .bss 00140000 runtime_topdown_recovery_bubbles
+
+This is due to commit 4d255766d28b1 ("perf: Bump max number of cpus
+to 1024"), because many tables are sized with MAX_NR_CPUS
+
+This patch gives the opportunity to redefine MAX_NR_CPUS via
+
+ $ make EXTRA_CFLAGS=-DMAX_NR_CPUS=1
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: linuxppc-dev@lists.ozlabs.org
+Link: http://lkml.kernel.org/r/20170922112043.8349468C57@po15668-vm-win7.idsi0.si.c-s.fr
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/perf.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/perf/perf.h
++++ b/tools/perf/perf.h
+@@ -24,7 +24,9 @@ static inline unsigned long long rdclock
+ return ts.tv_sec * 1000000000ULL + ts.tv_nsec;
+ }
+
++#ifndef MAX_NR_CPUS
+ #define MAX_NR_CPUS 1024
++#endif
+
+ extern const char *input_name;
+ extern bool perf_host, perf_guest;
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Daniel Kurtz <djkurtz@chromium.org>
+Date: Mon, 16 Jul 2018 18:57:18 -0600
+Subject: pinctrl/amd: only handle irq if it is pending and unmasked
+
+From: Daniel Kurtz <djkurtz@chromium.org>
+
+[ Upstream commit 8bbed1eef001fdfc0ee9595f64cc4f769d265af4 ]
+
+The AMD pinctrl driver demultiplexes GPIO interrupts and fires off their
+individual handlers.
+
+If one of these GPIO irqs is configured as a level interrupt, and its
+downstream handler is a threaded ONESHOT interrupt, the GPIO interrupt
+source is masked by handle_level_irq() until the eventual return of the
+threaded irq handler. During this time the level GPIO interrupt status
+will still report as high until the actual gpio source is cleared - both
+in the individual GPIO interrupt status bit (INTERRUPT_STS_OFF) and in
+its corresponding "WAKE_INT_STATUS_REG" bit.
+
+Thus, if another GPIO interrupt occurs during this time,
+amd_gpio_irq_handler() will see that the (masked-and-not-yet-cleared)
+level irq is still pending and incorrectly call its handler again.
+
+To fix this, have amd_gpio_irq_handler() check for both interrupts status
+and mask before calling generic_handle_irq().
+
+Note: Is it possible that this bug was the source of the interrupt storm
+on Ryzen when using chained interrupts before commit ba714a9c1dea85
+("pinctrl/amd: Use regular interrupt instead of chained")?
+
+Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-amd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinctrl-amd.c
++++ b/drivers/pinctrl/pinctrl-amd.c
+@@ -530,7 +530,8 @@ static irqreturn_t amd_gpio_irq_handler(
+ /* Each status bit covers four pins */
+ for (i = 0; i < 4; i++) {
+ regval = readl(regs + i);
+- if (!(regval & PIN_IRQ_PENDING))
++ if (!(regval & PIN_IRQ_PENDING) ||
++ !(regval & BIT(INTERRUPT_MASK_OFF)))
+ continue;
+ irq = irq_find_mapping(gc->irqdomain, irqnr + i);
+ generic_handle_irq(irq);
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 19 Jul 2018 11:16:48 +0300
+Subject: pinctrl: imx: off by one in imx_pinconf_group_dbg_show()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit b4859f3edb47825f62d1b2efdd75fe7945996f49 ]
+
+The > should really be >= here. It's harmless because
+pinctrl_generic_get_group() will return a NULL if group is invalid.
+
+Fixes: ae75ff814538 ("pinctrl: pinctrl-imx: add imx pinctrl core driver")
+Reported-by: Dong Aisheng <aisheng.dong@nxp.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/freescale/pinctrl-imx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/freescale/pinctrl-imx.c
++++ b/drivers/pinctrl/freescale/pinctrl-imx.c
+@@ -389,7 +389,7 @@ static void imx_pinconf_group_dbg_show(s
+ const char *name;
+ int i, ret;
+
+- if (group > pctldev->num_groups)
++ if (group >= pctldev->num_groups)
+ return;
+
+ seq_printf(s, "\n");
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Jinbum Park <jinb.park7@gmail.com>
+Date: Sat, 28 Jul 2018 13:20:44 +0900
+Subject: pktcdvd: Fix possible Spectre-v1 for pkt_devs
+
+From: Jinbum Park <jinb.park7@gmail.com>
+
+[ Upstream commit 55690c07b44a82cc3359ce0c233f4ba7d80ba145 ]
+
+User controls @dev_minor which to be used as index of pkt_devs.
+So, It can be exploited via Spectre-like attack. (speculative execution)
+
+This kind of attack leaks address of pkt_devs, [1]
+It leads an attacker to bypass security mechanism such as KASLR.
+
+So sanitize @dev_minor before using it to prevent attack.
+
+[1] https://github.com/jinb-park/linux-exploit/
+tree/master/exploit-remaining-spectre-gadget/leak_pkt_devs.c
+
+Signed-off-by: Jinbum Park <jinb.park7@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/pktcdvd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/pktcdvd.c
++++ b/drivers/block/pktcdvd.c
+@@ -67,7 +67,7 @@
+ #include <scsi/scsi.h>
+ #include <linux/debugfs.h>
+ #include <linux/device.h>
+-
++#include <linux/nospec.h>
+ #include <linux/uaccess.h>
+
+ #define DRIVER_NAME "pktcdvd"
+@@ -2231,6 +2231,8 @@ static struct pktcdvd_device *pkt_find_d
+ {
+ if (dev_minor >= MAX_WRITERS)
+ return NULL;
++
++ dev_minor = array_index_nospec(dev_minor, MAX_WRITERS);
+ return pkt_devs[dev_minor];
+ }
+
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Reza Arbab <arbab@linux.ibm.com>
+Date: Thu, 2 Aug 2018 23:03:36 -0500
+Subject: powerpc/powernv: Fix concurrency issue with npu->mmio_atsd_usage
+
+From: Reza Arbab <arbab@linux.ibm.com>
+
+[ Upstream commit 9eab9901b015f489199105c470de1ffc337cfabb ]
+
+We've encountered a performance issue when multiple processors stress
+{get,put}_mmio_atsd_reg(). These functions contend for
+mmio_atsd_usage, an unsigned long used as a bitmask.
+
+The accesses to mmio_atsd_usage are done using test_and_set_bit_lock()
+and clear_bit_unlock(). As implemented, both of these will require
+a (successful) stwcx to that same cache line.
+
+What we end up with is thread A, attempting to unlock, being slowed by
+other threads repeatedly attempting to lock. A's stwcx instructions
+fail and retry because the memory reservation is lost every time a
+different thread beats it to the punch.
+
+There may be a long-term way to fix this at a larger scale, but for
+now resolve the immediate problem by gating our call to
+test_and_set_bit_lock() with one to test_bit(), which is obviously
+implemented without using a store.
+
+Fixes: 1ab66d1fbada ("powerpc/powernv: Introduce address translation services for Nvlink2")
+Signed-off-by: Reza Arbab <arbab@linux.ibm.com>
+Acked-by: Alistair Popple <alistair@popple.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/npu-dma.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/npu-dma.c
++++ b/arch/powerpc/platforms/powernv/npu-dma.c
+@@ -427,8 +427,9 @@ static int get_mmio_atsd_reg(struct npu
+ int i;
+
+ for (i = 0; i < npu->mmio_atsd_count; i++) {
+- if (!test_and_set_bit_lock(i, &npu->mmio_atsd_usage))
+- return i;
++ if (!test_bit(i, &npu->mmio_atsd_usage))
++ if (!test_and_set_bit_lock(i, &npu->mmio_atsd_usage))
++ return i;
+ }
+
+ return -ENOSPC;
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Parav Pandit <parav@mellanox.com>
+Date: Mon, 16 Jul 2018 11:50:13 +0300
+Subject: RDMA/cma: Do not ignore net namespace for unbound cm_id
+
+From: Parav Pandit <parav@mellanox.com>
+
+[ Upstream commit 643d213a9a034fa04f5575a40dfc8548e33ce04f ]
+
+Currently if the cm_id is not bound to any netdevice, than for such cm_id,
+net namespace is ignored; which is incorrect.
