--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 2 Jan 2018 16:26:31 +0100
+Subject: ACPI: EC: Fix debugfs_create_*() usage
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+
+[ Upstream commit 3522f867c13b63cf62acdf1b8ca5664c549a716a ]
+
+acpi_ec.gpe is "unsigned long", hence treating it as "u32" would expose
+the wrong half on big-endian 64-bit systems. Fix this by changing its
+type to "u32" and removing the cast, as all other code already uses u32
+or sometimes even only u8.
+
+Fixes: 1195a098168fcacf (ACPI: Provide /sys/kernel/debug/ec/...)
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/ec.c | 2 +-
+ drivers/acpi/ec_sys.c | 2 +-
+ drivers/acpi/internal.h | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -1518,7 +1518,7 @@ static int acpi_ec_setup(struct acpi_ec
+ }
+
+ acpi_handle_info(ec->handle,
+- "GPE=0x%lx, EC_CMD/EC_SC=0x%lx, EC_DATA=0x%lx\n",
++ "GPE=0x%x, EC_CMD/EC_SC=0x%lx, EC_DATA=0x%lx\n",
+ ec->gpe, ec->command_addr, ec->data_addr);
+ return ret;
+ }
+--- a/drivers/acpi/ec_sys.c
++++ b/drivers/acpi/ec_sys.c
+@@ -128,7 +128,7 @@ static int acpi_ec_add_debugfs(struct ac
+ return -ENOMEM;
+ }
+
+- if (!debugfs_create_x32("gpe", 0444, dev_dir, (u32 *)&first_ec->gpe))
++ if (!debugfs_create_x32("gpe", 0444, dev_dir, &first_ec->gpe))
+ goto error;
+ if (!debugfs_create_bool("use_global_lock", 0444, dev_dir,
+ &first_ec->global_lock))
+--- a/drivers/acpi/internal.h
++++ b/drivers/acpi/internal.h
+@@ -158,7 +158,7 @@ static inline void acpi_early_processor_
+ -------------------------------------------------------------------------- */
+ struct acpi_ec {
+ acpi_handle handle;
+- unsigned long gpe;
++ u32 gpe;
+ unsigned long command_addr;
+ unsigned long data_addr;
+ bool global_lock;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 23 Dec 2017 19:41:47 +0100
+Subject: ACPI / video: Default lcd_only to true on Win8-ready and newer machines
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit 5928c281524fe451114e04f1dfa11246a37e859f ]
+
+We're seeing a lot of bogus backlight interfaces on newer machines without
+a LCD such as desktops, servers and HDMI sticks. This causes userspace to
+show a non-functional brightness slider in e.g. the GNOME3 system menu,
+which is undesirable. And, in general, we should simply just not register
+a non functional backlight interface.
+
+Checking the LCD flag causes the bogus acpi_video backlight interfaces to
+go away (on the machines this was tested on).
+
+This change sets the lcd_only option by default on any machines which
+are Win8-ready, to fix this.
+
+This is not entirely without a risk of regressions, but video_detect.c
+already prefers native-backlight interfaces over the acpi_video one
+on Win8-ready machines, calling acpi_video_unregister_backlight() as soon
+as a native interface shows up. This is done because the ACPI backlight
+interface often is broken on Win8-ready machines, because win8 does not
+seem to actually use it.
+
+So in practice we already end up not registering the ACPI backlight
+interface on (most) Win8-ready machines with a LCD panel, thus this
+change does not change anything for (most) machines with a LCD panel
+and on machines without a LCD panel we actually don't want to register
+any backlight interfaces.
+
+This has been tested on the following machines and fixes a bogus backlight
+interface showing up there:
+ - Desktop with an Asrock B150M Pro4S/D3 m.b. using i5-6500 builtin gfx
+ - Intel Compute Stick STK1AW32SC
+ - Meegopad T08 HDMI stick
+
+Bogus backlight interfaces have also been reported on:
+ - Desktop with Asus H87I-Plus m.b.
+ - Desktop with ASRock B75M-ITX m.b.
+ - Desktop with Gigabyte Z87-D3HP m.b.
+ - Dell PowerEdge T20 desktop
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1097436
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1133327
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1133329
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1133646
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpi_video.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/acpi_video.c
++++ b/drivers/acpi/acpi_video.c
+@@ -87,8 +87,8 @@ MODULE_PARM_DESC(report_key_events,
+ static bool device_id_scheme = false;
+ module_param(device_id_scheme, bool, 0444);
+
+-static bool only_lcd = false;
+-module_param(only_lcd, bool, 0444);
++static int only_lcd = -1;
++module_param(only_lcd, int, 0444);
+
+ static int register_count;
+ static DEFINE_MUTEX(register_count_mutex);
+@@ -2082,6 +2082,16 @@ int acpi_video_register(void)
+ goto leave;
+ }
+
++ /*
++ * We're seeing a lot of bogus backlight interfaces on newer machines
++ * without a LCD such as desktops, servers and HDMI sticks. Checking
++ * the lcd flag fixes this, so enable this on any machines which are
++ * win8 ready (where we also prefer the native backlight driver, so
++ * normally the acpi_video code should not register there anyways).
++ */
++ if (only_lcd == -1)
++ only_lcd = acpi_osi_is_win8();
++
+ dmi_check_system(video_dmi_table);
+
+ ret = acpi_bus_register_driver(&acpi_video_bus);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Bob Moore <robert.moore@intel.com>
+Date: Mon, 5 Jun 2017 16:40:34 +0800
+Subject: ACPICA: Disassembler: Abort on an invalid/unknown AML opcode
+
+From: Bob Moore <robert.moore@intel.com>
+
+
+[ Upstream commit 6f0527b77d9e0129dd8e50945b0d610ed943d6b2 ]
+
+ACPICA commit ed0389cb11a61e63c568ac1f67948fc6a7bd1aeb
+
+An invalid opcode indicates something seriously wrong with the
+input AML file. The AML parser is immediately confused and lost,
+causing the resulting parse tree to be ill-formed. The actual
+disassembly can then cause numerous unrelated errors and faults.
+
+This change aborts the disassembly upon discovery of such an
+opcode during the AML parse phase.
+
+Link: https://github.com/acpica/acpica/commit/ed0389cb
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Lv Zheng <lv.zheng@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpica/psobject.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/acpi/acpica/psobject.c
++++ b/drivers/acpi/acpica/psobject.c
+@@ -121,6 +121,9 @@ static acpi_status acpi_ps_get_aml_opcod
+ (u32)(aml_offset +
+ sizeof(struct acpi_table_header)));
+
++ ACPI_ERROR((AE_INFO,
++ "Aborting disassembly, AML byte code is corrupt"));
++
+ /* Dump the context surrounding the invalid opcode */
+
+ acpi_ut_dump_buffer(((u8 *)walk_state->parser_state.
+@@ -129,6 +132,14 @@ static acpi_status acpi_ps_get_aml_opcod
+ sizeof(struct acpi_table_header) -
+ 16));
+ acpi_os_printf(" */\n");
++
++ /*
++ * Just abort the disassembly, cannot continue because the
++ * parser is essentially lost. The disassembler can then
++ * randomly fail because an ill-constructed parse tree
++ * can result.
++ */
++ return_ACPI_STATUS(AE_AML_BAD_OPCODE);
+ #endif
+ }
+
+@@ -293,6 +304,9 @@ acpi_ps_create_op(struct acpi_walk_state
+ if (status == AE_CTRL_PARSE_CONTINUE) {
+ return_ACPI_STATUS(AE_CTRL_PARSE_CONTINUE);
+ }
++ if (ACPI_FAILURE(status)) {
++ return_ACPI_STATUS(status);
++ }
+
+ /* Create Op structure and append to parent's argument list */
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Lv Zheng <lv.zheng@intel.com>
+Date: Mon, 5 Jun 2017 16:40:02 +0800
+Subject: ACPICA: Events: Add runtime stub support for event APIs
+
+From: Lv Zheng <lv.zheng@intel.com>
+
+
+[ Upstream commit 861ba6351c520328e94a78c923b415faa9116287 ]
+
+ACPICA commit 99bc3beca92c6574ea1d69de42e54f872e6373ce
+
+It is reported that on Linux, RTC driver complains wrong errors on
+hardware reduced platform:
+ [ 4.085420] ACPI Warning: Could not enable fixed event - real_time_clock (4) (20160422/evxface-654)
+
+This patch fixes this by correctly adding runtime reduced hardware check.
+Reported by Chandan Tagore, fixed by Lv Zheng.
+
+Link: https://github.com/acpica/acpica/commit/99bc3bec
+Tested-by: Chandan Tagore <tagore.chandan@gmail.com>
+Signed-off-by: Lv Zheng <lv.zheng@intel.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpica/evxfevnt.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/acpi/acpica/evxfevnt.c
++++ b/drivers/acpi/acpica/evxfevnt.c
+@@ -180,6 +180,12 @@ acpi_status acpi_enable_event(u32 event,
+
+ ACPI_FUNCTION_TRACE(acpi_enable_event);
+
++ /* If Hardware Reduced flag is set, there are no fixed events */
++
++ if (acpi_gbl_reduced_hardware) {
++ return_ACPI_STATUS(AE_OK);
++ }
++
+ /* Decode the Fixed Event */
+
+ if (event > ACPI_EVENT_MAX) {
+@@ -237,6 +243,12 @@ acpi_status acpi_disable_event(u32 event
+
+ ACPI_FUNCTION_TRACE(acpi_disable_event);
+
++ /* If Hardware Reduced flag is set, there are no fixed events */
++
++ if (acpi_gbl_reduced_hardware) {
++ return_ACPI_STATUS(AE_OK);
++ }
++
+ /* Decode the Fixed Event */
+
+ if (event > ACPI_EVENT_MAX) {
+@@ -290,6 +302,12 @@ acpi_status acpi_clear_event(u32 event)
+
+ ACPI_FUNCTION_TRACE(acpi_clear_event);
+
++ /* If Hardware Reduced flag is set, there are no fixed events */
++
++ if (acpi_gbl_reduced_hardware) {
++ return_ACPI_STATUS(AE_OK);
++ }
++
+ /* Decode the Fixed Event */
+
+ if (event > ACPI_EVENT_MAX) {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Lv Zheng <lv.zheng@intel.com>
+Date: Mon, 5 Jun 2017 16:39:56 +0800
+Subject: ACPICA: OSL: Add support to exclude stdarg.h
+
+From: Lv Zheng <lv.zheng@intel.com>
+
+
+[ Upstream commit 84676b87b27d8aefafb9f712a5b444938f284513 ]
+
+ACPICA commit e2df7455a9a4301b03668e4c9c02c7a564cc841c
+
+Some hosts may choose not to include stdarg.h, implementing a
+configurability in acgcc.h, allowing OSen like Solaris to exclude stdarg.h.
+This patch also fixes acintel.h accordingly without providing builtin
+support as Intel compiler is similar as GCC. Reported by Dana Myers, fixed
+by Lv Zheng.
+
+Link: https://github.com/acpica/acpica/commit/e2df7455
+Reported-by: Dana Myers <dana.myers@oracle.com>
+Signed-off-by: Lv Zheng <lv.zheng@intel.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/acpi/platform/acgcc.h | 10 ++++++++++
+ include/acpi/platform/acintel.h | 2 ++
+ 2 files changed, 12 insertions(+)
+
+--- a/include/acpi/platform/acgcc.h
++++ b/include/acpi/platform/acgcc.h
+@@ -48,7 +48,17 @@
+ * Use compiler specific <stdarg.h> is a good practice for even when
+ * -nostdinc is specified (i.e., ACPI_USE_STANDARD_HEADERS undefined.
+ */
++#ifndef va_arg
++#ifdef ACPI_USE_BUILTIN_STDARG
++typedef __builtin_va_list va_list;
++#define va_start(v, l) __builtin_va_start(v, l)
++#define va_end(v) __builtin_va_end(v)
++#define va_arg(v, l) __builtin_va_arg(v, l)
++#define va_copy(d, s) __builtin_va_copy(d, s)
++#else
+ #include <stdarg.h>
++#endif
++#endif
+
+ #define ACPI_INLINE __inline__
+
+--- a/include/acpi/platform/acintel.h
++++ b/include/acpi/platform/acintel.h
+@@ -48,7 +48,9 @@
+ * Use compiler specific <stdarg.h> is a good practice for even when
+ * -nostdinc is specified (i.e., ACPI_USE_STANDARD_HEADERS undefined.
+ */
++#ifndef va_arg
+ #include <stdarg.h>
++#endif
+
+ /* Configuration specific to Intel 64-bit C compiler */
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Fri, 5 May 2017 07:40:42 +0200
+Subject: af_key: Fix slab-out-of-bounds in pfkey_compile_policy.
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+
+[ Upstream commit d90c902449a7561f1b1d58ba5a0d11728ce8b0b2 ]
+
+The sadb_x_sec_len is stored in the unit 'byte divided by eight'.
+So we have to multiply this value by eight before we can do
+size checks. Otherwise we may get a slab-out-of-bounds when
+we memcpy the user sec_ctx.
+
+Fixes: df71837d502 ("[LSM-IPSec]: Security association restriction.")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/key/af_key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -3305,7 +3305,7 @@ static struct xfrm_policy *pfkey_compile
+ p += pol->sadb_x_policy_len*8;
+ sec_ctx = (struct sadb_x_sec_ctx *)p;
+ if (len < pol->sadb_x_policy_len*8 +
+- sec_ctx->sadb_x_sec_len) {
++ sec_ctx->sadb_x_sec_len*8) {
+ *dir = -EINVAL;
+ goto out;
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Suman Anna <s-anna@ti.com>
+Date: Tue, 16 May 2017 17:13:45 -0500
+Subject: ARM: davinci: da8xx: Create DSP device only when assigned memory
+
+From: Suman Anna <s-anna@ti.com>
+
+
+[ Upstream commit f97f03578b997a8ec2b9bc4928f958a865137268 ]
+
+The DSP device on Davinci platforms does not have an MMU and requires
+specific DDR memory to boot. This memory is reserved using the rproc_mem
+kernel boot parameter and is assigned to the device on non-DT boots.
+The remoteproc core uses the DMA API and so will fall back to assigning
+random memory if this memory is not assigned to the device, but the DSP
+remote processor boot will not be successful in such cases. So, check
+that memory has been reserved and assigned to the device specifically
+before even creating the DSP device.
+
+Signed-off-by: Suman Anna <s-anna@ti.com>
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-davinci/devices-da8xx.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/arm/mach-davinci/devices-da8xx.c
++++ b/arch/arm/mach-davinci/devices-da8xx.c
+@@ -821,6 +821,8 @@ static struct platform_device da8xx_dsp
+ .resource = da8xx_rproc_resources,
+ };
+
++static bool rproc_mem_inited __initdata;
++
+ #if IS_ENABLED(CONFIG_DA8XX_REMOTEPROC)
+
+ static phys_addr_t rproc_base __initdata;
+@@ -859,6 +861,8 @@ void __init da8xx_rproc_reserve_cma(void
+ ret = dma_declare_contiguous(&da8xx_dsp.dev, rproc_size, rproc_base, 0);
+ if (ret)
+ pr_err("%s: dma_declare_contiguous failed %d\n", __func__, ret);
++ else
++ rproc_mem_inited = true;
+ }
+
+ #else
+@@ -873,6 +877,12 @@ int __init da8xx_register_rproc(void)
+ {
+ int ret;
+
++ if (!rproc_mem_inited) {
++ pr_warn("%s: memory not reserved for DSP, not registering DSP device\n",
++ __func__);
++ return -ENOMEM;
++ }
++
+ ret = platform_device_register(&da8xx_dsp);
+ if (ret)
+ pr_err("%s: can't register DSP device: %d\n", __func__, ret);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Thu, 1 Jun 2017 12:27:00 +0200
+Subject: ARM: dts: armadillo800eva: Split LCD mux and gpio
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+
+[ Upstream commit 13132b3f44d3600983aceb7e9920b8ebb55a7cf8 ]
+
+Configuration of the lcd0 pinmux group and GPIO hog for the external
+GPIO mux are done using a single device node, causing the "output-high"
+property to be applied to both. This will fail for the pinmux group,
+but doesn't cause any harm, as the failure is ignored silently.
+
+However, after "pinctrl: sh-pfc: propagate errors on group config", the
+failure will become fatal, leading to a broken display:
+
+ sh-pfc e6050000.pin-controller: pin_config_group_set op failed for group 102
+ sh-pfc e6050000.pin-controller: Error applying setting, reverse things back
+ sh-pfc e6050000.pin-controller: failed to select default state
+
+Move the GPIO hog to its own node to fix this.
+
+Fixes: ffd2f9a5afb730b9 ("ARM: shmobile: armadillo800eva dts: Add pinctrl and gpio-hog for lcdc0")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/r8a7740-armadillo800eva.dts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/boot/dts/r8a7740-armadillo800eva.dts
++++ b/arch/arm/boot/dts/r8a7740-armadillo800eva.dts
+@@ -266,7 +266,9 @@
+ lcd0_pins: lcd0 {
+ groups = "lcd0_data24_0", "lcd0_lclk_1", "lcd0_sync";
+ function = "lcd0";
++ };
+
++ lcd0_mux {
+ /* DBGMD/LCDC0/FSIA MUX */
+ gpio-hog;
+ gpios = <176 0>;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Fabio Estevam <fabio.estevam@nxp.com>
+Date: Wed, 12 Apr 2017 18:31:18 -0300
+Subject: ARM: dts: imx53-qsrb: Pulldown PMIC IRQ pin
+
+From: Fabio Estevam <fabio.estevam@nxp.com>
+
+
+[ Upstream commit 2fe4bff3516924a37e083e3211364abe59db1161 ]
+
+Currently the following errors are seen:
+
+[ 14.015056] mc13xxx 0-0008: Failed to read IRQ status: -6
+[ 27.321093] mc13xxx 0-0008: Failed to read IRQ status: -6
+[ 27.411681] mc13xxx 0-0008: Failed to read IRQ status: -6
+[ 27.456281] mc13xxx 0-0008: Failed to read IRQ status: -6
+[ 30.527106] mc13xxx 0-0008: Failed to read IRQ status: -6
+[ 36.596900] mc13xxx 0-0008: Failed to read IRQ status: -6
+
+Also when reading the interrupts via 'cat /proc/interrupts' the
+PMIC GPIO interrupt counter does not stop increasing.
+
+The reason for the storm of interrupts is that the PUS field of
+register IOMUXC_SW_PAD_CTL_PAD_CSI0_DAT5 is currently configured as:
+10 : 100k pullup
+
+and the PMIC interrupt is being registered as IRQ_TYPE_LEVEL_HIGH type,
+which is the correct type as per the MC34708 datasheet.
+
+Use the default power on value for the IOMUX, which sets PUS field as:
+00: 360k pull down
+
+This prevents the spurious PMIC interrupts from happening.
+
+Commit e1ffceb078c6 ("ARM: imx53: qsrb: fix PMIC interrupt level")
+correctly described the irq type as IRQ_TYPE_LEVEL_HIGH, but
+missed to update the IOMUX of the PMIC GPIO as pull down.
+
+Fixes: e1ffceb078c6 ("ARM: imx53: qsrb: fix PMIC interrupt level")
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/imx53-qsrb.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/imx53-qsrb.dts
++++ b/arch/arm/boot/dts/imx53-qsrb.dts
+@@ -23,7 +23,7 @@
+ imx53-qsrb {
+ pinctrl_pmic: pmicgrp {
+ fsl,pins = <
+- MX53_PAD_CSI0_DAT5__GPIO5_23 0x1e4 /* IRQ */
++ MX53_PAD_CSI0_DAT5__GPIO5_23 0x1c4 /* IRQ */
+ >;
+ };
+ };
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Fabio Estevam <fabio.estevam@nxp.com>
+Date: Sun, 14 May 2017 11:50:50 -0300
+Subject: ARM: dts: imx6qdl-wandboard: Fix audio channel swap
+
+From: Fabio Estevam <fabio.estevam@nxp.com>
+
+
+[ Upstream commit 79935915300c5eb88a0e94fa9148a7505c14a02a ]
+
+When running a stress playback/stop loop test on a mx6wandboard channel
+swaps can be noticed randomly.
+
+Increasing the SGTL5000 LRCLK pad strength to its maximum value fixes
+the issue, so add the 'lrclk-strength' property to avoid the audio
+channel swaps.
+
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/imx6qdl-wandboard.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/imx6qdl-wandboard.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-wandboard.dtsi
+@@ -88,6 +88,7 @@
+ clocks = <&clks IMX6QDL_CLK_CKO>;
+ VDDA-supply = <®_2p5v>;
+ VDDIO-supply = <®_3p3v>;
++ lrclk-strength = <3>;
+ };
+ };
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Date: Thu, 16 Nov 2017 13:15:26 +0100
+Subject: ARM: dts: ls1021a: add "fsl,ls1021a-esdhc" compatible string to esdhc node
+
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+
+
+[ Upstream commit d5c7b4d5ac2237a6da7ced3adfe6b8bf769f8cc6 ]
+
+Commit a22950c888e3 (mmc: sdhci-of-esdhc: add quirk
+SDHCI_QUIRK_BROKEN_TIMEOUT_VAL for ls1021a) added logic to the driver to
+enable the broken timeout val quirk for ls1021a, but did not add the
+corresponding compatible string to the device tree, so it didn't really
+have any effect. Fix that.
+
+Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/ls1021a.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/ls1021a.dtsi
++++ b/arch/arm/boot/dts/ls1021a.dtsi
+@@ -146,7 +146,7 @@
+ };
+
+ esdhc: esdhc@1560000 {
+- compatible = "fsl,esdhc";
++ compatible = "fsl,ls1021a-esdhc", "fsl,esdhc";
+ reg = <0x0 0x1560000 0x0 0x10000>;
+ interrupts = <GIC_SPI 94 IRQ_TYPE_LEVEL_HIGH>;
+ clock-frequency = <0>;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Christian Lamparter <chunkeey@googlemail.com>
+Date: Tue, 2 May 2017 21:19:24 +0200
+Subject: ARM: dts: qcom: ipq4019: fix i2c_0 node
+
+From: Christian Lamparter <chunkeey@googlemail.com>
+
+
+[ Upstream commit 650df439cfb96c303328935559b2d06127a5a0b0 ]
+
+This patch fixes two typos in the i2c_0 node for the ipq4019.
+The reg property length is just 0x600. The core clock is
+GCC_BLSP1_QUP1_I2C_APPS_CLK. GCC_BLSP1_QUP2_I2C_APPS_CLK is
+used by the second i2c.
+
+Fixes: e76b4284b520ba3 ("qcom: ipq4019: add i2c node to ipq4019 SoC and DK01 device tree")
+Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
+Signed-off-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/qcom-ipq4019.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/qcom-ipq4019.dtsi
++++ b/arch/arm/boot/dts/qcom-ipq4019.dtsi
+@@ -154,10 +154,10 @@
+
+ i2c_0: i2c@78b7000 {
+ compatible = "qcom,i2c-qup-v2.2.1";
+- reg = <0x78b7000 0x6000>;
++ reg = <0x78b7000 0x600>;
+ interrupts = <GIC_SPI 97 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&gcc GCC_BLSP1_AHB_CLK>,
+- <&gcc GCC_BLSP1_QUP2_I2C_APPS_CLK>;
++ <&gcc GCC_BLSP1_QUP1_I2C_APPS_CLK>;
+ clock-names = "iface", "core";
+ #address-cells = <1>;
+ #size-cells = <0>;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Sugar Zhang <sugar.zhang@rock-chips.com>
+Date: Wed, 17 May 2017 17:52:24 +0800
+Subject: ARM: dts: rockchip: fix rk322x i2s1 pinctrl error
+
+From: Sugar Zhang <sugar.zhang@rock-chips.com>
+
+
+[ Upstream commit 9d420e9b4140f8938ad6aa0d29e2428a2af6122b ]
+
+Refer to Chapter 5.3.2 of rk3229 TRM, we can see that GPIO1A[2,4,5]
+using RK_FUNC_2 not RK_FUNC_1. This patch fixes it.
+
+Signed-off-by: Sugar Zhang <sugar.zhang@rock-chips.com>
+Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/rk322x.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm/boot/dts/rk322x.dtsi
++++ b/arch/arm/boot/dts/rk322x.dtsi
+@@ -617,9 +617,9 @@
+ <0 12 RK_FUNC_1 &pcfg_pull_none>,
+ <0 13 RK_FUNC_1 &pcfg_pull_none>,
+ <0 14 RK_FUNC_1 &pcfg_pull_none>,
+- <1 2 RK_FUNC_1 &pcfg_pull_none>,
+- <1 4 RK_FUNC_1 &pcfg_pull_none>,
+- <1 5 RK_FUNC_1 &pcfg_pull_none>;
++ <1 2 RK_FUNC_2 &pcfg_pull_none>,
++ <1 4 RK_FUNC_2 &pcfg_pull_none>,
++ <1 5 RK_FUNC_2 &pcfg_pull_none>;
+ };
+ };
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Leonard Crestez <leonard.crestez@nxp.com>
+Date: Tue, 6 Jun 2017 20:50:42 +0300
+Subject: ARM: imx: Add MXC_CPU_IMX6ULL and cpu_is_imx6ull
+
+From: Leonard Crestez <leonard.crestez@nxp.com>
+
+
+[ Upstream commit b3ea575770c7eeb259c77b6861cd14d00eb309df ]
+
+Support for imx6ull is already present but it's based on
+of_machine_is_compatible("fsl,imx6ull") checks. Add it to the MXC_CPU_*
+enumeration as well.
+
+This also fixes /sys/devices/soc0/soc_id reading "Unknown".
+
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-imx/cpu.c | 3 +++
+ arch/arm/mach-imx/mxc.h | 6 ++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/arch/arm/mach-imx/cpu.c
++++ b/arch/arm/mach-imx/cpu.c
+@@ -131,6 +131,9 @@ struct device * __init imx_soc_device_in
+ case MXC_CPU_IMX6UL:
+ soc_id = "i.MX6UL";
+ break;
++ case MXC_CPU_IMX6ULL:
++ soc_id = "i.MX6ULL";
++ break;
+ case MXC_CPU_IMX7D:
+ soc_id = "i.MX7D";
+ break;
+--- a/arch/arm/mach-imx/mxc.h
++++ b/arch/arm/mach-imx/mxc.h
+@@ -39,6 +39,7 @@
+ #define MXC_CPU_IMX6SX 0x62
+ #define MXC_CPU_IMX6Q 0x63
+ #define MXC_CPU_IMX6UL 0x64
++#define MXC_CPU_IMX6ULL 0x65
+ #define MXC_CPU_IMX7D 0x72
+
+ #define IMX_DDR_TYPE_LPDDR2 1
+@@ -73,6 +74,11 @@ static inline bool cpu_is_imx6ul(void)
+ return __mxc_cpu_type == MXC_CPU_IMX6UL;
+ }
+
++static inline bool cpu_is_imx6ull(void)
++{
++ return __mxc_cpu_type == MXC_CPU_IMX6ULL;
++}
++
+ static inline bool cpu_is_imx6q(void)
+ {
+ return __mxc_cpu_type == MXC_CPU_IMX6Q;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Will Deacon <will.deacon@arm.com>
+Date: Wed, 5 Apr 2017 11:14:05 +0100
+Subject: arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT usage
+
+From: Will Deacon <will.deacon@arm.com>
+
+
+[ Upstream commit 5f16a046f8e144c294ef98cd29d9458b5f8273e5 ]
+
+FUTEX_OP_OPARG_SHIFT instructs the futex code to treat the 12-bit oparg
+field as a shift value, potentially leading to a left shift value that
+is negative or with an absolute value that is significantly larger then
+the size of the type. UBSAN chokes with:
+
+================================================================================
+UBSAN: Undefined behaviour in ./arch/arm64/include/asm/futex.h:60:13
+shift exponent -1 is negative
+CPU: 1 PID: 1449 Comm: syz-executor0 Not tainted 4.11.0-rc4-00005-g977eb52-dirty #11
+Hardware name: linux,dummy-virt (DT)
+Call trace:
+[<ffff200008094778>] dump_backtrace+0x0/0x538 arch/arm64/kernel/traps.c:73
+[<ffff200008094cd0>] show_stack+0x20/0x30 arch/arm64/kernel/traps.c:228
+[<ffff200008c194a8>] __dump_stack lib/dump_stack.c:16 [inline]
+[<ffff200008c194a8>] dump_stack+0x120/0x188 lib/dump_stack.c:52
+[<ffff200008cc24b8>] ubsan_epilogue+0x18/0x98 lib/ubsan.c:164
+[<ffff200008cc3098>] __ubsan_handle_shift_out_of_bounds+0x250/0x294 lib/ubsan.c:421
+[<ffff20000832002c>] futex_atomic_op_inuser arch/arm64/include/asm/futex.h:60 [inline]
+[<ffff20000832002c>] futex_wake_op kernel/futex.c:1489 [inline]
+[<ffff20000832002c>] do_futex+0x137c/0x1740 kernel/futex.c:3231
+[<ffff200008320504>] SYSC_futex kernel/futex.c:3281 [inline]
+[<ffff200008320504>] SyS_futex+0x114/0x268 kernel/futex.c:3249
+[<ffff200008084770>] el0_svc_naked+0x24/0x28
+================================================================================
+syz-executor1 uses obsolete (PF_INET,SOCK_PACKET)
+sock: process `syz-executor0' is using obsolete setsockopt SO_BSDCOMPAT
+
+This patch attempts to fix some of this by:
+
+ * Making encoded_op an unsigned type, so we can shift it left even if
+ the top bit is set.
+
+ * Casting to signed prior to shifting right when extracting oparg
+ and cmparg
+
+ * Consider only the bottom 5 bits of oparg when using it as a left-shift
+ value.
+
+Whilst I think this catches all of the issues, I'd much prefer to remove
+this stuff, as I think it's unused and the bugs are copy-pasted between
+a bunch of architectures.
+
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/futex.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/include/asm/futex.h
++++ b/arch/arm64/include/asm/futex.h
+@@ -51,16 +51,16 @@
+ : "memory")
+
+ static inline int
+-futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
++futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr)
+ {
+ int op = (encoded_op >> 28) & 7;
+ int cmp = (encoded_op >> 24) & 15;
+- int oparg = (encoded_op << 8) >> 20;
+- int cmparg = (encoded_op << 20) >> 20;
++ int oparg = (int)(encoded_op << 8) >> 20;
++ int cmparg = (int)(encoded_op << 20) >> 20;
+ int oldval = 0, ret, tmp;
+
+ if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
+- oparg = 1 << oparg;
++ oparg = 1U << (oparg & 0x1f);
+
+ if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+ return -EFAULT;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Fri, 19 May 2017 16:42:00 +0100
+Subject: arm64: kernel: restrict /dev/mem read() calls to linear region
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+
+[ Upstream commit 1151f838cb626005f4d69bf675dacaaa5ea909d6 ]
+
+When running lscpu on an AArch64 system that has SMBIOS version 2.0
+tables, it will segfault in the following way:
+
+ Unable to handle kernel paging request at virtual address ffff8000bfff0000
+ pgd = ffff8000f9615000
+ [ffff8000bfff0000] *pgd=0000000000000000
+ Internal error: Oops: 96000007 [#1] PREEMPT SMP
+ Modules linked in:
+ CPU: 0 PID: 1284 Comm: lscpu Not tainted 4.11.0-rc3+ #103
+ Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
+ task: ffff8000fa78e800 task.stack: ffff8000f9780000
+ PC is at __arch_copy_to_user+0x90/0x220
+ LR is at read_mem+0xcc/0x140
+
+This is caused by the fact that lspci issues a read() on /dev/mem at the
+offset where it expects to find the SMBIOS structure array. However, this
+region is classified as EFI_RUNTIME_SERVICE_DATA (as per the UEFI spec),
+and so it is omitted from the linear mapping.
+
+So let's restrict /dev/mem read/write access to those areas that are
+covered by the linear region.
+
+Reported-by: Alexander Graf <agraf@suse.de>
+Fixes: 4dffbfc48d65 ("arm64/efi: mark UEFI reserved regions as MEMBLOCK_NOMAP")
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/mmap.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/arch/arm64/mm/mmap.c
++++ b/arch/arm64/mm/mmap.c
+@@ -18,6 +18,7 @@
+
+ #include <linux/elf.h>
+ #include <linux/fs.h>
++#include <linux/memblock.h>
+ #include <linux/mm.h>
+ #include <linux/mman.h>
+ #include <linux/export.h>
+@@ -102,12 +103,18 @@ void arch_pick_mmap_layout(struct mm_str
+ */
+ int valid_phys_addr_range(phys_addr_t addr, size_t size)
+ {
+- if (addr < PHYS_OFFSET)
+- return 0;
+- if (addr + size > __pa(high_memory - 1) + 1)
+- return 0;
+-
+- return 1;
++ /*
++ * Check whether addr is covered by a memory region without the
++ * MEMBLOCK_NOMAP attribute, and whether that region covers the
++ * entire range. In theory, this could lead to false negatives
++ * if the range is covered by distinct but adjacent memory regions
++ * that only differ in other attributes. However, few of such
++ * attributes have been defined, and it is debatable whether it
++ * follows that /dev/mem read() calls should be able traverse
++ * such boundaries.
++ */
++ return memblock_is_region_memory(addr, size) &&
++ memblock_is_map_memory(addr);
+ }
+
+ /*
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Timmy Li <lixiaoping3@huawei.com>
+Date: Mon, 22 May 2017 16:48:28 +0100
+Subject: ARM64: PCI: Fix struct acpi_pci_root_ops allocation failure path
+
+From: Timmy Li <lixiaoping3@huawei.com>
+
+
+[ Upstream commit 717902cc93118119a6fce7765da6cf2786987418 ]
+
+Commit 093d24a20442 ("arm64: PCI: Manage controller-specific data on
+per-controller basis") added code to allocate ACPI PCI root_ops
+dynamically on a per host bridge basis but failed to update the
+corresponding memory allocation failure path in pci_acpi_scan_root()
+leading to a potential memory leakage.
+
+Fix it by adding the required kfree call.
+
+Fixes: 093d24a20442 ("arm64: PCI: Manage controller-specific data on per-controller basis")
+Reviewed-by: Tomasz Nowicki <tn@semihalf.com>
+Signed-off-by: Timmy Li <lixiaoping3@huawei.com>
+[lorenzo.pieralisi@arm.com: refactored code, rewrote commit log]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+CC: Will Deacon <will.deacon@arm.com>
+CC: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/pci.c
++++ b/arch/arm64/kernel/pci.c
+@@ -175,8 +175,10 @@ struct pci_bus *pci_acpi_scan_root(struc
+ return NULL;
+
+ root_ops = kzalloc_node(sizeof(*root_ops), GFP_KERNEL, node);
+- if (!root_ops)
++ if (!root_ops) {
++ kfree(ri);
+ return NULL;
++ }
+
+ ri->cfg = pci_acpi_setup_ecam_mapping(root);
+ if (!ri->cfg) {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Ganapatrao Kulkarni <ganapatrao.kulkarni@cavium.com>
+Date: Tue, 2 May 2017 21:59:34 +0530
+Subject: arm64: perf: Ignore exclude_hv when kernel is running in HYP
+
+From: Ganapatrao Kulkarni <ganapatrao.kulkarni@cavium.com>
+
+
+[ Upstream commit 78a19cfdf37d19002c83c8790853c1cc10feccdc ]
+
+commit d98ecdaca296 ("arm64: perf: Count EL2 events if the kernel is
+running in HYP") returns -EINVAL when perf system call perf_event_open is
+called with exclude_hv != exclude_kernel. This change breaks applications
+on VHE enabled ARMv8.1 platforms. The issue was observed with HHVM
+application, which calls perf_event_open with exclude_hv = 1 and
+exclude_kernel = 0.
+
+There is no separate hypervisor privilege level when VHE is enabled, the
+host kernel runs at EL2. So when VHE is enabled, we should ignore
+exclude_hv from the application. This behaviour is consistent with PowerPC
+where the exclude_hv is ignored when the hypervisor is not present and with
+x86 where this flag is ignored.
+
+Signed-off-by: Ganapatrao Kulkarni <ganapatrao.kulkarni@cavium.com>
+[will: added comment to justify the behaviour of exclude_hv]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/perf_event.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/arch/arm64/kernel/perf_event.c
++++ b/arch/arm64/kernel/perf_event.c
+@@ -871,15 +871,24 @@ static int armv8pmu_set_event_filter(str
+
+ if (attr->exclude_idle)
+ return -EPERM;
+- if (is_kernel_in_hyp_mode() &&
+- attr->exclude_kernel != attr->exclude_hv)
+- return -EINVAL;
++
++ /*
++ * If we're running in hyp mode, then we *are* the hypervisor.
++ * Therefore we ignore exclude_hv in this configuration, since
++ * there's no hypervisor to sample anyway. This is consistent
++ * with other architectures (x86 and Power).
++ */
++ if (is_kernel_in_hyp_mode()) {
++ if (!attr->exclude_kernel)
++ config_base |= ARMV8_PMU_INCLUDE_EL2;
++ } else {
++ if (attr->exclude_kernel)
++ config_base |= ARMV8_PMU_EXCLUDE_EL1;
++ if (!attr->exclude_hv)
++ config_base |= ARMV8_PMU_INCLUDE_EL2;
++ }
+ if (attr->exclude_user)
+ config_base |= ARMV8_PMU_EXCLUDE_EL0;
+- if (!is_kernel_in_hyp_mode() && attr->exclude_kernel)
+- config_base |= ARMV8_PMU_EXCLUDE_EL1;
+- if (!attr->exclude_hv)
+- config_base |= ARMV8_PMU_INCLUDE_EL2;
+
+ /*
+ * Install the filter into config_base as this is used to
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Ihar Hrachyshka <ihrachys@redhat.com>
+Date: Tue, 16 May 2017 07:53:43 -0700
+Subject: arp: honour gratuitous ARP _replies_
+
+From: Ihar Hrachyshka <ihrachys@redhat.com>
+
+
+[ Upstream commit 23d268eb240954e6e78f7cfab04f2b1e79f84489 ]
+
+When arp_accept is 1, gratuitous ARPs are supposed to override matching
+entries irrespective of whether they arrive during locktime. This was
+implemented in commit 56022a8fdd87 ("ipv4: arp: update neighbour address
+when a gratuitous arp is received and arp_accept is set")
+
+There is a glitch in the patch though. RFC 2002, section 4.6, "ARP,
+Proxy ARP, and Gratuitous ARP", defines gratuitous ARPs so that they can
+be either of Request or Reply type. Those Reply gratuitous ARPs can be
+triggered with standard tooling, for example, arping -A option does just
+that.
+
+This patch fixes the glitch, making both Request and Reply flavours of
+gratuitous ARPs to behave identically.
+
+As per RFC, if gratuitous ARPs are of Reply type, their Target Hardware
+Address field should also be set to the link-layer address to which this
+cache entry should be updated. The field is present in ARP over Ethernet
+but not in IEEE 1394. In this patch, I don't consider any broadcasted
+ARP replies as gratuitous if the field is not present, to conform the
+standard. It's not clear whether there is such a thing for IEEE 1394 as
+a gratuitous ARP reply; until it's cleared up, we will ignore such
+broadcasts. Note that they will still update existing ARP cache entries,
+assuming they arrive out of locktime time interval.
+
+Signed-off-by: Ihar Hrachyshka <ihrachys@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/arp.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/arp.c
++++ b/net/ipv4/arp.c
+@@ -658,6 +658,7 @@ static int arp_process(struct net *net,
+ unsigned char *arp_ptr;
+ struct rtable *rt;
+ unsigned char *sha;
++ unsigned char *tha = NULL;
+ __be32 sip, tip;
+ u16 dev_type = dev->type;
+ int addr_type;
+@@ -729,6 +730,7 @@ static int arp_process(struct net *net,
+ break;
+ #endif
+ default:
++ tha = arp_ptr;
+ arp_ptr += dev->addr_len;
+ }
+ memcpy(&tip, arp_ptr, 4);
+@@ -847,8 +849,18 @@ static int arp_process(struct net *net,
+ It is possible, that this option should be enabled for some
+ devices (strip is candidate)
+ */
+- is_garp = arp->ar_op == htons(ARPOP_REQUEST) && tip == sip &&
+- addr_type == RTN_UNICAST;
++ is_garp = tip == sip && addr_type == RTN_UNICAST;
++
++ /* Unsolicited ARP _replies_ also require target hwaddr to be
++ * the same as source.
++ */
++ if (is_garp && arp->ar_op == htons(ARPOP_REPLY))
++ is_garp =
++ /* IPv4 over IEEE 1394 doesn't provide target
++ * hardware address field in its ARP payload.
++ */
++ tha &&
++ !memcmp(tha, sha, dev->addr_len);
+
+ if (!n &&
+ ((arp->ar_op == htons(ARPOP_REPLY) &&
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 2 Jan 2018 19:53:14 +0100
+Subject: ASoC: Intel: cht_bsw_rt5645: Analog Mic support
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit b70b309950418437bbd2a30afd169c4f09dee3e5 ]
+
+Various Cherry Trail boards with a rt5645 codec have an analog mic
+connected to IN2P + IN2N. The mic on this boards also needs micbias to
+be enabled, on some boards micbias1 is used and on others micbias2, so
+we enable both.
+
+This commit adds a new "Int Analog Mic" DAPM widget for this, so that we
+do not end up enabling micbias on boards with a digital mic which uses
+the already present "Int Mic" widget. Some existing UCM files already
+refer to "Int Mic" for their "Internal Analog Microphones" SectionDevice,
+but these don't work anyways since they enable the RECMIX BST1 Switch
+instead of the BST2 switch.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/intel/boards/cht_bsw_rt5645.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/soc/intel/boards/cht_bsw_rt5645.c
++++ b/sound/soc/intel/boards/cht_bsw_rt5645.c
+@@ -111,6 +111,7 @@ static const struct snd_soc_dapm_widget
+ SND_SOC_DAPM_HP("Headphone", NULL),
+ SND_SOC_DAPM_MIC("Headset Mic", NULL),
+ SND_SOC_DAPM_MIC("Int Mic", NULL),
++ SND_SOC_DAPM_MIC("Int Analog Mic", NULL),
+ SND_SOC_DAPM_SPK("Ext Spk", NULL),
+ SND_SOC_DAPM_SUPPLY("Platform Clock", SND_SOC_NOPM, 0, 0,
+ platform_clock_control, SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD),
+@@ -121,6 +122,8 @@ static const struct snd_soc_dapm_route c
+ {"IN1N", NULL, "Headset Mic"},
+ {"DMIC L1", NULL, "Int Mic"},
+ {"DMIC R1", NULL, "Int Mic"},
++ {"IN2P", NULL, "Int Analog Mic"},
++ {"IN2N", NULL, "Int Analog Mic"},
+ {"Headphone", NULL, "HPOL"},
+ {"Headphone", NULL, "HPOR"},
+ {"Ext Spk", NULL, "SPOL"},
+@@ -134,6 +137,9 @@ static const struct snd_soc_dapm_route c
+ {"Headphone", NULL, "Platform Clock"},
+ {"Headset Mic", NULL, "Platform Clock"},
+ {"Int Mic", NULL, "Platform Clock"},
++ {"Int Analog Mic", NULL, "Platform Clock"},
++ {"Int Analog Mic", NULL, "micbias1"},
++ {"Int Analog Mic", NULL, "micbias2"},
+ {"Ext Spk", NULL, "Platform Clock"},
+ };
+
+@@ -162,6 +168,7 @@ static const struct snd_kcontrol_new cht
+ SOC_DAPM_PIN_SWITCH("Headphone"),
+ SOC_DAPM_PIN_SWITCH("Headset Mic"),
+ SOC_DAPM_PIN_SWITCH("Int Mic"),
++ SOC_DAPM_PIN_SWITCH("Int Analog Mic"),
+ SOC_DAPM_PIN_SWITCH("Ext Spk"),
+ };
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Pardha Saradhi K <pardha.saradhi.kesapragada@intel.com>
+Date: Tue, 2 Jan 2018 14:59:57 +0530
+Subject: ASoC: Intel: Skylake: Disable clock gating during firmware and library download
+
+From: Pardha Saradhi K <pardha.saradhi.kesapragada@intel.com>
+
+
+[ Upstream commit d5cc0a1fcbb5ddbef9fdd4c4a978da3254ddbf37 ]
+
+During firmware and library download, sometimes it is observed that
+firmware and library download is timed-out resulting into probe failure.
+
+This patch disables dynamic clock gating while firmware and library
+download.
+
+Signed-off-by: Pardha Saradhi K <pardha.saradhi.kesapragada@intel.com>
+Signed-off-by: Sanyog Kale <sanyog.r.kale@intel.com>
+Signed-off-by: Guneshwor Singh <guneshwor.o.singh@intel.com>
+Acked-By: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/intel/skylake/skl-messages.c | 4 ++++
+ sound/soc/intel/skylake/skl-pcm.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/sound/soc/intel/skylake/skl-messages.c
++++ b/sound/soc/intel/skylake/skl-messages.c
+@@ -331,7 +331,11 @@ int skl_resume_dsp(struct skl *skl)
+ if (skl->skl_sst->is_first_boot == true)
+ return 0;
+
++ /* disable dynamic clock gating during fw and lib download */
++ ctx->enable_miscbdcge(ctx->dev, false);
++
+ ret = skl_dsp_wake(ctx->dsp);
++ ctx->enable_miscbdcge(ctx->dev, true);
+ if (ret < 0)
+ return ret;
+
+--- a/sound/soc/intel/skylake/skl-pcm.c
++++ b/sound/soc/intel/skylake/skl-pcm.c
+@@ -1191,7 +1191,11 @@ static int skl_platform_soc_probe(struct
+ return -EIO;
+ }
+
++ /* disable dynamic clock gating during fw and lib download */
++ skl->skl_sst->enable_miscbdcge(platform->dev, false);
++
+ ret = ops->init_fw(platform->dev, skl->skl_sst);
++ skl->skl_sst->enable_miscbdcge(platform->dev, true);
+ if (ret < 0) {
+ dev_err(platform->dev, "Failed to boot first fw: %d\n", ret);
+ return ret;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sat, 6 Jan 2018 21:18:24 +0100
+Subject: ASoC: Intel: sst: Fix the return value of 'sst_send_byte_stream_mrfld()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit eaadb1caa966a91128297b754e90b7c92b350a00 ]
+
+In some error handling paths, an error code is assiegned to 'ret'.
+However, the function always return 0.
+
+Fix it and return the error code if such an error paths is taken.
+
+Fixes: 3d9ff34622ba ("ASoC: Intel: sst: add stream operations")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/intel/atom/sst/sst_stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/intel/atom/sst/sst_stream.c
++++ b/sound/soc/intel/atom/sst/sst_stream.c
+@@ -221,7 +221,7 @@ int sst_send_byte_stream_mrfld(struct in
+ sst_free_block(sst_drv_ctx, block);
+ out:
+ test_and_clear_bit(pvt_id, &sst_drv_ctx->pvt_id);
+- return 0;
++ return ret;
+ }
+
+ /*
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Date: Wed, 24 May 2017 01:17:10 +0000
+Subject: ASoC: rsnd: SSI PIO adjust to 24bit mode
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+
+[ Upstream commit 7819a942de7b993771bd9377babc80485fe7606b ]
+
+commit 90431eb49bff ("ASoC: rsnd: don't use PDTA bit for 24bit on SSI")
+fixups 24bit mode data alignment, but PIO was not cared.
+This patch fixes PIO mode 24bit data alignment
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sh/rcar/ssi.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/sh/rcar/ssi.c
++++ b/sound/soc/sh/rcar/ssi.c
+@@ -552,6 +552,13 @@ static void __rsnd_ssi_interrupt(struct
+ struct snd_pcm_runtime *runtime = rsnd_io_to_runtime(io);
+ u32 *buf = (u32 *)(runtime->dma_area +
+ rsnd_dai_pointer_offset(io, 0));
++ int shift = 0;
++
++ switch (runtime->sample_bits) {
++ case 32:
++ shift = 8;
++ break;
++ }
+
+ /*
+ * 8/16/32 data can be assesse to TDR/RDR register
+@@ -559,9 +566,9 @@ static void __rsnd_ssi_interrupt(struct
+ * see rsnd_ssi_init()
+ */
+ if (rsnd_io_is_play(io))
+- rsnd_mod_write(mod, SSITDR, *buf);
++ rsnd_mod_write(mod, SSITDR, (*buf) << shift);
+ else
+- *buf = rsnd_mod_read(mod, SSIRDR);
++ *buf = (rsnd_mod_read(mod, SSIRDR) >> shift);
+
+ elapsed = rsnd_dai_pointer_update(io, sizeof(*buf));
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Stefan Agner <stefan@agner.ch>
+Date: Mon, 15 May 2017 14:00:31 -0700
+Subject: ASoC: simple-card: fix mic jack initialization
+
+From: Stefan Agner <stefan@agner.ch>
+
+
+[ Upstream commit f746aa5e8636c83e53bbb2d988bb614f732b2b80 ]
+
+Initialize asoc_simple_card_init_mic with the correct struct
+asoc_simple_jack.
+
+Fixes: 9eac361877b3 ("ASoC: simple-card: add new asoc_simple_jack and use it")
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/generic/simple-card.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/generic/simple-card.c
++++ b/sound/soc/generic/simple-card.c
+@@ -201,7 +201,7 @@ static int asoc_simple_card_dai_init(str
+ if (ret < 0)
+ return ret;
+
+- ret = asoc_simple_card_init_mic(rtd->card, &priv->hp_jack, PREFIX);
++ ret = asoc_simple_card_init_mic(rtd->card, &priv->mic_jack, PREFIX);
+ if (ret < 0)
+ return ret;
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Anup Patel <anup.patel@broadcom.com>
+Date: Mon, 15 May 2017 10:34:53 +0530
+Subject: async_tx: Fix DMA_PREP_FENCE usage in do_async_gen_syndrome()
+
+From: Anup Patel <anup.patel@broadcom.com>
+
+
+[ Upstream commit baae03a0e2497f49704628fd0aaf993cf98e1b99 ]
+
+The DMA_PREP_FENCE is to be used when preparing Tx descriptor if output
+of Tx descriptor is to be used by next/dependent Tx descriptor.
+
+The DMA_PREP_FENSE will not be set correctly in do_async_gen_syndrome()
+when calling dma->device_prep_dma_pq() under following conditions:
+1. ASYNC_TX_FENCE not set in submit->flags
+2. DMA_PREP_FENCE not set in dma_flags
+3. src_cnt (= (disks - 2)) is greater than dma_maxpq(dma, dma_flags)
+
+This patch fixes DMA_PREP_FENCE usage in do_async_gen_syndrome() taking
+inspiration from do_async_xor() implementation.
+
+Signed-off-by: Anup Patel <anup.patel@broadcom.com>
+Reviewed-by: Ray Jui <ray.jui@broadcom.com>
+Reviewed-by: Scott Branden <scott.branden@broadcom.com>
+Acked-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/async_tx/async_pq.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/crypto/async_tx/async_pq.c
++++ b/crypto/async_tx/async_pq.c
+@@ -62,9 +62,6 @@ do_async_gen_syndrome(struct dma_chan *c
+ dma_addr_t dma_dest[2];
+ int src_off = 0;
+
+- if (submit->flags & ASYNC_TX_FENCE)
+- dma_flags |= DMA_PREP_FENCE;
+-
+ while (src_cnt > 0) {
+ submit->flags = flags_orig;
+ pq_src_cnt = min(src_cnt, dma_maxpq(dma, dma_flags));
+@@ -83,6 +80,8 @@ do_async_gen_syndrome(struct dma_chan *c
+ if (cb_fn_orig)
+ dma_flags |= DMA_PREP_INTERRUPT;
+ }
++ if (submit->flags & ASYNC_TX_FENCE)
++ dma_flags |= DMA_PREP_FENCE;
+
+ /* Drivers force forward progress in case they can not provide
+ * a descriptor
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Tue, 16 May 2017 14:06:12 +0200
+Subject: ata: libahci: properly propagate return value of platform_get_irq()
+
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+
+[ Upstream commit c034640a32f8456018d9c8c83799ead683046b95 ]
+
+When platform_get_irq() fails, it returns an error code, which
+libahci_platform and replaces it by -EINVAL. This commit fixes that by
+propagating the error code. It fixes the situation where
+platform_get_irq() returns -EPROBE_DEFER because the interrupt
+controller is not available yet, and generally looks like the right
+thing to do.
+
+We pay attention to not show the "no irq" message when we are in an
+EPROBE_DEFER situation, because the driver probing will be retried
+later on, once the interrupt controller becomes available to provide
+the interrupt.
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libahci_platform.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libahci_platform.c
++++ b/drivers/ata/libahci_platform.c
+@@ -514,8 +514,9 @@ int ahci_platform_init_host(struct platf
+
+ irq = platform_get_irq(pdev, 0);
+ if (irq <= 0) {
+- dev_err(dev, "no irq\n");
+- return -EINVAL;
++ if (irq != -EPROBE_DEFER)
++ dev_err(dev, "no irq\n");
++ return irq;
+ }
+
+ hpriv->irq = irq;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Anilkumar Kolli <akolli@qti.qualcomm.com>
+Date: Wed, 31 May 2017 14:21:27 +0300
+Subject: ath10k: add BMI parameters to fix calibration from DT/pre-cal
+
+From: Anilkumar Kolli <akolli@qti.qualcomm.com>
+
+
+[ Upstream commit a9f5f287fa1d47d61dfa8b60f94831174b2ea4d0 ]
+
+QCA99X0, QCA9888, QCA9984 supports calibration data in
+either OTP or DT/pre-cal file. Current ath10k supports
+Calibration data from OTP only.
+
+If caldata is loaded from DT/pre-cal file, fetching board id
+and applying calibration parameters like tx power gets failed.
+
+error log:
+[ 15.733663] ath10k_pci 0000:01:00.0: failed to fetch board file: -2
+[ 15.741474] ath10k_pci 0000:01:00.0: could not probe fw (-2)
+
+This patch adds calibration data support from DT/pre-cal
+file. Below parameters are used to get board id and
+applying calibration parameters from cal data.
+
+ EEPROM[OTP] FLASH[DT/pre-cal file]
+Cal param 0x700 0x10000
+Board id 0x10 0x8000
+
+Tested on QCA9888 with pre-cal file.
+
+Signed-off-by: Anilkumar Kolli <akolli@qti.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/bmi.h | 2 ++
+ drivers/net/wireless/ath/ath10k/core.c | 16 +++++++++++++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/bmi.h
++++ b/drivers/net/wireless/ath/ath10k/bmi.h
+@@ -83,6 +83,8 @@ enum bmi_cmd_id {
+ #define BMI_NVRAM_SEG_NAME_SZ 16
+
+ #define BMI_PARAM_GET_EEPROM_BOARD_ID 0x10
++#define BMI_PARAM_GET_FLASH_BOARD_ID 0x8000
++#define BMI_PARAM_FLASH_SECTION_ALL 0x10000
+
+ #define ATH10K_BMI_BOARD_ID_FROM_OTP_MASK 0x7c00
+ #define ATH10K_BMI_BOARD_ID_FROM_OTP_LSB 10
+--- a/drivers/net/wireless/ath/ath10k/core.c
++++ b/drivers/net/wireless/ath/ath10k/core.c
+@@ -652,7 +652,7 @@ static int ath10k_core_get_board_id_from
+ {
+ u32 result, address;
+ u8 board_id, chip_id;
+- int ret;
++ int ret, bmi_board_id_param;
+
+ address = ar->hw_params.patch_load_addr;
+
+@@ -676,8 +676,13 @@ static int ath10k_core_get_board_id_from
+ return ret;
+ }
+
+- ret = ath10k_bmi_execute(ar, address, BMI_PARAM_GET_EEPROM_BOARD_ID,
+- &result);
++ if (ar->cal_mode == ATH10K_PRE_CAL_MODE_DT ||
++ ar->cal_mode == ATH10K_PRE_CAL_MODE_FILE)
++ bmi_board_id_param = BMI_PARAM_GET_FLASH_BOARD_ID;
++ else
++ bmi_board_id_param = BMI_PARAM_GET_EEPROM_BOARD_ID;
++
++ ret = ath10k_bmi_execute(ar, address, bmi_board_id_param, &result);
+ if (ret) {
+ ath10k_err(ar, "could not execute otp for board id check: %d\n",
+ ret);
+@@ -739,6 +744,11 @@ static int ath10k_download_and_run_otp(s
+ return ret;
+ }
+
++ /* As of now pre-cal is valid for 10_4 variants */
++ if (ar->cal_mode == ATH10K_PRE_CAL_MODE_DT ||
++ ar->cal_mode == ATH10K_PRE_CAL_MODE_FILE)
++ bmi_otp_exe_param = BMI_PARAM_FLASH_SECTION_ALL;
++
+ ret = ath10k_bmi_execute(ar, address, bmi_otp_exe_param, &result);
+ if (ret) {
+ ath10k_err(ar, "could not execute otp (%d)\n", ret);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 3 May 2017 15:26:00 +0100
+Subject: ath5k: fix memory leak on buf on failed eeprom read
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit 8fed6823e06e43ee9cf7c0ffecec2f9111ce6201 ]
+
+The AR5K_EEPROM_READ macro returns with -EIO if a read error
+occurs causing a memory leak on the allocated buffer buf. Fix
+this by explicitly calling ath5k_hw_nvram_read and exiting on
+the via the freebuf label that performs the necessary free'ing
+of buf when a read error occurs.
+
+Detected by CoverityScan, CID#1248782 ("Resource Leak")
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath5k/debug.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath5k/debug.c
++++ b/drivers/net/wireless/ath/ath5k/debug.c
+@@ -939,7 +939,10 @@ static int open_file_eeprom(struct inode
+ }
+
+ for (i = 0; i < eesize; ++i) {
+- AR5K_EEPROM_READ(i, val);
++ if (!ath5k_hw_nvram_read(ah, i, &val)) {
++ ret = -EIO;
++ goto freebuf;
++ }
+ buf[i] = val;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Date: Wed, 17 May 2017 21:55:07 +0100
+Subject: backlight: Report error on failure
+
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+
+
+[ Upstream commit 7e715c2d9c27c23f3187454157c58cf292ed103e ]
+
+It is possible to update the backlight power and the brightness using
+the sysfs and on writing it either returns the count or if the callback
+function does not exist then returns the error code 'ENXIO'.
+
+We have a situation where the userspace client is writing to the sysfs
+to update the power and since the callback function exists the client
+receives the return value as count and considers the operation to be
+successful. That is correct as the write to the sysfs was successful.
+But there is no way to know if the actual operation was done or not.
+
+backlight_update_status() returns the error code if it fails. Pass that
+to the userspace client who is trying to update the power so that the
+client knows that the operation failed.
+
+Signed-off-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/backlight/backlight.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/video/backlight/backlight.c
++++ b/drivers/video/backlight/backlight.c
+@@ -134,7 +134,7 @@ static ssize_t bl_power_store(struct dev
+ {
+ int rc;
+ struct backlight_device *bd = to_backlight_device(dev);
+- unsigned long power;
++ unsigned long power, old_power;
+
+ rc = kstrtoul(buf, 0, &power);
+ if (rc)
+@@ -145,10 +145,16 @@ static ssize_t bl_power_store(struct dev
+ if (bd->ops) {
+ pr_debug("set power to %lu\n", power);
+ if (bd->props.power != power) {
++ old_power = bd->props.power;
+ bd->props.power = power;
+- backlight_update_status(bd);
++ rc = backlight_update_status(bd);
++ if (rc)
++ bd->props.power = old_power;
++ else
++ rc = count;
++ } else {
++ rc = count;
+ }
+- rc = count;
+ }
+ mutex_unlock(&bd->ops_lock);
+
+@@ -176,8 +182,7 @@ int backlight_device_set_brightness(stru
+ else {
+ pr_debug("set brightness to %lu\n", brightness);
+ bd->props.brightness = brightness;
+- backlight_update_status(bd);
+- rc = 0;
++ rc = backlight_update_status(bd);
+ }
+ }
+ mutex_unlock(&bd->ops_lock);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Robert Jarzmik <robert.jarzmik@free.fr>
+Date: Thu, 28 Dec 2017 09:27:41 +0100
+Subject: backlight: tdo24m: Fix the SPI CS between transfers
+
+From: Robert Jarzmik <robert.jarzmik@free.fr>
+
+
+[ Upstream commit 2023b0524a6310e9ea80daf085f51c71bff9289f ]
+
+Currently the LCD display (TD035S) on the cm-x300 platform is broken and
+remains blank.
+
+The TD0245S specification requires that the chipselect is toggled
+between commands sent to the panel. This was also the purpose of the
+former patch of commit f64dcac0b124 ("backlight: tdo24m: ensure chip
+select changes between transfers").
+
+Unfortunately, the "cs_change" field of a SPI transfer is
+misleading. Its true meaning is that for a SPI message holding multiple
+transfers, the chip select is toggled between each transfer, but for the
+last transfer it remains asserted.
+
+In this driver, all the SPI messages contain exactly one transfer, which
+means that each transfer is the last of its message, and as a
+consequence the chip select is never toggled.
+
+Actually, there was a second bug hidding the first one, hence the
+problem was not seen until v4.6. This problem was fixed by commit
+a52db659c79c ("spi: pxa2xx: Fix cs_change management") for PXA based
+boards.
+
+This fix makes the TD035S work again on a cm-x300 board. The same
+applies to other PXA boards, ie. corgi and tosa.
+
+Fixes: a52db659c79c ("spi: pxa2xx: Fix cs_change management")
+Reported-by: Andrea Adami <andrea.adami@gmail.com>
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/backlight/corgi_lcd.c | 2 +-
+ drivers/video/backlight/tdo24m.c | 2 +-
+ drivers/video/backlight/tosa_lcd.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/video/backlight/corgi_lcd.c
++++ b/drivers/video/backlight/corgi_lcd.c
+@@ -177,7 +177,7 @@ static int corgi_ssp_lcdtg_send(struct c
+ struct spi_message msg;
+ struct spi_transfer xfer = {
+ .len = 1,
+- .cs_change = 1,
++ .cs_change = 0,
+ .tx_buf = lcd->buf,
+ };
+
+--- a/drivers/video/backlight/tdo24m.c
++++ b/drivers/video/backlight/tdo24m.c
+@@ -369,7 +369,7 @@ static int tdo24m_probe(struct spi_devic
+
+ spi_message_init(m);
+
+- x->cs_change = 1;
++ x->cs_change = 0;
+ x->tx_buf = &lcd->buf[0];
+ spi_message_add_tail(x, m);
+
+--- a/drivers/video/backlight/tosa_lcd.c
++++ b/drivers/video/backlight/tosa_lcd.c
+@@ -49,7 +49,7 @@ static int tosa_tg_send(struct spi_devic
+ struct spi_message msg;
+ struct spi_transfer xfer = {
+ .len = 1,
+- .cs_change = 1,
++ .cs_change = 0,
+ .tx_buf = buf,
+ };
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Tang Junhui <tang.junhui@zte.com.cn>
+Date: Mon, 8 Jan 2018 12:21:21 -0800
+Subject: bcache: segregate flash only volume write streams
+
+From: Tang Junhui <tang.junhui@zte.com.cn>
+
+
+[ Upstream commit 4eca1cb28d8b0574ca4f1f48e9331c5f852d43b9 ]
+
+In such scenario that there are some flash only volumes
+, and some cached devices, when many tasks request these devices in
+writeback mode, the write IOs may fall to the same bucket as bellow:
+| cached data | flash data | cached data | cached data| flash data|
+then after writeback of these cached devices, the bucket would
+be like bellow bucket:
+| free | flash data | free | free | flash data |
+
+So, there are many free space in this bucket, but since data of flash
+only volumes still exists, so this bucket cannot be reclaimable,
+which would cause waste of bucket space.
+
+In this patch, we segregate flash only volume write streams from
+cached devices, so data from flash only volumes and cached devices
+can store in different buckets.
+
+Compare to v1 patch, this patch do not add a additionally open bucket
+list, and it is try best to segregate flash only volume write streams
+from cached devices, sectors of flash only volumes may still be mixed
+with dirty sectors of cached device, but the number is very small.
+
+[mlyle: fixed commit log formatting, permissions, line endings]
+
+Signed-off-by: Tang Junhui <tang.junhui@zte.com.cn>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Signed-off-by: Michael Lyle <mlyle@lyle.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/alloc.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/md/bcache/alloc.c
++++ b/drivers/md/bcache/alloc.c
+@@ -512,15 +512,21 @@ struct open_bucket {
+
+ /*
+ * We keep multiple buckets open for writes, and try to segregate different
+- * write streams for better cache utilization: first we look for a bucket where
+- * the last write to it was sequential with the current write, and failing that
+- * we look for a bucket that was last used by the same task.
++ * write streams for better cache utilization: first we try to segregate flash
++ * only volume write streams from cached devices, secondly we look for a bucket
++ * where the last write to it was sequential with the current write, and
++ * failing that we look for a bucket that was last used by the same task.
+ *
+ * The ideas is if you've got multiple tasks pulling data into the cache at the
+ * same time, you'll get better cache utilization if you try to segregate their
+ * data and preserve locality.
+ *
+- * For example, say you've starting Firefox at the same time you're copying a
++ * For example, dirty sectors of flash only volume is not reclaimable, if their
++ * dirty sectors mixed with dirty sectors of cached device, such buckets will
++ * be marked as dirty and won't be reclaimed, though the dirty data of cached
++ * device have been written back to backend device.
++ *
++ * And say you've starting Firefox at the same time you're copying a
+ * bunch of files. Firefox will likely end up being fairly hot and stay in the
+ * cache awhile, but the data you copied might not be; if you wrote all that
+ * data to the same buckets it'd get invalidated at the same time.
+@@ -537,7 +543,10 @@ static struct open_bucket *pick_data_buc
+ struct open_bucket *ret, *ret_task = NULL;
+
+ list_for_each_entry_reverse(ret, &c->data_buckets, list)
+- if (!bkey_cmp(&ret->key, search))
++ if (UUID_FLASH_ONLY(&c->uuids[KEY_INODE(&ret->key)]) !=
++ UUID_FLASH_ONLY(&c->uuids[KEY_INODE(search)]))
++ continue;
++ else if (!bkey_cmp(&ret->key, search))
+ goto found;
+ else if (ret->last_write_point == write_point)
+ ret_task = ret;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Tang Junhui <tang.junhui@zte.com.cn>
+Date: Mon, 8 Jan 2018 12:21:19 -0800
+Subject: bcache: stop writeback thread after detaching
+
+From: Tang Junhui <tang.junhui@zte.com.cn>
+
+
+[ Upstream commit 8d29c4426b9f8afaccf28de414fde8a722b35fdf ]
+
+Currently, when a cached device detaching from cache, writeback thread is
+not stopped, and writeback_rate_update work is not canceled. For example,
+after the following command:
+echo 1 >/sys/block/sdb/bcache/detach
+you can still see the writeback thread. Then you attach the device to the
+cache again, bcache will create another writeback thread, for example,
+after below command:
+echo ba0fb5cd-658a-4533-9806-6ce166d883b9 > /sys/block/sdb/bcache/attach
+then you will see 2 writeback threads.
+This patch stops writeback thread and cancels writeback_rate_update work
+when cached device detaching from cache.
+
+Compare with patch v1, this v2 patch moves code down into the register
+lock for safety in case of any future changes as Coly and Mike suggested.
+
+[edit by mlyle: commit log spelling/formatting]
+
+Signed-off-by: Tang Junhui <tang.junhui@zte.com.cn>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Signed-off-by: Michael Lyle <mlyle@lyle.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/super.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -892,6 +892,12 @@ static void cached_dev_detach_finish(str
+
+ mutex_lock(&bch_register_lock);
+
++ cancel_delayed_work_sync(&dc->writeback_rate_update);
++ if (!IS_ERR_OR_NULL(dc->writeback_thread)) {
++ kthread_stop(dc->writeback_thread);
++ dc->writeback_thread = NULL;
++ }
++
+ memset(&dc->sb.set_uuid, 0, 16);
+ SET_BDEV_STATE(&dc->sb, BDEV_STATE_NONE);
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+Date: Wed, 10 May 2017 19:20:44 +0400
+Subject: bio-integrity: Do not allocate integrity context for bio w/o data
+
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+
+
+[ Upstream commit 3116a23bb30272d74ea81baf5d0ee23f602dd15b ]
+
+If bio has no data, such as ones from blkdev_issue_flush(),
+then we have nothing to protect.
+
+This patch prevent bugon like follows:
+
+kfree_debugcheck: out of range ptr ac1fa1d106742a5ah
+kernel BUG at mm/slab.c:2773!
+invalid opcode: 0000 [#1] SMP
+Modules linked in: bcache
+CPU: 0 PID: 4428 Comm: xfs_io Tainted: G W 4.11.0-rc4-ext4-00041-g2ef0043-dirty #43
+Hardware name: Virtuozzo KVM, BIOS seabios-1.7.5-11.vz7.4 04/01/2014
+task: ffff880137786440 task.stack: ffffc90000ba8000
+RIP: 0010:kfree_debugcheck+0x25/0x2a
+RSP: 0018:ffffc90000babde0 EFLAGS: 00010082
+RAX: 0000000000000034 RBX: ac1fa1d106742a5a RCX: 0000000000000007
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88013f3ccb40
+RBP: ffffc90000babde8 R08: 0000000000000000 R09: 0000000000000000
+R10: 00000000fcb76420 R11: 00000000725172ed R12: 0000000000000282
+R13: ffffffff8150e766 R14: ffff88013a145e00 R15: 0000000000000001
+FS: 00007fb09384bf40(0000) GS:ffff88013f200000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fd0172f9e40 CR3: 0000000137fa9000 CR4: 00000000000006f0
+Call Trace:
+ kfree+0xc8/0x1b3
+ bio_integrity_free+0xc3/0x16b
+ bio_free+0x25/0x66
+ bio_put+0x14/0x26
+ blkdev_issue_flush+0x7a/0x85
+ blkdev_fsync+0x35/0x42
+ vfs_fsync_range+0x8e/0x9f
+ vfs_fsync+0x1c/0x1e
+ do_fsync+0x31/0x4a
+ SyS_fsync+0x10/0x14
+ entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/bio-integrity.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/block/bio-integrity.c
++++ b/block/bio-integrity.c
+@@ -175,6 +175,9 @@ bool bio_integrity_enabled(struct bio *b
+ if (!bio_is_rw(bio))
+ return false;
+
++ if (!bio_sectors(bio))
++ return false;
++
+ /* Already protected? */
+ if (bio_integrity(bio))
+ return false;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Ming Lei <ming.lei@redhat.com>
+Date: Tue, 9 Jan 2018 21:28:29 +0800
+Subject: blk-mq: fix kernel oops in blk_mq_tag_idle()
+
+From: Ming Lei <ming.lei@redhat.com>
+
+
+[ Upstream commit 8ab0b7dc73e1b3e2987d42554b2bff503f692772 ]
+
+HW queues may be unmapped in some cases, such as blk_mq_update_nr_hw_queues(),
+then we need to check it before calling blk_mq_tag_idle(), otherwise
+the following kernel oops can be triggered, so fix it by checking if
+the hw queue is unmapped since it doesn't make sense to idle the tags
+any more after hw queues are unmapped.
+
+[ 440.771298] Workqueue: nvme-wq nvme_rdma_del_ctrl_work [nvme_rdma]
+[ 440.779104] task: ffff894bae755ee0 ti: ffff893bf9bc8000 task.ti: ffff893bf9bc8000
+[ 440.788359] RIP: 0010:[<ffffffffb730e2b4>] [<ffffffffb730e2b4>] __blk_mq_tag_idle+0x24/0x40
+[ 440.798697] RSP: 0018:ffff893bf9bcbd10 EFLAGS: 00010286
+[ 440.805538] RAX: 0000000000000000 RBX: ffff895bb131dc00 RCX: 000000000000011f
+[ 440.814426] RDX: 00000000ffffffff RSI: 0000000000000120 RDI: ffff895bb131dc00
+[ 440.823301] RBP: ffff893bf9bcbd10 R08: 000000000001b860 R09: 4a51d361c00c0000
+[ 440.832193] R10: b5907f32b4cc7003 R11: ffffd6cabfb57000 R12: ffff894bafd1e008
+[ 440.841091] R13: 0000000000000001 R14: ffff895baf770000 R15: 0000000000000080
+[ 440.849988] FS: 0000000000000000(0000) GS:ffff894bbdcc0000(0000) knlGS:0000000000000000
+[ 440.859955] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 440.867274] CR2: 0000000000000008 CR3: 000000103d098000 CR4: 00000000001407e0
+[ 440.876169] Call Trace:
+[ 440.879818] [<ffffffffb7309d68>] blk_mq_exit_hctx+0xd8/0xe0
+[ 440.887051] [<ffffffffb730dc40>] blk_mq_free_queue+0xf0/0x160
+[ 440.894465] [<ffffffffb72ff679>] blk_cleanup_queue+0xd9/0x150
+[ 440.901881] [<ffffffffc08a802b>] nvme_ns_remove+0x5b/0xb0 [nvme_core]
+[ 440.910068] [<ffffffffc08a811b>] nvme_remove_namespaces+0x3b/0x60 [nvme_core]
+[ 440.919026] [<ffffffffc08b817b>] __nvme_rdma_remove_ctrl+0x2b/0xb0 [nvme_rdma]
+[ 440.928079] [<ffffffffc08b8237>] nvme_rdma_del_ctrl_work+0x17/0x20 [nvme_rdma]
+[ 440.937126] [<ffffffffb70ab58a>] process_one_work+0x17a/0x440
+[ 440.944517] [<ffffffffb70ac3a8>] worker_thread+0x278/0x3c0
+[ 440.951607] [<ffffffffb70ac130>] ? manage_workers.isra.24+0x2a0/0x2a0
+[ 440.959760] [<ffffffffb70b352f>] kthread+0xcf/0xe0
+[ 440.966055] [<ffffffffb70b3460>] ? insert_kthread_work+0x40/0x40
+[ 440.973715] [<ffffffffb76d8658>] ret_from_fork+0x58/0x90
+[ 440.980586] [<ffffffffb70b3460>] ? insert_kthread_work+0x40/0x40
+[ 440.988229] Code: 5b 41 5c 5d c3 66 90 0f 1f 44 00 00 48 8b 87 20 01 00 00 f0 0f ba 77 40 01 19 d2 85 d2 75 08 c3 0f 1f 80 00 00 00 00 55 48 89 e5 <f0> ff 48 08 48 8d 78 10 e8 7f 0f 05 00 5d c3 0f 1f 00 66 2e 0f
+[ 441.011620] RIP [<ffffffffb730e2b4>] __blk_mq_tag_idle+0x24/0x40
+[ 441.019301] RSP <ffff893bf9bcbd10>
+[ 441.024052] CR2: 0000000000000008
+
+Reported-by: Zhang Yi <yizhan@redhat.com>
+Tested-by: Zhang Yi <yizhan@redhat.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -1592,7 +1592,8 @@ static void blk_mq_exit_hctx(struct requ
+ {
+ unsigned flush_start_tag = set->queue_depth;
+
+- blk_mq_tag_idle(hctx);
++ if (blk_mq_hw_queue_mapped(hctx))
++ blk_mq_tag_idle(hctx);
+
+ if (set->ops->exit_request)
+ set->ops->exit_request(set->driver_data,
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Ming Lei <ming.lei@redhat.com>
+Date: Sat, 6 Jan 2018 16:27:40 +0800
+Subject: blk-mq: fix race between updating nr_hw_queues and switching io sched
+
+From: Ming Lei <ming.lei@redhat.com>
+
+
+[ Upstream commit fb350e0ad99359768e1e80b4784692031ec340e4 ]
+
+In both elevator_switch_mq() and blk_mq_update_nr_hw_queues(), sched tags
+can be allocated, and q->nr_hw_queue is used, and race is inevitable, for
+example: blk_mq_init_sched() may trigger use-after-free on hctx, which is
+freed in blk_mq_realloc_hw_ctxs() when nr_hw_queues is decreased.
+
+This patch fixes the race be holding q->sysfs_lock.
+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Tested-by: Yi Zhang <yi.zhang@redhat.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -1907,6 +1907,9 @@ static void blk_mq_realloc_hw_ctxs(struc
+ struct blk_mq_hw_ctx **hctxs = q->queue_hw_ctx;
+
+ blk_mq_sysfs_unregister(q);
++
++ /* protect against switching io scheduler */
++ mutex_lock(&q->sysfs_lock);
+ for (i = 0; i < set->nr_hw_queues; i++) {
+ int node;
+
+@@ -1956,6 +1959,7 @@ static void blk_mq_realloc_hw_ctxs(struc
+ }
+ }
+ q->nr_hw_queues = i;
++ mutex_unlock(&q->sysfs_lock);
+ blk_mq_sysfs_register(q);
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Wen Xiong <wenxiong@linux.vnet.ibm.com>
+Date: Wed, 10 May 2017 08:54:11 -0500
+Subject: blk-mq: NVMe 512B/4K+T10 DIF/DIX format returns I/O error on dd with split op
+
+From: Wen Xiong <wenxiong@linux.vnet.ibm.com>
+
+
+[ Upstream commit f36ea50ca0043e7b1204feaf1d2ba6bd68c08d36 ]
+
+When formatting NVMe to 512B/4K + T10 DIf/DIX, dd with split op returns
+"Input/output error". Looks block layer split the bio after calling
+bio_integrity_prep(bio). This patch fixes the issue.
+
+Below is how we debug this issue:
+(1)format nvme to 4K block # size with type 2 DIF
+(2)dd with block size bigger than 1024k.
+oflag=direct
+dd: error writing '/dev/nvme0n1': Input/output error
+
+We added some debug code in nvme device driver. It showed us the first
+op and the second op have the same bi and pi address. This is not
+correct.
+
+1st op: nvme0n1 Op:Wr slba 0x505 length 0x100, PI ctrl=0x1400,
+ dsmgmt=0x0, AT=0x0 & RT=0x505
+ Guard 0x00b1, AT 0x0000, RT physical 0x00000505 RT virtual 0x00002828
+
+2nd op: nvme0n1 Op:Wr slba 0x605 length 0x1, PI ctrl=0x1400, dsmgmt=0x0,
+ AT=0x0 & RT=0x605 ==> This op fails and subsequent 5 retires..
+ Guard 0x00b1, AT 0x0000, RT physical 0x00000605 RT virtual 0x00002828
+
+With the fix, It showed us both of the first op and the second op have
+correct bi and pi address.
+
+1st op: nvme2n1 Op:Wr slba 0x505 length 0x100, PI ctrl=0x1400,
+ dsmgmt=0x0, AT=0x0 & RT=0x505
+ Guard 0x5ccb, AT 0x0000, RT physical 0x00000505 RT virtual
+ 0x00002828
+2nd op: nvme2n1 Op:Wr slba 0x605 length 0x1, PI ctrl=0x1400, dsmgmt=0x0,
+ AT=0x0 & RT=0x605
+ Guard 0xab4c, AT 0x0000, RT physical 0x00000605 RT virtual
+ 0x00003028
+
+Signed-off-by: Wen Xiong <wenxiong@linux.vnet.ibm.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -1265,13 +1265,13 @@ static blk_qc_t blk_mq_make_request(stru
+
+ blk_queue_bounce(q, &bio);
+
++ blk_queue_split(q, &bio, q->bio_split);
++
+ if (bio_integrity_enabled(bio) && bio_integrity_prep(bio)) {
+ bio_io_error(bio);
+ return BLK_QC_T_NONE;
+ }
+
+- blk_queue_split(q, &bio, q->bio_split);
+-
+ if (!is_flush_fua && !blk_queue_nomerges(q) &&
+ blk_attempt_plug_merge(q, bio, &request_count, &same_queue_rq))
+ return BLK_QC_T_NONE;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 23 May 2017 17:28:36 +0300
+Subject: block: fix an error code in add_partition()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 7bd897cfce1eb373892d35d7f73201b0f9b221c4 ]
+
+We don't set an error code on this path. It means that we return NULL
+instead of an error pointer and the caller does a NULL dereference.
+
+Fixes: 6d1d8050b4bc ("block, partition: add partition_meta_info to hd_struct")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/partition-generic.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/block/partition-generic.c
++++ b/block/partition-generic.c
+@@ -321,8 +321,10 @@ struct hd_struct *add_partition(struct g
+
+ if (info) {
+ struct partition_meta_info *pinfo = alloc_part_info(disk);
+- if (!pinfo)
++ if (!pinfo) {
++ err = -ENOMEM;
+ goto out_free_stats;
++ }
+ memcpy(pinfo, info, sizeof(*info));
+ p->info = pinfo;
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Fri, 9 Jun 2017 18:43:56 +0200
+Subject: Bluetooth: Send HCI Set Event Mask Page 2 command only when needed
+
+From: Marcel Holtmann <marcel@holtmann.org>
+
+
+[ Upstream commit 313f6888c8fbb1bc8b36c9012ce4e1de848df696 ]
+
+The Broadcom BCM20702 Bluetooth controller in ThinkPad-T530 devices
+report support for the Set Event Mask Page 2 command, but actually do
+return an error when trying to use it.
+
+ < HCI Command: Read Local Supported Commands (0x04|0x0002) plen 0
+ > HCI Event: Command Complete (0x0e) plen 68
+ Read Local Supported Commands (0x04|0x0002) ncmd 1
+ Status: Success (0x00)
+ Commands: 162 entries
+ ...
+ Set Event Mask Page 2 (Octet 22 - Bit 2)
+ ...
+
+ < HCI Command: Set Event Mask Page 2 (0x03|0x0063) plen 8
+ Mask: 0x0000000000000000
+ > HCI Event: Command Complete (0x0e) plen 4
+ Set Event Mask Page 2 (0x03|0x0063) ncmd 1
+ Status: Unknown HCI Command (0x01)
+
+Since these controllers do not support any feature that would require
+the event mask page 2 to be modified, it is safe to not send this
+command at all. The default value is all bits set to zero.
