--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Lenny Szubowicz <lszubowi@redhat.com>
+Date: Tue, 27 Mar 2018 09:56:40 -0400
+Subject: ACPI: acpi_pad: Fix memory leak in power saving threads
+
+From: Lenny Szubowicz <lszubowi@redhat.com>
+
+[ Upstream commit 8b29d29abc484d638213dd79a18a95ae7e5bb402 ]
+
+Fix once per second (round_robin_time) memory leak of about 1 KB in
+each acpi_pad kernel idling thread that is activated.
+
+Found by testing with kmemleak.
+
+Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpi_pad.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/acpi/acpi_pad.c
++++ b/drivers/acpi/acpi_pad.c
+@@ -110,6 +110,7 @@ static void round_robin_cpu(unsigned int
+ cpumask_andnot(tmp, cpu_online_mask, pad_busy_cpus);
+ if (cpumask_empty(tmp)) {
+ mutex_unlock(&round_robin_lock);
++ free_cpumask_var(tmp);
+ return;
+ }
+ for_each_cpu(cpu, tmp) {
+@@ -127,6 +128,8 @@ static void round_robin_cpu(unsigned int
+ mutex_unlock(&round_robin_lock);
+
+ set_cpus_allowed_ptr(current, cpumask_of(preferred_cpu));
++
++ free_cpumask_var(tmp);
+ }
+
+ static void exit_round_robin(unsigned int tsk_index)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Wed, 14 Mar 2018 16:12:56 -0700
+Subject: ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c
+
+From: Seunghun Han <kkamagui@gmail.com>
+
+[ Upstream commit 97f3c0a4b0579b646b6b10ae5a3d59f0441cc12c ]
+
+I found an ACPI cache leak in ACPI early termination and boot continuing case.
+
+When early termination occurs due to malicious ACPI table, Linux kernel
+terminates ACPI function and continues to boot process. While kernel terminates
+ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
+
+Boot log of ACPI operand cache leak is as follows:
+>[ 0.464168] ACPI: Added _OSI(Module Device)
+>[ 0.467022] ACPI: Added _OSI(Processor Device)
+>[ 0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
+>[ 0.471647] ACPI: Added _OSI(Processor Aggregator Device)
+>[ 0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
+>[ 0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
+>[ 0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
+>[ 0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
+>[ 0.497683] ACPI: Interpreter enabled
+>[ 0.499385] ACPI: (supports S0)
+>[ 0.501151] ACPI: Using IOAPIC for interrupt routing
+>[ 0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
+>[ 0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
+>[ 0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
+>[ 0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
+>[ 0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
+>[ 0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
+>[ 0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
+>[ 0.526795] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006
+>[ 0.529668] Call Trace:
+>[ 0.530811] ? dump_stack+0x5c/0x81
+>[ 0.532240] ? kmem_cache_destroy+0x1aa/0x1c0
+>[ 0.533905] ? acpi_os_delete_cache+0xa/0x10
+>[ 0.535497] ? acpi_ut_delete_caches+0x3f/0x7b
+>[ 0.537237] ? acpi_terminate+0xa/0x14
+>[ 0.538701] ? acpi_init+0x2af/0x34f
+>[ 0.540008] ? acpi_sleep_proc_init+0x27/0x27
+>[ 0.541593] ? do_one_initcall+0x4e/0x1a0
+>[ 0.543008] ? kernel_init_freeable+0x19e/0x21f
+>[ 0.546202] ? rest_init+0x80/0x80
+>[ 0.547513] ? kernel_init+0xa/0x100
+>[ 0.548817] ? ret_from_fork+0x25/0x30
+>[ 0.550587] vgaarb: loaded
+>[ 0.551716] EDAC MC: Ver: 3.0.0
+>[ 0.553744] PCI: Probing PCI hardware
+>[ 0.555038] PCI host bridge to bus 0000:00
+> ... Continue to boot and log is omitted ...
+
+I analyzed this memory leak in detail and found acpi_ns_evaluate() function
+only removes Info->return_object in AE_CTRL_RETURN_VALUE case. But, when errors
+occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->return_object is
+also not null. Therefore, this causes acpi operand memory leak.
+
+This cache leak causes a security threat because an old kernel (<= 4.9) shows
+memory locations of kernel functions in stack dump. Some malicious users
+could use this information to neutralize kernel ASLR.
+
+I made a patch to fix ACPI operand cache leak.
+
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpica/nseval.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/acpi/acpica/nseval.c
++++ b/drivers/acpi/acpica/nseval.c
+@@ -308,6 +308,14 @@ acpi_status acpi_ns_evaluate(struct acpi
+ /* Map AE_CTRL_RETURN_VALUE to AE_OK, we are done with it */
+
+ status = AE_OK;
++ } else if (ACPI_FAILURE(status)) {
++
++ /* If return_object exists, delete it */
++
++ if (info->return_object) {
++ acpi_ut_remove_reference(info->return_object);
++ info->return_object = NULL;
++ }
+ }
+
+ ACPI_DEBUG_PRINT((ACPI_DB_NAMES,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Erik Schmauss <erik.schmauss@intel.com>
+Date: Wed, 14 Mar 2018 16:13:08 -0700
+Subject: ACPICA: Events: add a return on failure from acpi_hw_register_read
+
+From: Erik Schmauss <erik.schmauss@intel.com>
+
+[ Upstream commit b4c0de312613ca676db5bd7e696a44b56795612a ]
+
+This ensures that acpi_ev_fixed_event_detect() does not use fixed_status
+and and fixed_enable as uninitialized variables.
+
+Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpica/evevent.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/acpica/evevent.c
++++ b/drivers/acpi/acpica/evevent.c
+@@ -204,6 +204,7 @@ u32 acpi_ev_fixed_event_detect(void)
+ u32 fixed_status;
+ u32 fixed_enable;
+ u32 i;
++ acpi_status status;
+
+ ACPI_FUNCTION_NAME(ev_fixed_event_detect);
+
+@@ -211,8 +212,12 @@ u32 acpi_ev_fixed_event_detect(void)
+ * Read the fixed feature status and enable registers, as all the cases
+ * depend on their values. Ignore errors here.
+ */
+- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status);
+- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable);
++ status = acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status);
++ status |=
++ acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable);
++ if (ACPI_FAILURE(status)) {
++ return (int_status);
++ }
+
+ ACPI_DEBUG_PRINT((ACPI_DB_INTERRUPTS,
+ "Fixed Event Block: Enable %08X Status %08X\n",
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Bob Moore <robert.moore@intel.com>
+Date: Wed, 14 Mar 2018 16:13:01 -0700
+Subject: ACPICA: Fix memory leak on unusual memory leak
+
+From: Bob Moore <robert.moore@intel.com>
+
+[ Upstream commit 1c29c372b2d1d2415601041532745ce859f24126 ]
+
+Fixes a single-object memory leak on a store-to-reference method
+invocation. ACPICA BZ 1439.
+
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpica/psargs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/acpi/acpica/psargs.c
++++ b/drivers/acpi/acpica/psargs.c
+@@ -890,6 +890,10 @@ acpi_ps_get_next_arg(struct acpi_walk_st
+ ACPI_POSSIBLE_METHOD_CALL);
+
+ if (arg->common.aml_opcode == AML_INT_METHODCALL_OP) {
++
++ /* Free method call op and corresponding namestring sub-ob */
++
++ acpi_ps_free_op(arg->common.value.arg);
+ acpi_ps_free_op(arg);
+ arg = NULL;
+ walk_state->arg_count = 1;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Nobutaka Okabe <nob77413@gmail.com>
+Date: Fri, 23 Mar 2018 19:18:22 +0900
+Subject: ALSA: usb-audio: Add native DSD support for Luxman DA-06
+
+From: Nobutaka Okabe <nob77413@gmail.com>
+
+[ Upstream commit 71426535f49fe6034d0e0db77608b91a0c1a022d ]
+
+Add native DSD support quirk for Luxman DA-06 DAC, by adding the
+PID/VID 1852:5065.
+
+Rename "is_marantz_denon_dac()" function to "is_itf_usb_dsd_2alts_dac()"
+to cover broader device family sharing the same USB audio
+implementation(*).
+For the same reason, rename "is_teac_dsd_dac()" function to
+"is_itf_usb_dsd_3alts_dac()".
+
+(*)
+These devices have the same USB controller "ITF-USB DSD", supplied by
+INTERFACE Co., Ltd.
+"ITF-USB DSD" USB controller has two patterns,
+
+Pattern 1. (2 altsets version)
+- Altset 0: for control
+- Altset 1: for stream (S32)
+- Altset 2: for stream (S32, DSD_U32)
+
+Pattern 2. (3 altsets version)
+- Altset 0: for control
+- Altset 1: for stream (S16)
+- Altset 2: for stream (S32)
+- Altset 3: for stream (S32, DSD_U32)
+
+"is_itf_usb_dsd_2alts_dac()" returns true, if the DAC has "Pattern 1"
+USB controller, and "is_itf_usb_dsd_3alts_dac()" returns true, if
+"Pattern2".
+
+Signed-off-by: Nobutaka Okabe <nob77413@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/quirks.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1155,24 +1155,27 @@ bool snd_usb_get_sample_rate_quirk(struc
+ return false;
+ }
+
+-/* Marantz/Denon USB DACs need a vendor cmd to switch
++/* ITF-USB DSD based DACs need a vendor cmd to switch
+ * between PCM and native DSD mode
++ * (2 altsets version)
+ */
+-static bool is_marantz_denon_dac(unsigned int id)
++static bool is_itf_usb_dsd_2alts_dac(unsigned int id)
+ {
+ switch (id) {
+ case USB_ID(0x154e, 0x1003): /* Denon DA-300USB */
+ case USB_ID(0x154e, 0x3005): /* Marantz HD-DAC1 */
+ case USB_ID(0x154e, 0x3006): /* Marantz SA-14S1 */
++ case USB_ID(0x1852, 0x5065): /* Luxman DA-06 */
+ return true;
+ }
+ return false;
+ }
+
+-/* TEAC UD-501/UD-503/NT-503 USB DACs need a vendor cmd to switch
+- * between PCM/DOP and native DSD mode
++/* ITF-USB DSD based DACs need a vendor cmd to switch
++ * between PCM and native DSD mode
++ * (3 altsets version)
+ */
+-static bool is_teac_dsd_dac(unsigned int id)
++static bool is_itf_usb_dsd_3alts_dac(unsigned int id)
+ {
+ switch (id) {
+ case USB_ID(0x0644, 0x8043): /* TEAC UD-501/UD-503/NT-503 */
+@@ -1189,7 +1192,7 @@ int snd_usb_select_mode_quirk(struct snd
+ struct usb_device *dev = subs->dev;
+ int err;
+
+- if (is_marantz_denon_dac(subs->stream->chip->usb_id)) {
++ if (is_itf_usb_dsd_2alts_dac(subs->stream->chip->usb_id)) {
+ /* First switch to alt set 0, otherwise the mode switch cmd
+ * will not be accepted by the DAC
+ */
+@@ -1210,7 +1213,7 @@ int snd_usb_select_mode_quirk(struct snd
+ break;
+ }
+ mdelay(20);
+- } else if (is_teac_dsd_dac(subs->stream->chip->usb_id)) {
++ } else if (is_itf_usb_dsd_3alts_dac(subs->stream->chip->usb_id)) {
+ /* Vendor mode switch cmd is required. */
+ switch (fmt->altsetting) {
+ case 3: /* DSD mode (DSD_U32) requested */
+@@ -1306,10 +1309,10 @@ void snd_usb_ctl_msg_quirk(struct usb_de
+ (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
+ mdelay(20);
+
+- /* Marantz/Denon devices with USB DAC functionality need a delay
++ /* ITF-USB DSD based DACs functionality need a delay
+ * after each class compliant request
+ */
+- if (is_marantz_denon_dac(chip->usb_id)
++ if (is_itf_usb_dsd_2alts_dac(chip->usb_id)
+ && (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
+ mdelay(20);
+
+@@ -1396,14 +1399,14 @@ u64 snd_usb_interface_dsd_format_quirks(
+ break;
+ }
+
+- /* Denon/Marantz devices with USB DAC functionality */
+- if (is_marantz_denon_dac(chip->usb_id)) {
++ /* ITF-USB DSD based DACs (2 altsets version) */
++ if (is_itf_usb_dsd_2alts_dac(chip->usb_id)) {
+ if (fp->altsetting == 2)
+ return SNDRV_PCM_FMTBIT_DSD_U32_BE;
+ }
+
+- /* TEAC devices with USB DAC functionality */
+- if (is_teac_dsd_dac(chip->usb_id)) {
++ /* ITF-USB DSD based DACs (3 altsets version) */
++ if (is_itf_usb_dsd_3alts_dac(chip->usb_id)) {
+ if (fp->altsetting == 3)
+ return SNDRV_PCM_FMTBIT_DSD_U32_BE;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 8 Mar 2018 08:26:48 +0100
+Subject: ALSA: vmaster: Propagate slave error
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 2e2c177ca84aff092c3c96714b0f6a12900f3946 ]
+
+In slave_update() of vmaster code ignores the error from the slave
+get() callback and copies the values. It's not only about the missing
+error code but also that this may potentially lead to a leak of
+uninitialized variables when the slave get() don't clear them.
+
+This patch fixes slave_update() not to copy the potentially
+uninitialized values when an error is returned from the slave get()
+callback, and to propagate the error value properly.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/vmaster.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/sound/core/vmaster.c
++++ b/sound/core/vmaster.c
+@@ -68,10 +68,13 @@ static int slave_update(struct link_slav
+ return -ENOMEM;
+ uctl->id = slave->slave.id;
+ err = slave->slave.get(&slave->slave, uctl);
++ if (err < 0)
++ goto error;
+ for (ch = 0; ch < slave->info.count; ch++)
+ slave->vals[ch] = uctl->value.integer.value[ch];
++ error:
+ kfree(uctl);
+- return 0;
++ return err < 0 ? err : 0;
+ }
+
+ /* get the slave ctl info and save the initial values */
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Ulf Magnusson <ulfalizer@gmail.com>
+Date: Mon, 5 Feb 2018 02:21:31 +0100
+Subject: ARC: Fix malformed ARC_EMUL_UNALIGNED default
+
+From: Ulf Magnusson <ulfalizer@gmail.com>
+
+[ Upstream commit 827cc2fa024dd6517d62de7a44c7b42f32af371b ]
+
+'default N' should be 'default n', though they happen to have the same
+effect here, due to undefined symbols (N in this case) evaluating to n
+in a tristate sense.
+
+Remove the default from ARC_EMUL_UNALIGNED instead of changing it. bool
+and tristate symbols implicitly default to n.
+
+Discovered with the
+https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_ulfalizer_Kconfiglib_blob_master_examples_list-5Fundefined.py&d=DwIBAg&c=DPL6_X_6JkXFx7AXWqB0tg&r=c14YS-cH-kdhTOW89KozFhBtBJgs1zXscZojEZQ0THs&m=WxxD8ozR7QQUVzNCBksiznaisBGO_crN7PBOvAoju8s&s=1LmxsNqxwT-7wcInVpZ6Z1J27duZKSoyKxHIJclXU_M&e=
+script.
+
+Signed-off-by: Ulf Magnusson <ulfalizer@gmail.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arc/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/arc/Kconfig
++++ b/arch/arc/Kconfig
+@@ -487,7 +487,6 @@ config ARC_CURR_IN_REG
+
+ config ARC_EMUL_UNALIGNED
+ bool "Emulate unaligned memory access (userspace only)"
+- default N
+ select SYSCTL_ARCH_UNALIGN_NO_WARN
+ select SYSCTL_ARCH_UNALIGN_ALLOW
+ depends on ISA_ARCOMPACT
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Date: Fri, 23 Feb 2018 19:41:52 +0300
+Subject: ARC: mcip: halt GFRC counter when ARC cores halt
+
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+
+[ Upstream commit 07423d00a2b2a71a97e4287d9262cb83c4c4c89f ]
+
+In SMP systems, GFRC is used for clocksource. However by default the
+counter keeps running even when core is halted (say when debugging via a
+JTAG debugger). This confuses Linux timekeeping and triggers flase RCU stall
+splat such as below:
+
+| [ARCLinux]# while true; do ./shm_open_23-1.run-test ; done
+| Running with 1000 processes for 1000 objects
+| hrtimer: interrupt took 485060 ns
+|
+| create_cnt: 1000
+| Running with 1000 processes for 1000 objects
+| [ARCLinux]# INFO: rcu_preempt self-detected stall on CPU
+| 2-...: (1 GPs behind) idle=a01/1/0 softirq=135770/135773 fqs=0
+| INFO: rcu_preempt detected stalls on CPUs/tasks:
+| 0-...: (1 GPs behind) idle=71e/0/0 softirq=135264/135264 fqs=0
+| 2-...: (1 GPs behind) idle=a01/1/0 softirq=135770/135773 fqs=0
+| 3-...: (1 GPs behind) idle=4e0/0/0 softirq=134304/134304 fqs=0
+| (detected by 1, t=13648 jiffies, g=31493, c=31492, q=1)
+
+Starting from ARC HS v3.0 it's possible to tie GFRC to state of up-to 4
+ARC cores with help of GFRC's CORE register where we set a mask for
+cores which state we need to rely on.
+
+We update cpu mask every time new cpu came online instead of using
+hardcoded one or using mask generated from "possible_cpus" as we
+want it set correctly even if we run kernel on HW which has fewer cores
+than expected (or we launch kernel via debugger and kick fever cores
+than HW has)
+
+Note that GFRC halts when all cores have halted and thus relies on
+programming of Inter-Core-dEbug register to halt all cores when one
+halts.
+
+Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
+Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+[vgupta: rewrote changelog]
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arc/kernel/mcip.c | 37 +++++++++++++++++++++++++++++++++++++
+ include/soc/arc/mcip.h | 3 +++
+ 2 files changed, 40 insertions(+)
+
+--- a/arch/arc/kernel/mcip.c
++++ b/arch/arc/kernel/mcip.c
+@@ -22,10 +22,47 @@ static DEFINE_RAW_SPINLOCK(mcip_lock);
+
+ static char smp_cpuinfo_buf[128];
+
++/*
++ * Set mask to halt GFRC if any online core in SMP cluster is halted.
++ * Only works for ARC HS v3.0+, on earlier versions has no effect.
++ */
++static void mcip_update_gfrc_halt_mask(int cpu)
++{
++ struct bcr_generic gfrc;
++ unsigned long flags;
++ u32 gfrc_halt_mask;
++
++ READ_BCR(ARC_REG_GFRC_BUILD, gfrc);
++
++ /*
++ * CMD_GFRC_SET_CORE and CMD_GFRC_READ_CORE commands were added in
++ * GFRC 0x3 version.
++ */
++ if (gfrc.ver < 0x3)
++ return;
++
++ raw_spin_lock_irqsave(&mcip_lock, flags);
++
++ __mcip_cmd(CMD_GFRC_READ_CORE, 0);
++ gfrc_halt_mask = read_aux_reg(ARC_REG_MCIP_READBACK);
++ gfrc_halt_mask |= BIT(cpu);
++ __mcip_cmd_data(CMD_GFRC_SET_CORE, 0, gfrc_halt_mask);
++
++ raw_spin_unlock_irqrestore(&mcip_lock, flags);
++}
++
+ static void mcip_setup_per_cpu(int cpu)
+ {
++ struct mcip_bcr mp;
++
++ READ_BCR(ARC_REG_MCIP_BCR, mp);
++
+ smp_ipi_irq_setup(cpu, IPI_IRQ);
+ smp_ipi_irq_setup(cpu, SOFTIRQ_IRQ);
++
++ /* Update GFRC halt mask as new CPU came online */
++ if (mp.gfrc)
++ mcip_update_gfrc_halt_mask(cpu);
+ }
+
+ static void mcip_ipi_send(int cpu)
+--- a/include/soc/arc/mcip.h
++++ b/include/soc/arc/mcip.h
+@@ -15,6 +15,7 @@
+
+ #define ARC_REG_MCIP_BCR 0x0d0
+ #define ARC_REG_MCIP_IDU_BCR 0x0D5
++#define ARC_REG_GFRC_BUILD 0x0D6
+ #define ARC_REG_MCIP_CMD 0x600
+ #define ARC_REG_MCIP_WDATA 0x601
+ #define ARC_REG_MCIP_READBACK 0x602
+@@ -40,6 +41,8 @@ struct mcip_cmd {
+
+ #define CMD_GFRC_READ_LO 0x42
+ #define CMD_GFRC_READ_HI 0x43
++#define CMD_GFRC_SET_CORE 0x47
++#define CMD_GFRC_READ_CORE 0x48
+
+ #define CMD_IDU_ENABLE 0x71
+ #define CMD_IDU_DISABLE 0x72
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Date: Fri, 23 Feb 2018 19:41:53 +0300
+Subject: ARC: mcip: update MCIP debug mask when the new cpu came online
+
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+
+[ Upstream commit f3205de98db2fc8083796dd5ad81b191e436fab8 ]
+
+As of today we use hardcoded MCIP debug mask, so if we launch
+kernel via debugger and kick fever cores than HW has all cpus
+hang at the momemt of setup MCIP debug mask.
+
+So update MCIP debug mask when the new cpu came online, instead of
+use hardcoded MCIP debug mask.
+
+Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arc/kernel/mcip.c | 37 ++++++++++++++++++++++++++++++++-----
+ include/soc/arc/mcip.h | 2 ++
+ 2 files changed, 34 insertions(+), 5 deletions(-)
+
+--- a/arch/arc/kernel/mcip.c
++++ b/arch/arc/kernel/mcip.c
+@@ -51,6 +51,34 @@ static void mcip_update_gfrc_halt_mask(i
+ raw_spin_unlock_irqrestore(&mcip_lock, flags);
+ }
+
++static void mcip_update_debug_halt_mask(int cpu)
++{
++ u32 mcip_mask = 0;
++ unsigned long flags;
++
++ raw_spin_lock_irqsave(&mcip_lock, flags);
++
++ /*
++ * mcip_mask is same for CMD_DEBUG_SET_SELECT and CMD_DEBUG_SET_MASK
++ * commands. So read it once instead of reading both CMD_DEBUG_READ_MASK
++ * and CMD_DEBUG_READ_SELECT.
++ */
++ __mcip_cmd(CMD_DEBUG_READ_SELECT, 0);
++ mcip_mask = read_aux_reg(ARC_REG_MCIP_READBACK);
++
++ mcip_mask |= BIT(cpu);
++
++ __mcip_cmd_data(CMD_DEBUG_SET_SELECT, 0, mcip_mask);
++ /*
++ * Parameter specified halt cause:
++ * STATUS32[H]/actionpoint/breakpoint/self-halt
++ * We choose all of them (0xF).
++ */
++ __mcip_cmd_data(CMD_DEBUG_SET_MASK, 0xF, mcip_mask);
++
++ raw_spin_unlock_irqrestore(&mcip_lock, flags);
++}
++
+ static void mcip_setup_per_cpu(int cpu)
+ {
+ struct mcip_bcr mp;
+@@ -63,6 +91,10 @@ static void mcip_setup_per_cpu(int cpu)
+ /* Update GFRC halt mask as new CPU came online */
+ if (mp.gfrc)
+ mcip_update_gfrc_halt_mask(cpu);
++
++ /* Update MCIP debug mask as new CPU came online */
++ if (mp.dbg)
++ mcip_update_debug_halt_mask(cpu);
+ }
+
+ static void mcip_ipi_send(int cpu)
+@@ -138,11 +170,6 @@ static void mcip_probe_n_setup(void)
+ IS_AVAIL1(mp.gfrc, "GFRC"));
+
+ cpuinfo_arc700[0].extn.gfrc = mp.gfrc;
+-
+- if (mp.dbg) {
+- __mcip_cmd_data(CMD_DEBUG_SET_SELECT, 0, 0xf);
+- __mcip_cmd_data(CMD_DEBUG_SET_MASK, 0xf, 0xf);
+- }
+ }
+
+ struct plat_smp_ops plat_smp_ops = {
+--- a/include/soc/arc/mcip.h
++++ b/include/soc/arc/mcip.h
+@@ -37,7 +37,9 @@ struct mcip_cmd {
+ #define CMD_SEMA_RELEASE 0x12
+
+ #define CMD_DEBUG_SET_MASK 0x34
++#define CMD_DEBUG_READ_MASK 0x35
+ #define CMD_DEBUG_SET_SELECT 0x36
++#define CMD_DEBUG_READ_SELECT 0x37
+
+ #define CMD_GFRC_READ_LO 0x42
+ #define CMD_GFRC_READ_HI 0x43
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Date: Fri, 23 Feb 2018 19:41:54 +0300
+Subject: ARC: setup cpu possible mask according to possible-cpus dts property
+
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+
+[ Upstream commit a29a25275452c97fe35815f1eb9564f2a07a1965 ]
+
+As we have option in u-boot to set CPU mask for running linux,
+we want to pass information to kernel about CPU cores should
+be brought up. So we patch kernel dtb in u-boot to set
+possible-cpus property.
+
+This also allows us to have correctly setuped MCIP debug mask.
+
+Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arc/kernel/smp.c | 50 ++++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 40 insertions(+), 10 deletions(-)
+
+--- a/arch/arc/kernel/smp.c
++++ b/arch/arc/kernel/smp.c
+@@ -24,6 +24,7 @@
+ #include <linux/reboot.h>
+ #include <linux/irqdomain.h>
+ #include <linux/export.h>
++#include <linux/of_fdt.h>
+
+ #include <asm/processor.h>
+ #include <asm/setup.h>
+@@ -47,6 +48,42 @@ void __init smp_prepare_boot_cpu(void)
+ {
+ }
+
++static int __init arc_get_cpu_map(const char *name, struct cpumask *cpumask)
++{
++ unsigned long dt_root = of_get_flat_dt_root();
++ const char *buf;
++
++ buf = of_get_flat_dt_prop(dt_root, name, NULL);
++ if (!buf)
++ return -EINVAL;
++
++ if (cpulist_parse(buf, cpumask))
++ return -EINVAL;
++
++ return 0;
++}
++
++/*
++ * Read from DeviceTree and setup cpu possible mask. If there is no
++ * "possible-cpus" property in DeviceTree pretend all [0..NR_CPUS-1] exist.
++ */
++static void __init arc_init_cpu_possible(void)
++{
++ struct cpumask cpumask;
++
++ if (arc_get_cpu_map("possible-cpus", &cpumask)) {
++ pr_warn("Failed to get possible-cpus from dtb, pretending all %u cpus exist\n",
++ NR_CPUS);
++
++ cpumask_setall(&cpumask);
++ }
++
++ if (!cpumask_test_cpu(0, &cpumask))
++ panic("Master cpu (cpu[0]) is missed in cpu possible mask!");
++
++ init_cpu_possible(&cpumask);
++}
++
+ /*
+ * Called from setup_arch() before calling setup_processor()
+ *
+@@ -58,10 +95,7 @@ void __init smp_prepare_boot_cpu(void)
+ */
+ void __init smp_init_cpus(void)
+ {
+- unsigned int i;
+-
+- for (i = 0; i < NR_CPUS; i++)
+- set_cpu_possible(i, true);
++ arc_init_cpu_possible();
+
+ if (plat_smp_ops.init_early_smp)
+ plat_smp_ops.init_early_smp();
+@@ -70,16 +104,12 @@ void __init smp_init_cpus(void)
+ /* called from init ( ) => process 1 */
+ void __init smp_prepare_cpus(unsigned int max_cpus)
+ {
+- int i;
+-
+ /*
+ * if platform didn't set the present map already, do it now
+ * boot cpu is set to present already by init/main.c
+ */
+- if (num_present_cpus() <= 1) {
+- for (i = 0; i < max_cpus; i++)
+- set_cpu_present(i, true);
+- }
++ if (num_present_cpus() <= 1)
++ init_cpu_present(cpu_possible_mask);
+ }
+
+ void __init smp_cpus_done(unsigned int max_cpus)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jinbum Park <jinb.park7@gmail.com>
+Date: Tue, 6 Mar 2018 01:37:21 +0100
+Subject: ARM: 8748/1: mm: Define vdso_start, vdso_end as array
+
+From: Jinbum Park <jinb.park7@gmail.com>
+
+[ Upstream commit 73b9160d0dfe44dfdaffd6465dc1224c38a4a73c ]
+
+Define vdso_start, vdso_end as array to avoid compile-time analysis error
+for the case of built with CONFIG_FORTIFY_SOURCE.
+
+and, since vdso_start, vdso_end are used in vdso.c only,
+move extern-declaration from vdso.h to vdso.c.
+
+If kernel is built with CONFIG_FORTIFY_SOURCE,
+compile-time error happens at this code.
+- if (memcmp(&vdso_start, "177ELF", 4))
+
+The size of "&vdso_start" is recognized as 1 byte, but n is 4,
+So that compile-time error is reported.
+
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jinbum Park <jinb.park7@gmail.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/include/asm/vdso.h | 2 --
+ arch/arm/kernel/vdso.c | 12 +++++++-----
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/arch/arm/include/asm/vdso.h
++++ b/arch/arm/include/asm/vdso.h
+@@ -12,8 +12,6 @@ struct mm_struct;
+
+ void arm_install_vdso(struct mm_struct *mm, unsigned long addr);
+
+-extern char vdso_start, vdso_end;
+-
+ extern unsigned int vdso_total_pages;
+
+ #else /* CONFIG_VDSO */
+--- a/arch/arm/kernel/vdso.c
++++ b/arch/arm/kernel/vdso.c
+@@ -39,6 +39,8 @@
+
+ static struct page **vdso_text_pagelist;
+
++extern char vdso_start[], vdso_end[];
++
+ /* Total number of pages needed for the data and text portions of the VDSO. */
+ unsigned int vdso_total_pages __ro_after_init;
+
+@@ -197,13 +199,13 @@ static int __init vdso_init(void)
+ unsigned int text_pages;
+ int i;
+
+- if (memcmp(&vdso_start, "\177ELF", 4)) {
++ if (memcmp(vdso_start, "\177ELF", 4)) {
+ pr_err("VDSO is not a valid ELF object!\n");
+ return -ENOEXEC;
+ }
+
+- text_pages = (&vdso_end - &vdso_start) >> PAGE_SHIFT;
+- pr_debug("vdso: %i text pages at base %p\n", text_pages, &vdso_start);
++ text_pages = (vdso_end - vdso_start) >> PAGE_SHIFT;
++ pr_debug("vdso: %i text pages at base %p\n", text_pages, vdso_start);
+
+ /* Allocate the VDSO text pagelist */
+ vdso_text_pagelist = kcalloc(text_pages, sizeof(struct page *),
+@@ -218,7 +220,7 @@ static int __init vdso_init(void)
+ for (i = 0; i < text_pages; i++) {
+ struct page *page;
+
+- page = virt_to_page(&vdso_start + i * PAGE_SIZE);
++ page = virt_to_page(vdso_start + i * PAGE_SIZE);
+ vdso_text_pagelist[i] = page;
+ }
+
+@@ -229,7 +231,7 @@ static int __init vdso_init(void)
+
+ cntvct_ok = cntvct_functional();
+
+- patch_vdso(&vdso_start);
++ patch_vdso(vdso_start);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Date: Tue, 10 Apr 2018 16:30:23 -0700
+Subject: ARM: CMA: avoid double mapping to the CMA area if CONFIG_HIGHMEM=y
+
+From: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+
+[ Upstream commit 3d2054ad8c2d5100b68b0c0405f89fd90bf4107b ]
+
+CMA area is now managed by the separate zone, ZONE_MOVABLE, to fix many
+MM related problems. In this implementation, if CONFIG_HIGHMEM = y,
+then ZONE_MOVABLE is considered as HIGHMEM and the memory of the CMA
+area is also considered as HIGHMEM. That means that they are considered
+as the page without direct mapping. However, CMA area could be in a
+lowmem and the memory could have direct mapping.
+
+In ARM, when establishing a new mapping for DMA, direct mapping should
+be cleared since two mapping with different cache policy could cause
+unknown problem. With this patch, PageHighmem() for the CMA memory
+located in lowmem returns true so that the function for DMA mapping
+cannot notice whether it needs to clear direct mapping or not,
+correctly. To handle this situation, this patch always clears direct
+mapping for such CMA memory.
+
+Link: http://lkml.kernel.org/r/1512114786-5085-4-git-send-email-iamjoonsoo.kim@lge.com
+Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Tested-by: Tony Lindgren <tony@atomide.com>
+Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.vnet.ibm.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Laura Abbott <lauraa@codeaurora.org>
+Cc: Marek Szyprowski <m.szyprowski@samsung.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Michal Nazarewicz <mina86@mina86.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mm/dma-mapping.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mm/dma-mapping.c
++++ b/arch/arm/mm/dma-mapping.c
+@@ -481,6 +481,12 @@ void __init dma_contiguous_early_fixup(p
+ void __init dma_contiguous_remap(void)
+ {
+ int i;
++
++ if (!dma_mmu_remap_num)
++ return;
++
++ /* call flush_cache_all() since CMA area would be large enough */
++ flush_cache_all();
+ for (i = 0; i < dma_mmu_remap_num; i++) {
+ phys_addr_t start = dma_mmu_remap[i].base;
+ phys_addr_t end = start + dma_mmu_remap[i].size;
+@@ -513,7 +519,15 @@ void __init dma_contiguous_remap(void)
+ flush_tlb_kernel_range(__phys_to_virt(start),
+ __phys_to_virt(end));
+
+- iotable_init(&map, 1);
++ /*
++ * All the memory in CMA region will be on ZONE_MOVABLE.
++ * If that zone is considered as highmem, the memory in CMA
++ * region is also considered as highmem even if it's
++ * physical address belong to lowmem. In this case,
++ * re-mapping isn't required.
++ */
++ if (!is_highmem_idx(ZONE_MOVABLE))
++ iotable_init(&map, 1);
+ }
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Date: Thu, 1 Mar 2018 11:34:48 +0100
+Subject: ARM: davinci: fix the GPIO lookup for omapl138-hawk
+
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+
+[ Upstream commit c4dc56be7e26040bfc60ce73425353516a356955 ]
+
+The GPIO chip is called davinci_gpio.0 in legacy mode. Fix it, so that
+mmc can correctly lookup the wp and cp gpios.
+
+Note that it is the gpio-davinci driver that sets the gpiochip label to
+davinci_gpio.0.
+
+Fixes: c69f43fb4f26 ("ARM: davinci: hawk: use gpio descriptor for mmc pins")
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+[nsekhar@ti.com: add a note on where the chip label is set]
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-davinci/board-omapl138-hawk.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mach-davinci/board-omapl138-hawk.c
++++ b/arch/arm/mach-davinci/board-omapl138-hawk.c
+@@ -127,8 +127,8 @@ static struct gpiod_lookup_table mmc_gpi
+ .dev_id = "da830-mmc.0",
+ .table = {
+ /* CD: gpio3_12: gpio60: chip 1 contains gpio range 32-63*/
+- GPIO_LOOKUP("davinci_gpio.1", 28, "cd", GPIO_ACTIVE_LOW),
+- GPIO_LOOKUP("davinci_gpio.1", 29, "wp", GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("davinci_gpio.0", 28, "cd", GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("davinci_gpio.0", 29, "wp", GPIO_ACTIVE_LOW),
+ },
+ };
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: David Lechner <david@lechnology.com>
+Date: Mon, 15 Jan 2018 11:29:31 -0600
+Subject: ARM: davinci_all_defconfig: set CONFIG_DAVINCI_WATCHDOG=y
+
+From: David Lechner <david@lechnology.com>
+
+[ Upstream commit 35ba26772c827dbfc03be8adc3af8ff0d294b38f ]
+
+This changes CONFIG_DAVINCI_WATCHDOG from a module to a compiled-in
+option. Since the reset function has been moved out of the mach code in
+commit 94f2e94514e5 ("ARM: davinci: remove watchdog reset") and into the
+watchdog driver, devices cannot reboot unless the watchdog driver is
+loaded, so make it a compiled-in option so that we can always reboot, even
+when modules are not loaded.
+
+Cc: Sekhar Nori <nsekhar@ti.com>
+Suggested-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: David Lechner <david@lechnology.com>
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/configs/davinci_all_defconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/configs/davinci_all_defconfig
++++ b/arch/arm/configs/davinci_all_defconfig
+@@ -124,7 +124,7 @@ CONFIG_POWER_RESET=y
+ CONFIG_POWER_RESET_GPIO=y
+ CONFIG_BATTERY_LEGO_EV3=m
+ CONFIG_WATCHDOG=y
+-CONFIG_DAVINCI_WATCHDOG=m
++CONFIG_DAVINCI_WATCHDOG=y
+ CONFIG_MFD_DM355EVM_MSP=y
+ CONFIG_TPS6507X=y
+ CONFIG_REGULATOR=y
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Peter Rosin <peda@axentia.se>
+Date: Tue, 16 Jan 2018 17:06:18 +0100
+Subject: ARM: dts: at91: tse850: use the correct compatible for the eeprom
+
+From: Peter Rosin <peda@axentia.se>
+
+[ Upstream commit 7981190fb5dd710dea08c2613cee3d05e795ca5e ]
+
+The used part does contain an eeprom compatible with an Atmel 24c02
+chip and it is from NXP, but it is not called 24c02. It's actually a
+se97b chip. Adjust the compatible accordingly.
+
+Fixes: 21dd0ece34c2 ("ARM: dts: at91: add devicetree for the Axentia TSE-850")
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/at91-tse850-3.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/at91-tse850-3.dts
++++ b/arch/arm/boot/dts/at91-tse850-3.dts
+@@ -245,7 +245,7 @@
+ };
+
+ eeprom@50 {
+- compatible = "nxp,24c02", "atmel,24c02";
++ compatible = "nxp,se97b", "atmel,24c02";
+ reg = <0x50>;
+ pagesize = <16>;
+ };
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Henry Zhang <henryzhang62@gmail.com>
+Date: Wed, 17 Jan 2018 18:41:33 -0800
+Subject: ARM: dts: bcm283x: Fix pin function of JTAG pins
+
+From: Henry Zhang <henryzhang62@gmail.com>
+
+[ Upstream commit 1a012cb2569f2031b3636232c3ab21c20c92d281 ]
+
+BCM2835 ARM Peripherals doc shows gpio pins 4, 5, 6, 12 and 13
+carry altenate function, ALT5 for ARM JTAG
+
+Fixes: 21ff843931b2 ("ARM: dts: bcm283x: Define standard pinctrl groups in the gpio node.")
+
+Signed-off-by: Henry Zhang <henryzhang62@gmail.com>
+Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/bcm283x.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/bcm283x.dtsi
++++ b/arch/arm/boot/dts/bcm283x.dtsi
+@@ -251,7 +251,7 @@
+
+ jtag_gpio4: jtag_gpio4 {
+ brcm,pins = <4 5 6 12 13>;
+- brcm,function = <BCM2835_FSEL_ALT4>;
++ brcm,function = <BCM2835_FSEL_ALT5>;
+ };
+ jtag_gpio22: jtag_gpio22 {
+ brcm,pins = <22 23 24 25 26 27>;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Fri, 16 Feb 2018 11:55:34 +0100
+Subject: ARM: dts: bcm283x: Fix probing of bcm2835-i2s
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit 79c81facdc0b43b1cef37b8d5689a8c8b78f8be0 ]
+
+Since 517e7a1537a ("ASoC: bcm2835: move to use the clock framework")
+the bcm2835-i2s requires a clock as DT property. Unfortunately
+the necessary DT change has never been applied. While we are at it
+also fix the first PCM register range to cover the PCM_GRAY register.
+
+Fixes: 517e7a1537a ("ASoC: bcm2835: move to use the clock framework")
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Tested-by: Matthias Reichl <hias@horus.com>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/bcm283x.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/bcm283x.dtsi
++++ b/arch/arm/boot/dts/bcm283x.dtsi
+@@ -396,8 +396,8 @@
+
+ i2s: i2s@7e203000 {
+ compatible = "brcm,bcm2835-i2s";
+- reg = <0x7e203000 0x20>,
+- <0x7e101098 0x02>;
++ reg = <0x7e203000 0x24>;
++ clocks = <&clocks BCM2835_CLOCK_PCM>;
+
+ dmas = <&dma 2>,
+ <&dma 3>;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Sat, 24 Feb 2018 15:15:21 +0100
+Subject: ARM: dts: bcm283x: Fix unit address of local_intc
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit 808b7de86a0c19582a7efce4c80d6b4e1da7f370 ]
+
+This patch fixes the following DTC warning (requires W=1):
+Node /soc/local_intc simple-bus unit address format error, expected "40000000"
+
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/bcm2836.dtsi | 2 +-
+ arch/arm/boot/dts/bcm2837.dtsi | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/bcm2836.dtsi
++++ b/arch/arm/boot/dts/bcm2836.dtsi
+@@ -9,7 +9,7 @@
+ <0x40000000 0x40000000 0x00001000>;
+ dma-ranges = <0xc0000000 0x00000000 0x3f000000>;
+
+- local_intc: local_intc {
++ local_intc: local_intc@40000000 {
+ compatible = "brcm,bcm2836-l1-intc";
+ reg = <0x40000000 0x100>;
+ interrupt-controller;
+--- a/arch/arm/boot/dts/bcm2837.dtsi
++++ b/arch/arm/boot/dts/bcm2837.dtsi
+@@ -8,7 +8,7 @@
+ <0x40000000 0x40000000 0x00001000>;
+ dma-ranges = <0xc0000000 0x00000000 0x3f000000>;
+
+- local_intc: local_intc {
++ local_intc: local_intc@40000000 {
+ compatible = "brcm,bcm2836-l1-intc";
+ reg = <0x40000000 0x100>;
+ interrupt-controller;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Ravikumar Kattekola <rk@ti.com>
+Date: Tue, 6 Feb 2018 18:28:02 +0530
+Subject: ARM: dts: dra71-evm: Correct evm_sd regulator max voltage
+
+From: Ravikumar Kattekola <rk@ti.com>
+
+[ Upstream commit f4aa1bd5b4fc80f5f4ecd184caad832fd62c25f7 ]
+
+Correct vpo_sd_1v8_3v3 regulator max voltage to 3.3V
+
+Fixes: 9868bc585ae2 ("ARM: dts: Add support for dra718-evm")
+Signed-off-by: Ravikumar Kattekola <rk@ti.com>
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/dra71-evm.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/dra71-evm.dts
++++ b/arch/arm/boot/dts/dra71-evm.dts
+@@ -24,13 +24,13 @@
+
+ regulator-name = "vddshv8";
+ regulator-min-microvolt = <1800000>;
+- regulator-max-microvolt = <3000000>;
++ regulator-max-microvolt = <3300000>;
+ regulator-boot-on;
+ vin-supply = <&evm_5v0>;
+
+ gpios = <&gpio7 11 GPIO_ACTIVE_HIGH>;
+ states = <1800000 0x0
+- 3000000 0x1>;
++ 3300000 0x1>;
+ };
+
+ evm_1v8_sw: fixedregulator-evm_1v8 {
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Shyam Saini <shyam@amarulasolutions.com>
+Date: Tue, 20 Feb 2018 18:08:08 +0530
+Subject: ARM: dts: imx6dl: Include correct dtsi file for Engicam i.CoreM6 DualLite/Solo RQS
+
+From: Shyam Saini <shyam@amarulasolutions.com>
+
+[ Upstream commit c0c6bb2322964bd264b4ddedaa5776f40c709f0c ]
+
+This patch fixes the wrongly included dtsi file which
+was breaking mainline support for Engicam i.CoreM6 DualLite/Solo RQS.
+
+As per the board name, the correct file should be imx6dl.dtsi instead
+of imx6q.dtsi
+
+Reported-by: Michael Trimarchi <michael@amarulasolutions.com>
+Suggested-by: Jagan Teki <jagan@amarulasolutions.com>
+Signed-off-by: Shyam Saini <shyam@amarulasolutions.com>
+Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
+Fixes: 7a9caba55a61 ("ARM: dts: imx6dl: Add Engicam i.CoreM6 DualLite/Solo RQS initial support")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/imx6dl-icore-rqs.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/imx6dl-icore-rqs.dts
++++ b/arch/arm/boot/dts/imx6dl-icore-rqs.dts
+@@ -42,7 +42,7 @@
+
+ /dts-v1/;
+
+-#include "imx6q.dtsi"
++#include "imx6dl.dtsi"
+ #include "imx6qdl-icore-rqs.dtsi"
+
+ / {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Aapo Vienamo <aapo@tuxera.com>
+Date: Wed, 31 Jan 2018 14:34:07 +0000
+Subject: ARM: dts: imx7d: cl-som-imx7: fix pinctrl_enet
+
+From: Aapo Vienamo <aapo@tuxera.com>
+
+[ Upstream commit 2bada7ac1fdcbf79a9689bd2ff65fa515ca7a31f ]
+
+The missing last digit of the CONFIG values is added. Looks like a typo
+of some sort when comparing to the downstream dt. This fixes
+intermittent behavior behaviour of the ethernet controllers.
+
+Signed-off-by: Aapo Vienamo <aapo@tuxera.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/imx7d-cl-som-imx7.dts | 52 ++++++++++++++++----------------
+ 1 file changed, 26 insertions(+), 26 deletions(-)
+
+--- a/arch/arm/boot/dts/imx7d-cl-som-imx7.dts
++++ b/arch/arm/boot/dts/imx7d-cl-som-imx7.dts
+@@ -213,37 +213,37 @@
+ &iomuxc {
+ pinctrl_enet1: enet1grp {
+ fsl,pins = <
+- MX7D_PAD_SD2_CD_B__ENET1_MDIO 0x3
+- MX7D_PAD_SD2_WP__ENET1_MDC 0x3
+- MX7D_PAD_ENET1_RGMII_TXC__ENET1_RGMII_TXC 0x1
+- MX7D_PAD_ENET1_RGMII_TD0__ENET1_RGMII_TD0 0x1
+- MX7D_PAD_ENET1_RGMII_TD1__ENET1_RGMII_TD1 0x1
+- MX7D_PAD_ENET1_RGMII_TD2__ENET1_RGMII_TD2 0x1
+- MX7D_PAD_ENET1_RGMII_TD3__ENET1_RGMII_TD3 0x1
+- MX7D_PAD_ENET1_RGMII_TX_CTL__ENET1_RGMII_TX_CTL 0x1
+- MX7D_PAD_ENET1_RGMII_RXC__ENET1_RGMII_RXC 0x1
+- MX7D_PAD_ENET1_RGMII_RD0__ENET1_RGMII_RD0 0x1
+- MX7D_PAD_ENET1_RGMII_RD1__ENET1_RGMII_RD1 0x1
+- MX7D_PAD_ENET1_RGMII_RD2__ENET1_RGMII_RD2 0x1
+- MX7D_PAD_ENET1_RGMII_RD3__ENET1_RGMII_RD3 0x1
+- MX7D_PAD_ENET1_RGMII_RX_CTL__ENET1_RGMII_RX_CTL 0x1
++ MX7D_PAD_SD2_CD_B__ENET1_MDIO 0x30
++ MX7D_PAD_SD2_WP__ENET1_MDC 0x30
++ MX7D_PAD_ENET1_RGMII_TXC__ENET1_RGMII_TXC 0x11
++ MX7D_PAD_ENET1_RGMII_TD0__ENET1_RGMII_TD0 0x11
++ MX7D_PAD_ENET1_RGMII_TD1__ENET1_RGMII_TD1 0x11
++ MX7D_PAD_ENET1_RGMII_TD2__ENET1_RGMII_TD2 0x11
++ MX7D_PAD_ENET1_RGMII_TD3__ENET1_RGMII_TD3 0x11
++ MX7D_PAD_ENET1_RGMII_TX_CTL__ENET1_RGMII_TX_CTL 0x11
++ MX7D_PAD_ENET1_RGMII_RXC__ENET1_RGMII_RXC 0x11
++ MX7D_PAD_ENET1_RGMII_RD0__ENET1_RGMII_RD0 0x11
++ MX7D_PAD_ENET1_RGMII_RD1__ENET1_RGMII_RD1 0x11
++ MX7D_PAD_ENET1_RGMII_RD2__ENET1_RGMII_RD2 0x11
++ MX7D_PAD_ENET1_RGMII_RD3__ENET1_RGMII_RD3 0x11
++ MX7D_PAD_ENET1_RGMII_RX_CTL__ENET1_RGMII_RX_CTL 0x11
+ >;
+ };
+
+ pinctrl_enet2: enet2grp {
+ fsl,pins = <
+- MX7D_PAD_EPDC_GDSP__ENET2_RGMII_TXC 0x1
+- MX7D_PAD_EPDC_SDCE2__ENET2_RGMII_TD0 0x1
+- MX7D_PAD_EPDC_SDCE3__ENET2_RGMII_TD1 0x1
+- MX7D_PAD_EPDC_GDCLK__ENET2_RGMII_TD2 0x1
+- MX7D_PAD_EPDC_GDOE__ENET2_RGMII_TD3 0x1
+- MX7D_PAD_EPDC_GDRL__ENET2_RGMII_TX_CTL 0x1
+- MX7D_PAD_EPDC_SDCE1__ENET2_RGMII_RXC 0x1
+- MX7D_PAD_EPDC_SDCLK__ENET2_RGMII_RD0 0x1
+- MX7D_PAD_EPDC_SDLE__ENET2_RGMII_RD1 0x1
+- MX7D_PAD_EPDC_SDOE__ENET2_RGMII_RD2 0x1
+- MX7D_PAD_EPDC_SDSHR__ENET2_RGMII_RD3 0x1
+- MX7D_PAD_EPDC_SDCE0__ENET2_RGMII_RX_CTL 0x1
++ MX7D_PAD_EPDC_GDSP__ENET2_RGMII_TXC 0x11
++ MX7D_PAD_EPDC_SDCE2__ENET2_RGMII_TD0 0x11
++ MX7D_PAD_EPDC_SDCE3__ENET2_RGMII_TD1 0x11
++ MX7D_PAD_EPDC_GDCLK__ENET2_RGMII_TD2 0x11
++ MX7D_PAD_EPDC_GDOE__ENET2_RGMII_TD3 0x11
++ MX7D_PAD_EPDC_GDRL__ENET2_RGMII_TX_CTL 0x11
++ MX7D_PAD_EPDC_SDCE1__ENET2_RGMII_RXC 0x11
++ MX7D_PAD_EPDC_SDCLK__ENET2_RGMII_RD0 0x11
++ MX7D_PAD_EPDC_SDLE__ENET2_RGMII_RD1 0x11
++ MX7D_PAD_EPDC_SDOE__ENET2_RGMII_RD2 0x11
++ MX7D_PAD_EPDC_SDSHR__ENET2_RGMII_RD3 0x11
++ MX7D_PAD_EPDC_SDCE0__ENET2_RGMII_RX_CTL 0x11
+ >;
+ };
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Leonard Crestez <leonard.crestez@nxp.com>
+Date: Thu, 1 Mar 2018 14:52:08 +0200
+Subject: ARM: dts: imx7d-sdb: Fix regulator-usb-otg2-vbus node name
+
+From: Leonard Crestez <leonard.crestez@nxp.com>
+
+[ Upstream commit 970656b3246d30955894951ed16bd658e42d8c24 ]
+
+The two usb-otg regulators for imx7d-sdb are both called
+"regulator-usb-otg1-vbus" and they effectively override each other.
+
+This is most likely a copy-paste error.
+
+Fixes: b877039aa1fe ("ARM: dts: imx7d-sdb: Adjust the regulator nodes")
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/imx7d-sdb.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/imx7d-sdb.dts
++++ b/arch/arm/boot/dts/imx7d-sdb.dts
+@@ -82,7 +82,7 @@
+ enable-active-high;
+ };
+
+- reg_usb_otg2_vbus: regulator-usb-otg1-vbus {
++ reg_usb_otg2_vbus: regulator-usb-otg2-vbus {
+ compatible = "regulator-fixed";
+ regulator-name = "usb_otg2_vbus";
+ regulator-min-microvolt = <5000000>;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Esben Haabendal <eha@deif.com>
+Date: Fri, 6 Apr 2018 14:46:35 +0200
+Subject: ARM: dts: ls1021a: Specify TBIPA register address
+
+From: Esben Haabendal <eha@deif.com>
+
+[ Upstream commit 5571196135abb6d51e01592812997403c136067c ]
+
+The current (mildly evil) fsl_pq_mdio code uses an undocumented shadow of
+the TBIPA register on LS1021A, which happens to be read-only.
+Changing TBI PHY address therefore does not work on LS1021A.
+
+The real (and documented) address of the TBIPA registere lies in the eTSEC
+block and not in MDIO/MII, which is read/write, so using that fixes
+the problem.
+
+Signed-off-by: Esben Haabendal <eha@deif.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/ls1021a.dtsi | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/ls1021a.dtsi
++++ b/arch/arm/boot/dts/ls1021a.dtsi
+@@ -565,7 +565,8 @@
+ device_type = "mdio";
+ #address-cells = <1>;
+ #size-cells = <0>;
+- reg = <0x0 0x2d24000 0x0 0x4000>;
++ reg = <0x0 0x2d24000 0x0 0x4000>,
++ <0x0 0x2d10030 0x0 0x4>;
+ };
+
+ ptp_clock@2d10e00 {
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 26 Feb 2018 17:00:35 -0800
+Subject: ARM: dts: NSP: Fix amount of RAM on BCM958625HR
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 0a5aff64f20d92c5a6e9aeed7b5950b0b817bcd9 ]
+
+Jon attempted to fix the amount of RAM on the BCM958625HR in commit
+c53beb47f621 ("ARM: dts: NSP: Correct RAM amount for BCM958625HR board")
+but it seems like we tripped over some poorly documented schematics.
+
+The top-level page of the schematics says the board has 2GB, but when
+you end-up scrolling to page 6, you see two chips of 4GBit (512MB) but
+what the bootloader really initializes only 512MB, any attempt to use
+more than that results in data aborts. Fix this again back to 512MB.
+
+Fixes: c53beb47f621 ("ARM: dts: NSP: Correct RAM amount for BCM958625HR board")
+Acked-by: Jon Mason <jon.mason@broadcom.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/bcm958625hr.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/bcm958625hr.dts
++++ b/arch/arm/boot/dts/bcm958625hr.dts
+@@ -49,7 +49,7 @@
+
+ memory {
+ device_type = "memory";
+- reg = <0x60000000 0x80000000>;
++ reg = <0x60000000 0x20000000>;
+ };
+
+ gpio-restart {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Date: Sat, 13 Jan 2018 01:14:23 +0200
+Subject: ARM: dts: porter: Fix HDMI output routing
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+[ Upstream commit d4b78db6ac3e084e2bdc57d5518bd247c727f396 ]
+
+The HDMI encoder is connected to the RGB output of the DU, which is
+port@0, not port@1. Fix the incorrect DT description.
+
+Fixes: c5af8a4248d3 ("ARM: dts: porter: add DU DT support")
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/r8a7791-porter.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/r8a7791-porter.dts
++++ b/arch/arm/boot/dts/r8a7791-porter.dts
+@@ -427,7 +427,7 @@
+ "dclkin.0", "dclkin.1";
+
+ ports {
+- port@1 {
++ port@0 {
+ endpoint {
+ remote-endpoint = <&adv7511_in>;
+ };
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Rob Herring <robh@kernel.org>
+Date: Thu, 1 Mar 2018 14:25:35 -0600
+Subject: ARM: dts: rockchip: Add missing #sound-dai-cells on rk3288
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit 4e943a890cef42e90f43ce6be64728a290b97c55 ]
+
+dtc now gives the following warning:
+
+arch/arm/boot/dts/rk3288-tinker.dtb: Warning (sound_dai_property): /sound/simple-audio-card,codec: Missing property '#sound-dai-cells' in node /hdmi@ff980000 or bad phandle (referred from sound-dai[0])
+
+Add the missing #sound-dai-cells property.
+
+Cc: Heiko Stuebner <heiko@sntech.de>
+Cc: linux-rockchip@lists.infradead.org
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/rk3288.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/boot/dts/rk3288.dtsi
++++ b/arch/arm/boot/dts/rk3288.dtsi
+@@ -927,6 +927,7 @@
+ i2s: i2s@ff890000 {
+ compatible = "rockchip,rk3288-i2s", "rockchip,rk3066-i2s";
+ reg = <0x0 0xff890000 0x0 0x10000>;
++ #sound-dai-cells = <0>;
+ interrupts = <GIC_SPI 53 IRQ_TYPE_LEVEL_HIGH>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+@@ -1122,6 +1123,7 @@
+ compatible = "rockchip,rk3288-dw-hdmi";
+ reg = <0x0 0xff980000 0x0 0x20000>;
+ reg-io-width = <4>;
++ #sound-dai-cells = <0>;
+ rockchip,grf = <&grf>;
+ interrupts = <GIC_SPI 103 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cru PCLK_HDMI_CTRL>, <&cru SCLK_HDMI_HDCP>;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Thu, 15 Feb 2018 14:05:54 +0000
+Subject: ARM: dts: rockchip: Fix DWMMC clocks
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit e78c637127ee7683d606737f2e62b5da6fd7b1c3 ]
+
+Trying to boot an RK3328 box with an HS200-capable eMMC, I see said eMMC
+fail to initialise as it can't run its tuning procedure, because the
+sample clock is missing. Upon closer inspection, whilst the clock is
+present in the DT, its name is subtly incorrect per the binding, so
+__of_clk_get_by_name() never finds it. By inspection, the drive clock
+suffers from a similar problem, so has never worked properly either.
+
+This error has propagated across the 32-bit DTs too, so fix those up.
+
+Fixes: 187d7967a5ee ("ARM: dts: rockchip: add the sdio/sdmmc node for rk3036")
+Fixes: faea098e1808 ("ARM: dts: rockchip: add core rk3036 dtsi")
+Fixes: 9848ebeb952d ("ARM: dts: rockchip: add core rk3228 dtsi")
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/rk3036.dtsi | 4 ++--
+ arch/arm/boot/dts/rk322x.dtsi | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/boot/dts/rk3036.dtsi
++++ b/arch/arm/boot/dts/rk3036.dtsi
+@@ -261,7 +261,7 @@
+ max-frequency = <37500000>;
+ clocks = <&cru HCLK_SDIO>, <&cru SCLK_SDIO>,
+ <&cru SCLK_SDIO_DRV>, <&cru SCLK_SDIO_SAMPLE>;
+- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample";
++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample";
+ fifo-depth = <0x100>;
+ interrupts = <GIC_SPI 15 IRQ_TYPE_LEVEL_HIGH>;
+ resets = <&cru SRST_SDIO>;
+@@ -279,7 +279,7 @@
+ max-frequency = <37500000>;
+ clocks = <&cru HCLK_EMMC>, <&cru SCLK_EMMC>,
+ <&cru SCLK_EMMC_DRV>, <&cru SCLK_EMMC_SAMPLE>;
+- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample";
++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample";
+ default-sample-phase = <158>;
+ disable-wp;
+ dmas = <&pdma 12>;
+--- a/arch/arm/boot/dts/rk322x.dtsi
++++ b/arch/arm/boot/dts/rk322x.dtsi
+@@ -600,7 +600,7 @@
+ interrupts = <GIC_SPI 12 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cru HCLK_SDMMC>, <&cru SCLK_SDMMC>,
+ <&cru SCLK_SDMMC_DRV>, <&cru SCLK_SDMMC_SAMPLE>;
+- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample";
++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample";
+ fifo-depth = <0x100>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&sdmmc_clk &sdmmc_cmd &sdmmc_bus4>;
+@@ -613,7 +613,7 @@
+ interrupts = <GIC_SPI 13 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cru HCLK_SDIO>, <&cru SCLK_SDIO>,
+ <&cru SCLK_SDIO_DRV>, <&cru SCLK_SDIO_SAMPLE>;
+- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample";
++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample";
+ fifo-depth = <0x100>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&sdio_clk &sdio_cmd &sdio_bus4>;
+@@ -628,7 +628,7 @@
+ max-frequency = <37500000>;
+ clocks = <&cru HCLK_EMMC>, <&cru SCLK_EMMC>,
+ <&cru SCLK_EMMC_DRV>, <&cru SCLK_EMMC_SAMPLE>;
+- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample";
++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample";
+ bus-width = <8>;
+ default-sample-phase = <158>;
+ fifo-depth = <0x100>;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Philipp Puschmann <pp@emlix.com>
+Date: Fri, 23 Mar 2018 10:22:15 +0100
+Subject: arm: dts: socfpga: fix GIC PPI warning
+
+From: Philipp Puschmann <pp@emlix.com>
+
+[ Upstream commit 6d97d5aba08b26108f95dc9fb7bbe4d9436c769c ]
+
+Fixes the warning "GIC: PPI13 is secure or misconfigured" by
+changing the interrupt type from level_low to edge_raising
+
+Signed-off-by: Philipp Puschmann <pp@emlix.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/socfpga.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/socfpga.dtsi
++++ b/arch/arm/boot/dts/socfpga.dtsi
+@@ -827,7 +827,7 @@
+ timer@fffec600 {
+ compatible = "arm,cortex-a9-twd-timer";
+ reg = <0xfffec600 0x100>;
+- interrupts = <1 13 0xf04>;
++ interrupts = <1 13 0xf01>;
+ clocks = <&mpu_periph_clk>;
+ };
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Tony Lindgren <tony@atomide.com>
+Date: Thu, 22 Feb 2018 10:02:49 -0800
+Subject: ARM: OMAP: Fix dmtimer init for omap1
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit ba6887836178d43b3665b9da075c2c5dfe1d207c ]
+
+We need to enable PM runtime on omap1 also as otherwise we
+will get errors:
+
+omap_timer omap_timer.1: omap_dm_timer_probe: pm_runtime_get_sync failed!
+omap_timer: probe of omap_timer.1 failed with error -13
+...
+
+We are checking for OMAP_TIMER_NEEDS_RESET flag elsewhere so this is
+safe to do.
+
+Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
+Cc: Keerthy <j-keerthy@ti.com>
+Cc: Ladislav Michl <ladis@linux-mips.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/plat-omap/dmtimer.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/plat-omap/dmtimer.c
++++ b/arch/arm/plat-omap/dmtimer.c
+@@ -890,11 +890,8 @@ static int omap_dm_timer_probe(struct pl
+ timer->irq = irq->start;
+ timer->pdev = pdev;
+
+- /* Skip pm_runtime_enable for OMAP1 */
+- if (!(timer->capability & OMAP_TIMER_NEEDS_RESET)) {
+- pm_runtime_enable(dev);
+- pm_runtime_irq_safe(dev);
+- }
++ pm_runtime_enable(dev);
++ pm_runtime_irq_safe(dev);
+
+ if (!timer->reserved) {
+ ret = pm_runtime_get_sync(dev);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 2 Jan 2018 16:25:35 +0100
+Subject: ARM: OMAP1: clock: Fix debugfs_create_*() usage
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 8cbbf1745dcde7ba7e423dc70619d223de90fd43 ]
+
+When exposing data access through debugfs, the correct
+debugfs_create_*() functions must be used, depending on data type.
+
+Remove all casts from data pointers passed to debugfs_create_*()
+functions, as such casts prevent the compiler from flagging bugs.
+
+Correct all wrong usage:
+ - clk.rate is unsigned long, not u32,
+ - clk.flags is u8, not u32, which exposed the successive
+ clk.rate_offset and clk.src_offset fields.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap1/clock.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm/mach-omap1/clock.c
++++ b/arch/arm/mach-omap1/clock.c
+@@ -1011,17 +1011,17 @@ static int clk_debugfs_register_one(stru
+ return -ENOMEM;
+ c->dent = d;
+
+- d = debugfs_create_u8("usecount", S_IRUGO, c->dent, (u8 *)&c->usecount);
++ d = debugfs_create_u8("usecount", S_IRUGO, c->dent, &c->usecount);
+ if (!d) {
+ err = -ENOMEM;
+ goto err_out;
+ }
+- d = debugfs_create_u32("rate", S_IRUGO, c->dent, (u32 *)&c->rate);
++ d = debugfs_create_ulong("rate", S_IRUGO, c->dent, &c->rate);
+ if (!d) {
+ err = -ENOMEM;
+ goto err_out;
+ }
+- d = debugfs_create_x32("flags", S_IRUGO, c->dent, (u32 *)&c->flags);
++ d = debugfs_create_x8("flags", S_IRUGO, c->dent, &c->flags);
+ if (!d) {
+ err = -ENOMEM;
+ goto err_out;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Tony Lindgren <tony@atomide.com>
+Date: Fri, 9 Feb 2018 09:35:56 -0800
+Subject: ARM: OMAP2+: Fix sar_base inititalization for HS omaps
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit fe27f16794f313f5fc16f6d2f42d8c2b2f4d70cc ]
+
+HS omaps use irq_save_secure_context() instead of irq_save_context()
+so sar_base will never get initialized and irq_sar_clear() gets called
+with a wrong address for HS omaps from irq_restore_context().
+
+Starting with commit f4b9f40ae95b ("ARM: OMAP4+: Initialize SAR RAM
+base early for proper CPU1 reset for kexec") we have it available,
+and this ideally would been fixed with that commit already.
+
+Fixes: f4b9f40ae95b ("ARM: OMAP4+: Initialize SAR RAM base early for
+proper CPU1 reset for kexec")
+Cc: Andrew F. Davis <afd@ti.com>
+Cc: Dave Gerlach <d-gerlach@ti.com>
+Cc: Keerthy <j-keerthy@ti.com>
+Cc: Santosh Shilimkar <ssantosh@kernel.org>
+Cc: Tero Kristo <t-kristo@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/omap-wakeupgen.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mach-omap2/omap-wakeupgen.c
++++ b/arch/arm/mach-omap2/omap-wakeupgen.c
+@@ -299,8 +299,6 @@ static void irq_save_context(void)
+ if (soc_is_dra7xx())
+ return;
+
+- if (!sar_base)
+- sar_base = omap4_get_sar_ram_base();
+ if (wakeupgen_ops && wakeupgen_ops->save_context)
+ wakeupgen_ops->save_context();
+ }
+@@ -598,6 +596,8 @@ static int __init wakeupgen_init(struct
+ irq_hotplug_init();
+ irq_pm_init();
+
++ sar_base = omap4_get_sar_ram_base();
++
+ return 0;
+ }
+ IRQCHIP_DECLARE(ti_wakeupgen, "ti,omap4-wugen-mpu", wakeupgen_init);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Qi Hou <qi.hou@windriver.com>
+Date: Thu, 11 Jan 2018 12:54:43 +0800
+Subject: ARM: OMAP2+: timer: fix a kmemleak caused in omap_get_timer_dt
+
+From: Qi Hou <qi.hou@windriver.com>
+
+[ Upstream commit db35340c536f1af0108ec9a0b2126a05d358d14a ]
+
+When more than one GP timers are used as kernel system timers and the
+corresponding nodes in device-tree are marked with the same "disabled"
+property, then the "attr" field of the property will be initialized
+more than once as the property being added to sys file system via
+__of_add_property_sysfs().
+
+In __of_add_property_sysfs(), the "name" field of pp->attr.attr is set
+directly to the return value of safe_name(), without taking care of
+whether it's already a valid pointer to a memory block. If it is, its
+old value will always be overwritten by the new one and the memory block
+allocated before will a "ghost", then a kmemleak happened.
+
+That the same "disabled" property being added to different nodes of device
+tree would cause that kind of kmemleak overhead, at least once.
+
+To fix it, allocate the property dynamically, and delete static one.
+
+Signed-off-by: Qi Hou <qi.hou@windriver.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/timer.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/arch/arm/mach-omap2/timer.c
++++ b/arch/arm/mach-omap2/timer.c
+@@ -156,12 +156,6 @@ static struct clock_event_device clockev
+ .tick_resume = omap2_gp_timer_shutdown,
+ };
+
+-static struct property device_disabled = {
+- .name = "status",
+- .length = sizeof("disabled"),
+- .value = "disabled",
+-};
+-
+ static const struct of_device_id omap_timer_match[] __initconst = {
+ { .compatible = "ti,omap2420-timer", },
+ { .compatible = "ti,omap3430-timer", },
+@@ -203,8 +197,17 @@ static struct device_node * __init omap_
+ of_get_property(np, "ti,timer-secure", NULL)))
+ continue;
+
+- if (!of_device_is_compatible(np, "ti,omap-counter32k"))
+- of_add_property(np, &device_disabled);
++ if (!of_device_is_compatible(np, "ti,omap-counter32k")) {
++ struct property *prop;
++
++ prop = kzalloc(sizeof(*prop), GFP_KERNEL);
++ if (!prop)
++ return NULL;
++ prop->name = "status";
++ prop->value = "disabled";
++ prop->length = strlen(prop->value);
++ of_add_property(np, prop);
++ }
+ return np;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Tony Lindgren <tony@atomide.com>
+Date: Fri, 9 Feb 2018 08:15:53 -0800
+Subject: ARM: OMAP3: Fix prm wake interrupt for resume
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit d3be6d2a08bd26580562d9714d3d97ea9ba22c73 ]
+
+For platform_suspend_ops, the finish call is too late to re-enable wake
+irqs and we need re-enable wake irqs on wake call instead.
+
+Otherwise noirq resume for devices has already happened. And then
+dev_pm_disarm_wake_irq() has already disabled the dedicated wake irqs
+when the interrupt triggers and the wake irq is never handled.
+
+For devices that are already in PM runtime suspended state when we
+enter suspend this means that a possible wake irq will never trigger.
+
+And this can lead into a situation where a device has a pending padconf
+wake irq, and the device will stay unresponsive to any further wake
+irqs.
+
+This issue can be easily reproduced by setting serial console log level
+to zero, letting the serial console idle, and suspend the system from
+an ssh terminal. Then try to wake up the system by typing to the serial
+console.
+
+Note that this affects only omap3 PRM interrupt as that's currently
+the only omap variant that does anything in omap_pm_wake().
+
+In general, for the wake irqs to work, the interrupt must have either
+IRQF_NO_SUSPEND or IRQF_EARLY_RESUME set for it to trigger before
+dev_pm_disarm_wake_irq() disables the wake irqs.
+
+Reported-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Cc: Tero Kristo <t-kristo@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/pm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mach-omap2/pm.c
++++ b/arch/arm/mach-omap2/pm.c
+@@ -186,7 +186,7 @@ static void omap_pm_end(void)
+ cpu_idle_poll_ctrl(false);
+ }
+
+-static void omap_pm_finish(void)
++static void omap_pm_wake(void)
+ {
+ if (soc_is_omap34xx())
+ omap_prcm_irq_complete();
+@@ -196,7 +196,7 @@ static const struct platform_suspend_ops
+ .begin = omap_pm_begin,
+ .end = omap_pm_end,
+ .enter = omap_pm_enter,
+- .finish = omap_pm_finish,
++ .wake = omap_pm_wake,
+ .valid = suspend_valid_only_mem,
+ };
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: "David S. Miller" <davem@davemloft.net>
+Date: Mon, 26 Feb 2018 13:41:47 -0500
+Subject: ARM: orion5x: Revert commit 4904dbda41c8.
+
+From: "David S. Miller" <davem@davemloft.net>
+
+[ Upstream commit 13a55372b64e00e564a08d785ca87bd9d454ba30 ]
+
+It is not valid for orion5x to use mac_pton().
+
+First of all, the orion5x buffer is not NULL terminated. mac_pton()
+has no business operating on non-NULL terminated buffers because
+only the caller can know that this is valid and in what manner it
+is ok to parse this NULL'less buffer.
+
+Second of all, orion5x operates on an __iomem pointer, which cannot
+be dereferenced using normal C pointer operations. Accesses to
+such areas much be performed with the proper iomem accessors.
+
+Fixes: 4904dbda41c8 ("ARM: orion5x: use mac_pton() helper")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-orion5x/Kconfig | 3 -
+ arch/arm/mach-orion5x/dns323-setup.c | 53 +++++++++++++++++++++++++++++++++--
+ arch/arm/mach-orion5x/tsx09-common.c | 49 +++++++++++++++++++++++++++++---
+ 3 files changed, 95 insertions(+), 10 deletions(-)
+
+--- a/arch/arm/mach-orion5x/Kconfig
++++ b/arch/arm/mach-orion5x/Kconfig
+@@ -58,7 +58,6 @@ config MACH_KUROBOX_PRO
+
+ config MACH_DNS323
+ bool "D-Link DNS-323"
+- select GENERIC_NET_UTILS
+ select I2C_BOARDINFO if I2C
+ help
+ Say 'Y' here if you want your kernel to support the
+@@ -66,7 +65,6 @@ config MACH_DNS323
+
+ config MACH_TS209
+ bool "QNAP TS-109/TS-209"
+- select GENERIC_NET_UTILS
+ help
+ Say 'Y' here if you want your kernel to support the
+ QNAP TS-109/TS-209 platform.
+@@ -101,7 +99,6 @@ config MACH_LINKSTATION_LS_HGL
+
+ config MACH_TS409
+ bool "QNAP TS-409"
+- select GENERIC_NET_UTILS
+ help
+ Say 'Y' here if you want your kernel to support the
+ QNAP TS-409 platform.
+--- a/arch/arm/mach-orion5x/dns323-setup.c
++++ b/arch/arm/mach-orion5x/dns323-setup.c
+@@ -173,10 +173,42 @@ static struct mv643xx_eth_platform_data
+ .phy_addr = MV643XX_ETH_PHY_ADDR(8),
+ };
+
++/* dns323_parse_hex_*() taken from tsx09-common.c; should a common copy of these
++ * functions be kept somewhere?
++ */
++static int __init dns323_parse_hex_nibble(char n)
++{
++ if (n >= '0' && n <= '9')
++ return n - '0';
++
++ if (n >= 'A' && n <= 'F')
++ return n - 'A' + 10;
++
++ if (n >= 'a' && n <= 'f')
++ return n - 'a' + 10;
++
++ return -1;
++}
++
++static int __init dns323_parse_hex_byte(const char *b)
++{
++ int hi;
++ int lo;
++
++ hi = dns323_parse_hex_nibble(b[0]);
++ lo = dns323_parse_hex_nibble(b[1]);
++
++ if (hi < 0 || lo < 0)
++ return -1;
++
++ return (hi << 4) | lo;
++}
++
+ static int __init dns323_read_mac_addr(void)
+ {
+ u_int8_t addr[6];
+- void __iomem *mac_page;
++ int i;
++ char *mac_page;
+
+ /* MAC address is stored as a regular ol' string in /dev/mtdblock4
+ * (0x007d0000-0x00800000) starting at offset 196480 (0x2ff80).
+@@ -185,8 +217,23 @@ static int __init dns323_read_mac_addr(v
+ if (!mac_page)
+ return -ENOMEM;
+
+- if (!mac_pton((__force const char *) mac_page, addr))
+- goto error_fail;
++ /* Sanity check the string we're looking at */
++ for (i = 0; i < 5; i++) {
++ if (*(mac_page + (i * 3) + 2) != ':') {
++ goto error_fail;
++ }
++ }
++
++ for (i = 0; i < 6; i++) {
++ int byte;
++
++ byte = dns323_parse_hex_byte(mac_page + (i * 3));
++ if (byte < 0) {
++ goto error_fail;
++ }
++
++ addr[i] = byte;
++ }
+
+ iounmap(mac_page);
+ printk("DNS-323: Found ethernet MAC address: %pM\n", addr);
+--- a/arch/arm/mach-orion5x/tsx09-common.c
++++ b/arch/arm/mach-orion5x/tsx09-common.c
+@@ -53,12 +53,53 @@ struct mv643xx_eth_platform_data qnap_ts
+ .phy_addr = MV643XX_ETH_PHY_ADDR(8),
+ };
+
++static int __init qnap_tsx09_parse_hex_nibble(char n)
++{
++ if (n >= '0' && n <= '9')
++ return n - '0';
++
++ if (n >= 'A' && n <= 'F')
++ return n - 'A' + 10;
++
++ if (n >= 'a' && n <= 'f')
++ return n - 'a' + 10;
++
++ return -1;
++}
++
++static int __init qnap_tsx09_parse_hex_byte(const char *b)
++{
++ int hi;
++ int lo;
++
++ hi = qnap_tsx09_parse_hex_nibble(b[0]);
++ lo = qnap_tsx09_parse_hex_nibble(b[1]);
++
++ if (hi < 0 || lo < 0)
++ return -1;
++
++ return (hi << 4) | lo;
++}
++
+ static int __init qnap_tsx09_check_mac_addr(const char *addr_str)
+ {
+ u_int8_t addr[6];
++ int i;
+
+- if (!mac_pton(addr_str, addr))
+- return -1;
++ for (i = 0; i < 6; i++) {
++ int byte;
++
++ /*
++ * Enforce "xx:xx:xx:xx:xx:xx\n" format.
++ */
++ if (addr_str[(i * 3) + 2] != ((i < 5) ? ':' : '\n'))
++ return -1;
++
++ byte = qnap_tsx09_parse_hex_byte(addr_str + (i * 3));
++ if (byte < 0)
++ return -1;
++ addr[i] = byte;
++ }
+
+ printk(KERN_INFO "tsx09: found ethernet mac address %pM\n", addr);
+
+@@ -77,12 +118,12 @@ void __init qnap_tsx09_find_mac_addr(u32
+ unsigned long addr;
+
+ for (addr = mem_base; addr < (mem_base + size); addr += 1024) {
+- void __iomem *nor_page;
++ char *nor_page;
+ int ret = 0;
+
+ nor_page = ioremap(addr, 1024);
+ if (nor_page != NULL) {
+- ret = qnap_tsx09_check_mac_addr((__force const char *)nor_page);
++ ret = qnap_tsx09_check_mac_addr(nor_page);
+ iounmap(nor_page);
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Rob Herring <robh@kernel.org>
+Date: Thu, 1 Feb 2018 15:32:40 -0600
+Subject: arm64: dts: cavium: fix PCI bus dtc warnings
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit e2c8d283c4e2f468bed1bcfedb80b670b1bc8ab1 ]
+
+dtc recently added PCI bus checks. Fix these warnings:
+
+arch/arm64/boot/dts/cavium/thunder2-99xx.dtb: Warning (pci_bridge): Node /pci missing bus-range for PCI bridge
+arch/arm64/boot/dts/cavium/thunder2-99xx.dtb: Warning (unit_address_vs_reg): Node /pci has a reg or ranges property, but no unit name
+
+Signed-off-by: Rob Herring <robh@kernel.org>
+Cc: Jayachandran C <jnair@caviumnetworks.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/cavium/thunder2-99xx.dtsi | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/cavium/thunder2-99xx.dtsi
++++ b/arch/arm64/boot/dts/cavium/thunder2-99xx.dtsi
+@@ -98,7 +98,7 @@
+ clock-output-names = "clk125mhz";
+ };
+
+- pci {
++ pcie@30000000 {
+ compatible = "pci-host-ecam-generic";
+ device_type = "pci";
+ #interrupt-cells = <1>;
+@@ -118,6 +118,7 @@
+ ranges =
+ <0x02000000 0 0x40000000 0 0x40000000 0 0x20000000
+ 0x43000000 0x40 0x00000000 0x40 0x00000000 0x20 0x00000000>;
++ bus-range = <0 0xff>;
+ interrupt-map-mask = <0 0 0 7>;
+ interrupt-map =
+ /* addr pin ic icaddr icintr */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Ilia Lin <ilialin@codeaurora.org>
+Date: Tue, 23 Jan 2018 09:36:18 +0200
+Subject: arm64: dts: qcom: Fix SPI5 config on MSM8996
+
+From: Ilia Lin <ilialin@codeaurora.org>
+
+[ Upstream commit e723795c702b52cfceb3bb3faa63059eb4658313 ]
+
+Set correct clocks and interrupt values.
+Fixes the incorrect SPI master configuration. This is
+mandatory to make the SPI5 interface functional.
+
+Signed-off-by: Ilia Lin <ilialin@codeaurora.org>
+Signed-off-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/qcom/msm8996.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+@@ -484,8 +484,8 @@
+ blsp2_spi5: spi@075ba000{
+ compatible = "qcom,spi-qup-v2.2.1";
+ reg = <0x075ba000 0x600>;
+- interrupts = <GIC_SPI 107 IRQ_TYPE_LEVEL_HIGH>;
+- clocks = <&gcc GCC_BLSP2_QUP5_SPI_APPS_CLK>,
++ interrupts = <GIC_SPI 106 IRQ_TYPE_LEVEL_HIGH>;
++ clocks = <&gcc GCC_BLSP2_QUP6_SPI_APPS_CLK>,
+ <&gcc GCC_BLSP2_AHB_CLK>;
+ clock-names = "core", "iface";
+ pinctrl-names = "default", "sleep";
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Fri, 9 Feb 2018 16:51:48 +0800
+Subject: arm64: dts: rockchip: correct ep-gpios for rk3399-sapphire
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+[ Upstream commit 2b7d2ed1af2e2c0c90a1a8b97926b7b6c6cb03ed ]
+
+The endpoint control gpio for rk3399-sapphire boards is gpio2_a4,
+so correct it now.
+
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-sapphire.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3399-sapphire.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-sapphire.dtsi
+@@ -457,7 +457,7 @@
+ assigned-clocks = <&cru SCLK_PCIEPHY_REF>;
+ assigned-clock-parents = <&cru SCLK_PCIEPHY_REF100M>;
+ assigned-clock-rates = <100000000>;
+- ep-gpios = <&gpio3 RK_PB5 GPIO_ACTIVE_HIGH>;
++ ep-gpios = <&gpio2 RK_PA4 GPIO_ACTIVE_HIGH>;
+ num-lanes = <4>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pcie_clkreqn_cpm>;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Thu, 15 Feb 2018 14:05:53 +0000
+Subject: arm64: dts: rockchip: Fix DWMMC clocks
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit ca9eee95a2decc6f60bed65b5b836a26bff825c1 ]
+
+Trying to boot an RK3328 box with an HS200-capable eMMC, I see said eMMC
+fail to initialise as it can't run its tuning procedure, because the
+sample clock is missing. Upon closer inspection, whilst the clock is
+present in the DT, its name is subtly incorrect per the binding, so
+__of_clk_get_by_name() never finds it. By inspection, the drive clock
+suffers from a similar problem, so has never worked properly either.
+
+Fix up all instances of the incorrect clock names across the 64-bit DTs.
+
+Fixes: d717f7352ec6 ("arm64: dts: rockchip: add sdmmc/sdio/emmc nodes for RK3328 SoCs")
+Fixes: b790c2cab5ca ("arm64: dts: add Rockchip rk3368 core dtsi and board dts for the r88 board")
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3328.dtsi | 6 +++---
+ arch/arm64/boot/dts/rockchip/rk3368.dtsi | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3328.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3328.dtsi
+@@ -683,7 +683,7 @@
+ interrupts = <GIC_SPI 12 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cru HCLK_SDMMC>, <&cru SCLK_SDMMC>,
+ <&cru SCLK_SDMMC_DRV>, <&cru SCLK_SDMMC_SAMPLE>;
+- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample";
++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample";
+ fifo-depth = <0x100>;
+ status = "disabled";
+ };
+@@ -694,7 +694,7 @@
+ interrupts = <GIC_SPI 13 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cru HCLK_SDIO>, <&cru SCLK_SDIO>,
+ <&cru SCLK_SDIO_DRV>, <&cru SCLK_SDIO_SAMPLE>;
+- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample";
++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample";
+ fifo-depth = <0x100>;
+ status = "disabled";
+ };
+@@ -705,7 +705,7 @@
+ interrupts = <GIC_SPI 14 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cru HCLK_EMMC>, <&cru SCLK_EMMC>,
+ <&cru SCLK_EMMC_DRV>, <&cru SCLK_EMMC_SAMPLE>;
+- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample";
++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample";
+ fifo-depth = <0x100>;
+ status = "disabled";
+ };
+--- a/arch/arm64/boot/dts/rockchip/rk3368.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3368.dtsi
+@@ -257,7 +257,7 @@
+ max-frequency = <150000000>;
+ clocks = <&cru HCLK_SDIO0>, <&cru SCLK_SDIO0>,
+ <&cru SCLK_SDIO0_DRV>, <&cru SCLK_SDIO0_SAMPLE>;
+- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample";
++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample";
+ fifo-depth = <0x100>;
+ interrupts = <GIC_SPI 33 IRQ_TYPE_LEVEL_HIGH>;
+ resets = <&cru SRST_SDIO0>;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Douglas Anderson <dianders@chromium.org>
+Date: Tue, 27 Feb 2018 12:47:11 -0800
+Subject: arm64: dts: rockchip: Fix rk3399-gru-* s2r (pinctrl hogs, wifi reset)
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 2560da49de5d0cfec22e9564023aebfffa094732 ]
+
+Back in the early days when gru devices were still under development
+we found an issue where the WiFi reset line needed to be configured as
+early as possible during the boot process to avoid the WiFi module
+being in a bad state.
+
+We found that the way to get the kernel to do this in the earliest
+possible place was to configure this line in the pinctrl hogs, so
+that's what we did. For some history here you can see
+<http://crosreview.com/368770>. After the time that change landed in
+the kernel, we landed a firmware change to configure this line even
+earlier. See <http://crosreview.com/399919>. However, even after the
+firmware change landed we kept the kernel change to deal with the fact
+that some people working on devices might take a little while to
+update their firmware.
+
+At this there are definitely zero devices out in the wild that have
+firmware without the fix in it. Specifically looking in the firmware
+branch several critically important fixes for memory stability landed
+after the patch in coreboot and I know we didn't ship without those.
+Thus, by now, everyone should have the new firmware and it's safe to
+not have the kernel set this up in a pinctrl hog.
+
+Historically, even though it wasn't needed to have this in a pinctrl
+hog, we still kept it since it didn't hurt. Pinctrl would apply the
+default hog at bootup and then would never touch things again. That
+all changed with commit 981ed1bfbc6c ("pinctrl: Really force states
+during suspend/resume"). After that commit then we'll re-apply the
+default hog at resume time and that can screw up the reset state of
+WiFi. ...and on rk3399 if you touch a device on PCIe in the wrong way
+then the whole system can go haywire. That's what was happening.
+Specifically you'd resume a rk3399-gru-* device and it would mostly
+resume, then would crash with some crazy weird crash.
+
+One could say, perhaps, that the recent pinctrl change was at fault
+(and should be fixed) since it changed behavior. ...but that's not
+really true. The device tree for rk3399-gru is really to blame.
+Specifically since the pinctrl is defined in the hog and not in the
+"wlan-pd-n" node then the actual user of this pin doesn't have a
+pinctrl entry for it. That's bad.
+
+Let's fix our problems by just moving the control of
+"wlan_module_reset_l pinctrl" out of the hog and put them in the
+proper place.
+
+NOTE: in theory, I think it should actually be possible to have a pin
+controlled _both_ by the hog and by an actual device. Once the device
+claims the pin I think the hog is supposed to let go. I'm not 100%
+sure that this works and in any case this solution would be more
+complex than is necessary.
+
+Reported-by: Marc Zyngier <marc.zyngier@arm.com>
+Fixes: 48f4d9796d99 ("arm64: dts: rockchip: add Gru/Kevin DTS")
+Fixes: 981ed1bfbc6c ("pinctrl: Really force states during suspend/resume")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Tested-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>
+Tested-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-gru.dtsi | 16 +++-------------
+ 1 file changed, 3 insertions(+), 13 deletions(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3399-gru.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-gru.dtsi
+@@ -406,8 +406,9 @@
+ wlan_pd_n: wlan-pd-n {
+ compatible = "regulator-fixed";
+ regulator-name = "wlan_pd_n";
++ pinctrl-names = "default";
++ pinctrl-0 = <&wlan_module_reset_l>;
+
+- /* Note the wlan_module_reset_l pinctrl */
+ enable-active-high;
+ gpio = <&gpio1 11 GPIO_ACTIVE_HIGH>;
+
+@@ -940,12 +941,6 @@ ap_i2c_audio: &i2c8 {
+ pinctrl-0 = <
+ &ap_pwroff /* AP will auto-assert this when in S3 */
+ &clk_32k /* This pin is always 32k on gru boards */
+-
+- /*
+- * We want this driven low ASAP; firmware should help us, but
+- * we can help ourselves too.
+- */
+- &wlan_module_reset_l
+ >;
+
+ pcfg_output_low: pcfg-output-low {
+@@ -1125,12 +1120,7 @@ ap_i2c_audio: &i2c8 {
+ };
+
+ wlan_module_reset_l: wlan-module-reset-l {
+- /*
+- * We want this driven low ASAP (As {Soon,Strongly} As
+- * Possible), to avoid leakage through the powered-down
+- * WiFi.
+- */
+- rockchip,pins = <1 11 RK_FUNC_GPIO &pcfg_output_low>;
++ rockchip,pins = <1 11 RK_FUNC_GPIO &pcfg_pull_none>;
+ };
+
+ bt_host_wake_l: bt-host-wake-l {
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: "Kamil Trzciński" <ayufan@ayufan.eu>
+Date: Mon, 22 Jan 2018 18:46:22 +0100
+Subject: arm64: dts: rockchip: fix rock64 gmac2io stability issues
+
+From: "Kamil Trzciński" <ayufan@ayufan.eu>
+
+[ Upstream commit 73e42e18669934fa96cf2bb54291da54177076d7 ]
+
+This commit enables thresh dma mode as this forces to disable checksuming,
+and chooses delay values which make the interface stable.
+
+These changes are needed, because ROCK64 is faced with two problems:
+1. tx checksuming does not work with packets larger than 1498,
+2. the default delays for tx/rx are not stable when using 1Gbps connection.
+
+Delays were found out with:
+https://github.com/ayufan-rock64/linux-build/tree/master/recipes/gmac-delays-test
+
+Signed-off-by: Kamil Trzciński <ayufan@ayufan.eu>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3328-rock64.dts | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3328-rock64.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3328-rock64.dts
+@@ -136,11 +136,12 @@
+ phy-mode = "rgmii";
+ pinctrl-names = "default";
+ pinctrl-0 = <&rgmiim1_pins>;
++ snps,force_thresh_dma_mode;
+ snps,reset-gpio = <&gpio1 RK_PC2 GPIO_ACTIVE_LOW>;
+ snps,reset-active-low;
+ snps,reset-delays-us = <0 10000 50000>;
+- tx_delay = <0x26>;
+- rx_delay = <0x11>;
++ tx_delay = <0x24>;
++ rx_delay = <0x18>;
+ status = "okay";
+ };
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Pratyush Anand <panand@redhat.com>
+Date: Mon, 5 Feb 2018 14:28:01 +0100
+Subject: arm64: fix unwind_frame() for filtered out fn for function graph tracing
+
+From: Pratyush Anand <panand@redhat.com>
+
+[ Upstream commit 9f416319f40cd857d2bb517630e5855a905ef3fb ]
+
+do_task_stat() calls get_wchan(), which further does unwind_frame().
+unwind_frame() restores frame->pc to original value in case function
+graph tracer has modified a return address (LR) in a stack frame to hook
+a function return. However, if function graph tracer has hit a filtered
+function, then we can't unwind it as ftrace_push_return_trace() has
+biased the index(frame->graph) with a 'huge negative'
+offset(-FTRACE_NOTRACE_DEPTH).
+
+Moreover, arm64 stack walker defines index(frame->graph) as unsigned
+int, which can not compare a -ve number.
+
+Similar problem we can have with calling of walk_stackframe() from
+save_stack_trace_tsk() or dump_backtrace().
+
+This patch fixes unwind_frame() to test the index for -ve value and
+restore index accordingly before we can restore frame->pc.
+
+Reproducer:
+
+cd /sys/kernel/debug/tracing/
+echo schedule > set_graph_notrace
+echo 1 > options/display-graph
+echo wakeup > current_tracer
+ps -ef | grep -i agent
+
+Above commands result in:
+Unable to handle kernel paging request at virtual address ffff801bd3d1e000
+pgd = ffff8003cbe97c00
+[ffff801bd3d1e000] *pgd=0000000000000000, *pud=0000000000000000
+Internal error: Oops: 96000006 [#1] SMP
+[...]
+CPU: 5 PID: 11696 Comm: ps Not tainted 4.11.0+ #33
+[...]
+task: ffff8003c21ba000 task.stack: ffff8003cc6c0000
+PC is at unwind_frame+0x12c/0x180
+LR is at get_wchan+0xd4/0x134
+pc : [<ffff00000808892c>] lr : [<ffff0000080860b8>] pstate: 60000145
+sp : ffff8003cc6c3ab0
+x29: ffff8003cc6c3ab0 x28: 0000000000000001
+x27: 0000000000000026 x26: 0000000000000026
+x25: 00000000000012d8 x24: 0000000000000000
+x23: ffff8003c1c04000 x22: ffff000008c83000
+x21: ffff8003c1c00000 x20: 000000000000000f
+x19: ffff8003c1bc0000 x18: 0000fffffc593690
+x17: 0000000000000000 x16: 0000000000000001
+x15: 0000b855670e2b60 x14: 0003e97f22cf1d0f
+x13: 0000000000000001 x12: 0000000000000000
+x11: 00000000e8f4883e x10: 0000000154f47ec8
+x9 : 0000000070f367c0 x8 : 0000000000000000
+x7 : 00008003f7290000 x6 : 0000000000000018
+x5 : 0000000000000000 x4 : ffff8003c1c03cb0
+x3 : ffff8003c1c03ca0 x2 : 00000017ffe80000
+x1 : ffff8003cc6c3af8 x0 : ffff8003d3e9e000
+
+Process ps (pid: 11696, stack limit = 0xffff8003cc6c0000)
+Stack: (0xffff8003cc6c3ab0 to 0xffff8003cc6c4000)
+[...]
+[<ffff00000808892c>] unwind_frame+0x12c/0x180
+[<ffff000008305008>] do_task_stat+0x864/0x870
+[<ffff000008305c44>] proc_tgid_stat+0x3c/0x48
+[<ffff0000082fde0c>] proc_single_show+0x5c/0xb8
+[<ffff0000082b27e0>] seq_read+0x160/0x414
+[<ffff000008289e6c>] __vfs_read+0x58/0x164
+[<ffff00000828b164>] vfs_read+0x88/0x144
+[<ffff00000828c2e8>] SyS_read+0x60/0xc0
+[<ffff0000080834a0>] __sys_trace_return+0x0/0x4
+
+Fixes: 20380bb390a4 (arm64: ftrace: fix a stack tracer's output under function graph tracer)
+Signed-off-by: Pratyush Anand <panand@redhat.com>
+Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
+[catalin.marinas@arm.com: replace WARN_ON with WARN_ON_ONCE]
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/stacktrace.h | 2 +-
+ arch/arm64/kernel/stacktrace.c | 5 +++++
+ arch/arm64/kernel/time.c | 2 +-
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/stacktrace.h
++++ b/arch/arm64/include/asm/stacktrace.h
+@@ -27,7 +27,7 @@ struct stackframe {
+ unsigned long fp;
+ unsigned long pc;
+ #ifdef CONFIG_FUNCTION_GRAPH_TRACER
+- unsigned int graph;
++ int graph;
+ #endif
+ };
+
+--- a/arch/arm64/kernel/stacktrace.c
++++ b/arch/arm64/kernel/stacktrace.c
+@@ -59,6 +59,11 @@ int notrace unwind_frame(struct task_str
+ #ifdef CONFIG_FUNCTION_GRAPH_TRACER
+ if (tsk->ret_stack &&
+ (frame->pc == (unsigned long)return_to_handler)) {
++ if (WARN_ON_ONCE(frame->graph == -1))
++ return -EINVAL;
++ if (frame->graph < -1)
++ frame->graph += FTRACE_NOTRACE_DEPTH;
++
+ /*
+ * This is a case where function graph tracer has
+ * modified a return address (LR) in a stack frame
+--- a/arch/arm64/kernel/time.c
++++ b/arch/arm64/kernel/time.c
+@@ -52,7 +52,7 @@ unsigned long profile_pc(struct pt_regs
+ frame.fp = regs->regs[29];
+ frame.pc = regs->pc;
+ #ifdef CONFIG_FUNCTION_GRAPH_TRACER
+- frame.graph = -1; /* no task info */
++ frame.graph = current->curr_ret_stack;
+ #endif
+ do {
+ int ret = unwind_frame(NULL, &frame);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Sun, 3 Dec 2017 17:50:00 +0000
+Subject: arm64: insn: Allow ADD/SUB (immediate) with LSL #12
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+[ Upstream commit 11d764079c9f25d1da8e10906d54da7fefec5844 ]
+
+The encoder for ADD/SUB (immediate) can only cope with 12bit
+immediates, while there is an encoding for a 12bit immediate shifted
+by 12 bits to the left.
+
+Let's fix this small oversight by allowing the LSL_12 bit to be set.
+
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/insn.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/insn.c
++++ b/arch/arm64/kernel/insn.c
+@@ -35,6 +35,7 @@
+
+ #define AARCH64_INSN_SF_BIT BIT(31)
+ #define AARCH64_INSN_N_BIT BIT(22)
++#define AARCH64_INSN_LSL_12 BIT(22)
+
+ static int aarch64_insn_encoding_class[] = {
+ AARCH64_INSN_CLS_UNKNOWN,
+@@ -899,9 +900,18 @@ u32 aarch64_insn_gen_add_sub_imm(enum aa
+ return AARCH64_BREAK_FAULT;
+ }
+
++ /* We can't encode more than a 24bit value (12bit + 12bit shift) */
++ if (imm & ~(BIT(24) - 1))
++ goto out;
++
++ /* If we have something in the top 12 bits... */
+ if (imm & ~(SZ_4K - 1)) {
+- pr_err("%s: invalid immediate encoding %d\n", __func__, imm);
+- return AARCH64_BREAK_FAULT;
++ /* ... and in the low 12 bits -> error */
++ if (imm & (SZ_4K - 1))
++ goto out;
++
++ imm >>= 12;
++ insn |= AARCH64_INSN_LSL_12;
+ }
+
+ insn = aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RD, insn, dst);
+@@ -909,6 +919,10 @@ u32 aarch64_insn_gen_add_sub_imm(enum aa
+ insn = aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RN, insn, src);
+
+ return aarch64_insn_encode_immediate(AARCH64_INSN_IMM_12, insn, imm);
++
++out:
++ pr_err("%s: invalid immediate encoding %d\n", __func__, imm);
++ return AARCH64_BREAK_FAULT;
+ }
+
+ u32 aarch64_insn_gen_bitfield(enum aarch64_insn_register dst,
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Wed, 14 Feb 2018 17:21:57 +0000
+Subject: arm64: perf: correct PMUVer probing
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 0331365edb1d6ccd6ae68b1038111da85d4c68d1 ]
+
+The ID_AA64DFR0_EL1.PMUVer field doesn't follow the usual ID registers
+scheme. While value 0xf indicates a non-architected PMU is implemented,
+values 0x1 to 0xe indicate an increasingly featureful architected PMU,
+as if the field were unsigned.
+
+For more details, see ARM DDI 0487C.a, D10.1.4, "Alternative ID scheme
+used for the Performance Monitors Extension version".
+
+Currently, we treat the field as signed, and erroneously bail out for
+values 0x8 to 0xe. Let's correct that.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/perf_event.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/perf_event.c
++++ b/arch/arm64/kernel/perf_event.c
+@@ -914,9 +914,9 @@ static void __armv8pmu_probe_pmu(void *i
+ int pmuver;
+
+ dfr0 = read_sysreg(id_aa64dfr0_el1);
+- pmuver = cpuid_feature_extract_signed_field(dfr0,
++ pmuver = cpuid_feature_extract_unsigned_field(dfr0,
+ ID_AA64DFR0_PMUVER_SHIFT);
+- if (pmuver < 1)
++ if (pmuver == 0xf || pmuver == 0)
+ return;
+
+ probe->present = true;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Fri, 9 Mar 2018 15:40:50 +0000
+Subject: arm64: Relax ARM_SMCCC_ARCH_WORKAROUND_1 discovery
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+[ Upstream commit e21da1c992007594d391e7b301779cf30f438691 ]
+
+A recent update to the ARM SMCCC ARCH_WORKAROUND_1 specification
+allows firmware to return a non zero, positive value to describe
+that although the mitigation is implemented at the higher exception
+level, the CPU on which the call is made is not affected.
+
+Let's relax the check on the return value from ARCH_WORKAROUND_1
+so that we only error out if the returned value is negative.
+
+Fixes: b092201e0020 ("arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support")
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/cpu_errata.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/cpu_errata.c
++++ b/arch/arm64/kernel/cpu_errata.c
+@@ -178,7 +178,7 @@ static int enable_smccc_arch_workaround_
+ case PSCI_CONDUIT_HVC:
+ arm_smccc_1_1_hvc(ARM_SMCCC_ARCH_FEATURES_FUNC_ID,
+ ARM_SMCCC_ARCH_WORKAROUND_1, &res);
+- if (res.a0)
++ if ((int)res.a0 < 0)
+ return 0;
+ cb = call_hvc_arch_workaround_1;
+ smccc_start = __smccc_workaround_1_hvc_start;
+@@ -188,7 +188,7 @@ static int enable_smccc_arch_workaround_
+ case PSCI_CONDUIT_SMC:
+ arm_smccc_1_1_smc(ARM_SMCCC_ARCH_FEATURES_FUNC_ID,
+ ARM_SMCCC_ARCH_WORKAROUND_1, &res);
+- if (res.a0)
++ if ((int)res.a0 < 0)
+ return 0;
+ cb = call_smc_arch_workaround_1;
+ smccc_start = __smccc_workaround_1_smc_start;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Tue, 20 Feb 2018 16:19:05 +0200
+Subject: ASoC: hdmi-codec: Fix module unloading caused kernel crash
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+[ Upstream commit 5e558f8afaec8957932b1dbe5aeff800f9fc6957 ]
+
+The hcp->chmap_info must not be freed up in the hdmi_codec_remove()
+function as it leads to kernel crash due ALSA core's
+pcm_chmap_ctl_private_free() is trying to free it up again when the card
+destroyed via snd_card_free.
+
+Commit cd6111b26280a ("ASoC: hdmi-codec: add channel mapping control")
+should not have added the kfree(hcp->chmap_info); to the hdmi_codec_remove
+function.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Reviewed-by: Jyri Sarha <jsarha@ti.com>
+Tested-by: Jyri Sarha <jsarha@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/hdmi-codec.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/sound/soc/codecs/hdmi-codec.c
++++ b/sound/soc/codecs/hdmi-codec.c
+@@ -801,12 +801,7 @@ static int hdmi_codec_probe(struct platf
+
+ static int hdmi_codec_remove(struct platform_device *pdev)
+ {
+- struct device *dev = &pdev->dev;
+- struct hdmi_codec_priv *hcp;
+-
+- hcp = dev_get_drvdata(dev);
+- kfree(hcp->chmap_info);
+- snd_soc_unregister_codec(dev);
++ snd_soc_unregister_codec(&pdev->dev);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Ezequiel Garcia <ezequiel@collabora.co.uk>
+Date: Tue, 20 Mar 2018 13:03:31 -0300
+Subject: ASoC: rockchip: rk3288-hdmi-analog: Select needed codecs
+
+From: Ezequiel Garcia <ezequiel@collabora.co.uk>
+
+[ Upstream commit b1d0db067fbe2598d62b248beea5d705a0ea7642 ]
+
+The driver does not select all the codec drivers that needs.
+Fix it by selecting the analog and HDMI codecs.
+
+Cc: Sjoerd Simons <sjoerd.simons@collabora.co.uk>
+Signed-off-by: Ezequiel Garcia <ezequiel@collabora.co.uk>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/rockchip/Kconfig | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/soc/rockchip/Kconfig
++++ b/sound/soc/rockchip/Kconfig
+@@ -56,6 +56,9 @@ config SND_SOC_RK3288_HDMI_ANALOG
+ depends on SND_SOC_ROCKCHIP && I2C && GPIOLIB && CLKDEV_LOOKUP
+ select SND_SOC_ROCKCHIP_I2S
+ select SND_SOC_HDMI_CODEC
++ select SND_SOC_ES8328_I2C
++ select SND_SOC_ES8328_SPI if SPI_MASTER
++ select DRM_DW_HDMI_I2S_AUDIO if DRM_DW_HDMI
+ help
+ Say Y or M here if you want to add support for SoC audio on Rockchip
+ RK3288 boards using an analog output and the built-in HDMI audio.
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Date: Mon, 5 Feb 2018 16:43:56 +0100
+Subject: ASoC: samsung: i2s: Ensure the RCLK rate is properly determined
+
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+
+[ Upstream commit 647d04f8e07afc7c3b7a42b3ee01a8b28db29631 ]
+
+If the RCLK mux clock configuration is specified in DT and no set_sysclk()
+callback is used in the sound card driver the sclk_srcrate field will remain
+set to 0, leading to an incorrect PSR divider setting.
+To fix this the frequency value is retrieved from the CLK_I2S_RCLK_SRC clock,
+so the actual RCLK mux selection is taken into account.
+
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/samsung/i2s.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/samsung/i2s.c
++++ b/sound/soc/samsung/i2s.c
+@@ -653,8 +653,12 @@ static int i2s_set_fmt(struct snd_soc_da
+ tmp |= mod_slave;
+ break;
+ case SND_SOC_DAIFMT_CBS_CFS:
+- /* Set default source clock in Master mode */
+- if (i2s->rclk_srcrate == 0)
++ /*
++ * Set default source clock in Master mode, only when the
++ * CLK_I2S_RCLK_SRC clock is not exposed so we ensure any
++ * clock configuration assigned in DT is not overwritten.
++ */
++ if (i2s->rclk_srcrate == 0 && i2s->clk_data.clks == NULL)
+ i2s_set_sysclk(dai, SAMSUNG_I2S_RCLKSRC_0,
+ 0, SND_SOC_CLOCK_IN);
+ break;
+@@ -878,6 +882,11 @@ static int config_setup(struct i2s_dai *
+ return 0;
+
+ if (!(i2s->quirks & QUIRK_NO_MUXPSR)) {
++ struct clk *rclksrc = i2s->clk_table[CLK_I2S_RCLK_SRC];
++
++ if (i2s->rclk_srcrate == 0 && rclksrc && !IS_ERR(rclksrc))
++ i2s->rclk_srcrate = clk_get_rate(rclksrc);
++
+ psr = i2s->rclk_srcrate / i2s->frmclk / rfs;
+ writel(((psr - 1) << 8) | PSR_PSREN, i2s->addr + I2SPSR);
+ dev_dbg(&i2s->pdev->dev,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Date: Wed, 14 Mar 2018 17:41:13 +0100
+Subject: ASoC: samsung: odroid: Fix 32000 sample rate handling
+
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+
+[ Upstream commit 1d22c337dc8f3a25638f7262e7bcb5729a34d140 ]
+
+In case of sample rates lower than 44100 currently there is too low MCLK
+frequency set for the CODEC. Playback fails with following errors:
+
+$ speaker-test -c2 -t sine -f 1500 -l2 -r 32000
+
+Sine wave rate is 1500.0000Hz
+Rate set to 32000Hz (requested 32000Hz)
+Buffer size range from 128 to 131072
+Period size range from 64 to 65536
+Using max buffer size 131072
+Periods = 4
+Unable to set hw params for playback: Invalid argument
+Setting of hwparams failed: Invalid argument
+
+[ 497.883700] max98090 1-0010: Invalid master clock frequency
+
+To fix this the I2S root clock's frequency is increased, depending
+on sampling rate.
+
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/samsung/odroid.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/samsung/odroid.c
++++ b/sound/soc/samsung/odroid.c
+@@ -36,23 +36,26 @@ static int odroid_card_hw_params(struct
+ {
+ struct snd_soc_pcm_runtime *rtd = substream->private_data;
+ struct odroid_priv *priv = snd_soc_card_get_drvdata(rtd->card);
+- unsigned int pll_freq, rclk_freq;
++ unsigned int pll_freq, rclk_freq, rfs;
+ int ret;
+
+ switch (params_rate(params)) {
+- case 32000:
+ case 64000:
+- pll_freq = 131072006U;
++ pll_freq = 196608001U;
++ rfs = 384;
+ break;
+ case 44100:
+ case 88200:
+ case 176400:
+ pll_freq = 180633609U;
++ rfs = 512;
+ break;
++ case 32000:
+ case 48000:
+ case 96000:
+ case 192000:
+ pll_freq = 196608001U;
++ rfs = 512;
+ break;
+ default:
+ return -EINVAL;
+@@ -67,7 +70,7 @@ static int odroid_card_hw_params(struct
+ * frequency values due to the EPLL output frequency not being exact
+ * multiple of the audio sampling rate.
+ */
+- rclk_freq = params_rate(params) * 256 + 1;
++ rclk_freq = params_rate(params) * rfs + 1;
+
+ ret = clk_set_rate(priv->sclk_i2s, rclk_freq);
+ if (ret < 0)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Date: Fri, 9 Mar 2018 11:11:17 -0800
+Subject: ASoC: topology: create TLV data for dapm widgets
+
+From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+
+[ Upstream commit bde8b3887add8368ecf0ca71117baf2fd56a6fc9 ]
+
+This patch adds the change required to create the TLV data
+for dapm widget kcontrols from topology. This also fixes the following
+TLV read error shown in amixer while showing the card control contents.
+"amixer: Control hw:1 element TLV read error: No such device or address"
+
+Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/soc-topology.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -1276,6 +1276,9 @@ static struct snd_kcontrol_new *soc_tplg
+ kfree(sm);
+ continue;
+ }
++
++ /* create any TLV data */
++ soc_tplg_create_tlv(tplg, &kc[i], &mc->hdr);
+ }
+ return kc;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Anilkumar Kolli <akolli@codeaurora.org>
+Date: Wed, 28 Mar 2018 12:19:40 +0300
+Subject: ath10k: advertize beacon_int_min_gcd
+
+From: Anilkumar Kolli <akolli@codeaurora.org>
+
+[ Upstream commit 8ebee73b574ad3dd1f14d461f65ceaffbd637650 ]
+
+This patch fixes regression caused by 0c317a02ca98
+("cfg80211: support virtual interfaces with different beacon intervals"),
+with this change cfg80211 expects the driver to advertize
+'beacon_int_min_gcd' to support different beacon intervals in multivap
+scenario. This support is added for, QCA988X/QCA99X0/QCA9984/QCA4019.
+
+Verifed AP + mesh bring up on QCA9984 with beacon interval 100msec and
+1000msec respectively.
+Frimware: firmware-5.bin_10.4-3.5.3-00053
+
+Fixes: 0c317a02ca98 ("cfg80211: support virtual interfaces with different beacon intervals")
+Signed-off-by: Anilkumar Kolli <akolli@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -7810,6 +7810,7 @@ static const struct ieee80211_iface_comb
+ .max_interfaces = 8,
+ .num_different_channels = 1,
+ .beacon_int_infra_match = true,
++ .beacon_int_min_gcd = 1,
+ #ifdef CONFIG_ATH10K_DFS_CERTIFIED
+ .radar_detect_widths = BIT(NL80211_CHAN_WIDTH_20_NOHT) |
+ BIT(NL80211_CHAN_WIDTH_20) |
+@@ -7933,6 +7934,7 @@ static const struct ieee80211_iface_comb
+ .max_interfaces = 16,
+ .num_different_channels = 1,
+ .beacon_int_infra_match = true,
++ .beacon_int_min_gcd = 1,
+ #ifdef CONFIG_ATH10K_DFS_CERTIFIED
+ .radar_detect_widths = BIT(NL80211_CHAN_WIDTH_20_NOHT) |
+ BIT(NL80211_CHAN_WIDTH_20) |
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Karthikeyan Periyasamy <periyasa@codeaurora.org>
+Date: Mon, 12 Mar 2018 17:09:40 +0530
+Subject: ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk)
+
+From: Karthikeyan Periyasamy <periyasa@codeaurora.org>
+
+[ Upstream commit 8b2d93dd22615cb7f3046a5a2083a6f8bb8052ed ]
+
+When attempt to run worker (ath10k_sta_rc_update_wk) after the station object
+(ieee80211_sta) delete will trigger the kernel panic.
+
+This problem arise in AP + Mesh configuration, Where the current node AP VAP
+and neighbor node mesh VAP MAC address are same. When the current mesh node
+try to establish the mesh link with neighbor node, driver peer creation for
+the neighbor mesh node fails due to duplication MAC address. Already the AP
+VAP created with same MAC address.
+
+It is caused by the following scenario steps.
+
+Steps:
+1. In above condition, ath10k driver sta_state callback (ath10k_sta_state)
+ fails to do the state change for a station from IEEE80211_STA_NOTEXIST
+ to IEEE80211_STA_NONE due to peer creation fails. Sta_state callback is
+ called from ieee80211_add_station() to handle the new station
+ (neighbor mesh node) request from the wpa_supplicant.
+2. Concurrently ath10k receive the sta_rc_update callback notification from
+ the mesh_neighbour_update() to handle the beacon frames of the above
+ neighbor mesh node. since its atomic callback, ath10k driver queue the
+ work (ath10k_sta_rc_update_wk) to handle rc update.
+3. Due to driver sta_state callback fails (step 1), mac80211 free the station
+ object.
+4. When the worker (ath10k_sta_rc_update_wk) scheduled to run, it will access
+ the station object which is already deleted. so it will trigger kernel
+ panic.
+
+Added the peer exist check in sta_rc_update callback before queue the work.
+
+Kernel Panic log:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000000
+pgd = c0204000
+[00000000] *pgd=00000000
+Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+CPU: 1 PID: 1833 Comm: kworker/u4:2 Not tainted 3.14.77 #1
+task: dcef0000 ti: d72b6000 task.ti: d72b6000
+PC is at pwq_activate_delayed_work+0x10/0x40
+LR is at pwq_activate_delayed_work+0xc/0x40
+pc : [<c023f988>] lr : [<c023f984>] psr: 40000193
+sp : d72b7f18 ip : 0000007a fp : d72b6000
+r10: 00000000 r9 : dd404414 r8 : d8c31998
+r7 : d72b6038 r6 : 00000004 r5 : d4907ec8 r4 : dcee1300
+r3 : ffffffe0 r2 : 00000000 r1 : 00000001 r0 : 00000000
+Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
+Control: 10c5787d Table: 595bc06a DAC: 00000015
+...
+Process kworker/u4:2 (pid: 1833, stack limit = 0xd72b6238)
+Stack: (0xd72b7f18 to 0xd72b8000)
+7f00: 00000001 dcee1300
+7f20: 00000001 c02410dc d8c31980 dd404400 dd404400 c0242790 d8c31980 00000089
+7f40: 00000000 d93e1340 00000000 d8c31980 c0242568 00000000 00000000 00000000
+7f60: 00000000 c02474dc 00000000 00000000 000000f8 d8c31980 00000000 00000000
+7f80: d72b7f80 d72b7f80 00000000 00000000 d72b7f90 d72b7f90 d72b7fac d93e1340
+7fa0: c0247404 00000000 00000000 c0208d20 00000000 00000000 00000000 00000000
+7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
+[<c023f988>] (pwq_activate_delayed_work) from [<c02410dc>] (pwq_dec_nr_in_flight+0x58/0xc4)
+[<c02410dc>] (pwq_dec_nr_in_flight) from [<c0242790>] (worker_thread+0x228/0x360)
+[<c0242790>] (worker_thread) from [<c02474dc>] (kthread+0xd8/0xec)
+[<c02474dc>] (kthread) from [<c0208d20>] (ret_from_fork+0x14/0x34)
+Code: e92d4038 e1a05000 ebffffbc[69210.619376] SMP: failed to stop secondary CPUs
+Rebooting in 3 seconds..
+
+Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -7059,10 +7059,20 @@ static void ath10k_sta_rc_update(struct
+ {
+ struct ath10k *ar = hw->priv;
+ struct ath10k_sta *arsta = (struct ath10k_sta *)sta->drv_priv;
++ struct ath10k_vif *arvif = (void *)vif->drv_priv;
++ struct ath10k_peer *peer;
+ u32 bw, smps;
+
+ spin_lock_bh(&ar->data_lock);
+
++ peer = ath10k_peer_find(ar, arvif->vdev_id, sta->addr);
++ if (!peer) {
++ spin_unlock_bh(&ar->data_lock);
++ ath10k_warn(ar, "mac sta rc update failed to find peer %pM on vdev %i\n",
++ sta->addr, arvif->vdev_id);
++ return;
++ }
++
+ ath10k_dbg(ar, ATH10K_DBG_MAC,
+ "mac sta rc update for %pM changed %08x bw %d nss %d smps %d\n",
+ sta->addr, changed, sta->bandwidth, sta->rx_nss,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sebastian Gottschall <s.gottschall@dd-wrt.com>
+Date: Sat, 3 Mar 2018 05:10:44 +0100
+Subject: ath9k: fix crash in spectral scan
+
+From: Sebastian Gottschall <s.gottschall@dd-wrt.com>
+
+[ Upstream commit 221b6ec69ed9c56b6cd9a124a387a9472f14284e ]
+
+Fixes crash seen on arm smp systems (gateworks ventana imx6):
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000014
+pgd = 80004000
+[00000014] *pgd=00000000
+Internal error: Oops - BUG: 17 [#1] PREEMPT SMP ARM
+Modules linked in: ip6table_filter nf_conntrack_ipv6 ip6_tables nf_log_ipv6 nf_defrag_ipv6 shortcut_fe ipcomp6 xfrm_ipcomp xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_transport xfrm6_mode_ro xfrm6_mode_beet ip6_tunnel tunnel6 mip6 ah6 esp6 xfrm_algo sit ip_tunnel tunnel4 ipv6 ath10k_pci ath10k_core ath9k ath mac80211 cfg80211 compat ath_pci ath_hal(P) caamalg authencesn authenc caamrng caamhash caam_jr caam cdc_ncm usbnet usbcore sky2 imx2_wdt
+CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: P 4.9.85 #19
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+task: bf064980 task.stack: bf07c000
+PC is at relay_buf_full+0xc/0x30
+LR is at _674+0x740/0xf10 [ath9k]
+pc : [<8018bce0>] lr : [<7f1aa604>] psr: 80000013
+sp : bf07dbf0 ip : bf07dc00 fp : bf07dbfc
+r10: 0000003f r9 : bf130e00 r8 : 809044b0
+r7 : 00000000 r6 : be67a9f0 r5 : 00000000 r4 : 809043e4
+r3 : c0864c24 r2 : 00000000 r1 : 00000004 r0 : 00000000
+Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+Control: 10c5387d Table: 4e6a004a DAC: 00000055
+Process ksoftirqd/0 (pid: 3, stack limit = 0xbf07c210)
+Stack: (0xbf07dbf0 to 0xbf07e000)
+dbe0: bf07dd04 bf07dc00 7f1aa604 8018bce0
+dc00: 00004014 be59e010 bf07dc34 bf07dc18 7f1a7084 7f19c07c be59c010 be6470a0
+dc20: 0000096c be648954 bf07dc6c bf07dc38 7f1c286c bf07dd90 bf07dc5c bf07dc48
+dc40: 8029ea4c 0000003c 00000001 be59c010 00000094 00000000 00000000 00000000
+dc60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+dc80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+dca0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+dcc0: 00000000 00000000 00000000 00000000 00000000 00000000 8010ef24 00000030
+dce0: be94f5e8 be6485a0 bddf0200 be59c010 be6465a0 be6415a0 bf07ddf4 bf07dd08
+dd00: 7f1cf800 7f1aa55c 1fc38c4c 00000000 bf07dd58 cccccccd 66666667 be640bc0
+dd20: bf07dd54 be6415a0 1fc38c4c 00000000 00000000 be59c038 be67a9c0 be59e010
+dd40: be67a9f0 be647170 8090c904 be59c010 00000000 00000001 1fc38e84 00000000
+dd60: be640bc0 bddf0200 00000200 00000010 0000003f 00000002 20000013 be59c010
+dd80: 8092d940 bf7ca2c0 bf07ddb4 bf07dd98 1fc38c4c 2602003f 0100ff1b 80ff1b00
+dda0: 00808080 00000000 00000000 80808080 80808080 80808080 80808080 00008080
+ddc0: 00000000 00000000 7f1b62b8 00000002 be6470ec be6470f0 00000000 bf07de98
+dde0: 8092d940 be6415a0 bf07de94 bf07ddf8 7f1d1ed8 7f1cf1fc 00000000 00000000
+de00: bf7cc4c0 00000400 be6470f0 bf07de18 8015165c be59c010 8090453c 8090453c
+de20: bf07dec4 be6465a0 8014f614 80148884 0000619a 00000001 bf07c000 00000100
+de40: bf07de78 00000001 7f327850 00000002 afb50401 bf064980 bf07de9c bf07de68
+de60: bf064a00 803cc668 bf064a00 be6470b4 be6470b8 80844180 00000000 bf07de98
+de80: 8092d940 bf07c000 bf07dec4 bf07de98 80124d18 7f1d1c44 80124c94 00000000
+dea0: 00000006 80902098 80902080 40000006 00000100 bf07c000 bf07df24 bf07dec8
+dec0: 8012501c 80124ca0 bf7cc4c0 bf064980 be95e1c0 04208040 80902d00 000061c7
+dee0: 0000000a 80600b54 8092d940 808441f8 80902080 bf07dec8 bf03b200 bf07c000
+df00: bf03b200 8090fe54 00000000 00000000 00000000 00000000 bf07df34 bf07df28
+df20: 80125148 80124f28 bf07df5c bf07df38 8013deb4 8012511c 00000000 bf03b240
+df40: bf03b200 8013dc90 00000000 00000000 bf07dfac bf07df60 8013ad40 8013dc9c
+df60: 70448040 00000001 00000000 bf03b200 00000000 00030003 bf07df78 bf07df78
+df80: 00000000 00000000 bf07df88 bf07df88 bf03b240 8013ac48 00000000 00000000
+dfa0: 00000000 bf07dfb0 80107760 8013ac54 00000000 00000000 00000000 00000000
+dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+dfe0: 00000000 00000000 00000000 00000000 00000013 00000000 8c120004 1190ad04
+Backtrace:
+[<8018bcd4>] (relay_buf_full) from [<7f1aa604>] (_674+0x740/0xf10 [ath9k])
+[<7f1aa550>] (_674 [ath9k]) from [<7f1cf800>] (_582+0x14b4/0x3708 [ath9k])
+ r10:be6415a0 r9:be6465a0 r8:be59c010 r7:bddf0200 r6:be6485a0 r5:be94f5e8
+ r4:00000030
+[<7f1cf1f0>] (_582 [ath9k]) from [<7f1d1ed8>] (_735+0x2a0/0xec4 [ath9k])
+ r10:be6415a0 r9:8092d940 r8:bf07de98 r7:00000000 r6:be6470f0 r5:be6470ec
+ r4:00000002
+[<7f1d1c38>] (_735 [ath9k]) from [<80124d18>] (tasklet_action+0x84/0xf8)
+ r10:bf07c000 r9:8092d940 r8:bf07de98 r7:00000000 r6:80844180 r5:be6470b8
+ r4:be6470b4
+[<80124c94>] (tasklet_action) from [<8012501c>] (__do_softirq+0x100/0x1f4)
+ r10:bf07c000 r9:00000100 r8:40000006 r7:80902080 r6:80902098 r5:00000006
+ r4:00000000 r3:80124c94
+[<80124f1c>] (__do_softirq) from [<80125148>] (run_ksoftirqd+0x38/0x4c)
+ r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:8090fe54 r5:bf03b200
+ r4:bf07c000
+[<80125110>] (run_ksoftirqd) from [<8013deb4>] (smpboot_thread_fn+0x224/0x260)
+[<8013dc90>] (smpboot_thread_fn) from [<8013ad40>] (kthread+0xf8/0x100)
+ r9:00000000 r8:00000000 r7:8013dc90 r6:bf03b200 r5:bf03b240 r4:00000000
+[<8013ac48>] (kthread) from [<80107760>] (ret_from_fork+0x14/0x34)
+ r7:00000000 r6:00000000 r5:8013ac48 r4:bf03b240
+Code: e89da800 e1a0c00d e92dd800 e24cb004 (e5901014)
+---[ end trace dddf11ac9111b272 ]---
+Kernel panic - not syncing: Fatal exception in interrupt
+CPU1: stopping
+CPU: 1 PID: 0 Comm: swapper/1 Tainted: P D 4.9.85 #19
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Backtrace:
+[<8010a708>] (dump_backtrace) from [<8010a99c>] (show_stack+0x18/0x1c)
+ r7:bf093f58 r6:20000193 r5:809168e8 r4:00000000
+[<8010a984>] (show_stack) from [<802a09c4>] (dump_stack+0x94/0xa8)
+[<802a0930>] (dump_stack) from [<8010d184>] (handle_IPI+0xe8/0x180)
+ r7:bf093f58 r6:00000000 r5:00000001 r4:808478c4
+[<8010d09c>] (handle_IPI) from [<801013e8>] (gic_handle_irq+0x78/0x7c)
+ r7:f4000100 r6:bf093f58 r5:f400010c r4:8090467c
+[<80101370>] (gic_handle_irq) from [<8010b378>] (__irq_svc+0x58/0x8c)
+Exception stack(0xbf093f58 to 0xbf093fa0)
+3f40: bf7d62a0 00000000
+3f60: 0010a5f4 80113460 bf092000 809043e4 00000002 80904434 bf092008 412fc09a
+3f80: 00000000 bf093fb4 bf093fb8 bf093fa8 8010804c 80108050 60000013 ffffffff
+ r9:bf092000 r8:bf092008 r7:bf093f8c r6:ffffffff r5:60000013 r4:80108050
+[<80108014>] (arch_cpu_idle) from [<80553c2c>] (default_idle_call+0x30/0x34)
+[<80553bfc>] (default_idle_call) from [<80158394>] (cpu_startup_entry+0xc4/0xfc)
+[<801582d0>] (cpu_startup_entry) from [<8010ce40>] (secondary_start_kernel+0x168/0x174)
+ r7:8092d2f8 r4:80913568
+[<8010ccd8>] (secondary_start_kernel) from [<10101488>] (0x10101488)
+ r5:00000055 r4:4f07806a
+Rebooting in 10 seconds..
+Reboot failed -- System halted
+
+Signed-off-by: Sebastian Gottschall <s.gottschall@dd-wrt.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath9k/common-spectral.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/common-spectral.c
++++ b/drivers/net/wireless/ath/ath9k/common-spectral.c
+@@ -479,14 +479,16 @@ ath_cmn_is_fft_buf_full(struct ath_spec_
+ {
+ int i = 0;
+ int ret = 0;
++ struct rchan_buf *buf;
+ struct rchan *rc = spec_priv->rfs_chan_spec_scan;
+
+- for_each_online_cpu(i)
+- ret += relay_buf_full(*per_cpu_ptr(rc->buf, i));
++ for_each_possible_cpu(i) {
++ if ((buf = *per_cpu_ptr(rc->buf, i))) {
++ ret += relay_buf_full(buf);
++ }
++ }
+
+- i = num_online_cpus();
+-
+- if (ret == i)
++ if (ret)
+ return 1;
+ else
+ return 0;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Richard Guy Briggs <rgb@redhat.com>
+Date: Wed, 21 Feb 2018 04:30:07 -0500
+Subject: audit: return on memory error to avoid null pointer dereference
+
+From: Richard Guy Briggs <rgb@redhat.com>
+
+[ Upstream commit 23138ead270045f1b3e912e667967b6094244999 ]
+
+If there is a memory allocation error when trying to change an audit
+kernel feature value, the ignored allocation error will trigger a NULL
+pointer dereference oops on subsequent use of that pointer. Return
+instead.
+
+Passes audit-testsuite.
+See: https://github.com/linux-audit/audit-kernel/issues/76
+
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+[PM: not necessary (other funcs check for NULL), but a good practice]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/audit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1058,6 +1058,8 @@ static void audit_log_feature_change(int
+ return;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
++ if (!ab)
++ return;
+ audit_log_task_info(ab, current);
+ audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
+ audit_feature_names[which], !!old_feature, !!new_feature,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Fri, 16 Mar 2018 11:29:10 +0100
+Subject: batman-adv: fix header size check in batadv_dbg_arp()
+
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+
+[ Upstream commit 6f27d2c2a8c236d296201c19abb8533ec20d212b ]
+
+Checking for 0 is insufficient: when an SKB without a batadv header, but
+with a VLAN header is received, hdr_size will be 4, making the following
+code interpret the Ethernet header as a batadv header.
+
+Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/distributed-arp-table.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -391,7 +391,7 @@ static void batadv_dbg_arp(struct batadv
+ batadv_arp_hw_src(skb, hdr_size), &ip_src,
+ batadv_arp_hw_dst(skb, hdr_size), &ip_dst);
+
+- if (hdr_size == 0)
++ if (hdr_size < sizeof(struct batadv_unicast_packet))
+ return;
+
+ unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Linus Lüssing" <linus.luessing@c0d3.blue>
+Date: Sun, 4 Mar 2018 13:08:17 +0100
+Subject: batman-adv: Fix multicast packet loss with a single WANT_ALL_IPV4/6 flag
+
+From: "Linus Lüssing" <linus.luessing@c0d3.blue>
+
+[ Upstream commit 74c12c630fe310eb7fcae1b292257d47781fff0a ]
+
+As the kernel doc describes too the code is supposed to skip adding
+multicast TT entries if both the WANT_ALL_IPV4 and WANT_ALL_IPV6 flags
+are present.
+
+Unfortunately, the current code even skips adding multicast TT entries
+if only either the WANT_ALL_IPV4 or WANT_ALL_IPV6 is present.
+
+This could lead to IPv6 multicast packet loss if only an IGMP but not an
+MLD querier is present for instance or vice versa.
+
+Fixes: 687937ab3489 ("batman-adv: Add multicast optimization support for bridged setups")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/multicast.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/multicast.c
++++ b/net/batman-adv/multicast.c
+@@ -540,8 +540,8 @@ update:
+ bat_priv->mcast.enabled = true;
+ }
+
+- return !(mcast_data.flags &
+- (BATADV_MCAST_WANT_ALL_IPV4 | BATADV_MCAST_WANT_ALL_IPV6));
++ return !(mcast_data.flags & BATADV_MCAST_WANT_ALL_IPV4 &&
++ mcast_data.flags & BATADV_MCAST_WANT_ALL_IPV6);
+ }
+
+ /**
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Linus Lüssing" <linus.luessing@c0d3.blue>
+Date: Tue, 20 Mar 2018 03:13:27 +0100
+Subject: batman-adv: fix multicast-via-unicast transmission with AP isolation
+
+From: "Linus Lüssing" <linus.luessing@c0d3.blue>
+
+[ Upstream commit f8fb3419ead44f9a3136995acd24e35da4525177 ]
+
+For multicast frames AP isolation is only supposed to be checked on
+the receiving nodes and never on the originating one.
+
+Furthermore, the isolation or wifi flag bits should only be intepreted
+as such for unicast and never multicast TT entries.
+
+By injecting flags to the multicast TT entry claimed by a single
+target node it was verified in tests that this multicast address
+becomes unreachable, leading to packet loss.
+
+Omitting the "src" parameter to the batadv_transtable_search() call
+successfully skipped the AP isolation check and made the target
+reachable again.
+
+Fixes: 1d8ab8d3c176 ("batman-adv: Modified forwarding behaviour for multicast packets")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/multicast.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/multicast.c
++++ b/net/batman-adv/multicast.c
+@@ -809,8 +809,8 @@ static struct batadv_orig_node *
+ batadv_mcast_forw_tt_node_get(struct batadv_priv *bat_priv,
+ struct ethhdr *ethhdr)
+ {
+- return batadv_transtable_search(bat_priv, ethhdr->h_source,
+- ethhdr->h_dest, BATADV_NO_FLAGS);
++ return batadv_transtable_search(bat_priv, NULL, ethhdr->h_dest,
++ BATADV_NO_FLAGS);
+ }
+
+ /**
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 24 Feb 2018 12:03:37 +0100
+Subject: batman-adv: Fix netlink dumping of BLA backbones
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit fce672db548ff19e76a08a32a829544617229bc2 ]
+
+The function batadv_bla_backbone_dump_bucket must be able to handle
+non-complete dumps of a single bucket. It tries to do that by saving the
+latest dumped index in *idx_skip to inform the caller about the current
+state.
+
+But the caller only assumes that buckets were not completely dumped when
+the return code is non-zero. This function must therefore also return a
+non-zero index when the dumping of an entry failed. Otherwise the caller
+will just skip all remaining buckets.
+
+And the function must also reset *idx_skip back to zero when it finished a
+bucket. Otherwise it will skip the same number of entries in the next
+bucket as the previous one had.
+
+Fixes: ea4152e11716 ("batman-adv: add backbone table netlink support")
+Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -2394,22 +2394,25 @@ batadv_bla_backbone_dump_bucket(struct s
+ {
+ struct batadv_bla_backbone_gw *backbone_gw;
+ int idx = 0;
++ int ret = 0;
+
+ rcu_read_lock();
+ hlist_for_each_entry_rcu(backbone_gw, head, hash_entry) {
+ if (idx++ < *idx_skip)
+ continue;
+- if (batadv_bla_backbone_dump_entry(msg, portid, seq,
+- primary_if, backbone_gw)) {
++
++ ret = batadv_bla_backbone_dump_entry(msg, portid, seq,
++ primary_if, backbone_gw);
++ if (ret) {
+ *idx_skip = idx - 1;
+ goto unlock;
+ }
+ }
+
+- *idx_skip = idx;
++ *idx_skip = 0;
+ unlock:
+ rcu_read_unlock();
+- return 0;
++ return ret;
+ }
+
+ /**
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 24 Feb 2018 12:03:36 +0100
+Subject: batman-adv: Fix netlink dumping of BLA claims
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit b0264ecdfeab5f889b02ec54af7ca8cc1c245e2f ]
+
+The function batadv_bla_claim_dump_bucket must be able to handle
+non-complete dumps of a single bucket. It tries to do that by saving the
+latest dumped index in *idx_skip to inform the caller about the current
+state.
+
+But the caller only assumes that buckets were not completely dumped when
+the return code is non-zero. This function must therefore also return a
+non-zero index when the dumping of an entry failed. Otherwise the caller
+will just skip all remaining buckets.
+
+And the function must also reset *idx_skip back to zero when it finished a
+bucket. Otherwise it will skip the same number of entries in the next
+bucket as the previous one had.
+
+Fixes: 04f3f5bf1883 ("batman-adv: add B.A.T.M.A.N. Dump BLA claims via netlink")
+Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -2161,22 +2161,25 @@ batadv_bla_claim_dump_bucket(struct sk_b
+ {
+ struct batadv_bla_claim *claim;
+ int idx = 0;
++ int ret = 0;
+
+ rcu_read_lock();
+ hlist_for_each_entry_rcu(claim, head, hash_entry) {
+ if (idx++ < *idx_skip)
+ continue;
+- if (batadv_bla_claim_dump_entry(msg, portid, seq,
+- primary_if, claim)) {
++
++ ret = batadv_bla_claim_dump_entry(msg, portid, seq,
++ primary_if, claim);
++ if (ret) {
+ *idx_skip = idx - 1;
+ goto unlock;
+ }
+ }
+
+- *idx_skip = idx;
++ *idx_skip = 0;
+ unlock:
+ rcu_read_unlock();
+- return 0;
++ return ret;
+ }
+
+ /**
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Tue, 23 Jan 2018 10:59:49 +0100
+Subject: batman-adv: fix packet checksum in receive path
+
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+
+[ Upstream commit abd6360591d3f8259f41c34e31ac4826dfe621b8 ]
+
+eth_type_trans() internally calls skb_pull(), which does not adjust the
+skb checksum; skb_postpull_rcsum() is necessary to avoid log spam of the
+form "bat0: hw csum failure" when packets with CHECKSUM_COMPLETE are
+received.
+
+Note that in usual setups, packets don't reach batman-adv with
+CHECKSUM_COMPLETE (I assume NICs bail out of checksumming when they see
+batadv's ethtype?), which is why the log messages do not occur on every
+system using batman-adv. I could reproduce this issue by stacking
+batman-adv on top of a VXLAN interface.
+
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Tested-by: Maximilian Wilhelm <max@sdn.clinic>
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/soft-interface.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -451,13 +451,7 @@ void batadv_interface_rx(struct net_devi
+
+ /* skb->dev & skb->pkt_type are set here */
+ skb->protocol = eth_type_trans(skb, soft_iface);
+-
+- /* should not be necessary anymore as we use skb_pull_rcsum()
+- * TODO: please verify this and remove this TODO
+- * -- Dec 21st 2009, Simon Wunderlich
+- */
+-
+- /* skb->ip_summed = CHECKSUM_UNNECESSARY; */
++ skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
+
+ batadv_inc_counter(bat_priv, BATADV_CNT_RX);
+ batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Linus Lüssing" <linus.luessing@c0d3.blue>
+Date: Thu, 22 Mar 2018 00:21:32 +0100
+Subject: batman-adv: fix packet loss for broadcasted DHCP packets to a server
+
+From: "Linus Lüssing" <linus.luessing@c0d3.blue>
+
+[ Upstream commit a752c0a4524889cdc0765925258fd1fd72344100 ]
+
+DHCP connectivity issues can currently occur if the following conditions
+are met:
+
+1) A DHCP packet from a client to a server
+2) This packet has a multicast destination
+3) This destination has a matching entry in the translation table
+ (FF:FF:FF:FF:FF:FF for IPv4, 33:33:00:01:00:02/33:33:00:01:00:03
+ for IPv6)
+4) The orig-node determined by TT for the multicast destination
+ does not match the orig-node determined by best-gateway-selection
+
+In this case the DHCP packet will be dropped.
+
+The "gateway-out-of-range" check is supposed to only be applied to
+unicasted DHCP packets to a specific DHCP server.
+
+In that case dropping the the unicasted frame forces the client to
+retry via a broadcasted one, but now directed to the new best
+gateway.
+
+A DHCP packet with broadcast/multicast destination is already ensured to
+always be delivered to the best gateway. Dropping a multicasted
+DHCP packet here will only prevent completing DHCP as there is no
+other fallback.
+
+So far, it seems the unicast check was implicitly performed by
+expecting the batadv_transtable_search() to return NULL for multicast
+destinations. However, a multicast address could have always ended up in
+the translation table and in fact is now common.
+
+To fix this potential loss of a DHCP client-to-server packet to a
+multicast address this patch adds an explicit multicast destination
+check to reliably bail out of the gateway-out-of-range check for such
+destinations.
+
+The issue and fix were tested in the following three node setup:
+
+- Line topology, A-B-C
+- A: gateway client, DHCP client
+- B: gateway server, hop-penalty increased: 30->60, DHCP server
+- C: gateway server, code modifications to announce FF:FF:FF:FF:FF:FF
+
+Without this patch, A would never transmit its DHCP Discover packet
+due to an always "out-of-range" condition. With this patch,
+a full DHCP handshake between A and B was possible again.
+
+Fixes: be7af5cf9cae ("batman-adv: refactoring gateway handling code")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/gateway_client.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/gateway_client.c
++++ b/net/batman-adv/gateway_client.c
+@@ -705,7 +705,7 @@ bool batadv_gw_out_of_range(struct batad
+ {
+ struct batadv_neigh_node *neigh_curr = NULL;
+ struct batadv_neigh_node *neigh_old = NULL;
+- struct batadv_orig_node *orig_dst_node;
++ struct batadv_orig_node *orig_dst_node = NULL;
+ struct batadv_gw_node *gw_node = NULL;
+ struct batadv_gw_node *curr_gw = NULL;
+ struct batadv_neigh_ifinfo *curr_ifinfo, *old_ifinfo;
+@@ -716,6 +716,9 @@ bool batadv_gw_out_of_range(struct batad
+
+ vid = batadv_get_vid(skb, 0);
+
++ if (is_multicast_ether_addr(ethhdr->h_dest))
++ goto out;
++
+ orig_dst_node = batadv_transtable_search(bat_priv, ethhdr->h_source,
+ ethhdr->h_dest, vid);
+ if (!orig_dst_node)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 16 Mar 2018 21:14:32 +0100
+Subject: batman-adv: Fix skbuff rcsum on packet reroute
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit fc04fdb2c8a894283259f5621d31d75610701091 ]
+
+batadv_check_unicast_ttvn may redirect a packet to itself or another
+originator. This involves rewriting the ttvn and the destination address in
+the batadv unicast header. These field were not yet pulled (with skb rcsum
+update) and thus any change to them also requires a change in the receive
+checksum.
+
+Reported-by: Matthias Schiffer <mschiffer@universe-factory.net>
+Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/routing.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/batman-adv/routing.c
++++ b/net/batman-adv/routing.c
+@@ -743,6 +743,7 @@ free_skb:
+ /**
+ * batadv_reroute_unicast_packet - update the unicast header for re-routing
+ * @bat_priv: the bat priv with all the soft interface information
++ * @skb: unicast packet to process
+ * @unicast_packet: the unicast header to be updated
+ * @dst_addr: the payload destination
+ * @vid: VLAN identifier
+@@ -754,7 +755,7 @@ free_skb:
+ * Return: true if the packet header has been updated, false otherwise
+ */
+ static bool
+-batadv_reroute_unicast_packet(struct batadv_priv *bat_priv,
++batadv_reroute_unicast_packet(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ struct batadv_unicast_packet *unicast_packet,
+ u8 *dst_addr, unsigned short vid)
+ {
+@@ -783,8 +784,10 @@ batadv_reroute_unicast_packet(struct bat
+ }
+
+ /* update the packet header */
++ skb_postpull_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
+ ether_addr_copy(unicast_packet->dest, orig_addr);
+ unicast_packet->ttvn = orig_ttvn;
++ skb_postpush_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
+
+ ret = true;
+ out:
+@@ -825,7 +828,7 @@ static bool batadv_check_unicast_ttvn(st
+ * the packet to
+ */
+ if (batadv_tt_local_client_is_roaming(bat_priv, ethhdr->h_dest, vid)) {
+- if (batadv_reroute_unicast_packet(bat_priv, unicast_packet,
++ if (batadv_reroute_unicast_packet(bat_priv, skb, unicast_packet,
+ ethhdr->h_dest, vid))
+ batadv_dbg_ratelimited(BATADV_DBG_TT,
+ bat_priv,
+@@ -871,7 +874,7 @@ static bool batadv_check_unicast_ttvn(st
+ * destination can possibly be updated and forwarded towards the new
+ * target host
+ */
+- if (batadv_reroute_unicast_packet(bat_priv, unicast_packet,
++ if (batadv_reroute_unicast_packet(bat_priv, skb, unicast_packet,
+ ethhdr->h_dest, vid)) {
+ batadv_dbg_ratelimited(BATADV_DBG_TT, bat_priv,
+ "Rerouting unicast packet to %pM (dst=%pM): TTVN mismatch old_ttvn=%u new_ttvn=%u\n",
+@@ -894,12 +897,14 @@ static bool batadv_check_unicast_ttvn(st
+ if (!primary_if)
+ return false;
+
++ /* update the packet header */
++ skb_postpull_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
+ ether_addr_copy(unicast_packet->dest, primary_if->net_dev->dev_addr);
++ unicast_packet->ttvn = curr_ttvn;
++ skb_postpush_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
+
+ batadv_hardif_put(primary_if);
+
+- unicast_packet->ttvn = curr_ttvn;
+-
+ return true;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Mon, 19 Feb 2018 14:08:52 +0100
+Subject: batman-adv: Ignore invalid batadv_iv_gw during netlink send
+
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+
+[ Upstream commit 10d570284258a30dc104c50787c5289ec49f3d23 ]
+
+The function batadv_iv_gw_dump stops the processing loop when
+batadv_iv_gw_dump_entry returns a non-0 return code. This should only
+happen when the buffer is full. Otherwise, an empty message may be
+returned by batadv_gw_dump. This empty message will then stop the netlink
+dumping of gateway entries. At worst, not a single entry is returned to
+userspace even when plenty of possible gateways exist.
+
+Fixes: efb766af06e3 ("batman-adv: add B.A.T.M.A.N. IV bat_gw_dump implementations")
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_iv_ogm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -2719,7 +2719,7 @@ static int batadv_iv_gw_dump_entry(struc
+ struct batadv_neigh_ifinfo *router_ifinfo = NULL;
+ struct batadv_neigh_node *router;
+ struct batadv_gw_node *curr_gw;
+- int ret = -EINVAL;
++ int ret = 0;
+ void *hdr;
+
+ router = batadv_orig_router_get(gw_node->orig_node, BATADV_IF_DEFAULT);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Mon, 19 Feb 2018 14:08:53 +0100
+Subject: batman-adv: Ignore invalid batadv_v_gw during netlink send
+
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+
+[ Upstream commit 011c935fceae5252619ef730baa610c655281dda ]
+
+The function batadv_v_gw_dump stops the processing loop when
+batadv_v_gw_dump_entry returns a non-0 return code. This should only
+happen when the buffer is full. Otherwise, an empty message may be
+returned by batadv_gw_dump. This empty message will then stop the netlink
+dumping of gateway entries. At worst, not a single entry is returned to
+userspace even when plenty of possible gateways exist.
+
+Fixes: b71bb6f924fe ("batman-adv: add B.A.T.M.A.N. V bat_gw_dump implementations")
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_v.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/bat_v.c
++++ b/net/batman-adv/bat_v.c
+@@ -930,7 +930,7 @@ static int batadv_v_gw_dump_entry(struct
+ struct batadv_neigh_ifinfo *router_ifinfo = NULL;
+ struct batadv_neigh_node *router;
+ struct batadv_gw_node *curr_gw;
+- int ret = -EINVAL;
++ int ret = 0;
+ void *hdr;
+
+ router = batadv_orig_router_get(gw_node->orig_node, BATADV_IF_DEFAULT);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Tue, 23 Jan 2018 10:59:50 +0100
+Subject: batman-adv: invalidate checksum on fragment reassembly
+
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+
+[ Upstream commit 3bf2a09da956b43ecfaa630a2ef9a477f991a46a ]
+
+A more sophisticated implementation could try to combine fragment checksums
+when all fragments have CHECKSUM_COMPLETE and are split at even offsets.
+For now, we just set ip_summed to CHECKSUM_NONE to avoid "hw csum failure"
+warnings in the kernel log when fragmented frames are received. In
+consequence, skb_pull_rcsum() can be replaced with skb_pull().
+
+Note that in usual setups, packets don't reach batman-adv with
+CHECKSUM_COMPLETE (I assume NICs bail out of checksumming when they see
+batadv's ethtype?), which is why the log messages do not occur on every
+system using batman-adv. I could reproduce this issue by stacking
+batman-adv on top of a VXLAN interface.
+
+Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
+Tested-by: Maximilian Wilhelm <max@sdn.clinic>
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/fragmentation.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/fragmentation.c
++++ b/net/batman-adv/fragmentation.c
+@@ -287,7 +287,8 @@ batadv_frag_merge_packets(struct hlist_h
+ /* Move the existing MAC header to just before the payload. (Override
+ * the fragment header.)
+ */
+- skb_pull_rcsum(skb_out, hdr_size);
++ skb_pull(skb_out, hdr_size);
++ skb_out->ip_summed = CHECKSUM_NONE;
+ memmove(skb_out->data - ETH_HLEN, skb_mac_header(skb_out), ETH_HLEN);
+ skb_set_mac_header(skb_out, -ETH_HLEN);
+ skb_reset_network_header(skb_out);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Tang Junhui <tang.junhui@zte.com.cn>
+Date: Tue, 27 Feb 2018 09:49:30 -0800
+Subject: bcache: fix kcrashes with fio in RAID5 backend dev
+
+From: Tang Junhui <tang.junhui@zte.com.cn>
+
+[ Upstream commit 60eb34ec5526e264c2bbaea4f7512d714d791caf ]
+
+Kernel crashed when run fio in a RAID5 backend bcache device, the call
+trace is bellow:
+[ 440.012034] kernel BUG at block/blk-ioc.c:146!
+[ 440.012696] invalid opcode: 0000 [#1] SMP NOPTI
+[ 440.026537] CPU: 2 PID: 2205 Comm: md127_raid5 Not tainted 4.15.0 #8
+[ 440.027441] Hardware name: HP ProLiant MicroServer Gen8, BIOS J06 07/16
+/2015
+[ 440.028615] RIP: 0010:put_io_context+0x8b/0x90
+[ 440.029246] RSP: 0018:ffffa8c882b43af8 EFLAGS: 00010246
+[ 440.029990] RAX: 0000000000000000 RBX: ffffa8c88294fca0 RCX: 0000000000
+0f4240
+[ 440.031006] RDX: 0000000000000004 RSI: 0000000000000286 RDI: ffffa8c882
+94fca0
+[ 440.032030] RBP: ffffa8c882b43b10 R08: 0000000000000003 R09: ffff949cb8
+0c1700
+[ 440.033206] R10: 0000000000000104 R11: 000000000000b71c R12: 00000000000
+01000
+[ 440.034222] R13: 0000000000000000 R14: ffff949cad84db70 R15: ffff949cb11
+bd1e0
+[ 440.035239] FS: 0000000000000000(0000) GS:ffff949cba280000(0000) knlGS:
+0000000000000000
+[ 440.060190] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 440.084967] CR2: 00007ff0493ef000 CR3: 00000002f1e0a002 CR4: 00000000001
+606e0
+[ 440.110498] Call Trace:
+[ 440.135443] bio_disassociate_task+0x1b/0x60
+[ 440.160355] bio_free+0x1b/0x60
+[ 440.184666] bio_put+0x23/0x30
+[ 440.208272] search_free+0x23/0x40 [bcache]
+[ 440.231448] cached_dev_write_complete+0x31/0x70 [bcache]
+[ 440.254468] closure_put+0xb6/0xd0 [bcache]
+[ 440.277087] request_endio+0x30/0x40 [bcache]
+[ 440.298703] bio_endio+0xa1/0x120
+[ 440.319644] handle_stripe+0x418/0x2270 [raid456]
+[ 440.340614] ? load_balance+0x17b/0x9c0
+[ 440.360506] handle_active_stripes.isra.58+0x387/0x5a0 [raid456]
+[ 440.380675] ? __release_stripe+0x15/0x20 [raid456]
+[ 440.400132] raid5d+0x3ed/0x5d0 [raid456]
+[ 440.419193] ? schedule+0x36/0x80
+[ 440.437932] ? schedule_timeout+0x1d2/0x2f0
+[ 440.456136] md_thread+0x122/0x150
+[ 440.473687] ? wait_woken+0x80/0x80
+[ 440.491411] kthread+0x102/0x140
+[ 440.508636] ? find_pers+0x70/0x70
+[ 440.524927] ? kthread_associate_blkcg+0xa0/0xa0
+[ 440.541791] ret_from_fork+0x35/0x40
+[ 440.558020] Code: c2 48 00 5b 41 5c 41 5d 5d c3 48 89 c6 4c 89 e7 e8 bb c2
+48 00 48 8b 3d bc 36 4b 01 48 89 de e8 7c f7 e0 ff 5b 41 5c 41 5d 5d c3 <0f> 0b
+0f 1f 00 0f 1f 44 00 00 55 48 8d 47 b8 48 89 e5 41 57 41
+[ 440.610020] RIP: put_io_context+0x8b/0x90 RSP: ffffa8c882b43af8
+[ 440.628575] ---[ end trace a1fd79d85643a73e ]--
+
+All the crash issue happened when a bypass IO coming, in such scenario
+s->iop.bio is pointed to the s->orig_bio. In search_free(), it finishes the
+s->orig_bio by calling bio_complete(), and after that, s->iop.bio became
+invalid, then kernel would crash when calling bio_put(). Maybe its upper
+layer's faulty, since bio should not be freed before we calling bio_put(),
+but we'd better calling bio_put() first before calling bio_complete() to
+notify upper layer ending this bio.
+
+This patch moves bio_complete() under bio_put() to avoid kernel crash.
+
+[mlyle: fixed commit subject for character limits]
+
+Reported-by: Matthias Ferdinand <bcache@mfedv.net>
+Tested-by: Matthias Ferdinand <bcache@mfedv.net>
+Signed-off-by: Tang Junhui <tang.junhui@zte.com.cn>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/request.c
++++ b/drivers/md/bcache/request.c
+@@ -651,11 +651,11 @@ static void do_bio_hook(struct search *s
+ static void search_free(struct closure *cl)
+ {
+ struct search *s = container_of(cl, struct search, cl);
+- bio_complete(s);
+
+ if (s->iop.bio)
+ bio_put(s->iop.bio);
+
++ bio_complete(s);
+ closure_debug_destroy(cl);
+ mempool_free(s, s->d->c->search);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Coly Li <colyli@suse.de>
+Date: Sun, 18 Mar 2018 17:36:15 -0700
+Subject: bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set
+
+From: Coly Li <colyli@suse.de>
+
+[ Upstream commit fadd94e05c02afec7b70b0b14915624f1782f578 ]
+
+In patch "bcache: fix cached_dev->count usage for bch_cache_set_error()",
+cached_dev_get() is called when creating dc->writeback_thread, and
+cached_dev_put() is called when exiting dc->writeback_thread. This
+modification works well unless people detach the bcache device manually by
+ 'echo 1 > /sys/block/bcache<N>/bcache/detach'
+Because this sysfs interface only calls bch_cached_dev_detach() which wakes
+up dc->writeback_thread but does not stop it. The reason is, before patch
+"bcache: fix cached_dev->count usage for bch_cache_set_error()", inside
+bch_writeback_thread(), if cache is not dirty after writeback,
+cached_dev_put() will be called here. And in cached_dev_make_request() when
+a new write request makes cache from clean to dirty, cached_dev_get() will
+be called there. Since we don't operate dc->count in these locations,
+refcount d->count cannot be dropped after cache becomes clean, and
+cached_dev_detach_finish() won't be called to detach bcache device.
+
+This patch fixes the issue by checking whether BCACHE_DEV_DETACHING is
+set inside bch_writeback_thread(). If this bit is set and cache is clean
+(no existing writeback_keys), break the while-loop, call cached_dev_put()
+and quit the writeback thread.
+
+Please note if cache is still dirty, even BCACHE_DEV_DETACHING is set the
+writeback thread should continue to perform writeback, this is the original
+design of manually detach.
+
+It is safe to do the following check without locking, let me explain why,
++ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) &&
++ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) {
+
+If the kenrel thread does not sleep and continue to run due to conditions
+are not updated in time on the running CPU core, it just consumes more CPU
+cycles and has no hurt. This should-sleep-but-run is safe here. We just
+focus on the should-run-but-sleep condition, which means the writeback
+thread goes to sleep in mistake while it should continue to run.
+1, First of all, no matter the writeback thread is hung or not,
+ kthread_stop() from cached_dev_detach_finish() will wake up it and
+ terminate by making kthread_should_stop() return true. And in normal
+ run time, bit on index BCACHE_DEV_DETACHING is always cleared, the
+ condition
+ !test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)
+ is always true and can be ignored as constant value.
+2, If one of the following conditions is true, the writeback thread should
+ go to sleep,
+ "!atomic_read(&dc->has_dirty)" or "!dc->writeback_running)"
+ each of them independently controls the writeback thread should sleep or
+ not, let's analyse them one by one.
+2.1 condition "!atomic_read(&dc->has_dirty)"
+ If dc->has_dirty is set from 0 to 1 on another CPU core, bcache will
+ call bch_writeback_queue() immediately or call bch_writeback_add() which
+ indirectly calls bch_writeback_queue() too. In bch_writeback_queue(),
+ wake_up_process(dc->writeback_thread) is called. It sets writeback
+ thread's task state to TASK_RUNNING and following an implicit memory
+ barrier, then tries to wake up the writeback thread.
+ In writeback thread, its task state is set to TASK_INTERRUPTIBLE before
+ doing the condition check. If other CPU core sets the TASK_RUNNING state
+ after writeback thread setting TASK_INTERRUPTIBLE, the writeback thread
+ will be scheduled to run very soon because its state is not
+ TASK_INTERRUPTIBLE. If other CPU core sets the TASK_RUNNING state before
+ writeback thread setting TASK_INTERRUPTIBLE, the implict memory barrier
+ of wake_up_process() will make sure modification of dc->has_dirty on
+ other CPU core is updated and observed on the CPU core of writeback
+ thread. Therefore the condition check will correctly be false, and
+ continue writeback code without sleeping.
+2.2 condition "!dc->writeback_running)"
+ dc->writeback_running can be changed via sysfs file, every time it is
+ modified, a following bch_writeback_queue() is alwasy called. So the
+ change is always observed on the CPU core of writeback thread. If
+ dc->writeback_running is changed from 0 to 1 on other CPU core, this
+ condition check will observe the modification and allow writeback
+ thread to continue to run without sleeping.
+Now we can see, even without a locking protection, multiple conditions
+check is safe here, no deadlock or process hang up will happen.
+
+I compose a separte patch because that patch "bcache: fix cached_dev->count
+usage for bch_cache_set_error()" already gets a "Reviewed-by:" from Hannes
+Reinecke. Also this fix is not trivial and good for a separate patch.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Huijun Tang <tang.junhui@zte.com.cn>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/writeback.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -421,9 +421,15 @@ static int bch_writeback_thread(void *ar
+ while (!kthread_should_stop()) {
+ down_write(&dc->writeback_lock);
+ set_current_state(TASK_INTERRUPTIBLE);
+- if (!atomic_read(&dc->has_dirty) ||
+- (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) &&
+- !dc->writeback_running)) {
++ /*
++ * If the bache device is detaching, skip here and continue
++ * to perform writeback. Otherwise, if no dirty data on cache,
++ * or there is dirty data on cache but writeback is disabled,
++ * the writeback thread should sleep here and wait for others
++ * to wake up it.
++ */
++ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) &&
++ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) {
+ up_write(&dc->writeback_lock);
+
+ if (kthread_should_stop()) {
+@@ -444,6 +450,14 @@ static int bch_writeback_thread(void *ar
+ cached_dev_put(dc);
+ SET_BDEV_STATE(&dc->sb, BDEV_STATE_CLEAN);
+ bch_write_bdev_super(dc, NULL);
++ /*
++ * If bcache device is detaching via sysfs interface,
++ * writeback thread should stop after there is no dirty
++ * data on cache. BCACHE_DEV_DETACHING flag is set in
++ * bch_cached_dev_detach().
++ */
++ if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags))
++ break;
+ }
+
+ up_write(&dc->writeback_lock);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Date: Tue, 27 Feb 2018 20:10:18 +0800
+Subject: block: display the correct diskname for bio
+
+From: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+
+[ Upstream commit 9c0fb1e313aaf4e8edec22433c8b22dd308e466c ]
+
+bio_devname use __bdevname to display the device name, and can
+only show the major and minor of the part0,
+Fix this by using disk_name to display the correct name.
+
+Fixes: 74d46992e0d9 ("block: replace bi_bdev with a gendisk pointer and partitions index")
+Reviewed-by: Omar Sandoval <osandov@fb.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/partition-generic.c | 6 ++++++
+ include/linux/bio.h | 4 +---
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/block/partition-generic.c
++++ b/block/partition-generic.c
+@@ -51,6 +51,12 @@ const char *bdevname(struct block_device
+
+ EXPORT_SYMBOL(bdevname);
+
++const char *bio_devname(struct bio *bio, char *buf)
++{
++ return disk_name(bio->bi_disk, bio->bi_partno, buf);
++}
++EXPORT_SYMBOL(bio_devname);
++
+ /*
+ * There's very little reason to use this, you should really
+ * have a struct block_device just about everywhere and use
+--- a/include/linux/bio.h
++++ b/include/linux/bio.h
+@@ -501,6 +501,7 @@ void zero_fill_bio(struct bio *bio);
+ extern struct bio_vec *bvec_alloc(gfp_t, int, unsigned long *, mempool_t *);
+ extern void bvec_free(mempool_t *, struct bio_vec *, unsigned int);
+ extern unsigned int bvec_nr_vecs(unsigned short idx);
++extern const char *bio_devname(struct bio *bio, char *buffer);
+
+ #define bio_set_dev(bio, bdev) \
+ do { \
+@@ -519,9 +520,6 @@ do { \
+ #define bio_dev(bio) \
+ disk_devt((bio)->bi_disk)
+
+-#define bio_devname(bio, buf) \
+- __bdevname(bio_dev(bio), (buf))
+-
+ #ifdef CONFIG_BLK_CGROUP
+ int bio_associate_blkcg(struct bio *bio, struct cgroup_subsys_state *blkcg_css);
+ int bio_associate_current(struct bio *bio);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Wed, 28 Feb 2018 10:15:33 -0800
+Subject: block: Fix a race between request queue removal and the block cgroup controller
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+[ Upstream commit a063057d7c731cffa7d10740e8ebc2970df8dbb3 ]
+
+Avoid that the following race can occur:
+
+blk_cleanup_queue() blkcg_print_blkgs()
+ spin_lock_irq(lock) (1) spin_lock_irq(blkg->q->queue_lock) (2,5)
+ q->queue_lock = &q->__queue_lock (3)
+ spin_unlock_irq(lock) (4)
+ spin_unlock_irq(blkg->q->queue_lock) (6)
+
+(1) take driver lock;
+(2) busy loop for driver lock;
+(3) override driver lock with internal lock;
+(4) unlock driver lock;
+(5) can take driver lock now;
+(6) but unlock internal lock.
+
+This change is safe because only the SCSI core and the NVME core keep
+a reference on a request queue after having called blk_cleanup_queue().
+Neither driver accesses any of the removed data structures between its
+blk_cleanup_queue() and blk_put_queue() calls.
+
+Reported-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Jan Kara <jack@suse.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-core.c | 31 +++++++++++++++++++++++++++++++
+ block/blk-sysfs.c | 7 -------
+ 2 files changed, 31 insertions(+), 7 deletions(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -681,6 +681,37 @@ void blk_cleanup_queue(struct request_qu
+ del_timer_sync(&q->backing_dev_info->laptop_mode_wb_timer);
+ blk_sync_queue(q);
+
++ /*
++ * I/O scheduler exit is only safe after the sysfs scheduler attribute
++ * has been removed.
++ */
++ WARN_ON_ONCE(q->kobj.state_in_sysfs);
++
++ /*
++ * Since the I/O scheduler exit code may access cgroup information,
++ * perform I/O scheduler exit before disassociating from the block
++ * cgroup controller.
++ */
++ if (q->elevator) {
++ ioc_clear_queue(q);
++ elevator_exit(q, q->elevator);
++ q->elevator = NULL;
++ }
++
++ /*
++ * Remove all references to @q from the block cgroup controller before
++ * restoring @q->queue_lock to avoid that restoring this pointer causes
++ * e.g. blkcg_print_blkgs() to crash.
++ */
++ blkcg_exit_queue(q);
++
++ /*
++ * Since the cgroup code may dereference the @q->backing_dev_info
++ * pointer, only decrease its reference count after having removed the
++ * association with the block cgroup controller.
++ */
++ bdi_put(q->backing_dev_info);
++
+ if (q->mq_ops)
+ blk_mq_free_queue(q);
+ percpu_ref_exit(&q->q_usage_counter);
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -801,13 +801,6 @@ static void __blk_release_queue(struct w
+ if (test_bit(QUEUE_FLAG_POLL_STATS, &q->queue_flags))
+ blk_stat_remove_callback(q, q->poll_cb);
+ blk_stat_free_callback(q->poll_cb);
+- bdi_put(q->backing_dev_info);
+- blkcg_exit_queue(q);
+-
+- if (q->elevator) {
+- ioc_clear_queue(q);
+- elevator_exit(q, q->elevator);
+- }
+
+ blk_free_queue_stats(q->stats);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Ming Lei <ming.lei@redhat.com>
+Date: Tue, 6 Mar 2018 12:07:13 +0800
+Subject: block: null_blk: fix 'Invalid parameters' when loading module
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 66231ad3e2886ba99fbf440cea44cab547e5163f ]
+
+On ARM64, the default page size has been 64K on some distributions, and
+we should allow ARM64 people to play null_blk.
+
+This patch fixes the issue by extend page bitmap size for supporting
+other non-4KB PAGE_SIZE.
+
+Cc: Bart Van Assche <Bart.VanAssche@wdc.com>
+Cc: Shaohua Li <shli@kernel.org>
+Cc: Kyungchan Koh <kkc6196@fb.com>,
+Cc: weiping zhang <zhangweiping@didichuxing.com>
+Cc: Yi Zhang <yi.zhang@redhat.com>
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/null_blk.c | 46 +++++++++++++++++++++++++---------------------
+ 1 file changed, 25 insertions(+), 21 deletions(-)
+
+--- a/drivers/block/null_blk.c
++++ b/drivers/block/null_blk.c
+@@ -68,6 +68,7 @@ enum nullb_device_flags {
+ NULLB_DEV_FL_CACHE = 3,
+ };
+
++#define MAP_SZ ((PAGE_SIZE >> SECTOR_SHIFT) + 2)
+ /*
+ * nullb_page is a page in memory for nullb devices.
+ *
+@@ -82,10 +83,10 @@ enum nullb_device_flags {
+ */
+ struct nullb_page {
+ struct page *page;
+- unsigned long bitmap;
++ DECLARE_BITMAP(bitmap, MAP_SZ);
+ };
+-#define NULLB_PAGE_LOCK (sizeof(unsigned long) * 8 - 1)
+-#define NULLB_PAGE_FREE (sizeof(unsigned long) * 8 - 2)
++#define NULLB_PAGE_LOCK (MAP_SZ - 1)
++#define NULLB_PAGE_FREE (MAP_SZ - 2)
+
+ struct nullb_device {
+ struct nullb *nullb;
+@@ -725,7 +726,7 @@ static struct nullb_page *null_alloc_pag
+ if (!t_page->page)
+ goto out_freepage;
+
+- t_page->bitmap = 0;
++ memset(t_page->bitmap, 0, sizeof(t_page->bitmap));
+ return t_page;
+ out_freepage:
+ kfree(t_page);
+@@ -735,13 +736,20 @@ out:
+
+ static void null_free_page(struct nullb_page *t_page)
+ {
+- __set_bit(NULLB_PAGE_FREE, &t_page->bitmap);
+- if (test_bit(NULLB_PAGE_LOCK, &t_page->bitmap))
++ __set_bit(NULLB_PAGE_FREE, t_page->bitmap);
++ if (test_bit(NULLB_PAGE_LOCK, t_page->bitmap))
+ return;
+ __free_page(t_page->page);
+ kfree(t_page);
+ }
+
++static bool null_page_empty(struct nullb_page *page)
++{
++ int size = MAP_SZ - 2;
++
++ return find_first_bit(page->bitmap, size) == size;
++}
++
+ static void null_free_sector(struct nullb *nullb, sector_t sector,
+ bool is_cache)
+ {
+@@ -756,9 +764,9 @@ static void null_free_sector(struct null
+
+ t_page = radix_tree_lookup(root, idx);
+ if (t_page) {
+- __clear_bit(sector_bit, &t_page->bitmap);
++ __clear_bit(sector_bit, t_page->bitmap);
+
+- if (!t_page->bitmap) {
++ if (null_page_empty(t_page)) {
+ ret = radix_tree_delete_item(root, idx, t_page);
+ WARN_ON(ret != t_page);
+ null_free_page(ret);
+@@ -829,7 +837,7 @@ static struct nullb_page *__null_lookup_
+ t_page = radix_tree_lookup(root, idx);
+ WARN_ON(t_page && t_page->page->index != idx);
+
+- if (t_page && (for_write || test_bit(sector_bit, &t_page->bitmap)))
++ if (t_page && (for_write || test_bit(sector_bit, t_page->bitmap)))
+ return t_page;
+
+ return NULL;
+@@ -892,10 +900,10 @@ static int null_flush_cache_page(struct
+
+ t_page = null_insert_page(nullb, idx << PAGE_SECTORS_SHIFT, true);
+
+- __clear_bit(NULLB_PAGE_LOCK, &c_page->bitmap);
+- if (test_bit(NULLB_PAGE_FREE, &c_page->bitmap)) {
++ __clear_bit(NULLB_PAGE_LOCK, c_page->bitmap);
++ if (test_bit(NULLB_PAGE_FREE, c_page->bitmap)) {
+ null_free_page(c_page);
+- if (t_page && t_page->bitmap == 0) {
++ if (t_page && null_page_empty(t_page)) {
+ ret = radix_tree_delete_item(&nullb->dev->data,
+ idx, t_page);
+ null_free_page(t_page);
+@@ -911,11 +919,11 @@ static int null_flush_cache_page(struct
+
+ for (i = 0; i < PAGE_SECTORS;
+ i += (nullb->dev->blocksize >> SECTOR_SHIFT)) {
+- if (test_bit(i, &c_page->bitmap)) {
++ if (test_bit(i, c_page->bitmap)) {
+ offset = (i << SECTOR_SHIFT);
+ memcpy(dst + offset, src + offset,
+ nullb->dev->blocksize);
+- __set_bit(i, &t_page->bitmap);
++ __set_bit(i, t_page->bitmap);
+ }
+ }
+
+@@ -952,10 +960,10 @@ again:
+ * We found the page which is being flushed to disk by other
+ * threads
+ */
+- if (test_bit(NULLB_PAGE_LOCK, &c_pages[i]->bitmap))
++ if (test_bit(NULLB_PAGE_LOCK, c_pages[i]->bitmap))
+ c_pages[i] = NULL;
+ else
+- __set_bit(NULLB_PAGE_LOCK, &c_pages[i]->bitmap);
++ __set_bit(NULLB_PAGE_LOCK, c_pages[i]->bitmap);
+ }
+
+ one_round = 0;
+@@ -1008,7 +1016,7 @@ static int copy_to_nullb(struct nullb *n
+ kunmap_atomic(dst);
+ kunmap_atomic(src);
+
+- __set_bit(sector & SECTOR_MASK, &t_page->bitmap);
++ __set_bit(sector & SECTOR_MASK, t_page->bitmap);
+
+ if (is_fua)
+ null_free_sector(nullb, sector, true);
+@@ -1922,10 +1930,6 @@ static int __init null_init(void)
+ struct nullb *nullb;
+ struct nullb_device *dev;
+
+- /* check for nullb_page.bitmap */
+- if (sizeof(unsigned long) * 8 - 2 < (PAGE_SIZE >> SECTOR_SHIFT))
+- return -EINVAL;
+-
+ if (g_bs > PAGE_SIZE) {
+ pr_warn("null_blk: invalid block size\n");
+ pr_warn("null_blk: defaults block size to %lu\n", PAGE_SIZE);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Sun, 11 Feb 2018 12:24:32 -0600
+Subject: Bluetooth: btusb: Add device ID for RTL8822BE
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+[ Upstream commit fed03fe7e55b7dc16077f672bd9d7bbe92b3a691 ]
+
+The Asus Z370-I contains a Realtek RTL8822BE device with an associated
+BT chip using a USB ID of 0b05:185c. This device is added to the driver.
+
+Signed-off-by: Hon Weng Chong <honwchong@gmail.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -380,6 +380,9 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x13d3, 0x3461), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK },
+
++ /* Additional Realtek 8822BE Bluetooth devices */
++ { USB_DEVICE(0x0b05, 0x185c), .driver_info = BTUSB_REALTEK },
++
+ /* Silicon Wave based devices */
+ { USB_DEVICE(0x0c10, 0x0000), .driver_info = BTUSB_SWAVE },
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Vicente Bergas <vicencb@gmail.com>
+Date: Tue, 20 Mar 2018 19:41:10 +0100
+Subject: Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB
+
+From: Vicente Bergas <vicencb@gmail.com>
+
+[ Upstream commit a41e0796396eeceff673af4a38feaee149c6ff86 ]
+
+This WiFi/Bluetooth USB dongle uses a Realtek chipset, so, use btrtl for it.
+
+Product information:
+https://wikidevi.com/wiki/Edimax_EW-7611ULB
+
+>From /sys/kernel/debug/usb/devices
+T: Bus=02 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=7392 ProdID=a611 Rev= 2.00
+S: Manufacturer=Realtek
+S: Product=Edimax Wi-Fi N150 Bluetooth4.0 USB Adapter
+S: SerialNumber=00e04c000001
+C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=500mA
+A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+I:* If#= 2 Alt= 0 #EPs= 6 Cls=ff(vend.) Sub=ff Prot=ff Driver=rtl8723bu
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=500us
+E: Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Tested-by: Vicente Bergas <vicencb@gmail.com>
+Signed-off-by: Vicente Bergas <vicencb@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -370,6 +370,9 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3494), .driver_info = BTUSB_REALTEK },
+
++ /* Additional Realtek 8723BU Bluetooth devices */
++ { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK },
++
+ /* Additional Realtek 8821AE Bluetooth devices */
+ { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK },
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Fri, 9 Mar 2018 23:46:10 -0500
+Subject: bnxt_en: Check valid VNIC ID in bnxt_hwrm_vnic_set_tpa().
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 3c4fe80b32c685bdc02b280814d0cfe80d441c72 ]
+
+During initialization, if we encounter errors, there is a code path that
+calls bnxt_hwrm_vnic_set_tpa() with invalid VNIC ID. This may cause a
+warning in firmware logs.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -3808,6 +3808,9 @@ static int bnxt_hwrm_vnic_set_tpa(struct
+ struct bnxt_vnic_info *vnic = &bp->vnic_info[vnic_id];
+ struct hwrm_vnic_tpa_cfg_input req = {0};
+
++ if (vnic->fw_vnic_id == INVALID_HW_RING_ID)
++ return 0;
++
+ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_VNIC_TPA_CFG, -1, -1);
+
+ if (tpa_flags) {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 26 Mar 2018 01:16:45 +0800
+Subject: bonding: fix the err path for dev hwaddr sync in bond_enslave
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 5c78f6bfae2b10ff70e21d343e64584ea6280c26 ]
+
+vlan_vids_add_by_dev is called right after dev hwaddr sync, so on
+the err path it should unsync dev hwaddr. Otherwise, the slave
+dev's hwaddr will never be unsync when this err happens.
+
+Fixes: 1ff412ad7714 ("bonding: change the bond's vlan syncing functions with the standard ones")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Acked-by: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1528,7 +1528,7 @@ int bond_enslave(struct net_device *bond
+ if (res) {
+ netdev_err(bond_dev, "Couldn't add bond vlan ids to %s\n",
+ slave_dev->name);
+- goto err_close;
++ goto err_hwaddr_unsync;
+ }
+
+ prev_slave = bond_last_slave(bond);
+@@ -1767,6 +1767,10 @@ err_detach:
+ synchronize_rcu();
+ slave_disable_netpoll(new_slave);
+
++err_hwaddr_unsync:
++ if (!bond_uses_primary(bond))
++ bond_hw_addr_flush(bond_dev, slave_dev);
++
+ err_close:
+ slave_dev->priv_flags &= ~IFF_BONDING;
+ dev_close(slave_dev);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Wed, 14 Mar 2018 20:02:59 +0100
+Subject: brcmfmac: Fix check for ISO3166 code
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit 9b9322db5c5a1917a66c71fe47c3848a9a31227e ]
+
+The commit "regulatory: add NUL to request alpha2" increases the length of
+alpha2 to 3. This causes a regression on brcmfmac, because
+brcmf_cfg80211_reg_notifier() expect valid ISO3166 codes in the complete
+array. So fix this accordingly.
+
+Fixes: 657308f73e67 ("regulatory: add NUL to request alpha2")
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Acked-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6916,7 +6916,7 @@ static void brcmf_cfg80211_reg_notifier(
+ return;
+
+ /* ignore non-ISO3166 country codes */
+- for (i = 0; i < sizeof(req->alpha2); i++)
++ for (i = 0; i < 2; i++)
+ if (req->alpha2[i] < 'A' || req->alpha2[i] > 'Z') {
+ brcmf_err("not an ISO3166 code (0x%02x 0x%02x)\n",
+ req->alpha2[0], req->alpha2[1]);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Liu Bo <bo.liu@linux.alibaba.com>
+Date: Tue, 3 Apr 2018 01:59:48 +0800
+Subject: Btrfs: bail out on error during replay_dir_deletes
+
+From: Liu Bo <bo.liu@linux.alibaba.com>
+
+[ Upstream commit b98def7ca6e152ee55e36863dddf6f41f12d1dc6 ]
+
+If errors were returned by btrfs_next_leaf(), replay_dir_deletes needs
+to bail out, otherwise @ret would be forced to be 0 after 'break;' and
+the caller won't be aware of it.
+
+Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations")
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2272,8 +2272,10 @@ again:
+ nritems = btrfs_header_nritems(path->nodes[0]);
+ if (path->slots[0] >= nritems) {
+ ret = btrfs_next_leaf(root, path);
+- if (ret)
++ if (ret == 1)
+ break;
++ else if (ret < 0)
++ goto out;
+ }
+ btrfs_item_key_to_cpu(path->nodes[0], &found_key,
+ path->slots[0]);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Liu Bo <bo.liu@linux.alibaba.com>
+Date: Sat, 31 Mar 2018 06:11:56 +0800
+Subject: Btrfs: clean up resources during umount after trans is aborted
+
+From: Liu Bo <bo.liu@linux.alibaba.com>
+
+[ Upstream commit af7227338135d2f1b1552bf9a6d43e02dcba10b9 ]
+
+Currently if some fatal errors occur, like all IO get -EIO, resources
+would be cleaned up when
+a) transaction is being committed or
+b) BTRFS_FS_STATE_ERROR is set
+
+However, in some rare cases, resources may be left alone after transaction
+gets aborted and umount may run into some ASSERT(), e.g.
+ASSERT(list_empty(&block_group->dirty_list));
+
+For case a), in btrfs_commit_transaciton(), there're several places at the
+beginning where we just call btrfs_end_transaction() without cleaning up
+resources. For case b), it is possible that the trans handle doesn't have
+any dirty stuff, then only trans hanlde is marked as aborted while
+BTRFS_FS_STATE_ERROR is not set, so resources remain in memory.
+
+This makes btrfs also check BTRFS_FS_STATE_TRANS_ABORTED to make sure that
+all resources won't stay in memory after umount.
+
+Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/disk-io.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -3896,7 +3896,8 @@ void close_ctree(struct btrfs_fs_info *f
+ btrfs_err(fs_info, "commit super ret %d", ret);
+ }
+
+- if (test_bit(BTRFS_FS_STATE_ERROR, &fs_info->fs_state))
++ if (test_bit(BTRFS_FS_STATE_ERROR, &fs_info->fs_state) ||
++ test_bit(BTRFS_FS_STATE_TRANS_ABORTED, &fs_info->fs_state))
+ btrfs_error_commit_super(fs_info);
+
+ kthread_stop(fs_info->transaction_kthread);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Filipe Manana <fdmanana@suse.com>
+Date: Mon, 26 Mar 2018 23:59:12 +0100
+Subject: Btrfs: fix copy_items() return value when logging an inode
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 8434ec46c6e3232cebc25a910363b29f5c617820 ]
+
+When logging an inode, at tree-log.c:copy_items(), if we call
+btrfs_next_leaf() at the loop which checks for the need to log holes, we
+need to make sure copy_items() returns the value 1 to its caller and
+not 0 (on success). This is because the path the caller passed was
+released and is now different from what is was before, and the caller
+expects a return value of 0 to mean both success and that the path
+has not changed, while a return value of 1 means both success and
+signals the caller that it can not reuse the path, it has to perform
+another tree search.
+
+Even though this is a case that should not be triggered on normal
+circumstances or very rare at least, its consequences can be very
+unpredictable (especially when replaying a log tree).