+
+Regardless of cm_id bound to a netdevice or not, net namespace must
+match. When a cm_id is bound to a netdevice, in such case net namespace
+and netdevice both must match.
+
+Fixes: 4c21b5bcef73 ("IB/cma: Add net_dev and private data checks to RDMA CM")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/cma.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -1459,9 +1459,16 @@ static bool cma_match_net_dev(const stru
+ (addr->src_addr.ss_family == AF_IB ||
+ cma_protocol_roce_dev_port(id->device, port_num));
+
+- return !addr->dev_addr.bound_dev_if ||
+- (net_eq(dev_net(net_dev), addr->dev_addr.net) &&
+- addr->dev_addr.bound_dev_if == net_dev->ifindex);
++ /*
++ * Net namespaces must match, and if the listner is listening
++ * on a specific netdevice than netdevice must match as well.
++ */
++ if (net_eq(dev_net(net_dev), addr->dev_addr.net) &&
++ (!!addr->dev_addr.bound_dev_if ==
++ (addr->dev_addr.bound_dev_if == net_dev->ifindex)))
++ return true;
++ else
++ return false;
+ }
+
+ static struct rdma_id_private *cma_find_listener(
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Fri, 15 Jun 2018 10:59:39 +0100
+Subject: rpmsg: core: add support to power domains for devices
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit fe782affd0f440a4e60e2cc81b8f2eccb2923113 ]
+
+Some of the rpmsg devices need to switch on power domains to communicate
+with remote processor. For example on Qualcomm DB820c platform LPASS
+power domain needs to switched on for any kind of audio services.
+This patch adds the missing power domain support in rpmsg core.
+
+Without this patch attempting to play audio via QDSP on DB820c would
+reboot the system.
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rpmsg/rpmsg_core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/rpmsg/rpmsg_core.c
++++ b/drivers/rpmsg/rpmsg_core.c
+@@ -23,6 +23,7 @@
+ #include <linux/module.h>
+ #include <linux/rpmsg.h>
+ #include <linux/of_device.h>
++#include <linux/pm_domain.h>
+ #include <linux/slab.h>
+
+ #include "rpmsg_internal.h"
+@@ -418,6 +419,10 @@ static int rpmsg_dev_probe(struct device
+ struct rpmsg_endpoint *ept = NULL;
+ int err;
+
++ err = dev_pm_domain_attach(dev, true);
++ if (err)
++ goto out;
++
+ if (rpdrv->callback) {
+ strncpy(chinfo.name, rpdev->id.name, RPMSG_NAME_SIZE);
+ chinfo.src = rpdev->src;
+@@ -459,6 +464,8 @@ static int rpmsg_dev_remove(struct devic
+
+ rpdrv->remove(rpdev);
+
++ dev_pm_domain_detach(dev, true);
++
+ if (rpdev->ept)
+ rpmsg_destroy_ept(rpdev->ept);
+
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Fri, 27 Jul 2018 16:51:57 +0300
+Subject: scsi: 3ware: fix return 0 on the error path of probe
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+[ Upstream commit 4dc98c1995482262e70e83ef029135247fafe0f2 ]
+
+tw_probe() returns 0 in case of fail of tw_initialize_device_extension(),
+pci_resource_start() or tw_reset_sequence() and releases resources.
+twl_probe() returns 0 in case of fail of twl_initialize_device_extension(),
+pci_iomap() and twl_reset_sequence(). twa_probe() returns 0 in case of
+fail of tw_initialize_device_extension(), ioremap() and
+twa_reset_sequence().
+
+The patch adds retval initialization for these cases.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Acked-by: Adam Radford <aradford@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/3w-9xxx.c | 6 +++++-
+ drivers/scsi/3w-sas.c | 3 +++
+ drivers/scsi/3w-xxxx.c | 2 ++
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/3w-9xxx.c
++++ b/drivers/scsi/3w-9xxx.c
+@@ -2042,6 +2042,7 @@ static int twa_probe(struct pci_dev *pde
+
+ if (twa_initialize_device_extension(tw_dev)) {
+ TW_PRINTK(tw_dev->host, TW_DRIVER, 0x25, "Failed to initialize device extension");
++ retval = -ENOMEM;
+ goto out_free_device_extension;
+ }
+
+@@ -2064,6 +2065,7 @@ static int twa_probe(struct pci_dev *pde
+ tw_dev->base_addr = ioremap(mem_addr, mem_len);
+ if (!tw_dev->base_addr) {
+ TW_PRINTK(tw_dev->host, TW_DRIVER, 0x35, "Failed to ioremap");
++ retval = -ENOMEM;
+ goto out_release_mem_region;
+ }
+
+@@ -2071,8 +2073,10 @@ static int twa_probe(struct pci_dev *pde
+ TW_DISABLE_INTERRUPTS(tw_dev);
+
+ /* Initialize the card */
+- if (twa_reset_sequence(tw_dev, 0))
++ if (twa_reset_sequence(tw_dev, 0)) {
++ retval = -ENOMEM;
+ goto out_iounmap;
++ }
+
+ /* Set host specific parameters */
+ if ((pdev->device == PCI_DEVICE_ID_3WARE_9650SE) ||
+--- a/drivers/scsi/3w-sas.c
++++ b/drivers/scsi/3w-sas.c
+@@ -1597,6 +1597,7 @@ static int twl_probe(struct pci_dev *pde
+
+ if (twl_initialize_device_extension(tw_dev)) {
+ TW_PRINTK(tw_dev->host, TW_DRIVER, 0x1a, "Failed to initialize device extension");
++ retval = -ENOMEM;
+ goto out_free_device_extension;
+ }
+
+@@ -1611,6 +1612,7 @@ static int twl_probe(struct pci_dev *pde
+ tw_dev->base_addr = pci_iomap(pdev, 1, 0);
+ if (!tw_dev->base_addr) {
+ TW_PRINTK(tw_dev->host, TW_DRIVER, 0x1c, "Failed to ioremap");
++ retval = -ENOMEM;
+ goto out_release_mem_region;
+ }
+
+@@ -1620,6 +1622,7 @@ static int twl_probe(struct pci_dev *pde
+ /* Initialize the card */
+ if (twl_reset_sequence(tw_dev, 0)) {
+ TW_PRINTK(tw_dev->host, TW_DRIVER, 0x1d, "Controller reset failed during probe");
++ retval = -ENOMEM;
+ goto out_iounmap;
+ }
+
+--- a/drivers/scsi/3w-xxxx.c
++++ b/drivers/scsi/3w-xxxx.c
+@@ -2280,6 +2280,7 @@ static int tw_probe(struct pci_dev *pdev
+
+ if (tw_initialize_device_extension(tw_dev)) {
+ printk(KERN_WARNING "3w-xxxx: Failed to initialize device extension.");
++ retval = -ENOMEM;
+ goto out_free_device_extension;
+ }
+
+@@ -2294,6 +2295,7 @@ static int tw_probe(struct pci_dev *pdev
+ tw_dev->base_addr = pci_resource_start(pdev, 0);
+ if (!tw_dev->base_addr) {
+ printk(KERN_WARNING "3w-xxxx: Failed to get io address.");
++ retval = -ENOMEM;
+ goto out_release_mem_region;
+ }
+
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Mike Christie <mchristi@redhat.com>
+Date: Thu, 2 Aug 2018 12:12:20 -0500
+Subject: scsi: target: fix __transport_register_session locking
+
+From: Mike Christie <mchristi@redhat.com>
+
+[ Upstream commit 6a64f6e1591322beb8ce16e952a53582caf2a15c ]
+
+When __transport_register_session is called from transport_register_session
+irqs will already have been disabled, so we do not want the unlock irq call
+to enable them until the higher level has done the final
+spin_unlock_irqrestore/ spin_unlock_irq.
