--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Lenny Szubowicz <lszubowi@redhat.com>
+Date: Tue, 27 Mar 2018 09:56:40 -0400
+Subject: ACPI: acpi_pad: Fix memory leak in power saving threads
+
+From: Lenny Szubowicz <lszubowi@redhat.com>
+
+[ Upstream commit 8b29d29abc484d638213dd79a18a95ae7e5bb402 ]
+
+Fix once per second (round_robin_time) memory leak of about 1 KB in
+each acpi_pad kernel idling thread that is activated.
+
+Found by testing with kmemleak.
+
+Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpi_pad.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/acpi/acpi_pad.c
++++ b/drivers/acpi/acpi_pad.c
+@@ -110,6 +110,7 @@ static void round_robin_cpu(unsigned int
+ cpumask_andnot(tmp, cpu_online_mask, pad_busy_cpus);
+ if (cpumask_empty(tmp)) {
+ mutex_unlock(&round_robin_lock);
++ free_cpumask_var(tmp);
+ return;
+ }
+ for_each_cpu(cpu, tmp) {
+@@ -127,6 +128,8 @@ static void round_robin_cpu(unsigned int
+ mutex_unlock(&round_robin_lock);
+
+ set_cpus_allowed_ptr(current, cpumask_of(preferred_cpu));
++
++ free_cpumask_var(tmp);
+ }
+
+ static void exit_round_robin(unsigned int tsk_index)
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Wed, 14 Mar 2018 16:12:56 -0700
+Subject: ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c
+
+From: Seunghun Han <kkamagui@gmail.com>
+
+[ Upstream commit 97f3c0a4b0579b646b6b10ae5a3d59f0441cc12c ]
+
+I found an ACPI cache leak in ACPI early termination and boot continuing case.
+
+When early termination occurs due to malicious ACPI table, Linux kernel
+terminates ACPI function and continues to boot process. While kernel terminates
+ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
+
+Boot log of ACPI operand cache leak is as follows:
+>[ 0.464168] ACPI: Added _OSI(Module Device)
+>[ 0.467022] ACPI: Added _OSI(Processor Device)
+>[ 0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
+>[ 0.471647] ACPI: Added _OSI(Processor Aggregator Device)
+>[ 0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
+>[ 0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
+>[ 0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
+>[ 0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
+>[ 0.497683] ACPI: Interpreter enabled
+>[ 0.499385] ACPI: (supports S0)
+>[ 0.501151] ACPI: Using IOAPIC for interrupt routing
+>[ 0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
+>[ 0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
+>[ 0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
+>[ 0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
+>[ 0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
+>[ 0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
+>[ 0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
+>[ 0.526795] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006
+>[ 0.529668] Call Trace:
+>[ 0.530811] ? dump_stack+0x5c/0x81
+>[ 0.532240] ? kmem_cache_destroy+0x1aa/0x1c0
+>[ 0.533905] ? acpi_os_delete_cache+0xa/0x10
+>[ 0.535497] ? acpi_ut_delete_caches+0x3f/0x7b
+>[ 0.537237] ? acpi_terminate+0xa/0x14
+>[ 0.538701] ? acpi_init+0x2af/0x34f
+>[ 0.540008] ? acpi_sleep_proc_init+0x27/0x27
+>[ 0.541593] ? do_one_initcall+0x4e/0x1a0
+>[ 0.543008] ? kernel_init_freeable+0x19e/0x21f
+>[ 0.546202] ? rest_init+0x80/0x80
+>[ 0.547513] ? kernel_init+0xa/0x100
+>[ 0.548817] ? ret_from_fork+0x25/0x30
+>[ 0.550587] vgaarb: loaded
+>[ 0.551716] EDAC MC: Ver: 3.0.0
+>[ 0.553744] PCI: Probing PCI hardware
+>[ 0.555038] PCI host bridge to bus 0000:00
+> ... Continue to boot and log is omitted ...
+
+I analyzed this memory leak in detail and found acpi_ns_evaluate() function
+only removes Info->return_object in AE_CTRL_RETURN_VALUE case. But, when errors
+occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->return_object is
+also not null. Therefore, this causes acpi operand memory leak.
+
+This cache leak causes a security threat because an old kernel (<= 4.9) shows
+memory locations of kernel functions in stack dump. Some malicious users
+could use this information to neutralize kernel ASLR.
+
+I made a patch to fix ACPI operand cache leak.
+
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpica/nseval.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/acpi/acpica/nseval.c
++++ b/drivers/acpi/acpica/nseval.c
+@@ -308,6 +308,14 @@ acpi_status acpi_ns_evaluate(struct acpi
+ /* Map AE_CTRL_RETURN_VALUE to AE_OK, we are done with it */
+
+ status = AE_OK;
++ } else if (ACPI_FAILURE(status)) {
++
++ /* If return_object exists, delete it */
++
++ if (info->return_object) {
++ acpi_ut_remove_reference(info->return_object);
++ info->return_object = NULL;
++ }
+ }
+
+ ACPI_DEBUG_PRINT((ACPI_DB_NAMES,
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Erik Schmauss <erik.schmauss@intel.com>
+Date: Wed, 14 Mar 2018 16:13:08 -0700
+Subject: ACPICA: Events: add a return on failure from acpi_hw_register_read
+
+From: Erik Schmauss <erik.schmauss@intel.com>
+
+[ Upstream commit b4c0de312613ca676db5bd7e696a44b56795612a ]
+
+This ensures that acpi_ev_fixed_event_detect() does not use fixed_status
+and and fixed_enable as uninitialized variables.
+
+Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpica/evevent.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/acpica/evevent.c
++++ b/drivers/acpi/acpica/evevent.c
+@@ -204,6 +204,7 @@ u32 acpi_ev_fixed_event_detect(void)
+ u32 fixed_status;
+ u32 fixed_enable;
+ u32 i;
++ acpi_status status;
+
+ ACPI_FUNCTION_NAME(ev_fixed_event_detect);
+
+@@ -211,8 +212,12 @@ u32 acpi_ev_fixed_event_detect(void)
+ * Read the fixed feature status and enable registers, as all the cases
+ * depend on their values. Ignore errors here.
+ */
+- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status);
+- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable);
++ status = acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status);
++ status |=
++ acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable);
++ if (ACPI_FAILURE(status)) {
++ return (int_status);
++ }
+
+ ACPI_DEBUG_PRINT((ACPI_DB_INTERRUPTS,
+ "Fixed Event Block: Enable %08X Status %08X\n",
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Bob Moore <robert.moore@intel.com>
+Date: Wed, 14 Mar 2018 16:13:01 -0700
+Subject: ACPICA: Fix memory leak on unusual memory leak
+
+From: Bob Moore <robert.moore@intel.com>
+
+[ Upstream commit 1c29c372b2d1d2415601041532745ce859f24126 ]
+
+Fixes a single-object memory leak on a store-to-reference method
+invocation. ACPICA BZ 1439.
+
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpica/psargs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/acpi/acpica/psargs.c
++++ b/drivers/acpi/acpica/psargs.c
+@@ -890,6 +890,10 @@ acpi_ps_get_next_arg(struct acpi_walk_st
+ ACPI_POSSIBLE_METHOD_CALL);
+
+ if (arg->common.aml_opcode == AML_INT_METHODCALL_OP) {
++
++ /* Free method call op and corresponding namestring sub-ob */
++
++ acpi_ps_free_op(arg->common.value.arg);
+ acpi_ps_free_op(arg);
+ arg = NULL;
+ walk_state->arg_count = 1;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Nobutaka Okabe <nob77413@gmail.com>
+Date: Fri, 23 Mar 2018 19:18:22 +0900
+Subject: ALSA: usb-audio: Add native DSD support for Luxman DA-06
+
+From: Nobutaka Okabe <nob77413@gmail.com>
+
+[ Upstream commit 71426535f49fe6034d0e0db77608b91a0c1a022d ]
+
+Add native DSD support quirk for Luxman DA-06 DAC, by adding the
+PID/VID 1852:5065.
+
+Rename "is_marantz_denon_dac()" function to "is_itf_usb_dsd_2alts_dac()"
+to cover broader device family sharing the same USB audio
+implementation(*).
+For the same reason, rename "is_teac_dsd_dac()" function to
+"is_itf_usb_dsd_3alts_dac()".
+
+(*)
+These devices have the same USB controller "ITF-USB DSD", supplied by
+INTERFACE Co., Ltd.
+"ITF-USB DSD" USB controller has two patterns,
+
+Pattern 1. (2 altsets version)
+- Altset 0: for control
+- Altset 1: for stream (S32)
+- Altset 2: for stream (S32, DSD_U32)
+
+Pattern 2. (3 altsets version)
+- Altset 0: for control
+- Altset 1: for stream (S16)
+- Altset 2: for stream (S32)
+- Altset 3: for stream (S32, DSD_U32)
+
+"is_itf_usb_dsd_2alts_dac()" returns true, if the DAC has "Pattern 1"
+USB controller, and "is_itf_usb_dsd_3alts_dac()" returns true, if
+"Pattern2".
+
+Signed-off-by: Nobutaka Okabe <nob77413@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/quirks.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1149,24 +1149,27 @@ bool snd_usb_get_sample_rate_quirk(struc
+ return false;
+ }
+
+-/* Marantz/Denon USB DACs need a vendor cmd to switch
++/* ITF-USB DSD based DACs need a vendor cmd to switch
+ * between PCM and native DSD mode
++ * (2 altsets version)
+ */
+-static bool is_marantz_denon_dac(unsigned int id)
++static bool is_itf_usb_dsd_2alts_dac(unsigned int id)
+ {
+ switch (id) {
+ case USB_ID(0x154e, 0x1003): /* Denon DA-300USB */
+ case USB_ID(0x154e, 0x3005): /* Marantz HD-DAC1 */
+ case USB_ID(0x154e, 0x3006): /* Marantz SA-14S1 */
++ case USB_ID(0x1852, 0x5065): /* Luxman DA-06 */
+ return true;
+ }
+ return false;
+ }
+
+-/* TEAC UD-501/UD-503/NT-503 USB DACs need a vendor cmd to switch
+- * between PCM/DOP and native DSD mode
++/* ITF-USB DSD based DACs need a vendor cmd to switch
++ * between PCM and native DSD mode
++ * (3 altsets version)
+ */
+-static bool is_teac_dsd_dac(unsigned int id)
++static bool is_itf_usb_dsd_3alts_dac(unsigned int id)
+ {
+ switch (id) {
+ case USB_ID(0x0644, 0x8043): /* TEAC UD-501/UD-503/NT-503 */
+@@ -1183,7 +1186,7 @@ int snd_usb_select_mode_quirk(struct snd
+ struct usb_device *dev = subs->dev;
+ int err;
+
+- if (is_marantz_denon_dac(subs->stream->chip->usb_id)) {
++ if (is_itf_usb_dsd_2alts_dac(subs->stream->chip->usb_id)) {
+ /* First switch to alt set 0, otherwise the mode switch cmd
+ * will not be accepted by the DAC
+ */
+@@ -1204,7 +1207,7 @@ int snd_usb_select_mode_quirk(struct snd
+ break;
+ }
+ mdelay(20);
+- } else if (is_teac_dsd_dac(subs->stream->chip->usb_id)) {
++ } else if (is_itf_usb_dsd_3alts_dac(subs->stream->chip->usb_id)) {
+ /* Vendor mode switch cmd is required. */
+ switch (fmt->altsetting) {
+ case 3: /* DSD mode (DSD_U32) requested */
+@@ -1300,10 +1303,10 @@ void snd_usb_ctl_msg_quirk(struct usb_de
+ (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
+ mdelay(20);
+
+- /* Marantz/Denon devices with USB DAC functionality need a delay
++ /* ITF-USB DSD based DACs functionality need a delay
+ * after each class compliant request
+ */
+- if (is_marantz_denon_dac(chip->usb_id)
++ if (is_itf_usb_dsd_2alts_dac(chip->usb_id)
+ && (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
+ mdelay(20);
+
+@@ -1390,14 +1393,14 @@ u64 snd_usb_interface_dsd_format_quirks(
+ break;
+ }
+
+- /* Denon/Marantz devices with USB DAC functionality */
+- if (is_marantz_denon_dac(chip->usb_id)) {
++ /* ITF-USB DSD based DACs (2 altsets version) */
++ if (is_itf_usb_dsd_2alts_dac(chip->usb_id)) {
+ if (fp->altsetting == 2)
+ return SNDRV_PCM_FMTBIT_DSD_U32_BE;
+ }
+
+- /* TEAC devices with USB DAC functionality */
+- if (is_teac_dsd_dac(chip->usb_id)) {
++ /* ITF-USB DSD based DACs (3 altsets version) */
++ if (is_itf_usb_dsd_3alts_dac(chip->usb_id)) {
+ if (fp->altsetting == 3)
+ return SNDRV_PCM_FMTBIT_DSD_U32_BE;
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 8 Mar 2018 08:26:48 +0100
+Subject: ALSA: vmaster: Propagate slave error
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 2e2c177ca84aff092c3c96714b0f6a12900f3946 ]
+
+In slave_update() of vmaster code ignores the error from the slave
+get() callback and copies the values. It's not only about the missing
+error code but also that this may potentially lead to a leak of
+uninitialized variables when the slave get() don't clear them.
+
+This patch fixes slave_update() not to copy the potentially
+uninitialized values when an error is returned from the slave get()
+callback, and to propagate the error value properly.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/vmaster.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/sound/core/vmaster.c
++++ b/sound/core/vmaster.c
+@@ -68,10 +68,13 @@ static int slave_update(struct link_slav
+ return -ENOMEM;
+ uctl->id = slave->slave.id;
+ err = slave->slave.get(&slave->slave, uctl);
++ if (err < 0)
++ goto error;
+ for (ch = 0; ch < slave->info.count; ch++)
+ slave->vals[ch] = uctl->value.integer.value[ch];
++ error:
+ kfree(uctl);
+- return 0;
++ return err < 0 ? err : 0;
+ }
+
+ /* get the slave ctl info and save the initial values */
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Date: Tue, 10 Apr 2018 16:30:23 -0700
+Subject: ARM: CMA: avoid double mapping to the CMA area if CONFIG_HIGHMEM=y
+
+From: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+
+[ Upstream commit 3d2054ad8c2d5100b68b0c0405f89fd90bf4107b ]
+
+CMA area is now managed by the separate zone, ZONE_MOVABLE, to fix many
+MM related problems. In this implementation, if CONFIG_HIGHMEM = y,
+then ZONE_MOVABLE is considered as HIGHMEM and the memory of the CMA
+area is also considered as HIGHMEM. That means that they are considered
+as the page without direct mapping. However, CMA area could be in a
+lowmem and the memory could have direct mapping.
+
+In ARM, when establishing a new mapping for DMA, direct mapping should
+be cleared since two mapping with different cache policy could cause
+unknown problem. With this patch, PageHighmem() for the CMA memory
+located in lowmem returns true so that the function for DMA mapping
+cannot notice whether it needs to clear direct mapping or not,
+correctly. To handle this situation, this patch always clears direct
+mapping for such CMA memory.
+
+Link: http://lkml.kernel.org/r/1512114786-5085-4-git-send-email-iamjoonsoo.kim@lge.com
+Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Tested-by: Tony Lindgren <tony@atomide.com>
+Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.vnet.ibm.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Laura Abbott <lauraa@codeaurora.org>
+Cc: Marek Szyprowski <m.szyprowski@samsung.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Michal Nazarewicz <mina86@mina86.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mm/dma-mapping.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mm/dma-mapping.c
++++ b/arch/arm/mm/dma-mapping.c
+@@ -466,6 +466,12 @@ void __init dma_contiguous_early_fixup(p
+ void __init dma_contiguous_remap(void)
+ {
+ int i;
++
++ if (!dma_mmu_remap_num)
++ return;
++
++ /* call flush_cache_all() since CMA area would be large enough */
++ flush_cache_all();
+ for (i = 0; i < dma_mmu_remap_num; i++) {
+ phys_addr_t start = dma_mmu_remap[i].base;
+ phys_addr_t end = start + dma_mmu_remap[i].size;
+@@ -498,7 +504,15 @@ void __init dma_contiguous_remap(void)
+ flush_tlb_kernel_range(__phys_to_virt(start),
+ __phys_to_virt(end));
+
+- iotable_init(&map, 1);
++ /*
++ * All the memory in CMA region will be on ZONE_MOVABLE.
++ * If that zone is considered as highmem, the memory in CMA
++ * region is also considered as highmem even if it's
++ * physical address belong to lowmem. In this case,
++ * re-mapping isn't required.
++ */
++ if (!is_highmem_idx(ZONE_MOVABLE))
++ iotable_init(&map, 1);
+ }
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: David Lechner <david@lechnology.com>
+Date: Mon, 15 Jan 2018 11:29:31 -0600
+Subject: ARM: davinci_all_defconfig: set CONFIG_DAVINCI_WATCHDOG=y
+
+From: David Lechner <david@lechnology.com>
+
+[ Upstream commit 35ba26772c827dbfc03be8adc3af8ff0d294b38f ]
+
+This changes CONFIG_DAVINCI_WATCHDOG from a module to a compiled-in
+option. Since the reset function has been moved out of the mach code in
+commit 94f2e94514e5 ("ARM: davinci: remove watchdog reset") and into the
+watchdog driver, devices cannot reboot unless the watchdog driver is
+loaded, so make it a compiled-in option so that we can always reboot, even
+when modules are not loaded.
+
+Cc: Sekhar Nori <nsekhar@ti.com>
+Suggested-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: David Lechner <david@lechnology.com>
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/configs/davinci_all_defconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/configs/davinci_all_defconfig
++++ b/arch/arm/configs/davinci_all_defconfig
+@@ -128,7 +128,7 @@ CONFIG_POWER_RESET=y
+ CONFIG_POWER_RESET_GPIO=y
+ CONFIG_BATTERY_LEGO_EV3=m
+ CONFIG_WATCHDOG=y
+-CONFIG_DAVINCI_WATCHDOG=m
++CONFIG_DAVINCI_WATCHDOG=y
+ CONFIG_MFD_DM355EVM_MSP=y
+ CONFIG_TPS6507X=y
+ CONFIG_REGULATOR=y
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Peter Rosin <peda@axentia.se>
+Date: Tue, 16 Jan 2018 17:06:17 +0100
+Subject: ARM: dts: at91: nattis: use the correct compatible for the eeprom
+
+From: Peter Rosin <peda@axentia.se>
+
+[ Upstream commit 6b65933008a6bbe5ff79a344b41175826848682d ]
+
+The used part does contain an eeprom compatible with an Atmel 24c02
+chip and it is from NXP, but it is not called 24c02. It's actually a
+se97b chip. Adjust the compatible accordingly.
+
+Fixes: 0e4323899973 ("ARM: dts: at91: add devicetree for the Axentia Nattis with Natte power")
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/at91-nattis-2-natte-2.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/at91-nattis-2-natte-2.dts
++++ b/arch/arm/boot/dts/at91-nattis-2-natte-2.dts
+@@ -146,7 +146,7 @@
+ };
+
+ eeprom@50 {
+- compatible = "nxp,24c02";
++ compatible = "nxp,se97b", "atmel,24c02";
+ reg = <0x50>;
+ pagesize = <16>;
+ };
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Peter Rosin <peda@axentia.se>
+Date: Tue, 16 Jan 2018 17:06:18 +0100
+Subject: ARM: dts: at91: tse850: use the correct compatible for the eeprom
+
+From: Peter Rosin <peda@axentia.se>
+
+[ Upstream commit 7981190fb5dd710dea08c2613cee3d05e795ca5e ]
+
+The used part does contain an eeprom compatible with an Atmel 24c02
+chip and it is from NXP, but it is not called 24c02. It's actually a
+se97b chip. Adjust the compatible accordingly.
+
+Fixes: 21dd0ece34c2 ("ARM: dts: at91: add devicetree for the Axentia TSE-850")
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/at91-tse850-3.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/at91-tse850-3.dts
++++ b/arch/arm/boot/dts/at91-tse850-3.dts
+@@ -246,7 +246,7 @@
+ };
+
+ eeprom@50 {
+- compatible = "nxp,24c02", "atmel,24c02";
++ compatible = "nxp,se97b", "atmel,24c02";
+ reg = <0x50>;
+ pagesize = <16>;
+ };
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Henry Zhang <henryzhang62@gmail.com>
+Date: Wed, 17 Jan 2018 18:41:33 -0800
+Subject: ARM: dts: bcm283x: Fix pin function of JTAG pins
+
+From: Henry Zhang <henryzhang62@gmail.com>
+
+[ Upstream commit 1a012cb2569f2031b3636232c3ab21c20c92d281 ]
+
+BCM2835 ARM Peripherals doc shows gpio pins 4, 5, 6, 12 and 13
+carry altenate function, ALT5 for ARM JTAG
+
+Fixes: 21ff843931b2 ("ARM: dts: bcm283x: Define standard pinctrl groups in the gpio node.")
+
+Signed-off-by: Henry Zhang <henryzhang62@gmail.com>
+Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/bcm283x.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/bcm283x.dtsi
++++ b/arch/arm/boot/dts/bcm283x.dtsi
+@@ -252,7 +252,7 @@
+
+ jtag_gpio4: jtag_gpio4 {
+ brcm,pins = <4 5 6 12 13>;
+- brcm,function = <BCM2835_FSEL_ALT4>;
++ brcm,function = <BCM2835_FSEL_ALT5>;
+ };
+ jtag_gpio22: jtag_gpio22 {
+ brcm,pins = <22 23 24 25 26 27>;
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Fri, 16 Feb 2018 11:55:34 +0100
+Subject: ARM: dts: bcm283x: Fix probing of bcm2835-i2s
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit 79c81facdc0b43b1cef37b8d5689a8c8b78f8be0 ]
+
+Since 517e7a1537a ("ASoC: bcm2835: move to use the clock framework")
+the bcm2835-i2s requires a clock as DT property. Unfortunately
+the necessary DT change has never been applied. While we are at it
+also fix the first PCM register range to cover the PCM_GRAY register.
+
+Fixes: 517e7a1537a ("ASoC: bcm2835: move to use the clock framework")
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Tested-by: Matthias Reichl <hias@horus.com>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/bcm283x.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/bcm283x.dtsi
++++ b/arch/arm/boot/dts/bcm283x.dtsi
+@@ -397,8 +397,8 @@
+
+ i2s: i2s@7e203000 {
+ compatible = "brcm,bcm2835-i2s";
+- reg = <0x7e203000 0x20>,
+- <0x7e101098 0x02>;
++ reg = <0x7e203000 0x24>;
++ clocks = <&clocks BCM2835_CLOCK_PCM>;
+
+ dmas = <&dma 2>,
+ <&dma 3>;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Ravikumar Kattekola <rk@ti.com>
+Date: Tue, 6 Feb 2018 18:28:02 +0530
+Subject: ARM: dts: dra71-evm: Correct evm_sd regulator max voltage
+
+From: Ravikumar Kattekola <rk@ti.com>
+
+[ Upstream commit f4aa1bd5b4fc80f5f4ecd184caad832fd62c25f7 ]
+
+Correct vpo_sd_1v8_3v3 regulator max voltage to 3.3V
+
+Fixes: 9868bc585ae2 ("ARM: dts: Add support for dra718-evm")
+Signed-off-by: Ravikumar Kattekola <rk@ti.com>
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/dra71-evm.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/dra71-evm.dts
++++ b/arch/arm/boot/dts/dra71-evm.dts
+@@ -24,13 +24,13 @@
+
+ regulator-name = "vddshv8";
+ regulator-min-microvolt = <1800000>;
+- regulator-max-microvolt = <3000000>;
++ regulator-max-microvolt = <3300000>;
+ regulator-boot-on;
+ vin-supply = <&evm_5v0>;
+
+ gpios = <&gpio7 11 GPIO_ACTIVE_HIGH>;
+ states = <1800000 0x0
+- 3000000 0x1>;
++ 3300000 0x1>;
+ };
+
+ evm_1v8_sw: fixedregulator-evm_1v8 {
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Aapo Vienamo <aapo@tuxera.com>
+Date: Wed, 31 Jan 2018 14:34:07 +0000
+Subject: ARM: dts: imx7d: cl-som-imx7: fix pinctrl_enet
+
+From: Aapo Vienamo <aapo@tuxera.com>
+
+[ Upstream commit 2bada7ac1fdcbf79a9689bd2ff65fa515ca7a31f ]
+
+The missing last digit of the CONFIG values is added. Looks like a typo
+of some sort when comparing to the downstream dt. This fixes
+intermittent behavior behaviour of the ethernet controllers.
+
+Signed-off-by: Aapo Vienamo <aapo@tuxera.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/imx7d-cl-som-imx7.dts | 52 ++++++++++++++++----------------
+ 1 file changed, 26 insertions(+), 26 deletions(-)
+
+--- a/arch/arm/boot/dts/imx7d-cl-som-imx7.dts
++++ b/arch/arm/boot/dts/imx7d-cl-som-imx7.dts
+@@ -213,37 +213,37 @@
+ &iomuxc {
+ pinctrl_enet1: enet1grp {
+ fsl,pins = <
+- MX7D_PAD_SD2_CD_B__ENET1_MDIO 0x3
+- MX7D_PAD_SD2_WP__ENET1_MDC 0x3
+- MX7D_PAD_ENET1_RGMII_TXC__ENET1_RGMII_TXC 0x1
+- MX7D_PAD_ENET1_RGMII_TD0__ENET1_RGMII_TD0 0x1
+- MX7D_PAD_ENET1_RGMII_TD1__ENET1_RGMII_TD1 0x1
+- MX7D_PAD_ENET1_RGMII_TD2__ENET1_RGMII_TD2 0x1
+- MX7D_PAD_ENET1_RGMII_TD3__ENET1_RGMII_TD3 0x1
+- MX7D_PAD_ENET1_RGMII_TX_CTL__ENET1_RGMII_TX_CTL 0x1
+- MX7D_PAD_ENET1_RGMII_RXC__ENET1_RGMII_RXC 0x1
+- MX7D_PAD_ENET1_RGMII_RD0__ENET1_RGMII_RD0 0x1
+- MX7D_PAD_ENET1_RGMII_RD1__ENET1_RGMII_RD1 0x1
+- MX7D_PAD_ENET1_RGMII_RD2__ENET1_RGMII_RD2 0x1
+- MX7D_PAD_ENET1_RGMII_RD3__ENET1_RGMII_RD3 0x1
+- MX7D_PAD_ENET1_RGMII_RX_CTL__ENET1_RGMII_RX_CTL 0x1
++ MX7D_PAD_SD2_CD_B__ENET1_MDIO 0x30
++ MX7D_PAD_SD2_WP__ENET1_MDC 0x30
++ MX7D_PAD_ENET1_RGMII_TXC__ENET1_RGMII_TXC 0x11
++ MX7D_PAD_ENET1_RGMII_TD0__ENET1_RGMII_TD0 0x11
++ MX7D_PAD_ENET1_RGMII_TD1__ENET1_RGMII_TD1 0x11
++ MX7D_PAD_ENET1_RGMII_TD2__ENET1_RGMII_TD2 0x11
++ MX7D_PAD_ENET1_RGMII_TD3__ENET1_RGMII_TD3 0x11
++ MX7D_PAD_ENET1_RGMII_TX_CTL__ENET1_RGMII_TX_CTL 0x11
++ MX7D_PAD_ENET1_RGMII_RXC__ENET1_RGMII_RXC 0x11
++ MX7D_PAD_ENET1_RGMII_RD0__ENET1_RGMII_RD0 0x11
++ MX7D_PAD_ENET1_RGMII_RD1__ENET1_RGMII_RD1 0x11
++ MX7D_PAD_ENET1_RGMII_RD2__ENET1_RGMII_RD2 0x11
++ MX7D_PAD_ENET1_RGMII_RD3__ENET1_RGMII_RD3 0x11
++ MX7D_PAD_ENET1_RGMII_RX_CTL__ENET1_RGMII_RX_CTL 0x11
+ >;
+ };
+
+ pinctrl_enet2: enet2grp {
+ fsl,pins = <
+- MX7D_PAD_EPDC_GDSP__ENET2_RGMII_TXC 0x1
+- MX7D_PAD_EPDC_SDCE2__ENET2_RGMII_TD0 0x1
+- MX7D_PAD_EPDC_SDCE3__ENET2_RGMII_TD1 0x1
+- MX7D_PAD_EPDC_GDCLK__ENET2_RGMII_TD2 0x1
+- MX7D_PAD_EPDC_GDOE__ENET2_RGMII_TD3 0x1
+- MX7D_PAD_EPDC_GDRL__ENET2_RGMII_TX_CTL 0x1
+- MX7D_PAD_EPDC_SDCE1__ENET2_RGMII_RXC 0x1
+- MX7D_PAD_EPDC_SDCLK__ENET2_RGMII_RD0 0x1
+- MX7D_PAD_EPDC_SDLE__ENET2_RGMII_RD1 0x1
+- MX7D_PAD_EPDC_SDOE__ENET2_RGMII_RD2 0x1
+- MX7D_PAD_EPDC_SDSHR__ENET2_RGMII_RD3 0x1
+- MX7D_PAD_EPDC_SDCE0__ENET2_RGMII_RX_CTL 0x1
++ MX7D_PAD_EPDC_GDSP__ENET2_RGMII_TXC 0x11
++ MX7D_PAD_EPDC_SDCE2__ENET2_RGMII_TD0 0x11
++ MX7D_PAD_EPDC_SDCE3__ENET2_RGMII_TD1 0x11
++ MX7D_PAD_EPDC_GDCLK__ENET2_RGMII_TD2 0x11
++ MX7D_PAD_EPDC_GDOE__ENET2_RGMII_TD3 0x11
++ MX7D_PAD_EPDC_GDRL__ENET2_RGMII_TX_CTL 0x11
++ MX7D_PAD_EPDC_SDCE1__ENET2_RGMII_RXC 0x11
++ MX7D_PAD_EPDC_SDCLK__ENET2_RGMII_RD0 0x11
++ MX7D_PAD_EPDC_SDLE__ENET2_RGMII_RD1 0x11
++ MX7D_PAD_EPDC_SDOE__ENET2_RGMII_RD2 0x11
++ MX7D_PAD_EPDC_SDSHR__ENET2_RGMII_RD3 0x11
++ MX7D_PAD_EPDC_SDCE0__ENET2_RGMII_RX_CTL 0x11
+ >;
+ };
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Suman Anna <s-anna@ti.com>
+Date: Mon, 5 Mar 2018 16:18:49 -0800
+Subject: ARM: dts: keystone-k2e-clocks: Fix missing unit address separator
+
+From: Suman Anna <s-anna@ti.com>
+
+[ Upstream commit 5a3a03905a433216f517babd0a343ae7265e9ca1 ]
+
+Commit 95d8b41c765b ("ARM: dts: keystone-k2e-clocks: Add missing unit
+name to clock nodes that have regs") fixed the unit names on various
+clock nodes but missed out adding the unit address separator on the
+clkhyperlink0 clock node. Fix the same.
+
+Fixes: 95d8b41c765b ("ARM: dts: keystone-k2e-clocks: Add missing unit name to clock nodes that have regs")
+Signed-off-by: Suman Anna <s-anna@ti.com>
+Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/keystone-k2e-clocks.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/keystone-k2e-clocks.dtsi
++++ b/arch/arm/boot/dts/keystone-k2e-clocks.dtsi
+@@ -42,7 +42,7 @@ clocks {
+ domain-id = <0>;
+ };
+
+- clkhyperlink0: clkhyperlink02350030 {
++ clkhyperlink0: clkhyperlink0@2350030 {
+ #clock-cells = <0>;
+ compatible = "ti,keystone,psc-clock";
+ clocks = <&chipclk12>;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Esben Haabendal <eha@deif.com>
+Date: Fri, 6 Apr 2018 14:46:35 +0200
+Subject: ARM: dts: ls1021a: Specify TBIPA register address
+
+From: Esben Haabendal <eha@deif.com>
+
+[ Upstream commit 5571196135abb6d51e01592812997403c136067c ]
+
+The current (mildly evil) fsl_pq_mdio code uses an undocumented shadow of
+the TBIPA register on LS1021A, which happens to be read-only.
+Changing TBI PHY address therefore does not work on LS1021A.
+
+The real (and documented) address of the TBIPA registere lies in the eTSEC
+block and not in MDIO/MII, which is read/write, so using that fixes
+the problem.
+
+Signed-off-by: Esben Haabendal <eha@deif.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/ls1021a.dtsi | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/ls1021a.dtsi
++++ b/arch/arm/boot/dts/ls1021a.dtsi
+@@ -587,7 +587,8 @@
+ device_type = "mdio";
+ #address-cells = <1>;
+ #size-cells = <0>;
+- reg = <0x0 0x2d24000 0x0 0x4000>;
++ reg = <0x0 0x2d24000 0x0 0x4000>,
++ <0x0 0x2d10030 0x0 0x4>;
+ };
+
+ ptp_clock@2d10e00 {
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Date: Sat, 13 Jan 2018 01:14:23 +0200
+Subject: ARM: dts: porter: Fix HDMI output routing
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+[ Upstream commit d4b78db6ac3e084e2bdc57d5518bd247c727f396 ]
+
+The HDMI encoder is connected to the RGB output of the DU, which is
+port@0, not port@1. Fix the incorrect DT description.
+
+Fixes: c5af8a4248d3 ("ARM: dts: porter: add DU DT support")
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/r8a7791-porter.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/r8a7791-porter.dts
++++ b/arch/arm/boot/dts/r8a7791-porter.dts
+@@ -425,7 +425,7 @@
+ "dclkin.0", "dclkin.1";
+
+ ports {
+- port@1 {
++ port@0 {
+ endpoint {
+ remote-endpoint = <&adv7511_in>;
+ };
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Philipp Puschmann <pp@emlix.com>
+Date: Fri, 23 Mar 2018 10:22:15 +0100
+Subject: arm: dts: socfpga: fix GIC PPI warning
+
+From: Philipp Puschmann <pp@emlix.com>
+
+[ Upstream commit 6d97d5aba08b26108f95dc9fb7bbe4d9436c769c ]
+
+Fixes the warning "GIC: PPI13 is secure or misconfigured" by
+changing the interrupt type from level_low to edge_raising
+
+Signed-off-by: Philipp Puschmann <pp@emlix.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/socfpga.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/socfpga.dtsi
++++ b/arch/arm/boot/dts/socfpga.dtsi
+@@ -831,7 +831,7 @@
+ timer@fffec600 {
+ compatible = "arm,cortex-a9-twd-timer";
+ reg = <0xfffec600 0x100>;
+- interrupts = <1 13 0xf04>;
++ interrupts = <1 13 0xf01>;
+ clocks = <&mpu_periph_clk>;
+ };
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Ilia Lin <ilialin@codeaurora.org>
+Date: Tue, 23 Jan 2018 09:36:18 +0200
+Subject: arm64: dts: qcom: Fix SPI5 config on MSM8996
+
+From: Ilia Lin <ilialin@codeaurora.org>
+
+[ Upstream commit e723795c702b52cfceb3bb3faa63059eb4658313 ]
+
+Set correct clocks and interrupt values.
+Fixes the incorrect SPI master configuration. This is
+mandatory to make the SPI5 interface functional.
+
+Signed-off-by: Ilia Lin <ilialin@codeaurora.org>
+Signed-off-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/qcom/msm8996.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+@@ -497,8 +497,8 @@
+ blsp2_spi5: spi@75ba000{
+ compatible = "qcom,spi-qup-v2.2.1";
+ reg = <0x075ba000 0x600>;
+- interrupts = <GIC_SPI 107 IRQ_TYPE_LEVEL_HIGH>;
+- clocks = <&gcc GCC_BLSP2_QUP5_SPI_APPS_CLK>,
++ interrupts = <GIC_SPI 106 IRQ_TYPE_LEVEL_HIGH>;
++ clocks = <&gcc GCC_BLSP2_QUP6_SPI_APPS_CLK>,
+ <&gcc GCC_BLSP2_AHB_CLK>;
+ clock-names = "core", "iface";
+ pinctrl-names = "default", "sleep";
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Sun, 3 Dec 2017 17:50:00 +0000
+Subject: arm64: insn: Allow ADD/SUB (immediate) with LSL #12
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+[ Upstream commit 11d764079c9f25d1da8e10906d54da7fefec5844 ]
+
+The encoder for ADD/SUB (immediate) can only cope with 12bit
+immediates, while there is an encoding for a 12bit immediate shifted
+by 12 bits to the left.
+
+Let's fix this small oversight by allowing the LSL_12 bit to be set.
+
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/insn.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/insn.c
++++ b/arch/arm64/kernel/insn.c
+@@ -35,6 +35,7 @@
+
+ #define AARCH64_INSN_SF_BIT BIT(31)
+ #define AARCH64_INSN_N_BIT BIT(22)
++#define AARCH64_INSN_LSL_12 BIT(22)
+
+ static int aarch64_insn_encoding_class[] = {
+ AARCH64_INSN_CLS_UNKNOWN,
+@@ -899,9 +900,18 @@ u32 aarch64_insn_gen_add_sub_imm(enum aa
+ return AARCH64_BREAK_FAULT;
+ }
+
++ /* We can't encode more than a 24bit value (12bit + 12bit shift) */
++ if (imm & ~(BIT(24) - 1))
++ goto out;
++
++ /* If we have something in the top 12 bits... */
+ if (imm & ~(SZ_4K - 1)) {
+- pr_err("%s: invalid immediate encoding %d\n", __func__, imm);
+- return AARCH64_BREAK_FAULT;
++ /* ... and in the low 12 bits -> error */
++ if (imm & (SZ_4K - 1))
++ goto out;
++
++ imm >>= 12;
++ insn |= AARCH64_INSN_LSL_12;
+ }
+
+ insn = aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RD, insn, dst);
+@@ -909,6 +919,10 @@ u32 aarch64_insn_gen_add_sub_imm(enum aa
+ insn = aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RN, insn, src);
+
+ return aarch64_insn_encode_immediate(AARCH64_INSN_IMM_12, insn, imm);
++
++out:
++ pr_err("%s: invalid immediate encoding %d\n", __func__, imm);
++ return AARCH64_BREAK_FAULT;
+ }
+
+ u32 aarch64_insn_gen_bitfield(enum aarch64_insn_register dst,
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Nicolin Chen <nicoleotsuka@gmail.com>
+Date: Mon, 12 Feb 2018 14:03:12 -0800
+Subject: ASoC: fsl_ssi: Maintain a mask of active streams
+
+From: Nicolin Chen <nicoleotsuka@gmail.com>
+
+[ Upstream commit e0582731abe004163e78ad2dac4cd1196db0908f ]
+
+Checking TE and RE bits in SCR register doesn't work for AC97 mode
+which enables SSIEN, TE and RE in the fsl_ssi_setup_ac97() that's
+called during probe().
+
+So when running into the trigger(), it will always get the result
+of both TE and RE being enabled already, even if actually there is
+no active stream.
+
+This patch fixes this issue by adding a variable to log the active
+streams manually.
+
+Signed-off-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Tested-by: Caleb Crome <caleb@crome.org>
+Tested-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Reviewed-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/fsl/fsl_ssi.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/fsl/fsl_ssi.c
++++ b/sound/soc/fsl/fsl_ssi.c
+@@ -201,6 +201,7 @@ struct fsl_ssi_soc_data {
+ * @cpu_dai_drv: CPU DAI driver for this device
+ *
+ * @dai_fmt: DAI configuration this device is currently used with
++ * @streams: Mask of current active streams: BIT(TX) and BIT(RX)
+ * @i2s_net: I2S and Network mode configurations of SCR register
+ * @use_dma: DMA is used or FIQ with stream filter
+ * @use_dual_fifo: DMA with support for dual FIFO mode
+@@ -245,6 +246,7 @@ struct fsl_ssi {
+ struct snd_soc_dai_driver cpu_dai_drv;
+
+ unsigned int dai_fmt;
++ u8 streams;
+ u8 i2s_net;
+ bool use_dma;
+ bool use_dual_fifo;
+@@ -440,15 +442,14 @@ static void fsl_ssi_fifo_clear(struct fs
+ static void fsl_ssi_config(struct fsl_ssi *ssi, bool enable,
+ struct fsl_ssi_regvals *vals)
+ {
++ int dir = (&ssi->regvals[TX] == vals) ? TX : RX;
+ struct regmap *regs = ssi->regs;
+ struct fsl_ssi_regvals *avals;
+ int nr_active_streams;
+- u32 scr;
+ int keep_active;
+
+- regmap_read(regs, REG_SSI_SCR, &scr);
+-
+- nr_active_streams = !!(scr & SSI_SCR_TE) + !!(scr & SSI_SCR_RE);
++ nr_active_streams = !!(ssi->streams & BIT(TX)) +
++ !!(ssi->streams & BIT(RX));
+
+ if (nr_active_streams - 1 > 0)
+ keep_active = 1;
+@@ -470,6 +471,9 @@ static void fsl_ssi_config(struct fsl_ss
+ keep_active);
+ /* Safely disable SCR register for the stream */
+ regmap_update_bits(regs, REG_SSI_SCR, scr, 0);
++
++ /* Log the disabled stream to the mask */
++ ssi->streams &= ~BIT(dir);
+ }
+
+ /*
+@@ -545,6 +549,9 @@ config_done:
+ }
+ /* Enable all remaining bits */
+ regmap_update_bits(regs, REG_SSI_SCR, vals->scr, vals->scr);
++
++ /* Log the enabled stream to the mask */
++ ssi->streams |= BIT(dir);
+ }
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Ezequiel Garcia <ezequiel@collabora.co.uk>
+Date: Tue, 20 Mar 2018 13:03:31 -0300
+Subject: ASoC: rockchip: rk3288-hdmi-analog: Select needed codecs
+
+From: Ezequiel Garcia <ezequiel@collabora.co.uk>
+
+[ Upstream commit b1d0db067fbe2598d62b248beea5d705a0ea7642 ]
+
+The driver does not select all the codec drivers that needs.
+Fix it by selecting the analog and HDMI codecs.
+
+Cc: Sjoerd Simons <sjoerd.simons@collabora.co.uk>
+Signed-off-by: Ezequiel Garcia <ezequiel@collabora.co.uk>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/rockchip/Kconfig | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/soc/rockchip/Kconfig
++++ b/sound/soc/rockchip/Kconfig
+@@ -56,6 +56,9 @@ config SND_SOC_RK3288_HDMI_ANALOG
+ depends on SND_SOC_ROCKCHIP && I2C && GPIOLIB && CLKDEV_LOOKUP
+ select SND_SOC_ROCKCHIP_I2S
+ select SND_SOC_HDMI_CODEC
++ select SND_SOC_ES8328_I2C
++ select SND_SOC_ES8328_SPI if SPI_MASTER
++ select DRM_DW_HDMI_I2S_AUDIO if DRM_DW_HDMI
+ help
+ Say Y or M here if you want to add support for SoC audio on Rockchip
+ RK3288 boards using an analog output and the built-in HDMI audio.
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Date: Mon, 5 Feb 2018 16:43:56 +0100
+Subject: ASoC: samsung: i2s: Ensure the RCLK rate is properly determined
+
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+
+[ Upstream commit 647d04f8e07afc7c3b7a42b3ee01a8b28db29631 ]
+
+If the RCLK mux clock configuration is specified in DT and no set_sysclk()
+callback is used in the sound card driver the sclk_srcrate field will remain
+set to 0, leading to an incorrect PSR divider setting.
+To fix this the frequency value is retrieved from the CLK_I2S_RCLK_SRC clock,
+so the actual RCLK mux selection is taken into account.
+
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/samsung/i2s.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/samsung/i2s.c
++++ b/sound/soc/samsung/i2s.c
+@@ -656,8 +656,12 @@ static int i2s_set_fmt(struct snd_soc_da
+ tmp |= mod_slave;
+ break;
+ case SND_SOC_DAIFMT_CBS_CFS:
+- /* Set default source clock in Master mode */
+- if (i2s->rclk_srcrate == 0)
++ /*
++ * Set default source clock in Master mode, only when the
++ * CLK_I2S_RCLK_SRC clock is not exposed so we ensure any
++ * clock configuration assigned in DT is not overwritten.
++ */
++ if (i2s->rclk_srcrate == 0 && i2s->clk_data.clks == NULL)
+ i2s_set_sysclk(dai, SAMSUNG_I2S_RCLKSRC_0,
+ 0, SND_SOC_CLOCK_IN);
+ break;
+@@ -881,6 +885,11 @@ static int config_setup(struct i2s_dai *
+ return 0;
+
+ if (!(i2s->quirks & QUIRK_NO_MUXPSR)) {
++ struct clk *rclksrc = i2s->clk_table[CLK_I2S_RCLK_SRC];
++
++ if (i2s->rclk_srcrate == 0 && rclksrc && !IS_ERR(rclksrc))
++ i2s->rclk_srcrate = clk_get_rate(rclksrc);
++
+ psr = i2s->rclk_srcrate / i2s->frmclk / rfs;
+ writel(((psr - 1) << 8) | PSR_PSREN, i2s->addr + I2SPSR);
+ dev_dbg(&i2s->pdev->dev,
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Date: Wed, 14 Mar 2018 17:41:13 +0100
+Subject: ASoC: samsung: odroid: Fix 32000 sample rate handling
+
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+
+[ Upstream commit 1d22c337dc8f3a25638f7262e7bcb5729a34d140 ]
+
+In case of sample rates lower than 44100 currently there is too low MCLK
+frequency set for the CODEC. Playback fails with following errors:
+
+$ speaker-test -c2 -t sine -f 1500 -l2 -r 32000
+
+Sine wave rate is 1500.0000Hz
+Rate set to 32000Hz (requested 32000Hz)
+Buffer size range from 128 to 131072
+Period size range from 64 to 65536
+Using max buffer size 131072
+Periods = 4
+Unable to set hw params for playback: Invalid argument
+Setting of hwparams failed: Invalid argument
+
+[ 497.883700] max98090 1-0010: Invalid master clock frequency
+
+To fix this the I2S root clock's frequency is increased, depending
+on sampling rate.
+
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/samsung/odroid.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/samsung/odroid.c
++++ b/sound/soc/samsung/odroid.c
+@@ -36,23 +36,26 @@ static int odroid_card_hw_params(struct
+ {
+ struct snd_soc_pcm_runtime *rtd = substream->private_data;
+ struct odroid_priv *priv = snd_soc_card_get_drvdata(rtd->card);
+- unsigned int pll_freq, rclk_freq;
++ unsigned int pll_freq, rclk_freq, rfs;
+ int ret;
+
+ switch (params_rate(params)) {
+- case 32000:
+ case 64000:
+- pll_freq = 131072006U;
++ pll_freq = 196608001U;
++ rfs = 384;
+ break;
+ case 44100:
+ case 88200:
+ case 176400:
+ pll_freq = 180633609U;
++ rfs = 512;
+ break;
++ case 32000:
+ case 48000:
+ case 96000:
+ case 192000:
+ pll_freq = 196608001U;
++ rfs = 512;
+ break;
+ default:
+ return -EINVAL;
+@@ -67,7 +70,7 @@ static int odroid_card_hw_params(struct
+ * frequency values due to the EPLL output frequency not being exact
+ * multiple of the audio sampling rate.
+ */
+- rclk_freq = params_rate(params) * 256 + 1;
++ rclk_freq = params_rate(params) * rfs + 1;
+
+ ret = clk_set_rate(priv->sclk_i2s, rclk_freq);
+ if (ret < 0)
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Date: Fri, 9 Mar 2018 11:11:17 -0800
+Subject: ASoC: topology: create TLV data for dapm widgets
+
+From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+
+[ Upstream commit bde8b3887add8368ecf0ca71117baf2fd56a6fc9 ]
+
+This patch adds the change required to create the TLV data
+for dapm widget kcontrols from topology. This also fixes the following
+TLV read error shown in amixer while showing the card control contents.
+"amixer: Control hw:1 element TLV read error: No such device or address"
+
+Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/soc-topology.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -1276,6 +1276,9 @@ static struct snd_kcontrol_new *soc_tplg
+ kfree(sm);
+ continue;
+ }
++
++ /* create any TLV data */
++ soc_tplg_create_tlv(tplg, &kc[i], &mc->hdr);
+ }
+ return kc;
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Anilkumar Kolli <akolli@codeaurora.org>
+Date: Wed, 28 Mar 2018 12:19:40 +0300
+Subject: ath10k: advertize beacon_int_min_gcd
+
+From: Anilkumar Kolli <akolli@codeaurora.org>
+
+[ Upstream commit 8ebee73b574ad3dd1f14d461f65ceaffbd637650 ]
+
+This patch fixes regression caused by 0c317a02ca98
+("cfg80211: support virtual interfaces with different beacon intervals"),
+with this change cfg80211 expects the driver to advertize
+'beacon_int_min_gcd' to support different beacon intervals in multivap
+scenario. This support is added for, QCA988X/QCA99X0/QCA9984/QCA4019.
+
+Verifed AP + mesh bring up on QCA9984 with beacon interval 100msec and
+1000msec respectively.
+Frimware: firmware-5.bin_10.4-3.5.3-00053
+
+Fixes: 0c317a02ca98 ("cfg80211: support virtual interfaces with different beacon intervals")
+Signed-off-by: Anilkumar Kolli <akolli@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -7873,6 +7873,7 @@ static const struct ieee80211_iface_comb
+ .max_interfaces = 8,
+ .num_different_channels = 1,
+ .beacon_int_infra_match = true,
++ .beacon_int_min_gcd = 1,
+ #ifdef CONFIG_ATH10K_DFS_CERTIFIED
+ .radar_detect_widths = BIT(NL80211_CHAN_WIDTH_20_NOHT) |
+ BIT(NL80211_CHAN_WIDTH_20) |
+@@ -7996,6 +7997,7 @@ static const struct ieee80211_iface_comb
+ .max_interfaces = 16,
+ .num_different_channels = 1,
+ .beacon_int_infra_match = true,
++ .beacon_int_min_gcd = 1,
+ #ifdef CONFIG_ATH10K_DFS_CERTIFIED
+ .radar_detect_widths = BIT(NL80211_CHAN_WIDTH_20_NOHT) |
+ BIT(NL80211_CHAN_WIDTH_20) |
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Karthikeyan Periyasamy <periyasa@codeaurora.org>
+Date: Mon, 12 Mar 2018 17:09:40 +0530
+Subject: ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk)
+
+From: Karthikeyan Periyasamy <periyasa@codeaurora.org>
+
+[ Upstream commit 8b2d93dd22615cb7f3046a5a2083a6f8bb8052ed ]
+
+When attempt to run worker (ath10k_sta_rc_update_wk) after the station object
+(ieee80211_sta) delete will trigger the kernel panic.
+
+This problem arise in AP + Mesh configuration, Where the current node AP VAP
+and neighbor node mesh VAP MAC address are same. When the current mesh node
+try to establish the mesh link with neighbor node, driver peer creation for
+the neighbor mesh node fails due to duplication MAC address. Already the AP
+VAP created with same MAC address.
+
+It is caused by the following scenario steps.
+
+Steps:
+1. In above condition, ath10k driver sta_state callback (ath10k_sta_state)
+ fails to do the state change for a station from IEEE80211_STA_NOTEXIST
+ to IEEE80211_STA_NONE due to peer creation fails. Sta_state callback is
+ called from ieee80211_add_station() to handle the new station
+ (neighbor mesh node) request from the wpa_supplicant.
+2. Concurrently ath10k receive the sta_rc_update callback notification from
+ the mesh_neighbour_update() to handle the beacon frames of the above
+ neighbor mesh node. since its atomic callback, ath10k driver queue the
+ work (ath10k_sta_rc_update_wk) to handle rc update.
+3. Due to driver sta_state callback fails (step 1), mac80211 free the station
+ object.
+4. When the worker (ath10k_sta_rc_update_wk) scheduled to run, it will access
+ the station object which is already deleted. so it will trigger kernel
+ panic.
+
+Added the peer exist check in sta_rc_update callback before queue the work.
+
+Kernel Panic log:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000000
+pgd = c0204000
+[00000000] *pgd=00000000
+Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+CPU: 1 PID: 1833 Comm: kworker/u4:2 Not tainted 3.14.77 #1
+task: dcef0000 ti: d72b6000 task.ti: d72b6000
+PC is at pwq_activate_delayed_work+0x10/0x40
+LR is at pwq_activate_delayed_work+0xc/0x40
+pc : [<c023f988>] lr : [<c023f984>] psr: 40000193
+sp : d72b7f18 ip : 0000007a fp : d72b6000
+r10: 00000000 r9 : dd404414 r8 : d8c31998
+r7 : d72b6038 r6 : 00000004 r5 : d4907ec8 r4 : dcee1300
+r3 : ffffffe0 r2 : 00000000 r1 : 00000001 r0 : 00000000
+Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
+Control: 10c5787d Table: 595bc06a DAC: 00000015
+...
+Process kworker/u4:2 (pid: 1833, stack limit = 0xd72b6238)
+Stack: (0xd72b7f18 to 0xd72b8000)
+7f00: 00000001 dcee1300
+7f20: 00000001 c02410dc d8c31980 dd404400 dd404400 c0242790 d8c31980 00000089
+7f40: 00000000 d93e1340 00000000 d8c31980 c0242568 00000000 00000000 00000000
+7f60: 00000000 c02474dc 00000000 00000000 000000f8 d8c31980 00000000 00000000
+7f80: d72b7f80 d72b7f80 00000000 00000000 d72b7f90 d72b7f90 d72b7fac d93e1340
+7fa0: c0247404 00000000 00000000 c0208d20 00000000 00000000 00000000 00000000
+7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
+[<c023f988>] (pwq_activate_delayed_work) from [<c02410dc>] (pwq_dec_nr_in_flight+0x58/0xc4)
+[<c02410dc>] (pwq_dec_nr_in_flight) from [<c0242790>] (worker_thread+0x228/0x360)
+[<c0242790>] (worker_thread) from [<c02474dc>] (kthread+0xd8/0xec)
+[<c02474dc>] (kthread) from [<c0208d20>] (ret_from_fork+0x14/0x34)
+Code: e92d4038 e1a05000 ebffffbc[69210.619376] SMP: failed to stop secondary CPUs
+Rebooting in 3 seconds..
+
+Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -7084,10 +7084,20 @@ static void ath10k_sta_rc_update(struct
+ {
+ struct ath10k *ar = hw->priv;
+ struct ath10k_sta *arsta = (struct ath10k_sta *)sta->drv_priv;
++ struct ath10k_vif *arvif = (void *)vif->drv_priv;
++ struct ath10k_peer *peer;
+ u32 bw, smps;
+
+ spin_lock_bh(&ar->data_lock);
+
++ peer = ath10k_peer_find(ar, arvif->vdev_id, sta->addr);
++ if (!peer) {
++ spin_unlock_bh(&ar->data_lock);
++ ath10k_warn(ar, "mac sta rc update failed to find peer %pM on vdev %i\n",
++ sta->addr, arvif->vdev_id);
++ return;
++ }
++
+ ath10k_dbg(ar, ATH10K_DBG_MAC,
+ "mac sta rc update for %pM changed %08x bw %d nss %d smps %d\n",
+ sta->addr, changed, sta->bandwidth, sta->rx_nss,
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Sebastian Gottschall <s.gottschall@dd-wrt.com>
+Date: Sat, 3 Mar 2018 05:10:44 +0100
+Subject: ath9k: fix crash in spectral scan
+
+From: Sebastian Gottschall <s.gottschall@dd-wrt.com>
+
+[ Upstream commit 221b6ec69ed9c56b6cd9a124a387a9472f14284e ]
+
+Fixes crash seen on arm smp systems (gateworks ventana imx6):
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000014
+pgd = 80004000
+[00000014] *pgd=00000000
+Internal error: Oops - BUG: 17 [#1] PREEMPT SMP ARM
+Modules linked in: ip6table_filter nf_conntrack_ipv6 ip6_tables nf_log_ipv6 nf_defrag_ipv6 shortcut_fe ipcomp6 xfrm_ipcomp xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_transport xfrm6_mode_ro xfrm6_mode_beet ip6_tunnel tunnel6 mip6 ah6 esp6 xfrm_algo sit ip_tunnel tunnel4 ipv6 ath10k_pci ath10k_core ath9k ath mac80211 cfg80211 compat ath_pci ath_hal(P) caamalg authencesn authenc caamrng caamhash caam_jr caam cdc_ncm usbnet usbcore sky2 imx2_wdt
+CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: P 4.9.85 #19
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+task: bf064980 task.stack: bf07c000
+PC is at relay_buf_full+0xc/0x30
+LR is at _674+0x740/0xf10 [ath9k]
+pc : [<8018bce0>] lr : [<7f1aa604>] psr: 80000013
+sp : bf07dbf0 ip : bf07dc00 fp : bf07dbfc
+r10: 0000003f r9 : bf130e00 r8 : 809044b0
+r7 : 00000000 r6 : be67a9f0 r5 : 00000000 r4 : 809043e4
+r3 : c0864c24 r2 : 00000000 r1 : 00000004 r0 : 00000000
+Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+Control: 10c5387d Table: 4e6a004a DAC: 00000055
+Process ksoftirqd/0 (pid: 3, stack limit = 0xbf07c210)
+Stack: (0xbf07dbf0 to 0xbf07e000)
+dbe0: bf07dd04 bf07dc00 7f1aa604 8018bce0
+dc00: 00004014 be59e010 bf07dc34 bf07dc18 7f1a7084 7f19c07c be59c010 be6470a0
+dc20: 0000096c be648954 bf07dc6c bf07dc38 7f1c286c bf07dd90 bf07dc5c bf07dc48
+dc40: 8029ea4c 0000003c 00000001 be59c010 00000094 00000000 00000000 00000000
+dc60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+dc80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+dca0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+dcc0: 00000000 00000000 00000000 00000000 00000000 00000000 8010ef24 00000030
+dce0: be94f5e8 be6485a0 bddf0200 be59c010 be6465a0 be6415a0 bf07ddf4 bf07dd08
+dd00: 7f1cf800 7f1aa55c 1fc38c4c 00000000 bf07dd58 cccccccd 66666667 be640bc0
+dd20: bf07dd54 be6415a0 1fc38c4c 00000000 00000000 be59c038 be67a9c0 be59e010
+dd40: be67a9f0 be647170 8090c904 be59c010 00000000 00000001 1fc38e84 00000000
+dd60: be640bc0 bddf0200 00000200 00000010 0000003f 00000002 20000013 be59c010
+dd80: 8092d940 bf7ca2c0 bf07ddb4 bf07dd98 1fc38c4c 2602003f 0100ff1b 80ff1b00
+dda0: 00808080 00000000 00000000 80808080 80808080 80808080 80808080 00008080
+ddc0: 00000000 00000000 7f1b62b8 00000002 be6470ec be6470f0 00000000 bf07de98
+dde0: 8092d940 be6415a0 bf07de94 bf07ddf8 7f1d1ed8 7f1cf1fc 00000000 00000000
+de00: bf7cc4c0 00000400 be6470f0 bf07de18 8015165c be59c010 8090453c 8090453c
+de20: bf07dec4 be6465a0 8014f614 80148884 0000619a 00000001 bf07c000 00000100
+de40: bf07de78 00000001 7f327850 00000002 afb50401 bf064980 bf07de9c bf07de68
+de60: bf064a00 803cc668 bf064a00 be6470b4 be6470b8 80844180 00000000 bf07de98
+de80: 8092d940 bf07c000 bf07dec4 bf07de98 80124d18 7f1d1c44 80124c94 00000000
+dea0: 00000006 80902098 80902080 40000006 00000100 bf07c000 bf07df24 bf07dec8
+dec0: 8012501c 80124ca0 bf7cc4c0 bf064980 be95e1c0 04208040 80902d00 000061c7
+dee0: 0000000a 80600b54 8092d940 808441f8 80902080 bf07dec8 bf03b200 bf07c000
+df00: bf03b200 8090fe54 00000000 00000000 00000000 00000000 bf07df34 bf07df28
+df20: 80125148 80124f28 bf07df5c bf07df38 8013deb4 8012511c 00000000 bf03b240
+df40: bf03b200 8013dc90 00000000 00000000 bf07dfac bf07df60 8013ad40 8013dc9c
+df60: 70448040 00000001 00000000 bf03b200 00000000 00030003 bf07df78 bf07df78
+df80: 00000000 00000000 bf07df88 bf07df88 bf03b240 8013ac48 00000000 00000000
+dfa0: 00000000 bf07dfb0 80107760 8013ac54 00000000 00000000 00000000 00000000
+dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+dfe0: 00000000 00000000 00000000 00000000 00000013 00000000 8c120004 1190ad04
+Backtrace:
+[<8018bcd4>] (relay_buf_full) from [<7f1aa604>] (_674+0x740/0xf10 [ath9k])
+[<7f1aa550>] (_674 [ath9k]) from [<7f1cf800>] (_582+0x14b4/0x3708 [ath9k])
+ r10:be6415a0 r9:be6465a0 r8:be59c010 r7:bddf0200 r6:be6485a0 r5:be94f5e8
+ r4:00000030
+[<7f1cf1f0>] (_582 [ath9k]) from [<7f1d1ed8>] (_735+0x2a0/0xec4 [ath9k])
+ r10:be6415a0 r9:8092d940 r8:bf07de98 r7:00000000 r6:be6470f0 r5:be6470ec
+ r4:00000002
+[<7f1d1c38>] (_735 [ath9k]) from [<80124d18>] (tasklet_action+0x84/0xf8)
+ r10:bf07c000 r9:8092d940 r8:bf07de98 r7:00000000 r6:80844180 r5:be6470b8
+ r4:be6470b4
+[<80124c94>] (tasklet_action) from [<8012501c>] (__do_softirq+0x100/0x1f4)
+ r10:bf07c000 r9:00000100 r8:40000006 r7:80902080 r6:80902098 r5:00000006
+ r4:00000000 r3:80124c94
+[<80124f1c>] (__do_softirq) from [<80125148>] (run_ksoftirqd+0x38/0x4c)
+ r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:8090fe54 r5:bf03b200
+ r4:bf07c000
+[<80125110>] (run_ksoftirqd) from [<8013deb4>] (smpboot_thread_fn+0x224/0x260)
+[<8013dc90>] (smpboot_thread_fn) from [<8013ad40>] (kthread+0xf8/0x100)
+ r9:00000000 r8:00000000 r7:8013dc90 r6:bf03b200 r5:bf03b240 r4:00000000
+[<8013ac48>] (kthread) from [<80107760>] (ret_from_fork+0x14/0x34)
+ r7:00000000 r6:00000000 r5:8013ac48 r4:bf03b240
+Code: e89da800 e1a0c00d e92dd800 e24cb004 (e5901014)
+---[ end trace dddf11ac9111b272 ]---
+Kernel panic - not syncing: Fatal exception in interrupt
+CPU1: stopping
+CPU: 1 PID: 0 Comm: swapper/1 Tainted: P D 4.9.85 #19
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Backtrace:
+[<8010a708>] (dump_backtrace) from [<8010a99c>] (show_stack+0x18/0x1c)
+ r7:bf093f58 r6:20000193 r5:809168e8 r4:00000000
+[<8010a984>] (show_stack) from [<802a09c4>] (dump_stack+0x94/0xa8)
+[<802a0930>] (dump_stack) from [<8010d184>] (handle_IPI+0xe8/0x180)
+ r7:bf093f58 r6:00000000 r5:00000001 r4:808478c4
+[<8010d09c>] (handle_IPI) from [<801013e8>] (gic_handle_irq+0x78/0x7c)
+ r7:f4000100 r6:bf093f58 r5:f400010c r4:8090467c
+[<80101370>] (gic_handle_irq) from [<8010b378>] (__irq_svc+0x58/0x8c)
+Exception stack(0xbf093f58 to 0xbf093fa0)
+3f40: bf7d62a0 00000000
+3f60: 0010a5f4 80113460 bf092000 809043e4 00000002 80904434 bf092008 412fc09a
+3f80: 00000000 bf093fb4 bf093fb8 bf093fa8 8010804c 80108050 60000013 ffffffff
+ r9:bf092000 r8:bf092008 r7:bf093f8c r6:ffffffff r5:60000013 r4:80108050
+[<80108014>] (arch_cpu_idle) from [<80553c2c>] (default_idle_call+0x30/0x34)
+[<80553bfc>] (default_idle_call) from [<80158394>] (cpu_startup_entry+0xc4/0xfc)
+[<801582d0>] (cpu_startup_entry) from [<8010ce40>] (secondary_start_kernel+0x168/0x174)
+ r7:8092d2f8 r4:80913568
+[<8010ccd8>] (secondary_start_kernel) from [<10101488>] (0x10101488)
+ r5:00000055 r4:4f07806a
+Rebooting in 10 seconds..
+Reboot failed -- System halted
+
+Signed-off-by: Sebastian Gottschall <s.gottschall@dd-wrt.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath9k/common-spectral.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/common-spectral.c
++++ b/drivers/net/wireless/ath/ath9k/common-spectral.c
+@@ -479,14 +479,16 @@ ath_cmn_is_fft_buf_full(struct ath_spec_
+ {
+ int i = 0;
+ int ret = 0;
++ struct rchan_buf *buf;
+ struct rchan *rc = spec_priv->rfs_chan_spec_scan;
+
+- for_each_online_cpu(i)
+- ret += relay_buf_full(*per_cpu_ptr(rc->buf, i));
++ for_each_possible_cpu(i) {
++ if ((buf = *per_cpu_ptr(rc->buf, i))) {
++ ret += relay_buf_full(buf);
++ }
++ }
+
+- i = num_online_cpus();
+-
+- if (ret == i)
++ if (ret)
+ return 1;
+ else
+ return 0;
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Richard Guy Briggs <rgb@redhat.com>
+Date: Wed, 21 Feb 2018 04:30:07 -0500
+Subject: audit: return on memory error to avoid null pointer dereference
+
+From: Richard Guy Briggs <rgb@redhat.com>
+
+[ Upstream commit 23138ead270045f1b3e912e667967b6094244999 ]
+
+If there is a memory allocation error when trying to change an audit
+kernel feature value, the ignored allocation error will trigger a NULL
+pointer dereference oops on subsequent use of that pointer. Return
+instead.
+
+Passes audit-testsuite.
+See: https://github.com/linux-audit/audit-kernel/issues/76
+
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+[PM: not necessary (other funcs check for NULL), but a good practice]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/audit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1058,6 +1058,8 @@ static void audit_log_feature_change(int
+ return;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
++ if (!ab)
++ return;
+ audit_log_task_info(ab, current);
+ audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
+ audit_feature_names[which], !!old_feature, !!new_feature,
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Coly Li <colyli@suse.de>
+Date: Sun, 18 Mar 2018 17:36:14 -0700
+Subject: bcache: fix cached_dev->count usage for bch_cache_set_error()
+
+From: Coly Li <colyli@suse.de>
+
+[ Upstream commit 804f3c6981f5e4a506a8f14dc284cb218d0659ae ]
+
+When bcache metadata I/O fails, bcache will call bch_cache_set_error()
+to retire the whole cache set. The expected behavior to retire a cache
+set is to unregister the cache set, and unregister all backing device
+attached to this cache set, then remove sysfs entries of the cache set
+and all attached backing devices, finally release memory of structs
+cache_set, cache, cached_dev and bcache_device.
+
+In my testing when journal I/O failure triggered by disconnected cache
+device, sometimes the cache set cannot be retired, and its sysfs
+entry /sys/fs/bcache/<uuid> still exits and the backing device also
+references it. This is not expected behavior.
+
+When metadata I/O failes, the call senquence to retire whole cache set is,
+ bch_cache_set_error()
+ bch_cache_set_unregister()
+ bch_cache_set_stop()
+ __cache_set_unregister() <- called as callback by calling
+ clousre_queue(&c->caching)
+ cache_set_flush() <- called as a callback when refcount
+ of cache_set->caching is 0
+ cache_set_free() <- called as a callback when refcount
+ of catch_set->cl is 0
+ bch_cache_set_release() <- called as a callback when refcount
+ of catch_set->kobj is 0
+
+I find if kernel thread bch_writeback_thread() quits while-loop when
+kthread_should_stop() is true and searched_full_index is false, clousre
+callback cache_set_flush() set by continue_at() will never be called. The
+result is, bcache fails to retire whole cache set.
+
+cache_set_flush() will be called when refcount of closure c->caching is 0,
+and in function bcache_device_detach() refcount of closure c->caching is
+released to 0 by clousre_put(). In metadata error code path, function
+bcache_device_detach() is called by cached_dev_detach_finish(). This is a
+callback routine being called when cached_dev->count is 0. This refcount
+is decreased by cached_dev_put().
+
+The above dependence indicates, cache_set_flush() will be called when
+refcount of cache_set->cl is 0, and refcount of cache_set->cl to be 0
+when refcount of cache_dev->count is 0.
+
+The reason why sometimes cache_dev->count is not 0 (when metadata I/O fails
+and bch_cache_set_error() called) is, in bch_writeback_thread(), refcount
+of cache_dev is not decreased properly.
+
+In bch_writeback_thread(), cached_dev_put() is called only when
+searched_full_index is true and cached_dev->writeback_keys is empty, a.k.a
+there is no dirty data on cache. In most of run time it is correct, but
+when bch_writeback_thread() quits the while-loop while cache is still
+dirty, current code forget to call cached_dev_put() before this kernel
+thread exits. This is why sometimes cache_set_flush() is not executed and
+cache set fails to be retired.
+
+The reason to call cached_dev_put() in bch_writeback_rate() is, when the
+cache device changes from clean to dirty, cached_dev_get() is called, to
+make sure during writeback operatiions both backing and cache devices
+won't be released.
+
+Adding following code in bch_writeback_thread() does not work,
+ static int bch_writeback_thread(void *arg)
+ }
+
++ if (atomic_read(&dc->has_dirty))
++ cached_dev_put()
++
+ return 0;
+ }
+because writeback kernel thread can be waken up and start via sysfs entry:
+ echo 1 > /sys/block/bcache<N>/bcache/writeback_running
+It is difficult to check whether backing device is dirty without race and
+extra lock. So the above modification will introduce potential refcount
+underflow in some conditions.
+
+The correct fix is, to take cached dev refcount when creating the kernel
+thread, and put it before the kernel thread exits. Then bcache does not
+need to take a cached dev refcount when cache turns from clean to dirty,
+or to put a cached dev refcount when cache turns from ditry to clean. The
+writeback kernel thread is alwasy safe to reference data structure from
+cache set, cache and cached device (because a refcount of cache device is
+taken for it already), and no matter the kernel thread is stopped by I/O
+errors or system reboot, cached_dev->count can always be used correctly.
+
+The patch is simple, but understanding how it works is quite complicated.
+
+Changelog:
+v2: set dc->writeback_thread to NULL in this patch, as suggested by Hannes.
+v1: initial version for review.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Cc: Michael Lyle <mlyle@lyle.org>
+Cc: Junhui Tang <tang.junhui@zte.com.cn>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/super.c | 1 -
+ drivers/md/bcache/writeback.c | 11 ++++++++---
+ drivers/md/bcache/writeback.h | 2 --
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1065,7 +1065,6 @@ int bch_cached_dev_attach(struct cached_
+ if (BDEV_STATE(&dc->sb) == BDEV_STATE_DIRTY) {
+ bch_sectors_dirty_init(&dc->disk);
+ atomic_set(&dc->has_dirty, 1);
+- refcount_inc(&dc->count);
+ bch_writeback_queue(dc);
+ }
+
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -578,7 +578,7 @@ static int bch_writeback_thread(void *ar
+
+ if (kthread_should_stop()) {
+ set_current_state(TASK_RUNNING);
+- return 0;
++ break;
+ }
+
+ schedule();
+@@ -591,7 +591,6 @@ static int bch_writeback_thread(void *ar
+ if (searched_full_index &&
+ RB_EMPTY_ROOT(&dc->writeback_keys.keys)) {
+ atomic_set(&dc->has_dirty, 0);
+- cached_dev_put(dc);
+ SET_BDEV_STATE(&dc->sb, BDEV_STATE_CLEAN);
+ bch_write_bdev_super(dc, NULL);
+ /*
+@@ -620,6 +619,9 @@ static int bch_writeback_thread(void *ar
+ }
+ }
+
++ dc->writeback_thread = NULL;
++ cached_dev_put(dc);
++
+ return 0;
+ }
+
+@@ -683,10 +685,13 @@ int bch_cached_dev_writeback_start(struc
+ if (!dc->writeback_write_wq)
+ return -ENOMEM;
+
++ cached_dev_get(dc);
+ dc->writeback_thread = kthread_create(bch_writeback_thread, dc,
+ "bcache_writeback");
+- if (IS_ERR(dc->writeback_thread))
++ if (IS_ERR(dc->writeback_thread)) {
++ cached_dev_put(dc);
+ return PTR_ERR(dc->writeback_thread);
++ }
+
+ schedule_delayed_work(&dc->writeback_rate_update,
+ dc->writeback_rate_update_seconds * HZ);
+--- a/drivers/md/bcache/writeback.h
++++ b/drivers/md/bcache/writeback.h
+@@ -105,8 +105,6 @@ static inline void bch_writeback_add(str
+ {
+ if (!atomic_read(&dc->has_dirty) &&
+ !atomic_xchg(&dc->has_dirty, 1)) {
+- refcount_inc(&dc->count);
+-
+ if (BDEV_STATE(&dc->sb) != BDEV_STATE_DIRTY) {
+ SET_BDEV_STATE(&dc->sb, BDEV_STATE_DIRTY);
+ /* XXX: should do this synchronously */
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Coly Li <colyli@suse.de>
+Date: Sun, 18 Mar 2018 17:36:15 -0700
+Subject: bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set
+
+From: Coly Li <colyli@suse.de>
+
+[ Upstream commit fadd94e05c02afec7b70b0b14915624f1782f578 ]
+
+In patch "bcache: fix cached_dev->count usage for bch_cache_set_error()",
+cached_dev_get() is called when creating dc->writeback_thread, and
+cached_dev_put() is called when exiting dc->writeback_thread. This
+modification works well unless people detach the bcache device manually by
+ 'echo 1 > /sys/block/bcache<N>/bcache/detach'
+Because this sysfs interface only calls bch_cached_dev_detach() which wakes
+up dc->writeback_thread but does not stop it. The reason is, before patch
+"bcache: fix cached_dev->count usage for bch_cache_set_error()", inside
+bch_writeback_thread(), if cache is not dirty after writeback,
+cached_dev_put() will be called here. And in cached_dev_make_request() when
+a new write request makes cache from clean to dirty, cached_dev_get() will
+be called there. Since we don't operate dc->count in these locations,
+refcount d->count cannot be dropped after cache becomes clean, and
+cached_dev_detach_finish() won't be called to detach bcache device.
+
+This patch fixes the issue by checking whether BCACHE_DEV_DETACHING is
+set inside bch_writeback_thread(). If this bit is set and cache is clean
+(no existing writeback_keys), break the while-loop, call cached_dev_put()
+and quit the writeback thread.
+
+Please note if cache is still dirty, even BCACHE_DEV_DETACHING is set the
+writeback thread should continue to perform writeback, this is the original
+design of manually detach.
+
+It is safe to do the following check without locking, let me explain why,
++ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) &&
++ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) {
+
+If the kenrel thread does not sleep and continue to run due to conditions
+are not updated in time on the running CPU core, it just consumes more CPU
+cycles and has no hurt. This should-sleep-but-run is safe here. We just
+focus on the should-run-but-sleep condition, which means the writeback
+thread goes to sleep in mistake while it should continue to run.
+1, First of all, no matter the writeback thread is hung or not,
+ kthread_stop() from cached_dev_detach_finish() will wake up it and
+ terminate by making kthread_should_stop() return true. And in normal
+ run time, bit on index BCACHE_DEV_DETACHING is always cleared, the
+ condition
+ !test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)
+ is always true and can be ignored as constant value.
+2, If one of the following conditions is true, the writeback thread should
+ go to sleep,
+ "!atomic_read(&dc->has_dirty)" or "!dc->writeback_running)"
+ each of them independently controls the writeback thread should sleep or
+ not, let's analyse them one by one.
+2.1 condition "!atomic_read(&dc->has_dirty)"
+ If dc->has_dirty is set from 0 to 1 on another CPU core, bcache will
+ call bch_writeback_queue() immediately or call bch_writeback_add() which
+ indirectly calls bch_writeback_queue() too. In bch_writeback_queue(),
+ wake_up_process(dc->writeback_thread) is called. It sets writeback
+ thread's task state to TASK_RUNNING and following an implicit memory
+ barrier, then tries to wake up the writeback thread.
+ In writeback thread, its task state is set to TASK_INTERRUPTIBLE before
+ doing the condition check. If other CPU core sets the TASK_RUNNING state
+ after writeback thread setting TASK_INTERRUPTIBLE, the writeback thread
+ will be scheduled to run very soon because its state is not
+ TASK_INTERRUPTIBLE. If other CPU core sets the TASK_RUNNING state before
+ writeback thread setting TASK_INTERRUPTIBLE, the implict memory barrier
+ of wake_up_process() will make sure modification of dc->has_dirty on
+ other CPU core is updated and observed on the CPU core of writeback
+ thread. Therefore the condition check will correctly be false, and
+ continue writeback code without sleeping.
+2.2 condition "!dc->writeback_running)"
+ dc->writeback_running can be changed via sysfs file, every time it is
+ modified, a following bch_writeback_queue() is alwasy called. So the
+ change is always observed on the CPU core of writeback thread. If
+ dc->writeback_running is changed from 0 to 1 on other CPU core, this
+ condition check will observe the modification and allow writeback
+ thread to continue to run without sleeping.
+Now we can see, even without a locking protection, multiple conditions
+check is safe here, no deadlock or process hang up will happen.
+
+I compose a separte patch because that patch "bcache: fix cached_dev->count
+usage for bch_cache_set_error()" already gets a "Reviewed-by:" from Hannes
+Reinecke. Also this fix is not trivial and good for a separate patch.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Huijun Tang <tang.junhui@zte.com.cn>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/writeback.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -565,9 +565,15 @@ static int bch_writeback_thread(void *ar
+ while (!kthread_should_stop()) {
+ down_write(&dc->writeback_lock);
+ set_current_state(TASK_INTERRUPTIBLE);
+- if (!atomic_read(&dc->has_dirty) ||
+- (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) &&
+- !dc->writeback_running)) {
++ /*
++ * If the bache device is detaching, skip here and continue
++ * to perform writeback. Otherwise, if no dirty data on cache,
++ * or there is dirty data on cache but writeback is disabled,
++ * the writeback thread should sleep here and wait for others
++ * to wake up it.
++ */
++ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) &&
++ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) {
+ up_write(&dc->writeback_lock);
+
+ if (kthread_should_stop()) {
+@@ -588,6 +594,14 @@ static int bch_writeback_thread(void *ar
+ cached_dev_put(dc);
+ SET_BDEV_STATE(&dc->sb, BDEV_STATE_CLEAN);
+ bch_write_bdev_super(dc, NULL);
++ /*
++ * If bcache device is detaching via sysfs interface,
++ * writeback thread should stop after there is no dirty
++ * data on cache. BCACHE_DEV_DETACHING flag is set in
++ * bch_cached_dev_detach().
++ */
++ if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags))
++ break;
+ }
+
+ up_write(&dc->writeback_lock);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Coly Li <colyli@suse.de>
+Date: Sun, 18 Mar 2018 17:36:16 -0700
+Subject: bcache: stop dc->writeback_rate_update properly
+
+From: Coly Li <colyli@suse.de>
+
+[ Upstream commit 3fd47bfe55b00d5ac7b0a44c9301c07be39b1082 ]
+
+struct delayed_work writeback_rate_update in struct cache_dev is a delayed
+worker to call function update_writeback_rate() in period (the interval is
+defined by dc->writeback_rate_update_seconds).
+
+When a metadate I/O error happens on cache device, bcache error handling
+routine bch_cache_set_error() will call bch_cache_set_unregister() to
+retire whole cache set. On the unregister code path, this delayed work is
+stopped by calling cancel_delayed_work_sync(&dc->writeback_rate_update).
+
+dc->writeback_rate_update is a special delayed work from others in bcache.
+In its routine update_writeback_rate(), this delayed work is re-armed
+itself. That means when cancel_delayed_work_sync() returns, this delayed
+work can still be executed after several seconds defined by
+dc->writeback_rate_update_seconds.
+
+The problem is, after cancel_delayed_work_sync() returns, the cache set
+unregister code path will continue and release memory of struct cache set.
+Then the delayed work is scheduled to run, __update_writeback_rate()
+will reference the already released cache_set memory, and trigger a NULL
+pointer deference fault.
+
+This patch introduces two more bcache device flags,
+- BCACHE_DEV_WB_RUNNING
+ bit set: bcache device is in writeback mode and running, it is OK for
+ dc->writeback_rate_update to re-arm itself.
+ bit clear:bcache device is trying to stop dc->writeback_rate_update,
+ this delayed work should not re-arm itself and quit.
+- BCACHE_DEV_RATE_DW_RUNNING
+ bit set: routine update_writeback_rate() is executing.
+ bit clear: routine update_writeback_rate() quits.
+
+This patch also adds a function cancel_writeback_rate_update_dwork() to
+wait for dc->writeback_rate_update quits before cancel it by calling
+cancel_delayed_work_sync(). In order to avoid a deadlock by unexpected
+quit dc->writeback_rate_update, after time_out seconds this function will
+give up and continue to call cancel_delayed_work_sync().
+
+And here I explain how this patch stops self re-armed delayed work properly
+with the above stuffs.
+
+update_writeback_rate() sets BCACHE_DEV_RATE_DW_RUNNING at its beginning
+and clears BCACHE_DEV_RATE_DW_RUNNING at its end. Before calling
+cancel_writeback_rate_update_dwork() clear flag BCACHE_DEV_WB_RUNNING.
+
+Before calling cancel_delayed_work_sync() wait utill flag
+BCACHE_DEV_RATE_DW_RUNNING is clear. So when calling
+cancel_delayed_work_sync(), dc->writeback_rate_update must be already re-
+armed, or quite by seeing BCACHE_DEV_WB_RUNNING cleared. In both cases
+delayed work routine update_writeback_rate() won't be executed after
+cancel_delayed_work_sync() returns.
+
+Inside update_writeback_rate() before calling schedule_delayed_work(), flag
+BCACHE_DEV_WB_RUNNING is checked before. If this flag is cleared, it means
+someone is about to stop the delayed work. Because flag
+BCACHE_DEV_RATE_DW_RUNNING is set already and cancel_delayed_work_sync()
+has to wait for this flag to be cleared, we don't need to worry about race
+condition here.
+
+If update_writeback_rate() is scheduled to run after checking
+BCACHE_DEV_RATE_DW_RUNNING and before calling cancel_delayed_work_sync()
+in cancel_writeback_rate_update_dwork(), it is also safe. Because at this
+moment BCACHE_DEV_WB_RUNNING is cleared with memory barrier. As I mentioned
+previously, update_writeback_rate() will see BCACHE_DEV_WB_RUNNING is clear
+and quit immediately.
+
+Because there are more dependences inside update_writeback_rate() to struct
+cache_set memory, dc->writeback_rate_update is not a simple self re-arm
+delayed work. After trying many different methods (e.g. hold dc->count, or
+use locks), this is the only way I can find which works to properly stop
+dc->writeback_rate_update delayed work.
+
+Changelog:
+v3: change values of BCACHE_DEV_WB_RUNNING and BCACHE_DEV_RATE_DW_RUNNING
+ to bit index, for test_bit().
+v2: Try to fix the race issue which is pointed out by Junhui.
+v1: The initial version for review
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Reviewed-by: Junhui Tang <tang.junhui@zte.com.cn>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Cc: Michael Lyle <mlyle@lyle.org>
+Cc: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/bcache.h | 9 +++++----
+ drivers/md/bcache/super.c | 38 ++++++++++++++++++++++++++++++++++----
+ drivers/md/bcache/sysfs.c | 3 ++-
+ drivers/md/bcache/writeback.c | 29 ++++++++++++++++++++++++++++-
+ 4 files changed, 69 insertions(+), 10 deletions(-)
+
+--- a/drivers/md/bcache/bcache.h
++++ b/drivers/md/bcache/bcache.h
+@@ -258,10 +258,11 @@ struct bcache_device {
+ struct gendisk *disk;
+
+ unsigned long flags;
+-#define BCACHE_DEV_CLOSING 0
+-#define BCACHE_DEV_DETACHING 1
+-#define BCACHE_DEV_UNLINK_DONE 2
+-
++#define BCACHE_DEV_CLOSING 0
++#define BCACHE_DEV_DETACHING 1
++#define BCACHE_DEV_UNLINK_DONE 2
++#define BCACHE_DEV_WB_RUNNING 3
++#define BCACHE_DEV_RATE_DW_RUNNING 4
+ unsigned nr_stripes;
+ unsigned stripe_size;
+ atomic_t *stripe_sectors_dirty;
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -899,6 +899,31 @@ void bch_cached_dev_run(struct cached_de
+ pr_debug("error creating sysfs link");
+ }
+
++/*
++ * If BCACHE_DEV_RATE_DW_RUNNING is set, it means routine of the delayed
++ * work dc->writeback_rate_update is running. Wait until the routine
++ * quits (BCACHE_DEV_RATE_DW_RUNNING is clear), then continue to
++ * cancel it. If BCACHE_DEV_RATE_DW_RUNNING is not clear after time_out
++ * seconds, give up waiting here and continue to cancel it too.
++ */
++static void cancel_writeback_rate_update_dwork(struct cached_dev *dc)
++{
++ int time_out = WRITEBACK_RATE_UPDATE_SECS_MAX * HZ;
++
++ do {
++ if (!test_bit(BCACHE_DEV_RATE_DW_RUNNING,
++ &dc->disk.flags))
++ break;
++ time_out--;
++ schedule_timeout_interruptible(1);
++ } while (time_out > 0);
++
++ if (time_out == 0)
++ pr_warn("give up waiting for dc->writeback_write_update to quit");
++
++ cancel_delayed_work_sync(&dc->writeback_rate_update);
++}
++
+ static void cached_dev_detach_finish(struct work_struct *w)
+ {
+ struct cached_dev *dc = container_of(w, struct cached_dev, detach);
+@@ -911,7 +936,9 @@ static void cached_dev_detach_finish(str
+
+ mutex_lock(&bch_register_lock);
+
+- cancel_delayed_work_sync(&dc->writeback_rate_update);
++ if (test_and_clear_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags))
++ cancel_writeback_rate_update_dwork(dc);
++
+ if (!IS_ERR_OR_NULL(dc->writeback_thread)) {
+ kthread_stop(dc->writeback_thread);
+ dc->writeback_thread = NULL;
+@@ -954,6 +981,7 @@ void bch_cached_dev_detach(struct cached
+ closure_get(&dc->disk.cl);
+
+ bch_writeback_queue(dc);
++
+ cached_dev_put(dc);
+ }
+
+@@ -1092,14 +1120,16 @@ static void cached_dev_free(struct closu
+ {
+ struct cached_dev *dc = container_of(cl, struct cached_dev, disk.cl);
+
+- cancel_delayed_work_sync(&dc->writeback_rate_update);
++ mutex_lock(&bch_register_lock);
++
++ if (test_and_clear_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags))
++ cancel_writeback_rate_update_dwork(dc);
++
+ if (!IS_ERR_OR_NULL(dc->writeback_thread))
+ kthread_stop(dc->writeback_thread);
+ if (dc->writeback_write_wq)
+ destroy_workqueue(dc->writeback_write_wq);
+
+- mutex_lock(&bch_register_lock);
+-
+ if (atomic_read(&dc->running))
+ bd_unlink_disk_holder(dc->bdev, dc->disk.disk);
+ bcache_device_free(&dc->disk);
+--- a/drivers/md/bcache/sysfs.c
++++ b/drivers/md/bcache/sysfs.c
+@@ -309,7 +309,8 @@ STORE(bch_cached_dev)
+ bch_writeback_queue(dc);
+
+ if (attr == &sysfs_writeback_percent)
+- schedule_delayed_work(&dc->writeback_rate_update,
++ if (!test_and_set_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags))
++ schedule_delayed_work(&dc->writeback_rate_update,
+ dc->writeback_rate_update_seconds * HZ);
+
+ mutex_unlock(&bch_register_lock);
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -115,6 +115,21 @@ static void update_writeback_rate(struct
+ struct cached_dev,
+ writeback_rate_update);
+
++ /*
++ * should check BCACHE_DEV_RATE_DW_RUNNING before calling
++ * cancel_delayed_work_sync().
++ */
++ set_bit(BCACHE_DEV_RATE_DW_RUNNING, &dc->disk.flags);
++ /* paired with where BCACHE_DEV_RATE_DW_RUNNING is tested */
++ smp_mb();
++
++ if (!test_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)) {
++ clear_bit(BCACHE_DEV_RATE_DW_RUNNING, &dc->disk.flags);
++ /* paired with where BCACHE_DEV_RATE_DW_RUNNING is tested */
++ smp_mb();
++ return;
++ }
++
+ down_read(&dc->writeback_lock);
+
+ if (atomic_read(&dc->has_dirty) &&
+@@ -123,8 +138,18 @@ static void update_writeback_rate(struct
+
+ up_read(&dc->writeback_lock);
+
+- schedule_delayed_work(&dc->writeback_rate_update,
++ if (test_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)) {
++ schedule_delayed_work(&dc->writeback_rate_update,
+ dc->writeback_rate_update_seconds * HZ);
++ }
++
++ /*
++ * should check BCACHE_DEV_RATE_DW_RUNNING before calling
++ * cancel_delayed_work_sync().
++ */
++ clear_bit(BCACHE_DEV_RATE_DW_RUNNING, &dc->disk.flags);
++ /* paired with where BCACHE_DEV_RATE_DW_RUNNING is tested */
++ smp_mb();
+ }
+
+ static unsigned writeback_delay(struct cached_dev *dc, unsigned sectors)
+@@ -675,6 +700,7 @@ void bch_cached_dev_writeback_init(struc
+ dc->writeback_rate_p_term_inverse = 40;
+ dc->writeback_rate_i_term_inverse = 10000;
+
++ WARN_ON(test_and_clear_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags));
+ INIT_DELAYED_WORK(&dc->writeback_rate_update, update_writeback_rate);
+ }
+
+@@ -693,6 +719,7 @@ int bch_cached_dev_writeback_start(struc
+ return PTR_ERR(dc->writeback_thread);
+ }
+
++ WARN_ON(test_and_set_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags));
+ schedule_delayed_work(&dc->writeback_rate_update,
+ dc->writeback_rate_update_seconds * HZ);
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Wed, 28 Feb 2018 10:15:33 -0800
+Subject: block: Fix a race between request queue removal and the block cgroup controller
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+[ Upstream commit a063057d7c731cffa7d10740e8ebc2970df8dbb3 ]
+
+Avoid that the following race can occur:
+
+blk_cleanup_queue() blkcg_print_blkgs()
+ spin_lock_irq(lock) (1) spin_lock_irq(blkg->q->queue_lock) (2,5)
+ q->queue_lock = &q->__queue_lock (3)
+ spin_unlock_irq(lock) (4)
+ spin_unlock_irq(blkg->q->queue_lock) (6)
+
+(1) take driver lock;
+(2) busy loop for driver lock;
+(3) override driver lock with internal lock;
+(4) unlock driver lock;
+(5) can take driver lock now;
+(6) but unlock internal lock.
+
+This change is safe because only the SCSI core and the NVME core keep
+a reference on a request queue after having called blk_cleanup_queue().
+Neither driver accesses any of the removed data structures between its
+blk_cleanup_queue() and blk_put_queue() calls.
+
+Reported-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Jan Kara <jack@suse.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-core.c | 31 +++++++++++++++++++++++++++++++
+ block/blk-sysfs.c | 7 -------
+ 2 files changed, 31 insertions(+), 7 deletions(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -723,6 +723,37 @@ void blk_cleanup_queue(struct request_qu
+ del_timer_sync(&q->backing_dev_info->laptop_mode_wb_timer);
+ blk_sync_queue(q);
+
++ /*
++ * I/O scheduler exit is only safe after the sysfs scheduler attribute
++ * has been removed.
++ */
++ WARN_ON_ONCE(q->kobj.state_in_sysfs);
++
++ /*
++ * Since the I/O scheduler exit code may access cgroup information,
++ * perform I/O scheduler exit before disassociating from the block
++ * cgroup controller.
++ */
++ if (q->elevator) {
++ ioc_clear_queue(q);
++ elevator_exit(q, q->elevator);
++ q->elevator = NULL;
++ }
++
++ /*
++ * Remove all references to @q from the block cgroup controller before
++ * restoring @q->queue_lock to avoid that restoring this pointer causes
++ * e.g. blkcg_print_blkgs() to crash.
++ */
++ blkcg_exit_queue(q);
++
++ /*
++ * Since the cgroup code may dereference the @q->backing_dev_info
++ * pointer, only decrease its reference count after having removed the
++ * association with the block cgroup controller.
++ */
++ bdi_put(q->backing_dev_info);
++
+ if (q->mq_ops)
+ blk_mq_free_queue(q);
+ percpu_ref_exit(&q->q_usage_counter);
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -798,13 +798,6 @@ static void __blk_release_queue(struct w
+ if (test_bit(QUEUE_FLAG_POLL_STATS, &q->queue_flags))
+ blk_stat_remove_callback(q, q->poll_cb);
+ blk_stat_free_callback(q->poll_cb);
+- bdi_put(q->backing_dev_info);
+- blkcg_exit_queue(q);
+-
+- if (q->elevator) {
+- ioc_clear_queue(q);
+- elevator_exit(q, q->elevator);
+- }
+
+ blk_free_queue_stats(q->stats);
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Ming Lei <ming.lei@redhat.com>
+Date: Tue, 6 Mar 2018 12:07:13 +0800
+Subject: block: null_blk: fix 'Invalid parameters' when loading module
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 66231ad3e2886ba99fbf440cea44cab547e5163f ]
+
+On ARM64, the default page size has been 64K on some distributions, and
+we should allow ARM64 people to play null_blk.
+
+This patch fixes the issue by extend page bitmap size for supporting
+other non-4KB PAGE_SIZE.
+
+Cc: Bart Van Assche <Bart.VanAssche@wdc.com>
+Cc: Shaohua Li <shli@kernel.org>
+Cc: Kyungchan Koh <kkc6196@fb.com>,
+Cc: weiping zhang <zhangweiping@didichuxing.com>
+Cc: Yi Zhang <yi.zhang@redhat.com>
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/null_blk.c | 46 +++++++++++++++++++++++++---------------------
+ 1 file changed, 25 insertions(+), 21 deletions(-)
+
+--- a/drivers/block/null_blk.c
++++ b/drivers/block/null_blk.c
+@@ -72,6 +72,7 @@ enum nullb_device_flags {
+ NULLB_DEV_FL_CACHE = 3,
+ };
+
++#define MAP_SZ ((PAGE_SIZE >> SECTOR_SHIFT) + 2)
+ /*
+ * nullb_page is a page in memory for nullb devices.
+ *
+@@ -86,10 +87,10 @@ enum nullb_device_flags {
+ */
+ struct nullb_page {
+ struct page *page;
+- unsigned long bitmap;
++ DECLARE_BITMAP(bitmap, MAP_SZ);
+ };
+-#define NULLB_PAGE_LOCK (sizeof(unsigned long) * 8 - 1)
+-#define NULLB_PAGE_FREE (sizeof(unsigned long) * 8 - 2)
++#define NULLB_PAGE_LOCK (MAP_SZ - 1)
++#define NULLB_PAGE_FREE (MAP_SZ - 2)
+
+ struct nullb_device {
+ struct nullb *nullb;
+@@ -728,7 +729,7 @@ static struct nullb_page *null_alloc_pag
+ if (!t_page->page)
+ goto out_freepage;
+
+- t_page->bitmap = 0;
++ memset(t_page->bitmap, 0, sizeof(t_page->bitmap));
+ return t_page;
+ out_freepage:
+ kfree(t_page);
+@@ -738,13 +739,20 @@ out:
+
+ static void null_free_page(struct nullb_page *t_page)
+ {
+- __set_bit(NULLB_PAGE_FREE, &t_page->bitmap);
+- if (test_bit(NULLB_PAGE_LOCK, &t_page->bitmap))
++ __set_bit(NULLB_PAGE_FREE, t_page->bitmap);
++ if (test_bit(NULLB_PAGE_LOCK, t_page->bitmap))
+ return;
+ __free_page(t_page->page);
+ kfree(t_page);
+ }
+
++static bool null_page_empty(struct nullb_page *page)
++{
++ int size = MAP_SZ - 2;
++
++ return find_first_bit(page->bitmap, size) == size;
++}
++
+ static void null_free_sector(struct nullb *nullb, sector_t sector,
+ bool is_cache)
+ {
+@@ -759,9 +767,9 @@ static void null_free_sector(struct null
+
+ t_page = radix_tree_lookup(root, idx);
+ if (t_page) {
+- __clear_bit(sector_bit, &t_page->bitmap);
++ __clear_bit(sector_bit, t_page->bitmap);
+
+- if (!t_page->bitmap) {
++ if (null_page_empty(t_page)) {
+ ret = radix_tree_delete_item(root, idx, t_page);
+ WARN_ON(ret != t_page);
+ null_free_page(ret);
+@@ -832,7 +840,7 @@ static struct nullb_page *__null_lookup_
+ t_page = radix_tree_lookup(root, idx);
+ WARN_ON(t_page && t_page->page->index != idx);
+
+- if (t_page && (for_write || test_bit(sector_bit, &t_page->bitmap)))
++ if (t_page && (for_write || test_bit(sector_bit, t_page->bitmap)))
+ return t_page;
+
+ return NULL;
+@@ -895,10 +903,10 @@ static int null_flush_cache_page(struct
+
+ t_page = null_insert_page(nullb, idx << PAGE_SECTORS_SHIFT, true);
+
+- __clear_bit(NULLB_PAGE_LOCK, &c_page->bitmap);
+- if (test_bit(NULLB_PAGE_FREE, &c_page->bitmap)) {
++ __clear_bit(NULLB_PAGE_LOCK, c_page->bitmap);
++ if (test_bit(NULLB_PAGE_FREE, c_page->bitmap)) {
+ null_free_page(c_page);
+- if (t_page && t_page->bitmap == 0) {
++ if (t_page && null_page_empty(t_page)) {
+ ret = radix_tree_delete_item(&nullb->dev->data,
+ idx, t_page);
+ null_free_page(t_page);
+@@ -914,11 +922,11 @@ static int null_flush_cache_page(struct
+
+ for (i = 0; i < PAGE_SECTORS;
+ i += (nullb->dev->blocksize >> SECTOR_SHIFT)) {
+- if (test_bit(i, &c_page->bitmap)) {
++ if (test_bit(i, c_page->bitmap)) {
+ offset = (i << SECTOR_SHIFT);
+ memcpy(dst + offset, src + offset,
+ nullb->dev->blocksize);
+- __set_bit(i, &t_page->bitmap);
++ __set_bit(i, t_page->bitmap);
+ }
+ }
+
+@@ -955,10 +963,10 @@ again:
+ * We found the page which is being flushed to disk by other
+ * threads
+ */
+- if (test_bit(NULLB_PAGE_LOCK, &c_pages[i]->bitmap))
++ if (test_bit(NULLB_PAGE_LOCK, c_pages[i]->bitmap))
+ c_pages[i] = NULL;
+ else
+- __set_bit(NULLB_PAGE_LOCK, &c_pages[i]->bitmap);
++ __set_bit(NULLB_PAGE_LOCK, c_pages[i]->bitmap);
+ }
+
+ one_round = 0;
+@@ -1011,7 +1019,7 @@ static int copy_to_nullb(struct nullb *n
+ kunmap_atomic(dst);
+ kunmap_atomic(src);
+
+- __set_bit(sector & SECTOR_MASK, &t_page->bitmap);
++ __set_bit(sector & SECTOR_MASK, t_page->bitmap);
+
+ if (is_fua)
+ null_free_sector(nullb, sector, true);
+@@ -1802,10 +1810,6 @@ static int __init null_init(void)
+ struct nullb *nullb;
+ struct nullb_device *dev;
+
+- /* check for nullb_page.bitmap */
+- if (sizeof(unsigned long) * 8 - 2 < (PAGE_SIZE >> SECTOR_SHIFT))
+- return -EINVAL;
+-
+ if (g_bs > PAGE_SIZE) {
+ pr_warn("null_blk: invalid block size\n");
+ pr_warn("null_blk: defaults block size to %lu\n", PAGE_SIZE);
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Sun, 11 Feb 2018 12:24:32 -0600
+Subject: Bluetooth: btusb: Add device ID for RTL8822BE
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+[ Upstream commit fed03fe7e55b7dc16077f672bd9d7bbe92b3a691 ]
+
+The Asus Z370-I contains a Realtek RTL8822BE device with an associated
+BT chip using a USB ID of 0b05:185c. This device is added to the driver.
+
+Signed-off-by: Hon Weng Chong <honwchong@gmail.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -377,6 +377,9 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x13d3, 0x3461), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK },
+
++ /* Additional Realtek 8822BE Bluetooth devices */
++ { USB_DEVICE(0x0b05, 0x185c), .driver_info = BTUSB_REALTEK },
++
+ /* Silicon Wave based devices */
+ { USB_DEVICE(0x0c10, 0x0000), .driver_info = BTUSB_SWAVE },
+
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Tedd Ho-Jeong An <tedd.an@intel.com>
+Date: Mon, 5 Feb 2018 14:20:36 -0800
+Subject: Bluetooth: btusb: Add support for Intel Bluetooth device 22560 [8087:0026]
+
+From: Tedd Ho-Jeong An <tedd.an@intel.com>
+
+[ Upstream commit 1ce0cec1c14cda7e514fa21b36c0f035203b447d ]
+
+The Intel Bluetooth device 22560 family (HarrisonPeak, QnJ, and IcyPeak)
+use the same firmware loading mechanism as previous generation,
+so include new USB product ID and whitelist the hardware variant.
+
+T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 16 Spd=12 MxCh= 0
+D: Ver= 2.01 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=8087 ProdID=0026 Rev= 0.01
+C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms
+
+Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -340,6 +340,7 @@ static const struct usb_device_id blackl
+
+ /* Intel Bluetooth devices */
+ { USB_DEVICE(0x8087, 0x0025), .driver_info = BTUSB_INTEL_NEW },
++ { USB_DEVICE(0x8087, 0x0026), .driver_info = BTUSB_INTEL_NEW },
+ { USB_DEVICE(0x8087, 0x07da), .driver_info = BTUSB_CSR },
+ { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL },
+ { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL },
+@@ -2079,6 +2080,8 @@ static int btusb_setup_intel_new(struct
+ case 0x0c: /* WsP */
+ case 0x11: /* JfP */
+ case 0x12: /* ThP */
++ case 0x13: /* HrP */
++ case 0x14: /* QnJ, IcP */
+ break;
+ default:
+ BT_ERR("%s: Unsupported Intel hardware variant (%u)",
+@@ -2171,6 +2174,8 @@ static int btusb_setup_intel_new(struct
+ break;
+ case 0x11: /* JfP */
+ case 0x12: /* ThP */
++ case 0x13: /* HrP */
++ case 0x14: /* QnJ, IcP */
+ snprintf(fwname, sizeof(fwname), "intel/ibt-%u-%u-%u.sfi",
+ le16_to_cpu(ver.hw_variant),
+ le16_to_cpu(ver.hw_revision),
+@@ -2202,6 +2207,8 @@ static int btusb_setup_intel_new(struct
+ break;
+ case 0x11: /* JfP */
+ case 0x12: /* ThP */
++ case 0x13: /* HrP */
++ case 0x14: /* QnJ, IcP */
+ snprintf(fwname, sizeof(fwname), "intel/ibt-%u-%u-%u.ddc",
+ le16_to_cpu(ver.hw_variant),
+ le16_to_cpu(ver.hw_revision),
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Vicente Bergas <vicencb@gmail.com>
+Date: Tue, 20 Mar 2018 19:41:10 +0100
+Subject: Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB
+
+From: Vicente Bergas <vicencb@gmail.com>
+
+[ Upstream commit a41e0796396eeceff673af4a38feaee149c6ff86 ]
+
+This WiFi/Bluetooth USB dongle uses a Realtek chipset, so, use btrtl for it.
+
+Product information:
+https://wikidevi.com/wiki/Edimax_EW-7611ULB
+
+>From /sys/kernel/debug/usb/devices
+T: Bus=02 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=7392 ProdID=a611 Rev= 2.00
+S: Manufacturer=Realtek
+S: Product=Edimax Wi-Fi N150 Bluetooth4.0 USB Adapter
+S: SerialNumber=00e04c000001
+C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=500mA
+A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+I:* If#= 2 Alt= 0 #EPs= 6 Cls=ff(vend.) Sub=ff Prot=ff Driver=rtl8723bu
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=500us
+E: Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Tested-by: Vicente Bergas <vicencb@gmail.com>
+Signed-off-by: Vicente Bergas <vicencb@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -367,6 +367,9 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3494), .driver_info = BTUSB_REALTEK },
+
++ /* Additional Realtek 8723BU Bluetooth devices */
++ { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK },
++
+ /* Additional Realtek 8821AE Bluetooth devices */
+ { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK },
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Scott Branden <scott.branden@broadcom.com>
+Date: Sat, 31 Mar 2018 13:54:09 -0400
+Subject: bnxt_en: fix clear flags in ethtool reset handling
+
+From: Scott Branden <scott.branden@broadcom.com>
+
+[ Upstream commit 2373d8d6a7932d28b8e31ea2a70bf6c002d97ac8 ]
+
+Clear flags when reset command processed successfully for components
+specified.
+
+Fixes: 6502ad5963a5 ("bnxt_en: Add ETH_RESET_AP support")
+Signed-off-by: Scott Branden <scott.branden@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -2552,16 +2552,20 @@ static int bnxt_reset(struct net_device
+ return -EOPNOTSUPP;
+
+ rc = bnxt_firmware_reset(dev, BNXT_FW_RESET_CHIP);
+- if (!rc)
++ if (!rc) {
+ netdev_info(dev, "Reset request successful. Reload driver to complete reset\n");
++ *flags = 0;
++ }
+ } else if (*flags == ETH_RESET_AP) {
+ /* This feature is not supported in older firmware versions */
+ if (bp->hwrm_spec_code < 0x10803)
+ return -EOPNOTSUPP;
+
+ rc = bnxt_firmware_reset(dev, BNXT_FW_RESET_AP);
+- if (!rc)
++ if (!rc) {
+ netdev_info(dev, "Reset Application Processor request successful.\n");
++ *flags = 0;
++ }
+ } else {
+ rc = -EINVAL;
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
+Date: Wed, 11 Apr 2018 11:50:15 -0400
+Subject: bnxt_en: Ignore src port field in decap filter nodes
+
+From: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
+
+[ Upstream commit 479ca3bf91da971fcefc003cf5773e8d7db24794 ]
+
+The driver currently uses src port field (along with other fields) in the
+decap tunnel key, while looking up and adding tunnel nodes. This leads to
+redundant cfa_decap_filter_alloc() requests to the FW and flow-miss in the
+flow engine. Fix this by ignoring the src port field in decap tunnel nodes.
+
+Fixes: f484f6782e01 ("bnxt_en: add hwrm FW cmds for cfa_encap_record and decap_filter")
+Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c
+@@ -992,8 +992,10 @@ static int bnxt_tc_get_decap_handle(stru
+
+ /* Check if there's another flow using the same tunnel decap.
+ * If not, add this tunnel to the table and resolve the other
+- * tunnel header fileds
++ * tunnel header fileds. Ignore src_port in the tunnel_key,
++ * since it is not required for decap filters.
+ */
++ decap_key->tp_src = 0;
+ decap_node = bnxt_tc_get_tunnel_node(bp, &tc_info->decap_table,
+ &tc_info->decap_ht_params,
+ decap_key);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Liu Bo <bo.liu@linux.alibaba.com>
+Date: Tue, 3 Apr 2018 01:59:48 +0800
+Subject: Btrfs: bail out on error during replay_dir_deletes
+
+From: Liu Bo <bo.liu@linux.alibaba.com>
+
+[ Upstream commit b98def7ca6e152ee55e36863dddf6f41f12d1dc6 ]
+
+If errors were returned by btrfs_next_leaf(), replay_dir_deletes needs
+to bail out, otherwise @ret would be forced to be 0 after 'break;' and
+the caller won't be aware of it.
+
+Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations")
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2356,8 +2356,10 @@ again:
+ nritems = btrfs_header_nritems(path->nodes[0]);
+ if (path->slots[0] >= nritems) {
+ ret = btrfs_next_leaf(root, path);
+- if (ret)
++ if (ret == 1)
+ break;
++ else if (ret < 0)
++ goto out;
+ }
+ btrfs_item_key_to_cpu(path->nodes[0], &found_key,
+ path->slots[0]);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Liu Bo <bo.liu@linux.alibaba.com>
+Date: Sat, 31 Mar 2018 06:11:56 +0800
+Subject: Btrfs: clean up resources during umount after trans is aborted
+
+From: Liu Bo <bo.liu@linux.alibaba.com>
+
+[ Upstream commit af7227338135d2f1b1552bf9a6d43e02dcba10b9 ]
+
+Currently if some fatal errors occur, like all IO get -EIO, resources
+would be cleaned up when
+a) transaction is being committed or
+b) BTRFS_FS_STATE_ERROR is set
+
+However, in some rare cases, resources may be left alone after transaction
+gets aborted and umount may run into some ASSERT(), e.g.
+ASSERT(list_empty(&block_group->dirty_list));
+
+For case a), in btrfs_commit_transaciton(), there're several places at the
+beginning where we just call btrfs_end_transaction() without cleaning up
+resources. For case b), it is possible that the trans handle doesn't have
+any dirty stuff, then only trans hanlde is marked as aborted while
+BTRFS_FS_STATE_ERROR is not set, so resources remain in memory.
+
+This makes btrfs also check BTRFS_FS_STATE_TRANS_ABORTED to make sure that
+all resources won't stay in memory after umount.