+
+Fixes: 16e7549f045d ("Btrfs: incompatible format change to remove hole extents")
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3918,6 +3918,7 @@ fill_holes:
+ ASSERT(ret == 0);
+ src = src_path->nodes[0];
+ i = 0;
++ need_find_last_extent = true;
+ }
+
+ btrfs_item_key_to_cpu(src, &key, i);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Fri, 16 Mar 2018 14:36:27 -0400
+Subject: btrfs: fix lockdep splat in btrfs_alloc_subvolume_writers
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+[ Upstream commit 8a5a916d9a35e13576d79cc16e24611821b13e34 ]
+
+While running btrfs/011, I hit the following lockdep splat.
+
+This is the important bit:
+ pcpu_alloc+0x1ac/0x5e0
+ __percpu_counter_init+0x4e/0xb0
+ btrfs_init_fs_root+0x99/0x1c0 [btrfs]
+ btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs]
+ resolve_indirect_refs+0x130/0x830 [btrfs]
+ find_parent_nodes+0x69e/0xff0 [btrfs]
+ btrfs_find_all_roots_safe+0xa0/0x110 [btrfs]
+ btrfs_find_all_roots+0x50/0x70 [btrfs]
+ btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs]
+ btrfs_commit_transaction+0x3ce/0x9b0 [btrfs]
+
+The percpu_counter_init call in btrfs_alloc_subvolume_writers
+uses GFP_KERNEL, which we can't do during transaction commit.
+
+This switches it to GFP_NOFS.
+
+========================================================
+WARNING: possible irq lock inversion dependency detected
+4.12.14-kvmsmall #8 Tainted: G W
+--------------------------------------------------------
+kswapd0/50 just changed the state of lock:
+ (&delayed_node->mutex){+.+.-.}, at: [<ffffffffc06994fa>] __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
+but this lock took another, RECLAIM_FS-unsafe lock in the past:
+ (pcpu_alloc_mutex){+.+.+.}
+
+and interrupts could create inverse lock ordering between them.
+
+other info that might help us debug this:
+Chain exists of:
+ &delayed_node->mutex --> &found->groups_sem --> pcpu_alloc_mutex
+
+ Possible interrupt unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(pcpu_alloc_mutex);
+ local_irq_disable();
+ lock(&delayed_node->mutex);
+ lock(&found->groups_sem);
+ <Interrupt>
+ lock(&delayed_node->mutex);
+
+ *** DEADLOCK ***
+
+2 locks held by kswapd0/50:
+ #0: (shrinker_rwsem){++++..}, at: [<ffffffff811dc11f>] shrink_slab+0x7f/0x5b0
+ #1: (&type->s_umount_key#30){+++++.}, at: [<ffffffff8126dec6>] trylock_super+0x16/0x50
+
+the shortest dependencies between 2nd lock and 1st lock:
+ -> (pcpu_alloc_mutex){+.+.+.} ops: 4904 {
+ HARDIRQ-ON-W at:
+ __mutex_lock+0x4e/0x8c0
+ pcpu_alloc+0x1ac/0x5e0
+ alloc_kmem_cache_cpus.isra.70+0x25/0xa0
+ __do_tune_cpucache+0x2c/0x220
+ do_tune_cpucache+0x26/0xc0
+ enable_cpucache+0x6d/0xf0
+ kmem_cache_init_late+0x42/0x75
+ start_kernel+0x343/0x4cb
+ x86_64_start_kernel+0x127/0x134
+ secondary_startup_64+0xa5/0xb0
+ SOFTIRQ-ON-W at:
+ __mutex_lock+0x4e/0x8c0
+ pcpu_alloc+0x1ac/0x5e0
+ alloc_kmem_cache_cpus.isra.70+0x25/0xa0
+ __do_tune_cpucache+0x2c/0x220
+ do_tune_cpucache+0x26/0xc0
+ enable_cpucache+0x6d/0xf0
+ kmem_cache_init_late+0x42/0x75
+ start_kernel+0x343/0x4cb
+ x86_64_start_kernel+0x127/0x134
+ secondary_startup_64+0xa5/0xb0
+ RECLAIM_FS-ON-W at:
+ __kmalloc+0x47/0x310
+ pcpu_extend_area_map+0x2b/0xc0
+ pcpu_alloc+0x3ec/0x5e0
+ alloc_kmem_cache_cpus.isra.70+0x25/0xa0
+ __do_tune_cpucache+0x2c/0x220
+ do_tune_cpucache+0x26/0xc0
+ enable_cpucache+0x6d/0xf0
+ __kmem_cache_create+0x1bf/0x390
+ create_cache+0xba/0x1b0
+ kmem_cache_create+0x1f8/0x2b0
+ ksm_init+0x6f/0x19d
+ do_one_initcall+0x50/0x1b0
+ kernel_init_freeable+0x201/0x289
+ kernel_init+0xa/0x100
+ ret_from_fork+0x3a/0x50
+ INITIAL USE at:
+ __mutex_lock+0x4e/0x8c0
+ pcpu_alloc+0x1ac/0x5e0
+ alloc_kmem_cache_cpus.isra.70+0x25/0xa0
+ setup_cpu_cache+0x2f/0x1f0
+ __kmem_cache_create+0x1bf/0x390
+ create_boot_cache+0x8b/0xb1
+ kmem_cache_init+0xa1/0x19e
+ start_kernel+0x270/0x4cb
+ x86_64_start_kernel+0x127/0x134
+ secondary_startup_64+0xa5/0xb0
+ }
+ ... key at: [<ffffffff821d8e70>] pcpu_alloc_mutex+0x70/0xa0
+ ... acquired at:
+ pcpu_alloc+0x1ac/0x5e0
+ __percpu_counter_init+0x4e/0xb0
+ btrfs_init_fs_root+0x99/0x1c0 [btrfs]
+ btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs]
+ resolve_indirect_refs+0x130/0x830 [btrfs]
+ find_parent_nodes+0x69e/0xff0 [btrfs]
+ btrfs_find_all_roots_safe+0xa0/0x110 [btrfs]
+ btrfs_find_all_roots+0x50/0x70 [btrfs]
+ btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs]
+ btrfs_commit_transaction+0x3ce/0x9b0 [btrfs]
+ transaction_kthread+0x176/0x1b0 [btrfs]
+ kthread+0x102/0x140
+ ret_from_fork+0x3a/0x50
+
+ -> (&fs_info->commit_root_sem){++++..} ops: 1566382 {
+ HARDIRQ-ON-W at:
+ down_write+0x3e/0xa0
+ cache_block_group+0x287/0x420 [btrfs]
+ find_free_extent+0x106c/0x12d0 [btrfs]
+ btrfs_reserve_extent+0xd8/0x170 [btrfs]
+ cow_file_range.isra.66+0x133/0x470 [btrfs]
+ run_delalloc_range+0x121/0x410 [btrfs]
+ writepage_delalloc.isra.50+0xfe/0x180 [btrfs]
+ __extent_writepage+0x19a/0x360 [btrfs]
+ extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs]
+ extent_writepages+0x4d/0x60 [btrfs]
+ do_writepages+0x1a/0x70
+ __filemap_fdatawrite_range+0xa7/0xe0
+ btrfs_rename+0x5ee/0xdb0 [btrfs]
+ vfs_rename+0x52a/0x7e0
+ SyS_rename+0x351/0x3b0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ HARDIRQ-ON-R at:
+ down_read+0x35/0x90
+ caching_thread+0x57/0x560 [btrfs]
+ normal_work_helper+0x1c0/0x5e0 [btrfs]
+ process_one_work+0x1e0/0x5c0
+ worker_thread+0x44/0x390
+ kthread+0x102/0x140
+ ret_from_fork+0x3a/0x50
+ SOFTIRQ-ON-W at:
+ down_write+0x3e/0xa0
+ cache_block_group+0x287/0x420 [btrfs]
+ find_free_extent+0x106c/0x12d0 [btrfs]
+ btrfs_reserve_extent+0xd8/0x170 [btrfs]
+ cow_file_range.isra.66+0x133/0x470 [btrfs]
+ run_delalloc_range+0x121/0x410 [btrfs]
+ writepage_delalloc.isra.50+0xfe/0x180 [btrfs]
+ __extent_writepage+0x19a/0x360 [btrfs]
+ extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs]
+ extent_writepages+0x4d/0x60 [btrfs]
+ do_writepages+0x1a/0x70
+ __filemap_fdatawrite_range+0xa7/0xe0
+ btrfs_rename+0x5ee/0xdb0 [btrfs]
+ vfs_rename+0x52a/0x7e0
+ SyS_rename+0x351/0x3b0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ SOFTIRQ-ON-R at:
+ down_read+0x35/0x90
+ caching_thread+0x57/0x560 [btrfs]
+ normal_work_helper+0x1c0/0x5e0 [btrfs]
+ process_one_work+0x1e0/0x5c0
+ worker_thread+0x44/0x390
+ kthread+0x102/0x140
+ ret_from_fork+0x3a/0x50
+ INITIAL USE at:
+ down_write+0x3e/0xa0
+ cache_block_group+0x287/0x420 [btrfs]
+ find_free_extent+0x106c/0x12d0 [btrfs]
+ btrfs_reserve_extent+0xd8/0x170 [btrfs]
+ cow_file_range.isra.66+0x133/0x470 [btrfs]
+ run_delalloc_range+0x121/0x410 [btrfs]
+ writepage_delalloc.isra.50+0xfe/0x180 [btrfs]
+ __extent_writepage+0x19a/0x360 [btrfs]
+ extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs]
+ extent_writepages+0x4d/0x60 [btrfs]
+ do_writepages+0x1a/0x70
+ __filemap_fdatawrite_range+0xa7/0xe0
+ btrfs_rename+0x5ee/0xdb0 [btrfs]
+ vfs_rename+0x52a/0x7e0
+ SyS_rename+0x351/0x3b0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ }
+ ... key at: [<ffffffffc0729578>] __key.61970+0x0/0xfffffffffff9aa88 [btrfs]
+ ... acquired at:
+ cache_block_group+0x287/0x420 [btrfs]
+ find_free_extent+0x106c/0x12d0 [btrfs]
+ btrfs_reserve_extent+0xd8/0x170 [btrfs]
+ btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs]
+ btrfs_create_tree+0xbb/0x2a0 [btrfs]
+ btrfs_create_uuid_tree+0x37/0x140 [btrfs]
+ open_ctree+0x23c0/0x2660 [btrfs]
+ btrfs_mount+0xd36/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ btrfs_mount+0x18c/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ do_mount+0x1c1/0xcc0
+ SyS_mount+0x7e/0xd0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+ -> (&found->groups_sem){++++..} ops: 2134587 {
+ HARDIRQ-ON-W at:
+ down_write+0x3e/0xa0
+ __link_block_group+0x34/0x130 [btrfs]
+ btrfs_read_block_groups+0x33d/0x7b0 [btrfs]
+ open_ctree+0x2054/0x2660 [btrfs]
+ btrfs_mount+0xd36/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ btrfs_mount+0x18c/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ do_mount+0x1c1/0xcc0
+ SyS_mount+0x7e/0xd0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ HARDIRQ-ON-R at:
+ down_read+0x35/0x90
+ btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs]
+ open_ctree+0x207b/0x2660 [btrfs]
+ btrfs_mount+0xd36/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ btrfs_mount+0x18c/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ do_mount+0x1c1/0xcc0
+ SyS_mount+0x7e/0xd0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ SOFTIRQ-ON-W at:
+ down_write+0x3e/0xa0
+ __link_block_group+0x34/0x130 [btrfs]
+ btrfs_read_block_groups+0x33d/0x7b0 [btrfs]
+ open_ctree+0x2054/0x2660 [btrfs]
+ btrfs_mount+0xd36/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ btrfs_mount+0x18c/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ do_mount+0x1c1/0xcc0
+ SyS_mount+0x7e/0xd0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ SOFTIRQ-ON-R at:
+ down_read+0x35/0x90
+ btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs]
+ open_ctree+0x207b/0x2660 [btrfs]
+ btrfs_mount+0xd36/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ btrfs_mount+0x18c/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ do_mount+0x1c1/0xcc0
+ SyS_mount+0x7e/0xd0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ INITIAL USE at:
+ down_write+0x3e/0xa0
+ __link_block_group+0x34/0x130 [btrfs]
+ btrfs_read_block_groups+0x33d/0x7b0 [btrfs]
+ open_ctree+0x2054/0x2660 [btrfs]
+ btrfs_mount+0xd36/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ btrfs_mount+0x18c/0xf90 [btrfs]
+ mount_fs+0x3a/0x160
+ vfs_kern_mount+0x66/0x150
+ do_mount+0x1c1/0xcc0
+ SyS_mount+0x7e/0xd0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ }
+ ... key at: [<ffffffffc0729488>] __key.59101+0x0/0xfffffffffff9ab78 [btrfs]
+ ... acquired at:
+ find_free_extent+0xcb4/0x12d0 [btrfs]
+ btrfs_reserve_extent+0xd8/0x170 [btrfs]
+ btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs]
+ __btrfs_cow_block+0x110/0x5b0 [btrfs]
+ btrfs_cow_block+0xd7/0x290 [btrfs]
+ btrfs_search_slot+0x1f6/0x960 [btrfs]
+ btrfs_lookup_inode+0x2a/0x90 [btrfs]
+ __btrfs_update_delayed_inode+0x65/0x210 [btrfs]
+ btrfs_commit_inode_delayed_inode+0x121/0x130 [btrfs]
+ btrfs_evict_inode+0x3fe/0x6a0 [btrfs]
+ evict+0xc4/0x190
+ __dentry_kill+0xbf/0x170
+ dput+0x2ae/0x2f0
+ SyS_rename+0x2a6/0x3b0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+-> (&delayed_node->mutex){+.+.-.} ops: 5580204 {
+ HARDIRQ-ON-W at:
+ __mutex_lock+0x4e/0x8c0
+ btrfs_delayed_update_inode+0x46/0x6e0 [btrfs]
+ btrfs_update_inode+0x83/0x110 [btrfs]
+ btrfs_dirty_inode+0x62/0xe0 [btrfs]
+ touch_atime+0x8c/0xb0
+ do_generic_file_read+0x818/0xb10
+ __vfs_read+0xdc/0x150
+ vfs_read+0x8a/0x130
+ SyS_read+0x45/0xa0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ SOFTIRQ-ON-W at:
+ __mutex_lock+0x4e/0x8c0
+ btrfs_delayed_update_inode+0x46/0x6e0 [btrfs]
+ btrfs_update_inode+0x83/0x110 [btrfs]
+ btrfs_dirty_inode+0x62/0xe0 [btrfs]
+ touch_atime+0x8c/0xb0
+ do_generic_file_read+0x818/0xb10
+ __vfs_read+0xdc/0x150
+ vfs_read+0x8a/0x130
+ SyS_read+0x45/0xa0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ IN-RECLAIM_FS-W at:
+ __mutex_lock+0x4e/0x8c0
+ __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
+ btrfs_evict_inode+0x22c/0x6a0 [btrfs]
+ evict+0xc4/0x190
+ dispose_list+0x35/0x50
+ prune_icache_sb+0x42/0x50
+ super_cache_scan+0x139/0x190
+ shrink_slab+0x262/0x5b0
+ shrink_node+0x2eb/0x2f0
+ kswapd+0x2eb/0x890
+ kthread+0x102/0x140
+ ret_from_fork+0x3a/0x50
+ INITIAL USE at:
+ __mutex_lock+0x4e/0x8c0
+ btrfs_delayed_update_inode+0x46/0x6e0 [btrfs]
+ btrfs_update_inode+0x83/0x110 [btrfs]
+ btrfs_dirty_inode+0x62/0xe0 [btrfs]
+ touch_atime+0x8c/0xb0
+ do_generic_file_read+0x818/0xb10
+ __vfs_read+0xdc/0x150
+ vfs_read+0x8a/0x130
+ SyS_read+0x45/0xa0
+ do_syscall_64+0x79/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+ }
+ ... key at: [<ffffffffc072d488>] __key.56935+0x0/0xfffffffffff96b78 [btrfs]
+ ... acquired at:
+ __lock_acquire+0x264/0x11c0
+ lock_acquire+0xbd/0x1e0
+ __mutex_lock+0x4e/0x8c0
+ __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
+ btrfs_evict_inode+0x22c/0x6a0 [btrfs]
+ evict+0xc4/0x190
+ dispose_list+0x35/0x50
+ prune_icache_sb+0x42/0x50
+ super_cache_scan+0x139/0x190
+ shrink_slab+0x262/0x5b0
+ shrink_node+0x2eb/0x2f0
+ kswapd+0x2eb/0x890
+ kthread+0x102/0x140
+ ret_from_fork+0x3a/0x50
+
+stack backtrace:
+CPU: 1 PID: 50 Comm: kswapd0 Tainted: G W 4.12.14-kvmsmall #8 SLE15 (unreleased)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+Call Trace:
+ dump_stack+0x78/0xb7
+ print_irq_inversion_bug.part.38+0x19f/0x1aa
+ check_usage_forwards+0x102/0x120
+ ? ret_from_fork+0x3a/0x50
+ ? check_usage_backwards+0x110/0x110
+ mark_lock+0x16c/0x270
+ __lock_acquire+0x264/0x11c0
+ ? pagevec_lookup_entries+0x1a/0x30
+ ? truncate_inode_pages_range+0x2b3/0x7f0
+ lock_acquire+0xbd/0x1e0
+ ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
+ __mutex_lock+0x4e/0x8c0
+ ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
+ ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
+ ? btrfs_evict_inode+0x1f6/0x6a0 [btrfs]
+ __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
+ btrfs_evict_inode+0x22c/0x6a0 [btrfs]
+ evict+0xc4/0x190
+ dispose_list+0x35/0x50
+ prune_icache_sb+0x42/0x50
+ super_cache_scan+0x139/0x190
+ shrink_slab+0x262/0x5b0
+ shrink_node+0x2eb/0x2f0
+ kswapd+0x2eb/0x890
+ kthread+0x102/0x140
+ ? mem_cgroup_shrink_node+0x2c0/0x2c0
+ ? kthread_create_on_node+0x40/0x40
+ ret_from_fork+0x3a/0x50
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Reviewed-by: Liu Bo <bo.liu@linux.alibaba.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/disk-io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -1276,7 +1276,7 @@ static struct btrfs_subvolume_writers *b
+ if (!writers)
+ return ERR_PTR(-ENOMEM);
+
+- ret = percpu_counter_init(&writers->counter, 0, GFP_KERNEL);
++ ret = percpu_counter_init(&writers->counter, 0, GFP_NOFS);
+ if (ret < 0) {
+ kfree(writers);
+ return ERR_PTR(ret);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 28 Feb 2018 15:55:40 +0000
+Subject: Btrfs: fix log replay failure after linking special file and fsync
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 9a6509c4daa91400b52a5fd541a5521c649a8fea ]
+
+If in the same transaction we rename a special file (fifo, character/block
+device or symbolic link), create a hard link for it having its old name
+then sync the log, we will end up with a log that can not be replayed and
+at when attempting to replay it, an EEXIST error is returned and mounting
+the filesystem fails. Example scenario:
+
+ $ mkfs.btrfs -f /dev/sdc
+ $ mount /dev/sdc /mnt
+ $ mkdir /mnt/testdir
+ $ mkfifo /mnt/testdir/foo
+ # Make sure everything done so far is durably persisted.
+ $ sync
+
+ # Create some unrelated file and fsync it, this is just to create a log
+ # tree. The file must be in the same directory as our special file.
+ $ touch /mnt/testdir/f1
+ $ xfs_io -c "fsync" /mnt/testdir/f1
+
+ # Rename our special file and then create a hard link with its old name.
+ $ mv /mnt/testdir/foo /mnt/testdir/bar
+ $ ln /mnt/testdir/bar /mnt/testdir/foo
+
+ # Create some other unrelated file and fsync it, this is just to persist
+ # the log tree which was modified by the previous rename and link
+ # operations. Alternatively we could have modified file f1 and fsync it.
+ $ touch /mnt/f2
+ $ xfs_io -c "fsync" /mnt/f2
+
+ <power failure>
+
+ $ mount /dev/sdc /mnt
+ mount: mount /dev/sdc on /mnt failed: File exists
+
+This happens because when both the log tree and the subvolume's tree have
+an entry in the directory "testdir" with the same name, that is, there
+is one key (258 INODE_REF 257) in the subvolume tree and another one in
+the log tree (where 258 is the inode number of our special file and 257
+is the inode for directory "testdir"). Only the data of those two keys
+differs, in the subvolume tree the index field for inode reference has
+a value of 3 while the log tree it has a value of 5. Because the same key
+exists in both trees, but have different index, the log replay fails with
+an -EEXIST error when attempting to replay the inode reference from the
+log tree.
+
+Fix this by setting the last_unlink_trans field of the inode (our special
+file) to the current transaction id when a hard link is created, as this
+forces logging the parent directory inode, solving the conflict at log
+replay time.
+
+A new generic test case for fstests was also submitted.
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -5881,7 +5881,7 @@ int btrfs_log_new_name(struct btrfs_tran
+ * this will force the logging code to walk the dentry chain
+ * up for the file
+ */
+- if (S_ISREG(inode->vfs_inode.i_mode))
++ if (!S_ISDIR(inode->vfs_inode.i_mode))
+ inode->last_unlink_trans = trans->transid;
+
+ /*
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 5 Apr 2018 22:55:12 +0100
+Subject: Btrfs: fix loss of prealloc extents past i_size after fsync log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 471d557afed155b85da237ec46c549f443eeb5de ]
+
+Currently if we allocate extents beyond an inode's i_size (through the
+fallocate system call) and then fsync the file, we log the extents but
+after a power failure we replay them and then immediately drop them.
+This behaviour happens since about 2009, commit c71bf099abdd ("Btrfs:
+Avoid orphan inodes cleanup while replaying log"), because it marks
+the inode as an orphan instead of dropping any extents beyond i_size
+before replaying logged extents, so after the log replay, and while
+the mount operation is still ongoing, we find the inode marked as an
+orphan and then perform a truncation (drop extents beyond the inode's
+i_size). Because the processing of orphan inodes is still done
+right after replaying the log and before the mount operation finishes,
+the intention of that commit does not make any sense (at least as
+of today). However reverting that behaviour is not enough, because
+we can not simply discard all extents beyond i_size and then replay
+logged extents, because we risk dropping extents beyond i_size created
+in past transactions, for example:
+
+ add prealloc extent beyond i_size
+ fsync - clears the flag BTRFS_INODE_NEEDS_FULL_SYNC from the inode
+ transaction commit
+ add another prealloc extent beyond i_size
+ fsync - triggers the fast fsync path
+ power failure
+
+In that scenario, we would drop the first extent and then replay the
+second one. To fix this just make sure that all prealloc extents
+beyond i_size are logged, and if we find too many (which is far from
+a common case), fallback to a full transaction commit (like we do when
+logging regular extents in the fast fsync path).
+
+Trivial reproducer:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+ $ xfs_io -f -c "pwrite -S 0xab 0 256K" /mnt/foo
+ $ sync
+ $ xfs_io -c "falloc -k 256K 1M" /mnt/foo
+ $ xfs_io -c "fsync" /mnt/foo
+ <power failure>
+
+ # mount to replay log
+ $ mount /dev/sdb /mnt
+ # at this point the file only has one extent, at offset 0, size 256K
+
+A test case for fstests follows soon, covering multiple scenarios that
+involve adding prealloc extents with previous shrinking truncates and
+without such truncates.
+
+Fixes: c71bf099abdd ("Btrfs: Avoid orphan inodes cleanup while replaying log")
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 58 insertions(+), 5 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2377,13 +2377,41 @@ static int replay_one_buffer(struct btrf
+ if (ret)
+ break;
+
+- /* for regular files, make sure corresponding
+- * orphan item exist. extents past the new EOF
+- * will be truncated later by orphan cleanup.
++ /*
++ * Before replaying extents, truncate the inode to its
++ * size. We need to do it now and not after log replay
++ * because before an fsync we can have prealloc extents
++ * added beyond the inode's i_size. If we did it after,
++ * through orphan cleanup for example, we would drop
++ * those prealloc extents just after replaying them.
+ */
+ if (S_ISREG(mode)) {
+- ret = insert_orphan_item(wc->trans, root,
+- key.objectid);
++ struct inode *inode;
++ u64 from;
++
++ inode = read_one_inode(root, key.objectid);
++ if (!inode) {
++ ret = -EIO;
++ break;
++ }
++ from = ALIGN(i_size_read(inode),
++ root->fs_info->sectorsize);
++ ret = btrfs_drop_extents(wc->trans, root, inode,
++ from, (u64)-1, 1);
++ /*
++ * If the nlink count is zero here, the iput
++ * will free the inode. We bump it to make
++ * sure it doesn't get freed until the link
++ * count fixup is done.
++ */
++ if (!ret) {
++ if (inode->i_nlink == 0)
++ inc_nlink(inode);
++ /* Update link count and nbytes. */
++ ret = btrfs_update_inode(wc->trans,
++ root, inode);
++ }
++ iput(inode);
+ if (ret)
+ break;
+ }
+@@ -4234,6 +4262,31 @@ static int btrfs_log_changed_extents(str
+ num++;
+ }
+
++ /*
++ * Add all prealloc extents beyond the inode's i_size to make sure we
++ * don't lose them after doing a fast fsync and replaying the log.
++ */
++ if (inode->flags & BTRFS_INODE_PREALLOC) {
++ struct rb_node *node;
++
++ for (node = rb_last(&tree->map); node; node = rb_prev(node)) {
++ em = rb_entry(node, struct extent_map, rb_node);
++ if (em->start < i_size_read(&inode->vfs_inode))
++ break;
++ if (!list_empty(&em->list))
++ continue;
++ /* Same as above loop. */
++ if (++num > 32768) {
++ list_del_init(&tree->modified_extents);
++ ret = -EFBIG;
++ goto process;
++ }
++ refcount_inc(&em->refs);
++ set_bit(EXTENT_FLAG_LOGGING, &em->flags);
++ list_add_tail(&em->list, &extents);
++ }
++ }
++
+ list_sort(NULL, &extents, extent_cmp);
+ btrfs_get_logged_extents(inode, logged_list, logged_start, logged_end);
+ /*
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Liu Bo <bo.liu@linux.alibaba.com>
+Date: Tue, 3 Apr 2018 01:59:47 +0800
+Subject: Btrfs: fix NULL pointer dereference in log_dir_items
+
+From: Liu Bo <bo.liu@linux.alibaba.com>
+
+[ Upstream commit 80c0b4210a963e31529e15bf90519708ec947596 ]
+
+0, 1 and <0 can be returned by btrfs_next_leaf(), and when <0 is
+returned, path->nodes[0] could be NULL, log_dir_items lacks such a
+check for <0 and we may run into a null pointer dereference panic.
+
+Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations")
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3462,8 +3462,11 @@ static noinline int log_dir_items(struct
+ * from this directory and from this transaction
+ */
+ ret = btrfs_next_leaf(root, path);
+- if (ret == 1) {
+- last_offset = (u64)-1;
++ if (ret) {
++ if (ret == 1)
++ last_offset = (u64)-1;
++ else
++ err = ret;
+ goto done;
+ }
+ btrfs_item_key_to_cpu(path->nodes[0], &tmp, path->slots[0]);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Nikolay Borisov <nborisov@suse.com>
+Date: Thu, 5 Apr 2018 10:40:15 +0300
+Subject: btrfs: Fix possible softlock on single core machines
+
+From: Nikolay Borisov <nborisov@suse.com>
+
+[ Upstream commit 1e1c50a929bc9e49bc3f9935b92450d9e69f8158 ]
+
+do_chunk_alloc implements a loop checking whether there is a pending
+chunk allocation and if so causes the caller do loop. Generally this
+loop is executed only once, however testing with btrfs/072 on a single
+core vm machines uncovered an extreme case where the system could loop
+indefinitely. This is due to a missing cond_resched when loop which
+doesn't give a chance to the previous chunk allocator finish its job.
+
+The fix is to simply add the missing cond_resched.
+
+Fixes: 6d74119f1a3e ("Btrfs: avoid taking the chunk_mutex in do_chunk_alloc")
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent-tree.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -4668,6 +4668,7 @@ again:
+ if (wait_for_alloc) {
+ mutex_unlock(&fs_info->chunk_mutex);
+ wait_for_alloc = 0;
++ cond_resched();
+ goto again;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 19 Dec 2017 15:44:54 +0800
+Subject: btrfs: qgroup: Fix root item corruption when multiple same source snapshots are created with quota enabled
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 4d31778aa2fa342f5f92ca4025b293a1729161d1 ]
+
+When multiple pending snapshots referring to the same source subvolume
+are executed, enabled quota will cause root item corruption, where root
+items are using old bytenr (no backref in extent tree).
+
+This can be triggered by fstests btrfs/152.
+
+The cause is when source subvolume is still dirty, extra commit
+(simplied transaction commit) of qgroup_account_snapshot() can skip
+dirty roots not recorded in current transaction, making root item of
+source subvolume not updated.
+
+Fix it by forcing recording source subvolume in current transaction
+before qgroup sub-transaction commit.
+
+Reported-by: Justin Maggard <jmaggard@netgear.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/transaction.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -319,7 +319,7 @@ static int record_root_in_trans(struct b
+ if ((test_bit(BTRFS_ROOT_REF_COWS, &root->state) &&
+ root->last_trans < trans->transid) || force) {
+ WARN_ON(root == fs_info->extent_root);
+- WARN_ON(root->commit_root != root->node);
++ WARN_ON(!force && root->commit_root != root->node);
+
+ /*
+ * see below for IN_TRANS_SETUP usage rules
+@@ -1366,6 +1366,14 @@ static int qgroup_account_snapshot(struc
+ return 0;
+
+ /*
++ * Ensure dirty @src will be commited. Or, after comming
++ * commit_fs_roots() and switch_commit_roots(), any dirty but not
++ * recorded root will never be updated again, causing an outdated root
++ * item.
++ */
++ record_root_in_trans(trans, src, 1);
++
++ /*
+ * We are going to commit transaction, see btrfs_commit_transaction()
+ * comment for reason locking tree_log_mutex
+ */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 6 Feb 2018 20:39:20 +0000
+Subject: Btrfs: send, fix issuing write op when processing hole in no data mode
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit d4dfc0f4d39475ccbbac947880b5464a74c30b99 ]
+
+When doing an incremental send of a filesystem with the no-holes feature
+enabled, we end up issuing a write operation when using the no data mode
+send flag, instead of issuing an update extent operation. Fix this by
+issuing the update extent operation instead.
+
+Trivial reproducer:
+
+ $ mkfs.btrfs -f -O no-holes /dev/sdc
+ $ mkfs.btrfs -f /dev/sdd
+ $ mount /dev/sdc /mnt/sdc
+ $ mount /dev/sdd /mnt/sdd
+
+ $ xfs_io -f -c "pwrite -S 0xab 0 32K" /mnt/sdc/foobar
+ $ btrfs subvolume snapshot -r /mnt/sdc /mnt/sdc/snap1
+
+ $ xfs_io -c "fpunch 8K 8K" /mnt/sdc/foobar
+ $ btrfs subvolume snapshot -r /mnt/sdc /mnt/sdc/snap2
+
+ $ btrfs send /mnt/sdc/snap1 | btrfs receive /mnt/sdd
+ $ btrfs send --no-data -p /mnt/sdc/snap1 /mnt/sdc/snap2 \
+ | btrfs receive -vv /mnt/sdd
+
+Before this change the output of the second receive command is:
+
+ receiving snapshot snap2 uuid=f6922049-8c22-e544-9ff9-fc6755918447...
+ utimes
+ write foobar, offset 8192, len 8192
+ utimes foobar
+ BTRFS_IOC_SET_RECEIVED_SUBVOL uuid=f6922049-8c22-e544-9ff9-...
+
+After this change it is:
+
+ receiving snapshot snap2 uuid=564d36a3-ebc8-7343-aec9-bf6fda278e64...
+ utimes
+ update_extent foobar: offset=8192, len=8192
+ utimes foobar
+ BTRFS_IOC_SET_RECEIVED_SUBVOL uuid=564d36a3-ebc8-7343-aec9-bf6fda278e64...
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/send.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -5008,6 +5008,9 @@ static int send_hole(struct send_ctx *sc
+ u64 len;
+ int ret = 0;
+
++ if (sctx->flags & BTRFS_SEND_FLAG_NO_FILE_DATA)
++ return send_update_extent(sctx, offset, end - offset);
++
+ p = fs_path_alloc();
+ if (!p)
+ return -ENOMEM;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 27 Mar 2018 20:44:18 +0800
+Subject: btrfs: tests/qgroup: Fix wrong tree backref level
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 3c0efdf03b2d127f0e40e30db4e7aa0429b1b79a ]
+
+The extent tree of the test fs is like the following:
+
+ BTRFS info (device (null)): leaf 16327509003777336587 total ptrs 1 free space 3919
+ item 0 key (4096 168 4096) itemoff 3944 itemsize 51
+ extent refs 1 gen 1 flags 2
+ tree block key (68719476736 0 0) level 1
+ ^^^^^^^
+ ref#0: tree block backref root 5
+
+And it's using an empty tree for fs tree, so there is no way that its
+level can be 1.
+
+For REAL (created by mkfs) fs tree backref with no skinny metadata, the
+result should look like:
+
+ item 3 key (30408704 EXTENT_ITEM 4096) itemoff 3845 itemsize 51
+ refs 1 gen 4 flags TREE_BLOCK
+ tree block key (256 INODE_ITEM 0) level 0
+ ^^^^^^^
+ tree block backref root 5
+
+Fix the level to 0, so it won't break later tree level checker.
+
+Fixes: faa2dbf004e8 ("Btrfs: add sanity tests for new qgroup accounting code")
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tests/qgroup-tests.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/tests/qgroup-tests.c
++++ b/fs/btrfs/tests/qgroup-tests.c
+@@ -63,7 +63,7 @@ static int insert_normal_tree_ref(struct
+ btrfs_set_extent_generation(leaf, item, 1);
+ btrfs_set_extent_flags(leaf, item, BTRFS_EXTENT_FLAG_TREE_BLOCK);
+ block_info = (struct btrfs_tree_block_info *)(item + 1);
+- btrfs_set_tree_block_level(leaf, block_info, 1);
++ btrfs_set_tree_block_level(leaf, block_info, 0);
+ iref = (struct btrfs_extent_inline_ref *)(block_info + 1);
+ if (parent > 0) {
+ btrfs_set_extent_inline_ref_type(leaf, iref,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Thu, 15 Feb 2018 22:59:47 -0500
+Subject: btrfs: use kvzalloc to allocate btrfs_fs_info
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+[ Upstream commit a8fd1f71749387c9a1053a83ff1c16287499a4e7 ]
+
+The srcu_struct in btrfs_fs_info scales in size with NR_CPUS. On
+kernels built with NR_CPUS=8192, this can result in kmalloc failures
+that prevent mounting.
+
+There is work in progress to try to resolve this for every user of
+srcu_struct but using kvzalloc will work around the failures until
+that is complete.
+
+As an example with NR_CPUS=512 on x86_64: the overall size of
+subvol_srcu is 3460 bytes, fs_info is 6496.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ctree.h | 2 +-
+ fs/btrfs/super.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -2969,7 +2969,7 @@ static inline void free_fs_info(struct b
+ kfree(fs_info->super_copy);
+ kfree(fs_info->super_for_commit);
+ security_free_mnt_opts(&fs_info->security_opts);
+- kfree(fs_info);
++ kvfree(fs_info);
+ }
+
+ /* tree mod log functions from ctree.c */
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1581,7 +1581,7 @@ static struct dentry *btrfs_mount(struct
+ * it for searching for existing supers, so this lets us do that and
+ * then open_ctree will properly initialize everything later.
+ */
+- fs_info = kzalloc(sizeof(struct btrfs_fs_info), GFP_KERNEL);
++ fs_info = kvzalloc(sizeof(struct btrfs_fs_info), GFP_KERNEL);
+ if (!fs_info) {
+ error = -ENOMEM;
+ goto error_sec_opts;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 21 Feb 2018 14:45:54 -0800
+Subject: bug.h: work around GCC PR82365 in BUG()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 173a3efd3edb2ef6ef07471397c5f542a360e9c1 ]
+
+Looking at functions with large stack frames across all architectures
+led me discovering that BUG() suffers from the same problem as
+fortify_panic(), which I've added a workaround for already.
+
+In short, variables that go out of scope by calling a noreturn function
+or __builtin_unreachable() keep using stack space in functions
+afterwards.
+
+A workaround that was identified is to insert an empty assembler
+statement just before calling the function that doesn't return. I'm
+adding a macro "barrier_before_unreachable()" to document this, and
+insert calls to that in all instances of BUG() that currently suffer
+from this problem.
+
+The files that saw the largest change from this had these frame sizes
+before, and much less with my patch:
+
+ fs/ext4/inode.c:82:1: warning: the frame size of 1672 bytes is larger than 800 bytes [-Wframe-larger-than=]
+ fs/ext4/namei.c:434:1: warning: the frame size of 904 bytes is larger than 800 bytes [-Wframe-larger-than=]
+ fs/ext4/super.c:2279:1: warning: the frame size of 1160 bytes is larger than 800 bytes [-Wframe-larger-than=]
+ fs/ext4/xattr.c:146:1: warning: the frame size of 1168 bytes is larger than 800 bytes [-Wframe-larger-than=]
+ fs/f2fs/inode.c:152:1: warning: the frame size of 1424 bytes is larger than 800 bytes [-Wframe-larger-than=]
+ net/netfilter/ipvs/ip_vs_core.c:1195:1: warning: the frame size of 1068 bytes is larger than 800 bytes [-Wframe-larger-than=]
+ net/netfilter/ipvs/ip_vs_core.c:395:1: warning: the frame size of 1084 bytes is larger than 800 bytes [-Wframe-larger-than=]
+ net/netfilter/ipvs/ip_vs_ftp.c:298:1: warning: the frame size of 928 bytes is larger than 800 bytes [-Wframe-larger-than=]
+ net/netfilter/ipvs/ip_vs_ftp.c:418:1: warning: the frame size of 908 bytes is larger than 800 bytes [-Wframe-larger-than=]
+ net/netfilter/ipvs/ip_vs_lblcr.c:718:1: warning: the frame size of 960 bytes is larger than 800 bytes [-Wframe-larger-than=]
+ drivers/net/xen-netback/netback.c:1500:1: warning: the frame size of 1088 bytes is larger than 800 bytes [-Wframe-larger-than=]
+
+In case of ARC and CRIS, it turns out that the BUG() implementation
+actually does return (or at least the compiler thinks it does),
+resulting in lots of warnings about uninitialized variable use and
+leaving noreturn functions, such as:
+
+ block/cfq-iosched.c: In function 'cfq_async_queue_prio':
+ block/cfq-iosched.c:3804:1: error: control reaches end of non-void function [-Werror=return-type]
+ include/linux/dmaengine.h: In function 'dma_maxpq':
+ include/linux/dmaengine.h:1123:1: error: control reaches end of non-void function [-Werror=return-type]
+
+This makes them call __builtin_trap() instead, which should normally
+dump the stack and kill the current process, like some of the other
+architectures already do.
+
+I tried adding barrier_before_unreachable() to panic() and
+fortify_panic() as well, but that had very little effect, so I'm not
+submitting that patch.
+
+Vineet said:
+
+: For ARC, it is double win.
+:
+: 1. Fixes 3 -Wreturn-type warnings
+:
+: | ../net/core/ethtool.c:311:1: warning: control reaches end of non-void function
+: [-Wreturn-type]
+: | ../kernel/sched/core.c:3246:1: warning: control reaches end of non-void function
+: [-Wreturn-type]
+: | ../include/linux/sunrpc/svc_xprt.h:180:1: warning: control reaches end of
+: non-void function [-Wreturn-type]
+:
+: 2. bloat-o-meter reports code size improvements as gcc elides the
+: generated code for stack return.
+
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82365
+Link: http://lkml.kernel.org/r/20171219114112.939391-1-arnd@arndb.de
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Vineet Gupta <vgupta@synopsys.com> [arch/arc]
+Tested-by: Vineet Gupta <vgupta@synopsys.com> [arch/arc]
+Cc: Mikael Starvik <starvik@axis.com>
+Cc: Jesper Nilsson <jesper.nilsson@axis.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Christopher Li <sparse@chrisli.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arc/include/asm/bug.h | 3 ++-
+ arch/cris/include/arch-v10/arch/bug.h | 11 +++++++++--
+ arch/ia64/include/asm/bug.h | 6 +++++-
+ arch/m68k/include/asm/bug.h | 3 +++
+ arch/sparc/include/asm/bug.h | 6 +++++-
+ include/asm-generic/bug.h | 1 +
+ include/linux/compiler-gcc.h | 15 ++++++++++++++-
+ include/linux/compiler.h | 5 +++++
+ 8 files changed, 44 insertions(+), 6 deletions(-)
+
+--- a/arch/arc/include/asm/bug.h
++++ b/arch/arc/include/asm/bug.h
+@@ -23,7 +23,8 @@ void die(const char *str, struct pt_regs
+
+ #define BUG() do { \
+ pr_warn("BUG: failure at %s:%d/%s()!\n", __FILE__, __LINE__, __func__); \
+- dump_stack(); \
++ barrier_before_unreachable(); \
++ __builtin_trap(); \
+ } while (0)
+
+ #define HAVE_ARCH_BUG
+--- a/arch/cris/include/arch-v10/arch/bug.h
++++ b/arch/cris/include/arch-v10/arch/bug.h
+@@ -44,18 +44,25 @@ struct bug_frame {
+ * not be used like this with newer versions of gcc.
+ */
+ #define BUG() \
++do { \
+ __asm__ __volatile__ ("clear.d [" __stringify(BUG_MAGIC) "]\n\t"\
+ "movu.w " __stringify(__LINE__) ",$r0\n\t"\
+ "jump 0f\n\t" \
+ ".section .rodata\n" \
+ "0:\t.string \"" __FILE__ "\"\n\t" \
+- ".previous")
++ ".previous"); \
++ unreachable(); \
++} while (0)
+ #endif
+
+ #else
+
+ /* This just causes an oops. */
+-#define BUG() (*(int *)0 = 0)
++#define BUG() \
++do { \
++ barrier_before_unreachable(); \
++ __builtin_trap(); \
++} while (0)
+
+ #endif
+
+--- a/arch/ia64/include/asm/bug.h
++++ b/arch/ia64/include/asm/bug.h
+@@ -4,7 +4,11 @@
+
+ #ifdef CONFIG_BUG
+ #define ia64_abort() __builtin_trap()
+-#define BUG() do { printk("kernel BUG at %s:%d!\n", __FILE__, __LINE__); ia64_abort(); } while (0)
++#define BUG() do { \
++ printk("kernel BUG at %s:%d!\n", __FILE__, __LINE__); \
++ barrier_before_unreachable(); \
++ ia64_abort(); \
++} while (0)
+
+ /* should this BUG be made generic? */
+ #define HAVE_ARCH_BUG
+--- a/arch/m68k/include/asm/bug.h
++++ b/arch/m68k/include/asm/bug.h
+@@ -8,16 +8,19 @@
+ #ifndef CONFIG_SUN3
+ #define BUG() do { \
+ pr_crit("kernel BUG at %s:%d!\n", __FILE__, __LINE__); \
++ barrier_before_unreachable(); \
+ __builtin_trap(); \
+ } while (0)
+ #else
+ #define BUG() do { \
+ pr_crit("kernel BUG at %s:%d!\n", __FILE__, __LINE__); \
++ barrier_before_unreachable(); \
+ panic("BUG!"); \
+ } while (0)
+ #endif
+ #else
+ #define BUG() do { \
++ barrier_before_unreachable(); \
+ __builtin_trap(); \
+ } while (0)
+ #endif
+--- a/arch/sparc/include/asm/bug.h
++++ b/arch/sparc/include/asm/bug.h
+@@ -9,10 +9,14 @@
+ void do_BUG(const char *file, int line);
+ #define BUG() do { \
+ do_BUG(__FILE__, __LINE__); \
++ barrier_before_unreachable(); \
+ __builtin_trap(); \
+ } while (0)
+ #else
+-#define BUG() __builtin_trap()
++#define BUG() do { \
++ barrier_before_unreachable(); \
++ __builtin_trap(); \
++} while (0)
+ #endif
+
+ #define HAVE_ARCH_BUG
+--- a/include/asm-generic/bug.h
++++ b/include/asm-generic/bug.h
+@@ -50,6 +50,7 @@ struct bug_entry {
+ #ifndef HAVE_ARCH_BUG
+ #define BUG() do { \
+ printk("BUG: failure at %s:%d/%s()!\n", __FILE__, __LINE__, __func__); \
++ barrier_before_unreachable(); \
+ panic("BUG!"); \
+ } while (0)
+ #endif
+--- a/include/linux/compiler-gcc.h
++++ b/include/linux/compiler-gcc.h
+@@ -212,6 +212,15 @@
+ #endif
+
+ /*
++ * calling noreturn functions, __builtin_unreachable() and __builtin_trap()
++ * confuse the stack allocation in gcc, leading to overly large stack
++ * frames, see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82365
++ *
++ * Adding an empty inline assembly before it works around the problem
++ */
++#define barrier_before_unreachable() asm volatile("")
++
++/*
+ * Mark a position in code as unreachable. This can be used to
+ * suppress control flow warnings after asm blocks that transfer
+ * control elsewhere.
+@@ -221,7 +230,11 @@
+ * unreleased. Really, we need to have autoconf for the kernel.
+ */
+ #define unreachable() \
+- do { annotate_unreachable(); __builtin_unreachable(); } while (0)
++ do { \
++ annotate_unreachable(); \
++ barrier_before_unreachable(); \
++ __builtin_unreachable(); \
++ } while (0)
+
+ /* Mark a function definition as prohibited from being cloned. */
+ #define __noclone __attribute__((__noclone__, __optimize__("no-tracer")))
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -86,6 +86,11 @@ void ftrace_likely_update(struct ftrace_
+ # define barrier_data(ptr) barrier()
+ #endif
+
++/* workaround for GCC PR82365 if needed */
++#ifndef barrier_before_unreachable
++# define barrier_before_unreachable() do { } while (0)
++#endif
++
+ /* Unreachable code */
+ #ifdef CONFIG_STACK_VALIDATION
+ #define annotate_reachable() ({ \
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Wed, 21 Mar 2018 13:15:28 +0800
+Subject: builddeb: Fix header package regarding dtc source links
+
+From: Jan Kiszka <jan.kiszka@siemens.com>
+
+[ Upstream commit f8437520704cfd9cc442a99d73ed708a3cdadaf9 ]
+
+Since d5d332d3f7e8, a couple of links in scripts/dtc/include-prefixes
+are additionally required in order to build device trees with the header
+package.
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Reviewed-by: Riku Voipio <riku.voipio@linaro.org>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/package/builddeb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/package/builddeb
++++ b/scripts/package/builddeb
+@@ -313,7 +313,7 @@ fi
+
+ # Build kernel header package
+ (cd $srctree; find . -name Makefile\* -o -name Kconfig\* -o -name \*.pl) > "$objtree/debian/hdrsrcfiles"
+-(cd $srctree; find arch/*/include include scripts -type f) >> "$objtree/debian/hdrsrcfiles"
++(cd $srctree; find arch/*/include include scripts -type f -o -type l) >> "$objtree/debian/hdrsrcfiles"
+ (cd $srctree; find arch/$SRCARCH -name module.lds -o -name Kbuild.platforms -o -name Platform) >> "$objtree/debian/hdrsrcfiles"
+ (cd $srctree; find $(find arch/$SRCARCH -name include -o -name scripts -type d) -type f) >> "$objtree/debian/hdrsrcfiles"
+ if grep -q '^CONFIG_STACK_VALIDATION=y' $KCONFIG_CONFIG ; then
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Tue, 6 Feb 2018 09:52:07 +0100
+Subject: can: m_can: change comparison to bitshift when dealing with a mask
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit b7db978ac283b237835129ac87f26cbac94d04e7 ]
+
+Due to a typo, the mask was destroyed by a comparison instead of a bit
+shift.
+
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/m_can/m_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -246,7 +246,7 @@ enum m_can_mram_cfg {
+
+ /* Rx FIFO 0/1 Configuration (RXF0C/RXF1C) */
+ #define RXFC_FWM_SHIFT 24
+-#define RXFC_FWM_MASK (0x7f < RXFC_FWM_SHIFT)
++#define RXFC_FWM_MASK (0x7f << RXFC_FWM_SHIFT)
+ #define RXFC_FS_SHIFT 16
+ #define RXFC_FS_MASK (0x7f << RXFC_FS_SHIFT)
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Bich HEMON <bich.hemon@st.com>
+Date: Mon, 12 Mar 2018 08:52:37 +0000
+Subject: can: m_can: select pinctrl state in each suspend/resume function
+
+From: Bich HEMON <bich.hemon@st.com>
+
+[ Upstream commit c9b3bce18da4a0aebc27853052dea39aa64b7d75 ]
+
+Make sure to apply the correct pin state in suspend/resume callbacks.
+Putting pins in sleep state saves power.
+
+Signed-off-by: Bich Hemon <bich.hemon@st.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/m_can/m_can.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -25,6 +25,7 @@
+ #include <linux/platform_device.h>
+ #include <linux/iopoll.h>
+ #include <linux/can/dev.h>
++#include <linux/pinctrl/consumer.h>
+
+ /* napi related */
+ #define M_CAN_NAPI_WEIGHT 64
+@@ -1682,6 +1683,8 @@ static __maybe_unused int m_can_suspend(
+ m_can_clk_stop(priv);
+ }
+
++ pinctrl_pm_select_sleep_state(dev);
++
+ priv->can.state = CAN_STATE_SLEEPING;
+
+ return 0;
+@@ -1692,6 +1695,8 @@ static __maybe_unused int m_can_resume(s
+ struct net_device *ndev = dev_get_drvdata(dev);
+ struct m_can_priv *priv = netdev_priv(ndev);
+
++ pinctrl_pm_select_default_state(dev);
++
+ m_can_init_ram(priv);
+
+ priv->can.state = CAN_STATE_ERROR_ACTIVE;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Maurizio Lombardi <mlombard@redhat.com>
+Date: Fri, 9 Mar 2018 13:59:06 +0100
+Subject: cdrom: do not call check_disk_change() inside cdrom_open()
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 2bbea6e117357d17842114c65e9a9cf2d13ae8a3 ]
+
+when mounting an ISO filesystem sometimes (very rarely)
+the system hangs because of a race condition between two tasks.
+
+PID: 6766 TASK: ffff88007b2a6dd0 CPU: 0 COMMAND: "mount"
+ #0 [ffff880078447ae0] __schedule at ffffffff8168d605
+ #1 [ffff880078447b48] schedule_preempt_disabled at ffffffff8168ed49
+ #2 [ffff880078447b58] __mutex_lock_slowpath at ffffffff8168c995
+ #3 [ffff880078447bb8] mutex_lock at ffffffff8168bdef
+ #4 [ffff880078447bd0] sr_block_ioctl at ffffffffa00b6818 [sr_mod]
+ #5 [ffff880078447c10] blkdev_ioctl at ffffffff812fea50
+ #6 [ffff880078447c70] ioctl_by_bdev at ffffffff8123a8b3
+ #7 [ffff880078447c90] isofs_fill_super at ffffffffa04fb1e1 [isofs]
+ #8 [ffff880078447da8] mount_bdev at ffffffff81202570
+ #9 [ffff880078447e18] isofs_mount at ffffffffa04f9828 [isofs]
+#10 [ffff880078447e28] mount_fs at ffffffff81202d09
+#11 [ffff880078447e70] vfs_kern_mount at ffffffff8121ea8f
+#12 [ffff880078447ea8] do_mount at ffffffff81220fee
+#13 [ffff880078447f28] sys_mount at ffffffff812218d6
+#14 [ffff880078447f80] system_call_fastpath at ffffffff81698c49
+ RIP: 00007fd9ea914e9a RSP: 00007ffd5d9bf648 RFLAGS: 00010246
+ RAX: 00000000000000a5 RBX: ffffffff81698c49 RCX: 0000000000000010
+ RDX: 00007fd9ec2bc210 RSI: 00007fd9ec2bc290 RDI: 00007fd9ec2bcf30
+ RBP: 0000000000000000 R8: 0000000000000000 R9: 0000000000000010
+ R10: 00000000c0ed0001 R11: 0000000000000206 R12: 00007fd9ec2bc040
+ R13: 00007fd9eb6b2380 R14: 00007fd9ec2bc210 R15: 00007fd9ec2bcf30
+ ORIG_RAX: 00000000000000a5 CS: 0033 SS: 002b
+
+This task was trying to mount the cdrom. It allocated and configured a
+super_block struct and owned the write-lock for the super_block->s_umount
+rwsem. While exclusively owning the s_umount lock, it called
+sr_block_ioctl and waited to acquire the global sr_mutex lock.
+
+PID: 6785 TASK: ffff880078720fb0 CPU: 0 COMMAND: "systemd-udevd"
+ #0 [ffff880078417898] __schedule at ffffffff8168d605
+ #1 [ffff880078417900] schedule at ffffffff8168dc59
+ #2 [ffff880078417910] rwsem_down_read_failed at ffffffff8168f605
+ #3 [ffff880078417980] call_rwsem_down_read_failed at ffffffff81328838
+ #4 [ffff8800784179d0] down_read at ffffffff8168cde0
+ #5 [ffff8800784179e8] get_super at ffffffff81201cc7
+ #6 [ffff880078417a10] __invalidate_device at ffffffff8123a8de
+ #7 [ffff880078417a40] flush_disk at ffffffff8123a94b
+ #8 [ffff880078417a88] check_disk_change at ffffffff8123ab50
+ #9 [ffff880078417ab0] cdrom_open at ffffffffa00a29e1 [cdrom]
+#10 [ffff880078417b68] sr_block_open at ffffffffa00b6f9b [sr_mod]
+#11 [ffff880078417b98] __blkdev_get at ffffffff8123ba86
+#12 [ffff880078417bf0] blkdev_get at ffffffff8123bd65
+#13 [ffff880078417c78] blkdev_open at ffffffff8123bf9b
+#14 [ffff880078417c90] do_dentry_open at ffffffff811fc7f7
+#15 [ffff880078417cd8] vfs_open at ffffffff811fc9cf
+#16 [ffff880078417d00] do_last at ffffffff8120d53d
+#17 [ffff880078417db0] path_openat at ffffffff8120e6b2
+#18 [ffff880078417e48] do_filp_open at ffffffff8121082b
+#19 [ffff880078417f18] do_sys_open at ffffffff811fdd33
+#20 [ffff880078417f70] sys_open at ffffffff811fde4e
+#21 [ffff880078417f80] system_call_fastpath at ffffffff81698c49
+ RIP: 00007f29438b0c20 RSP: 00007ffc76624b78 RFLAGS: 00010246
+ RAX: 0000000000000002 RBX: ffffffff81698c49 RCX: 0000000000000000
+ RDX: 00007f2944a5fa70 RSI: 00000000000a0800 RDI: 00007f2944a5fa70
+ RBP: 00007f2944a5f540 R8: 0000000000000000 R9: 0000000000000020
+ R10: 00007f2943614c40 R11: 0000000000000246 R12: ffffffff811fde4e
+ R13: ffff880078417f78 R14: 000000000000000c R15: 00007f2944a4b010
+ ORIG_RAX: 0000000000000002 CS: 0033 SS: 002b
+
+This task tried to open the cdrom device, the sr_block_open function
+acquired the global sr_mutex lock. The call to check_disk_change()
+then saw an event flag indicating a possible media change and tried
+to flush any cached data for the device.
+As part of the flush, it tried to acquire the super_block->s_umount
+lock associated with the cdrom device.
+This was the same super_block as created and locked by the previous task.
+
+The first task acquires the s_umount lock and then the sr_mutex_lock;
+the second task acquires the sr_mutex_lock and then the s_umount lock.
+
+This patch fixes the issue by moving check_disk_change() out of
+cdrom_open() and let the caller take care of it.
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/paride/pcd.c | 2 ++
+ drivers/cdrom/cdrom.c | 3 ---
+ drivers/cdrom/gdrom.c | 3 +++
+ drivers/ide/ide-cd.c | 2 ++
+ drivers/scsi/sr.c | 2 ++
+ 5 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/paride/pcd.c
++++ b/drivers/block/paride/pcd.c
+@@ -230,6 +230,8 @@ static int pcd_block_open(struct block_d
+ struct pcd_unit *cd = bdev->bd_disk->private_data;
+ int ret;
+
++ check_disk_change(bdev);
++
+ mutex_lock(&pcd_mutex);
+ ret = cdrom_open(&cd->info, bdev, mode);
+ mutex_unlock(&pcd_mutex);
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -1152,9 +1152,6 @@ int cdrom_open(struct cdrom_device_info
+
+ cd_dbg(CD_OPEN, "entering cdrom_open\n");
+
+- /* open is event synchronization point, check events first */
+- check_disk_change(bdev);
+-
+ /* if this was a O_NONBLOCK open and we should honor the flags,
+ * do a quick open without drive/disc integrity checks. */
+ cdi->use_count++;
+--- a/drivers/cdrom/gdrom.c
++++ b/drivers/cdrom/gdrom.c
+@@ -497,6 +497,9 @@ static const struct cdrom_device_ops gdr
+ static int gdrom_bdops_open(struct block_device *bdev, fmode_t mode)
+ {
+ int ret;
++
++ check_disk_change(bdev);
++
+ mutex_lock(&gdrom_mutex);
+ ret = cdrom_open(gd.cd_info, bdev, mode);
+ mutex_unlock(&gdrom_mutex);
+--- a/drivers/ide/ide-cd.c
++++ b/drivers/ide/ide-cd.c
+@@ -1614,6 +1614,8 @@ static int idecd_open(struct block_devic
+ struct cdrom_info *info;
+ int rc = -ENXIO;
+
++ check_disk_change(bdev);
++
+ mutex_lock(&ide_cd_mutex);
+ info = ide_cd_get(bdev->bd_disk);
+ if (!info)
+--- a/drivers/scsi/sr.c
++++ b/drivers/scsi/sr.c
+@@ -525,6 +525,8 @@ static int sr_block_open(struct block_de
+ struct scsi_cd *cd;
+ int ret = -ENXIO;
+
++ check_disk_change(bdev);
++
+ mutex_lock(&sr_mutex);
+ cd = scsi_cd_get(bdev->bd_disk);
+ if (cd) {
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Chengguang Xu <cgxu519@icloud.com>
+Date: Fri, 9 Feb 2018 20:40:59 +0800
+Subject: ceph: fix dentry leak when failing to init debugfs
+
+From: Chengguang Xu <cgxu519@icloud.com>
+
+[ Upstream commit 18106734b512664a8541026519ce4b862498b6c3 ]
+
+When failing from ceph_fs_debugfs_init() in ceph_real_mount(),
+there is lack of dput of root_dentry and it causes slab errors,
+so change the calling order of ceph_fs_debugfs_init() and
+open_root_dentry() and do some cleanups to avoid this issue.
+
+Signed-off-by: Chengguang Xu <cgxu519@icloud.com>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/super.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+--- a/fs/ceph/super.c
++++ b/fs/ceph/super.c
+@@ -837,7 +837,6 @@ static struct dentry *ceph_real_mount(st
+ int err;
+ unsigned long started = jiffies; /* note the start time */
+ struct dentry *root;
+- int first = 0; /* first vfsmount for this super_block */
+
+ dout("mount start %p\n", fsc);
+ mutex_lock(&fsc->client->mount_mutex);
+@@ -862,17 +861,17 @@ static struct dentry *ceph_real_mount(st
+ path = fsc->mount_options->server_path + 1;
+ dout("mount opening path %s\n", path);
+ }
++
++ err = ceph_fs_debugfs_init(fsc);
++ if (err < 0)
++ goto out;
++
+ root = open_root_dentry(fsc, path, started);
+ if (IS_ERR(root)) {
+ err = PTR_ERR(root);
+ goto out;
+ }
+ fsc->sb->s_root = dget(root);
+- first = 1;
+-
+- err = ceph_fs_debugfs_init(fsc);
+- if (err < 0)
+- goto fail;
+ } else {
+ root = dget(fsc->sb->s_root);
+ }
+@@ -882,11 +881,6 @@ static struct dentry *ceph_real_mount(st
+ mutex_unlock(&fsc->client->mount_mutex);
+ return root;
+
+-fail:
+- if (first) {
+- dput(fsc->sb->s_root);
+- fsc->sb->s_root = NULL;
+- }
+ out:
+ mutex_unlock(&fsc->client->mount_mutex);
+ return ERR_PTR(err);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Chengguang Xu <cgxu519@icloud.com>
+Date: Thu, 1 Mar 2018 14:24:51 +0800
+Subject: ceph: fix potential memory leak in init_caches()
+
+From: Chengguang Xu <cgxu519@icloud.com>
+
+[ Upstream commit 1c789249578895bb14ab62b4327306439b754857 ]
+
+There is lack of cache destroy operation for ceph_file_cachep
+when failing from fscache register.
+
+Signed-off-by: Chengguang Xu <cgxu519@icloud.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/super.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/fs/ceph/super.c
++++ b/fs/ceph/super.c
+@@ -712,14 +712,17 @@ static int __init init_caches(void)
+ goto bad_dentry;
+
+ ceph_file_cachep = KMEM_CACHE(ceph_file_info, SLAB_MEM_SPREAD);
+-
+ if (!ceph_file_cachep)
+ goto bad_file;
+
+- if ((error = ceph_fscache_register()))
+- goto bad_file;
++ error = ceph_fscache_register();
++ if (error)
++ goto bad_fscache;
+
+ return 0;
++
++bad_fscache:
++ kmem_cache_destroy(ceph_file_cachep);
+ bad_file:
+ kmem_cache_destroy(ceph_dentry_cachep);
+ bad_dentry:
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Avraham Stern <avraham.stern@intel.com>
+Date: Mon, 19 Feb 2018 14:48:38 +0200
+Subject: cfg80211: clear wep keys after disconnection
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+[ Upstream commit 3027a8e799b20fc922496a12f8ad2f9f36a8a696 ]
+
+When a low level driver calls cfg80211_disconnected(), wep keys are
+not cleared. As a result, following connection requests will fail
+since cfg80211 internal state shows a connection is still in progress.
+
+Fix this by clearing the wep keys when disconnecting.
+
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/sme.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -989,6 +989,8 @@ void __cfg80211_disconnected(struct net_
+ wdev->current_bss = NULL;
+ wdev->ssid_len = 0;
+ wdev->conn_owner_nlportid = 0;
++ kzfree(wdev->connect_keys);
++ wdev->connect_keys = NULL;
+
+ nl80211_send_disconnected(rdev, dev, reason, ie, ie_len, from_ap);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Wed, 14 Mar 2018 08:28:31 +0800
+Subject: clk: Don't show the incorrect clock phase
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+[ Upstream commit 1f9c63e8de3d7b377c9d74e4a17524cfb60e6384 ]
+
+It's found that the clock phase output from clk_summary is
+wrong compared to the actual phase reading from the register.
+
+cat /sys/kernel/debug/clk/clk_summary | grep sdio_sample
+sdio_sample 0 1 0 50000000 0 -22
+
+It exposes an issue that clk core, clk_core_get_phase, always
+returns the cached core->phase which should be either updated
+by calling clk_set_phase or directly from the first place the
+clk was registered.
+
+When registering the clk, the core->phase geting from ->get_phase()
+may return negative value indicating error. This is quite common
+since the clk's phase may be highly related to its parent chain,
+but it was temporarily orphan when registered, since its parent
+chains hadn't be ready at that time, so the clk drivers decide to
+return error in this case. However, if no clk_set_phase is called or
+maybe the ->set_phase() isn't even implemented, the core->phase would
+never be updated. This is wrong, and we should try to update it when
+all its parent chains are settled down, like the way of updating clock
+rate for that. But it's not deserved to complicate the code now and
+just update it anyway when calling clk_core_get_phase, which would be
+much simple and enough.
+
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Acked-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -1931,6 +1931,9 @@ static int clk_core_get_phase(struct clk
+ int ret;
+
+ clk_prepare_lock();
++ /* Always try to update cached phase if possible */
++ if (core->ops->get_phase)
++ core->phase = core->ops->get_phase(core->hw);
+ ret = core->phase;
+ clk_prepare_unlock();
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 20 Feb 2018 16:15:21 +0100
+Subject: clk: hisilicon: mark wdt_mux_p[] as const
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit df934cbcbff7afbc024bf05f02615917c61f6470 ]
+
+The symbol is in the __initconst section but not marked init, which
+caused a warning when building with LTO.
+
+This makes it 'const' as was obviously intended.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: c80dfd9bf54e ("clk: hisilicon: add CRG driver for Hi3516CV300 SoC")
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/hisilicon/crg-hi3516cv300.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/hisilicon/crg-hi3516cv300.c
++++ b/drivers/clk/hisilicon/crg-hi3516cv300.c
+@@ -204,7 +204,7 @@ static const struct hisi_crg_funcs hi351
+ /* hi3516CV300 sysctrl CRG */
+ #define HI3516CV300_SYSCTRL_NR_CLKS 16
+
+-static const char *wdt_mux_p[] __initconst = { "3m", "apb" };
++static const char *const wdt_mux_p[] __initconst = { "3m", "apb" };
+ static u32 wdt_mux_table[] = {0, 1};
+
+ static const struct hisi_mux_clock hi3516cv300_sysctrl_mux_clks[] = {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Wed, 21 Mar 2018 10:39:19 +0800
+Subject: clk: rockchip: Fix wrong parent for SDMMC phase clock for rk3228
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+[ Upstream commit 4b0556a441dd37e598887215bc89b49a6ef525b3 ]
+
+commit c420c1e4db22 ("clk: rockchip: Prevent calculating mmc phase
+if clock rate is zero") catches one gremlin again for clk-rk3228.c
+that the parent of SDMMC phase clock should be sclk_sdmmc0, but not
+sclk_sdmmc. However, the naming of the sdmmc clocks varies in the
+manual with the card clock having the 0 while the hclk is named
+without appended 0. So standardize one one format to prevent
+confusion, as there also is only one (non-sdio) mmc controller on
+the soc.
+
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/rockchip/clk-rk3228.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/rockchip/clk-rk3228.c
++++ b/drivers/clk/rockchip/clk-rk3228.c
+@@ -387,7 +387,7 @@ static struct rockchip_clk_branch rk3228
+ RK2928_CLKSEL_CON(23), 5, 2, MFLAGS, 0, 6, DFLAGS,
+ RK2928_CLKGATE_CON(2), 15, GFLAGS),
+
+- COMPOSITE(SCLK_SDMMC, "sclk_sdmmc0", mux_mmc_src_p, 0,
++ COMPOSITE(SCLK_SDMMC, "sclk_sdmmc", mux_mmc_src_p, 0,
+ RK2928_CLKSEL_CON(11), 8, 2, MFLAGS, 0, 8, DFLAGS,
+ RK2928_CLKGATE_CON(2), 11, GFLAGS),
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Mon, 5 Mar 2018 11:25:58 +0800
+Subject: clk: rockchip: Prevent calculating mmc phase if clock rate is zero
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+[ Upstream commit 4bf59902b50012b1dddeeaa23b217d9c4956cdda ]
+
+The MMC sample and drv clock for rockchip platforms are derived from
+the bus clock output to the MMC/SDIO card. So it should never happens
+that the clk rate is zero given it should inherits the clock rate from
+its parent. If something goes wrong and makes the clock rate to be zero,
+the calculation would be wrong but may still make the mmc tuning process
+work luckily. However it makes people harder to debug when the following
+data transfer is unstable.
+
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/rockchip/clk-mmc-phase.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/drivers/clk/rockchip/clk-mmc-phase.c
++++ b/drivers/clk/rockchip/clk-mmc-phase.c
+@@ -58,6 +58,12 @@ static int rockchip_mmc_get_phase(struct
+ u16 degrees;
+ u32 delay_num = 0;
+
++ /* See the comment for rockchip_mmc_set_phase below */
++ if (!rate) {
++ pr_err("%s: invalid clk rate\n", __func__);
++ return -EINVAL;
++ }
++
+ raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift);
+
+ degrees = (raw_value & ROCKCHIP_MMC_DEGREE_MASK) * 90;
+@@ -84,6 +90,23 @@ static int rockchip_mmc_set_phase(struct
+ u32 raw_value;
+ u32 delay;
+
++ /*
++ * The below calculation is based on the output clock from
++ * MMC host to the card, which expects the phase clock inherits
++ * the clock rate from its parent, namely the output clock
++ * provider of MMC host. However, things may go wrong if
++ * (1) It is orphan.
++ * (2) It is assigned to the wrong parent.
++ *
++ * This check help debug the case (1), which seems to be the
++ * most likely problem we often face and which makes it difficult
++ * for people to debug unstable mmc tuning results.
++ */
++ if (!rate) {
++ pr_err("%s: invalid clk rate\n", __func__);
++ return -EINVAL;
++ }
++
+ nineties = degrees / 90;
+ remainder = (degrees % 90);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Fri, 16 Feb 2018 15:57:48 +0100
+Subject: clk: samsung: exynos3250: Fix PLL rates
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+[ Upstream commit a8321e7887410a2b2e80ab89d1ef7b30562658ea ]
+
+Rates declared in PLL rate tables should match exactly rates calculated
+from PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+In this patch an erroneous P value for 74176002 output frequency is also
+corrected.
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/samsung/clk-exynos3250.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/samsung/clk-exynos3250.c
++++ b/drivers/clk/samsung/clk-exynos3250.c
+@@ -698,7 +698,7 @@ static const struct samsung_pll_rate_tab
+ PLL_36XX_RATE(144000000, 96, 2, 3, 0),
+ PLL_36XX_RATE( 96000000, 128, 2, 4, 0),
+ PLL_36XX_RATE( 84000000, 112, 2, 4, 0),
+- PLL_36XX_RATE( 80000004, 106, 2, 4, 43691),
++ PLL_36XX_RATE( 80000003, 106, 2, 4, 43691),
+ PLL_36XX_RATE( 73728000, 98, 2, 4, 19923),
+ PLL_36XX_RATE( 67737598, 270, 3, 5, 62285),
+ PLL_36XX_RATE( 65535999, 174, 2, 5, 49982),
+@@ -734,7 +734,7 @@ static const struct samsung_pll_rate_tab
+ PLL_36XX_RATE(148352005, 98, 2, 3, 59070),
+ PLL_36XX_RATE(108000000, 144, 2, 4, 0),
+ PLL_36XX_RATE( 74250000, 99, 2, 4, 0),
+- PLL_36XX_RATE( 74176002, 98, 3, 4, 59070),
++ PLL_36XX_RATE( 74176002, 98, 2, 4, 59070),
+ PLL_36XX_RATE( 54054000, 216, 3, 5, 14156),
+ PLL_36XX_RATE( 54000000, 144, 2, 5, 0),
+ { /* sentinel */ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Fri, 16 Feb 2018 15:57:49 +0100
+Subject: clk: samsung: exynos5250: Fix PLL rates
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+[ Upstream commit 2ac051eeabaa411ef89ae7cd5bb8e60cb41ad780 ]
+
+Rates declared in PLL rate tables should match exactly rates calculated
+from PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/samsung/clk-exynos5250.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/clk/samsung/clk-exynos5250.c
++++ b/drivers/clk/samsung/clk-exynos5250.c
+@@ -711,13 +711,13 @@ static const struct samsung_pll_rate_tab
+ /* sorted in descending order */
+ /* PLL_36XX_RATE(rate, m, p, s, k) */
+ PLL_36XX_RATE(192000000, 64, 2, 2, 0),
+- PLL_36XX_RATE(180633600, 90, 3, 2, 20762),
++ PLL_36XX_RATE(180633605, 90, 3, 2, 20762),
+ PLL_36XX_RATE(180000000, 90, 3, 2, 0),
+ PLL_36XX_RATE(73728000, 98, 2, 4, 19923),
+- PLL_36XX_RATE(67737600, 90, 2, 4, 20762),
++ PLL_36XX_RATE(67737602, 90, 2, 4, 20762),
+ PLL_36XX_RATE(49152000, 98, 3, 4, 19923),
+- PLL_36XX_RATE(45158400, 90, 3, 4, 20762),
+- PLL_36XX_RATE(32768000, 131, 3, 5, 4719),
++ PLL_36XX_RATE(45158401, 90, 3, 4, 20762),
++ PLL_36XX_RATE(32768001, 131, 3, 5, 4719),
+ { },
+ };
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Fri, 16 Feb 2018 15:57:50 +0100
+Subject: clk: samsung: exynos5260: Fix PLL rates
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+[ Upstream commit cdb68fbd4e7962be742c4f29475220c5bf28d8a5 ]
+
+Rates declared in PLL rate tables should match exactly rates calculated from
+the PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/samsung/clk-exynos5260.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/samsung/clk-exynos5260.c
++++ b/drivers/clk/samsung/clk-exynos5260.c
+@@ -65,7 +65,7 @@ static const struct samsung_pll_rate_tab
+ PLL_36XX_RATE(480000000, 160, 2, 2, 0),
+ PLL_36XX_RATE(432000000, 144, 2, 2, 0),
+ PLL_36XX_RATE(400000000, 200, 3, 2, 0),
+- PLL_36XX_RATE(394073130, 459, 7, 2, 49282),
++ PLL_36XX_RATE(394073128, 459, 7, 2, 49282),
+ PLL_36XX_RATE(333000000, 111, 2, 2, 0),
+ PLL_36XX_RATE(300000000, 100, 2, 2, 0),
+ PLL_36XX_RATE(266000000, 266, 3, 3, 0),
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Fri, 16 Feb 2018 15:57:51 +0100
+Subject: clk: samsung: exynos5433: Fix PLL rates
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+[ Upstream commit ab0447845cffc0fd752df2ccd6b4e34006000ce4 ]
+
+Rates declared in PLL rate tables should match exactly rates calculated from
+the PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/samsung/clk-exynos5433.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/clk/samsung/clk-exynos5433.c
++++ b/drivers/clk/samsung/clk-exynos5433.c
+@@ -725,7 +725,7 @@ static const struct samsung_pll_rate_tab
+ PLL_35XX_RATE(800000000U, 400, 6, 1),
+ PLL_35XX_RATE(733000000U, 733, 12, 1),
+ PLL_35XX_RATE(700000000U, 175, 3, 1),
+- PLL_35XX_RATE(667000000U, 222, 4, 1),
++ PLL_35XX_RATE(666000000U, 222, 4, 1),
+ PLL_35XX_RATE(633000000U, 211, 4, 1),
+ PLL_35XX_RATE(600000000U, 500, 5, 2),
+ PLL_35XX_RATE(552000000U, 460, 5, 2),
+@@ -753,12 +753,12 @@ static const struct samsung_pll_rate_tab
+ /* AUD_PLL */
+ static const struct samsung_pll_rate_table exynos5433_aud_pll_rates[] __initconst = {
+ PLL_36XX_RATE(400000000U, 200, 3, 2, 0),
+- PLL_36XX_RATE(393216000U, 197, 3, 2, -25690),
++ PLL_36XX_RATE(393216003U, 197, 3, 2, -25690),
+ PLL_36XX_RATE(384000000U, 128, 2, 2, 0),
+- PLL_36XX_RATE(368640000U, 246, 4, 2, -15729),
+- PLL_36XX_RATE(361507200U, 181, 3, 2, -16148),
+- PLL_36XX_RATE(338688000U, 113, 2, 2, -6816),
+- PLL_36XX_RATE(294912000U, 98, 1, 3, 19923),
++ PLL_36XX_RATE(368639991U, 246, 4, 2, -15729),
++ PLL_36XX_RATE(361507202U, 181, 3, 2, -16148),
++ PLL_36XX_RATE(338687988U, 113, 2, 2, -6816),
++ PLL_36XX_RATE(294912002U, 98, 1, 3, 19923),
+ PLL_36XX_RATE(288000000U, 96, 1, 3, 0),
+ PLL_36XX_RATE(252000000U, 84, 1, 3, 0),
+ { /* sentinel */ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Fri, 16 Feb 2018 15:57:52 +0100
+Subject: clk: samsung: exynos7: Fix PLL rates
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+[ Upstream commit 7e4db0c2836e892766565965207eee051c8037b9 ]
+
+Rates declared in PLL rate tables should match exactly rates calculated from
+the PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/samsung/clk-exynos7.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/samsung/clk-exynos7.c
++++ b/drivers/clk/samsung/clk-exynos7.c
+@@ -140,7 +140,7 @@ static const struct samsung_div_clock to
+ };
+
+ static const struct samsung_pll_rate_table pll1460x_24mhz_tbl[] __initconst = {
+- PLL_36XX_RATE(491520000, 20, 1, 0, 31457),
++ PLL_36XX_RATE(491519897, 20, 1, 0, 31457),
+ {},
+ };
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Fri, 16 Feb 2018 15:57:53 +0100
+Subject: clk: samsung: s3c2410: Fix PLL rates
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+[ Upstream commit 179db533c08431f509a3823077549773d519358b ]
+
+Rates declared in PLL rate tables should match exactly rates calculated from
+the PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/samsung/clk-s3c2410.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/clk/samsung/clk-s3c2410.c
++++ b/drivers/clk/samsung/clk-s3c2410.c
+@@ -168,7 +168,7 @@ static struct samsung_pll_rate_table pll
+ PLL_35XX_RATE(226000000, 105, 1, 1),
+ PLL_35XX_RATE(210000000, 132, 2, 1),
+ /* 2410 common */
+- PLL_35XX_RATE(203000000, 161, 3, 1),
++ PLL_35XX_RATE(202800000, 161, 3, 1),
+ PLL_35XX_RATE(192000000, 88, 1, 1),
+ PLL_35XX_RATE(186000000, 85, 1, 1),
+ PLL_35XX_RATE(180000000, 82, 1, 1),
+@@ -178,18 +178,18 @@ static struct samsung_pll_rate_table pll
+ PLL_35XX_RATE(147000000, 90, 2, 1),
+ PLL_35XX_RATE(135000000, 82, 2, 1),
+ PLL_35XX_RATE(124000000, 116, 1, 2),
+- PLL_35XX_RATE(118000000, 150, 2, 2),
++ PLL_35XX_RATE(118500000, 150, 2, 2),
+ PLL_35XX_RATE(113000000, 105, 1, 2),
+- PLL_35XX_RATE(101000000, 127, 2, 2),
++ PLL_35XX_RATE(101250000, 127, 2, 2),
+ PLL_35XX_RATE(90000000, 112, 2, 2),
+- PLL_35XX_RATE(85000000, 105, 2, 2),
++ PLL_35XX_RATE(84750000, 105, 2, 2),
+ PLL_35XX_RATE(79000000, 71, 1, 2),
+- PLL_35XX_RATE(68000000, 82, 2, 2),
+- PLL_35XX_RATE(56000000, 142, 2, 3),
++ PLL_35XX_RATE(67500000, 82, 2, 2),
++ PLL_35XX_RATE(56250000, 142, 2, 3),
+ PLL_35XX_RATE(48000000, 120, 2, 3),
+- PLL_35XX_RATE(51000000, 161, 3, 3),
++ PLL_35XX_RATE(50700000, 161, 3, 3),
+ PLL_35XX_RATE(45000000, 82, 1, 3),
+- PLL_35XX_RATE(34000000, 82, 2, 3),
++ PLL_35XX_RATE(33750000, 82, 2, 3),
+ { /* sentinel */ },
+ };
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Marcel Ziswiler <marcel@ziswiler.com>
+Date: Fri, 23 Feb 2018 00:04:51 +0100
+Subject: clk: tegra: Fix pll_u rate configuration
+
+From: Marcel Ziswiler <marcel@ziswiler.com>
+
+[ Upstream commit c35b518f9ba06c9de79fb3ff62eed7462d804995 ]
+
+Turns out latest upstream U-Boot does not configure/enable pll_u which
+leaves it at some default rate of 500 kHz:
+
+root@apalis-t30:~# cat /sys/kernel/debug/clk/clk_summary | grep pll_u
+ pll_u 3 3 0 500000 0
+
+Of course this won't quite work leading to the following messages:
+
+[ 6.559593] usb 2-1: new full-speed USB device number 2 using tegra-
+ehci
+[ 11.759173] usb 2-1: device descriptor read/64, error -110
+[ 27.119453] usb 2-1: device descriptor read/64, error -110
+[ 27.389217] usb 2-1: new full-speed USB device number 3 using tegra-
+ehci
+[ 32.559454] usb 2-1: device descriptor read/64, error -110
+[ 47.929777] usb 2-1: device descriptor read/64, error -110
+[ 48.049658] usb usb2-port1: attempt power cycle
+[ 48.759475] usb 2-1: new full-speed USB device number 4 using tegra-
+ehci
+[ 59.349457] usb 2-1: device not accepting address 4, error -110
+[ 59.509449] usb 2-1: new full-speed USB device number 5 using tegra-
+ehci
+[ 70.069457] usb 2-1: device not accepting address 5, error -110
+[ 70.079721] usb usb2-port1: unable to enumerate USB device
+
+Fix this by actually allowing the rate also being set from within
+the Linux kernel.
+
+Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Tested-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/tegra/clk-pll.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/clk/tegra/clk-pll.c
++++ b/drivers/clk/tegra/clk-pll.c
+@@ -1151,6 +1151,8 @@ static const struct clk_ops tegra_clk_pl
+ .enable = clk_pllu_enable,
+ .disable = clk_pll_disable,
+ .recalc_rate = clk_pll_recalc_rate,
++ .round_rate = clk_pll_round_rate,
++ .set_rate = clk_pll_set_rate,
+ };
+
+ static int _pll_fixed_mdiv(struct tegra_clk_pll_params *pll_params,
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 26 Feb 2018 11:36:14 +0000
+Subject: clocksource/drivers/fsl_ftm_timer: Fix error return checking
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit f287eb9013ccf199cbfa4eabd80c36fedfc15a73 ]
+
+The error checks on freq for a negative error return always fails because
+freq is unsigned and can never be negative. Fix this by making freq a
+signed long.
+
+Detected with Coccinelle:
+drivers/clocksource/fsl_ftm_timer.c:287:5-9: WARNING: Unsigned expression
+compared with zero: freq <= 0
+drivers/clocksource/fsl_ftm_timer.c:291:5-9: WARNING: Unsigned expression
+compared with zero: freq <= 0
+
+Fixes: 2529c3a33079 ("clocksource: Add Freescale FlexTimer Module (FTM) timer support")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
+Cc: kernel-janitors@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180226113614.3092-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clocksource/fsl_ftm_timer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clocksource/fsl_ftm_timer.c
++++ b/drivers/clocksource/fsl_ftm_timer.c
+@@ -281,7 +281,7 @@ static int __init __ftm_clk_init(struct
+
+ static unsigned long __init ftm_clk_init(struct device_node *np)
+ {
+- unsigned long freq;
++ long freq;
+
+ freq = __ftm_clk_init(np, "ftm-evt-counter-en", "ftm-evt");
+ if (freq <= 0)
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 28 Feb 2018 10:56:10 +0100
+Subject: clocksource/drivers/mips-gic-timer: Use correct shift count to extract data
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 5753405e27f8fe4c42c1537d3ddbd9e058e54cdc ]
+
+__gic_clocksource_init() extracts the GIC_CONFIG_COUNTBITS field from
+read_gic_config() by right shifting the register value. The shift count is
+determined by the most significant bit (__fls) of the bitmask which is
+wrong as it shifts out the complete bitfield.
+
+Use the least significant bit (__ffs) instead to shift the bitfield down to
+bit 0.
+
+Fixes: e07127a077c7 ("clocksource: mips-gic-timer: Use new GIC accessor functions")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: daniel.lezcano@linaro.org
+Cc: paul.burton@imgtec.com
+Link: https://lkml.kernel.org/r/20180228095610.50341-1-nbd@nbd.name
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clocksource/mips-gic-timer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clocksource/mips-gic-timer.c
++++ b/drivers/clocksource/mips-gic-timer.c
+@@ -164,7 +164,7 @@ static int __init __gic_clocksource_init
+
+ /* Set clocksource mask. */
+ count_width = read_gic_config() & GIC_CONFIG_COUNTBITS;
+- count_width >>= __fls(GIC_CONFIG_COUNTBITS);
++ count_width >>= __ffs(GIC_CONFIG_COUNTBITS);
+ count_width *= 4;
+ count_width += 32;
+ gic_clocksource.mask = CLOCKSOURCE_MASK(count_width);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Leo Yan <leo.yan@linaro.org>
+Date: Tue, 13 Mar 2018 11:24:30 -0600
+Subject: coresight: Use %px to print pcsr instead of %p
+
+From: Leo Yan <leo.yan@linaro.org>
+
+[ Upstream commit 831c326fcd0e8e2a6ece952f898a1ec9b1dc1004 ]
+
+Commit ad67b74d2469 ("printk: hash addresses printed with %p") lets
+printk specifier %p to hash all addresses before printing, this was
+resulting in the high 32 bits of pcsr can only output zeros. So
+module cannot completely print pc value and it's pointless for debugging
+purpose.
+
+This patch fixes this by using %px to print pcsr instead.
+
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-cpu-debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/coresight/coresight-cpu-debug.c
++++ b/drivers/hwtracing/coresight/coresight-cpu-debug.c
+@@ -315,7 +315,7 @@ static void debug_dump_regs(struct debug
+ }
+
+ pc = debug_adjust_pc(drvdata);
+- dev_emerg(dev, " EDPCSR: [<%p>] %pS\n", (void *)pc, (void *)pc);
++ dev_emerg(dev, " EDPCSR: [<%px>] %pS\n", (void *)pc, (void *)pc);
+
+ if (drvdata->edcidsr_present)
+ dev_emerg(dev, " EDCIDSR: %08x\n", drvdata->edcidsr);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Shunyong Yang <shunyong.yang@hxt-semitech.com>
+Date: Fri, 6 Apr 2018 10:43:49 +0800
+Subject: cpufreq: CPPC: Initialize shared perf capabilities of CPUs
+
+From: Shunyong Yang <shunyong.yang@hxt-semitech.com>
+
+[ Upstream commit 8913315e9459b146e5888ab5138e10daa061b885 ]
+
+When multiple CPUs are related in one cpufreq policy, the first online
+CPU will be chosen by default to handle cpufreq operations. Let's take
+cpu0 and cpu1 as an example.
+
+When cpu0 is offline, policy->cpu will be shifted to cpu1. cpu1's perf
+capabilities should be initialized. Otherwise, perf capabilities are 0s
+and speed change can not take effect.
+
+This patch copies perf capabilities of the first online CPU to other
+shared CPUs when policy shared type is CPUFREQ_SHARED_TYPE_ANY.
+
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Shunyong Yang <shunyong.yang@hxt-semitech.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cppc_cpufreq.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/cppc_cpufreq.c
++++ b/drivers/cpufreq/cppc_cpufreq.c
+@@ -167,9 +167,19 @@ static int cppc_cpufreq_cpu_init(struct
+ NSEC_PER_USEC;
+ policy->shared_type = cpu->shared_type;
+
+- if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY)
++ if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY) {
++ int i;
++
+ cpumask_copy(policy->cpus, cpu->shared_cpu_map);
+- else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) {
++
++ for_each_cpu(i, policy->cpus) {
++ if (unlikely(i == policy->cpu))
++ continue;
++
++ memcpy(&all_cpu_data[i]->perf_caps, &cpu->perf_caps,
++ sizeof(cpu->perf_caps));
++ }
++ } else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) {
+ /* Support only SW_ANY for now. */
+ pr_debug("Unsupported CPU co-ord type\n");
+ return -EFAULT;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Chunyu Hu <chuhu@redhat.com>
+Date: Mon, 5 Mar 2018 13:40:38 +0800
+Subject: cpufreq: cppc_cpufreq: Fix cppc_cpufreq_init() failure path
+
+From: Chunyu Hu <chuhu@redhat.com>
+
+[ Upstream commit 55b55abc17f238c61921360e61dde90dd9a326d1 ]
+
+Kmemleak reported the below leak. When cppc_cpufreq_init went into
+failure path, the cpu mask is not freed. After fix, this report is
+gone. And to avaoid potential NULL pointer reference, check the cpu
+value first.
+
+unreferenced object 0xffff800fd5ea4880 (size 128):
+ comm "swapper/0", pid 1, jiffies 4294939510 (age 668.680s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 .... ...........
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffff0000082c4ae4>] __kmalloc_node+0x278/0x634
+ [<ffff0000088f4a74>] alloc_cpumask_var_node+0x28/0x60
+ [<ffff0000088f4af0>] zalloc_cpumask_var+0x14/0x1c
+ [<ffff000008d20254>] cppc_cpufreq_init+0xd0/0x19c
+ [<ffff000008083828>] do_one_initcall+0xec/0x15c
+ [<ffff000008cd1018>] kernel_init_freeable+0x1f4/0x2a4
+ [<ffff0000089099b0>] kernel_init+0x18/0x10c
+ [<ffff000008084d50>] ret_from_fork+0x10/0x18
+ [<ffffffffffffffff>] 0xffffffffffffffff
+
+Signed-off-by: Chunyu Hu <chuhu@redhat.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cppc_cpufreq.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/cppc_cpufreq.c
++++ b/drivers/cpufreq/cppc_cpufreq.c
+@@ -243,8 +243,13 @@ static int __init cppc_cpufreq_init(void
+ return ret;
+
+ out:
+- for_each_possible_cpu(i)
+- kfree(all_cpu_data[i]);
++ for_each_possible_cpu(i) {
++ cpu = all_cpu_data[i];
++ if (!cpu)
++ break;
++ free_cpumask_var(cpu->shared_cpu_map);
++ kfree(cpu);
++ }
+
+ kfree(all_cpu_data);
+ return -ENODEV;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Thu, 22 Feb 2018 11:29:43 +0530
+Subject: cpufreq: Reorder cpufreq_online() error code path
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+[ Upstream commit b24b6478e65f140610ab1ffaadc7bc6bf0be8aad ]
+
+Ideally the de-allocation of resources should happen in the exact
+opposite order in which they were allocated. It helps maintain the code
+in long term, even if nothing really breaks with incorrect ordering.
+
+That wasn't followed in cpufreq_online() and it has some
+inconsistencies. For example, the symlinks were created from within
+the locked region while they are removed only after putting the locks.
+Also ->exit() should have been called only after the symlinks are
+removed and the lock is dropped, as that was the case when ->init()
+was first called.
+
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+[ rjw: Subject ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cpufreq.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1315,14 +1315,14 @@ static int cpufreq_online(unsigned int c
+ return 0;
+
+ out_exit_policy:
++ for_each_cpu(j, policy->real_cpus)
++ remove_cpu_dev_symlink(policy, get_cpu_device(j));
++
+ up_write(&policy->rwsem);
+
+ if (cpufreq_driver->exit)
+ cpufreq_driver->exit(policy);
+
+- for_each_cpu(j, policy->real_cpus)
+- remove_cpu_dev_symlink(policy, get_cpu_device(j));
+-
+ out_free_policy:
+ cpufreq_policy_free(policy);
+ return ret;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Apr 2018 13:42:36 -0700
+Subject: crypto: af_alg - fix possible uninit-value in alg_bind()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a466856e0b7ab269cdf9461886d007e88ff575b0 ]
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in alg_bind+0xe3/0xd90 crypto/af_alg.c:162
+
+We need to check addr_len before dereferencing sa (or uaddr)
+
+Fixes: bb30b8848c85 ("crypto: af_alg - whitelist mask and type")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Stephan Mueller <smueller@chronox.de>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/af_alg.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -158,16 +158,16 @@ static int alg_bind(struct socket *sock,
+ void *private;
+ int err;
+
+- /* If caller uses non-allowed flag, return error. */
+- if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed))
+- return -EINVAL;
+-
+ if (sock->state == SS_CONNECTED)
+ return -EINVAL;
+
+ if (addr_len < sizeof(*sa))
+ return -EINVAL;
+
++ /* If caller uses non-allowed flag, return error. */
++ if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed))
++ return -EINVAL;
++
+ sa->salg_type[sizeof(sa->salg_type) - 1] = 0;
+ sa->salg_name[sizeof(sa->salg_name) + addr_len - sizeof(*sa) - 1] = 0;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Fri, 23 Feb 2018 10:01:40 +0100
+Subject: crypto: atmel-aes - fix the keys zeroing on errors
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit 5d804a5157dbaa64872a675923ae87161165c66b ]
+
+The Atmel AES driver uses memzero_explicit on the keys on error, but the
+variable zeroed isn't the right one because of a typo. Fix this by using
+the right variable.
+
+Fixes: 89a82ef87e01 ("crypto: atmel-authenc - add support to authenc(hmac(shaX), Y(aes)) modes")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/atmel-aes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/atmel-aes.c
++++ b/drivers/crypto/atmel-aes.c
+@@ -2145,7 +2145,7 @@ static int atmel_aes_authenc_setkey(stru
+
+ badkey:
+ crypto_aead_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
+- memzero_explicit(&key, sizeof(keys));
++ memzero_explicit(&keys, sizeof(keys));
+ return -EINVAL;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Fri, 23 Feb 2018 23:33:07 +0100
+Subject: crypto: ccp - don't disable interrupts while setting up debugfs
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 79eb382b5e06a6dca5806465d7195d686a463ab0 ]
+
+I don't why we need take a single write lock and disable interrupts
+while setting up debugfs. This is what what happens when we try anyway:
+
+|ccp 0000:03:00.2: enabling device (0000 -> 0002)
+|BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:69
+|in_atomic(): 1, irqs_disabled(): 1, pid: 3, name: kworker/0:0
+|irq event stamp: 17150
+|hardirqs last enabled at (17149): [<0000000097a18c49>] restore_regs_and_return_to_kernel+0x0/0x23
+|hardirqs last disabled at (17150): [<000000000773b3a9>] _raw_write_lock_irqsave+0x1b/0x50
+|softirqs last enabled at (17148): [<0000000064d56155>] __do_softirq+0x3b8/0x4c1
+|softirqs last disabled at (17125): [<0000000092633c18>] irq_exit+0xb1/0xc0
+|CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.16.0-rc2+ #30
+|Workqueue: events work_for_cpu_fn
+|Call Trace:
+| dump_stack+0x7d/0xb6
+| ___might_sleep+0x1eb/0x250
+| down_write+0x17/0x60
+| start_creating+0x4c/0xe0
+| debugfs_create_dir+0x9/0x100
+| ccp5_debugfs_setup+0x191/0x1b0
+| ccp5_init+0x8a7/0x8c0
+| ccp_dev_init+0xb8/0xe0
+| sp_init+0x6c/0x90
+| sp_pci_probe+0x26e/0x590
+| local_pci_probe+0x3f/0x90
+| work_for_cpu_fn+0x11/0x20
+| process_one_work+0x1ff/0x650
+| worker_thread+0x1d4/0x3a0
+| kthread+0xfe/0x130
+| ret_from_fork+0x27/0x50
+
+If any locking is required, a simple mutex will do it.
+
+Cc: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Acked-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccp/ccp-debugfs.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-debugfs.c
++++ b/drivers/crypto/ccp/ccp-debugfs.c
+@@ -278,7 +278,7 @@ static const struct file_operations ccp_
+ };
+
+ static struct dentry *ccp_debugfs_dir;
+-static DEFINE_RWLOCK(ccp_debugfs_lock);
++static DEFINE_MUTEX(ccp_debugfs_lock);
+
+ #define MAX_NAME_LEN 20
+
+@@ -290,16 +290,15 @@ void ccp5_debugfs_setup(struct ccp_devic
+ struct dentry *debugfs_stats;
+ struct dentry *debugfs_q_instance;
+ struct dentry *debugfs_q_stats;
+- unsigned long flags;
+ int i;
+
+ if (!debugfs_initialized())
+ return;
+
+- write_lock_irqsave(&ccp_debugfs_lock, flags);
++ mutex_lock(&ccp_debugfs_lock);
+ if (!ccp_debugfs_dir)
+ ccp_debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL);
+- write_unlock_irqrestore(&ccp_debugfs_lock, flags);
++ mutex_unlock(&ccp_debugfs_lock);
+ if (!ccp_debugfs_dir)
+ return;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Tue, 13 Feb 2018 09:26:54 +0100
+Subject: crypto: inside-secure - do not process request if no command was issued
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit 95831ceafc0de7d94a5fe86ebb1c2042317cc2cd ]
+
+This patch adds a check in the SafeXcel dequeue function, to avoid
+processing request further if no hardware command was issued. This can
+happen in certain cases where the ->send() function caches all the data
+that would have been send.
+
+Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/crypto/inside-secure/safexcel.c
++++ b/drivers/crypto/inside-secure/safexcel.c
+@@ -462,6 +462,15 @@ void safexcel_dequeue(struct safexcel_cr
+ if (backlog)
+ backlog->complete(backlog, -EINPROGRESS);
+
++ /* In case the send() helper did not issue any command to push
++ * to the engine because the input data was cached, continue to
++ * dequeue other requests as this is valid and not an error.
++ */
++ if (!commands && !results) {
++ kfree(request);
++ continue;
++ }
++
+ spin_lock_bh(&priv->ring[ring].egress_lock);
+ list_add_tail(&request->list, &priv->ring[ring].list);
+ spin_unlock_bh(&priv->ring[ring].egress_lock);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Tue, 13 Feb 2018 09:26:53 +0100
+Subject: crypto: inside-secure - fix the cache_len computation
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit 666a9c70b04fccabde5cea5e680ae1ae92460a62 ]
+
+This patch fixes the cache length computation as cache_len could end up
+being a negative value. The check between the queued size and the
+block size is updated to reflect the caching mechanism which can cache
+up to a full block size (included!).
+
+Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel_hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -185,7 +185,7 @@ static int safexcel_ahash_send_req(struc
+ int i, queued, len, cache_len, extra, n_cdesc = 0, ret = 0;
+
+ queued = len = req->len - req->processed;
+- if (queued < crypto_ahash_blocksize(ahash))
++ if (queued <= crypto_ahash_blocksize(ahash))
+ cache_len = queued;
+ else
+ cache_len = queued - areq->nbytes;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Tue, 13 Feb 2018 09:26:52 +0100
+Subject: crypto: inside-secure - fix the extra cache computation
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit c1a8fa6e240ed4b99778d48ab790743565cb61c8 ]
+
+This patch fixes the extra cache computation when the queued data is a
+multiple of a block size. This fixes the hash support in some cases.
+
+Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel_hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -199,7 +199,7 @@ static int safexcel_ahash_send_req(struc
+ /* If this is not the last request and the queued data
+ * is a multiple of a block, cache the last one for now.
+ */
+- extra = queued - crypto_ahash_blocksize(ahash);
++ extra = crypto_ahash_blocksize(ahash);
+
+ if (extra) {
+ sg_pcopy_to_buffer(areq->src, sg_nents(areq->src),
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Tue, 13 Feb 2018 09:26:55 +0100
+Subject: crypto: inside-secure - fix the invalidation step during cra_exit
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit b7007dbccd92f7b8c00e590020bee542a48c6a2c ]
+
+When exiting a transformation, the cra_exit() helper is called in each
+driver providing one. The Inside Secure SafeXcel driver has one, which
+is responsible of freeing some areas and of sending one invalidation
+request to the crypto engine, to invalidate the context that was used
+during the transformation.
+
+We could see in some setups (when lots of transformations were being
+used with a short lifetime, and hence lots of cra_exit() calls) NULL
+pointer dereferences and other weird issues. All these issues were
+coming from accessing the tfm context.
+
+The issue is the invalidation request completion is checked using a
+wait_for_completion_interruptible() call in both the cipher and hash
+cra_exit() helpers. In some cases this was interrupted while the
+invalidation request wasn't processed yet. And then cra_exit() returned,
+and its caller was freeing the tfm instance. Only then the request was
+being handled by the SafeXcel driver, which lead to the said issues.
+
+This patch fixes this by using wait_for_completion() calls in these
+specific cases.
+
+Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel_cipher.c | 2 +-
+ drivers/crypto/inside-secure/safexcel_hash.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/inside-secure/safexcel_cipher.c
++++ b/drivers/crypto/inside-secure/safexcel_cipher.c
+@@ -446,7 +446,7 @@ static int safexcel_cipher_exit_inv(stru
+ if (!priv->ring[ring].need_dequeue)
+ safexcel_dequeue(priv, ring);
+
+- wait_for_completion_interruptible(&result.completion);
++ wait_for_completion(&result.completion);
+
+ if (result.error) {
+ dev_warn(priv->dev,
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -494,7 +494,7 @@ static int safexcel_ahash_exit_inv(struc
+ if (!priv->ring[ring].need_dequeue)
+ safexcel_dequeue(priv, ring);
+
+- wait_for_completion_interruptible(&result.completion);
++ wait_for_completion(&result.completion);
+
+ if (result.error) {
+ dev_warn(priv->dev, "hash: completion error (%d)\n",
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Mon, 26 Feb 2018 14:45:12 +0100
+Subject: crypto: inside-secure - wait for the request to complete if in the backlog
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit 4dc5475ae0375ea4f9283dfd9b2ddc91b20d4c4b ]
+
+This patch updates the safexcel_hmac_init_pad() function to also wait
+for completion when the digest return code is -EBUSY, as it would mean
+the request is in the backlog to be processed later.
+
+Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
+Suggested-by: Ofer Heifetz <oferh@marvell.com>
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel_hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -819,7 +819,7 @@ static int safexcel_hmac_init_pad(struct
+ init_completion(&result.completion);
+
+ ret = crypto_ahash_digest(areq);
+- if (ret == -EINPROGRESS) {
++ if (ret == -EINPROGRESS || ret == -EBUSY) {
+ wait_for_completion_interruptible(&result.completion);
+ ret = result.error;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Peter Robinson <pbrobinson@gmail.com>
+Date: Sun, 11 Feb 2018 23:15:37 +0000
+Subject: crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss
+
+From: Peter Robinson <pbrobinson@gmail.com>
+
+[ Upstream commit 7c73cf4cc2ac16465f5102437dc0a12d66671bd6 ]
+
+The MODULE_ALIAS is required to enable the sun4i-ss driver to load
+automatically when built at a module. Tested on a Cubietruck.
+
+Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
+Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/sunxi-ss/sun4i-ss-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/sunxi-ss/sun4i-ss-core.c
++++ b/drivers/crypto/sunxi-ss/sun4i-ss-core.c
+@@ -451,6 +451,7 @@ static struct platform_driver sun4i_ss_d
+
+ module_platform_driver(sun4i_ss_driver);
+
++MODULE_ALIAS("platform:sun4i-ss");
+ MODULE_DESCRIPTION("Allwinner Security System cryptographic accelerator");
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Corentin LABBE <clabbe.montjoie@gmail.com>");
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Ganesh Goudar <ganeshgr@chelsio.com>
+Date: Wed, 7 Mar 2018 13:10:24 +0530
+Subject: cxgb4: do not set needs_free_netdev for mgmt dev's
+
+From: Ganesh Goudar <ganeshgr@chelsio.com>
+
+[ Upstream commit b06ef18a4c255609388ed6e068a1c69c797545e0 ]
+
+Do not set 'needs_free_netdev' as we do call free_netdev
+for mgmt net devices, doing both hits BUG_ON.
+
+Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -4679,7 +4679,6 @@ static void dummy_setup(struct net_devic
+ /* Initialize the device structure. */
+ dev->netdev_ops = &cxgb4_mgmt_netdev_ops;
+ dev->ethtool_ops = &cxgb4_mgmt_ethtool_ops;
+- dev->needs_free_netdev = true;
+ }
+
+ static int config_mgmt_dev(struct pci_dev *pdev)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Arjun Vynipadath <arjun@chelsio.com>
+Date: Thu, 15 Mar 2018 17:34:14 +0530
+Subject: cxgb4: Fix queue free path of ULD drivers
+
+From: Arjun Vynipadath <arjun@chelsio.com>
+
+[ Upstream commit d7cb44496a9bb458632cb3c18acb08949c210448 ]
+
+Setting sge_uld_rxq_info to NULL in free_queues_uld().
+We are referencing sge_uld_rxq_info in cxgb_up(). This
+will fix a panic when interface is brought up after a
+ULDq creation failure.
+
+Fixes: 94cdb8bb993a (cxgb4: Add support for dynamic allocation
+ of resources for ULD)
+Signed-off-by: Arjun Vynipadath <arjun@chelsio.com>
+Signed-off-by: Casey Leedom <leedom@chelsio.com>
+Signed-off-by: Ganesh Goudhar <ganeshgr@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
+@@ -342,6 +342,7 @@ static void free_queues_uld(struct adapt
+ {
+ struct sge_uld_rxq_info *rxq_info = adap->sge.uld_rxq_info[uld_type];
+
++ adap->sge.uld_rxq_info[uld_type] = NULL;
+ kfree(rxq_info->rspq_id);
+ kfree(rxq_info->uldrxq);
+ kfree(rxq_info);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Arjun Vynipadath <arjun@chelsio.com>
+Date: Fri, 23 Mar 2018 15:25:10 +0530
+Subject: cxgb4: Setup FW queues before registering netdev
+
+From: Arjun Vynipadath <arjun@chelsio.com>
+
+[ Upstream commit 843bd7db79c861b49e2912d723625f5fa8e94502 ]
+
+When NetworkManager is enabled, there are chances that interface up
+is called even before probe completes. This means we have not yet
+allocated the FW sge queues, hence rest of ingress queue allocation
+wont be proper. Fix this by calling setup_fw_sge_queues() before
+register_netdev().
+
+Fixes: 0fbc81b3ad51 ('chcr/cxgb4i/cxgbit/RDMA/cxgb4: Allocate resources dynamically for all cxgb4 ULD's')
+Signed-off-by: Arjun Vynipadath <arjun@chelsio.com>
+Signed-off-by: Casey Leedom <leedom@chelsio.com>
+Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -815,8 +815,6 @@ static int setup_fw_sge_queues(struct ad
+
+ err = t4_sge_alloc_rxq(adap, &s->fw_evtq, true, adap->port[0],
+ adap->msi_idx, NULL, fwevtq_handler, NULL, -1);
+- if (err)
+- t4_free_sge_resources(adap);
+ return err;
+ }
+
+@@ -5116,6 +5114,13 @@ static int init_one(struct pci_dev *pdev
+ if (err)
+ goto out_free_dev;
+
++ err = setup_fw_sge_queues(adapter);
++ if (err) {
++ dev_err(adapter->pdev_dev,
++ "FW sge queue allocation failed, err %d", err);
++ goto out_free_dev;
++ }
++
+ /*
+ * The card is now ready to go. If any errors occur during device
+ * registration we do not fail the whole card but rather proceed only
+@@ -5164,7 +5169,6 @@ static int init_one(struct pci_dev *pdev
+ cxgb4_ptp_init(adapter);
+
+ print_adapter_info(adapter);
+- setup_fw_sge_queues(adapter);
+ return 0;
+
+ sriov:
+@@ -5220,6 +5224,7 @@ free_mbox_log:
+ #endif
+
+ out_free_dev:
++ t4_free_sge_resources(adapter);
+ free_some_resources(adapter);
+ if (adapter->flags & USING_MSIX)
+ free_msix_info(adapter);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Date: Thu, 15 Feb 2018 21:19:24 +0530
+Subject: cxl: Check if PSL data-cache is available before issue flush request
+
+From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+
+[ Upstream commit 94322ed8e857e3b2a33cf75118051af9baaa110f ]
+
+PSL9D doesn't have a data-cache that needs to be flushed before
+resetting the card. However when cxl tries to flush data-cache on such
+a card, it times-out as PSL_Control register never indicates flush
+operation complete due to missing data-cache. This is usually
+indicated in the kernel logs with this message:
+
+"WARNING: cache flush timed out"
+
+To fix this the patch checks PSL_Debug register CDC-Field(BIT:27)
+which indicates the absence of a data-cache and sets a flag
+'no_data_cache' in 'struct cxl_native' to indicate this. When
+cxl_data_cache_flush() is called it checks the flag and if set bails
+out early without requesting a data-cache flush operation to the PSL.
+
+Signed-off-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Acked-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Acked-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/cxl/cxl.h | 4 ++++
+ drivers/misc/cxl/native.c | 11 ++++++++++-
+ drivers/misc/cxl/pci.c | 19 +++++++++++++------
+ 3 files changed, 27 insertions(+), 7 deletions(-)
+
+--- a/drivers/misc/cxl/cxl.h
++++ b/drivers/misc/cxl/cxl.h
+@@ -365,6 +365,9 @@ static const cxl_p2n_reg_t CXL_PSL_WED_A
+ #define CXL_PSL_TFC_An_AE (1ull << (63-30)) /* Restart PSL with address error */
+ #define CXL_PSL_TFC_An_R (1ull << (63-31)) /* Restart PSL transaction */
+
++/****** CXL_PSL_DEBUG *****************************************************/
++#define CXL_PSL_DEBUG_CDC (1ull << (63-27)) /* Coherent Data cache support */
++
+ /****** CXL_XSL9_IERAT_ERAT - CAIA 2 **********************************/
+ #define CXL_XSL9_IERAT_MLPID (1ull << (63-0)) /* Match LPID */
+ #define CXL_XSL9_IERAT_MPID (1ull << (63-1)) /* Match PID */
+@@ -659,6 +662,7 @@ struct cxl_native {
+ irq_hw_number_t err_hwirq;
+ unsigned int err_virq;
+ u64 ps_off;
++ bool no_data_cache; /* set if no data cache on the card */
+ const struct cxl_service_layer_ops *sl_ops;
+ };
+
+--- a/drivers/misc/cxl/native.c
++++ b/drivers/misc/cxl/native.c
+@@ -352,8 +352,17 @@ int cxl_data_cache_flush(struct cxl *ada
+ u64 reg;
+ unsigned long timeout = jiffies + (HZ * CXL_TIMEOUT);
+
+- pr_devel("Flushing data cache\n");
++ /*
++ * Do a datacache flush only if datacache is available.
++ * In case of PSL9D datacache absent hence flush operation.
++ * would timeout.
++ */
++ if (adapter->native->no_data_cache) {
++ pr_devel("No PSL data cache. Ignoring cache flush req.\n");
++ return 0;
++ }
+
++ pr_devel("Flushing data cache\n");
+ reg = cxl_p1_read(adapter, CXL_PSL_Control);
+ reg |= CXL_PSL_Control_Fr;
+ cxl_p1_write(adapter, CXL_PSL_Control, reg);
+--- a/drivers/misc/cxl/pci.c
++++ b/drivers/misc/cxl/pci.c
+@@ -457,6 +457,7 @@ static int init_implementation_adapter_r
+ u64 chipid;
+ u32 phb_index;
+ u64 capp_unit_id;
++ u64 psl_debug;
+ int rc;
+
+ rc = cxl_calc_capp_routing(dev, &chipid, &phb_index, &capp_unit_id);
+@@ -507,6 +508,16 @@ static int init_implementation_adapter_r
+ if (cxl_is_power9_dd1())
+ cxl_p1_write(adapter, CXL_PSL9_GP_CT, 0x0400000000000001ULL);
+
++ /*
++ * Check if PSL has data-cache. We need to flush adapter datacache
++ * when as its about to be removed.
++ */
++ psl_debug = cxl_p1_read(adapter, CXL_PSL9_DEBUG);
++ if (psl_debug & CXL_PSL_DEBUG_CDC) {
++ dev_dbg(&dev->dev, "No data-cache present\n");
++ adapter->native->no_data_cache = true;
++ }
++
+ return 0;
+ }
+
+@@ -1450,10 +1461,8 @@ int cxl_pci_reset(struct cxl *adapter)
+
+ /*
+ * The adapter is about to be reset, so ignore errors.
+- * Not supported on P9 DD1
+ */
+- if ((cxl_is_power8()) || (!(cxl_is_power9_dd1())))
+- cxl_data_cache_flush(adapter);
++ cxl_data_cache_flush(adapter);
+
+ /* pcie_warm_reset requests a fundamental pci reset which includes a
+ * PERST assert/deassert. PERST triggers a loading of the image
+@@ -1898,10 +1907,8 @@ static void cxl_pci_remove_adapter(struc
+
+ /*
+ * Flush adapter datacache as its about to be removed.
+- * Not supported on P9 DD1.
+ */
+- if ((cxl_is_power8()) || (!(cxl_is_power9_dd1())))
+- cxl_data_cache_flush(adapter);
++ cxl_data_cache_flush(adapter);
+
+ cxl_deconfigure_adapter(adapter);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Apr 2018 13:42:41 -0700
+Subject: dccp: initialize ireq->ir_mark
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b855ff827476adbdc2259e9895681d82b7b26065 ]
+
+syzbot reported an uninit-value read of skb->mark in iptable_mangle_hook()
+
+Thanks to the nice report, I tracked the problem to dccp not caring
+of ireq->ir_mark for passive sessions.
+
+BUG: KMSAN: uninit-value in ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline]
+BUG: KMSAN: uninit-value in iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84
+CPU: 0 PID: 5300 Comm: syz-executor3 Not tainted 4.16.0+ #81
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline]
+ iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84
+ nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
+ nf_hook_slow+0x158/0x3d0 net/netfilter/core.c:483
+ nf_hook include/linux/netfilter.h:243 [inline]
+ __ip_local_out net/ipv4/ip_output.c:113 [inline]
+ ip_local_out net/ipv4/ip_output.c:122 [inline]
+ ip_queue_xmit+0x1d21/0x21c0 net/ipv4/ip_output.c:504
+ dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142
+ dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281
+ dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363
+ dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818
+ inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmsg net/socket.c:2080 [inline]
+ SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
+ SyS_sendmsg+0x54/0x80 net/socket.c:2087
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x455259
+RSP: 002b:00007f1a4473dc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f1a4473e6d4 RCX: 0000000000455259
+RDX: 0000000000000000 RSI: 0000000020b76fc8 RDI: 0000000000000015
+RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000004f0 R14: 00000000006fa720 R15: 0000000000000000
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
+ __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
+ ip_queue_xmit+0x1e35/0x21c0 net/ipv4/ip_output.c:502
+ dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142
+ dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281
+ dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363
+ dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818
+ inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmsg net/socket.c:2080 [inline]
+ SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
+ SyS_sendmsg+0x54/0x80 net/socket.c:2087
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
+ __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
+ inet_csk_clone_lock+0x503/0x580 net/ipv4/inet_connection_sock.c:797
+ dccp_create_openreq_child+0x7f/0x890 net/dccp/minisocks.c:92
+ dccp_v4_request_recv_sock+0x22c/0xe90 net/dccp/ipv4.c:408
+ dccp_v6_request_recv_sock+0x290/0x2000 net/dccp/ipv6.c:414
+ dccp_check_req+0x7b9/0x8f0 net/dccp/minisocks.c:197
+ dccp_v4_rcv+0x12e4/0x2630 net/dccp/ipv4.c:840
+ ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
+ dst_input include/net/dst.h:449 [inline]
+ ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
+ __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
+ __netif_receive_skb net/core/dev.c:4627 [inline]
+ process_backlog+0x62d/0xe20 net/core/dev.c:5307
+ napi_poll net/core/dev.c:5705 [inline]
+ net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
+ __do_softirq+0x56d/0x93d kernel/softirq.c:285
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
+ reqsk_alloc include/net/request_sock.h:88 [inline]
+ inet_reqsk_alloc+0xc4/0x7f0 net/ipv4/tcp_input.c:6145
+ dccp_v4_conn_request+0x5cc/0x1770 net/dccp/ipv4.c:600
+ dccp_v6_conn_request+0x299/0x1880 net/dccp/ipv6.c:317
+ dccp_rcv_state_process+0x2ea/0x2410 net/dccp/input.c:612
+ dccp_v4_do_rcv+0x229/0x340 net/dccp/ipv4.c:682
+ dccp_v6_do_rcv+0x16d/0x1220 net/dccp/ipv6.c:578
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __sk_receive_skb+0x60e/0xf20 net/core/sock.c:513
+ dccp_v4_rcv+0x24d4/0x2630 net/dccp/ipv4.c:874
+ ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
+ dst_input include/net/dst.h:449 [inline]
+ ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
+ __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
+ __netif_receive_skb net/core/dev.c:4627 [inline]
+ process_backlog+0x62d/0xe20 net/core/dev.c:5307
+ napi_poll net/core/dev.c:5705 [inline]
+ net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
+ __do_softirq+0x56d/0x93d kernel/softirq.c:285
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/ipv4.c | 1 +
+ net/dccp/ipv6.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -614,6 +614,7 @@ int dccp_v4_conn_request(struct sock *sk
+ ireq = inet_rsk(req);
+ sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr);
+ sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr);
++ ireq->ir_mark = inet_request_mark(sk, skb);
+ ireq->ireq_family = AF_INET;
+ ireq->ir_iif = sk->sk_bound_dev_if;
+
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -351,6 +351,7 @@ static int dccp_v6_conn_request(struct s
+ ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
+ ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
+ ireq->ireq_family = AF_INET6;
++ ireq->ir_mark = inet_request_mark(sk, skb);
+
+ if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) ||
+ np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Gregory CLEMENT <gregory.clement@bootlin.com>
+Date: Wed, 7 Mar 2018 16:40:10 +0100
+Subject: dmaengine: mv_xor_v2: Fix clock resource by adding a register clock
+
+From: Gregory CLEMENT <gregory.clement@bootlin.com>
+
+[ Upstream commit 3cd2c313f1d618f92d1294addc6c685c17065761 ]
+
+On the CP110 components which are present on the Armada 7K/8K SoC we need
+to explicitly enable the clock for the registers. However it is not
+needed for the AP8xx component, that's why this clock is optional.
+
+With this patch both clock have now a name, but in order to be backward
+compatible, the name of the first clock is not used. It allows to still
+use this clock with a device tree using the old binding.
+
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/dma/mv-xor-v2.txt | 6 ++++
+ drivers/dma/mv_xor_v2.c | 25 ++++++++++++++++----
+ 2 files changed, 25 insertions(+), 6 deletions(-)
+
+--- a/Documentation/devicetree/bindings/dma/mv-xor-v2.txt
++++ b/Documentation/devicetree/bindings/dma/mv-xor-v2.txt
+@@ -11,7 +11,11 @@ Required properties:
+ interrupts.
+
+ Optional properties:
+-- clocks: Optional reference to the clock used by the XOR engine.
++- clocks: Optional reference to the clocks used by the XOR engine.
++- clock-names: mandatory if there is a second clock, in this case the
++ name must be "core" for the first clock and "reg" for the second
++ one
++
+
+ Example:
+
+--- a/drivers/dma/mv_xor_v2.c
++++ b/drivers/dma/mv_xor_v2.c
+@@ -163,6 +163,7 @@ struct mv_xor_v2_device {
+ void __iomem *dma_base;
+ void __iomem *glob_base;
+ struct clk *clk;
++ struct clk *reg_clk;
+ struct tasklet_struct irq_tasklet;
+ struct list_head free_sw_desc;
+ struct dma_device dmadev;
+@@ -749,13 +750,26 @@ static int mv_xor_v2_probe(struct platfo
+ if (ret)
+ return ret;
+
++ xor_dev->reg_clk = devm_clk_get(&pdev->dev, "reg");
++ if (PTR_ERR(xor_dev->reg_clk) != -ENOENT) {
++ if (!IS_ERR(xor_dev->reg_clk)) {
++ ret = clk_prepare_enable(xor_dev->reg_clk);
++ if (ret)
++ return ret;
++ } else {
++ return PTR_ERR(xor_dev->reg_clk);
++ }
++ }
++
+ xor_dev->clk = devm_clk_get(&pdev->dev, NULL);
+- if (IS_ERR(xor_dev->clk) && PTR_ERR(xor_dev->clk) == -EPROBE_DEFER)
+- return -EPROBE_DEFER;
++ if (IS_ERR(xor_dev->clk) && PTR_ERR(xor_dev->clk) == -EPROBE_DEFER) {
++ ret = EPROBE_DEFER;
++ goto disable_reg_clk;
++ }
+ if (!IS_ERR(xor_dev->clk)) {
+ ret = clk_prepare_enable(xor_dev->clk);
+ if (ret)
+- return ret;
++ goto disable_reg_clk;
+ }
+
+ ret = platform_msi_domain_alloc_irqs(&pdev->dev, 1,
+@@ -866,8 +880,9 @@ free_hw_desq:
+ free_msi_irqs:
+ platform_msi_domain_free_irqs(&pdev->dev);
+ disable_clk:
+- if (!IS_ERR(xor_dev->clk))
+- clk_disable_unprepare(xor_dev->clk);
++ clk_disable_unprepare(xor_dev->clk);
++disable_reg_clk:
++ clk_disable_unprepare(xor_dev->reg_clk);
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Qi Hou <qi.hou@windriver.com>
+Date: Tue, 6 Mar 2018 09:13:37 +0800
+Subject: dmaengine: pl330: fix a race condition in case of threaded irqs
+
+From: Qi Hou <qi.hou@windriver.com>
+
+[ Upstream commit a3ca831249ca8c4c226e4ceafee04e280152e59d ]
+
+When booting up with "threadirqs" in command line, all irq handlers of the DMA
+controller pl330 will be threaded forcedly. These threads will race for the same
+list, pl330->req_done.
+
+Before the callback, the spinlock was released. And after it, the spinlock was
+taken. This opened an race window where another threaded irq handler could steal
+the spinlock and be permitted to delete entries of the list, pl330->req_done.
+
+If the later deleted an entry that was still referred to by the former, there would
+be a kernel panic when the former was scheduled and tried to get the next sibling
+of the deleted entry.
+
+The scenario could be depicted as below:
+
+ Thread: T1 pl330->req_done Thread: T2
+ | | |
+ | -A-B-C-D- |
+ Locked | |
+ | | Waiting
+ Del A | |
+ | -B-C-D- |
+ Unlocked | |
+ | | Locked
+ Waiting | |
+ | | Del B
+ | | |
+ | -C-D- Unlocked
+ Waiting | |
+ |
+ Locked
+ |
+ get C via B
+ \
+ - Kernel panic
+
+The kernel panic looked like as below:
+
+Unable to handle kernel paging request at virtual address dead000000000108
+pgd = ffffff8008c9e000
+[dead000000000108] *pgd=000000027fffe003, *pud=000000027fffe003, *pmd=0000000000000000
+Internal error: Oops: 96000044 [#1] PREEMPT SMP
+Modules linked in:
+CPU: 0 PID: 85 Comm: irq/59-66330000 Not tainted 4.8.24-WR9.0.0.12_standard #2
+Hardware name: Broadcom NS2 SVK (DT)
+task: ffffffc1f5cc3c00 task.stack: ffffffc1f5ce0000
+PC is at pl330_irq_handler+0x27c/0x390
+LR is at pl330_irq_handler+0x2a8/0x390
+pc : [<ffffff80084cb694>] lr : [<ffffff80084cb6c0>] pstate: 800001c5
+sp : ffffffc1f5ce3d00
+x29: ffffffc1f5ce3d00 x28: 0000000000000140
+x27: ffffffc1f5c530b0 x26: dead000000000100
+x25: dead000000000200 x24: 0000000000418958
+x23: 0000000000000001 x22: ffffffc1f5ccd668
+x21: ffffffc1f5ccd590 x20: ffffffc1f5ccd418
+x19: dead000000000060 x18: 0000000000000001
+x17: 0000000000000007 x16: 0000000000000001
+x15: ffffffffffffffff x14: ffffffffffffffff
+x13: ffffffffffffffff x12: 0000000000000000
+x11: 0000000000000001 x10: 0000000000000840
+x9 : ffffffc1f5ce0000 x8 : ffffffc1f5cc3338
+x7 : ffffff8008ce2020 x6 : 0000000000000000
+x5 : 0000000000000000 x4 : 0000000000000001
+x3 : dead000000000200 x2 : dead000000000100
+x1 : 0000000000000140 x0 : ffffffc1f5ccd590
+
+Process irq/59-66330000 (pid: 85, stack limit = 0xffffffc1f5ce0020)
+Stack: (0xffffffc1f5ce3d00 to 0xffffffc1f5ce4000)
+3d00: ffffffc1f5ce3d80 ffffff80080f09d0 ffffffc1f5ca0c00 ffffffc1f6f7c600
+3d20: ffffffc1f5ce0000 ffffffc1f6f7c600 ffffffc1f5ca0c00 ffffff80080f0998
+3d40: ffffffc1f5ce0000 ffffff80080f0000 0000000000000000 0000000000000000
+3d60: ffffff8008ce202c ffffff8008ce2020 ffffffc1f5ccd668 ffffffc1f5c530b0
+3d80: ffffffc1f5ce3db0 ffffff80080f0d70 ffffffc1f5ca0c40 0000000000000001
+3da0: ffffffc1f5ce0000 ffffff80080f0cfc ffffffc1f5ce3e20 ffffff80080bf4f8
+3dc0: ffffffc1f5ca0c80 ffffff8008bf3798 ffffff8008955528 ffffffc1f5ca0c00
+3de0: ffffff80080f0c30 0000000000000000 0000000000000000 0000000000000000
+3e00: 0000000000000000 0000000000000000 0000000000000000 ffffff80080f0b68
+3e20: 0000000000000000 ffffff8008083690 ffffff80080bf420 ffffffc1f5ca0c80
+3e40: 0000000000000000 0000000000000000 0000000000000000 ffffff80080cb648
+3e60: ffffff8008b1c780 0000000000000000 0000000000000000 ffffffc1f5ca0c00
+3e80: ffffffc100000000 ffffff8000000000 ffffffc1f5ce3e90 ffffffc1f5ce3e90
+3ea0: 0000000000000000 ffffff8000000000 ffffffc1f5ce3eb0 ffffffc1f5ce3eb0
+3ec0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+3ee0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+3f00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+3f20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+3f40: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+3f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+3f80: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+3fa0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+3fc0: 0000000000000000 0000000000000005 0000000000000000 0000000000000000
+3fe0: 0000000000000000 0000000000000000 0000000275ce3ff0 0000000275ce3ff8
+Call trace:
+Exception stack(0xffffffc1f5ce3b30 to 0xffffffc1f5ce3c60)
+3b20: dead000000000060 0000008000000000
+3b40: ffffffc1f5ce3d00 ffffff80084cb694 0000000000000008 0000000000000e88
+3b60: ffffffc1f5ce3bb0 ffffff80080dac68 ffffffc1f5ce3b90 ffffff8008826fe4
+3b80: 00000000000001c0 00000000000001c0 ffffffc1f5ce3bb0 ffffff800848dfcc
+3ba0: 0000000000020000 ffffff8008b15ae4 ffffffc1f5ce3c00 ffffff800808f000
+3bc0: 0000000000000010 ffffff80088377f0 ffffffc1f5ccd590 0000000000000140
+3be0: dead000000000100 dead000000000200 0000000000000001 0000000000000000
+3c00: 0000000000000000 ffffff8008ce2020 ffffffc1f5cc3338 ffffffc1f5ce0000
+3c20: 0000000000000840 0000000000000001 0000000000000000 ffffffffffffffff
+3c40: ffffffffffffffff ffffffffffffffff 0000000000000001 0000000000000007
+[<ffffff80084cb694>] pl330_irq_handler+0x27c/0x390
+[<ffffff80080f09d0>] irq_forced_thread_fn+0x38/0x88
+[<ffffff80080f0d70>] irq_thread+0x140/0x200
+[<ffffff80080bf4f8>] kthread+0xd8/0xf0
+[<ffffff8008083690>] ret_from_fork+0x10/0x40
+Code: f2a00838 f9405763 aa1c03e1 aa1503e0 (f9000443)
+---[ end trace f50005726d31199c ]---
+Kernel panic - not syncing: Fatal exception in interrupt
+SMP: stopping secondary CPUs
+SMP: failed to stop secondary CPUs 0-1
+Kernel Offset: disabled
+Memory Limit: none
+---[ end Kernel panic - not syncing: Fatal exception in interrupt
+
+To fix this, re-start with the list-head after dropping the lock then
+re-takeing it.
+
+Reviewed-by: Frank Mori Hess <fmh6jj@gmail.com>
+Tested-by: Frank Mori Hess <fmh6jj@gmail.com>
+Signed-off-by: Qi Hou <qi.hou@windriver.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/pl330.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -1510,7 +1510,7 @@ static void pl330_dotask(unsigned long d
+ /* Returns 1 if state was updated, 0 otherwise */
+ static int pl330_update(struct pl330_dmac *pl330)
+ {
+- struct dma_pl330_desc *descdone, *tmp;
++ struct dma_pl330_desc *descdone;
+ unsigned long flags;
+ void __iomem *regs;
+ u32 val;
+@@ -1588,7 +1588,9 @@ static int pl330_update(struct pl330_dma
+ }
+
+ /* Now that we are in no hurry, do the callbacks */
+- list_for_each_entry_safe(descdone, tmp, &pl330->req_done, rqd) {
++ while (!list_empty(&pl330->req_done)) {
++ descdone = list_first_entry(&pl330->req_done,
++ struct dma_pl330_desc, rqd);
+ list_del(&descdone->rqd);
+ spin_unlock_irqrestore(&pl330->lock, flags);
+ dma_pl330_rqcb(descdone, PL330_ERR_NONE);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Thu, 15 Feb 2018 12:25:09 +0000
+Subject: dmaengine: qcom: bam_dma: get num-channels and num-ees from dt
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 ]
+
+When Linux is master of BAM, it can directly read registers to know number
+of supported channels, however when its remotely controlled reading these
+registers would trigger a crash if the BAM is not yet initialized or
+powered up on the remote side.
+
+This patch allows driver to read num-channels and num-ees from Device Tree
+for remotely controlled BAM.
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/qcom/bam_dma.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/drivers/dma/qcom/bam_dma.c
++++ b/drivers/dma/qcom/bam_dma.c
+@@ -388,6 +388,7 @@ struct bam_device {
+ struct device_dma_parameters dma_parms;
+ struct bam_chan *channels;
+ u32 num_channels;
++ u32 num_ees;
+
+ /* execution environment ID, from DT */
+ u32 ee;
+@@ -1080,15 +1081,19 @@ static int bam_init(struct bam_device *b
+ u32 val;
+
+ /* read revision and configuration information */
+- val = readl_relaxed(bam_addr(bdev, 0, BAM_REVISION)) >> NUM_EES_SHIFT;
+- val &= NUM_EES_MASK;
++ if (!bdev->num_ees) {
++ val = readl_relaxed(bam_addr(bdev, 0, BAM_REVISION));
++ bdev->num_ees = (val >> NUM_EES_SHIFT) & NUM_EES_MASK;
++ }
+
+ /* check that configured EE is within range */
+- if (bdev->ee >= val)
++ if (bdev->ee >= bdev->num_ees)
+ return -EINVAL;
+
+- val = readl_relaxed(bam_addr(bdev, 0, BAM_NUM_PIPES));
+- bdev->num_channels = val & BAM_NUM_PIPES_MASK;
++ if (!bdev->num_channels) {
++ val = readl_relaxed(bam_addr(bdev, 0, BAM_NUM_PIPES));
++ bdev->num_channels = val & BAM_NUM_PIPES_MASK;
++ }
+
+ if (bdev->controlled_remotely)
+ return 0;
+@@ -1183,6 +1188,18 @@ static int bam_dma_probe(struct platform
+ bdev->controlled_remotely = of_property_read_bool(pdev->dev.of_node,
+ "qcom,controlled-remotely");
+
++ if (bdev->controlled_remotely) {
++ ret = of_property_read_u32(pdev->dev.of_node, "num-channels",
++ &bdev->num_channels);
++ if (ret)
++ dev_err(bdev->dev, "num-channels unspecified in dt\n");
++
++ ret = of_property_read_u32(pdev->dev.of_node, "qcom,num-ees",
++ &bdev->num_ees);
++ if (ret)
++ dev_err(bdev->dev, "num-ees unspecified in dt\n");
++ }
++
+ bdev->bamclk = devm_clk_get(bdev->dev, "bam_clk");
+ if (IS_ERR(bdev->bamclk))
+ return PTR_ERR(bdev->bamclk);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Fri, 2 Feb 2018 19:05:15 +0900
+Subject: dmaengine: rcar-dmac: Check the done lists in rcar_dmac_chan_get_residue()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit 3e081628d510b2ddbe493371d9c574d9275da17e ]
+
+This patch fixes an issue that a race condition happens between a client
+driver and the rcar-dmac driver:
+
+- The rcar_dmac_isr_transfer_end() is called.
+ - The done list appears, and desc.running is the next active list.
+- rcar_dmac_chan_get_residue() is called by a client driver before
+ rcar_dmac_isr_channel_thread() is called.
+ - The rcar_dmac_chan_get_residue() will not find any descriptors.
+ - And, the following WARNING happens:
+ WARN(1, "No descriptor for cookie!");
+
+The sh-sci driver with HSCIF (921,600bps) on R-Car H3 can cause this
+situation.
+So, this patch checks the done lists in rcar_dmac_chan_get_residue()
+and returns zero if the done lists has the argument cookie.
+
+Tested-by: Nguyen Viet Dung <dung.nguyen.aj@renesas.com>
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/sh/rcar-dmac.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/dma/sh/rcar-dmac.c
++++ b/drivers/dma/sh/rcar-dmac.c
+@@ -1264,8 +1264,17 @@ static unsigned int rcar_dmac_chan_get_r
+ * If the cookie doesn't correspond to the currently running transfer
+ * then the descriptor hasn't been processed yet, and the residue is
+ * equal to the full descriptor size.
++ * Also, a client driver is possible to call this function before
++ * rcar_dmac_isr_channel_thread() runs. In this case, the "desc.running"
++ * will be the next descriptor, and the done list will appear. So, if
++ * the argument cookie matches the done list's cookie, we can assume
++ * the residue is zero.
+ */
+ if (cookie != desc->async_tx.cookie) {
++ list_for_each_entry(desc, &chan->desc.done, node) {
++ if (cookie == desc->async_tx.cookie)
++ return 0;
++ }
+ list_for_each_entry(desc, &chan->desc.pending, node) {
+ if (cookie == desc->async_tx.cookie)
+ return desc->size;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Wed, 14 Feb 2018 18:40:12 +0900
+Subject: dmaengine: rcar-dmac: fix max_chunk_size for R-Car Gen3
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit d716d9b702bb759dd6fb50804f10a174bd156d71 ]
+
+According to R-Car Gen3 Rev.0.80 manual, the DMATCR can be set to
+16,777,215 as maximum. So, this patch fixes the max_chunk_size for
+safety on all of SoCs. Otherwise, a system may hang if the DMATCR
+is set to 0 on R-Car Gen3.
+
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/sh/rcar-dmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/sh/rcar-dmac.c
++++ b/drivers/dma/sh/rcar-dmac.c
+@@ -880,7 +880,7 @@ rcar_dmac_chan_prep_sg(struct rcar_dmac_
+
+ rcar_dmac_chan_configure_desc(chan, desc);
+
+- max_chunk_size = (RCAR_DMATCR_MASK + 1) << desc->xfer_shift;
++ max_chunk_size = RCAR_DMATCR_MASK << desc->xfer_shift;
+
+ /*
+ * Allocate and fill the transfer chunk descriptors. We own the only
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Esben Haabendal <eha@deif.com>
+Date: Sun, 8 Apr 2018 22:17:01 +0200
+Subject: dp83640: Ensure against premature access to PHY registers after reset
+
+From: Esben Haabendal <eha@deif.com>
+
+[ Upstream commit 76327a35caabd1a932e83d6a42b967aa08584e5d ]
+
+The datasheet specifies a 3uS pause after performing a software
+reset. The default implementation of genphy_soft_reset() does not
+provide this, so implement soft_reset with the needed pause.
+
+Signed-off-by: Esben Haabendal <eha@deif.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/dp83640.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/net/phy/dp83640.c
++++ b/drivers/net/phy/dp83640.c
+@@ -1207,6 +1207,23 @@ static void dp83640_remove(struct phy_de
+ kfree(dp83640);
+ }
+
++static int dp83640_soft_reset(struct phy_device *phydev)
++{
++ int ret;
++
++ ret = genphy_soft_reset(phydev);
++ if (ret < 0)
++ return ret;
++
++ /* From DP83640 datasheet: "Software driver code must wait 3 us
++ * following a software reset before allowing further serial MII
++ * operations with the DP83640."
++ */
++ udelay(10); /* Taking udelay inaccuracy into account */
++
++ return 0;
++}
++
+ static int dp83640_config_init(struct phy_device *phydev)
+ {
+ struct dp83640_private *dp83640 = phydev->priv;
+@@ -1501,6 +1518,7 @@ static struct phy_driver dp83640_driver
+ .flags = PHY_HAS_INTERRUPT,
+ .probe = dp83640_probe,
+ .remove = dp83640_remove,
++ .soft_reset = dp83640_soft_reset,
+ .config_init = dp83640_config_init,
+ .config_aneg = genphy_config_aneg,
+ .read_status = genphy_read_status,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jake Moroni <mail@jakemoroni.com>
+Date: Sun, 18 Feb 2018 15:26:04 -0500
+Subject: dpaa_eth: fix pause capability advertisement logic
+
+From: Jake Moroni <mail@jakemoroni.com>
+
+[ Upstream commit 3021efb440d02bf5b952b6d151c7ffee9bdd49fe ]
+
+The ADVERTISED_Asym_Pause bit was being improperly set when both
+rx and tx pause were enabled. When rx and tx are both enabled, only
+the ADVERTISED_Pause bit is supposed to be set.
+
+Signed-off-by: Jake Moroni <mail@jakemoroni.com>
+Acked-by: Madalin Bucur <madalin.bucur@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
+@@ -211,7 +211,7 @@ static int dpaa_set_pauseparam(struct ne
+ if (epause->rx_pause)
+ newadv = ADVERTISED_Pause | ADVERTISED_Asym_Pause;
+ if (epause->tx_pause)
+- newadv |= ADVERTISED_Asym_Pause;
++ newadv ^= ADVERTISED_Asym_Pause;
+
+ oldadv = phydev->advertising &
+ (ADVERTISED_Pause | ADVERTISED_Asym_Pause);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Madalin Bucur <madalin.bucur@nxp.com>
+Date: Mon, 26 Feb 2018 11:24:01 -0600
+Subject: dpaa_eth: fix SG mapping
+
+From: Madalin Bucur <madalin.bucur@nxp.com>
+
+[ Upstream commit 120d75ecf043044554abbba8507f6d22e4715beb ]
+
+An issue in the code mapping the skb fragments into
+scatter-gather frames was evidentiated by netperf
+TCP_SENDFILE tests. The size was set wrong for all
+fragments but the first, affecting the transmission
+of any skb with more than one fragment.
+
+Signed-off-by: Madalin Bucur <madalin.bucur@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+@@ -1930,8 +1930,10 @@ static int skb_to_sg_fd(struct dpaa_priv
+ goto csum_failed;
+ }
+
++ /* SGT[0] is used by the linear part */
+ sgt = (struct qm_sg_entry *)(sgt_buf + priv->tx_headroom);
+- qm_sg_entry_set_len(&sgt[0], skb_headlen(skb));
++ frag_len = skb_headlen(skb);
++ qm_sg_entry_set_len(&sgt[0], frag_len);
+ sgt[0].bpid = FSL_DPAA_BPID_INV;
+ sgt[0].offset = 0;
+ addr = dma_map_single(dev, skb->data,
+@@ -1944,9 +1946,9 @@ static int skb_to_sg_fd(struct dpaa_priv
+ qm_sg_entry_set64(&sgt[0], addr);
+
+ /* populate the rest of SGT entries */
+- frag = &skb_shinfo(skb)->frags[0];
+- frag_len = frag->size;
+- for (i = 1; i <= nr_frags; i++, frag++) {
++ for (i = 0; i < nr_frags; i++) {
++ frag = &skb_shinfo(skb)->frags[i];
++ frag_len = frag->size;
+ WARN_ON(!skb_frag_page(frag));
+ addr = skb_frag_dma_map(dev, frag, 0,
+ frag_len, dma_dir);
+@@ -1956,15 +1958,16 @@ static int skb_to_sg_fd(struct dpaa_priv
+ goto sg_map_failed;
+ }
+
+- qm_sg_entry_set_len(&sgt[i], frag_len);
+- sgt[i].bpid = FSL_DPAA_BPID_INV;
+- sgt[i].offset = 0;
++ qm_sg_entry_set_len(&sgt[i + 1], frag_len);
++ sgt[i + 1].bpid = FSL_DPAA_BPID_INV;
++ sgt[i + 1].offset = 0;
+
+ /* keep the offset in the address */
+- qm_sg_entry_set64(&sgt[i], addr);
+- frag_len = frag->size;
++ qm_sg_entry_set64(&sgt[i + 1], addr);
+ }
+- qm_sg_entry_set_f(&sgt[i - 1], frag_len);
++
++ /* Set the final bit in the last used entry of the SGT */
++ qm_sg_entry_set_f(&sgt[nr_frags], frag_len);
+
+ qm_fd_set_sg(fd, priv->tx_headroom, skb->len);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Fri, 16 Mar 2018 22:17:28 +0200
+Subject: drivers: macintosh: rack-meter: really fix bogus memsets
+
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+
+[ Upstream commit e283655b5abe26462d53d5196f186c5e8863af3b ]
+
+We should zero an array using sizeof instead of number of elements.
+
+Fixes the following compiler (GCC 7.3.0) warnings:
+
+drivers/macintosh/rack-meter.c: In function 'rackmeter_do_pause':
+drivers/macintosh/rack-meter.c:157:2: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size]
+drivers/macintosh/rack-meter.c:158:2: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size]
+
+Fixes: 4f7bef7a9f69 ("drivers: macintosh: rack-meter: fix bogus memsets")
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/macintosh/rack-meter.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/macintosh/rack-meter.c
++++ b/drivers/macintosh/rack-meter.c
+@@ -154,8 +154,8 @@ static void rackmeter_do_pause(struct ra
+ DBDMA_DO_STOP(rm->dma_regs);
+ return;
+ }
+- memset(rdma->buf1, 0, ARRAY_SIZE(rdma->buf1));
+- memset(rdma->buf2, 0, ARRAY_SIZE(rdma->buf2));
++ memset(rdma->buf1, 0, sizeof(rdma->buf1));
++ memset(rdma->buf2, 0, sizeof(rdma->buf2));
+
+ rm->dma_buf_v->mark = 0;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Tom St Denis <tom.stdenis@amd.com>
+Date: Mon, 26 Feb 2018 09:09:26 -0500
+Subject: drm/amd/amdgpu: Correct VRAM width for APUs with GMC9
+
+From: Tom St Denis <tom.stdenis@amd.com>
+
+[ Upstream commit 585b7f161c85bd5ca675b97580faf21c506541e3 ]
+
+DDR4 has a 64-bit width not 128-bits. It was reporting
+twice the width. Tested with my Ryzen 2400G.
+
+Signed-off-by: Tom St Denis <tom.stdenis@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
+@@ -456,7 +456,10 @@ static int gmc_v9_0_mc_init(struct amdgp
+ adev->mc.vram_width = amdgpu_atomfirmware_get_vram_width(adev);
+ if (!adev->mc.vram_width) {
+ /* hbm memory channel size */
+- chansize = 128;
++ if (adev->flags & AMD_IS_APU)
++ chansize = 64;
++ else
++ chansize = 128;
+
+ tmp = RREG32_SOC15(DF, 0, mmDF_CS_AON0_DramBaseAddress0);
+ tmp &= DF_CS_AON0_DramBaseAddress0__IntLvNumChan_MASK;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Monk Liu <Monk.Liu@amd.com>
+Date: Tue, 23 Jan 2018 18:26:20 +0800
+Subject: drm/amdgpu: adjust timeout for ib_ring_tests(v2)
+
+From: Monk Liu <Monk.Liu@amd.com>
+
+[ Upstream commit dbf797655a43c6318ebb90b899e6583fcadc6472 ]
+
+issue:
+sometime GFX/MM ib test hit timeout under SRIOV env, root cause
+is that engine doesn't come back soon enough so the current
+IB test considered as timed out.
+
+fix:
+for SRIOV GFX IB test wait time need to be expanded a lot during
+SRIOV runtimei mode since it couldn't really begin before GFX engine
+come back.
+
+for SRIOV MM IB test it always need more time since MM scheduling
+is not go together with GFX engine, it is controled by h/w MM
+scheduler so no matter runtime or exclusive mode MM IB test
+always need more time.
+
+v2:
+use ring type instead of idx to judge
+
+Signed-off-by: Monk Liu <Monk.Liu@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 33 ++++++++++++++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c
+@@ -322,14 +322,45 @@ int amdgpu_ib_ring_tests(struct amdgpu_d
+ {
+ unsigned i;
+ int r, ret = 0;
++ long tmo_gfx, tmo_mm;
++
++ tmo_mm = tmo_gfx = AMDGPU_IB_TEST_TIMEOUT;
++ if (amdgpu_sriov_vf(adev)) {
++ /* for MM engines in hypervisor side they are not scheduled together
++ * with CP and SDMA engines, so even in exclusive mode MM engine could
++ * still running on other VF thus the IB TEST TIMEOUT for MM engines
++ * under SR-IOV should be set to a long time. 8 sec should be enough
++ * for the MM comes back to this VF.
++ */
++ tmo_mm = 8 * AMDGPU_IB_TEST_TIMEOUT;
++ }
++
++ if (amdgpu_sriov_runtime(adev)) {
++ /* for CP & SDMA engines since they are scheduled together so
++ * need to make the timeout width enough to cover the time
++ * cost waiting for it coming back under RUNTIME only
++ */
++ tmo_gfx = 8 * AMDGPU_IB_TEST_TIMEOUT;
++ }
+
+ for (i = 0; i < AMDGPU_MAX_RINGS; ++i) {
+ struct amdgpu_ring *ring = adev->rings[i];
++ long tmo;
+
+ if (!ring || !ring->ready)
+ continue;
+
+- r = amdgpu_ring_test_ib(ring, AMDGPU_IB_TEST_TIMEOUT);
++ /* MM engine need more time */
++ if (ring->funcs->type == AMDGPU_RING_TYPE_UVD ||
++ ring->funcs->type == AMDGPU_RING_TYPE_VCE ||
++ ring->funcs->type == AMDGPU_RING_TYPE_UVD_ENC ||
++ ring->funcs->type == AMDGPU_RING_TYPE_VCN_DEC ||
++ ring->funcs->type == AMDGPU_RING_TYPE_VCN_ENC)
++ tmo = tmo_mm;
++ else
++ tmo = tmo_gfx;
++
++ r = amdgpu_ring_test_ib(ring, tmo);
+ if (r) {
+ ring->ready = false;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Monk Liu <Monk.Liu@amd.com>
+Date: Mon, 29 Jan 2018 19:24:32 +0800
+Subject: drm/amdgpu: disable GFX ring and disable PQ wptr in hw_fini
+
+From: Monk Liu <Monk.Liu@amd.com>
+
+[ Upstream commit 9f0178fb67699992d38601cb923b434f9986dd68 ]
+
+otherwise there will be DMAR reading error comes out from CP since
+GFX is still alive and CPC's WPTR_POLL is still enabled, which would
+lead to DMAR read error.
+
+fix:
+we can hault CPG after hw_fini, but cannot halt CPC becaues KIQ
+stil need to be alive to let RLCV invoke, but its WPTR_POLL could
+be disabled.
+
+Signed-off-by: Monk Liu <Monk.Liu@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -2889,7 +2889,13 @@ static int gfx_v9_0_hw_fini(void *handle
+ amdgpu_irq_put(adev, &adev->gfx.priv_reg_irq, 0);
+ amdgpu_irq_put(adev, &adev->gfx.priv_inst_irq, 0);
+ if (amdgpu_sriov_vf(adev)) {
+- pr_debug("For SRIOV client, shouldn't do anything.\n");
++ gfx_v9_0_cp_gfx_enable(adev, false);
++ /* must disable polling for SRIOV when hw finished, otherwise
++ * CPC engine may still keep fetching WB address which is already
++ * invalid after sw finished and trigger DMAR reading error in
++ * hypervisor side.
++ */
++ WREG32_FIELD15(GC, 0, CP_PQ_WPTR_POLL_CNTL, EN, 0);
+ return 0;
+ }
+ gfx_v9_0_cp_enable(adev, false);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Oded Gabbay <oded.gabbay@gmail.com>
+Date: Thu, 15 Mar 2018 10:08:35 +0200
+Subject: drm/amdkfd: add missing include of mm.h
+
+From: Oded Gabbay <oded.gabbay@gmail.com>
+
+[ Upstream commit 7420f482ea5163bf6dae39a5c7628d5397cd6307 ]
+
+This patch fixes kernel build in ARCH=frv
+
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
+@@ -26,6 +26,7 @@
+ #define AMDGPU_AMDKFD_H_INCLUDED
+
+ #include <linux/types.h>
++#include <linux/mm.h>
+ #include <linux/mmu_context.h>
+ #include <kgd_kfd_interface.h>
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+Date: Fri, 23 Mar 2018 15:30:33 -0400
+Subject: drm/amdkfd: Fix scratch memory with HWS enabled
+
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+
+[ Upstream commit c70a36268799cf2f902b5a31e452571fcb96bfe9 ]
+
+Program sh_hidden_private_base_vmid correctly in the map-process
+PM4 packet.
+
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_packet_manager.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_packet_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_packet_manager.c
+@@ -166,8 +166,7 @@ static int pm_create_map_process(struct
+ packet->sh_mem_ape1_base = qpd->sh_mem_ape1_base;
+ packet->sh_mem_ape1_limit = qpd->sh_mem_ape1_limit;
+
+- /* TODO: scratch support */
+- packet->sh_hidden_private_base_vmid = 0;
++ packet->sh_hidden_private_base_vmid = qpd->sh_hidden_private_base;
+
+ packet->gds_addr_lo = lower_32_bits(qpd->gds_context_area);
+ packet->gds_addr_hi = upper_32_bits(qpd->gds_context_area);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Y.C. Chen" <yc_chen@aspeedtech.com>
+Date: Mon, 12 Mar 2018 11:40:23 +0800
+Subject: drm/ast: Fixed 1280x800 Display Issue
+
+From: "Y.C. Chen" <yc_chen@aspeedtech.com>
+
+[ Upstream commit 5a9f698feb11b198f17b2acebbfe0e2716a3beed ]
+
+The original ast driver cannot display properly if the resolution is 1280x800 and the pixel clock is 83.5MHz.
+Here is the update to fix it.
+
+Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/ast/ast_tables.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/ast/ast_tables.h
++++ b/drivers/gpu/drm/ast/ast_tables.h
+@@ -97,7 +97,7 @@ static const struct ast_vbios_dclk_info
+ {0x67, 0x22, 0x00}, /* 0E: VCLK157_5 */
+ {0x6A, 0x22, 0x00}, /* 0F: VCLK162 */
+ {0x4d, 0x4c, 0x80}, /* 10: VCLK154 */
+- {0xa7, 0x78, 0x80}, /* 11: VCLK83.5 */
++ {0x68, 0x6f, 0x80}, /* 11: VCLK83.5 */
+ {0x28, 0x49, 0x80}, /* 12: VCLK106.5 */
+ {0x37, 0x49, 0x80}, /* 13: VCLK146.25 */
+ {0x1f, 0x45, 0x80}, /* 14: VCLK148.5 */
+@@ -127,7 +127,7 @@ static const struct ast_vbios_dclk_info
+ {0x67, 0x22, 0x00}, /* 0E: VCLK157_5 */
+ {0x6A, 0x22, 0x00}, /* 0F: VCLK162 */
+ {0x4d, 0x4c, 0x80}, /* 10: VCLK154 */
+- {0xa7, 0x78, 0x80}, /* 11: VCLK83.5 */
++ {0x68, 0x6f, 0x80}, /* 11: VCLK83.5 */
+ {0x28, 0x49, 0x80}, /* 12: VCLK106.5 */
+ {0x37, 0x49, 0x80}, /* 13: VCLK146.25 */
+ {0x1f, 0x45, 0x80}, /* 14: VCLK148.5 */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Mon, 5 Mar 2018 11:17:02 +0100
+Subject: drm/bridge: sii902x: Retry status read after DDI I2C
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 2e7a66a8b5ebf1b04a866e5d7c981640f7f62934 ]
+
+The following happens when connection a DVI output driven
+from the SiI9022 using a DVI-to-VGA adapter plug:
+
+i2c i2c-0: sendbytes: NAK bailout.
+i2c i2c-0: sendbytes: NAK bailout.
+
+Then no picture. Apparently the I2C engine inside the SiI9022
+is not smart enough to try to fall back to DDC I2C. Or the
+vendor have not integrated the electronics properly. I don't
+know which one it is.
+
+After this, the I2C bus seems stalled and the first attempt to
+read the status register fails, and the code returns with
+negative return value, and the display fails to initialized.
+
+Instead, retry status readout five times and continue even
+if this fails.
+
+Tested on the ARM Versatile Express with a DVI-to-VGA
+connector, it now gives picture.
+
+Introduce a helper struct device *dev variable to make
+the code more readable.
+
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Reviewed-by: Liviu Dudau <Liviu.Dudau@arm.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180305101702.13441-1-linus.walleij@linaro.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/sii902x.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/sii902x.c
++++ b/drivers/gpu/drm/bridge/sii902x.c
+@@ -137,7 +137,9 @@ static int sii902x_get_modes(struct drm_
+ struct sii902x *sii902x = connector_to_sii902x(connector);
+ struct regmap *regmap = sii902x->regmap;
+ u32 bus_format = MEDIA_BUS_FMT_RGB888_1X24;
++ struct device *dev = &sii902x->i2c->dev;
+ unsigned long timeout;
++ unsigned int retries;
+ unsigned int status;
+ struct edid *edid;
+ int num = 0;
+@@ -159,7 +161,7 @@ static int sii902x_get_modes(struct drm_
+ time_before(jiffies, timeout));
+
+ if (!(status & SII902X_SYS_CTRL_DDC_BUS_GRTD)) {
+- dev_err(&sii902x->i2c->dev, "failed to acquire the i2c bus\n");
++ dev_err(dev, "failed to acquire the i2c bus\n");
+ return -ETIMEDOUT;
+ }
+
+@@ -179,9 +181,19 @@ static int sii902x_get_modes(struct drm_
+ if (ret)
+ return ret;
+
+- ret = regmap_read(regmap, SII902X_SYS_CTRL_DATA, &status);
++ /*
++ * Sometimes the I2C bus can stall after failure to use the
++ * EDID channel. Retry a few times to see if things clear
++ * up, else continue anyway.
++ */
++ retries = 5;
++ do {
++ ret = regmap_read(regmap, SII902X_SYS_CTRL_DATA,
++ &status);
++ retries--;
++ } while (ret && retries);
+ if (ret)
+- return ret;
++ dev_err(dev, "failed to read status (%d)\n", ret);
+
+ ret = regmap_update_bits(regmap, SII902X_SYS_CTRL_DATA,
+ SII902X_SYS_CTRL_DDC_BUS_REQ |
+@@ -201,7 +213,7 @@ static int sii902x_get_modes(struct drm_
+
+ if (status & (SII902X_SYS_CTRL_DDC_BUS_REQ |
+ SII902X_SYS_CTRL_DDC_BUS_GRTD)) {
+- dev_err(&sii902x->i2c->dev, "failed to release the i2c bus\n");
++ dev_err(dev, "failed to release the i2c bus\n");
+ return -ETIMEDOUT;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Mon, 5 Feb 2018 21:09:59 +0100
+Subject: drm/exynos: fix comparison to bitshift when dealing with a mask
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 1293b6191010672c0c9dacae8f71c6f3e4d70cbe ]
+
+Due to a typo, the mask was destroyed by a comparison instead of a bit
+shift.
+
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/regs-fimc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/exynos/regs-fimc.h
++++ b/drivers/gpu/drm/exynos/regs-fimc.h
+@@ -569,7 +569,7 @@
+ #define EXYNOS_CIIMGEFF_FIN_EMBOSSING (4 << 26)
+ #define EXYNOS_CIIMGEFF_FIN_SILHOUETTE (5 << 26)
+ #define EXYNOS_CIIMGEFF_FIN_MASK (7 << 26)
+-#define EXYNOS_CIIMGEFF_PAT_CBCR_MASK ((0xff < 13) | (0xff < 0))
++#define EXYNOS_CIIMGEFF_PAT_CBCR_MASK ((0xff << 13) | (0xff << 0))
+
+ /* Real input DMA size register */
+ #define EXYNOS_CIREAL_ISIZE_AUTOLOAD_ENABLE (1 << 31)
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Markus Elfring <elfring@users.sourceforge.net>
+Date: Thu, 8 Feb 2018 18:42:51 +0100
+Subject: drm/exynos: g2d: Delete an error message for a failed memory allocation in two functions
+
+From: Markus Elfring <elfring@users.sourceforge.net>
+
+[ Upstream commit 6f0a60298bbbea43ab5e3955913ab19c153076f3 ]
+
+Omit an extra message for a memory allocation failure in these functions.
+
+This issue was detected by using the Coccinelle software.
+
+Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_g2d.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c
+@@ -286,7 +286,6 @@ static int g2d_init_cmdlist(struct g2d_d
+
+ node = kcalloc(G2D_CMDLIST_NUM, sizeof(*node), GFP_KERNEL);
+ if (!node) {
+- dev_err(dev, "failed to allocate memory\n");
+ ret = -ENOMEM;
+ goto err;
+ }
+@@ -1358,10 +1357,9 @@ int exynos_g2d_exec_ioctl(struct drm_dev
+ return -EFAULT;
+
+ runqueue_node = kmem_cache_alloc(g2d->runqueue_slab, GFP_KERNEL);
+- if (!runqueue_node) {
+- dev_err(dev, "failed to allocate memory\n");
++ if (!runqueue_node)
+ return -ENOMEM;
+- }
++
+ run_cmdlist = &runqueue_node->run_cmdlist;
+ event_list = &runqueue_node->event_list;
+ INIT_LIST_HEAD(run_cmdlist);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 17 Jan 2018 18:01:21 +0100
+Subject: drm/exynos: g2d: use monotonic timestamps
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit a588a8bb7b25a3fb4f7fed00feb7aec541fc2632 ]
+
+The exynos DRM driver uses real-time 'struct timeval' values
+for exporting its timestamps to user space. This has multiple
+problems:
+
+1. signed seconds overflow in y2038
+2. the 'struct timeval' definition is deprecated in the kernel
+3. time may jump or go backwards after a 'settimeofday()' syscall
+4. other DRM timestamps are in CLOCK_MONOTONIC domain, so they
+ can't be compared
+5. exporting microseconds requires a division by 1000, which may
+ be slow on some architectures.
+
+The code existed in two places before, but the IPP portion was
+removed in 8ded59413ccc ("drm/exynos: ipp: Remove Exynos DRM
+IPP subsystem"), so we no longer need to worry about it.
+
+Ideally timestamps should just use 64-bit nanoseconds instead, but
+of course we can't change that now. Instead, this tries to address
+the first four points above by using monotonic 'timespec' values.
+
+According to Tobias Jakobi, user space doesn't care about the
+timestamp at the moment, so we can change the format. Even if
+there is something looking at them, it will work just fine with
+monotonic times as long as the application only looks at the
+relative values between two events.
+
+Link: https://patchwork.kernel.org/patch/10038593/
+Cc: Tobias Jakobi <tjakobi@math.uni-bielefeld.de>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Tobias Jakobi <tjakobi@math.uni-bielefeld.de>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_g2d.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c
+@@ -926,7 +926,7 @@ static void g2d_finish_event(struct g2d_
+ struct drm_device *drm_dev = g2d->subdrv.drm_dev;
+ struct g2d_runqueue_node *runqueue_node = g2d->runqueue_node;
+ struct drm_exynos_pending_g2d_event *e;
+- struct timeval now;
++ struct timespec64 now;
+
+ if (list_empty(&runqueue_node->event_list))
+ return;
+@@ -934,9 +934,9 @@ static void g2d_finish_event(struct g2d_
+ e = list_first_entry(&runqueue_node->event_list,
+ struct drm_exynos_pending_g2d_event, base.link);
+
+- do_gettimeofday(&now);
++ ktime_get_ts64(&now);
+ e->event.tv_sec = now.tv_sec;
+- e->event.tv_usec = now.tv_usec;
++ e->event.tv_usec = now.tv_nsec / NSEC_PER_USEC;
+ e->event.cmdlist_no = cmdlist_no;
+
+ drm_send_event(drm_dev, &e->base);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Thu, 15 Mar 2018 10:11:59 +0100
+Subject: drm/imx: move arming of the vblank event to atomic_flush
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+[ Upstream commit 6a055b92de15af987b4027826d43aa103c65a3c4 ]
+
+Right now the vblank event completion is racing with the atomic update,
+which is especially bad when the PRE is in use, as one of the hardware
+issue workaround might extend the atomic commit for quite some time.
+
+If the vblank IRQ happens to trigger during that time, we will prematurely
+signal the atomic commit completion to userspace, which causes tearing
+when userspace re-uses a framebuffer we haven't managed to flip away from
+yet.
+
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/imx/ipuv3-crtc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/imx/ipuv3-crtc.c
++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c
+@@ -225,7 +225,11 @@ static void ipu_crtc_atomic_begin(struct
+ struct drm_crtc_state *old_crtc_state)
+ {
+ drm_crtc_vblank_on(crtc);
++}
+
++static void ipu_crtc_atomic_flush(struct drm_crtc *crtc,
++ struct drm_crtc_state *old_crtc_state)
++{
+ spin_lock_irq(&crtc->dev->event_lock);
+ if (crtc->state->event) {
+ WARN_ON(drm_crtc_vblank_get(crtc));
+@@ -293,6 +297,7 @@ static const struct drm_crtc_helper_func
+ .mode_set_nofb = ipu_crtc_mode_set_nofb,
+ .atomic_check = ipu_crtc_atomic_check,
+ .atomic_begin = ipu_crtc_atomic_begin,
++ .atomic_flush = ipu_crtc_atomic_flush,
+ .atomic_disable = ipu_crtc_atomic_disable,
+ .atomic_enable = ipu_crtc_atomic_enable,
+ };
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Mon, 12 Mar 2018 21:15:08 +0100
+Subject: drm/meson: Fix an un-handled error path in 'meson_drv_bind_master()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit e770f6bf18182bc3af6ceec30189b6c323cbc157 ]
+
+'drm_vblank_init()' can fail. So handle this (unlikely) error.
+
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/6cbf3d70ac3904489c7194c895225c4103aebb96.1520885192.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/meson/meson_drv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -221,7 +221,10 @@ static int meson_drv_bind_master(struct
+
+ priv->vsync_irq = platform_get_irq(pdev, 0);
+
+- drm_vblank_init(drm, 1);
++ ret = drm_vblank_init(drm, 1);
++ if (ret)
++ goto free_drm;
++
+ drm_mode_config_init(drm);
+ drm->mode_config.max_width = 3840;
+ drm->mode_config.max_height = 2160;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Mon, 12 Mar 2018 21:15:10 +0100
+Subject: drm/meson: Fix some error handling paths in 'meson_drv_bind_master()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 2c18107b9d58972588cd45d89b8f58d0f033c110 ]
+
+If one of these functions fail, we whould free 'drm', as alreadry done in
+the other error handling paths, below and above.
+
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/df47e03d36c2cf7bc37ec3105fc47c16555bd946.1520885192.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/meson/meson_drv.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -180,35 +180,43 @@ static int meson_drv_bind_master(struct
+
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "vpu");
+ regs = devm_ioremap_resource(dev, res);
+- if (IS_ERR(regs))
+- return PTR_ERR(regs);
++ if (IS_ERR(regs)) {
++ ret = PTR_ERR(regs);
++ goto free_drm;
++ }
+
+ priv->io_base = regs;
+
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "hhi");
+ /* Simply ioremap since it may be a shared register zone */
+ regs = devm_ioremap(dev, res->start, resource_size(res));
+- if (!regs)
+- return -EADDRNOTAVAIL;
++ if (!regs) {
++ ret = -EADDRNOTAVAIL;
++ goto free_drm;
++ }
+
+ priv->hhi = devm_regmap_init_mmio(dev, regs,
+ &meson_regmap_config);
+ if (IS_ERR(priv->hhi)) {
+ dev_err(&pdev->dev, "Couldn't create the HHI regmap\n");
+- return PTR_ERR(priv->hhi);
++ ret = PTR_ERR(priv->hhi);
++ goto free_drm;
+ }
+
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "dmc");
+ /* Simply ioremap since it may be a shared register zone */
+ regs = devm_ioremap(dev, res->start, resource_size(res));
+- if (!regs)
+- return -EADDRNOTAVAIL;
++ if (!regs) {
++ ret = -EADDRNOTAVAIL;
++ goto free_drm;
++ }
+
+ priv->dmc = devm_regmap_init_mmio(dev, regs,
+ &meson_regmap_config);
+ if (IS_ERR(priv->dmc)) {
+ dev_err(&pdev->dev, "Couldn't create the DMC regmap\n");
+- return PTR_ERR(priv->dmc);
++ ret = PTR_ERR(priv->dmc);
++ goto free_drm;
+ }
+
+ priv->vsync_irq = platform_get_irq(pdev, 0);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Neil Armstrong <narmstrong@baylibre.com>
+Date: Thu, 15 Feb 2018 11:19:36 +0100
+Subject: drm/meson: fix vsync buffer update
+
+From: Neil Armstrong <narmstrong@baylibre.com>
+
+[ Upstream commit e88230a3744a71a0b5ecfb45e08ddfe1c884e50d ]
+
+The plane buffer address/stride/height was incorrectly updated in the
+plane_atomic_update operation instead of the vsync irq.
+This patch delays this operation in the vsync irq along with the
+other plane delayed setup.
+
+This issue was masked using legacy framebuffer and X11 modesetting, but
+is clearly visible using gbm rendering when buffer is submitted late after
+vblank, like using software decoding and OpenGL rendering in Kodi.
+With this patch, tearing and other artifacts disappears completely.
+
+Cc: Michal Lazo <michal.lazo@gmail.com>
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/1518689976-23292-1-git-send-email-narmstrong@baylibre.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/meson/meson_crtc.c | 6 ++++++
+ drivers/gpu/drm/meson/meson_drv.h | 3 +++
+ drivers/gpu/drm/meson/meson_plane.c | 7 +++----
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/meson/meson_crtc.c
++++ b/drivers/gpu/drm/meson/meson_crtc.c
+@@ -36,6 +36,7 @@
+ #include "meson_venc.h"
+ #include "meson_vpp.h"
+ #include "meson_viu.h"
++#include "meson_canvas.h"
+ #include "meson_registers.h"
+
+ /* CRTC definition */
+@@ -192,6 +193,11 @@ void meson_crtc_irq(struct meson_drm *pr
+ } else
+ meson_vpp_disable_interlace_vscaler_osd1(priv);
+
++ meson_canvas_setup(priv, MESON_CANVAS_ID_OSD1,
++ priv->viu.osd1_addr, priv->viu.osd1_stride,
++ priv->viu.osd1_height, MESON_CANVAS_WRAP_NONE,
++ MESON_CANVAS_BLKMODE_LINEAR);
++
+ /* Enable OSD1 */
+ writel_bits_relaxed(VPP_OSD1_POSTBLEND, VPP_OSD1_POSTBLEND,
+ priv->io_base + _REG(VPP_MISC));
+--- a/drivers/gpu/drm/meson/meson_drv.h
++++ b/drivers/gpu/drm/meson/meson_drv.h
+@@ -43,6 +43,9 @@ struct meson_drm {
+ bool osd1_commit;
+ uint32_t osd1_ctrl_stat;
+ uint32_t osd1_blk0_cfg[5];
++ uint32_t osd1_addr;
++ uint32_t osd1_stride;
++ uint32_t osd1_height;
+ } viu;
+
+ struct {
+--- a/drivers/gpu/drm/meson/meson_plane.c
++++ b/drivers/gpu/drm/meson/meson_plane.c
+@@ -164,10 +164,9 @@ static void meson_plane_atomic_update(st
+ /* Update Canvas with buffer address */
+ gem = drm_fb_cma_get_gem_obj(fb, 0);
+
+- meson_canvas_setup(priv, MESON_CANVAS_ID_OSD1,
+- gem->paddr, fb->pitches[0],
+- fb->height, MESON_CANVAS_WRAP_NONE,
+- MESON_CANVAS_BLKMODE_LINEAR);
++ priv->viu.osd1_addr = gem->paddr;
++ priv->viu.osd1_stride = fb->pitches[0];
++ priv->viu.osd1_height = fb->height;
+
+ spin_unlock_irqrestore(&priv->drm->event_lock, flags);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Karol Herbst <kherbst@redhat.com>
+Date: Mon, 19 Feb 2018 17:09:45 +0100
+Subject: drm/nouveau/bl: fix backlight regression
+
+From: Karol Herbst <kherbst@redhat.com>
+
+[ Upstream commit 9e75dc61eaa9acd1bff83c3b814ac2af6dc1f64c ]
+
+Fixes: 3c66c87dc9 ("drm/nouveau/disp: remove hw-specific customisation
+of output paths")
+Suggested-by: Ben Skeggs <skeggsb@redhat.com>
+Signed-off-by: Karol Herbst <kherbst@redhat.com>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_backlight.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_backlight.c
++++ b/drivers/gpu/drm/nouveau/nouveau_backlight.c
+@@ -134,7 +134,7 @@ nv50_get_intensity(struct backlight_devi
+ struct nouveau_encoder *nv_encoder = bl_get_data(bd);
+ struct nouveau_drm *drm = nouveau_drm(nv_encoder->base.base.dev);
+ struct nvif_object *device = &drm->client.device.object;
+- int or = nv_encoder->or;
++ int or = ffs(nv_encoder->dcb->or) - 1;
+ u32 div = 1025;
+ u32 val;
+
+@@ -149,7 +149,7 @@ nv50_set_intensity(struct backlight_devi
+ struct nouveau_encoder *nv_encoder = bl_get_data(bd);
+ struct nouveau_drm *drm = nouveau_drm(nv_encoder->base.base.dev);
+ struct nvif_object *device = &drm->client.device.object;
+- int or = nv_encoder->or;
++ int or = ffs(nv_encoder->dcb->or) - 1;
+ u32 div = 1025;
+ u32 val = (bd->props.brightness * div) / 100;
+
+@@ -170,7 +170,7 @@ nva3_get_intensity(struct backlight_devi
+ struct nouveau_encoder *nv_encoder = bl_get_data(bd);
+ struct nouveau_drm *drm = nouveau_drm(nv_encoder->base.base.dev);
+ struct nvif_object *device = &drm->client.device.object;
+- int or = nv_encoder->or;
++ int or = ffs(nv_encoder->dcb->or) - 1;
+ u32 div, val;
+
+ div = nvif_rd32(device, NV50_PDISP_SOR_PWM_DIV(or));
+@@ -188,7 +188,7 @@ nva3_set_intensity(struct backlight_devi
+ struct nouveau_encoder *nv_encoder = bl_get_data(bd);
+ struct nouveau_drm *drm = nouveau_drm(nv_encoder->base.base.dev);
+ struct nvif_object *device = &drm->client.device.object;
+- int or = nv_encoder->or;
++ int or = ffs(nv_encoder->dcb->or) - 1;
+ u32 div, val;
+
+ div = nvif_rd32(device, NV50_PDISP_SOR_PWM_DIV(or));
+@@ -228,7 +228,7 @@ nv50_backlight_init(struct drm_connector
+ return -ENODEV;
+ }
+
+- if (!nvif_rd32(device, NV50_PDISP_SOR_PWM_CTL(nv_encoder->or)))
++ if (!nvif_rd32(device, NV50_PDISP_SOR_PWM_CTL(ffs(nv_encoder->dcb->or) - 1)))
+ return 0;
+
+ if (drm->client.device.info.chipset <= 0xa0 ||
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Benoit Parrot <bparrot@ti.com>
+Date: Mon, 16 May 2016 16:42:50 -0500
+Subject: drm/omap: Add pclk setting case when channel is DSS_WB
+
+From: Benoit Parrot <bparrot@ti.com>
+
+[ Upstream commit 9deb5ad3c47ead2b3c63e44435e9eff0f6f38835 ]
+
+In dispc_set_ovl_common() we need to initialize pclk to a valid
+value when we use WB in capture mode (i.e. mem_2_mem is false).
+Otherwise dispc_ovl_calc_scaling() fails.
+
+Signed-off-by: Benoit Parrot <bparrot@ti.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/dss/dispc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/omapdrm/dss/dispc.c
++++ b/drivers/gpu/drm/omapdrm/dss/dispc.c
+@@ -2491,6 +2491,10 @@ static int dispc_ovl_setup_common(enum o
+ unsigned long pclk = dispc_plane_pclk_rate(plane);
+ unsigned long lclk = dispc_plane_lclk_rate(plane);
+
++ /* when setting up WB, dispc_plane_pclk_rate() returns 0 */
++ if (plane == OMAP_DSS_WB)
++ pclk = vm->pixelclock;
++
+ if (paddr == 0 && rotation_type != OMAP_DSS_ROT_TILER)
+ return -EINVAL;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Date: Sun, 11 Feb 2018 15:07:44 +0200
+Subject: drm: omapdrm: dss: Move initialization code from component bind to probe
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit 215003b4ae1d47035092fef73b6a22aa82037091 ]
+
+There's no reason to delay initialization of most of the driver (such as
+mapping memory I/O, getting clocks or enabling runtime PM) to the
+component master bind handler.
+
+This additionally fixes a real PM issue caused enabling runtime PM in
+the bind handler.
+
+The bind handler performs the following sequence of PM operations:
+
+ pm_runtime_enable(dev);
+ pm_runtime_get_sync(dev);
+
+ ... (access the hardware to read the device revision) ...
+
+ pm_runtime_put_sync(dev);
+
+If a failure occurs at this point, the error path calls
+pm_runtime_disable() to balance the pm_runtime_enable() call.
+
+To understand the problem, it should be noted that the bind handler is
+called when one of the component registers itself, which happens in the
+component's probe handler. Furthermore, as the components are children
+of the DSS, the device core calls pm_runtime_get_sync() on the DSS
+platform device before calling the component's probe handler. This
+increases the DSS power usage count but doesn't runtime resume the
+device, as runtime PM is disabled at that point.
+
+The bind handler is thus called with runtime PM disabled, with the
+device runtime suspended, but with the power usage count larger than 0.
+The pm_runtime_get_sync() call will thus further increase the power
+usage count and runtime resume the device. The pm_runtime_put_sync()
+handler will decrease the power usage count to a non-zero value and will
+thus not suspend the device. Finally, the pm_runtime_disable() call will
+disable runtime PM, preventing the pm_runtime_put() call in the device
+core from runtime suspending the device. The DSS device is thus left
+powered on.