+
+This has __transport_register_session use the save/restore call.
+
+Signed-off-by: Mike Christie <mchristi@redhat.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_transport.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -317,6 +317,7 @@ void __transport_register_session(
+ {
+ const struct target_core_fabric_ops *tfo = se_tpg->se_tpg_tfo;
+ unsigned char buf[PR_REG_ISID_LEN];
++ unsigned long flags;
+
+ se_sess->se_tpg = se_tpg;
+ se_sess->fabric_sess_ptr = fabric_sess_ptr;
+@@ -353,7 +354,7 @@ void __transport_register_session(
+ se_sess->sess_bin_isid = get_unaligned_be64(&buf[0]);
+ }
+
+- spin_lock_irq(&se_nacl->nacl_sess_lock);
++ spin_lock_irqsave(&se_nacl->nacl_sess_lock, flags);
+ /*
+ * The se_nacl->nacl_sess pointer will be set to the
+ * last active I_T Nexus for each struct se_node_acl.
+@@ -362,7 +363,7 @@ void __transport_register_session(
+
+ list_add_tail(&se_sess->sess_acl_list,
+ &se_nacl->acl_sess_list);
+- spin_unlock_irq(&se_nacl->nacl_sess_lock);
++ spin_unlock_irqrestore(&se_nacl->nacl_sess_lock, flags);
+ }
+ list_add_tail(&se_sess->sess_list, &se_tpg->tpg_sess_list);
+
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Roman Gushchin <guro@fb.com>
+Date: Thu, 2 Aug 2018 15:47:10 -0700
+Subject: selftests/bpf: fix a typo in map in map test
+
+From: Roman Gushchin <guro@fb.com>
+
+[ Upstream commit 0069fb854364da79fd99236ea620affc8e1152d5 ]
+
+Commit fbeb1603bf4e ("bpf: verifier: MOV64 don't mark dst reg unbounded")
+revealed a typo in commit fb30d4b71214 ("bpf: Add tests for map-in-map"):
+BPF_MOV64_REG(BPF_REG_0, 0) was used instead of
+BPF_MOV64_IMM(BPF_REG_0, 0).
+
+I've noticed the problem by running bpf kselftests.
+
+Fixes: fb30d4b71214 ("bpf: Add tests for map-in-map")
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Cc: Arthur Fabre <afabre@cloudflare.com>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/test_verifier.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/tools/testing/selftests/bpf/test_verifier.c
++++ b/tools/testing/selftests/bpf/test_verifier.c
+@@ -5895,7 +5895,7 @@ static struct bpf_test tests[] = {
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+ BPF_FUNC_map_lookup_elem),
+- BPF_MOV64_REG(BPF_REG_0, 0),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+ .fixup_map_in_map = { 3 },
+@@ -5918,7 +5918,7 @@ static struct bpf_test tests[] = {
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+ BPF_FUNC_map_lookup_elem),
+- BPF_MOV64_REG(BPF_REG_0, 0),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+ .fixup_map_in_map = { 3 },
+@@ -5941,7 +5941,7 @@ static struct bpf_test tests[] = {
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+ BPF_FUNC_map_lookup_elem),
+- BPF_MOV64_REG(BPF_REG_0, 0),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+ .fixup_map_in_map = { 3 },
x86-microcode-make-sure-boot_cpu_data.microcode-is-up-to-date.patch
x86-microcode-update-the-new-microcode-revision-unconditionally.patch
switchtec-fix-spectre-v1-vulnerability.patch
+crypto-aes-generic-fix-aes-generic-regression-on-powerpc.patch
+tpm-separate-cmd_ready-go_idle-from-runtime_pm.patch
+arc-enable-swap.patch
+misc-mic-scif-fix-scif_get_new_port-error-handling.patch
+ethtool-remove-trailing-semicolon-for-static-inline.patch
+i2c-aspeed-add-an-explicit-type-casting-for-get_clk_reg_val.patch
+bluetooth-h5-fix-missing-dependency-on-bt_hciuart_serdev.patch
+gpio-tegra-move-driver-registration-to-subsys_init-level.patch
+powerpc-powernv-fix-concurrency-issue-with-npu-mmio_atsd_usage.patch
+selftests-bpf-fix-a-typo-in-map-in-map-test.patch
+media-davinci-vpif_display-mix-memory-leak-on-probe-error-path.patch
+media-dw2102-fix-memleak-on-sequence-of-probes.patch
+net-phy-fix-the-register-offsets-in-broadcom-iproc-mdio-mux-driver.patch
+blk-mq-fix-updating-tags-depth.patch
+scsi-target-fix-__transport_register_session-locking.patch
+md-raid5-fix-data-corruption-of-replacements-after-originals-dropped.patch
+timers-clear-timer_base-must_forward_clk-with-timer_base-lock-held.patch
+media-camss-csid-configure-data-type-and-decode-format-properly.patch
+gpu-ipu-v3-default-to-id-0-on-missing-of-alias.patch
+misc-ti-st-fix-memory-leak-in-the-error-path-of-probe.patch
+uio-potential-double-frees-if-__uio_register_device-fails.patch
+firmware-vpd-fix-section-enabled-flag-on-vpd_section_destroy.patch
+drivers-hv-vmbus-cleanup-synic-memory-free-path.patch
+tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch
+f2fs-fix-to-active-page-in-lru-list-for-read-path.patch
+f2fs-do-not-set-free-of-current-section.patch
+f2fs-fix-defined-but-not-used-build-warnings.patch
+perf-tools-allow-overriding-max_nr_cpus-at-compile-time.patch
+nfsv4.0-fix-client-reference-leak-in-callback.patch
+perf-c2c-report-fix-crash-for-empty-browser.patch
+perf-evlist-fix-error-out-while-applying-initial-delay-and-lbr.patch
+macintosh-via-pmu-add-missing-mmio-accessors.patch
+ath9k-report-tx-status-on-eosp.patch
+ath9k_hw-fix-channel-maximum-power-level-test.patch
+ath10k-prevent-active-scans-on-potential-unusable-channels.patch
+wlcore-set-rx_status-boottime_ns-field-on-rx.patch
+rpmsg-core-add-support-to-power-domains-for-devices.patch
+mips-fix-isa-virt-bus-conversion-for-non-zero-phys_offset.patch
+ata-libahci-allow-reconfigure-of-devslp-register.patch
+ata-libahci-correct-setting-of-devslp-register.patch
+scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch
+tools-testing-nvdimm-kaddr-and-pfn-can-be-null-to-direct_access.patch
+ath10k-disable-bundle-mgmt-tx-completion-event-support.patch
+bluetooth-hidp-fix-handling-of-strncpy-for-hid-name-information.patch
+x86-mm-remove-in_nmi-warning-from-vmalloc_fault.patch
+x86-kexec-allocate-8k-pgds-for-pti.patch
+pinctrl-imx-off-by-one-in-imx_pinconf_group_dbg_show.patch
+gpio-ml-ioh-fix-buffer-underwrite-on-probe-error-path.patch
+pinctrl-amd-only-handle-irq-if-it-is-pending-and-unmasked.patch
+net-mvneta-fix-mtu-change-on-port-without-link.patch
+f2fs-try-grabbing-node-page-lock-aggressively-in-sync-scenario.patch
+pktcdvd-fix-possible-spectre-v1-for-pkt_devs.patch
+f2fs-fix-to-skip-gc-if-type-in-ssa-and-sit-is-inconsistent.patch
+tpm_tis_spi-pass-the-spi-irq-down-to-the-driver.patch
+tpm-tpm_i2c_infineon-switch-to-i2c_lock_bus-...-i2c_lock_segment.patch
+f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of-inline-inode.patch
+mips-octeon-add-missing-of_node_put.patch
+mips-generic-fix-missing-of_node_put.patch
+net-dcb-for-wild-card-lookups-use-priority-1-not-0.patch
+dm-cache-only-allow-a-single-io_mode-cache-feature-to-be-requested.patch