+
+T: Bus=01 Lev=02 Prnt=02 Port=03 Cnt=03 Dev#= 9 Spd=12 MxCh= 0
+D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0a5c ProdID=21e6 Rev= 1.12
+S: Manufacturer=Broadcom Corp
+S: Product=BCM20702A0
+S: SerialNumber=F82FA8E8CFC0
+C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr= 0mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=btusb
+E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
+
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Reported-by: Sedat Dilek <sedat.dilek@gmail.com>
+Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
+Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_core.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -548,6 +548,7 @@ static void hci_set_event_mask_page_2(st
+ {
+ struct hci_dev *hdev = req->hdev;
+ u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
++ bool changed = false;
+
+ /* If Connectionless Slave Broadcast master role is supported
+ * enable all necessary events for it.
+@@ -557,6 +558,7 @@ static void hci_set_event_mask_page_2(st
+ events[1] |= 0x80; /* Synchronization Train Complete */
+ events[2] |= 0x10; /* Slave Page Response Timeout */
+ events[2] |= 0x20; /* CSB Channel Map Change */
++ changed = true;
+ }
+
+ /* If Connectionless Slave Broadcast slave role is supported
+@@ -567,13 +569,24 @@ static void hci_set_event_mask_page_2(st
+ events[2] |= 0x02; /* CSB Receive */
+ events[2] |= 0x04; /* CSB Timeout */
+ events[2] |= 0x08; /* Truncated Page Complete */
++ changed = true;
+ }
+
+ /* Enable Authenticated Payload Timeout Expired event if supported */
+- if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING)
++ if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING) {
+ events[2] |= 0x80;
++ changed = true;
++ }
+
+- hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events);
++ /* Some Broadcom based controllers indicate support for Set Event
++ * Mask Page 2 command, but then actually do not support it. Since
++ * the default value is all bits set to zero, the command is only
++ * required if the event mask has to be changed. In case no change
++ * to the event mask is needed, skip this command.
++ */
++ if (changed)
++ hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2,
++ sizeof(events), events);
+ }
+
+ static int hci_init3_req(struct hci_request *req, unsigned long opt)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 5 May 2017 15:25:32 -0700
+Subject: bna: Avoid reading past end of buffer
+
+From: Kees Cook <keescook@chromium.org>
+
+
+[ Upstream commit 9e4eb1ce472fbf7b007f23c88ec11c37265e401c ]
+
+Using memcpy() from a string that is shorter than the length copied means
+the destination buffer is being filled with arbitrary data from the kernel
+rodata segment. Instead, use strncpy() which will fill the trailing bytes
+with zeros.
+
+This was found with the future CONFIG_FORTIFY_SOURCE feature.
+
+Cc: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/brocade/bna/bfa_ioc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/brocade/bna/bfa_ioc.c
++++ b/drivers/net/ethernet/brocade/bna/bfa_ioc.c
+@@ -2845,7 +2845,7 @@ bfa_ioc_get_adapter_optrom_ver(struct bf
+ static void
+ bfa_ioc_get_adapter_manufacturer(struct bfa_ioc *ioc, char *manufacturer)
+ {
+- memcpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);
++ strncpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);
+ }
+
+ static void
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "Mintz, Yuval" <Yuval.Mintz@cavium.com>
+Date: Fri, 9 Jun 2017 17:17:01 +0300
+Subject: bnx2x: Allow vfs to disable txvlan offload
+
+From: "Mintz, Yuval" <Yuval.Mintz@cavium.com>
+
+
+[ Upstream commit 92f85f05caa51d844af6ea14ffbc7a786446a644 ]
+
+VF clients are configured as enforced, meaning firmware is validating
+the correctness of their ethertype/vid during transmission.
+Once txvlan is disabled, VF would start getting SKBs for transmission
+here vlan is on the payload - but it'll pass the packet's ethertype
+instead of the vid, leading to firmware declaring it as malicious.
+
+Signed-off-by: Yuval Mintz <Yuval.Mintz@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -3887,15 +3887,26 @@ netdev_tx_t bnx2x_start_xmit(struct sk_b
+ /* when transmitting in a vf, start bd must hold the ethertype
+ * for fw to enforce it
+ */
++ u16 vlan_tci = 0;
+ #ifndef BNX2X_STOP_ON_ERROR
+- if (IS_VF(bp))
++ if (IS_VF(bp)) {
+ #endif
+- tx_start_bd->vlan_or_ethertype =
+- cpu_to_le16(ntohs(eth->h_proto));
++ /* Still need to consider inband vlan for enforced */
++ if (__vlan_get_tag(skb, &vlan_tci)) {
++ tx_start_bd->vlan_or_ethertype =
++ cpu_to_le16(ntohs(eth->h_proto));
++ } else {
++ tx_start_bd->bd_flags.as_bitfield |=
++ (X_ETH_INBAND_VLAN <<
++ ETH_TX_BD_FLAGS_VLAN_MODE_SHIFT);
++ tx_start_bd->vlan_or_ethertype =
++ cpu_to_le16(vlan_tci);
++ }
+ #ifndef BNX2X_STOP_ON_ERROR
+- else
++ } else {
+ /* used by FW for packet accounting */
+ tx_start_bd->vlan_or_ethertype = cpu_to_le16(pkt_prod);
++ }
+ #endif
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Nithin Sujir <nsujir@tintri.com>
+Date: Wed, 24 May 2017 19:45:17 -0700
+Subject: bonding: Don't update slave->link until ready to commit
+
+From: Nithin Sujir <nsujir@tintri.com>
+
+
+[ Upstream commit 797a93647a48d6cb8a20641a86a71713a947f786 ]
+
+In the loadbalance arp monitoring scheme, when a slave link change is
+detected, the slave->link is immediately updated and slave_state_changed
+is set. Later down the function, the rtnl_lock is acquired and the
+changes are committed, updating the bond link state.
+
+However, the acquisition of the rtnl_lock can fail. The next time the
+monitor runs, since slave->link is already updated, it determines that
+link is unchanged. This results in the bond link state permanently out
+of sync with the slave link.
+
+This patch modifies bond_loadbalance_arp_mon() to handle link changes
+identical to bond_ab_arp_{inspect/commit}(). The new link state is
+maintained in slave->new_link until we're ready to commit at which point
+it's copied into slave->link.
+
+NOTE: miimon_{inspect/commit}() has a more complex state machine
+requiring the use of the bond_{propose,commit}_link_state() functions
+which maintains the intermediate state in slave->link_new_state. The arp
+monitors don't require that.
+
+Testing: This bug is very easy to reproduce with the following steps.
+1. In a loop, toggle a slave link of a bond slave interface.
+2. In a separate loop, do ifconfig up/down of an unrelated interface to
+create contention for rtnl_lock.
+Within a few iterations, the bond link goes out of sync with the slave
+link.
+
+Signed-off-by: Nithin Nayak Sujir <nsujir@tintri.com>
+Cc: Mahesh Bandewar <maheshb@google.com>
+Cc: Jay Vosburgh <jay.vosburgh@canonical.com>
+Acked-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2605,11 +2605,13 @@ static void bond_loadbalance_arp_mon(str
+ bond_for_each_slave_rcu(bond, slave, iter) {
+ unsigned long trans_start = dev_trans_start(slave->dev);
+
++ slave->new_link = BOND_LINK_NOCHANGE;
++
+ if (slave->link != BOND_LINK_UP) {
+ if (bond_time_in_interval(bond, trans_start, 1) &&
+ bond_time_in_interval(bond, slave->last_rx, 1)) {
+
+- slave->link = BOND_LINK_UP;
++ slave->new_link = BOND_LINK_UP;
+ slave_state_changed = 1;
+
+ /* primary_slave has no meaning in round-robin
+@@ -2636,7 +2638,7 @@ static void bond_loadbalance_arp_mon(str
+ if (!bond_time_in_interval(bond, trans_start, 2) ||
+ !bond_time_in_interval(bond, slave->last_rx, 2)) {
+
+- slave->link = BOND_LINK_DOWN;
++ slave->new_link = BOND_LINK_DOWN;
+ slave_state_changed = 1;
+
+ if (slave->link_failure_count < UINT_MAX)
+@@ -2667,6 +2669,11 @@ static void bond_loadbalance_arp_mon(str
+ if (!rtnl_trylock())
+ goto re_arm;
+
++ bond_for_each_slave(bond, slave, iter) {
++ if (slave->new_link != BOND_LINK_NOCHANGE)
++ slave->link = slave->new_link;
++ }
++
+ if (slave_state_changed) {
+ bond_slave_state_change(bond);
+ if (BOND_MODE(bond) == BOND_MODE_XOR)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 9 May 2017 18:14:01 +0100
+Subject: btrfs: fix incorrect error return ret being passed to mapping_set_error
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit bff5baf8aa37a97293725a16c03f49872249c07e ]
+
+The setting of return code ret should be based on the error code
+passed into function end_extent_writepage and not on ret. Thanks
+to Liu Bo for spotting this mistake in the original fix I submitted.
+
+Detected by CoverityScan, CID#1414312 ("Logically dead code")
+
+Fixes: 5dca6eea91653e ("Btrfs: mark mapping with error flag to report errors to userspace")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -2453,7 +2453,7 @@ void end_extent_writepage(struct page *p
+ if (!uptodate) {
+ ClearPageUptodate(page);
+ SetPageError(page);
+- ret = ret < 0 ? ret : -EIO;
++ ret = err < 0 ? err : -EIO;
+ mapping_set_error(page->mapping, ret);
+ }
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Doug Berger <opendmb@gmail.com>
+Date: Wed, 29 Mar 2017 17:29:10 -0700
+Subject: bus: brcmstb_gisb: correct support for 64-bit address output
+
+From: Doug Berger <opendmb@gmail.com>
+
+
+[ Upstream commit 0c2aa0e4b308815e877601845c1a89913f9bd2b9 ]
+
+The GISB bus can support addresses beyond 32-bits. So this commit
+corrects support for reading a captured 64-bit address into a 64-bit
+variable by obtaining the high bits from the ARB_ERR_CAP_HI_ADDR
+register (when present) and then outputting the full 64-bit value.
+
+It also removes unused definitions.
+
+Fixes: 44127b771d9c ("bus: add Broadcom GISB bus arbiter timeout/error handler")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Acked-by: Gregory Fong <gregory.0xf0@gmail.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/brcmstb_gisb.c | 36 ++++++++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+--- a/drivers/bus/brcmstb_gisb.c
++++ b/drivers/bus/brcmstb_gisb.c
+@@ -37,8 +37,6 @@
+ #define ARB_ERR_CAP_CLEAR (1 << 0)
+ #define ARB_ERR_CAP_STATUS_TIMEOUT (1 << 12)
+ #define ARB_ERR_CAP_STATUS_TEA (1 << 11)
+-#define ARB_ERR_CAP_STATUS_BS_SHIFT (1 << 2)
+-#define ARB_ERR_CAP_STATUS_BS_MASK 0x3c
+ #define ARB_ERR_CAP_STATUS_WRITE (1 << 1)
+ #define ARB_ERR_CAP_STATUS_VALID (1 << 0)
+
+@@ -47,7 +45,6 @@ enum {
+ ARB_ERR_CAP_CLR,
+ ARB_ERR_CAP_HI_ADDR,
+ ARB_ERR_CAP_ADDR,
+- ARB_ERR_CAP_DATA,
+ ARB_ERR_CAP_STATUS,
+ ARB_ERR_CAP_MASTER,
+ };
+@@ -57,7 +54,6 @@ static const int gisb_offsets_bcm7038[]
+ [ARB_ERR_CAP_CLR] = 0x0c4,
+ [ARB_ERR_CAP_HI_ADDR] = -1,
+ [ARB_ERR_CAP_ADDR] = 0x0c8,
+- [ARB_ERR_CAP_DATA] = 0x0cc,
+ [ARB_ERR_CAP_STATUS] = 0x0d0,
+ [ARB_ERR_CAP_MASTER] = -1,
+ };
+@@ -67,7 +63,6 @@ static const int gisb_offsets_bcm7400[]
+ [ARB_ERR_CAP_CLR] = 0x0c8,
+ [ARB_ERR_CAP_HI_ADDR] = -1,
+ [ARB_ERR_CAP_ADDR] = 0x0cc,
+- [ARB_ERR_CAP_DATA] = 0x0d0,
+ [ARB_ERR_CAP_STATUS] = 0x0d4,
+ [ARB_ERR_CAP_MASTER] = 0x0d8,
+ };
+@@ -77,7 +72,6 @@ static const int gisb_offsets_bcm7435[]
+ [ARB_ERR_CAP_CLR] = 0x168,
+ [ARB_ERR_CAP_HI_ADDR] = -1,
+ [ARB_ERR_CAP_ADDR] = 0x16c,
+- [ARB_ERR_CAP_DATA] = 0x170,
+ [ARB_ERR_CAP_STATUS] = 0x174,
+ [ARB_ERR_CAP_MASTER] = 0x178,
+ };
+@@ -87,7 +81,6 @@ static const int gisb_offsets_bcm7445[]
+ [ARB_ERR_CAP_CLR] = 0x7e4,
+ [ARB_ERR_CAP_HI_ADDR] = 0x7e8,
+ [ARB_ERR_CAP_ADDR] = 0x7ec,
+- [ARB_ERR_CAP_DATA] = 0x7f0,
+ [ARB_ERR_CAP_STATUS] = 0x7f4,
+ [ARB_ERR_CAP_MASTER] = 0x7f8,
+ };
+@@ -109,9 +102,13 @@ static u32 gisb_read(struct brcmstb_gisb
+ {
+ int offset = gdev->gisb_offsets[reg];
+
+- /* return 1 if the hardware doesn't have ARB_ERR_CAP_MASTER */
+- if (offset == -1)
+- return 1;
++ if (offset < 0) {
++ /* return 1 if the hardware doesn't have ARB_ERR_CAP_MASTER */
++ if (reg == ARB_ERR_CAP_MASTER)
++ return 1;
++ else
++ return 0;
++ }
+
+ if (gdev->big_endian)
+ return ioread32be(gdev->base + offset);
+@@ -119,6 +116,16 @@ static u32 gisb_read(struct brcmstb_gisb
+ return ioread32(gdev->base + offset);
+ }
+
++static u64 gisb_read_address(struct brcmstb_gisb_arb_device *gdev)
++{
++ u64 value;
++
++ value = gisb_read(gdev, ARB_ERR_CAP_ADDR);
++ value |= (u64)gisb_read(gdev, ARB_ERR_CAP_HI_ADDR) << 32;
++
++ return value;
++}
++
+ static void gisb_write(struct brcmstb_gisb_arb_device *gdev, u32 val, int reg)
+ {
+ int offset = gdev->gisb_offsets[reg];
+@@ -185,7 +192,7 @@ static int brcmstb_gisb_arb_decode_addr(
+ const char *reason)
+ {
+ u32 cap_status;
+- unsigned long arb_addr;
++ u64 arb_addr;
+ u32 master;
+ const char *m_name;
+ char m_fmt[11];
+@@ -197,10 +204,7 @@ static int brcmstb_gisb_arb_decode_addr(
+ return 1;
+
+ /* Read the address and master */
+- arb_addr = gisb_read(gdev, ARB_ERR_CAP_ADDR) & 0xffffffff;
+-#if (IS_ENABLED(CONFIG_PHYS_ADDR_T_64BIT))
+- arb_addr |= (u64)gisb_read(gdev, ARB_ERR_CAP_HI_ADDR) << 32;
+-#endif
++ arb_addr = gisb_read_address(gdev);
+ master = gisb_read(gdev, ARB_ERR_CAP_MASTER);
+
+ m_name = brcmstb_gisb_master_to_str(gdev, master);
+@@ -209,7 +213,7 @@ static int brcmstb_gisb_arb_decode_addr(
+ m_name = m_fmt;
+ }
+
+- pr_crit("%s: %s at 0x%lx [%c %s], core: %s\n",
++ pr_crit("%s: %s at 0x%llx [%c %s], core: %s\n",
+ __func__, reason, arb_addr,
+ cap_status & ARB_ERR_CAP_STATUS_WRITE ? 'W' : 'R',
+ cap_status & ARB_ERR_CAP_STATUS_TIMEOUT ? "timeout" : "",
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Doug Berger <opendmb@gmail.com>
+Date: Wed, 29 Mar 2017 17:29:09 -0700
+Subject: bus: brcmstb_gisb: Use register offsets with writes too
+
+From: Doug Berger <opendmb@gmail.com>
+
+
+[ Upstream commit 856c7ccb9ce7a061f04bdf586f649cb93654e294 ]
+
+This commit corrects the bug introduced in commit f80835875d3d
+("bus: brcmstb_gisb: Look up register offsets in a table") such
+that gisb_write() translates the register enumeration into an
+offset from the base address for writes as well as reads.
+
+Fixes: f80835875d3d ("bus: brcmstb_gisb: Look up register offsets in a table")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Acked-by: Gregory Fong <gregory.0xf0@gmail.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/brcmstb_gisb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/brcmstb_gisb.c
++++ b/drivers/bus/brcmstb_gisb.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2014 Broadcom Corporation
++ * Copyright (C) 2014-2017 Broadcom
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+@@ -127,9 +127,9 @@ static void gisb_write(struct brcmstb_gi
+ return;
+
+ if (gdev->big_endian)
+- iowrite32be(val, gdev->base + reg);
++ iowrite32be(val, gdev->base + offset);
+ else
+- iowrite32(val, gdev->base + reg);
++ iowrite32(val, gdev->base + offset);
+ }
+
+ static ssize_t gisb_arb_get_timeout(struct device *dev,
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 4 May 2017 08:42:30 +0200
+Subject: cfg80211: make RATE_INFO_BW_20 the default
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+
+[ Upstream commit 842be75c77cb72ee546a2b19da9c285fb3ded660 ]
+
+Due to the way I did the RX bitrate conversions in mac80211 with
+spatch, going setting flags to setting the value, many drivers now
+don't set the bandwidth value for 20 MHz, since with the flags it
+wasn't necessary to (there was no 20 MHz flag, only the others.)
+
+Rather than go through and try to fix up all the drivers, instead
+renumber the enum so that 20 MHz, which is the typical bandwidth,
+actually has the value 0, making those drivers all work again.
+
+If VHT was hit used with a driver not reporting it, e.g. iwlmvm,
+this manifested in hitting the bandwidth warning in
+cfg80211_calculate_bitrate_vht().
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Tested-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/cfg80211.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -947,9 +947,9 @@ enum rate_info_flags {
+ * @RATE_INFO_BW_160: 160 MHz bandwidth
+ */
+ enum rate_info_bw {
++ RATE_INFO_BW_20 = 0,
+ RATE_INFO_BW_5,
+ RATE_INFO_BW_10,
+- RATE_INFO_BW_20,
+ RATE_INFO_BW_40,
+ RATE_INFO_BW_80,
+ RATE_INFO_BW_160,
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Rabin Vincent <rabinv@axis.com>
+Date: Wed, 3 May 2017 17:17:21 +0200
+Subject: CIFS: silence lockdep splat in cifs_relock_file()
+
+From: Rabin Vincent <rabinv@axis.com>
+
+
+[ Upstream commit 560d388950ceda5e7c7cdef7f3d9a8ff297bbf9d ]
+
+cifs_relock_file() can perform a down_write() on the inode's lock_sem even
+though it was already performed in cifs_strict_readv(). Lockdep complains
+about this. AFAICS, there is no problem here, and lockdep just needs to be
+told that this nesting is OK.
+
+ =============================================
+ [ INFO: possible recursive locking detected ]
+ 4.11.0+ #20 Not tainted
+ ---------------------------------------------
+ cat/701 is trying to acquire lock:
+ (&cifsi->lock_sem){++++.+}, at: cifs_reopen_file+0x7a7/0xc00
+
+ but task is already holding lock:
+ (&cifsi->lock_sem){++++.+}, at: cifs_strict_readv+0x177/0x310
+
+ other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&cifsi->lock_sem);
+ lock(&cifsi->lock_sem);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+ 1 lock held by cat/701:
+ #0: (&cifsi->lock_sem){++++.+}, at: cifs_strict_readv+0x177/0x310
+
+ stack backtrace:
+ CPU: 0 PID: 701 Comm: cat Not tainted 4.11.0+ #20
+ Call Trace:
+ dump_stack+0x85/0xc2
+ __lock_acquire+0x17dd/0x2260
+ ? trace_hardirqs_on_thunk+0x1a/0x1c
+ ? preempt_schedule_irq+0x6b/0x80
+ lock_acquire+0xcc/0x260
+ ? lock_acquire+0xcc/0x260
+ ? cifs_reopen_file+0x7a7/0xc00
+ down_read+0x2d/0x70
+ ? cifs_reopen_file+0x7a7/0xc00
+ cifs_reopen_file+0x7a7/0xc00
+ ? printk+0x43/0x4b
+ cifs_readpage_worker+0x327/0x8a0
+ cifs_readpage+0x8c/0x2a0
+ generic_file_read_iter+0x692/0xd00
+ cifs_strict_readv+0x29f/0x310
+ generic_file_splice_read+0x11c/0x1c0
+ do_splice_to+0xa5/0xc0
+ splice_direct_to_actor+0xfa/0x350
+ ? generic_pipe_buf_nosteal+0x10/0x10
+ do_splice_direct+0xb5/0xe0
+ do_sendfile+0x278/0x3a0
+ SyS_sendfile64+0xc4/0xe0
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+
+Signed-off-by: Rabin Vincent <rabinv@axis.com>
+Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -589,7 +589,7 @@ cifs_relock_file(struct cifsFileInfo *cf
+ struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
+ int rc = 0;
+
+- down_read(&cinode->lock_sem);
++ down_read_nested(&cinode->lock_sem, SINGLE_DEPTH_NESTING);
+ if (cinode->can_cache_brlcks) {
+ /* can cache locks - no need to relock */
+ up_read(&cinode->lock_sem);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Date: Fri, 12 May 2017 16:25:30 +0200
+Subject: clk: at91: fix clk-generated parenting
+
+From: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+
+
+[ Upstream commit 8e56133e5c7b7a7a97f6a92d92f664d5ecd30745 ]
+
+clk_generated_startup is called after clk_hw_register. So the first call to
+get_parent will not have the correct value (i.e. 0) and because this is
+cached, it may never be updated.
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Fixes: df70aeef6083 ("clk: at91: add generated clock driver")
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/at91/clk-generated.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/clk/at91/clk-generated.c
++++ b/drivers/clk/at91/clk-generated.c
+@@ -260,13 +260,12 @@ at91_clk_register_generated(struct regma
+ gck->lock = lock;
+ gck->range = *range;
+
++ clk_generated_startup(gck);
+ hw = &gck->hw;
+ ret = clk_hw_register(NULL, &gck->hw);
+ if (ret) {
+ kfree(gck);
+ hw = ERR_PTR(ret);
+- } else
+- clk_generated_startup(gck);
+
+ return hw;
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Bryan O'Donoghue <pure.logic@nexus-software.ie>
+Date: Mon, 15 May 2017 11:58:59 +0100
+Subject: clk: Fix __set_clk_rates error print-string
+
+From: Bryan O'Donoghue <pure.logic@nexus-software.ie>
+
+
+[ Upstream commit ee177c5d6369f8e5d3e4793dce501cf4431313a1 ]
+
+When failing to set a clock the printout emitted is incorrect.
+"u32 rate" is formatted as %d and should be %u whereas "unsigned long
+clk_set_rate()" is formatted as %ld and should be %lu as per
+Documentation/printk-formats.txt.
+
+Fixes: 2885c3b2a3da ("clk: Show correct information when fail to set clock rate")
+Signed-off-by: Bryan O'Donoghue <pure.logic@nexus-software.ie>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk-conf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/clk-conf.c
++++ b/drivers/clk/clk-conf.c
+@@ -106,7 +106,7 @@ static int __set_clk_rates(struct device
+
+ rc = clk_set_rate(clk, rate);
+ if (rc < 0)
+- pr_err("clk: couldn't set %s clk rate to %d (%d), current rate: %ld\n",
++ pr_err("clk: couldn't set %s clk rate to %u (%d), current rate: %lu\n",
+ __clk_get_name(clk), rate, rc,
+ clk_get_rate(clk));
+ clk_put(clk);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Sun, 4 Jun 2017 20:33:39 +0200
+Subject: clk: meson: meson8b: add compatibles for Meson8 and Meson8m2
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+
+[ Upstream commit 855f06a1009faabb0c6a3e9b49d115496d325856 ]
+
+The clock controller on Meson8, Meson8b and Meson8m2 is very similar
+based on the code from the Amlogic GPL kernel sources. Add separate
+compatibles for each SoC to make sure that we can easily implement
+all the small differences for each SoC later on.
+
+In general the Meson8 and Meson8m2 seem to be almost identical as they
+even share the same mach-meson8 directory in Amlogic's GPL kernel
+sources.
+The main clocks on Meson8, Meson8b and Meson8m2 are very similar,
+because they are all using the same PLL values, 90% of the clock gates
+are the same (the actual diffstat of the mach-meson8/clock.c and
+mach-meson8b/clock.c files is around 30 to 40 lines, when excluding
+all commented out code).
+The difference between the Meson8 and Meson8b clock gates seem to be:
+- Meson8 has AIU_PCLK, HDMI_RX, VCLK2_ENCT, VCLK2_ENCL, UART3,
+ CSI_DIG_CLKIN gates which don't seem to be available on Meson8b
+- the gate on Meson8 for bit 7 seems to be named "_1200XXX" instead
+ of "PERIPHS_TOP" (on Meson8b)
+- Meson8b has a SANA gate which doesn't seem to exist on Meson8 (or
+ on Meson8 the same bit is used by the UART3 gate in Amlogic's GPL
+ kernel sources)
+None of these gates is added for now, since it's unclear whether these
+definitions are actually correct (the VCLK2_ENCT gate for example is
+defined, but only used in some commented block).
+
+The main difference between all three SoCs seem to be the video (VPU)
+clocks. Apart from different supported clock rates (according to vpu.c
+in mach-meson8 and mach-meson8b from Amlogic's GPL kernel sources) the
+most notable difference is that Meson8m2 has a GP_PLL clock and a mux
+(probably the same as on the Meson GX SoCs) to support glitch-free
+(clock rate) switching.
+None of these VPU clocks are not supported by our mainline meson8b
+clock driver yet though.
+
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Acked-by: Rob Herring <robh@kernel.org>
+Acked-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/clock/amlogic,meson8b-clkc.txt | 11 ++++++----
+ drivers/clk/meson/Kconfig | 6 ++---
+ drivers/clk/meson/meson8b.c | 5 +++-
+ 3 files changed, 14 insertions(+), 8 deletions(-)
+
+--- a/Documentation/devicetree/bindings/clock/amlogic,meson8b-clkc.txt
++++ b/Documentation/devicetree/bindings/clock/amlogic,meson8b-clkc.txt
+@@ -1,11 +1,14 @@
+-* Amlogic Meson8b Clock and Reset Unit
++* Amlogic Meson8, Meson8b and Meson8m2 Clock and Reset Unit
+
+-The Amlogic Meson8b clock controller generates and supplies clock to various
+-controllers within the SoC.
++The Amlogic Meson8 / Meson8b / Meson8m2 clock controller generates and
++supplies clock to various controllers within the SoC.
+
+ Required Properties:
+
+-- compatible: should be "amlogic,meson8b-clkc"
++- compatible: must be one of:
++ - "amlogic,meson8-clkc" for Meson8 (S802) SoCs
++ - "amlogic,meson8b-clkc" for Meson8 (S805) SoCs
++ - "amlogic,meson8m2-clkc" for Meson8m2 (S812) SoCs
+ - reg: it must be composed by two tuples:
+ 0) physical base address of the xtal register and length of memory
+ mapped region.
+--- a/drivers/clk/meson/Kconfig
++++ b/drivers/clk/meson/Kconfig
+@@ -7,9 +7,9 @@ config COMMON_CLK_MESON8B
+ bool
+ depends on COMMON_CLK_AMLOGIC
+ help
+- Support for the clock controller on AmLogic S805 devices, aka
+- meson8b. Say Y if you want peripherals and CPU frequency scaling to
+- work.
++ Support for the clock controller on AmLogic S802 (Meson8),
++ S805 (Meson8b) and S812 (Meson8m2) devices. Say Y if you
++ want peripherals and CPU frequency scaling to work.
+
+ config COMMON_CLK_GXBB
+ bool
+--- a/drivers/clk/meson/meson8b.c
++++ b/drivers/clk/meson/meson8b.c
+@@ -1,5 +1,6 @@
+ /*
+- * AmLogic S805 / Meson8b Clock Controller Driver
++ * AmLogic S802 (Meson8) / S805 (Meson8b) / S812 (Meson8m2) Clock Controller
++ * Driver
+ *
+ * Copyright (c) 2015 Endless Mobile, Inc.
+ * Author: Carlo Caione <carlo@endlessm.com>
+@@ -661,7 +662,9 @@ iounmap:
+ }
+
+ static const struct of_device_id meson8b_clkc_match_table[] = {
++ { .compatible = "amlogic,meson8-clkc" },
+ { .compatible = "amlogic,meson8b-clkc" },
++ { .compatible = "amlogic,meson8m2-clkc" },
+ { }
+ };
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 29 Mar 2017 17:22:44 +0200
+Subject: clk: renesas: rcar-gen2: Fix PLL0 on R-Car V2H and E2
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+
+[ Upstream commit b7c563c489e94417efbad68d057ea5d2030ae44c ]
+
+R-Car V2H and E2 do not have the PLL0CR register, but use a fixed
+multiplier (depending on mode pins) and divider.
+
+This corrects the clock rate of "pll0" (PLL0 VCO after post divider) on
+R-Car V2H and E2 from 1.5 GHz to 1 GHz.
+
+Inspired by Sergei Shtylyov's work for the common R-Car Gen2 and RZ/G
+Clock Pulse Generator support core.
+
+Fixes: 7c4163aae3d8e5b9 ("ARM: dts: r8a7792: initial SoC device tree")
+Fixes: 0dce5454d5c25858 ("ARM: shmobile: Initial r8a7794 SoC device tree")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/renesas/clk-rcar-gen2.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/drivers/clk/renesas/clk-rcar-gen2.c
++++ b/drivers/clk/renesas/clk-rcar-gen2.c
+@@ -271,11 +271,14 @@ struct cpg_pll_config {
+ unsigned int extal_div;
+ unsigned int pll1_mult;
+ unsigned int pll3_mult;
++ unsigned int pll0_mult; /* For R-Car V2H and E2 only */
+ };
+
+ static const struct cpg_pll_config cpg_pll_configs[8] __initconst = {
+- { 1, 208, 106 }, { 1, 208, 88 }, { 1, 156, 80 }, { 1, 156, 66 },
+- { 2, 240, 122 }, { 2, 240, 102 }, { 2, 208, 106 }, { 2, 208, 88 },
++ { 1, 208, 106, 200 }, { 1, 208, 88, 200 },
++ { 1, 156, 80, 150 }, { 1, 156, 66, 150 },
++ { 2, 240, 122, 230 }, { 2, 240, 102, 230 },
++ { 2, 208, 106, 200 }, { 2, 208, 88, 200 },
+ };
+
+ /* SDHI divisors */
+@@ -297,6 +300,12 @@ static const struct clk_div_table cpg_sd
+
+ static u32 cpg_mode __initdata;
+
++static const char * const pll0_mult_match[] = {
++ "renesas,r8a7792-cpg-clocks",
++ "renesas,r8a7794-cpg-clocks",
++ NULL
++};
++
+ static struct clk * __init
+ rcar_gen2_cpg_register_clock(struct device_node *np, struct rcar_gen2_cpg *cpg,
+ const struct cpg_pll_config *config,
+@@ -317,9 +326,15 @@ rcar_gen2_cpg_register_clock(struct devi
+ * clock implementation and we currently have no need to change
+ * the multiplier value.
+ */
+- u32 value = clk_readl(cpg->reg + CPG_PLL0CR);
++ if (of_device_compatible_match(np, pll0_mult_match)) {
++ /* R-Car V2H and E2 do not have PLL0CR */
++ mult = config->pll0_mult;
++ div = 3;
++ } else {
++ u32 value = clk_readl(cpg->reg + CPG_PLL0CR);
++ mult = ((value >> 24) & ((1 << 7) - 1)) + 1;
++ }
+ parent_name = "main";
+- mult = ((value >> 24) & ((1 << 7) - 1)) + 1;
+ } else if (!strcmp(name, "pll1")) {
+ parent_name = "main";
+ mult = config->pll1_mult / 2;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Thu, 18 May 2017 17:19:28 +0100
+Subject: clk: scpi: fix return type of __scpi_dvfs_round_rate
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+
+[ Upstream commit 7374aec95636ca39409545eba4ef5ff3125c2346 ]
+
+The frequencies above the maximum value of signed integer(i.e. 2^31 -1)
+will overflow with the current code.
+
+This patch fixes the return type of __scpi_dvfs_round_rate from 'int'
+to 'unsigned long'.
+
+Fixes: cd52c2a4b5c4 ("clk: add support for clocks provided by SCP(System Control Processor)")
+Cc: Michael Turquette <mturquette@baylibre.com>
+Cc: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk-scpi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/clk/clk-scpi.c
++++ b/drivers/clk/clk-scpi.c
+@@ -71,15 +71,15 @@ static const struct clk_ops scpi_clk_ops
+ };
+
+ /* find closest match to given frequency in OPP table */
+-static int __scpi_dvfs_round_rate(struct scpi_clk *clk, unsigned long rate)
++static long __scpi_dvfs_round_rate(struct scpi_clk *clk, unsigned long rate)
+ {
+ int idx;
+- u32 fmin = 0, fmax = ~0, ftmp;
++ unsigned long fmin = 0, fmax = ~0, ftmp;
+ const struct scpi_opp *opp = clk->info->opps;
+
+ for (idx = 0; idx < clk->info->count; idx++, opp++) {
+ ftmp = opp->freq;
+- if (ftmp >= (u32)rate) {
++ if (ftmp >= rate) {
+ if (ftmp <= fmax)
+ fmax = ftmp;
+ break;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Mon, 5 Jun 2017 14:15:03 -0600
+Subject: coresight: Fix reference count for software sources
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+
+[ Upstream commit 022aa1a81b778789ee7cf3124595854276a0330d ]
+
+For software sources (i.e STM), there could be multiple agents
+generating the trace data, unlike the ETMs. So we need to
+properly do the accounting for the active number of users
+to disable the device when the last user goes away. Right
+now, the reference counting is broken for sources as we skip
+the actions when we detect that the source is enabled.
+
+This patch fixes the problem by adding the refcounting for
+software sources, even when they are enabled.
+
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Reported-by: Robert Walker <robert.walker@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwtracing/coresight/coresight.c
++++ b/drivers/hwtracing/coresight/coresight.c
+@@ -498,6 +498,9 @@ int coresight_enable(struct coresight_de
+ {
+ int cpu, ret = 0;
+ struct list_head *path;
++ enum coresight_dev_subtype_source subtype;
++
++ subtype = csdev->subtype.source_subtype;
+
+ mutex_lock(&coresight_mutex);
+
+@@ -505,8 +508,16 @@ int coresight_enable(struct coresight_de
+ if (ret)
+ goto out;
+
+- if (csdev->enable)
++ if (csdev->enable) {
++ /*
++ * There could be multiple applications driving the software
++ * source. So keep the refcount for each such user when the
++ * source is already enabled.
++ */
++ if (subtype == CORESIGHT_DEV_SUBTYPE_SOURCE_SOFTWARE)
++ atomic_inc(csdev->refcnt);
+ goto out;
++ }
+
+ path = coresight_build_path(csdev);
+ if (IS_ERR(path)) {
+@@ -523,7 +534,7 @@ int coresight_enable(struct coresight_de
+ if (ret)
+ goto err_source;
+
+- switch (csdev->subtype.source_subtype) {
++ switch (subtype) {
+ case CORESIGHT_DEV_SUBTYPE_SOURCE_PROC:
+ /*
+ * When working from sysFS it is important to keep track
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Mon, 5 Jun 2017 14:15:09 -0600
+Subject: coresight: tmc: Configure DMA mask appropriately
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+
+[ Upstream commit a3959c50b02f57df4c4e4f14f632220f1c0b1f79 ]
+
+Before making any DMA API calls, the ETR driver should really be setting
+its masks to ensure that DMA is possible. Especially since it can
+address more than the 32-bit default mask set by the AMBA bus code.
+
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Tested-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-tmc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/hwtracing/coresight/coresight-tmc.c
++++ b/drivers/hwtracing/coresight/coresight-tmc.c
+@@ -362,6 +362,13 @@ static int tmc_probe(struct amba_device
+ desc.type = CORESIGHT_DEV_TYPE_SINK;
+ desc.subtype.sink_subtype = CORESIGHT_DEV_SUBTYPE_SINK_BUFFER;
+ desc.ops = &tmc_etr_cs_ops;
++ /*
++ * ETR configuration uses a 40-bit AXI master in place of
++ * the embedded SRAM of ETB/ETF.
++ */
++ ret = dma_set_mask_and_coherent(dev, DMA_BIT_MASK(40));
++ if (ret)
++ goto out;
+ } else {
+ desc.type = CORESIGHT_DEV_TYPE_LINKSINK;
+ desc.subtype.link_subtype = CORESIGHT_DEV_SUBTYPE_LINK_FIFO;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 24 May 2017 10:15:43 +0200
+Subject: cpuhotplug: Link lock stacks for hotplug callbacks
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+
+[ Upstream commit 49dfe2a6779717d9c18395684ee31bdc98b22e53 ]
+
+The CPU hotplug callbacks are not covered by lockdep versus the cpu hotplug
+rwsem.
+
+CPU0 CPU1
+cpuhp_setup_state(STATE, startup, teardown);
+ cpus_read_lock();
+ invoke_callback_on_ap();
+ kick_hotplug_thread(ap);
+ wait_for_completion(); hotplug_thread_fn()
+ lock(m);
+ do_stuff();
+ unlock(m);
+
+Lockdep does not know about this dependency and will not trigger on the
+following code sequence:
+
+ lock(m);
+ cpus_read_lock();
+
+Add a lockdep map and connect the initiators lock chain with the hotplug
+thread lock chain, so potential deadlocks can be detected.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Acked-by: Ingo Molnar <mingo@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Link: http://lkml.kernel.org/r/20170524081549.709375845@linutronix.de
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cpu.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -63,6 +63,12 @@ struct cpuhp_cpu_state {
+
+ static DEFINE_PER_CPU(struct cpuhp_cpu_state, cpuhp_state);
+
++#if defined(CONFIG_LOCKDEP) && defined(CONFIG_SMP)
++static struct lock_class_key cpuhp_state_key;
++static struct lockdep_map cpuhp_state_lock_map =
++ STATIC_LOCKDEP_MAP_INIT("cpuhp_state", &cpuhp_state_key);
++#endif
++
+ /**
+ * cpuhp_step - Hotplug state machine step
+ * @name: Name of the step
+@@ -563,6 +569,7 @@ static void cpuhp_thread_fun(unsigned in
+
+ st->should_run = false;
+
++ lock_map_acquire(&cpuhp_state_lock_map);
+ /* Single callback invocation for [un]install ? */
+ if (st->single) {
+ if (st->cb_state < CPUHP_AP_ONLINE) {
+@@ -594,6 +601,7 @@ static void cpuhp_thread_fun(unsigned in
+ else if (st->state > st->target)
+ ret = cpuhp_ap_offline(cpu, st);
+ }
++ lock_map_release(&cpuhp_state_lock_map);
+ st->result = ret;
+ complete(&st->done);
+ }
+@@ -608,6 +616,9 @@ cpuhp_invoke_ap_callback(int cpu, enum c
+ if (!cpu_online(cpu))
+ return 0;
+
++ lock_map_acquire(&cpuhp_state_lock_map);
++ lock_map_release(&cpuhp_state_lock_map);
++
+ /*
+ * If we are up and running, use the hotplug thread. For early calls
+ * we invoke the thread function directly.
+@@ -651,6 +662,8 @@ static int cpuhp_kick_ap_work(unsigned i
+ enum cpuhp_state state = st->state;
+
+ trace_cpuhp_enter(cpu, st->target, state, cpuhp_kick_ap_work);
++ lock_map_acquire(&cpuhp_state_lock_map);
++ lock_map_release(&cpuhp_state_lock_map);
+ __cpuhp_kick_ap_work(st);
+ wait_for_completion(&st->done);
+ trace_cpuhp_exit(cpu, st->state, state, st->result);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+Date: Sun, 11 Jun 2017 14:28:54 +0200
+Subject: cpuidle: dt: Add missing 'of_node_put()'
+
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit b2cdd8e1b54849477a32d820acc2e87828a38f3d ]
+
+'of_node_put()' should be called on pointer returned by
+'of_parse_phandle()' when done. In this function this is done in all path
+except this 'continue', so add it.
+
+Fixes: 97735da074fd (drivers: cpuidle: Add status property to ARM idle states)
+Signed-off-by: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpuidle/dt_idle_states.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/cpuidle/dt_idle_states.c
++++ b/drivers/cpuidle/dt_idle_states.c
+@@ -174,8 +174,10 @@ int dt_init_idle_driver(struct cpuidle_d
+ if (!state_node)
+ break;
+
+- if (!of_device_is_available(state_node))
++ if (!of_device_is_available(state_node)) {
++ of_node_put(state_node);
+ continue;
++ }
+
+ if (!idle_state_valid(state_node, i, cpumask)) {
+ pr_warn("%s idle state not valid, bailing out\n",
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Tero Kristo <t-kristo@ti.com>
+Date: Wed, 24 May 2017 10:35:32 +0300
+Subject: crypto: omap-sham - buffer handling fixes for hashing later
+
+From: Tero Kristo <t-kristo@ti.com>
+
+
+[ Upstream commit 5d78d57ede8f9e7f656c610ed25be7be337e0529 ]
+
+Currently, the hash later code only handles the cases when we have
+either new data coming in with the request or old data in the buffer,
+but not the combination when we have both. Fix this by changing the
+ordering of the code a bit and handling both cases properly
+simultaneously if needed. Also, fix an issue with omap_sham_update
+that surfaces with this fix, so that the code checks the bufcnt
+instead of total data amount against buffer length to avoid any
+buffer overflows.
+
+Signed-off-by: Tero Kristo <t-kristo@ti.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/omap-sham.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/drivers/crypto/omap-sham.c
++++ b/drivers/crypto/omap-sham.c
+@@ -873,14 +873,21 @@ static int omap_sham_prepare_request(str
+ }
+
+ if (hash_later) {
+- if (req->nbytes) {
+- scatterwalk_map_and_copy(rctx->buffer, req->src,
+- req->nbytes - hash_later,
+- hash_later, 0);
+- } else {
++ int offset = 0;
++
++ if (hash_later > req->nbytes) {
+ memcpy(rctx->buffer, rctx->buffer + xmit_len,
+- hash_later);
++ hash_later - req->nbytes);
++ offset = hash_later - req->nbytes;
++ }
++
++ if (req->nbytes) {
++ scatterwalk_map_and_copy(rctx->buffer + offset,
++ req->src,
++ offset + req->nbytes -
++ hash_later, hash_later, 0);
+ }
++
+ rctx->bufcnt = hash_later;
+ } else {
+ rctx->bufcnt = 0;
+@@ -1189,11 +1196,10 @@ static int omap_sham_update(struct ahash
+ if (!req->nbytes)
+ return 0;
+
+- if (ctx->total + req->nbytes < ctx->buflen) {
++ if (ctx->bufcnt + req->nbytes <= ctx->buflen) {
+ scatterwalk_map_and_copy(ctx->buffer + ctx->bufcnt, req->src,
+ 0, req->nbytes, 0);
+ ctx->bufcnt += req->nbytes;
+- ctx->total += req->nbytes;
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Tero Kristo <t-kristo@ti.com>
+Date: Wed, 24 May 2017 10:35:33 +0300
+Subject: crypto: omap-sham - fix closing of hash with separate finalize call
+
+From: Tero Kristo <t-kristo@ti.com>
+
+
+[ Upstream commit 898d86a565925f09de3d0b30cf3b47ec2e409680 ]
+
+Currently there is an interesting corner case failure with omap-sham
+driver, if the finalize call is done separately with no data, but
+all previous data has already been processed. In this case, it is not
+possible to close the hash with the hardware without providing any data,
+so we get incorrect results. Fix this by adjusting the size of data
+sent to the hardware crypto engine in case the non-final data size falls
+on the block size boundary, by reducing the amount of data sent by one
+full block. This makes it sure that we always have some data available
+for the finalize call and we can close the hash properly.
+
+Signed-off-by: Tero Kristo <t-kristo@ti.com>
+Reported-by: Aparna Balasubramanian <aparnab@ti.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/omap-sham.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/omap-sham.c
++++ b/drivers/crypto/omap-sham.c
+@@ -750,7 +750,10 @@ static int omap_sham_align_sgs(struct sc
+ if (final)
+ new_len = DIV_ROUND_UP(new_len, bs) * bs;
+ else
+- new_len = new_len / bs * bs;
++ new_len = (new_len - 1) / bs * bs;
++
++ if (nbytes != new_len)
++ list_ok = false;
+
+ while (nbytes > 0 && sg_tmp) {
+ n++;
+@@ -846,6 +849,8 @@ static int omap_sham_prepare_request(str
+ xmit_len = DIV_ROUND_UP(xmit_len, bs) * bs;
+ else
+ xmit_len = xmit_len / bs * bs;
++ } else if (!final) {
++ xmit_len -= bs;
+ }
+
+ hash_later = rctx->total - xmit_len;
+@@ -1137,7 +1142,7 @@ retry:
+ ctx = ahash_request_ctx(req);
+
+ err = omap_sham_prepare_request(req, ctx->op == OP_UPDATE);
+- if (err)
++ if (err || !ctx->total)
+ goto err1;
+
+ dev_dbg(dd->dev, "handling new req, op: %lu, nbytes: %d\n",
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 10:06:36 -0300
+Subject: [media] cx25840: fix unchecked return values
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 35378ce143071c2a6bad4b59a000e9b9f8f6ea67 ]
+
+In functions cx25840_initialize(), cx231xx_initialize(), and
+cx23885_initialize(), the return value of create_singlethread_workqueue()
+is used without validation. This may result in NULL dereference and cause
+kernel crash. This patch fixes it.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/cx25840/cx25840-core.c | 36 ++++++++++++++++++-------------
+ 1 file changed, 21 insertions(+), 15 deletions(-)
+
+--- a/drivers/media/i2c/cx25840/cx25840-core.c
++++ b/drivers/media/i2c/cx25840/cx25840-core.c
+@@ -420,11 +420,13 @@ static void cx25840_initialize(struct i2
+ INIT_WORK(&state->fw_work, cx25840_work_handler);
+ init_waitqueue_head(&state->fw_wait);
+ q = create_singlethread_workqueue("cx25840_fw");
+- prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
+- queue_work(q, &state->fw_work);
+- schedule();
+- finish_wait(&state->fw_wait, &wait);
+- destroy_workqueue(q);
++ if (q) {
++ prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
++ queue_work(q, &state->fw_work);
++ schedule();
++ finish_wait(&state->fw_wait, &wait);
++ destroy_workqueue(q);
++ }
+
+ /* 6. */
+ cx25840_write(client, 0x115, 0x8c);
+@@ -634,11 +636,13 @@ static void cx23885_initialize(struct i2
+ INIT_WORK(&state->fw_work, cx25840_work_handler);
+ init_waitqueue_head(&state->fw_wait);
+ q = create_singlethread_workqueue("cx25840_fw");
+- prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
+- queue_work(q, &state->fw_work);
+- schedule();
+- finish_wait(&state->fw_wait, &wait);
+- destroy_workqueue(q);
++ if (q) {
++ prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
++ queue_work(q, &state->fw_work);
++ schedule();
++ finish_wait(&state->fw_wait, &wait);
++ destroy_workqueue(q);
++ }
+
+ /* Call the cx23888 specific std setup func, we no longer rely on
+ * the generic cx24840 func.
+@@ -752,11 +756,13 @@ static void cx231xx_initialize(struct i2
+ INIT_WORK(&state->fw_work, cx25840_work_handler);
+ init_waitqueue_head(&state->fw_wait);
+ q = create_singlethread_workqueue("cx25840_fw");
+- prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
+- queue_work(q, &state->fw_work);
+- schedule();
+- finish_wait(&state->fw_wait, &wait);
+- destroy_workqueue(q);
++ if (q) {
++ prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
++ queue_work(q, &state->fw_work);
++ schedule();
++ finish_wait(&state->fw_wait, &wait);
++ destroy_workqueue(q);
++ }
+
+ cx25840_std_setup(client);
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Ganesh Goudar <ganeshgr@chelsio.com>
+Date: Wed, 31 May 2017 19:10:21 +0530
+Subject: cxgb4: fix incorrect cim_la output for T6
+
+From: Ganesh Goudar <ganeshgr@chelsio.com>
+
+
+[ Upstream commit a97051f4553551d13e586ab3cb6ae13093a44a81 ]
+
+take care of UpDbgLaRdPtr[0-3] restriction for T6.
+
+Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
+@@ -8088,7 +8088,16 @@ int t4_cim_read_la(struct adapter *adap,
+ ret = t4_cim_read(adap, UP_UP_DBG_LA_DATA_A, 1, &la_buf[i]);
+ if (ret)
+ break;
+- idx = (idx + 1) & UPDBGLARDPTR_M;
++
++ /* Bits 0-3 of UpDbgLaRdPtr can be between 0000 to 1001 to
++ * identify the 32-bit portion of the full 312-bit data
++ */
++ if (is_t6(adap->params.chip) && (idx & 0xf) >= 9)
++ idx = (idx & 0xff0) + 0x10;
++ else
++ idx++;
++ /* address can't exceed 0xfff */
++ idx &= UPDBGLARDPTR_M;
+ }
+ restart:
+ if (cfg & UPDBGLAEN_F) {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Arjun Vynipadath <arjun@chelsio.com>
+Date: Tue, 30 May 2017 13:30:24 +0530
+Subject: cxgb4: Fix netdev_features flag
+
+From: Arjun Vynipadath <arjun@chelsio.com>
+
+
+[ Upstream commit 90592b9a35836bacd34d92a3aba7958756b6a7c0 ]
+
+GRO is not supported by Chelsio HW when rx_csum is disabled.
+Update the netdev features flag when rx_csum is modified.
+
+Signed-off-by: Arjun Vynipadath <arjun@chelsio.com>
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -2742,6 +2742,16 @@ static int cxgb_setup_tc(struct net_devi
+ return -EOPNOTSUPP;
+ }
+
++static netdev_features_t cxgb_fix_features(struct net_device *dev,
++ netdev_features_t features)
++{
++ /* Disable GRO, if RX_CSUM is disabled */
++ if (!(features & NETIF_F_RXCSUM))
++ features &= ~NETIF_F_GRO;
++
++ return features;
++}
++
+ static const struct net_device_ops cxgb4_netdev_ops = {
+ .ndo_open = cxgb_open,
+ .ndo_stop = cxgb_close,
+@@ -2766,6 +2776,7 @@ static const struct net_device_ops cxgb4
+ #endif
+ .ndo_set_tx_maxrate = cxgb_set_tx_maxrate,
+ .ndo_setup_tc = cxgb_setup_tc,
++ .ndo_fix_features = cxgb_fix_features,
+ };
+
+ #ifdef CONFIG_PCI_IOV
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Arjun Vynipadath <arjun@chelsio.com>
+Date: Tue, 30 May 2017 18:06:06 +0530
+Subject: cxgb4: FW upgrade fixes
+
+From: Arjun Vynipadath <arjun@chelsio.com>
+
+
+[ Upstream commit 26747211486c5bc7dd014c3caab206576e00c0d0 ]
+
+Disable FW_OK flag while flashing Firmware. This will help to fix any
+potential mailbox timeouts during Firmware flash.
+
+Grab new devlog parameters after Firmware restart. When we FLASH new
+Firmware onto an adapter, the new Firmware may have the Firmware Device Log
+located at a different memory address or have a different size for it.
+
+Signed-off-by: Arjun Vynipadath <arjun@chelsio.com>
+Signed-off-by: Casey Leedom <leedom@chelsio.com>
+Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
+@@ -6185,13 +6185,18 @@ int t4_fw_upgrade(struct adapter *adap,
+ if (!t4_fw_matches_chip(adap, fw_hdr))
+ return -EINVAL;
+
++ /* Disable FW_OK flag so that mbox commands with FW_OK flag set
++ * wont be sent when we are flashing FW.
++ */
++ adap->flags &= ~FW_OK;
++
+ ret = t4_fw_halt(adap, mbox, force);
+ if (ret < 0 && !force)
+- return ret;
++ goto out;
+
+ ret = t4_load_fw(adap, fw_data, size);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+ /*
+ * Older versions of the firmware don't understand the new
+@@ -6202,7 +6207,17 @@ int t4_fw_upgrade(struct adapter *adap,
+ * its header flags to see if it advertises the capability.
+ */
+ reset = ((be32_to_cpu(fw_hdr->flags) & FW_HDR_FLAGS_RESET_HALT) == 0);
+- return t4_fw_restart(adap, mbox, reset);
++ ret = t4_fw_restart(adap, mbox, reset);
++
++ /* Grab potentially new Firmware Device Log parameters so we can see
++ * how healthy the new Firmware is. It's okay to contact the new
++ * Firmware for these parameters even though, as far as it's
++ * concerned, we've never said "HELLO" to it ...
++ */
++ (void)t4_init_devlog_params(adap);
++out:
++ adap->flags |= FW_OK;
++ return ret;
+ }
+
+ /**
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Arjun Vynipadath <arjun@chelsio.com>
+Date: Wed, 10 Jan 2018 12:02:13 +0530
+Subject: cxgb4vf: Fix SGE FL buffer initialization logic for 64K pages
+
+From: Arjun Vynipadath <arjun@chelsio.com>
+
+
+[ Upstream commit ea0a42109aee7b92e631c4eb3f2219fadf58acdd ]
+
+We'd come in with SGE_FL_BUFFER_SIZE[0] and [1] both equal to 64KB and
+the extant logic would flag that as an error. This was already fixed in
+cxgb4 driver with "92ddcc7 cxgb4: Fix some small bugs in
+t4_sge_init_soft() when our Page Size is 64KB".
+
+Original Work by: Casey Leedom <leedom@chelsio.com>
+Signed-off-by: Arjun Vynipadath <arjun@chelsio.com>
+Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4vf/sge.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4vf/sge.c
++++ b/drivers/net/ethernet/chelsio/cxgb4vf/sge.c
+@@ -2616,8 +2616,8 @@ void t4vf_sge_stop(struct adapter *adapt
+ int t4vf_sge_init(struct adapter *adapter)
+ {
+ struct sge_params *sge_params = &adapter->params.sge;
+- u32 fl0 = sge_params->sge_fl_buffer_size[0];
+- u32 fl1 = sge_params->sge_fl_buffer_size[1];
++ u32 fl_small_pg = sge_params->sge_fl_buffer_size[0];
++ u32 fl_large_pg = sge_params->sge_fl_buffer_size[1];
+ struct sge *s = &adapter->sge;
+
+ /*
+@@ -2625,9 +2625,20 @@ int t4vf_sge_init(struct adapter *adapte
+ * the Physical Function Driver. Ideally we should be able to deal
+ * with _any_ configuration. Practice is different ...
+ */
+- if (fl0 != PAGE_SIZE || (fl1 != 0 && fl1 <= fl0)) {
++
++ /* We only bother using the Large Page logic if the Large Page Buffer
++ * is larger than our Page Size Buffer.
++ */
++ if (fl_large_pg <= fl_small_pg)
++ fl_large_pg = 0;
++
++ /* The Page Size Buffer must be exactly equal to our Page Size and the
++ * Large Page Size Buffer should be 0 (per above) or a power of 2.
++ */
++ if (fl_small_pg != PAGE_SIZE ||
++ (fl_large_pg & (fl_large_pg - 1)) != 0) {
+ dev_err(adapter->pdev_dev, "bad SGE FL buffer sizes [%d, %d]\n",
+- fl0, fl1);
++ fl_small_pg, fl_large_pg);
+ return -EINVAL;
+ }
+ if ((sge_params->sge_control & RXPKTCPLMODE_F) !=
+@@ -2639,8 +2650,8 @@ int t4vf_sge_init(struct adapter *adapte
+ /*
+ * Now translate the adapter parameters into our internal forms.
+ */
+- if (fl1)
+- s->fl_pg_order = ilog2(fl1) - PAGE_SHIFT;
++ if (fl_large_pg)
++ s->fl_pg_order = ilog2(fl_large_pg) - PAGE_SHIFT;
+ s->stat_len = ((sge_params->sge_control & EGRSTATUSPAGESIZE_F)
+ ? 128 : 64);
+ s->pktshift = PKTSHIFT_G(sge_params->sge_control);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 5 May 2017 08:34:58 +0300
+Subject: cxl: Unlock on error in probe
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 58d876fa7181f2f393190c1d32c056b5a9d34aa2 ]
+
+We should unlock if get_cxl_adapter() fails.
+
+Fixes: 594ff7d067ca ("cxl: Support to flash a new image on the adapter from a guest")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/cxl/flash.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/cxl/flash.c
++++ b/drivers/misc/cxl/flash.c
+@@ -401,8 +401,10 @@ static int device_open(struct inode *ino
+ if (down_interruptible(&sem) != 0)
+ return -EPERM;
+
+- if (!(adapter = get_cxl_adapter(adapter_num)))
+- return -ENODEV;
++ if (!(adapter = get_cxl_adapter(adapter_num))) {
++ rc = -ENODEV;
++ goto err_unlock;
++ }
+
+ file->private_data = adapter;
+ continue_token = 0;
+@@ -446,6 +448,8 @@ err1:
+ free_page((unsigned long) le);
+ err:
+ put_device(&adapter->dev);
++err_unlock:
++ up(&sem);
+
+ return rc;
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Wed, 24 May 2017 12:09:53 +0530
+Subject: dmaengine: imx-sdma: Handle return value of clk_prepare_enable
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+
+[ Upstream commit fb9caf370f4d0457789d13a1a1b110a8db846e5e ]
+
+clk_prepare_enable() can fail here and we must check its return value.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/imx-sdma.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/drivers/dma/imx-sdma.c
++++ b/drivers/dma/imx-sdma.c
+@@ -1755,19 +1755,26 @@ static int sdma_probe(struct platform_de
+ if (IS_ERR(sdma->clk_ahb))
+ return PTR_ERR(sdma->clk_ahb);
+
+- clk_prepare(sdma->clk_ipg);
+- clk_prepare(sdma->clk_ahb);
++ ret = clk_prepare(sdma->clk_ipg);
++ if (ret)
++ return ret;
++
++ ret = clk_prepare(sdma->clk_ahb);
++ if (ret)
++ goto err_clk;
+
+ ret = devm_request_irq(&pdev->dev, irq, sdma_int_handler, 0, "sdma",
+ sdma);
+ if (ret)
+- return ret;
++ goto err_irq;
+
+ sdma->irq = irq;
+
+ sdma->script_addrs = kzalloc(sizeof(*sdma->script_addrs), GFP_KERNEL);
+- if (!sdma->script_addrs)
+- return -ENOMEM;
++ if (!sdma->script_addrs) {
++ ret = -ENOMEM;
++ goto err_irq;
++ }
+
+ /* initially no scripts available */
+ saddr_arr = (s32 *)sdma->script_addrs;
+@@ -1882,6 +1889,10 @@ err_register:
+ dma_async_device_unregister(&sdma->dma_device);
+ err_init:
+ kfree(sdma->script_addrs);
++err_irq:
++ clk_unprepare(sdma->clk_ahb);
++err_clk:
++ clk_unprepare(sdma->clk_ipg);
+ return ret;
+ }
+
+@@ -1893,6 +1904,8 @@ static int sdma_remove(struct platform_d
+ devm_free_irq(&pdev->dev, sdma->irq, sdma);
+ dma_async_device_unregister(&sdma->dma_device);
+ kfree(sdma->script_addrs);
++ clk_unprepare(sdma->clk_ahb);
++ clk_unprepare(sdma->clk_ipg);
+ /* Kill the tasklet */
+ for (i = 0; i < MAX_DMA_CHANNELS; i++) {
+ struct sdma_channel *sdmac = &sdma->channel[i];
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 8 May 2017 15:55:14 -0700
+Subject: drivers/misc/vmw_vmci/vmci_queue_pair.c: fix a couple integer overflow tests
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 146180c052a00172f4dc08eaade836fd02f61fb5 ]
+
+The "DIV_ROUND_UP(size, PAGE_SIZE)" operation can overflow if "size" is
+more than ULLONG_MAX - PAGE_SIZE.
+
+Link: http://lkml.kernel.org/r/20170322111950.GA11279@mwanda
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Jorgen Hansen <jhansen@vmware.com>
+Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/vmw_vmci/vmci_queue_pair.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
+@@ -298,8 +298,11 @@ static void *qp_alloc_queue(u64 size, u3
+ size_t pas_size;
+ size_t vas_size;
+ size_t queue_size = sizeof(*queue) + sizeof(*queue->kernel_if);
+- const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
++ u64 num_pages;
+
++ if (size > SIZE_MAX - PAGE_SIZE)
++ return NULL;
++ num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
+ if (num_pages >
+ (SIZE_MAX - queue_size) /
+ (sizeof(*queue->kernel_if->u.g.pas) +
+@@ -624,9 +627,12 @@ static struct vmci_queue *qp_host_alloc_
+ {
+ struct vmci_queue *queue;
+ size_t queue_page_size;
+- const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
++ u64 num_pages;
+ const size_t queue_size = sizeof(*queue) + sizeof(*(queue->kernel_if));
+
++ if (size > SIZE_MAX - PAGE_SIZE)
++ return NULL;
++ num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
+ if (num_pages > (SIZE_MAX - queue_size) /
+ sizeof(*queue->kernel_if->u.h.page))
+ return NULL;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 14 Jun 2017 13:58:53 +0300
+Subject: drm/amdkfd: NULL dereference involving create_process()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit b312b2b25b6ac9e2eb03f4ca651b33108752de3a ]
+
+We accidentally return ERR_PTR(0) which is NULL. The caller is not
+expecting that and it leads to an Oops.
+
+Fixes: dd59239a9862 ("amdkfd: init aperture once per process")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_process.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+@@ -317,7 +317,8 @@ static struct kfd_process *create_proces
+
+ /* init process apertures*/
+ process->is_32bit_user_mode = in_compat_syscall();
+- if (kfd_init_apertures(process) != 0)
++ err = kfd_init_apertures(process);
++ if (err != 0)
+ goto err_init_apretures;
+
+ return process;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Jordan Crouse <jcrouse@codeaurora.org>
+Date: Mon, 8 May 2017 14:34:57 -0600
+Subject: drm/msm: Take the mutex before calling msm_gem_new_impl
+
+From: Jordan Crouse <jcrouse@codeaurora.org>
+
+
+[ Upstream commit 90dd57de4a043f642179b1323a31ca3ced826611 ]
+
+Amongst its other duties, msm_gem_new_impl adds the newly created
+GEM object to the shared inactive list which may also be actively
+modifiying the list during submission. All the paths to modify
+the list are protected by the mutex except for the one through
+msm_gem_import which can end up causing list corruption.
+
+Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
+[add extra WARN_ON(!mutex_is_locked(&dev->struct_mutex))]
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_gem.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/msm/msm_gem.c
++++ b/drivers/gpu/drm/msm/msm_gem.c
+@@ -770,6 +770,8 @@ static int msm_gem_new_impl(struct drm_d
+ unsigned sz;
+ bool use_vram = false;
+
++ WARN_ON(!mutex_is_locked(&dev->struct_mutex));
++
+ switch (flags & MSM_BO_CACHE_MASK) {
+ case MSM_BO_UNCACHED:
+ case MSM_BO_CACHED:
+@@ -863,7 +865,11 @@ struct drm_gem_object *msm_gem_import(st
+
+ size = PAGE_ALIGN(dmabuf->size);
+
++ /* Take mutex so we can modify the inactive list in msm_gem_new_impl */
++ mutex_lock(&dev->struct_mutex);
+ ret = msm_gem_new_impl(dev, size, MSM_BO_WC, dmabuf->resv, &obj);
++ mutex_unlock(&dev->struct_mutex);
++
+ if (ret)
+ goto fail;
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Date: Thu, 18 May 2017 11:51:51 +0300
+Subject: drm/omap: fix tiled buffer stride calculations
+
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+
+
+[ Upstream commit cc8dd7661ccc2d8dc88921da8e6cc7c2fcdb0341 ]
+
+omap_gem uses page alignment for buffer stride. The related calculations
+are a bit off, though, as byte stride of 4096 gets aligned to 8192,
+instead of 4096.
+
+This patch changes the code to use DIV_ROUND_UP(), which fixes those
+calculations and makes them more readable.
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/omap_gem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/omapdrm/omap_gem.c
++++ b/drivers/gpu/drm/omapdrm/omap_gem.c
+@@ -195,7 +195,7 @@ static void evict_entry(struct drm_gem_o
+ size_t size = PAGE_SIZE * n;
+ loff_t off = mmap_offset(obj) +
+ (entry->obj_pgoff << PAGE_SHIFT);
+- const int m = 1 + ((omap_obj->width << fmt) / PAGE_SIZE);
++ const int m = DIV_ROUND_UP(omap_obj->width << fmt, PAGE_SIZE);
+
+ if (m > 1) {
+ int i;
+@@ -442,7 +442,7 @@ static int fault_2d(struct drm_gem_objec
+ * into account in some of the math, so figure out virtual stride
+ * in pages
+ */
+- const int m = 1 + ((omap_obj->width << fmt) / PAGE_SIZE);
++ const int m = DIV_ROUND_UP(omap_obj->width << fmt, PAGE_SIZE);
+
+ /* We don't use vmf->pgoff since that has the fake offset: */
+ pgoff = ((unsigned long)vmf->virtual_address -
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+Date: Sat, 27 May 2017 18:09:32 +0200
+Subject: drm/sun4i: Ignore the generic connectors for components
+
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+
+
+[ Upstream commit 49baeb074783f5bdf770dc9fac5fbb2837190583 ]
+
+The generic connectors such as hdmi-connector doesn't have any driver in,
+so if they are added to the component list, we will be waiting forever for
+a non-existing driver to probe.
+
+Add a list of the connectors we want to ignore when building our component
+list.
+
+Reviewed-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/sun4i/sun4i_drv.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/gpu/drm/sun4i/sun4i_drv.c
++++ b/drivers/gpu/drm/sun4i/sun4i_drv.c
+@@ -212,6 +212,11 @@ static const struct component_master_ops
+ .unbind = sun4i_drv_unbind,
+ };
+
++static bool sun4i_drv_node_is_connector(struct device_node *node)
++{
++ return of_device_is_compatible(node, "hdmi-connector");
++}
++
+ static bool sun4i_drv_node_is_frontend(struct device_node *node)
+ {
+ return of_device_is_compatible(node, "allwinner,sun5i-a13-display-frontend") ||
+@@ -252,6 +257,13 @@ static int sun4i_drv_add_endpoints(struc
+ !of_device_is_available(node))
+ return 0;
+
++ /*
++ * The connectors will be the last nodes in our pipeline, we
++ * can just bail out.
++ */
++ if (sun4i_drv_node_is_connector(node))
++ return 0;
++
+ if (!sun4i_drv_node_is_frontend(node)) {
+ /* Add current component */
+ DRM_DEBUG_DRIVER("Adding component %s\n",
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Fri, 12 May 2017 14:38:03 +0200
+Subject: drm/vc4: Fix resource leak in 'vc4_get_hang_state_ioctl()' in error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit d0b1d259a4b58b21a21ea82d7174bf7ea825e9cc ]
+
+If one 'drm_gem_handle_create()' fails, we leak somes handles and some
+memory.
+
+In order to fix it:
+ - move the 'free(bo_state)' at the end of the function so that it is also
+ called in the eror handling path. This has the side effect to also try
+ to free it if the first 'kcalloc' fails. This is harmless.
+ - add a new label, err_delete_handle, in order to delete already
+ allocated handles in error handling path
+ - remove the now useless 'err' label
+
+The way the code is now written will also delete the handles if the
+'copy_to_user()' call fails.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Link: http://patchwork.freedesktop.org/patch/msgid/20170512123803.1886-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -110,8 +110,8 @@ vc4_get_hang_state_ioctl(struct drm_devi
+ &handle);
+
+ if (ret) {
+- state->bo_count = i - 1;
+- goto err;
++ state->bo_count = i;
++ goto err_delete_handle;
+ }
+ bo_state[i].handle = handle;
+ bo_state[i].paddr = vc4_bo->base.paddr;
+@@ -123,13 +123,16 @@ vc4_get_hang_state_ioctl(struct drm_devi
+ state->bo_count * sizeof(*bo_state)))
+ ret = -EFAULT;
+
+- kfree(bo_state);
++err_delete_handle:
++ if (ret) {
++ for (i = 0; i < state->bo_count; i++)
++ drm_gem_handle_delete(file_priv, bo_state[i].handle);
++ }
+
+ err_free:
+-
+ vc4_free_hang_state(dev, kernel_state);
++ kfree(bo_state);
+
+-err:
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+Date: Sat, 27 May 2017 18:09:34 +0200
+Subject: dt-bindings: display: sun4i: Add allwinner,tcon-channel property
+
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+
+
+[ Upstream commit 22662f12768f971809b478386d9cc4947d00497a ]
+
+The Allwinner Timings Controller has two, mutually exclusive, channels.
+When the binding has been introduced, it was assumed that there would be
+only a single user per channel in the system.
+
+While this is likely for the channel 0 which only connects to LCD displays,
+it turns out that the channel 1 can be connected to multiple controllers in
+the SoC (HDMI and TV encoders for example). And while the simultaneous use
+of HDMI and TV outputs cannot be achieved, switching from one to the other
+at runtime definitely sounds plausible.
+
+Add an extra property, allwinner,tcon-channel, to specify for a given
+endpoint which TCON channel it is connected to, while falling back to the
+previous mechanism if that property is missing.
+
+Acked-by: Chen-Yu Tsai <wens@csie.org>
+Acked-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/display/sunxi/sun4i-drm.txt | 11 ++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/Documentation/devicetree/bindings/display/sunxi/sun4i-drm.txt
++++ b/Documentation/devicetree/bindings/display/sunxi/sun4i-drm.txt
+@@ -47,10 +47,13 @@ Required properties:
+ Documentation/devicetree/bindings/media/video-interfaces.txt. The
+ first port should be the input endpoint, the second one the output
+
+- The output should have two endpoints. The first is the block
+- connected to the TCON channel 0 (usually a panel or a bridge), the
+- second the block connected to the TCON channel 1 (usually the TV
+- encoder)
++ The output may have multiple endpoints. The TCON has two channels,
++ usually with the first channel being used for the panels interfaces
++ (RGB, LVDS, etc.), and the second being used for the outputs that
++ require another controller (TV Encoder, HDMI, etc.). The endpoints
++ will take an extra property, allwinner,tcon-channel, to specify the
++ channel the endpoint is associated to. If that property is not
++ present, the endpoint number will be used as the channel number.
+
+ On SoCs other than the A33, there is one more clock required:
+ - 'tcon-ch1': The clock driving the TCON channel 1
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Jacob Keller <jacob.e.keller@intel.com>
+Date: Wed, 3 May 2017 10:28:50 -0700
+Subject: e1000e: fix race condition around skb_tstamp_tx()
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+
+[ Upstream commit 5012863b7347866764c4a4e58b62fb05346b0d06 ]
+
+The e1000e driver and related hardware has a limitation on Tx PTP
+packets which requires we limit to timestamping a single packet at once.
+We do this by verifying that we never request a new Tx timestamp while
+we still have a tx_hwtstamp_skb pointer.
+
+Unfortunately the driver suffers from a race condition around this. The
+tx_hwtstamp_skb pointer is not set to NULL until after skb_tstamp_tx()
+is called. This function notifies the stack and applications of a new
+timestamp. Even a well behaved application that only sends a new request
+when the first one is finished might be woken up and possibly send
+a packet before we can free the timestamp in the driver again. The
+result is that we needlessly ignore some Tx timestamp requests in this
+corner case.
+
+Fix this by assigning the tx_hwtstamp_skb pointer prior to calling
+skb_tstamp_tx() and use a temporary pointer to hold the timestamped skb
+until that function finishes. This ensures that the application is not
+woken up until the driver is ready to begin timestamping a new packet.
+
+This ensures that well behaved applications do not accidentally race
+with condition to skip Tx timestamps. Obviously an application which
+sends multiple Tx timestamp requests at once will still only timestamp
+one packet at a time. Unfortunately there is nothing we can do about
+this.
+
+Reported-by: David Mirabito <davidm@metamako.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -1182,6 +1182,7 @@ static void e1000e_tx_hwtstamp_work(stru
+ struct e1000_hw *hw = &adapter->hw;
+
+ if (er32(TSYNCTXCTL) & E1000_TSYNCTXCTL_VALID) {
++ struct sk_buff *skb = adapter->tx_hwtstamp_skb;
+ struct skb_shared_hwtstamps shhwtstamps;
+ u64 txstmp;
+
+@@ -1190,9 +1191,14 @@ static void e1000e_tx_hwtstamp_work(stru
+
+ e1000e_systim_to_hwtstamp(adapter, &shhwtstamps, txstmp);
+
+- skb_tstamp_tx(adapter->tx_hwtstamp_skb, &shhwtstamps);
+- dev_kfree_skb_any(adapter->tx_hwtstamp_skb);
++ /* Clear the global tx_hwtstamp_skb pointer and force writes
++ * prior to notifying the stack of a Tx timestamp.
++ */
+ adapter->tx_hwtstamp_skb = NULL;
++ wmb(); /* force write prior to skb_tstamp_tx */
++
++ skb_tstamp_tx(skb, &shhwtstamps);
++ dev_kfree_skb_any(skb);
+ } else if (time_after(jiffies, adapter->tx_hwtstamp_start
+ + adapter->tx_timeout_factor * HZ)) {
+ dev_kfree_skb_any(adapter->tx_hwtstamp_skb);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Wed, 31 May 2017 18:50:43 +0300
+Subject: e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+
+[ Upstream commit 833521ebc65b1c3092e5c0d8a97092f98eec595d ]
+
+An error during suspend (e100e_pm_suspend),
+
+[ 429.994338] ACPI : EC: event blocked
+[ 429.994633] e1000e: EEE TX LPI TIMER: 00000011
+[ 430.955451] pci_pm_suspend(): e1000e_pm_suspend+0x0/0x30 [e1000e] returns -2
+[ 430.955454] dpm_run_callback(): pci_pm_suspend+0x0/0x140 returns -2
+[ 430.955458] PM: Device 0000:00:19.0 failed to suspend async: error -2
+[ 430.955581] PM: Some devices failed to suspend, or early wake event detected
+[ 430.957709] ACPI : EC: event unblocked
+
+lead to complete failure:
+
+[ 432.585002] ------------[ cut here ]------------
+[ 432.585013] WARNING: CPU: 3 PID: 8372 at kernel/irq/manage.c:1478 __free_irq+0x9f/0x280
+[ 432.585015] Trying to free already-free IRQ 20
+[ 432.585016] Modules linked in: cdc_ncm usbnet x86_pkg_temp_thermal intel_powerclamp coretemp mii crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep lpc_ich snd_hda_core snd_pcm mei_me mei sdhci_pci sdhci i915 mmc_core e1000e ptp pps_core prime_numbers
+[ 432.585042] CPU: 3 PID: 8372 Comm: kworker/u16:40 Tainted: G U 4.10.0-rc8-CI-Patchwork_3870+ #1
+[ 432.585044] Hardware name: LENOVO 2356GCG/2356GCG, BIOS G7ET31WW (1.13 ) 07/02/2012
+[ 432.585050] Workqueue: events_unbound async_run_entry_fn
+[ 432.585051] Call Trace:
+[ 432.585058] dump_stack+0x67/0x92
+[ 432.585062] __warn+0xc6/0xe0
+[ 432.585065] warn_slowpath_fmt+0x4a/0x50
+[ 432.585070] ? _raw_spin_lock_irqsave+0x49/0x60
+[ 432.585072] __free_irq+0x9f/0x280
+[ 432.585075] free_irq+0x34/0x80
+[ 432.585089] e1000_free_irq+0x65/0x70 [e1000e]
+[ 432.585098] e1000e_pm_freeze+0x7a/0xb0 [e1000e]
+[ 432.585106] e1000e_pm_suspend+0x21/0x30 [e1000e]
+[ 432.585113] pci_pm_suspend+0x71/0x140
+[ 432.585118] dpm_run_callback+0x6f/0x330
+[ 432.585122] ? pci_pm_freeze+0xe0/0xe0
+[ 432.585125] __device_suspend+0xea/0x330
+[ 432.585128] async_suspend+0x1a/0x90
+[ 432.585132] async_run_entry_fn+0x34/0x160
+[ 432.585137] process_one_work+0x1f4/0x6d0
+[ 432.585140] ? process_one_work+0x16e/0x6d0
+[ 432.585143] worker_thread+0x49/0x4a0
+[ 432.585145] kthread+0x107/0x140
+[ 432.585148] ? process_one_work+0x6d0/0x6d0
+[ 432.585150] ? kthread_create_on_node+0x40/0x40
+[ 432.585154] ret_from_fork+0x2e/0x40
+[ 432.585156] ---[ end trace 6712df7f8c4b9124 ]---
+
+The unwind failures stems from commit 2800209994f8 ("e1000e: Refactor PM
+flows"), but it may be a later patch that introduced the non-recoverable
+behaviour.
+
+Fixes: 2800209994f8 ("e1000e: Refactor PM flows")
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99847
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -6651,12 +6651,17 @@ static int e1000e_pm_thaw(struct device
+ static int e1000e_pm_suspend(struct device *dev)
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
++ int rc;
+
+ e1000e_flush_lpic(pdev);
+
+ e1000e_pm_freeze(dev);
+
+- return __e1000_shutdown(pdev, false);
++ rc = __e1000_shutdown(pdev, false);
++ if (rc)
++ e1000e_pm_thaw(dev);
++
++ return rc;
+ }
+
+ static int e1000e_pm_resume(struct device *dev)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 7 Jan 2018 21:54:00 +0100
+Subject: EDAC, mv64x60: Fix an error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 68fa24f9121c04ef146b5158f538c8b32f285be5 ]
+
+We should not call edac_mc_del_mc() if a corresponding call to
+edac_mc_add_mc() has not been performed yet.
+
+So here, we should go to err instead of err2 to branch at the right
+place of the error handling path.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20180107205400.14068-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/mv64x60_edac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/mv64x60_edac.c
++++ b/drivers/edac/mv64x60_edac.c
+@@ -759,7 +759,7 @@ static int mv64x60_mc_err_probe(struct p
+ /* Non-ECC RAM? */
+ printk(KERN_WARNING "%s: No ECC DIMMs discovered\n", __func__);
+ res = -ENODEV;
+- goto err2;
++ goto err;
+ }
+
+ edac_dbg(3, "init mci\n");
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Eryu Guan <eguan@redhat.com>
+Date: Wed, 24 May 2017 18:02:20 -0400
+Subject: ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff()
+
+From: Eryu Guan <eguan@redhat.com>
+
+
+[ Upstream commit 624327f8794704c5066b11a52f9da6a09dce7f9a ]
+
+ext4_find_unwritten_pgoff() is used to search for offset of hole or
+data in page range [index, end] (both inclusive), and the max number
+of pages to search should be at least one, if end == index.
+Otherwise the only page is missed and no hole or data is found,
+which is not correct.
+
+When block size is smaller than page size, this can be demonstrated
+by preallocating a file with size smaller than page size and writing
+data to the last block. E.g. run this xfs_io command on a 1k block
+size ext4 on x86_64 host.
+
+ # xfs_io -fc "falloc 0 3k" -c "pwrite 2k 1k" \
+ -c "seek -d 0" /mnt/ext4/testfile
+ wrote 1024/1024 bytes at offset 2048
+ 1 KiB, 1 ops; 0.0000 sec (42.459 MiB/sec and 43478.2609 ops/sec)
+ Whence Result
+ DATA EOF
+
+Data at offset 2k was missed, and lseek(2) returned ENXIO.
+
+This is unconvered by generic/285 subtest 07 and 08 on ppc64 host,
+where pagesize is 64k. Because a recent change to generic/285
+reduced the preallocated file size to smaller than 64k.
+
+Signed-off-by: Eryu Guan <eguan@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -429,7 +429,7 @@ static int ext4_find_unwritten_pgoff(str
+ int i, num;
+ unsigned long nr_pages;
+
+- num = min_t(pgoff_t, end - index, PAGEVEC_SIZE);
++ num = min_t(pgoff_t, end - index, PAGEVEC_SIZE - 1) + 1;
+ nr_pages = pagevec_lookup(&pvec, inode->i_mapping, index,
+ (pgoff_t)num);
+ if (nr_pages == 0)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Sun, 21 May 2017 22:35:23 -0400
+Subject: ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+
+[ Upstream commit 9651e6b2e20648d04d5e1fe6479a3056047e8781 ]
+
+I've got another report about breaking ext4 by ENOMEM error returned from
+ext4_mb_load_buddy() caused by memory shortage in memory cgroup.
+This time inside ext4_discard_preallocations().
+
+This patch replaces ext4_error() with ext4_warning() where errors returned
+from ext4_mb_load_buddy() are not fatal and handled by caller:
+* ext4_mb_discard_group_preallocations() - called before generating ENOSPC,
+ we'll try to discard other group or return ENOSPC into user-space.
+* ext4_trim_all_free() - just stop trimming and return ENOMEM from ioctl.