+
+To fix this, move the initialization code from the bind handler to the
+probe handler.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/dss/dss.c | 193 ++++++++++++++++++++------------------
+ 1 file changed, 104 insertions(+), 89 deletions(-)
+
+--- a/drivers/gpu/drm/omapdrm/dss/dss.c
++++ b/drivers/gpu/drm/omapdrm/dss/dss.c
+@@ -1299,88 +1299,18 @@ static const struct soc_device_attribute
+
+ static int dss_bind(struct device *dev)
+ {
+- struct platform_device *pdev = to_platform_device(dev);
+- struct resource *dss_mem;
+- u32 rev;
+ int r;
+
+- dss_mem = platform_get_resource(dss.pdev, IORESOURCE_MEM, 0);
+- dss.base = devm_ioremap_resource(&pdev->dev, dss_mem);
+- if (IS_ERR(dss.base))
+- return PTR_ERR(dss.base);
+-
+- r = dss_get_clocks();
++ r = component_bind_all(dev, NULL);
+ if (r)
+ return r;
+
+- r = dss_setup_default_clock();
+- if (r)
+- goto err_setup_clocks;
+-
+- r = dss_video_pll_probe(pdev);
+- if (r)
+- goto err_pll_init;
+-
+- r = dss_init_ports(pdev);
+- if (r)
+- goto err_init_ports;
+-
+- pm_runtime_enable(&pdev->dev);
+-
+- r = dss_runtime_get();
+- if (r)
+- goto err_runtime_get;
+-
+- dss.dss_clk_rate = clk_get_rate(dss.dss_clk);
+-
+- /* Select DPLL */
+- REG_FLD_MOD(DSS_CONTROL, 0, 0, 0);
+-
+- dss_select_dispc_clk_source(DSS_CLK_SRC_FCK);
+-
+-#ifdef CONFIG_OMAP2_DSS_VENC
+- REG_FLD_MOD(DSS_CONTROL, 1, 4, 4); /* venc dac demen */
+- REG_FLD_MOD(DSS_CONTROL, 1, 3, 3); /* venc clock 4x enable */
+- REG_FLD_MOD(DSS_CONTROL, 0, 2, 2); /* venc clock mode = normal */
+-#endif
+- dss.dsi_clk_source[0] = DSS_CLK_SRC_FCK;
+- dss.dsi_clk_source[1] = DSS_CLK_SRC_FCK;
+- dss.dispc_clk_source = DSS_CLK_SRC_FCK;
+- dss.lcd_clk_source[0] = DSS_CLK_SRC_FCK;
+- dss.lcd_clk_source[1] = DSS_CLK_SRC_FCK;
+-
+- rev = dss_read_reg(DSS_REVISION);
+- pr_info("OMAP DSS rev %d.%d\n", FLD_GET(rev, 7, 4), FLD_GET(rev, 3, 0));
+-
+- dss_runtime_put();
+-
+- r = component_bind_all(&pdev->dev, NULL);
+- if (r)
+- goto err_component;
+-
+- dss_debugfs_create_file("dss", dss_dump_regs);
+-
+ pm_set_vt_switch(0);
+
+ omapdss_gather_components(dev);
+ omapdss_set_is_initialized(true);
+
+ return 0;
+-
+-err_component:
+-err_runtime_get:
+- pm_runtime_disable(&pdev->dev);
+- dss_uninit_ports(pdev);
+-err_init_ports:
+- if (dss.video1_pll)
+- dss_video_pll_uninit(dss.video1_pll);
+-
+- if (dss.video2_pll)
+- dss_video_pll_uninit(dss.video2_pll);
+-err_pll_init:
+-err_setup_clocks:
+- dss_put_clocks();
+- return r;
+ }
+
+ static void dss_unbind(struct device *dev)
+@@ -1390,18 +1320,6 @@ static void dss_unbind(struct device *de
+ omapdss_set_is_initialized(false);
+
+ component_unbind_all(&pdev->dev, NULL);
+-
+- if (dss.video1_pll)
+- dss_video_pll_uninit(dss.video1_pll);
+-
+- if (dss.video2_pll)
+- dss_video_pll_uninit(dss.video2_pll);
+-
+- dss_uninit_ports(pdev);
+-
+- pm_runtime_disable(&pdev->dev);
+-
+- dss_put_clocks();
+ }
+
+ static const struct component_master_ops dss_component_ops = {
+@@ -1433,10 +1351,46 @@ static int dss_add_child_component(struc
+ return 0;
+ }
+
++static int dss_probe_hardware(void)
++{
++ u32 rev;
++ int r;
++
++ r = dss_runtime_get();
++ if (r)
++ return r;
++
++ dss.dss_clk_rate = clk_get_rate(dss.dss_clk);
++
++ /* Select DPLL */
++ REG_FLD_MOD(DSS_CONTROL, 0, 0, 0);
++
++ dss_select_dispc_clk_source(DSS_CLK_SRC_FCK);
++
++#ifdef CONFIG_OMAP2_DSS_VENC
++ REG_FLD_MOD(DSS_CONTROL, 1, 4, 4); /* venc dac demen */
++ REG_FLD_MOD(DSS_CONTROL, 1, 3, 3); /* venc clock 4x enable */
++ REG_FLD_MOD(DSS_CONTROL, 0, 2, 2); /* venc clock mode = normal */
++#endif
++ dss.dsi_clk_source[0] = DSS_CLK_SRC_FCK;
++ dss.dsi_clk_source[1] = DSS_CLK_SRC_FCK;
++ dss.dispc_clk_source = DSS_CLK_SRC_FCK;
++ dss.lcd_clk_source[0] = DSS_CLK_SRC_FCK;
++ dss.lcd_clk_source[1] = DSS_CLK_SRC_FCK;
++
++ rev = dss_read_reg(DSS_REVISION);
++ pr_info("OMAP DSS rev %d.%d\n", FLD_GET(rev, 7, 4), FLD_GET(rev, 3, 0));
++
++ dss_runtime_put();
++
++ return 0;
++}
++
+ static int dss_probe(struct platform_device *pdev)
+ {
+ const struct soc_device_attribute *soc;
+ struct component_match *match = NULL;
++ struct resource *dss_mem;
+ int r;
+
+ dss.pdev = pdev;
+@@ -1451,20 +1405,69 @@ static int dss_probe(struct platform_dev
+ else
+ dss.feat = of_match_device(dss_of_match, &pdev->dev)->data;
+
+- r = dss_initialize_debugfs();
++ /* Map I/O registers, get and setup clocks. */
++ dss_mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ dss.base = devm_ioremap_resource(&pdev->dev, dss_mem);
++ if (IS_ERR(dss.base))
++ return PTR_ERR(dss.base);
++
++ r = dss_get_clocks();
+ if (r)
+ return r;
+
+- /* add all the child devices as components */
++ r = dss_setup_default_clock();
++ if (r)
++ goto err_put_clocks;
++
++ /* Setup the video PLLs and the DPI and SDI ports. */
++ r = dss_video_pll_probe(pdev);
++ if (r)
++ goto err_put_clocks;
++
++ r = dss_init_ports(pdev);
++ if (r)
++ goto err_uninit_plls;
++
++ /* Enable runtime PM and probe the hardware. */
++ pm_runtime_enable(&pdev->dev);
++
++ r = dss_probe_hardware();
++ if (r)
++ goto err_pm_runtime_disable;
++
++ /* Initialize debugfs. */
++ r = dss_initialize_debugfs();
++ if (r)
++ goto err_pm_runtime_disable;
++
++ dss_debugfs_create_file("dss", dss_dump_regs);
++
++ /* Add all the child devices as components. */
+ device_for_each_child(&pdev->dev, &match, dss_add_child_component);
+
+ r = component_master_add_with_match(&pdev->dev, &dss_component_ops, match);
+- if (r) {
+- dss_uninitialize_debugfs();
+- return r;
+- }
++ if (r)
++ goto err_uninit_debugfs;
+
+ return 0;
++
++err_uninit_debugfs:
++ dss_uninitialize_debugfs();
++
++err_pm_runtime_disable:
++ pm_runtime_disable(&pdev->dev);
++ dss_uninit_ports(pdev);
++
++err_uninit_plls:
++ if (dss.video1_pll)
++ dss_video_pll_uninit(dss.video1_pll);
++ if (dss.video2_pll)
++ dss_video_pll_uninit(dss.video2_pll);
++
++err_put_clocks:
++ dss_put_clocks();
++
++ return r;
+ }
+
+ static int dss_remove(struct platform_device *pdev)
+@@ -1473,6 +1476,18 @@ static int dss_remove(struct platform_de
+
+ dss_uninitialize_debugfs();
+
++ pm_runtime_disable(&pdev->dev);
++
++ dss_uninit_ports(pdev);
++
++ if (dss.video1_pll)
++ dss_video_pll_uninit(dss.video1_pll);
++
++ if (dss.video2_pll)
++ dss_video_pll_uninit(dss.video2_pll);
++
++ dss_put_clocks();
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Eric Anholt <eric@anholt.net>
+Date: Fri, 9 Mar 2018 15:33:32 -0800
+Subject: drm/panel: simple: Fix the bus format for the Ontat panel
+
+From: Eric Anholt <eric@anholt.net>
+
+[ Upstream commit 5651e5e094591f479adad5830ac1bc45196a39b3 ]
+
+This fixes bad color output. When I was first testing the device I
+had the DPI hardware set to 666 mode, but apparently in the refactor
+to use the bus_format information from the panel driver, I failed to
+actually update the panel.
+
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Fixes: e8b6f561b2ee ("drm/panel: simple: Add the 7" DPI panel from Adafruit")
+Cc: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180309233332.1769-1-eric@anholt.net
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -1561,7 +1561,7 @@ static const struct panel_desc ontat_yx7
+ .width = 154,
+ .height = 83,
+ },
+- .bus_format = MEDIA_BUS_FMT_RGB888_1X24,
++ .bus_format = MEDIA_BUS_FMT_RGB666_1X18,
+ };
+
+ static const struct drm_display_mode ortustech_com43h4m85ulc_mode = {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Fri, 12 Jan 2018 23:12:05 +0300
+Subject: drm: rcar-du: lvds: Fix LVDS startup on R-Car Gen2
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit 8525d04ba8a6a9ecfa4bd619c988ca873a5fc2a4 ]
+
+According to the latest revision 2.00 of the R-Car Gen2 manual, the LVDS
+and the bias circuit must be enabled after the LVDS I/O pins are
+enabled, not before. Fix the Gen2 LVDS startup sequence accordingly.
+
+While at it, also fix the comment preceding the first LVDCR0 write that
+still talks about hardcoding the LVDS mode 0.
+
+Fixes: 90374b5c25c9 ("drm/rcar-du: Add internal LVDS encoder support")
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Tested-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c
++++ b/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c
+@@ -59,11 +59,8 @@ static void rcar_du_lvdsenc_start_gen2(s
+
+ rcar_lvds_write(lvds, LVDPLLCR, pllcr);
+
+- /*
+- * Select the input, hardcode mode 0, enable LVDS operation and turn
+- * bias circuitry on.
+- */
+- lvdcr0 = (lvds->mode << LVDCR0_LVMD_SHIFT) | LVDCR0_BEN | LVDCR0_LVEN;
++ /* Select the input and set the LVDS mode. */
++ lvdcr0 = lvds->mode << LVDCR0_LVMD_SHIFT;
+ if (rcrtc->index == 2)
+ lvdcr0 |= LVDCR0_DUSEL;
+ rcar_lvds_write(lvds, LVDCR0, lvdcr0);
+@@ -74,6 +71,10 @@ static void rcar_du_lvdsenc_start_gen2(s
+ LVDCR1_CHSTBY_GEN2(1) | LVDCR1_CHSTBY_GEN2(0) |
+ LVDCR1_CLKSTBY_GEN2);
+
++ /* Enable LVDS operation and turn bias circuitry on. */
++ lvdcr0 |= LVDCR0_BEN | LVDCR0_LVEN;
++ rcar_lvds_write(lvds, LVDCR0, lvdcr0);
++
+ /*
+ * Turn the PLL on, wait for the startup delay, and turn the output
+ * on.
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Fri, 12 Jan 2018 23:12:04 +0300
+Subject: drm: rcar-du: lvds: Fix LVDS startup on R-Car Gen3
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit 796ceb9269626afaed3b4955c40d2c3d7a8c5d01 ]
+
+According to the latest revisions of the R-Car Gen3 manual, the LVDS mode
+must be set before the LVDS I/O pins are enabled, not after -- fix the
+Gen3 LVDS startup sequence accordingly.
+
+Fixes: e947eccbeba4 ("drm: rcar-du: Add support for LVDS mode selection")
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+[Updated comment in rcar_du_lvdsenc_start_gen3()]
+[Moved Gen2 startup comment update to separate commit]
+[Fixed =| typo]
+Tested-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c
++++ b/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c
+@@ -95,7 +95,7 @@ static void rcar_du_lvdsenc_start_gen3(s
+ u32 lvdcr0;
+ u32 pllcr;
+
+- /* PLL clock configuration */
++ /* Set the PLL clock configuration and LVDS mode. */
+ if (freq < 42000)
+ pllcr = LVDPLLCR_PLLDIVCNT_42M;
+ else if (freq < 85000)
+@@ -107,6 +107,9 @@ static void rcar_du_lvdsenc_start_gen3(s
+
+ rcar_lvds_write(lvds, LVDPLLCR, pllcr);
+
++ lvdcr0 = lvds->mode << LVDCR0_LVMD_SHIFT;
++ rcar_lvds_write(lvds, LVDCR0, lvdcr0);
++
+ /* Turn all the channels on. */
+ rcar_lvds_write(lvds, LVDCR1,
+ LVDCR1_CHSTBY_GEN3(3) | LVDCR1_CHSTBY_GEN3(2) |
+@@ -117,7 +120,7 @@ static void rcar_du_lvdsenc_start_gen3(s
+ * Turn the PLL on, set it to LVDS normal mode, wait for the startup
+ * delay and turn the output on.
+ */
+- lvdcr0 = (lvds->mode << LVDCR0_LVMD_SHIFT) | LVDCR0_PLLON;
++ lvdcr0 |= LVDCR0_PLLON;
+ rcar_lvds_write(lvds, LVDCR0, lvdcr0);
+
+ lvdcr0 |= LVDCR0_PWD;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Ørjan Eide" <orjan.eide@arm.com>
+Date: Tue, 30 Jan 2018 21:28:33 +0100
+Subject: drm/rockchip: Respect page offset for PRIME mmap calls
+
+From: "Ørjan Eide" <orjan.eide@arm.com>
+
+[ Upstream commit 57de50af162b67612da99207b061ade3239e57db ]
+
+When mapping external DMA-bufs through the PRIME mmap call, we might be
+given an offset which has to be respected. However for the internal DRM
+GEM mmap path, we have to ignore the fake mmap offset used to identify
+the buffer only. Currently the code always zeroes out vma->vm_pgoff,
+which breaks the former.
+
+This patch fixes the problem by moving the vm_pgoff assignment to a
+function that is used only for GEM mmap path, so that the PRIME path
+retains the original offset.
+
+Cc: Daniel Kurtz <djkurtz@chromium.org>
+Signed-off-by: Ørjan Eide <orjan.eide@arm.com>
+Signed-off-by: Tomasz Figa <tfiga@chromium.org>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Thierry Escande <thierry.escande@collabora.com>
+Tested-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180130202913.28724-4-thierry.escande@collabora.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
+@@ -262,7 +262,6 @@ static int rockchip_drm_gem_object_mmap(
+ * VM_PFNMAP flag that was set by drm_gem_mmap_obj()/drm_gem_mmap().
+ */
+ vma->vm_flags &= ~VM_PFNMAP;
+- vma->vm_pgoff = 0;
+
+ if (rk_obj->pages)
+ ret = rockchip_drm_gem_object_mmap_iommu(obj, vma);
+@@ -297,6 +296,12 @@ int rockchip_gem_mmap(struct file *filp,
+ if (ret)
+ return ret;
+
++ /*
++ * Set vm_pgoff (used as a fake buffer offset by DRM) to 0 and map the
++ * whole buffer from the start.
++ */
++ vma->vm_pgoff = 0;
++
+ obj = vma->vm_private_data;
+
+ return rockchip_drm_gem_object_mmap(obj, vma);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Giulio Benetti <giulio.benetti@micronovasrl.com>
+Date: Wed, 28 Feb 2018 17:46:53 +0100
+Subject: drm/sun4i: Fix dclk_set_phase
+
+From: Giulio Benetti <giulio.benetti@micronovasrl.com>
+
+[ Upstream commit e64b6afa98f3629d0c0c46233bbdbe8acdb56f06 ]
+
+Phase value is not shifted before writing.
+
+Shift left of 28 bits to fit right bits
+
+Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1519836413-35023-1-git-send-email-giulio.benetti@micronovasrl.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/sun4i/sun4i_dotclock.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/sun4i/sun4i_dotclock.c
++++ b/drivers/gpu/drm/sun4i/sun4i_dotclock.c
+@@ -129,10 +129,13 @@ static int sun4i_dclk_get_phase(struct c
+ static int sun4i_dclk_set_phase(struct clk_hw *hw, int degrees)
+ {
+ struct sun4i_dclk *dclk = hw_to_dclk(hw);
++ u32 val = degrees / 120;
++
++ val <<= 28;
+
+ regmap_update_bits(dclk->regmap, SUN4I_TCON0_IO_POL_REG,
+ GENMASK(29, 28),
+- degrees / 120);
++ val);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Maxime Ripard <maxime.ripard@bootlin.com>
+Date: Wed, 21 Feb 2018 13:57:02 +0100
+Subject: drm/sun4i: rgb: Fix potential division by zero
+
+From: Maxime Ripard <maxime.ripard@bootlin.com>
+
+[ Upstream commit 5af894bd20fa16970378cae8ff55917294e0d9dd ]
+
+In the case where mode_valid callback of our RGB connector was called
+before mode_set was being called, the range of dividers would not be set,
+resulting in a division by zero later on in the clk_round_rate logic.
+
+Set the range of dividers before calling clk_round_rate to fix this.
+
+Reviewed-by: Chen-Yu Tsai <wens@csie.org>
+Tested-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180221125703.4595-2-maxime.ripard@bootlin.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/sun4i/sun4i_rgb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/sun4i/sun4i_rgb.c
++++ b/drivers/gpu/drm/sun4i/sun4i_rgb.c
+@@ -92,6 +92,8 @@ static int sun4i_rgb_mode_valid(struct d
+
+ DRM_DEBUG_DRIVER("Vertical parameters OK\n");
+
++ tcon->dclk_min_div = 6;
++ tcon->dclk_max_div = 127;
+ rounded_rate = clk_round_rate(tcon->dclk, rate);
+ if (rounded_rate < rate)
+ return MODE_CLOCK_LOW;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Thierry Reding <treding@nvidia.com>
+Date: Sun, 18 Mar 2018 01:13:39 +0100
+Subject: drm/tegra: Shutdown on driver unbind
+
+From: Thierry Reding <treding@nvidia.com>
+
+[ Upstream commit 192b4af6cd28cdad9b42fd79c21a90a2aeb0bec7 ]
+
+Since commit 846c7dfc1193 ("drm/atomic: Try to preserve the crtc enabled
+state in drm_atomic_remove_fb, v2."), removing the last framebuffer will
+no longer disable the corresponding pipeline, which causes the KMS core
+to complain about leaked connectors on driver unbind.
+
+Fix this by calling drm_atomic_helper_shutdown() on driver unbind, which
+will cause all display pipelines to be shut down and therefore drop the
+extra references on the connectors.
+
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tegra/drm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/tegra/drm.c
++++ b/drivers/gpu/drm/tegra/drm.c
+@@ -250,6 +250,7 @@ static void tegra_drm_unload(struct drm_
+
+ drm_kms_helper_poll_fini(drm);
+ tegra_drm_fb_exit(drm);
++ drm_atomic_helper_shutdown(drm);
+ drm_mode_config_cleanup(drm);
+
+ err = host1x_device_exit(device);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Thomas Hellstrom <thellstrom@vmware.com>
+Date: Thu, 22 Mar 2018 10:35:18 +0100
+Subject: drm/vmwgfx: Unpin the screen object backup buffer when not used
+
+From: Thomas Hellstrom <thellstrom@vmware.com>
+
+[ Upstream commit 20fb5a635a0c8478ac98f15cfafc2ea83df29565 ]
+
+We were relying on the pinned screen object backup buffer to be destroyed
+when not used. But if we hold a copy of the atomic state, like when
+hibernating, the backup buffer might not be destroyed since it's
+refcounted by the atomic state. This causes us to hibernate with a
+buffer pinned in VRAM.
+
+Fix this by only having the buffer pinned when it is actually used by a
+screen object.
+
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Reviewed-by: Brian Paul <brianp@vmware.com>
+Reviewed-by: Sinclair Yeh <syeh@vmware.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c
+@@ -453,7 +453,11 @@ vmw_sou_primary_plane_cleanup_fb(struct
+ struct drm_plane_state *old_state)
+ {
+ struct vmw_plane_state *vps = vmw_plane_state_to_vps(old_state);
++ struct drm_crtc *crtc = plane->state->crtc ?
++ plane->state->crtc : old_state->crtc;
+
++ if (vps->dmabuf)
++ vmw_dmabuf_unpin(vmw_priv(crtc->dev), vps->dmabuf, false);
+ vmw_dmabuf_unreference(&vps->dmabuf);
+ vps->dmabuf_size = 0;
+
+@@ -491,10 +495,17 @@ vmw_sou_primary_plane_prepare_fb(struct
+ }
+
+ size = new_state->crtc_w * new_state->crtc_h * 4;
++ dev_priv = vmw_priv(crtc->dev);
+
+ if (vps->dmabuf) {
+- if (vps->dmabuf_size == size)
+- return 0;
++ if (vps->dmabuf_size == size) {
++ /*
++ * Note that this might temporarily up the pin-count
++ * to 2, until cleanup_fb() is called.
++ */
++ return vmw_dmabuf_pin_in_vram(dev_priv, vps->dmabuf,
++ true);
++ }
+
+ vmw_dmabuf_unreference(&vps->dmabuf);
+ vps->dmabuf_size = 0;
+@@ -504,7 +515,6 @@ vmw_sou_primary_plane_prepare_fb(struct
+ if (!vps->dmabuf)
+ return -ENOMEM;
+
+- dev_priv = vmw_priv(crtc->dev);
+ vmw_svga_enable(dev_priv);
+
+ /* After we have alloced the backing store might not be able to
+@@ -515,13 +525,16 @@ vmw_sou_primary_plane_prepare_fb(struct
+ &vmw_vram_ne_placement,
+ false, &vmw_dmabuf_bo_free);
+ vmw_overlay_resume_all(dev_priv);
+-
+- if (ret != 0)
++ if (ret) {
+ vps->dmabuf = NULL; /* vmw_dmabuf_init frees on error */
+- else
+- vps->dmabuf_size = size;
++ return ret;
++ }
+
+- return ret;
++ /*
++ * TTM already thinks the buffer is pinned, but make sure the
++ * pin_count is upped.
++ */
++ return vmw_dmabuf_pin_in_vram(dev_priv, vps->dmabuf, true);
+ }
+
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Icenowy Zheng <icenowy@aosc.io>
+Date: Fri, 16 Mar 2018 22:02:12 +0800
+Subject: dt-bindings: add device tree binding for Allwinner H6 main CCU
+
+From: Icenowy Zheng <icenowy@aosc.io>
+
+[ Upstream commit 2e08e4d2ff488424919d69dd211ac860a019ac1d ]
+
+The Allwinner H6 main CCU uses the internal oscillator of the SoC, which
+is different with old SoCs' main CCU.
+
+Add device tree binding for the Allwinner H6 main CCU.
+
+Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/clock/sunxi-ccu.txt | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/Documentation/devicetree/bindings/clock/sunxi-ccu.txt
++++ b/Documentation/devicetree/bindings/clock/sunxi-ccu.txt
+@@ -20,6 +20,7 @@ Required properties :
+ - "allwinner,sun50i-a64-ccu"
+ - "allwinner,sun50i-a64-r-ccu"
+ - "allwinner,sun50i-h5-ccu"
++ - "allwinner,sun50i-h6-ccu"
+ - "nextthing,gr8-ccu"
+
+ - reg: Must contain the registers base address and length
+@@ -31,6 +32,9 @@ Required properties :
+ - #clock-cells : must contain 1
+ - #reset-cells : must contain 1
+
++For the main CCU on H6, one more clock is needed:
++- "iosc": the SoC's internal frequency oscillator
++
+ For the PRCM CCUs on A83T/H3/A64, two more clocks are needed:
+ - "pll-periph": the SoC's peripheral PLL from the main CCU
+ - "iosc": the SoC's internal frequency oscillator
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Pierre-Yves Kerbrat <pkerbrat@kalray.eu>
+Date: Fri, 26 Jan 2018 11:24:12 +0100
+Subject: e1000e: allocate ring descriptors with dma_zalloc_coherent
+
+From: Pierre-Yves Kerbrat <pkerbrat@kalray.eu>
+
+[ Upstream commit aea3fca005fb45f80869f2e8d56fd4e64c1d1fdb ]
+
+Descriptor rings were not initialized at zero when allocated
+When area contained garbage data, it caused skb_over_panic in
+e1000_clean_rx_irq (if data had E1000_RXD_STAT_DD bit set)
+
+This patch makes use of dma_zalloc_coherent to make sure the
+ring is memset at 0 to prevent the area from containing garbage.
+
+Following is the signature of the panic:
+IODDR0@0.0: skbuff: skb_over_panic: text:80407b20 len:64010 put:64010 head:ab46d800 data:ab46d842 tail:0xab47d24c end:0xab46df40 dev:eth0
+IODDR0@0.0: BUG: failure at net/core/skbuff.c:105/skb_panic()!
+IODDR0@0.0: Kernel panic - not syncing: BUG!
+IODDR0@0.0:
+IODDR0@0.0: Process swapper/0 (pid: 0, threadinfo=81728000, task=8173cc00 ,cpu: 0)
+IODDR0@0.0: SP = <815a1c0c>
+IODDR0@0.0: Stack: 00000001
+IODDR0@0.0: b2d89800 815e33ac
+IODDR0@0.0: ea73c040 00000001
+IODDR0@0.0: 60040003 0000fa0a
+IODDR0@0.0: 00000002
+IODDR0@0.0:
+IODDR0@0.0: 804540c0 815a1c70
+IODDR0@0.0: b2744000 602ac070
+IODDR0@0.0: 815a1c44 b2d89800
+IODDR0@0.0: 8173cc00 815a1c08
+IODDR0@0.0:
+IODDR0@0.0: 00000006
+IODDR0@0.0: 815a1b50 00000000
+IODDR0@0.0: 80079434 00000001
+IODDR0@0.0: ab46df40 b2744000
+IODDR0@0.0: b2d89800
+IODDR0@0.0:
+IODDR0@0.0: 0000fa0a 8045745c
+IODDR0@0.0: 815a1c88 0000fa0a
+IODDR0@0.0: 80407b20 b2789f80
+IODDR0@0.0: 00000005 80407b20
+IODDR0@0.0:
+IODDR0@0.0:
+IODDR0@0.0: Call Trace:
+IODDR0@0.0: [<804540bc>] skb_panic+0xa4/0xa8
+IODDR0@0.0: [<80079430>] console_unlock+0x2f8/0x6d0
+IODDR0@0.0: [<80457458>] skb_put+0xa0/0xc0
+IODDR0@0.0: [<80407b1c>] e1000_clean_rx_irq+0x2dc/0x3e8
+IODDR0@0.0: [<80407b1c>] e1000_clean_rx_irq+0x2dc/0x3e8
+IODDR0@0.0: [<804079c8>] e1000_clean_rx_irq+0x188/0x3e8
+IODDR0@0.0: [<80407b1c>] e1000_clean_rx_irq+0x2dc/0x3e8
+IODDR0@0.0: [<80468b48>] __dev_kfree_skb_any+0x88/0xa8
+IODDR0@0.0: [<804101ac>] e1000e_poll+0x94/0x288
+IODDR0@0.0: [<8046e9d4>] net_rx_action+0x19c/0x4e8
+IODDR0@0.0: ...
+IODDR0@0.0: Maximum depth to print reached. Use kstack=<maximum_depth_to_print> To specify a custom value (where 0 means to display the full backtrace)
+IODDR0@0.0: ---[ end Kernel panic - not syncing: BUG!
+
+Signed-off-by: Pierre-Yves Kerbrat <pkerbrat@kalray.eu>
+Signed-off-by: Marius Gligor <mgligor@kalray.eu>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Reviewed-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -2329,8 +2329,8 @@ static int e1000_alloc_ring_dma(struct e
+ {
+ struct pci_dev *pdev = adapter->pdev;
+
+- ring->desc = dma_alloc_coherent(&pdev->dev, ring->size, &ring->dma,
+- GFP_KERNEL);
++ ring->desc = dma_zalloc_coherent(&pdev->dev, ring->size, &ring->dma,
++ GFP_KERNEL);
+ if (!ring->desc)
+ return -ENOMEM;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Benjamin Poirier <bpoirier@suse.com>
+Date: Tue, 20 Feb 2018 15:12:00 +0900
+Subject: e1000e: Fix check_for_link return value with autoneg off
+
+From: Benjamin Poirier <bpoirier@suse.com>
+
+[ Upstream commit 4e7dc08e57c95673d2edaba8983c3de4dd1f65f5 ]
+
+When autoneg is off, the .check_for_link callback functions clear the
+get_link_status flag and systematically return a "pseudo-error". This means
+that the link is not detected as up until the next execution of the
+e1000_watchdog_task() 2 seconds later.
+
+Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
+Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
+Acked-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/e1000e/ich8lan.c | 2 +-
+ drivers/net/ethernet/intel/e1000e/mac.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+@@ -1602,7 +1602,7 @@ static s32 e1000_check_for_copper_link_i
+ * we have already determined whether we have link or not.
+ */
+ if (!mac->autoneg)
+- return -E1000_ERR_CONFIG;
++ return 1;
+
+ /* Auto-Neg is enabled. Auto Speed Detection takes care
+ * of MAC speed/duplex configuration. So we only need to
+--- a/drivers/net/ethernet/intel/e1000e/mac.c
++++ b/drivers/net/ethernet/intel/e1000e/mac.c
+@@ -450,7 +450,7 @@ s32 e1000e_check_for_copper_link(struct
+ * we have already determined whether we have link or not.
+ */
+ if (!mac->autoneg)
+- return -E1000_ERR_CONFIG;
++ return 1;
+
+ /* Auto-Neg is enabled. Auto Speed Detection takes care
+ * of MAC speed/duplex configuration. So we only need to
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Thu, 8 Mar 2018 08:00:09 +0000
+Subject: efi/arm*: Only register page tables when they exist
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 6b31a2fa1e8f7bc6c2a474b4a12dad7a145cf83d ]
+
+Currently the arm/arm64 runtime code registers the runtime servies
+pagetables with ptdump regardless of whether runtime services page
+tables have been created.
+
+As efi_mm.pgd is NULL in these cases, attempting to dump the efi page
+tables results in a NULL pointer dereference in the ptdump code:
+
+/sys/kernel/debug# cat efi_page_tables
+[ 479.522600] Unable to handle kernel NULL pointer dereference at virtual address 00000000
+[ 479.522715] Mem abort info:
+[ 479.522764] ESR = 0x96000006
+[ 479.522850] Exception class = DABT (current EL), IL = 32 bits
+[ 479.522899] SET = 0, FnV = 0
+[ 479.522937] EA = 0, S1PTW = 0
+[ 479.528200] Data abort info:
+[ 479.528230] ISV = 0, ISS = 0x00000006
+[ 479.528317] CM = 0, WnR = 0
+[ 479.528317] user pgtable: 4k pages, 48-bit VAs, pgd = 0000000064ab0cb0
+[ 479.528449] [0000000000000000] *pgd=00000000fbbe4003, *pud=00000000fb66e003, *pmd=0000000000000000
+[ 479.528600] Internal error: Oops: 96000006 [#1] PREEMPT SMP
+[ 479.528664] Modules linked in:
+[ 479.528699] CPU: 0 PID: 2457 Comm: cat Not tainted 4.15.0-rc3-00065-g2ad2ee7ecb5c-dirty #7
+[ 479.528799] Hardware name: FVP Base (DT)
+[ 479.528899] pstate: 00400009 (nzcv daif +PAN -UAO)
+[ 479.528941] pc : walk_pgd.isra.1+0x20/0x1d0
+[ 479.529011] lr : ptdump_walk_pgd+0x30/0x50
+[ 479.529105] sp : ffff00000bf4bc20
+[ 479.529185] x29: ffff00000bf4bc20 x28: 0000ffff9d22e000
+[ 479.529271] x27: 0000000000020000 x26: ffff80007b4c63c0
+[ 479.529358] x25: 00000000014000c0 x24: ffff80007c098900
+[ 479.529445] x23: ffff00000bf4beb8 x22: 0000000000000000
+[ 479.529532] x21: ffff00000bf4bd70 x20: 0000000000000001
+[ 479.529618] x19: ffff00000bf4bcb0 x18: 0000000000000000
+[ 479.529760] x17: 000000000041a1c8 x16: ffff0000082139d8
+[ 479.529800] x15: 0000ffff9d3c6030 x14: 0000ffff9d2527f4
+[ 479.529924] x13: 00000000000003f3 x12: 0000000000000038
+[ 479.530000] x11: 0000000000000003 x10: 0101010101010101
+[ 479.530099] x9 : 0000000017e94050 x8 : 000000000000003f
+[ 479.530226] x7 : 0000000000000000 x6 : 0000000000000000
+[ 479.530313] x5 : 0000000000000001 x4 : 0000000000000000
+[ 479.530416] x3 : ffff000009069fd8 x2 : 0000000000000000
+[ 479.530500] x1 : 0000000000000000 x0 : 0000000000000000
+[ 479.530599] Process cat (pid: 2457, stack limit = 0x000000005d1b0e6f)
+[ 479.530660] Call trace:
+[ 479.530746] walk_pgd.isra.1+0x20/0x1d0
+[ 479.530833] ptdump_walk_pgd+0x30/0x50
+[ 479.530907] ptdump_show+0x10/0x20
+[ 479.530920] seq_read+0xc8/0x470
+[ 479.531023] full_proxy_read+0x60/0x90
+[ 479.531100] __vfs_read+0x18/0x100
+[ 479.531180] vfs_read+0x88/0x160
+[ 479.531267] SyS_read+0x48/0xb0
+[ 479.531299] el0_svc_naked+0x20/0x24
+[ 479.531400] Code: 91400420 f90033a0 a90707a2 f9403fa0 (f9400000)
+[ 479.531499] ---[ end trace bfe8e28d8acb2b67 ]---
+Segmentation fault
+
+Let's avoid this problem by only registering the tables after their
+successful creation, which is also less confusing when EFI runtime
+services are not in use.
+
+Reported-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180308080020.22828-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/arm-runtime.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/firmware/efi/arm-runtime.c
++++ b/drivers/firmware/efi/arm-runtime.c
+@@ -54,6 +54,9 @@ static struct ptdump_info efi_ptdump_inf
+
+ static int __init ptdump_init(void)
+ {
++ if (!efi_enabled(EFI_RUNTIME_SERVICES))
++ return 0;
++
+ return ptdump_debugfs_register(&efi_ptdump_info, "efi_page_tables");
+ }
+ device_initcall(ptdump_init);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Date: Thu, 1 Mar 2018 11:07:23 -0800
+Subject: enic: enable rq before updating rq descriptors
+
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+
+[ Upstream commit e8588e268509292550634d9a35f2723a207683b2 ]
+
+rq should be enabled before posting the buffers to rq desc. If not hw sees
+stale value and casuses DMAR errors.
+
+Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -1897,6 +1897,8 @@ static int enic_open(struct net_device *
+ }
+
+ for (i = 0; i < enic->rq_count; i++) {
++ /* enable rq before updating rq desc */
++ vnic_rq_enable(&enic->rq[i]);
+ vnic_rq_fill(&enic->rq[i], enic_rq_alloc_buf);
+ /* Need at least one buffer on ring to get going */
+ if (vnic_rq_desc_used(&enic->rq[i]) == 0) {
+@@ -1908,8 +1910,6 @@ static int enic_open(struct net_device *
+
+ for (i = 0; i < enic->wq_count; i++)
+ vnic_wq_enable(&enic->wq[i]);
+- for (i = 0; i < enic->rq_count; i++)
+- vnic_rq_enable(&enic->rq[i]);
+
+ if (!enic_is_dynamic(enic) && !enic_is_sriov_vf(enic))
+ enic_dev_add_station_addr(enic);
+@@ -1935,8 +1935,12 @@ static int enic_open(struct net_device *
+ return 0;
+
+ err_out_free_rq:
+- for (i = 0; i < enic->rq_count; i++)
++ for (i = 0; i < enic->rq_count; i++) {
++ err = vnic_rq_disable(&enic->rq[i]);
++ if (err)
++ return err;
+ vnic_rq_clean(&enic->rq[i], enic_free_rq_buf);
++ }
+ enic_dev_notify_unset(enic);
+ err_out_free_intr:
+ enic_unset_affinity_hint(enic);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Thu, 22 Mar 2018 11:59:00 -0400
+Subject: ext4: don't complain about incorrect features when probing
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+[ Upstream commit 0d9366d67bcf066b028e57d09c9a86ce879bcc28 ]
+
+If mount is auto-probing for filesystem type, it will try various
+filesystems in order, with the MS_SILENT flag set. We get
+that flag as the silent arg to ext4_fill_super.
+
+If we're probing (silent==1) then don't complain about feature
+incompatibilities that are found if it looks like it's actually
+a different valid extN type - failed probes should be silent
+in this case.
+
+If the on-disk features are unknown even to ext4, then complain.
+
+Reported-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
+Tested-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3663,6 +3663,12 @@ static int ext4_fill_super(struct super_
+ ext4_msg(sb, KERN_INFO, "mounting ext2 file system "
+ "using the ext4 subsystem");
+ else {
++ /*
++ * If we're probing be silent, if this looks like
++ * it's actually an ext[34] filesystem.
++ */
++ if (silent && ext4_feature_set_ok(sb, sb_rdonly(sb)))
++ goto failed_mount;
+ ext4_msg(sb, KERN_ERR, "couldn't mount as ext2 due "
+ "to feature incompatibilities");
+ goto failed_mount;
+@@ -3674,6 +3680,12 @@ static int ext4_fill_super(struct super_
+ ext4_msg(sb, KERN_INFO, "mounting ext3 file system "
+ "using the ext4 subsystem");
+ else {
++ /*
++ * If we're probing be silent, if this looks like
++ * it's actually an ext4 filesystem.
++ */
++ if (silent && ext4_feature_set_ok(sb, sb_rdonly(sb)))
++ goto failed_mount;
+ ext4_msg(sb, KERN_ERR, "couldn't mount as ext3 due "
+ "to feature incompatibilities");
+ goto failed_mount;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Chao Yu <yuchao0@huawei.com>
+Date: Sat, 27 Jan 2018 17:29:49 +0800
+Subject: f2fs: fix to check extent cache in f2fs_drop_extent_tree
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit bf617f7a92edc6bb2909db2bfa4576f50b280ee5 ]
+
+If noextent_cache mount option is on, we will never initialize extent tree
+in inode, but still we're going to access it in f2fs_drop_extent_tree,
+result in kernel panic as below:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
+ IP: _raw_write_lock+0xc/0x30
+ Call Trace:
+ ? f2fs_drop_extent_tree+0x41/0x70 [f2fs]
+ f2fs_fallocate+0x5a0/0xdd0 [f2fs]
+ ? common_file_perm+0x47/0xc0
+ ? apparmor_file_permission+0x1a/0x20
+ vfs_fallocate+0x15b/0x290
+ SyS_fallocate+0x44/0x70
+ do_syscall_64+0x6e/0x160
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+This patch fixes to check extent cache status before using in
+f2fs_drop_extent_tree.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/extent_cache.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/f2fs/extent_cache.c
++++ b/fs/f2fs/extent_cache.c
+@@ -706,6 +706,9 @@ void f2fs_drop_extent_tree(struct inode
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+ struct extent_tree *et = F2FS_I(inode)->extent_tree;
+
++ if (!f2fs_may_extent_tree(inode))
++ return;
++
+ set_inode_flag(inode, FI_NO_EXTENT);
+
+ write_lock(&et->lock);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Chao Yu <yuchao0@huawei.com>
+Date: Wed, 31 Jan 2018 09:30:34 +0800
+Subject: f2fs: fix to clear CP_TRIMMED_FLAG
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit cd36d7a17f9da68be9aa67185ba3ad7969934a19 ]
+
+Once CP_TRIMMED_FLAG is set, after a reboot, we will never issue discard
+before LBA becomes invalid again, fix it by clearing the flag in
+checkpoint without CP_TRIMMED reason.
+
+Fixes: 1f43e2ad7bff ("f2fs: introduce CP_TRIMMED_FLAG to avoid unneeded discard")
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/checkpoint.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/f2fs/checkpoint.c
++++ b/fs/f2fs/checkpoint.c
+@@ -1108,6 +1108,8 @@ static void update_ckpt_flags(struct f2f
+
+ if (cpc->reason & CP_TRIMMED)
+ __set_ckpt_flags(ckpt, CP_TRIMMED_FLAG);
++ else
++ __clear_ckpt_flags(ckpt, CP_TRIMMED_FLAG);
+
+ if (cpc->reason & CP_UMOUNT)
+ __set_ckpt_flags(ckpt, CP_UMOUNT_FLAG);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Chao Yu <yuchao0@huawei.com>
+Date: Sun, 25 Feb 2018 23:38:21 +0800
+Subject: f2fs: fix to set KEEP_SIZE bit in f2fs_zero_range
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 17cd07ae95073c298af92c1ba14ac58ce84de33b ]
+
+As Jayashree Mohan reported:
+
+A simple workload to reproduce this would be :
+1. create foo
+2. Write (8K - 16K) // foo size = 16K now
+3. fsync()
+4. falloc zero_range , keep_size (4202496 - 4210688) // foo size must be 16K
+5. fdatasync()
+Crash now
+
+On recovery, we see that the file size is 4210688 and not 16K, which
+violates the semantics of keep_size flag. We have a test case to
+reproduce this using CrashMonkey on 4.15 kernel. Try this out by
+simply running :
+ ./c_harness -f /dev/sda -d /dev/cow_ram0 -t f2fs -e 102400 -P -v
+ tests/generic_468_zero.so
+
+The root cause is that we miss to set KEEP_SIZE bit correctly in zero_range
+when zeroing block cross EOF with FALLOC_FL_KEEP_SIZE, let's fix this
+missing case.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/file.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -1321,8 +1321,12 @@ static int f2fs_zero_range(struct inode
+ }
+
+ out:
+- if (!(mode & FALLOC_FL_KEEP_SIZE) && i_size_read(inode) < new_size)
+- f2fs_i_size_write(inode, new_size);
++ if (new_size > i_size_read(inode)) {
++ if (mode & FALLOC_FL_KEEP_SIZE)
++ file_set_keep_isize(inode);
++ else
++ f2fs_i_size_write(inode, new_size);
++ }
+ out_sem:
+ up_write(&F2FS_I(inode)->i_mmap_sem);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Peter Malone <peter.malone@gmail.com>
+Date: Wed, 7 Mar 2018 14:00:34 +0100
+Subject: fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().
+
+From: Peter Malone <peter.malone@gmail.com>
+
+[ Upstream commit 250c6c49e3b68756b14983c076183568636e2bde ]
+
+Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in
+sbusfb_ioctl_helper().
+
+'index' is defined as an int in sbusfb_ioctl_helper().
+We retrieve this from the user:
+if (get_user(index, &c->index) ||
+ __get_user(count, &c->count) ||
+ __get_user(ured, &c->red) ||
+ __get_user(ugreen, &c->green) ||
+ __get_user(ublue, &c->blue))
+ return -EFAULT;
+
+and then we use 'index' in the following way:
+red = cmap->red[index + i] >> 8;
+green = cmap->green[index + i] >> 8;
+blue = cmap->blue[index + i] >> 8;
+
+This is a classic information leak vulnerability. 'index' should be
+an unsigned int, given its usage above.
+
+This patch is straight-forward; it changes 'index' to unsigned int
+in two switch-cases: FBIOGETCMAP_SPARC && FBIOPUTCMAP_SPARC.
+
+This patch fixes CVE-2018-6412.
+
+Signed-off-by: Peter Malone <peter.malone@gmail.com>
+Acked-by: Mathieu Malaterre <malat@debian.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/sbuslib.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/sbuslib.c
++++ b/drivers/video/fbdev/sbuslib.c
+@@ -122,7 +122,7 @@ int sbusfb_ioctl_helper(unsigned long cm
+ unsigned char __user *ured;
+ unsigned char __user *ugreen;
+ unsigned char __user *ublue;
+- int index, count, i;
++ unsigned int index, count, i;
+
+ if (get_user(index, &c->index) ||
+ __get_user(count, &c->count) ||
+@@ -161,7 +161,7 @@ int sbusfb_ioctl_helper(unsigned long cm
+ unsigned char __user *ugreen;
+ unsigned char __user *ublue;
+ struct fb_cmap *cmap = &info->cmap;
+- int index, count, i;
++ unsigned int index, count, i;
+ u8 red, green, blue;
+
+ if (get_user(index, &c->index) ||
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jean Delvare <jdelvare@suse.de>
+Date: Fri, 13 Apr 2018 15:37:59 +0200
+Subject: firmware: dmi_scan: Fix UUID length safety check
+
+From: Jean Delvare <jdelvare@suse.de>
+
+[ Upstream commit 90fe6f8ff00a07641ca893d64f75ca22ce77cca2 ]
+
+The test which ensures that the DMI type 1 structure is long enough
+to hold the UUID is off by one. It would fail if the structure is
+exactly 24 bytes long, while that's sufficient to hold the UUID.
+
+I don't expect this bug to cause problem in practice because all
+implementations I have seen had length 8, 25 or 27 bytes, in line
+with the SMBIOS specifications. But let's fix it still.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Fixes: a814c3597a6b ("firmware: dmi_scan: Check DMI structure length")
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/dmi_scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/dmi_scan.c
++++ b/drivers/firmware/dmi_scan.c
+@@ -191,7 +191,7 @@ static void __init dmi_save_uuid(const s
+ char *s;
+ int is_ff = 1, is_00 = 1, i;
+
+- if (dmi_ident[slot] || dm->length <= index + 16)
++ if (dmi_ident[slot] || dm->length < index + 16)
+ return;
+
+ d = (u8 *) dm + index;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Carlos Maiolino <cmaiolino@redhat.com>
+Date: Tue, 10 Apr 2018 22:39:04 -0700
+Subject: Force log to disk before reading the AGF during a fstrim
+
+From: Carlos Maiolino <cmaiolino@redhat.com>
+
+[ Upstream commit 8c81dd46ef3c416b3b95e3020fb90dbd44e6140b ]
+
+Forcing the log to disk after reading the agf is wrong, we might be
+calling xfs_log_force with XFS_LOG_SYNC with a metadata lock held.
+
+This can cause a deadlock when racing a fstrim with a filesystem
+shutdown.
+
+The deadlock has been identified due a miscalculation bug in device-mapper
+dm-thin, which returns lack of space to its users earlier than the device itself
+really runs out of space, changing the device-mapper volume into an error state.
+
+The problem happened while filling the filesystem with a single file,
+triggering the bug in device-mapper, consequently causing an IO error
+and shutting down the filesystem.
+
+If such file is removed, and fstrim executed before the XFS finishes the
+shut down process, the fstrim process will end up holding the buffer
+lock, and going to sleep on the cil wait queue.
+
+At this point, the shut down process will try to wake up all the threads
+waiting on the cil wait queue, but for this, it will try to hold the
+same buffer log already held my the fstrim, locking up the filesystem.
+
+Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_discard.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/xfs/xfs_discard.c
++++ b/fs/xfs/xfs_discard.c
+@@ -50,19 +50,19 @@ xfs_trim_extents(
+
+ pag = xfs_perag_get(mp, agno);
+
+- error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp);
+- if (error || !agbp)
+- goto out_put_perag;
+-
+- cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT);
+-
+ /*
+ * Force out the log. This means any transactions that might have freed
+- * space before we took the AGF buffer lock are now on disk, and the
++ * space before we take the AGF buffer lock are now on disk, and the
+ * volatile disk cache is flushed.
+ */
+ xfs_log_force(mp, XFS_LOG_SYNC);
+
++ error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp);
++ if (error || !agbp)
++ goto out_put_perag;
++
++ cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT);
++
+ /*
+ * Look up the longest btree in the AGF and start with it.
+ */
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Will Deacon <will.deacon@arm.com>
+Date: Mon, 19 Feb 2018 14:55:54 +0000
+Subject: fs: dcache: Avoid livelock between d_alloc_parallel and __d_add
+
+From: Will Deacon <will.deacon@arm.com>
+
+[ Upstream commit 015555fd4d2930bc0c86952c46ad88b3392f66e4 ]
+
+If d_alloc_parallel runs concurrently with __d_add, it is possible for
+d_alloc_parallel to continuously retry whilst i_dir_seq has been
+incremented to an odd value by __d_add:
+
+CPU0:
+__d_add
+ n = start_dir_add(dir);
+ cmpxchg(&dir->i_dir_seq, n, n + 1) == n
+
+CPU1:
+d_alloc_parallel
+retry:
+ seq = smp_load_acquire(&parent->d_inode->i_dir_seq) & ~1;
+ hlist_bl_lock(b);
+ bit_spin_lock(0, (unsigned long *)b); // Always succeeds
+
+CPU0:
+ __d_lookup_done(dentry)
+ hlist_bl_lock
+ bit_spin_lock(0, (unsigned long *)b); // Never succeeds
+
+CPU1:
+ if (unlikely(parent->d_inode->i_dir_seq != seq)) {
+ hlist_bl_unlock(b);
+ goto retry;
+ }
+
+Since the simple bit_spin_lock used to implement hlist_bl_lock does not
+provide any fairness guarantees, then CPU1 can starve CPU0 of the lock
+and prevent it from reaching end_dir_add(dir), therefore CPU1 cannot
+exit its retry loop because the sequence number always has the bottom
+bit set.
+
+This patch resolves the livelock by not taking hlist_bl_lock in
+d_alloc_parallel if the sequence counter is odd, since any subsequent
+masked comparison with i_dir_seq will fail anyway.
+
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Reported-by: Naresh Madhusudana <naresh.madhusudana@arm.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Matthew Wilcox <mawilcox@microsoft.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dcache.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -2460,7 +2460,7 @@ struct dentry *d_alloc_parallel(struct d
+
+ retry:
+ rcu_read_lock();
+- seq = smp_load_acquire(&parent->d_inode->i_dir_seq) & ~1;
++ seq = smp_load_acquire(&parent->d_inode->i_dir_seq);
+ r_seq = read_seqbegin(&rename_lock);
+ dentry = __d_lookup_rcu(parent, name, &d_seq);
+ if (unlikely(dentry)) {
+@@ -2481,6 +2481,12 @@ retry:
+ rcu_read_unlock();
+ goto retry;
+ }
++
++ if (unlikely(seq & 1)) {
++ rcu_read_unlock();
++ goto retry;
++ }
++
+ hlist_bl_lock(b);
+ if (unlikely(parent->d_inode->i_dir_seq != seq)) {
+ hlist_bl_unlock(b);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Will Deacon <will.deacon@arm.com>
+Date: Mon, 19 Feb 2018 14:55:55 +0000
+Subject: fs: dcache: Use READ_ONCE when accessing i_dir_seq
+
+From: Will Deacon <will.deacon@arm.com>
+
+[ Upstream commit 8cc07c808c9d595e81cbe5aad419b7769eb2e5c9 ]
+
+i_dir_seq is subject to concurrent modification by a cmpxchg or
+store-release operation, so ensure that the relaxed access in
+d_alloc_parallel uses READ_ONCE.
+
+Reported-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dcache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -2488,7 +2488,7 @@ retry:
+ }
+
+ hlist_bl_lock(b);
+- if (unlikely(parent->d_inode->i_dir_seq != seq)) {
++ if (unlikely(READ_ONCE(parent->d_inode->i_dir_seq) != seq)) {
+ hlist_bl_unlock(b);
+ rcu_read_unlock();
+ goto retry;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Danilo Krummrich <danilokrummrich@dk-develop.de>
+Date: Tue, 10 Apr 2018 16:31:38 -0700
+Subject: fs/proc/proc_sysctl.c: fix potential page fault while unregistering sysctl table
+
+From: Danilo Krummrich <danilokrummrich@dk-develop.de>
+
+[ Upstream commit a0b0d1c345d0317efe594df268feb5ccc99f651e ]
+
+proc_sys_link_fill_cache() does not take currently unregistering sysctl
+tables into account, which might result into a page fault in
+sysctl_follow_link() - add a check to fix it.
+
+This bug has been present since v3.4.
+
+Link: http://lkml.kernel.org/r/20180228013506.4915-1-danilokrummrich@dk-develop.de
+Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets")
+Signed-off-by: Danilo Krummrich <danilokrummrich@dk-develop.de>
+Acked-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: "Luis R . Rodriguez" <mcgrof@kernel.org>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/proc_sysctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -707,7 +707,10 @@ static bool proc_sys_link_fill_cache(str
+ struct ctl_table *table)
+ {
+ bool ret = true;
++
+ head = sysctl_head_grab(head);
++ if (IS_ERR(head))
++ return false;
+
+ if (S_ISLNK(table->mode)) {
+ /* It is not an error if we can not follow the link ignore it */
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Mon, 12 Feb 2018 13:18:38 -0800
+Subject: fs/signalfd: fix build error for BUS_MCEERR_AR
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 9026e820cbd2ea39a06a129ecdddf2739bd3602b ]
+
+Fix build error in fs/signalfd.c by using same method that is used in
+kernel/signal.c: separate blocks for different signal si_code values.
+
+./fs/signalfd.c: error: 'BUS_MCEERR_AR' undeclared (first use in this function)
+
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/signalfd.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/fs/signalfd.c
++++ b/fs/signalfd.c
+@@ -118,13 +118,22 @@ static int signalfd_copyinfo(struct sign
+ err |= __put_user(kinfo->si_trapno, &uinfo->ssi_trapno);
+ #endif
+ #ifdef BUS_MCEERR_AO
+- /*
++ /*
+ * Other callers might not initialize the si_lsb field,
+ * so check explicitly for the right codes here.
+ */
+ if (kinfo->si_signo == SIGBUS &&
+- (kinfo->si_code == BUS_MCEERR_AR ||
+- kinfo->si_code == BUS_MCEERR_AO))
++ kinfo->si_code == BUS_MCEERR_AO)
++ err |= __put_user((short) kinfo->si_addr_lsb,
++ &uinfo->ssi_addr_lsb);
++#endif
++#ifdef BUS_MCEERR_AR
++ /*
++ * Other callers might not initialize the si_lsb field,
++ * so check explicitly for the right codes here.
++ */
++ if (kinfo->si_signo == SIGBUS &&
++ kinfo->si_code == BUS_MCEERR_AR)
+ err |= __put_user((short) kinfo->si_addr_lsb,
+ &uinfo->ssi_addr_lsb);
+ #endif
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 4 Apr 2018 13:41:26 +0100
+Subject: fscache: Fix hanging wait on page discarded by writeback
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 2c98425720233ae3e135add0c7e869b32913502f ]
+
+If the fscache asynchronous write operation elects to discard a page that's
+pending storage to the cache because the page would be over the store limit
+then it needs to wake the page as someone may be waiting on completion of
+the write.
+
+The problem is that the store limit may be updated by a different
+asynchronous operation - and so may miss the write - and that the store
+limit may not even get updated until later by the netfs.
+
+Fix the kernel hang by making fscache_write_op() mark as written any pages
+that are over the limit.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fscache/page.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/fscache/page.c
++++ b/fs/fscache/page.c
+@@ -776,6 +776,7 @@ static void fscache_write_op(struct fsca
+
+ _enter("{OP%x,%d}", op->op.debug_id, atomic_read(&op->op.usage));
+
++again:
+ spin_lock(&object->lock);
+ cookie = object->cookie;
+
+@@ -816,10 +817,6 @@ static void fscache_write_op(struct fsca
+ goto superseded;
+ page = results[0];
+ _debug("gang %d [%lx]", n, page->index);
+- if (page->index >= op->store_limit) {
+- fscache_stat(&fscache_n_store_pages_over_limit);
+- goto superseded;
+- }
+
+ radix_tree_tag_set(&cookie->stores, page->index,
+ FSCACHE_COOKIE_STORING_TAG);
+@@ -829,6 +826,9 @@ static void fscache_write_op(struct fsca
+ spin_unlock(&cookie->stores_lock);
+ spin_unlock(&object->lock);
+
++ if (page->index >= op->store_limit)
++ goto discard_page;
++
+ fscache_stat(&fscache_n_store_pages);
+ fscache_stat(&fscache_n_cop_write_page);
+ ret = object->cache->ops->write_page(op, page);
+@@ -844,6 +844,11 @@ static void fscache_write_op(struct fsca
+ _leave("");
+ return;
+
++discard_page:
++ fscache_stat(&fscache_n_store_pages_over_limit);
++ fscache_end_page_write(object, page);
++ goto again;
++
+ superseded:
+ /* this writer is going away and there aren't any more things to
+ * write */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Denis Kirjanov <kda@linux-powerpc.org>
+Date: Sun, 4 Mar 2018 21:48:17 +0300
+Subject: fsl/fman: avoid sleeping in atomic context while adding an address
+
+From: Denis Kirjanov <kda@linux-powerpc.org>
+
+[ Upstream commit 803fafbe0cd522fa6b9e41ca3b96cfb2e2a2222d ]
+
+__dev_mc_add grabs an adress spinlock so use
+atomic context in kmalloc.
+
+/ # ifconfig eth0 inet 192.168.0.111
+[ 89.331622] BUG: sleeping function called from invalid context at mm/slab.h:420
+[ 89.339002] in_atomic(): 1, irqs_disabled(): 0, pid: 1035, name: ifconfig
+[ 89.345799] 2 locks held by ifconfig/1035:
+[ 89.349908] #0: (rtnl_mutex){+.+.}, at: [<(ptrval)>] devinet_ioctl+0xc0/0x8a0
+[ 89.357258] #1: (_xmit_ETHER){+...}, at: [<(ptrval)>] __dev_mc_add+0x28/0x80
+[ 89.364520] CPU: 1 PID: 1035 Comm: ifconfig Not tainted 4.16.0-rc3-dirty #8
+[ 89.371464] Call Trace:
+[ 89.373908] [e959db60] [c066f948] dump_stack+0xa4/0xfc (unreliable)
+[ 89.380177] [e959db80] [c00671d8] ___might_sleep+0x248/0x280
+[ 89.385833] [e959dba0] [c01aec34] kmem_cache_alloc_trace+0x174/0x320
+[ 89.392179] [e959dbd0] [c04ab920] dtsec_add_hash_mac_address+0x130/0x240
+[ 89.398874] [e959dc00] [c04a9d74] set_multi+0x174/0x1b0
+[ 89.404093] [e959dc30] [c04afb68] dpaa_set_rx_mode+0x68/0xe0
+[ 89.409745] [e959dc40] [c057baf8] __dev_mc_add+0x58/0x80
+[ 89.415052] [e959dc60] [c060fd64] igmp_group_added+0x164/0x190
+[ 89.420878] [e959dca0] [c060ffa8] ip_mc_inc_group+0x218/0x460
+[ 89.426617] [e959dce0] [c06120fc] ip_mc_up+0x3c/0x190
+[ 89.431662] [e959dd10] [c0607270] inetdev_event+0x250/0x620
+[ 89.437227] [e959dd50] [c005f190] notifier_call_chain+0x80/0xf0
+[ 89.443138] [e959dd80] [c0573a74] __dev_notify_flags+0x54/0xf0
+[ 89.448964] [e959dda0] [c05743f8] dev_change_flags+0x48/0x60
+[ 89.454615] [e959ddc0] [c0606744] devinet_ioctl+0x544/0x8a0
+[ 89.460180] [e959de10] [c060987c] inet_ioctl+0x9c/0x1f0
+[ 89.465400] [e959de80] [c05479a8] sock_ioctl+0x168/0x460
+[ 89.470708] [e959ded0] [c01cf3ec] do_vfs_ioctl+0xac/0x8c0
+[ 89.476099] [e959df20] [c01cfc40] SyS_ioctl+0x40/0xc0
+[ 89.481147] [e959df40] [c0011318] ret_from_syscall+0x0/0x3c
+[ 89.486715] --- interrupt: c01 at 0x1006943c
+[ 89.486715] LR = 0x100c45ec
+
+Signed-off-by: Denis Kirjanov <kda@linux-powerpc.org>
+Acked-by: Madalin Bucur <madalin.bucur@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/fman/fman_dtsec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/fman/fman_dtsec.c
++++ b/drivers/net/ethernet/freescale/fman/fman_dtsec.c
+@@ -1100,7 +1100,7 @@ int dtsec_add_hash_mac_address(struct fm
+ set_bucket(dtsec->regs, bucket, true);
+
+ /* Create element to be added to the driver hash table */
+- hash_entry = kmalloc(sizeof(*hash_entry), GFP_KERNEL);
++ hash_entry = kmalloc(sizeof(*hash_entry), GFP_ATOMIC);
+ if (!hash_entry)
+ return -ENOMEM;
+ hash_entry->addr = addr;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Tue, 20 Feb 2018 08:03:24 -0700
+Subject: gfs2: Fix fallocate chunk size
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit 174d1232ebc84fcde8f5889d1171c9c7e74a10a7 ]
+
+The chunk size of allocations in __gfs2_fallocate is calculated
+incorrectly. The size can collapse, causing __gfs2_fallocate to
+allocate one block at a time, which is very inefficient. This needs
+fixing in two places:
+
+In gfs2_quota_lock_check, always set ap->allowed to UINT_MAX to indicate
+that there is no quota limit. This fixes callers that rely on
+ap->allowed to be set even when quotas are off.
+
+In __gfs2_fallocate, reset max_blks to UINT_MAX in each iteration of the
+loop to make sure that allocation limits from one resource group won't
+spill over into another resource group.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/gfs2/file.c | 5 +++--
+ fs/gfs2/quota.h | 2 ++
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -803,7 +803,7 @@ static long __gfs2_fallocate(struct file
+ struct gfs2_inode *ip = GFS2_I(inode);
+ struct gfs2_alloc_parms ap = { .aflags = 0, };
+ unsigned int data_blocks = 0, ind_blocks = 0, rblocks;
+- loff_t bytes, max_bytes, max_blks = UINT_MAX;
++ loff_t bytes, max_bytes, max_blks;
+ int error;
+ const loff_t pos = offset;
+ const loff_t count = len;
+@@ -855,7 +855,8 @@ static long __gfs2_fallocate(struct file
+ return error;
+ /* ap.allowed tells us how many blocks quota will allow
+ * us to write. Check if this reduces max_blks */
+- if (ap.allowed && ap.allowed < max_blks)
++ max_blks = UINT_MAX;
++ if (ap.allowed)
+ max_blks = ap.allowed;
+
+ error = gfs2_inplace_reserve(ip, &ap);
+--- a/fs/gfs2/quota.h
++++ b/fs/gfs2/quota.h
+@@ -45,6 +45,8 @@ static inline int gfs2_quota_lock_check(
+ {
+ struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode);
+ int ret;
++
++ ap->allowed = UINT_MAX; /* Assume we are permitted a whole lot */
+ if (sdp->sd_args.ar_quota == GFS2_QUOTA_OFF)
+ return 0;
+ ret = gfs2_quota_lock(ip, NO_UID_QUOTA_CHANGE, NO_GID_QUOTA_CHANGE);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Claudiu Manoil <claudiu.manoil@nxp.com>
+Date: Tue, 27 Feb 2018 17:33:10 +0200
+Subject: gianfar: Fix Rx byte accounting for ndev stats
+
+From: Claudiu Manoil <claudiu.manoil@nxp.com>
+
+[ Upstream commit 590399ddf9561f2ed0839311c8ae1be21597ba68 ]
+
+Don't include in the Rx bytecount of the packet sent up the stack:
+the FCB (frame control block), and the padding bytes inserted by
+the controller into the frame payload, nor the FCS. All these are
+being pulled out of the skb by gfar_process_frame().
+This issue is old, likely from the driver's beginnings, however
+it was amplified by recent:
+commit d903ec77118c ("gianfar: simplify FCS handling and fix memory leak")
+which basically added the FCS to the Rx bytecount, and so brought
+this to my attention.
+
+Signed-off-by: Claudiu Manoil <claudiu.manoil@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/gianfar.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/gianfar.c
++++ b/drivers/net/ethernet/freescale/gianfar.c
+@@ -3072,9 +3072,6 @@ static void gfar_process_frame(struct ne
+ if (ndev->features & NETIF_F_RXCSUM)
+ gfar_rx_checksum(skb, fcb);
+
+- /* Tell the skb what kind of packet this is */
+- skb->protocol = eth_type_trans(skb, ndev);
+-
+ /* There's need to check for NETIF_F_HW_VLAN_CTAG_RX here.
+ * Even if vlan rx accel is disabled, on some chips
+ * RXFCB_VLN is pseudo randomly set.
+@@ -3145,13 +3142,15 @@ int gfar_clean_rx_ring(struct gfar_priv_
+ continue;
+ }
+
++ gfar_process_frame(ndev, skb);
++
+ /* Increment the number of packets */
+ total_pkts++;
+ total_bytes += skb->len;
+
+ skb_record_rx_queue(skb, rx_queue->qindex);
+
+- gfar_process_frame(ndev, skb);
++ skb->protocol = eth_type_trans(skb, ndev);
+
+ /* Send the packet up the stack */
+ napi_gro_receive(&rx_queue->grp->napi_rx, skb);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Tobias Jordan <Tobias.Jordan@elektrobit.com>
+Date: Thu, 15 Feb 2018 15:34:55 +0100
+Subject: gpu: ipu-v3: pre: fix device node leak in ipu_pre_lookup_by_phandle
+
+From: Tobias Jordan <Tobias.Jordan@elektrobit.com>
+
+[ Upstream commit c795f3052b60b01e80485fad98c53e5e67d093c9 ]
+
+Before returning, call of_node_put() for the device node returned by
+of_parse_phandle().
+
+Fixes: d2a34232580a ("gpu: ipu-v3: add driver for Prefetch Resolve Engine")
+Signed-off-by: Tobias Jordan <Tobias.Jordan@elektrobit.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/ipu-v3/ipu-pre.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/ipu-v3/ipu-pre.c
++++ b/drivers/gpu/ipu-v3/ipu-pre.c
+@@ -125,11 +125,14 @@ ipu_pre_lookup_by_phandle(struct device
+ if (pre_node == pre->dev->of_node) {
+ mutex_unlock(&ipu_pre_list_mutex);
+ device_link_add(dev, pre->dev, DL_FLAG_AUTOREMOVE);
++ of_node_put(pre_node);
+ return pre;
+ }
+ }
+ mutex_unlock(&ipu_pre_list_mutex);
+
++ of_node_put(pre_node);
++
+ return NULL;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 15 Mar 2018 17:19:57 +0100
+Subject: gpu: ipu-v3: prg: avoid possible array underflow
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 746d024c3211813946b319411aeb2b47767f8fb0 ]
+
+gcc-8 reports that we access an array with a negative index
+in an error case:
+
+drivers/gpu/ipu-v3/ipu-prg.c: In function 'ipu_prg_channel_disable':
+drivers/gpu/ipu-v3/ipu-prg.c:252:43: error: array subscript -22 is below array bounds of 'struct ipu_prg_channel[3]' [-Werror=array-bounds]
+
+This moves the range check in front of the first time that
+variable gets used.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/ipu-v3/ipu-prg.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/ipu-v3/ipu-prg.c
++++ b/drivers/gpu/ipu-v3/ipu-prg.c
+@@ -252,10 +252,14 @@ void ipu_prg_channel_disable(struct ipuv
+ {
+ int prg_chan = ipu_prg_ipu_to_prg_chan(ipu_chan->num);
+ struct ipu_prg *prg = ipu_chan->ipu->prg_priv;
+- struct ipu_prg_channel *chan = &prg->chan[prg_chan];
++ struct ipu_prg_channel *chan;
+ u32 val;
+
+- if (!chan->enabled || prg_chan < 0)
++ if (prg_chan < 0)
++ return;
++
++ chan = &prg->chan[prg_chan];
++ if (!chan->enabled)
+ return;
+
+ clk_prepare_enable(prg->clk_ipg);
+@@ -282,13 +286,15 @@ int ipu_prg_channel_configure(struct ipu
+ {
+ int prg_chan = ipu_prg_ipu_to_prg_chan(ipu_chan->num);
+ struct ipu_prg *prg = ipu_chan->ipu->prg_priv;
+- struct ipu_prg_channel *chan = &prg->chan[prg_chan];
++ struct ipu_prg_channel *chan;
+ u32 val;
+ int ret;
+
+ if (prg_chan < 0)
+ return prg_chan;
+
++ chan = &prg->chan[prg_chan];
++
+ if (chan->enabled) {
+ ipu_pre_update(prg->pres[chan->used_pre], *eba);
+ return 0;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Tobias Jordan <Tobias.Jordan@elektrobit.com>
+Date: Thu, 15 Feb 2018 15:35:30 +0100
+Subject: gpu: ipu-v3: prg: fix device node leak in ipu_prg_lookup_by_phandle
+
+From: Tobias Jordan <Tobias.Jordan@elektrobit.com>
+
+[ Upstream commit 3addaba8141bc6a4f649a48f46e552af32922147 ]
+
+Before returning, call of_node_put() for the device node returned by
+of_parse_phandle().
+
+Fixes: ea9c260514c1 ("gpu: ipu-v3: add driver for Prefetch Resolve Gasket")
+Signed-off-by: Tobias Jordan <Tobias.Jordan@elektrobit.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/ipu-v3/ipu-prg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/ipu-v3/ipu-prg.c
++++ b/drivers/gpu/ipu-v3/ipu-prg.c
+@@ -101,11 +101,14 @@ ipu_prg_lookup_by_phandle(struct device
+ mutex_unlock(&ipu_prg_list_mutex);
+ device_link_add(dev, prg->dev, DL_FLAG_AUTOREMOVE);
+ prg->id = ipu_id;
++ of_node_put(prg_node);
+ return prg;
+ }
+ }
+ mutex_unlock(&ipu_prg_list_mutex);
+
++ of_node_put(prg_node);
++
+ return NULL;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Fri, 2 Mar 2018 13:49:01 -0800
+Subject: hv_netvsc: avoid retry on send during shutdown
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit 12f69661a49446840d742d8feb593ace022d9f66 ]
+
+Change the initialization order so that the device is ready to transmit
+(ie connect vsp is completed) before setting the internal reference
+to the device with RCU.
+
+This avoids any races on initialization and prevents retry issues
+on shutdown.
+
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc.c | 24 +++++++-----------------
+ 1 file changed, 7 insertions(+), 17 deletions(-)
+
+--- a/drivers/net/hyperv/netvsc.c
++++ b/drivers/net/hyperv/netvsc.c
+@@ -848,13 +848,6 @@ int netvsc_send(struct net_device_contex
+ if (unlikely(!net_device || net_device->destroy))
+ return -ENODEV;
+
+- /* We may race with netvsc_connect_vsp()/netvsc_init_buf() and get
+- * here before the negotiation with the host is finished and
+- * send_section_map may not be allocated yet.
+- */
+- if (unlikely(!net_device->send_section_map))
+- return -EAGAIN;
+-
+ nvchan = &net_device->chan_table[packet->q_idx];
+ packet->send_buf_index = NETVSC_INVALID_INDEX;
+ packet->cp_partial = false;
+@@ -862,10 +855,8 @@ int netvsc_send(struct net_device_contex
+ /* Send control message directly without accessing msd (Multi-Send
+ * Data) field which may be changed during data packet processing.
+ */
+- if (!skb) {
+- cur_send = packet;
+- goto send_now;
+- }
++ if (!skb)
++ return netvsc_send_pkt(device, packet, net_device, pb, skb);
+
+ /* batch packets in send buffer if possible */
+ msdp = &nvchan->msd;
+@@ -942,7 +933,6 @@ int netvsc_send(struct net_device_contex
+ }
+ }
+
+-send_now:
+ if (cur_send)
+ ret = netvsc_send_pkt(device, cur_send, net_device, pb, skb);
+
+@@ -1296,11 +1286,6 @@ struct netvsc_device *netvsc_device_add(
+
+ napi_enable(&net_device->chan_table[0].napi);
+
+- /* Writing nvdev pointer unlocks netvsc_send(), make sure chn_table is
+- * populated.
+- */
+- rcu_assign_pointer(net_device_ctx->nvdev, net_device);
+-
+ /* Connect with the NetVsp */
+ ret = netvsc_connect_vsp(device, net_device, device_info);
+ if (ret != 0) {
+@@ -1309,6 +1294,11 @@ struct netvsc_device *netvsc_device_add(
+ goto close;
+ }
+
++ /* Writing nvdev pointer unlocks netvsc_send(), make sure chn_table is
++ * populated.
++ */
++ rcu_assign_pointer(net_device_ctx->nvdev, net_device);
++
+ return net_device;
+
+ close:
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Fri, 2 Mar 2018 13:49:04 -0800
+Subject: hv_netvsc: cancel subchannel setup before halting device
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit a7483ec0267c69b34e818738da60b392623da94b ]
+
+Block setup of multiple channels earlier in the teardown
+process. This avoids possible races between halt and subchannel
+initialization.
+
+Suggested-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/rndis_filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/hyperv/rndis_filter.c
++++ b/drivers/net/hyperv/rndis_filter.c
+@@ -1325,6 +1325,9 @@ void rndis_filter_device_remove(struct h
+ {
+ struct rndis_device *rndis_dev = net_dev->extension;
+
++ /* Don't try and setup sub channels if about to halt */
++ cancel_work_sync(&net_dev->subchan_work);
++
+ /* Halt and release the rndis device */
+ rndis_filter_halt_device(rndis_dev);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Fri, 2 Mar 2018 13:49:07 -0800
+Subject: hv_netvsc: defer queue selection to VF
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit b3bf5666a51068ad5ddd89a76ed877101ef3bc16 ]
+
+When VF is used for accelerated networking it will likely have
+more queues (and different policy) than the synthetic NIC.
+This patch defers the queue policy to the VF so that all the
+queues can be used. This impacts workloads like local generate UDP.
+
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -283,8 +283,19 @@ static u16 netvsc_select_queue(struct ne
+ rcu_read_lock();
+ vf_netdev = rcu_dereference(ndc->vf_netdev);
+ if (vf_netdev) {
+- txq = skb_rx_queue_recorded(skb) ? skb_get_rx_queue(skb) : 0;
+- qdisc_skb_cb(skb)->slave_dev_queue_mapping = skb->queue_mapping;
++ const struct net_device_ops *vf_ops = vf_netdev->netdev_ops;
++
++ if (vf_ops->ndo_select_queue)
++ txq = vf_ops->ndo_select_queue(vf_netdev, skb,
++ accel_priv, fallback);
++ else
++ txq = fallback(vf_netdev, skb);
++
++ /* Record the queue selected by VF so that it can be
++ * used for common case where VF has more queues than
++ * the synthetic device.
++ */
++ qdisc_skb_cb(skb)->slave_dev_queue_mapping = txq;
+ } else {
+ txq = netvsc_pick_tx(ndev, skb);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Tue, 27 Mar 2018 11:28:48 -0700
+Subject: hv_netvsc: enable multicast if necessary
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit f03dbb06dc380274e351ca4b1ee1587ed4529e62 ]
+
+My recent change to netvsc drive in how receive flags are handled
+broke multicast. The Hyper-v/Azure virtual interface there is not a
+multicast filter list, filtering is only all or none. The driver must
+enable all multicast if any multicast address is present.
+
+Fixes: 009f766ca238 ("hv_netvsc: filter multicast/broadcast")
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/rndis_filter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/hyperv/rndis_filter.c
++++ b/drivers/net/hyperv/rndis_filter.c
+@@ -861,7 +861,7 @@ static void rndis_set_multicast(struct w
+ if (flags & IFF_PROMISC) {
+ filter = NDIS_PACKET_TYPE_PROMISCUOUS;
+ } else {
+- if (flags & IFF_ALLMULTI)
++ if (!netdev_mc_empty(rdev->ndev) || (flags & IFF_ALLMULTI))
+ filter |= NDIS_PACKET_TYPE_ALL_MULTICAST;
+ if (flags & IFF_BROADCAST)
+ filter |= NDIS_PACKET_TYPE_BROADCAST;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Fri, 2 Mar 2018 13:49:08 -0800
+Subject: hv_netvsc: filter multicast/broadcast
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit 009f766ca2383d8788acd65c2c36c51bbfb19470 ]
+
+The netvsc driver was always enabling all multicast and broadcast
+even if netdevice flag had not enabled it.
+
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/rndis_filter.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/hyperv/rndis_filter.c
++++ b/drivers/net/hyperv/rndis_filter.c
+@@ -855,15 +855,19 @@ static void rndis_set_multicast(struct w
+ {
+ struct rndis_device *rdev
+ = container_of(w, struct rndis_device, mcast_work);
++ u32 filter = NDIS_PACKET_TYPE_DIRECTED;
++ unsigned int flags = rdev->ndev->flags;
+
+- if (rdev->ndev->flags & IFF_PROMISC)
+- rndis_filter_set_packet_filter(rdev,
+- NDIS_PACKET_TYPE_PROMISCUOUS);
+- else
+- rndis_filter_set_packet_filter(rdev,
+- NDIS_PACKET_TYPE_BROADCAST |
+- NDIS_PACKET_TYPE_ALL_MULTICAST |
+- NDIS_PACKET_TYPE_DIRECTED);
++ if (flags & IFF_PROMISC) {
++ filter = NDIS_PACKET_TYPE_PROMISCUOUS;
++ } else {
++ if (flags & IFF_ALLMULTI)
++ flags |= NDIS_PACKET_TYPE_ALL_MULTICAST;
++ if (flags & IFF_BROADCAST)
++ flags |= NDIS_PACKET_TYPE_BROADCAST;
++ }
++
++ rndis_filter_set_packet_filter(rdev, filter);
+ }
+
+ void rndis_filter_update(struct netvsc_device *nvdev)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Fri, 2 Mar 2018 13:49:03 -0800
+Subject: hv_netvsc: fix error unwind handling if vmbus_open fails
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit fcfb4a00d1e514e8313277a01ef919de1113025b ]
+
+Need to delete NAPI association if vmbus_open fails.
+
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/hyperv/netvsc.c
++++ b/drivers/net/hyperv/netvsc.c
+@@ -1276,7 +1276,6 @@ struct netvsc_device *netvsc_device_add(
+ net_device->chan_table);
+
+ if (ret != 0) {
+- netif_napi_del(&net_device->chan_table[0].napi);
+ netdev_err(ndev, "unable to open channel: %d\n", ret);
+ goto cleanup;
+ }
+@@ -1309,6 +1308,7 @@ close:
+ vmbus_close(device->channel);
+
+ cleanup:
++ netif_napi_del(&net_device->chan_table[0].napi);
+ free_netvsc_device(&net_device->rcu);
+
+ return ERR_PTR(ret);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Wed, 7 Mar 2018 13:49:09 -0800
+Subject: hv_netvsc: fix filter flags
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit de3d50aadd40bf68614db9fd157b275ce9c2d467 ]
+
+The recent change to not always enable all multicast and broadcast
+was broken; meant to set filter, not change flags.
+
+Fixes: 009f766ca238 ("hv_netvsc: filter multicast/broadcast")
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/rndis_filter.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/hyperv/rndis_filter.c
++++ b/drivers/net/hyperv/rndis_filter.c
+@@ -862,9 +862,9 @@ static void rndis_set_multicast(struct w
+ filter = NDIS_PACKET_TYPE_PROMISCUOUS;
+ } else {
+ if (flags & IFF_ALLMULTI)
+- flags |= NDIS_PACKET_TYPE_ALL_MULTICAST;
++ filter |= NDIS_PACKET_TYPE_ALL_MULTICAST;
+ if (flags & IFF_BROADCAST)
+- flags |= NDIS_PACKET_TYPE_BROADCAST;
++ filter |= NDIS_PACKET_TYPE_BROADCAST;
+ }
+
+ rndis_filter_set_packet_filter(rdev, filter);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Wed, 7 Mar 2018 13:49:12 -0800
+Subject: hv_netvsc: fix locking during VF setup
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit b0dee7910317f41f398838992516af6a3b981d86 ]
+
+The dev_uc/mc_sync calls need to have the device address list
+locked. This was spotted by running with lockdep enabled.
+
+Fixes: bee9d41b37ea ("hv_netvsc: propagate rx filters to VF")
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -1821,8 +1821,12 @@ static void __netvsc_vf_setup(struct net
+
+ /* set multicast etc flags on VF */
+ dev_change_flags(vf_netdev, ndev->flags | IFF_SLAVE);
++
++ /* sync address list from ndev to VF */
++ netif_addr_lock_bh(ndev);
+ dev_uc_sync(vf_netdev, ndev);
+ dev_mc_sync(vf_netdev, ndev);
++ netif_addr_unlock_bh(ndev);
+
+ if (netif_running(ndev)) {
+ ret = dev_open(vf_netdev);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Wed, 7 Mar 2018 13:49:11 -0800
+Subject: hv_netvsc: fix locking for rx_mode
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit 35a57b7fef136fa3d5b735ba773f191b95110fa0 ]
+
+The rx_mode operation handler is different than other callbacks
+in that is not always called with rtnl held. Therefore use
+RCU to ensure that references are valid.
+
+Fixes: bee9d41b37ea ("hv_netvsc: propagate rx filters to VF")
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -86,15 +86,20 @@ static void netvsc_change_rx_flags(struc
+ static void netvsc_set_rx_mode(struct net_device *net)
+ {
+ struct net_device_context *ndev_ctx = netdev_priv(net);
+- struct net_device *vf_netdev = rtnl_dereference(ndev_ctx->vf_netdev);
+- struct netvsc_device *nvdev = rtnl_dereference(ndev_ctx->nvdev);
++ struct net_device *vf_netdev;
++ struct netvsc_device *nvdev;
+
++ rcu_read_lock();
++ vf_netdev = rcu_dereference(ndev_ctx->vf_netdev);
+ if (vf_netdev) {
+ dev_uc_sync(vf_netdev, net);
+ dev_mc_sync(vf_netdev, net);
+ }
+
+- rndis_filter_update(nvdev);
++ nvdev = rcu_dereference(ndev_ctx->nvdev);
++ if (nvdev)
++ rndis_filter_update(nvdev);
++ rcu_read_unlock();
+ }
+
+ static int netvsc_open(struct net_device *net)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Fri, 2 Mar 2018 13:49:05 -0800
+Subject: hv_netvsc: fix race in napi poll when rescheduling
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit d64e38ae690e3337db0d38d9b149a193a1646c4b ]
+
+There is a race between napi_reschedule and re-enabling interrupts
+which could lead to missed host interrrupts. This occurs when
+interrupts are re-enabled (hv_end_read) and vmbus irq callback
+(netvsc_channel_cb) has already scheduled NAPI.
+
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/hyperv/netvsc.c
++++ b/drivers/net/hyperv/netvsc.c
+@@ -1196,9 +1196,10 @@ int netvsc_poll(struct napi_struct *napi
+ if (send_recv_completions(ndev, net_device, nvchan) == 0 &&
+ work_done < budget &&
+ napi_complete_done(napi, work_done) &&
+- hv_end_read(&channel->inbound)) {
++ hv_end_read(&channel->inbound) &&
++ napi_schedule_prep(napi)) {
+ hv_begin_read(&channel->inbound);
+- napi_reschedule(napi);
++ __napi_schedule(napi);
+ }
+
+ /* Driver may overshoot since multiple packets per descriptor */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Fri, 2 Mar 2018 13:49:02 -0800
+Subject: hv_netvsc: only wake transmit queue if link is up
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit f4950e4586dfc957e0a28226eeb992ddc049b5a2 ]
+
+Don't wake transmit queues if link is not up yet.
+
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -88,12 +88,11 @@ static int netvsc_open(struct net_device
+ return ret;
+ }
+
+- netif_tx_wake_all_queues(net);
+-
+ rdev = nvdev->extension;
+-
+- if (!rdev->link_state)
++ if (!rdev->link_state) {
+ netif_carrier_on(net);
++ netif_tx_wake_all_queues(net);
++ }
+
+ if (vf_netdev) {
+ /* Setting synthetic device up transparently sets
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Fri, 2 Mar 2018 13:49:09 -0800
+Subject: hv_netvsc: propagate rx filters to VF
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit bee9d41b37ea6b1f860e5bc0989cf1cf1d7e6ab3 ]
+
+The netvsc device should propagate filters to the SR-IOV VF
+device (if present). The flags also need to be propagated to the
+VF device as well. This only really matters on local Hyper-V
+since Azure does not support multiple addresses.
+
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 40 ++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 36 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -63,10 +63,36 @@ static int debug = -1;
+ module_param(debug, int, S_IRUGO);
+ MODULE_PARM_DESC(debug, "Debug level (0=none,...,16=all)");
+
+-static void netvsc_set_multicast_list(struct net_device *net)
++static void netvsc_change_rx_flags(struct net_device *net, int change)
+ {
+- struct net_device_context *net_device_ctx = netdev_priv(net);
+- struct netvsc_device *nvdev = rtnl_dereference(net_device_ctx->nvdev);
++ struct net_device_context *ndev_ctx = netdev_priv(net);
++ struct net_device *vf_netdev = rtnl_dereference(ndev_ctx->vf_netdev);
++ int inc;
++
++ if (!vf_netdev)
++ return;
++
++ if (change & IFF_PROMISC) {
++ inc = (net->flags & IFF_PROMISC) ? 1 : -1;
++ dev_set_promiscuity(vf_netdev, inc);
++ }
++
++ if (change & IFF_ALLMULTI) {
++ inc = (net->flags & IFF_ALLMULTI) ? 1 : -1;
++ dev_set_allmulti(vf_netdev, inc);
++ }
++}
++
++static void netvsc_set_rx_mode(struct net_device *net)
++{
++ struct net_device_context *ndev_ctx = netdev_priv(net);
++ struct net_device *vf_netdev = rtnl_dereference(ndev_ctx->vf_netdev);
++ struct netvsc_device *nvdev = rtnl_dereference(ndev_ctx->nvdev);
++
++ if (vf_netdev) {
++ dev_uc_sync(vf_netdev, net);
++ dev_mc_sync(vf_netdev, net);
++ }
+
+ rndis_filter_update(nvdev);
+ }
+@@ -1556,7 +1582,8 @@ static const struct net_device_ops devic
+ .ndo_open = netvsc_open,
+ .ndo_stop = netvsc_close,
+ .ndo_start_xmit = netvsc_start_xmit,
+- .ndo_set_rx_mode = netvsc_set_multicast_list,
++ .ndo_change_rx_flags = netvsc_change_rx_flags,
++ .ndo_set_rx_mode = netvsc_set_rx_mode,
+ .ndo_change_mtu = netvsc_change_mtu,
+ .ndo_validate_addr = eth_validate_addr,
+ .ndo_set_mac_address = netvsc_set_mac_addr,
+@@ -1787,6 +1814,11 @@ static void __netvsc_vf_setup(struct net
+ netdev_warn(vf_netdev,
+ "unable to change mtu to %u\n", ndev->mtu);
+
++ /* set multicast etc flags on VF */
++ dev_change_flags(vf_netdev, ndev->flags | IFF_SLAVE);
++ dev_uc_sync(vf_netdev, ndev);
++ dev_mc_sync(vf_netdev, ndev);
++
+ if (netif_running(ndev)) {
+ ret = dev_open(vf_netdev);
+ if (ret)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Fri, 2 Mar 2018 13:49:06 -0800
+Subject: hv_netvsc: use napi_schedule_irqoff
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit 68633edaef655ce94e51088ecef5dd4e1d2f6f34 ]
+
+Since the netvsc_channel_cb is already called in interrupt
+context from vmbus, there is no need to do irqsave/restore.
+
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/hyperv/netvsc.c
++++ b/drivers/net/hyperv/netvsc.c
+@@ -1222,7 +1222,7 @@ void netvsc_channel_cb(void *context)
+ /* disable interupts from host */
+ hv_begin_read(rbi);
+
+- __napi_schedule(&nvchan->napi);
++ __napi_schedule_irqoff(&nvchan->napi);
+ }
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Mon, 26 Mar 2018 19:50:31 -0700
+Subject: hwmon: (nct6775) Fix writing pwmX_mode
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 415eb2a1aaa4881cf85bd86c683356fdd8094a23 ]
+
+pwmX_mode is defined in the ABI as 0=DC mode, 1=pwm mode. The chip
+register bit is set to 1 for DC mode. This got mixed up, and writing
+1 into pwmX_mode resulted in DC mode enabled. Fix it up by using
+the ABI definition throughout the driver for consistency.
+
+Fixes: 77eb5b3703d99 ("hwmon: (nct6775) Add support for pwm, pwm_mode, ... ")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/nct6775.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/hwmon/nct6775.c
++++ b/drivers/hwmon/nct6775.c
+@@ -1469,7 +1469,7 @@ static void nct6775_update_pwm(struct de
+ duty_is_dc = data->REG_PWM_MODE[i] &&
+ (nct6775_read_value(data, data->REG_PWM_MODE[i])
+ & data->PWM_MODE_MASK[i]);
+- data->pwm_mode[i] = duty_is_dc;
++ data->pwm_mode[i] = !duty_is_dc;
+
+ fanmodecfg = nct6775_read_value(data, data->REG_FAN_MODE[i]);
+ for (j = 0; j < ARRAY_SIZE(data->REG_PWM); j++) {
+@@ -2350,7 +2350,7 @@ show_pwm_mode(struct device *dev, struct
+ struct nct6775_data *data = nct6775_update_device(dev);
+ struct sensor_device_attribute *sattr = to_sensor_dev_attr(attr);
+
+- return sprintf(buf, "%d\n", !data->pwm_mode[sattr->index]);
++ return sprintf(buf, "%d\n", data->pwm_mode[sattr->index]);
+ }
+
+ static ssize_t
+@@ -2371,9 +2371,9 @@ store_pwm_mode(struct device *dev, struc
+ if (val > 1)
+ return -EINVAL;
+
+- /* Setting DC mode is not supported for all chips/channels */
++ /* Setting DC mode (0) is not supported for all chips/channels */
+ if (data->REG_PWM_MODE[nr] == 0) {
+- if (val)
++ if (!val)
+ return -EINVAL;
+ return count;
+ }
+@@ -2382,7 +2382,7 @@ store_pwm_mode(struct device *dev, struc
+ data->pwm_mode[nr] = val;
+ reg = nct6775_read_value(data, data->REG_PWM_MODE[nr]);
+ reg &= ~data->PWM_MODE_MASK[nr];
+- if (val)
++ if (!val)
+ reg |= data->PWM_MODE_MASK[nr];
+ nct6775_write_value(data, data->REG_PWM_MODE[nr], reg);
+ mutex_unlock(&data->update_lock);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sat, 10 Mar 2018 17:55:47 -0800
+Subject: hwmon: (pmbus/adm1275) Accept negative page register values
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit ecb29abd4cb0670c616fb563a078f25d777ce530 ]
+
+A negative page register value means that no page needs to be
+selected. This is used by status register read operations and needs
+to be accepted. The failure to do so so results in missed status
+and limit registers.
+
+Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/pmbus/adm1275.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/pmbus/adm1275.c
++++ b/drivers/hwmon/pmbus/adm1275.c
+@@ -154,7 +154,7 @@ static int adm1275_read_word_data(struct
+ const struct adm1275_data *data = to_adm1275_data(info);
+ int ret = 0;
+
+- if (page)
++ if (page > 0)
+ return -ENXIO;
+
+ switch (reg) {
+@@ -240,7 +240,7 @@ static int adm1275_write_word_data(struc
+ const struct adm1275_data *data = to_adm1275_data(info);
+ int ret;
+
+- if (page)
++ if (page > 0)
+ return -ENXIO;
+
+ switch (reg) {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sat, 10 Mar 2018 17:49:47 -0800
+Subject: hwmon: (pmbus/max8688) Accept negative page register values
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit a46f8cd696624ef757be0311eb28f119c36778e8 ]
+
+A negative page register value means that no page needs to be
+selected. This is used by status register evaluations and needs
+to be accepted.
+
+Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/pmbus/max8688.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/pmbus/max8688.c
++++ b/drivers/hwmon/pmbus/max8688.c
+@@ -45,7 +45,7 @@ static int max8688_read_word_data(struct
+ {
+ int ret;
+
+- if (page)
++ if (page > 0)
+ return -ENXIO;
+
+ switch (reg) {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "lionel.debieve@st.com" <lionel.debieve@st.com>
+Date: Thu, 15 Feb 2018 14:03:08 +0100
+Subject: hwrng: stm32 - add reset during probe
+
+From: "lionel.debieve@st.com" <lionel.debieve@st.com>
+
+[ Upstream commit 326ed382256475aa4b8b7eae8a2f60689fd25e78 ]
+
+Avoid issue when probing the RNG without
+reset if bad status has been detected previously
+
+Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/hw_random/stm32-rng.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/char/hw_random/stm32-rng.c
++++ b/drivers/char/hw_random/stm32-rng.c
+@@ -21,6 +21,7 @@
+ #include <linux/of_address.h>
+ #include <linux/of_platform.h>
+ #include <linux/pm_runtime.h>
++#include <linux/reset.h>
+ #include <linux/slab.h>
+
+ #define RNG_CR 0x00
+@@ -46,6 +47,7 @@ struct stm32_rng_private {
+ struct hwrng rng;
+ void __iomem *base;
+ struct clk *clk;
++ struct reset_control *rst;
+ };
+
+ static int stm32_rng_read(struct hwrng *rng, void *data, size_t max, bool wait)
+@@ -140,6 +142,13 @@ static int stm32_rng_probe(struct platfo
+ if (IS_ERR(priv->clk))
+ return PTR_ERR(priv->clk);
+
++ priv->rst = devm_reset_control_get(&ofdev->dev, NULL);
++ if (!IS_ERR(priv->rst)) {
++ reset_control_assert(priv->rst);
++ udelay(2);
++ reset_control_deassert(priv->rst);
++ }
++
+ dev_set_drvdata(dev, priv);
+
+ priv->rng.name = dev_driver_string(dev),
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Sun, 3 Dec 2017 22:40:50 +0100
+Subject: i2c: core: report OF style module alias for devices registered via OF
+
+From: Javier Martinez Canillas <javierm@redhat.com>
+
+[ Upstream commit af503716ac1444db61d80cb6d17cfe62929c21df ]
+
+The buses should honor the firmware interface used to register the device,
+but the I2C core reports a MODALIAS of the form i2c:<device> even for I2C
+devices registered via OF.
+
+This means that user-space will never get an OF stype uevent MODALIAS even
+when the drivers modules contain aliases exported from both the I2C and OF
+device ID tables. For example, an Atmel maXTouch Touchscreen registered by
+a DT node with compatible "atmel,maxtouch" has the following module alias:
+
+$ cat /sys/class/i2c-adapter/i2c-8/8-004b/modalias
+i2c:maxtouch
+
+So udev won't be able to auto-load a module for an OF-only device driver.
+Many OF-only drivers duplicate the OF device ID table entries in an I2C ID
+table only has a workaround for how the I2C core reports the module alias.
+
+This patch changes the I2C core to report an OF related MODALIAS uevent if
+the device was registered via OF. So for the previous example, after this
+patch, the reported MODALIAS for the Atmel maXTouch will be the following:
+
+$ cat /sys/class/i2c-adapter/i2c-8/8-004b/modalias
+of:NtrackpadT<NULL>Catmel,maxtouch
+
+NOTE: This patch may break out-of-tree drivers that were relying on this
+ behavior, and only had an I2C device ID table even when the device
+ was registered via OF. There are no remaining drivers in mainline
+ that do this, but out-of-tree drivers have to be fixed and define
+ a proper OF device ID table to have module auto-loading working.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Tested-by: Dmitry Mastykin <mastichi@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/i2c-core-base.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/i2c/i2c-core-base.c
++++ b/drivers/i2c/i2c-core-base.c
+@@ -123,6 +123,10 @@ static int i2c_device_uevent(struct devi
+ struct i2c_client *client = to_i2c_client(dev);
+ int rc;
+
++ rc = of_device_uevent_modalias(dev, env);
++ if (rc != -ENODEV)
++ return rc;
++
+ rc = acpi_device_uevent_modalias(dev, env);
+ if (rc != -ENODEV)
+ return rc;
+@@ -472,6 +476,10 @@ show_modalias(struct device *dev, struct
+ struct i2c_client *client = to_i2c_client(dev);
+ int len;
+
++ len = of_device_modalias(dev, buf, PAGE_SIZE);
++ if (len != -ENODEV)
++ return len;
++
+ len = acpi_device_modalias(dev, buf, PAGE_SIZE -1);
+ if (len != -ENODEV)
+ return len;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Gregory CLEMENT <gregory.clement@bootlin.com>
+Date: Wed, 14 Mar 2018 18:03:40 +0100
+Subject: i2c: mv64xxx: Apply errata delay only in standard mode
+
+From: Gregory CLEMENT <gregory.clement@bootlin.com>
+
+[ Upstream commit 31184d8c6ea49ea0676d100cdd7e1f102ad025b5 ]
+
+The errata FE-8471889 description has been updated. There is still a
+timing violation for repeated start. But the errata now states that it
+was only the case for the Standard mode (100 kHz), in Fast mode (400 kHz)
+there is no issue.
+
+This patch limit the errata fix to the Standard mode.
+
+It has been tesed successfully on the clearfog (Aramda 388 based board).
+
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-mv64xxx.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-mv64xxx.c
++++ b/drivers/i2c/busses/i2c-mv64xxx.c
+@@ -844,12 +844,16 @@ mv64xxx_of_config(struct mv64xxx_i2c_dat
+ */
+ if (of_device_is_compatible(np, "marvell,mv78230-i2c")) {
+ drv_data->offload_enabled = true;
+- drv_data->errata_delay = true;
++ /* The delay is only needed in standard mode (100kHz) */
++ if (bus_freq <= 100000)
++ drv_data->errata_delay = true;
+ }
+
+ if (of_device_is_compatible(np, "marvell,mv78230-a0-i2c")) {
+ drv_data->offload_enabled = false;
+- drv_data->errata_delay = true;
++ /* The delay is only needed in standard mode (100kHz) */
++ if (bus_freq <= 100000)
++ drv_data->errata_delay = true;
+ }
+
+ if (of_device_is_compatible(np, "allwinner,sun6i-a31-i2c"))
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Filip Sadowski <filip.sadowski@intel.com>
+Date: Fri, 29 Dec 2017 08:50:05 -0500
+Subject: i40e: Add delay after EMP reset for firmware to recover
+
+From: Filip Sadowski <filip.sadowski@intel.com>
+
+[ Upstream commit 1fa51a650e1deb50410677f1bd6c0ce17aa48a49 ]
+
+This patch adds necessary delay for 4.33 firmware to recover after
+EMP reset. Without this patch driver occasionally reinitializes
+structures too quickly to communicate with firmware after EMP reset
+causing AdminQ to timeout.
+
+Signed-off-by: Filip Sadowski <filip.sadowski@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -7196,6 +7196,17 @@ static void i40e_rebuild(struct i40e_pf
+ }
+ i40e_get_oem_version(&pf->hw);
+
++ if (test_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state) &&
++ ((hw->aq.fw_maj_ver == 4 && hw->aq.fw_min_ver <= 33) ||
++ hw->aq.fw_maj_ver < 4) && hw->mac.type == I40E_MAC_XL710) {
++ /* The following delay is necessary for 4.33 firmware and older
++ * to recover after EMP reset. 200 ms should suffice but we
++ * put here 300 ms to be sure that FW is ready to operate
++ * after reset.
++ */
++ mdelay(300);
++ }
++
+ /* re-verify the eeprom if we just had an EMP reset */
+ if (test_and_clear_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state))
+ i40e_verify_eeprom(pf);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Davidlohr Bueso <dave@stgolabs.net>
+Date: Mon, 22 Jan 2018 09:21:37 -0800
+Subject: ia64/err-inject: Use get_user_pages_fast()
+
+From: Davidlohr Bueso <dave@stgolabs.net>
+
+[ Upstream commit 69c907022a7d9325cdc5c9dd064571e445df9a47 ]
+
+At the point of sysfs callback, the call to gup is
+done without mmap_sem (or any lock for that matter).
+This is racy. As such, use the get_user_pages_fast()
+alternative and safely avoid taking the lock, if possible.
+
+Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/ia64/kernel/err_inject.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/ia64/kernel/err_inject.c
++++ b/arch/ia64/kernel/err_inject.c
+@@ -142,7 +142,7 @@ store_virtual_to_phys(struct device *dev
+ u64 virt_addr=simple_strtoull(buf, NULL, 16);
+ int ret;
+
+- ret = get_user_pages(virt_addr, 1, FOLL_WRITE, NULL, NULL);
++ ret = get_user_pages_fast(virt_addr, 1, FOLL_WRITE, NULL);
+ if (ret<=0) {
+ #ifdef ERR_INJ_DEBUG
+ printk("Virtual address %lx is not existing.\n",virt_addr);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Parav Pandit <parav@mellanox.com>
+Date: Wed, 7 Mar 2018 08:07:41 +0200
+Subject: IB/core: Fix possible crash to access NULL netdev
+
+From: Parav Pandit <parav@mellanox.com>
+
+[ Upstream commit bb7f8f199c354c4cf155b1d6d55f86eaaed7fa5a ]
+
+resolved_dev returned might be NULL as ifindex is transient number.
+Ignoring NULL check of resolved_dev might crash the kernel.
+Therefore perform NULL check before accessing resolved_dev.
+
+Additionally rdma_resolve_ip_route() invokes addr_resolve() which
+performs check and address translation for loopback ifindex.
+Therefore, checking it again in rdma_resolve_ip_route() is not helpful.
+Therefore, the code is simplified to avoid IFF_LOOPBACK check.
+
+Fixes: 200298326b27 ("IB/core: Validate route when we init ah")
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/sa_query.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/core/sa_query.c
++++ b/drivers/infiniband/core/sa_query.c
+@@ -1291,10 +1291,9 @@ int ib_init_ah_from_path(struct ib_devic
+
+ resolved_dev = dev_get_by_index(dev_addr.net,
+ dev_addr.bound_dev_if);
+- if (resolved_dev->flags & IFF_LOOPBACK) {
+- dev_put(resolved_dev);
+- resolved_dev = idev;
+- dev_hold(resolved_dev);
++ if (!resolved_dev) {
++ dev_put(idev);
++ return -ENODEV;
+ }
+ ndev = ib_get_ndev_from_path(rec);
+ rcu_read_lock();
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Parav Pandit <parav@mellanox.com>
+Date: Tue, 13 Mar 2018 16:06:14 +0200
+Subject: IB/core: Honor port_num while resolving GID for IB link layer
+
+From: Parav Pandit <parav@mellanox.com>
+
+[ Upstream commit 563c4ba3bd2b8b0b21c65669ec2226b1cfa1138b ]
+
+ah_attr contains the port number to which cm_id is bound. However, while
+searching for GID table for matching GID entry, the port number is
+ignored.
+
+This could cause the wrong GID to be used when the ah_attr is converted to
+an AH.
+
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/multicast.c | 24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+--- a/drivers/infiniband/core/multicast.c
++++ b/drivers/infiniband/core/multicast.c
+@@ -724,21 +724,19 @@ int ib_init_ah_from_mcmember(struct ib_d
+ {
+ int ret;
+ u16 gid_index;
+- u8 p;
+
+- if (rdma_protocol_roce(device, port_num)) {
+- ret = ib_find_cached_gid_by_port(device, &rec->port_gid,
+- gid_type, port_num,
+- ndev,
+- &gid_index);
+- } else if (rdma_protocol_ib(device, port_num)) {
+- ret = ib_find_cached_gid(device, &rec->port_gid,
+- IB_GID_TYPE_IB, NULL, &p,
+- &gid_index);
+- } else {
+- ret = -EINVAL;
+- }
++ /* GID table is not based on the netdevice for IB link layer,
++ * so ignore ndev during search.
++ */
++ if (rdma_protocol_ib(device, port_num))
++ ndev = NULL;
++ else if (!rdma_protocol_roce(device, port_num))
++ return -EINVAL;
+
++ ret = ib_find_cached_gid_by_port(device, &rec->port_gid,
++ gid_type, port_num,
++ ndev,
++ &gid_index);
+ if (ret)
+ return ret;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Moni Shoua <monis@mellanox.com>
+Date: Sun, 25 Feb 2018 13:39:54 +0200
+Subject: IB/mlx: Set slid to zero in Ethernet completion struct
+
+From: Moni Shoua <monis@mellanox.com>
+
+[ Upstream commit 65389322b28f81cc137b60a41044c2d958a7b950 ]
+
+IB spec says that a lid should be ignored when link layer is Ethernet,
+for example when building or parsing a CM request message (CA17-34).
+However, since ib_lid_be16() and ib_lid_cpu16() validates the slid,
+not only when link layer is IB, we set the slid to zero to prevent
+false warnings in the kernel log.
+
+Fixes: 62ede7779904 ("Add OPA extended LID support")
+Reviewed-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Moni Shoua <monis@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx4/cq.c | 4 +++-
+ drivers/infiniband/hw/mlx5/cq.c | 3 ++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/cq.c
++++ b/drivers/infiniband/hw/mlx4/cq.c
+@@ -597,6 +597,7 @@ static void use_tunnel_data(struct mlx4_
+ wc->dlid_path_bits = 0;
+
+ if (is_eth) {
++ wc->slid = 0;
+ wc->vlan_id = be16_to_cpu(hdr->tun.sl_vid);
+ memcpy(&(wc->smac[0]), (char *)&hdr->tun.mac_31_0, 4);
+ memcpy(&(wc->smac[4]), (char *)&hdr->tun.slid_mac_47_32, 2);
+@@ -845,7 +846,6 @@ repoll:
+ }
+ }
+
+- wc->slid = be16_to_cpu(cqe->rlid);
+ g_mlpath_rqpn = be32_to_cpu(cqe->g_mlpath_rqpn);
+ wc->src_qp = g_mlpath_rqpn & 0xffffff;
+ wc->dlid_path_bits = (g_mlpath_rqpn >> 24) & 0x7f;
+@@ -854,6 +854,7 @@ repoll:
+ wc->wc_flags |= mlx4_ib_ipoib_csum_ok(cqe->status,
+ cqe->checksum) ? IB_WC_IP_CSUM_OK : 0;
+ if (is_eth) {
++ wc->slid = 0;
+ wc->sl = be16_to_cpu(cqe->sl_vid) >> 13;
+ if (be32_to_cpu(cqe->vlan_my_qpn) &
+ MLX4_CQE_CVLAN_PRESENT_MASK) {
+@@ -865,6 +866,7 @@ repoll:
+ memcpy(wc->smac, cqe->smac, ETH_ALEN);
+ wc->wc_flags |= (IB_WC_WITH_VLAN | IB_WC_WITH_SMAC);
+ } else {
++ wc->slid = be16_to_cpu(cqe->rlid);
+ wc->sl = be16_to_cpu(cqe->sl_vid) >> 12;
+ wc->vlan_id = 0xffff;
+ }
+--- a/drivers/infiniband/hw/mlx5/cq.c
++++ b/drivers/infiniband/hw/mlx5/cq.c
+@@ -224,7 +224,6 @@ static void handle_responder(struct ib_w
+ wc->ex.invalidate_rkey = be32_to_cpu(cqe->imm_inval_pkey);
+ break;
+ }
+- wc->slid = be16_to_cpu(cqe->slid);
+ wc->src_qp = be32_to_cpu(cqe->flags_rqpn) & 0xffffff;
+ wc->dlid_path_bits = cqe->ml_path;
+ g = (be32_to_cpu(cqe->flags_rqpn) >> 28) & 3;
+@@ -239,10 +238,12 @@ static void handle_responder(struct ib_w
+ }
+
+ if (ll != IB_LINK_LAYER_ETHERNET) {
++ wc->slid = be16_to_cpu(cqe->slid);
+ wc->sl = (be32_to_cpu(cqe->flags_rqpn) >> 24) & 0xf;
+ return;
+ }
+
++ wc->slid = 0;
+ vlan_present = cqe->l4_l3_hdr_type & 0x1;
+ roce_packet_type = (be32_to_cpu(cqe->flags_rqpn) >> 24) & 0x3;
+ if (vlan_present) {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Mon, 5 Mar 2018 20:09:45 +0200
+Subject: IB/mlx4: Fix corruption of RoCEv2 IPv4 GIDs
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+[ Upstream commit 0077416a3d529baccbe07ab3242e8db541cfadf6 ]
+
+When using IPv4 addresses in RoCEv2, the GID format for the mapped
+IPv4 address should be: ::ffff:<4-byte IPv4 address>.
+
+In the cited commit, IPv4 mapped IPV6 addresses had the 3 upper dwords
+zeroed out by memset, which resulted in deleting the ffff field.
+
+However, since procedure ipv6_addr_v4mapped() already verifies that the
+gid has format ::ffff:<ipv4 address>, no change is needed for the gid,
+and the memset can simply be removed.
+
+Fixes: 7e57b85c444c ("IB/mlx4: Add support for setting RoCEv2 gids in hardware")
+Reviewed-by: Moni Shoua <monis@mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx4/main.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -219,8 +219,6 @@ static int mlx4_ib_update_gids_v1_v2(str
+ gid_tbl[i].version = 2;
+ if (!ipv6_addr_v4mapped((struct in6_addr *)&gids[i].gid))
+ gid_tbl[i].type = 1;
+- else
+- memset(&gid_tbl[i].gid, 0, 12);
+ }
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jack M <jackm@dev.mellanox.co.il>
+Date: Mon, 5 Mar 2018 20:09:46 +0200
+Subject: IB/mlx4: Include GID type when deleting GIDs from HW table under RoCE
+
+From: Jack M <jackm@dev.mellanox.co.il>
+
+[ Upstream commit a18177925c252da7801149abe217c05b80884798 ]
+
+The commit cited below added a gid_type field (RoCEv1 or RoCEv2)
+to GID properties.
+
+When adding GIDs, this gid_type field was copied over to the
+hardware gid table. However, when deleting GIDs, the gid_type field
+was not copied over to the hardware gid table.
+
+As a result, when running RoCEv2, all RoCEv2 gids in the
+hardware gid table were set to type RoCEv1 when any gid was deleted.
+
+This problem would persist until the next gid was added (which would again
+restore the gid_type field for all the gids in the hardware gid table).
+
+Fix this by copying over the gid_type field to the hardware gid table
+when deleting gids, so that the gid_type of all remaining gids is
+preserved when a gid is deleted.
+
+Fixes: b699a859d17b ("IB/mlx4: Add gid_type to GID properties")
+Reviewed-by: Moni Shoua <monis@mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx4/main.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -364,8 +364,13 @@ static int mlx4_ib_del_gid(struct ib_dev
+ if (!gids) {
+ ret = -ENOMEM;
+ } else {
+- for (i = 0; i < MLX4_MAX_PORT_GIDS; i++)
+- memcpy(&gids[i].gid, &port_gid_table->gids[i].gid, sizeof(union ib_gid));
++ for (i = 0; i < MLX4_MAX_PORT_GIDS; i++) {
++ memcpy(&gids[i].gid,
++ &port_gid_table->gids[i].gid,
++ sizeof(union ib_gid));
++ gids[i].gid_type =
++ port_gid_table->gids[i].gid_type;
++ }
+ }
+ }
+ spin_unlock_bh(&iboe->lock);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 6 Mar 2018 13:00:31 +0300
+Subject: IB/mlx5: Fix an error code in __mlx5_ib_modify_qp()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 5d414b178e950ce9685c253994cc730893d5d887 ]
+
+"err" is either zero or possibly uninitialized here. It should be
+-EINVAL.
+
+Fixes: 427c1e7bcd7e ("{IB, net}/mlx5: Move the modify QP operation table to mlx5_ib")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx5/qp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -2877,8 +2877,10 @@ static int __mlx5_ib_modify_qp(struct ib
+ goto out;
+
+ if (mlx5_cur >= MLX5_QP_NUM_STATE || mlx5_new >= MLX5_QP_NUM_STATE ||
+- !optab[mlx5_cur][mlx5_new])
++ !optab[mlx5_cur][mlx5_new]) {
++ err = -EINVAL;
+ goto out;
++ }
+
+ op = optab[mlx5_cur][mlx5_new];
+ optpar = ib_mask_to_mlx5_opt(attr_mask);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Honggang Li <honli@redhat.com>
+Date: Fri, 16 Mar 2018 10:37:13 +0800
+Subject: IB/mlx5: Set the default active rate and width to QDR and 4X
+
+From: Honggang Li <honli@redhat.com>
+
+[ Upstream commit 7672ed33c4c15dbe9d56880683baaba4227cf940 ]
+
+Before commit f1b65df5a232 ("IB/mlx5: Add support for active_width and
+active_speed in RoCE"), the mlx5_ib driver set the default active_width
+and active_speed to IB_WIDTH_4X and IB_SPEED_QDR.
+
+When the RoCE port is down, the RoCE port does not negotiate the active
+width with the remote side, causing the active width to be zero. When
+running userspace ibstat to view the port status, ibstat will panic as it
+reads an invalid width from sys file.
+
+This patch restores the original behavior.
+
+Fixes: f1b65df5a232 ("IB/mlx5: Add support for active_width and active_speed in RoCE").
+Signed-off-by: Honggang Li <honli@redhat.com>
+Reviewed-by: Hal Rosenstock <hal@mellanox.com>
+Reviewed-by: Noa Osherovich <noaos@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -270,6 +270,9 @@ static int mlx5_query_port_roce(struct i
+ if (err)
+ return err;
+
++ props->active_width = IB_WIDTH_4X;
++ props->active_speed = IB_SPEED_QDR;
++
+ translate_eth_proto_oper(eth_prot_oper, &props->active_speed,
+ &props->active_width);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Mikhail Malygin <mikhail@malygin.me>
+Date: Mon, 2 Apr 2018 12:26:59 +0300
+Subject: IB/rxe: Fix for oops in rxe_register_device on ppc64le arch
+
+From: Mikhail Malygin <mikhail@malygin.me>
+
+[ Upstream commit efc365e7290d040fbd43f60b0e97653489a739d4 ]
+
+On ppc64le arch rxe_add command causes oops in kernel log:
+
+[ 92.495140] Oops: Kernel access of bad area, sig: 11 [#1]
+[ 92.499710] SMP NR_CPUS=2048 NUMA pSeries
+[ 92.499792] Modules linked in: ipt_MASQUERADE(E) nf_nat_masquerade_ipv4(E) nf_conntrack_netlink(E) nfnetlink(E) xfrm_user(E) iptable
+_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) xt_addrtype(E) iptable_filter(E) ip_tables(E) xt_conntrack(E) x_tables(E)
+ nf_nat(E) nf_conntrack(E) br_netfilter(E) bridge(E) stp(E) llc(E) overlay(E) af_packet(E) rpcrdma(E) ib_isert(E) iscsi_target_mod(E) i
+b_iser(E) libiscsi(E) ib_srpt(E) target_core_mod(E) ib_srp(E) ib_ipoib(E) rdma_ucm(E) ib_ucm(E) ib_uverbs(E) ib_umad(E) bochs_drm(E) tt
+m(E) drm_kms_helper(E) syscopyarea(E) sysfillrect(E) sysimgblt(E) fb_sys_fops(E) drm(E) agpgart(E) virtio_rng(E) virtio_console(E) rtc_
+generic(E) dm_ec(OEN) ttln_rdma(OEN) rdma_cm(E) configfs(E) iw_cm(E) ib_cm(E) rdma_rxe(E) ip6_udp_tunnel(E) udp_tunnel(E) ib_core(E) ql
+a2xxx(E)
+[ 92.499832] scsi_transport_fc(E) nvme_fc(E) nvme_fabrics(E) nvme_core(E) ipmi_watchdog(E) ipmi_ssif(E) ipmi_poweroff(E) ipmi_powernv(EX) ipmi_devintf(E) ipmi_msghandler(E) dummy(E) ext4(E) crc16(E) jbd2(E) mbcache(E) dm_service_time(E) scsi_transport_iscsi(E) sd_mod(E) sr_mod(E) cdrom(E) hid_generic(E) usbhid(E) virtio_blk(E) virtio_scsi(E) virtio_net(E) ibmvscsi(EX) scsi_transport_srp(E) xhci_pci(E) xhci_hcd(E) usbcore(E) usb_common(E) virtio_pci(E) virtio_ring(E) virtio(E) sunrpc(E) dm_mirror(E) dm_region_hash(E) dm_log(E) sg(E) dm_multipath(E) dm_mod(E) scsi_dh_rdac(E) scsi_dh_emc(E) scsi_dh_alua(E) scsi_mod(E) autofs4(E)
+[ 92.499834] Supported: No, Unsupported modules are loaded
+[ 92.499839] CPU: 3 PID: 5576 Comm: sh Tainted: G OE NX 4.4.120-ttln.17-default #1
+[ 92.499841] task: c0000000afe8a490 ti: c0000000beba8000 task.ti: c0000000beba8000
+[ 92.499842] NIP: c00000000008ba3c LR: c000000000027644 CTR: c00000000008ba10
+[ 92.499844] REGS: c0000000bebab750 TRAP: 0300 Tainted: G OE NX (4.4.120-ttln.17-default)
+[ 92.499850] MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 28424428 XER: 20000000
+[ 92.499871] CFAR: 0000000000002424 DAR: 0000000000000208 DSISR: 40000000 SOFTE: 1
+ GPR00: c000000000027644 c0000000bebab9d0 c000000000f09700 0000000000000000
+ GPR04: d0000000043d7192 0000000000000002 000000000000001a fffffffffffffffe
+ GPR08: 000000000000009c c00000000008ba10 d0000000043e5848 d0000000043d3828
+ GPR12: c00000000008ba10 c000000007a02400 0000000010062e38 0000010020388860
+ GPR16: 0000000000000000 0000000000000000 00000100203885f0 00000000100f6c98
+ GPR20: c0000000b3f1fcc0 c0000000b3f1fc48 c0000000b3f1fbd0 c0000000b3f1fb58
+ GPR24: c0000000b3f1fae0 c0000000b3f1fa68 00000000000005dc c0000000b3f1f9f0
+ GPR28: d0000000043e5848 c0000000b3f1f900 c0000000b3f1f320 c0000000b3f1f000
+[ 92.499881] NIP [c00000000008ba3c] dma_get_required_mask_pSeriesLP+0x2c/0x1a0
+[ 92.499885] LR [c000000000027644] dma_get_required_mask+0x44/0xac
+[ 92.499886] Call Trace:
+[ 92.499891] [c0000000bebab9d0] [c0000000bebaba30] 0xc0000000bebaba30 (unreliable)
+[ 92.499894] [c0000000bebaba10] [c000000000027644] dma_get_required_mask+0x44/0xac
+[ 92.499904] [c0000000bebaba30] [d0000000043cb4b4] rxe_register_device+0xc4/0x430 [rdma_rxe]
+[ 92.499910] [c0000000bebabab0] [d0000000043c06c8] rxe_add+0x448/0x4e0 [rdma_rxe]
+[ 92.499915] [c0000000bebabb30] [d0000000043d28dc] rxe_net_add+0x4c/0xf0 [rdma_rxe]
+[ 92.499921] [c0000000bebabb60] [d0000000043d305c] rxe_param_set_add+0x6c/0x1ac [rdma_rxe]
+[ 92.499924] [c0000000bebabbf0] [c0000000000e78c0] param_attr_store+0xa0/0x180
+[ 92.499927] [c0000000bebabc70] [c0000000000e6448] module_attr_store+0x48/0x70
+[ 92.499932] [c0000000bebabc90] [c000000000391f60] sysfs_kf_write+0x70/0xb0
+[ 92.499935] [c0000000bebabcb0] [c000000000390f1c] kernfs_fop_write+0x18c/0x1e0
+[ 92.499939] [c0000000bebabd00] [c0000000002e22ac] __vfs_write+0x4c/0x1d0
+[ 92.499942] [c0000000bebabd90] [c0000000002e2f94] vfs_write+0xc4/0x200
+[ 92.499945] [c0000000bebabde0] [c0000000002e488c] SyS_write+0x6c/0x110
+[ 92.499948] [c0000000bebabe30] [c000000000009384] system_call+0x38/0xe4
+[ 92.499949] Instruction dump:
+[ 92.499954] 4e800020 3c4c00e8 3842dcf0 7c0802a6 f8010010 60000000 7c0802a6 fba1ffe8
+[ 92.499958] fbc1fff0 fbe1fff8 f8010010 f821ffc1 <e9230208> 7c7e1b78 2fa90000 419e0078
+[ 92.499962] ---[ end trace bed077e15eb420cf ]---
+
+It fails in dma_get_required_mask, that has ppc-specific implementation,
+and fail if provided device argument is NULL
+
+Signed-off-by: Mikhail Malygin <mikhail@malygin.me>
+Reviewed-by: Yonatan Cohen <yonatanc@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/sw/rxe/rxe_verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
+@@ -1206,7 +1206,7 @@ int rxe_register_device(struct rxe_dev *
+ rxe->ndev->dev_addr);
+ dev->dev.dma_ops = &dma_virt_ops;
+ dma_coerce_mask_and_coherent(&dev->dev,
+- dma_get_required_mask(dev->dev.parent));
++ dma_get_required_mask(&dev->dev));
+
+ dev->uverbs_abi_ver = RXE_UVERBS_ABI_VERSION;
+ dev->uverbs_cmd_mask = BIT_ULL(IB_USER_VERBS_CMD_GET_CONTEXT)
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Matan Barak <matanb@mellanox.com>
+Date: Tue, 13 Feb 2018 12:18:32 +0200
+Subject: IB/uverbs: Fix method merging in uverbs_ioctl_merge
+
+From: Matan Barak <matanb@mellanox.com>
+
+[ Upstream commit 3d89459e2ef92cc0e5a50dde868780ccda9786c1 ]
+
+Fix a bug in uverbs_ioctl_merge that looked at the object's iterator
+number instead of the method's iterator number when merging methods.
+
+While we're at it, make the uverbs_ioctl_merge code a bit more clear
+and faster.
+
+Fixes: 118620d3686b ('IB/core: Add uverbs merge trees functionality')
+Signed-off-by: Matan Barak <matanb@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/uverbs_ioctl_merge.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs_ioctl_merge.c
++++ b/drivers/infiniband/core/uverbs_ioctl_merge.c
+@@ -114,6 +114,7 @@ static size_t get_elements_above_id(cons
+ short min = SHRT_MAX;
+ const void *elem;
+ int i, j, last_stored = -1;
++ unsigned int equal_min = 0;
+
+ for_each_element(elem, i, j, elements, num_elements, num_offset,
+ data_offset) {
+@@ -136,6 +137,10 @@ static size_t get_elements_above_id(cons
+ */
+ iters[last_stored == i ? num_iters - 1 : num_iters++] = elem;
+ last_stored = i;
++ if (min == GET_ID(id))
++ equal_min++;
++ else
++ equal_min = 1;
+ min = GET_ID(id);
+ }
+
+@@ -146,15 +151,10 @@ static size_t get_elements_above_id(cons
+ * Therefore, we need to clean the beginning of the array to make sure
+ * all ids of final elements are equal to min.
+ */
+- for (i = num_iters - 1; i >= 0 &&
+- GET_ID(*(u16 *)(iters[i] + id_offset)) == min; i--)
+- ;
+-
+- num_iters -= i + 1;
+- memmove(iters, iters + i + 1, sizeof(*iters) * num_iters);
++ memmove(iters, iters + num_iters - equal_min, sizeof(*iters) * equal_min);
+
+ *min_id = min;
+- return num_iters;
++ return equal_min;
+ }
+
+ #define find_max_element_entry_id(num_elements, elements, num_objects_fld, \
+@@ -322,7 +322,7 @@ static struct uverbs_method_spec *build_
+ hash = kzalloc(sizeof(*hash) +
+ ALIGN(sizeof(*hash->attrs) * (attr_max_bucket + 1),
+ sizeof(long)) +
+- BITS_TO_LONGS(attr_max_bucket) * sizeof(long),
++ BITS_TO_LONGS(attr_max_bucket + 1) * sizeof(long),
+ GFP_KERNEL);
+ if (!hash) {
+ res = -ENOMEM;
+@@ -509,7 +509,7 @@ static struct uverbs_object_spec *build_
+ * first handler which != NULL. This also defines the
+ * set of flags used for this handler.
+ */
+- for (i = num_object_defs - 1;
++ for (i = num_method_defs - 1;
+ i >= 0 && !method_defs[i]->handler; i--)
+ ;
+ hash->methods[min_id++] = method;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Matan Barak <matanb@mellanox.com>
+Date: Tue, 13 Feb 2018 12:18:35 +0200
+Subject: IB/uverbs: Fix possible oops with duplicate ioctl attributes
+
+From: Matan Barak <matanb@mellanox.com>
+
+[ Upstream commit 4d39a959bc1f3d164b5a54147fdeb19f84b1ed58 ]
+
+If the same attribute is listed twice by the user in the ioctl attribute
+list then error unwind can cause the kernel to deref garbage.
+
+This happens when an object with WRITE access is sent twice. The second
+parse properly fails but corrupts the state required for the error unwind
+it triggers.
+
+Fixing this by making duplicates in the attribute list invalid. This is
+not something we need to support.
+
+The ioctl interface is currently recommended to be disabled in kConfig.
+
+Signed-off-by: Matan Barak <matanb@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/uverbs_ioctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/uverbs_ioctl.c
++++ b/drivers/infiniband/core/uverbs_ioctl.c
+@@ -59,6 +59,9 @@ static int uverbs_process_attr(struct ib
+ return 0;
+ }
+
++ if (test_bit(attr_id, attr_bundle_h->valid_bitmap))
++ return -EINVAL;
++
+ spec = &attr_spec_bucket->attrs[attr_id];
+ e = &elements[attr_id];
+ e->uattr = uattr_ptr;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Jason Gunthorpe <jgg@mellanox.com>
+Date: Tue, 13 Feb 2018 12:18:40 +0200
+Subject: IB/uverbs: Fix unbalanced unlock on error path for rdma_explicit_destroy
+
+From: Jason Gunthorpe <jgg@mellanox.com>
+
+[ Upstream commit ec6f8401c48a86809237e86878a6fac6b281118f ]
+
+If remove_commit fails then the lock is left locked while the uobj still
+exists. Eventually the kernel will deadlock.
+
+lockdep detects this and says:
+
+ test/4221 is leaving the kernel with locks still held!
+ 1 lock held by test/4221:
+ #0: (&ucontext->cleanup_rwsem){.+.+}, at: [<000000001e5c7523>] rdma_explicit_destroy+0x37/0x120 [ib_uverbs]
+
+Fixes: 4da70da23e9b ("IB/core: Explicitly destroy an object while keeping uobject")
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/rdma_core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/core/rdma_core.c
++++ b/drivers/infiniband/core/rdma_core.c
+@@ -486,12 +486,13 @@ int rdma_explicit_destroy(struct ib_uobj
+ ret = uobject->type->type_class->remove_commit(uobject,
+ RDMA_REMOVE_DESTROY);
+ if (ret)
+- return ret;
++ goto out;
+
+ uobject->type = &null_obj_type;
+
++out:
+ up_read(&ucontext->cleanup_rwsem);
+- return 0;
++ return ret;
+ }
+
+ static void alloc_commit_idr_uobject(struct ib_uobject *uobj)
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Date: Mon, 19 Feb 2018 20:12:57 -0600
+Subject: ibmvnic: Check for NULL skb's in NAPI poll routine
+
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+
+[ Upstream commit abe27a885d9e6575e663a16176dabc58ce9d7188 ]
+
+After introduction of commit d0869c0071e4, there were some instances of
+RX queue entries from a previous session (before the device was closed
+and reopened) returned to the NAPI polling routine. Since the corresponding
+socket buffers were freed, this resulted in a panic on reopen. Include
+a check for a NULL skb here to avoid this.
+
+Fixes: d0869c0071e4 ("ibmvnic: Clean RX pool buffers during device close")
+Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1668,6 +1668,11 @@ restart_poll:
+ dev_kfree_skb_any(rx_buff->skb);
+ remove_buff_from_pool(adapter, rx_buff);
+ continue;
++ } else if (!rx_buff->skb) {
++ /* free the entry */
++ next->rx_comp.first = 0;
++ remove_buff_from_pool(adapter, rx_buff);
++ continue;
+ }
+
+ length = be32_to_cpu(next->rx_comp.len);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Date: Tue, 13 Feb 2018 18:23:43 -0600
+Subject: ibmvnic: Clean RX pool buffers during device close
+
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+
+[ Upstream commit d0869c0071e40c4407d1a4d7c9497653cf47253b ]
+
+During device close or reset, there were some cases of outstanding
+RX socket buffers not being freed. Include a function similar to the
+one that already exists to clean TX socket buffers in this case.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 31 ++++++++++++++++++++++++++++++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -933,6 +933,35 @@ static int ibmvnic_open(struct net_devic
+ return rc;
+ }
+
++static void clean_rx_pools(struct ibmvnic_adapter *adapter)
++{
++ struct ibmvnic_rx_pool *rx_pool;
++ u64 rx_entries;
++ int rx_scrqs;
++ int i, j;
++
++ if (!adapter->rx_pool)
++ return;
++
++ rx_scrqs = be32_to_cpu(adapter->login_rsp_buf->num_rxadd_subcrqs);
++ rx_entries = adapter->req_rx_add_entries_per_subcrq;
++
++ /* Free any remaining skbs in the rx buffer pools */
++ for (i = 0; i < rx_scrqs; i++) {
++ rx_pool = &adapter->rx_pool[i];
++ if (!rx_pool)
++ continue;
++
++ netdev_dbg(adapter->netdev, "Cleaning rx_pool[%d]\n", i);
++ for (j = 0; j < rx_entries; j++) {
++ if (rx_pool->rx_buff[j].skb) {
++ dev_kfree_skb_any(rx_pool->rx_buff[j].skb);
++ rx_pool->rx_buff[j].skb = NULL;
++ }
++ }
++ }
++}
++
+ static void clean_tx_pools(struct ibmvnic_adapter *adapter)
+ {
+ struct ibmvnic_tx_pool *tx_pool;
+@@ -1010,7 +1039,7 @@ static int __ibmvnic_close(struct net_de
+ }
+ }
+ }
+-
++ clean_rx_pools(adapter);
+ clean_tx_pools(adapter);
+ adapter->state = VNIC_CLOSED;
+ return rc;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Date: Mon, 26 Feb 2018 18:10:55 -0600
+Subject: ibmvnic: Fix TX descriptor tracking again
+
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+
+[ Upstream commit ecba616e041e64840d14e294b089ca355614b7fb ]
+
+Sorry, the previous change introduced a race condition between
+transmit completion processing and tracking TX descriptors. If a
+completion is received before the number of descriptors is logged,
+the number of descriptors will be add but not removed. After enough
+times, this could halt the transmit queue forever.
+
+Log the number of descriptors used by a transmit before sending.
+I stress tested the fix on two different systems running over the
+weekend without any issues.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1286,6 +1286,7 @@ static int ibmvnic_xmit(struct sk_buff *
+ skb->protocol == htons(ETH_P_IPV6))) {
+ build_hdr_descs_arr(tx_buff, &num_entries, *hdrs);
+ tx_crq.v1.n_crq_elem = num_entries;
++ tx_buff->num_entries = num_entries;
+ tx_buff->indir_arr[0] = tx_crq;
+ tx_buff->indir_dma = dma_map_single(dev, tx_buff->indir_arr,
+ sizeof(tx_buff->indir_arr),
+@@ -1304,6 +1305,7 @@ static int ibmvnic_xmit(struct sk_buff *
+ (u64)tx_buff->indir_dma,
+ (u64)num_entries);
+ } else {
++ tx_buff->num_entries = num_entries;
+ lpar_rc = send_subcrq(adapter, handle_array[queue_num],
+ &tx_crq);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Date: Tue, 13 Feb 2018 18:23:42 -0600
+Subject: ibmvnic: Free RX socket buffer in case of adapter error
+
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+
+[ Upstream commit 4b9b0f01350500173f17e2b2e65beb4df4ef99c7 ]
+
+If a RX buffer is returned to the client driver with an error, free the
+corresponding socket buffer before continuing.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1636,6 +1636,7 @@ restart_poll:
+ be16_to_cpu(next->rx_comp.rc));
+ /* free the entry */
+ next->rx_comp.first = 0;
++ dev_kfree_skb_any(rx_buff->skb);
+ remove_buff_from_pool(adapter, rx_buff);
+ continue;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Date: Tue, 13 Feb 2018 15:32:50 -0600
+Subject: ibmvnic: Wait until reset is complete to set carrier on
+
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+
+[ Upstream commit cc85c02edfe48a34865ae00f7d22298a3fdd17aa ]
+
+Pushes back setting the carrier on until the end of the reset
+code. This resolves a bug where a watchdog timer was detecting
+that a TX queue had stalled before the adapter reset was complete.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1460,8 +1460,6 @@ static int do_reset(struct ibmvnic_adapt
+ return 0;
+ }
+
+- netif_carrier_on(netdev);
+-
+ /* kick napi */
+ for (i = 0; i < adapter->req_rx_queues; i++)
+ napi_schedule(&adapter->napi[i]);
+@@ -1469,6 +1467,8 @@ static int do_reset(struct ibmvnic_adapt
+ if (adapter->reset_reason != VNIC_RESET_FAILOVER)
+ netdev_notify_peers(netdev);
+
++ netif_carrier_on(netdev);
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Date: Fri, 6 Apr 2018 18:37:03 -0500
+Subject: ibmvnic: Zero used TX descriptor counter on reset
+
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+
+[ Upstream commit 41f714672f93608751dbd2fa2291d476a8ff0150 ]
+
+The counter that tracks used TX descriptors pending completion
+needs to be zeroed as part of a device reset. This change fixes
+a bug causing transmit queues to be stopped unnecessarily and in
+some cases a transmit queue stall and timeout reset. If the counter
+is not reset, the remaining descriptors will not be "removed",
+effectively reducing queue capacity. If the queue is over half full,
+it will cause the queue to stall if stopped.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1962,6 +1962,7 @@ static int reset_one_sub_crq_queue(struc
+ }
+
+ memset(scrq->msgs, 0, 4 * PAGE_SIZE);
++ atomic_set(&scrq->used, 0);
+ scrq->cur = 0;
+
+ rc = h_reg_sub_crq(adapter->vdev->unit_address, scrq->msg_token,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Harry Morris <h.morris@cascoda.com>
+Date: Wed, 28 Mar 2018 11:54:27 +0100
+Subject: ieee802154: ca8210: fix uninitialised data read
+
+From: Harry Morris <h.morris@cascoda.com>
+
+[ Upstream commit 86674a97f5055f4c7f406563408096e8cf9364ff ]
+
+In ca8210_test_int_user_write() a user can request the transfer of a
+frame with a length field (command.length) that is longer than the
+actual buffer provided (len). In this scenario the driver will copy
+the buffer contents into the uninitialised command[] buffer, then
+transfer <data.length> bytes over the SPI even though only <len> bytes
+had been populated, potentially leaking sensitive kernel memory.
+
+Also the first 6 bytes of the command buffer must be initialised in case
+a malformed, short packet is written and the uninitialised bytes are
+read in ca8210_test_check_upstream.
+
+Reported-by: Domen Puncer Kugler <domen.puncer@samsung.com>
+Signed-off-by: Harry Morris <h.morris@cascoda.com>
+Tested-by: Harry Morris <h.morris@cascoda.com>
+Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ieee802154/ca8210.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -2493,13 +2493,14 @@ static ssize_t ca8210_test_int_user_writ
+ struct ca8210_priv *priv = filp->private_data;
+ u8 command[CA8210_SPI_BUF_SIZE];
+
+- if (len > CA8210_SPI_BUF_SIZE) {
++ memset(command, SPI_IDLE, 6);
++ if (len > CA8210_SPI_BUF_SIZE || len < 2) {
+ dev_warn(
+ &priv->spi->dev,
+- "userspace requested erroneously long write (%zu)\n",
++ "userspace requested erroneous write length (%zu)\n",
+ len
+ );
+- return -EMSGSIZE;
++ return -EBADE;
+ }
+
+ ret = copy_from_user(command, in_buf, len);
+@@ -2511,6 +2512,13 @@ static ssize_t ca8210_test_int_user_writ
+ );
+ return -EIO;
+ }
++ if (len != command[1] + 2) {
++ dev_err(
++ &priv->spi->dev,
++ "write len does not match packet length field\n"
++ );
++ return -EBADE;
++ }
+
+ ret = ca8210_test_check_upstream(command, priv->spi);
+ if (ret == 0) {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Petr Vorel <pvorel@suse.cz>
+Date: Fri, 23 Mar 2018 14:41:08 +0100
+Subject: ima: Fallback to the builtin hash algorithm
+
+From: Petr Vorel <pvorel@suse.cz>
+
+[ Upstream commit ab60368ab6a452466885ef4edf0cefd089465132 ]
+
+IMA requires having it's hash algorithm be compiled-in due to it's
+early use. The default IMA algorithm is protected by Kconfig to be
+compiled-in.
+
+The ima_hash kernel parameter allows to choose the hash algorithm. When
+the specified algorithm is not available or available as a module, IMA
+initialization fails, which leads to a kernel panic (mknodat syscall calls
+ima_post_path_mknod()). Therefore as fallback we force IMA to use
+the default builtin Kconfig hash algorithm.
+
+Fixed crash:
+
+$ grep CONFIG_CRYPTO_MD4 .config
+CONFIG_CRYPTO_MD4=m
+
+[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.12.14-2.3-default root=UUID=74ae8202-9ca7-4e39-813b-22287ec52f7a video=1024x768-16 plymouth.ignore-serial-consoles console=ttyS0 console=tty resume=/dev/disk/by-path/pci-0000:00:07.0-part3 splash=silent showopts ima_hash=md4
+...
+[ 1.545190] ima: Can not allocate md4 (reason: -2)
+...
+[ 2.610120] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 2.611903] IP: ima_match_policy+0x23/0x390
+[ 2.612967] PGD 0 P4D 0
+[ 2.613080] Oops: 0000 [#1] SMP
+[ 2.613080] Modules linked in: autofs4
+[ 2.613080] Supported: Yes
+[ 2.613080] CPU: 0 PID: 1 Comm: systemd Not tainted 4.12.14-2.3-default #1
+[ 2.613080] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+[ 2.613080] task: ffff88003e2d0040 task.stack: ffffc90000190000
+[ 2.613080] RIP: 0010:ima_match_policy+0x23/0x390
+[ 2.613080] RSP: 0018:ffffc90000193e88 EFLAGS: 00010296
+[ 2.613080] RAX: 0000000000000000 RBX: 000000000000000c RCX: 0000000000000004
+[ 2.613080] RDX: 0000000000000010 RSI: 0000000000000001 RDI: ffff880037071728
+[ 2.613080] RBP: 0000000000008000 R08: 0000000000000000 R09: 0000000000000000
+[ 2.613080] R10: 0000000000000008 R11: 61c8864680b583eb R12: 00005580ff10086f
+[ 2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000008000
+[ 2.613080] FS: 00007f5c1da08940(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
+[ 2.613080] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 2.613080] CR2: 0000000000000000 CR3: 0000000037002000 CR4: 00000000003406f0
+[ 2.613080] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 2.613080] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 2.613080] Call Trace:
+[ 2.613080] ? shmem_mknod+0xbf/0xd0
+[ 2.613080] ima_post_path_mknod+0x1c/0x40
+[ 2.613080] SyS_mknod+0x210/0x220
+[ 2.613080] entry_SYSCALL_64_fastpath+0x1a/0xa5
+[ 2.613080] RIP: 0033:0x7f5c1bfde570
+[ 2.613080] RSP: 002b:00007ffde1c90dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000085
+[ 2.613080] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5c1bfde570
+[ 2.613080] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 00005580ff10086f
+[ 2.613080] RBP: 00007ffde1c91040 R08: 00005580ff10086f R09: 0000000000000000
+[ 2.613080] R10: 0000000000104000 R11: 0000000000000246 R12: 00005580ffb99660
+[ 2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
+[ 2.613080] Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 57 41 56 44 8d 14 09 41 55 41 54 55 53 44 89 d3 09 cb 48 83 ec 38 48 8b 05 c5 03 29 01 <4c> 8b 20 4c 39 e0 0f 84 d7 01 00 00 4c 89 44 24 08 89 54 24 20
+[ 2.613080] RIP: ima_match_policy+0x23/0x390 RSP: ffffc90000193e88
+[ 2.613080] CR2: 0000000000000000
+[ 2.613080] ---[ end trace 9a9f0a8a73079f6a ]---
+[ 2.673052] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
+[ 2.673052]
+[ 2.675337] Kernel Offset: disabled
+[ 2.676405] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
+
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/ima/ima_crypto.c | 2 ++
+ security/integrity/ima/ima_main.c | 13 +++++++++++++
+ 2 files changed, 15 insertions(+)
+
+--- a/security/integrity/ima/ima_crypto.c
++++ b/security/integrity/ima/ima_crypto.c
+@@ -78,6 +78,8 @@ int __init ima_init_crypto(void)
+ hash_algo_name[ima_hash_algo], rc);
+ return rc;
+ }
++ pr_info("Allocated hash algorithm: %s\n",
++ hash_algo_name[ima_hash_algo]);
+ return 0;
+ }
+
+--- a/security/integrity/ima/ima_main.c
++++ b/security/integrity/ima/ima_main.c
+@@ -16,6 +16,9 @@
+ * implements the IMA hooks: ima_bprm_check, ima_file_mmap,
+ * and ima_file_check.
+ */
++
++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
++
+ #include <linux/module.h>
+ #include <linux/file.h>
+ #include <linux/binfmts.h>
+@@ -427,6 +430,16 @@ static int __init init_ima(void)
+ ima_init_template_list();
+ hash_setup(CONFIG_IMA_DEFAULT_HASH);
+ error = ima_init();
++
++ if (error && strcmp(hash_algo_name[ima_hash_algo],
++ CONFIG_IMA_DEFAULT_HASH) != 0) {
++ pr_info("Allocating %s failed, going to use default hash algorithm %s\n",
++ hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH);
++ hash_setup_done = 0;
++ hash_setup(CONFIG_IMA_DEFAULT_HASH);
++ error = ima_init();
++ }
++
+ if (!error) {
+ ima_initialized = 1;
+ ima_update_policy_flag();
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jiandi An <anjiandi@codeaurora.org>
+Date: Tue, 6 Mar 2018 23:26:26 -0600
+Subject: ima: Fix Kconfig to select TPM 2.0 CRB interface
+
+From: Jiandi An <anjiandi@codeaurora.org>
+
+[ Upstream commit fac37c628fd5d68fd7298d9b57ae8601ee1b4723 ]
+
+TPM_CRB driver provides TPM CRB 2.0 support. If it is built as a
+module, the TPM chip is registered after IMA init. tpm_pcr_read() in
+IMA fails and displays the following message even though eventually
+there is a TPM chip on the system.
+
+ima: No TPM chip found, activating TPM-bypass! (rc=-19)
+
+Fix IMA Kconfig to select TPM_CRB so TPM_CRB driver is built in the kernel
+and initializes before IMA.
+
+Signed-off-by: Jiandi An <anjiandi@codeaurora.org>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/ima/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/integrity/ima/Kconfig
++++ b/security/integrity/ima/Kconfig
+@@ -10,6 +10,7 @@ config IMA
+ select CRYPTO_HASH_INFO
+ select TCG_TPM if HAS_IOMEM && !UML
+ select TCG_TIS if TCG_TPM && X86
++ select TCG_CRB if TCG_TPM && ACPI
+ select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
+ help
+ The Trusted Computing Group(TCG) runtime Integrity
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Mon, 12 Feb 2018 17:26:20 -0800
+Subject: integrity/security: fix digsig.c build error with header file
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 120f3b11ef88fc38ce1d0ff9c9a4b37860ad3140 ]
+
+security/integrity/digsig.c has build errors on some $ARCH due to a
+missing header file, so add it.
+
+ security/integrity/digsig.c:146:2: error: implicit declaration of function 'vfree' [-Werror=implicit-function-declaration]
+
+Reported-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Cc: linux-integrity@vger.kernel.org
+Link: http://kisskb.ellerman.id.au/kisskb/head/13396/
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/digsig.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/integrity/digsig.c
++++ b/security/integrity/digsig.c
+@@ -18,6 +18,7 @@
+ #include <linux/cred.h>
+ #include <linux/key-type.h>
+ #include <linux/digsig.h>
++#include <linux/vmalloc.h>
+ #include <crypto/public_key.h>
+ #include <keys/system_keyring.h>
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Thu, 1 Mar 2018 10:15:32 +0200
+Subject: intel_th: Use correct method of finding hub
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+[ Upstream commit 9ad577087165478c9d9be82b15ed9bf2db5835f5 ]
+
+Since commit 8edc514b01e9 ("intel_th: Make SOURCE devices children of the
+root device") the hub is not the parent of SOURCE devices any more, so the
+new helper function should be used for that instead of always using the
+parent. The intel_th_set_output() path, however, still uses the old
+logic, leading to the hub driver structure being aliased with something
+else, like struct pci_driver or struct acpi_driver, and an incorrect call
+to an address inferred from that, potentially resulting in a crash.
+
+Fixes: 8edc514b01e9 ("intel_th: Make SOURCE devices children of the root device")
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/intel_th/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/intel_th/core.c
++++ b/drivers/hwtracing/intel_th/core.c
+@@ -935,7 +935,7 @@ EXPORT_SYMBOL_GPL(intel_th_trace_disable
+ int intel_th_set_output(struct intel_th_device *thdev,
+ unsigned int master)
+ {
+- struct intel_th_device *hub = to_intel_th_device(thdev->dev.parent);
++ struct intel_th_device *hub = to_intel_th_hub(thdev);
+ struct intel_th_driver *hubdrv = to_intel_th_driver(hub->dev.driver);
+
+ if (!hubdrv->set_output)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Thu, 22 Mar 2018 16:22:33 +0100
+Subject: iommu/amd: Take into account that alloc_dev_data() may return NULL
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 39ffe39545cd5cb5b8cee9f0469165cf24dc62c2 ]
+
+find_dev_data() does not check whether the return value alloc_dev_data()
+is NULL. This was okay once because the pointer was returned once as-is.
+Since commit df3f7a6e8e85 ("iommu/amd: Use is_attach_deferred
+call-back") the pointer may be used within find_dev_data() so a NULL
+check is required.
+
+Cc: Baoquan He <bhe@redhat.com>
+Fixes: df3f7a6e8e85 ("iommu/amd: Use is_attach_deferred call-back")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/amd_iommu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -311,6 +311,8 @@ static struct iommu_dev_data *find_dev_d
+
+ if (dev_data == NULL) {
+ dev_data = alloc_dev_data(devid);
++ if (!dev_data)
++ return NULL;
+
+ if (translation_pre_enabled(iommu))
+ dev_data->defer_attach = true;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Yong Wu <yong.wu@mediatek.com>
+Date: Sun, 18 Mar 2018 09:52:54 +0800
+Subject: iommu/mediatek: Fix protect memory setting
+
+From: Yong Wu <yong.wu@mediatek.com>
+
+[ Upstream commit 70ca608b2ec6dafa6bb1c2b0691852fc78f8f717 ]
+
+In MediaTek's IOMMU design, When a iommu translation fault occurs
+(HW can NOT translate the destination address to a valid physical
+address), the IOMMU HW output the dirty data into a special memory
+to avoid corrupting the main memory, this is called "protect memory".
+the register(0x114) for protect memory is a little different between
+mt8173 and mt2712.
+
+In the mt8173, bit[30:6] in the register represents [31:7] of the
+physical address. In the 4GB mode, the register bit[31] should be 1.
+While in the mt2712, the bits don't shift. bit[31:7] in the register
+represents [31:7] in the physical address, and bit[1:0] in the
+register represents bit[33:32] of the physical address if it has.
+
+Fixes: e6dec9230862 ("iommu/mediatek: Add mt2712 IOMMU support")
+Reported-by: Honghui Zhang <honghui.zhang@mediatek.com>
+Signed-off-by: Yong Wu <yong.wu@mediatek.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/mtk_iommu.c | 15 ++++++++++-----
+ drivers/iommu/mtk_iommu.h | 1 +
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/iommu/mtk_iommu.c
++++ b/drivers/iommu/mtk_iommu.c
+@@ -60,7 +60,7 @@
+ (((prot) & 0x3) << F_MMU_TF_PROTECT_SEL_SHIFT(data))
+
+ #define REG_MMU_IVRP_PADDR 0x114
+-#define F_MMU_IVRP_PA_SET(pa, ext) (((pa) >> 1) | ((!!(ext)) << 31))
++
+ #define REG_MMU_VLD_PA_RNG 0x118
+ #define F_MMU_VLD_PA_RNG(EA, SA) (((EA) << 8) | (SA))
+
+@@ -532,8 +532,13 @@ static int mtk_iommu_hw_init(const struc
+ F_INT_PRETETCH_TRANSATION_FIFO_FAULT;
+ writel_relaxed(regval, data->base + REG_MMU_INT_MAIN_CONTROL);
+
+- writel_relaxed(F_MMU_IVRP_PA_SET(data->protect_base, data->enable_4GB),
+- data->base + REG_MMU_IVRP_PADDR);
++ if (data->m4u_plat == M4U_MT8173)
++ regval = (data->protect_base >> 1) | (data->enable_4GB << 31);
++ else
++ regval = lower_32_bits(data->protect_base) |
++ upper_32_bits(data->protect_base);
++ writel_relaxed(regval, data->base + REG_MMU_IVRP_PADDR);
++
+ if (data->enable_4GB && data->m4u_plat != M4U_MT8173) {
+ /*
+ * If 4GB mode is enabled, the validate PA range is from
+@@ -688,6 +693,7 @@ static int __maybe_unused mtk_iommu_susp
+ reg->ctrl_reg = readl_relaxed(base + REG_MMU_CTRL_REG);
+ reg->int_control0 = readl_relaxed(base + REG_MMU_INT_CONTROL0);
+ reg->int_main_control = readl_relaxed(base + REG_MMU_INT_MAIN_CONTROL);
++ reg->ivrp_paddr = readl_relaxed(base + REG_MMU_IVRP_PADDR);
+ clk_disable_unprepare(data->bclk);
+ return 0;
+ }
+@@ -710,8 +716,7 @@ static int __maybe_unused mtk_iommu_resu
+ writel_relaxed(reg->ctrl_reg, base + REG_MMU_CTRL_REG);
+ writel_relaxed(reg->int_control0, base + REG_MMU_INT_CONTROL0);
+ writel_relaxed(reg->int_main_control, base + REG_MMU_INT_MAIN_CONTROL);
+- writel_relaxed(F_MMU_IVRP_PA_SET(data->protect_base, data->enable_4GB),
+- base + REG_MMU_IVRP_PADDR);
++ writel_relaxed(reg->ivrp_paddr, base + REG_MMU_IVRP_PADDR);
+ if (data->m4u_dom)
+ writel(data->m4u_dom->cfg.arm_v7s_cfg.ttbr[0],
+ base + REG_MMU_PT_BASE_ADDR);
+--- a/drivers/iommu/mtk_iommu.h
++++ b/drivers/iommu/mtk_iommu.h
+@@ -32,6 +32,7 @@ struct mtk_iommu_suspend_reg {
+ u32 ctrl_reg;
+ u32 int_control0;
+ u32 int_main_control;
++ u32 ivrp_paddr;
+ };
+
+ enum mtk_iommu_plat {
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 27 Feb 2018 19:19:40 +0800
+Subject: ip6_tunnel: fix IFLA_MTU ignored on NEWLINK
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit a6aa80446234ec0ad38eecdb8efc59e91daae565 ]
+
+Commit 128bb975dc3c ("ip6_gre: init dev->mtu and dev->hard_header_len
+correctly") fixed IFLA_MTU ignored on NEWLINK for ip6_gre. The same
+mtu fix is also needed for ip6_tunnel.
+
+Note that dev->hard_header_len setting for ip6_tunnel works fine,
+no need to fix it.
+
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1991,14 +1991,14 @@ static int ip6_tnl_newlink(struct net *s
+ {
+ struct net *net = dev_net(dev);
+ struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id);
+- struct ip6_tnl *nt, *t;
+ struct ip_tunnel_encap ipencap;
++ struct ip6_tnl *nt, *t;
++ int err;
+
+ nt = netdev_priv(dev);
+
+ if (ip6_tnl_netlink_encap_parms(data, &ipencap)) {
+- int err = ip6_tnl_encap_setup(nt, &ipencap);
+-
++ err = ip6_tnl_encap_setup(nt, &ipencap);
+ if (err < 0)
+ return err;
+ }
+@@ -2014,7 +2014,11 @@ static int ip6_tnl_newlink(struct net *s
+ return -EEXIST;
+ }
+
+- return ip6_tnl_create2(dev);
++ err = ip6_tnl_create2(dev);
++ if (!err && tb[IFLA_MTU])
++ ip6_tnl_change_mtu(dev, nla_get_u32(tb[IFLA_MTU]));
++
++ return err;
+ }
+
+ static int ip6_tnl_changelink(struct net_device *dev, struct nlattr *tb[],
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 27 Feb 2018 19:19:39 +0800
+Subject: ip_gre: fix IFLA_MTU ignored on NEWLINK
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit ffc2b6ee417435605ee8bb1eb4c8f02e9ff4b4a5 ]
+
+It's safe to remove the setting of dev's needed_headroom and mtu in
+__gre_tunnel_init, as discussed in [1], ip_tunnel_newlink can do it
+properly.
+
+Now Eric noticed that it could cover the mtu value set in do_setlink
+when creating a ip_gre dev. It makes IFLA_MTU param not take effect.
+
+So this patch is to remove them to make IFLA_MTU work, as in other
+ipv4 tunnels.
+
+ [1]: https://patchwork.ozlabs.org/patch/823504/
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Reported-by: Eric Garver <e@erig.me>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_gre.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -951,9 +951,6 @@ static void __gre_tunnel_init(struct net
+
+ t_hlen = tunnel->hlen + sizeof(struct iphdr);
+
+- dev->needed_headroom = LL_MAX_HEADER + t_hlen + 4;
+- dev->mtu = ETH_DATA_LEN - t_hlen - 4;
+-
+ dev->features |= GRE_FEATURES;
+ dev->hw_features |= GRE_FEATURES;
+
+@@ -1253,8 +1250,6 @@ static int erspan_tunnel_init(struct net
+ sizeof(struct erspanhdr);
+ t_hlen = tunnel->hlen + sizeof(struct iphdr);
+
+- dev->needed_headroom = LL_MAX_HEADER + t_hlen + 4;
+- dev->mtu = ETH_DATA_LEN - t_hlen - 4;
+ dev->features |= GRE_FEATURES;
+ dev->hw_features |= GRE_FEATURES;
+ dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Thu, 15 Mar 2018 17:16:28 +0100
+Subject: ip_tunnel: Clamp MTU to bounds on new link
+
+From: Stefano Brivio <sbrivio@redhat.com>
+
+[ Upstream commit 24fc79798b8ddfd46f2dd363a8d29072c083b977 ]
+
+Otherwise, it's possible to specify invalid MTU values directly
+on creation of a link (via 'ip link add'). This is already
+prevented on subsequent MTU changes by commit b96f9afee4eb
+("ipv4/6: use core net MTU range checking").
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Acked-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_tunnel.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -1104,8 +1104,14 @@ int ip_tunnel_newlink(struct net_device
+ eth_hw_addr_random(dev);
+
+ mtu = ip_tunnel_bind_dev(dev);
+- if (!tb[IFLA_MTU])
++ if (tb[IFLA_MTU]) {
++ unsigned int max = 0xfff8 - dev->hard_header_len - nt->hlen;
++
++ dev->mtu = clamp(dev->mtu, (unsigned int)ETH_MIN_MTU,
++ (unsigned int)(max - sizeof(struct iphdr)));
++ } else {
+ dev->mtu = mtu;
++ }
+
+ ip_tunnel_add(itn, nt);
+ out:
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Kamlakant Patel <kamlakant.patel@cavium.com>
+Date: Tue, 13 Mar 2018 16:32:27 +0530
+Subject: ipmi_ssif: Fix kernel panic at msg_done_handler
+
+From: Kamlakant Patel <kamlakant.patel@cavium.com>
+
+[ Upstream commit f002612b9d86613bc6fde0a444e0095225f6053e ]
+
+This happens when BMC doesn't return any data and the code is trying
+to print the value of data[2].
+
+Getting following crash:
+[ 484.728410] Unable to handle kernel NULL pointer dereference at virtual address 00000002
+[ 484.736496] pgd = ffff0000094a2000
+[ 484.739885] [00000002] *pgd=00000047fcffe003, *pud=00000047fcffd003, *pmd=0000000000000000
+[ 484.748158] Internal error: Oops: 96000005 [#1] SMP
+[...]
+[ 485.101451] Call trace:
+[...]
+[ 485.188473] [<ffff000000a46e68>] msg_done_handler+0x668/0x700 [ipmi_ssif]
+[ 485.195249] [<ffff000000a456b8>] ipmi_ssif_thread+0x110/0x128 [ipmi_ssif]
+[ 485.202038] [<ffff0000080f1430>] kthread+0x108/0x138
+[ 485.206994] [<ffff0000080838e0>] ret_from_fork+0x10/0x30
+[ 485.212294] Code: aa1903e1 aa1803e0 b900227f 95fef6a5 (39400aa3)
+
+Adding a check to validate the data len before printing data[2] to fix this issue.
+
+Signed-off-by: Kamlakant Patel <kamlakant.patel@cavium.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_ssif.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -763,7 +763,7 @@ static void msg_done_handler(struct ssif
+ ssif_info->ssif_state = SSIF_NORMAL;
+ ipmi_ssif_unlock_cond(ssif_info, flags);
+ pr_warn(PFX "Error getting flags: %d %d, %x\n",
+- result, len, data[2]);
++ result, len, (len >= 3) ? data[2] : 0);
+ } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2
+ || data[1] != IPMI_GET_MSG_FLAGS_CMD) {
+ /*
+@@ -785,7 +785,7 @@ static void msg_done_handler(struct ssif
+ if ((result < 0) || (len < 3) || (data[2] != 0)) {
+ /* Error clearing flags */
+ pr_warn(PFX "Error clearing flags: %d %d, %x\n",
+- result, len, data[2]);
++ result, len, (len >= 3) ? data[2] : 0);
+ } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2
+ || data[1] != IPMI_CLEAR_MSG_FLAGS_CMD) {
+ pr_warn(PFX "Invalid response clearing flags: %x %x\n",
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Wed, 14 Mar 2018 10:21:14 +0100
+Subject: ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmtu
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 ]
+
+Prior to the rework of PMTU information storage in commit
+2c8cec5c10bc ("ipv4: Cache learned PMTU information in inetpeer."),
+when a PMTU event advertising a PMTU smaller than
+net.ipv4.route.min_pmtu was received, we would disable setting the DF
+flag on packets by locking the MTU metric, and set the PMTU to
+net.ipv4.route.min_pmtu.
+
+Since then, we don't disable DF, and set PMTU to
+net.ipv4.route.min_pmtu, so the intermediate router that has this link
+with a small MTU will have to drop the packets.
+
+This patch reestablishes pre-2.6.39 behavior by splitting
+rtable->rt_pmtu into a bitfield with rt_mtu_locked and rt_pmtu.
+rt_mtu_locked indicates that we shouldn't set the DF bit on that path,
+and is checked in ip_dont_fragment().
+
+One possible workaround is to set net.ipv4.route.min_pmtu to a value low
+enough to accommodate the lowest MTU encountered.
+
+Fixes: 2c8cec5c10bc ("ipv4: Cache learned PMTU information in inetpeer.")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ip.h | 11 +++++++++--
+ include/net/ip_fib.h | 1 +
+ include/net/route.h | 3 ++-
+ net/ipv4/route.c | 26 +++++++++++++++++++-------
+ net/ipv4/xfrm4_policy.c | 1 +
+ 5 files changed, 32 insertions(+), 10 deletions(-)
+
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -326,6 +326,13 @@ int ip_decrease_ttl(struct iphdr *iph)
+ return --iph->ttl;
+ }
+
++static inline int ip_mtu_locked(const struct dst_entry *dst)
++{
++ const struct rtable *rt = (const struct rtable *)dst;
++
++ return rt->rt_mtu_locked || dst_metric_locked(dst, RTAX_MTU);
++}
++
+ static inline
+ int ip_dont_fragment(const struct sock *sk, const struct dst_entry *dst)
+ {
+@@ -333,7 +340,7 @@ int ip_dont_fragment(const struct sock *
+
+ return pmtudisc == IP_PMTUDISC_DO ||
+ (pmtudisc == IP_PMTUDISC_WANT &&
+- !(dst_metric_locked(dst, RTAX_MTU)));
++ !ip_mtu_locked(dst));
+ }
+
+ static inline bool ip_sk_accept_pmtu(const struct sock *sk)
+@@ -359,7 +366,7 @@ static inline unsigned int ip_dst_mtu_ma
+ struct net *net = dev_net(dst->dev);
+
+ if (net->ipv4.sysctl_ip_fwd_use_pmtu ||
+- dst_metric_locked(dst, RTAX_MTU) ||
++ ip_mtu_locked(dst) ||
+ !forwarding)
+ return dst_mtu(dst);
+
+--- a/include/net/ip_fib.h
++++ b/include/net/ip_fib.h
+@@ -59,6 +59,7 @@ struct fib_nh_exception {
+ int fnhe_genid;
+ __be32 fnhe_daddr;
+ u32 fnhe_pmtu;
++ bool fnhe_mtu_locked;
+ __be32 fnhe_gw;
+ unsigned long fnhe_expires;
+ struct rtable __rcu *fnhe_rth_input;
+--- a/include/net/route.h
++++ b/include/net/route.h
+@@ -63,7 +63,8 @@ struct rtable {
+ __be32 rt_gateway;
+
+ /* Miscellaneous cached information */
+- u32 rt_pmtu;
++ u32 rt_mtu_locked:1,
++ rt_pmtu:31;
+
+ u32 rt_table_id;
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -639,6 +639,7 @@ static inline u32 fnhe_hashfun(__be32 da
+ static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnhe)
+ {
+ rt->rt_pmtu = fnhe->fnhe_pmtu;
++ rt->rt_mtu_locked = fnhe->fnhe_mtu_locked;
+ rt->dst.expires = fnhe->fnhe_expires;
+
+ if (fnhe->fnhe_gw) {
+@@ -649,7 +650,7 @@ static void fill_route_from_fnhe(struct
+ }
+
+ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
+- u32 pmtu, unsigned long expires)
++ u32 pmtu, bool lock, unsigned long expires)
+ {
+ struct fnhe_hash_bucket *hash;
+ struct fib_nh_exception *fnhe;
+@@ -686,8 +687,10 @@ static void update_or_create_fnhe(struct
+ fnhe->fnhe_genid = genid;
+ if (gw)
+ fnhe->fnhe_gw = gw;
+- if (pmtu)
++ if (pmtu) {
+ fnhe->fnhe_pmtu = pmtu;
++ fnhe->fnhe_mtu_locked = lock;
++ }
+ fnhe->fnhe_expires = max(1UL, expires);
+ /* Update all cached dsts too */
+ rt = rcu_dereference(fnhe->fnhe_rth_input);
+@@ -711,6 +714,7 @@ static void update_or_create_fnhe(struct
+ fnhe->fnhe_daddr = daddr;
+ fnhe->fnhe_gw = gw;
+ fnhe->fnhe_pmtu = pmtu;
++ fnhe->fnhe_mtu_locked = lock;
+ fnhe->fnhe_expires = expires;
+
+ /* Exception created; mark the cached routes for the nexthop
+@@ -792,7 +796,8 @@ static void __ip_do_redirect(struct rtab
+ struct fib_nh *nh = &FIB_RES_NH(res);
+
+ update_or_create_fnhe(nh, fl4->daddr, new_gw,
+- 0, jiffies + ip_rt_gc_timeout);
++ 0, false,
++ jiffies + ip_rt_gc_timeout);
+ }
+ if (kill_route)
+ rt->dst.obsolete = DST_OBSOLETE_KILL;
+@@ -1005,15 +1010,18 @@ static void __ip_rt_update_pmtu(struct r
+ {
+ struct dst_entry *dst = &rt->dst;
+ struct fib_result res;
++ bool lock = false;
+
+- if (dst_metric_locked(dst, RTAX_MTU))
++ if (ip_mtu_locked(dst))
+ return;
+
+ if (ipv4_mtu(dst) < mtu)
+ return;
+
+- if (mtu < ip_rt_min_pmtu)
++ if (mtu < ip_rt_min_pmtu) {
++ lock = true;
+ mtu = ip_rt_min_pmtu;
++ }
+
+ if (rt->rt_pmtu == mtu &&
+ time_before(jiffies, dst->expires - ip_rt_mtu_expires / 2))
+@@ -1023,7 +1031,7 @@ static void __ip_rt_update_pmtu(struct r
+ if (fib_lookup(dev_net(dst->dev), fl4, &res, 0) == 0) {
+ struct fib_nh *nh = &FIB_RES_NH(res);
+
+- update_or_create_fnhe(nh, fl4->daddr, 0, mtu,
++ update_or_create_fnhe(nh, fl4->daddr, 0, mtu, lock,
+ jiffies + ip_rt_mtu_expires);
+ }
+ rcu_read_unlock();
+@@ -1276,7 +1284,7 @@ static unsigned int ipv4_mtu(const struc
+
+ mtu = READ_ONCE(dst->dev->mtu);
+
+- if (unlikely(dst_metric_locked(dst, RTAX_MTU))) {
++ if (unlikely(ip_mtu_locked(dst))) {
+ if (rt->rt_uses_gateway && mtu > 576)
+ mtu = 576;
+ }
+@@ -1512,6 +1520,7 @@ struct rtable *rt_dst_alloc(struct net_d
+ rt->rt_is_input = 0;
+ rt->rt_iif = 0;
+ rt->rt_pmtu = 0;
++ rt->rt_mtu_locked = 0;
+ rt->rt_gateway = 0;
+ rt->rt_uses_gateway = 0;
+ rt->rt_table_id = 0;
+@@ -2537,6 +2546,7 @@ struct dst_entry *ipv4_blackhole_route(s
+ rt->rt_is_input = ort->rt_is_input;
+ rt->rt_iif = ort->rt_iif;
+ rt->rt_pmtu = ort->rt_pmtu;
++ rt->rt_mtu_locked = ort->rt_mtu_locked;
+
+ rt->rt_genid = rt_genid_ipv4(net);
+ rt->rt_flags = ort->rt_flags;
+@@ -2639,6 +2649,8 @@ static int rt_fill_info(struct net *net,
+ memcpy(metrics, dst_metrics_ptr(&rt->dst), sizeof(metrics));
+ if (rt->rt_pmtu && expires)
+ metrics[RTAX_MTU - 1] = rt->rt_pmtu;
++ if (rt->rt_mtu_locked && expires)
++ metrics[RTAX_LOCK - 1] |= BIT(RTAX_MTU);
+ if (rtnetlink_put_metrics(skb, metrics) < 0)
+ goto nla_put_failure;
+
+--- a/net/ipv4/xfrm4_policy.c
++++ b/net/ipv4/xfrm4_policy.c
+@@ -100,6 +100,7 @@ static int xfrm4_fill_dst(struct xfrm_ds
+ xdst->u.rt.rt_gateway = rt->rt_gateway;
+ xdst->u.rt.rt_uses_gateway = rt->rt_uses_gateway;
+ xdst->u.rt.rt_pmtu = rt->rt_pmtu;
++ xdst->u.rt.rt_mtu_locked = rt->rt_mtu_locked;
+ xdst->u.rt.rt_table_id = rt->rt_table_id;
+ INIT_LIST_HEAD(&xdst->u.rt.rt_uncached);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Julian Anastasov <ja@ssi.bg>
+Date: Sun, 25 Feb 2018 22:29:18 +0200
+Subject: ipvs: remove IPS_NAT_MASK check to fix passive FTP
+
+From: Julian Anastasov <ja@ssi.bg>
+
+[ Upstream commit 8a949fff0302b50063f74bb345a66190015528d0 ]
+
+The IPS_NAT_MASK check in 4.12 replaced previous check for nfct_nat()
+which was needed to fix a crash in 2.6.36-rc, see
+commit 7bcbf81a2296 ("ipvs: avoid oops for passive FTP").
+But as IPVS does not set the IPS_SRC_NAT and IPS_DST_NAT bits,
+checking for IPS_NAT_MASK prevents PASV response to be properly
+mangled and blocks the transfer. Remove the check as it is not
+needed after 3.12 commit 41d73ec053d2 ("netfilter: nf_conntrack:
+make sequence number adjustments usuable without NAT") which
+changes nfct_nat() with nfct_seqadj() and especially after 3.13
+commit b25adce16064 ("ipvs: correct usage/allocation of seqadj
+ext in ipvs").
+
+Thanks to Li Shuang and Florian Westphal for reporting the problem!
+
+Reported-by: Li Shuang <shuali@redhat.com>
+Fixes: be7be6e161a2 ("netfilter: ipvs: fix incorrect conflict resolution")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipvs/ip_vs_ftp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipvs/ip_vs_ftp.c
++++ b/net/netfilter/ipvs/ip_vs_ftp.c
+@@ -260,7 +260,7 @@ static int ip_vs_ftp_out(struct ip_vs_ap
+ buf_len = strlen(buf);
+
+ ct = nf_ct_get(skb, &ctinfo);
+- if (ct && (ct->status & IPS_NAT_MASK)) {
++ if (ct) {
+ bool mangled;
+
+ /* If mangling fails this function will return 0
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Shaul Triebitz <shaul.triebitz@intel.com>
+Date: Thu, 11 Jan 2018 16:18:46 +0200
+Subject: iwlwifi: avoid collecting firmware dump if not loaded
+
+From: Shaul Triebitz <shaul.triebitz@intel.com>
+
+[ Upstream commit 8745f12a6600dd9d31122588621d4c8ddb332cd7 ]
+
+Trying to collect firmware debug data while firmware
+is not loaded causes various errors (e.g. failing NIC access).
+This causes even a bigger issue if at that time the
+HW radio is off.
+In that case, when later turning the radio on, the Driver
+fails to read the HW (registers contain garbage values).
+(It may be that the CSR_GP_CNTRL_REG_FLAG_RFKILL_WAKE_L1A_EN
+bit is cleared on faulty NIC access - since the same behavior
+was seen in HW RFKILL toggling before setting that bit.)
+
+Signed-off-by: Shaul Triebitz <shaul.triebitz@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 13 +++++++++++--
+ drivers/net/wireless/intel/iwlwifi/fw/dbg.h | 3 +++
+ drivers/net/wireless/intel/iwlwifi/fw/runtime.h | 3 +++
+ drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c | 5 ++---
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 8 ++++++++
+ 5 files changed, 27 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+@@ -8,6 +8,7 @@
+ * Copyright(c) 2008 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -33,6 +34,7 @@
+ * Copyright(c) 2005 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -928,7 +930,6 @@ dump_trans_data:
+
+ out:
+ iwl_fw_free_dump_desc(fwrt);
+- fwrt->dump.trig = NULL;
+ clear_bit(IWL_FWRT_STATUS_DUMPING, &fwrt->status);
+ }
+ IWL_EXPORT_SYMBOL(iwl_fw_error_dump);
+@@ -1084,6 +1085,14 @@ void iwl_fw_error_dump_wk(struct work_st
+ fwrt->ops->dump_start(fwrt->ops_ctx))
+ return;
+
++ if (fwrt->ops && fwrt->ops->fw_running &&
++ !fwrt->ops->fw_running(fwrt->ops_ctx)) {
++ IWL_ERR(fwrt, "Firmware not running - cannot dump error\n");
++ iwl_fw_free_dump_desc(fwrt);
++ clear_bit(IWL_FWRT_STATUS_DUMPING, &fwrt->status);
++ goto out;
++ }
++
+ if (fwrt->trans->cfg->device_family == IWL_DEVICE_FAMILY_7000) {
+ /* stop recording */
+ iwl_fw_dbg_stop_recording(fwrt);
+@@ -1117,7 +1126,7 @@ void iwl_fw_error_dump_wk(struct work_st
+ iwl_write_prph(fwrt->trans, DBGC_OUT_CTRL, out_ctrl);
+ }
+ }
+-
++out:
+ if (fwrt->ops && fwrt->ops->dump_end)
+ fwrt->ops->dump_end(fwrt->ops_ctx);
+ }
+--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.h
++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.h
+@@ -8,6 +8,7 @@
+ * Copyright(c) 2008 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -33,6 +34,7 @@
+ * Copyright(c) 2005 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -91,6 +93,7 @@ static inline void iwl_fw_free_dump_desc
+ if (fwrt->dump.desc != &iwl_dump_desc_assert)
+ kfree(fwrt->dump.desc);
+ fwrt->dump.desc = NULL;
++ fwrt->dump.trig = NULL;
+ }
+
+ void iwl_fw_error_dump(struct iwl_fw_runtime *fwrt);
+--- a/drivers/net/wireless/intel/iwlwifi/fw/runtime.h
++++ b/drivers/net/wireless/intel/iwlwifi/fw/runtime.h
+@@ -6,6 +6,7 @@
+ * GPL LICENSE SUMMARY
+ *
+ * Copyright(c) 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -26,6 +27,7 @@
+ * BSD LICENSE
+ *
+ * Copyright(c) 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -68,6 +70,7 @@
+ struct iwl_fw_runtime_ops {
+ int (*dump_start)(void *ctx);
+ void (*dump_end)(void *ctx);
++ bool (*fw_running)(void *ctx);
+ };
+
+ #define MAX_NUM_LMAC 2
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
+@@ -8,6 +8,7 @@
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -35,6 +36,7 @@
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -1209,9 +1211,6 @@ static ssize_t iwl_dbgfs_fw_dbg_collect_
+ {
+ int ret;
+
+- if (!iwl_mvm_firmware_running(mvm))
+- return -EIO;
+-
+ ret = iwl_mvm_ref_sync(mvm, IWL_MVM_REF_PRPH_WRITE);
+ if (ret)
+ return ret;
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -8,6 +8,7 @@
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -35,6 +36,7 @@
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -553,9 +555,15 @@ static void iwl_mvm_fwrt_dump_end(void *
+ iwl_mvm_unref(mvm, IWL_MVM_REF_FW_DBG_COLLECT);
+ }
+
++static bool iwl_mvm_fwrt_fw_running(void *ctx)
++{
++ return iwl_mvm_firmware_running(ctx);
++}
++
+ static const struct iwl_fw_runtime_ops iwl_mvm_fwrt_ops = {
+ .dump_start = iwl_mvm_fwrt_dump_start,
+ .dump_end = iwl_mvm_fwrt_dump_end,
++ .fw_running = iwl_mvm_fwrt_fw_running,
+ };
+
+ static struct iwl_op_mode *
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Naftali Goldstein <naftali.goldstein@intel.com>
+Date: Thu, 28 Dec 2017 15:53:04 +0200
+Subject: iwlwifi: mvm: always init rs with 20mhz bandwidth rates
+
+From: Naftali Goldstein <naftali.goldstein@intel.com>
+
+[ Upstream commit 6b7a5aea71b342ec0593d23b08383e1f33da4c9a ]
+
+In AP mode, when a new station associates, rs is initialized immediately
+upon association completion, before the phy context is updated with the
+association parameters, so the sta bandwidth might be wider than the phy
+context allows.
+To avoid this issue, always initialize rs with 20mhz bandwidth rate, and
+after authorization, when the phy context is already up-to-date, re-init
+rs with the correct bw.
+
+Signed-off-by: Naftali Goldstein <naftali.goldstein@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 4 +++
+ drivers/net/wireless/intel/iwlwifi/mvm/rs.c | 28 +++++++++++++++-------
+ 2 files changed, 24 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -2703,6 +2703,10 @@ static int iwl_mvm_mac_sta_state(struct
+
+ /* enable beacon filtering */
+ WARN_ON(iwl_mvm_enable_beacon_filter(mvm, vif, 0));
++
++ iwl_mvm_rs_rate_init(mvm, sta, mvmvif->phy_ctxt->channel->band,
++ false);
++
+ ret = 0;
+ } else if (old_state == IEEE80211_STA_AUTHORIZED &&
+ new_state == IEEE80211_STA_ASSOC) {
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
+@@ -2690,7 +2690,8 @@ static void rs_get_initial_rate(struct i
+ struct ieee80211_sta *sta,
+ struct iwl_lq_sta *lq_sta,
+ enum nl80211_band band,
+- struct rs_rate *rate)
++ struct rs_rate *rate,
++ bool init)
+ {
+ int i, nentries;
+ unsigned long active_rate;
+@@ -2744,14 +2745,25 @@ static void rs_get_initial_rate(struct i
+ */
+ if (sta->vht_cap.vht_supported &&
+ best_rssi > IWL_RS_LOW_RSSI_THRESHOLD) {
+- switch (sta->bandwidth) {
+- case IEEE80211_STA_RX_BW_160:
+- case IEEE80211_STA_RX_BW_80:
+- case IEEE80211_STA_RX_BW_40:
++ /*
++ * In AP mode, when a new station associates, rs is initialized
++ * immediately upon association completion, before the phy
++ * context is updated with the association parameters, so the
++ * sta bandwidth might be wider than the phy context allows.
++ * To avoid this issue, always initialize rs with 20mhz
++ * bandwidth rate, and after authorization, when the phy context
++ * is already up-to-date, re-init rs with the correct bw.
++ */
++ u32 bw = init ? RATE_MCS_CHAN_WIDTH_20 : rs_bw_from_sta_bw(sta);
++
++ switch (bw) {
++ case RATE_MCS_CHAN_WIDTH_40:
++ case RATE_MCS_CHAN_WIDTH_80:
++ case RATE_MCS_CHAN_WIDTH_160:
+ initial_rates = rs_optimal_rates_vht;
+ nentries = ARRAY_SIZE(rs_optimal_rates_vht);
+ break;
+- case IEEE80211_STA_RX_BW_20:
++ case RATE_MCS_CHAN_WIDTH_20:
+ initial_rates = rs_optimal_rates_vht_20mhz;
+ nentries = ARRAY_SIZE(rs_optimal_rates_vht_20mhz);
+ break;
+@@ -2762,7 +2774,7 @@ static void rs_get_initial_rate(struct i
+
+ active_rate = lq_sta->active_siso_rate;
+ rate->type = LQ_VHT_SISO;
+- rate->bw = rs_bw_from_sta_bw(sta);
++ rate->bw = bw;
+ } else if (sta->ht_cap.ht_supported &&
+ best_rssi > IWL_RS_LOW_RSSI_THRESHOLD) {
+ initial_rates = rs_optimal_rates_ht;
+@@ -2844,7 +2856,7 @@ static void rs_initialize_lq(struct iwl_
+ tbl = &(lq_sta->lq_info[active_tbl]);
+ rate = &tbl->rate;
+
+- rs_get_initial_rate(mvm, sta, lq_sta, band, rate);
++ rs_get_initial_rate(mvm, sta, lq_sta, band, rate, init);
+ rs_init_optimal_rate(mvm, sta, lq_sta);
+
+ WARN_ONCE(rate->ant != ANT_A && rate->ant != ANT_B,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Mon, 18 Dec 2017 20:13:07 +0200
+Subject: iwlwifi: mvm: check if mac80211_queue is valid in iwl_mvm_disable_txq
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+[ Upstream commit 9a233bb8025105db9a60b5d761005cc5a6c77f3d ]
+
+Sometimes iwl_mvm_disable_txq() may be called with mac80211_queue ==
+IEEE80211_INVAL_HW_QUEUE, and this would cause us to use BIT(0xFF)
+which is way too large for the u16 we used to store it in
+hw_queue_to_mac820211. If this happens the following UBSAN warning
+will be generated:
+
+[ 167.185167] UBSAN: Undefined behaviour in drivers/net/wireless/intel/iwlwifi/mvm/utils.c:838:5
+[ 167.185171] shift exponent 255 is too large for 64-bit type 'long unsigned int'
+
+Fix that by checking that it is not IEEE80211_INVAL_HW_QUEUE and,
+while at it, add a warning if the queue number is larger than
+IEEE80211_MAX_QUEUES.
+
+Fixes: 34e10860ae8d ("iwlwifi: mvm: remove references to queue_info in new TX path")
+Reported-by: Paul Menzel <pmenzel+linux-wireless@molgen.mpg.de>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
+@@ -810,12 +810,19 @@ int iwl_mvm_disable_txq(struct iwl_mvm *
+ .scd_queue = queue,
+ .action = SCD_CFG_DISABLE_QUEUE,
+ };
+- bool remove_mac_queue = true;
++ bool remove_mac_queue = mac80211_queue != IEEE80211_INVAL_HW_QUEUE;
+ int ret;
+
++ if (WARN_ON(remove_mac_queue && mac80211_queue >= IEEE80211_MAX_QUEUES))
++ return -EINVAL;
++
+ if (iwl_mvm_has_new_tx_api(mvm)) {
+ spin_lock_bh(&mvm->queue_info_lock);
+- mvm->hw_queue_to_mac80211[queue] &= ~BIT(mac80211_queue);
++
++ if (remove_mac_queue)
++ mvm->hw_queue_to_mac80211[queue] &=
++ ~BIT(mac80211_queue);
++
+ spin_unlock_bh(&mvm->queue_info_lock);
+
+ iwl_trans_txq_free(mvm->trans, queue);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Avraham Stern <avraham.stern@intel.com>
+Date: Wed, 7 Mar 2018 10:41:18 +0200
+Subject: iwlwifi: mvm: clear tx queue id when unreserving aggregation queue
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+[ Upstream commit 4b387906b1c3692bb790388c335515c0cf098a23 ]
+
+When a queue is reserved for aggregation, the queue id is assigned
+to the tid_data. This is fine since iwl_mvm_sta_tx_agg_oper()
+takes care of allocating the queue before actual tx starts.
+When the reservation is cancelled (e.g. when the AP declined the
+aggregation request) the tid_data is not cleared. As a result,
+following tx for this tid was trying to use an unallocated queue.
+
+Fix this by setting the txq_id for the tid to invalid when unreserving
+the queue.
+
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -2645,8 +2645,10 @@ out:
+
+ static void iwl_mvm_unreserve_agg_queue(struct iwl_mvm *mvm,
+ struct iwl_mvm_sta *mvmsta,
+- u16 txq_id)
++ struct iwl_mvm_tid_data *tid_data)
+ {
++ u16 txq_id = tid_data->txq_id;
++
+ if (iwl_mvm_has_new_tx_api(mvm))
+ return;
+
+@@ -2658,8 +2660,10 @@ static void iwl_mvm_unreserve_agg_queue(
+ * allocated through iwl_mvm_enable_txq, so we can just mark it back as
+ * free.