+
+Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/disk-io.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -3735,7 +3735,8 @@ void close_ctree(struct btrfs_fs_info *f
+ btrfs_err(fs_info, "commit super ret %d", ret);
+ }
+
+- if (test_bit(BTRFS_FS_STATE_ERROR, &fs_info->fs_state))
++ if (test_bit(BTRFS_FS_STATE_ERROR, &fs_info->fs_state) ||
++ test_bit(BTRFS_FS_STATE_TRANS_ABORTED, &fs_info->fs_state))
+ btrfs_error_commit_super(fs_info);
+
+ kthread_stop(fs_info->transaction_kthread);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Filipe Manana <fdmanana@suse.com>
+Date: Mon, 26 Mar 2018 23:59:12 +0100
+Subject: Btrfs: fix copy_items() return value when logging an inode
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 8434ec46c6e3232cebc25a910363b29f5c617820 ]
+
+When logging an inode, at tree-log.c:copy_items(), if we call
+btrfs_next_leaf() at the loop which checks for the need to log holes, we
+need to make sure copy_items() returns the value 1 to its caller and
+not 0 (on success). This is because the path the caller passed was
+released and is now different from what is was before, and the caller
+expects a return value of 0 to mean both success and that the path
+has not changed, while a return value of 1 means both success and
+signals the caller that it can not reuse the path, it has to perform
+another tree search.
+
+Even though this is a case that should not be triggered on normal
+circumstances or very rare at least, its consequences can be very
+unpredictable (especially when replaying a log tree).
+
+Fixes: 16e7549f045d ("Btrfs: incompatible format change to remove hole extents")
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -4005,6 +4005,7 @@ fill_holes:
+ ASSERT(ret == 0);
+ src = src_path->nodes[0];
+ i = 0;
++ need_find_last_extent = true;
+ }
+
+ btrfs_item_key_to_cpu(src, &key, i);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Fri, 16 Mar 2018 14:36:27 -0400
+Subject: btrfs: fix lockdep splat in btrfs_alloc_subvolume_writers
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+[ Upstream commit 8a5a916d9a35e13576d79cc16e24611821b13e34 ]
+
+While running btrfs/011, I hit the following lockdep splat.
+
+This is the important bit:
+ pcpu_alloc+0x1ac/0x5e0
+ __percpu_counter_init+0x4e/0xb0
+ btrfs_init_fs_root+0x99/0x1c0 [btrfs]
+ btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs]
+ resolve_indirect_refs+0x130/0x830 [btrfs]
+ find_parent_nodes+0x69e/0xff0 [btrfs]
+ btrfs_find_all_roots_safe+0xa0/0x110 [btrfs]
+ btrfs_find_all_roots+0x50/0x70 [btrfs]
+ btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs]
+ btrfs_commit_transaction+0x3ce/0x9b0 [btrfs]
+
+The percpu_counter_init call in btrfs_alloc_subvolume_writers
+uses GFP_KERNEL, which we can't do during transaction commit.
+
+This switches it to GFP_NOFS.
+
+========================================================
+WARNING: possible irq lock inversion dependency detected
+4.12.14-kvmsmall #8 Tainted: G W
+--------------------------------------------------------
+kswapd0/50 just changed the state of lock:
+ (&delayed_node->mutex){+.+.-.}, at: [<ffffffffc06994fa>] __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
+but this lock took another, RECLAIM_FS-unsafe lock in the past:
+ (pcpu_alloc_mutex){+.+.+.}
+
+and interrupts could create inverse lock ordering between them.
+
+other info that might help us debug this:
+Chain exists of:
+ &delayed_node->mutex --> &found->groups_sem --> pcpu_alloc_mutex
+
+ Possible interrupt unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(pcpu_alloc_mutex);
+ local_irq_disable();
+ lock(&delayed_node->mutex);
+ lock(&found->groups_sem);
+ <Interrupt>
+ lock(&delayed_node->mutex);
+
+ *** DEADLOCK ***
+
+2 locks held by kswapd0/50:
+ #0: (shrinker_rwsem){++++..}, at: [<ffffffff811dc11f>] shrink_slab+0x7f/0x5b0
+ #1: (&type->s_umount_key#30){+++++.}, at: [<ffffffff8126dec6>] trylock_super+0x16/0x50
+
+the shortest dependencies between 2nd lock and 1st lock:
+ -> (pcpu_alloc_mutex){+.+.+.} ops: 4904 {
+ HARDIRQ-ON-W at:
+ __mutex_lock+0x4e/0x8c0
+ pcpu_alloc+0x1ac/0x5e0
+ alloc_kmem_cache_cpus.isra.70+0x25/0xa0
+ __do_tune_cpucache+0x2c/0x220
+ do_tune_cpucache+0x26/0xc0
+ enable_cpucache+0x6d/0xf0
+ kmem_cache_init_late+0x42/0x75
+ start_kernel+0x343/0x4cb
+ x86_64_start_kernel+0x127/0x134
+ secondary_startup_64+0xa5/0xb0
+ SOFTIRQ-ON-W at:
+ __mutex_lock+0x4e/0x8c0
+ pcpu_alloc+0x1ac/0x5e0
+ alloc_kmem_cache_cpus.isra.70+0x25/0xa0
+ __do_tune_cpucache+0x2c/0x220
+ do_tune_cpucache+0x26/0xc0
+ enable_cpucache+0x6d/0xf0
+ kmem_cache_init_late+0x42/0x75
+ start_kernel+0x343/0x4cb
+ x86_64_start_kernel+0x127/0x134
+ secondary_startup_64+0xa5/0xb0
+ RECLAIM_FS-ON-W at:
+ __kmalloc+0x47/0x310
+ pcpu_extend_area_map+0x2b/0xc0
+ pcpu_alloc+0x3ec/0x5e0
+ alloc_kmem_cache_cpus.isra.70+0x25/0xa0
+ __do_tune_cpucache+0x2c/0x220
+ do_tune_cpucache+0x26/0xc0
+ enable_cpucache+0x6d/0xf0
+ __kmem_cache_create+0x1bf/0x390
+ create_cache+0xba/0x1b0
+ kmem_cache_create+0x1f8/0x2b0
+ ksm_init+0x6f/0x19d
+ do_one_initcall+0x50/0x1b0
+ kernel_init_freeable+0x201/0x289
+ kernel_init+0xa/0x100
+ ret_from_fork+0x3a/0x50
+ INITIAL USE at:
+ __mutex_lock+0x4e/0x8c0
+ pcpu_alloc+0x1ac/0x5e0
+ alloc_kmem_cache_cpus.isra.70+0x25/0xa0
+ setup_cpu_cache+0x2f/0x1f0
+ __kmem_cache_create+0x1bf/0x390
+ create_boot_cache+0x8b/0xb1
+ kmem_cache_init+0xa1/0x19e
+ start_kernel+0x270/0x4cb
+ x86_64_start_kernel+0x127/0x134
+ secondary_startup_64+0xa5/0xb0
+ }
+ ... key at: [<ffffffff821d8e70>] pcpu_alloc_mutex+0x70/0xa0
+ ... acquired at:
+ pcpu_alloc+0x1ac/0x5e0
+ __percpu_counter_init+0x4e/0xb0
+ btrfs_init_fs_root+0x99/0x1c0 [btrfs]
+ btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs]
+ resolve_indirect_refs+0x130/0x830 [btrfs]
+ find_parent_nodes+0x69e/0xff0 [btrfs]
+ btrfs_find_all_roots_safe+0xa0/0x110 [btrfs]
+ btrfs_find_all_roots+0x50/0x70 [btrfs]
+ btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs]
+ btrfs_commit_transaction+0x3ce/0x9b0 [btrfs]
+ transaction_kthread+0x176/0x1b0 [btrfs]
+ kthread+0x102/0x140
+ ret_from_fork+0x3a/0x50
+
+ -> (&fs_info->commit_root_sem){++++..} ops: 1566382 {
+ HARDIRQ-ON-W at:
+ down_write+0x3e/0xa0
+ cache_block_group+0x287/0x420 [btrfs]
+ find_free_extent+0x106c/0x12d0 [btrfs]
+ btrfs_reserve_extent+0xd8/0x170 [btrfs]
+ cow_file_range.isra.66+0x133/0x470 [btrfs]
+ run_delalloc_range+0x121/0x410 [btrfs]
+ writepage_delalloc.isra.50+0xfe/0x180 [btrfs]
+ __extent_writepage+0x19a/0x360 [btrfs]
+ extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs]
+ extent_writepages+0x4d/0x60 [btrfs]
+ do_writepages+0x1a/0x70
+ __filemap_fdatawrite_range+0xa7/0xe0
+ btrfs_rename+0x5ee/0xdb0 [btrfs]
+ vfs_rename+0x52a/0x7e0
+ SyS_rename+0x351/0x3b0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ HARDIRQ-ON-R at:
+ down_read+0x35/0x90
+ caching_thread+0x57/0x560 [btrfs]
+ normal_work_helper+0x1c0/0x5e0 [btrfs]
+ process_one_work+0x1e0/0x5c0
+ worker_thread+0x44/0x390
+ kthread+0x102/0x140
+ ret_from_fork+0x3a/0x50
+ SOFTIRQ-ON-W at:
+ down_write+0x3e/0xa0
+ cache_block_group+0x287/0x420 [btrfs]
+ find_free_extent+0x106c/0x12d0 [btrfs]
+ btrfs_reserve_extent+0xd8/0x170 [btrfs]
+ cow_file_range.isra.66+0x133/0x470 [btrfs]
+ run_delalloc_range+0x121/0x410 [btrfs]
+ writepage_delalloc.isra.50+0xfe/0x180 [btrfs]
+ __extent_writepage+0x19a/0x360 [btrfs]
+ extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs]
+ extent_writepages+0x4d/0x60 [btrfs]
+ do_writepages+0x1a/0x70
+ __filemap_fdatawrite_range+0xa7/0xe0
+ btrfs_rename+0x5ee/0xdb0 [btrfs]
+ vfs_rename+0x52a/0x7e0
+ SyS_rename+0x351/0x3b0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ SOFTIRQ-ON-R at:
+ down_read+0x35/0x90
+ caching_thread+0x57/0x560 [btrfs]
+ normal_work_helper+0x1c0/0x5e0 [btrfs]
+ process_one_work+0x1e0/0x5c0
+ worker_thread+0x44/0x390
+ kthread+0x102/0x140
+ ret_from_fork+0x3a/0x50
+ INITIAL USE at:
+ down_write+0x3e/0xa0
+ cache_block_group+0x287/0x420 [btrfs]
+ find_free_extent+0x106c/0x12d0 [btrfs]
+ btrfs_reserve_extent+0xd8/0x170 [btrfs]
+ cow_file_range.isra.66+0x133/0x470 [btrfs]
+ run_delalloc_range+0x121/0x410 [btrfs]
+ writepage_delalloc.isra.50+0xfe/0x180 [btrfs]
+ __extent_writepage+0x19a/0x360 [btrfs]
+ extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs]
+ extent_writepages+0x4d/0x60 [btrfs]
+ do_writepages+0x1a/0x70
+ __filemap_fdatawrite_range+0xa7/0xe0
+ btrfs_rename+0x5ee/0xdb0 [btrfs]
+ vfs_rename+0x52a/0x7e0
+ SyS_rename+0x351/0x3b0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ }
+ ... key at: [<ffffffffc0729578>] __key.61970+0x0/0xfffffffffff9aa88 [btrfs]
+ ... acquired at:
+ cache_block_group+0x287/0x420 [btrfs]
+ find_free_extent+0x106c/0x12d0 [btrfs]
+ btrfs_reserve_extent+0xd8/0x170 [btrfs]
+ btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs]
+ btrfs_create_tree+0xbb/0x2a0 [btrfs]
+ btrfs_create_uuid_tree+0x37/0x140 [btrfs]
+ open_ctree+0x23c0/0x2660 [btrfs]
+ btrfs_mount+0xd36/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ btrfs_mount+0x18c/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ do_mount+0x1c1/0xcc0
+ SyS_mount+0x7e/0xd0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+ -> (&found->groups_sem){++++..} ops: 2134587 {
+ HARDIRQ-ON-W at:
+ down_write+0x3e/0xa0
+ __link_block_group+0x34/0x130 [btrfs]
+ btrfs_read_block_groups+0x33d/0x7b0 [btrfs]
+ open_ctree+0x2054/0x2660 [btrfs]
+ btrfs_mount+0xd36/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ btrfs_mount+0x18c/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ do_mount+0x1c1/0xcc0
+ SyS_mount+0x7e/0xd0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ HARDIRQ-ON-R at:
+ down_read+0x35/0x90
+ btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs]
+ open_ctree+0x207b/0x2660 [btrfs]
+ btrfs_mount+0xd36/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ btrfs_mount+0x18c/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ do_mount+0x1c1/0xcc0
+ SyS_mount+0x7e/0xd0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ SOFTIRQ-ON-W at:
+ down_write+0x3e/0xa0
+ __link_block_group+0x34/0x130 [btrfs]
+ btrfs_read_block_groups+0x33d/0x7b0 [btrfs]
+ open_ctree+0x2054/0x2660 [btrfs]
+ btrfs_mount+0xd36/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ btrfs_mount+0x18c/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ do_mount+0x1c1/0xcc0
+ SyS_mount+0x7e/0xd0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ SOFTIRQ-ON-R at:
+ down_read+0x35/0x90
+ btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs]
+ open_ctree+0x207b/0x2660 [btrfs]
+ btrfs_mount+0xd36/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ btrfs_mount+0x18c/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ do_mount+0x1c1/0xcc0
+ SyS_mount+0x7e/0xd0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ INITIAL USE at:
+ down_write+0x3e/0xa0
+ __link_block_group+0x34/0x130 [btrfs]
+ btrfs_read_block_groups+0x33d/0x7b0 [btrfs]
+ open_ctree+0x2054/0x2660 [btrfs]
+ btrfs_mount+0xd36/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ btrfs_mount+0x18c/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ do_mount+0x1c1/0xcc0
+ SyS_mount+0x7e/0xd0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ }
+ ... key at: [<ffffffffc0729488>] __key.59101+0x0/0xfffffffffff9ab78 [btrfs]
+ ... acquired at:
+ find_free_extent+0xcb4/0x12d0 [btrfs]
+ btrfs_reserve_extent+0xd8/0x170 [btrfs]
+ btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs]
+ __btrfs_cow_block+0x110/0x5b0 [btrfs]
+ btrfs_cow_block+0xd7/0x290 [btrfs]
+ btrfs_search_slot+0x1f6/0x960 [btrfs]
+ btrfs_lookup_inode+0x2a/0x90 [btrfs]
+ __btrfs_update_delayed_inode+0x65/0x210 [btrfs]
+ btrfs_commit_inode_delayed_inode+0x121/0x130 [btrfs]
+ btrfs_evict_inode+0x3fe/0x6a0 [btrfs]
+ evict+0xc4/0x190
+ __dentry_kill+0xbf/0x170
+ dput+0x2ae/0x2f0
+ SyS_rename+0x2a6/0x3b0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+-> (&delayed_node->mutex){+.+.-.} ops: 5580204 {
+ HARDIRQ-ON-W at:
+ __mutex_lock+0x4e/0x8c0
+ btrfs_delayed_update_inode+0x46/0x6e0 [btrfs]
+ btrfs_update_inode+0x83/0x110 [btrfs]
+ btrfs_dirty_inode+0x62/0xe0 [btrfs]
+ touch_atime+0x8c/0xb0
+ do_generic_file_read+0x818/0xb10
+ __vfs_read+0xdc/0x150
+ vfs_read+0x8a/0x130
+ SyS_read+0x45/0xa0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ SOFTIRQ-ON-W at:
+ __mutex_lock+0x4e/0x8c0
+ btrfs_delayed_update_inode+0x46/0x6e0 [btrfs]
+ btrfs_update_inode+0x83/0x110 [btrfs]
+ btrfs_dirty_inode+0x62/0xe0 [btrfs]
+ touch_atime+0x8c/0xb0
+ do_generic_file_read+0x818/0xb10
+ __vfs_read+0xdc/0x150
+ vfs_read+0x8a/0x130
+ SyS_read+0x45/0xa0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ IN-RECLAIM_FS-W at:
+ __mutex_lock+0x4e/0x8c0
+ __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
+ btrfs_evict_inode+0x22c/0x6a0 [btrfs]
+ evict+0xc4/0x190
+ dispose_list+0x35/0x50
+ prune_icache_sb+0x42/0x50
+ super_cache_scan+0x139/0x190
+ shrink_slab+0x262/0x5b0
+ shrink_node+0x2eb/0x2f0
+ kswapd+0x2eb/0x890
+ kthread+0x102/0x140
+ ret_from_fork+0x3a/0x50
+ INITIAL USE at:
+ __mutex_lock+0x4e/0x8c0
+ btrfs_delayed_update_inode+0x46/0x6e0 [btrfs]
+ btrfs_update_inode+0x83/0x110 [btrfs]
+ btrfs_dirty_inode+0x62/0xe0 [btrfs]
+ touch_atime+0x8c/0xb0
+ do_generic_file_read+0x818/0xb10
+ __vfs_read+0xdc/0x150
+ vfs_read+0x8a/0x130
+ SyS_read+0x45/0xa0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ }
+ ... key at: [<ffffffffc072d488>] __key.56935+0x0/0xfffffffffff96b78 [btrfs]
+ ... acquired at:
+ __lock_acquire+0x264/0x11c0
+ lock_acquire+0xbd/0x1e0
+ __mutex_lock+0x4e/0x8c0
+ __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
+ btrfs_evict_inode+0x22c/0x6a0 [btrfs]
+ evict+0xc4/0x190
+ dispose_list+0x35/0x50
+ prune_icache_sb+0x42/0x50
+ super_cache_scan+0x139/0x190
+ shrink_slab+0x262/0x5b0
+ shrink_node+0x2eb/0x2f0
+ kswapd+0x2eb/0x890
+ kthread+0x102/0x140
+ ret_from_fork+0x3a/0x50
+
+stack backtrace:
+CPU: 1 PID: 50 Comm: kswapd0 Tainted: G W 4.12.14-kvmsmall #8 SLE15 (unreleased)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+Call Trace:
+ dump_stack+0x78/0xb7
+ print_irq_inversion_bug.part.38+0x19f/0x1aa
+ check_usage_forwards+0x102/0x120
+ ? ret_from_fork+0x3a/0x50
+ ? check_usage_backwards+0x110/0x110
+ mark_lock+0x16c/0x270
+ __lock_acquire+0x264/0x11c0
+ ? pagevec_lookup_entries+0x1a/0x30
+ ? truncate_inode_pages_range+0x2b3/0x7f0
+ lock_acquire+0xbd/0x1e0
+ ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
+ __mutex_lock+0x4e/0x8c0
+ ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
+ ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
+ ? btrfs_evict_inode+0x1f6/0x6a0 [btrfs]
+ __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
+ btrfs_evict_inode+0x22c/0x6a0 [btrfs]
+ evict+0xc4/0x190
+ dispose_list+0x35/0x50
+ prune_icache_sb+0x42/0x50
+ super_cache_scan+0x139/0x190
+ shrink_slab+0x262/0x5b0
+ shrink_node+0x2eb/0x2f0
+ kswapd+0x2eb/0x890
+ kthread+0x102/0x140
+ ? mem_cgroup_shrink_node+0x2c0/0x2c0
+ ? kthread_create_on_node+0x40/0x40
+ ret_from_fork+0x3a/0x50
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Reviewed-by: Liu Bo <bo.liu@linux.alibaba.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/disk-io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -1108,7 +1108,7 @@ static struct btrfs_subvolume_writers *b
+ if (!writers)
+ return ERR_PTR(-ENOMEM);
+
+- ret = percpu_counter_init(&writers->counter, 0, GFP_KERNEL);
++ ret = percpu_counter_init(&writers->counter, 0, GFP_NOFS);
+ if (ret < 0) {
+ kfree(writers);
+ return ERR_PTR(ret);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 5 Apr 2018 22:55:12 +0100
+Subject: Btrfs: fix loss of prealloc extents past i_size after fsync log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 471d557afed155b85da237ec46c549f443eeb5de ]
+
+Currently if we allocate extents beyond an inode's i_size (through the
+fallocate system call) and then fsync the file, we log the extents but
+after a power failure we replay them and then immediately drop them.
+This behaviour happens since about 2009, commit c71bf099abdd ("Btrfs:
+Avoid orphan inodes cleanup while replaying log"), because it marks
+the inode as an orphan instead of dropping any extents beyond i_size
+before replaying logged extents, so after the log replay, and while
+the mount operation is still ongoing, we find the inode marked as an
+orphan and then perform a truncation (drop extents beyond the inode's
+i_size). Because the processing of orphan inodes is still done
+right after replaying the log and before the mount operation finishes,
+the intention of that commit does not make any sense (at least as
+of today). However reverting that behaviour is not enough, because
+we can not simply discard all extents beyond i_size and then replay
+logged extents, because we risk dropping extents beyond i_size created
+in past transactions, for example:
+
+ add prealloc extent beyond i_size
+ fsync - clears the flag BTRFS_INODE_NEEDS_FULL_SYNC from the inode
+ transaction commit
+ add another prealloc extent beyond i_size
+ fsync - triggers the fast fsync path
+ power failure
+
+In that scenario, we would drop the first extent and then replay the
+second one. To fix this just make sure that all prealloc extents
+beyond i_size are logged, and if we find too many (which is far from
+a common case), fallback to a full transaction commit (like we do when
+logging regular extents in the fast fsync path).
+
+Trivial reproducer:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+ $ xfs_io -f -c "pwrite -S 0xab 0 256K" /mnt/foo
+ $ sync
+ $ xfs_io -c "falloc -k 256K 1M" /mnt/foo
+ $ xfs_io -c "fsync" /mnt/foo
+ <power failure>
+
+ # mount to replay log
+ $ mount /dev/sdb /mnt
+ # at this point the file only has one extent, at offset 0, size 256K
+
+A test case for fstests follows soon, covering multiple scenarios that
+involve adding prealloc extents with previous shrinking truncates and
+without such truncates.
+
+Fixes: c71bf099abdd ("Btrfs: Avoid orphan inodes cleanup while replaying log")
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 58 insertions(+), 5 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2461,13 +2461,41 @@ static int replay_one_buffer(struct btrf
+ if (ret)
+ break;
+
+- /* for regular files, make sure corresponding
+- * orphan item exist. extents past the new EOF
+- * will be truncated later by orphan cleanup.
++ /*
++ * Before replaying extents, truncate the inode to its
++ * size. We need to do it now and not after log replay
++ * because before an fsync we can have prealloc extents
++ * added beyond the inode's i_size. If we did it after,
++ * through orphan cleanup for example, we would drop
++ * those prealloc extents just after replaying them.
+ */
+ if (S_ISREG(mode)) {
+- ret = insert_orphan_item(wc->trans, root,
+- key.objectid);
++ struct inode *inode;
++ u64 from;
++
++ inode = read_one_inode(root, key.objectid);
++ if (!inode) {
++ ret = -EIO;
++ break;
++ }
++ from = ALIGN(i_size_read(inode),
++ root->fs_info->sectorsize);
++ ret = btrfs_drop_extents(wc->trans, root, inode,
++ from, (u64)-1, 1);
++ /*
++ * If the nlink count is zero here, the iput
++ * will free the inode. We bump it to make
++ * sure it doesn't get freed until the link
++ * count fixup is done.
++ */
++ if (!ret) {
++ if (inode->i_nlink == 0)
++ inc_nlink(inode);
++ /* Update link count and nbytes. */
++ ret = btrfs_update_inode(wc->trans,
++ root, inode);
++ }
++ iput(inode);
+ if (ret)
+ break;
+ }
+@@ -4321,6 +4349,31 @@ static int btrfs_log_changed_extents(str
+ num++;
+ }
+
++ /*
++ * Add all prealloc extents beyond the inode's i_size to make sure we
++ * don't lose them after doing a fast fsync and replaying the log.
++ */
++ if (inode->flags & BTRFS_INODE_PREALLOC) {
++ struct rb_node *node;
++
++ for (node = rb_last(&tree->map); node; node = rb_prev(node)) {
++ em = rb_entry(node, struct extent_map, rb_node);
++ if (em->start < i_size_read(&inode->vfs_inode))
++ break;
++ if (!list_empty(&em->list))
++ continue;
++ /* Same as above loop. */
++ if (++num > 32768) {
++ list_del_init(&tree->modified_extents);
++ ret = -EFBIG;
++ goto process;
++ }
++ refcount_inc(&em->refs);
++ set_bit(EXTENT_FLAG_LOGGING, &em->flags);
++ list_add_tail(&em->list, &extents);
++ }
++ }
++
+ list_sort(NULL, &extents, extent_cmp);
+ btrfs_get_logged_extents(inode, logged_list, logged_start, logged_end);
+ /*
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Anand Jain <anand.jain@oracle.com>
+Date: Sat, 24 Feb 2018 19:43:56 +0800
+Subject: btrfs: fix null pointer deref when target device is missing
+
+From: Anand Jain <anand.jain@oracle.com>
+
+[ Upstream commit acf18c56fdcb952a06650282192e3b4ca1855c5e ]
+
+The replace target device can be missing when mounted with -o degraded,
+but we wont allocate a missing btrfs_device to it. So check the device
+before accessing.
+
+BUG: unable to handle kernel NULL pointer dereference at 00000000000000b0
+IP: btrfs_destroy_dev_replace_tgtdev+0x43/0xf0 [btrfs]
+Call Trace:
+btrfs_dev_replace_cancel+0x15f/0x180 [btrfs]
+btrfs_ioctl+0x2216/0x2590 [btrfs]
+do_vfs_ioctl+0x625/0x650
+SyS_ioctl+0x4e/0x80
+do_syscall_64+0x5d/0x160
+entry_SYSCALL64_slow_path+0x25/0x25
+
+This patch has been moved in front of patch "btrfs: log, when replace,
+is canceled by the user" that could reproduce the crash if the system
+reboots inside btrfs_dev_replace_start before the
+btrfs_dev_replace_finishing call.
+
+ $ mkfs /dev/sda
+ $ mount /dev/sda mnt
+ $ btrfs replace start /dev/sda /dev/sdb
+ <insert reboot>
+ $ mount po degraded /dev/sdb mnt
+ <crash>
+
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+[ added reproducer description from mail ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/dev-replace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/dev-replace.c
++++ b/fs/btrfs/dev-replace.c
+@@ -307,7 +307,7 @@ void btrfs_after_dev_replace_commit(stru
+
+ static char* btrfs_dev_name(struct btrfs_device *device)
+ {
+- if (test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state))
++ if (!device || test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state))
+ return "<missing disk>";
+ else
+ return rcu_str_deref(device->name);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Liu Bo <bo.liu@linux.alibaba.com>
+Date: Tue, 3 Apr 2018 01:59:47 +0800
+Subject: Btrfs: fix NULL pointer dereference in log_dir_items
+
+From: Liu Bo <bo.liu@linux.alibaba.com>
+
+[ Upstream commit 80c0b4210a963e31529e15bf90519708ec947596 ]
+
+0, 1 and <0 can be returned by btrfs_next_leaf(), and when <0 is
+returned, path->nodes[0] could be NULL, log_dir_items lacks such a
+check for <0 and we may run into a null pointer dereference panic.
+
+Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations")
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3548,8 +3548,11 @@ static noinline int log_dir_items(struct
+ * from this directory and from this transaction
+ */
+ ret = btrfs_next_leaf(root, path);
+- if (ret == 1) {
+- last_offset = (u64)-1;
++ if (ret) {
++ if (ret == 1)
++ last_offset = (u64)-1;
++ else
++ err = ret;
+ goto done;
+ }
+ btrfs_item_key_to_cpu(path->nodes[0], &tmp, path->slots[0]);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Nikolay Borisov <nborisov@suse.com>
+Date: Thu, 5 Apr 2018 10:40:15 +0300
+Subject: btrfs: Fix possible softlock on single core machines
+
+From: Nikolay Borisov <nborisov@suse.com>
+
+[ Upstream commit 1e1c50a929bc9e49bc3f9935b92450d9e69f8158 ]
+
+do_chunk_alloc implements a loop checking whether there is a pending
+chunk allocation and if so causes the caller do loop. Generally this
+loop is executed only once, however testing with btrfs/072 on a single
+core vm machines uncovered an extreme case where the system could loop
+indefinitely. This is due to a missing cond_resched when loop which
+doesn't give a chance to the previous chunk allocator finish its job.
+
+The fix is to simply add the missing cond_resched.
+
+Fixes: 6d74119f1a3e ("Btrfs: avoid taking the chunk_mutex in do_chunk_alloc")
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent-tree.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -4650,6 +4650,7 @@ again:
+ if (wait_for_alloc) {
+ mutex_unlock(&fs_info->chunk_mutex);
+ wait_for_alloc = 0;
++ cond_resched();
+ goto again;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 19 Dec 2017 15:44:54 +0800
+Subject: btrfs: qgroup: Fix root item corruption when multiple same source snapshots are created with quota enabled
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 4d31778aa2fa342f5f92ca4025b293a1729161d1 ]
+
+When multiple pending snapshots referring to the same source subvolume
+are executed, enabled quota will cause root item corruption, where root
+items are using old bytenr (no backref in extent tree).
+
+This can be triggered by fstests btrfs/152.
+
+The cause is when source subvolume is still dirty, extra commit
+(simplied transaction commit) of qgroup_account_snapshot() can skip
+dirty roots not recorded in current transaction, making root item of
+source subvolume not updated.
+
+Fix it by forcing recording source subvolume in current transaction
+before qgroup sub-transaction commit.
+
+Reported-by: Justin Maggard <jmaggard@netgear.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/transaction.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -319,7 +319,7 @@ static int record_root_in_trans(struct b
+ if ((test_bit(BTRFS_ROOT_REF_COWS, &root->state) &&
+ root->last_trans < trans->transid) || force) {
+ WARN_ON(root == fs_info->extent_root);
+- WARN_ON(root->commit_root != root->node);
++ WARN_ON(!force && root->commit_root != root->node);
+
+ /*
+ * see below for IN_TRANS_SETUP usage rules
+@@ -1366,6 +1366,14 @@ static int qgroup_account_snapshot(struc
+ return 0;
+
+ /*
++ * Ensure dirty @src will be commited. Or, after comming
++ * commit_fs_roots() and switch_commit_roots(), any dirty but not
++ * recorded root will never be updated again, causing an outdated root
++ * item.
++ */
++ record_root_in_trans(trans, src, 1);
++
++ /*
+ * We are going to commit transaction, see btrfs_commit_transaction()
+ * comment for reason locking tree_log_mutex
+ */
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 27 Mar 2018 20:44:18 +0800
+Subject: btrfs: tests/qgroup: Fix wrong tree backref level
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 3c0efdf03b2d127f0e40e30db4e7aa0429b1b79a ]
+
+The extent tree of the test fs is like the following:
+
+ BTRFS info (device (null)): leaf 16327509003777336587 total ptrs 1 free space 3919
+ item 0 key (4096 168 4096) itemoff 3944 itemsize 51
+ extent refs 1 gen 1 flags 2
+ tree block key (68719476736 0 0) level 1
+ ^^^^^^^
+ ref#0: tree block backref root 5
+
+And it's using an empty tree for fs tree, so there is no way that its
+level can be 1.
+
+For REAL (created by mkfs) fs tree backref with no skinny metadata, the
+result should look like:
+
+ item 3 key (30408704 EXTENT_ITEM 4096) itemoff 3845 itemsize 51
+ refs 1 gen 4 flags TREE_BLOCK
+ tree block key (256 INODE_ITEM 0) level 0
+ ^^^^^^^
+ tree block backref root 5
+
+Fix the level to 0, so it won't break later tree level checker.
+
+Fixes: faa2dbf004e8 ("Btrfs: add sanity tests for new qgroup accounting code")
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tests/qgroup-tests.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/tests/qgroup-tests.c
++++ b/fs/btrfs/tests/qgroup-tests.c
+@@ -63,7 +63,7 @@ static int insert_normal_tree_ref(struct
+ btrfs_set_extent_generation(leaf, item, 1);
+ btrfs_set_extent_flags(leaf, item, BTRFS_EXTENT_FLAG_TREE_BLOCK);
+ block_info = (struct btrfs_tree_block_info *)(item + 1);
+- btrfs_set_tree_block_level(leaf, block_info, 1);
++ btrfs_set_tree_block_level(leaf, block_info, 0);
+ iref = (struct btrfs_extent_inline_ref *)(block_info + 1);
+ if (parent > 0) {
+ btrfs_set_extent_inline_ref_type(leaf, iref,
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Maurizio Lombardi <mlombard@redhat.com>
+Date: Fri, 9 Mar 2018 13:59:06 +0100
+Subject: cdrom: do not call check_disk_change() inside cdrom_open()
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 2bbea6e117357d17842114c65e9a9cf2d13ae8a3 ]
+
+when mounting an ISO filesystem sometimes (very rarely)
+the system hangs because of a race condition between two tasks.
+
+PID: 6766 TASK: ffff88007b2a6dd0 CPU: 0 COMMAND: "mount"
+ #0 [ffff880078447ae0] __schedule at ffffffff8168d605
+ #1 [ffff880078447b48] schedule_preempt_disabled at ffffffff8168ed49
+ #2 [ffff880078447b58] __mutex_lock_slowpath at ffffffff8168c995
+ #3 [ffff880078447bb8] mutex_lock at ffffffff8168bdef
+ #4 [ffff880078447bd0] sr_block_ioctl at ffffffffa00b6818 [sr_mod]
+ #5 [ffff880078447c10] blkdev_ioctl at ffffffff812fea50
+ #6 [ffff880078447c70] ioctl_by_bdev at ffffffff8123a8b3
+ #7 [ffff880078447c90] isofs_fill_super at ffffffffa04fb1e1 [isofs]
+ #8 [ffff880078447da8] mount_bdev at ffffffff81202570
+ #9 [ffff880078447e18] isofs_mount at ffffffffa04f9828 [isofs]
+#10 [ffff880078447e28] mount_fs at ffffffff81202d09
+#11 [ffff880078447e70] vfs_kern_mount at ffffffff8121ea8f
+#12 [ffff880078447ea8] do_mount at ffffffff81220fee
+#13 [ffff880078447f28] sys_mount at ffffffff812218d6
+#14 [ffff880078447f80] system_call_fastpath at ffffffff81698c49
+ RIP: 00007fd9ea914e9a RSP: 00007ffd5d9bf648 RFLAGS: 00010246
+ RAX: 00000000000000a5 RBX: ffffffff81698c49 RCX: 0000000000000010
+ RDX: 00007fd9ec2bc210 RSI: 00007fd9ec2bc290 RDI: 00007fd9ec2bcf30
+ RBP: 0000000000000000 R8: 0000000000000000 R9: 0000000000000010
+ R10: 00000000c0ed0001 R11: 0000000000000206 R12: 00007fd9ec2bc040
+ R13: 00007fd9eb6b2380 R14: 00007fd9ec2bc210 R15: 00007fd9ec2bcf30
+ ORIG_RAX: 00000000000000a5 CS: 0033 SS: 002b
+
+This task was trying to mount the cdrom. It allocated and configured a
+super_block struct and owned the write-lock for the super_block->s_umount
+rwsem. While exclusively owning the s_umount lock, it called
+sr_block_ioctl and waited to acquire the global sr_mutex lock.
+
+PID: 6785 TASK: ffff880078720fb0 CPU: 0 COMMAND: "systemd-udevd"
+ #0 [ffff880078417898] __schedule at ffffffff8168d605
+ #1 [ffff880078417900] schedule at ffffffff8168dc59
+ #2 [ffff880078417910] rwsem_down_read_failed at ffffffff8168f605
+ #3 [ffff880078417980] call_rwsem_down_read_failed at ffffffff81328838
+ #4 [ffff8800784179d0] down_read at ffffffff8168cde0
+ #5 [ffff8800784179e8] get_super at ffffffff81201cc7
+ #6 [ffff880078417a10] __invalidate_device at ffffffff8123a8de
+ #7 [ffff880078417a40] flush_disk at ffffffff8123a94b
+ #8 [ffff880078417a88] check_disk_change at ffffffff8123ab50
+ #9 [ffff880078417ab0] cdrom_open at ffffffffa00a29e1 [cdrom]
+#10 [ffff880078417b68] sr_block_open at ffffffffa00b6f9b [sr_mod]
+#11 [ffff880078417b98] __blkdev_get at ffffffff8123ba86
+#12 [ffff880078417bf0] blkdev_get at ffffffff8123bd65
+#13 [ffff880078417c78] blkdev_open at ffffffff8123bf9b
+#14 [ffff880078417c90] do_dentry_open at ffffffff811fc7f7
+#15 [ffff880078417cd8] vfs_open at ffffffff811fc9cf
+#16 [ffff880078417d00] do_last at ffffffff8120d53d
+#17 [ffff880078417db0] path_openat at ffffffff8120e6b2
+#18 [ffff880078417e48] do_filp_open at ffffffff8121082b
+#19 [ffff880078417f18] do_sys_open at ffffffff811fdd33
+#20 [ffff880078417f70] sys_open at ffffffff811fde4e
+#21 [ffff880078417f80] system_call_fastpath at ffffffff81698c49
+ RIP: 00007f29438b0c20 RSP: 00007ffc76624b78 RFLAGS: 00010246
+ RAX: 0000000000000002 RBX: ffffffff81698c49 RCX: 0000000000000000
+ RDX: 00007f2944a5fa70 RSI: 00000000000a0800 RDI: 00007f2944a5fa70
+ RBP: 00007f2944a5f540 R8: 0000000000000000 R9: 0000000000000020
+ R10: 00007f2943614c40 R11: 0000000000000246 R12: ffffffff811fde4e
+ R13: ffff880078417f78 R14: 000000000000000c R15: 00007f2944a4b010
+ ORIG_RAX: 0000000000000002 CS: 0033 SS: 002b
+
+This task tried to open the cdrom device, the sr_block_open function
+acquired the global sr_mutex lock. The call to check_disk_change()
+then saw an event flag indicating a possible media change and tried
+to flush any cached data for the device.
+As part of the flush, it tried to acquire the super_block->s_umount
+lock associated with the cdrom device.
+This was the same super_block as created and locked by the previous task.
+
+The first task acquires the s_umount lock and then the sr_mutex_lock;
+the second task acquires the sr_mutex_lock and then the s_umount lock.
+
+This patch fixes the issue by moving check_disk_change() out of
+cdrom_open() and let the caller take care of it.
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/paride/pcd.c | 2 ++
+ drivers/cdrom/cdrom.c | 3 ---
+ drivers/cdrom/gdrom.c | 3 +++
+ drivers/ide/ide-cd.c | 2 ++
+ drivers/scsi/sr.c | 2 ++
+ 5 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/paride/pcd.c
++++ b/drivers/block/paride/pcd.c
+@@ -230,6 +230,8 @@ static int pcd_block_open(struct block_d
+ struct pcd_unit *cd = bdev->bd_disk->private_data;
+ int ret;
+
++ check_disk_change(bdev);
++
+ mutex_lock(&pcd_mutex);
+ ret = cdrom_open(&cd->info, bdev, mode);
+ mutex_unlock(&pcd_mutex);
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -1152,9 +1152,6 @@ int cdrom_open(struct cdrom_device_info
+
+ cd_dbg(CD_OPEN, "entering cdrom_open\n");
+
+- /* open is event synchronization point, check events first */
+- check_disk_change(bdev);
+-
+ /* if this was a O_NONBLOCK open and we should honor the flags,
+ * do a quick open without drive/disc integrity checks. */
+ cdi->use_count++;
+--- a/drivers/cdrom/gdrom.c
++++ b/drivers/cdrom/gdrom.c
+@@ -497,6 +497,9 @@ static const struct cdrom_device_ops gdr
+ static int gdrom_bdops_open(struct block_device *bdev, fmode_t mode)
+ {
+ int ret;
++
++ check_disk_change(bdev);
++
+ mutex_lock(&gdrom_mutex);
+ ret = cdrom_open(gd.cd_info, bdev, mode);
+ mutex_unlock(&gdrom_mutex);
+--- a/drivers/ide/ide-cd.c
++++ b/drivers/ide/ide-cd.c
+@@ -1613,6 +1613,8 @@ static int idecd_open(struct block_devic
+ struct cdrom_info *info;
+ int rc = -ENXIO;
+
++ check_disk_change(bdev);
++
+ mutex_lock(&ide_cd_mutex);
+ info = ide_cd_get(bdev->bd_disk);
+ if (!info)
+--- a/drivers/scsi/sr.c
++++ b/drivers/scsi/sr.c
+@@ -525,6 +525,8 @@ static int sr_block_open(struct block_de
+ struct scsi_cd *cd;
+ int ret = -ENXIO;
+
++ check_disk_change(bdev);
++
+ mutex_lock(&sr_mutex);
+ cd = scsi_cd_get(bdev->bd_disk);
+ if (cd) {
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Wed, 14 Mar 2018 08:28:31 +0800
+Subject: clk: Don't show the incorrect clock phase
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+[ Upstream commit 1f9c63e8de3d7b377c9d74e4a17524cfb60e6384 ]
+
+It's found that the clock phase output from clk_summary is
+wrong compared to the actual phase reading from the register.
+
+cat /sys/kernel/debug/clk/clk_summary | grep sdio_sample
+sdio_sample 0 1 0 50000000 0 -22
+
+It exposes an issue that clk core, clk_core_get_phase, always
+returns the cached core->phase which should be either updated
+by calling clk_set_phase or directly from the first place the
+clk was registered.
+
+When registering the clk, the core->phase geting from ->get_phase()
+may return negative value indicating error. This is quite common
+since the clk's phase may be highly related to its parent chain,
+but it was temporarily orphan when registered, since its parent
+chains hadn't be ready at that time, so the clk drivers decide to
+return error in this case. However, if no clk_set_phase is called or
+maybe the ->set_phase() isn't even implemented, the core->phase would
+never be updated. This is wrong, and we should try to update it when
+all its parent chains are settled down, like the way of updating clock
+rate for that. But it's not deserved to complicate the code now and
+just update it anyway when calling clk_core_get_phase, which would be
+much simple and enough.
+
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Acked-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -2375,6 +2375,9 @@ static int clk_core_get_phase(struct clk
+ int ret;
+
+ clk_prepare_lock();
++ /* Always try to update cached phase if possible */
++ if (core->ops->get_phase)
++ core->phase = core->ops->get_phase(core->hw);
+ ret = core->phase;
+ clk_prepare_unlock();
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 20 Feb 2018 16:15:21 +0100
+Subject: clk: hisilicon: mark wdt_mux_p[] as const
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit df934cbcbff7afbc024bf05f02615917c61f6470 ]
+
+The symbol is in the __initconst section but not marked init, which
+caused a warning when building with LTO.
+
+This makes it 'const' as was obviously intended.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: c80dfd9bf54e ("clk: hisilicon: add CRG driver for Hi3516CV300 SoC")
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/hisilicon/crg-hi3516cv300.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/hisilicon/crg-hi3516cv300.c
++++ b/drivers/clk/hisilicon/crg-hi3516cv300.c
+@@ -204,7 +204,7 @@ static const struct hisi_crg_funcs hi351
+ /* hi3516CV300 sysctrl CRG */
+ #define HI3516CV300_SYSCTRL_NR_CLKS 16
+
+-static const char *wdt_mux_p[] __initconst = { "3m", "apb" };
++static const char *const wdt_mux_p[] __initconst = { "3m", "apb" };
+ static u32 wdt_mux_table[] = {0, 1};
+
+ static const struct hisi_mux_clock hi3516cv300_sysctrl_mux_clks[] = {
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Fri, 19 Jan 2018 16:55:29 +0100
+Subject: clk: meson: axg: add the fractional part of the fixed_pll
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit 6b71aceceb09918daf37a40a1221077599040be3 ]
+
+The fixed_pll also has a fractional part. On axg s400 board, without
+this parameter, the calculated rate is off by ~8Mhz (0,4%). The fixed_pll
+being the root of the peripheral clock tree, this error is propagated to
+the rest of the clocks
+
+Adding the definition of the parameter fixes the problem
+
+Fixes: 78b4af312f91 ("clk: meson-axg: add clock controller drivers")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/meson/axg.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/clk/meson/axg.c
++++ b/drivers/clk/meson/axg.c
+@@ -129,6 +129,11 @@ static struct meson_clk_pll axg_fixed_pl
+ .shift = 16,
+ .width = 2,
+ },
++ .frac = {
++ .reg_off = HHI_MPLL_CNTL2,
++ .shift = 0,
++ .width = 12,
++ },
+ .lock = &meson_clk_lock,
+ .hw.init = &(struct clk_init_data){
+ .name = "fixed_pll",
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Yixun Lan <yixun.lan@amlogic.com>
+Date: Fri, 19 Jan 2018 10:09:26 +0800
+Subject: clk: meson: axg: fix the od shift of the sys_pll
+
+From: Yixun Lan <yixun.lan@amlogic.com>
+
+[ Upstream commit 2fa9b361e500a0e092a9525afbd6a3a363ffa5f0 ]
+
+According to the datasheet, the od shift of sys_pll is actually 16.
+
+Fixes: 78b4af312f91 ('clk: meson-axg: add clock controller drivers')
+Signed-off-by: Yixun Lan <yixun.lan@amlogic.com>
+[fixed commit message]
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/meson/axg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/meson/axg.c
++++ b/drivers/clk/meson/axg.c
+@@ -151,7 +151,7 @@ static struct meson_clk_pll axg_sys_pll
+ },
+ .od = {
+ .reg_off = HHI_SYS_PLL_CNTL,
+- .shift = 10,
++ .shift = 16,
+ .width = 2,
+ },
+ .rate_table = sys_pll_rate_table,
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Wed, 21 Mar 2018 10:39:19 +0800
+Subject: clk: rockchip: Fix wrong parent for SDMMC phase clock for rk3228
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+[ Upstream commit 4b0556a441dd37e598887215bc89b49a6ef525b3 ]
+
+commit c420c1e4db22 ("clk: rockchip: Prevent calculating mmc phase
+if clock rate is zero") catches one gremlin again for clk-rk3228.c
+that the parent of SDMMC phase clock should be sclk_sdmmc0, but not
+sclk_sdmmc. However, the naming of the sdmmc clocks varies in the
+manual with the card clock having the 0 while the hclk is named
+without appended 0. So standardize one one format to prevent
+confusion, as there also is only one (non-sdio) mmc controller on
+the soc.
+
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/rockchip/clk-rk3228.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/rockchip/clk-rk3228.c
++++ b/drivers/clk/rockchip/clk-rk3228.c
+@@ -387,7 +387,7 @@ static struct rockchip_clk_branch rk3228
+ RK2928_CLKSEL_CON(23), 5, 2, MFLAGS, 0, 6, DFLAGS,
+ RK2928_CLKGATE_CON(2), 15, GFLAGS),
+
+- COMPOSITE(SCLK_SDMMC, "sclk_sdmmc0", mux_mmc_src_p, 0,
++ COMPOSITE(SCLK_SDMMC, "sclk_sdmmc", mux_mmc_src_p, 0,
+ RK2928_CLKSEL_CON(11), 8, 2, MFLAGS, 0, 8, DFLAGS,
+ RK2928_CLKGATE_CON(2), 11, GFLAGS),
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Mon, 5 Mar 2018 11:25:58 +0800
+Subject: clk: rockchip: Prevent calculating mmc phase if clock rate is zero
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+[ Upstream commit 4bf59902b50012b1dddeeaa23b217d9c4956cdda ]
+
+The MMC sample and drv clock for rockchip platforms are derived from
+the bus clock output to the MMC/SDIO card. So it should never happens
+that the clk rate is zero given it should inherits the clock rate from
+its parent. If something goes wrong and makes the clock rate to be zero,
+the calculation would be wrong but may still make the mmc tuning process
+work luckily. However it makes people harder to debug when the following
+data transfer is unstable.
+
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/rockchip/clk-mmc-phase.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/drivers/clk/rockchip/clk-mmc-phase.c
++++ b/drivers/clk/rockchip/clk-mmc-phase.c
+@@ -58,6 +58,12 @@ static int rockchip_mmc_get_phase(struct
+ u16 degrees;
+ u32 delay_num = 0;
+
++ /* See the comment for rockchip_mmc_set_phase below */
++ if (!rate) {
++ pr_err("%s: invalid clk rate\n", __func__);
++ return -EINVAL;
++ }
++
+ raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift);
+
+ degrees = (raw_value & ROCKCHIP_MMC_DEGREE_MASK) * 90;
+@@ -84,6 +90,23 @@ static int rockchip_mmc_set_phase(struct
+ u32 raw_value;
+ u32 delay;
+
++ /*
++ * The below calculation is based on the output clock from
++ * MMC host to the card, which expects the phase clock inherits
++ * the clock rate from its parent, namely the output clock
++ * provider of MMC host. However, things may go wrong if
++ * (1) It is orphan.
++ * (2) It is assigned to the wrong parent.
++ *
++ * This check help debug the case (1), which seems to be the
++ * most likely problem we often face and which makes it difficult
++ * for people to debug unstable mmc tuning results.
++ */
++ if (!rate) {
++ pr_err("%s: invalid clk rate\n", __func__);
++ return -EINVAL;
++ }
++
+ nineties = degrees / 90;
+ remainder = (degrees % 90);
+
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Fri, 16 Feb 2018 15:57:48 +0100
+Subject: clk: samsung: exynos3250: Fix PLL rates
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+[ Upstream commit a8321e7887410a2b2e80ab89d1ef7b30562658ea ]
+
+Rates declared in PLL rate tables should match exactly rates calculated
+from PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+In this patch an erroneous P value for 74176002 output frequency is also
+corrected.
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/samsung/clk-exynos3250.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/samsung/clk-exynos3250.c
++++ b/drivers/clk/samsung/clk-exynos3250.c
+@@ -698,7 +698,7 @@ static const struct samsung_pll_rate_tab
+ PLL_36XX_RATE(144000000, 96, 2, 3, 0),
+ PLL_36XX_RATE( 96000000, 128, 2, 4, 0),
+ PLL_36XX_RATE( 84000000, 112, 2, 4, 0),
+- PLL_36XX_RATE( 80000004, 106, 2, 4, 43691),
++ PLL_36XX_RATE( 80000003, 106, 2, 4, 43691),
+ PLL_36XX_RATE( 73728000, 98, 2, 4, 19923),
+ PLL_36XX_RATE( 67737598, 270, 3, 5, 62285),
+ PLL_36XX_RATE( 65535999, 174, 2, 5, 49982),
+@@ -734,7 +734,7 @@ static const struct samsung_pll_rate_tab
+ PLL_36XX_RATE(148352005, 98, 2, 3, 59070),
+ PLL_36XX_RATE(108000000, 144, 2, 4, 0),
+ PLL_36XX_RATE( 74250000, 99, 2, 4, 0),
+- PLL_36XX_RATE( 74176002, 98, 3, 4, 59070),
++ PLL_36XX_RATE( 74176002, 98, 2, 4, 59070),
+ PLL_36XX_RATE( 54054000, 216, 3, 5, 14156),
+ PLL_36XX_RATE( 54000000, 144, 2, 5, 0),
+ { /* sentinel */ }
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Fri, 16 Feb 2018 15:57:49 +0100
+Subject: clk: samsung: exynos5250: Fix PLL rates
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+[ Upstream commit 2ac051eeabaa411ef89ae7cd5bb8e60cb41ad780 ]
+
+Rates declared in PLL rate tables should match exactly rates calculated
+from PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/samsung/clk-exynos5250.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/clk/samsung/clk-exynos5250.c
++++ b/drivers/clk/samsung/clk-exynos5250.c
+@@ -711,13 +711,13 @@ static const struct samsung_pll_rate_tab
+ /* sorted in descending order */
+ /* PLL_36XX_RATE(rate, m, p, s, k) */
+ PLL_36XX_RATE(192000000, 64, 2, 2, 0),
+- PLL_36XX_RATE(180633600, 90, 3, 2, 20762),
++ PLL_36XX_RATE(180633605, 90, 3, 2, 20762),
+ PLL_36XX_RATE(180000000, 90, 3, 2, 0),
+ PLL_36XX_RATE(73728000, 98, 2, 4, 19923),
+- PLL_36XX_RATE(67737600, 90, 2, 4, 20762),
++ PLL_36XX_RATE(67737602, 90, 2, 4, 20762),
+ PLL_36XX_RATE(49152000, 98, 3, 4, 19923),
+- PLL_36XX_RATE(45158400, 90, 3, 4, 20762),
+- PLL_36XX_RATE(32768000, 131, 3, 5, 4719),
++ PLL_36XX_RATE(45158401, 90, 3, 4, 20762),
++ PLL_36XX_RATE(32768001, 131, 3, 5, 4719),
+ { },
+ };
+
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Fri, 16 Feb 2018 15:57:50 +0100
+Subject: clk: samsung: exynos5260: Fix PLL rates
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+[ Upstream commit cdb68fbd4e7962be742c4f29475220c5bf28d8a5 ]
+
+Rates declared in PLL rate tables should match exactly rates calculated from
+the PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/samsung/clk-exynos5260.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/samsung/clk-exynos5260.c
++++ b/drivers/clk/samsung/clk-exynos5260.c
+@@ -65,7 +65,7 @@ static const struct samsung_pll_rate_tab
+ PLL_36XX_RATE(480000000, 160, 2, 2, 0),
+ PLL_36XX_RATE(432000000, 144, 2, 2, 0),
+ PLL_36XX_RATE(400000000, 200, 3, 2, 0),
+- PLL_36XX_RATE(394073130, 459, 7, 2, 49282),
++ PLL_36XX_RATE(394073128, 459, 7, 2, 49282),
+ PLL_36XX_RATE(333000000, 111, 2, 2, 0),
+ PLL_36XX_RATE(300000000, 100, 2, 2, 0),
+ PLL_36XX_RATE(266000000, 266, 3, 3, 0),
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Fri, 16 Feb 2018 15:57:51 +0100
+Subject: clk: samsung: exynos5433: Fix PLL rates
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+[ Upstream commit ab0447845cffc0fd752df2ccd6b4e34006000ce4 ]
+
+Rates declared in PLL rate tables should match exactly rates calculated from
+the PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/samsung/clk-exynos5433.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/clk/samsung/clk-exynos5433.c
++++ b/drivers/clk/samsung/clk-exynos5433.c
+@@ -729,7 +729,7 @@ static const struct samsung_pll_rate_tab
+ PLL_35XX_RATE(800000000U, 400, 6, 1),
+ PLL_35XX_RATE(733000000U, 733, 12, 1),
+ PLL_35XX_RATE(700000000U, 175, 3, 1),
+- PLL_35XX_RATE(667000000U, 222, 4, 1),
++ PLL_35XX_RATE(666000000U, 222, 4, 1),
+ PLL_35XX_RATE(633000000U, 211, 4, 1),
+ PLL_35XX_RATE(600000000U, 500, 5, 2),
+ PLL_35XX_RATE(552000000U, 460, 5, 2),
+@@ -757,12 +757,12 @@ static const struct samsung_pll_rate_tab
+ /* AUD_PLL */
+ static const struct samsung_pll_rate_table exynos5433_aud_pll_rates[] __initconst = {
+ PLL_36XX_RATE(400000000U, 200, 3, 2, 0),
+- PLL_36XX_RATE(393216000U, 197, 3, 2, -25690),
++ PLL_36XX_RATE(393216003U, 197, 3, 2, -25690),
+ PLL_36XX_RATE(384000000U, 128, 2, 2, 0),
+- PLL_36XX_RATE(368640000U, 246, 4, 2, -15729),
+- PLL_36XX_RATE(361507200U, 181, 3, 2, -16148),
+- PLL_36XX_RATE(338688000U, 113, 2, 2, -6816),
+- PLL_36XX_RATE(294912000U, 98, 1, 3, 19923),
++ PLL_36XX_RATE(368639991U, 246, 4, 2, -15729),
++ PLL_36XX_RATE(361507202U, 181, 3, 2, -16148),
++ PLL_36XX_RATE(338687988U, 113, 2, 2, -6816),
++ PLL_36XX_RATE(294912002U, 98, 1, 3, 19923),
+ PLL_36XX_RATE(288000000U, 96, 1, 3, 0),
+ PLL_36XX_RATE(252000000U, 84, 1, 3, 0),
+ { /* sentinel */ }
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Fri, 16 Feb 2018 15:57:52 +0100
+Subject: clk: samsung: exynos7: Fix PLL rates
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+[ Upstream commit 7e4db0c2836e892766565965207eee051c8037b9 ]
+
+Rates declared in PLL rate tables should match exactly rates calculated from
+the PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/samsung/clk-exynos7.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/samsung/clk-exynos7.c
++++ b/drivers/clk/samsung/clk-exynos7.c
+@@ -140,7 +140,7 @@ static const struct samsung_div_clock to
+ };
+
+ static const struct samsung_pll_rate_table pll1460x_24mhz_tbl[] __initconst = {
+- PLL_36XX_RATE(491520000, 20, 1, 0, 31457),
++ PLL_36XX_RATE(491519897, 20, 1, 0, 31457),
+ {},
+ };
+
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Fri, 16 Feb 2018 15:57:53 +0100
+Subject: clk: samsung: s3c2410: Fix PLL rates
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+[ Upstream commit 179db533c08431f509a3823077549773d519358b ]
+
+Rates declared in PLL rate tables should match exactly rates calculated from
+the PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/samsung/clk-s3c2410.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/clk/samsung/clk-s3c2410.c
++++ b/drivers/clk/samsung/clk-s3c2410.c
+@@ -168,7 +168,7 @@ static struct samsung_pll_rate_table pll
+ PLL_35XX_RATE(226000000, 105, 1, 1),
+ PLL_35XX_RATE(210000000, 132, 2, 1),
+ /* 2410 common */
+- PLL_35XX_RATE(203000000, 161, 3, 1),
++ PLL_35XX_RATE(202800000, 161, 3, 1),
+ PLL_35XX_RATE(192000000, 88, 1, 1),
+ PLL_35XX_RATE(186000000, 85, 1, 1),
+ PLL_35XX_RATE(180000000, 82, 1, 1),
+@@ -178,18 +178,18 @@ static struct samsung_pll_rate_table pll
+ PLL_35XX_RATE(147000000, 90, 2, 1),
+ PLL_35XX_RATE(135000000, 82, 2, 1),
+ PLL_35XX_RATE(124000000, 116, 1, 2),
+- PLL_35XX_RATE(118000000, 150, 2, 2),
++ PLL_35XX_RATE(118500000, 150, 2, 2),
+ PLL_35XX_RATE(113000000, 105, 1, 2),
+- PLL_35XX_RATE(101000000, 127, 2, 2),
++ PLL_35XX_RATE(101250000, 127, 2, 2),
+ PLL_35XX_RATE(90000000, 112, 2, 2),
+- PLL_35XX_RATE(85000000, 105, 2, 2),
++ PLL_35XX_RATE(84750000, 105, 2, 2),
+ PLL_35XX_RATE(79000000, 71, 1, 2),
+- PLL_35XX_RATE(68000000, 82, 2, 2),
+- PLL_35XX_RATE(56000000, 142, 2, 3),
++ PLL_35XX_RATE(67500000, 82, 2, 2),
++ PLL_35XX_RATE(56250000, 142, 2, 3),
+ PLL_35XX_RATE(48000000, 120, 2, 3),
+- PLL_35XX_RATE(51000000, 161, 3, 3),
++ PLL_35XX_RATE(50700000, 161, 3, 3),
+ PLL_35XX_RATE(45000000, 82, 1, 3),
+- PLL_35XX_RATE(34000000, 82, 2, 3),
++ PLL_35XX_RATE(33750000, 82, 2, 3),
+ { /* sentinel */ },
+ };
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Marcel Ziswiler <marcel@ziswiler.com>
+Date: Fri, 23 Feb 2018 00:04:51 +0100
+Subject: clk: tegra: Fix pll_u rate configuration
+
+From: Marcel Ziswiler <marcel@ziswiler.com>
+
+[ Upstream commit c35b518f9ba06c9de79fb3ff62eed7462d804995 ]
+
+Turns out latest upstream U-Boot does not configure/enable pll_u which
+leaves it at some default rate of 500 kHz:
+
+root@apalis-t30:~# cat /sys/kernel/debug/clk/clk_summary | grep pll_u
+ pll_u 3 3 0 500000 0
+
+Of course this won't quite work leading to the following messages:
+
+[ 6.559593] usb 2-1: new full-speed USB device number 2 using tegra-
+ehci
+[ 11.759173] usb 2-1: device descriptor read/64, error -110
+[ 27.119453] usb 2-1: device descriptor read/64, error -110
+[ 27.389217] usb 2-1: new full-speed USB device number 3 using tegra-
+ehci
+[ 32.559454] usb 2-1: device descriptor read/64, error -110
+[ 47.929777] usb 2-1: device descriptor read/64, error -110
+[ 48.049658] usb usb2-port1: attempt power cycle
+[ 48.759475] usb 2-1: new full-speed USB device number 4 using tegra-
+ehci
+[ 59.349457] usb 2-1: device not accepting address 4, error -110
+[ 59.509449] usb 2-1: new full-speed USB device number 5 using tegra-
+ehci
+[ 70.069457] usb 2-1: device not accepting address 5, error -110
+[ 70.079721] usb usb2-port1: unable to enumerate USB device
+
+Fix this by actually allowing the rate also being set from within
+the Linux kernel.
+
+Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Tested-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/tegra/clk-pll.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/clk/tegra/clk-pll.c
++++ b/drivers/clk/tegra/clk-pll.c
+@@ -1151,6 +1151,8 @@ static const struct clk_ops tegra_clk_pl
+ .enable = clk_pllu_enable,
+ .disable = clk_pll_disable,
+ .recalc_rate = clk_pll_recalc_rate,
++ .round_rate = clk_pll_round_rate,
++ .set_rate = clk_pll_set_rate,
+ };
+
+ static int _pll_fixed_mdiv(struct tegra_clk_pll_params *pll_params,
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Tero Kristo <t-kristo@ti.com>
+Date: Tue, 27 Mar 2018 20:47:04 +0300
+Subject: clk: ti: fix flag space conflict with clkctrl clocks
+
+From: Tero Kristo <t-kristo@ti.com>
+
+[ Upstream commit 269bd202bc0fd04e841cb123867fd3f49e04ace9 ]
+
+The introduction of support for CLK_SET_RATE_PARENT flag for clkctrl
+clocks used a generic clock flag, which causes a conflict with the
+rest of the clkctrl flags, namely the NO_IDLEST flag. This can cause
+boot failures on certain platforms where this flag is introduced, by
+omitting the wait for the clockctrl module to be fully enabled before
+proceeding with rest of the code.
+
+Fix this by moving all the clkctrl specific flags to their own bit-range.
+
+Signed-off-by: Tero Kristo <t-kristo@ti.com>
+Fixes: 49159a9dc3da ("clk: ti: add support for CLK_SET_RATE_PARENT flag")
+Reported-by: Christophe Lyon <christophe.lyon@linaro.org>
+Tested-by: Tony Lindgren <tony@atomide.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/ti/clock.h | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/clk/ti/clock.h
++++ b/drivers/clk/ti/clock.h
+@@ -74,6 +74,11 @@ enum {
+ #define CLKF_CORE (1 << 9)
+ #define CLKF_J_TYPE (1 << 10)
+
++/* CLKCTRL flags */
++#define CLKF_SW_SUP BIT(5)
++#define CLKF_HW_SUP BIT(6)
++#define CLKF_NO_IDLEST BIT(7)
++
+ #define CLK(dev, con, ck) \
+ { \
+ .lk = { \
+@@ -183,10 +188,6 @@ extern const struct omap_clkctrl_data am
+ extern const struct omap_clkctrl_data dm814_clkctrl_data[];
+ extern const struct omap_clkctrl_data dm816_clkctrl_data[];
+
+-#define CLKF_SW_SUP BIT(0)
+-#define CLKF_HW_SUP BIT(1)
+-#define CLKF_NO_IDLEST BIT(2)
+-
+ typedef void (*ti_of_clk_init_cb_t)(void *, struct device_node *);
+
+ struct clk *ti_clk_register(struct device *dev, struct clk_hw *hw,
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Leo Yan <leo.yan@linaro.org>
+Date: Tue, 13 Mar 2018 11:24:30 -0600
+Subject: coresight: Use %px to print pcsr instead of %p
+
+From: Leo Yan <leo.yan@linaro.org>
+
+[ Upstream commit 831c326fcd0e8e2a6ece952f898a1ec9b1dc1004 ]
+
+Commit ad67b74d2469 ("printk: hash addresses printed with %p") lets
+printk specifier %p to hash all addresses before printing, this was
+resulting in the high 32 bits of pcsr can only output zeros. So
+module cannot completely print pc value and it's pointless for debugging
+purpose.
+
+This patch fixes this by using %px to print pcsr instead.
+
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-cpu-debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/coresight/coresight-cpu-debug.c
++++ b/drivers/hwtracing/coresight/coresight-cpu-debug.c
+@@ -315,7 +315,7 @@ static void debug_dump_regs(struct debug
+ }
+
+ pc = debug_adjust_pc(drvdata);
+- dev_emerg(dev, " EDPCSR: [<%p>] %pS\n", (void *)pc, (void *)pc);
++ dev_emerg(dev, " EDPCSR: [<%px>] %pS\n", (void *)pc, (void *)pc);
+
+ if (drvdata->edcidsr_present)
+ dev_emerg(dev, " EDCIDSR: %08x\n", drvdata->edcidsr);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Shunyong Yang <shunyong.yang@hxt-semitech.com>
+Date: Fri, 6 Apr 2018 10:43:49 +0800
+Subject: cpufreq: CPPC: Initialize shared perf capabilities of CPUs
+
+From: Shunyong Yang <shunyong.yang@hxt-semitech.com>
+
+[ Upstream commit 8913315e9459b146e5888ab5138e10daa061b885 ]
+
+When multiple CPUs are related in one cpufreq policy, the first online
+CPU will be chosen by default to handle cpufreq operations. Let's take
+cpu0 and cpu1 as an example.
+
+When cpu0 is offline, policy->cpu will be shifted to cpu1. cpu1's perf
+capabilities should be initialized. Otherwise, perf capabilities are 0s
+and speed change can not take effect.
+
+This patch copies perf capabilities of the first online CPU to other
+shared CPUs when policy shared type is CPUFREQ_SHARED_TYPE_ANY.
+
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Shunyong Yang <shunyong.yang@hxt-semitech.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cppc_cpufreq.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/cppc_cpufreq.c
++++ b/drivers/cpufreq/cppc_cpufreq.c
+@@ -167,9 +167,19 @@ static int cppc_cpufreq_cpu_init(struct
+ NSEC_PER_USEC;
+ policy->shared_type = cpu->shared_type;
+
+- if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY)
++ if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY) {
++ int i;
++
+ cpumask_copy(policy->cpus, cpu->shared_cpu_map);
+- else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) {
++
++ for_each_cpu(i, policy->cpus) {
++ if (unlikely(i == policy->cpu))
++ continue;
++
++ memcpy(&all_cpu_data[i]->perf_caps, &cpu->perf_caps,
++ sizeof(cpu->perf_caps));
++ }
++ } else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) {
+ /* Support only SW_ANY for now. */
+ pr_debug("Unsupported CPU co-ord type\n");
+ return -EFAULT;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Chunyu Hu <chuhu@redhat.com>
+Date: Mon, 5 Mar 2018 13:40:38 +0800
+Subject: cpufreq: cppc_cpufreq: Fix cppc_cpufreq_init() failure path
+
+From: Chunyu Hu <chuhu@redhat.com>
+
+[ Upstream commit 55b55abc17f238c61921360e61dde90dd9a326d1 ]
+
+Kmemleak reported the below leak. When cppc_cpufreq_init went into
+failure path, the cpu mask is not freed. After fix, this report is
+gone. And to avaoid potential NULL pointer reference, check the cpu
+value first.
+
+unreferenced object 0xffff800fd5ea4880 (size 128):
+ comm "swapper/0", pid 1, jiffies 4294939510 (age 668.680s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 .... ...........
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffff0000082c4ae4>] __kmalloc_node+0x278/0x634
+ [<ffff0000088f4a74>] alloc_cpumask_var_node+0x28/0x60
+ [<ffff0000088f4af0>] zalloc_cpumask_var+0x14/0x1c
+ [<ffff000008d20254>] cppc_cpufreq_init+0xd0/0x19c
+ [<ffff000008083828>] do_one_initcall+0xec/0x15c
+ [<ffff000008cd1018>] kernel_init_freeable+0x1f4/0x2a4
+ [<ffff0000089099b0>] kernel_init+0x18/0x10c
+ [<ffff000008084d50>] ret_from_fork+0x10/0x18
+ [<ffffffffffffffff>] 0xffffffffffffffff
+
+Signed-off-by: Chunyu Hu <chuhu@redhat.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cppc_cpufreq.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/cppc_cpufreq.c
++++ b/drivers/cpufreq/cppc_cpufreq.c
+@@ -243,8 +243,13 @@ static int __init cppc_cpufreq_init(void
+ return ret;
+
+ out:
+- for_each_possible_cpu(i)
+- kfree(all_cpu_data[i]);
++ for_each_possible_cpu(i) {
++ cpu = all_cpu_data[i];
++ if (!cpu)
++ break;
++ free_cpumask_var(cpu->shared_cpu_map);
++ kfree(cpu);
++ }
+
+ kfree(all_cpu_data);
+ return -ENODEV;
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Thu, 22 Feb 2018 11:29:43 +0530
+Subject: cpufreq: Reorder cpufreq_online() error code path
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+[ Upstream commit b24b6478e65f140610ab1ffaadc7bc6bf0be8aad ]
+
+Ideally the de-allocation of resources should happen in the exact
+opposite order in which they were allocated. It helps maintain the code
+in long term, even if nothing really breaks with incorrect ordering.
+
+That wasn't followed in cpufreq_online() and it has some
+inconsistencies. For example, the symlinks were created from within
+the locked region while they are removed only after putting the locks.
+Also ->exit() should have been called only after the symlinks are
+removed and the lock is dropped, as that was the case when ->init()
+was first called.
+
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+[ rjw: Subject ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cpufreq.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1327,14 +1327,14 @@ static int cpufreq_online(unsigned int c
+ return 0;
+
+ out_exit_policy:
++ for_each_cpu(j, policy->real_cpus)
++ remove_cpu_dev_symlink(policy, get_cpu_device(j));
++
+ up_write(&policy->rwsem);
+
+ if (cpufreq_driver->exit)
+ cpufreq_driver->exit(policy);
+
+- for_each_cpu(j, policy->real_cpus)
+- remove_cpu_dev_symlink(policy, get_cpu_device(j));
+-
+ out_free_policy:
+ cpufreq_policy_free(policy);
+ return ret;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Apr 2018 13:42:36 -0700
+Subject: crypto: af_alg - fix possible uninit-value in alg_bind()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a466856e0b7ab269cdf9461886d007e88ff575b0 ]
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in alg_bind+0xe3/0xd90 crypto/af_alg.c:162
+
+We need to check addr_len before dereferencing sa (or uaddr)
+
+Fixes: bb30b8848c85 ("crypto: af_alg - whitelist mask and type")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Stephan Mueller <smueller@chronox.de>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/af_alg.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -158,16 +158,16 @@ static int alg_bind(struct socket *sock,
+ void *private;
+ int err;
+
+- /* If caller uses non-allowed flag, return error. */
+- if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed))
+- return -EINVAL;
+-
+ if (sock->state == SS_CONNECTED)
+ return -EINVAL;
+
+ if (addr_len < sizeof(*sa))
+ return -EINVAL;
+
++ /* If caller uses non-allowed flag, return error. */
++ if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed))
++ return -EINVAL;
++
+ sa->salg_type[sizeof(sa->salg_type) - 1] = 0;
+ sa->salg_name[sizeof(sa->salg_name) + addr_len - sizeof(*sa) - 1] = 0;
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Fri, 23 Feb 2018 10:01:40 +0100
+Subject: crypto: atmel-aes - fix the keys zeroing on errors
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit 5d804a5157dbaa64872a675923ae87161165c66b ]
+
+The Atmel AES driver uses memzero_explicit on the keys on error, but the
+variable zeroed isn't the right one because of a typo. Fix this by using
+the right variable.
+
+Fixes: 89a82ef87e01 ("crypto: atmel-authenc - add support to authenc(hmac(shaX), Y(aes)) modes")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/atmel-aes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/atmel-aes.c
++++ b/drivers/crypto/atmel-aes.c
+@@ -2155,7 +2155,7 @@ static int atmel_aes_authenc_setkey(stru
+
+ badkey:
+ crypto_aead_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
+- memzero_explicit(&key, sizeof(keys));
++ memzero_explicit(&keys, sizeof(keys));
+ return -EINVAL;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Fri, 23 Feb 2018 23:33:07 +0100
+Subject: crypto: ccp - don't disable interrupts while setting up debugfs
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 79eb382b5e06a6dca5806465d7195d686a463ab0 ]
+
+I don't why we need take a single write lock and disable interrupts
+while setting up debugfs. This is what what happens when we try anyway:
+
+|ccp 0000:03:00.2: enabling device (0000 -> 0002)
+|BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:69
+|in_atomic(): 1, irqs_disabled(): 1, pid: 3, name: kworker/0:0
+|irq event stamp: 17150
+|hardirqs last enabled at (17149): [<0000000097a18c49>] restore_regs_and_return_to_kernel+0x0/0x23
+|hardirqs last disabled at (17150): [<000000000773b3a9>] _raw_write_lock_irqsave+0x1b/0x50
+|softirqs last enabled at (17148): [<0000000064d56155>] __do_softirq+0x3b8/0x4c1
+|softirqs last disabled at (17125): [<0000000092633c18>] irq_exit+0xb1/0xc0
+|CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.16.0-rc2+ #30
+|Workqueue: events work_for_cpu_fn
+|Call Trace:
+| dump_stack+0x7d/0xb6
+| ___might_sleep+0x1eb/0x250
+| down_write+0x17/0x60
+| start_creating+0x4c/0xe0
+| debugfs_create_dir+0x9/0x100
+| ccp5_debugfs_setup+0x191/0x1b0
+| ccp5_init+0x8a7/0x8c0
+| ccp_dev_init+0xb8/0xe0
+| sp_init+0x6c/0x90
+| sp_pci_probe+0x26e/0x590
+| local_pci_probe+0x3f/0x90
+| work_for_cpu_fn+0x11/0x20
+| process_one_work+0x1ff/0x650
+| worker_thread+0x1d4/0x3a0
+| kthread+0xfe/0x130
+| ret_from_fork+0x27/0x50
+
+If any locking is required, a simple mutex will do it.
+
+Cc: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Acked-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccp/ccp-debugfs.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-debugfs.c
++++ b/drivers/crypto/ccp/ccp-debugfs.c
+@@ -278,7 +278,7 @@ static const struct file_operations ccp_
+ };
+
+ static struct dentry *ccp_debugfs_dir;
+-static DEFINE_RWLOCK(ccp_debugfs_lock);
++static DEFINE_MUTEX(ccp_debugfs_lock);
+
+ #define MAX_NAME_LEN 20
+
+@@ -290,16 +290,15 @@ void ccp5_debugfs_setup(struct ccp_devic
+ struct dentry *debugfs_stats;
+ struct dentry *debugfs_q_instance;
+ struct dentry *debugfs_q_stats;
+- unsigned long flags;
+ int i;
+
+ if (!debugfs_initialized())
+ return;
+
+- write_lock_irqsave(&ccp_debugfs_lock, flags);
++ mutex_lock(&ccp_debugfs_lock);
+ if (!ccp_debugfs_dir)
+ ccp_debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL);
+- write_unlock_irqrestore(&ccp_debugfs_lock, flags);
++ mutex_unlock(&ccp_debugfs_lock);
+ if (!ccp_debugfs_dir)
+ return;
+
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Tue, 13 Feb 2018 09:26:51 +0100
+Subject: crypto: inside-secure - do not overwrite the threshold value
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit e1d24c0bb76648cdf789b168defb6e31adb0b1b1 ]
+
+This patch fixes the Inside Secure SafeXcel driver not to overwrite the
+interrupt threshold value. In certain cases the value of this register,
+which controls when to fire an interrupt, was overwritten. This lead to
+packet not being processed or acked as the driver never was aware of
+their completion.
+
+This patch fixes this behaviour by not setting the threshold when
+requests are being processed by the engine.
+
+Fixes: dc7e28a3286e ("crypto: inside-secure - dequeue all requests at once")
+Suggested-by: Ofer Heifetz <oferh@marvell.com>
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/crypto/inside-secure/safexcel.c
++++ b/drivers/crypto/inside-secure/safexcel.c
+@@ -523,8 +523,7 @@ finalize:
+
+ if (!priv->ring[ring].busy) {
+ nreq -= safexcel_try_push_requests(priv, ring, nreq);
+- if (nreq)
+- priv->ring[ring].busy = true;
++ priv->ring[ring].busy = true;
+ }
+
+ priv->ring[ring].requests_left += nreq;
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Tue, 13 Feb 2018 09:26:54 +0100
+Subject: crypto: inside-secure - do not process request if no command was issued
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit 95831ceafc0de7d94a5fe86ebb1c2042317cc2cd ]
+
+This patch adds a check in the SafeXcel dequeue function, to avoid
+processing request further if no hardware command was issued. This can
+happen in certain cases where the ->send() function caches all the data
+that would have been send.
+
+Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/crypto/inside-secure/safexcel.c
++++ b/drivers/crypto/inside-secure/safexcel.c
+@@ -490,6 +490,15 @@ handle_req:
+ if (backlog)
+ backlog->complete(backlog, -EINPROGRESS);
+
++ /* In case the send() helper did not issue any command to push
++ * to the engine because the input data was cached, continue to
++ * dequeue other requests as this is valid and not an error.
++ */
++ if (!commands && !results) {
++ kfree(request);
++ continue;
++ }
++
+ spin_lock_bh(&priv->ring[ring].egress_lock);
+ list_add_tail(&request->list, &priv->ring[ring].list);
+ spin_unlock_bh(&priv->ring[ring].egress_lock);
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Tue, 13 Feb 2018 09:26:53 +0100
+Subject: crypto: inside-secure - fix the cache_len computation
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit 666a9c70b04fccabde5cea5e680ae1ae92460a62 ]
+
+This patch fixes the cache length computation as cache_len could end up
+being a negative value. The check between the queued size and the
+block size is updated to reflect the caching mechanism which can cache
+up to a full block size (included!).
+
+Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel_hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -187,7 +187,7 @@ static int safexcel_ahash_send_req(struc
+ int i, queued, len, cache_len, extra, n_cdesc = 0, ret = 0;
+
+ queued = len = req->len - req->processed;
+- if (queued < crypto_ahash_blocksize(ahash))
++ if (queued <= crypto_ahash_blocksize(ahash))
+ cache_len = queued;
+ else
+ cache_len = queued - areq->nbytes;
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Tue, 13 Feb 2018 09:26:52 +0100
+Subject: crypto: inside-secure - fix the extra cache computation
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit c1a8fa6e240ed4b99778d48ab790743565cb61c8 ]
+
+This patch fixes the extra cache computation when the queued data is a
+multiple of a block size. This fixes the hash support in some cases.
+
+Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel_hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -201,7 +201,7 @@ static int safexcel_ahash_send_req(struc
+ /* If this is not the last request and the queued data
+ * is a multiple of a block, cache the last one for now.
+ */
+- extra = queued - crypto_ahash_blocksize(ahash);
++ extra = crypto_ahash_blocksize(ahash);
+
+ if (extra) {
+ sg_pcopy_to_buffer(areq->src, sg_nents(areq->src),
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Tue, 13 Feb 2018 09:26:55 +0100
+Subject: crypto: inside-secure - fix the invalidation step during cra_exit
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit b7007dbccd92f7b8c00e590020bee542a48c6a2c ]
+
+When exiting a transformation, the cra_exit() helper is called in each
+driver providing one. The Inside Secure SafeXcel driver has one, which
+is responsible of freeing some areas and of sending one invalidation
+request to the crypto engine, to invalidate the context that was used
+during the transformation.
+
+We could see in some setups (when lots of transformations were being
+used with a short lifetime, and hence lots of cra_exit() calls) NULL
+pointer dereferences and other weird issues. All these issues were
+coming from accessing the tfm context.
+
+The issue is the invalidation request completion is checked using a
+wait_for_completion_interruptible() call in both the cipher and hash
+cra_exit() helpers. In some cases this was interrupted while the
+invalidation request wasn't processed yet. And then cra_exit() returned,
+and its caller was freeing the tfm instance. Only then the request was
+being handled by the SafeXcel driver, which lead to the said issues.
+
+This patch fixes this by using wait_for_completion() calls in these
+specific cases.
+
+Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel_cipher.c | 2 +-
+ drivers/crypto/inside-secure/safexcel_hash.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/inside-secure/safexcel_cipher.c
++++ b/drivers/crypto/inside-secure/safexcel_cipher.c
+@@ -456,7 +456,7 @@ static int safexcel_cipher_exit_inv(stru
+ queue_work(priv->ring[ring].workqueue,
+ &priv->ring[ring].work_data.work);
+
+- wait_for_completion_interruptible(&result.completion);
++ wait_for_completion(&result.completion);
+
+ if (result.error) {
+ dev_warn(priv->dev,
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -496,7 +496,7 @@ static int safexcel_ahash_exit_inv(struc
+ queue_work(priv->ring[ring].workqueue,
+ &priv->ring[ring].work_data.work);
+
+- wait_for_completion_interruptible(&result.completion);
++ wait_for_completion(&result.completion);
+
+ if (result.error) {
+ dev_warn(priv->dev, "hash: completion error (%d)\n",
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Mon, 19 Mar 2018 09:21:13 +0100
+Subject: crypto: inside-secure - move the digest to the request context
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit b869648c060fbb00bf6578d13cbe83e6f85914bc ]
+
+This patches moves the digest information from the transformation
+context to the request context. This fixes cases where HMAC init
+functions were called and override the digest value for a short period
+of time, as the HMAC init functions call the SHA init one which reset
+the value. This lead to a small percentage of HMAC being incorrectly
+computed under heavy load.
+
+Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
+Suggested-by: Ofer Heifetz <oferh@marvell.com>
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+[Ofer here did all the work, from seeing the issue to understanding the
+root cause. I only made the patch.]
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel_hash.c | 30 ++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -21,7 +21,6 @@ struct safexcel_ahash_ctx {
+ struct safexcel_crypto_priv *priv;
+
+ u32 alg;
+- u32 digest;
+
+ u32 ipad[SHA1_DIGEST_SIZE / sizeof(u32)];
+ u32 opad[SHA1_DIGEST_SIZE / sizeof(u32)];
+@@ -35,6 +34,8 @@ struct safexcel_ahash_req {
+
+ int nents;
+
++ u32 digest;
++
+ u8 state_sz; /* expected sate size, only set once */
+ u32 state[SHA256_DIGEST_SIZE / sizeof(u32)] __aligned(sizeof(u32));
+
+@@ -49,6 +50,8 @@ struct safexcel_ahash_export_state {
+ u64 len;
+ u64 processed;
+
++ u32 digest;
++
+ u32 state[SHA256_DIGEST_SIZE / sizeof(u32)];
+ u8 cache[SHA256_BLOCK_SIZE];
+ };
+@@ -82,9 +85,9 @@ static void safexcel_context_control(str
+
+ cdesc->control_data.control0 |= CONTEXT_CONTROL_TYPE_HASH_OUT;
+ cdesc->control_data.control0 |= ctx->alg;
+- cdesc->control_data.control0 |= ctx->digest;
++ cdesc->control_data.control0 |= req->digest;
+
+- if (ctx->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED) {
++ if (req->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED) {
+ if (req->processed) {
+ if (ctx->alg == CONTEXT_CONTROL_CRYPTO_ALG_SHA1)
+ cdesc->control_data.control0 |= CONTEXT_CONTROL_SIZE(6);
+@@ -112,7 +115,7 @@ static void safexcel_context_control(str
+ if (req->finish)
+ ctx->base.ctxr->data[i] = cpu_to_le32(req->processed / blocksize);
+ }
+- } else if (ctx->digest == CONTEXT_CONTROL_DIGEST_HMAC) {
++ } else if (req->digest == CONTEXT_CONTROL_DIGEST_HMAC) {
+ cdesc->control_data.control0 |= CONTEXT_CONTROL_SIZE(10);
+
+ memcpy(ctx->base.ctxr->data, ctx->ipad, digestsize);
+@@ -550,7 +553,7 @@ static int safexcel_ahash_enqueue(struct
+ if (ctx->base.ctxr) {
+ if (priv->version == EIP197 &&
+ !ctx->base.needs_inv && req->processed &&
+- ctx->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED)
++ req->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED)
+ /* We're still setting needs_inv here, even though it is
+ * cleared right away, because the needs_inv flag can be
+ * set in other functions and we want to keep the same
+@@ -585,7 +588,6 @@ static int safexcel_ahash_enqueue(struct
+
+ static int safexcel_ahash_update(struct ahash_request *areq)
+ {
+- struct safexcel_ahash_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(areq));
+ struct safexcel_ahash_req *req = ahash_request_ctx(areq);
+ struct crypto_ahash *ahash = crypto_ahash_reqtfm(areq);
+
+@@ -601,7 +603,7 @@ static int safexcel_ahash_update(struct
+ * We're not doing partial updates when performing an hmac request.
+ * Everything will be handled by the final() call.
+ */
+- if (ctx->digest == CONTEXT_CONTROL_DIGEST_HMAC)
++ if (req->digest == CONTEXT_CONTROL_DIGEST_HMAC)
+ return 0;
+
+ if (req->hmac)
+@@ -660,6 +662,8 @@ static int safexcel_ahash_export(struct
+ export->len = req->len;
+ export->processed = req->processed;
+
++ export->digest = req->digest;
++
+ memcpy(export->state, req->state, req->state_sz);
+ memcpy(export->cache, req->cache, crypto_ahash_blocksize(ahash));
+
+@@ -680,6 +684,8 @@ static int safexcel_ahash_import(struct
+ req->len = export->len;
+ req->processed = export->processed;
+
++ req->digest = export->digest;
++
+ memcpy(req->cache, export->cache, crypto_ahash_blocksize(ahash));
+ memcpy(req->state, export->state, req->state_sz);
+
+@@ -716,7 +722,7 @@ static int safexcel_sha1_init(struct aha
+ req->state[4] = SHA1_H4;
+
+ ctx->alg = CONTEXT_CONTROL_CRYPTO_ALG_SHA1;
+- ctx->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED;
++ req->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED;
+ req->state_sz = SHA1_DIGEST_SIZE;
+
+ return 0;
+@@ -783,10 +789,10 @@ struct safexcel_alg_template safexcel_al
+
+ static int safexcel_hmac_sha1_init(struct ahash_request *areq)
+ {
+- struct safexcel_ahash_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(areq));
++ struct safexcel_ahash_req *req = ahash_request_ctx(areq);
+
+ safexcel_sha1_init(areq);
+- ctx->digest = CONTEXT_CONTROL_DIGEST_HMAC;
++ req->digest = CONTEXT_CONTROL_DIGEST_HMAC;
+ return 0;
+ }
+
+@@ -1024,7 +1030,7 @@ static int safexcel_sha256_init(struct a
+ req->state[7] = SHA256_H7;
+
+ ctx->alg = CONTEXT_CONTROL_CRYPTO_ALG_SHA256;
+- ctx->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED;
++ req->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED;
+ req->state_sz = SHA256_DIGEST_SIZE;
+
+ return 0;
+@@ -1086,7 +1092,7 @@ static int safexcel_sha224_init(struct a
+ req->state[7] = SHA224_H7;
+
+ ctx->alg = CONTEXT_CONTROL_CRYPTO_ALG_SHA224;
+- ctx->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED;
++ req->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED;
+ req->state_sz = SHA256_DIGEST_SIZE;
+
+ return 0;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Mon, 26 Feb 2018 14:45:12 +0100
+Subject: crypto: inside-secure - wait for the request to complete if in the backlog
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit 4dc5475ae0375ea4f9283dfd9b2ddc91b20d4c4b ]
+
+This patch updates the safexcel_hmac_init_pad() function to also wait
+for completion when the digest return code is -EBUSY, as it would mean
+the request is in the backlog to be processed later.
+
+Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
+Suggested-by: Ofer Heifetz <oferh@marvell.com>
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel_hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -845,7 +845,7 @@ static int safexcel_hmac_init_pad(struct
+ init_completion(&result.completion);
+
+ ret = crypto_ahash_digest(areq);
+- if (ret == -EINPROGRESS) {
++ if (ret == -EINPROGRESS || ret == -EBUSY) {
+ wait_for_completion_interruptible(&result.completion);
+ ret = result.error;
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Peter Robinson <pbrobinson@gmail.com>
+Date: Sun, 11 Feb 2018 23:15:37 +0000
+Subject: crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss
+
+From: Peter Robinson <pbrobinson@gmail.com>
+
+[ Upstream commit 7c73cf4cc2ac16465f5102437dc0a12d66671bd6 ]
+
+The MODULE_ALIAS is required to enable the sun4i-ss driver to load
+automatically when built at a module. Tested on a Cubietruck.
+
+Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
+Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/sunxi-ss/sun4i-ss-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/sunxi-ss/sun4i-ss-core.c
++++ b/drivers/crypto/sunxi-ss/sun4i-ss-core.c
+@@ -451,6 +451,7 @@ static struct platform_driver sun4i_ss_d
+
+ module_platform_driver(sun4i_ss_driver);
+
++MODULE_ALIAS("platform:sun4i-ss");
+ MODULE_DESCRIPTION("Allwinner Security System cryptographic accelerator");
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Corentin LABBE <clabbe.montjoie@gmail.com>");
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Arjun Vynipadath <arjun@chelsio.com>
+Date: Thu, 15 Mar 2018 17:34:14 +0530
+Subject: cxgb4: Fix queue free path of ULD drivers
+
+From: Arjun Vynipadath <arjun@chelsio.com>
+
+[ Upstream commit d7cb44496a9bb458632cb3c18acb08949c210448 ]
+
+Setting sge_uld_rxq_info to NULL in free_queues_uld().
+We are referencing sge_uld_rxq_info in cxgb_up(). This
+will fix a panic when interface is brought up after a
+ULDq creation failure.
+
+Fixes: 94cdb8bb993a (cxgb4: Add support for dynamic allocation
+ of resources for ULD)
+Signed-off-by: Arjun Vynipadath <arjun@chelsio.com>
+Signed-off-by: Casey Leedom <leedom@chelsio.com>
+Signed-off-by: Ganesh Goudhar <ganeshgr@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
+@@ -342,6 +342,7 @@ static void free_queues_uld(struct adapt
+ {
+ struct sge_uld_rxq_info *rxq_info = adap->sge.uld_rxq_info[uld_type];
+
++ adap->sge.uld_rxq_info[uld_type] = NULL;
+ kfree(rxq_info->rspq_id);
+ kfree(rxq_info->uldrxq);
+ kfree(rxq_info);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Arjun Vynipadath <arjun@chelsio.com>
+Date: Fri, 23 Mar 2018 15:25:10 +0530
+Subject: cxgb4: Setup FW queues before registering netdev
+
+From: Arjun Vynipadath <arjun@chelsio.com>
+
+[ Upstream commit 843bd7db79c861b49e2912d723625f5fa8e94502 ]
+
+When NetworkManager is enabled, there are chances that interface up
+is called even before probe completes. This means we have not yet
+allocated the FW sge queues, hence rest of ingress queue allocation
+wont be proper. Fix this by calling setup_fw_sge_queues() before
+register_netdev().
+
+Fixes: 0fbc81b3ad51 ('chcr/cxgb4i/cxgbit/RDMA/cxgb4: Allocate resources dynamically for all cxgb4 ULD's')
+Signed-off-by: Arjun Vynipadath <arjun@chelsio.com>
+Signed-off-by: Casey Leedom <leedom@chelsio.com>
+Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -833,8 +833,6 @@ static int setup_fw_sge_queues(struct ad
+
+ err = t4_sge_alloc_rxq(adap, &s->fw_evtq, true, adap->port[0],
+ adap->msi_idx, NULL, fwevtq_handler, NULL, -1);
+- if (err)
+- t4_free_sge_resources(adap);
+ return err;
+ }
+
+@@ -5474,6 +5472,13 @@ static int init_one(struct pci_dev *pdev
+ if (err)
+ goto out_free_dev;
+
++ err = setup_fw_sge_queues(adapter);
++ if (err) {
++ dev_err(adapter->pdev_dev,
++ "FW sge queue allocation failed, err %d", err);
++ goto out_free_dev;
++ }
++
+ /*
+ * The card is now ready to go. If any errors occur during device
+ * registration we do not fail the whole card but rather proceed only
+@@ -5522,10 +5527,10 @@ static int init_one(struct pci_dev *pdev
+ cxgb4_ptp_init(adapter);
+
+ print_adapter_info(adapter);
+- setup_fw_sge_queues(adapter);
+ return 0;
+
+ out_free_dev:
++ t4_free_sge_resources(adapter);
+ free_some_resources(adapter);
+ if (adapter->flags & USING_MSIX)
+ free_msix_info(adapter);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Date: Thu, 15 Feb 2018 21:19:24 +0530
+Subject: cxl: Check if PSL data-cache is available before issue flush request
+
+From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+
+[ Upstream commit 94322ed8e857e3b2a33cf75118051af9baaa110f ]
+
+PSL9D doesn't have a data-cache that needs to be flushed before
+resetting the card. However when cxl tries to flush data-cache on such
+a card, it times-out as PSL_Control register never indicates flush
+operation complete due to missing data-cache. This is usually
+indicated in the kernel logs with this message:
+
+"WARNING: cache flush timed out"
+
+To fix this the patch checks PSL_Debug register CDC-Field(BIT:27)
+which indicates the absence of a data-cache and sets a flag
+'no_data_cache' in 'struct cxl_native' to indicate this. When
+cxl_data_cache_flush() is called it checks the flag and if set bails
+out early without requesting a data-cache flush operation to the PSL.
+
+Signed-off-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Acked-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Acked-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/cxl/cxl.h | 4 ++++
+ drivers/misc/cxl/native.c | 11 ++++++++++-
+ drivers/misc/cxl/pci.c | 19 +++++++++++++------
+ 3 files changed, 27 insertions(+), 7 deletions(-)
+
+--- a/drivers/misc/cxl/cxl.h
++++ b/drivers/misc/cxl/cxl.h
+@@ -369,6 +369,9 @@ static const cxl_p2n_reg_t CXL_PSL_WED_A
+ #define CXL_PSL_TFC_An_AE (1ull << (63-30)) /* Restart PSL with address error */
+ #define CXL_PSL_TFC_An_R (1ull << (63-31)) /* Restart PSL transaction */
+
++/****** CXL_PSL_DEBUG *****************************************************/
++#define CXL_PSL_DEBUG_CDC (1ull << (63-27)) /* Coherent Data cache support */
++
+ /****** CXL_XSL9_IERAT_ERAT - CAIA 2 **********************************/
+ #define CXL_XSL9_IERAT_MLPID (1ull << (63-0)) /* Match LPID */
+ #define CXL_XSL9_IERAT_MPID (1ull << (63-1)) /* Match PID */
+@@ -669,6 +672,7 @@ struct cxl_native {
+ irq_hw_number_t err_hwirq;
+ unsigned int err_virq;
+ u64 ps_off;
++ bool no_data_cache; /* set if no data cache on the card */
+ const struct cxl_service_layer_ops *sl_ops;
+ };
+
+--- a/drivers/misc/cxl/native.c
++++ b/drivers/misc/cxl/native.c
+@@ -353,8 +353,17 @@ int cxl_data_cache_flush(struct cxl *ada
+ u64 reg;
+ unsigned long timeout = jiffies + (HZ * CXL_TIMEOUT);
+
+- pr_devel("Flushing data cache\n");
++ /*
++ * Do a datacache flush only if datacache is available.
++ * In case of PSL9D datacache absent hence flush operation.
++ * would timeout.
++ */
++ if (adapter->native->no_data_cache) {
++ pr_devel("No PSL data cache. Ignoring cache flush req.\n");
++ return 0;
++ }
+
++ pr_devel("Flushing data cache\n");
+ reg = cxl_p1_read(adapter, CXL_PSL_Control);
+ reg |= CXL_PSL_Control_Fr;
+ cxl_p1_write(adapter, CXL_PSL_Control, reg);
+--- a/drivers/misc/cxl/pci.c
++++ b/drivers/misc/cxl/pci.c
+@@ -456,6 +456,7 @@ static int init_implementation_adapter_r
+ u64 chipid;
+ u32 phb_index;
+ u64 capp_unit_id;
++ u64 psl_debug;
+ int rc;
+
+ rc = cxl_calc_capp_routing(dev, &chipid, &phb_index, &capp_unit_id);
+@@ -506,6 +507,16 @@ static int init_implementation_adapter_r
+ } else
+ cxl_p1_write(adapter, CXL_PSL9_DEBUG, 0x4000000000000000ULL);
+
++ /*
++ * Check if PSL has data-cache. We need to flush adapter datacache
++ * when as its about to be removed.
++ */
++ psl_debug = cxl_p1_read(adapter, CXL_PSL9_DEBUG);
++ if (psl_debug & CXL_PSL_DEBUG_CDC) {
++ dev_dbg(&dev->dev, "No data-cache present\n");
++ adapter->native->no_data_cache = true;
++ }
++
+ return 0;
+ }
+
+@@ -1449,10 +1460,8 @@ int cxl_pci_reset(struct cxl *adapter)
+
+ /*
+ * The adapter is about to be reset, so ignore errors.
+- * Not supported on P9 DD1
+ */
+- if ((cxl_is_power8()) || (!(cxl_is_power9_dd1())))
+- cxl_data_cache_flush(adapter);
++ cxl_data_cache_flush(adapter);
+
+ /* pcie_warm_reset requests a fundamental pci reset which includes a
+ * PERST assert/deassert. PERST triggers a loading of the image
+@@ -1936,10 +1945,8 @@ static void cxl_pci_remove_adapter(struc
+
+ /*
+ * Flush adapter datacache as its about to be removed.
+- * Not supported on P9 DD1.
+ */
+- if ((cxl_is_power8()) || (!(cxl_is_power9_dd1())))
+- cxl_data_cache_flush(adapter);
++ cxl_data_cache_flush(adapter);
+
+ cxl_deconfigure_adapter(adapter);
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Apr 2018 13:42:41 -0700
+Subject: dccp: initialize ireq->ir_mark
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b855ff827476adbdc2259e9895681d82b7b26065 ]
+
+syzbot reported an uninit-value read of skb->mark in iptable_mangle_hook()
+
+Thanks to the nice report, I tracked the problem to dccp not caring
+of ireq->ir_mark for passive sessions.
+
+BUG: KMSAN: uninit-value in ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline]
+BUG: KMSAN: uninit-value in iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84
+CPU: 0 PID: 5300 Comm: syz-executor3 Not tainted 4.16.0+ #81
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline]
+ iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84
+ nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
+ nf_hook_slow+0x158/0x3d0 net/netfilter/core.c:483
+ nf_hook include/linux/netfilter.h:243 [inline]
+ __ip_local_out net/ipv4/ip_output.c:113 [inline]
+ ip_local_out net/ipv4/ip_output.c:122 [inline]
+ ip_queue_xmit+0x1d21/0x21c0 net/ipv4/ip_output.c:504
+ dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142
+ dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281
+ dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363
+ dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818
+ inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmsg net/socket.c:2080 [inline]
+ SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
+ SyS_sendmsg+0x54/0x80 net/socket.c:2087
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x455259
+RSP: 002b:00007f1a4473dc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f1a4473e6d4 RCX: 0000000000455259
+RDX: 0000000000000000 RSI: 0000000020b76fc8 RDI: 0000000000000015
+RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000004f0 R14: 00000000006fa720 R15: 0000000000000000
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
+ __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
+ ip_queue_xmit+0x1e35/0x21c0 net/ipv4/ip_output.c:502
+ dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142
+ dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281
+ dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363
+ dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818
+ inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmsg net/socket.c:2080 [inline]
+ SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
+ SyS_sendmsg+0x54/0x80 net/socket.c:2087
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
+ __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
+ inet_csk_clone_lock+0x503/0x580 net/ipv4/inet_connection_sock.c:797
+ dccp_create_openreq_child+0x7f/0x890 net/dccp/minisocks.c:92
+ dccp_v4_request_recv_sock+0x22c/0xe90 net/dccp/ipv4.c:408
+ dccp_v6_request_recv_sock+0x290/0x2000 net/dccp/ipv6.c:414
+ dccp_check_req+0x7b9/0x8f0 net/dccp/minisocks.c:197
+ dccp_v4_rcv+0x12e4/0x2630 net/dccp/ipv4.c:840
+ ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
+ dst_input include/net/dst.h:449 [inline]
+ ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
+ __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
+ __netif_receive_skb net/core/dev.c:4627 [inline]
+ process_backlog+0x62d/0xe20 net/core/dev.c:5307
+ napi_poll net/core/dev.c:5705 [inline]
+ net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
+ __do_softirq+0x56d/0x93d kernel/softirq.c:285
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
+ reqsk_alloc include/net/request_sock.h:88 [inline]
+ inet_reqsk_alloc+0xc4/0x7f0 net/ipv4/tcp_input.c:6145
+ dccp_v4_conn_request+0x5cc/0x1770 net/dccp/ipv4.c:600
+ dccp_v6_conn_request+0x299/0x1880 net/dccp/ipv6.c:317
+ dccp_rcv_state_process+0x2ea/0x2410 net/dccp/input.c:612
+ dccp_v4_do_rcv+0x229/0x340 net/dccp/ipv4.c:682
+ dccp_v6_do_rcv+0x16d/0x1220 net/dccp/ipv6.c:578
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __sk_receive_skb+0x60e/0xf20 net/core/sock.c:513
+ dccp_v4_rcv+0x24d4/0x2630 net/dccp/ipv4.c:874
+ ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
+ dst_input include/net/dst.h:449 [inline]
+ ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
+ __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
+ __netif_receive_skb net/core/dev.c:4627 [inline]
+ process_backlog+0x62d/0xe20 net/core/dev.c:5307
+ napi_poll net/core/dev.c:5705 [inline]
+ net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
+ __do_softirq+0x56d/0x93d kernel/softirq.c:285
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/ipv4.c | 1 +
+ net/dccp/ipv6.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -614,6 +614,7 @@ int dccp_v4_conn_request(struct sock *sk
+ ireq = inet_rsk(req);
+ sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr);
+ sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr);
++ ireq->ir_mark = inet_request_mark(sk, skb);
+ ireq->ireq_family = AF_INET;
+ ireq->ir_iif = sk->sk_bound_dev_if;
+
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -351,6 +351,7 @@ static int dccp_v6_conn_request(struct s
+ ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
+ ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
+ ireq->ireq_family = AF_INET6;
++ ireq->ir_mark = inet_request_mark(sk, skb);
+
+ if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) ||
+ np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Qi Hou <qi.hou@windriver.com>
+Date: Tue, 6 Mar 2018 09:13:37 +0800
+Subject: dmaengine: pl330: fix a race condition in case of threaded irqs
+
+From: Qi Hou <qi.hou@windriver.com>
+
+[ Upstream commit a3ca831249ca8c4c226e4ceafee04e280152e59d ]
+
+When booting up with "threadirqs" in command line, all irq handlers of the DMA
+controller pl330 will be threaded forcedly. These threads will race for the same
+list, pl330->req_done.
+
+Before the callback, the spinlock was released. And after it, the spinlock was
+taken. This opened an race window where another threaded irq handler could steal
+the spinlock and be permitted to delete entries of the list, pl330->req_done.
+
+If the later deleted an entry that was still referred to by the former, there would
+be a kernel panic when the former was scheduled and tried to get the next sibling
+of the deleted entry.
+
+The scenario could be depicted as below:
+
+ Thread: T1 pl330->req_done Thread: T2
+ | | |
+ | -A-B-C-D- |
+ Locked | |
+ | | Waiting
+ Del A | |
+ | -B-C-D- |
+ Unlocked | |
+ | | Locked
+ Waiting | |
+ | | Del B
+ | | |
+ | -C-D- Unlocked
+ Waiting | |
+ |
+ Locked
+ |
+ get C via B
+ \
+ - Kernel panic
+
+The kernel panic looked like as below:
+
+Unable to handle kernel paging request at virtual address dead000000000108
+pgd = ffffff8008c9e000
+[dead000000000108] *pgd=000000027fffe003, *pud=000000027fffe003, *pmd=0000000000000000
+Internal error: Oops: 96000044 [#1] PREEMPT SMP
+Modules linked in:
+CPU: 0 PID: 85 Comm: irq/59-66330000 Not tainted 4.8.24-WR9.0.0.12_standard #2
+Hardware name: Broadcom NS2 SVK (DT)
+task: ffffffc1f5cc3c00 task.stack: ffffffc1f5ce0000
+PC is at pl330_irq_handler+0x27c/0x390
+LR is at pl330_irq_handler+0x2a8/0x390
+pc : [<ffffff80084cb694>] lr : [<ffffff80084cb6c0>] pstate: 800001c5
+sp : ffffffc1f5ce3d00
+x29: ffffffc1f5ce3d00 x28: 0000000000000140
+x27: ffffffc1f5c530b0 x26: dead000000000100
+x25: dead000000000200 x24: 0000000000418958
+x23: 0000000000000001 x22: ffffffc1f5ccd668
+x21: ffffffc1f5ccd590 x20: ffffffc1f5ccd418
+x19: dead000000000060 x18: 0000000000000001
+x17: 0000000000000007 x16: 0000000000000001
+x15: ffffffffffffffff x14: ffffffffffffffff
+x13: ffffffffffffffff x12: 0000000000000000
+x11: 0000000000000001 x10: 0000000000000840
+x9 : ffffffc1f5ce0000 x8 : ffffffc1f5cc3338
+x7 : ffffff8008ce2020 x6 : 0000000000000000
+x5 : 0000000000000000 x4 : 0000000000000001
+x3 : dead000000000200 x2 : dead000000000100
+x1 : 0000000000000140 x0 : ffffffc1f5ccd590
+
+Process irq/59-66330000 (pid: 85, stack limit = 0xffffffc1f5ce0020)
+Stack: (0xffffffc1f5ce3d00 to 0xffffffc1f5ce4000)
+3d00: ffffffc1f5ce3d80 ffffff80080f09d0 ffffffc1f5ca0c00 ffffffc1f6f7c600
+3d20: ffffffc1f5ce0000 ffffffc1f6f7c600 ffffffc1f5ca0c00 ffffff80080f0998
+3d40: ffffffc1f5ce0000 ffffff80080f0000 0000000000000000 0000000000000000
+3d60: ffffff8008ce202c ffffff8008ce2020 ffffffc1f5ccd668 ffffffc1f5c530b0
+3d80: ffffffc1f5ce3db0 ffffff80080f0d70 ffffffc1f5ca0c40 0000000000000001
+3da0: ffffffc1f5ce0000 ffffff80080f0cfc ffffffc1f5ce3e20 ffffff80080bf4f8
+3dc0: ffffffc1f5ca0c80 ffffff8008bf3798 ffffff8008955528 ffffffc1f5ca0c00
+3de0: ffffff80080f0c30 0000000000000000 0000000000000000 0000000000000000
+3e00: 0000000000000000 0000000000000000 0000000000000000 ffffff80080f0b68
+3e20: 0000000000000000 ffffff8008083690 ffffff80080bf420 ffffffc1f5ca0c80
+3e40: 0000000000000000 0000000000000000 0000000000000000 ffffff80080cb648
+3e60: ffffff8008b1c780 0000000000000000 0000000000000000 ffffffc1f5ca0c00
+3e80: ffffffc100000000 ffffff8000000000 ffffffc1f5ce3e90 ffffffc1f5ce3e90
+3ea0: 0000000000000000 ffffff8000000000 ffffffc1f5ce3eb0 ffffffc1f5ce3eb0
+3ec0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+3ee0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+3f00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+3f20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+3f40: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+3f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+3f80: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+3fa0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+3fc0: 0000000000000000 0000000000000005 0000000000000000 0000000000000000
+3fe0: 0000000000000000 0000000000000000 0000000275ce3ff0 0000000275ce3ff8
+Call trace:
+Exception stack(0xffffffc1f5ce3b30 to 0xffffffc1f5ce3c60)
+3b20: dead000000000060 0000008000000000
+3b40: ffffffc1f5ce3d00 ffffff80084cb694 0000000000000008 0000000000000e88
+3b60: ffffffc1f5ce3bb0 ffffff80080dac68 ffffffc1f5ce3b90 ffffff8008826fe4
+3b80: 00000000000001c0 00000000000001c0 ffffffc1f5ce3bb0 ffffff800848dfcc
+3ba0: 0000000000020000 ffffff8008b15ae4 ffffffc1f5ce3c00 ffffff800808f000
+3bc0: 0000000000000010 ffffff80088377f0 ffffffc1f5ccd590 0000000000000140
+3be0: dead000000000100 dead000000000200 0000000000000001 0000000000000000
+3c00: 0000000000000000 ffffff8008ce2020 ffffffc1f5cc3338 ffffffc1f5ce0000
+3c20: 0000000000000840 0000000000000001 0000000000000000 ffffffffffffffff
+3c40: ffffffffffffffff ffffffffffffffff 0000000000000001 0000000000000007
+[<ffffff80084cb694>] pl330_irq_handler+0x27c/0x390
+[<ffffff80080f09d0>] irq_forced_thread_fn+0x38/0x88
+[<ffffff80080f0d70>] irq_thread+0x140/0x200
+[<ffffff80080bf4f8>] kthread+0xd8/0xf0
+[<ffffff8008083690>] ret_from_fork+0x10/0x40
+Code: f2a00838 f9405763 aa1c03e1 aa1503e0 (f9000443)
+---[ end trace f50005726d31199c ]---
+Kernel panic - not syncing: Fatal exception in interrupt
+SMP: stopping secondary CPUs
+SMP: failed to stop secondary CPUs 0-1
+Kernel Offset: disabled
+Memory Limit: none
+---[ end Kernel panic - not syncing: Fatal exception in interrupt
+
+To fix this, re-start with the list-head after dropping the lock then
+re-takeing it.
+
+Reviewed-by: Frank Mori Hess <fmh6jj@gmail.com>
+Tested-by: Frank Mori Hess <fmh6jj@gmail.com>
+Signed-off-by: Qi Hou <qi.hou@windriver.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/pl330.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -1510,7 +1510,7 @@ static void pl330_dotask(unsigned long d
+ /* Returns 1 if state was updated, 0 otherwise */
+ static int pl330_update(struct pl330_dmac *pl330)
+ {
+- struct dma_pl330_desc *descdone, *tmp;
++ struct dma_pl330_desc *descdone;
+ unsigned long flags;
+ void __iomem *regs;
+ u32 val;
+@@ -1588,7 +1588,9 @@ static int pl330_update(struct pl330_dma
+ }
+
+ /* Now that we are in no hurry, do the callbacks */
+- list_for_each_entry_safe(descdone, tmp, &pl330->req_done, rqd) {
++ while (!list_empty(&pl330->req_done)) {
++ descdone = list_first_entry(&pl330->req_done,
++ struct dma_pl330_desc, rqd);
+ list_del(&descdone->rqd);
+ spin_unlock_irqrestore(&pl330->lock, flags);
+ dma_pl330_rqcb(descdone, PL330_ERR_NONE);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Thu, 15 Feb 2018 12:25:09 +0000
+Subject: dmaengine: qcom: bam_dma: get num-channels and num-ees from dt
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 ]
+
+When Linux is master of BAM, it can directly read registers to know number
+of supported channels, however when its remotely controlled reading these
+registers would trigger a crash if the BAM is not yet initialized or
+powered up on the remote side.