+input-atmel_mxt_ts-only-use-first-t9-instance.patch
+media-s5p-mfc-fix-buffer-look-up-in-s5p_mfc_handle_frame_-new-copy_time-functions.patch
+partitions-aix-append-null-character-to-print-data-from-disk.patch
+partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch
+media-helene-fix-xtal-frequency-setting-at-power-on.patch
+f2fs-fix-to-wait-on-page-writeback-before-updating-page.patch
+f2fs-fix-uninitialized-return-in-f2fs_ioc_shutdown.patch
+iommu-ipmmu-vmsa-fix-allocation-in-atomic-context.patch
+mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch
+f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch
+nfsv4.1-fix-a-potential-layoutget-layoutrecall-deadlock.patch
+mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch
+rdma-cma-do-not-ignore-net-namespace-for-unbound-cm_id.patch
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Gaurav Kohli <gkohli@codeaurora.org>
+Date: Thu, 2 Aug 2018 14:21:03 +0530
+Subject: timers: Clear timer_base::must_forward_clk with timer_base::lock held
+
+From: Gaurav Kohli <gkohli@codeaurora.org>
+
+[ Upstream commit 363e934d8811d799c88faffc5bfca782fd728334 ]
+
+timer_base::must_forward_clock is indicating that the base clock might be
+stale due to a long idle sleep.
+
+The forwarding of the base clock takes place in the timer softirq or when a
+timer is enqueued to a base which is idle. If the enqueue of timer to an
+idle base happens from a remote CPU, then the following race can happen:
+
+ CPU0 CPU1
+ run_timer_softirq mod_timer
+
+ base = lock_timer_base(timer);
+ base->must_forward_clk = false
+ if (base->must_forward_clk)
+ forward(base); -> skipped
+
+ enqueue_timer(base, timer, idx);
+ -> idx is calculated high due to
+ stale base
+ unlock_timer_base(timer);
+ base = lock_timer_base(timer);
+ forward(base);
+
+The root cause is that timer_base::must_forward_clk is cleared outside the
+timer_base::lock held region, so the remote queuing CPU observes it as
+cleared, but the base clock is still stale. This can cause large
+granularity values for timers, i.e. the accuracy of the expiry time
+suffers.
+
+Prevent this by clearing the flag with timer_base::lock held, so that the
+forwarding takes place before the cleared flag is observable by a remote
+CPU.
+
+Signed-off-by: Gaurav Kohli <gkohli@codeaurora.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: john.stultz@linaro.org
+Cc: sboyd@kernel.org
+Cc: linux-arm-msm@vger.kernel.org
+Link: https://lkml.kernel.org/r/1533199863-22748-1-git-send-email-gkohli@codeaurora.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/time/timer.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -1609,6 +1609,22 @@ static inline void __run_timers(struct t
+
+ raw_spin_lock_irq(&base->lock);
+
++ /*
++ * timer_base::must_forward_clk must be cleared before running
++ * timers so that any timer functions that call mod_timer() will
++ * not try to forward the base. Idle tracking / clock forwarding
++ * logic is only used with BASE_STD timers.
++ *
++ * The must_forward_clk flag is cleared unconditionally also for
++ * the deferrable base. The deferrable base is not affected by idle
++ * tracking and never forwarded, so clearing the flag is a NOOP.
++ *
++ * The fact that the deferrable base is never forwarded can cause
++ * large variations in granularity for deferrable timers, but they
++ * can be deferred for long periods due to idle anyway.
++ */
++ base->must_forward_clk = false;
++
+ while (time_after_eq(jiffies, base->clk)) {
+
+ levels = collect_expired_timers(base, heads);
+@@ -1628,19 +1644,6 @@ static __latent_entropy void run_timer_s
+ {
+ struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
+
+- /*
+- * must_forward_clk must be cleared before running timers so that any
+- * timer functions that call mod_timer will not try to forward the
+- * base. idle trcking / clock forwarding logic is only used with
+- * BASE_STD timers.
+- *
+- * The deferrable base does not do idle tracking at all, so we do
+- * not forward it. This can result in very large variations in
+- * granularity for deferrable timers, but they can be deferred for
+- * long periods due to idle.
+- */
+- base->must_forward_clk = false;
+-
+ __run_timers(base);
+ if (IS_ENABLED(CONFIG_NO_HZ_COMMON))
+ __run_timers(this_cpu_ptr(&timer_bases[BASE_DEF]));
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Huaisheng Ye <yehs1@lenovo.com>
+Date: Mon, 30 Jul 2018 15:15:45 +0800
+Subject: tools/testing/nvdimm: kaddr and pfn can be NULL to ->direct_access()
+
+From: Huaisheng Ye <yehs1@lenovo.com>
+
+[ Upstream commit 45df5d3dc0c7289c1e67afe6d2ba806ad5174314 ]
+
+The mock / test version of pmem_direct_access() needs to check the
+validity of pointers kaddr and pfn for NULL assignment. If anyone
+equals to NULL, it doesn't need to calculate the value.
+
+If pointer equals to NULL, that is to say callers may have no need for
+kaddr or pfn, so this patch is prepared for allowing them to pass in
+NULL instead of having to pass in a local pointer or variable that
+they then just throw away.
+
+Suggested-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Huaisheng Ye <yehs1@lenovo.com>
+Reviewed-by: Ross Zwisler <ross.zwisler@linux.intel.com>
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/nvdimm/pmem-dax.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/nvdimm/pmem-dax.c
++++ b/tools/testing/nvdimm/pmem-dax.c
+@@ -31,17 +31,21 @@ long __pmem_direct_access(struct pmem_de
+ if (get_nfit_res(pmem->phys_addr + offset)) {
+ struct page *page;
+
+- *kaddr = pmem->virt_addr + offset;
++ if (kaddr)
++ *kaddr = pmem->virt_addr + offset;
+ page = vmalloc_to_page(pmem->virt_addr + offset);
+- *pfn = page_to_pfn_t(page);
++ if (pfn)
++ *pfn = page_to_pfn_t(page);
+ pr_debug_ratelimited("%s: pmem: %p pgoff: %#lx pfn: %#lx\n",
+ __func__, pmem, pgoff, page_to_pfn(page));
+
+ return 1;
+ }
+
+- *kaddr = pmem->virt_addr + offset;
+- *pfn = phys_to_pfn_t(pmem->phys_addr + offset, pmem->pfn_flags);
++ if (kaddr)
++ *kaddr = pmem->virt_addr + offset;
++ if (pfn)
++ *pfn = phys_to_pfn_t(pmem->phys_addr + offset, pmem->pfn_flags);
+
+ /*
+ * If badblocks are present, limit known good range to the
--- /dev/null
+From 627448e85c766587f6fdde1ea3886d6615081c77 Mon Sep 17 00:00:00 2001
+From: Tomas Winkler <tomas.winkler@intel.com>
+Date: Thu, 28 Jun 2018 18:13:33 +0300
+Subject: tpm: separate cmd_ready/go_idle from runtime_pm
+
+From: Tomas Winkler <tomas.winkler@intel.com>
+
+commit 627448e85c766587f6fdde1ea3886d6615081c77 upstream.