+ */
+- if (mvm->queue_info[txq_id].status == IWL_MVM_QUEUE_RESERVED)
++ if (mvm->queue_info[txq_id].status == IWL_MVM_QUEUE_RESERVED) {
+ mvm->queue_info[txq_id].status = IWL_MVM_QUEUE_FREE;
++ tid_data->txq_id = IWL_MVM_INVALID_QUEUE;
++ }
+
+ spin_unlock_bh(&mvm->queue_info_lock);
+ }
+@@ -2690,7 +2694,7 @@ int iwl_mvm_sta_tx_agg_stop(struct iwl_m
+
+ mvmsta->agg_tids &= ~BIT(tid);
+
+- iwl_mvm_unreserve_agg_queue(mvm, mvmsta, txq_id);
++ iwl_mvm_unreserve_agg_queue(mvm, mvmsta, tid_data);
+
+ switch (tid_data->state) {
+ case IWL_AGG_ON:
+@@ -2757,7 +2761,7 @@ int iwl_mvm_sta_tx_agg_flush(struct iwl_
+ mvmsta->agg_tids &= ~BIT(tid);
+ spin_unlock_bh(&mvmsta->lock);
+
+- iwl_mvm_unreserve_agg_queue(mvm, mvmsta, txq_id);
++ iwl_mvm_unreserve_agg_queue(mvm, mvmsta, tid_data);
+
+ if (old_state >= IWL_AGG_ON) {
+ iwl_mvm_drain_sta(mvm, mvmsta, true);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Beni Lev <beni.lev@intel.com>
+Date: Tue, 20 Feb 2018 13:41:54 +0200
+Subject: iwlwifi: mvm: Correctly set IGTK for AP
+
+From: Beni Lev <beni.lev@intel.com>
+
+[ Upstream commit e829b17caf96c2da34620e335fb777592990906c ]
+
+Currently when an IGTK is set for an AP, it is set as a regular key.
+Since the cipher is set to CMAC, the STA_KEY_FLG_EXT flag is added to
+the host command, which causes assert 0x253D on NICs that do not support
+this.
+
+Fixes: 85aeb58cec1a ("iwlwifi: mvm: Enable security on new TX API")
+Signed-off-by: Beni Lev <beni.lev@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -3182,17 +3182,9 @@ int iwl_mvm_set_sta_key(struct iwl_mvm *
+ }
+ sta_id = mvm_sta->sta_id;
+
+- if (keyconf->cipher == WLAN_CIPHER_SUITE_AES_CMAC ||
+- keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_128 ||
+- keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_256) {
+- ret = iwl_mvm_send_sta_igtk(mvm, keyconf, sta_id,
+- false);
+- goto end;
+- }
+-
+ /*
+ * It is possible that the 'sta' parameter is NULL, and thus
+- * there is a need to retrieve the sta from the local station
++ * there is a need to retrieve the sta from the local station
+ * table.
+ */
+ if (!sta) {
+@@ -3207,6 +3199,17 @@ int iwl_mvm_set_sta_key(struct iwl_mvm *
+
+ if (WARN_ON_ONCE(iwl_mvm_sta_from_mac80211(sta)->vif != vif))
+ return -EINVAL;
++ } else {
++ struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
++
++ sta_id = mvmvif->mcast_sta.sta_id;
++ }
++
++ if (keyconf->cipher == WLAN_CIPHER_SUITE_AES_CMAC ||
++ keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_128 ||
++ keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_256) {
++ ret = iwl_mvm_send_sta_igtk(mvm, keyconf, sta_id, false);
++ goto end;
+ }
+
+ /* If the key_offset is not pre-assigned, we need to find a
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Ilan Peer <ilan.peer@intel.com>
+Date: Thu, 25 Jan 2018 15:22:41 +0200
+Subject: iwlwifi: mvm: Correctly set the tid for mcast queue
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit 6508de0305d560235b366cc2cc98f7bcfb029e92 ]
+
+In the scheduler config command, the meaning of tid == 0xf was intended
+to indicate the configuration is for management frames. However,
+tid == 0xf was also used for the multicast queue that was meant only
+for multicast data frames, which resulted with the FW not encrypting
+multicast data frames.
+
+As multicast frames do not have a QoS header, fix this by setting
+tid == 0, to indicate that this is a data queue and not management
+one.
+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -2023,7 +2023,7 @@ int iwl_mvm_add_mcast_sta(struct iwl_mvm
+ struct iwl_trans_txq_scd_cfg cfg = {
+ .fifo = IWL_MVM_TX_FIFO_MCAST,
+ .sta_id = msta->sta_id,
+- .tid = IWL_MAX_TID_COUNT,
++ .tid = 0,
+ .aggregate = false,
+ .frame_limit = IWL_FRAME_LIMIT,
+ };
+@@ -2074,7 +2074,7 @@ int iwl_mvm_add_mcast_sta(struct iwl_mvm
+ if (iwl_mvm_has_new_tx_api(mvm)) {
+ int queue = iwl_mvm_tvqm_enable_txq(mvm, vif->cab_queue,
+ msta->sta_id,
+- IWL_MAX_TID_COUNT,
++ 0,
+ timeout);
+ mvmvif->cab_queue = queue;
+ } else if (!fw_has_api(&mvm->fw->ucode_capa,
+@@ -2099,7 +2099,7 @@ int iwl_mvm_rm_mcast_sta(struct iwl_mvm
+ iwl_mvm_flush_sta(mvm, &mvmvif->mcast_sta, true, 0);
+
+ iwl_mvm_disable_txq(mvm, mvmvif->cab_queue, vif->cab_queue,
+- IWL_MAX_TID_COUNT, 0);
++ 0, 0);
+
+ ret = iwl_mvm_rm_sta_common(mvm, mvmvif->mcast_sta.sta_id);
+ if (ret)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Ilan Peer <ilan.peer@intel.com>
+Date: Mon, 22 Jan 2018 08:55:06 +0200
+Subject: iwlwifi: mvm: Direct multicast frames to the correct station
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit 7c305de2b9548ab6b65fce342c78618bbed5db73 ]
+
+Multicast frames for NL80211_IFTYPE_AP and NL80211_IFTYPE_ADHOC were
+directed to the broadcast station, however, as the broadcast station
+did not have keys configured, these frames were sent unencrypted.
+
+Fix this by using the multicast station which is the station for which
+encryption keys are configured.
+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -648,7 +648,11 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv
+ if (info.control.vif->type == NL80211_IFTYPE_P2P_DEVICE ||
+ info.control.vif->type == NL80211_IFTYPE_AP ||
+ info.control.vif->type == NL80211_IFTYPE_ADHOC) {
+- sta_id = mvmvif->bcast_sta.sta_id;
++ if (info.control.vif->type == NL80211_IFTYPE_P2P_DEVICE)
++ sta_id = mvmvif->bcast_sta.sta_id;
++ else
++ sta_id = mvmvif->mcast_sta.sta_id;
++
+ queue = iwl_mvm_get_ctrl_vif_queue(mvm, &info,
+ hdr->frame_control);
+ if (queue < 0)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Avraham Stern <avraham.stern@intel.com>
+Date: Mon, 5 Mar 2018 11:26:53 +0200
+Subject: iwlwifi: mvm: fix array out of bounds reference
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+[ Upstream commit 4a6d2e525b43eba5870ea7e360f59aa65de00705 ]
+
+When starting aggregation, the code checks the status of the queue
+allocated to the aggregation tid, which might not yet be allocated
+and thus the queue index may be invalid.
+Fix this by reserving a new queue in case the queue id is invalid.
+
+While at it, clean up some unreachable code (a condition that is
+already handled earlier) and remove all the non-DQA comments since
+non-DQA mode is no longer supported.
+
+Fixes: cf961e16620f ("iwlwifi: mvm: support dqa-mode agg on non-shared queue")
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 38 +++++++--------------------
+ 1 file changed, 11 insertions(+), 27 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -2436,28 +2436,12 @@ int iwl_mvm_sta_tx_agg_start(struct iwl_
+
+ /*
+ * Note the possible cases:
+- * 1. In DQA mode with an enabled TXQ - TXQ needs to become agg'ed
+- * 2. Non-DQA mode: the TXQ hasn't yet been enabled, so find a free
+- * one and mark it as reserved
+- * 3. In DQA mode, but no traffic yet on this TID: same treatment as in
+- * non-DQA mode, since the TXQ hasn't yet been allocated
+- * Don't support case 3 for new TX path as it is not expected to happen
+- * and aggregation will be offloaded soon anyway
++ * 1. An enabled TXQ - TXQ needs to become agg'ed
++ * 2. The TXQ hasn't yet been enabled, so find a free one and mark
++ * it as reserved
+ */
+ txq_id = mvmsta->tid_data[tid].txq_id;
+- if (iwl_mvm_has_new_tx_api(mvm)) {
+- if (txq_id == IWL_MVM_INVALID_QUEUE) {
+- ret = -ENXIO;
+- goto release_locks;
+- }
+- } else if (unlikely(mvm->queue_info[txq_id].status ==
+- IWL_MVM_QUEUE_SHARED)) {
+- ret = -ENXIO;
+- IWL_DEBUG_TX_QUEUES(mvm,
+- "Can't start tid %d agg on shared queue!\n",
+- tid);
+- goto release_locks;
+- } else if (mvm->queue_info[txq_id].status != IWL_MVM_QUEUE_READY) {
++ if (txq_id == IWL_MVM_INVALID_QUEUE) {
+ txq_id = iwl_mvm_find_free_queue(mvm, mvmsta->sta_id,
+ IWL_MVM_DQA_MIN_DATA_QUEUE,
+ IWL_MVM_DQA_MAX_DATA_QUEUE);
+@@ -2466,16 +2450,16 @@ int iwl_mvm_sta_tx_agg_start(struct iwl_
+ IWL_ERR(mvm, "Failed to allocate agg queue\n");
+ goto release_locks;
+ }
+- /*
+- * TXQ shouldn't be in inactive mode for non-DQA, so getting
+- * an inactive queue from iwl_mvm_find_free_queue() is
+- * certainly a bug
+- */
+- WARN_ON(mvm->queue_info[txq_id].status ==
+- IWL_MVM_QUEUE_INACTIVE);
+
+ /* TXQ hasn't yet been enabled, so mark it only as reserved */
+ mvm->queue_info[txq_id].status = IWL_MVM_QUEUE_RESERVED;
++ } else if (unlikely(mvm->queue_info[txq_id].status ==
++ IWL_MVM_QUEUE_SHARED)) {
++ ret = -ENXIO;
++ IWL_DEBUG_TX_QUEUES(mvm,
++ "Can't start tid %d agg on shared queue!\n",
++ tid);
++ goto release_locks;
+ }
+
+ spin_unlock(&mvm->queue_info_lock);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Sun, 7 Jan 2018 14:30:49 +0200
+Subject: iwlwifi: mvm: fix assert 0x2B00 on older FWs
+
+From: Sara Sharon <sara.sharon@intel.com>
+
+[ Upstream commit 63dd5d022f4766e6b05ee611124afcc7cbfbb953 ]
+
+We should add the multicast station before adding the
+broadcast station.
+
+However, in older FW, the firmware will start beaconing
+when we add the multicast station, and since the broadcast
+station is not added at this point so the transmission
+of the beacon will fail on assert 0x2b00.
+
+This is fixed in later firmware, so make the order
+of addition depend on the TLV.
+
+Fixes: 26d6c16bed53 ("iwlwifi: mvm: add multicast station")
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 45 +++++++++++++++++-----
+ 1 file changed, 35 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -8,6 +8,7 @@
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -2127,15 +2128,40 @@ static int iwl_mvm_start_ap_ibss(struct
+ if (ret)
+ goto out_remove;
+
+- ret = iwl_mvm_add_mcast_sta(mvm, vif);
+- if (ret)
+- goto out_unbind;
+-
+- /* Send the bcast station. At this stage the TBTT and DTIM time events
+- * are added and applied to the scheduler */
+- ret = iwl_mvm_send_add_bcast_sta(mvm, vif);
+- if (ret)
+- goto out_rm_mcast;
++ /*
++ * This is not very nice, but the simplest:
++ * For older FWs adding the mcast sta before the bcast station may
++ * cause assert 0x2b00.
++ * This is fixed in later FW so make the order of removal depend on
++ * the TLV
++ */
++ if (fw_has_api(&mvm->fw->ucode_capa, IWL_UCODE_TLV_API_STA_TYPE)) {
++ ret = iwl_mvm_add_mcast_sta(mvm, vif);
++ if (ret)
++ goto out_unbind;
++ /*
++ * Send the bcast station. At this stage the TBTT and DTIM time
++ * events are added and applied to the scheduler
++ */
++ ret = iwl_mvm_send_add_bcast_sta(mvm, vif);
++ if (ret) {
++ iwl_mvm_rm_mcast_sta(mvm, vif);
++ goto out_unbind;
++ }
++ } else {
++ /*
++ * Send the bcast station. At this stage the TBTT and DTIM time
++ * events are added and applied to the scheduler
++ */
++ iwl_mvm_send_add_bcast_sta(mvm, vif);
++ if (ret)
++ goto out_unbind;
++ iwl_mvm_add_mcast_sta(mvm, vif);
++ if (ret) {
++ iwl_mvm_send_rm_bcast_sta(mvm, vif);
++ goto out_unbind;
++ }
++ }
+
+ /* must be set before quota calculations */
+ mvmvif->ap_ibss_active = true;
+@@ -2165,7 +2191,6 @@ out_quota_failed:
+ iwl_mvm_power_update_mac(mvm);
+ mvmvif->ap_ibss_active = false;
+ iwl_mvm_send_rm_bcast_sta(mvm, vif);
+-out_rm_mcast:
+ iwl_mvm_rm_mcast_sta(mvm, vif);
+ out_unbind:
+ iwl_mvm_binding_remove_vif(mvm, vif);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Date: Thu, 4 Jan 2018 17:39:08 +0200
+Subject: iwlwifi: mvm: Fix channel switch for count 0 and 1
+
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+
+[ Upstream commit 40d53f4a60c9eb10d4fa58066c23ba1af8a59e39 ]
+
+It was assumed that apply_time==0 implies immediate scheduling, which is
+wrong. Instead, the fw expects the START_IMMEDIATELY flag to be set.
+Otherwise, this resulted in 0x3063 assert.
+Fix that.
+While at it rename the T2_V2_START_IMMEDIATELY to
+TE_V2_START_IMMEDIATELY.
+
+Fixes: f5d8f50f271d ("iwlwifi: mvm: Fix channel switch in case of count <= 1")
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/api/time-event.h | 4 ++--
+ drivers/net/wireless/intel/iwlwifi/mvm/time-event.c | 6 ++++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/fw/api/time-event.h
++++ b/drivers/net/wireless/intel/iwlwifi/fw/api/time-event.h
+@@ -211,7 +211,7 @@ enum {
+ * @TE_V2_NOTIF_HOST_FRAG_END:request/receive notification on frag end
+ * @TE_V2_NOTIF_INTERNAL_FRAG_START: internal FW use.
+ * @TE_V2_NOTIF_INTERNAL_FRAG_END: internal FW use.
+- * @T2_V2_START_IMMEDIATELY: start time event immediately
++ * @TE_V2_START_IMMEDIATELY: start time event immediately
+ * @TE_V2_DEP_OTHER: depends on another time event
+ * @TE_V2_DEP_TSF: depends on a specific time
+ * @TE_V2_EVENT_SOCIOPATHIC: can't co-exist with other events of tha same MAC
+@@ -230,7 +230,7 @@ enum iwl_time_event_policy {
+ TE_V2_NOTIF_HOST_FRAG_END = BIT(5),
+ TE_V2_NOTIF_INTERNAL_FRAG_START = BIT(6),
+ TE_V2_NOTIF_INTERNAL_FRAG_END = BIT(7),
+- T2_V2_START_IMMEDIATELY = BIT(11),
++ TE_V2_START_IMMEDIATELY = BIT(11),
+
+ /* placement characteristics */
+ TE_V2_DEP_OTHER = BIT(TE_V2_PLACEMENT_POS),
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
+@@ -621,7 +621,7 @@ void iwl_mvm_protect_session(struct iwl_
+ time_cmd.repeat = 1;
+ time_cmd.policy = cpu_to_le16(TE_V2_NOTIF_HOST_EVENT_START |
+ TE_V2_NOTIF_HOST_EVENT_END |
+- T2_V2_START_IMMEDIATELY);
++ TE_V2_START_IMMEDIATELY);
+
+ if (!wait_for_notif) {
+ iwl_mvm_time_event_send_add(mvm, vif, te_data, &time_cmd);
+@@ -814,7 +814,7 @@ int iwl_mvm_start_p2p_roc(struct iwl_mvm
+ time_cmd.repeat = 1;
+ time_cmd.policy = cpu_to_le16(TE_V2_NOTIF_HOST_EVENT_START |
+ TE_V2_NOTIF_HOST_EVENT_END |
+- T2_V2_START_IMMEDIATELY);
++ TE_V2_START_IMMEDIATELY);
+
+ return iwl_mvm_time_event_send_add(mvm, vif, te_data, &time_cmd);
+ }
+@@ -924,6 +924,8 @@ int iwl_mvm_schedule_csa_period(struct i
+ time_cmd.interval = cpu_to_le32(1);
+ time_cmd.policy = cpu_to_le16(TE_V2_NOTIF_HOST_EVENT_START |
+ TE_V2_ABSENCE);
++ if (!apply_time)
++ time_cmd.policy |= cpu_to_le16(TE_V2_START_IMMEDIATELY);
+
+ return iwl_mvm_time_event_send_add(mvm, vif, te_data, &time_cmd);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 22 Feb 2018 13:51:21 +0100
+Subject: iwlwifi: mvm: fix error checking for multi/broadcast sta
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 75fd4fec3e4c43b131c7c4958adb3ab9f1665513 ]
+
+The earlier patch called the station add functions but didn't
+assign their return value to the ret variable, so that the
+checks for it were meaningless. Fix that.
+
+Found by smatch:
+
+.../mac80211.c:2560 iwl_mvm_start_ap_ibss() warn: we tested 'ret' before and it was 'false'
+.../mac80211.c:2563 iwl_mvm_start_ap_ibss() warn: we tested 'ret' before and it was 'false'
+
+Fixes: 3a89411cd31c ("iwlwifi: mvm: fix assert 0x2B00 on older FWs")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -2153,10 +2153,10 @@ static int iwl_mvm_start_ap_ibss(struct
+ * Send the bcast station. At this stage the TBTT and DTIM time
+ * events are added and applied to the scheduler
+ */
+- iwl_mvm_send_add_bcast_sta(mvm, vif);
++ ret = iwl_mvm_send_add_bcast_sta(mvm, vif);
+ if (ret)
+ goto out_unbind;
+- iwl_mvm_add_mcast_sta(mvm, vif);
++ ret = iwl_mvm_add_mcast_sta(mvm, vif);
+ if (ret) {
+ iwl_mvm_send_rm_bcast_sta(mvm, vif);
+ goto out_unbind;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Mon, 15 Jan 2018 13:50:59 +0200
+Subject: iwlwifi: mvm: fix "failed to remove key" message
+
+From: Sara Sharon <sara.sharon@intel.com>
+
+[ Upstream commit e4f13ad07823b24a1537518d2163bd164292fb10 ]
+
+When the GTK is installed, we install it to HW with the
+station ID of the AP.
+
+Mac80211 will try to remove it only after the AP sta is
+removed, which will result in a failure to remove key
+since we do not have any station for it.
+
+This is a valid situation, but a previous commit removed
+the early return and added a return with error value, which
+resulted in an error message that is confusing to users.
+
+Remove the error return value.
+
+Fixes: 85aeb58cec1a ("iwlwifi: mvm: Enable security on new TX API")
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -3119,8 +3119,9 @@ static int __iwl_mvm_remove_sta_key(stru
+ int ret, size;
+ u32 status;
+
++ /* This is a valid situation for GTK removal */
+ if (sta_id == IWL_MVM_INVALID_STA)
+- return -EINVAL;
++ return 0;
+
+ key_flags = cpu_to_le16((keyconf->keyidx << STA_KEY_FLG_KEYID_POS) &
+ STA_KEY_FLG_KEYID_MSK);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Thu, 21 Dec 2017 15:05:28 +0200
+Subject: iwlwifi: mvm: fix IBSS for devices that support station type API
+
+From: Sara Sharon <sara.sharon@intel.com>
+
+[ Upstream commit fc07bd8ce19bff9e7479c04077ddb5957d1a27be ]
+
+In IBSS, the mac80211 sets the cab_queue to be invalid.
+
+However, the multicast station uses it, so we need to override it.
+
+A previous patch did it, but it was nested inside the if's and was
+applied only for legacy FWs that don't support the new station type
+API, instead of being applied for all paths.
+
+In addition, add a missing NL80211_IFTYPE_ADHOC to the initialization
+of the queues in iwl_mvm_mac_ctxt_init()
+
+Fixes: ee48b72211f8 ("iwlwifi: mvm: support ibss in dqa mode")
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c | 3 +-
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 24 +++++++++++-----------
+ 2 files changed, 14 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
+@@ -438,7 +438,8 @@ int iwl_mvm_mac_ctxt_init(struct iwl_mvm
+ }
+
+ /* Allocate the CAB queue for softAP and GO interfaces */
+- if (vif->type == NL80211_IFTYPE_AP) {
++ if (vif->type == NL80211_IFTYPE_AP ||
++ vif->type == NL80211_IFTYPE_ADHOC) {
+ /*
+ * For TVQM this will be overwritten later with the FW assigned
+ * queue value (when queue is enabled).
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -2037,6 +2037,17 @@ int iwl_mvm_add_mcast_sta(struct iwl_mvm
+ return -ENOTSUPP;
+
+ /*
++ * In IBSS, ieee80211_check_queues() sets the cab_queue to be
++ * invalid, so make sure we use the queue we want.
++ * Note that this is done here as we want to avoid making DQA
++ * changes in mac80211 layer.
++ */
++ if (vif->type == NL80211_IFTYPE_ADHOC) {
++ vif->cab_queue = IWL_MVM_DQA_GCAST_QUEUE;
++ mvmvif->cab_queue = vif->cab_queue;
++ }
++
++ /*
+ * While in previous FWs we had to exclude cab queue from TFD queue
+ * mask, now it is needed as any other queue.
+ */
+@@ -2067,20 +2078,9 @@ int iwl_mvm_add_mcast_sta(struct iwl_mvm
+ timeout);
+ mvmvif->cab_queue = queue;
+ } else if (!fw_has_api(&mvm->fw->ucode_capa,
+- IWL_UCODE_TLV_API_STA_TYPE)) {
+- /*
+- * In IBSS, ieee80211_check_queues() sets the cab_queue to be
+- * invalid, so make sure we use the queue we want.
+- * Note that this is done here as we want to avoid making DQA
+- * changes in mac80211 layer.
+- */
+- if (vif->type == NL80211_IFTYPE_ADHOC) {
+- vif->cab_queue = IWL_MVM_DQA_GCAST_QUEUE;
+- mvmvif->cab_queue = vif->cab_queue;
+- }
++ IWL_UCODE_TLV_API_STA_TYPE))
+ iwl_mvm_enable_txq(mvm, vif->cab_queue, vif->cab_queue, 0,
+ &cfg, timeout);
+- }
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Tue, 29 Mar 2016 10:56:57 +0300
+Subject: iwlwifi: mvm: fix security bug in PN checking
+
+From: Sara Sharon <sara.sharon@intel.com>
+
+[ Upstream commit 5ab2ba931255d8bf03009c06d58dce97de32797c ]
+
+A previous patch allowed the same PN for packets originating from the
+same AMSDU by copying PN only for the last packet in the series.
+
+This however is bogus since we cannot assume the last frame will be
+received on the same queue, and if it is received on a different ueue
+we will end up not incrementing the PN and possibly let the next
+packet to have the same PN and pass through.
+
+Change the logic instead to driver explicitly indicate for the second
+sub frame and on to be allowed to have the same PN as the first
+subframe. Indicate it to mac80211 as well for the fallback queue.
+
+Fixes: f1ae02b186d9 ("iwlwifi: mvm: allow same PN for de-aggregated AMSDU")
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 39 +++++++++++++-------------
+ 1 file changed, 20 insertions(+), 19 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+@@ -71,6 +71,7 @@ static inline int iwl_mvm_check_pn(struc
+ struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
+ struct ieee80211_rx_status *stats = IEEE80211_SKB_RXCB(skb);
+ struct iwl_mvm_key_pn *ptk_pn;
++ int res;
+ u8 tid, keyidx;
+ u8 pn[IEEE80211_CCMP_PN_LEN];
+ u8 *extiv;
+@@ -127,12 +128,13 @@ static inline int iwl_mvm_check_pn(struc
+ pn[4] = extiv[1];
+ pn[5] = extiv[0];
+
+- if (memcmp(pn, ptk_pn->q[queue].pn[tid],
+- IEEE80211_CCMP_PN_LEN) <= 0)
++ res = memcmp(pn, ptk_pn->q[queue].pn[tid], IEEE80211_CCMP_PN_LEN);
++ if (res < 0)
++ return -1;
++ if (!res && !(stats->flag & RX_FLAG_ALLOW_SAME_PN))
+ return -1;
+
+- if (!(stats->flag & RX_FLAG_AMSDU_MORE))
+- memcpy(ptk_pn->q[queue].pn[tid], pn, IEEE80211_CCMP_PN_LEN);
++ memcpy(ptk_pn->q[queue].pn[tid], pn, IEEE80211_CCMP_PN_LEN);
+ stats->flag |= RX_FLAG_PN_VALIDATED;
+
+ return 0;
+@@ -310,28 +312,21 @@ static void iwl_mvm_rx_csum(struct ieee8
+ }
+
+ /*
+- * returns true if a packet outside BA session is a duplicate and
+- * should be dropped
++ * returns true if a packet is a duplicate and should be dropped.
++ * Updates AMSDU PN tracking info
+ */
+-static bool iwl_mvm_is_nonagg_dup(struct ieee80211_sta *sta, int queue,
+- struct ieee80211_rx_status *rx_status,
+- struct ieee80211_hdr *hdr,
+- struct iwl_rx_mpdu_desc *desc)
++static bool iwl_mvm_is_dup(struct ieee80211_sta *sta, int queue,
++ struct ieee80211_rx_status *rx_status,
++ struct ieee80211_hdr *hdr,
++ struct iwl_rx_mpdu_desc *desc)
+ {
+ struct iwl_mvm_sta *mvm_sta;
+ struct iwl_mvm_rxq_dup_data *dup_data;
+- u8 baid, tid, sub_frame_idx;
++ u8 tid, sub_frame_idx;
+
+ if (WARN_ON(IS_ERR_OR_NULL(sta)))
+ return false;
+
+- baid = (le32_to_cpu(desc->reorder_data) &
+- IWL_RX_MPDU_REORDER_BAID_MASK) >>
+- IWL_RX_MPDU_REORDER_BAID_SHIFT;
+-
+- if (baid != IWL_RX_REORDER_DATA_INVALID_BAID)
+- return false;
+-
+ mvm_sta = iwl_mvm_sta_from_mac80211(sta);
+ dup_data = &mvm_sta->dup_data[queue];
+
+@@ -361,6 +356,12 @@ static bool iwl_mvm_is_nonagg_dup(struct
+ dup_data->last_sub_frame[tid] >= sub_frame_idx))
+ return true;
+
++ /* Allow same PN as the first subframe for following sub frames */
++ if (dup_data->last_seq[tid] == hdr->seq_ctrl &&
++ sub_frame_idx > dup_data->last_sub_frame[tid] &&
++ desc->mac_flags2 & IWL_RX_MPDU_MFLG2_AMSDU)
++ rx_status->flag |= RX_FLAG_ALLOW_SAME_PN;
++
+ dup_data->last_seq[tid] = hdr->seq_ctrl;
+ dup_data->last_sub_frame[tid] = sub_frame_idx;
+
+@@ -929,7 +930,7 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm *
+ if (ieee80211_is_data(hdr->frame_control))
+ iwl_mvm_rx_csum(sta, skb, desc);
+
+- if (iwl_mvm_is_nonagg_dup(sta, queue, rx_status, hdr, desc)) {
++ if (iwl_mvm_is_dup(sta, queue, rx_status, hdr, desc)) {
+ kfree_skb(skb);
+ goto out;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Tue, 2 Jan 2018 11:40:15 +0200
+Subject: iwlwifi: mvm: fix TX of CCMP 256
+
+From: Sara Sharon <sara.sharon@intel.com>
+
+[ Upstream commit de04d4fbf87b769ab18c480e4f020c53e74bbdd2 ]
+
+We don't have enough room in the TX command for a CCMP 256
+key, and need to use key from table.
+
+Fixes: 3264bf032bd9 ("[BUGFIX] iwlwifi: mvm: Fix CCMP IV setting")
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -419,11 +419,11 @@ static void iwl_mvm_set_tx_cmd_crypto(st
+ {
+ struct ieee80211_key_conf *keyconf = info->control.hw_key;
+ u8 *crypto_hdr = skb_frag->data + hdrlen;
++ enum iwl_tx_cmd_sec_ctrl type = TX_CMD_SEC_CCM;
+ u64 pn;
+
+ switch (keyconf->cipher) {
+ case WLAN_CIPHER_SUITE_CCMP:
+- case WLAN_CIPHER_SUITE_CCMP_256:
+ iwl_mvm_set_tx_cmd_ccmp(info, tx_cmd);
+ iwl_mvm_set_tx_cmd_pn(info, crypto_hdr);
+ break;
+@@ -447,13 +447,16 @@ static void iwl_mvm_set_tx_cmd_crypto(st
+ break;
+ case WLAN_CIPHER_SUITE_GCMP:
+ case WLAN_CIPHER_SUITE_GCMP_256:
++ type = TX_CMD_SEC_GCMP;
++ /* Fall through */
++ case WLAN_CIPHER_SUITE_CCMP_256:
+ /* TODO: Taking the key from the table might introduce a race
+ * when PTK rekeying is done, having an old packets with a PN
+ * based on the old key but the message encrypted with a new
+ * one.
+ * Need to handle this.
+ */
+- tx_cmd->sec_ctl |= TX_CMD_SEC_GCMP | TX_CMD_SEC_KEY_FROM_TABLE;
++ tx_cmd->sec_ctl |= type | TX_CMD_SEC_KEY_FROM_TABLE;
+ tx_cmd->key[0] = keyconf->hw_key_idx;
+ iwl_mvm_set_tx_cmd_pn(info, crypto_hdr);
+ break;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Date: Wed, 28 Feb 2018 17:18:48 +0200
+Subject: iwlwifi: mvm: Increase session protection time after CS
+
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+
+[ Upstream commit 19125cb0591ae63cd4591e3dfe4c22058e748518 ]
+
+After switching to a new channel, driver schedules session protection
+time event in order to hear the beacon on the new channel.
+The duration of the protection is two beacon intervals.
+However, since we start to switch slightly before beacon with count 1, in
+case we don't hear (or AP doesn't transmit) the very first beacon on the
+new channel the protection ends without hearing any beacon at all.
+At this stage the switch is not complete, the queues are closed and the
+interface doesn't have quota yet or TBTT events. As the result, we are
+stuck forever waiting for iwl_mvm_post_channel_switch() to be called.
+
+Fix this by increasing the protection time to be 3 beacon intervals and
+in addition drop the connection if the time event ends before we got any
+beacon.
+
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 5 ++++-
+ drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 3 +++
+ drivers/net/wireless/intel/iwlwifi/mvm/time-event.c | 15 ++++++++-------
+ 3 files changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -3497,6 +3497,7 @@ static int __iwl_mvm_assign_vif_chanctx(
+ ret = 0;
+ goto out;
+ case NL80211_IFTYPE_STATION:
++ mvmvif->csa_bcn_pending = false;
+ break;
+ case NL80211_IFTYPE_MONITOR:
+ /* always disable PS when a monitor interface is active */
+@@ -3540,7 +3541,7 @@ static int __iwl_mvm_assign_vif_chanctx(
+ }
+
+ if (switching_chanctx && vif->type == NL80211_IFTYPE_STATION) {
+- u32 duration = 2 * vif->bss_conf.beacon_int;
++ u32 duration = 3 * vif->bss_conf.beacon_int;
+
+ /* iwl_mvm_protect_session() reads directly from the
+ * device (the system time), so make sure it is
+@@ -3553,6 +3554,7 @@ static int __iwl_mvm_assign_vif_chanctx(
+ /* Protect the session to make sure we hear the first
+ * beacon on the new channel.
+ */
++ mvmvif->csa_bcn_pending = true;
+ iwl_mvm_protect_session(mvm, vif, duration, duration,
+ vif->bss_conf.beacon_int / 2,
+ true);
+@@ -3996,6 +3998,7 @@ static int iwl_mvm_post_channel_switch(s
+ if (vif->type == NL80211_IFTYPE_STATION) {
+ struct iwl_mvm_sta *mvmsta;
+
++ mvmvif->csa_bcn_pending = false;
+ mvmsta = iwl_mvm_sta_from_staid_protected(mvm,
+ mvmvif->ap_sta_id);
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+@@ -434,6 +434,9 @@ struct iwl_mvm_vif {
+ bool csa_failed;
+ u16 csa_target_freq;
+
++ /* Indicates that we are waiting for a beacon on a new channel */
++ bool csa_bcn_pending;
++
+ /* TCP Checksum Offload */
+ netdev_features_t features;
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
+@@ -8,6 +8,7 @@
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -18,11 +19,6 @@
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+- * You should have received a copy of the GNU General Public License
+- * along with this program; if not, write to the Free Software
+- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110,
+- * USA
+- *
+ * The full GNU General Public License is included in this distribution
+ * in the file called COPYING.
+ *
+@@ -35,6 +31,7 @@
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -203,9 +200,13 @@ static bool iwl_mvm_te_check_disconnect(
+ struct ieee80211_vif *vif,
+ const char *errmsg)
+ {
++ struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
++
+ if (vif->type != NL80211_IFTYPE_STATION)
+ return false;
+- if (vif->bss_conf.assoc && vif->bss_conf.dtim_period)
++
++ if (!mvmvif->csa_bcn_pending && vif->bss_conf.assoc &&
++ vif->bss_conf.dtim_period)
+ return false;
+ if (errmsg)
+ IWL_ERR(mvm, "%s\n", errmsg);
+@@ -349,7 +350,7 @@ static void iwl_mvm_te_handle_notif(stru
+ * and know the dtim period.
+ */
+ iwl_mvm_te_check_disconnect(mvm, te_data->vif,
+- "No association and the time event is over already...");
++ "No beacon heard and the time event is over already...");
+ break;
+ default:
+ break;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Avraham Stern <avraham.stern@intel.com>
+Date: Tue, 6 Mar 2018 14:10:49 +0200
+Subject: iwlwifi: mvm: make sure internal station has a valid id
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+[ Upstream commit df65c8d1728adee2a52c30287d33da83a8c87480 ]
+
+If the driver failed to resume from D3, it is possible that it has
+no valid aux station. In such case, fw restart will end up in sending
+station related commands with an invalid station id, which will
+result in an assert.
+
+Fix this by allocating a new station id for the aux station if it
+does not have a valid id even in the case of fw restart.
+
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -1679,7 +1679,8 @@ int iwl_mvm_allocate_int_sta(struct iwl_
+ u32 qmask, enum nl80211_iftype iftype,
+ enum iwl_sta_type type)
+ {
+- if (!test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status)) {
++ if (!test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status) ||
++ sta->sta_id == IWL_MVM_INVALID_STA) {
+ sta->sta_id = iwl_mvm_find_free_sta_id(mvm, iftype);
+ if (WARN_ON_ONCE(sta->sta_id == IWL_MVM_INVALID_STA))
+ return -ENOSPC;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Thu, 15 Feb 2018 15:48:09 +0200
+Subject: iwlwifi: mvm: set the correct tid when we flush the MCAST sta
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit 334167decf98f01a66c91ea84180c278bc4ad290 ]
+
+The tid being used for the queue (cab_queue) for the MCAST
+station has been changed recently to be 0 (for BE).
+The flush path still flushed only the special tid (15)
+which means that the firmware wasn't flushing the right
+queue and we could get a firmware crash upon remove
+station if we had an MCAST packet on the ring.
+
+The current code that flushes queues for a station only
+differentiates between internal stations (stations that
+aren't instantiated in mac80211, like the MCAST station)
+and the non-internal ones.
+Internal stations can be either: BCAST (beacons), MCAST
+(for cab_queue), GENERAL_PURPOSE (p2p dev, and sniffer
+injection). The internal stations can use different tids.
+
+To make the code simpler, just flush all the tids always
+and add the special internal tid (15) for internal
+stations. The firmware will know how to handle this even
+if we hadn't any queue mapped that that tid.
+
+Fixes: e340c1a6ef4b ("iwlwifi: mvm: Correctly set the tid for mcast queue")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -1879,14 +1879,12 @@ int iwl_mvm_flush_sta(struct iwl_mvm *mv
+ struct iwl_mvm_int_sta *int_sta = sta;
+ struct iwl_mvm_sta *mvm_sta = sta;
+
+- if (iwl_mvm_has_new_tx_api(mvm)) {
+- if (internal)
+- return iwl_mvm_flush_sta_tids(mvm, int_sta->sta_id,
+- BIT(IWL_MGMT_TID), flags);
++ BUILD_BUG_ON(offsetof(struct iwl_mvm_int_sta, sta_id) !=
++ offsetof(struct iwl_mvm_sta, sta_id));
+
++ if (iwl_mvm_has_new_tx_api(mvm))
+ return iwl_mvm_flush_sta_tids(mvm, mvm_sta->sta_id,
+- 0xFF, flags);
+- }
++ 0xff | BIT(IWL_MGMT_TID), flags);
+
+ if (internal)
+ return iwl_mvm_flush_tx_path(mvm, int_sta->tfd_queue_msk,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jacob Keller <jacob.e.keller@intel.com>
+Date: Mon, 29 Jan 2018 15:57:48 -0800
+Subject: ixgbe: prevent ptp_rx_hang from running when in FILTER_ALL mode
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 6704a3abf4cf4181a1ee64f5db4969347b88ca1d ]
+
+On hardware which supports timestamping all packets, the timestamps are
+recorded in the packet buffer, and the driver no longer uses or reads
+the registers. This makes the logic for checking and clearing Rx
+timestamp hangs meaningless.
+
+If we run the ixgbe_ptp_rx_hang() function in this case, then the driver
+will continuously spam the log output with "Clearing Rx timestamp hang".
+These messages are spurious, and confusing to end users.
+
+The original code in commit a9763f3cb54c ("ixgbe: Update PTP to support
+X550EM_x devices", 2015-12-03) did have a flag PTP_RX_TIMESTAMP_IN_REGISTER
+which was intended to be used to avoid the Rx timestamp hang check,
+however it did not actually check the flag before calling the function.
+
+Do so now in order to stop the checks and prevent the spurious log
+messages.
+
+Fixes: a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x devices", 2015-12-03)
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -7658,7 +7658,8 @@ static void ixgbe_service_task(struct wo
+
+ if (test_bit(__IXGBE_PTP_RUNNING, &adapter->state)) {
+ ixgbe_ptp_overflow_check(adapter);
+- ixgbe_ptp_rx_hang(adapter);
++ if (adapter->flags & IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER)
++ ixgbe_ptp_rx_hang(adapter);
+ ixgbe_ptp_tx_hang(adapter);
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Thu, 15 Mar 2018 16:56:20 -0400
+Subject: kbuild: make scripts/adjust_autoksyms.sh robust against timestamp races
+
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+
+[ Upstream commit 825d487583089f9a33d31650c9c41f6474aab7fc ]
+
+Some filesystems have timestamps with coarse precision that may allow
+for a recently built object file to have the same timestamp as the
+updated time on one of its dependency files. When that happens, the
+object file doesn't get rebuilt as it should.
+
+This is especially the case on filesystems that don't have sub-second
+time precision, such as ext3 or Ext4 with 128B inodes.
+
+Let's prevent that by making sure updated dependency files have a newer
+timestamp than the first file we created (i.e. autoksyms.h.tmpnew).
+
+Reported-by: Thomas Lindroth <thomas.lindroth@gmail.com>
+Signed-off-by: Nicolas Pitre <nico@linaro.org>
+Tested-by: Thomas Lindroth <thomas.lindroth@gmail.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/adjust_autoksyms.sh | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/scripts/adjust_autoksyms.sh
++++ b/scripts/adjust_autoksyms.sh
+@@ -84,6 +84,13 @@ while read sympath; do
+ depfile="include/config/ksym/${sympath}.h"
+ mkdir -p "$(dirname "$depfile")"
+ touch "$depfile"
++ # Filesystems with coarse time precision may create timestamps
++ # equal to the one from a file that was very recently built and that
++ # needs to be rebuild. Let's guard against that by making sure our
++ # dep files are always newer than the first file we created here.
++ while [ ! "$depfile" -nt "$new_ksyms_file" ]; do
++ touch "$depfile"
++ done
+ echo $((count += 1))
+ done | tail -1 )
+ changed=${changed:-0}
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Fri, 8 Dec 2017 10:19:19 -0800
+Subject: kdb: make "mdr" command repeat
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 1e0ce03bf142454f38a5fc050bf4fd698d2d36d8 ]
+
+The "mdr" command should repeat (continue) when only Enter/Return
+is pressed, so make it do so.
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Daniel Thompson <daniel.thompson@linaro.org>
+Cc: Jason Wessel <jason.wessel@windriver.com>
+Cc: kgdb-bugreport@lists.sourceforge.net
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/debug/kdb/kdb_main.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/kernel/debug/kdb/kdb_main.c
++++ b/kernel/debug/kdb/kdb_main.c
+@@ -1566,6 +1566,7 @@ static int kdb_md(int argc, const char *
+ int symbolic = 0;
+ int valid = 0;
+ int phys = 0;
++ int raw = 0;
+
+ kdbgetintenv("MDCOUNT", &mdcount);
+ kdbgetintenv("RADIX", &radix);
+@@ -1575,9 +1576,10 @@ static int kdb_md(int argc, const char *
+ repeat = mdcount * 16 / bytesperword;
+
+ if (strcmp(argv[0], "mdr") == 0) {
+- if (argc != 2)
++ if (argc == 2 || (argc == 0 && last_addr != 0))
++ valid = raw = 1;
++ else
+ return KDB_ARGCOUNT;
+- valid = 1;
+ } else if (isdigit(argv[0][2])) {
+ bytesperword = (int)(argv[0][2] - '0');
+ if (bytesperword == 0) {
+@@ -1613,7 +1615,10 @@ static int kdb_md(int argc, const char *
+ radix = last_radix;
+ bytesperword = last_bytesperword;
+ repeat = last_repeat;
+- mdcount = ((repeat * bytesperword) + 15) / 16;
++ if (raw)
++ mdcount = repeat;
++ else
++ mdcount = ((repeat * bytesperword) + 15) / 16;
+ }
+
+ if (argc) {
+@@ -1630,7 +1635,10 @@ static int kdb_md(int argc, const char *
+ diag = kdbgetularg(argv[nextarg], &val);
+ if (!diag) {
+ mdcount = (int) val;
+- repeat = mdcount * 16 / bytesperword;
++ if (raw)
++ repeat = mdcount;
++ else
++ repeat = mdcount * 16 / bytesperword;
+ }
+ }
+ if (argc >= nextarg+1) {
+@@ -1640,8 +1648,15 @@ static int kdb_md(int argc, const char *
+ }
+ }
+
+- if (strcmp(argv[0], "mdr") == 0)
+- return kdb_mdr(addr, mdcount);
++ if (strcmp(argv[0], "mdr") == 0) {
++ int ret;
++ last_addr = addr;
++ ret = kdb_mdr(addr, mdcount);
++ last_addr += mdcount;
++ last_repeat = mdcount;
++ last_bytesperword = bytesperword; // to make REPEAT happy
++ return ret;
++ }
+
+ switch (radix) {
+ case 10:
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: David Rientjes <rientjes@google.com>
+Date: Wed, 21 Feb 2018 14:45:32 -0800
+Subject: kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE
+
+From: David Rientjes <rientjes@google.com>
+
+[ Upstream commit 88913bd8ea2a75d7e460a4bed5f75e1c32660d7e ]
+
+chan->n_subbufs is set by the user and relay_create_buf() does a kmalloc()
+of chan->n_subbufs * sizeof(size_t *).
+
+kmalloc_slab() will generate a warning when this fails if
+chan->subbufs * sizeof(size_t *) > KMALLOC_MAX_SIZE.
+
+Limit chan->n_subbufs to the maximum allowed kmalloc() size.
+
+Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1802061216100.122576@chino.kir.corp.google.com
+Fixes: f6302f1bcd75 ("relay: prevent integer overflow in relay_open()")
+Signed-off-by: David Rientjes <rientjes@google.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Dave Jiang <dave.jiang@intel.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/relay.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/relay.c
++++ b/kernel/relay.c
+@@ -163,7 +163,7 @@ static struct rchan_buf *relay_create_bu
+ {
+ struct rchan_buf *buf;
+
+- if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
++ if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *))
+ return NULL;
+
+ buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Andre Przywara <andre.przywara@arm.com>
+Date: Tue, 6 Mar 2018 09:21:06 +0000
+Subject: KVM: arm/arm64: vgic: Add missing irq_lock to vgic_mmio_read_pending
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+[ Upstream commit 62b06f8f429cd233e4e2e7bbd21081ad60c9018f ]
+
+Our irq_is_pending() helper function accesses multiple members of the
+vgic_irq struct, so we need to hold the lock when calling it.
+Add that requirement as a comment to the definition and take the lock
+around the call in vgic_mmio_read_pending(), where we were missing it
+before.
+
+Fixes: 96b298000db4 ("KVM: arm/arm64: vgic-new: Add PENDING registers handlers")
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/arm/vgic/vgic-mmio.c | 3 +++
+ virt/kvm/arm/vgic/vgic.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/virt/kvm/arm/vgic/vgic-mmio.c
++++ b/virt/kvm/arm/vgic/vgic-mmio.c
+@@ -110,9 +110,12 @@ unsigned long vgic_mmio_read_pending(str
+ /* Loop over all IRQs affected by this read */
+ for (i = 0; i < len * 8; i++) {
+ struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
++ unsigned long flags;
+
++ spin_lock_irqsave(&irq->irq_lock, flags);
+ if (irq_is_pending(irq))
+ value |= (1U << i);
++ spin_unlock_irqrestore(&irq->irq_lock, flags);
+
+ vgic_put_irq(vcpu->kvm, irq);
+ }
+--- a/virt/kvm/arm/vgic/vgic.h
++++ b/virt/kvm/arm/vgic/vgic.h
+@@ -96,6 +96,7 @@
+ /* we only support 64 kB translation table page size */
+ #define KVM_ITS_L1E_ADDR_MASK GENMASK_ULL(51, 16)
+
++/* Requires the irq_lock to be held by the caller. */
+ static inline bool irq_is_pending(struct vgic_irq *irq)
+ {
+ if (irq->config == VGIC_CONFIG_EDGE)
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Date: Thu, 22 Feb 2018 13:05:41 +0100
+Subject: kvm: fix warning for CONFIG_HAVE_KVM_EVENTFD builds
+
+From: Sebastian Ott <sebott@linux.vnet.ibm.com>
+
+[ Upstream commit 076467490b8176eb96eddc548a14d4135c7b5852 ]
+
+Move the kvm_arch_irq_routing_update() prototype outside of
+ifdef CONFIG_HAVE_KVM_EVENTFD guards to fix the following sparse warning:
+
+arch/s390/kvm/../../../virt/kvm/irqchip.c:171:28: warning: symbol 'kvm_arch_irq_routing_update' was not declared. Should it be static?
+
+Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/kvm_host.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -1104,7 +1104,6 @@ static inline void kvm_irq_routing_updat
+ {
+ }
+ #endif
+-void kvm_arch_irq_routing_update(struct kvm *kvm);
+
+ static inline int kvm_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args)
+ {
+@@ -1113,6 +1112,8 @@ static inline int kvm_ioeventfd(struct k
+
+ #endif /* CONFIG_HAVE_KVM_EVENTFD */
+
++void kvm_arch_irq_routing_update(struct kvm *kvm);
++
+ static inline void kvm_make_request(int req, struct kvm_vcpu *vcpu)
+ {
+ /*
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Fri, 9 Feb 2018 14:01:33 +0100
+Subject: KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+[ Upstream commit 0bcc3fb95b97ac2ca223a5a870287b37f56265ac ]
+
+Devices which use level-triggered interrupts under Windows 2016 with
+Hyper-V role enabled don't work: Windows disables EOI broadcast in SPIV
+unconditionally. Our in-kernel IOAPIC implementation emulates an old IOAPIC
+version which has no EOI register so EOI never happens.
+
+The issue was discovered and discussed a while ago:
+https://www.spinics.net/lists/kvm/msg148098.html
+
+While this is a guest OS bug (it should check that IOAPIC has the required
+capabilities before disabling EOI broadcast) we can workaround it in KVM:
+advertising DIRECTED_EOI with in-kernel IOAPIC makes little sense anyway.
+
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/lapic.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -321,8 +321,16 @@ void kvm_apic_set_version(struct kvm_vcp
+ if (!lapic_in_kernel(vcpu))
+ return;
+
++ /*
++ * KVM emulates 82093AA datasheet (with in-kernel IOAPIC implementation)
++ * which doesn't have EOI register; Some buggy OSes (e.g. Windows with
++ * Hyper-V role) disable EOI broadcast in lapic not checking for IOAPIC
++ * version first and level-triggered interrupts never get EOIed in
++ * IOAPIC.
++ */
+ feat = kvm_find_cpuid_entry(apic->vcpu, 0x1, 0);
+- if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))))
++ if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))) &&
++ !ioapic_in_kernel(vcpu->kvm))
+ v |= APIC_LVR_DIRECTED_EOI;
+ kvm_lapic_set_reg(apic, APIC_LVR, v);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Chao Gao <chao.gao@intel.com>
+Date: Sun, 11 Feb 2018 10:06:30 +0800
+Subject: KVM: nVMX: Don't halt vcpu when L1 is injecting events to L2
+
+From: Chao Gao <chao.gao@intel.com>
+
+[ Upstream commit 135a06c3a515bbd17729eb04f4f26316d48363d7 ]
+
+Although L2 is in halt state, it will be in the active state after
+VM entry if the VM entry is vectoring according to SDM 26.6.2 Activity
+State. Halting the vcpu here means the event won't be injected to L2
+and this decision isn't reported to L1. Thus L0 drops an event that
+should be injected to L2.
+
+Cc: Liran Alon <liran.alon@oracle.com>
+Reviewed-by: Liran Alon <liran.alon@oracle.com>
+Signed-off-by: Chao Gao <chao.gao@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -11166,7 +11166,12 @@ static int nested_vmx_run(struct kvm_vcp
+ if (ret)
+ return ret;
+
+- if (vmcs12->guest_activity_state == GUEST_ACTIVITY_HLT)
++ /*
++ * If we're entering a halted L2 vcpu and the L2 vcpu won't be woken
++ * by event injection, halt vcpu.
++ */
++ if ((vmcs12->guest_activity_state == GUEST_ACTIVITY_HLT) &&
++ !(vmcs12->vm_entry_intr_info_field & INTR_INFO_VALID_MASK))
+ return kvm_vcpu_halt(vcpu);
+
+ vmx->nested.nested_run_pending = 1;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Laurent Vivier <lvivier@redhat.com>
+Date: Fri, 2 Mar 2018 11:51:56 +0100
+Subject: KVM: PPC: Book3S HV: Fix guest time accounting with VIRT_CPU_ACCOUNTING_GEN
+
+From: Laurent Vivier <lvivier@redhat.com>
+
+[ Upstream commit 61bd0f66ff92d5ce765ff9850fd3cbfec773c560 ]
+
+Since commit 8b24e69fc47e ("KVM: PPC: Book3S HV: Close race with testing
+for signals on guest entry"), if CONFIG_VIRT_CPU_ACCOUNTING_GEN is set, the
+guest time is not accounted to guest time and user time, but instead to
+system time.
+
+This is because guest_enter()/guest_exit() are called while interrupts
+are disabled and the tick counter cannot be updated between them.
+
+To fix that, move guest_exit() after local_irq_enable(), and as
+guest_enter() is called with IRQ disabled, call guest_enter_irqoff()
+instead.
+
+Fixes: 8b24e69fc47e ("KVM: PPC: Book3S HV: Close race with testing for signals on guest entry")
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kvm/book3s_hv.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -2847,7 +2847,7 @@ static noinline void kvmppc_run_core(str
+ */
+ trace_hardirqs_on();
+
+- guest_enter();
++ guest_enter_irqoff();
+
+ srcu_idx = srcu_read_lock(&vc->kvm->srcu);
+
+@@ -2855,8 +2855,6 @@ static noinline void kvmppc_run_core(str
+
+ srcu_read_unlock(&vc->kvm->srcu, srcu_idx);
+
+- guest_exit();
+-
+ trace_hardirqs_off();
+ set_irq_happened(trap);
+
+@@ -2890,6 +2888,7 @@ static noinline void kvmppc_run_core(str
+ kvmppc_set_host_core(pcpu);
+
+ local_irq_enable();
++ guest_exit();
+
+ /* Let secondaries go back to the offline loop */
+ for (i = 0; i < controlled_threads; ++i) {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Fri, 23 Feb 2018 21:21:12 +1100
+Subject: KVM: PPC: Book3S HV: Fix handling of large pages in radix page fault handler
+
+From: Paul Mackerras <paulus@ozlabs.org>
+
+[ Upstream commit c3856aeb29402e94ad9b3879030165cc6a4fdc56 ]
+
+This fixes several bugs in the radix page fault handler relating to
+the way large pages in the memory backing the guest were handled.
+First, the check for large pages only checked for explicit huge pages
+and missed transparent huge pages. Then the check that the addresses
+(host virtual vs. guest physical) had appropriate alignment was
+wrong, meaning that the code never put a large page in the partition
+scoped radix tree; it was always demoted to a small page.
+
+Fixing this exposed bugs in kvmppc_create_pte(). We were never
+invalidating a 2MB PTE, which meant that if a page was initially
+faulted in without write permission and the guest then attempted
+to store to it, we would never update the PTE to have write permission.
+If we find a valid 2MB PTE in the PMD, we need to clear it and
+do a TLB invalidation before installing either the new 2MB PTE or
+a pointer to a page table page.
+
+This also corrects an assumption that get_user_pages_fast would set
+the _PAGE_DIRTY bit if we are writing, which is not true. Instead we
+mark the page dirty explicitly with set_page_dirty_lock(). This
+also means we don't need the dirty bit set on the host PTE when
+providing write access on a read fault.
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kvm/book3s_64_mmu_radix.c | 69 ++++++++++++++++++++-------------
+ 1 file changed, 43 insertions(+), 26 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_64_mmu_radix.c
++++ b/arch/powerpc/kvm/book3s_64_mmu_radix.c
+@@ -195,6 +195,12 @@ static void kvmppc_pte_free(pte_t *ptep)
+ kmem_cache_free(kvm_pte_cache, ptep);
+ }
+
++/* Like pmd_huge() and pmd_large(), but works regardless of config options */
++static inline int pmd_is_leaf(pmd_t pmd)
++{
++ return !!(pmd_val(pmd) & _PAGE_PTE);
++}
++
+ static int kvmppc_create_pte(struct kvm *kvm, pte_t pte, unsigned long gpa,
+ unsigned int level, unsigned long mmu_seq)
+ {
+@@ -219,7 +225,7 @@ static int kvmppc_create_pte(struct kvm
+ else
+ new_pmd = pmd_alloc_one(kvm->mm, gpa);
+
+- if (level == 0 && !(pmd && pmd_present(*pmd)))
++ if (level == 0 && !(pmd && pmd_present(*pmd) && !pmd_is_leaf(*pmd)))
+ new_ptep = kvmppc_pte_alloc();
+
+ /* Check if we might have been invalidated; let the guest retry if so */
+@@ -244,12 +250,30 @@ static int kvmppc_create_pte(struct kvm
+ new_pmd = NULL;
+ }
+ pmd = pmd_offset(pud, gpa);
+- if (pmd_large(*pmd)) {
+- /* Someone else has instantiated a large page here; retry */
+- ret = -EAGAIN;
+- goto out_unlock;
+- }
+- if (level == 1 && !pmd_none(*pmd)) {
++ if (pmd_is_leaf(*pmd)) {
++ unsigned long lgpa = gpa & PMD_MASK;
++
++ /*
++ * If we raced with another CPU which has just put
++ * a 2MB pte in after we saw a pte page, try again.
++ */
++ if (level == 0 && !new_ptep) {
++ ret = -EAGAIN;
++ goto out_unlock;
++ }
++ /* Valid 2MB page here already, remove it */
++ old = kvmppc_radix_update_pte(kvm, pmdp_ptep(pmd),
++ ~0UL, 0, lgpa, PMD_SHIFT);
++ kvmppc_radix_tlbie_page(kvm, lgpa, PMD_SHIFT);
++ if (old & _PAGE_DIRTY) {
++ unsigned long gfn = lgpa >> PAGE_SHIFT;
++ struct kvm_memory_slot *memslot;
++ memslot = gfn_to_memslot(kvm, gfn);
++ if (memslot && memslot->dirty_bitmap)
++ kvmppc_update_dirty_map(memslot,
++ gfn, PMD_SIZE);
++ }
++ } else if (level == 1 && !pmd_none(*pmd)) {
+ /*
+ * There's a page table page here, but we wanted
+ * to install a large page. Tell the caller and let
+@@ -412,28 +436,24 @@ int kvmppc_book3s_radix_page_fault(struc
+ } else {
+ page = pages[0];
+ pfn = page_to_pfn(page);
+- if (PageHuge(page)) {
+- page = compound_head(page);
+- pte_size <<= compound_order(page);
++ if (PageCompound(page)) {
++ pte_size <<= compound_order(compound_head(page));
+ /* See if we can insert a 2MB large-page PTE here */
+ if (pte_size >= PMD_SIZE &&
+- (gpa & PMD_MASK & PAGE_MASK) ==
+- (hva & PMD_MASK & PAGE_MASK)) {
++ (gpa & (PMD_SIZE - PAGE_SIZE)) ==
++ (hva & (PMD_SIZE - PAGE_SIZE))) {
+ level = 1;
+ pfn &= ~((PMD_SIZE >> PAGE_SHIFT) - 1);
+ }
+ }
+ /* See if we can provide write access */
+ if (writing) {
+- /*
+- * We assume gup_fast has set dirty on the host PTE.
+- */
+ pgflags |= _PAGE_WRITE;
+ } else {
+ local_irq_save(flags);
+ ptep = find_current_mm_pte(current->mm->pgd,
+ hva, NULL, NULL);
+- if (ptep && pte_write(*ptep) && pte_dirty(*ptep))
++ if (ptep && pte_write(*ptep))
+ pgflags |= _PAGE_WRITE;
+ local_irq_restore(flags);
+ }
+@@ -459,18 +479,15 @@ int kvmppc_book3s_radix_page_fault(struc
+ pte = pfn_pte(pfn, __pgprot(pgflags));
+ ret = kvmppc_create_pte(kvm, pte, gpa, level, mmu_seq);
+ }
+- if (ret == 0 || ret == -EAGAIN)
+- ret = RESUME_GUEST;
+
+ if (page) {
+- /*
+- * We drop pages[0] here, not page because page might
+- * have been set to the head page of a compound, but
+- * we have to drop the reference on the correct tail
+- * page to match the get inside gup()
+- */
+- put_page(pages[0]);
++ if (!ret && (pgflags & _PAGE_WRITE))
++ set_page_dirty_lock(page);
++ put_page(page);
+ }
++
++ if (ret == 0 || ret == -EAGAIN)
++ ret = RESUME_GUEST;
+ return ret;
+ }
+
+@@ -676,7 +693,7 @@ void kvmppc_free_radix(struct kvm *kvm)
+ continue;
+ pmd = pmd_offset(pud, 0);
+ for (im = 0; im < PTRS_PER_PMD; ++im, ++pmd) {
+- if (pmd_huge(*pmd)) {
++ if (pmd_is_leaf(*pmd)) {
+ pmd_clear(pmd);
+ continue;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Fri, 2 Mar 2018 15:38:04 +1100
+Subject: KVM: PPC: Book3S HV: Fix VRMA initialization with 2MB or 1GB memory backing
+
+From: Paul Mackerras <paulus@ozlabs.org>
+
+[ Upstream commit debd574f4195e205ba505b25e19b2b797f4bcd94 ]
+
+The current code for initializing the VRMA (virtual real memory area)
+for HPT guests requires the page size of the backing memory to be one
+of 4kB, 64kB or 16MB. With a radix host we have the possibility that
+the backing memory page size can be 2MB or 1GB. In these cases, if the
+guest switches to HPT mode, KVM will not initialize the VRMA and the
+guest will fail to run.
+
+In fact it is not necessary that the VRMA page size is the same as the
+backing memory page size; any VRMA page size less than or equal to the
+backing memory page size is acceptable. Therefore we now choose the
+largest page size out of the set {4k, 64k, 16M} which is not larger
+than the backing memory page size.
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kvm/book3s_hv.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -3619,15 +3619,17 @@ static int kvmppc_hv_setup_htab_rma(stru
+ goto up_out;
+
+ psize = vma_kernel_pagesize(vma);
+- porder = __ilog2(psize);
+
+ up_read(¤t->mm->mmap_sem);
+
+ /* We can handle 4k, 64k or 16M pages in the VRMA */
+- err = -EINVAL;
+- if (!(psize == 0x1000 || psize == 0x10000 ||
+- psize == 0x1000000))
+- goto out_srcu;
++ if (psize >= 0x1000000)
++ psize = 0x1000000;
++ else if (psize >= 0x10000)
++ psize = 0x10000;
++ else
++ psize = 0x1000;
++ porder = __ilog2(psize);
+
+ senc = slb_pgsize_encoding(psize);
+ kvm->arch.vrma_slb_v = senc | SLB_VSID_B_1T |
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Fri, 23 Mar 2018 09:34:00 -0700
+Subject: KVM: VMX: raise internal error for exception during invalid protected mode state
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+[ Upstream commit add5ff7a216ee545a214013f26d1ef2f44a9c9f8 ]
+
+Exit to userspace with KVM_INTERNAL_ERROR_EMULATION if we encounter
+an exception in Protected Mode while emulating guest due to invalid
+guest state. Unlike Big RM, KVM doesn't support emulating exceptions
+in PM, i.e. PM exceptions are always injected via the VMCS. Because
+we will never do VMRESUME due to emulation_required, the exception is
+never realized and we'll keep emulating the faulting instruction over
+and over until we receive a signal.
+
+Exit to userspace iff there is a pending exception, i.e. don't exit
+simply on a requested event. The purpose of this check and exit is to
+aid in debugging a guest that is in all likelihood already doomed.
+Invalid guest state in PM is extremely limited in normal operation,
+e.g. it generally only occurs for a few instructions early in BIOS,
+and any exception at this time is all but guaranteed to be fatal.
+Non-vectored interrupts, e.g. INIT, SIPI and SMI, can be cleanly
+handled/emulated, while checking for vectored interrupts, e.g. INTR
+and NMI, without hitting false positives would add a fair amount of
+complexity for almost no benefit (getting hit by lightning seems
+more likely than encountering this specific scenario).
+
+Add a WARN_ON_ONCE to vmx_queue_exception() if we try to inject an
+exception via the VMCS and emulation_required is true.
+
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2583,6 +2583,8 @@ static void vmx_queue_exception(struct k
+ return;
+ }
+
++ WARN_ON_ONCE(vmx->emulation_required);
++
+ if (kvm_exception_is_soft(nr)) {
+ vmcs_write32(VM_ENTRY_INSTRUCTION_LEN,
+ vmx->vcpu.arch.event_exit_inst_len);
+@@ -6832,12 +6834,12 @@ static int handle_invalid_guest_state(st
+ goto out;
+ }
+
+- if (err != EMULATE_DONE) {
+- vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+- vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
+- vcpu->run->internal.ndata = 0;
+- return 0;
+- }
++ if (err != EMULATE_DONE)
++ goto emulation_error;
++
++ if (vmx->emulation_required && !vmx->rmode.vm86_active &&
++ vcpu->arch.exception.pending)
++ goto emulation_error;
+
+ if (vcpu->arch.halt_request) {
+ vcpu->arch.halt_request = 0;
+@@ -6853,6 +6855,12 @@ static int handle_invalid_guest_state(st
+
+ out:
+ return ret;
++
++emulation_error:
++ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
++ vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
++ vcpu->run->internal.ndata = 0;
++ return 0;
+ }
+
+ static int __grow_ple_window(int val)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Alexander Graf <agraf@suse.de>
+Date: Wed, 4 Apr 2018 00:19:35 +0200
+Subject: lan78xx: Connect phy early
+
+From: Alexander Graf <agraf@suse.de>
+
+[ Upstream commit 92571a1aae40d291158d16e7142637908220f470 ]
+
+When using wicked with a lan78xx device attached to the system, we
+end up with ethtool commands issued on the device before an ifup
+got issued. That lead to the following crash:
+
+ Unable to handle kernel NULL pointer dereference at virtual address 0000039c
+ pgd = ffff800035b30000
+ [0000039c] *pgd=0000000000000000
+ Internal error: Oops: 96000004 [#1] SMP
+ Modules linked in: [...]
+ Supported: Yes
+ CPU: 3 PID: 638 Comm: wickedd Tainted: G E 4.12.14-0-default #1
+ Hardware name: raspberrypi rpi/rpi, BIOS 2018.03-rc2 02/21/2018
+ task: ffff800035e74180 task.stack: ffff800036718000
+ PC is at phy_ethtool_ksettings_get+0x20/0x98
+ LR is at lan78xx_get_link_ksettings+0x44/0x60 [lan78xx]
+ pc : [<ffff0000086f7f30>] lr : [<ffff000000dcca84>] pstate: 20000005
+ sp : ffff80003671bb20
+ x29: ffff80003671bb20 x28: ffff800035e74180
+ x27: ffff000008912000 x26: 000000000000001d
+ x25: 0000000000000124 x24: ffff000008f74d00
+ x23: 0000004000114809 x22: 0000000000000000
+ x21: ffff80003671bbd0 x20: 0000000000000000
+ x19: ffff80003671bbd0 x18: 000000000000040d
+ x17: 0000000000000001 x16: 0000000000000000
+ x15: 0000000000000000 x14: ffffffffffffffff
+ x13: 0000000000000000 x12: 0000000000000020
+ x11: 0101010101010101 x10: fefefefefefefeff
+ x9 : 7f7f7f7f7f7f7f7f x8 : fefefeff31677364
+ x7 : 0000000080808080 x6 : ffff80003671bc9c
+ x5 : ffff80003671b9f8 x4 : ffff80002c296190
+ x3 : 0000000000000000 x2 : 0000000000000000
+ x1 : ffff80003671bbd0 x0 : ffff80003671bc00
+ Process wickedd (pid: 638, stack limit = 0xffff800036718000)
+ Call trace:
+ Exception stack(0xffff80003671b9e0 to 0xffff80003671bb20)
+ b9e0: ffff80003671bc00 ffff80003671bbd0 0000000000000000 0000000000000000
+ ba00: ffff80002c296190 ffff80003671b9f8 ffff80003671bc9c 0000000080808080
+ ba20: fefefeff31677364 7f7f7f7f7f7f7f7f fefefefefefefeff 0101010101010101
+ ba40: 0000000000000020 0000000000000000 ffffffffffffffff 0000000000000000
+ ba60: 0000000000000000 0000000000000001 000000000000040d ffff80003671bbd0
+ ba80: 0000000000000000 ffff80003671bbd0 0000000000000000 0000004000114809
+ baa0: ffff000008f74d00 0000000000000124 000000000000001d ffff000008912000
+ bac0: ffff800035e74180 ffff80003671bb20 ffff000000dcca84 ffff80003671bb20
+ bae0: ffff0000086f7f30 0000000020000005 ffff80002c296000 ffff800035223900
+ bb00: 0000ffffffffffff 0000000000000000 ffff80003671bb20 ffff0000086f7f30
+ [<ffff0000086f7f30>] phy_ethtool_ksettings_get+0x20/0x98
+ [<ffff000000dcca84>] lan78xx_get_link_ksettings+0x44/0x60 [lan78xx]
+ [<ffff0000087cbc40>] ethtool_get_settings+0x68/0x210
+ [<ffff0000087cc0d4>] dev_ethtool+0x214/0x2180
+ [<ffff0000087e5008>] dev_ioctl+0x400/0x630
+ [<ffff00000879dd00>] sock_do_ioctl+0x70/0x88
+ [<ffff00000879f5f8>] sock_ioctl+0x208/0x368
+ [<ffff0000082cde10>] do_vfs_ioctl+0xb0/0x848
+ [<ffff0000082ce634>] SyS_ioctl+0x8c/0xa8
+ Exception stack(0xffff80003671bec0 to 0xffff80003671c000)
+ bec0: 0000000000000009 0000000000008946 0000fffff4e841d0 0000aa0032687465
+ bee0: 0000aaaafa2319d4 0000fffff4e841d4 0000000032687465 0000000032687465
+ bf00: 000000000000001d 7f7fff7f7f7f7f7f 72606b622e71ff4c 7f7f7f7f7f7f7f7f
+ bf20: 0101010101010101 0000000000000020 ffffffffffffffff 0000ffff7f510c68
+ bf40: 0000ffff7f6a9d18 0000ffff7f44ce30 000000000000040d 0000ffff7f6f98f0
+ bf60: 0000fffff4e842c0 0000000000000001 0000aaaafa2c2e00 0000ffff7f6ab000
+ bf80: 0000fffff4e842c0 0000ffff7f62a000 0000aaaafa2b9f20 0000aaaafa2c2e00
+ bfa0: 0000fffff4e84818 0000fffff4e841a0 0000ffff7f5ad0cc 0000fffff4e841a0
+ bfc0: 0000ffff7f44ce3c 0000000080000000 0000000000000009 000000000000001d
+ bfe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+
+The culprit is quite simple: The driver tries to access the phy left and right,
+but only actually has a working reference to it when the device is up.
+
+The fix thus is quite simple too: Get a reference to the phy on probe already
+and keep it even when the device is going down.
+
+With this patch applied, I can successfully run wicked on my system and bring
+the interface up and down as many times as I want, without getting NULL pointer
+dereferences in between.
+
+Signed-off-by: Alexander Graf <agraf@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/lan78xx.c | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2083,10 +2083,6 @@ static int lan78xx_phy_init(struct lan78
+
+ dev->fc_autoneg = phydev->autoneg;
+
+- phy_start(phydev);
+-
+- netif_dbg(dev, ifup, dev->net, "phy initialised successfully");
+-
+ return 0;
+
+ error:
+@@ -2523,9 +2519,9 @@ static int lan78xx_open(struct net_devic
+ if (ret < 0)
+ goto done;
+
+- ret = lan78xx_phy_init(dev);
+- if (ret < 0)
+- goto done;
++ phy_start(net->phydev);
++
++ netif_dbg(dev, ifup, dev->net, "phy initialised successfully");
+
+ /* for Link Check */
+ if (dev->urb_intr) {
+@@ -2586,13 +2582,8 @@ static int lan78xx_stop(struct net_devic
+ if (timer_pending(&dev->stat_monitor))
+ del_timer_sync(&dev->stat_monitor);
+
+- phy_unregister_fixup_for_uid(PHY_KSZ9031RNX, 0xfffffff0);
+- phy_unregister_fixup_for_uid(PHY_LAN8835, 0xfffffff0);
+-
+- phy_stop(net->phydev);
+- phy_disconnect(net->phydev);
+-
+- net->phydev = NULL;
++ if (net->phydev)
++ phy_stop(net->phydev);
+
+ clear_bit(EVENT_DEV_OPEN, &dev->flags);
+ netif_stop_queue(net);
+@@ -3507,8 +3498,13 @@ static void lan78xx_disconnect(struct us
+ return;
+
+ udev = interface_to_usbdev(intf);
+-
+ net = dev->net;
++
++ phy_unregister_fixup_for_uid(PHY_KSZ9031RNX, 0xfffffff0);
++ phy_unregister_fixup_for_uid(PHY_LAN8835, 0xfffffff0);
++
++ phy_disconnect(net->phydev);
++
+ unregister_netdev(net);
+
+ cancel_delayed_work_sync(&dev->wq);
+@@ -3668,8 +3664,14 @@ static int lan78xx_probe(struct usb_inte
+ pm_runtime_set_autosuspend_delay(&udev->dev,
+ DEFAULT_AUTOSUSPEND_DELAY);
+
++ ret = lan78xx_phy_init(dev);
++ if (ret < 0)
++ goto out4;
++
+ return 0;
+
++out4:
++ unregister_netdev(netdev);
+ out3:
+ lan78xx_unbind(dev, intf);
+ out2:
+@@ -4017,7 +4019,7 @@ static int lan78xx_reset_resume(struct u
+
+ lan78xx_reset(dev);
+
+- lan78xx_phy_init(dev);
++ phy_start(dev->net->phydev);
+
+ return lan78xx_resume(intf);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Raghuram Chary J <raghuramchary.jallipalli@microchip.com>
+Date: Fri, 23 Mar 2018 15:48:08 +0530
+Subject: lan78xx: Set ASD in MAC_CR when EEE is enabled.
+
+From: Raghuram Chary J <raghuramchary.jallipalli@microchip.com>
+
+[ Upstream commit e69647a19c870c2f919e4d5023af8a515e8ef25f ]
+
+Description:
+EEE does not work with lan7800 when AutoSpeed is not set.
+(This can happen when EEPROM is not populated or configured incorrectly)
+
+Root-Cause:
+When EEE is enabled, the mac config register ASD is not set
+i.e. in default state, causing EEE fail.
+
+Fix:
+Set the register when eeprom is not present.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Raghuram Chary J <raghuramchary.jallipalli@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/lan78xx.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2352,6 +2352,7 @@ static int lan78xx_reset(struct lan78xx_
+ u32 buf;
+ int ret = 0;
+ unsigned long timeout;
++ u8 sig;
+
+ ret = lan78xx_read_reg(dev, HW_CFG, &buf);
+ buf |= HW_CFG_LRST_;
+@@ -2451,6 +2452,15 @@ static int lan78xx_reset(struct lan78xx_
+ /* LAN7801 only has RGMII mode */
+ if (dev->chipid == ID_REV_CHIP_ID_7801_)
+ buf &= ~MAC_CR_GMII_EN_;
++
++ if (dev->chipid == ID_REV_CHIP_ID_7800_) {
++ ret = lan78xx_read_raw_eeprom(dev, 0, 1, &sig);
++ if (!ret && sig != EEPROM_INDICATOR) {
++ /* Implies there is no external eeprom. Set mac speed */
++ netdev_info(dev->net, "No External EEPROM. Setting MAC Speed\n");
++ buf |= MAC_CR_AUTO_DUPLEX_ | MAC_CR_AUTO_SPEED_;
++ }
++ }
+ ret = lan78xx_write_reg(dev, MAC_CR, buf);
+
+ ret = lan78xx_read_reg(dev, MAC_TX, &buf);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Luis R. Rodriguez" <mcgrof@kernel.org>
+Date: Fri, 9 Mar 2018 15:51:20 -0800
+Subject: lib/test_kmod.c: fix limit check on number of test devices created
+
+From: "Luis R. Rodriguez" <mcgrof@kernel.org>
+
+[ Upstream commit ac68b1b3b9c73e652dc7ce0585672e23c5a2dca4 ]
+
+As reported by Dan the parentheses is in the wrong place, and since
+unlikely() call returns either 0 or 1 it's never less than zero. The
+second issue is that signed integer overflows like "INT_MAX + 1" are
+undefined behavior.
+
+Since num_test_devs represents the number of devices, we want to stop
+prior to hitting the max, and not rely on the wrap arround at all. So
+just cap at num_test_devs + 1, prior to assigning a new device.
+
+Link: http://lkml.kernel.org/r/20180224030046.24238-1-mcgrof@kernel.org
+Fixes: d9c6a72d6fa2 ("kmod: add test driver to stress test the module loader")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/test_kmod.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/test_kmod.c
++++ b/lib/test_kmod.c
+@@ -1149,7 +1149,7 @@ static struct kmod_test_device *register
+ mutex_lock(®_dev_mutex);
+
+ /* int should suffice for number of devices, test for wrap */
+- if (unlikely(num_test_devs + 1) < 0) {
++ if (num_test_devs + 1 == INT_MAX) {
+ pr_err("reached limit of number of test devices\n");
+ goto out;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Dong Bo <dongbo4@huawei.com>
+Date: Fri, 26 Jan 2018 11:21:49 +0800
+Subject: libata: Fix compile warning with ATA_DEBUG enabled
+
+From: Dong Bo <dongbo4@huawei.com>
+
+[ Upstream commit 0d3e45bc6507bd1f8728bf586ebd16c2d9e40613 ]
+
+This fixs the following comile warnings with ATA_DEBUG enabled,
+which detected by Linaro GCC 5.2-2015.11:
+
+ drivers/ata/libata-scsi.c: In function 'ata_scsi_dump_cdb':
+ ./include/linux/kern_levels.h:5:18: warning: format '%d' expects
+ argument of type 'int', but argument 6 has type 'u64 {aka long
+ long unsigned int}' [-Wformat=]
+
+tj: Patch hand-applied and description trimmed.
+
+Signed-off-by: Dong Bo <dongbo4@huawei.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -4287,7 +4287,7 @@ static inline void ata_scsi_dump_cdb(str
+ #ifdef ATA_DEBUG
+ struct scsi_device *scsidev = cmd->device;
+
+- DPRINTK("CDB (%u:%d,%d,%d) %9ph\n",
++ DPRINTK("CDB (%u:%d,%d,%lld) %9ph\n",
+ ap->print_id,
+ scsidev->channel, scsidev->id, scsidev->lun,
+ cmd->cmnd);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Chengguang Xu <cgxu519@icloud.com>
+Date: Tue, 6 Feb 2018 08:25:55 +0800
+Subject: libceph, ceph: avoid memory leak when specifying same option several times
+
+From: Chengguang Xu <cgxu519@icloud.com>
+
+[ Upstream commit 937441f3a3158d5510ca8cc78a82453f57a96365 ]
+
+When parsing string option, in order to avoid memory leak we need to
+carefully free it first in case of specifying same option several times.
+
+Signed-off-by: Chengguang Xu <cgxu519@icloud.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/super.c | 2 ++
+ net/ceph/ceph_common.c | 7 +++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/fs/ceph/super.c
++++ b/fs/ceph/super.c
+@@ -224,6 +224,7 @@ static int parse_fsopt_token(char *c, vo
+ return -ENOMEM;
+ break;
+ case Opt_mds_namespace:
++ kfree(fsopt->mds_namespace);
+ fsopt->mds_namespace = kstrndup(argstr[0].from,
+ argstr[0].to-argstr[0].from,
+ GFP_KERNEL);
+@@ -231,6 +232,7 @@ static int parse_fsopt_token(char *c, vo
+ return -ENOMEM;
+ break;
+ case Opt_fscache_uniq:
++ kfree(fsopt->fscache_uniq);
+ fsopt->fscache_uniq = kstrndup(argstr[0].from,
+ argstr[0].to-argstr[0].from,
+ GFP_KERNEL);
+--- a/net/ceph/ceph_common.c
++++ b/net/ceph/ceph_common.c
+@@ -418,11 +418,15 @@ ceph_parse_options(char *options, const
+ opt->flags |= CEPH_OPT_FSID;
+ break;
+ case Opt_name:
++ kfree(opt->name);
+ opt->name = kstrndup(argstr[0].from,
+ argstr[0].to-argstr[0].from,
+ GFP_KERNEL);
+ break;
+ case Opt_secret:
++ ceph_crypto_key_destroy(opt->key);
++ kfree(opt->key);
++
+ opt->key = kzalloc(sizeof(*opt->key), GFP_KERNEL);
+ if (!opt->key) {
+ err = -ENOMEM;
+@@ -433,6 +437,9 @@ ceph_parse_options(char *options, const
+ goto out;
+ break;
+ case Opt_key:
++ ceph_crypto_key_destroy(opt->key);
++ kfree(opt->key);
++
+ opt->key = kzalloc(sizeof(*opt->key), GFP_KERNEL);
+ if (!opt->key) {
+ err = -ENOMEM;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 26 Mar 2018 15:08:33 -0700
+Subject: llc: properly handle dev_queue_xmit() return value
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit b85ab56c3f81c5a24b5a5213374f549df06430da ]
+
+llc_conn_send_pdu() pushes the skb into write queue and
+calls llc_conn_send_pdus() to flush them out. However, the
+status of dev_queue_xmit() is not returned to caller,
+in this case, llc_conn_state_process().
+
+llc_conn_state_process() needs hold the skb no matter
+success or failure, because it still uses it after that,
+therefore we should hold skb before dev_queue_xmit() when
+that skb is the one being processed by llc_conn_state_process().
+
+For other callers, they can just pass NULL and ignore
+the return value as they are.
+
+Reported-by: Noam Rathaus <noamr@beyondsecurity.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/llc_conn.h | 2 +-
+ net/llc/llc_c_ac.c | 15 +++++++++------
+ net/llc/llc_conn.c | 32 +++++++++++++++++++++++---------
+ 3 files changed, 33 insertions(+), 16 deletions(-)
+
+--- a/include/net/llc_conn.h
++++ b/include/net/llc_conn.h
+@@ -104,7 +104,7 @@ void llc_sk_reset(struct sock *sk);
+
+ /* Access to a connection */
+ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb);
+-void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb);
++int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb);
+ void llc_conn_rtn_pdu(struct sock *sk, struct sk_buff *skb);
+ void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit);
+ void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit);
+--- a/net/llc/llc_c_ac.c
++++ b/net/llc/llc_c_ac.c
+@@ -389,7 +389,7 @@ static int llc_conn_ac_send_i_cmd_p_set_
+ llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR);
+ rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
+ if (likely(!rc)) {
+- llc_conn_send_pdu(sk, skb);
++ rc = llc_conn_send_pdu(sk, skb);
+ llc_conn_ac_inc_vs_by_1(sk, skb);
+ }
+ return rc;
+@@ -916,7 +916,7 @@ static int llc_conn_ac_send_i_rsp_f_set_
+ llc_pdu_init_as_i_cmd(skb, llc->ack_pf, llc->vS, llc->vR);
+ rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
+ if (likely(!rc)) {
+- llc_conn_send_pdu(sk, skb);
++ rc = llc_conn_send_pdu(sk, skb);
+ llc_conn_ac_inc_vs_by_1(sk, skb);
+ }
+ return rc;
+@@ -935,14 +935,17 @@ static int llc_conn_ac_send_i_rsp_f_set_
+ int llc_conn_ac_send_i_as_ack(struct sock *sk, struct sk_buff *skb)
+ {
+ struct llc_sock *llc = llc_sk(sk);
++ int ret;
+
+ if (llc->ack_must_be_send) {
+- llc_conn_ac_send_i_rsp_f_set_ackpf(sk, skb);
++ ret = llc_conn_ac_send_i_rsp_f_set_ackpf(sk, skb);
+ llc->ack_must_be_send = 0 ;
+ llc->ack_pf = 0;
+- } else
+- llc_conn_ac_send_i_cmd_p_set_0(sk, skb);
+- return 0;
++ } else {
++ ret = llc_conn_ac_send_i_cmd_p_set_0(sk, skb);
++ }
++
++ return ret;
+ }
+
+ /**
+--- a/net/llc/llc_conn.c
++++ b/net/llc/llc_conn.c
+@@ -30,7 +30,7 @@
+ #endif
+
+ static int llc_find_offset(int state, int ev_type);
+-static void llc_conn_send_pdus(struct sock *sk);
++static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *skb);
+ static int llc_conn_service(struct sock *sk, struct sk_buff *skb);
+ static int llc_exec_conn_trans_actions(struct sock *sk,
+ struct llc_conn_state_trans *trans,
+@@ -193,11 +193,11 @@ out_skb_put:
+ return rc;
+ }
+
+-void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb)
++int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb)
+ {
+ /* queue PDU to send to MAC layer */
+ skb_queue_tail(&sk->sk_write_queue, skb);
+- llc_conn_send_pdus(sk);
++ return llc_conn_send_pdus(sk, skb);
+ }
+
+ /**
+@@ -255,7 +255,7 @@ void llc_conn_resend_i_pdu_as_cmd(struct
+ if (howmany_resend > 0)
+ llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO;
+ /* any PDUs to re-send are queued up; start sending to MAC */
+- llc_conn_send_pdus(sk);
++ llc_conn_send_pdus(sk, NULL);
+ out:;
+ }
+
+@@ -296,7 +296,7 @@ void llc_conn_resend_i_pdu_as_rsp(struct
+ if (howmany_resend > 0)
+ llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO;
+ /* any PDUs to re-send are queued up; start sending to MAC */
+- llc_conn_send_pdus(sk);
++ llc_conn_send_pdus(sk, NULL);
+ out:;
+ }
+
+@@ -340,12 +340,16 @@ out:
+ /**
+ * llc_conn_send_pdus - Sends queued PDUs
+ * @sk: active connection
++ * @hold_skb: the skb held by caller, or NULL if does not care
+ *
+- * Sends queued pdus to MAC layer for transmission.
++ * Sends queued pdus to MAC layer for transmission. When @hold_skb is
++ * NULL, always return 0. Otherwise, return 0 if @hold_skb is sent
++ * successfully, or 1 for failure.
+ */
+-static void llc_conn_send_pdus(struct sock *sk)
++static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *hold_skb)
+ {
+ struct sk_buff *skb;
++ int ret = 0;
+
+ while ((skb = skb_dequeue(&sk->sk_write_queue)) != NULL) {
+ struct llc_pdu_sn *pdu = llc_pdu_sn_hdr(skb);
+@@ -357,10 +361,20 @@ static void llc_conn_send_pdus(struct so
+ skb_queue_tail(&llc_sk(sk)->pdu_unack_q, skb);
+ if (!skb2)
+ break;
+- skb = skb2;
++ dev_queue_xmit(skb2);
++ } else {
++ bool is_target = skb == hold_skb;
++ int rc;
++
++ if (is_target)
++ skb_get(skb);
++ rc = dev_queue_xmit(skb);
++ if (is_target)
++ ret = rc;
+ }
+- dev_queue_xmit(skb);
+ }
++
++ return ret;
+ }
+
+ /**
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Andrea Parri <parri.andrea@gmail.com>
+Date: Tue, 20 Feb 2018 19:45:56 +0100
+Subject: locking/xchg/alpha: Add unconditional memory barrier to cmpxchg()
+
+From: Andrea Parri <parri.andrea@gmail.com>
+
+[ Upstream commit cb13b424e986aed68d74cbaec3449ea23c50e167 ]
+
+Continuing along with the fight against smp_read_barrier_depends() [1]
+(or rather, against its improper use), add an unconditional barrier to
+cmpxchg. This guarantees that dependency ordering is preserved when a
+dependency is headed by an unsuccessful cmpxchg. As it turns out, the
+change could enable further simplification of LKMM as proposed in [2].
+
+[1] https://marc.info/?l=linux-kernel&m=150884953419377&w=2
+ https://marc.info/?l=linux-kernel&m=150884946319353&w=2
+ https://marc.info/?l=linux-kernel&m=151215810824468&w=2
+ https://marc.info/?l=linux-kernel&m=151215816324484&w=2
+
+[2] https://marc.info/?l=linux-kernel&m=151881978314872&w=2
+
+Signed-off-by: Andrea Parri <parri.andrea@gmail.com>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matt Turner <mattst88@gmail.com>
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: linux-alpha@vger.kernel.org
+Link: http://lkml.kernel.org/r/1519152356-4804-1-git-send-email-parri.andrea@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/alpha/include/asm/xchg.h | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/arch/alpha/include/asm/xchg.h
++++ b/arch/alpha/include/asm/xchg.h
+@@ -128,10 +128,9 @@ ____xchg(, volatile void *ptr, unsigned
+ * store NEW in MEM. Return the initial value in MEM. Success is
+ * indicated by comparing RETURN with OLD.
+ *
+- * The memory barrier should be placed in SMP only when we actually
+- * make the change. If we don't change anything (so if the returned
+- * prev is equal to old) then we aren't acquiring anything new and
+- * we don't need any memory barrier as far I can tell.
++ * The memory barrier is placed in SMP unconditionally, in order to
++ * guarantee that dependency ordering is preserved when a dependency
++ * is headed by an unsuccessful operation.
+ */
+
+ static inline unsigned long
+@@ -150,8 +149,8 @@ ____cmpxchg(_u8, volatile char *m, unsig
+ " or %1,%2,%2\n"
+ " stq_c %2,0(%4)\n"
+ " beq %2,3f\n"
+- __ASM__MB
+ "2:\n"
++ __ASM__MB
+ ".subsection 2\n"
+ "3: br 1b\n"
+ ".previous"
+@@ -177,8 +176,8 @@ ____cmpxchg(_u16, volatile short *m, uns
+ " or %1,%2,%2\n"
+ " stq_c %2,0(%4)\n"
+ " beq %2,3f\n"
+- __ASM__MB
+ "2:\n"
++ __ASM__MB
+ ".subsection 2\n"
+ "3: br 1b\n"
+ ".previous"
+@@ -200,8 +199,8 @@ ____cmpxchg(_u32, volatile int *m, int o
+ " mov %4,%1\n"
+ " stl_c %1,%2\n"
+ " beq %1,3f\n"
+- __ASM__MB
+ "2:\n"
++ __ASM__MB
+ ".subsection 2\n"
+ "3: br 1b\n"
+ ".previous"
+@@ -223,8 +222,8 @@ ____cmpxchg(_u64, volatile long *m, unsi
+ " mov %4,%1\n"
+ " stq_c %1,%2\n"
+ " beq %1,3f\n"
+- __ASM__MB
+ "2:\n"
++ __ASM__MB
+ ".subsection 2\n"
+ "3: br 1b\n"
+ ".previous"
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Andrea Parri <parri.andrea@gmail.com>
+Date: Thu, 22 Feb 2018 10:24:48 +0100
+Subject: locking/xchg/alpha: Fix xchg() and cmpxchg() memory ordering bugs
+
+From: Andrea Parri <parri.andrea@gmail.com>
+
+[ Upstream commit 472e8c55cf6622d1c112dc2bc777f68bbd4189db ]
+
+Successful RMW operations are supposed to be fully ordered, but
+Alpha's xchg() and cmpxchg() do not meet this requirement.
+
+Will Deacon noticed the bug:
+
+ > So MP using xchg:
+ >
+ > WRITE_ONCE(x, 1)
+ > xchg(y, 1)
+ >
+ > smp_load_acquire(y) == 1
+ > READ_ONCE(x) == 0
+ >
+ > would be allowed.
+
+... which thus violates the above requirement.
+
+Fix it by adding a leading smp_mb() to the xchg() and cmpxchg() implementations.
+
+Reported-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrea Parri <parri.andrea@gmail.com>
+Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matt Turner <mattst88@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-alpha@vger.kernel.org
+Link: http://lkml.kernel.org/r/1519291488-5752-1-git-send-email-parri.andrea@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/alpha/include/asm/xchg.h | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/arch/alpha/include/asm/xchg.h
++++ b/arch/alpha/include/asm/xchg.h
+@@ -12,6 +12,10 @@
+ * Atomic exchange.
+ * Since it can be used to implement critical sections
+ * it must clobber "memory" (also for interrupts in UP).
++ *
++ * The leading and the trailing memory barriers guarantee that these
++ * operations are fully ordered.
++ *
+ */
+
+ static inline unsigned long
+@@ -19,6 +23,7 @@ ____xchg(_u8, volatile char *m, unsigned
+ {
+ unsigned long ret, tmp, addr64;
+
++ smp_mb();
+ __asm__ __volatile__(
+ " andnot %4,7,%3\n"
+ " insbl %1,%4,%1\n"
+@@ -43,6 +48,7 @@ ____xchg(_u16, volatile short *m, unsign
+ {
+ unsigned long ret, tmp, addr64;
+
++ smp_mb();
+ __asm__ __volatile__(
+ " andnot %4,7,%3\n"
+ " inswl %1,%4,%1\n"
+@@ -67,6 +73,7 @@ ____xchg(_u32, volatile int *m, unsigned
+ {
+ unsigned long dummy;
+
++ smp_mb();
+ __asm__ __volatile__(
+ "1: ldl_l %0,%4\n"
+ " bis $31,%3,%1\n"
+@@ -87,6 +94,7 @@ ____xchg(_u64, volatile long *m, unsigne
+ {
+ unsigned long dummy;
+
++ smp_mb();
+ __asm__ __volatile__(
+ "1: ldq_l %0,%4\n"
+ " bis $31,%3,%1\n"
+@@ -128,9 +136,12 @@ ____xchg(, volatile void *ptr, unsigned
+ * store NEW in MEM. Return the initial value in MEM. Success is
+ * indicated by comparing RETURN with OLD.
+ *
+- * The memory barrier is placed in SMP unconditionally, in order to
+- * guarantee that dependency ordering is preserved when a dependency
+- * is headed by an unsuccessful operation.
++ * The leading and the trailing memory barriers guarantee that these
++ * operations are fully ordered.
++ *
++ * The trailing memory barrier is placed in SMP unconditionally, in
++ * order to guarantee that dependency ordering is preserved when a
++ * dependency is headed by an unsuccessful operation.
+ */
+
+ static inline unsigned long
+@@ -138,6 +149,7 @@ ____cmpxchg(_u8, volatile char *m, unsig
+ {
+ unsigned long prev, tmp, cmp, addr64;
+
++ smp_mb();
+ __asm__ __volatile__(
+ " andnot %5,7,%4\n"
+ " insbl %1,%5,%1\n"
+@@ -165,6 +177,7 @@ ____cmpxchg(_u16, volatile short *m, uns
+ {
+ unsigned long prev, tmp, cmp, addr64;
+
++ smp_mb();
+ __asm__ __volatile__(
+ " andnot %5,7,%4\n"
+ " inswl %1,%5,%1\n"
+@@ -192,6 +205,7 @@ ____cmpxchg(_u32, volatile int *m, int o
+ {
+ unsigned long prev, cmp;
+
++ smp_mb();
+ __asm__ __volatile__(
+ "1: ldl_l %0,%5\n"
+ " cmpeq %0,%3,%1\n"
+@@ -215,6 +229,7 @@ ____cmpxchg(_u64, volatile long *m, unsi
+ {
+ unsigned long prev, cmp;
+
++ smp_mb();
+ __asm__ __volatile__(
+ "1: ldq_l %0,%5\n"
+ " cmpeq %0,%3,%1\n"
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Omar Sandoval <osandov@fb.com>
+Date: Mon, 26 Mar 2018 21:39:11 -0700
+Subject: loop: don't call into filesystem while holding lo_ctl_mutex
+
+From: Omar Sandoval <osandov@fb.com>
+
+[ Upstream commit 2d1d4c1e591fd40bd7dafd868a249d7d00e215d5 ]
+
+We hit an issue where a loop device on NFS was stuck in
+loop_get_status() doing vfs_getattr() after the NFS server died, which
+caused a pile-up of uninterruptible processes waiting on lo_ctl_mutex.
+There's no reason to hold this lock while we wait on the filesystem;
+let's drop it so that other processes can do their thing. We need to
+grab a reference on lo_backing_file while we use it, and we can get rid
+of the check on lo_device, which has been unnecessary since commit
+a34c0ae9ebd6 ("[PATCH] loop: remove the bio remapping capability") in
+the linux-history tree.
+
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/loop.c | 38 ++++++++++++++++++++++++--------------
+ 1 file changed, 24 insertions(+), 14 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1166,21 +1166,17 @@ loop_set_status(struct loop_device *lo,
+ static int
+ loop_get_status(struct loop_device *lo, struct loop_info64 *info)
+ {
+- struct file *file = lo->lo_backing_file;
++ struct file *file;
+ struct kstat stat;
+- int error;
++ int ret;
+
+- if (lo->lo_state != Lo_bound)
++ if (lo->lo_state != Lo_bound) {
++ mutex_unlock(&lo->lo_ctl_mutex);
+ return -ENXIO;
+- error = vfs_getattr(&file->f_path, &stat,
+- STATX_INO, AT_STATX_SYNC_AS_STAT);
+- if (error)
+- return error;
++ }
++
+ memset(info, 0, sizeof(*info));
+ info->lo_number = lo->lo_number;
+- info->lo_device = huge_encode_dev(stat.dev);
+- info->lo_inode = stat.ino;
+- info->lo_rdevice = huge_encode_dev(lo->lo_device ? stat.rdev : stat.dev);
+ info->lo_offset = lo->lo_offset;
+ info->lo_sizelimit = lo->lo_sizelimit;
+ info->lo_flags = lo->lo_flags;
+@@ -1193,7 +1189,19 @@ loop_get_status(struct loop_device *lo,
+ memcpy(info->lo_encrypt_key, lo->lo_encrypt_key,
+ lo->lo_encrypt_key_size);
+ }
+- return 0;
++
++ /* Drop lo_ctl_mutex while we call into the filesystem. */
++ file = get_file(lo->lo_backing_file);
++ mutex_unlock(&lo->lo_ctl_mutex);
++ ret = vfs_getattr(&file->f_path, &stat, STATX_INO,
++ AT_STATX_SYNC_AS_STAT);
++ if (!ret) {
++ info->lo_device = huge_encode_dev(stat.dev);
++ info->lo_inode = stat.ino;
++ info->lo_rdevice = huge_encode_dev(stat.rdev);
++ }
++ fput(file);
++ return ret;
+ }
+
+ static void
+@@ -1373,7 +1381,8 @@ static int lo_ioctl(struct block_device
+ break;
+ case LOOP_GET_STATUS:
+ err = loop_get_status_old(lo, (struct loop_info __user *) arg);
+- break;
++ /* loop_get_status() unlocks lo_ctl_mutex */
++ goto out_unlocked;
+ case LOOP_SET_STATUS64:
+ err = -EPERM;
+ if ((mode & FMODE_WRITE) || capable(CAP_SYS_ADMIN))
+@@ -1382,7 +1391,8 @@ static int lo_ioctl(struct block_device
+ break;
+ case LOOP_GET_STATUS64:
+ err = loop_get_status64(lo, (struct loop_info64 __user *) arg);
+- break;
++ /* loop_get_status() unlocks lo_ctl_mutex */
++ goto out_unlocked;
+ case LOOP_SET_CAPACITY:
+ err = -EPERM;
+ if ((mode & FMODE_WRITE) || capable(CAP_SYS_ADMIN))
+@@ -1543,7 +1553,7 @@ static int lo_compat_ioctl(struct block_
+ mutex_lock(&lo->lo_ctl_mutex);
+ err = loop_get_status_compat(
+ lo, (struct compat_loop_info __user *) arg);
+- mutex_unlock(&lo->lo_ctl_mutex);
++ /* loop_get_status() unlocks lo_ctl_mutex */
+ break;
+ case LOOP_SET_CAPACITY:
+ case LOOP_CLR_FD:
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Greg Ungerer <gerg@linux-m68k.org>
+Date: Wed, 28 Mar 2018 17:12:18 +1000
+Subject: m68k: set dma and coherent masks for platform FEC ethernets
+
+From: Greg Ungerer <gerg@linux-m68k.org>
+
+[ Upstream commit f61e64310b75733d782e930d1fb404b84699eed6 ]
+
+As of commit 205e1b7f51e4 ("dma-mapping: warn when there is no
+coherent_dma_mask") the Freescale FEC driver is issuing the following
+warning on driver initialization on ColdFire systems:
+
+WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 0x40159e20
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc7-dirty #4
+Stack from 41833dd8:
+ 41833dd8 40259c53 40025534 40279e26 00000003 00000000 4004e514 41827000
+ 400255de 40244e42 00000204 40159e20 00000009 00000000 00000000 4024531d
+ 40159e20 40244e42 00000204 00000000 00000000 00000000 00000007 00000000
+ 00000000 40279e26 4028d040 40226576 4003ae88 40279e26 418273f6 41833ef8
+ 7fffffff 418273f2 41867028 4003c9a2 4180ac6c 00000004 41833f8c 4013e71c
+ 40279e1c 40279e26 40226c16 4013ced2 40279e26 40279e58 4028d040 00000000
+Call Trace:
+ [<40025534>] 0x40025534
+ [<4004e514>] 0x4004e514
+ [<400255de>] 0x400255de
+ [<40159e20>] 0x40159e20
+ [<40159e20>] 0x40159e20
+
+It is not fatal, the driver and the system continue to function normally.
+
+As per the warning the coherent_dma_mask is not set on this device.
+There is nothing special about the DMA memory coherency on this hardware
+so we can just set the mask to 32bits in the platform data for the FEC
+ethernet devices.
+
+Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/m68k/coldfire/device.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/arch/m68k/coldfire/device.c
++++ b/arch/m68k/coldfire/device.c
+@@ -135,7 +135,11 @@ static struct platform_device mcf_fec0 =
+ .id = 0,
+ .num_resources = ARRAY_SIZE(mcf_fec0_resources),
+ .resource = mcf_fec0_resources,
+- .dev.platform_data = FEC_PDATA,
++ .dev = {
++ .dma_mask = &mcf_fec0.dev.coherent_dma_mask,
++ .coherent_dma_mask = DMA_BIT_MASK(32),
++ .platform_data = FEC_PDATA,
++ }
+ };
+
+ #ifdef MCFFEC_BASE1
+@@ -167,7 +171,11 @@ static struct platform_device mcf_fec1 =
+ .id = 1,
+ .num_resources = ARRAY_SIZE(mcf_fec1_resources),
+ .resource = mcf_fec1_resources,
+- .dev.platform_data = FEC_PDATA,
++ .dev = {
++ .dma_mask = &mcf_fec1.dev.coherent_dma_mask,
++ .coherent_dma_mask = DMA_BIT_MASK(32),
++ .platform_data = FEC_PDATA,
++ }
+ };
+ #endif /* MCFFEC_BASE1 */
+ #endif /* CONFIG_FEC */
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Ilan Peer <ilan.peer@intel.com>
+Date: Mon, 19 Feb 2018 14:48:42 +0200
+Subject: mac80211: Do not disconnect on invalid operating class
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit 191da271ac260700db3e5b4bb982a17ca78769d6 ]
+
+Some APs include a non global operating class in their extended channel
+switch information element. In such a case, as the operating class is not
+known, mac80211 would decide to disconnect.
+
+However the specification states that the operating class needs to be
+taken from Annex E, but it does not specify from which table it should be
+taken, so it is valid for an AP to use a non global operating class.
+
+To avoid possibly unneeded disconnection, in such a case ignore the
+operating class and assume that the current band is used, and if the
+resulting channel and band configuration is invalid disconnect.
+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/spectmgmt.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/spectmgmt.c
++++ b/net/mac80211/spectmgmt.c
+@@ -8,6 +8,7 @@
+ * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
+ * Copyright 2007-2008, Intel Corporation
+ * Copyright 2008, Johannes Berg <johannes@sipsolutions.net>
++ * Copyright (C) 2018 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+@@ -27,7 +28,7 @@ int ieee80211_parse_ch_switch_ie(struct
+ u32 sta_flags, u8 *bssid,
+ struct ieee80211_csa_ie *csa_ie)
+ {
+- enum nl80211_band new_band;
++ enum nl80211_band new_band = current_band;
+ int new_freq;
+ u8 new_chan_no;
+ struct ieee80211_channel *new_chan;
+@@ -55,15 +56,13 @@ int ieee80211_parse_ch_switch_ie(struct
+ elems->ext_chansw_ie->new_operating_class,
+ &new_band)) {
+ sdata_info(sdata,
+- "cannot understand ECSA IE operating class %d, disconnecting\n",
++ "cannot understand ECSA IE operating class, %d, ignoring\n",
+ elems->ext_chansw_ie->new_operating_class);
+- return -EINVAL;
+ }
+ new_chan_no = elems->ext_chansw_ie->new_ch_num;
+ csa_ie->count = elems->ext_chansw_ie->count;
+ csa_ie->mode = elems->ext_chansw_ie->mode;
+ } else if (elems->ch_switch_ie) {
+- new_band = current_band;
+ new_chan_no = elems->ch_switch_ie->new_ch_num;
+ csa_ie->count = elems->ch_switch_ie->count;
+ csa_ie->mode = elems->ch_switch_ie->mode;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 26 Mar 2018 16:21:04 +0300
+Subject: mac80211: don't WARN on bad WMM parameters from buggy APs
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit c470bdc1aaf36669e04ba65faf1092b2d1c6cabe ]
+
+Apparently, some APs are buggy enough to send a zeroed
+WMM IE. Don't WARN on this since this is not caused by a bug
+on the client's system.
+
+This aligns the condition of the WARNING in drv_conf_tx
+with the validity check in ieee80211_sta_wmm_params.
+We will now pick the default values whenever we get
+a zeroed WMM IE.
+
+This has been reported here:
+https://bugzilla.kernel.org/show_bug.cgi?id=199161
+
+Fixes: f409079bb678 ("mac80211: sanity check CW_min/CW_max towards driver")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mlme.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1797,7 +1797,8 @@ static bool ieee80211_sta_wmm_params(str
+ params[ac].acm = acm;
+ params[ac].uapsd = uapsd;
+
+- if (params[ac].cw_min > params[ac].cw_max) {
++ if (params->cw_min == 0 ||
++ params[ac].cw_min > params[ac].cw_max) {
+ sdata_info(sdata,
+ "AP has invalid WMM params (CWmin/max=%d/%d for ACI %d), using defaults\n",
+ params[ac].cw_min, params[ac].cw_max, aci);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Felix Fietkau <nbd@nbd.name>
+Date: Fri, 23 Feb 2018 10:06:03 +0100
+Subject: mac80211: drop frames with unexpected DS bits from fast-rx to slow path
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit b323ac19b7734a1c464b2785a082ee50bccd3b91 ]
+
+Fixes rx for 4-addr packets in AP mode. These may be used for setting
+up a 4-addr link for stations that are allowed to do so.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -3928,7 +3928,7 @@ static bool ieee80211_invoke_fast_rx(str
+ if ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FROMDS |
+ IEEE80211_FCTL_TODS)) !=
+ fast_rx->expected_ds_bits)
+- goto drop;
++ return false;
+
+ /* assign the key to drop unencrypted frames (later)
+ * and strip the IV/MIC if necessary
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Mon, 19 Feb 2018 14:48:35 +0200
+Subject: mac80211: fix a possible leak of station stats
+
+From: Sara Sharon <sara.sharon@intel.com>
+
+[ Upstream commit d78d9ee9d40aca4781d2c5334972544601a4c3a2 ]
+
+If sta_info_alloc fails after allocating the per CPU statistics,
+they are not properly freed.
+
+Fixes: c9c5962b56c1 ("mac80211: enable collecting station statistics per-CPU")
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/sta_info.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -439,6 +439,7 @@ free_txq:
+ if (sta->sta.txq[0])
+ kfree(to_txq_info(sta->sta.txq[0]));
+ free:
++ free_percpu(sta->pcpu_rx_stats);
+ #ifdef CONFIG_MAC80211_MESH
+ kfree(sta->mesh);
+ #endif
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Mon, 19 Feb 2018 14:48:37 +0200
+Subject: mac80211: fix calling sleeping function in atomic context
+
+From: Sara Sharon <sara.sharon@intel.com>
+
+[ Upstream commit 95f3ce6a77893ac828ba841df44421620de4314b ]
+
+sta_info_alloc can be called from atomic paths (such as RX path)
+so we need to call pcpu_alloc with the correct gfp.
+
+Fixes: c9c5962b56c1 ("mac80211: enable collecting station statistics per-CPU")
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/sta_info.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -314,7 +314,7 @@ struct sta_info *sta_info_alloc(struct i
+
+ if (ieee80211_hw_check(hw, USES_RSS)) {
+ sta->pcpu_rx_stats =
+- alloc_percpu(struct ieee80211_sta_rx_stats);
++ alloc_percpu_gfp(struct ieee80211_sta_rx_stats, gfp);
+ if (!sta->pcpu_rx_stats)
+ goto free;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Ilan Peer <ilan.peer@intel.com>
+Date: Mon, 19 Feb 2018 14:48:43 +0200
+Subject: mac80211: Fix sending ADDBA response for an ongoing session
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit 3b07029729e347f288c70227cfe3c66b085d6b0b ]
+
+In case an ADDBA request is received while there is already
+an ongoing BA sessions with the same parameters, i.e., update
+flow, an ADBBA response with decline status was sent twice. Fix it.
+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/agg-rx.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/mac80211/agg-rx.c
++++ b/net/mac80211/agg-rx.c
+@@ -8,6 +8,7 @@
+ * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
+ * Copyright 2007-2010, Intel Corporation
+ * Copyright(c) 2015-2017 Intel Deutschland GmbH
++ * Copyright (C) 2018 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+@@ -322,9 +323,6 @@ void ___ieee80211_start_rx_ba_session(st
+ * driver so reject the timeout update.
+ */
+ status = WLAN_STATUS_REQUEST_DECLINED;
+- ieee80211_send_addba_resp(sta->sdata, sta->sta.addr,
+- tid, dialog_token, status,
+- 1, buf_size, timeout);
+ goto end;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Peter Oh <peter.oh@bowerswilkins.com>
+Date: Fri, 26 Jan 2018 14:02:37 -0800
+Subject: mac80211: mesh: fix wrong mesh TTL offset calculation
+
+From: Peter Oh <peter.oh@bowerswilkins.com>
+
+[ Upstream commit c4de37ee2b55deac7d6aeac33e02e3d6be243898 ]
+
+mesh TTL offset in Mesh Channel Switch Parameters element depends on
+not only Secondary Channel Offset element, but also affected by
+HT Control field and Wide Bandwidth Channel Switch element.
+So use element structure to manipulate mesh channel swich param IE
+after removing its constant attribution to correct the miscalculation.
+
+Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/ieee80211_i.h | 2 +-
+ net/mac80211/mesh.c | 17 ++++++-----------
+ 2 files changed, 7 insertions(+), 12 deletions(-)
+
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1466,7 +1466,7 @@ struct ieee802_11_elems {
+ const struct ieee80211_timeout_interval_ie *timeout_int;
+ const u8 *opmode_notif;
+ const struct ieee80211_sec_chan_offs_ie *sec_chan_offs;
+- const struct ieee80211_mesh_chansw_params_ie *mesh_chansw_params_ie;
++ struct ieee80211_mesh_chansw_params_ie *mesh_chansw_params_ie;
+ const struct ieee80211_bss_max_idle_period_ie *max_idle_period_ie;
+
+ /* length of them, respectively */
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -1253,13 +1253,12 @@ int ieee80211_mesh_csa_beacon(struct iee
+ }
+
+ static int mesh_fwd_csa_frame(struct ieee80211_sub_if_data *sdata,
+- struct ieee80211_mgmt *mgmt, size_t len)
++ struct ieee80211_mgmt *mgmt, size_t len,
++ struct ieee802_11_elems *elems)
+ {
+ struct ieee80211_mgmt *mgmt_fwd;
+ struct sk_buff *skb;
+ struct ieee80211_local *local = sdata->local;
+- u8 *pos = mgmt->u.action.u.chan_switch.variable;
+- size_t offset_ttl;
+
+ skb = dev_alloc_skb(local->tx_headroom + len);
+ if (!skb)
+@@ -1267,13 +1266,9 @@ static int mesh_fwd_csa_frame(struct iee
+ skb_reserve(skb, local->tx_headroom);
+ mgmt_fwd = skb_put(skb, len);
+
+- /* offset_ttl is based on whether the secondary channel
+- * offset is available or not. Subtract 1 from the mesh TTL
+- * and disable the initiator flag before forwarding.
+- */
+- offset_ttl = (len < 42) ? 7 : 10;
+- *(pos + offset_ttl) -= 1;
+- *(pos + offset_ttl + 1) &= ~WLAN_EID_CHAN_SWITCH_PARAM_INITIATOR;
++ elems->mesh_chansw_params_ie->mesh_ttl--;
++ elems->mesh_chansw_params_ie->mesh_flags &=
++ ~WLAN_EID_CHAN_SWITCH_PARAM_INITIATOR;
+
+ memcpy(mgmt_fwd, mgmt, len);
+ eth_broadcast_addr(mgmt_fwd->da);
+@@ -1321,7 +1316,7 @@ static void mesh_rx_csa_frame(struct iee
+
+ /* forward or re-broadcast the CSA frame */
+ if (fwd_csa) {
+- if (mesh_fwd_csa_frame(sdata, mgmt, len) < 0)
++ if (mesh_fwd_csa_frame(sdata, mgmt, len, &elems) < 0)
+ mcsa_dbg(sdata, "Failed to forward the CSA frame");
+ }
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Felix Fietkau <nbd@nbd.name>
+Date: Sat, 10 Feb 2018 13:20:34 +0100
+Subject: mac80211: round IEEE80211_TX_STATUS_HEADROOM up to multiple of 4
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 651b9920d7a694ffb1f885aef2bbb068a25d9d66 ]
+
+This ensures that mac80211 allocated management frames are properly
+aligned, which makes copying them more efficient.
+For instance, mt76 uses iowrite32_copy to copy beacon frames to beacon
+template memory on the chip.
+Misaligned 32-bit accesses cause CPU exceptions on MIPS and should be
+avoided.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/mac80211.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -4141,7 +4141,7 @@ void ieee80211_sta_uapsd_trigger(struct
+ * The TX headroom reserved by mac80211 for its own tx_status functions.
+ * This is enough for the radiotap header.
+ */
+-#define IEEE80211_TX_STATUS_HEADROOM 14
++#define IEEE80211_TX_STATUS_HEADROOM ALIGN(14, 4)
+
+ /**
+ * ieee80211_sta_set_buffered - inform mac80211 about driver-buffered frames
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 21 Mar 2018 11:09:01 +0300
+Subject: macsec: missing dev_put() on error in macsec_newlink()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 5dcd8400884cc4a043a6d4617e042489e5d566a9 ]
+
+We moved the dev_hold(real_dev); call earlier in the function but forgot
+to update the error paths.
+
+Fixes: 0759e552bce7 ("macsec: fix negative refcnt on parent link")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -3248,7 +3248,7 @@ static int macsec_newlink(struct net *ne
+
+ err = netdev_upper_dev_link(real_dev, dev);
+ if (err < 0)
+- goto unregister;
++ goto put_dev;
+
+ /* need to be already registered so that ->init has run and
+ * the MAC addr is set
+@@ -3284,7 +3284,8 @@ del_dev:
+ macsec_del_dev(macsec);
+ unlink:
+ netdev_upper_dev_unlink(real_dev, dev);
+-unregister:
++put_dev:
++ dev_put(real_dev);
+ unregister_netdevice(dev);
+ return err;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Date: Thu, 22 Feb 2018 18:20:30 +0300
+Subject: macvlan: fix use-after-free in macvlan_common_newlink()
+
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+
+[ Upstream commit 4e14bf4236490306004782813b8b4494b18f5e60 ]
+
+The following use-after-free was reported by KASan when running
+LTP macvtap01 test on 4.16-rc2:
+
+[10642.528443] BUG: KASAN: use-after-free in
+ macvlan_common_newlink+0x12ef/0x14a0 [macvlan]
+[10642.626607] Read of size 8 at addr ffff880ba49f2100 by task ip/18450
+...
+[10642.963873] Call Trace:
+[10642.994352] dump_stack+0x5c/0x7c
+[10643.035325] print_address_description+0x75/0x290
+[10643.092938] kasan_report+0x28d/0x390
+[10643.137971] ? macvlan_common_newlink+0x12ef/0x14a0 [macvlan]
+[10643.207963] macvlan_common_newlink+0x12ef/0x14a0 [macvlan]
+[10643.275978] macvtap_newlink+0x171/0x260 [macvtap]
+[10643.334532] rtnl_newlink+0xd4f/0x1300
+...
+[10646.256176] Allocated by task 18450:
+[10646.299964] kasan_kmalloc+0xa6/0xd0
+[10646.343746] kmem_cache_alloc_trace+0xf1/0x210
+[10646.397826] macvlan_common_newlink+0x6de/0x14a0 [macvlan]
+[10646.464386] macvtap_newlink+0x171/0x260 [macvtap]
+[10646.522728] rtnl_newlink+0xd4f/0x1300
+...
+[10647.022028] Freed by task 18450:
+[10647.061549] __kasan_slab_free+0x138/0x180
+[10647.111468] kfree+0x9e/0x1c0
+[10647.147869] macvlan_port_destroy+0x3db/0x650 [macvlan]
+[10647.211411] rollback_registered_many+0x5b9/0xb10
+[10647.268715] rollback_registered+0xd9/0x190
+[10647.319675] register_netdevice+0x8eb/0xc70
+[10647.370635] macvlan_common_newlink+0xe58/0x14a0 [macvlan]
+[10647.437195] macvtap_newlink+0x171/0x260 [macvtap]
+
+Commit d02fd6e7d293 ("macvlan: Fix one possible double free") handles
+the case when register_netdevice() invokes ndo_uninit() on error and
+as a result free the port. But 'macvlan_port_get_rtnl(dev))' check
+(returns dev->rx_handler_data), which was added by this commit in order
+to prevent double free, is not quite correct:
+
+* for macvlan it always returns NULL because 'lowerdev' is the one that
+ was used to register rx handler (port) in macvlan_port_create() as
+ well as to unregister it in macvlan_port_destroy().
+* for macvtap it always returns a valid pointer because macvtap registers
+ its own rx handler before macvlan_common_newlink().
+
+Fixes: d02fd6e7d293 ("macvlan: Fix one possible double free")
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -1448,7 +1448,7 @@ destroy_macvlan_port:
+ /* the macvlan port may be freed by macvlan_uninit when fail to register.
+ * so we destroy the macvlan port only when it's valid.
+ */
+- if (create && macvlan_port_get_rtnl(dev))
++ if (create && macvlan_port_get_rtnl(lowerdev))
+ macvlan_port_destroy(port->dev);
+ return err;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Pierre Bourdon <delroth@google.com>
+Date: Tue, 20 Feb 2018 16:03:18 +0100
+Subject: max17042: propagate of_node to power supply device
+
+From: Pierre Bourdon <delroth@google.com>
+
+[ Upstream commit 66ec32fc7cd116dab5c02603ea8ec28ff92da3b5 ]
+
+max17042_get_status uses the core power_supply_am_i_supplied. That
+function relies on DT properties to figure out the power supply
+topology, and will error out without DT.
+
+Fixes max17042 battery status being reported as "unknown".
+
+Signed-off-by: Pierre Bourdon <delroth@google.com>
+Signed-off-by: Andre Heider <a.heider@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/max17042_battery.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/power/supply/max17042_battery.c
++++ b/drivers/power/supply/max17042_battery.c
+@@ -1021,6 +1021,7 @@ static int max17042_probe(struct i2c_cli
+
+ i2c_set_clientdata(client, chip);
+ psy_cfg.drv_data = chip;
++ psy_cfg.of_node = dev->of_node;
+
+ /* When current is not measured,
+ * CURRENT_NOW and CURRENT_AVG properties should be invisible. */
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: BingJing Chang <bingjingc@synology.com>
+Date: Thu, 22 Feb 2018 13:34:46 +0800
+Subject: md: fix a potential deadlock of raid5/raid10 reshape
+
+From: BingJing Chang <bingjingc@synology.com>
+
+[ Upstream commit 8876391e440ba615b10eef729576e111f0315f87 ]
+
+There is a potential deadlock if mount/umount happens when
+raid5_finish_reshape() tries to grow the size of emulated disk.
+
+How the deadlock happens?
+1) The raid5 resync thread finished reshape (expanding array).
+2) The mount or umount thread holds VFS sb->s_umount lock and tries to
+ write through critical data into raid5 emulated block device. So it
+ waits for raid5 kernel thread handling stripes in order to finish it
+ I/Os.
+3) In the routine of raid5 kernel thread, md_check_recovery() will be
+ called first in order to reap the raid5 resync thread. That is,
+ raid5_finish_reshape() will be called. In this function, it will try
+ to update conf and call VFS revalidate_disk() to grow the raid5
+ emulated block device. It will try to acquire VFS sb->s_umount lock.
+The raid5 kernel thread cannot continue, so no one can handle mount/
+umount I/Os (stripes). Once the write-through I/Os cannot be finished,
+mount/umount will not release sb->s_umount lock. The deadlock happens.
+
+The raid5 kernel thread is an emulated block device. It is responible to
+handle I/Os (stripes) from upper layers. The emulated block device
+should not request any I/Os on itself. That is, it should not call VFS
+layer functions. (If it did, it will try to acquire VFS locks to
+guarantee the I/Os sequence.) So we have the resync thread to send
+resync I/O requests and to wait for the results.
+
+For solving this potential deadlock, we can put the size growth of the
+emulated block device as the final step of reshape thread.
+
+2017/12/29:
+Thanks to Guoqing Jiang <gqjiang@suse.com>,
+we confirmed that there is the same deadlock issue in raid10. It's
+reproducible and can be fixed by this patch. For raid10.c, we can remove
+the similar code to prevent deadlock as well since they has been called
+before.
+
+Reported-by: Alex Wu <alexwu@synology.com>
+Reviewed-by: Alex Wu <alexwu@synology.com>
+Reviewed-by: Chung-Chiang Cheng <cccheng@synology.com>
+Signed-off-by: BingJing Chang <bingjingc@synology.com>
+Signed-off-by: Shaohua Li <sh.li@alibaba-inc.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md.c | 13 +++++++++++++
+ drivers/md/raid10.c | 8 +-------
+ drivers/md/raid5.c | 8 +-------
+ 3 files changed, 15 insertions(+), 14 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -8522,6 +8522,19 @@ void md_do_sync(struct md_thread *thread
+ set_mask_bits(&mddev->sb_flags, 0,
+ BIT(MD_SB_CHANGE_PENDING) | BIT(MD_SB_CHANGE_DEVS));
+
++ if (test_bit(MD_RECOVERY_RESHAPE, &mddev->recovery) &&
++ !test_bit(MD_RECOVERY_INTR, &mddev->recovery) &&
++ mddev->delta_disks > 0 &&
++ mddev->pers->finish_reshape &&
++ mddev->pers->size &&
++ mddev->queue) {
++ mddev_lock_nointr(mddev);
++ md_set_array_sectors(mddev, mddev->pers->size(mddev, 0, 0));
++ mddev_unlock(mddev);
++ set_capacity(mddev->gendisk, mddev->array_sectors);
++ revalidate_disk(mddev->gendisk);
++ }
++
+ spin_lock(&mddev->lock);
+ if (!test_bit(MD_RECOVERY_INTR, &mddev->recovery)) {
+ /* We completed so min/max setting can be forgotten if used. */
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -4693,17 +4693,11 @@ static void raid10_finish_reshape(struct
+ return;
+
+ if (mddev->delta_disks > 0) {
+- sector_t size = raid10_size(mddev, 0, 0);
+- md_set_array_sectors(mddev, size);
+ if (mddev->recovery_cp > mddev->resync_max_sectors) {
+ mddev->recovery_cp = mddev->resync_max_sectors;
+ set_bit(MD_RECOVERY_NEEDED, &mddev->recovery);
+ }
+- mddev->resync_max_sectors = size;
+- if (mddev->queue) {
+- set_capacity(mddev->gendisk, mddev->array_sectors);
+- revalidate_disk(mddev->gendisk);
+- }
++ mddev->resync_max_sectors = mddev->array_sectors;
+ } else {
+ int d;
+ rcu_read_lock();
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -8001,13 +8001,7 @@ static void raid5_finish_reshape(struct
+
+ if (!test_bit(MD_RECOVERY_INTR, &mddev->recovery)) {
+
+- if (mddev->delta_disks > 0) {
+- md_set_array_sectors(mddev, raid5_size(mddev, 0, 0));
+- if (mddev->queue) {
+- set_capacity(mddev->gendisk, mddev->array_sectors);
+- revalidate_disk(mddev->gendisk);
+- }
+- } else {
++ if (mddev->delta_disks <= 0) {
+ int d;
+ spin_lock_irq(&conf->device_lock);
+ mddev->degraded = raid5_calc_degraded(conf);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Heinz Mauelshagen <heinzm@redhat.com>
+Date: Fri, 2 Feb 2018 23:13:19 +0100
+Subject: md: fix md_write_start() deadlock w/o metadata devices
+
+From: Heinz Mauelshagen <heinzm@redhat.com>
+
+[ Upstream commit 4b6c1060eaa6495aa5b0032e8f2d51dd936b1257 ]
+
+If no metadata devices are configured on raid1/4/5/6/10
+(e.g. via dm-raid), md_write_start() unconditionally waits
+for superblocks to be written thus deadlocking.
+
+Fix introduces mddev->has_superblocks bool, defines it in md_run()
+and checks for it in md_write_start() to conditionally avoid waiting.
+
+Once on it, check for non-existing superblocks in md_super_write().
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=198647
+Fixes: cc27b0c78c796 ("md: fix deadlock between mddev_suspend() and md_write_start()")
+
+Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
+Signed-off-by: Shaohua Li <sh.li@alibaba-inc.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md.c | 10 ++++++++++
+ drivers/md/md.h | 2 ++
+ 2 files changed, 12 insertions(+)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -779,6 +779,9 @@ void md_super_write(struct mddev *mddev,
+ struct bio *bio;
+ int ff = 0;
+
++ if (!page)
++ return;
++
+ if (test_bit(Faulty, &rdev->flags))
+ return;
+
+@@ -5434,6 +5437,7 @@ int md_run(struct mddev *mddev)
+ * the only valid external interface is through the md
+ * device.
+ */
++ mddev->has_superblocks = false;
+ rdev_for_each(rdev, mddev) {
+ if (test_bit(Faulty, &rdev->flags))
+ continue;
+@@ -5447,6 +5451,9 @@ int md_run(struct mddev *mddev)
+ set_disk_ro(mddev->gendisk, 1);
+ }
+
++ if (rdev->sb_page)
++ mddev->has_superblocks = true;
++
+ /* perform some consistency tests on the device.
+ * We don't want the data to overlap the metadata,
+ * Internal Bitmap issues have been handled elsewhere.
+@@ -8022,6 +8029,7 @@ EXPORT_SYMBOL(md_done_sync);
+ bool md_write_start(struct mddev *mddev, struct bio *bi)
+ {
+ int did_change = 0;
++
+ if (bio_data_dir(bi) != WRITE)
+ return true;
+
+@@ -8054,6 +8062,8 @@ bool md_write_start(struct mddev *mddev,
+ rcu_read_unlock();
+ if (did_change)
+ sysfs_notify_dirent_safe(mddev->sysfs_state);
++ if (!mddev->has_superblocks)
++ return true;
+ wait_event(mddev->sb_wait,
+ !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags) ||
+ mddev->suspended);
+--- a/drivers/md/md.h
++++ b/drivers/md/md.h
+@@ -462,6 +462,8 @@ struct mddev {
+ void (*sync_super)(struct mddev *mddev, struct md_rdev *rdev);
+ struct md_cluster_info *cluster_info;
+ unsigned int good_device_nr; /* good device num within cluster raid */
++
++ bool has_superblocks:1;
+ };
+
+ enum recovery_flags {
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Xiao Ni <xni@redhat.com>
+Date: Wed, 24 Jan 2018 12:17:38 +0800
+Subject: MD: Free bioset when md_run fails
+
+From: Xiao Ni <xni@redhat.com>
+
+[ Upstream commit b126194cbb799f9980b92a77e58db6ad794c8082 ]
+
+Signed-off-by: Xiao Ni <xni@redhat.com>
+Acked-by: Guoqing Jiang <gqjiang@suse.com>
+Signed-off-by: Shaohua Li <sh.li@alibaba-inc.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md.c | 26 +++++++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5479,8 +5479,10 @@ int md_run(struct mddev *mddev)
+ }
+ if (mddev->sync_set == NULL) {
+ mddev->sync_set = bioset_create(BIO_POOL_SIZE, 0, BIOSET_NEED_BVECS);
+- if (!mddev->sync_set)
+- return -ENOMEM;
++ if (!mddev->sync_set) {
++ err = -ENOMEM;
++ goto abort;
++ }
+ }
+
+ spin_lock(&pers_lock);
+@@ -5493,7 +5495,8 @@ int md_run(struct mddev *mddev)
+ else
+ pr_warn("md: personality for level %s is not loaded!\n",
+ mddev->clevel);
+- return -EINVAL;
++ err = -EINVAL;
++ goto abort;
+ }
+ spin_unlock(&pers_lock);
+ if (mddev->level != pers->level) {
+@@ -5506,7 +5509,8 @@ int md_run(struct mddev *mddev)
+ pers->start_reshape == NULL) {
+ /* This personality cannot handle reshaping... */
+ module_put(pers->owner);
+- return -EINVAL;
++ err = -EINVAL;
++ goto abort;
+ }
+
+ if (pers->sync_request) {
+@@ -5580,7 +5584,7 @@ int md_run(struct mddev *mddev)
+ mddev->private = NULL;
+ module_put(pers->owner);
+ bitmap_destroy(mddev);
+- return err;
++ goto abort;
+ }
+ if (mddev->queue) {
+ bool nonrot = true;
+@@ -5642,6 +5646,18 @@ int md_run(struct mddev *mddev)
+ sysfs_notify_dirent_safe(mddev->sysfs_action);
+ sysfs_notify(&mddev->kobj, NULL, "degraded");
+ return 0;
++
++abort:
++ if (mddev->bio_set) {
++ bioset_free(mddev->bio_set);
++ mddev->bio_set = NULL;
++ }
++ if (mddev->sync_set) {
++ bioset_free(mddev->sync_set);
++ mddev->sync_set = NULL;
++ }
++
++ return err;
+ }
+ EXPORT_SYMBOL_GPL(md_run);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Sat, 24 Feb 2018 12:05:56 +0800
+Subject: md/raid1: fix NULL pointer dereference
+
+From: Yufen Yu <yuyufen@huawei.com>
+
+[ Upstream commit 3de59bb9d551428cbdc76a9ea57883f82e350b4d ]
+
+In handle_write_finished(), if r1_bio->bios[m] != NULL, it thinks
+the corresponding conf->mirrors[m].rdev is also not NULL. But, it
+is not always true.
+
+Even if some io hold replacement rdev(i.e. rdev->nr_pending.count > 0),
+raid1_remove_disk() can also set the rdev as NULL. That means,
+bios[m] != NULL, but mirrors[m].rdev is NULL, resulting in NULL
+pointer dereference in handle_write_finished and sync_request_write.
+
+This patch can fix BUGs as follows:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000140
+ IP: [<ffffffff815bbbbd>] raid1d+0x2bd/0xfc0
+ PGD 12ab52067 PUD 12f587067 PMD 0
+ Oops: 0000 [#1] SMP
+ CPU: 1 PID: 2008 Comm: md3_raid1 Not tainted 4.1.44+ #130
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014
+ Call Trace:
+ ? schedule+0x37/0x90
+ ? prepare_to_wait_event+0x83/0xf0
+ md_thread+0x144/0x150
+ ? wake_atomic_t_function+0x70/0x70
+ ? md_start_sync+0xf0/0xf0
+ kthread+0xd8/0xf0
+ ? kthread_worker_fn+0x160/0x160
+ ret_from_fork+0x42/0x70
+ ? kthread_worker_fn+0x160/0x160
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000000000000b8
+ IP: sync_request_write+0x9e/0x980
+ PGD 800000007c518067 P4D 800000007c518067 PUD 8002b067 PMD 0
+ Oops: 0000 [#1] SMP PTI
+ CPU: 24 PID: 2549 Comm: md3_raid1 Not tainted 4.15.0+ #118
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014
+ Call Trace:
+ ? sched_clock+0x5/0x10
+ ? sched_clock_cpu+0xc/0xb0
+ ? flush_pending_writes+0x3a/0xd0
+ ? pick_next_task_fair+0x4d5/0x5f0
+ ? __switch_to+0xa2/0x430
+ raid1d+0x65a/0x870
+ ? find_pers+0x70/0x70
+ ? find_pers+0x70/0x70
+ ? md_thread+0x11c/0x160
+ md_thread+0x11c/0x160
+ ? finish_wait+0x80/0x80
+ kthread+0x111/0x130
+ ? kthread_create_worker_on_cpu+0x70/0x70
+ ? do_syscall_64+0x6f/0x190
+ ? SyS_exit_group+0x10/0x10
+ ret_from_fork+0x35/0x40
+
+Reviewed-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Signed-off-by: Shaohua Li <sh.li@alibaba-inc.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid1.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -1813,6 +1813,17 @@ static int raid1_remove_disk(struct mdde
+ struct md_rdev *repl =
+ conf->mirrors[conf->raid_disks + number].rdev;
+ freeze_array(conf, 0);
++ if (atomic_read(&repl->nr_pending)) {
++ /* It means that some queued IO of retry_list
++ * hold repl. Thus, we cannot set replacement
++ * as NULL, avoiding rdev NULL pointer
++ * dereference in sync_request_write and
++ * handle_write_finished.
++ */
++ err = -EBUSY;
++ unfreeze_array(conf);
++ goto abort;
++ }
+ clear_bit(Replacement, &repl->flags);
+ p->rdev = repl;
+ conf->mirrors[conf->raid_disks + number].rdev = NULL;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Tue, 6 Feb 2018 17:39:15 +0800
+Subject: md raid10: fix NULL deference in handle_write_completed()
+
+From: Yufen Yu <yuyufen@huawei.com>
+
+[ Upstream commit 01a69cab01c184d3786af09e9339311123d63d22 ]
+
+In the case of 'recover', an r10bio with R10BIO_WriteError &
+R10BIO_IsRecover will be progressed by handle_write_completed().
+This function traverses all r10bio->devs[copies].
+If devs[m].repl_bio != NULL, it thinks conf->mirrors[dev].replacement
+is also not NULL. However, this is not always true.
+
+When there is an rdev of raid10 has replacement, then each r10bio
+->devs[m].repl_bio != NULL in conf->r10buf_pool. However, in 'recover',
+even if corresponded replacement is NULL, it doesn't clear r10bio
+->devs[m].repl_bio, resulting in replacement NULL deference.
+
+This bug was introduced when replacement support for raid10 was
+added in Linux 3.3.
+
+As NeilBrown suggested:
+ Elsewhere the determination of "is this device part of the
+ resync/recovery" is made by resting bio->bi_end_io.
+ If this is end_sync_write, then we tried to write here.
+ If it is NULL, then we didn't try to write.
+
+Fixes: 9ad1aefc8ae8 ("md/raid10: Handle replacement devices during resync.")
+Cc: stable (V3.3+)
+Suggested-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Signed-off-by: Shaohua Li <sh.li@alibaba-inc.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid10.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -2625,7 +2625,8 @@ static void handle_write_completed(struc
+ for (m = 0; m < conf->copies; m++) {
+ int dev = r10_bio->devs[m].devnum;
+ rdev = conf->mirrors[dev].rdev;
+- if (r10_bio->devs[m].bio == NULL)
++ if (r10_bio->devs[m].bio == NULL ||
++ r10_bio->devs[m].bio->bi_end_io == NULL)
+ continue;
+ if (!r10_bio->devs[m].bio->bi_status) {
+ rdev_clear_badblocks(
+@@ -2640,7 +2641,8 @@ static void handle_write_completed(struc
+ md_error(conf->mddev, rdev);
+ }
+ rdev = conf->mirrors[dev].replacement;
+- if (r10_bio->devs[m].repl_bio == NULL)
++ if (r10_bio->devs[m].repl_bio == NULL ||
++ r10_bio->devs[m].repl_bio->bi_end_io == NULL)
+ continue;
+
+ if (!r10_bio->devs[m].repl_bio->bi_status) {
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 20 Feb 2018 14:09:11 +0100
+Subject: md: raid5: avoid string overflow warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 53b8d89ddbdbb0e4625a46d2cdbb6f106c52f801 ]
+
+gcc warns about a possible overflow of the kmem_cache string, when adding
+four characters to a string of the same length:
+
+drivers/md/raid5.c: In function 'setup_conf':
+drivers/md/raid5.c:2207:34: error: '-alt' directive writing 4 bytes into a region of size between 1 and 32 [-Werror=format-overflow=]
+ sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]);
+ ^~~~
+drivers/md/raid5.c:2207:2: note: 'sprintf' output between 5 and 36 bytes into a destination of size 32
+ sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If I'm counting correctly, we need 11 characters for the fixed part
+of the string and 18 characters for a 64-bit pointer (when no gendisk
+is used), so that leaves three characters for conf->level, which should
+always be sufficient.
+
+This makes the code use snprintf() with the correct length, to
+make the code more robust against changes, and to get the compiler
+to shut up.
+
+In commit f4be6b43f1ac ("md/raid5: ensure we create a unique name for
+kmem_cache when mddev has no gendisk") from 2010, Neil said that
+the pointer could be removed "shortly" once devices without gendisk
+are disallowed. I have no idea if that happened, but if it did, that
+should probably be changed as well.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Shaohua Li <sh.li@alibaba-inc.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid5.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -2197,15 +2197,16 @@ static int grow_one_stripe(struct r5conf
+ static int grow_stripes(struct r5conf *conf, int num)
+ {
+ struct kmem_cache *sc;
++ size_t namelen = sizeof(conf->cache_name[0]);
+ int devs = max(conf->raid_disks, conf->previous_raid_disks);
+
+ if (conf->mddev->gendisk)
+- sprintf(conf->cache_name[0],
++ snprintf(conf->cache_name[0], namelen,
+ "raid%d-%s", conf->level, mdname(conf->mddev));
+ else
+- sprintf(conf->cache_name[0],
++ snprintf(conf->cache_name[0], namelen,
+ "raid%d-%p", conf->level, conf->mddev);
+- sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]);
++ snprintf(conf->cache_name[1], namelen, "%.27s-alt", conf->cache_name[0]);
+
+ conf->active_name = 0;
+ sc = kmem_cache_create(conf->cache_name[conf->active_name],
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Brad Love <brad@nextdimension.cc>
+Date: Tue, 6 Mar 2018 14:15:37 -0500
+Subject: media: cx23885: Override 888 ImpactVCBe crystal frequency
+
+From: Brad Love <brad@nextdimension.cc>
+
+[ Upstream commit 779c79d4b833ec646b0aed878da38edb45bbe156 ]
+
+Hauppauge produced a revision of ImpactVCBe using an 888,
+with a 25MHz crystal, instead of using the default third
+overtone 50Mhz crystal. This overrides that frequency so
+that the cx25840 is properly configured. Without the proper
+crystal setup the cx25840 cannot load the firmware or
+decode video.
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/cx23885/cx23885-core.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/media/pci/cx23885/cx23885-core.c
++++ b/drivers/media/pci/cx23885/cx23885-core.c
+@@ -873,6 +873,16 @@ static int cx23885_dev_setup(struct cx23
+ if (cx23885_boards[dev->board].clk_freq > 0)
+ dev->clk_freq = cx23885_boards[dev->board].clk_freq;
+
++ if (dev->board == CX23885_BOARD_HAUPPAUGE_IMPACTVCBE &&
++ dev->pci->subsystem_device == 0x7137) {
++ /* Hauppauge ImpactVCBe device ID 0x7137 is populated
++ * with an 888, and a 25Mhz crystal, instead of the
++ * usual third overtone 50Mhz. The default clock rate must
++ * be overridden so the cx25840 is properly configured
++ */
++ dev->clk_freq = 25000000;
++ }
++
+ dev->pci_bus = dev->pci->bus->number;
+ dev->pci_slot = PCI_SLOT(dev->pci->devfn);
+ cx23885_irq_add(dev, 0x001f00);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Brad Love <brad@nextdimension.cc>
+Date: Tue, 6 Mar 2018 14:15:36 -0500
+Subject: media: cx23885: Set subdev host data to clk_freq pointer
+
+From: Brad Love <brad@nextdimension.cc>
+
+[ Upstream commit 5ceade1d97fc6687e050c44c257382c192f56276 ]
+
+Currently clk_freq is ignored entirely, because the cx235840 driver
+configures the xtal at the chip defaults. This is an issue if a
+board is produced with a non-default frequency crystal. If clk_freq
+is not zero the cx25840 will attempt to use the setting provided,
+or fall back to defaults otherwise.
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/cx23885/cx23885-cards.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/pci/cx23885/cx23885-cards.c
++++ b/drivers/media/pci/cx23885/cx23885-cards.c
+@@ -2286,6 +2286,10 @@ void cx23885_card_setup(struct cx23885_d
+ &dev->i2c_bus[2].i2c_adap,
+ "cx25840", 0x88 >> 1, NULL);
+ if (dev->sd_cx25840) {
++ /* set host data for clk_freq configuration */
++ v4l2_set_subdev_hostdata(dev->sd_cx25840,
++ &dev->clk_freq);
++
+ dev->sd_cx25840->grp_id = CX23885_HW_AV_CORE;
+ v4l2_subdev_call(dev->sd_cx25840, core, load_fw);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 31 Jan 2018 12:33:09 -0500
+Subject: media: cx25821: prevent out-of-bounds read on array card
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 67300abdbe9f1717532aaf4e037222762716d0f6 ]
+
+Currently an out of range dev->nr is detected by just reporting the
+issue and later on an out-of-bounds read on array card occurs because
+of this. Fix this by checking the upper range of dev->nr with the size
+of array card (removes the hard coded size), move this check earlier
+and also exit with the error -ENOSYS to avoid the later out-of-bounds
+array read.
+
+Detected by CoverityScan, CID#711191 ("Out-of-bounds-read")
+
+Fixes: commit 02b20b0b4cde ("V4L/DVB (12730): Add conexant cx25821 driver")
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+[hans.verkuil@cisco.com: %ld -> %zd]
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/cx25821/cx25821-core.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/pci/cx25821/cx25821-core.c
++++ b/drivers/media/pci/cx25821/cx25821-core.c
+@@ -867,6 +867,10 @@ static int cx25821_dev_setup(struct cx25
+ dev->nr = ++cx25821_devcount;
+ sprintf(dev->name, "cx25821[%d]", dev->nr);
+
++ if (dev->nr >= ARRAY_SIZE(card)) {
++ CX25821_INFO("dev->nr >= %zd", ARRAY_SIZE(card));
++ return -ENODEV;
++ }
+ if (dev->pci->device != 0x8210) {
+ pr_info("%s(): Exiting. Incorrect Hardware device = 0x%02x\n",
+ __func__, dev->pci->device);
+@@ -882,9 +886,6 @@ static int cx25821_dev_setup(struct cx25
+ dev->channels[i].sram_channels = &cx25821_sram_channels[i];
+ }
+
+- if (dev->nr > 1)
+- CX25821_INFO("dev->nr > 1!");
+-
+ /* board config */
+ dev->board = 1; /* card[dev->nr]; */
+ dev->_max_num_decoders = MAX_DECODERS;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Date: Sun, 11 Feb 2018 05:44:21 -0500
+Subject: media: dmxdev: fix error code for invalid ioctls
+
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+
+[ Upstream commit a145f64c6107d3aa5a7cec9f8977d04ac2a896c9 ]
+
+Returning -EINVAL when an ioctl is not implemented is a very
+bad idea, as it is hard to distinguish from other error
+contitions that an ioctl could lead. Replace it by its
+right error code: -ENOTTY.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-core/dmxdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-core/dmxdev.c
++++ b/drivers/media/dvb-core/dmxdev.c
+@@ -1055,7 +1055,7 @@ static int dvb_demux_do_ioctl(struct fil
+ break;
+
+ default:
+- ret = -EINVAL;
++ ret = -ENOTTY;
+ break;
+ }
+ mutex_unlock(&dmxdev->mutex);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Date: Mon, 19 Feb 2018 13:23:39 -0500
+Subject: media: Don't let tvp5150_get_vbi() go out of vbi_ram_default array
+
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+
+[ Upstream commit 3dd6b560dc5d59e7cb6dbda6e85dc9af7925fcf8 ]
+
+As pointed by Dan, possible values for bits[3:0] of te Line Mode Registers
+can range from 0x0 to 0xf, but the check logic allow values ranging
+from 0x0 to 0xe.
+
+As static arrays are initialized with zero, using a value without
+an explicit initializer at the array won't cause any harm.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/tvp5150.c | 88 ++++++++++++++++++++++----------------------
+ 1 file changed, 45 insertions(+), 43 deletions(-)
+
+--- a/drivers/media/i2c/tvp5150.c
++++ b/drivers/media/i2c/tvp5150.c
+@@ -506,80 +506,77 @@ static struct i2c_vbi_ram_value vbi_ram_
+ /* FIXME: Current api doesn't handle all VBI types, those not
+ yet supported are placed under #if 0 */
+ #if 0
+- {0x010, /* Teletext, SECAM, WST System A */
++ [0] = {0x010, /* Teletext, SECAM, WST System A */
+ {V4L2_SLICED_TELETEXT_SECAM,6,23,1},
+ { 0xaa, 0xaa, 0xff, 0xff, 0xe7, 0x2e, 0x20, 0x26,
+ 0xe6, 0xb4, 0x0e, 0x00, 0x00, 0x00, 0x10, 0x00 }
+ },
+ #endif
+- {0x030, /* Teletext, PAL, WST System B */
++ [1] = {0x030, /* Teletext, PAL, WST System B */
+ {V4L2_SLICED_TELETEXT_B,6,22,1},
+ { 0xaa, 0xaa, 0xff, 0xff, 0x27, 0x2e, 0x20, 0x2b,
+ 0xa6, 0x72, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00 }
+ },
+ #if 0
+- {0x050, /* Teletext, PAL, WST System C */
++ [2] = {0x050, /* Teletext, PAL, WST System C */
+ {V4L2_SLICED_TELETEXT_PAL_C,6,22,1},
+ { 0xaa, 0xaa, 0xff, 0xff, 0xe7, 0x2e, 0x20, 0x22,
+ 0xa6, 0x98, 0x0d, 0x00, 0x00, 0x00, 0x10, 0x00 }
+ },
+- {0x070, /* Teletext, NTSC, WST System B */
++ [3] = {0x070, /* Teletext, NTSC, WST System B */
+ {V4L2_SLICED_TELETEXT_NTSC_B,10,21,1},
+ { 0xaa, 0xaa, 0xff, 0xff, 0x27, 0x2e, 0x20, 0x23,
+ 0x69, 0x93, 0x0d, 0x00, 0x00, 0x00, 0x10, 0x00 }
+ },
+- {0x090, /* Tetetext, NTSC NABTS System C */
++ [4] = {0x090, /* Tetetext, NTSC NABTS System C */
+ {V4L2_SLICED_TELETEXT_NTSC_C,10,21,1},
+ { 0xaa, 0xaa, 0xff, 0xff, 0xe7, 0x2e, 0x20, 0x22,
+ 0x69, 0x93, 0x0d, 0x00, 0x00, 0x00, 0x15, 0x00 }
+ },
+- {0x0b0, /* Teletext, NTSC-J, NABTS System D */
++ [5] = {0x0b0, /* Teletext, NTSC-J, NABTS System D */
+ {V4L2_SLICED_TELETEXT_NTSC_D,10,21,1},
+ { 0xaa, 0xaa, 0xff, 0xff, 0xa7, 0x2e, 0x20, 0x23,
+ 0x69, 0x93, 0x0d, 0x00, 0x00, 0x00, 0x10, 0x00 }
+ },
+- {0x0d0, /* Closed Caption, PAL/SECAM */
++ [6] = {0x0d0, /* Closed Caption, PAL/SECAM */
+ {V4L2_SLICED_CAPTION_625,22,22,1},
+ { 0xaa, 0x2a, 0xff, 0x3f, 0x04, 0x51, 0x6e, 0x02,
+ 0xa6, 0x7b, 0x09, 0x00, 0x00, 0x00, 0x27, 0x00 }
+ },
+ #endif
+- {0x0f0, /* Closed Caption, NTSC */
++ [7] = {0x0f0, /* Closed Caption, NTSC */
+ {V4L2_SLICED_CAPTION_525,21,21,1},
+ { 0xaa, 0x2a, 0xff, 0x3f, 0x04, 0x51, 0x6e, 0x02,
+ 0x69, 0x8c, 0x09, 0x00, 0x00, 0x00, 0x27, 0x00 }
+ },
+- {0x110, /* Wide Screen Signal, PAL/SECAM */
++ [8] = {0x110, /* Wide Screen Signal, PAL/SECAM */
+ {V4L2_SLICED_WSS_625,23,23,1},
+ { 0x5b, 0x55, 0xc5, 0xff, 0x00, 0x71, 0x6e, 0x42,
+ 0xa6, 0xcd, 0x0f, 0x00, 0x00, 0x00, 0x3a, 0x00 }
+ },
+ #if 0
+- {0x130, /* Wide Screen Signal, NTSC C */
++ [9] = {0x130, /* Wide Screen Signal, NTSC C */
+ {V4L2_SLICED_WSS_525,20,20,1},
+ { 0x38, 0x00, 0x3f, 0x00, 0x00, 0x71, 0x6e, 0x43,
+ 0x69, 0x7c, 0x08, 0x00, 0x00, 0x00, 0x39, 0x00 }
+ },
+- {0x150, /* Vertical Interval Timecode (VITC), PAL/SECAM */
++ [10] = {0x150, /* Vertical Interval Timecode (VITC), PAL/SECAM */
+ {V4l2_SLICED_VITC_625,6,22,0},
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x8f, 0x6d, 0x49,
+ 0xa6, 0x85, 0x08, 0x00, 0x00, 0x00, 0x4c, 0x00 }
+ },
+- {0x170, /* Vertical Interval Timecode (VITC), NTSC */
++ [11] = {0x170, /* Vertical Interval Timecode (VITC), NTSC */
+ {V4l2_SLICED_VITC_525,10,20,0},
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x8f, 0x6d, 0x49,
+ 0x69, 0x94, 0x08, 0x00, 0x00, 0x00, 0x4c, 0x00 }
+ },
+ #endif
+- {0x190, /* Video Program System (VPS), PAL */
++ [12] = {0x190, /* Video Program System (VPS), PAL */
+ {V4L2_SLICED_VPS,16,16,0},
+ { 0xaa, 0xaa, 0xff, 0xff, 0xba, 0xce, 0x2b, 0x0d,
+ 0xa6, 0xda, 0x0b, 0x00, 0x00, 0x00, 0x60, 0x00 }
+ },
+ /* 0x1d0 User programmable */
+-
+- /* End of struct */
+- { (u16)-1 }
+ };
+
+ static int tvp5150_write_inittab(struct v4l2_subdev *sd,
+@@ -592,10 +589,10 @@ static int tvp5150_write_inittab(struct
+ return 0;
+ }
+
+-static int tvp5150_vdp_init(struct v4l2_subdev *sd,
+- const struct i2c_vbi_ram_value *regs)
++static int tvp5150_vdp_init(struct v4l2_subdev *sd)
+ {
+ unsigned int i;
++ int j;
+
+ /* Disable Full Field */
+ tvp5150_write(sd, TVP5150_FULL_FIELD_ENA, 0);
+@@ -605,14 +602,17 @@ static int tvp5150_vdp_init(struct v4l2_
+ tvp5150_write(sd, i, 0xff);
+
+ /* Load Ram Table */
+- while (regs->reg != (u16)-1) {
++ for (j = 0; j < ARRAY_SIZE(vbi_ram_default); j++) {
++ const struct i2c_vbi_ram_value *regs = &vbi_ram_default[j];
++
++ if (!regs->type.vbi_type)
++ continue;
++
+ tvp5150_write(sd, TVP5150_CONF_RAM_ADDR_HIGH, regs->reg >> 8);
+ tvp5150_write(sd, TVP5150_CONF_RAM_ADDR_LOW, regs->reg);
+
+ for (i = 0; i < 16; i++)
+ tvp5150_write(sd, TVP5150_VDP_CONF_RAM_DATA, regs->values[i]);
+-
+- regs++;
+ }
+ return 0;
+ }
+@@ -621,19 +621,23 @@ static int tvp5150_vdp_init(struct v4l2_
+ static int tvp5150_g_sliced_vbi_cap(struct v4l2_subdev *sd,
+ struct v4l2_sliced_vbi_cap *cap)
+ {
+- const struct i2c_vbi_ram_value *regs = vbi_ram_default;
+- int line;
++ int line, i;
+
+ dev_dbg_lvl(sd->dev, 1, debug, "g_sliced_vbi_cap\n");
+ memset(cap, 0, sizeof *cap);
+
+- while (regs->reg != (u16)-1 ) {
+- for (line=regs->type.ini_line;line<=regs->type.end_line;line++) {
++ for (i = 0; i < ARRAY_SIZE(vbi_ram_default); i++) {
++ const struct i2c_vbi_ram_value *regs = &vbi_ram_default[i];
++
++ if (!regs->type.vbi_type)
++ continue;
++
++ for (line = regs->type.ini_line;
++ line <= regs->type.end_line;
++ line++) {
+ cap->service_lines[0][line] |= regs->type.vbi_type;
+ }
+ cap->service_set |= regs->type.vbi_type;
+-
+- regs++;
+ }
+ return 0;
+ }
+@@ -652,14 +656,13 @@ static int tvp5150_g_sliced_vbi_cap(stru
+ * MSB = field2
+ */
+ static int tvp5150_set_vbi(struct v4l2_subdev *sd,
+- const struct i2c_vbi_ram_value *regs,
+ unsigned int type,u8 flags, int line,
+ const int fields)
+ {
+ struct tvp5150 *decoder = to_tvp5150(sd);
+ v4l2_std_id std = decoder->norm;
+ u8 reg;
+- int pos = 0;
++ int i, pos = 0;
+
+ if (std == V4L2_STD_ALL) {
+ dev_err(sd->dev, "VBI can't be configured without knowing number of lines\n");
+@@ -672,19 +675,19 @@ static int tvp5150_set_vbi(struct v4l2_s
+ if (line < 6 || line > 27)
+ return 0;
+
+- while (regs->reg != (u16)-1) {
++ for (i = 0; i < ARRAY_SIZE(vbi_ram_default); i++) {
++ const struct i2c_vbi_ram_value *regs = &vbi_ram_default[i];
++
++ if (!regs->type.vbi_type)
++ continue;
++
+ if ((type & regs->type.vbi_type) &&
+ (line >= regs->type.ini_line) &&
+ (line <= regs->type.end_line))
+ break;
+-
+- regs++;
+ pos++;
+ }
+
+- if (regs->reg == (u16)-1)
+- return 0;
+-
+ type = pos | (flags & 0xf0);
+ reg = ((line - 6) << 1) + TVP5150_LINE_MODE_INI;
+
+@@ -697,8 +700,7 @@ static int tvp5150_set_vbi(struct v4l2_s
+ return type;
+ }
+
+-static int tvp5150_get_vbi(struct v4l2_subdev *sd,
+- const struct i2c_vbi_ram_value *regs, int line)
++static int tvp5150_get_vbi(struct v4l2_subdev *sd, int line)
+ {
+ struct tvp5150 *decoder = to_tvp5150(sd);
+ v4l2_std_id std = decoder->norm;
+@@ -727,8 +729,8 @@ static int tvp5150_get_vbi(struct v4l2_s
+ return 0;
+ }
+ pos = ret & 0x0f;
+- if (pos < 0x0f)
+- type |= regs[pos].type.vbi_type;
++ if (pos < ARRAY_SIZE(vbi_ram_default))
++ type |= vbi_ram_default[pos].type.vbi_type;
+ }
+
+ return type;
+@@ -789,7 +791,7 @@ static int tvp5150_reset(struct v4l2_sub
+ tvp5150_write_inittab(sd, tvp5150_init_default);
+
+ /* Initializes VDP registers */
+- tvp5150_vdp_init(sd, vbi_ram_default);
++ tvp5150_vdp_init(sd);
+
+ /* Selects decoder input */
+ tvp5150_selmux(sd);
+@@ -1122,8 +1124,8 @@ static int tvp5150_s_sliced_fmt(struct v
+ for (i = 0; i <= 23; i++) {
+ svbi->service_lines[1][i] = 0;
+ svbi->service_lines[0][i] =
+- tvp5150_set_vbi(sd, vbi_ram_default,
+- svbi->service_lines[0][i], 0xf0, i, 3);
++ tvp5150_set_vbi(sd, svbi->service_lines[0][i],
++ 0xf0, i, 3);
+ }
+ /* Enables FIFO */
+ tvp5150_write(sd, TVP5150_FIFO_OUT_CTRL, 1);
+@@ -1149,7 +1151,7 @@ static int tvp5150_g_sliced_fmt(struct v
+
+ for (i = 0; i <= 23; i++) {
+ svbi->service_lines[0][i] =
+- tvp5150_get_vbi(sd, vbi_ram_default, i);
++ tvp5150_get_vbi(sd, i);
+ mask |= svbi->service_lines[0][i];
+ }
+ svbi->service_set = mask;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Brad Love <brad@nextdimension.cc>
+Date: Thu, 4 Jan 2018 19:04:15 -0500
+Subject: media: em28xx: Add Hauppauge SoloHD/DualHD bulk models
+
+From: Brad Love <brad@nextdimension.cc>
+
+[ Upstream commit f2a326c928cca1f5e36a3dceaf66e8c6b34e9cb8 ]
+
+Add additional pids to driver list
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Reviewed-by: Michael Ira Krufky <mkrufky@linuxtv.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/em28xx/em28xx-cards.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/usb/em28xx/em28xx-cards.c
++++ b/drivers/media/usb/em28xx/em28xx-cards.c
+@@ -508,8 +508,10 @@ static struct em28xx_reg_seq plex_px_bcu
+ };
+
+ /*
+- * 2040:0265 Hauppauge WinTV-dualHD DVB
+- * 2040:026d Hauppauge WinTV-dualHD ATSC/QAM
++ * 2040:0265 Hauppauge WinTV-dualHD DVB Isoc
++ * 2040:8265 Hauppauge WinTV-dualHD DVB Bulk
++ * 2040:026d Hauppauge WinTV-dualHD ATSC/QAM Isoc
++ * 2040:826d Hauppauge WinTV-dualHD ATSC/QAM Bulk
+ * reg 0x80/0x84:
+ * GPIO_0: Yellow LED tuner 1, 0=on, 1=off
+ * GPIO_1: Green LED tuner 1, 0=on, 1=off
+@@ -2392,7 +2394,8 @@ struct em28xx_board em28xx_boards[] = {
+ .has_dvb = 1,
+ },
+ /*
+- * 2040:0265 Hauppauge WinTV-dualHD (DVB version).
++ * 2040:0265 Hauppauge WinTV-dualHD (DVB version) Isoc.
++ * 2040:8265 Hauppauge WinTV-dualHD (DVB version) Bulk.
+ * Empia EM28274, 2x Silicon Labs Si2168, 2x Silicon Labs Si2157
+ */
+ [EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_DVB] = {
+@@ -2407,7 +2410,8 @@ struct em28xx_board em28xx_boards[] = {
+ .leds = hauppauge_dualhd_leds,
+ },
+ /*
+- * 2040:026d Hauppauge WinTV-dualHD (model 01595 - ATSC/QAM).
++ * 2040:026d Hauppauge WinTV-dualHD (model 01595 - ATSC/QAM) Isoc.
++ * 2040:826d Hauppauge WinTV-dualHD (model 01595 - ATSC/QAM) Bulk.
+ * Empia EM28274, 2x LG LGDT3306A, 2x Silicon Labs Si2157
+ */
+ [EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_01595] = {
+@@ -2548,8 +2552,12 @@ struct usb_device_id em28xx_id_table[] =
+ .driver_info = EM2883_BOARD_HAUPPAUGE_WINTV_HVR_850 },
+ { USB_DEVICE(0x2040, 0x0265),
+ .driver_info = EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_DVB },
++ { USB_DEVICE(0x2040, 0x8265),
++ .driver_info = EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_DVB },
+ { USB_DEVICE(0x2040, 0x026d),
+ .driver_info = EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_01595 },
++ { USB_DEVICE(0x2040, 0x826d),
++ .driver_info = EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_01595 },
+ { USB_DEVICE(0x0438, 0xb002),
+ .driver_info = EM2880_BOARD_AMD_ATI_TV_WONDER_HD_600 },
+ { USB_DEVICE(0x2001, 0xf112),
+@@ -2610,7 +2618,11 @@ struct usb_device_id em28xx_id_table[] =
+ .driver_info = EM28178_BOARD_PCTV_461E },
+ { USB_DEVICE(0x2013, 0x025f),
+ .driver_info = EM28178_BOARD_PCTV_292E },
+- { USB_DEVICE(0x2040, 0x0264), /* Hauppauge WinTV-soloHD */
++ { USB_DEVICE(0x2040, 0x0264), /* Hauppauge WinTV-soloHD Isoc */
++ .driver_info = EM28178_BOARD_PCTV_292E },
++ { USB_DEVICE(0x2040, 0x8264), /* Hauppauge OEM Generic WinTV-soloHD Bulk */
++ .driver_info = EM28178_BOARD_PCTV_292E },
++ { USB_DEVICE(0x2040, 0x8268), /* Hauppauge Retail WinTV-soloHD Bulk */
+ .driver_info = EM28178_BOARD_PCTV_292E },
+ { USB_DEVICE(0x0413, 0x6f07),
+ .driver_info = EM2861_BOARD_LEADTEK_VC100 },
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Brad Love <brad@nextdimension.cc>
+Date: Thu, 4 Jan 2018 19:04:13 -0500
+Subject: media: em28xx: USB bulk packet size fix
+
+From: Brad Love <brad@nextdimension.cc>
+
+[ Upstream commit c7c7e8d7803406daa21e96d00c357de8b77b6764 ]
+
+Hauppauge em28xx bulk devices exhibit continuity errors and corrupted
+packets, when run in VMWare virtual machines. Unknown if other
+manufacturers bulk models exhibit the same issue. KVM/Qemu is unaffected.
+
+According to documentation the maximum packet multiplier for em28xx in bulk
+transfer mode is 256 * 188 bytes. This changes the size of bulk transfers
+to maximum supported value and have a bonus beneficial alignment.
+
+Before:
+
+After:
+
+This sets up USB to expect just as many bytes as the em28xx is set to emit.
+
+Successful usage under load afterwards natively and in both VMWare
+and KVM/Qemu virtual machines.
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Reviewed-by: Michael Ira Krufky <mkrufky@linuxtv.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/em28xx/em28xx.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/em28xx/em28xx.h
++++ b/drivers/media/usb/em28xx/em28xx.h
+@@ -191,7 +191,7 @@
+ USB 2.0 spec says bulk packet size is always 512 bytes
+ */
+ #define EM28XX_BULK_PACKET_MULTIPLIER 384
+-#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 384
++#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 94
+
+ #define EM28XX_INTERLACED_DEFAULT 1
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Kieran Bingham <kieran.bingham@ideasonboard.com>
+Date: Mon, 8 Jan 2018 13:14:04 -0500
+Subject: media: i2c: adv748x: fix HDMI field heights
+
+From: Kieran Bingham <kieran.bingham@ideasonboard.com>
+
+[ Upstream commit 9f564184e6cc21a86c26bab920afac1bab7653ff ]
+
+The ADV748x handles interlaced media using V4L2_FIELD_ALTERNATE field
+types. The correct specification for the height on the mbus is the
+image height, in this instance, the field height.
+
+The AFE component already correctly adjusts the height on the mbus, but
+the HDMI component got left behind.
+
+Adjust the mbus height to correctly describe the image height of the
+fields when processing interlaced video for HDMI pipelines.
+
+Fixes: 3e89586a64df ("media: i2c: adv748x: add adv748x driver")
+
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/adv748x/adv748x-hdmi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/i2c/adv748x/adv748x-hdmi.c
++++ b/drivers/media/i2c/adv748x/adv748x-hdmi.c
+@@ -105,6 +105,9 @@ static void adv748x_hdmi_fill_format(str
+
+ fmt->width = hdmi->timings.bt.width;
+ fmt->height = hdmi->timings.bt.height;
++
++ if (fmt->field == V4L2_FIELD_ALTERNATE)
++ fmt->height /= 2;
+ }
+
+ static void adv748x_fill_optional_dv_timings(struct v4l2_dv_timings *timings)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Brad Love <brad@nextdimension.cc>
+Date: Fri, 5 Jan 2018 09:57:13 -0500
+Subject: media: lgdt3306a: Fix a double kfree on i2c device remove
+
+From: Brad Love <brad@nextdimension.cc>
+
+[ Upstream commit 94448e21cf08b10f7dc7acdaca387594370396b0 ]
+
+Both lgdt33606a_release and lgdt3306a_remove kfree state, but _release is
+called first, then _remove operates on states members before kfree'ing it.
+This can lead to random oops/GPF/etc on USB disconnect.
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-frontends/lgdt3306a.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/lgdt3306a.c
++++ b/drivers/media/dvb-frontends/lgdt3306a.c
+@@ -1767,7 +1767,13 @@ static void lgdt3306a_release(struct dvb
+ struct lgdt3306a_state *state = fe->demodulator_priv;
+
+ dbg_info("\n");
+- kfree(state);
++
++ /*
++ * If state->muxc is not NULL, then we are an i2c device
++ * and lgdt3306a_remove will clean up state
++ */
++ if (!state->muxc)
++ kfree(state);
+ }
+
+ static const struct dvb_frontend_ops lgdt3306a_ops;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Brad Love <brad@nextdimension.cc>
+Date: Fri, 5 Jan 2018 09:57:12 -0500
+Subject: media: lgdt3306a: Fix module count mismatch on usb unplug
+
+From: Brad Love <brad@nextdimension.cc>
+
+[ Upstream commit 835d66173a38538c072a7c393d02360dcfac8582 ]
+
+When used as an i2c device there is a module usage count mismatch on
+removal, preventing the driver from being used thereafter. dvb_attach
+increments the usage count so it is properly balanced on removal.
+
+On disconnect of Hauppauge SoloHD/DualHD before:
+
+lsmod | grep lgdt3306a
+lgdt3306a 28672 -1
+i2c_mux 16384 1 lgdt3306a
+
+On disconnect of Hauppauge SoloHD/DualHD after:
+
+lsmod | grep lgdt3306a
+lgdt3306a 28672 0
+i2c_mux 16384 1 lgdt3306a
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-frontends/lgdt3306a.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/lgdt3306a.c
++++ b/drivers/media/dvb-frontends/lgdt3306a.c
+@@ -2174,7 +2174,7 @@ static int lgdt3306a_probe(struct i2c_cl
+ sizeof(struct lgdt3306a_config));
+
+ config->i2c_addr = client->addr;
+- fe = lgdt3306a_attach(config, client->adapter);
++ fe = dvb_attach(lgdt3306a_attach, config, client->adapter);
+ if (fe == NULL) {
+ ret = -ENODEV;
+ goto err_fe;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Mon, 19 Mar 2018 12:14:17 -0400
+Subject: media: ov5645: add missing of_node_put() in error path
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+[ Upstream commit 06fe932307d58108a11c3e603517dd2a73a57b80 ]
+
+The device node obtained with of_graph_get_next_endpoint() should be
+released by calling of_node_put(). But it was not released when
+v4l2_fwnode_endpoint_parse() failed.
+
+This change moves the of_node_put() call before the error check and
+fixes the issue.
+
+Cc: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Acked-by: Todor Tomov <todor.tomov@linaro.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ov5645.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/i2c/ov5645.c
++++ b/drivers/media/i2c/ov5645.c
+@@ -1131,13 +1131,14 @@ static int ov5645_probe(struct i2c_clien
+
+ ret = v4l2_fwnode_endpoint_parse(of_fwnode_handle(endpoint),
+ &ov5645->ep);
++
++ of_node_put(endpoint);
++
+ if (ret < 0) {
+ dev_err(dev, "parsing endpoint node failed\n");
+ return ret;
+ }
+
+- of_node_put(endpoint);
+-
+ if (ov5645->ep.bus_type != V4L2_MBUS_CSI2) {
+ dev_err(dev, "invalid bus type, must be CSI2\n");
+ return -EINVAL;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 16 Jan 2018 16:52:15 -0500
+Subject: media: s3c-camif: fix out-of-bounds array access
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit a398e043637a4819a0e96467bfecaabf3224dd62 ]
+
+While experimenting with older compiler versions, I ran
+into a warning that no longer shows up on gcc-4.8 or newer:
+
+drivers/media/platform/s3c-camif/camif-capture.c: In function '__camif_subdev_try_format':
+drivers/media/platform/s3c-camif/camif-capture.c:1265:25: error: array subscript is below array bounds
+
+This is an off-by-one bug, leading to an access before the start of the
+array, while newer compilers silently assume this undefined behavior
+cannot happen and leave the loop at index 0 if no other entry matches.
+
+As Sylvester explains, we actually need to ensure that the
+value is within the range, so this reworks the loop to be
+easier to parse correctly, and an additional check to fall
+back on the first format value for any unexpected input.
+
+I found an existing gcc bug for it and added a reduced version
+of the function there.
+
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69249#c3
+Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface")
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/s3c-camif/camif-capture.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/platform/s3c-camif/camif-capture.c
++++ b/drivers/media/platform/s3c-camif/camif-capture.c
+@@ -1256,16 +1256,17 @@ static void __camif_subdev_try_format(st
+ {
+ const struct s3c_camif_variant *variant = camif->variant;
+ const struct vp_pix_limits *pix_lim;
+- int i = ARRAY_SIZE(camif_mbus_formats);
++ unsigned int i;
+
+ /* FIXME: constraints against codec or preview path ? */
+ pix_lim = &variant->vp_pix_limits[VP_CODEC];
+
+- while (i-- >= 0)
++ for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++)
+ if (camif_mbus_formats[i] == mf->code)
+ break;
+
+- mf->code = camif_mbus_formats[i];
++ if (i == ARRAY_SIZE(camif_mbus_formats))
++ mf->code = camif_mbus_formats[0];
+
+ if (pad == CAMIF_SD_PAD_SINK) {
+ v4l_bound_align_image(&mf->width, 8, CAMIF_MAX_PIX_WIDTH,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Date: Sun, 3 Dec 2017 05:06:57 -0500
+Subject: media: v4l: vsp1: Fix display stalls when requesting too many inputs
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+[ Upstream commit 5e3e4cb5e24b92773b194aa90066170b12133bc6 ]
+
+Make sure we don't accept more inputs than the hardware can handle. This
+is a temporary fix to avoid display stall, we need to instead allocate
+the BRU or BRS to display pipelines dynamically based on the number of
+planes they each use.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/vsp1/vsp1_drm.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/media/platform/vsp1/vsp1_drm.c
++++ b/drivers/media/platform/vsp1/vsp1_drm.c
+@@ -504,6 +504,15 @@ void vsp1_du_atomic_flush(struct device
+ struct vsp1_rwpf *rpf = vsp1->rpf[i];
+ unsigned int j;
+
++ /*
++ * Make sure we don't accept more inputs than the hardware can
++ * handle. This is a temporary fix to avoid display stall, we
++ * need to instead allocate the BRU or BRS to display pipelines
++ * dynamically based on the number of planes they each use.
++ */
++ if (pipe->num_inputs >= pipe->bru->source_pad)
++ pipe->inputs[i] = NULL;
++
+ if (!pipe->inputs[i])
+ continue;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Tue, 6 Feb 2018 03:02:23 -0500
+Subject: media: vb2: Fix videobuf2 to map correct area
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit d13a0139d7874a0577b5955d6eed895517d23b72 ]
+
+Fixes vb2_vmalloc_get_userptr() to ioremap correct area.
+Since the current code does ioremap the page address, if the offset > 0,
+it does not do ioremap the last page and results in kernel panic.
+
+This fixes to pass the size + offset to ioremap so that ioremap
+can map correct area. Also, this uses __pfn_to_phys() to get the physical
+address of given PFN.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Reported-by: Takao Orito <orito.takao@socionext.com>
+Reported-by: Fumihiro ATSUMI <atsumi@infinitegra.co.jp>
+Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/videobuf2-vmalloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-vmalloc.c
++++ b/drivers/media/v4l2-core/videobuf2-vmalloc.c
+@@ -106,7 +106,7 @@ static void *vb2_vmalloc_get_userptr(str
+ if (nums[i-1] + 1 != nums[i])
+ goto fail_map;
+ buf->vaddr = (__force void *)
+- ioremap_nocache(nums[0] << PAGE_SHIFT, size);
++ ioremap_nocache(__pfn_to_phys(nums[0]), size + offset);
+ } else {
+ buf->vaddr = vm_map_ram(frame_vector_pages(vec), n_pages, -1,
+ PAGE_KERNEL);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Thu, 1 Feb 2018 02:36:33 -0500
+Subject: media: vivid: fix incorrect capabilities for radio
+
+From: Hans Verkuil <hverkuil@xs4all.nl>
+
+[ Upstream commit 65243386f41d38460bfd4375d231a7c0346d0401 ]
+
+The vivid driver has two custom controls that change the behavior of RDS.
+Depending on the control setting the V4L2_CAP_READWRITE capability is toggled.
+However, after an earlier commit the capability was no longer set correctly.
+This is now fixed.
+
+Fixes: 9765a32cd8 ("vivid: set device_caps in video_device")
+
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/vivid/vivid-ctrls.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/vivid/vivid-ctrls.c
++++ b/drivers/media/platform/vivid/vivid-ctrls.c
+@@ -1191,6 +1191,7 @@ static int vivid_radio_rx_s_ctrl(struct
+ v4l2_ctrl_activate(dev->radio_rx_rds_ta, dev->radio_rx_rds_controls);
+ v4l2_ctrl_activate(dev->radio_rx_rds_tp, dev->radio_rx_rds_controls);
+ v4l2_ctrl_activate(dev->radio_rx_rds_ms, dev->radio_rx_rds_controls);
++ dev->radio_rx_dev.device_caps = dev->radio_rx_caps;
+ break;
+ case V4L2_CID_RDS_RECEPTION:
+ dev->radio_rx_rds_enabled = ctrl->val;
+@@ -1265,6 +1266,7 @@ static int vivid_radio_tx_s_ctrl(struct
+ dev->radio_tx_caps &= ~V4L2_CAP_READWRITE;
+ if (!dev->radio_tx_rds_controls)
+ dev->radio_tx_caps |= V4L2_CAP_READWRITE;
++ dev->radio_tx_dev.device_caps = dev->radio_tx_caps;
+ break;
+ case V4L2_CID_RDS_TX_PTY:
+ if (dev->radio_rx_rds_controls)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Rob Herring <robh@kernel.org>
+Date: Fri, 9 Mar 2018 09:54:07 -0600
+Subject: microblaze: switch to NO_BOOTMEM
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit 101646a24a2f9cdb61d7732459fbf068a7bbb542 ]
+
+Microblaze doesn't set CONFIG_NO_BOOTMEM and so memblock_virt_alloc()
+doesn't work for CONFIG_HAVE_MEMBLOCK && !CONFIG_NO_BOOTMEM.
+
+Similar change was already done by others architectures
+"ARM: mm: Remove bootmem code and switch to NO_BOOTMEM"
+(sha1: 84f452b1e8fc73ac0e31254c66e3e2260ce5263d)
+or
+"openrisc: Consolidate setup to use memblock instead of bootmem"
+(sha1: 266c7fad157265bb54d17db1c9545f2aaa488643)
+or
+"parisc: Drop bootmem and switch to memblock"
+(sha1: 4fe9e1d957e45ad8eba9885ee860a0e93d13a7c7)
+or
+"powerpc: Remove bootmem allocator"
+(sha1: 10239733ee8617bac3f1c1769af43a88ed979324)
+or
+"s390/mm: Convert bootmem to memblock"
+(sha1: 50be634507284eea38df78154d22615d21200b42)
+or
+"sparc64: Convert over to NO_BOOTMEM."
+(sha1: 625d693e9784f988371e69c2b41a2172c0be6c11)
+or
+"xtensa: drop sysmem and switch to memblock"
+(sha1: 0e46c1115f5816949220d62dd3ff04aa68e7ac6b)
+
+Issue was introduced by:
+"of/fdt: use memblock_virt_alloc for early alloc"
+(sha1: 0fa1c579349fdd90173381712ad78aa99c09d38b)
+
+Signed-off-by: Rob Herring <robh@kernel.org>
+Tested-by: Alvaro Gamez Machado <alvaro.gamez@hazent.com>
+Tested-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/microblaze/Kconfig | 1
+ arch/microblaze/mm/init.c | 56 ++++------------------------------------------
+ 2 files changed, 7 insertions(+), 50 deletions(-)
+
+--- a/arch/microblaze/Kconfig
++++ b/arch/microblaze/Kconfig
+@@ -24,6 +24,7 @@ config MICROBLAZE
+ select HAVE_FTRACE_MCOUNT_RECORD
+ select HAVE_FUNCTION_GRAPH_TRACER
+ select HAVE_FUNCTION_TRACER
++ select NO_BOOTMEM
+ select HAVE_MEMBLOCK
+ select HAVE_MEMBLOCK_NODE_MAP
+ select HAVE_OPROFILE
+--- a/arch/microblaze/mm/init.c
++++ b/arch/microblaze/mm/init.c
+@@ -32,9 +32,6 @@ int mem_init_done;
+ #ifndef CONFIG_MMU
+ unsigned int __page_offset;
+ EXPORT_SYMBOL(__page_offset);
+-
+-#else
+-static int init_bootmem_done;
+ #endif /* CONFIG_MMU */
+
+ char *klimit = _end;
+@@ -117,7 +114,6 @@ static void __init paging_init(void)
+
+ void __init setup_memory(void)
+ {
+- unsigned long map_size;
+ struct memblock_region *reg;
+
+ #ifndef CONFIG_MMU
+@@ -174,17 +170,6 @@ void __init setup_memory(void)
+ pr_info("%s: max_low_pfn: %#lx\n", __func__, max_low_pfn);
+ pr_info("%s: max_pfn: %#lx\n", __func__, max_pfn);
+
+- /*
+- * Find an area to use for the bootmem bitmap.
+- * We look for the first area which is at least
+- * 128kB in length (128kB is enough for a bitmap
+- * for 4GB of memory, using 4kB pages), plus 1 page
+- * (in case the address isn't page-aligned).