+
+This patch allows driver to read num-channels and num-ees from Device Tree
+for remotely controlled BAM.
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/qcom/bam_dma.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/drivers/dma/qcom/bam_dma.c
++++ b/drivers/dma/qcom/bam_dma.c
+@@ -393,6 +393,7 @@ struct bam_device {
+ struct device_dma_parameters dma_parms;
+ struct bam_chan *channels;
+ u32 num_channels;
++ u32 num_ees;
+
+ /* execution environment ID, from DT */
+ u32 ee;
+@@ -1128,15 +1129,19 @@ static int bam_init(struct bam_device *b
+ u32 val;
+
+ /* read revision and configuration information */
+- val = readl_relaxed(bam_addr(bdev, 0, BAM_REVISION)) >> NUM_EES_SHIFT;
+- val &= NUM_EES_MASK;
++ if (!bdev->num_ees) {
++ val = readl_relaxed(bam_addr(bdev, 0, BAM_REVISION));
++ bdev->num_ees = (val >> NUM_EES_SHIFT) & NUM_EES_MASK;
++ }
+
+ /* check that configured EE is within range */
+- if (bdev->ee >= val)
++ if (bdev->ee >= bdev->num_ees)
+ return -EINVAL;
+
+- val = readl_relaxed(bam_addr(bdev, 0, BAM_NUM_PIPES));
+- bdev->num_channels = val & BAM_NUM_PIPES_MASK;
++ if (!bdev->num_channels) {
++ val = readl_relaxed(bam_addr(bdev, 0, BAM_NUM_PIPES));
++ bdev->num_channels = val & BAM_NUM_PIPES_MASK;
++ }
+
+ if (bdev->controlled_remotely)
+ return 0;
+@@ -1232,6 +1237,18 @@ static int bam_dma_probe(struct platform
+ bdev->controlled_remotely = of_property_read_bool(pdev->dev.of_node,
+ "qcom,controlled-remotely");
+
++ if (bdev->controlled_remotely) {
++ ret = of_property_read_u32(pdev->dev.of_node, "num-channels",
++ &bdev->num_channels);
++ if (ret)
++ dev_err(bdev->dev, "num-channels unspecified in dt\n");
++
++ ret = of_property_read_u32(pdev->dev.of_node, "qcom,num-ees",
++ &bdev->num_ees);
++ if (ret)
++ dev_err(bdev->dev, "num-ees unspecified in dt\n");
++ }
++
+ bdev->bamclk = devm_clk_get(bdev->dev, "bam_clk");
+ if (IS_ERR(bdev->bamclk))
+ return PTR_ERR(bdev->bamclk);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Fri, 2 Feb 2018 19:05:15 +0900
+Subject: dmaengine: rcar-dmac: Check the done lists in rcar_dmac_chan_get_residue()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit 3e081628d510b2ddbe493371d9c574d9275da17e ]
+
+This patch fixes an issue that a race condition happens between a client
+driver and the rcar-dmac driver:
+
+- The rcar_dmac_isr_transfer_end() is called.
+ - The done list appears, and desc.running is the next active list.
+- rcar_dmac_chan_get_residue() is called by a client driver before
+ rcar_dmac_isr_channel_thread() is called.
+ - The rcar_dmac_chan_get_residue() will not find any descriptors.
+ - And, the following WARNING happens:
+ WARN(1, "No descriptor for cookie!");
+
+The sh-sci driver with HSCIF (921,600bps) on R-Car H3 can cause this
+situation.
+So, this patch checks the done lists in rcar_dmac_chan_get_residue()
+and returns zero if the done lists has the argument cookie.
+
+Tested-by: Nguyen Viet Dung <dung.nguyen.aj@renesas.com>
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/sh/rcar-dmac.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/dma/sh/rcar-dmac.c
++++ b/drivers/dma/sh/rcar-dmac.c
+@@ -1301,8 +1301,17 @@ static unsigned int rcar_dmac_chan_get_r
+ * If the cookie doesn't correspond to the currently running transfer
+ * then the descriptor hasn't been processed yet, and the residue is
+ * equal to the full descriptor size.
++ * Also, a client driver is possible to call this function before
++ * rcar_dmac_isr_channel_thread() runs. In this case, the "desc.running"
++ * will be the next descriptor, and the done list will appear. So, if
++ * the argument cookie matches the done list's cookie, we can assume
++ * the residue is zero.
+ */
+ if (cookie != desc->async_tx.cookie) {
++ list_for_each_entry(desc, &chan->desc.done, node) {
++ if (cookie == desc->async_tx.cookie)
++ return 0;
++ }
+ list_for_each_entry(desc, &chan->desc.pending, node) {
+ if (cookie == desc->async_tx.cookie)
+ return desc->size;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Thu, 29 Mar 2018 18:53:32 +0200
+Subject: dmaengine: rcar-dmac: Fix too early/late system suspend/resume callbacks
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 73dcc666d6bd0db56cd556010f93d8f04c1cc70c ]
+
+If serial console wake-up is enabled ("echo enabled >
+/sys/.../ttySC0/power/wakeup"), and any serial input is received while
+the system is suspended, serial port input no longer works after system
+resume.
+
+Note that:
+ 1) The system can still be woken up using the serial console,
+ 2) Serial port input keeps working if the system is woken up in some
+ other way (e.g. Wake-on-LAN or gpio-keys), and no serial input was
+ received while suspended.
+
+To fix this, replace SET_LATE_SYSTEM_SLEEP_PM_OPS() by
+SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(), as the callbacks installed by the
+former happen too early resp. late in the suspend resp. resume process.
+
+Reported-by: RVC test team via Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Fixes: 1131b0a4af911de5 ("dmaengine: rcar-dmac: Make DMAC reinit during system resume explicit")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/sh/rcar-dmac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/sh/rcar-dmac.c
++++ b/drivers/dma/sh/rcar-dmac.c
+@@ -1677,8 +1677,8 @@ static const struct dev_pm_ops rcar_dmac
+ * - Wait for the current transfer to complete and stop the device,
+ * - Resume transfers, if any.
+ */
+- SET_LATE_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend,
+- pm_runtime_force_resume)
++ SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend,
++ pm_runtime_force_resume)
+ SET_RUNTIME_PM_OPS(rcar_dmac_runtime_suspend, rcar_dmac_runtime_resume,
+ NULL)
+ };
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Esben Haabendal <eha@deif.com>
+Date: Sun, 8 Apr 2018 22:17:01 +0200
+Subject: dp83640: Ensure against premature access to PHY registers after reset
+
+From: Esben Haabendal <eha@deif.com>
+
+[ Upstream commit 76327a35caabd1a932e83d6a42b967aa08584e5d ]
+
+The datasheet specifies a 3uS pause after performing a software
+reset. The default implementation of genphy_soft_reset() does not
+provide this, so implement soft_reset with the needed pause.
+
+Signed-off-by: Esben Haabendal <eha@deif.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/dp83640.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/net/phy/dp83640.c
++++ b/drivers/net/phy/dp83640.c
+@@ -1207,6 +1207,23 @@ static void dp83640_remove(struct phy_de
+ kfree(dp83640);
+ }
+
++static int dp83640_soft_reset(struct phy_device *phydev)
++{
++ int ret;
++
++ ret = genphy_soft_reset(phydev);
++ if (ret < 0)
++ return ret;
++
++ /* From DP83640 datasheet: "Software driver code must wait 3 us
++ * following a software reset before allowing further serial MII
++ * operations with the DP83640."
++ */
++ udelay(10); /* Taking udelay inaccuracy into account */
++
++ return 0;
++}
++
+ static int dp83640_config_init(struct phy_device *phydev)
+ {
+ struct dp83640_private *dp83640 = phydev->priv;
+@@ -1501,6 +1518,7 @@ static struct phy_driver dp83640_driver
+ .flags = PHY_HAS_INTERRUPT,
+ .probe = dp83640_probe,
+ .remove = dp83640_remove,
++ .soft_reset = dp83640_soft_reset,
+ .config_init = dp83640_config_init,
+ .ack_interrupt = dp83640_ack_interrupt,
+ .config_intr = dp83640_config_intr,
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Jake Moroni <mail@jakemoroni.com>
+Date: Sun, 18 Feb 2018 15:26:04 -0500
+Subject: dpaa_eth: fix pause capability advertisement logic
+
+From: Jake Moroni <mail@jakemoroni.com>
+
+[ Upstream commit 3021efb440d02bf5b952b6d151c7ffee9bdd49fe ]
+
+The ADVERTISED_Asym_Pause bit was being improperly set when both
+rx and tx pause were enabled. When rx and tx are both enabled, only
+the ADVERTISED_Pause bit is supposed to be set.
+
+Signed-off-by: Jake Moroni <mail@jakemoroni.com>
+Acked-by: Madalin Bucur <madalin.bucur@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
+@@ -211,7 +211,7 @@ static int dpaa_set_pauseparam(struct ne
+ if (epause->rx_pause)
+ newadv = ADVERTISED_Pause | ADVERTISED_Asym_Pause;
+ if (epause->tx_pause)
+- newadv |= ADVERTISED_Asym_Pause;
++ newadv ^= ADVERTISED_Asym_Pause;
+
+ oldadv = phydev->advertising &
+ (ADVERTISED_Pause | ADVERTISED_Asym_Pause);
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Madalin Bucur <madalin.bucur@nxp.com>
+Date: Mon, 26 Feb 2018 11:24:01 -0600
+Subject: dpaa_eth: fix SG mapping
+
+From: Madalin Bucur <madalin.bucur@nxp.com>
+
+[ Upstream commit 120d75ecf043044554abbba8507f6d22e4715beb ]
+
+An issue in the code mapping the skb fragments into
+scatter-gather frames was evidentiated by netperf
+TCP_SENDFILE tests. The size was set wrong for all
+fragments but the first, affecting the transmission
+of any skb with more than one fragment.
+
+Signed-off-by: Madalin Bucur <madalin.bucur@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+@@ -1916,8 +1916,10 @@ static int skb_to_sg_fd(struct dpaa_priv
+ goto csum_failed;
+ }
+
++ /* SGT[0] is used by the linear part */
+ sgt = (struct qm_sg_entry *)(sgt_buf + priv->tx_headroom);
+- qm_sg_entry_set_len(&sgt[0], skb_headlen(skb));
++ frag_len = skb_headlen(skb);
++ qm_sg_entry_set_len(&sgt[0], frag_len);
+ sgt[0].bpid = FSL_DPAA_BPID_INV;
+ sgt[0].offset = 0;
+ addr = dma_map_single(dev, skb->data,
+@@ -1930,9 +1932,9 @@ static int skb_to_sg_fd(struct dpaa_priv
+ qm_sg_entry_set64(&sgt[0], addr);
+
+ /* populate the rest of SGT entries */
+- frag = &skb_shinfo(skb)->frags[0];
+- frag_len = frag->size;
+- for (i = 1; i <= nr_frags; i++, frag++) {
++ for (i = 0; i < nr_frags; i++) {
++ frag = &skb_shinfo(skb)->frags[i];
++ frag_len = frag->size;
+ WARN_ON(!skb_frag_page(frag));
+ addr = skb_frag_dma_map(dev, frag, 0,
+ frag_len, dma_dir);
+@@ -1942,15 +1944,16 @@ static int skb_to_sg_fd(struct dpaa_priv
+ goto sg_map_failed;
+ }
+
+- qm_sg_entry_set_len(&sgt[i], frag_len);
+- sgt[i].bpid = FSL_DPAA_BPID_INV;
+- sgt[i].offset = 0;
++ qm_sg_entry_set_len(&sgt[i + 1], frag_len);
++ sgt[i + 1].bpid = FSL_DPAA_BPID_INV;
++ sgt[i + 1].offset = 0;
+
+ /* keep the offset in the address */
+- qm_sg_entry_set64(&sgt[i], addr);
+- frag_len = frag->size;
++ qm_sg_entry_set64(&sgt[i + 1], addr);
+ }
+- qm_sg_entry_set_f(&sgt[i - 1], frag_len);
++
++ /* Set the final bit in the last used entry of the SGT */
++ qm_sg_entry_set_f(&sgt[nr_frags], frag_len);
+
+ qm_fd_set_sg(fd, priv->tx_headroom, skb->len);
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Fri, 16 Mar 2018 22:17:28 +0200
+Subject: drivers: macintosh: rack-meter: really fix bogus memsets
+
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+
+[ Upstream commit e283655b5abe26462d53d5196f186c5e8863af3b ]
+
+We should zero an array using sizeof instead of number of elements.
+
+Fixes the following compiler (GCC 7.3.0) warnings:
+
+drivers/macintosh/rack-meter.c: In function 'rackmeter_do_pause':
+drivers/macintosh/rack-meter.c:157:2: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size]
+drivers/macintosh/rack-meter.c:158:2: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size]
+
+Fixes: 4f7bef7a9f69 ("drivers: macintosh: rack-meter: fix bogus memsets")
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/macintosh/rack-meter.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/macintosh/rack-meter.c
++++ b/drivers/macintosh/rack-meter.c
+@@ -154,8 +154,8 @@ static void rackmeter_do_pause(struct ra
+ DBDMA_DO_STOP(rm->dma_regs);
+ return;
+ }
+- memset(rdma->buf1, 0, ARRAY_SIZE(rdma->buf1));
+- memset(rdma->buf2, 0, ARRAY_SIZE(rdma->buf2));
++ memset(rdma->buf1, 0, sizeof(rdma->buf1));
++ memset(rdma->buf2, 0, sizeof(rdma->buf2));
+
+ rm->dma_buf_v->mark = 0;
+
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Tao <xtao@amd.com>
+Date: Thu, 8 Feb 2018 16:04:25 -0500
+Subject: drm/amd/display: Set vsc pack revision when DPCD revision is >= 1.2
+
+From: Tao <xtao@amd.com>
+
+[ Upstream commit 3b94a4007dcfd4ac5780cd3d8a2d99979c966073 ]
+
+Brightness couldn't change when booting up in DC mode.
+It was because "psr_enabled" flag was not set to true before
+setting vsc packet revision, causing packet rev setup was skipped.
+Now instead of checking the psr flag, it checks if the DPCD_REV >= 1.2
+and set the vsc packet revision.
+
+Signed-off-by: Tao <xtao@amd.com>
+Reviewed-by: Tony Cheng <Tony.Cheng@amd.com>
+Acked-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+@@ -35,6 +35,7 @@
+ #include "core_types.h"
+ #include "set_mode_types.h"
+ #include "virtual/virtual_stream_encoder.h"
++#include "dpcd_defs.h"
+
+ #include "dce80/dce80_resource.h"
+ #include "dce100/dce100_resource.h"
+@@ -2428,7 +2429,8 @@ static void set_vsc_info_packet(
+ unsigned int vscPacketRevision = 0;
+ unsigned int i;
+
+- if (stream->sink->link->psr_enabled) {
++ /*VSC packet set to 2 when DP revision >= 1.2*/
++ if (stream->sink->link->dpcd_caps.dpcd_rev.raw >= DPCD_REV_12) {
+ vscPacketRevision = 2;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Monk Liu <Monk.Liu@amd.com>
+Date: Tue, 23 Jan 2018 18:26:20 +0800
+Subject: drm/amdgpu: adjust timeout for ib_ring_tests(v2)
+
+From: Monk Liu <Monk.Liu@amd.com>
+
+[ Upstream commit dbf797655a43c6318ebb90b899e6583fcadc6472 ]
+
+issue:
+sometime GFX/MM ib test hit timeout under SRIOV env, root cause
+is that engine doesn't come back soon enough so the current
+IB test considered as timed out.
+
+fix:
+for SRIOV GFX IB test wait time need to be expanded a lot during
+SRIOV runtimei mode since it couldn't really begin before GFX engine
+come back.
+
+for SRIOV MM IB test it always need more time since MM scheduling
+is not go together with GFX engine, it is controled by h/w MM
+scheduler so no matter runtime or exclusive mode MM IB test
+always need more time.
+
+v2:
+use ring type instead of idx to judge
+
+Signed-off-by: Monk Liu <Monk.Liu@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 33 ++++++++++++++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c
+@@ -321,14 +321,45 @@ int amdgpu_ib_ring_tests(struct amdgpu_d
+ {
+ unsigned i;
+ int r, ret = 0;
++ long tmo_gfx, tmo_mm;
++
++ tmo_mm = tmo_gfx = AMDGPU_IB_TEST_TIMEOUT;
++ if (amdgpu_sriov_vf(adev)) {
++ /* for MM engines in hypervisor side they are not scheduled together
++ * with CP and SDMA engines, so even in exclusive mode MM engine could
++ * still running on other VF thus the IB TEST TIMEOUT for MM engines
++ * under SR-IOV should be set to a long time. 8 sec should be enough
++ * for the MM comes back to this VF.
++ */
++ tmo_mm = 8 * AMDGPU_IB_TEST_TIMEOUT;
++ }
++
++ if (amdgpu_sriov_runtime(adev)) {
++ /* for CP & SDMA engines since they are scheduled together so
++ * need to make the timeout width enough to cover the time
++ * cost waiting for it coming back under RUNTIME only
++ */
++ tmo_gfx = 8 * AMDGPU_IB_TEST_TIMEOUT;
++ }
+
+ for (i = 0; i < AMDGPU_MAX_RINGS; ++i) {
+ struct amdgpu_ring *ring = adev->rings[i];
++ long tmo;
+
+ if (!ring || !ring->ready)
+ continue;
+
+- r = amdgpu_ring_test_ib(ring, AMDGPU_IB_TEST_TIMEOUT);
++ /* MM engine need more time */
++ if (ring->funcs->type == AMDGPU_RING_TYPE_UVD ||
++ ring->funcs->type == AMDGPU_RING_TYPE_VCE ||
++ ring->funcs->type == AMDGPU_RING_TYPE_UVD_ENC ||
++ ring->funcs->type == AMDGPU_RING_TYPE_VCN_DEC ||
++ ring->funcs->type == AMDGPU_RING_TYPE_VCN_ENC)
++ tmo = tmo_mm;
++ else
++ tmo = tmo_gfx;
++
++ r = amdgpu_ring_test_ib(ring, tmo);
+ if (r) {
+ ring->ready = false;
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Emily Deng <Emily.Deng@amd.com>
+Date: Wed, 7 Mar 2018 09:47:43 +0800
+Subject: drm/amdgpu: Clean sdma wptr register when only enable wptr polling
+
+From: Emily Deng <Emily.Deng@amd.com>
+
+[ Upstream commit 4062119b9d958df33bcda703dc3ac646908fa861 ]
+
+The sdma wptr polling memory is not fast enough, then the sdma
+wptr register will be random, and not equal to sdma rptr, which
+will cause sdma engine hang when load driver, so clean up the sdma
+wptr directly to fix this issue.
+
+v2:add comment above the code and correct coding style
+
+Reviewed-by: Xiangliang Yu <Xiangliang.Yu@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Emily Deng <Emily.Deng@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/sdma_v3_0.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v3_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v3_0.c
+@@ -719,14 +719,17 @@ static int sdma_v3_0_gfx_resume(struct a
+ WREG32(mmSDMA0_GFX_RB_WPTR_POLL_ADDR_HI + sdma_offsets[i],
+ upper_32_bits(wptr_gpu_addr));
+ wptr_poll_cntl = RREG32(mmSDMA0_GFX_RB_WPTR_POLL_CNTL + sdma_offsets[i]);
+- if (ring->use_pollmem)
++ if (ring->use_pollmem) {
++ /*wptr polling is not enogh fast, directly clean the wptr register */
++ WREG32(mmSDMA0_GFX_RB_WPTR + sdma_offsets[i], 0);
+ wptr_poll_cntl = REG_SET_FIELD(wptr_poll_cntl,
+ SDMA0_GFX_RB_WPTR_POLL_CNTL,
+ ENABLE, 1);
+- else
++ } else {
+ wptr_poll_cntl = REG_SET_FIELD(wptr_poll_cntl,
+ SDMA0_GFX_RB_WPTR_POLL_CNTL,
+ ENABLE, 0);
++ }
+ WREG32(mmSDMA0_GFX_RB_WPTR_POLL_CNTL + sdma_offsets[i], wptr_poll_cntl);
+
+ /* enable DMA RB */
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Monk Liu <Monk.Liu@amd.com>
+Date: Mon, 29 Jan 2018 19:24:32 +0800
+Subject: drm/amdgpu: disable GFX ring and disable PQ wptr in hw_fini
+
+From: Monk Liu <Monk.Liu@amd.com>
+
+[ Upstream commit 9f0178fb67699992d38601cb923b434f9986dd68 ]
+
+otherwise there will be DMAR reading error comes out from CP since
+GFX is still alive and CPC's WPTR_POLL is still enabled, which would
+lead to DMAR read error.
+
+fix:
+we can hault CPG after hw_fini, but cannot halt CPC becaues KIQ
+stil need to be alive to let RLCV invoke, but its WPTR_POLL could
+be disabled.
+
+Signed-off-by: Monk Liu <Monk.Liu@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -2954,7 +2954,13 @@ static int gfx_v9_0_hw_fini(void *handle
+ gfx_v9_0_kcq_disable(&adev->gfx.kiq.ring, &adev->gfx.compute_ring[i]);
+
+ if (amdgpu_sriov_vf(adev)) {
+- pr_debug("For SRIOV client, shouldn't do anything.\n");
++ gfx_v9_0_cp_gfx_enable(adev, false);
++ /* must disable polling for SRIOV when hw finished, otherwise
++ * CPC engine may still keep fetching WB address which is already
++ * invalid after sw finished and trigger DMAR reading error in
++ * hypervisor side.
++ */
++ WREG32_FIELD15(GC, 0, CP_PQ_WPTR_POLL_CNTL, EN, 0);
+ return 0;
+ }
+ gfx_v9_0_cp_enable(adev, false);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Oded Gabbay <oded.gabbay@gmail.com>
+Date: Thu, 15 Mar 2018 10:08:35 +0200
+Subject: drm/amdkfd: add missing include of mm.h
+
+From: Oded Gabbay <oded.gabbay@gmail.com>
+
+[ Upstream commit 7420f482ea5163bf6dae39a5c7628d5397cd6307 ]
+
+This patch fixes kernel build in ARCH=frv
+
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
+@@ -26,6 +26,7 @@
+ #define AMDGPU_AMDKFD_H_INCLUDED
+
+ #include <linux/types.h>
++#include <linux/mm.h>
+ #include <linux/mmu_context.h>
+ #include <kgd_kfd_interface.h>
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Mon, 5 Mar 2018 11:17:02 +0100
+Subject: drm/bridge: sii902x: Retry status read after DDI I2C
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 2e7a66a8b5ebf1b04a866e5d7c981640f7f62934 ]
+
+The following happens when connection a DVI output driven
+from the SiI9022 using a DVI-to-VGA adapter plug:
+
+i2c i2c-0: sendbytes: NAK bailout.
+i2c i2c-0: sendbytes: NAK bailout.
+
+Then no picture. Apparently the I2C engine inside the SiI9022
+is not smart enough to try to fall back to DDC I2C. Or the
+vendor have not integrated the electronics properly. I don't
+know which one it is.
+
+After this, the I2C bus seems stalled and the first attempt to
+read the status register fails, and the code returns with
+negative return value, and the display fails to initialized.
+
+Instead, retry status readout five times and continue even
+if this fails.
+
+Tested on the ARM Versatile Express with a DVI-to-VGA
+connector, it now gives picture.
+
+Introduce a helper struct device *dev variable to make
+the code more readable.
+
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Reviewed-by: Liviu Dudau <Liviu.Dudau@arm.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180305101702.13441-1-linus.walleij@linaro.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/sii902x.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/sii902x.c
++++ b/drivers/gpu/drm/bridge/sii902x.c
+@@ -137,7 +137,9 @@ static int sii902x_get_modes(struct drm_
+ struct sii902x *sii902x = connector_to_sii902x(connector);
+ struct regmap *regmap = sii902x->regmap;
+ u32 bus_format = MEDIA_BUS_FMT_RGB888_1X24;
++ struct device *dev = &sii902x->i2c->dev;
+ unsigned long timeout;
++ unsigned int retries;
+ unsigned int status;
+ struct edid *edid;
+ int num = 0;
+@@ -159,7 +161,7 @@ static int sii902x_get_modes(struct drm_
+ time_before(jiffies, timeout));
+
+ if (!(status & SII902X_SYS_CTRL_DDC_BUS_GRTD)) {
+- dev_err(&sii902x->i2c->dev, "failed to acquire the i2c bus\n");
++ dev_err(dev, "failed to acquire the i2c bus\n");
+ return -ETIMEDOUT;
+ }
+
+@@ -179,9 +181,19 @@ static int sii902x_get_modes(struct drm_
+ if (ret)
+ return ret;
+
+- ret = regmap_read(regmap, SII902X_SYS_CTRL_DATA, &status);
++ /*
++ * Sometimes the I2C bus can stall after failure to use the
++ * EDID channel. Retry a few times to see if things clear
++ * up, else continue anyway.
++ */
++ retries = 5;
++ do {
++ ret = regmap_read(regmap, SII902X_SYS_CTRL_DATA,
++ &status);
++ retries--;
++ } while (ret && retries);
+ if (ret)
+- return ret;
++ dev_err(dev, "failed to read status (%d)\n", ret);
+
+ ret = regmap_update_bits(regmap, SII902X_SYS_CTRL_DATA,
+ SII902X_SYS_CTRL_DDC_BUS_REQ |
+@@ -201,7 +213,7 @@ static int sii902x_get_modes(struct drm_
+
+ if (status & (SII902X_SYS_CTRL_DDC_BUS_REQ |
+ SII902X_SYS_CTRL_DDC_BUS_GRTD)) {
+- dev_err(&sii902x->i2c->dev, "failed to release the i2c bus\n");
++ dev_err(dev, "failed to release the i2c bus\n");
+ return -ETIMEDOUT;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Mon, 12 Mar 2018 21:15:08 +0100
+Subject: drm/meson: Fix an un-handled error path in 'meson_drv_bind_master()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit e770f6bf18182bc3af6ceec30189b6c323cbc157 ]
+
+'drm_vblank_init()' can fail. So handle this (unlikely) error.
+
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/6cbf3d70ac3904489c7194c895225c4103aebb96.1520885192.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/meson/meson_drv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -230,7 +230,10 @@ static int meson_drv_bind_master(struct
+
+ priv->vsync_irq = platform_get_irq(pdev, 0);
+
+- drm_vblank_init(drm, 1);
++ ret = drm_vblank_init(drm, 1);
++ if (ret)
++ goto free_drm;
++
+ drm_mode_config_init(drm);
+ drm->mode_config.max_width = 3840;
+ drm->mode_config.max_height = 2160;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Mon, 12 Mar 2018 21:15:10 +0100
+Subject: drm/meson: Fix some error handling paths in 'meson_drv_bind_master()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 2c18107b9d58972588cd45d89b8f58d0f033c110 ]
+
+If one of these functions fail, we whould free 'drm', as alreadry done in
+the other error handling paths, below and above.
+
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/df47e03d36c2cf7bc37ec3105fc47c16555bd946.1520885192.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/meson/meson_drv.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -189,35 +189,43 @@ static int meson_drv_bind_master(struct
+
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "vpu");
+ regs = devm_ioremap_resource(dev, res);
+- if (IS_ERR(regs))
+- return PTR_ERR(regs);
++ if (IS_ERR(regs)) {
++ ret = PTR_ERR(regs);
++ goto free_drm;
++ }
+
+ priv->io_base = regs;
+
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "hhi");
+ /* Simply ioremap since it may be a shared register zone */
+ regs = devm_ioremap(dev, res->start, resource_size(res));
+- if (!regs)
+- return -EADDRNOTAVAIL;
++ if (!regs) {
++ ret = -EADDRNOTAVAIL;
++ goto free_drm;
++ }
+
+ priv->hhi = devm_regmap_init_mmio(dev, regs,
+ &meson_regmap_config);
+ if (IS_ERR(priv->hhi)) {
+ dev_err(&pdev->dev, "Couldn't create the HHI regmap\n");
+- return PTR_ERR(priv->hhi);
++ ret = PTR_ERR(priv->hhi);
++ goto free_drm;
+ }
+
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "dmc");
+ /* Simply ioremap since it may be a shared register zone */
+ regs = devm_ioremap(dev, res->start, resource_size(res));
+- if (!regs)
+- return -EADDRNOTAVAIL;
++ if (!regs) {
++ ret = -EADDRNOTAVAIL;
++ goto free_drm;
++ }
+
+ priv->dmc = devm_regmap_init_mmio(dev, regs,
+ &meson_regmap_config);
+ if (IS_ERR(priv->dmc)) {
+ dev_err(&pdev->dev, "Couldn't create the DMC regmap\n");
+- return PTR_ERR(priv->dmc);
++ ret = PTR_ERR(priv->dmc);
++ goto free_drm;
+ }
+
+ priv->vsync_irq = platform_get_irq(pdev, 0);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Benoit Parrot <bparrot@ti.com>
+Date: Mon, 16 May 2016 16:42:50 -0500
+Subject: drm/omap: Add pclk setting case when channel is DSS_WB
+
+From: Benoit Parrot <bparrot@ti.com>
+
+[ Upstream commit 9deb5ad3c47ead2b3c63e44435e9eff0f6f38835 ]
+
+In dispc_set_ovl_common() we need to initialize pclk to a valid
+value when we use WB in capture mode (i.e. mem_2_mem is false).
+Otherwise dispc_ovl_calc_scaling() fails.
+
+Signed-off-by: Benoit Parrot <bparrot@ti.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/dss/dispc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/omapdrm/dss/dispc.c
++++ b/drivers/gpu/drm/omapdrm/dss/dispc.c
+@@ -2489,6 +2489,10 @@ static int dispc_ovl_setup_common(enum o
+ unsigned long pclk = dispc_plane_pclk_rate(plane);
+ unsigned long lclk = dispc_plane_lclk_rate(plane);
+
++ /* when setting up WB, dispc_plane_pclk_rate() returns 0 */
++ if (plane == OMAP_DSS_WB)
++ pclk = vm->pixelclock;
++
+ if (paddr == 0 && rotation_type != OMAP_DSS_ROT_TILER)
+ return -EINVAL;
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Date: Sun, 11 Feb 2018 15:07:44 +0200
+Subject: drm: omapdrm: dss: Move initialization code from component bind to probe
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit 215003b4ae1d47035092fef73b6a22aa82037091 ]
+
+There's no reason to delay initialization of most of the driver (such as
+mapping memory I/O, getting clocks or enabling runtime PM) to the
+component master bind handler.
+
+This additionally fixes a real PM issue caused enabling runtime PM in
+the bind handler.
+
+The bind handler performs the following sequence of PM operations:
+
+ pm_runtime_enable(dev);
+ pm_runtime_get_sync(dev);
+
+ ... (access the hardware to read the device revision) ...
+
+ pm_runtime_put_sync(dev);
+
+If a failure occurs at this point, the error path calls
+pm_runtime_disable() to balance the pm_runtime_enable() call.
+
+To understand the problem, it should be noted that the bind handler is
+called when one of the component registers itself, which happens in the
+component's probe handler. Furthermore, as the components are children
+of the DSS, the device core calls pm_runtime_get_sync() on the DSS
+platform device before calling the component's probe handler. This
+increases the DSS power usage count but doesn't runtime resume the
+device, as runtime PM is disabled at that point.
+
+The bind handler is thus called with runtime PM disabled, with the
+device runtime suspended, but with the power usage count larger than 0.
+The pm_runtime_get_sync() call will thus further increase the power
+usage count and runtime resume the device. The pm_runtime_put_sync()
+handler will decrease the power usage count to a non-zero value and will
+thus not suspend the device. Finally, the pm_runtime_disable() call will
+disable runtime PM, preventing the pm_runtime_put() call in the device
+core from runtime suspending the device. The DSS device is thus left
+powered on.
+
+To fix this, move the initialization code from the bind handler to the
+probe handler.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/dss/dss.c | 193 ++++++++++++++++++++------------------
+ 1 file changed, 104 insertions(+), 89 deletions(-)
+
+--- a/drivers/gpu/drm/omapdrm/dss/dss.c
++++ b/drivers/gpu/drm/omapdrm/dss/dss.c
+@@ -1300,88 +1300,18 @@ static const struct soc_device_attribute
+
+ static int dss_bind(struct device *dev)
+ {
+- struct platform_device *pdev = to_platform_device(dev);
+- struct resource *dss_mem;
+- u32 rev;
+ int r;
+
+- dss_mem = platform_get_resource(dss.pdev, IORESOURCE_MEM, 0);
+- dss.base = devm_ioremap_resource(&pdev->dev, dss_mem);
+- if (IS_ERR(dss.base))
+- return PTR_ERR(dss.base);
+-
+- r = dss_get_clocks();
++ r = component_bind_all(dev, NULL);
+ if (r)
+ return r;
+
+- r = dss_setup_default_clock();
+- if (r)
+- goto err_setup_clocks;
+-
+- r = dss_video_pll_probe(pdev);
+- if (r)
+- goto err_pll_init;
+-
+- r = dss_init_ports(pdev);
+- if (r)
+- goto err_init_ports;
+-
+- pm_runtime_enable(&pdev->dev);
+-
+- r = dss_runtime_get();
+- if (r)
+- goto err_runtime_get;
+-
+- dss.dss_clk_rate = clk_get_rate(dss.dss_clk);
+-
+- /* Select DPLL */
+- REG_FLD_MOD(DSS_CONTROL, 0, 0, 0);
+-
+- dss_select_dispc_clk_source(DSS_CLK_SRC_FCK);
+-
+-#ifdef CONFIG_OMAP2_DSS_VENC
+- REG_FLD_MOD(DSS_CONTROL, 1, 4, 4); /* venc dac demen */
+- REG_FLD_MOD(DSS_CONTROL, 1, 3, 3); /* venc clock 4x enable */
+- REG_FLD_MOD(DSS_CONTROL, 0, 2, 2); /* venc clock mode = normal */
+-#endif
+- dss.dsi_clk_source[0] = DSS_CLK_SRC_FCK;
+- dss.dsi_clk_source[1] = DSS_CLK_SRC_FCK;
+- dss.dispc_clk_source = DSS_CLK_SRC_FCK;
+- dss.lcd_clk_source[0] = DSS_CLK_SRC_FCK;
+- dss.lcd_clk_source[1] = DSS_CLK_SRC_FCK;
+-
+- rev = dss_read_reg(DSS_REVISION);
+- pr_info("OMAP DSS rev %d.%d\n", FLD_GET(rev, 7, 4), FLD_GET(rev, 3, 0));
+-
+- dss_runtime_put();
+-
+- r = component_bind_all(&pdev->dev, NULL);
+- if (r)
+- goto err_component;
+-
+- dss_debugfs_create_file("dss", dss_dump_regs);
+-
+ pm_set_vt_switch(0);
+
+ omapdss_gather_components(dev);
+ omapdss_set_is_initialized(true);
+
+ return 0;
+-
+-err_component:
+-err_runtime_get:
+- pm_runtime_disable(&pdev->dev);
+- dss_uninit_ports(pdev);
+-err_init_ports:
+- if (dss.video1_pll)
+- dss_video_pll_uninit(dss.video1_pll);
+-
+- if (dss.video2_pll)
+- dss_video_pll_uninit(dss.video2_pll);
+-err_pll_init:
+-err_setup_clocks:
+- dss_put_clocks();
+- return r;
+ }
+
+ static void dss_unbind(struct device *dev)
+@@ -1391,18 +1321,6 @@ static void dss_unbind(struct device *de
+ omapdss_set_is_initialized(false);
+
+ component_unbind_all(&pdev->dev, NULL);
+-
+- if (dss.video1_pll)
+- dss_video_pll_uninit(dss.video1_pll);
+-
+- if (dss.video2_pll)
+- dss_video_pll_uninit(dss.video2_pll);
+-
+- dss_uninit_ports(pdev);
+-
+- pm_runtime_disable(&pdev->dev);
+-
+- dss_put_clocks();
+ }
+
+ static const struct component_master_ops dss_component_ops = {
+@@ -1434,10 +1352,46 @@ static int dss_add_child_component(struc
+ return 0;
+ }
+
++static int dss_probe_hardware(void)
++{
++ u32 rev;
++ int r;
++
++ r = dss_runtime_get();
++ if (r)
++ return r;
++
++ dss.dss_clk_rate = clk_get_rate(dss.dss_clk);
++
++ /* Select DPLL */
++ REG_FLD_MOD(DSS_CONTROL, 0, 0, 0);
++
++ dss_select_dispc_clk_source(DSS_CLK_SRC_FCK);
++
++#ifdef CONFIG_OMAP2_DSS_VENC
++ REG_FLD_MOD(DSS_CONTROL, 1, 4, 4); /* venc dac demen */
++ REG_FLD_MOD(DSS_CONTROL, 1, 3, 3); /* venc clock 4x enable */
++ REG_FLD_MOD(DSS_CONTROL, 0, 2, 2); /* venc clock mode = normal */
++#endif
++ dss.dsi_clk_source[0] = DSS_CLK_SRC_FCK;
++ dss.dsi_clk_source[1] = DSS_CLK_SRC_FCK;
++ dss.dispc_clk_source = DSS_CLK_SRC_FCK;
++ dss.lcd_clk_source[0] = DSS_CLK_SRC_FCK;
++ dss.lcd_clk_source[1] = DSS_CLK_SRC_FCK;
++
++ rev = dss_read_reg(DSS_REVISION);
++ pr_info("OMAP DSS rev %d.%d\n", FLD_GET(rev, 7, 4), FLD_GET(rev, 3, 0));
++
++ dss_runtime_put();
++
++ return 0;
++}
++
+ static int dss_probe(struct platform_device *pdev)
+ {
+ const struct soc_device_attribute *soc;
+ struct component_match *match = NULL;
++ struct resource *dss_mem;
+ int r;
+
+ dss.pdev = pdev;
+@@ -1458,20 +1412,69 @@ static int dss_probe(struct platform_dev
+ else
+ dss.feat = of_match_device(dss_of_match, &pdev->dev)->data;
+
+- r = dss_initialize_debugfs();
++ /* Map I/O registers, get and setup clocks. */
++ dss_mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ dss.base = devm_ioremap_resource(&pdev->dev, dss_mem);
++ if (IS_ERR(dss.base))
++ return PTR_ERR(dss.base);
++
++ r = dss_get_clocks();
+ if (r)
+ return r;
+
+- /* add all the child devices as components */
++ r = dss_setup_default_clock();
++ if (r)
++ goto err_put_clocks;
++
++ /* Setup the video PLLs and the DPI and SDI ports. */
++ r = dss_video_pll_probe(pdev);
++ if (r)
++ goto err_put_clocks;
++
++ r = dss_init_ports(pdev);
++ if (r)
++ goto err_uninit_plls;
++
++ /* Enable runtime PM and probe the hardware. */
++ pm_runtime_enable(&pdev->dev);
++
++ r = dss_probe_hardware();
++ if (r)
++ goto err_pm_runtime_disable;
++
++ /* Initialize debugfs. */
++ r = dss_initialize_debugfs();
++ if (r)
++ goto err_pm_runtime_disable;
++
++ dss_debugfs_create_file("dss", dss_dump_regs);
++
++ /* Add all the child devices as components. */
+ device_for_each_child(&pdev->dev, &match, dss_add_child_component);
+
+ r = component_master_add_with_match(&pdev->dev, &dss_component_ops, match);
+- if (r) {
+- dss_uninitialize_debugfs();
+- return r;
+- }
++ if (r)
++ goto err_uninit_debugfs;
+
+ return 0;
++
++err_uninit_debugfs:
++ dss_uninitialize_debugfs();
++
++err_pm_runtime_disable:
++ pm_runtime_disable(&pdev->dev);
++ dss_uninit_ports(pdev);
++
++err_uninit_plls:
++ if (dss.video1_pll)
++ dss_video_pll_uninit(dss.video1_pll);
++ if (dss.video2_pll)
++ dss_video_pll_uninit(dss.video2_pll);
++
++err_put_clocks:
++ dss_put_clocks();
++
++ return r;
+ }
+
+ static int dss_remove(struct platform_device *pdev)
+@@ -1480,6 +1483,18 @@ static int dss_remove(struct platform_de
+
+ dss_uninitialize_debugfs();
+
++ pm_runtime_disable(&pdev->dev);
++
++ dss_uninit_ports(pdev);
++
++ if (dss.video1_pll)
++ dss_video_pll_uninit(dss.video1_pll);
++
++ if (dss.video2_pll)
++ dss_video_pll_uninit(dss.video2_pll);
++
++ dss_put_clocks();
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Eric Anholt <eric@anholt.net>
+Date: Fri, 9 Mar 2018 15:33:32 -0800
+Subject: drm/panel: simple: Fix the bus format for the Ontat panel
+
+From: Eric Anholt <eric@anholt.net>
+
+[ Upstream commit 5651e5e094591f479adad5830ac1bc45196a39b3 ]
+
+This fixes bad color output. When I was first testing the device I
+had the DPI hardware set to 666 mode, but apparently in the refactor
+to use the bus_format information from the panel driver, I failed to
+actually update the panel.
+
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Fixes: e8b6f561b2ee ("drm/panel: simple: Add the 7" DPI panel from Adafruit")
+Cc: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180309233332.1769-1-eric@anholt.net
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -1597,7 +1597,7 @@ static const struct panel_desc ontat_yx7
+ .width = 154,
+ .height = 83,
+ },
+- .bus_format = MEDIA_BUS_FMT_RGB888_1X24,
++ .bus_format = MEDIA_BUS_FMT_RGB666_1X18,
+ };
+
+ static const struct drm_display_mode ortustech_com43h4m85ulc_mode = {
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Fri, 12 Jan 2018 23:12:05 +0300
+Subject: drm: rcar-du: lvds: Fix LVDS startup on R-Car Gen2
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit 8525d04ba8a6a9ecfa4bd619c988ca873a5fc2a4 ]
+
+According to the latest revision 2.00 of the R-Car Gen2 manual, the LVDS
+and the bias circuit must be enabled after the LVDS I/O pins are
+enabled, not before. Fix the Gen2 LVDS startup sequence accordingly.
+
+While at it, also fix the comment preceding the first LVDCR0 write that
+still talks about hardcoding the LVDS mode 0.
+
+Fixes: 90374b5c25c9 ("drm/rcar-du: Add internal LVDS encoder support")
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Tested-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c
++++ b/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c
+@@ -59,11 +59,8 @@ static void rcar_du_lvdsenc_start_gen2(s
+
+ rcar_lvds_write(lvds, LVDPLLCR, pllcr);
+
+- /*
+- * Select the input, hardcode mode 0, enable LVDS operation and turn
+- * bias circuitry on.
+- */
+- lvdcr0 = (lvds->mode << LVDCR0_LVMD_SHIFT) | LVDCR0_BEN | LVDCR0_LVEN;
++ /* Select the input and set the LVDS mode. */
++ lvdcr0 = lvds->mode << LVDCR0_LVMD_SHIFT;
+ if (rcrtc->index == 2)
+ lvdcr0 |= LVDCR0_DUSEL;
+ rcar_lvds_write(lvds, LVDCR0, lvdcr0);
+@@ -74,6 +71,10 @@ static void rcar_du_lvdsenc_start_gen2(s
+ LVDCR1_CHSTBY_GEN2(1) | LVDCR1_CHSTBY_GEN2(0) |
+ LVDCR1_CLKSTBY_GEN2);
+
++ /* Enable LVDS operation and turn bias circuitry on. */
++ lvdcr0 |= LVDCR0_BEN | LVDCR0_LVEN;
++ rcar_lvds_write(lvds, LVDCR0, lvdcr0);
++
+ /*
+ * Turn the PLL on, wait for the startup delay, and turn the output
+ * on.
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Fri, 12 Jan 2018 23:12:04 +0300
+Subject: drm: rcar-du: lvds: Fix LVDS startup on R-Car Gen3
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit 796ceb9269626afaed3b4955c40d2c3d7a8c5d01 ]
+
+According to the latest revisions of the R-Car Gen3 manual, the LVDS mode
+must be set before the LVDS I/O pins are enabled, not after -- fix the
+Gen3 LVDS startup sequence accordingly.
+
+Fixes: e947eccbeba4 ("drm: rcar-du: Add support for LVDS mode selection")
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+[Updated comment in rcar_du_lvdsenc_start_gen3()]
+[Moved Gen2 startup comment update to separate commit]
+[Fixed =| typo]
+Tested-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c
++++ b/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c
+@@ -95,7 +95,7 @@ static void rcar_du_lvdsenc_start_gen3(s
+ u32 lvdcr0;
+ u32 pllcr;
+
+- /* PLL clock configuration */
++ /* Set the PLL clock configuration and LVDS mode. */
+ if (freq < 42000)
+ pllcr = LVDPLLCR_PLLDIVCNT_42M;
+ else if (freq < 85000)
+@@ -107,6 +107,9 @@ static void rcar_du_lvdsenc_start_gen3(s
+
+ rcar_lvds_write(lvds, LVDPLLCR, pllcr);
+
++ lvdcr0 = lvds->mode << LVDCR0_LVMD_SHIFT;
++ rcar_lvds_write(lvds, LVDCR0, lvdcr0);
++
+ /* Turn all the channels on. */
+ rcar_lvds_write(lvds, LVDCR1,
+ LVDCR1_CHSTBY_GEN3(3) | LVDCR1_CHSTBY_GEN3(2) |
+@@ -117,7 +120,7 @@ static void rcar_du_lvdsenc_start_gen3(s
+ * Turn the PLL on, set it to LVDS normal mode, wait for the startup
+ * delay and turn the output on.
+ */
+- lvdcr0 = (lvds->mode << LVDCR0_LVMD_SHIFT) | LVDCR0_PLLON;
++ lvdcr0 |= LVDCR0_PLLON;
+ rcar_lvds_write(lvds, LVDCR0, lvdcr0);
+
+ lvdcr0 |= LVDCR0_PWD;
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: "Ørjan Eide" <orjan.eide@arm.com>
+Date: Tue, 30 Jan 2018 21:28:33 +0100
+Subject: drm/rockchip: Respect page offset for PRIME mmap calls
+
+From: "Ørjan Eide" <orjan.eide@arm.com>
+
+[ Upstream commit 57de50af162b67612da99207b061ade3239e57db ]
+
+When mapping external DMA-bufs through the PRIME mmap call, we might be
+given an offset which has to be respected. However for the internal DRM
+GEM mmap path, we have to ignore the fake mmap offset used to identify
+the buffer only. Currently the code always zeroes out vma->vm_pgoff,
+which breaks the former.
+
+This patch fixes the problem by moving the vm_pgoff assignment to a
+function that is used only for GEM mmap path, so that the PRIME path
+retains the original offset.
+
+Cc: Daniel Kurtz <djkurtz@chromium.org>
+Signed-off-by: Ørjan Eide <orjan.eide@arm.com>
+Signed-off-by: Tomasz Figa <tfiga@chromium.org>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Thierry Escande <thierry.escande@collabora.com>
+Tested-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180130202913.28724-4-thierry.escande@collabora.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
+@@ -262,7 +262,6 @@ static int rockchip_drm_gem_object_mmap(
+ * VM_PFNMAP flag that was set by drm_gem_mmap_obj()/drm_gem_mmap().
+ */
+ vma->vm_flags &= ~VM_PFNMAP;
+- vma->vm_pgoff = 0;
+
+ if (rk_obj->pages)
+ ret = rockchip_drm_gem_object_mmap_iommu(obj, vma);
+@@ -297,6 +296,12 @@ int rockchip_gem_mmap(struct file *filp,
+ if (ret)
+ return ret;
+
++ /*
++ * Set vm_pgoff (used as a fake buffer offset by DRM) to 0 and map the
++ * whole buffer from the start.
++ */
++ vma->vm_pgoff = 0;
++
+ obj = vma->vm_private_data;
+
+ return rockchip_drm_gem_object_mmap(obj, vma);
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
+Date: Fri, 2 Feb 2018 21:12:53 -0800
+Subject: drm/vblank: Data type fixes for 64-bit vblank sequences.
+
+From: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
+
+[ Upstream commit 3b765c0b765d2cc03ef02276f1af2658a03b3ced ]
+
+drm_vblank_count() has an u32 type returning what is a 64-bit vblank count.
+The effect of this is when drm_wait_vblank_ioctl() tries to widen the user
+space requested vblank sequence using this clipped 32-bit count(when the
+value is >= 2^32) as reference, the requested sequence remains a 32-bit
+value and gets queued like that. However, the code that checks if the
+requested sequence has passed compares this against the 64-bit vblank
+count.
+
+With drm_vblank_count() returning all bits of the vblank count, update
+drm_crtc_accurate_vblank_count() so that drm_crtc_arm_vblank_event() queues
+the correct sequence. Otherwise, this leads to prolonged waits for a vblank
+sequence when the current count is >=2^32.
+
+Finally, fix drm_wait_one_vblank() too.
+
+v2: Commit message fix (Keith)
+ Squash commits (Rodrigo)
+
+Fixes: 570e86963a51 ("drm: Widen vblank count to 64-bits [v3]")
+Cc: Keith Packard <keithp@keithp.com>
+Cc: Michel Dänzer <michel@daenzer.net>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Reviewed-by: Keith Packard <keithp@keithp.com>
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180203051302.9974-1-dhinakaran.pandiyan@intel.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_vblank.c | 8 ++++----
+ include/drm/drm_vblank.h | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/drm_vblank.c
++++ b/drivers/gpu/drm/drm_vblank.c
+@@ -271,7 +271,7 @@ static void drm_update_vblank_count(stru
+ store_vblank(dev, pipe, diff, t_vblank, cur_vblank);
+ }
+
+-static u32 drm_vblank_count(struct drm_device *dev, unsigned int pipe)
++static u64 drm_vblank_count(struct drm_device *dev, unsigned int pipe)
+ {
+ struct drm_vblank_crtc *vblank = &dev->vblank[pipe];
+
+@@ -292,11 +292,11 @@ static u32 drm_vblank_count(struct drm_d
+ * This is mostly useful for hardware that can obtain the scanout position, but
+ * doesn't have a hardware frame counter.
+ */
+-u32 drm_crtc_accurate_vblank_count(struct drm_crtc *crtc)
++u64 drm_crtc_accurate_vblank_count(struct drm_crtc *crtc)
+ {
+ struct drm_device *dev = crtc->dev;
+ unsigned int pipe = drm_crtc_index(crtc);
+- u32 vblank;
++ u64 vblank;
+ unsigned long flags;
+
+ WARN_ONCE(drm_debug & DRM_UT_VBL && !dev->driver->get_vblank_timestamp,
+@@ -1055,7 +1055,7 @@ void drm_wait_one_vblank(struct drm_devi
+ {
+ struct drm_vblank_crtc *vblank = &dev->vblank[pipe];
+ int ret;
+- u32 last;
++ u64 last;
+
+ if (WARN_ON(pipe >= dev->num_crtcs))
+ return;
+--- a/include/drm/drm_vblank.h
++++ b/include/drm/drm_vblank.h
+@@ -179,7 +179,7 @@ void drm_crtc_wait_one_vblank(struct drm
+ void drm_crtc_vblank_off(struct drm_crtc *crtc);
+ void drm_crtc_vblank_reset(struct drm_crtc *crtc);
+ void drm_crtc_vblank_on(struct drm_crtc *crtc);
+-u32 drm_crtc_accurate_vblank_count(struct drm_crtc *crtc);
++u64 drm_crtc_accurate_vblank_count(struct drm_crtc *crtc);
+
+ bool drm_calc_vbltimestamp_from_scanoutpos(struct drm_device *dev,
+ unsigned int pipe, int *max_error,
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Thomas Hellstrom <thellstrom@vmware.com>
+Date: Thu, 22 Mar 2018 10:35:18 +0100
+Subject: drm/vmwgfx: Unpin the screen object backup buffer when not used
+
+From: Thomas Hellstrom <thellstrom@vmware.com>
+
+[ Upstream commit 20fb5a635a0c8478ac98f15cfafc2ea83df29565 ]
+
+We were relying on the pinned screen object backup buffer to be destroyed
+when not used. But if we hold a copy of the atomic state, like when
+hibernating, the backup buffer might not be destroyed since it's
+refcounted by the atomic state. This causes us to hibernate with a
+buffer pinned in VRAM.
+
+Fix this by only having the buffer pinned when it is actually used by a
+screen object.
+
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Reviewed-by: Brian Paul <brianp@vmware.com>
+Reviewed-by: Sinclair Yeh <syeh@vmware.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c
+@@ -453,7 +453,11 @@ vmw_sou_primary_plane_cleanup_fb(struct
+ struct drm_plane_state *old_state)
+ {
+ struct vmw_plane_state *vps = vmw_plane_state_to_vps(old_state);
++ struct drm_crtc *crtc = plane->state->crtc ?
++ plane->state->crtc : old_state->crtc;
+
++ if (vps->dmabuf)
++ vmw_dmabuf_unpin(vmw_priv(crtc->dev), vps->dmabuf, false);
+ vmw_dmabuf_unreference(&vps->dmabuf);
+ vps->dmabuf_size = 0;
+
+@@ -491,10 +495,17 @@ vmw_sou_primary_plane_prepare_fb(struct
+ }
+
+ size = new_state->crtc_w * new_state->crtc_h * 4;
++ dev_priv = vmw_priv(crtc->dev);
+
+ if (vps->dmabuf) {
+- if (vps->dmabuf_size == size)
+- return 0;
++ if (vps->dmabuf_size == size) {
++ /*
++ * Note that this might temporarily up the pin-count
++ * to 2, until cleanup_fb() is called.
++ */
++ return vmw_dmabuf_pin_in_vram(dev_priv, vps->dmabuf,
++ true);
++ }
+
+ vmw_dmabuf_unreference(&vps->dmabuf);
+ vps->dmabuf_size = 0;
+@@ -504,7 +515,6 @@ vmw_sou_primary_plane_prepare_fb(struct
+ if (!vps->dmabuf)
+ return -ENOMEM;
+
+- dev_priv = vmw_priv(crtc->dev);
+ vmw_svga_enable(dev_priv);
+
+ /* After we have alloced the backing store might not be able to
+@@ -515,13 +525,16 @@ vmw_sou_primary_plane_prepare_fb(struct
+ &vmw_vram_ne_placement,
+ false, &vmw_dmabuf_bo_free);
+ vmw_overlay_resume_all(dev_priv);
+-
+- if (ret != 0)
++ if (ret) {
+ vps->dmabuf = NULL; /* vmw_dmabuf_init frees on error */
+- else
+- vps->dmabuf_size = size;
++ return ret;
++ }
+
+- return ret;
++ /*
++ * TTM already thinks the buffer is pinned, but make sure the
++ * pin_count is upped.
++ */
++ return vmw_dmabuf_pin_in_vram(dev_priv, vps->dmabuf, true);
+ }
+
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Icenowy Zheng <icenowy@aosc.io>
+Date: Fri, 16 Mar 2018 22:02:12 +0800
+Subject: dt-bindings: add device tree binding for Allwinner H6 main CCU
+
+From: Icenowy Zheng <icenowy@aosc.io>
+
+[ Upstream commit 2e08e4d2ff488424919d69dd211ac860a019ac1d ]
+
+The Allwinner H6 main CCU uses the internal oscillator of the SoC, which
+is different with old SoCs' main CCU.
+
+Add device tree binding for the Allwinner H6 main CCU.
+
+Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/clock/sunxi-ccu.txt | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/Documentation/devicetree/bindings/clock/sunxi-ccu.txt
++++ b/Documentation/devicetree/bindings/clock/sunxi-ccu.txt
+@@ -20,6 +20,7 @@ Required properties :
+ - "allwinner,sun50i-a64-ccu"
+ - "allwinner,sun50i-a64-r-ccu"
+ - "allwinner,sun50i-h5-ccu"
++ - "allwinner,sun50i-h6-ccu"
+ - "nextthing,gr8-ccu"
+
+ - reg: Must contain the registers base address and length
+@@ -31,6 +32,9 @@ Required properties :
+ - #clock-cells : must contain 1
+ - #reset-cells : must contain 1
+
++For the main CCU on H6, one more clock is needed:
++- "iosc": the SoC's internal frequency oscillator
++
+ For the PRCM CCUs on A83T/H3/A64, two more clocks are needed:
+ - "pll-periph": the SoC's peripheral PLL from the main CCU
+ - "iosc": the SoC's internal frequency oscillator
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Archit Taneja <architt@codeaurora.org>
+Date: Wed, 17 Jan 2018 15:04:46 +0530
+Subject: dt-bindings: display: msm/dsi: Fix the PHY regulator supply props
+
+From: Archit Taneja <architt@codeaurora.org>
+
+[ Upstream commit 8c4905fd4939c59e0f7993ba34883e328eef4b59 ]
+
+The PHY regulator supply names vary across different PHY versions.
+Mention explicitly which PHYs require which supplies.
+
+Cc: Rob Herring <robh@kernel.org>
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Archit Taneja <architt@codeaurora.org>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/display/msm/dsi.txt | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/Documentation/devicetree/bindings/display/msm/dsi.txt
++++ b/Documentation/devicetree/bindings/display/msm/dsi.txt
+@@ -102,7 +102,11 @@ Required properties:
+ - clocks: Phandles to device clocks. See [1] for details on clock bindings.
+ - clock-names: the following clocks are required:
+ * "iface"
++ For 28nm HPM/LP, 28nm 8960 PHYs:
+ - vddio-supply: phandle to vdd-io regulator device node
++ For 20nm PHY:
++- vddio-supply: phandle to vdd-io regulator device node
++- vcca-supply: phandle to vcca regulator device node
+
+ Optional properties:
+ - qcom,dsi-phy-regulator-ldo-mode: Boolean value indicating if the LDO mode PHY
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Thu, 8 Mar 2018 08:00:09 +0000
+Subject: efi/arm*: Only register page tables when they exist
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 6b31a2fa1e8f7bc6c2a474b4a12dad7a145cf83d ]
+
+Currently the arm/arm64 runtime code registers the runtime servies
+pagetables with ptdump regardless of whether runtime services page
+tables have been created.
+
+As efi_mm.pgd is NULL in these cases, attempting to dump the efi page
+tables results in a NULL pointer dereference in the ptdump code:
+
+/sys/kernel/debug# cat efi_page_tables
+[ 479.522600] Unable to handle kernel NULL pointer dereference at virtual address 00000000
+[ 479.522715] Mem abort info:
+[ 479.522764] ESR = 0x96000006
+[ 479.522850] Exception class = DABT (current EL), IL = 32 bits
+[ 479.522899] SET = 0, FnV = 0
+[ 479.522937] EA = 0, S1PTW = 0
+[ 479.528200] Data abort info:
+[ 479.528230] ISV = 0, ISS = 0x00000006
+[ 479.528317] CM = 0, WnR = 0
+[ 479.528317] user pgtable: 4k pages, 48-bit VAs, pgd = 0000000064ab0cb0
+[ 479.528449] [0000000000000000] *pgd=00000000fbbe4003, *pud=00000000fb66e003, *pmd=0000000000000000
+[ 479.528600] Internal error: Oops: 96000006 [#1] PREEMPT SMP
+[ 479.528664] Modules linked in:
+[ 479.528699] CPU: 0 PID: 2457 Comm: cat Not tainted 4.15.0-rc3-00065-g2ad2ee7ecb5c-dirty #7
+[ 479.528799] Hardware name: FVP Base (DT)
+[ 479.528899] pstate: 00400009 (nzcv daif +PAN -UAO)
+[ 479.528941] pc : walk_pgd.isra.1+0x20/0x1d0
+[ 479.529011] lr : ptdump_walk_pgd+0x30/0x50
+[ 479.529105] sp : ffff00000bf4bc20
+[ 479.529185] x29: ffff00000bf4bc20 x28: 0000ffff9d22e000
+[ 479.529271] x27: 0000000000020000 x26: ffff80007b4c63c0
+[ 479.529358] x25: 00000000014000c0 x24: ffff80007c098900
+[ 479.529445] x23: ffff00000bf4beb8 x22: 0000000000000000
+[ 479.529532] x21: ffff00000bf4bd70 x20: 0000000000000001
+[ 479.529618] x19: ffff00000bf4bcb0 x18: 0000000000000000
+[ 479.529760] x17: 000000000041a1c8 x16: ffff0000082139d8
+[ 479.529800] x15: 0000ffff9d3c6030 x14: 0000ffff9d2527f4
+[ 479.529924] x13: 00000000000003f3 x12: 0000000000000038
+[ 479.530000] x11: 0000000000000003 x10: 0101010101010101
+[ 479.530099] x9 : 0000000017e94050 x8 : 000000000000003f
+[ 479.530226] x7 : 0000000000000000 x6 : 0000000000000000
+[ 479.530313] x5 : 0000000000000001 x4 : 0000000000000000
+[ 479.530416] x3 : ffff000009069fd8 x2 : 0000000000000000
+[ 479.530500] x1 : 0000000000000000 x0 : 0000000000000000
+[ 479.530599] Process cat (pid: 2457, stack limit = 0x000000005d1b0e6f)
+[ 479.530660] Call trace:
+[ 479.530746] walk_pgd.isra.1+0x20/0x1d0
+[ 479.530833] ptdump_walk_pgd+0x30/0x50
+[ 479.530907] ptdump_show+0x10/0x20
+[ 479.530920] seq_read+0xc8/0x470
+[ 479.531023] full_proxy_read+0x60/0x90
+[ 479.531100] __vfs_read+0x18/0x100
+[ 479.531180] vfs_read+0x88/0x160
+[ 479.531267] SyS_read+0x48/0xb0
+[ 479.531299] el0_svc_naked+0x20/0x24
+[ 479.531400] Code: 91400420 f90033a0 a90707a2 f9403fa0 (f9400000)
+[ 479.531499] ---[ end trace bfe8e28d8acb2b67 ]---
+Segmentation fault
+
+Let's avoid this problem by only registering the tables after their
+successful creation, which is also less confusing when EFI runtime
+services are not in use.
+
+Reported-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180308080020.22828-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/arm-runtime.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/firmware/efi/arm-runtime.c
++++ b/drivers/firmware/efi/arm-runtime.c
+@@ -54,6 +54,9 @@ static struct ptdump_info efi_ptdump_inf
+
+ static int __init ptdump_init(void)
+ {
++ if (!efi_enabled(EFI_RUNTIME_SERVICES))
++ return 0;
++
+ return ptdump_debugfs_register(&efi_ptdump_info, "efi_page_tables");
+ }
+ device_initcall(ptdump_init);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Date: Thu, 1 Mar 2018 11:07:23 -0800
+Subject: enic: enable rq before updating rq descriptors
+
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+
+[ Upstream commit e8588e268509292550634d9a35f2723a207683b2 ]
+
+rq should be enabled before posting the buffers to rq desc. If not hw sees
+stale value and casuses DMAR errors.
+
+Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -1898,6 +1898,8 @@ static int enic_open(struct net_device *
+ }
+
+ for (i = 0; i < enic->rq_count; i++) {
++ /* enable rq before updating rq desc */
++ vnic_rq_enable(&enic->rq[i]);
+ vnic_rq_fill(&enic->rq[i], enic_rq_alloc_buf);
+ /* Need at least one buffer on ring to get going */
+ if (vnic_rq_desc_used(&enic->rq[i]) == 0) {
+@@ -1909,8 +1911,6 @@ static int enic_open(struct net_device *
+
+ for (i = 0; i < enic->wq_count; i++)
+ vnic_wq_enable(&enic->wq[i]);
+- for (i = 0; i < enic->rq_count; i++)
+- vnic_rq_enable(&enic->rq[i]);
+
+ if (!enic_is_dynamic(enic) && !enic_is_sriov_vf(enic))
+ enic_dev_add_station_addr(enic);
+@@ -1936,8 +1936,12 @@ static int enic_open(struct net_device *
+ return 0;
+
+ err_out_free_rq:
+- for (i = 0; i < enic->rq_count; i++)
++ for (i = 0; i < enic->rq_count; i++) {
++ err = vnic_rq_disable(&enic->rq[i]);
++ if (err)
++ return err;
+ vnic_rq_clean(&enic->rq[i], enic_free_rq_buf);
++ }
+ enic_dev_notify_unset(enic);
+ err_out_free_intr:
+ enic_unset_affinity_hint(enic);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Thu, 22 Mar 2018 11:59:00 -0400
+Subject: ext4: don't complain about incorrect features when probing
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+[ Upstream commit 0d9366d67bcf066b028e57d09c9a86ce879bcc28 ]
+
+If mount is auto-probing for filesystem type, it will try various
+filesystems in order, with the MS_SILENT flag set. We get
+that flag as the silent arg to ext4_fill_super.
+
+If we're probing (silent==1) then don't complain about feature
+incompatibilities that are found if it looks like it's actually
+a different valid extN type - failed probes should be silent
+in this case.
+
+If the on-disk features are unknown even to ext4, then complain.
+
+Reported-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
+Tested-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3663,6 +3663,12 @@ static int ext4_fill_super(struct super_
+ ext4_msg(sb, KERN_INFO, "mounting ext2 file system "
+ "using the ext4 subsystem");
+ else {
++ /*
++ * If we're probing be silent, if this looks like
++ * it's actually an ext[34] filesystem.
++ */
++ if (silent && ext4_feature_set_ok(sb, sb_rdonly(sb)))
++ goto failed_mount;
+ ext4_msg(sb, KERN_ERR, "couldn't mount as ext2 due "
+ "to feature incompatibilities");
+ goto failed_mount;
+@@ -3674,6 +3680,12 @@ static int ext4_fill_super(struct super_
+ ext4_msg(sb, KERN_INFO, "mounting ext3 file system "
+ "using the ext4 subsystem");
+ else {
++ /*
++ * If we're probing be silent, if this looks like
++ * it's actually an ext4 filesystem.
++ */
++ if (silent && ext4_feature_set_ok(sb, sb_rdonly(sb)))
++ goto failed_mount;
+ ext4_msg(sb, KERN_ERR, "couldn't mount as ext3 due "
+ "to feature incompatibilities");
+ goto failed_mount;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Chao Yu <yuchao0@huawei.com>
+Date: Sat, 27 Jan 2018 17:29:49 +0800
+Subject: f2fs: fix to check extent cache in f2fs_drop_extent_tree
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit bf617f7a92edc6bb2909db2bfa4576f50b280ee5 ]
+
+If noextent_cache mount option is on, we will never initialize extent tree
+in inode, but still we're going to access it in f2fs_drop_extent_tree,
+result in kernel panic as below:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
+ IP: _raw_write_lock+0xc/0x30
+ Call Trace:
+ ? f2fs_drop_extent_tree+0x41/0x70 [f2fs]
+ f2fs_fallocate+0x5a0/0xdd0 [f2fs]
+ ? common_file_perm+0x47/0xc0
+ ? apparmor_file_permission+0x1a/0x20
+ vfs_fallocate+0x15b/0x290
+ SyS_fallocate+0x44/0x70
+ do_syscall_64+0x6e/0x160
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+This patch fixes to check extent cache status before using in
+f2fs_drop_extent_tree.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/extent_cache.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/f2fs/extent_cache.c
++++ b/fs/f2fs/extent_cache.c
+@@ -706,6 +706,9 @@ void f2fs_drop_extent_tree(struct inode
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+ struct extent_tree *et = F2FS_I(inode)->extent_tree;
+
++ if (!f2fs_may_extent_tree(inode))
++ return;
++
+ set_inode_flag(inode, FI_NO_EXTENT);
+
+ write_lock(&et->lock);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Chao Yu <yuchao0@huawei.com>
+Date: Wed, 31 Jan 2018 09:30:34 +0800
+Subject: f2fs: fix to clear CP_TRIMMED_FLAG
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit cd36d7a17f9da68be9aa67185ba3ad7969934a19 ]
+
+Once CP_TRIMMED_FLAG is set, after a reboot, we will never issue discard
+before LBA becomes invalid again, fix it by clearing the flag in
+checkpoint without CP_TRIMMED reason.
+
+Fixes: 1f43e2ad7bff ("f2fs: introduce CP_TRIMMED_FLAG to avoid unneeded discard")
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/checkpoint.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/f2fs/checkpoint.c
++++ b/fs/f2fs/checkpoint.c
+@@ -1136,6 +1136,8 @@ static void update_ckpt_flags(struct f2f
+
+ if (cpc->reason & CP_TRIMMED)
+ __set_ckpt_flags(ckpt, CP_TRIMMED_FLAG);
++ else
++ __clear_ckpt_flags(ckpt, CP_TRIMMED_FLAG);
+
+ if (cpc->reason & CP_UMOUNT)
+ __set_ckpt_flags(ckpt, CP_UMOUNT_FLAG);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Chao Yu <yuchao0@huawei.com>
+Date: Sun, 25 Feb 2018 23:38:21 +0800
+Subject: f2fs: fix to set KEEP_SIZE bit in f2fs_zero_range
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 17cd07ae95073c298af92c1ba14ac58ce84de33b ]
+
+As Jayashree Mohan reported:
+
+A simple workload to reproduce this would be :
+1. create foo
+2. Write (8K - 16K) // foo size = 16K now
+3. fsync()
+4. falloc zero_range , keep_size (4202496 - 4210688) // foo size must be 16K
+5. fdatasync()
+Crash now
+
+On recovery, we see that the file size is 4210688 and not 16K, which
+violates the semantics of keep_size flag. We have a test case to
+reproduce this using CrashMonkey on 4.15 kernel. Try this out by
+simply running :
+ ./c_harness -f /dev/sda -d /dev/cow_ram0 -t f2fs -e 102400 -P -v
+ tests/generic_468_zero.so
+
+The root cause is that we miss to set KEEP_SIZE bit correctly in zero_range
+when zeroing block cross EOF with FALLOC_FL_KEEP_SIZE, let's fix this
+missing case.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/file.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -1348,8 +1348,12 @@ static int f2fs_zero_range(struct inode
+ }
+
+ out:
+- if (!(mode & FALLOC_FL_KEEP_SIZE) && i_size_read(inode) < new_size)
+- f2fs_i_size_write(inode, new_size);
++ if (new_size > i_size_read(inode)) {
++ if (mode & FALLOC_FL_KEEP_SIZE)
++ file_set_keep_isize(inode);
++ else
++ f2fs_i_size_write(inode, new_size);
++ }
+ out_sem:
+ up_write(&F2FS_I(inode)->i_mmap_sem);
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Gao Xiang <hsiangkao@aol.com>
+Date: Sat, 10 Feb 2018 12:12:51 +0800
+Subject: f2fs: flush cp pack except cp pack 2 page at first
+
+From: Gao Xiang <hsiangkao@aol.com>
+
+[ Upstream commit 46706d5917f4457a6befe7a39a15c89dbb1ce9ca ]
+
+Previously, we attempt to flush the whole cp pack in a single bio,
+however, when suddenly powering off at this time, we could get into
+an extreme scenario that cp pack 1 page and cp pack 2 page are updated
+and latest, but payload or current summaries are still partially
+outdated. (see reliable write in the UFS specification)
+
+This patch submits the whole cp pack except cp pack 2 page at first,
+and then writes the cp pack 2 page with an extra independent
+bio with pre-io barrier.
+
+Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/checkpoint.c | 69 ++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 46 insertions(+), 23 deletions(-)
+
+--- a/fs/f2fs/checkpoint.c
++++ b/fs/f2fs/checkpoint.c
+@@ -1162,6 +1162,39 @@ static void update_ckpt_flags(struct f2f
+ spin_unlock_irqrestore(&sbi->cp_lock, flags);
+ }
+
++static void commit_checkpoint(struct f2fs_sb_info *sbi,
++ void *src, block_t blk_addr)
++{
++ struct writeback_control wbc = {
++ .for_reclaim = 0,
++ };
++
++ /*
++ * pagevec_lookup_tag and lock_page again will take
++ * some extra time. Therefore, update_meta_pages and
++ * sync_meta_pages are combined in this function.
++ */
++ struct page *page = grab_meta_page(sbi, blk_addr);
++ int err;
++
++ memcpy(page_address(page), src, PAGE_SIZE);
++ set_page_dirty(page);
++
++ f2fs_wait_on_page_writeback(page, META, true);
++ f2fs_bug_on(sbi, PageWriteback(page));
++ if (unlikely(!clear_page_dirty_for_io(page)))
++ f2fs_bug_on(sbi, 1);
++
++ /* writeout cp pack 2 page */
++ err = __f2fs_write_meta_page(page, &wbc, FS_CP_META_IO);
++ f2fs_bug_on(sbi, err);
++
++ f2fs_put_page(page, 0);
++
++ /* submit checkpoint (with barrier if NOBARRIER is not set) */
++ f2fs_submit_merged_write(sbi, META_FLUSH);
++}
++
+ static int do_checkpoint(struct f2fs_sb_info *sbi, struct cp_control *cpc)
+ {
+ struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi);
+@@ -1264,16 +1297,6 @@ static int do_checkpoint(struct f2fs_sb_
+ }
+ }
+
+- /* need to wait for end_io results */
+- wait_on_all_pages_writeback(sbi);
+- if (unlikely(f2fs_cp_error(sbi)))
+- return -EIO;
+-
+- /* flush all device cache */
+- err = f2fs_flush_device_cache(sbi);
+- if (err)
+- return err;
+-
+ /* write out checkpoint buffer at block 0 */
+ update_meta_page(sbi, ckpt, start_blk++);
+
+@@ -1301,26 +1324,26 @@ static int do_checkpoint(struct f2fs_sb_
+ start_blk += NR_CURSEG_NODE_TYPE;
+ }
+
+- /* writeout checkpoint block */
+- update_meta_page(sbi, ckpt, start_blk);
++ /* update user_block_counts */
++ sbi->last_valid_block_count = sbi->total_valid_block_count;
++ percpu_counter_set(&sbi->alloc_valid_block_count, 0);
+
+- /* wait for previous submitted node/meta pages writeback */
++ /* Here, we have one bio having CP pack except cp pack 2 page */
++ sync_meta_pages(sbi, META, LONG_MAX, FS_CP_META_IO);
++
++ /* wait for previous submitted meta pages writeback */
+ wait_on_all_pages_writeback(sbi);
+
+ if (unlikely(f2fs_cp_error(sbi)))
+ return -EIO;
+
+- filemap_fdatawait_range(NODE_MAPPING(sbi), 0, LLONG_MAX);
+- filemap_fdatawait_range(META_MAPPING(sbi), 0, LLONG_MAX);
+-
+- /* update user_block_counts */
+- sbi->last_valid_block_count = sbi->total_valid_block_count;
+- percpu_counter_set(&sbi->alloc_valid_block_count, 0);
+-
+- /* Here, we only have one bio having CP pack */
+- sync_meta_pages(sbi, META_FLUSH, LONG_MAX, FS_CP_META_IO);
++ /* flush all device cache */
++ err = f2fs_flush_device_cache(sbi);
++ if (err)
++ return err;
+
+- /* wait for previous submitted meta pages writeback */
++ /* barrier and flush checkpoint cp pack 2 page if it can */
++ commit_checkpoint(sbi, ckpt, start_blk);
+ wait_on_all_pages_writeback(sbi);
+
+ release_ino_entry(sbi, false);
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 21 Feb 2018 14:10:59 +0100
+Subject: fanotify: Avoid lost events due to ENOMEM for unlimited queues
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 1f5eaa90010ed7cf0ae90a526c48657d02c6086f ]
+
+Fanotify queues of unlimited length do not expect events can be lost.
+Since these queues are used for system auditing and other security
+related tasks, loosing events can even have security implications.
+Currently, since the allocation is small (32-bytes), it cannot fail
+however when we start accounting events in memcgs, allocation can start
+failing. So avoid loosing events due to failure to allocate memory by
+making event allocation use __GFP_NOFAIL.
+
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/notify/fanotify/fanotify.c | 19 ++++++++++++++-----
+ fs/notify/fanotify/fanotify.h | 3 ++-
+ fs/notify/fanotify/fanotify_user.c | 2 +-
+ 3 files changed, 17 insertions(+), 7 deletions(-)
+
+--- a/fs/notify/fanotify/fanotify.c
++++ b/fs/notify/fanotify/fanotify.c
+@@ -135,23 +135,32 @@ static bool fanotify_should_send_event(s
+ return false;
+ }
+
+-struct fanotify_event_info *fanotify_alloc_event(struct inode *inode, u32 mask,
++struct fanotify_event_info *fanotify_alloc_event(struct fsnotify_group *group,
++ struct inode *inode, u32 mask,
+ const struct path *path)
+ {
+ struct fanotify_event_info *event;
++ gfp_t gfp = GFP_KERNEL;
++
++ /*
++ * For queues with unlimited length lost events are not expected and
++ * can possibly have security implications. Avoid losing events when
++ * memory is short.
++ */
++ if (group->max_events == UINT_MAX)
++ gfp |= __GFP_NOFAIL;
+
+ if (fanotify_is_perm_event(mask)) {
+ struct fanotify_perm_event_info *pevent;
+
+- pevent = kmem_cache_alloc(fanotify_perm_event_cachep,
+- GFP_KERNEL);
++ pevent = kmem_cache_alloc(fanotify_perm_event_cachep, gfp);
+ if (!pevent)
+ return NULL;
+ event = &pevent->fae;
+ pevent->response = 0;
+ goto init;
+ }
+- event = kmem_cache_alloc(fanotify_event_cachep, GFP_KERNEL);
++ event = kmem_cache_alloc(fanotify_event_cachep, gfp);
+ if (!event)
+ return NULL;
+ init: __maybe_unused
+@@ -206,7 +215,7 @@ static int fanotify_handle_event(struct
+ return 0;
+ }
+
+- event = fanotify_alloc_event(inode, mask, data);
++ event = fanotify_alloc_event(group, inode, mask, data);
+ ret = -ENOMEM;
+ if (unlikely(!event))
+ goto finish;
+--- a/fs/notify/fanotify/fanotify.h
++++ b/fs/notify/fanotify/fanotify.h
+@@ -52,5 +52,6 @@ static inline struct fanotify_event_info
+ return container_of(fse, struct fanotify_event_info, fse);
+ }
+
+-struct fanotify_event_info *fanotify_alloc_event(struct inode *inode, u32 mask,
++struct fanotify_event_info *fanotify_alloc_event(struct fsnotify_group *group,
++ struct inode *inode, u32 mask,
+ const struct path *path);
+--- a/fs/notify/fanotify/fanotify_user.c
++++ b/fs/notify/fanotify/fanotify_user.c
+@@ -757,7 +757,7 @@ SYSCALL_DEFINE2(fanotify_init, unsigned
+ group->fanotify_data.user = user;
+ atomic_inc(&user->fanotify_listeners);
+
+- oevent = fanotify_alloc_event(NULL, FS_Q_OVERFLOW, NULL);
++ oevent = fanotify_alloc_event(group, NULL, FS_Q_OVERFLOW, NULL);
+ if (unlikely(!oevent)) {
+ fd = -ENOMEM;
+ goto out_destroy_group;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Jean Delvare <jdelvare@suse.de>
+Date: Fri, 13 Apr 2018 15:37:59 +0200
+Subject: firmware: dmi_scan: Fix UUID length safety check
+
+From: Jean Delvare <jdelvare@suse.de>
+
+[ Upstream commit 90fe6f8ff00a07641ca893d64f75ca22ce77cca2 ]
+
+The test which ensures that the DMI type 1 structure is long enough
+to hold the UUID is off by one. It would fail if the structure is
+exactly 24 bytes long, while that's sufficient to hold the UUID.
+
+I don't expect this bug to cause problem in practice because all
+implementations I have seen had length 8, 25 or 27 bytes, in line
+with the SMBIOS specifications. But let's fix it still.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Fixes: a814c3597a6b ("firmware: dmi_scan: Check DMI structure length")
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/dmi_scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/dmi_scan.c
++++ b/drivers/firmware/dmi_scan.c
+@@ -186,7 +186,7 @@ static void __init dmi_save_uuid(const s
+ char *s;
+ int is_ff = 1, is_00 = 1, i;
+
+- if (dmi_ident[slot] || dm->length <= index + 16)
++ if (dmi_ident[slot] || dm->length < index + 16)
+ return;
+
+ d = (u8 *) dm + index;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: "Luis R. Rodriguez" <mcgrof@kernel.org>
+Date: Sat, 10 Mar 2018 06:14:56 -0800
+Subject: firmware: fix checking for return values for fw_add_devm_name()
+
+From: "Luis R. Rodriguez" <mcgrof@kernel.org>
+
+[ Upstream commit d15d7311550983be97dca44ad68cbc2ca001297b ]
+
+Currently fw_add_devm_name() returns 1 if the firmware cache
+was already set. This makes it complicated for us to check for
+correctness. It is actually non-fatal if the firmware cache
+is already setup, so just return 0, and simplify the checkers.
+
+fw_add_devm_name() adds device's name onto the devres for the
+device so that prior to suspend we cache the firmware onto memory,
+so that on resume the firmware is reliably available. We never
+were checking for success for this call though, meaning in some
+really rare cases we my have never setup the firmware cache for
+a device, which could in turn make resume fail.
+
+This is all theoretical, no known issues have been reported.
+This small issue has been present way since the addition of the
+devres firmware cache names on v3.7.
+
+Fixes: f531f05ae9437 ("firmware loader: store firmware name into devres list")
+Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/firmware_class.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/base/firmware_class.c
++++ b/drivers/base/firmware_class.c
+@@ -524,7 +524,7 @@ static int fw_add_devm_name(struct devic
+
+ fwn = fw_find_devm_name(dev, name);
+ if (fwn)
+- return 1;
++ return 0;
+
+ fwn = devres_alloc(fw_name_devm_release, sizeof(struct fw_name_devm),
+ GFP_KERNEL);
+@@ -552,6 +552,7 @@ static int assign_fw(struct firmware *fw
+ unsigned int opt_flags)
+ {
+ struct fw_priv *fw_priv = fw->priv;
++ int ret;
+
+ mutex_lock(&fw_lock);
+ if (!fw_priv->size || fw_state_is_aborted(fw_priv)) {
+@@ -568,8 +569,13 @@ static int assign_fw(struct firmware *fw
+ */
+ /* don't cache firmware handled without uevent */
+ if (device && (opt_flags & FW_OPT_UEVENT) &&
+- !(opt_flags & FW_OPT_NOCACHE))
+- fw_add_devm_name(device, fw_priv->fw_name);
++ !(opt_flags & FW_OPT_NOCACHE)) {
++ ret = fw_add_devm_name(device, fw_priv->fw_name);
++ if (ret) {
++ mutex_unlock(&fw_lock);
++ return ret;
++ }
++ }
+
+ /*
+ * After caching firmware image is started, let it piggyback
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Carlos Maiolino <cmaiolino@redhat.com>
+Date: Tue, 10 Apr 2018 22:39:04 -0700
+Subject: Force log to disk before reading the AGF during a fstrim
+
+From: Carlos Maiolino <cmaiolino@redhat.com>
+
+[ Upstream commit 8c81dd46ef3c416b3b95e3020fb90dbd44e6140b ]
+
+Forcing the log to disk after reading the agf is wrong, we might be
+calling xfs_log_force with XFS_LOG_SYNC with a metadata lock held.
+
+This can cause a deadlock when racing a fstrim with a filesystem
+shutdown.
+
+The deadlock has been identified due a miscalculation bug in device-mapper
+dm-thin, which returns lack of space to its users earlier than the device itself
+really runs out of space, changing the device-mapper volume into an error state.
+
+The problem happened while filling the filesystem with a single file,
+triggering the bug in device-mapper, consequently causing an IO error
+and shutting down the filesystem.
+
+If such file is removed, and fstrim executed before the XFS finishes the
+shut down process, the fstrim process will end up holding the buffer
+lock, and going to sleep on the cil wait queue.
+
+At this point, the shut down process will try to wake up all the threads
+waiting on the cil wait queue, but for this, it will try to hold the
+same buffer log already held my the fstrim, locking up the filesystem.
+
+Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_discard.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/xfs/xfs_discard.c
++++ b/fs/xfs/xfs_discard.c
+@@ -50,19 +50,19 @@ xfs_trim_extents(
+
+ pag = xfs_perag_get(mp, agno);
+
+- error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp);
+- if (error || !agbp)
+- goto out_put_perag;
+-
+- cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT);
+-
+ /*
+ * Force out the log. This means any transactions that might have freed
+- * space before we took the AGF buffer lock are now on disk, and the
++ * space before we take the AGF buffer lock are now on disk, and the
+ * volatile disk cache is flushed.
+ */
+ xfs_log_force(mp, XFS_LOG_SYNC);
+
++ error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp);
++ if (error || !agbp)
++ goto out_put_perag;
++
++ cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT);
++
+ /*
+ * Look up the longest btree in the AGF and start with it.
+ */
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Danilo Krummrich <danilokrummrich@dk-develop.de>
+Date: Tue, 10 Apr 2018 16:31:38 -0700
+Subject: fs/proc/proc_sysctl.c: fix potential page fault while unregistering sysctl table
+
+From: Danilo Krummrich <danilokrummrich@dk-develop.de>
+
+[ Upstream commit a0b0d1c345d0317efe594df268feb5ccc99f651e ]
+
+proc_sys_link_fill_cache() does not take currently unregistering sysctl
+tables into account, which might result into a page fault in
+sysctl_follow_link() - add a check to fix it.
+
+This bug has been present since v3.4.
+
+Link: http://lkml.kernel.org/r/20180228013506.4915-1-danilokrummrich@dk-develop.de
+Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets")
+Signed-off-by: Danilo Krummrich <danilokrummrich@dk-develop.de>
+Acked-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: "Luis R . Rodriguez" <mcgrof@kernel.org>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/proc_sysctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -707,7 +707,10 @@ static bool proc_sys_link_fill_cache(str
+ struct ctl_table *table)
+ {
+ bool ret = true;
++
+ head = sysctl_head_grab(head);
++ if (IS_ERR(head))
++ return false;
+
+ if (S_ISLNK(table->mode)) {
+ /* It is not an error if we can not follow the link ignore it */
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 4 Apr 2018 13:41:26 +0100
+Subject: fscache: Fix hanging wait on page discarded by writeback
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 2c98425720233ae3e135add0c7e869b32913502f ]
+
+If the fscache asynchronous write operation elects to discard a page that's
+pending storage to the cache because the page would be over the store limit
+then it needs to wake the page as someone may be waiting on completion of
+the write.
+
+The problem is that the store limit may be updated by a different
+asynchronous operation - and so may miss the write - and that the store
+limit may not even get updated until later by the netfs.
+
+Fix the kernel hang by making fscache_write_op() mark as written any pages
+that are over the limit.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fscache/page.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/fscache/page.c
++++ b/fs/fscache/page.c
+@@ -776,6 +776,7 @@ static void fscache_write_op(struct fsca
+
+ _enter("{OP%x,%d}", op->op.debug_id, atomic_read(&op->op.usage));
+
++again:
+ spin_lock(&object->lock);
+ cookie = object->cookie;
+
+@@ -816,10 +817,6 @@ static void fscache_write_op(struct fsca
+ goto superseded;
+ page = results[0];
+ _debug("gang %d [%lx]", n, page->index);
+- if (page->index >= op->store_limit) {
+- fscache_stat(&fscache_n_store_pages_over_limit);
+- goto superseded;
+- }
+
+ radix_tree_tag_set(&cookie->stores, page->index,
+ FSCACHE_COOKIE_STORING_TAG);
+@@ -829,6 +826,9 @@ static void fscache_write_op(struct fsca
+ spin_unlock(&cookie->stores_lock);
+ spin_unlock(&object->lock);
+
++ if (page->index >= op->store_limit)
++ goto discard_page;
++
+ fscache_stat(&fscache_n_store_pages);
+ fscache_stat(&fscache_n_cop_write_page);
+ ret = object->cache->ops->write_page(op, page);
+@@ -844,6 +844,11 @@ static void fscache_write_op(struct fsca
+ _leave("");
+ return;
+
++discard_page:
++ fscache_stat(&fscache_n_store_pages_over_limit);
++ fscache_end_page_write(object, page);
++ goto again;
++
+ superseded:
+ /* this writer is going away and there aren't any more things to
+ * write */
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 4 Apr 2018 12:40:07 +0200
+Subject: genirq/affinity: Don't return with empty affinity masks on error
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 0211e12dd0a5385ecffd3557bc570dbad7fcf245 ]
+
+When the allocation of node_to_possible_cpumask fails, then
+irq_create_affinity_masks() returns with a pointer to the empty affinity
+masks array, which will cause malfunction.
+
+Reorder the allocations so the masks array allocation comes last and every
+failure path returns NULL.
+
+Fixes: 9a0ef98e186d ("genirq/affinity: Assign vectors to all present CPUs")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Christoph Hellwig <hch@infradead.org>
+Cc: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/irq/affinity.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/kernel/irq/affinity.c
++++ b/kernel/irq/affinity.c
+@@ -108,7 +108,7 @@ irq_create_affinity_masks(int nvecs, con
+ int affv = nvecs - affd->pre_vectors - affd->post_vectors;
+ int last_affv = affv + affd->pre_vectors;
+ nodemask_t nodemsk = NODE_MASK_NONE;
+- struct cpumask *masks;
++ struct cpumask *masks = NULL;
+ cpumask_var_t nmsk, *node_to_possible_cpumask;
+
+ /*
+@@ -121,13 +121,13 @@ irq_create_affinity_masks(int nvecs, con
+ if (!zalloc_cpumask_var(&nmsk, GFP_KERNEL))
+ return NULL;
+
+- masks = kcalloc(nvecs, sizeof(*masks), GFP_KERNEL);
+- if (!masks)
+- goto out;
+-
+ node_to_possible_cpumask = alloc_node_to_possible_cpumask();
+ if (!node_to_possible_cpumask)
+- goto out;
++ goto outcpumsk;
++
++ masks = kcalloc(nvecs, sizeof(*masks), GFP_KERNEL);
++ if (!masks)
++ goto outnodemsk;
+
+ /* Fill out vectors at the beginning that don't need affinity */
+ for (curvec = 0; curvec < affd->pre_vectors; curvec++)
+@@ -192,8 +192,9 @@ done:
+ /* Fill out vectors at the end that don't need affinity */
+ for (; curvec < nvecs; curvec++)
+ cpumask_copy(masks + curvec, irq_default_affinity);
++outnodemsk:
+ free_node_to_possible_cpumask(node_to_possible_cpumask);
+-out:
++outcpumsk:
+ free_cpumask_var(nmsk);
+ return masks;
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Fri, 23 Mar 2018 07:33:25 -0700
+Subject: gfs2: Check for the end of metadata in punch_hole
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit bb491ce67aa7c1635e5ae4f2f304a7d13d3dbe71 ]
+
+When punching a hole or truncating an inode down to a given size, also
+check if the truncate point / start of the hole is within the range we
+have metadata for. Otherwise, we can end up freeing blocks that
+shouldn't be freed, corrupting the inode, or crashing the machine when
+trying to punch a hole into the void.
+
+When growing an inode via truncate, we set the new size but we don't
+allocate additional levels of indirect blocks and grow the inode height.
+When shrinking that inode again, the new size may still point beyond the
+end of the inode's metadata.
+
+Fixes xfstest generic/476.
+
+Debugged-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/gfs2/bmap.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/gfs2/bmap.c
++++ b/fs/gfs2/bmap.c
+@@ -1344,6 +1344,7 @@ static inline bool walk_done(struct gfs2
+ static int punch_hole(struct gfs2_inode *ip, u64 offset, u64 length)
+ {
+ struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode);
++ u64 maxsize = sdp->sd_heightsize[ip->i_height];
+ struct metapath mp = {};
+ struct buffer_head *dibh, *bh;
+ struct gfs2_holder rd_gh;
+@@ -1359,6 +1360,14 @@ static int punch_hole(struct gfs2_inode
+ u64 prev_bnr = 0;
+ __be64 *start, *end;
+
++ if (offset >= maxsize) {
++ /*
++ * The starting point lies beyond the allocated meta-data;
++ * there are no blocks do deallocate.
++ */
++ return 0;
++ }
++
+ /*
+ * The start position of the hole is defined by lblock, start_list, and
+ * start_aligned. The end position of the hole is defined by lend,
+@@ -1372,7 +1381,6 @@ static int punch_hole(struct gfs2_inode
+ */
+
+ if (length) {
+- u64 maxsize = sdp->sd_heightsize[ip->i_height];
+ u64 end_offset = offset + length;
+ u64 lend;
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Tue, 20 Feb 2018 08:03:24 -0700
+Subject: gfs2: Fix fallocate chunk size
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit 174d1232ebc84fcde8f5889d1171c9c7e74a10a7 ]
+
+The chunk size of allocations in __gfs2_fallocate is calculated
+incorrectly. The size can collapse, causing __gfs2_fallocate to
+allocate one block at a time, which is very inefficient. This needs
+fixing in two places:
+
+In gfs2_quota_lock_check, always set ap->allowed to UINT_MAX to indicate
+that there is no quota limit. This fixes callers that rely on
+ap->allowed to be set even when quotas are off.
+
+In __gfs2_fallocate, reset max_blks to UINT_MAX in each iteration of the
+loop to make sure that allocation limits from one resource group won't
+spill over into another resource group.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/gfs2/file.c | 5 +++--
+ fs/gfs2/quota.h | 2 ++
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -809,7 +809,7 @@ static long __gfs2_fallocate(struct file
+ struct gfs2_inode *ip = GFS2_I(inode);
+ struct gfs2_alloc_parms ap = { .aflags = 0, };
+ unsigned int data_blocks = 0, ind_blocks = 0, rblocks;
+- loff_t bytes, max_bytes, max_blks = UINT_MAX;
++ loff_t bytes, max_bytes, max_blks;
+ int error;
+ const loff_t pos = offset;
+ const loff_t count = len;
+@@ -861,7 +861,8 @@ static long __gfs2_fallocate(struct file
+ return error;
+ /* ap.allowed tells us how many blocks quota will allow
+ * us to write. Check if this reduces max_blks */
+- if (ap.allowed && ap.allowed < max_blks)
++ max_blks = UINT_MAX;
++ if (ap.allowed)
+ max_blks = ap.allowed;
+
+ error = gfs2_inplace_reserve(ip, &ap);
+--- a/fs/gfs2/quota.h
++++ b/fs/gfs2/quota.h
+@@ -45,6 +45,8 @@ static inline int gfs2_quota_lock_check(
+ {
+ struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode);
+ int ret;
++
++ ap->allowed = UINT_MAX; /* Assume we are permitted a whole lot */
+ if (sdp->sd_args.ar_quota == GFS2_QUOTA_OFF)
+ return 0;
+ ret = gfs2_quota_lock(ip, NO_UID_QUOTA_CHANGE, NO_GID_QUOTA_CHANGE);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Haiyang Zhang <haiyangz@microsoft.com>
+Date: Thu, 22 Mar 2018 12:01:13 -0700
+Subject: hv_netvsc: Fix the return status in RX path
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+[ Upstream commit 5c71dadbb45970a8f0544a27ae8f1cbd9750e516 ]
+
+As defined in hyperv_net.h, the NVSP_STAT_SUCCESS is one not zero.
+Some functions returns 0 when it actually means NVSP_STAT_SUCCESS.
+This patch fixes them.
+
+In netvsc_receive(), it puts the last RNDIS packet's receive status
+for all packets in a vmxferpage which may contain multiple RNDIS
+packets.
+This patch puts NVSP_STAT_FAIL in the receive completion if one of
+the packets in a vmxferpage fails.
+
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc.c | 8 ++++++--
+ drivers/net/hyperv/netvsc_drv.c | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 ++--
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/hyperv/netvsc.c
++++ b/drivers/net/hyperv/netvsc.c
+@@ -1078,10 +1078,14 @@ static int netvsc_receive(struct net_dev
+ void *data = recv_buf
+ + vmxferpage_packet->ranges[i].byte_offset;
+ u32 buflen = vmxferpage_packet->ranges[i].byte_count;
++ int ret;
+
+ /* Pass it to the upper layer */
+- status = rndis_filter_receive(ndev, net_device,
+- channel, data, buflen);
++ ret = rndis_filter_receive(ndev, net_device,
++ channel, data, buflen);
++
++ if (unlikely(ret != NVSP_STAT_SUCCESS))
++ status = NVSP_STAT_FAIL;
+ }
+
+ enq_receive_complete(ndev, net_device, q_idx,
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -831,7 +831,7 @@ int netvsc_recv_callback(struct net_devi
+ u64_stats_update_end(&rx_stats->syncp);
+
+ napi_gro_receive(&nvchan->napi, skb);
+- return 0;
++ return NVSP_STAT_SUCCESS;
+ }
+
+ static void netvsc_get_drvinfo(struct net_device *net,
+--- a/drivers/net/hyperv/rndis_filter.c
++++ b/drivers/net/hyperv/rndis_filter.c
+@@ -434,10 +434,10 @@ int rndis_filter_receive(struct net_devi
+ "unhandled rndis message (type %u len %u)\n",
+ rndis_msg->ndis_msg_type,
+ rndis_msg->msg_len);
+- break;
++ return NVSP_STAT_FAIL;
+ }
+
+- return 0;
++ return NVSP_STAT_SUCCESS;
+ }
+
+ static int rndis_filter_query_device(struct rndis_device *dev,
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Mon, 26 Mar 2018 19:50:31 -0700
+Subject: hwmon: (nct6775) Fix writing pwmX_mode
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 415eb2a1aaa4881cf85bd86c683356fdd8094a23 ]
+
+pwmX_mode is defined in the ABI as 0=DC mode, 1=pwm mode. The chip
+register bit is set to 1 for DC mode. This got mixed up, and writing
+1 into pwmX_mode resulted in DC mode enabled. Fix it up by using
+the ABI definition throughout the driver for consistency.
+
+Fixes: 77eb5b3703d99 ("hwmon: (nct6775) Add support for pwm, pwm_mode, ... ")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/nct6775.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/hwmon/nct6775.c
++++ b/drivers/hwmon/nct6775.c
+@@ -1469,7 +1469,7 @@ static void nct6775_update_pwm(struct de
+ duty_is_dc = data->REG_PWM_MODE[i] &&
+ (nct6775_read_value(data, data->REG_PWM_MODE[i])
+ & data->PWM_MODE_MASK[i]);
+- data->pwm_mode[i] = duty_is_dc;
++ data->pwm_mode[i] = !duty_is_dc;
+
+ fanmodecfg = nct6775_read_value(data, data->REG_FAN_MODE[i]);
+ for (j = 0; j < ARRAY_SIZE(data->REG_PWM); j++) {
+@@ -2350,7 +2350,7 @@ show_pwm_mode(struct device *dev, struct
+ struct nct6775_data *data = nct6775_update_device(dev);
+ struct sensor_device_attribute *sattr = to_sensor_dev_attr(attr);
+
+- return sprintf(buf, "%d\n", !data->pwm_mode[sattr->index]);
++ return sprintf(buf, "%d\n", data->pwm_mode[sattr->index]);
+ }
+
+ static ssize_t
+@@ -2371,9 +2371,9 @@ store_pwm_mode(struct device *dev, struc
+ if (val > 1)
+ return -EINVAL;
+
+- /* Setting DC mode is not supported for all chips/channels */
++ /* Setting DC mode (0) is not supported for all chips/channels */
+ if (data->REG_PWM_MODE[nr] == 0) {
+- if (val)
++ if (!val)
+ return -EINVAL;
+ return count;
+ }
+@@ -2382,7 +2382,7 @@ store_pwm_mode(struct device *dev, struc
+ data->pwm_mode[nr] = val;
+ reg = nct6775_read_value(data, data->REG_PWM_MODE[nr]);
+ reg &= ~data->PWM_MODE_MASK[nr];
+- if (val)
++ if (!val)
+ reg |= data->PWM_MODE_MASK[nr];
+ nct6775_write_value(data, data->REG_PWM_MODE[nr], reg);
+ mutex_unlock(&data->update_lock);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sat, 10 Mar 2018 17:55:47 -0800
+Subject: hwmon: (pmbus/adm1275) Accept negative page register values
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit ecb29abd4cb0670c616fb563a078f25d777ce530 ]
+
+A negative page register value means that no page needs to be
+selected. This is used by status register read operations and needs
+to be accepted. The failure to do so so results in missed status
+and limit registers.
+
+Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/pmbus/adm1275.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/pmbus/adm1275.c
++++ b/drivers/hwmon/pmbus/adm1275.c
+@@ -154,7 +154,7 @@ static int adm1275_read_word_data(struct
+ const struct adm1275_data *data = to_adm1275_data(info);
+ int ret = 0;
+
+- if (page)
++ if (page > 0)
+ return -ENXIO;
+
+ switch (reg) {
+@@ -240,7 +240,7 @@ static int adm1275_write_word_data(struc
+ const struct adm1275_data *data = to_adm1275_data(info);
+ int ret;
+
+- if (page)
++ if (page > 0)
+ return -ENXIO;
+
+ switch (reg) {
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sat, 10 Mar 2018 17:49:47 -0800
+Subject: hwmon: (pmbus/max8688) Accept negative page register values
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit a46f8cd696624ef757be0311eb28f119c36778e8 ]
+
+A negative page register value means that no page needs to be
+selected. This is used by status register evaluations and needs
+to be accepted.
+
+Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/pmbus/max8688.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/pmbus/max8688.c
++++ b/drivers/hwmon/pmbus/max8688.c
+@@ -45,7 +45,7 @@ static int max8688_read_word_data(struct
+ {
+ int ret;
+
+- if (page)
++ if (page > 0)
+ return -ENXIO;
+
+ switch (reg) {
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Mon, 12 Feb 2018 21:11:36 +0100
+Subject: hwrng: bcm2835 - Handle deferred clock properly
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit 7b4c5d30d0bd2b22c09d4d993a76e0973a873891 ]
+
+In case the probe of the clock is deferred, we would assume it is
+optional. This is wrong, so defer the probe of this driver until
+the clock is available.
+
+Fixes: 791af4f4907a ("hwrng: bcm2835 - Manage an optional clock")
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/hw_random/bcm2835-rng.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/char/hw_random/bcm2835-rng.c
++++ b/drivers/char/hw_random/bcm2835-rng.c
+@@ -163,6 +163,8 @@ static int bcm2835_rng_probe(struct plat
+
+ /* Clock is optional on most platforms */
+ priv->clk = devm_clk_get(dev, NULL);
++ if (IS_ERR(priv->clk) && PTR_ERR(priv->clk) == -EPROBE_DEFER)
++ return -EPROBE_DEFER;
+
+ priv->rng.name = pdev->name;
+ priv->rng.init = bcm2835_rng_init;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: "lionel.debieve@st.com" <lionel.debieve@st.com>
+Date: Thu, 15 Feb 2018 14:03:08 +0100
+Subject: hwrng: stm32 - add reset during probe
+
+From: "lionel.debieve@st.com" <lionel.debieve@st.com>
+
+[ Upstream commit 326ed382256475aa4b8b7eae8a2f60689fd25e78 ]
+
+Avoid issue when probing the RNG without
+reset if bad status has been detected previously
+
+Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/hw_random/stm32-rng.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/char/hw_random/stm32-rng.c
++++ b/drivers/char/hw_random/stm32-rng.c
+@@ -21,6 +21,7 @@
+ #include <linux/of_address.h>
+ #include <linux/of_platform.h>
+ #include <linux/pm_runtime.h>
++#include <linux/reset.h>
+ #include <linux/slab.h>
+
+ #define RNG_CR 0x00
+@@ -46,6 +47,7 @@ struct stm32_rng_private {
+ struct hwrng rng;
+ void __iomem *base;
+ struct clk *clk;
++ struct reset_control *rst;
+ };
+
+ static int stm32_rng_read(struct hwrng *rng, void *data, size_t max, bool wait)
+@@ -140,6 +142,13 @@ static int stm32_rng_probe(struct platfo
+ if (IS_ERR(priv->clk))
+ return PTR_ERR(priv->clk);
+
++ priv->rst = devm_reset_control_get(&ofdev->dev, NULL);
++ if (!IS_ERR(priv->rst)) {
++ reset_control_assert(priv->rst);
++ udelay(2);
++ reset_control_deassert(priv->rst);
++ }
++
+ dev_set_drvdata(dev, priv);
+
+ priv->rng.name = dev_driver_string(dev),
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Sun, 3 Dec 2017 22:40:50 +0100
+Subject: i2c: core: report OF style module alias for devices registered via OF
+
+From: Javier Martinez Canillas <javierm@redhat.com>
+
+[ Upstream commit af503716ac1444db61d80cb6d17cfe62929c21df ]
+
+The buses should honor the firmware interface used to register the device,
+but the I2C core reports a MODALIAS of the form i2c:<device> even for I2C
+devices registered via OF.
+
+This means that user-space will never get an OF stype uevent MODALIAS even
+when the drivers modules contain aliases exported from both the I2C and OF
+device ID tables. For example, an Atmel maXTouch Touchscreen registered by
+a DT node with compatible "atmel,maxtouch" has the following module alias:
+
+$ cat /sys/class/i2c-adapter/i2c-8/8-004b/modalias
+i2c:maxtouch
+
+So udev won't be able to auto-load a module for an OF-only device driver.
+Many OF-only drivers duplicate the OF device ID table entries in an I2C ID
+table only has a workaround for how the I2C core reports the module alias.
+
+This patch changes the I2C core to report an OF related MODALIAS uevent if
+the device was registered via OF. So for the previous example, after this
+patch, the reported MODALIAS for the Atmel maXTouch will be the following:
+
+$ cat /sys/class/i2c-adapter/i2c-8/8-004b/modalias
+of:NtrackpadT<NULL>Catmel,maxtouch
+
+NOTE: This patch may break out-of-tree drivers that were relying on this
+ behavior, and only had an I2C device ID table even when the device
+ was registered via OF. There are no remaining drivers in mainline
+ that do this, but out-of-tree drivers have to be fixed and define
+ a proper OF device ID table to have module auto-loading working.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Tested-by: Dmitry Mastykin <mastichi@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/i2c-core-base.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/i2c/i2c-core-base.c
++++ b/drivers/i2c/i2c-core-base.c
+@@ -124,6 +124,10 @@ static int i2c_device_uevent(struct devi
+ struct i2c_client *client = to_i2c_client(dev);
+ int rc;
+
++ rc = of_device_uevent_modalias(dev, env);
++ if (rc != -ENODEV)
++ return rc;
++
+ rc = acpi_device_uevent_modalias(dev, env);
+ if (rc != -ENODEV)
+ return rc;
+@@ -439,6 +443,10 @@ show_modalias(struct device *dev, struct
+ struct i2c_client *client = to_i2c_client(dev);
+ int len;
+
++ len = of_device_modalias(dev, buf, PAGE_SIZE);
++ if (len != -ENODEV)
++ return len;
++
+ len = acpi_device_modalias(dev, buf, PAGE_SIZE -1);
+ if (len != -ENODEV)
+ return len;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Gregory CLEMENT <gregory.clement@bootlin.com>
+Date: Wed, 14 Mar 2018 18:03:40 +0100
+Subject: i2c: mv64xxx: Apply errata delay only in standard mode
+
+From: Gregory CLEMENT <gregory.clement@bootlin.com>
+
+[ Upstream commit 31184d8c6ea49ea0676d100cdd7e1f102ad025b5 ]
+
+The errata FE-8471889 description has been updated. There is still a
+timing violation for repeated start. But the errata now states that it
+was only the case for the Standard mode (100 kHz), in Fast mode (400 kHz)
+there is no issue.
+
+This patch limit the errata fix to the Standard mode.
+
+It has been tesed successfully on the clearfog (Aramda 388 based board).
+
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-mv64xxx.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-mv64xxx.c
++++ b/drivers/i2c/busses/i2c-mv64xxx.c
+@@ -845,12 +845,16 @@ mv64xxx_of_config(struct mv64xxx_i2c_dat
+ */
+ if (of_device_is_compatible(np, "marvell,mv78230-i2c")) {
+ drv_data->offload_enabled = true;
+- drv_data->errata_delay = true;
++ /* The delay is only needed in standard mode (100kHz) */
++ if (bus_freq <= 100000)
++ drv_data->errata_delay = true;
+ }
+
+ if (of_device_is_compatible(np, "marvell,mv78230-a0-i2c")) {
+ drv_data->offload_enabled = false;
+- drv_data->errata_delay = true;
++ /* The delay is only needed in standard mode (100kHz) */
++ if (bus_freq <= 100000)
++ drv_data->errata_delay = true;
+ }
+
+ if (of_device_is_compatible(np, "allwinner,sun6i-a31-i2c"))
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Filip Sadowski <filip.sadowski@intel.com>
+Date: Fri, 29 Dec 2017 08:50:05 -0500
+Subject: i40e: Add delay after EMP reset for firmware to recover
+
+From: Filip Sadowski <filip.sadowski@intel.com>
+
+[ Upstream commit 1fa51a650e1deb50410677f1bd6c0ce17aa48a49 ]
+
+This patch adds necessary delay for 4.33 firmware to recover after
+EMP reset. Without this patch driver occasionally reinitializes
+structures too quickly to communicate with firmware after EMP reset
+causing AdminQ to timeout.
+
+Signed-off-by: Filip Sadowski <filip.sadowski@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -9215,6 +9215,17 @@ static void i40e_rebuild(struct i40e_pf
+ }
+ i40e_get_oem_version(&pf->hw);
+
++ if (test_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state) &&
++ ((hw->aq.fw_maj_ver == 4 && hw->aq.fw_min_ver <= 33) ||
++ hw->aq.fw_maj_ver < 4) && hw->mac.type == I40E_MAC_XL710) {
++ /* The following delay is necessary for 4.33 firmware and older
++ * to recover after EMP reset. 200 ms should suffice but we
++ * put here 300 ms to be sure that FW is ready to operate
++ * after reset.
++ */
++ mdelay(300);
++ }
++
+ /* re-verify the eeprom if we just had an EMP reset */
+ if (test_and_clear_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state))
+ i40e_verify_eeprom(pf);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Jacob Keller <jacob.e.keller@intel.com>
+Date: Fri, 16 Mar 2018 01:26:35 -0700
+Subject: i40e: hold the RTNL lock while changing interrupt schemes
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit f0ee70a042e267a517e943220e18ae62d3c1995a ]
+
+When we suspend and resume, we need to clear and re-enable the interrupt
+scheme. This was previously not done while holding the RTNL lock, which
+could be problematic, because we are actually destroying and re-creating
+queues.