+
+Some callers cannot handle errors, thus __GFP_NOFAIL is used for them:
+* ext4_discard_preallocations()
+* ext4_mb_discard_lg_preallocations()
+
+Fixes: adb7ef600cc9 ("ext4: use __GFP_NOFAIL in ext4_free_blocks()")
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/mballoc.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -3877,7 +3877,8 @@ ext4_mb_discard_group_preallocations(str
+
+ err = ext4_mb_load_buddy(sb, group, &e4b);
+ if (err) {
+- ext4_error(sb, "Error loading buddy information for %u", group);
++ ext4_warning(sb, "Error %d loading buddy information for %u",
++ err, group);
+ put_bh(bitmap_bh);
+ return 0;
+ }
+@@ -4034,10 +4035,11 @@ repeat:
+ BUG_ON(pa->pa_type != MB_INODE_PA);
+ group = ext4_get_group_number(sb, pa->pa_pstart);
+
+- err = ext4_mb_load_buddy(sb, group, &e4b);
++ err = ext4_mb_load_buddy_gfp(sb, group, &e4b,
++ GFP_NOFS|__GFP_NOFAIL);
+ if (err) {
+- ext4_error(sb, "Error loading buddy information for %u",
+- group);
++ ext4_error(sb, "Error %d loading buddy information for %u",
++ err, group);
+ continue;
+ }
+
+@@ -4293,11 +4295,14 @@ ext4_mb_discard_lg_preallocations(struct
+ spin_unlock(&lg->lg_prealloc_lock);
+
+ list_for_each_entry_safe(pa, tmp, &discard_list, u.pa_tmp_list) {
++ int err;
+
+ group = ext4_get_group_number(sb, pa->pa_pstart);
+- if (ext4_mb_load_buddy(sb, group, &e4b)) {
+- ext4_error(sb, "Error loading buddy information for %u",
+- group);
++ err = ext4_mb_load_buddy_gfp(sb, group, &e4b,
++ GFP_NOFS|__GFP_NOFAIL);
++ if (err) {
++ ext4_error(sb, "Error %d loading buddy information for %u",
++ err, group);
+ continue;
+ }
+ ext4_lock_group(sb, group);
+@@ -5117,8 +5122,8 @@ ext4_trim_all_free(struct super_block *s
+
+ ret = ext4_mb_load_buddy(sb, group, &e4b);
+ if (ret) {
+- ext4_error(sb, "Error in loading buddy "
+- "information for %u", group);
++ ext4_warning(sb, "Error %d loading buddy information for %u",
++ ret, group);
+ return ret;
+ }
+ bitmap = e4b.bd_bitmap;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: James Wang <jnwang@suse.com>
+Date: Thu, 8 Jun 2017 14:52:51 +0800
+Subject: Fix loop device flush before configure v3
+
+From: James Wang <jnwang@suse.com>
+
+
+[ Upstream commit 6460495709aeb651896bc8e5c134b2e4ca7d34a8 ]
+
+While installing SLES-12 (based on v4.4), I found that the installer
+will stall for 60+ seconds during LVM disk scan. The root cause was
+determined to be the removal of a bound device check in loop_flush()
+by commit b5dd2f6047ca ("block: loop: improve performance via blk-mq").
+
+Restoring this check, examining ->lo_state as set by loop_set_fd()
+eliminates the bad behavior.
+
+Test method:
+modprobe loop max_loop=64
+dd if=/dev/zero of=disk bs=512 count=200K
+for((i=0;i<4;i++))do losetup -f disk; done
+mkfs.ext4 -F /dev/loop0
+for((i=0;i<4;i++))do mkdir t$i; mount /dev/loop$i t$i;done
+for f in `ls /dev/loop[0-9]*|sort`; do \
+ echo $f; dd if=$f of=/dev/null bs=512 count=1; \
+ done
+
+Test output: stock patched
+/dev/loop0 18.1217e-05 8.3842e-05
+/dev/loop1 6.1114e-05 0.000147979
+/dev/loop10 0.414701 0.000116564
+/dev/loop11 0.7474 6.7942e-05
+/dev/loop12 0.747986 8.9082e-05
+/dev/loop13 0.746532 7.4799e-05
+/dev/loop14 0.480041 9.3926e-05
+/dev/loop15 1.26453 7.2522e-05
+
+Note that from loop10 onward, the device is not mounted, yet the
+stock kernel consumes several orders of magnitude more wall time
+than it does for a mounted device.
+(Thanks for Mike Galbraith <efault@gmx.de>, give a changelog review.)
+
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: James Wang <jnwang@suse.com>
+Fixes: b5dd2f6047ca ("block: loop: improve performance via blk-mq")
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/loop.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -612,6 +612,9 @@ static int loop_switch(struct loop_devic
+ */
+ static int loop_flush(struct loop_device *lo)
+ {
++ /* loop not yet configured, no running thread, nothing to flush */
++ if (lo->lo_state != Lo_bound)
++ return 0;
+ return loop_switch(lo, NULL);
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Michael Schmitz <schmitzmic@gmail.com>
+Date: Sun, 30 Apr 2017 19:49:21 +1200
+Subject: fix race in drivers/char/random.c:get_reg()
+
+From: Michael Schmitz <schmitzmic@gmail.com>
+
+
+[ Upstream commit 9dfa7bba35ac08a63565d58c454dccb7e1bb0a08 ]
+
+get_reg() can be reentered on architectures with prioritized interrupts
+(m68k in this case), causing f->reg_index to be incremented after the
+range check. Out of bounds memory access past the pt_regs struct results.
+This will go mostly undetected unless access is beyond end of memory.
+
+Prevent the race by disabling interrupts in get_reg().
+
+Tested on m68k (Atari Falcon, and ARAnyM emulator).
+
+Kudos to Geert Uytterhoeven for helping to trace this race.
+
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1115,12 +1115,16 @@ static void add_interrupt_bench(cycles_t
+ static __u32 get_reg(struct fast_pool *f, struct pt_regs *regs)
+ {
+ __u32 *ptr = (__u32 *) regs;
++ unsigned long flags;
+
+ if (regs == NULL)
+ return 0;
++ local_irq_save(flags);
+ if (f->reg_idx >= sizeof(struct pt_regs) / sizeof(__u32))
+ f->reg_idx = 0;
+- return *(ptr + f->reg_idx++);
++ ptr += f->reg_idx++;
++ local_irq_restore(flags);
++ return *ptr;
+ }
+
+ void add_interrupt_randomness(int irq, int irq_flags)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Date: Wed, 31 May 2017 22:21:03 +0200
+Subject: Fix serial console on SNI RM400 machines
+
+From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+
+
+[ Upstream commit e279e6d98e0cf2c2fe008b3c29042b92f0e17b1d ]
+
+sccnxp driver doesn't get the correct uart clock rate, if CONFIG_HAVE_CLOCK
+is disabled. Correct usage of clk API to make it work with/without it.
+
+Fixes: 90efa75f7ab0 (serial: sccnxp: Using CLK API for getting UART clock)
+
+Suggested-by: Russell King - ARM Linux <linux@armlinux.org.uk>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sccnxp.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/tty/serial/sccnxp.c
++++ b/drivers/tty/serial/sccnxp.c
+@@ -884,14 +884,19 @@ static int sccnxp_probe(struct platform_
+
+ clk = devm_clk_get(&pdev->dev, NULL);
+ if (IS_ERR(clk)) {
+- if (PTR_ERR(clk) == -EPROBE_DEFER) {
+- ret = -EPROBE_DEFER;
++ ret = PTR_ERR(clk);
++ if (ret == -EPROBE_DEFER)
+ goto err_out;
+- }
++ uartclk = 0;
++ } else {
++ clk_prepare_enable(clk);
++ uartclk = clk_get_rate(clk);
++ }
++
++ if (!uartclk) {
+ dev_notice(&pdev->dev, "Using default clock frequency\n");
+ uartclk = s->chip->freq_std;
+- } else
+- uartclk = clk_get_rate(clk);
++ }
+
+ /* Check input frequency */
+ if ((uartclk < s->chip->freq_min) || (uartclk > s->chip->freq_max)) {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Holger Brunck <holger.brunck@keymile.com>
+Date: Wed, 17 May 2017 17:24:37 +0200
+Subject: fsl/qe: add bit description for SYNL register for GUMR
+
+From: Holger Brunck <holger.brunck@keymile.com>
+
+
+[ Upstream commit c7f235a7c2d09b1b83671ba2d93ebee981554467 ]
+
+Add the bitmask for the two bit SYNL register according to the QUICK
+Engine Reference Manual.
+
+Signed-off-by: Holger Brunck <holger.brunck@keymile.com>
+Cc: Zhao Qiang <qiang.zhao@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/soc/fsl/qe/qe.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/include/soc/fsl/qe/qe.h
++++ b/include/soc/fsl/qe/qe.h
+@@ -668,6 +668,10 @@ struct ucc_slow_pram {
+ #define UCC_FAST_GUMR_CTSS 0x00800000
+ #define UCC_FAST_GUMR_TXSY 0x00020000
+ #define UCC_FAST_GUMR_RSYN 0x00010000
++#define UCC_FAST_GUMR_SYNL_MASK 0x0000C000
++#define UCC_FAST_GUMR_SYNL_16 0x0000C000
++#define UCC_FAST_GUMR_SYNL_8 0x00008000
++#define UCC_FAST_GUMR_SYNL_AUTO 0x00004000
+ #define UCC_FAST_GUMR_RTSM 0x00002000
+ #define UCC_FAST_GUMR_REVD 0x00000400
+ #define UCC_FAST_GUMR_ENR 0x00000020
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Girish Moodalbail <girish.moodalbail@oracle.com>
+Date: Thu, 8 Jun 2017 17:07:48 -0700
+Subject: geneve: add missing rx stats accounting
+
+From: Girish Moodalbail <girish.moodalbail@oracle.com>
+
+
+[ Upstream commit fe741e2362f33bbea813bcc3a921de356c6653db ]
+
+There are few places on the receive path where packet drops and packet
+errors were not accounted for. This patch fixes that issue.
+
+Signed-off-by: Girish Moodalbail <girish.moodalbail@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/geneve.c | 36 ++++++++++++++++++++++++------------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -209,6 +209,7 @@ static void geneve_rx(struct geneve_dev
+ struct genevehdr *gnvh = geneve_hdr(skb);
+ struct metadata_dst *tun_dst = NULL;
+ struct pcpu_sw_netstats *stats;
++ unsigned int len;
+ int err = 0;
+ void *oiph;
+
+@@ -222,8 +223,10 @@ static void geneve_rx(struct geneve_dev
+ tun_dst = udp_tun_rx_dst(skb, geneve_get_sk_family(gs), flags,
+ vni_to_tunnel_id(gnvh->vni),
+ gnvh->opt_len * 4);
+- if (!tun_dst)
++ if (!tun_dst) {
++ geneve->dev->stats.rx_dropped++;
+ goto drop;
++ }
+ /* Update tunnel dst according to Geneve options. */
+ ip_tunnel_info_opts_set(&tun_dst->u.tun_info,
+ gnvh->options, gnvh->opt_len * 4);
+@@ -231,8 +234,11 @@ static void geneve_rx(struct geneve_dev
+ /* Drop packets w/ critical options,
+ * since we don't support any...
+ */
+- if (gnvh->critical)
++ if (gnvh->critical) {
++ geneve->dev->stats.rx_frame_errors++;
++ geneve->dev->stats.rx_errors++;
+ goto drop;
++ }
+ }
+
+ skb_reset_mac_header(skb);
+@@ -243,8 +249,10 @@ static void geneve_rx(struct geneve_dev
+ skb_dst_set(skb, &tun_dst->dst);
+
+ /* Ignore packet loops (and multicast echo) */
+- if (ether_addr_equal(eth_hdr(skb)->h_source, geneve->dev->dev_addr))
++ if (ether_addr_equal(eth_hdr(skb)->h_source, geneve->dev->dev_addr)) {
++ geneve->dev->stats.rx_errors++;
+ goto drop;
++ }
+
+ oiph = skb_network_header(skb);
+ skb_reset_network_header(skb);
+@@ -276,13 +284,15 @@ static void geneve_rx(struct geneve_dev
+ }
+ }
+
+- stats = this_cpu_ptr(geneve->dev->tstats);
+- u64_stats_update_begin(&stats->syncp);
+- stats->rx_packets++;
+- stats->rx_bytes += skb->len;
+- u64_stats_update_end(&stats->syncp);
+-
+- gro_cells_receive(&geneve->gro_cells, skb);
++ len = skb->len;
++ err = gro_cells_receive(&geneve->gro_cells, skb);
++ if (likely(err == NET_RX_SUCCESS)) {
++ stats = this_cpu_ptr(geneve->dev->tstats);
++ u64_stats_update_begin(&stats->syncp);
++ stats->rx_packets++;
++ stats->rx_bytes += len;
++ u64_stats_update_end(&stats->syncp);
++ }
+ return;
+ drop:
+ /* Consume bad packet */
+@@ -332,7 +342,7 @@ static int geneve_udp_encap_recv(struct
+ struct geneve_sock *gs;
+ int opts_len;
+
+- /* Need Geneve and inner Ethernet header to be present */
++ /* Need UDP and Geneve header to be present */
+ if (unlikely(!pskb_may_pull(skb, GENEVE_BASE_HLEN)))
+ goto drop;
+
+@@ -355,8 +365,10 @@ static int geneve_udp_encap_recv(struct
+ opts_len = geneveh->opt_len * 4;
+ if (iptunnel_pull_header(skb, GENEVE_BASE_HLEN + opts_len,
+ htons(ETH_P_TEB),
+- !net_eq(geneve->net, dev_net(geneve->dev))))
++ !net_eq(geneve->net, dev_net(geneve->dev)))) {
++ geneve->dev->stats.rx_dropped++;
+ goto drop;
++ }
+
+ geneve_rx(geneve, gs, skb);
+ return 0;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 13 May 2017 14:39:53 +0200
+Subject: gpio: crystalcove: Do not write regular gpio registers for virtual GPIOs
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit 9a752b4c9ab924033bfdb8784c680d50b2bd5684 ]
+
+The Crystal Cove PMIC has 16 real GPIOs but the ACPI code for devices
+with this PMIC may address up to 95 GPIOs, these extra GPIOs are
+called virtual GPIOs and are used by the ACPI code as a method of
+accessing various non GPIO bits of PMIC.
+
+Commit dcdc3018d635 ("gpio: crystalcove: support virtual GPIO") added
+dummy support for these to avoid a bunch of ACPI errors, but instead of
+ignoring writes / reads to them by doing:
+
+if (gpio >= CRYSTALCOVE_GPIO_NUM)
+ return 0;
+
+It accidentally introduced the following wrong check:
+
+if (gpio > CRYSTALCOVE_VGPIO_NUM)
+ return 0;
+
+Which means that attempts by the ACPI code to access these gpios
+causes some arbitrary gpio to get touched through for example
+GPIO1P0CTLO + gpionr % 8.
+
+Since we do support input/output (but not interrupts) on the 0x5e
+virtual GPIO, this commit makes to_reg return -ENOTSUPP for unsupported
+virtual GPIOs so as to not have to check for (gpio >= CRYSTALCOVE_GPIO_NUM
+&& gpio != 0x5e) everywhere and to make it easier to add support for more
+virtual GPIOs in the future.
+
+It then adds a check for to_reg returning an error to all callers where
+this may happen fixing the ACPI code accessing virtual GPIOs accidentally
+causing changes to real GPIOs.
+
+Fixes: dcdc3018d635 ("gpio: crystalcove: support virtual GPIO")
+Cc: Aaron Lu <aaron.lu@intel.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-crystalcove.c | 54 ++++++++++++++++++++++++++--------------
+ 1 file changed, 36 insertions(+), 18 deletions(-)
+
+--- a/drivers/gpio/gpio-crystalcove.c
++++ b/drivers/gpio/gpio-crystalcove.c
+@@ -90,8 +90,18 @@ static inline int to_reg(int gpio, enum
+ {
+ int reg;
+
+- if (gpio == 94)
+- return GPIOPANELCTL;
++ if (gpio >= CRYSTALCOVE_GPIO_NUM) {
++ /*
++ * Virtual GPIO called from ACPI, for now we only support
++ * the panel ctl.
++ */
++ switch (gpio) {
++ case 0x5e:
++ return GPIOPANELCTL;
++ default:
++ return -EOPNOTSUPP;
++ }
++ }
+
+ if (reg_type == CTRL_IN) {
+ if (gpio < 8)
+@@ -130,36 +140,36 @@ static void crystalcove_update_irq_ctrl(
+ static int crystalcove_gpio_dir_in(struct gpio_chip *chip, unsigned gpio)
+ {
+ struct crystalcove_gpio *cg = gpiochip_get_data(chip);
++ int reg = to_reg(gpio, CTRL_OUT);
+
+- if (gpio > CRYSTALCOVE_VGPIO_NUM)
++ if (reg < 0)
+ return 0;
+
+- return regmap_write(cg->regmap, to_reg(gpio, CTRL_OUT),
+- CTLO_INPUT_SET);
++ return regmap_write(cg->regmap, reg, CTLO_INPUT_SET);
+ }
+
+ static int crystalcove_gpio_dir_out(struct gpio_chip *chip, unsigned gpio,
+ int value)
+ {
+ struct crystalcove_gpio *cg = gpiochip_get_data(chip);
++ int reg = to_reg(gpio, CTRL_OUT);
+
+- if (gpio > CRYSTALCOVE_VGPIO_NUM)
++ if (reg < 0)
+ return 0;
+
+- return regmap_write(cg->regmap, to_reg(gpio, CTRL_OUT),
+- CTLO_OUTPUT_SET | value);
++ return regmap_write(cg->regmap, reg, CTLO_OUTPUT_SET | value);
+ }
+
+ static int crystalcove_gpio_get(struct gpio_chip *chip, unsigned gpio)
+ {
+ struct crystalcove_gpio *cg = gpiochip_get_data(chip);
+- int ret;
+ unsigned int val;
++ int ret, reg = to_reg(gpio, CTRL_IN);
+
+- if (gpio > CRYSTALCOVE_VGPIO_NUM)
++ if (reg < 0)
+ return 0;
+
+- ret = regmap_read(cg->regmap, to_reg(gpio, CTRL_IN), &val);
++ ret = regmap_read(cg->regmap, reg, &val);
+ if (ret)
+ return ret;
+
+@@ -170,14 +180,15 @@ static void crystalcove_gpio_set(struct
+ unsigned gpio, int value)
+ {
+ struct crystalcove_gpio *cg = gpiochip_get_data(chip);
++ int reg = to_reg(gpio, CTRL_OUT);
+
+- if (gpio > CRYSTALCOVE_VGPIO_NUM)
++ if (reg < 0)
+ return;
+
+ if (value)
+- regmap_update_bits(cg->regmap, to_reg(gpio, CTRL_OUT), 1, 1);
++ regmap_update_bits(cg->regmap, reg, 1, 1);
+ else
+- regmap_update_bits(cg->regmap, to_reg(gpio, CTRL_OUT), 1, 0);
++ regmap_update_bits(cg->regmap, reg, 1, 0);
+ }
+
+ static int crystalcove_irq_type(struct irq_data *data, unsigned type)
+@@ -185,6 +196,9 @@ static int crystalcove_irq_type(struct i
+ struct crystalcove_gpio *cg =
+ gpiochip_get_data(irq_data_get_irq_chip_data(data));
+
++ if (data->hwirq >= CRYSTALCOVE_GPIO_NUM)
++ return 0;
++
+ switch (type) {
+ case IRQ_TYPE_NONE:
+ cg->intcnt_value = CTLI_INTCNT_DIS;
+@@ -235,8 +249,10 @@ static void crystalcove_irq_unmask(struc
+ struct crystalcove_gpio *cg =
+ gpiochip_get_data(irq_data_get_irq_chip_data(data));
+
+- cg->set_irq_mask = false;
+- cg->update |= UPDATE_IRQ_MASK;
++ if (data->hwirq < CRYSTALCOVE_GPIO_NUM) {
++ cg->set_irq_mask = false;
++ cg->update |= UPDATE_IRQ_MASK;
++ }
+ }
+
+ static void crystalcove_irq_mask(struct irq_data *data)
+@@ -244,8 +260,10 @@ static void crystalcove_irq_mask(struct
+ struct crystalcove_gpio *cg =
+ gpiochip_get_data(irq_data_get_irq_chip_data(data));
+
+- cg->set_irq_mask = true;
+- cg->update |= UPDATE_IRQ_MASK;
++ if (data->hwirq < CRYSTALCOVE_GPIO_NUM) {
++ cg->set_irq_mask = true;
++ cg->update |= UPDATE_IRQ_MASK;
++ }
+ }
+
+ static struct irq_chip crystalcove_irqchip = {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Thu, 4 Jan 2018 22:31:11 +0100
+Subject: gpio: label descriptors using the device name
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+
+[ Upstream commit 24e78079bf2250874e33da2e7cfbb6db72d3caf4 ]
+
+Some GPIO lines appear named "?" in the lsgpio dump due to their
+requesting drivers not passing a reasonable label.
+
+Most typically this happens if a device tree node just defines
+gpios = <...> and not foo-gpios = <...>, the former gets named
+"foo" and the latter gets named "?".
+
+However the struct device passed in is always valid so let's
+just label the GPIO with dev_name() on the device if no proper
+label was passed.
+
+Cc: Reported-by: Jason Kridner <jkridner@beagleboard.org>
+Reported-by: Jason Kridner <jkridner@beagleboard.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -3231,7 +3231,8 @@ struct gpio_desc *__must_check gpiod_get
+ return desc;
+ }
+
+- status = gpiod_request(desc, con_id);
++ /* If a connection label was passed use that, else use the device name as label */
++ status = gpiod_request(desc, con_id ? con_id : dev_name(dev));
+ if (status < 0)
+ return ERR_PTR(status);
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Firo Yang <firogm@gmail.com>
+Date: Fri, 26 May 2017 22:37:38 +0800
+Subject: hdlcdrv: Fix divide by zero in hdlcdrv_ioctl
+
+From: Firo Yang <firogm@gmail.com>
+
+
+[ Upstream commit fb3ce90b7d7761b6f7f28f0ff5c456ef6b5229a1 ]
+
+syszkaller fuzzer triggered a divide by zero, when set calibration
+through ioctl().
+
+To fix it, test 'bitrate' if it is negative or 0, just return -EINVAL.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Firo Yang <firogm@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hamradio/hdlcdrv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/hamradio/hdlcdrv.c
++++ b/drivers/net/hamradio/hdlcdrv.c
+@@ -576,6 +576,8 @@ static int hdlcdrv_ioctl(struct net_devi
+ case HDLCDRVCTL_CALIBRATE:
+ if(!capable(CAP_SYS_RAWIO))
+ return -EPERM;
++ if (s->par.bitrate <= 0)
++ return -EINVAL;
+ if (bi.data.calibrate > INT_MAX / s->par.bitrate)
+ return -EINVAL;
+ s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 9 May 2017 10:04:36 +0200
+Subject: HID: i2c: Call acpi_device_fix_up_power for ACPI-enumerated devices
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit f3d3eab667de62572376abb1aa26316191c39929 ]
+
+For ACPI devices which do not have a _PSC method, the ACPI subsys cannot
+query their initial state at boot, so these devices are assumed to have
+been put in D0 by the BIOS, but for touchscreens that is not always true.
+
+This commit adds a call to acpi_device_fix_up_power to explicitly put
+devices without a _PSC method into D0 state (for devices with a _PSC
+method it is a nop). Note we only need to do this on probe, after a
+resume the ACPI subsys knows the device is in D3 and will properly
+put it in D0.
+
+This fixes the SIS0817 i2c-hid touchscreen on a Peaq C1010 2-in-1
+device failing to probe with a "hid_descr_cmd failed" error.
+
+Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/i2c-hid/i2c-hid.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -968,6 +968,15 @@ static int i2c_hid_acpi_pdata(struct i2c
+ return ret < 0 && ret != -ENXIO ? ret : 0;
+ }
+
++static void i2c_hid_acpi_fix_up_power(struct device *dev)
++{
++ acpi_handle handle = ACPI_HANDLE(dev);
++ struct acpi_device *adev;
++
++ if (handle && acpi_bus_get_device(handle, &adev) == 0)
++ acpi_device_fix_up_power(adev);
++}
++
+ static const struct acpi_device_id i2c_hid_acpi_match[] = {
+ {"ACPI0C50", 0 },
+ {"PNP0C50", 0 },
+@@ -980,6 +989,8 @@ static inline int i2c_hid_acpi_pdata(str
+ {
+ return -ENODEV;
+ }
++
++static inline void i2c_hid_acpi_fix_up_power(struct device *dev) {}
+ #endif
+
+ #ifdef CONFIG_OF
+@@ -1082,6 +1093,8 @@ static int i2c_hid_probe(struct i2c_clie
+ if (ret < 0)
+ goto err;
+
++ i2c_hid_acpi_fix_up_power(&client->dev);
++
+ pm_runtime_get_noresume(&client->dev);
+ pm_runtime_set_active(&client->dev);
+ pm_runtime_enable(&client->dev);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "Karicheri, Muralidharan" <m-karicheri2@ti.com>
+Date: Mon, 12 Jun 2017 15:06:26 -0400
+Subject: hsr: fix incorrect warning
+
+From: "Karicheri, Muralidharan" <m-karicheri2@ti.com>
+
+
+[ Upstream commit 675c8da049fd6556eb2d6cdd745fe812752f07a8 ]
+
+When HSR interface is setup using ip link command, an annoying warning
+appears with the trace as below:-
+
+[ 203.019828] hsr_get_node: Non-HSR frame
+[ 203.019833] Modules linked in:
+[ 203.019848] CPU: 0 PID: 158 Comm: sd-resolve Tainted: G W 4.12.0-rc3-00052-g9fa6bf70 #2
+[ 203.019853] Hardware name: Generic DRA74X (Flattened Device Tree)
+[ 203.019869] [<c0110280>] (unwind_backtrace) from [<c010c2f4>] (show_stack+0x10/0x14)
+[ 203.019880] [<c010c2f4>] (show_stack) from [<c04b9f64>] (dump_stack+0xac/0xe0)
+[ 203.019894] [<c04b9f64>] (dump_stack) from [<c01374e8>] (__warn+0xd8/0x104)
+[ 203.019907] [<c01374e8>] (__warn) from [<c0137548>] (warn_slowpath_fmt+0x34/0x44)
+root@am57xx-evm:~# [ 203.019921] [<c0137548>] (warn_slowpath_fmt) from [<c081126c>] (hsr_get_node+0x148/0x170)
+[ 203.019932] [<c081126c>] (hsr_get_node) from [<c0814240>] (hsr_forward_skb+0x110/0x7c0)
+[ 203.019942] [<c0814240>] (hsr_forward_skb) from [<c0811d64>] (hsr_dev_xmit+0x2c/0x34)
+[ 203.019954] [<c0811d64>] (hsr_dev_xmit) from [<c06c0828>] (dev_hard_start_xmit+0xc4/0x3bc)
+[ 203.019963] [<c06c0828>] (dev_hard_start_xmit) from [<c06c13d8>] (__dev_queue_xmit+0x7c4/0x98c)
+[ 203.019974] [<c06c13d8>] (__dev_queue_xmit) from [<c0782f54>] (ip6_finish_output2+0x330/0xc1c)
+[ 203.019983] [<c0782f54>] (ip6_finish_output2) from [<c0788f0c>] (ip6_output+0x58/0x454)
+[ 203.019994] [<c0788f0c>] (ip6_output) from [<c07b16cc>] (mld_sendpack+0x420/0x744)
+
+As this is an expected path to hsr_get_node() with frame coming from
+the master interface, add a check to ensure packet is not from the
+master port and then warn.
+
+Signed-off-by: Murali Karicheri <m-karicheri2@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/hsr/hsr_forward.c | 3 +--
+ net/hsr/hsr_framereg.c | 9 +++++++--
+ net/hsr/hsr_framereg.h | 2 +-
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -324,8 +324,7 @@ static int hsr_fill_frame_info(struct hs
+ unsigned long irqflags;
+
+ frame->is_supervision = is_supervision_frame(port->hsr, skb);
+- frame->node_src = hsr_get_node(&port->hsr->node_db, skb,
+- frame->is_supervision);
++ frame->node_src = hsr_get_node(port, skb, frame->is_supervision);
+ if (frame->node_src == NULL)
+ return -1; /* Unknown node and !is_supervision, or no mem */
+
+--- a/net/hsr/hsr_framereg.c
++++ b/net/hsr/hsr_framereg.c
+@@ -158,9 +158,10 @@ struct hsr_node *hsr_add_node(struct lis
+
+ /* Get the hsr_node from which 'skb' was sent.
+ */
+-struct hsr_node *hsr_get_node(struct list_head *node_db, struct sk_buff *skb,
++struct hsr_node *hsr_get_node(struct hsr_port *port, struct sk_buff *skb,
+ bool is_sup)
+ {
++ struct list_head *node_db = &port->hsr->node_db;
+ struct hsr_node *node;
+ struct ethhdr *ethhdr;
+ u16 seq_out;
+@@ -186,7 +187,11 @@ struct hsr_node *hsr_get_node(struct lis
+ */
+ seq_out = hsr_get_skb_sequence_nr(skb) - 1;
+ } else {
+- WARN_ONCE(1, "%s: Non-HSR frame\n", __func__);
++ /* this is called also for frames from master port and
++ * so warn only for non master ports
++ */
++ if (port->type != HSR_PT_MASTER)
++ WARN_ONCE(1, "%s: Non-HSR frame\n", __func__);
+ seq_out = HSR_SEQNR_START;
+ }
+
+--- a/net/hsr/hsr_framereg.h
++++ b/net/hsr/hsr_framereg.h
+@@ -18,7 +18,7 @@ struct hsr_node;
+
+ struct hsr_node *hsr_add_node(struct list_head *node_db, unsigned char addr[],
+ u16 seq_out);
+-struct hsr_node *hsr_get_node(struct list_head *node_db, struct sk_buff *skb,
++struct hsr_node *hsr_get_node(struct hsr_port *port, struct sk_buff *skb,
+ bool is_sup);
+ void hsr_handle_sup_frame(struct sk_buff *skb, struct hsr_node *node_curr,
+ struct hsr_port *port);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Maciej Purski <m.purski@samsung.com>
+Date: Wed, 22 Nov 2017 16:32:15 +0100
+Subject: hwmon: (ina2xx) Make calibration register value fixed
+
+From: Maciej Purski <m.purski@samsung.com>
+
+
+[ Upstream commit 5d389b125186cf254ad5b8015763ac07c151aea4 ]
+
+Calibration register is used for calculating current register in
+hardware according to datasheet:
+current = shunt_volt * calib_register / 2048 (ina 226)
+current = shunt_volt * calib_register / 4096 (ina 219)
+
+Fix calib_register value to 2048 for ina226 and 4096 for ina 219 in
+order to avoid truncation error and provide best precision allowed
+by shunt_voltage measurement. Make current scale value follow changes
+of shunt_resistor from sysfs as calib_register value is now fixed.
+
+Power_lsb value should also follow shunt_resistor changes as stated in
+datasheet:
+power_lsb = 25 * current_lsb (ina 226)
+power_lsb = 20 * current_lsb (ina 219)
+
+Signed-off-by: Maciej Purski <m.purski@samsung.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/ina2xx.c | 87 ++++++++++++++++++++++++++++---------------------
+ 1 file changed, 50 insertions(+), 37 deletions(-)
+
+--- a/drivers/hwmon/ina2xx.c
++++ b/drivers/hwmon/ina2xx.c
+@@ -94,18 +94,20 @@ enum ina2xx_ids { ina219, ina226 };
+
+ struct ina2xx_config {
+ u16 config_default;
+- int calibration_factor;
++ int calibration_value;
+ int registers;
+ int shunt_div;
+ int bus_voltage_shift;
+ int bus_voltage_lsb; /* uV */
+- int power_lsb; /* uW */
++ int power_lsb_factor;
+ };
+
+ struct ina2xx_data {
+ const struct ina2xx_config *config;
+
+ long rshunt;
++ long current_lsb_uA;
++ long power_lsb_uW;
+ struct mutex config_lock;
+ struct regmap *regmap;
+
+@@ -115,21 +117,21 @@ struct ina2xx_data {
+ static const struct ina2xx_config ina2xx_config[] = {
+ [ina219] = {
+ .config_default = INA219_CONFIG_DEFAULT,
+- .calibration_factor = 40960000,
++ .calibration_value = 4096,
+ .registers = INA219_REGISTERS,
+ .shunt_div = 100,
+ .bus_voltage_shift = 3,
+ .bus_voltage_lsb = 4000,
+- .power_lsb = 20000,
++ .power_lsb_factor = 20,
+ },
+ [ina226] = {
+ .config_default = INA226_CONFIG_DEFAULT,
+- .calibration_factor = 5120000,
++ .calibration_value = 2048,
+ .registers = INA226_REGISTERS,
+ .shunt_div = 400,
+ .bus_voltage_shift = 0,
+ .bus_voltage_lsb = 1250,
+- .power_lsb = 25000,
++ .power_lsb_factor = 25,
+ },
+ };
+
+@@ -168,12 +170,16 @@ static u16 ina226_interval_to_reg(int in
+ return INA226_SHIFT_AVG(avg_bits);
+ }
+
++/*
++ * Calibration register is set to the best value, which eliminates
++ * truncation errors on calculating current register in hardware.
++ * According to datasheet (eq. 3) the best values are 2048 for
++ * ina226 and 4096 for ina219. They are hardcoded as calibration_value.
++ */
+ static int ina2xx_calibrate(struct ina2xx_data *data)
+ {
+- u16 val = DIV_ROUND_CLOSEST(data->config->calibration_factor,
+- data->rshunt);
+-
+- return regmap_write(data->regmap, INA2XX_CALIBRATION, val);
++ return regmap_write(data->regmap, INA2XX_CALIBRATION,
++ data->config->calibration_value);
+ }
+
+ /*
+@@ -186,10 +192,6 @@ static int ina2xx_init(struct ina2xx_dat
+ if (ret < 0)
+ return ret;
+
+- /*
+- * Set current LSB to 1mA, shunt is in uOhms
+- * (equation 13 in datasheet).
+- */
+ return ina2xx_calibrate(data);
+ }
+
+@@ -267,15 +269,15 @@ static int ina2xx_get_value(struct ina2x
+ val = DIV_ROUND_CLOSEST(val, 1000);
+ break;
+ case INA2XX_POWER:
+- val = regval * data->config->power_lsb;
++ val = regval * data->power_lsb_uW;
+ break;
+ case INA2XX_CURRENT:
+- /* signed register, LSB=1mA (selected), in mA */
+- val = (s16)regval;
++ /* signed register, result in mA */
++ val = regval * data->current_lsb_uA;
++ val = DIV_ROUND_CLOSEST(val, 1000);
+ break;
+ case INA2XX_CALIBRATION:
+- val = DIV_ROUND_CLOSEST(data->config->calibration_factor,
+- regval);
++ val = regval;
+ break;
+ default:
+ /* programmer goofed */
+@@ -303,9 +305,32 @@ static ssize_t ina2xx_show_value(struct
+ ina2xx_get_value(data, attr->index, regval));
+ }
+
+-static ssize_t ina2xx_set_shunt(struct device *dev,
+- struct device_attribute *da,
+- const char *buf, size_t count)
++/*
++ * In order to keep calibration register value fixed, the product
++ * of current_lsb and shunt_resistor should also be fixed and equal
++ * to shunt_voltage_lsb = 1 / shunt_div multiplied by 10^9 in order
++ * to keep the scale.
++ */
++static int ina2xx_set_shunt(struct ina2xx_data *data, long val)
++{
++ unsigned int dividend = DIV_ROUND_CLOSEST(1000000000,
++ data->config->shunt_div);
++ if (val <= 0 || val > dividend)
++ return -EINVAL;
++
++ mutex_lock(&data->config_lock);
++ data->rshunt = val;
++ data->current_lsb_uA = DIV_ROUND_CLOSEST(dividend, val);
++ data->power_lsb_uW = data->config->power_lsb_factor *
++ data->current_lsb_uA;
++ mutex_unlock(&data->config_lock);
++
++ return 0;
++}
++
++static ssize_t ina2xx_store_shunt(struct device *dev,
++ struct device_attribute *da,
++ const char *buf, size_t count)
+ {
+ unsigned long val;
+ int status;
+@@ -315,18 +340,9 @@ static ssize_t ina2xx_set_shunt(struct d
+ if (status < 0)
+ return status;
+
+- if (val == 0 ||
+- /* Values greater than the calibration factor make no sense. */
+- val > data->config->calibration_factor)
+- return -EINVAL;
+-
+- mutex_lock(&data->config_lock);
+- data->rshunt = val;
+- status = ina2xx_calibrate(data);
+- mutex_unlock(&data->config_lock);
++ status = ina2xx_set_shunt(data, val);
+ if (status < 0)
+ return status;
+-
+ return count;
+ }
+
+@@ -386,7 +402,7 @@ static SENSOR_DEVICE_ATTR(power1_input,
+
+ /* shunt resistance */
+ static SENSOR_DEVICE_ATTR(shunt_resistor, S_IRUGO | S_IWUSR,
+- ina2xx_show_value, ina2xx_set_shunt,
++ ina2xx_show_value, ina2xx_store_shunt,
+ INA2XX_CALIBRATION);
+
+ /* update interval (ina226 only) */
+@@ -441,10 +457,7 @@ static int ina2xx_probe(struct i2c_clien
+ val = INA2XX_RSHUNT_DEFAULT;
+ }
+
+- if (val <= 0 || val > data->config->calibration_factor)
+- return -ENODEV;
+-
+- data->rshunt = val;
++ ina2xx_set_shunt(data, val);
+
+ ina2xx_regmap_config.max_register = data->config->registers;
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Peter Rosin <peda@axentia.se>
+Date: Sun, 7 May 2017 07:16:30 +0200
+Subject: i2c: mux: reg: put away the parent i2c adapter on probe failure
+
+From: Peter Rosin <peda@axentia.se>
+
+
+[ Upstream commit 68118e0e73aa3a6291c8b9eb1ee708e05f110cea ]
+
+It is only prudent to let go of resources that are not used.
+
+Fixes: b3fdd32799d8 ("i2c: mux: Add register-based mux i2c-mux-reg")
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/muxes/i2c-mux-reg.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/i2c/muxes/i2c-mux-reg.c
++++ b/drivers/i2c/muxes/i2c-mux-reg.c
+@@ -196,20 +196,25 @@ static int i2c_mux_reg_probe(struct plat
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ mux->data.reg_size = resource_size(res);
+ mux->data.reg = devm_ioremap_resource(&pdev->dev, res);
+- if (IS_ERR(mux->data.reg))
+- return PTR_ERR(mux->data.reg);
++ if (IS_ERR(mux->data.reg)) {
++ ret = PTR_ERR(mux->data.reg);
++ goto err_put_parent;
++ }
+ }
+
+ if (mux->data.reg_size != 4 && mux->data.reg_size != 2 &&
+ mux->data.reg_size != 1) {
+ dev_err(&pdev->dev, "Invalid register size\n");
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_put_parent;
+ }
+
+ muxc = i2c_mux_alloc(parent, &pdev->dev, mux->data.n_values, 0, 0,
+ i2c_mux_reg_select, NULL);
+- if (!muxc)
+- return -ENOMEM;
++ if (!muxc) {
++ ret = -ENOMEM;
++ goto err_put_parent;
++ }
+ muxc->priv = mux;
+
+ platform_set_drvdata(pdev, muxc);
+@@ -235,6 +240,8 @@ static int i2c_mux_reg_probe(struct plat
+
+ add_adapter_failed:
+ i2c_mux_del_adapters(muxc);
++err_put_parent:
++ i2c_put_adapter(parent);
+
+ return ret;
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Date: Fri, 28 Apr 2017 16:53:16 -0700
+Subject: i40evf: fix merge error in older patch
+
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+
+
+[ Upstream commit 155b0f690051345deefc653774b739c786067d61 ]
+
+This patch fixes a missing line that was missed while merging,
+which results in a driver feature in the VF not working to
+enable RSS as a negotiated feature.
+
+Fixes: 43a3d9ba34c9c ("i40evf: Allow PF driver to configure RSS")
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40evf/i40evf_virtchnl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/intel/i40evf/i40evf_virtchnl.c
++++ b/drivers/net/ethernet/intel/i40evf/i40evf_virtchnl.c
+@@ -154,6 +154,7 @@ int i40evf_send_vf_config_msg(struct i40
+ adapter->current_op = I40E_VIRTCHNL_OP_GET_VF_RESOURCES;
+ adapter->aq_required &= ~I40EVF_FLAG_AQ_GET_CONFIG;
+ caps = I40E_VIRTCHNL_VF_OFFLOAD_L2 |
++ I40E_VIRTCHNL_VF_OFFLOAD_RSS_PF |
+ I40E_VIRTCHNL_VF_OFFLOAD_RSS_AQ |
+ I40E_VIRTCHNL_VF_OFFLOAD_RSS_REG |
+ I40E_VIRTCHNL_VF_OFFLOAD_VLAN |
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+Date: Fri, 22 Dec 2017 09:46:56 -0600
+Subject: i40iw: Correct Q1/XF object count equation
+
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+
+
+[ Upstream commit fe99afd1febd74e0ef1fed7e3283f09effe1f4f0 ]
+
+Lower Inbound RDMA Read Queue (Q1) object count by a factor of 2
+as it is incorrectly doubled. Also, round up Q1 and Transmit FIFO (XF)
+object count to power of 2 to satisfy hardware requirement.
+
+Fixes: 86dbcd0f12e9 ("i40iw: add file to handle cqp calls")
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/i40iw/i40iw_ctrl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw_ctrl.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_ctrl.c
+@@ -3644,8 +3644,10 @@ enum i40iw_status_code i40iw_config_fpm_
+ hmc_info->hmc_obj[I40IW_HMC_IW_APBVT_ENTRY].cnt = 1;
+ hmc_info->hmc_obj[I40IW_HMC_IW_MR].cnt = mrwanted;
+
+- hmc_info->hmc_obj[I40IW_HMC_IW_XF].cnt = I40IW_MAX_WQ_ENTRIES * qpwanted;
+- hmc_info->hmc_obj[I40IW_HMC_IW_Q1].cnt = 4 * I40IW_MAX_IRD_SIZE * qpwanted;
++ hmc_info->hmc_obj[I40IW_HMC_IW_XF].cnt =
++ roundup_pow_of_two(I40IW_MAX_WQ_ENTRIES * qpwanted);
++ hmc_info->hmc_obj[I40IW_HMC_IW_Q1].cnt =
++ roundup_pow_of_two(2 * I40IW_MAX_IRD_SIZE * qpwanted);
+ hmc_info->hmc_obj[I40IW_HMC_IW_XFFL].cnt =
+ hmc_info->hmc_obj[I40IW_HMC_IW_XF].cnt / hmc_fpm_misc->xf_block_size;
+ hmc_info->hmc_obj[I40IW_HMC_IW_Q1FL].cnt =
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+Date: Fri, 22 Dec 2017 09:46:59 -0600
+Subject: i40iw: Fix sequence number for the first partial FPDU
+
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+
+
+[ Upstream commit df8b13a1b23356d01dfc4647a5629cdb0f4ce566 ]
+
+Partial FPDU processing is broken as the sequence number
+for the first partial FPDU is wrong due to incorrect
+Q2 buffer offset. The offset should be 64 rather than 16.
+
+Fixes: 786c6adb3a94 ("i40iw: add puda code")
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/i40iw/i40iw_d.h | 1 +
+ drivers/infiniband/hw/i40iw/i40iw_puda.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw_d.h
++++ b/drivers/infiniband/hw/i40iw/i40iw_d.h
+@@ -86,6 +86,7 @@
+ #define RDMA_OPCODE_MASK 0x0f
+ #define RDMA_READ_REQ_OPCODE 1
+ #define Q2_BAD_FRAME_OFFSET 72
++#define Q2_FPSN_OFFSET 64
+ #define CQE_MAJOR_DRV 0x8000
+
+ #define I40IW_TERM_SENT 0x01
+--- a/drivers/infiniband/hw/i40iw/i40iw_puda.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_puda.c
+@@ -1320,7 +1320,7 @@ static void i40iw_ieq_handle_exception(s
+ u32 *hw_host_ctx = (u32 *)qp->hw_host_ctx;
+ u32 rcv_wnd = hw_host_ctx[23];
+ /* first partial seq # in q2 */
+- u32 fps = qp->q2_buf[16];
++ u32 fps = *(u32 *)(qp->q2_buf + Q2_FPSN_OFFSET);
+ struct list_head *rxlist = &pfpdu->rxlist;
+ struct list_head *plist;
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Mon, 18 Dec 2017 19:57:06 -0800
+Subject: IB/rdmavt: Allocate CQ memory on the correct node
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+
+[ Upstream commit db9a2c6f9b6196b889b98e961cb9a37617b11ccf ]
+
+CQ allocation does not ensure that completion queue entries
+and the completion queue structure are allocated on the correct
+numa node.
+
+Fix by allocating the rvt_cq and kernel CQ entries on the device node,
+leaving the user CQ entries on the default local node. Also ensure
+CQ resizes use the correct allocator when extending a CQ.
+
+Reviewed-by: Sebastian Sanchez <sebastian.sanchez@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/sw/rdmavt/cq.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/sw/rdmavt/cq.c
++++ b/drivers/infiniband/sw/rdmavt/cq.c
+@@ -197,7 +197,7 @@ struct ib_cq *rvt_create_cq(struct ib_de
+ return ERR_PTR(-EINVAL);
+
+ /* Allocate the completion queue structure. */
+- cq = kzalloc(sizeof(*cq), GFP_KERNEL);
++ cq = kzalloc_node(sizeof(*cq), GFP_KERNEL, rdi->dparms.node);
+ if (!cq)
+ return ERR_PTR(-ENOMEM);
+
+@@ -213,7 +213,9 @@ struct ib_cq *rvt_create_cq(struct ib_de
+ sz += sizeof(struct ib_uverbs_wc) * (entries + 1);
+ else
+ sz += sizeof(struct ib_wc) * (entries + 1);
+- wc = vmalloc_user(sz);
++ wc = udata ?
++ vmalloc_user(sz) :
++ vzalloc_node(sz, rdi->dparms.node);
+ if (!wc) {
+ ret = ERR_PTR(-ENOMEM);
+ goto bail_cq;
+@@ -368,7 +370,9 @@ int rvt_resize_cq(struct ib_cq *ibcq, in
+ sz += sizeof(struct ib_uverbs_wc) * (cqe + 1);
+ else
+ sz += sizeof(struct ib_wc) * (cqe + 1);
+- wc = vmalloc_user(sz);
++ wc = udata ?
++ vmalloc_user(sz) :
++ vzalloc_node(sz, rdi->dparms.node);
+ if (!wc)
+ return -ENOMEM;
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+Date: Thu, 4 May 2017 15:50:54 -0700
+Subject: IB/srpt: Avoid that aborting a command triggers a kernel warning
+
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+
+
+[ Upstream commit bd2c52d733f126ff75f99c537a27655b2db07e28 ]
+
+Avoid that the following warning is triggered:
+
+WARNING: CPU: 10 PID: 166 at ../drivers/infiniband/ulp/srpt/ib_srpt.c:2674 srpt_release_cmd+0x139/0x140 [ib_srpt]
+CPU: 10 PID: 166 Comm: kworker/u24:8 Not tainted 4.9.4-1-default #1
+Workqueue: tmr-fileio target_tmr_work [target_core_mod]
+Call Trace:
+ [<ffffffffaa3c4f70>] dump_stack+0x63/0x83
+ [<ffffffffaa0844eb>] __warn+0xcb/0xf0
+ [<ffffffffaa0845dd>] warn_slowpath_null+0x1d/0x20
+ [<ffffffffc06ba429>] srpt_release_cmd+0x139/0x140 [ib_srpt]
+ [<ffffffffc06e4377>] target_release_cmd_kref+0xb7/0x120 [target_core_mod]
+ [<ffffffffc06e4d7f>] target_put_sess_cmd+0x2f/0x60 [target_core_mod]
+ [<ffffffffc06e15e0>] core_tmr_lun_reset+0x340/0x790 [target_core_mod]
+ [<ffffffffc06e4816>] target_tmr_work+0xe6/0x140 [target_core_mod]
+ [<ffffffffaa09e4d3>] process_one_work+0x1f3/0x4d0
+ [<ffffffffaa09e7f8>] worker_thread+0x48/0x4e0
+ [<ffffffffaa09e7b0>] ? process_one_work+0x4d0/0x4d0
+ [<ffffffffaa0a46da>] kthread+0xca/0xe0
+ [<ffffffffaa0a4610>] ? kthread_park+0x60/0x60
+ [<ffffffffaa71b775>] ret_from_fork+0x25/0x30
+
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Cc: Doug Ledford <dledford@redhat.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: David Disseldorp <ddiss@suse.de>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -2666,7 +2666,8 @@ static void srpt_release_cmd(struct se_c
+ struct srpt_rdma_ch *ch = ioctx->ch;
+ unsigned long flags;
+
+- WARN_ON(ioctx->state != SRPT_STATE_DONE);
++ WARN_ON_ONCE(ioctx->state != SRPT_STATE_DONE &&
++ !(ioctx->cmd.transport_state & CMD_T_ABORTED));
+
+ if (ioctx->n_rw_ctx) {
+ srpt_free_rw_ctxs(ch, ioctx);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+Date: Thu, 4 May 2017 15:50:53 -0700
+Subject: IB/srpt: Fix abort handling
+
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+
+
+[ Upstream commit 55d694275f41a1c0eef4ef49044ff29bc3999490 ]
+
+Let the target core check the CMD_T_ABORTED flag instead of the SRP
+target driver. Hence remove the transport_check_aborted_status()
+call. Since state == SRPT_STATE_CMD_RSP_SENT is something that really
+should not happen, do not try to recover if srpt_queue_response() is
+called for an I/O context that is in that state. This patch is a bug
+fix because the srpt_abort_cmd() call is misplaced - if that function
+is called from srpt_queue_response() it should either be called
+before the command state is changed or after the response has been
+sent.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Cc: Doug Ledford <dledford@redhat.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Andy Grover <agrover@redhat.com>
+Cc: David Disseldorp <ddiss@suse.de>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -2292,12 +2292,8 @@ static void srpt_queue_response(struct s
+ }
+ spin_unlock_irqrestore(&ioctx->spinlock, flags);
+
+- if (unlikely(transport_check_aborted_status(&ioctx->cmd, false)
+- || WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT))) {
+- atomic_inc(&ch->req_lim_delta);
+- srpt_abort_cmd(ioctx);
++ if (unlikely(WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT)))
+ return;
+- }
+
+ /* For read commands, transfer the data to the initiator. */
+ if (ioctx->cmd.data_direction == DMA_FROM_DEVICE &&
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Jacob Keller <jacob.e.keller@intel.com>
+Date: Wed, 3 May 2017 10:28:52 -0700
+Subject: igb: fix race condition with PTP_TX_IN_PROGRESS bits
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+
+[ Upstream commit 4ccdc013b0ae04755a8f7905e0525955d52a77d0 ]
+
+Hardware related to the igb driver has a limitation of only handling one
+Tx timestamp at a time. Thus, the driver uses a state bit lock to
+enforce that only one timestamp request is honored at a time.
+
+Unfortunately this suffers from a simple race condition. The bit lock is
+not cleared until after skb_tstamp_tx() is called notifying the stack of
+a new Tx timestamp. Even a well behaved application which sends only one
+timestamp request at once and waits for a response might wake up and
+send a new packet before the bit lock is cleared. This results in
+needlessly dropping some Tx timestamp requests.
+
+We can fix this by unlocking the state bit as soon as we read the
+Timestamp register, as this is the first point at which it is safe to
+unlock.
+
+To avoid issues with the skb pointer, we'll use a copy of the pointer
+and set the global variable in the driver structure to NULL first. This
+ensures that the next timestamp request does not modify our local copy
+of the skb pointer.
+
+This ensures that well behaved applications do not accidentally race
+with the unlock bit. Obviously an application which sends multiple Tx
+timestamp requests at once will still only timestamp one packet at
+a time. Unfortunately there is nothing we can do about this.
+
+Reported-by: David Mirabito <davidm@metamako.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/igb/igb_ptp.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/igb/igb_ptp.c
++++ b/drivers/net/ethernet/intel/igb/igb_ptp.c
+@@ -721,6 +721,7 @@ void igb_ptp_rx_hang(struct igb_adapter
+ **/
+ static void igb_ptp_tx_hwtstamp(struct igb_adapter *adapter)
+ {
++ struct sk_buff *skb = adapter->ptp_tx_skb;
+ struct e1000_hw *hw = &adapter->hw;
+ struct skb_shared_hwtstamps shhwtstamps;
+ u64 regval;
+@@ -748,10 +749,17 @@ static void igb_ptp_tx_hwtstamp(struct i
+ shhwtstamps.hwtstamp =
+ ktime_add_ns(shhwtstamps.hwtstamp, adjust);
+
+- skb_tstamp_tx(adapter->ptp_tx_skb, &shhwtstamps);
+- dev_kfree_skb_any(adapter->ptp_tx_skb);
++ /* Clear the lock early before calling skb_tstamp_tx so that
++ * applications are not woken up before the lock bit is clear. We use
++ * a copy of the skb pointer to ensure other threads can't change it
++ * while we're notifying the stack.
++ */
+ adapter->ptp_tx_skb = NULL;
+ clear_bit_unlock(__IGB_PTP_TX_IN_PROGRESS, &adapter->state);
++
++ /* Notify the stack and free the skb after we've unlocked */
++ skb_tstamp_tx(skb, &shhwtstamps);
++ dev_kfree_skb_any(skb);
+ }
+
+ /**
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Date: Fri, 19 May 2017 17:48:00 +0300
+Subject: iio: hi8435: avoid garbage event at first enable
+
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+
+
+[ Upstream commit ee19ac340c5fdfd89c6348be4563453c61ab54a9 ]
+
+Currently, driver generates events for channels if new reading differs
+from previous one. This "previous value" is initialized to zero, which
+results into event if value is constant-one.
+
+Fix that by initializing "previous value" by reading at event enable
+time.
+
+This provides reliable sequence for userspace:
+- enable event,
+- AFTER THAT read current value,
+- AFTER THAT each event will correspond to change.
+
+Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/hi8435.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/hi8435.c
++++ b/drivers/iio/adc/hi8435.c
+@@ -121,10 +121,21 @@ static int hi8435_write_event_config(str
+ enum iio_event_direction dir, int state)
+ {
+ struct hi8435_priv *priv = iio_priv(idev);
++ int ret;
++ u32 tmp;
++
++ if (state) {
++ ret = hi8435_readl(priv, HI8435_SO31_0_REG, &tmp);
++ if (ret < 0)
++ return ret;
++ if (tmp & BIT(chan->channel))
++ priv->event_prev_val |= BIT(chan->channel);
++ else
++ priv->event_prev_val &= ~BIT(chan->channel);
+
+- priv->event_scan_mask &= ~BIT(chan->channel);
+- if (state)
+ priv->event_scan_mask |= BIT(chan->channel);
++ } else
++ priv->event_scan_mask &= ~BIT(chan->channel);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Date: Fri, 19 May 2017 17:48:02 +0300
+Subject: iio: hi8435: cleanup reset gpio
+
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+
+
+[ Upstream commit 61305664a542f874283f74bf0b27ddb31f5045d7 ]
+
+Reset GPIO is active low.
+
+Currently driver uses gpiod_set_value(1) to clean reset, which depends
+on device tree to contain GPIO_ACTIVE_HIGH - that does not match reality.
+
+This fixes driver to use _raw version of gpiod_set_value() to enforce
+active-low semantics despite of what's written in device tree. Allowing
+device tree to override that only opens possibility for errors and does
+not add any value.
+
+Additionally, use _cansleep version to make things work with i2c-gpio
+and other sleeping gpio drivers.
+
+Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/hi8435.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/iio/adc/hi8435.c
++++ b/drivers/iio/adc/hi8435.c
+@@ -453,13 +453,15 @@ static int hi8435_probe(struct spi_devic
+ priv->spi = spi;
+
+ reset_gpio = devm_gpiod_get(&spi->dev, NULL, GPIOD_OUT_LOW);
+- if (IS_ERR(reset_gpio)) {
+- /* chip s/w reset if h/w reset failed */
++ if (!IS_ERR(reset_gpio)) {
++ /* need >=100ns low pulse to reset chip */
++ gpiod_set_raw_value_cansleep(reset_gpio, 0);
++ udelay(1);
++ gpiod_set_raw_value_cansleep(reset_gpio, 1);
++ } else {
++ /* s/w reset chip if h/w reset is not available */
+ hi8435_writeb(priv, HI8435_CTRL_REG, HI8435_CTRL_SRST);
+ hi8435_writeb(priv, HI8435_CTRL_REG, 0);
+- } else {
+- udelay(5);
+- gpiod_set_value(reset_gpio, 1);
+ }
+
+ spi_set_drvdata(spi, idev);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Mikko Koivunen <mikko.koivunen@fi.rohmeurope.com>
+Date: Thu, 18 May 2017 15:12:50 +0300
+Subject: iio: light: rpr0521 poweroff for probe fails
+
+From: Mikko Koivunen <mikko.koivunen@fi.rohmeurope.com>
+
+
+[ Upstream commit 12d74949133e2450533894ea01ce0c56646ce006 ]
+
+Set sensor measurement off after probe fail in pm_runtime_set_active() or
+iio_device_register(). Without this change sensor measurement stays on
+even though probe fails on these calls.
+
+This is maybe rare case, but causes constant power drain without any
+benefits when it happens. Power drain is 20-500uA, typically 180uA.
+
+Signed-off-by: Mikko Koivunen <mikko.koivunen@fi.rohmeurope.com>
+Acked-by: Daniel Baluta <daniel.baluta@nxp.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/rpr0521.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/light/rpr0521.c
++++ b/drivers/iio/light/rpr0521.c
+@@ -510,13 +510,26 @@ static int rpr0521_probe(struct i2c_clie
+
+ ret = pm_runtime_set_active(&client->dev);
+ if (ret < 0)
+- return ret;
++ goto err_poweroff;
+
+ pm_runtime_enable(&client->dev);
+ pm_runtime_set_autosuspend_delay(&client->dev, RPR0521_SLEEP_DELAY_MS);
+ pm_runtime_use_autosuspend(&client->dev);
+
+- return iio_device_register(indio_dev);
++ ret = iio_device_register(indio_dev);
++ if (ret)
++ goto err_pm_disable;
++
++ return 0;
++
++err_pm_disable:
++ pm_runtime_disable(&client->dev);
++ pm_runtime_set_suspended(&client->dev);
++ pm_runtime_put_noidle(&client->dev);
++err_poweroff:
++ rpr0521_poweroff(data);
++
++ return ret;
+ }
+
+ static int rpr0521_remove(struct i2c_client *client)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
+Date: Tue, 6 Jun 2017 22:51:24 +0200
+Subject: iio: magnetometer: st_magn_spi: fix spi_device_id table
+
+From: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
+
+
+[ Upstream commit c83761ff0aac954aa368c623bb0f0d1a3214e834 ]
+
+Remove LSM303DLHC, LSM303DLM from st_magn_id_table since LSM303DL series
+does not support spi interface
+
+Fixes: 872e79add756 (iio: magn: Add STMicroelectronics magn driver)
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@st.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/magnetometer/st_magn_spi.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/iio/magnetometer/st_magn_spi.c
++++ b/drivers/iio/magnetometer/st_magn_spi.c
+@@ -48,8 +48,6 @@ static int st_magn_spi_remove(struct spi
+ }
+
+ static const struct spi_device_id st_magn_id_table[] = {
+- { LSM303DLHC_MAGN_DEV_NAME },
+- { LSM303DLM_MAGN_DEV_NAME },
+ { LIS3MDL_MAGN_DEV_NAME },
+ { LSM303AGR_MAGN_DEV_NAME },
+ {},
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Nicholas Mc Guire <der.herr@hofr.at>
+Date: Sun, 14 May 2017 10:43:55 +0200
+Subject: iio: pressure: zpa2326: report interrupted case as failure
+
+From: Nicholas Mc Guire <der.herr@hofr.at>
+
+
+[ Upstream commit e7215fe4d51e69c9d2608ad0c409d48e844d0adc ]
+
+If the timeout-case prints a warning message then probably the interrupted
+case should also. Further, wait_for_completion_interruptible_timeout()
+returns long not int.
+
+Fixes: commit 03b262f2bbf4 ("iio:pressure: initial zpa2326 barometer support")
+Signed-off-by: Nicholas Mc Guire <der.herr@hofr.at>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/pressure/zpa2326.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/drivers/iio/pressure/zpa2326.c
++++ b/drivers/iio/pressure/zpa2326.c
+@@ -871,12 +871,13 @@ static int zpa2326_wait_oneshot_completi
+ {
+ int ret;
+ unsigned int val;
++ long timeout;
+
+ zpa2326_dbg(indio_dev, "waiting for one shot completion interrupt");
+
+- ret = wait_for_completion_interruptible_timeout(
++ timeout = wait_for_completion_interruptible_timeout(
+ &private->data_ready, ZPA2326_CONVERSION_JIFFIES);
+- if (ret > 0)
++ if (timeout > 0)
+ /*
+ * Interrupt handler completed before timeout: return operation
+ * status.
+@@ -886,13 +887,16 @@ static int zpa2326_wait_oneshot_completi
+ /* Clear all interrupts just to be sure. */
+ regmap_read(private->regmap, ZPA2326_INT_SOURCE_REG, &val);
+
+- if (!ret)
++ if (!timeout) {
+ /* Timed out. */
++ zpa2326_warn(indio_dev, "no one shot interrupt occurred (%ld)",
++ timeout);
+ ret = -ETIME;
+-
+- if (ret != -ERESTARTSYS)
+- zpa2326_warn(indio_dev, "no one shot interrupt occurred (%d)",
+- ret);
++ } else if (timeout < 0) {
++ zpa2326_warn(indio_dev,
++ "wait for one shot interrupt cancelled");
++ ret = -ERESTARTSYS;
++ }
+
+ return ret;
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 19 Dec 2014 12:57:49 -0800
+Subject: Input: elan_i2c - check if device is there before really probing
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+
+[ Upstream commit c5928551fd41b2eecdad78fa2be2a4a13ed5fde9 ]
+
+Before trying to properly initialize the touchpad and generate bunch of
+errors, let's first see it there is anything at the given address. If we
+get error, fail silently with -ENXIO.
+
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/mouse/elan_i2c_core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1082,6 +1082,13 @@ static int elan_probe(struct i2c_client
+ return error;
+ }
+
++ /* Make sure there is something at this address */
++ error = i2c_smbus_read_byte(client);
++ if (error < 0) {
++ dev_dbg(&client->dev, "nothing at this address: %d\n", error);
++ return -ENXIO;
++ }
++
+ /* Initialize the touchpad. */
+ error = elan_initialize(data);
+ if (error)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: KT Liao <kt.liao@emc.com.tw>
+Date: Thu, 25 May 2017 10:06:21 -0700
+Subject: Input: elan_i2c - clear INT before resetting controller
+
+From: KT Liao <kt.liao@emc.com.tw>
+
+
+[ Upstream commit 4b3c7dbbfff0673e8a89575414b864d8b001d3bb ]
+
+Some old touchpad FWs need to have interrupt cleared before issuing reset
+command after updating firmware. We clear interrupt by attempting to read
+full report from the controller, and discarding any data read.
+
+Signed-off-by: KT Liao <kt.liao@emc.com.tw>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/mouse/elan_i2c_i2c.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/mouse/elan_i2c_i2c.c
++++ b/drivers/input/mouse/elan_i2c_i2c.c
+@@ -557,7 +557,14 @@ static int elan_i2c_finish_fw_update(str
+ long ret;
+ int error;
+ int len;
+- u8 buffer[ETP_I2C_INF_LENGTH];
++ u8 buffer[ETP_I2C_REPORT_LEN];
++
++ len = i2c_master_recv(client, buffer, ETP_I2C_REPORT_LEN);
++ if (len != ETP_I2C_REPORT_LEN) {
++ error = len < 0 ? len : -EIO;
++ dev_warn(dev, "failed to read I2C data after FW WDT reset: %d (%d)\n",
++ error, len);
++ }
+
+ reinit_completion(completion);
+ enable_irq(client->irq);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: KT Liao <kt.liao@emc.com.tw>
+Date: Mon, 12 Dec 2016 11:03:42 -0800
+Subject: Input: elantech - force relative mode on a certain module
+
+From: KT Liao <kt.liao@emc.com.tw>
+
+
+[ Upstream commit d899520b0431e70279bfb5066ecb6dc91d0b7072 ]
+
+One of Elan modules with sample version is 0x74 and hw_version is 0x03 has
+a bug in absolute mode implementation, so let it run in default PS/2
+relative mode.
+
+Signed-off-by: KT Liao <kt.liao@emc.com.tw>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/mouse/elantech.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1711,6 +1711,17 @@ int elantech_init(struct psmouse *psmous
+ etd->samples[0], etd->samples[1], etd->samples[2]);
+ }
+
++ if (etd->samples[1] == 0x74 && etd->hw_version == 0x03) {
++ /*
++ * This module has a bug which makes absolute mode
++ * unusable, so let's abort so we'll be using standard
++ * PS/2 protocol.
++ */
++ psmouse_info(psmouse,
++ "absolute mode broken, forcing standard PS/2 protocol\n");
++ goto init_fail;
++ }
++
+ if (elantech_set_absolute_mode(psmouse)) {
+ psmouse_err(psmouse,
+ "failed to put touchpad into absolute mode.\n");
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 12 Jan 2018 00:36:48 -0800
+Subject: Input: goodix - disable IRQs while suspended
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit faec44b6838312484d63e82286087cf2d5ebb891 ]
+
+We should not try to do any i2c transfers before the controller is
+resumed (which happens before our resume method gets called).
+
+So we need to disable our IRQ while suspended to enforce this. The
+code paths for devices with GPIOs for the int and reset pins already
+disable the IRQ the through goodix_free_irq().
+
+This commit also disables the IRQ while suspended for devices without
+GPIOs for the int and reset pins.
+
+This fixes the i2c bus sometimes getting stuck after a suspend/resume
+causing the touchscreen to sometimes not work after a suspend/resume.
+This has been tested on a GPD pocked device.
+
+BugLink: https://github.com/nexus511/gpd-ubuntu-packages/issues/10
+BugLink: https://www.reddit.com/r/GPDPocket/comments/7niut2/fix_for_broken_touch_after_resume_all_linux/
+Tested-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Bastien Nocera <hadess@hadess.net>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/goodix.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/touchscreen/goodix.c
++++ b/drivers/input/touchscreen/goodix.c
+@@ -778,8 +778,10 @@ static int __maybe_unused goodix_suspend
+ int error;
+
+ /* We need gpio pins to suspend/resume */
+- if (!ts->gpiod_int || !ts->gpiod_rst)
++ if (!ts->gpiod_int || !ts->gpiod_rst) {
++ disable_irq(client->irq);
+ return 0;
++ }
+
+ wait_for_completion(&ts->firmware_loading_complete);
+
+@@ -819,8 +821,10 @@ static int __maybe_unused goodix_resume(
+ struct goodix_ts_data *ts = i2c_get_clientdata(client);
+ int error;
+
+- if (!ts->gpiod_int || !ts->gpiod_rst)
++ if (!ts->gpiod_int || !ts->gpiod_rst) {
++ enable_irq(client->irq);
+ return 0;
++ }
+
+ /*
+ * Exit sleep mode by outputting HIGH level to INT pin
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Liam McBirnie <mcbirnie.l@gmail.com>
+Date: Thu, 1 Jun 2017 15:36:01 +1000
+Subject: ip6_tunnel: fix traffic class routing for tunnels
+
+From: Liam McBirnie <mcbirnie.l@gmail.com>
+
+
+[ Upstream commit 5f733ee68f9a4df94775299ac6a7ab260704f6ed ]
+
+ip6_route_output() requires that the flowlabel contains the traffic
+class for policy routing.
+
+Commit 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on
+encapsulated packets") removed the code which previously added the
+traffic class to the flowlabel.
+
+The traffic class is added here because only route lookup needs the
+flowlabel to contain the traffic class.
+
+Fixes: 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets")
+Signed-off-by: Liam McBirnie <liam.mcbirnie@boeing.com>
+Acked-by: Peter Dawson <peter.a.dawson@boeing.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1097,6 +1097,9 @@ int ip6_tnl_xmit(struct sk_buff *skb, st
+
+ if (!dst) {
+ route_lookup:
++ /* add dsfield to flowlabel for route lookup */
++ fl6->flowlabel = ip6_make_flowinfo(dsfield, fl6->flowlabel);
++
+ dst = ip6_route_output(net, NULL, fl6);
+
+ if (dst->error)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 5 May 2017 08:33:24 +0300
+Subject: ipmi_ssif: unlock on allocation failure
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit cf9806f32ef63b745f2486e0dbb2ac21f4ca44f0 ]
+
+We should unlock and re-enable IRQs if this allocation fails.
+
+Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF) ")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_ssif.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -409,6 +409,7 @@ static void start_event_fetch(struct ssi
+ msg = ipmi_alloc_smi_msg();
+ if (!msg) {
+ ssif_info->ssif_state = SSIF_NORMAL;
++ ipmi_ssif_unlock_cond(ssif_info, flags);
+ return;
+ }
+
+@@ -431,6 +432,7 @@ static void start_recv_msg_fetch(struct
+ msg = ipmi_alloc_smi_msg();
+ if (!msg) {
+ ssif_info->ssif_state = SSIF_NORMAL;
++ ipmi_ssif_unlock_cond(ssif_info, flags);
+ return;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Thomas Winter <Thomas.Winter@alliedtelesis.co.nz>
+Date: Tue, 16 May 2017 10:14:44 +1200
+Subject: ipmr: vrf: Find VIFs using the actual device
+
+From: Thomas Winter <Thomas.Winter@alliedtelesis.co.nz>
+
+
+[ Upstream commit bcfc7d33110b0f33069d74138eeb7ca9acbb3c85 ]
+
+The skb->dev that is passed into ip_mr_input is
+the loX device for VRFs. When we lookup a vif
+for this dev, none is found as we do not create
+vifs for loopbacks. Instead lookup a vif for the
+actual device that the packet was received on,
+eg the vlan.
+
+Signed-off-by: Thomas Winter <Thomas.Winter@alliedtelesis.co.nz>
+cc: David Ahern <dsa@cumulusnetworks.com>
+cc: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+cc: roopa <roopa@cumulusnetworks.com>
+Acked-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ipmr.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -1929,6 +1929,20 @@ int ip_mr_input(struct sk_buff *skb)
+ struct net *net = dev_net(skb->dev);
+ int local = skb_rtable(skb)->rt_flags & RTCF_LOCAL;
+ struct mr_table *mrt;
++ struct net_device *dev;
++
++ /* skb->dev passed in is the loX master dev for vrfs.
++ * As there are no vifs associated with loopback devices,
++ * get the proper interface that does have a vif associated with it.
++ */
++ dev = skb->dev;
++ if (netif_is_l3_master(skb->dev)) {
++ dev = dev_get_by_index_rcu(net, IPCB(skb)->iif);
++ if (!dev) {
++ kfree_skb(skb);
++ return -ENODEV;
++ }
++ }
+
+ /* Packet is looped back after forward, it should not be
+ * forwarded second time, but still can be delivered locally.
+@@ -1966,7 +1980,7 @@ int ip_mr_input(struct sk_buff *skb)
+ /* already under rcu_read_lock() */
+ cache = ipmr_cache_find(mrt, ip_hdr(skb)->saddr, ip_hdr(skb)->daddr);
+ if (!cache) {
+- int vif = ipmr_find_vif(mrt, skb->dev);
++ int vif = ipmr_find_vif(mrt, dev);
+
+ if (vif >= 0)
+ cache = ipmr_cache_find_any(mrt, ip_hdr(skb)->daddr,
+@@ -1986,7 +2000,7 @@ int ip_mr_input(struct sk_buff *skb)
+ }
+
+ read_lock(&mrt_lock);
+- vif = ipmr_find_vif(mrt, skb->dev);
++ vif = ipmr_find_vif(mrt, dev);
+ if (vif >= 0) {
+ int err2 = ipmr_cache_unresolved(mrt, vif, skb);
+ read_unlock(&mrt_lock);
--- /dev/null
+From 3f29770723fe498a5c5f57c3a31a996ebdde03e1 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 4 Jun 2017 04:16:23 +0200
+Subject: ipsec: check return value of skb_to_sgvec always
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+commit 3f29770723fe498a5c5f57c3a31a996ebdde03e1 upstream.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[natechancellor: Adjusted context due to lack of fca11ebde3f0]
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/ah4.c | 8 ++++++--
+ net/ipv4/esp4.c | 13 ++++++++-----
+ net/ipv6/ah6.c | 8 ++++++--
+ net/ipv6/esp6.c | 12 ++++++++----
+ 4 files changed, 28 insertions(+), 13 deletions(-)
+
+--- a/net/ipv4/ah4.c
++++ b/net/ipv4/ah4.c
+@@ -220,7 +220,9 @@ static int ah_output(struct xfrm_state *
+ ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
+
+ sg_init_table(sg, nfrags + sglists);
+- skb_to_sgvec_nomark(skb, sg, 0, skb->len);
++ err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
++ if (unlikely(err < 0))
++ goto out_free;
+
+ if (x->props.flags & XFRM_STATE_ESN) {
+ /* Attach seqhi sg right after packet payload */
+@@ -393,7 +395,9 @@ static int ah_input(struct xfrm_state *x
+ skb_push(skb, ihl);
+
+ sg_init_table(sg, nfrags + sglists);
+- skb_to_sgvec_nomark(skb, sg, 0, skb->len);
++ err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
++ if (unlikely(err < 0))
++ goto out_free;
+
+ if (x->props.flags & XFRM_STATE_ESN) {
+ /* Attach seqhi sg right after packet payload */
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -268,10 +268,11 @@ static int esp_output(struct xfrm_state
+ esph->spi = x->id.spi;
+
+ sg_init_table(sg, nfrags);
+- skb_to_sgvec(skb, sg,
+- (unsigned char *)esph - skb->data,
+- assoclen + ivlen + clen + alen);
+-
++ err = skb_to_sgvec(skb, sg,
++ (unsigned char *)esph - skb->data,
++ assoclen + ivlen + clen + alen);
++ if (unlikely(err < 0))
++ goto error;
+ aead_request_set_crypt(req, sg, sg, ivlen + clen, iv);
+ aead_request_set_ad(req, assoclen);
+
+@@ -481,7 +482,9 @@ static int esp_input(struct xfrm_state *
+ }
+
+ sg_init_table(sg, nfrags);
+- skb_to_sgvec(skb, sg, 0, skb->len);
++ err = skb_to_sgvec(skb, sg, 0, skb->len);
++ if (unlikely(err < 0))
++ goto out;
+
+ aead_request_set_crypt(req, sg, sg, elen + ivlen, iv);
+ aead_request_set_ad(req, assoclen);
+--- a/net/ipv6/ah6.c
++++ b/net/ipv6/ah6.c
+@@ -423,7 +423,9 @@ static int ah6_output(struct xfrm_state
+ ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
+
+ sg_init_table(sg, nfrags + sglists);
+- skb_to_sgvec_nomark(skb, sg, 0, skb->len);
++ err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
++ if (unlikely(err < 0))
++ goto out_free;
+
+ if (x->props.flags & XFRM_STATE_ESN) {
+ /* Attach seqhi sg right after packet payload */
+@@ -603,7 +605,9 @@ static int ah6_input(struct xfrm_state *
+ ip6h->hop_limit = 0;
+
+ sg_init_table(sg, nfrags + sglists);
+- skb_to_sgvec_nomark(skb, sg, 0, skb->len);
++ err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
++ if (unlikely(err < 0))
++ goto out_free;
+
+ if (x->props.flags & XFRM_STATE_ESN) {
+ /* Attach seqhi sg right after packet payload */
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -248,9 +248,11 @@ static int esp6_output(struct xfrm_state
+ esph->spi = x->id.spi;
+
+ sg_init_table(sg, nfrags);
+- skb_to_sgvec(skb, sg,
+- (unsigned char *)esph - skb->data,
+- assoclen + ivlen + clen + alen);
++ err = skb_to_sgvec(skb, sg,
++ (unsigned char *)esph - skb->data,
++ assoclen + ivlen + clen + alen);
++ if (unlikely(err < 0))
++ goto error;
+
+ aead_request_set_crypt(req, sg, sg, ivlen + clen, iv);
+ aead_request_set_ad(req, assoclen);
+@@ -423,7 +425,9 @@ static int esp6_input(struct xfrm_state
+ }
+
+ sg_init_table(sg, nfrags);
+- skb_to_sgvec(skb, sg, 0, skb->len);
++ ret = skb_to_sgvec(skb, sg, 0, skb->len);
++ if (unlikely(ret < 0))
++ goto out;
+
+ aead_request_set_crypt(req, sg, sg, elen + ivlen, iv);
+ aead_request_set_ad(req, assoclen);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Mahesh Bandewar <maheshb@google.com>
+Date: Fri, 12 May 2017 17:03:39 -0700
+Subject: ipv6: avoid dad-failures for addresses with NODAD
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+
+[ Upstream commit 66eb9f86e50547ec2a8ff7a75997066a74ef584b ]
+
+Every address gets added with TENTATIVE flag even for the addresses with
+IFA_F_NODAD flag and dad-work is scheduled for them. During this DAD process
+we realize it's an address with NODAD and complete the process without
+sending any probe. However the TENTATIVE flags stays on the
+address for sometime enough to cause misinterpretation when we receive a NS.
+While processing NS, if the address has TENTATIVE flag, we mark it DADFAILED
+and endup with an address that was originally configured as NODAD with
+DADFAILED.
+
+We can't avoid scheduling dad_work for addresses with NODAD but we can
+avoid adding TENTATIVE flag to avoid this racy situation.
+
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Acked-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -988,7 +988,10 @@ ipv6_add_addr(struct inet6_dev *idev, co
+ INIT_HLIST_NODE(&ifa->addr_lst);
+ ifa->scope = scope;
+ ifa->prefix_len = pfxlen;
+- ifa->flags = flags | IFA_F_TENTATIVE;
++ ifa->flags = flags;
++ /* No need to add the TENTATIVE flag for addresses with NODAD */
++ if (!(flags & IFA_F_NODAD))
++ ifa->flags |= IFA_F_TENTATIVE;
+ ifa->valid_lft = valid_lft;
+ ifa->prefered_lft = prefered_lft;
+ ifa->cstamp = ifa->tstamp = jiffies;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Shanker Donthineni <shankerd@codeaurora.org>
+Date: Tue, 5 Dec 2017 13:16:21 -0600
+Subject: irqchip/gic-v3: Fix the driver probe() fail due to disabled GICC entry
+
+From: Shanker Donthineni <shankerd@codeaurora.org>
+
+
+[ Upstream commit ebe2f8718007d5a1238bb3cb8141b5bb2b4d5773 ]
+
+The ACPI specification says OS shouldn't attempt to use GICC configuration
+parameters if the flag ACPI_MADT_ENABLED is cleared. The ARM64-SMP code
+skips the disabled GICC entries but not causing any issue. However the
+current GICv3 driver probe bails out causing kernel panic() instead of
+skipping the disabled GICC interfaces. This issue happens on systems
+where redistributor regions are not in the always-on power domain and
+one of GICC interface marked with ACPI_MADT_ENABLED=0.
+
+This patch does the two things to fix the panic.
+ - Don't return an error in gic_acpi_match_gicc() for disabled GICC entry.
+ - No need to keep GICR region information for disabled GICC entry.
+
+Observed kernel crash on QDF2400 platform GICC entry is disabled.
+Kernel crash traces:
+ Kernel panic - not syncing: No interrupt controller found.
+ CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.13.5 #26
+ [<ffff000008087770>] dump_backtrace+0x0/0x218
+ [<ffff0000080879dc>] show_stack+0x14/0x20
+ [<ffff00000883b078>] dump_stack+0x98/0xb8
+ [<ffff0000080c5c14>] panic+0x118/0x26c
+ [<ffff000008b62348>] init_IRQ+0x24/0x2c
+ [<ffff000008b609fc>] start_kernel+0x230/0x394
+ [<ffff000008b601e4>] __primary_switched+0x64/0x6c
+ ---[ end Kernel panic - not syncing: No interrupt controller found.
+
+Disabled GICC subtable example:
+ Subtable Type : 0B [Generic Interrupt Controller]
+ Length : 50
+ Reserved : 0000
+ CPU Interface Number : 0000003D
+ Processor UID : 0000003D
+ Flags (decoded below) : 00000000
+ Processor Enabled : 0
+ Performance Interrupt Trig Mode : 0
+ Virtual GIC Interrupt Trig Mode : 0
+ Parking Protocol Version : 00000000
+ Performance Interrupt : 00000017
+ Parked Address : 0000000000000000
+ Base Address : 0000000000000000
+ Virtual GIC Base Address : 0000000000000000
+ Hypervisor GIC Base Address : 0000000000000000
+ Virtual GIC Interrupt : 00000019
+ Redistributor Base Address : 0000FFFF88F40000
+ ARM MPIDR : 000000000000000D
+ Efficiency Class : 00
+ Reserved : 000000
+Signed-off-by: Shanker Donthineni <shankerd@codeaurora.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-gic-v3.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/irqchip/irq-gic-v3.c
++++ b/drivers/irqchip/irq-gic-v3.c
+@@ -1250,6 +1250,10 @@ gic_acpi_parse_madt_gicc(struct acpi_sub
+ u32 size = reg == GIC_PIDR2_ARCH_GICv4 ? SZ_64K * 4 : SZ_64K * 2;
+ void __iomem *redist_base;
+
++ /* GICC entry which has !ACPI_MADT_ENABLED is not unusable so skip */
++ if (!(gicc->flags & ACPI_MADT_ENABLED))
++ return 0;
++
+ redist_base = ioremap(gicc->gicr_base_address, size);
+ if (!redist_base)
+ return -ENOMEM;
+@@ -1299,6 +1303,13 @@ static int __init gic_acpi_match_gicc(st
+ if ((gicc->flags & ACPI_MADT_ENABLED) && gicc->gicr_base_address)
+ return 0;
+
++ /*
++ * It's perfectly valid firmware can pass disabled GICC entry, driver
++ * should not treat as errors, skip the entry instead of probe fail.
++ */
++ if (!(gicc->flags & ACPI_MADT_ENABLED))
++ return 0;
++
+ return -ENODEV;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: MaJun <majun258@huawei.com>
+Date: Fri, 12 May 2017 11:55:28 +0800
+Subject: irqchip/mbigen: Fix the clear register offset calculation
+
+From: MaJun <majun258@huawei.com>
+
+
+[ Upstream commit 9459a04b6a5a09967eec94a1b66f0a74312819d9 ]
+
+The register array offset for clearing an interrupt is calculated by:
+
+ offset = (hwirq - RESERVED_IRQ_PER_MBIGEN_CHIP) / 32;
+
+This is wrong because the clear register array includes the reserved
+interrupts. So the clear operation ends up in the wrong register.