+- */
+- map_size = init_bootmem_node(NODE_DATA(0),
+- PFN_UP(TOPHYS((u32)klimit)), min_low_pfn, max_low_pfn);
+- memblock_reserve(PFN_UP(TOPHYS((u32)klimit)) << PAGE_SHIFT, map_size);
+-
+ /* Add active regions with valid PFNs */
+ for_each_memblock(memory, reg) {
+ unsigned long start_pfn, end_pfn;
+@@ -196,32 +181,9 @@ void __init setup_memory(void)
+ &memblock.memory, 0);
+ }
+
+- /* free bootmem is whole main memory */
+- free_bootmem_with_active_regions(0, max_low_pfn);
+-
+- /* reserve allocate blocks */
+- for_each_memblock(reserved, reg) {
+- unsigned long top = reg->base + reg->size - 1;
+-
+- pr_debug("reserved - 0x%08x-0x%08x, %lx, %lx\n",
+- (u32) reg->base, (u32) reg->size, top,
+- memory_start + lowmem_size - 1);
+-
+- if (top <= (memory_start + lowmem_size - 1)) {
+- reserve_bootmem(reg->base, reg->size, BOOTMEM_DEFAULT);
+- } else if (reg->base < (memory_start + lowmem_size - 1)) {
+- unsigned long trunc_size = memory_start + lowmem_size -
+- reg->base;
+- reserve_bootmem(reg->base, trunc_size, BOOTMEM_DEFAULT);
+- }
+- }
+-
+ /* XXX need to clip this if using highmem? */
+ sparse_memory_present_with_active_regions(0);
+
+-#ifdef CONFIG_MMU
+- init_bootmem_done = 1;
+-#endif
+ paging_init();
+ }
+
+@@ -398,18 +360,12 @@ asmlinkage void __init mmu_init(void)
+ /* This is only called until mem_init is done. */
+ void __init *early_get_page(void)
+ {
+- void *p;
+- if (init_bootmem_done) {
+- p = alloc_bootmem_pages(PAGE_SIZE);
+- } else {
+- /*
+- * Mem start + kernel_tlb -> here is limit
+- * because of mem mapping from head.S
+- */
+- p = __va(memblock_alloc_base(PAGE_SIZE, PAGE_SIZE,
+- memory_start + kernel_tlb));
+- }
+- return p;
++ /*
++ * Mem start + kernel_tlb -> here is limit
++ * because of mem mapping from head.S
++ */
++ return __va(memblock_alloc_base(PAGE_SIZE, PAGE_SIZE,
++ memory_start + kernel_tlb));
+ }
+
+ #endif /* CONFIG_MMU */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Mathias Kresin <dev@kresin.me>
+Date: Thu, 11 May 2017 08:18:24 +0200
+Subject: MIPS: ath79: Fix AR724X_PLL_REG_PCIE_CONFIG offset
+
+From: Mathias Kresin <dev@kresin.me>
+
+[ Upstream commit 05454c1bde91fb013c0431801001da82947e6b5a ]
+
+According to the QCA u-boot source the "PCIE Phase Lock Loop
+Configuration (PCIE_PLL_CONFIG)" register is for all SoCs except the
+QCA955X and QCA956X at offset 0x10.
+
+Since the PCIE PLL config register is only defined for the AR724x fix
+only this value. The value is wrong since the day it was added and isn't
+used by any driver yet.
+
+Signed-off-by: Mathias Kresin <dev@kresin.me>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16048/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/include/asm/mach-ath79/ar71xx_regs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/mach-ath79/ar71xx_regs.h
++++ b/arch/mips/include/asm/mach-ath79/ar71xx_regs.h
+@@ -167,7 +167,7 @@
+ #define AR71XX_AHB_DIV_MASK 0x7
+
+ #define AR724X_PLL_REG_CPU_CONFIG 0x00
+-#define AR724X_PLL_REG_PCIE_CONFIG 0x18
++#define AR724X_PLL_REG_PCIE_CONFIG 0x10
+
+ #define AR724X_PLL_FB_SHIFT 0
+ #define AR724X_PLL_FB_MASK 0x3ff
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: James Hogan <jhogan@kernel.org>
+Date: Fri, 2 Feb 2018 22:14:09 +0000
+Subject: MIPS: generic: Fix machine compatible matching
+
+From: James Hogan <jhogan@kernel.org>
+
+[ Upstream commit 9a9ab3078e2744a1a55163cfaec73a5798aae33e ]
+
+We now have a platform (Ranchu) in the "generic" platform which matches
+based on the FDT compatible string using mips_machine_is_compatible(),
+however that function doesn't stop at a blank struct
+of_device_id::compatible as that is an array in the struct, not a
+pointer to a string.
+
+Fix the loop completion to check the first byte of the compatible array
+rather than the address of the compatible array in the struct.
+
+Fixes: eed0eabd12ef ("MIPS: generic: Introduce generic DT-based board support")
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Reviewed-by: Paul Burton <paul.burton@mips.com>
+Reviewed-by: Matt Redfearn <matt.redfearn@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/18580/
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/include/asm/machine.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/machine.h
++++ b/arch/mips/include/asm/machine.h
+@@ -52,7 +52,7 @@ mips_machine_is_compatible(const struct
+ if (!mach->matches)
+ return NULL;
+
+- for (match = mach->matches; match->compatible; match++) {
++ for (match = mach->matches; match->compatible[0]; match++) {
+ if (fdt_node_check_compatible(fdt, 0, match->compatible) == 0)
+ return match;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Joe Perches <joe@perches.com>
+Date: Tue, 5 Dec 2017 23:04:58 -0800
+Subject: MIPS: Octeon: Fix logging messages with spurious periods after newlines
+
+From: Joe Perches <joe@perches.com>
+
+[ Upstream commit db6775ca6e0353d2618ca7d5e210fc36ad43bbd4 ]
+
+Using a period after a newline causes bad output.
+
+Fixes: 64b139f97c01 ("MIPS: OCTEON: irq: add CIB and other fixes")
+Signed-off-by: Joe Perches <joe@perches.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17886/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/cavium-octeon/octeon-irq.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/mips/cavium-octeon/octeon-irq.c
++++ b/arch/mips/cavium-octeon/octeon-irq.c
+@@ -2271,7 +2271,7 @@ static int __init octeon_irq_init_cib(st
+
+ parent_irq = irq_of_parse_and_map(ciu_node, 0);
+ if (!parent_irq) {
+- pr_err("ERROR: Couldn't acquire parent_irq for %s\n.",
++ pr_err("ERROR: Couldn't acquire parent_irq for %s\n",
+ ciu_node->name);
+ return -EINVAL;
+ }
+@@ -2283,7 +2283,7 @@ static int __init octeon_irq_init_cib(st
+
+ addr = of_get_address(ciu_node, 0, NULL, NULL);
+ if (!addr) {
+- pr_err("ERROR: Couldn't acquire reg(0) %s\n.", ciu_node->name);
++ pr_err("ERROR: Couldn't acquire reg(0) %s\n", ciu_node->name);
+ return -EINVAL;
+ }
+ host_data->raw_reg = (u64)phys_to_virt(
+@@ -2291,7 +2291,7 @@ static int __init octeon_irq_init_cib(st
+
+ addr = of_get_address(ciu_node, 1, NULL, NULL);
+ if (!addr) {
+- pr_err("ERROR: Couldn't acquire reg(1) %s\n.", ciu_node->name);
++ pr_err("ERROR: Couldn't acquire reg(1) %s\n", ciu_node->name);
+ return -EINVAL;
+ }
+ host_data->en_reg = (u64)phys_to_virt(
+@@ -2299,7 +2299,7 @@ static int __init octeon_irq_init_cib(st
+
+ r = of_property_read_u32(ciu_node, "cavium,max-bits", &val);
+ if (r) {
+- pr_err("ERROR: Couldn't read cavium,max-bits from %s\n.",
++ pr_err("ERROR: Couldn't read cavium,max-bits from %s\n",
+ ciu_node->name);
+ return r;
+ }
+@@ -2309,7 +2309,7 @@ static int __init octeon_irq_init_cib(st
+ &octeon_irq_domain_cib_ops,
+ host_data);
+ if (!cib_domain) {
+- pr_err("ERROR: Couldn't irq_domain_add_linear()\n.");
++ pr_err("ERROR: Couldn't irq_domain_add_linear()\n");
+ return -ENOMEM;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Jiri Pirko <jiri@mellanox.com>
+Date: Wed, 28 Feb 2018 13:12:08 +0100
+Subject: mlxsw: core: Fix flex keys scratchpad offset conflict
+
+From: Jiri Pirko <jiri@mellanox.com>
+
+[ Upstream commit 2ddc94c76cc4ccaf51b478315912b38dfdde1afc ]
+
+IP_TTL, IP_ECN and IP_DSCP are using the same offset within the
+scratchpad as L4 ports. Fix this by shifting all up.
+
+Fixes: 5f57e0909136 ("mlxsw: acl: Add ip ttl acl element")
+Fixes: i80d0fe4710c ("mlxsw: acl: Add ip tos acl element")
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.h | 20 +++++++--------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.h
++++ b/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.h
+@@ -107,20 +107,20 @@ static const struct mlxsw_afk_element_in
+ MLXSW_AFK_ELEMENT_INFO_U32(VID, 0x10, 8, 12),
+ MLXSW_AFK_ELEMENT_INFO_U32(PCP, 0x10, 20, 3),
+ MLXSW_AFK_ELEMENT_INFO_U32(TCP_FLAGS, 0x10, 23, 9),
+- MLXSW_AFK_ELEMENT_INFO_U32(IP_TTL_, 0x14, 0, 8),
+- MLXSW_AFK_ELEMENT_INFO_U32(IP_ECN, 0x14, 9, 2),
+- MLXSW_AFK_ELEMENT_INFO_U32(IP_DSCP, 0x14, 11, 6),
+- MLXSW_AFK_ELEMENT_INFO_U32(SRC_IP4, 0x18, 0, 32),
+- MLXSW_AFK_ELEMENT_INFO_U32(DST_IP4, 0x1C, 0, 32),
+- MLXSW_AFK_ELEMENT_INFO_BUF(SRC_IP6_HI, 0x18, 8),
+- MLXSW_AFK_ELEMENT_INFO_BUF(SRC_IP6_LO, 0x20, 8),
+- MLXSW_AFK_ELEMENT_INFO_BUF(DST_IP6_HI, 0x28, 8),
+- MLXSW_AFK_ELEMENT_INFO_BUF(DST_IP6_LO, 0x30, 8),
+ MLXSW_AFK_ELEMENT_INFO_U32(DST_L4_PORT, 0x14, 0, 16),
+ MLXSW_AFK_ELEMENT_INFO_U32(SRC_L4_PORT, 0x14, 16, 16),
++ MLXSW_AFK_ELEMENT_INFO_U32(IP_TTL_, 0x18, 0, 8),
++ MLXSW_AFK_ELEMENT_INFO_U32(IP_ECN, 0x18, 9, 2),
++ MLXSW_AFK_ELEMENT_INFO_U32(IP_DSCP, 0x18, 11, 6),
++ MLXSW_AFK_ELEMENT_INFO_U32(SRC_IP4, 0x20, 0, 32),
++ MLXSW_AFK_ELEMENT_INFO_U32(DST_IP4, 0x24, 0, 32),
++ MLXSW_AFK_ELEMENT_INFO_BUF(SRC_IP6_HI, 0x20, 8),
++ MLXSW_AFK_ELEMENT_INFO_BUF(SRC_IP6_LO, 0x28, 8),
++ MLXSW_AFK_ELEMENT_INFO_BUF(DST_IP6_HI, 0x30, 8),
++ MLXSW_AFK_ELEMENT_INFO_BUF(DST_IP6_LO, 0x38, 8),
+ };
+
+-#define MLXSW_AFK_ELEMENT_STORAGE_SIZE 0x38
++#define MLXSW_AFK_ELEMENT_STORAGE_SIZE 0x40
+
+ struct mlxsw_afk_element_inst { /* element instance in actual block */
+ const struct mlxsw_afk_element_info *info;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Wed, 28 Feb 2018 13:12:10 +0100
+Subject: mlxsw: spectrum: Treat IPv6 unregistered multicast as broadcast
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 9d45deb04c59b628b21fc5014aff4f9a1d38f969 ]
+
+When multicast snooping is enabled, the Linux bridge resorts to flooding
+unregistered multicast packets to all ports only in case it did not
+detect a querier in the network.
+
+The above condition is not reflected to underlying drivers, which is
+especially problematic in IPv6 environments, as multicast snooping is
+enabled by default and since neighbour solicitation packets might be
+treated as unregistered multicast packets in case there is no
+corresponding MDB entry.
+
+Until the Linux bridge reflects its querier state to underlying drivers,
+simply treat unregistered multicast packets as broadcast and allow them
+to reach their destination.
+
+Fixes: 9df552ef3e21 ("mlxsw: spectrum: Improve IPv6 unregistered multicast flooding")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_fid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_fid.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_fid.c
+@@ -112,11 +112,11 @@ static const int mlxsw_sp_sfgc_bc_packet
+ [MLXSW_REG_SFGC_TYPE_UNREGISTERED_MULTICAST_NON_IP] = 1,
+ [MLXSW_REG_SFGC_TYPE_IPV4_LINK_LOCAL] = 1,
+ [MLXSW_REG_SFGC_TYPE_IPV6_ALL_HOST] = 1,
++ [MLXSW_REG_SFGC_TYPE_UNREGISTERED_MULTICAST_IPV6] = 1,
+ };
+
+ static const int mlxsw_sp_sfgc_mc_packet_types[MLXSW_REG_SFGC_TYPE_MAX] = {
+ [MLXSW_REG_SFGC_TYPE_UNREGISTERED_MULTICAST_IPV4] = 1,
+- [MLXSW_REG_SFGC_TYPE_UNREGISTERED_MULTICAST_IPV6] = 1,
+ };
+
+ static const int *mlxsw_sp_packet_type_sfgc_types[] = {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Huang Ying <ying.huang@intel.com>
+Date: Thu, 5 Apr 2018 16:23:20 -0700
+Subject: mm: fix races between address_space dereference and free in page_evicatable
+
+From: Huang Ying <ying.huang@intel.com>
+
+[ Upstream commit e92bb4dd9673945179b1fc738c9817dd91bfb629 ]
+
+When page_mapping() is called and the mapping is dereferenced in
+page_evicatable() through shrink_active_list(), it is possible for the
+inode to be truncated and the embedded address space to be freed at the
+same time. This may lead to the following race.
+
+CPU1 CPU2
+
+truncate(inode) shrink_active_list()
+ ... page_evictable(page)
+ truncate_inode_page(mapping, page);
+ delete_from_page_cache(page)
+ spin_lock_irqsave(&mapping->tree_lock, flags);
+ __delete_from_page_cache(page, NULL)
+ page_cache_tree_delete(..)
+ ... mapping = page_mapping(page);
+ page->mapping = NULL;
+ ...
+ spin_unlock_irqrestore(&mapping->tree_lock, flags);
+ page_cache_free_page(mapping, page)
+ put_page(page)
+ if (put_page_testzero(page)) -> false
+- inode now has no pages and can be freed including embedded address_space
+
+ mapping_unevictable(mapping)
+ test_bit(AS_UNEVICTABLE, &mapping->flags);
+- we've dereferenced mapping which is potentially already free.
+
+Similar race exists between swap cache freeing and page_evicatable()
+too.
+
+The address_space in inode and swap cache will be freed after a RCU
+grace period. So the races are fixed via enclosing the page_mapping()
+and address_space usage in rcu_read_lock/unlock(). Some comments are
+added in code to make it clear what is protected by the RCU read lock.
+
+Link: http://lkml.kernel.org/r/20180212081227.1940-1-ying.huang@intel.com
+Signed-off-by: "Huang, Ying" <ying.huang@intel.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: "Huang, Ying" <ying.huang@intel.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/vmscan.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -3904,7 +3904,13 @@ int node_reclaim(struct pglist_data *pgd
+ */
+ int page_evictable(struct page *page)
+ {
+- return !mapping_unevictable(page_mapping(page)) && !PageMlocked(page);
++ int ret;
++
++ /* Prevent address_space of inode and swap cache from being freed */
++ rcu_read_lock();
++ ret = !mapping_unevictable(page_mapping(page)) && !PageMlocked(page);
++ rcu_read_unlock();
++ return ret;
+ }
+
+ #ifdef CONFIG_SHMEM
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Vinayak Menon <vinmenon@codeaurora.org>
+Date: Wed, 28 Mar 2018 16:01:16 -0700
+Subject: mm/kmemleak.c: wait for scan completion before disabling free
+
+From: Vinayak Menon <vinmenon@codeaurora.org>
+
+[ Upstream commit 914b6dfff790544d9b77dfd1723adb3745ec9700 ]
+
+A crash is observed when kmemleak_scan accesses the object->pointer,
+likely due to the following race.
+
+ TASK A TASK B TASK C
+ kmemleak_write
+ (with "scan" and
+ NOT "scan=on")
+ kmemleak_scan()
+ create_object
+ kmem_cache_alloc fails
+ kmemleak_disable
+ kmemleak_do_cleanup
+ kmemleak_free_enabled = 0
+ kfree
+ kmemleak_free bails out
+ (kmemleak_free_enabled is 0)
+ slub frees object->pointer
+ update_checksum
+ crash - object->pointer
+ freed (DEBUG_PAGEALLOC)
+
+kmemleak_do_cleanup waits for the scan thread to complete, but not for
+direct call to kmemleak_scan via kmemleak_write. So add a wait for
+kmemleak_scan completion before disabling kmemleak_free, and while at it
+fix the comment on stop_scan_thread.
+
+[vinmenon@codeaurora.org: fix stop_scan_thread comment]
+ Link: http://lkml.kernel.org/r/1522219972-22809-1-git-send-email-vinmenon@codeaurora.org
+Link: http://lkml.kernel.org/r/1522063429-18992-1-git-send-email-vinmenon@codeaurora.org
+Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kmemleak.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -1658,8 +1658,7 @@ static void start_scan_thread(void)
+ }
+
+ /*
+- * Stop the automatic memory scanning thread. This function must be called
+- * with the scan_mutex held.
++ * Stop the automatic memory scanning thread.
+ */
+ static void stop_scan_thread(void)
+ {
+@@ -1922,12 +1921,15 @@ static void kmemleak_do_cleanup(struct w
+ {
+ stop_scan_thread();
+
++ mutex_lock(&scan_mutex);
+ /*
+- * Once the scan thread has stopped, it is safe to no longer track
+- * object freeing. Ordering of the scan thread stopping and the memory
+- * accesses below is guaranteed by the kthread_stop() function.
++ * Once it is made sure that kmemleak_scan has stopped, it is safe to no
++ * longer track object freeing. Ordering of the scan thread stopping and
++ * the memory accesses below is guaranteed by the kthread_stop()
++ * function.
+ */
+ kmemleak_free_enabled = 0;
++ mutex_unlock(&scan_mutex);
+
+ if (!kmemleak_found_leaks)
+ __kmemleak_do_cleanup();
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
+Date: Thu, 5 Apr 2018 16:25:41 -0700
+Subject: mm/ksm: fix interaction with THP
+
+From: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
+
+[ Upstream commit 77da2ba0648a4fd52e5ff97b8b2b8dd312aec4b0 ]
+
+This patch fixes a corner case for KSM. When two pages belong or
+belonged to the same transparent hugepage, and they should be merged,
+KSM fails to split the page, and therefore no merging happens.
+
+This bug can be reproduced by:
+* making sure ksm is running (in case disabling ksmtuned)
+* enabling transparent hugepages
+* allocating a THP-aligned 1-THP-sized buffer
+ e.g. on amd64: posix_memalign(&p, 1<<21, 1<<21)
+* filling it with the same values
+ e.g. memset(p, 42, 1<<21)
+* performing madvise to make it mergeable
+ e.g. madvise(p, 1<<21, MADV_MERGEABLE)
+* waiting for KSM to perform a few scans
+
+The expected outcome is that the all the pages get merged (1 shared and
+the rest sharing); the actual outcome is that no pages get merged (1
+unshared and the rest volatile)
+
+The reason of this behaviour is that we increase the reference count
+once for both pages we want to merge, but if they belong to the same
+hugepage (or compound page), the reference counter used in both cases is
+the one of the head of the compound page. This means that
+split_huge_page will find a value of the reference counter too high and
+will fail.
+
+This patch solves this problem by testing if the two pages to merge
+belong to the same hugepage when attempting to merge them. If so, the
+hugepage is split safely. This means that the hugepage is not split if
+not necessary.
+
+Link: http://lkml.kernel.org/r/1521548069-24758-1-git-send-email-imbrenda@linux.vnet.ibm.com
+Signed-off-by: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
+Co-authored-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/ksm.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+--- a/mm/ksm.c
++++ b/mm/ksm.c
+@@ -2085,8 +2085,22 @@ static void cmp_and_merge_page(struct pa
+ tree_rmap_item =
+ unstable_tree_search_insert(rmap_item, page, &tree_page);
+ if (tree_rmap_item) {
++ bool split;
++
+ kpage = try_to_merge_two_pages(rmap_item, page,
+ tree_rmap_item, tree_page);
++ /*
++ * If both pages we tried to merge belong to the same compound
++ * page, then we actually ended up increasing the reference
++ * count of the same compound page twice, and split_huge_page
++ * failed.
++ * Here we set a flag if that happened, and we use it later to
++ * try split_huge_page again. Since we call put_page right
++ * afterwards, the reference count will be correct and
++ * split_huge_page should succeed.
++ */
++ split = PageTransCompound(page)
++ && compound_head(page) == compound_head(tree_page);
+ put_page(tree_page);
+ if (kpage) {
+ /*
+@@ -2113,6 +2127,20 @@ static void cmp_and_merge_page(struct pa
+ break_cow(tree_rmap_item);
+ break_cow(rmap_item);
+ }
++ } else if (split) {
++ /*
++ * We are here if we tried to merge two pages and
++ * failed because they both belonged to the same
++ * compound page. We will split the page now, but no
++ * merging will take place.
++ * We do not want to add the cost of a full lock; if
++ * the page is locked, it is better to skip it and
++ * perhaps try again later.
++ */
++ if (!trylock_page(page))
++ return;
++ split_huge_page(page);
++ unlock_page(page);
+ }
+ }
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Yisheng Xie <xieyisheng1@huawei.com>
+Date: Thu, 22 Mar 2018 16:17:02 -0700
+Subject: mm/mempolicy.c: avoid use uninitialized preferred_node
+
+From: Yisheng Xie <xieyisheng1@huawei.com>
+
+[ Upstream commit 8970a63e965b43288c4f5f40efbc2bbf80de7f16 ]
+
+Alexander reported a use of uninitialized memory in __mpol_equal(),
+which is caused by incorrect use of preferred_node.
+
+When mempolicy in mode MPOL_PREFERRED with flags MPOL_F_LOCAL, it uses
+numa_node_id() instead of preferred_node, however, __mpol_equal() uses
+preferred_node without checking whether it is MPOL_F_LOCAL or not.
+
+[akpm@linux-foundation.org: slight comment tweak]
+Link: http://lkml.kernel.org/r/4ebee1c2-57f6-bcb8-0e2d-1833d1ee0bb7@huawei.com
+Fixes: fc36b8d3d819 ("mempolicy: use MPOL_F_LOCAL to Indicate Preferred Local Policy")
+Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
+Reported-by: Alexander Potapenko <glider@google.com>
+Tested-by: Alexander Potapenko <glider@google.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dmitriy Vyukov <dvyukov@google.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Michal Hocko <mhocko@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mempolicy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2128,6 +2128,9 @@ bool __mpol_equal(struct mempolicy *a, s
+ case MPOL_INTERLEAVE:
+ return !!nodes_equal(a->v.nodes, b->v.nodes);
+ case MPOL_PREFERRED:
++ /* a's ->flags is the same as b's */
++ if (a->flags & MPOL_F_LOCAL)
++ return true;
+ return a->v.preferred_node == b->v.preferred_node;
+ default:
+ BUG();
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Shakeel Butt <shakeelb@google.com>
+Date: Wed, 21 Feb 2018 14:45:28 -0800
+Subject: mm, mlock, vmscan: no more skipping pagevecs
+
+From: Shakeel Butt <shakeelb@google.com>
+
+[ Upstream commit 9c4e6b1a7027f102990c0395296015a812525f4d ]
+
+When a thread mlocks an address space backed either by file pages which
+are currently not present in memory or swapped out anon pages (not in
+swapcache), a new page is allocated and added to the local pagevec
+(lru_add_pvec), I/O is triggered and the thread then sleeps on the page.
+On I/O completion, the thread can wake on a different CPU, the mlock
+syscall will then sets the PageMlocked() bit of the page but will not be
+able to put that page in unevictable LRU as the page is on the pagevec
+of a different CPU. Even on drain, that page will go to evictable LRU
+because the PageMlocked() bit is not checked on pagevec drain.
+
+The page will eventually go to right LRU on reclaim but the LRU stats
+will remain skewed for a long time.
+
+This patch puts all the pages, even unevictable, to the pagevecs and on
+the drain, the pages will be added on their LRUs correctly by checking
+their evictability. This resolves the mlocked pages on pagevec of other
+CPUs issue because when those pagevecs will be drained, the mlocked file
+pages will go to unevictable LRU. Also this makes the race with munlock
+easier to resolve because the pagevec drains happen in LRU lock.
+
+However there is still one place which makes a page evictable and does
+PageLRU check on that page without LRU lock and needs special attention.
+TestClearPageMlocked() and isolate_lru_page() in clear_page_mlock().
+
+ #0: __pagevec_lru_add_fn #1: clear_page_mlock
+
+ SetPageLRU() if (!TestClearPageMlocked())
+ return
+ smp_mb() // <--required
+ // inside does PageLRU
+ if (!PageMlocked()) if (isolate_lru_page())
+ move to evictable LRU putback_lru_page()
+ else
+ move to unevictable LRU
+
+In '#1', TestClearPageMlocked() provides full memory barrier semantics
+and thus the PageLRU check (inside isolate_lru_page) can not be
+reordered before it.
+
+In '#0', without explicit memory barrier, the PageMlocked() check can be
+reordered before SetPageLRU(). If that happens, '#0' can put a page in
+unevictable LRU and '#1' might have just cleared the Mlocked bit of that
+page but fails to isolate as PageLRU fails as '#0' still hasn't set
+PageLRU bit of that page. That page will be stranded on the unevictable
+LRU.
+
+There is one (good) side effect though. Without this patch, the pages
+allocated for System V shared memory segment are added to evictable LRUs
+even after shmctl(SHM_LOCK) on that segment. This patch will correctly
+put such pages to unevictable LRU.
+
+Link: http://lkml.kernel.org/r/20171121211241.18877-1-shakeelb@google.com
+Signed-off-by: Shakeel Butt <shakeelb@google.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Jérôme Glisse <jglisse@redhat.com>
+Cc: Huang Ying <ying.huang@intel.com>
+Cc: Tim Chen <tim.c.chen@linux.intel.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Greg Thelen <gthelen@google.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Balbir Singh <bsingharora@gmail.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Shaohua Li <shli@fb.com>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Mel Gorman <mgorman@suse.de>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/swap.h | 2 -
+ mm/mlock.c | 6 +++
+ mm/swap.c | 82 +++++++++++++++++++++++++++++----------------------
+ mm/vmscan.c | 59 ------------------------------------
+ 4 files changed, 54 insertions(+), 95 deletions(-)
+
+--- a/include/linux/swap.h
++++ b/include/linux/swap.h
+@@ -326,8 +326,6 @@ extern void deactivate_file_page(struct
+ extern void mark_page_lazyfree(struct page *page);
+ extern void swap_setup(void);
+
+-extern void add_page_to_unevictable_list(struct page *page);
+-
+ extern void lru_cache_add_active_or_unevictable(struct page *page,
+ struct vm_area_struct *vma);
+
+--- a/mm/mlock.c
++++ b/mm/mlock.c
+@@ -64,6 +64,12 @@ void clear_page_mlock(struct page *page)
+ mod_zone_page_state(page_zone(page), NR_MLOCK,
+ -hpage_nr_pages(page));
+ count_vm_event(UNEVICTABLE_PGCLEARED);
++ /*
++ * The previous TestClearPageMlocked() corresponds to the smp_mb()
++ * in __pagevec_lru_add_fn().
++ *
++ * See __pagevec_lru_add_fn for more explanation.
++ */
+ if (!isolate_lru_page(page)) {
+ putback_lru_page(page);
+ } else {
+--- a/mm/swap.c
++++ b/mm/swap.c
+@@ -446,30 +446,6 @@ void lru_cache_add(struct page *page)
+ }
+
+ /**
+- * add_page_to_unevictable_list - add a page to the unevictable list
+- * @page: the page to be added to the unevictable list
+- *
+- * Add page directly to its zone's unevictable list. To avoid races with
+- * tasks that might be making the page evictable, through eg. munlock,
+- * munmap or exit, while it's not on the lru, we want to add the page
+- * while it's locked or otherwise "invisible" to other tasks. This is
+- * difficult to do when using the pagevec cache, so bypass that.
+- */
+-void add_page_to_unevictable_list(struct page *page)
+-{
+- struct pglist_data *pgdat = page_pgdat(page);
+- struct lruvec *lruvec;
+-
+- spin_lock_irq(&pgdat->lru_lock);
+- lruvec = mem_cgroup_page_lruvec(page, pgdat);
+- ClearPageActive(page);
+- SetPageUnevictable(page);
+- SetPageLRU(page);
+- add_page_to_lru_list(page, lruvec, LRU_UNEVICTABLE);
+- spin_unlock_irq(&pgdat->lru_lock);
+-}
+-
+-/**
+ * lru_cache_add_active_or_unevictable
+ * @page: the page to be added to LRU
+ * @vma: vma in which page is mapped for determining reclaimability
+@@ -484,13 +460,9 @@ void lru_cache_add_active_or_unevictable
+ {
+ VM_BUG_ON_PAGE(PageLRU(page), page);
+
+- if (likely((vma->vm_flags & (VM_LOCKED | VM_SPECIAL)) != VM_LOCKED)) {
++ if (likely((vma->vm_flags & (VM_LOCKED | VM_SPECIAL)) != VM_LOCKED))
+ SetPageActive(page);
+- lru_cache_add(page);
+- return;
+- }
+-
+- if (!TestSetPageMlocked(page)) {
++ else if (!TestSetPageMlocked(page)) {
+ /*
+ * We use the irq-unsafe __mod_zone_page_stat because this
+ * counter is not modified from interrupt context, and the pte
+@@ -500,7 +472,7 @@ void lru_cache_add_active_or_unevictable
+ hpage_nr_pages(page));
+ count_vm_event(UNEVICTABLE_PGMLOCKED);
+ }
+- add_page_to_unevictable_list(page);
++ lru_cache_add(page);
+ }
+
+ /*
+@@ -883,15 +855,55 @@ void lru_add_page_tail(struct page *page
+ static void __pagevec_lru_add_fn(struct page *page, struct lruvec *lruvec,
+ void *arg)
+ {
+- int file = page_is_file_cache(page);
+- int active = PageActive(page);
+- enum lru_list lru = page_lru(page);
++ enum lru_list lru;
++ int was_unevictable = TestClearPageUnevictable(page);
+
+ VM_BUG_ON_PAGE(PageLRU(page), page);
+
+ SetPageLRU(page);
++ /*
++ * Page becomes evictable in two ways:
++ * 1) Within LRU lock [munlock_vma_pages() and __munlock_pagevec()].
++ * 2) Before acquiring LRU lock to put the page to correct LRU and then
++ * a) do PageLRU check with lock [check_move_unevictable_pages]
++ * b) do PageLRU check before lock [clear_page_mlock]
++ *
++ * (1) & (2a) are ok as LRU lock will serialize them. For (2b), we need
++ * following strict ordering:
++ *
++ * #0: __pagevec_lru_add_fn #1: clear_page_mlock
++ *
++ * SetPageLRU() TestClearPageMlocked()
++ * smp_mb() // explicit ordering // above provides strict
++ * // ordering
++ * PageMlocked() PageLRU()
++ *
++ *
++ * if '#1' does not observe setting of PG_lru by '#0' and fails
++ * isolation, the explicit barrier will make sure that page_evictable
++ * check will put the page in correct LRU. Without smp_mb(), SetPageLRU
++ * can be reordered after PageMlocked check and can make '#1' to fail
++ * the isolation of the page whose Mlocked bit is cleared (#0 is also
++ * looking at the same page) and the evictable page will be stranded
++ * in an unevictable LRU.
++ */
++ smp_mb();
++
++ if (page_evictable(page)) {
++ lru = page_lru(page);
++ update_page_reclaim_stat(lruvec, page_is_file_cache(page),
++ PageActive(page));
++ if (was_unevictable)
++ count_vm_event(UNEVICTABLE_PGRESCUED);
++ } else {
++ lru = LRU_UNEVICTABLE;
++ ClearPageActive(page);
++ SetPageUnevictable(page);
++ if (!was_unevictable)
++ count_vm_event(UNEVICTABLE_PGCULLED);
++ }
++
+ add_page_to_lru_list(page, lruvec, lru);
+- update_page_reclaim_stat(lruvec, file, active);
+ trace_mm_lru_insertion(page, lru);
+ }
+
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -790,64 +790,7 @@ int remove_mapping(struct address_space
+ */
+ void putback_lru_page(struct page *page)
+ {
+- bool is_unevictable;
+- int was_unevictable = PageUnevictable(page);
+-
+- VM_BUG_ON_PAGE(PageLRU(page), page);
+-
+-redo:
+- ClearPageUnevictable(page);
+-
+- if (page_evictable(page)) {
+- /*
+- * For evictable pages, we can use the cache.
+- * In event of a race, worst case is we end up with an
+- * unevictable page on [in]active list.
+- * We know how to handle that.
+- */
+- is_unevictable = false;
+- lru_cache_add(page);
+- } else {
+- /*
+- * Put unevictable pages directly on zone's unevictable
+- * list.
+- */
+- is_unevictable = true;
+- add_page_to_unevictable_list(page);
+- /*
+- * When racing with an mlock or AS_UNEVICTABLE clearing
+- * (page is unlocked) make sure that if the other thread
+- * does not observe our setting of PG_lru and fails
+- * isolation/check_move_unevictable_pages,
+- * we see PG_mlocked/AS_UNEVICTABLE cleared below and move
+- * the page back to the evictable list.
+- *
+- * The other side is TestClearPageMlocked() or shmem_lock().
+- */
+- smp_mb();
+- }
+-
+- /*
+- * page's status can change while we move it among lru. If an evictable
+- * page is on unevictable list, it never be freed. To avoid that,
+- * check after we added it to the list, again.
+- */
+- if (is_unevictable && page_evictable(page)) {
+- if (!isolate_lru_page(page)) {
+- put_page(page);
+- goto redo;
+- }
+- /* This means someone else dropped this page from LRU
+- * So, it will be freed or putback to LRU again. There is
+- * nothing to do here.
+- */
+- }
+-
+- if (was_unevictable && !is_unevictable)
+- count_vm_event(UNEVICTABLE_PGRESCUED);
+- else if (!was_unevictable && is_unevictable)
+- count_vm_event(UNEVICTABLE_PGCULLED);
+-
++ lru_cache_add(page);
+ put_page(page); /* drop ref from isolate */
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Maninder Singh <maninder1.s@samsung.com>
+Date: Wed, 28 Mar 2018 16:01:05 -0700
+Subject: mm/page_owner: fix recursion bug after changing skip entries
+
+From: Maninder Singh <maninder1.s@samsung.com>
+
+[ Upstream commit 299815a4fba9f3c7a81434dba0072148f1690608 ]
+
+This patch fixes commit 5f48f0bd4e36 ("mm, page_owner: skip unnecessary
+stack_trace entries").
+
+Because if we skip first two entries then logic of checking count value
+as 2 for recursion is broken and code will go in one depth recursion.
+
+so we need to check only one call of _RET_IP(__set_page_owner) while
+checking for recursion.
+
+Current Backtrace while checking for recursion:-
+
+ (save_stack) from (__set_page_owner) // (But recursion returns true here)
+ (__set_page_owner) from (get_page_from_freelist)
+ (get_page_from_freelist) from (__alloc_pages_nodemask)
+ (__alloc_pages_nodemask) from (depot_save_stack)
+ (depot_save_stack) from (save_stack) // recursion should return true here
+ (save_stack) from (__set_page_owner)
+ (__set_page_owner) from (get_page_from_freelist)
+ (get_page_from_freelist) from (__alloc_pages_nodemask+)
+ (__alloc_pages_nodemask) from (depot_save_stack)
+ (depot_save_stack) from (save_stack)
+ (save_stack) from (__set_page_owner)
+ (__set_page_owner) from (get_page_from_freelist)
+
+Correct Backtrace with fix:
+
+ (save_stack) from (__set_page_owner) // recursion returned true here
+ (__set_page_owner) from (get_page_from_freelist)
+ (get_page_from_freelist) from (__alloc_pages_nodemask+)
+ (__alloc_pages_nodemask) from (depot_save_stack)
+ (depot_save_stack) from (save_stack)
+ (save_stack) from (__set_page_owner)
+ (__set_page_owner) from (get_page_from_freelist)
+
+Link: http://lkml.kernel.org/r/1521607043-34670-1-git-send-email-maninder1.s@samsung.com
+Fixes: 5f48f0bd4e36 ("mm, page_owner: skip unnecessary stack_trace entries")
+Signed-off-by: Maninder Singh <maninder1.s@samsung.com>
+Signed-off-by: Vaneet Narang <v.narang@samsung.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Oscar Salvador <osalvador@techadventures.net>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Ayush Mittal <ayush.m@samsung.com>
+Cc: Prakash Gupta <guptap@codeaurora.org>
+Cc: Vinayak Menon <vinmenon@codeaurora.org>
+Cc: Vasyl Gomonovych <gomonovych@gmail.com>
+Cc: Amit Sahrawat <a.sahrawat@samsung.com>
+Cc: <pankaj.m@samsung.com>
+Cc: Vaneet Narang <v.narang@samsung.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/page_owner.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/mm/page_owner.c
++++ b/mm/page_owner.c
+@@ -123,13 +123,13 @@ void __reset_page_owner(struct page *pag
+ static inline bool check_recursive_alloc(struct stack_trace *trace,
+ unsigned long ip)
+ {
+- int i, count;
++ int i;
+
+ if (!trace->nr_entries)
+ return false;
+
+- for (i = 0, count = 0; i < trace->nr_entries; i++) {
+- if (trace->entries[i] == ip && ++count == 2)
++ for (i = 0; i < trace->nr_entries; i++) {
++ if (trace->entries[i] == ip)
+ return true;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Shakeel Butt <shakeelb@google.com>
+Date: Wed, 28 Mar 2018 16:00:57 -0700
+Subject: mm, slab: memcg_link the SLAB's kmem_cache
+
+From: Shakeel Butt <shakeelb@google.com>
+
+[ Upstream commit 880cd276dff17ea29e9a8404275c9502b265afa7 ]
+
+All the root caches are linked into slab_root_caches which was
+introduced by the commit 510ded33e075 ("slab: implement slab_root_caches
+list") but it missed to add the SLAB's kmem_cache.
+
+While experimenting with opt-in/opt-out kmem accounting, I noticed
+system crashes due to NULL dereference inside cache_from_memcg_idx()
+while deferencing kmem_cache.memcg_params.memcg_caches. The upstream
+clean kernel will not see these crashes but SLAB should be consistent
+with SLUB which does linked its boot caches (kmem_cache_node and
+kmem_cache) into slab_root_caches.
+
+Link: http://lkml.kernel.org/r/20180319210020.60289-1-shakeelb@google.com
+Fixes: 510ded33e075c ("slab: implement slab_root_caches list")
+Signed-off-by: Shakeel Butt <shakeelb@google.com>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: Greg Thelen <gthelen@google.com>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Michal Hocko <mhocko@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slab.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/slab.c
++++ b/mm/slab.c
+@@ -1283,6 +1283,7 @@ void __init kmem_cache_init(void)
+ nr_node_ids * sizeof(struct kmem_cache_node *),
+ SLAB_HWCACHE_ALIGN);
+ list_add(&kmem_cache->list, &slab_caches);
++ memcg_link_cache(kmem_cache);
+ slab_state = PARTIAL;
+
+ /*
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: David Rientjes <rientjes@google.com>
+Date: Thu, 22 Mar 2018 16:17:45 -0700
+Subject: mm, thp: do not cause memcg oom for thp
+
+From: David Rientjes <rientjes@google.com>
+
+[ Upstream commit 9d3c3354bb85bab4d865fe95039443f09a4c8394 ]
+
+Commit 2516035499b9 ("mm, thp: remove __GFP_NORETRY from khugepaged and
+madvised allocations") changed the page allocator to no longer detect
+thp allocations based on __GFP_NORETRY.
+
+It did not, however, modify the mem cgroup try_charge() path to avoid
+oom kill for either khugepaged collapsing or thp faulting. It is never
+expected to oom kill a process to allocate a hugepage for thp; reclaim
+is governed by the thp defrag mode and MADV_HUGEPAGE, but allocations
+(and charging) should fallback instead of oom killing processes.
+
+Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1803191409420.124411@chino.kir.corp.google.com
+Fixes: 2516035499b9 ("mm, thp: remove __GFP_NORETRY from khugepaged and madvised allocations")
+Signed-off-by: David Rientjes <rientjes@google.com>
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/huge_memory.c | 5 +++--
+ mm/khugepaged.c | 8 ++++++--
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -555,7 +555,8 @@ static int __do_huge_pmd_anonymous_page(
+
+ VM_BUG_ON_PAGE(!PageCompound(page), page);
+
+- if (mem_cgroup_try_charge(page, vma->vm_mm, gfp, &memcg, true)) {
++ if (mem_cgroup_try_charge(page, vma->vm_mm, gfp | __GFP_NORETRY, &memcg,
++ true)) {
+ put_page(page);
+ count_vm_event(THP_FAULT_FALLBACK);
+ return VM_FAULT_FALLBACK;
+@@ -1304,7 +1305,7 @@ alloc:
+ }
+
+ if (unlikely(mem_cgroup_try_charge(new_page, vma->vm_mm,
+- huge_gfp, &memcg, true))) {
++ huge_gfp | __GFP_NORETRY, &memcg, true))) {
+ put_page(new_page);
+ split_huge_pmd(vma, vmf->pmd, vmf->address);
+ if (page)
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -965,7 +965,9 @@ static void collapse_huge_page(struct mm
+ goto out_nolock;
+ }
+
+- if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp, &memcg, true))) {
++ /* Do not oom kill for khugepaged charges */
++ if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp | __GFP_NORETRY,
++ &memcg, true))) {
+ result = SCAN_CGROUP_CHARGE_FAIL;
+ goto out_nolock;
+ }
+@@ -1324,7 +1326,9 @@ static void collapse_shmem(struct mm_str
+ goto out;
+ }
+
+- if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp, &memcg, true))) {
++ /* Do not oom kill for khugepaged charges */
++ if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp | __GFP_NORETRY,
++ &memcg, true))) {
+ result = SCAN_CGROUP_CHARGE_FAIL;
+ goto out;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Yang Shi <yang.shi@linux.alibaba.com>
+Date: Thu, 5 Apr 2018 16:22:35 -0700
+Subject: mm: thp: fix potential clearing to referenced flag in page_idle_clear_pte_refs_one()
+
+From: Yang Shi <yang.shi@linux.alibaba.com>
+
+[ Upstream commit f0849ac0b8e072073ec5fcc7fadd05a77434364e ]
+
+For PTE-mapped THP, the compound THP has not been split to normal 4K
+pages yet, the whole THP is considered referenced if any one of sub page
+is referenced.
+
+When walking PTE-mapped THP by pvmw, all relevant PTEs will be checked
+to retrieve referenced bit. But, the current code just returns the
+result of the last PTE. If the last PTE has not referenced, the
+referenced flag will be cleared.
+
+Just set referenced when ptep{pmdp}_clear_young_notify() returns true.
+
+Link: http://lkml.kernel.org/r/1518212451-87134-1-git-send-email-yang.shi@linux.alibaba.com
+Signed-off-by: Yang Shi <yang.shi@linux.alibaba.com>
+Reported-by: Gang Deng <gavin.dg@linux.alibaba.com>
+Suggested-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/page_idle.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/mm/page_idle.c
++++ b/mm/page_idle.c
+@@ -65,11 +65,15 @@ static bool page_idle_clear_pte_refs_one
+ while (page_vma_mapped_walk(&pvmw)) {
+ addr = pvmw.address;
+ if (pvmw.pte) {
+- referenced = ptep_clear_young_notify(vma, addr,
+- pvmw.pte);
++ /*
++ * For PTE-mapped THP, one sub page is referenced,
++ * the whole THP is referenced.
++ */
++ if (ptep_clear_young_notify(vma, addr, pvmw.pte))
++ referenced = true;
+ } else if (IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE)) {
+- referenced = pmdp_clear_young_notify(vma, addr,
+- pvmw.pmd);
++ if (pmdp_clear_young_notify(vma, addr, pvmw.pmd))
++ referenced = true;
+ } else {
+ /* unexpected pmd-mapped page? */
+ WARN_ON_ONCE(1);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Steven J. Hill" <steven.hill@cavium.com>
+Date: Wed, 28 Mar 2018 16:01:09 -0700
+Subject: mm/vmstat.c: fix vmstat_update() preemption BUG
+
+From: "Steven J. Hill" <steven.hill@cavium.com>
+
+[ Upstream commit c7f26ccfb2c31eb1bf810ba13d044fcf583232db ]
+
+Attempting to hotplug CPUs with CONFIG_VM_EVENT_COUNTERS enabled can
+cause vmstat_update() to report a BUG due to preemption not being
+disabled around smp_processor_id().
+
+Discovered on Ubiquiti EdgeRouter Pro with Cavium Octeon II processor.
+
+ BUG: using smp_processor_id() in preemptible [00000000] code:
+ kworker/1:1/269
+ caller is vmstat_update+0x50/0xa0
+ CPU: 0 PID: 269 Comm: kworker/1:1 Not tainted
+ 4.16.0-rc4-Cavium-Octeon-00009-gf83bbd5-dirty #1
+ Workqueue: mm_percpu_wq vmstat_update
+ Call Trace:
+ show_stack+0x94/0x128
+ dump_stack+0xa4/0xe0
+ check_preemption_disabled+0x118/0x120
+ vmstat_update+0x50/0xa0
+ process_one_work+0x144/0x348
+ worker_thread+0x150/0x4b8
+ kthread+0x110/0x140
+ ret_from_kernel_thread+0x14/0x1c
+
+Link: http://lkml.kernel.org/r/1520881552-25659-1-git-send-email-steven.hill@cavium.com
+Signed-off-by: Steven J. Hill <steven.hill@cavium.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Tejun Heo <htejun@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/vmstat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/vmstat.c
++++ b/mm/vmstat.c
+@@ -1770,9 +1770,11 @@ static void vmstat_update(struct work_st
+ * to occur in the future. Keep on running the
+ * update worker thread.
+ */
++ preempt_disable();
+ queue_delayed_work_on(smp_processor_id(), mm_percpu_wq,
+ this_cpu_ptr(&vmstat_work),
+ round_jiffies_relative(sysctl_stat_interval));
++ preempt_enable();
+ }
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 12 Feb 2018 11:14:55 -0600
+Subject: nbd: fix return value in error handling path
+
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+
+[ Upstream commit 0979962f5490abe75b3e2befb07a564fa0cf631b ]
+
+It seems that the proper value to return in this particular case is the
+one contained into variable new_index instead of ret.
+
+Addresses-Coverity-ID: 1465148 ("Copy-paste error")
+Fixes: e46c7287b1c2 ("nbd: add a basic netlink interface")
+Reviewed-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/nbd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1591,7 +1591,7 @@ again:
+ if (new_index < 0) {
+ mutex_unlock(&nbd_index_mutex);
+ printk(KERN_ERR "nbd: failed to add new device\n");
+- return ret;
++ return new_index;
+ }
+ nbd = idr_find(&nbd_index_idr, new_index);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Sun, 1 Apr 2018 10:26:29 -0700
+Subject: net: bgmac: Correctly annotate register space
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 16a1c0646e55c3345bce8e4edfc06ad119d27c04 ]
+
+All the members: base, idm_base and nicpm_base should be annotated with
+__iomem since they are pointers to register space. This fixes a bunch of
+sparse reported warnings.
+
+Fixes: f6a95a24957a ("net: ethernet: bgmac: Add platform device support")
+Fixes: dd5c5d037f5e ("net: ethernet: bgmac: add NS2 support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bgmac.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bgmac.h
++++ b/drivers/net/ethernet/broadcom/bgmac.h
+@@ -479,9 +479,9 @@ struct bgmac_rx_header {
+ struct bgmac {
+ union {
+ struct {
+- void *base;
+- void *idm_base;
+- void *nicpm_base;
++ void __iomem *base;
++ void __iomem *idm_base;
++ void __iomem *nicpm_base;
+ } plat;
+ struct {
+ struct bcma_device *core;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Sun, 1 Apr 2018 10:26:30 -0700
+Subject: net: bgmac: Fix endian access in bgmac_dma_tx_ring_free()
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 60d6e6f0b9e422dd01aeda39257ee0428e5e2a3f ]
+
+bgmac_dma_tx_ring_free() assigns the ctl1 word which is a litle endian
+32-bit word without using proper accessors, fix this, and because a
+length cannot be negative, use unsigned int while at it.
+
+Fixes: 9cde94506eac ("bgmac: implement scatter/gather support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bgmac.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bgmac.c
++++ b/drivers/net/ethernet/broadcom/bgmac.c
+@@ -532,7 +532,8 @@ static void bgmac_dma_tx_ring_free(struc
+ int i;
+
+ for (i = 0; i < BGMAC_TX_RING_SLOTS; i++) {
+- int len = dma_desc[i].ctl1 & BGMAC_DESC_CTL1_LEN;
++ u32 ctl1 = le32_to_cpu(dma_desc[i].ctl1);
++ unsigned int len = ctl1 & BGMAC_DESC_CTL1_LEN;
+
+ slot = &ring->slots[i];
+ dev_kfree_skb(slot->skb);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Tue, 20 Mar 2018 17:31:10 -0700
+Subject: net: dsa: Fix functional dsa-loop dependency on FIXED_PHY
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 40013ff20b1beed31184935fc0aea6a859d4d4ef ]
+
+We have a functional dependency on the FIXED_PHY MDIO bus because we register
+fixed PHY devices "the old way" which only works if the code that does this has
+had a chance to run before the fixed MDIO bus is probed. Make sure we account
+for that and have dsa_loop_bdinfo.o be either built-in or modular depending on
+whether CONFIG_FIXED_PHY reflects that too.
+
+Fixes: 98cd1552ea27 ("net: dsa: Mock-up driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/Makefile | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/Makefile
++++ b/drivers/net/dsa/Makefile
+@@ -1,7 +1,10 @@
+ # SPDX-License-Identifier: GPL-2.0
+ obj-$(CONFIG_NET_DSA_BCM_SF2) += bcm-sf2.o
+ bcm-sf2-objs := bcm_sf2.o bcm_sf2_cfp.o
+-obj-$(CONFIG_NET_DSA_LOOP) += dsa_loop.o dsa_loop_bdinfo.o
++obj-$(CONFIG_NET_DSA_LOOP) += dsa_loop.o
++ifdef CONFIG_NET_DSA_LOOP
++obj-$(CONFIG_FIXED_PHY) += dsa_loop_bdinfo.o
++endif
+ obj-$(CONFIG_NET_DSA_MT7530) += mt7530.o
+ obj-$(CONFIG_NET_DSA_MV88E6060) += mv88e6060.o
+ obj-$(CONFIG_NET_DSA_QCA8K) += qca8k.o
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sean Wang <sean.wang@mediatek.com>
+Date: Mon, 26 Mar 2018 18:07:10 +0800
+Subject: net: dsa: mt7530: fix module autoloading for OF platform drivers
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit 3c82b372a9f44aa224b8d5106ff6f1ad516fa8a8 ]
+
+It's required to create a modules.alias via MODULE_DEVICE_TABLE helper
+for the OF platform driver. Otherwise, module autoloading cannot work.
+
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mt7530.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -1122,6 +1122,7 @@ static const struct of_device_id mt7530_
+ { .compatible = "mediatek,mt7530" },
+ { /* sentinel */ },
+ };
++MODULE_DEVICE_TABLE(of, mt7530_of_match);
+
+ static struct mdio_driver mt7530_mdio_driver = {
+ .probe = mt7530_probe,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Edward Cree <ecree@solarflare.com>
+Date: Wed, 28 Feb 2018 19:15:58 +0000
+Subject: net: ethtool: don't ignore return from driver get_fecparam method
+
+From: Edward Cree <ecree@solarflare.com>
+
+[ Upstream commit a6d50512b4d86ecd9f5952525e454583be1c3b14 ]
+
+If ethtool_ops->get_fecparam returns an error, pass that error on to the
+ user, rather than ignoring it.
+
+Fixes: 1a5f3da20bd9 ("net: ethtool: add support for forward error correction modes")
+Signed-off-by: Edward Cree <ecree@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/ethtool.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/core/ethtool.c
++++ b/net/core/ethtool.c
+@@ -2505,11 +2505,14 @@ static int set_phy_tunable(struct net_de
+ static int ethtool_get_fecparam(struct net_device *dev, void __user *useraddr)
+ {
+ struct ethtool_fecparam fecparam = { ETHTOOL_GFECPARAM };
++ int rc;
+
+ if (!dev->ethtool_ops->get_fecparam)
+ return -EOPNOTSUPP;
+
+- dev->ethtool_ops->get_fecparam(dev, &fecparam);
++ rc = dev->ethtool_ops->get_fecparam(dev, &fecparam);
++ if (rc)
++ return rc;
+
+ if (copy_to_user(useraddr, &fecparam, sizeof(fecparam)))
+ return -EFAULT;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Date: Thu, 29 Mar 2018 19:05:29 +0900
+Subject: net: Fix untag for vlan packets without ethernet header
+
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+
+[ Upstream commit ae4745730cf8e693d354ccd4dbaf59ea440c09a9 ]
+
+In some situation vlan packets do not have ethernet headers. One example
+is packets from tun devices. Users can specify vlan protocol in tun_pi
+field instead of IP protocol, and skb_vlan_untag() attempts to untag such
+packets.
+
+skb_vlan_untag() (more precisely, skb_reorder_vlan_header() called by it)
+however did not expect packets without ethernet headers, so in such a case
+size argument for memmove() underflowed and triggered crash.
+
+====
+BUG: unable to handle kernel paging request at ffff8801cccb8000
+IP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43
+PGD 9cee067 P4D 9cee067 PUD 1d9401063 PMD 1cccb7063 PTE 2810100028101
+Oops: 000b [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 1 PID: 17663 Comm: syz-executor2 Not tainted 4.16.0-rc7+ #368
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:__memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43
+RSP: 0018:ffff8801cc046e28 EFLAGS: 00010287
+RAX: ffff8801ccc244c4 RBX: fffffffffffffffe RCX: fffffffffff6c4c2
+RDX: fffffffffffffffe RSI: ffff8801cccb7ffc RDI: ffff8801cccb8000
+RBP: ffff8801cc046e48 R08: ffff8801ccc244be R09: ffffed0039984899
+R10: 0000000000000001 R11: ffffed0039984898 R12: ffff8801ccc244c4
+R13: ffff8801ccc244c0 R14: ffff8801d96b7c06 R15: ffff8801d96b7b40
+FS: 00007febd562d700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffff8801cccb8000 CR3: 00000001ccb2f006 CR4: 00000000001606e0
+DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
+Call Trace:
+ memmove include/linux/string.h:360 [inline]
+ skb_reorder_vlan_header net/core/skbuff.c:5031 [inline]
+ skb_vlan_untag+0x470/0xc40 net/core/skbuff.c:5061
+ __netif_receive_skb_core+0x119c/0x3460 net/core/dev.c:4460
+ __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4627
+ netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4701
+ netif_receive_skb+0xae/0x390 net/core/dev.c:4725
+ tun_rx_batched.isra.50+0x5ee/0x870 drivers/net/tun.c:1555
+ tun_get_user+0x299e/0x3c20 drivers/net/tun.c:1962
+ tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1990
+ call_write_iter include/linux/fs.h:1782 [inline]
+ new_sync_write fs/read_write.c:469 [inline]
+ __vfs_write+0x684/0x970 fs/read_write.c:482
+ vfs_write+0x189/0x510 fs/read_write.c:544
+ SYSC_write fs/read_write.c:589 [inline]
+ SyS_write+0xef/0x220 fs/read_write.c:581
+ do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x454879
+RSP: 002b:00007febd562cc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007febd562d6d4 RCX: 0000000000454879
+RDX: 0000000000000157 RSI: 0000000020000180 RDI: 0000000000000014
+RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000006b0 R14: 00000000006fc120 R15: 0000000000000000
+Code: 90 90 90 90 90 90 90 48 89 f8 48 83 fa 20 0f 82 03 01 00 00 48 39 fe 7d 0f 49 89 f0 49 01 d0 49 39 f8 0f 8f 9f 00 00 00 48 89 d1 <f3> a4 c3 48 81 fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20
+RIP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43 RSP: ffff8801cc046e28
+CR2: ffff8801cccb8000
+====
+
+We don't need to copy headers for packets which do not have preceding
+headers of vlan headers, so skip memmove() in that case.
+
+Fixes: 4bbb3e0e8239 ("net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off")
+Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4946,8 +4946,10 @@ static struct sk_buff *skb_reorder_vlan_
+ }
+
+ mac_len = skb->data - skb_mac_header(skb);
+- memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
+- mac_len - VLAN_HLEN - ETH_TLEN);
++ if (likely(mac_len > VLAN_HLEN + ETH_TLEN)) {
++ memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
++ mac_len - VLAN_HLEN - ETH_TLEN);
++ }
+ skb->mac_header += VLAN_HLEN;
+ return skb;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Date: Tue, 13 Mar 2018 14:51:27 +0900
+Subject: net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off
+
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+
+[ Upstream commit 4bbb3e0e8239f9079bf1fe20b3c0cb598714ae61 ]
+
+When we have a bridge with vlan_filtering on and a vlan device on top of
+it, packets would be corrupted in skb_vlan_untag() called from
+br_dev_xmit().
+
+The problem sits in skb_reorder_vlan_header() used in skb_vlan_untag(),
+which makes use of skb->mac_len. In this function mac_len is meant for
+handling rx path with vlan devices with reorder_header disabled, but in
+tx path mac_len is typically 0 and cannot be used, which is the problem
+in this case.
+
+The current code even does not properly handle rx path (skb_vlan_untag()
+called from __netif_receive_skb_core()) with reorder_header off actually.
+
+In rx path single tag case, it works as follows:
+
+- Before skb_reorder_vlan_header()
+
+ mac_header data
+ v v
+ +-------------------+-------------+------+----
+ | ETH | VLAN | ETH |
+ | ADDRS | TPID | TCI | TYPE |
+ +-------------------+-------------+------+----
+ <-------- mac_len --------->
+ <------------->
+ to be removed
+
+- After skb_reorder_vlan_header()
+
+ mac_header data
+ v v
+ +-------------------+------+----
+ | ETH | ETH |
+ | ADDRS | TYPE |
+ +-------------------+------+----
+ <-------- mac_len --------->
+
+This is ok, but in rx double tag case, it corrupts packets:
+
+- Before skb_reorder_vlan_header()
+
+ mac_header data
+ v v
+ +-------------------+-------------+-------------+------+----
+ | ETH | VLAN | VLAN | ETH |
+ | ADDRS | TPID | TCI | TPID | TCI | TYPE |
+ +-------------------+-------------+-------------+------+----
+ <--------------- mac_len ---------------->
+ <------------->
+ should be removed
+ <--------------------------->
+ actually will be removed
+
+- After skb_reorder_vlan_header()
+
+ mac_header data
+ v v
+ +-------------------+------+----
+ | ETH | ETH |
+ | ADDRS | TYPE |
+ +-------------------+------+----
+ <--------------- mac_len ---------------->
+
+So, two of vlan tags are both removed while only inner one should be
+removed and mac_header (and mac_len) is broken.
+
+skb_vlan_untag() is meant for removing the vlan header at (skb->data - 2),
+so use skb->data and skb->mac_header to calculate the right offset.
+
+Reported-by: Brandon Carpenter <brandon.carpenter@cypherpath.com>
+Fixes: a6e18ff11170 ("vlan: Fix untag operations of stacked vlans with REORDER_HEADER off")
+Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/if_ether.h | 1 +
+ net/core/skbuff.c | 7 +++++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/include/uapi/linux/if_ether.h
++++ b/include/uapi/linux/if_ether.h
+@@ -30,6 +30,7 @@
+ */
+
+ #define ETH_ALEN 6 /* Octets in one ethernet addr */
++#define ETH_TLEN 2 /* Octets in ethernet type field */
+ #define ETH_HLEN 14 /* Total octets in header. */
+ #define ETH_ZLEN 60 /* Min. octets in frame sans FCS */
+ #define ETH_DATA_LEN 1500 /* Max. octets in payload */
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4938,13 +4938,16 @@ EXPORT_SYMBOL_GPL(skb_gso_validate_mtu);
+
+ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
+ {
++ int mac_len;
++
+ if (skb_cow(skb, skb_headroom(skb)) < 0) {
+ kfree_skb(skb);
+ return NULL;
+ }
+
+- memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN,
+- 2 * ETH_ALEN);
++ mac_len = skb->data - skb_mac_header(skb);
++ memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
++ mac_len - VLAN_HLEN - ETH_TLEN);
+ skb->mac_header += VLAN_HLEN;
+ return skb;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Or Gerlitz <ogerlitz@mellanox.com>
+Date: Thu, 15 Feb 2018 12:39:55 +0200
+Subject: net/mlx5: Make eswitch support to depend on switchdev
+
+From: Or Gerlitz <ogerlitz@mellanox.com>
+
+[ Upstream commit f125376b06bcc57dfb0216ac8d6ec6d5dcf81025 ]
+
+Add dependancy for switchdev to be congfigured as any user-space control
+plane SW is expected to use the HW switchdev ID to locate the representors
+related to VFs of a certain PF and apply SW/offloaded switching on them.
+
+Fixes: e80541ecabd5 ('net/mlx5: Add CONFIG_MLX5_ESWITCH Kconfig')
+Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+Reviewed-by: Mark Bloch <markb@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/Kconfig | 2 +-
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++--
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 --
+ 3 files changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/Kconfig
++++ b/drivers/net/ethernet/mellanox/mlx5/core/Kconfig
+@@ -46,7 +46,7 @@ config MLX5_MPFS
+
+ config MLX5_ESWITCH
+ bool "Mellanox Technologies MLX5 SRIOV E-Switch support"
+- depends on MLX5_CORE_EN
++ depends on MLX5_CORE_EN && NET_SWITCHDEV
+ default y
+ ---help---
+ Mellanox Technologies Ethernet SRIOV E-Switch support in ConnectX NIC.
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -4022,7 +4022,7 @@ static void mlx5e_set_netdev_dev_addr(st
+ }
+ }
+
+-#if IS_ENABLED(CONFIG_NET_SWITCHDEV) && IS_ENABLED(CONFIG_MLX5_ESWITCH)
++#if IS_ENABLED(CONFIG_MLX5_ESWITCH)
+ static const struct switchdev_ops mlx5e_switchdev_ops = {
+ .switchdev_port_attr_get = mlx5e_attr_get,
+ };
+@@ -4126,7 +4126,7 @@ static void mlx5e_build_nic_netdev(struc
+
+ mlx5e_set_netdev_dev_addr(netdev);
+
+-#if IS_ENABLED(CONFIG_NET_SWITCHDEV) && IS_ENABLED(CONFIG_MLX5_ESWITCH)
++#if IS_ENABLED(CONFIG_MLX5_ESWITCH)
+ if (MLX5_VPORT_MANAGER(mdev))
+ netdev->switchdev_ops = &mlx5e_switchdev_ops;
+ #endif
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -825,9 +825,7 @@ static void mlx5e_build_rep_netdev(struc
+
+ netdev->ethtool_ops = &mlx5e_rep_ethtool_ops;
+
+-#ifdef CONFIG_NET_SWITCHDEV
+ netdev->switchdev_ops = &mlx5e_rep_switchdev_ops;
+-#endif
+
+ netdev->features |= NETIF_F_VLAN_CHALLENGED | NETIF_F_HW_TC | NETIF_F_NETNS_LOCAL;
+ netdev->hw_features |= NETIF_F_HW_TC;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Tue, 2 Jan 2018 16:49:56 +0200
+Subject: net/mlx5: Protect from command bit overflow
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+[ Upstream commit 957f6ba8adc7be401a74ccff427e4cfd88d3bfcb ]
+
+The system with CONFIG_UBSAN enabled on produces the following error
+during driver initialization. The reason to it that max_reg_cmds can be
+larger enough to cause to "1 << max_reg_cmds" overflow the unsigned long.
+
+================================================================================
+UBSAN: Undefined behaviour in drivers/net/ethernet/mellanox/mlx5/core/cmd.c:1805:42
+signed integer overflow:
+-2147483648 - 1 cannot be represented in type 'int'
+CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00032-g06cda2358d9b-dirty #724
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
+Call Trace:
+ dump_stack+0xe9/0x18f
+ ? dma_virt_alloc+0x81/0x81
+ ubsan_epilogue+0xe/0x4e
+ handle_overflow+0x187/0x20c
+ mlx5_cmd_init+0x73a/0x12b0
+ mlx5_load_one+0x1c3d/0x1d30
+ init_one+0xd02/0xf10
+ pci_device_probe+0x26c/0x3b0
+ driver_probe_device+0x622/0xb40
+ __driver_attach+0x175/0x1b0
+ bus_for_each_dev+0xef/0x190
+ bus_add_driver+0x2db/0x490
+ driver_register+0x16b/0x1e0
+ __pci_register_driver+0x177/0x1b0
+ init+0x6d/0x92
+ do_one_initcall+0x15b/0x270
+ kernel_init_freeable+0x2d8/0x3d0
+ kernel_init+0x14/0x190
+ ret_from_fork+0x24/0x30
+================================================================================
+
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1802,7 +1802,7 @@ int mlx5_cmd_init(struct mlx5_core_dev *
+
+ cmd->checksum_disabled = 1;
+ cmd->max_reg_cmds = (1 << cmd->log_sz) - 1;
+- cmd->bitmask = (1 << cmd->max_reg_cmds) - 1;
++ cmd->bitmask = (1UL << cmd->max_reg_cmds) - 1;
+
+ cmd->cmdif_rev = ioread32be(&dev->iseg->cmdif_rev_fw_sub) >> 16;
+ if (cmd->cmdif_rev > CMD_IF_REV) {
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Or Gerlitz <ogerlitz@mellanox.com>
+Date: Tue, 30 Jan 2018 13:16:58 +0200
+Subject: net/mlx5e: Return error if prio is specified when offloading eswitch vlan push
+
+From: Or Gerlitz <ogerlitz@mellanox.com>
+
+[ Upstream commit 001a2fc0c8cc29241305e44ffbce52d1daf8782b ]
+
+This isn't supported when we emulate eswitch vlan push action which
+is the current state of things.
+
+Fixes: 8b32580df1cb ('net/mlx5e: Add TC vlan action for SRIOV offloads')
+Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+Reviewed-by: Mark Bloch <markb@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -2013,7 +2013,8 @@ static int parse_tc_fdb_actions(struct m
+ if (tcf_vlan_action(a) == TCA_VLAN_ACT_POP) {
+ attr->action |= MLX5_FLOW_CONTEXT_ACTION_VLAN_POP;
+ } else if (tcf_vlan_action(a) == TCA_VLAN_ACT_PUSH) {
+- if (tcf_vlan_push_proto(a) != htons(ETH_P_8021Q))
++ if (tcf_vlan_push_proto(a) != htons(ETH_P_8021Q) ||
++ tcf_vlan_push_prio(a))
+ return -EOPNOTSUPP;
+
+ attr->action |= MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Yelena Krivosheev <yelena@marvell.com>
+Date: Fri, 30 Mar 2018 12:05:31 +0200
+Subject: net: mvneta: fix enable of all initialized RXQs
+
+From: Yelena Krivosheev <yelena@marvell.com>
+
+[ Upstream commit e81b5e01c14add8395dfba7130f8829206bb507d ]
+
+In mvneta_port_up() we enable relevant RX and TX port queues by write
+queues bit map to an appropriate register.
+
+q_map must be ZERO in the beginning of this process.
+
+Signed-off-by: Yelena Krivosheev <yelena@marvell.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Acked-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -1112,6 +1112,7 @@ static void mvneta_port_up(struct mvneta
+ }
+ mvreg_write(pp, MVNETA_TXQ_CMD, q_map);
+
++ q_map = 0;
+ /* Enable all initialized RXQs. */
+ for (queue = 0; queue < rxq_number; queue++) {
+ struct mvneta_rx_queue *rxq = &pp->rxqs[queue];
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Hemanth Puranik <hpuranik@codeaurora.org>
+Date: Tue, 6 Mar 2018 08:18:06 +0530
+Subject: net: qcom/emac: Use proper free methods during TX
+
+From: Hemanth Puranik <hpuranik@codeaurora.org>
+
+[ Upstream commit cc5db3150e87fe7f7e947bf333b6c1c97f848ecb ]
+
+This patch fixes the warning messages/call traces seen if DMA debug is
+enabled, In case of fragmented skb's memory was allocated using
+dma_map_page but freed using dma_unmap_single. This patch modifies buffer
+allocations in TX path to use dma_map_page in all the places and
+dma_unmap_page while freeing the buffers.
+
+Signed-off-by: Hemanth Puranik <hpuranik@codeaurora.org>
+Acked-by: Timur Tabi <timur@codeaurora.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qualcomm/emac/emac-mac.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/qualcomm/emac/emac-mac.c
++++ b/drivers/net/ethernet/qualcomm/emac/emac-mac.c
+@@ -1204,9 +1204,9 @@ void emac_mac_tx_process(struct emac_ada
+ while (tx_q->tpd.consume_idx != hw_consume_idx) {
+ tpbuf = GET_TPD_BUFFER(tx_q, tx_q->tpd.consume_idx);
+ if (tpbuf->dma_addr) {
+- dma_unmap_single(adpt->netdev->dev.parent,
+- tpbuf->dma_addr, tpbuf->length,
+- DMA_TO_DEVICE);
++ dma_unmap_page(adpt->netdev->dev.parent,
++ tpbuf->dma_addr, tpbuf->length,
++ DMA_TO_DEVICE);
+ tpbuf->dma_addr = 0;
+ }
+
+@@ -1363,9 +1363,11 @@ static void emac_tx_fill_tpd(struct emac
+
+ tpbuf = GET_TPD_BUFFER(tx_q, tx_q->tpd.produce_idx);
+ tpbuf->length = mapped_len;
+- tpbuf->dma_addr = dma_map_single(adpt->netdev->dev.parent,
+- skb->data, tpbuf->length,
+- DMA_TO_DEVICE);
++ tpbuf->dma_addr = dma_map_page(adpt->netdev->dev.parent,
++ virt_to_page(skb->data),
++ offset_in_page(skb->data),
++ tpbuf->length,
++ DMA_TO_DEVICE);
+ ret = dma_mapping_error(adpt->netdev->dev.parent,
+ tpbuf->dma_addr);
+ if (ret)
+@@ -1381,9 +1383,12 @@ static void emac_tx_fill_tpd(struct emac
+ if (mapped_len < len) {
+ tpbuf = GET_TPD_BUFFER(tx_q, tx_q->tpd.produce_idx);
+ tpbuf->length = len - mapped_len;
+- tpbuf->dma_addr = dma_map_single(adpt->netdev->dev.parent,
+- skb->data + mapped_len,
+- tpbuf->length, DMA_TO_DEVICE);
++ tpbuf->dma_addr = dma_map_page(adpt->netdev->dev.parent,
++ virt_to_page(skb->data +
++ mapped_len),
++ offset_in_page(skb->data +
++ mapped_len),
++ tpbuf->length, DMA_TO_DEVICE);
+ ret = dma_mapping_error(adpt->netdev->dev.parent,
+ tpbuf->dma_addr);
+ if (ret)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Pawel Dembicki <paweldembicki@gmail.com>
+Date: Sat, 24 Mar 2018 22:08:14 +0100
+Subject: net: qmi_wwan: add BroadMobi BM806U 2020:2033
+
+From: Pawel Dembicki <paweldembicki@gmail.com>
+
+[ Upstream commit 743989254ea9f132517806d8893ca9b6cf9dc86b ]
+
+BroadMobi BM806U is an Qualcomm MDM9225 based 3G/4G modem.
+Tested hardware BM806U is mounted on D-Link DWR-921-C3 router.
+The USB id is added to qmi_wwan.c to allow QMI communication with
+the BM806U.
+
+Tested on 4.14 kernel and OpenWRT.
+
+Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1180,6 +1180,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */
+ {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */
+ {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */
++ {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */
+ {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */
+ {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */
+ {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Mon, 19 Mar 2018 15:31:26 +0100
+Subject: net/sched: fix idr leak in the error path of __tcf_ipt_init()
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 1e46ef1762bb2e52f0f996131a4d16ed4e9fd065 ]
+
+__tcf_ipt_init() can fail after the idr has been successfully reserved.
+When this happens, subsequent attempts to configure xt/ipt rules using
+the same idr value systematically fail with -ENOSPC:
+
+ # tc action add action xt -j LOG --log-prefix test1 index 100
+ tablename: mangle hook: NF_IP_POST_ROUTING
+ target: LOG level warning prefix "test1" index 100
+ RTNETLINK answers: Cannot allocate memory
+ We have an error talking to the kernel
+ Command "(null)" is unknown, try "tc actions help".
+ # tc action add action xt -j LOG --log-prefix test1 index 100
+ tablename: mangle hook: NF_IP_POST_ROUTING
+ target: LOG level warning prefix "test1" index 100
+ RTNETLINK answers: No space left on device
+ We have an error talking to the kernel
+ Command "(null)" is unknown, try "tc actions help".
+ # tc action add action xt -j LOG --log-prefix test1 index 100
+ tablename: mangle hook: NF_IP_POST_ROUTING
+ target: LOG level warning prefix "test1" index 100
+ RTNETLINK answers: No space left on device
+ We have an error talking to the kernel
+ ...
+
+Fix this in the error path of __tcf_ipt_init(), calling tcf_idr_release()
+in place of tcf_idr_cleanup(). Since tcf_ipt_release() can now be called
+when tcfi_t is NULL, we also need to protect calls to ipt_destroy_target()
+to avoid NULL pointer dereference.
+
+Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR")
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ipt.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/net/sched/act_ipt.c
++++ b/net/sched/act_ipt.c
+@@ -80,9 +80,12 @@ static void ipt_destroy_target(struct xt
+ static void tcf_ipt_release(struct tc_action *a, int bind)
+ {
+ struct tcf_ipt *ipt = to_ipt(a);
+- ipt_destroy_target(ipt->tcfi_t);
++
++ if (ipt->tcfi_t) {
++ ipt_destroy_target(ipt->tcfi_t);
++ kfree(ipt->tcfi_t);
++ }
+ kfree(ipt->tcfi_tname);
+- kfree(ipt->tcfi_t);
+ }
+
+ static const struct nla_policy ipt_policy[TCA_IPT_MAX + 1] = {
+@@ -187,7 +190,7 @@ err2:
+ kfree(tname);
+ err1:
+ if (ret == ACT_P_CREATED)
+- tcf_idr_cleanup(*a, est);
++ tcf_idr_release(*a, bind);
+ return err;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Mon, 19 Mar 2018 15:31:24 +0100
+Subject: net/sched: fix idr leak in the error path of tcf_act_police_init()
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 5bf7f8185f7c7112decdfe3d3e5c5d5e67f099a1 ]
+
+tcf_act_police_init() can fail after the idr has been successfully
+reserved (e.g., qdisc_get_rtab() may return NULL). When this happens,
+subsequent attempts to configure a police rule using the same idr value
+systematiclly fail with -ENOSPC:
+
+ # tc action add action police rate 1000 burst 1000 drop index 100
+ RTNETLINK answers: Cannot allocate memory
+ We have an error talking to the kernel
+ # tc action add action police rate 1000 burst 1000 drop index 100
+ RTNETLINK answers: No space left on device
+ We have an error talking to the kernel
+ # tc action add action police rate 1000 burst 1000 drop index 100
+ RTNETLINK answers: No space left on device
+ ...
+
+Fix this in the error path of tcf_act_police_init(), calling
+tcf_idr_release() in place of tcf_idr_cleanup().
+
+Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR")
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_police.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_police.c
++++ b/net/sched/act_police.c
+@@ -194,7 +194,7 @@ failure:
+ qdisc_put_rtab(P_tab);
+ qdisc_put_rtab(R_tab);
+ if (ret == ACT_P_CREATED)
+- tcf_idr_cleanup(*a, est);
++ tcf_idr_release(*a, bind);
+ return err;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Mon, 19 Mar 2018 15:31:23 +0100
+Subject: net/sched: fix idr leak in the error path of tcf_simp_init()
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 60e10b3adc3bac0f6a894c28e0eb1f2d13607362 ]
+
+if the kernel fails to duplicate 'sdata', creation of a new action fails
+with -ENOMEM. However, subsequent attempts to install the same action
+using the same value of 'index' systematically fail with -ENOSPC, and
+that value of 'index' will no more be usable by act_simple, until rmmod /
+insmod of act_simple.ko is done:
+
+ # tc actions add action simple sdata hello index 100
+ # tc actions list action simple
+
+ action order 0: Simple <hello>
+ index 100 ref 1 bind 0
+ # tc actions flush action simple
+ # tc actions add action simple sdata hello index 100
+ RTNETLINK answers: Cannot allocate memory
+ We have an error talking to the kernel
+ # tc actions flush action simple
+ # tc actions add action simple sdata hello index 100
+ RTNETLINK answers: No space left on device
+ We have an error talking to the kernel
+ # tc actions add action simple sdata hello index 100
+ RTNETLINK answers: No space left on device
+ We have an error talking to the kernel
+ ...
+
+Fix this in the error path of tcf_simp_init(), calling tcf_idr_release()
+in place of tcf_idr_cleanup().
+
+Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR")
+Suggested-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_simple.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_simple.c
++++ b/net/sched/act_simple.c
+@@ -121,7 +121,7 @@ static int tcf_simp_init(struct net *net
+ d = to_defact(*a);
+ ret = alloc_defdata(d, defdata);
+ if (ret < 0) {
+- tcf_idr_cleanup(*a, est);
++ tcf_idr_release(*a, bind);
+ return ret;
+ }
+ d->tcf_action = parm->action;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Mon, 19 Mar 2018 15:31:28 +0100
+Subject: net/sched: fix idr leak in the error path of tcf_skbmod_init()
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit f29cdfbe33d6915ba8056179b0041279a67e3647 ]
+
+tcf_skbmod_init() can fail after the idr has been successfully reserved.
+When this happens, every subsequent attempt to configure skbmod rules
+using the same idr value will systematically fail with -ENOSPC, unless
+the first attempt was done using the 'replace' keyword:
+
+ # tc action add action skbmod swap mac index 100
+ RTNETLINK answers: Cannot allocate memory
+ We have an error talking to the kernel
+ # tc action add action skbmod swap mac index 100
+ RTNETLINK answers: No space left on device
+ We have an error talking to the kernel
+ # tc action add action skbmod swap mac index 100
+ RTNETLINK answers: No space left on device
+ We have an error talking to the kernel
+ ...
+
+Fix this in tcf_skbmod_init(), ensuring that tcf_idr_release() is called
+on the error path when the idr has been reserved, but not yet inserted.
+Also, don't test 'ovr' in the error path, to avoid a 'replace' failure
+implicitly become a 'delete' that leaks refcount in act_skbmod module:
+
+ # rmmod act_skbmod; modprobe act_skbmod
+ # tc action add action skbmod swap mac index 100
+ # tc action add action skbmod swap mac continue index 100
+ RTNETLINK answers: File exists
+ We have an error talking to the kernel
+ # tc action replace action skbmod swap mac continue index 100
+ RTNETLINK answers: Cannot allocate memory
+ We have an error talking to the kernel
+ # tc action list action skbmod
+ #
+ # rmmod act_skbmod
+ rmmod: ERROR: Module act_skbmod is in use
+
+Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR")
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_skbmod.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_skbmod.c
++++ b/net/sched/act_skbmod.c
+@@ -152,7 +152,7 @@ static int tcf_skbmod_init(struct net *n
+ ASSERT_RTNL();
+ p = kzalloc(sizeof(struct tcf_skbmod_params), GFP_KERNEL);
+ if (unlikely(!p)) {
+- if (ovr)
++ if (ret == ACT_P_CREATED)
+ tcf_idr_release(*a, bind);
+ return -ENOMEM;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Mon, 19 Mar 2018 15:31:25 +0100
+Subject: net/sched: fix idr leak in the error path of tcp_pedit_init()
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 94fa3f929ec0c048b1f3658cc335b940df4f6d22 ]
+
+tcf_pedit_init() can fail to allocate 'keys' after the idr has been
+successfully reserved. When this happens, subsequent attempts to configure
+a pedit rule using the same idr value systematically fail with -ENOSPC:
+
+ # tc action add action pedit munge ip ttl set 63 index 100
+ RTNETLINK answers: Cannot allocate memory
+ We have an error talking to the kernel
+ # tc action add action pedit munge ip ttl set 63 index 100
+ RTNETLINK answers: No space left on device
+ We have an error talking to the kernel
+ # tc action add action pedit munge ip ttl set 63 index 100
+ RTNETLINK answers: No space left on device
+ We have an error talking to the kernel
+ ...
+
+Fix this in the error path of tcf_act_pedit_init(), calling
+tcf_idr_release() in place of tcf_idr_cleanup().
+
+Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR")
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_pedit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_pedit.c
++++ b/net/sched/act_pedit.c
+@@ -176,7 +176,7 @@ static int tcf_pedit_init(struct net *ne
+ p = to_pedit(*a);
+ keys = kmalloc(ksize, GFP_KERNEL);
+ if (keys == NULL) {
+- tcf_idr_cleanup(*a, est);
++ tcf_idr_release(*a, bind);
+ kfree(keys_ex);
+ return -ENOMEM;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Mon, 19 Mar 2018 15:31:22 +0100
+Subject: net/sched: fix idr leak on the error path of tcf_bpf_init()
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit bbc09e7842a5023ba5bc0f8d559b9dd464e44006 ]
+
+when the following command sequence is entered
+
+ # tc action add action bpf bytecode '4,40 0 0 12,31 0 1 2048,6 0 0 262144,6 0 0 0' index 100
+ RTNETLINK answers: Invalid argument
+ We have an error talking to the kernel
+ # tc action add action bpf bytecode '4,40 0 0 12,21 0 1 2048,6 0 0 262144,6 0 0 0' index 100
+ RTNETLINK answers: No space left on device
+ We have an error talking to the kernel
+
+act_bpf correctly refuses to install the first TC rule, because 31 is not
+a valid instruction. However, it refuses to install the second TC rule,
+even if the BPF code is correct. Furthermore, it's no more possible to
+install any other rule having the same value of 'index' until act_bpf
+module is unloaded/inserted again. After the idr has been reserved, call
+tcf_idr_release() instead of tcf_idr_cleanup(), to fix this issue.
+
+Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR")
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_bpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_bpf.c
++++ b/net/sched/act_bpf.c
+@@ -356,7 +356,7 @@ static int tcf_bpf_init(struct net *net,
+ return res;
+ out:
+ if (res == ACT_P_CREATED)
+- tcf_idr_cleanup(*act, est);
++ tcf_idr_release(*act, bind);
+
+ return ret;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Fri, 16 Mar 2018 00:00:56 +0100
+Subject: net/sched: fix NULL dereference in the error path of tcf_sample_init()
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 1f110e7cae09e6c6a144616480d1a9dd99c5208a ]
+
+when the following command
+
+ # tc action add action sample rate 100 group 100 index 100
+
+is run for the first time, and psample_group_get(100) fails to create a
+new group, tcf_sample_cleanup() calls psample_group_put(NULL), thus
+causing the following error:
+
+ BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
+ IP: psample_group_put+0x15/0x71 [psample]
+ PGD 8000000075775067 P4D 8000000075775067 PUD 7453c067 PMD 0
+ Oops: 0002 [#1] SMP PTI
+ Modules linked in: act_sample(E) psample ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core mbcache jbd2 crct10dif_pclmul snd_hwdep crc32_pclmul snd_seq ghash_clmulni_intel pcbc snd_seq_device snd_pcm aesni_intel crypto_simd snd_timer glue_helper snd cryptd joydev pcspkr i2c_piix4 soundcore virtio_balloon nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm virtio_net ata_piix virtio_console virtio_blk libata serio_raw crc32c_intel virtio_pci i2c_core virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_tunnel_key]
+ CPU: 2 PID: 5740 Comm: tc Tainted: G E 4.16.0-rc4.act_vlan.orig+ #403
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:psample_group_put+0x15/0x71 [psample]
+ RSP: 0018:ffffb8a80032f7d0 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000024
+ RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffffffc06d93c0
+ RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044
+ R10: 00000000bd003000 R11: ffff979fba04aa59 R12: 0000000000000000
+ R13: 0000000000000000 R14: 0000000000000000 R15: ffff979fbba3f22c
+ FS: 00007f7638112740(0000) GS:ffff979fbfd00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000000000000001c CR3: 00000000734ea001 CR4: 00000000001606e0
+ Call Trace:
+ __tcf_idr_release+0x79/0xf0
+ tcf_sample_init+0x125/0x1d0 [act_sample]
+ tcf_action_init_1+0x2cc/0x430
+ tcf_action_init+0xd3/0x1b0
+ tc_ctl_action+0x18b/0x240
+ rtnetlink_rcv_msg+0x29c/0x310
+ ? _cond_resched+0x15/0x30
+ ? __kmalloc_node_track_caller+0x1b9/0x270
+ ? rtnl_calcit.isra.28+0x100/0x100
+ netlink_rcv_skb+0xd2/0x110
+ netlink_unicast+0x17c/0x230
+ netlink_sendmsg+0x2cd/0x3c0
+ sock_sendmsg+0x30/0x40
+ ___sys_sendmsg+0x27a/0x290
+ ? filemap_map_pages+0x34a/0x3a0
+ ? __handle_mm_fault+0xbfd/0xe20
+ __sys_sendmsg+0x51/0x90
+ do_syscall_64+0x6e/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+ RIP: 0033:0x7f7637523ba0
+ RSP: 002b:00007fff0473ef58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 00007fff0473f080 RCX: 00007f7637523ba0
+ RDX: 0000000000000000 RSI: 00007fff0473efd0 RDI: 0000000000000003
+ RBP: 000000005aaaac80 R08: 0000000000000002 R09: 0000000000000000
+ R10: 00007fff0473e9e0 R11: 0000000000000246 R12: 0000000000000000
+ R13: 00007fff0473f094 R14: 0000000000000001 R15: 0000000000669f60
+ Code: be 02 00 00 00 48 89 df e8 a9 fe ff ff e9 7c ff ff ff 0f 1f 40 00 0f 1f 44 00 00 53 48 89 fb 48 c7 c7 c0 93 6d c0 e8 db 20 8c ef <83> 6b 1c 01 74 10 48 c7 c7 c0 93 6d c0 ff 14 25 e8 83 83 b0 5b
+ RIP: psample_group_put+0x15/0x71 [psample] RSP: ffffb8a80032f7d0
+ CR2: 000000000000001c
+
+Fix it in tcf_sample_cleanup(), ensuring that calls to psample_group_put(p)
+are done only when p is not NULL.
+
+Fixes: cadb9c9fdbc6 ("net/sched: act_sample: Fix error path in init")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_sample.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_sample.c
++++ b/net/sched/act_sample.c
+@@ -103,7 +103,8 @@ static void tcf_sample_cleanup_rcu(struc
+
+ psample_group = rcu_dereference_protected(s->psample_group, 1);
+ RCU_INIT_POINTER(s->psample_group, NULL);
+- psample_group_put(psample_group);
++ if (psample_group)
++ psample_group_put(psample_group);
+ }
+
+ static void tcf_sample_cleanup(struct tc_action *a, int bind)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Ursula Braun <ubraun@linux.vnet.ibm.com>
+Date: Wed, 14 Mar 2018 11:01:00 +0100
+Subject: net/smc: pay attention to MAX_ORDER for CQ entries
+
+From: Ursula Braun <ubraun@linux.vnet.ibm.com>
+
+[ Upstream commit c9f4c6cf53bfafb639386a4c094929f13f573e04 ]
+
+smc allocates a certain number of CQ entries for used RoCE devices. For
+mlx5 devices the chosen constant number results in a large allocation
+causing this warning:
+
+[13355.124656] WARNING: CPU: 3 PID: 16535 at mm/page_alloc.c:3883 __alloc_pages_nodemask+0x2be/0x10c0
+[13355.124657] Modules linked in: smc_diag(O) smc(O) xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ip6table_filter ip6_tables iptable_filter mlx5_ib ib_core sunrpc mlx5_core s390_trng rng_core ghash_s390 prng aes_s390 des_s390 des_generic sha512_s390 sha256_s390 sha1_s390 sha_common ptp pps_core eadm_sch dm_multipath dm_mod vhost_net tun vhost tap sch_fq_codel kvm ip_tables x_tables autofs4 [last unloaded: smc]
+[13355.124672] CPU: 3 PID: 16535 Comm: kworker/3:0 Tainted: G O 4.14.0uschi #1
+[13355.124673] Hardware name: IBM 3906 M04 704 (LPAR)
+[13355.124675] Workqueue: events smc_listen_work [smc]
+[13355.124677] task: 00000000e2f22100 task.stack: 0000000084720000
+[13355.124678] Krnl PSW : 0704c00180000000 000000000029da76 (__alloc_pages_nodemask+0x2be/0x10c0)
+[13355.124681] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
+[13355.124682] Krnl GPRS: 0000000000000000 00550e00014080c0 0000000000000000 0000000000000001
+[13355.124684] 000000000029d8b6 00000000f3bfd710 0000000000000000 00000000014080c0
+[13355.124685] 0000000000000009 00000000ec277a00 0000000000200000 0000000000000000
+[13355.124686] 0000000000000000 00000000000001ff 000000000029d8b6 0000000084723720
+[13355.124708] Krnl Code: 000000000029da6a: a7110200 tmll %r1,512
+ 000000000029da6e: a774ff29 brc 7,29d8c0
+ #000000000029da72: a7f40001 brc 15,29da74
+ >000000000029da76: a7f4ff25 brc 15,29d8c0
+ 000000000029da7a: a7380000 lhi %r3,0
+ 000000000029da7e: a7f4fef1 brc 15,29d860
+ 000000000029da82: 5820f0c4 l %r2,196(%r15)
+ 000000000029da86: a53e0048 llilh %r3,72
+[13355.124720] Call Trace:
+[13355.124722] ([<000000000029d8b6>] __alloc_pages_nodemask+0xfe/0x10c0)
+[13355.124724] [<000000000013bd1e>] s390_dma_alloc+0x6e/0x148
+[13355.124733] [<000003ff802eeba6>] mlx5_dma_zalloc_coherent_node+0x8e/0xe0 [mlx5_core]
+[13355.124740] [<000003ff802eee18>] mlx5_buf_alloc_node+0x70/0x108 [mlx5_core]
+[13355.124744] [<000003ff804eb410>] mlx5_ib_create_cq+0x558/0x898 [mlx5_ib]
+[13355.124749] [<000003ff80407d40>] ib_create_cq+0x48/0x88 [ib_core]
+[13355.124751] [<000003ff80109fba>] smc_ib_setup_per_ibdev+0x52/0x118 [smc]
+[13355.124753] [<000003ff8010bcb6>] smc_conn_create+0x65e/0x728 [smc]
+[13355.124755] [<000003ff801081a2>] smc_listen_work+0x2d2/0x540 [smc]
+[13355.124756] [<0000000000162c66>] process_one_work+0x1be/0x440
+[13355.124758] [<0000000000162f40>] worker_thread+0x58/0x458
+[13355.124759] [<0000000000169e7e>] kthread+0x14e/0x168
+[13355.124760] [<00000000009ce8be>] kernel_thread_starter+0x6/0xc
+[13355.124762] [<00000000009ce8b8>] kernel_thread_starter+0x0/0xc
+[13355.124762] Last Breaking-Event-Address:
+[13355.124764] [<000000000029da72>] __alloc_pages_nodemask+0x2ba/0x10c0
+[13355.124764] ---[ end trace 34be38b581c0b585 ]---
+
+This patch reduces the smc constant for the maximum number of allocated
+completion queue entries SMC_MAX_CQE by 2 to avoid high round up values
+in the mlx5 code, and reduces the number of allocated completion queue
+entries even more, if the final allocation for an mlx5 device hits the
+MAX_ORDER limit.
+
+Reported-by: Ihnken Menssen <menssen@de.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/smc_ib.c | 10 +++++++++-
+ net/smc/smc_wr.h | 1 -
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/smc/smc_ib.c
++++ b/net/smc/smc_ib.c
+@@ -23,6 +23,8 @@
+ #include "smc_wr.h"
+ #include "smc.h"
+
++#define SMC_MAX_CQE 32766 /* max. # of completion queue elements */
++
+ #define SMC_QP_MIN_RNR_TIMER 5
+ #define SMC_QP_TIMEOUT 15 /* 4096 * 2 ** timeout usec */
+ #define SMC_QP_RETRY_CNT 7 /* 7: infinite */
+@@ -435,9 +437,15 @@ out:
+ long smc_ib_setup_per_ibdev(struct smc_ib_device *smcibdev)
+ {
+ struct ib_cq_init_attr cqattr = {
+- .cqe = SMC_WR_MAX_CQE, .comp_vector = 0 };
++ .cqe = SMC_MAX_CQE, .comp_vector = 0 };
++ int cqe_size_order, smc_order;
+ long rc;
+
++ /* the calculated number of cq entries fits to mlx5 cq allocation */
++ cqe_size_order = cache_line_size() == 128 ? 7 : 6;
++ smc_order = MAX_ORDER - cqe_size_order - 1;
++ if (SMC_MAX_CQE + 2 > (0x00000001 << smc_order) * PAGE_SIZE)
++ cqattr.cqe = (0x00000001 << smc_order) * PAGE_SIZE - 2;
+ smcibdev->roce_cq_send = ib_create_cq(smcibdev->ibdev,
+ smc_wr_tx_cq_handler, NULL,
+ smcibdev, &cqattr);
+--- a/net/smc/smc_wr.h
++++ b/net/smc/smc_wr.h
+@@ -19,7 +19,6 @@
+ #include "smc.h"
+ #include "smc_core.h"
+
+-#define SMC_WR_MAX_CQE 32768 /* max. # of completion queue elements */
+ #define SMC_WR_BUF_CNT 16 /* # of ctrl buffers per link */
+
+ #define SMC_WR_TX_WAIT_FREE_SLOT_TIME (10 * HZ)
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Karsten Graul <kgraul@linux.vnet.ibm.com>
+Date: Wed, 28 Feb 2018 12:44:08 +0100
+Subject: net/smc: use link_id of server in confirm link reply
+
+From: Karsten Graul <kgraul@linux.vnet.ibm.com>
+
+[ Upstream commit 2be922f31606f114119f48de3207d122a90e7357 ]
+
+The CONFIRM LINK reply message must contain the link_id sent
+by the server. And set the link_id explicitly when
+initializing the link.
+
+Signed-off-by: Karsten Graul <kgraul@linux.vnet.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/smc_core.c | 1 +
+ net/smc/smc_llc.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/smc/smc_core.c
++++ b/net/smc/smc_core.c
+@@ -174,6 +174,7 @@ static int smc_lgr_create(struct smc_soc
+
+ lnk = &lgr->lnk[SMC_SINGLE_LINK];
+ /* initialize link */
++ lnk->link_id = SMC_SINGLE_LINK;
+ lnk->smcibdev = smcibdev;
+ lnk->ibport = ibport;
+ lnk->path_mtu = smcibdev->pattr[ibport - 1].active_mtu;
+--- a/net/smc/smc_llc.c
++++ b/net/smc/smc_llc.c
+@@ -92,7 +92,7 @@ int smc_llc_send_confirm_link(struct smc
+ memcpy(confllc->sender_mac, mac, ETH_ALEN);
+ memcpy(confllc->sender_gid, gid, SMC_GID_SIZE);
+ hton24(confllc->sender_qp_num, link->roce_qp->qp_num);
+- /* confllc->link_num = SMC_SINGLE_LINK; already done by memset above */
++ confllc->link_num = link->link_id;
+ memcpy(confllc->link_uid, lgr->id, SMC_LGR_ID_SIZE);
+ confllc->max_links = SMC_LINKS_PER_LGR_MAX;
+ /* send llc message */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jeremy Linton <jeremy.linton@arm.com>
+Date: Tue, 6 Mar 2018 09:00:06 -0600
+Subject: net: smsc911x: Fix unload crash when link is up
+
+From: Jeremy Linton <jeremy.linton@arm.com>
+
+[ Upstream commit e06513d78d54e6c7026c9043a39e2c01ee25bdbe ]
+
+The smsc911x driver will crash if it is rmmod'ed while the netdev
+is up like:
+
+Call trace:
+ phy_detach+0x94/0x150
+ phy_disconnect+0x40/0x50
+ smsc911x_stop+0x104/0x128 [smsc911x]
+ __dev_close_many+0xb4/0x138
+ dev_close_many+0xbc/0x190
+ rollback_registered_many+0x140/0x460
+ rollback_registered+0x68/0xb0
+ unregister_netdevice_queue+0x100/0x118
+ unregister_netdev+0x28/0x38
+ smsc911x_drv_remove+0x58/0x130 [smsc911x]
+ platform_drv_remove+0x30/0x50
+ device_release_driver_internal+0x15c/0x1f8
+ driver_detach+0x54/0x98
+ bus_remove_driver+0x64/0xe8
+ driver_unregister+0x34/0x60
+ platform_driver_unregister+0x20/0x30
+ smsc911x_cleanup_module+0x14/0xbca8 [smsc911x]
+ SyS_delete_module+0x1e8/0x238
+ __sys_trace_return+0x0/0x4
+
+This is caused by the mdiobus being unregistered/free'd
+and the code in phy_detach() attempting to manipulate mdio
+related structures from unregister_netdev() calling close()
+
+To fix this, we delay the mdiobus teardown until after
+the netdev is deregistered.
+
+Reported-by: Matt Sealey <matt.sealey@arm.com>
+Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/smsc/smsc911x.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/smsc/smsc911x.c
++++ b/drivers/net/ethernet/smsc/smsc911x.c
+@@ -2335,14 +2335,14 @@ static int smsc911x_drv_remove(struct pl
+ pdata = netdev_priv(dev);
+ BUG_ON(!pdata);
+ BUG_ON(!pdata->ioaddr);
+- WARN_ON(dev->phydev);
+
+ SMSC_TRACE(pdata, ifdown, "Stopping driver");
+
++ unregister_netdev(dev);
++
+ mdiobus_unregister(pdata->mii_bus);
+ mdiobus_free(pdata->mii_bus);
+
+- unregister_netdev(dev);
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM,
+ "smsc911x-memory");
+ if (!res)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Niklas Cassel <niklas.cassel@axis.com>
+Date: Mon, 19 Feb 2018 18:11:13 +0100
+Subject: net: stmmac: call correct function in stmmac_mac_config_rx_queues_routing()
+
+From: Niklas Cassel <niklas.cassel@axis.com>
+
+[ Upstream commit 13138de01400762f706c5e956e70660770d61962 ]
+
+stmmac_mac_config_rx_queues_routing() incorrectly calls rx_queue_prio()
+instead of rx_queue_routing().
+
+This looks like a copy paste issue, since
+stmmac_mac_config_rx_queues_prio() already calls rx_queue_prio(),
+and both stmmac_mac_config_rx_queues_routing() and
+stmmac_mac_config_rx_queues_prio() are very similar in structure.
+
+Fixes: abe80fdc6ee6 ("net: stmmac: RX queue routing configuration")
+Signed-off-by: Niklas Cassel <niklas.cassel@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2373,7 +2373,7 @@ static void stmmac_mac_config_rx_queues_
+ continue;
+
+ packet = priv->plat->rx_queues_cfg[queue].pkt_route;
+- priv->hw->mac->rx_queue_prio(priv->hw, packet, queue);
++ priv->hw->mac->rx_queue_routing(priv->hw, packet, queue);
+ }
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Niklas Cassel <niklas.cassel@axis.com>
+Date: Mon, 26 Feb 2018 22:47:08 +0100
+Subject: net: stmmac: ensure that the device has released ownership before reading data
+
+From: Niklas Cassel <niklas.cassel@axis.com>
+
+[ Upstream commit a6b25da5e7ba212af5826a662e6a035a79bffabd ]
+
+According to Documentation/memory-barriers.txt, we need to use a
+dma_rmb() after reading the status/own bit, to ensure that all
+descriptor fields are read after reading the own bit.
+
+This way, we ensure that the DMA engine is done with the DMA
+descriptor before we read the other descriptor fields, e.g. reading
+the tx hardware timestamp (if PTP is enabled).
+
+Signed-off-by: Niklas Cassel <niklas.cassel@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -1829,6 +1829,11 @@ static void stmmac_tx_clean(struct stmma
+ if (unlikely(status & tx_dma_own))
+ break;
+
++ /* Make sure descriptor fields are read after reading
++ * the own bit.
++ */
++ dma_rmb();
++
+ /* Just consider the last segment and ...*/
+ if (likely(!(status & tx_not_ls))) {
+ /* ... verify the status error condition */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Niklas Cassel <niklas.cassel@axis.com>
+Date: Mon, 26 Feb 2018 22:47:06 +0100
+Subject: net: stmmac: ensure that the MSS desc is the last desc to set the own bit
+
+From: Niklas Cassel <niklas.cassel@axis.com>
+
+[ Upstream commit 15d2ee42a3087089e73ad52fd8c1b37ab496b87c ]
+
+A dma_wmb() is used to guarantee the ordering, with respect to
+other writes, to cache coherent DMA memory.
+
+There is a dma_wmb() in prepare_tx_desc()/prepare_tso_tx_desc() which
+ensures that TDES0/1/2 is written before TDES3 (which contains the own
+bit), for First Desc.
+
+However, in the rare case that MSS changes, there will be a MSS
+context descriptor in front of the regular DMA descriptors:
+
+<MSS desc> <- DMA Next Descriptor
+<First Desc>
+<desc n>
+<Last Desc>
+
+Thus, for this special case, we need a dma_wmb()
+after prepare_tso_tx_desc()/before writing the own bit to the MSS desc,
+so that we flush the write to TDES3 for First Desc,
+in order to ensure that the MSS descriptor is the last descriptor to
+set the own bit.
+
+Signed-off-by: Niklas Cassel <niklas.cassel@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2923,8 +2923,15 @@ static netdev_tx_t stmmac_tso_xmit(struc
+ tcp_hdrlen(skb) / 4, (skb->len - proto_hdr_len));
+
+ /* If context desc is used to change MSS */
+- if (mss_desc)
++ if (mss_desc) {
++ /* Make sure that first descriptor has been completely
++ * written, including its own bit. This is because MSS is
++ * actually before first descriptor, so we need to make
++ * sure that MSS's own bit is the last thing written.
++ */
++ dma_wmb();
+ priv->hw->desc->set_tx_owner(mss_desc);
++ }
+
+ /* The own bit must be the latest setting done when prepare the
+ * descriptor and then barrier is needed to make sure that
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Joey Pabalinas <joeypabalinas@gmail.com>
+Date: Tue, 27 Feb 2018 22:05:53 -1000
+Subject: net/tcp/illinois: replace broken algorithm reference link
+
+From: Joey Pabalinas <joeypabalinas@gmail.com>
+
+[ Upstream commit ecc832758a654e375924ebf06a4ac971acb5ce60 ]
+
+The link to the pdf containing the algorithm description is now a
+dead link; it seems http://www.ifp.illinois.edu/~srikant/ has been
+moved to https://sites.google.com/a/illinois.edu/srikant/ and none of
+the original papers can be found there...
+
+I have replaced it with the only working copy I was able to find.
+
+n.b. there is also a copy available at:
+
+http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.296.6350&rep=rep1&type=pdf
+
+However, this seems to only be a *cached* version, so I am unsure
+exactly how reliable that link can be expected to remain over time
+and have decided against using that one.
+
+Signed-off-by: Joey Pabalinas <joeypabalinas@gmail.com>
+
+ net/ipv4/tcp_illinois.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_illinois.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_illinois.c
++++ b/net/ipv4/tcp_illinois.c
+@@ -6,7 +6,7 @@
+ * The algorithm is described in:
+ * "TCP-Illinois: A Loss and Delay-Based Congestion Control Algorithm
+ * for High-Speed Networks"
+- * http://www.ifp.illinois.edu/~srikant/Papers/liubassri06perf.pdf
++ * http://tamerbasar.csl.illinois.edu/LiuBasarSrikantPerfEvalArtJun2008.pdf
+ *
+ * Implemented from description in paper and ns-2 simulation.
+ * Copyright (C) 2007 Stephen Hemminger <shemminger@linux-foundation.org>
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Giuseppe Lippolis <giu.lippolis@gmail.com>
+Date: Mon, 26 Mar 2018 16:34:39 +0200
+Subject: net-usb: add qmi_wwan if on lte modem wistron neweb d18q1
+
+From: Giuseppe Lippolis <giu.lippolis@gmail.com>
+
+[ Upstream commit d4c4bc11353f3bea6754f7d21e3612c9f32d1d64 ]
+
+This modem is embedded on dlink dwr-921 router.
+ The oem configuration states:
+
+ T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
+ D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+ P: Vendor=1435 ProdID=0918 Rev= 2.32
+ S: Manufacturer=Android
+ S: Product=Android
+ S: SerialNumber=0123456789ABCDEF
+ C:* #Ifs= 7 Cfg#= 1 Atr=80 MxPwr=500mA
+ I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+ E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+ E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+ I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+ E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+ E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+ I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+ E: Ad=84(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+ E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+ E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+ I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+ E: Ad=86(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+ E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+ E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+ I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+ E: Ad=88(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+ E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+ E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+ I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+ E: Ad=8a(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+ E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+ E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+ I:* If#= 6 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
+ E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+ E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=125us
+
+Tested on openwrt distribution
+
+Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1104,6 +1104,9 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x0846, 0x68a2, 8)},
+ {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */
+ {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */
++ {QMI_FIXED_INTF(0x1435, 0xd181, 3)}, /* Wistron NeWeb D18Q1 */
++ {QMI_FIXED_INTF(0x1435, 0xd181, 4)}, /* Wistron NeWeb D18Q1 */
++ {QMI_FIXED_INTF(0x1435, 0xd181, 5)}, /* Wistron NeWeb D18Q1 */
+ {QMI_FIXED_INTF(0x16d8, 0x6003, 0)}, /* CMOTech 6003 */
+ {QMI_FIXED_INTF(0x16d8, 0x6007, 0)}, /* CMOTech CHE-628S */
+ {QMI_FIXED_INTF(0x16d8, 0x6008, 0)}, /* CMOTech CMU-301 */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+Date: Mon, 26 Mar 2018 07:19:57 +0200
+Subject: net/usb/qmi_wwan.c: Add USB id for lt4120 modem
+
+From: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+
+[ Upstream commit f3d801baf118c9d452ee7c278df16880c892e669 ]
+
+This is needed to support the modem found in HP EliteBook 820 G3.
+
+Signed-off-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1241,6 +1241,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x413c, 0x81b6, 8)}, /* Dell Wireless 5811e */
+ {QMI_FIXED_INTF(0x413c, 0x81b6, 10)}, /* Dell Wireless 5811e */
+ {QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */
++ {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)}, /* HP lt4120 Snapdragon X5 LTE */
+ {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */
+ {QMI_FIXED_INTF(0x1e0e, 0x9001, 5)}, /* SIMCom 7230E */
+ {QMI_QUIRK_SET_DTR(0x2c7c, 0x0125, 4)}, /* Quectel EC25, EC20 R2.0 Mini PCIe */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 5 Mar 2018 11:41:13 -0800
+Subject: net: usbnet: fix potential deadlock on 32bit hosts
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2695578b896aea472b2c0dcbe9d92daa71738484 ]
+
+Marek reported a LOCKDEP issue occurring on 32bit host,
+that we tracked down to the fact that usbnet could either
+run from soft or hard irqs.
+
+This patch adds u64_stats_update_begin_irqsave() and
+u64_stats_update_end_irqrestore() helpers to solve this case.
+
+[ 17.768040] ================================
+[ 17.772239] WARNING: inconsistent lock state
+[ 17.776511] 4.16.0-rc3-next-20180227-00007-g876c53a7493c #453 Not tainted
+[ 17.783329] --------------------------------
+[ 17.787580] inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
+[ 17.793607] swapper/0/0 [HC0[0]:SC1[1]:HE1:SE0] takes:
+[ 17.798751] (&syncp->seq#5){?.-.}, at: [<9b22e5f0>]
+asix_rx_fixup_internal+0x188/0x288
+[ 17.806790] {IN-HARDIRQ-W} state was registered at:
+[ 17.811677] tx_complete+0x100/0x208
+[ 17.815319] __usb_hcd_giveback_urb+0x60/0xf0
+[ 17.819770] xhci_giveback_urb_in_irq+0xa8/0x240
+[ 17.824469] xhci_td_cleanup+0xf4/0x16c
+[ 17.828367] xhci_irq+0xe74/0x2240
+[ 17.831827] usb_hcd_irq+0x24/0x38
+[ 17.835343] __handle_irq_event_percpu+0x98/0x510
+[ 17.840111] handle_irq_event_percpu+0x1c/0x58
+[ 17.844623] handle_irq_event+0x38/0x5c
+[ 17.848519] handle_fasteoi_irq+0xa4/0x138
+[ 17.852681] generic_handle_irq+0x18/0x28
+[ 17.856760] __handle_domain_irq+0x6c/0xe4
+[ 17.860941] gic_handle_irq+0x54/0xa0
+[ 17.864666] __irq_svc+0x70/0xb0
+[ 17.867964] arch_cpu_idle+0x20/0x3c
+[ 17.871578] arch_cpu_idle+0x20/0x3c
+[ 17.875190] do_idle+0x144/0x218
+[ 17.878468] cpu_startup_entry+0x18/0x1c
+[ 17.882454] start_kernel+0x394/0x400
+[ 17.886177] irq event stamp: 161912
+[ 17.889616] hardirqs last enabled at (161912): [<7bedfacf>]
+__netdev_alloc_skb+0xcc/0x140
+[ 17.897893] hardirqs last disabled at (161911): [<d58261d0>]
+__netdev_alloc_skb+0x94/0x140
+[ 17.904903] exynos5-hsi2c 12ca0000.i2c: tx timeout
+[ 17.906116] softirqs last enabled at (161904): [<387102ff>]
+irq_enter+0x78/0x80
+[ 17.906123] softirqs last disabled at (161905): [<cf4c628e>]
+irq_exit+0x134/0x158
+[ 17.925722].
+[ 17.925722] other info that might help us debug this:
+[ 17.933435] Possible unsafe locking scenario:
+[ 17.933435].
+[ 17.940331] CPU0
+[ 17.942488] ----
+[ 17.944894] lock(&syncp->seq#5);
+[ 17.948274] <Interrupt>
+[ 17.950847] lock(&syncp->seq#5);
+[ 17.954386].
+[ 17.954386] *** DEADLOCK ***
+[ 17.954386].
+[ 17.962422] no locks held by swapper/0/0.
+
+Fixes: c8b5d129ee29 ("net: usbnet: support 64bit stats")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Cc: Greg Ungerer <gerg@linux-m68k.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c | 10 ++++++----
+ include/linux/u64_stats_sync.h | 22 ++++++++++++++++++++++
+ 2 files changed, 28 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -315,6 +315,7 @@ static void __usbnet_status_stop_force(s
+ void usbnet_skb_return (struct usbnet *dev, struct sk_buff *skb)
+ {
+ struct pcpu_sw_netstats *stats64 = this_cpu_ptr(dev->stats64);
++ unsigned long flags;
+ int status;
+
+ if (test_bit(EVENT_RX_PAUSED, &dev->flags)) {
+@@ -326,10 +327,10 @@ void usbnet_skb_return (struct usbnet *d
+ if (skb->protocol == 0)
+ skb->protocol = eth_type_trans (skb, dev->net);
+
+- u64_stats_update_begin(&stats64->syncp);
++ flags = u64_stats_update_begin_irqsave(&stats64->syncp);
+ stats64->rx_packets++;
+ stats64->rx_bytes += skb->len;
+- u64_stats_update_end(&stats64->syncp);
++ u64_stats_update_end_irqrestore(&stats64->syncp, flags);
+
+ netif_dbg(dev, rx_status, dev->net, "< rx, len %zu, type 0x%x\n",
+ skb->len + sizeof (struct ethhdr), skb->protocol);
+@@ -1250,11 +1251,12 @@ static void tx_complete (struct urb *urb
+
+ if (urb->status == 0) {
+ struct pcpu_sw_netstats *stats64 = this_cpu_ptr(dev->stats64);
++ unsigned long flags;
+
+- u64_stats_update_begin(&stats64->syncp);
++ flags = u64_stats_update_begin_irqsave(&stats64->syncp);
+ stats64->tx_packets += entry->packets;
+ stats64->tx_bytes += entry->length;
+- u64_stats_update_end(&stats64->syncp);
++ u64_stats_update_end_irqrestore(&stats64->syncp, flags);
+ } else {
+ dev->net->stats.tx_errors++;
+
+--- a/include/linux/u64_stats_sync.h
++++ b/include/linux/u64_stats_sync.h
+@@ -90,6 +90,28 @@ static inline void u64_stats_update_end(
+ #endif
+ }
+
++static inline unsigned long
++u64_stats_update_begin_irqsave(struct u64_stats_sync *syncp)
++{
++ unsigned long flags = 0;
++
++#if BITS_PER_LONG==32 && defined(CONFIG_SMP)
++ local_irq_save(flags);
++ write_seqcount_begin(&syncp->seq);
++#endif
++ return flags;
++}
++
++static inline void
++u64_stats_update_end_irqrestore(struct u64_stats_sync *syncp,
++ unsigned long flags)
++{
++#if BITS_PER_LONG==32 && defined(CONFIG_SMP)
++ write_seqcount_end(&syncp->seq);
++ local_irq_restore(flags);
++#endif
++}
++
+ static inline void u64_stats_update_begin_raw(struct u64_stats_sync *syncp)
+ {
+ #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 15 Feb 2018 00:23:05 +0100
+Subject: netfilter: don't set F_IFACE on ipv6 fib lookups
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 47b7e7f82802dced3ac73658bf4b77584a63063f ]
+
+"fib" starts to behave strangely when an ipv6 default route is
+added - the FIB lookup returns a route using 'oif' in this case.
+
+This behaviour was inherited from ip6tables rpfilter so change
+this as well.
+
+Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1221
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/netfilter/ip6t_rpfilter.c | 4 ----
+ net/ipv6/netfilter/nft_fib_ipv6.c | 12 ++----------
+ 2 files changed, 2 insertions(+), 14 deletions(-)
+
+--- a/net/ipv6/netfilter/ip6t_rpfilter.c
++++ b/net/ipv6/netfilter/ip6t_rpfilter.c
+@@ -48,10 +48,6 @@ static bool rpfilter_lookup_reverse6(str
+ }
+
+ fl6.flowi6_mark = flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0;
+- if ((flags & XT_RPFILTER_LOOSE) == 0) {
+- fl6.flowi6_oif = dev->ifindex;
+- lookup_flags |= RT6_LOOKUP_F_IFACE;
+- }
+
+ rt = (void *) ip6_route_lookup(net, &fl6, lookup_flags);
+ if (rt->dst.error)
+--- a/net/ipv6/netfilter/nft_fib_ipv6.c
++++ b/net/ipv6/netfilter/nft_fib_ipv6.c
+@@ -182,7 +182,6 @@ void nft_fib6_eval(const struct nft_expr
+ }
+
+ *dest = 0;
+- again:
+ rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, lookup_flags);
+ if (rt->dst.error)
+ goto put_rt_err;
+@@ -191,15 +190,8 @@ void nft_fib6_eval(const struct nft_expr
+ if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL))
+ goto put_rt_err;
+
+- if (oif && oif != rt->rt6i_idev->dev) {
+- /* multipath route? Try again with F_IFACE */
+- if ((lookup_flags & RT6_LOOKUP_F_IFACE) == 0) {
+- lookup_flags |= RT6_LOOKUP_F_IFACE;
+- fl6.flowi6_oif = oif->ifindex;
+- ip6_rt_put(rt);
+- goto again;
+- }
+- }
++ if (oif && oif != rt->rt6i_idev->dev)
++ goto put_rt_err;
+
+ switch (priv->result) {
+ case NFT_FIB_RESULT_OIF:
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 19 Feb 2018 01:24:53 +0100
+Subject: netfilter: ebtables: convert BUG_ONs to WARN_ONs
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit fc6a5d0601c5ac1d02f283a46f60b87b2033e5ca ]
+
+All of these conditions are not fatal and should have
+been WARN_ONs from the get-go.
+
+Convert them to WARN_ONs and bail out.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/netfilter/ebtables.c | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1641,7 +1641,8 @@ static int compat_match_to_user(struct e
+ int off = ebt_compat_match_offset(match, m->match_size);
+ compat_uint_t msize = m->match_size - off;
+
+- BUG_ON(off >= m->match_size);
++ if (WARN_ON(off >= m->match_size))
++ return -EINVAL;
+
+ if (copy_to_user(cm->u.name, match->name,
+ strlen(match->name) + 1) || put_user(msize, &cm->match_size))
+@@ -1671,7 +1672,8 @@ static int compat_target_to_user(struct
+ int off = xt_compat_target_offset(target);
+ compat_uint_t tsize = t->target_size - off;
+
+- BUG_ON(off >= t->target_size);
++ if (WARN_ON(off >= t->target_size))
++ return -EINVAL;
+
+ if (copy_to_user(cm->u.name, target->name,
+ strlen(target->name) + 1) || put_user(tsize, &cm->match_size))
+@@ -1906,7 +1908,8 @@ static int ebt_buf_add(struct ebt_entrie
+ if (state->buf_kern_start == NULL)
+ goto count_only;
+
+- BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len);
++ if (WARN_ON(state->buf_kern_offset + sz > state->buf_kern_len))
++ return -EINVAL;
+
+ memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
+
+@@ -1919,7 +1922,8 @@ static int ebt_buf_add_pad(struct ebt_en
+ {
+ char *b = state->buf_kern_start;
+
+- BUG_ON(b && state->buf_kern_offset > state->buf_kern_len);
++ if (WARN_ON(b && state->buf_kern_offset > state->buf_kern_len))
++ return -EINVAL;
+
+ if (b != NULL && sz > 0)
+ memset(b + state->buf_kern_offset, 0, sz);
+@@ -1996,8 +2000,10 @@ static int compat_mtw_from_user(struct c
+ pad = XT_ALIGN(size_kern) - size_kern;
+
+ if (pad > 0 && dst) {
+- BUG_ON(state->buf_kern_len <= pad);
+- BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad);
++ if (WARN_ON(state->buf_kern_len <= pad))
++ return -EINVAL;
++ if (WARN_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad))
++ return -EINVAL;
+ memset(dst + size_kern, 0, pad);
+ }
+ return off + match_size;
+@@ -2047,7 +2053,8 @@ static int ebt_size_mwt(struct compat_eb
+ if (ret < 0)
+ return ret;
+
+- BUG_ON(ret < match32->match_size);
++ if (WARN_ON(ret < match32->match_size))
++ return -EINVAL;
+ growth += ret - match32->match_size;
+ growth += ebt_compat_entry_padsize();
+
+@@ -2156,7 +2163,8 @@ static int size_entry_mwt(struct ebt_ent
+
+ startoff = state->buf_user_offset - startoff;
+
+- BUG_ON(*total < startoff);
++ if (WARN_ON(*total < startoff))
++ return -EINVAL;
+ *total -= startoff;
+ return 0;
+ }
+@@ -2285,7 +2293,8 @@ static int compat_do_replace(struct net
+ state.buf_kern_len = size64;
+
+ ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
+- BUG_ON(ret < 0); /* parses same data again */
++ if (WARN_ON(ret < 0))
++ goto out_unlock;
+
+ vfree(entries_tmp);
+ tmp.entries_size = size64;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 8 Mar 2018 12:54:19 +0100
+Subject: netfilter: ebtables: fix erroneous reject of last rule
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 932909d9b28d27e807ff8eecb68c7748f6701628 ]
+
+The last rule in the blob has next_entry offset that is same as total size.
+This made "ebtables32 -A OUTPUT -d de:ad:be:ef:01:02" fail on 64 bit kernel.
+
+Fixes: b71812168571fa ("netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/netfilter/ebtables.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -2123,8 +2123,12 @@ static int size_entry_mwt(struct ebt_ent
+ * offsets are relative to beginning of struct ebt_entry (i.e., 0).
+ */
+ for (i = 0; i < 4 ; ++i) {
+- if (offsets[i] >= *total)
++ if (offsets[i] > *total)
+ return -EINVAL;
++
++ if (i < 3 && offsets[i] == *total)
++ return -EINVAL;
++
+ if (i == 0)
+ continue;
+ if (offsets[i-1] > offsets[i])
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 16 Feb 2018 12:49:33 +0100
+Subject: netfilter: ipt_CLUSTERIP: put config instead of freeing it
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 1a9da5937386dbe553ffcf6c65d985bd48c347c5 ]
+
+Once struct is added to per-netns list it becomes visible to other cpus,
+so we cannot use kfree().
+
+Also delay setting entries refcount to 1 until after everything is
+initialised so that when we call clusterip_config_put() in this spot
+entries is still zero.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/netfilter/ipt_CLUSTERIP.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
+@@ -228,7 +228,6 @@ clusterip_config_init(struct net *net, c
+ c->hash_mode = i->hash_mode;
+ c->hash_initval = i->hash_initval;
+ refcount_set(&c->refcount, 1);
+- refcount_set(&c->entries, 1);
+
+ spin_lock_bh(&cn->lock);
+ if (__clusterip_config_find(net, ip)) {
+@@ -259,8 +258,10 @@ clusterip_config_init(struct net *net, c
+
+ c->notifier.notifier_call = clusterip_netdev_event;
+ err = register_netdevice_notifier(&c->notifier);
+- if (!err)
++ if (!err) {
++ refcount_set(&c->entries, 1);
+ return c;
++ }
+
+ #ifdef CONFIG_PROC_FS
+ proc_remove(c->pde);
+@@ -269,7 +270,7 @@ err:
+ spin_lock_bh(&cn->lock);
+ list_del_rcu(&c->list);
+ spin_unlock_bh(&cn->lock);
+- kfree(c);
++ clusterip_config_put(c);
+
+ return ERR_PTR(err);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 16 Feb 2018 12:49:32 +0100
+Subject: netfilter: ipt_CLUSTERIP: put config struct if we can't increment ct refcount
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 8ae56822812ddedc26a152ab1916eb30120b4748 ]
+
+This needs to put() the entry to avoid a resource leak in error path.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/netfilter/ipt_CLUSTERIP.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
+@@ -492,12 +492,15 @@ static int clusterip_tg_check(const stru
+ return PTR_ERR(config);
+ }
+ }
+- cipinfo->config = config;
+
+ ret = nf_ct_netns_get(par->net, par->family);
+- if (ret < 0)
++ if (ret < 0) {
+ pr_info("cannot load conntrack support for proto=%u\n",
+ par->family);
++ clusterip_config_entry_put(par->net, config);
++ clusterip_config_put(config);
++ return ret;
++ }
+
+ if (!par->net->xt.clusterip_deprecated_warning) {
+ pr_info("ipt_CLUSTERIP is deprecated and it will removed soon, "
+@@ -505,6 +508,7 @@ static int clusterip_tg_check(const stru
+ par->net->xt.clusterip_deprecated_warning = true;
+ }
+
++ cipinfo->config = config;
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+Date: Thu, 22 Mar 2018 21:12:39 -0600
+Subject: netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6}
+
+From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+
+[ Upstream commit 32c1733f0dd4bd11d6e65512bf4dc337c0452c8e ]
+
+skb_header_pointer will copy data into a buffer if data is non linear,
+otherwise it will return a pointer in the linear section of the data.
+nf_sk_lookup_slow_v{4,6} always copies data of size udphdr but later
+accesses memory within the size of tcphdr (th->doff) in case of TCP
+packets. This causes a crash when running with KASAN with the following
+call stack -
+
+BUG: KASAN: stack-out-of-bounds in xt_socket_lookup_slow_v4+0x524/0x718
+net/netfilter/xt_socket.c:178
+Read of size 2 at addr ffffffe3d417a87c by task syz-executor/28971
+CPU: 2 PID: 28971 Comm: syz-executor Tainted: G B W O 4.9.65+ #1
+Call trace:
+[<ffffff9467e8d390>] dump_backtrace+0x0/0x428 arch/arm64/kernel/traps.c:76
+[<ffffff9467e8d7e0>] show_stack+0x28/0x38 arch/arm64/kernel/traps.c:226
+[<ffffff946842d9b8>] __dump_stack lib/dump_stack.c:15 [inline]
+[<ffffff946842d9b8>] dump_stack+0xd4/0x124 lib/dump_stack.c:51
+[<ffffff946811d4b0>] print_address_description+0x68/0x258 mm/kasan/report.c:248
+[<ffffff946811d8c8>] kasan_report_error mm/kasan/report.c:347 [inline]
+[<ffffff946811d8c8>] kasan_report.part.2+0x228/0x2f0 mm/kasan/report.c:371
+[<ffffff946811df44>] kasan_report+0x5c/0x70 mm/kasan/report.c:372
+[<ffffff946811bebc>] check_memory_region_inline mm/kasan/kasan.c:308 [inline]
+[<ffffff946811bebc>] __asan_load2+0x84/0x98 mm/kasan/kasan.c:739
+[<ffffff94694d6f04>] __tcp_hdrlen include/linux/tcp.h:35 [inline]
+[<ffffff94694d6f04>] xt_socket_lookup_slow_v4+0x524/0x718 net/netfilter/xt_socket.c:178
+
+Fix this by copying data into appropriate size headers based on protocol.
+
+Fixes: a583636a83ea ("inet: refactor inet[6]_lookup functions to take skb")
+Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
+Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/netfilter/nf_socket_ipv4.c | 6 ++++--
+ net/ipv6/netfilter/nf_socket_ipv6.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/netfilter/nf_socket_ipv4.c
++++ b/net/ipv4/netfilter/nf_socket_ipv4.c
+@@ -108,10 +108,12 @@ struct sock *nf_sk_lookup_slow_v4(struct
+ int doff = 0;
+
+ if (iph->protocol == IPPROTO_UDP || iph->protocol == IPPROTO_TCP) {
+- struct udphdr _hdr, *hp;
++ struct tcphdr _hdr;
++ struct udphdr *hp;
+
+ hp = skb_header_pointer(skb, ip_hdrlen(skb),
+- sizeof(_hdr), &_hdr);
++ iph->protocol == IPPROTO_UDP ?
++ sizeof(*hp) : sizeof(_hdr), &_hdr);
+ if (hp == NULL)
+ return NULL;
+
+--- a/net/ipv6/netfilter/nf_socket_ipv6.c
++++ b/net/ipv6/netfilter/nf_socket_ipv6.c
+@@ -116,9 +116,11 @@ struct sock *nf_sk_lookup_slow_v6(struct
+ }
+
+ if (tproto == IPPROTO_UDP || tproto == IPPROTO_TCP) {
+- struct udphdr _hdr, *hp;
++ struct tcphdr _hdr;
++ struct udphdr *hp;
+
+- hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
++ hp = skb_header_pointer(skb, thoff, tproto == IPPROTO_UDP ?
++ sizeof(*hp) : sizeof(_hdr), &_hdr);
+ if (hp == NULL)
+ return NULL;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Richard Haines <richard_c_haines@btinternet.com>
+Date: Mon, 13 Nov 2017 20:54:22 +0000
+Subject: netlabel: If PF_INET6, check sk_buff ip header version
+
+From: Richard Haines <richard_c_haines@btinternet.com>
+
+[ Upstream commit 213d7f94775322ba44e0bbb55ec6946e9de88cea ]
+
+When resolving a fallback label, check the sk_buff version as it
+is possible (e.g. SCTP) to have family = PF_INET6 while
+receiving ip_hdr(skb)->version = 4.
+
+Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlabel/netlabel_unlabeled.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/netlabel/netlabel_unlabeled.c
++++ b/net/netlabel/netlabel_unlabeled.c
+@@ -1472,6 +1472,16 @@ int netlbl_unlabel_getattr(const struct
+ iface = rcu_dereference(netlbl_unlhsh_def);
+ if (iface == NULL || !iface->valid)
+ goto unlabel_getattr_nolabel;
++
++#if IS_ENABLED(CONFIG_IPV6)
++ /* When resolving a fallback label, check the sk_buff version as
++ * it is possible (e.g. SCTP) to have family = PF_INET6 while
++ * receiving ip_hdr(skb)->version = 4.
++ */
++ if (family == PF_INET6 && ip_hdr(skb)->version == 4)
++ family = PF_INET;
++#endif /* IPv6 */
++
+ switch (family) {
+ case PF_INET: {
+ struct iphdr *hdr4;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 14 Feb 2018 15:45:07 -0800
+Subject: NFC: llcp: Limit size of SDP URI
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit fe9c842695e26d8116b61b80bfb905356f07834b ]
+
+The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce
+this both in the NLA policy and in the code that performs the allocation
+and copy, to avoid writing past the end of the allocated buffer.
+
+Fixes: d9b8d8e19b073 ("NFC: llcp: Service Name Lookup netlink interface")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_commands.c | 4 ++++
+ net/nfc/netlink.c | 3 ++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -149,6 +149,10 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_
+
+ pr_debug("uri: %s, len: %zu\n", uri, uri_len);
+
++ /* sdreq->tlv_len is u8, takes uri_len, + 3 for header, + 1 for NULL */
++ if (WARN_ON_ONCE(uri_len > U8_MAX - 4))
++ return NULL;
++
+ sdreq = kzalloc(sizeof(struct nfc_llcp_sdp_tlv), GFP_KERNEL);
+ if (sdreq == NULL)
+ return NULL;
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -61,7 +61,8 @@ static const struct nla_policy nfc_genl_
+ };
+
+ static const struct nla_policy nfc_sdp_genl_policy[NFC_SDP_ATTR_MAX + 1] = {
+- [NFC_SDP_ATTR_URI] = { .type = NLA_STRING },
++ [NFC_SDP_ATTR_URI] = { .type = NLA_STRING,
++ .len = U8_MAX - 4 },
+ [NFC_SDP_ATTR_SAP] = { .type = NLA_U8 },
+ };
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: "Bill.Baker@oracle.com" <Bill.Baker@oracle.com>
+Date: Wed, 21 Feb 2018 12:46:43 -0600
+Subject: nfs: system crashes after NFS4ERR_MOVED recovery
+
+From: "Bill.Baker@oracle.com" <Bill.Baker@oracle.com>
+
+[ Upstream commit ad86f605c59500da82d196ac312cfbac3daba31d ]
+
+nfs4_update_server unconditionally releases the nfs_client for the
+source server. If migration fails, this can cause the source server's
+nfs_client struct to be left with a low reference count, resulting in
+use-after-free. Also, adjust reference count handling for ELOOP.
+
+NFS: state manager: migration failed on NFSv4 server nfsvmu10 with error 6
+WARNING: CPU: 16 PID: 17960 at fs/nfs/client.c:281 nfs_put_client+0xfa/0x110 [nfs]()
+ nfs_put_client+0xfa/0x110 [nfs]
+ nfs4_run_state_manager+0x30/0x40 [nfsv4]
+ kthread+0xd8/0xf0
+
+BUG: unable to handle kernel NULL pointer dereference at 00000000000002a8
+ nfs4_xdr_enc_write+0x6b/0x160 [nfsv4]
+ rpcauth_wrap_req+0xac/0xf0 [sunrpc]
+ call_transmit+0x18c/0x2c0 [sunrpc]
+ __rpc_execute+0xa6/0x490 [sunrpc]
+ rpc_async_schedule+0x15/0x20 [sunrpc]
+ process_one_work+0x160/0x470
+ worker_thread+0x112/0x540
+ ? rescuer_thread+0x3f0/0x3f0
+ kthread+0xd8/0xf0
+
+This bug was introduced by 32e62b7c ("NFS: Add nfs4_update_server"),
+but the fix applies cleanly to 52442f9b ("NFS4: Avoid migration loops")
+
+Reported-by: Helen Chao <helen.chao@oracle.com>
+Fixes: 52442f9b11b7 ("NFS4: Avoid migration loops")
+Signed-off-by: Bill Baker <bill.baker@oracle.com>
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4client.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4client.c
++++ b/fs/nfs/nfs4client.c
+@@ -858,8 +858,10 @@ static int nfs4_set_client(struct nfs_se
+ if (IS_ERR(clp))
+ return PTR_ERR(clp);
+
+- if (server->nfs_client == clp)
++ if (server->nfs_client == clp) {
++ nfs_put_client(clp);
+ return -ELOOP;
++ }
+
+ /*
+ * Query for the lease time on clientid setup or renewal
+@@ -1217,11 +1219,11 @@ int nfs4_update_server(struct nfs_server
+ clp->cl_proto, clnt->cl_timeout,
+ clp->cl_minorversion, net);
+ clear_bit(NFS_MIG_TSM_POSSIBLE, &server->mig_status);
+- nfs_put_client(clp);
+ if (error != 0) {
+ nfs_server_insert_lists(server);
+ return error;
+ }
++ nfs_put_client(clp);
+
+ if (server->nfs_client->cl_hostname == NULL)
+ server->nfs_client->cl_hostname = kstrdup(hostname, GFP_KERNEL);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Thu, 12 Apr 2018 09:16:06 -0600
+Subject: nvme: don't send keep-alives to the discovery controller
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+[ Upstream commit 74c6c71530847808d4e3be7b205719270efee80c ]
+
+NVMe over Fabrics 1.0 Section 5.2 "Discovery Controller Properties and
+Command Support" Figure 31 "Discovery Controller – Admin Commands"
+explicitly listst all commands but "Get Log Page" and "Identify" as
+reserved, but NetApp report the Linux host is sending Keep Alive
+commands to the discovery controller, which is a violation of the
+Spec.
+
+We're already checking for discovery controllers when configuring the
+keep alive timeout but when creating a discovery controller we're not
+hard wiring the keep alive timeout to 0 and thus remain on
+NVME_DEFAULT_KATO for the discovery controller.
+
+This can be easily remproduced when issuing a direct connect to the
+discovery susbsystem using:
+'nvme connect [...] --nqn=nqn.2014-08.org.nvmexpress.discovery'
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Fixes: 07bfcd09a288 ("nvme-fabrics: add a generic NVMe over Fabrics library")
+Reported-by: Martin George <marting@netapp.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/fabrics.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/fabrics.c
++++ b/drivers/nvme/host/fabrics.c
+@@ -606,8 +606,10 @@ static int nvmf_parse_options(struct nvm
+ opts->discovery_nqn =
+ !(strcmp(opts->subsysnqn,
+ NVME_DISC_SUBSYS_NAME));
+- if (opts->discovery_nqn)
++ if (opts->discovery_nqn) {
++ opts->kato = 0;
+ opts->nr_io_queues = 0;
++ }
+ break;
+ case NVMF_OPT_TRADDR:
+ p = match_strdup(args);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Jarosław Janik" <jaroslaw.janik@gmail.com>
+Date: Sun, 11 Mar 2018 19:51:56 +0100
+Subject: nvme-pci: disable APST for Samsung NVMe SSD 960 EVO + ASUS PRIME Z370-A
+
+From: "Jarosław Janik" <jaroslaw.janik@gmail.com>
+
+[ Upstream commit 467c77d4cbefaaf65e2f44fe102d543a52fcae5b ]
+
+Yet another "incompatible" Samsung NVMe SSD 960 EVO and Asus motherboard
+combination. 960 EVO device disappears from PCIe bus within few minutes
+after boot-up when APST is in use and never gets back. Forcing
+NVME_QUIRK_NO_APST is the only way to make this drive work with this
+particular motherboard. NVME_QUIRK_NO_DEEPEST_PS doesn't work, upgrading
+motherboard's BIOS didn't help either.
+Since this is a desktop motherboard, the only drawback of not using APST
+is increased device temperature.
+
+Signed-off-by: Jarosław Janik <jaroslaw.janik@gmail.com>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/pci.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2305,10 +2305,13 @@ static unsigned long check_vendor_combin
+ } else if (pdev->vendor == 0x144d && pdev->device == 0xa804) {
+ /*
+ * Samsung SSD 960 EVO drops off the PCIe bus after system
+- * suspend on a Ryzen board, ASUS PRIME B350M-A.
++ * suspend on a Ryzen board, ASUS PRIME B350M-A, as well as
++ * within few minutes after bootup on a Coffee Lake board -
++ * ASUS PRIME Z370-A
+ */
+ if (dmi_match(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC.") &&
+- dmi_match(DMI_BOARD_NAME, "PRIME B350M-A"))
++ (dmi_match(DMI_BOARD_NAME, "PRIME B350M-A") ||
++ dmi_match(DMI_BOARD_NAME, "PRIME Z370-A")))
+ return NVME_QUIRK_NO_APST;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Wen Xiong <wenxiong@linux.vnet.ibm.com>
+Date: Thu, 15 Feb 2018 14:05:10 -0600
+Subject: nvme-pci: Fix EEH failure on ppc
+
+From: Wen Xiong <wenxiong@linux.vnet.ibm.com>
+
+[ Upstream commit 651438bb0af5213f1f70d66e75bf11d08cb5537a ]
+
+Triggering PPC EEH detection and handling requires a memory mapped read
+failure. The NVMe driver removed the periodic health check MMIO, so
+there's no early detection mechanism to trigger the recovery. Instead,
+the detection now happens when the nvme driver handles an IO timeout
+event. This takes the pci channel offline, so we do not want the driver
+to proceed with escalating its own recovery efforts that may conflict
+with the EEH handler.
+
+This patch ensures the driver will observe the channel was set to offline
+after a failed MMIO read and resets the IO timer so the EEH handler has
+a chance to recover the device.
+
+Signed-off-by: Wen Xiong <wenxiong@linux.vnet.ibm.com>
+[updated change log]
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/pci.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1004,12 +1004,6 @@ static bool nvme_should_reset(struct nvm
+ if (!(csts & NVME_CSTS_CFS) && !nssro)
+ return false;
+
+- /* If PCI error recovery process is happening, we cannot reset or
+- * the recovery mechanism will surely fail.
+- */
+- if (pci_channel_offline(to_pci_dev(dev->dev)))
+- return false;
+-
+ return true;
+ }
+
+@@ -1040,6 +1034,13 @@ static enum blk_eh_timer_return nvme_tim
+ struct nvme_command cmd;
+ u32 csts = readl(dev->bar + NVME_REG_CSTS);
+
++ /* If PCI error recovery process is happening, we cannot reset or
++ * the recovery mechanism will surely fail.
++ */
++ mb();
++ if (pci_channel_offline(to_pci_dev(dev->dev)))
++ return BLK_EH_RESET_TIMER;
++
+ /*
+ * Reset immediately if the controller is failed
+ */
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Jianchao Wang <jianchao.w.wang@oracle.com>
+Date: Thu, 15 Feb 2018 19:13:41 +0800
+Subject: nvme-pci: Fix nvme queue cleanup if IRQ setup fails
+
+From: Jianchao Wang <jianchao.w.wang@oracle.com>
+
+[ Upstream commit f25a2dfc20e3a3ed8fe6618c331799dd7bd01190 ]
+
+This patch fixes nvme queue cleanup if requesting an IRQ handler for
+the queue's vector fails. It does this by resetting the cq_vector to
+the uninitialized value of -1 so it is ignored for a controller reset.
+
+Signed-off-by: Jianchao Wang <jianchao.w.wang@oracle.com>
+[changelog updates, removed misc whitespace changes]
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/pci.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1313,7 +1313,7 @@ static int nvme_create_queue(struct nvme
+ nvmeq->cq_vector = qid - 1;
+ result = adapter_alloc_cq(dev, qid, nvmeq);
+ if (result < 0)
+- return result;
++ goto release_vector;
+
+ result = adapter_alloc_sq(dev, qid, nvmeq);
+ if (result < 0)
+@@ -1327,9 +1327,12 @@ static int nvme_create_queue(struct nvme
+ return result;
+
+ release_sq:
++ dev->online_queues--;
+ adapter_delete_sq(dev, qid);
+ release_cq:
+ adapter_delete_cq(dev, qid);
++ release_vector:
++ nvmeq->cq_vector = -1;
+ return result;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Ming Lei <ming.lei@redhat.com>
+Date: Tue, 6 Feb 2018 20:17:42 +0800
+Subject: nvme: pci: pass max vectors as num_possible_cpus() to pci_alloc_irq_vectors
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 16ccfff2897613007b5eda9e29d65303c6280026 ]
+
+84676c1f21 ("genirq/affinity: assign vectors to all possible CPUs")
+has switched to do irq vectors spread among all possible CPUs, so
+pass num_possible_cpus() as max vecotrs to be assigned.
+
+For example, in a 8 cores system, 0~3 online, 4~8 offline/not present,
+see 'lscpu':
+
+ [ming@box]$lscpu
+ Architecture: x86_64
+ CPU op-mode(s): 32-bit, 64-bit
+ Byte Order: Little Endian
+ CPU(s): 4
+ On-line CPU(s) list: 0-3
+ Thread(s) per core: 1
+ Core(s) per socket: 2
+ Socket(s): 2
+ NUMA node(s): 2
+ ...
+ NUMA node0 CPU(s): 0-3
+ NUMA node1 CPU(s):
+ ...
+
+1) before this patch, follows the allocated vectors and their affinity:
+ irq 47, cpu list 0,4
+ irq 48, cpu list 1,6
+ irq 49, cpu list 2,5
+ irq 50, cpu list 3,7
+
+2) after this patch, follows the allocated vectors and their affinity:
+ irq 43, cpu list 0
+ irq 44, cpu list 1
+ irq 45, cpu list 2
+ irq 46, cpu list 3
+ irq 47, cpu list 4
+ irq 48, cpu list 6
+ irq 49, cpu list 5
+ irq 50, cpu list 7
+
+Cc: Keith Busch <keith.busch@intel.com>
+Cc: Sagi Grimberg <sagi@grimberg.me>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1761,7 +1761,7 @@ static int nvme_setup_io_queues(struct n
+ int result, nr_io_queues;
+ unsigned long size;
+
+- nr_io_queues = num_present_cpus();
++ nr_io_queues = num_possible_cpus();
+ result = nvme_set_queue_count(&dev->ctrl, &nr_io_queues);
+ if (result < 0)
+ return result;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Max Gurtovoy <maxg@mellanox.com>
+Date: Wed, 24 Jan 2018 17:31:45 +0200
+Subject: nvmet: fix PSDT field check in command format
+
+From: Max Gurtovoy <maxg@mellanox.com>
+
+[ Upstream commit bffd2b61670feef18d2535e9b53364d270a1c991 ]
+
+PSDT field section according to NVM_Express-1.3:
+"This field specifies whether PRPs or SGLs are used for any data
+transfer associated with the command. PRPs shall be used for all
+Admin commands for NVMe over PCIe. SGLs shall be used for all Admin
+and I/O commands for NVMe over Fabrics. This field shall be set to
+01b for NVMe over Fabrics 1.0 implementations.
+
+Suggested-by: Idan Burstein <idanb@mellanox.com>
+Signed-off-by: Max Gurtovoy <maxg@mellanox.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/target/core.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -505,9 +505,12 @@ bool nvmet_req_init(struct nvmet_req *re
+ goto fail;
+ }
+
+- /* either variant of SGLs is fine, as we don't support metadata */
+- if (unlikely((flags & NVME_CMD_SGL_ALL) != NVME_CMD_SGL_METABUF &&
+- (flags & NVME_CMD_SGL_ALL) != NVME_CMD_SGL_METASEG)) {
++ /*
++ * For fabrics, PSDT field shall describe metadata pointer (MPTR) that
++ * contains an address of a single contiguous physical buffer that is
++ * byte aligned.
++ */
++ if (unlikely((flags & NVME_CMD_SGL_ALL) != NVME_CMD_SGL_METABUF)) {
+ status = NVME_SC_INVALID_FIELD | NVME_SC_DNR;
+ goto fail;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jun Piao <piaojun@huawei.com>
+Date: Thu, 5 Apr 2018 16:18:48 -0700
+Subject: ocfs2/dlm: don't handle migrate lockres if already in shutdown
+
+From: Jun Piao <piaojun@huawei.com>
+
+[ Upstream commit bb34f24c7d2c98d0c81838a7700e6068325b17a0 ]
+
+We should not handle migrate lockres if we are already in
+'DLM_CTXT_IN_SHUTDOWN', as that will cause lockres remains after leaving
+dlm domain. At last other nodes will get stuck into infinite loop when
+requsting lock from us.
+
+The problem is caused by concurrency umount between nodes. Before
+receiveing N1's DLM_BEGIN_EXIT_DOMAIN_MSG, N2 has picked up N1 as the
+migrate target. So N2 will continue sending lockres to N1 even though
+N1 has left domain.
+
+ N1 N2 (owner)
+ touch file
+
+ access the file,
+ and get pr lock
+
+ begin leave domain and
+ pick up N1 as new owner
+
+ begin leave domain and
+ migrate all lockres done
+
+ begin migrate lockres to N1
+
+ end leave domain, but
+ the lockres left
+ unexpectedly, because
+ migrate task has passed
+
+[piaojun@huawei.com: v3]
+ Link: http://lkml.kernel.org/r/5A9CBD19.5020107@huawei.com
+Link: http://lkml.kernel.org/r/5A99F028.2090902@huawei.com
+Signed-off-by: Jun Piao <piaojun@huawei.com>
+Reviewed-by: Yiwen Jiang <jiangyiwen@huawei.com>
+Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
+Reviewed-by: Changwei Ge <ge.changwei@h3c.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/dlm/dlmdomain.c | 14 --------------
+ fs/ocfs2/dlm/dlmdomain.h | 25 ++++++++++++++++++++++++-
+ fs/ocfs2/dlm/dlmrecovery.c | 9 +++++++++
+ 3 files changed, 33 insertions(+), 15 deletions(-)
+
+--- a/fs/ocfs2/dlm/dlmdomain.c
++++ b/fs/ocfs2/dlm/dlmdomain.c
+@@ -676,20 +676,6 @@ static void dlm_leave_domain(struct dlm_
+ spin_unlock(&dlm->spinlock);
+ }
+
+-int dlm_shutting_down(struct dlm_ctxt *dlm)
+-{
+- int ret = 0;
+-
+- spin_lock(&dlm_domain_lock);
+-
+- if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN)
+- ret = 1;
+-
+- spin_unlock(&dlm_domain_lock);
+-
+- return ret;
+-}
+-
+ void dlm_unregister_domain(struct dlm_ctxt *dlm)
+ {
+ int leave = 0;
+--- a/fs/ocfs2/dlm/dlmdomain.h
++++ b/fs/ocfs2/dlm/dlmdomain.h
+@@ -28,7 +28,30 @@
+ extern spinlock_t dlm_domain_lock;
+ extern struct list_head dlm_domains;
+
+-int dlm_shutting_down(struct dlm_ctxt *dlm);
++static inline int dlm_joined(struct dlm_ctxt *dlm)
++{
++ int ret = 0;
++
++ spin_lock(&dlm_domain_lock);
++ if (dlm->dlm_state == DLM_CTXT_JOINED)
++ ret = 1;
++ spin_unlock(&dlm_domain_lock);
++
++ return ret;
++}
++
++static inline int dlm_shutting_down(struct dlm_ctxt *dlm)
++{
++ int ret = 0;
++
++ spin_lock(&dlm_domain_lock);
++ if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN)
++ ret = 1;
++ spin_unlock(&dlm_domain_lock);
++
++ return ret;
++}
++
+ void dlm_fire_domain_eviction_callbacks(struct dlm_ctxt *dlm,
+ int node_num);
+
+--- a/fs/ocfs2/dlm/dlmrecovery.c
++++ b/fs/ocfs2/dlm/dlmrecovery.c
+@@ -1378,6 +1378,15 @@ int dlm_mig_lockres_handler(struct o2net
+ if (!dlm_grab(dlm))
+ return -EINVAL;
+
++ if (!dlm_joined(dlm)) {
++ mlog(ML_ERROR, "Domain %s not joined! "
++ "lockres %.*s, master %u\n",
++ dlm->name, mres->lockname_len,
++ mres->lockname, mres->master);
++ dlm_put(dlm);
++ return -EINVAL;
++ }
++
+ BUG_ON(!(mres->flags & (DLM_MRES_RECOVERY|DLM_MRES_MIGRATION)));
+
+ real_master = mres->master;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Helge Deller <deller@gmx.de>
+Date: Sun, 25 Mar 2018 14:04:22 +0200
+Subject: parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit b845f66f78bf42a4ce98e5cfe0e94fab41dd0742 ]
+
+Carlo Pisani noticed that his C3600 workstation behaved unstable during heavy
+I/O on the PCI bus with a VIA VT6421 IDE/SATA PCI card.
+
+To avoid such instability, this patch switches the LBA PCI bus from Hard Fail
+mode into Soft Fail mode. In this mode the bus will return -1UL for timed out
+MMIO transactions, which is exactly how the x86 (and most other architectures)
+PCI busses behave.
+
+This patch is based on a proposal by Grant Grundler and Kyle McMartin 10
+years ago:
+https://www.spinics.net/lists/linux-parisc/msg01027.html
+
+Cc: Carlo Pisani <carlojpisani@gmail.com>
+Cc: Kyle McMartin <kyle@mcmartin.ca>
+Reviewed-by: Grant Grundler <grantgrundler@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/parisc/lba_pci.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/parisc/lba_pci.c
++++ b/drivers/parisc/lba_pci.c
+@@ -1403,9 +1403,27 @@ lba_hw_init(struct lba_device *d)
+ WRITE_REG32(stat, d->hba.base_addr + LBA_ERROR_CONFIG);
+ }
+
+- /* Set HF mode as the default (vs. -1 mode). */
++
++ /*
++ * Hard Fail vs. Soft Fail on PCI "Master Abort".
++ *
++ * "Master Abort" means the MMIO transaction timed out - usually due to
++ * the device not responding to an MMIO read. We would like HF to be
++ * enabled to find driver problems, though it means the system will
++ * crash with a HPMC.
++ *
++ * In SoftFail mode "~0L" is returned as a result of a timeout on the
++ * pci bus. This is like how PCI busses on x86 and most other
++ * architectures behave. In order to increase compatibility with
++ * existing (x86) PCI hardware and existing Linux drivers we enable
++ * Soft Faul mode on PA-RISC now too.
++ */
+ stat = READ_REG32(d->hba.base_addr + LBA_STAT_CTL);
++#if defined(ENABLE_HARDFAIL)
+ WRITE_REG32(stat | HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL);
++#else
++ WRITE_REG32(stat & ~HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL);
++#endif
+
+ /*
+ ** Writing a zero to STAT_CTL.rf (bit 0) will clear reset signal
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Thomas Vincent-Cross <me@tvc.id.au>
+Date: Tue, 27 Feb 2018 20:20:36 +1100
+Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9220
+
+From: Thomas Vincent-Cross <me@tvc.id.au>
+
+[ Upstream commit 832e4e1f76b8a84991e9db56fdcef1ebce839b8b ]
+
+Add Marvell 88SE9220 DMA quirk as found and tested on bug 42679.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=42679
+Signed-off-by: Thomas Vincent-Cross <me@tvc.id.au>
+Signed-off-by: Bjorn Helgaas <helgaas@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3896,6 +3896,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M
+ /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c46 */
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x91a0,
+ quirk_dma_func1_alias);
++/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c127 */
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9220,
++ quirk_dma_func1_alias);
+ /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230,
+ quirk_dma_func1_alias);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com>
+Date: Wed, 28 Feb 2018 18:32:19 +0100
+Subject: PCI: endpoint: Fix kernel panic after put_device()
+
+From: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com>
+
+[ Upstream commit 9eef6a5c3b0bf90eb292d462ea267bcb6ad1c334 ]
+
+'put_device()' calls the relase function 'pci_epf_dev_release()',
+which already frees 'epf->name' and 'epf'.
+
+Therefore we must not free them again after 'put_device()'.
+
+Fixes: 5e8cb4033807 ("PCI: endpoint: Add EP core layer to enable EP controller and EP functions")
+
+Signed-off-by: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Kishon Vijay Abraham I <kishon@ti.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/pci-epf-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/endpoint/pci-epf-core.c
++++ b/drivers/pci/endpoint/pci-epf-core.c
+@@ -254,7 +254,7 @@ struct pci_epf *pci_epf_create(const cha
+
+ put_dev:
+ put_device(dev);
+- kfree(epf->name);
++ return ERR_PTR(ret);
+
+ free_func_name:
+ kfree(func_name);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Date: Sat, 3 Mar 2018 10:53:24 +0100
+Subject: PCI: Restore config space on runtime resume despite being unbound
+
+From: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+
+[ Upstream commit 5775b843a619b3c93f946e2b55a208d9f0f48b59 ]
+
+We leave PCI devices not bound to a driver in D0 during runtime suspend.
+But they may have a parent which is bound and can be transitioned to
+D3cold at runtime. Once the parent goes to D3cold, the unbound child
+may go to D3cold as well. When the child goes to D3cold, its internal
+state, including configuration of BARs, MSI, ASPM, MPS, etc., is lost.
+
+One example are recent hybrid graphics laptops which cut power to the
+discrete GPU when the root port above it goes to ACPI power state D3.
+Users may provoke this by unbinding the GPU driver and allowing runtime
+PM on the GPU via sysfs: The PM core will then treat the GPU as
+"suspended", which in turn allows the root port to runtime suspend,
+causing the power resources listed in its _PR3 object to be powered off.
+The GPU's BARs will be uninitialized when a driver later probes it.
+
+Another example are hybrid graphics laptops where the GPU itself (rather
+than the root port) is capable of runtime suspending to D3cold. If the
+GPU's integrated HDA controller is not bound and the GPU's driver
+decides to runtime suspend to D3cold, the HDA controller's BARs will be
+uninitialized when a driver later probes it.
+
+Fix by saving and restoring config space over a runtime suspend cycle
+even if the device is not bound.
+
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Peter Wu <peter@lekensteyn.nl> # Nvidia Optimus
+Tested-by: Lukas Wunner <lukas@wunner.de> # MacBook Pro
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+[lukas: add commit message, bikeshed code comments for clarity]
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/92fb6e6ae2730915eb733c08e2f76c6a313e3860.1520068884.git.lukas@wunner.de
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci-driver.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -1164,11 +1164,14 @@ static int pci_pm_runtime_suspend(struct
+ int error;
+
+ /*
+- * If pci_dev->driver is not set (unbound), the device should
+- * always remain in D0 regardless of the runtime PM status
++ * If pci_dev->driver is not set (unbound), we leave the device in D0,
++ * but it may go to D3cold when the bridge above it runtime suspends.
++ * Save its config space in case that happens.
+ */
+- if (!pci_dev->driver)
++ if (!pci_dev->driver) {
++ pci_save_state(pci_dev);
+ return 0;
++ }
+
+ if (!pm || !pm->runtime_suspend)
+ return -ENOSYS;
+@@ -1216,16 +1219,18 @@ static int pci_pm_runtime_resume(struct
+ const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;
+
+ /*
+- * If pci_dev->driver is not set (unbound), the device should
+- * always remain in D0 regardless of the runtime PM status
++ * Restoring config space is necessary even if the device is not bound
++ * to a driver because although we left it in D0, it may have gone to
++ * D3cold when the bridge above it runtime suspended.
+ */
++ pci_restore_standard_config(pci_dev);
++
+ if (!pci_dev->driver)
+ return 0;
+
+ if (!pm || !pm->runtime_resume)
+ return -ENOSYS;
+
+- pci_restore_standard_config(pci_dev);
+ pci_fixup_device(pci_fixup_resume_early, pci_dev);
+ pci_enable_wake(pci_dev, PCI_D0, false);
+ pci_fixup_device(pci_fixup_resume, pci_dev);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Wed, 21 Feb 2018 13:24:16 +0100
+Subject: PCMCIA / PM: Avoid noirq suspend aborts during suspend-to-idle
+
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+
+[ Upstream commit dbdd0f58fd2cdde5cf945c9da67a2d52d32ba550 ]
+
+There is a problem with PCMCIA system resume callbacks with respect
+to suspend-to-idle in which the ->suspend_noirq() callback may be
+invoked after the ->resume_noirq() one without resuming the system
+entirely in some cases. This doesn't work for PCMCIA because of
+the lack of symmetry between its system suspend and system resume
+"noirq" callbacks.
+
+The system resume handling in PCMCIA is split between
+socket_early_resume() and socket_late_resume() which are called in
+different phases of system resume and both need to run for
+socket_suspend() (invoked by the system suspend "noirq" callback)
+to work. Specifically, socket_suspend() returns an error when
+called after socket_early_resume() without socket_late_resume(),
+so if the suspend-to-idle core detects a spurious wakeup event and
+attempts to put the system back to sleep, that is aborted by the
+error coming from socket_suspend().
+
+Avoid that by using a new socket state flag, SOCKET_IN_RESUME,
+to indicate that socket_early_resume() has already run for the
+socket in which case socket_suspend() will do minimum handling
+and return 0.
+
+This change has been tested on my venerable Toshiba Portege R500
+(which is where the problem has been discovered in the first place),
+but admittedly I have no PCMCIA cards to test along with the socket
+itself.
+
+Fixes: 33e4f80ee69b (ACPI / PM: Ignore spurious SCI wakeups from suspend-to-idle)
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+[linux@dominikbrodowski.net: follow same codepaths for both suspend variants; call ->suspend()]
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pcmcia/cs.c | 10 +++++++---
+ drivers/pcmcia/cs_internal.h | 1 +
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/pcmcia/cs.c
++++ b/drivers/pcmcia/cs.c
+@@ -452,17 +452,20 @@ static int socket_insert(struct pcmcia_s
+
+ static int socket_suspend(struct pcmcia_socket *skt)
+ {
+- if (skt->state & SOCKET_SUSPEND)
++ if ((skt->state & SOCKET_SUSPEND) && !(skt->state & SOCKET_IN_RESUME))
+ return -EBUSY;
+
+ mutex_lock(&skt->ops_mutex);
+- skt->suspended_state = skt->state;
++ /* store state on first suspend, but not after spurious wakeups */
++ if (!(skt->state & SOCKET_IN_RESUME))
++ skt->suspended_state = skt->state;
+
+ skt->socket = dead_socket;
+ skt->ops->set_socket(skt, &skt->socket);
+ if (skt->ops->suspend)
+ skt->ops->suspend(skt);
+ skt->state |= SOCKET_SUSPEND;
++ skt->state &= ~SOCKET_IN_RESUME;
+ mutex_unlock(&skt->ops_mutex);
+ return 0;
+ }
+@@ -475,6 +478,7 @@ static int socket_early_resume(struct pc
+ skt->ops->set_socket(skt, &skt->socket);
+ if (skt->state & SOCKET_PRESENT)
+ skt->resume_status = socket_setup(skt, resume_delay);
++ skt->state |= SOCKET_IN_RESUME;
+ mutex_unlock(&skt->ops_mutex);
+ return 0;
+ }
+@@ -484,7 +488,7 @@ static int socket_late_resume(struct pcm
+ int ret = 0;
+
+ mutex_lock(&skt->ops_mutex);
+- skt->state &= ~SOCKET_SUSPEND;
++ skt->state &= ~(SOCKET_SUSPEND | SOCKET_IN_RESUME);
+ mutex_unlock(&skt->ops_mutex);
+
+ if (!(skt->state & SOCKET_PRESENT)) {
+--- a/drivers/pcmcia/cs_internal.h
++++ b/drivers/pcmcia/cs_internal.h
+@@ -70,6 +70,7 @@ struct pccard_resource_ops {
+ /* Flags in socket state */
+ #define SOCKET_PRESENT 0x0008
+ #define SOCKET_INUSE 0x0010
++#define SOCKET_IN_RESUME 0x0040
+ #define SOCKET_SUSPEND 0x0080
+ #define SOCKET_WIN_REQ(i) (0x0100<<(i))
+ #define SOCKET_CARDBUS 0x8000
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 23 Feb 2018 08:12:42 -0800
+Subject: percpu: add a schedule point in pcpu_balance_workfn()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit accd4f36a7d11c2d54544007eb65e10604dcf2f5 ]
+
+When a large BPF percpu map is destroyed, I have seen
+pcpu_balance_workfn() holding cpu for hundreds of milliseconds.
+
+On KASAN config and 112 hyperthreads, average time to destroy a chunk
+is ~4 ms.
+
+[ 2489.841376] destroy chunk 1 in 4148689 ns
+...
+[ 2490.093428] destroy chunk 32 in 4072718 ns
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/percpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/percpu.c
++++ b/mm/percpu.c
+@@ -1611,6 +1611,7 @@ static void pcpu_balance_workfn(struct w
+ spin_unlock_irq(&pcpu_lock);
+ }
+ pcpu_destroy_chunk(chunk);
++ cond_resched();
+ }
+
+ /*
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Song Liu <songliubraving@fb.com>
+Date: Mon, 12 Mar 2018 09:59:43 -0700
+Subject: perf/cgroup: Fix child event counting bug
+
+From: Song Liu <songliubraving@fb.com>
+
+[ Upstream commit c917e0f259908e75bd2a65877e25f9d90c22c848 ]
+
+When a perf_event is attached to parent cgroup, it should count events
+for all children cgroups:
+
+ parent_group <---- perf_event
+ \
+ - child_group <---- process(es)
+
+However, in our tests, we found this perf_event cannot report reliable
+results. Here is an example case:
+
+ # create cgroups
+ mkdir -p /sys/fs/cgroup/p/c
+ # start perf for parent group
+ perf stat -e instructions -G "p"
+
+ # on another console, run test process in child cgroup:
+ stressapptest -s 2 -M 1000 & echo $! > /sys/fs/cgroup/p/c/cgroup.procs
+
+ # after the test process is done, stop perf in the first console shows
+
+ <not counted> instructions p
+
+The instruction should not be "not counted" as the process runs in the
+child cgroup.
+
+We found this is because perf_event->cgrp and cpuctx->cgrp are not
+identical, thus perf_event->cgrp are not updated properly.
+
+This patch fixes this by updating perf_cgroup properly for ancestor
+cgroup(s).
+
+Reported-by: Ephraim Park <ephiepark@fb.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: <jolsa@redhat.com>
+Cc: <kernel-team@fb.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Link: http://lkml.kernel.org/r/20180312165943.1057894-1-songliubraving@fb.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/core.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -642,9 +642,15 @@ static inline void __update_cgrp_time(st
+
+ static inline void update_cgrp_time_from_cpuctx(struct perf_cpu_context *cpuctx)
+ {
+- struct perf_cgroup *cgrp_out = cpuctx->cgrp;
+- if (cgrp_out)
+- __update_cgrp_time(cgrp_out);
++ struct perf_cgroup *cgrp = cpuctx->cgrp;
++ struct cgroup_subsys_state *css;
++
++ if (cgrp) {
++ for (css = &cgrp->css; css; css = css->parent) {
++ cgrp = container_of(css, struct perf_cgroup, css);
++ __update_cgrp_time(cgrp);
++ }
++ }
+ }
+
+ static inline void update_cgrp_time_from_event(struct perf_event *event)
+@@ -672,6 +678,7 @@ perf_cgroup_set_timestamp(struct task_st
+ {
+ struct perf_cgroup *cgrp;
+ struct perf_cgroup_info *info;
++ struct cgroup_subsys_state *css;
+
+ /*
+ * ctx->lock held by caller
+@@ -682,8 +689,12 @@ perf_cgroup_set_timestamp(struct task_st
+ return;
+
+ cgrp = perf_cgroup_from_task(task, ctx);
+- info = this_cpu_ptr(cgrp->info);
+- info->timestamp = ctx->timestamp;
++
++ for (css = &cgrp->css; css; css = css->parent) {
++ cgrp = container_of(css, struct perf_cgroup, css);
++ info = this_cpu_ptr(cgrp->info);
++ info->timestamp = ctx->timestamp;
++ }
+ }
+
+ static DEFINE_PER_CPU(struct list_head, cgrp_cpuctx_list);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sandipan Das <sandipan@linux.vnet.ibm.com>
+Date: Wed, 4 Apr 2018 23:34:18 +0530
+Subject: perf clang: Add support for recent clang versions
+
+From: Sandipan Das <sandipan@linux.vnet.ibm.com>
+
+[ Upstream commit 7854e499f33fd9c7e63288692ffb754d9b1d02fd ]
+
+The clang API calls used by perf have changed in recent releases and
+builds succeed with libclang-3.9 only. This introduces compatibility
+with libclang-4.0 and above.
+
+Without this patch, we will see the following compilation errors with
+libclang-4.0+:
+
+ util/c++/clang.cpp: In function ‘clang::CompilerInvocation* perf::createCompilerInvocation(llvm::opt::ArgStringList, llvm::StringRef&, clang::DiagnosticsEngine&)’:
+ util/c++/clang.cpp:62:33: error: ‘IK_C’ was not declared in this scope
+ Opts.Inputs.emplace_back(Path, IK_C);
+ ^~~~
+ util/c++/clang.cpp: In function ‘std::unique_ptr<llvm::Module> perf::getModuleFromSource(llvm::opt::ArgStringList, llvm::StringRef, llvm::IntrusiveRefCntPtr<clang::vfs::FileSystem>)’:
+ util/c++/clang.cpp:75:26: error: no matching function for call to ‘clang::CompilerInstance::setInvocation(clang::CompilerInvocation*)’
+ Clang.setInvocation(&*CI);
+ ^
+ In file included from util/c++/clang.cpp:14:0:
+ /usr/include/clang/Frontend/CompilerInstance.h:231:8: note: candidate: void clang::CompilerInstance::setInvocation(std::shared_ptr<clang::CompilerInvocation>)
+ void setInvocation(std::shared_ptr<CompilerInvocation> Value);
+ ^~~~~~~~~~~~~
+
+Committer testing:
+
+Tested on Fedora 27 after installing the clang-devel and llvm-devel
+packages, versions:
+
+ # rpm -qa | egrep llvm\|clang
+ llvm-5.0.1-6.fc27.x86_64
+ clang-libs-5.0.1-5.fc27.x86_64
+ clang-5.0.1-5.fc27.x86_64
+ clang-tools-extra-5.0.1-5.fc27.x86_64
+ llvm-libs-5.0.1-6.fc27.x86_64
+ llvm-devel-5.0.1-6.fc27.x86_64
+ clang-devel-5.0.1-5.fc27.x86_64
+ #
+
+Make sure you don't have some older version lying around in /usr/local,
+etc, then:
+
+ $ make LIBCLANGLLVM=1 -C tools/perf install-bin
+
+And in the end perf will be linked agains these libraries:
+
+ # ldd ~/bin/perf | egrep -i llvm\|clang
+ libclangAST.so.5 => /lib64/libclangAST.so.5 (0x00007f8bb2eb4000)
+ libclangBasic.so.5 => /lib64/libclangBasic.so.5 (0x00007f8bb29e3000)
+ libclangCodeGen.so.5 => /lib64/libclangCodeGen.so.5 (0x00007f8bb23f7000)
+ libclangDriver.so.5 => /lib64/libclangDriver.so.5 (0x00007f8bb2060000)
+ libclangFrontend.so.5 => /lib64/libclangFrontend.so.5 (0x00007f8bb1d06000)
+ libclangLex.so.5 => /lib64/libclangLex.so.5 (0x00007f8bb1a3e000)
+ libclangTooling.so.5 => /lib64/libclangTooling.so.5 (0x00007f8bb17d4000)
+ libclangEdit.so.5 => /lib64/libclangEdit.so.5 (0x00007f8bb15c5000)
+ libclangSema.so.5 => /lib64/libclangSema.so.5 (0x00007f8bb0cc9000)
+ libclangAnalysis.so.5 => /lib64/libclangAnalysis.so.5 (0x00007f8bb0a23000)
+ libclangParse.so.5 => /lib64/libclangParse.so.5 (0x00007f8bb0725000)
+ libclangSerialization.so.5 => /lib64/libclangSerialization.so.5 (0x00007f8bb039a000)
+ libLLVM-5.0.so => /lib64/libLLVM-5.0.so (0x00007f8bace98000)
+ libclangASTMatchers.so.5 => /lib64/../lib64/libclangASTMatchers.so.5 (0x00007f8bab735000)
+ libclangFormat.so.5 => /lib64/../lib64/libclangFormat.so.5 (0x00007f8bab4b2000)
+ libclangRewrite.so.5 => /lib64/../lib64/libclangRewrite.so.5 (0x00007f8bab2a1000)
+ libclangToolingCore.so.5 => /lib64/../lib64/libclangToolingCore.so.5 (0x00007f8bab08e000)
+ #
+
+Signed-off-by: Sandipan Das <sandipan@linux.vnet.ibm.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Fixes: 00b86691c77c ("perf clang: Add builtin clang support ant test case")
+Link: http://lkml.kernel.org/r/20180404180419.19056-2-sandipan@linux.vnet.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/c++/clang.cpp | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/c++/clang.cpp
++++ b/tools/perf/util/c++/clang.cpp
+@@ -9,6 +9,7 @@
+ * Copyright (C) 2016 Huawei Inc.
+ */
+
++#include "clang/Basic/Version.h"
+ #include "clang/CodeGen/CodeGenAction.h"
+ #include "clang/Frontend/CompilerInvocation.h"
+ #include "clang/Frontend/CompilerInstance.h"
+@@ -58,7 +59,8 @@ createCompilerInvocation(llvm::opt::ArgS
+
+ FrontendOptions& Opts = CI->getFrontendOpts();
+ Opts.Inputs.clear();
+- Opts.Inputs.emplace_back(Path, IK_C);
++ Opts.Inputs.emplace_back(Path,
++ FrontendOptions::getInputKindForExtension("c"));
+ return CI;
+ }
+
+@@ -71,10 +73,17 @@ getModuleFromSource(llvm::opt::ArgString
+
+ Clang.setVirtualFileSystem(&*VFS);
+
++#if CLANG_VERSION_MAJOR < 4
+ IntrusiveRefCntPtr<CompilerInvocation> CI =
+ createCompilerInvocation(std::move(CFlags), Path,
+ Clang.getDiagnostics());
+ Clang.setInvocation(&*CI);
++#else
++ std::shared_ptr<CompilerInvocation> CI(
++ createCompilerInvocation(std::move(CFlags), Path,
++ Clang.getDiagnostics()));
++ Clang.setInvocation(CI);
++#endif
+
+ std::unique_ptr<CodeGenAction> Act(new EmitLLVMOnlyAction(&*LLVMCtx));
+ if (!Clang.ExecuteAction(*Act))
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "leilei.lin" <leilei.lin@alibaba-inc.com>
+Date: Tue, 6 Mar 2018 17:36:37 +0800
+Subject: perf/core: Fix installing cgroup events on CPU
+
+From: "leilei.lin" <leilei.lin@alibaba-inc.com>
+
+[ Upstream commit 33801b94741d6c3be9713c10aa627477216c21e2 ]
+
+There's two problems when installing cgroup events on CPUs: firstly
+list_update_cgroup_event() only tries to set cpuctx->cgrp for the
+first event, if that mismatches on @cgrp we'll not try again for later
+additions.
+
+Secondly, when we install a cgroup event into an active context, only
+issue an event reprogram when the event matches the current cgroup
+context. This avoids a pointless event reprogramming.
+
+Signed-off-by: leilei.lin <leilei.lin@alibaba-inc.com>
+[ Improved the changelog and comments. ]
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: brendan.d.gregg@gmail.com
+Cc: eranian@gmail.com
+Cc: linux-kernel@vger.kernel.org
+Cc: yang_oliver@hotmail.com
+Link: http://lkml.kernel.org/r/20180306093637.28247-1-linxiulei@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/core.c | 46 +++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 35 insertions(+), 11 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -900,27 +900,39 @@ list_update_cgroup_event(struct perf_eve
+ if (!is_cgroup_event(event))
+ return;
+
+- if (add && ctx->nr_cgroups++)
+- return;
+- else if (!add && --ctx->nr_cgroups)
+- return;
+ /*
+ * Because cgroup events are always per-cpu events,
+ * this will always be called from the right CPU.
+ */
+ cpuctx = __get_cpu_context(ctx);
+- cpuctx_entry = &cpuctx->cgrp_cpuctx_entry;
+- /* cpuctx->cgrp is NULL unless a cgroup event is active in this CPU .*/
+- if (add) {
++
++ /*
++ * Since setting cpuctx->cgrp is conditional on the current @cgrp
++ * matching the event's cgroup, we must do this for every new event,
++ * because if the first would mismatch, the second would not try again
++ * and we would leave cpuctx->cgrp unset.
++ */
++ if (add && !cpuctx->cgrp) {
+ struct perf_cgroup *cgrp = perf_cgroup_from_task(current, ctx);
+
+- list_add(cpuctx_entry, this_cpu_ptr(&cgrp_cpuctx_list));
+ if (cgroup_is_descendant(cgrp->css.cgroup, event->cgrp->css.cgroup))
+ cpuctx->cgrp = cgrp;
+- } else {
+- list_del(cpuctx_entry);
+- cpuctx->cgrp = NULL;
+ }
++
++ if (add && ctx->nr_cgroups++)
++ return;
++ else if (!add && --ctx->nr_cgroups)
++ return;
++
++ /* no cgroup running */
++ if (!add)
++ cpuctx->cgrp = NULL;
++
++ cpuctx_entry = &cpuctx->cgrp_cpuctx_entry;
++ if (add)
++ list_add(cpuctx_entry, this_cpu_ptr(&cgrp_cpuctx_list));
++ else
++ list_del(cpuctx_entry);
+ }
+
+ #else /* !CONFIG_CGROUP_PERF */
+@@ -2404,6 +2416,18 @@ static int __perf_install_in_context(vo
+ raw_spin_lock(&task_ctx->lock);
+ }
+
++#ifdef CONFIG_CGROUP_PERF
++ if (is_cgroup_event(event)) {
++ /*
++ * If the current cgroup doesn't match the event's
++ * cgroup, we should not try to schedule it.
++ */
++ struct perf_cgroup *cgrp = perf_cgroup_from_task(current, ctx);
++ reprogram = cgroup_is_descendant(cgrp->css.cgroup,
++ event->cgrp->css.cgroup);
++ }
++#endif
++
+ if (reprogram) {
+ ctx_sched_out(ctx, cpuctx, EVENT_TIME);
+ add_event_to_ctx(event, ctx);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Fri, 9 Mar 2018 12:52:04 +0100
+Subject: perf/core: Fix perf_output_read_group()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 9e5b127d6f33468143d90c8a45ca12410e4c3fa7 ]
+
+Mark reported his arm64 perf fuzzer runs sometimes splat like:
+
+ armv8pmu_read_counter+0x1e8/0x2d8
+ armpmu_event_update+0x8c/0x188
+ armpmu_read+0xc/0x18
+ perf_output_read+0x550/0x11e8
+ perf_event_read_event+0x1d0/0x248
+ perf_event_exit_task+0x468/0xbb8
+ do_exit+0x690/0x1310
+ do_group_exit+0xd0/0x2b0
+ get_signal+0x2e8/0x17a8
+ do_signal+0x144/0x4f8
+ do_notify_resume+0x148/0x1e8
+ work_pending+0x8/0x14
+
+which asserts that we only call pmu::read() on ACTIVE events.
+
+The above callchain does:
+
+ perf_event_exit_task()
+ perf_event_exit_task_context()
+ task_ctx_sched_out() // INACTIVE
+ perf_event_exit_event()
+ perf_event_set_state(EXIT) // EXIT
+ sync_child_event()
+ perf_event_read_event()
+ perf_output_read()
+ perf_output_read_group()
+ leader->pmu->read()
+
+Which results in doing a pmu::read() on an !ACTIVE event.
+
+I _think_ this is 'new' since we added attr.inherit_stat, which added
+the perf_event_read_event() to the exit path, without that
+perf_event_read_output() would only trigger from samples and for
+@event to trigger a sample, it's leader _must_ be ACTIVE too.
+
+Still, adding this check makes it consistent with the @sub case for
+the siblings.
+
+Reported-and-Tested-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -5837,7 +5837,8 @@ static void perf_output_read_group(struc
+ if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING)
+ values[n++] = running;
+
+- if (leader != event)
++ if ((leader != event) &&
++ (leader->state == PERF_EVENT_STATE_ACTIVE))
+ leader->pmu->read(leader);
+
+ values[n++] = perf_event_count(leader);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Fri, 2 Mar 2018 17:13:54 +0100
+Subject: perf record: Fix crash in pipe mode
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit ad46e48c65fa1f204fa29eaff1b91174d314a94b ]
+
+Currently we can crash perf record when running in pipe mode, like:
+
+ $ perf record ls | perf report
+ # To display the perf.data header info, please use --header/--header-only options.
+ #
+ perf: Segmentation fault
+ Error:
+ The - file has no samples!
+
+The callstack of the crash is:
+
+ 0x0000000000515242 in perf_event__synthesize_event_update_name
+ 3513 ev = event_update_event__new(len + 1, PERF_EVENT_UPDATE__NAME, evsel->id[0]);
+ (gdb) bt
+ #0 0x0000000000515242 in perf_event__synthesize_event_update_name
+ #1 0x00000000005158a4 in perf_event__synthesize_extra_attr
+ #2 0x0000000000443347 in record__synthesize
+ #3 0x00000000004438e3 in __cmd_record
+ #4 0x000000000044514e in cmd_record
+ #5 0x00000000004cbc95 in run_builtin
+ #6 0x00000000004cbf02 in handle_internal_command
+ #7 0x00000000004cc054 in run_argv
+ #8 0x00000000004cc422 in main
+
+The reason of the crash is that the evsel does not have ids array
+allocated and the pipe's synthesize code tries to access it.
+
+We don't force evsel ids allocation when we have single event, because
+it's not needed. However we need it when we are in pipe mode even for
+single event as a key for evsel update event.
+
+Fixing this by forcing evsel ids allocation event for single event, when
+we are in pipe mode.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20180302161354.30192-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/builtin-record.c | 9 +++++++++
+ tools/perf/perf.h | 1 +
+ tools/perf/util/record.c | 8 ++++++--
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/builtin-record.c
++++ b/tools/perf/builtin-record.c
+@@ -926,6 +926,15 @@ static int __cmd_record(struct record *r
+ }
+ }
+
++ /*
++ * If we have just single event and are sending data
++ * through pipe, we need to force the ids allocation,
++ * because we synthesize event name through the pipe
++ * and need the id for that.
++ */
++ if (data->is_pipe && rec->evlist->nr_entries == 1)
++ rec->opts.sample_id = true;
++
+ if (record__open(rec) != 0) {
+ err = -1;
+ goto out_child;
+--- a/tools/perf/perf.h
++++ b/tools/perf/perf.h
+@@ -61,6 +61,7 @@ struct record_opts {
+ bool tail_synthesize;
+ bool overwrite;
+ bool ignore_missing_thread;
++ bool sample_id;
+ unsigned int freq;
+ unsigned int mmap_pages;
+ unsigned int auxtrace_mmap_pages;
+--- a/tools/perf/util/record.c
++++ b/tools/perf/util/record.c
+@@ -137,6 +137,7 @@ void perf_evlist__config(struct perf_evl
+ struct perf_evsel *evsel;
+ bool use_sample_identifier = false;
+ bool use_comm_exec;
++ bool sample_id = opts->sample_id;
+
+ /*
+ * Set the evsel leader links before we configure attributes,
+@@ -163,8 +164,7 @@ void perf_evlist__config(struct perf_evl
+ * match the id.