+
+Hold the RTNL lock for the entire sequence of preparing for reset, and
+when resuming. This additionally protects the flags related to interrupt
+scheme under RTNL lock so that their modification is properly threaded.
+
+This is part of a larger effort to remove the need for cmpxchg64 in
+i40e_set_priv_flags().
+
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -14216,7 +14216,13 @@ static int __maybe_unused i40e_suspend(s
+ if (pf->wol_en && (pf->hw_features & I40E_HW_WOL_MC_MAGIC_PKT_WAKE))
+ i40e_enable_mc_magic_wake(pf);
+
+- i40e_prep_for_reset(pf, false);
++ /* Since we're going to destroy queues during the
++ * i40e_clear_interrupt_scheme() we should hold the RTNL lock for this
++ * whole section
++ */
++ rtnl_lock();
++
++ i40e_prep_for_reset(pf, true);
+
+ wr32(hw, I40E_PFPM_APM, (pf->wol_en ? I40E_PFPM_APM_APME_MASK : 0));
+ wr32(hw, I40E_PFPM_WUFC, (pf->wol_en ? I40E_PFPM_WUFC_MAG_MASK : 0));
+@@ -14228,6 +14234,8 @@ static int __maybe_unused i40e_suspend(s
+ */
+ i40e_clear_interrupt_scheme(pf);
+
++ rtnl_unlock();
++
+ return 0;
+ }
+
+@@ -14245,6 +14253,11 @@ static int __maybe_unused i40e_resume(st
+ if (!test_bit(__I40E_SUSPENDED, pf->state))
+ return 0;
+
++ /* We need to hold the RTNL lock prior to restoring interrupt schemes,
++ * since we're going to be restoring queues
++ */
++ rtnl_lock();
++
+ /* We cleared the interrupt scheme when we suspended, so we need to
+ * restore it now to resume device functionality.
+ */
+@@ -14255,7 +14268,9 @@ static int __maybe_unused i40e_resume(st
+ }
+
+ clear_bit(__I40E_DOWN, pf->state);
+- i40e_reset_and_rebuild(pf, false, false);
++ i40e_reset_and_rebuild(pf, false, true);
++
++ rtnl_unlock();
+
+ /* Clear suspended state last after everything is recovered */
+ clear_bit(__I40E_SUSPENDED, pf->state);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Parav Pandit <parav@mellanox.com>
+Date: Tue, 13 Mar 2018 16:06:14 +0200
+Subject: IB/core: Honor port_num while resolving GID for IB link layer
+
+From: Parav Pandit <parav@mellanox.com>
+
+[ Upstream commit 563c4ba3bd2b8b0b21c65669ec2226b1cfa1138b ]
+
+ah_attr contains the port number to which cm_id is bound. However, while
+searching for GID table for matching GID entry, the port number is
+ignored.
+
+This could cause the wrong GID to be used when the ah_attr is converted to
+an AH.
+
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/multicast.c | 24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+--- a/drivers/infiniband/core/multicast.c
++++ b/drivers/infiniband/core/multicast.c
+@@ -724,21 +724,19 @@ int ib_init_ah_from_mcmember(struct ib_d
+ {
+ int ret;
+ u16 gid_index;
+- u8 p;
+
+- if (rdma_protocol_roce(device, port_num)) {
+- ret = ib_find_cached_gid_by_port(device, &rec->port_gid,
+- gid_type, port_num,
+- ndev,
+- &gid_index);
+- } else if (rdma_protocol_ib(device, port_num)) {
+- ret = ib_find_cached_gid(device, &rec->port_gid,
+- IB_GID_TYPE_IB, NULL, &p,
+- &gid_index);
+- } else {
+- ret = -EINVAL;
+- }
++ /* GID table is not based on the netdevice for IB link layer,
++ * so ignore ndev during search.
++ */
++ if (rdma_protocol_ib(device, port_num))
++ ndev = NULL;
++ else if (!rdma_protocol_roce(device, port_num))
++ return -EINVAL;
+
++ ret = ib_find_cached_gid_by_port(device, &rec->port_gid,
++ gid_type, port_num,
++ ndev,
++ &gid_index);
+ if (ret)
+ return ret;
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Honggang Li <honli@redhat.com>
+Date: Fri, 16 Mar 2018 10:37:13 +0800
+Subject: IB/mlx5: Set the default active rate and width to QDR and 4X
+
+From: Honggang Li <honli@redhat.com>
+
+[ Upstream commit 7672ed33c4c15dbe9d56880683baaba4227cf940 ]
+
+Before commit f1b65df5a232 ("IB/mlx5: Add support for active_width and
+active_speed in RoCE"), the mlx5_ib driver set the default active_width
+and active_speed to IB_WIDTH_4X and IB_SPEED_QDR.
+
+When the RoCE port is down, the RoCE port does not negotiate the active
+width with the remote side, causing the active width to be zero. When
+running userspace ibstat to view the port status, ibstat will panic as it
+reads an invalid width from sys file.
+
+This patch restores the original behavior.
+
+Fixes: f1b65df5a232 ("IB/mlx5: Add support for active_width and active_speed in RoCE").
+Signed-off-by: Honggang Li <honli@redhat.com>
+Reviewed-by: Hal Rosenstock <hal@mellanox.com>
+Reviewed-by: Noa Osherovich <noaos@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -388,6 +388,9 @@ static int mlx5_query_port_roce(struct i
+ if (err)
+ goto out;
+
++ props->active_width = IB_WIDTH_4X;
++ props->active_speed = IB_SPEED_QDR;
++
+ translate_eth_proto_oper(eth_prot_oper, &props->active_speed,
+ &props->active_width);
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Mikhail Malygin <mikhail@malygin.me>
+Date: Mon, 2 Apr 2018 12:26:59 +0300
+Subject: IB/rxe: Fix for oops in rxe_register_device on ppc64le arch
+
+From: Mikhail Malygin <mikhail@malygin.me>
+
+[ Upstream commit efc365e7290d040fbd43f60b0e97653489a739d4 ]
+
+On ppc64le arch rxe_add command causes oops in kernel log:
+
+[ 92.495140] Oops: Kernel access of bad area, sig: 11 [#1]
+[ 92.499710] SMP NR_CPUS=2048 NUMA pSeries
+[ 92.499792] Modules linked in: ipt_MASQUERADE(E) nf_nat_masquerade_ipv4(E) nf_conntrack_netlink(E) nfnetlink(E) xfrm_user(E) iptable
+_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) xt_addrtype(E) iptable_filter(E) ip_tables(E) xt_conntrack(E) x_tables(E)
+ nf_nat(E) nf_conntrack(E) br_netfilter(E) bridge(E) stp(E) llc(E) overlay(E) af_packet(E) rpcrdma(E) ib_isert(E) iscsi_target_mod(E) i
+b_iser(E) libiscsi(E) ib_srpt(E) target_core_mod(E) ib_srp(E) ib_ipoib(E) rdma_ucm(E) ib_ucm(E) ib_uverbs(E) ib_umad(E) bochs_drm(E) tt
+m(E) drm_kms_helper(E) syscopyarea(E) sysfillrect(E) sysimgblt(E) fb_sys_fops(E) drm(E) agpgart(E) virtio_rng(E) virtio_console(E) rtc_
+generic(E) dm_ec(OEN) ttln_rdma(OEN) rdma_cm(E) configfs(E) iw_cm(E) ib_cm(E) rdma_rxe(E) ip6_udp_tunnel(E) udp_tunnel(E) ib_core(E) ql
+a2xxx(E)
+[ 92.499832] scsi_transport_fc(E) nvme_fc(E) nvme_fabrics(E) nvme_core(E) ipmi_watchdog(E) ipmi_ssif(E) ipmi_poweroff(E) ipmi_powernv(EX) ipmi_devintf(E) ipmi_msghandler(E) dummy(E) ext4(E) crc16(E) jbd2(E) mbcache(E) dm_service_time(E) scsi_transport_iscsi(E) sd_mod(E) sr_mod(E) cdrom(E) hid_generic(E) usbhid(E) virtio_blk(E) virtio_scsi(E) virtio_net(E) ibmvscsi(EX) scsi_transport_srp(E) xhci_pci(E) xhci_hcd(E) usbcore(E) usb_common(E) virtio_pci(E) virtio_ring(E) virtio(E) sunrpc(E) dm_mirror(E) dm_region_hash(E) dm_log(E) sg(E) dm_multipath(E) dm_mod(E) scsi_dh_rdac(E) scsi_dh_emc(E) scsi_dh_alua(E) scsi_mod(E) autofs4(E)
+[ 92.499834] Supported: No, Unsupported modules are loaded
+[ 92.499839] CPU: 3 PID: 5576 Comm: sh Tainted: G OE NX 4.4.120-ttln.17-default #1
+[ 92.499841] task: c0000000afe8a490 ti: c0000000beba8000 task.ti: c0000000beba8000
+[ 92.499842] NIP: c00000000008ba3c LR: c000000000027644 CTR: c00000000008ba10
+[ 92.499844] REGS: c0000000bebab750 TRAP: 0300 Tainted: G OE NX (4.4.120-ttln.17-default)
+[ 92.499850] MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 28424428 XER: 20000000
+[ 92.499871] CFAR: 0000000000002424 DAR: 0000000000000208 DSISR: 40000000 SOFTE: 1
+ GPR00: c000000000027644 c0000000bebab9d0 c000000000f09700 0000000000000000
+ GPR04: d0000000043d7192 0000000000000002 000000000000001a fffffffffffffffe
+ GPR08: 000000000000009c c00000000008ba10 d0000000043e5848 d0000000043d3828
+ GPR12: c00000000008ba10 c000000007a02400 0000000010062e38 0000010020388860
+ GPR16: 0000000000000000 0000000000000000 00000100203885f0 00000000100f6c98
+ GPR20: c0000000b3f1fcc0 c0000000b3f1fc48 c0000000b3f1fbd0 c0000000b3f1fb58
+ GPR24: c0000000b3f1fae0 c0000000b3f1fa68 00000000000005dc c0000000b3f1f9f0
+ GPR28: d0000000043e5848 c0000000b3f1f900 c0000000b3f1f320 c0000000b3f1f000
+[ 92.499881] NIP [c00000000008ba3c] dma_get_required_mask_pSeriesLP+0x2c/0x1a0
+[ 92.499885] LR [c000000000027644] dma_get_required_mask+0x44/0xac
+[ 92.499886] Call Trace:
+[ 92.499891] [c0000000bebab9d0] [c0000000bebaba30] 0xc0000000bebaba30 (unreliable)
+[ 92.499894] [c0000000bebaba10] [c000000000027644] dma_get_required_mask+0x44/0xac
+[ 92.499904] [c0000000bebaba30] [d0000000043cb4b4] rxe_register_device+0xc4/0x430 [rdma_rxe]
+[ 92.499910] [c0000000bebabab0] [d0000000043c06c8] rxe_add+0x448/0x4e0 [rdma_rxe]
+[ 92.499915] [c0000000bebabb30] [d0000000043d28dc] rxe_net_add+0x4c/0xf0 [rdma_rxe]
+[ 92.499921] [c0000000bebabb60] [d0000000043d305c] rxe_param_set_add+0x6c/0x1ac [rdma_rxe]
+[ 92.499924] [c0000000bebabbf0] [c0000000000e78c0] param_attr_store+0xa0/0x180
+[ 92.499927] [c0000000bebabc70] [c0000000000e6448] module_attr_store+0x48/0x70
+[ 92.499932] [c0000000bebabc90] [c000000000391f60] sysfs_kf_write+0x70/0xb0
+[ 92.499935] [c0000000bebabcb0] [c000000000390f1c] kernfs_fop_write+0x18c/0x1e0
+[ 92.499939] [c0000000bebabd00] [c0000000002e22ac] __vfs_write+0x4c/0x1d0
+[ 92.499942] [c0000000bebabd90] [c0000000002e2f94] vfs_write+0xc4/0x200
+[ 92.499945] [c0000000bebabde0] [c0000000002e488c] SyS_write+0x6c/0x110
+[ 92.499948] [c0000000bebabe30] [c000000000009384] system_call+0x38/0xe4
+[ 92.499949] Instruction dump:
+[ 92.499954] 4e800020 3c4c00e8 3842dcf0 7c0802a6 f8010010 60000000 7c0802a6 fba1ffe8
+[ 92.499958] fbc1fff0 fbe1fff8 f8010010 f821ffc1 <e9230208> 7c7e1b78 2fa90000 419e0078
+[ 92.499962] ---[ end trace bed077e15eb420cf ]---
+
+It fails in dma_get_required_mask, that has ppc-specific implementation,
+and fail if provided device argument is NULL
+
+Signed-off-by: Mikhail Malygin <mikhail@malygin.me>
+Reviewed-by: Yonatan Cohen <yonatanc@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/sw/rxe/rxe_verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
+@@ -1206,7 +1206,7 @@ int rxe_register_device(struct rxe_dev *
+ rxe->ndev->dev_addr);
+ dev->dev.dma_ops = &dma_virt_ops;
+ dma_coerce_mask_and_coherent(&dev->dev,
+- dma_get_required_mask(dev->dev.parent));
++ dma_get_required_mask(&dev->dev));
+
+ dev->uverbs_abi_ver = RXE_UVERBS_ABI_VERSION;
+ dev->uverbs_cmd_mask = BIT_ULL(IB_USER_VERBS_CMD_GET_CONTEXT)
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Date: Mon, 26 Feb 2018 18:10:56 -0600
+Subject: ibmvnic: Allocate statistics buffers during probe
+
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+
+[ Upstream commit 53cc7721fdf12e649994cfb7d8f562acb0e4510b ]
+
+Currently, buffers holding individual queue statistics are allocated
+when the device is opened. If an ibmvnic interface is hotplugged or
+initialized but never opened, an attempt to get statistics with
+ethtool will result in a kernel panic.
+
+Since the driver allocates a constant number, the maximum supported
+queues, of buffers, these can be allocated during device probe and
+freed when the device is hot-unplugged or the module is removed.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -812,8 +812,6 @@ static void release_resources(struct ibm
+ release_tx_pools(adapter);
+ release_rx_pools(adapter);
+
+- release_stats_token(adapter);
+- release_stats_buffers(adapter);
+ release_error_buffers(adapter);
+
+ if (adapter->napi) {
+@@ -953,14 +951,6 @@ static int init_resources(struct ibmvnic
+ if (rc)
+ return rc;
+
+- rc = init_stats_buffers(adapter);
+- if (rc)
+- return rc;
+-
+- rc = init_stats_token(adapter);
+- if (rc)
+- return rc;
+-
+ adapter->vpd = kzalloc(sizeof(*adapter->vpd), GFP_KERNEL);
+ if (!adapter->vpd)
+ return -ENOMEM;
+@@ -4390,6 +4380,14 @@ static int ibmvnic_init(struct ibmvnic_a
+ release_crq_queue(adapter);
+ }
+
++ rc = init_stats_buffers(adapter);
++ if (rc)
++ return rc;
++
++ rc = init_stats_token(adapter);
++ if (rc)
++ return rc;
++
+ return rc;
+ }
+
+@@ -4497,6 +4495,9 @@ static int ibmvnic_remove(struct vio_dev
+ release_sub_crqs(adapter);
+ release_crq_queue(adapter);
+
++ release_stats_token(adapter);
++ release_stats_buffers(adapter);
++
+ adapter->state = VNIC_REMOVED;
+
+ mutex_unlock(&adapter->reset_lock);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: John Allen <jallen@linux.vnet.ibm.com>
+Date: Wed, 14 Mar 2018 10:41:29 -0500
+Subject: ibmvnic: Fix reset return from closed state
+
+From: John Allen <jallen@linux.vnet.ibm.com>
+
+[ Upstream commit e676d81c8990f511d60698a1a8abaa438b3f9d3d ]
+
+The case in which we handle a reset from the state where the device is
+closed seems to be bugged for all types of reset. For most types of reset
+we currently exit the reset routine correctly, but don't set the state to
+indicate that we are back in the "closed" state. For some specific cases,
+we don't exit the reset routine at all and resetting will cause a closed
+device to be opened.
+
+This patch fixes the problem by unconditionally checking the reset_state
+and correctly setting the adapter state before returning.
+
+Signed-off-by: John Allen <jallen@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1699,12 +1699,14 @@ static int do_reset(struct ibmvnic_adapt
+ rc = reset_rx_pools(adapter);
+ if (rc)
+ return rc;
+-
+- if (reset_state == VNIC_CLOSED)
+- return 0;
+ }
+ }
+
++ adapter->state = VNIC_CLOSED;
++
++ if (reset_state == VNIC_CLOSED)
++ return 0;
++
+ rc = __ibmvnic_open(netdev);
+ if (rc) {
+ if (list_empty(&adapter->rwi_list))
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Date: Mon, 26 Feb 2018 18:10:55 -0600
+Subject: ibmvnic: Fix TX descriptor tracking again
+
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+
+[ Upstream commit ecba616e041e64840d14e294b089ca355614b7fb ]
+
+Sorry, the previous change introduced a race condition between
+transmit completion processing and tracking TX descriptors. If a
+completion is received before the number of descriptors is logged,
+the number of descriptors will be add but not removed. After enough
+times, this could halt the transmit queue forever.
+
+Log the number of descriptors used by a transmit before sending.
+I stress tested the fix on two different systems running over the
+weekend without any issues.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1457,6 +1457,7 @@ static int ibmvnic_xmit(struct sk_buff *
+ if ((*hdrs >> 7) & 1) {
+ build_hdr_descs_arr(tx_buff, &num_entries, *hdrs);
+ tx_crq.v1.n_crq_elem = num_entries;
++ tx_buff->num_entries = num_entries;
+ tx_buff->indir_arr[0] = tx_crq;
+ tx_buff->indir_dma = dma_map_single(dev, tx_buff->indir_arr,
+ sizeof(tx_buff->indir_arr),
+@@ -1475,6 +1476,7 @@ static int ibmvnic_xmit(struct sk_buff *
+ (u64)tx_buff->indir_dma,
+ (u64)num_entries);
+ } else {
++ tx_buff->num_entries = num_entries;
+ lpar_rc = send_subcrq(adapter, handle_array[queue_num],
+ &tx_crq);
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Date: Fri, 6 Apr 2018 18:37:03 -0500
+Subject: ibmvnic: Zero used TX descriptor counter on reset
+
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+
+[ Upstream commit 41f714672f93608751dbd2fa2291d476a8ff0150 ]
+
+The counter that tracks used TX descriptors pending completion
+needs to be zeroed as part of a device reset. This change fixes
+a bug causing transmit queues to be stopped unnecessarily and in
+some cases a transmit queue stall and timeout reset. If the counter
+is not reset, the remaining descriptors will not be "removed",
+effectively reducing queue capacity. If the queue is over half full,
+it will cause the queue to stall if stopped.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -2266,6 +2266,7 @@ static int reset_one_sub_crq_queue(struc
+ }
+
+ memset(scrq->msgs, 0, 4 * PAGE_SIZE);
++ atomic_set(&scrq->used, 0);
+ scrq->cur = 0;
+
+ rc = h_reg_sub_crq(adapter->vdev->unit_address, scrq->msg_token,
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Harry Morris <h.morris@cascoda.com>
+Date: Wed, 28 Mar 2018 11:54:27 +0100
+Subject: ieee802154: ca8210: fix uninitialised data read
+
+From: Harry Morris <h.morris@cascoda.com>
+
+[ Upstream commit 86674a97f5055f4c7f406563408096e8cf9364ff ]
+
+In ca8210_test_int_user_write() a user can request the transfer of a
+frame with a length field (command.length) that is longer than the
+actual buffer provided (len). In this scenario the driver will copy
+the buffer contents into the uninitialised command[] buffer, then
+transfer <data.length> bytes over the SPI even though only <len> bytes
+had been populated, potentially leaking sensitive kernel memory.
+
+Also the first 6 bytes of the command buffer must be initialised in case
+a malformed, short packet is written and the uninitialised bytes are
+read in ca8210_test_check_upstream.
+
+Reported-by: Domen Puncer Kugler <domen.puncer@samsung.com>
+Signed-off-by: Harry Morris <h.morris@cascoda.com>
+Tested-by: Harry Morris <h.morris@cascoda.com>
+Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ieee802154/ca8210.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -2493,13 +2493,14 @@ static ssize_t ca8210_test_int_user_writ
+ struct ca8210_priv *priv = filp->private_data;
+ u8 command[CA8210_SPI_BUF_SIZE];
+
+- if (len > CA8210_SPI_BUF_SIZE) {
++ memset(command, SPI_IDLE, 6);
++ if (len > CA8210_SPI_BUF_SIZE || len < 2) {
+ dev_warn(
+ &priv->spi->dev,
+- "userspace requested erroneously long write (%zu)\n",
++ "userspace requested erroneous write length (%zu)\n",
+ len
+ );
+- return -EMSGSIZE;
++ return -EBADE;
+ }
+
+ ret = copy_from_user(command, in_buf, len);
+@@ -2511,6 +2512,13 @@ static ssize_t ca8210_test_int_user_writ
+ );
+ return -EIO;
+ }
++ if (len != command[1] + 2) {
++ dev_err(
++ &priv->spi->dev,
++ "write len does not match packet length field\n"
++ );
++ return -EBADE;
++ }
+
+ ret = ca8210_test_check_upstream(command, priv->spi);
+ if (ret == 0) {
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Sat, 10 Mar 2018 23:07:34 -0500
+Subject: ima: clear IMA_HASH
+
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+
+[ Upstream commit a9a4935d44b58c858a81393694bc232a96cdcbd4 ]
+
+The IMA_APPRAISE and IMA_HASH policies overlap. Clear IMA_HASH properly.
+
+Fixes: da1b0029f527 ("ima: support new "hash" and "dont_hash" policy actions")
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/ima/ima_policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -384,7 +384,7 @@ int ima_match_policy(struct inode *inode
+ action |= entry->action & IMA_DO_MASK;
+ if (entry->action & IMA_APPRAISE) {
+ action |= get_subaction(entry, func);
+- action ^= IMA_HASH;
++ action &= ~IMA_HASH;
+ }
+
+ if (entry->action & IMA_DO_MASK)
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Petr Vorel <pvorel@suse.cz>
+Date: Fri, 23 Mar 2018 14:41:08 +0100
+Subject: ima: Fallback to the builtin hash algorithm
+
+From: Petr Vorel <pvorel@suse.cz>
+
+[ Upstream commit ab60368ab6a452466885ef4edf0cefd089465132 ]
+
+IMA requires having it's hash algorithm be compiled-in due to it's
+early use. The default IMA algorithm is protected by Kconfig to be
+compiled-in.
+
+The ima_hash kernel parameter allows to choose the hash algorithm. When
+the specified algorithm is not available or available as a module, IMA
+initialization fails, which leads to a kernel panic (mknodat syscall calls
+ima_post_path_mknod()). Therefore as fallback we force IMA to use
+the default builtin Kconfig hash algorithm.
+
+Fixed crash:
+
+$ grep CONFIG_CRYPTO_MD4 .config
+CONFIG_CRYPTO_MD4=m
+
+[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.12.14-2.3-default root=UUID=74ae8202-9ca7-4e39-813b-22287ec52f7a video=1024x768-16 plymouth.ignore-serial-consoles console=ttyS0 console=tty resume=/dev/disk/by-path/pci-0000:00:07.0-part3 splash=silent showopts ima_hash=md4
+...
+[ 1.545190] ima: Can not allocate md4 (reason: -2)
+...
+[ 2.610120] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 2.611903] IP: ima_match_policy+0x23/0x390
+[ 2.612967] PGD 0 P4D 0
+[ 2.613080] Oops: 0000 [#1] SMP
+[ 2.613080] Modules linked in: autofs4
+[ 2.613080] Supported: Yes
+[ 2.613080] CPU: 0 PID: 1 Comm: systemd Not tainted 4.12.14-2.3-default #1
+[ 2.613080] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+[ 2.613080] task: ffff88003e2d0040 task.stack: ffffc90000190000
+[ 2.613080] RIP: 0010:ima_match_policy+0x23/0x390
+[ 2.613080] RSP: 0018:ffffc90000193e88 EFLAGS: 00010296
+[ 2.613080] RAX: 0000000000000000 RBX: 000000000000000c RCX: 0000000000000004
+[ 2.613080] RDX: 0000000000000010 RSI: 0000000000000001 RDI: ffff880037071728
+[ 2.613080] RBP: 0000000000008000 R08: 0000000000000000 R09: 0000000000000000
+[ 2.613080] R10: 0000000000000008 R11: 61c8864680b583eb R12: 00005580ff10086f
+[ 2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000008000
+[ 2.613080] FS: 00007f5c1da08940(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
+[ 2.613080] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 2.613080] CR2: 0000000000000000 CR3: 0000000037002000 CR4: 00000000003406f0
+[ 2.613080] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 2.613080] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 2.613080] Call Trace:
+[ 2.613080] ? shmem_mknod+0xbf/0xd0
+[ 2.613080] ima_post_path_mknod+0x1c/0x40
+[ 2.613080] SyS_mknod+0x210/0x220
+[ 2.613080] entry_SYSCALL_64_fastpath+0x1a/0xa5
+[ 2.613080] RIP: 0033:0x7f5c1bfde570
+[ 2.613080] RSP: 002b:00007ffde1c90dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000085
+[ 2.613080] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5c1bfde570
+[ 2.613080] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 00005580ff10086f
+[ 2.613080] RBP: 00007ffde1c91040 R08: 00005580ff10086f R09: 0000000000000000
+[ 2.613080] R10: 0000000000104000 R11: 0000000000000246 R12: 00005580ffb99660
+[ 2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
+[ 2.613080] Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 57 41 56 44 8d 14 09 41 55 41 54 55 53 44 89 d3 09 cb 48 83 ec 38 48 8b 05 c5 03 29 01 <4c> 8b 20 4c 39 e0 0f 84 d7 01 00 00 4c 89 44 24 08 89 54 24 20
+[ 2.613080] RIP: ima_match_policy+0x23/0x390 RSP: ffffc90000193e88
+[ 2.613080] CR2: 0000000000000000
+[ 2.613080] ---[ end trace 9a9f0a8a73079f6a ]---
+[ 2.673052] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
+[ 2.673052]
+[ 2.675337] Kernel Offset: disabled
+[ 2.676405] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
+
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/ima/ima_crypto.c | 2 ++
+ security/integrity/ima/ima_main.c | 13 +++++++++++++
+ 2 files changed, 15 insertions(+)
+
+--- a/security/integrity/ima/ima_crypto.c
++++ b/security/integrity/ima/ima_crypto.c
+@@ -73,6 +73,8 @@ int __init ima_init_crypto(void)
+ hash_algo_name[ima_hash_algo], rc);
+ return rc;
+ }
++ pr_info("Allocated hash algorithm: %s\n",
++ hash_algo_name[ima_hash_algo]);
+ return 0;
+ }
+
+--- a/security/integrity/ima/ima_main.c
++++ b/security/integrity/ima/ima_main.c
+@@ -16,6 +16,9 @@
+ * implements the IMA hooks: ima_bprm_check, ima_file_mmap,
+ * and ima_file_check.
+ */
++
++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
++
+ #include <linux/module.h>
+ #include <linux/file.h>
+ #include <linux/binfmts.h>
+@@ -472,6 +475,16 @@ static int __init init_ima(void)
+ ima_init_template_list();
+ hash_setup(CONFIG_IMA_DEFAULT_HASH);
+ error = ima_init();
++
++ if (error && strcmp(hash_algo_name[ima_hash_algo],
++ CONFIG_IMA_DEFAULT_HASH) != 0) {
++ pr_info("Allocating %s failed, going to use default hash algorithm %s\n",
++ hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH);
++ hash_setup_done = 0;
++ hash_setup(CONFIG_IMA_DEFAULT_HASH);
++ error = ima_init();
++ }
++
+ if (!error) {
+ ima_initialized = 1;
+ ima_update_policy_flag();
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Jiandi An <anjiandi@codeaurora.org>
+Date: Tue, 6 Mar 2018 23:26:26 -0600
+Subject: ima: Fix Kconfig to select TPM 2.0 CRB interface
+
+From: Jiandi An <anjiandi@codeaurora.org>
+
+[ Upstream commit fac37c628fd5d68fd7298d9b57ae8601ee1b4723 ]
+
+TPM_CRB driver provides TPM CRB 2.0 support. If it is built as a
+module, the TPM chip is registered after IMA init. tpm_pcr_read() in
+IMA fails and displays the following message even though eventually
+there is a TPM chip on the system.
+
+ima: No TPM chip found, activating TPM-bypass! (rc=-19)
+
+Fix IMA Kconfig to select TPM_CRB so TPM_CRB driver is built in the kernel
+and initializes before IMA.
+
+Signed-off-by: Jiandi An <anjiandi@codeaurora.org>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/ima/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/integrity/ima/Kconfig
++++ b/security/integrity/ima/Kconfig
+@@ -10,6 +10,7 @@ config IMA
+ select CRYPTO_HASH_INFO
+ select TCG_TPM if HAS_IOMEM && !UML
+ select TCG_TIS if TCG_TPM && X86
++ select TCG_CRB if TCG_TPM && ACPI
+ select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
+ help
+ The Trusted Computing Group(TCG) runtime Integrity
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Thu, 1 Mar 2018 10:15:32 +0200
+Subject: intel_th: Use correct method of finding hub
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+[ Upstream commit 9ad577087165478c9d9be82b15ed9bf2db5835f5 ]
+
+Since commit 8edc514b01e9 ("intel_th: Make SOURCE devices children of the
+root device") the hub is not the parent of SOURCE devices any more, so the
+new helper function should be used for that instead of always using the
+parent. The intel_th_set_output() path, however, still uses the old
+logic, leading to the hub driver structure being aliased with something
+else, like struct pci_driver or struct acpi_driver, and an incorrect call
+to an address inferred from that, potentially resulting in a crash.
+
+Fixes: 8edc514b01e9 ("intel_th: Make SOURCE devices children of the root device")
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/intel_th/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/intel_th/core.c
++++ b/drivers/hwtracing/intel_th/core.c
+@@ -935,7 +935,7 @@ EXPORT_SYMBOL_GPL(intel_th_trace_disable
+ int intel_th_set_output(struct intel_th_device *thdev,
+ unsigned int master)
+ {
+- struct intel_th_device *hub = to_intel_th_device(thdev->dev.parent);
++ struct intel_th_device *hub = to_intel_th_hub(thdev);
+ struct intel_th_driver *hubdrv = to_intel_th_driver(hub->dev.driver);
+
+ if (!hubdrv->set_output)
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Thu, 22 Mar 2018 16:22:33 +0100
+Subject: iommu/amd: Take into account that alloc_dev_data() may return NULL
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 39ffe39545cd5cb5b8cee9f0469165cf24dc62c2 ]
+
+find_dev_data() does not check whether the return value alloc_dev_data()
+is NULL. This was okay once because the pointer was returned once as-is.
+Since commit df3f7a6e8e85 ("iommu/amd: Use is_attach_deferred
+call-back") the pointer may be used within find_dev_data() so a NULL
+check is required.
+
+Cc: Baoquan He <bhe@redhat.com>
+Fixes: df3f7a6e8e85 ("iommu/amd: Use is_attach_deferred call-back")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/amd_iommu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -310,6 +310,8 @@ static struct iommu_dev_data *find_dev_d
+
+ if (dev_data == NULL) {
+ dev_data = alloc_dev_data(devid);
++ if (!dev_data)
++ return NULL;
+
+ if (translation_pre_enabled(iommu))
+ dev_data->defer_attach = true;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Yong Wu <yong.wu@mediatek.com>
+Date: Sun, 18 Mar 2018 09:52:54 +0800
+Subject: iommu/mediatek: Fix protect memory setting
+
+From: Yong Wu <yong.wu@mediatek.com>
+
+[ Upstream commit 70ca608b2ec6dafa6bb1c2b0691852fc78f8f717 ]
+
+In MediaTek's IOMMU design, When a iommu translation fault occurs
+(HW can NOT translate the destination address to a valid physical
+address), the IOMMU HW output the dirty data into a special memory
+to avoid corrupting the main memory, this is called "protect memory".
+the register(0x114) for protect memory is a little different between
+mt8173 and mt2712.
+
+In the mt8173, bit[30:6] in the register represents [31:7] of the
+physical address. In the 4GB mode, the register bit[31] should be 1.
+While in the mt2712, the bits don't shift. bit[31:7] in the register
+represents [31:7] in the physical address, and bit[1:0] in the
+register represents bit[33:32] of the physical address if it has.
+
+Fixes: e6dec9230862 ("iommu/mediatek: Add mt2712 IOMMU support")
+Reported-by: Honghui Zhang <honghui.zhang@mediatek.com>
+Signed-off-by: Yong Wu <yong.wu@mediatek.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/mtk_iommu.c | 15 ++++++++++-----
+ drivers/iommu/mtk_iommu.h | 1 +
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/iommu/mtk_iommu.c
++++ b/drivers/iommu/mtk_iommu.c
+@@ -60,7 +60,7 @@
+ (((prot) & 0x3) << F_MMU_TF_PROTECT_SEL_SHIFT(data))
+
+ #define REG_MMU_IVRP_PADDR 0x114
+-#define F_MMU_IVRP_PA_SET(pa, ext) (((pa) >> 1) | ((!!(ext)) << 31))
++
+ #define REG_MMU_VLD_PA_RNG 0x118
+ #define F_MMU_VLD_PA_RNG(EA, SA) (((EA) << 8) | (SA))
+
+@@ -539,8 +539,13 @@ static int mtk_iommu_hw_init(const struc
+ F_INT_PRETETCH_TRANSATION_FIFO_FAULT;
+ writel_relaxed(regval, data->base + REG_MMU_INT_MAIN_CONTROL);
+
+- writel_relaxed(F_MMU_IVRP_PA_SET(data->protect_base, data->enable_4GB),
+- data->base + REG_MMU_IVRP_PADDR);
++ if (data->m4u_plat == M4U_MT8173)
++ regval = (data->protect_base >> 1) | (data->enable_4GB << 31);
++ else
++ regval = lower_32_bits(data->protect_base) |
++ upper_32_bits(data->protect_base);
++ writel_relaxed(regval, data->base + REG_MMU_IVRP_PADDR);
++
+ if (data->enable_4GB && data->m4u_plat != M4U_MT8173) {
+ /*
+ * If 4GB mode is enabled, the validate PA range is from
+@@ -695,6 +700,7 @@ static int __maybe_unused mtk_iommu_susp
+ reg->ctrl_reg = readl_relaxed(base + REG_MMU_CTRL_REG);
+ reg->int_control0 = readl_relaxed(base + REG_MMU_INT_CONTROL0);
+ reg->int_main_control = readl_relaxed(base + REG_MMU_INT_MAIN_CONTROL);
++ reg->ivrp_paddr = readl_relaxed(base + REG_MMU_IVRP_PADDR);
+ clk_disable_unprepare(data->bclk);
+ return 0;
+ }
+@@ -717,8 +723,7 @@ static int __maybe_unused mtk_iommu_resu
+ writel_relaxed(reg->ctrl_reg, base + REG_MMU_CTRL_REG);
+ writel_relaxed(reg->int_control0, base + REG_MMU_INT_CONTROL0);
+ writel_relaxed(reg->int_main_control, base + REG_MMU_INT_MAIN_CONTROL);
+- writel_relaxed(F_MMU_IVRP_PA_SET(data->protect_base, data->enable_4GB),
+- base + REG_MMU_IVRP_PADDR);
++ writel_relaxed(reg->ivrp_paddr, base + REG_MMU_IVRP_PADDR);
+ if (data->m4u_dom)
+ writel(data->m4u_dom->cfg.arm_v7s_cfg.ttbr[0],
+ base + REG_MMU_PT_BASE_ADDR);
+--- a/drivers/iommu/mtk_iommu.h
++++ b/drivers/iommu/mtk_iommu.h
+@@ -32,6 +32,7 @@ struct mtk_iommu_suspend_reg {
+ u32 ctrl_reg;
+ u32 int_control0;
+ u32 int_main_control;
++ u32 ivrp_paddr;
+ };
+
+ enum mtk_iommu_plat {
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Davidlohr Bueso <dave@stgolabs.net>
+Date: Tue, 10 Apr 2018 16:35:30 -0700
+Subject: ipc/msg: introduce msgctl(MSG_STAT_ANY)
+
+From: Davidlohr Bueso <dave@stgolabs.net>
+
+[ Upstream commit 23c8cec8cf679b10997a512abb1e86f0cedc42ba ]
+
+There is a permission discrepancy when consulting msq ipc object
+metadata between /proc/sysvipc/msg (0444) and the MSG_STAT shmctl
+command. The later does permission checks for the object vs S_IRUGO.
+As such there can be cases where EACCESS is returned via syscall but the
+info is displayed anyways in the procfs files.
+
+While this might have security implications via info leaking (albeit no
+writing to the msq metadata), this behavior goes way back and showing
+all the objects regardless of the permissions was most likely an
+overlook - so we are stuck with it. Furthermore, modifying either the
+syscall or the procfs file can cause userspace programs to break (ie
+ipcs). Some applications require getting the procfs info (without root
+privileges) and can be rather slow in comparison with a syscall -- up to
+500x in some reported cases for shm.
+
+This patch introduces a new MSG_STAT_ANY command such that the msq ipc
+object permissions are ignored, and only audited instead. In addition,
+I've left the lsm security hook checks in place, as if some policy can
+block the call, then the user has no other choice than just parsing the
+procfs file.
+
+Link: http://lkml.kernel.org/r/20180215162458.10059-4-dave@stgolabs.net
+Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
+Reported-by: Robert Kettler <robert.kettler@outlook.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: Michael Kerrisk <mtk.manpages@gmail.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/msg.h | 1 +
+ ipc/msg.c | 17 ++++++++++++-----
+ security/selinux/hooks.c | 1 +
+ security/smack/smack_lsm.c | 1 +
+ 4 files changed, 15 insertions(+), 5 deletions(-)
+
+--- a/include/uapi/linux/msg.h
++++ b/include/uapi/linux/msg.h
+@@ -7,6 +7,7 @@
+ /* ipcs ctl commands */
+ #define MSG_STAT 11
+ #define MSG_INFO 12
++#define MSG_STAT_ANY 13
+
+ /* msgrcv options */
+ #define MSG_NOERROR 010000 /* no error if message is too big */
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -483,14 +483,14 @@ static int msgctl_stat(struct ipc_namesp
+ memset(p, 0, sizeof(*p));
+
+ rcu_read_lock();
+- if (cmd == MSG_STAT) {
++ if (cmd == MSG_STAT || cmd == MSG_STAT_ANY) {
+ msq = msq_obtain_object(ns, msqid);
+ if (IS_ERR(msq)) {
+ err = PTR_ERR(msq);
+ goto out_unlock;
+ }
+ id = msq->q_perm.id;
+- } else {
++ } else { /* IPC_STAT */
+ msq = msq_obtain_object_check(ns, msqid);
+ if (IS_ERR(msq)) {
+ err = PTR_ERR(msq);
+@@ -498,9 +498,14 @@ static int msgctl_stat(struct ipc_namesp
+ }
+ }
+
+- err = -EACCES;
+- if (ipcperms(ns, &msq->q_perm, S_IRUGO))
+- goto out_unlock;
++ /* see comment for SHM_STAT_ANY */
++ if (cmd == MSG_STAT_ANY)
++ audit_ipc_obj(&msq->q_perm);
++ else {
++ err = -EACCES;
++ if (ipcperms(ns, &msq->q_perm, S_IRUGO))
++ goto out_unlock;
++ }
+
+ err = security_msg_queue_msgctl(msq, cmd);
+ if (err)
+@@ -558,6 +563,7 @@ SYSCALL_DEFINE3(msgctl, int, msqid, int,
+ return err;
+ }
+ case MSG_STAT: /* msqid is an index rather than a msg queue id */
++ case MSG_STAT_ANY:
+ case IPC_STAT:
+ err = msgctl_stat(ns, msqid, cmd, &msqid64);
+ if (err < 0)
+@@ -671,6 +677,7 @@ COMPAT_SYSCALL_DEFINE3(msgctl, int, msqi
+ }
+ case IPC_STAT:
+ case MSG_STAT:
++ case MSG_STAT_ANY:
+ err = msgctl_stat(ns, msqid, cmd, &msqid64);
+ if (err < 0)
+ return err;
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -5590,6 +5590,7 @@ static int selinux_msg_queue_msgctl(stru
+ SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
+ case IPC_STAT:
+ case MSG_STAT:
++ case MSG_STAT_ANY:
+ perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
+ break;
+ case IPC_SET:
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -3294,6 +3294,7 @@ static int smack_msg_queue_msgctl(struct
+ switch (cmd) {
+ case IPC_STAT:
+ case MSG_STAT:
++ case MSG_STAT_ANY:
+ may = MAY_READ;
+ break;
+ case IPC_SET:
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Kamlakant Patel <kamlakant.patel@cavium.com>
+Date: Tue, 13 Mar 2018 16:32:27 +0530
+Subject: ipmi_ssif: Fix kernel panic at msg_done_handler
+
+From: Kamlakant Patel <kamlakant.patel@cavium.com>
+
+[ Upstream commit f002612b9d86613bc6fde0a444e0095225f6053e ]
+
+This happens when BMC doesn't return any data and the code is trying
+to print the value of data[2].
+
+Getting following crash:
+[ 484.728410] Unable to handle kernel NULL pointer dereference at virtual address 00000002
+[ 484.736496] pgd = ffff0000094a2000
+[ 484.739885] [00000002] *pgd=00000047fcffe003, *pud=00000047fcffd003, *pmd=0000000000000000
+[ 484.748158] Internal error: Oops: 96000005 [#1] SMP
+[...]
+[ 485.101451] Call trace:
+[...]
+[ 485.188473] [<ffff000000a46e68>] msg_done_handler+0x668/0x700 [ipmi_ssif]
+[ 485.195249] [<ffff000000a456b8>] ipmi_ssif_thread+0x110/0x128 [ipmi_ssif]
+[ 485.202038] [<ffff0000080f1430>] kthread+0x108/0x138
+[ 485.206994] [<ffff0000080838e0>] ret_from_fork+0x10/0x30
+[ 485.212294] Code: aa1903e1 aa1803e0 b900227f 95fef6a5 (39400aa3)
+
+Adding a check to validate the data len before printing data[2] to fix this issue.
+
+Signed-off-by: Kamlakant Patel <kamlakant.patel@cavium.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_ssif.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -761,7 +761,7 @@ static void msg_done_handler(struct ssif
+ ssif_info->ssif_state = SSIF_NORMAL;
+ ipmi_ssif_unlock_cond(ssif_info, flags);
+ pr_warn(PFX "Error getting flags: %d %d, %x\n",
+- result, len, data[2]);
++ result, len, (len >= 3) ? data[2] : 0);
+ } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2
+ || data[1] != IPMI_GET_MSG_FLAGS_CMD) {
+ /*
+@@ -783,7 +783,7 @@ static void msg_done_handler(struct ssif
+ if ((result < 0) || (len < 3) || (data[2] != 0)) {
+ /* Error clearing flags */
+ pr_warn(PFX "Error clearing flags: %d %d, %x\n",
+- result, len, data[2]);
++ result, len, (len >= 3) ? data[2] : 0);
+ } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2
+ || data[1] != IPMI_CLEAR_MSG_FLAGS_CMD) {
+ pr_warn(PFX "Invalid response clearing flags: %x %x\n",
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Mon, 18 Dec 2017 20:13:07 +0200
+Subject: iwlwifi: mvm: check if mac80211_queue is valid in iwl_mvm_disable_txq
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+[ Upstream commit 9a233bb8025105db9a60b5d761005cc5a6c77f3d ]
+
+Sometimes iwl_mvm_disable_txq() may be called with mac80211_queue ==
+IEEE80211_INVAL_HW_QUEUE, and this would cause us to use BIT(0xFF)
+which is way too large for the u16 we used to store it in
+hw_queue_to_mac820211. If this happens the following UBSAN warning
+will be generated:
+
+[ 167.185167] UBSAN: Undefined behaviour in drivers/net/wireless/intel/iwlwifi/mvm/utils.c:838:5
+[ 167.185171] shift exponent 255 is too large for 64-bit type 'long unsigned int'
+
+Fix that by checking that it is not IEEE80211_INVAL_HW_QUEUE and,
+while at it, add a warning if the queue number is larger than
+IEEE80211_MAX_QUEUES.
+
+Fixes: 34e10860ae8d ("iwlwifi: mvm: remove references to queue_info in new TX path")
+Reported-by: Paul Menzel <pmenzel+linux-wireless@molgen.mpg.de>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
+@@ -800,12 +800,19 @@ int iwl_mvm_disable_txq(struct iwl_mvm *
+ .scd_queue = queue,
+ .action = SCD_CFG_DISABLE_QUEUE,
+ };
+- bool remove_mac_queue = true;
++ bool remove_mac_queue = mac80211_queue != IEEE80211_INVAL_HW_QUEUE;
+ int ret;
+
++ if (WARN_ON(remove_mac_queue && mac80211_queue >= IEEE80211_MAX_QUEUES))
++ return -EINVAL;
++
+ if (iwl_mvm_has_new_tx_api(mvm)) {
+ spin_lock_bh(&mvm->queue_info_lock);
+- mvm->hw_queue_to_mac80211[queue] &= ~BIT(mac80211_queue);
++
++ if (remove_mac_queue)
++ mvm->hw_queue_to_mac80211[queue] &=
++ ~BIT(mac80211_queue);
++
+ spin_unlock_bh(&mvm->queue_info_lock);
+
+ iwl_trans_txq_free(mvm->trans, queue);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Tue, 19 Dec 2017 09:19:32 +0200
+Subject: iwlwifi: mvm: take RCU lock before dereferencing
+
+From: Sara Sharon <sara.sharon@intel.com>
+
+[ Upstream commit f4f155e5ec04d381b2f0870817d93dbdc259aa63 ]
+
+RCU isn't properly locked.
+
+Fixes: 46d372af9935 ("iwlwifi: mvm: rs: new rate scale API - add FW notifications")
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c
+@@ -234,13 +234,15 @@ void iwl_mvm_tlc_update_notif(struct iwl
+ struct iwl_mvm_sta *mvmsta;
+ struct iwl_lq_sta_rs_fw *lq_sta;
+
++ rcu_read_lock();
++
+ notif = (void *)pkt->data;
+ mvmsta = iwl_mvm_sta_from_staid_rcu(mvm, notif->sta_id);
+
+ if (!mvmsta) {
+ IWL_ERR(mvm, "Invalid sta id (%d) in FW TLC notification\n",
+ notif->sta_id);
+- return;
++ goto out;
+ }
+
+ lq_sta = &mvmsta->lq_sta.rs_fw;
+@@ -251,6 +253,8 @@ void iwl_mvm_tlc_update_notif(struct iwl
+ IWL_DEBUG_RATE(mvm, "new rate_n_flags: 0x%X\n",
+ lq_sta->last_rate_n_flags);
+ }
++out:
++ rcu_read_unlock();
+ }
+
+ void rs_fw_rate_init(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Jacob Keller <jacob.e.keller@intel.com>
+Date: Mon, 29 Jan 2018 15:57:48 -0800
+Subject: ixgbe: prevent ptp_rx_hang from running when in FILTER_ALL mode
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 6704a3abf4cf4181a1ee64f5db4969347b88ca1d ]
+
+On hardware which supports timestamping all packets, the timestamps are
+recorded in the packet buffer, and the driver no longer uses or reads
+the registers. This makes the logic for checking and clearing Rx
+timestamp hangs meaningless.
+
+If we run the ixgbe_ptp_rx_hang() function in this case, then the driver
+will continuously spam the log output with "Clearing Rx timestamp hang".
+These messages are spurious, and confusing to end users.
+
+The original code in commit a9763f3cb54c ("ixgbe: Update PTP to support
+X550EM_x devices", 2015-12-03) did have a flag PTP_RX_TIMESTAMP_IN_REGISTER
+which was intended to be used to avoid the Rx timestamp hang check,
+however it did not actually check the flag before calling the function.
+
+Do so now in order to stop the checks and prevent the spurious log
+messages.
+
+Fixes: a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x devices", 2015-12-03)
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -7711,7 +7711,8 @@ static void ixgbe_service_task(struct wo
+
+ if (test_bit(__IXGBE_PTP_RUNNING, &adapter->state)) {
+ ixgbe_ptp_overflow_check(adapter);
+- ixgbe_ptp_rx_hang(adapter);
++ if (adapter->flags & IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER)
++ ixgbe_ptp_rx_hang(adapter);
+ ixgbe_ptp_tx_hang(adapter);
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Tue, 10 Apr 2018 16:30:35 -0700
+Subject: kasan: fix invalid-free test crashing the kernel
+
+From: Andrey Konovalov <andreyknvl@google.com>
+
+[ Upstream commit 91c93ed07f04f5b32a30321d522d8ca9504745bf ]
+
+When an invalid-free is triggered by one of the KASAN tests, the object
+doesn't actually get freed. This later leads to a BUG failure in
+kmem_cache_destroy that checks that there are no allocated objects in
+the cache that is being destroyed.
+
+Fix this by calling kmem_cache_free with the proper object address after
+the call that triggers invalid-free.
+
+Link: http://lkml.kernel.org/r/286eaefc0a6c3fa9b83b87e7d6dc0fbb5b5c9926.1519924383.git.andreyknvl@google.com
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Nick Terrell <terrelln@fb.com>
+Cc: Chris Mason <clm@fb.com>
+Cc: Yury Norov <ynorov@caviumnetworks.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: "Luis R . Rodriguez" <mcgrof@kernel.org>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: "Paul E . McKenney" <paulmck@linux.vnet.ibm.com>
+Cc: Jeff Layton <jlayton@redhat.com>
+Cc: "Jason A . Donenfeld" <Jason@zx2c4.com>
+Cc: Kostya Serebryany <kcc@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/test_kasan.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/lib/test_kasan.c
++++ b/lib/test_kasan.c
+@@ -567,7 +567,15 @@ static noinline void __init kmem_cache_i
+ return;
+ }
+
++ /* Trigger invalid free, the object doesn't get freed */
+ kmem_cache_free(cache, p + 1);
++
++ /*
++ * Properly free the object to prevent the "Objects remaining in
++ * test_cache on __kmem_cache_shutdown" BUG failure.
++ */
++ kmem_cache_free(cache, p);
++
+ kmem_cache_destroy(cache);
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Tue, 10 Apr 2018 16:30:31 -0700
+Subject: kasan, slub: fix handling of kasan_slab_free hook
+
+From: Andrey Konovalov <andreyknvl@google.com>
+
+[ Upstream commit c3895391df385c6628638f014c87e16f5e2efd45 ]
+
+The kasan_slab_free hook's return value denotes whether the reuse of a
+slab object must be delayed (e.g. when the object is put into memory
+qurantine).
+
+The current way SLUB handles this hook is by ignoring its return value
+and hardcoding checks similar (but not exactly the same) to the ones
+performed in kasan_slab_free, which is prone to making mistakes.
+
+The main difference between the hardcoded checks and the ones in
+kasan_slab_free is whether we want to perform a free in case when an
+invalid-free or a double-free was detected (we don't).
+
+This patch changes the way SLUB handles this by:
+1. taking into account the return value of kasan_slab_free for each of
+ the objects, that are being freed;
+2. reconstructing the freelist of objects to exclude the ones, whose
+ reuse must be delayed.
+
+[andreyknvl@google.com: eliminate unnecessary branch in slab_free]
+ Link: http://lkml.kernel.org/r/a62759a2545fddf69b0c034547212ca1eb1b3ce2.1520359686.git.andreyknvl@google.com
+Link: http://lkml.kernel.org/r/083f58501e54731203801d899632d76175868e97.1519400992.git.andreyknvl@google.com
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Kostya Serebryany <kcc@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slub.c | 57 ++++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 34 insertions(+), 23 deletions(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1362,10 +1362,8 @@ static __always_inline void kfree_hook(v
+ kasan_kfree_large(x, _RET_IP_);
+ }
+
+-static __always_inline void *slab_free_hook(struct kmem_cache *s, void *x)
++static __always_inline bool slab_free_hook(struct kmem_cache *s, void *x)
+ {
+- void *freeptr;
+-
+ kmemleak_free_recursive(x, s->flags);
+
+ /*
+@@ -1385,17 +1383,12 @@ static __always_inline void *slab_free_h
+ if (!(s->flags & SLAB_DEBUG_OBJECTS))
+ debug_check_no_obj_freed(x, s->object_size);
+
+- freeptr = get_freepointer(s, x);
+- /*
+- * kasan_slab_free() may put x into memory quarantine, delaying its
+- * reuse. In this case the object's freelist pointer is changed.
+- */
+- kasan_slab_free(s, x, _RET_IP_);
+- return freeptr;
++ /* KASAN might put x into memory quarantine, delaying its reuse */
++ return kasan_slab_free(s, x, _RET_IP_);
+ }
+
+-static inline void slab_free_freelist_hook(struct kmem_cache *s,
+- void *head, void *tail)
++static inline bool slab_free_freelist_hook(struct kmem_cache *s,
++ void **head, void **tail)
+ {
+ /*
+ * Compiler cannot detect this function can be removed if slab_free_hook()
+@@ -1406,13 +1399,33 @@ static inline void slab_free_freelist_ho
+ defined(CONFIG_DEBUG_OBJECTS_FREE) || \
+ defined(CONFIG_KASAN)
+
+- void *object = head;
+- void *tail_obj = tail ? : head;
+- void *freeptr;
++ void *object;
++ void *next = *head;
++ void *old_tail = *tail ? *tail : *head;
++
++ /* Head and tail of the reconstructed freelist */
++ *head = NULL;
++ *tail = NULL;
+
+ do {
+- freeptr = slab_free_hook(s, object);
+- } while ((object != tail_obj) && (object = freeptr));
++ object = next;
++ next = get_freepointer(s, object);
++ /* If object's reuse doesn't have to be delayed */
++ if (!slab_free_hook(s, object)) {
++ /* Move object to the new freelist */
++ set_freepointer(s, object, *head);
++ *head = object;
++ if (!*tail)
++ *tail = object;
++ }
++ } while (object != old_tail);
++
++ if (*head == *tail)
++ *tail = NULL;
++
++ return *head != NULL;
++#else
++ return true;
+ #endif
+ }
+
+@@ -2965,14 +2978,12 @@ static __always_inline void slab_free(st
+ void *head, void *tail, int cnt,
+ unsigned long addr)
+ {
+- slab_free_freelist_hook(s, head, tail);
+ /*
+- * slab_free_freelist_hook() could have put the items into quarantine.
+- * If so, no need to free them.
++ * With KASAN enabled slab_free_freelist_hook modifies the freelist
++ * to remove objects, whose reuse must be delayed.
+ */
+- if (s->flags & SLAB_KASAN && !(s->flags & SLAB_TYPESAFE_BY_RCU))
+- return;
+- do_slab_free(s, page, head, tail, cnt, addr);
++ if (slab_free_freelist_hook(s, &head, &tail))
++ do_slab_free(s, page, head, tail, cnt, addr);
+ }
+
+ #ifdef CONFIG_KASAN
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Fri, 8 Dec 2017 10:19:19 -0800
+Subject: kdb: make "mdr" command repeat
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 1e0ce03bf142454f38a5fc050bf4fd698d2d36d8 ]
+
+The "mdr" command should repeat (continue) when only Enter/Return
+is pressed, so make it do so.
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Daniel Thompson <daniel.thompson@linaro.org>
+Cc: Jason Wessel <jason.wessel@windriver.com>
+Cc: kgdb-bugreport@lists.sourceforge.net
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/debug/kdb/kdb_main.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/kernel/debug/kdb/kdb_main.c
++++ b/kernel/debug/kdb/kdb_main.c
+@@ -1566,6 +1566,7 @@ static int kdb_md(int argc, const char *
+ int symbolic = 0;
+ int valid = 0;
+ int phys = 0;
++ int raw = 0;
+
+ kdbgetintenv("MDCOUNT", &mdcount);
+ kdbgetintenv("RADIX", &radix);
+@@ -1575,9 +1576,10 @@ static int kdb_md(int argc, const char *
+ repeat = mdcount * 16 / bytesperword;
+
+ if (strcmp(argv[0], "mdr") == 0) {
+- if (argc != 2)
++ if (argc == 2 || (argc == 0 && last_addr != 0))
++ valid = raw = 1;
++ else
+ return KDB_ARGCOUNT;
+- valid = 1;
+ } else if (isdigit(argv[0][2])) {
+ bytesperword = (int)(argv[0][2] - '0');
+ if (bytesperword == 0) {
+@@ -1613,7 +1615,10 @@ static int kdb_md(int argc, const char *
+ radix = last_radix;
+ bytesperword = last_bytesperword;
+ repeat = last_repeat;
+- mdcount = ((repeat * bytesperword) + 15) / 16;
++ if (raw)
++ mdcount = repeat;
++ else
++ mdcount = ((repeat * bytesperword) + 15) / 16;
+ }
+
+ if (argc) {
+@@ -1630,7 +1635,10 @@ static int kdb_md(int argc, const char *
+ diag = kdbgetularg(argv[nextarg], &val);
+ if (!diag) {
+ mdcount = (int) val;
+- repeat = mdcount * 16 / bytesperword;
++ if (raw)
++ repeat = mdcount;
++ else
++ repeat = mdcount * 16 / bytesperword;
+ }
+ }
+ if (argc >= nextarg+1) {
+@@ -1640,8 +1648,15 @@ static int kdb_md(int argc, const char *
+ }
+ }
+
+- if (strcmp(argv[0], "mdr") == 0)
+- return kdb_mdr(addr, mdcount);
++ if (strcmp(argv[0], "mdr") == 0) {
++ int ret;
++ last_addr = addr;
++ ret = kdb_mdr(addr, mdcount);
++ last_addr += mdcount;
++ last_repeat = mdcount;
++ last_bytesperword = bytesperword; // to make REPEAT happy
++ return ret;
++ }
+
+ switch (radix) {
+ case 10:
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Fri, 9 Feb 2018 14:01:33 +0100
+Subject: KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+[ Upstream commit 0bcc3fb95b97ac2ca223a5a870287b37f56265ac ]
+
+Devices which use level-triggered interrupts under Windows 2016 with
+Hyper-V role enabled don't work: Windows disables EOI broadcast in SPIV
+unconditionally. Our in-kernel IOAPIC implementation emulates an old IOAPIC
+version which has no EOI register so EOI never happens.
+
+The issue was discovered and discussed a while ago:
+https://www.spinics.net/lists/kvm/msg148098.html
+
+While this is a guest OS bug (it should check that IOAPIC has the required
+capabilities before disabling EOI broadcast) we can workaround it in KVM:
+advertising DIRECTED_EOI with in-kernel IOAPIC makes little sense anyway.
+
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/lapic.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -321,8 +321,16 @@ void kvm_apic_set_version(struct kvm_vcp
+ if (!lapic_in_kernel(vcpu))
+ return;
+
++ /*
++ * KVM emulates 82093AA datasheet (with in-kernel IOAPIC implementation)
++ * which doesn't have EOI register; Some buggy OSes (e.g. Windows with
++ * Hyper-V role) disable EOI broadcast in lapic not checking for IOAPIC
++ * version first and level-triggered interrupts never get EOIed in
++ * IOAPIC.
++ */
+ feat = kvm_find_cpuid_entry(apic->vcpu, 0x1, 0);
+- if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))))
++ if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))) &&
++ !ioapic_in_kernel(vcpu->kvm))
+ v |= APIC_LVR_DIRECTED_EOI;
+ kvm_lapic_set_reg(apic, APIC_LVR, v);
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Fri, 23 Mar 2018 09:34:00 -0700
+Subject: KVM: VMX: raise internal error for exception during invalid protected mode state
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+[ Upstream commit add5ff7a216ee545a214013f26d1ef2f44a9c9f8 ]
+
+Exit to userspace with KVM_INTERNAL_ERROR_EMULATION if we encounter
+an exception in Protected Mode while emulating guest due to invalid
+guest state. Unlike Big RM, KVM doesn't support emulating exceptions
+in PM, i.e. PM exceptions are always injected via the VMCS. Because
+we will never do VMRESUME due to emulation_required, the exception is
+never realized and we'll keep emulating the faulting instruction over
+and over until we receive a signal.
+
+Exit to userspace iff there is a pending exception, i.e. don't exit
+simply on a requested event. The purpose of this check and exit is to
+aid in debugging a guest that is in all likelihood already doomed.
+Invalid guest state in PM is extremely limited in normal operation,
+e.g. it generally only occurs for a few instructions early in BIOS,
+and any exception at this time is all but guaranteed to be fatal.
+Non-vectored interrupts, e.g. INIT, SIPI and SMI, can be cleanly
+handled/emulated, while checking for vectored interrupts, e.g. INTR
+and NMI, without hitting false positives would add a fair amount of
+complexity for almost no benefit (getting hit by lightning seems
+more likely than encountering this specific scenario).
+
+Add a WARN_ON_ONCE to vmx_queue_exception() if we try to inject an
+exception via the VMCS and emulation_required is true.
+
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2555,6 +2555,8 @@ static void vmx_queue_exception(struct k
+ return;
+ }
+
++ WARN_ON_ONCE(vmx->emulation_required);
++
+ if (kvm_exception_is_soft(nr)) {
+ vmcs_write32(VM_ENTRY_INSTRUCTION_LEN,
+ vmx->vcpu.arch.event_exit_inst_len);
+@@ -6849,12 +6851,12 @@ static int handle_invalid_guest_state(st
+ goto out;
+ }
+
+- if (err != EMULATE_DONE) {
+- vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+- vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
+- vcpu->run->internal.ndata = 0;
+- return 0;
+- }
++ if (err != EMULATE_DONE)
++ goto emulation_error;
++
++ if (vmx->emulation_required && !vmx->rmode.vm86_active &&
++ vcpu->arch.exception.pending)
++ goto emulation_error;
+
+ if (vcpu->arch.halt_request) {
+ vcpu->arch.halt_request = 0;
+@@ -6870,6 +6872,12 @@ static int handle_invalid_guest_state(st
+
+ out:
+ return ret;
++
++emulation_error:
++ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
++ vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
++ vcpu->run->internal.ndata = 0;
++ return 0;
+ }
+
+ static int __grow_ple_window(int val)
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Alexander Graf <agraf@suse.de>
+Date: Wed, 4 Apr 2018 00:19:35 +0200
+Subject: lan78xx: Connect phy early
+
+From: Alexander Graf <agraf@suse.de>
+
+[ Upstream commit 92571a1aae40d291158d16e7142637908220f470 ]
+
+When using wicked with a lan78xx device attached to the system, we
+end up with ethtool commands issued on the device before an ifup
+got issued. That lead to the following crash:
+
+ Unable to handle kernel NULL pointer dereference at virtual address 0000039c
+ pgd = ffff800035b30000
+ [0000039c] *pgd=0000000000000000
+ Internal error: Oops: 96000004 [#1] SMP
+ Modules linked in: [...]
+ Supported: Yes
+ CPU: 3 PID: 638 Comm: wickedd Tainted: G E 4.12.14-0-default #1
+ Hardware name: raspberrypi rpi/rpi, BIOS 2018.03-rc2 02/21/2018
+ task: ffff800035e74180 task.stack: ffff800036718000
+ PC is at phy_ethtool_ksettings_get+0x20/0x98
+ LR is at lan78xx_get_link_ksettings+0x44/0x60 [lan78xx]
+ pc : [<ffff0000086f7f30>] lr : [<ffff000000dcca84>] pstate: 20000005
+ sp : ffff80003671bb20
+ x29: ffff80003671bb20 x28: ffff800035e74180
+ x27: ffff000008912000 x26: 000000000000001d
+ x25: 0000000000000124 x24: ffff000008f74d00
+ x23: 0000004000114809 x22: 0000000000000000
+ x21: ffff80003671bbd0 x20: 0000000000000000
+ x19: ffff80003671bbd0 x18: 000000000000040d
+ x17: 0000000000000001 x16: 0000000000000000
+ x15: 0000000000000000 x14: ffffffffffffffff
+ x13: 0000000000000000 x12: 0000000000000020
+ x11: 0101010101010101 x10: fefefefefefefeff
+ x9 : 7f7f7f7f7f7f7f7f x8 : fefefeff31677364
+ x7 : 0000000080808080 x6 : ffff80003671bc9c
+ x5 : ffff80003671b9f8 x4 : ffff80002c296190
+ x3 : 0000000000000000 x2 : 0000000000000000
+ x1 : ffff80003671bbd0 x0 : ffff80003671bc00
+ Process wickedd (pid: 638, stack limit = 0xffff800036718000)
+ Call trace:
+ Exception stack(0xffff80003671b9e0 to 0xffff80003671bb20)
+ b9e0: ffff80003671bc00 ffff80003671bbd0 0000000000000000 0000000000000000
+ ba00: ffff80002c296190 ffff80003671b9f8 ffff80003671bc9c 0000000080808080
+ ba20: fefefeff31677364 7f7f7f7f7f7f7f7f fefefefefefefeff 0101010101010101
+ ba40: 0000000000000020 0000000000000000 ffffffffffffffff 0000000000000000
+ ba60: 0000000000000000 0000000000000001 000000000000040d ffff80003671bbd0
+ ba80: 0000000000000000 ffff80003671bbd0 0000000000000000 0000004000114809
+ baa0: ffff000008f74d00 0000000000000124 000000000000001d ffff000008912000
+ bac0: ffff800035e74180 ffff80003671bb20 ffff000000dcca84 ffff80003671bb20
+ bae0: ffff0000086f7f30 0000000020000005 ffff80002c296000 ffff800035223900
+ bb00: 0000ffffffffffff 0000000000000000 ffff80003671bb20 ffff0000086f7f30
+ [<ffff0000086f7f30>] phy_ethtool_ksettings_get+0x20/0x98
+ [<ffff000000dcca84>] lan78xx_get_link_ksettings+0x44/0x60 [lan78xx]
+ [<ffff0000087cbc40>] ethtool_get_settings+0x68/0x210
+ [<ffff0000087cc0d4>] dev_ethtool+0x214/0x2180
+ [<ffff0000087e5008>] dev_ioctl+0x400/0x630
+ [<ffff00000879dd00>] sock_do_ioctl+0x70/0x88
+ [<ffff00000879f5f8>] sock_ioctl+0x208/0x368
+ [<ffff0000082cde10>] do_vfs_ioctl+0xb0/0x848
+ [<ffff0000082ce634>] SyS_ioctl+0x8c/0xa8
+ Exception stack(0xffff80003671bec0 to 0xffff80003671c000)
+ bec0: 0000000000000009 0000000000008946 0000fffff4e841d0 0000aa0032687465
+ bee0: 0000aaaafa2319d4 0000fffff4e841d4 0000000032687465 0000000032687465
+ bf00: 000000000000001d 7f7fff7f7f7f7f7f 72606b622e71ff4c 7f7f7f7f7f7f7f7f
+ bf20: 0101010101010101 0000000000000020 ffffffffffffffff 0000ffff7f510c68
+ bf40: 0000ffff7f6a9d18 0000ffff7f44ce30 000000000000040d 0000ffff7f6f98f0
+ bf60: 0000fffff4e842c0 0000000000000001 0000aaaafa2c2e00 0000ffff7f6ab000
+ bf80: 0000fffff4e842c0 0000ffff7f62a000 0000aaaafa2b9f20 0000aaaafa2c2e00
+ bfa0: 0000fffff4e84818 0000fffff4e841a0 0000ffff7f5ad0cc 0000fffff4e841a0
+ bfc0: 0000ffff7f44ce3c 0000000080000000 0000000000000009 000000000000001d
+ bfe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+
+The culprit is quite simple: The driver tries to access the phy left and right,
+but only actually has a working reference to it when the device is up.
+
+The fix thus is quite simple too: Get a reference to the phy on probe already
+and keep it even when the device is going down.
+
+With this patch applied, I can successfully run wicked on my system and bring
+the interface up and down as many times as I want, without getting NULL pointer
+dereferences in between.
+
+Signed-off-by: Alexander Graf <agraf@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/lan78xx.c | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2083,10 +2083,6 @@ static int lan78xx_phy_init(struct lan78
+
+ dev->fc_autoneg = phydev->autoneg;
+
+- phy_start(phydev);
+-
+- netif_dbg(dev, ifup, dev->net, "phy initialised successfully");
+-
+ return 0;
+
+ error:
+@@ -2523,9 +2519,9 @@ static int lan78xx_open(struct net_devic
+ if (ret < 0)
+ goto done;
+
+- ret = lan78xx_phy_init(dev);
+- if (ret < 0)
+- goto done;
++ phy_start(net->phydev);
++
++ netif_dbg(dev, ifup, dev->net, "phy initialised successfully");
+
+ /* for Link Check */
+ if (dev->urb_intr) {
+@@ -2586,13 +2582,8 @@ static int lan78xx_stop(struct net_devic
+ if (timer_pending(&dev->stat_monitor))
+ del_timer_sync(&dev->stat_monitor);
+
+- phy_unregister_fixup_for_uid(PHY_KSZ9031RNX, 0xfffffff0);
+- phy_unregister_fixup_for_uid(PHY_LAN8835, 0xfffffff0);
+-
+- phy_stop(net->phydev);
+- phy_disconnect(net->phydev);
+-
+- net->phydev = NULL;
++ if (net->phydev)
++ phy_stop(net->phydev);
+
+ clear_bit(EVENT_DEV_OPEN, &dev->flags);
+ netif_stop_queue(net);
+@@ -3507,8 +3498,13 @@ static void lan78xx_disconnect(struct us
+ return;
+
+ udev = interface_to_usbdev(intf);
+-
+ net = dev->net;
++
++ phy_unregister_fixup_for_uid(PHY_KSZ9031RNX, 0xfffffff0);
++ phy_unregister_fixup_for_uid(PHY_LAN8835, 0xfffffff0);
++
++ phy_disconnect(net->phydev);
++
+ unregister_netdev(net);
+
+ cancel_delayed_work_sync(&dev->wq);
+@@ -3664,8 +3660,14 @@ static int lan78xx_probe(struct usb_inte
+ pm_runtime_set_autosuspend_delay(&udev->dev,
+ DEFAULT_AUTOSUSPEND_DELAY);
+
++ ret = lan78xx_phy_init(dev);
++ if (ret < 0)
++ goto out4;
++
+ return 0;
+
++out4:
++ unregister_netdev(netdev);
+ out3:
+ lan78xx_unbind(dev, intf);
+ out2:
+@@ -4013,7 +4015,7 @@ static int lan78xx_reset_resume(struct u
+
+ lan78xx_reset(dev);
+
+- lan78xx_phy_init(dev);
++ phy_start(dev->net->phydev);
+
+ return lan78xx_resume(intf);
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Omar Sandoval <osandov@fb.com>
+Date: Mon, 26 Mar 2018 21:39:11 -0700
+Subject: loop: don't call into filesystem while holding lo_ctl_mutex
+
+From: Omar Sandoval <osandov@fb.com>
+
+[ Upstream commit 2d1d4c1e591fd40bd7dafd868a249d7d00e215d5 ]
+
+We hit an issue where a loop device on NFS was stuck in
+loop_get_status() doing vfs_getattr() after the NFS server died, which
+caused a pile-up of uninterruptible processes waiting on lo_ctl_mutex.
+There's no reason to hold this lock while we wait on the filesystem;
+let's drop it so that other processes can do their thing. We need to
+grab a reference on lo_backing_file while we use it, and we can get rid
+of the check on lo_device, which has been unnecessary since commit
+a34c0ae9ebd6 ("[PATCH] loop: remove the bio remapping capability") in
+the linux-history tree.
+
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/loop.c | 38 ++++++++++++++++++++++++--------------
+ 1 file changed, 24 insertions(+), 14 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1171,21 +1171,17 @@ loop_set_status(struct loop_device *lo,
+ static int
+ loop_get_status(struct loop_device *lo, struct loop_info64 *info)
+ {
+- struct file *file = lo->lo_backing_file;
++ struct file *file;
+ struct kstat stat;
+- int error;
++ int ret;
+
+- if (lo->lo_state != Lo_bound)
++ if (lo->lo_state != Lo_bound) {
++ mutex_unlock(&lo->lo_ctl_mutex);
+ return -ENXIO;
+- error = vfs_getattr(&file->f_path, &stat,
+- STATX_INO, AT_STATX_SYNC_AS_STAT);
+- if (error)
+- return error;
++ }
++
+ memset(info, 0, sizeof(*info));
+ info->lo_number = lo->lo_number;
+- info->lo_device = huge_encode_dev(stat.dev);
+- info->lo_inode = stat.ino;
+- info->lo_rdevice = huge_encode_dev(lo->lo_device ? stat.rdev : stat.dev);
+ info->lo_offset = lo->lo_offset;
+ info->lo_sizelimit = lo->lo_sizelimit;
+ info->lo_flags = lo->lo_flags;
+@@ -1198,7 +1194,19 @@ loop_get_status(struct loop_device *lo,
+ memcpy(info->lo_encrypt_key, lo->lo_encrypt_key,
+ lo->lo_encrypt_key_size);
+ }
+- return 0;
++
++ /* Drop lo_ctl_mutex while we call into the filesystem. */
++ file = get_file(lo->lo_backing_file);
++ mutex_unlock(&lo->lo_ctl_mutex);
++ ret = vfs_getattr(&file->f_path, &stat, STATX_INO,
++ AT_STATX_SYNC_AS_STAT);
++ if (!ret) {
++ info->lo_device = huge_encode_dev(stat.dev);
++ info->lo_inode = stat.ino;
++ info->lo_rdevice = huge_encode_dev(stat.rdev);
++ }
++ fput(file);
++ return ret;
+ }
+
+ static void
+@@ -1378,7 +1386,8 @@ static int lo_ioctl(struct block_device
+ break;
+ case LOOP_GET_STATUS:
+ err = loop_get_status_old(lo, (struct loop_info __user *) arg);
+- break;
++ /* loop_get_status() unlocks lo_ctl_mutex */
++ goto out_unlocked;
+ case LOOP_SET_STATUS64:
+ err = -EPERM;
+ if ((mode & FMODE_WRITE) || capable(CAP_SYS_ADMIN))
+@@ -1387,7 +1396,8 @@ static int lo_ioctl(struct block_device
+ break;
+ case LOOP_GET_STATUS64:
+ err = loop_get_status64(lo, (struct loop_info64 __user *) arg);
+- break;
++ /* loop_get_status() unlocks lo_ctl_mutex */
++ goto out_unlocked;
+ case LOOP_SET_CAPACITY:
+ err = -EPERM;
+ if ((mode & FMODE_WRITE) || capable(CAP_SYS_ADMIN))
+@@ -1548,7 +1558,7 @@ static int lo_compat_ioctl(struct block_
+ mutex_lock(&lo->lo_ctl_mutex);
+ err = loop_get_status_compat(
+ lo, (struct compat_loop_info __user *) arg);
+- mutex_unlock(&lo->lo_ctl_mutex);
++ /* loop_get_status() unlocks lo_ctl_mutex */
+ break;
+ case LOOP_SET_CAPACITY:
+ case LOOP_CLR_FD:
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Greg Ungerer <gerg@linux-m68k.org>
+Date: Wed, 28 Mar 2018 17:12:18 +1000
+Subject: m68k: set dma and coherent masks for platform FEC ethernets
+
+From: Greg Ungerer <gerg@linux-m68k.org>
+
+[ Upstream commit f61e64310b75733d782e930d1fb404b84699eed6 ]
+
+As of commit 205e1b7f51e4 ("dma-mapping: warn when there is no
+coherent_dma_mask") the Freescale FEC driver is issuing the following
+warning on driver initialization on ColdFire systems:
+
+WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 0x40159e20
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc7-dirty #4
+Stack from 41833dd8:
+ 41833dd8 40259c53 40025534 40279e26 00000003 00000000 4004e514 41827000
+ 400255de 40244e42 00000204 40159e20 00000009 00000000 00000000 4024531d
+ 40159e20 40244e42 00000204 00000000 00000000 00000000 00000007 00000000
+ 00000000 40279e26 4028d040 40226576 4003ae88 40279e26 418273f6 41833ef8
+ 7fffffff 418273f2 41867028 4003c9a2 4180ac6c 00000004 41833f8c 4013e71c
+ 40279e1c 40279e26 40226c16 4013ced2 40279e26 40279e58 4028d040 00000000
+Call Trace:
+ [<40025534>] 0x40025534
+ [<4004e514>] 0x4004e514
+ [<400255de>] 0x400255de
+ [<40159e20>] 0x40159e20
+ [<40159e20>] 0x40159e20
+
+It is not fatal, the driver and the system continue to function normally.
+
+As per the warning the coherent_dma_mask is not set on this device.
+There is nothing special about the DMA memory coherency on this hardware
+so we can just set the mask to 32bits in the platform data for the FEC
+ethernet devices.
+
+Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/m68k/coldfire/device.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/arch/m68k/coldfire/device.c
++++ b/arch/m68k/coldfire/device.c
+@@ -135,7 +135,11 @@ static struct platform_device mcf_fec0 =
+ .id = 0,
+ .num_resources = ARRAY_SIZE(mcf_fec0_resources),
+ .resource = mcf_fec0_resources,
+- .dev.platform_data = FEC_PDATA,
++ .dev = {
++ .dma_mask = &mcf_fec0.dev.coherent_dma_mask,
++ .coherent_dma_mask = DMA_BIT_MASK(32),
++ .platform_data = FEC_PDATA,
++ }
+ };
+
+ #ifdef MCFFEC_BASE1
+@@ -167,7 +171,11 @@ static struct platform_device mcf_fec1 =
+ .id = 1,
+ .num_resources = ARRAY_SIZE(mcf_fec1_resources),
+ .resource = mcf_fec1_resources,
+- .dev.platform_data = FEC_PDATA,
++ .dev = {
++ .dma_mask = &mcf_fec1.dev.coherent_dma_mask,
++ .coherent_dma_mask = DMA_BIT_MASK(32),
++ .platform_data = FEC_PDATA,
++ }
+ };
+ #endif /* MCFFEC_BASE1 */
+ #endif /* CONFIG_FEC */
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 26 Mar 2018 16:21:04 +0300
+Subject: mac80211: don't WARN on bad WMM parameters from buggy APs
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit c470bdc1aaf36669e04ba65faf1092b2d1c6cabe ]
+
+Apparently, some APs are buggy enough to send a zeroed
+WMM IE. Don't WARN on this since this is not caused by a bug
+on the client's system.
+
+This aligns the condition of the WARNING in drv_conf_tx
+with the validity check in ieee80211_sta_wmm_params.
+We will now pick the default values whenever we get
+a zeroed WMM IE.
+
+This has been reported here:
+https://bugzilla.kernel.org/show_bug.cgi?id=199161
+
+Fixes: f409079bb678 ("mac80211: sanity check CW_min/CW_max towards driver")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mlme.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1786,7 +1786,8 @@ static bool ieee80211_sta_wmm_params(str
+ params[ac].acm = acm;
+ params[ac].uapsd = uapsd;
+
+- if (params[ac].cw_min > params[ac].cw_max) {
++ if (params->cw_min == 0 ||
++ params[ac].cw_min > params[ac].cw_max) {
+ sdata_info(sdata,
+ "AP has invalid WMM params (CWmin/max=%d/%d for ACI %d), using defaults\n",
+ params[ac].cw_min, params[ac].cw_max, aci);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Pierre Bourdon <delroth@google.com>
+Date: Tue, 20 Feb 2018 16:03:18 +0100
+Subject: max17042: propagate of_node to power supply device
+
+From: Pierre Bourdon <delroth@google.com>
+
+[ Upstream commit 66ec32fc7cd116dab5c02603ea8ec28ff92da3b5 ]
+
+max17042_get_status uses the core power_supply_am_i_supplied. That
+function relies on DT properties to figure out the power supply
+topology, and will error out without DT.
+
+Fixes max17042 battery status being reported as "unknown".
+
+Signed-off-by: Pierre Bourdon <delroth@google.com>
+Signed-off-by: Andre Heider <a.heider@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/max17042_battery.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/power/supply/max17042_battery.c
++++ b/drivers/power/supply/max17042_battery.c
+@@ -1053,6 +1053,7 @@ static int max17042_probe(struct i2c_cli
+
+ i2c_set_clientdata(client, chip);
+ psy_cfg.drv_data = chip;
++ psy_cfg.of_node = dev->of_node;
+
+ /* When current is not measured,
+ * CURRENT_NOW and CURRENT_AVG properties should be invisible. */
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Brad Love <brad@nextdimension.cc>
+Date: Tue, 6 Mar 2018 14:15:37 -0500
+Subject: media: cx23885: Override 888 ImpactVCBe crystal frequency
+
+From: Brad Love <brad@nextdimension.cc>
+
+[ Upstream commit 779c79d4b833ec646b0aed878da38edb45bbe156 ]
+
+Hauppauge produced a revision of ImpactVCBe using an 888,
+with a 25MHz crystal, instead of using the default third
+overtone 50Mhz crystal. This overrides that frequency so
+that the cx25840 is properly configured. Without the proper
+crystal setup the cx25840 cannot load the firmware or
+decode video.
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/cx23885/cx23885-core.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/media/pci/cx23885/cx23885-core.c
++++ b/drivers/media/pci/cx23885/cx23885-core.c
+@@ -873,6 +873,16 @@ static int cx23885_dev_setup(struct cx23
+ if (cx23885_boards[dev->board].clk_freq > 0)
+ dev->clk_freq = cx23885_boards[dev->board].clk_freq;
+
++ if (dev->board == CX23885_BOARD_HAUPPAUGE_IMPACTVCBE &&
++ dev->pci->subsystem_device == 0x7137) {
++ /* Hauppauge ImpactVCBe device ID 0x7137 is populated
++ * with an 888, and a 25Mhz crystal, instead of the
++ * usual third overtone 50Mhz. The default clock rate must
++ * be overridden so the cx25840 is properly configured
++ */
++ dev->clk_freq = 25000000;
++ }
++
+ dev->pci_bus = dev->pci->bus->number;
+ dev->pci_slot = PCI_SLOT(dev->pci->devfn);
+ cx23885_irq_add(dev, 0x001f00);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Brad Love <brad@nextdimension.cc>
+Date: Tue, 6 Mar 2018 14:15:36 -0500
+Subject: media: cx23885: Set subdev host data to clk_freq pointer
+
+From: Brad Love <brad@nextdimension.cc>
+
+[ Upstream commit 5ceade1d97fc6687e050c44c257382c192f56276 ]
+
+Currently clk_freq is ignored entirely, because the cx235840 driver
+configures the xtal at the chip defaults. This is an issue if a
+board is produced with a non-default frequency crystal. If clk_freq
+is not zero the cx25840 will attempt to use the setting provided,
+or fall back to defaults otherwise.
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/cx23885/cx23885-cards.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/pci/cx23885/cx23885-cards.c
++++ b/drivers/media/pci/cx23885/cx23885-cards.c
+@@ -2286,6 +2286,10 @@ void cx23885_card_setup(struct cx23885_d
+ &dev->i2c_bus[2].i2c_adap,
+ "cx25840", 0x88 >> 1, NULL);
+ if (dev->sd_cx25840) {
++ /* set host data for clk_freq configuration */
++ v4l2_set_subdev_hostdata(dev->sd_cx25840,
++ &dev->clk_freq);
++
+ dev->sd_cx25840->grp_id = CX23885_HW_AV_CORE;
+ v4l2_subdev_call(dev->sd_cx25840, core, load_fw);
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 31 Jan 2018 12:33:09 -0500
+Subject: media: cx25821: prevent out-of-bounds read on array card
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 67300abdbe9f1717532aaf4e037222762716d0f6 ]
+
+Currently an out of range dev->nr is detected by just reporting the
+issue and later on an out-of-bounds read on array card occurs because
+of this. Fix this by checking the upper range of dev->nr with the size
+of array card (removes the hard coded size), move this check earlier
+and also exit with the error -ENOSYS to avoid the later out-of-bounds
+array read.
+
+Detected by CoverityScan, CID#711191 ("Out-of-bounds-read")
+
+Fixes: commit 02b20b0b4cde ("V4L/DVB (12730): Add conexant cx25821 driver")
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+[hans.verkuil@cisco.com: %ld -> %zd]
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/cx25821/cx25821-core.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/pci/cx25821/cx25821-core.c
++++ b/drivers/media/pci/cx25821/cx25821-core.c
+@@ -867,6 +867,10 @@ static int cx25821_dev_setup(struct cx25
+ dev->nr = ++cx25821_devcount;
+ sprintf(dev->name, "cx25821[%d]", dev->nr);
+
++ if (dev->nr >= ARRAY_SIZE(card)) {
++ CX25821_INFO("dev->nr >= %zd", ARRAY_SIZE(card));
++ return -ENODEV;
++ }
+ if (dev->pci->device != 0x8210) {
+ pr_info("%s(): Exiting. Incorrect Hardware device = 0x%02x\n",
+ __func__, dev->pci->device);
+@@ -882,9 +886,6 @@ static int cx25821_dev_setup(struct cx25
+ dev->channels[i].sram_channels = &cx25821_sram_channels[i];
+ }
+
+- if (dev->nr > 1)
+- CX25821_INFO("dev->nr > 1!");
+-
+ /* board config */
+ dev->board = 1; /* card[dev->nr]; */
+ dev->_max_num_decoders = MAX_DECODERS;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Brad Love <brad@nextdimension.cc>
+Date: Thu, 4 Jan 2018 19:04:15 -0500
+Subject: media: em28xx: Add Hauppauge SoloHD/DualHD bulk models
+
+From: Brad Love <brad@nextdimension.cc>
+
+[ Upstream commit f2a326c928cca1f5e36a3dceaf66e8c6b34e9cb8 ]
+
+Add additional pids to driver list
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Reviewed-by: Michael Ira Krufky <mkrufky@linuxtv.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/em28xx/em28xx-cards.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/usb/em28xx/em28xx-cards.c
++++ b/drivers/media/usb/em28xx/em28xx-cards.c
+@@ -507,8 +507,10 @@ static struct em28xx_reg_seq plex_px_bcu
+ };
+
+ /*
+- * 2040:0265 Hauppauge WinTV-dualHD DVB
+- * 2040:026d Hauppauge WinTV-dualHD ATSC/QAM
++ * 2040:0265 Hauppauge WinTV-dualHD DVB Isoc
++ * 2040:8265 Hauppauge WinTV-dualHD DVB Bulk
++ * 2040:026d Hauppauge WinTV-dualHD ATSC/QAM Isoc
++ * 2040:826d Hauppauge WinTV-dualHD ATSC/QAM Bulk
+ * reg 0x80/0x84:
+ * GPIO_0: Yellow LED tuner 1, 0=on, 1=off
+ * GPIO_1: Green LED tuner 1, 0=on, 1=off
+@@ -2391,7 +2393,8 @@ struct em28xx_board em28xx_boards[] = {
+ .has_dvb = 1,
+ },
+ /*
+- * 2040:0265 Hauppauge WinTV-dualHD (DVB version).
++ * 2040:0265 Hauppauge WinTV-dualHD (DVB version) Isoc.
++ * 2040:8265 Hauppauge WinTV-dualHD (DVB version) Bulk.
+ * Empia EM28274, 2x Silicon Labs Si2168, 2x Silicon Labs Si2157
+ */
+ [EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_DVB] = {
+@@ -2406,7 +2409,8 @@ struct em28xx_board em28xx_boards[] = {
+ .leds = hauppauge_dualhd_leds,
+ },
+ /*
+- * 2040:026d Hauppauge WinTV-dualHD (model 01595 - ATSC/QAM).
++ * 2040:026d Hauppauge WinTV-dualHD (model 01595 - ATSC/QAM) Isoc.
++ * 2040:826d Hauppauge WinTV-dualHD (model 01595 - ATSC/QAM) Bulk.
+ * Empia EM28274, 2x LG LGDT3306A, 2x Silicon Labs Si2157
+ */
+ [EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_01595] = {
+@@ -2547,8 +2551,12 @@ struct usb_device_id em28xx_id_table[] =
+ .driver_info = EM2883_BOARD_HAUPPAUGE_WINTV_HVR_850 },
+ { USB_DEVICE(0x2040, 0x0265),
+ .driver_info = EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_DVB },
++ { USB_DEVICE(0x2040, 0x8265),
++ .driver_info = EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_DVB },
+ { USB_DEVICE(0x2040, 0x026d),
+ .driver_info = EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_01595 },
++ { USB_DEVICE(0x2040, 0x826d),
++ .driver_info = EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_01595 },
+ { USB_DEVICE(0x0438, 0xb002),
+ .driver_info = EM2880_BOARD_AMD_ATI_TV_WONDER_HD_600 },
+ { USB_DEVICE(0x2001, 0xf112),
+@@ -2609,7 +2617,11 @@ struct usb_device_id em28xx_id_table[] =
+ .driver_info = EM28178_BOARD_PCTV_461E },
+ { USB_DEVICE(0x2013, 0x025f),
+ .driver_info = EM28178_BOARD_PCTV_292E },
+- { USB_DEVICE(0x2040, 0x0264), /* Hauppauge WinTV-soloHD */
++ { USB_DEVICE(0x2040, 0x0264), /* Hauppauge WinTV-soloHD Isoc */
++ .driver_info = EM28178_BOARD_PCTV_292E },
++ { USB_DEVICE(0x2040, 0x8264), /* Hauppauge OEM Generic WinTV-soloHD Bulk */
++ .driver_info = EM28178_BOARD_PCTV_292E },
++ { USB_DEVICE(0x2040, 0x8268), /* Hauppauge Retail WinTV-soloHD Bulk */
+ .driver_info = EM28178_BOARD_PCTV_292E },
+ { USB_DEVICE(0x0413, 0x6f07),
+ .driver_info = EM2861_BOARD_LEADTEK_VC100 },
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Brad Love <brad@nextdimension.cc>
+Date: Thu, 4 Jan 2018 19:04:13 -0500
+Subject: media: em28xx: USB bulk packet size fix
+
+From: Brad Love <brad@nextdimension.cc>
+
+[ Upstream commit c7c7e8d7803406daa21e96d00c357de8b77b6764 ]
+
+Hauppauge em28xx bulk devices exhibit continuity errors and corrupted
+packets, when run in VMWare virtual machines. Unknown if other
+manufacturers bulk models exhibit the same issue. KVM/Qemu is unaffected.
+
+According to documentation the maximum packet multiplier for em28xx in bulk
+transfer mode is 256 * 188 bytes. This changes the size of bulk transfers
+to maximum supported value and have a bonus beneficial alignment.
+
+Before:
+
+After:
+
+This sets up USB to expect just as many bytes as the em28xx is set to emit.
+
+Successful usage under load afterwards natively and in both VMWare
+and KVM/Qemu virtual machines.
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Reviewed-by: Michael Ira Krufky <mkrufky@linuxtv.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/em28xx/em28xx.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/em28xx/em28xx.h
++++ b/drivers/media/usb/em28xx/em28xx.h
+@@ -191,7 +191,7 @@
+ USB 2.0 spec says bulk packet size is always 512 bytes
+ */
+ #define EM28XX_BULK_PACKET_MULTIPLIER 384
+-#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 384
++#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 94
+
+ #define EM28XX_INTERLACED_DEFAULT 1
+
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Kieran Bingham <kieran.bingham@ideasonboard.com>
+Date: Mon, 8 Jan 2018 13:14:04 -0500
+Subject: media: i2c: adv748x: fix HDMI field heights
+
+From: Kieran Bingham <kieran.bingham@ideasonboard.com>
+
+[ Upstream commit 9f564184e6cc21a86c26bab920afac1bab7653ff ]
+
+The ADV748x handles interlaced media using V4L2_FIELD_ALTERNATE field
+types. The correct specification for the height on the mbus is the
+image height, in this instance, the field height.
+
+The AFE component already correctly adjusts the height on the mbus, but
+the HDMI component got left behind.
+
+Adjust the mbus height to correctly describe the image height of the
+fields when processing interlaced video for HDMI pipelines.
+
+Fixes: 3e89586a64df ("media: i2c: adv748x: add adv748x driver")
+
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/adv748x/adv748x-hdmi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/i2c/adv748x/adv748x-hdmi.c
++++ b/drivers/media/i2c/adv748x/adv748x-hdmi.c
+@@ -105,6 +105,9 @@ static void adv748x_hdmi_fill_format(str
+
+ fmt->width = hdmi->timings.bt.width;
+ fmt->height = hdmi->timings.bt.height;
++
++ if (fmt->field == V4L2_FIELD_ALTERNATE)
++ fmt->height /= 2;
+ }
+
+ static void adv748x_fill_optional_dv_timings(struct v4l2_dv_timings *timings)
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Brad Love <brad@nextdimension.cc>
+Date: Fri, 5 Jan 2018 09:57:13 -0500
+Subject: media: lgdt3306a: Fix a double kfree on i2c device remove
+
+From: Brad Love <brad@nextdimension.cc>
+
+[ Upstream commit 94448e21cf08b10f7dc7acdaca387594370396b0 ]
+
+Both lgdt33606a_release and lgdt3306a_remove kfree state, but _release is
+called first, then _remove operates on states members before kfree'ing it.
+This can lead to random oops/GPF/etc on USB disconnect.
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-frontends/lgdt3306a.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/lgdt3306a.c
++++ b/drivers/media/dvb-frontends/lgdt3306a.c
+@@ -1768,7 +1768,13 @@ static void lgdt3306a_release(struct dvb
+ struct lgdt3306a_state *state = fe->demodulator_priv;
+
+ dbg_info("\n");
+- kfree(state);
++
++ /*
++ * If state->muxc is not NULL, then we are an i2c device
++ * and lgdt3306a_remove will clean up state
++ */
++ if (!state->muxc)
++ kfree(state);
+ }
+
+ static const struct dvb_frontend_ops lgdt3306a_ops;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Brad Love <brad@nextdimension.cc>
+Date: Fri, 5 Jan 2018 09:57:12 -0500
+Subject: media: lgdt3306a: Fix module count mismatch on usb unplug
+
+From: Brad Love <brad@nextdimension.cc>
+
+[ Upstream commit 835d66173a38538c072a7c393d02360dcfac8582 ]
+
+When used as an i2c device there is a module usage count mismatch on
+removal, preventing the driver from being used thereafter. dvb_attach
+increments the usage count so it is properly balanced on removal.
+
+On disconnect of Hauppauge SoloHD/DualHD before:
+
+lsmod | grep lgdt3306a
+lgdt3306a 28672 -1
+i2c_mux 16384 1 lgdt3306a
+
+On disconnect of Hauppauge SoloHD/DualHD after:
+
+lsmod | grep lgdt3306a
+lgdt3306a 28672 0
+i2c_mux 16384 1 lgdt3306a
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-frontends/lgdt3306a.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/lgdt3306a.c
++++ b/drivers/media/dvb-frontends/lgdt3306a.c
+@@ -2175,7 +2175,7 @@ static int lgdt3306a_probe(struct i2c_cl
+ sizeof(struct lgdt3306a_config));
+
+ config->i2c_addr = client->addr;
+- fe = lgdt3306a_attach(config, client->adapter);
++ fe = dvb_attach(lgdt3306a_attach, config, client->adapter);
+ if (fe == NULL) {
+ ret = -ENODEV;
+ goto err_fe;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Mon, 19 Mar 2018 12:14:17 -0400
+Subject: media: ov5645: add missing of_node_put() in error path
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+[ Upstream commit 06fe932307d58108a11c3e603517dd2a73a57b80 ]
+
+The device node obtained with of_graph_get_next_endpoint() should be
+released by calling of_node_put(). But it was not released when
+v4l2_fwnode_endpoint_parse() failed.
+
+This change moves the of_node_put() call before the error check and
+fixes the issue.
+
+Cc: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Acked-by: Todor Tomov <todor.tomov@linaro.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ov5645.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/i2c/ov5645.c
++++ b/drivers/media/i2c/ov5645.c
+@@ -1131,13 +1131,14 @@ static int ov5645_probe(struct i2c_clien
+
+ ret = v4l2_fwnode_endpoint_parse(of_fwnode_handle(endpoint),
+ &ov5645->ep);
++
++ of_node_put(endpoint);
++
+ if (ret < 0) {
+ dev_err(dev, "parsing endpoint node failed\n");
+ return ret;
+ }
+
+- of_node_put(endpoint);
+-
+ if (ov5645->ep.bus_type != V4L2_MBUS_CSI2) {
+ dev_err(dev, "invalid bus type, must be CSI2\n");
+ return -EINVAL;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 16 Jan 2018 16:52:15 -0500
+Subject: media: s3c-camif: fix out-of-bounds array access
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit a398e043637a4819a0e96467bfecaabf3224dd62 ]
+
+While experimenting with older compiler versions, I ran
+into a warning that no longer shows up on gcc-4.8 or newer:
+
+drivers/media/platform/s3c-camif/camif-capture.c: In function '__camif_subdev_try_format':
+drivers/media/platform/s3c-camif/camif-capture.c:1265:25: error: array subscript is below array bounds
+
+This is an off-by-one bug, leading to an access before the start of the
+array, while newer compilers silently assume this undefined behavior
+cannot happen and leave the loop at index 0 if no other entry matches.
+
+As Sylvester explains, we actually need to ensure that the
+value is within the range, so this reworks the loop to be
+easier to parse correctly, and an additional check to fall
+back on the first format value for any unexpected input.
+
+I found an existing gcc bug for it and added a reduced version
+of the function there.
+
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69249#c3
+Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface")
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/s3c-camif/camif-capture.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/platform/s3c-camif/camif-capture.c
++++ b/drivers/media/platform/s3c-camif/camif-capture.c
+@@ -1256,16 +1256,17 @@ static void __camif_subdev_try_format(st
+ {
+ const struct s3c_camif_variant *variant = camif->variant;
+ const struct vp_pix_limits *pix_lim;
+- int i = ARRAY_SIZE(camif_mbus_formats);
++ unsigned int i;
+
+ /* FIXME: constraints against codec or preview path ? */
+ pix_lim = &variant->vp_pix_limits[VP_CODEC];
+
+- while (i-- >= 0)
++ for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++)
+ if (camif_mbus_formats[i] == mf->code)
+ break;
+
+- mf->code = camif_mbus_formats[i];
++ if (i == ARRAY_SIZE(camif_mbus_formats))
++ mf->code = camif_mbus_formats[0];
+
+ if (pad == CAMIF_SD_PAD_SINK) {
+ v4l_bound_align_image(&mf->width, 8, CAMIF_MAX_PIX_WIDTH,
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Date: Sun, 3 Dec 2017 05:06:57 -0500
+Subject: media: v4l: vsp1: Fix display stalls when requesting too many inputs
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+[ Upstream commit 5e3e4cb5e24b92773b194aa90066170b12133bc6 ]
+
+Make sure we don't accept more inputs than the hardware can handle. This
+is a temporary fix to avoid display stall, we need to instead allocate
+the BRU or BRS to display pipelines dynamically based on the number of
+planes they each use.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/vsp1/vsp1_drm.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/media/platform/vsp1/vsp1_drm.c
++++ b/drivers/media/platform/vsp1/vsp1_drm.c
+@@ -530,6 +530,15 @@ void vsp1_du_atomic_flush(struct device
+ struct vsp1_rwpf *rpf = vsp1->rpf[i];
+ unsigned int j;
+
++ /*
++ * Make sure we don't accept more inputs than the hardware can
++ * handle. This is a temporary fix to avoid display stall, we
++ * need to instead allocate the BRU or BRS to display pipelines
++ * dynamically based on the number of planes they each use.
++ */
++ if (pipe->num_inputs >= pipe->bru->source_pad)
++ pipe->inputs[i] = NULL;
++
+ if (!pipe->inputs[i])
+ continue;
+
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Tue, 6 Feb 2018 03:02:23 -0500
+Subject: media: vb2: Fix videobuf2 to map correct area
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit d13a0139d7874a0577b5955d6eed895517d23b72 ]
+
+Fixes vb2_vmalloc_get_userptr() to ioremap correct area.
+Since the current code does ioremap the page address, if the offset > 0,
+it does not do ioremap the last page and results in kernel panic.
+
+This fixes to pass the size + offset to ioremap so that ioremap
+can map correct area. Also, this uses __pfn_to_phys() to get the physical
+address of given PFN.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Reported-by: Takao Orito <orito.takao@socionext.com>
+Reported-by: Fumihiro ATSUMI <atsumi@infinitegra.co.jp>
+Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/common/videobuf2/videobuf2-vmalloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/common/videobuf2/videobuf2-vmalloc.c
++++ b/drivers/media/common/videobuf2/videobuf2-vmalloc.c
+@@ -106,7 +106,7 @@ static void *vb2_vmalloc_get_userptr(str
+ if (nums[i-1] + 1 != nums[i])
+ goto fail_map;
+ buf->vaddr = (__force void *)
+- ioremap_nocache(nums[0] << PAGE_SHIFT, size);
++ ioremap_nocache(__pfn_to_phys(nums[0]), size + offset);
+ } else {
+ buf->vaddr = vm_map_ram(frame_vector_pages(vec), n_pages, -1,
+ PAGE_KERNEL);
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Thu, 1 Feb 2018 02:36:33 -0500
+Subject: media: vivid: fix incorrect capabilities for radio
+
+From: Hans Verkuil <hverkuil@xs4all.nl>
+
+[ Upstream commit 65243386f41d38460bfd4375d231a7c0346d0401 ]
+
+The vivid driver has two custom controls that change the behavior of RDS.
+Depending on the control setting the V4L2_CAP_READWRITE capability is toggled.
+However, after an earlier commit the capability was no longer set correctly.
+This is now fixed.
+
+Fixes: 9765a32cd8 ("vivid: set device_caps in video_device")
+
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/vivid/vivid-ctrls.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/vivid/vivid-ctrls.c
++++ b/drivers/media/platform/vivid/vivid-ctrls.c
+@@ -1208,6 +1208,7 @@ static int vivid_radio_rx_s_ctrl(struct
+ v4l2_ctrl_activate(dev->radio_rx_rds_ta, dev->radio_rx_rds_controls);
+ v4l2_ctrl_activate(dev->radio_rx_rds_tp, dev->radio_rx_rds_controls);
+ v4l2_ctrl_activate(dev->radio_rx_rds_ms, dev->radio_rx_rds_controls);
++ dev->radio_rx_dev.device_caps = dev->radio_rx_caps;
+ break;
+ case V4L2_CID_RDS_RECEPTION:
+ dev->radio_rx_rds_enabled = ctrl->val;
+@@ -1282,6 +1283,7 @@ static int vivid_radio_tx_s_ctrl(struct
+ dev->radio_tx_caps &= ~V4L2_CAP_READWRITE;
+ if (!dev->radio_tx_rds_controls)
+ dev->radio_tx_caps |= V4L2_CAP_READWRITE;
++ dev->radio_tx_dev.device_caps = dev->radio_tx_caps;
+ break;
+ case V4L2_CID_RDS_TX_PTY:
+ if (dev->radio_rx_rds_controls)
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Michal Hocko <mhocko@suse.com>
+Date: Tue, 10 Apr 2018 16:29:52 -0700
+Subject: memcg: fix per_node_info cleanup
+
+From: Michal Hocko <mhocko@suse.com>
+
+[ Upstream commit 4eaf431f6f71bbed40a4c733ffe93a7e8cedf9d9 ]
+
+syzbot has triggered a NULL ptr dereference when allocation fault
+injection enforces a failure and alloc_mem_cgroup_per_node_info
+initializes memcg->nodeinfo only half way through.
+
+But __mem_cgroup_free still tries to free all per-node data and
+dereferences pn->lruvec_stat_cpu unconditioanlly even if the specific
+per-node data hasn't been initialized.
+
+The bug is quite unlikely to hit because small allocations do not fail
+and we would need quite some numa nodes to make struct
+mem_cgroup_per_node large enough to cross the costly order.
+
+Link: http://lkml.kernel.org/r/20180406100906.17790-1-mhocko@kernel.org
+Reported-by: syzbot+8a5de3cce7cdc70e9ebe@syzkaller.appspotmail.com
+Fixes: 00f3ca2c2d66 ("mm: memcontrol: per-lruvec stats infrastructure")
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memcontrol.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -4108,6 +4108,9 @@ static void free_mem_cgroup_per_node_inf
+ {
+ struct mem_cgroup_per_node *pn = memcg->nodeinfo[node];
+
++ if (!pn)
++ return;
++
+ free_percpu(pn->lruvec_stat_cpu);
+ kfree(pn);
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Mathias Kresin <dev@kresin.me>
+Date: Thu, 11 May 2017 08:18:24 +0200
+Subject: MIPS: ath79: Fix AR724X_PLL_REG_PCIE_CONFIG offset
+
+From: Mathias Kresin <dev@kresin.me>
+
+[ Upstream commit 05454c1bde91fb013c0431801001da82947e6b5a ]
+
+According to the QCA u-boot source the "PCIE Phase Lock Loop
+Configuration (PCIE_PLL_CONFIG)" register is for all SoCs except the
+QCA955X and QCA956X at offset 0x10.
+
+Since the PCIE PLL config register is only defined for the AR724x fix
+only this value. The value is wrong since the day it was added and isn't
+used by any driver yet.
+
+Signed-off-by: Mathias Kresin <dev@kresin.me>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16048/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/include/asm/mach-ath79/ar71xx_regs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/mach-ath79/ar71xx_regs.h
++++ b/arch/mips/include/asm/mach-ath79/ar71xx_regs.h
+@@ -167,7 +167,7 @@
+ #define AR71XX_AHB_DIV_MASK 0x7
+
+ #define AR724X_PLL_REG_CPU_CONFIG 0x00
+-#define AR724X_PLL_REG_PCIE_CONFIG 0x18
++#define AR724X_PLL_REG_PCIE_CONFIG 0x10
+
+ #define AR724X_PLL_FB_SHIFT 0
+ #define AR724X_PLL_FB_MASK 0x3ff
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Joe Perches <joe@perches.com>
+Date: Tue, 5 Dec 2017 23:04:58 -0800
+Subject: MIPS: Octeon: Fix logging messages with spurious periods after newlines
+
+From: Joe Perches <joe@perches.com>
+
+[ Upstream commit db6775ca6e0353d2618ca7d5e210fc36ad43bbd4 ]
+
+Using a period after a newline causes bad output.
+
+Fixes: 64b139f97c01 ("MIPS: OCTEON: irq: add CIB and other fixes")
+Signed-off-by: Joe Perches <joe@perches.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17886/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/cavium-octeon/octeon-irq.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/mips/cavium-octeon/octeon-irq.c
++++ b/arch/mips/cavium-octeon/octeon-irq.c
+@@ -2271,7 +2271,7 @@ static int __init octeon_irq_init_cib(st
+
+ parent_irq = irq_of_parse_and_map(ciu_node, 0);
+ if (!parent_irq) {
+- pr_err("ERROR: Couldn't acquire parent_irq for %s\n.",
++ pr_err("ERROR: Couldn't acquire parent_irq for %s\n",
+ ciu_node->name);
+ return -EINVAL;
+ }
+@@ -2283,7 +2283,7 @@ static int __init octeon_irq_init_cib(st
+
+ addr = of_get_address(ciu_node, 0, NULL, NULL);
+ if (!addr) {
+- pr_err("ERROR: Couldn't acquire reg(0) %s\n.", ciu_node->name);
++ pr_err("ERROR: Couldn't acquire reg(0) %s\n", ciu_node->name);
+ return -EINVAL;
+ }
+ host_data->raw_reg = (u64)phys_to_virt(
+@@ -2291,7 +2291,7 @@ static int __init octeon_irq_init_cib(st
+
+ addr = of_get_address(ciu_node, 1, NULL, NULL);
+ if (!addr) {
+- pr_err("ERROR: Couldn't acquire reg(1) %s\n.", ciu_node->name);
++ pr_err("ERROR: Couldn't acquire reg(1) %s\n", ciu_node->name);
+ return -EINVAL;
+ }
+ host_data->en_reg = (u64)phys_to_virt(
+@@ -2299,7 +2299,7 @@ static int __init octeon_irq_init_cib(st
+
+ r = of_property_read_u32(ciu_node, "cavium,max-bits", &val);
+ if (r) {
+- pr_err("ERROR: Couldn't read cavium,max-bits from %s\n.",
++ pr_err("ERROR: Couldn't read cavium,max-bits from %s\n",
+ ciu_node->name);
+ return r;
+ }
+@@ -2309,7 +2309,7 @@ static int __init octeon_irq_init_cib(st
+ &octeon_irq_domain_cib_ops,
+ host_data);
+ if (!cib_domain) {
+- pr_err("ERROR: Couldn't irq_domain_add_linear()\n.");
++ pr_err("ERROR: Couldn't irq_domain_add_linear()\n");
+ return -ENOMEM;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Huang Ying <ying.huang@intel.com>
+Date: Thu, 5 Apr 2018 16:23:20 -0700
+Subject: mm: fix races between address_space dereference and free in page_evicatable
+
+From: Huang Ying <ying.huang@intel.com>
+
+[ Upstream commit e92bb4dd9673945179b1fc738c9817dd91bfb629 ]
+
+When page_mapping() is called and the mapping is dereferenced in
+page_evicatable() through shrink_active_list(), it is possible for the
+inode to be truncated and the embedded address space to be freed at the
+same time. This may lead to the following race.
+
+CPU1 CPU2
+
+truncate(inode) shrink_active_list()
+ ... page_evictable(page)
+ truncate_inode_page(mapping, page);
+ delete_from_page_cache(page)
+ spin_lock_irqsave(&mapping->tree_lock, flags);
+ __delete_from_page_cache(page, NULL)
+ page_cache_tree_delete(..)
+ ... mapping = page_mapping(page);
+ page->mapping = NULL;
+ ...
+ spin_unlock_irqrestore(&mapping->tree_lock, flags);
+ page_cache_free_page(mapping, page)
+ put_page(page)
+ if (put_page_testzero(page)) -> false
+- inode now has no pages and can be freed including embedded address_space
+
+ mapping_unevictable(mapping)
+ test_bit(AS_UNEVICTABLE, &mapping->flags);
+- we've dereferenced mapping which is potentially already free.
+
+Similar race exists between swap cache freeing and page_evicatable()
+too.
+
+The address_space in inode and swap cache will be freed after a RCU
+grace period. So the races are fixed via enclosing the page_mapping()
+and address_space usage in rcu_read_lock/unlock(). Some comments are
+added in code to make it clear what is protected by the RCU read lock.