+
+This went unnoticed so far, because the hardware clears the real bit
+through a timeout mechanism when the hardware is configured in debug
+mode. That debug mode was enabled on early generations of the hardware, so
+the problem was papered over.
+
+On newer hardware with updated firmware the debug mode was disabled, so the
+bits did not get cleared which causes the system to malfunction.
+
+Remove the subtraction of RESERVED_IRQ_PER_MBIGEN_CHIP, so the correct
+register is accessed.
+
+[ tglx: Rewrote changelog ]
+
+Fixes: a6c2f87b8820 ("irqchip/mbigen: Implement the mbigen irq chip operation functions")
+Signed-off-by: MaJun <majun258@huawei.com>
+Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: linuxarm@huawei.com
+Cc: Wei Yongjun <weiyongjun1@huawei.com>
+Link: http://lkml.kernel.org/r/1494561328-39514-4-git-send-email-guohanjun@huawei.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-mbigen.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/irqchip/irq-mbigen.c
++++ b/drivers/irqchip/irq-mbigen.c
+@@ -105,10 +105,7 @@ static inline void get_mbigen_type_reg(i
+ static inline void get_mbigen_clear_reg(irq_hw_number_t hwirq,
+ u32 *mask, u32 *addr)
+ {
+- unsigned int ofst;
+-
+- hwirq -= RESERVED_IRQ_PER_MBIGEN_CHIP;
+- ofst = hwirq / 32 * 4;
++ unsigned int ofst = (hwirq / 32) * 4;
+
+ *mask = 1 << (hwirq % 32);
+ *addr = ofst + REG_MBIGEN_CLEAR_OFFSET;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Tue, 25 Apr 2017 10:18:10 +0300
+Subject: iwlwifi: fix min API version for 7265D, 3168, 8000 and 8265
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+
+[ Upstream commit 15098803d38778070b8edfa5a3d5fc4fef10d0a1 ]
+
+In a previous commit, we removed support for API versions earlier than
+22 for these NICs. By mistake, the *_UCODE_API_MIN definitions were
+set to 17. Fix that.
+
+Fixes: 4b87e5af638b ("iwlwifi: remove support for fw older than -17 and -22")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-7000.c | 4 ++--
+ drivers/net/wireless/intel/iwlwifi/iwl-8000.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-7000.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-7000.c
+@@ -79,8 +79,8 @@
+ /* Lowest firmware API version supported */
+ #define IWL7260_UCODE_API_MIN 17
+ #define IWL7265_UCODE_API_MIN 17
+-#define IWL7265D_UCODE_API_MIN 17
+-#define IWL3168_UCODE_API_MIN 20
++#define IWL7265D_UCODE_API_MIN 22
++#define IWL3168_UCODE_API_MIN 22
+
+ /* NVM versions */
+ #define IWL7260_NVM_VERSION 0x0a1d
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-8000.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-8000.c
+@@ -74,8 +74,8 @@
+ #define IWL8265_UCODE_API_MAX 26
+
+ /* Lowest firmware API version supported */
+-#define IWL8000_UCODE_API_MIN 17
+-#define IWL8265_UCODE_API_MIN 20
++#define IWL8000_UCODE_API_MIN 22
++#define IWL8265_UCODE_API_MIN 22
+
+ /* NVM versions */
+ #define IWL8000_NVM_VERSION 0x0a1d
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Haim Dreyfuss <haim.dreyfuss@intel.com>
+Date: Thu, 16 Mar 2017 17:26:03 +0200
+Subject: iwlwifi: mvm: Fix command queue number on d0i3 flow
+
+From: Haim Dreyfuss <haim.dreyfuss@intel.com>
+
+
+[ Upstream commit c72c37b7f392ad7edc10b6092fa48c632ba6f4ed ]
+
+During d0i3 flow we flush all the queue except from the command queue.
+Currently, in this flow the command queue is hard coded to 9.
+In DQA the command queue number has changed from 9 to 0.
+Fix that.
+
+This fixes a problem in runtime PM resume flow.
+
+Fixes: 097129c9e625 ("iwlwifi: mvm: move cmd queue to be #0 in dqa mode")
+Signed-off-by: Haim Dreyfuss <haim.dreyfuss@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+@@ -1666,8 +1666,11 @@ int iwl_mvm_find_free_queue(struct iwl_m
+ */
+ static inline u32 iwl_mvm_flushable_queues(struct iwl_mvm *mvm)
+ {
++ u32 cmd_queue = iwl_mvm_is_dqa_supported(mvm) ? IWL_MVM_DQA_CMD_QUEUE :
++ IWL_MVM_CMD_QUEUE;
++
+ return ((BIT(mvm->cfg->base_params->num_of_queues) - 1) &
+- ~BIT(IWL_MVM_CMD_QUEUE));
++ ~BIT(cmd_queue));
+ }
+
+ static inline
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Wed, 29 Mar 2017 10:21:09 +0300
+Subject: iwlwifi: mvm: fix firmware debug restart recording
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+
+[ Upstream commit addce854f164a68da9cb158e2e7e447705068549 ]
+
+When we want to stop the recording of the firmware debug
+and restart it later without reloading the firmware we
+don't need to resend the configuration that comes with
+host commands.
+Sending those commands confused the hardware and led to
+an NMI 0x66.
+
+Change the flow as following:
+* read the relevant registers (DBGC_IN_SAMPLE, DBGC_OUT_CTRL)
+* clear those registers
+* wait for the hardware to complete its write to the buffer
+* get the data
+* restore the value of those registers (to restart the
+ recording)
+
+For early start (where the configuration is already
+compiled in the firmware), we don't need to set those
+registers after the firmware has been loaded, but only
+when we want to restart the recording without having
+restarted the firmware.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-prph.h | 1
+ drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.c | 12 ---------
+ drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 1
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 32 ++++++++++++++++++------
+ 4 files changed, 27 insertions(+), 19 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-prph.h
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-prph.h
+@@ -369,6 +369,7 @@
+ #define MON_DMARB_RD_DATA_ADDR (0xa03c5c)
+
+ #define DBGC_IN_SAMPLE (0xa03c00)
++#define DBGC_OUT_CTRL (0xa03c0c)
+
+ /* enable the ID buf for read */
+ #define WFPM_PS_CTL_CLR 0xA0300C
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.c
+@@ -914,14 +914,6 @@ int iwl_mvm_fw_dbg_collect_trig(struct i
+ return 0;
+ }
+
+-static inline void iwl_mvm_restart_early_start(struct iwl_mvm *mvm)
+-{
+- if (mvm->cfg->device_family == IWL_DEVICE_FAMILY_7000)
+- iwl_clear_bits_prph(mvm->trans, MON_BUFF_SAMPLE_CTL, 0x100);
+- else
+- iwl_write_prph(mvm->trans, DBGC_IN_SAMPLE, 1);
+-}
+-
+ int iwl_mvm_start_fw_dbg_conf(struct iwl_mvm *mvm, u8 conf_id)
+ {
+ u8 *ptr;
+@@ -935,10 +927,8 @@ int iwl_mvm_start_fw_dbg_conf(struct iwl
+ /* EARLY START - firmware's configuration is hard coded */
+ if ((!mvm->fw->dbg_conf_tlv[conf_id] ||
+ !mvm->fw->dbg_conf_tlv[conf_id]->num_of_hcmds) &&
+- conf_id == FW_DBG_START_FROM_ALIVE) {
+- iwl_mvm_restart_early_start(mvm);
++ conf_id == FW_DBG_START_FROM_ALIVE)
+ return 0;
+- }
+
+ if (!mvm->fw->dbg_conf_tlv[conf_id])
+ return -EINVAL;
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+@@ -1687,6 +1687,7 @@ void iwl_mvm_enable_ac_txq(struct iwl_mv
+ static inline void iwl_mvm_stop_device(struct iwl_mvm *mvm)
+ {
+ mvm->ucode_loaded = false;
++ mvm->fw_dbg_conf = FW_DBG_INVALID;
+ iwl_trans_stop_device(mvm->trans);
+ }
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -1118,21 +1118,37 @@ static void iwl_mvm_fw_error_dump_wk(str
+
+ mutex_lock(&mvm->mutex);
+
+- /* stop recording */
+ if (mvm->cfg->device_family == IWL_DEVICE_FAMILY_7000) {
++ /* stop recording */
+ iwl_set_bits_prph(mvm->trans, MON_BUFF_SAMPLE_CTL, 0x100);
++
++ iwl_mvm_fw_error_dump(mvm);
++
++ /* start recording again if the firmware is not crashed */
++ if (!test_bit(STATUS_FW_ERROR, &mvm->trans->status) &&
++ mvm->fw->dbg_dest_tlv)
++ iwl_clear_bits_prph(mvm->trans,
++ MON_BUFF_SAMPLE_CTL, 0x100);
+ } else {
++ u32 in_sample = iwl_read_prph(mvm->trans, DBGC_IN_SAMPLE);
++ u32 out_ctrl = iwl_read_prph(mvm->trans, DBGC_OUT_CTRL);
++
++ /* stop recording */
+ iwl_write_prph(mvm->trans, DBGC_IN_SAMPLE, 0);
+- /* wait before we collect the data till the DBGC stop */
+ udelay(100);
+- }
++ iwl_write_prph(mvm->trans, DBGC_OUT_CTRL, 0);
++ /* wait before we collect the data till the DBGC stop */
++ udelay(500);
+
+- iwl_mvm_fw_error_dump(mvm);
++ iwl_mvm_fw_error_dump(mvm);
+
+- /* start recording again if the firmware is not crashed */
+- WARN_ON_ONCE((!test_bit(STATUS_FW_ERROR, &mvm->trans->status)) &&
+- mvm->fw->dbg_dest_tlv &&
+- iwl_mvm_start_fw_dbg_conf(mvm, mvm->fw_dbg_conf));
++ /* start recording again if the firmware is not crashed */
++ if (!test_bit(STATUS_FW_ERROR, &mvm->trans->status) &&
++ mvm->fw->dbg_dest_tlv) {
++ iwl_write_prph(mvm->trans, DBGC_IN_SAMPLE, in_sample);
++ iwl_write_prph(mvm->trans, DBGC_OUT_CTRL, out_ctrl);
++ }
++ }
+
+ mutex_unlock(&mvm->mutex);
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Fri, 24 Mar 2017 11:01:45 +0200
+Subject: iwlwifi: pcie: only use d0i3 in suspend/resume if system_pm is set to d0i3
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+
+[ Upstream commit e4c49c4937951de1cdbe35572ade40c948dec1e1 ]
+
+We only need to handle d0i3 entry and exit during suspend resume if
+system_pm is set to IWL_PLAT_PM_MODE_D0I3, otherwise d0i3 entry
+failures will cause suspend to fail.
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=194791
+
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -2824,7 +2824,8 @@ static struct iwl_trans_dump_data
+ #ifdef CONFIG_PM_SLEEP
+ static int iwl_trans_pcie_suspend(struct iwl_trans *trans)
+ {
+- if (trans->runtime_pm_mode == IWL_PLAT_PM_MODE_D0I3)
++ if (trans->runtime_pm_mode == IWL_PLAT_PM_MODE_D0I3 &&
++ (trans->system_pm_mode == IWL_PLAT_PM_MODE_D0I3))
+ return iwl_pci_fw_enter_d0i3(trans);
+
+ return 0;
+@@ -2832,7 +2833,8 @@ static int iwl_trans_pcie_suspend(struct
+
+ static void iwl_trans_pcie_resume(struct iwl_trans *trans)
+ {
+- if (trans->runtime_pm_mode == IWL_PLAT_PM_MODE_D0I3)
++ if (trans->runtime_pm_mode == IWL_PLAT_PM_MODE_D0I3 &&
++ (trans->system_pm_mode == IWL_PLAT_PM_MODE_D0I3))
+ iwl_pci_fw_exit_d0i3(trans);
+ }
+ #endif /* CONFIG_PM_SLEEP */
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 22 Mar 2017 22:00:10 +0100
+Subject: iwlwifi: tt: move ucode_loaded check under mutex
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+
+[ Upstream commit d9954405758a0cbbe258d9b4d4dc12a06fa48a28 ]
+
+The ucode_loaded check should be under the mutex, since it can
+otherwise change state after we looked at it and before we got
+the mutex. Fix that.
+
+Fixes: 5c89e7bc557e ("iwlwifi: mvm: add registration to cooling device")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tt.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tt.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tt.c
+@@ -790,11 +790,13 @@ static int iwl_mvm_tcool_set_cur_state(s
+ struct iwl_mvm *mvm = (struct iwl_mvm *)(cdev->devdata);
+ int ret;
+
+- if (!mvm->ucode_loaded || !(mvm->cur_ucode == IWL_UCODE_REGULAR))
+- return -EIO;
+-
+ mutex_lock(&mvm->mutex);
+
++ if (!mvm->ucode_loaded || !(mvm->cur_ucode == IWL_UCODE_REGULAR)) {
++ ret = -EIO;
++ goto unlock;
++ }
++
+ if (new_state >= ARRAY_SIZE(iwl_mvm_cdev_budgets)) {
+ ret = -EINVAL;
+ goto unlock;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: James Morse <james.morse@arm.com>
+Date: Tue, 25 Apr 2017 18:02:44 +0100
+Subject: KVM: arm: Restore banked registers and physical timer access on hyp_panic()
+
+From: James Morse <james.morse@arm.com>
+
+
+[ Upstream commit d2e19368848ce6065daa785efca26faed54732b6 ]
+
+When KVM panics, it hurridly restores the host context and parachutes
+into the host's panic() code. This looks like it was copied from arm64,
+the 32bit KVM panic code needs to restore the host's banked registers
+too.
+
+At some point panic() touches the physical timer/counter, this will
+trap back to HYP. If we're lucky, we panic again.
+
+Add a __timer_save_state() call to KVMs hyp_panic() path, this saves the
+guest registers and disables the traps for the host.
+
+Fixes: c36b6db5f3e4 ("ARM: KVM: Add panic handling code")
+Signed-off-by: James Morse <james.morse@arm.com>
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Reviewed-by: Christoffer Dall <cdall@linaro.org>
+Signed-off-by: Christoffer Dall <cdall@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/kvm/hyp/switch.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/kvm/hyp/switch.c
++++ b/arch/arm/kvm/hyp/switch.c
+@@ -237,8 +237,10 @@ void __hyp_text __noreturn __hyp_panic(i
+
+ vcpu = (struct kvm_vcpu *)read_sysreg(HTPIDR);
+ host_ctxt = kern_hyp_va(vcpu->arch.host_cpu_context);
++ __timer_save_state(vcpu);
+ __deactivate_traps(vcpu);
+ __deactivate_vm(vcpu);
++ __banked_restore_state(host_ctxt);
+ __sysreg_restore_state(host_ctxt);
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: James Morse <james.morse@arm.com>
+Date: Tue, 25 Apr 2017 18:02:45 +0100
+Subject: KVM: arm64: Restore host physical timer access on hyp_panic()
+
+From: James Morse <james.morse@arm.com>
+
+
+[ Upstream commit e8ec032b182cd4841605de4fc297a8edffe55972 ]
+
+When KVM panics, it hurridly restores the host context and parachutes
+into the host's panic() code. At some point panic() touches the physical
+timer/counter. Unless we are an arm64 system with VHE, this traps back
+to EL2. If we're lucky, we panic again.
+
+Add a __timer_save_state() call to KVMs hyp_panic() path, this saves the
+guest registers and disables the traps for the host.
+
+Fixes: 53fd5b6487e4 ("arm64: KVM: Add panic handling")
+Signed-off-by: James Morse <james.morse@arm.com>
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Reviewed-by: Christoffer Dall <cdall@linaro.org>
+Signed-off-by: Christoffer Dall <cdall@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/hyp/switch.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/kvm/hyp/switch.c
++++ b/arch/arm64/kvm/hyp/switch.c
+@@ -404,6 +404,7 @@ void __hyp_text __noreturn __hyp_panic(v
+
+ vcpu = (struct kvm_vcpu *)read_sysreg(tpidr_el2);
+ host_ctxt = kern_hyp_va(vcpu->arch.host_cpu_context);
++ __timer_save_state(vcpu);
+ __deactivate_traps(vcpu);
+ __deactivate_vm(vcpu);
+ __sysreg_restore_host_state(host_ctxt);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "Jan H. Schönherr" <jschoenh@amazon.de>
+Date: Sat, 20 May 2017 13:22:56 +0200
+Subject: KVM: nVMX: Fix handling of lmsw instruction
+
+From: "Jan H. Schönherr" <jschoenh@amazon.de>
+
+
+[ Upstream commit e1d39b17e044e8ae819827810d87d809ba5f58c0 ]
+
+The decision whether or not to exit from L2 to L1 on an lmsw instruction is
+based on bogus values: instead of using the information encoded within the
+exit qualification, it uses the data also used for the mov-to-cr
+instruction, which boils down to using whatever is in %eax at that point.
+
+Use the correct values instead.
+
+Without this fix, an L1 may not get notified when a 32-bit Linux L2
+switches its secondary CPUs to protected mode; the L1 is only notified on
+the next modification of CR0. This short time window poses a problem, when
+there is some other reason to exit to L1 in between. Then, L2 will be
+resumed in real mode and chaos ensues.
+
+Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
+Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7924,11 +7924,13 @@ static bool nested_vmx_exit_handled_cr(s
+ {
+ unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
+ int cr = exit_qualification & 15;
+- int reg = (exit_qualification >> 8) & 15;
+- unsigned long val = kvm_register_readl(vcpu, reg);
++ int reg;
++ unsigned long val;
+
+ switch ((exit_qualification >> 4) & 3) {
+ case 0: /* mov to cr */
++ reg = (exit_qualification >> 8) & 15;
++ val = kvm_register_readl(vcpu, reg);
+ switch (cr) {
+ case 0:
+ if (vmcs12->cr0_guest_host_mask &
+@@ -7983,6 +7985,7 @@ static bool nested_vmx_exit_handled_cr(s
+ * lmsw can change bits 1..3 of cr0, and only set bit 0 of
+ * cr0. Other attempted changes are ignored, with no exit.
+ */
++ val = (exit_qualification >> LMSW_SOURCE_DATA_SHIFT) & 0x0f;
+ if (vmcs12->cr0_guest_host_mask & 0xe &
+ (val ^ vmcs12->cr0_read_shadow))
+ return true;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Jim Mattson <jmattson@google.com>
+Date: Thu, 1 Jun 2017 12:44:46 -0700
+Subject: KVM: nVMX: Update vmcs12->guest_linear_address on nested VM-exit
+
+From: Jim Mattson <jmattson@google.com>
+
+
+[ Upstream commit d281e13b0bfe745a21061a194e386a949784393f ]
+
+The guest-linear address field is set for VM exits due to attempts to
+execute LMSW with a memory operand and VM exits due to attempts to
+execute INS or OUTS for which the relevant segment is usable,
+regardless of whether or not EPT is in use.
+
+Fixes: 119a9c01a5922 ("KVM: nVMX: pass valid guest linear-address to the L1")
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -10664,8 +10664,7 @@ static void prepare_vmcs12(struct kvm_vc
+ vmcs12->guest_pdptr3 = vmcs_read64(GUEST_PDPTR3);
+ }
+
+- if (nested_cpu_has_ept(vmcs12))
+- vmcs12->guest_linear_address = vmcs_readl(GUEST_LINEAR_ADDRESS);
++ vmcs12->guest_linear_address = vmcs_readl(GUEST_LINEAR_ADDRESS);
+
+ if (nested_cpu_has_vid(vmcs12))
+ vmcs12->guest_intr_status = vmcs_read16(GUEST_INTR_STATUS);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Thu, 11 May 2017 11:33:30 +1000
+Subject: KVM: PPC: Book3S PR: Check copy_to/from_user return values
+
+From: Paul Mackerras <paulus@ozlabs.org>
+
+
+[ Upstream commit 67325e988faea735d663799b6d152b5f4254093c ]
+
+The PR KVM implementation of the PAPR HPT hypercalls (H_ENTER etc.)
+access an image of the HPT in userspace memory using copy_from_user
+and copy_to_user. Recently, the declarations of those functions were
+annotated to indicate that the return value must be checked. Since
+this code doesn't currently check the return value, this causes
+compile warnings like the ones shown below, and since on PPC the
+default is to compile arch/powerpc with -Werror, this causes the
+build to fail.
+
+To fix this, we check the return values, and if non-zero, fail the
+hypercall being processed with a H_FUNCTION error return value.
+There is really no good error return value to use since PAPR didn't
+envisage the possibility that the hypervisor may not be able to access
+the guest's HPT, and H_FUNCTION (function not supported) seems as
+good as any.
+
+The typical compile warnings look like this:
+
+ CC arch/powerpc/kvm/book3s_pr_papr.o
+/home/paulus/kernel/kvm/arch/powerpc/kvm/book3s_pr_papr.c: In function ‘kvmppc_h_pr_enter’:
+/home/paulus/kernel/kvm/arch/powerpc/kvm/book3s_pr_papr.c:53:2: error: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result [-Werror=unused-result]
+ copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg));
+ ^
+/home/paulus/kernel/kvm/arch/powerpc/kvm/book3s_pr_papr.c:74:2: error: ignoring return value of ‘copy_to_user’, declared with attribute warn_unused_result [-Werror=unused-result]
+ copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE);
+ ^
+
+... etc.
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kvm/book3s_pr_papr.c | 34 ++++++++++++++++++++++++++--------
+ 1 file changed, 26 insertions(+), 8 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_pr_papr.c
++++ b/arch/powerpc/kvm/book3s_pr_papr.c
+@@ -50,7 +50,9 @@ static int kvmppc_h_pr_enter(struct kvm_
+ pteg_addr = get_pteg_addr(vcpu, pte_index);
+
+ mutex_lock(&vcpu->kvm->arch.hpt_mutex);
+- copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg));
++ ret = H_FUNCTION;
++ if (copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg)))
++ goto done;
+ hpte = pteg;
+
+ ret = H_PTEG_FULL;
+@@ -71,7 +73,9 @@ static int kvmppc_h_pr_enter(struct kvm_
+ hpte[0] = cpu_to_be64(kvmppc_get_gpr(vcpu, 6));
+ hpte[1] = cpu_to_be64(kvmppc_get_gpr(vcpu, 7));
+ pteg_addr += i * HPTE_SIZE;
+- copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE);
++ ret = H_FUNCTION;
++ if (copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE))
++ goto done;
+ kvmppc_set_gpr(vcpu, 4, pte_index | i);
+ ret = H_SUCCESS;
+
+@@ -93,7 +97,9 @@ static int kvmppc_h_pr_remove(struct kvm
+
+ pteg = get_pteg_addr(vcpu, pte_index);
+ mutex_lock(&vcpu->kvm->arch.hpt_mutex);
+- copy_from_user(pte, (void __user *)pteg, sizeof(pte));
++ ret = H_FUNCTION;
++ if (copy_from_user(pte, (void __user *)pteg, sizeof(pte)))
++ goto done;
+ pte[0] = be64_to_cpu((__force __be64)pte[0]);
+ pte[1] = be64_to_cpu((__force __be64)pte[1]);
+
+@@ -103,7 +109,9 @@ static int kvmppc_h_pr_remove(struct kvm
+ ((flags & H_ANDCOND) && (pte[0] & avpn) != 0))
+ goto done;
+
+- copy_to_user((void __user *)pteg, &v, sizeof(v));
++ ret = H_FUNCTION;
++ if (copy_to_user((void __user *)pteg, &v, sizeof(v)))
++ goto done;
+
+ rb = compute_tlbie_rb(pte[0], pte[1], pte_index);
+ vcpu->arch.mmu.tlbie(vcpu, rb, rb & 1 ? true : false);
+@@ -171,7 +179,10 @@ static int kvmppc_h_pr_bulk_remove(struc
+ }
+
+ pteg = get_pteg_addr(vcpu, tsh & H_BULK_REMOVE_PTEX);
+- copy_from_user(pte, (void __user *)pteg, sizeof(pte));
++ if (copy_from_user(pte, (void __user *)pteg, sizeof(pte))) {
++ ret = H_FUNCTION;
++ break;
++ }
+ pte[0] = be64_to_cpu((__force __be64)pte[0]);
+ pte[1] = be64_to_cpu((__force __be64)pte[1]);
+
+@@ -184,7 +195,10 @@ static int kvmppc_h_pr_bulk_remove(struc
+ tsh |= H_BULK_REMOVE_NOT_FOUND;
+ } else {
+ /* Splat the pteg in (userland) hpt */
+- copy_to_user((void __user *)pteg, &v, sizeof(v));
++ if (copy_to_user((void __user *)pteg, &v, sizeof(v))) {
++ ret = H_FUNCTION;
++ break;
++ }
+
+ rb = compute_tlbie_rb(pte[0], pte[1],
+ tsh & H_BULK_REMOVE_PTEX);
+@@ -211,7 +225,9 @@ static int kvmppc_h_pr_protect(struct kv
+
+ pteg = get_pteg_addr(vcpu, pte_index);
+ mutex_lock(&vcpu->kvm->arch.hpt_mutex);
+- copy_from_user(pte, (void __user *)pteg, sizeof(pte));
++ ret = H_FUNCTION;
++ if (copy_from_user(pte, (void __user *)pteg, sizeof(pte)))
++ goto done;
+ pte[0] = be64_to_cpu((__force __be64)pte[0]);
+ pte[1] = be64_to_cpu((__force __be64)pte[1]);
+
+@@ -234,7 +250,9 @@ static int kvmppc_h_pr_protect(struct kv
+ vcpu->arch.mmu.tlbie(vcpu, rb, rb & 1 ? true : false);
+ pte[0] = (__force u64)cpu_to_be64(pte[0]);
+ pte[1] = (__force u64)cpu_to_be64(pte[1]);
+- copy_to_user((void __user *)pteg, pte, sizeof(pte));
++ ret = H_FUNCTION;
++ if (copy_to_user((void __user *)pteg, pte, sizeof(pte)))
++ goto done;
+ ret = H_SUCCESS;
+
+ done:
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Roman Pen <roman.penyaev@profitbricks.com>
+Date: Thu, 1 Jun 2017 10:55:03 +0200
+Subject: KVM: SVM: do not zero out segment attributes if segment is unusable or not present
+
+From: Roman Pen <roman.penyaev@profitbricks.com>
+
+
+[ Upstream commit d9c1b5431d5f0e07575db785a022bce91051ac1d ]
+
+This is a fix for the problem [1], where VMCB.CPL was set to 0 and interrupt
+was taken on userspace stack. The root cause lies in the specific AMD CPU
+behaviour which manifests itself as unusable segment attributes on SYSRET.
+The corresponding work around for the kernel is the following:
+
+61f01dd941ba ("x86_64, asm: Work around AMD SYSRET SS descriptor attribute issue")
+
+In other turn virtualization side treated unusable segment incorrectly and
+restored CPL from SS attributes, which were zeroed out few lines above.
+
+In current patch it is assured only that P bit is cleared in VMCB.save state
+and segment attributes are not zeroed out if segment is not presented or is
+unusable, therefore CPL can be safely restored from DPL field.
+
+This is only one part of the fix, since QEMU side should be fixed accordingly
+not to zero out attributes on its side. Corresponding patch will follow.
+
+[1] Message id: CAJrWOzD6Xq==b-zYCDdFLgSRMPM-NkNuTSDFEtX=7MreT45i7Q@mail.gmail.com
+
+Signed-off-by: Roman Pen <roman.penyaev@profitbricks.com>
+Signed-off-by: Mikhail Sennikovskii <mikhail.sennikovskii@profitbricks.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim KrÄmář <rkrcmar@redhat.com>
+Cc: kvm@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm.c | 24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1879,6 +1879,7 @@ static void svm_get_segment(struct kvm_v
+ */
+ if (var->unusable)
+ var->db = 0;
++ /* This is symmetric with svm_set_segment() */
+ var->dpl = to_svm(vcpu)->vmcb->save.cpl;
+ break;
+ }
+@@ -2024,18 +2025,14 @@ static void svm_set_segment(struct kvm_v
+ s->base = var->base;
+ s->limit = var->limit;
+ s->selector = var->selector;
+- if (var->unusable)
+- s->attrib = 0;
+- else {
+- s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK);
+- s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT;
+- s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT;
+- s->attrib |= (var->present & 1) << SVM_SELECTOR_P_SHIFT;
+- s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT;
+- s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT;
+- s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT;
+- s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT;
+- }
++ s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK);
++ s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT;
++ s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT;
++ s->attrib |= ((var->present & 1) && !var->unusable) << SVM_SELECTOR_P_SHIFT;
++ s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT;
++ s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT;
++ s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT;
++ s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT;
+
+ /*
+ * This is always accurate, except if SYSRET returned to a segment
+@@ -2044,7 +2041,8 @@ static void svm_set_segment(struct kvm_v
+ * would entail passing the CPL to userspace and back.
+ */
+ if (seg == VCPU_SREG_SS)
+- svm->vmcb->save.cpl = (s->attrib >> SVM_SELECTOR_DPL_SHIFT) & 3;
++ /* This is symmetric with svm_get_segment() */
++ svm->vmcb->save.cpl = (var->dpl & 3);
+
+ mark_dirty(svm->vmcb, VMCB_SEG);
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Sat, 20 May 2017 20:32:32 -0700
+Subject: KVM: X86: Fix preempt the preemption timer cancel
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+
+[ Upstream commit 5acc1ca4fb15f00bfa3d4046e35ca381bc25d580 ]
+
+Preemption can occur during cancel preemption timer, and there will be
+inconsistent status in lapic, vmx and vmcs field.
+
+ CPU0 CPU1
+
+ preemption timer vmexit
+ handle_preemption_timer(vCPU0)
+ kvm_lapic_expired_hv_timer
+ vmx_cancel_hv_timer
+ vmx->hv_deadline_tsc = -1
+ vmcs_clear_bits
+ /* hv_timer_in_use still true */
+ sched_out
+ sched_in
+ kvm_arch_vcpu_load
+ vmx_set_hv_timer
+ write vmx->hv_deadline_tsc
+ vmcs_set_bits
+ /* back in kvm_lapic_expired_hv_timer */
+ hv_timer_in_use = false
+ ...
+ vmx_vcpu_run
+ vmx_arm_hv_run
+ write preemption timer deadline
+ spurious preemption timer vmexit
+ handle_preemption_timer(vCPU0)
+ kvm_lapic_expired_hv_timer
+ WARN_ON(!apic->lapic_timer.hv_timer_in_use);
+
+This can be reproduced sporadically during boot of L2 on a
+preemptible L1, causing a splat on L1.
+
+ WARNING: CPU: 3 PID: 1952 at arch/x86/kvm/lapic.c:1529 kvm_lapic_expired_hv_timer+0xb5/0xd0 [kvm]
+ CPU: 3 PID: 1952 Comm: qemu-system-x86 Not tainted 4.12.0-rc1+ #24 RIP: 0010:kvm_lapic_expired_hv_timer+0xb5/0xd0 [kvm]
+ Call Trace:
+ handle_preemption_timer+0xe/0x20 [kvm_intel]
+ vmx_handle_exit+0xc9/0x15f0 [kvm_intel]
+ ? lock_acquire+0xdb/0x250
+ ? lock_acquire+0xdb/0x250
+ ? kvm_arch_vcpu_ioctl_run+0xdf3/0x1ce0 [kvm]
+ kvm_arch_vcpu_ioctl_run+0xe55/0x1ce0 [kvm]
+ kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
+ ? kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
+ ? __fget+0xf3/0x210
+ do_vfs_ioctl+0xa4/0x700
+ ? __fget+0x114/0x210
+ SyS_ioctl+0x79/0x90
+ do_syscall_64+0x8f/0x750
+ ? trace_hardirqs_on_thunk+0x1a/0x1c
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+This patch fixes it by disabling preemption while cancelling
+preemption timer. This way cancel_hv_timer is atomic with
+respect to kvm_arch_vcpu_load.
+
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/lapic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -1363,8 +1363,10 @@ EXPORT_SYMBOL_GPL(kvm_lapic_hv_timer_in_
+
+ static void cancel_hv_tscdeadline(struct kvm_lapic *apic)
+ {
++ preempt_disable();
+ kvm_x86_ops->cancel_hv_timer(apic->vcpu);
+ apic->lapic_timer.hv_timer_in_use = false;
++ preempt_enable();
+ }
+
+ void kvm_lapic_expired_hv_timer(struct kvm_vcpu *vcpu)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Fri, 22 Dec 2017 15:10:17 +0100
+Subject: l2tp: fix missing print session offset info
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+
+[ Upstream commit 820da5357572715c6235ba3b3daa2d5b43a1198f ]
+
+Report offset parameter in L2TP_CMD_SESSION_GET command if
+it has been configured by userspace
+
+Fixes: 309795f4bec ("l2tp: Add netlink control API for L2TP")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_netlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/l2tp/l2tp_netlink.c
++++ b/net/l2tp/l2tp_netlink.c
+@@ -750,6 +750,8 @@ static int l2tp_nl_session_send(struct s
+
+ if ((session->ifname[0] &&
+ nla_put_string(skb, L2TP_ATTR_IFNAME, session->ifname)) ||
++ (session->offset &&
++ nla_put_u16(skb, L2TP_ATTR_OFFSET, session->offset)) ||
+ (session->cookie_len &&
+ nla_put(skb, L2TP_ATTR_COOKIE, session->cookie_len,
+ &session->cookie[0])) ||
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Tin Huynh <tnhuynh@apm.com>
+Date: Mon, 22 May 2017 16:19:20 +0700
+Subject: leds: pca955x: Correct I2C Functionality
+
+From: Tin Huynh <tnhuynh@apm.com>
+
+
+[ Upstream commit aace34c0bb8ea3c8bdcec865b6a4be4db0a68e33 ]
+
+The driver checks an incorrect flag of functionality of adapter.
+When a driver requires i2c_smbus_read_byte_data and
+i2c_smbus_write_byte_data, it should check I2C_FUNC_SMBUS_BYTE_DATA
+instead I2C_FUNC_I2C.
+This patch fixes the problem.
+
+Signed-off-by: Tin Huynh <tnhuynh@apm.com>
+Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/leds/leds-pca955x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/leds/leds-pca955x.c
++++ b/drivers/leds/leds-pca955x.c
+@@ -266,7 +266,7 @@ static int pca955x_probe(struct i2c_clie
+ "slave address 0x%02x\n",
+ id->name, chip->bits, client->addr);
+
+- if (!i2c_check_functionality(adapter, I2C_FUNC_I2C))
++ if (!i2c_check_functionality(adapter, I2C_FUNC_SMBUS_BYTE_DATA))
+ return -EIO;
+
+ if (pdata) {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 23 May 2017 17:25:10 +0300
+Subject: libceph: NULL deref on crush_decode() error path
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 293dffaad8d500e1a5336eeb90d544cf40d4fbd8 ]
+
+If there is not enough space then ceph_decode_32_safe() does a goto bad.
+We need to return an error code in that situation. The current code
+returns ERR_PTR(0) which is NULL. The callers are not expecting that
+and it results in a NULL dereference.
+
+Fixes: f24e9980eb86 ("ceph: OSD client")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/osdmap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -295,6 +295,7 @@ static struct crush_map *crush_decode(vo
+ u32 yes;
+ struct crush_rule *r;
+
++ err = -EINVAL;
+ ceph_decode_32_safe(p, end, yes, bad);
+ if (!yes) {
+ dout("crush_decode NO rule %d off %x %p to %p\n",
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Tue, 28 Mar 2017 21:25:08 -0400
+Subject: lockd: fix lockd shutdown race
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+
+[ Upstream commit efda760fe95ea15291853c8fa9235c32d319cd98 ]
+
+As reported by David Jeffery: "a signal was sent to lockd while lockd
+was shutting down from a request to stop nfs. The signal causes lockd
+to call restart_grace() which puts the lockd_net structure on the grace
+list. If this signal is received at the wrong time, it will occur after
+lockd_down_net() has called locks_end_grace() but before
+lockd_down_net() stops the lockd thread. This leads to lockd putting
+the lockd_net structure back on the grace list, then exiting without
+anything removing it from the list."
+
+So, perform the final locks_end_grace() from the the lockd thread; this
+ensures it's serialized with respect to restart_grace().
+
+Reported-by: David Jeffery <djeffery@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/lockd/svc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/lockd/svc.c
++++ b/fs/lockd/svc.c
+@@ -132,6 +132,8 @@ lockd(void *vrqstp)
+ {
+ int err = 0;
+ struct svc_rqst *rqstp = vrqstp;
++ struct net *net = &init_net;
++ struct lockd_net *ln = net_generic(net, lockd_net_id);
+
+ /* try_to_freeze() is called from svc_recv() */
+ set_freezable();
+@@ -176,6 +178,8 @@ lockd(void *vrqstp)
+ if (nlmsvc_ops)
+ nlmsvc_invalidate_all();
+ nlm_shutdown_hosts();
++ cancel_delayed_work_sync(&ln->grace_period_end);
++ locks_end_grace(&ln->lockd_manager);
+ return 0;
+ }
+
+@@ -270,8 +274,6 @@ static void lockd_down_net(struct svc_se
+ if (ln->nlmsvc_users) {
+ if (--ln->nlmsvc_users == 0) {
+ nlm_shutdown_hosts_net(net);
+- cancel_delayed_work_sync(&ln->grace_period_end);
+- locks_end_grace(&ln->lockd_manager);
+ svc_shutdown_net(serv, net);
+ dprintk("lockd_down_net: per-net data destroyed; net=%p\n", net);
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Tue, 2 May 2017 17:56:21 +0300
+Subject: mac80211: bail out from prep_connection() if a reconfig is ongoing
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+
+[ Upstream commit f8860ce836f2d502b07ef99559707fe55d90f5bc ]
+
+If ieee80211_hw_restart() is called during authentication, the
+authentication process will continue, causing the driver to be called
+in a wrong state. This ultimately causes an oops in the iwlwifi
+driver (at least).
+
+This fixes bugzilla 195299 partly.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195299
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mlme.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -4332,6 +4332,10 @@ static int ieee80211_prep_connection(str
+ if (WARN_ON(!ifmgd->auth_data && !ifmgd->assoc_data))
+ return -EINVAL;
+
++ /* If a reconfig is happening, bail out */
++ if (local->in_reconfig)
++ return -EBUSY;
++
+ if (assoc) {
+ rcu_read_lock();
+ have_sta = sta_info_get(sdata, cbss->bssid);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "Peter Große" <pegro@friiks.de>
+Date: Wed, 13 Dec 2017 18:29:46 +0100
+Subject: mac80211: Fix setting TX power on monitor interfaces
+
+From: "Peter Große" <pegro@friiks.de>
+
+
+[ Upstream commit 3a3713ec360138f806c6fc368d1de570f692b347 ]
+
+Instead of calling ieee80211_recalc_txpower on monitor interfaces
+directly, call it using the virtual monitor interface, if one exists.
+
+In case of a single monitor interface given, reject setting TX power,
+if no virtual monitor interface exists.
+
+That being checked, don't warn in ieee80211_bss_info_change_notify,
+after setting TX power on a monitor interface.
+
+Fixes warning:
+------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 2193 at net/mac80211/driver-ops.h:167
+ ieee80211_bss_info_change_notify+0x111/0x190 Modules linked in: uvcvideo
+ videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core
+rndis_host cdc_ether usbnet mii tp_smapi(O) thinkpad_ec(O) ohci_hcd vboxpci(O)
+ vboxnetadp(O) vboxnetflt(O) v boxdrv(O) x86_pkg_temp_thermal kvm_intel kvm
+ irqbypass iwldvm iwlwifi ehci_pci ehci_hcd tpm_tis tpm_tis_core tpm CPU: 0
+ PID: 2193 Comm: iw Tainted: G O 4.12.12-gentoo #2 task:
+ ffff880186fd5cc0 task.stack: ffffc90001b54000 RIP:
+ 0010:ieee80211_bss_info_change_notify+0x111/0x190 RSP: 0018:ffffc90001b57a10
+ EFLAGS: 00010246 RAX: 0000000000000006 RBX: ffff8801052ce840 RCX:
+ 0000000000000064 RDX: 00000000fffffffc RSI: 0000000000040000 RDI:
+ ffff8801052ce840 RBP: ffffc90001b57a38 R08: 0000000000000062 R09:
+ 0000000000000000 R10: ffff8802144b5000 R11: ffff880049dc4614 R12:
+ 0000000000040000 R13: 0000000000000064 R14: ffff8802105f0760 R15:
+ ffffc90001b57b48 FS: 00007f92644b4580(0000) GS:ffff88021e200000(0000)
+ knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f9263c109f0 CR3: 00000001df850000 CR4: 00000000000406f0
+ Call Trace:
+ ieee80211_recalc_txpower+0x33/0x40
+ ieee80211_set_tx_power+0x40/0x180
+ nl80211_set_wiphy+0x32e/0x950
+
+Reported-by: Peter Große <pegro@friiks.de>
+Signed-off-by: Peter Große <pegro@friiks.de>
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c | 28 +++++++++++++++++++++++++++-
+ net/mac80211/driver-ops.h | 3 ++-
+ 2 files changed, 29 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2341,10 +2341,17 @@ static int ieee80211_set_tx_power(struct
+ struct ieee80211_sub_if_data *sdata;
+ enum nl80211_tx_power_setting txp_type = type;
+ bool update_txp_type = false;
++ bool has_monitor = false;
+
+ if (wdev) {
+ sdata = IEEE80211_WDEV_TO_SUB_IF(wdev);
+
++ if (sdata->vif.type == NL80211_IFTYPE_MONITOR) {
++ sdata = rtnl_dereference(local->monitor_sdata);
++ if (!sdata)
++ return -EOPNOTSUPP;
++ }
++
+ switch (type) {
+ case NL80211_TX_POWER_AUTOMATIC:
+ sdata->user_power_level = IEEE80211_UNSET_POWER_LEVEL;
+@@ -2383,15 +2390,34 @@ static int ieee80211_set_tx_power(struct
+
+ mutex_lock(&local->iflist_mtx);
+ list_for_each_entry(sdata, &local->interfaces, list) {
++ if (sdata->vif.type == NL80211_IFTYPE_MONITOR) {
++ has_monitor = true;
++ continue;
++ }
+ sdata->user_power_level = local->user_power_level;
+ if (txp_type != sdata->vif.bss_conf.txpower_type)
+ update_txp_type = true;
+ sdata->vif.bss_conf.txpower_type = txp_type;
+ }
+- list_for_each_entry(sdata, &local->interfaces, list)
++ list_for_each_entry(sdata, &local->interfaces, list) {
++ if (sdata->vif.type == NL80211_IFTYPE_MONITOR)
++ continue;
+ ieee80211_recalc_txpower(sdata, update_txp_type);
++ }
+ mutex_unlock(&local->iflist_mtx);
+
++ if (has_monitor) {
++ sdata = rtnl_dereference(local->monitor_sdata);
++ if (sdata) {
++ sdata->user_power_level = local->user_power_level;
++ if (txp_type != sdata->vif.bss_conf.txpower_type)
++ update_txp_type = true;
++ sdata->vif.bss_conf.txpower_type = txp_type;
++
++ ieee80211_recalc_txpower(sdata, update_txp_type);
++ }
++ }
++
+ return 0;
+ }
+
+--- a/net/mac80211/driver-ops.h
++++ b/net/mac80211/driver-ops.h
+@@ -164,7 +164,8 @@ static inline void drv_bss_info_changed(
+ if (WARN_ON_ONCE(sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE ||
+ sdata->vif.type == NL80211_IFTYPE_NAN ||
+ (sdata->vif.type == NL80211_IFTYPE_MONITOR &&
+- !sdata->vif.mu_mimo_owner)))
++ !sdata->vif.mu_mimo_owner &&
++ !(changed & BSS_CHANGED_TXPOWER))))
+ return;
+
+ if (!check_sdata_in_driver(sdata))
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 4 Jun 2017 04:16:25 +0200
+Subject: macsec: check return value of skb_to_sgvec always
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+
+[ Upstream commit cda7ea6903502af34015000e16be290a79f07638 ]
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -742,7 +742,12 @@ static struct sk_buff *macsec_encrypt(st
+ macsec_fill_iv(iv, secy->sci, pn);
+
+ sg_init_table(sg, ret);
+- skb_to_sgvec(skb, sg, 0, skb->len);
++ ret = skb_to_sgvec(skb, sg, 0, skb->len);
++ if (unlikely(ret < 0)) {
++ macsec_txsa_put(tx_sa);
++ kfree_skb(skb);
++ return ERR_PTR(ret);
++ }
+
+ if (tx_sc->encrypt) {
+ int len = skb->len - macsec_hdr_len(sci_present) -
+@@ -949,7 +954,11 @@ static struct sk_buff *macsec_decrypt(st
+ macsec_fill_iv(iv, sci, ntohl(hdr->packet_number));
+
+ sg_init_table(sg, ret);
+- skb_to_sgvec(skb, sg, 0, skb->len);
++ ret = skb_to_sgvec(skb, sg, 0, skb->len);
++ if (unlikely(ret < 0)) {
++ kfree_skb(skb);
++ return ERR_PTR(ret);
++ }
+
+ if (hdr->tci_an & MACSEC_TCI_E) {
+ /* confidentiality: ethernet + macsec header
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: A Sun <as1033x@comcast.net>
+Date: Sun, 26 Mar 2017 15:33:07 -0300
+Subject: [media] mceusb: sporadic RX truncation corruption fix
+
+From: A Sun <as1033x@comcast.net>
+
+
+[ Upstream commit 8e175b22e8640bf3a58e071af54190b909e4a944 ]
+
+Intermittent RX truncation and loss of IR received data. This resulted
+in receive stream synchronization errors where driver attempted to
+incorrectly parse IR data (eg 0x90 below) as command response.
+
+[ 3969.139898] mceusb 1-1.2:1.0: processed IR data
+[ 3969.151315] mceusb 1-1.2:1.0: rx data: 00 90 (length=2)
+[ 3969.151321] mceusb 1-1.2:1.0: Unknown command 0x00 0x90
+[ 3969.151336] mceusb 1-1.2:1.0: rx data: 98 0a 8d 0a 8e 0a 8e 0a 8e 0a 8e 0a 9a 0a 8e 0a 0b 3a 8e 00 80 41 59 00 00 (length=25)
+[ 3969.151341] mceusb 1-1.2:1.0: Raw IR data, 24 pulse/space samples
+[ 3969.151348] mceusb 1-1.2:1.0: Storing space with duration 500000
+
+Bug trigger appears to be normal, but heavy, IR receiver use.
+
+Signed-off-by: A Sun <as1033x@comcast.net>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/mceusb.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/rc/mceusb.c
++++ b/drivers/media/rc/mceusb.c
+@@ -1381,8 +1381,13 @@ static int mceusb_dev_probe(struct usb_i
+ goto rc_dev_fail;
+
+ /* wire up inbound data handler */
+- usb_fill_int_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp,
+- mceusb_dev_recv, ir, ep_in->bInterval);
++ if (usb_endpoint_xfer_int(ep_in))
++ usb_fill_int_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp,
++ mceusb_dev_recv, ir, ep_in->bInterval);
++ else
++ usb_fill_bulk_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp,
++ mceusb_dev_recv, ir);
++
+ ir->urb_in->transfer_dma = ir->dma_in;
+ ir->urb_in->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Guoqing Jiang <gqjiang@suse.com>
+Date: Tue, 16 May 2017 14:01:25 +0800
+Subject: md-cluster: fix potential lock issue in add_new_disk
+
+From: Guoqing Jiang <gqjiang@suse.com>
+
+
+[ Upstream commit 2dffdc0724004f38f5e39907747b53e4b0d80e59 ]
+
+The add_new_disk returns with communication locked if
+__sendmsg returns failure, fix it with call unlock_comm
+before return.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+CC: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md-cluster.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/md-cluster.c
++++ b/drivers/md/md-cluster.c
+@@ -1122,8 +1122,10 @@ static int add_new_disk(struct mddev *md
+ cmsg.raid_slot = cpu_to_le32(rdev->desc_nr);
+ lock_comm(cinfo);
+ ret = __sendmsg(cinfo, &cmsg);
+- if (ret)
++ if (ret) {
++ unlock_comm(cinfo);
+ return ret;
++ }
+ cinfo->no_new_dev_lockres->flags |= DLM_LKF_NOQUEUE;
+ ret = dlm_lock_sync(cinfo->no_new_dev_lockres, DLM_LOCK_EX);
+ cinfo->no_new_dev_lockres->flags &= ~DLM_LKF_NOQUEUE;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Julia Cartwright <julia@ni.com>
+Date: Fri, 28 Apr 2017 12:41:02 -0500
+Subject: md/raid5: make use of spin_lock_irq over local_irq_disable + spin_lock
+
+From: Julia Cartwright <julia@ni.com>
+
+
+[ Upstream commit 3d05f3aed5d721c2c77d20288c29ab26c6193ed5 ]
+
+On mainline, there is no functional difference, just less code, and
+symmetric lock/unlock paths.
+
+On PREEMPT_RT builds, this fixes the following warning, seen by
+Alexander GQ Gerasiov, due to the sleeping nature of spinlocks.
+
+ BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:993
+ in_atomic(): 0, irqs_disabled(): 1, pid: 58, name: kworker/u12:1
+ CPU: 5 PID: 58 Comm: kworker/u12:1 Tainted: G W 4.9.20-rt16-stand6-686 #1
+ Hardware name: Supermicro SYS-5027R-WRF/X9SRW-F, BIOS 3.2a 10/28/2015
+ Workqueue: writeback wb_workfn (flush-253:0)
+ Call Trace:
+ dump_stack+0x47/0x68
+ ? migrate_enable+0x4a/0xf0
+ ___might_sleep+0x101/0x180
+ rt_spin_lock+0x17/0x40
+ add_stripe_bio+0x4e3/0x6c0 [raid456]
+ ? preempt_count_add+0x42/0xb0
+ raid5_make_request+0x737/0xdd0 [raid456]
+
+Reported-by: Alexander GQ Gerasiov <gq@redlab-i.ru>
+Tested-by: Alexander GQ Gerasiov <gq@redlab-i.ru>
+Signed-off-by: Julia Cartwright <julia@ni.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid5.c | 17 +++++++----------
+ 1 file changed, 7 insertions(+), 10 deletions(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -110,8 +110,7 @@ static inline void unlock_device_hash_lo
+ static inline void lock_all_device_hash_locks_irq(struct r5conf *conf)
+ {
+ int i;
+- local_irq_disable();
+- spin_lock(conf->hash_locks);
++ spin_lock_irq(conf->hash_locks);
+ for (i = 1; i < NR_STRIPE_HASH_LOCKS; i++)
+ spin_lock_nest_lock(conf->hash_locks + i, conf->hash_locks);
+ spin_lock(&conf->device_lock);
+@@ -121,9 +120,9 @@ static inline void unlock_all_device_has
+ {
+ int i;
+ spin_unlock(&conf->device_lock);
+- for (i = NR_STRIPE_HASH_LOCKS; i; i--)
+- spin_unlock(conf->hash_locks + i - 1);
+- local_irq_enable();
++ for (i = NR_STRIPE_HASH_LOCKS - 1; i; i--)
++ spin_unlock(conf->hash_locks + i);
++ spin_unlock_irq(conf->hash_locks);
+ }
+
+ /* bio's attached to a stripe+device for I/O are linked together in bi_sector
+@@ -732,12 +731,11 @@ static bool is_full_stripe_write(struct
+
+ static void lock_two_stripes(struct stripe_head *sh1, struct stripe_head *sh2)
+ {
+- local_irq_disable();
+ if (sh1 > sh2) {
+- spin_lock(&sh2->stripe_lock);
++ spin_lock_irq(&sh2->stripe_lock);
+ spin_lock_nested(&sh1->stripe_lock, 1);
+ } else {
+- spin_lock(&sh1->stripe_lock);
++ spin_lock_irq(&sh1->stripe_lock);
+ spin_lock_nested(&sh2->stripe_lock, 1);
+ }
+ }
+@@ -745,8 +743,7 @@ static void lock_two_stripes(struct stri
+ static void unlock_two_stripes(struct stripe_head *sh1, struct stripe_head *sh2)
+ {
+ spin_unlock(&sh1->stripe_lock);
+- spin_unlock(&sh2->stripe_lock);
+- local_irq_enable();
++ spin_unlock_irq(&sh2->stripe_lock);
+ }
+
+ /* Only freshly new full stripe normal write stripe can be added to a batch list */
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Jon Mason <jon.mason@broadcom.com>
+Date: Wed, 10 May 2017 11:20:27 -0400
+Subject: mdio: mux: Correct mdio_mux_init error path issues
+
+From: Jon Mason <jon.mason@broadcom.com>
+
+
+[ Upstream commit b60161668199ac62011c024adc9e66713b9554e7 ]
+
+There is a potential unnecessary refcount decrement on error path of
+put_device(&pb->mii_bus->dev), as it is possible to avoid the
+of_mdio_find_bus() call if mux_bus is specified by the calling function.
+
+The same put_device() is not called in the error path if the
+devm_kzalloc of pb fails. This caused the variable used in the
+put_device() to be changed, as the pb pointer was obviously not set up.
+
+There is an unnecessary of_node_get() on child_bus_node if the
+of_mdiobus_register() is successful, as the
+for_each_available_child_of_node() automatically increments this.
+Thus the refcount on this node will always be +1 more than it should be.
+
+There is no of_node_put() on child_bus_node if the of_mdiobus_register()
+call fails.
+
+Finally, it is lacking devm_kfree() of pb in the error path. While this
+might not be technically necessary, it was present in other parts of the
+function. So, I am adding it where necessary to make it uniform.
+
+Signed-off-by: Jon Mason <jon.mason@broadcom.com>
+Fixes: f20e6657a875 ("mdio: mux: Enhanced MDIO mux framework for integrated multiplexers")
+Fixes: 0ca2997d1452 ("netdev/of/phy: Add MDIO bus multiplexer support.")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio-mux.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/phy/mdio-mux.c
++++ b/drivers/net/phy/mdio-mux.c
+@@ -122,10 +122,9 @@ int mdio_mux_init(struct device *dev,
+ pb = devm_kzalloc(dev, sizeof(*pb), GFP_KERNEL);
+ if (pb == NULL) {
+ ret_val = -ENOMEM;
+- goto err_parent_bus;
++ goto err_pb_kz;
+ }
+
+-
+ pb->switch_data = data;
+ pb->switch_fn = switch_fn;
+ pb->current_child = -1;
+@@ -154,6 +153,7 @@ int mdio_mux_init(struct device *dev,
+ cb->mii_bus = mdiobus_alloc();
+ if (!cb->mii_bus) {
+ ret_val = -ENOMEM;
++ devm_kfree(dev, cb);
+ of_node_put(child_bus_node);
+ break;
+ }
+@@ -169,8 +169,8 @@ int mdio_mux_init(struct device *dev,
+ if (r) {
+ mdiobus_free(cb->mii_bus);
+ devm_kfree(dev, cb);
++ of_node_put(child_bus_node);
+ } else {
+- of_node_get(child_bus_node);
+ cb->next = pb->children;
+ pb->children = cb;
+ }
+@@ -181,9 +181,11 @@ int mdio_mux_init(struct device *dev,
+ return 0;
+ }
+
++ devm_kfree(dev, pb);
++err_pb_kz:
+ /* balance the reference of_mdio_find_bus() took */
+- put_device(&pb->mii_bus->dev);
+-
++ if (!mux_bus)
++ put_device(&parent_bus->dev);
+ err_parent_bus:
+ of_node_put(parent_bus_node);
+ return ret_val;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Julia Lawall <julia.lawall@lip6.fr>
+Date: Fri, 12 May 2017 22:54:23 +0800
+Subject: mdio: mux: fix device_node_continue.cocci warnings
+
+From: Julia Lawall <julia.lawall@lip6.fr>
+
+
+[ Upstream commit 8c977f5a856a7276450ddf3a7b57b4a8815b63f9 ]
+
+Device node iterators put the previous value of the index variable, so an
+explicit put causes a double put.
+
+In particular, of_mdiobus_register can fail before doing anything
+interesting, so one could view it as a no-op from the reference count
+point of view.
+
+Generated by: scripts/coccinelle/iterators/device_node_continue.cocci
+
+CC: Jon Mason <jon.mason@broadcom.com>
+Signed-off-by: Julia Lawall <julia.lawall@lip6.fr>
+Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio-mux.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/phy/mdio-mux.c
++++ b/drivers/net/phy/mdio-mux.c
+@@ -169,7 +169,6 @@ int mdio_mux_init(struct device *dev,
+ if (r) {
+ mdiobus_free(cb->mii_bus);
+ devm_kfree(dev, cb);
+- of_node_put(child_bus_node);
+ } else {
+ cb->next = pb->children;
+ pb->children = cb;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Date: Thu, 28 Dec 2017 09:16:47 -0500
+Subject: media: videobuf2-core: don't go out of the buffer range
+
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+
+
+[ Upstream commit df93dc61b0d8b19a5c9db545cf3fcc24f88dfde4 ]
+
+Currently, there's no check if an invalid buffer range
+is passed. However, while testing DVB memory mapped apps,
+I got this:
+
+ videobuf2_core: VB: num_buffers -2143943680, buffer 33, index -2143943647
+ unable to handle kernel paging request at ffff888b773c0890
+ IP: __vb2_queue_alloc+0x134/0x4e0 [videobuf2_core]
+ PGD 4142c7067 P4D 4142c7067 PUD 0
+ Oops: 0002 [#1] SMP
+ Modules linked in: xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc rc_dvbsky sp2 ts2020 intel_rapl x86_pkg_temp_thermal dvb_usb_dvbsky intel_powerclamp dvb_usb_v2 coretemp m88ds3103 kvm_intel i2c_mux dvb_core snd_hda_codec_hdmi crct10dif_pclmul crc32_pclmul videobuf2_vmalloc videobuf2_memops snd_hda_intel ghash_clmulni_intel videobuf2_core snd_hda_codec rc_core mei_me intel_cstate snd_hwdep snd_hda_core videodev intel_uncore snd_pcm mei media tpm_tis tpm_tis_core intel_rapl_perf tpm snd_timer lpc_ich snd soundcore kvm irqbypass libcrc32c i915 i2c_algo_bit drm_kms_helper
+ e1000e ptp drm crc32c_intel video pps_core
+ CPU: 3 PID: 1776 Comm: dvbv5-zap Not tainted 4.14.0+ #78
+ Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
+ task: ffff88877c73bc80 task.stack: ffffb7c402418000
+ RIP: 0010:__vb2_queue_alloc+0x134/0x4e0 [videobuf2_core]
+ RSP: 0018:ffffb7c40241bc60 EFLAGS: 00010246
+ RAX: 0000000080360421 RBX: 0000000000000021 RCX: 000000000000000a
+ RDX: ffffb7c40241bcf4 RSI: ffff888780362c60 RDI: ffff888796d8e130
+ RBP: ffffb7c40241bcc8 R08: 0000000000000316 R09: 0000000000000004
+ R10: ffff888780362c00 R11: 0000000000000001 R12: 000000000002f000
+ R13: ffff8887758be700 R14: 0000000000021000 R15: 0000000000000001
+ FS: 00007f2849024740(0000) GS:ffff888796d80000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffff888b773c0890 CR3: 000000043beb2005 CR4: 00000000003606e0
+ Call Trace:
+ vb2_core_reqbufs+0x226/0x420 [videobuf2_core]
+ dvb_vb2_reqbufs+0x2d/0xc0 [dvb_core]
+ dvb_dvr_do_ioctl+0x98/0x1d0 [dvb_core]
+ dvb_usercopy+0x53/0x1b0 [dvb_core]
+ ? dvb_demux_ioctl+0x20/0x20 [dvb_core]
+ ? tty_ldisc_deref+0x16/0x20
+ ? tty_write+0x1f9/0x310
+ ? process_echoes+0x70/0x70
+ dvb_dvr_ioctl+0x15/0x20 [dvb_core]
+ do_vfs_ioctl+0xa5/0x600
+ SyS_ioctl+0x79/0x90
+ entry_SYSCALL_64_fastpath+0x1a/0xa5
+ RIP: 0033:0x7f28486f7ea7
+ RSP: 002b:00007ffc13b2db18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ RAX: ffffffffffffffda RBX: 000055b10fc06130 RCX: 00007f28486f7ea7
+ RDX: 00007ffc13b2db48 RSI: 00000000c0086f3c RDI: 0000000000000007
+ RBP: 0000000000000203 R08: 000055b10df1e02c R09: 000000000000002e
+ R10: 0036b42415108357 R11: 0000000000000246 R12: 0000000000000000
+ R13: 00007f2849062f60 R14: 00000000000001f1 R15: 00007ffc13b2da54
+ Code: 74 0a 60 8b 0a 48 83 c0 30 48 83 c2 04 89 48 d0 89 48 d4 48 39 f0 75 eb 41 8b 42 08 83 7d d4 01 41 c7 82 ec 01 00 00 ff ff ff ff <4d> 89 94 c5 88 00 00 00 74 14 83 c3 01 41 39 dc 0f 85 f1 fe ff
+ RIP: __vb2_queue_alloc+0x134/0x4e0 [videobuf2_core] RSP: ffffb7c40241bc60
+ CR2: ffff888b773c0890
+
+So, add a sanity check in order to prevent going past array.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/videobuf2-core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -334,6 +334,10 @@ static int __vb2_queue_alloc(struct vb2_
+ struct vb2_buffer *vb;
+ int ret;
+
++ /* Ensure that q->num_buffers+num_buffers is below VB2_MAX_FRAME */
++ num_buffers = min_t(unsigned int, num_buffers,
++ VB2_MAX_FRAME - q->num_buffers);
++
+ for (buffer = 0; buffer < num_buffers; ++buffer) {
+ /* Allocate videobuf buffer structures */
+ vb = kzalloc(q->buf_struct_size, GFP_KERNEL);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Date: Thu, 8 Jun 2017 15:20:32 +0200
+Subject: MIPS: kprobes: flush_insn_slot should flush only if probe initialised
+
+From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+
+
+[ Upstream commit 698b851073ddf5a894910d63ca04605e0473414e ]
+
+When ftrace is used with kprobes, it is possible for a kprobe to contain
+an invalid location (ie. only initialised to 0 and not to a specific
+location in the code). Trying to perform a cache flush on such location
+leads to a crash r4k_flush_icache_range().
+
+Fixes: c1bf207d6ee1 ("MIPS: kprobe: Add support.")
+Signed-off-by: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16296/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/include/asm/kprobes.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/kprobes.h
++++ b/arch/mips/include/asm/kprobes.h
+@@ -40,7 +40,8 @@ typedef union mips_instruction kprobe_op
+
+ #define flush_insn_slot(p) \
+ do { \
+- flush_icache_range((unsigned long)p->addr, \
++ if (p->addr) \
++ flush_icache_range((unsigned long)p->addr, \
+ (unsigned long)p->addr + \
+ (MAX_INSN_SIZE * sizeof(kprobe_opcode_t))); \
+ } while (0)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Date: Tue, 11 Apr 2017 09:00:36 +0200
+Subject: MIPS: mm: adjust PKMAP location
+
+From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+
+
+[ Upstream commit c56e7a4c3e77f6fbd9b55c06c14eda65aae58958 ]
+
+Space reserved for PKMap should span from PKMAP_BASE to FIXADDR_START.
+For large page sizes this is not the case as eg. for 64k pages the range
+currently defined is from 0xfe000000 to 0x102000000(!!) which obviously
+isn't right.
+Remove the hardcoded location and set the BASE address as an offset from
+FIXADDR_START.
+
+Since all PKMAP ptes have to be placed in a contiguous memory, ensure
+that this is the case by placing them all in a single page. This is
+achieved by aligning the end address to pkmap pages count pages.
+
+Signed-off-by: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/15950/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/include/asm/pgtable-32.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/pgtable-32.h
++++ b/arch/mips/include/asm/pgtable-32.h
+@@ -18,6 +18,10 @@
+
+ #include <asm-generic/pgtable-nopmd.h>
+
++#ifdef CONFIG_HIGHMEM
++#include <asm/highmem.h>
++#endif
++
+ extern int temp_tlb_entry;
+
+ /*
+@@ -61,7 +65,8 @@ extern int add_temporary_entry(unsigned
+
+ #define VMALLOC_START MAP_BASE
+
+-#define PKMAP_BASE (0xfe000000UL)
++#define PKMAP_END ((FIXADDR_START) & ~((LAST_PKMAP << PAGE_SHIFT)-1))
++#define PKMAP_BASE (PKMAP_END - PAGE_SIZE * LAST_PKMAP)
+
+ #ifdef CONFIG_HIGHMEM
+ # define VMALLOC_END (PKMAP_BASE-2*PAGE_SIZE)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Date: Tue, 11 Apr 2017 09:00:34 +0200
+Subject: MIPS: mm: fixed mappings: correct initialisation
+
+From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+
+
+[ Upstream commit 71eb989ab5a110df8bcbb9609bacde73feacbedd ]
+
+fixrange_init operates at PMD-granularity and expects the addresses to
+be PMD-size aligned, but currently that might not be the case for
+PKMAP_BASE unless it is defined properly, so ensure a correct alignment
+is used before passing the address to fixrange_init.
+
+fixed mappings: only align the start address that is passed to
+fixrange_init rather than the value before adding the size, as we may
+end up with uninitialised upper part of the range.
+
+Signed-off-by: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/15948/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mm/pgtable-32.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/mm/pgtable-32.c
++++ b/arch/mips/mm/pgtable-32.c
+@@ -51,15 +51,15 @@ void __init pagetable_init(void)
+ /*
+ * Fixed mappings:
+ */
+- vaddr = __fix_to_virt(__end_of_fixed_addresses - 1) & PMD_MASK;
+- fixrange_init(vaddr, vaddr + FIXADDR_SIZE, pgd_base);
++ vaddr = __fix_to_virt(__end_of_fixed_addresses - 1);
++ fixrange_init(vaddr & PMD_MASK, vaddr + FIXADDR_SIZE, pgd_base);
+
+ #ifdef CONFIG_HIGHMEM
+ /*
+ * Permanent kmaps:
+ */
+ vaddr = PKMAP_BASE;
+- fixrange_init(vaddr, vaddr + PAGE_SIZE*LAST_PKMAP, pgd_base);
++ fixrange_init(vaddr & PMD_MASK, vaddr + PAGE_SIZE*LAST_PKMAP, pgd_base);
+
+ pgd = swapper_pg_dir + __pgd_offset(vaddr);
+ pud = pud_offset(pgd, vaddr);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Jia-Ju Bai <baijiaju1990@163.com>
+Date: Wed, 31 May 2017 15:08:25 +0800
+Subject: mISDN: Fix a sleep-in-atomic bug
+
+From: Jia-Ju Bai <baijiaju1990@163.com>
+
+
+[ Upstream commit 93818da5eed63fbc17b64080406ea53b86b23309 ]
+
+The driver may sleep under a read spin lock, and the function call path is:
+send_socklist (acquire the lock by read_lock)
+ skb_copy(GFP_KERNEL) --> may sleep
+
+To fix it, the "GFP_KERNEL" is replaced with "GFP_ATOMIC".
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/mISDN/stack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/isdn/mISDN/stack.c
++++ b/drivers/isdn/mISDN/stack.c
+@@ -72,7 +72,7 @@ send_socklist(struct mISDN_sock_list *sl
+ if (sk->sk_state != MISDN_BOUND)
+ continue;
+ if (!cskb)
+- cskb = skb_copy(skb, GFP_KERNEL);
++ cskb = skb_copy(skb, GFP_ATOMIC);
+ if (!cskb) {
+ printk(KERN_WARNING "%s no skb\n", __func__);
+ break;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+Date: Mon, 22 May 2017 20:13:07 +0200
+Subject: mlx5: fix bug reading rss_hash_type from CQE
+
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+
+
+[ Upstream commit 12e8b570e732eaa5eae3a2895ba3fbcf91bde2b4 ]
+
+Masks for extracting part of the Completion Queue Entry (CQE)
+field rss_hash_type was swapped, namely CQE_RSS_HTYPE_IP and
+CQE_RSS_HTYPE_L4.
+
+The bug resulted in setting skb->l4_hash, even-though the
+rss_hash_type indicated that hash was NOT computed over the
+L4 (UDP or TCP) part of the packet.
+
+Added comments from the datasheet, to make it more clear what
+these masks are selecting.
+
+Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Acked-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mlx5/device.h | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/include/linux/mlx5/device.h
++++ b/include/linux/mlx5/device.h
+@@ -750,8 +750,14 @@ enum {
+ };
+
+ enum {
+- CQE_RSS_HTYPE_IP = 0x3 << 6,
+- CQE_RSS_HTYPE_L4 = 0x3 << 2,
++ CQE_RSS_HTYPE_IP = 0x3 << 2,
++ /* cqe->rss_hash_type[3:2] - IP destination selected for hash
++ * (00 = none, 01 = IPv4, 10 = IPv6, 11 = Reserved)
++ */
++ CQE_RSS_HTYPE_L4 = 0x3 << 6,
++ /* cqe->rss_hash_type[7:6] - L4 destination selected for hash
++ * (00 = none, 01 = TCP. 10 = UDP, 11 = IPSEC.SPI
++ */
+ };
+
+ enum {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Thu, 18 May 2017 13:03:52 +0200
+Subject: mlxsw: spectrum: Avoid possible NULL pointer dereference
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+
+[ Upstream commit c0e01eac7ada785fdeaea1ae5476ec1cf3b00374 ]
+
+In case we got an FDB notification for a port that doesn't exist we
+execute an FDB entry delete to prevent it from re-appearing the next
+time we poll for notifications.
+
+If the operation failed we would trigger a NULL pointer dereference as
+'mlxsw_sp_port' is NULL.
+
+Fix it by reporting the error using the underlying bus device instead.
+
+Fixes: 12f1501e7511 ("mlxsw: spectrum: remove FDB entry in case we get unknown object notification")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
+@@ -1448,8 +1448,7 @@ do_fdb_op:
+ err = mlxsw_sp_port_fdb_uc_op(mlxsw_sp, local_port, mac, fid,
+ adding, true);
+ if (err) {
+- if (net_ratelimit())
+- netdev_err(mlxsw_sp_port->dev, "Failed to set FDB entry\n");
++ dev_err_ratelimited(mlxsw_sp->bus_info->dev, "Failed to set FDB entry\n");
+ return;
+ }
+
+@@ -1509,8 +1508,7 @@ do_fdb_op:
+ err = mlxsw_sp_port_fdb_uc_lag_op(mlxsw_sp, lag_id, mac, fid, lag_vid,
+ adding, true);
+ if (err) {
+- if (net_ratelimit())
+- netdev_err(mlxsw_sp_port->dev, "Failed to set FDB entry\n");
++ dev_err_ratelimited(mlxsw_sp->bus_info->dev, "Failed to set FDB entry\n");
+ return;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Reza Arbab <arbab@linux.vnet.ibm.com>
+Date: Fri, 12 May 2017 15:46:32 -0700
+Subject: mm, vmstat: Remove spurious WARN() during zoneinfo print
+
+From: Reza Arbab <arbab@linux.vnet.ibm.com>
+
+
+[ Upstream commit 8d35bb310698c69d73073b26fc581f2e3f7f621d ]
+
+After commit e2ecc8a79ed4 ("mm, vmstat: print non-populated zones in
+zoneinfo"), /proc/zoneinfo will show unpopulated zones.
+
+A memoryless node, having no populated zones at all, was previously
+ignored, but will now trigger the WARN() in is_zone_first_populated().
+
+Remove this warning, as its only purpose was to warn of a situation that
+has since been enabled.
+
+Aside: The "per-node stats" are still printed under the first populated
+zone, but that's not necessarily the first stanza any more. I'm not
+sure which criteria is more important with regard to not breaking
+parsers, but it looks a little weird to the eye.
+
+Fixes: e2ecc8a79ed4 ("mm, vmstat: print node-based stats in zoneinfo file")
+Link: http://lkml.kernel.org/r/1493854905-10918-1-git-send-email-arbab@linux.vnet.ibm.com
+Signed-off-by: Reza Arbab <arbab@linux.vnet.ibm.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Anshuman Khandual <khandual@linux.vnet.ibm.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/vmstat.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/mm/vmstat.c
++++ b/mm/vmstat.c
+@@ -1351,8 +1351,6 @@ static bool is_zone_first_populated(pg_d
+ return zone == compare;
+ }
+
+- /* The zone must be somewhere! */
+- WARN_ON_ONCE(1);
+ return false;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Miquel Raynal <miquel.raynal@free-electrons.com>
+Date: Thu, 11 Jan 2018 21:39:20 +0100
+Subject: mtd: mtd_oobtest: Handle bitflips during reads
+
+From: Miquel Raynal <miquel.raynal@free-electrons.com>
+
+
+[ Upstream commit 12663b442e5ac5aa3d6097cd3f287c71ba46d26e ]
+
+Reads from NAND devices usually trigger bitflips, this is an expected
+behavior. While bitflips are under a given threshold, the MTD core
+returns 0. However, when the number of corrected bitflips is above this
+same threshold, -EUCLEAN is returned to inform the upper layer that this
+block is slightly dying and soon the ECC engine will be overtaken so
+actions should be taken to move the data out of it.
+
+This particular condition should not be treated like an error and the
+test should continue.
+
+Signed-off-by: Miquel Raynal <miquel.raynal@free-electrons.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/tests/oobtest.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/drivers/mtd/tests/oobtest.c
++++ b/drivers/mtd/tests/oobtest.c
+@@ -193,6 +193,9 @@ static int verify_eraseblock(int ebnum)
+ ops.datbuf = NULL;
+ ops.oobbuf = readbuf;
+ err = mtd_read_oob(mtd, addr, &ops);
++ if (mtd_is_bitflip(err))
++ err = 0;
++
+ if (err || ops.oobretlen != use_len) {
+ pr_err("error: readoob failed at %#llx\n",
+ (long long)addr);
+@@ -227,6 +230,9 @@ static int verify_eraseblock(int ebnum)
+ ops.datbuf = NULL;
+ ops.oobbuf = readbuf;
+ err = mtd_read_oob(mtd, addr, &ops);
++ if (mtd_is_bitflip(err))
++ err = 0;
++
+ if (err || ops.oobretlen != mtd->oobavail) {
+ pr_err("error: readoob failed at %#llx\n",
+ (long long)addr);
+@@ -286,6 +292,9 @@ static int verify_eraseblock_in_one_go(i
+
+ /* read entire block's OOB at one go */
+ err = mtd_read_oob(mtd, addr, &ops);
++ if (mtd_is_bitflip(err))
++ err = 0;
++
+ if (err || ops.oobretlen != len) {
+ pr_err("error: readoob failed at %#llx\n",
+ (long long)addr);
+@@ -527,6 +536,9 @@ static int __init mtd_oobtest_init(void)
+ pr_info("attempting to start read past end of OOB\n");
+ pr_info("an error is expected...\n");
+ err = mtd_read_oob(mtd, addr0, &ops);
++ if (mtd_is_bitflip(err))
++ err = 0;
++
+ if (err) {
+ pr_info("error occurred as expected\n");
+ err = 0;
+@@ -571,6 +583,9 @@ static int __init mtd_oobtest_init(void)
+ pr_info("attempting to read past end of device\n");
+ pr_info("an error is expected...\n");
+ err = mtd_read_oob(mtd, mtd->size - mtd->writesize, &ops);
++ if (mtd_is_bitflip(err))
++ err = 0;
++
+ if (err) {
+ pr_info("error occurred as expected\n");
+ err = 0;
+@@ -615,6 +630,9 @@ static int __init mtd_oobtest_init(void)
+ pr_info("attempting to read past end of device\n");
+ pr_info("an error is expected...\n");
+ err = mtd_read_oob(mtd, mtd->size - mtd->writesize, &ops);
++ if (mtd_is_bitflip(err))
++ err = 0;
++
+ if (err) {
+ pr_info("error occurred as expected\n");
+ err = 0;
+@@ -684,6 +702,9 @@ static int __init mtd_oobtest_init(void)
+ ops.datbuf = NULL;
+ ops.oobbuf = readbuf;
+ err = mtd_read_oob(mtd, addr, &ops);
++ if (mtd_is_bitflip(err))
++ err = 0;
++
+ if (err)
+ goto out;
+ if (memcmpshow(addr, readbuf, writebuf,
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Thu, 25 May 2017 13:50:20 +0900
+Subject: mtd: nand: check ecc->total sanity in nand_scan_tail
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+
+[ Upstream commit 79e0348c4e24fd1affdcf055e0269755580e0fcc ]
+
+Drivers are supposed to set correct ecc->{size,strength,bytes} before
+calling nand_scan_tail(), but it does not complain about ecc->total
+bigger than oobsize.
+
+In this case, chip->scan_bbt() crashes due to memory corruption, but
+it is hard to debug. It would be kind to fail it earlier with a clear
+message.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/nand_base.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -4785,6 +4785,11 @@ int nand_scan_tail(struct mtd_info *mtd)
+ goto err_free;
+ }
+ ecc->total = ecc->steps * ecc->bytes;
++ if (ecc->total > mtd->oobsize) {
++ WARN(1, "Total number of ECC bytes exceeded oobsize\n");
++ ret = -EINVAL;
++ goto err_free;
++ }
+
+ /*
+ * The number of bytes available for a client to place data into
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Mon, 10 Apr 2017 10:35:17 +0200
+Subject: mtd: nand: gpmi: Fix gpmi_nand_init() error path
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+
+[ Upstream commit 4d02423e9afe6c46142ce98bbcaf5167316dbfbf ]
+
+The GPMI driver is wrongly assuming that nand_release() can safely be
+called on an uninitialized/unregistered NAND device.
+
+Add a new err_nand_cleanup label in the error path and only execute if
+nand_scan_tail() succeeded.
+
+Note that we now call nand_cleanup() instead of nand_release()
+(nand_release() is actually grouping the mtd_device_unregister() and
+nand_cleanup() in one call) because there's no point in trying to
+unregister a device that has never been registered.
+
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Reviewed-by: Marek Vasut <marek.vasut@gmail.com>
+Acked-by: Han Xu <han.xu@nxp.com>
+Reviewed-by: Marek Vasut <marek.vasut@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
++++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
+@@ -2047,18 +2047,20 @@ static int gpmi_nand_init(struct gpmi_na
+
+ ret = nand_boot_init(this);
+ if (ret)
+- goto err_out;
++ goto err_nand_cleanup;
+ ret = chip->scan_bbt(mtd);
+ if (ret)
+- goto err_out;
++ goto err_nand_cleanup;
+
+ ret = mtd_device_register(mtd, NULL, 0);
+ if (ret)
+- goto err_out;
++ goto err_nand_cleanup;
+ return 0;
+
++err_nand_cleanup:
++ nand_cleanup(chip);
+ err_out:
+- gpmi_nand_exit(this);
++ gpmi_free_dma_buffer(this);
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Ihar Hrachyshka <ihrachys@redhat.com>
+Date: Tue, 16 May 2017 08:44:24 -0700
+Subject: neighbour: update neigh timestamps iff update is effective
+
+From: Ihar Hrachyshka <ihrachys@redhat.com>
+
+
+[ Upstream commit 77d7123342dcf6442341b67816321d71da8b2b16 ]
+
+It's a common practice to send gratuitous ARPs after moving an
+IP address to another device to speed up healing of a service. To
+fulfill service availability constraints, the timing of network peers
+updating their caches to point to a new location of an IP address can be
+particularly important.
+
+Sometimes neigh_update calls won't touch neither lladdr nor state, for
+example if an update arrives in locktime interval. The neigh->updated
+value is tested by the protocol specific neigh code, which in turn
+will influence whether NEIGH_UPDATE_F_OVERRIDE gets set in the
+call to neigh_update() or not. As a result, we may effectively ignore
+the update request, bailing out of touching the neigh entry, except that
+we still bump its timestamps inside neigh_update.
+
+This may be a problem for updates arriving in quick succession. For
+example, consider the following scenario:
+
+A service is moved to another device with its IP address. The new device
+sends three gratuitous ARP requests into the network with ~1 seconds
+interval between them. Just before the first request arrives to one of
+network peer nodes, its neigh entry for the IP address transitions from
+STALE to DELAY. This transition, among other things, updates
+neigh->updated. Once the kernel receives the first gratuitous ARP, it
+ignores it because its arrival time is inside the locktime interval. The
+kernel still bumps neigh->updated. Then the second gratuitous ARP
+request arrives, and it's also ignored because it's still in the (new)
+locktime interval. Same happens for the third request. The node
+eventually heals itself (after delay_first_probe_time seconds since the
+initial transition to DELAY state), but it just wasted some time and
+require a new ARP request/reply round trip. This unfortunate behaviour
+both puts more load on the network, as well as reduces service
+availability.
+
+This patch changes neigh_update so that it bumps neigh->updated (as well
+as neigh->confirmed) only once we are sure that either lladdr or entry
+state will change). In the scenario described above, it means that the
+second gratuitous ARP request will actually update the entry lladdr.
+
+Ideally, we would update the neigh entry on the very first gratuitous
+ARP request. The locktime mechanism is designed to ignore ARP updates in
+a short timeframe after a previous ARP update was honoured by the kernel
+layer. This would require tracking timestamps for state transitions
+separately from timestamps when actual updates are received. This would
+probably involve changes in neighbour struct. Therefore, the patch
+doesn't tackle the issue of the first gratuitous APR ignored, leaving
+it for a follow-up.
+
+Signed-off-by: Ihar Hrachyshka <ihrachys@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -1130,10 +1130,6 @@ int neigh_update(struct neighbour *neigh
+ lladdr = neigh->ha;
+ }
+
+- if (new & NUD_CONNECTED)
+- neigh->confirmed = jiffies;
+- neigh->updated = jiffies;
+-
+ /* If entry was valid and address is not changed,
+ do not change entry state, if new one is STALE.
+ */
+@@ -1155,6 +1151,16 @@ int neigh_update(struct neighbour *neigh
+ }
+ }
+
++ /* Update timestamps only once we know we will make a change to the
++ * neighbour entry. Otherwise we risk to move the locktime window with
++ * noop updates and ignore relevant ARP updates.
++ */
++ if (new != old || lladdr != neigh->ha) {
++ if (new & NUD_CONNECTED)
++ neigh->confirmed = jiffies;
++ neigh->updated = jiffies;
++ }
++
+ if (new != old) {
+ neigh_del_timer(neigh);
+ if (new & NUD_PROBE)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Jim Baxter <jim_baxter@mentor.com>
+Date: Mon, 8 May 2017 13:49:57 +0100
+Subject: net: cdc_ncm: Fix TX zero padding
+
+From: Jim Baxter <jim_baxter@mentor.com>
+
+
+[ Upstream commit aeca3a77b1e0ed06a095933b89c86aed007383eb ]
+
+The zero padding that is added to NTB's does
+not zero the memory correctly.