+
+Fix tpm ptt initialization error:
+tpm tpm0: A TPM error (378) occurred get tpm pcr allocation.
+
+We cannot use go_idle cmd_ready commands via runtime_pm handles
+as with the introduction of localities this is no longer an optional
+feature, while runtime pm can be not enabled.
+Though cmd_ready/go_idle provides a power saving, it's also a part of
+TPM2 protocol and should be called explicitly.
+This patch exposes cmd_read/go_idle via tpm class ops and removes
+runtime pm support as it is not used by any driver.
+
+When calling from nested context always use both flags:
+TPM_TRANSMIT_UNLOCKED and TPM_TRANSMIT_RAW. Both are needed to resolve
+tpm spaces and locality request recursive calls to tpm_transmit().
+TPM_TRANSMIT_RAW should never be used standalone as it will fail
+on double locking. While TPM_TRANSMIT_UNLOCKED standalone should be
+called from non-recursive locked contexts.
+
+New wrappers are added tpm_cmd_ready() and tpm_go_idle() to
+streamline tpm_try_transmit code.
+
+tpm_crb no longer needs own power saving functions and can drop using
+tpm_pm_suspend/resume.
+
+This patch cannot be really separated from the locality fix.
+Fixes: 888d867df441 (tpm: cmd_ready command can be issued only after granting locality)
+
+Cc: stable@vger.kernel.org
+Fixes: 888d867df441 (tpm: cmd_ready command can be issued only after granting locality)
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm-interface.c | 50 +++++++++++++++----
+ drivers/char/tpm/tpm.h | 12 +++-
+ drivers/char/tpm/tpm2-space.c | 16 +++---
+ drivers/char/tpm/tpm_crb.c | 101 ++++++++++-----------------------------
+ include/linux/tpm.h | 2
+ 5 files changed, 90 insertions(+), 91 deletions(-)
+
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -369,10 +369,13 @@ err_len:
+ return -EINVAL;
+ }
+
+-static int tpm_request_locality(struct tpm_chip *chip)
++static int tpm_request_locality(struct tpm_chip *chip, unsigned int flags)
+ {
+ int rc;
+
++ if (flags & TPM_TRANSMIT_RAW)
++ return 0;
++
+ if (!chip->ops->request_locality)
+ return 0;
+
+@@ -385,10 +388,13 @@ static int tpm_request_locality(struct t
+ return 0;
+ }
+
+-static void tpm_relinquish_locality(struct tpm_chip *chip)
++static void tpm_relinquish_locality(struct tpm_chip *chip, unsigned int flags)
+ {
+ int rc;
+
++ if (flags & TPM_TRANSMIT_RAW)
++ return;
++
+ if (!chip->ops->relinquish_locality)
+ return;
+
+@@ -399,6 +405,28 @@ static void tpm_relinquish_locality(stru
+ chip->locality = -1;
+ }
+
++static int tpm_cmd_ready(struct tpm_chip *chip, unsigned int flags)
++{
++ if (flags & TPM_TRANSMIT_RAW)
++ return 0;
++
++ if (!chip->ops->cmd_ready)
++ return 0;
++
++ return chip->ops->cmd_ready(chip);
++}
++
++static int tpm_go_idle(struct tpm_chip *chip, unsigned int flags)
++{
++ if (flags & TPM_TRANSMIT_RAW)
++ return 0;
++
++ if (!chip->ops->go_idle)
++ return 0;
++
++ return chip->ops->go_idle(chip);
++}
++
+ static ssize_t tpm_try_transmit(struct tpm_chip *chip,
+ struct tpm_space *space,
+ u8 *buf, size_t bufsiz,
+@@ -449,14 +477,15 @@ static ssize_t tpm_try_transmit(struct t
+ /* Store the decision as chip->locality will be changed. */
+ need_locality = chip->locality == -1;
+
+- if (!(flags & TPM_TRANSMIT_RAW) && need_locality) {
+- rc = tpm_request_locality(chip);
++ if (need_locality) {
++ rc = tpm_request_locality(chip, flags);
+ if (rc < 0)
+ goto out_no_locality;
+ }
+
+- if (chip->dev.parent)
+- pm_runtime_get_sync(chip->dev.parent);
++ rc = tpm_cmd_ready(chip, flags);
++ if (rc)
++ goto out;
+
+ rc = tpm2_prepare_space(chip, space, ordinal, buf);
+ if (rc)
+@@ -516,13 +545,16 @@ out_recv:
+ }
+
+ rc = tpm2_commit_space(chip, space, ordinal, buf, &len);
++ if (rc)
++ dev_err(&chip->dev, "tpm2_commit_space: error %d\n", rc);
+
+ out:
+- if (chip->dev.parent)
+- pm_runtime_put_sync(chip->dev.parent);
++ rc = tpm_go_idle(chip, flags);
++ if (rc)
++ goto out;
+
+ if (need_locality)
+- tpm_relinquish_locality(chip);
++ tpm_relinquish_locality(chip, flags);
+
+ out_no_locality:
+ if (chip->ops->clk_enable != NULL)
+--- a/drivers/char/tpm/tpm.h
++++ b/drivers/char/tpm/tpm.h
+@@ -511,9 +511,17 @@ extern const struct file_operations tpm_
+ extern const struct file_operations tpmrm_fops;
+ extern struct idr dev_nums_idr;
+
++/**
++ * enum tpm_transmit_flags
++ *
++ * @TPM_TRANSMIT_UNLOCKED: used to lock sequence of tpm_transmit calls.
++ * @TPM_TRANSMIT_RAW: prevent recursive calls into setup steps
++ * (go idle, locality,..). Always use with UNLOCKED
++ * as it will fail on double locking.