+
+Link: http://lkml.kernel.org/r/20180212081227.1940-1-ying.huang@intel.com
+Signed-off-by: "Huang, Ying" <ying.huang@intel.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: "Huang, Ying" <ying.huang@intel.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/vmscan.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -3896,7 +3896,13 @@ int node_reclaim(struct pglist_data *pgd
+ */
+ int page_evictable(struct page *page)
+ {
+- return !mapping_unevictable(page_mapping(page)) && !PageMlocked(page);
++ int ret;
++
++ /* Prevent address_space of inode and swap cache from being freed */
++ rcu_read_lock();
++ ret = !mapping_unevictable(page_mapping(page)) && !PageMlocked(page);
++ rcu_read_unlock();
++ return ret;
+ }
+
+ #ifdef CONFIG_SHMEM
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
+Date: Thu, 5 Apr 2018 16:25:41 -0700
+Subject: mm/ksm: fix interaction with THP
+
+From: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
+
+[ Upstream commit 77da2ba0648a4fd52e5ff97b8b2b8dd312aec4b0 ]
+
+This patch fixes a corner case for KSM. When two pages belong or
+belonged to the same transparent hugepage, and they should be merged,
+KSM fails to split the page, and therefore no merging happens.
+
+This bug can be reproduced by:
+* making sure ksm is running (in case disabling ksmtuned)
+* enabling transparent hugepages
+* allocating a THP-aligned 1-THP-sized buffer
+ e.g. on amd64: posix_memalign(&p, 1<<21, 1<<21)
+* filling it with the same values
+ e.g. memset(p, 42, 1<<21)
+* performing madvise to make it mergeable
+ e.g. madvise(p, 1<<21, MADV_MERGEABLE)
+* waiting for KSM to perform a few scans
+
+The expected outcome is that the all the pages get merged (1 shared and
+the rest sharing); the actual outcome is that no pages get merged (1
+unshared and the rest volatile)
+
+The reason of this behaviour is that we increase the reference count
+once for both pages we want to merge, but if they belong to the same
+hugepage (or compound page), the reference counter used in both cases is
+the one of the head of the compound page. This means that
+split_huge_page will find a value of the reference counter too high and
+will fail.
+
+This patch solves this problem by testing if the two pages to merge
+belong to the same hugepage when attempting to merge them. If so, the
+hugepage is split safely. This means that the hugepage is not split if
+not necessary.
+
+Link: http://lkml.kernel.org/r/1521548069-24758-1-git-send-email-imbrenda@linux.vnet.ibm.com
+Signed-off-by: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
+Co-authored-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/ksm.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+--- a/mm/ksm.c
++++ b/mm/ksm.c
+@@ -2089,8 +2089,22 @@ static void cmp_and_merge_page(struct pa
+ tree_rmap_item =
+ unstable_tree_search_insert(rmap_item, page, &tree_page);
+ if (tree_rmap_item) {
++ bool split;
++
+ kpage = try_to_merge_two_pages(rmap_item, page,
+ tree_rmap_item, tree_page);
++ /*
++ * If both pages we tried to merge belong to the same compound
++ * page, then we actually ended up increasing the reference
++ * count of the same compound page twice, and split_huge_page
++ * failed.
++ * Here we set a flag if that happened, and we use it later to
++ * try split_huge_page again. Since we call put_page right
++ * afterwards, the reference count will be correct and
++ * split_huge_page should succeed.
++ */
++ split = PageTransCompound(page)
++ && compound_head(page) == compound_head(tree_page);
+ put_page(tree_page);
+ if (kpage) {
+ /*
+@@ -2117,6 +2131,20 @@ static void cmp_and_merge_page(struct pa
+ break_cow(tree_rmap_item);
+ break_cow(rmap_item);
+ }
++ } else if (split) {
++ /*
++ * We are here if we tried to merge two pages and
++ * failed because they both belonged to the same
++ * compound page. We will split the page now, but no
++ * merging will take place.
++ * We do not want to add the cost of a full lock; if
++ * the page is locked, it is better to skip it and
++ * perhaps try again later.
++ */
++ if (!trylock_page(page))
++ return;
++ split_huge_page(page);
++ unlock_page(page);
+ }
+ }
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Yang Shi <yang.shi@linux.alibaba.com>
+Date: Thu, 5 Apr 2018 16:22:35 -0700
+Subject: mm: thp: fix potential clearing to referenced flag in page_idle_clear_pte_refs_one()
+
+From: Yang Shi <yang.shi@linux.alibaba.com>
+
+[ Upstream commit f0849ac0b8e072073ec5fcc7fadd05a77434364e ]
+
+For PTE-mapped THP, the compound THP has not been split to normal 4K
+pages yet, the whole THP is considered referenced if any one of sub page
+is referenced.
+
+When walking PTE-mapped THP by pvmw, all relevant PTEs will be checked
+to retrieve referenced bit. But, the current code just returns the
+result of the last PTE. If the last PTE has not referenced, the
+referenced flag will be cleared.
+
+Just set referenced when ptep{pmdp}_clear_young_notify() returns true.
+
+Link: http://lkml.kernel.org/r/1518212451-87134-1-git-send-email-yang.shi@linux.alibaba.com
+Signed-off-by: Yang Shi <yang.shi@linux.alibaba.com>
+Reported-by: Gang Deng <gavin.dg@linux.alibaba.com>
+Suggested-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/page_idle.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/mm/page_idle.c
++++ b/mm/page_idle.c
+@@ -65,11 +65,15 @@ static bool page_idle_clear_pte_refs_one
+ while (page_vma_mapped_walk(&pvmw)) {
+ addr = pvmw.address;
+ if (pvmw.pte) {
+- referenced = ptep_clear_young_notify(vma, addr,
+- pvmw.pte);
++ /*
++ * For PTE-mapped THP, one sub page is referenced,
++ * the whole THP is referenced.
++ */
++ if (ptep_clear_young_notify(vma, addr, pvmw.pte))
++ referenced = true;
+ } else if (IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE)) {
+- referenced = pmdp_clear_young_notify(vma, addr,
+- pvmw.pmd);
++ if (pmdp_clear_young_notify(vma, addr, pvmw.pmd))
++ referenced = true;
+ } else {
+ /* unexpected pmd-mapped page? */
+ WARN_ON_ONCE(1);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Sat, 17 Mar 2018 12:29:27 +0100
+Subject: mt76x2: fix possible NULL pointer dereferencing in mt76x2_tx()
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+[ Upstream commit 6958b027435aa54d82bbef09a007fd287f439977 ]
+
+Fix a theoretical NULL pointer dereferencing in mt76x2_tx routine that
+can occurs for injected frames in a monitor vif since vif pointer could
+be NULL for that interfaces
+
+Fixes: 23405236460b ("mt76: fix transmission of encrypted mgmt frames")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Acked-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76x2_tx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt76x2_tx.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x2_tx.c
+@@ -36,9 +36,12 @@ void mt76x2_tx(struct ieee80211_hw *hw,
+
+ msta = (struct mt76x2_sta *) control->sta->drv_priv;
+ wcid = &msta->wcid;
++ /* sw encrypted frames */
++ if (!info->control.hw_key && wcid->hw_key_idx != -1)
++ control->sta = NULL;
+ }
+
+- if (vif || (!info->control.hw_key && wcid->hw_key_idx != -1)) {
++ if (vif && !control->sta) {
+ struct mt76x2_vif *mvif;
+
+ mvif = (struct mt76x2_vif *) vif->drv_priv;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Sat, 17 Mar 2018 15:01:39 +0100
+Subject: mt76x2: fix warning in ieee80211_get_key_rx_seq()
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+[ Upstream commit c03a5aacde0c86f6dabab8f17a6d1911ee13b6c4 ]
+
+Fall back to software encryption for hw unsupported ciphers in order
+to fix the following warning in ieee80211_get_key_rx_seq routine:
+
+WARNING: CPU: 1 PID: 1277 at backports-2017-11-01/net/mac80211/key.c:
+1010 mt76_wcid_key_setup+0x6c/0x138 [mt76]
+CPU: 1 PID: 1277 Comm: hostapd Tainted: G W 4.9.86 #0
+Stack : 00000000 00000000 80527b4a 00000042 80523824 00000000 00000000 80520000
+ 8fd79a9c 804bbda7 80454c84 00000001 000004fd 80523824 8f7e4ba0 8eceda12
+ 00000010 8006af94 00000001 80520000 804c1f04 804c1f08 80459890 8ec999b4
+ 00000003 800a7840 8f7e4ba0 8eceda12 8121de20 00000000 00000001 00c999b4
+ 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ ...
+Call Trace:
+[<8000f52c>] show_stack+0x70/0x8c
+[<801d8d04>] dump_stack+0x94/0xd0
+[<8002bcd4>] __warn+0x110/0x118
+[<8002bd70>] warn_slowpath_null+0x1c/0x2c
+[<8f0415cc>] mt76_wcid_key_setup+0x6c/0x138 [mt76]
+[<8f1311b4>] mt76x2_dma_cleanup+0xa38/0x1048 [mt76x2e]
+
+Fixes: 30ce7f4456ae ("mt76: validate rx CCMP PN")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Acked-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76x2_main.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt76x2_main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x2_main.c
+@@ -336,6 +336,17 @@ mt76x2_set_key(struct ieee80211_hw *hw,
+ int idx = key->keyidx;
+ int ret;
+
++ /* fall back to sw encryption for unsupported ciphers */
++ switch (key->cipher) {
++ case WLAN_CIPHER_SUITE_WEP40:
++ case WLAN_CIPHER_SUITE_WEP104:
++ case WLAN_CIPHER_SUITE_TKIP:
++ case WLAN_CIPHER_SUITE_CCMP:
++ break;
++ default:
++ return -EOPNOTSUPP;
++ }
++
+ /*
+ * The hardware does not support per-STA RX GTK, fall back
+ * to software mode for these.
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Sun, 1 Apr 2018 10:26:29 -0700
+Subject: net: bgmac: Correctly annotate register space
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 16a1c0646e55c3345bce8e4edfc06ad119d27c04 ]
+
+All the members: base, idm_base and nicpm_base should be annotated with
+__iomem since they are pointers to register space. This fixes a bunch of
+sparse reported warnings.
+
+Fixes: f6a95a24957a ("net: ethernet: bgmac: Add platform device support")
+Fixes: dd5c5d037f5e ("net: ethernet: bgmac: add NS2 support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bgmac.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bgmac.h
++++ b/drivers/net/ethernet/broadcom/bgmac.h
+@@ -479,9 +479,9 @@ struct bgmac_rx_header {
+ struct bgmac {
+ union {
+ struct {
+- void *base;
+- void *idm_base;
+- void *nicpm_base;
++ void __iomem *base;
++ void __iomem *idm_base;
++ void __iomem *nicpm_base;
+ } plat;
+ struct {
+ struct bcma_device *core;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Sun, 1 Apr 2018 10:26:30 -0700
+Subject: net: bgmac: Fix endian access in bgmac_dma_tx_ring_free()
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 60d6e6f0b9e422dd01aeda39257ee0428e5e2a3f ]
+
+bgmac_dma_tx_ring_free() assigns the ctl1 word which is a litle endian
+32-bit word without using proper accessors, fix this, and because a
+length cannot be negative, use unsigned int while at it.
+
+Fixes: 9cde94506eac ("bgmac: implement scatter/gather support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bgmac.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bgmac.c
++++ b/drivers/net/ethernet/broadcom/bgmac.c
+@@ -533,7 +533,8 @@ static void bgmac_dma_tx_ring_free(struc
+ int i;
+
+ for (i = 0; i < BGMAC_TX_RING_SLOTS; i++) {
+- int len = dma_desc[i].ctl1 & BGMAC_DESC_CTL1_LEN;
++ u32 ctl1 = le32_to_cpu(dma_desc[i].ctl1);
++ unsigned int len = ctl1 & BGMAC_DESC_CTL1_LEN;
+
+ slot = &ring->slots[i];
+ dev_kfree_skb(slot->skb);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Fuyun Liang <liangfuyun1@huawei.com>
+Date: Sat, 24 Mar 2018 11:32:44 +0800
+Subject: net: hns3: fix for returning wrong value problem in hns3_get_rss_indir_size
+
+From: Fuyun Liang <liangfuyun1@huawei.com>
+
+[ Upstream commit da44a00f06df1f823ea449065e79581ee624de4b ]
+
+The return type of hns3_get_rss_indir_size is u32. But a negative value is
+returned. This patch fixes it by replacing the negative value with zero.
+
+Signed-off-by: Fuyun Liang <liangfuyun1@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+@@ -709,7 +709,7 @@ static u32 hns3_get_rss_indir_size(struc
+
+ if (!h->ae_algo || !h->ae_algo->ops ||
+ !h->ae_algo->ops->get_rss_indir_size)
+- return -EOPNOTSUPP;
++ return 0;
+
+ return h->ae_algo->ops->get_rss_indir_size(h);
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Fuyun Liang <liangfuyun1@huawei.com>
+Date: Sat, 24 Mar 2018 11:32:43 +0800
+Subject: net: hns3: fix for returning wrong value problem in hns3_get_rss_key_size
+
+From: Fuyun Liang <liangfuyun1@huawei.com>
+
+[ Upstream commit 3bd6d258b1d5f76744567855d1376358a94f127d ]
+
+The return type of hns3_get_rss_key_size is u32. But a negative value is
+returned. This patch fixes it by replacing the negative value with zero.
+
+Signed-off-by: Fuyun Liang <liangfuyun1@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+@@ -698,7 +698,7 @@ static u32 hns3_get_rss_key_size(struct
+
+ if (!h->ae_algo || !h->ae_algo->ops ||
+ !h->ae_algo->ops->get_rss_key_size)
+- return -EOPNOTSUPP;
++ return 0;
+
+ return h->ae_algo->ops->get_rss_key_size(h);
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Fuyun Liang <liangfuyun1@huawei.com>
+Date: Sat, 24 Mar 2018 11:32:45 +0800
+Subject: net: hns3: fix for the wrong shift problem in hns3_set_txbd_baseinfo
+
+From: Fuyun Liang <liangfuyun1@huawei.com>
+
+[ Upstream commit 3c8f5c0339515202e8662b6e3ae36a7b16610caf ]
+
+Third parameter of hnae_set_field is shift, But a mask is given. This
+patch fixes it by replacing HNS3_TXD_BDTYPE_M with HNS3_TXD_BDTYPE_S.
+
+Signed-off-by: Fuyun Liang <liangfuyun1@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -747,7 +747,7 @@ static void hns3_set_txbd_baseinfo(u16 *
+ {
+ /* Config bd buffer end */
+ hnae_set_field(*bdtp_fe_sc_vld_ra_ri, HNS3_TXD_BDTYPE_M,
+- HNS3_TXD_BDTYPE_M, 0);
++ HNS3_TXD_BDTYPE_S, 0);
+ hnae_set_bit(*bdtp_fe_sc_vld_ra_ri, HNS3_TXD_FE_B, !!frag_end);
+ hnae_set_bit(*bdtp_fe_sc_vld_ra_ri, HNS3_TXD_VLD_B, 1);
+ hnae_set_field(*bdtp_fe_sc_vld_ra_ri, HNS3_TXD_SC_M, HNS3_TXD_SC_S, 0);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Tue, 2 Jan 2018 16:49:56 +0200
+Subject: net/mlx5: Protect from command bit overflow
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+[ Upstream commit 957f6ba8adc7be401a74ccff427e4cfd88d3bfcb ]
+
+The system with CONFIG_UBSAN enabled on produces the following error
+during driver initialization. The reason to it that max_reg_cmds can be
+larger enough to cause to "1 << max_reg_cmds" overflow the unsigned long.
+
+================================================================================
+UBSAN: Undefined behaviour in drivers/net/ethernet/mellanox/mlx5/core/cmd.c:1805:42
+signed integer overflow:
+-2147483648 - 1 cannot be represented in type 'int'
+CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00032-g06cda2358d9b-dirty #724
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
+Call Trace:
+ dump_stack+0xe9/0x18f
+ ? dma_virt_alloc+0x81/0x81
+ ubsan_epilogue+0xe/0x4e
+ handle_overflow+0x187/0x20c
+ mlx5_cmd_init+0x73a/0x12b0
+ mlx5_load_one+0x1c3d/0x1d30
+ init_one+0xd02/0xf10
+ pci_device_probe+0x26c/0x3b0
+ driver_probe_device+0x622/0xb40
+ __driver_attach+0x175/0x1b0
+ bus_for_each_dev+0xef/0x190
+ bus_add_driver+0x2db/0x490
+ driver_register+0x16b/0x1e0
+ __pci_register_driver+0x177/0x1b0
+ init+0x6d/0x92
+ do_one_initcall+0x15b/0x270
+ kernel_init_freeable+0x2d8/0x3d0
+ kernel_init+0x14/0x190
+ ret_from_fork+0x24/0x30
+================================================================================
+
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1802,7 +1802,7 @@ int mlx5_cmd_init(struct mlx5_core_dev *
+
+ cmd->checksum_disabled = 1;
+ cmd->max_reg_cmds = (1 << cmd->log_sz) - 1;
+- cmd->bitmask = (1 << cmd->max_reg_cmds) - 1;
++ cmd->bitmask = (1UL << cmd->max_reg_cmds) - 1;
+
+ cmd->cmdif_rev = ioread32be(&dev->iseg->cmdif_rev_fw_sub) >> 16;
+ if (cmd->cmdif_rev > CMD_IF_REV) {
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Eran Ben Elisha <eranbe@mellanox.com>
+Date: Tue, 16 Jan 2018 17:25:06 +0200
+Subject: net/mlx5e: Move all TX timeout logic to be under state lock
+
+From: Eran Ben Elisha <eranbe@mellanox.com>
+
+[ Upstream commit bfc647d52e67dc756c605e9a50d45b71054c2533 ]
+
+Driver callback for handling TX timeout should access some internal
+resources (SQ, CQ) in order to decide if the tx timeout work should be
+scheduled. These resources might be unavailable if channels are closed
+in parallel (ifdown for example).
+
+The state lock is the mechanism to protect from such races.
+Move all TX timeout logic to be in the work under a state lock.
+
+In addition, Move the work from the global WQ to mlx5e WQ to make sure
+this work is flushed when device is detached..
+
+Also, move the mlx5e_tx_timeout_work code to be next to the TX timeout
+NDO for better code locality.
+
+Fixes: 3947ca185999 ("net/mlx5e: Implement ndo_tx_timeout callback")
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 61 ++++++++++++----------
+ 1 file changed, 34 insertions(+), 27 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -153,26 +153,6 @@ static void mlx5e_update_carrier_work(st
+ mutex_unlock(&priv->state_lock);
+ }
+
+-static void mlx5e_tx_timeout_work(struct work_struct *work)
+-{
+- struct mlx5e_priv *priv = container_of(work, struct mlx5e_priv,
+- tx_timeout_work);
+- int err;
+-
+- rtnl_lock();
+- mutex_lock(&priv->state_lock);
+- if (!test_bit(MLX5E_STATE_OPENED, &priv->state))
+- goto unlock;
+- mlx5e_close_locked(priv->netdev);
+- err = mlx5e_open_locked(priv->netdev);
+- if (err)
+- netdev_err(priv->netdev, "mlx5e_open_locked failed recovering from a tx_timeout, err(%d).\n",
+- err);
+-unlock:
+- mutex_unlock(&priv->state_lock);
+- rtnl_unlock();
+-}
+-
+ void mlx5e_update_stats(struct mlx5e_priv *priv)
+ {
+ int i;
+@@ -3632,13 +3612,19 @@ static bool mlx5e_tx_timeout_eq_recover(
+ return true;
+ }
+
+-static void mlx5e_tx_timeout(struct net_device *dev)
++static void mlx5e_tx_timeout_work(struct work_struct *work)
+ {
+- struct mlx5e_priv *priv = netdev_priv(dev);
++ struct mlx5e_priv *priv = container_of(work, struct mlx5e_priv,
++ tx_timeout_work);
++ struct net_device *dev = priv->netdev;
+ bool reopen_channels = false;
+- int i;
++ int i, err;
+
+- netdev_err(dev, "TX timeout detected\n");
++ rtnl_lock();
++ mutex_lock(&priv->state_lock);
++
++ if (!test_bit(MLX5E_STATE_OPENED, &priv->state))
++ goto unlock;
+
+ for (i = 0; i < priv->channels.num * priv->channels.params.num_tc; i++) {
+ struct netdev_queue *dev_queue = netdev_get_tx_queue(dev, i);
+@@ -3646,7 +3632,9 @@ static void mlx5e_tx_timeout(struct net_
+
+ if (!netif_xmit_stopped(dev_queue))
+ continue;
+- netdev_err(dev, "TX timeout on queue: %d, SQ: 0x%x, CQ: 0x%x, SQ Cons: 0x%x SQ Prod: 0x%x, usecs since last trans: %u\n",
++
++ netdev_err(dev,
++ "TX timeout on queue: %d, SQ: 0x%x, CQ: 0x%x, SQ Cons: 0x%x SQ Prod: 0x%x, usecs since last trans: %u\n",
+ i, sq->sqn, sq->cq.mcq.cqn, sq->cc, sq->pc,
+ jiffies_to_usecs(jiffies - dev_queue->trans_start));
+
+@@ -3659,8 +3647,27 @@ static void mlx5e_tx_timeout(struct net_
+ }
+ }
+
+- if (reopen_channels && test_bit(MLX5E_STATE_OPENED, &priv->state))
+- schedule_work(&priv->tx_timeout_work);
++ if (!reopen_channels)
++ goto unlock;
++
++ mlx5e_close_locked(dev);
++ err = mlx5e_open_locked(dev);
++ if (err)
++ netdev_err(priv->netdev,
++ "mlx5e_open_locked failed recovering from a tx_timeout, err(%d).\n",
++ err);
++
++unlock:
++ mutex_unlock(&priv->state_lock);
++ rtnl_unlock();
++}
++
++static void mlx5e_tx_timeout(struct net_device *dev)
++{
++ struct mlx5e_priv *priv = netdev_priv(dev);
++
++ netdev_err(dev, "TX timeout detected\n");
++ queue_work(priv->wq, &priv->tx_timeout_work);
+ }
+
+ static int mlx5e_xdp_set(struct net_device *netdev, struct bpf_prog *prog)
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Sinan Kaya <okaya@codeaurora.org>
+Date: Sun, 25 Mar 2018 10:39:19 -0400
+Subject: net: qlge: Eliminate duplicate barriers on weakly-ordered archs
+
+From: Sinan Kaya <okaya@codeaurora.org>
+
+[ Upstream commit e42d8cee343a545ac2d9557a3b28708bbca2bd31 ]
+
+Code includes wmb() followed by writel(). writel() already has a barrier on
+some architectures like arm64.
+
+This ends up CPU observing two barriers back to back before executing the
+register write.
+
+Create a new wrapper function with relaxed write operator. Use the new
+wrapper when a write is following a wmb().
+
+Signed-off-by: Sinan Kaya <okaya@codeaurora.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qlge/qlge.h | 16 ++++++++++++++++
+ drivers/net/ethernet/qlogic/qlge/qlge_main.c | 3 ++-
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qlge/qlge.h
++++ b/drivers/net/ethernet/qlogic/qlge/qlge.h
+@@ -2185,6 +2185,22 @@ static inline void ql_write_db_reg(u32 v
+ }
+
+ /*
++ * Doorbell Registers:
++ * Doorbell registers are virtual registers in the PCI memory space.
++ * The space is allocated by the chip during PCI initialization. The
++ * device driver finds the doorbell address in BAR 3 in PCI config space.
++ * The registers are used to control outbound and inbound queues. For
++ * example, the producer index for an outbound queue. Each queue uses
++ * 1 4k chunk of memory. The lower half of the space is for outbound
++ * queues. The upper half is for inbound queues.
++ * Caller has to guarantee ordering.
++ */
++static inline void ql_write_db_reg_relaxed(u32 val, void __iomem *addr)
++{
++ writel_relaxed(val, addr);
++}
++
++/*
+ * Shadow Registers:
+ * Outbound queues have a consumer index that is maintained by the chip.
+ * Inbound queues have a producer index that is maintained by the chip.
+--- a/drivers/net/ethernet/qlogic/qlge/qlge_main.c
++++ b/drivers/net/ethernet/qlogic/qlge/qlge_main.c
+@@ -2700,7 +2700,8 @@ static netdev_tx_t qlge_send(struct sk_b
+ tx_ring->prod_idx = 0;
+ wmb();
+
+- ql_write_db_reg(tx_ring->prod_idx, tx_ring->prod_idx_db_reg);
++ ql_write_db_reg_relaxed(tx_ring->prod_idx, tx_ring->prod_idx_db_reg);
++ mmiowb();
+ netif_printk(qdev, tx_queued, KERN_DEBUG, qdev->ndev,
+ "tx queued, slot %d, len %d\n",
+ tx_ring->prod_idx, skb->len);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 23 Mar 2018 23:51:57 +0000
+Subject: net: qualcomm: rmnet: check for null ep to avoid null pointer dereference
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 0c29ba1b43df1eb7d8beb03fc929d2dac4c15f7e ]
+
+The call to rmnet_get_endpoint can potentially return NULL so check
+for this to avoid any subsequent null pointer dereferences on a NULL
+ep.
+
+Detected by CoverityScan, CID#1465385 ("Dereference null return value")
+
+Fixes: 23790ef12082 ("net: qualcomm: rmnet: Allow to configure flags for existing devices")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
+@@ -307,6 +307,8 @@ static int rmnet_changelink(struct net_d
+ if (data[IFLA_VLAN_ID]) {
+ mux_id = nla_get_u16(data[IFLA_VLAN_ID]);
+ ep = rmnet_get_endpoint(port, priv->mux_id);
++ if (!ep)
++ return -ENODEV;
+
+ hlist_del_init_rcu(&ep->hlnode);
+ hlist_add_head_rcu(&ep->hlnode, &port->muxed_ep[mux_id]);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Ursula Braun <ubraun@linux.vnet.ibm.com>
+Date: Wed, 14 Mar 2018 11:01:00 +0100
+Subject: net/smc: pay attention to MAX_ORDER for CQ entries
+
+From: Ursula Braun <ubraun@linux.vnet.ibm.com>
+
+[ Upstream commit c9f4c6cf53bfafb639386a4c094929f13f573e04 ]
+
+smc allocates a certain number of CQ entries for used RoCE devices. For
+mlx5 devices the chosen constant number results in a large allocation
+causing this warning:
+
+[13355.124656] WARNING: CPU: 3 PID: 16535 at mm/page_alloc.c:3883 __alloc_pages_nodemask+0x2be/0x10c0
+[13355.124657] Modules linked in: smc_diag(O) smc(O) xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ip6table_filter ip6_tables iptable_filter mlx5_ib ib_core sunrpc mlx5_core s390_trng rng_core ghash_s390 prng aes_s390 des_s390 des_generic sha512_s390 sha256_s390 sha1_s390 sha_common ptp pps_core eadm_sch dm_multipath dm_mod vhost_net tun vhost tap sch_fq_codel kvm ip_tables x_tables autofs4 [last unloaded: smc]
+[13355.124672] CPU: 3 PID: 16535 Comm: kworker/3:0 Tainted: G O 4.14.0uschi #1
+[13355.124673] Hardware name: IBM 3906 M04 704 (LPAR)
+[13355.124675] Workqueue: events smc_listen_work [smc]
+[13355.124677] task: 00000000e2f22100 task.stack: 0000000084720000
+[13355.124678] Krnl PSW : 0704c00180000000 000000000029da76 (__alloc_pages_nodemask+0x2be/0x10c0)
+[13355.124681] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
+[13355.124682] Krnl GPRS: 0000000000000000 00550e00014080c0 0000000000000000 0000000000000001
+[13355.124684] 000000000029d8b6 00000000f3bfd710 0000000000000000 00000000014080c0
+[13355.124685] 0000000000000009 00000000ec277a00 0000000000200000 0000000000000000
+[13355.124686] 0000000000000000 00000000000001ff 000000000029d8b6 0000000084723720
+[13355.124708] Krnl Code: 000000000029da6a: a7110200 tmll %r1,512
+ 000000000029da6e: a774ff29 brc 7,29d8c0
+ #000000000029da72: a7f40001 brc 15,29da74
+ >000000000029da76: a7f4ff25 brc 15,29d8c0
+ 000000000029da7a: a7380000 lhi %r3,0
+ 000000000029da7e: a7f4fef1 brc 15,29d860
+ 000000000029da82: 5820f0c4 l %r2,196(%r15)
+ 000000000029da86: a53e0048 llilh %r3,72
+[13355.124720] Call Trace:
+[13355.124722] ([<000000000029d8b6>] __alloc_pages_nodemask+0xfe/0x10c0)
+[13355.124724] [<000000000013bd1e>] s390_dma_alloc+0x6e/0x148
+[13355.124733] [<000003ff802eeba6>] mlx5_dma_zalloc_coherent_node+0x8e/0xe0 [mlx5_core]
+[13355.124740] [<000003ff802eee18>] mlx5_buf_alloc_node+0x70/0x108 [mlx5_core]
+[13355.124744] [<000003ff804eb410>] mlx5_ib_create_cq+0x558/0x898 [mlx5_ib]
+[13355.124749] [<000003ff80407d40>] ib_create_cq+0x48/0x88 [ib_core]
+[13355.124751] [<000003ff80109fba>] smc_ib_setup_per_ibdev+0x52/0x118 [smc]
+[13355.124753] [<000003ff8010bcb6>] smc_conn_create+0x65e/0x728 [smc]
+[13355.124755] [<000003ff801081a2>] smc_listen_work+0x2d2/0x540 [smc]
+[13355.124756] [<0000000000162c66>] process_one_work+0x1be/0x440
+[13355.124758] [<0000000000162f40>] worker_thread+0x58/0x458
+[13355.124759] [<0000000000169e7e>] kthread+0x14e/0x168
+[13355.124760] [<00000000009ce8be>] kernel_thread_starter+0x6/0xc
+[13355.124762] [<00000000009ce8b8>] kernel_thread_starter+0x0/0xc
+[13355.124762] Last Breaking-Event-Address:
+[13355.124764] [<000000000029da72>] __alloc_pages_nodemask+0x2ba/0x10c0
+[13355.124764] ---[ end trace 34be38b581c0b585 ]---
+
+This patch reduces the smc constant for the maximum number of allocated
+completion queue entries SMC_MAX_CQE by 2 to avoid high round up values
+in the mlx5 code, and reduces the number of allocated completion queue
+entries even more, if the final allocation for an mlx5 device hits the
+MAX_ORDER limit.
+
+Reported-by: Ihnken Menssen <menssen@de.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/smc_ib.c | 10 +++++++++-
+ net/smc/smc_wr.h | 1 -
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/smc/smc_ib.c
++++ b/net/smc/smc_ib.c
+@@ -23,6 +23,8 @@
+ #include "smc_wr.h"
+ #include "smc.h"
+
++#define SMC_MAX_CQE 32766 /* max. # of completion queue elements */
++
+ #define SMC_QP_MIN_RNR_TIMER 5
+ #define SMC_QP_TIMEOUT 15 /* 4096 * 2 ** timeout usec */
+ #define SMC_QP_RETRY_CNT 7 /* 7: infinite */
+@@ -438,9 +440,15 @@ out:
+ long smc_ib_setup_per_ibdev(struct smc_ib_device *smcibdev)
+ {
+ struct ib_cq_init_attr cqattr = {
+- .cqe = SMC_WR_MAX_CQE, .comp_vector = 0 };
++ .cqe = SMC_MAX_CQE, .comp_vector = 0 };
++ int cqe_size_order, smc_order;
+ long rc;
+
++ /* the calculated number of cq entries fits to mlx5 cq allocation */
++ cqe_size_order = cache_line_size() == 128 ? 7 : 6;
++ smc_order = MAX_ORDER - cqe_size_order - 1;
++ if (SMC_MAX_CQE + 2 > (0x00000001 << smc_order) * PAGE_SIZE)
++ cqattr.cqe = (0x00000001 << smc_order) * PAGE_SIZE - 2;
+ smcibdev->roce_cq_send = ib_create_cq(smcibdev->ibdev,
+ smc_wr_tx_cq_handler, NULL,
+ smcibdev, &cqattr);
+--- a/net/smc/smc_wr.h
++++ b/net/smc/smc_wr.h
+@@ -19,7 +19,6 @@
+ #include "smc.h"
+ #include "smc_core.h"
+
+-#define SMC_WR_MAX_CQE 32768 /* max. # of completion queue elements */
+ #define SMC_WR_BUF_CNT 16 /* # of ctrl buffers per link */
+
+ #define SMC_WR_TX_WAIT_FREE_SLOT_TIME (10 * HZ)
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Niklas Cassel <niklas.cassel@axis.com>
+Date: Mon, 19 Feb 2018 18:11:13 +0100
+Subject: net: stmmac: call correct function in stmmac_mac_config_rx_queues_routing()
+
+From: Niklas Cassel <niklas.cassel@axis.com>
+
+[ Upstream commit 13138de01400762f706c5e956e70660770d61962 ]
+
+stmmac_mac_config_rx_queues_routing() incorrectly calls rx_queue_prio()
+instead of rx_queue_routing().
+
+This looks like a copy paste issue, since
+stmmac_mac_config_rx_queues_prio() already calls rx_queue_prio(),
+and both stmmac_mac_config_rx_queues_routing() and
+stmmac_mac_config_rx_queues_prio() are very similar in structure.
+
+Fixes: abe80fdc6ee6 ("net: stmmac: RX queue routing configuration")
+Signed-off-by: Niklas Cassel <niklas.cassel@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2435,7 +2435,7 @@ static void stmmac_mac_config_rx_queues_
+ continue;
+
+ packet = priv->plat->rx_queues_cfg[queue].pkt_route;
+- priv->hw->mac->rx_queue_prio(priv->hw, packet, queue);
++ priv->hw->mac->rx_queue_routing(priv->hw, packet, queue);
+ }
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Niklas Cassel <niklas.cassel@axis.com>
+Date: Mon, 26 Feb 2018 22:47:08 +0100
+Subject: net: stmmac: ensure that the device has released ownership before reading data
+
+From: Niklas Cassel <niklas.cassel@axis.com>
+
+[ Upstream commit a6b25da5e7ba212af5826a662e6a035a79bffabd ]
+
+According to Documentation/memory-barriers.txt, we need to use a
+dma_rmb() after reading the status/own bit, to ensure that all
+descriptor fields are read after reading the own bit.
+
+This way, we ensure that the DMA engine is done with the DMA
+descriptor before we read the other descriptor fields, e.g. reading
+the tx hardware timestamp (if PTP is enabled).
+
+Signed-off-by: Niklas Cassel <niklas.cassel@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -1843,6 +1843,11 @@ static void stmmac_tx_clean(struct stmma
+ if (unlikely(status & tx_dma_own))
+ break;
+
++ /* Make sure descriptor fields are read after reading
++ * the own bit.
++ */
++ dma_rmb();
++
+ /* Just consider the last segment and ...*/
+ if (likely(!(status & tx_not_ls))) {
+ /* ... verify the status error condition */
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Niklas Cassel <niklas.cassel@axis.com>
+Date: Mon, 26 Feb 2018 22:47:06 +0100
+Subject: net: stmmac: ensure that the MSS desc is the last desc to set the own bit
+
+From: Niklas Cassel <niklas.cassel@axis.com>
+
+[ Upstream commit 15d2ee42a3087089e73ad52fd8c1b37ab496b87c ]
+
+A dma_wmb() is used to guarantee the ordering, with respect to
+other writes, to cache coherent DMA memory.
+
+There is a dma_wmb() in prepare_tx_desc()/prepare_tso_tx_desc() which
+ensures that TDES0/1/2 is written before TDES3 (which contains the own
+bit), for First Desc.
+
+However, in the rare case that MSS changes, there will be a MSS
+context descriptor in front of the regular DMA descriptors:
+
+<MSS desc> <- DMA Next Descriptor
+<First Desc>
+<desc n>
+<Last Desc>
+
+Thus, for this special case, we need a dma_wmb()
+after prepare_tso_tx_desc()/before writing the own bit to the MSS desc,
+so that we flush the write to TDES3 for First Desc,
+in order to ensure that the MSS descriptor is the last descriptor to
+set the own bit.
+
+Signed-off-by: Niklas Cassel <niklas.cassel@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2985,8 +2985,15 @@ static netdev_tx_t stmmac_tso_xmit(struc
+ tcp_hdrlen(skb) / 4, (skb->len - proto_hdr_len));
+
+ /* If context desc is used to change MSS */
+- if (mss_desc)
++ if (mss_desc) {
++ /* Make sure that first descriptor has been completely
++ * written, including its own bit. This is because MSS is
++ * actually before first descriptor, so we need to make
++ * sure that MSS's own bit is the last thing written.
++ */
++ dma_wmb();
+ priv->hw->desc->set_tx_owner(mss_desc);
++ }
+
+ /* The own bit must be the latest setting done when prepare the
+ * descriptor and then barrier is needed to make sure that
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Richard Haines <richard_c_haines@btinternet.com>
+Date: Mon, 13 Nov 2017 20:54:22 +0000
+Subject: netlabel: If PF_INET6, check sk_buff ip header version
+
+From: Richard Haines <richard_c_haines@btinternet.com>
+
+[ Upstream commit 213d7f94775322ba44e0bbb55ec6946e9de88cea ]
+
+When resolving a fallback label, check the sk_buff version as it
+is possible (e.g. SCTP) to have family = PF_INET6 while
+receiving ip_hdr(skb)->version = 4.
+
+Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlabel/netlabel_unlabeled.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/netlabel/netlabel_unlabeled.c
++++ b/net/netlabel/netlabel_unlabeled.c
+@@ -1472,6 +1472,16 @@ int netlbl_unlabel_getattr(const struct
+ iface = rcu_dereference(netlbl_unlhsh_def);
+ if (iface == NULL || !iface->valid)
+ goto unlabel_getattr_nolabel;
++
++#if IS_ENABLED(CONFIG_IPV6)
++ /* When resolving a fallback label, check the sk_buff version as
++ * it is possible (e.g. SCTP) to have family = PF_INET6 while
++ * receiving ip_hdr(skb)->version = 4.
++ */
++ if (family == PF_INET6 && ip_hdr(skb)->version == 4)
++ family = PF_INET;
++#endif /* IPv6 */
++
+ switch (family) {
+ case PF_INET: {
+ struct iphdr *hdr4;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Thu, 12 Apr 2018 09:16:06 -0600
+Subject: nvme: don't send keep-alives to the discovery controller
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+[ Upstream commit 74c6c71530847808d4e3be7b205719270efee80c ]
+
+NVMe over Fabrics 1.0 Section 5.2 "Discovery Controller Properties and
+Command Support" Figure 31 "Discovery Controller – Admin Commands"
+explicitly listst all commands but "Get Log Page" and "Identify" as
+reserved, but NetApp report the Linux host is sending Keep Alive
+commands to the discovery controller, which is a violation of the
+Spec.
+
+We're already checking for discovery controllers when configuring the
+keep alive timeout but when creating a discovery controller we're not
+hard wiring the keep alive timeout to 0 and thus remain on
+NVME_DEFAULT_KATO for the discovery controller.
+
+This can be easily remproduced when issuing a direct connect to the
+discovery susbsystem using:
+'nvme connect [...] --nqn=nqn.2014-08.org.nvmexpress.discovery'
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Fixes: 07bfcd09a288 ("nvme-fabrics: add a generic NVMe over Fabrics library")
+Reported-by: Martin George <marting@netapp.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/fabrics.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/fabrics.c
++++ b/drivers/nvme/host/fabrics.c
+@@ -608,8 +608,10 @@ static int nvmf_parse_options(struct nvm
+ opts->discovery_nqn =
+ !(strcmp(opts->subsysnqn,
+ NVME_DISC_SUBSYS_NAME));
+- if (opts->discovery_nqn)
++ if (opts->discovery_nqn) {
++ opts->kato = 0;
+ opts->nr_io_queues = 0;
++ }
+ break;
+ case NVMF_OPT_TRADDR:
+ p = match_strdup(args);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Thu, 12 Apr 2018 09:16:15 -0600
+Subject: nvme: expand nvmf_check_if_ready checks
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit bb06ec31452fb2da1594f88035c2ecea4e0652f4 ]
+
+The nvmf_check_if_ready() checks that were added are very simplistic.
+As such, the routine allows a lot of cases to fail ios during windows
+of reset or re-connection. In cases where there are not multi-path
+options present, the error goes back to the callee - the filesystem
+or application. Not good.
+
+The common routine was rewritten and calling syntax slightly expanded
+so that per-transport is_ready routines don't need to be present.
+The transports now call the routine directly. The routine is now a
+fabrics routine rather than an inline function.
+
+The routine now looks at controller state to decide the action to
+take. Some states mandate io failure. Others define the condition where
+a command can be accepted. When the decision is unclear, a generic
+queue-or-reject check is made to look for failfast or multipath ios and
+only fails the io if it is so marked. Otherwise, the io will be queued
+and wait for the controller state to resolve.
+
+Admin commands issued via ioctl share a live admin queue with commands
+from the transport for controller init. The ioctls could be intermixed
+with the initialization commands. It's possible for the ioctl cmd to
+be issued prior to the controller being enabled. To block this, the
+ioctl admin commands need to be distinguished from admin commands used
+for controller init. Added a USERCMD nvme_req(req)->rq_flags bit to
+reflect this division and set it on ioctls requests. As the
+nvmf_check_if_ready() routine is called prior to nvme_setup_cmd(),
+ensure that commands allocated by the ioctl path (actually anything
+in core.c) preps the nvme_req(req) before starting the io. This will
+preserve the USERCMD flag during execution and/or retry.
+
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.e>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/core.c | 17 ++++++---
+ drivers/nvme/host/fabrics.c | 79 ++++++++++++++++++++++++++++++++++++++++++++
+ drivers/nvme/host/fabrics.h | 33 +-----------------
+ drivers/nvme/host/fc.c | 12 +-----
+ drivers/nvme/host/nvme.h | 1
+ drivers/nvme/host/rdma.c | 14 +------
+ drivers/nvme/target/loop.c | 11 +-----
+ 7 files changed, 101 insertions(+), 66 deletions(-)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -378,6 +378,15 @@ static void nvme_put_ns(struct nvme_ns *
+ kref_put(&ns->kref, nvme_free_ns);
+ }
+
++static inline void nvme_clear_nvme_request(struct request *req)
++{
++ if (!(req->rq_flags & RQF_DONTPREP)) {
++ nvme_req(req)->retries = 0;
++ nvme_req(req)->flags = 0;
++ req->rq_flags |= RQF_DONTPREP;
++ }
++}
++
+ struct request *nvme_alloc_request(struct request_queue *q,
+ struct nvme_command *cmd, blk_mq_req_flags_t flags, int qid)
+ {
+@@ -394,6 +403,7 @@ struct request *nvme_alloc_request(struc
+ return req;
+
+ req->cmd_flags |= REQ_FAILFAST_DRIVER;
++ nvme_clear_nvme_request(req);
+ nvme_req(req)->cmd = cmd;
+
+ return req;
+@@ -610,11 +620,7 @@ blk_status_t nvme_setup_cmd(struct nvme_
+ {
+ blk_status_t ret = BLK_STS_OK;
+
+- if (!(req->rq_flags & RQF_DONTPREP)) {
+- nvme_req(req)->retries = 0;
+- nvme_req(req)->flags = 0;
+- req->rq_flags |= RQF_DONTPREP;
+- }
++ nvme_clear_nvme_request(req);
+
+ switch (req_op(req)) {
+ case REQ_OP_DRV_IN:
+@@ -744,6 +750,7 @@ static int nvme_submit_user_cmd(struct r
+ return PTR_ERR(req);
+
+ req->timeout = timeout ? timeout : ADMIN_TIMEOUT;
++ nvme_req(req)->flags |= NVME_REQ_USERCMD;
+
+ if (ubuffer && bufflen) {
+ ret = blk_rq_map_user(q, req, NULL, ubuffer, bufflen,
+--- a/drivers/nvme/host/fabrics.c
++++ b/drivers/nvme/host/fabrics.c
+@@ -536,6 +536,85 @@ static struct nvmf_transport_ops *nvmf_l
+ return NULL;
+ }
+
++blk_status_t nvmf_check_if_ready(struct nvme_ctrl *ctrl, struct request *rq,
++ bool queue_live, bool is_connected)
++{
++ struct nvme_command *cmd = nvme_req(rq)->cmd;
++
++ if (likely(ctrl->state == NVME_CTRL_LIVE && is_connected))
++ return BLK_STS_OK;
++
++ switch (ctrl->state) {
++ case NVME_CTRL_DELETING:
++ goto reject_io;
++
++ case NVME_CTRL_NEW:
++ case NVME_CTRL_CONNECTING:
++ if (!is_connected)
++ /*
++ * This is the case of starting a new
++ * association but connectivity was lost
++ * before it was fully created. We need to
++ * error the commands used to initialize the
++ * controller so the reconnect can go into a
++ * retry attempt. The commands should all be
++ * marked REQ_FAILFAST_DRIVER, which will hit
++ * the reject path below. Anything else will
++ * be queued while the state settles.
++ */
++ goto reject_or_queue_io;
++
++ if ((queue_live &&
++ !(nvme_req(rq)->flags & NVME_REQ_USERCMD)) ||
++ (!queue_live && blk_rq_is_passthrough(rq) &&
++ cmd->common.opcode == nvme_fabrics_command &&
++ cmd->fabrics.fctype == nvme_fabrics_type_connect))
++ /*
++ * If queue is live, allow only commands that
++ * are internally generated pass through. These
++ * are commands on the admin queue to initialize
++ * the controller. This will reject any ioctl
++ * admin cmds received while initializing.
++ *
++ * If the queue is not live, allow only a
++ * connect command. This will reject any ioctl
++ * admin cmd as well as initialization commands
++ * if the controller reverted the queue to non-live.
++ */
++ return BLK_STS_OK;
++
++ /*
++ * fall-thru to the reject_or_queue_io clause
++ */
++ break;
++
++ /* these cases fall-thru
++ * case NVME_CTRL_LIVE:
++ * case NVME_CTRL_RESETTING:
++ */
++ default:
++ break;
++ }
++
++reject_or_queue_io:
++ /*
++ * Any other new io is something we're not in a state to send
++ * to the device. Default action is to busy it and retry it
++ * after the controller state is recovered. However, anything
++ * marked for failfast or nvme multipath is immediately failed.
++ * Note: commands used to initialize the controller will be
++ * marked for failfast.
++ * Note: nvme cli/ioctl commands are marked for failfast.
++ */
++ if (!blk_noretry_request(rq) && !(rq->cmd_flags & REQ_NVME_MPATH))
++ return BLK_STS_RESOURCE;
++
++reject_io:
++ nvme_req(rq)->status = NVME_SC_ABORT_REQ;
++ return BLK_STS_IOERR;
++}
++EXPORT_SYMBOL_GPL(nvmf_check_if_ready);
++
+ static const match_table_t opt_tokens = {
+ { NVMF_OPT_TRANSPORT, "transport=%s" },
+ { NVMF_OPT_TRADDR, "traddr=%s" },
+--- a/drivers/nvme/host/fabrics.h
++++ b/drivers/nvme/host/fabrics.h
+@@ -157,36 +157,7 @@ void nvmf_unregister_transport(struct nv
+ void nvmf_free_options(struct nvmf_ctrl_options *opts);
+ int nvmf_get_address(struct nvme_ctrl *ctrl, char *buf, int size);
+ bool nvmf_should_reconnect(struct nvme_ctrl *ctrl);
+-
+-static inline blk_status_t nvmf_check_init_req(struct nvme_ctrl *ctrl,
+- struct request *rq)
+-{
+- struct nvme_command *cmd = nvme_req(rq)->cmd;
+-
+- /*
+- * We cannot accept any other command until the connect command has
+- * completed, so only allow connect to pass.
+- */
+- if (!blk_rq_is_passthrough(rq) ||
+- cmd->common.opcode != nvme_fabrics_command ||
+- cmd->fabrics.fctype != nvme_fabrics_type_connect) {
+- /*
+- * Connecting state means transport disruption or initial
+- * establishment, which can take a long time and even might
+- * fail permanently, fail fast to give upper layers a chance
+- * to failover.
+- * Deleting state means that the ctrl will never accept commands
+- * again, fail it permanently.
+- */
+- if (ctrl->state == NVME_CTRL_CONNECTING ||
+- ctrl->state == NVME_CTRL_DELETING) {
+- nvme_req(rq)->status = NVME_SC_ABORT_REQ;
+- return BLK_STS_IOERR;
+- }
+- return BLK_STS_RESOURCE; /* try again later */
+- }
+-
+- return BLK_STS_OK;
+-}
++blk_status_t nvmf_check_if_ready(struct nvme_ctrl *ctrl,
++ struct request *rq, bool queue_live, bool is_connected);
+
+ #endif /* _NVME_FABRICS_H */
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -2284,14 +2284,6 @@ nvme_fc_start_fcp_op(struct nvme_fc_ctrl
+ return BLK_STS_OK;
+ }
+
+-static inline blk_status_t nvme_fc_is_ready(struct nvme_fc_queue *queue,
+- struct request *rq)
+-{
+- if (unlikely(!test_bit(NVME_FC_Q_LIVE, &queue->flags)))
+- return nvmf_check_init_req(&queue->ctrl->ctrl, rq);
+- return BLK_STS_OK;
+-}
+-
+ static blk_status_t
+ nvme_fc_queue_rq(struct blk_mq_hw_ctx *hctx,
+ const struct blk_mq_queue_data *bd)
+@@ -2307,7 +2299,9 @@ nvme_fc_queue_rq(struct blk_mq_hw_ctx *h
+ u32 data_len;
+ blk_status_t ret;
+
+- ret = nvme_fc_is_ready(queue, rq);
++ ret = nvmf_check_if_ready(&queue->ctrl->ctrl, rq,
++ test_bit(NVME_FC_Q_LIVE, &queue->flags),
++ ctrl->rport->remoteport.port_state == FC_OBJSTATE_ONLINE);
+ if (unlikely(ret))
+ return ret;
+
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -104,6 +104,7 @@ struct nvme_request {
+
+ enum {
+ NVME_REQ_CANCELLED = (1 << 0),
++ NVME_REQ_USERCMD = (1 << 1),
+ };
+
+ static inline struct nvme_request *nvme_req(struct request *req)
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -1594,17 +1594,6 @@ nvme_rdma_timeout(struct request *rq, bo
+ return BLK_EH_HANDLED;
+ }
+
+-/*
+- * We cannot accept any other command until the Connect command has completed.
+- */
+-static inline blk_status_t
+-nvme_rdma_is_ready(struct nvme_rdma_queue *queue, struct request *rq)
+-{
+- if (unlikely(!test_bit(NVME_RDMA_Q_LIVE, &queue->flags)))
+- return nvmf_check_init_req(&queue->ctrl->ctrl, rq);
+- return BLK_STS_OK;
+-}
+-
+ static blk_status_t nvme_rdma_queue_rq(struct blk_mq_hw_ctx *hctx,
+ const struct blk_mq_queue_data *bd)
+ {
+@@ -1620,7 +1609,8 @@ static blk_status_t nvme_rdma_queue_rq(s
+
+ WARN_ON_ONCE(rq->tag < 0);
+
+- ret = nvme_rdma_is_ready(queue, rq);
++ ret = nvmf_check_if_ready(&queue->ctrl->ctrl, rq,
++ test_bit(NVME_RDMA_Q_LIVE, &queue->flags), true);
+ if (unlikely(ret))
+ return ret;
+
+--- a/drivers/nvme/target/loop.c
++++ b/drivers/nvme/target/loop.c
+@@ -149,14 +149,6 @@ nvme_loop_timeout(struct request *rq, bo
+ return BLK_EH_HANDLED;
+ }
+
+-static inline blk_status_t nvme_loop_is_ready(struct nvme_loop_queue *queue,
+- struct request *rq)
+-{
+- if (unlikely(!test_bit(NVME_LOOP_Q_LIVE, &queue->flags)))
+- return nvmf_check_init_req(&queue->ctrl->ctrl, rq);
+- return BLK_STS_OK;
+-}
+-
+ static blk_status_t nvme_loop_queue_rq(struct blk_mq_hw_ctx *hctx,
+ const struct blk_mq_queue_data *bd)
+ {
+@@ -166,7 +158,8 @@ static blk_status_t nvme_loop_queue_rq(s
+ struct nvme_loop_iod *iod = blk_mq_rq_to_pdu(req);
+ blk_status_t ret;
+
+- ret = nvme_loop_is_ready(queue, req);
++ ret = nvmf_check_if_ready(&queue->ctrl->ctrl, req,
++ test_bit(NVME_LOOP_Q_LIVE, &queue->flags), true);
+ if (unlikely(ret))
+ return ret;
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: "Jarosław Janik" <jaroslaw.janik@gmail.com>
+Date: Sun, 11 Mar 2018 19:51:56 +0100
+Subject: nvme-pci: disable APST for Samsung NVMe SSD 960 EVO + ASUS PRIME Z370-A
+
+From: "Jarosław Janik" <jaroslaw.janik@gmail.com>
+
+[ Upstream commit 467c77d4cbefaaf65e2f44fe102d543a52fcae5b ]
+
+Yet another "incompatible" Samsung NVMe SSD 960 EVO and Asus motherboard
+combination. 960 EVO device disappears from PCIe bus within few minutes
+after boot-up when APST is in use and never gets back. Forcing
+NVME_QUIRK_NO_APST is the only way to make this drive work with this
+particular motherboard. NVME_QUIRK_NO_DEEPEST_PS doesn't work, upgrading
+motherboard's BIOS didn't help either.
+Since this is a desktop motherboard, the only drawback of not using APST
+is increased device temperature.
+
+Signed-off-by: Jarosław Janik <jaroslaw.janik@gmail.com>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/pci.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2461,10 +2461,13 @@ static unsigned long check_vendor_combin
+ } else if (pdev->vendor == 0x144d && pdev->device == 0xa804) {
+ /*
+ * Samsung SSD 960 EVO drops off the PCIe bus after system
+- * suspend on a Ryzen board, ASUS PRIME B350M-A.
++ * suspend on a Ryzen board, ASUS PRIME B350M-A, as well as
++ * within few minutes after bootup on a Coffee Lake board -
++ * ASUS PRIME Z370-A
+ */
+ if (dmi_match(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC.") &&
+- dmi_match(DMI_BOARD_NAME, "PRIME B350M-A"))
++ (dmi_match(DMI_BOARD_NAME, "PRIME B350M-A") ||
++ dmi_match(DMI_BOARD_NAME, "PRIME Z370-A")))
+ return NVME_QUIRK_NO_APST;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Wed, 28 Feb 2018 14:49:10 -0800
+Subject: nvme_fc: fix abort race on teardown with lld reject
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit b12740d316fa89f3f6191b71f986cf3b9383d379 ]
+
+Another abort race: An io request is started, becomes active,
+and is attempted to be started with the lldd. At the same time
+the controller is stopped/torndown and an itterator is run to
+abort the ios. As the io is active, it is added to the outstanding
+aborted io count. However on the original io request thread, the
+driver ends up rejecting the io due to the condition that induced
+the controller teardown. The driver reject path didn't check whether
+it was in the outstanding io count. This left the count outstanding
+stopping controller teardown.
+
+Correct by, in the driver reject case, setting the state to
+inactive and checking whether it was in the outstanding io count.
+
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/fc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -2191,7 +2191,7 @@ nvme_fc_start_fcp_op(struct nvme_fc_ctrl
+ struct nvme_fc_cmd_iu *cmdiu = &op->cmd_iu;
+ struct nvme_command *sqe = &cmdiu->sqe;
+ u32 csn;
+- int ret;
++ int ret, opstate;
+
+ /*
+ * before attempting to send the io, check to see if we believe
+@@ -2269,6 +2269,9 @@ nvme_fc_start_fcp_op(struct nvme_fc_ctrl
+ queue->lldd_handle, &op->fcp_req);
+
+ if (ret) {
++ opstate = atomic_xchg(&op->state, FCPOP_STATE_COMPLETE);
++ __nvme_fc_fcpop_chk_teardowns(ctrl, op, opstate);
++
+ if (!(op->flags & FCOP_FLAGS_AEN))
+ nvme_fc_unmap_data(ctrl, op->rq, op);
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Jun Piao <piaojun@huawei.com>
+Date: Thu, 5 Apr 2018 16:18:48 -0700
+Subject: ocfs2/dlm: don't handle migrate lockres if already in shutdown
+
+From: Jun Piao <piaojun@huawei.com>
+
+[ Upstream commit bb34f24c7d2c98d0c81838a7700e6068325b17a0 ]
+
+We should not handle migrate lockres if we are already in
+'DLM_CTXT_IN_SHUTDOWN', as that will cause lockres remains after leaving
+dlm domain. At last other nodes will get stuck into infinite loop when
+requsting lock from us.
+
+The problem is caused by concurrency umount between nodes. Before
+receiveing N1's DLM_BEGIN_EXIT_DOMAIN_MSG, N2 has picked up N1 as the
+migrate target. So N2 will continue sending lockres to N1 even though
+N1 has left domain.
+
+ N1 N2 (owner)
+ touch file
+
+ access the file,
+ and get pr lock
+
+ begin leave domain and
+ pick up N1 as new owner
+
+ begin leave domain and
+ migrate all lockres done
+
+ begin migrate lockres to N1
+
+ end leave domain, but
+ the lockres left
+ unexpectedly, because
+ migrate task has passed
+
+[piaojun@huawei.com: v3]
+ Link: http://lkml.kernel.org/r/5A9CBD19.5020107@huawei.com
+Link: http://lkml.kernel.org/r/5A99F028.2090902@huawei.com
+Signed-off-by: Jun Piao <piaojun@huawei.com>
+Reviewed-by: Yiwen Jiang <jiangyiwen@huawei.com>
+Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
+Reviewed-by: Changwei Ge <ge.changwei@h3c.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/dlm/dlmdomain.c | 14 --------------
+ fs/ocfs2/dlm/dlmdomain.h | 25 ++++++++++++++++++++++++-
+ fs/ocfs2/dlm/dlmrecovery.c | 9 +++++++++
+ 3 files changed, 33 insertions(+), 15 deletions(-)
+
+--- a/fs/ocfs2/dlm/dlmdomain.c
++++ b/fs/ocfs2/dlm/dlmdomain.c
+@@ -675,20 +675,6 @@ static void dlm_leave_domain(struct dlm_
+ spin_unlock(&dlm->spinlock);
+ }
+
+-int dlm_shutting_down(struct dlm_ctxt *dlm)
+-{
+- int ret = 0;
+-
+- spin_lock(&dlm_domain_lock);
+-
+- if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN)
+- ret = 1;
+-
+- spin_unlock(&dlm_domain_lock);
+-
+- return ret;
+-}
+-
+ void dlm_unregister_domain(struct dlm_ctxt *dlm)
+ {
+ int leave = 0;
+--- a/fs/ocfs2/dlm/dlmdomain.h
++++ b/fs/ocfs2/dlm/dlmdomain.h
+@@ -28,7 +28,30 @@
+ extern spinlock_t dlm_domain_lock;
+ extern struct list_head dlm_domains;
+
+-int dlm_shutting_down(struct dlm_ctxt *dlm);
++static inline int dlm_joined(struct dlm_ctxt *dlm)
++{
++ int ret = 0;
++
++ spin_lock(&dlm_domain_lock);
++ if (dlm->dlm_state == DLM_CTXT_JOINED)
++ ret = 1;
++ spin_unlock(&dlm_domain_lock);
++
++ return ret;
++}
++
++static inline int dlm_shutting_down(struct dlm_ctxt *dlm)
++{
++ int ret = 0;
++
++ spin_lock(&dlm_domain_lock);
++ if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN)
++ ret = 1;
++ spin_unlock(&dlm_domain_lock);
++
++ return ret;
++}
++
+ void dlm_fire_domain_eviction_callbacks(struct dlm_ctxt *dlm,
+ int node_num);
+
+--- a/fs/ocfs2/dlm/dlmrecovery.c
++++ b/fs/ocfs2/dlm/dlmrecovery.c
+@@ -1378,6 +1378,15 @@ int dlm_mig_lockres_handler(struct o2net
+ if (!dlm_grab(dlm))
+ return -EINVAL;
+
++ if (!dlm_joined(dlm)) {
++ mlog(ML_ERROR, "Domain %s not joined! "
++ "lockres %.*s, master %u\n",
++ dlm->name, mres->lockname_len,
++ mres->lockname, mres->master);
++ dlm_put(dlm);
++ return -EINVAL;
++ }
++
+ BUG_ON(!(mres->flags & (DLM_MRES_RECOVERY|DLM_MRES_MIGRATION)));
+
+ real_master = mres->master;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Helge Deller <deller@gmx.de>
+Date: Sun, 25 Mar 2018 14:04:22 +0200
+Subject: parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit b845f66f78bf42a4ce98e5cfe0e94fab41dd0742 ]
+
+Carlo Pisani noticed that his C3600 workstation behaved unstable during heavy
+I/O on the PCI bus with a VIA VT6421 IDE/SATA PCI card.
+
+To avoid such instability, this patch switches the LBA PCI bus from Hard Fail
+mode into Soft Fail mode. In this mode the bus will return -1UL for timed out
+MMIO transactions, which is exactly how the x86 (and most other architectures)
+PCI busses behave.
+
+This patch is based on a proposal by Grant Grundler and Kyle McMartin 10
+years ago:
+https://www.spinics.net/lists/linux-parisc/msg01027.html
+
+Cc: Carlo Pisani <carlojpisani@gmail.com>
+Cc: Kyle McMartin <kyle@mcmartin.ca>
+Reviewed-by: Grant Grundler <grantgrundler@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/parisc/lba_pci.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/parisc/lba_pci.c
++++ b/drivers/parisc/lba_pci.c
+@@ -1403,9 +1403,27 @@ lba_hw_init(struct lba_device *d)
+ WRITE_REG32(stat, d->hba.base_addr + LBA_ERROR_CONFIG);
+ }
+
+- /* Set HF mode as the default (vs. -1 mode). */
++
++ /*
++ * Hard Fail vs. Soft Fail on PCI "Master Abort".
++ *
++ * "Master Abort" means the MMIO transaction timed out - usually due to
++ * the device not responding to an MMIO read. We would like HF to be
++ * enabled to find driver problems, though it means the system will
++ * crash with a HPMC.
++ *
++ * In SoftFail mode "~0L" is returned as a result of a timeout on the
++ * pci bus. This is like how PCI busses on x86 and most other
++ * architectures behave. In order to increase compatibility with
++ * existing (x86) PCI hardware and existing Linux drivers we enable
++ * Soft Faul mode on PA-RISC now too.
++ */
+ stat = READ_REG32(d->hba.base_addr + LBA_STAT_CTL);
++#if defined(ENABLE_HARDFAIL)
+ WRITE_REG32(stat | HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL);
++#else
++ WRITE_REG32(stat & ~HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL);
++#endif
+
+ /*
+ ** Writing a zero to STAT_CTL.rf (bit 0) will clear reset signal
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Thomas Vincent-Cross <me@tvc.id.au>
+Date: Tue, 27 Feb 2018 20:20:36 +1100
+Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9220
+
+From: Thomas Vincent-Cross <me@tvc.id.au>
+
+[ Upstream commit 832e4e1f76b8a84991e9db56fdcef1ebce839b8b ]
+
+Add Marvell 88SE9220 DMA quirk as found and tested on bug 42679.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=42679
+Signed-off-by: Thomas Vincent-Cross <me@tvc.id.au>
+Signed-off-by: Bjorn Helgaas <helgaas@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3903,6 +3903,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M
+ /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c46 */
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x91a0,
+ quirk_dma_func1_alias);
++/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c127 */
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9220,
++ quirk_dma_func1_alias);
+ /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230,
+ quirk_dma_func1_alias);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com>
+Date: Wed, 28 Feb 2018 18:32:19 +0100
+Subject: PCI: endpoint: Fix kernel panic after put_device()
+
+From: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com>
+
+[ Upstream commit 9eef6a5c3b0bf90eb292d462ea267bcb6ad1c334 ]
+
+'put_device()' calls the relase function 'pci_epf_dev_release()',
+which already frees 'epf->name' and 'epf'.
+
+Therefore we must not free them again after 'put_device()'.
+
+Fixes: 5e8cb4033807 ("PCI: endpoint: Add EP core layer to enable EP controller and EP functions")
+
+Signed-off-by: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Kishon Vijay Abraham I <kishon@ti.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/pci-epf-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/endpoint/pci-epf-core.c
++++ b/drivers/pci/endpoint/pci-epf-core.c
+@@ -243,7 +243,7 @@ struct pci_epf *pci_epf_create(const cha
+
+ put_dev:
+ put_device(dev);
+- kfree(epf->name);
++ return ERR_PTR(ret);
+
+ free_func_name:
+ kfree(func_name);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Date: Sat, 3 Mar 2018 10:53:24 +0100
+Subject: PCI: Restore config space on runtime resume despite being unbound
+
+From: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+
+[ Upstream commit 5775b843a619b3c93f946e2b55a208d9f0f48b59 ]
+
+We leave PCI devices not bound to a driver in D0 during runtime suspend.
+But they may have a parent which is bound and can be transitioned to
+D3cold at runtime. Once the parent goes to D3cold, the unbound child
+may go to D3cold as well. When the child goes to D3cold, its internal
+state, including configuration of BARs, MSI, ASPM, MPS, etc., is lost.
+
+One example are recent hybrid graphics laptops which cut power to the
+discrete GPU when the root port above it goes to ACPI power state D3.
+Users may provoke this by unbinding the GPU driver and allowing runtime
+PM on the GPU via sysfs: The PM core will then treat the GPU as
+"suspended", which in turn allows the root port to runtime suspend,
+causing the power resources listed in its _PR3 object to be powered off.
+The GPU's BARs will be uninitialized when a driver later probes it.
+
+Another example are hybrid graphics laptops where the GPU itself (rather
+than the root port) is capable of runtime suspending to D3cold. If the
+GPU's integrated HDA controller is not bound and the GPU's driver
+decides to runtime suspend to D3cold, the HDA controller's BARs will be
+uninitialized when a driver later probes it.
+
+Fix by saving and restoring config space over a runtime suspend cycle
+even if the device is not bound.
+
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Peter Wu <peter@lekensteyn.nl> # Nvidia Optimus
+Tested-by: Lukas Wunner <lukas@wunner.de> # MacBook Pro
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+[lukas: add commit message, bikeshed code comments for clarity]
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/92fb6e6ae2730915eb733c08e2f76c6a313e3860.1520068884.git.lukas@wunner.de
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci-driver.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -1225,11 +1225,14 @@ static int pci_pm_runtime_suspend(struct
+ int error;
+
+ /*
+- * If pci_dev->driver is not set (unbound), the device should
+- * always remain in D0 regardless of the runtime PM status
++ * If pci_dev->driver is not set (unbound), we leave the device in D0,
++ * but it may go to D3cold when the bridge above it runtime suspends.
++ * Save its config space in case that happens.
+ */
+- if (!pci_dev->driver)
++ if (!pci_dev->driver) {
++ pci_save_state(pci_dev);
+ return 0;
++ }
+
+ if (!pm || !pm->runtime_suspend)
+ return -ENOSYS;
+@@ -1277,16 +1280,18 @@ static int pci_pm_runtime_resume(struct
+ const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;
+
+ /*
+- * If pci_dev->driver is not set (unbound), the device should
+- * always remain in D0 regardless of the runtime PM status
++ * Restoring config space is necessary even if the device is not bound
++ * to a driver because although we left it in D0, it may have gone to
++ * D3cold when the bridge above it runtime suspended.
+ */
++ pci_restore_standard_config(pci_dev);
++
+ if (!pci_dev->driver)
+ return 0;
+
+ if (!pm || !pm->runtime_resume)
+ return -ENOSYS;
+
+- pci_restore_standard_config(pci_dev);
+ pci_fixup_device(pci_fixup_resume_early, pci_dev);
+ pci_enable_wake(pci_dev, PCI_D0, false);
+ pci_fixup_device(pci_fixup_resume, pci_dev);
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Wed, 21 Feb 2018 13:24:16 +0100
+Subject: PCMCIA / PM: Avoid noirq suspend aborts during suspend-to-idle
+
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+
+[ Upstream commit dbdd0f58fd2cdde5cf945c9da67a2d52d32ba550 ]
+
+There is a problem with PCMCIA system resume callbacks with respect
+to suspend-to-idle in which the ->suspend_noirq() callback may be
+invoked after the ->resume_noirq() one without resuming the system
+entirely in some cases. This doesn't work for PCMCIA because of
+the lack of symmetry between its system suspend and system resume
+"noirq" callbacks.
+
+The system resume handling in PCMCIA is split between
+socket_early_resume() and socket_late_resume() which are called in
+different phases of system resume and both need to run for
+socket_suspend() (invoked by the system suspend "noirq" callback)
+to work. Specifically, socket_suspend() returns an error when
+called after socket_early_resume() without socket_late_resume(),
+so if the suspend-to-idle core detects a spurious wakeup event and
+attempts to put the system back to sleep, that is aborted by the
+error coming from socket_suspend().
+
+Avoid that by using a new socket state flag, SOCKET_IN_RESUME,
+to indicate that socket_early_resume() has already run for the
+socket in which case socket_suspend() will do minimum handling
+and return 0.
+
+This change has been tested on my venerable Toshiba Portege R500
+(which is where the problem has been discovered in the first place),
+but admittedly I have no PCMCIA cards to test along with the socket
+itself.
+
+Fixes: 33e4f80ee69b (ACPI / PM: Ignore spurious SCI wakeups from suspend-to-idle)
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+[linux@dominikbrodowski.net: follow same codepaths for both suspend variants; call ->suspend()]
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pcmcia/cs.c | 10 +++++++---
+ drivers/pcmcia/cs_internal.h | 1 +
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/pcmcia/cs.c
++++ b/drivers/pcmcia/cs.c
+@@ -452,17 +452,20 @@ static int socket_insert(struct pcmcia_s
+
+ static int socket_suspend(struct pcmcia_socket *skt)
+ {
+- if (skt->state & SOCKET_SUSPEND)
++ if ((skt->state & SOCKET_SUSPEND) && !(skt->state & SOCKET_IN_RESUME))
+ return -EBUSY;
+
+ mutex_lock(&skt->ops_mutex);
+- skt->suspended_state = skt->state;
++ /* store state on first suspend, but not after spurious wakeups */
++ if (!(skt->state & SOCKET_IN_RESUME))
++ skt->suspended_state = skt->state;
+
+ skt->socket = dead_socket;
+ skt->ops->set_socket(skt, &skt->socket);
+ if (skt->ops->suspend)
+ skt->ops->suspend(skt);
+ skt->state |= SOCKET_SUSPEND;
++ skt->state &= ~SOCKET_IN_RESUME;
+ mutex_unlock(&skt->ops_mutex);
+ return 0;
+ }
+@@ -475,6 +478,7 @@ static int socket_early_resume(struct pc
+ skt->ops->set_socket(skt, &skt->socket);
+ if (skt->state & SOCKET_PRESENT)
+ skt->resume_status = socket_setup(skt, resume_delay);
++ skt->state |= SOCKET_IN_RESUME;
+ mutex_unlock(&skt->ops_mutex);
+ return 0;
+ }
+@@ -484,7 +488,7 @@ static int socket_late_resume(struct pcm
+ int ret = 0;
+
+ mutex_lock(&skt->ops_mutex);
+- skt->state &= ~SOCKET_SUSPEND;
++ skt->state &= ~(SOCKET_SUSPEND | SOCKET_IN_RESUME);
+ mutex_unlock(&skt->ops_mutex);
+
+ if (!(skt->state & SOCKET_PRESENT)) {
+--- a/drivers/pcmcia/cs_internal.h
++++ b/drivers/pcmcia/cs_internal.h
+@@ -70,6 +70,7 @@ struct pccard_resource_ops {
+ /* Flags in socket state */
+ #define SOCKET_PRESENT 0x0008
+ #define SOCKET_INUSE 0x0010
++#define SOCKET_IN_RESUME 0x0040
+ #define SOCKET_SUSPEND 0x0080
+ #define SOCKET_WIN_REQ(i) (0x0100<<(i))
+ #define SOCKET_CARDBUS 0x8000
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Sandipan Das <sandipan@linux.vnet.ibm.com>
+Date: Wed, 4 Apr 2018 23:34:18 +0530
+Subject: perf clang: Add support for recent clang versions
+
+From: Sandipan Das <sandipan@linux.vnet.ibm.com>
+
+[ Upstream commit 7854e499f33fd9c7e63288692ffb754d9b1d02fd ]
+
+The clang API calls used by perf have changed in recent releases and
+builds succeed with libclang-3.9 only. This introduces compatibility
+with libclang-4.0 and above.
+
+Without this patch, we will see the following compilation errors with
+libclang-4.0+:
+
+ util/c++/clang.cpp: In function ‘clang::CompilerInvocation* perf::createCompilerInvocation(llvm::opt::ArgStringList, llvm::StringRef&, clang::DiagnosticsEngine&)’:
+ util/c++/clang.cpp:62:33: error: ‘IK_C’ was not declared in this scope
+ Opts.Inputs.emplace_back(Path, IK_C);
+ ^~~~
+ util/c++/clang.cpp: In function ‘std::unique_ptr<llvm::Module> perf::getModuleFromSource(llvm::opt::ArgStringList, llvm::StringRef, llvm::IntrusiveRefCntPtr<clang::vfs::FileSystem>)’:
+ util/c++/clang.cpp:75:26: error: no matching function for call to ‘clang::CompilerInstance::setInvocation(clang::CompilerInvocation*)’
+ Clang.setInvocation(&*CI);
+ ^
+ In file included from util/c++/clang.cpp:14:0:
+ /usr/include/clang/Frontend/CompilerInstance.h:231:8: note: candidate: void clang::CompilerInstance::setInvocation(std::shared_ptr<clang::CompilerInvocation>)
+ void setInvocation(std::shared_ptr<CompilerInvocation> Value);
+ ^~~~~~~~~~~~~
+
+Committer testing:
+
+Tested on Fedora 27 after installing the clang-devel and llvm-devel
+packages, versions:
+
+ # rpm -qa | egrep llvm\|clang
+ llvm-5.0.1-6.fc27.x86_64
+ clang-libs-5.0.1-5.fc27.x86_64
+ clang-5.0.1-5.fc27.x86_64
+ clang-tools-extra-5.0.1-5.fc27.x86_64
+ llvm-libs-5.0.1-6.fc27.x86_64
+ llvm-devel-5.0.1-6.fc27.x86_64
+ clang-devel-5.0.1-5.fc27.x86_64
+ #
+
+Make sure you don't have some older version lying around in /usr/local,
+etc, then:
+
+ $ make LIBCLANGLLVM=1 -C tools/perf install-bin
+
+And in the end perf will be linked agains these libraries:
+
+ # ldd ~/bin/perf | egrep -i llvm\|clang
+ libclangAST.so.5 => /lib64/libclangAST.so.5 (0x00007f8bb2eb4000)
+ libclangBasic.so.5 => /lib64/libclangBasic.so.5 (0x00007f8bb29e3000)
+ libclangCodeGen.so.5 => /lib64/libclangCodeGen.so.5 (0x00007f8bb23f7000)
+ libclangDriver.so.5 => /lib64/libclangDriver.so.5 (0x00007f8bb2060000)
+ libclangFrontend.so.5 => /lib64/libclangFrontend.so.5 (0x00007f8bb1d06000)
+ libclangLex.so.5 => /lib64/libclangLex.so.5 (0x00007f8bb1a3e000)
+ libclangTooling.so.5 => /lib64/libclangTooling.so.5 (0x00007f8bb17d4000)
+ libclangEdit.so.5 => /lib64/libclangEdit.so.5 (0x00007f8bb15c5000)
+ libclangSema.so.5 => /lib64/libclangSema.so.5 (0x00007f8bb0cc9000)
+ libclangAnalysis.so.5 => /lib64/libclangAnalysis.so.5 (0x00007f8bb0a23000)
+ libclangParse.so.5 => /lib64/libclangParse.so.5 (0x00007f8bb0725000)
+ libclangSerialization.so.5 => /lib64/libclangSerialization.so.5 (0x00007f8bb039a000)
+ libLLVM-5.0.so => /lib64/libLLVM-5.0.so (0x00007f8bace98000)
+ libclangASTMatchers.so.5 => /lib64/../lib64/libclangASTMatchers.so.5 (0x00007f8bab735000)
+ libclangFormat.so.5 => /lib64/../lib64/libclangFormat.so.5 (0x00007f8bab4b2000)
+ libclangRewrite.so.5 => /lib64/../lib64/libclangRewrite.so.5 (0x00007f8bab2a1000)
+ libclangToolingCore.so.5 => /lib64/../lib64/libclangToolingCore.so.5 (0x00007f8bab08e000)
+ #
+
+Signed-off-by: Sandipan Das <sandipan@linux.vnet.ibm.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Fixes: 00b86691c77c ("perf clang: Add builtin clang support ant test case")
+Link: http://lkml.kernel.org/r/20180404180419.19056-2-sandipan@linux.vnet.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/c++/clang.cpp | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/c++/clang.cpp
++++ b/tools/perf/util/c++/clang.cpp
+@@ -9,6 +9,7 @@
+ * Copyright (C) 2016 Huawei Inc.
+ */
+
++#include "clang/Basic/Version.h"
+ #include "clang/CodeGen/CodeGenAction.h"
+ #include "clang/Frontend/CompilerInvocation.h"
+ #include "clang/Frontend/CompilerInstance.h"
+@@ -58,7 +59,8 @@ createCompilerInvocation(llvm::opt::ArgS
+
+ FrontendOptions& Opts = CI->getFrontendOpts();
+ Opts.Inputs.clear();
+- Opts.Inputs.emplace_back(Path, IK_C);
++ Opts.Inputs.emplace_back(Path,
++ FrontendOptions::getInputKindForExtension("c"));
+ return CI;
+ }
+
+@@ -71,10 +73,17 @@ getModuleFromSource(llvm::opt::ArgString
+
+ Clang.setVirtualFileSystem(&*VFS);
+
++#if CLANG_VERSION_MAJOR < 4
+ IntrusiveRefCntPtr<CompilerInvocation> CI =
+ createCompilerInvocation(std::move(CFlags), Path,
+ Clang.getDiagnostics());
+ Clang.setInvocation(&*CI);
++#else
++ std::shared_ptr<CompilerInvocation> CI(
++ createCompilerInvocation(std::move(CFlags), Path,
++ Clang.getDiagnostics()));
++ Clang.setInvocation(CI);
++#endif
+
+ std::unique_ptr<CodeGenAction> Act(new EmitLLVMOnlyAction(&*LLVMCtx));
+ if (!Clang.ExecuteAction(*Act))
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: "leilei.lin" <leilei.lin@alibaba-inc.com>
+Date: Tue, 6 Mar 2018 17:36:37 +0800
+Subject: perf/core: Fix installing cgroup events on CPU
+
+From: "leilei.lin" <leilei.lin@alibaba-inc.com>
+
+[ Upstream commit 33801b94741d6c3be9713c10aa627477216c21e2 ]
+
+There's two problems when installing cgroup events on CPUs: firstly
+list_update_cgroup_event() only tries to set cpuctx->cgrp for the
+first event, if that mismatches on @cgrp we'll not try again for later
+additions.
+
+Secondly, when we install a cgroup event into an active context, only
+issue an event reprogram when the event matches the current cgroup
+context. This avoids a pointless event reprogramming.
+
+Signed-off-by: leilei.lin <leilei.lin@alibaba-inc.com>
+[ Improved the changelog and comments. ]
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: brendan.d.gregg@gmail.com
+Cc: eranian@gmail.com
+Cc: linux-kernel@vger.kernel.org
+Cc: yang_oliver@hotmail.com
+Link: http://lkml.kernel.org/r/20180306093637.28247-1-linxiulei@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/core.c | 46 +++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 35 insertions(+), 11 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -948,27 +948,39 @@ list_update_cgroup_event(struct perf_eve
+ if (!is_cgroup_event(event))
+ return;
+
+- if (add && ctx->nr_cgroups++)
+- return;
+- else if (!add && --ctx->nr_cgroups)
+- return;
+ /*
+ * Because cgroup events are always per-cpu events,
+ * this will always be called from the right CPU.
+ */
+ cpuctx = __get_cpu_context(ctx);
+- cpuctx_entry = &cpuctx->cgrp_cpuctx_entry;
+- /* cpuctx->cgrp is NULL unless a cgroup event is active in this CPU .*/
+- if (add) {
++
++ /*
++ * Since setting cpuctx->cgrp is conditional on the current @cgrp
++ * matching the event's cgroup, we must do this for every new event,
++ * because if the first would mismatch, the second would not try again
++ * and we would leave cpuctx->cgrp unset.
++ */
++ if (add && !cpuctx->cgrp) {
+ struct perf_cgroup *cgrp = perf_cgroup_from_task(current, ctx);
+
+- list_add(cpuctx_entry, this_cpu_ptr(&cgrp_cpuctx_list));
+ if (cgroup_is_descendant(cgrp->css.cgroup, event->cgrp->css.cgroup))
+ cpuctx->cgrp = cgrp;
+- } else {
+- list_del(cpuctx_entry);
+- cpuctx->cgrp = NULL;
+ }
++
++ if (add && ctx->nr_cgroups++)
++ return;
++ else if (!add && --ctx->nr_cgroups)
++ return;
++
++ /* no cgroup running */
++ if (!add)
++ cpuctx->cgrp = NULL;
++
++ cpuctx_entry = &cpuctx->cgrp_cpuctx_entry;
++ if (add)
++ list_add(cpuctx_entry, this_cpu_ptr(&cgrp_cpuctx_list));
++ else
++ list_del(cpuctx_entry);
+ }
+
+ #else /* !CONFIG_CGROUP_PERF */
+@@ -2328,6 +2340,18 @@ static int __perf_install_in_context(vo
+ raw_spin_lock(&task_ctx->lock);
+ }
+
++#ifdef CONFIG_CGROUP_PERF
++ if (is_cgroup_event(event)) {
++ /*
++ * If the current cgroup doesn't match the event's
++ * cgroup, we should not try to schedule it.
++ */
++ struct perf_cgroup *cgrp = perf_cgroup_from_task(current, ctx);
++ reprogram = cgroup_is_descendant(cgrp->css.cgroup,
++ event->cgrp->css.cgroup);
++ }
++#endif
++
+ if (reprogram) {
+ ctx_sched_out(ctx, cpuctx, EVENT_TIME);
+ add_event_to_ctx(event, ctx);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Fri, 9 Mar 2018 12:52:04 +0100
+Subject: perf/core: Fix perf_output_read_group()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 9e5b127d6f33468143d90c8a45ca12410e4c3fa7 ]
+
+Mark reported his arm64 perf fuzzer runs sometimes splat like:
+
+ armv8pmu_read_counter+0x1e8/0x2d8
+ armpmu_event_update+0x8c/0x188
+ armpmu_read+0xc/0x18
+ perf_output_read+0x550/0x11e8
+ perf_event_read_event+0x1d0/0x248
+ perf_event_exit_task+0x468/0xbb8
+ do_exit+0x690/0x1310
+ do_group_exit+0xd0/0x2b0
+ get_signal+0x2e8/0x17a8
+ do_signal+0x144/0x4f8
+ do_notify_resume+0x148/0x1e8
+ work_pending+0x8/0x14
+
+which asserts that we only call pmu::read() on ACTIVE events.
+
+The above callchain does:
+
+ perf_event_exit_task()
+ perf_event_exit_task_context()
+ task_ctx_sched_out() // INACTIVE
+ perf_event_exit_event()
+ perf_event_set_state(EXIT) // EXIT
+ sync_child_event()
+ perf_event_read_event()
+ perf_output_read()
+ perf_output_read_group()
+ leader->pmu->read()
+
+Which results in doing a pmu::read() on an !ACTIVE event.
+
+I _think_ this is 'new' since we added attr.inherit_stat, which added
+the perf_event_read_event() to the exit path, without that
+perf_event_read_output() would only trigger from samples and for
+@event to trigger a sample, it's leader _must_ be ACTIVE too.
+
+Still, adding this check makes it consistent with the @sub case for
+the siblings.
+
+Reported-and-Tested-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -5770,7 +5770,8 @@ static void perf_output_read_group(struc
+ if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING)
+ values[n++] = running;
+
+- if (leader != event)
++ if ((leader != event) &&
++ (leader->state == PERF_EVENT_STATE_ACTIVE))
+ leader->pmu->read(leader);
+
+ values[n++] = perf_event_count(leader);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Mon, 26 Mar 2018 09:42:09 -0400
+Subject: perf mmap: Fix accessing unmapped mmap in perf_mmap__read_done()
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit f58385f629c87a9e210108b39c1f4950d0363ad2 ]
+
+There is a segmentation fault when running 'perf trace'. For example:
+
+ [root@jouet e]# perf trace -e *chdir -o /tmp/bla perf report --ignore-vmlinux -i ../perf.data
+
+The perf_mmap__consume() could unmap the mmap. It needs to check the
+refcnt in perf_mmap__read_done().
+
+Reported-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Wang Nan <wangnan0@huawei.com>
+Fixes: ee023de05f35 ("perf mmap: Introduce perf_mmap__read_done()")
+Link: http://lkml.kernel.org/r/1522071729-16776-1-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/mmap.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/tools/perf/util/mmap.c
++++ b/tools/perf/util/mmap.c
+@@ -344,5 +344,11 @@ out:
+ */
+ void perf_mmap__read_done(struct perf_mmap *map)
+ {
++ /*
++ * Check if event was unmapped due to a POLLHUP/POLLERR.
++ */
++ if (!refcount_read(&map->refcnt))
++ return;
++
+ map->prev = perf_mmap__read_head(map);
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Fri, 16 Feb 2018 13:36:19 +0100
+Subject: perf report: Fix memory corruption in --branch-history mode --branch-history
+
+From: Jiri Olsa <jolsa@redhat.com>
+
+[ Upstream commit e3ebaa465136ecfedf9c6f4671df02bf625f8125 ]
+
+Jin Yao reported memory corrupton in perf report with
+branch info used for stack trace:
+
+ > Following command lines will cause perf crash.
+
+ > perf record -j call -g -a <application>
+ > perf report --branch-history
+ >
+ > *** Error in `perf': double free or corruption (!prev): 0x00000000104aa040 ***
+ > ======= Backtrace: =========
+ > /lib/x86_64-linux-gnu/libc.so.6(+0x77725)[0x7f6b37254725]
+ > /lib/x86_64-linux-gnu/libc.so.6(+0x7ff4a)[0x7f6b3725cf4a]
+ > /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f6b37260abc]
+ > perf[0x51b914]
+ > perf(hist_entry_iter__add+0x1e5)[0x51f305]
+ > perf[0x43cf01]
+ > perf[0x4fa3bf]
+ > perf[0x4fa923]
+ > perf[0x4fd396]
+ > perf[0x4f9614]
+ > perf(perf_session__process_events+0x89e)[0x4fc38e]
+ > perf(cmd_report+0x15d2)[0x43f202]
+ > perf[0x4a059f]
+ > perf(main+0x631)[0x427b71]
+ > /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f6b371fd830]
+ > perf(_start+0x29)[0x427d89]
+
+For the cumulative output, we allocate the he_cache array based on the
+--max-stack option value and populate it with data from 'callchain_cursor'.
+
+The --max-stack option value does not ensure now the limit for number of
+callchain_cursor nodes, so the cumulative iter code will allocate smaller array
+than it's actually needed and cause above corruption.
+
+I think the --max-stack limit does not apply here anyway, because we add
+callchain data as normal hist entries, while the --max-stack control the limit
+of single entry callchain depth.
+
+Using the callchain_cursor.nr as he_cache array count to fix this. Also
+removing struct hist_entry_iter::max_stack, because there's no longer any use
+for it.
+
+We need more fixes to ensure that the branch stack code follows properly the
+logic of --max-stack, which is not the case at the moment.
+
+Original-patch-by: Jin Yao <yao.jin@linux.intel.com>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Reported-by: Jin Yao <yao.jin@linux.intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20180216123619.GA9945@krava
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/hist.c | 4 +---
+ tools/perf/util/hist.h | 1 -
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+--- a/tools/perf/util/hist.c
++++ b/tools/perf/util/hist.c
+@@ -879,7 +879,7 @@ iter_prepare_cumulative_entry(struct his
+ * cumulated only one time to prevent entries more than 100%
+ * overhead.
+ */
+- he_cache = malloc(sizeof(*he_cache) * (iter->max_stack + 1));
++ he_cache = malloc(sizeof(*he_cache) * (callchain_cursor.nr + 1));
+ if (he_cache == NULL)
+ return -ENOMEM;
+
+@@ -1045,8 +1045,6 @@ int hist_entry_iter__add(struct hist_ent
+ if (err)
+ return err;
+
+- iter->max_stack = max_stack_depth;
+-
+ err = iter->ops->prepare_entry(iter, al);
+ if (err)
+ goto out;
+--- a/tools/perf/util/hist.h
++++ b/tools/perf/util/hist.h
+@@ -107,7 +107,6 @@ struct hist_entry_iter {
+ int curr;
+
+ bool hide_unresolved;
+- int max_stack;
+
+ struct perf_evsel *evsel;
+ struct perf_sample *sample;
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Jin Yao <yao.jin@linux.intel.com>
+Date: Mon, 29 Jan 2018 18:57:53 +0800
+Subject: perf report: Fix wrong jump arrow
+
+From: Jin Yao <yao.jin@linux.intel.com>
+
+[ Upstream commit b40982e8468b46b8f7f5bba5a7e541ec04a29d7d ]
+
+When we use perf report interactive annotate view, we can see
+the position of jump arrow is not correct. For example,
+
+1. perf record -b ...
+2. perf report
+3. In interactive mode, select Annotate 'function'
+
+Percent│ IPC Cycle
+ │ if (flag)
+ 1.37 │0.4┌── 1 ↓ je 82
+ │ │ x += x / y + y / x;
+ 0.00 │0.4│ 1310 movsd (%rsp),%xmm0
+ 0.00 │0.4│ 565 movsd 0x8(%rsp),%xmm4
+ │0.4│ movsd 0x8(%rsp),%xmm1
+ │0.4│ movsd (%rsp),%xmm3
+ │0.4│ divsd %xmm4,%xmm0
+ 0.00 │0.4│ 579 divsd %xmm3,%xmm1
+ │0.4│ movsd (%rsp),%xmm2
+ │0.4│ addsd %xmm1,%xmm0
+ │0.4│ addsd %xmm2,%xmm0
+ 0.00 │0.4│ movsd %xmm0,(%rsp)
+ │ │ volatile double x = 1212121212, y = 121212;
+ │ │
+ │ │ s_randseed = time(0);
+ │ │ srand(s_randseed);
+ │ │
+ │ │ for (i = 0; i < 2000000000; i++) {
+ 1.37 │0.4└─→ 82: sub $0x1,%ebx
+ 28.21 │0.48 17 ↑ jne 38
+
+The jump arrow in above example is not correct. It should add the
+width of IPC and Cycle.
+
+With this patch, the result is:
+
+Percent│ IPC Cycle
+ │ if (flag)
+ 1.37 │0.48 1 ┌──je 82
+ │ │ x += x / y + y / x;
+ 0.00 │0.48 1310 │ movsd (%rsp),%xmm0
+ 0.00 │0.48 565 │ movsd 0x8(%rsp),%xmm4
+ │0.48 │ movsd 0x8(%rsp),%xmm1
+ │0.48 │ movsd (%rsp),%xmm3
+ │0.48 │ divsd %xmm4,%xmm0
+ 0.00 │0.48 579 │ divsd %xmm3,%xmm1
+ │0.48 │ movsd (%rsp),%xmm2
+ │0.48 │ addsd %xmm1,%xmm0
+ │0.48 │ addsd %xmm2,%xmm0
+ 0.00 │0.48 │ movsd %xmm0,(%rsp)
+ │ │ volatile double x = 1212121212, y = 121212;
+ │ │
+ │ │ s_randseed = time(0);
+ │ │ srand(s_randseed);
+ │ │
+ │ │ for (i = 0; i < 2000000000; i++) {
+ 1.37 │0.48 82:└─→sub $0x1,%ebx
+ 28.21 │0.48 17 ↑ jne 38
+
+Committer notes:
+
+Please note that only from LBRv5 (according to Jiri) onwards, i.e. >=
+Skylake is that we'll have the cycles counts in each branch record
+entry, so to see the Cycles and IPC columns, and be able to test this
+patch, one need a capable hardware.
+
+While applying this I first tested it on a Broadwell class machine and
+couldn't get those columns, will add code to the annotate browser to
+warn the user about that, i.e. you have branch records, but no cycles,
+use a more recent hardware to get the cycles and IPC columns.
+
+Signed-off-by: Jin Yao <yao.jin@linux.intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jin Yao <yao.jin@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/1517223473-14750-1-git-send-email-yao.jin@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/ui/browsers/annotate.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/ui/browsers/annotate.c
++++ b/tools/perf/ui/browsers/annotate.c
+@@ -319,6 +319,7 @@ static void annotate_browser__draw_curre
+ struct map_symbol *ms = ab->b.priv;
+ struct symbol *sym = ms->sym;
+ u8 pcnt_width = annotate_browser__pcnt_width(ab);
++ int width = 0;
+
+ /* PLT symbols contain external offsets */
+ if (strstr(sym->name, "@plt"))
+@@ -365,13 +366,17 @@ static void annotate_browser__draw_curre
+ to = (u64)btarget->idx;
+ }
+
++ if (ab->have_cycles)
++ width = IPC_WIDTH + CYCLES_WIDTH;
++
+ ui_browser__set_color(browser, HE_COLORSET_JUMP_ARROWS);
+- __ui_browser__line_arrow(browser, pcnt_width + 2 + ab->addr_width,
++ __ui_browser__line_arrow(browser,
++ pcnt_width + 2 + ab->addr_width + width,
+ from, to);
+
+ if (is_fused(ab, cursor)) {
+ ui_browser__mark_fused(browser,
+- pcnt_width + 3 + ab->addr_width,
++ pcnt_width + 3 + ab->addr_width + width,
+ from - 1,
+ to > from ? true : false);
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Thomas Richter <tmricht@linux.vnet.ibm.com>
+Date: Thu, 8 Mar 2018 15:57:35 +0100
+Subject: perf stat: Fix core dump when flag T is used
+
+From: Thomas Richter <tmricht@linux.vnet.ibm.com>
+
+[ Upstream commit fca32340a5e8b896f57d41fd94b8b1701df25eb1 ]
+
+Executing command 'perf stat -T -- ls' dumps core on x86 and s390.
+
+Here is the call back chain (done on x86):
+
+ # gdb ./perf
+ ....
+ (gdb) r stat -T -- ls
+...
+Program received signal SIGSEGV, Segmentation fault.
+0x00007ffff56d1963 in vasprintf () from /lib64/libc.so.6
+(gdb) where
+ #0 0x00007ffff56d1963 in vasprintf () from /lib64/libc.so.6
+ #1 0x00007ffff56ae484 in asprintf () from /lib64/libc.so.6
+ #2 0x00000000004f1982 in __parse_events_add_pmu (parse_state=0x7fffffffd580,
+ list=0xbfb970, name=0xbf3ef0 "cpu",
+ head_config=0xbfb930, auto_merge_stats=false) at util/parse-events.c:1233
+ #3 0x00000000004f1c8e in parse_events_add_pmu (parse_state=0x7fffffffd580,
+ list=0xbfb970, name=0xbf3ef0 "cpu",
+ head_config=0xbfb930) at util/parse-events.c:1288
+ #4 0x0000000000537ce3 in parse_events_parse (_parse_state=0x7fffffffd580,
+ scanner=0xbf4210) at util/parse-events.y:234
+ #5 0x00000000004f2c7a in parse_events__scanner (str=0x6b66c0
+ "task-clock,{instructions,cycles,cpu/cycles-t/,cpu/tx-start/}",
+ parse_state=0x7fffffffd580, start_token=258) at util/parse-events.c:1673
+ #6 0x00000000004f2e23 in parse_events (evlist=0xbe9990, str=0x6b66c0
+ "task-clock,{instructions,cycles,cpu/cycles-t/,cpu/tx-start/}", err=0x0)
+ at util/parse-events.c:1713
+ #7 0x000000000044e137 in add_default_attributes () at builtin-stat.c:2281
+ #8 0x000000000044f7b5 in cmd_stat (argc=1, argv=0x7fffffffe3b0) at
+ builtin-stat.c:2828
+ #9 0x00000000004c8b0f in run_builtin (p=0xab01a0 <commands+288>, argc=4,
+ argv=0x7fffffffe3b0) at perf.c:297
+ #10 0x00000000004c8d7c in handle_internal_command (argc=4,
+ argv=0x7fffffffe3b0) at perf.c:349
+ #11 0x00000000004c8ece in run_argv (argcp=0x7fffffffe20c,
+ argv=0x7fffffffe200) at perf.c:393
+ #12 0x00000000004c929c in main (argc=4, argv=0x7fffffffe3b0) at perf.c:537
+(gdb)
+
+It turns out that a NULL pointer is referenced. Here are the
+function calls:
+
+ ...
+ cmd_stat()
+ +---> add_default_attributes()
+ +---> parse_events(evsel_list, transaction_attrs, NULL);
+ 3rd parameter set to NULL
+
+Function parse_events(xx, xx, struct parse_events_error *err) dives
+into a bison generated scanner and creates
+parser state information for it first:
+
+ struct parse_events_state parse_state = {
+ .list = LIST_HEAD_INIT(parse_state.list),
+ .idx = evlist->nr_entries,
+ .error = err, <--- NULL POINTER !!!
+ .evlist = evlist,
+ };
+
+Now various functions inside the bison scanner are called to end up in
+__parse_events_add_pmu(struct parse_events_state *parse_state, ..) with
+first parameter being a pointer to above structure definition.
+
+Now the PMU event name is not found (because being executed in a VM) and
+this function tries to create an error message with
+
+ asprintf(&parse_state->error.str, ....)
+
+which references a NULL pointer and dumps core.
+
+Fix this by providing a pointer to the necessary error information
+instead of NULL. Technically only the else part is needed to avoid the
+core dump, just lets be safe...
+
+Signed-off-by: Thomas Richter <tmricht@linux.vnet.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Link: http://lkml.kernel.org/r/20180308145735.64717-1-tmricht@linux.vnet.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/builtin-stat.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/builtin-stat.c
++++ b/tools/perf/builtin-stat.c
+@@ -2274,11 +2274,16 @@ static int add_default_attributes(void)
+ return 0;
+
+ if (transaction_run) {
++ struct parse_events_error errinfo;
++
+ if (pmu_have_event("cpu", "cycles-ct") &&
+ pmu_have_event("cpu", "el-start"))
+- err = parse_events(evsel_list, transaction_attrs, NULL);
++ err = parse_events(evsel_list, transaction_attrs,
++ &errinfo);
+ else
+- err = parse_events(evsel_list, transaction_limited_attrs, NULL);
++ err = parse_events(evsel_list,
++ transaction_limited_attrs,
++ &errinfo);
+ if (err) {
+ fprintf(stderr, "Cannot set up transaction events\n");
+ return -1;
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Thomas Richter <tmricht@linux.vnet.ibm.com>
+Date: Wed, 14 Feb 2018 08:03:03 +0100
+Subject: perf test: Fix test case inet_pton to accept inlines.
+
+From: Thomas Richter <tmricht@linux.vnet.ibm.com>
+
+[ Upstream commit 0f19a038afdc592176c9a302f0d08be6a68ad74a ]
+
+Using Fedora 27 and latest Linux kernel the test case
+trace+probe_libc_inet_pton.sh fails again on s390. This time is the
+inlining of functions which does not match. After an update of the
+glibc (from 2.26-16 to 2.26-24) the output is different
+
+The expected output is:
+
+ __inet_pton (/usr/lib64/libc-2.26.so)
+ gaih_inet (inlined)
+ ....
+
+The actual output is:
+
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 0.061/0.061/0.061/0.000 ms
+ 0.000 probe_libc:inet_pton:(3ffb2140448))
+ __inet_pton (inlined)
+ gaih_inet.constprop.7 (/usr/lib64/libc-2.26.so)
+ ...
+
+Fix this by being less strict on 'inlined' verses library name and
+accept both
+
+Signed-off-by: Thomas Richter <tmricht@linux.vnet.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Link: http://lkml.kernel.org/r/20180214070303.55757-1-tmricht@linux.vnet.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/tests/shell/trace+probe_libc_inet_pton.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/tools/perf/tests/shell/trace+probe_libc_inet_pton.sh
++++ b/tools/perf/tests/shell/trace+probe_libc_inet_pton.sh
+@@ -21,12 +21,12 @@ trace_libc_inet_pton_backtrace() {
+ expected[3]=".*packets transmitted.*"
+ expected[4]="rtt min.*"
+ expected[5]="[0-9]+\.[0-9]+[[:space:]]+probe_libc:inet_pton:\([[:xdigit:]]+\)"
+- expected[6]=".*inet_pton[[:space:]]\($libc\)$"
++ expected[6]=".*inet_pton[[:space:]]\($libc|inlined\)$"
+ case "$(uname -m)" in
+ s390x)
+ eventattr='call-graph=dwarf'
+- expected[7]="gaih_inet[[:space:]]\(inlined\)$"
+- expected[8]="__GI_getaddrinfo[[:space:]]\(inlined\)$"
++ expected[7]="gaih_inet.*[[:space:]]\($libc|inlined\)$"
++ expected[8]="__GI_getaddrinfo[[:space:]]\($libc|inlined\)$"
+ expected[9]="main[[:space:]]\(.*/bin/ping.*\)$"
+ expected[10]="__libc_start_main[[:space:]]\($libc\)$"
+ expected[11]="_start[[:space:]]\(.*/bin/ping.*\)$"
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Tue, 6 Feb 2018 19:18:12 +0100
+Subject: perf tests: Fix dwarf unwind for stripped binaries
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit fdf7c49c200d1b9909e2204cec5bd68b48605c71 ]
+
+When we strip the perf binary, dwarf unwind test stop
+to work. The reason is that strip will remove static
+function symbols, which we need to check for unwind.
+
+This change will keep this test working in cases where
+the global symbols are put into dynamic symbol table,
+which is the case on x86. It still won't work on powerpc.
+
+Making those 5 local functions global, and adding
+'test_dwarf_unwind__' to their names.
+
+Committer testing:
+
+Before:
+
+ # perf test dwarf
+ 58: DWARF unwind : Ok
+ # strip ~/bin/perf
+ # perf test dwarf
+ 58: DWARF unwind : FAILED!
+ # perf test -v dwarf
+ 58: DWARF unwind :
+ --- start ---
+ test child forked, pid 6590
+ unwind: thread map already set, dso=/home/acme/bin/perf
+ <SNIP>
+ unwind: access_mem addr 0x7ffce6c48098 val 48563f, offset 1144
+ unwind: test__dwarf_unwind:ip = 0x4a54e5 (0xa54e5)
+ got: test__dwarf_unwind 0xa54e5, expecting test__dwarf_unwind
+ unwind: '':ip = 0x4a50bb (0xa50bb)
+ failed: got unresolved address 0xa50bb
+ unwind failed
+ test child finished with -1
+ ---- end ----
+ DWARF unwind: FAILED!
+ #
+
+After:
+
+ # perf test dwarf
+ 58: DWARF unwind : Ok
+ # strip ~/bin/perf
+ # perf test dwarf
+ 58: DWARF unwind : Ok
+ #
+ # perf test -v dwarf
+ 58: DWARF unwind :
+ --- start ---
+ test child forked, pid 7219
+ unwind: thread map already set, dso=/home/acme/bin/perf
+ <SNIP>
+ unwind: access_mem addr 0x7fff007da2c8 val 48575f, offset 1144
+ unwind: test__arch_unwind_sample:ip = 0x589044 (0x189044)
+ got: test__arch_unwind_sample 0x189044, expecting test__arch_unwind_sample
+ unwind: test_dwarf_unwind__thread:ip = 0x4a52f7 (0xa52f7)
+ got: test_dwarf_unwind__thread 0xa52f7, expecting test_dwarf_unwind__thread
+ unwind: test_dwarf_unwind__compare:ip = 0x4a5468 (0xa5468)
+ got: test_dwarf_unwind__compare 0xa5468, expecting test_dwarf_unwind__compare
+ unwind: bsearch:ip = 0x7f6608ae94d8 (0x394d8)
+ got: bsearch 0x394d8, expecting bsearch
+ unwind: test_dwarf_unwind__krava_3:ip = 0x4a54d1 (0xa54d1)
+ got: test_dwarf_unwind__krava_3 0xa54d1, expecting test_dwarf_unwind__krava_3
+ unwind: test_dwarf_unwind__krava_2:ip = 0x4a550b (0xa550b)
+ got: test_dwarf_unwind__krava_2 0xa550b, expecting test_dwarf_unwind__krava_2
+ unwind: test_dwarf_unwind__krava_1:ip = 0x4a554b (0xa554b)
+ got: test_dwarf_unwind__krava_1 0xa554b, expecting test_dwarf_unwind__krava_1
+ unwind: test__dwarf_unwind:ip = 0x4a5605 (0xa5605)
+ got: test__dwarf_unwind 0xa5605, expecting test__dwarf_unwind
+ test child finished with 0
+ ---- end ----
+ DWARF unwind: Ok
+ #
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20180206181813.10943-17-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/tests/dwarf-unwind.c | 46 ++++++++++++++++++++++++++--------------
+ 1 file changed, 30 insertions(+), 16 deletions(-)
+
+--- a/tools/perf/tests/dwarf-unwind.c
++++ b/tools/perf/tests/dwarf-unwind.c
+@@ -37,6 +37,19 @@ static int init_live_machine(struct mach
+ mmap_handler, machine, true, 500);
+ }
+
++/*
++ * We need to keep these functions global, despite the
++ * fact that they are used only locally in this object,
++ * in order to keep them around even if the binary is
++ * stripped. If they are gone, the unwind check for
++ * symbol fails.
++ */
++int test_dwarf_unwind__thread(struct thread *thread);
++int test_dwarf_unwind__compare(void *p1, void *p2);
++int test_dwarf_unwind__krava_3(struct thread *thread);
++int test_dwarf_unwind__krava_2(struct thread *thread);
++int test_dwarf_unwind__krava_1(struct thread *thread);
++
+ #define MAX_STACK 8
+
+ static int unwind_entry(struct unwind_entry *entry, void *arg)
+@@ -45,12 +58,12 @@ static int unwind_entry(struct unwind_en
+ char *symbol = entry->sym ? entry->sym->name : NULL;
+ static const char *funcs[MAX_STACK] = {
+ "test__arch_unwind_sample",
+- "unwind_thread",
+- "compare",
++ "test_dwarf_unwind__thread",
++ "test_dwarf_unwind__compare",
+ "bsearch",
+- "krava_3",
+- "krava_2",
+- "krava_1",
++ "test_dwarf_unwind__krava_3",
++ "test_dwarf_unwind__krava_2",
++ "test_dwarf_unwind__krava_1",
+ "test__dwarf_unwind"
+ };
+ /*
+@@ -77,7 +90,7 @@ static int unwind_entry(struct unwind_en
+ return strcmp((const char *) symbol, funcs[idx]);
+ }
+
+-static noinline int unwind_thread(struct thread *thread)
++noinline int test_dwarf_unwind__thread(struct thread *thread)
+ {
+ struct perf_sample sample;
+ unsigned long cnt = 0;
+@@ -108,7 +121,7 @@ static noinline int unwind_thread(struct
+
+ static int global_unwind_retval = -INT_MAX;
+
+-static noinline int compare(void *p1, void *p2)
++noinline int test_dwarf_unwind__compare(void *p1, void *p2)
+ {
+ /* Any possible value should be 'thread' */
+ struct thread *thread = *(struct thread **)p1;
+@@ -117,17 +130,17 @@ static noinline int compare(void *p1, vo
+ /* Call unwinder twice for both callchain orders. */
+ callchain_param.order = ORDER_CALLER;
+
+- global_unwind_retval = unwind_thread(thread);
++ global_unwind_retval = test_dwarf_unwind__thread(thread);
+ if (!global_unwind_retval) {
+ callchain_param.order = ORDER_CALLEE;
+- global_unwind_retval = unwind_thread(thread);
++ global_unwind_retval = test_dwarf_unwind__thread(thread);
+ }
+ }
+
+ return p1 - p2;
+ }
+
+-static noinline int krava_3(struct thread *thread)
++noinline int test_dwarf_unwind__krava_3(struct thread *thread)
+ {
+ struct thread *array[2] = {thread, thread};
+ void *fp = &bsearch;
+@@ -141,18 +154,19 @@ static noinline int krava_3(struct threa
+ size_t, int (*)(void *, void *));
+
+ _bsearch = fp;
+- _bsearch(array, &thread, 2, sizeof(struct thread **), compare);
++ _bsearch(array, &thread, 2, sizeof(struct thread **),
++ test_dwarf_unwind__compare);
+ return global_unwind_retval;
+ }
+
+-static noinline int krava_2(struct thread *thread)
++noinline int test_dwarf_unwind__krava_2(struct thread *thread)
+ {
+- return krava_3(thread);
++ return test_dwarf_unwind__krava_3(thread);
+ }
+
+-static noinline int krava_1(struct thread *thread)
++noinline int test_dwarf_unwind__krava_1(struct thread *thread)
+ {
+- return krava_2(thread);
++ return test_dwarf_unwind__krava_2(thread);
+ }
+
+ int test__dwarf_unwind(struct test *test __maybe_unused, int subtest __maybe_unused)
+@@ -189,7 +203,7 @@ int test__dwarf_unwind(struct test *test
+ goto out;
+ }
+
+- err = krava_1(thread);
++ err = test_dwarf_unwind__krava_1(thread);
+ thread__put(thread);
+
+ out:
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Thu, 15 Feb 2018 13:26:35 +0100
+Subject: perf tests: Use arch__compare_symbol_names to compare symbols
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit ab6e9a99345131cd8e54268d1d0dc04a33f7ed11 ]
+
+The symbol search called by machine__find_kernel_symbol_by_name is using
+internally arch__compare_symbol_names function to compare 2 symbol
+names, because different archs have different ways of comparing symbols.
+Mostly for skipping '.' prefixes and similar.
+
+In test 1 when we try to find matching symbols in kallsyms and vmlinux,
+by address and by symbol name. When either is found we compare the pair
+symbol names by simple strcmp, which is not good enough for reasons
+explained in previous paragraph.
+
+On powerpc this can cause lockup, because even thought we found the
+pair, the compared names are different and don't match simple strcmp.