+This is because the skb_put modifies the value
+of skb_out->len which results in the memset
+command not setting any memory to zero as
+(ctx->tx_max - skb_out->len) == 0.
+
+I have resolved this by storing the size of
+the memory to be zeroed before the skb_put
+and using this in the memset call.
+
+Signed-off-by: Jim Baxter <jim_baxter@mentor.com>
+Reviewed-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/cdc_ncm.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1118,6 +1118,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev
+ u16 n = 0, index, ndplen;
+ u8 ready2send = 0;
+ u32 delayed_ndp_size;
++ size_t padding_count;
+
+ /* When our NDP gets written in cdc_ncm_ndp(), then skb_out->len gets updated
+ * accordingly. Otherwise, we should check here.
+@@ -1274,11 +1275,13 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev
+ * a ZLP after full sized NTBs.
+ */
+ if (!(dev->driver_info->flags & FLAG_SEND_ZLP) &&
+- skb_out->len > ctx->min_tx_pkt)
+- memset(skb_put(skb_out, ctx->tx_max - skb_out->len), 0,
+- ctx->tx_max - skb_out->len);
+- else if (skb_out->len < ctx->tx_max && (skb_out->len % dev->maxpacket) == 0)
++ skb_out->len > ctx->min_tx_pkt) {
++ padding_count = ctx->tx_max - skb_out->len;
++ memset(skb_put(skb_out, padding_count), 0, padding_count);
++ } else if (skb_out->len < ctx->tx_max &&
++ (skb_out->len % dev->maxpacket) == 0) {
+ *skb_put(skb_out, 1) = 0; /* force short packet */
++ }
+
+ /* set final frame length */
+ nth16 = (struct usb_cdc_ncm_nth16 *)skb_out->data;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Christian Lamparter <chunkeey@googlemail.com>
+Date: Wed, 7 Jun 2017 15:51:15 +0200
+Subject: net: emac: fix reset timeout with AR8035 phy
+
+From: Christian Lamparter <chunkeey@googlemail.com>
+
+
+[ Upstream commit 19d90ece81da802207a9b91ce95a29fbdc40626e ]
+
+This patch fixes a problem where the AR8035 PHY can't be
+detected on an Cisco Meraki MR24, if the ethernet cable is
+not connected on boot.
+
+Russell Senior provided steps to reproduce the issue:
+|Disconnect ethernet cable, apply power, wait until device has booted,
+|plug in ethernet, check for interfaces, no eth0 is listed.
+|
+|This appears to be a problem during probing of the AR8035 Phy chip.
+|When ethernet has no link, the phy detection fails, and eth0 is not
+|created. Plugging ethernet later has no effect, because there is no
+|interface as far as the kernel is concerned. The relevant part of
+|the boot log looks like this:
+|this is the failing case:
+|
+|[ 0.876611] /plb/opb/emac-rgmii@ef601500: input 0 in RGMII mode
+|[ 0.882532] /plb/opb/ethernet@ef600c00: reset timeout
+|[ 0.888546] /plb/opb/ethernet@ef600c00: can't find PHY!
+|and the succeeding case:
+|
+|[ 0.876672] /plb/opb/emac-rgmii@ef601500: input 0 in RGMII mode
+|[ 0.883952] eth0: EMAC-0 /plb/opb/ethernet@ef600c00, MAC 00:01:..
+|[ 0.890822] eth0: found Atheros 8035 Gigabit Ethernet PHY (0x01)
+
+Based on the comment and the commit message of
+commit 23fbb5a87c56 ("emac: Fix EMAC soft reset on 460EX/GT").
+This is because the AR8035 PHY doesn't provide the TX Clock,
+if the ethernet cable is not attached. This causes the reset
+to timeout and the PHY detection code in emac_init_phy() is
+unable to detect the AR8035 PHY. As a result, the emac driver
+bails out early and the user left with no ethernet.
+
+In order to stay compatible with existing configurations, the driver
+tries the current reset approach at first. Only if the first attempt
+timed out, it does perform one more retry with the clock temporarily
+switched to the internal source for just the duration of the reset.
+
+LEDE-Bug: #687 <https://bugs.lede-project.org/index.php?do=details&task_id=687>
+
+Cc: Chris Blake <chrisrblake93@gmail.com>
+Reported-by: Russell Senior <russell@personaltelco.net>
+Fixes: 23fbb5a87c56e98 ("emac: Fix EMAC soft reset on 460EX/GT")
+Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/emac/core.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/emac/core.c
++++ b/drivers/net/ethernet/ibm/emac/core.c
+@@ -342,6 +342,7 @@ static int emac_reset(struct emac_instan
+ {
+ struct emac_regs __iomem *p = dev->emacp;
+ int n = 20;
++ bool __maybe_unused try_internal_clock = false;
+
+ DBG(dev, "reset" NL);
+
+@@ -354,6 +355,7 @@ static int emac_reset(struct emac_instan
+ }
+
+ #ifdef CONFIG_PPC_DCR_NATIVE
++do_retry:
+ /*
+ * PPC460EX/GT Embedded Processor Advanced User's Manual
+ * section 28.10.1 Mode Register 0 (EMACx_MR0) states:
+@@ -361,10 +363,19 @@ static int emac_reset(struct emac_instan
+ * of the EMAC. If none is present, select the internal clock
+ * (SDR0_ETH_CFG[EMACx_PHY_CLK] = 1).
+ * After a soft reset, select the external clock.
++ *
++ * The AR8035-A PHY Meraki MR24 does not provide a TX Clk if the
++ * ethernet cable is not attached. This causes the reset to timeout
++ * and the PHY detection code in emac_init_phy() is unable to
++ * communicate and detect the AR8035-A PHY. As a result, the emac
++ * driver bails out early and the user has no ethernet.
++ * In order to stay compatible with existing configurations, the
++ * driver will temporarily switch to the internal clock, after
++ * the first reset fails.
+ */
+ if (emac_has_feature(dev, EMAC_FTR_460EX_PHY_CLK_FIX)) {
+- if (dev->phy_address == 0xffffffff &&
+- dev->phy_map == 0xffffffff) {
++ if (try_internal_clock || (dev->phy_address == 0xffffffff &&
++ dev->phy_map == 0xffffffff)) {
+ /* No PHY: select internal loop clock before reset */
+ dcri_clrset(SDR0, SDR0_ETH_CFG,
+ 0, SDR0_ETH_CFG_ECS << dev->cell_index);
+@@ -382,8 +393,15 @@ static int emac_reset(struct emac_instan
+
+ #ifdef CONFIG_PPC_DCR_NATIVE
+ if (emac_has_feature(dev, EMAC_FTR_460EX_PHY_CLK_FIX)) {
+- if (dev->phy_address == 0xffffffff &&
+- dev->phy_map == 0xffffffff) {
++ if (!n && !try_internal_clock) {
++ /* first attempt has timed out. */
++ n = 20;
++ try_internal_clock = true;
++ goto do_retry;
++ }
++
++ if (try_internal_clock || (dev->phy_address == 0xffffffff &&
++ dev->phy_map == 0xffffffff)) {
+ /* No PHY: restore external clock source after reset */
+ dcri_clrset(SDR0, SDR0_ETH_CFG,
+ SDR0_ETH_CFG_ECS << dev->cell_index, 0);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Netanel Belgazal <netanel@amazon.com>
+Date: Sun, 11 Jun 2017 15:42:45 +0300
+Subject: net: ena: add missing return when ena_com_get_io_handlers() fails
+
+From: Netanel Belgazal <netanel@amazon.com>
+
+
+[ Upstream commit 2d2c600a917127f16f179d5a88fc44ba3ed263ed ]
+
+Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)")
+Signed-off-by: Netanel Belgazal <netanel@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -1542,6 +1542,7 @@ static int ena_create_io_tx_queue(struct
+ "Failed to get TX queue handlers. TX queue num %d rc: %d\n",
+ qid, rc);
+ ena_com_destroy_io_queue(ena_dev, ena_qid);
++ return rc;
+ }
+
+ ena_com_update_numa_node(tx_ring->ena_com_io_cq, ctx.numa_node);
+@@ -1606,6 +1607,7 @@ static int ena_create_io_rx_queue(struct
+ "Failed to get RX queue handlers. RX queue num %d rc: %d\n",
+ qid, rc);
+ ena_com_destroy_io_queue(ena_dev, ena_qid);
++ return rc;
+ }
+
+ ena_com_update_numa_node(rx_ring->ena_com_io_cq, ctx.numa_node);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Netanel Belgazal <netanel@amazon.com>
+Date: Sun, 11 Jun 2017 15:42:47 +0300
+Subject: net: ena: add missing unmap bars on device removal
+
+From: Netanel Belgazal <netanel@amazon.com>
+
+
+[ Upstream commit 0857d92f71b6cb75281fde913554b2d5436c394b ]
+
+This patch also change the mapping functions to devm_ functions
+
+Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)")
+Signed-off-by: Netanel Belgazal <netanel@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -2808,6 +2808,11 @@ static void ena_release_bars(struct ena_
+ {
+ int release_bars;
+
++ if (ena_dev->mem_bar)
++ devm_iounmap(&pdev->dev, ena_dev->mem_bar);
++
++ devm_iounmap(&pdev->dev, ena_dev->reg_bar);
++
+ release_bars = pci_select_bars(pdev, IORESOURCE_MEM) & ENA_BAR_MASK;
+ pci_release_selected_regions(pdev, release_bars);
+ }
+@@ -2895,8 +2900,9 @@ static int ena_probe(struct pci_dev *pde
+ goto err_free_ena_dev;
+ }
+
+- ena_dev->reg_bar = ioremap(pci_resource_start(pdev, ENA_REG_BAR),
+- pci_resource_len(pdev, ENA_REG_BAR));
++ ena_dev->reg_bar = devm_ioremap(&pdev->dev,
++ pci_resource_start(pdev, ENA_REG_BAR),
++ pci_resource_len(pdev, ENA_REG_BAR));
+ if (!ena_dev->reg_bar) {
+ dev_err(&pdev->dev, "failed to remap regs bar\n");
+ rc = -EFAULT;
+@@ -2916,8 +2922,9 @@ static int ena_probe(struct pci_dev *pde
+ ena_set_push_mode(pdev, ena_dev, &get_feat_ctx);
+
+ if (ena_dev->tx_mem_queue_type == ENA_ADMIN_PLACEMENT_POLICY_DEV) {
+- ena_dev->mem_bar = ioremap_wc(pci_resource_start(pdev, ENA_MEM_BAR),
+- pci_resource_len(pdev, ENA_MEM_BAR));
++ ena_dev->mem_bar = devm_ioremap_wc(&pdev->dev,
++ pci_resource_start(pdev, ENA_MEM_BAR),
++ pci_resource_len(pdev, ENA_MEM_BAR));
+ if (!ena_dev->mem_bar) {
+ rc = -EFAULT;
+ goto err_device_destroy;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Netanel Belgazal <netanel@amazon.com>
+Date: Sun, 11 Jun 2017 15:42:49 +0300
+Subject: net: ena: disable admin msix while working in polling mode
+
+From: Netanel Belgazal <netanel@amazon.com>
+
+
+[ Upstream commit a2cc5198dac102775b21787752a2e0afe44ad311 ]
+
+Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)")
+Signed-off-by: Netanel Belgazal <netanel@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_com.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_com.c
++++ b/drivers/net/ethernet/amazon/ena/ena_com.c
+@@ -61,6 +61,8 @@
+
+ #define ENA_MMIO_READ_TIMEOUT 0xFFFFFFFF
+
++#define ENA_REGS_ADMIN_INTR_MASK 1
++
+ /*****************************************************************************/
+ /*****************************************************************************/
+ /*****************************************************************************/
+@@ -1448,6 +1450,12 @@ void ena_com_admin_destroy(struct ena_co
+
+ void ena_com_set_admin_polling_mode(struct ena_com_dev *ena_dev, bool polling)
+ {
++ u32 mask_value = 0;
++
++ if (polling)
++ mask_value = ENA_REGS_ADMIN_INTR_MASK;
++
++ writel(mask_value, ena_dev->reg_bar + ENA_REGS_INTR_MASK_OFF);
+ ena_dev->admin_queue.polling = polling;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Netanel Belgazal <netanel@amazon.com>
+Date: Sun, 11 Jun 2017 15:42:46 +0300
+Subject: net: ena: fix race condition between submit and completion admin command
+
+From: Netanel Belgazal <netanel@amazon.com>
+
+
+[ Upstream commit 661d2b0ccef6a63f48b61105cf7be17403d1db01 ]
+
+Bug:
+"Completion context is occupied" error printout will be noticed in
+dmesg.
+This error will cause the admin command to fail, which will lead to
+an ena_probe() failure or a watchdog reset (depends on which admin
+command failed).
+
+Root cause:
+__ena_com_submit_admin_cmd() is the function that submits new entries to
+the admin queue.
+The function have a check that makes sure the queue is not full and the
+function does not override any outstanding command.
+It uses head and tail indexes for this check.
+The head is increased by ena_com_handle_admin_completion() which runs
+from interrupt context, and the tail index is increased by the submit
+function (the function is running under ->q_lock, so there is no risk
+of multithread increment).
+Each command is associated with a completion context. This context
+allocated before call to __ena_com_submit_admin_cmd() and freed by
+ena_com_wait_and_process_admin_cq_interrupts(), right after the command
+was completed.
+
+This can lead to a state where the head was increased, the check passed,
+but the completion context is still in use.
+
+Solution:
+Use the atomic variable ->outstanding_cmds instead of using the head and
+the tail indexes.
+This variable is safe for use since it is bumped in get_comp_ctx() in
+__ena_com_submit_admin_cmd() and is freed by comp_ctxt_release()
+
+Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)")
+Signed-off-by: Netanel Belgazal <netanel@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_com.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_com.c
++++ b/drivers/net/ethernet/amazon/ena/ena_com.c
+@@ -232,11 +232,9 @@ static struct ena_comp_ctx *__ena_com_su
+ tail_masked = admin_queue->sq.tail & queue_size_mask;
+
+ /* In case of queue FULL */
+- cnt = admin_queue->sq.tail - admin_queue->sq.head;
++ cnt = atomic_read(&admin_queue->outstanding_cmds);
+ if (cnt >= admin_queue->q_depth) {
+- pr_debug("admin queue is FULL (tail %d head %d depth: %d)\n",
+- admin_queue->sq.tail, admin_queue->sq.head,
+- admin_queue->q_depth);
++ pr_debug("admin queue is full.\n");
+ admin_queue->stats.out_of_space++;
+ return ERR_PTR(-ENOSPC);
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Netanel Belgazal <netanel@amazon.com>
+Date: Sun, 11 Jun 2017 15:42:43 +0300
+Subject: net: ena: fix rare uncompleted admin command false alarm
+
+From: Netanel Belgazal <netanel@amazon.com>
+
+
+[ Upstream commit a77c1aafcc906f657d1a0890c1d898be9ee1d5c9 ]
+
+The current flow to detect admin completion is:
+while (command_not_completed) {
+ if (timeout)
+ error
+
+ check_for_completion()
+ sleep()
+ }
+So in case the sleep took more than the timeout
+(in case the thread/workqueue was not scheduled due to higher priority
+task or prolonged VMexit), the driver can detect a stall even if
+the completion is present.
+
+The fix changes the order of this function to first check for
+completion and only after that check if the timeout expired.
+
+Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)")
+Signed-off-by: Netanel Belgazal <netanel@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_com.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_com.c
++++ b/drivers/net/ethernet/amazon/ena/ena_com.c
+@@ -508,15 +508,20 @@ static int ena_com_comp_status_to_errno(
+ static int ena_com_wait_and_process_admin_cq_polling(struct ena_comp_ctx *comp_ctx,
+ struct ena_com_admin_queue *admin_queue)
+ {
+- unsigned long flags;
+- u32 start_time;
++ unsigned long flags, timeout;
+ int ret;
+
+- start_time = ((u32)jiffies_to_usecs(jiffies));
++ timeout = jiffies + ADMIN_CMD_TIMEOUT_US;
+
+- while (comp_ctx->status == ENA_CMD_SUBMITTED) {
+- if ((((u32)jiffies_to_usecs(jiffies)) - start_time) >
+- ADMIN_CMD_TIMEOUT_US) {
++ while (1) {
++ spin_lock_irqsave(&admin_queue->q_lock, flags);
++ ena_com_handle_admin_completion(admin_queue);
++ spin_unlock_irqrestore(&admin_queue->q_lock, flags);
++
++ if (comp_ctx->status != ENA_CMD_SUBMITTED)
++ break;
++
++ if (time_is_before_jiffies(timeout)) {
+ pr_err("Wait for completion (polling) timeout\n");
+ /* ENA didn't have any completion */
+ spin_lock_irqsave(&admin_queue->q_lock, flags);
+@@ -528,10 +533,6 @@ static int ena_com_wait_and_process_admi
+ goto err;
+ }
+
+- spin_lock_irqsave(&admin_queue->q_lock, flags);
+- ena_com_handle_admin_completion(admin_queue);
+- spin_unlock_irqrestore(&admin_queue->q_lock, flags);
+-
+ msleep(100);
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Grygorii Strashko <grygorii.strashko@ti.com>
+Date: Mon, 8 May 2017 14:21:21 -0500
+Subject: net: ethernet: ti: cpsw: adjust cpsw fifos depth for fullduplex flow control
+
+From: Grygorii Strashko <grygorii.strashko@ti.com>
+
+
+[ Upstream commit 48f5bccc60675f8426a6159935e8636a1fd89f56 ]
+
+When users set flow control using ethtool the bits are set properly in the
+CPGMAC_SL MACCONTROL register, but the FIFO depth in the respective Port n
+Maximum FIFO Blocks (Pn_MAX_BLKS) registers remains set to the minimum size
+reset value. When receive flow control is enabled on a port, the port's
+associated FIFO block allocation must be adjusted. The port RX allocation
+must increase to accommodate the flow control runout. The TRM recommends
+numbers of 5 or 6.
+
+Hence, apply required Port FIFO configuration to
+Pn_MAX_BLKS.Pn_TX_MAX_BLKS=0xF and Pn_MAX_BLKS.Pn_RX_MAX_BLKS=0x5 during
+interface initialization.
+
+Cc: Schuyler Patton <spatton@ti.com>
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/cpsw.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -282,6 +282,10 @@ struct cpsw_ss_regs {
+ /* Bit definitions for the CPSW1_TS_SEQ_LTYPE register */
+ #define CPSW_V1_SEQ_ID_OFS_SHIFT 16
+
++#define CPSW_MAX_BLKS_TX 15
++#define CPSW_MAX_BLKS_TX_SHIFT 4
++#define CPSW_MAX_BLKS_RX 5
++
+ struct cpsw_host_regs {
+ u32 max_blks;
+ u32 blk_cnt;
+@@ -1160,11 +1164,23 @@ static void cpsw_slave_open(struct cpsw_
+ switch (cpsw->version) {
+ case CPSW_VERSION_1:
+ slave_write(slave, TX_PRIORITY_MAPPING, CPSW1_TX_PRI_MAP);
++ /* Increase RX FIFO size to 5 for supporting fullduplex
++ * flow control mode
++ */
++ slave_write(slave,
++ (CPSW_MAX_BLKS_TX << CPSW_MAX_BLKS_TX_SHIFT) |
++ CPSW_MAX_BLKS_RX, CPSW1_MAX_BLKS);
+ break;
+ case CPSW_VERSION_2:
+ case CPSW_VERSION_3:
+ case CPSW_VERSION_4:
+ slave_write(slave, TX_PRIORITY_MAPPING, CPSW2_TX_PRI_MAP);
++ /* Increase RX FIFO size to 5 for supporting fullduplex
++ * flow control mode
++ */
++ slave_write(slave,
++ (CPSW_MAX_BLKS_TX << CPSW_MAX_BLKS_TX_SHIFT) |
++ CPSW_MAX_BLKS_RX, CPSW2_MAX_BLKS);
+ break;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Fabio Estevam <fabio.estevam@nxp.com>
+Date: Fri, 9 Jun 2017 22:37:22 -0300
+Subject: net: fec: Add a fec_enet_clear_ethtool_stats() stub for CONFIG_M5272
+
+From: Fabio Estevam <fabio.estevam@nxp.com>
+
+
+[ Upstream commit bf292f1b2c813f1d6ac49b04bd1a9863d8314266 ]
+
+Commit 2b30842b23b9 ("net: fec: Clear and enable MIB counters on imx51")
+introduced fec_enet_clear_ethtool_stats(), but missed to add a stub
+for the CONFIG_M5272=y case, causing build failure for the
+m5272c3_defconfig.
+
+Add the missing empty stub to fix the build failure.
+
+Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -2371,6 +2371,10 @@ static int fec_enet_get_sset_count(struc
+ static inline void fec_enet_update_ethtool_stats(struct net_device *dev)
+ {
+ }
++
++static inline void fec_enet_clear_ethtool_stats(struct net_device *dev)
++{
++}
+ #endif /* !defined(CONFIG_M5272) */
+
+ static int fec_enet_nway_reset(struct net_device *dev)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+Date: Tue, 30 May 2017 17:38:43 -0500
+Subject: net: freescale: fix potential null pointer dereference
+
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+
+
+[ Upstream commit 06d2d6431bc8d41ef5ffd8bd4b52cea9f72aed22 ]
+
+Add NULL check before dereferencing pointer _id_ in order to avoid
+a potential NULL pointer dereference.
+
+Addresses-Coverity-ID: 1397995
+Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/fsl_pq_mdio.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/fsl_pq_mdio.c
++++ b/drivers/net/ethernet/freescale/fsl_pq_mdio.c
+@@ -381,7 +381,7 @@ static int fsl_pq_mdio_probe(struct plat
+ {
+ const struct of_device_id *id =
+ of_match_device(fsl_pq_mdio_match, &pdev->dev);
+- const struct fsl_pq_mdio_data *data = id->data;
++ const struct fsl_pq_mdio_data *data;
+ struct device_node *np = pdev->dev.of_node;
+ struct resource res;
+ struct device_node *tbi;
+@@ -389,6 +389,13 @@ static int fsl_pq_mdio_probe(struct plat
+ struct mii_bus *new_bus;
+ int err;
+
++ if (!id) {
++ dev_err(&pdev->dev, "Failed to match device\n");
++ return -ENODEV;
++ }
++
++ data = id->data;
++
+ dev_dbg(&pdev->dev, "found %s compatible node\n", id->compatible);
+
+ new_bus = mdiobus_alloc_size(sizeof(*priv));
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Lin Zhang <xiaolou4617@gmail.com>
+Date: Tue, 23 May 2017 13:29:39 +0800
+Subject: net: ieee802154: fix net_device reference release too early
+
+From: Lin Zhang <xiaolou4617@gmail.com>
+
+
+[ Upstream commit a611c58b3d42a92e6b23423e166dd17c0c7fffce ]
+
+This patch fixes the kernel oops when release net_device reference in
+advance. In function raw_sendmsg(i think the dgram_sendmsg has the same
+problem), there is a race condition between dev_put and dev_queue_xmit
+when the device is gong that maybe lead to dev_queue_ximt to see
+an illegal net_device pointer.
+
+My test kernel is 3.13.0-32 and because i am not have a real 802154
+device, so i change lowpan_newlink function to this:
+
+ /* find and hold real wpan device */
+ real_dev = dev_get_by_index(src_net, nla_get_u32(tb[IFLA_LINK]));
+ if (!real_dev)
+ return -ENODEV;
+// if (real_dev->type != ARPHRD_IEEE802154) {
+// dev_put(real_dev);
+// return -EINVAL;
+// }
+ lowpan_dev_info(dev)->real_dev = real_dev;
+ lowpan_dev_info(dev)->fragment_tag = 0;
+ mutex_init(&lowpan_dev_info(dev)->dev_list_mtx);
+
+Also, in order to simulate preempt, i change the raw_sendmsg function
+to this:
+
+ skb->dev = dev;
+ skb->sk = sk;
+ skb->protocol = htons(ETH_P_IEEE802154);
+ dev_put(dev);
+ //simulate preempt
+ schedule_timeout_uninterruptible(30 * HZ);
+ err = dev_queue_xmit(skb);
+ if (err > 0)
+ err = net_xmit_errno(err);
+
+and this is my userspace test code named test_send_data:
+
+int main(int argc, char **argv)
+{
+ char buf[127];
+ int sockfd;
+ sockfd = socket(AF_IEEE802154, SOCK_RAW, 0);
+ if (sockfd < 0) {
+ printf("create sockfd error: %s\n", strerror(errno));
+ return -1;
+ }
+ send(sockfd, buf, sizeof(buf), 0);
+ return 0;
+}
+
+This is my test case:
+
+root@zhanglin-x-computer:~/develop/802154# uname -a
+Linux zhanglin-x-computer 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15
+03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
+root@zhanglin-x-computer:~/develop/802154# ip link add link eth0 name
+lowpan0 type lowpan
+root@zhanglin-x-computer:~/develop/802154#
+//keep the lowpan0 device down
+root@zhanglin-x-computer:~/develop/802154# ./test_send_data &
+//wait a while
+root@zhanglin-x-computer:~/develop/802154# ip link del link dev lowpan0
+//the device is gone
+//oops
+[381.303307] general protection fault: 0000 [#1]SMP
+[381.303407] Modules linked in: af_802154 6lowpan bnep rfcomm
+bluetooth nls_iso8859_1 snd_hda_codec_hdmi snd_hda_codec_realtek
+rts5139(C) snd_hda_intel
+snd_had_codec snd_hwdep snd_pcm snd_page_alloc snd_seq_midi
+snd_seq_midi_event snd_rawmidi snd_req intel_rapl snd_seq_device
+coretemp i915 kvm_intel
+kvm snd_timer snd crct10dif_pclmul crc32_pclmul ghash_clmulni_intel
+cypted drm_kms_helper drm i2c_algo_bit soundcore video mac_hid
+parport_pc ppdev ip parport hid_generic
+usbhid hid ahci r8169 mii libahdi
+[381.304286] CPU:1 PID: 2524 Commm: 1 Tainted: G C 0 3.13.0-32-generic
+[381.304409] Hardware name: Haier Haier DT Computer/Haier DT Codputer,
+BIOS FIBT19H02_X64 06/09/2014
+[381.304546] tasks: ffff000096965fc0 ti: ffffB0013779c000 task.ti:
+ffffB8013779c000
+[381.304659] RIP: 0010:[<ffffffff01621fe1>] [<ffffffff81621fe1>]
+__dev_queue_ximt+0x61/0x500
+[381.304798] RSP: 0018:ffffB8013779dca0 EFLAGS: 00010202
+[381.304880] RAX: 272b031d57565351 RBX: 0000000000000000 RCX: ffff8800968f1a00
+[381.304987] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800968f1a00
+[381.305095] RBP: ffff8e013773dce0 R08: 0000000000000266 R09: 0000000000000004
+[381.305202] R10: 0000000000000004 R11: 0000000000000005 R12: ffff88013902e000
+[381.305310] R13: 000000000000007f R14: 000000000000007f R15: ffff8800968f1a00
+[381.305418] FS: 00007fc57f50f740(0000) GS: ffff88013fc80000(0000)
+knlGS: 0000000000000000
+[381.305540] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[381.305627] CR2: 00007fad0841c000 CR3: 00000001368dd000 CR4: 00000000001007e0
+[361.905734] Stack:
+[381.305768] 00000000002052d0 000000003facb30a ffff88013779dcc0
+ffff880137764000
+[381.305898] ffff88013779de70 000000000000007f 000000000000007f
+ffff88013902e000
+[381.306026] ffff88013779dcf0 ffffffff81622490 ffff88013779dd39
+ffffffffa03af9f1
+[381.306155] Call Trace:
+[381.306202] [<ffffffff81622490>] dev_queue_xmit+0x10/0x20
+[381.306294] [<ffffffffa03af9f1>] raw_sendmsg+0x1b1/0x270 [af_802154]
+[381.306396] [<ffffffffa03af054>] ieee802154_sock_sendmsg+0x14/0x20 [af_802154]
+[381.306512] [<ffffffff816079eb>] sock_sendmsg+0x8b/0xc0
+[381.306600] [<ffffffff811d52a5>] ? __d_alloc+0x25/0x180
+[381.306687] [<ffffffff811a1f56>] ? kmem_cache_alloc_trace+0x1c6/0x1f0
+[381.306791] [<ffffffff81607b91>] SYSC_sendto+0x121/0x1c0
+[381.306878] [<ffffffff8109ddf4>] ? vtime_account_user+x54/0x60
+[381.306975] [<ffffffff81020d45>] ? syscall_trace_enter+0x145/0x250
+[381.307073] [<ffffffff816086ae>] SyS_sendto+0xe/0x10
+[381.307156] [<ffffffff8172c87f>] tracesys+0xe1/0xe6
+[381.307233] Code: c6 a1 a4 ff 41 8b 57 78 49 8b 47 20 85 d2 48 8b 80
+78 07 00 00 75 21 49 8b 57 18 48 85 d2 74 18 48 85 c0 74 13 8b 92 ac
+01 00 00 <3b> 50 10 73 08 8b 44 90 14 41 89 47 78 41 f6 84 24 d5 00 00
+00
+[381.307801] RIP [<ffffffff81621fe1>] _dev_queue_xmit+0x61/0x500
+[381.307901] RSP <ffff88013779dca0>
+[381.347512] Kernel panic - not syncing: Fatal exception in interrupt
+[381.347747] drm_kms_helper: panic occurred, switching back to text console
+
+In my opinion, there is always exist a chance that the device is gong
+before call dev_queue_xmit.
+
+I think the latest kernel is have the same problem and that
+dev_put should be behind of the dev_queue_xmit.
+
+Signed-off-by: Lin Zhang <xiaolou4617@gmail.com>
+Acked-by: Stefan Schmidt <stefan@osg.samsung.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/socket.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ieee802154/socket.c
++++ b/net/ieee802154/socket.c
+@@ -304,12 +304,12 @@ static int raw_sendmsg(struct sock *sk,
+ skb->sk = sk;
+ skb->protocol = htons(ETH_P_IEEE802154);
+
+- dev_put(dev);
+-
+ err = dev_queue_xmit(skb);
+ if (err > 0)
+ err = net_xmit_errno(err);
+
++ dev_put(dev);
++
+ return err ?: size;
+
+ out_skb:
+@@ -693,12 +693,12 @@ static int dgram_sendmsg(struct sock *sk
+ skb->sk = sk;
+ skb->protocol = htons(ETH_P_IEEE802154);
+
+- dev_put(dev);
+-
+ err = dev_queue_xmit(skb);
+ if (err > 0)
+ err = net_xmit_errno(err);
+
++ dev_put(dev);
++
+ return err ?: size;
+
+ out_skb:
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: linzhang <xiaolou4617@gmail.com>
+Date: Thu, 25 May 2017 14:07:18 +0800
+Subject: net: llc: add lock_sock in llc_ui_bind to avoid a race condition
+
+From: linzhang <xiaolou4617@gmail.com>
+
+
+[ Upstream commit 0908cf4dfef35fc6ac12329007052ebe93ff1081 ]
+
+There is a race condition in llc_ui_bind if two or more processes/threads
+try to bind a same socket.
+
+If more processes/threads bind a same socket success that will lead to
+two problems, one is this action is not what we expected, another is
+will lead to kernel in unstable status or oops(in my simple test case,
+cause llc2.ko can't unload).
+
+The current code is test SOCK_ZAPPED bit to avoid a process to
+bind a same socket twice but that is can't avoid more processes/threads
+try to bind a same socket at the same time.
+
+So, add lock_sock in llc_ui_bind like others, such as llc_ui_connect.
+
+Signed-off-by: Lin Zhang <xiaolou4617@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/llc/af_llc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -309,6 +309,8 @@ static int llc_ui_bind(struct socket *so
+ int rc = -EINVAL;
+
+ dprintk("%s: binding %02X\n", __func__, addr->sllc_sap);
++
++ lock_sock(sk);
+ if (unlikely(!sock_flag(sk, SOCK_ZAPPED) || addrlen != sizeof(*addr)))
+ goto out;
+ rc = -EAFNOSUPPORT;
+@@ -380,6 +382,7 @@ static int llc_ui_bind(struct socket *so
+ out_put:
+ llc_sap_put(sap);
+ out:
++ release_sock(sk);
+ return rc;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Ido Shamay <idos@mellanox.com>
+Date: Mon, 5 Jun 2017 10:44:56 +0300
+Subject: net/mlx4: Check if Granular QoS per VF has been enabled before updating QP qos_vport
+
+From: Ido Shamay <idos@mellanox.com>
+
+
+[ Upstream commit 269f9883fe254d109afdfc657875c456d6fabb08 ]
+
+The Granular QoS per VF feature must be enabled in FW before it can be
+used.
+
+Thus, the driver cannot modify a QP's qos_vport value (via the UPDATE_QP FW
+command) if the feature has not been enabled -- the FW returns an error if
+this is attempted.
+
+Fixes: 08068cd5683f ("net/mlx4: Added qos_vport QP configuration in VST mode")
+Signed-off-by: Ido Shamay <idos@mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/qp.c | 6 ++++++
+ drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 16 +++++++++++-----
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/qp.c
++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c
+@@ -487,6 +487,12 @@ int mlx4_update_qp(struct mlx4_dev *dev,
+ }
+
+ if (attr & MLX4_UPDATE_QP_QOS_VPORT) {
++ if (!(dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_QOS_VPP)) {
++ mlx4_warn(dev, "Granular QoS per VF is not enabled\n");
++ err = -EOPNOTSUPP;
++ goto out;
++ }
++
+ qp_mask |= 1ULL << MLX4_UPD_QP_MASK_QOS_VPP;
+ cmd->qp_context.qos_vport = params->qos_vport;
+ }
+--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
++++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
+@@ -5214,6 +5214,13 @@ void mlx4_delete_all_resources_for_slave
+ mutex_unlock(&priv->mfunc.master.res_tracker.slave_list[slave].mutex);
+ }
+
++static void update_qos_vpp(struct mlx4_update_qp_context *ctx,
++ struct mlx4_vf_immed_vlan_work *work)
++{
++ ctx->qp_mask |= cpu_to_be64(1ULL << MLX4_UPD_QP_MASK_QOS_VPP);
++ ctx->qp_context.qos_vport = work->qos_vport;
++}
++
+ void mlx4_vf_immed_vlan_work_handler(struct work_struct *_work)
+ {
+ struct mlx4_vf_immed_vlan_work *work =
+@@ -5328,11 +5335,10 @@ void mlx4_vf_immed_vlan_work_handler(str
+ qp->sched_queue & 0xC7;
+ upd_context->qp_context.pri_path.sched_queue |=
+ ((work->qos & 0x7) << 3);
+- upd_context->qp_mask |=
+- cpu_to_be64(1ULL <<
+- MLX4_UPD_QP_MASK_QOS_VPP);
+- upd_context->qp_context.qos_vport =
+- work->qos_vport;
++
++ if (dev->caps.flags2 &
++ MLX4_DEV_CAP_FLAG2_QOS_VPP)
++ update_qos_vpp(upd_context, work);
+ }
+
+ err = mlx4_cmd(dev, mailbox->dma,
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Talat Batheesh <talatb@mellanox.com>
+Date: Sun, 4 Jun 2017 14:30:07 +0300
+Subject: net/mlx4: Fix the check in attaching steering rules
+
+From: Talat Batheesh <talatb@mellanox.com>
+
+
+[ Upstream commit 6dc06c08bef1c746ff8da33dab677cfbacdcad32 ]
+
+Our previous patch (cited below) introduced a regression
+for RAW Eth QPs.
+
+Fix it by checking if the QP number provided by user-space
+exists, hence allowing steering rules to be added for valid
+QPs only.
+
+Fixes: 89c557687a32 ("net/mlx4_en: Avoid adding steering rules with invalid ring")
+Reported-by: Or Gerlitz <gerlitz.or@gmail.com>
+Signed-off-by: Talat Batheesh <talatb@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Acked-by: Or Gerlitz <ogerlitz@mellanox.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 5 -----
+ drivers/net/ethernet/mellanox/mlx4/mcg.c | 15 +++++++++++----
+ drivers/net/ethernet/mellanox/mlx4/qp.c | 13 +++++++++++++
+ include/linux/mlx4/qp.h | 1 +
+ 4 files changed, 25 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+@@ -1520,11 +1520,6 @@ static int mlx4_en_flow_replace(struct n
+ qpn = priv->drop_qp.qpn;
+ else if (cmd->fs.ring_cookie & EN_ETHTOOL_QP_ATTACH) {
+ qpn = cmd->fs.ring_cookie & (EN_ETHTOOL_QP_ATTACH - 1);
+- if (qpn < priv->rss_map.base_qpn ||
+- qpn >= priv->rss_map.base_qpn + priv->rx_ring_num) {
+- en_warn(priv, "rxnfc: QP (0x%x) doesn't exist\n", qpn);
+- return -EINVAL;
+- }
+ } else {
+ if (cmd->fs.ring_cookie >= priv->rx_ring_num) {
+ en_warn(priv, "rxnfc: RX ring (%llu) doesn't exist\n",
+--- a/drivers/net/ethernet/mellanox/mlx4/mcg.c
++++ b/drivers/net/ethernet/mellanox/mlx4/mcg.c
+@@ -35,6 +35,7 @@
+ #include <linux/etherdevice.h>
+
+ #include <linux/mlx4/cmd.h>
++#include <linux/mlx4/qp.h>
+ #include <linux/export.h>
+
+ #include "mlx4.h"
+@@ -985,16 +986,21 @@ int mlx4_flow_attach(struct mlx4_dev *de
+ if (IS_ERR(mailbox))
+ return PTR_ERR(mailbox);
+
++ if (!mlx4_qp_lookup(dev, rule->qpn)) {
++ mlx4_err_rule(dev, "QP doesn't exist\n", rule);
++ ret = -EINVAL;
++ goto out;
++ }
++
+ trans_rule_ctrl_to_hw(rule, mailbox->buf);
+
+ size += sizeof(struct mlx4_net_trans_rule_hw_ctrl);
+
+ list_for_each_entry(cur, &rule->list, list) {
+ ret = parse_trans_rule(dev, cur, mailbox->buf + size);
+- if (ret < 0) {
+- mlx4_free_cmd_mailbox(dev, mailbox);
+- return ret;
+- }
++ if (ret < 0)
++ goto out;
++
+ size += ret;
+ }
+
+@@ -1021,6 +1027,7 @@ int mlx4_flow_attach(struct mlx4_dev *de
+ }
+ }
+
++out:
+ mlx4_free_cmd_mailbox(dev, mailbox);
+
+ return ret;
+--- a/drivers/net/ethernet/mellanox/mlx4/qp.c
++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c
+@@ -387,6 +387,19 @@ static void mlx4_qp_free_icm(struct mlx4
+ __mlx4_qp_free_icm(dev, qpn);
+ }
+
++struct mlx4_qp *mlx4_qp_lookup(struct mlx4_dev *dev, u32 qpn)
++{
++ struct mlx4_qp_table *qp_table = &mlx4_priv(dev)->qp_table;
++ struct mlx4_qp *qp;
++
++ spin_lock(&qp_table->lock);
++
++ qp = __mlx4_qp_lookup(dev, qpn);
++
++ spin_unlock(&qp_table->lock);
++ return qp;
++}
++
+ int mlx4_qp_alloc(struct mlx4_dev *dev, int qpn, struct mlx4_qp *qp, gfp_t gfp)
+ {
+ struct mlx4_priv *priv = mlx4_priv(dev);
+--- a/include/linux/mlx4/qp.h
++++ b/include/linux/mlx4/qp.h
+@@ -470,6 +470,7 @@ struct mlx4_update_qp_params {
+ u16 rate_val;
+ };
+
++struct mlx4_qp *mlx4_qp_lookup(struct mlx4_dev *dev, u32 qpn);
+ int mlx4_update_qp(struct mlx4_dev *dev, u32 qpn,
+ enum mlx4_update_qp_attr attr,
+ struct mlx4_update_qp_params *params);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Talat Batheesh <talatb@mellanox.com>
+Date: Tue, 9 May 2017 14:45:23 +0300
+Subject: net/mlx4_en: Avoid adding steering rules with invalid ring
+
+From: Talat Batheesh <talatb@mellanox.com>
+
+
+[ Upstream commit 89c557687a32c294e9d25670a96e9287c09f2d5f ]
+
+Inserting steering rules with illegal ring is an invalid operation,
+block it.
+
+Fixes: 820672812f82 ('net/mlx4_en: Manage flow steering rules with ethtool')
+Signed-off-by: Talat Batheesh <talatb@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+@@ -1520,6 +1520,11 @@ static int mlx4_en_flow_replace(struct n
+ qpn = priv->drop_qp.qpn;
+ else if (cmd->fs.ring_cookie & EN_ETHTOOL_QP_ATTACH) {
+ qpn = cmd->fs.ring_cookie & (EN_ETHTOOL_QP_ATTACH - 1);
++ if (qpn < priv->rss_map.base_qpn ||
++ qpn >= priv->rss_map.base_qpn + priv->rx_ring_num) {
++ en_warn(priv, "rxnfc: QP (0x%x) doesn't exist\n", qpn);
++ return -EINVAL;
++ }
+ } else {
+ if (cmd->fs.ring_cookie >= priv->rx_ring_num) {
+ en_warn(priv, "rxnfc: RX ring (%llu) doesn't exist\n",
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Moni Shoua <monis@mellanox.com>
+Date: Thu, 28 Dec 2017 16:26:11 +0200
+Subject: net/mlx4_en: Change default QoS settings
+
+From: Moni Shoua <monis@mellanox.com>
+
+
+[ Upstream commit a42b63c1ac1986f17f71bc91a6b0aaa14d4dae71 ]
+
+Change the default mapping between TC and TCG as follows:
+
+Prio | TC/TCG
+ | from to
+ | (set by FW) (set by SW)
+---------+-----------------------------------
+0 | 0/0 0/7
+1 | 1/0 0/6
+2 | 2/0 0/5
+3 | 3/0 0/4
+4 | 4/0 0/3
+5 | 5/0 0/2
+6 | 6/0 0/1
+7 | 7/0 0/0
+
+These new settings cause that a pause frame for any prio stops
+traffic for all prios.
+
+Fixes: 564c274c3df0 ("net/mlx4_en: DCB QoS support")
+Signed-off-by: Moni Shoua <monis@mellanox.com>
+Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c | 5 +++++
+ drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 7 +++++++
+ drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 1 +
+ 3 files changed, 13 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c
+@@ -310,6 +310,7 @@ static int mlx4_en_ets_validate(struct m
+ }
+
+ switch (ets->tc_tsa[i]) {
++ case IEEE_8021QAZ_TSA_VENDOR:
+ case IEEE_8021QAZ_TSA_STRICT:
+ break;
+ case IEEE_8021QAZ_TSA_ETS:
+@@ -347,6 +348,10 @@ static int mlx4_en_config_port_scheduler
+ /* higher TC means higher priority => lower pg */
+ for (i = IEEE_8021QAZ_MAX_TCS - 1; i >= 0; i--) {
+ switch (ets->tc_tsa[i]) {
++ case IEEE_8021QAZ_TSA_VENDOR:
++ pg[i] = MLX4_EN_TC_VENDOR;
++ tc_tx_bw[i] = MLX4_EN_BW_MAX;
++ break;
+ case IEEE_8021QAZ_TSA_STRICT:
+ pg[i] = num_strict++;
+ tc_tx_bw[i] = MLX4_EN_BW_MAX;
+--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+@@ -3125,6 +3125,13 @@ int mlx4_en_init_netdev(struct mlx4_en_d
+ priv->msg_enable = MLX4_EN_MSG_LEVEL;
+ #ifdef CONFIG_MLX4_EN_DCB
+ if (!mlx4_is_slave(priv->mdev->dev)) {
++ u8 prio;
++
++ for (prio = 0; prio < IEEE_8021QAZ_MAX_TCS; ++prio) {
++ priv->ets.prio_tc[prio] = prio;
++ priv->ets.tc_tsa[prio] = IEEE_8021QAZ_TSA_VENDOR;
++ }
++
+ priv->dcbx_cap = DCB_CAP_DCBX_VER_CEE | DCB_CAP_DCBX_HOST |
+ DCB_CAP_DCBX_VER_IEEE;
+ priv->flags |= MLX4_EN_DCB_ENABLED;
+--- a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
++++ b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
+@@ -472,6 +472,7 @@ struct mlx4_en_frag_info {
+ #define MLX4_EN_BW_MIN 1
+ #define MLX4_EN_BW_MAX 100 /* Utilize 100% of the line */
+
++#define MLX4_EN_TC_VENDOR 0
+ #define MLX4_EN_TC_ETS 7
+
+ enum dcb_pfc_type {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 29 May 2017 15:00:17 +0200
+Subject: net/mlx5: avoid build warning for uniprocessor
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+
+[ Upstream commit f0d7ae95fff4ab444b8433f07afc4b077ef1a285 ]
+
+Building the driver with CONFIG_SMP disabled results in a harmless
+warning:
+
+ethernet/mellanox/mlx5/core/main.c: In function 'mlx5_irq_set_affinity_hint':
+ethernet/mellanox/mlx5/core/main.c:615:6: error: unused variable 'irq' [-Werror=unused-variable]
+
+It's better to express the conditional compilation using IS_ENABLED()
+here, as that lets the compiler see what the intented use for the variable
+is, and that it can be silently discarded.
+
+Fixes: b665d98edc9a ("net/mlx5: Tolerate irq_set_affinity_hint() failures")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -557,10 +557,9 @@ static int mlx5_irq_set_affinity_hint(st
+ cpumask_set_cpu(cpumask_local_spread(i, priv->numa_node),
+ priv->irq_info[i].mask);
+
+-#ifdef CONFIG_SMP
+- if (irq_set_affinity_hint(irq, priv->irq_info[i].mask))
++ if (IS_ENABLED(CONFIG_SMP) &&
++ irq_set_affinity_hint(irq, priv->irq_info[i].mask))
+ mlx5_core_warn(mdev, "irq_set_affinity_hint failed, irq 0x%.4x", irq);
+-#endif
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Tariq Toukan <tariqt@mellanox.com>
+Date: Thu, 18 May 2017 13:34:43 +0300
+Subject: net/mlx5: Tolerate irq_set_affinity_hint() failures
+
+From: Tariq Toukan <tariqt@mellanox.com>
+
+
+[ Upstream commit b665d98edc9ab295169be2fc5bb4e89a46de0a1a ]
+
+Add tolerance to failures of irq_set_affinity_hint().
+Its role is to give hints that optimizes performance,
+and should not block the driver load.
+
+In non-SMP systems, functionality is not available as
+there is a single core, and all these calls definitely
+fail. Hence, do not call the function and avoid the
+warning prints.
+
+Fixes: db058a186f98 ("net/mlx5_core: Set irq affinity hints")
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Cc: kernel-team@fb.com
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -548,7 +548,6 @@ static int mlx5_irq_set_affinity_hint(st
+ struct mlx5_priv *priv = &mdev->priv;
+ struct msix_entry *msix = priv->msix_arr;
+ int irq = msix[i + MLX5_EQ_VEC_COMP_BASE].vector;
+- int err;
+
+ if (!zalloc_cpumask_var(&priv->irq_info[i].mask, GFP_KERNEL)) {
+ mlx5_core_warn(mdev, "zalloc_cpumask_var failed");
+@@ -558,18 +557,12 @@ static int mlx5_irq_set_affinity_hint(st
+ cpumask_set_cpu(cpumask_local_spread(i, priv->numa_node),
+ priv->irq_info[i].mask);
+
+- err = irq_set_affinity_hint(irq, priv->irq_info[i].mask);
+- if (err) {
+- mlx5_core_warn(mdev, "irq_set_affinity_hint failed,irq 0x%.4x",
+- irq);
+- goto err_clear_mask;
+- }
++#ifdef CONFIG_SMP
++ if (irq_set_affinity_hint(irq, priv->irq_info[i].mask))
++ mlx5_core_warn(mdev, "irq_set_affinity_hint failed, irq 0x%.4x", irq);
++#endif
+
+ return 0;
+-
+-err_clear_mask:
+- free_cpumask_var(priv->irq_info[i].mask);
+- return err;
+ }
+
+ static void mlx5_irq_clear_affinity_hint(struct mlx5_core_dev *mdev, int i)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Roman Kapl <roman.kapl@sysgo.com>
+Date: Wed, 24 May 2017 10:22:22 +0200
+Subject: net: move somaxconn init from sysctl code
+
+From: Roman Kapl <roman.kapl@sysgo.com>
+
+
+[ Upstream commit 7c3f1875c66fbc19762760097cabc91849ea0bbb ]
+
+The default value for somaxconn is set in sysctl_core_net_init(), but this
+function is not called when kernel is configured without CONFIG_SYSCTL.
+
+This results in the kernel not being able to accept TCP connections,
+because the backlog has zero size. Usually, the user ends up with:
+"TCP: request_sock_TCP: Possible SYN flooding on port 7. Dropping request. Check SNMP counters."
+If SYN cookies are not enabled the connection is rejected.
+
+Before ef547f2ac16 (tcp: remove max_qlen_log), the effects were less
+severe, because the backlog was always at least eight slots long.
+
+Signed-off-by: Roman Kapl <roman.kapl@sysgo.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/net_namespace.c | 19 +++++++++++++++++++
+ net/core/sysctl_net_core.c | 2 --
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -312,6 +312,25 @@ out_undo:
+ goto out;
+ }
+
++static int __net_init net_defaults_init_net(struct net *net)
++{
++ net->core.sysctl_somaxconn = SOMAXCONN;
++ return 0;
++}
++
++static struct pernet_operations net_defaults_ops = {
++ .init = net_defaults_init_net,
++};
++
++static __init int net_defaults_init(void)
++{
++ if (register_pernet_subsys(&net_defaults_ops))
++ panic("Cannot initialize net default settings");
++
++ return 0;
++}
++
++core_initcall(net_defaults_init);
+
+ #ifdef CONFIG_NET_NS
+ static struct ucounts *inc_net_namespaces(struct user_namespace *ns)
+--- a/net/core/sysctl_net_core.c
++++ b/net/core/sysctl_net_core.c
+@@ -438,8 +438,6 @@ static __net_init int sysctl_core_net_in
+ {
+ struct ctl_table *tbl;
+
+- net->core.sysctl_somaxconn = SOMAXCONN;
+-
+ tbl = netns_core_table;
+ if (!net_eq(net, &init_net)) {
+ tbl = kmemdup(tbl, sizeof(netns_core_table), GFP_KERNEL);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 5 Jun 2017 12:22:55 +0100
+Subject: net: phy: avoid genphy_aneg_done() for PHYs without clause 22 support
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+
+[ Upstream commit 41408ad519f7a2a1c5229e61f2a97f4df1b61adc ]
+
+Avoid calling genphy_aneg_done() for PHYs that do not implement the
+Clause 22 register set.
+
+Clause 45 PHYs may implement the Clause 22 register set along with the
+Clause 22 extension MMD. Hence, we can't simply block access to the
+Clause 22 functions based on the PHY being a Clause 45 PHY.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phy.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/phy/phy.c
++++ b/drivers/net/phy/phy.c
+@@ -148,6 +148,12 @@ static inline int phy_aneg_done(struct p
+ if (phydev->drv->aneg_done)
+ return phydev->drv->aneg_done(phydev);
+
++ /* Avoid genphy_aneg_done() if the Clause 45 PHY does not
++ * implement Clause 22 registers
++ */
++ if (phydev->is_c45 && !(phydev->c45_ids.devices_in_package & BIT(0)))
++ return -EINVAL;
++
+ return genphy_aneg_done(phydev);
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Leonard Crestez <leonard.crestez@nxp.com>
+Date: Wed, 31 May 2017 13:29:30 +0300
+Subject: net: phy: micrel: Restore led_mode and clk_sel on resume
+
+From: Leonard Crestez <leonard.crestez@nxp.com>
+
+
+[ Upstream commit 79e498a9c7da0737829ff864aae44df434105676 ]
+
+These bits seem to be lost after a suspend/resume cycle so just set them
+again. Do this by splitting the handling of these bits into a function
+that is also called on resume.
+
+This patch fixes ethernet suspend/resume on imx6ul-14x14-evk boards.
+
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/micrel.c | 42 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 28 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -268,23 +268,12 @@ out:
+ return ret;
+ }
+
+-static int kszphy_config_init(struct phy_device *phydev)
++/* Some config bits need to be set again on resume, handle them here. */
++static int kszphy_config_reset(struct phy_device *phydev)
+ {
+ struct kszphy_priv *priv = phydev->priv;
+- const struct kszphy_type *type;
+ int ret;
+
+- if (!priv)
+- return 0;
+-
+- type = priv->type;
+-
+- if (type->has_broadcast_disable)
+- kszphy_broadcast_disable(phydev);
+-
+- if (type->has_nand_tree_disable)
+- kszphy_nand_tree_disable(phydev);
+-
+ if (priv->rmii_ref_clk_sel) {
+ ret = kszphy_rmii_clk_sel(phydev, priv->rmii_ref_clk_sel_val);
+ if (ret) {
+@@ -295,7 +284,7 @@ static int kszphy_config_init(struct phy
+ }
+
+ if (priv->led_mode >= 0)
+- kszphy_setup_led(phydev, type->led_mode_reg, priv->led_mode);
++ kszphy_setup_led(phydev, priv->type->led_mode_reg, priv->led_mode);
+
+ if (phy_interrupt_is_valid(phydev)) {
+ int ctl = phy_read(phydev, MII_BMCR);
+@@ -311,6 +300,25 @@ static int kszphy_config_init(struct phy
+ return 0;
+ }
+
++static int kszphy_config_init(struct phy_device *phydev)
++{
++ struct kszphy_priv *priv = phydev->priv;
++ const struct kszphy_type *type;
++
++ if (!priv)
++ return 0;
++
++ type = priv->type;
++
++ if (type->has_broadcast_disable)
++ kszphy_broadcast_disable(phydev);
++
++ if (type->has_nand_tree_disable)
++ kszphy_nand_tree_disable(phydev);
++
++ return kszphy_config_reset(phydev);
++}
++
+ static int ksz8041_config_init(struct phy_device *phydev)
+ {
+ struct device_node *of_node = phydev->mdio.dev.of_node;
+@@ -715,8 +723,14 @@ static int kszphy_suspend(struct phy_dev
+
+ static int kszphy_resume(struct phy_device *phydev)
+ {
++ int ret;
++
+ genphy_resume(phydev);
+
++ ret = kszphy_config_reset(phydev);
++ if (ret)
++ return ret;
++
+ /* Enable PHY Interrupts */
+ if (phy_interrupt_is_valid(phydev)) {
+ phydev->interrupts = PHY_INTERRUPT_ENABLED;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Tue, 9 May 2017 15:40:38 +0200
+Subject: net: qca_spi: Fix alignment issues in rx path
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+
+[ Upstream commit 8d66c30b12ed3cb533696dea8b9a9eadd5da426a ]
+
+The qca_spi driver causes alignment issues on ARM devices.
+So fix this by using netdev_alloc_skb_ip_align().
+
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qualcomm/qca_spi.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/qualcomm/qca_spi.c
++++ b/drivers/net/ethernet/qualcomm/qca_spi.c
+@@ -296,8 +296,9 @@ qcaspi_receive(struct qcaspi *qca)
+
+ /* Allocate rx SKB if we don't have one available. */
+ if (!qca->rx_skb) {
+- qca->rx_skb = netdev_alloc_skb(net_dev,
+- net_dev->mtu + VLAN_ETH_HLEN);
++ qca->rx_skb = netdev_alloc_skb_ip_align(net_dev,
++ net_dev->mtu +
++ VLAN_ETH_HLEN);
+ if (!qca->rx_skb) {
+ netdev_dbg(net_dev, "out of RX resources\n");
+ qca->stats.out_of_mem++;
+@@ -377,7 +378,7 @@ qcaspi_receive(struct qcaspi *qca)
+ qca->rx_skb, qca->rx_skb->dev);
+ qca->rx_skb->ip_summed = CHECKSUM_UNNECESSARY;
+ netif_rx_ni(qca->rx_skb);
+- qca->rx_skb = netdev_alloc_skb(net_dev,
++ qca->rx_skb = netdev_alloc_skb_ip_align(net_dev,
+ net_dev->mtu + VLAN_ETH_HLEN);
+ if (!qca->rx_skb) {
+ netdev_dbg(net_dev, "out of RX resources\n");
+@@ -759,7 +760,8 @@ qcaspi_netdev_init(struct net_device *de
+ if (!qca->rx_buffer)
+ return -ENOBUFS;
+
+- qca->rx_skb = netdev_alloc_skb(dev, qca->net_dev->mtu + VLAN_ETH_HLEN);
++ qca->rx_skb = netdev_alloc_skb_ip_align(dev, qca->net_dev->mtu +
++ VLAN_ETH_HLEN);
+ if (!qca->rx_skb) {
+ kfree(qca->rx_buffer);
+ netdev_info(qca->net_dev, "Failed to allocate RX sk_buff.\n");
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Holger Brunck <holger.brunck@keymile.com>
+Date: Wed, 17 May 2017 17:24:35 +0200
+Subject: net/wan/fsl_ucc_hdlc: fix incorrect memory allocation
+
+From: Holger Brunck <holger.brunck@keymile.com>
+
+
+[ Upstream commit 5b8aad93c52bdda6a731cab8497998cfa0f2df07 ]
+
+We need space for the struct qe_bd and not for a pointer to this struct.
+
+Signed-off-by: Holger Brunck <holger.brunck@keymile.com>
+Cc: Zhao Qiang <qiang.zhao@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/fsl_ucc_hdlc.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wan/fsl_ucc_hdlc.c
++++ b/drivers/net/wan/fsl_ucc_hdlc.c
+@@ -137,7 +137,7 @@ static int uhdlc_init(struct ucc_hdlc_pr
+ priv->tx_ring_size = TX_BD_RING_LEN;
+ /* Alloc Rx BD */
+ priv->rx_bd_base = dma_alloc_coherent(priv->dev,
+- RX_BD_RING_LEN * sizeof(struct qe_bd *),
++ RX_BD_RING_LEN * sizeof(struct qe_bd),
+ &priv->dma_rx_bd, GFP_KERNEL);
+
+ if (!priv->rx_bd_base) {
+@@ -148,7 +148,7 @@ static int uhdlc_init(struct ucc_hdlc_pr
+
+ /* Alloc Tx BD */
+ priv->tx_bd_base = dma_alloc_coherent(priv->dev,
+- TX_BD_RING_LEN * sizeof(struct qe_bd *),
++ TX_BD_RING_LEN * sizeof(struct qe_bd),
+ &priv->dma_tx_bd, GFP_KERNEL);
+
+ if (!priv->tx_bd_base) {
+@@ -295,11 +295,11 @@ free_ucc_pram:
+ qe_muram_free(priv->ucc_pram_offset);
+ free_tx_bd:
+ dma_free_coherent(priv->dev,
+- TX_BD_RING_LEN * sizeof(struct qe_bd *),
++ TX_BD_RING_LEN * sizeof(struct qe_bd),
+ priv->tx_bd_base, priv->dma_tx_bd);
+ free_rx_bd:
+ dma_free_coherent(priv->dev,
+- RX_BD_RING_LEN * sizeof(struct qe_bd *),
++ RX_BD_RING_LEN * sizeof(struct qe_bd),
+ priv->rx_bd_base, priv->dma_rx_bd);
+ free_uccf:
+ ucc_fast_free(priv->uccf);
+@@ -688,7 +688,7 @@ static void uhdlc_memclean(struct ucc_hd
+
+ if (priv->rx_bd_base) {
+ dma_free_coherent(priv->dev,
+- RX_BD_RING_LEN * sizeof(struct qe_bd *),
++ RX_BD_RING_LEN * sizeof(struct qe_bd),
+ priv->rx_bd_base, priv->dma_rx_bd);
+
+ priv->rx_bd_base = NULL;
+@@ -697,7 +697,7 @@ static void uhdlc_memclean(struct ucc_hd
+
+ if (priv->tx_bd_base) {
+ dma_free_coherent(priv->dev,
+- TX_BD_RING_LEN * sizeof(struct qe_bd *),
++ TX_BD_RING_LEN * sizeof(struct qe_bd),
+ priv->tx_bd_base, priv->dma_tx_bd);
+
+ priv->tx_bd_base = NULL;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Holger Brunck <holger.brunck@keymile.com>
+Date: Mon, 22 May 2017 09:31:15 +0200
+Subject: net/wan/fsl_ucc_hdlc: fix muram allocation error
+
+From: Holger Brunck <holger.brunck@keymile.com>
+
+
+[ Upstream commit 85deed56032b6c98b541895bfda9bdd74f6ed987 ]
+
+sizeof(priv->ucc_pram) is 4 as it is the size of a pointer, but we want
+to reserve space for the struct ucc_hdlc_param.
+
+Signed-off-by: Holger Brunck <holger.brunck@keymile.com>
+Cc: Zhao Qiang <qiang.zhao@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/fsl_ucc_hdlc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wan/fsl_ucc_hdlc.c
++++ b/drivers/net/wan/fsl_ucc_hdlc.c
+@@ -158,7 +158,7 @@ static int uhdlc_init(struct ucc_hdlc_pr
+ }
+
+ /* Alloc parameter ram for ucc hdlc */
+- priv->ucc_pram_offset = qe_muram_alloc(sizeof(priv->ucc_pram),
++ priv->ucc_pram_offset = qe_muram_alloc(sizeof(struct ucc_hdlc_param),
+ ALIGNMENT_OF_UCC_HDLC_PRAM);
+
+ if (priv->ucc_pram_offset < 0) {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Holger Brunck <holger.brunck@keymile.com>
+Date: Wed, 17 May 2017 17:24:33 +0200
+Subject: net/wan/fsl_ucc_hdlc: fix unitialized variable warnings
+
+From: Holger Brunck <holger.brunck@keymile.com>
+
+
+[ Upstream commit 66bb144bd9096dd5268ef736ba769b8b6f4ef100 ]
+
+This fixes the following compiler warnings:
+drivers/net/wan/fsl_ucc_hdlc.c: In function 'ucc_hdlc_poll':
+warning: 'skb' may be used uninitialized in this function
+[-Wmaybe-uninitialized]
+ skb->mac_header = skb->data - skb->head;
+
+and
+
+drivers/net/wan/fsl_ucc_hdlc.c: In function 'ucc_hdlc_probe':
+drivers/net/wan/fsl_ucc_hdlc.c:1127:3: warning: 'utdm' may be used
+uninitialized in this function [-Wmaybe-uninitialized]
+ kfree(utdm);
+
+Signed-off-by: Holger Brunck <holger.brunck@keymile.com>
+Cc: Zhao Qiang <qiang.zhao@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/fsl_ucc_hdlc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wan/fsl_ucc_hdlc.c
++++ b/drivers/net/wan/fsl_ucc_hdlc.c
+@@ -454,7 +454,7 @@ static int hdlc_tx_done(struct ucc_hdlc_
+ static int hdlc_rx_done(struct ucc_hdlc_private *priv, int rx_work_limit)
+ {
+ struct net_device *dev = priv->ndev;
+- struct sk_buff *skb;
++ struct sk_buff *skb = NULL;
+ hdlc_device *hdlc = dev_to_hdlc(dev);
+ struct qe_bd *bd;
+ u32 bd_status;
+@@ -1002,7 +1002,7 @@ static int ucc_hdlc_probe(struct platfor
+ struct device_node *np = pdev->dev.of_node;
+ struct ucc_hdlc_private *uhdlc_priv = NULL;
+ struct ucc_tdm_info *ut_info;
+- struct ucc_tdm *utdm;
++ struct ucc_tdm *utdm = NULL;
+ struct resource res;
+ struct net_device *dev;
+ hdlc_device *hdlc;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: linzhang <xiaolou4617@gmail.com>
+Date: Wed, 17 May 2017 12:05:07 +0800
+Subject: net: x25: fix one potential use-after-free issue
+
+From: linzhang <xiaolou4617@gmail.com>
+
+
+[ Upstream commit 64df6d525fcff1630098db9238bfd2b3e092d5c1 ]
+
+The function x25_init is not properly unregister related resources
+on error handler.It is will result in kernel oops if x25_init init
+failed, so add properly unregister call on error handler.
+
+Also, i adjust the coding style and make x25_register_sysctl properly
+return failure.
+
+Signed-off-by: linzhang <xiaolou4617@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/x25.h | 4 ++--
+ net/x25/af_x25.c | 24 ++++++++++++++++--------
+ net/x25/sysctl_net_x25.c | 5 ++++-
+ 3 files changed, 22 insertions(+), 11 deletions(-)
+
+--- a/include/net/x25.h
++++ b/include/net/x25.h
+@@ -298,10 +298,10 @@ void x25_check_rbuf(struct sock *);
+
+ /* sysctl_net_x25.c */
+ #ifdef CONFIG_SYSCTL
+-void x25_register_sysctl(void);
++int x25_register_sysctl(void);
+ void x25_unregister_sysctl(void);
+ #else
+-static inline void x25_register_sysctl(void) {};
++static inline int x25_register_sysctl(void) { return 0; };
+ static inline void x25_unregister_sysctl(void) {};
+ #endif /* CONFIG_SYSCTL */
+
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -1790,32 +1790,40 @@ void x25_kill_by_neigh(struct x25_neigh
+
+ static int __init x25_init(void)
+ {
+- int rc = proto_register(&x25_proto, 0);
++ int rc;
+
+- if (rc != 0)
++ rc = proto_register(&x25_proto, 0);
++ if (rc)
+ goto out;
+
+ rc = sock_register(&x25_family_ops);
+- if (rc != 0)
++ if (rc)
+ goto out_proto;
+
+ dev_add_pack(&x25_packet_type);
+
+ rc = register_netdevice_notifier(&x25_dev_notifier);
+- if (rc != 0)
++ if (rc)
+ goto out_sock;
+
+- pr_info("Linux Version 0.2\n");
++ rc = x25_register_sysctl();
++ if (rc)
++ goto out_dev;
+
+- x25_register_sysctl();
+ rc = x25_proc_init();
+- if (rc != 0)
+- goto out_dev;
++ if (rc)
++ goto out_sysctl;
++
++ pr_info("Linux Version 0.2\n");
++
+ out:
+ return rc;
++out_sysctl:
++ x25_unregister_sysctl();
+ out_dev:
+ unregister_netdevice_notifier(&x25_dev_notifier);
+ out_sock:
++ dev_remove_pack(&x25_packet_type);
+ sock_unregister(AF_X25);
+ out_proto:
+ proto_unregister(&x25_proto);
+--- a/net/x25/sysctl_net_x25.c
++++ b/net/x25/sysctl_net_x25.c
+@@ -73,9 +73,12 @@ static struct ctl_table x25_table[] = {
+ { 0, },
+ };
+
+-void __init x25_register_sysctl(void)
++int __init x25_register_sysctl(void)
+ {
+ x25_table_header = register_net_sysctl(&init_net, "net/x25", x25_table);
++ if (!x25_table_header)
++ return -ENOMEM;
++ return 0;
+ }
+
+ void x25_unregister_sysctl(void)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Sun, 21 May 2017 12:52:56 +0200
+Subject: netfilter: conntrack: don't call iter for non-confirmed conntracks
+
+From: Florian Westphal <fw@strlen.de>
+
+
+[ Upstream commit b0feacaad13a0aa9657c37ed80991575981e2e3b ]
+
+nf_ct_iterate_cleanup_net currently calls iter() callback also for
+conntracks on the unconfirmed list, but this is unsafe.
+
+Acesses to nf_conn are fine, but some users access the extension area
+in the iter() callback, but that does only work reliably for confirmed
+conntracks (ct->ext can be reallocated at any time for unconfirmed
+conntrack).
+
+The seond issue is that there is a short window where a conntrack entry
+is neither on the list nor in the table: To confirm an entry, it is first
+removed from the unconfirmed list, then insert into the table.
+
+Fix this by iterating the unconfirmed list first and marking all entries
+as dying, then wait for rcu grace period.
+
+This makes sure all entries that were about to be confirmed either are
+in the main table, or will be dropped soon.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_core.c | 39 ++++++++++++++++++++++++++++----------
+ 1 file changed, 29 insertions(+), 10 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1542,7 +1542,6 @@ get_next_corpse(struct net *net, int (*i
+ struct nf_conntrack_tuple_hash *h;
+ struct nf_conn *ct;
+ struct hlist_nulls_node *n;
+- int cpu;
+ spinlock_t *lockp;
+
+ for (; *bucket < nf_conntrack_htable_size; (*bucket)++) {
+@@ -1564,24 +1563,40 @@ get_next_corpse(struct net *net, int (*i
+ cond_resched();
+ }
+
++ return NULL;
++found:
++ atomic_inc(&ct->ct_general.use);
++ spin_unlock(lockp);
++ local_bh_enable();
++ return ct;
++}
++
++static void
++__nf_ct_unconfirmed_destroy(struct net *net)
++{
++ int cpu;
++
+ for_each_possible_cpu(cpu) {
+- struct ct_pcpu *pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu);
++ struct nf_conntrack_tuple_hash *h;
++ struct hlist_nulls_node *n;
++ struct ct_pcpu *pcpu;
++
++ pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu);
+
+ spin_lock_bh(&pcpu->lock);
+ hlist_nulls_for_each_entry(h, n, &pcpu->unconfirmed, hnnode) {
++ struct nf_conn *ct;
++
+ ct = nf_ct_tuplehash_to_ctrack(h);
+- if (iter(ct, data))
+- set_bit(IPS_DYING_BIT, &ct->status);
++
++ /* we cannot call iter() on unconfirmed list, the
++ * owning cpu can reallocate ct->ext at any time.
++ */
++ set_bit(IPS_DYING_BIT, &ct->status);
+ }
+ spin_unlock_bh(&pcpu->lock);
+ cond_resched();
+ }
+- return NULL;
+-found:
+- atomic_inc(&ct->ct_general.use);
+- spin_unlock(lockp);
+- local_bh_enable();
+- return ct;
+ }
+
+ void nf_ct_iterate_cleanup(struct net *net,
+@@ -1596,6 +1611,10 @@ void nf_ct_iterate_cleanup(struct net *n
+ if (atomic_read(&net->ct.count) == 0)
+ return;
+
++ __nf_ct_unconfirmed_destroy(net);
++
++ synchronize_net();
++
+ while ((ct = get_next_corpse(net, iter, data, &bucket)) != NULL) {
+ /* Time to push up daises... */
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Liping Zhang <zlpnobody@gmail.com>
+Date: Sun, 21 May 2017 07:22:49 +0800
+Subject: netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize
+
+From: Liping Zhang <zlpnobody@gmail.com>
+
+
+[ Upstream commit fefa92679dbe0c613e62b6c27235dcfbe9640ad1 ]
+
+If nf_conntrack_htable_size was adjusted by the user during the ct
+dump operation, we may invoke nf_ct_put twice for the same ct, i.e.
+the "last" ct. This will cause the ct will be freed but still linked
+in hash buckets.
+
+It's very easy to reproduce the problem by the following commands:
+ # while : ; do
+ echo $RANDOM > /proc/sys/net/netfilter/nf_conntrack_buckets
+ done
+ # while : ; do
+ conntrack -L
+ done
+ # iperf -s 127.0.0.1 &
+ # iperf -c 127.0.0.1 -P 60 -t 36000
+
+After a while, the system will hang like this:
+ NMI watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [bash:20184]
+ NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [iperf:20382]
+ ...
+
+So at last if we find cb->args[1] is equal to "last", this means hash
+resize happened, then we can set cb->args[1] to 0 to fix the above
+issue.
+
+Fixes: d205dc40798d ("[NETFILTER]: ctnetlink: fix deadlock in table dumping")
+Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -890,8 +890,13 @@ restart:
+ }
+ out:
+ local_bh_enable();
+- if (last)
++ if (last) {
++ /* nf ct hash resize happened, now clear the leftover. */
++ if ((struct nf_conn *)cb->args[1] == last)
++ cb->args[1] = 0;
++
+ nf_ct_put(last);
++ }
+
+ while (i) {
+ i--;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 9 May 2017 17:19:42 +0100
+Subject: netxen_nic: set rcode to the return status from the call to netxen_issue_cmd
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit 0fe20fafd1791f993806d417048213ec57b81045 ]
+
+Currently rcode is being initialized to NX_RCODE_SUCCESS and later it
+is checked to see if it is not NX_RCODE_SUCCESS which is never true. It
+appears that there is an unintentional missing assignment of rcode from
+the return of the call to netxen_issue_cmd() that was dropped in
+an earlier fix, so add it in.
+
+Detected by CoverityScan, CID#401900 ("Logically dead code")
+
+Fixes: 2dcd5d95ad6b2 ("netxen_nic: fix cdrp race condition")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c
++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c
+@@ -247,7 +247,7 @@ nx_fw_cmd_set_mtu(struct netxen_adapter
+ cmd.req.arg3 = 0;
+
+ if (recv_ctx->state == NX_HOST_CTX_STATE_ACTIVE)
+- netxen_issue_cmd(adapter, &cmd);
++ rcode = netxen_issue_cmd(adapter, &cmd);
+
+ if (rcode != NX_RCODE_SUCCESS)
+ return -EIO;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Thu, 4 May 2017 13:44:04 -0400
+Subject: NFSv4.1: RECLAIM_COMPLETE must handle NFS4ERR_CONN_NOT_BOUND_TO_SESSION
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+
+[ Upstream commit 0048fdd06614a4ea088f9fcad11511956b795698 ]
+
+If the server returns NFS4ERR_CONN_NOT_BOUND_TO_SESSION because we
+are trunking, then RECLAIM_COMPLETE must handle that by calling
+nfs4_schedule_session_recovery() and then retrying.
+
+Reported-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Tested-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c | 7 ++++++-
+ fs/nfs/nfs4state.c | 10 +++++++---
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -8173,6 +8173,12 @@ static int nfs41_reclaim_complete_handle
+ /* fall through */
+ case -NFS4ERR_RETRY_UNCACHED_REP:
+ return -EAGAIN;
++ case -NFS4ERR_BADSESSION:
++ case -NFS4ERR_DEADSESSION:
++ case -NFS4ERR_CONN_NOT_BOUND_TO_SESSION:
++ nfs4_schedule_session_recovery(clp->cl_session,
++ task->tk_status);
++ break;
+ default:
+ nfs4_schedule_lease_recovery(clp);
+ }
+@@ -8251,7 +8257,6 @@ static int nfs41_proc_reclaim_complete(s
+ if (status == 0)
+ status = task->tk_status;
+ rpc_put_task(task);
+- return 0;
+ out:
+ dprintk("<-- %s status=%d\n", __func__, status);
+ return status;
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1637,13 +1637,14 @@ static void nfs4_state_start_reclaim_reb
+ nfs4_state_mark_reclaim_helper(clp, nfs4_state_mark_reclaim_reboot);
+ }
+
+-static void nfs4_reclaim_complete(struct nfs_client *clp,
++static int nfs4_reclaim_complete(struct nfs_client *clp,
+ const struct nfs4_state_recovery_ops *ops,
+ struct rpc_cred *cred)
+ {
+ /* Notify the server we're done reclaiming our state */
+ if (ops->reclaim_complete)
+- (void)ops->reclaim_complete(clp, cred);
++ return ops->reclaim_complete(clp, cred);
++ return 0;
+ }
+
+ static void nfs4_clear_reclaim_server(struct nfs_server *server)
+@@ -1690,13 +1691,16 @@ static void nfs4_state_end_reclaim_reboo
+ {
+ const struct nfs4_state_recovery_ops *ops;
+ struct rpc_cred *cred;
++ int err;
+
+ if (!nfs4_state_clear_reclaim_reboot(clp))
+ return;
+ ops = clp->cl_mvops->reboot_recovery_ops;
+ cred = nfs4_get_clid_cred(clp);
+- nfs4_reclaim_complete(clp, ops, cred);
++ err = nfs4_reclaim_complete(clp, ops, cred);
+ put_rpccred(cred);
++ if (err == -NFS4ERR_CONN_NOT_BOUND_TO_SESSION)
++ set_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state);
+ }
+
+ static void nfs4_state_start_reclaim_nograce(struct nfs_client *clp)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Tue, 9 May 2017 15:47:15 -0400
+Subject: NFSv4.1: Work around a Linux server bug...
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+
+[ Upstream commit f4b23de3dda1536590787c9e5c3d16b8738ab108 ]
+
+It turns out the Linux server has a bug in its implementation of
+supattr_exclcreat; it returns the set of all attributes, whether
+or not they are supported by minor version 1.
+In order to avoid a regression, we therefore apply the supported_attrs
+as a mask on top of whatever the server sent us.
+
+Reported-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3300,6 +3300,7 @@ static int _nfs4_server_capabilities(str
+ .rpc_resp = &res,
+ };
+ int status;
++ int i;
+
+ bitmask[0] = FATTR4_WORD0_SUPPORTED_ATTRS |
+ FATTR4_WORD0_FH_EXPIRE_TYPE |
+@@ -3365,8 +3366,13 @@ static int _nfs4_server_capabilities(str
+ server->cache_consistency_bitmask[0] &= FATTR4_WORD0_CHANGE|FATTR4_WORD0_SIZE;
+ server->cache_consistency_bitmask[1] &= FATTR4_WORD1_TIME_METADATA|FATTR4_WORD1_TIME_MODIFY;
+ server->cache_consistency_bitmask[2] = 0;
++
++ /* Avoid a regression due to buggy server */
++ for (i = 0; i < ARRAY_SIZE(res.exclcreat_bitmask); i++)
++ res.exclcreat_bitmask[i] &= res.attr_bitmask[i];
+ memcpy(server->exclcreat_bitmask, res.exclcreat_bitmask,
+ sizeof(server->exclcreat_bitmask));
++
+ server->acl_bitmask = res.acl_bitmask;
+ server->fh_expire_type = res.fh_expire_type;
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Ming Lei <ming.lei@redhat.com>
+Date: Fri, 2 Jun 2017 16:32:08 +0800
+Subject: nvme: fix hang in remove path
+
+From: Ming Lei <ming.lei@redhat.com>
+
+
+[ Upstream commit 82654b6b8ef8b93ee87a97fc562f87f081fc2f91 ]
+
+We need to start admin queues too in nvme_kill_queues()
+for avoiding hang in remove path[1].
+
+This patch is very similar with 806f026f9b901eaf(nvme: use
+blk_mq_start_hw_queues() in nvme_kill_queues()).
+
+[1] hang stack trace
+[<ffffffff813c9716>] blk_execute_rq+0x56/0x80
+[<ffffffff815cb6e9>] __nvme_submit_sync_cmd+0x89/0xf0
+[<ffffffff815ce7be>] nvme_set_features+0x5e/0x90
+[<ffffffff815ce9f6>] nvme_configure_apst+0x166/0x200
+[<ffffffff815cef45>] nvme_set_latency_tolerance+0x35/0x50
+[<ffffffff8157bd11>] apply_constraint+0xb1/0xc0
+[<ffffffff8157cbb4>] dev_pm_qos_constraints_destroy+0xf4/0x1f0
+[<ffffffff8157b44a>] dpm_sysfs_remove+0x2a/0x60
+[<ffffffff8156d951>] device_del+0x101/0x320
+[<ffffffff8156db8a>] device_unregister+0x1a/0x60
+[<ffffffff8156dc4c>] device_destroy+0x3c/0x50
+[<ffffffff815cd295>] nvme_uninit_ctrl+0x45/0xa0
+[<ffffffff815d4858>] nvme_remove+0x78/0x110
+[<ffffffff81452b69>] pci_device_remove+0x39/0xb0
+[<ffffffff81572935>] device_release_driver_internal+0x155/0x210
+[<ffffffff81572a02>] device_release_driver+0x12/0x20
+[<ffffffff815d36fb>] nvme_remove_dead_ctrl_work+0x6b/0x70
+[<ffffffff810bf3bc>] process_one_work+0x18c/0x3a0
+[<ffffffff810bf61e>] worker_thread+0x4e/0x3b0
+[<ffffffff810c5ac9>] kthread+0x109/0x140
+[<ffffffff8185800c>] ret_from_fork+0x2c/0x40
+[<ffffffffffffffff>] 0xffffffffffffffff
+
+Fixes: c5552fde102fc("nvme: Enable autonomous power state transitions")
+Reported-by: Rakesh Pandit <rakesh@tuxera.com>
+Tested-by: Rakesh Pandit <rakesh@tuxera.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2040,6 +2040,10 @@ void nvme_kill_queues(struct nvme_ctrl *
+ struct nvme_ns *ns;
+
+ mutex_lock(&ctrl->namespaces_mutex);
++
++ /* Forcibly start all queues to avoid having stuck requests */
++ blk_mq_start_hw_queues(ctrl->admin_q);
++
+ list_for_each_entry(ns, &ctrl->namespaces, list) {
+ /*
+ * Revalidating a dead namespace sets capacity to 0. This will
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Rakesh Pandit <rakesh@tuxera.com>
+Date: Mon, 5 Jun 2017 14:43:11 +0300
+Subject: nvme-pci: fix multiple ctrl removal scheduling
+
+From: Rakesh Pandit <rakesh@tuxera.com>
+
+
+[ Upstream commit 82b057caefaff2a891f821a617d939f46e03e844 ]
+
+Commit c5f6ce97c1210 tries to address multiple resets but fails as
+work_busy doesn't involve any synchronization and can fail. This is
+reproducible easily as can be seen by WARNING below which is triggered
+with line:
+
+WARN_ON(dev->ctrl.state == NVME_CTRL_RESETTING)
+
+Allowing multiple resets can result in multiple controller removal as
+well if different conditions inside nvme_reset_work fail and which
+might deadlock on device_release_driver.
+
+[ 480.327007] WARNING: CPU: 3 PID: 150 at drivers/nvme/host/pci.c:1900 nvme_reset_work+0x36c/0xec0
+[ 480.327008] Modules linked in: rfcomm fuse nf_conntrack_netbios_ns nf_conntrack_broadcast...
+[ 480.327044] btusb videobuf2_core ghash_clmulni_intel snd_hwdep cfg80211 acer_wmi hci_uart..