++ */
+ enum tpm_transmit_flags {
+- TPM_TRANSMIT_UNLOCKED = BIT(0),
+- TPM_TRANSMIT_RAW = BIT(1),
++ TPM_TRANSMIT_UNLOCKED = BIT(0),
++ TPM_TRANSMIT_RAW = BIT(1),
+ };
+
+ ssize_t tpm_transmit(struct tpm_chip *chip, struct tpm_space *space,
+--- a/drivers/char/tpm/tpm2-space.c
++++ b/drivers/char/tpm/tpm2-space.c
+@@ -39,7 +39,8 @@ static void tpm2_flush_sessions(struct t
+ for (i = 0; i < ARRAY_SIZE(space->session_tbl); i++) {
+ if (space->session_tbl[i])
+ tpm2_flush_context_cmd(chip, space->session_tbl[i],
+- TPM_TRANSMIT_UNLOCKED);
++ TPM_TRANSMIT_UNLOCKED |
++ TPM_TRANSMIT_RAW);
+ }
+ }
+
+@@ -84,7 +85,7 @@ static int tpm2_load_context(struct tpm_
+ tpm_buf_append(&tbuf, &buf[*offset], body_size);
+
+ rc = tpm_transmit_cmd(chip, NULL, tbuf.data, PAGE_SIZE, 4,
+- TPM_TRANSMIT_UNLOCKED, NULL);
++ TPM_TRANSMIT_UNLOCKED | TPM_TRANSMIT_RAW, NULL);
+ if (rc < 0) {
+ dev_warn(&chip->dev, "%s: failed with a system error %d\n",
+ __func__, rc);
+@@ -133,7 +134,7 @@ static int tpm2_save_context(struct tpm_
+ tpm_buf_append_u32(&tbuf, handle);
+
+ rc = tpm_transmit_cmd(chip, NULL, tbuf.data, PAGE_SIZE, 0,
+- TPM_TRANSMIT_UNLOCKED, NULL);
++ TPM_TRANSMIT_UNLOCKED | TPM_TRANSMIT_RAW, NULL);
+ if (rc < 0) {
+ dev_warn(&chip->dev, "%s: failed with a system error %d\n",
+ __func__, rc);
+@@ -170,7 +171,8 @@ static void tpm2_flush_space(struct tpm_
+ for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++)
+ if (space->context_tbl[i] && ~space->context_tbl[i])
+ tpm2_flush_context_cmd(chip, space->context_tbl[i],
+- TPM_TRANSMIT_UNLOCKED);
++ TPM_TRANSMIT_UNLOCKED |
++ TPM_TRANSMIT_RAW);
+
+ tpm2_flush_sessions(chip, space);
+ }
+@@ -377,7 +379,8 @@ static int tpm2_map_response_header(stru
+
+ return 0;
+ out_no_slots:
+- tpm2_flush_context_cmd(chip, phandle, TPM_TRANSMIT_UNLOCKED);
++ tpm2_flush_context_cmd(chip, phandle,
++ TPM_TRANSMIT_UNLOCKED | TPM_TRANSMIT_RAW);
+ dev_warn(&chip->dev, "%s: out of slots for 0x%08X\n", __func__,
+ phandle);
+ return -ENOMEM;
+@@ -465,7 +468,8 @@ static int tpm2_save_space(struct tpm_ch
+ return rc;
+
+ tpm2_flush_context_cmd(chip, space->context_tbl[i],
+- TPM_TRANSMIT_UNLOCKED);
++ TPM_TRANSMIT_UNLOCKED |
++ TPM_TRANSMIT_RAW);
+ space->context_tbl[i] = ~0;
+ }
+
+--- a/drivers/char/tpm/tpm_crb.c
++++ b/drivers/char/tpm/tpm_crb.c
+@@ -137,7 +137,7 @@ static bool crb_wait_for_reg_32(u32 __io
+ }
+
+ /**
+- * crb_go_idle - request tpm crb device to go the idle state
++ * __crb_go_idle - request tpm crb device to go the idle state
+ *
+ * @dev: crb device
+ * @priv: crb private data
+@@ -151,7 +151,7 @@ static bool crb_wait_for_reg_32(u32 __io
+ *
+ * Return: 0 always
+ */
+-static int crb_go_idle(struct device *dev, struct crb_priv *priv)
++static int __crb_go_idle(struct device *dev, struct crb_priv *priv)
+ {
+ if ((priv->flags & CRB_FL_ACPI_START) ||
+ (priv->flags & CRB_FL_CRB_SMC_START))
+@@ -166,11 +166,20 @@ static int crb_go_idle(struct device *de
+ dev_warn(dev, "goIdle timed out\n");
+ return -ETIME;
+ }
++
+ return 0;
+ }
+
++static int crb_go_idle(struct tpm_chip *chip)
++{
++ struct device *dev = &chip->dev;
++ struct crb_priv *priv = dev_get_drvdata(dev);
++
++ return __crb_go_idle(dev, priv);
++}
++
+ /**
+- * crb_cmd_ready - request tpm crb device to enter ready state
++ * __crb_cmd_ready - request tpm crb device to enter ready state
+ *
+ * @dev: crb device
+ * @priv: crb private data
+@@ -183,7 +192,7 @@ static int crb_go_idle(struct device *de
+ *
+ * Return: 0 on success -ETIME on timeout;
+ */
+-static int crb_cmd_ready(struct device *dev, struct crb_priv *priv)
++static int __crb_cmd_ready(struct device *dev, struct crb_priv *priv)
+ {
+ if ((priv->flags & CRB_FL_ACPI_START) ||
+ (priv->flags & CRB_FL_CRB_SMC_START))
+@@ -201,6 +210,14 @@ static int crb_cmd_ready(struct device *
+ return 0;
+ }
+
++static int crb_cmd_ready(struct tpm_chip *chip)
++{
++ struct device *dev = &chip->dev;
++ struct crb_priv *priv = dev_get_drvdata(dev);
++
++ return __crb_cmd_ready(dev, priv);
++}
++
+ static int __crb_request_locality(struct device *dev,
+ struct crb_priv *priv, int loc)
+ {
+@@ -393,6 +410,8 @@ static const struct tpm_class_ops tpm_cr
+ .send = crb_send,
+ .cancel = crb_cancel,
+ .req_canceled = crb_req_canceled,
++ .go_idle = crb_go_idle,
++ .cmd_ready = crb_cmd_ready,
+ .request_locality = crb_request_locality,
+ .relinquish_locality = crb_relinquish_locality,
+ .req_complete_mask = CRB_DRV_STS_COMPLETE,
+@@ -508,7 +527,7 @@ static int crb_map_io(struct acpi_device
+ * PTT HW bug w/a: wake up the device to access
+ * possibly not retained registers.