+Following code path is executed, that leads to lockup:
+
+ - we find the pair in kallsyms by sym->start
+next_pair:
+ - we compare the names and it fails
+ - we find the pair by sym->name
+ - the pair addresses match so we call goto next_pair
+ because we assume the names match in this case
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Tested-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Fixes: 031b84c407c3 ("perf probe ppc: Enable matching against dot symbols automatically")
+Link: http://lkml.kernel.org/r/20180215122635.24029-10-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/tests/vmlinux-kallsyms.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/tests/vmlinux-kallsyms.c
++++ b/tools/perf/tests/vmlinux-kallsyms.c
+@@ -125,7 +125,7 @@ int test__vmlinux_matches_kallsyms(struc
+
+ if (pair && UM(pair->start) == mem_start) {
+ next_pair:
+- if (strcmp(sym->name, pair->name) == 0) {
++ if (arch__compare_symbol_names(sym->name, pair->name) == 0) {
+ /*
+ * kallsyms don't have the symbol end, so we
+ * set that by using the next symbol start - 1,
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Sandipan Das <sandipan@linux.vnet.ibm.com>
+Date: Wed, 4 Apr 2018 23:34:17 +0530
+Subject: perf tools: Fix perf builds with clang support
+
+From: Sandipan Das <sandipan@linux.vnet.ibm.com>
+
+[ Upstream commit c2fb54a183cfe77c6fdc9d71e2d5299c1c302a6e ]
+
+For libclang, some distro packages provide static libraries (.a) while
+some provide shared libraries (.so). Currently, perf code can only be
+linked with static libraries. This makes perf build possible for both
+cases.
+
+Signed-off-by: Sandipan Das <sandipan@linux.vnet.ibm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Fixes: d58ac0bf8d1e ("perf build: Add clang and llvm compile and linking support")
+Link: http://lkml.kernel.org/r/20180404180419.19056-1-sandipan@linux.vnet.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/Makefile.perf | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/Makefile.perf
++++ b/tools/perf/Makefile.perf
+@@ -364,7 +364,8 @@ LIBS = -Wl,--whole-archive $(PERFLIBS) $
+
+ ifeq ($(USE_CLANG), 1)
+ CLANGLIBS_LIST = AST Basic CodeGen Driver Frontend Lex Tooling Edit Sema Analysis Parse Serialization
+- LIBCLANG = $(foreach l,$(CLANGLIBS_LIST),$(wildcard $(shell $(LLVM_CONFIG) --libdir)/libclang$(l).a))
++ CLANGLIBS_NOEXT_LIST = $(foreach l,$(CLANGLIBS_LIST),$(shell $(LLVM_CONFIG) --libdir)/libclang$(l))
++ LIBCLANG = $(foreach l,$(CLANGLIBS_NOEXT_LIST),$(wildcard $(l).a $(l).so))
+ LIBS += -Wl,--start-group $(LIBCLANG) -Wl,--end-group
+ endif
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Yisheng Xie <xieyisheng1@huawei.com>
+Date: Mon, 12 Mar 2018 19:25:56 +0800
+Subject: perf top: Fix top.call-graph config option reading
+
+From: Yisheng Xie <xieyisheng1@huawei.com>
+
+[ Upstream commit a3a4a3b37c9b911af4c375b2475cea0fd2b84d38 ]
+
+When trying to add the "call-graph" variable for top into the
+.perfconfig file, like:
+
+ [top]
+ call-graph = fp
+
+I that perf_top_config() do not parse this variable.
+
+Fix it by calling perf_default_config() when the top.call-graph variable
+is set.
+
+Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Wang Nan <wangnan0@huawei.com>
+Fixes: b8cbb349061e ("perf config: Bring perf_default_config to the very beginning at main()")
+Link: http://lkml.kernel.org/r/1520853957-36106-1-git-send-email-xieyisheng1@huawei.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/builtin-top.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/builtin-top.c
++++ b/tools/perf/builtin-top.c
+@@ -1224,8 +1224,10 @@ parse_callchain_opt(const struct option
+
+ static int perf_top_config(const char *var, const char *value, void *cb __maybe_unused)
+ {
+- if (!strcmp(var, "top.call-graph"))
+- var = "call-graph.record-mode"; /* fall-through */
++ if (!strcmp(var, "top.call-graph")) {
++ var = "call-graph.record-mode";
++ return perf_default_config(var, value, cb);
++ }
+ if (!strcmp(var, "top.children")) {
+ symbol_conf.cumulate_callchain = perf_config_bool(var, value);
+ return 0;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Mon, 12 Feb 2018 14:20:31 -0800
+Subject: perf/x86/intel: Fix event update for auto-reload
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit d31fc13fdcb20e1c317f9a7dd6273c18fbd58308 ]
+
+There is a bug when reading event->count with large PEBS enabled.
+
+Here is an example:
+
+ # ./read_count
+ 0x71f0
+ 0x122c0
+ 0x1000000001c54
+ 0x100000001257d
+ 0x200000000bdc5
+
+In fixed period mode, the auto-reload mechanism could be enabled for
+PEBS events, but the calculation of event->count does not take the
+auto-reload values into account.
+
+Anyone who reads event->count will get the wrong result, e.g x86_pmu_read().
+
+This bug was introduced with the auto-reload mechanism enabled since
+commit:
+
+ 851559e35fd5 ("perf/x86/intel: Use the PEBS auto reload mechanism when possible")
+
+Introduce intel_pmu_save_and_restart_reload() to calculate the
+event->count only for auto-reload.
+
+Since the counter increments a negative counter value and overflows on
+the sign switch, giving the interval:
+
+ [-period, 0]
+
+the difference between two consequtive reads is:
+
+ A) value2 - value1;
+ when no overflows have happened in between,
+ B) (0 - value1) + (value2 - (-period));
+ when one overflow happened in between,
+ C) (0 - value1) + (n - 1) * (period) + (value2 - (-period));
+ when @n overflows happened in between.
+
+Here A) is the obvious difference, B) is the extension to the discrete
+interval, where the first term is to the top of the interval and the
+second term is from the bottom of the next interval and C) the extension
+to multiple intervals, where the middle term is the whole intervals
+covered.
+
+The equation for all cases is:
+
+ value2 - value1 + n * period
+
+Previously the event->count is updated right before the sample output.
+But for case A, there is no PEBS record ready. It needs to be specially
+handled.
+
+Remove the auto-reload code from x86_perf_event_set_period() since
+we'll not longer call that function in this case.
+
+Based-on-code-from: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: acme@kernel.org
+Fixes: 851559e35fd5 ("perf/x86/intel: Use the PEBS auto reload mechanism when possible")
+Link: http://lkml.kernel.org/r/1518474035-21006-2-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/core.c | 15 ++-----
+ arch/x86/events/intel/ds.c | 92 +++++++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 94 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -1156,16 +1156,13 @@ int x86_perf_event_set_period(struct per
+
+ per_cpu(pmc_prev_left[idx], smp_processor_id()) = left;
+
+- if (!(hwc->flags & PERF_X86_EVENT_AUTO_RELOAD) ||
+- local64_read(&hwc->prev_count) != (u64)-left) {
+- /*
+- * The hw event starts counting from this event offset,
+- * mark it to be able to extra future deltas:
+- */
+- local64_set(&hwc->prev_count, (u64)-left);
++ /*
++ * The hw event starts counting from this event offset,
++ * mark it to be able to extra future deltas:
++ */
++ local64_set(&hwc->prev_count, (u64)-left);
+
+- wrmsrl(hwc->event_base, (u64)(-left) & x86_pmu.cntval_mask);
+- }
++ wrmsrl(hwc->event_base, (u64)(-left) & x86_pmu.cntval_mask);
+
+ /*
+ * Due to erratum on certan cpu we need
+--- a/arch/x86/events/intel/ds.c
++++ b/arch/x86/events/intel/ds.c
+@@ -1315,17 +1315,84 @@ get_next_pebs_record_by_bit(void *base,
+ return NULL;
+ }
+
++/*
++ * Special variant of intel_pmu_save_and_restart() for auto-reload.
++ */
++static int
++intel_pmu_save_and_restart_reload(struct perf_event *event, int count)
++{
++ struct hw_perf_event *hwc = &event->hw;
++ int shift = 64 - x86_pmu.cntval_bits;
++ u64 period = hwc->sample_period;
++ u64 prev_raw_count, new_raw_count;
++ s64 new, old;
++
++ WARN_ON(!period);
++
++ /*
++ * drain_pebs() only happens when the PMU is disabled.
++ */
++ WARN_ON(this_cpu_read(cpu_hw_events.enabled));
++
++ prev_raw_count = local64_read(&hwc->prev_count);
++ rdpmcl(hwc->event_base_rdpmc, new_raw_count);
++ local64_set(&hwc->prev_count, new_raw_count);
++
++ /*
++ * Since the counter increments a negative counter value and
++ * overflows on the sign switch, giving the interval:
++ *
++ * [-period, 0]
++ *
++ * the difference between two consequtive reads is:
++ *
++ * A) value2 - value1;
++ * when no overflows have happened in between,
++ *
++ * B) (0 - value1) + (value2 - (-period));
++ * when one overflow happened in between,
++ *
++ * C) (0 - value1) + (n - 1) * (period) + (value2 - (-period));
++ * when @n overflows happened in between.
++ *
++ * Here A) is the obvious difference, B) is the extension to the
++ * discrete interval, where the first term is to the top of the
++ * interval and the second term is from the bottom of the next
++ * interval and C) the extension to multiple intervals, where the
++ * middle term is the whole intervals covered.
++ *
++ * An equivalent of C, by reduction, is:
++ *
++ * value2 - value1 + n * period
++ */
++ new = ((s64)(new_raw_count << shift) >> shift);
++ old = ((s64)(prev_raw_count << shift) >> shift);
++ local64_add(new - old + count * period, &event->count);
++
++ perf_event_update_userpage(event);
++
++ return 0;
++}
++
+ static void __intel_pmu_pebs_event(struct perf_event *event,
+ struct pt_regs *iregs,
+ void *base, void *top,
+ int bit, int count)
+ {
++ struct hw_perf_event *hwc = &event->hw;
+ struct perf_sample_data data;
+ struct pt_regs regs;
+ void *at = get_next_pebs_record_by_bit(base, top, bit);
+
+- if (!intel_pmu_save_and_restart(event) &&
+- !(event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD))
++ if (hwc->flags & PERF_X86_EVENT_AUTO_RELOAD) {
++ /*
++ * Now, auto-reload is only enabled in fixed period mode.
++ * The reload value is always hwc->sample_period.
++ * May need to change it, if auto-reload is enabled in
++ * freq mode later.
++ */
++ intel_pmu_save_and_restart_reload(event, count);
++ } else if (!intel_pmu_save_and_restart(event))
+ return;
+
+ while (count > 1) {
+@@ -1377,8 +1444,11 @@ static void intel_pmu_drain_pebs_core(st
+ return;
+
+ n = top - at;
+- if (n <= 0)
++ if (n <= 0) {
++ if (event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD)
++ intel_pmu_save_and_restart_reload(event, 0);
+ return;
++ }
+
+ __intel_pmu_pebs_event(event, iregs, at, top, 0, n);
+ }
+@@ -1401,8 +1471,22 @@ static void intel_pmu_drain_pebs_nhm(str
+
+ ds->pebs_index = ds->pebs_buffer_base;
+
+- if (unlikely(base >= top))
++ if (unlikely(base >= top)) {
++ /*
++ * The drain_pebs() could be called twice in a short period
++ * for auto-reload event in pmu::read(). There are no
++ * overflows have happened in between.
++ * It needs to call intel_pmu_save_and_restart_reload() to
++ * update the event->count for this case.
++ */
++ for_each_set_bit(bit, (unsigned long *)&cpuc->pebs_enabled,
++ x86_pmu.max_pebs_events) {
++ event = cpuc->events[bit];
++ if (event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD)
++ intel_pmu_save_and_restart_reload(event, 0);
++ }
+ return;
++ }
+
+ for (at = base; at < top; at += x86_pmu.pebs_record_size) {
+ struct pebs_record_nhm *p = at;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Thu, 1 Mar 2018 12:54:54 -0500
+Subject: perf/x86/intel: Fix large period handling on Broadwell CPUs
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit f605cfca8c39ffa2b98c06d2b9f30ba64f1e54e3 ]
+
+Large fixed period values could be truncated on Broadwell, for example:
+
+ perf record -e cycles -c 10000000000
+
+Here the fixed period is 0x2540BE400, but the period which finally applied is
+0x540BE400 - which is wrong.
+
+The reason is that x86_pmu::limit_period() uses an u32 parameter, so the
+high 32 bits of 'period' get truncated.
+
+This bug was introduced in:
+
+ commit 294fe0f52a44 ("perf/x86/intel: Add INST_RETIRED.ALL workarounds")
+
+It's safe to use u64 instead of u32:
+
+ - Although the 'left' is s64, the value of 'left' must be positive when
+ calling limit_period().
+
+ - bdw_limit_period() only modifies the lowest 6 bits, it doesn't touch
+ the higher 32 bits.
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: 294fe0f52a44 ("perf/x86/intel: Add INST_RETIRED.ALL workarounds")
+Link: http://lkml.kernel.org/r/1519926894-3520-1-git-send-email-kan.liang@linux.intel.com
+[ Rewrote unacceptably bad changelog. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/core.c | 2 +-
+ arch/x86/events/perf_event.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -3196,7 +3196,7 @@ glp_get_event_constraints(struct cpu_hw_
+ * Therefore the effective (average) period matches the requested period,
+ * despite coarser hardware granularity.
+ */
+-static unsigned bdw_limit_period(struct perf_event *event, unsigned left)
++static u64 bdw_limit_period(struct perf_event *event, u64 left)
+ {
+ if ((event->hw.config & INTEL_ARCH_EVENT_MASK) ==
+ X86_CONFIG(.event=0xc0, .umask=0x01)) {
+--- a/arch/x86/events/perf_event.h
++++ b/arch/x86/events/perf_event.h
+@@ -557,7 +557,7 @@ struct x86_pmu {
+ struct x86_pmu_quirk *quirks;
+ int perfctr_second_write;
+ bool late_ack;
+- unsigned (*limit_period)(struct perf_event *event, unsigned l);
++ u64 (*limit_period)(struct perf_event *event, u64 l);
+
+ /*
+ * sysfs attrs
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Tue, 20 Feb 2018 02:11:50 -0800
+Subject: perf/x86/intel: Properly save/restore the PMU state in the NMI handler
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 82d71ed0277efc45360828af8c4e4d40e1b45352 ]
+
+The PMU is disabled in intel_pmu_handle_irq(), but cpuc->enabled is not updated
+accordingly.
+
+This is fine in current usage because no-one checks it - but fix it
+for future code: for example, the drain_pebs() will be modified to
+fix an auto-reload bug.
+
+Properly save/restore the old PMU state.
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: acme@kernel.org
+Cc: kernel test robot <fengguang.wu@intel.com>
+Link: http://lkml.kernel.org/r/6f44ee84-56f8-79f1-559b-08e371eaeb78@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/core.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -2201,16 +2201,23 @@ static int intel_pmu_handle_irq(struct p
+ int bit, loops;
+ u64 status;
+ int handled;
++ int pmu_enabled;
+
+ cpuc = this_cpu_ptr(&cpu_hw_events);
+
+ /*
++ * Save the PMU state.
++ * It needs to be restored when leaving the handler.
++ */
++ pmu_enabled = cpuc->enabled;
++ /*
+ * No known reason to not always do late ACK,
+ * but just in case do it opt-in.
+ */
+ if (!x86_pmu.late_ack)
+ apic_write(APIC_LVTPC, APIC_DM_NMI);
+ intel_bts_disable_local();
++ cpuc->enabled = 0;
+ __intel_pmu_disable_all();
+ handled = intel_pmu_drain_bts_buffer();
+ handled += intel_bts_interrupt();
+@@ -2320,7 +2327,8 @@ again:
+
+ done:
+ /* Only restore PMU state when it's active. See x86_pmu_disable(). */
+- if (cpuc->enabled)
++ cpuc->enabled = pmu_enabled;
++ if (pmu_enabled)
+ __intel_pmu_enable_all(0, true);
+ intel_bts_enable_local();
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Vivek Gautam <vivek.gautam@codeaurora.org>
+Date: Tue, 16 Jan 2018 16:26:56 +0530
+Subject: phy: qcom-qmp: Fix phy pipe clock gating
+
+From: Vivek Gautam <vivek.gautam@codeaurora.org>
+
+[ Upstream commit f8ba22a39e985c93e278709b1d5f20857a26b49b ]
+
+Pipe clock comes out of the phy and is available as long as
+the phy is turned on. Clock controller fails to gate this
+clock after the phy is turned off and generates a warning.
+
+/ # [ 33.048561] gcc_usb3_phy_pipe_clk status stuck at 'on'
+[ 33.048585] ------------[ cut here ]------------
+[ 33.052621] WARNING: CPU: 1 PID: 18 at ../drivers/clk/qcom/clk-branch.c:97 clk_branch_wait+0xf0/0x108
+[ 33.057384] Modules linked in:
+[ 33.066497] CPU: 1 PID: 18 Comm: kworker/1:0 Tainted: G W 4.12.0-rc7-00024-gfe926e34c36d-dirty #96
+[ 33.069451] Hardware name: Qualcomm Technologies, Inc. DB820c (DT)
+...
+[ 33.278565] [<ffff00000849b27c>] clk_branch_wait+0xf0/0x108
+[ 33.286375] [<ffff00000849b2f4>] clk_branch2_disable+0x28/0x34
+[ 33.291761] [<ffff0000084868dc>] clk_core_disable+0x5c/0x88
+[ 33.297660] [<ffff000008487d68>] clk_core_disable_lock+0x20/0x34
+[ 33.303129] [<ffff000008487d98>] clk_disable+0x1c/0x24
+[ 33.309384] [<ffff0000083ccd78>] qcom_qmp_phy_poweroff+0x20/0x48
+[ 33.314328] [<ffff0000083c53f4>] phy_power_off+0x80/0xdc
+[ 33.320492] [<ffff00000875c950>] dwc3_core_exit+0x94/0xa0
+[ 33.325784] [<ffff00000875c9ac>] dwc3_suspend_common+0x50/0x60
+[ 33.331080] [<ffff00000875ca04>] dwc3_runtime_suspend+0x48/0x6c
+[ 33.336810] [<ffff0000085b82f4>] pm_generic_runtime_suspend+0x28/0x38
+[ 33.342627] [<ffff0000085bace0>] __rpm_callback+0x150/0x254
+[ 33.349222] [<ffff0000085bae08>] rpm_callback+0x24/0x78
+[ 33.354604] [<ffff0000085b9fd8>] rpm_suspend+0xe0/0x4e4
+[ 33.359813] [<ffff0000085bb784>] pm_runtime_work+0xdc/0xf0
+[ 33.365028] [<ffff0000080d7b30>] process_one_work+0x12c/0x28c
+[ 33.370576] [<ffff0000080d7ce8>] worker_thread+0x58/0x3b8
+[ 33.376393] [<ffff0000080dd4a8>] kthread+0x100/0x12c
+[ 33.381776] [<ffff0000080836c0>] ret_from_fork+0x10/0x50
+
+Fix this by disabling it as the first thing in phy_exit().
+
+Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets")
+Signed-off-by: Vivek Gautam <vivek.gautam@codeaurora.org>
+Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-qmp.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp.c
+@@ -751,8 +751,6 @@ static int qcom_qmp_phy_poweroff(struct
+ struct qmp_phy *qphy = phy_get_drvdata(phy);
+ struct qcom_qmp *qmp = qphy->qmp;
+
+- clk_disable_unprepare(qphy->pipe_clk);
+-
+ regulator_bulk_disable(qmp->cfg->num_vregs, qmp->vregs);
+
+ return 0;
+@@ -936,6 +934,8 @@ static int qcom_qmp_phy_exit(struct phy
+ const struct qmp_phy_cfg *cfg = qmp->cfg;
+ int i = cfg->num_clks;
+
++ clk_disable_unprepare(qphy->pipe_clk);
++
+ /* PHY reset */
+ qphy_setbits(qphy->pcs, cfg->regs[QPHY_SW_RESET], SW_RESET);
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Thu, 11 Jan 2018 10:40:26 +0800
+Subject: phy: rockchip-emmc: retry calpad busy trimming
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+[ Upstream commit a4781c2a74b249cad814ceea7272997bbd20051e ]
+
+It turns out that 5us isn't enough for all cases, so let's
+retry some more times to wait for caldone.
+
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Tested-by: Ziyuan Xu <xzy.xu@rock-chips.com>
+Signed-off-by: Caesar Wang <wxt@rock-chips.com>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/rockchip/phy-rockchip-emmc.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+--- a/drivers/phy/rockchip/phy-rockchip-emmc.c
++++ b/drivers/phy/rockchip/phy-rockchip-emmc.c
+@@ -76,6 +76,10 @@
+ #define PHYCTRL_OTAPDLYSEL_MASK 0xf
+ #define PHYCTRL_OTAPDLYSEL_SHIFT 0x7
+
++#define PHYCTRL_IS_CALDONE(x) \
++ ((((x) >> PHYCTRL_CALDONE_SHIFT) & \
++ PHYCTRL_CALDONE_MASK) == PHYCTRL_CALDONE_DONE)
++
+ struct rockchip_emmc_phy {
+ unsigned int reg_offset;
+ struct regmap *reg_base;
+@@ -90,6 +94,7 @@ static int rockchip_emmc_phy_power(struc
+ unsigned int freqsel = PHYCTRL_FREQSEL_200M;
+ unsigned long rate;
+ unsigned long timeout;
++ int ret;
+
+ /*
+ * Keep phyctrl_pdb and phyctrl_endll low to allow
+@@ -160,17 +165,19 @@ static int rockchip_emmc_phy_power(struc
+ PHYCTRL_PDB_SHIFT));
+
+ /*
+- * According to the user manual, it asks driver to
+- * wait 5us for calpad busy trimming
++ * According to the user manual, it asks driver to wait 5us for
++ * calpad busy trimming. However it is documented that this value is
++ * PVT(A.K.A process,voltage and temperature) relevant, so some
++ * failure cases are found which indicates we should be more tolerant
++ * to calpad busy trimming.
+ */
+- udelay(5);
+- regmap_read(rk_phy->reg_base,
+- rk_phy->reg_offset + GRF_EMMCPHY_STATUS,
+- &caldone);
+- caldone = (caldone >> PHYCTRL_CALDONE_SHIFT) & PHYCTRL_CALDONE_MASK;
+- if (caldone != PHYCTRL_CALDONE_DONE) {
+- pr_err("rockchip_emmc_phy_power: caldone timeout.\n");
+- return -ETIMEDOUT;
++ ret = regmap_read_poll_timeout(rk_phy->reg_base,
++ rk_phy->reg_offset + GRF_EMMCPHY_STATUS,
++ caldone, PHYCTRL_IS_CALDONE(caldone),
++ 0, 50);
++ if (ret) {
++ pr_err("%s: caldone failed, ret=%d\n", __func__, ret);
++ return ret;
+ }
+
+ /* Set the frequency of the DLL operation */
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Niklas Cassel <niklas.cassel@axis.com>
+Date: Thu, 22 Feb 2018 16:22:46 +0100
+Subject: pinctrl: artpec6: dt: add missing pin group uart5nocts
+
+From: Niklas Cassel <niklas.cassel@axis.com>
+
+[ Upstream commit 7e065fb9ccce89fe667fdbd9a177eaec59a359fc ]
+
+Add missing pin group uart5nocts (all pins except cts), which has been
+supported by the artpec6 pinctrl driver since its initial submission.
+
+Fixes: 00df0582eab1 ("pinctrl: Add pincontrol driver for ARTPEC-6 SoC")
+Signed-off-by: Niklas Cassel <niklas.cassel@axis.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/pinctrl/axis,artpec6-pinctrl.txt | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/Documentation/devicetree/bindings/pinctrl/axis,artpec6-pinctrl.txt
++++ b/Documentation/devicetree/bindings/pinctrl/axis,artpec6-pinctrl.txt
+@@ -20,7 +20,8 @@ Required subnode-properties:
+ gpio: cpuclkoutgrp0, udlclkoutgrp0, i2c1grp0, i2c2grp0,
+ i2c3grp0, i2s0grp0, i2s1grp0, i2srefclkgrp0, spi0grp0,
+ spi1grp0, pciedebuggrp0, uart0grp0, uart0grp1, uart1grp0,
+- uart2grp0, uart2grp1, uart3grp0, uart4grp0, uart5grp0
++ uart2grp0, uart2grp1, uart3grp0, uart4grp0, uart5grp0,
++ uart5nocts
+ cpuclkout: cpuclkoutgrp0
+ udlclkout: udlclkoutgrp0
+ i2c1: i2c1grp0
+@@ -37,7 +38,7 @@ Required subnode-properties:
+ uart2: uart2grp0, uart2grp1
+ uart3: uart3grp0
+ uart4: uart4grp0
+- uart5: uart5grp0
++ uart5: uart5grp0, uart5nocts
+ nand: nandgrp0
+ sdio0: sdio0grp0
+ sdio1: sdio1grp0
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+Date: Wed, 28 Feb 2018 15:53:06 +0000
+Subject: pinctrl: devicetree: Fix dt_to_map_one_config handling of hogs
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit b89405b6102fcc3746f43697b826028caa94c823 ]
+
+When dt_to_map_one_config() is called with a pinctrl_dev passed
+in, it should only be using this if the node being looked up
+is a hog. The code was always using the passed pinctrl_dev
+without checking whether the dt node referred to it.
+
+A pin controller can have pinctrl-n dependencies on other pin
+controllers in these cases:
+
+- the pin controller hardware is external, for example I2C, so
+ needs other pin controller(s) to be setup to communicate with
+ the hardware device.
+
+- it is a child of a composite MFD so its of_node is shared with
+ the parent MFD and other children of that MFD. Any part of that
+ MFD could have dependencies on other pin controllers.
+
+Because of this, dt_to_map_one_config() can't assume that if it
+has a pinctrl_dev passed in then the node it looks up must be
+a hog. It could be a reference to some other pin controller.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/devicetree.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/devicetree.c
++++ b/drivers/pinctrl/devicetree.c
+@@ -122,8 +122,10 @@ static int dt_to_map_one_config(struct p
+ /* OK let's just assume this will appear later then */
+ return -EPROBE_DEFER;
+ }
+- if (!pctldev)
+- pctldev = get_pinctrl_dev_from_of_node(np_pctldev);
++ /* If we're creating a hog we can use the passed pctldev */
++ if (pctldev && (np_pctldev == p->dev->of_node))
++ break;
++ pctldev = get_pinctrl_dev_from_of_node(np_pctldev);
+ if (pctldev)
+ break;
+ /* Do not defer probing of hogs (circular loop) */
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: "Jan Kundrát" <jan.kundrat@cesnet.cz>
+Date: Thu, 25 Jan 2018 18:29:15 +0100
+Subject: pinctrl: mcp23s08: spi: Fix regmap debugfs entries
+
+From: "Jan Kundrát" <jan.kundrat@cesnet.cz>
+
+[ Upstream commit 9b3e4207661e67f04c72af15e29f74cd944f5964 ]
+
+The SPI version of this chip allows several devices to be present on the
+same SPI bus via a local address. If this is in action and if the kernel
+has debugfs, however, the code attempts to create duplicate entries for
+the regmap's debugfs:
+
+ mcp23s08 spi1.1: Failed to create debugfs directory
+
+This patch simply assigns a local name matching the device logical
+address to the `struct regmap_config`.
+
+No changes are needed for MCP23S18 because that device does not support
+any logical addressing. Similarly, I2C devices do not need any action,
+either, because they are already different in their I2C address.
+
+A similar problem is present for the pinctrl debugfs instance, but that
+one is not addressed by this patch.
+
+Signed-off-by: Jan Kundrát <jan.kundrat@cesnet.cz>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-mcp23s08.c | 37 ++++++++++++++++++++++++++-----------
+ 1 file changed, 26 insertions(+), 11 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-mcp23s08.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08.c
+@@ -771,6 +771,7 @@ static int mcp23s08_probe_one(struct mcp
+ {
+ int status, ret;
+ bool mirror = false;
++ struct regmap_config *one_regmap_config = NULL;
+
+ mutex_init(&mcp->lock);
+
+@@ -791,22 +792,36 @@ static int mcp23s08_probe_one(struct mcp
+ switch (type) {
+ #ifdef CONFIG_SPI_MASTER
+ case MCP_TYPE_S08:
+- mcp->regmap = devm_regmap_init(dev, &mcp23sxx_spi_regmap, mcp,
+- &mcp23x08_regmap);
+- mcp->reg_shift = 0;
+- mcp->chip.ngpio = 8;
+- mcp->chip.label = "mcp23s08";
+- break;
+-
+ case MCP_TYPE_S17:
++ switch (type) {
++ case MCP_TYPE_S08:
++ one_regmap_config =
++ devm_kmemdup(dev, &mcp23x08_regmap,
++ sizeof(struct regmap_config), GFP_KERNEL);
++ mcp->reg_shift = 0;
++ mcp->chip.ngpio = 8;
++ mcp->chip.label = "mcp23s08";
++ break;
++ case MCP_TYPE_S17:
++ one_regmap_config =
++ devm_kmemdup(dev, &mcp23x17_regmap,
++ sizeof(struct regmap_config), GFP_KERNEL);
++ mcp->reg_shift = 1;
++ mcp->chip.ngpio = 16;
++ mcp->chip.label = "mcp23s17";
++ break;
++ }
++ if (!one_regmap_config)
++ return -ENOMEM;
++
++ one_regmap_config->name = devm_kasprintf(dev, GFP_KERNEL, "%d", (addr & ~0x40) >> 1);
+ mcp->regmap = devm_regmap_init(dev, &mcp23sxx_spi_regmap, mcp,
+- &mcp23x17_regmap);
+- mcp->reg_shift = 1;
+- mcp->chip.ngpio = 16;
+- mcp->chip.label = "mcp23s17";
++ one_regmap_config);
+ break;
+
+ case MCP_TYPE_S18:
++ if (!one_regmap_config)
++ return -ENOMEM;
+ mcp->regmap = devm_regmap_init(dev, &mcp23sxx_spi_regmap, mcp,
+ &mcp23x17_regmap);
+ mcp->reg_shift = 1;
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+Date: Sun, 28 Jan 2018 16:59:48 -0800
+Subject: pinctrl: msm: Use dynamic GPIO numbering
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit a7aa75a2a7dba32594291a71c3704000a2fd7089 ]
+
+The base of the TLMM gpiochip should not be statically defined as 0, fix
+this to not artificially restrict the existence of multiple pinctrl-msm
+devices.
+
+Fixes: f365be092572 ("pinctrl: Add Qualcomm TLMM driver")
+Reported-by: Timur Tabi <timur@codeaurora.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/qcom/pinctrl-msm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/qcom/pinctrl-msm.c
++++ b/drivers/pinctrl/qcom/pinctrl-msm.c
+@@ -818,7 +818,7 @@ static int msm_gpio_init(struct msm_pinc
+ return -EINVAL;
+
+ chip = &pctrl->chip;
+- chip->base = 0;
++ chip->base = -1;
+ chip->ngpio = ngpio;
+ chip->label = dev_name(pctrl->dev);
+ chip->parent = pctrl->dev;
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Takeshi Kihara <takeshi.kihara.df@renesas.com>
+Date: Fri, 16 Feb 2018 15:25:03 +0100
+Subject: pinctrl: sh-pfc: r8a7796: Fix MOD_SEL register pin assignment for SSI pins group
+
+From: Takeshi Kihara <takeshi.kihara.df@renesas.com>
+
+[ Upstream commit b418c4609d5052d174668ad6d13efe023c45c595 ]
+
+This patch fixes MOD_SEL1 bit20 and MOD_SEL2 bit20, bit21 pin assignment
+for SSI pins group.
+
+This is a correction to the incorrect implementation of MOD_SEL register
+pin assignment for R8A7796 SoC specification of R-Car Gen3 Hardware
+User's Manual Rev.0.51E or later.
+
+Fixes: f9aece7344bd ("pinctrl: sh-pfc: Initial R8A7796 PFC support")
+Signed-off-by: Takeshi Kihara <takeshi.kihara.df@renesas.com>
+Signed-off-by: Ulrich Hecht <ulrich.hecht+renesas@gmail.com>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/sh-pfc/pfc-r8a7796.c | 40 +++++++++++++++++------------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+--- a/drivers/pinctrl/sh-pfc/pfc-r8a7796.c
++++ b/drivers/pinctrl/sh-pfc/pfc-r8a7796.c
+@@ -1,7 +1,7 @@
+ /*
+ * R8A7796 processor support - PFC hardware block.
+ *
+- * Copyright (C) 2016 Renesas Electronics Corp.
++ * Copyright (C) 2016-2017 Renesas Electronics Corp.
+ *
+ * This file is based on the drivers/pinctrl/sh-pfc/pfc-r8a7795.c
+ *
+@@ -477,7 +477,7 @@ FM(IP16_31_28) IP16_31_28 FM(IP17_31_28)
+ #define MOD_SEL1_26 FM(SEL_TIMER_TMU_0) FM(SEL_TIMER_TMU_1)
+ #define MOD_SEL1_25_24 FM(SEL_SSP1_1_0) FM(SEL_SSP1_1_1) FM(SEL_SSP1_1_2) FM(SEL_SSP1_1_3)
+ #define MOD_SEL1_23_22_21 FM(SEL_SSP1_0_0) FM(SEL_SSP1_0_1) FM(SEL_SSP1_0_2) FM(SEL_SSP1_0_3) FM(SEL_SSP1_0_4) F_(0, 0) F_(0, 0) F_(0, 0)
+-#define MOD_SEL1_20 FM(SEL_SSI_0) FM(SEL_SSI_1)
++#define MOD_SEL1_20 FM(SEL_SSI1_0) FM(SEL_SSI1_1)
+ #define MOD_SEL1_19 FM(SEL_SPEED_PULSE_0) FM(SEL_SPEED_PULSE_1)
+ #define MOD_SEL1_18_17 FM(SEL_SIMCARD_0) FM(SEL_SIMCARD_1) FM(SEL_SIMCARD_2) FM(SEL_SIMCARD_3)
+ #define MOD_SEL1_16 FM(SEL_SDHI2_0) FM(SEL_SDHI2_1)
+@@ -1218,7 +1218,7 @@ static const u16 pinmux_data[] = {
+ PINMUX_IPSR_GPSR(IP13_11_8, HSCK0),
+ PINMUX_IPSR_MSEL(IP13_11_8, MSIOF1_SCK_D, SEL_MSIOF1_3),
+ PINMUX_IPSR_MSEL(IP13_11_8, AUDIO_CLKB_A, SEL_ADG_B_0),
+- PINMUX_IPSR_MSEL(IP13_11_8, SSI_SDATA1_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP13_11_8, SSI_SDATA1_B, SEL_SSI1_1),
+ PINMUX_IPSR_MSEL(IP13_11_8, TS_SCK0_D, SEL_TSIF0_3),
+ PINMUX_IPSR_MSEL(IP13_11_8, STP_ISCLK_0_D, SEL_SSP1_0_3),
+ PINMUX_IPSR_MSEL(IP13_11_8, RIF0_CLK_C, SEL_DRIF0_2),
+@@ -1226,14 +1226,14 @@ static const u16 pinmux_data[] = {
+
+ PINMUX_IPSR_GPSR(IP13_15_12, HRX0),
+ PINMUX_IPSR_MSEL(IP13_15_12, MSIOF1_RXD_D, SEL_MSIOF1_3),
+- PINMUX_IPSR_MSEL(IP13_15_12, SSI_SDATA2_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP13_15_12, SSI_SDATA2_B, SEL_SSI2_1),
+ PINMUX_IPSR_MSEL(IP13_15_12, TS_SDEN0_D, SEL_TSIF0_3),
+ PINMUX_IPSR_MSEL(IP13_15_12, STP_ISEN_0_D, SEL_SSP1_0_3),
+ PINMUX_IPSR_MSEL(IP13_15_12, RIF0_D0_C, SEL_DRIF0_2),
+
+ PINMUX_IPSR_GPSR(IP13_19_16, HTX0),
+ PINMUX_IPSR_MSEL(IP13_19_16, MSIOF1_TXD_D, SEL_MSIOF1_3),
+- PINMUX_IPSR_MSEL(IP13_19_16, SSI_SDATA9_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP13_19_16, SSI_SDATA9_B, SEL_SSI9_1),
+ PINMUX_IPSR_MSEL(IP13_19_16, TS_SDAT0_D, SEL_TSIF0_3),
+ PINMUX_IPSR_MSEL(IP13_19_16, STP_ISD_0_D, SEL_SSP1_0_3),
+ PINMUX_IPSR_MSEL(IP13_19_16, RIF0_D1_C, SEL_DRIF0_2),
+@@ -1241,7 +1241,7 @@ static const u16 pinmux_data[] = {
+ PINMUX_IPSR_GPSR(IP13_23_20, HCTS0_N),
+ PINMUX_IPSR_MSEL(IP13_23_20, RX2_B, SEL_SCIF2_1),
+ PINMUX_IPSR_MSEL(IP13_23_20, MSIOF1_SYNC_D, SEL_MSIOF1_3),
+- PINMUX_IPSR_MSEL(IP13_23_20, SSI_SCK9_A, SEL_SSI_0),
++ PINMUX_IPSR_MSEL(IP13_23_20, SSI_SCK9_A, SEL_SSI9_0),
+ PINMUX_IPSR_MSEL(IP13_23_20, TS_SPSYNC0_D, SEL_TSIF0_3),
+ PINMUX_IPSR_MSEL(IP13_23_20, STP_ISSYNC_0_D, SEL_SSP1_0_3),
+ PINMUX_IPSR_MSEL(IP13_23_20, RIF0_SYNC_C, SEL_DRIF0_2),
+@@ -1250,7 +1250,7 @@ static const u16 pinmux_data[] = {
+ PINMUX_IPSR_GPSR(IP13_27_24, HRTS0_N),
+ PINMUX_IPSR_MSEL(IP13_27_24, TX2_B, SEL_SCIF2_1),
+ PINMUX_IPSR_MSEL(IP13_27_24, MSIOF1_SS1_D, SEL_MSIOF1_3),
+- PINMUX_IPSR_MSEL(IP13_27_24, SSI_WS9_A, SEL_SSI_0),
++ PINMUX_IPSR_MSEL(IP13_27_24, SSI_WS9_A, SEL_SSI9_0),
+ PINMUX_IPSR_MSEL(IP13_27_24, STP_IVCXO27_0_D, SEL_SSP1_0_3),
+ PINMUX_IPSR_MSEL(IP13_27_24, BPFCLK_A, SEL_FM_0),
+ PINMUX_IPSR_GPSR(IP13_27_24, AUDIO_CLKOUT2_A),
+@@ -1265,7 +1265,7 @@ static const u16 pinmux_data[] = {
+ PINMUX_IPSR_MSEL(IP14_3_0, RX5_A, SEL_SCIF5_0),
+ PINMUX_IPSR_MSEL(IP14_3_0, NFWP_N_A, SEL_NDF_0),
+ PINMUX_IPSR_MSEL(IP14_3_0, AUDIO_CLKA_C, SEL_ADG_A_2),
+- PINMUX_IPSR_MSEL(IP14_3_0, SSI_SCK2_A, SEL_SSI_0),
++ PINMUX_IPSR_MSEL(IP14_3_0, SSI_SCK2_A, SEL_SSI2_0),
+ PINMUX_IPSR_MSEL(IP14_3_0, STP_IVCXO27_0_C, SEL_SSP1_0_2),
+ PINMUX_IPSR_GPSR(IP14_3_0, AUDIO_CLKOUT3_A),
+ PINMUX_IPSR_MSEL(IP14_3_0, TCLK1_B, SEL_TIMER_TMU_1),
+@@ -1274,7 +1274,7 @@ static const u16 pinmux_data[] = {
+ PINMUX_IPSR_MSEL(IP14_7_4, TX5_A, SEL_SCIF5_0),
+ PINMUX_IPSR_MSEL(IP14_7_4, MSIOF1_SS2_D, SEL_MSIOF1_3),
+ PINMUX_IPSR_MSEL(IP14_7_4, AUDIO_CLKC_A, SEL_ADG_C_0),
+- PINMUX_IPSR_MSEL(IP14_7_4, SSI_WS2_A, SEL_SSI_0),
++ PINMUX_IPSR_MSEL(IP14_7_4, SSI_WS2_A, SEL_SSI2_0),
+ PINMUX_IPSR_MSEL(IP14_7_4, STP_OPWM_0_D, SEL_SSP1_0_3),
+ PINMUX_IPSR_GPSR(IP14_7_4, AUDIO_CLKOUT_D),
+ PINMUX_IPSR_MSEL(IP14_7_4, SPEEDIN_B, SEL_SPEED_PULSE_1),
+@@ -1302,10 +1302,10 @@ static const u16 pinmux_data[] = {
+ PINMUX_IPSR_MSEL(IP14_31_28, MSIOF1_SS2_F, SEL_MSIOF1_5),
+
+ /* IPSR15 */
+- PINMUX_IPSR_MSEL(IP15_3_0, SSI_SDATA1_A, SEL_SSI_0),
++ PINMUX_IPSR_MSEL(IP15_3_0, SSI_SDATA1_A, SEL_SSI1_0),
+
+- PINMUX_IPSR_MSEL(IP15_7_4, SSI_SDATA2_A, SEL_SSI_0),
+- PINMUX_IPSR_MSEL(IP15_7_4, SSI_SCK1_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP15_7_4, SSI_SDATA2_A, SEL_SSI2_0),
++ PINMUX_IPSR_MSEL(IP15_7_4, SSI_SCK1_B, SEL_SSI1_1),
+
+ PINMUX_IPSR_GPSR(IP15_11_8, SSI_SCK349),
+ PINMUX_IPSR_MSEL(IP15_11_8, MSIOF1_SS1_A, SEL_MSIOF1_0),
+@@ -1391,11 +1391,11 @@ static const u16 pinmux_data[] = {
+ PINMUX_IPSR_MSEL(IP16_27_24, RIF1_D1_A, SEL_DRIF1_0),
+ PINMUX_IPSR_MSEL(IP16_27_24, RIF3_D1_A, SEL_DRIF3_0),
+
+- PINMUX_IPSR_MSEL(IP16_31_28, SSI_SDATA9_A, SEL_SSI_0),
++ PINMUX_IPSR_MSEL(IP16_31_28, SSI_SDATA9_A, SEL_SSI9_0),
+ PINMUX_IPSR_MSEL(IP16_31_28, HSCK2_B, SEL_HSCIF2_1),
+ PINMUX_IPSR_MSEL(IP16_31_28, MSIOF1_SS1_C, SEL_MSIOF1_2),
+ PINMUX_IPSR_MSEL(IP16_31_28, HSCK1_A, SEL_HSCIF1_0),
+- PINMUX_IPSR_MSEL(IP16_31_28, SSI_WS1_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP16_31_28, SSI_WS1_B, SEL_SSI1_1),
+ PINMUX_IPSR_GPSR(IP16_31_28, SCK1),
+ PINMUX_IPSR_MSEL(IP16_31_28, STP_IVCXO27_1_A, SEL_SSP1_1_0),
+ PINMUX_IPSR_MSEL(IP16_31_28, SCK5_A, SEL_SCIF5_0),
+@@ -1427,7 +1427,7 @@ static const u16 pinmux_data[] = {
+
+ PINMUX_IPSR_GPSR(IP17_19_16, USB1_PWEN),
+ PINMUX_IPSR_MSEL(IP17_19_16, SIM0_CLK_C, SEL_SIMCARD_2),
+- PINMUX_IPSR_MSEL(IP17_19_16, SSI_SCK1_A, SEL_SSI_0),
++ PINMUX_IPSR_MSEL(IP17_19_16, SSI_SCK1_A, SEL_SSI1_0),
+ PINMUX_IPSR_MSEL(IP17_19_16, TS_SCK0_E, SEL_TSIF0_4),
+ PINMUX_IPSR_MSEL(IP17_19_16, STP_ISCLK_0_E, SEL_SSP1_0_4),
+ PINMUX_IPSR_MSEL(IP17_19_16, FMCLK_B, SEL_FM_1),
+@@ -1437,7 +1437,7 @@ static const u16 pinmux_data[] = {
+
+ PINMUX_IPSR_GPSR(IP17_23_20, USB1_OVC),
+ PINMUX_IPSR_MSEL(IP17_23_20, MSIOF1_SS2_C, SEL_MSIOF1_2),
+- PINMUX_IPSR_MSEL(IP17_23_20, SSI_WS1_A, SEL_SSI_0),
++ PINMUX_IPSR_MSEL(IP17_23_20, SSI_WS1_A, SEL_SSI1_0),
+ PINMUX_IPSR_MSEL(IP17_23_20, TS_SDAT0_E, SEL_TSIF0_4),
+ PINMUX_IPSR_MSEL(IP17_23_20, STP_ISD_0_E, SEL_SSP1_0_4),
+ PINMUX_IPSR_MSEL(IP17_23_20, FMIN_B, SEL_FM_1),
+@@ -1447,7 +1447,7 @@ static const u16 pinmux_data[] = {
+
+ PINMUX_IPSR_GPSR(IP17_27_24, USB30_PWEN),
+ PINMUX_IPSR_GPSR(IP17_27_24, AUDIO_CLKOUT_B),
+- PINMUX_IPSR_MSEL(IP17_27_24, SSI_SCK2_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP17_27_24, SSI_SCK2_B, SEL_SSI2_1),
+ PINMUX_IPSR_MSEL(IP17_27_24, TS_SDEN1_D, SEL_TSIF1_3),
+ PINMUX_IPSR_MSEL(IP17_27_24, STP_ISEN_1_D, SEL_SSP1_1_3),
+ PINMUX_IPSR_MSEL(IP17_27_24, STP_OPWM_0_E, SEL_SSP1_0_4),
+@@ -1459,7 +1459,7 @@ static const u16 pinmux_data[] = {
+
+ PINMUX_IPSR_GPSR(IP17_31_28, USB30_OVC),
+ PINMUX_IPSR_GPSR(IP17_31_28, AUDIO_CLKOUT1_B),
+- PINMUX_IPSR_MSEL(IP17_31_28, SSI_WS2_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP17_31_28, SSI_WS2_B, SEL_SSI2_1),
+ PINMUX_IPSR_MSEL(IP17_31_28, TS_SPSYNC1_D, SEL_TSIF1_3),
+ PINMUX_IPSR_MSEL(IP17_31_28, STP_ISSYNC_1_D, SEL_SSP1_1_3),
+ PINMUX_IPSR_MSEL(IP17_31_28, STP_IVCXO27_0_E, SEL_SSP1_0_4),
+@@ -1470,7 +1470,7 @@ static const u16 pinmux_data[] = {
+ /* IPSR18 */
+ PINMUX_IPSR_GPSR(IP18_3_0, GP6_30),
+ PINMUX_IPSR_GPSR(IP18_3_0, AUDIO_CLKOUT2_B),
+- PINMUX_IPSR_MSEL(IP18_3_0, SSI_SCK9_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP18_3_0, SSI_SCK9_B, SEL_SSI9_1),
+ PINMUX_IPSR_MSEL(IP18_3_0, TS_SDEN0_E, SEL_TSIF0_4),
+ PINMUX_IPSR_MSEL(IP18_3_0, STP_ISEN_0_E, SEL_SSP1_0_4),
+ PINMUX_IPSR_MSEL(IP18_3_0, RIF2_D0_B, SEL_DRIF2_1),
+@@ -1480,7 +1480,7 @@ static const u16 pinmux_data[] = {
+
+ PINMUX_IPSR_GPSR(IP18_7_4, GP6_31),
+ PINMUX_IPSR_GPSR(IP18_7_4, AUDIO_CLKOUT3_B),
+- PINMUX_IPSR_MSEL(IP18_7_4, SSI_WS9_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP18_7_4, SSI_WS9_B, SEL_SSI9_1),
+ PINMUX_IPSR_MSEL(IP18_7_4, TS_SPSYNC0_E, SEL_TSIF0_4),
+ PINMUX_IPSR_MSEL(IP18_7_4, STP_ISSYNC_0_E, SEL_SSP1_0_4),
+ PINMUX_IPSR_MSEL(IP18_7_4, RIF2_D1_B, SEL_DRIF2_1),
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 16 Mar 2018 15:10:15 +0300
+Subject: platform/x86: dell-smbios: Fix memory leaks in build_tokens_sysfs()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 0e5b09b165510e2ea5c526e962c4edadd849ef4c ]
+
+We're freeing "value_name" which is NULL, so that's a no-op, but we
+intended to free "location_name" instead. And then we don't free the
+names in token_location_attrs[0] and token_value_attrs[0].
+
+Fixes: 33b9ca1e53b4 ("platform/x86: dell-smbios: Add a sysfs interface for SMBIOS tokens")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/dell-smbios-base.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/platform/x86/dell-smbios-base.c
++++ b/drivers/platform/x86/dell-smbios-base.c
+@@ -514,7 +514,7 @@ static int build_tokens_sysfs(struct pla
+ continue;
+
+ loop_fail_create_value:
+- kfree(value_name);
++ kfree(location_name);
+ goto out_unwind_strings;
+ }
+ smbios_attribute_group.attrs = token_attrs;
+@@ -525,7 +525,7 @@ loop_fail_create_value:
+ return 0;
+
+ out_unwind_strings:
+- for (i = i-1; i > 0; i--) {
++ while (i--) {
+ kfree(token_location_attrs[i].attr.name);
+ kfree(token_value_attrs[i].attr.name);
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Ladislav Michl <ladis@linux-mips.org>
+Date: Thu, 22 Feb 2018 18:21:36 +0100
+Subject: power: supply: ltc2941-battery-gauge: Fix temperature units
+
+From: Ladislav Michl <ladis@linux-mips.org>
+
+[ Upstream commit dde5953f05a89eb63a0d666ffe51d447b2ac3e05 ]
+
+Temperature is measured in tenths of degree Celsius.
+
+Fixes: 085bc24d1553 ("Add LTC2941/LTC2943 Battery Gauge Driver")
+Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/ltc2941-battery-gauge.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/power/supply/ltc2941-battery-gauge.c
++++ b/drivers/power/supply/ltc2941-battery-gauge.c
+@@ -317,15 +317,15 @@ static int ltc294x_get_temperature(const
+
+ if (info->id == LTC2942_ID) {
+ reg = LTC2942_REG_TEMPERATURE_MSB;
+- value = 60000; /* Full-scale is 600 Kelvin */
++ value = 6000; /* Full-scale is 600 Kelvin */
+ } else {
+ reg = LTC2943_REG_TEMPERATURE_MSB;
+- value = 51000; /* Full-scale is 510 Kelvin */
++ value = 5100; /* Full-scale is 510 Kelvin */
+ }
+ ret = ltc294x_read_regs(info->client, reg, &datar[0], 2);
+ value *= (datar[0] << 8) | datar[1];
+- /* Convert to centidegrees */
+- *val = value / 0xFFFF - 27215;
++ /* Convert to tenths of degree Celsius */
++ *val = value / 0xFFFF - 2722;
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Thu, 5 Apr 2018 16:10:00 +1000
+Subject: powerpc/64s/idle: Fix restore of AMOR on POWER9 after deep sleep
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit c1b25a17d24925b0961c319cfc3fd7e1dc778914 ]
+
+POWER8 restores AMOR when waking from deep sleep, but POWER9 does not,
+because it does not go through the subcore restore.
+
+Have POWER9 restore it in core restore.
+
+Fixes: ee97b6b99f42 ("powerpc/mm/radix: Setup AMOR in HV mode to allow key 0")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/idle_book3s.S | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/kernel/idle_book3s.S
++++ b/arch/powerpc/kernel/idle_book3s.S
+@@ -834,6 +834,8 @@ BEGIN_FTR_SECTION
+ mtspr SPRN_PTCR,r4
+ ld r4,_RPR(r1)
+ mtspr SPRN_RPR,r4
++ ld r4,_AMOR(r1)
++ mtspr SPRN_AMOR,r4
+ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
+
+ ld r4,_TSCR(r1)
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Tue, 27 Mar 2018 01:01:16 +1000
+Subject: powerpc/64s: sreset panic if there is no debugger or crash dump handlers
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit d40b6768e45bd9213139b2d91d30c7692b6007b1 ]
+
+system_reset_exception does most of its own crash handling now,
+invoking the debugger or crash dumps if they are registered. If not,
+then it goes through to die() to print stack traces, and then is
+supposed to panic (according to comments).
+
+However after die() prints oopses, it does its own handling which
+doesn't allow system_reset_exception to panic (e.g., it may just
+kill the current process). This patch causes sreset exceptions to
+return from die after it prints messages but before acting.
+
+This also stops die from invoking the debugger on 0x100 crashes.
+system_reset_exception similarly calls the debugger. It had been
+thought this was harmless (because if the debugger was disabled,
+neither call would fire, and if it was enabled the first call
+would return). However in some cases like xmon 'X' command, the
+debugger returns 0, which currently causes it to be entered
+again (first in system_reset_exception, then in die), which is
+confusing.
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/traps.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/traps.c
++++ b/arch/powerpc/kernel/traps.c
+@@ -208,6 +208,12 @@ static void oops_end(unsigned long flags
+ }
+ raw_local_irq_restore(flags);
+
++ /*
++ * system_reset_excption handles debugger, crash dump, panic, for 0x100
++ */
++ if (TRAP(regs) == 0x100)
++ return;
++
+ crash_fadump(regs, "die oops");
+
+ if (kexec_should_crash(current))
+@@ -272,8 +278,13 @@ void die(const char *str, struct pt_regs
+ {
+ unsigned long flags;
+
+- if (debugger(regs))
+- return;
++ /*
++ * system_reset_excption handles debugger, crash dump, panic, for 0x100
++ */
++ if (TRAP(regs) != 0x100) {
++ if (debugger(regs))
++ return;
++ }
+
+ flags = oops_begin(regs);
+ if (__die(str, regs, err))
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Mathieu Malaterre <malat@debian.org>
+Date: Sun, 25 Feb 2018 18:22:29 +0100
+Subject: powerpc: Add missing prototype for arch_irq_work_raise()
+
+From: Mathieu Malaterre <malat@debian.org>
+
+[ Upstream commit f5246862f82f1e16bbf84cda4cddf287672b30fe ]
+
+In commit 4f8b50bbbe63 ("irq_work, ppc: Fix up arch hooks") a new
+function arch_irq_work_raise() was added without a prototype in header
+irq_work.h.
+
+Fix the following warning (treated as error in W=1):
+ arch/powerpc/kernel/time.c:523:6: error: no previous prototype for ‘arch_irq_work_raise’
+
+Signed-off-by: Mathieu Malaterre <malat@debian.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/irq_work.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/include/asm/irq_work.h
++++ b/arch/powerpc/include/asm/irq_work.h
+@@ -6,5 +6,6 @@ static inline bool arch_irq_work_has_int
+ {
+ return true;
+ }
++extern void arch_irq_work_raise(void);
+
+ #endif /* _ASM_POWERPC_IRQ_WORK_H */
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Anshuman Khandual <khandual@linux.vnet.ibm.com>
+Date: Thu, 29 Mar 2018 11:53:37 +0530
+Subject: powerpc/fscr: Enable interrupts earlier before calling get_user()
+
+From: Anshuman Khandual <khandual@linux.vnet.ibm.com>
+
+[ Upstream commit 709b973c844c0b4d115ac3a227a2e5a68722c912 ]
+
+The function get_user() can sleep while trying to fetch instruction
+from user address space and causes the following warning from the
+scheduler.
+
+BUG: sleeping function called from invalid context
+
+Though interrupts get enabled back but it happens bit later after
+get_user() is called. This change moves enabling these interrupts
+earlier covering the function get_user(). While at this, lets check
+for kernel mode and crash as this interrupt should not have been
+triggered from the kernel context.
+
+Signed-off-by: Anshuman Khandual <khandual@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/traps.c | 32 +++++++++++++++++---------------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+--- a/arch/powerpc/kernel/traps.c
++++ b/arch/powerpc/kernel/traps.c
+@@ -1612,6 +1612,22 @@ void facility_unavailable_exception(stru
+ value = mfspr(SPRN_FSCR);
+
+ status = value >> 56;
++ if ((hv || status >= 2) &&
++ (status < ARRAY_SIZE(facility_strings)) &&
++ facility_strings[status])
++ facility = facility_strings[status];
++
++ /* We should not have taken this interrupt in kernel */
++ if (!user_mode(regs)) {
++ pr_emerg("Facility '%s' unavailable (%d) exception in kernel mode at %lx\n",
++ facility, status, regs->nip);
++ die("Unexpected facility unavailable exception", regs, SIGABRT);
++ }
++
++ /* We restore the interrupt state now */
++ if (!arch_irq_disabled_regs(regs))
++ local_irq_enable();
++
+ if (status == FSCR_DSCR_LG) {
+ /*
+ * User is accessing the DSCR register using the problem
+@@ -1678,25 +1694,11 @@ void facility_unavailable_exception(stru
+ return;
+ }
+
+- if ((hv || status >= 2) &&
+- (status < ARRAY_SIZE(facility_strings)) &&
+- facility_strings[status])
+- facility = facility_strings[status];
+-
+- /* We restore the interrupt state now */
+- if (!arch_irq_disabled_regs(regs))
+- local_irq_enable();
+-
+ pr_err_ratelimited("%sFacility '%s' unavailable (%d), exception at 0x%lx, MSR=%lx\n",
+ hv ? "Hypervisor " : "", facility, status, regs->nip, regs->msr);
+
+ out:
+- if (user_mode(regs)) {
+- _exception(SIGILL, regs, ILL_ILLOPC, regs->nip);
+- return;
+- }
+-
+- die("Unexpected facility unavailable exception", regs, SIGABRT);
++ _exception(SIGILL, regs, ILL_ILLOPC, regs->nip);
+ }
+ #endif
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Thu, 22 Feb 2018 15:27:26 +0100
+Subject: powerpc/mm/slice: Fix hugepage allocation at hint address on 8xx
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+[ Upstream commit aa0ab02ba992eb956934b21373e0138211486ddd ]
+
+On the 8xx, the page size is set in the PMD entry and applies to
+all pages of the page table pointed by the said PMD entry.
+
+When an app has some regular pages allocated (e.g. see below) and tries
+to mmap() a huge page at a hint address covered by the same PMD entry,
+the kernel accepts the hint allthough the 8xx cannot handle different
+page sizes in the same PMD entry.
+
+10000000-10001000 r-xp 00000000 00:0f 2597 /root/malloc
+10010000-10011000 rwxp 00000000 00:0f 2597 /root/malloc
+
+mmap(0x10080000, 524288, PROT_READ|PROT_WRITE,
+ MAP_PRIVATE|MAP_ANONYMOUS|0x40000, -1, 0) = 0x10080000
+
+This results the app remaining forever in do_page_fault()/hugetlb_fault()
+and when interrupting that app, we get the following warning:
+
+[162980.035629] WARNING: CPU: 0 PID: 2777 at arch/powerpc/mm/hugetlbpage.c:354 hugetlb_free_pgd_range+0xc8/0x1e4
+[162980.035699] CPU: 0 PID: 2777 Comm: malloc Tainted: G W 4.14.6 #85
+[162980.035744] task: c67e2c00 task.stack: c668e000
+[162980.035783] NIP: c000fe18 LR: c00e1eec CTR: c00f90c0
+[162980.035830] REGS: c668fc20 TRAP: 0700 Tainted: G W (4.14.6)
+[162980.035854] MSR: 00029032 <EE,ME,IR,DR,RI> CR: 24044224 XER: 20000000
+[162980.036003]
+[162980.036003] GPR00: c00e1eec c668fcd0 c67e2c00 00000010 c6869410 10080000 00000000 77fb4000
+[162980.036003] GPR08: ffff0001 0683c001 00000000 ffffff80 44028228 10018a34 00004008 418004fc
+[162980.036003] GPR16: c668e000 00040100 c668e000 c06c0000 c668fe78 c668e000 c6835ba0 c668fd48
+[162980.036003] GPR24: 00000000 73ffffff 74000000 00000001 77fb4000 100fffff 10100000 10100000
+[162980.036743] NIP [c000fe18] hugetlb_free_pgd_range+0xc8/0x1e4
+[162980.036839] LR [c00e1eec] free_pgtables+0x12c/0x150
+[162980.036861] Call Trace:
+[162980.036939] [c668fcd0] [c00f0774] unlink_anon_vmas+0x1c4/0x214 (unreliable)
+[162980.037040] [c668fd10] [c00e1eec] free_pgtables+0x12c/0x150
+[162980.037118] [c668fd40] [c00eabac] exit_mmap+0xe8/0x1b4
+[162980.037210] [c668fda0] [c0019710] mmput.part.9+0x20/0xd8
+[162980.037301] [c668fdb0] [c001ecb0] do_exit+0x1f0/0x93c
+[162980.037386] [c668fe00] [c001f478] do_group_exit+0x40/0xcc
+[162980.037479] [c668fe10] [c002a76c] get_signal+0x47c/0x614
+[162980.037570] [c668fe70] [c0007840] do_signal+0x54/0x244
+[162980.037654] [c668ff30] [c0007ae8] do_notify_resume+0x34/0x88
+[162980.037744] [c668ff40] [c000dae8] do_user_signal+0x74/0xc4
+[162980.037781] Instruction dump:
+[162980.037821] 7fdff378 81370000 54a3463a 80890020 7d24182e 7c841a14 712a0004 4082ff94
+[162980.038014] 2f890000 419e0010 712a0ff0 408200e0 <0fe00000> 54a9000a 7f984840 419d0094
+[162980.038216] ---[ end trace c0ceeca8e7a5800a ]---
+[162980.038754] BUG: non-zero nr_ptes on freeing mm: 1
+[162985.363322] BUG: non-zero nr_ptes on freeing mm: -1
+
+In order to fix this, this patch uses the address space "slices"
+implemented for BOOK3S/64 and enhanced to support PPC32 by the
+preceding patch.
+
+This patch modifies the context.id on the 8xx to be in the range
+[1:16] instead of [0:15] in order to identify context.id == 0 as
+not initialised contexts as done on BOOK3S
+
+This patch activates CONFIG_PPC_MM_SLICES when CONFIG_HUGETLB_PAGE is
+selected for the 8xx
+
+Alltough we could in theory have as many slices as PMD entries, the
+current slices implementation limits the number of low slices to 16.
+This limitation is not preventing us to fix the initial issue allthough
+it is suboptimal. It will be cured in a subsequent patch.
+
+Fixes: 4b91428699477 ("powerpc/8xx: Implement support of hugepages")
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/mmu-8xx.h | 6 ++++++
+ arch/powerpc/kernel/setup-common.c | 2 ++
+ arch/powerpc/mm/8xx_mmu.c | 2 +-
+ arch/powerpc/mm/hugetlbpage.c | 2 ++
+ arch/powerpc/mm/mmu_context_nohash.c | 18 ++++++++++++++++--
+ arch/powerpc/platforms/Kconfig.cputype | 1 +
+ 6 files changed, 28 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/include/asm/mmu-8xx.h
++++ b/arch/powerpc/include/asm/mmu-8xx.h
+@@ -191,6 +191,12 @@ typedef struct {
+ unsigned int id;
+ unsigned int active;
+ unsigned long vdso_base;
++#ifdef CONFIG_PPC_MM_SLICES
++ u16 user_psize; /* page size index */
++ u64 low_slices_psize; /* page size encodings */
++ unsigned char high_slices_psize[0];
++ unsigned long slb_addr_limit;
++#endif
+ } mm_context_t;
+
+ #define PHYS_IMMR_BASE (mfspr(SPRN_IMMR) & 0xfff80000)
+--- a/arch/powerpc/kernel/setup-common.c
++++ b/arch/powerpc/kernel/setup-common.c
+@@ -919,6 +919,8 @@ void __init setup_arch(char **cmdline_p)
+ #ifdef CONFIG_PPC64
+ if (!radix_enabled())
+ init_mm.context.slb_addr_limit = DEFAULT_MAP_WINDOW_USER64;
++#elif defined(CONFIG_PPC_8xx)
++ init_mm.context.slb_addr_limit = DEFAULT_MAP_WINDOW;
+ #else
+ #error "context.addr_limit not initialized."
+ #endif
+--- a/arch/powerpc/mm/8xx_mmu.c
++++ b/arch/powerpc/mm/8xx_mmu.c
+@@ -192,7 +192,7 @@ void set_context(unsigned long id, pgd_t
+ mtspr(SPRN_M_TW, __pa(pgd) - offset);
+
+ /* Update context */
+- mtspr(SPRN_M_CASID, id);
++ mtspr(SPRN_M_CASID, id - 1);
+ /* sync */
+ mb();
+ }
+--- a/arch/powerpc/mm/hugetlbpage.c
++++ b/arch/powerpc/mm/hugetlbpage.c
+@@ -553,9 +553,11 @@ unsigned long hugetlb_get_unmapped_area(
+ struct hstate *hstate = hstate_file(file);
+ int mmu_psize = shift_to_mmu_psize(huge_page_shift(hstate));
+
++#ifdef CONFIG_PPC_RADIX_MMU
+ if (radix_enabled())
+ return radix__hugetlb_get_unmapped_area(file, addr, len,
+ pgoff, flags);
++#endif
+ return slice_get_unmapped_area(addr, len, flags, mmu_psize, 1);
+ }
+ #endif
+--- a/arch/powerpc/mm/mmu_context_nohash.c
++++ b/arch/powerpc/mm/mmu_context_nohash.c
+@@ -331,6 +331,20 @@ int init_new_context(struct task_struct
+ {
+ pr_hard("initing context for mm @%p\n", mm);
+
++#ifdef CONFIG_PPC_MM_SLICES
++ if (!mm->context.slb_addr_limit)
++ mm->context.slb_addr_limit = DEFAULT_MAP_WINDOW;
++
++ /*
++ * We have MMU_NO_CONTEXT set to be ~0. Hence check
++ * explicitly against context.id == 0. This ensures that we properly
++ * initialize context slice details for newly allocated mm's (which will
++ * have id == 0) and don't alter context slice inherited via fork (which
++ * will have id != 0).
++ */
++ if (mm->context.id == 0)
++ slice_set_user_psize(mm, mmu_virtual_psize);
++#endif
+ mm->context.id = MMU_NO_CONTEXT;
+ mm->context.active = 0;
+ return 0;
+@@ -428,8 +442,8 @@ void __init mmu_context_init(void)
+ * -- BenH
+ */
+ if (mmu_has_feature(MMU_FTR_TYPE_8xx)) {
+- first_context = 0;
+- last_context = 15;
++ first_context = 1;
++ last_context = 16;
+ no_selective_tlbil = true;
+ } else if (mmu_has_feature(MMU_FTR_TYPE_47x)) {
+ first_context = 1;
+--- a/arch/powerpc/platforms/Kconfig.cputype
++++ b/arch/powerpc/platforms/Kconfig.cputype
+@@ -326,6 +326,7 @@ config PPC_BOOK3E_MMU
+ config PPC_MM_SLICES
+ bool
+ default y if PPC_BOOK3S_64
++ default y if PPC_8xx && HUGETLB_PAGE
+ default n
+
+ config PPC_HAVE_PMU_SUPPORT
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Fri, 30 Mar 2018 23:27:25 +1100
+Subject: powerpc/mpic: Check if cpu_possible() in mpic_physmask()
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 0834d627fbea00c1444075eb3e448e1974da452d ]
+
+In mpic_physmask() we loop over all CPUs up to 32, then get the hard
+SMP processor id of that CPU.
+
+Currently that's possibly walking off the end of the paca array, but
+in a future patch we will change the paca array to be an array of
+pointers, and in that case we will get a NULL for missing CPUs and
+oops. eg:
+
+ Unable to handle kernel paging request for data at address 0x88888888888888b8
+ Faulting instruction address: 0xc00000000004e380
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ ...
+ NIP .mpic_set_affinity+0x60/0x1a0
+ LR .irq_do_set_affinity+0x48/0x100
+
+Fix it by checking the CPU is possible, this also fixes the code if
+there are gaps in the CPU numbering which probably never happens on
+mpic systems but who knows.
+
+Debugged-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/sysdev/mpic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/sysdev/mpic.c
++++ b/arch/powerpc/sysdev/mpic.c
+@@ -626,7 +626,7 @@ static inline u32 mpic_physmask(u32 cpum
+ int i;
+ u32 mask = 0;
+
+- for (i = 0; i < min(32, NR_CPUS); ++i, cpumask >>= 1)
++ for (i = 0; i < min(32, NR_CPUS) && cpu_possible(i); ++i, cpumask >>= 1)
+ mask |= (cpumask & 1) << get_hard_smp_processor_id(i);
+ return mask;
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Wed, 21 Mar 2018 17:10:24 +0530
+Subject: powerpc/perf: Fix kernel address leak via sampling registers
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit e1ebd0e5b9d0a10ba65e63a3514b6da8c6a5a819 ]
+
+Current code in power_pmu_disable() does not clear the sampling
+registers like Sampling Instruction Address Register (SIAR) and
+Sampling Data Address Register (SDAR) after disabling the PMU. Since
+these are userspace readable and could contain kernel addresses, add
+code to explicitly clear the content of these registers.
+
+Also add a "context synchronizing instruction" to enforce no further
+updates to these registers as suggested by Power ISA v3.0B. From
+section 9.4, on page 1108:
+
+ "If an mtspr instruction is executed that changes the value of a
+ Performance Monitor register other than SIAR, SDAR, and SIER, the
+ change is not guaranteed to have taken effect until after a
+ subsequent context synchronizing instruction has been executed (see
+ Chapter 11. "Synchronization Requirements for Context Alterations"
+ on page 1133)."
+
+Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+[mpe: Massage change log and add ISA reference]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/perf/core-book3s.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/arch/powerpc/perf/core-book3s.c
++++ b/arch/powerpc/perf/core-book3s.c
+@@ -1236,6 +1236,7 @@ static void power_pmu_disable(struct pmu
+ */
+ write_mmcr0(cpuhw, val);
+ mb();
++ isync();
+
+ /*
+ * Disable instruction sampling if it was enabled
+@@ -1244,12 +1245,26 @@ static void power_pmu_disable(struct pmu
+ mtspr(SPRN_MMCRA,
+ cpuhw->mmcr[2] & ~MMCRA_SAMPLE_ENABLE);
+ mb();
++ isync();
+ }
+
+ cpuhw->disabled = 1;
+ cpuhw->n_added = 0;
+
+ ebb_switch_out(mmcr0);
++
++#ifdef CONFIG_PPC64
++ /*
++ * These are readable by userspace, may contain kernel
++ * addresses and are not switched by context switch, so clear
++ * them now to avoid leaking anything to userspace in general
++ * including to another process.
++ */
++ if (ppmu->flags & PPMU_ARCH_207S) {
++ mtspr(SPRN_SDAR, 0);
++ mtspr(SPRN_SIAR, 0);
++ }
++#endif
+ }
+
+ local_irq_restore(flags);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Date: Wed, 21 Mar 2018 17:10:25 +0530
+Subject: powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer
+
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+
+[ Upstream commit bb19af816025d495376bd76bf6fbcf4244f9a06d ]
+
+The current Branch History Rolling Buffer (BHRB) code does not check
+for any privilege levels before updating the data from BHRB. This
+could leak kernel addresses to userspace even when profiling only with
+userspace privileges. Add proper checks to prevent it.
+
+Acked-by: Balbir Singh <bsingharora@gmail.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/perf/core-book3s.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/powerpc/perf/core-book3s.c
++++ b/arch/powerpc/perf/core-book3s.c
+@@ -457,6 +457,16 @@ static void power_pmu_bhrb_read(struct c
+ /* invalid entry */
+ continue;
+
++ /*
++ * BHRB rolling buffer could very much contain the kernel
++ * addresses at this point. Check the privileges before
++ * exporting it to userspace (avoid exposure of regions
++ * where we could have speculative execution)
++ */
++ if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) &&
++ is_kernel_addr(addr))
++ continue;
++
+ /* Branches are read most recent first (ie. mfbhrb 0 is
+ * the most recent branch).
+ * There are two types of valid entries:
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Alistair Popple <alistair@popple.id.au>
+Date: Fri, 2 Mar 2018 16:18:45 +1100
+Subject: powerpc/powernv/npu: Fix deadlock in mmio_invalidate()
+
+From: Alistair Popple <alistair@popple.id.au>
+
+[ Upstream commit 2b74e2a9b39df40a2b489af2d24079617c61ee0e ]
+
+When sending TLB invalidates to the NPU we need to send extra flushes due
+to a hardware issue. The original implementation would lock the all the
+ATSD MMIO registers sequentially before unlocking and relocking each of
+them sequentially to do the extra flush.
+
+This introduced a deadlock as it is possible for one thread to hold one
+ATSD register whilst waiting for another register to be freed while the
+other thread is holding that register waiting for the one in the first
+thread to be freed.
+
+For example if there are two threads and two ATSD registers:
+
+ Thread A Thread B
+ ----------------------
+ Acquire 1
+ Acquire 2
+ Release 1 Acquire 1
+ Wait 1 Wait 2
+
+Both threads will be stuck waiting to acquire a register resulting in an
+RCU stall warning or soft lockup.
+
+This patch solves the deadlock by refactoring the code to ensure registers
+are not released between flushes and to ensure all registers are either
+acquired or released together and in order.
+
+Fixes: bbd5ff50afff ("powerpc/powernv/npu-dma: Add explicit flush when sending an ATSD")
+Signed-off-by: Alistair Popple <alistair@popple.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/npu-dma.c | 227 +++++++++++++++++++------------
+ 1 file changed, 140 insertions(+), 87 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/npu-dma.c
++++ b/arch/powerpc/platforms/powernv/npu-dma.c
+@@ -417,6 +417,11 @@ struct npu_context {
+ void *priv;
+ };
+
++struct mmio_atsd_reg {
++ struct npu *npu;
++ int reg;
++};
++
+ /*
+ * Find a free MMIO ATSD register and mark it in use. Return -ENOSPC
+ * if none are available.
+@@ -426,7 +431,7 @@ static int get_mmio_atsd_reg(struct npu
+ int i;
+
+ for (i = 0; i < npu->mmio_atsd_count; i++) {
+- if (!test_and_set_bit(i, &npu->mmio_atsd_usage))
++ if (!test_and_set_bit_lock(i, &npu->mmio_atsd_usage))
+ return i;
+ }
+
+@@ -435,86 +440,90 @@ static int get_mmio_atsd_reg(struct npu
+
+ static void put_mmio_atsd_reg(struct npu *npu, int reg)
+ {
+- clear_bit(reg, &npu->mmio_atsd_usage);
++ clear_bit_unlock(reg, &npu->mmio_atsd_usage);
+ }
+
+ /* MMIO ATSD register offsets */
+ #define XTS_ATSD_AVA 1
+ #define XTS_ATSD_STAT 2
+
+-static int mmio_launch_invalidate(struct npu *npu, unsigned long launch,
+- unsigned long va)
++static void mmio_launch_invalidate(struct mmio_atsd_reg *mmio_atsd_reg,
++ unsigned long launch, unsigned long va)
+ {
+- int mmio_atsd_reg;
+-
+- do {
+- mmio_atsd_reg = get_mmio_atsd_reg(npu);
+- cpu_relax();
+- } while (mmio_atsd_reg < 0);
++ struct npu *npu = mmio_atsd_reg->npu;
++ int reg = mmio_atsd_reg->reg;
+
+ __raw_writeq(cpu_to_be64(va),
+- npu->mmio_atsd_regs[mmio_atsd_reg] + XTS_ATSD_AVA);
++ npu->mmio_atsd_regs[reg] + XTS_ATSD_AVA);
+ eieio();
+- __raw_writeq(cpu_to_be64(launch), npu->mmio_atsd_regs[mmio_atsd_reg]);
+-
+- return mmio_atsd_reg;
++ __raw_writeq(cpu_to_be64(launch), npu->mmio_atsd_regs[reg]);
+ }
+
+-static int mmio_invalidate_pid(struct npu *npu, unsigned long pid, bool flush)
++static void mmio_invalidate_pid(struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS],
++ unsigned long pid, bool flush)
+ {
++ int i;
+ unsigned long launch;
+
+- /* IS set to invalidate matching PID */
+- launch = PPC_BIT(12);
++ for (i = 0; i <= max_npu2_index; i++) {
++ if (mmio_atsd_reg[i].reg < 0)
++ continue;
++
++ /* IS set to invalidate matching PID */
++ launch = PPC_BIT(12);
+
+- /* PRS set to process-scoped */
+- launch |= PPC_BIT(13);
++ /* PRS set to process-scoped */
++ launch |= PPC_BIT(13);
+
+- /* AP */
+- launch |= (u64) mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17);
++ /* AP */
++ launch |= (u64)
++ mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17);
+
+- /* PID */
+- launch |= pid << PPC_BITLSHIFT(38);
++ /* PID */
++ launch |= pid << PPC_BITLSHIFT(38);
+
+- /* No flush */
+- launch |= !flush << PPC_BITLSHIFT(39);
++ /* No flush */
++ launch |= !flush << PPC_BITLSHIFT(39);
+
+- /* Invalidating the entire process doesn't use a va */
+- return mmio_launch_invalidate(npu, launch, 0);
++ /* Invalidating the entire process doesn't use a va */
++ mmio_launch_invalidate(&mmio_atsd_reg[i], launch, 0);
++ }
+ }
+
+-static int mmio_invalidate_va(struct npu *npu, unsigned long va,
+- unsigned long pid, bool flush)
++static void mmio_invalidate_va(struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS],
++ unsigned long va, unsigned long pid, bool flush)
+ {
++ int i;
+ unsigned long launch;
+
+- /* IS set to invalidate target VA */
+- launch = 0;
++ for (i = 0; i <= max_npu2_index; i++) {
++ if (mmio_atsd_reg[i].reg < 0)
++ continue;
+
+- /* PRS set to process scoped */
+- launch |= PPC_BIT(13);
++ /* IS set to invalidate target VA */
++ launch = 0;
+
+- /* AP */
+- launch |= (u64) mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17);
++ /* PRS set to process scoped */
++ launch |= PPC_BIT(13);
+
+- /* PID */
+- launch |= pid << PPC_BITLSHIFT(38);
++ /* AP */
++ launch |= (u64)
++ mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17);
+
+- /* No flush */
+- launch |= !flush << PPC_BITLSHIFT(39);
++ /* PID */
++ launch |= pid << PPC_BITLSHIFT(38);
+
+- return mmio_launch_invalidate(npu, launch, va);
++ /* No flush */
++ launch |= !flush << PPC_BITLSHIFT(39);
++
++ mmio_launch_invalidate(&mmio_atsd_reg[i], launch, va);
++ }
+ }
+
+ #define mn_to_npu_context(x) container_of(x, struct npu_context, mn)
+
+-struct mmio_atsd_reg {
+- struct npu *npu;
+- int reg;
+-};
+-
+ static void mmio_invalidate_wait(
+- struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS], bool flush)
++ struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS])
+ {
+ struct npu *npu;
+ int i, reg;
+@@ -529,16 +538,67 @@ static void mmio_invalidate_wait(
+ reg = mmio_atsd_reg[i].reg;
+ while (__raw_readq(npu->mmio_atsd_regs[reg] + XTS_ATSD_STAT))
+ cpu_relax();
++ }
++}
++
++/*
++ * Acquires all the address translation shootdown (ATSD) registers required to
++ * launch an ATSD on all links this npu_context is active on.
++ */
++static void acquire_atsd_reg(struct npu_context *npu_context,
++ struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS])
++{
++ int i, j;
++ struct npu *npu;
++ struct pci_dev *npdev;
++ struct pnv_phb *nphb;
++
++ for (i = 0; i <= max_npu2_index; i++) {
++ mmio_atsd_reg[i].reg = -1;
++ for (j = 0; j < NV_MAX_LINKS; j++) {
++ /*
++ * There are no ordering requirements with respect to
++ * the setup of struct npu_context, but to ensure
++ * consistent behaviour we need to ensure npdev[][] is
++ * only read once.
++ */
++ npdev = READ_ONCE(npu_context->npdev[i][j]);
++ if (!npdev)
++ continue;
++
++ nphb = pci_bus_to_host(npdev->bus)->private_data;
++ npu = &nphb->npu;
++ mmio_atsd_reg[i].npu = npu;
++ mmio_atsd_reg[i].reg = get_mmio_atsd_reg(npu);
++ while (mmio_atsd_reg[i].reg < 0) {
++ mmio_atsd_reg[i].reg = get_mmio_atsd_reg(npu);
++ cpu_relax();
++ }
++ break;
++ }
++ }
++}
+
+- put_mmio_atsd_reg(npu, reg);
++/*
++ * Release previously acquired ATSD registers. To avoid deadlocks the registers
++ * must be released in the same order they were acquired above in
++ * acquire_atsd_reg.
++ */
++static void release_atsd_reg(struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS])
++{
++ int i;
+
++ for (i = 0; i <= max_npu2_index; i++) {
+ /*
+- * The GPU requires two flush ATSDs to ensure all entries have
+- * been flushed. We use PID 0 as it will never be used for a
+- * process on the GPU.
++ * We can't rely on npu_context->npdev[][] being the same here
++ * as when acquire_atsd_reg() was called, hence we use the
++ * values stored in mmio_atsd_reg during the acquire phase
++ * rather than re-reading npdev[][].
+ */
+- if (flush)
+- mmio_invalidate_pid(npu, 0, true);
++ if (mmio_atsd_reg[i].reg < 0)
++ continue;
++
++ put_mmio_atsd_reg(mmio_atsd_reg[i].npu, mmio_atsd_reg[i].reg);
+ }
+ }
+
+@@ -549,10 +609,6 @@ static void mmio_invalidate_wait(
+ static void mmio_invalidate(struct npu_context *npu_context, int va,
+ unsigned long address, bool flush)
+ {
+- int i, j;
+- struct npu *npu;
+- struct pnv_phb *nphb;
+- struct pci_dev *npdev;
+ struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS];
+ unsigned long pid = npu_context->mm->context.id;
+
+@@ -568,37 +624,25 @@ static void mmio_invalidate(struct npu_c
+ * Loop over all the NPUs this process is active on and launch
+ * an invalidate.
+ */
+- for (i = 0; i <= max_npu2_index; i++) {
+- mmio_atsd_reg[i].reg = -1;
+- for (j = 0; j < NV_MAX_LINKS; j++) {
+- npdev = npu_context->npdev[i][j];
+- if (!npdev)
+- continue;
++ acquire_atsd_reg(npu_context, mmio_atsd_reg);
++ if (va)
++ mmio_invalidate_va(mmio_atsd_reg, address, pid, flush);
++ else
++ mmio_invalidate_pid(mmio_atsd_reg, pid, flush);
+
+- nphb = pci_bus_to_host(npdev->bus)->private_data;
+- npu = &nphb->npu;
+- mmio_atsd_reg[i].npu = npu;
+-
+- if (va)
+- mmio_atsd_reg[i].reg =
+- mmio_invalidate_va(npu, address, pid,
+- flush);
+- else
+- mmio_atsd_reg[i].reg =
+- mmio_invalidate_pid(npu, pid, flush);
+-
+- /*
+- * The NPU hardware forwards the shootdown to all GPUs
+- * so we only have to launch one shootdown per NPU.
+- */
+- break;
+- }
++ mmio_invalidate_wait(mmio_atsd_reg);
++ if (flush) {
++ /*
++ * The GPU requires two flush ATSDs to ensure all entries have
++ * been flushed. We use PID 0 as it will never be used for a
++ * process on the GPU.
++ */
++ mmio_invalidate_pid(mmio_atsd_reg, 0, true);
++ mmio_invalidate_wait(mmio_atsd_reg);
++ mmio_invalidate_pid(mmio_atsd_reg, 0, true);
++ mmio_invalidate_wait(mmio_atsd_reg);
+ }
+-
+- mmio_invalidate_wait(mmio_atsd_reg, flush);
+- if (flush)
+- /* Wait for the flush to complete */
+- mmio_invalidate_wait(mmio_atsd_reg, false);
++ release_atsd_reg(mmio_atsd_reg);
+ }
+
+ static void pnv_npu2_mn_release(struct mmu_notifier *mn,
+@@ -741,7 +785,16 @@ struct npu_context *pnv_npu2_init_contex
+ if (WARN_ON(of_property_read_u32(nvlink_dn, "ibm,npu-link-index",
+ &nvlink_index)))
+ return ERR_PTR(-ENODEV);
+- npu_context->npdev[npu->index][nvlink_index] = npdev;
++
++ /*
++ * npdev is a pci_dev pointer setup by the PCI code. We assign it to
++ * npdev[][] to indicate to the mmu notifiers that an invalidation
++ * should also be sent over this nvlink. The notifiers don't use any
++ * other fields in npu_context, so we just need to ensure that when they
++ * deference npu_context->npdev[][] it is either a valid pointer or
++ * NULL.
++ */
++ WRITE_ONCE(npu_context->npdev[npu->index][nvlink_index], npdev);
+
+ if (!nphb->npu.nmmu_flush) {
+ /*
+@@ -793,7 +846,7 @@ void pnv_npu2_destroy_context(struct npu
+ if (WARN_ON(of_property_read_u32(nvlink_dn, "ibm,npu-link-index",
+ &nvlink_index)))
+ return;
+- npu_context->npdev[npu->index][nvlink_index] = NULL;
++ WRITE_ONCE(npu_context->npdev[npu->index][nvlink_index], NULL);
+ opal_npu_destroy_context(nphb->opal_id, npu_context->mm->context.id,
+ PCI_DEVID(gpdev->bus->number, gpdev->devfn));
+ kref_put(&npu_context->kref, pnv_npu2_release_context);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
+Date: Fri, 9 Feb 2018 11:49:06 -0600
+Subject: powerpc/vas: Fix cleanup when VAS is not configured
+
+From: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
+
+[ Upstream commit 45ddea8a73a25461387eb8e87f3e0ecca084799b ]
+
+When VAS is not configured, unregister the platform driver. Also simplify
+cleanup by delaying vas debugfs init until we know VAS is configured.
+
+Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/vas-debug.c | 11 +++++++++++
+ arch/powerpc/platforms/powernv/vas.c | 6 +++---
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/vas-debug.c
++++ b/arch/powerpc/platforms/powernv/vas-debug.c
+@@ -179,6 +179,7 @@ void vas_instance_init_dbgdir(struct vas
+ {
+ struct dentry *d;
+
++ vas_init_dbgdir();
+ if (!vas_debugfs)
+ return;
+
+@@ -201,8 +202,18 @@ free_name:
+ vinst->dbgdir = NULL;
+ }
+
++/*
++ * Set up the "root" VAS debugfs dir. Return if we already set it up
++ * (or failed to) in an earlier instance of VAS.
++ */
+ void vas_init_dbgdir(void)
+ {
++ static bool first_time = true;
++
++ if (!first_time)
++ return;
++
++ first_time = false;
+ vas_debugfs = debugfs_create_dir("vas", NULL);
+ if (IS_ERR(vas_debugfs))
+ vas_debugfs = NULL;
+--- a/arch/powerpc/platforms/powernv/vas.c
++++ b/arch/powerpc/platforms/powernv/vas.c
+@@ -160,8 +160,6 @@ static int __init vas_init(void)
+ int found = 0;
+ struct device_node *dn;
+
+- vas_init_dbgdir();
+-
+ platform_driver_register(&vas_driver);
+
+ for_each_compatible_node(dn, NULL, "ibm,vas") {
+@@ -169,8 +167,10 @@ static int __init vas_init(void)
+ found++;
+ }
+
+- if (!found)
++ if (!found) {
++ platform_driver_unregister(&vas_driver);
+ return -ENODEV;
++ }
+
+ pr_devel("Found %d instances\n", found);
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Date: Sun, 4 Mar 2018 23:00:25 +0530
+Subject: powerpc/xmon: Setup debugger hooks when first break-point is set
+
+From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+
+[ Upstream commit e1368d0c9edbc366e45216e7295fd61ae55c2b12 ]
+
+Presently sysrq key for xmon('x') is registered during kernel init
+irrespective of the value of kernel param 'xmon'. Thus xmon is enabled
+even if 'xmon=off' is passed on the kernel command line. However this
+doesn't enable the kernel debugger hooks needed for instruction or
+data breakpoints. Thus when a break-point is hit with xmon=off a
+kernel oops of the form below is reported:
+
+ Oops: Exception in kernel mode, sig: 5 [#1]
+ < snip >
+ Trace/breakpoint trap
+
+To fix this the patch checks and enables debugger hooks when an
+instruction or data break-point is set via xmon console.
+
+Signed-off-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Reviewed-by: Balbir Singh <bsingharora@gmail.com>
+[mpe: Just printf directly, no need for static const char[]]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/xmon/xmon.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/xmon/xmon.c
++++ b/arch/powerpc/xmon/xmon.c
+@@ -1273,6 +1273,16 @@ static long check_bp_loc(unsigned long a
+ return 1;
+ }
+
++/* Force enable xmon if not already enabled */
++static inline void force_enable_xmon(void)
++{
++ /* Enable xmon hooks if needed */
++ if (!xmon_on) {
++ printf("xmon: Enabling debugger hooks\n");
++ xmon_on = 1;
++ }
++}
++
+ static char *breakpoint_help_string =
+ "Breakpoint command usage:\n"
+ "b show breakpoints\n"
+@@ -1315,6 +1325,8 @@ bpt_cmds(void)
+ dabr.address &= ~HW_BRK_TYPE_DABR;
+ dabr.enabled = mode | BP_DABR;
+ }
++
++ force_enable_xmon();
+ break;
+
+ case 'i': /* bi - hardware instr breakpoint */
+@@ -1335,6 +1347,7 @@ bpt_cmds(void)
+ if (bp != NULL) {
+ bp->enabled |= BP_CIABR;
+ iabr = bp;
++ force_enable_xmon();
+ }
+ break;
+ #endif
+@@ -1399,8 +1412,10 @@ bpt_cmds(void)
+ if (!check_bp_loc(a))
+ break;
+ bp = new_breakpoint(a);
+- if (bp != NULL)
++ if (bp != NULL) {
+ bp->enabled |= BP_TRAP;
++ force_enable_xmon();
++ }
+ break;
+ }
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Tejun Heo <tj@kernel.org>
+Date: Tue, 9 Jan 2018 10:38:17 -0800
+Subject: rcu: Call touch_nmi_watchdog() while printing stall warnings
+
+From: Tejun Heo <tj@kernel.org>
+
+[ Upstream commit 3caa973b7a260e7a2a69edc94c300ab9c65148c3 ]
+
+When RCU stall warning triggers, it can print out a lot of messages
+while holding spinlocks. If the console device is slow (e.g. an
+actual or IPMI serial console), it may end up triggering NMI hard
+lockup watchdog like the following.
+
+---
+ kernel/rcu/tree_plugin.h | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/kernel/rcu/tree_plugin.h
++++ b/kernel/rcu/tree_plugin.h
+@@ -560,8 +560,14 @@ static void rcu_print_detail_task_stall_
+ }
+ t = list_entry(rnp->gp_tasks->prev,
+ struct task_struct, rcu_node_entry);
+- list_for_each_entry_continue(t, &rnp->blkd_tasks, rcu_node_entry)
++ list_for_each_entry_continue(t, &rnp->blkd_tasks, rcu_node_entry) {
++ /*
++ * We could be printing a lot while holding a spinlock.
++ * Avoid triggering hard lockup.
++ */
++ touch_nmi_watchdog();
+ sched_show_task(t);
++ }
+ raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
+ }
+
+@@ -1677,6 +1683,12 @@ static void print_cpu_stall_info(struct
+ char *ticks_title;
+ unsigned long ticks_value;
+
++ /*
++ * We could be printing a lot while holding a spinlock. Avoid
++ * triggering hard lockup.
++ */
++ touch_nmi_watchdog();
++
+ if (rsp->gpnum == rdp->gpnum) {
+ ticks_title = "ticks this GP";
+ ticks_value = rdp->ticks_this_gp;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Date: Thu, 15 Mar 2018 03:54:26 -0700
+Subject: rds: tcp: must use spin_lock_irq* and not spin_lock_bh with rds_tcp_conn_lock
+
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+
+[ Upstream commit 53d0e83f9329aa51dcc205b514dbee05cb4df309 ]
+
+rds_tcp_connection allocation/free management has the potential to be
+called from __rds_conn_create after IRQs have been disabled, so
+spin_[un]lock_bh cannot be used with rds_tcp_conn_lock.
+
+Bottom-halves that need to synchronize for critical sections protected
+by rds_tcp_conn_lock should instead use rds_destroy_pending() correctly.
+
+Reported-by: syzbot+c68e51bb5e699d3f8d91@syzkaller.appspotmail.com
+Fixes: ebeeb1ad9b8a ("rds: tcp: use rds_destroy_pending() to synchronize
+ netns/module teardown and rds connection/workq management")
+Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/tcp.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/net/rds/tcp.c
++++ b/net/rds/tcp.c
+@@ -275,13 +275,14 @@ static int rds_tcp_laddr_check(struct ne
+ static void rds_tcp_conn_free(void *arg)
+ {
+ struct rds_tcp_connection *tc = arg;
++ unsigned long flags;
+
+ rdsdebug("freeing tc %p\n", tc);
+
+- spin_lock_bh(&rds_tcp_conn_lock);
++ spin_lock_irqsave(&rds_tcp_conn_lock, flags);
+ if (!tc->t_tcp_node_detached)
+ list_del(&tc->t_tcp_node);
+- spin_unlock_bh(&rds_tcp_conn_lock);
++ spin_unlock_irqrestore(&rds_tcp_conn_lock, flags);
+
+ kmem_cache_free(rds_tcp_conn_slab, tc);
+ }
+@@ -311,13 +312,13 @@ static int rds_tcp_conn_alloc(struct rds
+ rdsdebug("rds_conn_path [%d] tc %p\n", i,
+ conn->c_path[i].cp_transport_data);
+ }
+- spin_lock_bh(&rds_tcp_conn_lock);
++ spin_lock_irq(&rds_tcp_conn_lock);
+ for (i = 0; i < RDS_MPATH_WORKERS; i++) {
+ tc = conn->c_path[i].cp_transport_data;
+ tc->t_tcp_node_detached = false;
+ list_add_tail(&tc->t_tcp_node, &rds_tcp_conn_list);
+ }
+- spin_unlock_bh(&rds_tcp_conn_lock);
++ spin_unlock_irq(&rds_tcp_conn_lock);
+ fail:
+ if (ret) {
+ for (j = 0; j < i; j++)
+@@ -529,7 +530,7 @@ static void rds_tcp_kill_sock(struct net
+
+ rtn->rds_tcp_listen_sock = NULL;
+ rds_tcp_listen_stop(lsock, &rtn->rds_tcp_accept_w);
+- spin_lock_bh(&rds_tcp_conn_lock);
++ spin_lock_irq(&rds_tcp_conn_lock);
+ list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) {
+ struct net *c_net = read_pnet(&tc->t_cpath->cp_conn->c_net);
+
+@@ -542,7 +543,7 @@ static void rds_tcp_kill_sock(struct net
+ tc->t_tcp_node_detached = true;
+ }
+ }
+- spin_unlock_bh(&rds_tcp_conn_lock);
++ spin_unlock_irq(&rds_tcp_conn_lock);
+ list_for_each_entry_safe(tc, _tc, &tmp_list, t_tcp_node)
+ rds_conn_destroy(tc->t_cpath->cp_conn);
+ }
+@@ -590,7 +591,7 @@ static void rds_tcp_sysctl_reset(struct
+ {
+ struct rds_tcp_connection *tc, *_tc;
+
+- spin_lock_bh(&rds_tcp_conn_lock);
++ spin_lock_irq(&rds_tcp_conn_lock);
+ list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) {
+ struct net *c_net = read_pnet(&tc->t_cpath->cp_conn->c_net);
+
+@@ -600,7 +601,7 @@ static void rds_tcp_sysctl_reset(struct
+ /* reconnect with new parameters */
+ rds_conn_path_drop(tc->t_cpath, false);
+ }
+- spin_unlock_bh(&rds_tcp_conn_lock);
++ spin_unlock_irq(&rds_tcp_conn_lock);
+ }
+
+ static int rds_tcp_skbuf_handler(struct ctl_table *ctl, int write,
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+Date: Mon, 12 Feb 2018 18:15:44 +0000
+Subject: regmap: Correct comparison in regmap_cached
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit 71df179363a5a733a8932e9afb869760d7559383 ]
+
+The cache pointer points to the actual memory used by the cache, as the
+comparison here is looking for the type of the cache it should check
+against cache_type.
+
+Fixes: 1ea975cf1ef5 ("regmap: Add a function to check if a regmap register is cached")
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/regmap/regmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -99,7 +99,7 @@ bool regmap_cached(struct regmap *map, u
+ int ret;
+ unsigned int val;
+
+- if (map->cache == REGCACHE_NONE)
++ if (map->cache_type == REGCACHE_NONE)
+ return false;
+
+ if (!map->cache_ops)
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+Date: Tue, 13 Mar 2018 21:33:11 +0100
+Subject: regulator: gpio: Fix some error handling paths in 'gpio_regulator_probe()'
+
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ed8cffda27dea6fd3dafb3ee881c5a786edac9ca ]
+
+Re-order error handling code and gotos to avoid leaks in error handling
+paths.
+
+Fixes: 9f946099fe19 ("regulator: gpio: fix parsing of gpio list")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/gpio-regulator.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/regulator/gpio-regulator.c
++++ b/drivers/regulator/gpio-regulator.c
+@@ -271,8 +271,7 @@ static int gpio_regulator_probe(struct p
+ drvdata->desc.name = kstrdup(config->supply_name, GFP_KERNEL);
+ if (drvdata->desc.name == NULL) {
+ dev_err(&pdev->dev, "Failed to allocate supply name\n");
+- ret = -ENOMEM;
+- goto err;
++ return -ENOMEM;
+ }
+
+ if (config->nr_gpios != 0) {
+@@ -292,7 +291,7 @@ static int gpio_regulator_probe(struct p
+ dev_err(&pdev->dev,
+ "Could not obtain regulator setting GPIOs: %d\n",
+ ret);
+- goto err_memstate;
++ goto err_memgpio;
+ }
+ }
+
+@@ -303,7 +302,7 @@ static int gpio_regulator_probe(struct p
+ if (drvdata->states == NULL) {
+ dev_err(&pdev->dev, "Failed to allocate state data\n");
+ ret = -ENOMEM;
+- goto err_memgpio;
++ goto err_stategpio;
+ }
+ drvdata->nr_states = config->nr_states;
+
+@@ -324,7 +323,7 @@ static int gpio_regulator_probe(struct p
+ default:
+ dev_err(&pdev->dev, "No regulator type set\n");
+ ret = -EINVAL;
+- goto err_memgpio;
++ goto err_memstate;
+ }
+
+ /* build initial state from gpio init data. */
+@@ -361,22 +360,21 @@ static int gpio_regulator_probe(struct p
+ if (IS_ERR(drvdata->dev)) {
+ ret = PTR_ERR(drvdata->dev);
+ dev_err(&pdev->dev, "Failed to register regulator: %d\n", ret);
+- goto err_stategpio;
++ goto err_memstate;
+ }
+
+ platform_set_drvdata(pdev, drvdata);
+
+ return 0;
+
+-err_stategpio:
+- gpio_free_array(drvdata->gpios, drvdata->nr_gpios);
+ err_memstate:
+ kfree(drvdata->states);
++err_stategpio:
++ gpio_free_array(drvdata->gpios, drvdata->nr_gpios);
+ err_memgpio:
+ kfree(drvdata->gpios);
+ err_name:
+ kfree(drvdata->desc.name);
+-err:
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Fri, 26 Jan 2018 23:13:44 +0100
+Subject: regulator: of: Add a missing 'of_node_put()' in an error handling path of 'of_regulator_match()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 30966861a7a2051457be8c49466887d78cc47e97 ]
+
+If an unlikely failure in 'of_get_regulator_init_data()' occurs, we must
+release the reference on the current 'child' node before returning.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/of_regulator.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/regulator/of_regulator.c
++++ b/drivers/regulator/of_regulator.c
+@@ -321,6 +321,7 @@ int of_regulator_match(struct device *de
+ dev_err(dev,
+ "failed to parse DT for regulator %s\n",
+ child->name);
++ of_node_put(child);
+ return -EINVAL;
+ }
+ match->of_node = of_node_get(child);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Wed, 14 Mar 2018 20:56:37 +0100
+Subject: remoteproc: imx_rproc: Fix an error handling path in 'imx_rproc_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit de6f83f85be94e0b7d0d324c29ccc9d78a6bb4e7 ]
+
+If 'of_device_get_match_data()' fails, we must undo the previous
+'rproc_alloc()' call.
+
+Fixes: a0ff4aa6f010 ("remoteproc: imx_rproc: add a NXP/Freescale imx_rproc driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/imx_rproc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/remoteproc/imx_rproc.c
++++ b/drivers/remoteproc/imx_rproc.c
+@@ -339,8 +339,10 @@ static int imx_rproc_probe(struct platfo
+ }
+
+ dcfg = of_device_get_match_data(dev);
+- if (!dcfg)
+- return -EINVAL;
++ if (!dcfg) {
++ ret = -EINVAL;
++ goto err_put_rproc;
++ }
+
+ priv = rproc->priv;
+ priv->rproc = rproc;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Andrea Parri <parri.andrea@gmail.com>
+Date: Fri, 9 Mar 2018 13:13:20 +0100
+Subject: riscv/spinlock: Strengthen implementations with fences
+
+From: Andrea Parri <parri.andrea@gmail.com>
+
+[ Upstream commit 0123f4d76ca63b7b895f40089be0ce4809e392d8 ]
+
+Current implementations map locking operations using .rl and .aq
+annotations. However, this mapping is unsound w.r.t. the kernel
+memory consistency model (LKMM) [1]:
+
+Referring to the "unlock-lock-read-ordering" test reported below,
+Daniel wrote:
+
+ "I think an RCpc interpretation of .aq and .rl would in fact
+ allow the two normal loads in P1 to be reordered [...]
+
+ The intuition would be that the amoswap.w.aq can forward from
+ the amoswap.w.rl while that's still in the store buffer, and
+ then the lw x3,0(x4) can also perform while the amoswap.w.rl
+ is still in the store buffer, all before the l1 x1,0(x2)
+ executes. That's not forbidden unless the amoswaps are RCsc,
+ unless I'm missing something.
+
+ Likewise even if the unlock()/lock() is between two stores.
+ A control dependency might originate from the load part of
+ the amoswap.w.aq, but there still would have to be something
+ to ensure that this load part in fact performs after the store
+ part of the amoswap.w.rl performs globally, and that's not
+ automatic under RCpc."
+
+Simulation of the RISC-V memory consistency model confirmed this
+expectation.
+
+In order to "synchronize" LKMM and RISC-V's implementation, this
+commit strengthens the implementations of the locking operations
+by replacing .rl and .aq with the use of ("lightweigth") fences,
+resp., "fence rw, w" and "fence r , rw".
+
+C unlock-lock-read-ordering
+
+{}
+/* s initially owned by P1 */
+
+P0(int *x, int *y)
+{
+ WRITE_ONCE(*x, 1);
+ smp_wmb();
+ WRITE_ONCE(*y, 1);
+}
+
+P1(int *x, int *y, spinlock_t *s)
+{
+ int r0;
+ int r1;
+
+ r0 = READ_ONCE(*y);
+ spin_unlock(s);
+ spin_lock(s);
+ r1 = READ_ONCE(*x);
+}
+
+exists (1:r0=1 /\ 1:r1=0)
+
+[1] https://marc.info/?l=linux-kernel&m=151930201102853&w=2
+ https://groups.google.com/a/groups.riscv.org/forum/#!topic/isa-dev/hKywNHBkAXM
+ https://marc.info/?l=linux-kernel&m=151633436614259&w=2
+
+Signed-off-by: Andrea Parri <parri.andrea@gmail.com>
+Cc: Palmer Dabbelt <palmer@sifive.com>
+Cc: Albert Ou <albert@sifive.com>
+Cc: Daniel Lustig <dlustig@nvidia.com>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Boqun Feng <boqun.feng@gmail.com>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Jade Alglave <j.alglave@ucl.ac.uk>
+Cc: Luc Maranget <luc.maranget@inria.fr>
+Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
+Cc: Akira Yokosawa <akiyks@gmail.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: linux-riscv@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/fence.h | 12 ++++++++++++
+ arch/riscv/include/asm/spinlock.h | 29 +++++++++++++++--------------
+ 2 files changed, 27 insertions(+), 14 deletions(-)
+ create mode 100644 arch/riscv/include/asm/fence.h
+
+--- /dev/null
++++ b/arch/riscv/include/asm/fence.h
+@@ -0,0 +1,12 @@
++#ifndef _ASM_RISCV_FENCE_H
++#define _ASM_RISCV_FENCE_H
++
++#ifdef CONFIG_SMP
++#define RISCV_ACQUIRE_BARRIER "\tfence r , rw\n"
++#define RISCV_RELEASE_BARRIER "\tfence rw, w\n"
++#else
++#define RISCV_ACQUIRE_BARRIER
++#define RISCV_RELEASE_BARRIER
++#endif
++
++#endif /* _ASM_RISCV_FENCE_H */
+--- a/arch/riscv/include/asm/spinlock.h
++++ b/arch/riscv/include/asm/spinlock.h
+@@ -17,6 +17,7 @@
+
+ #include <linux/kernel.h>
+ #include <asm/current.h>
++#include <asm/fence.h>
+
+ /*
+ * Simple spin lock operations. These provide no fairness guarantees.
+@@ -28,10 +29,7 @@
+
+ static inline void arch_spin_unlock(arch_spinlock_t *lock)
+ {
+- __asm__ __volatile__ (
+- "amoswap.w.rl x0, x0, %0"
+- : "=A" (lock->lock)
+- :: "memory");
++ smp_store_release(&lock->lock, 0);
+ }
+
+ static inline int arch_spin_trylock(arch_spinlock_t *lock)
+@@ -39,7 +37,8 @@ static inline int arch_spin_trylock(arch
+ int tmp = 1, busy;
+
+ __asm__ __volatile__ (
+- "amoswap.w.aq %0, %2, %1"
++ " amoswap.w %0, %2, %1\n"
++ RISCV_ACQUIRE_BARRIER
+ : "=r" (busy), "+A" (lock->lock)
+ : "r" (tmp)
+ : "memory");
+@@ -68,8 +67,9 @@ static inline void arch_read_lock(arch_r
+ "1: lr.w %1, %0\n"
+ " bltz %1, 1b\n"
+ " addi %1, %1, 1\n"
+- " sc.w.aq %1, %1, %0\n"
++ " sc.w %1, %1, %0\n"
+ " bnez %1, 1b\n"
++ RISCV_ACQUIRE_BARRIER
+ : "+A" (lock->lock), "=&r" (tmp)
+ :: "memory");
+ }
+@@ -82,8 +82,9 @@ static inline void arch_write_lock(arch_
+ "1: lr.w %1, %0\n"
+ " bnez %1, 1b\n"
+ " li %1, -1\n"
+- " sc.w.aq %1, %1, %0\n"
++ " sc.w %1, %1, %0\n"
+ " bnez %1, 1b\n"
++ RISCV_ACQUIRE_BARRIER
+ : "+A" (lock->lock), "=&r" (tmp)
+ :: "memory");
+ }
+@@ -96,8 +97,9 @@ static inline int arch_read_trylock(arch
+ "1: lr.w %1, %0\n"
+ " bltz %1, 1f\n"
+ " addi %1, %1, 1\n"
+- " sc.w.aq %1, %1, %0\n"
++ " sc.w %1, %1, %0\n"
+ " bnez %1, 1b\n"
++ RISCV_ACQUIRE_BARRIER
+ "1:\n"
+ : "+A" (lock->lock), "=&r" (busy)
+ :: "memory");
+@@ -113,8 +115,9 @@ static inline int arch_write_trylock(arc
+ "1: lr.w %1, %0\n"
+ " bnez %1, 1f\n"
+ " li %1, -1\n"
+- " sc.w.aq %1, %1, %0\n"
++ " sc.w %1, %1, %0\n"
+ " bnez %1, 1b\n"
++ RISCV_ACQUIRE_BARRIER
+ "1:\n"
+ : "+A" (lock->lock), "=&r" (busy)
+ :: "memory");
+@@ -125,7 +128,8 @@ static inline int arch_write_trylock(arc
+ static inline void arch_read_unlock(arch_rwlock_t *lock)
+ {
+ __asm__ __volatile__(
+- "amoadd.w.rl x0, %1, %0"
++ RISCV_RELEASE_BARRIER
++ " amoadd.w x0, %1, %0\n"
+ : "+A" (lock->lock)
+ : "r" (-1)
+ : "memory");
+@@ -133,10 +137,7 @@ static inline void arch_read_unlock(arch
+
+ static inline void arch_write_unlock(arch_rwlock_t *lock)
+ {
+- __asm__ __volatile__ (
+- "amoswap.w.rl x0, x0, %0"
+- : "=A" (lock->lock)
+- :: "memory");
++ smp_store_release(&lock->lock, 0);
+ }
+
+ #endif /* _ASM_RISCV_SPINLOCK_H */
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Amitkumar Karwar <amit.karwar@redpinesignals.com>
+Date: Tue, 20 Mar 2018 19:10:41 +0530
+Subject: rsi: fix kernel panic observed on 64bit machine
+
+From: Amitkumar Karwar <amit.karwar@redpinesignals.com>
+
+[ Upstream commit 864db4d5085349fcfa1f260b5bcd2adde3d7f2ed ]
+
+Following kernel panic is observed on 64bit machine while loading
+the driver. It is fixed if we pass dynamically allocated memory to
+SDIO for DMA.