+[ 480.327065] CPU: 3 PID: 150 Comm: kworker/u16:2 Not tainted 4.12.0-rc1+ #13
+[ 480.327065] Hardware name: Acer Predator G9-591/Mustang_SLS, BIOS V1.10 03/03/2016
+[ 480.327066] Workqueue: nvme nvme_reset_work
+[ 480.327067] task: ffff880498ad8000 task.stack: ffffc90002218000
+[ 480.327068] RIP: 0010:nvme_reset_work+0x36c/0xec0
+[ 480.327069] RSP: 0018:ffffc9000221bdb8 EFLAGS: 00010246
+[ 480.327070] RAX: 0000000000460000 RBX: ffff880498a98128 RCX: dead000000000200
+[ 480.327070] RDX: 0000000000000001 RSI: ffff8804b1028020 RDI: ffff880498a98128
+[ 480.327071] RBP: ffffc9000221be50 R08: 0000000000000000 R09: 0000000000000000
+[ 480.327071] R10: ffffc90001963ce8 R11: 000000000000020d R12: ffff880498a98000
+[ 480.327072] R13: ffff880498a53500 R14: ffff880498a98130 R15: ffff880498a98128
+[ 480.327072] FS: 0000000000000000(0000) GS:ffff8804c1cc0000(0000) knlGS:0000000000000000
+[ 480.327073] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 480.327074] CR2: 00007ffcf3c37f78 CR3: 0000000001e09000 CR4: 00000000003406e0
+[ 480.327074] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 480.327075] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 480.327075] Call Trace:
+[ 480.327079] ? __switch_to+0x227/0x400
+[ 480.327081] process_one_work+0x18c/0x3a0
+[ 480.327082] worker_thread+0x4e/0x3b0
+[ 480.327084] kthread+0x109/0x140
+[ 480.327085] ? process_one_work+0x3a0/0x3a0
+[ 480.327087] ? kthread_park+0x60/0x60
+[ 480.327102] ret_from_fork+0x2c/0x40
+[ 480.327103] Code: e8 5a dc ff ff 85 c0 41 89 c1 0f.....
+
+This patch addresses the problem by using state of controller to
+decide whether reset should be queued or not as state change is
+synchronizated using controller spinlock. Also cancel_work_sync is
+used to make sure remove cancels the reset_work and waits for it to
+finish. This patch also changes return value from -ENODEV to more
+appropriate -EBUSY if nvme_reset fails to change state.
+
+Fixes: c5f6ce97c1210 ("nvme: don't schedule multiple resets")
+Signed-off-by: Rakesh Pandit <rakesh@tuxera.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/pci.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1263,7 +1263,7 @@ static bool nvme_should_reset(struct nvm
+ bool nssro = dev->subsystem && (csts & NVME_CSTS_NSSRO);
+
+ /* If there is a reset ongoing, we shouldn't reset again. */
+- if (work_busy(&dev->reset_work))
++ if (dev->ctrl.state == NVME_CTRL_RESETTING)
+ return false;
+
+ /* We shouldn't reset unless the controller is on fatal error state
+@@ -1755,7 +1755,7 @@ static void nvme_reset_work(struct work_
+ struct nvme_dev *dev = container_of(work, struct nvme_dev, reset_work);
+ int result = -ENODEV;
+
+- if (WARN_ON(dev->ctrl.state == NVME_CTRL_RESETTING))
++ if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING))
+ goto out;
+
+ /*
+@@ -1765,9 +1765,6 @@ static void nvme_reset_work(struct work_
+ if (dev->ctrl.ctrl_config & NVME_CC_ENABLE)
+ nvme_dev_disable(dev, false);
+
+- if (!nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_RESETTING))
+- goto out;
+-
+ result = nvme_pci_enable(dev);
+ if (result)
+ goto out;
+@@ -1841,8 +1838,8 @@ static int nvme_reset(struct nvme_dev *d
+ {
+ if (!dev->ctrl.admin_q || blk_queue_dying(dev->ctrl.admin_q))
+ return -ENODEV;
+- if (work_busy(&dev->reset_work))
+- return -ENODEV;
++ if (!nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_RESETTING))
++ return -EBUSY;
+ if (!queue_work(nvme_workq, &dev->reset_work))
+ return -EBUSY;
+ return 0;
+@@ -1944,6 +1941,7 @@ static int nvme_probe(struct pci_dev *pd
+ if (result)
+ goto release_pools;
+
++ nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_RESETTING);
+ dev_info(dev->ctrl.device, "pci function %s\n", dev_name(&pdev->dev));
+
+ queue_work(nvme_workq, &dev->reset_work);
+@@ -1987,6 +1985,7 @@ static void nvme_remove(struct pci_dev *
+
+ nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DELETING);
+
++ cancel_work_sync(&dev->reset_work);
+ pci_set_drvdata(pdev, NULL);
+
+ if (!pci_device_is_present(pdev)) {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Mon, 29 May 2017 15:15:27 +0200
+Subject: ovl: filter trusted xattr for non-admin
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+
+[ Upstream commit a082c6f680da298cf075886ff032f32ccb7c5e1a ]
+
+Filesystems filter out extended attributes in the "trusted." domain for
+unprivlieged callers.
+
+Overlay calls underlying filesystem's method with elevated privs, so need
+to do the filtering in overlayfs too.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/inode.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -227,6 +227,16 @@ int ovl_xattr_get(struct dentry *dentry,
+ return res;
+ }
+
++static bool ovl_can_list(const char *s)
++{
++ /* List all non-trusted xatts */
++ if (strncmp(s, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) != 0)
++ return true;
++
++ /* Never list trusted.overlay, list other trusted for superuser only */
++ return !ovl_is_private_xattr(s) && capable(CAP_SYS_ADMIN);
++}
++
+ ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
+ {
+ struct dentry *realdentry = ovl_dentry_real(dentry);
+@@ -250,7 +260,7 @@ ssize_t ovl_listxattr(struct dentry *den
+ return -EIO;
+
+ len -= slen;
+- if (ovl_is_private_xattr(s)) {
++ if (!ovl_can_list(s)) {
+ res -= slen;
+ memmove(s, s + slen, len);
+ } else {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Mon, 24 Apr 2017 19:54:13 +0300
+Subject: ovl: persistent inode numbers for upper hardlinks
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+
+[ Upstream commit 5b6c9053fb38a66fd5c6177fcf5022b24767811a ]
+
+An upper type non directory dentry that is a copy up target
+should have a reference to its lower copy up origin.
+
+There are three ways for an upper type dentry to be instantiated:
+1. A lower type dentry that is being copied up
+2. An entry that is found in upper dir by ovl_lookup()
+3. A negative dentry is hardlinked to an upper type dentry
+
+In the first case, the lower reference is set before copy up.
+In the second case, the lower reference is found by ovl_lookup().
+In the last case of hardlinked upper dentry, it is not easy to
+update the lower reference of the negative dentry. Instead,
+drop the newly hardlinked negative dentry from dcache and let
+the next access call ovl_lookup() to find its lower reference.
+
+This makes sure that the inode number reported by stat(2) after
+the hardlink is created is the same inode number that will be
+reported by stat(2) after mount cycle, which is the inode number
+of the lower copy up origin of the hardlink source.
+
+NOTE that this does not fix breaking of lower hardlinks on copy
+up, but only fixes the case of lower nlink == 1, whose upper copy
+up inode is hardlinked in upper dir.
+
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/dir.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -180,6 +180,9 @@ static void ovl_instantiate(struct dentr
+ inc_nlink(inode);
+ }
+ d_instantiate(dentry, inode);
++ /* Force lookup of new upper hardlink to find its lower */
++ if (hardlink)
++ d_drop(dentry);
+ }
+
+ static int ovl_create_upper(struct dentry *dentry, struct inode *inode,
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Christoph Hellwig <hch@lst.de>
+Date: Sat, 20 May 2017 18:59:54 +0200
+Subject: PCI/msi: fix the pci_alloc_irq_vectors_affinity stub
+
+From: Christoph Hellwig <hch@lst.de>
+
+
+[ Upstream commit 83b4605b0c16cde5b00c8cf192408d51eab75402 ]
+
+We need to return an error for any call that asks for MSI / MSI-X
+vectors only, so that non-trivial fallback logic can work properly.
+
+Also valid dev->irq and use the "correct" errno value based on feedback
+from Linus.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reported-by: Steven Rostedt <rostedt@goodmis.org>
+Fixes: aff17164 ("PCI: Provide sensible IRQ vector alloc/free routines")
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/pci.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -1348,9 +1348,9 @@ static inline int pci_alloc_irq_vectors(
+ unsigned int min_vecs, unsigned int max_vecs,
+ unsigned int flags)
+ {
+- if (min_vecs > 1)
+- return -EINVAL;
+- return 1;
++ if ((flags & PCI_IRQ_LEGACY) && min_vecs == 1 && dev->irq)
++ return 1;
++ return -ENOSPC;
+ }
+ static inline void pci_free_irq_vectors(struct pci_dev *dev)
+ {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Will Deacon <will.deacon@arm.com>
+Date: Tue, 9 May 2017 18:00:04 +0100
+Subject: perf/callchain: Force USER_DS when invoking perf_callchain_user()
+
+From: Will Deacon <will.deacon@arm.com>
+
+
+[ Upstream commit 88b0193d9418c00340e45e0a913a0813bc6c8c96 ]
+
+Perf can generate and record a user callchain in response to a synchronous
+request, such as a tracepoint firing. If this happens under set_fs(KERNEL_DS),
+then we can end up walking the user stack (and dereferencing/saving whatever we
+find there) without the protections usually afforded by checks such as
+access_ok.
+
+Rather than play whack-a-mole with each architecture's stack unwinding
+implementation, fix the root of the problem by ensuring that we force USER_DS
+when invoking perf_callchain_user from the perf core.
+
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/callchain.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/kernel/events/callchain.c
++++ b/kernel/events/callchain.c
+@@ -227,12 +227,18 @@ get_perf_callchain(struct pt_regs *regs,
+ }
+
+ if (regs) {
++ mm_segment_t fs;
++
+ if (crosstask)
+ goto exit_put;
+
+ if (add_mark)
+ perf_callchain_store_context(&ctx, PERF_CONTEXT_USER);
++
++ fs = get_fs();
++ set_fs(USER_DS);
+ perf_callchain_user(&ctx, regs);
++ set_fs(fs);
+ }
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Tue, 30 May 2017 11:45:12 +0200
+Subject: perf/core: Correct event creation with PERF_FORMAT_GROUP
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+
+[ Upstream commit ba5213ae6b88fb170c4771fef6553f759c7d8cdd ]
+
+Andi was asking about PERF_FORMAT_GROUP vs inherited events, which led
+to the discovery of a bug from commit:
+
+ 3dab77fb1bf8 ("perf: Rework/fix the whole read vs group stuff")
+
+ - PERF_SAMPLE_GROUP = 1U << 4,
+ + PERF_SAMPLE_READ = 1U << 4,
+
+ - if (attr->inherit && (attr->sample_type & PERF_SAMPLE_GROUP))
+ + if (attr->inherit && (attr->read_format & PERF_FORMAT_GROUP))
+
+is a clear fail :/
+
+While this changes user visible behaviour; it was previously possible
+to create an inherited event with PERF_SAMPLE_READ; this is deemed
+acceptible because its results were always incorrect.
+
+Reported-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vince@deater.net>
+Fixes: 3dab77fb1bf8 ("perf: Rework/fix the whole read vs group stuff")
+Link: http://lkml.kernel.org/r/20170530094512.dy2nljns2uq7qa3j@hirez.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/core.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -5669,9 +5669,6 @@ static void perf_output_read_one(struct
+ __output_copy(handle, values, n * sizeof(u64));
+ }
+
+-/*
+- * XXX PERF_FORMAT_GROUP vs inherited events seems difficult.
+- */
+ static void perf_output_read_group(struct perf_output_handle *handle,
+ struct perf_event *event,
+ u64 enabled, u64 running)
+@@ -5716,6 +5713,13 @@ static void perf_output_read_group(struc
+ #define PERF_FORMAT_TOTAL_TIMES (PERF_FORMAT_TOTAL_TIME_ENABLED|\
+ PERF_FORMAT_TOTAL_TIME_RUNNING)
+
++/*
++ * XXX PERF_SAMPLE_READ vs inherited events seems difficult.
++ *
++ * The problem is that its both hard and excessively expensive to iterate the
++ * child list, not to mention that its impossible to IPI the children running
++ * on another CPU, from interrupt/NMI context.
++ */
+ static void perf_output_read(struct perf_output_handle *handle,
+ struct perf_event *event)
+ {
+@@ -9259,9 +9263,10 @@ perf_event_alloc(struct perf_event_attr
+ local64_set(&hwc->period_left, hwc->sample_period);
+
+ /*
+- * we currently do not support PERF_FORMAT_GROUP on inherited events
++ * We currently do not support PERF_SAMPLE_READ on inherited events.
++ * See perf_output_read().
+ */
+- if (attr->inherit && (attr->read_format & PERF_FORMAT_GROUP))
++ if (attr->inherit && (attr->sample_type & PERF_SAMPLE_READ))
+ goto err_ns;
+
+ if (!has_branch_stack(event))
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 22 May 2017 12:04:18 +0300
+Subject: perf/core: Fix error handling in perf_event_alloc()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 36cc2b9222b5106de34085c4dd8635ac67ef5cba ]
+
+We don't set an error code here which means that perf_event_alloc()
+returns ERR_PTR(0) (in other words NULL). The callers are not expecting
+that and would Oops.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: 375637bc5249 ("perf/core: Introduce address range filtering")
+Link: http://lkml.kernel.org/r/20170522090418.hvs6icgpdo53wkn5@mwanda
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -9289,8 +9289,10 @@ perf_event_alloc(struct perf_event_attr
+ event->addr_filters_offs = kcalloc(pmu->nr_addr_filters,
+ sizeof(unsigned long),
+ GFP_KERNEL);
+- if (!event->addr_filters_offs)
++ if (!event->addr_filters_offs) {
++ err = -ENOMEM;
+ goto err_per_task;
++ }
+
+ /* force hw sync on the address filters */
+ event->addr_filters_gen = 1;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Namhyung Kim <namhyung@kernel.org>
+Date: Wed, 31 May 2017 21:01:03 +0900
+Subject: perf header: Set proper module name when build-id event found
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+
+[ Upstream commit 1deec1bd96ccd8beb04d2112a6d12fe20505c3a6 ]
+
+When perf processes build-id event, it creates DSOs with the build-id.
+But it didn't set the module short name (like '[module-name]') so when
+processing a kernel mmap event of the module, it cannot found the DSO as
+it only checks the short names.
+
+That leads for perf to create a same DSO without the build-id info and
+it'll lookup the system path even if the DSO is already in the build-id
+cache. After kernel was updated, perf cannot find the DSO and cannot
+show symbols in it anymore.
+
+You can see this if you have an old data file (w/ old kernel version):
+
+ $ perf report -i perf.data.old -v |& grep scsi_mod
+ build id event received for /lib/modules/3.19.2-1-ARCH/kernel/drivers/scsi/scsi_mod.ko.gz : cafe1ce6ca13a98a5d9ed3425cde249e57a27fc1
+ Failed to open /lib/modules/3.19.2-1-ARCH/kernel/drivers/scsi/scsi_mod.ko.gz, continuing without symbols
+ ...
+
+The second message didn't show the build-id. With this patch:
+
+ $ perf report -i perf.data.old -v |& grep scsi_mod
+ build id event received for /lib/modules/3.19.2-1-ARCH/kernel/drivers/scsi/scsi_mod.ko.gz: cafe1ce6ca13a98a5d9ed3425cde249e57a27fc1
+ /lib/modules/3.19.2-1-ARCH/kernel/drivers/scsi/scsi_mod.ko.gz with build id cafe1ce6ca13a98a5d9ed3425cde249e57a27fc1 not found, continuing without symbols
+ ...
+
+Now it shows the build-id but still cannot load the symbol table. This
+is a different problem which will be fixed in the next patch.
+
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Andi Kleen <andi@firstfloor.org>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: kernel-team@lge.com
+Link: http://lkml.kernel.org/r/20170531120105.21731-1-namhyung@kernel.org
+[ Fix the build on older compilers (debian <= 8, fedora <= 21, etc) wrt kmod_path var init ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/header.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/util/header.c
++++ b/tools/perf/util/header.c
+@@ -1454,8 +1454,16 @@ static int __event_process_build_id(stru
+
+ dso__set_build_id(dso, &bev->build_id);
+
+- if (!is_kernel_module(filename, cpumode))
+- dso->kernel = dso_type;
++ if (dso_type != DSO_TYPE_USER) {
++ struct kmod_path m = { .name = NULL, };
++
++ if (!kmod_path__parse_name(&m, filename) && m.kmod)
++ dso__set_short_name(dso, strdup(m.name), true);
++ else
++ dso->kernel = dso_type;
++
++ free(m.name);
++ }
+
+ build_id__sprintf(dso->build_id, sizeof(dso->build_id),
+ sbuild_id);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Sat, 9 Dec 2017 01:26:46 +0900
+Subject: perf probe: Add warning message if there is unexpected event name
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+
+[ Upstream commit 9f5c6d8777a2d962b0eeacb2a16f37da6bea545b ]
+
+This improve the error message so that user can know event-name error
+before writing new events to kprobe-events interface.
+
+E.g.
+ ======
+ #./perf probe -x /lib64/libc-2.25.so malloc_get_state*
+ Internal error: "malloc_get_state@GLIBC_2" is an invalid event name.
+ Error: Failed to add events.
+ ======
+
+Reported-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Acked-by: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Reviewed-by: Thomas Richter <tmricht@linux.vnet.ibm.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Paul Clarke <pc@us.ibm.com>
+Cc: bhargavb <bhargavaramudu@gmail.com>
+Cc: linux-rt-users@vger.kernel.org
+Link: http://lkml.kernel.org/r/151275040665.24652.5188568529237584489.stgit@devbox
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/probe-event.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/tools/perf/util/probe-event.c
++++ b/tools/perf/util/probe-event.c
+@@ -2609,6 +2609,14 @@ static int get_new_event_name(char *buf,
+
+ out:
+ free(nbase);
++
++ /* Final validation */
++ if (ret >= 0 && !is_c_func_name(buf)) {
++ pr_warning("Internal error: \"%s\" is an invalid event name.\n",
++ buf);
++ ret = -EINVAL;
++ }
++
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Milian Wolff <milian.wolff@kdab.com>
+Date: Fri, 2 Jun 2017 16:37:52 +0200
+Subject: perf report: Ensure the perf DSO mapping matches what libdw sees
+
+From: Milian Wolff <milian.wolff@kdab.com>
+
+
+[ Upstream commit 2538b9e2450ae255337c04356e9e0f8cb9ec48d9 ]
+
+In some situations the libdw unwinder stopped working properly. I.e.
+with libunwind we see:
+
+~~~~~
+heaptrack_gui 2228 135073.400112: 641314 cycles:
+ e8ed _dl_fixup (/usr/lib/ld-2.25.so)
+ 15f06 _dl_runtime_resolve_sse_vex (/usr/lib/ld-2.25.so)
+ ed94c KDynamicJobTracker::KDynamicJobTracker (/home/milian/projects/compiled/kf5/lib64/libKF5KIOWidgets.so.5.35.0)
+ 608f3 _GLOBAL__sub_I_kdynamicjobtracker.cpp (/home/milian/projects/compiled/kf5/lib64/libKF5KIOWidgets.so.5.35.0)
+ f199 call_init.part.0 (/usr/lib/ld-2.25.so)
+ f2a5 _dl_init (/usr/lib/ld-2.25.so)
+ db9 _dl_start_user (/usr/lib/ld-2.25.so)
+~~~~~
+
+But with libdw and without this patch this sample is not properly
+unwound:
+
+~~~~~
+heaptrack_gui 2228 135073.400112: 641314 cycles:
+ e8ed _dl_fixup (/usr/lib/ld-2.25.so)
+ 15f06 _dl_runtime_resolve_sse_vex (/usr/lib/ld-2.25.so)
+ ed94c KDynamicJobTracker::KDynamicJobTracker (/home/milian/projects/compiled/kf5/lib64/libKF5KIOWidgets.so.5.35.0)
+~~~~~
+
+Debug output showed me that libdw found a module for the last frame
+address, but it thinks it belongs to /usr/lib/ld-2.25.so. This patch
+double-checks what libdw sees and what perf knows. If the mappings
+mismatch, we now report the elf known to perf. This fixes the situation
+above, and the libdw unwinder produces the same stack as libunwind.
+
+Signed-off-by: Milian Wolff <milian.wolff@kdab.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lkml.kernel.org/r/20170602143753.16907-1-milian.wolff@kdab.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/unwind-libdw.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/tools/perf/util/unwind-libdw.c
++++ b/tools/perf/util/unwind-libdw.c
+@@ -38,6 +38,14 @@ static int __report_module(struct addr_l
+ return 0;
+
+ mod = dwfl_addrmodule(ui->dwfl, ip);
++ if (mod) {
++ Dwarf_Addr s;
++
++ dwfl_module_info(mod, NULL, &s, NULL, NULL, NULL, NULL, NULL);
++ if (s != al->map->start)
++ mod = 0;
++ }
++
+ if (!mod)
+ mod = dwfl_report_elf(ui->dwfl, dso->short_name,
+ dso->long_name, -1, al->map->start,
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Milian Wolff <milian.wolff@kdab.com>
+Date: Wed, 24 May 2017 15:21:25 +0900
+Subject: perf report: Fix off-by-one for non-activation frames
+
+From: Milian Wolff <milian.wolff@kdab.com>
+
+
+[ Upstream commit 1982ad48fc82c284a5cc55697a012d3357e84d01 ]
+
+As the documentation for dwfl_frame_pc says, frames that
+are no activation frames need to have their program counter
+decremented by one to properly find the function of the caller.
+
+This fixes many cases where perf report currently attributes
+the cost to the next line. I.e. I have code like this:
+
+~~~~~~~~~~~~~~~
+ #include <thread>
+ #include <chrono>
+
+ using namespace std;
+
+ int main()
+ {
+ this_thread::sleep_for(chrono::milliseconds(1000));
+ this_thread::sleep_for(chrono::milliseconds(100));
+ this_thread::sleep_for(chrono::milliseconds(10));
+
+ return 0;
+ }
+~~~~~~~~~~~~~~~
+
+Now compile and record it:
+
+~~~~~~~~~~~~~~~
+ g++ -std=c++11 -g -O2 test.cpp
+ echo 1 | sudo tee /proc/sys/kernel/sched_schedstats
+ perf record \
+ --event sched:sched_stat_sleep \
+ --event sched:sched_process_exit \
+ --event sched:sched_switch --call-graph=dwarf \
+ --output perf.data.raw \
+ ./a.out
+ echo 0 | sudo tee /proc/sys/kernel/sched_schedstats
+ perf inject --sched-stat --input perf.data.raw --output perf.data
+~~~~~~~~~~~~~~~
+
+Before this patch, the report clearly shows the off-by-one issue.
+Most notably, the last sleep invocation is incorrectly attributed
+to the "return 0;" line:
+
+~~~~~~~~~~~~~~~
+ Overhead Source:Line
+ ........ ...........
+
+ 100.00% core.c:0
+ |
+ ---__schedule core.c:0
+ schedule
+ do_nanosleep hrtimer.c:0
+ hrtimer_nanosleep
+ sys_nanosleep
+ entry_SYSCALL_64_fastpath .tmp_entry_64.o:0
+ __nanosleep_nocancel .:0
+ std::this_thread::sleep_for<long, std::ratio<1l, 1000l> > thread:323
+ |
+ |--90.08%--main test.cpp:9
+ | __libc_start_main
+ | _start
+ |
+ |--9.01%--main test.cpp:10
+ | __libc_start_main
+ | _start
+ |
+ --0.91%--main test.cpp:13
+ __libc_start_main
+ _start
+~~~~~~~~~~~~~~~
+
+With this patch here applied, the issue is fixed. The report becomes
+much more usable:
+
+~~~~~~~~~~~~~~~
+ Overhead Source:Line
+ ........ ...........
+
+ 100.00% core.c:0
+ |
+ ---__schedule core.c:0
+ schedule
+ do_nanosleep hrtimer.c:0
+ hrtimer_nanosleep
+ sys_nanosleep
+ entry_SYSCALL_64_fastpath .tmp_entry_64.o:0
+ __nanosleep_nocancel .:0
+ std::this_thread::sleep_for<long, std::ratio<1l, 1000l> > thread:323
+ |
+ |--90.08%--main test.cpp:8
+ | __libc_start_main
+ | _start
+ |
+ |--9.01%--main test.cpp:9
+ | __libc_start_main
+ | _start
+ |
+ --0.91%--main test.cpp:10
+ __libc_start_main
+ _start
+~~~~~~~~~~~~~~~
+
+Similarly it works for signal frames:
+
+~~~~~~~~~~~~~~~
+ __noinline void bar(void)
+ {
+ volatile long cnt = 0;
+
+ for (cnt = 0; cnt < 100000000; cnt++);
+ }
+
+ __noinline void foo(void)
+ {
+ bar();
+ }
+
+ void sig_handler(int sig)
+ {
+ foo();
+ }
+
+ int main(void)
+ {
+ signal(SIGUSR1, sig_handler);
+ raise(SIGUSR1);
+
+ foo();
+ return 0;
+ }
+~~~~~~~~~~~~~~~~
+
+Before, the report wrongly points to `signal.c:29` after raise():
+
+~~~~~~~~~~~~~~~~
+ $ perf report --stdio --no-children -g srcline -s srcline
+ ...
+ 100.00% signal.c:11
+ |
+ ---bar signal.c:11
+ |
+ |--50.49%--main signal.c:29
+ | __libc_start_main
+ | _start
+ |
+ --49.51%--0x33a8f
+ raise .:0
+ main signal.c:29
+ __libc_start_main
+ _start
+~~~~~~~~~~~~~~~~
+
+With this patch in, the issue is fixed and we instead get:
+
+~~~~~~~~~~~~~~~~
+ 100.00% signal signal [.] bar
+ |
+ ---bar signal.c:11
+ |
+ |--50.49%--main signal.c:29
+ | __libc_start_main
+ | _start
+ |
+ --49.51%--0x33a8f
+ raise .:0
+ main signal.c:27
+ __libc_start_main
+ _start
+~~~~~~~~~~~~~~~~
+
+Note how this patch fixes this issue for both unwinding methods, i.e.
+both dwfl and libunwind. The former case is straight-forward thanks
+to dwfl_frame_pc(). For libunwind, we replace the functionality via
+unw_is_signal_frame() for any but the very first frame.
+
+Signed-off-by: Milian Wolff <milian.wolff@kdab.com>
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Yao Jin <yao.jin@linux.intel.com>
+Cc: kernel-team@lge.com
+Link: http://lkml.kernel.org/r/20170524062129.32529-4-namhyung@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/unwind-libdw.c | 6 +++++-
+ tools/perf/util/unwind-libunwind-local.c | 11 +++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/unwind-libdw.c
++++ b/tools/perf/util/unwind-libdw.c
+@@ -167,12 +167,16 @@ frame_callback(Dwfl_Frame *state, void *
+ {
+ struct unwind_info *ui = arg;
+ Dwarf_Addr pc;
++ bool isactivation;
+
+- if (!dwfl_frame_pc(state, &pc, NULL)) {
++ if (!dwfl_frame_pc(state, &pc, &isactivation)) {
+ pr_err("%s", dwfl_errmsg(-1));
+ return DWARF_CB_ABORT;
+ }
+
++ if (!isactivation)
++ --pc;
++
+ return entry(pc, ui) || !(--ui->max_stack) ?
+ DWARF_CB_ABORT : DWARF_CB_OK;
+ }
+--- a/tools/perf/util/unwind-libunwind-local.c
++++ b/tools/perf/util/unwind-libunwind-local.c
+@@ -646,6 +646,17 @@ static int get_entries(struct unwind_inf
+
+ while (!ret && (unw_step(&c) > 0) && i < max_stack) {
+ unw_get_reg(&c, UNW_REG_IP, &ips[i]);
++
++ /*
++ * Decrement the IP for any non-activation frames.
++ * this is required to properly find the srcline
++ * for caller frames.
++ * See also the documentation for dwfl_frame_pc(),
++ * which this code tries to replicate.
++ */
++ if (unw_is_signal_frame(&c) <= 0)
++ --ips[i];
++
+ ++i;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Namhyung Kim <namhyung@kernel.org>
+Date: Thu, 8 Jun 2017 16:31:07 +0900
+Subject: perf tests: Decompress kernel module before objdump
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+
+[ Upstream commit 94df1040b1e6aacd8dec0ba3c61d7e77cd695f26 ]
+
+If a kernel modules is compressed, it should be decompressed before
+running objdump to parse binary data correctly. This fixes a failure of
+object code reading test for me.
+
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Wang Nan <wangnan0@huawei.com>
+Cc: kernel-team@lge.com
+Link: http://lkml.kernel.org/r/20170608073109.30699-8-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/tests/code-reading.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/tests/code-reading.c
++++ b/tools/perf/tests/code-reading.c
+@@ -224,6 +224,8 @@ static int read_object_code(u64 addr, si
+ unsigned char buf2[BUFSZ];
+ size_t ret_len;
+ u64 objdump_addr;
++ const char *objdump_name;
++ char decomp_name[KMOD_DECOMP_LEN];
+ int ret;
+
+ pr_debug("Reading object code for memory address: %#"PRIx64"\n", addr);
+@@ -284,9 +286,25 @@ static int read_object_code(u64 addr, si
+ state->done[state->done_cnt++] = al.map->start;
+ }
+
++ objdump_name = al.map->dso->long_name;
++ if (dso__needs_decompress(al.map->dso)) {
++ if (dso__decompress_kmodule_path(al.map->dso, objdump_name,
++ decomp_name,
++ sizeof(decomp_name)) < 0) {
++ pr_debug("decompression failed\n");
++ return -1;
++ }
++
++ objdump_name = decomp_name;
++ }
++
+ /* Read the object code using objdump */
+ objdump_addr = map__rip_2objdump(al.map, al.addr);
+- ret = read_via_objdump(al.map->dso->long_name, objdump_addr, buf2, len);
++ ret = read_via_objdump(objdump_name, objdump_addr, buf2, len);
++
++ if (dso__needs_decompress(al.map->dso))
++ unlink(objdump_name);
++
+ if (ret > 0) {
+ /*
+ * The kernel maps are inaccurate - assume objdump is right in
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Namhyung Kim <namhyung@kernel.org>
+Date: Thu, 8 Jun 2017 16:31:05 +0900
+Subject: perf tools: Decompress kernel module when reading DSO data
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+
+[ Upstream commit 1d6b3c9ba756a5134fd7ad1959acac776d17404b ]
+
+Currently perf decompresses kernel modules when loading the symbol table
+but it missed to do it when reading raw data.
+
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Wang Nan <wangnan0@huawei.com>
+Cc: kernel-team@lge.com
+Link: http://lkml.kernel.org/r/20170608073109.30699-6-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/dso.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/tools/perf/util/dso.c
++++ b/tools/perf/util/dso.c
+@@ -366,7 +366,23 @@ static int __open_dso(struct dso *dso, s
+ if (!is_regular_file(name))
+ return -EINVAL;
+
++ if (dso__needs_decompress(dso)) {
++ char newpath[KMOD_DECOMP_LEN];
++ size_t len = sizeof(newpath);
++
++ if (dso__decompress_kmodule_path(dso, name, newpath, len) < 0) {
++ free(name);
++ return -dso->load_errno;
++ }
++
++ strcpy(name, newpath);
++ }
++
+ fd = do_open(name);
++
++ if (dso__needs_decompress(dso))
++ unlink(name);
++
+ free(name);
+ return fd;
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Tue, 9 Jan 2018 14:39:23 +0100
+Subject: perf tools: Fix copyfile_offset update of output offset
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+
+[ Upstream commit fa1195ccc0af2d121abe0fe266a1caee8c265eea ]
+
+We need to increase output offset in each iteration, not decrease it as
+we currently do.
+
+I guess we were lucky to finish in most cases in first iteration, so the
+bug never showed. However it shows a lot when working with big (~4GB)
+size data.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Fixes: 9c9f5a2f1944 ("perf tools: Introduce copyfile_offset() function")
+Link: http://lkml.kernel.org/r/20180109133923.25406-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/util.c
++++ b/tools/perf/util/util.c
+@@ -207,7 +207,7 @@ int copyfile_offset(int ifd, loff_t off_
+
+ size -= ret;
+ off_in += ret;
+- off_out -= ret;
++ off_out += ret;
+ }
+ munmap(ptr, off_in + size);
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Wed, 31 May 2017 13:35:57 +0200
+Subject: perf trace: Add mmap alias for s390
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+
+[ Upstream commit 54265664c15a68905d8d67d19205e9a767636434 ]
+
+The s390 architecture maps sys_mmap (nr 90) into sys_old_mmap. For this
+reason perf trace can't find the proper syscall event to get args format
+from and displays it wrongly as 'continued'.
+
+To fix that fill the "alias" field with "old_mmap" for trace's mmap record
+to get the correct translation.
+
+Before:
+ 0.042 ( 0.011 ms): vest/43052 fstat(statbuf: 0x3ffff89fd90 ) = 0
+ 0.042 ( 0.028 ms): vest/43052 ... [continued]: mmap()) = 0x3fffd6e2000
+ 0.072 ( 0.025 ms): vest/43052 read(buf: 0x3fffd6e2000, count: 4096 ) = 6
+
+After:
+ 0.045 ( 0.011 ms): fstat(statbuf: 0x3ffff8a0930 ) = 0
+ 0.057 ( 0.018 ms): mmap(arg: 0x3ffff8a0858 ) = 0x3fffd14a000
+ 0.076 ( 0.025 ms): read(buf: 0x3fffd14a000, count: 4096 ) = 6
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Link: http://lkml.kernel.org/r/20170531113557.19175-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/builtin-trace.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -679,6 +679,10 @@ static struct syscall_fmt {
+ { .name = "mlockall", .errmsg = true,
+ .arg_scnprintf = { [0] = SCA_HEX, /* addr */ }, },
+ { .name = "mmap", .hexret = true,
++/* The standard mmap maps to old_mmap on s390x */
++#if defined(__s390x__)
++ .alias = "old_mmap",
++#endif
+ .arg_scnprintf = { [0] = SCA_HEX, /* addr */
+ [2] = SCA_MMAP_PROT, /* prot */
+ [3] = SCA_MMAP_FLAGS, /* flags */ }, },
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Mon, 8 May 2017 15:56:34 -0700
+Subject: pidns: disable pid allocation if pid_ns_prepare_proc() is failed in alloc_pid()
+
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+
+
+[ Upstream commit 8896c23d2ef803f1883fea73117a435925c2b4c4 ]
+
+alloc_pidmap() advances pid_namespace::last_pid. When first pid
+allocation fails, then next created process will have pid 2 and
+pid_ns_prepare_proc() won't be called. So, pid_namespace::proc_mnt will
+never be initialized (not to mention that there won't be a child
+reaper).
+
+I saw crash stack of such case on kernel 3.10:
+
+ BUG: unable to handle kernel NULL pointer dereference at (null)
+ IP: proc_flush_task+0x8f/0x1b0
+ Call Trace:
+ release_task+0x3f/0x490
+ wait_consider_task.part.10+0x7ff/0xb00
+ do_wait+0x11f/0x280
+ SyS_wait4+0x7d/0x110
+
+We may fix this by restore of last_pid in 0 or by prohibiting of futher
+allocations. Since there was a similar issue in Oleg Nesterov's commit
+314a8ad0f18a ("pidns: fix free_pid() to handle the first fork failure").
+and it was fixed via prohibiting allocation, let's follow this way, and
+do the same.
+
+Link: http://lkml.kernel.org/r/149201021004.4863.6762095011554287922.stgit@localhost.localdomain
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
+Cc: Andrei Vagin <avagin@virtuozzo.com>
+Cc: Andreas Gruenbacher <agruenba@redhat.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Paul Moore <paul@paul-moore.com>
+Cc: Eric Biederman <ebiederm@xmission.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/pid.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/pid.c
++++ b/kernel/pid.c
+@@ -322,8 +322,10 @@ struct pid *alloc_pid(struct pid_namespa
+ }
+
+ if (unlikely(is_child_reaper(pid))) {
+- if (pid_ns_prepare_proc(ns))
++ if (pid_ns_prepare_proc(ns)) {
++ disable_pid_allocation(ns);
+ goto out_free;
++ }
+ }
+
+ get_pid_ns(ns);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 1 Jan 2018 13:23:57 +0100
+Subject: pinctrl: baytrail: Enable glitch filter for GPIOs used as interrupts
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit 9291c65b01d1c67ebd56644cb19317ad665c44b3 ]
+
+On some systems, some PCB traces attached to GpioInts are routed in such
+a way that they pick up enough interference to constantly (many times per
+second) trigger.
+
+Enabling glitch-filtering fixes this.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/intel/pinctrl-baytrail.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/pinctrl/intel/pinctrl-baytrail.c
++++ b/drivers/pinctrl/intel/pinctrl-baytrail.c
+@@ -46,6 +46,9 @@
+ #define BYT_TRIG_POS BIT(25)
+ #define BYT_TRIG_LVL BIT(24)
+ #define BYT_DEBOUNCE_EN BIT(20)
++#define BYT_GLITCH_FILTER_EN BIT(19)
++#define BYT_GLITCH_F_SLOW_CLK BIT(17)
++#define BYT_GLITCH_F_FAST_CLK BIT(16)
+ #define BYT_PULL_STR_SHIFT 9
+ #define BYT_PULL_STR_MASK (3 << BYT_PULL_STR_SHIFT)
+ #define BYT_PULL_STR_2K (0 << BYT_PULL_STR_SHIFT)
+@@ -1579,6 +1582,9 @@ static int byt_irq_type(struct irq_data
+ */
+ value &= ~(BYT_DIRECT_IRQ_EN | BYT_TRIG_POS | BYT_TRIG_NEG |
+ BYT_TRIG_LVL);
++ /* Enable glitch filtering */
++ value |= BYT_GLITCH_FILTER_EN | BYT_GLITCH_F_SLOW_CLK |
++ BYT_GLITCH_F_FAST_CLK;
+
+ writel(value, reg);
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Wed, 7 Jun 2017 07:44:20 +0200
+Subject: pinctrl: meson-gxbb: remove non-existing pin GPIOX_22
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+
+[ Upstream commit 4c8127cb523982e0a474ad80b14b665dc2f37b3b ]
+
+After commit 34e61801a3b9 "pinctrl: meson-gxbb: Add missing GPIODV_18
+pin entry" I started to get the following warning:
+
+"meson-pinctrl c8834000.periphs:pinctrl@4b0: names 119 do not match
+number of GPIOs 120"
+
+It turned out that not the mentioned commit has a problem, it just
+revealed another problem which had existed before.
+
+There is no PIN GPIOX_22 on Meson GXBB.
+
+Fixes: 468c234f9ed7 ("pinctrl: amlogic: Add support for Amlogic Meson GXBB SoC")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/meson/pinctrl-meson-gxbb.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/pinctrl/meson/pinctrl-meson-gxbb.c
++++ b/drivers/pinctrl/meson/pinctrl-meson-gxbb.c
+@@ -138,7 +138,6 @@ static const struct pinctrl_pin_desc mes
+ MESON_PIN(GPIOX_19, EE_OFF),
+ MESON_PIN(GPIOX_20, EE_OFF),
+ MESON_PIN(GPIOX_21, EE_OFF),
+- MESON_PIN(GPIOX_22, EE_OFF),
+
+ MESON_PIN(GPIOCLK_0, EE_OFF),
+ MESON_PIN(GPIOCLK_1, EE_OFF),
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+Date: Wed, 6 Dec 2017 14:20:15 -0600
+Subject: PM / devfreq: Fix potential NULL pointer dereference in governor_store
+
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+
+
+[ Upstream commit 63f1e05f7fe9ca509c60154d6a833abf96eecdc9 ]
+
+df->governor is being dereferenced before it is null checked,
+hence there is a potential null pointer dereference.
+
+Notice that df->governor is being null checked at line 1004:
+if (df->governor) {, which implies it might be null.
+
+Fix this by null checking df->governor before dereferencing it.
+
+Addresses-Coverity-ID: 1401988 ("Dereference before null check")
+Fixes: bcf23c79c4e4 ("PM / devfreq: Fix available_governor sysfs")
+Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: MyungJoo Ham <myungjoo.ham@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/devfreq/devfreq.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -943,7 +943,8 @@ static ssize_t governor_store(struct dev
+ if (df->governor == governor) {
+ ret = 0;
+ goto out;
+- } else if (df->governor->immutable || governor->immutable) {
++ } else if ((df->governor && df->governor->immutable) ||
++ governor->immutable) {
+ ret = -EINVAL;
+ goto out;
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 20 May 2017 00:31:12 +0300
+Subject: pNFS/flexfiles: missing error code in ff_layout_alloc_lseg()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 662f9a105b4322b8559d448f86110e6ec24b8738 ]
+
+If xdr_inline_decode() fails then we end up returning ERR_PTR(0). The
+caller treats NULL returns as -ENOMEM so it doesn't really hurt runtime,
+but obviously we intended to set an error code here.
+
+Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -475,6 +475,7 @@ ff_layout_alloc_lseg(struct pnfs_layout_
+ goto out_err_free;
+
+ /* fh */
++ rc = -EIO;
+ p = xdr_inline_decode(&stream, 4);
+ if (!p)
+ goto out_err_free;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 10 May 2017 22:40:06 +0300
+Subject: PowerCap: Fix an error code in powercap_register_zone()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 216c4e9db4c9d1d2a382b42880442dc632cd47d9 ]
+
+In the current code we accidentally return the successful result from
+idr_alloc() instead of a negative error pointer. The caller is looking
+for an error pointer and so it treats the returned value as a valid
+pointer.
+
+This one might be a bit serious because if it lets people get around the
+kernel's protection for remapping NULL. I'm not sure.
+
+Fixes: 75d2364ea0ca (PowerCap: Add class driver)
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/powercap/powercap_sys.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/powercap/powercap_sys.c
++++ b/drivers/powercap/powercap_sys.c
+@@ -538,6 +538,7 @@ struct powercap_zone *powercap_register_
+
+ power_zone->id = result;
+ idr_init(&power_zone->idr);
++ result = -ENOMEM;
+ power_zone->name = kstrdup(name, GFP_KERNEL);
+ if (!power_zone->name)
+ goto err_name_alloc;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Fri, 10 Mar 2017 11:37:01 +0100
+Subject: powerpc/8xx: fix mpc8xx_get_irq() return on no irq
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+
+[ Upstream commit 3c29b6038828c1f4c9ecbfec14d4fc5e25f1c947 ]
+
+IRQ 0 is a valid HW interrupt. So get_irq() shall return 0 when
+there is no irq, instead of returning irq_linear_revmap(... ,0)
+
+Fixes: f2a0bd3753dad ("[POWERPC] 8xx: powerpc port of core CPM PIC")
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/sysdev/mpc8xx_pic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/sysdev/mpc8xx_pic.c
++++ b/arch/powerpc/sysdev/mpc8xx_pic.c
+@@ -79,7 +79,7 @@ unsigned int mpc8xx_get_irq(void)
+ irq = in_be32(&siu_reg->sc_sivec) >> 26;
+
+ if (irq == PIC_VEC_SPURRIOUS)
+- irq = 0;
++ return 0;
+
+ return irq_linear_revmap(mpc8xx_pic_host, irq);
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Ivan Mikhaylov <ivan@de.ibm.com>
+Date: Fri, 19 May 2017 18:47:05 +0300
+Subject: powerpc/[booke|4xx]: Don't clobber TCR[WP] when setting TCR[DIE]
+
+From: Ivan Mikhaylov <ivan@de.ibm.com>
+
+
+[ Upstream commit 6e2f03e292ef46eed2b31b0a344a91d514f9cd81 ]
+
+Prevent a kernel panic caused by unintentionally clearing TCR watchdog
+bits. At this point in the kernel boot, the watchdog may have already
+been enabled by u-boot. The original code's attempt to write to the TCR
+register results in an inadvertent clearing of the watchdog
+configuration bits, causing the 476 to reset.
+
+Signed-off-by: Ivan Mikhaylov <ivan@de.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/time.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/kernel/time.c
++++ b/arch/powerpc/kernel/time.c
+@@ -719,12 +719,20 @@ static int __init get_freq(char *name, i
+ static void start_cpu_decrementer(void)
+ {
+ #if defined(CONFIG_BOOKE) || defined(CONFIG_40x)
++ unsigned int tcr;
++
+ /* Clear any pending timer interrupts */
+ mtspr(SPRN_TSR, TSR_ENW | TSR_WIS | TSR_DIS | TSR_FIS);
+
+- /* Enable decrementer interrupt */
+- mtspr(SPRN_TCR, TCR_DIE);
+-#endif /* defined(CONFIG_BOOKE) || defined(CONFIG_40x) */
++ tcr = mfspr(SPRN_TCR);
++ /*
++ * The watchdog may have already been enabled by u-boot. So leave
++ * TRC[WP] (Watchdog Period) alone.
++ */
++ tcr &= TCR_WP_MASK; /* Clear all bits except for TCR[WP] */
++ tcr |= TCR_DIE; /* Enable decrementer */
++ mtspr(SPRN_TCR, tcr);
++#endif
+ }
+
+ void __init generic_calibrate_decr(void)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Thu, 18 May 2017 20:37:31 +1000
+Subject: powerpc/mm: Fix virt_addr_valid() etc. on 64-bit hash
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+
+[ Upstream commit e41e53cd4fe331d0d1f06f8e4ed7e2cc63ee2c34 ]
+
+virt_addr_valid() is supposed to tell you if it's OK to call virt_to_page() on
+an address. What this means in practice is that it should only return true for
+addresses in the linear mapping which are backed by a valid PFN.
+
+We are failing to properly check that the address is in the linear mapping,
+because virt_to_pfn() will return a valid looking PFN for more or less any
+address. That bug is actually caused by __pa(), used in virt_to_pfn().
+
+eg: __pa(0xc000000000010000) = 0x10000 # Good
+ __pa(0xd000000000010000) = 0x10000 # Bad!
+ __pa(0x0000000000010000) = 0x10000 # Bad!
+
+This started happening after commit bdbc29c19b26 ("powerpc: Work around gcc
+miscompilation of __pa() on 64-bit") (Aug 2013), where we changed the definition
+of __pa() to work around a GCC bug. Prior to that we subtracted PAGE_OFFSET from
+the value passed to __pa(), meaning __pa() of a 0xd or 0x0 address would give
+you something bogus back.
+
+Until we can verify if that GCC bug is no longer an issue, or come up with
+another solution, this commit does the minimal fix to make virt_addr_valid()
+work, by explicitly checking that the address is in the linear mapping region.
+
+Fixes: bdbc29c19b26 ("powerpc: Work around gcc miscompilation of __pa() on 64-bit")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Paul Mackerras <paulus@ozlabs.org>
+Reviewed-by: Balbir Singh <bsingharora@gmail.com>
+Tested-by: Breno Leitao <breno.leitao@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/page.h | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/powerpc/include/asm/page.h
++++ b/arch/powerpc/include/asm/page.h
+@@ -132,7 +132,19 @@ extern long long virt_phys_offset;
+ #define virt_to_pfn(kaddr) (__pa(kaddr) >> PAGE_SHIFT)
+ #define virt_to_page(kaddr) pfn_to_page(virt_to_pfn(kaddr))
+ #define pfn_to_kaddr(pfn) __va((pfn) << PAGE_SHIFT)
++
++#ifdef CONFIG_PPC_BOOK3S_64
++/*
++ * On hash the vmalloc and other regions alias to the kernel region when passed
++ * through __pa(), which virt_to_pfn() uses. That means virt_addr_valid() can
++ * return true for some vmalloc addresses, which is incorrect. So explicitly
++ * check that the address is in the kernel region.
++ */
++#define virt_addr_valid(kaddr) (REGION_ID(kaddr) == KERNEL_REGION_ID && \
++ pfn_valid(virt_to_pfn(kaddr)))
++#else
+ #define virt_addr_valid(kaddr) pfn_valid(virt_to_pfn(kaddr))
++#endif
+
+ /*
+ * On Book-E parts we need __va to parse the device tree and we can't
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Wed, 10 May 2017 16:57:49 +1000
+Subject: powerpc/modules: If mprofile-kernel is enabled add it to vermagic
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+
+[ Upstream commit 43e24e82f35291d4c1ca78877ce1b20d3aeb78f1 ]
+
+On powerpc we can build the kernel with two different ABIs for mcount(), which
+is used by ftrace. Kernels built with one ABI do not know how to load modules
+built with the other ABI. The new style ABI is called "mprofile-kernel", for
+want of a better name.
+
+Currently if we build a module using the old style ABI, and the kernel with
+mprofile-kernel, when we load the module we'll oops something like:
+
+ # insmod autofs4-no-mprofile-kernel.ko
+ ftrace-powerpc: Unexpected instruction f8810028 around bl _mcount
+ ------------[ cut here ]------------
+ WARNING: CPU: 6 PID: 3759 at ../kernel/trace/ftrace.c:2024 ftrace_bug+0x2b8/0x3c0
+ CPU: 6 PID: 3759 Comm: insmod Not tainted 4.11.0-rc3-gcc-5.4.1-00017-g5a61ef74f269 #11
+ ...
+ NIP [c0000000001eaa48] ftrace_bug+0x2b8/0x3c0
+ LR [c0000000001eaff8] ftrace_process_locs+0x4a8/0x590
+ Call Trace:
+ alloc_pages_current+0xc4/0x1d0 (unreliable)
+ ftrace_process_locs+0x4a8/0x590
+ load_module+0x1c8c/0x28f0
+ SyS_finit_module+0x110/0x140
+ system_call+0x38/0xfc
+ ...
+ ftrace failed to modify
+ [<d000000002a31024>] 0xd000000002a31024
+ actual: 35:65:00:48
+
+We can avoid this by including in the vermagic whether the kernel/module was
+built with mprofile-kernel. Which results in:
+
+ # insmod autofs4-pg.ko
+ autofs4: version magic
+ '4.11.0-rc3-gcc-5.4.1-00017-g5a61ef74f269 SMP mod_unload modversions '
+ should be
+ '4.11.0-rc3-gcc-5.4.1-00017-g5a61ef74f269-dirty SMP mod_unload modversions mprofile-kernel'
+ insmod: ERROR: could not insert module autofs4-pg.ko: Invalid module format
+
+Fixes: 8c50b72a3b4f ("powerpc/ftrace: Add Kconfig & Make glue for mprofile-kernel")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Balbir Singh <bsingharora@gmail.com>
+Acked-by: Jessica Yu <jeyu@redhat.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/module.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/powerpc/include/asm/module.h
++++ b/arch/powerpc/include/asm/module.h
+@@ -14,6 +14,10 @@
+ #include <asm-generic/module.h>
+
+
++#ifdef CC_USING_MPROFILE_KERNEL
++#define MODULE_ARCH_VERMAGIC "mprofile-kernel"
++#endif
++
+ #ifndef __powerpc64__
+ /*
+ * Thanks to Paul M for explaining this.
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Mon, 29 May 2017 20:26:07 +1000
+Subject: powerpc/spufs: Fix coredump of SPU contexts
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+
+[ Upstream commit 99acc9bede06bbb2662aafff51f5b9e529fa845e ]
+
+If a process dumps core while it has SPU contexts active then we have
+code to also dump information about the SPU contexts.
+
+Unfortunately it's been broken for 3 1/2 years, and we didn't notice. In
+commit 7b1f4020d0d1 ("spufs: get rid of dump_emit() wrappers") the nread
+variable was removed and rc used instead. That means when the loop exits
+successfully, rc has the number of bytes read, but it's then used as the
+return value for the function, which should return 0 on success.
+
+So fix it by setting rc = 0 before returning in the success case.
+
+Fixes: 7b1f4020d0d1 ("spufs: get rid of dump_emit() wrappers")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Jeremy Kerr <jk@ozlabs.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/cell/spufs/coredump.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/platforms/cell/spufs/coredump.c
++++ b/arch/powerpc/platforms/cell/spufs/coredump.c
+@@ -175,6 +175,8 @@ static int spufs_arch_write_note(struct
+ skip = roundup(cprm->pos - total + sz, 4) - cprm->pos;
+ if (!dump_skip(cprm, skip))
+ goto Eio;
++
++ rc = 0;
+ out:
+ free_page((unsigned long)buf);
+ return rc;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Petr Cvek <petr.cvek@tul.cz>
+Date: Mon, 24 Apr 2017 22:51:58 -0300
+Subject: [media] pxa_camera: fix module remove codepath for v4l2 clock
+
+From: Petr Cvek <petr.cvek@tul.cz>
+
+
+[ Upstream commit e3b4d10cc057522353c4a02f2f90dca6a52e006f ]
+
+The conversion from soc_camera omitted a correct handling of the clock
+gating for a sensor. When the pxa_camera driver module was removed it
+tried to unregister clk, but this caused a similar warning:
+
+ WARNING: CPU: 0 PID: 6740 at drivers/media/v4l2-core/v4l2-clk.c:278
+ v4l2_clk_unregister(): Refusing to unregister ref-counted 0-0030 clock!
+
+The clock was at time still refcounted by the sensor driver. Before
+the removing of the pxa_camera the clock must be dropped by the sensor
+driver. This should be triggered by v4l2_async_notifier_unregister() call
+which removes sensor driver module too, calls unbind() function and then
+tries to probe sensor driver again. Inside unbind() we can safely
+unregister the v4l2 clock as the sensor driver got removed. The original
+v4l2_clk_unregister() should be put inside test as the clock can be
+already unregistered from unbind(). If there was not any bound sensor
+the clock is still present.
+
+The codepath is practically a copy from the old soc_camera. The bug was
+tested with a pxa_camera+ov9640 combination during the conversion
+of the ov9640 from the soc_camera.
+
+Signed-off-by: Petr Cvek <petr.cvek@tul.cz>
+Tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/pxa_camera.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/pxa_camera.c
++++ b/drivers/media/platform/pxa_camera.c
+@@ -2169,6 +2169,12 @@ static void pxa_camera_sensor_unbind(str
+ pxa_dma_stop_channels(pcdev);
+
+ pxa_camera_destroy_formats(pcdev);
++
++ if (pcdev->mclk_clk) {
++ v4l2_clk_unregister(pcdev->mclk_clk);
++ pcdev->mclk_clk = NULL;
++ }
++
+ video_unregister_device(&pcdev->vdev);
+ pcdev->sensor = NULL;
+
+@@ -2495,7 +2501,13 @@ static int pxa_camera_remove(struct plat
+ dma_release_channel(pcdev->dma_chans[1]);
+ dma_release_channel(pcdev->dma_chans[2]);
+
+- v4l2_clk_unregister(pcdev->mclk_clk);
++ v4l2_async_notifier_unregister(&pcdev->notifier);
++
++ if (pcdev->mclk_clk) {
++ v4l2_clk_unregister(pcdev->mclk_clk);
++ pcdev->mclk_clk = NULL;
++ }
++
+ v4l2_device_unregister(&pcdev->v4l2_dev);
+
+ dev_info(&pdev->dev, "PXA Camera driver unloaded\n");
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Ram Amrani <Ram.Amrani@cavium.com>
+Date: Tue, 9 May 2017 15:07:50 +0300
+Subject: qed: Correct doorbell configuration for !4Kb pages
+
+From: Ram Amrani <Ram.Amrani@cavium.com>
+
+
+[ Upstream commit a82dadbce47395747824971db08a128130786fdc ]
+
+When configuring the doorbell DPI address, driver aligns the start
+address to 4KB [HW-pages] instead of host PAGE_SIZE.
+As a result, RoCE applications might receive addresses which are
+unaligned to pages [when PAGE_SIZE > 4KB], which is a security risk.
+
+Fixes: 51ff17251c9c ("qed: Add support for RoCE hw init")
+Signed-off-by: Ram Amrani <Ram.Amrani@cavium.com>
+Signed-off-by: Yuval Mintz <Yuval.Mintz@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -850,7 +850,7 @@ qed_hw_init_pf_doorbell_bar(struct qed_h
+ NULL) +
+ qed_cxt_get_proto_cid_count(p_hwfn, PROTOCOLID_ETH,
+ NULL);
+- norm_regsize = roundup(QED_PF_DEMS_SIZE * non_pwm_conn, 4096);
++ norm_regsize = roundup(QED_PF_DEMS_SIZE * non_pwm_conn, PAGE_SIZE);
+ min_addr_reg1 = norm_regsize / 4096;
+ pwm_regsize = db_bar_size - norm_regsize;
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "sudarsana.kalluru@cavium.com" <sudarsana.kalluru@cavium.com>
+Date: Thu, 4 May 2017 08:15:04 -0700
+Subject: qed: Fix overriding of supported autoneg value.
+
+From: "sudarsana.kalluru@cavium.com" <sudarsana.kalluru@cavium.com>
+
+
+[ Upstream commit 34f9199ce7b7e5c641b96e928bd60e086bf7f278 ]
+
+Driver currently uses advertised-autoneg value to populate the
+supported-autoneg field. When advertised field is updated, user gets
+the same value for supported field. Supported-autoneg value need to be
+populated from the link capabilities value returned by the MFW.
+
+Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
+Signed-off-by: Yuval Mintz <Yuval.Mintz@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_dev.c | 3 +++
+ drivers/net/ethernet/qlogic/qed/qed_main.c | 6 +++++-
+ drivers/net/ethernet/qlogic/qed/qed_mcp.h | 1 +
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -1628,6 +1628,9 @@ static int qed_hw_get_nvm_info(struct qe
+ DP_NOTICE(p_hwfn, "Unknown Speed in 0x%08x\n", link_temp);
+ }
+
++ p_hwfn->mcp_info->link_capabilities.default_speed_autoneg =
++ link->speed.autoneg;
++
+ link_temp &= NVM_CFG1_PORT_DRV_FLOW_CONTROL_MASK;
+ link_temp >>= NVM_CFG1_PORT_DRV_FLOW_CONTROL_OFFSET;
+ link->pause.autoneg = !!(link_temp &
+--- a/drivers/net/ethernet/qlogic/qed/qed_main.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c
+@@ -1240,7 +1240,7 @@ static void qed_fill_link(struct qed_hwf
+
+ /* TODO - at the moment assume supported and advertised speed equal */
+ if_link->supported_caps = QED_LM_FIBRE_BIT;
+- if (params.speed.autoneg)
++ if (link_caps.default_speed_autoneg)
+ if_link->supported_caps |= QED_LM_Autoneg_BIT;
+ if (params.pause.autoneg ||
+ (params.pause.forced_rx && params.pause.forced_tx))
+@@ -1250,6 +1250,10 @@ static void qed_fill_link(struct qed_hwf
+ if_link->supported_caps |= QED_LM_Pause_BIT;
+
+ if_link->advertised_caps = if_link->supported_caps;
++ if (params.speed.autoneg)
++ if_link->advertised_caps |= QED_LM_Autoneg_BIT;
++ else
++ if_link->advertised_caps &= ~QED_LM_Autoneg_BIT;
+ if (params.speed.advertised_speeds &
+ NVM_CFG1_PORT_DRV_SPEED_CAPABILITY_MASK_1G)
+ if_link->advertised_caps |= QED_LM_1000baseT_Half_BIT |
+--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.h
+@@ -35,6 +35,7 @@ struct qed_mcp_link_params {
+
+ struct qed_mcp_link_capabilities {
+ u32 speed_capabilities;
++ bool default_speed_autoneg;
+ };
+
+ struct qed_mcp_link_state {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Jia-Ju Bai <baijiaju1990@163.com>
+Date: Thu, 1 Jun 2017 16:18:10 +0800
+Subject: qlcnic: Fix a sleep-in-atomic bug in qlcnic_82xx_hw_write_wx_2M and qlcnic_82xx_hw_read_wx_2M
+
+From: Jia-Ju Bai <baijiaju1990@163.com>
+
+
+[ Upstream commit 5ea6d691aac6c93b790f0905e3460d44cc4c449b ]
+
+The driver may sleep under a write spin lock, and the function
+call path is:
+qlcnic_82xx_hw_write_wx_2M (acquire the lock by write_lock_irqsave)
+ crb_win_lock
+ qlcnic_pcie_sem_lock
+ usleep_range
+qlcnic_82xx_hw_read_wx_2M (acquire the lock by write_lock_irqsave)
+ crb_win_lock
+ qlcnic_pcie_sem_lock
+ usleep_range
+
+To fix it, the usleep_range is replaced with udelay.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c
+@@ -341,7 +341,7 @@ qlcnic_pcie_sem_lock(struct qlcnic_adapt
+ }
+ return -EIO;
+ }
+- usleep_range(1000, 1500);
++ udelay(1200);
+ }
+
+ if (id_reg)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 5 May 2017 15:34:34 -0700
+Subject: qlge: Avoid reading past end of buffer
+
+From: Kees Cook <keescook@chromium.org>
+
+
+[ Upstream commit df5303a8aa9a0a6934f4cea7427f1edf771f21c2 ]
+
+Using memcpy() from a string that is shorter than the length copied means
+the destination buffer is being filled with arbitrary data from the kernel
+rodata segment. Instead, use strncpy() which will fill the trailing bytes
+with zeros.
+
+This was found with the future CONFIG_FORTIFY_SOURCE feature.
+
+Cc: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qlge/qlge_dbg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
++++ b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
+@@ -765,7 +765,7 @@ int ql_core_dump(struct ql_adapter *qdev
+ sizeof(struct mpi_coredump_global_header);
+ mpi_coredump->mpi_global_header.imageSize =
+ sizeof(struct ql_mpi_coredump);
+- memcpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
++ strncpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
+ sizeof(mpi_coredump->mpi_global_header.idString));
+
+ /* Get generic NIC reg dump */
+@@ -1255,7 +1255,7 @@ static void ql_gen_reg_dump(struct ql_ad
+ sizeof(struct mpi_coredump_global_header);
+ mpi_coredump->mpi_global_header.imageSize =
+ sizeof(struct ql_reg_dump);
+- memcpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
++ strncpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
+ sizeof(mpi_coredump->mpi_global_header.idString));
+
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 5 May 2017 15:38:41 -0700
+Subject: ray_cs: Avoid reading past end of buffer
+
+From: Kees Cook <keescook@chromium.org>
+
+
+[ Upstream commit e48d661eb13f2f83861428f001c567fdb3f317e8 ]
+
+Using memcpy() from a buffer that is shorter than the length copied means
+the destination buffer is being filled with arbitrary data from the kernel
+rodata segment. In this case, the source was made longer, since it did not
+match the destination structure size. Additionally removes a needless cast.
+
+This was found with the future CONFIG_FORTIFY_SOURCE feature.
+
+Cc: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ray_cs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ray_cs.c
++++ b/drivers/net/wireless/ray_cs.c
+@@ -247,7 +247,10 @@ static const UCHAR b4_default_startup_pa
+ 0x04, 0x08, /* Noise gain, limit offset */
+ 0x28, 0x28, /* det rssi, med busy offsets */
+ 7, /* det sync thresh */
+- 0, 2, 2 /* test mode, min, max */
++ 0, 2, 2, /* test mode, min, max */
++ 0, /* rx/tx delay */
++ 0, 0, 0, 0, 0, 0, /* current BSS id */
++ 0 /* hop set */
+ };
+
+ /*===========================================================================*/
+@@ -598,7 +601,7 @@ static void init_startup_params(ray_dev_
+ * a_beacon_period = hops a_beacon_period = KuS
+ *//* 64ms = 010000 */
+ if (local->fw_ver == 0x55) {
+- memcpy((UCHAR *) &local->sparm.b4, b4_default_startup_parms,
++ memcpy(&local->sparm.b4, b4_default_startup_parms,
+ sizeof(struct b4_startup_params));
+ /* Translate sane kus input values to old build 4/5 format */
+ /* i = hop time in uS truncated to 3 bytes */
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "Steven L. Roberts" <robers97@gmail.com>
+Date: Wed, 10 May 2017 10:54:12 -0500
+Subject: RDMA/hfi1: fix array termination by appending NULL to attr array
+
+From: "Steven L. Roberts" <robers97@gmail.com>
+
+
+[ Upstream commit c4dd4b69f55abcc8dd079f8de55d9d8c2ddbefce ]
+
+This fixes a kernel panic when loading the hfi driver as a dynamic module.
+
+Signed-off-by: Steven L Roberts <robers97@gmail.com>
+Reviewed-by: Leon Romanovsky <leon@kernel.org>
+Acked-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hfi1/sysfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/hfi1/sysfs.c
++++ b/drivers/infiniband/hw/hfi1/sysfs.c
+@@ -196,7 +196,8 @@ static const struct sysfs_ops port_cc_sy
+ };
+
+ static struct attribute *port_cc_default_attributes[] = {
+- &cc_prescan_attr.attr
++ &cc_prescan_attr.attr,
++ NULL
+ };
+
+ static struct kobj_type port_cc_ktype = {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Raju Rangoju <rajur@chelsio.com>
+Date: Mon, 15 May 2017 06:40:39 +0000
+Subject: RDMA/iw_cxgb4: Avoid touch after free error in ARP failure handlers
+
+From: Raju Rangoju <rajur@chelsio.com>
+
+
+[ Upstream commit 1dad0ebeea1cd890b8892523f736916e245b0aef ]
+
+The patch 761e19a504af (RDMA/iw_cxgb4: Handle return value of
+c4iw_ofld_send() in abort_arp_failure()) from May 6, 2016
+leads to the following static checker warning:
+ drivers/infiniband/hw/cxgb4/cm.c:575 abort_arp_failure()
+ warn: passing freed memory 'skb'
+
+Also fixes skb leak when l2t resolution fails
+
+Fixes: 761e19a504afa55 (RDMA/iw_cxgb4: Handle return value of
+c4iw_ofld_send() in abort_arp_failure())
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Raju Rangoju <rajur@chelsio.com>
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -488,6 +488,7 @@ static int _put_ep_safe(struct c4iw_dev
+
+ ep = *((struct c4iw_ep **)(skb->cb + 2 * sizeof(void *)));
+ release_ep_resources(ep);
++ kfree_skb(skb);
+ return 0;
+ }
+
+@@ -498,6 +499,7 @@ static int _put_pass_ep_safe(struct c4iw
+ ep = *((struct c4iw_ep **)(skb->cb + 2 * sizeof(void *)));
+ c4iw_put_ep(&ep->parent_ep->com);
+ release_ep_resources(ep);
++ kfree_skb(skb);
+ return 0;
+ }
+
+@@ -569,11 +571,13 @@ static void abort_arp_failure(void *hand
+
+ PDBG("%s rdev %p\n", __func__, rdev);
+ req->cmd = CPL_ABORT_NO_RST;
++ skb_get(skb);
+ ret = c4iw_ofld_send(rdev, skb);
+ if (ret) {
+ __state_set(&ep->com, DEAD);
+ queue_arp_failure_cpl(ep, skb, FAKE_CPL_PUT_EP_SAFE);
+- }
++ } else
++ kfree_skb(skb);
+ }
+
+ static int send_flowc(struct c4iw_ep *ep)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Date: Fri, 22 Dec 2017 09:38:59 -0800
+Subject: rds; Reset rs->rs_bound_addr in rds_add_bound() failure path
+
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+
+
+[ Upstream commit 7ae0c649c47f1c5d2db8cee6dd75855970af1669 ]
+
+If the rds_sock is not added to the bind_hash_table, we must
+reset rs_bound_addr so that rds_remove_bound will not trip on
+this rds_sock.
+
+rds_add_bound() does a rds_sock_put() in this failure path, so
+failing to reset rs_bound_addr will result in a socket refcount
+bug, and will trigger a WARN_ON with the stack shown below when
+the application subsequently tries to close the PF_RDS socket.
+
+ WARNING: CPU: 20 PID: 19499 at net/rds/af_rds.c:496 \
+ rds_sock_destruct+0x15/0x30 [rds]
+ :
+ __sk_destruct+0x21/0x190
+ rds_remove_bound.part.13+0xb6/0x140 [rds]
+ rds_release+0x71/0x120 [rds]
+ sock_release+0x1a/0x70
+ sock_close+0xe/0x20
+ __fput+0xd5/0x210
+ task_work_run+0x82/0xa0
+ do_exit+0x2ce/0xb30
+ ? syscall_trace_enter+0x1cc/0x2b0
+ do_group_exit+0x39/0xa0
+ SyS_exit_group+0x10/0x10
+ do_syscall_64+0x61/0x1a0
+
+Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/bind.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rds/bind.c
++++ b/net/rds/bind.c
+@@ -114,6 +114,7 @@ static int rds_add_bound(struct rds_sock
+ rs, &addr, (int)ntohs(*port));
+ break;
+ } else {
++ rs->rs_bound_addr = 0;
+ rds_sock_put(rs);
+ ret = -ENOMEM;
+ break;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Tue, 19 Dec 2017 12:33:56 +0100
+Subject: rt2x00: do not pause queue unconditionally on error path
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+
+[ Upstream commit 6dd80efd75ce7c2dbd9f117cf585ee2b33a42ee1 ]
+
+Pausing queue without checking threshold is racy with txdone path.
+Moreover we do not need pause queue on any error, but only if queue
+is full - in case when we send RTS frame ( other cases of almost full
+queue are already handled in rt2x00queue_write_tx_frame() ).
+
+Patch fixes of theoretically possible problem of pausing empty
+queue.
+
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ralink/rt2x00/rt2x00mac.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
+@@ -142,15 +142,25 @@ void rt2x00mac_tx(struct ieee80211_hw *h
+ if (!rt2x00dev->ops->hw->set_rts_threshold &&
+ (tx_info->control.rates[0].flags & (IEEE80211_TX_RC_USE_RTS_CTS |
+ IEEE80211_TX_RC_USE_CTS_PROTECT))) {
+- if (rt2x00queue_available(queue) <= 1)
+- goto exit_fail;
++ if (rt2x00queue_available(queue) <= 1) {
++ /*
++ * Recheck for full queue under lock to avoid race
++ * conditions with rt2x00lib_txdone().
++ */
++ spin_lock(&queue->tx_lock);
++ if (rt2x00queue_threshold(queue))
++ rt2x00queue_pause_queue(queue);
++ spin_unlock(&queue->tx_lock);
++
++ goto exit_free_skb;
++ }
+
+ if (rt2x00mac_tx_rts_cts(rt2x00dev, queue, skb))
+- goto exit_fail;
++ goto exit_free_skb;
+ }
+
+ if (unlikely(rt2x00queue_write_tx_frame(queue, skb, control->sta, false)))
+- goto exit_fail;
++ goto exit_free_skb;
+
+ /*
+ * Pausing queue has to be serialized with rt2x00lib_txdone(). Note
+@@ -164,10 +174,6 @@ void rt2x00mac_tx(struct ieee80211_hw *h
+
+ return;
+
+- exit_fail:
+- spin_lock(&queue->tx_lock);
+- rt2x00queue_pause_queue(queue);
+- spin_unlock(&queue->tx_lock);
+ exit_free_skb:
+ ieee80211_free_txskb(hw, skb);
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Date: Fri, 19 May 2017 22:18:55 +0530
+Subject: rtc: interface: Validate alarm-time before handling rollover
+
+From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+
+
+[ Upstream commit da96aea0ed177105cb13ee83b328f6c61e061d3f ]
+
+In function __rtc_read_alarm() its possible for an alarm time-stamp to
+be invalid even after replacing missing components with current
+time-stamp. The condition 'alarm->time.tm_year < 70' will trigger this
+case and will cause the call to 'rtc_tm_to_time64(&alarm->time)'
+return a negative value for variable t_alm.
+
+While handling alarm rollover this negative t_alm (assumed to seconds
+offset from '1970-01-01 00:00:00') is converted back to rtc_time via
+rtc_time64_to_tm() which results in this error log with seemingly
+garbage values:
+
+"rtc rtc0: invalid alarm value: -2-1--1041528741
+2005511117:71582844:32"
+
+This error was generated when the rtc driver (rtc-opal in this case)
+returned an alarm time-stamp of '00-00-00 00:00:00' to indicate that
+the alarm is disabled. Though I have submitted a separate fix for the
+rtc-opal driver, this issue may potentially impact other
+existing/future rtc drivers.
+
+To fix this issue the patch validates the alarm time-stamp just after
+filling up the missing datetime components and if rtc_valid_tm() still
+reports it to be invalid then bails out of the function without
+handling the rollover.
+
+Reported-by: Steve Best <sbest@redhat.com>
+Signed-off-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/interface.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/rtc/interface.c
++++ b/drivers/rtc/interface.c
+@@ -227,6 +227,13 @@ int __rtc_read_alarm(struct rtc_device *
+ missing = year;
+ }
+
++ /* Can't proceed if alarm is still invalid after replacing
++ * missing fields.
++ */
++ err = rtc_valid_tm(&alarm->time);
++ if (err)
++ goto done;
++
+ /* with luck, no rollover is needed */
+ t_now = rtc_tm_to_time64(&now);
+ t_alm = rtc_tm_to_time64(&alarm->time);
+@@ -278,9 +285,9 @@ int __rtc_read_alarm(struct rtc_device *
+ dev_warn(&rtc->dev, "alarm rollover not handled\n");
+ }
+
+-done:
+ err = rtc_valid_tm(&alarm->time);
+
++done:
+ if (err) {
+ dev_warn(&rtc->dev, "invalid alarm value: %d-%d-%d %d:%d:%d\n",
+ alarm->time.tm_year + 1900, alarm->time.tm_mon + 1,
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Gary Bisson <gary.bisson@boundarydevices.com>
+Date: Tue, 25 Apr 2017 16:45:15 +0200
+Subject: rtc: m41t80: fix SQW dividers override when setting a date
+
+From: Gary Bisson <gary.bisson@boundarydevices.com>
+
+
+[ Upstream commit 0f546b058b86ea2f661cc7a6e931cee5a29959ef ]
+
+This patch is only relevant for RTC with the SQ_ALT feature which
+means the clock output frequency divider is stored in the weekday
+register.
+
+Current implementation discards the previous dividers value and clear
+them as soon as the time is set.
+
+Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-m41t80.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/rtc/rtc-m41t80.c
++++ b/drivers/rtc/rtc-m41t80.c
+@@ -168,6 +168,7 @@ static int m41t80_get_datetime(struct i2
+ /* Sets the given date and time to the real time clock. */
+ static int m41t80_set_datetime(struct i2c_client *client, struct rtc_time *tm)
+ {
++ struct m41t80_data *clientdata = i2c_get_clientdata(client);
+ unsigned char buf[8];
+ int err, flags;
+
+@@ -183,6 +184,17 @@ static int m41t80_set_datetime(struct i2
+ buf[M41T80_REG_YEAR] = bin2bcd(tm->tm_year - 100);
+ buf[M41T80_REG_WDAY] = tm->tm_wday;
+
++ /* If the square wave output is controlled in the weekday register */
++ if (clientdata->features & M41T80_FEATURE_SQ_ALT) {
++ int val;
++
++ val = i2c_smbus_read_byte_data(client, M41T80_REG_WDAY);
++ if (val < 0)
++ return val;
++
++ buf[M41T80_REG_WDAY] |= (val & 0xf0);
++ }
++
+ err = i2c_smbus_write_i2c_block_data(client, M41T80_REG_SSEC,
+ sizeof(buf), buf);
+ if (err < 0) {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Date: Fri, 19 May 2017 15:35:09 +0530
+Subject: rtc: opal: Handle disabled TPO in opal_get_tpo_time()
+
+From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+
+
+[ Upstream commit 6dc1cf6f932bb0ea4d8f5e913a0a401ecacd2f03 ]
+
+On PowerNV platform when Timed-Power-On(TPO) is disabled, read of
+stored TPO yields value with all date components set to '0' inside
+opal_get_tpo_time(). The function opal_to_tm() then converts it to an
+offset from year 1900 yielding alarm-time == "1900-00-01
+00:00:00". This causes problems with __rtc_read_alarm() that
+expecting an offset from "1970-00-01 00:00:00" and returned alarm-time
+results in a -ve value for time64_t. Which ultimately results in this
+error reported in kernel logs with a seemingly garbage value:
+
+"rtc rtc0: invalid alarm value: -2-1--1041528741
+2005511117:71582844:32"
+
+We fix this by explicitly handling the case of all alarm date-time
+components being '0' inside opal_get_tpo_time() and returning -ENOENT
+in such a case. This signals generic rtc that no alarm is set and it
+bails out from the alarm initialization flow without reporting the
+above error.
+
+Signed-off-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Reported-by: Steve Best <sbest@redhat.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-opal.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/rtc/rtc-opal.c
++++ b/drivers/rtc/rtc-opal.c
+@@ -150,6 +150,16 @@ static int opal_get_tpo_time(struct devi
+
+ y_m_d = be32_to_cpu(__y_m_d);
+ h_m_s_ms = ((u64)be32_to_cpu(__h_m) << 32);
++
++ /* check if no alarm is set */
++ if (y_m_d == 0 && h_m_s_ms == 0) {
++ pr_debug("No alarm is set\n");
++ rc = -ENOENT;
++ goto exit;
++ } else {
++ pr_debug("Alarm set to %x %llx\n", y_m_d, h_m_s_ms);
++ }
++
+ opal_to_tm(y_m_d, h_m_s_ms, &alarm->time);
+
+ exit:
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 13:43:24 +0800
+Subject: rtc: snvs: fix an incorrect check of return value
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 758929005f06f954b7e1c87a1c9fdb44157b228f ]
+
+Function devm_regmap_init_mmio() returns an ERR_PTR on error. However,
+in function snvs_rtc_probe() its return value is checked against NULL.
+This patch fixes it by checking the return value with IS_ERR().
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-snvs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-snvs.c
++++ b/drivers/rtc/rtc-snvs.c
+@@ -257,7 +257,7 @@ static int snvs_rtc_probe(struct platfor
+ of_property_read_u32(pdev->dev.of_node, "offset", &data->offset);
+ }
+
+- if (!data->regmap) {
++ if (IS_ERR(data->regmap)) {
+ dev_err(&pdev->dev, "Can't find snvs syscon\n");
+ return -ENODEV;
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Stefan Haberland <sth@linux.vnet.ibm.com>
+Date: Thu, 18 May 2017 13:24:45 +0200
+Subject: s390/dasd: fix hanging safe offline
+
+From: Stefan Haberland <sth@linux.vnet.ibm.com>
+
+
+[ Upstream commit e8ac01555d9e464249e8bb122337d6d6e5589ccc ]
+
+The safe offline processing may hang forever because it waits for I/O
+which can not be started because of the offline flag that prevents new
+I/O from being started.
+
+Allow I/O to be started during safe offline processing because in this
+special case we take care that the queues are empty before throwing away
+the device.
+
+Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/dasd.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/block/dasd.c
++++ b/drivers/s390/block/dasd.c
+@@ -1950,8 +1950,12 @@ static int __dasd_device_is_unusable(str
+ {
+ int mask = ~(DASD_STOPPED_DC_WAIT | DASD_UNRESUMED_PM);
+
+- if (test_bit(DASD_FLAG_OFFLINE, &device->flags)) {
+- /* dasd is being set offline. */
++ if (test_bit(DASD_FLAG_OFFLINE, &device->flags) &&
++ !test_bit(DASD_FLAG_SAFE_OFFLINE_RUNNING, &device->flags)) {
++ /*
++ * dasd is being set offline
++ * but it is no safe offline where we have to allow I/O
++ */
+ return 1;
+ }
+ if (device->stopped) {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Thu, 4 May 2017 09:42:22 +0200
+Subject: s390: move _text symbol to address higher than zero
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+
+[ Upstream commit d04a4c76f71dd5335f8e499b59617382d84e2b8d ]
+
+The perf tool assumes that kernel symbols are never present at address
+zero. In fact it assumes if functions that map symbols to addresses
+return zero, that the symbol was not found.
+
+Given that s390's _text symbol historically is located at address zero
+this yields at least a couple of false errors and warnings in one of
+perf's test cases about not present symbols ("perf test 1").
+
+To fix this simply move the _text symbol to address 0x200, just behind
+the initial psw and channel program located at the beginning of the
+kernel image. This is now hard coded within the linker script.
+
+I tried a nicer solution which moves the initial psw and channel
+program into an own section. However that would move the symbols
+within the "real" head.text section to different addresses, since the
+".org" statements within head.S are relative to the head.text
+section. If there is a new section in front, everything else will be
+moved. Alternatively I could have adjusted all ".org" statements. But
+this current solution seems to be the easiest one, since nobody really
+cares where the _text symbol is actually located.
+
+Reported-by: Zvonko Kosic <zkosic@linux.vnet.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/vmlinux.lds.S | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/vmlinux.lds.S
++++ b/arch/s390/kernel/vmlinux.lds.S
+@@ -31,8 +31,14 @@ SECTIONS
+ {
+ . = 0x00000000;
+ .text : {
+- _text = .; /* Text and read-only data */
++ /* Text and read-only data */
+ HEAD_TEXT
++ /*
++ * E.g. perf doesn't like symbols starting at address zero,
++ * therefore skip the initial PSW and channel program located
++ * at address zero and let _text start at 0x200.
++ */
++ _text = 0x200;
+ TEXT_TEXT
+ SCHED_TEXT
+ CPUIDLE_TEXT
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Daniel Bristot de Oliveira <bristot@redhat.com>
+Date: Mon, 29 May 2017 16:24:03 +0200
+Subject: sched/deadline: Use the revised wakeup rule for suspending constrained dl tasks
+
+From: Daniel Bristot de Oliveira <bristot@redhat.com>
+
+
+[ Upstream commit 3effcb4247e74a51f5d8b775a1ee4abf87cc089a ]
+
+We have been facing some problems with self-suspending constrained
+deadline tasks. The main reason is that the original CBS was not
+designed for such sort of tasks.
+
+One problem reported by Xunlei Pang takes place when a task
+suspends, and then is awakened before the deadline, but so close
+to the deadline that its remaining runtime can cause the task
+to have an absolute density higher than allowed. In such situation,
+the original CBS assumes that the task is facing an early activation,
+and so it replenishes the task and set another deadline, one deadline
+in the future. This rule works fine for implicit deadline tasks.
+Moreover, it allows the system to adapt the period of a task in which
+the external event source suffered from a clock drift.