+ */
+ use_sample_identifier = perf_can_sample_identifier();
+- evlist__for_each_entry(evlist, evsel)
+- perf_evsel__set_sample_id(evsel, use_sample_identifier);
++ sample_id = true;
+ } else if (evlist->nr_entries > 1) {
+ struct perf_evsel *first = perf_evlist__first(evlist);
+
+@@ -174,6 +174,10 @@ void perf_evlist__config(struct perf_evl
+ use_sample_identifier = perf_can_sample_identifier();
+ break;
+ }
++ sample_id = true;
++ }
++
++ if (sample_id) {
+ evlist__for_each_entry(evlist, evsel)
+ perf_evsel__set_sample_id(evsel, use_sample_identifier);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Fri, 16 Feb 2018 13:36:19 +0100
+Subject: perf report: Fix memory corruption in --branch-history mode --branch-history
+
+From: Jiri Olsa <jolsa@redhat.com>
+
+[ Upstream commit e3ebaa465136ecfedf9c6f4671df02bf625f8125 ]
+
+Jin Yao reported memory corrupton in perf report with
+branch info used for stack trace:
+
+ > Following command lines will cause perf crash.
+
+ > perf record -j call -g -a <application>
+ > perf report --branch-history
+ >
+ > *** Error in `perf': double free or corruption (!prev): 0x00000000104aa040 ***
+ > ======= Backtrace: =========
+ > /lib/x86_64-linux-gnu/libc.so.6(+0x77725)[0x7f6b37254725]
+ > /lib/x86_64-linux-gnu/libc.so.6(+0x7ff4a)[0x7f6b3725cf4a]
+ > /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f6b37260abc]
+ > perf[0x51b914]
+ > perf(hist_entry_iter__add+0x1e5)[0x51f305]
+ > perf[0x43cf01]
+ > perf[0x4fa3bf]
+ > perf[0x4fa923]
+ > perf[0x4fd396]
+ > perf[0x4f9614]
+ > perf(perf_session__process_events+0x89e)[0x4fc38e]
+ > perf(cmd_report+0x15d2)[0x43f202]
+ > perf[0x4a059f]
+ > perf(main+0x631)[0x427b71]
+ > /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f6b371fd830]
+ > perf(_start+0x29)[0x427d89]
+
+For the cumulative output, we allocate the he_cache array based on the
+--max-stack option value and populate it with data from 'callchain_cursor'.
+
+The --max-stack option value does not ensure now the limit for number of
+callchain_cursor nodes, so the cumulative iter code will allocate smaller array
+than it's actually needed and cause above corruption.
+
+I think the --max-stack limit does not apply here anyway, because we add
+callchain data as normal hist entries, while the --max-stack control the limit
+of single entry callchain depth.
+
+Using the callchain_cursor.nr as he_cache array count to fix this. Also
+removing struct hist_entry_iter::max_stack, because there's no longer any use
+for it.
+
+We need more fixes to ensure that the branch stack code follows properly the
+logic of --max-stack, which is not the case at the moment.
+
+Original-patch-by: Jin Yao <yao.jin@linux.intel.com>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Reported-by: Jin Yao <yao.jin@linux.intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20180216123619.GA9945@krava
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/hist.c | 4 +---
+ tools/perf/util/hist.h | 1 -
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+--- a/tools/perf/util/hist.c
++++ b/tools/perf/util/hist.c
+@@ -878,7 +878,7 @@ iter_prepare_cumulative_entry(struct his
+ * cumulated only one time to prevent entries more than 100%
+ * overhead.
+ */
+- he_cache = malloc(sizeof(*he_cache) * (iter->max_stack + 1));
++ he_cache = malloc(sizeof(*he_cache) * (callchain_cursor.nr + 1));
+ if (he_cache == NULL)
+ return -ENOMEM;
+
+@@ -1043,8 +1043,6 @@ int hist_entry_iter__add(struct hist_ent
+ if (err)
+ return err;
+
+- iter->max_stack = max_stack_depth;
+-
+ err = iter->ops->prepare_entry(iter, al);
+ if (err)
+ goto out;
+--- a/tools/perf/util/hist.h
++++ b/tools/perf/util/hist.h
+@@ -107,7 +107,6 @@ struct hist_entry_iter {
+ int curr;
+
+ bool hide_unresolved;
+- int max_stack;
+
+ struct perf_evsel *evsel;
+ struct perf_sample *sample;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jin Yao <yao.jin@linux.intel.com>
+Date: Mon, 29 Jan 2018 18:57:53 +0800
+Subject: perf report: Fix wrong jump arrow
+
+From: Jin Yao <yao.jin@linux.intel.com>
+
+[ Upstream commit b40982e8468b46b8f7f5bba5a7e541ec04a29d7d ]
+
+When we use perf report interactive annotate view, we can see
+the position of jump arrow is not correct. For example,
+
+1. perf record -b ...
+2. perf report
+3. In interactive mode, select Annotate 'function'
+
+Percent│ IPC Cycle
+ │ if (flag)
+ 1.37 │0.4┌── 1 ↓ je 82
+ │ │ x += x / y + y / x;
+ 0.00 │0.4│ 1310 movsd (%rsp),%xmm0
+ 0.00 │0.4│ 565 movsd 0x8(%rsp),%xmm4
+ │0.4│ movsd 0x8(%rsp),%xmm1
+ │0.4│ movsd (%rsp),%xmm3
+ │0.4│ divsd %xmm4,%xmm0
+ 0.00 │0.4│ 579 divsd %xmm3,%xmm1
+ │0.4│ movsd (%rsp),%xmm2
+ │0.4│ addsd %xmm1,%xmm0
+ │0.4│ addsd %xmm2,%xmm0
+ 0.00 │0.4│ movsd %xmm0,(%rsp)
+ │ │ volatile double x = 1212121212, y = 121212;
+ │ │
+ │ │ s_randseed = time(0);
+ │ │ srand(s_randseed);
+ │ │
+ │ │ for (i = 0; i < 2000000000; i++) {
+ 1.37 │0.4└─→ 82: sub $0x1,%ebx
+ 28.21 │0.48 17 ↑ jne 38
+
+The jump arrow in above example is not correct. It should add the
+width of IPC and Cycle.
+
+With this patch, the result is:
+
+Percent│ IPC Cycle
+ │ if (flag)
+ 1.37 │0.48 1 ┌──je 82
+ │ │ x += x / y + y / x;
+ 0.00 │0.48 1310 │ movsd (%rsp),%xmm0
+ 0.00 │0.48 565 │ movsd 0x8(%rsp),%xmm4
+ │0.48 │ movsd 0x8(%rsp),%xmm1
+ │0.48 │ movsd (%rsp),%xmm3
+ │0.48 │ divsd %xmm4,%xmm0
+ 0.00 │0.48 579 │ divsd %xmm3,%xmm1
+ │0.48 │ movsd (%rsp),%xmm2
+ │0.48 │ addsd %xmm1,%xmm0
+ │0.48 │ addsd %xmm2,%xmm0
+ 0.00 │0.48 │ movsd %xmm0,(%rsp)
+ │ │ volatile double x = 1212121212, y = 121212;
+ │ │
+ │ │ s_randseed = time(0);
+ │ │ srand(s_randseed);
+ │ │
+ │ │ for (i = 0; i < 2000000000; i++) {
+ 1.37 │0.48 82:└─→sub $0x1,%ebx
+ 28.21 │0.48 17 ↑ jne 38
+
+Committer notes:
+
+Please note that only from LBRv5 (according to Jiri) onwards, i.e. >=
+Skylake is that we'll have the cycles counts in each branch record
+entry, so to see the Cycles and IPC columns, and be able to test this
+patch, one need a capable hardware.
+
+While applying this I first tested it on a Broadwell class machine and
+couldn't get those columns, will add code to the annotate browser to
+warn the user about that, i.e. you have branch records, but no cycles,
+use a more recent hardware to get the cycles and IPC columns.
+
+Signed-off-by: Jin Yao <yao.jin@linux.intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jin Yao <yao.jin@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/1517223473-14750-1-git-send-email-yao.jin@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/ui/browsers/annotate.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/ui/browsers/annotate.c
++++ b/tools/perf/ui/browsers/annotate.c
+@@ -312,6 +312,7 @@ static void annotate_browser__draw_curre
+ struct map_symbol *ms = ab->b.priv;
+ struct symbol *sym = ms->sym;
+ u8 pcnt_width = annotate_browser__pcnt_width(ab);
++ int width = 0;
+
+ /* PLT symbols contain external offsets */
+ if (strstr(sym->name, "@plt"))
+@@ -335,13 +336,17 @@ static void annotate_browser__draw_curre
+ to = (u64)btarget->idx;
+ }
+
++ if (ab->have_cycles)
++ width = IPC_WIDTH + CYCLES_WIDTH;
++
+ ui_browser__set_color(browser, HE_COLORSET_JUMP_ARROWS);
+- __ui_browser__line_arrow(browser, pcnt_width + 2 + ab->addr_width,
++ __ui_browser__line_arrow(browser,
++ pcnt_width + 2 + ab->addr_width + width,
+ from, to);
+
+ if (is_fused(ab, cursor)) {
+ ui_browser__mark_fused(browser,
+- pcnt_width + 3 + ab->addr_width,
++ pcnt_width + 3 + ab->addr_width + width,
+ from - 1,
+ to > from ? true : false);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Thomas Richter <tmricht@linux.vnet.ibm.com>
+Date: Thu, 8 Mar 2018 15:57:35 +0100
+Subject: perf stat: Fix core dump when flag T is used
+
+From: Thomas Richter <tmricht@linux.vnet.ibm.com>
+
+[ Upstream commit fca32340a5e8b896f57d41fd94b8b1701df25eb1 ]
+
+Executing command 'perf stat -T -- ls' dumps core on x86 and s390.
+
+Here is the call back chain (done on x86):
+
+ # gdb ./perf
+ ....
+ (gdb) r stat -T -- ls
+...
+Program received signal SIGSEGV, Segmentation fault.
+0x00007ffff56d1963 in vasprintf () from /lib64/libc.so.6
+(gdb) where
+ #0 0x00007ffff56d1963 in vasprintf () from /lib64/libc.so.6
+ #1 0x00007ffff56ae484 in asprintf () from /lib64/libc.so.6
+ #2 0x00000000004f1982 in __parse_events_add_pmu (parse_state=0x7fffffffd580,
+ list=0xbfb970, name=0xbf3ef0 "cpu",
+ head_config=0xbfb930, auto_merge_stats=false) at util/parse-events.c:1233
+ #3 0x00000000004f1c8e in parse_events_add_pmu (parse_state=0x7fffffffd580,
+ list=0xbfb970, name=0xbf3ef0 "cpu",
+ head_config=0xbfb930) at util/parse-events.c:1288
+ #4 0x0000000000537ce3 in parse_events_parse (_parse_state=0x7fffffffd580,
+ scanner=0xbf4210) at util/parse-events.y:234
+ #5 0x00000000004f2c7a in parse_events__scanner (str=0x6b66c0
+ "task-clock,{instructions,cycles,cpu/cycles-t/,cpu/tx-start/}",
+ parse_state=0x7fffffffd580, start_token=258) at util/parse-events.c:1673
+ #6 0x00000000004f2e23 in parse_events (evlist=0xbe9990, str=0x6b66c0
+ "task-clock,{instructions,cycles,cpu/cycles-t/,cpu/tx-start/}", err=0x0)
+ at util/parse-events.c:1713
+ #7 0x000000000044e137 in add_default_attributes () at builtin-stat.c:2281
+ #8 0x000000000044f7b5 in cmd_stat (argc=1, argv=0x7fffffffe3b0) at
+ builtin-stat.c:2828
+ #9 0x00000000004c8b0f in run_builtin (p=0xab01a0 <commands+288>, argc=4,
+ argv=0x7fffffffe3b0) at perf.c:297
+ #10 0x00000000004c8d7c in handle_internal_command (argc=4,
+ argv=0x7fffffffe3b0) at perf.c:349
+ #11 0x00000000004c8ece in run_argv (argcp=0x7fffffffe20c,
+ argv=0x7fffffffe200) at perf.c:393
+ #12 0x00000000004c929c in main (argc=4, argv=0x7fffffffe3b0) at perf.c:537
+(gdb)
+
+It turns out that a NULL pointer is referenced. Here are the
+function calls:
+
+ ...
+ cmd_stat()
+ +---> add_default_attributes()
+ +---> parse_events(evsel_list, transaction_attrs, NULL);
+ 3rd parameter set to NULL
+
+Function parse_events(xx, xx, struct parse_events_error *err) dives
+into a bison generated scanner and creates
+parser state information for it first:
+
+ struct parse_events_state parse_state = {
+ .list = LIST_HEAD_INIT(parse_state.list),
+ .idx = evlist->nr_entries,
+ .error = err, <--- NULL POINTER !!!
+ .evlist = evlist,
+ };
+
+Now various functions inside the bison scanner are called to end up in
+__parse_events_add_pmu(struct parse_events_state *parse_state, ..) with
+first parameter being a pointer to above structure definition.
+
+Now the PMU event name is not found (because being executed in a VM) and
+this function tries to create an error message with
+
+ asprintf(&parse_state->error.str, ....)
+
+which references a NULL pointer and dumps core.
+
+Fix this by providing a pointer to the necessary error information
+instead of NULL. Technically only the else part is needed to avoid the
+core dump, just lets be safe...
+
+Signed-off-by: Thomas Richter <tmricht@linux.vnet.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Link: http://lkml.kernel.org/r/20180308145735.64717-1-tmricht@linux.vnet.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/builtin-stat.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/builtin-stat.c
++++ b/tools/perf/builtin-stat.c
+@@ -2185,11 +2185,16 @@ static int add_default_attributes(void)
+ return 0;
+
+ if (transaction_run) {
++ struct parse_events_error errinfo;
++
+ if (pmu_have_event("cpu", "cycles-ct") &&
+ pmu_have_event("cpu", "el-start"))
+- err = parse_events(evsel_list, transaction_attrs, NULL);
++ err = parse_events(evsel_list, transaction_attrs,
++ &errinfo);
+ else
+- err = parse_events(evsel_list, transaction_limited_attrs, NULL);
++ err = parse_events(evsel_list,
++ transaction_limited_attrs,
++ &errinfo);
+ if (err) {
+ fprintf(stderr, "Cannot set up transaction events\n");
+ return -1;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Thomas Richter <tmricht@linux.vnet.ibm.com>
+Date: Wed, 14 Feb 2018 08:03:03 +0100
+Subject: perf test: Fix test case inet_pton to accept inlines.
+
+From: Thomas Richter <tmricht@linux.vnet.ibm.com>
+
+[ Upstream commit 0f19a038afdc592176c9a302f0d08be6a68ad74a ]
+
+Using Fedora 27 and latest Linux kernel the test case
+trace+probe_libc_inet_pton.sh fails again on s390. This time is the
+inlining of functions which does not match. After an update of the
+glibc (from 2.26-16 to 2.26-24) the output is different
+
+The expected output is:
+
+ __inet_pton (/usr/lib64/libc-2.26.so)
+ gaih_inet (inlined)
+ ....
+
+The actual output is:
+
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 0.061/0.061/0.061/0.000 ms
+ 0.000 probe_libc:inet_pton:(3ffb2140448))
+ __inet_pton (inlined)
+ gaih_inet.constprop.7 (/usr/lib64/libc-2.26.so)
+ ...
+
+Fix this by being less strict on 'inlined' verses library name and
+accept both
+
+Signed-off-by: Thomas Richter <tmricht@linux.vnet.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Link: http://lkml.kernel.org/r/20180214070303.55757-1-tmricht@linux.vnet.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/tests/shell/trace+probe_libc_inet_pton.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/tools/perf/tests/shell/trace+probe_libc_inet_pton.sh
++++ b/tools/perf/tests/shell/trace+probe_libc_inet_pton.sh
+@@ -21,12 +21,12 @@ trace_libc_inet_pton_backtrace() {
+ expected[3]=".*packets transmitted.*"
+ expected[4]="rtt min.*"
+ expected[5]="[0-9]+\.[0-9]+[[:space:]]+probe_libc:inet_pton:\([[:xdigit:]]+\)"
+- expected[6]=".*inet_pton[[:space:]]\($libc\)$"
++ expected[6]=".*inet_pton[[:space:]]\($libc|inlined\)$"
+ case "$(uname -m)" in
+ s390x)
+ eventattr='call-graph=dwarf'
+- expected[7]="gaih_inet[[:space:]]\(inlined\)$"
+- expected[8]="__GI_getaddrinfo[[:space:]]\(inlined\)$"
++ expected[7]="gaih_inet.*[[:space:]]\($libc|inlined\)$"
++ expected[8]="__GI_getaddrinfo[[:space:]]\($libc|inlined\)$"
+ expected[9]="main[[:space:]]\(.*/bin/ping.*\)$"
+ expected[10]="__libc_start_main[[:space:]]\($libc\)$"
+ expected[11]="_start[[:space:]]\(.*/bin/ping.*\)$"
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Tue, 6 Feb 2018 19:18:12 +0100
+Subject: perf tests: Fix dwarf unwind for stripped binaries
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit fdf7c49c200d1b9909e2204cec5bd68b48605c71 ]
+
+When we strip the perf binary, dwarf unwind test stop
+to work. The reason is that strip will remove static
+function symbols, which we need to check for unwind.
+
+This change will keep this test working in cases where
+the global symbols are put into dynamic symbol table,
+which is the case on x86. It still won't work on powerpc.
+
+Making those 5 local functions global, and adding
+'test_dwarf_unwind__' to their names.
+
+Committer testing:
+
+Before:
+
+ # perf test dwarf
+ 58: DWARF unwind : Ok
+ # strip ~/bin/perf
+ # perf test dwarf
+ 58: DWARF unwind : FAILED!
+ # perf test -v dwarf
+ 58: DWARF unwind :
+ --- start ---
+ test child forked, pid 6590
+ unwind: thread map already set, dso=/home/acme/bin/perf
+ <SNIP>
+ unwind: access_mem addr 0x7ffce6c48098 val 48563f, offset 1144
+ unwind: test__dwarf_unwind:ip = 0x4a54e5 (0xa54e5)
+ got: test__dwarf_unwind 0xa54e5, expecting test__dwarf_unwind
+ unwind: '':ip = 0x4a50bb (0xa50bb)
+ failed: got unresolved address 0xa50bb
+ unwind failed
+ test child finished with -1
+ ---- end ----
+ DWARF unwind: FAILED!
+ #
+
+After:
+
+ # perf test dwarf
+ 58: DWARF unwind : Ok
+ # strip ~/bin/perf
+ # perf test dwarf
+ 58: DWARF unwind : Ok
+ #
+ # perf test -v dwarf
+ 58: DWARF unwind :
+ --- start ---
+ test child forked, pid 7219
+ unwind: thread map already set, dso=/home/acme/bin/perf
+ <SNIP>
+ unwind: access_mem addr 0x7fff007da2c8 val 48575f, offset 1144
+ unwind: test__arch_unwind_sample:ip = 0x589044 (0x189044)
+ got: test__arch_unwind_sample 0x189044, expecting test__arch_unwind_sample
+ unwind: test_dwarf_unwind__thread:ip = 0x4a52f7 (0xa52f7)
+ got: test_dwarf_unwind__thread 0xa52f7, expecting test_dwarf_unwind__thread
+ unwind: test_dwarf_unwind__compare:ip = 0x4a5468 (0xa5468)
+ got: test_dwarf_unwind__compare 0xa5468, expecting test_dwarf_unwind__compare
+ unwind: bsearch:ip = 0x7f6608ae94d8 (0x394d8)
+ got: bsearch 0x394d8, expecting bsearch
+ unwind: test_dwarf_unwind__krava_3:ip = 0x4a54d1 (0xa54d1)
+ got: test_dwarf_unwind__krava_3 0xa54d1, expecting test_dwarf_unwind__krava_3
+ unwind: test_dwarf_unwind__krava_2:ip = 0x4a550b (0xa550b)
+ got: test_dwarf_unwind__krava_2 0xa550b, expecting test_dwarf_unwind__krava_2
+ unwind: test_dwarf_unwind__krava_1:ip = 0x4a554b (0xa554b)
+ got: test_dwarf_unwind__krava_1 0xa554b, expecting test_dwarf_unwind__krava_1
+ unwind: test__dwarf_unwind:ip = 0x4a5605 (0xa5605)
+ got: test__dwarf_unwind 0xa5605, expecting test__dwarf_unwind
+ test child finished with 0
+ ---- end ----
+ DWARF unwind: Ok
+ #
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20180206181813.10943-17-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/tests/dwarf-unwind.c | 46 ++++++++++++++++++++++++++--------------
+ 1 file changed, 30 insertions(+), 16 deletions(-)
+
+--- a/tools/perf/tests/dwarf-unwind.c
++++ b/tools/perf/tests/dwarf-unwind.c
+@@ -37,6 +37,19 @@ static int init_live_machine(struct mach
+ mmap_handler, machine, true, 500);
+ }
+
++/*
++ * We need to keep these functions global, despite the
++ * fact that they are used only locally in this object,
++ * in order to keep them around even if the binary is
++ * stripped. If they are gone, the unwind check for
++ * symbol fails.
++ */
++int test_dwarf_unwind__thread(struct thread *thread);
++int test_dwarf_unwind__compare(void *p1, void *p2);
++int test_dwarf_unwind__krava_3(struct thread *thread);
++int test_dwarf_unwind__krava_2(struct thread *thread);
++int test_dwarf_unwind__krava_1(struct thread *thread);
++
+ #define MAX_STACK 8
+
+ static int unwind_entry(struct unwind_entry *entry, void *arg)
+@@ -45,12 +58,12 @@ static int unwind_entry(struct unwind_en
+ char *symbol = entry->sym ? entry->sym->name : NULL;
+ static const char *funcs[MAX_STACK] = {
+ "test__arch_unwind_sample",
+- "unwind_thread",
+- "compare",
++ "test_dwarf_unwind__thread",
++ "test_dwarf_unwind__compare",
+ "bsearch",
+- "krava_3",
+- "krava_2",
+- "krava_1",
++ "test_dwarf_unwind__krava_3",
++ "test_dwarf_unwind__krava_2",
++ "test_dwarf_unwind__krava_1",
+ "test__dwarf_unwind"
+ };
+ /*
+@@ -77,7 +90,7 @@ static int unwind_entry(struct unwind_en
+ return strcmp((const char *) symbol, funcs[idx]);
+ }
+
+-static noinline int unwind_thread(struct thread *thread)
++noinline int test_dwarf_unwind__thread(struct thread *thread)
+ {
+ struct perf_sample sample;
+ unsigned long cnt = 0;
+@@ -108,7 +121,7 @@ static noinline int unwind_thread(struct
+
+ static int global_unwind_retval = -INT_MAX;
+
+-static noinline int compare(void *p1, void *p2)
++noinline int test_dwarf_unwind__compare(void *p1, void *p2)
+ {
+ /* Any possible value should be 'thread' */
+ struct thread *thread = *(struct thread **)p1;
+@@ -117,17 +130,17 @@ static noinline int compare(void *p1, vo
+ /* Call unwinder twice for both callchain orders. */
+ callchain_param.order = ORDER_CALLER;
+
+- global_unwind_retval = unwind_thread(thread);
++ global_unwind_retval = test_dwarf_unwind__thread(thread);
+ if (!global_unwind_retval) {
+ callchain_param.order = ORDER_CALLEE;
+- global_unwind_retval = unwind_thread(thread);
++ global_unwind_retval = test_dwarf_unwind__thread(thread);
+ }
+ }
+
+ return p1 - p2;
+ }
+
+-static noinline int krava_3(struct thread *thread)
++noinline int test_dwarf_unwind__krava_3(struct thread *thread)
+ {
+ struct thread *array[2] = {thread, thread};
+ void *fp = &bsearch;
+@@ -141,18 +154,19 @@ static noinline int krava_3(struct threa
+ size_t, int (*)(void *, void *));
+
+ _bsearch = fp;
+- _bsearch(array, &thread, 2, sizeof(struct thread **), compare);
++ _bsearch(array, &thread, 2, sizeof(struct thread **),
++ test_dwarf_unwind__compare);
+ return global_unwind_retval;
+ }
+
+-static noinline int krava_2(struct thread *thread)
++noinline int test_dwarf_unwind__krava_2(struct thread *thread)
+ {
+- return krava_3(thread);
++ return test_dwarf_unwind__krava_3(thread);
+ }
+
+-static noinline int krava_1(struct thread *thread)
++noinline int test_dwarf_unwind__krava_1(struct thread *thread)
+ {
+- return krava_2(thread);
++ return test_dwarf_unwind__krava_2(thread);
+ }
+
+ int test__dwarf_unwind(struct test *test __maybe_unused, int subtest __maybe_unused)
+@@ -189,7 +203,7 @@ int test__dwarf_unwind(struct test *test
+ goto out;
+ }
+
+- err = krava_1(thread);
++ err = test_dwarf_unwind__krava_1(thread);
+ thread__put(thread);
+
+ out:
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Thu, 15 Feb 2018 13:26:35 +0100
+Subject: perf tests: Use arch__compare_symbol_names to compare symbols
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit ab6e9a99345131cd8e54268d1d0dc04a33f7ed11 ]
+
+The symbol search called by machine__find_kernel_symbol_by_name is using
+internally arch__compare_symbol_names function to compare 2 symbol
+names, because different archs have different ways of comparing symbols.
+Mostly for skipping '.' prefixes and similar.
+
+In test 1 when we try to find matching symbols in kallsyms and vmlinux,
+by address and by symbol name. When either is found we compare the pair
+symbol names by simple strcmp, which is not good enough for reasons
+explained in previous paragraph.
+
+On powerpc this can cause lockup, because even thought we found the
+pair, the compared names are different and don't match simple strcmp.
+Following code path is executed, that leads to lockup:
+
+ - we find the pair in kallsyms by sym->start
+next_pair:
+ - we compare the names and it fails
+ - we find the pair by sym->name
+ - the pair addresses match so we call goto next_pair
+ because we assume the names match in this case
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Tested-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Fixes: 031b84c407c3 ("perf probe ppc: Enable matching against dot symbols automatically")
+Link: http://lkml.kernel.org/r/20180215122635.24029-10-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/tests/vmlinux-kallsyms.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/tests/vmlinux-kallsyms.c
++++ b/tools/perf/tests/vmlinux-kallsyms.c
+@@ -125,7 +125,7 @@ int test__vmlinux_matches_kallsyms(struc
+
+ if (pair && UM(pair->start) == mem_start) {
+ next_pair:
+- if (strcmp(sym->name, pair->name) == 0) {
++ if (arch__compare_symbol_names(sym->name, pair->name) == 0) {
+ /*
+ * kallsyms don't have the symbol end, so we
+ * set that by using the next symbol start - 1,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sandipan Das <sandipan@linux.vnet.ibm.com>
+Date: Wed, 4 Apr 2018 23:34:17 +0530
+Subject: perf tools: Fix perf builds with clang support
+
+From: Sandipan Das <sandipan@linux.vnet.ibm.com>
+
+[ Upstream commit c2fb54a183cfe77c6fdc9d71e2d5299c1c302a6e ]
+
+For libclang, some distro packages provide static libraries (.a) while
+some provide shared libraries (.so). Currently, perf code can only be
+linked with static libraries. This makes perf build possible for both
+cases.
+
+Signed-off-by: Sandipan Das <sandipan@linux.vnet.ibm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Fixes: d58ac0bf8d1e ("perf build: Add clang and llvm compile and linking support")
+Link: http://lkml.kernel.org/r/20180404180419.19056-1-sandipan@linux.vnet.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/Makefile.perf | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/Makefile.perf
++++ b/tools/perf/Makefile.perf
+@@ -368,7 +368,8 @@ LIBS = -Wl,--whole-archive $(PERFLIBS) $
+
+ ifeq ($(USE_CLANG), 1)
+ CLANGLIBS_LIST = AST Basic CodeGen Driver Frontend Lex Tooling Edit Sema Analysis Parse Serialization
+- LIBCLANG = $(foreach l,$(CLANGLIBS_LIST),$(wildcard $(shell $(LLVM_CONFIG) --libdir)/libclang$(l).a))
++ CLANGLIBS_NOEXT_LIST = $(foreach l,$(CLANGLIBS_LIST),$(shell $(LLVM_CONFIG) --libdir)/libclang$(l))
++ LIBCLANG = $(foreach l,$(CLANGLIBS_NOEXT_LIST),$(wildcard $(l).a $(l).so))
+ LIBS += -Wl,--start-group $(LIBCLANG) -Wl,--end-group
+ endif
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Yisheng Xie <xieyisheng1@huawei.com>
+Date: Mon, 12 Mar 2018 19:25:56 +0800
+Subject: perf top: Fix top.call-graph config option reading
+
+From: Yisheng Xie <xieyisheng1@huawei.com>
+
+[ Upstream commit a3a4a3b37c9b911af4c375b2475cea0fd2b84d38 ]
+
+When trying to add the "call-graph" variable for top into the
+.perfconfig file, like:
+
+ [top]
+ call-graph = fp
+
+I that perf_top_config() do not parse this variable.
+
+Fix it by calling perf_default_config() when the top.call-graph variable
+is set.
+
+Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Wang Nan <wangnan0@huawei.com>
+Fixes: b8cbb349061e ("perf config: Bring perf_default_config to the very beginning at main()")
+Link: http://lkml.kernel.org/r/1520853957-36106-1-git-send-email-xieyisheng1@huawei.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/builtin-top.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/builtin-top.c
++++ b/tools/perf/builtin-top.c
+@@ -1080,8 +1080,10 @@ parse_callchain_opt(const struct option
+
+ static int perf_top_config(const char *var, const char *value, void *cb __maybe_unused)
+ {
+- if (!strcmp(var, "top.call-graph"))
+- var = "call-graph.record-mode"; /* fall-through */
++ if (!strcmp(var, "top.call-graph")) {
++ var = "call-graph.record-mode";
++ return perf_default_config(var, value, cb);
++ }
+ if (!strcmp(var, "top.children")) {
+ symbol_conf.cumulate_callchain = perf_config_bool(var, value);
+ return 0;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Mon, 12 Feb 2018 14:20:31 -0800
+Subject: perf/x86/intel: Fix event update for auto-reload
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit d31fc13fdcb20e1c317f9a7dd6273c18fbd58308 ]
+
+There is a bug when reading event->count with large PEBS enabled.
+
+Here is an example:
+
+ # ./read_count
+ 0x71f0
+ 0x122c0
+ 0x1000000001c54
+ 0x100000001257d
+ 0x200000000bdc5
+
+In fixed period mode, the auto-reload mechanism could be enabled for
+PEBS events, but the calculation of event->count does not take the
+auto-reload values into account.
+
+Anyone who reads event->count will get the wrong result, e.g x86_pmu_read().
+
+This bug was introduced with the auto-reload mechanism enabled since
+commit:
+
+ 851559e35fd5 ("perf/x86/intel: Use the PEBS auto reload mechanism when possible")
+
+Introduce intel_pmu_save_and_restart_reload() to calculate the
+event->count only for auto-reload.
+
+Since the counter increments a negative counter value and overflows on
+the sign switch, giving the interval:
+
+ [-period, 0]
+
+the difference between two consequtive reads is:
+
+ A) value2 - value1;
+ when no overflows have happened in between,
+ B) (0 - value1) + (value2 - (-period));
+ when one overflow happened in between,
+ C) (0 - value1) + (n - 1) * (period) + (value2 - (-period));
+ when @n overflows happened in between.
+
+Here A) is the obvious difference, B) is the extension to the discrete
+interval, where the first term is to the top of the interval and the
+second term is from the bottom of the next interval and C) the extension
+to multiple intervals, where the middle term is the whole intervals
+covered.
+
+The equation for all cases is:
+
+ value2 - value1 + n * period
+
+Previously the event->count is updated right before the sample output.
+But for case A, there is no PEBS record ready. It needs to be specially
+handled.
+
+Remove the auto-reload code from x86_perf_event_set_period() since
+we'll not longer call that function in this case.
+
+Based-on-code-from: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: acme@kernel.org
+Fixes: 851559e35fd5 ("perf/x86/intel: Use the PEBS auto reload mechanism when possible")
+Link: http://lkml.kernel.org/r/1518474035-21006-2-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/core.c | 15 ++-----
+ arch/x86/events/intel/ds.c | 92 +++++++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 94 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -1156,16 +1156,13 @@ int x86_perf_event_set_period(struct per
+
+ per_cpu(pmc_prev_left[idx], smp_processor_id()) = left;
+
+- if (!(hwc->flags & PERF_X86_EVENT_AUTO_RELOAD) ||
+- local64_read(&hwc->prev_count) != (u64)-left) {
+- /*
+- * The hw event starts counting from this event offset,
+- * mark it to be able to extra future deltas:
+- */
+- local64_set(&hwc->prev_count, (u64)-left);
++ /*
++ * The hw event starts counting from this event offset,
++ * mark it to be able to extra future deltas:
++ */
++ local64_set(&hwc->prev_count, (u64)-left);
+
+- wrmsrl(hwc->event_base, (u64)(-left) & x86_pmu.cntval_mask);
+- }
++ wrmsrl(hwc->event_base, (u64)(-left) & x86_pmu.cntval_mask);
+
+ /*
+ * Due to erratum on certan cpu we need
+--- a/arch/x86/events/intel/ds.c
++++ b/arch/x86/events/intel/ds.c
+@@ -1312,17 +1312,84 @@ get_next_pebs_record_by_bit(void *base,
+ return NULL;
+ }
+
++/*
++ * Special variant of intel_pmu_save_and_restart() for auto-reload.
++ */
++static int
++intel_pmu_save_and_restart_reload(struct perf_event *event, int count)
++{
++ struct hw_perf_event *hwc = &event->hw;
++ int shift = 64 - x86_pmu.cntval_bits;
++ u64 period = hwc->sample_period;
++ u64 prev_raw_count, new_raw_count;
++ s64 new, old;
++
++ WARN_ON(!period);
++
++ /*
++ * drain_pebs() only happens when the PMU is disabled.
++ */
++ WARN_ON(this_cpu_read(cpu_hw_events.enabled));
++
++ prev_raw_count = local64_read(&hwc->prev_count);
++ rdpmcl(hwc->event_base_rdpmc, new_raw_count);
++ local64_set(&hwc->prev_count, new_raw_count);
++
++ /*
++ * Since the counter increments a negative counter value and
++ * overflows on the sign switch, giving the interval:
++ *
++ * [-period, 0]
++ *
++ * the difference between two consequtive reads is:
++ *
++ * A) value2 - value1;
++ * when no overflows have happened in between,
++ *
++ * B) (0 - value1) + (value2 - (-period));
++ * when one overflow happened in between,
++ *
++ * C) (0 - value1) + (n - 1) * (period) + (value2 - (-period));
++ * when @n overflows happened in between.
++ *
++ * Here A) is the obvious difference, B) is the extension to the
++ * discrete interval, where the first term is to the top of the
++ * interval and the second term is from the bottom of the next
++ * interval and C) the extension to multiple intervals, where the
++ * middle term is the whole intervals covered.
++ *
++ * An equivalent of C, by reduction, is:
++ *
++ * value2 - value1 + n * period
++ */
++ new = ((s64)(new_raw_count << shift) >> shift);
++ old = ((s64)(prev_raw_count << shift) >> shift);
++ local64_add(new - old + count * period, &event->count);
++
++ perf_event_update_userpage(event);
++
++ return 0;
++}
++
+ static void __intel_pmu_pebs_event(struct perf_event *event,
+ struct pt_regs *iregs,
+ void *base, void *top,
+ int bit, int count)
+ {
++ struct hw_perf_event *hwc = &event->hw;
+ struct perf_sample_data data;
+ struct pt_regs regs;
+ void *at = get_next_pebs_record_by_bit(base, top, bit);
+
+- if (!intel_pmu_save_and_restart(event) &&
+- !(event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD))
++ if (hwc->flags & PERF_X86_EVENT_AUTO_RELOAD) {
++ /*
++ * Now, auto-reload is only enabled in fixed period mode.
++ * The reload value is always hwc->sample_period.
++ * May need to change it, if auto-reload is enabled in
++ * freq mode later.
++ */
++ intel_pmu_save_and_restart_reload(event, count);
++ } else if (!intel_pmu_save_and_restart(event))
+ return;
+
+ while (count > 1) {
+@@ -1374,8 +1441,11 @@ static void intel_pmu_drain_pebs_core(st
+ return;
+
+ n = top - at;
+- if (n <= 0)
++ if (n <= 0) {
++ if (event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD)
++ intel_pmu_save_and_restart_reload(event, 0);
+ return;
++ }
+
+ __intel_pmu_pebs_event(event, iregs, at, top, 0, n);
+ }
+@@ -1398,8 +1468,22 @@ static void intel_pmu_drain_pebs_nhm(str
+
+ ds->pebs_index = ds->pebs_buffer_base;
+
+- if (unlikely(base >= top))
++ if (unlikely(base >= top)) {
++ /*
++ * The drain_pebs() could be called twice in a short period
++ * for auto-reload event in pmu::read(). There are no
++ * overflows have happened in between.
++ * It needs to call intel_pmu_save_and_restart_reload() to
++ * update the event->count for this case.
++ */
++ for_each_set_bit(bit, (unsigned long *)&cpuc->pebs_enabled,
++ x86_pmu.max_pebs_events) {
++ event = cpuc->events[bit];
++ if (event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD)
++ intel_pmu_save_and_restart_reload(event, 0);
++ }
+ return;
++ }
+
+ for (at = base; at < top; at += x86_pmu.pebs_record_size) {
+ struct pebs_record_nhm *p = at;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Thu, 1 Mar 2018 12:54:54 -0500
+Subject: perf/x86/intel: Fix large period handling on Broadwell CPUs
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit f605cfca8c39ffa2b98c06d2b9f30ba64f1e54e3 ]
+
+Large fixed period values could be truncated on Broadwell, for example:
+
+ perf record -e cycles -c 10000000000
+
+Here the fixed period is 0x2540BE400, but the period which finally applied is
+0x540BE400 - which is wrong.
+
+The reason is that x86_pmu::limit_period() uses an u32 parameter, so the
+high 32 bits of 'period' get truncated.
+
+This bug was introduced in:
+
+ commit 294fe0f52a44 ("perf/x86/intel: Add INST_RETIRED.ALL workarounds")
+
+It's safe to use u64 instead of u32:
+
+ - Although the 'left' is s64, the value of 'left' must be positive when
+ calling limit_period().
+
+ - bdw_limit_period() only modifies the lowest 6 bits, it doesn't touch
+ the higher 32 bits.
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: 294fe0f52a44 ("perf/x86/intel: Add INST_RETIRED.ALL workarounds")
+Link: http://lkml.kernel.org/r/1519926894-3520-1-git-send-email-kan.liang@linux.intel.com
+[ Rewrote unacceptably bad changelog. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/core.c | 2 +-
+ arch/x86/events/perf_event.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -3196,7 +3196,7 @@ glp_get_event_constraints(struct cpu_hw_
+ * Therefore the effective (average) period matches the requested period,
+ * despite coarser hardware granularity.
+ */
+-static unsigned bdw_limit_period(struct perf_event *event, unsigned left)
++static u64 bdw_limit_period(struct perf_event *event, u64 left)
+ {
+ if ((event->hw.config & INTEL_ARCH_EVENT_MASK) ==
+ X86_CONFIG(.event=0xc0, .umask=0x01)) {
+--- a/arch/x86/events/perf_event.h
++++ b/arch/x86/events/perf_event.h
+@@ -556,7 +556,7 @@ struct x86_pmu {
+ struct x86_pmu_quirk *quirks;
+ int perfctr_second_write;
+ bool late_ack;
+- unsigned (*limit_period)(struct perf_event *event, unsigned l);
++ u64 (*limit_period)(struct perf_event *event, u64 l);
+
+ /*
+ * sysfs attrs
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stephane Eranian <eranian@google.com>
+Date: Fri, 23 Mar 2018 00:01:47 -0700
+Subject: perf/x86/intel: Fix linear IP of PEBS real_ip on Haswell and later CPUs
+
+From: Stephane Eranian <eranian@google.com>
+
+[ Upstream commit 71eb9ee9596d8df3d5723c3cfc18774c6235e8b1 ]
+
+this patch fix a bug in how the pebs->real_ip is handled in the PEBS
+handler. real_ip only exists in Haswell and later processor. It is
+actually the eventing IP, i.e., where the event occurred. As opposed
+to the pebs->ip which is the PEBS interrupt IP which is always off
+by one.
+
+The problem is that the real_ip just like the IP needs to be fixed up
+because PEBS does not record all the machine state registers, and
+in particular the code segement (cs). This is why we have the set_linear_ip()
+function. The problem was that set_linear_ip() was only used on the pebs->ip
+and not the pebs->real_ip.
+
+We have profiles which ran into invalid callstacks because of this.
+Here is an example:
+
+ ..... 0: ffffffffffffff80 recent entry, marker kernel v
+ ..... 1: 000000000040044d <= user address in kernel space!
+ ..... 2: fffffffffffffe00 marker enter user v
+ ..... 3: 000000000040044d
+ ..... 4: 00000000004004b6 oldest entry
+
+Debugging output in get_perf_callchain():
+
+ [ 857.769909] CALLCHAIN: CPU8 ip=40044d regs->cs=10 user_mode(regs)=0
+
+The problem is that the kernel entry in 1: points to a user level
+address. How can that be?
+
+The reason is that with PEBS sampling the instruction that caused the event
+to occur and the instruction where the CPU was when the interrupt was posted
+may be far apart. And sometime during that time window, the privilege level may
+change. This happens, for instance, when the PEBS sample is taken close to a
+kernel entry point. Here PEBS, eventing IP (real_ip) captured a user level
+instruction. But by the time the PMU interrupt fired, the processor had already
+entered kernel space. This is why the debug output shows a user address with
+user_mode() false.
+
+The problem comes from PEBS not recording the code segment (cs) register.
+The register is used in x86_64 to determine if executing in kernel vs user
+space. This is okay because the kernel has a software workaround called
+set_linear_ip(). But the issue in setup_pebs_sample_data() is that
+set_linear_ip() is never called on the real_ip value when it is available
+(Haswell and later) and precise_ip > 1.
+
+This patch fixes this problem and eliminates the callchain discrepancy.
+
+The patch restructures the code around set_linear_ip() to minimize the number
+of times the IP has to be set.
+
+Signed-off-by: Stephane Eranian <eranian@google.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: kan.liang@intel.com
+Link: http://lkml.kernel.org/r/1521788507-10231-1-git-send-email-eranian@google.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/ds.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/events/intel/ds.c
++++ b/arch/x86/events/intel/ds.c
+@@ -1150,6 +1150,7 @@ static void setup_pebs_sample_data(struc
+ if (pebs == NULL)
+ return;
+
++ regs->flags &= ~PERF_EFLAGS_EXACT;
+ sample_type = event->attr.sample_type;
+ dsrc = sample_type & PERF_SAMPLE_DATA_SRC;
+
+@@ -1194,7 +1195,6 @@ static void setup_pebs_sample_data(struc
+ */
+ *regs = *iregs;
+ regs->flags = pebs->flags;
+- set_linear_ip(regs, pebs->ip);
+
+ if (sample_type & PERF_SAMPLE_REGS_INTR) {
+ regs->ax = pebs->ax;
+@@ -1230,13 +1230,22 @@ static void setup_pebs_sample_data(struc
+ #endif
+ }
+
+- if (event->attr.precise_ip > 1 && x86_pmu.intel_cap.pebs_format >= 2) {
+- regs->ip = pebs->real_ip;
+- regs->flags |= PERF_EFLAGS_EXACT;
+- } else if (event->attr.precise_ip > 1 && intel_pmu_pebs_fixup_ip(regs))
+- regs->flags |= PERF_EFLAGS_EXACT;
+- else
+- regs->flags &= ~PERF_EFLAGS_EXACT;
++ if (event->attr.precise_ip > 1) {
++ /* Haswell and later have the eventing IP, so use it: */
++ if (x86_pmu.intel_cap.pebs_format >= 2) {
++ set_linear_ip(regs, pebs->real_ip);
++ regs->flags |= PERF_EFLAGS_EXACT;
++ } else {
++ /* Otherwise use PEBS off-by-1 IP: */
++ set_linear_ip(regs, pebs->ip);
++
++ /* ... and try to fix it up using the LBR entries: */
++ if (intel_pmu_pebs_fixup_ip(regs))
++ regs->flags |= PERF_EFLAGS_EXACT;
++ }
++ } else
++ set_linear_ip(regs, pebs->ip);
++
+
+ if ((sample_type & (PERF_SAMPLE_ADDR | PERF_SAMPLE_PHYS_ADDR)) &&
+ x86_pmu.intel_cap.pebs_format >= 1)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Tue, 20 Feb 2018 02:11:50 -0800
+Subject: perf/x86/intel: Properly save/restore the PMU state in the NMI handler
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 82d71ed0277efc45360828af8c4e4d40e1b45352 ]
+
+The PMU is disabled in intel_pmu_handle_irq(), but cpuc->enabled is not updated
+accordingly.
+
+This is fine in current usage because no-one checks it - but fix it
+for future code: for example, the drain_pebs() will be modified to
+fix an auto-reload bug.
+
+Properly save/restore the old PMU state.
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: acme@kernel.org
+Cc: kernel test robot <fengguang.wu@intel.com>
+Link: http://lkml.kernel.org/r/6f44ee84-56f8-79f1-559b-08e371eaeb78@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/core.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -2201,16 +2201,23 @@ static int intel_pmu_handle_irq(struct p
+ int bit, loops;
+ u64 status;
+ int handled;
++ int pmu_enabled;
+
+ cpuc = this_cpu_ptr(&cpu_hw_events);
+
+ /*
++ * Save the PMU state.
++ * It needs to be restored when leaving the handler.
++ */
++ pmu_enabled = cpuc->enabled;
++ /*
+ * No known reason to not always do late ACK,
+ * but just in case do it opt-in.
+ */
+ if (!x86_pmu.late_ack)
+ apic_write(APIC_LVTPC, APIC_DM_NMI);
+ intel_bts_disable_local();
++ cpuc->enabled = 0;
+ __intel_pmu_disable_all();
+ handled = intel_pmu_drain_bts_buffer();
+ handled += intel_bts_interrupt();
+@@ -2320,7 +2327,8 @@ again:
+
+ done:
+ /* Only restore PMU state when it's active. See x86_pmu_disable(). */
+- if (cpuc->enabled)
++ cpuc->enabled = pmu_enabled;
++ if (pmu_enabled)
+ __intel_pmu_enable_all(0, true);
+ intel_bts_enable_local();
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Vivek Gautam <vivek.gautam@codeaurora.org>
+Date: Tue, 16 Jan 2018 16:26:56 +0530
+Subject: phy: qcom-qmp: Fix phy pipe clock gating
+
+From: Vivek Gautam <vivek.gautam@codeaurora.org>
+
+[ Upstream commit f8ba22a39e985c93e278709b1d5f20857a26b49b ]
+
+Pipe clock comes out of the phy and is available as long as
+the phy is turned on. Clock controller fails to gate this
+clock after the phy is turned off and generates a warning.
+
+/ # [ 33.048561] gcc_usb3_phy_pipe_clk status stuck at 'on'
+[ 33.048585] ------------[ cut here ]------------
+[ 33.052621] WARNING: CPU: 1 PID: 18 at ../drivers/clk/qcom/clk-branch.c:97 clk_branch_wait+0xf0/0x108
+[ 33.057384] Modules linked in:
+[ 33.066497] CPU: 1 PID: 18 Comm: kworker/1:0 Tainted: G W 4.12.0-rc7-00024-gfe926e34c36d-dirty #96
+[ 33.069451] Hardware name: Qualcomm Technologies, Inc. DB820c (DT)
+...
+[ 33.278565] [<ffff00000849b27c>] clk_branch_wait+0xf0/0x108
+[ 33.286375] [<ffff00000849b2f4>] clk_branch2_disable+0x28/0x34
+[ 33.291761] [<ffff0000084868dc>] clk_core_disable+0x5c/0x88
+[ 33.297660] [<ffff000008487d68>] clk_core_disable_lock+0x20/0x34
+[ 33.303129] [<ffff000008487d98>] clk_disable+0x1c/0x24
+[ 33.309384] [<ffff0000083ccd78>] qcom_qmp_phy_poweroff+0x20/0x48
+[ 33.314328] [<ffff0000083c53f4>] phy_power_off+0x80/0xdc
+[ 33.320492] [<ffff00000875c950>] dwc3_core_exit+0x94/0xa0
+[ 33.325784] [<ffff00000875c9ac>] dwc3_suspend_common+0x50/0x60
+[ 33.331080] [<ffff00000875ca04>] dwc3_runtime_suspend+0x48/0x6c
+[ 33.336810] [<ffff0000085b82f4>] pm_generic_runtime_suspend+0x28/0x38
+[ 33.342627] [<ffff0000085bace0>] __rpm_callback+0x150/0x254
+[ 33.349222] [<ffff0000085bae08>] rpm_callback+0x24/0x78
+[ 33.354604] [<ffff0000085b9fd8>] rpm_suspend+0xe0/0x4e4
+[ 33.359813] [<ffff0000085bb784>] pm_runtime_work+0xdc/0xf0
+[ 33.365028] [<ffff0000080d7b30>] process_one_work+0x12c/0x28c
+[ 33.370576] [<ffff0000080d7ce8>] worker_thread+0x58/0x3b8
+[ 33.376393] [<ffff0000080dd4a8>] kthread+0x100/0x12c
+[ 33.381776] [<ffff0000080836c0>] ret_from_fork+0x10/0x50
+
+Fix this by disabling it as the first thing in phy_exit().
+
+Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets")
+Signed-off-by: Vivek Gautam <vivek.gautam@codeaurora.org>
+Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-qmp.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp.c
+@@ -751,8 +751,6 @@ static int qcom_qmp_phy_poweroff(struct
+ struct qmp_phy *qphy = phy_get_drvdata(phy);
+ struct qcom_qmp *qmp = qphy->qmp;
+
+- clk_disable_unprepare(qphy->pipe_clk);
+-
+ regulator_bulk_disable(qmp->cfg->num_vregs, qmp->vregs);
+
+ return 0;
+@@ -936,6 +934,8 @@ static int qcom_qmp_phy_exit(struct phy
+ const struct qmp_phy_cfg *cfg = qmp->cfg;
+ int i = cfg->num_clks;
+
++ clk_disable_unprepare(qphy->pipe_clk);
++
+ /* PHY reset */
+ qphy_setbits(qphy->pcs, cfg->regs[QPHY_SW_RESET], SW_RESET);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Thu, 11 Jan 2018 10:40:26 +0800
+Subject: phy: rockchip-emmc: retry calpad busy trimming
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+[ Upstream commit a4781c2a74b249cad814ceea7272997bbd20051e ]
+
+It turns out that 5us isn't enough for all cases, so let's
+retry some more times to wait for caldone.
+
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Tested-by: Ziyuan Xu <xzy.xu@rock-chips.com>
+Signed-off-by: Caesar Wang <wxt@rock-chips.com>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/rockchip/phy-rockchip-emmc.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+--- a/drivers/phy/rockchip/phy-rockchip-emmc.c
++++ b/drivers/phy/rockchip/phy-rockchip-emmc.c
+@@ -76,6 +76,10 @@
+ #define PHYCTRL_OTAPDLYSEL_MASK 0xf
+ #define PHYCTRL_OTAPDLYSEL_SHIFT 0x7
+
++#define PHYCTRL_IS_CALDONE(x) \
++ ((((x) >> PHYCTRL_CALDONE_SHIFT) & \
++ PHYCTRL_CALDONE_MASK) == PHYCTRL_CALDONE_DONE)
++
+ struct rockchip_emmc_phy {
+ unsigned int reg_offset;
+ struct regmap *reg_base;
+@@ -90,6 +94,7 @@ static int rockchip_emmc_phy_power(struc
+ unsigned int freqsel = PHYCTRL_FREQSEL_200M;
+ unsigned long rate;
+ unsigned long timeout;
++ int ret;
+
+ /*
+ * Keep phyctrl_pdb and phyctrl_endll low to allow
+@@ -160,17 +165,19 @@ static int rockchip_emmc_phy_power(struc
+ PHYCTRL_PDB_SHIFT));
+
+ /*
+- * According to the user manual, it asks driver to
+- * wait 5us for calpad busy trimming
++ * According to the user manual, it asks driver to wait 5us for
++ * calpad busy trimming. However it is documented that this value is
++ * PVT(A.K.A process,voltage and temperature) relevant, so some
++ * failure cases are found which indicates we should be more tolerant
++ * to calpad busy trimming.
+ */
+- udelay(5);
+- regmap_read(rk_phy->reg_base,
+- rk_phy->reg_offset + GRF_EMMCPHY_STATUS,
+- &caldone);
+- caldone = (caldone >> PHYCTRL_CALDONE_SHIFT) & PHYCTRL_CALDONE_MASK;
+- if (caldone != PHYCTRL_CALDONE_DONE) {
+- pr_err("rockchip_emmc_phy_power: caldone timeout.\n");
+- return -ETIMEDOUT;
++ ret = regmap_read_poll_timeout(rk_phy->reg_base,
++ rk_phy->reg_offset + GRF_EMMCPHY_STATUS,
++ caldone, PHYCTRL_IS_CALDONE(caldone),
++ 0, 50);
++ if (ret) {
++ pr_err("%s: caldone failed, ret=%d\n", __func__, ret);
++ return ret;
+ }
+
+ /* Set the frequency of the DLL operation */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Niklas Cassel <niklas.cassel@axis.com>
+Date: Thu, 22 Feb 2018 16:22:46 +0100
+Subject: pinctrl: artpec6: dt: add missing pin group uart5nocts
+
+From: Niklas Cassel <niklas.cassel@axis.com>
+
+[ Upstream commit 7e065fb9ccce89fe667fdbd9a177eaec59a359fc ]
+
+Add missing pin group uart5nocts (all pins except cts), which has been
+supported by the artpec6 pinctrl driver since its initial submission.
+
+Fixes: 00df0582eab1 ("pinctrl: Add pincontrol driver for ARTPEC-6 SoC")
+Signed-off-by: Niklas Cassel <niklas.cassel@axis.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/pinctrl/axis,artpec6-pinctrl.txt | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/Documentation/devicetree/bindings/pinctrl/axis,artpec6-pinctrl.txt
++++ b/Documentation/devicetree/bindings/pinctrl/axis,artpec6-pinctrl.txt
+@@ -20,7 +20,8 @@ Required subnode-properties:
+ gpio: cpuclkoutgrp0, udlclkoutgrp0, i2c1grp0, i2c2grp0,
+ i2c3grp0, i2s0grp0, i2s1grp0, i2srefclkgrp0, spi0grp0,
+ spi1grp0, pciedebuggrp0, uart0grp0, uart0grp1, uart1grp0,
+- uart2grp0, uart2grp1, uart3grp0, uart4grp0, uart5grp0
++ uart2grp0, uart2grp1, uart3grp0, uart4grp0, uart5grp0,
++ uart5nocts
+ cpuclkout: cpuclkoutgrp0
+ udlclkout: udlclkoutgrp0
+ i2c1: i2c1grp0
+@@ -37,7 +38,7 @@ Required subnode-properties:
+ uart2: uart2grp0, uart2grp1
+ uart3: uart3grp0
+ uart4: uart4grp0
+- uart5: uart5grp0
++ uart5: uart5grp0, uart5nocts
+ nand: nandgrp0
+ sdio0: sdio0grp0
+ sdio1: sdio1grp0
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+Date: Wed, 28 Feb 2018 15:53:06 +0000
+Subject: pinctrl: devicetree: Fix dt_to_map_one_config handling of hogs
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit b89405b6102fcc3746f43697b826028caa94c823 ]
+
+When dt_to_map_one_config() is called with a pinctrl_dev passed
+in, it should only be using this if the node being looked up
+is a hog. The code was always using the passed pinctrl_dev
+without checking whether the dt node referred to it.
+
+A pin controller can have pinctrl-n dependencies on other pin
+controllers in these cases:
+
+- the pin controller hardware is external, for example I2C, so
+ needs other pin controller(s) to be setup to communicate with
+ the hardware device.
+
+- it is a child of a composite MFD so its of_node is shared with
+ the parent MFD and other children of that MFD. Any part of that
+ MFD could have dependencies on other pin controllers.
+
+Because of this, dt_to_map_one_config() can't assume that if it
+has a pinctrl_dev passed in then the node it looks up must be
+a hog. It could be a reference to some other pin controller.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/devicetree.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/devicetree.c
++++ b/drivers/pinctrl/devicetree.c
+@@ -122,8 +122,10 @@ static int dt_to_map_one_config(struct p
+ /* OK let's just assume this will appear later then */
+ return -EPROBE_DEFER;
+ }
+- if (!pctldev)
+- pctldev = get_pinctrl_dev_from_of_node(np_pctldev);
++ /* If we're creating a hog we can use the passed pctldev */
++ if (pctldev && (np_pctldev == p->dev->of_node))
++ break;
++ pctldev = get_pinctrl_dev_from_of_node(np_pctldev);
+ if (pctldev)
+ break;
+ /* Do not defer probing of hogs (circular loop) */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Jan Kundrát" <jan.kundrat@cesnet.cz>
+Date: Thu, 25 Jan 2018 18:29:15 +0100
+Subject: pinctrl: mcp23s08: spi: Fix regmap debugfs entries
+
+From: "Jan Kundrát" <jan.kundrat@cesnet.cz>
+
+[ Upstream commit 9b3e4207661e67f04c72af15e29f74cd944f5964 ]
+
+The SPI version of this chip allows several devices to be present on the
+same SPI bus via a local address. If this is in action and if the kernel
+has debugfs, however, the code attempts to create duplicate entries for
+the regmap's debugfs:
+
+ mcp23s08 spi1.1: Failed to create debugfs directory
+
+This patch simply assigns a local name matching the device logical
+address to the `struct regmap_config`.
+
+No changes are needed for MCP23S18 because that device does not support
+any logical addressing. Similarly, I2C devices do not need any action,
+either, because they are already different in their I2C address.
+
+A similar problem is present for the pinctrl debugfs instance, but that
+one is not addressed by this patch.
+
+Signed-off-by: Jan Kundrát <jan.kundrat@cesnet.cz>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-mcp23s08.c | 37 ++++++++++++++++++++++++++-----------
+ 1 file changed, 26 insertions(+), 11 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-mcp23s08.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08.c
+@@ -779,6 +779,7 @@ static int mcp23s08_probe_one(struct mcp
+ {
+ int status, ret;
+ bool mirror = false;
++ struct regmap_config *one_regmap_config = NULL;
+
+ mutex_init(&mcp->lock);
+
+@@ -799,22 +800,36 @@ static int mcp23s08_probe_one(struct mcp
+ switch (type) {
+ #ifdef CONFIG_SPI_MASTER
+ case MCP_TYPE_S08:
+- mcp->regmap = devm_regmap_init(dev, &mcp23sxx_spi_regmap, mcp,
+- &mcp23x08_regmap);
+- mcp->reg_shift = 0;
+- mcp->chip.ngpio = 8;
+- mcp->chip.label = "mcp23s08";
+- break;
+-
+ case MCP_TYPE_S17:
++ switch (type) {
++ case MCP_TYPE_S08:
++ one_regmap_config =
++ devm_kmemdup(dev, &mcp23x08_regmap,
++ sizeof(struct regmap_config), GFP_KERNEL);
++ mcp->reg_shift = 0;
++ mcp->chip.ngpio = 8;
++ mcp->chip.label = "mcp23s08";
++ break;
++ case MCP_TYPE_S17:
++ one_regmap_config =
++ devm_kmemdup(dev, &mcp23x17_regmap,
++ sizeof(struct regmap_config), GFP_KERNEL);
++ mcp->reg_shift = 1;
++ mcp->chip.ngpio = 16;
++ mcp->chip.label = "mcp23s17";
++ break;
++ }
++ if (!one_regmap_config)
++ return -ENOMEM;
++
++ one_regmap_config->name = devm_kasprintf(dev, GFP_KERNEL, "%d", (addr & ~0x40) >> 1);
+ mcp->regmap = devm_regmap_init(dev, &mcp23sxx_spi_regmap, mcp,
+- &mcp23x17_regmap);
+- mcp->reg_shift = 1;
+- mcp->chip.ngpio = 16;
+- mcp->chip.label = "mcp23s17";
++ one_regmap_config);
+ break;
+
+ case MCP_TYPE_S18:
++ if (!one_regmap_config)
++ return -ENOMEM;
+ mcp->regmap = devm_regmap_init(dev, &mcp23sxx_spi_regmap, mcp,
+ &mcp23x17_regmap);
+ mcp->reg_shift = 1;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+Date: Sun, 28 Jan 2018 16:59:48 -0800
+Subject: pinctrl: msm: Use dynamic GPIO numbering
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit a7aa75a2a7dba32594291a71c3704000a2fd7089 ]
+
+The base of the TLMM gpiochip should not be statically defined as 0, fix
+this to not artificially restrict the existence of multiple pinctrl-msm
+devices.
+
+Fixes: f365be092572 ("pinctrl: Add Qualcomm TLMM driver")
+Reported-by: Timur Tabi <timur@codeaurora.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/qcom/pinctrl-msm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/qcom/pinctrl-msm.c
++++ b/drivers/pinctrl/qcom/pinctrl-msm.c
+@@ -818,7 +818,7 @@ static int msm_gpio_init(struct msm_pinc
+ return -EINVAL;
+
+ chip = &pctrl->chip;
+- chip->base = 0;
++ chip->base = -1;
+ chip->ngpio = ngpio;
+ chip->label = dev_name(pctrl->dev);
+ chip->parent = pctrl->dev;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Takeshi Kihara <takeshi.kihara.df@renesas.com>
+Date: Fri, 16 Feb 2018 15:25:03 +0100
+Subject: pinctrl: sh-pfc: r8a7796: Fix MOD_SEL register pin assignment for SSI pins group
+
+From: Takeshi Kihara <takeshi.kihara.df@renesas.com>
+
+[ Upstream commit b418c4609d5052d174668ad6d13efe023c45c595 ]
+
+This patch fixes MOD_SEL1 bit20 and MOD_SEL2 bit20, bit21 pin assignment
+for SSI pins group.
+
+This is a correction to the incorrect implementation of MOD_SEL register
+pin assignment for R8A7796 SoC specification of R-Car Gen3 Hardware
+User's Manual Rev.0.51E or later.
+
+Fixes: f9aece7344bd ("pinctrl: sh-pfc: Initial R8A7796 PFC support")
+Signed-off-by: Takeshi Kihara <takeshi.kihara.df@renesas.com>
+Signed-off-by: Ulrich Hecht <ulrich.hecht+renesas@gmail.com>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/sh-pfc/pfc-r8a7796.c | 40 +++++++++++++++++------------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+--- a/drivers/pinctrl/sh-pfc/pfc-r8a7796.c
++++ b/drivers/pinctrl/sh-pfc/pfc-r8a7796.c
+@@ -1,7 +1,7 @@
+ /*
+ * R8A7796 processor support - PFC hardware block.
+ *
+- * Copyright (C) 2016 Renesas Electronics Corp.
++ * Copyright (C) 2016-2017 Renesas Electronics Corp.
+ *
+ * This file is based on the drivers/pinctrl/sh-pfc/pfc-r8a7795.c
+ *
+@@ -477,7 +477,7 @@ FM(IP16_31_28) IP16_31_28 FM(IP17_31_28)
+ #define MOD_SEL1_26 FM(SEL_TIMER_TMU_0) FM(SEL_TIMER_TMU_1)
+ #define MOD_SEL1_25_24 FM(SEL_SSP1_1_0) FM(SEL_SSP1_1_1) FM(SEL_SSP1_1_2) FM(SEL_SSP1_1_3)
+ #define MOD_SEL1_23_22_21 FM(SEL_SSP1_0_0) FM(SEL_SSP1_0_1) FM(SEL_SSP1_0_2) FM(SEL_SSP1_0_3) FM(SEL_SSP1_0_4) F_(0, 0) F_(0, 0) F_(0, 0)
+-#define MOD_SEL1_20 FM(SEL_SSI_0) FM(SEL_SSI_1)
++#define MOD_SEL1_20 FM(SEL_SSI1_0) FM(SEL_SSI1_1)
+ #define MOD_SEL1_19 FM(SEL_SPEED_PULSE_0) FM(SEL_SPEED_PULSE_1)
+ #define MOD_SEL1_18_17 FM(SEL_SIMCARD_0) FM(SEL_SIMCARD_1) FM(SEL_SIMCARD_2) FM(SEL_SIMCARD_3)
+ #define MOD_SEL1_16 FM(SEL_SDHI2_0) FM(SEL_SDHI2_1)
+@@ -1224,7 +1224,7 @@ static const u16 pinmux_data[] = {
+ PINMUX_IPSR_GPSR(IP13_11_8, HSCK0),
+ PINMUX_IPSR_MSEL(IP13_11_8, MSIOF1_SCK_D, SEL_MSIOF1_3),
+ PINMUX_IPSR_MSEL(IP13_11_8, AUDIO_CLKB_A, SEL_ADG_B_0),
+- PINMUX_IPSR_MSEL(IP13_11_8, SSI_SDATA1_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP13_11_8, SSI_SDATA1_B, SEL_SSI1_1),
+ PINMUX_IPSR_MSEL(IP13_11_8, TS_SCK0_D, SEL_TSIF0_3),
+ PINMUX_IPSR_MSEL(IP13_11_8, STP_ISCLK_0_D, SEL_SSP1_0_3),
+ PINMUX_IPSR_MSEL(IP13_11_8, RIF0_CLK_C, SEL_DRIF0_2),
+@@ -1232,14 +1232,14 @@ static const u16 pinmux_data[] = {
+
+ PINMUX_IPSR_GPSR(IP13_15_12, HRX0),
+ PINMUX_IPSR_MSEL(IP13_15_12, MSIOF1_RXD_D, SEL_MSIOF1_3),
+- PINMUX_IPSR_MSEL(IP13_15_12, SSI_SDATA2_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP13_15_12, SSI_SDATA2_B, SEL_SSI2_1),
+ PINMUX_IPSR_MSEL(IP13_15_12, TS_SDEN0_D, SEL_TSIF0_3),
+ PINMUX_IPSR_MSEL(IP13_15_12, STP_ISEN_0_D, SEL_SSP1_0_3),
+ PINMUX_IPSR_MSEL(IP13_15_12, RIF0_D0_C, SEL_DRIF0_2),
+
+ PINMUX_IPSR_GPSR(IP13_19_16, HTX0),
+ PINMUX_IPSR_MSEL(IP13_19_16, MSIOF1_TXD_D, SEL_MSIOF1_3),
+- PINMUX_IPSR_MSEL(IP13_19_16, SSI_SDATA9_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP13_19_16, SSI_SDATA9_B, SEL_SSI9_1),
+ PINMUX_IPSR_MSEL(IP13_19_16, TS_SDAT0_D, SEL_TSIF0_3),
+ PINMUX_IPSR_MSEL(IP13_19_16, STP_ISD_0_D, SEL_SSP1_0_3),
+ PINMUX_IPSR_MSEL(IP13_19_16, RIF0_D1_C, SEL_DRIF0_2),
+@@ -1247,7 +1247,7 @@ static const u16 pinmux_data[] = {
+ PINMUX_IPSR_GPSR(IP13_23_20, HCTS0_N),
+ PINMUX_IPSR_MSEL(IP13_23_20, RX2_B, SEL_SCIF2_1),
+ PINMUX_IPSR_MSEL(IP13_23_20, MSIOF1_SYNC_D, SEL_MSIOF1_3),
+- PINMUX_IPSR_MSEL(IP13_23_20, SSI_SCK9_A, SEL_SSI_0),
++ PINMUX_IPSR_MSEL(IP13_23_20, SSI_SCK9_A, SEL_SSI9_0),
+ PINMUX_IPSR_MSEL(IP13_23_20, TS_SPSYNC0_D, SEL_TSIF0_3),
+ PINMUX_IPSR_MSEL(IP13_23_20, STP_ISSYNC_0_D, SEL_SSP1_0_3),
+ PINMUX_IPSR_MSEL(IP13_23_20, RIF0_SYNC_C, SEL_DRIF0_2),
+@@ -1256,7 +1256,7 @@ static const u16 pinmux_data[] = {
+ PINMUX_IPSR_GPSR(IP13_27_24, HRTS0_N),
+ PINMUX_IPSR_MSEL(IP13_27_24, TX2_B, SEL_SCIF2_1),
+ PINMUX_IPSR_MSEL(IP13_27_24, MSIOF1_SS1_D, SEL_MSIOF1_3),
+- PINMUX_IPSR_MSEL(IP13_27_24, SSI_WS9_A, SEL_SSI_0),
++ PINMUX_IPSR_MSEL(IP13_27_24, SSI_WS9_A, SEL_SSI9_0),
+ PINMUX_IPSR_MSEL(IP13_27_24, STP_IVCXO27_0_D, SEL_SSP1_0_3),
+ PINMUX_IPSR_MSEL(IP13_27_24, BPFCLK_A, SEL_FM_0),
+ PINMUX_IPSR_GPSR(IP13_27_24, AUDIO_CLKOUT2_A),
+@@ -1271,7 +1271,7 @@ static const u16 pinmux_data[] = {
+ PINMUX_IPSR_MSEL(IP14_3_0, RX5_A, SEL_SCIF5_0),
+ PINMUX_IPSR_MSEL(IP14_3_0, NFWP_N_A, SEL_NDF_0),
+ PINMUX_IPSR_MSEL(IP14_3_0, AUDIO_CLKA_C, SEL_ADG_A_2),
+- PINMUX_IPSR_MSEL(IP14_3_0, SSI_SCK2_A, SEL_SSI_0),
++ PINMUX_IPSR_MSEL(IP14_3_0, SSI_SCK2_A, SEL_SSI2_0),
+ PINMUX_IPSR_MSEL(IP14_3_0, STP_IVCXO27_0_C, SEL_SSP1_0_2),
+ PINMUX_IPSR_GPSR(IP14_3_0, AUDIO_CLKOUT3_A),
+ PINMUX_IPSR_MSEL(IP14_3_0, TCLK1_B, SEL_TIMER_TMU_1),
+@@ -1280,7 +1280,7 @@ static const u16 pinmux_data[] = {
+ PINMUX_IPSR_MSEL(IP14_7_4, TX5_A, SEL_SCIF5_0),
+ PINMUX_IPSR_MSEL(IP14_7_4, MSIOF1_SS2_D, SEL_MSIOF1_3),
+ PINMUX_IPSR_MSEL(IP14_7_4, AUDIO_CLKC_A, SEL_ADG_C_0),
+- PINMUX_IPSR_MSEL(IP14_7_4, SSI_WS2_A, SEL_SSI_0),
++ PINMUX_IPSR_MSEL(IP14_7_4, SSI_WS2_A, SEL_SSI2_0),
+ PINMUX_IPSR_MSEL(IP14_7_4, STP_OPWM_0_D, SEL_SSP1_0_3),
+ PINMUX_IPSR_GPSR(IP14_7_4, AUDIO_CLKOUT_D),
+ PINMUX_IPSR_MSEL(IP14_7_4, SPEEDIN_B, SEL_SPEED_PULSE_1),
+@@ -1308,10 +1308,10 @@ static const u16 pinmux_data[] = {
+ PINMUX_IPSR_MSEL(IP14_31_28, MSIOF1_SS2_F, SEL_MSIOF1_5),
+
+ /* IPSR15 */
+- PINMUX_IPSR_MSEL(IP15_3_0, SSI_SDATA1_A, SEL_SSI_0),
++ PINMUX_IPSR_MSEL(IP15_3_0, SSI_SDATA1_A, SEL_SSI1_0),
+
+- PINMUX_IPSR_MSEL(IP15_7_4, SSI_SDATA2_A, SEL_SSI_0),
+- PINMUX_IPSR_MSEL(IP15_7_4, SSI_SCK1_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP15_7_4, SSI_SDATA2_A, SEL_SSI2_0),
++ PINMUX_IPSR_MSEL(IP15_7_4, SSI_SCK1_B, SEL_SSI1_1),
+
+ PINMUX_IPSR_GPSR(IP15_11_8, SSI_SCK349),
+ PINMUX_IPSR_MSEL(IP15_11_8, MSIOF1_SS1_A, SEL_MSIOF1_0),
+@@ -1397,11 +1397,11 @@ static const u16 pinmux_data[] = {
+ PINMUX_IPSR_MSEL(IP16_27_24, RIF1_D1_A, SEL_DRIF1_0),
+ PINMUX_IPSR_MSEL(IP16_27_24, RIF3_D1_A, SEL_DRIF3_0),
+
+- PINMUX_IPSR_MSEL(IP16_31_28, SSI_SDATA9_A, SEL_SSI_0),
++ PINMUX_IPSR_MSEL(IP16_31_28, SSI_SDATA9_A, SEL_SSI9_0),
+ PINMUX_IPSR_MSEL(IP16_31_28, HSCK2_B, SEL_HSCIF2_1),
+ PINMUX_IPSR_MSEL(IP16_31_28, MSIOF1_SS1_C, SEL_MSIOF1_2),
+ PINMUX_IPSR_MSEL(IP16_31_28, HSCK1_A, SEL_HSCIF1_0),
+- PINMUX_IPSR_MSEL(IP16_31_28, SSI_WS1_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP16_31_28, SSI_WS1_B, SEL_SSI1_1),
+ PINMUX_IPSR_GPSR(IP16_31_28, SCK1),
+ PINMUX_IPSR_MSEL(IP16_31_28, STP_IVCXO27_1_A, SEL_SSP1_1_0),
+ PINMUX_IPSR_MSEL(IP16_31_28, SCK5_A, SEL_SCIF5_0),
+@@ -1433,7 +1433,7 @@ static const u16 pinmux_data[] = {
+
+ PINMUX_IPSR_GPSR(IP17_19_16, USB1_PWEN),
+ PINMUX_IPSR_MSEL(IP17_19_16, SIM0_CLK_C, SEL_SIMCARD_2),
+- PINMUX_IPSR_MSEL(IP17_19_16, SSI_SCK1_A, SEL_SSI_0),
++ PINMUX_IPSR_MSEL(IP17_19_16, SSI_SCK1_A, SEL_SSI1_0),
+ PINMUX_IPSR_MSEL(IP17_19_16, TS_SCK0_E, SEL_TSIF0_4),
+ PINMUX_IPSR_MSEL(IP17_19_16, STP_ISCLK_0_E, SEL_SSP1_0_4),
+ PINMUX_IPSR_MSEL(IP17_19_16, FMCLK_B, SEL_FM_1),
+@@ -1443,7 +1443,7 @@ static const u16 pinmux_data[] = {
+
+ PINMUX_IPSR_GPSR(IP17_23_20, USB1_OVC),
+ PINMUX_IPSR_MSEL(IP17_23_20, MSIOF1_SS2_C, SEL_MSIOF1_2),
+- PINMUX_IPSR_MSEL(IP17_23_20, SSI_WS1_A, SEL_SSI_0),
++ PINMUX_IPSR_MSEL(IP17_23_20, SSI_WS1_A, SEL_SSI1_0),
+ PINMUX_IPSR_MSEL(IP17_23_20, TS_SDAT0_E, SEL_TSIF0_4),
+ PINMUX_IPSR_MSEL(IP17_23_20, STP_ISD_0_E, SEL_SSP1_0_4),
+ PINMUX_IPSR_MSEL(IP17_23_20, FMIN_B, SEL_FM_1),
+@@ -1453,7 +1453,7 @@ static const u16 pinmux_data[] = {
+
+ PINMUX_IPSR_GPSR(IP17_27_24, USB30_PWEN),
+ PINMUX_IPSR_GPSR(IP17_27_24, AUDIO_CLKOUT_B),
+- PINMUX_IPSR_MSEL(IP17_27_24, SSI_SCK2_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP17_27_24, SSI_SCK2_B, SEL_SSI2_1),
+ PINMUX_IPSR_MSEL(IP17_27_24, TS_SDEN1_D, SEL_TSIF1_3),
+ PINMUX_IPSR_MSEL(IP17_27_24, STP_ISEN_1_D, SEL_SSP1_1_3),
+ PINMUX_IPSR_MSEL(IP17_27_24, STP_OPWM_0_E, SEL_SSP1_0_4),
+@@ -1465,7 +1465,7 @@ static const u16 pinmux_data[] = {
+
+ PINMUX_IPSR_GPSR(IP17_31_28, USB30_OVC),
+ PINMUX_IPSR_GPSR(IP17_31_28, AUDIO_CLKOUT1_B),
+- PINMUX_IPSR_MSEL(IP17_31_28, SSI_WS2_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP17_31_28, SSI_WS2_B, SEL_SSI2_1),
+ PINMUX_IPSR_MSEL(IP17_31_28, TS_SPSYNC1_D, SEL_TSIF1_3),
+ PINMUX_IPSR_MSEL(IP17_31_28, STP_ISSYNC_1_D, SEL_SSP1_1_3),
+ PINMUX_IPSR_MSEL(IP17_31_28, STP_IVCXO27_0_E, SEL_SSP1_0_4),
+@@ -1476,7 +1476,7 @@ static const u16 pinmux_data[] = {
+ /* IPSR18 */
+ PINMUX_IPSR_GPSR(IP18_3_0, GP6_30),
+ PINMUX_IPSR_GPSR(IP18_3_0, AUDIO_CLKOUT2_B),
+- PINMUX_IPSR_MSEL(IP18_3_0, SSI_SCK9_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP18_3_0, SSI_SCK9_B, SEL_SSI9_1),
+ PINMUX_IPSR_MSEL(IP18_3_0, TS_SDEN0_E, SEL_TSIF0_4),
+ PINMUX_IPSR_MSEL(IP18_3_0, STP_ISEN_0_E, SEL_SSP1_0_4),
+ PINMUX_IPSR_MSEL(IP18_3_0, RIF2_D0_B, SEL_DRIF2_1),
+@@ -1486,7 +1486,7 @@ static const u16 pinmux_data[] = {
+
+ PINMUX_IPSR_GPSR(IP18_7_4, GP6_31),
+ PINMUX_IPSR_GPSR(IP18_7_4, AUDIO_CLKOUT3_B),
+- PINMUX_IPSR_MSEL(IP18_7_4, SSI_WS9_B, SEL_SSI_1),
++ PINMUX_IPSR_MSEL(IP18_7_4, SSI_WS9_B, SEL_SSI9_1),
+ PINMUX_IPSR_MSEL(IP18_7_4, TS_SPSYNC0_E, SEL_TSIF0_4),
+ PINMUX_IPSR_MSEL(IP18_7_4, STP_ISSYNC_0_E, SEL_SSP1_0_4),
+ PINMUX_IPSR_MSEL(IP18_7_4, RIF2_D1_B, SEL_DRIF2_1),
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 22 Feb 2018 14:38:33 +0000
+Subject: PKCS#7: fix direct verification of SignerInfo signature
+
+From: Eric Biggers <ebiggers@google.com>
+
+[ Upstream commit 6459ae386699a5fe0dc52cf30255f75274fa43a4 ]
+
+If none of the certificates in a SignerInfo's certificate chain match a
+trusted key, nor is the last certificate signed by a trusted key, then
+pkcs7_validate_trust_one() tries to check whether the SignerInfo's
+signature was made directly by a trusted key. But, it actually fails to
+set the 'sig' variable correctly, so it actually verifies the last
+signature seen. That will only be the SignerInfo's signature if the
+certificate chain is empty; otherwise it will actually be the last
+certificate's signature.
+
+This is not by itself a security problem, since verifying any of the
+certificates in the chain should be sufficient to verify the SignerInfo.
+Still, it's not working as intended so it should be fixed.
+
+Fix it by setting 'sig' correctly for the direct verification case.
+
+Fixes: 757932e6da6d ("PKCS#7: Handle PKCS#7 messages that contain no X.509 certs")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/asymmetric_keys/pkcs7_trust.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/crypto/asymmetric_keys/pkcs7_trust.c
++++ b/crypto/asymmetric_keys/pkcs7_trust.c
+@@ -106,6 +106,7 @@ static int pkcs7_validate_trust_one(stru
+ pr_devel("sinfo %u: Direct signer is key %x\n",
+ sinfo->index, key_serial(key));
+ x509 = NULL;
++ sig = sinfo->sig;
+ goto matched;
+ }
+ if (PTR_ERR(key) != -ENOKEY)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Ladislav Michl <ladis@linux-mips.org>
+Date: Thu, 22 Feb 2018 18:21:36 +0100
+Subject: power: supply: ltc2941-battery-gauge: Fix temperature units
+
+From: Ladislav Michl <ladis@linux-mips.org>
+
+[ Upstream commit dde5953f05a89eb63a0d666ffe51d447b2ac3e05 ]
+
+Temperature is measured in tenths of degree Celsius.
+
+Fixes: 085bc24d1553 ("Add LTC2941/LTC2943 Battery Gauge Driver")
+Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/ltc2941-battery-gauge.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/power/supply/ltc2941-battery-gauge.c
++++ b/drivers/power/supply/ltc2941-battery-gauge.c
+@@ -316,15 +316,15 @@ static int ltc294x_get_temperature(const
+
+ if (info->id == LTC2942_ID) {
+ reg = LTC2942_REG_TEMPERATURE_MSB;
+- value = 60000; /* Full-scale is 600 Kelvin */
++ value = 6000; /* Full-scale is 600 Kelvin */
+ } else {
+ reg = LTC2943_REG_TEMPERATURE_MSB;
+- value = 51000; /* Full-scale is 510 Kelvin */
++ value = 5100; /* Full-scale is 510 Kelvin */
+ }
+ ret = ltc294x_read_regs(info->client, reg, &datar[0], 2);
+ value *= (datar[0] << 8) | datar[1];
+- /* Convert to centidegrees */
+- *val = value / 0xFFFF - 27215;
++ /* Convert to tenths of degree Celsius */
++ *val = value / 0xFFFF - 2722;
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Thu, 5 Apr 2018 16:10:00 +1000
+Subject: powerpc/64s/idle: Fix restore of AMOR on POWER9 after deep sleep
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit c1b25a17d24925b0961c319cfc3fd7e1dc778914 ]
+
+POWER8 restores AMOR when waking from deep sleep, but POWER9 does not,
+because it does not go through the subcore restore.
+
+Have POWER9 restore it in core restore.
+
+Fixes: ee97b6b99f42 ("powerpc/mm/radix: Setup AMOR in HV mode to allow key 0")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/idle_book3s.S | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/kernel/idle_book3s.S
++++ b/arch/powerpc/kernel/idle_book3s.S
+@@ -838,6 +838,8 @@ BEGIN_FTR_SECTION
+ mtspr SPRN_PTCR,r4
+ ld r4,_RPR(r1)
+ mtspr SPRN_RPR,r4
++ ld r4,_AMOR(r1)
++ mtspr SPRN_AMOR,r4
+ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
+
+ ld r4,_TSCR(r1)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Tue, 27 Mar 2018 01:01:16 +1000
+Subject: powerpc/64s: sreset panic if there is no debugger or crash dump handlers
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit d40b6768e45bd9213139b2d91d30c7692b6007b1 ]
+
+system_reset_exception does most of its own crash handling now,
+invoking the debugger or crash dumps if they are registered. If not,
+then it goes through to die() to print stack traces, and then is
+supposed to panic (according to comments).
+
+However after die() prints oopses, it does its own handling which
+doesn't allow system_reset_exception to panic (e.g., it may just
+kill the current process). This patch causes sreset exceptions to
+return from die after it prints messages but before acting.
+
+This also stops die from invoking the debugger on 0x100 crashes.
+system_reset_exception similarly calls the debugger. It had been
+thought this was harmless (because if the debugger was disabled,
+neither call would fire, and if it was enabled the first call
+would return). However in some cases like xmon 'X' command, the
+debugger returns 0, which currently causes it to be entered
+again (first in system_reset_exception, then in die), which is
+confusing.
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/traps.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/traps.c
++++ b/arch/powerpc/kernel/traps.c
+@@ -182,6 +182,12 @@ static void oops_end(unsigned long flags
+ }
+ raw_local_irq_restore(flags);
+
++ /*
++ * system_reset_excption handles debugger, crash dump, panic, for 0x100
++ */
++ if (TRAP(regs) == 0x100)
++ return;
++
+ crash_fadump(regs, "die oops");
+
+ if (kexec_should_crash(current))
+@@ -246,8 +252,13 @@ void die(const char *str, struct pt_regs
+ {
+ unsigned long flags;
+
+- if (debugger(regs))
+- return;
++ /*
++ * system_reset_excption handles debugger, crash dump, panic, for 0x100
++ */
++ if (TRAP(regs) != 0x100) {
++ if (debugger(regs))
++ return;
++ }
+
+ flags = oops_begin(regs);
+ if (__die(str, regs, err))
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Mathieu Malaterre <malat@debian.org>
+Date: Sun, 25 Feb 2018 18:22:29 +0100
+Subject: powerpc: Add missing prototype for arch_irq_work_raise()
+
+From: Mathieu Malaterre <malat@debian.org>
+
+[ Upstream commit f5246862f82f1e16bbf84cda4cddf287672b30fe ]
+
+In commit 4f8b50bbbe63 ("irq_work, ppc: Fix up arch hooks") a new
+function arch_irq_work_raise() was added without a prototype in header
+irq_work.h.
+
+Fix the following warning (treated as error in W=1):
+ arch/powerpc/kernel/time.c:523:6: error: no previous prototype for ‘arch_irq_work_raise’
+
+Signed-off-by: Mathieu Malaterre <malat@debian.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/irq_work.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/include/asm/irq_work.h
++++ b/arch/powerpc/include/asm/irq_work.h
+@@ -6,5 +6,6 @@ static inline bool arch_irq_work_has_int
+ {
+ return true;
+ }
++extern void arch_irq_work_raise(void);
+
+ #endif /* _ASM_POWERPC_IRQ_WORK_H */
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Fri, 23 Feb 2018 12:55:59 -0800
+Subject: powerpc/boot: Fix random libfdt related build errors
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 64c3f648c25d108f346fdc96c15180c6b7d250e9 ]
+
+Once in a while I see build errors similar to the following
+when building images from a clean tree.
+
+ Building powerpc:virtex-ml507:44x/virtex5_defconfig ... failed
+ ------------
+ Error log:
+ arch/powerpc/boot/treeboot-akebono.c:37:20: fatal error:
+ libfdt.h: No such file or directory
+
+ Building powerpc:bamboo:smpdev:44x/bamboo_defconfig ... failed
+ ------------
+ Error log:
+ arch/powerpc/boot/treeboot-akebono.c:37:20: fatal error:
+ libfdt.h: No such file or directory
+
+ arch/powerpc/boot/treeboot-currituck.c:35:20: fatal error:
+ libfdt.h: No such file or directory
+
+Rebuilds will succeed.
+
+Turns out that several source files in arch/powerpc/boot/ include
+libfdt.h, but Makefile dependencies are incomplete. Let's fix that.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/boot/Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/boot/Makefile
++++ b/arch/powerpc/boot/Makefile
+@@ -101,7 +101,8 @@ $(addprefix $(obj)/,$(zlib-y)): \
+ libfdt := fdt.c fdt_ro.c fdt_wip.c fdt_sw.c fdt_rw.c fdt_strerror.c
+ libfdtheader := fdt.h libfdt.h libfdt_internal.h
+
+-$(addprefix $(obj)/,$(libfdt) libfdt-wrapper.o simpleboot.o epapr.o opal.o): \
++$(addprefix $(obj)/,$(libfdt) libfdt-wrapper.o simpleboot.o epapr.o opal.o \
++ treeboot-akebono.o treeboot-currituck.o treeboot-iss4xx.o): \
+ $(addprefix $(obj)/,$(libfdtheader))
+
+ src-wlib-y := string.S crt0.S stdio.c decompress.c main.c \
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Mark Lord <mlord@pobox.com>
+Date: Tue, 20 Feb 2018 14:49:20 -0500
+Subject: powerpc/bpf/jit: Fix 32-bit JIT for seccomp_data access
+
+From: Mark Lord <mlord@pobox.com>
+
+[ Upstream commit 083b20907185b076f21c265b30fe5b5f24c03d8c ]
+
+I am using SECCOMP to filter syscalls on a ppc32 platform, and noticed
+that the JIT compiler was failing on the BPF even though the
+interpreter was working fine.
+
+The issue was that the compiler was missing one of the instructions
+used by SECCOMP, so here is a patch to enable JIT for that
+instruction.
+
+Fixes: eb84bab0fb38 ("ppc: Kconfig: Enable BPF JIT on ppc32")
+Signed-off-by: Mark Lord <mlord@pobox.com>
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/net/bpf_jit_comp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/powerpc/net/bpf_jit_comp.c
++++ b/arch/powerpc/net/bpf_jit_comp.c
+@@ -329,6 +329,9 @@ static int bpf_jit_build_body(struct bpf
+ BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4);
+ PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, len));
+ break;
++ case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 *)(seccomp_data + K)); */
++ PPC_LWZ_OFFS(r_A, r_skb, K);
++ break;
+ case BPF_LDX | BPF_W | BPF_LEN: /* X = skb->len; */
+ PPC_LWZ_OFFS(r_X, r_skb, offsetof(struct sk_buff, len));
+ break;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Anshuman Khandual <khandual@linux.vnet.ibm.com>
+Date: Thu, 29 Mar 2018 11:53:37 +0530
+Subject: powerpc/fscr: Enable interrupts earlier before calling get_user()
+
+From: Anshuman Khandual <khandual@linux.vnet.ibm.com>
+
+[ Upstream commit 709b973c844c0b4d115ac3a227a2e5a68722c912 ]
+
+The function get_user() can sleep while trying to fetch instruction
+from user address space and causes the following warning from the
+scheduler.
+
+BUG: sleeping function called from invalid context
+
+Though interrupts get enabled back but it happens bit later after
+get_user() is called. This change moves enabling these interrupts
+earlier covering the function get_user(). While at this, lets check
+for kernel mode and crash as this interrupt should not have been
+triggered from the kernel context.
+
+Signed-off-by: Anshuman Khandual <khandual@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/traps.c | 32 +++++++++++++++++---------------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+--- a/arch/powerpc/kernel/traps.c
++++ b/arch/powerpc/kernel/traps.c
+@@ -1379,6 +1379,22 @@ void facility_unavailable_exception(stru
+ value = mfspr(SPRN_FSCR);
+
+ status = value >> 56;
++ if ((hv || status >= 2) &&
++ (status < ARRAY_SIZE(facility_strings)) &&
++ facility_strings[status])
++ facility = facility_strings[status];
++
++ /* We should not have taken this interrupt in kernel */
++ if (!user_mode(regs)) {
++ pr_emerg("Facility '%s' unavailable (%d) exception in kernel mode at %lx\n",
++ facility, status, regs->nip);
++ die("Unexpected facility unavailable exception", regs, SIGABRT);
++ }
++
++ /* We restore the interrupt state now */
++ if (!arch_irq_disabled_regs(regs))
++ local_irq_enable();
++
+ if (status == FSCR_DSCR_LG) {
+ /*
+ * User is accessing the DSCR register using the problem
+@@ -1445,25 +1461,11 @@ void facility_unavailable_exception(stru
+ return;
+ }
+
+- if ((hv || status >= 2) &&
+- (status < ARRAY_SIZE(facility_strings)) &&
+- facility_strings[status])
+- facility = facility_strings[status];
+-
+- /* We restore the interrupt state now */
+- if (!arch_irq_disabled_regs(regs))
+- local_irq_enable();
+-
+ pr_err_ratelimited("%sFacility '%s' unavailable (%d), exception at 0x%lx, MSR=%lx\n",
+ hv ? "Hypervisor " : "", facility, status, regs->nip, regs->msr);
+
+ out:
+- if (user_mode(regs)) {
+- _exception(SIGILL, regs, ILL_ILLOPC, regs->nip);
+- return;
+- }
+-
+- die("Unexpected facility unavailable exception", regs, SIGABRT);
++ _exception(SIGILL, regs, ILL_ILLOPC, regs->nip);
+ }
+ #endif
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Fri, 30 Mar 2018 23:27:25 +1100
+Subject: powerpc/mpic: Check if cpu_possible() in mpic_physmask()
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 0834d627fbea00c1444075eb3e448e1974da452d ]
+
+In mpic_physmask() we loop over all CPUs up to 32, then get the hard
+SMP processor id of that CPU.
+
+Currently that's possibly walking off the end of the paca array, but
+in a future patch we will change the paca array to be an array of
+pointers, and in that case we will get a NULL for missing CPUs and
+oops. eg:
+
+ Unable to handle kernel paging request for data at address 0x88888888888888b8
+ Faulting instruction address: 0xc00000000004e380
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ ...
+ NIP .mpic_set_affinity+0x60/0x1a0
+ LR .irq_do_set_affinity+0x48/0x100
+
+Fix it by checking the CPU is possible, this also fixes the code if
+there are gaps in the CPU numbering which probably never happens on
+mpic systems but who knows.
+
+Debugged-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/sysdev/mpic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/sysdev/mpic.c
++++ b/arch/powerpc/sysdev/mpic.c
+@@ -626,7 +626,7 @@ static inline u32 mpic_physmask(u32 cpum
+ int i;
+ u32 mask = 0;
+
+- for (i = 0; i < min(32, NR_CPUS); ++i, cpumask >>= 1)
++ for (i = 0; i < min(32, NR_CPUS) && cpu_possible(i); ++i, cpumask >>= 1)
+ mask |= (cpumask & 1) << get_hard_smp_processor_id(i);
+ return mask;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Wed, 21 Mar 2018 17:10:24 +0530
+Subject: powerpc/perf: Fix kernel address leak via sampling registers
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit e1ebd0e5b9d0a10ba65e63a3514b6da8c6a5a819 ]
+
+Current code in power_pmu_disable() does not clear the sampling
+registers like Sampling Instruction Address Register (SIAR) and
+Sampling Data Address Register (SDAR) after disabling the PMU. Since
+these are userspace readable and could contain kernel addresses, add
+code to explicitly clear the content of these registers.
+
+Also add a "context synchronizing instruction" to enforce no further
+updates to these registers as suggested by Power ISA v3.0B. From
+section 9.4, on page 1108:
+
+ "If an mtspr instruction is executed that changes the value of a
+ Performance Monitor register other than SIAR, SDAR, and SIER, the
+ change is not guaranteed to have taken effect until after a
+ subsequent context synchronizing instruction has been executed (see
+ Chapter 11. "Synchronization Requirements for Context Alterations"
+ on page 1133)."
+
+Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+[mpe: Massage change log and add ISA reference]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/perf/core-book3s.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/arch/powerpc/perf/core-book3s.c
++++ b/arch/powerpc/perf/core-book3s.c
+@@ -1236,6 +1236,7 @@ static void power_pmu_disable(struct pmu
+ */
+ write_mmcr0(cpuhw, val);
+ mb();
++ isync();
+
+ /*
+ * Disable instruction sampling if it was enabled
+@@ -1244,12 +1245,26 @@ static void power_pmu_disable(struct pmu
+ mtspr(SPRN_MMCRA,
+ cpuhw->mmcr[2] & ~MMCRA_SAMPLE_ENABLE);
+ mb();
++ isync();
+ }
+
+ cpuhw->disabled = 1;
+ cpuhw->n_added = 0;
+
+ ebb_switch_out(mmcr0);
++
++#ifdef CONFIG_PPC64
++ /*
++ * These are readable by userspace, may contain kernel
++ * addresses and are not switched by context switch, so clear
++ * them now to avoid leaking anything to userspace in general
++ * including to another process.
++ */
++ if (ppmu->flags & PPMU_ARCH_207S) {
++ mtspr(SPRN_SDAR, 0);
++ mtspr(SPRN_SIAR, 0);
++ }
++#endif
+ }
+
+ local_irq_restore(flags);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Date: Wed, 21 Mar 2018 17:10:25 +0530
+Subject: powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer
+
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+
+[ Upstream commit bb19af816025d495376bd76bf6fbcf4244f9a06d ]
+
+The current Branch History Rolling Buffer (BHRB) code does not check
+for any privilege levels before updating the data from BHRB. This
+could leak kernel addresses to userspace even when profiling only with
+userspace privileges. Add proper checks to prevent it.
+
+Acked-by: Balbir Singh <bsingharora@gmail.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/perf/core-book3s.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/powerpc/perf/core-book3s.c
++++ b/arch/powerpc/perf/core-book3s.c
+@@ -457,6 +457,16 @@ static void power_pmu_bhrb_read(struct c
+ /* invalid entry */
+ continue;
+
++ /*
++ * BHRB rolling buffer could very much contain the kernel
++ * addresses at this point. Check the privileges before
++ * exporting it to userspace (avoid exposure of regions
++ * where we could have speculative execution)
++ */
++ if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) &&
++ is_kernel_addr(addr))
++ continue;
++
+ /* Branches are read most recent first (ie. mfbhrb 0 is
+ * the most recent branch).
+ * There are two types of valid entries:
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Alistair Popple <alistair@popple.id.au>
+Date: Fri, 2 Mar 2018 16:18:45 +1100
+Subject: powerpc/powernv/npu: Fix deadlock in mmio_invalidate()
+
+From: Alistair Popple <alistair@popple.id.au>
+
+[ Upstream commit 2b74e2a9b39df40a2b489af2d24079617c61ee0e ]
+
+When sending TLB invalidates to the NPU we need to send extra flushes due
+to a hardware issue. The original implementation would lock the all the
+ATSD MMIO registers sequentially before unlocking and relocking each of
+them sequentially to do the extra flush.
+
+This introduced a deadlock as it is possible for one thread to hold one
+ATSD register whilst waiting for another register to be freed while the
+other thread is holding that register waiting for the one in the first
+thread to be freed.
+
+For example if there are two threads and two ATSD registers:
+
+ Thread A Thread B
+ ----------------------
+ Acquire 1
+ Acquire 2
+ Release 1 Acquire 1
+ Wait 1 Wait 2
+
+Both threads will be stuck waiting to acquire a register resulting in an
+RCU stall warning or soft lockup.
+
+This patch solves the deadlock by refactoring the code to ensure registers
+are not released between flushes and to ensure all registers are either
+acquired or released together and in order.
+
+Fixes: bbd5ff50afff ("powerpc/powernv/npu-dma: Add explicit flush when sending an ATSD")
+Signed-off-by: Alistair Popple <alistair@popple.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/npu-dma.c | 227 +++++++++++++++++++------------
+ 1 file changed, 140 insertions(+), 87 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/npu-dma.c
++++ b/arch/powerpc/platforms/powernv/npu-dma.c
+@@ -413,6 +413,11 @@ struct npu_context {
+ void *priv;
+ };
+
++struct mmio_atsd_reg {
++ struct npu *npu;
++ int reg;
++};
++
+ /*
+ * Find a free MMIO ATSD register and mark it in use. Return -ENOSPC
+ * if none are available.
+@@ -422,7 +427,7 @@ static int get_mmio_atsd_reg(struct npu
+ int i;
+
+ for (i = 0; i < npu->mmio_atsd_count; i++) {
+- if (!test_and_set_bit(i, &npu->mmio_atsd_usage))
++ if (!test_and_set_bit_lock(i, &npu->mmio_atsd_usage))
+ return i;
+ }
+
+@@ -431,86 +436,90 @@ static int get_mmio_atsd_reg(struct npu
+
+ static void put_mmio_atsd_reg(struct npu *npu, int reg)
+ {
+- clear_bit(reg, &npu->mmio_atsd_usage);
++ clear_bit_unlock(reg, &npu->mmio_atsd_usage);
+ }
+
+ /* MMIO ATSD register offsets */
+ #define XTS_ATSD_AVA 1
+ #define XTS_ATSD_STAT 2
+
+-static int mmio_launch_invalidate(struct npu *npu, unsigned long launch,
+- unsigned long va)
++static void mmio_launch_invalidate(struct mmio_atsd_reg *mmio_atsd_reg,
++ unsigned long launch, unsigned long va)
+ {
+- int mmio_atsd_reg;
+-
+- do {
+- mmio_atsd_reg = get_mmio_atsd_reg(npu);
+- cpu_relax();
+- } while (mmio_atsd_reg < 0);
++ struct npu *npu = mmio_atsd_reg->npu;
++ int reg = mmio_atsd_reg->reg;
+
+ __raw_writeq(cpu_to_be64(va),
+- npu->mmio_atsd_regs[mmio_atsd_reg] + XTS_ATSD_AVA);
++ npu->mmio_atsd_regs[reg] + XTS_ATSD_AVA);
+ eieio();
+- __raw_writeq(cpu_to_be64(launch), npu->mmio_atsd_regs[mmio_atsd_reg]);
+-
+- return mmio_atsd_reg;
++ __raw_writeq(cpu_to_be64(launch), npu->mmio_atsd_regs[reg]);
+ }
+
+-static int mmio_invalidate_pid(struct npu *npu, unsigned long pid, bool flush)
++static void mmio_invalidate_pid(struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS],
++ unsigned long pid, bool flush)
+ {
++ int i;
+ unsigned long launch;
+
+- /* IS set to invalidate matching PID */
+- launch = PPC_BIT(12);
++ for (i = 0; i <= max_npu2_index; i++) {
++ if (mmio_atsd_reg[i].reg < 0)
++ continue;
++
++ /* IS set to invalidate matching PID */
++ launch = PPC_BIT(12);
+
+- /* PRS set to process-scoped */
+- launch |= PPC_BIT(13);
++ /* PRS set to process-scoped */
++ launch |= PPC_BIT(13);
+
+- /* AP */
+- launch |= (u64) mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17);
++ /* AP */
++ launch |= (u64)
++ mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17);
+
+- /* PID */
+- launch |= pid << PPC_BITLSHIFT(38);
++ /* PID */
++ launch |= pid << PPC_BITLSHIFT(38);
+
+- /* No flush */
+- launch |= !flush << PPC_BITLSHIFT(39);
++ /* No flush */
++ launch |= !flush << PPC_BITLSHIFT(39);
+
+- /* Invalidating the entire process doesn't use a va */
+- return mmio_launch_invalidate(npu, launch, 0);
++ /* Invalidating the entire process doesn't use a va */
++ mmio_launch_invalidate(&mmio_atsd_reg[i], launch, 0);
++ }
+ }
+
+-static int mmio_invalidate_va(struct npu *npu, unsigned long va,
+- unsigned long pid, bool flush)
++static void mmio_invalidate_va(struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS],
++ unsigned long va, unsigned long pid, bool flush)
+ {
++ int i;
+ unsigned long launch;
+
+- /* IS set to invalidate target VA */
+- launch = 0;
++ for (i = 0; i <= max_npu2_index; i++) {
++ if (mmio_atsd_reg[i].reg < 0)
++ continue;
+
+- /* PRS set to process scoped */
+- launch |= PPC_BIT(13);
++ /* IS set to invalidate target VA */
++ launch = 0;
+
+- /* AP */
+- launch |= (u64) mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17);
++ /* PRS set to process scoped */
++ launch |= PPC_BIT(13);
+
+- /* PID */
+- launch |= pid << PPC_BITLSHIFT(38);
++ /* AP */
++ launch |= (u64)
++ mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17);
+
+- /* No flush */
+- launch |= !flush << PPC_BITLSHIFT(39);
++ /* PID */
++ launch |= pid << PPC_BITLSHIFT(38);
+
+- return mmio_launch_invalidate(npu, launch, va);
++ /* No flush */
++ launch |= !flush << PPC_BITLSHIFT(39);
++
++ mmio_launch_invalidate(&mmio_atsd_reg[i], launch, va);
++ }
+ }
+
+ #define mn_to_npu_context(x) container_of(x, struct npu_context, mn)
+
+-struct mmio_atsd_reg {
+- struct npu *npu;
+- int reg;
+-};
+-
+ static void mmio_invalidate_wait(
+- struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS], bool flush)
++ struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS])
+ {
+ struct npu *npu;
+ int i, reg;
+@@ -525,16 +534,67 @@ static void mmio_invalidate_wait(
+ reg = mmio_atsd_reg[i].reg;
+ while (__raw_readq(npu->mmio_atsd_regs[reg] + XTS_ATSD_STAT))
+ cpu_relax();
++ }
++}
++
++/*
++ * Acquires all the address translation shootdown (ATSD) registers required to
++ * launch an ATSD on all links this npu_context is active on.
++ */
++static void acquire_atsd_reg(struct npu_context *npu_context,
++ struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS])
++{
++ int i, j;
++ struct npu *npu;
++ struct pci_dev *npdev;
++ struct pnv_phb *nphb;
++
++ for (i = 0; i <= max_npu2_index; i++) {
++ mmio_atsd_reg[i].reg = -1;
++ for (j = 0; j < NV_MAX_LINKS; j++) {
++ /*
++ * There are no ordering requirements with respect to
++ * the setup of struct npu_context, but to ensure
++ * consistent behaviour we need to ensure npdev[][] is
++ * only read once.
++ */
++ npdev = READ_ONCE(npu_context->npdev[i][j]);
++ if (!npdev)
++ continue;
++
++ nphb = pci_bus_to_host(npdev->bus)->private_data;
++ npu = &nphb->npu;
++ mmio_atsd_reg[i].npu = npu;
++ mmio_atsd_reg[i].reg = get_mmio_atsd_reg(npu);
++ while (mmio_atsd_reg[i].reg < 0) {
++ mmio_atsd_reg[i].reg = get_mmio_atsd_reg(npu);
++ cpu_relax();
++ }
++ break;
++ }
++ }
++}
+
+- put_mmio_atsd_reg(npu, reg);
++/*
++ * Release previously acquired ATSD registers. To avoid deadlocks the registers
++ * must be released in the same order they were acquired above in
++ * acquire_atsd_reg.
++ */
++static void release_atsd_reg(struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS])
++{
++ int i;
+
++ for (i = 0; i <= max_npu2_index; i++) {
+ /*
+- * The GPU requires two flush ATSDs to ensure all entries have
+- * been flushed. We use PID 0 as it will never be used for a
+- * process on the GPU.
++ * We can't rely on npu_context->npdev[][] being the same here
++ * as when acquire_atsd_reg() was called, hence we use the
++ * values stored in mmio_atsd_reg during the acquire phase
++ * rather than re-reading npdev[][].
+ */
+- if (flush)
+- mmio_invalidate_pid(npu, 0, true);
++ if (mmio_atsd_reg[i].reg < 0)
++ continue;
++
++ put_mmio_atsd_reg(mmio_atsd_reg[i].npu, mmio_atsd_reg[i].reg);
+ }
+ }
+
+@@ -545,10 +605,6 @@ static void mmio_invalidate_wait(
+ static void mmio_invalidate(struct npu_context *npu_context, int va,
+ unsigned long address, bool flush)
+ {
+- int i, j;
+- struct npu *npu;
+- struct pnv_phb *nphb;
+- struct pci_dev *npdev;
+ struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS];
+ unsigned long pid = npu_context->mm->context.id;
+
+@@ -562,37 +618,25 @@ static void mmio_invalidate(struct npu_c
+ * Loop over all the NPUs this process is active on and launch
+ * an invalidate.
+ */
+- for (i = 0; i <= max_npu2_index; i++) {
+- mmio_atsd_reg[i].reg = -1;
+- for (j = 0; j < NV_MAX_LINKS; j++) {
+- npdev = npu_context->npdev[i][j];
+- if (!npdev)
+- continue;
++ acquire_atsd_reg(npu_context, mmio_atsd_reg);
++ if (va)
++ mmio_invalidate_va(mmio_atsd_reg, address, pid, flush);
++ else
++ mmio_invalidate_pid(mmio_atsd_reg, pid, flush);
+
+- nphb = pci_bus_to_host(npdev->bus)->private_data;
+- npu = &nphb->npu;
+- mmio_atsd_reg[i].npu = npu;
+-
+- if (va)
+- mmio_atsd_reg[i].reg =
+- mmio_invalidate_va(npu, address, pid,
+- flush);
+- else
+- mmio_atsd_reg[i].reg =
+- mmio_invalidate_pid(npu, pid, flush);
+-
+- /*
+- * The NPU hardware forwards the shootdown to all GPUs
+- * so we only have to launch one shootdown per NPU.
+- */
+- break;
+- }
++ mmio_invalidate_wait(mmio_atsd_reg);
++ if (flush) {
++ /*
++ * The GPU requires two flush ATSDs to ensure all entries have
++ * been flushed. We use PID 0 as it will never be used for a
++ * process on the GPU.
++ */
++ mmio_invalidate_pid(mmio_atsd_reg, 0, true);
++ mmio_invalidate_wait(mmio_atsd_reg);
++ mmio_invalidate_pid(mmio_atsd_reg, 0, true);
++ mmio_invalidate_wait(mmio_atsd_reg);
+ }
+-
+- mmio_invalidate_wait(mmio_atsd_reg, flush);
+- if (flush)
+- /* Wait for the flush to complete */
+- mmio_invalidate_wait(mmio_atsd_reg, false);
++ release_atsd_reg(mmio_atsd_reg);
+ }
+
+ static void pnv_npu2_mn_release(struct mmu_notifier *mn,
+@@ -735,7 +779,16 @@ struct npu_context *pnv_npu2_init_contex
+ if (WARN_ON(of_property_read_u32(nvlink_dn, "ibm,npu-link-index",
+ &nvlink_index)))
+ return ERR_PTR(-ENODEV);
+- npu_context->npdev[npu->index][nvlink_index] = npdev;
++
++ /*
++ * npdev is a pci_dev pointer setup by the PCI code. We assign it to
++ * npdev[][] to indicate to the mmu notifiers that an invalidation
++ * should also be sent over this nvlink. The notifiers don't use any
++ * other fields in npu_context, so we just need to ensure that when they
++ * deference npu_context->npdev[][] it is either a valid pointer or
++ * NULL.
++ */
++ WRITE_ONCE(npu_context->npdev[npu->index][nvlink_index], npdev);
+
+ return npu_context;
+ }
+@@ -774,7 +827,7 @@ void pnv_npu2_destroy_context(struct npu
+ if (WARN_ON(of_property_read_u32(nvlink_dn, "ibm,npu-link-index",
+ &nvlink_index)))
+ return;
+- npu_context->npdev[npu->index][nvlink_index] = NULL;
++ WRITE_ONCE(npu_context->npdev[npu->index][nvlink_index], NULL);
+ opal_npu_destroy_context(nphb->opal_id, npu_context->mm->context.id,
+ PCI_DEVID(gpdev->bus->number, gpdev->devfn));
+ kref_put(&npu_context->kref, pnv_npu2_release_context);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Date: Sun, 4 Mar 2018 23:00:25 +0530
+Subject: powerpc/xmon: Setup debugger hooks when first break-point is set
+
+From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+
+[ Upstream commit e1368d0c9edbc366e45216e7295fd61ae55c2b12 ]
+
+Presently sysrq key for xmon('x') is registered during kernel init
+irrespective of the value of kernel param 'xmon'. Thus xmon is enabled
+even if 'xmon=off' is passed on the kernel command line. However this
+doesn't enable the kernel debugger hooks needed for instruction or
+data breakpoints. Thus when a break-point is hit with xmon=off a
+kernel oops of the form below is reported:
+
+ Oops: Exception in kernel mode, sig: 5 [#1]
+ < snip >
+ Trace/breakpoint trap
+
+To fix this the patch checks and enables debugger hooks when an
+instruction or data break-point is set via xmon console.
+
+Signed-off-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Reviewed-by: Balbir Singh <bsingharora@gmail.com>
+[mpe: Just printf directly, no need for static const char[]]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/xmon/xmon.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/xmon/xmon.c
++++ b/arch/powerpc/xmon/xmon.c
+@@ -1246,6 +1246,16 @@ static long check_bp_loc(unsigned long a
+ return 1;
+ }
+
++/* Force enable xmon if not already enabled */
++static inline void force_enable_xmon(void)
++{
++ /* Enable xmon hooks if needed */
++ if (!xmon_on) {
++ printf("xmon: Enabling debugger hooks\n");
++ xmon_on = 1;
++ }
++}
++
+ static char *breakpoint_help_string =
+ "Breakpoint command usage:\n"
+ "b show breakpoints\n"
+@@ -1288,6 +1298,8 @@ bpt_cmds(void)
+ dabr.address &= ~HW_BRK_TYPE_DABR;
+ dabr.enabled = mode | BP_DABR;
+ }
++
++ force_enable_xmon();
+ break;
+
+ case 'i': /* bi - hardware instr breakpoint */
+@@ -1308,6 +1320,7 @@ bpt_cmds(void)
+ if (bp != NULL) {
+ bp->enabled |= BP_CIABR;
+ iabr = bp;
++ force_enable_xmon();
+ }
+ break;
+ #endif
+@@ -1372,8 +1385,10 @@ bpt_cmds(void)
+ if (!check_bp_loc(a))
+ break;
+ bp = new_breakpoint(a);
+- if (bp != NULL)
++ if (bp != NULL) {
+ bp->enabled |= BP_TRAP;
++ force_enable_xmon();
++ }
+ break;
+ }
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Jason Wang <jasowang@redhat.com>
+Date: Sun, 11 Feb 2018 11:28:12 +0800
+Subject: ptr_ring: prevent integer overflow when calculating size
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit 54e02162d4454a99227f520948bf4494c3d972d0 ]
+
+Switch to use dividing to prevent integer overflow when size is too
+big to calculate allocation size properly.
+
+Reported-by: Eric Biggers <ebiggers3@gmail.com>
+Fixes: 6e6e41c31122 ("ptr_ring: fail early if queue occupies more than KMALLOC_MAX_SIZE")
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/ptr_ring.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/ptr_ring.h
++++ b/include/linux/ptr_ring.h
+@@ -450,7 +450,7 @@ static inline int ptr_ring_consume_batch
+ */
+ static inline void **__ptr_ring_init_queue_alloc(unsigned int size, gfp_t gfp)
+ {
+- if (size * sizeof(void *) > KMALLOC_MAX_SIZE)
++ if (size > KMALLOC_MAX_SIZE / sizeof(void *))
+ return NULL;
+ return kvmalloc_array(size, sizeof(void *), gfp | __GFP_ZERO);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Michal Kalderon <Michal.Kalderon@cavium.com>
+Date: Mon, 5 Mar 2018 23:50:46 +0200
+Subject: qed: Free RoCE ILT Memory on rmmod qedr
+
+From: Michal Kalderon <Michal.Kalderon@cavium.com>
+
+[ Upstream commit 9de506a547c0d172d13a91d69b1a399e6a2c0efa ]
+
+Rdma requires ILT Memory to be allocated for it's QPs.
+Each ILT entry points to a page used by several Rdma QPs.
+To avoid allocating all the memory in advance, the rdma
+implementation dynamically allocates memory as more QPs are
+added, however it does not dynamically free the memory.
+The memory should have been freed on rmmod qedr, but isn't.
+This patch adds the memory freeing on rmmod qedr (currently
+it will be freed with qed is removed).
+
+An outcome of this bug, is that if qedr is unloaded and loaded
+without unloaded qed, there will be no more RoCE traffic.
+
+The reason these are related, is that the logic of detecting the
+first QP ever opened is by asking whether ILT memory for RoCE has
+been allocated.
+
+In addition, this patch modifies freeing of the Task context to
+always use the PROTOCOLID_ROCE and not the protocol passed,
+this is because task context for iWARP and ROCE both use the
+ROCE protocol id, as opposed to the connection context.
+
+Fixes: dbb799c39717 ("qed: Initialize hardware for new protocols")
+Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com>
+Signed-off-by: Ariel Elior <Ariel.Elior@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_cxt.c | 5 ++++-
+ drivers/net/ethernet/qlogic/qed/qed_rdma.c | 1 +
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+@@ -2471,7 +2471,10 @@ int qed_cxt_free_proto_ilt(struct qed_hw
+ if (rc)
+ return rc;
+
+- /* Free Task CXT */
++ /* Free Task CXT ( Intentionally RoCE as task-id is shared between
++ * RoCE and iWARP )
++ */
++ proto = PROTOCOLID_ROCE;
+ rc = qed_cxt_free_ilt_range(p_hwfn, QED_ELEM_TASK, 0,
+ qed_cxt_get_proto_tid_count(p_hwfn, proto));
+ if (rc)
+--- a/drivers/net/ethernet/qlogic/qed/qed_rdma.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
+@@ -360,6 +360,7 @@ static void qed_rdma_free(struct qed_hwf
+ DP_VERBOSE(p_hwfn, QED_MSG_RDMA, "Freeing RDMA\n");
+
+ qed_rdma_resc_free(p_hwfn);
++ qed_cxt_free_proto_ilt(p_hwfn, p_hwfn->p_rdma_info->proto);
+ }
+
+ static void qed_rdma_get_guid(struct qed_hwfn *p_hwfn, u8 *guid)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Manish Chopra <manish.chopra@cavium.com>
+Date: Wed, 28 Mar 2018 03:35:52 -0700
+Subject: qede: Do not drop rx-checksum invalidated packets.
+
+From: Manish Chopra <manish.chopra@cavium.com>
+
+[ Upstream commit 58f101bf87e32753342a6924772c6ebb0fbde24a ]
+
+Today, driver drops received packets which are indicated as
+invalid checksum by the device. Instead of dropping such packets,
+pass them to the stack with CHECKSUM_NONE indication in skb.
+
+Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
+Signed-off-by: Manish Chopra <manish.chopra@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_fp.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c
+@@ -1245,16 +1245,10 @@ static int qede_rx_process_cqe(struct qe
+
+ csum_flag = qede_check_csum(parse_flag);
+ if (unlikely(csum_flag == QEDE_CSUM_ERROR)) {
+- if (qede_pkt_is_ip_fragmented(fp_cqe, parse_flag)) {
++ if (qede_pkt_is_ip_fragmented(fp_cqe, parse_flag))
+ rxq->rx_ip_frags++;
+- } else {
+- DP_NOTICE(edev,
+- "CQE has error, flags = %x, dropping incoming packet\n",
+- parse_flag);
++ else
+ rxq->rx_hw_errors++;
+- qede_recycle_rx_bd_ring(rxq, fp_cqe->bd_num);
+- return 0;
+- }
+ }
+
+ /* Basic validation passed; Need to prepare an SKB. This would also
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Manish Chopra <manish.chopra@cavium.com>
+Date: Tue, 27 Mar 2018 06:34:41 -0700
+Subject: qede: Fix barrier usage after tx doorbell write.
+
+From: Manish Chopra <manish.chopra@cavium.com>
+
+[ Upstream commit b9fc828debc8ac2bb21b5819a44d2aea456f1c95 ]
+
+Since commit c5ad119fb6c09b0297446be05bd66602fa564758
+("net: sched: pfifo_fast use skb_array") driver is exposed
+to an issue where it is hitting NULL skbs while handling TX
+completions. Driver uses mmiowb() to flush the writes to the
+doorbell bar which is a write-combined bar, however on x86
+mmiowb() does not flush the write combined buffer.
+
+This patch fixes this problem by replacing mmiowb() with wmb()
+after the write combined doorbell write so that writes are
+flushed and synchronized from more than one processor.
+
+V1->V2:
+-------
+This patch was marked as "superseded" in patchwork.
+(Not really sure for what reason).Resending it as v2.
+
+Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
+Signed-off-by: Manish Chopra <manish.chopra@cavium.com>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_fp.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c
+@@ -320,13 +320,11 @@ static inline void qede_update_tx_produc
+ barrier();
+ writel(txq->tx_db.raw, txq->doorbell_addr);
+
+- /* mmiowb is needed to synchronize doorbell writes from more than one
+- * processor. It guarantees that the write arrives to the device before
+- * the queue lock is released and another start_xmit is called (possibly
+- * on another CPU). Without this barrier, the next doorbell can bypass
+- * this doorbell. This is applicable to IA64/Altix systems.
++ /* Fence required to flush the write combined buffer, since another
++ * CPU may write to the same doorbell address and data may be lost
++ * due to relaxed order nature of write combined bar.
+ */
+- mmiowb();
++ wmb();
+ }
+
+ static int qede_xdp_xmit(struct qede_dev *edev, struct qede_fastpath *fp,
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Ramon Fried <rfried@codeaurora.org>
+Date: Sun, 25 Feb 2018 09:49:37 +0200
+Subject: qrtr: add MODULE_ALIAS macro to smd
+
+From: Ramon Fried <rfried@codeaurora.org>
+
+[ Upstream commit c77f5fbbefc04612755117775e8555c2a7006cac ]
+
+Added MODULE_ALIAS("rpmsg:IPCRTR") to ensure qrtr-smd and qrtr will load
+when IPCRTR channel is detected.
+
+Signed-off-by: Ramon Fried <rfried@codeaurora.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/qrtr/smd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/qrtr/smd.c
++++ b/net/qrtr/smd.c
+@@ -114,5 +114,6 @@ static struct rpmsg_driver qcom_smd_qrtr
+
+ module_rpmsg_driver(qcom_smd_qrtr_driver);
+
++MODULE_ALIAS("rpmsg:IPCRTR");
+ MODULE_DESCRIPTION("Qualcomm IPC-Router SMD interface driver");
+ MODULE_LICENSE("GPL v2");
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 25 Feb 2018 19:12:10 -0800
+Subject: r8152: fix tx packets accounting
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4c27bf3c5b7434ccb9ab962301da661c26b467a4 ]
+
+r8152 driver handles TSO packets (limited to ~16KB) quite well,
+but pretends each TSO logical packet is a single packet on the wire.
+
+There is also some error since headers are accounted once, but
+error rate is small enough that we do not care.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/r8152.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -1793,7 +1793,7 @@ static int r8152_tx_agg_fill(struct r815
+
+ tx_data += len;
+ agg->skb_len += len;
+- agg->skb_num++;
++ agg->skb_num += skb_shinfo(skb)->gso_segs ?: 1;
+
+ dev_kfree_skb_any(skb);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Tejun Heo <tj@kernel.org>
+Date: Tue, 9 Jan 2018 10:38:17 -0800
+Subject: rcu: Call touch_nmi_watchdog() while printing stall warnings
+
+From: Tejun Heo <tj@kernel.org>
+
+[ Upstream commit 3caa973b7a260e7a2a69edc94c300ab9c65148c3 ]
+
+When RCU stall warning triggers, it can print out a lot of messages
+while holding spinlocks. If the console device is slow (e.g. an
+actual or IPMI serial console), it may end up triggering NMI hard
+lockup watchdog like the following.
+
+---
+ kernel/rcu/tree_plugin.h | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/kernel/rcu/tree_plugin.h
++++ b/kernel/rcu/tree_plugin.h
+@@ -559,8 +559,14 @@ static void rcu_print_detail_task_stall_
+ }
+ t = list_entry(rnp->gp_tasks->prev,
+ struct task_struct, rcu_node_entry);
+- list_for_each_entry_continue(t, &rnp->blkd_tasks, rcu_node_entry)
++ list_for_each_entry_continue(t, &rnp->blkd_tasks, rcu_node_entry) {
++ /*
++ * We could be printing a lot while holding a spinlock.
++ * Avoid triggering hard lockup.
++ */
++ touch_nmi_watchdog();
+ sched_show_task(t);
++ }
+ raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
+ }
+
+@@ -1677,6 +1683,12 @@ static void print_cpu_stall_info(struct
+ char *ticks_title;
+ unsigned long ticks_value;
+
++ /*
++ * We could be printing a lot while holding a spinlock. Avoid
++ * triggering hard lockup.
++ */
++ touch_nmi_watchdog();
++
+ if (rsp->gpnum == rdp->gpnum) {
+ ticks_title = "ticks this GP";
+ ticks_value = rdp->ticks_this_gp;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Devesh Sharma <devesh.sharma@broadcom.com>
+Date: Mon, 26 Feb 2018 01:51:38 -0800
+Subject: RDMA/bnxt_re: Fix incorrect DB offset calculation
+
+From: Devesh Sharma <devesh.sharma@broadcom.com>
+
+[ Upstream commit c354dff00db8df80f271418d8392065e10ffffb6 ]
+
+To support host systems with non 4K page size, l2_db_size shall be
+calculated with 4096 instead of PAGE_SIZE. Also, supply the host page size
+to FW during initialization.
+
+Signed-off-by: Devesh Sharma <devesh.sharma@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 6 +++++-
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 1 +
+ drivers/infiniband/hw/bnxt_re/qplib_sp.c | 3 ++-
+ drivers/infiniband/hw/bnxt_re/roce_hsi.h | 25 ++++++++++++++++++++++++-
+ 4 files changed, 32 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -457,7 +457,11 @@ int bnxt_qplib_init_rcfw(struct bnxt_qpl
+ int rc;
+
+ RCFW_CMD_PREP(req, INITIALIZE_FW, cmd_flags);
+-
++ /* Supply (log-base-2-of-host-page-size - base-page-shift)
++ * to bono to adjust the doorbell page sizes.
++ */
++ req.log2_dbr_pg_size = cpu_to_le16(PAGE_SHIFT -
++ RCFW_DBR_BASE_PAGE_SHIFT);
+ /*
+ * VFs need not setup the HW context area, PF
+ * shall setup this area for VF. Skipping the
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h
+@@ -49,6 +49,7 @@
+ #define RCFW_COMM_SIZE 0x104
+
+ #define RCFW_DBR_PCI_BAR_REGION 2
++#define RCFW_DBR_BASE_PAGE_SHIFT 12
+
+ #define RCFW_CMD_PREP(req, CMD, cmd_flags) \
+ do { \
+--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+@@ -130,7 +130,8 @@ int bnxt_qplib_get_dev_attr(struct bnxt_
+ attr->max_pkey = le32_to_cpu(sb->max_pkeys);
+
+ attr->max_inline_data = le32_to_cpu(sb->max_inline_data);
+- attr->l2_db_size = (sb->l2_db_space_size + 1) * PAGE_SIZE;
++ attr->l2_db_size = (sb->l2_db_space_size + 1) *
++ (0x01 << RCFW_DBR_BASE_PAGE_SHIFT);
+ attr->max_sgid = le32_to_cpu(sb->max_gid);
+
+ strlcpy(attr->fw_ver, "20.6.28.0", sizeof(attr->fw_ver));
+--- a/drivers/infiniband/hw/bnxt_re/roce_hsi.h
++++ b/drivers/infiniband/hw/bnxt_re/roce_hsi.h
+@@ -1734,7 +1734,30 @@ struct cmdq_initialize_fw {
+ #define CMDQ_INITIALIZE_FW_TIM_PG_SIZE_PG_2M (0x3UL << 4)
+ #define CMDQ_INITIALIZE_FW_TIM_PG_SIZE_PG_8M (0x4UL << 4)
+ #define CMDQ_INITIALIZE_FW_TIM_PG_SIZE_PG_1G (0x5UL << 4)
+- __le16 reserved16;
++ /* This value is (log-base-2-of-DBR-page-size - 12).
++ * 0 for 4KB. HW supported values are enumerated below.
++ */
++ __le16 log2_dbr_pg_size;
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_MASK 0xfUL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_SFT 0
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_4K 0x0UL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_8K 0x1UL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_16K 0x2UL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_32K 0x3UL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_64K 0x4UL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_128K 0x5UL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_256K 0x6UL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_512K 0x7UL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_1M 0x8UL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_2M 0x9UL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_4M 0xaUL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_8M 0xbUL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_16M 0xcUL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_32M 0xdUL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_64M 0xeUL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_128M 0xfUL
++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_LAST \
++ CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_128M
+ __le64 qpc_page_dir;
+ __le64 mrw_page_dir;
+ __le64 srq_page_dir;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+Date: Thu, 15 Feb 2018 21:20:12 -0800
+Subject: RDMA/bnxt_re: Fix system crash during load/unload
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit dcdaba08062b4726500b9456f8664bfda896c664 ]
+
+During driver unload, the driver proceeds with cleanup
+without waiting for the scheduled events. So the device
+pointers get freed up and driver crashes when the events
+are scheduled later.
+
+Flush the bnxt_re_task work queue before starting
+device removal.
+
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -1398,6 +1398,11 @@ static void __exit bnxt_re_mod_exit(void
+
+ list_for_each_entry(rdev, &to_be_deleted, list) {
+ dev_info(rdev_to_dev(rdev), "Unregistering Device");
++ /*
++ * Flush out any scheduled tasks before destroying the
++ * resources
++ */
++ flush_workqueue(bnxt_re_wq);
+ bnxt_re_dev_stop(rdev);
+ bnxt_re_ib_unreg(rdev, true);
+ bnxt_re_remove_one(rdev);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+Date: Mon, 26 Feb 2018 01:51:39 -0800
+Subject: RDMA/bnxt_re: Fix the ib_reg failure cleanup
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit 497158aa5f520db50452ef928c0f955cb42f2e77 ]
+
+Release the netdev references in the cleanup path. Invokes the cleanup
+routines if bnxt_re_ib_reg fails.
+
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -1240,9 +1240,12 @@ static void bnxt_re_task(struct work_str
+ switch (re_work->event) {
+ case NETDEV_REGISTER:
+ rc = bnxt_re_ib_reg(rdev);
+- if (rc)
++ if (rc) {
+ dev_err(rdev_to_dev(rdev),
+ "Failed to register with IB: %#x", rc);
++ bnxt_re_remove_one(rdev);
++ bnxt_re_dev_unreg(rdev);
++ }
+ break;
+ case NETDEV_UP:
+ bnxt_re_dispatch_event(&rdev->ibdev, NULL, 1,
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Devesh Sharma <devesh.sharma@broadcom.com>
+Date: Mon, 26 Feb 2018 01:51:37 -0800
+Subject: RDMA/bnxt_re: Unconditionly fence non wire memory operations
+
+From: Devesh Sharma <devesh.sharma@broadcom.com>
+
+[ Upstream commit a45bc17b360d75fac9ced85e99fda14bf38b4dc3 ]
+
+HW requires an unconditonal fence for all non-wire memory operations
+through SQ. This guarantees the completions of these memory operations.
+
+Signed-off-by: Devesh Sharma <devesh.sharma@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -1963,10 +1963,13 @@ static int bnxt_re_build_inv_wqe(struct
+ wqe->type = BNXT_QPLIB_SWQE_TYPE_LOCAL_INV;
+ wqe->local_inv.inv_l_key = wr->ex.invalidate_rkey;
+
++ /* Need unconditional fence for local invalidate
++ * opcode to work as expected.
++ */
++ wqe->flags |= BNXT_QPLIB_SWQE_FLAGS_UC_FENCE;
++
+ if (wr->send_flags & IB_SEND_SIGNALED)
+ wqe->flags |= BNXT_QPLIB_SWQE_FLAGS_SIGNAL_COMP;
+- if (wr->send_flags & IB_SEND_FENCE)
+- wqe->flags |= BNXT_QPLIB_SWQE_FLAGS_UC_FENCE;
+ if (wr->send_flags & IB_SEND_SOLICITED)
+ wqe->flags |= BNXT_QPLIB_SWQE_FLAGS_SOLICIT_EVENT;
+
+@@ -1987,8 +1990,12 @@ static int bnxt_re_build_reg_wqe(struct
+ wqe->frmr.levels = qplib_frpl->hwq.level + 1;
+ wqe->type = BNXT_QPLIB_SWQE_TYPE_REG_MR;
+
+- if (wr->wr.send_flags & IB_SEND_FENCE)
+- wqe->flags |= BNXT_QPLIB_SWQE_FLAGS_UC_FENCE;
++ /* Need unconditional fence for reg_mr
++ * opcode to function as expected.
++ */
++
++ wqe->flags |= BNXT_QPLIB_SWQE_FLAGS_UC_FENCE;
++
+ if (wr->wr.send_flags & IB_SEND_SIGNALED)
+ wqe->flags |= BNXT_QPLIB_SWQE_FLAGS_SIGNAL_COMP;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Devesh Sharma <devesh.sharma@broadcom.com>
+Date: Thu, 15 Feb 2018 21:20:10 -0800
+Subject: RDMA/bnxt_re: Unpin SQ and RQ memory if QP create fails
+
+From: Devesh Sharma <devesh.sharma@broadcom.com>
+
+[ Upstream commit 6b4521f5174c26020ae0deb3ef7f2c28557cf445 ]
+
+Driver leaves the QP memory pinned if QP create command
+fails from the FW. Avoids this scenario by adding a proper
+exit path if the FW command fails.
+
+Signed-off-by: Devesh Sharma <devesh.sharma@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -1180,7 +1180,7 @@ struct ib_qp *bnxt_re_create_qp(struct i
+ rc = bnxt_qplib_create_qp(&rdev->qplib_res, &qp->qplib_qp);
+ if (rc) {
+ dev_err(rdev_to_dev(rdev), "Failed to create HW QP");
+- goto fail;
++ goto free_umem;
+ }
+ }
+
+@@ -1208,6 +1208,13 @@ struct ib_qp *bnxt_re_create_qp(struct i
+ return &qp->ib_qp;
+ qp_destroy:
+ bnxt_qplib_destroy_qp(&rdev->qplib_res, &qp->qplib_qp);
++free_umem:
++ if (udata) {
++ if (qp->rumem)
++ ib_umem_release(qp->rumem);
++ if (qp->sumem)
++ ib_umem_release(qp->sumem);
++ }
+ fail:
+ kfree(qp);
+ return ERR_PTR(rc);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Kalderon, Michal" <Michal.Kalderon@cavium.com>
+Date: Mon, 5 Mar 2018 10:50:11 +0200
+Subject: RDMA/qedr: Fix iWARP write and send with immediate
+
+From: "Kalderon, Michal" <Michal.Kalderon@cavium.com>
+
+[ Upstream commit 551e1c67b4207455375a2e7a285dea1c7e8fc361 ]
+
+iWARP does not support RDMA WRITE or SEND with immediate data.
+Driver should check this before submitting to FW and return an
+immediate error
+
+Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com>
+Signed-off-by: Ariel Elior <Ariel.Elior@cavium.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/qedr/verbs.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/infiniband/hw/qedr/verbs.c
++++ b/drivers/infiniband/hw/qedr/verbs.c
+@@ -2832,6 +2832,11 @@ static int __qedr_post_send(struct ib_qp
+
+ switch (wr->opcode) {
+ case IB_WR_SEND_WITH_IMM:
++ if (unlikely(rdma_protocol_iwarp(&dev->ibdev, 1))) {
++ rc = -EINVAL;
++ *bad_wr = wr;
++ break;
++ }
+ wqe->req_type = RDMA_SQ_REQ_TYPE_SEND_WITH_IMM;
+ swqe = (struct rdma_sq_send_wqe_1st *)wqe;
+ swqe->wqe_size = 2;
+@@ -2873,6 +2878,11 @@ static int __qedr_post_send(struct ib_qp
+ break;
+
+ case IB_WR_RDMA_WRITE_WITH_IMM:
++ if (unlikely(rdma_protocol_iwarp(&dev->ibdev, 1))) {
++ rc = -EINVAL;
++ *bad_wr = wr;
++ break;
++ }
+ wqe->req_type = RDMA_SQ_REQ_TYPE_RDMA_WR_WITH_IMM;
+ rwqe = (struct rdma_sq_rdma_wqe_1st *)wqe;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Kalderon, Michal" <Michal.Kalderon@cavium.com>
+Date: Mon, 5 Mar 2018 10:50:10 +0200
+Subject: RDMA/qedr: Fix kernel panic when running fio over NFSoRDMA
+
+From: "Kalderon, Michal" <Michal.Kalderon@cavium.com>
+
+[ Upstream commit e3fd112cbf21d049faf64ba1471d72b93c22109a ]
+
+Race in qedr_poll_cq, lastest_cqe wasn't protected by lock,
+leading to a case where two context's accessing poll_cq at
+the same time lead to one of them having a pointer to an old
+latest_cqe and reading an invalid cqe element
+
+Signed-off-by: Amit Radzi <Amit.Radzi@cavium.com>
+Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com>
+Signed-off-by: Ariel Elior <Ariel.Elior@cavium.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/qedr/verbs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/qedr/verbs.c
++++ b/drivers/infiniband/hw/qedr/verbs.c
+@@ -3518,7 +3518,7 @@ int qedr_poll_cq(struct ib_cq *ibcq, int
+ {
+ struct qedr_dev *dev = get_qedr_dev(ibcq->device);
+ struct qedr_cq *cq = get_qedr_cq(ibcq);
+- union rdma_cqe *cqe = cq->latest_cqe;
++ union rdma_cqe *cqe;
+ u32 old_cons, new_cons;
+ unsigned long flags;
+ int update = 0;
+@@ -3535,6 +3535,7 @@ int qedr_poll_cq(struct ib_cq *ibcq, int
+ return qedr_gsi_poll_cq(ibcq, num_entries, wc);
+
+ spin_lock_irqsave(&cq->cq_lock, flags);
++ cqe = cq->latest_cqe;
+ old_cons = qed_chain_get_cons_idx_u32(&cq->pbl);
+ while (num_entries && is_valid_cqe(cq, cqe)) {
+ struct qedr_qp *qp;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Kalderon, Michal" <Michal.Kalderon@cavium.com>
+Date: Wed, 21 Mar 2018 14:51:50 +0200
+Subject: RDMA/qedr: fix QP's ack timeout configuration
+
+From: "Kalderon, Michal" <Michal.Kalderon@cavium.com>
+
+[ Upstream commit c3594f22302cca5e924e47ec1cc8edd265708f41 ]
+
+QPs that were configured with ack timeout value lower than 1
+msec will not implement re-transmission timeout.
+This means that if a packet / ACK were dropped, the QP
+will not retransmit this packet.
+
+This can lead to an application hang.
+
+Fixes: cecbcddf6 ("qedr: Add support for QP verbs")
+Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com>
+Signed-off-by: Ariel Elior <Ariel.Elior@cavium.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/qedr/verbs.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+--- a/drivers/infiniband/hw/qedr/verbs.c
++++ b/drivers/infiniband/hw/qedr/verbs.c
+@@ -1903,18 +1903,23 @@ int qedr_modify_qp(struct ib_qp *ibqp, s
+ SET_FIELD(qp_params.modify_flags,
+ QED_ROCE_MODIFY_QP_VALID_ACK_TIMEOUT, 1);
+
+- qp_params.ack_timeout = attr->timeout;
+- if (attr->timeout) {
+- u32 temp;
+-
+- temp = 4096 * (1UL << attr->timeout) / 1000 / 1000;
+- /* FW requires [msec] */
+- qp_params.ack_timeout = temp;
+- } else {
+- /* Infinite */
++ /* The received timeout value is an exponent used like this:
++ * "12.7.34 LOCAL ACK TIMEOUT
++ * Value representing the transport (ACK) timeout for use by
++ * the remote, expressed as: 4.096 * 2^timeout [usec]"
++ * The FW expects timeout in msec so we need to divide the usec
++ * result by 1000. We'll approximate 1000~2^10, and 4.096 ~ 2^2,
++ * so we get: 2^2 * 2^timeout / 2^10 = 2^(timeout - 8).
++ * The value of zero means infinite so we use a 'max_t' to make
++ * sure that sub 1 msec values will be configured as 1 msec.
++ */
++ if (attr->timeout)
++ qp_params.ack_timeout =
++ 1 << max_t(int, attr->timeout - 8, 0);
++ else
+ qp_params.ack_timeout = 0;
+- }
+ }
++
+ if (attr_mask & IB_QP_RETRY_CNT) {
+ SET_FIELD(qp_params.modify_flags,
+ QED_ROCE_MODIFY_QP_VALID_RETRY_CNT, 1);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Kalderon, Michal" <Michal.Kalderon@cavium.com>
+Date: Wed, 21 Mar 2018 14:51:52 +0200
+Subject: RDMA/qedr: Fix QP state initialization race
+
+From: "Kalderon, Michal" <Michal.Kalderon@cavium.com>
+
+[ Upstream commit caf61b1b8b88ccf1451f7321a176393797e8d292 ]
+
+Once the FW is transitioned to error, FLUSH cqes can be received.
+We want the driver to be aware of the fact that QP is already in error.
+
+Without this fix, a user may see false error messages in the dmesg log,
+mentioning that a FLUSH cqe was received while QP is not in error state.
+
+Fixes: cecbcddf ("qedr: Add support for QP verbs")
+Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com>
+Signed-off-by: Ariel Elior <Ariel.Elior@cavium.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/qedr/verbs.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/qedr/verbs.c
++++ b/drivers/infiniband/hw/qedr/verbs.c
+@@ -1663,14 +1663,15 @@ static void qedr_reset_qp_hwq_info(struc
+
+ static int qedr_update_qp_state(struct qedr_dev *dev,
+ struct qedr_qp *qp,
++ enum qed_roce_qp_state cur_state,
+ enum qed_roce_qp_state new_state)
+ {
+ int status = 0;
+
+- if (new_state == qp->state)
++ if (new_state == cur_state)
+ return 0;
+
+- switch (qp->state) {
++ switch (cur_state) {
+ case QED_ROCE_QP_STATE_RESET:
+ switch (new_state) {
+ case QED_ROCE_QP_STATE_INIT:
+@@ -1774,6 +1775,7 @@ int qedr_modify_qp(struct ib_qp *ibqp, s
+ struct qedr_dev *dev = get_qedr_dev(&qp->dev->ibdev);
+ const struct ib_global_route *grh = rdma_ah_read_grh(&attr->ah_attr);
+ enum ib_qp_state old_qp_state, new_qp_state;
++ enum qed_roce_qp_state cur_state;
+ int rc = 0;
+
+ DP_DEBUG(dev, QEDR_MSG_QP,
+@@ -1992,13 +1994,25 @@ int qedr_modify_qp(struct ib_qp *ibqp, s
+ qp->dest_qp_num = attr->dest_qp_num;
+ }
+
++ cur_state = qp->state;
++
++ /* Update the QP state before the actual ramrod to prevent a race with
++ * fast path. Modifying the QP state to error will cause the device to
++ * flush the CQEs and while polling the flushed CQEs will considered as
++ * a potential issue if the QP isn't in error state.
++ */
++ if ((attr_mask & IB_QP_STATE) && qp->qp_type != IB_QPT_GSI &&
++ !udata && qp_params.new_state == QED_ROCE_QP_STATE_ERR)
++ qp->state = QED_ROCE_QP_STATE_ERR;
++
+ if (qp->qp_type != IB_QPT_GSI)
+ rc = dev->ops->rdma_modify_qp(dev->rdma_ctx,
+ qp->qed_qp, &qp_params);
+
+ if (attr_mask & IB_QP_STATE) {
+ if ((qp->qp_type != IB_QPT_GSI) && (!udata))
+- rc = qedr_update_qp_state(dev, qp, qp_params.new_state);
++ rc = qedr_update_qp_state(dev, qp, cur_state,
++ qp_params.new_state);
+ qp->state = qp_params.new_state;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Kalderon, Michal" <Michal.Kalderon@cavium.com>
+Date: Wed, 21 Mar 2018 14:51:51 +0200
+Subject: RDMA/qedr: Fix rc initialization on CNQ allocation failure
+
+From: "Kalderon, Michal" <Michal.Kalderon@cavium.com>
+
+[ Upstream commit b15606f47b89b0b09936d7f45b59ba6275527041 ]
+
+Return code wasn't set properly when CNQ allocation failed.
+This only affect error message logging, currently user will
+receive an error message that says the qedr driver load failed
+with rc '0', instead of ENOMEM
+
+Fixes: ec72fce4 ("qedr: Add support for RoCE HW init")
+Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com>
+Signed-off-by: Ariel Elior <Ariel.Elior@cavium.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/qedr/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/qedr/main.c
++++ b/drivers/infiniband/hw/qedr/main.c
+@@ -782,7 +782,8 @@ static struct qedr_dev *qedr_add(struct
+
+ dev->num_cnq = dev->ops->rdma_get_min_cnq_msix(cdev);
+ if (!dev->num_cnq) {
+- DP_ERR(dev, "not enough CNQ resources.\n");
++ DP_ERR(dev, "Failed. At least one CNQ is required.\n");
++ rc = -ENOMEM;
+ goto init_err;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Chien Tin Tung <chien.tin.tung@intel.com>
+Date: Wed, 21 Mar 2018 13:09:25 -0500
+Subject: RDMA/ucma: Correct option size check using optlen
+
+From: Chien Tin Tung <chien.tin.tung@intel.com>
+
+[ Upstream commit 5f3e3b85cc0a5eae1c46d72e47d3de7bf208d9e2 ]
+
+The option size check is using optval instead of optlen
+causing the set option call to fail. Use the correct
+field, optlen, for size check.
+
+Fixes: 6a21dfc0d0db ("RDMA/ucma: Limit possible option size")
+Signed-off-by: Chien Tin Tung <chien.tin.tung@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/ucma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1315,7 +1315,7 @@ static ssize_t ucma_set_option(struct uc
+ if (IS_ERR(ctx))
+ return PTR_ERR(ctx);
+
+- if (unlikely(cmd.optval > KMALLOC_MAX_SIZE))
++ if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))
+ return -EINVAL;
+
+ optval = memdup_user((void __user *) (unsigned long) cmd.optval,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
+Date: Thu, 1 Mar 2018 21:07:18 -0800
+Subject: rds: Incorrect reference counting in TCP socket creation
+
+From: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
+
+[ Upstream commit 84eef2b2187ed73c0e4520cbfeb874e964a0b56a ]
+
+Commit 0933a578cd55 ("rds: tcp: use sock_create_lite() to create the
+accept socket") has a reference counting issue in TCP socket creation
+when accepting a new connection. The code uses sock_create_lite() to
+create a kernel socket. But it does not do __module_get() on the
+socket owner. When the connection is shutdown and sock_release() is
+called to free the socket, the owner's reference count is decremented
+and becomes incorrect. Note that this bug only shows up when the socket
+owner is configured as a kernel module.
+
+v2: Update comments
+
+Fixes: 0933a578cd55 ("rds: tcp: use sock_create_lite() to create the accept socket")
+Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/tcp_listen.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/net/rds/tcp_listen.c
++++ b/net/rds/tcp_listen.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2006 Oracle. All rights reserved.
++ * Copyright (c) 2006, 2018 Oracle. All rights reserved.
+ *
+ * This software is available to you under a choice of one of two
+ * licenses. You may choose to be licensed under the terms of the GNU
+@@ -142,12 +142,20 @@ int rds_tcp_accept_one(struct socket *so
+ if (ret)
+ goto out;
+
+- new_sock->type = sock->type;
+- new_sock->ops = sock->ops;
+ ret = sock->ops->accept(sock, new_sock, O_NONBLOCK, true);
+ if (ret < 0)
+ goto out;
+
++ /* sock_create_lite() does not get a hold on the owner module so we
++ * need to do it here. Note that sock_release() uses sock->ops to
++ * determine if it needs to decrement the reference count. So set
++ * sock->ops after calling accept() in case that fails. And there's
++ * no need to do try_module_get() as the listener should have a hold
++ * already.
++ */
++ new_sock->ops = sock->ops;
++ __module_get(new_sock->ops->owner);
++
+ ret = rds_tcp_keepalive(new_sock);
+ if (ret < 0)
+ goto out;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+Date: Mon, 12 Feb 2018 18:15:44 +0000
+Subject: regmap: Correct comparison in regmap_cached
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit 71df179363a5a733a8932e9afb869760d7559383 ]
+
+The cache pointer points to the actual memory used by the cache, as the
+comparison here is looking for the type of the cache it should check
+against cache_type.
+
+Fixes: 1ea975cf1ef5 ("regmap: Add a function to check if a regmap register is cached")
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/regmap/regmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -98,7 +98,7 @@ bool regmap_cached(struct regmap *map, u
+ int ret;
+ unsigned int val;
+
+- if (map->cache == REGCACHE_NONE)
++ if (map->cache_type == REGCACHE_NONE)
+ return false;
+
+ if (!map->cache_ops)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+Date: Tue, 13 Mar 2018 21:33:11 +0100
+Subject: regulator: gpio: Fix some error handling paths in 'gpio_regulator_probe()'
+
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ed8cffda27dea6fd3dafb3ee881c5a786edac9ca ]
+
+Re-order error handling code and gotos to avoid leaks in error handling
+paths.
+
+Fixes: 9f946099fe19 ("regulator: gpio: fix parsing of gpio list")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/gpio-regulator.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/regulator/gpio-regulator.c
++++ b/drivers/regulator/gpio-regulator.c
+@@ -271,8 +271,7 @@ static int gpio_regulator_probe(struct p
+ drvdata->desc.name = kstrdup(config->supply_name, GFP_KERNEL);
+ if (drvdata->desc.name == NULL) {
+ dev_err(&pdev->dev, "Failed to allocate supply name\n");
+- ret = -ENOMEM;
+- goto err;
++ return -ENOMEM;
+ }
+
+ if (config->nr_gpios != 0) {
+@@ -292,7 +291,7 @@ static int gpio_regulator_probe(struct p
+ dev_err(&pdev->dev,
+ "Could not obtain regulator setting GPIOs: %d\n",
+ ret);
+- goto err_memstate;
++ goto err_memgpio;
+ }
+ }
+
+@@ -303,7 +302,7 @@ static int gpio_regulator_probe(struct p
+ if (drvdata->states == NULL) {
+ dev_err(&pdev->dev, "Failed to allocate state data\n");
+ ret = -ENOMEM;
+- goto err_memgpio;
++ goto err_stategpio;
+ }
+ drvdata->nr_states = config->nr_states;
+
+@@ -324,7 +323,7 @@ static int gpio_regulator_probe(struct p
+ default:
+ dev_err(&pdev->dev, "No regulator type set\n");
+ ret = -EINVAL;
+- goto err_memgpio;
++ goto err_memstate;
+ }
+
+ /* build initial state from gpio init data. */
+@@ -361,22 +360,21 @@ static int gpio_regulator_probe(struct p
+ if (IS_ERR(drvdata->dev)) {
+ ret = PTR_ERR(drvdata->dev);
+ dev_err(&pdev->dev, "Failed to register regulator: %d\n", ret);
+- goto err_stategpio;
++ goto err_memstate;
+ }
+
+ platform_set_drvdata(pdev, drvdata);
+
+ return 0;
+
+-err_stategpio:
+- gpio_free_array(drvdata->gpios, drvdata->nr_gpios);
+ err_memstate:
+ kfree(drvdata->states);
++err_stategpio:
++ gpio_free_array(drvdata->gpios, drvdata->nr_gpios);
+ err_memgpio:
+ kfree(drvdata->gpios);
+ err_name:
+ kfree(drvdata->desc.name);
+-err:
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Fri, 26 Jan 2018 23:13:44 +0100
+Subject: regulator: of: Add a missing 'of_node_put()' in an error handling path of 'of_regulator_match()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 30966861a7a2051457be8c49466887d78cc47e97 ]
+
+If an unlikely failure in 'of_get_regulator_init_data()' occurs, we must
+release the reference on the current 'child' node before returning.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/of_regulator.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/regulator/of_regulator.c
++++ b/drivers/regulator/of_regulator.c
+@@ -305,6 +305,7 @@ int of_regulator_match(struct device *de
+ dev_err(dev,
+ "failed to parse DT for regulator %s\n",
+ child->name);
++ of_node_put(child);
+ return -EINVAL;
+ }
+ match->of_node = of_node_get(child);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 22 Feb 2018 20:55:28 +0100
+Subject: regulatory: add NUL to request alpha2
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 657308f73e674e86b60509a430a46e569bf02846 ]
+
+Similar to the ancient commit a5fe8e7695dc ("regulatory: add NUL
+to alpha2"), add another byte to alpha2 in the request struct so
+that when we use nla_put_string(), we don't overrun anything.
+
+Fixes: 73d54c9e74c4 ("cfg80211: add regulatory netlink multicast group")
+Reported-by: Kees Cook <keescook@google.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/regulatory.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/regulatory.h
++++ b/include/net/regulatory.h
+@@ -78,7 +78,7 @@ struct regulatory_request {
+ int wiphy_idx;
+ enum nl80211_reg_initiator initiator;
+ enum nl80211_user_reg_hint_type user_reg_hint_type;
+- char alpha2[2];
++ char alpha2[3];
+ enum nl80211_dfs_regions dfs_region;
+ bool intersect;
+ bool processed;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Wed, 14 Mar 2018 20:56:37 +0100
+Subject: remoteproc: imx_rproc: Fix an error handling path in 'imx_rproc_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit de6f83f85be94e0b7d0d324c29ccc9d78a6bb4e7 ]
+
+If 'of_device_get_match_data()' fails, we must undo the previous
+'rproc_alloc()' call.
+
+Fixes: a0ff4aa6f010 ("remoteproc: imx_rproc: add a NXP/Freescale imx_rproc driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/imx_rproc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/remoteproc/imx_rproc.c
++++ b/drivers/remoteproc/imx_rproc.c
+@@ -339,8 +339,10 @@ static int imx_rproc_probe(struct platfo
+ }
+
+ dcfg = of_device_get_match_data(dev);
+- if (!dcfg)
+- return -EINVAL;
++ if (!dcfg) {
++ ret = -EINVAL;
++ goto err_put_rproc;
++ }
+
+ priv = rproc->priv;
+ priv->rproc = rproc;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Amitkumar Karwar <amit.karwar@redpinesignals.com>
+Date: Tue, 20 Mar 2018 19:10:41 +0530
+Subject: rsi: fix kernel panic observed on 64bit machine
+
+From: Amitkumar Karwar <amit.karwar@redpinesignals.com>
+
+[ Upstream commit 864db4d5085349fcfa1f260b5bcd2adde3d7f2ed ]
+
+Following kernel panic is observed on 64bit machine while loading
+the driver. It is fixed if we pass dynamically allocated memory to
+SDIO for DMA.
+
+BUG: unable to handle kernel paging request at ffffeb04000172e0
+IP: sg_miter_stop+0x56/0x70
+PGD 0 P4D 0
+Oops: 0000 [#1] SMP PTI
+Modules linked in: rsi_sdio(OE+) rsi_91x(OE) btrsi(OE) rfcomm bluetooth
+ecdh_generic mac80211 mmc_block fuse xt_CHECKSUM iptable_mangle
+drm_kms_helper mmc_core serio_raw drm firewire_ohci tg3
+CPU: 0 PID: 4003 Comm: insmod Tainted: G OE 4.16.0-rc1+ #27
+Hardware name: Dell Inc. Latitude E5500 /0DW634, BIOS
+A19 06/13/2013
+RIP: 0010:sg_miter_stop+0x56/0x70
+RSP: 0018:ffff88007d003e78 EFLAGS: 00010002
+RAX: 0000000000000003 RBX: 0000000000000004 RCX: 0000000000000000
+RDX: ffffeb04000172c0 RSI: ffff88002f58002c RDI: ffff88007d003e80
+RBP: 0000000000000004 R08: ffff88007d003e80 R09: 0000000000000008
+R10: 0000000000000003 R11: 0000000000000001 R12: 0000000000000004
+R13: ffff88002f580028 R14: 0000000000000000 R15: 0000000000000004
+FS: 00007f35c29db700(0000) GS:ffff88007d000000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffeb04000172e0 CR3: 000000007038e000 CR4: 00000000000406f0
+Call Trace:
+<IRQ>
+sg_copy_buffer+0xc6/0xf0
+sdhci_tasklet_finish+0x170/0x260 [sdhci]
+tasklet_action+0xf4/0x100
+__do_softirq+0xef/0x26e
+irq_exit+0xbe/0xd0
+do_IRQ+0x4a/0xc0
+common_interrupt+0xa2/0xa2
+</IRQ>
+
+Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/rsi/rsi_91x_sdio.c | 32 +++++++++++++++++++++-----------
+ drivers/net/wireless/rsi/rsi_sdio.h | 2 ++
+ 2 files changed, 23 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c
++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c
+@@ -636,11 +636,14 @@ static int rsi_sdio_master_reg_read(stru
+ u32 *read_buf, u16 size)
+ {
+ u32 addr_on_bus, *data;
+- u32 align[2] = {};
+ u16 ms_addr;
+ int status;
+
+- data = PTR_ALIGN(&align[0], 8);
++ data = kzalloc(RSI_MASTER_REG_BUF_SIZE, GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
++
++ data = PTR_ALIGN(data, 8);
+
+ ms_addr = (addr >> 16);
+ status = rsi_sdio_master_access_msword(adapter, ms_addr);
+@@ -648,7 +651,7 @@ static int rsi_sdio_master_reg_read(stru
+ rsi_dbg(ERR_ZONE,
+ "%s: Unable to set ms word to common reg\n",
+ __func__);
+- return status;
++ goto err;
+ }
+ addr &= 0xFFFF;
+
+@@ -666,7 +669,7 @@ static int rsi_sdio_master_reg_read(stru
+ (u8 *)data, 4);
+ if (status < 0) {
+ rsi_dbg(ERR_ZONE, "%s: AHB register read failed\n", __func__);
+- return status;
++ goto err;
+ }
+ if (size == 2) {
+ if ((addr & 0x3) == 0)
+@@ -688,17 +691,23 @@ static int rsi_sdio_master_reg_read(stru
+ *read_buf = *data;
+ }
+
+- return 0;
++err:
++ kfree(data);
++ return status;
+ }
+
+ static int rsi_sdio_master_reg_write(struct rsi_hw *adapter,
+ unsigned long addr,
+ unsigned long data, u16 size)
+ {
+- unsigned long data1[2], *data_aligned;
++ unsigned long *data_aligned;
+ int status;
+
+- data_aligned = PTR_ALIGN(&data1[0], 8);
++ data_aligned = kzalloc(RSI_MASTER_REG_BUF_SIZE, GFP_KERNEL);
++ if (!data_aligned)
++ return -ENOMEM;
++
++ data_aligned = PTR_ALIGN(data_aligned, 8);
+
+ if (size == 2) {
+ *data_aligned = ((data << 16) | (data & 0xFFFF));
+@@ -717,6 +726,7 @@ static int rsi_sdio_master_reg_write(str
+ rsi_dbg(ERR_ZONE,
+ "%s: Unable to set ms word to common reg\n",
+ __func__);
++ kfree(data_aligned);
+ return -EIO;
+ }
+ addr = addr & 0xFFFF;
+@@ -726,12 +736,12 @@ static int rsi_sdio_master_reg_write(str
+ (adapter,
+ (addr | RSI_SD_REQUEST_MASTER),
+ (u8 *)data_aligned, size);
+- if (status < 0) {
++ if (status < 0)
+ rsi_dbg(ERR_ZONE,
+ "%s: Unable to do AHB reg write\n", __func__);
+- return status;
+- }
+- return 0;
++
++ kfree(data_aligned);
++ return status;
+ }
+
+ /**
+--- a/drivers/net/wireless/rsi/rsi_sdio.h
++++ b/drivers/net/wireless/rsi/rsi_sdio.h
+@@ -46,6 +46,8 @@ enum sdio_interrupt_type {
+ #define PKT_BUFF_AVAILABLE 1
+ #define FW_ASSERT_IND 2
+
++#define RSI_MASTER_REG_BUF_SIZE 12
++
+ #define RSI_DEVICE_BUFFER_STATUS_REGISTER 0xf3
+ #define RSI_FN1_INT_REGISTER 0xf9
+ #define RSI_SD_REQUEST_MASTER 0x10000
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: James Hogan <jhogan@kernel.org>
+Date: Tue, 16 Jan 2018 14:45:21 +0000
+Subject: rtc: goldfish: Add missing MODULE_LICENSE
+
+From: James Hogan <jhogan@kernel.org>
+
+[ Upstream commit 82d632b85eb89f97051530f556cb49ee1c04bde7 ]
+
+Fix the following warning in MIPS allmodconfig by adding a
+MODULE_LICENSE() at the end of rtc-goldfish.c, based on the file header
+comment which says GNU General Public License version 2:
+
+WARNING: modpost: missing MODULE_LICENSE() in drivers/rtc/rtc-goldfish.o
+
+Fixes: f22d9cdcb5eb ("rtc: goldfish: Add RTC driver for Android emulator")
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Cc: Miodrag Dinic <miodrag.dinic@mips.com>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Cc: linux-rtc@vger.kernel.org
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-goldfish.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/rtc/rtc-goldfish.c
++++ b/drivers/rtc/rtc-goldfish.c
+@@ -235,3 +235,5 @@ static struct platform_driver goldfish_r
+ };
+
+ module_platform_driver(goldfish_rtc);
++
++MODULE_LICENSE("GPL v2");
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Thu, 8 Mar 2018 23:27:31 +0100
+Subject: rtc: hctosys: Ensure system time doesn't overflow time_t
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit b3a5ac42ab18b7d1a8f2f072ca0ee76a3b754a43 ]
+
+On 32bit platforms, time_t is still a signed 32bit long. If it is
+overflowed, userspace and the kernel cant agree on the current system time.
+This causes multiple issues, in particular with systemd:
+https://github.com/systemd/systemd/issues/1143
+
+A good workaround is to simply avoid using hctosys which is something I
+greatly encourage as the time is better set by userspace.
+
+However, many distribution enable it and use systemd which is rendering the
+system unusable in case the RTC holds a date after 2038 (and more so after
+2106). Many drivers have workaround for this case and they should be
+eliminated so there is only one place left to fix when userspace is able to
+cope with dates after the 31bit overflow.
+
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/hctosys.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/rtc/hctosys.c
++++ b/drivers/rtc/hctosys.c
+@@ -49,6 +49,11 @@ static int __init rtc_hctosys(void)
+
+ tv64.tv_sec = rtc_tm_to_time64(&tm);
+
++#if BITS_PER_LONG == 32
++ if (tv64.tv_sec > INT_MAX)
++ goto err_read;
++#endif
++
+ err = do_settimeofday64(&tv64);
+
+ dev_info(rtc->dev.parent,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Sun, 25 Feb 2018 21:14:31 +0100
+Subject: rtc: m41t80: fix race conditions
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit 10d0c768cc6d581523d673b9d1b54213f8a5eb24 ]
+
+The IRQ is requested before the struct rtc is allocated and registered, but
+this struct is used in the IRQ handler, leading to:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000017c
+pgd = a38a2f9b
+[0000017c] *pgd=00000000
+Internal error: Oops: 5 [#1] ARM
+Modules linked in:
+CPU: 0 PID: 613 Comm: irq/48-m41t80 Not tainted 4.16.0-rc1+ #42
+Hardware name: Atmel SAMA5
+PC is at mutex_lock+0x14/0x38
+LR is at m41t80_handle_irq+0x1c/0x9c
+pc : [<c06e864c>] lr : [<c04b70f0>] psr: 20000013
+sp : dec73f30 ip : 00000000 fp : dec56d98
+r10: df437cf0 r9 : c0a03008 r8 : c0145ffc
+r7 : df5c4300 r6 : dec568d0 r5 : df593000 r4 : 0000017c
+r3 : df592800 r2 : 60000013 r1 : df593000 r0 : 0000017c
+Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 10c53c7d Table: 20004059 DAC: 00000051
+Process irq/48-m41t80 (pid: 613, stack limit = 0xb52d091e)
+Stack: (0xdec73f30 to 0xdec74000)
+3f20: dec56840 df5c4300 00000001 df5c4300
+3f40: c0145ffc c0146018 dec56840 ffffe000 00000001 c0146290 dec567c0 00000000
+3f60: c0146084 ed7c9a62 c014615c dec56d80 dec567c0 00000000 dec72000 dec56840
+3f80: c014615c c012ffc0 dec72000 dec567c0 c012fe80 00000000 00000000 00000000
+3fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
+3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 29282726 2d2c2b2a
+[<c06e864c>] (mutex_lock) from [<c04b70f0>] (m41t80_handle_irq+0x1c/0x9c)
+[<c04b70f0>] (m41t80_handle_irq) from [<c0146018>] (irq_thread_fn+0x1c/0x54)
+[<c0146018>] (irq_thread_fn) from [<c0146290>] (irq_thread+0x134/0x1c0)
+[<c0146290>] (irq_thread) from [<c012ffc0>] (kthread+0x140/0x148)
+[<c012ffc0>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
+Exception stack(0xdec73fb0 to 0xdec73ff8)
+3fa0: 00000000 00000000 00000000 00000000
+3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+Code: e3c33d7f e3c3303f f5d0f000 e593300c (e1901f9f)
+---[ end trace 22b027302eb7c604 ]---
+genirq: exiting task "irq/48-m41t80" (613) is an active IRQ thread (irq 48)
+
+Also, there is another possible race condition. The probe function is not
+allowed to fail after the RTC is registered because the following may
+happen:
+
+CPU0: CPU1:
+sys_load_module()
+ do_init_module()
+ do_one_initcall()
+ cmos_do_probe()
+ rtc_device_register()
+ __register_chrdev()
+ cdev->owner = struct module*
+ open("/dev/rtc0")
+ rtc_device_unregister()
+ module_put()
+ free_module()
+ module_free(mod->module_core)
+ /* struct module *module is now
+ freed */
+ chrdev_open()
+ spin_lock(cdev_lock)
+ cdev_get()
+ try_module_get()
+ module_is_live()
+ /* dereferences already
+ freed struct module* */
+
+Switch to devm_rtc_allocate_device/rtc_register_device to allocate the rtc
+before requesting the IRQ and register it as late as possible.
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-m41t80.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/drivers/rtc/rtc-m41t80.c
++++ b/drivers/rtc/rtc-m41t80.c
+@@ -885,7 +885,6 @@ static int m41t80_probe(struct i2c_clien
+ {
+ struct i2c_adapter *adapter = to_i2c_adapter(client->dev.parent);
+ int rc = 0;
+- struct rtc_device *rtc = NULL;
+ struct rtc_time tm;
+ struct m41t80_data *m41t80_data = NULL;
+ bool wakeup_source = false;
+@@ -909,6 +908,10 @@ static int m41t80_probe(struct i2c_clien
+ m41t80_data->features = id->driver_data;
+ i2c_set_clientdata(client, m41t80_data);
+
++ m41t80_data->rtc = devm_rtc_allocate_device(&client->dev);
++ if (IS_ERR(m41t80_data->rtc))
++ return PTR_ERR(m41t80_data->rtc);
++
+ #ifdef CONFIG_OF
+ wakeup_source = of_property_read_bool(client->dev.of_node,
+ "wakeup-source");
+@@ -932,15 +935,11 @@ static int m41t80_probe(struct i2c_clien
+ device_init_wakeup(&client->dev, true);
+ }
+
+- rtc = devm_rtc_device_register(&client->dev, client->name,
+- &m41t80_rtc_ops, THIS_MODULE);
+- if (IS_ERR(rtc))
+- return PTR_ERR(rtc);
++ m41t80_data->rtc->ops = &m41t80_rtc_ops;
+
+- m41t80_data->rtc = rtc;
+ if (client->irq <= 0) {
+ /* We cannot support UIE mode if we do not have an IRQ line */
+- rtc->uie_unsupported = 1;
++ m41t80_data->rtc->uie_unsupported = 1;
+ }
+
+ /* Make sure HT (Halt Update) bit is cleared */
+@@ -993,6 +992,11 @@ static int m41t80_probe(struct i2c_clien
+ if (m41t80_data->features & M41T80_FEATURE_SQ)
+ m41t80_sqw_register_clk(m41t80_data);
+ #endif
++
++ rc = rtc_register_device(m41t80_data->rtc);
++ if (rc)
++ return rc;
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Wed, 21 Feb 2018 11:57:05 +0100
+Subject: rtc: rk808: fix possible race condition
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit 201fac95e799c3d0304ec724d555e1251b9f6e84 ]
+
+The probe function is not allowed to fail after registering the RTC because
+the following may happen:
+
+CPU0: CPU1:
+sys_load_module()
+ do_init_module()
+ do_one_initcall()
+ cmos_do_probe()
+ rtc_device_register()
+ __register_chrdev()
+ cdev->owner = struct module*
+ open("/dev/rtc0")
+ rtc_device_unregister()
+ module_put()
+ free_module()
+ module_free(mod->module_core)
+ /* struct module *module is now
+ freed */
+ chrdev_open()
+ spin_lock(cdev_lock)
+ cdev_get()
+ try_module_get()
+ module_is_live()
+ /* dereferences already
+ freed struct module* */
+
+Switch to devm_rtc_allocate_device/rtc_register_device to register the rtc
+as late as possible.
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-rk808.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/rtc/rtc-rk808.c
++++ b/drivers/rtc/rtc-rk808.c
+@@ -416,12 +416,11 @@ static int rk808_rtc_probe(struct platfo
+
+ device_init_wakeup(&pdev->dev, 1);
+
+- rk808_rtc->rtc = devm_rtc_device_register(&pdev->dev, "rk808-rtc",
+- &rk808_rtc_ops, THIS_MODULE);
+- if (IS_ERR(rk808_rtc->rtc)) {
+- ret = PTR_ERR(rk808_rtc->rtc);
+- return ret;
+- }
++ rk808_rtc->rtc = devm_rtc_allocate_device(&pdev->dev);
++ if (IS_ERR(rk808_rtc->rtc))
++ return PTR_ERR(rk808_rtc->rtc);
++
++ rk808_rtc->rtc->ops = &rk808_rtc_ops;
+
+ rk808_rtc->irq = platform_get_irq(pdev, 0);
+ if (rk808_rtc->irq < 0) {
+@@ -438,9 +437,10 @@ static int rk808_rtc_probe(struct platfo
+ if (ret) {
+ dev_err(&pdev->dev, "Failed to request alarm IRQ %d: %d\n",
+ rk808_rtc->irq, ret);
++ return ret;
+ }
+
+- return ret;
++ return rtc_register_device(rk808_rtc->rtc);
+ }
+
+ static struct platform_driver rk808_rtc_driver = {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Mon, 12 Feb 2018 23:47:49 +0100
+Subject: rtc: rp5c01: fix possible race condition
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit bcdd559268039d8340d38fa58668393596e29fdc ]
+
+The probe function is not allowed to fail after registering the RTC because
+the following may happen:
+
+CPU0: CPU1:
+sys_load_module()
+ do_init_module()
+ do_one_initcall()
+ cmos_do_probe()
+ rtc_device_register()
+ __register_chrdev()
+ cdev->owner = struct module*
+ open("/dev/rtc0")
+ rtc_device_unregister()
+ module_put()
+ free_module()
+ module_free(mod->module_core)
+ /* struct module *module is now
+ freed */
+ chrdev_open()
+ spin_lock(cdev_lock)
+ cdev_get()
+ try_module_get()
+ module_is_live()
+ /* dereferences already
+ freed struct module* */
+
+Switch to devm_rtc_allocate_device/rtc_register_device to register the rtc
+as late as possible.
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-rp5c01.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/rtc-rp5c01.c
++++ b/drivers/rtc/rtc-rp5c01.c
+@@ -249,16 +249,24 @@ static int __init rp5c01_rtc_probe(struc
+
+ platform_set_drvdata(dev, priv);
+
+- rtc = devm_rtc_device_register(&dev->dev, "rtc-rp5c01", &rp5c01_rtc_ops,
+- THIS_MODULE);
++ rtc = devm_rtc_allocate_device(&dev->dev);
+ if (IS_ERR(rtc))
+ return PTR_ERR(rtc);
++
++ rtc->ops = &rp5c01_rtc_ops;
++
+ priv->rtc = rtc;
+
+ error = sysfs_create_bin_file(&dev->dev.kobj, &priv->nvram_attr);
+ if (error)
+ return error;
+
++ error = rtc_register_device(rtc);
++ if (error) {
++ sysfs_remove_bin_file(&dev->dev.kobj, &priv->nvram_attr);
++ return error;
++ }
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Bryan O'Donoghue <pure.logic@nexus-software.ie>
+Date: Wed, 28 Mar 2018 20:14:05 +0100
+Subject: rtc: snvs: Fix usage of snvs_rtc_enable
+
+From: Bryan O'Donoghue <pure.logic@nexus-software.ie>
+
+[ Upstream commit 1485991c024603b2fb4ae77beb7a0d741128a48e ]
+
+commit 179a502f8c46 ("rtc: snvs: add Freescale rtc-snvs driver") introduces
+the SNVS RTC driver with a function snvs_rtc_enable().
+
+snvs_rtc_enable() can return an error on the enable path however this
+driver does not currently trap that failure on the probe() path and
+consequently if enabling the RTC fails we encounter a later error spinning
+forever in rtc_write_sync_lp().
+
+[ 36.093481] [<c010d630>] (__irq_svc) from [<c0c2e9ec>] (_raw_spin_unlock_irqrestore+0x34/0x44)
+[ 36.102122] [<c0c2e9ec>] (_raw_spin_unlock_irqrestore) from [<c072e32c>] (regmap_read+0x4c/0x5c)
+[ 36.110938] [<c072e32c>] (regmap_read) from [<c085d0f4>] (rtc_write_sync_lp+0x6c/0x98)
+[ 36.118881] [<c085d0f4>] (rtc_write_sync_lp) from [<c085d160>] (snvs_rtc_alarm_irq_enable+0x40/0x4c)
+[ 36.128041] [<c085d160>] (snvs_rtc_alarm_irq_enable) from [<c08567b4>] (rtc_timer_do_work+0xd8/0x1a8)
+[ 36.137291] [<c08567b4>] (rtc_timer_do_work) from [<c01441b8>] (process_one_work+0x28c/0x76c)
+[ 36.145840] [<c01441b8>] (process_one_work) from [<c01446cc>] (worker_thread+0x34/0x58c)
+[ 36.153961] [<c01446cc>] (worker_thread) from [<c014aee4>] (kthread+0x138/0x150)
+[ 36.161388] [<c014aee4>] (kthread) from [<c0107e14>] (ret_from_fork+0x14/0x20)
+[ 36.168635] rcu_sched kthread starved for 2602 jiffies! g496 c495 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=0
+[ 36.178564] rcu_sched R running task 0 8 2 0x00000000
+[ 36.185664] [<c0c288b0>] (__schedule) from [<c0c29134>] (schedule+0x3c/0xa0)
+[ 36.192739] [<c0c29134>] (schedule) from [<c0c2db80>] (schedule_timeout+0x78/0x4e0)
+[ 36.200422] [<c0c2db80>] (schedule_timeout) from [<c01a7ab0>] (rcu_gp_kthread+0x648/0x1864)
+[ 36.208800] [<c01a7ab0>] (rcu_gp_kthread) from [<c014aee4>] (kthread+0x138/0x150)
+[ 36.216309] [<c014aee4>] (kthread) from [<c0107e14>] (ret_from_fork+0x14/0x20)
+
+This patch fixes by parsing the result of rtc_write_sync_lp() and
+propagating both in the probe and elsewhere. If the RTC doesn't start we
+don't proceed loading the driver and don't get into this loop mess later
+on.
+
+Fixes: 179a502f8c46 ("rtc: snvs: add Freescale rtc-snvs driver")
+Signed-off-by: Bryan O'Donoghue <pure.logic@nexus-software.ie>
+Acked-by: Shawn Guo <shawn.guo@linaro.org>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-snvs.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/rtc/rtc-snvs.c
++++ b/drivers/rtc/rtc-snvs.c
+@@ -132,20 +132,23 @@ static int snvs_rtc_set_time(struct devi
+ {
+ struct snvs_rtc_data *data = dev_get_drvdata(dev);
+ unsigned long time;
++ int ret;
+
+ rtc_tm_to_time(tm, &time);
+
+ /* Disable RTC first */
+- snvs_rtc_enable(data, false);
++ ret = snvs_rtc_enable(data, false);
++ if (ret)
++ return ret;
+
+ /* Write 32-bit time to 47-bit timer, leaving 15 LSBs blank */
+ regmap_write(data->regmap, data->offset + SNVS_LPSRTCLR, time << CNTR_TO_SECS_SH);
+ regmap_write(data->regmap, data->offset + SNVS_LPSRTCMR, time >> (32 - CNTR_TO_SECS_SH));
+
+ /* Enable RTC again */
+- snvs_rtc_enable(data, true);
++ ret = snvs_rtc_enable(data, true);
+
+- return 0;
++ return ret;
+ }
+
+ static int snvs_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
+@@ -288,7 +291,11 @@ static int snvs_rtc_probe(struct platfor
+ regmap_write(data->regmap, data->offset + SNVS_LPSR, 0xffffffff);
+
+ /* Enable RTC */
+- snvs_rtc_enable(data, true);
++ ret = snvs_rtc_enable(data, true);
++ if (ret) {
++ dev_err(&pdev->dev, "failed to enable rtc %d\n", ret);
++ goto error_rtc_device_register;
++ }
+
+ device_init_wakeup(&pdev->dev, true);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 15 Feb 2018 19:36:14 +0000
+Subject: rtc: tx4939: avoid unintended sign extension on a 24 bit shift
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 347876ad47b9923ce26e686173bbf46581802ffa ]
+
+The shifting of buf[5] by 24 bits to the left will be promoted to
+a 32 bit signed int and then sign-extended to an unsigned long. If
+the top bit of buf[5] is set then all then all the upper bits sec
+end up as also being set because of the sign-extension. Fix this by
+casting buf[5] to an unsigned long before the shift.
+
+Detected by CoverityScan, CID#1465292 ("Unintended sign extension")
+
+Fixes: 0e1492330cd2 ("rtc: add rtc-tx4939 driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-tx4939.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/rtc-tx4939.c
++++ b/drivers/rtc/rtc-tx4939.c
+@@ -86,7 +86,8 @@ static int tx4939_rtc_read_time(struct d
+ for (i = 2; i < 6; i++)
+ buf[i] = __raw_readl(&rtcreg->dat);
+ spin_unlock_irq(&pdata->lock);
+- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2];
++ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) |
++ (buf[3] << 8) | buf[2];
+ rtc_time_to_tm(sec, tm);
+ return rtc_valid_tm(tm);
+ }
+@@ -147,7 +148,8 @@ static int tx4939_rtc_read_alarm(struct
+ alrm->enabled = (ctl & TX4939_RTCCTL_ALME) ? 1 : 0;
+ alrm->pending = (ctl & TX4939_RTCCTL_ALMD) ? 1 : 0;
+ spin_unlock_irq(&pdata->lock);
+- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2];
++ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) |
++ (buf[3] << 8) | buf[2];
+ rtc_time_to_tm(sec, &alrm->time);
+ return rtc_valid_tm(&alrm->time);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 30 Mar 2018 21:04:44 +0100
+Subject: rxrpc: Don't treat call aborts as conn aborts
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 57b0c9d49b94bbeb53649b7fbd264603c1ebd585 ]
+
+If a call-level abort is received for the previous call to complete on a
+connection channel, then that abort is queued for the connection processor
+to handle. Unfortunately, the connection processor then assumes without
+checking that the abort is connection-level (ie. callNumber is 0) and
+distributes it over all active calls on that connection, thereby
+incorrectly aborting them.
+
+Fix this by discarding aborts aimed at a completed call.
+
+Further, discard all packets aimed at a call that's complete if there's
+currently an active call on a channel, since the DATA packets associated
+with the new call automatically terminate the old call.
+
+Fixes: 18bfeba50dfd ("rxrpc: Perform terminal call ACK/ABORT retransmission from conn processor")
+Reported-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/input.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -1175,16 +1175,19 @@ void rxrpc_data_ready(struct sock *udp_s
+ goto discard_unlock;
+
+ if (sp->hdr.callNumber == chan->last_call) {
+- /* For the previous service call, if completed successfully, we
+- * discard all further packets.
++ if (chan->call ||
++ sp->hdr.type == RXRPC_PACKET_TYPE_ABORT)
++ goto discard_unlock;
++
++ /* For the previous service call, if completed
++ * successfully, we discard all further packets.