+
+BUG: unable to handle kernel paging request at ffffeb04000172e0
+IP: sg_miter_stop+0x56/0x70
+PGD 0 P4D 0
+Oops: 0000 [#1] SMP PTI
+Modules linked in: rsi_sdio(OE+) rsi_91x(OE) btrsi(OE) rfcomm bluetooth
+ecdh_generic mac80211 mmc_block fuse xt_CHECKSUM iptable_mangle
+drm_kms_helper mmc_core serio_raw drm firewire_ohci tg3
+CPU: 0 PID: 4003 Comm: insmod Tainted: G OE 4.16.0-rc1+ #27
+Hardware name: Dell Inc. Latitude E5500 /0DW634, BIOS
+A19 06/13/2013
+RIP: 0010:sg_miter_stop+0x56/0x70
+RSP: 0018:ffff88007d003e78 EFLAGS: 00010002
+RAX: 0000000000000003 RBX: 0000000000000004 RCX: 0000000000000000
+RDX: ffffeb04000172c0 RSI: ffff88002f58002c RDI: ffff88007d003e80
+RBP: 0000000000000004 R08: ffff88007d003e80 R09: 0000000000000008
+R10: 0000000000000003 R11: 0000000000000001 R12: 0000000000000004
+R13: ffff88002f580028 R14: 0000000000000000 R15: 0000000000000004
+FS: 00007f35c29db700(0000) GS:ffff88007d000000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffeb04000172e0 CR3: 000000007038e000 CR4: 00000000000406f0
+Call Trace:
+<IRQ>
+sg_copy_buffer+0xc6/0xf0
+sdhci_tasklet_finish+0x170/0x260 [sdhci]
+tasklet_action+0xf4/0x100
+__do_softirq+0xef/0x26e
+irq_exit+0xbe/0xd0
+do_IRQ+0x4a/0xc0
+common_interrupt+0xa2/0xa2
+</IRQ>
+
+Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/rsi/rsi_91x_sdio.c | 32 +++++++++++++++++++++-----------
+ drivers/net/wireless/rsi/rsi_sdio.h | 2 ++
+ 2 files changed, 23 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c
++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c
+@@ -636,11 +636,14 @@ static int rsi_sdio_master_reg_read(stru
+ u32 *read_buf, u16 size)
+ {
+ u32 addr_on_bus, *data;
+- u32 align[2] = {};
+ u16 ms_addr;
+ int status;
+
+- data = PTR_ALIGN(&align[0], 8);
++ data = kzalloc(RSI_MASTER_REG_BUF_SIZE, GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
++
++ data = PTR_ALIGN(data, 8);
+
+ ms_addr = (addr >> 16);
+ status = rsi_sdio_master_access_msword(adapter, ms_addr);
+@@ -648,7 +651,7 @@ static int rsi_sdio_master_reg_read(stru
+ rsi_dbg(ERR_ZONE,
+ "%s: Unable to set ms word to common reg\n",
+ __func__);
+- return status;
++ goto err;
+ }
+ addr &= 0xFFFF;
+
+@@ -666,7 +669,7 @@ static int rsi_sdio_master_reg_read(stru
+ (u8 *)data, 4);
+ if (status < 0) {
+ rsi_dbg(ERR_ZONE, "%s: AHB register read failed\n", __func__);
+- return status;
++ goto err;
+ }
+ if (size == 2) {
+ if ((addr & 0x3) == 0)
+@@ -688,17 +691,23 @@ static int rsi_sdio_master_reg_read(stru
+ *read_buf = *data;
+ }
+
+- return 0;
++err:
++ kfree(data);
++ return status;
+ }
+
+ static int rsi_sdio_master_reg_write(struct rsi_hw *adapter,
+ unsigned long addr,
+ unsigned long data, u16 size)
+ {
+- unsigned long data1[2], *data_aligned;
++ unsigned long *data_aligned;
+ int status;
+
+- data_aligned = PTR_ALIGN(&data1[0], 8);
++ data_aligned = kzalloc(RSI_MASTER_REG_BUF_SIZE, GFP_KERNEL);
++ if (!data_aligned)
++ return -ENOMEM;
++
++ data_aligned = PTR_ALIGN(data_aligned, 8);
+
+ if (size == 2) {
+ *data_aligned = ((data << 16) | (data & 0xFFFF));
+@@ -717,6 +726,7 @@ static int rsi_sdio_master_reg_write(str
+ rsi_dbg(ERR_ZONE,
+ "%s: Unable to set ms word to common reg\n",
+ __func__);
++ kfree(data_aligned);
+ return -EIO;
+ }
+ addr = addr & 0xFFFF;
+@@ -726,12 +736,12 @@ static int rsi_sdio_master_reg_write(str
+ (adapter,
+ (addr | RSI_SD_REQUEST_MASTER),
+ (u8 *)data_aligned, size);
+- if (status < 0) {
++ if (status < 0)
+ rsi_dbg(ERR_ZONE,
+ "%s: Unable to do AHB reg write\n", __func__);
+- return status;
+- }
+- return 0;
++
++ kfree(data_aligned);
++ return status;
+ }
+
+ /**
+--- a/drivers/net/wireless/rsi/rsi_sdio.h
++++ b/drivers/net/wireless/rsi/rsi_sdio.h
+@@ -46,6 +46,8 @@ enum sdio_interrupt_type {
+ #define PKT_BUFF_AVAILABLE 1
+ #define FW_ASSERT_IND 2
+
++#define RSI_MASTER_REG_BUF_SIZE 12
++
+ #define RSI_DEVICE_BUFFER_STATUS_REGISTER 0xf3
+ #define RSI_FN1_INT_REGISTER 0xf9
+ #define RSI_INT_ENABLE_REGISTER 0x04
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: James Hogan <jhogan@kernel.org>
+Date: Tue, 16 Jan 2018 14:45:21 +0000
+Subject: rtc: goldfish: Add missing MODULE_LICENSE
+
+From: James Hogan <jhogan@kernel.org>
+
+[ Upstream commit 82d632b85eb89f97051530f556cb49ee1c04bde7 ]
+
+Fix the following warning in MIPS allmodconfig by adding a
+MODULE_LICENSE() at the end of rtc-goldfish.c, based on the file header
+comment which says GNU General Public License version 2:
+
+WARNING: modpost: missing MODULE_LICENSE() in drivers/rtc/rtc-goldfish.o
+
+Fixes: f22d9cdcb5eb ("rtc: goldfish: Add RTC driver for Android emulator")
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Cc: Miodrag Dinic <miodrag.dinic@mips.com>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Cc: linux-rtc@vger.kernel.org
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-goldfish.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/rtc/rtc-goldfish.c
++++ b/drivers/rtc/rtc-goldfish.c
+@@ -235,3 +235,5 @@ static struct platform_driver goldfish_r
+ };
+
+ module_platform_driver(goldfish_rtc);
++
++MODULE_LICENSE("GPL v2");
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Thu, 8 Mar 2018 23:27:31 +0100
+Subject: rtc: hctosys: Ensure system time doesn't overflow time_t
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit b3a5ac42ab18b7d1a8f2f072ca0ee76a3b754a43 ]
+
+On 32bit platforms, time_t is still a signed 32bit long. If it is
+overflowed, userspace and the kernel cant agree on the current system time.
+This causes multiple issues, in particular with systemd:
+https://github.com/systemd/systemd/issues/1143
+
+A good workaround is to simply avoid using hctosys which is something I
+greatly encourage as the time is better set by userspace.
+
+However, many distribution enable it and use systemd which is rendering the
+system unusable in case the RTC holds a date after 2038 (and more so after
+2106). Many drivers have workaround for this case and they should be
+eliminated so there is only one place left to fix when userspace is able to
+cope with dates after the 31bit overflow.
+
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/hctosys.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/rtc/hctosys.c
++++ b/drivers/rtc/hctosys.c
+@@ -49,6 +49,11 @@ static int __init rtc_hctosys(void)
+
+ tv64.tv_sec = rtc_tm_to_time64(&tm);
+
++#if BITS_PER_LONG == 32
++ if (tv64.tv_sec > INT_MAX)
++ goto err_read;
++#endif
++
+ err = do_settimeofday64(&tv64);
+
+ dev_info(rtc->dev.parent,
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Sun, 25 Feb 2018 21:14:31 +0100
+Subject: rtc: m41t80: fix race conditions
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit 10d0c768cc6d581523d673b9d1b54213f8a5eb24 ]
+
+The IRQ is requested before the struct rtc is allocated and registered, but
+this struct is used in the IRQ handler, leading to:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000017c
+pgd = a38a2f9b
+[0000017c] *pgd=00000000
+Internal error: Oops: 5 [#1] ARM
+Modules linked in:
+CPU: 0 PID: 613 Comm: irq/48-m41t80 Not tainted 4.16.0-rc1+ #42
+Hardware name: Atmel SAMA5
+PC is at mutex_lock+0x14/0x38
+LR is at m41t80_handle_irq+0x1c/0x9c
+pc : [<c06e864c>] lr : [<c04b70f0>] psr: 20000013
+sp : dec73f30 ip : 00000000 fp : dec56d98
+r10: df437cf0 r9 : c0a03008 r8 : c0145ffc
+r7 : df5c4300 r6 : dec568d0 r5 : df593000 r4 : 0000017c
+r3 : df592800 r2 : 60000013 r1 : df593000 r0 : 0000017c
+Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 10c53c7d Table: 20004059 DAC: 00000051
+Process irq/48-m41t80 (pid: 613, stack limit = 0xb52d091e)
+Stack: (0xdec73f30 to 0xdec74000)
+3f20: dec56840 df5c4300 00000001 df5c4300
+3f40: c0145ffc c0146018 dec56840 ffffe000 00000001 c0146290 dec567c0 00000000
+3f60: c0146084 ed7c9a62 c014615c dec56d80 dec567c0 00000000 dec72000 dec56840
+3f80: c014615c c012ffc0 dec72000 dec567c0 c012fe80 00000000 00000000 00000000
+3fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
+3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 29282726 2d2c2b2a
+[<c06e864c>] (mutex_lock) from [<c04b70f0>] (m41t80_handle_irq+0x1c/0x9c)
+[<c04b70f0>] (m41t80_handle_irq) from [<c0146018>] (irq_thread_fn+0x1c/0x54)
+[<c0146018>] (irq_thread_fn) from [<c0146290>] (irq_thread+0x134/0x1c0)
+[<c0146290>] (irq_thread) from [<c012ffc0>] (kthread+0x140/0x148)
+[<c012ffc0>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
+Exception stack(0xdec73fb0 to 0xdec73ff8)
+3fa0: 00000000 00000000 00000000 00000000
+3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+Code: e3c33d7f e3c3303f f5d0f000 e593300c (e1901f9f)
+---[ end trace 22b027302eb7c604 ]---
+genirq: exiting task "irq/48-m41t80" (613) is an active IRQ thread (irq 48)
+
+Also, there is another possible race condition. The probe function is not
+allowed to fail after the RTC is registered because the following may
+happen:
+
+CPU0: CPU1:
+sys_load_module()
+ do_init_module()
+ do_one_initcall()
+ cmos_do_probe()
+ rtc_device_register()
+ __register_chrdev()
+ cdev->owner = struct module*
+ open("/dev/rtc0")
+ rtc_device_unregister()
+ module_put()
+ free_module()
+ module_free(mod->module_core)
+ /* struct module *module is now
+ freed */
+ chrdev_open()
+ spin_lock(cdev_lock)
+ cdev_get()
+ try_module_get()
+ module_is_live()
+ /* dereferences already
+ freed struct module* */
+
+Switch to devm_rtc_allocate_device/rtc_register_device to allocate the rtc
+before requesting the IRQ and register it as late as possible.
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-m41t80.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/drivers/rtc/rtc-m41t80.c
++++ b/drivers/rtc/rtc-m41t80.c
+@@ -885,7 +885,6 @@ static int m41t80_probe(struct i2c_clien
+ {
+ struct i2c_adapter *adapter = to_i2c_adapter(client->dev.parent);
+ int rc = 0;
+- struct rtc_device *rtc = NULL;
+ struct rtc_time tm;
+ struct m41t80_data *m41t80_data = NULL;
+ bool wakeup_source = false;
+@@ -909,6 +908,10 @@ static int m41t80_probe(struct i2c_clien
+ m41t80_data->features = id->driver_data;
+ i2c_set_clientdata(client, m41t80_data);
+
++ m41t80_data->rtc = devm_rtc_allocate_device(&client->dev);
++ if (IS_ERR(m41t80_data->rtc))
++ return PTR_ERR(m41t80_data->rtc);
++
+ #ifdef CONFIG_OF
+ wakeup_source = of_property_read_bool(client->dev.of_node,
+ "wakeup-source");
+@@ -932,15 +935,11 @@ static int m41t80_probe(struct i2c_clien
+ device_init_wakeup(&client->dev, true);
+ }
+
+- rtc = devm_rtc_device_register(&client->dev, client->name,
+- &m41t80_rtc_ops, THIS_MODULE);
+- if (IS_ERR(rtc))
+- return PTR_ERR(rtc);
++ m41t80_data->rtc->ops = &m41t80_rtc_ops;
+
+- m41t80_data->rtc = rtc;
+ if (client->irq <= 0) {
+ /* We cannot support UIE mode if we do not have an IRQ line */
+- rtc->uie_unsupported = 1;
++ m41t80_data->rtc->uie_unsupported = 1;
+ }
+
+ /* Make sure HT (Halt Update) bit is cleared */
+@@ -993,6 +992,11 @@ static int m41t80_probe(struct i2c_clien
+ if (m41t80_data->features & M41T80_FEATURE_SQ)
+ m41t80_sqw_register_clk(m41t80_data);
+ #endif
++
++ rc = rtc_register_device(m41t80_data->rtc);
++ if (rc)
++ return rc;
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Wed, 21 Feb 2018 11:57:05 +0100
+Subject: rtc: rk808: fix possible race condition
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit 201fac95e799c3d0304ec724d555e1251b9f6e84 ]
+
+The probe function is not allowed to fail after registering the RTC because
+the following may happen:
+
+CPU0: CPU1:
+sys_load_module()
+ do_init_module()
+ do_one_initcall()
+ cmos_do_probe()
+ rtc_device_register()
+ __register_chrdev()
+ cdev->owner = struct module*
+ open("/dev/rtc0")
+ rtc_device_unregister()
+ module_put()
+ free_module()
+ module_free(mod->module_core)
+ /* struct module *module is now
+ freed */
+ chrdev_open()
+ spin_lock(cdev_lock)
+ cdev_get()
+ try_module_get()
+ module_is_live()
+ /* dereferences already
+ freed struct module* */
+
+Switch to devm_rtc_allocate_device/rtc_register_device to register the rtc
+as late as possible.
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-rk808.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/rtc/rtc-rk808.c
++++ b/drivers/rtc/rtc-rk808.c
+@@ -416,12 +416,11 @@ static int rk808_rtc_probe(struct platfo
+
+ device_init_wakeup(&pdev->dev, 1);
+
+- rk808_rtc->rtc = devm_rtc_device_register(&pdev->dev, "rk808-rtc",
+- &rk808_rtc_ops, THIS_MODULE);
+- if (IS_ERR(rk808_rtc->rtc)) {
+- ret = PTR_ERR(rk808_rtc->rtc);
+- return ret;
+- }
++ rk808_rtc->rtc = devm_rtc_allocate_device(&pdev->dev);
++ if (IS_ERR(rk808_rtc->rtc))
++ return PTR_ERR(rk808_rtc->rtc);
++
++ rk808_rtc->rtc->ops = &rk808_rtc_ops;
+
+ rk808_rtc->irq = platform_get_irq(pdev, 0);
+ if (rk808_rtc->irq < 0) {
+@@ -438,9 +437,10 @@ static int rk808_rtc_probe(struct platfo
+ if (ret) {
+ dev_err(&pdev->dev, "Failed to request alarm IRQ %d: %d\n",
+ rk808_rtc->irq, ret);
++ return ret;
+ }
+
+- return ret;
++ return rtc_register_device(rk808_rtc->rtc);
+ }
+
+ static struct platform_driver rk808_rtc_driver = {
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Mon, 12 Feb 2018 23:47:49 +0100
+Subject: rtc: rp5c01: fix possible race condition
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit bcdd559268039d8340d38fa58668393596e29fdc ]
+
+The probe function is not allowed to fail after registering the RTC because
+the following may happen:
+
+CPU0: CPU1:
+sys_load_module()
+ do_init_module()
+ do_one_initcall()
+ cmos_do_probe()
+ rtc_device_register()
+ __register_chrdev()
+ cdev->owner = struct module*
+ open("/dev/rtc0")
+ rtc_device_unregister()
+ module_put()
+ free_module()
+ module_free(mod->module_core)
+ /* struct module *module is now
+ freed */
+ chrdev_open()
+ spin_lock(cdev_lock)
+ cdev_get()
+ try_module_get()
+ module_is_live()
+ /* dereferences already
+ freed struct module* */
+
+Switch to devm_rtc_allocate_device/rtc_register_device to register the rtc
+as late as possible.
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-rp5c01.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/rtc-rp5c01.c
++++ b/drivers/rtc/rtc-rp5c01.c
+@@ -249,16 +249,24 @@ static int __init rp5c01_rtc_probe(struc
+
+ platform_set_drvdata(dev, priv);
+
+- rtc = devm_rtc_device_register(&dev->dev, "rtc-rp5c01", &rp5c01_rtc_ops,
+- THIS_MODULE);
++ rtc = devm_rtc_allocate_device(&dev->dev);
+ if (IS_ERR(rtc))
+ return PTR_ERR(rtc);
++
++ rtc->ops = &rp5c01_rtc_ops;
++
+ priv->rtc = rtc;
+
+ error = sysfs_create_bin_file(&dev->dev.kobj, &priv->nvram_attr);
+ if (error)
+ return error;
+
++ error = rtc_register_device(rtc);
++ if (error) {
++ sysfs_remove_bin_file(&dev->dev.kobj, &priv->nvram_attr);
++ return error;
++ }
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Bryan O'Donoghue <pure.logic@nexus-software.ie>
+Date: Wed, 28 Mar 2018 20:14:05 +0100
+Subject: rtc: snvs: Fix usage of snvs_rtc_enable
+
+From: Bryan O'Donoghue <pure.logic@nexus-software.ie>
+
+[ Upstream commit 1485991c024603b2fb4ae77beb7a0d741128a48e ]
+
+commit 179a502f8c46 ("rtc: snvs: add Freescale rtc-snvs driver") introduces
+the SNVS RTC driver with a function snvs_rtc_enable().
+
+snvs_rtc_enable() can return an error on the enable path however this
+driver does not currently trap that failure on the probe() path and
+consequently if enabling the RTC fails we encounter a later error spinning
+forever in rtc_write_sync_lp().
+
+[ 36.093481] [<c010d630>] (__irq_svc) from [<c0c2e9ec>] (_raw_spin_unlock_irqrestore+0x34/0x44)
+[ 36.102122] [<c0c2e9ec>] (_raw_spin_unlock_irqrestore) from [<c072e32c>] (regmap_read+0x4c/0x5c)
+[ 36.110938] [<c072e32c>] (regmap_read) from [<c085d0f4>] (rtc_write_sync_lp+0x6c/0x98)
+[ 36.118881] [<c085d0f4>] (rtc_write_sync_lp) from [<c085d160>] (snvs_rtc_alarm_irq_enable+0x40/0x4c)
+[ 36.128041] [<c085d160>] (snvs_rtc_alarm_irq_enable) from [<c08567b4>] (rtc_timer_do_work+0xd8/0x1a8)
+[ 36.137291] [<c08567b4>] (rtc_timer_do_work) from [<c01441b8>] (process_one_work+0x28c/0x76c)
+[ 36.145840] [<c01441b8>] (process_one_work) from [<c01446cc>] (worker_thread+0x34/0x58c)
+[ 36.153961] [<c01446cc>] (worker_thread) from [<c014aee4>] (kthread+0x138/0x150)
+[ 36.161388] [<c014aee4>] (kthread) from [<c0107e14>] (ret_from_fork+0x14/0x20)
+[ 36.168635] rcu_sched kthread starved for 2602 jiffies! g496 c495 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=0
+[ 36.178564] rcu_sched R running task 0 8 2 0x00000000
+[ 36.185664] [<c0c288b0>] (__schedule) from [<c0c29134>] (schedule+0x3c/0xa0)
+[ 36.192739] [<c0c29134>] (schedule) from [<c0c2db80>] (schedule_timeout+0x78/0x4e0)
+[ 36.200422] [<c0c2db80>] (schedule_timeout) from [<c01a7ab0>] (rcu_gp_kthread+0x648/0x1864)
+[ 36.208800] [<c01a7ab0>] (rcu_gp_kthread) from [<c014aee4>] (kthread+0x138/0x150)
+[ 36.216309] [<c014aee4>] (kthread) from [<c0107e14>] (ret_from_fork+0x14/0x20)
+
+This patch fixes by parsing the result of rtc_write_sync_lp() and
+propagating both in the probe and elsewhere. If the RTC doesn't start we
+don't proceed loading the driver and don't get into this loop mess later
+on.
+
+Fixes: 179a502f8c46 ("rtc: snvs: add Freescale rtc-snvs driver")
+Signed-off-by: Bryan O'Donoghue <pure.logic@nexus-software.ie>
+Acked-by: Shawn Guo <shawn.guo@linaro.org>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-snvs.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/rtc/rtc-snvs.c
++++ b/drivers/rtc/rtc-snvs.c
+@@ -132,20 +132,23 @@ static int snvs_rtc_set_time(struct devi
+ {
+ struct snvs_rtc_data *data = dev_get_drvdata(dev);
+ unsigned long time;
++ int ret;
+
+ rtc_tm_to_time(tm, &time);
+
+ /* Disable RTC first */
+- snvs_rtc_enable(data, false);
++ ret = snvs_rtc_enable(data, false);
++ if (ret)
++ return ret;
+
+ /* Write 32-bit time to 47-bit timer, leaving 15 LSBs blank */
+ regmap_write(data->regmap, data->offset + SNVS_LPSRTCLR, time << CNTR_TO_SECS_SH);
+ regmap_write(data->regmap, data->offset + SNVS_LPSRTCMR, time >> (32 - CNTR_TO_SECS_SH));
+
+ /* Enable RTC again */
+- snvs_rtc_enable(data, true);
++ ret = snvs_rtc_enable(data, true);
+
+- return 0;
++ return ret;
+ }
+
+ static int snvs_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
+@@ -288,7 +291,11 @@ static int snvs_rtc_probe(struct platfor
+ regmap_write(data->regmap, data->offset + SNVS_LPSR, 0xffffffff);
+
+ /* Enable RTC */
+- snvs_rtc_enable(data, true);
++ ret = snvs_rtc_enable(data, true);
++ if (ret) {
++ dev_err(&pdev->dev, "failed to enable rtc %d\n", ret);
++ goto error_rtc_device_register;
++ }
+
+ device_init_wakeup(&pdev->dev, true);
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 15 Feb 2018 19:36:14 +0000
+Subject: rtc: tx4939: avoid unintended sign extension on a 24 bit shift
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 347876ad47b9923ce26e686173bbf46581802ffa ]
+
+The shifting of buf[5] by 24 bits to the left will be promoted to
+a 32 bit signed int and then sign-extended to an unsigned long. If
+the top bit of buf[5] is set then all then all the upper bits sec
+end up as also being set because of the sign-extension. Fix this by
+casting buf[5] to an unsigned long before the shift.
+
+Detected by CoverityScan, CID#1465292 ("Unintended sign extension")
+
+Fixes: 0e1492330cd2 ("rtc: add rtc-tx4939 driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-tx4939.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/rtc-tx4939.c
++++ b/drivers/rtc/rtc-tx4939.c
+@@ -86,7 +86,8 @@ static int tx4939_rtc_read_time(struct d
+ for (i = 2; i < 6; i++)
+ buf[i] = __raw_readl(&rtcreg->dat);
+ spin_unlock_irq(&pdata->lock);
+- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2];
++ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) |
++ (buf[3] << 8) | buf[2];
+ rtc_time_to_tm(sec, tm);
+ return rtc_valid_tm(tm);
+ }
+@@ -147,7 +148,8 @@ static int tx4939_rtc_read_alarm(struct
+ alrm->enabled = (ctl & TX4939_RTCCTL_ALME) ? 1 : 0;
+ alrm->pending = (ctl & TX4939_RTCCTL_ALMD) ? 1 : 0;
+ spin_unlock_irq(&pdata->lock);
+- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2];
++ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) |
++ (buf[3] << 8) | buf[2];
+ rtc_time_to_tm(sec, &alrm->time);
+ return rtc_valid_tm(&alrm->time);
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 30 Mar 2018 21:04:44 +0100
+Subject: rxrpc: Don't treat call aborts as conn aborts
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 57b0c9d49b94bbeb53649b7fbd264603c1ebd585 ]
+
+If a call-level abort is received for the previous call to complete on a
+connection channel, then that abort is queued for the connection processor
+to handle. Unfortunately, the connection processor then assumes without
+checking that the abort is connection-level (ie. callNumber is 0) and
+distributes it over all active calls on that connection, thereby
+incorrectly aborting them.
+
+Fix this by discarding aborts aimed at a completed call.
+
+Further, discard all packets aimed at a call that's complete if there's
+currently an active call on a channel, since the DATA packets associated
+with the new call automatically terminate the old call.
+
+Fixes: 18bfeba50dfd ("rxrpc: Perform terminal call ACK/ABORT retransmission from conn processor")
+Reported-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/input.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -1240,16 +1240,19 @@ void rxrpc_data_ready(struct sock *udp_s
+ goto discard_unlock;
+
+ if (sp->hdr.callNumber == chan->last_call) {
+- /* For the previous service call, if completed successfully, we
+- * discard all further packets.
++ if (chan->call ||
++ sp->hdr.type == RXRPC_PACKET_TYPE_ABORT)
++ goto discard_unlock;
++
++ /* For the previous service call, if completed
++ * successfully, we discard all further packets.
+ */
+ if (rxrpc_conn_is_service(conn) &&
+- (chan->last_type == RXRPC_PACKET_TYPE_ACK ||
+- sp->hdr.type == RXRPC_PACKET_TYPE_ABORT))
++ chan->last_type == RXRPC_PACKET_TYPE_ACK)
+ goto discard_unlock;
+
+- /* But otherwise we need to retransmit the final packet from
+- * data cached in the connection record.
++ /* But otherwise we need to retransmit the final packet
++ * from data cached in the connection record.
+ */
+ rxrpc_post_packet_to_conn(conn, skb);
+ goto out_unlock;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Marc Dionne <marc.dionne@auristor.com>
+Date: Fri, 30 Mar 2018 21:04:44 +0100
+Subject: rxrpc: Fix resend event time calculation
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+[ Upstream commit 59299aa1028fce051adbd25aaff7c387b865cd6d ]
+
+Commit a158bdd3 ("rxrpc: Fix call timeouts") reworked the time calculation
+for the next resend event. For this calculation, "oldest" will be before
+"now", so ktime_sub(oldest, now) will yield a negative value. When passed
+to nsecs_to_jiffies which expects an unsigned value, the end result will be
+a very large value, and a resend event scheduled far into the future. This
+could cause calls to stall if some packets were lost.
+
+Fix by ordering the arguments to ktime_sub correctly.
+
+Fixes: a158bdd3247b ("rxrpc: Fix call timeouts")
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/call_event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/rxrpc/call_event.c
++++ b/net/rxrpc/call_event.c
+@@ -225,7 +225,7 @@ static void rxrpc_resend(struct rxrpc_ca
+ ktime_to_ns(ktime_sub(skb->tstamp, max_age)));
+ }
+
+- resend_at = nsecs_to_jiffies(ktime_to_ns(ktime_sub(oldest, now)));
++ resend_at = nsecs_to_jiffies(ktime_to_ns(ktime_sub(now, oldest)));
+ resend_at += jiffies + rxrpc_resend_timeout;
+ WRITE_ONCE(call->resend_at, resend_at);
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 30 Mar 2018 21:04:43 +0100
+Subject: rxrpc: Fix Tx ring annotation after initial Tx failure
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 03877bf6a30cca7d4bc3ffabd3c3e9464a7a1a19 ]
+
+rxrpc calls have a ring of packets that are awaiting ACK or retransmission
+and a parallel ring of annotations that tracks the state of those packets.
+If the initial transmission of a packet on the underlying UDP socket fails
+then the packet annotation is marked for resend - but the setting of this
+mark accidentally erases the last-packet mark also stored in the same
+annotation slot. If this happens, a call won't switch out of the Tx phase
+when all the packets have been transmitted.
+
+Fix this by retaining the last-packet mark and only altering the packet
+state.
+
+Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/sendmsg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/rxrpc/sendmsg.c
++++ b/net/rxrpc/sendmsg.c
+@@ -130,7 +130,9 @@ static inline void rxrpc_instant_resend(
+ spin_lock_bh(&call->lock);
+
+ if (call->state < RXRPC_CALL_COMPLETE) {
+- call->rxtx_annotations[ix] = RXRPC_TX_ANNO_RETRANS;
++ call->rxtx_annotations[ix] =
++ (call->rxtx_annotations[ix] & RXRPC_TX_ANNO_LAST) |
++ RXRPC_TX_ANNO_RETRANS;
+ if (!test_and_set_bit(RXRPC_CALL_EV_RESEND, &call->events))
+ rxrpc_queue_call(call);
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Davidlohr Bueso <dave@stgolabs.net>
+Date: Mon, 2 Apr 2018 09:49:54 -0700
+Subject: sched/rt: Fix rq->clock_update_flags < RQCF_ACT_SKIP warning
+
+From: Davidlohr Bueso <dave@stgolabs.net>
+
+[ Upstream commit d29a20645d5e929aa7e8616f28e5d8e1c49263ec ]
+
+While running rt-tests' pi_stress program I got the following splat:
+
+ rq->clock_update_flags < RQCF_ACT_SKIP
+ WARNING: CPU: 27 PID: 0 at kernel/sched/sched.h:960 assert_clock_updated.isra.38.part.39+0x13/0x20
+
+ [...]
+
+ <IRQ>
+ enqueue_top_rt_rq+0xf4/0x150
+ ? cpufreq_dbs_governor_start+0x170/0x170
+ sched_rt_rq_enqueue+0x65/0x80
+ sched_rt_period_timer+0x156/0x360
+ ? sched_rt_rq_enqueue+0x80/0x80
+ __hrtimer_run_queues+0xfa/0x260
+ hrtimer_interrupt+0xcb/0x220
+ smp_apic_timer_interrupt+0x62/0x120
+ apic_timer_interrupt+0xf/0x20
+ </IRQ>
+
+ [...]
+
+ do_idle+0x183/0x1e0
+ cpu_startup_entry+0x5f/0x70
+ start_secondary+0x192/0x1d0
+ secondary_startup_64+0xa5/0xb0
+
+We can get rid of it be the "traditional" means of adding an
+update_rq_clock() call after acquiring the rq->lock in
+do_sched_rt_period_timer().
+
+The case for the RT task throttling (which this workload also hits)
+can be ignored in that the skip_update call is actually bogus and
+quite the contrary (the request bits are removed/reverted).
+
+By setting RQCF_UPDATED we really don't care if the skip is happening
+or not and will therefore make the assert_clock_updated() check happy.
+
+Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
+Reviewed-by: Matt Fleming <matt@codeblueprint.co.uk>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: dave@stgolabs.net
+Cc: linux-kernel@vger.kernel.org
+Cc: rostedt@goodmis.org
+Link: http://lkml.kernel.org/r/20180402164954.16255-1-dave@stgolabs.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/rt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -843,6 +843,8 @@ static int do_sched_rt_period_timer(stru
+ continue;
+
+ raw_spin_lock(&rq->lock);
++ update_rq_clock(rq);
++
+ if (rt_rq->rt_time) {
+ u64 runtime;
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Dave Carroll <david.carroll@microsemi.com>
+Date: Tue, 3 Apr 2018 15:50:42 -0600
+Subject: scsi: aacraid: Insure command thread is not recursively stopped
+
+From: Dave Carroll <david.carroll@microsemi.com>
+
+[ Upstream commit 1c6b41fb92936fa5facea464d5d7cbf855966d04 ]
+
+If a recursive IOP_RESET is invoked, usually due to the eh_thread
+handling errors after the first reset, be sure we flag that the command
+thread has been stopped to avoid an Oops of the form;
+
+ [ 336.620256] CPU: 28 PID: 1193 Comm: scsi_eh_0 Kdump: loaded Not tainted 4.14.0-49.el7a.ppc64le #1
+ [ 336.620297] task: c000003fd630b800 task.stack: c000003fd61a4000
+ [ 336.620326] NIP: c000000000176794 LR: c00000000013038c CTR: c00000000024bc10
+ [ 336.620361] REGS: c000003fd61a7720 TRAP: 0300 Not tainted (4.14.0-49.el7a.ppc64le)
+ [ 336.620395] MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 22084022 XER: 20040000
+ [ 336.620435] CFAR: c000000000130388 DAR: 0000000000000000 DSISR: 40000000 SOFTE: 1
+ [ 336.620435] GPR00: c00000000013038c c000003fd61a79a0 c0000000014c7e00 0000000000000000
+ [ 336.620435] GPR04: 000000000000000c 000000000000000c 9000000000009033 0000000000000477
+ [ 336.620435] GPR08: 0000000000000477 0000000000000000 0000000000000000 c008000010f7d940
+ [ 336.620435] GPR12: c00000000024bc10 c000000007a33400 c0000000001708a8 c000003fe3b881d8
+ [ 336.620435] GPR16: c000003fe3b88060 c000003fd61a7d10 fffffffffffff000 000000000000001e
+ [ 336.620435] GPR20: 0000000000000001 c000000000ebf1a0 0000000000000001 c000003fe3b88000
+ [ 336.620435] GPR24: 0000000000000003 0000000000000002 c000003fe3b88840 c000003fe3b887e8
+ [ 336.620435] GPR28: c000003fe3b88000 c000003fc8181788 0000000000000000 c000003fc8181700
+ [ 336.620750] NIP [c000000000176794] exit_creds+0x34/0x160
+ [ 336.620775] LR [c00000000013038c] __put_task_struct+0x8c/0x1f0
+ [ 336.620804] Call Trace:
+ [ 336.620817] [c000003fd61a79a0] [c000003fe3b88000] 0xc000003fe3b88000 (unreliable)
+ [ 336.620853] [c000003fd61a79d0] [c00000000013038c] __put_task_struct+0x8c/0x1f0
+ [ 336.620889] [c000003fd61a7a00] [c000000000171418] kthread_stop+0x1e8/0x1f0
+ [ 336.620922] [c000003fd61a7a40] [c008000010f7448c] aac_reset_adapter+0x14c/0x8d0 [aacraid]
+ [ 336.620959] [c000003fd61a7b00] [c008000010f60174] aac_eh_host_reset+0x84/0x100 [aacraid]
+ [ 336.621010] [c000003fd61a7b30] [c000000000864f24] scsi_try_host_reset+0x74/0x180
+ [ 336.621046] [c000003fd61a7bb0] [c000000000867ac0] scsi_eh_ready_devs+0xc00/0x14d0
+ [ 336.625165] [c000003fd61a7ca0] [c0000000008699e0] scsi_error_handler+0x550/0x730
+ [ 336.632101] [c000003fd61a7dc0] [c000000000170a08] kthread+0x168/0x1b0
+ [ 336.639031] [c000003fd61a7e30] [c00000000000b528] ret_from_kernel_thread+0x5c/0xb4
+ [ 336.645971] Instruction dump:
+ [ 336.648743] 384216a0 7c0802a6 fbe1fff8 f8010010 f821ffd1 7c7f1b78 60000000 60000000
+ [ 336.657056] 39400000 e87f0838 f95f0838 7c0004ac <7d401828> 314affff 7d40192d 40c2fff4
+ [ 336.663997] -[ end trace 4640cf8d4945ad95 ]-
+
+So flag when the thread is stopped by setting the thread pointer to NULL.
+
+Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
+Reviewed-by: Raghava Aditya Renukunta <raghavaaditya.renukunta@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/aacraid/commsup.c | 4 +++-
+ drivers/scsi/aacraid/linit.c | 1 +
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/aacraid/commsup.c
++++ b/drivers/scsi/aacraid/commsup.c
+@@ -1502,9 +1502,10 @@ static int _aac_reset_adapter(struct aac
+ host = aac->scsi_host_ptr;
+ scsi_block_requests(host);
+ aac_adapter_disable_int(aac);
+- if (aac->thread->pid != current->pid) {
++ if (aac->thread && aac->thread->pid != current->pid) {
+ spin_unlock_irq(host->host_lock);
+ kthread_stop(aac->thread);
++ aac->thread = NULL;
+ jafo = 1;
+ }
+
+@@ -1591,6 +1592,7 @@ static int _aac_reset_adapter(struct aac
+ aac->name);
+ if (IS_ERR(aac->thread)) {
+ retval = PTR_ERR(aac->thread);
++ aac->thread = NULL;
+ goto out;
+ }
+ }
+--- a/drivers/scsi/aacraid/linit.c
++++ b/drivers/scsi/aacraid/linit.c
+@@ -1562,6 +1562,7 @@ static void __aac_shutdown(struct aac_de
+ up(&fib->event_wait);
+ }
+ kthread_stop(aac->thread);
++ aac->thread = NULL;
+ }
+
+ aac_send_shutdown(aac);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Douglas Gilbert <dgilbert@interlog.com>
+Date: Tue, 6 Mar 2018 22:19:49 -0500
+Subject: scsi: core: Make SCSI Status CONDITION MET equivalent to GOOD
+
+From: Douglas Gilbert <dgilbert@interlog.com>
+
+[ Upstream commit 1875ede02ed5e176a18dccbca84abc28d5b3e141 ]
+
+The SCSI PRE-FETCH (10 or 16) command is present both on hard disks
+and some SSDs. It is useful when the address of the next block(s) to
+be read is known but it is not following the LBA of the current READ
+(so read-ahead won't help). It returns two "good" SCSI Status values.
+If the requested blocks have fitted (or will most likely fit (when
+the IMMED bit is set)) into the disk's cache, it returns CONDITION
+MET. If it didn't (or will not) fit then it returns GOOD status.
+
+The goal of this patch is to stop the SCSI subsystem treating the
+CONDITION MET SCSI status as an error. The current state makes the
+PRE-FETCH command effectively unusable via pass-throughs.
+
+Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_lib.c | 11 +++++++++++
+ include/scsi/scsi.h | 2 ++
+ 2 files changed, 13 insertions(+)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -856,6 +856,17 @@ void scsi_io_completion(struct scsi_cmnd
+ /* for passthrough error may be set */
+ error = BLK_STS_OK;
+ }
++ /*
++ * Another corner case: the SCSI status byte is non-zero but 'good'.
++ * Example: PRE-FETCH command returns SAM_STAT_CONDITION_MET when
++ * it is able to fit nominated LBs in its cache (and SAM_STAT_GOOD
++ * if it can't fit). Treat SAM_STAT_CONDITION_MET and the related
++ * intermediate statuses (both obsolete in SAM-4) as good.
++ */
++ if (status_byte(result) && scsi_status_is_good(result)) {
++ result = 0;
++ error = BLK_STS_OK;
++ }
+
+ /*
+ * special case: failed zero length commands always need to
+--- a/include/scsi/scsi.h
++++ b/include/scsi/scsi.h
+@@ -47,6 +47,8 @@ static inline int scsi_status_is_good(in
+ */
+ status &= 0xfe;
+ return ((status == SAM_STAT_GOOD) ||
++ (status == SAM_STAT_CONDITION_MET) ||
++ /* Next two "intermediate" statuses are obsolete in SAM-4 */
+ (status == SAM_STAT_INTERMEDIATE) ||
+ (status == SAM_STAT_INTERMEDIATE_CONDITION_MET) ||
+ /* FIXME: this is obsolete in SAM-3 */
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Xose Vazquez Perez <xose.vazquez@gmail.com>
+Date: Thu, 15 Mar 2018 18:32:01 +0100
+Subject: scsi: devinfo: add HP DISK-SUBSYSTEM device, for HP XP arrays
+
+From: Xose Vazquez Perez <xose.vazquez@gmail.com>
+
+[ Upstream commit 5f96f42b76e00e2871033745ff029056cc725c76 ]
+
+"The DISK-SUBSYSTEM is a special model name returned when LUs
+are not installed. For example, when LU#0 is not installed in "OPEN-"
+models, LU#0 is detected as the DISK-SUBSYSTEM model":
+https://marc.info/?l=linux-scsi&m=125424006417825
+
+It's missing for HP XP rebranded arrays, "HP"/"OPEN-".
+Only the HITACHI one is present:
+13f7e5acc8b329080672c13f05f252ace5b79825
+627511e3e67553b04f6917c03e39b797df210e04
+
+Cc: Anthony Cheung <anthony.cheung@hpe.com>
+Cc: Takahiro Yasui <takahiro.yasui@hitachivantara.com>
+Cc: Matthias Rudolph <Matthias.Rudolph@hitachivantara.com>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
+Cc: SCSI ML <linux-scsi@vger.kernel.org>
+Signed-off-by: Xose Vazquez Perez <xose.vazquez@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_devinfo.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/scsi_devinfo.c
++++ b/drivers/scsi/scsi_devinfo.c
+@@ -189,6 +189,7 @@ static struct {
+ {"HP", "C5713A", NULL, BLIST_NOREPORTLUN},
+ {"HP", "DF400", "*", BLIST_REPORTLUN2},
+ {"HP", "DF500", "*", BLIST_REPORTLUN2},
++ {"HP", "DISK-SUBSYSTEM", "*", BLIST_REPORTLUN2},
+ {"HP", "OP-C-", "*", BLIST_SPARSELUN | BLIST_LARGELUN},
+ {"HP", "3380-", "*", BLIST_SPARSELUN | BLIST_LARGELUN},
+ {"HP", "3390-", "*", BLIST_SPARSELUN | BLIST_LARGELUN},
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 30 Jan 2018 15:58:45 -0800
+Subject: scsi: lpfc: Fix frequency of Release WQE CQEs
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 04673e38f56b30cd39b1fa0f386137d818b17781 ]
+
+The driver controls when the hardware sends completions that communicate
+consumption of elements from the WQ. This is done by setting a WQEC bit
+on a WQE.
+
+The current driver sets it on every Nth WQE posting. However, the driver
+isn't clearing the bit if the WQE is reused. Thus, if the queue depth
+isn't evenly divisible by N, with enough time, it can be set on every
+element, creating a lot of overhead and risking CQ full conditions.
+
+Correct by clearing the bit when not setting it on an Nth element.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -129,6 +129,8 @@ lpfc_sli4_wq_put(struct lpfc_queue *q, u
+ /* set consumption flag every once in a while */
+ if (!((q->host_index + 1) % q->entry_repost))
+ bf_set(wqe_wqec, &wqe->generic.wqe_com, 1);
++ else
++ bf_set(wqe_wqec, &wqe->generic.wqe_com, 0);
+ if (q->phba->sli3_options & LPFC_SLI4_PHWQ_ENABLED)
+ bf_set(wqe_wqid, &wqe->generic.wqe_com, q->queue_id);
+ lpfc_sli_pcimem_bcopy(wqe, temp_wqe, q->entry_size);
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 30 Jan 2018 15:58:51 -0800
+Subject: scsi: lpfc: Fix IO failure during hba reset testing with nvme io.
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 91455b850956bc13708a074bd1400f54aae74890 ]
+
+A stress test repeatedly resetting the adapter while performing io would
+eventually report I/O failures and missing nvme namespaces.
+
+The driver was setting the nvmefc_fcp_req->private pointer to NULL
+during the IO completion routine before upcalling done(). If the
+transport was also running an abort for that IO, the driver would fail
+the abort with message 6140. Failing the abort is not allowed by the
+nvme-fc transport, as it mandates that the io must be returned back to
+the transport. As that does not happen, the transport controller delete
+has an outstanding reference and can't complete teardown.
+
+The NULL-ing of the private pointer should be done only when the io is
+considered complete. It's complete when the adapter returns the exchange
+with the "exchange busy" flag clear.
+
+Move the NULL'ing of the structure to the done case. This leaves the io
+contexts set while it is busy and until the subsequent XRI_ABORTED
+completion which returns the exchange is received.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_nvme.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_nvme.c
++++ b/drivers/scsi/lpfc/lpfc_nvme.c
+@@ -982,14 +982,14 @@ out_err:
+ phba->cpucheck_cmpl_io[lpfc_ncmd->cpu]++;
+ }
+ #endif
+- freqpriv = nCmd->private;
+- freqpriv->nvme_buf = NULL;
+
+ /* NVME targets need completion held off until the abort exchange
+ * completes unless the NVME Rport is getting unregistered.
+ */
+
+ if (!(lpfc_ncmd->flags & LPFC_SBUF_XBUSY)) {
++ freqpriv = nCmd->private;
++ freqpriv->nvme_buf = NULL;
+ nCmd->done(nCmd);
+ lpfc_ncmd->nvmeCmd = NULL;
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 30 Jan 2018 15:58:55 -0800
+Subject: scsi: lpfc: Fix issue_lip if link is disabled
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 2289e9598dde9705400559ca2606fb8c145c34f0 ]
+
+The driver ignored checks on whether the link should be kept
+administratively down after a link bounce. Correct the checks.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_attr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/scsi/lpfc/lpfc_attr.c
++++ b/drivers/scsi/lpfc/lpfc_attr.c
+@@ -905,7 +905,12 @@ lpfc_issue_lip(struct Scsi_Host *shost)
+ LPFC_MBOXQ_t *pmboxq;
+ int mbxstatus = MBXERR_ERROR;
+
++ /*
++ * If the link is offline, disabled or BLOCK_MGMT_IO
++ * it doesn't make any sense to allow issue_lip
++ */
+ if ((vport->fc_flag & FC_OFFLINE_MODE) ||
++ (phba->hba_flag & LINK_DISABLED) ||
+ (phba->sli.sli_flag & LPFC_BLOCK_MGMT_IO))
+ return -EPERM;
+
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 30 Jan 2018 15:59:01 -0800
+Subject: scsi: lpfc: Fix nonrecovery of NVME controller after cable swap.
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 815a9c437617e221842d12b3366ff6911b3df628 ]
+
+In a test that is doing large numbers of cable swaps on the target, the
+nvme controllers wouldn't reconnect.
+
+During the cable swaps, the targets n_port_id would change. This
+information was passed to the nvme-fc transport, in the new remoteport
+registration. However, the nvme-fc transport didn't update the n_port_id
+value in the remoteport struct when it reused an existing structure.
+Later, when a new association was attempted on the remoteport, the
+driver's NVME LS routine would use the stale n_port_id from the
+remoteport struct to address the LS. As the device is no longer at that
+address, the LS would go into never never land.
+
+Separately, the nvme-fc transport will be corrected to update the
+n_port_id value on a re-registration.
+
+However, for now, there's no reason to use the transports values. The
+private pointer points to the drivers node structure and the node
+structure is up to date. Therefore, revise the LS routine to use the
+drivers data structures for the LS. Augmented the debug message for
+better debugging in the future.
+
+Also removed a duplicate if check that seems to have slipped in.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_nvme.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_nvme.c
++++ b/drivers/scsi/lpfc/lpfc_nvme.c
+@@ -241,10 +241,11 @@ lpfc_nvme_cmpl_gen_req(struct lpfc_hba *
+ ndlp = (struct lpfc_nodelist *)cmdwqe->context1;
+ lpfc_printf_vlog(vport, KERN_INFO, LOG_NVME_DISC,
+ "6047 nvme cmpl Enter "
+- "Data %p DID %x Xri: %x status %x cmd:%p lsreg:%p "
+- "bmp:%p ndlp:%p\n",
++ "Data %p DID %x Xri: %x status %x reason x%x cmd:%p "
++ "lsreg:%p bmp:%p ndlp:%p\n",
+ pnvme_lsreq, ndlp ? ndlp->nlp_DID : 0,
+ cmdwqe->sli4_xritag, status,
++ (wcqe->parameter & 0xffff),
+ cmdwqe, pnvme_lsreq, cmdwqe->context3, ndlp);
+
+ lpfc_nvmeio_data(phba, "NVME LS CMPL: xri x%x stat x%x parm x%x\n",
+@@ -419,6 +420,7 @@ lpfc_nvme_ls_req(struct nvme_fc_local_po
+ {
+ int ret = 0;
+ struct lpfc_nvme_lport *lport;
++ struct lpfc_nvme_rport *rport;
+ struct lpfc_vport *vport;
+ struct lpfc_nodelist *ndlp;
+ struct ulp_bde64 *bpl;
+@@ -437,19 +439,18 @@ lpfc_nvme_ls_req(struct nvme_fc_local_po
+ */
+
+ lport = (struct lpfc_nvme_lport *)pnvme_lport->private;
++ rport = (struct lpfc_nvme_rport *)pnvme_rport->private;
+ vport = lport->vport;
+
+ if (vport->load_flag & FC_UNLOADING)
+ return -ENODEV;
+
+- if (vport->load_flag & FC_UNLOADING)
+- return -ENODEV;
+-
+- ndlp = lpfc_findnode_did(vport, pnvme_rport->port_id);
++ /* Need the ndlp. It is stored in the driver's rport. */
++ ndlp = rport->ndlp;
+ if (!ndlp || !NLP_CHK_NODE_ACT(ndlp)) {
+ lpfc_printf_vlog(vport, KERN_ERR, LOG_NODE | LOG_NVME_IOERR,
+- "6051 DID x%06x not an active rport.\n",
+- pnvme_rport->port_id);
++ "6051 Remoteport %p, rport has invalid ndlp. "
++ "Failing LS Req\n", pnvme_rport);
+ return -ENODEV;
+ }
+
+@@ -500,8 +501,9 @@ lpfc_nvme_ls_req(struct nvme_fc_local_po
+
+ /* Expand print to include key fields. */
+ lpfc_printf_vlog(vport, KERN_INFO, LOG_NVME_DISC,
+- "6149 ENTER. lport %p, rport %p lsreq%p rqstlen:%d "
+- "rsplen:%d %pad %pad\n",
++ "6149 Issue LS Req to DID 0x%06x lport %p, rport %p "
++ "lsreq%p rqstlen:%d rsplen:%d %pad %pad\n",
++ ndlp->nlp_DID,
+ pnvme_lport, pnvme_rport,
+ pnvme_lsreq, pnvme_lsreq->rqstlen,
+ pnvme_lsreq->rsplen, &pnvme_lsreq->rqstdma,
+@@ -517,7 +519,7 @@ lpfc_nvme_ls_req(struct nvme_fc_local_po
+ ndlp, 2, 30, 0);
+ if (ret != WQE_SUCCESS) {
+ atomic_inc(&lport->xmt_ls_err);
+- lpfc_printf_vlog(vport, KERN_INFO, LOG_NVME_DISC,
++ lpfc_printf_vlog(vport, KERN_ERR, LOG_NVME_DISC,
+ "6052 EXIT. issue ls wqe failed lport %p, "
+ "rport %p lsreq%p Status %x DID %x\n",
+ pnvme_lport, pnvme_rport, pnvme_lsreq,
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Mon, 5 Mar 2018 12:04:02 -0800
+Subject: scsi: lpfc: Fix NVME Initiator FirstBurst
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 0709263abe0de70a798dcdf481d5dd489ca4752e ]
+
+First Burst support was not properly indicated in NVMe PRLI.
+
+Correct the bit position and the logic to check and set first burst support.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 15 ++++++++++++++-
+ drivers/scsi/lpfc/lpfc_nvme.h | 2 ++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -1998,8 +1998,14 @@ lpfc_cmpl_prli_prli_issue(struct lpfc_vp
+ ndlp->nlp_type |= NLP_NVME_TARGET;
+ if (bf_get_be32(prli_disc, nvpr))
+ ndlp->nlp_type |= NLP_NVME_DISCOVERY;
++
++ /*
++ * If prli_fba is set, the Target supports FirstBurst.
++ * If prli_fb_sz is 0, the FirstBurst size is unlimited,
++ * otherwise it defines the actual size supported by
++ * the NVME Target.
++ */
+ if ((bf_get_be32(prli_fba, nvpr) == 1) &&
+- (bf_get_be32(prli_fb_sz, nvpr) > 0) &&
+ (phba->cfg_nvme_enable_fb) &&
+ (!phba->nvmet_support)) {
+ /* Both sides support FB. The target's first
+@@ -2008,6 +2014,13 @@ lpfc_cmpl_prli_prli_issue(struct lpfc_vp
+ ndlp->nlp_flag |= NLP_FIRSTBURST;
+ ndlp->nvme_fb_size = bf_get_be32(prli_fb_sz,
+ nvpr);
++
++ /* Expressed in units of 512 bytes */
++ if (ndlp->nvme_fb_size)
++ ndlp->nvme_fb_size <<=
++ LPFC_NVME_FB_SHIFT;
++ else
++ ndlp->nvme_fb_size = LPFC_NVME_MAX_FB;
+ }
+ }
+
+--- a/drivers/scsi/lpfc/lpfc_nvme.h
++++ b/drivers/scsi/lpfc/lpfc_nvme.h
+@@ -27,6 +27,8 @@
+
+ #define LPFC_NVME_WAIT_TMO 10
+ #define LPFC_NVME_EXPEDITE_XRICNT 8
++#define LPFC_NVME_FB_SHIFT 9
++#define LPFC_NVME_MAX_FB (1 << 20) /* 1M */
+
+ struct lpfc_nvme_qhandle {
+ uint32_t index; /* WQ index to use */
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 30 Jan 2018 15:58:54 -0800
+Subject: scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 161df4f09987ae2e9f0f97f0b38eee298b4a39ff ]
+
+During link bounce testing in a point-to-point topology, the host may
+enter a soft lockup on the lpfc_worker thread:
+
+ Call Trace:
+ lpfc_work_done+0x1f3/0x1390 [lpfc]
+ lpfc_do_work+0x16f/0x180 [lpfc]
+ kthread+0xc7/0xe0
+ ret_from_fork+0x3f/0x70
+
+The driver was simultaneously setting a combination of flags that caused
+lpfc_do_work()to effectively spin between slow path work and new event
+data, causing the lockup.
+
+Ensure in the typical wq completions, that new event data flags are set
+if the slow path flag is running. The slow path will eventually
+reschedule the wq handling.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -696,8 +696,9 @@ lpfc_work_done(struct lpfc_hba *phba)
+ phba->hba_flag & HBA_SP_QUEUE_EVT)) {
+ if (pring->flag & LPFC_STOP_IOCB_EVENT) {
+ pring->flag |= LPFC_DEFERRED_RING_EVENT;
+- /* Set the lpfc data pending flag */
+- set_bit(LPFC_DATA_READY, &phba->data_flags);
++ /* Preserve legacy behavior. */
++ if (!(phba->hba_flag & HBA_SP_QUEUE_EVT))
++ set_bit(LPFC_DATA_READY, &phba->data_flags);
+ } else {
+ if (phba->link_state >= LPFC_LINK_UP ||
+ phba->link_flag & LS_MDS_LOOPBACK) {
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Wilfried Weissmann <wilfried.weissmann@gmx.at>
+Date: Fri, 23 Feb 2018 20:52:34 +0100
+Subject: scsi: mvsas: fix wrong endianness of sgpio api
+
+From: Wilfried Weissmann <wilfried.weissmann@gmx.at>
+
+[ Upstream commit e75fba9c0668b3767f608ea07485f48d33c270cf ]
+
+This patch fixes the byte order of the SGPIO api and brings it back in
+sync with ledmon v0.80 and above.
+
+[mkp: added missing SoB and fixed whitespace]
+
+Signed-off-by: Wilfried Weissmann <wilfried.weissmann@gmx.at>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mvsas/mv_94xx.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/drivers/scsi/mvsas/mv_94xx.c
++++ b/drivers/scsi/mvsas/mv_94xx.c
+@@ -1080,16 +1080,16 @@ static int mvs_94xx_gpio_write(struct mv
+ void __iomem *regs = mvi->regs_ex - 0x10200;
+
+ int drive = (i/3) & (4-1); /* drive number on host */
+- u32 block = mr32(MVS_SGPIO_DCTRL +
++ int driveshift = drive * 8; /* bit offset of drive */
++ u32 block = ioread32be(regs + MVS_SGPIO_DCTRL +
+ MVS_SGPIO_HOST_OFFSET * mvi->id);
+
+-
+ /*
+ * if bit is set then create a mask with the first
+ * bit of the drive set in the mask ...
+ */
+- u32 bit = (write_data[i/8] & (1 << (i&(8-1)))) ?
+- 1<<(24-drive*8) : 0;
++ u32 bit = get_unaligned_be32(write_data) & (1 << i) ?
++ 1 << driveshift : 0;
+
+ /*
+ * ... and then shift it to the right position based
+@@ -1098,26 +1098,27 @@ static int mvs_94xx_gpio_write(struct mv
+ switch (i%3) {
+ case 0: /* activity */
+ block &= ~((0x7 << MVS_SGPIO_DCTRL_ACT_SHIFT)
+- << (24-drive*8));
++ << driveshift);
+ /* hardwire activity bit to SOF */
+ block |= LED_BLINKA_SOF << (
+ MVS_SGPIO_DCTRL_ACT_SHIFT +
+- (24-drive*8));
++ driveshift);
+ break;
+ case 1: /* id */
+ block &= ~((0x3 << MVS_SGPIO_DCTRL_LOC_SHIFT)
+- << (24-drive*8));
++ << driveshift);
+ block |= bit << MVS_SGPIO_DCTRL_LOC_SHIFT;
+ break;
+ case 2: /* fail */
+ block &= ~((0x7 << MVS_SGPIO_DCTRL_ERR_SHIFT)
+- << (24-drive*8));
++ << driveshift);
+ block |= bit << MVS_SGPIO_DCTRL_ERR_SHIFT;
+ break;
+ }
+
+- mw32(MVS_SGPIO_DCTRL + MVS_SGPIO_HOST_OFFSET * mvi->id,
+- block);
++ iowrite32be(block,
++ regs + MVS_SGPIO_DCTRL +
++ MVS_SGPIO_HOST_OFFSET * mvi->id);
+
+ }
+
+@@ -1132,7 +1133,7 @@ static int mvs_94xx_gpio_write(struct mv
+ void __iomem *regs = mvi->regs_ex - 0x10200;
+
+ mw32(MVS_SGPIO_DCTRL + MVS_SGPIO_HOST_OFFSET * mvi->id,
+- be32_to_cpu(((u32 *) write_data)[i]));
++ ((u32 *) write_data)[i]);
+ }
+ return reg_count;
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: David Ahern <dsahern@gmail.com>
+Date: Tue, 13 Feb 2018 08:44:06 -0800
+Subject: selftests: Add FIB onlink tests
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit 153e1b84f477f716bc3f81e6cfae1a3d941fc7ec ]
+
+Add test cases verifying FIB onlink commands work as expected in
+various conditions - IPv4, IPv6, main table, and VRF.
+
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/fib-onlink-tests.sh | 375 ++++++++++++++++++++++++
+ 1 file changed, 375 insertions(+)
+ create mode 100755 tools/testing/selftests/net/fib-onlink-tests.sh
+
+--- /dev/null
++++ b/tools/testing/selftests/net/fib-onlink-tests.sh
+@@ -0,0 +1,375 @@
++#!/bin/bash
++# SPDX-License-Identifier: GPL-2.0
++
++# IPv4 and IPv6 onlink tests
++
++PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no}
++
++# Network interfaces
++# - odd in current namespace; even in peer ns
++declare -A NETIFS
++# default VRF
++NETIFS[p1]=veth1
++NETIFS[p2]=veth2
++NETIFS[p3]=veth3
++NETIFS[p4]=veth4
++# VRF
++NETIFS[p5]=veth5
++NETIFS[p6]=veth6
++NETIFS[p7]=veth7
++NETIFS[p8]=veth8
++
++# /24 network
++declare -A V4ADDRS
++V4ADDRS[p1]=169.254.1.1
++V4ADDRS[p2]=169.254.1.2
++V4ADDRS[p3]=169.254.3.1
++V4ADDRS[p4]=169.254.3.2
++V4ADDRS[p5]=169.254.5.1
++V4ADDRS[p6]=169.254.5.2
++V4ADDRS[p7]=169.254.7.1
++V4ADDRS[p8]=169.254.7.2
++
++# /64 network
++declare -A V6ADDRS
++V6ADDRS[p1]=2001:db8:101::1
++V6ADDRS[p2]=2001:db8:101::2
++V6ADDRS[p3]=2001:db8:301::1
++V6ADDRS[p4]=2001:db8:301::2
++V6ADDRS[p5]=2001:db8:501::1
++V6ADDRS[p6]=2001:db8:501::2
++V6ADDRS[p7]=2001:db8:701::1
++V6ADDRS[p8]=2001:db8:701::2
++
++# Test networks:
++# [1] = default table
++# [2] = VRF
++#
++# /32 host routes
++declare -A TEST_NET4
++TEST_NET4[1]=169.254.101
++TEST_NET4[2]=169.254.102
++# /128 host routes
++declare -A TEST_NET6
++TEST_NET6[1]=2001:db8:101
++TEST_NET6[2]=2001:db8:102
++
++# connected gateway
++CONGW[1]=169.254.1.254
++CONGW[2]=169.254.5.254
++
++# recursive gateway
++RECGW4[1]=169.254.11.254
++RECGW4[2]=169.254.12.254
++RECGW6[1]=2001:db8:11::64
++RECGW6[2]=2001:db8:12::64
++
++# for v4 mapped to v6
++declare -A TEST_NET4IN6IN6
++TEST_NET4IN6[1]=10.1.1.254
++TEST_NET4IN6[2]=10.2.1.254
++
++# mcast address
++MCAST6=ff02::1
++
++
++PEER_NS=bart
++PEER_CMD="ip netns exec ${PEER_NS}"
++VRF=lisa
++VRF_TABLE=1101
++PBR_TABLE=101
++
++################################################################################
++# utilities
++
++log_test()
++{
++ local rc=$1
++ local expected=$2
++ local msg="$3"
++
++ if [ ${rc} -eq ${expected} ]; then
++ nsuccess=$((nsuccess+1))
++ printf "\n TEST: %-50s [ OK ]\n" "${msg}"
++ else
++ nfail=$((nfail+1))
++ printf "\n TEST: %-50s [FAIL]\n" "${msg}"
++ if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
++ echo
++ echo "hit enter to continue, 'q' to quit"
++ read a
++ [ "$a" = "q" ] && exit 1
++ fi
++ fi
++}
++
++log_section()
++{
++ echo
++ echo "######################################################################"
++ echo "TEST SECTION: $*"
++ echo "######################################################################"
++}
++
++log_subsection()
++{
++ echo
++ echo "#########################################"
++ echo "TEST SUBSECTION: $*"
++}
++
++run_cmd()
++{
++ echo
++ echo "COMMAND: $*"
++ eval $*
++}
++
++get_linklocal()
++{
++ local dev=$1
++ local pfx
++ local addr
++
++ addr=$(${pfx} ip -6 -br addr show dev ${dev} | \
++ awk '{
++ for (i = 3; i <= NF; ++i) {
++ if ($i ~ /^fe80/)
++ print $i
++ }
++ }'
++ )
++ addr=${addr/\/*}
++
++ [ -z "$addr" ] && return 1
++
++ echo $addr
++
++ return 0
++}
++
++################################################################################
++#
++
++setup()
++{
++ echo
++ echo "########################################"
++ echo "Configuring interfaces"
++
++ set -e
++
++ # create namespace
++ ip netns add ${PEER_NS}
++ ip -netns ${PEER_NS} li set lo up
++
++ # add vrf table
++ ip li add ${VRF} type vrf table ${VRF_TABLE}
++ ip li set ${VRF} up
++ ip ro add table ${VRF_TABLE} unreachable default
++ ip -6 ro add table ${VRF_TABLE} unreachable default
++
++ # create test interfaces
++ ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
++ ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]}
++ ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]}
++ ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]}
++
++ # enslave vrf interfaces
++ for n in 5 7; do
++ ip li set ${NETIFS[p${n}]} vrf ${VRF}
++ done
++
++ # add addresses
++ for n in 1 3 5 7; do
++ ip li set ${NETIFS[p${n}]} up
++ ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
++ ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]}
++ done
++
++ # move peer interfaces to namespace and add addresses
++ for n in 2 4 6 8; do
++ ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up
++ ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
++ ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]}
++ done
++
++ set +e
++
++ # let DAD complete - assume default of 1 probe
++ sleep 1
++}
++
++cleanup()
++{
++ # make sure we start from a clean slate
++ ip netns del ${PEER_NS} 2>/dev/null
++ for n in 1 3 5 7; do
++ ip link del ${NETIFS[p${n}]} 2>/dev/null
++ done
++ ip link del ${VRF} 2>/dev/null
++ ip ro flush table ${VRF_TABLE}
++ ip -6 ro flush table ${VRF_TABLE}
++}
++
++################################################################################
++# IPv4 tests
++#
++
++run_ip()
++{
++ local table="$1"
++ local prefix="$2"
++ local gw="$3"
++ local dev="$4"
++ local exp_rc="$5"
++ local desc="$6"
++
++ # dev arg may be empty
++ [ -n "${dev}" ] && dev="dev ${dev}"
++
++ run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink
++ log_test $? ${exp_rc} "${desc}"
++}
++
++valid_onlink_ipv4()
++{
++ # - unicast connected, unicast recursive
++ #
++ log_subsection "default VRF - main table"
++
++ run_ip 254 ${TEST_NET4[1]}.1 ${CONGW[1]} ${NETIFS[p1]} 0 "unicast connected"
++ run_ip 254 ${TEST_NET4[1]}.2 ${RECGW4[1]} ${NETIFS[p1]} 0 "unicast recursive"
++
++ log_subsection "VRF ${VRF}"
++
++ run_ip ${VRF_TABLE} ${TEST_NET4[2]}.1 ${CONGW[2]} ${NETIFS[p5]} 0 "unicast connected"
++ run_ip ${VRF_TABLE} ${TEST_NET4[2]}.2 ${RECGW4[2]} ${NETIFS[p5]} 0 "unicast recursive"
++
++ log_subsection "VRF device, PBR table"
++
++ run_ip ${PBR_TABLE} ${TEST_NET4[2]}.3 ${CONGW[2]} ${NETIFS[p5]} 0 "unicast connected"
++ run_ip ${PBR_TABLE} ${TEST_NET4[2]}.4 ${RECGW4[2]} ${NETIFS[p5]} 0 "unicast recursive"
++}
++
++invalid_onlink_ipv4()
++{
++ run_ip 254 ${TEST_NET4[1]}.11 ${V4ADDRS[p1]} ${NETIFS[p1]} 2 \
++ "Invalid gw - local unicast address"
++
++ run_ip ${VRF_TABLE} ${TEST_NET4[2]}.11 ${V4ADDRS[p5]} ${NETIFS[p5]} 2 \
++ "Invalid gw - local unicast address, VRF"
++
++ run_ip 254 ${TEST_NET4[1]}.101 ${V4ADDRS[p1]} "" 2 "No nexthop device given"
++
++ run_ip 254 ${TEST_NET4[1]}.102 ${V4ADDRS[p3]} ${NETIFS[p1]} 2 \
++ "Gateway resolves to wrong nexthop device"
++
++ run_ip ${VRF_TABLE} ${TEST_NET4[2]}.103 ${V4ADDRS[p7]} ${NETIFS[p5]} 2 \
++ "Gateway resolves to wrong nexthop device - VRF"
++}
++
++################################################################################
++# IPv6 tests
++#
++
++run_ip6()
++{
++ local table="$1"
++ local prefix="$2"
++ local gw="$3"
++ local dev="$4"
++ local exp_rc="$5"
++ local desc="$6"
++
++ # dev arg may be empty
++ [ -n "${dev}" ] && dev="dev ${dev}"
++
++ run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink
++ log_test $? ${exp_rc} "${desc}"
++}
++
++valid_onlink_ipv6()
++{
++ # - unicast connected, unicast recursive, v4-mapped
++ #
++ log_subsection "default VRF - main table"
++
++ run_ip6 254 ${TEST_NET6[1]}::1 ${V6ADDRS[p1]/::*}::64 ${NETIFS[p1]} 0 "unicast connected"
++ run_ip6 254 ${TEST_NET6[1]}::2 ${RECGW6[1]} ${NETIFS[p1]} 0 "unicast recursive"
++ run_ip6 254 ${TEST_NET6[1]}::3 ::ffff:${TEST_NET4IN6[1]} ${NETIFS[p1]} 0 "v4-mapped"
++
++ log_subsection "VRF ${VRF}"
++
++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::1 ${V6ADDRS[p5]/::*}::64 ${NETIFS[p5]} 0 "unicast connected"
++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::2 ${RECGW6[2]} ${NETIFS[p5]} 0 "unicast recursive"
++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::3 ::ffff:${TEST_NET4IN6[2]} ${NETIFS[p5]} 0 "v4-mapped"
++
++ log_subsection "VRF device, PBR table"
++
++ run_ip6 ${PBR_TABLE} ${TEST_NET6[2]}::4 ${V6ADDRS[p5]/::*}::64 ${NETIFS[p5]} 0 "unicast connected"
++ run_ip6 ${PBR_TABLE} ${TEST_NET6[2]}::5 ${RECGW6[2]} ${NETIFS[p5]} 0 "unicast recursive"
++ run_ip6 ${PBR_TABLE} ${TEST_NET6[2]}::6 ::ffff:${TEST_NET4IN6[2]} ${NETIFS[p5]} 0 "v4-mapped"
++}
++
++invalid_onlink_ipv6()
++{
++ local lladdr
++
++ lladdr=$(get_linklocal ${NETIFS[p1]}) || return 1
++
++ run_ip6 254 ${TEST_NET6[1]}::11 ${V6ADDRS[p1]} ${NETIFS[p1]} 2 \
++ "Invalid gw - local unicast address"
++ run_ip6 254 ${TEST_NET6[1]}::12 ${lladdr} ${NETIFS[p1]} 2 \
++ "Invalid gw - local linklocal address"
++ run_ip6 254 ${TEST_NET6[1]}::12 ${MCAST6} ${NETIFS[p1]} 2 \
++ "Invalid gw - multicast address"
++
++ lladdr=$(get_linklocal ${NETIFS[p5]}) || return 1
++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::11 ${V6ADDRS[p5]} ${NETIFS[p5]} 2 \
++ "Invalid gw - local unicast address, VRF"
++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::12 ${lladdr} ${NETIFS[p5]} 2 \
++ "Invalid gw - local linklocal address, VRF"
++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::12 ${MCAST6} ${NETIFS[p5]} 2 \
++ "Invalid gw - multicast address, VRF"
++
++ run_ip6 254 ${TEST_NET6[1]}::101 ${V6ADDRS[p1]} "" 2 \
++ "No nexthop device given"
++
++ # default VRF validation is done against LOCAL table
++ # run_ip6 254 ${TEST_NET6[1]}::102 ${V6ADDRS[p3]/::[0-9]/::64} ${NETIFS[p1]} 2 \
++ # "Gateway resolves to wrong nexthop device"
++
++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::103 ${V6ADDRS[p7]/::[0-9]/::64} ${NETIFS[p5]} 2 \
++ "Gateway resolves to wrong nexthop device - VRF"
++}
++
++run_onlink_tests()
++{
++ log_section "IPv4 onlink"
++ log_subsection "Valid onlink commands"
++ valid_onlink_ipv4
++ log_subsection "Invalid onlink commands"
++ invalid_onlink_ipv4
++
++ log_section "IPv6 onlink"
++ log_subsection "Valid onlink commands"
++ valid_onlink_ipv6
++ invalid_onlink_ipv6
++}
++
++################################################################################
++# main
++
++nsuccess=0
++nfail=0
++
++cleanup
++setup
++run_onlink_tests
++cleanup
++
++if [ "$TESTS" != "none" ]; then
++ printf "\nTests passed: %3d\n" ${nsuccess}
++ printf "Tests failed: %3d\n" ${nfail}
++fi
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
+Date: Thu, 15 Feb 2018 09:19:26 +0900
+Subject: selftests/net: fixes psock_fanout eBPF test case
+
+From: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
+
+[ Upstream commit ddd0010392d9cbcb95b53d11b7cafc67b373ab56 ]
+
+eBPF test fails due to verifier failure because log_buf is too small.
+Fixed by increasing log_buf size
+
+Signed-off-by: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/psock_fanout.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/psock_fanout.c
++++ b/tools/testing/selftests/net/psock_fanout.c
+@@ -128,6 +128,8 @@ static void sock_fanout_getopts(int fd,
+
+ static void sock_fanout_set_ebpf(int fd)
+ {
++ static char log_buf[65536];
++
+ const int len_off = __builtin_offsetof(struct __sk_buff, len);
+ struct bpf_insn prog[] = {
+ { BPF_ALU64 | BPF_MOV | BPF_X, 6, 1, 0, 0 },
+@@ -140,7 +142,6 @@ static void sock_fanout_set_ebpf(int fd)
+ { BPF_ALU | BPF_MOV | BPF_K, 0, 0, 0, 0 },
+ { BPF_JMP | BPF_EXIT, 0, 0, 0, 0 }
+ };
+- char log_buf[512];
+ union bpf_attr attr;
+ int pfd;
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Fri, 23 Mar 2018 20:44:27 +1100
+Subject: selftests: Print the test we're running to /dev/kmsg
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 88893cf787d3062c631cc20b875068eb11756e03 ]
+
+Some tests cause the kernel to print things to the kernel log
+buffer (ie. printk), in particular oops and warnings etc. However when
+running all the tests in succession it's not always obvious which
+test(s) caused the kernel to print something.
+
+We can narrow it down by printing which test directory we're running
+in to /dev/kmsg, if it's writable.
+
+Example output:
+
+ [ 170.149149] kselftest: Running tests in powerpc
+ [ 305.300132] kworker/dying (71) used greatest stack depth: 7776 bytes
+ left
+ [ 808.915456] kselftest: Running tests in pstore
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/Makefile
++++ b/tools/testing/selftests/Makefile
+@@ -130,6 +130,7 @@ ifdef INSTALL_PATH
+ BUILD_TARGET=$$BUILD/$$TARGET; \
+ echo "echo ; echo Running tests in $$TARGET" >> $(ALL_SCRIPT); \
+ echo "echo ========================================" >> $(ALL_SCRIPT); \
++ echo "[ -w /dev/kmsg ] && echo \"kselftest: Running tests in $$TARGET\" >> /dev/kmsg" >> $(ALL_SCRIPT); \
+ echo "cd $$TARGET" >> $(ALL_SCRIPT); \
+ make -s --no-print-directory OUTPUT=$$BUILD_TARGET -C $$TARGET emit_tests >> $(ALL_SCRIPT); \
+ echo "cd \$$ROOT" >> $(ALL_SCRIPT); \
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Vignesh R <vigneshr@ti.com>
+Date: Thu, 8 Feb 2018 18:25:41 +0530
+Subject: serial: 8250: Don't service RX FIFO if interrupts are disabled
+
+From: Vignesh R <vigneshr@ti.com>
+
+[ Upstream commit 2e9fe539108320820016f78ca7704a7342788380 ]
+
+Currently, data in RX FIFO is read based on UART_LSR register state even
+if RDI and RLSI interrupts are disabled in UART_IER register.
+This is because when IRQ handler is called due to TX FIFO empty event,
+RX FIFO is serviced based on UART_LSR register status instead of
+UART_IIR status. This defeats the purpose of disabling UART RX
+FIFO interrupts during throttling(see, omap_8250_throttle()) as IRQ
+handler continues to drain UART RX FIFO resulting in overflow of buffer
+at tty layer.
+Fix this by making sure that driver drains UART RX FIFO only when
+UART_IIR_RDI is set along with UART_LSR_BI or UART_LSR_DR bits.
+
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_port.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -1867,7 +1867,8 @@ int serial8250_handle_irq(struct uart_po
+
+ status = serial_port_in(port, UART_LSR);
+
+- if (status & (UART_LSR_DR | UART_LSR_BI)) {
++ if (status & (UART_LSR_DR | UART_LSR_BI) &&
++ iir & UART_IIR_RDI) {
+ if (!up->dma || handle_rx_dma(up, iir))
+ status = serial8250_rx_chars(up, status);
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>
+Date: Thu, 25 Jan 2018 14:30:43 +0100
+Subject: serial: altera: ensure port->regshift is honored consistently
+
+From: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 0e254963b6ba4d63ac911e79537fea38dd03dc50 ]
+
+Most register accesses in the altera driver honor port->regshift by
+using altera_uart_writel(). There are a few accesses however that were
+missed when the driver was converted to use port->regshift and some
+others were added later in commit 4d9d7d896d77 ("serial: altera_uart:
+add earlycon support").
+
+Fixes: 2780ad42f5fe ("tty: serial: altera_uart: Use port->regshift to store bus shift")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Acked-by: Tobias Klauser <tklauser@distanz.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/altera_uart.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/serial/altera_uart.c
++++ b/drivers/tty/serial/altera_uart.c
+@@ -327,7 +327,7 @@ static int altera_uart_startup(struct ua
+
+ /* Enable RX interrupts now */
+ pp->imr = ALTERA_UART_CONTROL_RRDY_MSK;
+- writel(pp->imr, port->membase + ALTERA_UART_CONTROL_REG);
++ altera_uart_writel(port, pp->imr, ALTERA_UART_CONTROL_REG);
+
+ spin_unlock_irqrestore(&port->lock, flags);
+
+@@ -343,7 +343,7 @@ static void altera_uart_shutdown(struct
+
+ /* Disable all interrupts now */
+ pp->imr = 0;
+- writel(pp->imr, port->membase + ALTERA_UART_CONTROL_REG);
++ altera_uart_writel(port, pp->imr, ALTERA_UART_CONTROL_REG);
+
+ spin_unlock_irqrestore(&port->lock, flags);
+
+@@ -432,7 +432,7 @@ static void altera_uart_console_putc(str
+ ALTERA_UART_STATUS_TRDY_MSK))
+ cpu_relax();
+
+- writel(c, port->membase + ALTERA_UART_TXDATA_REG);
++ altera_uart_writel(port, c, ALTERA_UART_TXDATA_REG);
+ }
+
+ static void altera_uart_console_write(struct console *co, const char *s,
+@@ -502,13 +502,13 @@ static int __init altera_uart_earlycon_s
+ return -ENODEV;
+
+ /* Enable RX interrupts now */
+- writel(ALTERA_UART_CONTROL_RRDY_MSK,
+- port->membase + ALTERA_UART_CONTROL_REG);
++ altera_uart_writel(port, ALTERA_UART_CONTROL_RRDY_MSK,
++ ALTERA_UART_CONTROL_REG);
+
+ if (dev->baud) {
+ unsigned int baudclk = port->uartclk / dev->baud;
+
+- writel(baudclk, port->membase + ALTERA_UART_DIVISOR_REG);
++ altera_uart_writel(port, baudclk, ALTERA_UART_DIVISOR_REG);
+ }
+
+ dev->con->write = altera_uart_earlycon_write;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:29 +0100
+Subject: serial: arc_uart: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit f9f5786987e81d166c60833edcb7d1836aa16944 ]
+
+The arc_uart_ports[] array is indexed using a value derived from the
+"serialN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Note that the array size is defined by a Kconfig symbol
+(CONFIG_SERIAL_ARC_NR_PORTS), so this can even be triggered using a
+legitimate DTB.
+
+Fixes: ea28fd56fcde69af ("serial/arc-uart: switch to devicetree based probing")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/arc_uart.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/tty/serial/arc_uart.c
++++ b/drivers/tty/serial/arc_uart.c
+@@ -593,6 +593,11 @@ static int arc_serial_probe(struct platf
+ if (dev_id < 0)
+ dev_id = 0;
+
++ if (dev_id >= ARRAY_SIZE(arc_uart_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", dev_id);
++ return -EINVAL;
++ }
++
+ uart = &arc_uart_ports[dev_id];
+ port = &uart->port;
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:30 +0100
+Subject: serial: fsl_lpuart: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit ffab87fdecc655cc676f8be8dd1a2c5e22bd6d47 ]
+
+The lpuart_ports[] array is indexed using a value derived from the
+"serialN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: c9e2e946fb0ba5d2 ("tty: serial: add Freescale lpuart driver support")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -2145,6 +2145,10 @@ static int lpuart_probe(struct platform_
+ dev_err(&pdev->dev, "failed to get alias id, errno %d\n", ret);
+ return ret;
+ }
++ if (ret >= ARRAY_SIZE(lpuart_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", ret);
++ return -EINVAL;
++ }
+ sport->port.line = ret;
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ sport->port.membase = devm_ioremap_resource(&pdev->dev, res);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:31 +0100
+Subject: serial: imx: Fix out-of-bounds access through serial port index
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 5673444821406dda5fc25e4b52aca419f8065a19 ]
+
+The imx_ports[] array is indexed using a value derived from the
+"serialN" alias in DT, or from platform data, which may lead to an
+out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: ff05967a07225ab6 ("serial/imx: add of_alias_get_id() reference back")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/imx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -2042,6 +2042,12 @@ static int serial_imx_probe(struct platf
+ else if (ret < 0)
+ return ret;
+
++ if (sport->port.line >= ARRAY_SIZE(imx_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n",
++ sport->port.line);
++ return -EINVAL;
++ }
++
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ base = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(base))
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Gabriel Matni <gabriel.matni@exfo.com>
+Date: Thu, 22 Mar 2018 19:15:12 +0000
+Subject: serial: mvebu-uart: fix tx lost characters
+
+From: Gabriel Matni <gabriel.matni@exfo.com>
+
+[ Upstream commit c685af1108d7c303f0b901413405d68eaeac4477 ]
+
+Fixes missing characters on kernel console at low baud rates (i.e.9600).
+The driver should poll TX_RDY or TX_FIFO_EMP instead of TX_EMP to ensure
+that the transmitter holding register (THR) is ready to receive a new byte.
+
+TX_EMP tells us when it is possible to send a break sequence via
+SND_BRK_SEQ. While this also indicates that both the THR and the TSR are
+empty, it does not guarantee that a new byte can be written just yet.
+
+Fixes: 30530791a7a0 ("serial: mvebu-uart: initial support for Armada-3700 serial port")
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Acked-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Gabriel Matni <gabriel.matni@exfo.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/mvebu-uart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/mvebu-uart.c
++++ b/drivers/tty/serial/mvebu-uart.c
+@@ -617,7 +617,7 @@ static void wait_for_xmitr(struct uart_p
+ u32 val;
+
+ readl_poll_timeout_atomic(port->membase + UART_STAT, val,
+- (val & STAT_TX_EMP), 1, 10000);
++ (val & STAT_TX_RDY(port)), 1, 10000);
+ }
+
+ static void mvebu_uart_console_putchar(struct uart_port *port, int ch)
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:32 +0100
+Subject: serial: mxs-auart: Fix out-of-bounds access through serial port index
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit dd345a31bfdec350d2593e6de5964e55c7f19c76 ]
+
+The auart_port[] array is indexed using a value derived from the
+"serialN" alias in DT, or from platform data, which may lead to an
+out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: 1ea6607d4cdc9179 ("serial: mxs-auart: Allow device tree probing")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/mxs-auart.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/mxs-auart.c
++++ b/drivers/tty/serial/mxs-auart.c
+@@ -1663,6 +1663,10 @@ static int mxs_auart_probe(struct platfo
+ s->port.line = pdev->id < 0 ? 0 : pdev->id;
+ else if (ret < 0)
+ return ret;
++ if (s->port.line >= ARRAY_SIZE(auart_port)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", s->port.line);
++ return -EINVAL;
++ }
+
+ if (of_id) {
+ pdev->id_entry = of_id->data;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:34 +0100
+Subject: serial: samsung: Fix out-of-bounds access through serial port index
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 49ee23b71877831ac087d6083f6f397dc19c9664 ]
+
+The s3c24xx_serial_ports[] array is indexed using a value derived from
+the "serialN" alias in DT, or from an incrementing probe index, which
+may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Note that the array size is defined by a Kconfig symbol
+(CONFIG_SERIAL_SAMSUNG_UARTS), so this can even be triggered using
+a legitimate DTB or legitimate board code.
+
+Fixes: 13a9f6c64fdc55eb ("serial: samsung: Consider DT alias when probing ports")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/samsung.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -1818,6 +1818,10 @@ static int s3c24xx_serial_probe(struct p
+
+ dbg("s3c24xx_serial_probe(%p) %d\n", pdev, index);
+
++ if (index >= ARRAY_SIZE(s3c24xx_serial_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", index);
++ return -EINVAL;
++ }
+ ourport = &s3c24xx_serial_ports[index];
+
+ ourport->drv_data = s3c24xx_get_driver_data(pdev);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:35 +0100
+Subject: serial: sh-sci: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 090fa4b0dccfa3d04e1c5ab0fe4eba16e6713895 ]
+
+The sci_ports[] array is indexed using a value derived from the
+"serialN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Note that the array size is defined by a Kconfig symbol
+(CONFIG_SERIAL_SH_SCI_NR_UARTS), so this can even be triggered using a
+legitimate DTB.
+
+Fixes: 97ed9790c514066b ("serial: sh-sci: Remove unused platform data capabilities field")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sh-sci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -3098,6 +3098,10 @@ static struct plat_sci_port *sci_parse_d
+ dev_err(&pdev->dev, "failed to get alias id (%d)\n", id);
+ return NULL;
+ }
++ if (id >= ARRAY_SIZE(sci_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", id);
++ return NULL;
++ }
+
+ sp = &sci_ports[id];
+ *dev_id = id;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:37 +0100
+Subject: serial: xuartps: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit e7d75e18d0fc3f7193b65282b651f980c778d935 ]
+
+The cdns_uart_port[] array is indexed using a value derived from the
+"serialN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: 928e9263492069ee ("tty: xuartps: Initialize ports according to aliases")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/xilinx_uartps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -1110,7 +1110,7 @@ static struct uart_port *cdns_uart_get_p
+ struct uart_port *port;
+
+ /* Try the given port id if failed use default method */
+- if (cdns_uart_port[id].mapbase != 0) {
++ if (id < CDNS_UART_NR_PORTS && cdns_uart_port[id].mapbase != 0) {
+ /* Find the next unused port */
+ for (id = 0; id < CDNS_UART_NR_PORTS; id++)
+ if (cdns_uart_port[id].mapbase == 0)
--- /dev/null
+sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch
+firmware-dmi_scan-fix-uuid-length-safety-check.patch
+nvme-don-t-send-keep-alives-to-the-discovery-controller.patch
+btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch
+btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch
+x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch
+x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch
+bnxt_en-ignore-src-port-field-in-decap-filter-nodes.patch
+nvme-expand-nvmf_check_if_ready-checks.patch
+fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch
+kasan-fix-invalid-free-test-crashing-the-kernel.patch
+kasan-slub-fix-handling-of-kasan_slab_free-hook.patch
+ipc-msg-introduce-msgctl-msg_stat_any.patch
+arm-cma-avoid-double-mapping-to-the-cma-area-if-config_highmem-y.patch
+memcg-fix-per_node_info-cleanup.patch
+swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch
+z3fold-fix-memory-leak.patch
+sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch
+force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch
+tracing-uprobe_event-fix-strncpy-corner-case.patch
+cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch
+powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch
+scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch
+perf-tools-fix-perf-builds-with-clang-support.patch
+perf-clang-add-support-for-recent-clang-versions.patch
+dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch
+arm-dts-ls1021a-specify-tbipa-register-address.patch
+ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch
+crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch
+soreuseport-initialise-timewait-reuseport-field.patch
+dccp-initialize-ireq-ir_mark.patch
+genirq-affinity-don-t-return-with-empty-affinity-masks-on-error.patch
+mm-ksm-fix-interaction-with-thp.patch
+mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch
+mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch
+clk-ti-fix-flag-space-conflict-with-clkctrl-clocks.patch
+btrfs-bail-out-on-error-during-replay_dir_deletes.patch
+btrfs-fix-null-pointer-dereference-in-log_dir_items.patch
+btrfs-fix-possible-softlock-on-single-core-machines.patch
+ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch
+ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch
+powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch
+sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch
+x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch
+kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch
+lan78xx-connect-phy-early.patch
+fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch
+media-ov5645-add-missing-of_node_put-in-error-path.patch
+dmaengine-rcar-dmac-fix-too-early-late-system-suspend-resume-callbacks.patch
+sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch
+rtc-snvs-fix-usage-of-snvs_rtc_enable.patch
+riscv-spinlock-strengthen-implementations-with-fences.patch
+platform-x86-dell-smbios-fix-memory-leaks-in-build_tokens_sysfs.patch
+net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch
+net-bgmac-correctly-annotate-register-space.patch
+bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch
+bnxt_en-fix-clear-flags-in-ethtool-reset-handling.patch
+powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch
+btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch
+btrfs-fix-copy_items-return-value-when-logging-an-inode.patch
+btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch
+btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch
+rxrpc-fix-resend-event-time-calculation.patch
+rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch
+rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch
+crypto-inside-secure-move-the-digest-to-the-request-context.patch
+xen-acpi-off-by-one-in-read_acpi_id.patch
+drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch
+acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch
+powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch
+ieee802154-ca8210-fix-uninitialised-data-read.patch
+mac80211-don-t-warn-on-bad-wmm-parameters-from-buggy-aps.patch
+ath10k-advertize-beacon_int_min_gcd.patch
+staging-bcm2835-audio-release-resources-on-module_exit.patch
+iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch
+intel_th-use-correct-method-of-finding-hub.patch
+m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch
+iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch
+iwlwifi-mvm-take-rcu-lock-before-dereferencing.patch
+net-mlx5e-move-all-tx-timeout-logic-to-be-under-state-lock.patch
+loop-don-t-call-into-filesystem-while-holding-lo_ctl_mutex.patch
+parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch
+perf-mmap-fix-accessing-unmapped-mmap-in-perf_mmap__read_done.patch
+hwmon-nct6775-fix-writing-pwmx_mode.patch
+mt76x2-fix-possible-null-pointer-dereferencing-in-mt76x2_tx.patch
+mt76x2-fix-warning-in-ieee80211_get_key_rx_seq.patch
+rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch
+powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch
+powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch
+rsi-fix-kernel-panic-observed-on-64bit-machine.patch
+tools-thermal-tmon-fix-for-segfault.patch
+selftests-print-the-test-we-re-running-to-dev-kmsg.patch
+i40e-hold-the-rtnl-lock-while-changing-interrupt-schemes.patch
+net-mlx5-protect-from-command-bit-overflow.patch
+watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch
+net-qlge-eliminate-duplicate-barriers-on-weakly-ordered-archs.patch
+net-hns3-fix-for-the-wrong-shift-problem-in-hns3_set_txbd_baseinfo.patch
+net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_indir_size.patch
+net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_key_size.patch
+net-qualcomm-rmnet-check-for-null-ep-to-avoid-null-pointer-dereference.patch
+ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch
+nvme_fc-fix-abort-race-on-teardown-with-lld-reject.patch
+nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch
+ath9k-fix-crash-in-spectral-scan.patch
+btrfs-fix-null-pointer-deref-when-target-device-is-missing.patch
+cxgb4-setup-fw-queues-before-registering-netdev.patch
+hv_netvsc-fix-the-return-status-in-rx-path.patch
+ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch
+ima-fallback-to-the-builtin-hash-algorithm.patch
+watchdog-aspeed-allow-configuring-for-alternate-boot.patch
+alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch
+gfs2-check-for-the-end-of-metadata-in-punch_hole.patch
+virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch
+arm-dts-socfpga-fix-gic-ppi-warning.patch
+ima-clear-ima_hash.patch
+clk-rockchip-fix-wrong-parent-for-sdmmc-phase-clock-for-rk3228.patch
+serial-mvebu-uart-fix-tx-lost-characters.patch
+ext4-don-t-complain-about-incorrect-features-when-probing.patch
+drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch
+usb-dwc3-add-softreset-phy-synchonization-delay.patch
+usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch
+usb-dwc3-makefile-fix-link-error-on-randconfig.patch
+scsi-devinfo-add-hp-disk-subsystem-device-for-hp-xp-arrays.patch
+asoc-rockchip-rk3288-hdmi-analog-select-needed-codecs.patch
+iommu-mediatek-fix-protect-memory-setting.patch
+cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch
+firmware-fix-checking-for-return-values-for-fw_add_devm_name.patch
+clk-don-t-show-the-incorrect-clock-phase.patch
+staging-fsl-dpaa2-eth-fix-incorrect-kfree.patch
+ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch
+arm64-insn-allow-add-sub-immediate-with-lsl-12.patch
+zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch
+asoc-samsung-odroid-fix-32000-sample-rate-handling.patch
+bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch
+remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch
+dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch
+bcache-fix-cached_dev-count-usage-for-bch_cache_set_error.patch
+acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch
+acpica-fix-memory-leak-on-unusual-memory-leak.patch
+bcache-stop-dc-writeback_rate_update-properly.patch
+acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch
+cxgb4-fix-queue-free-path-of-uld-drivers.patch
+rds-tcp-must-use-spin_lock_irq-and-not-spin_lock_bh-with-rds_tcp_conn_lock.patch
+i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch
+rtc-rk808-fix-possible-race-condition.patch
+rtc-m41t80-fix-race-conditions.patch
+clk-hisilicon-mark-wdt_mux_p-as-const.patch
+kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch
+perf-top-fix-top.call-graph-config-option-reading.patch
+perf-stat-fix-core-dump-when-flag-t-is-used.patch
+xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch
+ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch
+drm-amdkfd-add-missing-include-of-mm.h.patch
+coresight-use-px-to-print-pcsr-instead-of-p.patch
+ibmvnic-fix-reset-return-from-closed-state.patch
+regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch
+spi-bcm-qspi-fix-some-error-handling-paths.patch
+net-smc-pay-attention-to-max_order-for-cq-entries.patch
+mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch
+powerpc-vas-fix-cleanup-when-vas-is-not-configured.patch
+pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch
+watchdog-sprd_wdt-fix-error-handling-in-sprd_wdt_enable.patch
+watchdog-dw-rmw-the-control-register.patch
+watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch
+ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch
+drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch
+drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch
+usb-dwc2-fix-interval-type-issue.patch
+usb-dwc2-hcd-fix-host-channel-halt-flow.patch
+usb-dwc2-host-fix-transaction-errors-in-host-mode.patch
+usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch
+usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch
+powerpc-add-missing-prototype-for-arch_irq_work_raise.patch
+powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch
+powerpc-xmon-setup-debugger-hooks-when-first-break-point-is-set.patch
+scsi-lpfc-fix-nvme-initiator-firstburst.patch
+scsi-core-make-scsi-status-condition-met-equivalent-to-good.patch
+f2fs-flush-cp-pack-except-cp-pack-2-page-at-first.patch
+cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch
+f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch
+f2fs-fix-to-clear-cp_trimmed_flag.patch
+f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch
+asoc-topology-create-tlv-data-for-dapm-widgets.patch
+perf-core-fix-installing-cgroup-events-on-cpu.patch
+max17042-propagate-of_node-to-power-supply-device.patch
+perf-core-fix-perf_output_read_group.patch
+clk-tegra-fix-pll_u-rate-configuration.patch
+drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch
+hwmon-pmbus-max8688-accept-negative-page-register-values.patch
+hwmon-pmbus-adm1275-accept-negative-page-register-values.patch
+usbip-correct-maximum-value-of-config_usbip_vhci_hc_ports.patch
+crypto-inside-secure-wait-for-the-request-to-complete-if-in-the-backlog.patch
+perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch
+cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch
+efi-arm-only-register-page-tables-when-they-exist.patch
+perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch
+perf-x86-intel-fix-event-update-for-auto-reload.patch
+arm64-dts-qcom-fix-spi5-config-on-msm8996.patch
+soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch
+gfs2-fix-fallocate-chunk-size.patch
+usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch
+usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch
+x86-devicetree-initialize-device-tree-before-using-it.patch
+x86-devicetree-fix-device-irq-settings-in-dt.patch
+phy-rockchip-emmc-retry-calpad-busy-trimming.patch
+alsa-vmaster-propagate-slave-error.patch
+phy-qcom-qmp-fix-phy-pipe-clock-gating.patch
+drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch
+drm-amdgpu-clean-sdma-wptr-register-when-only-enable-wptr-polling.patch
+media-cx23885-override-888-impactvcbe-crystal-frequency.patch
+media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch
+tools-hv-fix-compiler-warnings-about-major-target_fname.patch
+block-null_blk-fix-invalid-parameters-when-loading-module.patch
+media-s3c-camif-fix-out-of-bounds-array-access.patch
+staging-lustre-fix-bug-in-osc_enter_cache_try.patch
+dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch
+media-lgdt3306a-fix-a-double-kfree-on-i2c-device-remove.patch
+media-lgdt3306a-fix-module-count-mismatch-on-usb-unplug.patch
+media-em28xx-add-hauppauge-solohd-dualhd-bulk-models.patch
+media-em28xx-usb-bulk-packet-size-fix.patch
+arm-dts-keystone-k2e-clocks-fix-missing-unit-address-separator.patch
+clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch
+powerpc-mm-slice-fix-hugepage-allocation-at-hint-address-on-8xx.patch
+i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch
+dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch
+enic-enable-rq-before-updating-rq-descriptors.patch
+watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch
+crypto-atmel-aes-fix-the-keys-zeroing-on-errors.patch
+crypto-ccp-don-t-disable-interrupts-while-setting-up-debugfs.patch
+hwrng-stm32-add-reset-during-probe.patch
+pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch
+pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch
+scsi-mvsas-fix-wrong-endianness-of-sgpio-api.patch
+vfio-ccw-fence-off-transport-mode.patch
+staging-fsl-dpaa2-eth-fix-incorrect-casts.patch
+staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch
+staging-ks7010-use-constants-from-ieee80211_eid-instead-of-literal-ints.patch
+pci-endpoint-fix-kernel-panic-after-put_device.patch
+rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch
+rtc-rp5c01-fix-possible-race-condition.patch
+dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch
+drm-omap-add-pclk-setting-case-when-channel-is-dss_wb.patch
+drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch
+arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch
+drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch
+block-fix-a-race-between-request-queue-removal-and-the-block-cgroup-controller.patch
+drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch
+serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch
+serial-sh-sci-fix-out-of-bounds-access-through-dt-alias.patch
+serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch
+serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch
+serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch
+serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch
+serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch
+serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch
+serial-altera-ensure-port-regshift-is-honored-consistently.patch
+ibmvnic-allocate-statistics-buffers-during-probe.patch
+net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch
+ibmvnic-fix-tx-descriptor-tracking-again.patch
+net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch
+cpufreq-reorder-cpufreq_online-error-code-path.patch
+dpaa_eth-fix-sg-mapping.patch
+pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch
+staging-lustre-lmv-correctly-iput-lmo_root.patch
+udf-provide-saner-default-for-invalid-uid-gid.patch
+fanotify-avoid-lost-events-due-to-enomem-for-unlimited-queues.patch
+ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch
+sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch
+media-v4l-vsp1-fix-display-stalls-when-requesting-too-many-inputs.patch
+media-i2c-adv748x-fix-hdmi-field-heights.patch
+media-vb2-fix-videobuf2-to-map-correct-area.patch
+media-vivid-fix-incorrect-capabilities-for-radio.patch
+media-cx25821-prevent-out-of-bounds-read-on-array-card.patch
+x86-xen-add-pvh-specific-rsdp-address-retrieval-function.patch
+arm-davinci_all_defconfig-set-config_davinci_watchdog-y.patch
+clk-samsung-s3c2410-fix-pll-rates.patch
+clk-samsung-exynos7-fix-pll-rates.patch
+clk-samsung-exynos5260-fix-pll-rates.patch
+clk-samsung-exynos5433-fix-pll-rates.patch
+clk-samsung-exynos5250-fix-pll-rates.patch
+clk-samsung-exynos3250-fix-pll-rates.patch
+power-supply-ltc2941-battery-gauge-fix-temperature-units.patch
+arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch
+arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch
+pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch
+crypto-inside-secure-do-not-process-request-if-no-command-was-issued.patch
+crypto-inside-secure-fix-the-cache_len-computation.patch
+crypto-inside-secure-fix-the-extra-cache-computation.patch
+hwrng-bcm2835-handle-deferred-clock-properly.patch
+crypto-inside-secure-do-not-overwrite-the-threshold-value.patch
+crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch
+crypto-inside-secure-fix-the-invalidation-step-during-cra_exit.patch
+audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch
+x86-mce-amd-collect-error-info-even-if-valid-bits-are-not-set.patch
+asoc-fsl_ssi-maintain-a-mask-of-active-streams.patch
+net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch
+rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch
+pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch
+dt-bindings-display-msm-dsi-fix-the-phy-regulator-supply-props.patch
+drm-amd-display-set-vsc-pack-revision-when-dpcd-revision-is-1.2.patch
+dpaa_eth-fix-pause-capability-advertisement-logic.patch
+mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch
+soc-renesas-r8a77970-sysc-fix-power-area-parents.patch
+drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch
+x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch
+perf-test-fix-test-case-inet_pton-to-accept-inlines.patch
+perf-report-fix-wrong-jump-arrow.patch
+perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch
+perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch
+perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch
+selftests-net-fixes-psock_fanout-ebpf-test-case.patch
+drm-vblank-data-type-fixes-for-64-bit-vblank-sequences.patch
+netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch
+drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch
+drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch
+selftests-add-fib-onlink-tests.patch
+rtc-goldfish-add-missing-module_license.patch
+arm-dts-at91-nattis-use-the-correct-compatible-for-the-eeprom.patch
+arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch
+regmap-correct-comparison-in-regmap_cached.patch
+soc-amlogic-meson-gx-pwrc-vpu-fix-error-on-shutdown-when-domain-is-powered-off.patch
+i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch
+scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch
+scsi-lpfc-fix-nonrecovery-of-nvme-controller-after-cable-swap.patch
+scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch
+scsi-lpfc-fix-io-failure-during-hba-reset-testing-with-nvme-io.patch
+scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch
+arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch
+arm-dts-porter-fix-hdmi-output-routing.patch
+regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch
+pinctrl-msm-use-dynamic-gpio-numbering.patch
+pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch
+asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch
+clk-meson-axg-fix-the-od-shift-of-the-sys_pll.patch
+clk-meson-axg-add-the-fractional-part-of-the-fixed_pll.patch
+bluetooth-btusb-add-device-id-for-rtl8822be.patch
+bluetooth-btusb-add-support-for-intel-bluetooth-device-22560.patch
+kdb-make-mdr-command-repeat.patch
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Rich Felker <dalias@libc.org>
+Date: Thu, 15 Mar 2018 20:01:36 -0400
+Subject: sh: fix debug trap failure to process signals before return to user
+
+From: Rich Felker <dalias@libc.org>
+
+[ Upstream commit 96a598996f6ac518ac79839ecbb17c91af91f4f7 ]
+
+When responding to a debug trap (breakpoint) in userspace, the
+kernel's trap handler raised SIGTRAP but returned from the trap via a
+code path that ignored pending signals, resulting in an infinite loop
+re-executing the trapping instruction.
+
+Signed-off-by: Rich Felker <dalias@libc.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sh/kernel/entry-common.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sh/kernel/entry-common.S
++++ b/arch/sh/kernel/entry-common.S
+@@ -255,7 +255,7 @@ debug_trap:
+ mov.l @r8, r8
+ jsr @r8
+ nop
+- bra __restore_all
++ bra ret_from_exception
+ nop
+ CFI_ENDPROC
+
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Sat, 24 Feb 2018 22:41:45 +0300
+Subject: sh_eth: fix TSU init on SH7734/R8A7740
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit a94cf2a614f8bc5b2b33c708626ce695bf71e424 ]
+
+It appears that the single port Ether controllers having TSU (like SH7734/
+R8A7740) need the same kind of treating in sh_eth_tsu_init() as R7S72100
+currently has -- they also don't have the TSU registers related e.g. to
+passing the frames between ports. Add the 'sh_eth_cpu_data::dual_port'
+flag and use it as a new criterion for taking a "short path" in the TSU
+init sequence in order to avoid writing to the non-existent registers...
+
+Fixes: f0e81fecd4f8 ("net: sh_eth: Add support SH7734")
+Fixes: 73a0d907301e ("net: sh_eth: add support R8A7740")
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 6 +++++-
+ drivers/net/ethernet/renesas/sh_eth.h | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -763,6 +763,7 @@ static struct sh_eth_cpu_data sh7757_dat
+ .rpadir = 1,
+ .rpadir_value = 2 << 16,
+ .rtrate = 1,
++ .dual_port = 1,
+ };
+
+ #define SH_GIGA_ETH_BASE 0xfee00000UL
+@@ -841,6 +842,7 @@ static struct sh_eth_cpu_data sh7757_dat
+ .no_trimd = 1,
+ .no_ade = 1,
+ .tsu = 1,
++ .dual_port = 1,
+ };
+
+ /* SH7734 */
+@@ -911,6 +913,7 @@ static struct sh_eth_cpu_data sh7763_dat
+ .tsu = 1,
+ .irq_flags = IRQF_SHARED,
+ .magic = 1,
++ .dual_port = 1,
+ };
+
+ static struct sh_eth_cpu_data sh7619_data = {
+@@ -943,6 +946,7 @@ static struct sh_eth_cpu_data sh771x_dat
+ EESIPR_RRFIP | EESIPR_RTLFIP | EESIPR_RTSFIP |
+ EESIPR_PREIP | EESIPR_CERFIP,
+ .tsu = 1,
++ .dual_port = 1,
+ };
+
+ static void sh_eth_set_default_cpu_data(struct sh_eth_cpu_data *cd)
+@@ -2932,7 +2936,7 @@ static int sh_eth_vlan_rx_kill_vid(struc
+ /* SuperH's TSU register init function */
+ static void sh_eth_tsu_init(struct sh_eth_private *mdp)
+ {
+- if (sh_eth_is_rz_fast_ether(mdp)) {
++ if (!mdp->cd->dual_port) {
+ sh_eth_tsu_write(mdp, 0, TSU_TEN); /* Disable all CAM entry */
+ sh_eth_tsu_write(mdp, TSU_FWSLC_POSTENU | TSU_FWSLC_POSTENL,
+ TSU_FWSLC); /* Enable POST registers */
+--- a/drivers/net/ethernet/renesas/sh_eth.h
++++ b/drivers/net/ethernet/renesas/sh_eth.h
+@@ -509,6 +509,7 @@ struct sh_eth_cpu_data {
+ unsigned rmiimode:1; /* EtherC has RMIIMODE register */
+ unsigned rtrate:1; /* EtherC has RTRATE register */
+ unsigned magic:1; /* EtherC has ECMR.MPDE and ECSR.MPD */
++ unsigned dual_port:1; /* Dual EtherC/E-DMAC */
+ };
+
+ struct sh_eth_private {
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Thu, 21 Dec 2017 20:41:02 +0100
+Subject: soc: amlogic: meson-gx-pwrc-vpu: fix error on shutdown when domain is powered off
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 87f88732d25e6175cb4faa8070658f604660d720 ]
+
+When operating the system headless headless, the domain is never
+powered on, leaving the clocks disabled. The shutdown function then
+tries to disable the already disabled clocks, resulting in errors.
+Therefore call meson_gx_pwrc_vpu_power_off() only if domain is
+powered on.
+This patch fixes the described issue on my system (Odorid-C2).
+
+Fixes: 339cd0ea0822 "soc: amlogic: meson-gx-pwrc-vpu: fix power-off when powered by bootloader"
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/amlogic/meson-gx-pwrc-vpu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/soc/amlogic/meson-gx-pwrc-vpu.c
++++ b/drivers/soc/amlogic/meson-gx-pwrc-vpu.c
+@@ -224,7 +224,11 @@ static int meson_gx_pwrc_vpu_probe(struc
+
+ static void meson_gx_pwrc_vpu_shutdown(struct platform_device *pdev)
+ {
+- meson_gx_pwrc_vpu_power_off(&vpu_hdmi_pd.genpd);
++ bool powered_off;
++
++ powered_off = meson_gx_pwrc_vpu_get_power(&vpu_hdmi_pd);
++ if (!powered_off)
++ meson_gx_pwrc_vpu_power_off(&vpu_hdmi_pd.genpd);
+ }
+
+ static const struct of_device_id meson_gx_pwrc_vpu_match_table[] = {
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+Date: Tue, 27 Feb 2018 16:45:25 -0800
+Subject: soc: qcom: wcnss_ctrl: Fix increment in NV upload
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit 90c29ed7627b6b4aeb603ee197650173c8434512 ]
+
+hdr.len includes both the size of the header and the fragment, so using
+this when stepping through the firmware causes us to skip 16 bytes every
+chunk of 3072 bytes; causing only the first fragment to actually be
+valid data.
+
+Instead use fragment size steps through the firmware blob.
+
+Fixes: ea7a1f275cf0 ("soc: qcom: Introduce WCNSS_CTRL SMD client")
+Reported-by: Will Newton <will.newton@gmail.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/wcnss_ctrl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/qcom/wcnss_ctrl.c
++++ b/drivers/soc/qcom/wcnss_ctrl.c
+@@ -249,7 +249,7 @@ static int wcnss_download_nv(struct wcns
+ /* Increment for next fragment */
+ req->seq++;
+
+- data += req->hdr.len;
++ data += NV_FRAGMENT_SIZE;
+ left -= NV_FRAGMENT_SIZE;
+ } while (left > 0);
+
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Fri, 16 Feb 2018 23:09:48 +0300
+Subject: soc: renesas: r8a77970-sysc: fix power area parents
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit 40d5c8e94751f4a4fa4e0e27e3805e201a4e79c0 ]
+
+According to the figure 9.2(b) of the R-Car Series, 3rd Generation User’s
+Manual: Hardware Rev. 0.80 the A2IRn and A2SCn power areas in R8A77970 have
+the A3IR area as a parent, thus the SYSC driver has those parents wrong...