+
+However, this opens the window for bandwidth leakage for constrained
+deadline tasks. For instance, a task with the following parameters:
+
+ runtime = 5 ms
+ deadline = 7 ms
+ [density] = 5 / 7 = 0.71
+ period = 1000 ms
+
+If the task runs for 1 ms, and then suspends for another 1ms,
+it will be awakened with the following parameters:
+
+ remaining runtime = 4
+ laxity = 5
+
+presenting a absolute density of 4 / 5 = 0.80.
+
+In this case, the original CBS would assume the task had an early
+wakeup. Then, CBS will reset the runtime, and the absolute deadline will
+be postponed by one relative deadline, allowing the task to run.
+
+The problem is that, if the task runs this pattern forever, it will keep
+receiving bandwidth, being able to run 1ms every 2ms. Following this
+behavior, the task would be able to run 500 ms in 1 sec. Thus running
+more than the 5 ms / 1 sec the admission control allowed it to run.
+
+Trying to address the self-suspending case, Luca Abeni, Giuseppe
+Lipari, and Juri Lelli [1] revisited the CBS in order to deal with
+self-suspending tasks. In the new approach, rather than
+replenishing/postponing the absolute deadline, the revised wakeup rule
+adjusts the remaining runtime, reducing it to fit into the allowed
+density.
+
+A revised version of the idea is:
+
+At a given time t, the maximum absolute density of a task cannot be
+higher than its relative density, that is:
+
+ runtime / (deadline - t) <= dl_runtime / dl_deadline
+
+Knowing the laxity of a task (deadline - t), it is possible to move
+it to the other side of the equality, thus enabling to define max
+remaining runtime a task can use within the absolute deadline, without
+over-running the allowed density:
+
+ runtime = (dl_runtime / dl_deadline) * (deadline - t)
+
+For instance, in our previous example, the task could still run:
+
+ runtime = ( 5 / 7 ) * 5
+ runtime = 3.57 ms
+
+Without causing damage for other deadline tasks. It is note worthy
+that the laxity cannot be negative because that would cause a negative
+runtime. Thus, this patch depends on the patch:
+
+ df8eac8cafce ("sched/deadline: Throttle a constrained deadline task activated after the deadline")
+
+Which throttles a constrained deadline task activated after the
+deadline.
+
+Finally, it is also possible to use the revised wakeup rule for
+all other tasks, but that would require some more discussions
+about pros and cons.
+
+Reported-by: Xunlei Pang <xpang@redhat.com>
+Signed-off-by: Daniel Bristot de Oliveira <bristot@redhat.com>
+[peterz: replaced dl_is_constrained with dl_is_implicit]
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Juri Lelli <juri.lelli@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Luca Abeni <luca.abeni@santannapisa.it>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Romulo Silva de Oliveira <romulo.deoliveira@ufsc.br>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tommaso Cucinotta <tommaso.cucinotta@sssup.it>
+Link: http://lkml.kernel.org/r/5c800ab3a74a168a84ee5f3f84d12a02e11383be.1495803804.git.bristot@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/sched.h | 1
+ kernel/sched/core.c | 2
+ kernel/sched/deadline.c | 98 ++++++++++++++++++++++++++++++++++++++++++------
+ 3 files changed, 89 insertions(+), 12 deletions(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1412,6 +1412,7 @@ struct sched_dl_entity {
+ u64 dl_deadline; /* relative deadline of each instance */
+ u64 dl_period; /* separation of two instances (period) */
+ u64 dl_bw; /* dl_runtime / dl_deadline */
++ u64 dl_density; /* dl_runtime / dl_deadline */
+
+ /*
+ * Actual scheduling parameters. Initialized with the values above,
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -2184,6 +2184,7 @@ void __dl_clear_params(struct task_struc
+ dl_se->dl_period = 0;
+ dl_se->flags = 0;
+ dl_se->dl_bw = 0;
++ dl_se->dl_density = 0;
+
+ dl_se->dl_throttled = 0;
+ dl_se->dl_yielded = 0;
+@@ -3912,6 +3913,7 @@ __setparam_dl(struct task_struct *p, con
+ dl_se->dl_period = attr->sched_period ?: dl_se->dl_deadline;
+ dl_se->flags = attr->sched_flags;
+ dl_se->dl_bw = to_ratio(dl_se->dl_period, dl_se->dl_runtime);
++ dl_se->dl_density = to_ratio(dl_se->dl_deadline, dl_se->dl_runtime);
+
+ /*
+ * Changing the parameters of a task is 'tricky' and we're not doing
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -484,13 +484,84 @@ static bool dl_entity_overflow(struct sc
+ }
+
+ /*
+- * When a -deadline entity is queued back on the runqueue, its runtime and
+- * deadline might need updating.
++ * Revised wakeup rule [1]: For self-suspending tasks, rather then
++ * re-initializing task's runtime and deadline, the revised wakeup
++ * rule adjusts the task's runtime to avoid the task to overrun its
++ * density.
+ *
+- * The policy here is that we update the deadline of the entity only if:
+- * - the current deadline is in the past,
+- * - using the remaining runtime with the current deadline would make
+- * the entity exceed its bandwidth.
++ * Reasoning: a task may overrun the density if:
++ * runtime / (deadline - t) > dl_runtime / dl_deadline
++ *
++ * Therefore, runtime can be adjusted to:
++ * runtime = (dl_runtime / dl_deadline) * (deadline - t)
++ *
++ * In such way that runtime will be equal to the maximum density
++ * the task can use without breaking any rule.
++ *
++ * [1] Luca Abeni, Giuseppe Lipari, and Juri Lelli. 2015. Constant
++ * bandwidth server revisited. SIGBED Rev. 11, 4 (January 2015), 19-24.
++ */
++static void
++update_dl_revised_wakeup(struct sched_dl_entity *dl_se, struct rq *rq)
++{
++ u64 laxity = dl_se->deadline - rq_clock(rq);
++
++ /*
++ * If the task has deadline < period, and the deadline is in the past,
++ * it should already be throttled before this check.
++ *
++ * See update_dl_entity() comments for further details.
++ */
++ WARN_ON(dl_time_before(dl_se->deadline, rq_clock(rq)));
++
++ dl_se->runtime = (dl_se->dl_density * laxity) >> 20;
++}
++
++/*
++ * Regarding the deadline, a task with implicit deadline has a relative
++ * deadline == relative period. A task with constrained deadline has a
++ * relative deadline <= relative period.
++ *
++ * We support constrained deadline tasks. However, there are some restrictions
++ * applied only for tasks which do not have an implicit deadline. See
++ * update_dl_entity() to know more about such restrictions.
++ *
++ * The dl_is_implicit() returns true if the task has an implicit deadline.
++ */
++static inline bool dl_is_implicit(struct sched_dl_entity *dl_se)
++{
++ return dl_se->dl_deadline == dl_se->dl_period;
++}
++
++/*
++ * When a deadline entity is placed in the runqueue, its runtime and deadline
++ * might need to be updated. This is done by a CBS wake up rule. There are two
++ * different rules: 1) the original CBS; and 2) the Revisited CBS.
++ *
++ * When the task is starting a new period, the Original CBS is used. In this
++ * case, the runtime is replenished and a new absolute deadline is set.
++ *
++ * When a task is queued before the begin of the next period, using the
++ * remaining runtime and deadline could make the entity to overflow, see
++ * dl_entity_overflow() to find more about runtime overflow. When such case
++ * is detected, the runtime and deadline need to be updated.
++ *
++ * If the task has an implicit deadline, i.e., deadline == period, the Original
++ * CBS is applied. the runtime is replenished and a new absolute deadline is
++ * set, as in the previous cases.
++ *
++ * However, the Original CBS does not work properly for tasks with
++ * deadline < period, which are said to have a constrained deadline. By
++ * applying the Original CBS, a constrained deadline task would be able to run
++ * runtime/deadline in a period. With deadline < period, the task would
++ * overrun the runtime/period allowed bandwidth, breaking the admission test.
++ *
++ * In order to prevent this misbehave, the Revisited CBS is used for
++ * constrained deadline tasks when a runtime overflow is detected. In the
++ * Revisited CBS, rather than replenishing & setting a new absolute deadline,
++ * the remaining runtime of the task is reduced to avoid runtime overflow.
++ * Please refer to the comments update_dl_revised_wakeup() function to find
++ * more about the Revised CBS rule.
+ */
+ static void update_dl_entity(struct sched_dl_entity *dl_se,
+ struct sched_dl_entity *pi_se)
+@@ -500,6 +571,14 @@ static void update_dl_entity(struct sche
+
+ if (dl_time_before(dl_se->deadline, rq_clock(rq)) ||
+ dl_entity_overflow(dl_se, pi_se, rq_clock(rq))) {
++
++ if (unlikely(!dl_is_implicit(dl_se) &&
++ !dl_time_before(dl_se->deadline, rq_clock(rq)) &&
++ !dl_se->dl_boosted)){
++ update_dl_revised_wakeup(dl_se, rq);
++ return;
++ }
++
+ dl_se->deadline = rq_clock(rq) + pi_se->dl_deadline;
+ dl_se->runtime = pi_se->dl_runtime;
+ }
+@@ -961,11 +1040,6 @@ static void dequeue_dl_entity(struct sch
+ __dequeue_dl_entity(dl_se);
+ }
+
+-static inline bool dl_is_constrained(struct sched_dl_entity *dl_se)
+-{
+- return dl_se->dl_deadline < dl_se->dl_period;
+-}
+-
+ static void enqueue_task_dl(struct rq *rq, struct task_struct *p, int flags)
+ {
+ struct task_struct *pi_task = rt_mutex_get_top_task(p);
+@@ -997,7 +1071,7 @@ static void enqueue_task_dl(struct rq *r
+ * If that is the case, the task will be throttled and
+ * the replenishment timer will be set to the next period.
+ */
+- if (!p->dl.dl_throttled && dl_is_constrained(&p->dl))
++ if (!p->dl.dl_throttled && !dl_is_implicit(&p->dl))
+ dl_check_constrained_dl(&p->dl);
+
+ /*
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Mon, 15 May 2017 15:13:16 +0200
+Subject: sched/numa: Use down_read_trylock() for the mmap_sem
+
+From: Vlastimil Babka <vbabka@suse.cz>
+
+
+[ Upstream commit 8655d5497735b288f8a9b458bd22e7d1bf95bb61 ]
+
+A customer has reported a soft-lockup when running an intensive
+memory stress test, where the trace on multiple CPU's looks like this:
+
+ RIP: 0010:[<ffffffff810c53fe>]
+ [<ffffffff810c53fe>] native_queued_spin_lock_slowpath+0x10e/0x190
+...
+ Call Trace:
+ [<ffffffff81182d07>] queued_spin_lock_slowpath+0x7/0xa
+ [<ffffffff811bc331>] change_protection_range+0x3b1/0x930
+ [<ffffffff811d4be8>] change_prot_numa+0x18/0x30
+ [<ffffffff810adefe>] task_numa_work+0x1fe/0x310
+ [<ffffffff81098322>] task_work_run+0x72/0x90
+
+Further investigation showed that the lock contention here is pmd_lock().
+
+The task_numa_work() function makes sure that only one thread is let to perform
+the work in a single scan period (via cmpxchg), but if there's a thread with
+mmap_sem locked for writing for several periods, multiple threads in
+task_numa_work() can build up a convoy waiting for mmap_sem for read and then
+all get unblocked at once.
+
+This patch changes the down_read() to the trylock version, which prevents the
+build up. For a workload experiencing mmap_sem contention, it's probably better
+to postpone the NUMA balancing work anyway. This seems to have fixed the soft
+lockups involving pmd_lock(), which is in line with the convoy theory.
+
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Rik van Riel <riel@redhat.com>
+Acked-by: Mel Gorman <mgorman@techsingularity.net>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20170515131316.21909-1-vbabka@suse.cz
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/fair.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -2429,7 +2429,8 @@ void task_numa_work(struct callback_head
+ return;
+
+
+- down_read(&mm->mmap_sem);
++ if (!down_read_trylock(&mm->mmap_sem))
++ return;
+ vma = find_vma(mm, start);
+ if (!vma) {
+ reset_ptenuma_scan(p);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Maurizio Lombardi <mlombard@redhat.com>
+Date: Wed, 24 May 2017 14:09:44 +0200
+Subject: scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats()
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+
+[ Upstream commit c2dd893a3b0772d1c680e109b9d5715d7f73022b ]
+
+If multiple tasks attempt to read the stats, it may happen that the
+start_req_done completion is re-initialized while still being used by
+another task, causing a list corruption.
+
+This patch fixes the bug by adding a mutex to serialize the calls to
+bnx2fc_get_host_stats().
+
+WARNING: at lib/list_debug.c:48 list_del+0x6e/0xa0() (Not tainted)
+Hardware name: PowerEdge R820
+list_del corruption. prev->next should be ffff882035627d90, but was ffff884069541588
+
+Pid: 40267, comm: perl Not tainted 2.6.32-642.3.1.el6.x86_64 #1
+Call Trace:
+ [<ffffffff8107c691>] ? warn_slowpath_common+0x91/0xe0
+ [<ffffffff8107c796>] ? warn_slowpath_fmt+0x46/0x60
+ [<ffffffff812ad16e>] ? list_del+0x6e/0xa0
+ [<ffffffff81547eed>] ? wait_for_common+0x14d/0x180
+ [<ffffffff8106c4a0>] ? default_wake_function+0x0/0x20
+ [<ffffffff81547fd3>] ? wait_for_completion_timeout+0x13/0x20
+ [<ffffffffa05410b1>] ? bnx2fc_get_host_stats+0xa1/0x280 [bnx2fc]
+ [<ffffffffa04cf630>] ? fc_stat_show+0x90/0xc0 [scsi_transport_fc]
+ [<ffffffffa04cf8b6>] ? show_fcstat_tx_frames+0x16/0x20 [scsi_transport_fc]
+ [<ffffffff8137c647>] ? dev_attr_show+0x27/0x50
+ [<ffffffff8113b9be>] ? __get_free_pages+0xe/0x50
+ [<ffffffff812170e1>] ? sysfs_read_file+0x111/0x200
+ [<ffffffff8119a305>] ? vfs_read+0xb5/0x1a0
+ [<ffffffff8119b0b6>] ? fget_light_pos+0x16/0x50
+ [<ffffffff8119a651>] ? sys_read+0x51/0xb0
+ [<ffffffff810ee1fe>] ? __audit_syscall_exit+0x25e/0x290
+ [<ffffffff8100b0d2>] ? system_call_fastpath+0x16/0x1b
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Acked-by: Chad Dupuis <chad.dupuis@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/bnx2fc/bnx2fc.h | 1 +
+ drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/bnx2fc/bnx2fc.h
++++ b/drivers/scsi/bnx2fc/bnx2fc.h
+@@ -191,6 +191,7 @@ struct bnx2fc_hba {
+ struct bnx2fc_cmd_mgr *cmd_mgr;
+ spinlock_t hba_lock;
+ struct mutex hba_mutex;
++ struct mutex hba_stats_mutex;
+ unsigned long adapter_state;
+ #define ADAPTER_STATE_UP 0
+ #define ADAPTER_STATE_GOING_DOWN 1
+--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+@@ -670,15 +670,17 @@ static struct fc_host_statistics *bnx2fc
+ if (!fw_stats)
+ return NULL;
+
++ mutex_lock(&hba->hba_stats_mutex);
++
+ bnx2fc_stats = fc_get_host_stats(shost);
+
+ init_completion(&hba->stat_req_done);
+ if (bnx2fc_send_stat_req(hba))
+- return bnx2fc_stats;
++ goto unlock_stats_mutex;
+ rc = wait_for_completion_timeout(&hba->stat_req_done, (2 * HZ));
+ if (!rc) {
+ BNX2FC_HBA_DBG(lport, "FW stat req timed out\n");
+- return bnx2fc_stats;
++ goto unlock_stats_mutex;
+ }
+ BNX2FC_STATS(hba, rx_stat2, fc_crc_cnt);
+ bnx2fc_stats->invalid_crc_count += hba->bfw_stats.fc_crc_cnt;
+@@ -700,6 +702,9 @@ static struct fc_host_statistics *bnx2fc
+
+ memcpy(&hba->prev_stats, hba->stats_buffer,
+ sizeof(struct fcoe_statistics_params));
++
++unlock_stats_mutex:
++ mutex_unlock(&hba->hba_stats_mutex);
+ return bnx2fc_stats;
+ }
+
+@@ -1348,6 +1353,7 @@ static struct bnx2fc_hba *bnx2fc_hba_cre
+ }
+ spin_lock_init(&hba->hba_lock);
+ mutex_init(&hba->hba_mutex);
++ mutex_init(&hba->hba_stats_mutex);
+
+ hba->cnic = cnic;
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Varun Prakash <varun@chelsio.com>
+Date: Wed, 17 May 2017 20:30:43 +0530
+Subject: scsi: csiostor: fix use after free in csio_hw_use_fwconfig()
+
+From: Varun Prakash <varun@chelsio.com>
+
+
+[ Upstream commit a351e40b6de550049423a26f7ded7b639e363d89 ]
+
+mbp pointer is passed to csio_hw_validate_caps() so call mempool_free()
+after calling csio_hw_validate_caps().
+
+Signed-off-by: Varun Prakash <varun@chelsio.com>
+Fixes: 541c571fa2fd ("csiostor:Use firmware version from cxgb4/t4fw_version.h")
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/csiostor/csio_hw.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/csiostor/csio_hw.c
++++ b/drivers/scsi/csiostor/csio_hw.c
+@@ -1769,7 +1769,6 @@ csio_hw_use_fwconfig(struct csio_hw *hw,
+ goto bye;
+ }
+
+- mempool_free(mbp, hw->mb_mempool);
+ if (finicsum != cfcsum) {
+ csio_warn(hw,
+ "Config File checksum mismatch: csum=%#x, computed=%#x\n",
+@@ -1780,6 +1779,10 @@ csio_hw_use_fwconfig(struct csio_hw *hw,
+ rv = csio_hw_validate_caps(hw, mbp);
+ if (rv != 0)
+ goto bye;
++
++ mempool_free(mbp, hw->mb_mempool);
++ mbp = NULL;
++
+ /*
+ * Note that we're operating with parameters
+ * not supplied by the driver, rather than from hard-wired
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Rafael David Tinoco <rafael.tinoco@canonical.com>
+Date: Thu, 7 Dec 2017 19:59:13 -0200
+Subject: scsi: libiscsi: Allow sd_shutdown on bad transport
+
+From: Rafael David Tinoco <rafael.tinoco@canonical.com>
+
+
+[ Upstream commit d754941225a7dbc61f6dd2173fa9498049f9a7ee ]
+
+If, for any reason, userland shuts down iscsi transport interfaces
+before proper logouts - like when logging in to LUNs manually, without
+logging out on server shutdown, or when automated scripts can't
+umount/logout from logged LUNs - kernel will hang forever on its
+sd_sync_cache() logic, after issuing the SYNCHRONIZE_CACHE cmd to all
+still existent paths.
+
+PID: 1 TASK: ffff8801a69b8000 CPU: 1 COMMAND: "systemd-shutdow"
+ #0 [ffff8801a69c3a30] __schedule at ffffffff8183e9ee
+ #1 [ffff8801a69c3a80] schedule at ffffffff8183f0d5
+ #2 [ffff8801a69c3a98] schedule_timeout at ffffffff81842199
+ #3 [ffff8801a69c3b40] io_schedule_timeout at ffffffff8183e604
+ #4 [ffff8801a69c3b70] wait_for_completion_io_timeout at ffffffff8183fc6c
+ #5 [ffff8801a69c3bd0] blk_execute_rq at ffffffff813cfe10
+ #6 [ffff8801a69c3c88] scsi_execute at ffffffff815c3fc7
+ #7 [ffff8801a69c3cc8] scsi_execute_req_flags at ffffffff815c60fe
+ #8 [ffff8801a69c3d30] sd_sync_cache at ffffffff815d37d7
+ #9 [ffff8801a69c3da8] sd_shutdown at ffffffff815d3c3c
+
+This happens because iscsi_eh_cmd_timed_out(), the transport layer
+timeout helper, would tell the queue timeout function (scsi_times_out)
+to reset the request timer over and over, until the session state is
+back to logged in state. Unfortunately, during server shutdown, this
+might never happen again.
+
+Other option would be "not to handle" the issue in the transport
+layer. That would trigger the error handler logic, which would also need
+the session state to be logged in again.
+
+Best option, for such case, is to tell upper layers that the command was
+handled during the transport layer error handler helper, marking it as
+DID_NO_CONNECT, which will allow completion and inform about the
+problem.
+
+After the session was marked as ISCSI_STATE_FAILED, due to the first
+timeout during the server shutdown phase, all subsequent cmds will fail
+to be queued, allowing upper logic to fail faster.
+
+Signed-off-by: Rafael David Tinoco <rafael.tinoco@canonical.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/libiscsi.c | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -1695,6 +1695,15 @@ int iscsi_queuecommand(struct Scsi_Host
+ */
+ switch (session->state) {
+ case ISCSI_STATE_FAILED:
++ /*
++ * cmds should fail during shutdown, if the session
++ * state is bad, allowing completion to happen
++ */
++ if (unlikely(system_state != SYSTEM_RUNNING)) {
++ reason = FAILURE_SESSION_FAILED;
++ sc->result = DID_NO_CONNECT << 16;
++ break;
++ }
+ case ISCSI_STATE_IN_RECOVERY:
+ reason = FAILURE_SESSION_IN_RECOVERY;
+ sc->result = DID_IMM_RETRY << 16;
+@@ -1980,6 +1989,19 @@ static enum blk_eh_timer_return iscsi_eh
+
+ if (session->state != ISCSI_STATE_LOGGED_IN) {
+ /*
++ * During shutdown, if session is prematurely disconnected,
++ * recovery won't happen and there will be hung cmds. Not
++ * handling cmds would trigger EH, also bad in this case.
++ * Instead, handle cmd, allow completion to happen and let
++ * upper layer to deal with the result.
++ */
++ if (unlikely(system_state != SYSTEM_RUNNING)) {
++ sc->result = DID_NO_CONNECT << 16;
++ ISCSI_DBG_EH(session, "sc on shutdown, handled\n");
++ rc = BLK_EH_HANDLED;
++ goto done;
++ }
++ /*
+ * We are probably in the middle of iscsi recovery so let
+ * that complete and handle the error.
+ */
+@@ -2083,7 +2105,7 @@ done:
+ task->last_timeout = jiffies;
+ spin_unlock(&session->frwd_lock);
+ ISCSI_DBG_EH(session, "return %s\n", rc == BLK_EH_RESET_TIMER ?
+- "timer reset" : "nh");
++ "timer reset" : "shutdown or nh");
+ return rc;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Jason Yan <yanaijie@huawei.com>
+Date: Thu, 4 Jan 2018 21:04:32 +0800
+Subject: scsi: libsas: fix error when getting phy events
+
+From: Jason Yan <yanaijie@huawei.com>
+
+
+[ Upstream commit 2b23d9509fd7174b362482cf5f3b5f9a2265bc33 ]
+
+The intend purpose here was to goto out if smp_execute_task() returned
+error. Obviously something got screwed up. We will never get these link
+error statistics below:
+
+~:/sys/class/sas_phy/phy-1:0:12 # cat invalid_dword_count
+0
+~:/sys/class/sas_phy/phy-1:0:12 # cat running_disparity_error_count
+0
+~:/sys/class/sas_phy/phy-1:0:12 # cat loss_of_dword_sync_count
+0
+~:/sys/class/sas_phy/phy-1:0:12 # cat phy_reset_problem_count
+0
+
+Obviously we should goto error handler if smp_execute_task() returns
+non-zero.
+
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+CC: John Garry <john.garry@huawei.com>
+CC: chenqilin <chenqilin2@huawei.com>
+CC: chenxiang <chenxiang66@hisilicon.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/libsas/sas_expander.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -675,7 +675,7 @@ int sas_smp_get_phy_events(struct sas_ph
+ res = smp_execute_task(dev, req, RPEL_REQ_SIZE,
+ resp, RPEL_RESP_SIZE);
+
+- if (!res)
++ if (res)
+ goto out;
+
+ phy->invalid_dword_count = scsi_to_u32(&resp[12]);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Jason Yan <yanaijie@huawei.com>
+Date: Thu, 4 Jan 2018 21:04:31 +0800
+Subject: scsi: libsas: fix memory leak in sas_smp_get_phy_events()
+
+From: Jason Yan <yanaijie@huawei.com>
+
+
+[ Upstream commit 4a491b1ab11ca0556d2fda1ff1301e862a2d44c4 ]
+
+We've got a memory leak with the following producer:
+
+while true;
+do cat /sys/class/sas_phy/phy-1:0:12/invalid_dword_count >/dev/null;
+done
+
+The buffer req is allocated and not freed after we return. Fix it.
+
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+CC: John Garry <john.garry@huawei.com>
+CC: chenqilin <chenqilin2@huawei.com>
+CC: chenxiang <chenxiang66@hisilicon.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/libsas/sas_expander.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -684,6 +684,7 @@ int sas_smp_get_phy_events(struct sas_ph
+ phy->phy_reset_problem_count = scsi_to_u32(&resp[24]);
+
+ out:
++ kfree(req);
+ kfree(resp);
+ return res;
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: chenxiang <chenxiang66@hisilicon.com>
+Date: Thu, 4 Jan 2018 21:04:33 +0800
+Subject: scsi: libsas: initialize sas_phy status according to response of DISCOVER
+
+From: chenxiang <chenxiang66@hisilicon.com>
+
+
+[ Upstream commit affc67788fe5dfffad5cda3d461db5cf2b2ff2b0 ]
+
+The status of SAS PHY is in sas_phy->enabled. There is an issue that the
+status of a remote SAS PHY may be initialized incorrectly: if disable
+remote SAS PHY through sysfs interface (such as echo 0 >
+/sys/class/sas_phy/phy-1:0:0/enable), then reboot the system, and we
+will find the status of remote SAS PHY which is disabled before is
+1 (cat /sys/class/sas_phy/phy-1:0:0/enable). But actually the status of
+remote SAS PHY is disabled and the device attached is not found.
+
+In SAS protocol, NEGOTIATED LOGICAL LINK RATE field of DISCOVER response
+is 0x1 when remote SAS PHY is disabled. So initialize sas_phy->enabled
+according to the value of NEGOTIATED LOGICAL LINK RATE field.
+
+Signed-off-by: chenxiang <chenxiang66@hisilicon.com>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/libsas/sas_expander.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -282,6 +282,7 @@ static void sas_set_ex_phy(struct domain
+ phy->phy->minimum_linkrate = dr->pmin_linkrate;
+ phy->phy->maximum_linkrate = dr->pmax_linkrate;
+ phy->phy->negotiated_linkrate = phy->linkrate;
++ phy->phy->enabled = (phy->linkrate != SAS_PHY_DISABLED);
+
+ skip:
+ if (new_phy)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Chaitra P B <chaitra.basappa@broadcom.com>
+Date: Wed, 27 Dec 2017 23:09:11 -0800
+Subject: scsi: mpt3sas: Proper handling of set/clear of "ATA command pending" flag.
+
+From: Chaitra P B <chaitra.basappa@broadcom.com>
+
+
+[ Upstream commit f49d4aed1315a7b766d855f1367142e682b0cc87 ]
+
+1. In IO path, setting of "ATA command pending" flag early before device
+ removal, invalid device handle etc., checks causes any new commands
+ to be always returned with SAM_STAT_BUSY and when the driver removes
+ the drive the SML issues SYNC Cache command and that command is
+ always returned with SAM_STAT_BUSY and thus making SYNC Cache command
+ to requeued.
+
+2. If the driver gets an ATA PT command for a SATA drive then the driver
+ set "ATA command pending" flag in device specific data structure not
+ to allow any further commands until the ATA PT command is completed.
+ However, after setting the flag if the driver decides to return the
+ command back to upper layers without actually issuing to the firmware
+ (i.e., returns from qcmd failure return paths) then the corresponding
+ flag is not cleared and this prevents the driver from sending any new
+ commands to the drive.
+
+This patch fixes above two issues by setting of "ATA command pending"
+flag after checking for whether device deleted, invalid device handle,
+device busy with task management. And by setting "ATA command pending"
+flag to false in all of the qcmd failure return paths after setting the
+flag.
+
+Signed-off-by: Chaitra P B <chaitra.basappa@broadcom.com>
+Signed-off-by: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -4065,19 +4065,6 @@ scsih_qcmd(struct Scsi_Host *shost, stru
+ return 0;
+ }
+
+- /*
+- * Bug work around for firmware SATL handling. The loop
+- * is based on atomic operations and ensures consistency
+- * since we're lockless at this point
+- */
+- do {
+- if (test_bit(0, &sas_device_priv_data->ata_command_pending)) {
+- scmd->result = SAM_STAT_BUSY;
+- scmd->scsi_done(scmd);
+- return 0;
+- }
+- } while (_scsih_set_satl_pending(scmd, true));
+-
+ sas_target_priv_data = sas_device_priv_data->sas_target;
+
+ /* invalid device handle */
+@@ -4103,6 +4090,19 @@ scsih_qcmd(struct Scsi_Host *shost, stru
+ sas_device_priv_data->block)
+ return SCSI_MLQUEUE_DEVICE_BUSY;
+
++ /*
++ * Bug work around for firmware SATL handling. The loop
++ * is based on atomic operations and ensures consistency
++ * since we're lockless at this point
++ */
++ do {
++ if (test_bit(0, &sas_device_priv_data->ata_command_pending)) {
++ scmd->result = SAM_STAT_BUSY;
++ scmd->scsi_done(scmd);
++ return 0;
++ }
++ } while (_scsih_set_satl_pending(scmd, true));
++
+ if (scmd->sc_data_direction == DMA_FROM_DEVICE)
+ mpi_control = MPI2_SCSIIO_CONTROL_READ;
+ else if (scmd->sc_data_direction == DMA_TO_DEVICE)
+@@ -4124,6 +4124,7 @@ scsih_qcmd(struct Scsi_Host *shost, stru
+ if (!smid) {
+ pr_err(MPT3SAS_FMT "%s: failed obtaining a smid\n",
+ ioc->name, __func__);
++ _scsih_set_satl_pending(scmd, false);
+ goto out;
+ }
+ mpi_request = mpt3sas_base_get_msg_frame(ioc, smid);
+@@ -4154,6 +4155,7 @@ scsih_qcmd(struct Scsi_Host *shost, stru
+ if (mpi_request->DataLength) {
+ if (ioc->build_sg_scmd(ioc, scmd, smid)) {
+ mpt3sas_base_free_smid(ioc, smid);
++ _scsih_set_satl_pending(scmd, false);
+ goto out;
+ }
+ } else
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sat, 10 Jun 2017 14:56:56 +0800
+Subject: sctp: fix recursive locking warning in sctp_do_peeloff
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 6dfe4b97e08ec3d1a593fdaca099f0ef0a3a19e6 ]
+
+Dmitry got the following recursive locking report while running syzkaller
+fuzzer, the Call Trace:
+ __dump_stack lib/dump_stack.c:16 [inline]
+ dump_stack+0x2ee/0x3ef lib/dump_stack.c:52
+ print_deadlock_bug kernel/locking/lockdep.c:1729 [inline]
+ check_deadlock kernel/locking/lockdep.c:1773 [inline]
+ validate_chain kernel/locking/lockdep.c:2251 [inline]
+ __lock_acquire+0xef2/0x3430 kernel/locking/lockdep.c:3340
+ lock_acquire+0x2a1/0x630 kernel/locking/lockdep.c:3755
+ lock_sock_nested+0xcb/0x120 net/core/sock.c:2536
+ lock_sock include/net/sock.h:1460 [inline]
+ sctp_close+0xcd/0x9d0 net/sctp/socket.c:1497
+ inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
+ inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432
+ sock_release+0x8d/0x1e0 net/socket.c:597
+ __sock_create+0x38b/0x870 net/socket.c:1226
+ sock_create+0x7f/0xa0 net/socket.c:1237
+ sctp_do_peeloff+0x1a2/0x440 net/sctp/socket.c:4879
+ sctp_getsockopt_peeloff net/sctp/socket.c:4914 [inline]
+ sctp_getsockopt+0x111a/0x67e0 net/sctp/socket.c:6628
+ sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2690
+ SYSC_getsockopt net/socket.c:1817 [inline]
+ SyS_getsockopt+0x240/0x380 net/socket.c:1799
+ entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+This warning is caused by the lock held by sctp_getsockopt() is on one
+socket, while the other lock that sctp_close() is getting later is on
+the newly created (which failed) socket during peeloff operation.
+
+This patch is to avoid this warning by use lock_sock with subclass
+SINGLE_DEPTH_NESTING as Wang Cong and Marcelo's suggestion.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Suggested-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Suggested-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1519,7 +1519,7 @@ static void sctp_close(struct sock *sk,
+
+ pr_debug("%s: sk:%p, timeout:%ld\n", __func__, sk, timeout);
+
+- lock_sock(sk);
++ lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
+ sk->sk_shutdown = SHUTDOWN_MASK;
+ sk->sk_state = SCTP_SS_CLOSING;
+
+@@ -1569,7 +1569,7 @@ static void sctp_close(struct sock *sk,
+ * held and that should be grabbed before socket lock.
+ */
+ spin_lock_bh(&net->sctp.addr_wq_lock);
+- bh_lock_sock(sk);
++ bh_lock_sock_nested(sk);
+
+ /* Hold the sock, since sk_common_release() will put sock_put()
+ * and we have just a little more cleanup.
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Thu, 11 Jan 2018 15:51:58 +0200
+Subject: sdhci: Advertise 2.0v supply on SDIO host controller
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+
+[ Upstream commit 2a609abe71ca59e4bd7139e161eaca2144ae6f2e ]
+
+On Intel Edison the Broadcom Wi-Fi card, which is connected to SDIO,
+requires 2.0v, while the host, according to Intel Merrifield TRM,
+supports 1.8v supply only.
+
+The card announces itself as
+
+ mmc2: new ultra high speed DDR50 SDIO card at address 0001
+
+Introduce a custom OCR mask for SDIO host controller on Intel Merrifield
+and add a special case to sdhci_set_power_noreg() to override 2.0v supply
+by enforcing 1.8v power choice.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pci-core.c | 2 ++
+ drivers/mmc/host/sdhci.c | 7 +++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-pci-core.c
++++ b/drivers/mmc/host/sdhci-pci-core.c
+@@ -492,6 +492,8 @@ static int intel_mrfld_mmc_probe_slot(st
+ slot->host->quirks2 |= SDHCI_QUIRK2_NO_1_8_V;
+ break;
+ case INTEL_MRFLD_SDIO:
++ /* Advertise 2.0v for compatibility with the SDIO card's OCR */
++ slot->host->ocr_mask = MMC_VDD_20_21 | MMC_VDD_165_195;
+ slot->host->mmc->caps |= MMC_CAP_NONREMOVABLE |
+ MMC_CAP_POWER_OFF_CARD;
+ break;
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -1404,6 +1404,13 @@ void sdhci_set_power_noreg(struct sdhci_
+ if (mode != MMC_POWER_OFF) {
+ switch (1 << vdd) {
+ case MMC_VDD_165_195:
++ /*
++ * Without a regulator, SDHCI does not support 2.0v
++ * so we only get here if the driver deliberately
++ * added the 2.0v range to ocr_avail. Map it to 1.8v
++ * for the purpose of turning on the power.
++ */
++ case MMC_VDD_20_21:
+ pwr = SDHCI_POWER_180;
+ break;
+ case MMC_VDD_29_30:
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "Mickaël Salaün" <mic@digikod.net>
+Date: Sun, 11 Jun 2017 14:32:58 +0200
+Subject: selftests: kselftest_harness: Fix compile warning
+
+From: "Mickaël Salaün" <mic@digikod.net>
+
+
+[ Upstream commit 34a048cc06802556e5f96f325dc32cc2f6a11225 ]
+
+Do not confuse the compiler with a semicolon preceding a block. Replace
+the semicolon with an empty block to avoid a warning:
+
+ gcc -Wl,-no-as-needed -Wall -lpthread seccomp_bpf.c -o /.../linux/tools/testing/selftests/seccomp/seccomp_bpf
+ In file included from seccomp_bpf.c:40:0:
+ seccomp_bpf.c: In function ‘change_syscall’:
+ ../kselftest_harness.h:558:2: warning: this ‘for’ clause does not guard... [-Wmisleading-indentation]
+ for (; _metadata->trigger; _metadata->trigger = __bail(_assert))
+ ^
+ ../kselftest_harness.h:574:14: note: in expansion of macro ‘OPTIONAL_HANDLER’
+ } while (0); OPTIONAL_HANDLER(_assert)
+ ^~~~~~~~~~~~~~~~
+ ../kselftest_harness.h:440:2: note: in expansion of macro ‘__EXPECT’
+ __EXPECT(expected, seen, ==, 0)
+ ^~~~~~~~
+ seccomp_bpf.c:1313:2: note: in expansion of macro ‘EXPECT_EQ’
+ EXPECT_EQ(0, ret);
+ ^~~~~~~~~
+ seccomp_bpf.c:1317:2: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘for’
+ {
+ ^
+
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Shuah Khan <shuahkh@osg.samsung.com>
+Cc: Will Drewry <wad@chromium.org>
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
+@@ -1318,7 +1318,7 @@ void change_syscall(struct __test_metada
+ iov.iov_len = sizeof(regs);
+ ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov);
+ #endif
+- EXPECT_EQ(0, ret);
++ EXPECT_EQ(0, ret) {}
+
+ #if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \
+ defined(__s390__) || defined(__hppa__)
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Fri, 19 May 2017 11:29:04 +1000
+Subject: selftests/powerpc: Fix TM resched DSCR test with some compilers
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+
+[ Upstream commit fe06fe860250a4f01d0eaf70a2563b1997174a74 ]
+
+The tm-resched-dscr test has started failing sometimes, depending on
+what compiler it's built with, eg:
+
+ test: tm_resched_dscr
+ Check DSCR TM context switch: tm-resched-dscr: tm-resched-dscr.c:76: test_body: Assertion `rv' failed.
+ !! child died by signal 6
+
+When it fails we see that the compiler doesn't initialise rv to 1 before
+entering the inline asm block. Although that's counter intuitive, it
+is allowed because we tell the compiler that the inline asm will write
+to rv (using "=r"), meaning the original value is irrelevant.
+
+Marking it as a read/write parameter would presumably work, but it seems
+simpler to fix it by setting the initial value of rv in the inline asm.
+
+Fixes: 96d016108640 ("powerpc: Correct DSCR during TM context switch")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/powerpc/tm/tm-resched-dscr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c
++++ b/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c
+@@ -42,12 +42,12 @@ int test_body(void)
+ printf("Check DSCR TM context switch: ");
+ fflush(stdout);
+ for (;;) {
+- rv = 1;
+ asm __volatile__ (
+ /* set a known value into the DSCR */
+ "ld 3, %[dscr1];"
+ "mtspr %[sprn_dscr], 3;"
+
++ "li %[rv], 1;"
+ /* start and suspend a transaction */
+ "tbegin.;"
+ "beq 1f;"
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Fri, 12 May 2017 12:41:24 -0400
+Subject: selinux: do not check open permission on sockets
+
+From: Stephen Smalley <sds@tycho.nsa.gov>
+
+
+[ Upstream commit ccb544781d34afdb73a9a73ae53035d824d193bf ]
+
+open permission is currently only defined for files in the kernel
+(COMMON_FILE_PERMS rather than COMMON_FILE_SOCK_PERMS). Construction of
+an artificial test case that tries to open a socket via /proc/pid/fd will
+generate a recvfrom avc denial because recvfrom and open happen to map to
+the same permission bit in socket vs file classes.
+
+open of a socket via /proc/pid/fd is not supported by the kernel regardless
+and will ultimately return ENXIO. But we hit the permission check first and
+can thus produce these odd/misleading denials. Omit the open check when
+operating on a socket.
+
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/hooks.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -2033,8 +2033,9 @@ static inline u32 file_to_av(struct file
+ static inline u32 open_file_to_av(struct file *file)
+ {
+ u32 av = file_to_av(file);
++ struct inode *inode = file_inode(file);
+
+- if (selinux_policycap_openperm)
++ if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
+ av |= FILE__OPEN;
+
+ return av;
+@@ -3031,6 +3032,7 @@ static int selinux_inode_permission(stru
+ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
+ {
+ const struct cred *cred = current_cred();
++ struct inode *inode = d_backing_inode(dentry);
+ unsigned int ia_valid = iattr->ia_valid;
+ __u32 av = FILE__WRITE;
+
+@@ -3046,8 +3048,10 @@ static int selinux_inode_setattr(struct
+ ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
+ return dentry_has_perm(cred, dentry, FILE__SETATTR);
+
+- if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
+- && !(ia_valid & ATTR_FILE))
++ if (selinux_policycap_openperm &&
++ inode->i_sb->s_magic != SOCKFS_MAGIC &&
++ (ia_valid & ATTR_SIZE) &&
++ !(ia_valid & ATTR_FILE))
+ av |= FILE__OPEN;
+
+ return dentry_has_perm(cred, dentry, av);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Vignesh R <vigneshr@ti.com>
+Date: Sat, 22 Apr 2017 18:37:19 +0530
+Subject: serial: 8250: omap: Disable DMA for console UART
+
+From: Vignesh R <vigneshr@ti.com>
+
+
+[ Upstream commit 84b40e3b57eef1417479c00490dd4c9f6e5ffdbc ]
+
+Kernel always writes log messages to console via
+serial8250_console_write()->serial8250_console_putchar() which directly
+accesses UART_TX register _without_ using DMA.
+
+But, if other processes like systemd using same UART port, then these
+writes are handled by a different code flow using 8250_omap driver where
+there is provision to use DMA.
+
+It seems that it is possible that both DMA and CPU might simultaneously
+put data to UART FIFO and lead to potential loss of data due to FIFO
+overflow and weird data corruption. This happens when both kernel
+console and userspace tries to write simultaneously to the same UART
+port. Therefore, disable DMA on kernel console port to avoid potential
+race between CPU and DMA.
+
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_omap.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -613,6 +613,10 @@ static int omap_8250_startup(struct uart
+ up->lsr_saved_flags = 0;
+ up->msr_saved_flags = 0;
+
++ /* Disable DMA for console UART */
++ if (uart_console(port))
++ up->dma = NULL;
++
+ if (up->dma) {
+ ret = serial8250_request_dma(up);
+ if (ret) {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 25 Apr 2017 20:15:35 +0200
+Subject: serial: sh-sci: Fix race condition causing garbage during shutdown
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+
+[ Upstream commit 1cf4a7efdc71cab84c42cfea7200608711ea954f ]
+
+If DMA is enabled and used, a burst of old data may be seen on the
+serial console during "poweroff" or "reboot". uart_flush_buffer()
+clears the circular buffer, but sci_port.tx_dma_len is not reset.
+This leads to a circular buffer overflow, dumping (UART_XMIT_SIZE -
+sci_port.tx_dma_len) bytes.
+
+To fix this, add a .flush_buffer() callback that resets
+sci_port.tx_dma_len.
+
+Inspired by commit 31ca2c63fdc0aee7 ("tty/serial: atmel: fix race
+condition (TX+DMA)").
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sh-sci.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -1545,7 +1545,16 @@ static void sci_free_dma(struct uart_por
+ if (s->chan_rx)
+ sci_rx_dma_release(s, false);
+ }
+-#else
++
++static void sci_flush_buffer(struct uart_port *port)
++{
++ /*
++ * In uart_flush_buffer(), the xmit circular buffer has just been
++ * cleared, so we have to reset tx_dma_len accordingly.
++ */
++ to_sci_port(port)->tx_dma_len = 0;
++}
++#else /* !CONFIG_SERIAL_SH_SCI_DMA */
+ static inline void sci_request_dma(struct uart_port *port)
+ {
+ }
+@@ -1553,7 +1562,9 @@ static inline void sci_request_dma(struc
+ static inline void sci_free_dma(struct uart_port *port)
+ {
+ }
+-#endif
++
++#define sci_flush_buffer NULL
++#endif /* !CONFIG_SERIAL_SH_SCI_DMA */
+
+ static irqreturn_t sci_rx_interrupt(int irq, void *ptr)
+ {
+@@ -2551,6 +2562,7 @@ static const struct uart_ops sci_uart_op
+ .break_ctl = sci_break_ctl,
+ .startup = sci_startup,
+ .shutdown = sci_shutdown,
++ .flush_buffer = sci_flush_buffer,
+ .set_termios = sci_set_termios,
+ .pm = sci_pm,
+ .type = sci_type,
--- /dev/null
+qed-fix-overriding-of-supported-autoneg-value.patch
+cfg80211-make-rate_info_bw_20-the-default.patch
+md-raid5-make-use-of-spin_lock_irq-over-local_irq_disable-spin_lock.patch
+rtc-snvs-fix-an-incorrect-check-of-return-value.patch
+x86-asm-don-t-use-rbp-as-a-temporary-register-in-csum_partial_copy_generic.patch
+x86-mm-kaslr-use-the-_asm_mul-macro-for-multiplication-to-work-around-clang-incompatibility.patch
+ovl-persistent-inode-numbers-for-upper-hardlinks.patch
+nfsv4.1-reclaim_complete-must-handle-nfs4err_conn_not_bound_to_session.patch
+x86-boot-declare-error-as-noreturn.patch
+ib-srpt-fix-abort-handling.patch
+ib-srpt-avoid-that-aborting-a-command-triggers-a-kernel-warning.patch
+af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch
+mac80211-bail-out-from-prep_connection-if-a-reconfig-is-ongoing.patch
+bna-avoid-reading-past-end-of-buffer.patch
+qlge-avoid-reading-past-end-of-buffer.patch
+ubi-fastmap-fix-slab-corruption.patch
+ipmi_ssif-unlock-on-allocation-failure.patch
+net-cdc_ncm-fix-tx-zero-padding.patch
+net-ethernet-ti-cpsw-adjust-cpsw-fifos-depth-for-fullduplex-flow-control.patch
+lockd-fix-lockd-shutdown-race.patch
+drivers-misc-vmw_vmci-vmci_queue_pair.c-fix-a-couple-integer-overflow-tests.patch
+pidns-disable-pid-allocation-if-pid_ns_prepare_proc-is-failed-in-alloc_pid.patch
+s390-move-_text-symbol-to-address-higher-than-zero.patch
+net-mlx4_en-avoid-adding-steering-rules-with-invalid-ring.patch
+qed-correct-doorbell-configuration-for-4kb-pages.patch
+nfsv4.1-work-around-a-linux-server-bug.patch
+cifs-silence-lockdep-splat-in-cifs_relock_file.patch
+perf-callchain-force-user_ds-when-invoking-perf_callchain_user.patch
+blk-mq-nvme-512b-4k-t10-dif-dix-format-returns-i-o-error-on-dd-with-split-op.patch
+net-qca_spi-fix-alignment-issues-in-rx-path.patch
+netxen_nic-set-rcode-to-the-return-status-from-the-call-to-netxen_issue_cmd.patch
+mdio-mux-correct-mdio_mux_init-error-path-issues.patch
+input-elan_i2c-check-if-device-is-there-before-really-probing.patch
+input-elantech-force-relative-mode-on-a-certain-module.patch
+kvm-ppc-book3s-pr-check-copy_to-from_user-return-values.patch
+irqchip-mbigen-fix-the-clear-register-offset-calculation.patch
+vmxnet3-ensure-that-adapter-is-in-proper-state-during-force_close.patch
+mm-vmstat-remove-spurious-warn-during-zoneinfo-print.patch
+smb2-fix-share-type-handling.patch
+bus-brcmstb_gisb-use-register-offsets-with-writes-too.patch
+bus-brcmstb_gisb-correct-support-for-64-bit-address-output.patch
+powercap-fix-an-error-code-in-powercap_register_zone.patch
+iio-pressure-zpa2326-report-interrupted-case-as-failure.patch
+arm-dts-imx53-qsrb-pulldown-pmic-irq-pin.patch
+staging-wlan-ng-prism2mgmt.c-fixed-a-double-endian-conversion-before-calling-hfa384x_drvr_setconfig16-also-fixes-relative-sparse-warning.patch
+clk-renesas-rcar-gen2-fix-pll0-on-r-car-v2h-and-e2.patch
+x86-tsc-provide-tsc-unstable-boot-parameter.patch
+powerpc-modules-if-mprofile-kernel-is-enabled-add-it-to-vermagic.patch
+arm-dts-imx6qdl-wandboard-fix-audio-channel-swap.patch
+i2c-mux-reg-put-away-the-parent-i2c-adapter-on-probe-failure.patch
+arm64-perf-ignore-exclude_hv-when-kernel-is-running-in-hyp.patch
+mdio-mux-fix-device_node_continue.cocci-warnings.patch
+ipv6-avoid-dad-failures-for-addresses-with-nodad.patch
+async_tx-fix-dma_prep_fence-usage-in-do_async_gen_syndrome.patch
+kvm-arm-restore-banked-registers-and-physical-timer-access-on-hyp_panic.patch
+kvm-arm64-restore-host-physical-timer-access-on-hyp_panic.patch
+usb-dwc3-keystone-check-return-value.patch
+btrfs-fix-incorrect-error-return-ret-being-passed-to-mapping_set_error.patch
+ata-libahci-properly-propagate-return-value-of-platform_get_irq.patch
+ipmr-vrf-find-vifs-using-the-actual-device.patch
+uio-fix-incorrect-memory-leak-cleanup.patch
+neighbour-update-neigh-timestamps-iff-update-is-effective.patch
+arp-honour-gratuitous-arp-_replies_.patch
+arm-dts-rockchip-fix-rk322x-i2s1-pinctrl-error.patch
+usb-chipidea-properly-handle-host-or-gadget-initialization-failure.patch
+pxa_camera-fix-module-remove-codepath-for-v4l2-clock.patch
+usb-ene_usb6250-fix-first-command-execution.patch
+net-x25-fix-one-potential-use-after-free-issue.patch
+usb-ene_usb6250-fix-scsi-residue-overwriting.patch
+serial-8250-omap-disable-dma-for-console-uart.patch
+serial-sh-sci-fix-race-condition-causing-garbage-during-shutdown.patch
+net-wan-fsl_ucc_hdlc-fix-unitialized-variable-warnings.patch
+net-wan-fsl_ucc_hdlc-fix-incorrect-memory-allocation.patch
+fsl-qe-add-bit-description-for-synl-register-for-gumr.patch
+sh_eth-use-platform-device-for-printing-before-register_netdev.patch
+mlxsw-spectrum-avoid-possible-null-pointer-dereference.patch
+scsi-csiostor-fix-use-after-free-in-csio_hw_use_fwconfig.patch
+powerpc-mm-fix-virt_addr_valid-etc.-on-64-bit-hash.patch
+ath5k-fix-memory-leak-on-buf-on-failed-eeprom-read.patch
+selftests-powerpc-fix-tm-resched-dscr-test-with-some-compilers.patch
+xfrm-fix-state-migration-copy-replay-sequence-numbers.patch
+asoc-simple-card-fix-mic-jack-initialization.patch
+iio-hi8435-avoid-garbage-event-at-first-enable.patch
+iio-hi8435-cleanup-reset-gpio.patch
+iio-light-rpr0521-poweroff-for-probe-fails.patch
+ext4-handle-the-rest-of-ext4_mb_load_buddy-enomem-errors.patch
+md-cluster-fix-potential-lock-issue-in-add_new_disk.patch
+arm-davinci-da8xx-create-dsp-device-only-when-assigned-memory.patch
+ray_cs-avoid-reading-past-end-of-buffer.patch
+net-wan-fsl_ucc_hdlc-fix-muram-allocation-error.patch
+leds-pca955x-correct-i2c-functionality.patch
+perf-core-fix-error-handling-in-perf_event_alloc.patch
+sched-numa-use-down_read_trylock-for-the-mmap_sem.patch
+gpio-crystalcove-do-not-write-regular-gpio-registers-for-virtual-gpios.patch
+net-mlx5-tolerate-irq_set_affinity_hint-failures.patch
+selinux-do-not-check-open-permission-on-sockets.patch
+block-fix-an-error-code-in-add_partition.patch
+mlx5-fix-bug-reading-rss_hash_type-from-cqe.patch
+net-ieee802154-fix-net_device-reference-release-too-early.patch
+libceph-null-deref-on-crush_decode-error-path.patch
+perf-report-fix-off-by-one-for-non-activation-frames.patch
+netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch
+pnfs-flexfiles-missing-error-code-in-ff_layout_alloc_lseg.patch
+asoc-rsnd-ssi-pio-adjust-to-24bit-mode.patch
+scsi-bnx2fc-fix-race-condition-in-bnx2fc_get_host_stats.patch
+fix-race-in-drivers-char-random.c-get_reg.patch
+ext4-fix-off-by-one-on-max-nr_pages-in-ext4_find_unwritten_pgoff.patch
+arm64-pci-fix-struct-acpi_pci_root_ops-allocation-failure-path.patch
+tcp-better-validation-of-received-ack-sequences.patch
+net-move-somaxconn-init-from-sysctl-code.patch
+input-elan_i2c-clear-int-before-resetting-controller.patch
+bonding-don-t-update-slave-link-until-ready-to-commit.patch
+cpuhotplug-link-lock-stacks-for-hotplug-callbacks.patch
+pci-msi-fix-the-pci_alloc_irq_vectors_affinity-stub.patch
+kvm-x86-fix-preempt-the-preemption-timer-cancel.patch
+kvm-nvmx-fix-handling-of-lmsw-instruction.patch
+net-llc-add-lock_sock-in-llc_ui_bind-to-avoid-a-race-condition.patch
+drm-msm-take-the-mutex-before-calling-msm_gem_new_impl.patch
+i40iw-fix-sequence-number-for-the-first-partial-fpdu.patch
+i40iw-correct-q1-xf-object-count-equation.patch
+arm-dts-ls1021a-add-fsl-ls1021a-esdhc-compatible-string-to-esdhc-node.patch
+thermal-power_allocator-fix-one-race-condition-issue-for-thermal_instances-list.patch
+perf-probe-add-warning-message-if-there-is-unexpected-event-name.patch
+l2tp-fix-missing-print-session-offset-info.patch
+rds-reset-rs-rs_bound_addr-in-rds_add_bound-failure-path.patch
+acpi-video-default-lcd_only-to-true-on-win8-ready-and-newer-machines.patch
+net-mlx4_en-change-default-qos-settings.patch
+vfs-close-race-between-getcwd-and-d_move.patch
+pm-devfreq-fix-potential-null-pointer-dereference-in-governor_store.patch
+hwmon-ina2xx-make-calibration-register-value-fixed.patch
+media-videobuf2-core-don-t-go-out-of-the-buffer-range.patch
+asoc-intel-skylake-disable-clock-gating-during-firmware-and-library-download.patch
+asoc-intel-cht_bsw_rt5645-analog-mic-support.patch
+scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch
+scsi-mpt3sas-proper-handling-of-set-clear-of-ata-command-pending-flag.patch
+irqchip-gic-v3-fix-the-driver-probe-fail-due-to-disabled-gicc-entry.patch
+acpi-ec-fix-debugfs_create_-usage.patch
+mac80211-fix-setting-tx-power-on-monitor-interfaces.patch
+vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch
+gpio-label-descriptors-using-the-device-name.patch
+ib-rdmavt-allocate-cq-memory-on-the-correct-node.patch
+blk-mq-fix-race-between-updating-nr_hw_queues-and-switching-io-sched.patch
+backlight-tdo24m-fix-the-spi-cs-between-transfers.patch
+pinctrl-baytrail-enable-glitch-filter-for-gpios-used-as-interrupts.patch
+asoc-intel-sst-fix-the-return-value-of-sst_send_byte_stream_mrfld.patch
+rt2x00-do-not-pause-queue-unconditionally-on-error-path.patch
+wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch
+hdlcdrv-fix-divide-by-zero-in-hdlcdrv_ioctl.patch
+x86-efi-disable-runtime-services-on-kexec-kernel-if-booted-with-efi-old_map.patch
+netfilter-conntrack-don-t-call-iter-for-non-confirmed-conntracks.patch
+hid-i2c-call-acpi_device_fix_up_power-for-acpi-enumerated-devices.patch
+ovl-filter-trusted-xattr-for-non-admin.patch
+powerpc-don-t-clobber-tcr-when-setting-tcr.patch
+dmaengine-imx-sdma-handle-return-value-of-clk_prepare_enable.patch
+backlight-report-error-on-failure.patch
+arm64-futex-fix-undefined-behaviour-with-futex_op_oparg_shift-usage.patch
+net-mlx5-avoid-build-warning-for-uniprocessor.patch
+cxgb4-fw-upgrade-fixes.patch
+cxgb4-fix-netdev_features-flag.patch
+rtc-m41t80-fix-sqw-dividers-override-when-setting-a-date.patch
+i40evf-fix-merge-error-in-older-patch.patch
+rtc-opal-handle-disabled-tpo-in-opal_get_tpo_time.patch
+rtc-interface-validate-alarm-time-before-handling-rollover.patch
+sunrpc-ensure-correct-error-is-reported-by-xs_tcp_setup_socket.patch
+net-freescale-fix-potential-null-pointer-dereference.patch
+clk-at91-fix-clk-generated-parenting.patch
+drm-sun4i-ignore-the-generic-connectors-for-components.patch
+dt-bindings-display-sun4i-add-allwinner-tcon-channel-property.patch
+mtd-nand-gpmi-fix-gpmi_nand_init-error-path.patch
+mtd-nand-check-ecc-total-sanity-in-nand_scan_tail.patch
+kvm-svm-do-not-zero-out-segment-attributes-if-segment-is-unusable-or-not-present.patch
+clk-scpi-fix-return-type-of-__scpi_dvfs_round_rate.patch
+clk-fix-__set_clk_rates-error-print-string.patch
+powerpc-spufs-fix-coredump-of-spu-contexts.patch
+drm-amdkfd-null-dereference-involving-create_process.patch
+ath10k-add-bmi-parameters-to-fix-calibration-from-dt-pre-cal.patch
+perf-trace-add-mmap-alias-for-s390.patch
+qlcnic-fix-a-sleep-in-atomic-bug-in-qlcnic_82xx_hw_write_wx_2m-and-qlcnic_82xx_hw_read_wx_2m.patch
+arm64-kernel-restrict-dev-mem-read-calls-to-linear-region.patch
+misdn-fix-a-sleep-in-atomic-bug.patch
+net-phy-micrel-restore-led_mode-and-clk_sel-on-resume.patch
+rdma-iw_cxgb4-avoid-touch-after-free-error-in-arp-failure-handlers.patch
+rdma-hfi1-fix-array-termination-by-appending-null-to-attr-array.patch
+drm-omap-fix-tiled-buffer-stride-calculations.patch
+powerpc-8xx-fix-mpc8xx_get_irq-return-on-no-irq.patch
+cxgb4-fix-incorrect-cim_la-output-for-t6.patch
+fix-serial-console-on-sni-rm400-machines.patch
+bio-integrity-do-not-allocate-integrity-context-for-bio-w-o-data.patch
+ip6_tunnel-fix-traffic-class-routing-for-tunnels.patch
+skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch
+macsec-check-return-value-of-skb_to_sgvec-always.patch
+sit-reload-iphdr-in-ipip6_rcv.patch
+net-mlx4-fix-the-check-in-attaching-steering-rules.patch
+net-mlx4-check-if-granular-qos-per-vf-has-been-enabled-before-updating-qp-qos_vport.patch
+perf-header-set-proper-module-name-when-build-id-event-found.patch
+perf-report-ensure-the-perf-dso-mapping-matches-what-libdw-sees.patch
+iwlwifi-mvm-fix-firmware-debug-restart-recording.patch
+watchdog-f71808e_wdt-add-f71868-support.patch
+iwlwifi-mvm-fix-command-queue-number-on-d0i3-flow.patch
+iwlwifi-tt-move-ucode_loaded-check-under-mutex.patch
+iwlwifi-pcie-only-use-d0i3-in-suspend-resume-if-system_pm-is-set-to-d0i3.patch
+iwlwifi-fix-min-api-version-for-7265d-3168-8000-and-8265.patch
+tags-honor-compiled_source-with-apart-output-directory.patch
+arm-dts-qcom-ipq4019-fix-i2c_0-node.patch
+e1000e-fix-race-condition-around-skb_tstamp_tx.patch
+igb-fix-race-condition-with-ptp_tx_in_progress-bits.patch
+cxl-unlock-on-error-in-probe.patch
+cx25840-fix-unchecked-return-values.patch
+mceusb-sporadic-rx-truncation-corruption-fix.patch
+net-phy-avoid-genphy_aneg_done-for-phys-without-clause-22-support.patch
+arm-imx-add-mxc_cpu_imx6ull-and-cpu_is_imx6ull.patch
+nvme-pci-fix-multiple-ctrl-removal-scheduling.patch
+nvme-fix-hang-in-remove-path.patch
+kvm-nvmx-update-vmcs12-guest_linear_address-on-nested-vm-exit.patch
+e1000e-undo-e1000e_pm_freeze-if-__e1000_shutdown-fails.patch
+perf-core-correct-event-creation-with-perf_format_group.patch
+sched-deadline-use-the-revised-wakeup-rule-for-suspending-constrained-dl-tasks.patch
+mips-mm-fixed-mappings-correct-initialisation.patch
+mips-mm-adjust-pkmap-location.patch
+mips-kprobes-flush_insn_slot-should-flush-only-if-probe-initialised.patch
+arm-dts-armadillo800eva-split-lcd-mux-and-gpio.patch
+fix-loop-device-flush-before-configure-v3.patch
+net-emac-fix-reset-timeout-with-ar8035-phy.patch
+perf-tools-decompress-kernel-module-when-reading-dso-data.patch
+perf-tests-decompress-kernel-module-before-objdump.patch
+skbuff-only-inherit-relevant-tx_flags.patch
+xen-avoid-type-warning-in-xchg_xen_ulong.patch
+x.509-fix-error-code-in-x509_cert_parse.patch
+pinctrl-meson-gxbb-remove-non-existing-pin-gpiox_22.patch
+coresight-fix-reference-count-for-software-sources.patch
+coresight-tmc-configure-dma-mask-appropriately.patch
+stmmac-fix-ptp-header-for-gmac3-hw-timestamp.patch
+geneve-add-missing-rx-stats-accounting.patch
+crypto-omap-sham-buffer-handling-fixes-for-hashing-later.patch
+crypto-omap-sham-fix-closing-of-hash-with-separate-finalize-call.patch
+bnx2x-allow-vfs-to-disable-txvlan-offload.patch
+sctp-fix-recursive-locking-warning-in-sctp_do_peeloff.patch
+net-fec-add-a-fec_enet_clear_ethtool_stats-stub-for-config_m5272.patch
+sparc64-ldc-abort-during-vds-iso-boot.patch
+iio-magnetometer-st_magn_spi-fix-spi_device_id-table.patch
+net-ena-fix-rare-uncompleted-admin-command-false-alarm.patch
+net-ena-fix-race-condition-between-submit-and-completion-admin-command.patch
+net-ena-add-missing-return-when-ena_com_get_io_handlers-fails.patch
+net-ena-add-missing-unmap-bars-on-device-removal.patch
+net-ena-disable-admin-msix-while-working-in-polling-mode.patch
+clk-meson-meson8b-add-compatibles-for-meson8-and-meson8m2.patch
+bluetooth-send-hci-set-event-mask-page-2-command-only-when-needed.patch
+cpuidle-dt-add-missing-of_node_put.patch
+acpica-osl-add-support-to-exclude-stdarg.h.patch
+acpica-events-add-runtime-stub-support-for-event-apis.patch
+acpica-disassembler-abort-on-an-invalid-unknown-aml-opcode.patch
+s390-dasd-fix-hanging-safe-offline.patch
+vxlan-dont-migrate-permanent-fdb-entries-during-learn.patch
+hsr-fix-incorrect-warning.patch
+selftests-kselftest_harness-fix-compile-warning.patch
+drm-vc4-fix-resource-leak-in-vc4_get_hang_state_ioctl-in-error-handling-path.patch
+bcache-stop-writeback-thread-after-detaching.patch
+bcache-segregate-flash-only-volume-write-streams.patch
+scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch
+scsi-libsas-fix-error-when-getting-phy-events.patch
+scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch
+blk-mq-fix-kernel-oops-in-blk_mq_tag_idle.patch
+tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch
+edac-mv64x60-fix-an-error-handling-path.patch
+cxgb4vf-fix-sge-fl-buffer-initialization-logic-for-64k-pages.patch
+sdhci-advertise-2.0v-supply-on-sdio-host-controller.patch
+input-goodix-disable-irqs-while-suspended.patch
+mtd-mtd_oobtest-handle-bitflips-during-reads.patch
+perf-tools-fix-copyfile_offset-update-of-output-offset.patch
+signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch
+signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch
+signal-arm-document-conflicts-with-si_user-and-sigfpe.patch
+ipsec-check-return-value-of-skb_to_sgvec-always.patch
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Thu, 18 May 2017 15:01:34 +0200
+Subject: sh_eth: Use platform device for printing before register_netdev()
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+
+[ Upstream commit 5f5c5449acad0cd3322e53e1ac68c044483b0aa5 ]
+
+The MDIO initialization failure message is printed using the network
+device, before it has been registered, leading to:
+
+ (null): failed to initialise MDIO
+
+Use the platform device instead to fix this:
+
+ sh-eth ee700000.ethernet: failed to initialise MDIO
+
+Fixes: daacf03f0bbfefee ("sh_eth: Register MDIO bus before registering the network device")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -3133,7 +3133,7 @@ static int sh_eth_drv_probe(struct platf
+ /* MDIO bus init */
+ ret = sh_mdio_init(mdp, pd);
+ if (ret) {
+- dev_err(&ndev->dev, "failed to initialise MDIO\n");
++ dev_err(&pdev->dev, "failed to initialise MDIO\n");
+ goto out_release;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Thu, 17 Aug 2017 17:07:46 -0500
+Subject: signal/arm: Document conflicts with SI_USER and SIGFPE
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+
+[ Upstream commit 7771c66457004977b616bab785209f49d164f527 ]
+
+Setting si_code to 0 results in a userspace seeing an si_code of 0.
+This is the same si_code as SI_USER. Posix and common sense requires
+that SI_USER not be a signal specific si_code. As such this use of 0
+for the si_code is a pretty horribly broken ABI.
+
+Further use of si_code == 0 guaranteed that copy_siginfo_to_user saw a
+value of __SI_KILL and now sees a value of SIL_KILL with the result
+that uid and pid fields are copied and which might copying the si_addr
+field by accident but certainly not by design. Making this a very
+flakey implementation.
+
+Utilizing FPE_FIXME, siginfo_layout will now return SIL_FAULT and the
+appropriate fields will be reliably copied.
+
+Possible ABI fixes includee:
+- Send the signal without siginfo
+- Don't generate a signal
+- Possibly assign and use an appropriate si_code
+- Don't handle cases which can't happen
+
+Cc: Russell King <rmk@flint.arm.linux.org.uk>
+Cc: linux-arm-kernel@lists.infradead.org
+Ref: 451436b7bbb2 ("[ARM] Add support code for ARM hardware vector floating point")
+History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/include/uapi/asm/siginfo.h | 13 +++++++++++++
+ arch/arm/vfp/vfpmodule.c | 2 +-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+ create mode 100644 arch/arm/include/uapi/asm/siginfo.h
+
+--- /dev/null
++++ b/arch/arm/include/uapi/asm/siginfo.h
+@@ -0,0 +1,13 @@
++#ifndef __ASM_SIGINFO_H
++#define __ASM_SIGINFO_H
++
++#include <asm-generic/siginfo.h>
++
++/*
++ * SIGFPE si_codes
++ */
++#ifdef __KERNEL__
++#define FPE_FIXME 0 /* Broken dup of SI_USER */
++#endif /* __KERNEL__ */
++
++#endif
+--- a/arch/arm/vfp/vfpmodule.c
++++ b/arch/arm/vfp/vfpmodule.c
+@@ -257,7 +257,7 @@ static void vfp_raise_exceptions(u32 exc
+
+ if (exceptions == VFP_EXCEPTION_ERROR) {
+ vfp_panic("unhandled bounce", inst);
+- vfp_raise_sigfpe(0, regs);
++ vfp_raise_sigfpe(FPE_FIXME, regs);
+ return;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Tue, 1 Aug 2017 10:37:40 -0500
+Subject: signal/metag: Document a conflict with SI_USER with SIGFPE
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+
+[ Upstream commit b80328be53c215346b153769267b38f531d89b4f ]
+
+Setting si_code to 0 results in a userspace seeing an si_code of 0.
+This is the same si_code as SI_USER. Posix and common sense requires
+that SI_USER not be a signal specific si_code. As such this use of 0
+for the si_code is a pretty horribly broken ABI.
+
+Further use of si_code == 0 guaranteed that copy_siginfo_to_user saw a
+value of __SI_KILL and now sees a value of SIL_KILL with the result
+hat uid and pid fields are copied and which might copying the si_addr
+field by accident but certainly not by design. Making this a very
+flakey implementation.
+
+Utilizing FPE_FIXME siginfo_layout will now return SIL_FAULT and the
+appropriate fields will reliably be copied.
+
+Possible ABI fixes includee:
+ - Send the signal without siginfo
+ - Don't generate a signal
+ - Possibly assign and use an appropriate si_code
+ - Don't handle cases which can't happen
+
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-metag@vger.kernel.org
+Ref: ac919f0883e5 ("metag: Traps")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/metag/include/uapi/asm/siginfo.h | 7 +++++++
+ arch/metag/kernel/traps.c | 2 +-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/metag/include/uapi/asm/siginfo.h
++++ b/arch/metag/include/uapi/asm/siginfo.h
+@@ -5,4 +5,11 @@
+
+ #include <asm-generic/siginfo.h>
+
++/*
++ * SIGFPE si_codes
++ */
++#ifdef __KERNEL__
++#define FPE_FIXME 0 /* Broken dup of SI_USER */
++#endif /* __KERNEL__ */
++
+ #endif
+--- a/arch/metag/kernel/traps.c
++++ b/arch/metag/kernel/traps.c
+@@ -732,7 +732,7 @@ TBIRES fpe_handler(TBIRES State, int Sig
+ else if (error_state & TXSTAT_FPE_INEXACT_BIT)
+ info.si_code = FPE_FLTRES;
+ else
+- info.si_code = 0;
++ info.si_code = FPE_FIXME;
+ info.si_errno = 0;
+ info.si_addr = (__force void __user *)regs->ctx.CurrPC;
+ force_sig_info(SIGFPE, &info, current);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Sat, 19 Aug 2017 15:26:01 -0500
+Subject: signal/powerpc: Document conflicts with SI_USER and SIGFPE and SIGTRAP
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+
+[ Upstream commit cf4674c46c66e45f238f8f7e81af2a444b970c0a ]
+
+Setting si_code to 0 results in a userspace seeing an si_code of 0.
+This is the same si_code as SI_USER. Posix and common sense requires
+that SI_USER not be a signal specific si_code. As such this use of 0
+for the si_code is a pretty horribly broken ABI.
+
+Further use of si_code == 0 guaranteed that copy_siginfo_to_user saw a
+value of __SI_KILL and now sees a value of SIL_KILL with the result
+that uid and pid fields are copied and which might copying the si_addr
+field by accident but certainly not by design. Making this a very
+flakey implementation.
+
+Utilizing FPE_FIXME and TRAP_FIXME, siginfo_layout() will now return
+SIL_FAULT and the appropriate fields will be reliably copied.
+
+Possible ABI fixes includee:
+- Send the signal without siginfo
+- Don't generate a signal
+- Possibly assign and use an appropriate si_code
+- Don't handle cases which can't happen
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Kumar Gala <kumar.gala@freescale.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: linuxppc-dev@lists.ozlabs.org
+Ref: 9bad068c24d7 ("[PATCH] ppc32: support for e500 and 85xx")
+Ref: 0ed70f6105ef ("PPC32: Provide proper siginfo information on various exceptions.")
+History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/uapi/asm/siginfo.h | 15 +++++++++++++++
+ arch/powerpc/kernel/traps.c | 10 +++++-----
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+--- a/arch/powerpc/include/uapi/asm/siginfo.h
++++ b/arch/powerpc/include/uapi/asm/siginfo.h
+@@ -17,4 +17,19 @@
+ #undef NSIGTRAP
+ #define NSIGTRAP 4
+
++/*
++ * SIGFPE si_codes
++ */
++#ifdef __KERNEL__
++#define FPE_FIXME 0 /* Broken dup of SI_USER */
++#endif /* __KERNEL__ */
++
++/*
++ * SIGTRAP si_codes
++ */
++#ifdef __KERNEL__
++#define TRAP_FIXME 0 /* Broken dup of SI_USER */
++#endif /* __KERNEL__ */
++
++
+ #endif /* _ASM_POWERPC_SIGINFO_H */
+--- a/arch/powerpc/kernel/traps.c
++++ b/arch/powerpc/kernel/traps.c
+@@ -793,7 +793,7 @@ void unknown_exception(struct pt_regs *r
+ printk("Bad trap at PC: %lx, SR: %lx, vector=%lx\n",
+ regs->nip, regs->msr, regs->trap);
+
+- _exception(SIGTRAP, regs, 0, 0);
++ _exception(SIGTRAP, regs, TRAP_FIXME, 0);
+
+ exception_exit(prev_state);
+ }
+@@ -815,7 +815,7 @@ bail:
+
+ void RunModeException(struct pt_regs *regs)
+ {
+- _exception(SIGTRAP, regs, 0, 0);
++ _exception(SIGTRAP, regs, TRAP_FIXME, 0);
+ }
+
+ void single_step_exception(struct pt_regs *regs)
+@@ -851,7 +851,7 @@ static void emulate_single_step(struct p
+
+ static inline int __parse_fpscr(unsigned long fpscr)
+ {
+- int ret = 0;
++ int ret = FPE_FIXME;
+
+ /* Invalid operation */
+ if ((fpscr & FPSCR_VE) && (fpscr & FPSCR_VX))
+@@ -1855,7 +1855,7 @@ void SPEFloatingPointException(struct pt
+ extern int do_spe_mathemu(struct pt_regs *regs);
+ unsigned long spefscr;
+ int fpexc_mode;
+- int code = 0;
++ int code = FPE_FIXME;
+ int err;
+
+ flush_spe_to_thread(current);
+@@ -1924,7 +1924,7 @@ void SPEFloatingPointRoundException(stru
+ printk(KERN_ERR "unrecognized spe instruction "
+ "in %s at %lx\n", current->comm, regs->nip);
+ } else {
+- _exception(SIGFPE, regs, 0, regs->nip);
++ _exception(SIGFPE, regs, FPE_FIXME, regs->nip);
+ return;
+ }
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Date: Sun, 4 Jun 2017 14:43:43 +0800
+Subject: sit: reload iphdr in ipip6_rcv
+
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+
+
+[ Upstream commit b699d0035836f6712917a41e7ae58d84359b8ff9 ]
+
+Since iptunnel_pull_header() can call pskb_may_pull(),
+we must reload any pointer that was related to skb->head.
+
+Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap")
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -657,6 +657,7 @@ static int ipip6_rcv(struct sk_buff *skb
+ if (iptunnel_pull_header(skb, 0, htons(ETH_P_IPV6),
+ !net_eq(tunnel->net, dev_net(tunnel->dev))))
+ goto out;
++ iph = ip_hdr(skb);
+
+ err = IP_ECN_decapsulate(iph, skb);
+ if (unlikely(err)) {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Willem de Bruijn <willemb@google.com>
+Date: Thu, 8 Jun 2017 11:35:03 -0400
+Subject: skbuff: only inherit relevant tx_flags
+
+From: Willem de Bruijn <willemb@google.com>
+
+
+[ Upstream commit fff88030b3ff930ca7a3d74acfee0472f33887ea ]
+
+When inheriting tx_flags from one skbuff to another, always apply a
+mask to avoid overwriting unrelated other bits in the field.
+
+The two SKBTX_SHARED_FRAG cases clears all other bits. In practice,
+tx_flags are zero at this point now. But this is fragile. Timestamp
+flags are set, for instance, if in tcp_gso_segment, after this clear
+in skb_segment.
+
+The SKBTX_ANY_TSTAMP mask in __skb_tstamp_tx ensures that new
+skbs do not accidentally inherit flags such as SKBTX_SHARED_FRAG.
+
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2615,7 +2615,8 @@ void skb_split(struct sk_buff *skb, stru
+ {
+ int pos = skb_headlen(skb);
+
+- skb_shinfo(skb1)->tx_flags = skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG;
++ skb_shinfo(skb1)->tx_flags |= skb_shinfo(skb)->tx_flags &
++ SKBTX_SHARED_FRAG;
+ if (len < pos) /* Split line is inside header. */
+ skb_split_inside_header(skb, skb1, len, pos);
+ else /* Second chunk has no header, nothing to copy. */
+@@ -3228,8 +3229,8 @@ normal:
+ skb_copy_from_linear_data_offset(head_skb, offset,
+ skb_put(nskb, hsize), hsize);
+
+- skb_shinfo(nskb)->tx_flags = skb_shinfo(head_skb)->tx_flags &
+- SKBTX_SHARED_FRAG;
++ skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags &
++ SKBTX_SHARED_FRAG;
+
+ while (pos < offset + len) {
+ if (i >= nfrags) {
+@@ -3881,7 +3882,8 @@ void __skb_tstamp_tx(struct sk_buff *ori
+ return;
+
+ if (tsonly) {
+- skb_shinfo(skb)->tx_flags = skb_shinfo(orig_skb)->tx_flags;
++ skb_shinfo(skb)->tx_flags |= skb_shinfo(orig_skb)->tx_flags &
++ SKBTX_ANY_TSTAMP;
+ skb_shinfo(skb)->tskey = skb_shinfo(orig_skb)->tskey;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 4 Jun 2017 04:16:22 +0200
+Subject: skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+
+[ Upstream commit 48a1df65334b74bd7531f932cca5928932abf769 ]
+
+This is a defense-in-depth measure in response to bugs like
+4d6fa57b4dab ("macsec: avoid heap overflow in skb_to_sgvec"). There's
+not only a potential overflow of sglist items, but also a stack overflow
+potential, so we fix this by limiting the amount of recursion this function
+is allowed to do. Not actually providing a bounded base case is a future
+disaster that we can easily avoid here.
+
+As a small matter of house keeping, we take this opportunity to move the
+documentation comment over the actual function the documentation is for.
+
+While this could be implemented by using an explicit stack of skbuffs,
+when implementing this, the function complexity increased considerably,
+and I don't think such complexity and bloat is actually worth it. So,
+instead I built this and tested it on x86, x86_64, ARM, ARM64, and MIPS,
+and measured the stack usage there. I also reverted the recent MIPS
+changes that give it a separate IRQ stack, so that I could experience
+some worst-case situations. I found that limiting it to 24 layers deep
+yielded a good stack usage with room for safety, as well as being much
+deeper than any driver actually ever creates.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Sabrina Dubroca <sd@queasysnail.net>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h | 8 +++---
+ net/core/skbuff.c | 65 +++++++++++++++++++++++++++++++------------------
+ 2 files changed, 46 insertions(+), 27 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -984,10 +984,10 @@ struct sk_buff *skb_realloc_headroom(str
+ unsigned int headroom);
+ struct sk_buff *skb_copy_expand(const struct sk_buff *skb, int newheadroom,
+ int newtailroom, gfp_t priority);
+-int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
+- int offset, int len);
+-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset,
+- int len);
++int __must_check skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
++ int offset, int len);
++int __must_check skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg,
++ int offset, int len);
+ int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer);
+ int skb_pad(struct sk_buff *skb, int pad);
+ #define dev_kfree_skb(a) consume_skb(a)
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3475,24 +3475,18 @@ void __init skb_init(void)
+ NULL);
+ }
+
+-/**
+- * skb_to_sgvec - Fill a scatter-gather list from a socket buffer
+- * @skb: Socket buffer containing the buffers to be mapped
+- * @sg: The scatter-gather list to map into
+- * @offset: The offset into the buffer's contents to start mapping
+- * @len: Length of buffer space to be mapped
+- *
+- * Fill the specified scatter-gather list with mappings/pointers into a
+- * region of the buffer space attached to a socket buffer.
+- */
+ static int
+-__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
++__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len,
++ unsigned int recursion_level)
+ {
+ int start = skb_headlen(skb);
+ int i, copy = start - offset;
+ struct sk_buff *frag_iter;
+ int elt = 0;
+
++ if (unlikely(recursion_level >= 24))
++ return -EMSGSIZE;
++
+ if (copy > 0) {
+ if (copy > len)
+ copy = len;
+@@ -3511,6 +3505,8 @@ __skb_to_sgvec(struct sk_buff *skb, stru
+ end = start + skb_frag_size(&skb_shinfo(skb)->frags[i]);
+ if ((copy = end - offset) > 0) {
+ skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
++ if (unlikely(elt && sg_is_last(&sg[elt - 1])))
++ return -EMSGSIZE;
+
+ if (copy > len)
+ copy = len;
+@@ -3525,16 +3521,22 @@ __skb_to_sgvec(struct sk_buff *skb, stru
+ }
+
+ skb_walk_frags(skb, frag_iter) {
+- int end;
++ int end, ret;
+
+ WARN_ON(start > offset + len);
+
+ end = start + frag_iter->len;
+ if ((copy = end - offset) > 0) {
++ if (unlikely(elt && sg_is_last(&sg[elt - 1])))
++ return -EMSGSIZE;
++
+ if (copy > len)
+ copy = len;
+- elt += __skb_to_sgvec(frag_iter, sg+elt, offset - start,
+- copy);
++ ret = __skb_to_sgvec(frag_iter, sg+elt, offset - start,
++ copy, recursion_level + 1);
++ if (unlikely(ret < 0))
++ return ret;
++ elt += ret;
+ if ((len -= copy) == 0)
+ return elt;
+ offset += copy;
+@@ -3545,6 +3547,31 @@ __skb_to_sgvec(struct sk_buff *skb, stru
+ return elt;
+ }
+
++/**
++ * skb_to_sgvec - Fill a scatter-gather list from a socket buffer
++ * @skb: Socket buffer containing the buffers to be mapped
++ * @sg: The scatter-gather list to map into
++ * @offset: The offset into the buffer's contents to start mapping
++ * @len: Length of buffer space to be mapped
++ *
++ * Fill the specified scatter-gather list with mappings/pointers into a
++ * region of the buffer space attached to a socket buffer. Returns either
++ * the number of scatterlist items used, or -EMSGSIZE if the contents
++ * could not fit.