+ */
+- ret = crb_cmd_ready(dev, priv);
++ ret = __crb_cmd_ready(dev, priv);
+ if (ret)
+ return ret;
+
+@@ -553,7 +572,7 @@ out:
+ if (!ret)
+ priv->cmd_size = cmd_size;
+
+- crb_go_idle(dev, priv);
++ __crb_go_idle(dev, priv);
+
+ __crb_relinquish_locality(dev, priv, 0);
+
+@@ -624,32 +643,7 @@ static int crb_acpi_add(struct acpi_devi
+ chip->acpi_dev_handle = device->handle;
+ chip->flags = TPM_CHIP_FLAG_TPM2;
+
+- rc = __crb_request_locality(dev, priv, 0);
+- if (rc)
+- return rc;
+-
+- rc = crb_cmd_ready(dev, priv);
+- if (rc)
+- goto out;
+-
+- pm_runtime_get_noresume(dev);
+- pm_runtime_set_active(dev);
+- pm_runtime_enable(dev);
+-
+- rc = tpm_chip_register(chip);
+- if (rc) {
+- crb_go_idle(dev, priv);
+- pm_runtime_put_noidle(dev);
+- pm_runtime_disable(dev);
+- goto out;
+- }
+-
+- pm_runtime_put_sync(dev);
+-
+-out:
+- __crb_relinquish_locality(dev, priv, 0);
+-
+- return rc;
++ return tpm_chip_register(chip);
+ }
+
+ static int crb_acpi_remove(struct acpi_device *device)
+@@ -659,52 +653,11 @@ static int crb_acpi_remove(struct acpi_d
+
+ tpm_chip_unregister(chip);
+
+- pm_runtime_disable(dev);
+-
+ return 0;
+ }
+
+-static int __maybe_unused crb_pm_runtime_suspend(struct device *dev)
+-{
+- struct tpm_chip *chip = dev_get_drvdata(dev);
+- struct crb_priv *priv = dev_get_drvdata(&chip->dev);
+-
+- return crb_go_idle(dev, priv);
+-}
+-
+-static int __maybe_unused crb_pm_runtime_resume(struct device *dev)
+-{
+- struct tpm_chip *chip = dev_get_drvdata(dev);
+- struct crb_priv *priv = dev_get_drvdata(&chip->dev);
+-
+- return crb_cmd_ready(dev, priv);
+-}
+-
+-static int __maybe_unused crb_pm_suspend(struct device *dev)
+-{
+- int ret;
+-
+- ret = tpm_pm_suspend(dev);
+- if (ret)
+- return ret;
+-
+- return crb_pm_runtime_suspend(dev);
+-}
+-
+-static int __maybe_unused crb_pm_resume(struct device *dev)
+-{
+- int ret;
+-
+- ret = crb_pm_runtime_resume(dev);
+- if (ret)
+- return ret;
+-
+- return tpm_pm_resume(dev);
+-}
+-
+ static const struct dev_pm_ops crb_pm = {
+- SET_SYSTEM_SLEEP_PM_OPS(crb_pm_suspend, crb_pm_resume)
+- SET_RUNTIME_PM_OPS(crb_pm_runtime_suspend, crb_pm_runtime_resume, NULL)
++ SET_SYSTEM_SLEEP_PM_OPS(tpm_pm_suspend, tpm_pm_resume)
+ };
+
+ static const struct acpi_device_id crb_device_ids[] = {
+--- a/include/linux/tpm.h
++++ b/include/linux/tpm.h
+@@ -48,6 +48,8 @@ struct tpm_class_ops {
+ u8 (*status) (struct tpm_chip *chip);
+ bool (*update_timeouts)(struct tpm_chip *chip,
+ unsigned long *timeout_cap);
++ int (*go_idle)(struct tpm_chip *chip);
++ int (*cmd_ready)(struct tpm_chip *chip);
+ int (*request_locality)(struct tpm_chip *chip, int loc);
+ int (*relinquish_locality)(struct tpm_chip *chip, int loc);
+ void (*clk_enable)(struct tpm_chip *chip, bool value);
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Peter Rosin <peda@axentia.se>
+Date: Wed, 20 Jun 2018 07:17:54 +0200
+Subject: tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
+
+From: Peter Rosin <peda@axentia.se>
+
+[ Upstream commit bb853aac2c478ce78116128263801189408ad2a8 ]
+
+Locking the root adapter for __i2c_transfer will deadlock if the
+device sits behind a mux-locked I2C mux. Switch to the finer-grained
+i2c_lock_bus with the I2C_LOCK_SEGMENT flag. If the device does not
+sit behind a mux-locked mux, the two locking variants are equivalent.
+
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Tested-by: Alexander Steffen <Alexander.Steffen@infineon.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm_i2c_infineon.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/tpm/tpm_i2c_infineon.c
++++ b/drivers/char/tpm/tpm_i2c_infineon.c
+@@ -117,7 +117,7 @@ static int iic_tpm_read(u8 addr, u8 *buf
+ /* Lock the adapter for the duration of the whole sequence. */
+ if (!tpm_dev.client->adapter->algo->master_xfer)
+ return -EOPNOTSUPP;
+- i2c_lock_adapter(tpm_dev.client->adapter);
++ i2c_lock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT);
+
+ if (tpm_dev.chip_type == SLB9645) {
+ /* use a combined read for newer chips
+@@ -192,7 +192,7 @@ static int iic_tpm_read(u8 addr, u8 *buf
+ }
+
+ out:
+- i2c_unlock_adapter(tpm_dev.client->adapter);
++ i2c_unlock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT);
+ /* take care of 'guard time' */
+ usleep_range(SLEEP_DURATION_LOW, SLEEP_DURATION_HI);
+
+@@ -224,7 +224,7 @@ static int iic_tpm_write_generic(u8 addr
+
+ if (!tpm_dev.client->adapter->algo->master_xfer)
+ return -EOPNOTSUPP;
+- i2c_lock_adapter(tpm_dev.client->adapter);
++ i2c_lock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT);
+
+ /* prepend the 'register address' to the buffer */
+ tpm_dev.buf[0] = addr;
+@@ -243,7 +243,7 @@ static int iic_tpm_write_generic(u8 addr
+ usleep_range(sleep_low, sleep_hi);
+ }
+
+- i2c_unlock_adapter(tpm_dev.client->adapter);
++ i2c_unlock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT);
+ /* take care of 'guard time' */
+ usleep_range(SLEEP_DURATION_LOW, SLEEP_DURATION_HI);
+
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Fri, 8 Jun 2018 09:09:07 +0200
+Subject: tpm_tis_spi: Pass the SPI IRQ down to the driver
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 1a339b658d9dbe1471f67b78237cf8fa08bbbeb5 ]
+
+An SPI TPM device managed directly on an embedded board using
+the SPI bus and some GPIO or similar line as IRQ handler will
+pass the IRQn from the TPM device associated with the SPI
+device. This is already handled by the SPI core, so make sure
+to pass this down to the core as well.
+
+(The TPM core habit of using -1 to signal no IRQ is dubious
+(as IRQ 0 is NO_IRQ) but I do not want to mess with that
+semantic in this patch.)
+
+Cc: Mark Brown <broonie@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm_tis_spi.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm_tis_spi.c
++++ b/drivers/char/tpm/tpm_tis_spi.c
+@@ -188,6 +188,7 @@ static const struct tpm_tis_phy_ops tpm_
+ static int tpm_tis_spi_probe(struct spi_device *dev)
+ {
+ struct tpm_tis_spi_phy *phy;
++ int irq;
+
+ phy = devm_kzalloc(&dev->dev, sizeof(struct tpm_tis_spi_phy),
+ GFP_KERNEL);
+@@ -200,7 +201,13 @@ static int tpm_tis_spi_probe(struct spi_
+ if (!phy->iobuf)
+ return -ENOMEM;
+
+- return tpm_tis_core_init(&dev->dev, &phy->priv, -1, &tpm_spi_phy_ops,
++ /* If the SPI device has an IRQ then use that */
++ if (dev->irq > 0)
++ irq = dev->irq;
++ else
++ irq = -1;
++
++ return tpm_tis_core_init(&dev->dev, &phy->priv, irq, &tpm_spi_phy_ops,
+ NULL);
+ }
+
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Fri, 27 Jul 2018 16:39:31 +0300
+Subject: tty: rocket: Fix possible buffer overwrite on register_PCI
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+[ Upstream commit 0419056ec8fd01ddf5460d2dba0491aad22657dd ]
+
+If number of isa and pci boards exceed NUM_BOARDS on the path
+rp_init()->init_PCI()->register_PCI() then buffer overwrite occurs
+in register_PCI() on assign rcktpt_io_addr[i].
+
+The patch adds check on upper bound for index of registered
+board in register_PCI.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/rocket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/rocket.c
++++ b/drivers/tty/rocket.c
+@@ -1894,7 +1894,7 @@ static __init int register_PCI(int i, st
+ ByteIO_t UPCIRingInd = 0;
+
+ if (!dev || !pci_match_id(rocket_pci_ids, dev) ||
+- pci_enable_device(dev))
++ pci_enable_device(dev) || i >= NUM_BOARDS)
+ return 0;
+
+ rcktpt_io_addr[i] = pci_resource_start(dev, 0);
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 2 Aug 2018 11:24:47 +0300
+Subject: uio: potential double frees if __uio_register_device() fails
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit f019f07ecf6a6b8bd6d7853bce70925d90af02d1 ]
+
+The uio_unregister_device() function assumes that if "info->uio_dev" is
+non-NULL that means "info" is fully allocated. Setting info->uio_de
+has to be the last thing in the function.