+ */
+ if (rxrpc_conn_is_service(conn) &&
+- (chan->last_type == RXRPC_PACKET_TYPE_ACK ||
+- sp->hdr.type == RXRPC_PACKET_TYPE_ABORT))
++ chan->last_type == RXRPC_PACKET_TYPE_ACK)
+ goto discard_unlock;
+
+- /* But otherwise we need to retransmit the final packet from
+- * data cached in the connection record.
++ /* But otherwise we need to retransmit the final packet
++ * from data cached in the connection record.
+ */
+ rxrpc_post_packet_to_conn(conn, skb);
+ goto out_unlock;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 30 Mar 2018 21:04:43 +0100
+Subject: rxrpc: Fix Tx ring annotation after initial Tx failure
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 03877bf6a30cca7d4bc3ffabd3c3e9464a7a1a19 ]
+
+rxrpc calls have a ring of packets that are awaiting ACK or retransmission
+and a parallel ring of annotations that tracks the state of those packets.
+If the initial transmission of a packet on the underlying UDP socket fails
+then the packet annotation is marked for resend - but the setting of this
+mark accidentally erases the last-packet mark also stored in the same
+annotation slot. If this happens, a call won't switch out of the Tx phase
+when all the packets have been transmitted.
+
+Fix this by retaining the last-packet mark and only altering the packet
+state.
+
+Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/sendmsg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/rxrpc/sendmsg.c
++++ b/net/rxrpc/sendmsg.c
+@@ -92,7 +92,9 @@ static inline void rxrpc_instant_resend(
+ spin_lock_bh(&call->lock);
+
+ if (call->state < RXRPC_CALL_COMPLETE) {
+- call->rxtx_annotations[ix] = RXRPC_TX_ANNO_RETRANS;
++ call->rxtx_annotations[ix] =
++ (call->rxtx_annotations[ix] & RXRPC_TX_ANNO_LAST) |
++ RXRPC_TX_ANNO_RETRANS;
+ if (!test_and_set_bit(RXRPC_CALL_EV_RESEND, &call->events))
+ rxrpc_queue_call(call);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 15 Feb 2018 22:59:00 +0000
+Subject: rxrpc: Work around usercopy check
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit a16b8d0cf2ec1e626d24bc2a7b9e64ace6f7501d ]
+
+Due to a check recently added to copy_to_user(), it's now not permitted to
+copy from slab-held data to userspace unless the slab is whitelisted. This
+affects rxrpc_recvmsg() when it attempts to place an RXRPC_USER_CALL_ID
+control message in the userspace control message buffer. A warning is
+generated by usercopy_warn() because the source is the copy of the
+user_call_ID retained in the rxrpc_call struct.
+
+Work around the issue by copying the user_call_ID to a variable on the
+stack and passing that to put_cmsg().
+
+The warning generated looks like:
+
+ Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'dmaengine-unmap-128' (offset 680, size 8)!
+ WARNING: CPU: 0 PID: 1401 at mm/usercopy.c:81 usercopy_warn+0x7e/0xa0
+ ...
+ RIP: 0010:usercopy_warn+0x7e/0xa0
+ ...
+ Call Trace:
+ __check_object_size+0x9c/0x1a0
+ put_cmsg+0x98/0x120
+ rxrpc_recvmsg+0x6fc/0x1010 [rxrpc]
+ ? finish_wait+0x80/0x80
+ ___sys_recvmsg+0xf8/0x240
+ ? __clear_rsb+0x25/0x3d
+ ? __clear_rsb+0x15/0x3d
+ ? __clear_rsb+0x25/0x3d
+ ? __clear_rsb+0x15/0x3d
+ ? __clear_rsb+0x25/0x3d
+ ? __clear_rsb+0x15/0x3d
+ ? __clear_rsb+0x25/0x3d
+ ? __clear_rsb+0x15/0x3d
+ ? finish_task_switch+0xa6/0x2b0
+ ? trace_hardirqs_on_caller+0xed/0x180
+ ? _raw_spin_unlock_irq+0x29/0x40
+ ? __sys_recvmsg+0x4e/0x90
+ __sys_recvmsg+0x4e/0x90
+ do_syscall_64+0x7a/0x220
+ entry_SYSCALL_64_after_hwframe+0x26/0x9b
+
+Reported-by: Jonathan Billings <jsbillings@jsbillings.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Tested-by: Jonathan Billings <jsbillings@jsbillings.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/recvmsg.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/rxrpc/recvmsg.c
++++ b/net/rxrpc/recvmsg.c
+@@ -513,9 +513,10 @@ try_again:
+ ret = put_cmsg(msg, SOL_RXRPC, RXRPC_USER_CALL_ID,
+ sizeof(unsigned int), &id32);
+ } else {
++ unsigned long idl = call->user_call_ID;
++
+ ret = put_cmsg(msg, SOL_RXRPC, RXRPC_USER_CALL_ID,
+- sizeof(unsigned long),
+- &call->user_call_ID);
++ sizeof(unsigned long), &idl);
+ }
+ if (ret < 0)
+ goto error_unlock_call;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Date: Mon, 12 Feb 2018 12:01:03 +0100
+Subject: s390/cio: clear timer when terminating driver I/O
+
+From: Sebastian Ott <sebott@linux.vnet.ibm.com>
+
+[ Upstream commit 410d5e13e7638bc146321671e223d56495fbf3c7 ]
+
+When we terminate driver I/O (because we need to stop using a certain
+channel path) we also need to ensure that a timer (which may have been
+set up using ccw_device_start_timeout) is cleared.
+
+Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/cio/device_fsm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/s390/cio/device_fsm.c
++++ b/drivers/s390/cio/device_fsm.c
+@@ -897,6 +897,7 @@ void ccw_device_kill_io(struct ccw_devic
+ {
+ int ret;
+
++ ccw_device_set_timeout(cdev, 0);
+ cdev->private->iretry = 255;
+ cdev->private->async_kill_io_rc = -EIO;
+ ret = ccw_device_cancel_halt_clear(cdev);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Date: Tue, 6 Feb 2018 14:59:43 +0100
+Subject: s390/cio: fix ccw_device_start_timeout API
+
+From: Sebastian Ott <sebott@linux.vnet.ibm.com>
+
+[ Upstream commit f97a6b6c47d2f329a24f92cc0ca3c6df5727ba73 ]
+
+There are cases a device driver can't start IO because the device is
+currently in use by cio. In this case the device driver is notified
+when the device is usable again.
+
+Using ccw_device_start_timeout we would set the timeout (and change
+an existing timeout) before we test for internal usage. Worst case
+this could lead to an unexpected timer deletion.
+
+Fix this by setting the timeout after we test for internal usage.
+
+Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/cio/device_ops.c | 72 ++++++++++++++++++------------------------
+ 1 file changed, 32 insertions(+), 40 deletions(-)
+
+--- a/drivers/s390/cio/device_ops.c
++++ b/drivers/s390/cio/device_ops.c
+@@ -160,7 +160,7 @@ int ccw_device_clear(struct ccw_device *
+ }
+
+ /**
+- * ccw_device_start_key() - start a s390 channel program with key
++ * ccw_device_start_timeout_key() - start a s390 channel program with timeout and key
+ * @cdev: target ccw device
+ * @cpa: logical start address of channel program
+ * @intparm: user specific interruption parameter; will be presented back to
+@@ -171,10 +171,15 @@ int ccw_device_clear(struct ccw_device *
+ * @key: storage key to be used for the I/O
+ * @flags: additional flags; defines the action to be performed for I/O
+ * processing.
++ * @expires: timeout value in jiffies
+ *
+ * Start a S/390 channel program. When the interrupt arrives, the
+ * IRQ handler is called, either immediately, delayed (dev-end missing,
+ * or sense required) or never (no IRQ handler registered).
++ * This function notifies the device driver if the channel program has not
++ * completed during the time specified by @expires. If a timeout occurs, the
++ * channel program is terminated via xsch, hsch or csch, and the device's
++ * interrupt handler will be called with an irb containing ERR_PTR(-%ETIMEDOUT).
+ * Returns:
+ * %0, if the operation was successful;
+ * -%EBUSY, if the device is busy, or status pending;
+@@ -183,9 +188,9 @@ int ccw_device_clear(struct ccw_device *
+ * Context:
+ * Interrupts disabled, ccw device lock held
+ */
+-int ccw_device_start_key(struct ccw_device *cdev, struct ccw1 *cpa,
+- unsigned long intparm, __u8 lpm, __u8 key,
+- unsigned long flags)
++int ccw_device_start_timeout_key(struct ccw_device *cdev, struct ccw1 *cpa,
++ unsigned long intparm, __u8 lpm, __u8 key,
++ unsigned long flags, int expires)
+ {
+ struct subchannel *sch;
+ int ret;
+@@ -225,6 +230,8 @@ int ccw_device_start_key(struct ccw_devi
+ switch (ret) {
+ case 0:
+ cdev->private->intparm = intparm;
++ if (expires)
++ ccw_device_set_timeout(cdev, expires);
+ break;
+ case -EACCES:
+ case -ENODEV:
+@@ -235,7 +242,7 @@ int ccw_device_start_key(struct ccw_devi
+ }
+
+ /**
+- * ccw_device_start_timeout_key() - start a s390 channel program with timeout and key
++ * ccw_device_start_key() - start a s390 channel program with key
+ * @cdev: target ccw device
+ * @cpa: logical start address of channel program
+ * @intparm: user specific interruption parameter; will be presented back to
+@@ -246,15 +253,10 @@ int ccw_device_start_key(struct ccw_devi
+ * @key: storage key to be used for the I/O
+ * @flags: additional flags; defines the action to be performed for I/O
+ * processing.
+- * @expires: timeout value in jiffies
+ *
+ * Start a S/390 channel program. When the interrupt arrives, the
+ * IRQ handler is called, either immediately, delayed (dev-end missing,
+ * or sense required) or never (no IRQ handler registered).
+- * This function notifies the device driver if the channel program has not
+- * completed during the time specified by @expires. If a timeout occurs, the
+- * channel program is terminated via xsch, hsch or csch, and the device's
+- * interrupt handler will be called with an irb containing ERR_PTR(-%ETIMEDOUT).
+ * Returns:
+ * %0, if the operation was successful;
+ * -%EBUSY, if the device is busy, or status pending;
+@@ -263,19 +265,12 @@ int ccw_device_start_key(struct ccw_devi
+ * Context:
+ * Interrupts disabled, ccw device lock held
+ */
+-int ccw_device_start_timeout_key(struct ccw_device *cdev, struct ccw1 *cpa,
+- unsigned long intparm, __u8 lpm, __u8 key,
+- unsigned long flags, int expires)
++int ccw_device_start_key(struct ccw_device *cdev, struct ccw1 *cpa,
++ unsigned long intparm, __u8 lpm, __u8 key,
++ unsigned long flags)
+ {
+- int ret;
+-
+- if (!cdev)
+- return -ENODEV;
+- ccw_device_set_timeout(cdev, expires);
+- ret = ccw_device_start_key(cdev, cpa, intparm, lpm, key, flags);
+- if (ret != 0)
+- ccw_device_set_timeout(cdev, 0);
+- return ret;
++ return ccw_device_start_timeout_key(cdev, cpa, intparm, lpm, key,
++ flags, 0);
+ }
+
+ /**
+@@ -490,18 +485,20 @@ void ccw_device_get_id(struct ccw_device
+ EXPORT_SYMBOL(ccw_device_get_id);
+
+ /**
+- * ccw_device_tm_start_key() - perform start function
++ * ccw_device_tm_start_timeout_key() - perform start function
+ * @cdev: ccw device on which to perform the start function
+ * @tcw: transport-command word to be started
+ * @intparm: user defined parameter to be passed to the interrupt handler
+ * @lpm: mask of paths to use
+ * @key: storage key to use for storage access
++ * @expires: time span in jiffies after which to abort request
+ *
+ * Start the tcw on the given ccw device. Return zero on success, non-zero
+ * otherwise.
+ */
+-int ccw_device_tm_start_key(struct ccw_device *cdev, struct tcw *tcw,
+- unsigned long intparm, u8 lpm, u8 key)
++int ccw_device_tm_start_timeout_key(struct ccw_device *cdev, struct tcw *tcw,
++ unsigned long intparm, u8 lpm, u8 key,
++ int expires)
+ {
+ struct subchannel *sch;
+ int rc;
+@@ -528,37 +525,32 @@ int ccw_device_tm_start_key(struct ccw_d
+ return -EACCES;
+ }
+ rc = cio_tm_start_key(sch, tcw, lpm, key);
+- if (rc == 0)
++ if (rc == 0) {
+ cdev->private->intparm = intparm;
++ if (expires)
++ ccw_device_set_timeout(cdev, expires);
++ }
+ return rc;
+ }
+-EXPORT_SYMBOL(ccw_device_tm_start_key);
++EXPORT_SYMBOL(ccw_device_tm_start_timeout_key);
+
+ /**
+- * ccw_device_tm_start_timeout_key() - perform start function
++ * ccw_device_tm_start_key() - perform start function
+ * @cdev: ccw device on which to perform the start function
+ * @tcw: transport-command word to be started
+ * @intparm: user defined parameter to be passed to the interrupt handler
+ * @lpm: mask of paths to use
+ * @key: storage key to use for storage access
+- * @expires: time span in jiffies after which to abort request
+ *
+ * Start the tcw on the given ccw device. Return zero on success, non-zero
+ * otherwise.
+ */
+-int ccw_device_tm_start_timeout_key(struct ccw_device *cdev, struct tcw *tcw,
+- unsigned long intparm, u8 lpm, u8 key,
+- int expires)
++int ccw_device_tm_start_key(struct ccw_device *cdev, struct tcw *tcw,
++ unsigned long intparm, u8 lpm, u8 key)
+ {
+- int ret;
+-
+- ccw_device_set_timeout(cdev, expires);
+- ret = ccw_device_tm_start_key(cdev, tcw, intparm, lpm, key);
+- if (ret != 0)
+- ccw_device_set_timeout(cdev, 0);
+- return ret;
++ return ccw_device_tm_start_timeout_key(cdev, tcw, intparm, lpm, key, 0);
+ }
+-EXPORT_SYMBOL(ccw_device_tm_start_timeout_key);
++EXPORT_SYMBOL(ccw_device_tm_start_key);
+
+ /**
+ * ccw_device_tm_start() - perform start function
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Date: Wed, 7 Feb 2018 13:18:19 +0100
+Subject: s390/cio: fix return code after missing interrupt
+
+From: Sebastian Ott <sebott@linux.vnet.ibm.com>
+
+[ Upstream commit 770b55c995d171f026a9efb85e71e3b1ea47b93d ]
+
+When a timeout occurs for users of ccw_device_start_timeout
+we will stop the IO and call the drivers int handler with
+the irb pointer set to ERR_PTR(-ETIMEDOUT). Sometimes
+however we'd set the irb pointer to ERR_PTR(-EIO) which is
+not intended. Just set the correct value in all codepaths.
+
+Reported-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/cio/device_fsm.c | 6 ++++--
+ drivers/s390/cio/io_sch.h | 1 +
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/cio/device_fsm.c
++++ b/drivers/s390/cio/device_fsm.c
+@@ -796,6 +796,7 @@ ccw_device_online_timeout(struct ccw_dev
+
+ ccw_device_set_timeout(cdev, 0);
+ cdev->private->iretry = 255;
++ cdev->private->async_kill_io_rc = -ETIMEDOUT;
+ ret = ccw_device_cancel_halt_clear(cdev);
+ if (ret == -EBUSY) {
+ ccw_device_set_timeout(cdev, 3*HZ);
+@@ -872,7 +873,7 @@ ccw_device_killing_irq(struct ccw_device
+ /* OK, i/o is dead now. Call interrupt handler. */
+ if (cdev->handler)
+ cdev->handler(cdev, cdev->private->intparm,
+- ERR_PTR(-EIO));
++ ERR_PTR(cdev->private->async_kill_io_rc));
+ }
+
+ static void
+@@ -889,7 +890,7 @@ ccw_device_killing_timeout(struct ccw_de
+ ccw_device_online_verify(cdev, 0);
+ if (cdev->handler)
+ cdev->handler(cdev, cdev->private->intparm,
+- ERR_PTR(-EIO));
++ ERR_PTR(cdev->private->async_kill_io_rc));
+ }
+
+ void ccw_device_kill_io(struct ccw_device *cdev)
+@@ -897,6 +898,7 @@ void ccw_device_kill_io(struct ccw_devic
+ int ret;
+
+ cdev->private->iretry = 255;
++ cdev->private->async_kill_io_rc = -EIO;
+ ret = ccw_device_cancel_halt_clear(cdev);
+ if (ret == -EBUSY) {
+ ccw_device_set_timeout(cdev, 3*HZ);
+--- a/drivers/s390/cio/io_sch.h
++++ b/drivers/s390/cio/io_sch.h
+@@ -157,6 +157,7 @@ struct ccw_device_private {
+ unsigned long intparm; /* user interruption parameter */
+ struct qdio_irq *qdio_data;
+ struct irb irb; /* device status */
++ int async_kill_io_rc;
+ struct senseid senseid; /* SenseID info */
+ struct pgid pgid[8]; /* path group IDs per chpid*/
+ struct ccw1 iccws[2]; /* ccws for SNID/SID/SPGID commands */
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Stefan Haberland <sth@linux.vnet.ibm.com>
+Date: Wed, 7 Feb 2018 17:39:14 +0100
+Subject: s390/dasd: fix handling of internal requests
+
+From: Stefan Haberland <sth@linux.vnet.ibm.com>
+
+[ Upstream commit 9487cfd3430d07366801886bdf185799a2b6f066 ]
+
+Internal DASD device driver I/O such as query host access count or
+path verification is started using the _sleep_on() function.
+To mark a request as started or ended the callback_data is set to either
+DASD_SLEEPON_START_TAG or DASD_SLEEPON_END_TAG.
+
+In cases where the request has to be stopped unconditionally the status is
+set to DASD_SLEEPON_END_TAG as well which leads to immediate clearing of
+the request.
+But the request might still be on a device request queue for normal
+operation which might lead to a panic because of a BUG() statement in
+__dasd_device_process_final_queue() or a list corruption of the device
+request queue.
+
+Fix by removing the setting of DASD_SLEEPON_END_TAG in the
+dasd_cancel_req() and dasd_generic_requeue_all_requests() functions and
+ensure that the request is not deleted in the requeue function.
+Trigger the device tasklet in the requeue function and let the normal
+processing cleanup the request.
+
+Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
+Reviewed-by: Jan Hoeppner <hoeppner@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/dasd.c | 21 +++++++--------------
+ 1 file changed, 7 insertions(+), 14 deletions(-)
+
+--- a/drivers/s390/block/dasd.c
++++ b/drivers/s390/block/dasd.c
+@@ -2596,8 +2596,6 @@ int dasd_cancel_req(struct dasd_ccw_req
+ case DASD_CQR_QUEUED:
+ /* request was not started - just set to cleared */
+ cqr->status = DASD_CQR_CLEARED;
+- if (cqr->callback_data == DASD_SLEEPON_START_TAG)
+- cqr->callback_data = DASD_SLEEPON_END_TAG;
+ break;
+ case DASD_CQR_IN_IO:
+ /* request in IO - terminate IO and release again */
+@@ -3917,9 +3915,12 @@ static int dasd_generic_requeue_all_requ
+ wait_event(dasd_flush_wq,
+ (cqr->status != DASD_CQR_CLEAR_PENDING));
+
+- /* mark sleepon requests as ended */
+- if (cqr->callback_data == DASD_SLEEPON_START_TAG)
+- cqr->callback_data = DASD_SLEEPON_END_TAG;
++ /*
++ * requeue requests to blocklayer will only work
++ * for block device requests
++ */
++ if (_dasd_requeue_request(cqr))
++ continue;
+
+ /* remove requests from device and block queue */
+ list_del_init(&cqr->devlist);
+@@ -3932,13 +3933,6 @@ static int dasd_generic_requeue_all_requ
+ cqr = refers;
+ }
+
+- /*
+- * requeue requests to blocklayer will only work
+- * for block device requests
+- */
+- if (_dasd_requeue_request(cqr))
+- continue;
+-
+ if (cqr->block)
+ list_del_init(&cqr->blocklist);
+ cqr->block->base->discipline->free_cp(
+@@ -3955,8 +3949,7 @@ static int dasd_generic_requeue_all_requ
+ list_splice_tail(&requeue_queue, &device->ccw_queue);
+ spin_unlock_irq(get_ccwdev_lock(device->cdev));
+ }
+- /* wake up generic waitqueue for eventually ended sleepon requests */
+- wake_up(&generic_waitq);
++ dasd_schedule_device_bh(device);
+ return rc;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Khiem Nguyen <khiem.nguyen.xt@rvc.renesas.com>
+Date: Mon, 5 Feb 2018 04:18:51 +0900
+Subject: sata_rcar: Reset SATA PHY when Salvator-X board resumes
+
+From: Khiem Nguyen <khiem.nguyen.xt@rvc.renesas.com>
+
+[ Upstream commit da77d76b95a0e8940793f4f7fe12a4a2d2048e39 ]
+
+Because power of Salvator-X board is cut off in suspend,
+it needs to reset SATA PHY state in resume.
+Otherwise, SATA partition could not be accessed anymore.
+
+Signed-off-by: Khiem Nguyen <khiem.nguyen.xt@rvc.renesas.com>
+Signed-off-by: Hien Dang <hien.dang.eb@rvc.renesas.com>
+[reinit phy in sata_rcar_resume() function on R-Car Gen3 only]
+[factor out SATA module init sequence]
+[fixed the prefix for the subject]
+Signed-off-by: Yoshihiro Kaneko <ykaneko0929@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/sata_rcar.c | 63 ++++++++++++++++++++++++++++++------------------
+ 1 file changed, 40 insertions(+), 23 deletions(-)
+
+--- a/drivers/ata/sata_rcar.c
++++ b/drivers/ata/sata_rcar.c
+@@ -146,6 +146,7 @@
+ enum sata_rcar_type {
+ RCAR_GEN1_SATA,
+ RCAR_GEN2_SATA,
++ RCAR_GEN3_SATA,
+ RCAR_R8A7790_ES1_SATA,
+ };
+
+@@ -784,26 +785,11 @@ static void sata_rcar_setup_port(struct
+ ioaddr->command_addr = ioaddr->cmd_addr + (ATA_REG_CMD << 2);
+ }
+
+-static void sata_rcar_init_controller(struct ata_host *host)
++static void sata_rcar_init_module(struct sata_rcar_priv *priv)
+ {
+- struct sata_rcar_priv *priv = host->private_data;
+ void __iomem *base = priv->base;
+ u32 val;
+
+- /* reset and setup phy */
+- switch (priv->type) {
+- case RCAR_GEN1_SATA:
+- sata_rcar_gen1_phy_init(priv);
+- break;
+- case RCAR_GEN2_SATA:
+- case RCAR_R8A7790_ES1_SATA:
+- sata_rcar_gen2_phy_init(priv);
+- break;
+- default:
+- dev_warn(host->dev, "SATA phy is not initialized\n");
+- break;
+- }
+-
+ /* SATA-IP reset state */
+ val = ioread32(base + ATAPI_CONTROL1_REG);
+ val |= ATAPI_CONTROL1_RESET;
+@@ -824,10 +810,34 @@ static void sata_rcar_init_controller(st
+ /* ack and mask */
+ iowrite32(0, base + SATAINTSTAT_REG);
+ iowrite32(0x7ff, base + SATAINTMASK_REG);
++
+ /* enable interrupts */
+ iowrite32(ATAPI_INT_ENABLE_SATAINT, base + ATAPI_INT_ENABLE_REG);
+ }
+
++static void sata_rcar_init_controller(struct ata_host *host)
++{
++ struct sata_rcar_priv *priv = host->private_data;
++ void __iomem *base = priv->base;
++
++ /* reset and setup phy */
++ switch (priv->type) {
++ case RCAR_GEN1_SATA:
++ sata_rcar_gen1_phy_init(priv);
++ break;
++ case RCAR_GEN2_SATA:
++ case RCAR_GEN3_SATA:
++ case RCAR_R8A7790_ES1_SATA:
++ sata_rcar_gen2_phy_init(priv);
++ break;
++ default:
++ dev_warn(host->dev, "SATA phy is not initialized\n");
++ break;
++ }
++
++ sata_rcar_init_module(priv);
++}
++
+ static const struct of_device_id sata_rcar_match[] = {
+ {
+ /* Deprecated by "renesas,sata-r8a7779" */
+@@ -856,7 +866,7 @@ static const struct of_device_id sata_rc
+ },
+ {
+ .compatible = "renesas,sata-r8a7795",
+- .data = (void *)RCAR_GEN2_SATA
++ .data = (void *)RCAR_GEN3_SATA
+ },
+ {
+ .compatible = "renesas,rcar-gen2-sata",
+@@ -864,7 +874,7 @@ static const struct of_device_id sata_rc
+ },
+ {
+ .compatible = "renesas,rcar-gen3-sata",
+- .data = (void *)RCAR_GEN2_SATA
++ .data = (void *)RCAR_GEN3_SATA
+ },
+ { },
+ };
+@@ -987,11 +997,18 @@ static int sata_rcar_resume(struct devic
+ if (ret)
+ return ret;
+
+- /* ack and mask */
+- iowrite32(0, base + SATAINTSTAT_REG);
+- iowrite32(0x7ff, base + SATAINTMASK_REG);
+- /* enable interrupts */
+- iowrite32(ATAPI_INT_ENABLE_SATAINT, base + ATAPI_INT_ENABLE_REG);
++ if (priv->type == RCAR_GEN3_SATA) {
++ sata_rcar_gen2_phy_init(priv);
++ sata_rcar_init_module(priv);
++ } else {
++ /* ack and mask */
++ iowrite32(0, base + SATAINTSTAT_REG);
++ iowrite32(0x7ff, base + SATAINTMASK_REG);
++
++ /* enable interrupts */
++ iowrite32(ATAPI_INT_ENABLE_SATAINT,
++ base + ATAPI_INT_ENABLE_REG);
++ }
+
+ ata_host_resume(host);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Davidlohr Bueso <dave@stgolabs.net>
+Date: Mon, 2 Apr 2018 09:49:54 -0700
+Subject: sched/rt: Fix rq->clock_update_flags < RQCF_ACT_SKIP warning
+
+From: Davidlohr Bueso <dave@stgolabs.net>
+
+[ Upstream commit d29a20645d5e929aa7e8616f28e5d8e1c49263ec ]
+
+While running rt-tests' pi_stress program I got the following splat:
+
+ rq->clock_update_flags < RQCF_ACT_SKIP
+ WARNING: CPU: 27 PID: 0 at kernel/sched/sched.h:960 assert_clock_updated.isra.38.part.39+0x13/0x20
+
+ [...]
+
+ <IRQ>
+ enqueue_top_rt_rq+0xf4/0x150
+ ? cpufreq_dbs_governor_start+0x170/0x170
+ sched_rt_rq_enqueue+0x65/0x80
+ sched_rt_period_timer+0x156/0x360
+ ? sched_rt_rq_enqueue+0x80/0x80
+ __hrtimer_run_queues+0xfa/0x260
+ hrtimer_interrupt+0xcb/0x220
+ smp_apic_timer_interrupt+0x62/0x120
+ apic_timer_interrupt+0xf/0x20
+ </IRQ>
+
+ [...]
+
+ do_idle+0x183/0x1e0
+ cpu_startup_entry+0x5f/0x70
+ start_secondary+0x192/0x1d0
+ secondary_startup_64+0xa5/0xb0
+
+We can get rid of it be the "traditional" means of adding an
+update_rq_clock() call after acquiring the rq->lock in
+do_sched_rt_period_timer().
+
+The case for the RT task throttling (which this workload also hits)
+can be ignored in that the skip_update call is actually bogus and
+quite the contrary (the request bits are removed/reverted).
+
+By setting RQCF_UPDATED we really don't care if the skip is happening
+or not and will therefore make the assert_clock_updated() check happy.
+
+Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
+Reviewed-by: Matt Fleming <matt@codeblueprint.co.uk>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: dave@stgolabs.net
+Cc: linux-kernel@vger.kernel.org
+Cc: rostedt@goodmis.org
+Link: http://lkml.kernel.org/r/20180402164954.16255-1-dave@stgolabs.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/rt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -843,6 +843,8 @@ static int do_sched_rt_period_timer(stru
+ continue;
+
+ raw_spin_lock(&rq->lock);
++ update_rq_clock(rq);
++
+ if (rt_rq->rt_time) {
+ u64 runtime;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Meelis Roos <mroos@linux.ee>
+Date: Fri, 9 Feb 2018 08:57:44 +0200
+Subject: scsi: aacraid: fix shutdown crash when init fails
+
+From: Meelis Roos <mroos@linux.ee>
+
+[ Upstream commit 00c20cdc79259c6c5bf978b21af96c2d3edb646d ]
+
+When aacraid init fails with "AAC0: adapter self-test failed.", shutdown
+leads to UBSAN warning and then oops:
+
+[154316.118423] ================================================================================
+[154316.118508] UBSAN: Undefined behaviour in drivers/scsi/scsi_lib.c:2328:27
+[154316.118566] member access within null pointer of type 'struct Scsi_Host'
+[154316.118631] CPU: 2 PID: 14530 Comm: reboot Tainted: G W 4.15.0-dirty #89
+[154316.118701] Hardware name: Hewlett Packard HP NetServer/HP System Board, BIOS 4.06.46 PW 06/25/2003
+[154316.118774] Call Trace:
+[154316.118848] dump_stack+0x48/0x65
+[154316.118916] ubsan_epilogue+0xe/0x40
+[154316.118976] __ubsan_handle_type_mismatch+0xfb/0x180
+[154316.119043] scsi_block_requests+0x20/0x30
+[154316.119135] aac_shutdown+0x18/0x40 [aacraid]
+[154316.119196] pci_device_shutdown+0x33/0x50
+[154316.119269] device_shutdown+0x18a/0x390
+[...]
+[154316.123435] BUG: unable to handle kernel NULL pointer dereference at 000000f4
+[154316.123515] IP: scsi_block_requests+0xa/0x30
+
+This is because aac_shutdown() does
+
+ struct Scsi_Host *shost = pci_get_drvdata(dev);
+ scsi_block_requests(shost);
+
+and that assumes shost has been assigned with pci_set_drvdata().
+
+However, pci_set_drvdata(pdev, shost) is done in aac_probe_one() far
+after bailing out with error from calling the init function
+((*aac_drivers[index].init)(aac)), and when the init function fails, no
+error is returned from aac_probe_one() so PCI layer assumes there is
+driver attached, and tries to shut it down later.
+
+Fix it by returning error from aac_probe_one() when card-specific init
+function fails.
+
+This fixes reboot on my HP NetRAID-4M with dead battery.
+
+Signed-off-by: Meelis Roos <mroos@linux.ee>
+Reviewed-by: Dave Carroll <david.carroll@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/aacraid/linit.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/aacraid/linit.c
++++ b/drivers/scsi/aacraid/linit.c
+@@ -1690,8 +1690,10 @@ static int aac_probe_one(struct pci_dev
+ * Map in the registers from the adapter.
+ */
+ aac->base_size = AAC_MIN_FOOTPRINT_SIZE;
+- if ((*aac_drivers[index].init)(aac))
++ if ((*aac_drivers[index].init)(aac)) {
++ error = -ENODEV;
+ goto out_unmap;
++ }
+
+ if (aac->sync_mode) {
+ if (aac_sync_mode)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Dave Carroll <david.carroll@microsemi.com>
+Date: Tue, 3 Apr 2018 15:50:42 -0600
+Subject: scsi: aacraid: Insure command thread is not recursively stopped
+
+From: Dave Carroll <david.carroll@microsemi.com>
+
+[ Upstream commit 1c6b41fb92936fa5facea464d5d7cbf855966d04 ]
+
+If a recursive IOP_RESET is invoked, usually due to the eh_thread
+handling errors after the first reset, be sure we flag that the command
+thread has been stopped to avoid an Oops of the form;
+
+ [ 336.620256] CPU: 28 PID: 1193 Comm: scsi_eh_0 Kdump: loaded Not tainted 4.14.0-49.el7a.ppc64le #1
+ [ 336.620297] task: c000003fd630b800 task.stack: c000003fd61a4000
+ [ 336.620326] NIP: c000000000176794 LR: c00000000013038c CTR: c00000000024bc10
+ [ 336.620361] REGS: c000003fd61a7720 TRAP: 0300 Not tainted (4.14.0-49.el7a.ppc64le)
+ [ 336.620395] MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 22084022 XER: 20040000
+ [ 336.620435] CFAR: c000000000130388 DAR: 0000000000000000 DSISR: 40000000 SOFTE: 1
+ [ 336.620435] GPR00: c00000000013038c c000003fd61a79a0 c0000000014c7e00 0000000000000000
+ [ 336.620435] GPR04: 000000000000000c 000000000000000c 9000000000009033 0000000000000477
+ [ 336.620435] GPR08: 0000000000000477 0000000000000000 0000000000000000 c008000010f7d940
+ [ 336.620435] GPR12: c00000000024bc10 c000000007a33400 c0000000001708a8 c000003fe3b881d8
+ [ 336.620435] GPR16: c000003fe3b88060 c000003fd61a7d10 fffffffffffff000 000000000000001e
+ [ 336.620435] GPR20: 0000000000000001 c000000000ebf1a0 0000000000000001 c000003fe3b88000
+ [ 336.620435] GPR24: 0000000000000003 0000000000000002 c000003fe3b88840 c000003fe3b887e8
+ [ 336.620435] GPR28: c000003fe3b88000 c000003fc8181788 0000000000000000 c000003fc8181700
+ [ 336.620750] NIP [c000000000176794] exit_creds+0x34/0x160
+ [ 336.620775] LR [c00000000013038c] __put_task_struct+0x8c/0x1f0
+ [ 336.620804] Call Trace:
+ [ 336.620817] [c000003fd61a79a0] [c000003fe3b88000] 0xc000003fe3b88000 (unreliable)
+ [ 336.620853] [c000003fd61a79d0] [c00000000013038c] __put_task_struct+0x8c/0x1f0
+ [ 336.620889] [c000003fd61a7a00] [c000000000171418] kthread_stop+0x1e8/0x1f0
+ [ 336.620922] [c000003fd61a7a40] [c008000010f7448c] aac_reset_adapter+0x14c/0x8d0 [aacraid]
+ [ 336.620959] [c000003fd61a7b00] [c008000010f60174] aac_eh_host_reset+0x84/0x100 [aacraid]
+ [ 336.621010] [c000003fd61a7b30] [c000000000864f24] scsi_try_host_reset+0x74/0x180
+ [ 336.621046] [c000003fd61a7bb0] [c000000000867ac0] scsi_eh_ready_devs+0xc00/0x14d0
+ [ 336.625165] [c000003fd61a7ca0] [c0000000008699e0] scsi_error_handler+0x550/0x730
+ [ 336.632101] [c000003fd61a7dc0] [c000000000170a08] kthread+0x168/0x1b0
+ [ 336.639031] [c000003fd61a7e30] [c00000000000b528] ret_from_kernel_thread+0x5c/0xb4
+ [ 336.645971] Instruction dump:
+ [ 336.648743] 384216a0 7c0802a6 fbe1fff8 f8010010 f821ffd1 7c7f1b78 60000000 60000000
+ [ 336.657056] 39400000 e87f0838 f95f0838 7c0004ac <7d401828> 314affff 7d40192d 40c2fff4
+ [ 336.663997] -[ end trace 4640cf8d4945ad95 ]-
+
+So flag when the thread is stopped by setting the thread pointer to NULL.
+
+Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
+Reviewed-by: Raghava Aditya Renukunta <raghavaaditya.renukunta@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/aacraid/commsup.c | 4 +++-
+ drivers/scsi/aacraid/linit.c | 1 +
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/aacraid/commsup.c
++++ b/drivers/scsi/aacraid/commsup.c
+@@ -1530,9 +1530,10 @@ static int _aac_reset_adapter(struct aac
+ host = aac->scsi_host_ptr;
+ scsi_block_requests(host);
+ aac_adapter_disable_int(aac);
+- if (aac->thread->pid != current->pid) {
++ if (aac->thread && aac->thread->pid != current->pid) {
+ spin_unlock_irq(host->host_lock);
+ kthread_stop(aac->thread);
++ aac->thread = NULL;
+ jafo = 1;
+ }
+
+@@ -1619,6 +1620,7 @@ static int _aac_reset_adapter(struct aac
+ aac->name);
+ if (IS_ERR(aac->thread)) {
+ retval = PTR_ERR(aac->thread);
++ aac->thread = NULL;
+ goto out;
+ }
+ }
+--- a/drivers/scsi/aacraid/linit.c
++++ b/drivers/scsi/aacraid/linit.c
+@@ -1565,6 +1565,7 @@ static void __aac_shutdown(struct aac_de
+ up(&fib->event_wait);
+ }
+ kthread_stop(aac->thread);
++ aac->thread = NULL;
+ }
+
+ aac_send_shutdown(aac);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Chad Dupuis <chad.dupuis@cavium.com>
+Date: Wed, 24 Jan 2018 08:07:06 -0800
+Subject: scsi: bnx2fc: Fix check in SCSI completion handler for timed out request
+
+From: Chad Dupuis <chad.dupuis@cavium.com>
+
+[ Upstream commit ecf7ff49945f5741fa1da112f994939f942031d3 ]
+
+When a request times out we set the io_req flag BNX2FC_FLAG_IO_COMPL so
+that if a subsequent completion comes in on that task ID we will ignore
+it. The issue is that in the check for this flag there is a missing
+return so we will continue to process a request which may have already
+been returned to the ownership of the SCSI layer. This can cause
+unpredictable results.
+
+Solution is to add in the missing return.
+
+[mkp: typo plus title shortening]
+
+Signed-off-by: Chad Dupuis <chad.dupuis@cavium.com>
+Reviewed-by: Laurence Oberman <loberman@redhat.com>
+Tested-by: Laurence Oberman <loberman@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/bnx2fc/bnx2fc_io.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/bnx2fc/bnx2fc_io.c
++++ b/drivers/scsi/bnx2fc/bnx2fc_io.c
+@@ -1865,6 +1865,7 @@ void bnx2fc_process_scsi_cmd_compl(struc
+ /* we will not receive ABTS response for this IO */
+ BNX2FC_IO_DBG(io_req, "Timer context finished processing "
+ "this scsi cmd\n");
++ return;
+ }
+
+ /* Cancel the timeout_work, as we received IO completion */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Douglas Gilbert <dgilbert@interlog.com>
+Date: Tue, 6 Mar 2018 22:19:49 -0500
+Subject: scsi: core: Make SCSI Status CONDITION MET equivalent to GOOD
+
+From: Douglas Gilbert <dgilbert@interlog.com>
+
+[ Upstream commit 1875ede02ed5e176a18dccbca84abc28d5b3e141 ]
+
+The SCSI PRE-FETCH (10 or 16) command is present both on hard disks
+and some SSDs. It is useful when the address of the next block(s) to
+be read is known but it is not following the LBA of the current READ
+(so read-ahead won't help). It returns two "good" SCSI Status values.
+If the requested blocks have fitted (or will most likely fit (when
+the IMMED bit is set)) into the disk's cache, it returns CONDITION
+MET. If it didn't (or will not) fit then it returns GOOD status.
+
+The goal of this patch is to stop the SCSI subsystem treating the
+CONDITION MET SCSI status as an error. The current state makes the
+PRE-FETCH command effectively unusable via pass-throughs.
+
+Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_lib.c | 11 +++++++++++
+ include/scsi/scsi.h | 2 ++
+ 2 files changed, 13 insertions(+)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -857,6 +857,17 @@ void scsi_io_completion(struct scsi_cmnd
+ /* for passthrough error may be set */
+ error = BLK_STS_OK;
+ }
++ /*
++ * Another corner case: the SCSI status byte is non-zero but 'good'.
++ * Example: PRE-FETCH command returns SAM_STAT_CONDITION_MET when
++ * it is able to fit nominated LBs in its cache (and SAM_STAT_GOOD
++ * if it can't fit). Treat SAM_STAT_CONDITION_MET and the related
++ * intermediate statuses (both obsolete in SAM-4) as good.
++ */
++ if (status_byte(result) && scsi_status_is_good(result)) {
++ result = 0;
++ error = BLK_STS_OK;
++ }
+
+ /*
+ * special case: failed zero length commands always need to
+--- a/include/scsi/scsi.h
++++ b/include/scsi/scsi.h
+@@ -47,6 +47,8 @@ static inline int scsi_status_is_good(in
+ */
+ status &= 0xfe;
+ return ((status == SAM_STAT_GOOD) ||
++ (status == SAM_STAT_CONDITION_MET) ||
++ /* Next two "intermediate" statuses are obsolete in SAM-4 */
+ (status == SAM_STAT_INTERMEDIATE) ||
+ (status == SAM_STAT_INTERMEDIATE_CONDITION_MET) ||
+ /* FIXME: this is obsolete in SAM-3 */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Hannes Reinecke <hare@suse.de>
+Date: Mon, 26 Feb 2018 08:39:59 +0100
+Subject: scsi: core: return BLK_STS_OK for DID_OK in __scsi_error_from_host_byte()
+
+From: Hannes Reinecke <hare@suse.de>
+
+[ Upstream commit e39a97353e5378eb46bf01679799c5704d397f32 ]
+
+When converting __scsi_error_from_host_byte() to BLK_STS error codes the
+case DID_OK was forgotten, resulting in it always returning an error.
+
+Fixes: 2a842acab109 ("block: introduce new block status code type")
+Cc: Doug Gilbert <dgilbert@interlog.com>
+Signed-off-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -720,6 +720,8 @@ static blk_status_t __scsi_error_from_ho
+ int result)
+ {
+ switch (host_byte(result)) {
++ case DID_OK:
++ return BLK_STS_OK;
+ case DID_TRANSPORT_FAILFAST:
+ return BLK_STS_TRANSPORT;
+ case DID_TARGET_FAILURE:
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jianchao Wang <jianchao.w.wang@oracle.com>
+Date: Wed, 7 Mar 2018 20:29:03 +0800
+Subject: scsi: iscsi_tcp: set BDI_CAP_STABLE_WRITES when data digest enabled
+
+From: Jianchao Wang <jianchao.w.wang@oracle.com>
+
+[ Upstream commit 89d0c804392bb962553f23dc4c119d11b6bd1675 ]
+
+iscsi tcp will first send out data, then calculate and send data
+digest. If we don't have BDI_CAP_STABLE_WRITES, the page cache will be
+written in spite of the on going writeback. Consequently, wrong digest
+will be got and sent to target.
+
+To fix this, set BDI_CAP_STABLE_WRITES when data digest is enabled
+in iscsi_tcp .slave_configure callback.
+
+Signed-off-by: Jianchao Wang <jianchao.w.wang@oracle.com>
+Acked-by: Chris Leech <cleech@redhat.com>
+Acked-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/iscsi_tcp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/scsi/iscsi_tcp.c
++++ b/drivers/scsi/iscsi_tcp.c
+@@ -37,6 +37,7 @@
+ #include <linux/kfifo.h>
+ #include <linux/scatterlist.h>
+ #include <linux/module.h>
++#include <linux/backing-dev.h>
+ #include <net/tcp.h>
+ #include <scsi/scsi_cmnd.h>
+ #include <scsi/scsi_device.h>
+@@ -952,6 +953,13 @@ static int iscsi_sw_tcp_slave_alloc(stru
+
+ static int iscsi_sw_tcp_slave_configure(struct scsi_device *sdev)
+ {
++ struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(sdev->host);
++ struct iscsi_session *session = tcp_sw_host->session;
++ struct iscsi_conn *conn = session->leadconn;
++
++ if (conn->datadgst_en)
++ sdev->request_queue->backing_dev_info->capabilities
++ |= BDI_CAP_STABLE_WRITES;
+ blk_queue_bounce_limit(sdev->request_queue, BLK_BOUNCE_ANY);
+ blk_queue_dma_alignment(sdev->request_queue, 0);
+ return 0;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jason Yan <yanaijie@huawei.com>
+Date: Thu, 8 Mar 2018 10:34:53 +0800
+Subject: scsi: libsas: defer ata device eh commands to libata
+
+From: Jason Yan <yanaijie@huawei.com>
+
+[ Upstream commit 318aaf34f1179b39fa9c30fa0f3288b645beee39 ]
+
+When ata device doing EH, some commands still attached with tasks are
+not passed to libata when abort failed or recover failed, so libata did
+not handle these commands. After these commands done, sas task is freed,
+but ata qc is not freed. This will cause ata qc leak and trigger a
+warning like below:
+
+WARNING: CPU: 0 PID: 28512 at drivers/ata/libata-eh.c:4037
+ata_eh_finish+0xb4/0xcc
+CPU: 0 PID: 28512 Comm: kworker/u32:2 Tainted: G W OE 4.14.0#1
+......
+Call trace:
+[<ffff0000088b7bd0>] ata_eh_finish+0xb4/0xcc
+[<ffff0000088b8420>] ata_do_eh+0xc4/0xd8
+[<ffff0000088b8478>] ata_std_error_handler+0x44/0x8c
+[<ffff0000088b8068>] ata_scsi_port_error_handler+0x480/0x694
+[<ffff000008875fc4>] async_sas_ata_eh+0x4c/0x80
+[<ffff0000080f6be8>] async_run_entry_fn+0x4c/0x170
+[<ffff0000080ebd70>] process_one_work+0x144/0x390
+[<ffff0000080ec100>] worker_thread+0x144/0x418
+[<ffff0000080f2c98>] kthread+0x10c/0x138
+[<ffff0000080855dc>] ret_from_fork+0x10/0x18
+
+If ata qc leaked too many, ata tag allocation will fail and io blocked
+for ever.
+
+As suggested by Dan Williams, defer ata device commands to libata and
+merge sas_eh_finish_cmd() with sas_eh_defer_cmd(). libata will handle
+ata qcs correctly after this.
+
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+CC: Xiaofei Tan <tanxiaofei@huawei.com>
+CC: John Garry <john.garry@huawei.com>
+CC: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/libsas/sas_scsi_host.c | 33 +++++++++++++--------------------
+ 1 file changed, 13 insertions(+), 20 deletions(-)
+
+--- a/drivers/scsi/libsas/sas_scsi_host.c
++++ b/drivers/scsi/libsas/sas_scsi_host.c
+@@ -222,6 +222,7 @@ out_done:
+ static void sas_eh_finish_cmd(struct scsi_cmnd *cmd)
+ {
+ struct sas_ha_struct *sas_ha = SHOST_TO_SAS_HA(cmd->device->host);
++ struct domain_device *dev = cmd_to_domain_dev(cmd);
+ struct sas_task *task = TO_SAS_TASK(cmd);
+
+ /* At this point, we only get called following an actual abort
+@@ -230,6 +231,14 @@ static void sas_eh_finish_cmd(struct scs
+ */
+ sas_end_task(cmd, task);
+
++ if (dev_is_sata(dev)) {
++ /* defer commands to libata so that libata EH can
++ * handle ata qcs correctly
++ */
++ list_move_tail(&cmd->eh_entry, &sas_ha->eh_ata_q);
++ return;
++ }
++
+ /* now finish the command and move it on to the error
+ * handler done list, this also takes it off the
+ * error handler pending list.
+@@ -237,22 +246,6 @@ static void sas_eh_finish_cmd(struct scs
+ scsi_eh_finish_cmd(cmd, &sas_ha->eh_done_q);
+ }
+
+-static void sas_eh_defer_cmd(struct scsi_cmnd *cmd)
+-{
+- struct domain_device *dev = cmd_to_domain_dev(cmd);
+- struct sas_ha_struct *ha = dev->port->ha;
+- struct sas_task *task = TO_SAS_TASK(cmd);
+-
+- if (!dev_is_sata(dev)) {
+- sas_eh_finish_cmd(cmd);
+- return;
+- }
+-
+- /* report the timeout to libata */
+- sas_end_task(cmd, task);
+- list_move_tail(&cmd->eh_entry, &ha->eh_ata_q);
+-}
+-
+ static void sas_scsi_clear_queue_lu(struct list_head *error_q, struct scsi_cmnd *my_cmd)
+ {
+ struct scsi_cmnd *cmd, *n;
+@@ -260,7 +253,7 @@ static void sas_scsi_clear_queue_lu(stru
+ list_for_each_entry_safe(cmd, n, error_q, eh_entry) {
+ if (cmd->device->sdev_target == my_cmd->device->sdev_target &&
+ cmd->device->lun == my_cmd->device->lun)
+- sas_eh_defer_cmd(cmd);
++ sas_eh_finish_cmd(cmd);
+ }
+ }
+
+@@ -630,12 +623,12 @@ static void sas_eh_handle_sas_errors(str
+ case TASK_IS_DONE:
+ SAS_DPRINTK("%s: task 0x%p is done\n", __func__,
+ task);
+- sas_eh_defer_cmd(cmd);
++ sas_eh_finish_cmd(cmd);
+ continue;
+ case TASK_IS_ABORTED:
+ SAS_DPRINTK("%s: task 0x%p is aborted\n",
+ __func__, task);
+- sas_eh_defer_cmd(cmd);
++ sas_eh_finish_cmd(cmd);
+ continue;
+ case TASK_IS_AT_LU:
+ SAS_DPRINTK("task 0x%p is at LU: lu recover\n", task);
+@@ -646,7 +639,7 @@ static void sas_eh_handle_sas_errors(str
+ "recovered\n",
+ SAS_ADDR(task->dev),
+ cmd->device->lun);
+- sas_eh_defer_cmd(cmd);
++ sas_eh_finish_cmd(cmd);
+ sas_scsi_clear_queue_lu(work_q, cmd);
+ goto Again;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 30 Jan 2018 15:58:45 -0800
+Subject: scsi: lpfc: Fix frequency of Release WQE CQEs
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 04673e38f56b30cd39b1fa0f386137d818b17781 ]
+
+The driver controls when the hardware sends completions that communicate
+consumption of elements from the WQ. This is done by setting a WQEC bit
+on a WQE.
+
+The current driver sets it on every Nth WQE posting. However, the driver
+isn't clearing the bit if the WQE is reused. Thus, if the queue depth
+isn't evenly divisible by N, with enough time, it can be set on every
+element, creating a lot of overhead and risking CQ full conditions.
+
+Correct by clearing the bit when not setting it on an Nth element.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -129,6 +129,8 @@ lpfc_sli4_wq_put(struct lpfc_queue *q, u
+ /* set consumption flag every once in a while */
+ if (!((q->host_index + 1) % q->entry_repost))
+ bf_set(wqe_wqec, &wqe->generic.wqe_com, 1);
++ else
++ bf_set(wqe_wqec, &wqe->generic.wqe_com, 0);
+ if (q->phba->sli3_options & LPFC_SLI4_PHWQ_ENABLED)
+ bf_set(wqe_wqid, &wqe->generic.wqe_com, q->queue_id);
+ lpfc_sli_pcimem_bcopy(wqe, temp_wqe, q->entry_size);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 30 Jan 2018 15:58:55 -0800
+Subject: scsi: lpfc: Fix issue_lip if link is disabled
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 2289e9598dde9705400559ca2606fb8c145c34f0 ]
+
+The driver ignored checks on whether the link should be kept
+administratively down after a link bounce. Correct the checks.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_attr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/scsi/lpfc/lpfc_attr.c
++++ b/drivers/scsi/lpfc/lpfc_attr.c
+@@ -871,7 +871,12 @@ lpfc_issue_lip(struct Scsi_Host *shost)
+ LPFC_MBOXQ_t *pmboxq;
+ int mbxstatus = MBXERR_ERROR;
+
++ /*
++ * If the link is offline, disabled or BLOCK_MGMT_IO
++ * it doesn't make any sense to allow issue_lip
++ */
+ if ((vport->fc_flag & FC_OFFLINE_MODE) ||
++ (phba->hba_flag & LINK_DISABLED) ||
+ (phba->sli.sli_flag & LPFC_BLOCK_MGMT_IO))
+ return -EPERM;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 30 Jan 2018 15:58:54 -0800
+Subject: scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 161df4f09987ae2e9f0f97f0b38eee298b4a39ff ]
+
+During link bounce testing in a point-to-point topology, the host may
+enter a soft lockup on the lpfc_worker thread:
+
+ Call Trace:
+ lpfc_work_done+0x1f3/0x1390 [lpfc]
+ lpfc_do_work+0x16f/0x180 [lpfc]
+ kthread+0xc7/0xe0
+ ret_from_fork+0x3f/0x70
+
+The driver was simultaneously setting a combination of flags that caused
+lpfc_do_work()to effectively spin between slow path work and new event
+data, causing the lockup.
+
+Ensure in the typical wq completions, that new event data flags are set
+if the slow path flag is running. The slow path will eventually
+reschedule the wq handling.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -698,8 +698,9 @@ lpfc_work_done(struct lpfc_hba *phba)
+ phba->hba_flag & HBA_SP_QUEUE_EVT)) {
+ if (pring->flag & LPFC_STOP_IOCB_EVENT) {
+ pring->flag |= LPFC_DEFERRED_RING_EVENT;
+- /* Set the lpfc data pending flag */
+- set_bit(LPFC_DATA_READY, &phba->data_flags);
++ /* Preserve legacy behavior. */
++ if (!(phba->hba_flag & HBA_SP_QUEUE_EVT))
++ set_bit(LPFC_DATA_READY, &phba->data_flags);
+ } else {
+ if (phba->link_state >= LPFC_LINK_UP ||
+ phba->link_flag & LS_MDS_LOOPBACK) {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Hannes Reinecke <hare@suse.de>
+Date: Mon, 26 Feb 2018 15:26:01 +0100
+Subject: scsi: mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM
+
+From: Hannes Reinecke <hare@suse.de>
+
+[ Upstream commit 864449eea7c600596e305ffdc4a6a846414b222c ]
+
+The firmware event workqueue should not be marked as WQ_MEM_RECLAIM
+as it's doesn't need to make forward progress under memory pressure.
+In the current state it will result in a deadlock if the device had been
+forcefully removed.
+
+Cc: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Cc: Suganath Prabu Subramani <suganath-prabu.subramani@broadcom.com>
+Acked-by: Sreekanth Reddy <Sreekanth.Reddy@broadcom.com>
+Signed-off-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -8941,7 +8941,7 @@ _scsih_probe(struct pci_dev *pdev, const
+ snprintf(ioc->firmware_event_name, sizeof(ioc->firmware_event_name),
+ "fw_event_%s%d", ioc->driver_name, ioc->id);
+ ioc->firmware_event_thread = alloc_ordered_workqueue(
+- ioc->firmware_event_name, WQ_MEM_RECLAIM);
++ ioc->firmware_event_name, 0);
+ if (!ioc->firmware_event_thread) {
+ pr_err(MPT3SAS_FMT "failure at %s:%d/%s()!\n",
+ ioc->name, __FILE__, __LINE__, __func__);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Tomas Henzl <thenzl@redhat.com>
+Date: Fri, 19 Jan 2018 16:22:05 +0100
+Subject: scsi: mpt3sas: fix an out of bound write
+
+From: Tomas Henzl <thenzl@redhat.com>
+
+[ Upstream commit 4a8842de8db4953fdda7866626b78b12fb8adb97 ]
+
+cpu_msix_table is allocated to store online cpus, but pci_irq_get_affinity
+may return cpu_possible_mask which is then used to access cpu_msix_table.
+That causes bad user experience. Fix limits access to only online cpus,
+I've also added an additional test to protect from an unlikely change in
+cpu_online_mask.
+
+[mkp: checkpatch]
+
+Fixes: 1d55abc0e98a ("scsi: mpt3sas: switch to pci_alloc_irq_vectors")
+Signed-off-by: Tomas Henzl <thenzl@redhat.com>
+Acked-by: Suganath Prabu Subramani <suganath-prabu.subramani@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -1921,8 +1921,11 @@ _base_assign_reply_queues(struct MPT3SAS
+ continue;
+ }
+
+- for_each_cpu(cpu, mask)
++ for_each_cpu_and(cpu, mask, cpu_online_mask) {
++ if (cpu >= ioc->cpu_msix_table_sz)
++ break;
+ ioc->cpu_msix_table[cpu] = reply_q->msix_index;
++ }
+ }
+ return;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 25 Jan 2018 17:27:27 +0300
+Subject: scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit a7043e9529f3c367cc4d82997e00be034cbe57ca ]
+
+My static checker complains about an out of bounds read:
+
+ drivers/message/fusion/mptctl.c:2786 mptctl_hp_targetinfo()
+ error: buffer overflow 'hd->sel_timeout' 255 <= u32max.
+
+It's true that we probably should have a bounds check here.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/message/fusion/mptctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/message/fusion/mptctl.c
++++ b/drivers/message/fusion/mptctl.c
+@@ -2698,6 +2698,8 @@ mptctl_hp_targetinfo(unsigned long arg)
+ __FILE__, __LINE__, iocnum);
+ return -ENODEV;
+ }
++ if (karg.hdr.id >= MPT_MAX_FC_DEVICES)
++ return -EINVAL;
+ dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_hp_targetinfo called.\n",
+ ioc->name));
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Wilfried Weissmann <wilfried.weissmann@gmx.at>
+Date: Fri, 23 Feb 2018 20:52:34 +0100
+Subject: scsi: mvsas: fix wrong endianness of sgpio api
+
+From: Wilfried Weissmann <wilfried.weissmann@gmx.at>
+
+[ Upstream commit e75fba9c0668b3767f608ea07485f48d33c270cf ]
+
+This patch fixes the byte order of the SGPIO api and brings it back in
+sync with ledmon v0.80 and above.
+
+[mkp: added missing SoB and fixed whitespace]
+
+Signed-off-by: Wilfried Weissmann <wilfried.weissmann@gmx.at>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mvsas/mv_94xx.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/drivers/scsi/mvsas/mv_94xx.c
++++ b/drivers/scsi/mvsas/mv_94xx.c
+@@ -1080,16 +1080,16 @@ static int mvs_94xx_gpio_write(struct mv
+ void __iomem *regs = mvi->regs_ex - 0x10200;
+
+ int drive = (i/3) & (4-1); /* drive number on host */
+- u32 block = mr32(MVS_SGPIO_DCTRL +
++ int driveshift = drive * 8; /* bit offset of drive */
++ u32 block = ioread32be(regs + MVS_SGPIO_DCTRL +
+ MVS_SGPIO_HOST_OFFSET * mvi->id);
+
+-
+ /*
+ * if bit is set then create a mask with the first
+ * bit of the drive set in the mask ...
+ */
+- u32 bit = (write_data[i/8] & (1 << (i&(8-1)))) ?
+- 1<<(24-drive*8) : 0;
++ u32 bit = get_unaligned_be32(write_data) & (1 << i) ?
++ 1 << driveshift : 0;
+
+ /*
+ * ... and then shift it to the right position based
+@@ -1098,26 +1098,27 @@ static int mvs_94xx_gpio_write(struct mv
+ switch (i%3) {
+ case 0: /* activity */
+ block &= ~((0x7 << MVS_SGPIO_DCTRL_ACT_SHIFT)
+- << (24-drive*8));
++ << driveshift);
+ /* hardwire activity bit to SOF */
+ block |= LED_BLINKA_SOF << (
+ MVS_SGPIO_DCTRL_ACT_SHIFT +
+- (24-drive*8));
++ driveshift);
+ break;
+ case 1: /* id */
+ block &= ~((0x3 << MVS_SGPIO_DCTRL_LOC_SHIFT)
+- << (24-drive*8));
++ << driveshift);
+ block |= bit << MVS_SGPIO_DCTRL_LOC_SHIFT;
+ break;
+ case 2: /* fail */
+ block &= ~((0x7 << MVS_SGPIO_DCTRL_ERR_SHIFT)
+- << (24-drive*8));
++ << driveshift);
+ block |= bit << MVS_SGPIO_DCTRL_ERR_SHIFT;
+ break;
+ }
+
+- mw32(MVS_SGPIO_DCTRL + MVS_SGPIO_HOST_OFFSET * mvi->id,
+- block);
++ iowrite32be(block,
++ regs + MVS_SGPIO_DCTRL +
++ MVS_SGPIO_HOST_OFFSET * mvi->id);
+
+ }
+
+@@ -1132,7 +1133,7 @@ static int mvs_94xx_gpio_write(struct mv
+ void __iomem *regs = mvi->regs_ex - 0x10200;
+
+ mw32(MVS_SGPIO_DCTRL + MVS_SGPIO_HOST_OFFSET * mvi->id,
+- be32_to_cpu(((u32 *) write_data)[i]));
++ ((u32 *) write_data)[i]);
+ }
+ return reg_count;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Manish Rangankar <manish.rangankar@cavium.com>
+Date: Mon, 26 Feb 2018 01:01:17 -0800
+Subject: scsi: qedi: Fix kernel crash during port toggle
+
+From: Manish Rangankar <manish.rangankar@cavium.com>
+
+[ Upstream commit 967823d6c3980a30e214b92bfe6a101e7b46d025 ]
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000100
+
+[ 985.596918] IP: _raw_spin_lock_bh+0x17/0x30
+[ 985.601581] PGD 0 P4D 0
+[ 985.604405] Oops: 0002 [#1] SMP
+:
+[ 985.704533] CPU: 16 PID: 1156 Comm: qedi_thread/16 Not tainted 4.16.0-rc2 #1
+[ 985.712397] Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 2.4.3 01/17/2017
+[ 985.720747] RIP: 0010:_raw_spin_lock_bh+0x17/0x30
+[ 985.725996] RSP: 0018:ffffa4b1c43d3e10 EFLAGS: 00010246
+[ 985.731823] RAX: 0000000000000000 RBX: ffff94a31bd03000 RCX: 0000000000000000
+[ 985.739783] RDX: 0000000000000001 RSI: ffff94a32fa16938 RDI: 0000000000000100
+[ 985.747744] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000a33
+[ 985.755703] R10: 0000000000000000 R11: ffffa4b1c43d3af0 R12: 0000000000000000
+[ 985.763662] R13: ffff94a301f40818 R14: 0000000000000000 R15: 000000000000000c
+[ 985.771622] FS: 0000000000000000(0000) GS:ffff94a32fa00000(0000) knlGS:0000000000000000
+[ 985.780649] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 985.787057] CR2: 0000000000000100 CR3: 000000067a009006 CR4: 00000000001606e0
+[ 985.795017] Call Trace:
+[ 985.797747] qedi_fp_process_cqes+0x258/0x980 [qedi]
+[ 985.803294] qedi_percpu_io_thread+0x10f/0x1b0 [qedi]
+[ 985.808931] kthread+0xf5/0x130
+[ 985.812434] ? qedi_free_uio+0xd0/0xd0 [qedi]
+[ 985.817298] ? kthread_bind+0x10/0x10
+[ 985.821372] ? do_syscall_64+0x6e/0x1a0
+
+Signed-off-by: Manish Rangankar <manish.rangankar@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qedi/qedi_fw.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/scsi/qedi/qedi_fw.c
++++ b/drivers/scsi/qedi/qedi_fw.c
+@@ -769,6 +769,11 @@ static void qedi_process_cmd_cleanup_res
+
+ iscsi_cid = cqe->conn_id;
+ qedi_conn = qedi->cid_que.conn_cid_tbl[iscsi_cid];
++ if (!qedi_conn) {
++ QEDI_INFO(&qedi->dbg_ctx, QEDI_LOG_INFO,
++ "icid not found 0x%x\n", cqe->conn_id);
++ return;
++ }
+
+ /* Based on this itt get the corresponding qedi_cmd */
+ spin_lock_bh(&qedi_conn->tmf_work_lock);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Andrew Vasquez <andrew.vasquez@cavium.com>
+Date: Wed, 7 Feb 2018 08:12:35 -0800
+Subject: scsi: qedi: Fix truncation of CHAP name and secret
+
+From: Andrew Vasquez <andrew.vasquez@cavium.com>
+
+[ Upstream commit 1683ce57f568c7c92d53e9234624a53554a29cd5 ]
+
+The data in NVRAM is not guaranteed to be NUL terminated. Since
+snprintf expects byte-stream to accommodate null byte, the CHAP secret
+is truncated. Use sprintf instead of snprintf to fix the truncation of
+CHAP name and secret.
+
+Signed-off-by: Andrew Vasquez <andrew.vasquez@cavium.com>
+Signed-off-by: Nilesh Javali <nilesh.javali@cavium.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Acked-by: Chris Leech <cleech@redhat.com>
+Acked-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qedi/qedi_main.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/drivers/scsi/qedi/qedi_main.c
++++ b/drivers/scsi/qedi/qedi_main.c
+@@ -1840,8 +1840,8 @@ static ssize_t qedi_show_boot_ini_info(v
+
+ switch (type) {
+ case ISCSI_BOOT_INI_INITIATOR_NAME:
+- rc = snprintf(str, NVM_ISCSI_CFG_ISCSI_NAME_MAX_LEN, "%s\n",
+- initiator->initiator_name.byte);
++ rc = sprintf(str, "%.*s\n", NVM_ISCSI_CFG_ISCSI_NAME_MAX_LEN,
++ initiator->initiator_name.byte);
+ break;
+ default:
+ rc = 0;
+@@ -1908,8 +1908,8 @@ qedi_show_boot_tgt_info(struct qedi_ctx
+
+ switch (type) {
+ case ISCSI_BOOT_TGT_NAME:
+- rc = snprintf(str, NVM_ISCSI_CFG_ISCSI_NAME_MAX_LEN, "%s\n",
+- block->target[idx].target_name.byte);
++ rc = sprintf(str, "%.*s\n", NVM_ISCSI_CFG_ISCSI_NAME_MAX_LEN,
++ block->target[idx].target_name.byte);
+ break;
+ case ISCSI_BOOT_TGT_IP_ADDR:
+ if (ipv6_en)
+@@ -1930,20 +1930,20 @@ qedi_show_boot_tgt_info(struct qedi_ctx
+ block->target[idx].lun.value[0]);
+ break;
+ case ISCSI_BOOT_TGT_CHAP_NAME:
+- rc = snprintf(str, NVM_ISCSI_CFG_CHAP_NAME_MAX_LEN, "%s\n",
+- chap_name);
++ rc = sprintf(str, "%.*s\n", NVM_ISCSI_CFG_CHAP_NAME_MAX_LEN,
++ chap_name);
+ break;
+ case ISCSI_BOOT_TGT_CHAP_SECRET:
+- rc = snprintf(str, NVM_ISCSI_CFG_CHAP_PWD_MAX_LEN, "%s\n",
+- chap_secret);
++ rc = sprintf(str, "%.*s\n", NVM_ISCSI_CFG_CHAP_NAME_MAX_LEN,
++ chap_secret);
+ break;
+ case ISCSI_BOOT_TGT_REV_CHAP_NAME:
+- rc = snprintf(str, NVM_ISCSI_CFG_CHAP_NAME_MAX_LEN, "%s\n",
+- mchap_name);
++ rc = sprintf(str, "%.*s\n", NVM_ISCSI_CFG_CHAP_NAME_MAX_LEN,
++ mchap_name);
+ break;
+ case ISCSI_BOOT_TGT_REV_CHAP_SECRET:
+- rc = snprintf(str, NVM_ISCSI_CFG_CHAP_PWD_MAX_LEN, "%s\n",
+- mchap_secret);
++ rc = sprintf(str, "%.*s\n", NVM_ISCSI_CFG_CHAP_NAME_MAX_LEN,
++ mchap_secret);
+ break;
+ case ISCSI_BOOT_TGT_FLAGS:
+ rc = snprintf(str, 3, "%hhd\n", SYSFS_FLAG_FW_SEL_BOOT);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Thu, 25 Jan 2018 08:24:29 -0800
+Subject: scsi: qla2xxx: Avoid triggering undefined behavior in qla2x00_mbx_completion()
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+[ Upstream commit c02189e12ce3bf3808cb880569d3b10249f50bd9 ]
+
+A left shift must shift less than the bit width of the left argument.
+Avoid triggering undefined behavior if ha->mbx_count == 32.
+
+This patch avoids that UBSAN reports the following complaint:
+
+UBSAN: Undefined behaviour in drivers/scsi/qla2xxx/qla_isr.c:275:14
+shift exponent 32 is too large for 32-bit type 'int'
+Call Trace:
+ dump_stack+0x4e/0x6c
+ ubsan_epilogue+0xd/0x3b
+ __ubsan_handle_shift_out_of_bounds+0x112/0x14c
+ qla2x00_mbx_completion+0x1c5/0x25d [qla2xxx]
+ qla2300_intr_handler+0x1ea/0x3bb [qla2xxx]
+ qla2x00_mailbox_command+0x77b/0x139a [qla2xxx]
+ qla2x00_mbx_reg_test+0x83/0x114 [qla2xxx]
+ qla2x00_chip_diag+0x354/0x45f [qla2xxx]
+ qla2x00_initialize_adapter+0x2c2/0xa4e [qla2xxx]
+ qla2x00_probe_one+0x1681/0x392e [qla2xxx]
+ pci_device_probe+0x10b/0x1f1
+ driver_probe_device+0x21f/0x3a4
+ __driver_attach+0xa9/0xe1
+ bus_for_each_dev+0x6e/0xb5
+ driver_attach+0x22/0x3c
+ bus_add_driver+0x1d1/0x2ae
+ driver_register+0x78/0x130
+ __pci_register_driver+0x75/0xa8
+ qla2x00_module_init+0x21b/0x267 [qla2xxx]
+ do_one_initcall+0x5a/0x1e2
+ do_init_module+0x9d/0x285
+ load_module+0x20db/0x38e3
+ SYSC_finit_module+0xa8/0xbc
+ SyS_finit_module+0x9/0xb
+ do_syscall_64+0x77/0x271
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+Reported-by: Meelis Roos <mroos@linux.ee>
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Himanshu Madhani <himanshu.madhani@cavium.com>
+Reviewed-by: Laurence Oberman <loberman@redhat.com>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -272,7 +272,8 @@ qla2x00_mbx_completion(scsi_qla_host_t *
+ struct device_reg_2xxx __iomem *reg = &ha->iobase->isp;
+
+ /* Read all mbox registers? */
+- mboxes = (1 << ha->mbx_count) - 1;
++ WARN_ON_ONCE(ha->mbx_count > 32);
++ mboxes = (1ULL << ha->mbx_count) - 1;
+ if (!ha->mcp)
+ ql_dbg(ql_dbg_async, vha, 0x5001, "MBX pointer ERROR.\n");
+ else
+@@ -2821,7 +2822,8 @@ qla24xx_mbx_completion(scsi_qla_host_t *
+ struct device_reg_24xx __iomem *reg = &ha->iobase->isp24;
+
+ /* Read all mbox registers? */
+- mboxes = (1 << ha->mbx_count) - 1;
++ WARN_ON_ONCE(ha->mbx_count > 32);
++ mboxes = (1ULL << ha->mbx_count) - 1;
+ if (!ha->mcp)
+ ql_dbg(ql_dbg_async, vha, 0x504e, "MBX pointer ERROR.\n");
+ else
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Tue, 23 Jan 2018 11:05:21 -0800
+Subject: scsi: qla2xxx: Fix memory corruption during hba reset test
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+[ Upstream commit 2ce87cc5b269510de9ca1185ca8a6e10ec78c069 ]
+
+This patch fixes memory corrpution while performing HBA Reset test.
+
+Following stack trace is seen:
+
+[ 466.397219] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
+[ 466.433669] IP: [<ffffffffc06f5dd0>] qlt_free_session_done+0x260/0x5f0 [qla2xxx]
+[ 466.467731] PGD 0
+[ 466.476718] Oops: 0000 [#1] SMP
+
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -3581,6 +3581,8 @@ qla2x00_remove_one(struct pci_dev *pdev)
+ }
+ qla2x00_wait_for_hba_ready(base_vha);
+
++ qla2x00_wait_for_sess_deletion(base_vha);
++
+ /*
+ * if UNLOAD flag is already set, then continue unload,
+ * where it was set first.
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Manish Rangankar <manish.rangankar@cavium.com>
+Date: Sun, 11 Feb 2018 22:48:41 -0800
+Subject: scsi: qla4xxx: skip error recovery in case of register disconnect.
+
+From: Manish Rangankar <manish.rangankar@cavium.com>
+
+[ Upstream commit 1bc5ad3a6acdcf56f83272f2de1cd2389ea9e9e2 ]
+
+A system crashes when continuously removing/re-adding the storage
+controller.
+
+Signed-off-by: Manish Rangankar <manish.rangankar@cavium.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +
+ drivers/scsi/qla4xxx/ql4_os.c | 46 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 48 insertions(+)
+
+--- a/drivers/scsi/qla4xxx/ql4_def.h
++++ b/drivers/scsi/qla4xxx/ql4_def.h
+@@ -168,6 +168,8 @@
+ #define DEV_DB_NON_PERSISTENT 0
+ #define DEV_DB_PERSISTENT 1
+
++#define QL4_ISP_REG_DISCONNECT 0xffffffffU
++
+ #define COPY_ISID(dst_isid, src_isid) { \
+ int i, j; \
+ for (i = 0, j = ISID_SIZE - 1; i < ISID_SIZE;) \
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -262,6 +262,24 @@ static struct iscsi_transport qla4xxx_is
+
+ static struct scsi_transport_template *qla4xxx_scsi_transport;
+
++static int qla4xxx_isp_check_reg(struct scsi_qla_host *ha)
++{
++ u32 reg_val = 0;
++ int rval = QLA_SUCCESS;
++
++ if (is_qla8022(ha))
++ reg_val = readl(&ha->qla4_82xx_reg->host_status);
++ else if (is_qla8032(ha) || is_qla8042(ha))
++ reg_val = qla4_8xxx_rd_direct(ha, QLA8XXX_PEG_ALIVE_COUNTER);
++ else
++ reg_val = readw(&ha->reg->ctrl_status);
++
++ if (reg_val == QL4_ISP_REG_DISCONNECT)
++ rval = QLA_ERROR;
++
++ return rval;
++}
++
+ static int qla4xxx_send_ping(struct Scsi_Host *shost, uint32_t iface_num,
+ uint32_t iface_type, uint32_t payload_size,
+ uint32_t pid, struct sockaddr *dst_addr)
+@@ -9188,10 +9206,17 @@ static int qla4xxx_eh_abort(struct scsi_
+ struct srb *srb = NULL;
+ int ret = SUCCESS;
+ int wait = 0;
++ int rval;
+
+ ql4_printk(KERN_INFO, ha, "scsi%ld:%d:%llu: Abort command issued cmd=%p, cdb=0x%x\n",
+ ha->host_no, id, lun, cmd, cmd->cmnd[0]);
+
++ rval = qla4xxx_isp_check_reg(ha);
++ if (rval != QLA_SUCCESS) {
++ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
++ return FAILED;
++ }
++
+ spin_lock_irqsave(&ha->hardware_lock, flags);
+ srb = (struct srb *) CMD_SP(cmd);
+ if (!srb) {
+@@ -9243,6 +9268,7 @@ static int qla4xxx_eh_device_reset(struc
+ struct scsi_qla_host *ha = to_qla_host(cmd->device->host);
+ struct ddb_entry *ddb_entry = cmd->device->hostdata;
+ int ret = FAILED, stat;
++ int rval;
+
+ if (!ddb_entry)
+ return ret;
+@@ -9262,6 +9288,12 @@ static int qla4xxx_eh_device_reset(struc
+ cmd, jiffies, cmd->request->timeout / HZ,
+ ha->dpc_flags, cmd->result, cmd->allowed));
+
++ rval = qla4xxx_isp_check_reg(ha);
++ if (rval != QLA_SUCCESS) {
++ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
++ return FAILED;
++ }
++
+ /* FIXME: wait for hba to go online */
+ stat = qla4xxx_reset_lun(ha, ddb_entry, cmd->device->lun);
+ if (stat != QLA_SUCCESS) {
+@@ -9305,6 +9337,7 @@ static int qla4xxx_eh_target_reset(struc
+ struct scsi_qla_host *ha = to_qla_host(cmd->device->host);
+ struct ddb_entry *ddb_entry = cmd->device->hostdata;
+ int stat, ret;
++ int rval;
+
+ if (!ddb_entry)
+ return FAILED;
+@@ -9322,6 +9355,12 @@ static int qla4xxx_eh_target_reset(struc
+ ha->host_no, cmd, jiffies, cmd->request->timeout / HZ,
+ ha->dpc_flags, cmd->result, cmd->allowed));
+
++ rval = qla4xxx_isp_check_reg(ha);
++ if (rval != QLA_SUCCESS) {
++ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
++ return FAILED;
++ }
++
+ stat = qla4xxx_reset_target(ha, ddb_entry);
+ if (stat != QLA_SUCCESS) {
+ starget_printk(KERN_INFO, scsi_target(cmd->device),
+@@ -9376,9 +9415,16 @@ static int qla4xxx_eh_host_reset(struct
+ {
+ int return_status = FAILED;
+ struct scsi_qla_host *ha;
++ int rval;
+
+ ha = to_qla_host(cmd->device->host);
+
++ rval = qla4xxx_isp_check_reg(ha);
++ if (rval != QLA_SUCCESS) {
++ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
++ return FAILED;
++ }
++
+ if ((is_qla8032(ha) || is_qla8042(ha)) && ql4xdontresethba)
+ qla4_83xx_set_idc_dontreset(ha);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jeremy Cline <jeremy@jcline.org>
+Date: Tue, 6 Mar 2018 21:47:32 +0000
+Subject: scsi: sd: Keep disk read-only when re-reading partition
+
+From: Jeremy Cline <jeremy@jcline.org>
+
+[ Upstream commit 20bd1d026aacc5399464f8328f305985c493cde3 ]
+
+If the read-only flag is true on a SCSI disk, re-reading the partition
+table sets the flag back to false.
+
+To observe this bug, you can run:
+
+1. blockdev --setro /dev/sda
+2. blockdev --rereadpt /dev/sda
+3. blockdev --getro /dev/sda
+
+This commit reads the disk's old state and combines it with the device
+disk-reported state rather than unconditionally marking it as RW.
+
+Reported-by: Li Ning <lining916740672@icloud.com>
+Signed-off-by: Jeremy Cline <jeremy@jcline.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2608,6 +2608,7 @@ sd_read_write_protect_flag(struct scsi_d
+ int res;
+ struct scsi_device *sdp = sdkp->device;
+ struct scsi_mode_data data;
++ int disk_ro = get_disk_ro(sdkp->disk);
+ int old_wp = sdkp->write_prot;
+
+ set_disk_ro(sdkp->disk, 0);
+@@ -2648,7 +2649,7 @@ sd_read_write_protect_flag(struct scsi_d
+ "Test WP failed, assume Write Enabled\n");
+ } else {
+ sdkp->write_prot = ((data.device_specific & 0x80) != 0);
+- set_disk_ro(sdkp->disk, sdkp->write_prot);
++ set_disk_ro(sdkp->disk, sdkp->write_prot || disk_ro);
+ if (sdkp->first_scan || old_wp != sdkp->write_prot) {
+ sd_printk(KERN_NOTICE, sdkp, "Write Protect is %s\n",
+ sdkp->write_prot ? "on" : "off");
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: "Michael Kelley (EOSG)" <Michael.H.Kelley@microsoft.com>
+Date: Wed, 24 Jan 2018 22:49:57 +0000
+Subject: scsi: storvsc: Increase cmd_per_lun for higher speed devices
+
+From: "Michael Kelley (EOSG)" <Michael.H.Kelley@microsoft.com>
+
+[ Upstream commit cabe92a55e3a12005a4ac4d3954c9a174b0efe2a ]
+
+Increase cmd_per_lun to allow more I/Os in progress per device,
+particularly for NVMe's. The Hyper-V host side can handle the higher
+count with no issues.
+
+Signed-off-by: Michael Kelley <mikelley@microsoft.com>
+Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
+Acked-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/storvsc_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -1661,7 +1661,7 @@ static struct scsi_host_template scsi_dr
+ .eh_timed_out = storvsc_eh_timed_out,
+ .slave_alloc = storvsc_device_alloc,
+ .slave_configure = storvsc_device_configure,
+- .cmd_per_lun = 255,
++ .cmd_per_lun = 2048,
+ .this_id = -1,
+ .use_clustering = ENABLE_CLUSTERING,
+ /* Make sure we dont get a sg segment crosses a page boundary */
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 25 Jan 2018 17:13:40 +0300
+Subject: scsi: sym53c8xx_2: iterator underflow in sym_getsync()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e6f791d95313c85f3dd4a26141e28e50ae9aa0ae ]
+
+We wanted to exit the loop with "div" set to zero, but instead, if we
+don't hit the break then "div" is -1 when we finish the loop. It leads
+to an array underflow a few lines later.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Acked-by: Matthew Wilcox <mawilcox@microsoft.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sym53c8xx_2/sym_hipd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/sym53c8xx_2/sym_hipd.c
++++ b/drivers/scsi/sym53c8xx_2/sym_hipd.c
+@@ -536,7 +536,7 @@ sym_getsync(struct sym_hcb *np, u_char d
+ * Look for the greatest clock divisor that allows an
+ * input speed faster than the period.
+ */
+- while (div-- > 0)
++ while (--div > 0)
+ if (kpc >= (div_10M[div] << 2)) break;
+
+ /*
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Sujit Reddy Thumma <sthumma@codeaurora.org>
+Date: Wed, 24 Jan 2018 09:52:35 +0530
+Subject: scsi: ufs: Enable quirk to ignore sending WRITE_SAME command
+
+From: Sujit Reddy Thumma <sthumma@codeaurora.org>
+
+[ Upstream commit 84af7e8b895088d89f246d6b0f82717fafdebf61 ]
+
+WRITE_SAME command is not supported by UFS. Enable a quirk for the upper
+level drivers to not send WRITE SAME command.
+
+[mkp: botched patch, applied by hand]
+
+Signed-off-by: Sujit Reddy Thumma <sthumma@codeaurora.org>
+Signed-off-by: Subhash Jadavani <subhashj@codeaurora.org>
+Signed-off-by: Asutosh Das <asutoshd@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -4347,6 +4347,8 @@ static int ufshcd_slave_alloc(struct scs
+ /* REPORT SUPPORTED OPERATION CODES is not supported */
+ sdev->no_report_opcodes = 1;
+
++ /* WRITE_SAME command is not supported */
++ sdev->no_write_same = 1;
+
+ ufshcd_set_queue_depth(sdev);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Tycho Andersen <tycho@tycho.ws>
+Date: Tue, 20 Feb 2018 19:47:47 -0700
+Subject: seccomp: add a selftest for get_metadata
+
+From: Tycho Andersen <tycho@tycho.ws>
+
+[ Upstream commit d057dc4e35e16050befa3dda943876dab39cbf80 ]
+
+Let's test that we get the flags correctly, and that we preserve the filter
+index across the ptrace(PTRACE_SECCOMP_GET_METADATA) correctly.
+
+Signed-off-by: Tycho Andersen <tycho@tycho.ws>
+CC: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 61 ++++++++++++++++++++++++++
+ 1 file changed, 61 insertions(+)
+
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
+@@ -141,6 +141,15 @@ struct seccomp_data {
+ #define SECCOMP_FILTER_FLAG_LOG 2
+ #endif
+
++#ifndef PTRACE_SECCOMP_GET_METADATA
++#define PTRACE_SECCOMP_GET_METADATA 0x420d
++
++struct seccomp_metadata {
++ __u64 filter_off; /* Input: which filter */
++ __u64 flags; /* Output: filter's flags */
++};
++#endif
++
+ #ifndef seccomp
+ int seccomp(unsigned int op, unsigned int flags, void *args)
+ {
+@@ -2845,6 +2854,58 @@ TEST(get_action_avail)
+ EXPECT_EQ(errno, EOPNOTSUPP);
+ }
+
++TEST(get_metadata)
++{
++ pid_t pid;
++ int pipefd[2];
++ char buf;
++ struct seccomp_metadata md;
++
++ ASSERT_EQ(0, pipe(pipefd));
++
++ pid = fork();
++ ASSERT_GE(pid, 0);
++ if (pid == 0) {
++ struct sock_filter filter[] = {
++ BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
++ };
++ struct sock_fprog prog = {
++ .len = (unsigned short)ARRAY_SIZE(filter),
++ .filter = filter,
++ };
++
++ /* one with log, one without */
++ ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER,
++ SECCOMP_FILTER_FLAG_LOG, &prog));
++ ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog));
++
++ ASSERT_EQ(0, close(pipefd[0]));
++ ASSERT_EQ(1, write(pipefd[1], "1", 1));
++ ASSERT_EQ(0, close(pipefd[1]));
++
++ while (1)
++ sleep(100);
++ }
++
++ ASSERT_EQ(0, close(pipefd[1]));
++ ASSERT_EQ(1, read(pipefd[0], &buf, 1));
++
++ ASSERT_EQ(0, ptrace(PTRACE_ATTACH, pid));
++ ASSERT_EQ(pid, waitpid(pid, NULL, 0));
++
++ md.filter_off = 0;
++ ASSERT_EQ(sizeof(md), ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md));
++ EXPECT_EQ(md.flags, SECCOMP_FILTER_FLAG_LOG);
++ EXPECT_EQ(md.filter_off, 0);
++
++ md.filter_off = 1;
++ ASSERT_EQ(sizeof(md), ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md));
++ EXPECT_EQ(md.flags, 0);
++ EXPECT_EQ(md.filter_off, 1);
++
++ ASSERT_EQ(0, kill(pid, SIGKILL));
++}
++
+ /*
+ * TODO:
+ * - add microbenchmarks
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+Date: Sun, 11 Feb 2018 11:59:50 +0100
+Subject: selftest/vDSO: fix O=
+
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+
+[ Upstream commit 70b574e7d719bdf96d26528cb289f3e782e83979 ]
+
+The vDSO selftests ignored the O= or KBUILD_OUTPUT= parameters. Fix it.
+
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/vDSO/Makefile | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/tools/testing/selftests/vDSO/Makefile
++++ b/tools/testing/selftests/vDSO/Makefile
+@@ -1,4 +1,6 @@
+ # SPDX-License-Identifier: GPL-2.0
++include ../lib.mk
++
+ ifndef CROSS_COMPILE
+ CFLAGS := -std=gnu99
+ CFLAGS_vdso_standalone_test_x86 := -nostdlib -fno-asynchronous-unwind-tables -fno-stack-protector
+@@ -6,16 +8,14 @@ ifeq ($(CONFIG_X86_32),y)
+ LDLIBS += -lgcc_s
+ endif
+
+-TEST_PROGS := vdso_test vdso_standalone_test_x86
++TEST_PROGS := $(OUTPUT)/vdso_test $(OUTPUT)/vdso_standalone_test_x86
+
+ all: $(TEST_PROGS)
+-vdso_test: parse_vdso.c vdso_test.c
+-vdso_standalone_test_x86: vdso_standalone_test_x86.c parse_vdso.c
++$(OUTPUT)/vdso_test: parse_vdso.c vdso_test.c
++$(OUTPUT)/vdso_standalone_test_x86: vdso_standalone_test_x86.c parse_vdso.c
+ $(CC) $(CFLAGS) $(CFLAGS_vdso_standalone_test_x86) \
+ vdso_standalone_test_x86.c parse_vdso.c \
+- -o vdso_standalone_test_x86
++ -o $@
+
+-include ../lib.mk
+-clean:
+- rm -fr $(TEST_PROGS)
++EXTRA_CLEAN := $(TEST_PROGS)
+ endif
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: David Ahern <dsahern@gmail.com>
+Date: Tue, 13 Feb 2018 08:44:06 -0800
+Subject: selftests: Add FIB onlink tests
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit 153e1b84f477f716bc3f81e6cfae1a3d941fc7ec ]
+
+Add test cases verifying FIB onlink commands work as expected in
+various conditions - IPv4, IPv6, main table, and VRF.
+
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/fib-onlink-tests.sh | 375 ++++++++++++++++++++++++
+ 1 file changed, 375 insertions(+)
+ create mode 100755 tools/testing/selftests/net/fib-onlink-tests.sh
+
+--- /dev/null
++++ b/tools/testing/selftests/net/fib-onlink-tests.sh
+@@ -0,0 +1,375 @@
++#!/bin/bash
++# SPDX-License-Identifier: GPL-2.0
++
++# IPv4 and IPv6 onlink tests
++
++PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no}
++
++# Network interfaces
++# - odd in current namespace; even in peer ns
++declare -A NETIFS
++# default VRF
++NETIFS[p1]=veth1
++NETIFS[p2]=veth2
++NETIFS[p3]=veth3
++NETIFS[p4]=veth4
++# VRF
++NETIFS[p5]=veth5
++NETIFS[p6]=veth6
++NETIFS[p7]=veth7
++NETIFS[p8]=veth8
++
++# /24 network
++declare -A V4ADDRS
++V4ADDRS[p1]=169.254.1.1
++V4ADDRS[p2]=169.254.1.2
++V4ADDRS[p3]=169.254.3.1
++V4ADDRS[p4]=169.254.3.2
++V4ADDRS[p5]=169.254.5.1
++V4ADDRS[p6]=169.254.5.2
++V4ADDRS[p7]=169.254.7.1
++V4ADDRS[p8]=169.254.7.2
++
++# /64 network
++declare -A V6ADDRS
++V6ADDRS[p1]=2001:db8:101::1
++V6ADDRS[p2]=2001:db8:101::2
++V6ADDRS[p3]=2001:db8:301::1
++V6ADDRS[p4]=2001:db8:301::2
++V6ADDRS[p5]=2001:db8:501::1
++V6ADDRS[p6]=2001:db8:501::2
++V6ADDRS[p7]=2001:db8:701::1
++V6ADDRS[p8]=2001:db8:701::2
++
++# Test networks:
++# [1] = default table
++# [2] = VRF
++#
++# /32 host routes
++declare -A TEST_NET4
++TEST_NET4[1]=169.254.101
++TEST_NET4[2]=169.254.102
++# /128 host routes
++declare -A TEST_NET6
++TEST_NET6[1]=2001:db8:101
++TEST_NET6[2]=2001:db8:102
++
++# connected gateway
++CONGW[1]=169.254.1.254
++CONGW[2]=169.254.5.254
++
++# recursive gateway
++RECGW4[1]=169.254.11.254
++RECGW4[2]=169.254.12.254
++RECGW6[1]=2001:db8:11::64
++RECGW6[2]=2001:db8:12::64
++
++# for v4 mapped to v6
++declare -A TEST_NET4IN6IN6
++TEST_NET4IN6[1]=10.1.1.254
++TEST_NET4IN6[2]=10.2.1.254
++
++# mcast address
++MCAST6=ff02::1
++
++
++PEER_NS=bart
++PEER_CMD="ip netns exec ${PEER_NS}"
++VRF=lisa
++VRF_TABLE=1101
++PBR_TABLE=101
++
++################################################################################
++# utilities
++
++log_test()
++{
++ local rc=$1
++ local expected=$2
++ local msg="$3"
++
++ if [ ${rc} -eq ${expected} ]; then
++ nsuccess=$((nsuccess+1))
++ printf "\n TEST: %-50s [ OK ]\n" "${msg}"
++ else
++ nfail=$((nfail+1))
++ printf "\n TEST: %-50s [FAIL]\n" "${msg}"
++ if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
++ echo
++ echo "hit enter to continue, 'q' to quit"
++ read a
++ [ "$a" = "q" ] && exit 1
++ fi
++ fi
++}
++
++log_section()
++{
++ echo
++ echo "######################################################################"
++ echo "TEST SECTION: $*"
++ echo "######################################################################"
++}
++
++log_subsection()
++{
++ echo
++ echo "#########################################"
++ echo "TEST SUBSECTION: $*"
++}
++
++run_cmd()
++{
++ echo
++ echo "COMMAND: $*"
++ eval $*
++}
++
++get_linklocal()
++{
++ local dev=$1
++ local pfx
++ local addr
++
++ addr=$(${pfx} ip -6 -br addr show dev ${dev} | \
++ awk '{
++ for (i = 3; i <= NF; ++i) {
++ if ($i ~ /^fe80/)
++ print $i
++ }
++ }'
++ )
++ addr=${addr/\/*}
++
++ [ -z "$addr" ] && return 1
++
++ echo $addr
++
++ return 0
++}
++
++################################################################################
++#
++
++setup()
++{
++ echo
++ echo "########################################"
++ echo "Configuring interfaces"
++
++ set -e
++
++ # create namespace
++ ip netns add ${PEER_NS}
++ ip -netns ${PEER_NS} li set lo up
++
++ # add vrf table
++ ip li add ${VRF} type vrf table ${VRF_TABLE}
++ ip li set ${VRF} up
++ ip ro add table ${VRF_TABLE} unreachable default
++ ip -6 ro add table ${VRF_TABLE} unreachable default
++
++ # create test interfaces
++ ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
++ ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]}
++ ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]}
++ ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]}
++
++ # enslave vrf interfaces
++ for n in 5 7; do
++ ip li set ${NETIFS[p${n}]} vrf ${VRF}
++ done
++
++ # add addresses
++ for n in 1 3 5 7; do
++ ip li set ${NETIFS[p${n}]} up
++ ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
++ ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]}
++ done
++
++ # move peer interfaces to namespace and add addresses
++ for n in 2 4 6 8; do
++ ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up
++ ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
++ ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]}
++ done
++
++ set +e
++
++ # let DAD complete - assume default of 1 probe
++ sleep 1
++}
++
++cleanup()
++{
++ # make sure we start from a clean slate
++ ip netns del ${PEER_NS} 2>/dev/null
++ for n in 1 3 5 7; do
++ ip link del ${NETIFS[p${n}]} 2>/dev/null
++ done
++ ip link del ${VRF} 2>/dev/null
++ ip ro flush table ${VRF_TABLE}
++ ip -6 ro flush table ${VRF_TABLE}
++}
++
++################################################################################
++# IPv4 tests
++#
++
++run_ip()
++{
++ local table="$1"
++ local prefix="$2"
++ local gw="$3"
++ local dev="$4"
++ local exp_rc="$5"
++ local desc="$6"
++
++ # dev arg may be empty
++ [ -n "${dev}" ] && dev="dev ${dev}"
++
++ run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink
++ log_test $? ${exp_rc} "${desc}"
++}
++
++valid_onlink_ipv4()
++{
++ # - unicast connected, unicast recursive
++ #
++ log_subsection "default VRF - main table"
++
++ run_ip 254 ${TEST_NET4[1]}.1 ${CONGW[1]} ${NETIFS[p1]} 0 "unicast connected"
++ run_ip 254 ${TEST_NET4[1]}.2 ${RECGW4[1]} ${NETIFS[p1]} 0 "unicast recursive"
++
++ log_subsection "VRF ${VRF}"
++
++ run_ip ${VRF_TABLE} ${TEST_NET4[2]}.1 ${CONGW[2]} ${NETIFS[p5]} 0 "unicast connected"
++ run_ip ${VRF_TABLE} ${TEST_NET4[2]}.2 ${RECGW4[2]} ${NETIFS[p5]} 0 "unicast recursive"
++
++ log_subsection "VRF device, PBR table"
++
++ run_ip ${PBR_TABLE} ${TEST_NET4[2]}.3 ${CONGW[2]} ${NETIFS[p5]} 0 "unicast connected"
++ run_ip ${PBR_TABLE} ${TEST_NET4[2]}.4 ${RECGW4[2]} ${NETIFS[p5]} 0 "unicast recursive"
++}
++
++invalid_onlink_ipv4()
++{
++ run_ip 254 ${TEST_NET4[1]}.11 ${V4ADDRS[p1]} ${NETIFS[p1]} 2 \
++ "Invalid gw - local unicast address"
++
++ run_ip ${VRF_TABLE} ${TEST_NET4[2]}.11 ${V4ADDRS[p5]} ${NETIFS[p5]} 2 \
++ "Invalid gw - local unicast address, VRF"
++
++ run_ip 254 ${TEST_NET4[1]}.101 ${V4ADDRS[p1]} "" 2 "No nexthop device given"
++
++ run_ip 254 ${TEST_NET4[1]}.102 ${V4ADDRS[p3]} ${NETIFS[p1]} 2 \
++ "Gateway resolves to wrong nexthop device"
++
++ run_ip ${VRF_TABLE} ${TEST_NET4[2]}.103 ${V4ADDRS[p7]} ${NETIFS[p5]} 2 \
++ "Gateway resolves to wrong nexthop device - VRF"
++}
++
++################################################################################
++# IPv6 tests
++#
++
++run_ip6()
++{
++ local table="$1"
++ local prefix="$2"
++ local gw="$3"
++ local dev="$4"
++ local exp_rc="$5"
++ local desc="$6"
++
++ # dev arg may be empty
++ [ -n "${dev}" ] && dev="dev ${dev}"
++
++ run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink
++ log_test $? ${exp_rc} "${desc}"
++}
++
++valid_onlink_ipv6()
++{
++ # - unicast connected, unicast recursive, v4-mapped
++ #
++ log_subsection "default VRF - main table"
++
++ run_ip6 254 ${TEST_NET6[1]}::1 ${V6ADDRS[p1]/::*}::64 ${NETIFS[p1]} 0 "unicast connected"
++ run_ip6 254 ${TEST_NET6[1]}::2 ${RECGW6[1]} ${NETIFS[p1]} 0 "unicast recursive"
++ run_ip6 254 ${TEST_NET6[1]}::3 ::ffff:${TEST_NET4IN6[1]} ${NETIFS[p1]} 0 "v4-mapped"
++
++ log_subsection "VRF ${VRF}"
++
++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::1 ${V6ADDRS[p5]/::*}::64 ${NETIFS[p5]} 0 "unicast connected"
++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::2 ${RECGW6[2]} ${NETIFS[p5]} 0 "unicast recursive"
++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::3 ::ffff:${TEST_NET4IN6[2]} ${NETIFS[p5]} 0 "v4-mapped"
++
++ log_subsection "VRF device, PBR table"
++
++ run_ip6 ${PBR_TABLE} ${TEST_NET6[2]}::4 ${V6ADDRS[p5]/::*}::64 ${NETIFS[p5]} 0 "unicast connected"
++ run_ip6 ${PBR_TABLE} ${TEST_NET6[2]}::5 ${RECGW6[2]} ${NETIFS[p5]} 0 "unicast recursive"
++ run_ip6 ${PBR_TABLE} ${TEST_NET6[2]}::6 ::ffff:${TEST_NET4IN6[2]} ${NETIFS[p5]} 0 "v4-mapped"
++}
++
++invalid_onlink_ipv6()
++{
++ local lladdr
++
++ lladdr=$(get_linklocal ${NETIFS[p1]}) || return 1
++
++ run_ip6 254 ${TEST_NET6[1]}::11 ${V6ADDRS[p1]} ${NETIFS[p1]} 2 \
++ "Invalid gw - local unicast address"
++ run_ip6 254 ${TEST_NET6[1]}::12 ${lladdr} ${NETIFS[p1]} 2 \
++ "Invalid gw - local linklocal address"
++ run_ip6 254 ${TEST_NET6[1]}::12 ${MCAST6} ${NETIFS[p1]} 2 \
++ "Invalid gw - multicast address"
++
++ lladdr=$(get_linklocal ${NETIFS[p5]}) || return 1
++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::11 ${V6ADDRS[p5]} ${NETIFS[p5]} 2 \
++ "Invalid gw - local unicast address, VRF"
++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::12 ${lladdr} ${NETIFS[p5]} 2 \
++ "Invalid gw - local linklocal address, VRF"
++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::12 ${MCAST6} ${NETIFS[p5]} 2 \
++ "Invalid gw - multicast address, VRF"
++
++ run_ip6 254 ${TEST_NET6[1]}::101 ${V6ADDRS[p1]} "" 2 \
++ "No nexthop device given"
++
++ # default VRF validation is done against LOCAL table
++ # run_ip6 254 ${TEST_NET6[1]}::102 ${V6ADDRS[p3]/::[0-9]/::64} ${NETIFS[p1]} 2 \
++ # "Gateway resolves to wrong nexthop device"
++
++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::103 ${V6ADDRS[p7]/::[0-9]/::64} ${NETIFS[p5]} 2 \
++ "Gateway resolves to wrong nexthop device - VRF"
++}
++
++run_onlink_tests()
++{
++ log_section "IPv4 onlink"
++ log_subsection "Valid onlink commands"
++ valid_onlink_ipv4
++ log_subsection "Invalid onlink commands"
++ invalid_onlink_ipv4
++
++ log_section "IPv6 onlink"
++ log_subsection "Valid onlink commands"
++ valid_onlink_ipv6
++ invalid_onlink_ipv6
++}
++
++################################################################################
++# main
++
++nsuccess=0
++nfail=0
++
++cleanup
++setup
++run_onlink_tests
++cleanup
++
++if [ "$TESTS" != "none" ]; then
++ printf "\nTests passed: %3d\n" ${nsuccess}
++ printf "Tests failed: %3d\n" ${nfail}
++fi
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Li Zhijian <zhijianx.li@intel.com>
+Date: Thu, 22 Feb 2018 10:34:02 +0800
+Subject: selftests/bpf/test_maps: exit child process without error in ENOMEM case
+
+From: Li Zhijian <zhijianx.li@intel.com>
+
+[ Upstream commit 80475c48c6a8a65171e035e0915dc7996b5a0a65 ]
+
+test_maps contains a series of stress tests, and previously it will break the
+rest tests when it failed to alloc memory.
+-----------------------
+Failed to create hashmap key=8 value=262144 'Cannot allocate memory'
+Failed to create hashmap key=16 value=262144 'Cannot allocate memory'
+Failed to create hashmap key=8 value=262144 'Cannot allocate memory'
+Failed to create hashmap key=8 value=262144 'Cannot allocate memory'
+test_maps: test_maps.c:955: run_parallel: Assertion `status == 0' failed.
+Aborted
+not ok 1..3 selftests: test_maps [FAIL]
+-----------------------
+after this patch, the rest tests will be continue when it occurs an ENOMEM failure
+
+CC: Alexei Starovoitov <alexei.starovoitov@gmail.com>
+CC: Philip Li <philip.li@intel.com>
+Suggested-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Li Zhijian <zhijianx.li@intel.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/test_maps.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/testing/selftests/bpf/test_maps.c
++++ b/tools/testing/selftests/bpf/test_maps.c
+@@ -126,6 +126,8 @@ static void test_hashmap_sizes(int task,
+ fd = bpf_create_map(BPF_MAP_TYPE_HASH, i, j,
+ 2, map_flags);
+ if (fd < 0) {
++ if (errno == ENOMEM)
++ return;
+ printf("Failed to create hashmap key=%d value=%d '%s'\n",
+ i, j, strerror(errno));
+ exit(1);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Sat, 17 Mar 2018 21:40:31 +0900
+Subject: selftests: ftrace: Add a testcase for probepoint
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit dfa453bc90eca0febff33c8d292a656e53702158 ]
+
+Add a testcase for probe point definition. This tests
+symbol, address and symbol+offset syntax. The offset
+must be positive and smaller than UINT_MAX.
+
+Link: http://lkml.kernel.org/r/152129043097.31874.14273580606301767394.stgit@devbox
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc | 43 +++++++++++++
+ 1 file changed, 43 insertions(+)
+ create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc
+
+--- /dev/null
++++ b/tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc
+@@ -0,0 +1,43 @@
++#!/bin/sh
++# SPDX-License-Identifier: GPL-2.0
++# description: Kprobe events - probe points
++
++[ -f kprobe_events ] || exit_unsupported # this is configurable
++
++TARGET_FUNC=create_trace_kprobe
++
++dec_addr() { # hexaddr
++ printf "%d" "0x"`echo $1 | tail -c 8`
++}
++
++set_offs() { # prev target next
++ A1=`dec_addr $1`
++ A2=`dec_addr $2`
++ A3=`dec_addr $3`
++ TARGET="0x$2" # an address
++ PREV=`expr $A1 - $A2` # offset to previous symbol
++ NEXT=+`expr $A3 - $A2` # offset to next symbol
++ OVERFLOW=+`printf "0x%x" ${PREV}` # overflow offset to previous symbol
++}
++
++# We have to decode symbol addresses to get correct offsets.
++# If the offset is not an instruction boundary, it cause -EILSEQ.
++set_offs `grep -A1 -B1 ${TARGET_FUNC} /proc/kallsyms | cut -f 1 -d " " | xargs`
++
++UINT_TEST=no
++# printf "%x" -1 returns (unsigned long)-1.
++if [ `printf "%x" -1 | wc -c` != 9 ]; then
++ UINT_TEST=yes
++fi
++
++echo 0 > events/enable
++echo > kprobe_events
++echo "p:testprobe ${TARGET_FUNC}" > kprobe_events
++echo "p:testprobe ${TARGET}" > kprobe_events
++echo "p:testprobe ${TARGET_FUNC}${NEXT}" > kprobe_events
++! echo "p:testprobe ${TARGET_FUNC}${PREV}" > kprobe_events
++if [ "${UINT_TEST}" = yes ]; then
++! echo "p:testprobe ${TARGET_FUNC}${OVERFLOW}" > kprobe_events
++fi
++echo > kprobe_events
++clear_trace
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Sat, 17 Mar 2018 21:39:44 +0900
+Subject: selftests: ftrace: Add a testcase for string type with kprobe_event
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 5fbdbed797b6d12d043a5121fdbc8d8b49d10e80 ]
+
+Add a testcase for string type with kprobe event.
+This tests good/bad syntax combinations and also
+the traced data is correct in several way.
+
+Link: http://lkml.kernel.org/r/152129038381.31874.9201387794548737554.stgit@devbox
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc | 46 ++++++++++
+ 1 file changed, 46 insertions(+)
+ create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc
+
+--- /dev/null
++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc
+@@ -0,0 +1,46 @@
++#!/bin/sh
++# SPDX-License-Identifier: GPL-2.0
++# description: Kprobe event string type argument
++
++[ -f kprobe_events ] || exit_unsupported # this is configurable
++
++echo 0 > events/enable
++echo > kprobe_events
++
++case `uname -m` in
++x86_64)
++ ARG2=%si
++ OFFS=8
++;;
++i[3456]86)
++ ARG2=%cx
++ OFFS=4
++;;
++aarch64)
++ ARG2=%x1
++ OFFS=8
++;;
++arm*)
++ ARG2=%r1
++ OFFS=4
++;;
++*)
++ echo "Please implement other architecture here"
++ exit_untested
++esac
++
++: "Test get argument (1)"
++echo "p:testprobe create_trace_kprobe arg1=+0(+0(${ARG2})):string" > kprobe_events
++echo 1 > events/kprobes/testprobe/enable
++! echo test >> kprobe_events
++tail -n 1 trace | grep -qe "testprobe.* arg1=\"test\""
++
++echo 0 > events/kprobes/testprobe/enable
++: "Test get argument (2)"
++echo "p:testprobe create_trace_kprobe arg1=+0(+0(${ARG2})):string arg2=+0(+${OFFS}(${ARG2})):string" > kprobe_events
++echo 1 > events/kprobes/testprobe/enable
++! echo test1 test2 >> kprobe_events
++tail -n 1 trace | grep -qe "testprobe.* arg1=\"test1\" arg2=\"test2\""
++
++echo 0 > events/enable
++echo > kprobe_events
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Sat, 17 Mar 2018 21:38:56 +0900
+Subject: selftests: ftrace: Add probe event argument syntax testcase
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 871bef2000968c312a4000b2f56d370dcedbc93c ]
+
+Add a testcase for probe event argument syntax which
+ensures the kprobe_events interface correctly parses
+given event arguments.
+
+Link: http://lkml.kernel.org/r/152129033679.31874.12705519603869152799.stgit@devbox
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc | 97 ++++++++++
+ 1 file changed, 97 insertions(+)
+ create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
+
+--- /dev/null
++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
+@@ -0,0 +1,97 @@
++#!/bin/sh
++# SPDX-License-Identifier: GPL-2.0
++# description: Kprobe event argument syntax
++
++[ -f kprobe_events ] || exit_unsupported # this is configurable
++
++grep "x8/16/32/64" README > /dev/null || exit_unsupported # version issue
++
++echo 0 > events/enable
++echo > kprobe_events
++
++PROBEFUNC="vfs_read"
++GOODREG=
++BADREG=
++GOODSYM="_sdata"
++if ! grep -qw ${GOODSYM} /proc/kallsyms ; then
++ GOODSYM=$PROBEFUNC
++fi
++BADSYM="deaqswdefr"
++SYMADDR=0x`grep -w ${GOODSYM} /proc/kallsyms | cut -f 1 -d " "`
++GOODTYPE="x16"
++BADTYPE="y16"
++
++case `uname -m` in
++x86_64|i[3456]86)
++ GOODREG=%ax
++ BADREG=%ex
++;;
++aarch64)
++ GOODREG=%x0
++ BADREG=%ax
++;;
++arm*)
++ GOODREG=%r0
++ BADREG=%ax
++;;
++esac
++
++test_goodarg() # Good-args
++{
++ while [ "$1" ]; do
++ echo "p ${PROBEFUNC} $1" > kprobe_events
++ shift 1
++ done;
++}
++
++test_badarg() # Bad-args
++{
++ while [ "$1" ]; do
++ ! echo "p ${PROBEFUNC} $1" > kprobe_events
++ shift 1
++ done;
++}
++
++echo > kprobe_events
++
++: "Register access"
++test_goodarg ${GOODREG}
++test_badarg ${BADREG}
++
++: "Symbol access"
++test_goodarg "@${GOODSYM}" "@${SYMADDR}" "@${GOODSYM}+10" "@${GOODSYM}-10"
++test_badarg "@" "@${BADSYM}" "@${GOODSYM}*10" "@${GOODSYM}/10" \
++ "@${GOODSYM}%10" "@${GOODSYM}&10" "@${GOODSYM}|10"
++
++: "Stack access"
++test_goodarg "\$stack" "\$stack0" "\$stack1"
++test_badarg "\$stackp" "\$stack0+10" "\$stack1-10"
++
++: "Retval access"
++echo "r ${PROBEFUNC} \$retval" > kprobe_events
++! echo "p ${PROBEFUNC} \$retval" > kprobe_events
++
++: "Comm access"
++test_goodarg "\$comm"
++
++: "Indirect memory access"
++test_goodarg "+0(${GOODREG})" "-0(${GOODREG})" "+10(\$stack)" \
++ "+0(\$stack1)" "+10(@${GOODSYM}-10)" "+0(+10(+20(\$stack)))"
++test_badarg "+(${GOODREG})" "(${GOODREG}+10)" "-(${GOODREG})" "(${GOODREG})" \
++ "+10(\$comm)" "+0(${GOODREG})+10"
++
++: "Name assignment"
++test_goodarg "varname=${GOODREG}"
++test_badarg "varname=varname2=${GOODREG}"
++
++: "Type syntax"
++test_goodarg "${GOODREG}:${GOODTYPE}"
++test_badarg "${GOODREG}::${GOODTYPE}" "${GOODREG}:${BADTYPE}" \
++ "${GOODTYPE}:${GOODREG}"
++
++: "Combination check"
++
++test_goodarg "\$comm:string" "+0(\$stack):string"
++test_badarg "\$comm:x64" "\$stack:string" "${GOODREG}:string"
++
++echo > kprobe_events
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: "Daniel Díaz" <daniel.diaz@linaro.org>
+Date: Wed, 7 Feb 2018 11:24:31 -0600
+Subject: selftests/futex: Fix line continuation in Makefile
+
+From: "Daniel Díaz" <daniel.diaz@linaro.org>
+
+[ Upstream commit 067b25a5639b10dfdd41ce6b4d4140fe84d0a8e7 ]
+
+The Makefile lacks a couple of line continuation backslashes
+in an `if' clause, which produces an error when make versions
+prior to 4.x are used for building the tests.
+
+ $ make
+ make[1]: Entering directory `/[...]/linux/tools/testing/selftests/futex'
+ /bin/sh: -c: line 5: syntax error: unexpected end of file
+ make[1]: *** [all] Error 1
+ make[1]: Leaving directory `/[...]/linux/tools/testing/selftests/futex'
+ make: *** [all] Error 2
+
+Signed-off-by: Daniel Díaz <daniel.diaz@linaro.org>
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/futex/Makefile | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/tools/testing/selftests/futex/Makefile
++++ b/tools/testing/selftests/futex/Makefile
+@@ -12,9 +12,9 @@ all:
+ BUILD_TARGET=$(OUTPUT)/$$DIR; \
+ mkdir $$BUILD_TARGET -p; \
+ make OUTPUT=$$BUILD_TARGET -C $$DIR $@;\
+- if [ -e $$DIR/$(TEST_PROGS) ]; then
+- rsync -a $$DIR/$(TEST_PROGS) $$BUILD_TARGET/;
+- fi
++ if [ -e $$DIR/$(TEST_PROGS) ]; then \
++ rsync -a $$DIR/$(TEST_PROGS) $$BUILD_TARGET/; \
++ fi \
+ done
+
+ override define RUN_TESTS
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Anders Roxell <anders.roxell@linaro.org>
+Date: Tue, 6 Feb 2018 16:20:44 -0600
+Subject: selftests: memfd: add config fragment for fuse
+
+From: Anders Roxell <anders.roxell@linaro.org>
+
+[ Upstream commit 9a606f8d55cfc932ec02172aaed4124fdc150047 ]
+
+The memfd test requires to insert the fuse module (CONFIG_FUSE_FS).
+
+Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
+Signed-off-by: Daniel Díaz <daniel.diaz@linaro.org>
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/memfd/config | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 tools/testing/selftests/memfd/config
+
+--- /dev/null
++++ b/tools/testing/selftests/memfd/config
+@@ -0,0 +1 @@
++CONFIG_FUSE_FS=m
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Anders Roxell <anders.roxell@linaro.org>
+Date: Wed, 21 Feb 2018 14:45:58 -0800
+Subject: selftests/memfd: add run_fuse_test.sh to TEST_FILES
+
+From: Anders Roxell <anders.roxell@linaro.org>
+
+[ Upstream commit bdefe01a6b14bde268741435ac854fda4ef7e847 ]
+
+While testing memfd tests, there is a missing script, as reported by
+kselftest:
+
+ ./run_tests.sh: line 7: ./run_fuse_test.sh: No such file or directory
+
+Link: http://lkml.kernel.org/r/1517955779-11386-1-git-send-email-daniel.diaz@linaro.org
+Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
+Signed-off-by: Daniel Díaz <daniel.diaz@linaro.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/memfd/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/memfd/Makefile
++++ b/tools/testing/selftests/memfd/Makefile
+@@ -5,6 +5,7 @@ CFLAGS += -I../../../../include/
+ CFLAGS += -I../../../../usr/include/
+
+ TEST_PROGS := run_tests.sh
++TEST_FILES := run_fuse_test.sh
+ TEST_GEN_FILES := memfd_test fuse_mnt fuse_test
+
+ fuse_mnt.o: CFLAGS += $(shell pkg-config fuse --cflags)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
+Date: Thu, 15 Feb 2018 09:19:26 +0900
+Subject: selftests/net: fixes psock_fanout eBPF test case
+
+From: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
+
+[ Upstream commit ddd0010392d9cbcb95b53d11b7cafc67b373ab56 ]
+
+eBPF test fails due to verifier failure because log_buf is too small.
+Fixed by increasing log_buf size
+
+Signed-off-by: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/psock_fanout.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/psock_fanout.c
++++ b/tools/testing/selftests/net/psock_fanout.c
+@@ -128,6 +128,8 @@ static void sock_fanout_getopts(int fd,
+
+ static void sock_fanout_set_ebpf(int fd)
+ {
++ static char log_buf[65536];
++
+ const int len_off = __builtin_offsetof(struct __sk_buff, len);
+ struct bpf_insn prog[] = {
+ { BPF_ALU64 | BPF_MOV | BPF_X, 6, 1, 0, 0 },
+@@ -140,7 +142,6 @@ static void sock_fanout_set_ebpf(int fd)
+ { BPF_ALU | BPF_MOV | BPF_K, 0, 0, 0, 0 },
+ { BPF_JMP | BPF_EXIT, 0, 0, 0, 0 }
+ };
+- char log_buf[512];
+ union bpf_attr attr;
+ int pfd;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Mon, 26 Feb 2018 15:22:22 +1100
+Subject: selftests/powerpc: Skip the subpage_prot tests if the syscall is unavailable
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit cd4a6f3ab4d80cb919d15897eb3cbc85c2009d4b ]
+
+The subpage_prot syscall is only functional when the system is using
+the Hash MMU. Since commit 5b2b80714796 ("powerpc/mm: Invalidate
+subpage_prot() system call on radix platforms") it returns ENOENT when
+the Radix MMU is active. Currently this just makes the test fail.
+
+Additionally the syscall is not available if the kernel is built with
+4K pages, or if CONFIG_PPC_SUBPAGE_PROT=n, in which case it returns
+ENOSYS because the syscall is missing entirely.
+
+So check explicitly for ENOENT and ENOSYS and skip if we see either of
+those.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/powerpc/mm/subpage_prot.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/tools/testing/selftests/powerpc/mm/subpage_prot.c
++++ b/tools/testing/selftests/powerpc/mm/subpage_prot.c
+@@ -135,6 +135,16 @@ static int run_test(void *addr, unsigned
+ return 0;
+ }
+
++static int syscall_available(void)
++{
++ int rc;
++
++ errno = 0;
++ rc = syscall(__NR_subpage_prot, 0, 0, 0);
++
++ return rc == 0 || (errno != ENOENT && errno != ENOSYS);
++}
++
+ int test_anon(void)
+ {
+ unsigned long align;
+@@ -145,6 +155,8 @@ int test_anon(void)
+ void *mallocblock;
+ unsigned long mallocsize;
+
++ SKIP_IF(!syscall_available());
++
+ if (getpagesize() != 0x10000) {
+ fprintf(stderr, "Kernel page size must be 64K!\n");
+ return 1;
+@@ -180,6 +192,8 @@ int test_file(void)
+ off_t filesize;
+ int fd;
+
++ SKIP_IF(!syscall_available());
++
+ fd = open(file_name, O_RDWR);
+ if (fd == -1) {
+ perror("failed to open file");
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Fri, 23 Mar 2018 20:44:27 +1100
+Subject: selftests: Print the test we're running to /dev/kmsg
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 88893cf787d3062c631cc20b875068eb11756e03 ]
+
+Some tests cause the kernel to print things to the kernel log
+buffer (ie. printk), in particular oops and warnings etc. However when
+running all the tests in succession it's not always obvious which
+test(s) caused the kernel to print something.
+
+We can narrow it down by printing which test directory we're running
+in to /dev/kmsg, if it's writable.
+
+Example output:
+
+ [ 170.149149] kselftest: Running tests in powerpc
+ [ 305.300132] kworker/dying (71) used greatest stack depth: 7776 bytes
+ left
+ [ 808.915456] kselftest: Running tests in pstore
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/Makefile
++++ b/tools/testing/selftests/Makefile
+@@ -122,6 +122,7 @@ ifdef INSTALL_PATH
+ BUILD_TARGET=$$BUILD/$$TARGET; \
+ echo "echo ; echo Running tests in $$TARGET" >> $(ALL_SCRIPT); \
+ echo "echo ========================================" >> $(ALL_SCRIPT); \
++ echo "[ -w /dev/kmsg ] && echo \"kselftest: Running tests in $$TARGET\" >> /dev/kmsg" >> $(ALL_SCRIPT); \
+ echo "cd $$TARGET" >> $(ALL_SCRIPT); \
+ make -s --no-print-directory OUTPUT=$$BUILD_TARGET -C $$TARGET emit_tests >> $(ALL_SCRIPT); \
+ echo "cd \$$ROOT" >> $(ALL_SCRIPT); \
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Naresh Kamboju <naresh.kamboju@linaro.org>
+Date: Wed, 7 Feb 2018 14:47:20 +0530
+Subject: selftests: pstore: Adding config fragment CONFIG_PSTORE_RAM=m
+
+From: Naresh Kamboju <naresh.kamboju@linaro.org>
+
+[ Upstream commit 9a379e77033f02c4a071891afdf0f0a01eff8ccb ]
+
+pstore_tests and pstore_post_reboot_tests need CONFIG_PSTORE_RAM=m
+
+Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/pstore/config | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/pstore/config
++++ b/tools/testing/selftests/pstore/config
+@@ -2,3 +2,4 @@ CONFIG_MISC_FILESYSTEMS=y
+ CONFIG_PSTORE=y
+ CONFIG_PSTORE_PMSG=y
+ CONFIG_PSTORE_CONSOLE=y
++CONFIG_PSTORE_RAM=m
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Anders Roxell <anders.roxell@linaro.org>
+Date: Tue, 6 Feb 2018 16:23:39 -0600
+Subject: selftests: sync: missing CFLAGS while compiling
+
+From: Anders Roxell <anders.roxell@linaro.org>
+
+[ Upstream commit b2c93e300a11b419b4c67ce08e16fa1436d8118c ]
+
+Based on patch: https://patchwork.kernel.org/patch/10042045/
+
+arch64-linux-gnu-gcc -c sync.c -o sync/sync.o
+sync.c:42:29: fatal error: linux/sync_file.h: No such file or directory
+ #include <linux/sync_file.h>
+ ^
+CFLAGS is not used during the compile step, so the system instead of
+kernel headers are used. Fix this by adding CFLAGS to the OBJS compile
+rule.
+
+Reported-by: Lei Yang <Lei.Yang@windriver.com>
+Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
+Signed-off-by: Daniel Díaz <daniel.diaz@linaro.org>
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/sync/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/sync/Makefile
++++ b/tools/testing/selftests/sync/Makefile
+@@ -30,7 +30,7 @@ $(TEST_CUSTOM_PROGS): $(TESTS) $(OBJS)
+ $(CC) -o $(TEST_CUSTOM_PROGS) $(OBJS) $(TESTS) $(CFLAGS) $(LDFLAGS)
+
+ $(OBJS): $(OUTPUT)/%.o: %.c
+- $(CC) -c $^ -o $@
++ $(CC) -c $^ -o $@ $(CFLAGS)
+
+ $(TESTS): $(OUTPUT)/%.o: %.c
+ $(CC) -c $^ -o $@
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Li Zhijian <zhijianx.li@intel.com>
+Date: Fri, 9 Mar 2018 15:51:16 -0800
+Subject: selftests/vm/run_vmtests: adjust hugetlb size according to nr_cpus
+
+From: Li Zhijian <zhijianx.li@intel.com>
+
+[ Upstream commit 0627be7d3c871035364923559543c9b2ff5357f2 ]
+
+Fix userfaultfd_hugetlb on hosts which have more than 64 cpus.
+
+ ---------------------------
+ running userfaultfd_hugetlb
+ ---------------------------
+ invalid MiB
+ Usage: <MiB> <bounces>
+ [FAIL]
+
+Via userfaultfd.c we can know, hugetlb_size needs to meet hugetlb_size
+>= nr_cpus * hugepage_size. hugepage_size is often 2M, so when host
+cpus > 64, it requires more than 128M.
+
+[zhijianx.li@intel.com: update changelog/comments and variable name]
+ Link: http://lkml.kernel.org/r/20180302024356.83359-1-zhijianx.li@intel.com
+ Link: http://lkml.kernel.org/r/20180303125027.81638-1-zhijianx.li@intel.com
+Link: http://lkml.kernel.org/r/20180302024356.83359-1-zhijianx.li@intel.com
+Signed-off-by: Li Zhijian <zhijianx.li@intel.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: SeongJae Park <sj38.park@gmail.com>
+Cc: Philippe Ombredanne <pombredanne@nexb.com>
+Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/vm/run_vmtests | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+--- a/tools/testing/selftests/vm/run_vmtests
++++ b/tools/testing/selftests/vm/run_vmtests
+@@ -2,25 +2,33 @@
+ # SPDX-License-Identifier: GPL-2.0
+ #please run as root
+
+-#we need 256M, below is the size in kB
+-needmem=262144
+ mnt=./huge
+ exitcode=0
+
+-#get pagesize and freepages from /proc/meminfo
++#get huge pagesize and freepages from /proc/meminfo
+ while read name size unit; do
+ if [ "$name" = "HugePages_Free:" ]; then
+ freepgs=$size
+ fi
+ if [ "$name" = "Hugepagesize:" ]; then
+- pgsize=$size
++ hpgsize_KB=$size
+ fi
+ done < /proc/meminfo
+
++# Simple hugetlbfs tests have a hardcoded minimum requirement of
++# huge pages totaling 256MB (262144KB) in size. The userfaultfd
++# hugetlb test requires a minimum of 2 * nr_cpus huge pages. Take
++# both of these requirements into account and attempt to increase
++# number of huge pages available.
++nr_cpus=$(nproc)
++hpgsize_MB=$((hpgsize_KB / 1024))
++half_ufd_size_MB=$((((nr_cpus * hpgsize_MB + 127) / 128) * 128))
++needmem_KB=$((half_ufd_size_MB * 2 * 1024))
++
+ #set proper nr_hugepages
+-if [ -n "$freepgs" ] && [ -n "$pgsize" ]; then
++if [ -n "$freepgs" ] && [ -n "$hpgsize_KB" ]; then
+ nr_hugepgs=`cat /proc/sys/vm/nr_hugepages`
+- needpgs=`expr $needmem / $pgsize`
++ needpgs=$((needmem_KB / hpgsize_KB))
+ tries=2
+ while [ $tries -gt 0 ] && [ $freepgs -lt $needpgs ]; do
+ lackpgs=$(( $needpgs - $freepgs ))
+@@ -107,8 +115,9 @@ fi
+ echo "---------------------------"
+ echo "running userfaultfd_hugetlb"
+ echo "---------------------------"
+-# 256MB total huge pages == 128MB src and 128MB dst
+-./userfaultfd hugetlb 128 32 $mnt/ufd_test_file
++# Test requires source and destination huge pages. Size of source
++# (half_ufd_size_MB) is passed as argument to test.
++./userfaultfd hugetlb $half_ufd_size_MB 32 $mnt/ufd_test_file
+ if [ $? -ne 0 ]; then
+ echo "[FAIL]"
+ exitcode=1
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Vignesh R <vigneshr@ti.com>
+Date: Thu, 8 Feb 2018 18:25:41 +0530
+Subject: serial: 8250: Don't service RX FIFO if interrupts are disabled
+
+From: Vignesh R <vigneshr@ti.com>
+
+[ Upstream commit 2e9fe539108320820016f78ca7704a7342788380 ]
+
+Currently, data in RX FIFO is read based on UART_LSR register state even
+if RDI and RLSI interrupts are disabled in UART_IER register.
+This is because when IRQ handler is called due to TX FIFO empty event,
+RX FIFO is serviced based on UART_LSR register status instead of
+UART_IIR status. This defeats the purpose of disabling UART RX
+FIFO interrupts during throttling(see, omap_8250_throttle()) as IRQ
+handler continues to drain UART RX FIFO resulting in overflow of buffer
+at tty layer.
+Fix this by making sure that driver drains UART RX FIFO only when
+UART_IIR_RDI is set along with UART_LSR_BI or UART_LSR_DR bits.
+
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_port.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -1874,7 +1874,8 @@ int serial8250_handle_irq(struct uart_po
+
+ status = serial_port_in(port, UART_LSR);
+
+- if (status & (UART_LSR_DR | UART_LSR_BI)) {
++ if (status & (UART_LSR_DR | UART_LSR_BI) &&
++ iir & UART_IIR_RDI) {
+ if (!up->dma || handle_rx_dma(up, iir))
+ status = serial8250_rx_chars(up, status);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>
+Date: Thu, 25 Jan 2018 14:30:43 +0100
+Subject: serial: altera: ensure port->regshift is honored consistently
+
+From: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 0e254963b6ba4d63ac911e79537fea38dd03dc50 ]
+
+Most register accesses in the altera driver honor port->regshift by
+using altera_uart_writel(). There are a few accesses however that were
+missed when the driver was converted to use port->regshift and some
+others were added later in commit 4d9d7d896d77 ("serial: altera_uart:
+add earlycon support").
+
+Fixes: 2780ad42f5fe ("tty: serial: altera_uart: Use port->regshift to store bus shift")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Acked-by: Tobias Klauser <tklauser@distanz.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/altera_uart.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/serial/altera_uart.c
++++ b/drivers/tty/serial/altera_uart.c
+@@ -331,7 +331,7 @@ static int altera_uart_startup(struct ua
+
+ /* Enable RX interrupts now */
+ pp->imr = ALTERA_UART_CONTROL_RRDY_MSK;
+- writel(pp->imr, port->membase + ALTERA_UART_CONTROL_REG);
++ altera_uart_writel(port, pp->imr, ALTERA_UART_CONTROL_REG);
+
+ spin_unlock_irqrestore(&port->lock, flags);
+
+@@ -347,7 +347,7 @@ static void altera_uart_shutdown(struct
+
+ /* Disable all interrupts now */
+ pp->imr = 0;
+- writel(pp->imr, port->membase + ALTERA_UART_CONTROL_REG);
++ altera_uart_writel(port, pp->imr, ALTERA_UART_CONTROL_REG);
+
+ spin_unlock_irqrestore(&port->lock, flags);
+
+@@ -436,7 +436,7 @@ static void altera_uart_console_putc(str
+ ALTERA_UART_STATUS_TRDY_MSK))
+ cpu_relax();
+
+- writel(c, port->membase + ALTERA_UART_TXDATA_REG);
++ altera_uart_writel(port, c, ALTERA_UART_TXDATA_REG);
+ }
+
+ static void altera_uart_console_write(struct console *co, const char *s,
+@@ -506,13 +506,13 @@ static int __init altera_uart_earlycon_s
+ return -ENODEV;
+
+ /* Enable RX interrupts now */
+- writel(ALTERA_UART_CONTROL_RRDY_MSK,
+- port->membase + ALTERA_UART_CONTROL_REG);
++ altera_uart_writel(port, ALTERA_UART_CONTROL_RRDY_MSK,
++ ALTERA_UART_CONTROL_REG);
+
+ if (dev->baud) {
+ unsigned int baudclk = port->uartclk / dev->baud;
+
+- writel(baudclk, port->membase + ALTERA_UART_DIVISOR_REG);
++ altera_uart_writel(port, baudclk, ALTERA_UART_DIVISOR_REG);
+ }
+
+ dev->con->write = altera_uart_earlycon_write;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:29 +0100
+Subject: serial: arc_uart: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit f9f5786987e81d166c60833edcb7d1836aa16944 ]
+
+The arc_uart_ports[] array is indexed using a value derived from the
+"serialN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Note that the array size is defined by a Kconfig symbol
+(CONFIG_SERIAL_ARC_NR_PORTS), so this can even be triggered using a
+legitimate DTB.
+
+Fixes: ea28fd56fcde69af ("serial/arc-uart: switch to devicetree based probing")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/arc_uart.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/tty/serial/arc_uart.c
++++ b/drivers/tty/serial/arc_uart.c
+@@ -596,6 +596,11 @@ static int arc_serial_probe(struct platf
+ if (dev_id < 0)
+ dev_id = 0;
+
++ if (dev_id >= ARRAY_SIZE(arc_uart_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", dev_id);
++ return -EINVAL;
++ }
++
+ uart = &arc_uart_ports[dev_id];
+ port = &uart->port;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:30 +0100
+Subject: serial: fsl_lpuart: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit ffab87fdecc655cc676f8be8dd1a2c5e22bd6d47 ]
+
+The lpuart_ports[] array is indexed using a value derived from the
+"serialN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: c9e2e946fb0ba5d2 ("tty: serial: add Freescale lpuart driver support")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -2151,6 +2151,10 @@ static int lpuart_probe(struct platform_
+ dev_err(&pdev->dev, "failed to get alias id, errno %d\n", ret);
+ return ret;
+ }
++ if (ret >= ARRAY_SIZE(lpuart_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", ret);
++ return -EINVAL;
++ }
+ sport->port.line = ret;
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ sport->port.membase = devm_ioremap_resource(&pdev->dev, res);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:31 +0100
+Subject: serial: imx: Fix out-of-bounds access through serial port index
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 5673444821406dda5fc25e4b52aca419f8065a19 ]
+
+The imx_ports[] array is indexed using a value derived from the
+"serialN" alias in DT, or from platform data, which may lead to an
+out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: ff05967a07225ab6 ("serial/imx: add of_alias_get_id() reference back")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/imx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -2096,6 +2096,12 @@ static int serial_imx_probe(struct platf
+ else if (ret < 0)
+ return ret;
+
++ if (sport->port.line >= ARRAY_SIZE(imx_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n",
++ sport->port.line);
++ return -EINVAL;
++ }
++
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ base = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(base))
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:32 +0100
+Subject: serial: mxs-auart: Fix out-of-bounds access through serial port index
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit dd345a31bfdec350d2593e6de5964e55c7f19c76 ]
+
+The auart_port[] array is indexed using a value derived from the
+"serialN" alias in DT, or from platform data, which may lead to an
+out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: 1ea6607d4cdc9179 ("serial: mxs-auart: Allow device tree probing")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/mxs-auart.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/mxs-auart.c
++++ b/drivers/tty/serial/mxs-auart.c
+@@ -1667,6 +1667,10 @@ static int mxs_auart_probe(struct platfo
+ s->port.line = pdev->id < 0 ? 0 : pdev->id;
+ else if (ret < 0)
+ return ret;
++ if (s->port.line >= ARRAY_SIZE(auart_port)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", s->port.line);
++ return -EINVAL;
++ }
+
+ if (of_id) {
+ pdev->id_entry = of_id->data;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:34 +0100
+Subject: serial: samsung: Fix out-of-bounds access through serial port index
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 49ee23b71877831ac087d6083f6f397dc19c9664 ]
+
+The s3c24xx_serial_ports[] array is indexed using a value derived from
+the "serialN" alias in DT, or from an incrementing probe index, which
+may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Note that the array size is defined by a Kconfig symbol
+(CONFIG_SERIAL_SAMSUNG_UARTS), so this can even be triggered using
+a legitimate DTB or legitimate board code.
+
+Fixes: 13a9f6c64fdc55eb ("serial: samsung: Consider DT alias when probing ports")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/samsung.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -1821,6 +1821,10 @@ static int s3c24xx_serial_probe(struct p
+
+ dbg("s3c24xx_serial_probe(%p) %d\n", pdev, index);
+
++ if (index >= ARRAY_SIZE(s3c24xx_serial_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", index);
++ return -EINVAL;
++ }
+ ourport = &s3c24xx_serial_ports[index];
+
+ ourport->drv_data = s3c24xx_get_driver_data(pdev);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:35 +0100
+Subject: serial: sh-sci: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 090fa4b0dccfa3d04e1c5ab0fe4eba16e6713895 ]
+
+The sci_ports[] array is indexed using a value derived from the
+"serialN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Note that the array size is defined by a Kconfig symbol
+(CONFIG_SERIAL_SH_SCI_NR_UARTS), so this can even be triggered using a
+legitimate DTB.
+
+Fixes: 97ed9790c514066b ("serial: sh-sci: Remove unused platform data capabilities field")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sh-sci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -3076,6 +3076,10 @@ static struct plat_sci_port *sci_parse_d
+ dev_err(&pdev->dev, "failed to get alias id (%d)\n", id);
+ return NULL;
+ }
++ if (id >= ARRAY_SIZE(sci_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", id);
++ return NULL;
++ }
+
+ sp = &sci_ports[id];
+ *dev_id = id;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:37 +0100
+Subject: serial: xuartps: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit e7d75e18d0fc3f7193b65282b651f980c778d935 ]
+
+The cdns_uart_port[] array is indexed using a value derived from the
+"serialN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: 928e9263492069ee ("tty: xuartps: Initialize ports according to aliases")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/xilinx_uartps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -1115,7 +1115,7 @@ static struct uart_port *cdns_uart_get_p
+ struct uart_port *port;
+
+ /* Try the given port id if failed use default method */
+- if (cdns_uart_port[id].mapbase != 0) {
++ if (id < CDNS_UART_NR_PORTS && cdns_uart_port[id].mapbase != 0) {
+ /* Find the next unused port */
+ for (id = 0; id < CDNS_UART_NR_PORTS; id++)
+ if (cdns_uart_port[id].mapbase == 0)
--- /dev/null
+mips-generic-fix-machine-compatible-matching.patch
+scsi-mpt3sas-fix-an-out-of-bound-write.patch
+scsi-qla2xxx-fix-memory-corruption-during-hba-reset-test.patch
+scsi-ufs-enable-quirk-to-ignore-sending-write_same-command.patch
+scsi-bnx2fc-fix-check-in-scsi-completion-handler-for-timed-out-request.patch
+scsi-sym53c8xx_2-iterator-underflow-in-sym_getsync.patch
+scsi-mptfusion-add-bounds-check-in-mptctl_hp_targetinfo.patch
+scsi-qla2xxx-avoid-triggering-undefined-behavior-in-qla2x00_mbx_completion.patch
+mac80211-mesh-fix-wrong-mesh-ttl-offset-calculation.patch
+arc-fix-malformed-arc_emul_unaligned-default.patch
+ptr_ring-prevent-integer-overflow-when-calculating-size.patch
+arm64-dts-rockchip-fix-rock64-gmac2io-stability-issues.patch
+arm64-dts-rockchip-correct-ep-gpios-for-rk3399-sapphire.patch
+usb-gadget-f_uac2-fix-bfirstinterface-in-composite-gadget.patch
+usb-dwc3-undo-phy-init-if-soft-reset-fails.patch
+usb-dwc3-omap-don-t-miss-events-during-suspend-resume.patch
+usb-gadget-core-fix-use-after-free-of-usb_request.patch
+usb-gadget-fsl_udc_core-fix-ep-valid-checks.patch
+usb-dwc2-fix-dwc2_hsotg_core_init_disconnected.patch
+libata-fix-compile-warning-with-ata_debug-enabled.patch
+sata_rcar-reset-sata-phy-when-salvator-x-board-resumes.patch
+selftests-sync-missing-cflags-while-compiling.patch
+selftest-vdso-fix-o.patch
+selftests-pstore-adding-config-fragment-config_pstore_ram-m.patch
+selftests-memfd-add-config-fragment-for-fuse.patch
+scsi-storvsc-increase-cmd_per_lun-for-higher-speed-devices.patch
+scsi-qedi-fix-truncation-of-chap-name-and-secret.patch
+scsi-aacraid-fix-shutdown-crash-when-init-fails.patch
+scsi-qla4xxx-skip-error-recovery-in-case-of-register-disconnect.patch
+arm-omap2-timer-fix-a-kmemleak-caused-in-omap_get_timer_dt.patch
+arm-omap3-fix-prm-wake-interrupt-for-resume.patch
+arm-omap2-fix-sar_base-inititalization-for-hs-omaps.patch
+arm-omap1-clock-fix-debugfs_create_-usage.patch
+ibmvnic-wait-until-reset-is-complete-to-set-carrier-on.patch
+ibmvnic-free-rx-socket-buffer-in-case-of-adapter-error.patch
+ibmvnic-clean-rx-pool-buffers-during-device-close.patch
+tls-retrun-the-correct-iv-in-getsockopt.patch
+tls-reset-the-crypto-info-if-copy_from_user-fails.patch
+xhci-workaround-for-amd-promontory-disabled-ports-wakeup.patch
+usb-serial-option-add-support-for-quectel-ep06.patch
+ib-uverbs-fix-method-merging-in-uverbs_ioctl_merge.patch
+ib-uverbs-fix-possible-oops-with-duplicate-ioctl-attributes.patch
+ib-uverbs-fix-unbalanced-unlock-on-error-path-for-rdma_explicit_destroy.patch
+usb-cdc_acm-prevent-race-at-write-to-acm-while-system-resumes.patch
+arm64-dts-rockchip-fix-dwmmc-clocks.patch
+arm-dts-rockchip-fix-dwmmc-clocks.patch
+iwlwifi-mvm-fix-security-bug-in-pn-checking.patch
+iwlwifi-mvm-fix-ibss-for-devices-that-support-station-type-api.patch
+iwlwifi-mvm-always-init-rs-with-20mhz-bandwidth-rates.patch
+nfc-llcp-limit-size-of-sdp-uri.patch
+rxrpc-work-around-usercopy-check.patch
+md-free-bioset-when-md_run-fails.patch
+md-fix-md_write_start-deadlock-w-o-metadata-devices.patch
+s390-dasd-fix-handling-of-internal-requests.patch
+xfrm-do-not-call-rcu_read_unlock-when-afinfo-is-null-in-xfrm_get_tos.patch
+mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch
+mac80211-fix-a-possible-leak-of-station-stats.patch
+mac80211-fix-calling-sleeping-function-in-atomic-context.patch
+cfg80211-clear-wep-keys-after-disconnection.patch
+mac80211-do-not-disconnect-on-invalid-operating-class.patch
+mac80211-fix-sending-addba-response-for-an-ongoing-session.patch
+gpu-ipu-v3-pre-fix-device-node-leak-in-ipu_pre_lookup_by_phandle.patch
+gpu-ipu-v3-prg-fix-device-node-leak-in-ipu_prg_lookup_by_phandle.patch
+md-raid10-fix-null-deference-in-handle_write_completed.patch
+drm-exynos-g2d-use-monotonic-timestamps.patch
+drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch
+drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch
+drm-meson-fix-vsync-buffer-update.patch
+arm64-perf-correct-pmuver-probing.patch
+asoc-hdmi-codec-fix-module-unloading-caused-kernel-crash.patch
+rdma-bnxt_re-unpin-sq-and-rq-memory-if-qp-create-fails.patch
+rdma-bnxt_re-fix-system-crash-during-load-unload.patch
+ibmvnic-check-for-null-skb-s-in-napi-poll-routine.patch
+net-mlx5e-return-error-if-prio-is-specified-when-offloading-eswitch-vlan-push.patch
+locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch
+md-raid5-avoid-string-overflow-warning.patch
+virtio_net-fix-xdp-code-path-in-receive_small.patch
+mm-mlock-vmscan-no-more-skipping-pagevecs.patch
+kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch
+bug.h-work-around-gcc-pr82365-in-bug.patch
+selftests-memfd-add-run_fuse_test.sh-to-test_files.patch
+seccomp-add-a-selftest-for-get_metadata.patch
+soc-imx-gpc-de-register-power-domains-only-if-initialized.patch
+powerpc-bpf-jit-fix-32-bit-jit-for-seccomp_data-access.patch
+s390-cio-fix-ccw_device_start_timeout-api.patch
+s390-cio-fix-return-code-after-missing-interrupt.patch
+s390-cio-clear-timer-when-terminating-driver-i-o.patch
+selftests-bpf-test_maps-exit-child-process-without-error-in-enomem-case.patch
+pkcs-7-fix-direct-verification-of-signerinfo-signature.patch
+arm64-dts-cavium-fix-pci-bus-dtc-warnings.patch
+nfs-system-crashes-after-nfs4err_moved-recovery.patch
+arm-omap-fix-dmtimer-init-for-omap1.patch
+smsc75xx-fix-smsc75xx_set_features.patch
+regulatory-add-nul-to-request-alpha2.patch
+fs-signalfd-fix-build-error-for-bus_mceerr_ar.patch
+integrity-security-fix-digsig.c-build-error-with-header-file.patch
+x86-intel_rdt-fix-incorrect-returned-value-when-creating-rdgroup-sub-directory-in-resctrl-file-system.patch
+locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch
+x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch
+media-dmxdev-fix-error-code-for-invalid-ioctls.patch
+mac80211-drop-frames-with-unexpected-ds-bits-from-fast-rx-to-slow-path.patch
+arm64-fix-unwind_frame-for-filtered-out-fn-for-function-graph-tracing.patch
+macvlan-fix-use-after-free-in-macvlan_common_newlink.patch
+media-don-t-let-tvp5150_get_vbi-go-out-of-vbi_ram_default-array.patch
+percpu-add-a-schedule-point-in-pcpu_balance_workfn.patch
+kvm-nvmx-don-t-halt-vcpu-when-l1-is-injecting-events-to-l2.patch
+kvm-fix-warning-for-config_have_kvm_eventfd-builds.patch
+arm-dts-imx6dl-include-correct-dtsi-file-for-engicam-i.corem6-duallite-solo-rqs.patch
+fs-dcache-avoid-livelock-between-d_alloc_parallel-and-__d_add.patch
+fs-dcache-use-read_once-when-accessing-i_dir_seq.patch
+md-fix-a-potential-deadlock-of-raid5-raid10-reshape.patch
+md-raid1-fix-null-pointer-dereference.patch
+batman-adv-fix-packet-checksum-in-receive-path.patch
+batman-adv-invalidate-checksum-on-fragment-reassembly.patch
+netfilter-ipt_clusterip-put-config-struct-if-we-can-t-increment-ct-refcount.patch
+netfilter-ipt_clusterip-put-config-instead-of-freeing-it.patch
+netfilter-ebtables-convert-bug_ons-to-warn_ons.patch
+batman-adv-ignore-invalid-batadv_iv_gw-during-netlink-send.patch
+batman-adv-ignore-invalid-batadv_v_gw-during-netlink-send.patch
+batman-adv-fix-netlink-dumping-of-bla-claims.patch
+batman-adv-fix-netlink-dumping-of-bla-backbones.patch
+netfilter-don-t-set-f_iface-on-ipv6-fib-lookups.patch
+nvme-pci-fix-nvme-queue-cleanup-if-irq-setup-fails.patch
+clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch
+libceph-ceph-avoid-memory-leak-when-specifying-same-option-several-times.patch
+ceph-fix-dentry-leak-when-failing-to-init-debugfs.patch
+xen-pvcalls-fix-null-pointer-dereference-on-map-sock.patch
+arm-orion5x-revert-commit-4904dbda41c8.patch
+qrtr-add-module_alias-macro-to-smd.patch
+selftests-futex-fix-line-continuation-in-makefile.patch
+r8152-fix-tx-packets-accounting.patch
+virtio-gpu-fix-ioctl-and-expose-the-fixed-status-to-userspace.patch
+dmaengine-rcar-dmac-fix-max_chunk_size-for-r-car-gen3.patch
+bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch
+ip_gre-fix-ifla_mtu-ignored-on-newlink.patch
+ip6_tunnel-fix-ifla_mtu-ignored-on-newlink.patch
+sit-fix-ifla_mtu-ignored-on-newlink.patch
+nbd-fix-return-value-in-error-handling-path.patch
+arm-dts-nsp-fix-amount-of-ram-on-bcm958625hr.patch
+arm-dts-bcm283x-fix-unit-address-of-local_intc.patch
+powerpc-boot-fix-random-libfdt-related-build-errors.patch
+clocksource-drivers-mips-gic-timer-use-correct-shift-count-to-extract-data.patch
+gianfar-fix-rx-byte-accounting-for-ndev-stats.patch
+net-tcp-illinois-replace-broken-algorithm-reference-link.patch
+nvmet-fix-psdt-field-check-in-command-format.patch
+net-smc-use-link_id-of-server-in-confirm-link-reply.patch
+mlxsw-core-fix-flex-keys-scratchpad-offset-conflict.patch
+mlxsw-spectrum-treat-ipv6-unregistered-multicast-as-broadcast.patch
+spectrum-reference-count-vlan-entries.patch
+arc-mcip-halt-gfrc-counter-when-arc-cores-halt.patch
+arc-mcip-update-mcip-debug-mask-when-the-new-cpu-came-online.patch
+arc-setup-cpu-possible-mask-according-to-possible-cpus-dts-property.patch
+ipvs-remove-ips_nat_mask-check-to-fix-passive-ftp.patch
+ib-mlx-set-slid-to-zero-in-ethernet-completion-struct.patch
+rdma-bnxt_re-unconditionly-fence-non-wire-memory-operations.patch
+rdma-bnxt_re-fix-incorrect-db-offset-calculation.patch
+rdma-bnxt_re-fix-the-ib_reg-failure-cleanup.patch
+xen-pirq-fix-error-path-cleanup-when-binding-msis.patch
+drm-amd-amdgpu-correct-vram-width-for-apus-with-gmc9.patch
+xfrm-fix-esn-sequence-number-handling-for-ipsec-gso-packets.patch
+arm64-dts-rockchip-fix-rk3399-gru-s2r-pinctrl-hogs-wifi-reset.patch
+drm-sun4i-fix-dclk_set_phase.patch
+btrfs-use-kvzalloc-to-allocate-btrfs_fs_info.patch
+btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch
+btrfs-fix-log-replay-failure-after-linking-special-file-and-fsync.patch
+ceph-fix-potential-memory-leak-in-init_caches.patch
+block-display-the-correct-diskname-for-bio.patch
+nvme-pci-fix-eeh-failure-on-ppc.patch
+nvme-pci-pass-max-vectors-as-num_possible_cpus-to-pci_alloc_irq_vectors.patch
+selftests-powerpc-skip-the-subpage_prot-tests-if-the-syscall-is-unavailable.patch
+scsi-core-return-blk_sts_ok-for-did_ok-in-__scsi_error_from_host_byte.patch
+scsi-qedi-fix-kernel-crash-during-port-toggle.patch
+net-ethtool-don-t-ignore-return-from-driver-get_fecparam-method.patch
+kvm-ppc-book3s-hv-fix-handling-of-large-pages-in-radix-page-fault-handler.patch
+kvm-ppc-book3s-hv-fix-vrma-initialization-with-2mb-or-1gb-memory-backing.patch
+iwlwifi-mvm-fix-tx-of-ccmp-256.patch
+iwlwifi-mvm-fix-channel-switch-for-count-0-and-1.patch
+iwlwifi-mvm-fix-assert-0x2b00-on-older-fws.patch
+iwlwifi-avoid-collecting-firmware-dump-if-not-loaded.patch
+iwlwifi-mvm-fix-failed-to-remove-key-message.patch
+iwlwifi-mvm-direct-multicast-frames-to-the-correct-station.patch
+iwlwifi-mvm-correctly-set-the-tid-for-mcast-queue.patch
+rds-incorrect-reference-counting-in-tcp-socket-creation.patch
+kvm-ppc-book3s-hv-fix-guest-time-accounting-with-virt_cpu_accounting_gen.patch
+watchdog-f71808e_wdt-fix-magic-close-handling.patch
+watchdog-sbsa-use-32-bit-read-for-wcv.patch
+batman-adv-fix-multicast-packet-loss-with-a-single-want_all_ipv4-6-flag.patch
+hv_netvsc-avoid-retry-on-send-during-shutdown.patch
+hv_netvsc-only-wake-transmit-queue-if-link-is-up.patch
+hv_netvsc-fix-error-unwind-handling-if-vmbus_open-fails.patch
+hv_netvsc-cancel-subchannel-setup-before-halting-device.patch
+hv_netvsc-fix-race-in-napi-poll-when-rescheduling.patch
+hv_netvsc-use-napi_schedule_irqoff.patch
+hv_netvsc-defer-queue-selection-to-vf.patch
+hv_netvsc-filter-multicast-broadcast.patch
+hv_netvsc-propagate-rx-filters-to-vf.patch
+arm-dts-rockchip-add-missing-sound-dai-cells-on-rk3288.patch
+perf-record-fix-crash-in-pipe-mode.patch
+e1000e-fix-check_for_link-return-value-with-autoneg-off.patch
+e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch
+ia64-err-inject-use-get_user_pages_fast.patch
+drm-sun4i-rgb-fix-potential-division-by-zero.patch
+rdma-qedr-fix-kernel-panic-when-running-fio-over-nfsordma.patch
+rdma-qedr-fix-iwarp-write-and-send-with-immediate.patch
+scsi-mpt3sas-do-not-mark-fw_event-workqueue-as-wq_mem_reclaim.patch
+scsi-sd-keep-disk-read-only-when-re-reading-partition.patch
+ib-mlx4-fix-corruption-of-rocev2-ipv4-gids.patch
+ib-mlx4-include-gid-type-when-deleting-gids-from-hw-table-under-roce.patch
+ib-mlx5-fix-an-error-code-in-__mlx5_ib_modify_qp.patch
+fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch
+fsl-fman-avoid-sleeping-in-atomic-context-while-adding-an-address.patch
+net-usbnet-fix-potential-deadlock-on-32bit-hosts.patch
+qed-free-roce-ilt-memory-on-rmmod-qedr.patch
+net-qcom-emac-use-proper-free-methods-during-tx.patch
+net-smsc911x-fix-unload-crash-when-link-is-up.patch
+ib-core-fix-possible-crash-to-access-null-netdev.patch
+cxgb4-do-not-set-needs_free_netdev-for-mgmt-dev-s.patch
+xen-blkfront-move-negotiate_mq-to-cover-all-cases-of-new-vbds.patch
+arm-dts-imx7d-sdb-fix-regulator-usb-otg2-vbus-node-name.patch
+xen-xenbus-use-put_device-instead-of-kfree.patch
+hv_netvsc-fix-filter-flags.patch
+hv_netvsc-fix-locking-for-rx_mode.patch
+hv_netvsc-fix-locking-during-vf-setup.patch
+arm-davinci-fix-the-gpio-lookup-for-omapl138-hawk.patch
+usb-host-xhci-plat-revert-usb-host-xhci-plat-enable-clk-in-resume-timing.patch
+arm64-relax-arm_smccc_arch_workaround_1-discovery.patch
+usb-ohci-fix-null-dereference-in-hcds-using-hcd_local_mem.patch
+selftests-vm-run_vmtests-adjust-hugetlb-size-according-to-nr_cpus.patch
+lib-test_kmod.c-fix-limit-check-on-number-of-test-devices-created.patch
+dmaengine-mv_xor_v2-fix-clock-resource-by-adding-a-register-clock.patch
+netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch
+can-m_can-change-comparison-to-bitshift-when-dealing-with-a-mask.patch
+can-m_can-select-pinctrl-state-in-each-suspend-resume-function.patch
+bnxt_en-check-valid-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch
+scsi-libsas-defer-ata-device-eh-commands-to-libata.patch
+workqueue-use-put_device-instead-of-kfree.patch
+ipv4-lock-mtu-in-fnhe-when-received-pmtu-net.ipv4.route.min_pmtu.patch
+sunvnet-does-not-support-gso-for-sctp.patch
+kvm-arm-arm64-vgic-add-missing-irq_lock-to-vgic_mmio_read_pending.patch
+gpu-ipu-v3-prg-avoid-possible-array-underflow.patch
+drm-imx-move-arming-of-the-vblank-event-to-atomic_flush.patch
+drm-nouveau-bl-fix-backlight-regression.patch
+xfrm-fix-rcu_read_unlock-usage-in-xfrm_local_error.patch
+iwlwifi-mvm-set-the-correct-tid-when-we-flush-the-mcast-sta.patch
+iwlwifi-mvm-correctly-set-igtk-for-ap.patch
+iwlwifi-mvm-fix-error-checking-for-multi-broadcast-sta.patch
+microblaze-switch-to-no_bootmem.patch
+net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch
+vlan-fix-out-of-order-vlan-headers-with-reorder-header-off.patch
+batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch
+net-sched-fix-null-dereference-in-the-error-path-of-tcf_sample_init.patch
+batman-adv-fix-skbuff-rcsum-on-packet-reroute.patch
+vti4-don-t-count-header-length-twice-on-tunnel-setup.patch
+ip_tunnel-clamp-mtu-to-bounds-on-new-link.patch
+vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch
+vti6-fix-dev-max_mtu-setting.patch
+iwlwifi-mvm-increase-session-protection-time-after-cs.patch
+iwlwifi-mvm-clear-tx-queue-id-when-unreserving-aggregation-queue.patch
+iwlwifi-mvm-make-sure-internal-station-has-a-valid-id.patch
+iwlwifi-mvm-fix-array-out-of-bounds-reference.patch
+drm-tegra-shutdown-on-driver-unbind.patch
+scsi-iscsi_tcp-set-bdi_cap_stable_writes-when-data-digest-enabled.patch
+perf-cgroup-fix-child-event-counting-bug.patch
+brcmfmac-fix-check-for-iso3166-code.patch
+kbuild-make-scripts-adjust_autoksyms.sh-robust-against-timestamp-races.patch
+rdma-ucma-correct-option-size-check-using-optlen.patch
+rdma-qedr-fix-qp-s-ack-timeout-configuration.patch
+rdma-qedr-fix-rc-initialization-on-cnq-allocation-failure.patch
+rdma-qedr-fix-qp-state-initialization-race.patch
+net-sched-fix-idr-leak-on-the-error-path-of-tcf_bpf_init.patch
+net-sched-fix-idr-leak-in-the-error-path-of-tcf_simp_init.patch
+net-sched-fix-idr-leak-in-the-error-path-of-tcf_act_police_init.patch
+net-sched-fix-idr-leak-in-the-error-path-of-tcp_pedit_init.patch
+net-sched-fix-idr-leak-in-the-error-path-of-__tcf_ipt_init.patch
+net-sched-fix-idr-leak-in-the-error-path-of-tcf_skbmod_init.patch
+net-dsa-fix-functional-dsa-loop-dependency-on-fixed_phy.patch
+macsec-missing-dev_put-on-error-in-macsec_newlink.patch
+drm-ast-fixed-1280x800-display-issue.patch
+mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch
+mm-thp-do-not-cause-memcg-oom-for-thp.patch
+xfrm-fix-transport-mode-skb-control-buffer-usage.patch
+selftests-ftrace-add-probe-event-argument-syntax-testcase.patch
+selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch
+selftests-ftrace-add-a-testcase-for-probepoint.patch
+drm-amdkfd-fix-scratch-memory-with-hws-enabled.patch
+batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch
+batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch
+arm-8748-1-mm-define-vdso_start-vdso_end-as-array.patch
+netfilter-nf_socket-fix-out-of-bounds-access-in-nf_sk_lookup_slow_v-4-6.patch
+lan78xx-set-asd-in-mac_cr-when-eee-is-enabled.patch
+net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch
+bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch
+net-usb-qmi_wwan.c-add-usb-id-for-lt4120-modem.patch
+net-dsa-mt7530-fix-module-autoloading-for-of-platform-drivers.patch
+net-mlx5-make-eswitch-support-to-depend-on-switchdev.patch
+perf-x86-intel-fix-linear-ip-of-pebs-real_ip-on-haswell-and-later-cpus.patch
+x86-alternatives-fixup-alternative_call_2.patch
+net-usb-add-qmi_wwan-if-on-lte-modem-wistron-neweb-d18q1.patch
+llc-properly-handle-dev_queue_xmit-return-value.patch
+builddeb-fix-header-package-regarding-dtc-source-links.patch
+qede-fix-barrier-usage-after-tx-doorbell-write.patch
+mm-slab-memcg_link-the-slab-s-kmem_cache.patch
+mm-page_owner-fix-recursion-bug-after-changing-skip-entries.patch
+mm-vmstat.c-fix-vmstat_update-preemption-bug.patch
+mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch
+hv_netvsc-enable-multicast-if-necessary.patch
+qede-do-not-drop-rx-checksum-invalidated-packets.patch
+net-fix-untag-for-vlan-packets-without-ethernet-header.patch
+vlan-fix-vlan-insertion-for-packets-without-ethernet-header.patch
+net-mvneta-fix-enable-of-all-initialized-rxqs.patch
+sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch
+firmware-dmi_scan-fix-uuid-length-safety-check.patch
+nvme-don-t-send-keep-alives-to-the-discovery-controller.patch
+btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch
+btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch
+x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch
+x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch
+fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch
+arm-cma-avoid-double-mapping-to-the-cma-area-if-config_highmem-y.patch
+swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch
+z3fold-fix-memory-leak.patch
+sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch
+force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch
+tracing-uprobe_event-fix-strncpy-corner-case.patch
+cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch
+powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch
+scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch
+perf-tools-fix-perf-builds-with-clang-support.patch
+perf-clang-add-support-for-recent-clang-versions.patch
+dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch
+arm-dts-ls1021a-specify-tbipa-register-address.patch
+ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch
+crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch
+soreuseport-initialise-timewait-reuseport-field.patch
+dccp-initialize-ireq-ir_mark.patch
+mm-ksm-fix-interaction-with-thp.patch
+mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch
+mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch
+btrfs-bail-out-on-error-during-replay_dir_deletes.patch
+btrfs-fix-null-pointer-dereference-in-log_dir_items.patch
+btrfs-fix-possible-softlock-on-single-core-machines.patch
+ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch
+ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch
+powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch
+sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch
+x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch
+kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch
+lan78xx-connect-phy-early.patch
+fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch
+media-ov5645-add-missing-of_node_put-in-error-path.patch
+sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch
+rtc-snvs-fix-usage-of-snvs_rtc_enable.patch
+net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch
+net-bgmac-correctly-annotate-register-space.patch
+bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch
+powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch
+btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch
+btrfs-fix-copy_items-return-value-when-logging-an-inode.patch
+btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch
+btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch
+rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch
+rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch
+xen-acpi-off-by-one-in-read_acpi_id.patch
+drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch
+acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch
+powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch
+ieee802154-ca8210-fix-uninitialised-data-read.patch
+mac80211-don-t-warn-on-bad-wmm-parameters-from-buggy-aps.patch
+ath10k-advertize-beacon_int_min_gcd.patch
+staging-bcm2835-audio-release-resources-on-module_exit.patch
+iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch
+intel_th-use-correct-method-of-finding-hub.patch
+m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch
+iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch
+loop-don-t-call-into-filesystem-while-holding-lo_ctl_mutex.patch
+parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch
+hwmon-nct6775-fix-writing-pwmx_mode.patch
+rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch
+powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch
+powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch
+rsi-fix-kernel-panic-observed-on-64bit-machine.patch
+tools-thermal-tmon-fix-for-segfault.patch
+selftests-print-the-test-we-re-running-to-dev-kmsg.patch
+net-mlx5-protect-from-command-bit-overflow.patch
+watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch
+ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch
+nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch
+ath9k-fix-crash-in-spectral-scan.patch
+cxgb4-setup-fw-queues-before-registering-netdev.patch
+ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch
+ima-fallback-to-the-builtin-hash-algorithm.patch
+watchdog-aspeed-allow-configuring-for-alternate-boot.patch
+alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch
+virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch
+arm-dts-socfpga-fix-gic-ppi-warning.patch
+clk-rockchip-fix-wrong-parent-for-sdmmc-phase-clock-for-rk3228.patch
+ext4-don-t-complain-about-incorrect-features-when-probing.patch
+drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch
+usb-dwc3-add-softreset-phy-synchonization-delay.patch
+usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch
+usb-dwc3-makefile-fix-link-error-on-randconfig.patch
+asoc-rockchip-rk3288-hdmi-analog-select-needed-codecs.patch
+iommu-mediatek-fix-protect-memory-setting.patch
+cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch
+clk-don-t-show-the-incorrect-clock-phase.patch
+ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch
+arm64-insn-allow-add-sub-immediate-with-lsl-12.patch
+zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch
+asoc-samsung-odroid-fix-32000-sample-rate-handling.patch
+bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch
+remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch
+dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch
+acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch
+acpica-fix-memory-leak-on-unusual-memory-leak.patch
+acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch
+cxgb4-fix-queue-free-path-of-uld-drivers.patch
+i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch
+rtc-rk808-fix-possible-race-condition.patch
+rtc-m41t80-fix-race-conditions.patch
+clk-hisilicon-mark-wdt_mux_p-as-const.patch
+kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch
+perf-top-fix-top.call-graph-config-option-reading.patch
+perf-stat-fix-core-dump-when-flag-t-is-used.patch
+xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch
+ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch
+drm-amdkfd-add-missing-include-of-mm.h.patch
+coresight-use-px-to-print-pcsr-instead-of-p.patch
+regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch
+spi-bcm-qspi-fix-some-error-handling-paths.patch
+net-smc-pay-attention-to-max_order-for-cq-entries.patch
+mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch
+pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch
+watchdog-dw-rmw-the-control-register.patch
+watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch
+ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch
+drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch
+drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch
+usb-dwc2-fix-interval-type-issue.patch
+usb-dwc2-hcd-fix-host-channel-halt-flow.patch
+usb-dwc2-host-fix-transaction-errors-in-host-mode.patch
+usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch
+usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch
+powerpc-add-missing-prototype-for-arch_irq_work_raise.patch
+powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch
+powerpc-xmon-setup-debugger-hooks-when-first-break-point-is-set.patch
+scsi-core-make-scsi-status-condition-met-equivalent-to-good.patch
+cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch
+f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch
+f2fs-fix-to-clear-cp_trimmed_flag.patch
+f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch
+asoc-topology-create-tlv-data-for-dapm-widgets.patch
+perf-core-fix-installing-cgroup-events-on-cpu.patch
+max17042-propagate-of_node-to-power-supply-device.patch
+perf-core-fix-perf_output_read_group.patch
+clk-tegra-fix-pll_u-rate-configuration.patch
+drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch
+hwmon-pmbus-max8688-accept-negative-page-register-values.patch
+hwmon-pmbus-adm1275-accept-negative-page-register-values.patch
+usbip-correct-maximum-value-of-config_usbip_vhci_hc_ports.patch
+crypto-inside-secure-wait-for-the-request-to-complete-if-in-the-backlog.patch
+perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch
+cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch
+efi-arm-only-register-page-tables-when-they-exist.patch
+perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch
+perf-x86-intel-fix-event-update-for-auto-reload.patch
+arm64-dts-qcom-fix-spi5-config-on-msm8996.patch
+soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch
+gfs2-fix-fallocate-chunk-size.patch
+usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch
+usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch
+x86-devicetree-initialize-device-tree-before-using-it.patch
+x86-devicetree-fix-device-irq-settings-in-dt.patch
+phy-rockchip-emmc-retry-calpad-busy-trimming.patch
+alsa-vmaster-propagate-slave-error.patch
+phy-qcom-qmp-fix-phy-pipe-clock-gating.patch
+drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch
+media-cx23885-override-888-impactvcbe-crystal-frequency.patch
+media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch
+tools-hv-fix-compiler-warnings-about-major-target_fname.patch
+block-null_blk-fix-invalid-parameters-when-loading-module.patch
+media-s3c-camif-fix-out-of-bounds-array-access.patch
+staging-lustre-fix-bug-in-osc_enter_cache_try.patch
+dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch
+media-lgdt3306a-fix-a-double-kfree-on-i2c-device-remove.patch
+media-lgdt3306a-fix-module-count-mismatch-on-usb-unplug.patch
+media-em28xx-add-hauppauge-solohd-dualhd-bulk-models.patch
+media-em28xx-usb-bulk-packet-size-fix.patch
+clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch
+i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch
+dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch
+enic-enable-rq-before-updating-rq-descriptors.patch
+watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch
+crypto-atmel-aes-fix-the-keys-zeroing-on-errors.patch
+crypto-ccp-don-t-disable-interrupts-while-setting-up-debugfs.patch
+hwrng-stm32-add-reset-during-probe.patch
+pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch
+pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch
+scsi-mvsas-fix-wrong-endianness-of-sgpio-api.patch
+vfio-ccw-fence-off-transport-mode.patch
+staging-fsl-dpaa2-eth-fix-incorrect-casts.patch
+staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch
+staging-ks7010-use-constants-from-ieee80211_eid-instead-of-literal-ints.patch
+pci-endpoint-fix-kernel-panic-after-put_device.patch
+rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch
+rtc-rp5c01-fix-possible-race-condition.patch
+dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch
+drm-omap-add-pclk-setting-case-when-channel-is-dss_wb.patch
+drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch
+arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch
+drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch
+block-fix-a-race-between-request-queue-removal-and-the-block-cgroup-controller.patch
+drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch
+serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch
+serial-sh-sci-fix-out-of-bounds-access-through-dt-alias.patch
+serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch
+serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch
+serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch
+serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch
+serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch
+serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch
+serial-altera-ensure-port-regshift-is-honored-consistently.patch
+net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch
+ibmvnic-fix-tx-descriptor-tracking-again.patch
+net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch
+cpufreq-reorder-cpufreq_online-error-code-path.patch
+dpaa_eth-fix-sg-mapping.patch
+pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch
+staging-lustre-lmv-correctly-iput-lmo_root.patch
+udf-provide-saner-default-for-invalid-uid-gid.patch
+ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch
+sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch
+media-v4l-vsp1-fix-display-stalls-when-requesting-too-many-inputs.patch
+media-i2c-adv748x-fix-hdmi-field-heights.patch
+media-vb2-fix-videobuf2-to-map-correct-area.patch
+media-vivid-fix-incorrect-capabilities-for-radio.patch
+media-cx25821-prevent-out-of-bounds-read-on-array-card.patch
+arm-davinci_all_defconfig-set-config_davinci_watchdog-y.patch
+clk-samsung-s3c2410-fix-pll-rates.patch
+clk-samsung-exynos7-fix-pll-rates.patch
+clk-samsung-exynos5260-fix-pll-rates.patch
+clk-samsung-exynos5433-fix-pll-rates.patch
+clk-samsung-exynos5250-fix-pll-rates.patch
+clk-samsung-exynos3250-fix-pll-rates.patch
+power-supply-ltc2941-battery-gauge-fix-temperature-units.patch
+arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch
+arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch
+pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch
+crypto-inside-secure-do-not-process-request-if-no-command-was-issued.patch
+crypto-inside-secure-fix-the-cache_len-computation.patch
+crypto-inside-secure-fix-the-extra-cache-computation.patch
+crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch
+crypto-inside-secure-fix-the-invalidation-step-during-cra_exit.patch
+audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch
+x86-mce-amd-collect-error-info-even-if-valid-bits-are-not-set.patch
+net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch
+rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch
+pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch
+dpaa_eth-fix-pause-capability-advertisement-logic.patch
+mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch
+drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch
+x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch
+perf-test-fix-test-case-inet_pton-to-accept-inlines.patch
+perf-report-fix-wrong-jump-arrow.patch
+perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch
+perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch
+perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch
+selftests-net-fixes-psock_fanout-ebpf-test-case.patch
+netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch
+drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch
+drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch
+selftests-add-fib-onlink-tests.patch
+rtc-goldfish-add-missing-module_license.patch
+arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch
+regmap-correct-comparison-in-regmap_cached.patch
+i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch
+scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch
+scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch
+scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch
+arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch
+arm-dts-porter-fix-hdmi-output-routing.patch
+regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch
+pinctrl-msm-use-dynamic-gpio-numbering.patch
+pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch
+asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch
+bluetooth-btusb-add-device-id-for-rtl8822be.patch
+kdb-make-mdr-command-repeat.patch
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Rich Felker <dalias@libc.org>
+Date: Thu, 15 Mar 2018 20:01:36 -0400
+Subject: sh: fix debug trap failure to process signals before return to user
+
+From: Rich Felker <dalias@libc.org>
+
+[ Upstream commit 96a598996f6ac518ac79839ecbb17c91af91f4f7 ]
+
+When responding to a debug trap (breakpoint) in userspace, the
+kernel's trap handler raised SIGTRAP but returned from the trap via a
+code path that ignored pending signals, resulting in an infinite loop
+re-executing the trapping instruction.
+
+Signed-off-by: Rich Felker <dalias@libc.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sh/kernel/entry-common.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sh/kernel/entry-common.S
++++ b/arch/sh/kernel/entry-common.S
+@@ -255,7 +255,7 @@ debug_trap:
+ mov.l @r8, r8
+ jsr @r8
+ nop
+- bra __restore_all
++ bra ret_from_exception
+ nop
+ CFI_ENDPROC
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Sat, 24 Feb 2018 22:41:45 +0300
+Subject: sh_eth: fix TSU init on SH7734/R8A7740
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit a94cf2a614f8bc5b2b33c708626ce695bf71e424 ]
+
+It appears that the single port Ether controllers having TSU (like SH7734/
+R8A7740) need the same kind of treating in sh_eth_tsu_init() as R7S72100
+currently has -- they also don't have the TSU registers related e.g. to
+passing the frames between ports. Add the 'sh_eth_cpu_data::dual_port'
+flag and use it as a new criterion for taking a "short path" in the TSU
+init sequence in order to avoid writing to the non-existent registers...
+
+Fixes: f0e81fecd4f8 ("net: sh_eth: Add support SH7734")
+Fixes: 73a0d907301e ("net: sh_eth: add support R8A7740")
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 6 +++++-
+ drivers/net/ethernet/renesas/sh_eth.h | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -753,6 +753,7 @@ static struct sh_eth_cpu_data sh7757_dat
+ .rpadir = 1,
+ .rpadir_value = 2 << 16,
+ .rtrate = 1,
++ .dual_port = 1,
+ };
+
+ #define SH_GIGA_ETH_BASE 0xfee00000UL
+@@ -831,6 +832,7 @@ static struct sh_eth_cpu_data sh7757_dat
+ .no_trimd = 1,
+ .no_ade = 1,
+ .tsu = 1,
++ .dual_port = 1,
+ };
+
+ /* SH7734 */
+@@ -901,6 +903,7 @@ static struct sh_eth_cpu_data sh7763_dat
+ .tsu = 1,
+ .irq_flags = IRQF_SHARED,
+ .magic = 1,
++ .dual_port = 1,
+ };
+
+ static struct sh_eth_cpu_data sh7619_data = {
+@@ -933,6 +936,7 @@ static struct sh_eth_cpu_data sh771x_dat
+ EESIPR_RRFIP | EESIPR_RTLFIP | EESIPR_RTSFIP |
+ EESIPR_PREIP | EESIPR_CERFIP,
+ .tsu = 1,
++ .dual_port = 1,
+ };
+
+ static void sh_eth_set_default_cpu_data(struct sh_eth_cpu_data *cd)
+@@ -2911,7 +2915,7 @@ static int sh_eth_vlan_rx_kill_vid(struc
+ /* SuperH's TSU register init function */
+ static void sh_eth_tsu_init(struct sh_eth_private *mdp)
+ {
+- if (sh_eth_is_rz_fast_ether(mdp)) {
++ if (!mdp->cd->dual_port) {
+ sh_eth_tsu_write(mdp, 0, TSU_TEN); /* Disable all CAM entry */
+ sh_eth_tsu_write(mdp, TSU_FWSLC_POSTENU | TSU_FWSLC_POSTENL,
+ TSU_FWSLC); /* Enable POST registers */
+--- a/drivers/net/ethernet/renesas/sh_eth.h
++++ b/drivers/net/ethernet/renesas/sh_eth.h
+@@ -509,6 +509,7 @@ struct sh_eth_cpu_data {
+ unsigned rmiimode:1; /* EtherC has RMIIMODE register */
+ unsigned rtrate:1; /* EtherC has RTRATE register */
+ unsigned magic:1; /* EtherC has ECMR.MPDE and ECSR.MPD */
++ unsigned dual_port:1; /* Dual EtherC/E-DMAC */
+ };
+
+ struct sh_eth_private {
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 27 Feb 2018 19:19:41 +0800
+Subject: sit: fix IFLA_MTU ignored on NEWLINK
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 2b3957c34b6d7f03544b12ebbf875eee430745db ]
+
+Commit 128bb975dc3c ("ip6_gre: init dev->mtu and dev->hard_header_len
+correctly") fixed IFLA_MTU ignored on NEWLINK for ip6_gre. The same
+mtu fix is also needed for sit.
+
+Note that dev->hard_header_len setting for sit works fine, no need to
+fix it. sit is actually ipv4 tunnel, it can't call ip6_tnl_change_mtu
+to set mtu.
+
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1569,6 +1569,13 @@ static int ipip6_newlink(struct net *src
+ if (err < 0)
+ return err;
+
++ if (tb[IFLA_MTU]) {
++ u32 mtu = nla_get_u32(tb[IFLA_MTU]);
++
++ if (mtu >= IPV6_MIN_MTU && mtu <= 0xFFF8 - dev->hard_header_len)
++ dev->mtu = mtu;
++ }
++
+ #ifdef CONFIG_IPV6_SIT_6RD
+ if (ipip6_netlink_6rd_parms(data, &ip6rd))
+ err = ipip6_tunnel_update_6rd(nt, &ip6rd);
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 20 Feb 2018 21:42:26 -0800
+Subject: smsc75xx: fix smsc75xx_set_features()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 88e80c62671ceecdbb77c902731ec95a4bfa62f9 ]
+
+If an attempt is made to disable RX checksums, USB adapter is changed
+but netdev->features is not, because smsc75xx_set_features() returns a
+non zero value.
+
+This throws errors from netdev_rx_csum_fault() :
+<devname>: hw csum failure
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Steve Glendinning <steve.glendinning@shawell.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/smsc75xx.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -954,10 +954,11 @@ static int smsc75xx_set_features(struct
+ /* it's racing here! */
+
+ ret = smsc75xx_write_reg(dev, RFE_CTL, pdata->rfe_ctl);
+- if (ret < 0)
++ if (ret < 0) {
+ netdev_warn(dev->net, "Error writing RFE_CTL\n");
+-
+- return ret;
++ return ret;
++ }
++ return 0;
+ }
+
+ static int smsc75xx_wait_ready(struct usbnet *dev, int in_pm)
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Stefan Agner <stefan@agner.ch>
+Date: Sun, 7 Jan 2018 14:49:05 +0100
+Subject: soc: imx: gpc: de-register power domains only if initialized
+
+From: Stefan Agner <stefan@agner.ch>
+
+[ Upstream commit 7801c545e706674aeed40256eb806ad37b18ad71 ]
+
+If power domain information are missing in the device tree, no
+power domains get initialized. However, imx_gpc_remove tries to
+remove power domains always in the old DT binding case. Only
+remove power domains when imx_gpc_probe initialized them in
+first place.
+
+Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver")
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Reviewed-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/imx/gpc.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/soc/imx/gpc.c
++++ b/drivers/soc/imx/gpc.c
+@@ -456,13 +456,21 @@ static int imx_gpc_probe(struct platform
+
+ static int imx_gpc_remove(struct platform_device *pdev)
+ {
++ struct device_node *pgc_node;
+ int ret;
+
++ pgc_node = of_get_child_by_name(pdev->dev.of_node, "pgc");
++
++ /* bail out if DT too old and doesn't provide the necessary info */
++ if (!of_property_read_bool(pdev->dev.of_node, "#power-domain-cells") &&
++ !pgc_node)
++ return 0;
++
+ /*
+ * If the old DT binding is used the toplevel driver needs to
+ * de-register the power domains
+ */
+- if (!of_get_child_by_name(pdev->dev.of_node, "pgc")) {
++ if (!pgc_node) {
+ of_genpd_del_provider(pdev->dev.of_node);
+
+ ret = pm_genpd_remove(&imx_gpc_domains[GPC_PGC_DOMAIN_PU].base);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+Date: Tue, 27 Feb 2018 16:45:25 -0800
+Subject: soc: qcom: wcnss_ctrl: Fix increment in NV upload
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit 90c29ed7627b6b4aeb603ee197650173c8434512 ]
+
+hdr.len includes both the size of the header and the fragment, so using
+this when stepping through the firmware causes us to skip 16 bytes every
+chunk of 3072 bytes; causing only the first fragment to actually be
+valid data.