+
+Fixes: bab9b2a74fe9 ("soc: renesas: rcar-sysc: add R8A77970 support")
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/renesas/r8a77970-sysc.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/soc/renesas/r8a77970-sysc.c
++++ b/drivers/soc/renesas/r8a77970-sysc.c
+@@ -25,12 +25,12 @@ static const struct rcar_sysc_area r8a77
+ PD_CPU_NOCR },
+ { "cr7", 0x240, 0, R8A77970_PD_CR7, R8A77970_PD_ALWAYS_ON },
+ { "a3ir", 0x180, 0, R8A77970_PD_A3IR, R8A77970_PD_ALWAYS_ON },
+- { "a2ir0", 0x400, 0, R8A77970_PD_A2IR0, R8A77970_PD_ALWAYS_ON },
+- { "a2ir1", 0x400, 1, R8A77970_PD_A2IR1, R8A77970_PD_A2IR0 },
+- { "a2ir2", 0x400, 2, R8A77970_PD_A2IR2, R8A77970_PD_A2IR0 },
+- { "a2ir3", 0x400, 3, R8A77970_PD_A2IR3, R8A77970_PD_A2IR0 },
+- { "a2sc0", 0x400, 4, R8A77970_PD_A2SC0, R8A77970_PD_ALWAYS_ON },
+- { "a2sc1", 0x400, 5, R8A77970_PD_A2SC1, R8A77970_PD_A2SC0 },
++ { "a2ir0", 0x400, 0, R8A77970_PD_A2IR0, R8A77970_PD_A3IR },
++ { "a2ir1", 0x400, 1, R8A77970_PD_A2IR1, R8A77970_PD_A3IR },
++ { "a2ir2", 0x400, 2, R8A77970_PD_A2IR2, R8A77970_PD_A3IR },
++ { "a2ir3", 0x400, 3, R8A77970_PD_A2IR3, R8A77970_PD_A3IR },
++ { "a2sc0", 0x400, 4, R8A77970_PD_A2SC0, R8A77970_PD_A3IR },
++ { "a2sc1", 0x400, 5, R8A77970_PD_A2SC1, R8A77970_PD_A3IR },
+ };
+
+ const struct rcar_sysc_info r8a77970_sysc_info __initconst = {
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Apr 2018 13:42:43 -0700
+Subject: soreuseport: initialise timewait reuseport field
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3099a52918937ab86ec47038ad80d377ba16c531 ]
+
+syzbot reported an uninit-value in inet_csk_bind_conflict() [1]
+
+It turns out we never propagated sk->sk_reuseport into timewait socket.
+
+[1]
+BUG: KMSAN: uninit-value in inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151
+CPU: 1 PID: 3589 Comm: syzkaller008242 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151
+ inet_csk_get_port+0x1d28/0x1e40 net/ipv4/inet_connection_sock.c:320
+ inet6_bind+0x121c/0x1820 net/ipv6/af_inet6.c:399
+ SYSC_bind+0x3f2/0x4b0 net/socket.c:1474
+ SyS_bind+0x54/0x80 net/socket.c:1460
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x4416e9
+RSP: 002b:00007ffce6d15c88 EFLAGS: 00000217 ORIG_RAX: 0000000000000031
+RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 00000000004416e9
+RDX: 000000000000001c RSI: 0000000020402000 RDI: 0000000000000004
+RBP: 0000000000000000 R08: 00000000e6d15e08 R09: 00000000e6d15e08
+R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000009478
+R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
+ __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
+ tcp_time_wait+0xf17/0xf50 net/ipv4/tcp_minisocks.c:283
+ tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
+ tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
+ inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
+ inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
+ sock_release net/socket.c:595 [inline]
+ sock_close+0xe0/0x300 net/socket.c:1149
+ __fput+0x49e/0xa10 fs/file_table.c:209
+ ____fput+0x37/0x40 fs/file_table.c:243
+ task_work_run+0x243/0x2c0 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x10e1/0x38d0 kernel/exit.c:867
+ do_group_exit+0x1a0/0x360 kernel/exit.c:970
+ SYSC_exit_group+0x21/0x30 kernel/exit.c:981
+ SyS_exit_group+0x25/0x30 kernel/exit.c:979
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
+ __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
+ inet_twsk_alloc+0xaef/0xc00 net/ipv4/inet_timewait_sock.c:182
+ tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258
+ tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
+ tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
+ inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
+ inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
+ sock_release net/socket.c:595 [inline]
+ sock_close+0xe0/0x300 net/socket.c:1149
+ __fput+0x49e/0xa10 fs/file_table.c:209
+ ____fput+0x37/0x40 fs/file_table.c:243
+ task_work_run+0x243/0x2c0 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x10e1/0x38d0 kernel/exit.c:867
+ do_group_exit+0x1a0/0x360 kernel/exit.c:970
+ SYSC_exit_group+0x21/0x30 kernel/exit.c:981
+ SyS_exit_group+0x25/0x30 kernel/exit.c:979
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
+ inet_twsk_alloc+0x13b/0xc00 net/ipv4/inet_timewait_sock.c:163
+ tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258
+ tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
+ tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
+ inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
+ inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
+ sock_release net/socket.c:595 [inline]
+ sock_close+0xe0/0x300 net/socket.c:1149
+ __fput+0x49e/0xa10 fs/file_table.c:209
+ ____fput+0x37/0x40 fs/file_table.c:243
+ task_work_run+0x243/0x2c0 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x10e1/0x38d0 kernel/exit.c:867
+ do_group_exit+0x1a0/0x360 kernel/exit.c:970
+ SYSC_exit_group+0x21/0x30 kernel/exit.c:981
+ SyS_exit_group+0x25/0x30 kernel/exit.c:979
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: da5e36308d9f ("soreuseport: TCP/IPv4 implementation")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/inet_timewait_sock.h | 1 +
+ net/ipv4/inet_timewait_sock.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/include/net/inet_timewait_sock.h
++++ b/include/net/inet_timewait_sock.h
+@@ -43,6 +43,7 @@ struct inet_timewait_sock {
+ #define tw_family __tw_common.skc_family
+ #define tw_state __tw_common.skc_state
+ #define tw_reuse __tw_common.skc_reuse
++#define tw_reuseport __tw_common.skc_reuseport
+ #define tw_ipv6only __tw_common.skc_ipv6only
+ #define tw_bound_dev_if __tw_common.skc_bound_dev_if
+ #define tw_node __tw_common.skc_nulls_node
+--- a/net/ipv4/inet_timewait_sock.c
++++ b/net/ipv4/inet_timewait_sock.c
+@@ -178,6 +178,7 @@ struct inet_timewait_sock *inet_twsk_all
+ tw->tw_dport = inet->inet_dport;
+ tw->tw_family = sk->sk_family;
+ tw->tw_reuse = sk->sk_reuse;
++ tw->tw_reuseport = sk->sk_reuseport;
+ tw->tw_hash = sk->sk_hash;
+ tw->tw_ipv6only = 0;
+ tw->tw_transparent = inet->transparent;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: "David S. Miller" <davem@davemloft.net>
+Date: Tue, 3 Apr 2018 08:24:35 -0700
+Subject: sparc64: Make atomic_xchg() an inline function rather than a macro.
+
+From: "David S. Miller" <davem@davemloft.net>
+
+[ Upstream commit d13864b68e41c11e4231de90cf358658f6ecea45 ]
+
+This avoids a lot of -Wunused warnings such as:
+
+====================
+kernel/debug/debug_core.c: In function ‘kgdb_cpu_enter’:
+./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value]
+ #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr))))
+
+./arch/sparc/include/asm/atomic_64.h:86:30: note: in expansion of macro ‘xchg’
+ #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
+ ^~~~
+kernel/debug/debug_core.c:508:4: note: in expansion of macro ‘atomic_xchg’
+ atomic_xchg(&kgdb_active, cpu);
+ ^~~~~~~~~~~
+====================
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/include/asm/atomic_64.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc/include/asm/atomic_64.h
++++ b/arch/sparc/include/asm/atomic_64.h
+@@ -83,7 +83,11 @@ ATOMIC_OPS(xor)
+ #define atomic64_add_negative(i, v) (atomic64_add_return(i, v) < 0)
+
+ #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
+-#define atomic_xchg(v, new) (xchg(&((v)->counter), new))
++
++static inline int atomic_xchg(atomic_t *v, int new)
++{
++ return xchg(&v->counter, new);
++}
+
+ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
+ {
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+Date: Tue, 13 Mar 2018 19:36:58 +0100
+Subject: spi: bcm-qspi: fIX some error handling paths
+
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit bc3cc75281b3c2b1c5355d88d147b66a753bb9a5 ]
+
+For some reason, commit c0368e4db4a3 ("spi: bcm-qspi: Fix use after free
+in bcm_qspi_probe() in error path") has updated some gotos, but not all of
+them.
+
+This looks spurious, so fix it.
+
+Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-bcm-qspi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-bcm-qspi.c
++++ b/drivers/spi/spi-bcm-qspi.c
+@@ -1247,7 +1247,7 @@ int bcm_qspi_probe(struct platform_devic
+ qspi->base[MSPI] = devm_ioremap_resource(dev, res);
+ if (IS_ERR(qspi->base[MSPI])) {
+ ret = PTR_ERR(qspi->base[MSPI]);
+- goto qspi_probe_err;
++ goto qspi_resource_err;
+ }
+ } else {
+ goto qspi_resource_err;
+@@ -1258,7 +1258,7 @@ int bcm_qspi_probe(struct platform_devic
+ qspi->base[BSPI] = devm_ioremap_resource(dev, res);
+ if (IS_ERR(qspi->base[BSPI])) {
+ ret = PTR_ERR(qspi->base[BSPI]);
+- goto qspi_probe_err;
++ goto qspi_resource_err;
+ }
+ qspi->bspi_mode = true;
+ } else {
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 11 Apr 2018 11:26:09 -0600
+Subject: sr: get/drop reference to device in revalidate and check_events
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 2d097c50212e137e7b53ffe3b37561153eeba87d ]
+
+We can't just use scsi_cd() to get the scsi_cd structure, we have
+to grab a live reference to the device. For both callbacks, we're
+not inside an open where we already hold a reference to the device.
+
+This fixes device removal/addition under concurrent device access,
+which otherwise could result in the below oops.
+
+NULL pointer dereference at 0000000000000010
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP
+Modules linked in:
+sr 12:0:0:0: [sr2] scsi-1 drive
+ scsi_debug crc_t10dif crct10dif_generic crct10dif_common nvme nvme_core sb_edac xl
+sr 12:0:0:0: Attached scsi CD-ROM sr2
+ sr_mod cdrom btrfs xor zstd_decompress zstd_compress xxhash lzo_compress zlib_defc
+sr 12:0:0:0: Attached scsi generic sg7 type 5
+ igb ahci libahci i2c_algo_bit libata dca [last unloaded: crc_t10dif]
+CPU: 43 PID: 4629 Comm: systemd-udevd Not tainted 4.16.0+ #650
+Hardware name: Dell Inc. PowerEdge T630/0NT78X, BIOS 2.3.4 11/09/2016
+RIP: 0010:sr_block_revalidate_disk+0x23/0x190 [sr_mod]
+RSP: 0018:ffff883ff357bb58 EFLAGS: 00010292
+RAX: ffffffffa00b07d0 RBX: ffff883ff3058000 RCX: ffff883ff357bb66
+RDX: 0000000000000003 RSI: 0000000000007530 RDI: ffff881fea631000
+RBP: 0000000000000000 R08: ffff881fe4d38400 R09: 0000000000000000
+R10: 0000000000000000 R11: 00000000000001b6 R12: 000000000800005d
+R13: 000000000800005d R14: ffff883ffd9b3790 R15: 0000000000000000
+FS: 00007f7dc8e6d8c0(0000) GS:ffff883fff340000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000010 CR3: 0000003ffda98005 CR4: 00000000003606e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ ? __invalidate_device+0x48/0x60
+ check_disk_change+0x4c/0x60
+ sr_block_open+0x16/0xd0 [sr_mod]
+ __blkdev_get+0xb9/0x450
+ ? iget5_locked+0x1c0/0x1e0
+ blkdev_get+0x11e/0x320
+ ? bdget+0x11d/0x150
+ ? _raw_spin_unlock+0xa/0x20
+ ? bd_acquire+0xc0/0xc0
+ do_dentry_open+0x1b0/0x320
+ ? inode_permission+0x24/0xc0
+ path_openat+0x4e6/0x1420
+ ? cpumask_any_but+0x1f/0x40
+ ? flush_tlb_mm_range+0xa0/0x120
+ do_filp_open+0x8c/0xf0
+ ? __seccomp_filter+0x28/0x230
+ ? _raw_spin_unlock+0xa/0x20
+ ? __handle_mm_fault+0x7d6/0x9b0
+ ? list_lru_add+0xa8/0xc0
+ ? _raw_spin_unlock+0xa/0x20
+ ? __alloc_fd+0xaf/0x160
+ ? do_sys_open+0x1a6/0x230
+ do_sys_open+0x1a6/0x230
+ do_syscall_64+0x5a/0x100
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sr.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/sr.c
++++ b/drivers/scsi/sr.c
+@@ -585,18 +585,28 @@ out:
+ static unsigned int sr_block_check_events(struct gendisk *disk,
+ unsigned int clearing)
+ {
+- struct scsi_cd *cd = scsi_cd(disk);
++ unsigned int ret = 0;
++ struct scsi_cd *cd;
+
+- if (atomic_read(&cd->device->disk_events_disable_depth))
++ cd = scsi_cd_get(disk);
++ if (!cd)
+ return 0;
+
+- return cdrom_check_events(&cd->cdi, clearing);
++ if (!atomic_read(&cd->device->disk_events_disable_depth))
++ ret = cdrom_check_events(&cd->cdi, clearing);
++
++ scsi_cd_put(cd);
++ return ret;
+ }
+
+ static int sr_block_revalidate_disk(struct gendisk *disk)
+ {
+- struct scsi_cd *cd = scsi_cd(disk);
+ struct scsi_sense_hdr sshdr;
++ struct scsi_cd *cd;
++
++ cd = scsi_cd_get(disk);
++ if (!cd)
++ return -ENXIO;
+
+ /* if the unit is not ready, nothing more to do */
+ if (scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr))
+@@ -605,6 +615,7 @@ static int sr_block_revalidate_disk(stru
+ sr_cd_check(&cd->cdi);
+ get_sectorsize(cd);
+ out:
++ scsi_cd_put(cd);
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Kirill Marinushkin <k.marinushkin@gmail.com>
+Date: Fri, 23 Mar 2018 20:32:54 +0100
+Subject: staging: bcm2835-audio: Release resources on module_exit()
+
+From: Kirill Marinushkin <k.marinushkin@gmail.com>
+
+[ Upstream commit 626118b472d2eb45f83a0276a18d3e6a01c69f6a ]
+
+In the current implementation, `rmmod snd_bcm2835` does not release
+resources properly. It causes an oops when trying to list sound devices.
+
+This commit fixes it.
+
+The details WRT allocation / free are described below.
+
+Device structure WRT allocation:
+
+pdev
+ \childdev[]
+ \card
+ \chip
+ \pcm
+ \ctl
+
+Allocation / register sequence:
+
+* childdev: devm_kzalloc - freed during driver detach
+* childdev: device_initialize - freed during device_unregister
+* pdev: devres_alloc - freed during driver detach
+* childdev: device_add - removed during device_unregister
+* pdev, childdev: devres_add - freed during driver detach
+* card: snd_card_new - freed during snd_card_free
+* chip: kzalloc - freed during kfree
+* card, chip: snd_device_new - freed during snd_device_free
+* chip: new_pcm - TODO: free pcm
+* chip: new_ctl - TODO: free ctl
+* card: snd_card_register - unregistered during snd_card_free
+
+Free / unregister sequence:
+
+* card: snd_card_free
+* card, chip: snd_device_free
+* childdev: device_unregister
+* chip: kfree
+
+Steps to reproduce the issue before this commit:
+
+~~~~
+$ rmmod snd_bcm2835
+$ aplay -L
+[ 138.648130] Unable to handle kernel paging request at virtual address 7f1343c0
+[ 138.660415] pgd = ad8f0000
+[ 138.665567] [7f1343c0] *pgd=3864c811, *pte=00000000, *ppte=00000000
+[ 138.674887] Internal error: Oops: 7 [#1] SMP ARM
+[ 138.683571] Modules linked in: sha256_generic cfg80211 rfkill snd_pcm snd_timer
+ snd fixed uio_pdrv_genirq uio ip_tables x_tables ipv6 [last unloaded: snd_bcm2835
+]
+[ 138.706594] CPU: 3 PID: 463 Comm: aplay Tainted: G WC 4.15.0-rc1-v
+7+ #6
+[ 138.719833] Hardware name: BCM2835
+[ 138.726016] task: b877ac00 task.stack: aebec000
+[ 138.733408] PC is at try_module_get+0x38/0x24c
+[ 138.740813] LR is at snd_ctl_open+0x58/0x194 [snd]
+[ 138.748485] pc : [<801c4d5c>] lr : [<7f0e6b2c>] psr: 20000013
+[ 138.757709] sp : aebedd60 ip : aebedd88 fp : aebedd84
+[ 138.765884] r10: 00000000 r9 : 00000004 r8 : 7f0ed440
+[ 138.774040] r7 : b7e469b0 r6 : 7f0e6b2c r5 : afd91900 r4 : 7f1343c0
+[ 138.783571] r3 : aebec000 r2 : 00000001 r1 : b877ac00 r0 : 7f1343c0
+[ 138.793084] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+[ 138.803300] Control: 10c5387d Table: 2d8f006a DAC: 00000055
+[ 138.812064] Process aplay (pid: 463, stack limit = 0xaebec210)
+[ 138.820868] Stack: (0xaebedd60 to 0xaebee000)
+[ 138.828207] dd60: 00000000 b848d000 afd91900 00000000 b7e469b0 7f0ed440 aebedda4 aebedd88
+[ 138.842371] dd80: 7f0e6b2c 801c4d30 afd91900 7f0ea4dc 00000000 b7e469b0 aebeddcc aebedda8
+[ 138.856611] dda0: 7f0e250c 7f0e6ae0 7f0e2464 b8478ec0 b7e469b0 afd91900 7f0ea388 00000000
+[ 138.870864] ddc0: aebeddf4 aebeddd0 802ce590 7f0e2470 8090ab64 afd91900 afd91900 b7e469b0
+[ 138.885301] dde0: afd91908 802ce4e4 aebede1c aebeddf8 802c57b4 802ce4f0 afd91900 aebedea8
+[ 138.900110] de00: b7fa4c00 00000000 00000000 00000004 aebede3c aebede20 802c6ba8 802c56b4
+[ 138.915260] de20: aebedea8 00000000 aebedf5c 00000000 aebedea4 aebede40 802d9a68 802c6b58
+[ 138.930661] de40: b874ddd0 00000000 00000000 00000001 00000041 00000000 afd91900 aebede70
+[ 138.946402] de60: 00000000 00000000 00000002 b7e469b0 b8a87610 b8d6ab80 801852f8 00080000
+[ 138.962314] de80: aebedf5c aebedea8 00000001 80108464 aebec000 00000000 aebedf4c aebedea8
+[ 138.978414] dea0: 802dacd4 802d970c b8a87610 b8d6ab80 a7982bc6 00000009 af363019 b9231480
+[ 138.994617] dec0: 00000000 b8c038a0 b7e469b0 00000101 00000002 00000238 00000000 00000000
+[ 139.010823] dee0: 00000000 aebedee8 00080000 0000000f aebedf3c aebedf00 802ed7e4 80843f94
+[ 139.027025] df00: 00000003 00080000 b9231490 b9231480 00000000 00080000 af363000 00000000
+[ 139.043229] df20: 00000005 00000002 ffffff9c 00000000 00080000 ffffff9c af363000 00000003
+[ 139.059430] df40: aebedf94 aebedf50 802c6f70 802dac70 aebec000 00000000 00000001 00000000
+[ 139.075629] df60: 00020000 00000004 00000100 00000001 7ebe577c 0002e038 00000000 00000005
+[ 139.091828] df80: 80108464 aebec000 aebedfa4 aebedf98 802c7060 802c6e6c 00000000 aebedfa8
+[ 139.108025] dfa0: 801082c0 802c7040 7ebe577c 0002e038 7ebe577c 00080000 00000b98 e81c8400
+[ 139.124222] dfc0: 7ebe577c 0002e038 00000000 00000005 7ebe57e4 00a20af8 7ebe57f0 76f87394
+[ 139.140419] dfe0: 00000000 7ebe55c4 76ec88e8 76df1d9c 60000010 7ebe577c 00000000 00000000
+[ 139.156715] [<801c4d5c>] (try_module_get) from [<7f0e6b2c>] (snd_ctl_open+0x58/0x194 [snd])
+[ 139.173222] [<7f0e6b2c>] (snd_ctl_open [snd]) from [<7f0e250c>] (snd_open+0xa8/0x14c [snd])
+[ 139.189683] [<7f0e250c>] (snd_open [snd]) from [<802ce590>] (chrdev_open+0xac/0x188)
+[ 139.205465] [<802ce590>] (chrdev_open) from [<802c57b4>] (do_dentry_open+0x10c/0x314)
+[ 139.221347] [<802c57b4>] (do_dentry_open) from [<802c6ba8>] (vfs_open+0x5c/0x88)
+[ 139.236788] [<802c6ba8>] (vfs_open) from [<802d9a68>] (path_openat+0x368/0x944)
+[ 139.248270] [<802d9a68>] (path_openat) from [<802dacd4>] (do_filp_open+0x70/0xc4)
+[ 139.263731] [<802dacd4>] (do_filp_open) from [<802c6f70>] (do_sys_open+0x110/0x1d4)
+[ 139.279378] [<802c6f70>] (do_sys_open) from [<802c7060>] (SyS_open+0x2c/0x30)
+[ 139.290647] [<802c7060>] (SyS_open) from [<801082c0>] (ret_fast_syscall+0x0/0x28)
+[ 139.306021] Code: e3c3303f e5932004 e2822001 e5832004 (e5943000)
+[ 139.316265] ---[ end trace 7f3f7f6193b663ed ]---
+[ 139.324956] note: aplay[463] exited with preempt_count 1
+~~~~
+
+Signed-off-by: Kirill Marinushkin <k.marinushkin@gmail.com>
+Cc: Eric Anholt <eric@anholt.net>
+Cc: Stefan Wahren <stefan.wahren@i2se.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Cc: Ray Jui <rjui@broadcom.com>
+Cc: Scott Branden <sbranden@broadcom.com>
+Cc: bcm-kernel-feedback-list@broadcom.com
+Cc: Michael Zoran <mzoran@crowfest.net>
+Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: linux-rpi-kernel@lists.infradead.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: devel@driverdev.osuosl.org
+Cc: linux-kernel@vger.kernel.org
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/vc04_services/bcm2835-audio/bcm2835.c | 54 ++++++++----------
+ 1 file changed, 25 insertions(+), 29 deletions(-)
+
+--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835.c
++++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835.c
+@@ -25,6 +25,10 @@ MODULE_PARM_DESC(enable_compat_alsa,
+ static void snd_devm_unregister_child(struct device *dev, void *res)
+ {
+ struct device *childdev = *(struct device **)res;
++ struct bcm2835_chip *chip = dev_get_drvdata(childdev);
++ struct snd_card *card = chip->card;
++
++ snd_card_free(card);
+
+ device_unregister(childdev);
+ }
+@@ -50,6 +54,13 @@ static int snd_devm_add_child(struct dev
+ return 0;
+ }
+
++static void snd_bcm2835_release(struct device *dev)
++{
++ struct bcm2835_chip *chip = dev_get_drvdata(dev);
++
++ kfree(chip);
++}
++
+ static struct device *
+ snd_create_device(struct device *parent,
+ struct device_driver *driver,
+@@ -65,6 +76,7 @@ snd_create_device(struct device *parent,
+ device_initialize(device);
+ device->parent = parent;
+ device->driver = driver;
++ device->release = snd_bcm2835_release;
+
+ dev_set_name(device, "%s", name);
+
+@@ -75,18 +87,19 @@ snd_create_device(struct device *parent,
+ return device;
+ }
+
+-static int snd_bcm2835_free(struct bcm2835_chip *chip)
+-{
+- kfree(chip);
+- return 0;
+-}
+-
+ /* component-destructor
+ * (see "Management of Cards and Components")
+ */
+ static int snd_bcm2835_dev_free(struct snd_device *device)
+ {
+- return snd_bcm2835_free(device->device_data);
++ struct bcm2835_chip *chip = device->device_data;
++ struct snd_card *card = chip->card;
++
++ /* TODO: free pcm, ctl */
++
++ snd_device_free(card, chip);
++
++ return 0;
+ }
+
+ /* chip-specific constructor
+@@ -111,7 +124,7 @@ static int snd_bcm2835_create(struct snd
+
+ err = snd_device_new(card, SNDRV_DEV_LOWLEVEL, chip, &ops);
+ if (err) {
+- snd_bcm2835_free(chip);
++ kfree(chip);
+ return err;
+ }
+
+@@ -119,31 +132,14 @@ static int snd_bcm2835_create(struct snd
+ return 0;
+ }
+
+-static void snd_devm_card_free(struct device *dev, void *res)
++static struct snd_card *snd_bcm2835_card_new(struct device *dev)
+ {
+- struct snd_card *snd_card = *(struct snd_card **)res;
+-
+- snd_card_free(snd_card);
+-}
+-
+-static struct snd_card *snd_devm_card_new(struct device *dev)
+-{
+- struct snd_card **dr;
+ struct snd_card *card;
+ int ret;
+
+- dr = devres_alloc(snd_devm_card_free, sizeof(*dr), GFP_KERNEL);
+- if (!dr)
+- return ERR_PTR(-ENOMEM);
+-
+ ret = snd_card_new(dev, -1, NULL, THIS_MODULE, 0, &card);
+- if (ret) {
+- devres_free(dr);
++ if (ret)
+ return ERR_PTR(ret);
+- }
+-
+- *dr = card;
+- devres_add(dev, dr);
+
+ return card;
+ }
+@@ -260,7 +256,7 @@ static int snd_add_child_device(struct d
+ return PTR_ERR(child);
+ }
+
+- card = snd_devm_card_new(child);
++ card = snd_bcm2835_card_new(child);
+ if (IS_ERR(card)) {
+ dev_err(child, "Failed to create card");
+ return PTR_ERR(card);
+@@ -302,7 +298,7 @@ static int snd_add_child_device(struct d
+ return err;
+ }
+
+- dev_set_drvdata(child, card);
++ dev_set_drvdata(child, chip);
+ dev_info(child, "card created with %d channels\n", numchans);
+
+ return 0;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+Date: Mon, 26 Feb 2018 10:28:06 -0600
+Subject: staging: fsl-dpaa2/eth: Fix incorrect casts
+
+From: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+
+[ Upstream commit 75c583ab9709692a60871d4719006391cde8dc1d ]
+
+The DPAA2 Ethernet driver incorrectly assumes virtual addresses
+are always 64b long, which causes compiler errors when building
+for a 32b platform.
+
+Fix this by using explicit casts to uintptr_t where necessary.
+
+Signed-off-by: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
++++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
+@@ -324,7 +324,7 @@ static int consume_frames(struct dpaa2_e
+ }
+
+ fd = dpaa2_dq_fd(dq);
+- fq = (struct dpaa2_eth_fq *)dpaa2_dq_fqd_ctx(dq);
++ fq = (struct dpaa2_eth_fq *)(uintptr_t)dpaa2_dq_fqd_ctx(dq);
+ fq->stats.frames++;
+
+ fq->consume(priv, ch, fd, &ch->napi, fq->flowid);
+@@ -1908,7 +1908,7 @@ static int setup_rx_flow(struct dpaa2_et
+ queue.destination.id = fq->channel->dpcon_id;
+ queue.destination.type = DPNI_DEST_DPCON;
+ queue.destination.priority = 1;
+- queue.user_context = (u64)fq;
++ queue.user_context = (u64)(uintptr_t)fq;
+ err = dpni_set_queue(priv->mc_io, 0, priv->mc_token,
+ DPNI_QUEUE_RX, 0, fq->flowid,
+ DPNI_QUEUE_OPT_USER_CTX | DPNI_QUEUE_OPT_DEST,
+@@ -1960,7 +1960,7 @@ static int setup_tx_flow(struct dpaa2_et
+ queue.destination.id = fq->channel->dpcon_id;
+ queue.destination.type = DPNI_DEST_DPCON;
+ queue.destination.priority = 0;
+- queue.user_context = (u64)fq;
++ queue.user_context = (u64)(uintptr_t)fq;
+ err = dpni_set_queue(priv->mc_io, 0, priv->mc_token,
+ DPNI_QUEUE_TX_CONFIRM, 0, fq->flowid,
+ DPNI_QUEUE_OPT_USER_CTX | DPNI_QUEUE_OPT_DEST,
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+Date: Wed, 14 Mar 2018 15:04:51 -0500
+Subject: staging: fsl-dpaa2/eth: Fix incorrect kfree
+
+From: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+
+[ Upstream commit 6a9bbe53db9a5aa0be9788aa8a2c250dee55444b ]
+
+Use netdev_alloc_frag() instead of kmalloc to allocate space for
+the S/G table of egress multi-buffer frames.
+
+This fixes a bug where an unaligned pointer received from the
+allocator would be overwritten with the 64B aligned value,
+leading to a wrong address being later passed to kfree.
+
+Signed-off-by: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
++++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
+@@ -374,12 +374,14 @@ static int build_sg_fd(struct dpaa2_eth_
+ /* Prepare the HW SGT structure */
+ sgt_buf_size = priv->tx_data_offset +
+ sizeof(struct dpaa2_sg_entry) * (1 + num_dma_bufs);
+- sgt_buf = kzalloc(sgt_buf_size + DPAA2_ETH_TX_BUF_ALIGN, GFP_ATOMIC);
++ sgt_buf = netdev_alloc_frag(sgt_buf_size + DPAA2_ETH_TX_BUF_ALIGN);
+ if (unlikely(!sgt_buf)) {
+ err = -ENOMEM;
+ goto sgt_buf_alloc_failed;
+ }
+ sgt_buf = PTR_ALIGN(sgt_buf, DPAA2_ETH_TX_BUF_ALIGN);
++ memset(sgt_buf, 0, sgt_buf_size);
++
+ sgt = (struct dpaa2_sg_entry *)(sgt_buf + priv->tx_data_offset);
+
+ /* Fill in the HW SGT structure.
+@@ -421,7 +423,7 @@ static int build_sg_fd(struct dpaa2_eth_
+ return 0;
+
+ dma_map_single_failed:
+- kfree(sgt_buf);
++ skb_free_frag(sgt_buf);
+ sgt_buf_alloc_failed:
+ dma_unmap_sg(dev, scl, num_sg, DMA_BIDIRECTIONAL);
+ dma_map_sg_failed:
+@@ -525,9 +527,9 @@ static void free_tx_fd(const struct dpaa
+ return;
+ }
+
+- /* Free SGT buffer kmalloc'ed on tx */
++ /* Free SGT buffer allocated on tx */
+ if (fd_format != dpaa2_fd_single)
+- kfree(skbh);
++ skb_free_frag(skbh);
+
+ /* Move on with skb release */
+ dev_kfree_skb(skb);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Quytelda Kahja <quytelda@tamalin.org>
+Date: Wed, 28 Feb 2018 21:19:07 -0800
+Subject: staging: ks7010: Use constants from ieee80211_eid instead of literal ints.
+
+From: Quytelda Kahja <quytelda@tamalin.org>
+
+[ Upstream commit dc13498ab47fdfae3cda4df712beb2e4244b3fe0 ]
+
+The case statement in get_ap_information() should not use literal integers
+to parse information element IDs when these values are provided by name
+in 'enum ieee80211_eid' in the header 'linux/ieee80211.h'.
+
+Signed-off-by: Quytelda Kahja <quytelda@tamalin.org>
+Reviewed-by: Tobin C. Harding <me@tobin.cc>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/ks7010/ks_hostif.c | 31 +++++++++++++++----------------
+ drivers/staging/ks7010/ks_hostif.h | 1 +
+ 2 files changed, 16 insertions(+), 16 deletions(-)
+
+--- a/drivers/staging/ks7010/ks_hostif.c
++++ b/drivers/staging/ks7010/ks_hostif.c
+@@ -242,9 +242,8 @@ int get_ap_information(struct ks_wlan_pr
+ offset = 0;
+
+ while (bsize > offset) {
+- /* DPRINTK(4, "Element ID=%d\n",*bp); */
+- switch (*bp) {
+- case 0: /* ssid */
++ switch (*bp) { /* Information Element ID */
++ case WLAN_EID_SSID:
+ if (*(bp + 1) <= SSID_MAX_SIZE) {
+ ap->ssid.size = *(bp + 1);
+ } else {
+@@ -254,8 +253,8 @@ int get_ap_information(struct ks_wlan_pr
+ }
+ memcpy(ap->ssid.body, bp + 2, ap->ssid.size);
+ break;
+- case 1: /* rate */
+- case 50: /* ext rate */
++ case WLAN_EID_SUPP_RATES:
++ case WLAN_EID_EXT_SUPP_RATES:
+ if ((*(bp + 1) + ap->rate_set.size) <=
+ RATE_SET_MAX_SIZE) {
+ memcpy(&ap->rate_set.body[ap->rate_set.size],
+@@ -271,9 +270,9 @@ int get_ap_information(struct ks_wlan_pr
+ (RATE_SET_MAX_SIZE - ap->rate_set.size);
+ }
+ break;
+- case 3: /* DS parameter */
++ case WLAN_EID_DS_PARAMS:
+ break;
+- case 48: /* RSN(WPA2) */
++ case WLAN_EID_RSN:
+ ap->rsn_ie.id = *bp;
+ if (*(bp + 1) <= RSN_IE_BODY_MAX) {
+ ap->rsn_ie.size = *(bp + 1);
+@@ -284,8 +283,8 @@ int get_ap_information(struct ks_wlan_pr
+ }
+ memcpy(ap->rsn_ie.body, bp + 2, ap->rsn_ie.size);
+ break;
+- case 221: /* WPA */
+- if (memcmp(bp + 2, "\x00\x50\xf2\x01", 4) == 0) { /* WPA OUI check */
++ case WLAN_EID_VENDOR_SPECIFIC: /* WPA */
++ if (memcmp(bp + 2, "\x00\x50\xf2\x01", 4) == 0) { /* WPA OUI check */
+ ap->wpa_ie.id = *bp;
+ if (*(bp + 1) <= RSN_IE_BODY_MAX) {
+ ap->wpa_ie.size = *(bp + 1);
+@@ -300,18 +299,18 @@ int get_ap_information(struct ks_wlan_pr
+ }
+ break;
+
+- case 2: /* FH parameter */
+- case 4: /* CF parameter */
+- case 5: /* TIM */
+- case 6: /* IBSS parameter */
+- case 7: /* Country */
+- case 42: /* ERP information */
+- case 47: /* Reserve ID 47 Broadcom AP */
++ case WLAN_EID_FH_PARAMS:
++ case WLAN_EID_CF_PARAMS:
++ case WLAN_EID_TIM:
++ case WLAN_EID_IBSS_PARAMS:
++ case WLAN_EID_COUNTRY:
++ case WLAN_EID_ERP_INFO:
+ break;
+ default:
+ DPRINTK(4, "unknown Element ID=%d\n", *bp);
+ break;
+ }
++
+ offset += 2; /* id & size field */
+ offset += *(bp + 1); /* +size offset */
+ bp += (*(bp + 1) + 2); /* pointer update */
+--- a/drivers/staging/ks7010/ks_hostif.h
++++ b/drivers/staging/ks7010/ks_hostif.h
+@@ -13,6 +13,7 @@
+ #define _KS_HOSTIF_H_
+
+ #include <linux/compiler.h>
++#include <linux/ieee80211.h>
+
+ /*
+ * HOST-MAC I/F events
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 2 Mar 2018 10:31:25 +1100
+Subject: staging: lustre: fix bug in osc_enter_cache_try
+
+From: NeilBrown <neilb@suse.com>
+
+[ Upstream commit 2fab9faf9b27298c4536c1c1b14072ab18b8f80b ]
+
+The lustre-release patch commit bdc5bb52c554 ("LU-4933 osc:
+Automatically increase the max_dirty_mb") changed
+
+- if (cli->cl_dirty + PAGE_CACHE_SIZE <= cli->cl_dirty_max &&
++ if (cli->cl_dirty_pages < cli->cl_dirty_max_pages &&
+
+When this patch landed in Linux a couple of years later, it landed as
+
+- if (cli->cl_dirty + PAGE_SIZE <= cli->cl_dirty_max &&
++ if (cli->cl_dirty_pages <= cli->cl_dirty_max_pages &&
+
+which is clearly different ('<=' vs '<'), and allows cl_dirty_pages to
+increase beyond cl_dirty_max_pages - which causes a latter assertion
+to fails.
+
+Fixes: 3147b268400a ("staging: lustre: osc: Automatically increase the max_dirty_mb")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/lustre/lustre/include/obd.h | 2 +-
+ drivers/staging/lustre/lustre/osc/osc_cache.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/lustre/lustre/include/obd.h
++++ b/drivers/staging/lustre/lustre/include/obd.h
+@@ -191,7 +191,7 @@ struct client_obd {
+ struct sptlrpc_flavor cl_flvr_mgc; /* fixed flavor of mgc->mgs */
+
+ /* the grant values are protected by loi_list_lock below */
+- unsigned long cl_dirty_pages; /* all _dirty_ in pahges */
++ unsigned long cl_dirty_pages; /* all _dirty_ in pages */
+ unsigned long cl_dirty_max_pages; /* allowed w/o rpc */
+ unsigned long cl_dirty_transit; /* dirty synchronous */
+ unsigned long cl_avail_grant; /* bytes of credit for ost */
+--- a/drivers/staging/lustre/lustre/osc/osc_cache.c
++++ b/drivers/staging/lustre/lustre/osc/osc_cache.c
+@@ -1530,7 +1530,7 @@ static int osc_enter_cache_try(struct cl
+ if (rc < 0)
+ return 0;
+
+- if (cli->cl_dirty_pages <= cli->cl_dirty_max_pages &&
++ if (cli->cl_dirty_pages < cli->cl_dirty_max_pages &&
+ atomic_long_read(&obd_dirty_pages) + 1 <= obd_max_dirty_pages) {
+ osc_consume_write_grant(cli, &oap->oap_brw_page);
+ if (transient) {
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 23 Feb 2018 09:09:33 +1100
+Subject: staging: lustre: lmv: correctly iput lmo_root
+
+From: NeilBrown <neilb@suse.com>
+
+[ Upstream commit 17556cdbe6ed70a6a20e597b228628f7f34387f8 ]
+
+Commit 8f18c8a48b73 ("staging: lustre: lmv: separate master object
+with master stripe") changed how lmo_root inodes were managed,
+particularly when LMV_HASH_FLAG_MIGRATION is not set.
+Previously lsm_md_oinfo[0].lmo_root was always a borrowed
+inode reference and didn't need to by iput().
+Since the change, that special case only applies when
+LMV_HASH_FLAG_MIGRATION is set
+
+In the upstream (lustre-release) version of this patch [Commit
+60e07b972114 ("LU-4690 lod: separate master object with master
+stripe")] the for loop in the lmv_unpack_md() was changed to count
+from 0 and to ignore entry 0 if LMV_HASH_FLAG_MIGRATION is set.
+In the patch that got applied to Linux, that change was missing,
+so lsm_md_oinfo[0].lmo_root is never iput().
+This results in a "VFS: Busy inodes" warning at unmount.
+
+Fixes: 8f18c8a48b73 ("staging: lustre: lmv: separate master object with master stripe")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Reviewed-by: James Simmons <jsimmons@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/lustre/lustre/lmv/lmv_obd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/lustre/lustre/lmv/lmv_obd.c
++++ b/drivers/staging/lustre/lustre/lmv/lmv_obd.c
+@@ -2695,7 +2695,7 @@ static int lmv_unpackmd(struct obd_expor
+ if (lsm && !lmm) {
+ int i;
+
+- for (i = 1; i < lsm->lsm_md_stripe_count; i++) {
++ for (i = 0; i < lsm->lsm_md_stripe_count; i++) {
+ /*
+ * For migrating inode, the master stripe and master
+ * object will be the same, so do not need iput, see
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 28 Feb 2018 11:28:49 +0000
+Subject: staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit e1a7418529e33bc4efc346324557251a16a3e79b ]
+
+Currently the allocation of priv->oldaddr is not null checked which will
+lead to subsequent errors when accessing priv->oldaddr. Fix this with
+a null pointer check and a return of -ENOMEM on allocation failure.
+
+Detected with Coccinelle:
+drivers/staging/rtl8192u/r8192U_core.c:1708:2-15: alloc with no test,
+possible model on line 1723
+
+Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8192u/r8192U_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/rtl8192u/r8192U_core.c
++++ b/drivers/staging/rtl8192u/r8192U_core.c
+@@ -1706,6 +1706,8 @@ static short rtl8192_usb_initendpoints(s
+
+ priv->rx_urb[16] = usb_alloc_urb(0, GFP_KERNEL);
+ priv->oldaddr = kmalloc(16, GFP_KERNEL);
++ if (!priv->oldaddr)
++ return -ENOMEM;
+ oldaddr = priv->oldaddr;
+ align = ((long)oldaddr) & 3;
+ if (align) {
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Tom Abraham <tabraham@suse.com>
+Date: Tue, 10 Apr 2018 16:29:48 -0700
+Subject: swap: divide-by-zero when zero length swap file on ssd
+
+From: Tom Abraham <tabraham@suse.com>
+
+[ Upstream commit a06ad633a37c64a0cd4c229fc605cee8725d376e ]
+
+Calling swapon() on a zero length swap file on SSD can lead to a
+divide-by-zero.
+
+Although creating such files isn't possible with mkswap and they woud be
+considered invalid, it would be better for the swapon code to be more
+robust and handle this condition gracefully (return -EINVAL).
+Especially since the fix is small and straightforward.
+
+To help with wear leveling on SSD, the swapon syscall calculates a
+random position in the swap file using modulo p->highest_bit, which is
+set to maxpages - 1 in read_swap_header.
+
+If the swap file is zero length, read_swap_header sets maxpages=1 and
+last_page=0, resulting in p->highest_bit=0 and we divide-by-zero when we
+modulo p->highest_bit in swapon syscall.
+
+This can be prevented by having read_swap_header return zero if
+last_page is zero.
+
+Link: http://lkml.kernel.org/r/5AC747C1020000A7001FA82C@prv-mh.provo.novell.com
+Signed-off-by: Thomas Abraham <tabraham@suse.com>
+Reported-by: <Mark.Landis@Teradata.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/swapfile.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -2961,6 +2961,10 @@ static unsigned long read_swap_header(st
+ maxpages = swp_offset(pte_to_swp_entry(
+ swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1;
+ last_page = swap_header->info.last_page;
++ if (!last_page) {
++ pr_warn("Empty swap-file\n");
++ return 0;
++ }
+ if (last_page > maxpages) {
+ pr_warn("Truncating oversized swap area, only using %luk out of %luk\n",
+ maxpages << (PAGE_SHIFT - 10),
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Dexuan Cui <decui@microsoft.com>
+Date: Sun, 4 Mar 2018 22:17:14 -0700
+Subject: tools: hv: fix compiler warnings about major/target_fname
+
+From: Dexuan Cui <decui@microsoft.com>
+
+[ Upstream commit 1330fc35327f3ecdfa1aa645e7321ced7349b2cd ]
+
+This patch fixes the below warnings with new glibc and gcc:
+
+hv_vss_daemon.c:100:13: warning: In the GNU C Library, "major" is defined
+ by <sys/sysmacros.h>. For historical compatibility, it is currently
+defined by <sys/types.h> as well, but we plan to remove this soon.
+To use "major", include <sys/sysmacros.h> directly.
+
+hv_fcopy_daemon.c:42:2: note: 'snprintf' output between 2 and 1040
+bytes into a destination of size 260
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/hv/hv_fcopy_daemon.c | 3 ++-
+ tools/hv/hv_vss_daemon.c | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/tools/hv/hv_fcopy_daemon.c
++++ b/tools/hv/hv_fcopy_daemon.c
+@@ -23,13 +23,14 @@
+ #include <unistd.h>
+ #include <errno.h>
+ #include <linux/hyperv.h>
++#include <linux/limits.h>
+ #include <syslog.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
+ #include <getopt.h>
+
+ static int target_fd;
+-static char target_fname[W_MAX_PATH];
++static char target_fname[PATH_MAX];
+ static unsigned long long filesize;
+
+ static int hv_start_fcopy(struct hv_start_fcopy *smsg)
+--- a/tools/hv/hv_vss_daemon.c
++++ b/tools/hv/hv_vss_daemon.c
+@@ -22,6 +22,7 @@
+ #include <sys/poll.h>
+ #include <sys/ioctl.h>
+ #include <sys/stat.h>
++#include <sys/sysmacros.h>
+ #include <fcntl.h>
+ #include <stdio.h>
+ #include <mntent.h>
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Frank Asseg <frank.asseg@objecthunter.net>
+Date: Mon, 12 Mar 2018 19:57:06 +0100
+Subject: tools/thermal: tmon: fix for segfault
+
+From: Frank Asseg <frank.asseg@objecthunter.net>
+
+[ Upstream commit 6c59f64b7ecf2bccbe73931d7d573d66ed13b537 ]
+
+Fixes a segfault occurring when e.g. <TAB> is pressed multiple times in the
+ncurses tmon application. The segfault is caused by incrementing
+cur_thermal_record in the main function without checking if it's value reached
+NR_THERMAL_RECORD immediately. Since the boundary check only occurred in
+update_thermal_data a race condition existed, which lead to an attempted read
+beyond the last element of the trec array.
+
+The fix was implemented by moving the cur_thermal_record incrementation to the
+update_thermal_data function using a temporary variable on which the boundary
+condition is checked before updating cur_thread_record, so that the variable is
+never incremented beyond the trec array's boundary.
+
+It seems the segfault does not occur on every machine: On a HP EliteBook G4 the
+segfault happens, while it does not happen on a Thinkpad T540p.
+
+Signed-off-by: Frank Asseg <frank.asseg@objecthunter.net>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/thermal/tmon/sysfs.c | 12 +++++++-----
+ tools/thermal/tmon/tmon.c | 1 -
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+--- a/tools/thermal/tmon/sysfs.c
++++ b/tools/thermal/tmon/sysfs.c
+@@ -486,6 +486,7 @@ int zone_instance_to_index(int zone_inst
+ int update_thermal_data()
+ {
+ int i;
++ int next_thermal_record = cur_thermal_record + 1;
+ char tz_name[256];
+ static unsigned long samples;
+
+@@ -495,9 +496,9 @@ int update_thermal_data()
+ }
+
+ /* circular buffer for keeping historic data */
+- if (cur_thermal_record >= NR_THERMAL_RECORDS)
+- cur_thermal_record = 0;
+- gettimeofday(&trec[cur_thermal_record].tv, NULL);
++ if (next_thermal_record >= NR_THERMAL_RECORDS)
++ next_thermal_record = 0;
++ gettimeofday(&trec[next_thermal_record].tv, NULL);
+ if (tmon_log) {
+ fprintf(tmon_log, "%lu ", ++samples);
+ fprintf(tmon_log, "%3.1f ", p_param.t_target);
+@@ -507,11 +508,12 @@ int update_thermal_data()
+ snprintf(tz_name, 256, "%s/%s%d", THERMAL_SYSFS, TZONE,
+ ptdata.tzi[i].instance);
+ sysfs_get_ulong(tz_name, "temp",
+- &trec[cur_thermal_record].temp[i]);
++ &trec[next_thermal_record].temp[i]);
+ if (tmon_log)
+ fprintf(tmon_log, "%lu ",
+- trec[cur_thermal_record].temp[i]/1000);
++ trec[next_thermal_record].temp[i] / 1000);
+ }
++ cur_thermal_record = next_thermal_record;
+ for (i = 0; i < ptdata.nr_cooling_dev; i++) {
+ char cdev_name[256];
+ unsigned long val;
+--- a/tools/thermal/tmon/tmon.c
++++ b/tools/thermal/tmon/tmon.c
+@@ -336,7 +336,6 @@ int main(int argc, char **argv)
+ show_data_w();
+ show_cooling_device();
+ }
+- cur_thermal_record++;
+ time_elapsed += ticktime;
+ controller_handler(trec[0].temp[target_tz_index] / 1000,
+ &yk);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Tue, 10 Apr 2018 21:20:08 +0900
+Subject: tracing/uprobe_event: Fix strncpy corner case
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 50268a3d266ecfdd6c5873d62b2758d9732fc598 ]
+
+Fix string fetch function to terminate with NUL.
+It is OK to drop the rest of string.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: security@kernel.org
+Cc: 范龙飞 <long7573@126.com>
+Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes")
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_uprobe.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -151,6 +151,8 @@ static void FETCH_FUNC_NAME(memory, stri
+ return;
+
+ ret = strncpy_from_user(dst, src, maxlen);
++ if (ret == maxlen)
++ dst[--ret] = '\0';
+
+ if (ret < 0) { /* Failed to fetch string */
+ ((u8 *)get_rloc_data(dest))[0] = '\0';
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 22 Feb 2018 10:39:52 +0100
+Subject: udf: Provide saner default for invalid uid / gid
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 116e5258e4115aca0c64ac0bf40ded3b353ed626 ]
+
+Currently when UDF filesystem is recorded without uid / gid (ids are set
+to -1), we will assign INVALID_[UG]ID to vfs inode unless user uses uid=
+and gid= mount options. In such case filesystem could not be modified in
+any way as VFS refuses to modify files with invalid ids (even by root).
+This is confusing to users and not very useful default since such media
+mode is generally used for removable media. Use overflow[ug]id instead
+so that at least root can modify the filesystem.
+
+Reported-by: Steve Kenton <skenton@ou.edu>
+Reviewed-by: Pali Rohár <pali.rohar@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/udf/super.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -2091,8 +2091,9 @@ static int udf_fill_super(struct super_b
+ bool lvid_open = false;
+
+ uopt.flags = (1 << UDF_FLAG_USE_AD_IN_ICB) | (1 << UDF_FLAG_STRICT);
+- uopt.uid = INVALID_UID;
+- uopt.gid = INVALID_GID;
++ /* By default we'll use overflow[ug]id when UDF inode [ug]id == -1 */
++ uopt.uid = make_kuid(current_user_ns(), overflowuid);
++ uopt.gid = make_kgid(current_user_ns(), overflowgid);
+ uopt.umask = 0;
+ uopt.fmode = UDF_INVALID_MODE;
+ uopt.dmode = UDF_INVALID_MODE;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Grigor Tovmasyan <Grigor.Tovmasyan@synopsys.com>
+Date: Tue, 6 Feb 2018 19:07:38 +0400
+Subject: usb: dwc2: Fix interval type issue
+
+From: Grigor Tovmasyan <Grigor.Tovmasyan@synopsys.com>
+
+[ Upstream commit 12814a3f8f9b247531d7863170cc82b3fe4218fd ]
+
+The maximum value that unsigned char can hold is 255, meanwhile
+the maximum value of interval is 2^(bIntervalMax-1)=2^15.
+
+Signed-off-by: Grigor Tovmasyan <tovmasya@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/core.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc2/core.h
++++ b/drivers/usb/dwc2/core.h
+@@ -217,7 +217,7 @@ struct dwc2_hsotg_ep {
+ unsigned char dir_in;
+ unsigned char index;
+ unsigned char mc;
+- unsigned char interval;
++ u16 interval;
+
+ unsigned int halted:1;
+ unsigned int periodic:1;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Minas Harutyunyan <hminas@synopsys.com>
+Date: Fri, 19 Jan 2018 14:43:53 +0400
+Subject: usb: dwc2: hcd: Fix host channel halt flow
+
+From: Minas Harutyunyan <hminas@synopsys.com>
+
+[ Upstream commit a82c7abdf8fc3b09c4a0ed2eee6d43ecef2ccdb0 ]
+
+According databook in Buffer and External DMA mode
+non-split periodic channels can't be halted.
+
+Acked-by: John Youn <johnyoun@synopsys.com>
+Signed-off-by: Minas Harutyunyan <hminas@synopsys.com>
+Signed-off-by: Grigor Tovmasyan <tovmasya@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/hcd.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/usb/dwc2/hcd.c
++++ b/drivers/usb/dwc2/hcd.c
+@@ -989,6 +989,24 @@ void dwc2_hc_halt(struct dwc2_hsotg *hso
+
+ if (dbg_hc(chan))
+ dev_vdbg(hsotg->dev, "%s()\n", __func__);
++
++ /*
++ * In buffer DMA or external DMA mode channel can't be halted
++ * for non-split periodic channels. At the end of the next
++ * uframe/frame (in the worst case), the core generates a channel
++ * halted and disables the channel automatically.
++ */
++ if ((hsotg->params.g_dma && !hsotg->params.g_dma_desc) ||
++ hsotg->hw_params.arch == GHWCFG2_EXT_DMA_ARCH) {
++ if (!chan->do_split &&
++ (chan->ep_type == USB_ENDPOINT_XFER_ISOC ||
++ chan->ep_type == USB_ENDPOINT_XFER_INT)) {
++ dev_err(hsotg->dev, "%s() Channel can't be halted\n",
++ __func__);
++ return;
++ }
++ }
++
+ if (halt_status == DWC2_HC_XFER_NO_HALT_STATUS)
+ dev_err(hsotg->dev, "!!! halt_status = %d !!!\n", halt_status);
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Minas Harutyunyan <hminas@synopsys.com>
+Date: Fri, 19 Jan 2018 14:44:20 +0400
+Subject: usb: dwc2: host: Fix transaction errors in host mode
+
+From: Minas Harutyunyan <hminas@synopsys.com>
+
+[ Upstream commit 92a8dd26464e1f21f1d869ec53717bd2c1200d63 ]
+
+Added missing GUSBCFG programming in host mode, which fixes
+transaction errors issue on HiKey and Altera Cyclone V boards.
+
+These field even if was programmed in device mode (in function
+dwc2_hsotg_core_init_disconnected()) will be resetting to POR values
+after core soft reset applied.
+So, each time when switching to host mode required to set this field
+to correct value.
+
+Acked-by: John Youn <johnyoun@synopsys.com>
+Signed-off-by: Minas Harutyunyan <hminas@synopsys.com>
+Signed-off-by: Grigor Tovmasyan <tovmasya@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/hcd.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc2/hcd.c
++++ b/drivers/usb/dwc2/hcd.c
+@@ -2340,10 +2340,22 @@ static int dwc2_core_init(struct dwc2_hs
+ */
+ static void dwc2_core_host_init(struct dwc2_hsotg *hsotg)
+ {
+- u32 hcfg, hfir, otgctl;
++ u32 hcfg, hfir, otgctl, usbcfg;
+
+ dev_dbg(hsotg->dev, "%s(%p)\n", __func__, hsotg);
+
++ /* Set HS/FS Timeout Calibration to 7 (max available value).
++ * The number of PHY clocks that the application programs in
++ * this field is added to the high/full speed interpacket timeout
++ * duration in the core to account for any additional delays
++ * introduced by the PHY. This can be required, because the delay
++ * introduced by the PHY in generating the linestate condition
++ * can vary from one PHY to another.
++ */
++ usbcfg = dwc2_readl(hsotg->regs + GUSBCFG);
++ usbcfg |= GUSBCFG_TOUTCAL(7);
++ dwc2_writel(usbcfg, hsotg->regs + GUSBCFG);
++
+ /* Restart the Phy Clock */
+ dwc2_writel(0, hsotg->regs + PCGCTL);
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Fri, 16 Mar 2018 15:33:48 -0700
+Subject: usb: dwc3: Add SoftReset PHY synchonization delay
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+[ Upstream commit fab3833338779e1e668bd58d1f76d601657304b8 ]
+
+>From DWC_usb31 programming guide section 1.3.2, once DWC3_DCTL_CSFTRST
+bit is cleared, we must wait at least 50ms before accessing the PHY
+domain (synchronization delay).
+
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -232,7 +232,7 @@ static int dwc3_core_soft_reset(struct d
+ do {
+ reg = dwc3_readl(dwc->regs, DWC3_DCTL);
+ if (!(reg & DWC3_DCTL_CSFTRST))
+- return 0;
++ goto done;
+
+ udelay(1);
+ } while (--retries);
+@@ -241,6 +241,17 @@ static int dwc3_core_soft_reset(struct d
+ phy_exit(dwc->usb2_generic_phy);
+
+ return -ETIMEDOUT;
++
++done:
++ /*
++ * For DWC_usb31 controller, once DWC3_DCTL_CSFTRST bit is cleared,
++ * we must wait at least 50ms before accessing the PHY domain
++ * (synchronization delay). DWC_usb31 programming guide section 1.3.2.
++ */
++ if (dwc3_is_usb31(dwc))
++ msleep(50);
++
++ return 0;
+ }
+
+ /*
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+Date: Thu, 22 Mar 2018 10:45:20 +0200
+Subject: usb: dwc3: Makefile: fix link error on randconfig
+
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+[ Upstream commit de948a74ad6f0eefddf36d765b8f2dd6df82caa0 ]
+
+If building a kernel without FTRACE but with TRACING, dwc3.ko fails to
+link due to missing trace events. Fix this by using the correct
+Kconfig symbol on Makefile.
+
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/Makefile
++++ b/drivers/usb/dwc3/Makefile
+@@ -6,7 +6,7 @@ obj-$(CONFIG_USB_DWC3) += dwc3.o
+
+ dwc3-y := core.o
+
+-ifneq ($(CONFIG_FTRACE),)
++ifneq ($(CONFIG_TRACING),)
+ dwc3-y += trace.o
+ endif
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Fri, 16 Mar 2018 15:33:54 -0700
+Subject: usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+[ Upstream commit 0cab8d26d6e5e053b2bed3356992aaa71dc93628 ]
+
+Update two GTXFIFOSIZ bit fields for the DWC_usb31 controller. TXFDEP
+is a 15-bit value instead of 16-bit value, and bit 15 is TXFRAMNUM.
+
+The GTXFIFOSIZ register for DWC_usb31 is as follows:
+ +-------+-----------+----------------------------------+
+ | BITS | Name | Description |
+ +=======+===========+==================================+
+ | 31:16 | TXFSTADDR | Transmit FIFOn RAM Start Address |
+ | 15 | TXFRAMNUM | Asynchronous/Periodic TXFIFO |
+ | 14:0 | TXFDEP | TXFIFO Depth |
+ +-------+-----------+----------------------------------+
+
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -241,6 +241,8 @@
+ #define DWC3_GUSB3PIPECTL_TX_DEEPH(n) ((n) << 1)
+
+ /* Global TX Fifo Size Register */
++#define DWC31_GTXFIFOSIZ_TXFRAMNUM BIT(15) /* DWC_usb31 only */
++#define DWC31_GTXFIFOSIZ_TXFDEF(n) ((n) & 0x7fff) /* DWC_usb31 only */
+ #define DWC3_GTXFIFOSIZ_TXFDEF(n) ((n) & 0xffff)
+ #define DWC3_GTXFIFOSIZ_TXFSTADDR(n) ((n) & 0xffff0000)
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Chris Dickens <christopher.a.dickens@gmail.com>
+Date: Sun, 31 Dec 2017 18:59:42 -0800
+Subject: usb: gadget: composite: fix incorrect handling of OS desc requests
+
+From: Chris Dickens <christopher.a.dickens@gmail.com>
+
+[ Upstream commit 5d6ae4f0da8a64a185074dabb1b2f8c148efa741 ]
+
+When handling an OS descriptor request, one of the first operations is
+to zero out the request buffer using the wLength from the setup packet.
+There is no bounds checking, so a wLength > 4096 would clobber memory
+adjacent to the request buffer. Fix this by taking the min of wLength
+and the request buffer length prior to the memset. While at it, define
+the buffer length in a header file so that magic numbers don't appear
+throughout the code.
+
+When returning data to the host, the data length should be the min of
+the wLength and the valid data we have to return. Currently we are
+returning wLength, thus requests for a wLength greater than the amount
+of data in the OS descriptor buffer would return invalid (albeit zero'd)
+data following the valid descriptor data. Fix this by counting the
+number of bytes when constructing the data and using this when
+determining the length of the request.
+
+Signed-off-by: Chris Dickens <christopher.a.dickens@gmail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/composite.c | 40 +++++++++++++++++++---------------------
+ include/linux/usb/composite.h | 3 +++
+ 2 files changed, 22 insertions(+), 21 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1422,7 +1422,7 @@ static int count_ext_compat(struct usb_c
+ return res;
+ }
+
+-static void fill_ext_compat(struct usb_configuration *c, u8 *buf)
++static int fill_ext_compat(struct usb_configuration *c, u8 *buf)
+ {
+ int i, count;
+
+@@ -1449,10 +1449,12 @@ static void fill_ext_compat(struct usb_c
+ buf += 23;
+ }
+ count += 24;
+- if (count >= 4096)
+- return;
++ if (count + 24 >= USB_COMP_EP0_OS_DESC_BUFSIZ)
++ return count;
+ }
+ }
++
++ return count;
+ }
+
+ static int count_ext_prop(struct usb_configuration *c, int interface)
+@@ -1497,25 +1499,20 @@ static int fill_ext_prop(struct usb_conf
+ struct usb_os_desc *d;
+ struct usb_os_desc_ext_prop *ext_prop;
+ int j, count, n, ret;
+- u8 *start = buf;
+
+ f = c->interface[interface];
++ count = 10; /* header length */
+ for (j = 0; j < f->os_desc_n; ++j) {
+ if (interface != f->os_desc_table[j].if_id)
+ continue;
+ d = f->os_desc_table[j].os_desc;
+ if (d)
+ list_for_each_entry(ext_prop, &d->ext_prop, entry) {
+- /* 4kB minus header length */
+- n = buf - start;
+- if (n >= 4086)
+- return 0;
+-
+- count = ext_prop->data_len +
++ n = ext_prop->data_len +
+ ext_prop->name_len + 14;
+- if (count > 4086 - n)
+- return -EINVAL;
+- usb_ext_prop_put_size(buf, count);
++ if (count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ)
++ return count;
++ usb_ext_prop_put_size(buf, n);
+ usb_ext_prop_put_type(buf, ext_prop->type);
+ ret = usb_ext_prop_put_name(buf, ext_prop->name,
+ ext_prop->name_len);
+@@ -1541,11 +1538,12 @@ static int fill_ext_prop(struct usb_conf
+ default:
+ return -EINVAL;
+ }
+- buf += count;
++ buf += n;
++ count += n;
+ }
+ }
+
+- return 0;
++ return count;
+ }
+
+ /*
+@@ -1827,6 +1825,7 @@ unknown:
+ req->complete = composite_setup_complete;
+ buf = req->buf;
+ os_desc_cfg = cdev->os_desc_config;
++ w_length = min_t(u16, w_length, USB_COMP_EP0_OS_DESC_BUFSIZ);
+ memset(buf, 0, w_length);
+ buf[5] = 0x01;
+ switch (ctrl->bRequestType & USB_RECIP_MASK) {
+@@ -1850,8 +1849,8 @@ unknown:
+ count += 16; /* header */
+ put_unaligned_le32(count, buf);
+ buf += 16;
+- fill_ext_compat(os_desc_cfg, buf);
+- value = w_length;
++ value = fill_ext_compat(os_desc_cfg, buf);
++ value = min_t(u16, w_length, value);
+ }
+ break;
+ case USB_RECIP_INTERFACE:
+@@ -1880,8 +1879,7 @@ unknown:
+ interface, buf);
+ if (value < 0)
+ return value;
+-
+- value = w_length;
++ value = min_t(u16, w_length, value);
+ }
+ break;
+ }
+@@ -2156,8 +2154,8 @@ int composite_os_desc_req_prepare(struct
+ goto end;
+ }
+
+- /* OS feature descriptor length <= 4kB */
+- cdev->os_desc_req->buf = kmalloc(4096, GFP_KERNEL);
++ cdev->os_desc_req->buf = kmalloc(USB_COMP_EP0_OS_DESC_BUFSIZ,
++ GFP_KERNEL);
+ if (!cdev->os_desc_req->buf) {
+ ret = -ENOMEM;
+ usb_ep_free_request(ep0, cdev->os_desc_req);
+--- a/include/linux/usb/composite.h
++++ b/include/linux/usb/composite.h
+@@ -54,6 +54,9 @@
+ /* big enough to hold our biggest descriptor */
+ #define USB_COMP_EP0_BUFSIZ 1024
+
++/* OS feature descriptor length <= 4kB */
++#define USB_COMP_EP0_OS_DESC_BUFSIZ 4096
++
+ #define USB_MS_TO_HS_INTERVAL(x) (ilog2((x * 1000 / 125)) + 1)
+ struct usb_configuration;
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Fri, 12 Jan 2018 11:05:02 +0100
+Subject: usb: gadget: ffs: Execute copy_to_user() with USER_DS set
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+[ Upstream commit 4058ebf33cb0be88ca516f968eda24ab7b6b93e4 ]
+
+When using a AIO read() operation on the function FS gadget driver a URB is
+submitted asynchronously and on URB completion the received data is copied
+to the userspace buffer associated with the read operation.
+
+This is done from a kernel worker thread invoking copy_to_user() (through
+copy_to_iter()). And while the user space process memory is made available
+to the kernel thread using use_mm(), some architecture require in addition
+to this that the operation runs with USER_DS set. Otherwise the userspace
+memory access will fail.
+
+For example on ARM64 with Privileged Access Never (PAN) and User Access
+Override (UAO) enabled the following crash occurs.
+
+ Internal error: Accessing user space memory with fs=KERNEL_DS: 9600004f [#1] SMP
+ Modules linked in:
+ CPU: 2 PID: 1636 Comm: kworker/2:1 Not tainted 4.9.0-04081-g8ab2dfb-dirty #487
+ Hardware name: ZynqMP ZCU102 Rev1.0 (DT)
+ Workqueue: events ffs_user_copy_worker
+ task: ffffffc87afc8080 task.stack: ffffffc87a00c000
+ PC is at __arch_copy_to_user+0x190/0x220
+ LR is at copy_to_iter+0x78/0x3c8
+ [...]
+ [<ffffff800847b790>] __arch_copy_to_user+0x190/0x220
+ [<ffffff80086f25d8>] ffs_user_copy_worker+0x70/0x130
+ [<ffffff80080b8c64>] process_one_work+0x1dc/0x460
+ [<ffffff80080b8f38>] worker_thread+0x50/0x4b0
+ [<ffffff80080bf5a0>] kthread+0xd8/0xf0
+ [<ffffff8008083680>] ret_from_fork+0x10/0x50
+
+Address this by placing a set_fs(USER_DS) before of the copy operation
+and revert it again once the copy operation has finished.
+
+This patch is analogous to commit d7ffde35e31a ("vhost: use USER_DS in
+vhost_worker thread") which addresses the same underlying issue.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -758,9 +758,13 @@ static void ffs_user_copy_worker(struct
+ bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD;
+
+ if (io_data->read && ret > 0) {
++ mm_segment_t oldfs = get_fs();
++
++ set_fs(USER_DS);
+ use_mm(io_data->mm);
+ ret = ffs_copy_to_iter(io_data->buf, ret, &io_data->data);
+ unuse_mm(io_data->mm);
++ set_fs(oldfs);
+ }
+
+ io_data->kiocb->ki_complete(io_data->kiocb, ret, ret);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Fri, 12 Jan 2018 11:26:16 +0100
+Subject: usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+[ Upstream commit 946ef68ad4e45aa048a5fb41ce8823ed29da866a ]
+
+Some UDC drivers (like the DWC3) expect that the response to a setup()
+request is queued from within the setup function itself so that it is
+available as soon as setup() has completed.
+
+Upon receiving a setup request the function fs driver creates an event that
+is made available to userspace. And only once userspace has acknowledged
+that event the response to the setup request is queued.
+
+So it violates the requirement of those UDC drivers and random failures can
+be observed. This is basically a race condition and if userspace is able to
+read the event and queue the response fast enough all is good. But if it is
+not, for example because other processes are currently scheduled to run,
+the USB host that sent the setup request will observe an error.
+
+To avoid this the gadget framework provides the USB_GADGET_DELAYED_STATUS
+return code. If a setup() callback returns this value the UDC driver is
+aware that response is not yet available and can uses the appropriate
+methods to handle this case.
+
+Since in the case of function fs the response will never be available when
+the setup() function returns make sure that this status code is used.
+
+This fixed random occasional failures that were previously observed on a
+DWC3 based system under high system load.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -3238,7 +3238,7 @@ static int ffs_func_setup(struct usb_fun
+ __ffs_event_add(ffs, FUNCTIONFS_SETUP);
+ spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
+
+- return 0;
++ return USB_GADGET_DELAYED_STATUS;
+ }
+
+ static bool ffs_func_req_match(struct usb_function *f,
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Tue, 6 Feb 2018 09:50:40 +0100
+Subject: usb: gadget: udc: change comparison to bitshift when dealing with a mask
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit ac87e560f7c0f91b62012e9a159c0681a373b922 ]
+
+Due to a typo, the mask was destroyed by a comparison instead of a bit
+shift.
+
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/goku_udc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/goku_udc.h
++++ b/drivers/usb/gadget/udc/goku_udc.h
+@@ -25,7 +25,7 @@ struct goku_udc_regs {
+ # define INT_EP1DATASET 0x00040
+ # define INT_EP2DATASET 0x00080
+ # define INT_EP3DATASET 0x00100
+-#define INT_EPnNAK(n) (0x00100 < (n)) /* 0 < n < 4 */
++#define INT_EPnNAK(n) (0x00100 << (n)) /* 0 < n < 4 */
+ # define INT_EP1NAK 0x00200
+ # define INT_EP2NAK 0x00400
+ # define INT_EP3NAK 0x00800
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 29 Jan 2018 00:04:18 +0000
+Subject: usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+[ Upstream commit 351a8d4837ae0d61744e64262c3a80ab92ff3e42 ]
+
+Now that usbip supports USB3, the maximum number of ports allowed
+on a hub is 15 (USB_SS_MAXPORTS), not 31 (USB_MAXCHILDREN).
+
+Reported-by: Gianluigi Tiesi <sherpya@netfarm.it>
+Reported-by: Borissh1983 <borissh1983@gmail.com>
+References: https://bugs.debian.org/878866
+Fixes: 1c9de5bf4286 ("usbip: vhci-hcd: Add USB3 SuperSpeed support")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/usbip/Kconfig
++++ b/drivers/usb/usbip/Kconfig
+@@ -27,7 +27,7 @@ config USBIP_VHCI_HCD
+
+ config USBIP_VHCI_HC_PORTS
+ int "Number of ports per USB/IP virtual host controller"
+- range 1 31
++ range 1 15
+ default 8
+ depends on USBIP_VHCI_HCD
+ ---help---
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Cornelia Huck <cohuck@redhat.com>
+Date: Thu, 22 Feb 2018 15:35:43 +0100
+Subject: vfio-ccw: fence off transport mode
+
+From: Cornelia Huck <cohuck@redhat.com>
+
+[ Upstream commit 9851bc77e62499957567e7c39a5beba7d6de6296 ]
+
+vfio-ccw only supports command mode for channel programs, not transport
+mode. User space is supposed to already take care of that and pass us
+command-mode ORBs only, but better make sure and return an error to
+the caller instead of trying to process tcws as ccws.
+
+Reviewed-by: Dong Jia Shi <bjsdjshi@linux.vnet.ibm.com>
+Acked-by: Halil Pasic <pasic@linux.vnet.ibm.com>
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/cio/vfio_ccw_fsm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/s390/cio/vfio_ccw_fsm.c
++++ b/drivers/s390/cio/vfio_ccw_fsm.c
+@@ -129,6 +129,11 @@ static void fsm_io_request(struct vfio_c
+ if (scsw->cmd.fctl & SCSW_FCTL_START_FUNC) {
+ orb = (union orb *)io_region->orb_area;
+
++ /* Don't try to build a cp if transport mode is specified. */
++ if (orb->tm.b) {
++ io_region->ret_code = -EOPNOTSUPP;
++ goto err_out;
++ }
+ io_region->ret_code = cp_init(&private->cp, mdev_dev(mdev),
+ orb);
+ if (io_region->ret_code)
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Jay Vosburgh <jay.vosburgh@canonical.com>
+Date: Thu, 22 Mar 2018 14:42:41 +0000
+Subject: virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS
+
+From: Jay Vosburgh <jay.vosburgh@canonical.com>
+
+[ Upstream commit bda7fab54828bbef2164bb23c0f6b1a7d05cc718 ]
+
+The operstate update logic will leave an interface in the
+default UNKNOWN operstate if the interface carrier state never changes
+from the default carrier up state set at creation. This includes the
+case of an explicit call to netif_carrier_on, as the carrier on to on
+transition has no effect on operstate.
+
+ This affects virtio-net for the case that the virtio peer does
+not support VIRTIO_NET_F_STATUS (the feature that provides carrier state
+updates). Without this feature, the virtio specification states that
+"the link should be assumed active," so, logically, the operstate should
+be UP instead of UNKNOWN. This has impact on user space applications
+that use the operstate to make availability decisions for the interface.
+
+ Resolve this by changing the virtio probe logic slightly to call
+netif_carrier_off for both the "with" and "without" VIRTIO_NET_F_STATUS
+cases, and then the existing call to netif_carrier_on for the "without"
+case will cause an operstate transition.
+
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -2874,8 +2874,8 @@ static int virtnet_probe(struct virtio_d
+
+ /* Assume link up if device can't report link status,
+ otherwise get link status from config. */
++ netif_carrier_off(dev);
+ if (virtio_has_feature(vi->vdev, VIRTIO_NET_F_STATUS)) {
+- netif_carrier_off(dev);
+ schedule_work(&vi->config_work);
+ } else {
+ vi->status = VIRTIO_NET_S_LINK_UP;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 10 Feb 2018 13:17:27 +0300
+Subject: watchdog: asm9260_wdt: fix error handling in asm9260_wdt_probe()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+[ Upstream commit 3c829f47e33eb0398a9a14e357a05199a7be0277 ]
+
+If devm_reset_control_get_exclusive() fails, asm9260_wdt_probe()
+returns immediately. But clks has been already enabled at that point,
+so it is required to disable them or to move the code around.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/asm9260_wdt.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/watchdog/asm9260_wdt.c
++++ b/drivers/watchdog/asm9260_wdt.c
+@@ -292,14 +292,14 @@ static int asm9260_wdt_probe(struct plat
+ if (IS_ERR(priv->iobase))
+ return PTR_ERR(priv->iobase);
+
+- ret = asm9260_wdt_get_dt_clks(priv);
+- if (ret)
+- return ret;
+-
+ priv->rst = devm_reset_control_get_exclusive(&pdev->dev, "wdt_rst");
+ if (IS_ERR(priv->rst))
+ return PTR_ERR(priv->rst);
+
++ ret = asm9260_wdt_get_dt_clks(priv);
++ if (ret)
++ return ret;
++
+ wdd = &priv->wdd;
+ wdd->info = &asm9260_wdt_ident;
+ wdd->ops = &asm9260_wdt_ops;
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Milton Miller <miltonm@us.ibm.com>
+Date: Thu, 15 Mar 2018 11:02:06 -0500
+Subject: watchdog: aspeed: Allow configuring for alternate boot
+
+From: Milton Miller <miltonm@us.ibm.com>
+
+[ Upstream commit 6ffa3402211acc30e47e691e14d62f3fd065a54e ]
+
+Allow the device tree to specify a watchdog to fallover to
+the alternate boot source.
+
+The aspeeed watchdog can set a latch directing flash chip select 0 to
+chip select 1, allowing boot from an alternate media if the watchdog
+is not reset in time. On the ast2400 bank 1 also goes to flash bank 1,
+while on the ast2500 the chip selects are swapped.
+
+Also clear the secondary boot bit during the machine restart operation.
+Otherwise, the system will switch to the alternate boot after every
+reboot, which is not desired.
+
+Signed-off-by: Milton Miller <miltonm@us.ibm.com>
+Signed-off-by: Eddie James <eajames@linux.vnet.ibm.com>
+Reviewed-by: Joel Stanley <joel@jms.id.au>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/aspeed_wdt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/watchdog/aspeed_wdt.c
++++ b/drivers/watchdog/aspeed_wdt.c
+@@ -46,6 +46,7 @@ MODULE_DEVICE_TABLE(of, aspeed_wdt_of_ta
+ #define WDT_RELOAD_VALUE 0x04
+ #define WDT_RESTART 0x08
+ #define WDT_CTRL 0x0C
++#define WDT_CTRL_BOOT_SECONDARY BIT(7)
+ #define WDT_CTRL_RESET_MODE_SOC (0x00 << 5)
+ #define WDT_CTRL_RESET_MODE_FULL_CHIP (0x01 << 5)
+ #define WDT_CTRL_RESET_MODE_ARM_CPU (0x10 << 5)
+@@ -158,6 +159,7 @@ static int aspeed_wdt_restart(struct wat
+ {
+ struct aspeed_wdt *wdt = to_aspeed_wdt(wdd);
+
++ wdt->ctrl &= ~WDT_CTRL_BOOT_SECONDARY;
+ aspeed_wdt_enable(wdt, 128 * WDT_RATE_1MHZ / 1000);
+
+ mdelay(1000);
+@@ -242,6 +244,8 @@ static int aspeed_wdt_probe(struct platf
+ }
+ if (of_property_read_bool(np, "aspeed,external-signal"))
+ wdt->ctrl |= WDT_CTRL_WDT_EXT;
++ if (of_property_read_bool(np, "aspeed,alt-boot"))
++ wdt->ctrl |= WDT_CTRL_BOOT_SECONDARY;
+
+ if (readl(wdt->base + WDT_CTRL) & WDT_CTRL_ENABLE) {
+ /*
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Milton Miller <miltonm@us.ibm.com>
+Date: Fri, 9 Mar 2018 15:58:19 -0600
+Subject: watchdog: aspeed: Fix translation of reset mode to ctrl register
+
+From: Milton Miller <miltonm@us.ibm.com>
+
+[ Upstream commit d2fc8db691bf3197d43b2afb553311a9bf257bff ]
+
+Assert RESET_SYSTEM bit for any reset and set MODE field from reset
+type.
+
+The watchdog control register has a RESET_SYSTEM bit that is really
+closer to activate a reset, and RESET_SYSTEM_MODE field that chooses
+how much to reset.
+
+Before this patch, a node without these optional property would do a
+SOC reset, but a node with properties requesting a cpu or SOC reset
+would do nothing and a node requesting a system reset would do a
+SOC reset.
+
+Fixes: b7f0b8ad25f3 ("drivers/watchdog: ASPEED reference dev tree properties for config")
+Signed-off-by: Milton Miller <miltonm@us.ibm.com>
+Signed-off-by: Eddie James <eajames@linux.vnet.ibm.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/aspeed_wdt.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/watchdog/aspeed_wdt.c
++++ b/drivers/watchdog/aspeed_wdt.c
+@@ -234,11 +234,14 @@ static int aspeed_wdt_probe(struct platf
+ wdt->ctrl |= WDT_CTRL_RESET_MODE_SOC | WDT_CTRL_RESET_SYSTEM;
+ } else {
+ if (!strcmp(reset_type, "cpu"))
+- wdt->ctrl |= WDT_CTRL_RESET_MODE_ARM_CPU;
++ wdt->ctrl |= WDT_CTRL_RESET_MODE_ARM_CPU |
++ WDT_CTRL_RESET_SYSTEM;
+ else if (!strcmp(reset_type, "soc"))
+- wdt->ctrl |= WDT_CTRL_RESET_MODE_SOC;
++ wdt->ctrl |= WDT_CTRL_RESET_MODE_SOC |
++ WDT_CTRL_RESET_SYSTEM;
+ else if (!strcmp(reset_type, "system"))
+- wdt->ctrl |= WDT_CTRL_RESET_SYSTEM;
++ wdt->ctrl |= WDT_CTRL_RESET_MODE_FULL_CHIP |
++ WDT_CTRL_RESET_SYSTEM;
+ else if (strcmp(reset_type, "none"))
+ return -EINVAL;
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 24 Mar 2018 00:36:46 +0300
+Subject: watchdog: davinci_wdt: fix error handling in davinci_wdt_probe()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+[ Upstream commit d66e53649c18377edc08d48901e658e4fd491d46 ]
+
+clk_disable_unprepare() was added to one error path,
+but there is another one. The patch makes sure clk is
+disabled at the both of them.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/davinci_wdt.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/watchdog/davinci_wdt.c
++++ b/drivers/watchdog/davinci_wdt.c
+@@ -236,15 +236,22 @@ static int davinci_wdt_probe(struct plat
+
+ wdt_mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ davinci_wdt->base = devm_ioremap_resource(dev, wdt_mem);
+- if (IS_ERR(davinci_wdt->base))
+- return PTR_ERR(davinci_wdt->base);
++ if (IS_ERR(davinci_wdt->base)) {
++ ret = PTR_ERR(davinci_wdt->base);
++ goto err_clk_disable;
++ }
+
+ ret = watchdog_register_device(wdd);
+- if (ret < 0) {
+- clk_disable_unprepare(davinci_wdt->clk);
++ if (ret) {
+ dev_err(dev, "cannot register watchdog device\n");
++ goto err_clk_disable;
+ }
+
++ return 0;
++
++err_clk_disable:
++ clk_disable_unprepare(davinci_wdt->clk);
++
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Brian Norris <briannorris@chromium.org>
+Date: Fri, 9 Mar 2018 19:46:06 -0800
+Subject: watchdog: dw: RMW the control register
+
+From: Brian Norris <briannorris@chromium.org>
+
+[ Upstream commit a81abbb412341e9e3b2d42ed7d310cf71fbb84a8 ]
+
+RK3399 has rst_pulse_length in CONTROL_REG[4:2], determining the length
+of pulse to issue for system reset. We shouldn't clobber this value,
+because that might make the system reset ineffective. On RK3399, we're
+seeing that a value of 000b (meaning 2 cycles) yields an unreliable
+(partial?) reset, and so we only fully reset after the watchdog fires a
+second time. If we retain the system default (010b, or 8 clock cycles),
+then the watchdog reset is much more reliable.
+
+Read-modify-write retains the system value and improves reset
+reliability.
+
+It seems we were intentionally clobbering the response mode previously,
+to ensure we performed a system reset (we don't support an interrupt
+notification), so retain that explicitly.
+
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/dw_wdt.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/watchdog/dw_wdt.c
++++ b/drivers/watchdog/dw_wdt.c
+@@ -34,6 +34,7 @@
+
+ #define WDOG_CONTROL_REG_OFFSET 0x00
+ #define WDOG_CONTROL_REG_WDT_EN_MASK 0x01
++#define WDOG_CONTROL_REG_RESP_MODE_MASK 0x02
+ #define WDOG_TIMEOUT_RANGE_REG_OFFSET 0x04
+ #define WDOG_TIMEOUT_RANGE_TOPINIT_SHIFT 4
+ #define WDOG_CURRENT_COUNT_REG_OFFSET 0x08
+@@ -121,14 +122,23 @@ static int dw_wdt_set_timeout(struct wat
+ return 0;
+ }
+
++static void dw_wdt_arm_system_reset(struct dw_wdt *dw_wdt)
++{
++ u32 val = readl(dw_wdt->regs + WDOG_CONTROL_REG_OFFSET);
++
++ /* Disable interrupt mode; always perform system reset. */
++ val &= ~WDOG_CONTROL_REG_RESP_MODE_MASK;
++ /* Enable watchdog. */
++ val |= WDOG_CONTROL_REG_WDT_EN_MASK;
++ writel(val, dw_wdt->regs + WDOG_CONTROL_REG_OFFSET);
++}
++
+ static int dw_wdt_start(struct watchdog_device *wdd)
+ {
+ struct dw_wdt *dw_wdt = to_dw_wdt(wdd);
+
+ dw_wdt_set_timeout(wdd, wdd->timeout);
+-
+- writel(WDOG_CONTROL_REG_WDT_EN_MASK,
+- dw_wdt->regs + WDOG_CONTROL_REG_OFFSET);
++ dw_wdt_arm_system_reset(dw_wdt);
+
+ return 0;
+ }
+@@ -152,16 +162,13 @@ static int dw_wdt_restart(struct watchdo
+ unsigned long action, void *data)
+ {
+ struct dw_wdt *dw_wdt = to_dw_wdt(wdd);
+- u32 val;
+
+ writel(0, dw_wdt->regs + WDOG_TIMEOUT_RANGE_REG_OFFSET);
+- val = readl(dw_wdt->regs + WDOG_CONTROL_REG_OFFSET);
+- if (val & WDOG_CONTROL_REG_WDT_EN_MASK)
++ if (dw_wdt_is_enabled(dw_wdt))
+ writel(WDOG_COUNTER_RESTART_KICK_VALUE,
+ dw_wdt->regs + WDOG_COUNTER_RESTART_REG_OFFSET);
+ else
+- writel(WDOG_CONTROL_REG_WDT_EN_MASK,
+- dw_wdt->regs + WDOG_CONTROL_REG_OFFSET);
++ dw_wdt_arm_system_reset(dw_wdt);
+
+ /* wait for reset to assert... */
+ mdelay(500);
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Fri, 9 Mar 2018 00:21:48 +0300
+Subject: watchdog: sprd_wdt: Fix error handling in sprd_wdt_enable()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+[ Upstream commit 3c578cd4bc52b6e65d65be1abad9a8aa489ec207 ]
+
+If clk_prepare_enable(wdt->rtc_enable) fails,
+wdt->enable clock is left enabled.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/sprd_wdt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/watchdog/sprd_wdt.c
++++ b/drivers/watchdog/sprd_wdt.c
+@@ -154,8 +154,10 @@ static int sprd_wdt_enable(struct sprd_w
+ if (ret)
+ return ret;
+ ret = clk_prepare_enable(wdt->rtc_enable);
+- if (ret)
++ if (ret) {
++ clk_disable_unprepare(wdt->enable);
+ return ret;
++ }
+
+ sprd_wdt_unlock(wdt->base);
+ val = readl_relaxed(wdt->base + SPRD_WDT_CTRL);
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Baoquan He <bhe@redhat.com>
+Date: Wed, 14 Feb 2018 13:46:56 +0800
+Subject: x86/apic: Set up through-local-APIC mode on the boot CPU if 'noapic' specified
+
+From: Baoquan He <bhe@redhat.com>
+
+[ Upstream commit bee3204ec3c49f6f53add9c3962c9012a5c036fa ]
+
+Currently the kdump kernel becomes very slow if 'noapic' is specified.
+Normal kernel doesn't have this bug.
+
+Kernel parameter 'noapic' is used to disable IO-APIC in system for
+testing or special purpose. Here the root cause is that in kdump
+kernel LAPIC is disabled since commit:
+
+ 522e664644 ("x86/apic: Disable I/O APIC before shutdown of the local APIC")
+
+In this case we need set up through-local-APIC on boot CPU in
+setup_local_APIC().
+
+In normal kernel the legacy irq mode is enabled by the BIOS. If
+it is virtual wire mode, the local-APIC has been enabled and set as
+through-local-APIC.
+
+Though we fixed the regression introduced by commit 522e664644,
+to further improve robustness set up the through-local-APIC mode
+explicitly, do not rely on the default boot IRQ mode.
+
+Signed-off-by: Baoquan He <bhe@redhat.com>
+Reviewed-by: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: douly.fnst@cn.fujitsu.com
+Cc: joro@8bytes.org
+Cc: prarit@redhat.com
+Cc: uobergfe@redhat.com
+Link: http://lkml.kernel.org/r/20180214054656.3780-7-bhe@redhat.com
+[ Rewrote the changelog. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/apic/apic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1570,7 +1570,7 @@ void setup_local_APIC(void)
+ * TODO: set up through-local-APIC from through-I/O-APIC? --macro
+ */
+ value = apic_read(APIC_LVT0) & APIC_LVT_MASKED;
+- if (!cpu && (pic_mode || !value)) {
++ if (!cpu && (pic_mode || !value || skip_ioapic_setup)) {
+ value = APIC_DM_EXTINT;
+ apic_printk(APIC_VERBOSE, "enabled ExtINT on CPU#%d\n", cpu);
+ } else {
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Ivan Gorinov <ivan.gorinov@intel.com>
+Date: Wed, 7 Mar 2018 11:46:53 -0800
+Subject: x86/devicetree: Fix device IRQ settings in DT
+
+From: Ivan Gorinov <ivan.gorinov@intel.com>
+
+[ Upstream commit 0a5169add90e43ab45ab1ba34223b8583fcaf675 ]
+
+IRQ parameters for the SoC devices connected directly to I/O APIC lines
+(without PCI IRQ routing) may be specified in the Device Tree.
+
+Called from DT IRQ parser, irq_create_fwspec_mapping() calls
+irq_domain_alloc_irqs() with a pointer to irq_fwspec structure as @arg.
+
+But x86-specific DT IRQ allocation code casts @arg to of_phandle_args
+structure pointer and crashes trying to read the IRQ parameters. The
+function was not converted when the mapping descriptor was changed to
+irq_fwspec in the generic irqdomain code.
+
+Fixes: 11e4438ee330 ("irqdomain: Introduce a firmware-specific IRQ specifier structure")
+Signed-off-by: Ivan Gorinov <ivan.gorinov@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Link: https://lkml.kernel.org/r/a234dee27ea60ce76141872da0d6bdb378b2a9ee.1520450752.git.ivan.gorinov@intel.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/devicetree.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kernel/devicetree.c
++++ b/arch/x86/kernel/devicetree.c
+@@ -195,19 +195,22 @@ static struct of_ioapic_type of_ioapic_t
+ static int dt_irqdomain_alloc(struct irq_domain *domain, unsigned int virq,
+ unsigned int nr_irqs, void *arg)
+ {
+- struct of_phandle_args *irq_data = (void *)arg;
++ struct irq_fwspec *fwspec = (struct irq_fwspec *)arg;
+ struct of_ioapic_type *it;
+ struct irq_alloc_info tmp;
++ int type_index;
+
+- if (WARN_ON(irq_data->args_count < 2))
++ if (WARN_ON(fwspec->param_count < 2))
+ return -EINVAL;
+- if (irq_data->args[1] >= ARRAY_SIZE(of_ioapic_type))
++
++ type_index = fwspec->param[1];
++ if (type_index >= ARRAY_SIZE(of_ioapic_type))
+ return -EINVAL;
+
+- it = &of_ioapic_type[irq_data->args[1]];
++ it = &of_ioapic_type[type_index];
+ ioapic_set_alloc_attr(&tmp, NUMA_NO_NODE, it->trigger, it->polarity);
+ tmp.ioapic_id = mpc_ioapic_id(mp_irqdomain_ioapic_idx(domain));
+- tmp.ioapic_pin = irq_data->args[0];
++ tmp.ioapic_pin = fwspec->param[0];
+
+ return mp_irqdomain_alloc(domain, virq, nr_irqs, &tmp);
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Ivan Gorinov <ivan.gorinov@intel.com>
+Date: Wed, 7 Mar 2018 11:46:29 -0800
+Subject: x86/devicetree: Initialize device tree before using it
+
+From: Ivan Gorinov <ivan.gorinov@intel.com>
+
+[ Upstream commit 628df9dc5ad886b0a9b33c75a7b09710eb859ca1 ]
+
+Commit 08d53aa58cb1 added CRC32 calculation in early_init_dt_verify() and
+checking in late initcall of_fdt_raw_init(), making early_init_dt_verify()
+mandatory.
+
+The required call to early_init_dt_verify() was not added to the
+x86-specific implementation, causing failure to create the sysfs entry in
+of_fdt_raw_init().
+
+Fixes: 08d53aa58cb1 ("of/fdt: export fdt blob as /sys/firmware/fdt")
+Signed-off-by: Ivan Gorinov <ivan.gorinov@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Link: https://lkml.kernel.org/r/c8c7e941efc63b5d25ebf9b6350b0f3df38f6098.1520450752.git.ivan.gorinov@intel.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/devicetree.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/devicetree.c
++++ b/arch/x86/kernel/devicetree.c
+@@ -11,6 +11,7 @@
+ #include <linux/of_address.h>
+ #include <linux/of_platform.h>
+ #include <linux/of_irq.h>
++#include <linux/libfdt.h>
+ #include <linux/slab.h>
+ #include <linux/pci.h>
+ #include <linux/of_pci.h>
+@@ -270,14 +271,15 @@ static void __init x86_flattree_get_conf
+
+ map_len = max(PAGE_SIZE - (initial_dtb & ~PAGE_MASK), (u64)128);
+
+- initial_boot_params = dt = early_memremap(initial_dtb, map_len);
+- size = of_get_flat_dt_size();
++ dt = early_memremap(initial_dtb, map_len);
++ size = fdt_totalsize(dt);
+ if (map_len < size) {
+ early_memunmap(dt, map_len);
+- initial_boot_params = dt = early_memremap(initial_dtb, size);
++ dt = early_memremap(initial_dtb, size);
+ map_len = size;
+ }
+
++ early_init_dt_verify(dt);
+ unflatten_and_copy_device_tree();
+ early_memunmap(dt, map_len);
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Borislav Petkov <bp@suse.de>
+Date: Wed, 21 Feb 2018 11:18:56 +0100
+Subject: x86/mce/AMD: Collect error info even if valid bits are not set
+
+From: Borislav Petkov <bp@suse.de>
+
+[ Upstream commit 4b1e84276a6172980c5bf39aa091ba13e90d6dad ]
+
+The MCA banks log error info into MCA_ADDR, MCA_MISC0, and MCA_SYND even
+if the corresponding valid bits are not set:
+
+"Error handlers should save the values in MCA_ADDR, MCA_MISC0,
+and MCA_SYND even if MCA_STATUS[AddrV], MCA_STATUS[MiscV], and
+MCA_STATUS[SyndV] are zero."
+
+Do so by setting those bits so that code down the MCE processing path
+doesn't need to be changed.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20180221101900.10326-5-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/mcheck/mce.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -444,6 +444,20 @@ static inline void mce_gather_info(struc
+ if (mca_cfg.rip_msr)
+ m->ip = mce_rdmsrl(mca_cfg.rip_msr);
+ }
++
++ /*
++ * Error handlers should save the values in MCA_ADDR, MCA_MISC0, and
++ * MCA_SYND even if MCA_STATUS[AddrV], MCA_STATUS[MiscV], and
++ * MCA_STATUS[SyndV] are zero.
++ */
++ if (m->cpuvendor == X86_VENDOR_AMD) {
++ u64 status = MCI_STATUS_ADDRV | MCI_STATUS_MISCV;
++
++ if (mce_flags.smca)
++ status |= MCI_STATUS_SYNDV;
++
++ m->status |= status;
++ }
+ }
+
+ int mce_available(struct cpuinfo_x86 *c)
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Fri, 6 Apr 2018 13:55:14 -0700
+Subject: x86/mm: Do not forbid _PAGE_RW before init for __ro_after_init
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit 639d6aafe437a7464399d2a77d006049053df06f ]
+
+__ro_after_init data gets stuck in the .rodata section. That's normally
+fine because the kernel itself manages the R/W properties.
+
+But, if we run __change_page_attr() on an area which is __ro_after_init,
+the .rodata checks will trigger and force the area to be immediately
+read-only, even if it is early-ish in boot. This caused problems when
+trying to clear the _PAGE_GLOBAL bit for these area in the PTI code:
+it cleared _PAGE_GLOBAL like I asked, but also took it up on itself
+to clear _PAGE_RW. The kernel then oopses the next time it wrote to
+a __ro_after_init data structure.
+
+To fix this, add the kernel_set_to_readonly check, just like we have
+for kernel text, just a few lines below in this function.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Arjan van de Ven <arjan@linux.intel.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Nadav Amit <namit@vmware.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180406205514.8D898241@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/pageattr.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/mm/pageattr.c
++++ b/arch/x86/mm/pageattr.c
+@@ -298,9 +298,11 @@ static inline pgprot_t static_protection
+
+ /*
+ * The .rodata section needs to be read-only. Using the pfn
+- * catches all aliases.
++ * catches all aliases. This also includes __ro_after_init,
++ * so do not enforce until kernel_set_to_readonly is true.
+ */
+- if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
++ if (kernel_set_to_readonly &&
++ within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
+ __pa_symbol(__end_rodata) >> PAGE_SHIFT))
+ pgprot_val(forbidden) |= _PAGE_RW;
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Sai Praneeth <sai.praneeth.prakhya@intel.com>
+Date: Wed, 4 Apr 2018 12:34:19 -0700
+Subject: x86/mm: Fix bogus warning during EFI bootup, use boot_cpu_has() instead of this_cpu_has() in build_cr3_noflush()
+
+From: Sai Praneeth <sai.praneeth.prakhya@intel.com>
+
+[ Upstream commit 162ee5a8ab49be40d253f90e94aef712470a3a24 ]
+
+Linus reported the following boot warning:
+
+ WARNING: CPU: 0 PID: 0 at arch/x86/include/asm/tlbflush.h:134 load_new_mm_cr3+0x114/0x170
+ [...]
+ Call Trace:
+ switch_mm_irqs_off+0x267/0x590
+ switch_mm+0xe/0x20
+ efi_switch_mm+0x3e/0x50
+ efi_enter_virtual_mode+0x43f/0x4da
+ start_kernel+0x3bf/0x458
+ secondary_startup_64+0xa5/0xb0
+
+... after merging:
+
+ 03781e40890c: x86/efi: Use efi_switch_mm() rather than manually twiddling with %cr3
+
+When the platform supports PCID and if CONFIG_DEBUG_VM=y is enabled,
+build_cr3_noflush() (called via switch_mm()) does a sanity check to see
+if X86_FEATURE_PCID is set.
+
+Presently, build_cr3_noflush() uses "this_cpu_has(X86_FEATURE_PCID)" to
+perform the check but this_cpu_has() works only after SMP is initialized
+(i.e. per cpu cpu_info's should be populated) and this happens to be very
+late in the boot process (during rest_init()).
+
+As efi_runtime_services() are called during (early) kernel boot time
+and run time, modify build_cr3_noflush() to use boot_cpu_has() all the
+time. As suggested by Dave Hansen, this should be OK because all CPU's have
+same capabilities on x86.
+
+With this change the warning is fixed.
+
+( Dave also suggested that we put a warning in this_cpu_has() if it's used
+ early in the boot process. This is still work in progress as it affects
+ MCE. )
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Lee Chun-Yi <jlee@suse.com>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ravi Shankar <ravi.v.shankar@intel.com>
+Cc: Ricardo Neri <ricardo.neri@intel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/1522870459-7432-1-git-send-email-sai.praneeth.prakhya@intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/tlbflush.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/tlbflush.h
++++ b/arch/x86/include/asm/tlbflush.h
+@@ -131,7 +131,12 @@ static inline unsigned long build_cr3(pg
+ static inline unsigned long build_cr3_noflush(pgd_t *pgd, u16 asid)
+ {
+ VM_WARN_ON_ONCE(asid > MAX_ASID_AVAILABLE);
+- VM_WARN_ON_ONCE(!this_cpu_has(X86_FEATURE_PCID));
++ /*
++ * Use boot_cpu_has() instead of this_cpu_has() as this function
++ * might be called during early boot. This should work even after
++ * boot because all CPU's the have same capabilities:
++ */
++ VM_WARN_ON_ONCE(!boot_cpu_has(X86_FEATURE_PCID));
+ return __sme_pa(pgd) | kern_pcid(asid) | CR3_NOFLUSH;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Joerg Roedel <joro@8bytes.org>
+Date: Wed, 11 Apr 2018 17:24:38 +0200
+Subject: x86/pgtable: Don't set huge PUD/PMD on non-leaf entries
+
+From: Joerg Roedel <joro@8bytes.org>
+
+[ Upstream commit e3e288121408c3abeed5af60b87b95c847143845 ]
+
+The pmd_set_huge() and pud_set_huge() functions are used from
+the generic ioremap() code to establish large mappings where this
+is possible.
+
+But the generic ioremap() code does not check whether the
+PMD/PUD entries are already populated with a non-leaf entry,
+so that any page-table pages these entries point to will be
+lost.
+
+Further, on x86-32 with SHARED_KERNEL_PMD=0, this causes a
+BUG_ON() in vmalloc_sync_one() when PMD entries are synced
+from swapper_pg_dir to the current page-table. This happens
+because the PMD entry from swapper_pg_dir was promoted to a
+huge-page entry while the current PGD still contains the
+non-leaf entry. Because both entries are present and point
+to a different page, the BUG_ON() triggers.
+
+This was actually triggered with pti-x32 enabled in a KVM
+virtual machine by the graphics driver.
+
+A real and better fix for that would be to improve the
+page-table handling in the generic ioremap() code. But that is
+out-of-scope for this patch-set and left for later work.
+
+Reported-by: David H. Gutteridge <dhgutteridge@sympatico.ca>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: David Laight <David.Laight@aculab.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: Eduardo Valentin <eduval@amazon.com>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: Jiri Kosina <jkosina@suse.cz>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Pavel Machek <pavel@ucw.cz>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Waiman Long <llong@redhat.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: aliguori@amazon.com
+Cc: daniel.gruss@iaik.tugraz.at
+Cc: hughd@google.com
+Cc: keescook@google.com
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180411152437.GC15462@8bytes.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/pgtable.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/x86/mm/pgtable.c
++++ b/arch/x86/mm/pgtable.c
+@@ -1,6 +1,7 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include <linux/mm.h>
+ #include <linux/gfp.h>
++#include <linux/hugetlb.h>
+ #include <asm/pgalloc.h>
+ #include <asm/pgtable.h>
+ #include <asm/tlb.h>
+@@ -636,6 +637,10 @@ int pud_set_huge(pud_t *pud, phys_addr_t
+ (mtrr != MTRR_TYPE_WRBACK))
+ return 0;
+
++ /* Bail out if we are we on a populated non-leaf entry: */
++ if (pud_present(*pud) && !pud_huge(*pud))
++ return 0;
++
+ prot = pgprot_4k_2_large(prot);
+
+ set_pte((pte_t *)pud, pfn_pte(
+@@ -664,6 +669,10 @@ int pmd_set_huge(pmd_t *pmd, phys_addr_t
+ return 0;
+ }
+
++ /* Bail out if we are we on a populated non-leaf entry: */
++ if (pmd_present(*pmd) && !pmd_huge(*pmd))
++ return 0;
++
+ prot = pgprot_4k_2_large(prot);
+
+ set_pte((pte_t *)pmd, pfn_pte(
--- /dev/null
+From foo@baz Tue May 1 14:59:18 PDT 2018
+From: Juergen Gross <jgross@suse.com>
+Date: Mon, 19 Feb 2018 11:09:06 +0100
+Subject: x86/xen: Add pvh specific rsdp address retrieval function
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit b17d9d1df3c33a4f1d2bf397e2257aecf9dc56d4 ]
+
+Add pvh_get_root_pointer() for Xen PVH guests to communicate the
+address of the RSDP table given to the kernel via Xen start info.
+
+This makes the kernel boot again in PVH mode after on recent Xen the
+RSDP was moved to higher addresses. So up to that change it was pure
+luck that the legacy method to locate the RSDP was working when
+running as PVH mode.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Eric Biederman <ebiederm@xmission.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: boris.ostrovsky@oracle.com
+Cc: lenb@kernel.org
+Cc: linux-acpi@vger.kernel.org
+Cc: xen-devel@lists.xenproject.org
+Link: http://lkml.kernel.org/r/20180219100906.14265-4-jgross@suse.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/xen/enlighten_pvh.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/xen/enlighten_pvh.c
++++ b/arch/x86/xen/enlighten_pvh.c
+@@ -6,6 +6,7 @@
+ #include <asm/io_apic.h>
+ #include <asm/hypervisor.h>
+ #include <asm/e820/api.h>
++#include <asm/x86_init.h>
+
+ #include <asm/xen/interface.h>
+ #include <asm/xen/hypercall.h>
+@@ -16,15 +17,20 @@
+ /*
+ * PVH variables.
+ *
+- * xen_pvh and pvh_bootparams need to live in data segment since they
+- * are used after startup_{32|64}, which clear .bss, are invoked.
++ * xen_pvh pvh_bootparams and pvh_start_info need to live in data segment
++ * since they are used after startup_{32|64}, which clear .bss, are invoked.
+ */
+ bool xen_pvh __attribute__((section(".data"))) = 0;
+ struct boot_params pvh_bootparams __attribute__((section(".data")));
++struct hvm_start_info pvh_start_info __attribute__((section(".data")));
+
+-struct hvm_start_info pvh_start_info;
+ unsigned int pvh_start_info_sz = sizeof(pvh_start_info);
+
++static u64 pvh_get_root_pointer(void)
++{
++ return pvh_start_info.rsdp_paddr;
++}
++
+ static void __init init_pvh_bootparams(void)
+ {
+ struct xen_memory_map memmap;
+@@ -71,6 +77,8 @@ static void __init init_pvh_bootparams(v
+ */
+ pvh_bootparams.hdr.version = 0x212;
+ pvh_bootparams.hdr.type_of_loader = (9 << 4) | 0; /* Xen loader */
++
++ x86_init.acpi.get_root_pointer = pvh_get_root_pointer;
+ }
+
+ /*
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 29 Mar 2018 12:01:53 +0300
+Subject: xen/acpi: off by one in read_acpi_id()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit c37a3c94775855567b90f91775b9691e10bd2806 ]
+
+If acpi_id is == nr_acpi_bits, then we access one element beyond the end
+of the acpi_psd[] array or we set one bit beyond the end of the bit map
+when we do __set_bit(acpi_id, acpi_id_present);
+
+Fixes: 59a568029181 ("xen/acpi-processor: C and P-state driver that uploads said data to hypervisor.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/xen-acpi-processor.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/xen/xen-acpi-processor.c
++++ b/drivers/xen/xen-acpi-processor.c
+@@ -362,9 +362,9 @@ read_acpi_id(acpi_handle handle, u32 lvl
+ }
+ /* There are more ACPI Processor objects than in x2APIC or MADT.
+ * This can happen with incorrect ACPI SSDT declerations. */
+- if (acpi_id > nr_acpi_bits) {
+- pr_debug("We only have %u, trying to set %u\n",
+- nr_acpi_bits, acpi_id);
++ if (acpi_id >= nr_acpi_bits) {
++ pr_debug("max acpi id %u, trying to set %u\n",
++ nr_acpi_bits - 1, acpi_id);
+ return AE_OK;
+ }
+ /* OK, There is a ACPI Processor object */
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Fri, 16 Mar 2018 16:33:01 +0200
+Subject: xhci: zero usb device slot_id member when disabling and freeing a xhci slot
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit a400efe455f7b61ac9a801ac8d0d01f8c8d82dd5 ]
+
+set udev->slot_id to zero when disabling and freeing the xhci slot.
+Prevents usb core from calling xhci with a stale slot id.
+
+xHC controller may be reset during resume to recover from some error.
+All slots are unusable as they are disabled and freed.
+xhci driver starts slot enumeration again from 1 in the order they are
+enabled. In the worst case a stale udev->slot_id for one device matches
+a newly enabled slot_id for a different device, causing us to
+perform a action on the wrong device.
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-mem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -913,6 +913,8 @@ void xhci_free_virt_device(struct xhci_h
+ if (dev->out_ctx)
+ xhci_free_container_ctx(xhci, dev->out_ctx);
+
++ if (dev->udev && dev->udev->slot_id)
++ dev->udev->slot_id = 0;
+ kfree(xhci->devs[slot_id]);
+ xhci->devs[slot_id] = NULL;
+ }
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Xidong Wang <wangxidong_97@163.com>
+Date: Tue, 10 Apr 2018 16:29:34 -0700
+Subject: z3fold: fix memory leak
+
+From: Xidong Wang <wangxidong_97@163.com>
+
+[ Upstream commit 1ec6995d1290bfb87cc3a51f0836c889e857cef9 ]
+
+In z3fold_create_pool(), the memory allocated by __alloc_percpu() is not
+released on the error path that pool->compact_wq , which holds the
+return value of create_singlethread_workqueue(), is NULL. This will
+result in a memory leak bug.
+
+[akpm@linux-foundation.org: fix oops on kzalloc() failure, check __alloc_percpu() retval]
+Link: http://lkml.kernel.org/r/1522803111-29209-1-git-send-email-wangxidong_97@163.com
+Signed-off-by: Xidong Wang <wangxidong_97@163.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Vitaly Wool <vitalywool@gmail.com>
+Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/z3fold.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/mm/z3fold.c
++++ b/mm/z3fold.c
+@@ -467,6 +467,8 @@ static struct z3fold_pool *z3fold_create
+ spin_lock_init(&pool->lock);
+ spin_lock_init(&pool->stale_lock);
+ pool->unbuddied = __alloc_percpu(sizeof(struct list_head)*NCHUNKS, 2);
++ if (!pool->unbuddied)
++ goto out_pool;
+ for_each_possible_cpu(cpu) {
+ struct list_head *unbuddied =
+ per_cpu_ptr(pool->unbuddied, cpu);
+@@ -479,7 +481,7 @@ static struct z3fold_pool *z3fold_create
+ pool->name = name;
+ pool->compact_wq = create_singlethread_workqueue(pool->name);
+ if (!pool->compact_wq)
+- goto out;
++ goto out_unbuddied;
+ pool->release_wq = create_singlethread_workqueue(pool->name);
+ if (!pool->release_wq)
+ goto out_wq;
+@@ -489,8 +491,11 @@ static struct z3fold_pool *z3fold_create
+
+ out_wq:
+ destroy_workqueue(pool->compact_wq);
+-out:
++out_unbuddied:
++ free_percpu(pool->unbuddied);
++out_pool:
+ kfree(pool);
++out:
+ return NULL;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 14:59:17 PDT 2018
+From: Michael Schmitz <schmitzmic@gmail.com>
+Date: Sat, 3 Mar 2018 12:04:13 +1300
+Subject: zorro: Set up z->dev.dma_mask for the DMA API
+
+From: Michael Schmitz <schmitzmic@gmail.com>
+
+[ Upstream commit 55496d3fe2acd1a365c43cbd613a20ecd4d74395 ]
+
+The generic DMA API uses dev->dma_mask to check the DMA addressable
+memory bitmask, and warns if no mask is set or even allocated.
+
+Set z->dev.dma_coherent_mask on Zorro bus scan, and make z->dev.dma_mask
+to point to z->dev.dma_coherent_mask so device drivers that need DMA have
+everything set up to avoid warnings from dma_alloc_coherent(). Drivers can
+still use dma_set_mask_and_coherent() to explicitly set their DMA bit mask.
+
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+[geert: Handle Zorro II with 24-bit address space]
+Acked-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/zorro/zorro.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/zorro/zorro.c
++++ b/drivers/zorro/zorro.c
+@@ -16,6 +16,7 @@
+ #include <linux/bitops.h>
+ #include <linux/string.h>
+ #include <linux/platform_device.h>
++#include <linux/dma-mapping.h>
+ #include <linux/slab.h>
+
+ #include <asm/byteorder.h>
+@@ -185,6 +186,17 @@ static int __init amiga_zorro_probe(stru
+ z->dev.parent = &bus->dev;
+ z->dev.bus = &zorro_bus_type;
+ z->dev.id = i;
++ switch (z->rom.er_Type & ERT_TYPEMASK) {
++ case ERT_ZORROIII:
++ z->dev.coherent_dma_mask = DMA_BIT_MASK(32);
++ break;
++
++ case ERT_ZORROII:
++ default:
++ z->dev.coherent_dma_mask = DMA_BIT_MASK(24);
++ break;
++ }
++ z->dev.dma_mask = &z->dev.coherent_dma_mask;
+ }
+
+ /* ... then register them */
projects / thirdparty / kernel / stable-queue.git / commitdiff