+
+In the current code, if request_threaded_irq() fails then we return with
+info->uio_dev set to non-NULL but info is not fully allocated and it can
+lead to double frees.
+
+Fixes: beafc54c4e2f ("UIO: Add the User IO core code")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uio/uio.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -841,8 +841,6 @@ int __uio_register_device(struct module
+ if (ret)
+ goto err_uio_dev_add_attributes;
+
+- info->uio_dev = idev;
+-
+ if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) {
+ /*
+ * Note that we deliberately don't use devm_request_irq
+@@ -858,6 +856,7 @@ int __uio_register_device(struct module
+ goto err_request_irq;
+ }
+
++ info->uio_dev = idev;
+ return 0;
+
+ err_request_irq:
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Loic Poulain <loic.poulain@linaro.org>
+Date: Fri, 27 Jul 2018 18:30:23 +0200
+Subject: wlcore: Set rx_status boottime_ns field on rx
+
+From: Loic Poulain <loic.poulain@linaro.org>
+
+[ Upstream commit 37a634f60fd6dfbda2c312657eec7ef0750546e7 ]
+
+When receiving a beacon or probe response, we should update the
+boottime_ns field which is the timestamp the frame was received at.
+(cf mac80211.h)
+
+This fixes a scanning issue with Android since it relies on this
+timestamp to determine when the AP has been seen for the last time
+(via the nl80211 BSS_LAST_SEEN_BOOTTIME parameter).
+
+Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ti/wlcore/rx.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ti/wlcore/rx.c
++++ b/drivers/net/wireless/ti/wlcore/rx.c
+@@ -59,7 +59,7 @@ static u32 wlcore_rx_get_align_buf_size(
+ static void wl1271_rx_status(struct wl1271 *wl,
+ struct wl1271_rx_descriptor *desc,
+ struct ieee80211_rx_status *status,
+- u8 beacon)
++ u8 beacon, u8 probe_rsp)
+ {
+ memset(status, 0, sizeof(struct ieee80211_rx_status));
+
+@@ -106,6 +106,9 @@ static void wl1271_rx_status(struct wl12
+ }
+ }
+
++ if (beacon || probe_rsp)
++ status->boottime_ns = ktime_get_boot_ns();
++
+ if (beacon)
+ wlcore_set_pending_regdomain_ch(wl, (u16)desc->channel,
+ status->band);
+@@ -191,7 +194,8 @@ static int wl1271_rx_handle_data(struct
+ if (ieee80211_is_data_present(hdr->frame_control))
+ is_data = 1;
+
+- wl1271_rx_status(wl, desc, IEEE80211_SKB_RXCB(skb), beacon);
++ wl1271_rx_status(wl, desc, IEEE80211_SKB_RXCB(skb), beacon,
++ ieee80211_is_probe_resp(hdr->frame_control));
+ wlcore_hw_set_rx_csum(wl, desc, skb);
+
+ seq_num = (le16_to_cpu(hdr->seq_ctrl) & IEEE80211_SCTL_SEQ) >> 4;
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Joerg Roedel <jroedel@suse.de>
+Date: Wed, 25 Jul 2018 17:48:03 +0200
+Subject: x86/kexec: Allocate 8k PGDs for PTI
+
+From: Joerg Roedel <jroedel@suse.de>
+
+[ Upstream commit ca38dc8f2724d101038b1205122c93a1c7f38f11 ]
+
+Fuzzing the PTI-x86-32 code with trinity showed unhandled
+kernel paging request oops-messages that looked a lot like
+silent data corruption.
+
+Lot's of debugging and testing lead to the kexec-32bit code,
+which is still allocating 4k PGDs when PTI is enabled. But
+since it uses native_set_pud() to build the page-table, it
+will unevitably call into __pti_set_user_pgtbl(), which
+writes beyond the allocated 4k page.
+
+Use PGD_ALLOCATION_ORDER to allocate PGDs in the kexec code
+to fix the issue.
+
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: David H. Gutteridge <dhgutteridge@sympatico.ca>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: linux-mm@kvack.org
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Jiri Kosina <jkosina@suse.cz>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: David Laight <David.Laight@aculab.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: Eduardo Valentin <eduval@amazon.com>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: aliguori@amazon.com
+Cc: daniel.gruss@iaik.tugraz.at
+Cc: hughd@google.com
+Cc: keescook@google.com
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Waiman Long <llong@redhat.com>
+Cc: Pavel Machek <pavel@ucw.cz>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: joro@8bytes.org
+Link: https://lkml.kernel.org/r/1532533683-5988-4-git-send-email-joro@8bytes.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/machine_kexec_32.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/machine_kexec_32.c
++++ b/arch/x86/kernel/machine_kexec_32.c
+@@ -56,7 +56,7 @@ static void load_segments(void)
+
+ static void machine_kexec_free_page_tables(struct kimage *image)
+ {
+- free_page((unsigned long)image->arch.pgd);
++ free_pages((unsigned long)image->arch.pgd, PGD_ALLOCATION_ORDER);
+ image->arch.pgd = NULL;
+ #ifdef CONFIG_X86_PAE
+ free_page((unsigned long)image->arch.pmd0);
+@@ -72,7 +72,8 @@ static void machine_kexec_free_page_tabl
+
+ static int machine_kexec_alloc_page_tables(struct kimage *image)
+ {
+- image->arch.pgd = (pgd_t *)get_zeroed_page(GFP_KERNEL);
++ image->arch.pgd = (pgd_t *)__get_free_pages(GFP_KERNEL | __GFP_ZERO,
++ PGD_ALLOCATION_ORDER);
+ #ifdef CONFIG_X86_PAE
+ image->arch.pmd0 = (pmd_t *)get_zeroed_page(GFP_KERNEL);
+ image->arch.pmd1 = (pmd_t *)get_zeroed_page(GFP_KERNEL);
--- /dev/null
+From foo@baz Mon Sep 17 12:33:31 CEST 2018
+From: Joerg Roedel <jroedel@suse.de>
+Date: Wed, 25 Jul 2018 17:48:01 +0200
+Subject: x86/mm: Remove in_nmi() warning from vmalloc_fault()
+
+From: Joerg Roedel <jroedel@suse.de>
+
+[ Upstream commit 6863ea0cda8725072522cd78bda332d9a0b73150 ]
+
+It is perfectly okay to take page-faults, especially on the
+vmalloc area while executing an NMI handler. Remove the
+warning.
+
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: David H. Gutteridge <dhgutteridge@sympatico.ca>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: linux-mm@kvack.org
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Jiri Kosina <jkosina@suse.cz>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: David Laight <David.Laight@aculab.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: Eduardo Valentin <eduval@amazon.com>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: aliguori@amazon.com
+Cc: daniel.gruss@iaik.tugraz.at
+Cc: hughd@google.com
+Cc: keescook@google.com
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Waiman Long <llong@redhat.com>
+Cc: Pavel Machek <pavel@ucw.cz>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: joro@8bytes.org
+Link: https://lkml.kernel.org/r/1532533683-5988-2-git-send-email-joro@8bytes.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/fault.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -317,8 +317,6 @@ static noinline int vmalloc_fault(unsign
+ if (!(address >= VMALLOC_START && address < VMALLOC_END))
+ return -1;
+
+- WARN_ON_ONCE(in_nmi());
+-
+ /*
+ * Synchronize this task's top level page-table
+ * with the 'reference' page table.
projects / thirdparty / kernel / stable-queue.git / commitdiff