+
+Instead use fragment size steps through the firmware blob.
+
+Fixes: ea7a1f275cf0 ("soc: qcom: Introduce WCNSS_CTRL SMD client")
+Reported-by: Will Newton <will.newton@gmail.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/wcnss_ctrl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/qcom/wcnss_ctrl.c
++++ b/drivers/soc/qcom/wcnss_ctrl.c
+@@ -249,7 +249,7 @@ static int wcnss_download_nv(struct wcns
+ /* Increment for next fragment */
+ req->seq++;
+
+- data += req->hdr.len;
++ data += NV_FRAGMENT_SIZE;
+ left -= NV_FRAGMENT_SIZE;
+ } while (left > 0);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Apr 2018 13:42:43 -0700
+Subject: soreuseport: initialise timewait reuseport field
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3099a52918937ab86ec47038ad80d377ba16c531 ]
+
+syzbot reported an uninit-value in inet_csk_bind_conflict() [1]
+
+It turns out we never propagated sk->sk_reuseport into timewait socket.
+
+[1]
+BUG: KMSAN: uninit-value in inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151
+CPU: 1 PID: 3589 Comm: syzkaller008242 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151
+ inet_csk_get_port+0x1d28/0x1e40 net/ipv4/inet_connection_sock.c:320
+ inet6_bind+0x121c/0x1820 net/ipv6/af_inet6.c:399
+ SYSC_bind+0x3f2/0x4b0 net/socket.c:1474
+ SyS_bind+0x54/0x80 net/socket.c:1460
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x4416e9
+RSP: 002b:00007ffce6d15c88 EFLAGS: 00000217 ORIG_RAX: 0000000000000031
+RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 00000000004416e9
+RDX: 000000000000001c RSI: 0000000020402000 RDI: 0000000000000004
+RBP: 0000000000000000 R08: 00000000e6d15e08 R09: 00000000e6d15e08
+R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000009478
+R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
+ __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
+ tcp_time_wait+0xf17/0xf50 net/ipv4/tcp_minisocks.c:283
+ tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
+ tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
+ inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
+ inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
+ sock_release net/socket.c:595 [inline]
+ sock_close+0xe0/0x300 net/socket.c:1149
+ __fput+0x49e/0xa10 fs/file_table.c:209
+ ____fput+0x37/0x40 fs/file_table.c:243
+ task_work_run+0x243/0x2c0 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x10e1/0x38d0 kernel/exit.c:867
+ do_group_exit+0x1a0/0x360 kernel/exit.c:970
+ SYSC_exit_group+0x21/0x30 kernel/exit.c:981
+ SyS_exit_group+0x25/0x30 kernel/exit.c:979
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
+ __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
+ inet_twsk_alloc+0xaef/0xc00 net/ipv4/inet_timewait_sock.c:182
+ tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258
+ tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
+ tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
+ inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
+ inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
+ sock_release net/socket.c:595 [inline]
+ sock_close+0xe0/0x300 net/socket.c:1149
+ __fput+0x49e/0xa10 fs/file_table.c:209
+ ____fput+0x37/0x40 fs/file_table.c:243
+ task_work_run+0x243/0x2c0 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x10e1/0x38d0 kernel/exit.c:867
+ do_group_exit+0x1a0/0x360 kernel/exit.c:970
+ SYSC_exit_group+0x21/0x30 kernel/exit.c:981
+ SyS_exit_group+0x25/0x30 kernel/exit.c:979
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
+ inet_twsk_alloc+0x13b/0xc00 net/ipv4/inet_timewait_sock.c:163
+ tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258
+ tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
+ tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
+ inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
+ inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
+ sock_release net/socket.c:595 [inline]
+ sock_close+0xe0/0x300 net/socket.c:1149
+ __fput+0x49e/0xa10 fs/file_table.c:209
+ ____fput+0x37/0x40 fs/file_table.c:243
+ task_work_run+0x243/0x2c0 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x10e1/0x38d0 kernel/exit.c:867
+ do_group_exit+0x1a0/0x360 kernel/exit.c:970
+ SYSC_exit_group+0x21/0x30 kernel/exit.c:981
+ SyS_exit_group+0x25/0x30 kernel/exit.c:979
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: da5e36308d9f ("soreuseport: TCP/IPv4 implementation")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/inet_timewait_sock.h | 1 +
+ net/ipv4/inet_timewait_sock.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/include/net/inet_timewait_sock.h
++++ b/include/net/inet_timewait_sock.h
+@@ -43,6 +43,7 @@ struct inet_timewait_sock {
+ #define tw_family __tw_common.skc_family
+ #define tw_state __tw_common.skc_state
+ #define tw_reuse __tw_common.skc_reuse
++#define tw_reuseport __tw_common.skc_reuseport
+ #define tw_ipv6only __tw_common.skc_ipv6only
+ #define tw_bound_dev_if __tw_common.skc_bound_dev_if
+ #define tw_node __tw_common.skc_nulls_node
+--- a/net/ipv4/inet_timewait_sock.c
++++ b/net/ipv4/inet_timewait_sock.c
+@@ -179,6 +179,7 @@ struct inet_timewait_sock *inet_twsk_all
+ tw->tw_dport = inet->inet_dport;
+ tw->tw_family = sk->sk_family;
+ tw->tw_reuse = sk->sk_reuse;
++ tw->tw_reuseport = sk->sk_reuseport;
+ tw->tw_hash = sk->sk_hash;
+ tw->tw_ipv6only = 0;
+ tw->tw_transparent = inet->transparent;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: "David S. Miller" <davem@davemloft.net>
+Date: Tue, 3 Apr 2018 08:24:35 -0700
+Subject: sparc64: Make atomic_xchg() an inline function rather than a macro.
+
+From: "David S. Miller" <davem@davemloft.net>
+
+[ Upstream commit d13864b68e41c11e4231de90cf358658f6ecea45 ]
+
+This avoids a lot of -Wunused warnings such as:
+
+====================
+kernel/debug/debug_core.c: In function ‘kgdb_cpu_enter’:
+./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value]
+ #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr))))
+
+./arch/sparc/include/asm/atomic_64.h:86:30: note: in expansion of macro ‘xchg’
+ #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
+ ^~~~
+kernel/debug/debug_core.c:508:4: note: in expansion of macro ‘atomic_xchg’
+ atomic_xchg(&kgdb_active, cpu);
+ ^~~~~~~~~~~
+====================
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/include/asm/atomic_64.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc/include/asm/atomic_64.h
++++ b/arch/sparc/include/asm/atomic_64.h
+@@ -83,7 +83,11 @@ ATOMIC_OPS(xor)
+ #define atomic64_add_negative(i, v) (atomic64_add_return(i, v) < 0)
+
+ #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
+-#define atomic_xchg(v, new) (xchg(&((v)->counter), new))
++
++static inline int atomic_xchg(atomic_t *v, int new)
++{
++ return xchg(&v->counter, new);
++}
+
+ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
+ {
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Wed, 28 Feb 2018 13:12:11 +0100
+Subject: spectrum: Reference count VLAN entries
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit b3529af6bb0d4fe72defdd539712ceffaa054fb3 ]
+
+One of the basic construct in the device is a port-VLAN pair, which can
+be bound to a FID or a RIF in order to direct packets to the bridge or
+the router, respectively.
+
+Since not all the netdevs are configured with a VLAN (e.g., sw1p1 vs.
+sw1p1.10), VID 1 is used to represent these and thus this VID can be
+used by both upper devices of mlxsw ports and by the driver itself.
+
+However, this VID is not reference counted and therefore might be freed
+prematurely, which can result in various WARNINGs. For example:
+
+$ ip link add name br0 type bridge vlan_filtering 1
+$ teamd -t team0 -d -c '{"runner": {"name": "lacp"}}'
+$ ip link set dev team0 master br0
+$ ip link set dev enp1s0np1 master team0
+$ ip address add 192.0.2.1/24 dev enp1s0np1
+
+The enslavement to team0 will fail because team0 already has an upper
+and thus vlan_vids_del_by_dev() will be executed as part of team's error
+path which will delete VID 1 from enp1s0np1 (added by br0 as PVID). The
+WARNING will be generated when the driver will realize it can't find VID
+1 on the port and bind it to a RIF.
+
+Fix this by adding a reference count to the VLAN entries on the port, in
+a similar fashion to the reference counting used by the corresponding
+'vlan_vid_info' structure in the 8021q driver.
+
+Fixes: c57529e1d5d8 ("mlxsw: spectrum: Replace vPorts with Port-VLAN")
+Reported-by: Tal Bar <talb@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Tested-by: Tal Bar <talb@mellanox.com>
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 8 +++++++-
+ drivers/net/ethernet/mellanox/mlxsw/spectrum.h | 1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+@@ -1417,6 +1417,7 @@ mlxsw_sp_port_vlan_create(struct mlxsw_s
+ }
+
+ mlxsw_sp_port_vlan->mlxsw_sp_port = mlxsw_sp_port;
++ mlxsw_sp_port_vlan->ref_count = 1;
+ mlxsw_sp_port_vlan->vid = vid;
+ list_add(&mlxsw_sp_port_vlan->list, &mlxsw_sp_port->vlans_list);
+
+@@ -1444,8 +1445,10 @@ mlxsw_sp_port_vlan_get(struct mlxsw_sp_p
+ struct mlxsw_sp_port_vlan *mlxsw_sp_port_vlan;
+
+ mlxsw_sp_port_vlan = mlxsw_sp_port_vlan_find_by_vid(mlxsw_sp_port, vid);
+- if (mlxsw_sp_port_vlan)
++ if (mlxsw_sp_port_vlan) {
++ mlxsw_sp_port_vlan->ref_count++;
+ return mlxsw_sp_port_vlan;
++ }
+
+ return mlxsw_sp_port_vlan_create(mlxsw_sp_port, vid);
+ }
+@@ -1454,6 +1457,9 @@ void mlxsw_sp_port_vlan_put(struct mlxsw
+ {
+ struct mlxsw_sp_fid *fid = mlxsw_sp_port_vlan->fid;
+
++ if (--mlxsw_sp_port_vlan->ref_count != 0)
++ return;
++
+ if (mlxsw_sp_port_vlan->bridge_port)
+ mlxsw_sp_port_vlan_bridge_leave(mlxsw_sp_port_vlan);
+ else if (fid)
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.h
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.h
+@@ -194,6 +194,7 @@ struct mlxsw_sp_port_vlan {
+ struct list_head list;
+ struct mlxsw_sp_port *mlxsw_sp_port;
+ struct mlxsw_sp_fid *fid;
++ unsigned int ref_count;
+ u16 vid;
+ struct mlxsw_sp_bridge_port *bridge_port;
+ struct list_head bridge_vlan_node;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+Date: Tue, 13 Mar 2018 19:36:58 +0100
+Subject: spi: bcm-qspi: fIX some error handling paths
+
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit bc3cc75281b3c2b1c5355d88d147b66a753bb9a5 ]
+
+For some reason, commit c0368e4db4a3 ("spi: bcm-qspi: Fix use after free
+in bcm_qspi_probe() in error path") has updated some gotos, but not all of
+them.
+
+This looks spurious, so fix it.
+
+Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-bcm-qspi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-bcm-qspi.c
++++ b/drivers/spi/spi-bcm-qspi.c
+@@ -1247,7 +1247,7 @@ int bcm_qspi_probe(struct platform_devic
+ qspi->base[MSPI] = devm_ioremap_resource(dev, res);
+ if (IS_ERR(qspi->base[MSPI])) {
+ ret = PTR_ERR(qspi->base[MSPI]);
+- goto qspi_probe_err;
++ goto qspi_resource_err;
+ }
+ } else {
+ goto qspi_resource_err;
+@@ -1258,7 +1258,7 @@ int bcm_qspi_probe(struct platform_devic
+ qspi->base[BSPI] = devm_ioremap_resource(dev, res);
+ if (IS_ERR(qspi->base[BSPI])) {
+ ret = PTR_ERR(qspi->base[BSPI]);
+- goto qspi_probe_err;
++ goto qspi_resource_err;
+ }
+ qspi->bspi_mode = true;
+ } else {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 11 Apr 2018 11:26:09 -0600
+Subject: sr: get/drop reference to device in revalidate and check_events
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 2d097c50212e137e7b53ffe3b37561153eeba87d ]
+
+We can't just use scsi_cd() to get the scsi_cd structure, we have
+to grab a live reference to the device. For both callbacks, we're
+not inside an open where we already hold a reference to the device.
+
+This fixes device removal/addition under concurrent device access,
+which otherwise could result in the below oops.
+
+NULL pointer dereference at 0000000000000010
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP
+Modules linked in:
+sr 12:0:0:0: [sr2] scsi-1 drive
+ scsi_debug crc_t10dif crct10dif_generic crct10dif_common nvme nvme_core sb_edac xl
+sr 12:0:0:0: Attached scsi CD-ROM sr2
+ sr_mod cdrom btrfs xor zstd_decompress zstd_compress xxhash lzo_compress zlib_defc
+sr 12:0:0:0: Attached scsi generic sg7 type 5
+ igb ahci libahci i2c_algo_bit libata dca [last unloaded: crc_t10dif]
+CPU: 43 PID: 4629 Comm: systemd-udevd Not tainted 4.16.0+ #650
+Hardware name: Dell Inc. PowerEdge T630/0NT78X, BIOS 2.3.4 11/09/2016
+RIP: 0010:sr_block_revalidate_disk+0x23/0x190 [sr_mod]
+RSP: 0018:ffff883ff357bb58 EFLAGS: 00010292
+RAX: ffffffffa00b07d0 RBX: ffff883ff3058000 RCX: ffff883ff357bb66
+RDX: 0000000000000003 RSI: 0000000000007530 RDI: ffff881fea631000
+RBP: 0000000000000000 R08: ffff881fe4d38400 R09: 0000000000000000
+R10: 0000000000000000 R11: 00000000000001b6 R12: 000000000800005d
+R13: 000000000800005d R14: ffff883ffd9b3790 R15: 0000000000000000
+FS: 00007f7dc8e6d8c0(0000) GS:ffff883fff340000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000010 CR3: 0000003ffda98005 CR4: 00000000003606e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ ? __invalidate_device+0x48/0x60
+ check_disk_change+0x4c/0x60
+ sr_block_open+0x16/0xd0 [sr_mod]
+ __blkdev_get+0xb9/0x450
+ ? iget5_locked+0x1c0/0x1e0
+ blkdev_get+0x11e/0x320
+ ? bdget+0x11d/0x150
+ ? _raw_spin_unlock+0xa/0x20
+ ? bd_acquire+0xc0/0xc0
+ do_dentry_open+0x1b0/0x320
+ ? inode_permission+0x24/0xc0
+ path_openat+0x4e6/0x1420
+ ? cpumask_any_but+0x1f/0x40
+ ? flush_tlb_mm_range+0xa0/0x120
+ do_filp_open+0x8c/0xf0
+ ? __seccomp_filter+0x28/0x230
+ ? _raw_spin_unlock+0xa/0x20
+ ? __handle_mm_fault+0x7d6/0x9b0
+ ? list_lru_add+0xa8/0xc0
+ ? _raw_spin_unlock+0xa/0x20
+ ? __alloc_fd+0xaf/0x160
+ ? do_sys_open+0x1a6/0x230
+ do_sys_open+0x1a6/0x230
+ do_syscall_64+0x5a/0x100
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sr.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/sr.c
++++ b/drivers/scsi/sr.c
+@@ -585,18 +585,28 @@ out:
+ static unsigned int sr_block_check_events(struct gendisk *disk,
+ unsigned int clearing)
+ {
+- struct scsi_cd *cd = scsi_cd(disk);
++ unsigned int ret = 0;
++ struct scsi_cd *cd;
+
+- if (atomic_read(&cd->device->disk_events_disable_depth))
++ cd = scsi_cd_get(disk);
++ if (!cd)
+ return 0;
+
+- return cdrom_check_events(&cd->cdi, clearing);
++ if (!atomic_read(&cd->device->disk_events_disable_depth))
++ ret = cdrom_check_events(&cd->cdi, clearing);
++
++ scsi_cd_put(cd);
++ return ret;
+ }
+
+ static int sr_block_revalidate_disk(struct gendisk *disk)
+ {
+- struct scsi_cd *cd = scsi_cd(disk);
+ struct scsi_sense_hdr sshdr;
++ struct scsi_cd *cd;
++
++ cd = scsi_cd_get(disk);
++ if (!cd)
++ return -ENXIO;
+
+ /* if the unit is not ready, nothing more to do */
+ if (scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr))
+@@ -605,6 +615,7 @@ static int sr_block_revalidate_disk(stru
+ sr_cd_check(&cd->cdi);
+ get_sectorsize(cd);
+ out:
++ scsi_cd_put(cd);
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Kirill Marinushkin <k.marinushkin@gmail.com>
+Date: Fri, 23 Mar 2018 20:32:54 +0100
+Subject: staging: bcm2835-audio: Release resources on module_exit()
+
+From: Kirill Marinushkin <k.marinushkin@gmail.com>
+
+[ Upstream commit 626118b472d2eb45f83a0276a18d3e6a01c69f6a ]
+
+In the current implementation, `rmmod snd_bcm2835` does not release
+resources properly. It causes an oops when trying to list sound devices.
+
+This commit fixes it.
+
+The details WRT allocation / free are described below.
+
+Device structure WRT allocation:
+
+pdev
+ \childdev[]
+ \card
+ \chip
+ \pcm
+ \ctl
+
+Allocation / register sequence:
+
+* childdev: devm_kzalloc - freed during driver detach
+* childdev: device_initialize - freed during device_unregister
+* pdev: devres_alloc - freed during driver detach
+* childdev: device_add - removed during device_unregister
+* pdev, childdev: devres_add - freed during driver detach
+* card: snd_card_new - freed during snd_card_free
+* chip: kzalloc - freed during kfree
+* card, chip: snd_device_new - freed during snd_device_free
+* chip: new_pcm - TODO: free pcm
+* chip: new_ctl - TODO: free ctl
+* card: snd_card_register - unregistered during snd_card_free
+
+Free / unregister sequence:
+
+* card: snd_card_free
+* card, chip: snd_device_free
+* childdev: device_unregister
+* chip: kfree
+
+Steps to reproduce the issue before this commit:
+
+~~~~
+$ rmmod snd_bcm2835
+$ aplay -L
+[ 138.648130] Unable to handle kernel paging request at virtual address 7f1343c0
+[ 138.660415] pgd = ad8f0000
+[ 138.665567] [7f1343c0] *pgd=3864c811, *pte=00000000, *ppte=00000000
+[ 138.674887] Internal error: Oops: 7 [#1] SMP ARM
+[ 138.683571] Modules linked in: sha256_generic cfg80211 rfkill snd_pcm snd_timer
+ snd fixed uio_pdrv_genirq uio ip_tables x_tables ipv6 [last unloaded: snd_bcm2835
+]
+[ 138.706594] CPU: 3 PID: 463 Comm: aplay Tainted: G WC 4.15.0-rc1-v
+7+ #6
+[ 138.719833] Hardware name: BCM2835
+[ 138.726016] task: b877ac00 task.stack: aebec000
+[ 138.733408] PC is at try_module_get+0x38/0x24c
+[ 138.740813] LR is at snd_ctl_open+0x58/0x194 [snd]
+[ 138.748485] pc : [<801c4d5c>] lr : [<7f0e6b2c>] psr: 20000013
+[ 138.757709] sp : aebedd60 ip : aebedd88 fp : aebedd84
+[ 138.765884] r10: 00000000 r9 : 00000004 r8 : 7f0ed440
+[ 138.774040] r7 : b7e469b0 r6 : 7f0e6b2c r5 : afd91900 r4 : 7f1343c0
+[ 138.783571] r3 : aebec000 r2 : 00000001 r1 : b877ac00 r0 : 7f1343c0
+[ 138.793084] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+[ 138.803300] Control: 10c5387d Table: 2d8f006a DAC: 00000055
+[ 138.812064] Process aplay (pid: 463, stack limit = 0xaebec210)
+[ 138.820868] Stack: (0xaebedd60 to 0xaebee000)
+[ 138.828207] dd60: 00000000 b848d000 afd91900 00000000 b7e469b0 7f0ed440 aebedda4 aebedd88
+[ 138.842371] dd80: 7f0e6b2c 801c4d30 afd91900 7f0ea4dc 00000000 b7e469b0 aebeddcc aebedda8
+[ 138.856611] dda0: 7f0e250c 7f0e6ae0 7f0e2464 b8478ec0 b7e469b0 afd91900 7f0ea388 00000000
+[ 138.870864] ddc0: aebeddf4 aebeddd0 802ce590 7f0e2470 8090ab64 afd91900 afd91900 b7e469b0
+[ 138.885301] dde0: afd91908 802ce4e4 aebede1c aebeddf8 802c57b4 802ce4f0 afd91900 aebedea8
+[ 138.900110] de00: b7fa4c00 00000000 00000000 00000004 aebede3c aebede20 802c6ba8 802c56b4
+[ 138.915260] de20: aebedea8 00000000 aebedf5c 00000000 aebedea4 aebede40 802d9a68 802c6b58
+[ 138.930661] de40: b874ddd0 00000000 00000000 00000001 00000041 00000000 afd91900 aebede70
+[ 138.946402] de60: 00000000 00000000 00000002 b7e469b0 b8a87610 b8d6ab80 801852f8 00080000
+[ 138.962314] de80: aebedf5c aebedea8 00000001 80108464 aebec000 00000000 aebedf4c aebedea8
+[ 138.978414] dea0: 802dacd4 802d970c b8a87610 b8d6ab80 a7982bc6 00000009 af363019 b9231480
+[ 138.994617] dec0: 00000000 b8c038a0 b7e469b0 00000101 00000002 00000238 00000000 00000000
+[ 139.010823] dee0: 00000000 aebedee8 00080000 0000000f aebedf3c aebedf00 802ed7e4 80843f94
+[ 139.027025] df00: 00000003 00080000 b9231490 b9231480 00000000 00080000 af363000 00000000
+[ 139.043229] df20: 00000005 00000002 ffffff9c 00000000 00080000 ffffff9c af363000 00000003
+[ 139.059430] df40: aebedf94 aebedf50 802c6f70 802dac70 aebec000 00000000 00000001 00000000
+[ 139.075629] df60: 00020000 00000004 00000100 00000001 7ebe577c 0002e038 00000000 00000005
+[ 139.091828] df80: 80108464 aebec000 aebedfa4 aebedf98 802c7060 802c6e6c 00000000 aebedfa8
+[ 139.108025] dfa0: 801082c0 802c7040 7ebe577c 0002e038 7ebe577c 00080000 00000b98 e81c8400
+[ 139.124222] dfc0: 7ebe577c 0002e038 00000000 00000005 7ebe57e4 00a20af8 7ebe57f0 76f87394
+[ 139.140419] dfe0: 00000000 7ebe55c4 76ec88e8 76df1d9c 60000010 7ebe577c 00000000 00000000
+[ 139.156715] [<801c4d5c>] (try_module_get) from [<7f0e6b2c>] (snd_ctl_open+0x58/0x194 [snd])
+[ 139.173222] [<7f0e6b2c>] (snd_ctl_open [snd]) from [<7f0e250c>] (snd_open+0xa8/0x14c [snd])
+[ 139.189683] [<7f0e250c>] (snd_open [snd]) from [<802ce590>] (chrdev_open+0xac/0x188)
+[ 139.205465] [<802ce590>] (chrdev_open) from [<802c57b4>] (do_dentry_open+0x10c/0x314)
+[ 139.221347] [<802c57b4>] (do_dentry_open) from [<802c6ba8>] (vfs_open+0x5c/0x88)
+[ 139.236788] [<802c6ba8>] (vfs_open) from [<802d9a68>] (path_openat+0x368/0x944)
+[ 139.248270] [<802d9a68>] (path_openat) from [<802dacd4>] (do_filp_open+0x70/0xc4)
+[ 139.263731] [<802dacd4>] (do_filp_open) from [<802c6f70>] (do_sys_open+0x110/0x1d4)
+[ 139.279378] [<802c6f70>] (do_sys_open) from [<802c7060>] (SyS_open+0x2c/0x30)
+[ 139.290647] [<802c7060>] (SyS_open) from [<801082c0>] (ret_fast_syscall+0x0/0x28)
+[ 139.306021] Code: e3c3303f e5932004 e2822001 e5832004 (e5943000)
+[ 139.316265] ---[ end trace 7f3f7f6193b663ed ]---
+[ 139.324956] note: aplay[463] exited with preempt_count 1
+~~~~
+
+Signed-off-by: Kirill Marinushkin <k.marinushkin@gmail.com>
+Cc: Eric Anholt <eric@anholt.net>
+Cc: Stefan Wahren <stefan.wahren@i2se.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Cc: Ray Jui <rjui@broadcom.com>
+Cc: Scott Branden <sbranden@broadcom.com>
+Cc: bcm-kernel-feedback-list@broadcom.com
+Cc: Michael Zoran <mzoran@crowfest.net>
+Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: linux-rpi-kernel@lists.infradead.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: devel@driverdev.osuosl.org
+Cc: linux-kernel@vger.kernel.org
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/vc04_services/bcm2835-audio/bcm2835.c | 54 ++++++++----------
+ 1 file changed, 25 insertions(+), 29 deletions(-)
+
+--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835.c
++++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835.c
+@@ -36,6 +36,10 @@ MODULE_PARM_DESC(enable_compat_alsa,
+ static void snd_devm_unregister_child(struct device *dev, void *res)
+ {
+ struct device *childdev = *(struct device **)res;
++ struct bcm2835_chip *chip = dev_get_drvdata(childdev);
++ struct snd_card *card = chip->card;
++
++ snd_card_free(card);
+
+ device_unregister(childdev);
+ }
+@@ -61,6 +65,13 @@ static int snd_devm_add_child(struct dev
+ return 0;
+ }
+
++static void snd_bcm2835_release(struct device *dev)
++{
++ struct bcm2835_chip *chip = dev_get_drvdata(dev);
++
++ kfree(chip);
++}
++
+ static struct device *
+ snd_create_device(struct device *parent,
+ struct device_driver *driver,
+@@ -76,6 +87,7 @@ snd_create_device(struct device *parent,
+ device_initialize(device);
+ device->parent = parent;
+ device->driver = driver;
++ device->release = snd_bcm2835_release;
+
+ dev_set_name(device, "%s", name);
+
+@@ -86,18 +98,19 @@ snd_create_device(struct device *parent,
+ return device;
+ }
+
+-static int snd_bcm2835_free(struct bcm2835_chip *chip)
+-{
+- kfree(chip);
+- return 0;
+-}
+-
+ /* component-destructor
+ * (see "Management of Cards and Components")
+ */
+ static int snd_bcm2835_dev_free(struct snd_device *device)
+ {
+- return snd_bcm2835_free(device->device_data);
++ struct bcm2835_chip *chip = device->device_data;
++ struct snd_card *card = chip->card;
++
++ /* TODO: free pcm, ctl */
++
++ snd_device_free(card, chip);
++
++ return 0;
+ }
+
+ /* chip-specific constructor
+@@ -122,7 +135,7 @@ static int snd_bcm2835_create(struct snd
+
+ err = snd_device_new(card, SNDRV_DEV_LOWLEVEL, chip, &ops);
+ if (err) {
+- snd_bcm2835_free(chip);
++ kfree(chip);
+ return err;
+ }
+
+@@ -130,31 +143,14 @@ static int snd_bcm2835_create(struct snd
+ return 0;
+ }
+
+-static void snd_devm_card_free(struct device *dev, void *res)
++static struct snd_card *snd_bcm2835_card_new(struct device *dev)
+ {
+- struct snd_card *snd_card = *(struct snd_card **)res;
+-
+- snd_card_free(snd_card);
+-}
+-
+-static struct snd_card *snd_devm_card_new(struct device *dev)
+-{
+- struct snd_card **dr;
+ struct snd_card *card;
+ int ret;
+
+- dr = devres_alloc(snd_devm_card_free, sizeof(*dr), GFP_KERNEL);
+- if (!dr)
+- return ERR_PTR(-ENOMEM);
+-
+ ret = snd_card_new(dev, -1, NULL, THIS_MODULE, 0, &card);
+- if (ret) {
+- devres_free(dr);
++ if (ret)
+ return ERR_PTR(ret);
+- }
+-
+- *dr = card;
+- devres_add(dev, dr);
+
+ return card;
+ }
+@@ -271,7 +267,7 @@ static int snd_add_child_device(struct d
+ return PTR_ERR(child);
+ }
+
+- card = snd_devm_card_new(child);
++ card = snd_bcm2835_card_new(child);
+ if (IS_ERR(card)) {
+ dev_err(child, "Failed to create card");
+ return PTR_ERR(card);
+@@ -313,7 +309,7 @@ static int snd_add_child_device(struct d
+ return err;
+ }
+
+- dev_set_drvdata(child, card);
++ dev_set_drvdata(child, chip);
+ dev_info(child, "card created with %d channels\n", numchans);
+
+ return 0;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+Date: Mon, 26 Feb 2018 10:28:06 -0600
+Subject: staging: fsl-dpaa2/eth: Fix incorrect casts
+
+From: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+
+[ Upstream commit 75c583ab9709692a60871d4719006391cde8dc1d ]
+
+The DPAA2 Ethernet driver incorrectly assumes virtual addresses
+are always 64b long, which causes compiler errors when building
+for a 32b platform.
+
+Fix this by using explicit casts to uintptr_t where necessary.
+
+Signed-off-by: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
++++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
+@@ -315,7 +315,7 @@ static int consume_frames(struct dpaa2_e
+ }
+
+ fd = dpaa2_dq_fd(dq);
+- fq = (struct dpaa2_eth_fq *)dpaa2_dq_fqd_ctx(dq);
++ fq = (struct dpaa2_eth_fq *)(uintptr_t)dpaa2_dq_fqd_ctx(dq);
+ fq->stats.frames++;
+
+ fq->consume(priv, ch, fd, &ch->napi);
+@@ -1888,7 +1888,7 @@ static int setup_rx_flow(struct dpaa2_et
+ queue.destination.id = fq->channel->dpcon_id;
+ queue.destination.type = DPNI_DEST_DPCON;
+ queue.destination.priority = 1;
+- queue.user_context = (u64)fq;
++ queue.user_context = (u64)(uintptr_t)fq;
+ err = dpni_set_queue(priv->mc_io, 0, priv->mc_token,
+ DPNI_QUEUE_RX, 0, fq->flowid,
+ DPNI_QUEUE_OPT_USER_CTX | DPNI_QUEUE_OPT_DEST,
+@@ -1940,7 +1940,7 @@ static int setup_tx_flow(struct dpaa2_et
+ queue.destination.id = fq->channel->dpcon_id;
+ queue.destination.type = DPNI_DEST_DPCON;
+ queue.destination.priority = 0;
+- queue.user_context = (u64)fq;
++ queue.user_context = (u64)(uintptr_t)fq;
+ err = dpni_set_queue(priv->mc_io, 0, priv->mc_token,
+ DPNI_QUEUE_TX_CONFIRM, 0, fq->flowid,
+ DPNI_QUEUE_OPT_USER_CTX | DPNI_QUEUE_OPT_DEST,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Quytelda Kahja <quytelda@tamalin.org>
+Date: Wed, 28 Feb 2018 21:19:07 -0800
+Subject: staging: ks7010: Use constants from ieee80211_eid instead of literal ints.
+
+From: Quytelda Kahja <quytelda@tamalin.org>
+
+[ Upstream commit dc13498ab47fdfae3cda4df712beb2e4244b3fe0 ]
+
+The case statement in get_ap_information() should not use literal integers
+to parse information element IDs when these values are provided by name
+in 'enum ieee80211_eid' in the header 'linux/ieee80211.h'.
+
+Signed-off-by: Quytelda Kahja <quytelda@tamalin.org>
+Reviewed-by: Tobin C. Harding <me@tobin.cc>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/ks7010/ks_hostif.c | 31 +++++++++++++++----------------
+ drivers/staging/ks7010/ks_hostif.h | 1 +
+ 2 files changed, 16 insertions(+), 16 deletions(-)
+
+--- a/drivers/staging/ks7010/ks_hostif.c
++++ b/drivers/staging/ks7010/ks_hostif.c
+@@ -242,9 +242,8 @@ int get_ap_information(struct ks_wlan_pr
+ offset = 0;
+
+ while (bsize > offset) {
+- /* DPRINTK(4, "Element ID=%d\n",*bp); */
+- switch (*bp) {
+- case 0: /* ssid */
++ switch (*bp) { /* Information Element ID */
++ case WLAN_EID_SSID:
+ if (*(bp + 1) <= SSID_MAX_SIZE) {
+ ap->ssid.size = *(bp + 1);
+ } else {
+@@ -254,8 +253,8 @@ int get_ap_information(struct ks_wlan_pr
+ }
+ memcpy(ap->ssid.body, bp + 2, ap->ssid.size);
+ break;
+- case 1: /* rate */
+- case 50: /* ext rate */
++ case WLAN_EID_SUPP_RATES:
++ case WLAN_EID_EXT_SUPP_RATES:
+ if ((*(bp + 1) + ap->rate_set.size) <=
+ RATE_SET_MAX_SIZE) {
+ memcpy(&ap->rate_set.body[ap->rate_set.size],
+@@ -271,9 +270,9 @@ int get_ap_information(struct ks_wlan_pr
+ (RATE_SET_MAX_SIZE - ap->rate_set.size);
+ }
+ break;
+- case 3: /* DS parameter */
++ case WLAN_EID_DS_PARAMS:
+ break;
+- case 48: /* RSN(WPA2) */
++ case WLAN_EID_RSN:
+ ap->rsn_ie.id = *bp;
+ if (*(bp + 1) <= RSN_IE_BODY_MAX) {
+ ap->rsn_ie.size = *(bp + 1);
+@@ -284,8 +283,8 @@ int get_ap_information(struct ks_wlan_pr
+ }
+ memcpy(ap->rsn_ie.body, bp + 2, ap->rsn_ie.size);
+ break;
+- case 221: /* WPA */
+- if (memcmp(bp + 2, "\x00\x50\xf2\x01", 4) == 0) { /* WPA OUI check */
++ case WLAN_EID_VENDOR_SPECIFIC: /* WPA */
++ if (memcmp(bp + 2, "\x00\x50\xf2\x01", 4) == 0) { /* WPA OUI check */
+ ap->wpa_ie.id = *bp;
+ if (*(bp + 1) <= RSN_IE_BODY_MAX) {
+ ap->wpa_ie.size = *(bp + 1);
+@@ -300,18 +299,18 @@ int get_ap_information(struct ks_wlan_pr
+ }
+ break;
+
+- case 2: /* FH parameter */
+- case 4: /* CF parameter */
+- case 5: /* TIM */
+- case 6: /* IBSS parameter */
+- case 7: /* Country */
+- case 42: /* ERP information */
+- case 47: /* Reserve ID 47 Broadcom AP */
++ case WLAN_EID_FH_PARAMS:
++ case WLAN_EID_CF_PARAMS:
++ case WLAN_EID_TIM:
++ case WLAN_EID_IBSS_PARAMS:
++ case WLAN_EID_COUNTRY:
++ case WLAN_EID_ERP_INFO:
+ break;
+ default:
+ DPRINTK(4, "unknown Element ID=%d\n", *bp);
+ break;
+ }
++
+ offset += 2; /* id & size field */
+ offset += *(bp + 1); /* +size offset */
+ bp += (*(bp + 1) + 2); /* pointer update */
+--- a/drivers/staging/ks7010/ks_hostif.h
++++ b/drivers/staging/ks7010/ks_hostif.h
+@@ -13,6 +13,7 @@
+ #define _KS_HOSTIF_H_
+
+ #include <linux/compiler.h>
++#include <linux/ieee80211.h>
+
+ /*
+ * HOST-MAC I/F events
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 2 Mar 2018 10:31:25 +1100
+Subject: staging: lustre: fix bug in osc_enter_cache_try
+
+From: NeilBrown <neilb@suse.com>
+
+[ Upstream commit 2fab9faf9b27298c4536c1c1b14072ab18b8f80b ]
+
+The lustre-release patch commit bdc5bb52c554 ("LU-4933 osc:
+Automatically increase the max_dirty_mb") changed
+
+- if (cli->cl_dirty + PAGE_CACHE_SIZE <= cli->cl_dirty_max &&
++ if (cli->cl_dirty_pages < cli->cl_dirty_max_pages &&
+
+When this patch landed in Linux a couple of years later, it landed as
+
+- if (cli->cl_dirty + PAGE_SIZE <= cli->cl_dirty_max &&
++ if (cli->cl_dirty_pages <= cli->cl_dirty_max_pages &&
+
+which is clearly different ('<=' vs '<'), and allows cl_dirty_pages to
+increase beyond cl_dirty_max_pages - which causes a latter assertion
+to fails.
+
+Fixes: 3147b268400a ("staging: lustre: osc: Automatically increase the max_dirty_mb")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/lustre/lustre/include/obd.h | 2 +-
+ drivers/staging/lustre/lustre/osc/osc_cache.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/lustre/lustre/include/obd.h
++++ b/drivers/staging/lustre/lustre/include/obd.h
+@@ -190,7 +190,7 @@ struct client_obd {
+ struct sptlrpc_flavor cl_flvr_mgc; /* fixed flavor of mgc->mgs */
+
+ /* the grant values are protected by loi_list_lock below */
+- unsigned long cl_dirty_pages; /* all _dirty_ in pahges */
++ unsigned long cl_dirty_pages; /* all _dirty_ in pages */
+ unsigned long cl_dirty_max_pages; /* allowed w/o rpc */
+ unsigned long cl_dirty_transit; /* dirty synchronous */
+ unsigned long cl_avail_grant; /* bytes of credit for ost */
+--- a/drivers/staging/lustre/lustre/osc/osc_cache.c
++++ b/drivers/staging/lustre/lustre/osc/osc_cache.c
+@@ -1528,7 +1528,7 @@ static int osc_enter_cache_try(struct cl
+ if (rc < 0)
+ return 0;
+
+- if (cli->cl_dirty_pages <= cli->cl_dirty_max_pages &&
++ if (cli->cl_dirty_pages < cli->cl_dirty_max_pages &&
+ atomic_long_read(&obd_dirty_pages) + 1 <= obd_max_dirty_pages) {
+ osc_consume_write_grant(cli, &oap->oap_brw_page);
+ if (transient) {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 23 Feb 2018 09:09:33 +1100
+Subject: staging: lustre: lmv: correctly iput lmo_root
+
+From: NeilBrown <neilb@suse.com>
+
+[ Upstream commit 17556cdbe6ed70a6a20e597b228628f7f34387f8 ]
+
+Commit 8f18c8a48b73 ("staging: lustre: lmv: separate master object
+with master stripe") changed how lmo_root inodes were managed,
+particularly when LMV_HASH_FLAG_MIGRATION is not set.
+Previously lsm_md_oinfo[0].lmo_root was always a borrowed
+inode reference and didn't need to by iput().
+Since the change, that special case only applies when
+LMV_HASH_FLAG_MIGRATION is set
+
+In the upstream (lustre-release) version of this patch [Commit
+60e07b972114 ("LU-4690 lod: separate master object with master
+stripe")] the for loop in the lmv_unpack_md() was changed to count
+from 0 and to ignore entry 0 if LMV_HASH_FLAG_MIGRATION is set.
+In the patch that got applied to Linux, that change was missing,
+so lsm_md_oinfo[0].lmo_root is never iput().
+This results in a "VFS: Busy inodes" warning at unmount.
+
+Fixes: 8f18c8a48b73 ("staging: lustre: lmv: separate master object with master stripe")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Reviewed-by: James Simmons <jsimmons@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/lustre/lustre/lmv/lmv_obd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/lustre/lustre/lmv/lmv_obd.c
++++ b/drivers/staging/lustre/lustre/lmv/lmv_obd.c
+@@ -2694,7 +2694,7 @@ static int lmv_unpackmd(struct obd_expor
+ if (lsm && !lmm) {
+ int i;
+
+- for (i = 1; i < lsm->lsm_md_stripe_count; i++) {
++ for (i = 0; i < lsm->lsm_md_stripe_count; i++) {
+ /*
+ * For migrating inode, the master stripe and master
+ * object will be the same, so do not need iput, see
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 28 Feb 2018 11:28:49 +0000
+Subject: staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit e1a7418529e33bc4efc346324557251a16a3e79b ]
+
+Currently the allocation of priv->oldaddr is not null checked which will
+lead to subsequent errors when accessing priv->oldaddr. Fix this with
+a null pointer check and a return of -ENOMEM on allocation failure.
+
+Detected with Coccinelle:
+drivers/staging/rtl8192u/r8192U_core.c:1708:2-15: alloc with no test,
+possible model on line 1723
+
+Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8192u/r8192U_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/rtl8192u/r8192U_core.c
++++ b/drivers/staging/rtl8192u/r8192U_core.c
+@@ -1702,6 +1702,8 @@ static short rtl8192_usb_initendpoints(s
+
+ priv->rx_urb[16] = usb_alloc_urb(0, GFP_KERNEL);
+ priv->oldaddr = kmalloc(16, GFP_KERNEL);
++ if (!priv->oldaddr)
++ return -ENOMEM;
+ oldaddr = priv->oldaddr;
+ align = ((long)oldaddr) & 3;
+ if (align) {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Cathy Zhou <Cathy.Zhou@Oracle.COM>
+Date: Wed, 14 Mar 2018 10:56:07 -0700
+Subject: sunvnet: does not support GSO for sctp
+
+From: Cathy Zhou <Cathy.Zhou@Oracle.COM>
+
+[ Upstream commit cf55612a945039476abfd73e39064b2e721c3272 ]
+
+The NETIF_F_GSO_SOFTWARE implies support for GSO on SCTP, but the
+sunvnet driver does not support GSO for sctp. Here we remove the
+NETIF_F_GSO_SOFTWARE feature flag and only report NETIF_F_ALL_TSO
+instead.
+
+Signed-off-by: Cathy Zhou <Cathy.Zhou@Oracle.COM>
+Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/sun/sunvnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/sun/sunvnet.c
++++ b/drivers/net/ethernet/sun/sunvnet.c
+@@ -311,7 +311,7 @@ static struct vnet *vnet_new(const u64 *
+ dev->ethtool_ops = &vnet_ethtool_ops;
+ dev->watchdog_timeo = VNET_TX_TIMEOUT;
+
+- dev->hw_features = NETIF_F_TSO | NETIF_F_GSO | NETIF_F_GSO_SOFTWARE |
++ dev->hw_features = NETIF_F_TSO | NETIF_F_GSO | NETIF_F_ALL_TSO |
+ NETIF_F_HW_CSUM | NETIF_F_SG;
+ dev->features = dev->hw_features;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Tom Abraham <tabraham@suse.com>
+Date: Tue, 10 Apr 2018 16:29:48 -0700
+Subject: swap: divide-by-zero when zero length swap file on ssd
+
+From: Tom Abraham <tabraham@suse.com>
+
+[ Upstream commit a06ad633a37c64a0cd4c229fc605cee8725d376e ]
+
+Calling swapon() on a zero length swap file on SSD can lead to a
+divide-by-zero.
+
+Although creating such files isn't possible with mkswap and they woud be
+considered invalid, it would be better for the swapon code to be more
+robust and handle this condition gracefully (return -EINVAL).
+Especially since the fix is small and straightforward.
+
+To help with wear leveling on SSD, the swapon syscall calculates a
+random position in the swap file using modulo p->highest_bit, which is
+set to maxpages - 1 in read_swap_header.
+
+If the swap file is zero length, read_swap_header sets maxpages=1 and
+last_page=0, resulting in p->highest_bit=0 and we divide-by-zero when we
+modulo p->highest_bit in swapon syscall.
+
+This can be prevented by having read_swap_header return zero if
+last_page is zero.
+
+Link: http://lkml.kernel.org/r/5AC747C1020000A7001FA82C@prv-mh.provo.novell.com
+Signed-off-by: Thomas Abraham <tabraham@suse.com>
+Reported-by: <Mark.Landis@Teradata.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/swapfile.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -2954,6 +2954,10 @@ static unsigned long read_swap_header(st
+ maxpages = swp_offset(pte_to_swp_entry(
+ swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1;
+ last_page = swap_header->info.last_page;
++ if (!last_page) {
++ pr_warn("Empty swap-file\n");
++ return 0;
++ }
+ if (last_page > maxpages) {
+ pr_warn("Truncating oversized swap area, only using %luk out of %luk\n",
+ maxpages << (PAGE_SHIFT - 10),
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Boris Pismenny <borisp@mellanox.com>
+Date: Wed, 14 Feb 2018 10:46:07 +0200
+Subject: tls: reset the crypto info if copy_from_user fails
+
+From: Boris Pismenny <borisp@mellanox.com>
+
+[ Upstream commit 257082e6ae23e92898440f6bcb2857555bf7957c ]
+
+copy_from_user could copy some partial information, as a result
+TLS_CRYPTO_INFO_READY(crypto_info) could be true while crypto_info is
+using uninitialzed data.
+
+This patch resets crypto_info when copy_from_user fails.
+
+fixes: 3c4d7559159b ("tls: kernel TLS support")
+Signed-off-by: Boris Pismenny <borisp@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -352,7 +352,7 @@ static int do_tls_setsockopt_tx(struct s
+ rc = copy_from_user(&tmp_crypto_info, optval, sizeof(*crypto_info));
+ if (rc) {
+ rc = -EFAULT;
+- goto out;
++ goto err_crypto_info;
+ }
+
+ /* check version */
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Boris Pismenny <borisp@mellanox.com>
+Date: Wed, 14 Feb 2018 10:46:06 +0200
+Subject: tls: retrun the correct IV in getsockopt
+
+From: Boris Pismenny <borisp@mellanox.com>
+
+[ Upstream commit a1dfa6812b682eef750412dd5a90e7d38d7af068 ]
+
+Current code returns four bytes of salt followed by four bytes of IV.
+This patch returns all eight bytes of IV.
+
+fixes: 3c4d7559159b ("tls: kernel TLS support")
+Signed-off-by: Boris Pismenny <borisp@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -291,7 +291,8 @@ static int do_tls_getsockopt_tx(struct s
+ goto out;
+ }
+ lock_sock(sk);
+- memcpy(crypto_info_aes_gcm_128->iv, ctx->iv,
++ memcpy(crypto_info_aes_gcm_128->iv,
++ ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
+ TLS_CIPHER_AES_GCM_128_IV_SIZE);
+ release_sock(sk);
+ if (copy_to_user(optval,
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Dexuan Cui <decui@microsoft.com>
+Date: Sun, 4 Mar 2018 22:17:14 -0700
+Subject: tools: hv: fix compiler warnings about major/target_fname
+
+From: Dexuan Cui <decui@microsoft.com>
+
+[ Upstream commit 1330fc35327f3ecdfa1aa645e7321ced7349b2cd ]
+
+This patch fixes the below warnings with new glibc and gcc:
+
+hv_vss_daemon.c:100:13: warning: In the GNU C Library, "major" is defined
+ by <sys/sysmacros.h>. For historical compatibility, it is currently
+defined by <sys/types.h> as well, but we plan to remove this soon.
+To use "major", include <sys/sysmacros.h> directly.
+
+hv_fcopy_daemon.c:42:2: note: 'snprintf' output between 2 and 1040
+bytes into a destination of size 260
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/hv/hv_fcopy_daemon.c | 3 ++-
+ tools/hv/hv_vss_daemon.c | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/tools/hv/hv_fcopy_daemon.c
++++ b/tools/hv/hv_fcopy_daemon.c
+@@ -23,13 +23,14 @@
+ #include <unistd.h>
+ #include <errno.h>
+ #include <linux/hyperv.h>
++#include <linux/limits.h>
+ #include <syslog.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
+ #include <getopt.h>
+
+ static int target_fd;
+-static char target_fname[W_MAX_PATH];
++static char target_fname[PATH_MAX];
+ static unsigned long long filesize;
+
+ static int hv_start_fcopy(struct hv_start_fcopy *smsg)
+--- a/tools/hv/hv_vss_daemon.c
++++ b/tools/hv/hv_vss_daemon.c
+@@ -22,6 +22,7 @@
+ #include <sys/poll.h>
+ #include <sys/ioctl.h>
+ #include <sys/stat.h>
++#include <sys/sysmacros.h>
+ #include <fcntl.h>
+ #include <stdio.h>
+ #include <mntent.h>
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Frank Asseg <frank.asseg@objecthunter.net>
+Date: Mon, 12 Mar 2018 19:57:06 +0100
+Subject: tools/thermal: tmon: fix for segfault
+
+From: Frank Asseg <frank.asseg@objecthunter.net>
+
+[ Upstream commit 6c59f64b7ecf2bccbe73931d7d573d66ed13b537 ]
+
+Fixes a segfault occurring when e.g. <TAB> is pressed multiple times in the
+ncurses tmon application. The segfault is caused by incrementing
+cur_thermal_record in the main function without checking if it's value reached
+NR_THERMAL_RECORD immediately. Since the boundary check only occurred in
+update_thermal_data a race condition existed, which lead to an attempted read
+beyond the last element of the trec array.
+
+The fix was implemented by moving the cur_thermal_record incrementation to the
+update_thermal_data function using a temporary variable on which the boundary
+condition is checked before updating cur_thread_record, so that the variable is
+never incremented beyond the trec array's boundary.
+
+It seems the segfault does not occur on every machine: On a HP EliteBook G4 the
+segfault happens, while it does not happen on a Thinkpad T540p.
+
+Signed-off-by: Frank Asseg <frank.asseg@objecthunter.net>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/thermal/tmon/sysfs.c | 12 +++++++-----
+ tools/thermal/tmon/tmon.c | 1 -
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+--- a/tools/thermal/tmon/sysfs.c
++++ b/tools/thermal/tmon/sysfs.c
+@@ -486,6 +486,7 @@ int zone_instance_to_index(int zone_inst
+ int update_thermal_data()
+ {
+ int i;
++ int next_thermal_record = cur_thermal_record + 1;
+ char tz_name[256];
+ static unsigned long samples;
+
+@@ -495,9 +496,9 @@ int update_thermal_data()
+ }
+
+ /* circular buffer for keeping historic data */
+- if (cur_thermal_record >= NR_THERMAL_RECORDS)
+- cur_thermal_record = 0;
+- gettimeofday(&trec[cur_thermal_record].tv, NULL);
++ if (next_thermal_record >= NR_THERMAL_RECORDS)
++ next_thermal_record = 0;
++ gettimeofday(&trec[next_thermal_record].tv, NULL);
+ if (tmon_log) {
+ fprintf(tmon_log, "%lu ", ++samples);
+ fprintf(tmon_log, "%3.1f ", p_param.t_target);
+@@ -507,11 +508,12 @@ int update_thermal_data()
+ snprintf(tz_name, 256, "%s/%s%d", THERMAL_SYSFS, TZONE,
+ ptdata.tzi[i].instance);
+ sysfs_get_ulong(tz_name, "temp",
+- &trec[cur_thermal_record].temp[i]);
++ &trec[next_thermal_record].temp[i]);
+ if (tmon_log)
+ fprintf(tmon_log, "%lu ",
+- trec[cur_thermal_record].temp[i]/1000);
++ trec[next_thermal_record].temp[i] / 1000);
+ }
++ cur_thermal_record = next_thermal_record;
+ for (i = 0; i < ptdata.nr_cooling_dev; i++) {
+ char cdev_name[256];
+ unsigned long val;
+--- a/tools/thermal/tmon/tmon.c
++++ b/tools/thermal/tmon/tmon.c
+@@ -336,7 +336,6 @@ int main(int argc, char **argv)
+ show_data_w();
+ show_cooling_device();
+ }
+- cur_thermal_record++;
+ time_elapsed += ticktime;
+ controller_handler(trec[0].temp[target_tz_index] / 1000,
+ &yk);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Tue, 10 Apr 2018 21:20:08 +0900
+Subject: tracing/uprobe_event: Fix strncpy corner case
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 50268a3d266ecfdd6c5873d62b2758d9732fc598 ]
+
+Fix string fetch function to terminate with NUL.
+It is OK to drop the rest of string.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: security@kernel.org
+Cc: 范龙飞 <long7573@126.com>
+Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes")
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_uprobe.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -151,6 +151,8 @@ static void FETCH_FUNC_NAME(memory, stri
+ return;
+
+ ret = strncpy_from_user(dst, src, maxlen);
++ if (ret == maxlen)
++ dst[--ret] = '\0';
+
+ if (ret < 0) { /* Failed to fetch string */
+ ((u8 *)get_rloc_data(dest))[0] = '\0';
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 22 Feb 2018 10:39:52 +0100
+Subject: udf: Provide saner default for invalid uid / gid
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 116e5258e4115aca0c64ac0bf40ded3b353ed626 ]
+
+Currently when UDF filesystem is recorded without uid / gid (ids are set
+to -1), we will assign INVALID_[UG]ID to vfs inode unless user uses uid=
+and gid= mount options. In such case filesystem could not be modified in
+any way as VFS refuses to modify files with invalid ids (even by root).
+This is confusing to users and not very useful default since such media
+mode is generally used for removable media. Use overflow[ug]id instead
+so that at least root can modify the filesystem.
+
+Reported-by: Steve Kenton <skenton@ou.edu>
+Reviewed-by: Pali Rohár <pali.rohar@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/udf/super.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -2091,8 +2091,9 @@ static int udf_fill_super(struct super_b
+ bool lvid_open = false;
+
+ uopt.flags = (1 << UDF_FLAG_USE_AD_IN_ICB) | (1 << UDF_FLAG_STRICT);
+- uopt.uid = INVALID_UID;
+- uopt.gid = INVALID_GID;
++ /* By default we'll use overflow[ug]id when UDF inode [ug]id == -1 */
++ uopt.uid = make_kuid(current_user_ns(), overflowuid);
++ uopt.gid = make_kgid(current_user_ns(), overflowgid);
+ uopt.umask = 0;
+ uopt.fmode = UDF_INVALID_MODE;
+ uopt.dmode = UDF_INVALID_MODE;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Dominik Bozek <dominikx.bozek@intel.com>
+Date: Thu, 15 Feb 2018 21:27:48 -0800
+Subject: usb: cdc_acm: prevent race at write to acm while system resumes
+
+From: Dominik Bozek <dominikx.bozek@intel.com>
+
+[ Upstream commit b86b8eb6fecb5a4bac1ed0ca925c4082a61ea6e9 ]
+
+ACM driver may accept data to transmit while system is not fully
+resumed. In this case ACM driver buffers data and prepare URBs
+on usb anchor list.
+There is a little chance that two tasks put a char and initiate
+acm_tty_flush_chars(). In such a case, driver will put one URB
+twice on usb anchor list.
+This patch also reset length of data before resue of a buffer.
+This not only prevent sending rubbish, but also lower risc of race.
+
+Without this patch we hit following kernel panic in one of our
+stabilty/stress tests.
+
+[ 46.884442] *list_add double add*: new=ffff9b2ab7289330, prev=ffff9b2ab7289330, next=ffff9b2ab81e28e0.
+[ 46.884476] Modules linked in: hci_uart btbcm bluetooth rfkill_gpio igb_avb(O) cfg80211 snd_soc_sst_bxt_tdf8532 snd_soc_skl snd_soc_skl_ipc snd_soc_sst_ipc snd_soc_sst_dsp snd_soc_sst_acpi snd_soc_sst_match snd_hda_ext_core snd_hda_core trusty_timer trusty_wall trusty_log trusty_virtio trusty_ipc trusty_mem trusty_irq trusty virtio_ring virtio intel_ipu4_mmu_bxtB0 lib2600_mod_bxtB0 intel_ipu4_isys_mod_bxtB0 lib2600psys_mod_bxtB0 intel_ipu4_psys_mod_bxtB0 intel_ipu4_mod_bxtB0 intel_ipu4_wrapper_bxtB0 intel_ipu4_acpi videobuf2_dma_contig as3638 dw9714 lm3643 crlmodule smiapp smiapp_pll
+[ 46.884480] CPU: 1 PID: 33 Comm: kworker/u8:1 Tainted: G U W O 4.9.56-quilt-2e5dc0ac-g618ed69ced6e-dirty #4
+[ 46.884489] Workqueue: events_unbound flush_to_ldisc
+[ 46.884494] ffffb98ac012bb08 ffffffffad3e82e5 ffffb98ac012bb58 0000000000000000
+[ 46.884497] ffffb98ac012bb48 ffffffffad0a23d1 00000024ad6374dd ffff9b2ab7289330
+[ 46.884500] ffff9b2ab81e28e0 ffff9b2ab7289330 0000000000000002 0000000000000000
+[ 46.884501] Call Trace:
+[ 46.884507] [<ffffffffad3e82e5>] dump_stack+0x67/0x92
+[ 46.884511] [<ffffffffad0a23d1>] __warn+0xd1/0xf0
+[ 46.884513] [<ffffffffad0a244f>] warn_slowpath_fmt+0x5f/0x80
+[ 46.884516] [<ffffffffad407443>] __list_add+0xb3/0xc0
+[ 46.884521] [<ffffffffad71133c>] *usb_anchor_urb*+0x4c/0xa0
+[ 46.884524] [<ffffffffad782c6f>] *acm_tty_flush_chars*+0x8f/0xb0
+[ 46.884527] [<ffffffffad782cd1>] *acm_tty_put_char*+0x41/0x100
+[ 46.884530] [<ffffffffad4ced34>] tty_put_char+0x24/0x40
+[ 46.884533] [<ffffffffad4d3bf5>] do_output_char+0xa5/0x200
+[ 46.884535] [<ffffffffad4d3e98>] __process_echoes+0x148/0x290
+[ 46.884538] [<ffffffffad4d654c>] n_tty_receive_buf_common+0x57c/0xb00
+[ 46.884541] [<ffffffffad4d6ae4>] n_tty_receive_buf2+0x14/0x20
+[ 46.884543] [<ffffffffad4d9662>] tty_ldisc_receive_buf+0x22/0x50
+[ 46.884545] [<ffffffffad4d9c05>] flush_to_ldisc+0xc5/0xe0
+[ 46.884549] [<ffffffffad0bcfe8>] process_one_work+0x148/0x440
+[ 46.884551] [<ffffffffad0bdc19>] worker_thread+0x69/0x4a0
+[ 46.884554] [<ffffffffad0bdbb0>] ? max_active_store+0x80/0x80
+[ 46.884556] [<ffffffffad0c2e10>] kthread+0x110/0x130
+[ 46.884559] [<ffffffffad0c2d00>] ? kthread_park+0x60/0x60
+[ 46.884563] [<ffffffffadad9917>] ret_from_fork+0x27/0x40
+[ 46.884566] ---[ end trace 3bd599058b8a9eb3 ]---
+
+Signed-off-by: Dominik Bozek <dominikx.bozek@intel.com>
+Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -187,6 +187,7 @@ static int acm_wb_alloc(struct acm *acm)
+ wb = &acm->wb[wbn];
+ if (!wb->use) {
+ wb->use = 1;
++ wb->len = 0;
+ return wbn;
+ }
+ wbn = (wbn + 1) % ACM_NW;
+@@ -818,16 +819,18 @@ static int acm_tty_write(struct tty_stru
+ static void acm_tty_flush_chars(struct tty_struct *tty)
+ {
+ struct acm *acm = tty->driver_data;
+- struct acm_wb *cur = acm->putbuffer;
++ struct acm_wb *cur;
+ int err;
+ unsigned long flags;
+
++ spin_lock_irqsave(&acm->write_lock, flags);
++
++ cur = acm->putbuffer;
+ if (!cur) /* nothing to do */
+- return;
++ goto out;
+
+ acm->putbuffer = NULL;
+ err = usb_autopm_get_interface_async(acm->control);
+- spin_lock_irqsave(&acm->write_lock, flags);
+ if (err < 0) {
+ cur->use = 0;
+ acm->putbuffer = cur;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Vardan Mikayelyan <mvardan@synopsys.com>
+Date: Tue, 16 Jan 2018 16:04:24 +0400
+Subject: usb: dwc2: Fix dwc2_hsotg_core_init_disconnected()
+
+From: Vardan Mikayelyan <mvardan@synopsys.com>
+
+[ Upstream commit 755d739534f998d92e348fba8ffb0478416576e7 ]
+
+We should call dwc2_hsotg_enqueue_setup() after properly
+setting lx_state. Because it may cause error-out from
+dwc2_hsotg_enqueue_setup() due to wrong value in lx_state.
+
+Issue can be reproduced by loading driver while connected
+A-Connector (start in A-HOST mode) then disconnect A-Connector
+to switch to B-DEVICE.
+
+Acked-by: John Youn <johnyoun@synopsys.com>
+Signed-off-by: Vardan Mikayelyan <mvardan@synopsys.com>
+Signed-off-by: Grigor Tovmasyan <tovmasya@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/gadget.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/dwc2/gadget.c
++++ b/drivers/usb/dwc2/gadget.c
+@@ -3414,12 +3414,6 @@ void dwc2_hsotg_core_init_disconnected(s
+ dwc2_writel(dwc2_hsotg_ep0_mps(hsotg->eps_out[0]->ep.maxpacket) |
+ DXEPCTL_USBACTEP, hsotg->regs + DIEPCTL0);
+
+- dwc2_hsotg_enqueue_setup(hsotg);
+-
+- dev_dbg(hsotg->dev, "EP0: DIEPCTL0=0x%08x, DOEPCTL0=0x%08x\n",
+- dwc2_readl(hsotg->regs + DIEPCTL0),
+- dwc2_readl(hsotg->regs + DOEPCTL0));
+-
+ /* clear global NAKs */
+ val = DCTL_CGOUTNAK | DCTL_CGNPINNAK;
+ if (!is_usb_reset)
+@@ -3430,6 +3424,12 @@ void dwc2_hsotg_core_init_disconnected(s
+ mdelay(3);
+
+ hsotg->lx_state = DWC2_L0;
++
++ dwc2_hsotg_enqueue_setup(hsotg);
++
++ dev_dbg(hsotg->dev, "EP0: DIEPCTL0=0x%08x, DOEPCTL0=0x%08x\n",
++ dwc2_readl(hsotg->regs + DIEPCTL0),
++ dwc2_readl(hsotg->regs + DOEPCTL0));
+ }
+
+ static void dwc2_hsotg_core_disconnect(struct dwc2_hsotg *hsotg)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Grigor Tovmasyan <Grigor.Tovmasyan@synopsys.com>
+Date: Tue, 6 Feb 2018 19:07:38 +0400
+Subject: usb: dwc2: Fix interval type issue
+
+From: Grigor Tovmasyan <Grigor.Tovmasyan@synopsys.com>
+
+[ Upstream commit 12814a3f8f9b247531d7863170cc82b3fe4218fd ]
+
+The maximum value that unsigned char can hold is 255, meanwhile
+the maximum value of interval is 2^(bIntervalMax-1)=2^15.
+
+Signed-off-by: Grigor Tovmasyan <tovmasya@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/core.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc2/core.h
++++ b/drivers/usb/dwc2/core.h
+@@ -216,7 +216,7 @@ struct dwc2_hsotg_ep {
+ unsigned char dir_in;
+ unsigned char index;
+ unsigned char mc;
+- unsigned char interval;
++ u16 interval;
+
+ unsigned int halted:1;
+ unsigned int periodic:1;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Minas Harutyunyan <hminas@synopsys.com>
+Date: Fri, 19 Jan 2018 14:43:53 +0400
+Subject: usb: dwc2: hcd: Fix host channel halt flow
+
+From: Minas Harutyunyan <hminas@synopsys.com>
+
+[ Upstream commit a82c7abdf8fc3b09c4a0ed2eee6d43ecef2ccdb0 ]
+
+According databook in Buffer and External DMA mode
+non-split periodic channels can't be halted.
+
+Acked-by: John Youn <johnyoun@synopsys.com>
+Signed-off-by: Minas Harutyunyan <hminas@synopsys.com>
+Signed-off-by: Grigor Tovmasyan <tovmasya@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/hcd.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/usb/dwc2/hcd.c
++++ b/drivers/usb/dwc2/hcd.c
+@@ -979,6 +979,24 @@ void dwc2_hc_halt(struct dwc2_hsotg *hso
+
+ if (dbg_hc(chan))
+ dev_vdbg(hsotg->dev, "%s()\n", __func__);
++
++ /*
++ * In buffer DMA or external DMA mode channel can't be halted
++ * for non-split periodic channels. At the end of the next
++ * uframe/frame (in the worst case), the core generates a channel
++ * halted and disables the channel automatically.
++ */
++ if ((hsotg->params.g_dma && !hsotg->params.g_dma_desc) ||
++ hsotg->hw_params.arch == GHWCFG2_EXT_DMA_ARCH) {
++ if (!chan->do_split &&
++ (chan->ep_type == USB_ENDPOINT_XFER_ISOC ||
++ chan->ep_type == USB_ENDPOINT_XFER_INT)) {
++ dev_err(hsotg->dev, "%s() Channel can't be halted\n",
++ __func__);
++ return;
++ }
++ }
++
+ if (halt_status == DWC2_HC_XFER_NO_HALT_STATUS)
+ dev_err(hsotg->dev, "!!! halt_status = %d !!!\n", halt_status);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Minas Harutyunyan <hminas@synopsys.com>
+Date: Fri, 19 Jan 2018 14:44:20 +0400
+Subject: usb: dwc2: host: Fix transaction errors in host mode
+
+From: Minas Harutyunyan <hminas@synopsys.com>
+
+[ Upstream commit 92a8dd26464e1f21f1d869ec53717bd2c1200d63 ]
+
+Added missing GUSBCFG programming in host mode, which fixes
+transaction errors issue on HiKey and Altera Cyclone V boards.
+
+These field even if was programmed in device mode (in function
+dwc2_hsotg_core_init_disconnected()) will be resetting to POR values
+after core soft reset applied.
+So, each time when switching to host mode required to set this field
+to correct value.
+
+Acked-by: John Youn <johnyoun@synopsys.com>
+Signed-off-by: Minas Harutyunyan <hminas@synopsys.com>
+Signed-off-by: Grigor Tovmasyan <tovmasya@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/hcd.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc2/hcd.c
++++ b/drivers/usb/dwc2/hcd.c
+@@ -2329,10 +2329,22 @@ static int dwc2_core_init(struct dwc2_hs
+ */
+ static void dwc2_core_host_init(struct dwc2_hsotg *hsotg)
+ {
+- u32 hcfg, hfir, otgctl;
++ u32 hcfg, hfir, otgctl, usbcfg;
+
+ dev_dbg(hsotg->dev, "%s(%p)\n", __func__, hsotg);
+
++ /* Set HS/FS Timeout Calibration to 7 (max available value).
++ * The number of PHY clocks that the application programs in
++ * this field is added to the high/full speed interpacket timeout
++ * duration in the core to account for any additional delays
++ * introduced by the PHY. This can be required, because the delay
++ * introduced by the PHY in generating the linestate condition
++ * can vary from one PHY to another.
++ */
++ usbcfg = dwc2_readl(hsotg->regs + GUSBCFG);
++ usbcfg |= GUSBCFG_TOUTCAL(7);
++ dwc2_writel(usbcfg, hsotg->regs + GUSBCFG);
++
+ /* Restart the Phy Clock */
+ dwc2_writel(0, hsotg->regs + PCGCTL);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Fri, 16 Mar 2018 15:33:48 -0700
+Subject: usb: dwc3: Add SoftReset PHY synchonization delay
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+[ Upstream commit fab3833338779e1e668bd58d1f76d601657304b8 ]
+
+>From DWC_usb31 programming guide section 1.3.2, once DWC3_DCTL_CSFTRST
+bit is cleared, we must wait at least 50ms before accessing the PHY
+domain (synchronization delay).
+
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -243,7 +243,7 @@ static int dwc3_core_soft_reset(struct d
+ do {
+ reg = dwc3_readl(dwc->regs, DWC3_DCTL);
+ if (!(reg & DWC3_DCTL_CSFTRST))
+- return 0;
++ goto done;
+
+ udelay(1);
+ } while (--retries);
+@@ -252,6 +252,17 @@ static int dwc3_core_soft_reset(struct d
+ phy_exit(dwc->usb2_generic_phy);
+
+ return -ETIMEDOUT;
++
++done:
++ /*
++ * For DWC_usb31 controller, once DWC3_DCTL_CSFTRST bit is cleared,
++ * we must wait at least 50ms before accessing the PHY domain
++ * (synchronization delay). DWC_usb31 programming guide section 1.3.2.
++ */
++ if (dwc3_is_usb31(dwc))
++ msleep(50);
++
++ return 0;
+ }
+
+ /*
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+Date: Thu, 22 Mar 2018 10:45:20 +0200
+Subject: usb: dwc3: Makefile: fix link error on randconfig
+
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+[ Upstream commit de948a74ad6f0eefddf36d765b8f2dd6df82caa0 ]
+
+If building a kernel without FTRACE but with TRACING, dwc3.ko fails to
+link due to missing trace events. Fix this by using the correct
+Kconfig symbol on Makefile.
+
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/Makefile
++++ b/drivers/usb/dwc3/Makefile
+@@ -6,7 +6,7 @@ obj-$(CONFIG_USB_DWC3) += dwc3.o
+
+ dwc3-y := core.o
+
+-ifneq ($(CONFIG_FTRACE),)
++ifneq ($(CONFIG_TRACING),)
+ dwc3-y += trace.o
+ endif
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Roger Quadros <rogerq@ti.com>
+Date: Mon, 22 Jan 2018 15:01:42 +0200
+Subject: usb: dwc3: omap: don't miss events during suspend/resume
+
+From: Roger Quadros <rogerq@ti.com>
+
+[ Upstream commit c49f63055e252810e5d6c83a4943b18db16b3cd8 ]
+
+The USB cable state can change during suspend/resume
+so be sure to check and update the extcon state.
+
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/dwc3-omap.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-omap.c
++++ b/drivers/usb/dwc3/dwc3-omap.c
+@@ -590,9 +590,25 @@ static int dwc3_omap_resume(struct devic
+ return 0;
+ }
+
++static void dwc3_omap_complete(struct device *dev)
++{
++ struct dwc3_omap *omap = dev_get_drvdata(dev);
++
++ if (extcon_get_state(omap->edev, EXTCON_USB))
++ dwc3_omap_set_mailbox(omap, OMAP_DWC3_VBUS_VALID);
++ else
++ dwc3_omap_set_mailbox(omap, OMAP_DWC3_VBUS_OFF);
++
++ if (extcon_get_state(omap->edev, EXTCON_USB_HOST))
++ dwc3_omap_set_mailbox(omap, OMAP_DWC3_ID_GROUND);
++ else
++ dwc3_omap_set_mailbox(omap, OMAP_DWC3_ID_FLOAT);
++}
++
+ static const struct dev_pm_ops dwc3_omap_dev_pm_ops = {
+
+ SET_SYSTEM_SLEEP_PM_OPS(dwc3_omap_suspend, dwc3_omap_resume)
++ .complete = dwc3_omap_complete,
+ };
+
+ #define DEV_PM_OPS (&dwc3_omap_dev_pm_ops)
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Brian Norris <briannorris@chromium.org>
+Date: Wed, 17 Jan 2018 13:22:49 -0800
+Subject: usb: dwc3: Undo PHY init if soft reset fails
+
+From: Brian Norris <briannorris@chromium.org>
+
+[ Upstream commit 00b42170c86f90ac9dea83a7dfcd3f0c38098fe2 ]
+
+In this function, we init the USB2 and USB3 PHYs, but if soft reset
+times out, we don't unwind this.
+
+Noticed by inspection.
+
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -248,6 +248,9 @@ static int dwc3_core_soft_reset(struct d
+ udelay(1);
+ } while (--retries);
+
++ phy_exit(dwc->usb3_generic_phy);
++ phy_exit(dwc->usb2_generic_phy);
++
+ return -ETIMEDOUT;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Fri, 16 Mar 2018 15:33:54 -0700
+Subject: usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+[ Upstream commit 0cab8d26d6e5e053b2bed3356992aaa71dc93628 ]
+
+Update two GTXFIFOSIZ bit fields for the DWC_usb31 controller. TXFDEP
+is a 15-bit value instead of 16-bit value, and bit 15 is TXFRAMNUM.
+
+The GTXFIFOSIZ register for DWC_usb31 is as follows:
+ +-------+-----------+----------------------------------+
+ | BITS | Name | Description |
+ +=======+===========+==================================+
+ | 31:16 | TXFSTADDR | Transmit FIFOn RAM Start Address |
+ | 15 | TXFRAMNUM | Asynchronous/Periodic TXFIFO |
+ | 14:0 | TXFDEP | TXFIFO Depth |
+ +-------+-----------+----------------------------------+
+
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -249,6 +249,8 @@
+ #define DWC3_GUSB3PIPECTL_TX_DEEPH(n) ((n) << 1)
+
+ /* Global TX Fifo Size Register */
++#define DWC31_GTXFIFOSIZ_TXFRAMNUM BIT(15) /* DWC_usb31 only */
++#define DWC31_GTXFIFOSIZ_TXFDEF(n) ((n) & 0x7fff) /* DWC_usb31 only */
+ #define DWC3_GTXFIFOSIZ_TXFDEF(n) ((n) & 0xffff)
+ #define DWC3_GTXFIFOSIZ_TXFSTADDR(n) ((n) & 0xffff0000)
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Chris Dickens <christopher.a.dickens@gmail.com>
+Date: Sun, 31 Dec 2017 18:59:42 -0800
+Subject: usb: gadget: composite: fix incorrect handling of OS desc requests
+
+From: Chris Dickens <christopher.a.dickens@gmail.com>
+
+[ Upstream commit 5d6ae4f0da8a64a185074dabb1b2f8c148efa741 ]
+
+When handling an OS descriptor request, one of the first operations is
+to zero out the request buffer using the wLength from the setup packet.
+There is no bounds checking, so a wLength > 4096 would clobber memory
+adjacent to the request buffer. Fix this by taking the min of wLength
+and the request buffer length prior to the memset. While at it, define
+the buffer length in a header file so that magic numbers don't appear
+throughout the code.
+
+When returning data to the host, the data length should be the min of
+the wLength and the valid data we have to return. Currently we are
+returning wLength, thus requests for a wLength greater than the amount
+of data in the OS descriptor buffer would return invalid (albeit zero'd)
+data following the valid descriptor data. Fix this by counting the
+number of bytes when constructing the data and using this when
+determining the length of the request.
+
+Signed-off-by: Chris Dickens <christopher.a.dickens@gmail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/composite.c | 40 +++++++++++++++++++---------------------
+ include/linux/usb/composite.h | 3 +++
+ 2 files changed, 22 insertions(+), 21 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1425,7 +1425,7 @@ static int count_ext_compat(struct usb_c
+ return res;
+ }
+
+-static void fill_ext_compat(struct usb_configuration *c, u8 *buf)
++static int fill_ext_compat(struct usb_configuration *c, u8 *buf)
+ {
+ int i, count;
+
+@@ -1452,10 +1452,12 @@ static void fill_ext_compat(struct usb_c
+ buf += 23;
+ }
+ count += 24;
+- if (count >= 4096)
+- return;
++ if (count + 24 >= USB_COMP_EP0_OS_DESC_BUFSIZ)
++ return count;
+ }
+ }
++
++ return count;
+ }
+
+ static int count_ext_prop(struct usb_configuration *c, int interface)
+@@ -1500,25 +1502,20 @@ static int fill_ext_prop(struct usb_conf
+ struct usb_os_desc *d;
+ struct usb_os_desc_ext_prop *ext_prop;
+ int j, count, n, ret;
+- u8 *start = buf;
+
+ f = c->interface[interface];
++ count = 10; /* header length */
+ for (j = 0; j < f->os_desc_n; ++j) {
+ if (interface != f->os_desc_table[j].if_id)
+ continue;
+ d = f->os_desc_table[j].os_desc;
+ if (d)
+ list_for_each_entry(ext_prop, &d->ext_prop, entry) {
+- /* 4kB minus header length */
+- n = buf - start;
+- if (n >= 4086)
+- return 0;
+-
+- count = ext_prop->data_len +
++ n = ext_prop->data_len +
+ ext_prop->name_len + 14;
+- if (count > 4086 - n)
+- return -EINVAL;
+- usb_ext_prop_put_size(buf, count);
++ if (count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ)
++ return count;
++ usb_ext_prop_put_size(buf, n);
+ usb_ext_prop_put_type(buf, ext_prop->type);
+ ret = usb_ext_prop_put_name(buf, ext_prop->name,
+ ext_prop->name_len);
+@@ -1544,11 +1541,12 @@ static int fill_ext_prop(struct usb_conf
+ default:
+ return -EINVAL;
+ }
+- buf += count;
++ buf += n;
++ count += n;
+ }
+ }
+
+- return 0;
++ return count;
+ }
+
+ /*
+@@ -1830,6 +1828,7 @@ unknown:
+ req->complete = composite_setup_complete;
+ buf = req->buf;
+ os_desc_cfg = cdev->os_desc_config;
++ w_length = min_t(u16, w_length, USB_COMP_EP0_OS_DESC_BUFSIZ);
+ memset(buf, 0, w_length);
+ buf[5] = 0x01;
+ switch (ctrl->bRequestType & USB_RECIP_MASK) {
+@@ -1853,8 +1852,8 @@ unknown:
+ count += 16; /* header */
+ put_unaligned_le32(count, buf);
+ buf += 16;
+- fill_ext_compat(os_desc_cfg, buf);
+- value = w_length;
++ value = fill_ext_compat(os_desc_cfg, buf);
++ value = min_t(u16, w_length, value);
+ }
+ break;
+ case USB_RECIP_INTERFACE:
+@@ -1883,8 +1882,7 @@ unknown:
+ interface, buf);
+ if (value < 0)
+ return value;
+-
+- value = w_length;
++ value = min_t(u16, w_length, value);
+ }
+ break;
+ }
+@@ -2159,8 +2157,8 @@ int composite_os_desc_req_prepare(struct
+ goto end;
+ }
+
+- /* OS feature descriptor length <= 4kB */
+- cdev->os_desc_req->buf = kmalloc(4096, GFP_KERNEL);
++ cdev->os_desc_req->buf = kmalloc(USB_COMP_EP0_OS_DESC_BUFSIZ,
++ GFP_KERNEL);
+ if (!cdev->os_desc_req->buf) {
+ ret = -ENOMEM;
+ usb_ep_free_request(ep0, cdev->os_desc_req);
+--- a/include/linux/usb/composite.h
++++ b/include/linux/usb/composite.h
+@@ -53,6 +53,9 @@
+ /* big enough to hold our biggest descriptor */
+ #define USB_COMP_EP0_BUFSIZ 1024
+
++/* OS feature descriptor length <= 4kB */
++#define USB_COMP_EP0_OS_DESC_BUFSIZ 4096
++
+ #define USB_MS_TO_HS_INTERVAL(x) (ilog2((x * 1000 / 125)) + 1)
+ struct usb_configuration;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Manu Gautam <mgautam@codeaurora.org>
+Date: Thu, 21 Dec 2017 09:54:25 +0530
+Subject: usb: gadget: core: Fix use-after-free of usb_request
+
+From: Manu Gautam <mgautam@codeaurora.org>
+
+[ Upstream commit e74bd4d358e5455233f1dcc3975425905b270b91 ]
+
+Driver is tracing usb_request after freeing it.
+Fix it by changing the order.
+
+Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -191,8 +191,8 @@ EXPORT_SYMBOL_GPL(usb_ep_alloc_request);
+ void usb_ep_free_request(struct usb_ep *ep,
+ struct usb_request *req)
+ {
+- ep->ops->free_request(ep, req);
+ trace_usb_ep_free_request(ep, req, 0);
++ ep->ops->free_request(ep, req);
+ }
+ EXPORT_SYMBOL_GPL(usb_ep_free_request);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: John Keeping <john@metanate.com>
+Date: Fri, 12 Jan 2018 18:43:32 +0000
+Subject: usb: gadget: f_uac2: fix bFirstInterface in composite gadget
+
+From: John Keeping <john@metanate.com>
+
+[ Upstream commit 8813a59ed892305b5ac1b5b901740b1ad4b5fefa ]
+
+If there are multiple functions associated with a configuration, then
+the UAC2 interfaces may not start at zero. Set the correct first
+interface number in the association descriptor so that the audio
+interfaces are enumerated correctly in this case.
+
+Reviewed-by: Krzysztof Opasiak <k.opasiak@samsung.com>
+Signed-off-by: John Keeping <john@metanate.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_uac2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -528,6 +528,8 @@ afunc_bind(struct usb_configuration *cfg
+ dev_err(dev, "%s:%d Error!\n", __func__, __LINE__);
+ return ret;
+ }
++ iad_desc.bFirstInterface = ret;
++
+ std_ac_if_desc.bInterfaceNumber = ret;
+ uac2->ac_intf = ret;
+ uac2->ac_alt = 0;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Fri, 12 Jan 2018 11:05:02 +0100
+Subject: usb: gadget: ffs: Execute copy_to_user() with USER_DS set
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+[ Upstream commit 4058ebf33cb0be88ca516f968eda24ab7b6b93e4 ]
+
+When using a AIO read() operation on the function FS gadget driver a URB is
+submitted asynchronously and on URB completion the received data is copied
+to the userspace buffer associated with the read operation.
+
+This is done from a kernel worker thread invoking copy_to_user() (through
+copy_to_iter()). And while the user space process memory is made available
+to the kernel thread using use_mm(), some architecture require in addition
+to this that the operation runs with USER_DS set. Otherwise the userspace
+memory access will fail.
+
+For example on ARM64 with Privileged Access Never (PAN) and User Access
+Override (UAO) enabled the following crash occurs.
+
+ Internal error: Accessing user space memory with fs=KERNEL_DS: 9600004f [#1] SMP
+ Modules linked in:
+ CPU: 2 PID: 1636 Comm: kworker/2:1 Not tainted 4.9.0-04081-g8ab2dfb-dirty #487
+ Hardware name: ZynqMP ZCU102 Rev1.0 (DT)
+ Workqueue: events ffs_user_copy_worker
+ task: ffffffc87afc8080 task.stack: ffffffc87a00c000
+ PC is at __arch_copy_to_user+0x190/0x220
+ LR is at copy_to_iter+0x78/0x3c8
+ [...]
+ [<ffffff800847b790>] __arch_copy_to_user+0x190/0x220
+ [<ffffff80086f25d8>] ffs_user_copy_worker+0x70/0x130
+ [<ffffff80080b8c64>] process_one_work+0x1dc/0x460
+ [<ffffff80080b8f38>] worker_thread+0x50/0x4b0
+ [<ffffff80080bf5a0>] kthread+0xd8/0xf0
+ [<ffffff8008083680>] ret_from_fork+0x10/0x50
+
+Address this by placing a set_fs(USER_DS) before of the copy operation
+and revert it again once the copy operation has finished.
+
+This patch is analogous to commit d7ffde35e31a ("vhost: use USER_DS in
+vhost_worker thread") which addresses the same underlying issue.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -759,9 +759,13 @@ static void ffs_user_copy_worker(struct
+ bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD;
+
+ if (io_data->read && ret > 0) {
++ mm_segment_t oldfs = get_fs();
++
++ set_fs(USER_DS);
+ use_mm(io_data->mm);
+ ret = ffs_copy_to_iter(io_data->buf, ret, &io_data->data);
+ unuse_mm(io_data->mm);
++ set_fs(oldfs);
+ }
+
+ io_data->kiocb->ki_complete(io_data->kiocb, ret, ret);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Fri, 12 Jan 2018 11:26:16 +0100
+Subject: usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+[ Upstream commit 946ef68ad4e45aa048a5fb41ce8823ed29da866a ]
+
+Some UDC drivers (like the DWC3) expect that the response to a setup()
+request is queued from within the setup function itself so that it is
+available as soon as setup() has completed.
+
+Upon receiving a setup request the function fs driver creates an event that
+is made available to userspace. And only once userspace has acknowledged
+that event the response to the setup request is queued.
+
+So it violates the requirement of those UDC drivers and random failures can
+be observed. This is basically a race condition and if userspace is able to
+read the event and queue the response fast enough all is good. But if it is
+not, for example because other processes are currently scheduled to run,
+the USB host that sent the setup request will observe an error.
+
+To avoid this the gadget framework provides the USB_GADGET_DELAYED_STATUS
+return code. If a setup() callback returns this value the UDC driver is
+aware that response is not yet available and can uses the appropriate
+methods to handle this case.
+
+Since in the case of function fs the response will never be available when
+the setup() function returns make sure that this status code is used.
+
+This fixed random occasional failures that were previously observed on a
+DWC3 based system under high system load.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -3239,7 +3239,7 @@ static int ffs_func_setup(struct usb_fun
+ __ffs_event_add(ffs, FUNCTIONFS_SETUP);
+ spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
+
+- return 0;
++ return USB_GADGET_DELAYED_STATUS;
+ }
+
+ static bool ffs_func_req_match(struct usb_function *f,
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Stefan Agner <stefan@agner.ch>
+Date: Mon, 12 Feb 2018 00:14:42 +0100
+Subject: usb: gadget: fsl_udc_core: fix ep valid checks
+
+From: Stefan Agner <stefan@agner.ch>
+
+[ Upstream commit 20c63f4089cceab803438c383631963e34c4d8e5 ]
+
+Clang reports the following warning:
+ drivers/usb/gadget/udc/fsl_udc_core.c:1312:10: warning: address of array
+ 'ep->name' will always evaluate to 'true' [-Wpointer-bool-conversion]
+ if (ep->name)
+ ~~ ~~~~^~~~
+
+It seems that the authors intention was to check if the ep has been
+configured through struct_ep_setup. Check whether struct usb_ep name
+pointer has been set instead.
+
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/fsl_udc_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/udc/fsl_udc_core.c
++++ b/drivers/usb/gadget/udc/fsl_udc_core.c
+@@ -1309,7 +1309,7 @@ static void udc_reset_ep_queue(struct fs
+ {
+ struct fsl_ep *ep = get_ep_by_pipe(udc, pipe);
+
+- if (ep->name)
++ if (ep->ep.name)
+ nuke(ep, -ESHUTDOWN);
+ }
+
+@@ -1697,7 +1697,7 @@ static void dtd_complete_irq(struct fsl_
+ curr_ep = get_ep_by_pipe(udc, i);
+
+ /* If the ep is configured */
+- if (curr_ep->name == NULL) {
++ if (!curr_ep->ep.name) {
+ WARNING("Invalid EP?");
+ continue;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Tue, 6 Feb 2018 09:50:40 +0100
+Subject: usb: gadget: udc: change comparison to bitshift when dealing with a mask
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit ac87e560f7c0f91b62012e9a159c0681a373b922 ]
+
+Due to a typo, the mask was destroyed by a comparison instead of a bit
+shift.
+
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/goku_udc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/goku_udc.h
++++ b/drivers/usb/gadget/udc/goku_udc.h
+@@ -28,7 +28,7 @@ struct goku_udc_regs {
+ # define INT_EP1DATASET 0x00040
+ # define INT_EP2DATASET 0x00080
+ # define INT_EP3DATASET 0x00100
+-#define INT_EPnNAK(n) (0x00100 < (n)) /* 0 < n < 4 */
++#define INT_EPnNAK(n) (0x00100 << (n)) /* 0 < n < 4 */
+ # define INT_EP1NAK 0x00200
+ # define INT_EP2NAK 0x00400
+ # define INT_EP3NAK 0x00800
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Thu, 8 Mar 2018 17:17:16 +0200
+Subject: usb: host: xhci-plat: revert "usb: host: xhci-plat: enable clk in resume timing"
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit d56e57ca030c8b4296944a2ae61ac167bf979c07 ]
+
+This patch reverts the commit 835e4241e714 ("usb: host: xhci-plat:
+enable clk in resume timing") because this driver also has runtime PM
+and the commit 560869100b99 ("clk: renesas: cpg-mssr: Restore module
+clocks during resume") will restore the clock on R-Car H3 environment.
+
+If the xhci_plat_suspend() disables the clk, the system cannot enable
+the clk in resume like the following behavior:
+
+< In resume >
+ - genpd_resume_noirq() runs and enable the clk (enable_count = 1)
+ - cpg_mssr_resume_noirq() restores the clk register.
+ -- Since the clk was disabled in suspend, cpg_mssr_resume_noirq()
+ will disable the clk and keep the enable_count.
+ - Even if xhci_plat_resume() calls clk_prepare_enable(), since
+ the enable_count is 1, the clk will be not enabled.
+
+After this patch is applied, the cpg-mssr driver will save the clk
+as enable, so the clk will be enabled in resume.
+
+Fixes: 835e4241e714 ("usb: host: xhci-plat: enable clk in resume timing")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-plat.c | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -355,7 +355,6 @@ static int __maybe_unused xhci_plat_susp
+ {
+ struct usb_hcd *hcd = dev_get_drvdata(dev);
+ struct xhci_hcd *xhci = hcd_to_xhci(hcd);
+- int ret;
+
+ /*
+ * xhci_suspend() needs `do_wakeup` to know whether host is allowed
+@@ -365,12 +364,7 @@ static int __maybe_unused xhci_plat_susp
+ * reconsider this when xhci_plat_suspend enlarges its scope, e.g.,
+ * also applies to runtime suspend.
+ */
+- ret = xhci_suspend(xhci, device_may_wakeup(dev));
+-
+- if (!device_may_wakeup(dev) && !IS_ERR(xhci->clk))
+- clk_disable_unprepare(xhci->clk);
+-
+- return ret;
++ return xhci_suspend(xhci, device_may_wakeup(dev));
+ }
+
+ static int __maybe_unused xhci_plat_resume(struct device *dev)
+@@ -379,9 +373,6 @@ static int __maybe_unused xhci_plat_resu
+ struct xhci_hcd *xhci = hcd_to_xhci(hcd);
+ int ret;
+
+- if (!device_may_wakeup(dev) && !IS_ERR(xhci->clk))
+- clk_prepare_enable(xhci->clk);
+-
+ ret = xhci_priv_resume_quirk(hcd);
+ if (ret)
+ return ret;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Fredrik Noring <noring@nocrew.org>
+Date: Fri, 9 Mar 2018 18:34:34 +0100
+Subject: USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM
+
+From: Fredrik Noring <noring@nocrew.org>
+
+[ Upstream commit d6c931ea32dc08ac2665bb5f009f9c40ad1bbdb3 ]
+
+Scatter-gather needs to be disabled when using dma_declare_coherent_memory
+and HCD_LOCAL_MEM. Andrea Righi made the equivalent fix for EHCI drivers
+in commit 4307a28eb01284 "USB: EHCI: fix NULL pointer dererence in HCDs
+that use HCD_LOCAL_MEM".
+
+The following NULL pointer WARN_ON_ONCE triggered with OHCI drivers:
+
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 49 at drivers/usb/core/hcd.c:1379 hcd_alloc_coherent+0x4c/0xc8
+Modules linked in:
+CPU: 0 PID: 49 Comm: usb-storage Not tainted 4.15.0+ #1014
+Stack : 00000000 00000000 805a78d2 0000003a 81f5c2cc 8053d367 804d77fc 00000031
+ 805a3a08 00000563 81ee9400 805a0000 00000000 10058c00 81f61b10 805c0000
+ 00000000 00000000 805a0000 00d9038e 00000004 803ee818 00000006 312e3420
+ 805c0000 00000000 00000073 81f61958 00000000 00000000 802eb380 804fd538
+ 00000009 00000563 81ee9400 805a0000 00000002 80056148 00000000 805a0000
+ ...
+Call Trace:
+[<578af360>] show_stack+0x74/0x104
+[<2f3702c6>] __warn+0x118/0x120
+[<ae93fc9e>] warn_slowpath_null+0x44/0x58
+[<a891a517>] hcd_alloc_coherent+0x4c/0xc8
+[<3578fa36>] usb_hcd_map_urb_for_dma+0x4d8/0x534
+[<110bc94c>] usb_hcd_submit_urb+0x82c/0x834
+[<02eb5baf>] usb_sg_wait+0x14c/0x1a0
+[<ccd09e85>] usb_stor_bulk_transfer_sglist.part.1+0xac/0x124
+[<87a5c34c>] usb_stor_bulk_srb+0x40/0x60
+[<ff1792ac>] usb_stor_Bulk_transport+0x160/0x37c
+[<b9e2709c>] usb_stor_invoke_transport+0x3c/0x500
+[<004754f4>] usb_stor_control_thread+0x258/0x28c
+[<22edf42e>] kthread+0x134/0x13c
+[<a419ffd0>] ret_from_kernel_thread+0x14/0x1c
+---[ end trace bcdb825805eefdcc ]---
+
+Signed-off-by: Fredrik Noring <noring@nocrew.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/ohci-hcd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/ohci-hcd.c
++++ b/drivers/usb/host/ohci-hcd.c
+@@ -446,7 +446,8 @@ static int ohci_init (struct ohci_hcd *o
+ struct usb_hcd *hcd = ohci_to_hcd(ohci);
+
+ /* Accept arbitrarily long scatter-gather lists */
+- hcd->self.sg_tablesize = ~0;
++ if (!(hcd->driver->flags & HCD_LOCAL_MEM))
++ hcd->self.sg_tablesize = ~0;
+
+ if (distrust_firmware)
+ ohci->flags |= OHCI_QUIRK_HUB_POWER;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Kristian Evensen <kristian.evensen@gmail.com>
+Date: Thu, 1 Feb 2018 10:32:32 +0100
+Subject: USB: serial: option: Add support for Quectel EP06
+
+From: Kristian Evensen <kristian.evensen@gmail.com>
+
+[ Upstream commit 71a0483d56e784b1e11f38f10d7e22d265dbe244 ]
+
+The Quectel EP06 is a Cat. 6 LTE modem, and the interface mapping is as
+follows:
+
+0: Diag
+1: NMEA
+2: AT
+3: Modem
+
+Interface 4 is QMI and interface 5 is ADB, so they are blacklisted.
+
+This patch should also be considered for -stable. The QMI-patch for this
+modem is already in the -stable-queue.
+
+v1->v2:
+* Updated commit prefix (thanks Johan Hovold)
+* Updated commit message slightly.
+
+Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
+Acked-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -244,6 +244,7 @@ static void option_instat_callback(struc
+ #define QUECTEL_PRODUCT_EC21 0x0121
+ #define QUECTEL_PRODUCT_EC25 0x0125
+ #define QUECTEL_PRODUCT_BG96 0x0296
++#define QUECTEL_PRODUCT_EP06 0x0306
+
+ #define CMOTECH_VENDOR_ID 0x16d8
+ #define CMOTECH_PRODUCT_6001 0x6001
+@@ -692,6 +693,10 @@ static const struct option_blacklist_inf
+ .reserved = BIT(1) | BIT(4),
+ };
+
++static const struct option_blacklist_info quectel_ep06_blacklist = {
++ .reserved = BIT(4) | BIT(5),
++};
++
+ static const struct usb_device_id option_ids[] = {
+ { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) },
+ { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_RICOLA) },
+@@ -1206,6 +1211,8 @@ static const struct usb_device_id option
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+ { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_BG96),
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
++ { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EP06),
++ .driver_info = (kernel_ulong_t)&quectel_ep06_blacklist },
+ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
+ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },
+ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003),
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 29 Jan 2018 00:04:18 +0000
+Subject: usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+[ Upstream commit 351a8d4837ae0d61744e64262c3a80ab92ff3e42 ]
+
+Now that usbip supports USB3, the maximum number of ports allowed
+on a hub is 15 (USB_SS_MAXPORTS), not 31 (USB_MAXCHILDREN).
+
+Reported-by: Gianluigi Tiesi <sherpya@netfarm.it>
+Reported-by: Borissh1983 <borissh1983@gmail.com>
+References: https://bugs.debian.org/878866
+Fixes: 1c9de5bf4286 ("usbip: vhci-hcd: Add USB3 SuperSpeed support")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/usbip/Kconfig
++++ b/drivers/usb/usbip/Kconfig
+@@ -27,7 +27,7 @@ config USBIP_VHCI_HCD
+
+ config USBIP_VHCI_HC_PORTS
+ int "Number of ports per USB/IP virtual host controller"
+- range 1 31
++ range 1 15
+ default 8
+ depends on USBIP_VHCI_HCD
+ ---help---
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Cornelia Huck <cohuck@redhat.com>
+Date: Thu, 22 Feb 2018 15:35:43 +0100
+Subject: vfio-ccw: fence off transport mode
+
+From: Cornelia Huck <cohuck@redhat.com>
+
+[ Upstream commit 9851bc77e62499957567e7c39a5beba7d6de6296 ]
+
+vfio-ccw only supports command mode for channel programs, not transport
+mode. User space is supposed to already take care of that and pass us
+command-mode ORBs only, but better make sure and return an error to
+the caller instead of trying to process tcws as ccws.
+
+Reviewed-by: Dong Jia Shi <bjsdjshi@linux.vnet.ibm.com>
+Acked-by: Halil Pasic <pasic@linux.vnet.ibm.com>
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/cio/vfio_ccw_fsm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/s390/cio/vfio_ccw_fsm.c
++++ b/drivers/s390/cio/vfio_ccw_fsm.c
+@@ -129,6 +129,11 @@ static void fsm_io_request(struct vfio_c
+ if (scsw->cmd.fctl & SCSW_FCTL_START_FUNC) {
+ orb = (union orb *)io_region->orb_area;
+
++ /* Don't try to build a cp if transport mode is specified. */
++ if (orb->tm.b) {
++ io_region->ret_code = -EOPNOTSUPP;
++ goto err_out;
++ }
+ io_region->ret_code = cp_init(&private->cp, mdev_dev(mdev),
+ orb);
+ if (io_region->ret_code)
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Dave Airlie <airlied@redhat.com>
+Date: Wed, 21 Feb 2018 11:50:03 +1000
+Subject: virtio-gpu: fix ioctl and expose the fixed status to userspace.
+
+From: Dave Airlie <airlied@redhat.com>
+
+[ Upstream commit 9a191b114906457c4b2494c474f58ae4142d4e67 ]
+
+This exposes to mesa that it can use the fixed ioctl for querying
+later cap sets, cap set 1 is forever frozen in time.
+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20180221015003.22884-1-airlied@gmail.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_ioctl.c | 17 +++++++++++------
+ include/uapi/drm/virtgpu_drm.h | 1 +
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c
++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+@@ -196,6 +196,9 @@ static int virtio_gpu_getparam_ioctl(str
+ case VIRTGPU_PARAM_3D_FEATURES:
+ value = vgdev->has_virgl_3d == true ? 1 : 0;
+ break;
++ case VIRTGPU_PARAM_CAPSET_QUERY_FIX:
++ value = 1;
++ break;
+ default:
+ return -EINVAL;
+ }
+@@ -471,7 +474,7 @@ static int virtio_gpu_get_caps_ioctl(str
+ {
+ struct virtio_gpu_device *vgdev = dev->dev_private;
+ struct drm_virtgpu_get_caps *args = data;
+- int size;
++ unsigned size, host_caps_size;
+ int i;
+ int found_valid = -1;
+ int ret;
+@@ -480,6 +483,10 @@ static int virtio_gpu_get_caps_ioctl(str
+ if (vgdev->num_capsets == 0)
+ return -ENOSYS;
+
++ /* don't allow userspace to pass 0 */
++ if (args->size == 0)
++ return -EINVAL;
++
+ spin_lock(&vgdev->display_info_lock);
+ for (i = 0; i < vgdev->num_capsets; i++) {
+ if (vgdev->capsets[i].id == args->cap_set_id) {
+@@ -495,11 +502,9 @@ static int virtio_gpu_get_caps_ioctl(str
+ return -EINVAL;
+ }
+
+- size = vgdev->capsets[found_valid].max_size;
+- if (args->size > size) {
+- spin_unlock(&vgdev->display_info_lock);
+- return -EINVAL;
+- }
++ host_caps_size = vgdev->capsets[found_valid].max_size;
++ /* only copy to user the minimum of the host caps size or the guest caps size */
++ size = min(args->size, host_caps_size);
+
+ list_for_each_entry(cache_ent, &vgdev->cap_cache, head) {
+ if (cache_ent->id == args->cap_set_id &&
+--- a/include/uapi/drm/virtgpu_drm.h
++++ b/include/uapi/drm/virtgpu_drm.h
+@@ -63,6 +63,7 @@ struct drm_virtgpu_execbuffer {
+ };
+
+ #define VIRTGPU_PARAM_3D_FEATURES 1 /* do we have 3D features in the hw */
++#define VIRTGPU_PARAM_CAPSET_QUERY_FIX 2 /* do we have the capset fix */
+
+ struct drm_virtgpu_getparam {
+ __u64 param;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jay Vosburgh <jay.vosburgh@canonical.com>
+Date: Thu, 22 Mar 2018 14:42:41 +0000
+Subject: virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS
+
+From: Jay Vosburgh <jay.vosburgh@canonical.com>
+
+[ Upstream commit bda7fab54828bbef2164bb23c0f6b1a7d05cc718 ]
+
+The operstate update logic will leave an interface in the
+default UNKNOWN operstate if the interface carrier state never changes
+from the default carrier up state set at creation. This includes the
+case of an explicit call to netif_carrier_on, as the carrier on to on
+transition has no effect on operstate.
+
+ This affects virtio-net for the case that the virtio peer does
+not support VIRTIO_NET_F_STATUS (the feature that provides carrier state
+updates). Without this feature, the virtio specification states that
+"the link should be assumed active," so, logically, the operstate should
+be UP instead of UNKNOWN. This has impact on user space applications
+that use the operstate to make availability decisions for the interface.
+
+ Resolve this by changing the virtio probe logic slightly to call
+netif_carrier_off for both the "with" and "without" VIRTIO_NET_F_STATUS
+cases, and then the existing call to netif_carrier_on for the "without"
+case will cause an operstate transition.
+
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -2655,8 +2655,8 @@ static int virtnet_probe(struct virtio_d
+
+ /* Assume link up if device can't report link status,
+ otherwise get link status from config. */
++ netif_carrier_off(dev);
+ if (virtio_has_feature(vi->vdev, VIRTIO_NET_F_STATUS)) {
+- netif_carrier_off(dev);
+ schedule_work(&vi->config_work);
+ } else {
+ vi->status = VIRTIO_NET_S_LINK_UP;
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+Date: Tue, 20 Feb 2018 14:32:10 +0100
+Subject: virtio_net: fix XDP code path in receive_small()
+
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+
+[ Upstream commit 95dbe9e7b3720efa5cf83d21f44f6d953f7cf4a2 ]
+
+When configuring virtio_net to use the code path 'receive_small()',
+in-order to get correct XDP_REDIRECT support, I discovered TCP packets
+would get silently dropped when loading an XDP program action XDP_PASS.
+
+The bug seems to be that receive_small() when XDP is loaded check that
+hdr->hdr.flags is zero, which seems wrong as hdr.flags contains the
+flags VIRTIO_NET_HDR_F_* :
+ #define VIRTIO_NET_HDR_F_NEEDS_CSUM 1 /* Use csum_start, csum_offset */
+ #define VIRTIO_NET_HDR_F_DATA_VALID 2 /* Csum is valid */
+
+TCP got dropped as it had the VIRTIO_NET_HDR_F_DATA_VALID flag set.
+
+The flags that are relevant here are the VIRTIO_NET_HDR_GSO_* flags
+stored in hdr->hdr.gso_type. Thus, the fix is just check that none of
+the gso_type flags have been set.
+
+Fixes: bb91accf2733 ("virtio-net: XDP support for small buffers")
+Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -513,7 +513,7 @@ static struct sk_buff *receive_small(str
+ void *orig_data;
+ u32 act;
+
+- if (unlikely(hdr->hdr.gso_type || hdr->hdr.flags))
++ if (unlikely(hdr->hdr.gso_type))
+ goto err_xdp;
+
+ if (unlikely(xdp_headroom < virtnet_get_headroom(vi))) {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Date: Tue, 13 Mar 2018 14:51:28 +0900
+Subject: vlan: Fix out of order vlan headers with reorder header off
+
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+
+[ Upstream commit cbe7128c4b92e2004984f477fd38dfa81662f02e ]
+
+With reorder header off, received packets are untagged in skb_vlan_untag()
+called from within __netif_receive_skb_core(), and later the tag will be
+inserted back in vlan_do_receive().
+
+This caused out of order vlan headers when we create a vlan device on top
+of another vlan device, because vlan_do_receive() inserts a tag as the
+outermost vlan tag. E.g. the outer tag is first removed in skb_vlan_untag()
+and inserted back in vlan_do_receive(), then the inner tag is next removed
+and inserted back as the outermost tag.
+
+This patch fixes the behaviour by inserting the inner tag at the right
+position.
+
+Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/if_vlan.h | 66 ++++++++++++++++++++++++++++++++++++++++--------
+ net/8021q/vlan_core.c | 4 +-
+ 2 files changed, 57 insertions(+), 13 deletions(-)
+
+--- a/include/linux/if_vlan.h
++++ b/include/linux/if_vlan.h
+@@ -300,30 +300,34 @@ static inline bool vlan_hw_offload_capab
+ }
+
+ /**
+- * __vlan_insert_tag - regular VLAN tag inserting
++ * __vlan_insert_inner_tag - inner VLAN tag inserting
+ * @skb: skbuff to tag
+ * @vlan_proto: VLAN encapsulation protocol
+ * @vlan_tci: VLAN TCI to insert
++ * @mac_len: MAC header length including outer vlan headers
+ *
+- * Inserts the VLAN tag into @skb as part of the payload
++ * Inserts the VLAN tag into @skb as part of the payload at offset mac_len
+ * Returns error if skb_cow_head failes.
+ *
+ * Does not change skb->protocol so this function can be used during receive.
+ */
+-static inline int __vlan_insert_tag(struct sk_buff *skb,
+- __be16 vlan_proto, u16 vlan_tci)
++static inline int __vlan_insert_inner_tag(struct sk_buff *skb,
++ __be16 vlan_proto, u16 vlan_tci,
++ unsigned int mac_len)
+ {
+ struct vlan_ethhdr *veth;
+
+ if (skb_cow_head(skb, VLAN_HLEN) < 0)
+ return -ENOMEM;
+
+- veth = skb_push(skb, VLAN_HLEN);
++ skb_push(skb, VLAN_HLEN);
+
+- /* Move the mac addresses to the beginning of the new header. */
+- memmove(skb->data, skb->data + VLAN_HLEN, 2 * ETH_ALEN);
++ /* Move the mac header sans proto to the beginning of the new header. */
++ memmove(skb->data, skb->data + VLAN_HLEN, mac_len - ETH_TLEN);
+ skb->mac_header -= VLAN_HLEN;
+
++ veth = (struct vlan_ethhdr *)(skb->data + mac_len - ETH_HLEN);
++
+ /* first, the ethernet type */
+ veth->h_vlan_proto = vlan_proto;
+
+@@ -334,12 +338,30 @@ static inline int __vlan_insert_tag(stru
+ }
+
+ /**
+- * vlan_insert_tag - regular VLAN tag inserting
++ * __vlan_insert_tag - regular VLAN tag inserting
+ * @skb: skbuff to tag
+ * @vlan_proto: VLAN encapsulation protocol
+ * @vlan_tci: VLAN TCI to insert
+ *
+ * Inserts the VLAN tag into @skb as part of the payload
++ * Returns error if skb_cow_head failes.
++ *
++ * Does not change skb->protocol so this function can be used during receive.
++ */
++static inline int __vlan_insert_tag(struct sk_buff *skb,
++ __be16 vlan_proto, u16 vlan_tci)
++{
++ return __vlan_insert_inner_tag(skb, vlan_proto, vlan_tci, ETH_HLEN);
++}
++
++/**
++ * vlan_insert_inner_tag - inner VLAN tag inserting
++ * @skb: skbuff to tag
++ * @vlan_proto: VLAN encapsulation protocol
++ * @vlan_tci: VLAN TCI to insert
++ * @mac_len: MAC header length including outer vlan headers
++ *
++ * Inserts the VLAN tag into @skb as part of the payload at offset mac_len
+ * Returns a VLAN tagged skb. If a new skb is created, @skb is freed.
+ *
+ * Following the skb_unshare() example, in case of error, the calling function
+@@ -347,12 +369,14 @@ static inline int __vlan_insert_tag(stru
+ *
+ * Does not change skb->protocol so this function can be used during receive.
+ */
+-static inline struct sk_buff *vlan_insert_tag(struct sk_buff *skb,
+- __be16 vlan_proto, u16 vlan_tci)
++static inline struct sk_buff *vlan_insert_inner_tag(struct sk_buff *skb,
++ __be16 vlan_proto,
++ u16 vlan_tci,
++ unsigned int mac_len)
+ {
+ int err;
+
+- err = __vlan_insert_tag(skb, vlan_proto, vlan_tci);
++ err = __vlan_insert_inner_tag(skb, vlan_proto, vlan_tci, mac_len);
+ if (err) {
+ dev_kfree_skb_any(skb);
+ return NULL;
+@@ -361,6 +385,26 @@ static inline struct sk_buff *vlan_inser
+ }
+
+ /**
++ * vlan_insert_tag - regular VLAN tag inserting
++ * @skb: skbuff to tag
++ * @vlan_proto: VLAN encapsulation protocol
++ * @vlan_tci: VLAN TCI to insert
++ *
++ * Inserts the VLAN tag into @skb as part of the payload
++ * Returns a VLAN tagged skb. If a new skb is created, @skb is freed.
++ *
++ * Following the skb_unshare() example, in case of error, the calling function
++ * doesn't have to worry about freeing the original skb.
++ *
++ * Does not change skb->protocol so this function can be used during receive.
++ */
++static inline struct sk_buff *vlan_insert_tag(struct sk_buff *skb,
++ __be16 vlan_proto, u16 vlan_tci)
++{
++ return vlan_insert_inner_tag(skb, vlan_proto, vlan_tci, ETH_HLEN);
++}
++
++/**
+ * vlan_insert_tag_set_proto - regular VLAN tag inserting
+ * @skb: skbuff to tag
+ * @vlan_proto: VLAN encapsulation protocol
+--- a/net/8021q/vlan_core.c
++++ b/net/8021q/vlan_core.c
+@@ -48,8 +48,8 @@ bool vlan_do_receive(struct sk_buff **sk
+ * original position later
+ */
+ skb_push(skb, offset);
+- skb = *skbp = vlan_insert_tag(skb, skb->vlan_proto,
+- skb->vlan_tci);
++ skb = *skbp = vlan_insert_inner_tag(skb, skb->vlan_proto,
++ skb->vlan_tci, skb->mac_len);
+ if (!skb)
+ return false;
+ skb_pull(skb, offset + VLAN_HLEN);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Date: Thu, 29 Mar 2018 19:05:30 +0900
+Subject: vlan: Fix vlan insertion for packets without ethernet header
+
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+
+[ Upstream commit c769accdf3d8a103940bea2979b65556718567e9 ]
+
+In some situation vlan packets do not have ethernet headers. One example
+is packets from tun devices. Users can specify vlan protocol in tun_pi
+field instead of IP protocol. When we have a vlan device with reorder_hdr
+disabled on top of the tun device, such packets from tun devices are
+untagged in skb_vlan_untag() and vlan headers will be inserted back in
+vlan_insert_inner_tag().
+
+vlan_insert_inner_tag() however did not expect packets without ethernet
+headers, so in such a case size argument for memmove() underflowed.
+
+We don't need to copy headers for packets which do not have preceding
+headers of vlan headers, so skip memmove() in that case.
+Also don't write vlan protocol in skb->data when it does not have enough
+room for it.
+
+Fixes: cbe7128c4b92 ("vlan: Fix out of order vlan headers with reorder header off")
+Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/if_vlan.h | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/include/linux/if_vlan.h
++++ b/include/linux/if_vlan.h
+@@ -323,13 +323,24 @@ static inline int __vlan_insert_inner_ta
+ skb_push(skb, VLAN_HLEN);
+
+ /* Move the mac header sans proto to the beginning of the new header. */
+- memmove(skb->data, skb->data + VLAN_HLEN, mac_len - ETH_TLEN);
++ if (likely(mac_len > ETH_TLEN))
++ memmove(skb->data, skb->data + VLAN_HLEN, mac_len - ETH_TLEN);
+ skb->mac_header -= VLAN_HLEN;
+
+ veth = (struct vlan_ethhdr *)(skb->data + mac_len - ETH_HLEN);
+
+ /* first, the ethernet type */
+- veth->h_vlan_proto = vlan_proto;
++ if (likely(mac_len >= ETH_TLEN)) {
++ /* h_vlan_encapsulated_proto should already be populated, and
++ * skb->data has space for h_vlan_proto
++ */
++ veth->h_vlan_proto = vlan_proto;
++ } else {
++ /* h_vlan_encapsulated_proto should not be populated, and
++ * skb->data has no space for h_vlan_proto
++ */
++ veth->h_vlan_encapsulated_proto = skb->protocol;
++ }
+
+ /* now, the TCI */
+ veth->h_vlan_TCI = htons(vlan_tci);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Thu, 15 Mar 2018 17:16:27 +0100
+Subject: vti4: Don't count header length twice on tunnel setup
+
+From: Stefano Brivio <sbrivio@redhat.com>
+
+[ Upstream commit dd1df24737727e119c263acf1be2a92763938297 ]
+
+This re-introduces the effect of commit a32452366b72 ("vti4:
+Don't count header length twice.") which was accidentally
+reverted by merge commit f895f0cfbb77 ("Merge branch 'master' of
+git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec").
+
+The commit message from Steffen Klassert said:
+
+ We currently count the size of LL_MAX_HEADER and struct iphdr
+ twice for vti4 devices, this leads to a wrong device mtu.
+ The size of LL_MAX_HEADER and struct iphdr is already counted in
+ ip_tunnel_bind_dev(), so don't do it again in vti_tunnel_init().
+
+And this is still the case now: ip_tunnel_bind_dev() already
+accounts for the header length of the link layer (not
+necessarily LL_MAX_HEADER, if the output device is found), plus
+one IP header.
+
+For example, with a vti device on top of veth, with MTU of 1500,
+the existing implementation would set the initial vti MTU to
+1332, accounting once for LL_MAX_HEADER (128, included in
+hard_header_len by vti) and twice for the same IP header (once
+from hard_header_len, once from ip_tunnel_bind_dev()).
+
+It should instead be 1480, because ip_tunnel_bind_dev() is able
+to figure out that the output device is veth, so no additional
+link layer header is attached, and will properly count one
+single IP header.
+
+The existing issue had the side effect of avoiding PMTUD for
+most xfrm policies, by arbitrarily lowering the initial MTU.
+However, the only way to get a consistent PMTU value is to let
+the xfrm PMTU discovery do its course, and commit d6af1a31cc72
+("vti: Add pmtu handling to vti_xmit.") now takes care of local
+delivery cases where the application ignores local socket
+notifications.
+
+Fixes: b9959fd3b0fa ("vti: switch to new ip tunnel code")
+Fixes: f895f0cfbb77 ("Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Acked-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_vti.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -396,7 +396,6 @@ static int vti_tunnel_init(struct net_de
+ memcpy(dev->dev_addr, &iph->saddr, 4);
+ memcpy(dev->broadcast, &iph->daddr, 4);
+
+- dev->hard_header_len = LL_MAX_HEADER + sizeof(struct iphdr);
+ dev->mtu = ETH_DATA_LEN;
+ dev->flags = IFF_NOARP;
+ dev->addr_len = 4;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Thu, 15 Mar 2018 17:16:29 +0100
+Subject: vti4: Don't override MTU passed on link creation via IFLA_MTU
+
+From: Stefano Brivio <sbrivio@redhat.com>
+
+[ Upstream commit 03080e5ec72740c1a62e6730f2a5f3f114f11b19 ]
+
+Don't hardcode a MTU value on vti tunnel initialization,
+ip_tunnel_newlink() is able to deal with this already. See also
+commit ffc2b6ee4174 ("ip_gre: fix IFLA_MTU ignored on NEWLINK").
+
+Fixes: 1181412c1a67 ("net/ipv4: VTI support new module for ip_vti.")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Acked-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_vti.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -396,7 +396,6 @@ static int vti_tunnel_init(struct net_de
+ memcpy(dev->dev_addr, &iph->saddr, 4);
+ memcpy(dev->broadcast, &iph->daddr, 4);
+
+- dev->mtu = ETH_DATA_LEN;
+ dev->flags = IFF_NOARP;
+ dev->addr_len = 4;
+ dev->features |= NETIF_F_LLTX;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Thu, 15 Mar 2018 17:17:13 +0100
+Subject: vti6: Fix dev->max_mtu setting
+
+From: Stefano Brivio <sbrivio@redhat.com>
+
+[ Upstream commit f8a554b4aa9686bb2c12f6bae516e58783289a03 ]
+
+We shouldn't allow a tunnel to have IP_MAX_MTU as MTU, because
+another IPv6 header is going on top of our packets. Without this
+patch, we might end up building packets bigger than IP_MAX_MTU.
+
+Fixes: b96f9afee4eb ("ipv4/6: use core net MTU range checking")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Acked-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_vti.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -852,7 +852,7 @@ static void vti6_dev_setup(struct net_de
+ dev->hard_header_len = LL_MAX_HEADER + sizeof(struct ipv6hdr);
+ dev->mtu = ETH_DATA_LEN;
+ dev->min_mtu = IPV6_MIN_MTU;
+- dev->max_mtu = IP_MAX_MTU;
++ dev->max_mtu = IP_MAX_MTU - sizeof(struct ipv6hdr);
+ dev->flags |= IFF_NOARP;
+ dev->addr_len = sizeof(struct in6_addr);
+ netif_keep_dst(dev);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 10 Feb 2018 13:17:27 +0300
+Subject: watchdog: asm9260_wdt: fix error handling in asm9260_wdt_probe()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+[ Upstream commit 3c829f47e33eb0398a9a14e357a05199a7be0277 ]
+
+If devm_reset_control_get_exclusive() fails, asm9260_wdt_probe()
+returns immediately. But clks has been already enabled at that point,
+so it is required to disable them or to move the code around.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/asm9260_wdt.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/watchdog/asm9260_wdt.c
++++ b/drivers/watchdog/asm9260_wdt.c
+@@ -292,14 +292,14 @@ static int asm9260_wdt_probe(struct plat
+ if (IS_ERR(priv->iobase))
+ return PTR_ERR(priv->iobase);
+
+- ret = asm9260_wdt_get_dt_clks(priv);
+- if (ret)
+- return ret;
+-
+ priv->rst = devm_reset_control_get_exclusive(&pdev->dev, "wdt_rst");
+ if (IS_ERR(priv->rst))
+ return PTR_ERR(priv->rst);
+
++ ret = asm9260_wdt_get_dt_clks(priv);
++ if (ret)
++ return ret;
++
+ wdd = &priv->wdd;
+ wdd->info = &asm9260_wdt_ident;
+ wdd->ops = &asm9260_wdt_ops;
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Milton Miller <miltonm@us.ibm.com>
+Date: Thu, 15 Mar 2018 11:02:06 -0500
+Subject: watchdog: aspeed: Allow configuring for alternate boot
+
+From: Milton Miller <miltonm@us.ibm.com>
+
+[ Upstream commit 6ffa3402211acc30e47e691e14d62f3fd065a54e ]
+
+Allow the device tree to specify a watchdog to fallover to
+the alternate boot source.
+
+The aspeeed watchdog can set a latch directing flash chip select 0 to
+chip select 1, allowing boot from an alternate media if the watchdog
+is not reset in time. On the ast2400 bank 1 also goes to flash bank 1,
+while on the ast2500 the chip selects are swapped.
+
+Also clear the secondary boot bit during the machine restart operation.
+Otherwise, the system will switch to the alternate boot after every
+reboot, which is not desired.
+
+Signed-off-by: Milton Miller <miltonm@us.ibm.com>
+Signed-off-by: Eddie James <eajames@linux.vnet.ibm.com>
+Reviewed-by: Joel Stanley <joel@jms.id.au>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/aspeed_wdt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/watchdog/aspeed_wdt.c
++++ b/drivers/watchdog/aspeed_wdt.c
+@@ -46,6 +46,7 @@ MODULE_DEVICE_TABLE(of, aspeed_wdt_of_ta
+ #define WDT_RELOAD_VALUE 0x04
+ #define WDT_RESTART 0x08
+ #define WDT_CTRL 0x0C
++#define WDT_CTRL_BOOT_SECONDARY BIT(7)
+ #define WDT_CTRL_RESET_MODE_SOC (0x00 << 5)
+ #define WDT_CTRL_RESET_MODE_FULL_CHIP (0x01 << 5)
+ #define WDT_CTRL_RESET_MODE_ARM_CPU (0x10 << 5)
+@@ -158,6 +159,7 @@ static int aspeed_wdt_restart(struct wat
+ {
+ struct aspeed_wdt *wdt = to_aspeed_wdt(wdd);
+
++ wdt->ctrl &= ~WDT_CTRL_BOOT_SECONDARY;
+ aspeed_wdt_enable(wdt, 128 * WDT_RATE_1MHZ / 1000);
+
+ mdelay(1000);
+@@ -242,6 +244,8 @@ static int aspeed_wdt_probe(struct platf
+ }
+ if (of_property_read_bool(np, "aspeed,external-signal"))
+ wdt->ctrl |= WDT_CTRL_WDT_EXT;
++ if (of_property_read_bool(np, "aspeed,alt-boot"))
++ wdt->ctrl |= WDT_CTRL_BOOT_SECONDARY;
+
+ writel(wdt->ctrl, wdt->base + WDT_CTRL);
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Milton Miller <miltonm@us.ibm.com>
+Date: Fri, 9 Mar 2018 15:58:19 -0600
+Subject: watchdog: aspeed: Fix translation of reset mode to ctrl register
+
+From: Milton Miller <miltonm@us.ibm.com>
+
+[ Upstream commit d2fc8db691bf3197d43b2afb553311a9bf257bff ]
+
+Assert RESET_SYSTEM bit for any reset and set MODE field from reset
+type.
+
+The watchdog control register has a RESET_SYSTEM bit that is really
+closer to activate a reset, and RESET_SYSTEM_MODE field that chooses
+how much to reset.
+
+Before this patch, a node without these optional property would do a
+SOC reset, but a node with properties requesting a cpu or SOC reset
+would do nothing and a node requesting a system reset would do a
+SOC reset.
+
+Fixes: b7f0b8ad25f3 ("drivers/watchdog: ASPEED reference dev tree properties for config")
+Signed-off-by: Milton Miller <miltonm@us.ibm.com>
+Signed-off-by: Eddie James <eajames@linux.vnet.ibm.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/aspeed_wdt.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/watchdog/aspeed_wdt.c
++++ b/drivers/watchdog/aspeed_wdt.c
+@@ -234,11 +234,14 @@ static int aspeed_wdt_probe(struct platf
+ wdt->ctrl |= WDT_CTRL_RESET_MODE_SOC | WDT_CTRL_RESET_SYSTEM;
+ } else {
+ if (!strcmp(reset_type, "cpu"))
+- wdt->ctrl |= WDT_CTRL_RESET_MODE_ARM_CPU;
++ wdt->ctrl |= WDT_CTRL_RESET_MODE_ARM_CPU |
++ WDT_CTRL_RESET_SYSTEM;
+ else if (!strcmp(reset_type, "soc"))
+- wdt->ctrl |= WDT_CTRL_RESET_MODE_SOC;
++ wdt->ctrl |= WDT_CTRL_RESET_MODE_SOC |
++ WDT_CTRL_RESET_SYSTEM;
+ else if (!strcmp(reset_type, "system"))
+- wdt->ctrl |= WDT_CTRL_RESET_SYSTEM;
++ wdt->ctrl |= WDT_CTRL_RESET_MODE_FULL_CHIP |
++ WDT_CTRL_RESET_SYSTEM;
+ else if (strcmp(reset_type, "none"))
+ return -EINVAL;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 24 Mar 2018 00:36:46 +0300
+Subject: watchdog: davinci_wdt: fix error handling in davinci_wdt_probe()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+[ Upstream commit d66e53649c18377edc08d48901e658e4fd491d46 ]
+
+clk_disable_unprepare() was added to one error path,
+but there is another one. The patch makes sure clk is
+disabled at the both of them.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/davinci_wdt.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/watchdog/davinci_wdt.c
++++ b/drivers/watchdog/davinci_wdt.c
+@@ -198,15 +198,22 @@ static int davinci_wdt_probe(struct plat
+
+ wdt_mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ davinci_wdt->base = devm_ioremap_resource(dev, wdt_mem);
+- if (IS_ERR(davinci_wdt->base))
+- return PTR_ERR(davinci_wdt->base);
++ if (IS_ERR(davinci_wdt->base)) {
++ ret = PTR_ERR(davinci_wdt->base);
++ goto err_clk_disable;
++ }
+
+ ret = watchdog_register_device(wdd);
+- if (ret < 0) {
+- clk_disable_unprepare(davinci_wdt->clk);
++ if (ret) {
+ dev_err(dev, "cannot register watchdog device\n");
++ goto err_clk_disable;
+ }
+
++ return 0;
++
++err_clk_disable:
++ clk_disable_unprepare(davinci_wdt->clk);
++
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Brian Norris <briannorris@chromium.org>
+Date: Fri, 9 Mar 2018 19:46:06 -0800
+Subject: watchdog: dw: RMW the control register
+
+From: Brian Norris <briannorris@chromium.org>
+
+[ Upstream commit a81abbb412341e9e3b2d42ed7d310cf71fbb84a8 ]
+
+RK3399 has rst_pulse_length in CONTROL_REG[4:2], determining the length
+of pulse to issue for system reset. We shouldn't clobber this value,
+because that might make the system reset ineffective. On RK3399, we're
+seeing that a value of 000b (meaning 2 cycles) yields an unreliable
+(partial?) reset, and so we only fully reset after the watchdog fires a
+second time. If we retain the system default (010b, or 8 clock cycles),
+then the watchdog reset is much more reliable.
+
+Read-modify-write retains the system value and improves reset
+reliability.
+
+It seems we were intentionally clobbering the response mode previously,
+to ensure we performed a system reset (we don't support an interrupt
+notification), so retain that explicitly.
+
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/dw_wdt.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/watchdog/dw_wdt.c
++++ b/drivers/watchdog/dw_wdt.c
+@@ -34,6 +34,7 @@
+
+ #define WDOG_CONTROL_REG_OFFSET 0x00
+ #define WDOG_CONTROL_REG_WDT_EN_MASK 0x01
++#define WDOG_CONTROL_REG_RESP_MODE_MASK 0x02
+ #define WDOG_TIMEOUT_RANGE_REG_OFFSET 0x04
+ #define WDOG_TIMEOUT_RANGE_TOPINIT_SHIFT 4
+ #define WDOG_CURRENT_COUNT_REG_OFFSET 0x08
+@@ -121,14 +122,23 @@ static int dw_wdt_set_timeout(struct wat
+ return 0;
+ }
+
++static void dw_wdt_arm_system_reset(struct dw_wdt *dw_wdt)
++{
++ u32 val = readl(dw_wdt->regs + WDOG_CONTROL_REG_OFFSET);
++
++ /* Disable interrupt mode; always perform system reset. */
++ val &= ~WDOG_CONTROL_REG_RESP_MODE_MASK;
++ /* Enable watchdog. */
++ val |= WDOG_CONTROL_REG_WDT_EN_MASK;
++ writel(val, dw_wdt->regs + WDOG_CONTROL_REG_OFFSET);
++}
++
+ static int dw_wdt_start(struct watchdog_device *wdd)
+ {
+ struct dw_wdt *dw_wdt = to_dw_wdt(wdd);
+
+ dw_wdt_set_timeout(wdd, wdd->timeout);
+-
+- writel(WDOG_CONTROL_REG_WDT_EN_MASK,
+- dw_wdt->regs + WDOG_CONTROL_REG_OFFSET);
++ dw_wdt_arm_system_reset(dw_wdt);
+
+ return 0;
+ }
+@@ -152,16 +162,13 @@ static int dw_wdt_restart(struct watchdo
+ unsigned long action, void *data)
+ {
+ struct dw_wdt *dw_wdt = to_dw_wdt(wdd);
+- u32 val;
+
+ writel(0, dw_wdt->regs + WDOG_TIMEOUT_RANGE_REG_OFFSET);
+- val = readl(dw_wdt->regs + WDOG_CONTROL_REG_OFFSET);
+- if (val & WDOG_CONTROL_REG_WDT_EN_MASK)
++ if (dw_wdt_is_enabled(dw_wdt))
+ writel(WDOG_COUNTER_RESTART_KICK_VALUE,
+ dw_wdt->regs + WDOG_COUNTER_RESTART_REG_OFFSET);
+ else
+- writel(WDOG_CONTROL_REG_WDT_EN_MASK,
+- dw_wdt->regs + WDOG_CONTROL_REG_OFFSET);
++ dw_wdt_arm_system_reset(dw_wdt);
+
+ /* wait for reset to assert... */
+ mdelay(500);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Igor Pylypiv <igor.pylypiv@gmail.com>
+Date: Wed, 28 Feb 2018 00:59:12 -0800
+Subject: watchdog: f71808e_wdt: Fix magic close handling
+
+From: Igor Pylypiv <igor.pylypiv@gmail.com>
+
+[ Upstream commit 7bd3e7b743956afbec30fb525bc3c5e22e3d475c ]
+
+Watchdog close is "expected" when any byte is 'V' not just the last one.
+Writing "V" to the device fails because the last byte is the end of string.
+
+$ echo V > /dev/watchdog
+f71808e_wdt: Unexpected close, not stopping watchdog!
+
+Signed-off-by: Igor Pylypiv <igor.pylypiv@gmail.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/f71808e_wdt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/watchdog/f71808e_wdt.c
++++ b/drivers/watchdog/f71808e_wdt.c
+@@ -566,7 +566,8 @@ static ssize_t watchdog_write(struct fil
+ char c;
+ if (get_user(c, buf + i))
+ return -EFAULT;
+- expect_close = (c == 'V');
++ if (c == 'V')
++ expect_close = true;
+ }
+
+ /* Properly order writes across fork()ed processes */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Jayachandran C <jnair@caviumnetworks.com>
+Date: Wed, 28 Feb 2018 02:52:20 -0800
+Subject: watchdog: sbsa: use 32-bit read for WCV
+
+From: Jayachandran C <jnair@caviumnetworks.com>
+
+[ Upstream commit 93ac3deb7c220cbcec032a967220a1f109d58431 ]
+
+According to SBSA spec v3.1 section 5.3:
+ All registers are 32 bits in size and should be accessed using
+ 32-bit reads and writes. If an access size other than 32 bits
+ is used then the results are IMPLEMENTATION DEFINED.
+ [...]
+ The Generic Watchdog is little-endian
+
+The current code uses readq to read the watchdog compare register
+which does a 64-bit access. This fails on ThunderX2 which does not
+implement 64-bit access to this register.
+
+Fix this by using lo_hi_readq() that does two 32-bit reads.
+
+Signed-off-by: Jayachandran C <jnair@caviumnetworks.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/sbsa_gwdt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/watchdog/sbsa_gwdt.c
++++ b/drivers/watchdog/sbsa_gwdt.c
+@@ -50,6 +50,7 @@
+ */
+
+ #include <linux/io.h>
++#include <linux/io-64-nonatomic-lo-hi.h>
+ #include <linux/interrupt.h>
+ #include <linux/module.h>
+ #include <linux/moduleparam.h>
+@@ -159,7 +160,7 @@ static unsigned int sbsa_gwdt_get_timele
+ !(readl(gwdt->control_base + SBSA_GWDT_WCS) & SBSA_GWDT_WCS_WS0))
+ timeleft += readl(gwdt->control_base + SBSA_GWDT_WOR);
+
+- timeleft += readq(gwdt->control_base + SBSA_GWDT_WCV) -
++ timeleft += lo_hi_readq(gwdt->control_base + SBSA_GWDT_WCV) -
+ arch_counter_get_cntvct();
+
+ do_div(timeleft, gwdt->clk);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Tue, 6 Mar 2018 15:35:43 +0530
+Subject: workqueue: use put_device() instead of kfree()
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+[ Upstream commit 537f4146c53c95aac977852b371bafb9c6755ee1 ]
+
+Never directly free @dev after calling device_register(), even
+if it returned an error! Always use put_device() to give up the
+reference initialized in this function instead.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/workqueue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -5350,7 +5350,7 @@ int workqueue_sysfs_register(struct work
+
+ ret = device_register(&wq_dev->dev);
+ if (ret) {
+- kfree(wq_dev);
++ put_device(&wq_dev->dev);
+ wq->wq_dev = NULL;
+ return ret;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Alexey Dobriyan <adobriyan@gmail.com>
+Date: Sun, 14 Jan 2018 15:05:04 +0300
+Subject: x86/alternatives: Fixup alternative_call_2
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+[ Upstream commit bd6271039ee6f0c9b468148fc2d73e0584af6b4f ]
+
+The following pattern fails to compile while the same pattern
+with alternative_call() does:
+
+ if (...)
+ alternative_call_2(...);
+ else
+ alternative_call_2(...);
+
+as it expands into
+
+ if (...)
+ {
+ }; <===
+ else
+ {
+ };
+
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20180114120504.GA11368@avx2
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/alternative.h | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/alternative.h
++++ b/arch/x86/include/asm/alternative.h
+@@ -218,13 +218,11 @@ static inline int alternatives_text_rese
+ */
+ #define alternative_call_2(oldfunc, newfunc1, feature1, newfunc2, feature2, \
+ output, input...) \
+-{ \
+ asm volatile (ALTERNATIVE_2("call %P[old]", "call %P[new1]", feature1,\
+ "call %P[new2]", feature2) \
+ : output, ASM_CALL_CONSTRAINT \
+ : [old] "i" (oldfunc), [new1] "i" (newfunc1), \
+- [new2] "i" (newfunc2), ## input); \
+-}
++ [new2] "i" (newfunc2), ## input)
+
+ /*
+ * use this macro(s) if you need more than one output parameter
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Baoquan He <bhe@redhat.com>
+Date: Wed, 14 Feb 2018 13:46:56 +0800
+Subject: x86/apic: Set up through-local-APIC mode on the boot CPU if 'noapic' specified
+
+From: Baoquan He <bhe@redhat.com>
+
+[ Upstream commit bee3204ec3c49f6f53add9c3962c9012a5c036fa ]
+
+Currently the kdump kernel becomes very slow if 'noapic' is specified.
+Normal kernel doesn't have this bug.
+
+Kernel parameter 'noapic' is used to disable IO-APIC in system for
+testing or special purpose. Here the root cause is that in kdump
+kernel LAPIC is disabled since commit:
+
+ 522e664644 ("x86/apic: Disable I/O APIC before shutdown of the local APIC")
+
+In this case we need set up through-local-APIC on boot CPU in
+setup_local_APIC().
+
+In normal kernel the legacy irq mode is enabled by the BIOS. If
+it is virtual wire mode, the local-APIC has been enabled and set as
+through-local-APIC.
+
+Though we fixed the regression introduced by commit 522e664644,
+to further improve robustness set up the through-local-APIC mode
+explicitly, do not rely on the default boot IRQ mode.
+
+Signed-off-by: Baoquan He <bhe@redhat.com>
+Reviewed-by: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: douly.fnst@cn.fujitsu.com
+Cc: joro@8bytes.org
+Cc: prarit@redhat.com
+Cc: uobergfe@redhat.com
+Link: http://lkml.kernel.org/r/20180214054656.3780-7-bhe@redhat.com
+[ Rewrote the changelog. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/apic/apic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1481,7 +1481,7 @@ void setup_local_APIC(void)
+ * TODO: set up through-local-APIC from through-I/O-APIC? --macro
+ */
+ value = apic_read(APIC_LVT0) & APIC_LVT_MASKED;
+- if (!cpu && (pic_mode || !value)) {
++ if (!cpu && (pic_mode || !value || skip_ioapic_setup)) {
+ value = APIC_DM_EXTINT;
+ apic_printk(APIC_VERBOSE, "enabled ExtINT on CPU#%d\n", cpu);
+ } else {
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Ivan Gorinov <ivan.gorinov@intel.com>
+Date: Wed, 7 Mar 2018 11:46:53 -0800
+Subject: x86/devicetree: Fix device IRQ settings in DT
+
+From: Ivan Gorinov <ivan.gorinov@intel.com>
+
+[ Upstream commit 0a5169add90e43ab45ab1ba34223b8583fcaf675 ]
+
+IRQ parameters for the SoC devices connected directly to I/O APIC lines
+(without PCI IRQ routing) may be specified in the Device Tree.
+
+Called from DT IRQ parser, irq_create_fwspec_mapping() calls
+irq_domain_alloc_irqs() with a pointer to irq_fwspec structure as @arg.
+
+But x86-specific DT IRQ allocation code casts @arg to of_phandle_args
+structure pointer and crashes trying to read the IRQ parameters. The
+function was not converted when the mapping descriptor was changed to
+irq_fwspec in the generic irqdomain code.
+
+Fixes: 11e4438ee330 ("irqdomain: Introduce a firmware-specific IRQ specifier structure")
+Signed-off-by: Ivan Gorinov <ivan.gorinov@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Link: https://lkml.kernel.org/r/a234dee27ea60ce76141872da0d6bdb378b2a9ee.1520450752.git.ivan.gorinov@intel.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/devicetree.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kernel/devicetree.c
++++ b/arch/x86/kernel/devicetree.c
+@@ -201,19 +201,22 @@ static struct of_ioapic_type of_ioapic_t
+ static int dt_irqdomain_alloc(struct irq_domain *domain, unsigned int virq,
+ unsigned int nr_irqs, void *arg)
+ {
+- struct of_phandle_args *irq_data = (void *)arg;
++ struct irq_fwspec *fwspec = (struct irq_fwspec *)arg;
+ struct of_ioapic_type *it;
+ struct irq_alloc_info tmp;
++ int type_index;
+
+- if (WARN_ON(irq_data->args_count < 2))
++ if (WARN_ON(fwspec->param_count < 2))
+ return -EINVAL;
+- if (irq_data->args[1] >= ARRAY_SIZE(of_ioapic_type))
++
++ type_index = fwspec->param[1];
++ if (type_index >= ARRAY_SIZE(of_ioapic_type))
+ return -EINVAL;
+
+- it = &of_ioapic_type[irq_data->args[1]];
++ it = &of_ioapic_type[type_index];
+ ioapic_set_alloc_attr(&tmp, NUMA_NO_NODE, it->trigger, it->polarity);
+ tmp.ioapic_id = mpc_ioapic_id(mp_irqdomain_ioapic_idx(domain));
+- tmp.ioapic_pin = irq_data->args[0];
++ tmp.ioapic_pin = fwspec->param[0];
+
+ return mp_irqdomain_alloc(domain, virq, nr_irqs, &tmp);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Ivan Gorinov <ivan.gorinov@intel.com>
+Date: Wed, 7 Mar 2018 11:46:29 -0800
+Subject: x86/devicetree: Initialize device tree before using it
+
+From: Ivan Gorinov <ivan.gorinov@intel.com>
+
+[ Upstream commit 628df9dc5ad886b0a9b33c75a7b09710eb859ca1 ]
+
+Commit 08d53aa58cb1 added CRC32 calculation in early_init_dt_verify() and
+checking in late initcall of_fdt_raw_init(), making early_init_dt_verify()
+mandatory.
+
+The required call to early_init_dt_verify() was not added to the
+x86-specific implementation, causing failure to create the sysfs entry in
+of_fdt_raw_init().
+
+Fixes: 08d53aa58cb1 ("of/fdt: export fdt blob as /sys/firmware/fdt")
+Signed-off-by: Ivan Gorinov <ivan.gorinov@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Link: https://lkml.kernel.org/r/c8c7e941efc63b5d25ebf9b6350b0f3df38f6098.1520450752.git.ivan.gorinov@intel.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/devicetree.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/devicetree.c
++++ b/arch/x86/kernel/devicetree.c
+@@ -12,6 +12,7 @@
+ #include <linux/of_address.h>
+ #include <linux/of_platform.h>
+ #include <linux/of_irq.h>
++#include <linux/libfdt.h>
+ #include <linux/slab.h>
+ #include <linux/pci.h>
+ #include <linux/of_pci.h>
+@@ -276,14 +277,15 @@ static void __init x86_flattree_get_conf
+
+ map_len = max(PAGE_SIZE - (initial_dtb & ~PAGE_MASK), (u64)128);
+
+- initial_boot_params = dt = early_memremap(initial_dtb, map_len);
+- size = of_get_flat_dt_size();
++ dt = early_memremap(initial_dtb, map_len);
++ size = fdt_totalsize(dt);
+ if (map_len < size) {
+ early_memunmap(dt, map_len);
+- initial_boot_params = dt = early_memremap(initial_dtb, size);
++ dt = early_memremap(initial_dtb, size);
+ map_len = size;
+ }
+
++ early_init_dt_verify(dt);
+ unflatten_and_copy_device_tree();
+ early_memunmap(dt, map_len);
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Wang Hui <john.wanghui@huawei.com>
+Date: Thu, 22 Feb 2018 19:26:03 -0800
+Subject: x86/intel_rdt: Fix incorrect returned value when creating rdgroup sub-directory in resctrl file system
+
+From: Wang Hui <john.wanghui@huawei.com>
+
+[ Upstream commit 36e74d355297dde6e69a39c838d24710e442babe ]
+
+If no monitoring feature is detected because all monitoring features are
+disabled during boot time or there is no monitoring feature in hardware,
+creating rdtgroup sub-directory by "mkdir" command reports error:
+
+ mkdir: cannot create directory ‘/sys/fs/resctrl/p1’: No such file or directory
+
+But the sub-directory actually is generated and content is correct:
+
+ cpus cpus_list schemata tasks
+
+The error is because rdtgroup_mkdir_ctrl_mon() returns non zero value after
+the sub-directory is created and the returned value is reported as an error
+to user.
+
+Clear the returned value to report to user that the sub-directory is
+actually created successfully.
+
+Signed-off-by: Wang Hui <john.wanghui@huawei.com>
+Signed-off-by: Zhang Yanfei <yanfei.zhang@huawei.com>
+Signed-off-by: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ravi V Shankar <ravi.v.shankar@intel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Vikas <vikas.shivappa@intel.com>
+Cc: Xiaochen Shen <xiaochen.shen@intel.com>
+Link: http://lkml.kernel.org/r/1519356363-133085-1-git-send-email-fenghua.yu@intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/intel_rdt_rdtgroup.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
++++ b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
+@@ -1657,6 +1657,7 @@ static int rdtgroup_mkdir_ctrl_mon(struc
+ if (ret < 0)
+ goto out_common_fail;
+ closid = ret;
++ ret = 0;
+
+ rdtgrp->closid = closid;
+ list_add(&rdtgrp->rdtgroup_list, &rdt_all_groups);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Borislav Petkov <bp@suse.de>
+Date: Wed, 21 Feb 2018 11:18:56 +0100
+Subject: x86/mce/AMD: Collect error info even if valid bits are not set
+
+From: Borislav Petkov <bp@suse.de>
+
+[ Upstream commit 4b1e84276a6172980c5bf39aa091ba13e90d6dad ]
+
+The MCA banks log error info into MCA_ADDR, MCA_MISC0, and MCA_SYND even
+if the corresponding valid bits are not set:
+
+"Error handlers should save the values in MCA_ADDR, MCA_MISC0,
+and MCA_SYND even if MCA_STATUS[AddrV], MCA_STATUS[MiscV], and
+MCA_STATUS[SyndV] are zero."
+
+Do so by setting those bits so that code down the MCE processing path
+doesn't need to be changed.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20180221101900.10326-5-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/mcheck/mce.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -445,6 +445,20 @@ static inline void mce_gather_info(struc
+ if (mca_cfg.rip_msr)
+ m->ip = mce_rdmsrl(mca_cfg.rip_msr);
+ }
++
++ /*
++ * Error handlers should save the values in MCA_ADDR, MCA_MISC0, and
++ * MCA_SYND even if MCA_STATUS[AddrV], MCA_STATUS[MiscV], and
++ * MCA_STATUS[SyndV] are zero.
++ */
++ if (m->cpuvendor == X86_VENDOR_AMD) {
++ u64 status = MCI_STATUS_ADDRV | MCI_STATUS_MISCV;
++
++ if (mce_flags.smca)
++ status |= MCI_STATUS_SYNDV;
++
++ m->status |= status;
++ }
+ }
+
+ int mce_available(struct cpuinfo_x86 *c)
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Fri, 6 Apr 2018 13:55:14 -0700
+Subject: x86/mm: Do not forbid _PAGE_RW before init for __ro_after_init
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit 639d6aafe437a7464399d2a77d006049053df06f ]
+
+__ro_after_init data gets stuck in the .rodata section. That's normally
+fine because the kernel itself manages the R/W properties.
+
+But, if we run __change_page_attr() on an area which is __ro_after_init,
+the .rodata checks will trigger and force the area to be immediately
+read-only, even if it is early-ish in boot. This caused problems when
+trying to clear the _PAGE_GLOBAL bit for these area in the PTI code:
+it cleared _PAGE_GLOBAL like I asked, but also took it up on itself
+to clear _PAGE_RW. The kernel then oopses the next time it wrote to
+a __ro_after_init data structure.
+
+To fix this, add the kernel_set_to_readonly check, just like we have
+for kernel text, just a few lines below in this function.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Arjan van de Ven <arjan@linux.intel.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Nadav Amit <namit@vmware.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180406205514.8D898241@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/pageattr.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/mm/pageattr.c
++++ b/arch/x86/mm/pageattr.c
+@@ -298,9 +298,11 @@ static inline pgprot_t static_protection
+
+ /*
+ * The .rodata section needs to be read-only. Using the pfn
+- * catches all aliases.
++ * catches all aliases. This also includes __ro_after_init,
++ * so do not enforce until kernel_set_to_readonly is true.
+ */
+- if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
++ if (kernel_set_to_readonly &&
++ within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
+ __pa_symbol(__end_rodata) >> PAGE_SHIFT))
+ pgprot_val(forbidden) |= _PAGE_RW;
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Sai Praneeth <sai.praneeth.prakhya@intel.com>
+Date: Wed, 4 Apr 2018 12:34:19 -0700
+Subject: x86/mm: Fix bogus warning during EFI bootup, use boot_cpu_has() instead of this_cpu_has() in build_cr3_noflush()
+
+From: Sai Praneeth <sai.praneeth.prakhya@intel.com>
+
+[ Upstream commit 162ee5a8ab49be40d253f90e94aef712470a3a24 ]
+
+Linus reported the following boot warning:
+
+ WARNING: CPU: 0 PID: 0 at arch/x86/include/asm/tlbflush.h:134 load_new_mm_cr3+0x114/0x170
+ [...]
+ Call Trace:
+ switch_mm_irqs_off+0x267/0x590
+ switch_mm+0xe/0x20
+ efi_switch_mm+0x3e/0x50
+ efi_enter_virtual_mode+0x43f/0x4da
+ start_kernel+0x3bf/0x458
+ secondary_startup_64+0xa5/0xb0
+
+... after merging:
+
+ 03781e40890c: x86/efi: Use efi_switch_mm() rather than manually twiddling with %cr3
+
+When the platform supports PCID and if CONFIG_DEBUG_VM=y is enabled,
+build_cr3_noflush() (called via switch_mm()) does a sanity check to see
+if X86_FEATURE_PCID is set.
+
+Presently, build_cr3_noflush() uses "this_cpu_has(X86_FEATURE_PCID)" to
+perform the check but this_cpu_has() works only after SMP is initialized
+(i.e. per cpu cpu_info's should be populated) and this happens to be very
+late in the boot process (during rest_init()).
+
+As efi_runtime_services() are called during (early) kernel boot time
+and run time, modify build_cr3_noflush() to use boot_cpu_has() all the
+time. As suggested by Dave Hansen, this should be OK because all CPU's have
+same capabilities on x86.
+
+With this change the warning is fixed.
+
+( Dave also suggested that we put a warning in this_cpu_has() if it's used
+ early in the boot process. This is still work in progress as it affects
+ MCE. )
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Lee Chun-Yi <jlee@suse.com>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ravi Shankar <ravi.v.shankar@intel.com>
+Cc: Ricardo Neri <ricardo.neri@intel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/1522870459-7432-1-git-send-email-sai.praneeth.prakhya@intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/tlbflush.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/tlbflush.h
++++ b/arch/x86/include/asm/tlbflush.h
+@@ -131,7 +131,12 @@ static inline unsigned long build_cr3(pg
+ static inline unsigned long build_cr3_noflush(pgd_t *pgd, u16 asid)
+ {
+ VM_WARN_ON_ONCE(asid > MAX_ASID_AVAILABLE);
+- VM_WARN_ON_ONCE(!this_cpu_has(X86_FEATURE_PCID));
++ /*
++ * Use boot_cpu_has() instead of this_cpu_has() as this function
++ * might be called during early boot. This should work even after
++ * boot because all CPU's the have same capabilities:
++ */
++ VM_WARN_ON_ONCE(!boot_cpu_has(X86_FEATURE_PCID));
+ return __sme_pa(pgd) | kern_pcid(asid) | CR3_NOFLUSH;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Joerg Roedel <joro@8bytes.org>
+Date: Wed, 11 Apr 2018 17:24:38 +0200
+Subject: x86/pgtable: Don't set huge PUD/PMD on non-leaf entries
+
+From: Joerg Roedel <joro@8bytes.org>
+
+[ Upstream commit e3e288121408c3abeed5af60b87b95c847143845 ]
+
+The pmd_set_huge() and pud_set_huge() functions are used from
+the generic ioremap() code to establish large mappings where this
+is possible.
+
+But the generic ioremap() code does not check whether the
+PMD/PUD entries are already populated with a non-leaf entry,
+so that any page-table pages these entries point to will be
+lost.
+
+Further, on x86-32 with SHARED_KERNEL_PMD=0, this causes a
+BUG_ON() in vmalloc_sync_one() when PMD entries are synced
+from swapper_pg_dir to the current page-table. This happens
+because the PMD entry from swapper_pg_dir was promoted to a
+huge-page entry while the current PGD still contains the
+non-leaf entry. Because both entries are present and point
+to a different page, the BUG_ON() triggers.
+
+This was actually triggered with pti-x32 enabled in a KVM
+virtual machine by the graphics driver.
+
+A real and better fix for that would be to improve the
+page-table handling in the generic ioremap() code. But that is
+out-of-scope for this patch-set and left for later work.
+
+Reported-by: David H. Gutteridge <dhgutteridge@sympatico.ca>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: David Laight <David.Laight@aculab.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: Eduardo Valentin <eduval@amazon.com>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: Jiri Kosina <jkosina@suse.cz>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Pavel Machek <pavel@ucw.cz>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Waiman Long <llong@redhat.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: aliguori@amazon.com
+Cc: daniel.gruss@iaik.tugraz.at
+Cc: hughd@google.com
+Cc: keescook@google.com
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180411152437.GC15462@8bytes.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/pgtable.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/x86/mm/pgtable.c
++++ b/arch/x86/mm/pgtable.c
+@@ -1,6 +1,7 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include <linux/mm.h>
+ #include <linux/gfp.h>
++#include <linux/hugetlb.h>
+ #include <asm/pgalloc.h>
+ #include <asm/pgtable.h>
+ #include <asm/tlb.h>
+@@ -636,6 +637,10 @@ int pud_set_huge(pud_t *pud, phys_addr_t
+ (mtrr != MTRR_TYPE_WRBACK))
+ return 0;
+
++ /* Bail out if we are we on a populated non-leaf entry: */
++ if (pud_present(*pud) && !pud_huge(*pud))
++ return 0;
++
+ prot = pgprot_4k_2_large(prot);
+
+ set_pte((pte_t *)pud, pfn_pte(
+@@ -664,6 +669,10 @@ int pmd_set_huge(pmd_t *pmd, phys_addr_t
+ return 0;
+ }
+
++ /* Bail out if we are we on a populated non-leaf entry: */
++ if (pmd_present(*pmd) && !pmd_huge(*pmd))
++ return 0;
++
+ prot = pgprot_4k_2_large(prot);
+
+ set_pte((pte_t *)pmd, pfn_pte(
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Samuel Neves <sneves@dei.uc.pt>
+Date: Wed, 21 Feb 2018 20:50:36 +0000
+Subject: x86/topology: Update the 'cpu cores' field in /proc/cpuinfo correctly across CPU hotplug operations
+
+From: Samuel Neves <sneves@dei.uc.pt>
+
+[ Upstream commit 4596749339e06dc7a424fc08a15eded850ed78b7 ]
+
+Without this fix, /proc/cpuinfo will display an incorrect amount
+of CPU cores, after bringing them offline and online again, as
+exemplified below:
+
+ $ cat /proc/cpuinfo | grep cores
+ cpu cores : 4
+ cpu cores : 8
+ cpu cores : 8
+ cpu cores : 20
+ cpu cores : 4
+ cpu cores : 3
+ cpu cores : 2
+ cpu cores : 2
+
+This patch fixes this by always zeroing the booted_cores variable
+upon turning off a logical CPU.
+
+Tested-by: Dou Liyang <douly.fnst@cn.fujitsu.com>
+Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: jgross@suse.com
+Cc: luto@kernel.org
+Cc: prarit@redhat.com
+Cc: vkuznets@redhat.com
+Link: http://lkml.kernel.org/r/20180221205036.5244-1-sneves@dei.uc.pt
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/smpboot.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -1516,6 +1516,7 @@ static void remove_siblinginfo(int cpu)
+ cpumask_clear(topology_core_cpumask(cpu));
+ c->phys_proc_id = 0;
+ c->cpu_core_id = 0;
++ c->booted_cores = 0;
+ cpumask_clear_cpu(cpu, cpu_sibling_setup_mask);
+ recompute_smt_state();
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 29 Mar 2018 12:01:53 +0300
+Subject: xen/acpi: off by one in read_acpi_id()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit c37a3c94775855567b90f91775b9691e10bd2806 ]
+
+If acpi_id is == nr_acpi_bits, then we access one element beyond the end
+of the acpi_psd[] array or we set one bit beyond the end of the bit map
+when we do __set_bit(acpi_id, acpi_id_present);
+
+Fixes: 59a568029181 ("xen/acpi-processor: C and P-state driver that uploads said data to hypervisor.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/xen-acpi-processor.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/xen/xen-acpi-processor.c
++++ b/drivers/xen/xen-acpi-processor.c
+@@ -362,9 +362,9 @@ read_acpi_id(acpi_handle handle, u32 lvl
+ }
+ /* There are more ACPI Processor objects than in x2APIC or MADT.
+ * This can happen with incorrect ACPI SSDT declerations. */
+- if (acpi_id > nr_acpi_bits) {
+- pr_debug("We only have %u, trying to set %u\n",
+- nr_acpi_bits, acpi_id);
++ if (acpi_id >= nr_acpi_bits) {
++ pr_debug("max acpi id %u, trying to set %u\n",
++ nr_acpi_bits - 1, acpi_id);
+ return AE_OK;
+ }
+ /* OK, There is a ACPI Processor object */
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Bhavesh Davda <bhavesh.davda@oracle.com>
+Date: Fri, 22 Dec 2017 14:17:13 -0800
+Subject: xen-blkfront: move negotiate_mq to cover all cases of new VBDs
+
+From: Bhavesh Davda <bhavesh.davda@oracle.com>
+
+[ Upstream commit 7ed8ce1c5fc7cf25b3602c73bef897a3466a6645 ]
+
+negotiate_mq should happen in all cases of a new VBD being discovered by
+xen-blkfront, whether called through _probe() or a hot-attached new VBD
+from dom-0 via xenstore. Otherwise, hot-attached new VBDs are left
+configured without multi-queue.
+
+Signed-off-by: Bhavesh Davda <bhavesh.davda@oracle.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/xen-blkfront.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/drivers/block/xen-blkfront.c
++++ b/drivers/block/xen-blkfront.c
+@@ -262,6 +262,7 @@ static DEFINE_SPINLOCK(minor_lock);
+
+ static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo);
+ static void blkfront_gather_backend_features(struct blkfront_info *info);
++static int negotiate_mq(struct blkfront_info *info);
+
+ static int get_id_from_freelist(struct blkfront_ring_info *rinfo)
+ {
+@@ -1774,11 +1775,18 @@ static int talk_to_blkback(struct xenbus
+ unsigned int i, max_page_order;
+ unsigned int ring_page_order;
+
++ if (!info)
++ return -ENODEV;
++
+ max_page_order = xenbus_read_unsigned(info->xbdev->otherend,
+ "max-ring-page-order", 0);
+ ring_page_order = min(xen_blkif_max_ring_order, max_page_order);
+ info->nr_ring_pages = 1 << ring_page_order;
+
++ err = negotiate_mq(info);
++ if (err)
++ goto destroy_blkring;
++
+ for (i = 0; i < info->nr_rings; i++) {
+ struct blkfront_ring_info *rinfo = &info->rinfo[i];
+
+@@ -1978,11 +1986,6 @@ static int blkfront_probe(struct xenbus_
+ }
+
+ info->xbdev = dev;
+- err = negotiate_mq(info);
+- if (err) {
+- kfree(info);
+- return err;
+- }
+
+ mutex_init(&info->mutex);
+ info->vdevice = vdevice;
+@@ -2099,10 +2102,6 @@ static int blkfront_resume(struct xenbus
+
+ blkif_free(info, info->connected == BLKIF_STATE_CONNECTED);
+
+- err = negotiate_mq(info);
+- if (err)
+- return err;
+-
+ err = talk_to_blkback(dev, info);
+ if (!err)
+ blk_mq_update_nr_hw_queues(&info->tag_set, info->nr_rings);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Wed, 28 Feb 2018 09:19:03 +0000
+Subject: xen/pirq: fix error path cleanup when binding MSIs
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+[ Upstream commit 910f8befdf5bccf25287d9f1743e3e546bcb7ce0 ]
+
+Current cleanup in the error path of xen_bind_pirq_msi_to_irq is
+wrong. First of all there's an off-by-one in the cleanup loop, which
+can lead to unbinding wrong IRQs.
+
+Secondly IRQs not bound won't be freed, thus leaking IRQ numbers.
+
+Note that there's no need to differentiate between bound and unbound
+IRQs when freeing them, __unbind_from_irq will deal with both of them
+correctly.
+
+Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups")
+Reported-by: Hooman Mirhadi <mirhadih@amazon.com>
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Amit Shah <aams@amazon.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/events/events_base.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -755,8 +755,8 @@ out:
+ mutex_unlock(&irq_mapping_update_lock);
+ return irq;
+ error_irq:
+- for (; i >= 0; i--)
+- __unbind_from_irq(irq + i);
++ while (nvec--)
++ __unbind_from_irq(irq + nvec);
+ mutex_unlock(&irq_mapping_update_lock);
+ return ret;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 22 Feb 2018 17:22:59 +0000
+Subject: xen/pvcalls: fix null pointer dereference on map->sock
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 68d2059be660944152ba667e43c3b4ec225974bc ]
+
+Currently if map is null then a potential null pointer deference
+occurs when calling sock_release on map->sock. I believe the
+actual intention was to call sock_release on sock instead. Fix
+this.
+
+Fixes: 5db4d286a8ef ("xen/pvcalls: implement connect command")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/pvcalls-back.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/xen/pvcalls-back.c
++++ b/drivers/xen/pvcalls-back.c
+@@ -424,7 +424,7 @@ static int pvcalls_back_connect(struct x
+ sock);
+ if (!map) {
+ ret = -EFAULT;
+- sock_release(map->sock);
++ sock_release(sock);
+ }
+
+ out:
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Tue, 6 Mar 2018 15:40:37 +0530
+Subject: xen: xenbus: use put_device() instead of kfree()
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+[ Upstream commit 351b2bccede1cb673ec7957b35ea997ea24c8884 ]
+
+Never directly free @dev after calling device_register(), even
+if it returned an error! Always use put_device() to give up the
+reference initialized.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/xenbus/xenbus_probe.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/xenbus/xenbus_probe.c
++++ b/drivers/xen/xenbus/xenbus_probe.c
+@@ -466,8 +466,11 @@ int xenbus_probe_node(struct xen_bus_typ
+
+ /* Register with generic device framework. */
+ err = device_register(&xendev->dev);
+- if (err)
++ if (err) {
++ put_device(&xendev->dev);
++ xendev = NULL;
+ goto fail;
++ }
+
+ return 0;
+ fail:
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sat, 17 Feb 2018 15:16:22 +0800
+Subject: xfrm: do not call rcu_read_unlock when afinfo is NULL in xfrm_get_tos
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 143a4454daaf0e80a2b9f37159a0d6d2b61e64ed ]
+
+When xfrm_policy_get_afinfo returns NULL, it will not hold rcu
+read lock. In this case, rcu_read_unlock should not be called
+in xfrm_get_tos, just like other places where it's calling
+xfrm_policy_get_afinfo.
+
+Fixes: f5e2bb4f5b22 ("xfrm: policy: xfrm_get_tos cannot fail")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_policy.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1459,10 +1459,13 @@ xfrm_tmpl_resolve(struct xfrm_policy **p
+ static int xfrm_get_tos(const struct flowi *fl, int family)
+ {
+ const struct xfrm_policy_afinfo *afinfo;
+- int tos = 0;
++ int tos;
+
+ afinfo = xfrm_policy_get_afinfo(family);
+- tos = afinfo ? afinfo->get_tos(fl) : 0;
++ if (!afinfo)
++ return 0;
++
++ tos = afinfo->get_tos(fl);
+
+ rcu_read_unlock();
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Wed, 28 Feb 2018 09:23:19 +0100
+Subject: xfrm: Fix ESN sequence number handling for IPsec GSO packets.
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit b8b549eec8187ac1b12075d69a2d84d89b5e811a ]
+
+When IPsec offloading was introduced, we accidentally incremented
+the sequence number counter on the xfrm_state by one packet
+too much in the ESN case. This leads to a sequence number gap of
+one packet after each GSO packet. Fix this by setting the sequence
+number to the correct value.
+
+Fixes: d7dbefc45cf5 ("xfrm: Add xfrm_replay_overflow functions for offloading")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_replay.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_replay.c
++++ b/net/xfrm/xfrm_replay.c
+@@ -658,7 +658,7 @@ static int xfrm_replay_overflow_offload_
+ } else {
+ XFRM_SKB_CB(skb)->seq.output.low = oseq + 1;
+ XFRM_SKB_CB(skb)->seq.output.hi = oseq_hi;
+- xo->seq.low = oseq = oseq + 1;
++ xo->seq.low = oseq + 1;
+ xo->seq.hi = oseq_hi;
+ oseq += skb_shinfo(skb)->gso_segs;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Fri, 16 Mar 2018 11:35:51 +0900
+Subject: xfrm: fix rcu_read_unlock usage in xfrm_local_error
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 46c0ef6e1eb95f619d9f62da4332749153db92f7 ]
+
+In the xfrm_local_error, rcu_read_unlock should be called when afinfo
+is not NULL. because xfrm_state_get_afinfo calls rcu_read_unlock
+if afinfo is NULL.
+
+Fixes: af5d27c4e12b ("xfrm: remove xfrm_state_put_afinfo")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_output.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -285,8 +285,9 @@ void xfrm_local_error(struct sk_buff *sk
+ return;
+
+ afinfo = xfrm_state_get_afinfo(proto);
+- if (afinfo)
++ if (afinfo) {
+ afinfo->local_error(skb, mtu);
+- rcu_read_unlock();
++ rcu_read_unlock();
++ }
+ }
+ EXPORT_SYMBOL_GPL(xfrm_local_error);
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Mon, 19 Mar 2018 07:15:39 +0100
+Subject: xfrm: Fix transport mode skb control buffer usage.
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit 9a3fb9fb84cc30577c1b012a6a3efda944684291 ]
+
+A recent commit introduced a new struct xfrm_trans_cb
+that is used with the sk_buff control buffer. Unfortunately
+it placed the structure in front of the control buffer and
+overlooked that the IPv4/IPv6 control buffer is still needed
+for some layer 4 protocols. As a result the IPv4/IPv6 control
+buffer is overwritten with this structure. Fix this by setting
+a apropriate header in front of the structure.
+
+Fixes acf568ee859f ("xfrm: Reinject transport-mode packets ...")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_input.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -26,6 +26,12 @@ struct xfrm_trans_tasklet {
+ };
+
+ struct xfrm_trans_cb {
++ union {
++ struct inet_skb_parm h4;
++#if IS_ENABLED(CONFIG_IPV6)
++ struct inet6_skb_parm h6;
++#endif
++ } header;
+ int (*finish)(struct net *net, struct sock *sk, struct sk_buff *skb);
+ };
+
--- /dev/null
+From foo@baz Tue May 1 16:18:19 PDT 2018
+From: Joe Lee <asmt.swfae@gmail.com>
+Date: Mon, 12 Feb 2018 14:24:46 +0200
+Subject: xhci: workaround for AMD Promontory disabled ports wakeup
+
+From: Joe Lee <asmt.swfae@gmail.com>
+
+[ Upstream commit bde0716d1f076e4c913c7946bcc858f71243c7a0 ]
+
+For AMD Promontory xHCI host, although you can disable USB ports in
+BIOS settings, those ports will be enabled anyway after you remove a
+device on that port and re-plug it in again. It's a known limitation of
+the chip. As a workaround we can clear the PORT_WAKE_BITS.
+
+[commit and code comment rephrasing -Mathias]
+Signed-off-by: Joe Lee <asmt.swfae@gmail.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/pci-quirks.c | 109 ++++++++++++++++++++++++++++++++++++++++++
+ drivers/usb/host/pci-quirks.h | 5 +
+ drivers/usb/host/xhci-hub.c | 7 ++
+ drivers/usb/host/xhci-pci.c | 11 ++++
+ drivers/usb/host/xhci.h | 2
+ 5 files changed, 133 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/pci-quirks.c
++++ b/drivers/usb/host/pci-quirks.c
+@@ -65,6 +65,23 @@
+ #define AX_INDXC 0x30
+ #define AX_DATAC 0x34
+
++#define PT_ADDR_INDX 0xE8
++#define PT_READ_INDX 0xE4
++#define PT_SIG_1_ADDR 0xA520
++#define PT_SIG_2_ADDR 0xA521
++#define PT_SIG_3_ADDR 0xA522
++#define PT_SIG_4_ADDR 0xA523
++#define PT_SIG_1_DATA 0x78
++#define PT_SIG_2_DATA 0x56
++#define PT_SIG_3_DATA 0x34
++#define PT_SIG_4_DATA 0x12
++#define PT4_P1_REG 0xB521
++#define PT4_P2_REG 0xB522
++#define PT2_P1_REG 0xD520
++#define PT2_P2_REG 0xD521
++#define PT1_P1_REG 0xD522
++#define PT1_P2_REG 0xD523
++
+ #define NB_PCIE_INDX_ADDR 0xe0
+ #define NB_PCIE_INDX_DATA 0xe4
+ #define PCIE_P_CNTL 0x10040
+@@ -512,6 +529,98 @@ void usb_amd_dev_put(void)
+ EXPORT_SYMBOL_GPL(usb_amd_dev_put);
+
+ /*
++ * Check if port is disabled in BIOS on AMD Promontory host.
++ * BIOS Disabled ports may wake on connect/disconnect and need
++ * driver workaround to keep them disabled.
++ * Returns true if port is marked disabled.
++ */
++bool usb_amd_pt_check_port(struct device *device, int port)
++{
++ unsigned char value, port_shift;
++ struct pci_dev *pdev;
++ u16 reg;
++
++ pdev = to_pci_dev(device);
++ pci_write_config_word(pdev, PT_ADDR_INDX, PT_SIG_1_ADDR);
++
++ pci_read_config_byte(pdev, PT_READ_INDX, &value);
++ if (value != PT_SIG_1_DATA)
++ return false;
++
++ pci_write_config_word(pdev, PT_ADDR_INDX, PT_SIG_2_ADDR);
++
++ pci_read_config_byte(pdev, PT_READ_INDX, &value);
++ if (value != PT_SIG_2_DATA)
++ return false;
++
++ pci_write_config_word(pdev, PT_ADDR_INDX, PT_SIG_3_ADDR);
++
++ pci_read_config_byte(pdev, PT_READ_INDX, &value);
++ if (value != PT_SIG_3_DATA)
++ return false;
++
++ pci_write_config_word(pdev, PT_ADDR_INDX, PT_SIG_4_ADDR);
++
++ pci_read_config_byte(pdev, PT_READ_INDX, &value);
++ if (value != PT_SIG_4_DATA)
++ return false;
++
++ /* Check disabled port setting, if bit is set port is enabled */
++ switch (pdev->device) {
++ case 0x43b9:
++ case 0x43ba:
++ /*
++ * device is AMD_PROMONTORYA_4(0x43b9) or PROMONTORYA_3(0x43ba)
++ * PT4_P1_REG bits[7..1] represents USB2.0 ports 6 to 0
++ * PT4_P2_REG bits[6..0] represents ports 13 to 7
++ */
++ if (port > 6) {
++ reg = PT4_P2_REG;
++ port_shift = port - 7;
++ } else {
++ reg = PT4_P1_REG;
++ port_shift = port + 1;
++ }
++ break;
++ case 0x43bb:
++ /*
++ * device is AMD_PROMONTORYA_2(0x43bb)
++ * PT2_P1_REG bits[7..5] represents USB2.0 ports 2 to 0
++ * PT2_P2_REG bits[5..0] represents ports 9 to 3
++ */
++ if (port > 2) {
++ reg = PT2_P2_REG;
++ port_shift = port - 3;
++ } else {
++ reg = PT2_P1_REG;
++ port_shift = port + 5;
++ }
++ break;
++ case 0x43bc:
++ /*
++ * device is AMD_PROMONTORYA_1(0x43bc)
++ * PT1_P1_REG[7..4] represents USB2.0 ports 3 to 0
++ * PT1_P2_REG[5..0] represents ports 9 to 4
++ */
++ if (port > 3) {
++ reg = PT1_P2_REG;
++ port_shift = port - 4;
++ } else {
++ reg = PT1_P1_REG;
++ port_shift = port + 4;
++ }
++ break;
++ default:
++ return false;
++ }
++ pci_write_config_word(pdev, PT_ADDR_INDX, reg);
++ pci_read_config_byte(pdev, PT_READ_INDX, &value);
++
++ return !(value & BIT(port_shift));
++}
++EXPORT_SYMBOL_GPL(usb_amd_pt_check_port);
++
++/*
+ * Make sure the controller is completely inactive, unable to
+ * generate interrupts or do DMA.
+ */
+--- a/drivers/usb/host/pci-quirks.h
++++ b/drivers/usb/host/pci-quirks.h
+@@ -17,6 +17,7 @@ void usb_enable_intel_xhci_ports(struct
+ void usb_disable_xhci_ports(struct pci_dev *xhci_pdev);
+ void sb800_prefetch(struct device *dev, int on);
+ bool usb_xhci_needs_pci_reset(struct pci_dev *pdev);
++bool usb_amd_pt_check_port(struct device *device, int port);
+ #else
+ struct pci_dev;
+ static inline void usb_amd_quirk_pll_disable(void) {}
+@@ -25,6 +26,10 @@ static inline void usb_asmedia_modifyflo
+ static inline void usb_amd_dev_put(void) {}
+ static inline void usb_disable_xhci_ports(struct pci_dev *xhci_pdev) {}
+ static inline void sb800_prefetch(struct device *dev, int on) {}
++static inline bool usb_amd_pt_check_port(struct device *device, int port)
++{
++ return false;
++}
+ #endif /* CONFIG_USB_PCI */
+
+ #endif /* __LINUX_USB_PCI_QUIRKS_H */
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -1531,6 +1531,13 @@ int xhci_bus_suspend(struct usb_hcd *hcd
+ t2 |= PORT_WKOC_E | PORT_WKCONN_E;
+ t2 &= ~PORT_WKDISC_E;
+ }
++
++ if ((xhci->quirks & XHCI_U2_DISABLE_WAKE) &&
++ (hcd->speed < HCD_USB3)) {
++ if (usb_amd_pt_check_port(hcd->self.controller,
++ port_index))
++ t2 &= ~PORT_WAKE_BITS;
++ }
+ } else
+ t2 &= ~PORT_WAKE_BITS;
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -54,6 +54,10 @@
+ #define PCI_DEVICE_ID_INTEL_APL_XHCI 0x5aa8
+ #define PCI_DEVICE_ID_INTEL_DNV_XHCI 0x19d0
+
++#define PCI_DEVICE_ID_AMD_PROMONTORYA_4 0x43b9
++#define PCI_DEVICE_ID_AMD_PROMONTORYA_3 0x43ba
++#define PCI_DEVICE_ID_AMD_PROMONTORYA_2 0x43bb
++#define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc
+ #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142
+
+ static const char hcd_name[] = "xhci_hcd";
+@@ -143,6 +147,13 @@ static void xhci_pci_quirks(struct devic
+ if (pdev->vendor == PCI_VENDOR_ID_AMD)
+ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
+
++ if ((pdev->vendor == PCI_VENDOR_ID_AMD) &&
++ ((pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_4) ||
++ (pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_3) ||
++ (pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_2) ||
++ (pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_1)))
++ xhci->quirks |= XHCI_U2_DISABLE_WAKE;
++
+ if (pdev->vendor == PCI_VENDOR_ID_INTEL) {
+ xhci->quirks |= XHCI_LPM_SUPPORT;
+ xhci->quirks |= XHCI_INTEL_HOST;
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1829,7 +1829,7 @@ struct xhci_hcd {
+ /* For controller with a broken Port Disable implementation */
+ #define XHCI_BROKEN_PORT_PED (1 << 25)
+ #define XHCI_LIMIT_ENDPOINT_INTERVAL_7 (1 << 26)
+-/* Reserved. It was XHCI_U2_DISABLE_WAKE */
++#define XHCI_U2_DISABLE_WAKE (1 << 27)
+ #define XHCI_ASMEDIA_MODIFY_FLOWCONTROL (1 << 28)
+ #define XHCI_SUSPEND_DELAY (1 << 30)
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Fri, 16 Mar 2018 16:33:01 +0200
+Subject: xhci: zero usb device slot_id member when disabling and freeing a xhci slot
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit a400efe455f7b61ac9a801ac8d0d01f8c8d82dd5 ]
+
+set udev->slot_id to zero when disabling and freeing the xhci slot.
+Prevents usb core from calling xhci with a stale slot id.
+
+xHC controller may be reset during resume to recover from some error.
+All slots are unusable as they are disabled and freed.
+xhci driver starts slot enumeration again from 1 in the order they are
+enabled. In the worst case a stale udev->slot_id for one device matches
+a newly enabled slot_id for a different device, causing us to
+perform a action on the wrong device.
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-mem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -926,6 +926,8 @@ void xhci_free_virt_device(struct xhci_h
+ if (dev->out_ctx)
+ xhci_free_container_ctx(xhci, dev->out_ctx);
+
++ if (dev->udev && dev->udev->slot_id)
++ dev->udev->slot_id = 0;
+ kfree(xhci->devs[slot_id]);
+ xhci->devs[slot_id] = NULL;
+ }
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Xidong Wang <wangxidong_97@163.com>
+Date: Tue, 10 Apr 2018 16:29:34 -0700
+Subject: z3fold: fix memory leak
+
+From: Xidong Wang <wangxidong_97@163.com>
+
+[ Upstream commit 1ec6995d1290bfb87cc3a51f0836c889e857cef9 ]
+
+In z3fold_create_pool(), the memory allocated by __alloc_percpu() is not
+released on the error path that pool->compact_wq , which holds the
+return value of create_singlethread_workqueue(), is NULL. This will
+result in a memory leak bug.
+
+[akpm@linux-foundation.org: fix oops on kzalloc() failure, check __alloc_percpu() retval]
+Link: http://lkml.kernel.org/r/1522803111-29209-1-git-send-email-wangxidong_97@163.com
+Signed-off-by: Xidong Wang <wangxidong_97@163.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Vitaly Wool <vitalywool@gmail.com>
+Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/z3fold.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/mm/z3fold.c
++++ b/mm/z3fold.c
+@@ -467,6 +467,8 @@ static struct z3fold_pool *z3fold_create
+ spin_lock_init(&pool->lock);
+ spin_lock_init(&pool->stale_lock);
+ pool->unbuddied = __alloc_percpu(sizeof(struct list_head)*NCHUNKS, 2);
++ if (!pool->unbuddied)
++ goto out_pool;
+ for_each_possible_cpu(cpu) {
+ struct list_head *unbuddied =
+ per_cpu_ptr(pool->unbuddied, cpu);
+@@ -479,7 +481,7 @@ static struct z3fold_pool *z3fold_create
+ pool->name = name;
+ pool->compact_wq = create_singlethread_workqueue(pool->name);
+ if (!pool->compact_wq)
+- goto out;
++ goto out_unbuddied;
+ pool->release_wq = create_singlethread_workqueue(pool->name);
+ if (!pool->release_wq)
+ goto out_wq;
+@@ -489,8 +491,11 @@ static struct z3fold_pool *z3fold_create
+
+ out_wq:
+ destroy_workqueue(pool->compact_wq);
+-out:
++out_unbuddied:
++ free_percpu(pool->unbuddied);
++out_pool:
+ kfree(pool);
++out:
+ return NULL;
+ }
+
--- /dev/null
+From foo@baz Tue May 1 16:18:20 PDT 2018
+From: Michael Schmitz <schmitzmic@gmail.com>
+Date: Sat, 3 Mar 2018 12:04:13 +1300
+Subject: zorro: Set up z->dev.dma_mask for the DMA API
+
+From: Michael Schmitz <schmitzmic@gmail.com>
+
+[ Upstream commit 55496d3fe2acd1a365c43cbd613a20ecd4d74395 ]
+
+The generic DMA API uses dev->dma_mask to check the DMA addressable
+memory bitmask, and warns if no mask is set or even allocated.
+
+Set z->dev.dma_coherent_mask on Zorro bus scan, and make z->dev.dma_mask
+to point to z->dev.dma_coherent_mask so device drivers that need DMA have
+everything set up to avoid warnings from dma_alloc_coherent(). Drivers can
+still use dma_set_mask_and_coherent() to explicitly set their DMA bit mask.
+
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+[geert: Handle Zorro II with 24-bit address space]
+Acked-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/zorro/zorro.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/zorro/zorro.c
++++ b/drivers/zorro/zorro.c
+@@ -16,6 +16,7 @@
+ #include <linux/bitops.h>
+ #include <linux/string.h>
+ #include <linux/platform_device.h>
++#include <linux/dma-mapping.h>
+ #include <linux/slab.h>
+
+ #include <asm/byteorder.h>
+@@ -185,6 +186,17 @@ static int __init amiga_zorro_probe(stru
+ z->dev.parent = &bus->dev;
+ z->dev.bus = &zorro_bus_type;
+ z->dev.id = i;
++ switch (z->rom.er_Type & ERT_TYPEMASK) {
++ case ERT_ZORROIII:
++ z->dev.coherent_dma_mask = DMA_BIT_MASK(32);
++ break;
++
++ case ERT_ZORROII:
++ default:
++ z->dev.coherent_dma_mask = DMA_BIT_MASK(24);
++ break;
++ }
++ z->dev.dma_mask = &z->dev.coherent_dma_mask;
+ }
+
+ /* ... then register them */
projects / thirdparty / kernel / stable-queue.git / commitdiff