++ */
++int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
++{
++ int nsg = __skb_to_sgvec(skb, sg, offset, len, 0);
++
++ if (nsg <= 0)
++ return nsg;
++
++ sg_mark_end(&sg[nsg - 1]);
++
++ return nsg;
++}
++EXPORT_SYMBOL_GPL(skb_to_sgvec);
++
+ /* As compared with skb_to_sgvec, skb_to_sgvec_nomark only map skb to given
+ * sglist without mark the sg which contain last skb data as the end.
+ * So the caller can mannipulate sg list as will when padding new data after
+@@ -3567,19 +3594,11 @@ __skb_to_sgvec(struct sk_buff *skb, stru
+ int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
+ int offset, int len)
+ {
+- return __skb_to_sgvec(skb, sg, offset, len);
++ return __skb_to_sgvec(skb, sg, offset, len, 0);
+ }
+ EXPORT_SYMBOL_GPL(skb_to_sgvec_nomark);
+
+-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
+-{
+- int nsg = __skb_to_sgvec(skb, sg, offset, len);
+
+- sg_mark_end(&sg[nsg - 1]);
+-
+- return nsg;
+-}
+-EXPORT_SYMBOL_GPL(skb_to_sgvec);
+
+ /**
+ * skb_cow_data - Check that a socket buffer's data buffers are writable
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Fri, 12 May 2017 17:59:32 +0200
+Subject: SMB2: Fix share type handling
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit cd1230070ae1c12fd34cf6a557bfa81bf9311009 ]
+
+In fs/cifs/smb2pdu.h, we have:
+#define SMB2_SHARE_TYPE_DISK 0x01
+#define SMB2_SHARE_TYPE_PIPE 0x02
+#define SMB2_SHARE_TYPE_PRINT 0x03
+
+Knowing that, with the current code, the SMB2_SHARE_TYPE_PRINT case can
+never trigger and printer share would be interpreted as disk share.
+
+So, test the ShareType value for equality instead.
+
+Fixes: faaf946a7d5b ("CIFS: Add tree connect/disconnect capability for SMB2")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2pdu.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1151,15 +1151,19 @@ SMB2_tcon(const unsigned int xid, struct
+ goto tcon_exit;
+ }
+
+- if (rsp->ShareType & SMB2_SHARE_TYPE_DISK)
++ switch (rsp->ShareType) {
++ case SMB2_SHARE_TYPE_DISK:
+ cifs_dbg(FYI, "connection to disk share\n");
+- else if (rsp->ShareType & SMB2_SHARE_TYPE_PIPE) {
++ break;
++ case SMB2_SHARE_TYPE_PIPE:
+ tcon->ipc = true;
+ cifs_dbg(FYI, "connection to pipe share\n");
+- } else if (rsp->ShareType & SMB2_SHARE_TYPE_PRINT) {
+- tcon->print = true;
++ break;
++ case SMB2_SHARE_TYPE_PRINT:
++ tcon->ipc = true;
+ cifs_dbg(FYI, "connection to printer\n");
+- } else {
++ break;
++ default:
+ cifs_dbg(VFS, "unknown share type %d\n", rsp->ShareType);
+ rc = -EOPNOTSUPP;
+ goto tcon_error_exit;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Jag Raman <jag.raman@oracle.com>
+Date: Fri, 9 Jun 2017 12:29:31 -0400
+Subject: sparc64: ldc abort during vds iso boot
+
+From: Jag Raman <jag.raman@oracle.com>
+
+
+[ Upstream commit 6c95483b768c62f8ee933ae08a1bdbcb78b5410f ]
+
+Orabug: 20902628
+
+When an ldc control-only packet is received during data exchange in
+read_nonraw(), a new rx head is calculated but the rx queue head is not
+actually advanced (rx_set_head() is not called) and a branch is taken to
+'no_data' at which point two things can happen depending on the value
+of the newly calculated rx head and the current rx tail:
+
+- If the rx queue is determined to be not empty, then the wrong packet
+ is picked up.
+
+- If the rx queue is determined to be empty, then a read error (EAGAIN)
+ is eventually returned since it is falsely assumed that more data was
+ expected.
+
+The fix is to update the rx head and return in case of a control only
+packet during data exchange.
+
+Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
+Reviewed-by: Aaron Young <aaron.young@oracle.com>
+Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
+Reviewed-by: Bijan Mottahedeh <bijan.mottahedeh@oracle.com>
+Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/kernel/ldc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc/kernel/ldc.c
++++ b/arch/sparc/kernel/ldc.c
+@@ -1733,9 +1733,14 @@ static int read_nonraw(struct ldc_channe
+
+ lp->rcv_nxt = p->seqid;
+
++ /*
++ * If this is a control-only packet, there is nothing
++ * else to do but advance the rx queue since the packet
++ * was already processed above.
++ */
+ if (!(p->type & LDC_DATA)) {
+ new = rx_advance(lp, new);
+- goto no_data;
++ break;
+ }
+ if (p->stype & (LDC_ACK | LDC_NACK)) {
+ err = data_ack_nack(lp, p);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Andrea della Porta <sfaragnaus@gmail.com>
+Date: Sat, 29 Apr 2017 07:30:23 +0100
+Subject: staging: wlan-ng: prism2mgmt.c: fixed a double endian conversion before calling hfa384x_drvr_setconfig16, also fixes relative sparse warning
+
+From: Andrea della Porta <sfaragnaus@gmail.com>
+
+
+[ Upstream commit dea20579a69ab68cdca6adf79bb7c0c162eb9b72 ]
+
+staging: wlan-ng: prism2mgmt.c: This patches fixes a double endian conversion.
+cpu_to_le16() was called twice first in prism2mgmt_scan and again inside
+hfa384x_drvr_setconfig16() for the same variable, hence it was swapped
+twice. Incidentally, it also fixed the following sparse warning:
+
+drivers/staging/wlan-ng/prism2mgmt.c:173:30: warning: incorrect type in assignment (different base types)
+drivers/staging/wlan-ng/prism2mgmt.c:173:30: expected unsigned short [unsigned] [usertype] word
+drivers/staging/wlan-ng/prism2mgmt.c:173:30: got restricted __le16 [usertype] <noident>
+
+Unfortunately, only compile tested.
+
+Signed-off-by: Andrea della Porta <sfaragnaus@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/wlan-ng/prism2mgmt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/wlan-ng/prism2mgmt.c
++++ b/drivers/staging/wlan-ng/prism2mgmt.c
+@@ -169,7 +169,7 @@ int prism2mgmt_scan(struct wlandevice *w
+ hw->ident_sta_fw.variant) >
+ HFA384x_FIRMWARE_VERSION(1, 5, 0)) {
+ if (msg->scantype.data != P80211ENUM_scantype_active)
+- word = cpu_to_le16(msg->maxchanneltime.data);
++ word = msg->maxchanneltime.data;
+ else
+ word = 0;
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Mario Molitor <mario_molitor@web.de>
+Date: Thu, 8 Jun 2017 22:41:02 +0200
+Subject: stmmac: fix ptp header for GMAC3 hw timestamp
+
+From: Mario Molitor <mario_molitor@web.de>
+
+
+[ Upstream commit fd6720aefde06eacf17404eed2cad65c6ec103e1 ]
+
+According the CYCLON V documention only the bit 16 of snaptypesel should
+set.
+(more information see Table 17-20 (cv_5v4.pdf) :
+ Timestamp Snapshot Dependency on Register Bits)
+
+Fixes: d2042052a0aa ("stmmac: update the PTP header file")
+Signed-off-by: Mario Molitor <mario_molitor@web.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 15 ++++++++++++---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h | 3 ++-
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -478,7 +478,10 @@ static int stmmac_hwtstamp_ioctl(struct
+ /* PTP v1, UDP, any kind of event packet */
+ config.rx_filter = HWTSTAMP_FILTER_PTP_V1_L4_EVENT;
+ /* take time stamp for all event messages */
+- snap_type_sel = PTP_TCR_SNAPTYPSEL_1;
++ if (priv->plat->has_gmac4)
++ snap_type_sel = PTP_GMAC4_TCR_SNAPTYPSEL_1;
++ else
++ snap_type_sel = PTP_TCR_SNAPTYPSEL_1;
+
+ ptp_over_ipv4_udp = PTP_TCR_TSIPV4ENA;
+ ptp_over_ipv6_udp = PTP_TCR_TSIPV6ENA;
+@@ -510,7 +513,10 @@ static int stmmac_hwtstamp_ioctl(struct
+ config.rx_filter = HWTSTAMP_FILTER_PTP_V2_L4_EVENT;
+ ptp_v2 = PTP_TCR_TSVER2ENA;
+ /* take time stamp for all event messages */
+- snap_type_sel = PTP_TCR_SNAPTYPSEL_1;
++ if (priv->plat->has_gmac4)
++ snap_type_sel = PTP_GMAC4_TCR_SNAPTYPSEL_1;
++ else
++ snap_type_sel = PTP_TCR_SNAPTYPSEL_1;
+
+ ptp_over_ipv4_udp = PTP_TCR_TSIPV4ENA;
+ ptp_over_ipv6_udp = PTP_TCR_TSIPV6ENA;
+@@ -544,7 +550,10 @@ static int stmmac_hwtstamp_ioctl(struct
+ config.rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT;
+ ptp_v2 = PTP_TCR_TSVER2ENA;
+ /* take time stamp for all event messages */
+- snap_type_sel = PTP_TCR_SNAPTYPSEL_1;
++ if (priv->plat->has_gmac4)
++ snap_type_sel = PTP_GMAC4_TCR_SNAPTYPSEL_1;
++ else
++ snap_type_sel = PTP_TCR_SNAPTYPSEL_1;
+
+ ptp_over_ipv4_udp = PTP_TCR_TSIPV4ENA;
+ ptp_over_ipv6_udp = PTP_TCR_TSIPV6ENA;
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h
+@@ -63,7 +63,8 @@
+ /* Enable Snapshot for Messages Relevant to Master */
+ #define PTP_TCR_TSMSTRENA BIT(15)
+ /* Select PTP packets for Taking Snapshots */
+-#define PTP_TCR_SNAPTYPSEL_1 GENMASK(17, 16)
++#define PTP_TCR_SNAPTYPSEL_1 BIT(16)
++#define PTP_GMAC4_TCR_SNAPTYPSEL_1 GENMASK(17, 16)
+ /* Enable MAC address for PTP Frame Filtering */
+ #define PTP_TCR_TSENMACADDR BIT(18)
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: NeilBrown <neilb@suse.com>
+Date: Thu, 25 May 2017 17:00:32 +1000
+Subject: SUNRPC: ensure correct error is reported by xs_tcp_setup_socket()
+
+From: NeilBrown <neilb@suse.com>
+
+
+[ Upstream commit 6ea44adce91526700535b3150f77f8639ae8c82d ]
+
+If you attempt a TCP mount from an host that is unreachable in a way
+that triggers an immediate error from kernel_connect(), that error
+does not propagate up, instead EAGAIN is reported.
+
+This results in call_connect_status receiving the wrong error.
+
+A case that it easy to demonstrate is to attempt to mount from an
+address that results in ENETUNREACH, but first deleting any default
+route.
+Without this patch, the mount.nfs process is persistently runnable
+and is hard to kill. With this patch it exits as it should.
+
+The problem is caused by the fact that xs_tcp_force_close() eventually
+calls
+ xprt_wake_pending_tasks(xprt, -EAGAIN);
+which causes an error return of -EAGAIN. so when xs_tcp_setup_sock()
+calls
+ xprt_wake_pending_tasks(xprt, status);
+the status is ignored.
+
+Fixes: 4efdd92c9211 ("SUNRPC: Remove TCP client connection reset hack")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/xprtsock.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -2384,7 +2384,12 @@ static void xs_tcp_setup_socket(struct w
+ case -EHOSTUNREACH:
+ case -EADDRINUSE:
+ case -ENOBUFS:
+- /* retry with existing socket, after a delay */
++ /*
++ * xs_tcp_force_close() wakes tasks with -EIO.
++ * We need to wake them first to ensure the
++ * correct error code.
++ */
++ xprt_wake_pending_tasks(xprt, status);
+ xs_tcp_force_close(xprt);
+ goto out;
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Robert Jarzmik <robert.jarzmik@free.fr>
+Date: Mon, 5 Jun 2017 13:59:15 +0200
+Subject: tags: honor COMPILED_SOURCE with apart output directory
+
+From: Robert Jarzmik <robert.jarzmik@free.fr>
+
+
+[ Upstream commit cbf52a3e6a8a92beec6e0c70abf4111cd8f8faf7 ]
+
+When the kernel is compiled with an "O=" argument, the object files are
+not in the source tree, but in the build tree.
+
+This patch fixes O= build by looking for object files in the build tree.
+
+Fixes: 923e02ecf3f8 ("scripts/tags.sh: Support compiled source")
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/tags.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/scripts/tags.sh
++++ b/scripts/tags.sh
+@@ -106,6 +106,7 @@ all_compiled_sources()
+ case "$i" in
+ *.[cS])
+ j=${i/\.[cS]/\.o}
++ j="${j#$tree}"
+ if [ -e $j ]; then
+ echo $i
+ fi
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 23 May 2017 15:24:46 -0700
+Subject: tcp: better validation of received ack sequences
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit d0e1a1b5a833b625c93d3d49847609350ebd79db ]
+
+Paul Fiterau Brostean reported :
+
+<quote>
+Linux TCP stack we analyze exhibits behavior that seems odd to me.
+The scenario is as follows (all packets have empty payloads, no window
+scaling, rcv/snd window size should not be a factor):
+
+ TEST HARNESS (CLIENT) LINUX SERVER
+
+ 1. - LISTEN (server listen,
+then accepts)
+
+ 2. - --> <SEQ=100><CTL=SYN> --> SYN-RECEIVED
+
+ 3. - <-- <SEQ=300><ACK=101><CTL=SYN,ACK> <-- SYN-RECEIVED
+
+ 4. - --> <SEQ=101><ACK=301><CTL=ACK> --> ESTABLISHED
+
+ 5. - <-- <SEQ=301><ACK=101><CTL=FIN,ACK> <-- FIN WAIT-1 (server
+opts to close the data connection calling "close" on the connection
+socket)
+
+ 6. - --> <SEQ=101><ACK=99999><CTL=FIN,ACK> --> CLOSING (client sends
+FIN,ACK with not yet sent acknowledgement number)
+
+ 7. - <-- <SEQ=302><ACK=102><CTL=ACK> <-- CLOSING (ACK is 102
+instead of 101, why?)
+
+... (silence from CLIENT)
+
+ 8. - <-- <SEQ=301><ACK=102><CTL=FIN,ACK> <-- CLOSING
+(retransmission, again ACK is 102)
+
+Now, note that packet 6 while having the expected sequence number,
+acknowledges something that wasn't sent by the server. So I would
+expect
+the packet to maybe prompt an ACK response from the server, and then be
+ignored. Yet it is not ignored and actually leads to an increase of the
+acknowledgement number in the server's retransmission of the FIN,ACK
+packet. The explanation I found is that the FIN in packet 6 was
+processed, despite the acknowledgement number being unacceptable.
+Further experiments indeed show that the server processes this FIN,
+transitioning to CLOSING, then on receiving an ACK for the FIN it had
+send in packet 5, the server (or better said connection) transitions
+from CLOSING to TIME_WAIT (as signaled by netstat).
+
+</quote>
+
+Indeed, tcp_rcv_state_process() calls tcp_ack() but
+does not exploit the @acceptable status but for TCP_SYN_RECV
+state.
+
+What we want here is to send a challenge ACK, if not in TCP_SYN_RECV
+state. TCP_FIN_WAIT1 state is not the only state we should fix.
+
+Add a FLAG_NO_CHALLENGE_ACK so that tcp_rcv_state_process()
+can choose to send a challenge ACK and discard the packet instead
+of wrongly change socket state.
+
+With help from Neal Cardwell.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Paul Fiterau Brostean <p.fiterau-brostean@science.ru.nl>
+Cc: Neal Cardwell <ncardwell@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -115,6 +115,7 @@ int sysctl_tcp_invalid_ratelimit __read_
+ #define FLAG_DSACKING_ACK 0x800 /* SACK blocks contained D-SACK info */
+ #define FLAG_SACK_RENEGING 0x2000 /* snd_una advanced to a sacked seq */
+ #define FLAG_UPDATE_TS_RECENT 0x4000 /* tcp_replace_ts_recent() */
++#define FLAG_NO_CHALLENGE_ACK 0x8000 /* do not call tcp_send_challenge_ack() */
+
+ #define FLAG_ACKED (FLAG_DATA_ACKED|FLAG_SYN_ACKED)
+ #define FLAG_NOT_DUP (FLAG_DATA|FLAG_WIN_UPDATE|FLAG_ACKED)
+@@ -3618,7 +3619,8 @@ static int tcp_ack(struct sock *sk, cons
+ if (before(ack, prior_snd_una)) {
+ /* RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation] */
+ if (before(ack, prior_snd_una - tp->max_window)) {
+- tcp_send_challenge_ack(sk, skb);
++ if (!(flag & FLAG_NO_CHALLENGE_ACK))
++ tcp_send_challenge_ack(sk, skb);
+ return -1;
+ }
+ goto old_ack;
+@@ -5969,13 +5971,17 @@ int tcp_rcv_state_process(struct sock *s
+
+ /* step 5: check the ACK field */
+ acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH |
+- FLAG_UPDATE_TS_RECENT) > 0;
++ FLAG_UPDATE_TS_RECENT |
++ FLAG_NO_CHALLENGE_ACK) > 0;
+
++ if (!acceptable) {
++ if (sk->sk_state == TCP_SYN_RECV)
++ return 1; /* send one RST */
++ tcp_send_challenge_ack(sk, skb);
++ goto discard;
++ }
+ switch (sk->sk_state) {
+ case TCP_SYN_RECV:
+- if (!acceptable)
+- return 1;
+-
+ if (!tp->srtt_us)
+ tcp_synack_rtt_meas(sk, req);
+
+@@ -6045,14 +6051,6 @@ int tcp_rcv_state_process(struct sock *s
+ * our SYNACK so stop the SYNACK timer.
+ */
+ if (req) {
+- /* Return RST if ack_seq is invalid.
+- * Note that RFC793 only says to generate a
+- * DUPACK for it but for TCP Fast Open it seems
+- * better to treat this case like TCP_SYN_RECV
+- * above.
+- */
+- if (!acceptable)
+- return 1;
+ /* We no longer need the request sock. */
+ reqsk_fastopen_remove(sk, req, false);
+ tcp_rearm_rto(sk);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Yi Zeng <yizeng@asrmicro.com>
+Date: Tue, 26 Dec 2017 19:22:26 +0800
+Subject: thermal: power_allocator: fix one race condition issue for thermal_instances list
+
+From: Yi Zeng <yizeng@asrmicro.com>
+
+
+[ Upstream commit a5de11d67dcd268b8d0beb73dc374de5e97f0caf ]
+
+When invoking allow_maximum_power and traverse tz->thermal_instances,
+we should grab thermal_zone_device->lock to avoid race condition. For
+example, during the system reboot, if the mali GPU device implements
+device shutdown callback and unregister GPU devfreq cooling device,
+the deleted list head may be accessed to cause panic, as the following
+log shows:
+
+[ 33.551070] c3 25 (kworker/3:0) Unable to handle kernel paging request at virtual address dead000000000070
+[ 33.566708] c3 25 (kworker/3:0) pgd = ffffffc0ed290000
+[ 33.572071] c3 25 (kworker/3:0) [dead000000000070] *pgd=00000001ed292003, *pud=00000001ed292003, *pmd=0000000000000000
+[ 33.581515] c3 25 (kworker/3:0) Internal error: Oops: 96000004 [#1] PREEMPT SMP
+[ 33.599761] c3 25 (kworker/3:0) CPU: 3 PID: 25 Comm: kworker/3:0 Not tainted 4.4.35+ #912
+[ 33.614137] c3 25 (kworker/3:0) Workqueue: events_freezable thermal_zone_device_check
+[ 33.620245] c3 25 (kworker/3:0) task: ffffffc0f32e4200 ti: ffffffc0f32f0000 task.ti: ffffffc0f32f0000
+[ 33.629466] c3 25 (kworker/3:0) PC is at power_allocator_throttle+0x7c8/0x8a4
+[ 33.636609] c3 25 (kworker/3:0) LR is at power_allocator_throttle+0x808/0x8a4
+[ 33.643742] c3 25 (kworker/3:0) pc : [<ffffff8008683dd0>] lr : [<ffffff8008683e10>] pstate: 20000145
+[ 33.652874] c3 25 (kworker/3:0) sp : ffffffc0f32f3bb0
+[ 34.468519] c3 25 (kworker/3:0) Process kworker/3:0 (pid: 25, stack limit = 0xffffffc0f32f0020)
+[ 34.477220] c3 25 (kworker/3:0) Stack: (0xffffffc0f32f3bb0 to 0xffffffc0f32f4000)
+[ 34.819822] c3 25 (kworker/3:0) Call trace:
+[ 34.824021] c3 25 (kworker/3:0) Exception stack(0xffffffc0f32f39c0 to 0xffffffc0f32f3af0)
+[ 34.924993] c3 25 (kworker/3:0) [<ffffff8008683dd0>] power_allocator_throttle+0x7c8/0x8a4
+[ 34.933184] c3 25 (kworker/3:0) [<ffffff80086807f4>] handle_thermal_trip.part.25+0x70/0x224
+[ 34.941545] c3 25 (kworker/3:0) [<ffffff8008680a68>] thermal_zone_device_update+0xc0/0x20c
+[ 34.949818] c3 25 (kworker/3:0) [<ffffff8008680bd4>] thermal_zone_device_check+0x20/0x2c
+[ 34.957924] c3 25 (kworker/3:0) [<ffffff80080b93a4>] process_one_work+0x168/0x458
+[ 34.965414] c3 25 (kworker/3:0) [<ffffff80080ba068>] worker_thread+0x13c/0x4b4
+[ 34.972650] c3 25 (kworker/3:0) [<ffffff80080c0a4c>] kthread+0xe8/0xfc
+[ 34.979187] c3 25 (kworker/3:0) [<ffffff8008084e90>] ret_from_fork+0x10/0x40
+[ 34.986244] c3 25 (kworker/3:0) Code: f9405e73 eb1302bf d102e273 54ffc460 (b9402a61)
+[ 34.994339] c3 25 (kworker/3:0) ---[ end trace 32057901e3b7e1db ]---
+
+Signed-off-by: Yi Zeng <yizeng@asrmicro.com>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/power_allocator.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/thermal/power_allocator.c
++++ b/drivers/thermal/power_allocator.c
+@@ -523,6 +523,7 @@ static void allow_maximum_power(struct t
+ struct thermal_instance *instance;
+ struct power_allocator_params *params = tz->governor_data;
+
++ mutex_lock(&tz->lock);
+ list_for_each_entry(instance, &tz->thermal_instances, tz_node) {
+ if ((instance->trip != params->trip_max_desired_temperature) ||
+ (!cdev_is_power_actor(instance->cdev)))
+@@ -534,6 +535,7 @@ static void allow_maximum_power(struct t
+ mutex_unlock(&instance->cdev->lock);
+ thermal_cdev_update(instance->cdev);
+ }
++ mutex_unlock(&tz->lock);
+ }
+
+ /**
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Tony Lindgren <tony@atomide.com>
+Date: Wed, 3 Jan 2018 10:18:03 -0800
+Subject: tty: n_gsm: Allow ADM response in addition to UA for control dlci
+
+From: Tony Lindgren <tony@atomide.com>
+
+
+[ Upstream commit ea3d8465ab9b3e01be329ac5195970a84bef76c5 ]
+
+Some devices have the control dlci stay in ADM mode instead of the UA
+mode. This can seen at least on droid 4 when trying to open the ts
+27.010 mux port. Enabling n_gsm debug mode shows the control dlci
+always respond with DM to SABM instead of UA:
+
+# modprobe n_gsm debug=0xff
+# ldattach -d GSM0710 /dev/ttyS0 &
+gsmld_output: 00000000: f9 03 3f 01 1c f9
+--> 0) C: SABM(P)
+gsmld_receive: 00000000: f9 03 1f 01 36 f9
+<-- 0) C: DM(P)
+...
+$ minicom -D /dev/gsmtty1
+minicom: cannot open /dev/gsmtty1: No error information
+$ strace minicom -D /dev/gsmtty1
+...
+open("/dev/gsmtty1", O_RDWR|O_NOCTTY|O_NONBLOCK|O_LARGEFILE) = -1 EL2HLT
+
+Note that this is different issue from other n_gsm -EL2HLT issues such
+as timeouts when the control dlci does not respond at all.
+
+The ADM mode seems to be a quite common according to "RF Wireless World"
+article "GSM Issue-UE sends SABM and gets a DM response instead of
+UA response":
+
+ This issue is most commonly observed in GSM networks where in UE sends
+ SABM and expects network to send UA response but it ends up receiving
+ DM response from the network. SABM stands for Set asynchronous balanced
+ mode, UA stands for Unnumbered Acknowledge and DA stands for
+ Disconnected Mode.
+
+ An RLP entity can be in one of two modes:
+ - Asynchronous Balanced Mode (ABM)
+ - Asynchronous Disconnected Mode (ADM)
+
+Currently Linux kernel closes the control dlci after several retries
+in gsm_dlci_t1() on DM. This causes n_gsm /dev/gsmtty ports to produce
+error code -EL2HLT when trying to open them as the closing of control
+dlci has already set gsm->dead.
+
+Let's fix the issue by allowing control dlci stay in ADM mode after the
+retries so the /dev/gsmtty ports can be opened and used. It seems that
+it might take several attempts to get any response from the control
+dlci, so it's best to allow ADM mode only after the SABM retries are
+done.
+
+Note that for droid 4 additional patches are needed to mux the ttyS0
+pins and to toggle RTS gpio_149 to wake up the mdm6600 modem are also
+needed to use n_gsm. And the mdm6600 modem needs to be powered on.
+
+Cc: linux-serial@vger.kernel.org
+Cc: Alan Cox <alan@llwyncelyn.cymru>
+Cc: Jiri Prchal <jiri.prchal@aksignal.cz>
+Cc: Jiri Slaby <jslaby@suse.cz>
+Cc: Marcel Partap <mpartap@gmx.net>
+Cc: Michael Scott <michael.scott@linaro.org>
+Cc: Peter Hurley <peter@hurleysoftware.com>
+Cc: Russ Gorby <russ.gorby@intel.com>
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_gsm.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1467,6 +1467,10 @@ static void gsm_dlci_open(struct gsm_dlc
+ * in which case an opening port goes back to closed and a closing port
+ * is simply put into closed state (any further frames from the other
+ * end will get a DM response)
++ *
++ * Some control dlci can stay in ADM mode with other dlci working just
++ * fine. In that case we can just keep the control dlci open after the
++ * DLCI_OPENING retries time out.
+ */
+
+ static void gsm_dlci_t1(unsigned long data)
+@@ -1480,8 +1484,15 @@ static void gsm_dlci_t1(unsigned long da
+ if (dlci->retries) {
+ gsm_command(dlci->gsm, dlci->addr, SABM|PF);
+ mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
+- } else
++ } else if (!dlci->addr && gsm->control == (DM | PF)) {
++ if (debug & 8)
++ pr_info("DLCI %d opening in ADM mode.\n",
++ dlci->addr);
++ gsm_dlci_open(dlci);
++ } else {
+ gsm_dlci_close(dlci);
++ }
++
+ break;
+ case DLCI_CLOSING:
+ dlci->retries--;
+@@ -1499,8 +1510,8 @@ static void gsm_dlci_t1(unsigned long da
+ * @dlci: DLCI to open
+ *
+ * Commence opening a DLCI from the Linux side. We issue SABM messages
+- * to the modem which should then reply with a UA, at which point we
+- * will move into open state. Opening is done asynchronously with retry
++ * to the modem which should then reply with a UA or ADM, at which point
++ * we will move into open state. Opening is done asynchronously with retry
+ * running off timers and the responses.
+ */
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Rabin Vincent <rabinv@axis.com>
+Date: Mon, 3 Apr 2017 13:44:11 +0200
+Subject: ubi: fastmap: Fix slab corruption
+
+From: Rabin Vincent <rabinv@axis.com>
+
+
+[ Upstream commit 8a1435880f452430b41374d27ac4a33e7bd381ea ]
+
+Booting with UBI fastmap and SLUB debugging enabled results in the
+following splats. The problem is that ubi_scan_fastmap() moves the
+fastmap blocks from the scan_ai (allocated in scan_fast()) to the ai
+allocated in ubi_attach(). This results in two problems:
+
+ - When the scan_ai is freed, aebs which were allocated from its slab
+ cache are still in use.
+
+ - When the other ai is being destroyed in destroy_ai(), the
+ arguments to kmem_cache_free() call are incorrect since aebs on its
+ ->fastmap list were allocated with a slab cache from a differnt ai.
+
+Fix this by making a copy of the aebs in ubi_scan_fastmap() instead of
+moving them.
+
+ =============================================================================
+ BUG ubi_aeb_slab_cache (Not tainted): Objects remaining in ubi_aeb_slab_cache on __kmem_cache_shutdown()
+ -----------------------------------------------------------------------------
+
+ INFO: Slab 0xbfd2da3c objects=17 used=1 fp=0xb33d7748 flags=0x40000080
+ CPU: 1 PID: 118 Comm: ubiattach Tainted: G B 4.9.15 #3
+ [<80111910>] (unwind_backtrace) from [<8010d498>] (show_stack+0x18/0x1c)
+ [<8010d498>] (show_stack) from [<804a3274>] (dump_stack+0xb4/0xe0)
+ [<804a3274>] (dump_stack) from [<8026c47c>] (slab_err+0x78/0x88)
+ [<8026c47c>] (slab_err) from [<802735bc>] (__kmem_cache_shutdown+0x180/0x3e0)
+ [<802735bc>] (__kmem_cache_shutdown) from [<8024e13c>] (shutdown_cache+0x1c/0x60)
+ [<8024e13c>] (shutdown_cache) from [<8024ed64>] (kmem_cache_destroy+0x19c/0x20c)
+ [<8024ed64>] (kmem_cache_destroy) from [<8057cc14>] (destroy_ai+0x1dc/0x1e8)
+ [<8057cc14>] (destroy_ai) from [<8057f04c>] (ubi_attach+0x3f4/0x450)
+ [<8057f04c>] (ubi_attach) from [<8056fe70>] (ubi_attach_mtd_dev+0x60c/0xff8)
+ [<8056fe70>] (ubi_attach_mtd_dev) from [<80571d78>] (ctrl_cdev_ioctl+0x110/0x2b8)
+ [<80571d78>] (ctrl_cdev_ioctl) from [<8029c77c>] (do_vfs_ioctl+0xac/0xa00)
+ [<8029c77c>] (do_vfs_ioctl) from [<8029d10c>] (SyS_ioctl+0x3c/0x64)
+ [<8029d10c>] (SyS_ioctl) from [<80108860>] (ret_fast_syscall+0x0/0x1c)
+ INFO: Object 0xb33d7e88 @offset=3720
+ INFO: Allocated in scan_peb+0x608/0x81c age=72 cpu=1 pid=118
+ kmem_cache_alloc+0x3b0/0x43c
+ scan_peb+0x608/0x81c
+ ubi_attach+0x124/0x450
+ ubi_attach_mtd_dev+0x60c/0xff8
+ ctrl_cdev_ioctl+0x110/0x2b8
+ do_vfs_ioctl+0xac/0xa00
+ SyS_ioctl+0x3c/0x64
+ ret_fast_syscall+0x0/0x1c
+ kmem_cache_destroy ubi_aeb_slab_cache: Slab cache still has objects
+ CPU: 1 PID: 118 Comm: ubiattach Tainted: G B 4.9.15 #3
+ [<80111910>] (unwind_backtrace) from [<8010d498>] (show_stack+0x18/0x1c)
+ [<8010d498>] (show_stack) from [<804a3274>] (dump_stack+0xb4/0xe0)
+ [<804a3274>] (dump_stack) from [<8024ed80>] (kmem_cache_destroy+0x1b8/0x20c)
+ [<8024ed80>] (kmem_cache_destroy) from [<8057cc14>] (destroy_ai+0x1dc/0x1e8)
+ [<8057cc14>] (destroy_ai) from [<8057f04c>] (ubi_attach+0x3f4/0x450)
+ [<8057f04c>] (ubi_attach) from [<8056fe70>] (ubi_attach_mtd_dev+0x60c/0xff8)
+ [<8056fe70>] (ubi_attach_mtd_dev) from [<80571d78>] (ctrl_cdev_ioctl+0x110/0x2b8)
+ [<80571d78>] (ctrl_cdev_ioctl) from [<8029c77c>] (do_vfs_ioctl+0xac/0xa00)
+ [<8029c77c>] (do_vfs_ioctl) from [<8029d10c>] (SyS_ioctl+0x3c/0x64)
+ [<8029d10c>] (SyS_ioctl) from [<80108860>] (ret_fast_syscall+0x0/0x1c)
+ cache_from_obj: Wrong slab cache. ubi_aeb_slab_cache but object is from ubi_aeb_slab_cache
+ ------------[ cut here ]------------
+ WARNING: CPU: 1 PID: 118 at mm/slab.h:354 kmem_cache_free+0x39c/0x450
+ Modules linked in:
+ CPU: 1 PID: 118 Comm: ubiattach Tainted: G B 4.9.15 #3
+ [<80111910>] (unwind_backtrace) from [<8010d498>] (show_stack+0x18/0x1c)
+ [<8010d498>] (show_stack) from [<804a3274>] (dump_stack+0xb4/0xe0)
+ [<804a3274>] (dump_stack) from [<80120e40>] (__warn+0xf4/0x10c)
+ [<80120e40>] (__warn) from [<80120f20>] (warn_slowpath_null+0x28/0x30)
+ [<80120f20>] (warn_slowpath_null) from [<80271fe0>] (kmem_cache_free+0x39c/0x450)
+ [<80271fe0>] (kmem_cache_free) from [<8057cb88>] (destroy_ai+0x150/0x1e8)
+ [<8057cb88>] (destroy_ai) from [<8057ef1c>] (ubi_attach+0x2c4/0x450)
+ [<8057ef1c>] (ubi_attach) from [<8056fe70>] (ubi_attach_mtd_dev+0x60c/0xff8)
+ [<8056fe70>] (ubi_attach_mtd_dev) from [<80571d78>] (ctrl_cdev_ioctl+0x110/0x2b8)
+ [<80571d78>] (ctrl_cdev_ioctl) from [<8029c77c>] (do_vfs_ioctl+0xac/0xa00)
+ [<8029c77c>] (do_vfs_ioctl) from [<8029d10c>] (SyS_ioctl+0x3c/0x64)
+ [<8029d10c>] (SyS_ioctl) from [<80108860>] (ret_fast_syscall+0x0/0x1c)
+ ---[ end trace 2bd8396277fd0a0b ]---
+ =============================================================================
+ BUG ubi_aeb_slab_cache (Tainted: G B W ): page slab pointer corrupt.
+ -----------------------------------------------------------------------------
+
+ INFO: Allocated in scan_peb+0x608/0x81c age=104 cpu=1 pid=118
+ kmem_cache_alloc+0x3b0/0x43c
+ scan_peb+0x608/0x81c
+ ubi_attach+0x124/0x450
+ ubi_attach_mtd_dev+0x60c/0xff8
+ ctrl_cdev_ioctl+0x110/0x2b8
+ do_vfs_ioctl+0xac/0xa00
+ SyS_ioctl+0x3c/0x64
+ ret_fast_syscall+0x0/0x1c
+ INFO: Slab 0xbfd2da3c objects=17 used=1 fp=0xb33d7748 flags=0x40000081
+ INFO: Object 0xb33d7e88 @offset=3720 fp=0xb33d7da0
+
+ Redzone b33d7e80: cc cc cc cc cc cc cc cc ........
+ Object b33d7e88: 02 00 00 00 01 00 00 00 00 f0 ff 7f ff ff ff ff ................
+ Object b33d7e98: 00 00 00 00 00 00 00 00 bd 16 00 00 00 00 00 00 ................
+ Object b33d7ea8: 00 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 ................
+ Redzone b33d7eb8: cc cc cc cc ....
+ Padding b33d7f60: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
+ CPU: 1 PID: 118 Comm: ubiattach Tainted: G B W 4.9.15 #3
+ [<80111910>] (unwind_backtrace) from [<8010d498>] (show_stack+0x18/0x1c)
+ [<8010d498>] (show_stack) from [<804a3274>] (dump_stack+0xb4/0xe0)
+ [<804a3274>] (dump_stack) from [<80271770>] (free_debug_processing+0x320/0x3c4)
+ [<80271770>] (free_debug_processing) from [<80271ad0>] (__slab_free+0x2bc/0x430)
+ [<80271ad0>] (__slab_free) from [<80272024>] (kmem_cache_free+0x3e0/0x450)
+ [<80272024>] (kmem_cache_free) from [<8057cb88>] (destroy_ai+0x150/0x1e8)
+ [<8057cb88>] (destroy_ai) from [<8057ef1c>] (ubi_attach+0x2c4/0x450)
+ [<8057ef1c>] (ubi_attach) from [<8056fe70>] (ubi_attach_mtd_dev+0x60c/0xff8)
+ [<8056fe70>] (ubi_attach_mtd_dev) from [<80571d78>] (ctrl_cdev_ioctl+0x110/0x2b8)
+ [<80571d78>] (ctrl_cdev_ioctl) from [<8029c77c>] (do_vfs_ioctl+0xac/0xa00)
+ [<8029c77c>] (do_vfs_ioctl) from [<8029d10c>] (SyS_ioctl+0x3c/0x64)
+ [<8029d10c>] (SyS_ioctl) from [<80108860>] (ret_fast_syscall+0x0/0x1c)
+ FIX ubi_aeb_slab_cache: Object at 0xb33d7e88 not freed
+
+Signed-off-by: Rabin Vincent <rabinv@axis.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/ubi/fastmap.c | 33 +++++++++++++++++++++++++++++----
+ 1 file changed, 29 insertions(+), 4 deletions(-)
+
+--- a/drivers/mtd/ubi/fastmap.c
++++ b/drivers/mtd/ubi/fastmap.c
+@@ -828,6 +828,24 @@ static int find_fm_anchor(struct ubi_att
+ return ret;
+ }
+
++static struct ubi_ainf_peb *clone_aeb(struct ubi_attach_info *ai,
++ struct ubi_ainf_peb *old)
++{
++ struct ubi_ainf_peb *new;
++
++ new = ubi_alloc_aeb(ai, old->pnum, old->ec);
++ if (!new)
++ return NULL;
++
++ new->vol_id = old->vol_id;
++ new->sqnum = old->sqnum;
++ new->lnum = old->lnum;
++ new->scrub = old->scrub;
++ new->copy_flag = old->copy_flag;
++
++ return new;
++}
++
+ /**
+ * ubi_scan_fastmap - scan the fastmap.
+ * @ubi: UBI device object
+@@ -847,7 +865,7 @@ int ubi_scan_fastmap(struct ubi_device *
+ struct ubi_vid_hdr *vh;
+ struct ubi_ec_hdr *ech;
+ struct ubi_fastmap_layout *fm;
+- struct ubi_ainf_peb *tmp_aeb, *aeb;
++ struct ubi_ainf_peb *aeb;
+ int i, used_blocks, pnum, fm_anchor, ret = 0;
+ size_t fm_size;
+ __be32 crc, tmp_crc;
+@@ -857,9 +875,16 @@ int ubi_scan_fastmap(struct ubi_device *
+ if (fm_anchor < 0)
+ return UBI_NO_FASTMAP;
+
+- /* Move all (possible) fastmap blocks into our new attach structure. */
+- list_for_each_entry_safe(aeb, tmp_aeb, &scan_ai->fastmap, u.list)
+- list_move_tail(&aeb->u.list, &ai->fastmap);
++ /* Copy all (possible) fastmap blocks into our new attach structure. */
++ list_for_each_entry(aeb, &scan_ai->fastmap, u.list) {
++ struct ubi_ainf_peb *new;
++
++ new = clone_aeb(ai, aeb);
++ if (!new)
++ return -ENOMEM;
++
++ list_add(&new->u.list, &ai->fastmap);
++ }
+
+ down_write(&ubi->fm_protect);
+ memset(ubi->fm_buf, 0, ubi->fm_size);
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Suman Anna <s-anna@ti.com>
+Date: Tue, 9 May 2017 18:58:24 -0500
+Subject: uio: fix incorrect memory leak cleanup
+
+From: Suman Anna <s-anna@ti.com>
+
+
+[ Upstream commit 0d83539092ddb1ab79b4d65bccb866bf07ea2ccd ]
+
+Commit 75f0aef6220d ("uio: fix memory leak") has fixed up some
+memory leaks during the failure paths of the addition of uio
+attributes, but still is not correct entirely. A kobject_uevent()
+failure still needs a kobject_put() and the kobject container
+structure allocation failure before the kobject_init() doesn't
+need a kobject_put(). Fix this properly.
+
+Fixes: 75f0aef6220d ("uio: fix memory leak")
+Signed-off-by: Suman Anna <s-anna@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uio/uio.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -279,7 +279,7 @@ static int uio_dev_add_attributes(struct
+ map = kzalloc(sizeof(*map), GFP_KERNEL);
+ if (!map) {
+ ret = -ENOMEM;
+- goto err_map_kobj;
++ goto err_map;
+ }
+ kobject_init(&map->kobj, &map_attr_type);
+ map->mem = mem;
+@@ -289,7 +289,7 @@ static int uio_dev_add_attributes(struct
+ goto err_map_kobj;
+ ret = kobject_uevent(&map->kobj, KOBJ_ADD);
+ if (ret)
+- goto err_map;
++ goto err_map_kobj;
+ }
+
+ for (pi = 0; pi < MAX_UIO_PORT_REGIONS; pi++) {
+@@ -308,7 +308,7 @@ static int uio_dev_add_attributes(struct
+ portio = kzalloc(sizeof(*portio), GFP_KERNEL);
+ if (!portio) {
+ ret = -ENOMEM;
+- goto err_portio_kobj;
++ goto err_portio;
+ }
+ kobject_init(&portio->kobj, &portio_attr_type);
+ portio->port = port;
+@@ -319,7 +319,7 @@ static int uio_dev_add_attributes(struct
+ goto err_portio_kobj;
+ ret = kobject_uevent(&portio->kobj, KOBJ_ADD);
+ if (ret)
+- goto err_portio;
++ goto err_portio_kobj;
+ }
+
+ return 0;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Jisheng Zhang <jszhang@marvell.com>
+Date: Wed, 26 Apr 2017 16:59:34 +0800
+Subject: usb: chipidea: properly handle host or gadget initialization failure
+
+From: Jisheng Zhang <jszhang@marvell.com>
+
+
+[ Upstream commit c4a0bbbdb7f6e3c37fa6deb3ef28c5ed99da6175 ]
+
+If ci_hdrc_host_init() or ci_hdrc_gadget_init() returns error and the
+error != -ENXIO, as Peter pointed out, "it stands for initialization
+for host or gadget has failed", so we'd better return failure rather
+continue.
+
+And before destroying the otg, i.e ci_hdrc_otg_destroy(ci), we should
+also check ci->roles[CI_ROLE_GADGET].
+
+Signed-off-by: Jisheng Zhang <jszhang@marvell.com>
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/chipidea/core.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -839,7 +839,7 @@ static inline void ci_role_destroy(struc
+ {
+ ci_hdrc_gadget_destroy(ci);
+ ci_hdrc_host_destroy(ci);
+- if (ci->is_otg)
++ if (ci->is_otg && ci->roles[CI_ROLE_GADGET])
+ ci_hdrc_otg_destroy(ci);
+ }
+
+@@ -939,27 +939,35 @@ static int ci_hdrc_probe(struct platform
+ /* initialize role(s) before the interrupt is requested */
+ if (dr_mode == USB_DR_MODE_OTG || dr_mode == USB_DR_MODE_HOST) {
+ ret = ci_hdrc_host_init(ci);
+- if (ret)
+- dev_info(dev, "doesn't support host\n");
++ if (ret) {
++ if (ret == -ENXIO)
++ dev_info(dev, "doesn't support host\n");
++ else
++ goto deinit_phy;
++ }
+ }
+
+ if (dr_mode == USB_DR_MODE_OTG || dr_mode == USB_DR_MODE_PERIPHERAL) {
+ ret = ci_hdrc_gadget_init(ci);
+- if (ret)
+- dev_info(dev, "doesn't support gadget\n");
++ if (ret) {
++ if (ret == -ENXIO)
++ dev_info(dev, "doesn't support gadget\n");
++ else
++ goto deinit_host;
++ }
+ }
+
+ if (!ci->roles[CI_ROLE_HOST] && !ci->roles[CI_ROLE_GADGET]) {
+ dev_err(dev, "no supported roles\n");
+ ret = -ENODEV;
+- goto deinit_phy;
++ goto deinit_gadget;
+ }
+
+ if (ci->is_otg && ci->roles[CI_ROLE_GADGET]) {
+ ret = ci_hdrc_otg_init(ci);
+ if (ret) {
+ dev_err(dev, "init otg fails, ret = %d\n", ret);
+- goto stop;
++ goto deinit_gadget;
+ }
+ }
+
+@@ -1024,7 +1032,12 @@ static int ci_hdrc_probe(struct platform
+
+ ci_extcon_unregister(ci);
+ stop:
+- ci_role_destroy(ci);
++ if (ci->is_otg && ci->roles[CI_ROLE_GADGET])
++ ci_hdrc_otg_destroy(ci);
++deinit_gadget:
++ ci_hdrc_gadget_destroy(ci);
++deinit_host:
++ ci_hdrc_host_destroy(ci);
+ deinit_phy:
+ ci_usb_phy_exit(ci);
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 13:55:13 +0800
+Subject: usb: dwc3: keystone: check return value
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 018047a1dba7636e1f7fdae2cc290a528991d648 ]
+
+Function devm_clk_get() returns an ERR_PTR when it fails. However, in
+function kdwc3_probe(), its return value is not checked, which may
+result in a bad memory access bug. This patch fixes the bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/dwc3-keystone.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-keystone.c
++++ b/drivers/usb/dwc3/dwc3-keystone.c
+@@ -107,6 +107,10 @@ static int kdwc3_probe(struct platform_d
+ return PTR_ERR(kdwc->usbss);
+
+ kdwc->clk = devm_clk_get(kdwc->dev, "usb");
++ if (IS_ERR(kdwc->clk)) {
++ dev_err(kdwc->dev, "unable to get usb clock\n");
++ return PTR_ERR(kdwc->clk);
++ }
+
+ error = clk_prepare_enable(kdwc->clk);
+ if (error < 0) {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 16 May 2017 11:47:42 -0400
+Subject: USB: ene_usb6250: fix first command execution
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+
+[ Upstream commit 4b309f1c4972c8f09e03ac64fc63510dbf5591a4 ]
+
+In the ene_usb6250 sub-driver for usb-storage, the ene_transport()
+routine is supposed to initialize the driver before executing the
+current command, if the initialization has not already been performed.
+However, a bug in the routine causes it to skip the command after
+doing the initialization. Also, the routine does not return an
+appropriate error code if either the initialization or the command
+fails.
+
+As a result of the first bug, the first command (a SCSI INQUIRY) is
+not carried out. The results can be seen in the system log, in the
+form of a warning message and empty or garbage INQUIRY data:
+
+Apr 18 22:40:08 notebook2 kernel: scsi host6: scsi scan: INQUIRY result too short (5), using 36
+Apr 18 22:40:08 notebook2 kernel: scsi 6:0:0:0: Direct-Access PQ: 0 ANSI: 0
+
+This patch fixes both errors.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: Andreas Hartmann <andihartmann@01019freenet.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/ene_ub6250.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/storage/ene_ub6250.c
++++ b/drivers/usb/storage/ene_ub6250.c
+@@ -2295,21 +2295,22 @@ static int ms_scsi_irp(struct us_data *u
+
+ static int ene_transport(struct scsi_cmnd *srb, struct us_data *us)
+ {
+- int result = 0;
++ int result = USB_STOR_XFER_GOOD;
+ struct ene_ub6250_info *info = (struct ene_ub6250_info *)(us->extra);
+
+ /*US_DEBUG(usb_stor_show_command(us, srb)); */
+ scsi_set_resid(srb, 0);
+- if (unlikely(!(info->SD_Status.Ready || info->MS_Status.Ready))) {
++ if (unlikely(!(info->SD_Status.Ready || info->MS_Status.Ready)))
+ result = ene_init(us);
+- } else {
++ if (result == USB_STOR_XFER_GOOD) {
++ result = USB_STOR_TRANSPORT_ERROR;
+ if (info->SD_Status.Ready)
+ result = sd_scsi_irp(us, srb);
+
+ if (info->MS_Status.Ready)
+ result = ms_scsi_irp(us, srb);
+ }
+- return 0;
++ return result;
+ }
+
+ static struct scsi_host_template ene_ub6250_host_template;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 16 May 2017 11:47:52 -0400
+Subject: USB: ene_usb6250: fix SCSI residue overwriting
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+
+[ Upstream commit aa18c4b6e0e39bfb00af48734ec24bc189ac9909 ]
+
+In the ene_usb6250 sub-driver for usb-storage, the SCSI residue is not
+reported correctly. The residue is initialized to 0, but this value
+is overwritten whenever the driver sends firmware to the card reader
+before performing the current command. As a result, a valid READ or
+WRITE operation appears to have failed, causing the SCSI core to retry
+the command multiple times and eventually fail.
+
+This patch fixes the problem by resetting the SCSI residue to 0 after
+sending firmware to the device.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: Andreas Hartmann <andihartmann@01019freenet.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/ene_ub6250.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/storage/ene_ub6250.c
++++ b/drivers/usb/storage/ene_ub6250.c
+@@ -1942,6 +1942,8 @@ static int ene_load_bincode(struct us_da
+ bcb->CDB[0] = 0xEF;
+
+ result = ene_send_scsi_cmd(us, FDIR_WRITE, buf, 0);
++ if (us->srb != NULL)
++ scsi_set_resid(us->srb, 0);
+ info->BIN_FLAG = flag;
+ kfree(buf);
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "Pieter \\\"PoroCYon\\\" Sluys" <pcy@national.shitposting.agency>
+Date: Thu, 4 Jan 2018 16:53:50 +0100
+Subject: vfb: fix video mode and line_length being set when loaded
+
+From: "Pieter \\\"PoroCYon\\\" Sluys" <pcy@national.shitposting.agency>
+
+
+[ Upstream commit 7b9faf5df0ac495a1a3d7cdb64921c179f9008ac ]
+
+Currently, when loading the vfb module, the newly created fbdev
+has a line_length of 0, and its video mode would be PSEUDOCOLOR
+regardless of color depth. (The former could be worked around by
+calling the FBIOPUT_VSCREENINFO ioctl with having the FBACTIVIATE_FORCE
+flag set.) This patch automatically sets the line_length correctly,
+and the video mode is derived from the bit depth now as well.
+
+Thanks to Geert Uytterhoeven for confirming the bug and helping me with
+the patch.
+
+Output of `fbset -i' before the patch:
+mode "1366x768-60"
+ # D: 72.432 MHz, H: 47.403 kHz, V: 60.004 Hz
+ geometry 1366 768 1366 768 32
+ timings 13806 120 10 14 3 32 5
+ rgba 8/0,8/8,8/16,8/24
+endmode
+
+Frame buffer device information:
+ Name : Virtual FB
+ Address : 0xffffaa1405d85000
+ Size : 4196352
+ Type : PACKED PIXELS
+ Visual : PSEUDOCOLOR
+ XPanStep : 1
+ YPanStep : 1
+ YWrapStep : 1
+ LineLength : 0 <-- note this
+ Accelerator : No
+
+After:
+mode "1366x768-60"
+ # D: 72.432 MHz, H: 47.403 kHz, V: 60.004 Hz
+ geometry 1366 768 1366 768 32
+ timings 13806 120 10 14 3 32 5
+ rgba 8/0,8/8,8/16,8/24
+endmode
+
+Frame buffer device information:
+ Name : Virtual FB
+ Address : 0xffffaa1405d85000
+ Size : 4196352
+ Type : PACKED PIXELS
+ Visual : TRUECOLOR
+ XPanStep : 1
+ YPanStep : 1
+ YWrapStep : 1
+ LineLength : 5464
+ Accelerator : No
+
+Signed-off-by: "Pieter \"PoroCYon\" Sluys" <pcy@national.shitposting.agency>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+[b.zolnierkie: minor fixups]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/vfb.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/drivers/video/fbdev/vfb.c
++++ b/drivers/video/fbdev/vfb.c
+@@ -239,8 +239,23 @@ static int vfb_check_var(struct fb_var_s
+ */
+ static int vfb_set_par(struct fb_info *info)
+ {
++ switch (info->var.bits_per_pixel) {
++ case 1:
++ info->fix.visual = FB_VISUAL_MONO01;
++ break;
++ case 8:
++ info->fix.visual = FB_VISUAL_PSEUDOCOLOR;
++ break;
++ case 16:
++ case 24:
++ case 32:
++ info->fix.visual = FB_VISUAL_TRUECOLOR;
++ break;
++ }
++
+ info->fix.line_length = get_line_length(info->var.xres_virtual,
+ info->var.bits_per_pixel);
++
+ return 0;
+ }
+
+@@ -450,6 +465,8 @@ static int vfb_probe(struct platform_dev
+ goto err2;
+ platform_set_drvdata(dev, info);
+
++ vfb_set_par(info);
++
+ fb_info(info, "Virtual frame buffer device, using %ldK of video memory\n",
+ videomemorysize >> 10);
+ return 0;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 10 Nov 2017 15:45:41 +1100
+Subject: VFS: close race between getcwd() and d_move()
+
+From: NeilBrown <neilb@suse.com>
+
+
+[ Upstream commit 61647823aa920e395afcce4b57c32afb51456cab ]
+
+d_move() will call __d_drop() and then __d_rehash()
+on the dentry being moved. This creates a small window
+when the dentry appears to be unhashed. Many tests
+of d_unhashed() are made under ->d_lock and so are safe
+from racing with this window, but some aren't.
+In particular, getcwd() calls d_unlinked() (which calls
+d_unhashed()) without d_lock protection, so it can race.
+
+This races has been seen in practice with lustre, which uses d_move() as
+part of name lookup. See:
+ https://jira.hpdd.intel.com/browse/LU-9735
+It could race with a regular rename(), and result in ENOENT instead
+of either the 'before' or 'after' name.
+
+The race can be demonstrated with a simple program which
+has two threads, one renaming a directory back and forth
+while another calls getcwd() within that directory: it should never
+fail, but does. See:
+ https://patchwork.kernel.org/patch/9455345/
+
+We could fix this race by taking d_lock and rechecking when
+d_unhashed() reports true. Alternately when can remove the window,
+which is the approach this patch takes.
+
+___d_drop() is introduce which does *not* clear d_hash.pprev
+so the dentry still appears to be hashed. __d_drop() calls
+___d_drop(), then clears d_hash.pprev.
+__d_move() now uses ___d_drop() and only clears d_hash.pprev
+when not rehashing.
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dcache.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -461,9 +461,11 @@ static void dentry_lru_add(struct dentry
+ * d_drop() is used mainly for stuff that wants to invalidate a dentry for some
+ * reason (NFS timeouts or autofs deletes).
+ *
+- * __d_drop requires dentry->d_lock.
++ * __d_drop requires dentry->d_lock
++ * ___d_drop doesn't mark dentry as "unhashed"
++ * (dentry->d_hash.pprev will be LIST_POISON2, not NULL).
+ */
+-void __d_drop(struct dentry *dentry)
++static void ___d_drop(struct dentry *dentry)
+ {
+ if (!d_unhashed(dentry)) {
+ struct hlist_bl_head *b;
+@@ -479,12 +481,17 @@ void __d_drop(struct dentry *dentry)
+
+ hlist_bl_lock(b);
+ __hlist_bl_del(&dentry->d_hash);
+- dentry->d_hash.pprev = NULL;
+ hlist_bl_unlock(b);
+ /* After this call, in-progress rcu-walk path lookup will fail. */
+ write_seqcount_invalidate(&dentry->d_seq);
+ }
+ }
++
++void __d_drop(struct dentry *dentry)
++{
++ ___d_drop(dentry);
++ dentry->d_hash.pprev = NULL;
++}
+ EXPORT_SYMBOL(__d_drop);
+
+ void d_drop(struct dentry *dentry)
+@@ -2378,7 +2385,7 @@ EXPORT_SYMBOL(d_delete);
+ static void __d_rehash(struct dentry *entry)
+ {
+ struct hlist_bl_head *b = d_hash(entry->d_name.hash);
+- BUG_ON(!d_unhashed(entry));
++
+ hlist_bl_lock(b);
+ hlist_bl_add_head_rcu(&entry->d_hash, b);
+ hlist_bl_unlock(b);
+@@ -2815,9 +2822,9 @@ static void __d_move(struct dentry *dent
+ write_seqcount_begin_nested(&target->d_seq, DENTRY_D_LOCK_NESTED);
+
+ /* unhash both */
+- /* __d_drop does write_seqcount_barrier, but they're OK to nest. */
+- __d_drop(dentry);
+- __d_drop(target);
++ /* ___d_drop does write_seqcount_barrier, but they're OK to nest. */
++ ___d_drop(dentry);
++ ___d_drop(target);
+
+ /* Switch the names.. */
+ if (exchange)
+@@ -2829,6 +2836,8 @@ static void __d_move(struct dentry *dent
+ __d_rehash(dentry);
+ if (exchange)
+ __d_rehash(target);
++ else
++ target->d_hash.pprev = NULL;
+
+ /* ... and switch them in the tree */
+ if (IS_ROOT(dentry)) {
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Fri, 12 May 2017 12:00:01 -0400
+Subject: vmxnet3: ensure that adapter is in proper state during force_close
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+
+[ Upstream commit 1c4d5f51a812a82de97beee24f48ed05c65ebda5 ]
+
+There are several paths in vmxnet3, where settings changes cause the
+adapter to be brought down and back up (vmxnet3_set_ringparam among
+them). Should part of the reset operation fail, these paths call
+vmxnet3_force_close, which enables all napi instances prior to calling
+dev_close (with the expectation that vmxnet3_close will then properly
+disable them again). However, vmxnet3_force_close neglects to clear
+VMXNET3_STATE_BIT_QUIESCED prior to calling dev_close. As a result
+vmxnet3_quiesce_dev (called from vmxnet3_close), returns early, and
+leaves all the napi instances in a enabled state while the device itself
+is closed. If a device in this state is activated again, napi_enable
+will be called on already enabled napi_instances, leading to a BUG halt.
+
+The fix is to simply enausre that the QUIESCED bit is cleared in
+vmxnet3_force_close to allow quesence to be completed properly on close.
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+CC: Shrikrishna Khare <skhare@vmware.com>
+CC: "VMware, Inc." <pv-drivers@vmware.com>
+CC: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -2962,6 +2962,11 @@ vmxnet3_force_close(struct vmxnet3_adapt
+ /* we need to enable NAPI, otherwise dev_close will deadlock */
+ for (i = 0; i < adapter->num_rx_queues; i++)
+ napi_enable(&adapter->rx_queue[i].napi);
++ /*
++ * Need to clear the quiesce bit to ensure that vmxnet3_close
++ * can quiesce the device properly
++ */
++ clear_bit(VMXNET3_STATE_BIT_QUIESCED, &adapter->state);
+ dev_close(adapter->netdev);
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Roopa Prabhu <roopa@cumulusnetworks.com>
+Date: Sun, 11 Jun 2017 16:32:50 -0700
+Subject: vxlan: dont migrate permanent fdb entries during learn
+
+From: Roopa Prabhu <roopa@cumulusnetworks.com>
+
+
+[ Upstream commit e0090a9e979de5202c7d16c635dea2f005221073 ]
+
+This patch fixes vxlan_snoop to not move permanent fdb entries
+on learn events. This is consistent with the bridge fdb
+handling of permanent entries.
+
+Fixes: 26a41ae60438 ("vxlan: only migrate dynamic FDB entries")
+Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -930,7 +930,7 @@ static bool vxlan_snoop(struct net_devic
+ return false;
+
+ /* Don't migrate static entries, drop packets */
+- if (f->state & NUD_NOARP)
++ if (f->state & (NUD_PERMANENT | NUD_NOARP))
+ return true;
+
+ if (net_ratelimit())
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
+Date: Mon, 17 Apr 2017 22:37:05 +0200
+Subject: watchdog: f71808e_wdt: Add F71868 support
+
+From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
+
+
+[ Upstream commit 166fbcf88fdafa02f784ec25ac64745c716b2de0 ]
+
+This adds support for watchdog part of Fintek F71868 Super I/O chip to
+f71808e_wdt driver.
+
+The F71868 chip is, in general, very similar to a F71869, however it has
+slightly different set of available reset pulse widths.
+
+Tested on MSI A55M-P33 motherboard.
+
+Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/Kconfig | 7 ++++---
+ drivers/watchdog/f71808e_wdt.c | 27 ++++++++++++++++++++-------
+ 2 files changed, 24 insertions(+), 10 deletions(-)
+
+--- a/drivers/watchdog/Kconfig
++++ b/drivers/watchdog/Kconfig
+@@ -799,11 +799,12 @@ config EBC_C384_WDT
+ the timeout module parameter.
+
+ config F71808E_WDT
+- tristate "Fintek F71808E, F71862FG, F71869, F71882FG and F71889FG Watchdog"
++ tristate "Fintek F718xx, F818xx Super I/O Watchdog"
+ depends on X86
+ help
+- This is the driver for the hardware watchdog on the Fintek
+- F71808E, F71862FG, F71869, F71882FG and F71889FG Super I/O controllers.
++ This is the driver for the hardware watchdog on the Fintek F71808E,
++ F71862FG, F71868, F71869, F71882FG, F71889FG, F81865 and F81866
++ Super I/O controllers.
+
+ You can compile this driver directly into the kernel, or use
+ it as a module. The module will be called f71808e_wdt.
+--- a/drivers/watchdog/f71808e_wdt.c
++++ b/drivers/watchdog/f71808e_wdt.c
+@@ -57,6 +57,7 @@
+ #define SIO_F71808_ID 0x0901 /* Chipset ID */
+ #define SIO_F71858_ID 0x0507 /* Chipset ID */
+ #define SIO_F71862_ID 0x0601 /* Chipset ID */
++#define SIO_F71868_ID 0x1106 /* Chipset ID */
+ #define SIO_F71869_ID 0x0814 /* Chipset ID */
+ #define SIO_F71869A_ID 0x1007 /* Chipset ID */
+ #define SIO_F71882_ID 0x0541 /* Chipset ID */
+@@ -101,7 +102,7 @@ MODULE_PARM_DESC(timeout,
+ static unsigned int pulse_width = WATCHDOG_PULSE_WIDTH;
+ module_param(pulse_width, uint, 0);
+ MODULE_PARM_DESC(pulse_width,
+- "Watchdog signal pulse width. 0(=level), 1 ms, 25 ms, 125 ms or 5000 ms"
++ "Watchdog signal pulse width. 0(=level), 1, 25, 30, 125, 150, 5000 or 6000 ms"
+ " (default=" __MODULE_STRING(WATCHDOG_PULSE_WIDTH) ")");
+
+ static unsigned int f71862fg_pin = WATCHDOG_F71862FG_PIN;
+@@ -119,13 +120,14 @@ module_param(start_withtimeout, uint, 0)
+ MODULE_PARM_DESC(start_withtimeout, "Start watchdog timer on module load with"
+ " given initial timeout. Zero (default) disables this feature.");
+
+-enum chips { f71808fg, f71858fg, f71862fg, f71869, f71882fg, f71889fg, f81865,
+- f81866};
++enum chips { f71808fg, f71858fg, f71862fg, f71868, f71869, f71882fg, f71889fg,
++ f81865, f81866};
+
+ static const char *f71808e_names[] = {
+ "f71808fg",
+ "f71858fg",
+ "f71862fg",
++ "f71868",
+ "f71869",
+ "f71882fg",
+ "f71889fg",
+@@ -252,16 +254,23 @@ static int watchdog_set_timeout(int time
+ static int watchdog_set_pulse_width(unsigned int pw)
+ {
+ int err = 0;
++ unsigned int t1 = 25, t2 = 125, t3 = 5000;
++
++ if (watchdog.type == f71868) {
++ t1 = 30;
++ t2 = 150;
++ t3 = 6000;
++ }
+
+ mutex_lock(&watchdog.lock);
+
+- if (pw <= 1) {
++ if (pw <= 1) {
+ watchdog.pulse_val = 0;
+- } else if (pw <= 25) {
++ } else if (pw <= t1) {
+ watchdog.pulse_val = 1;
+- } else if (pw <= 125) {
++ } else if (pw <= t2) {
+ watchdog.pulse_val = 2;
+- } else if (pw <= 5000) {
++ } else if (pw <= t3) {
+ watchdog.pulse_val = 3;
+ } else {
+ pr_err("pulse width out of range\n");
+@@ -354,6 +363,7 @@ static int watchdog_start(void)
+ goto exit_superio;
+ break;
+
++ case f71868:
+ case f71869:
+ /* GPIO14 --> WDTRST# */
+ superio_clear_bit(watchdog.sioaddr, SIO_REG_MFUNCT1, 4);
+@@ -792,6 +802,9 @@ static int __init f71808e_find(int sioad
+ watchdog.type = f71862fg;
+ err = f71862fg_pin_configure(0); /* validate module parameter */
+ break;
++ case SIO_F71868_ID:
++ watchdog.type = f71868;
++ break;
+ case SIO_F71869_ID:
+ case SIO_F71869A_ID:
+ watchdog.type = f71869;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 26 Dec 2017 17:33:18 +0000
+Subject: wl1251: check return from call to wl1251_acx_arp_ip_filter
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit ac1181c60822292176ab96912208ec9f9819faf8 ]
+
+Currently the less than zero error check on ret is incorrect
+as it is checking a far earlier ret assignment rather than the
+return from the call to wl1251_acx_arp_ip_filter. Fix this by
+adding in the missing assginment.
+
+Detected by CoverityScan, CID#1164835 ("Logically dead code")
+
+Fixes: 204cc5c44fb6 ("wl1251: implement hardware ARP filtering")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ti/wl1251/main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ti/wl1251/main.c
++++ b/drivers/net/wireless/ti/wl1251/main.c
+@@ -1200,8 +1200,7 @@ static void wl1251_op_bss_info_changed(s
+ WARN_ON(wl->bss_type != BSS_TYPE_STA_BSS);
+
+ enable = bss_conf->arp_addr_cnt == 1 && bss_conf->assoc;
+- wl1251_acx_arp_ip_filter(wl, enable, addr);
+-
++ ret = wl1251_acx_arp_ip_filter(wl, enable, addr);
+ if (ret < 0)
+ goto out_sleep;
+ }
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 8 Jun 2017 14:47:49 +0100
+Subject: X.509: Fix error code in x509_cert_parse()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 4e880168e9ffb1cdbdb72b3b48ab0324b30c2d62 ]
+
+We forgot to set the error code on this path so it could result in
+returning NULL which leads to a NULL dereference.
+
+Fixes: db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/asymmetric_keys/x509_cert_parser.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/crypto/asymmetric_keys/x509_cert_parser.c
++++ b/crypto/asymmetric_keys/x509_cert_parser.c
+@@ -102,6 +102,7 @@ struct x509_certificate *x509_cert_parse
+ }
+ }
+
++ ret = -ENOMEM;
+ cert->pub->key = kmemdup(ctx->key, ctx->key_size, GFP_KERNEL);
+ if (!cert->pub->key)
+ goto error_decode;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Thu, 4 May 2017 09:51:40 -0500
+Subject: x86/asm: Don't use RBP as a temporary register in csum_partial_copy_generic()
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+
+[ Upstream commit 42fc6c6cb1662ba2fa727dd01c9473c63be4e3b6 ]
+
+Andrey Konovalov reported the following warning while fuzzing the kernel
+with syzkaller:
+
+ WARNING: kernel stack regs at ffff8800686869f8 in a.out:4933 has bad 'bp' value c3fc855a10167ec0
+
+The unwinder dump revealed that RBP had a bad value when an interrupt
+occurred in csum_partial_copy_generic().
+
+That function saves RBP on the stack and then overwrites it, using it as
+a scratch register. That's problematic because it breaks stack traces
+if an interrupt occurs in the middle of the function.
+
+Replace the usage of RBP with another callee-saved register (R15) so
+stack traces are no longer affected.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: David S . Miller <davem@davemloft.net>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Kostya Serebryany <kcc@google.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vlad Yasevich <vyasevich@gmail.com>
+Cc: linux-sctp@vger.kernel.org
+Cc: netdev <netdev@vger.kernel.org>
+Cc: syzkaller <syzkaller@googlegroups.com>
+Link: http://lkml.kernel.org/r/4b03a961efda5ec9bfe46b7b9c9ad72d1efad343.1493909486.git.jpoimboe@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/lib/csum-copy_64.S | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/lib/csum-copy_64.S
++++ b/arch/x86/lib/csum-copy_64.S
+@@ -55,7 +55,7 @@ ENTRY(csum_partial_copy_generic)
+ movq %r12, 3*8(%rsp)
+ movq %r14, 4*8(%rsp)
+ movq %r13, 5*8(%rsp)
+- movq %rbp, 6*8(%rsp)
++ movq %r15, 6*8(%rsp)
+
+ movq %r8, (%rsp)
+ movq %r9, 1*8(%rsp)
+@@ -74,7 +74,7 @@ ENTRY(csum_partial_copy_generic)
+ /* main loop. clear in 64 byte blocks */
+ /* r9: zero, r8: temp2, rbx: temp1, rax: sum, rcx: saved length */
+ /* r11: temp3, rdx: temp4, r12 loopcnt */
+- /* r10: temp5, rbp: temp6, r14 temp7, r13 temp8 */
++ /* r10: temp5, r15: temp6, r14 temp7, r13 temp8 */
+ .p2align 4
+ .Lloop:
+ source
+@@ -89,7 +89,7 @@ ENTRY(csum_partial_copy_generic)
+ source
+ movq 32(%rdi), %r10
+ source
+- movq 40(%rdi), %rbp
++ movq 40(%rdi), %r15
+ source
+ movq 48(%rdi), %r14
+ source
+@@ -103,7 +103,7 @@ ENTRY(csum_partial_copy_generic)
+ adcq %r11, %rax
+ adcq %rdx, %rax
+ adcq %r10, %rax
+- adcq %rbp, %rax
++ adcq %r15, %rax
+ adcq %r14, %rax
+ adcq %r13, %rax
+
+@@ -121,7 +121,7 @@ ENTRY(csum_partial_copy_generic)
+ dest
+ movq %r10, 32(%rsi)
+ dest
+- movq %rbp, 40(%rsi)
++ movq %r15, 40(%rsi)
+ dest
+ movq %r14, 48(%rsi)
+ dest
+@@ -203,7 +203,7 @@ ENTRY(csum_partial_copy_generic)
+ movq 3*8(%rsp), %r12
+ movq 4*8(%rsp), %r14
+ movq 5*8(%rsp), %r13
+- movq 6*8(%rsp), %rbp
++ movq 6*8(%rsp), %r15
+ addq $7*8, %rsp
+ ret
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 5 May 2017 21:51:16 -0700
+Subject: x86/boot: Declare error() as noreturn
+
+From: Kees Cook <keescook@chromium.org>
+
+
+[ Upstream commit 60854a12d281e2fa25662fa32ac8022bbff17432 ]
+
+The compressed boot function error() is used to halt execution, but it
+wasn't marked with "noreturn". This fixes that in preparation for
+supporting kernel FORTIFY_SOURCE, which uses the noreturn annotation
+on panic, and calls error(). GCC would warn about a noreturn function
+calling a non-noreturn function:
+
+ arch/x86/boot/compressed/misc.c: In function ‘fortify_panic’:
+ arch/x86/boot/compressed/misc.c:416:1: warning: ‘noreturn’ function does return
+ }
+ ^
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Daniel Micay <danielmicay@gmail.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Link: http://lkml.kernel.org/r/20170506045116.GA2879@beast
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/boot/compressed/error.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/boot/compressed/error.h
++++ b/arch/x86/boot/compressed/error.h
+@@ -1,7 +1,9 @@
+ #ifndef BOOT_COMPRESSED_ERROR_H
+ #define BOOT_COMPRESSED_ERROR_H
+
++#include <linux/compiler.h>
++
+ void warn(char *m);
+-void error(char *m);
++void error(char *m) __noreturn;
+
+ #endif /* BOOT_COMPRESSED_ERROR_H */
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Sai Praneeth <sai.praneeth.prakhya@intel.com>
+Date: Fri, 26 May 2017 12:36:49 +0100
+Subject: x86/efi: Disable runtime services on kexec kernel if booted with efi=old_map
+
+From: Sai Praneeth <sai.praneeth.prakhya@intel.com>
+
+
+[ Upstream commit 4e52797d2efefac3271abdc54439a3435abd77b9 ]
+
+Booting kexec kernel with "efi=old_map" in kernel command line hits
+kernel panic as shown below.
+
+ BUG: unable to handle kernel paging request at ffff88007fe78070
+ IP: virt_efi_set_variable.part.7+0x63/0x1b0
+ PGD 7ea28067
+ PUD 7ea2b067
+ PMD 7ea2d067
+ PTE 0
+ [...]
+ Call Trace:
+ virt_efi_set_variable()
+ efi_delete_dummy_variable()
+ efi_enter_virtual_mode()
+ start_kernel()
+ x86_64_start_reservations()
+ x86_64_start_kernel()
+ start_cpu()
+
+[ efi=old_map was never intended to work with kexec. The problem with
+ using efi=old_map is that the virtual addresses are assigned from the
+ memory region used by other kernel mappings; vmalloc() space.
+ Potentially there could be collisions when booting kexec if something
+ else is mapped at the virtual address we allocated for runtime service
+ regions in the initial boot - Matt Fleming ]
+
+Since kexec was never intended to work with efi=old_map, disable
+runtime services in kexec if booted with efi=old_map, so that we don't
+panic.
+
+Tested-by: Lee Chun-Yi <jlee@suse.com>
+Signed-off-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+Acked-by: Dave Young <dyoung@redhat.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ravi Shankar <ravi.v.shankar@intel.com>
+Cc: Ricardo Neri <ricardo.neri@intel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20170526113652.21339-4-matt@codeblueprint.co.uk
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/platform/efi/efi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/platform/efi/efi.c
++++ b/arch/x86/platform/efi/efi.c
+@@ -832,9 +832,11 @@ static void __init kexec_enter_virtual_m
+
+ /*
+ * We don't do virtual mode, since we don't do runtime services, on
+- * non-native EFI
++ * non-native EFI. With efi=old_map, we don't do runtime services in
++ * kexec kernel because in the initial boot something else might
++ * have been mapped at these virtual addresses.
+ */
+- if (!efi_is_native()) {
++ if (!efi_is_native() || efi_enabled(EFI_OLD_MEMMAP)) {
+ efi_memmap_unmap();
+ clear_bit(EFI_RUNTIME_SERVICES, &efi.flags);
+ return;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Matthias Kaehlcke <mka@chromium.org>
+Date: Mon, 1 May 2017 15:47:41 -0700
+Subject: x86/mm/kaslr: Use the _ASM_MUL macro for multiplication to work around Clang incompatibility
+
+From: Matthias Kaehlcke <mka@chromium.org>
+
+
+[ Upstream commit 121843eb02a6e2fa30aefab64bfe183c97230c75 ]
+
+The constraint "rm" allows the compiler to put mix_const into memory.
+When the input operand is a memory location then MUL needs an operand
+size suffix, since Clang can't infer the multiplication width from the
+operand.
+
+Add and use the _ASM_MUL macro which determines the operand size and
+resolves to the NUL instruction with the corresponding suffix.
+
+This fixes the following error when building with clang:
+
+ CC arch/x86/lib/kaslr.o
+ /tmp/kaslr-dfe1ad.s: Assembler messages:
+ /tmp/kaslr-dfe1ad.s:182: Error: no instruction mnemonic suffix given and no register operands; can't size instruction
+
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
+Cc: Grant Grundler <grundler@chromium.org>
+Cc: Greg Hackmann <ghackmann@google.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Davidson <md@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20170501224741.133938-1-mka@chromium.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/asm.h | 1 +
+ arch/x86/lib/kaslr.c | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/asm.h
++++ b/arch/x86/include/asm/asm.h
+@@ -34,6 +34,7 @@
+ #define _ASM_ADD __ASM_SIZE(add)
+ #define _ASM_SUB __ASM_SIZE(sub)
+ #define _ASM_XADD __ASM_SIZE(xadd)
++#define _ASM_MUL __ASM_SIZE(mul)
+
+ #define _ASM_AX __ASM_REG(ax)
+ #define _ASM_BX __ASM_REG(bx)
+--- a/arch/x86/lib/kaslr.c
++++ b/arch/x86/lib/kaslr.c
+@@ -5,6 +5,7 @@
+ * kernel starts. This file is included in the compressed kernel and
+ * normally linked in the regular.
+ */
++#include <asm/asm.h>
+ #include <asm/kaslr.h>
+ #include <asm/msr.h>
+ #include <asm/archrandom.h>
+@@ -79,7 +80,7 @@ unsigned long kaslr_get_random_long(cons
+ }
+
+ /* Circular multiply for better bit diffusion */
+- asm("mul %3"
++ asm(_ASM_MUL "%3"
+ : "=a" (random), "=d" (raw)
+ : "a" (random), "rm" (mix_const));
+ random += raw;
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 13 Apr 2017 14:56:44 +0200
+Subject: x86/tsc: Provide 'tsc=unstable' boot parameter
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+
+[ Upstream commit 8309f86cd41e8714526867177facf7a316d9be53 ]
+
+Since the clocksource watchdog will only detect broken TSC after the
+fact, all TSC based clocks will likely have observed non-continuous
+values before/when switching away from TSC.
+
+Therefore only thing to fully avoid random clock movement when your
+BIOS randomly mucks with TSC values from SMI handlers is reporting the
+TSC as unstable at boot.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/tsc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -366,6 +366,8 @@ static int __init tsc_setup(char *str)
+ tsc_clocksource_reliable = 1;
+ if (!strncmp(str, "noirqtime", 9))
+ no_sched_irq_time = 1;
++ if (!strcmp(str, "unstable"))
++ mark_tsc_unstable("boot parameter");
+ return 1;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 8 Jun 2017 10:53:10 +0200
+Subject: xen: avoid type warning in xchg_xen_ulong
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+
+[ Upstream commit 9cc91f212111cdcbefa02dcdb7dd443f224bf52c ]
+
+The improved type-checking version of container_of() triggers a warning for
+xchg_xen_ulong, pointing out that 'xen_ulong_t' is unsigned, but atomic64_t
+contains a signed value:
+
+drivers/xen/events/events_2l.c: In function 'evtchn_2l_handle_events':
+drivers/xen/events/events_2l.c:187:1020: error: call to '__compiletime_assert_187' declared with attribute error: pointer type mismatch in container_of()
+
+This adds a cast to work around the warning.
+
+Cc: Ian Abbott <abbotti@mev.co.uk>
+Fixes: 85323a991d40 ("xen: arm: mandate EABI and use generic atomic operations.")
+Fixes: daa2ac80834d ("kernel.h: handle pointers to arrays better in container_of()")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Acked-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/include/asm/xen/events.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/include/asm/xen/events.h
++++ b/arch/arm/include/asm/xen/events.h
+@@ -16,7 +16,7 @@ static inline int xen_irqs_disabled(stru
+ return raw_irqs_disabled_flags(regs->ARM_cpsr);
+ }
+
+-#define xchg_xen_ulong(ptr, val) atomic64_xchg(container_of((ptr), \
++#define xchg_xen_ulong(ptr, val) atomic64_xchg(container_of((long long*)(ptr),\
+ atomic64_t, \
+ counter), (val))
+
--- /dev/null
+From foo@baz Mon Apr 9 17:09:24 CEST 2018
+From: Antony Antony <antony@phenome.org>
+Date: Fri, 19 May 2017 12:47:00 +0200
+Subject: xfrm: fix state migration copy replay sequence numbers
+
+From: Antony Antony <antony@phenome.org>
+
+
+[ Upstream commit a486cd23661c9387fb076c3f6ae8b2aa9d20d54a ]
+
+During xfrm migration copy replay and preplay sequence numbers
+from the previous state.
+
+Here is a tcpdump output showing the problem.
+10.0.10.46 is running vanilla kernel, is the IKE/IPsec responder.
+After the migration it sent wrong sequence number, reset to 1.
+The migration is from 10.0.0.52 to 10.0.0.53.
+
+IP 10.0.0.52.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7cf), length 136
+IP 10.0.10.46.4500 > 10.0.0.52.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x7cf), length 136
+IP 10.0.0.52.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d0), length 136
+IP 10.0.10.46.4500 > 10.0.0.52.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x7d0), length 136
+
+IP 10.0.0.53.4500 > 10.0.10.46.4500: NONESP-encap: isakmp: child_sa inf2[I]
+IP 10.0.10.46.4500 > 10.0.0.53.4500: NONESP-encap: isakmp: child_sa inf2[R]
+IP 10.0.0.53.4500 > 10.0.10.46.4500: NONESP-encap: isakmp: child_sa inf2[I]
+IP 10.0.10.46.4500 > 10.0.0.53.4500: NONESP-encap: isakmp: child_sa inf2[R]
+
+IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d1), length 136
+
+NOTE: next sequence is wrong 0x1
+
+IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x1), length 136
+IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d2), length 136
+IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x2), length 136
+
+Signed-off-by: Antony Antony <antony@phenome.org>
+Reviewed-by: Richard Guy Briggs <rgb@tricolour.ca>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_state.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1246,6 +1246,8 @@ static struct xfrm_state *xfrm_state_clo
+ x->curlft.add_time = orig->curlft.add_time;
+ x->km.state = orig->km.state;
+ x->km.seq = orig->km.seq;
++ x->replay = orig->replay;
++ x->preplay = orig->preplay;
+
+ return x;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
