--- /dev/null
+From 887cd8a880f552e02b7878e3399010c7379fbe59 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Tue, 12 Mar 2019 12:28:03 -0700
+Subject: acpi/nfit: Always dump _DSM output payload
+
+[ Upstream commit 351f339faa308c1c1461314a18c832239a841ca0 ]
+
+The dynamic-debug statements for command payload output only get emitted
+when the command is not ND_CMD_CALL. Move the output payload dumping
+ahead of the early return path for ND_CMD_CALL.
+
+Fixes: 31eca76ba2fc9 ("...whitelisted dimm command marshaling mechanism")
+Reported-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/nfit/core.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
+index 4be4dc3e8aa62..38ec79bb3edde 100644
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -563,6 +563,12 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
+ goto out;
+ }
+
++ dev_dbg(dev, "%s cmd: %s output length: %d\n", dimm_name,
++ cmd_name, out_obj->buffer.length);
++ print_hex_dump_debug(cmd_name, DUMP_PREFIX_OFFSET, 4, 4,
++ out_obj->buffer.pointer,
++ min_t(u32, 128, out_obj->buffer.length), true);
++
+ if (call_pkg) {
+ call_pkg->nd_fw_size = out_obj->buffer.length;
+ memcpy(call_pkg->nd_payload + call_pkg->nd_size_in,
+@@ -581,12 +587,6 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
+ return 0;
+ }
+
+- dev_dbg(dev, "%s cmd: %s output length: %d\n", dimm_name,
+- cmd_name, out_obj->buffer.length);
+- print_hex_dump_debug(cmd_name, DUMP_PREFIX_OFFSET, 4, 4,
+- out_obj->buffer.pointer,
+- min_t(u32, 128, out_obj->buffer.length), true);
+-
+ for (i = 0, offset = 0; i < desc->out_num; i++) {
+ u32 out_size = nd_cmd_out_size(nvdimm, cmd, desc, i, buf,
+ (u32 *) out_obj->buffer.pointer,
+--
+2.20.1
+
--- /dev/null
+From 764c2884d1dc5d7e1edd2f1c7aabaaa9b55af9ae Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Sat, 13 Apr 2019 08:37:37 +0100
+Subject: afs: Fix in-progess ops to ignore server-level callback invalidation
+
+[ Upstream commit eeba1e9cf31d064284dd1fa7bd6cfe01395bd03d ]
+
+The in-kernel afs filesystem client counts the number of server-level
+callback invalidation events (CB.InitCallBackState* RPC operations) that it
+receives from the server. This is stored in cb_s_break in various
+structures, including afs_server and afs_vnode.
+
+If an inode is examined by afs_validate(), say, the afs_server copy is
+compared, along with other break counters, to those in afs_vnode, and if
+one or more of the counters do not match, it is considered that the
+server's callback promise is broken. At points where this happens,
+AFS_VNODE_CB_PROMISED is cleared to indicate that the status must be
+refetched from the server.
+
+afs_validate() issues an FS.FetchStatus operation to get updated metadata -
+and based on the updated data_version may invalidate the pagecache too.
+
+However, the break counters are also used to determine whether to note a
+new callback in the vnode (which would set the AFS_VNODE_CB_PROMISED flag)
+and whether to cache the permit data included in the YFSFetchStatus record
+by the server.
+
+The problem comes when the server sends us a CB.InitCallBackState op. The
+first such instance doesn't cause cb_s_break to be incremented, but rather
+causes AFS_SERVER_FL_NEW to be cleared - but thereafter, say some hours
+after last use and all the volumes have been automatically unmounted and
+the server has forgotten about the client[*], this *will* likely cause an
+increment.
+
+ [*] There are other circumstances too, such as the server restarting or
+ needing to make space in its callback table.
+
+Note that the server won't send us a CB.InitCallBackState op until we talk
+to it again.
+
+So what happens is:
+
+ (1) A mount for a new volume is attempted, a inode is created for the root
+ vnode and vnode->cb_s_break and AFS_VNODE_CB_PROMISED aren't set
+ immediately, as we don't have a nominated server to talk to yet - and
+ we may iterate through a few to find one.
+
+ (2) Before the operation happens, afs_fetch_status(), say, notes in the
+ cursor (fc.cb_break) the break counter sum from the vnode, volume and
+ server counters, but the server->cb_s_break is currently 0.
+
+ (3) We send FS.FetchStatus to the server. The server sends us back
+ CB.InitCallBackState. We increment server->cb_s_break.
+
+ (4) Our FS.FetchStatus completes. The reply includes a callback record.
+
+ (5) xdr_decode_AFSCallBack()/xdr_decode_YFSCallBack() check to see whether
+ the callback promise was broken by checking the break counter sum from
+ step (2) against the current sum.
+
+ This fails because of step (3), so we don't set the callback record
+ and, importantly, don't set AFS_VNODE_CB_PROMISED on the vnode.
+
+This does not preclude the syscall from progressing, and we don't loop here
+rechecking the status, but rather assume it's good enough for one round
+only and will need to be rechecked next time.
+
+ (6) afs_validate() it triggered on the vnode, probably called from
+ d_revalidate() checking the parent directory.
+
+ (7) afs_validate() notes that AFS_VNODE_CB_PROMISED isn't set, so doesn't
+ update vnode->cb_s_break and assumes the vnode to be invalid.
+
+ (8) afs_validate() needs to calls afs_fetch_status(). Go back to step (2)
+ and repeat, every time the vnode is validated.
+
+This primarily affects volume root dir vnodes. Everything subsequent to
+those inherit an already incremented cb_s_break upon mounting.
+
+The issue is that we assume that the callback record and the cached permit
+information in a reply from the server can't be trusted after getting a
+server break - but this is wrong since the server makes sure things are
+done in the right order, holding up our ops if necessary[*].
+
+ [*] There is an extremely unlikely scenario where a reply from before the
+ CB.InitCallBackState could get its delivery deferred till after - at
+ which point we think we have a promise when we don't. This, however,
+ requires unlucky mass packet loss to one call.
+
+AFS_SERVER_FL_NEW tries to paper over the cracks for the initial mount from
+a server we've never contacted before, but this should be unnecessary.
+It's also further insulated from the problem on an initial mount by
+querying the server first with FS.GetCapabilities, which triggers the
+CB.InitCallBackState.
+
+Fix this by
+
+ (1) Remove AFS_SERVER_FL_NEW.
+
+ (2) In afs_calc_vnode_cb_break(), don't include cb_s_break in the
+ calculation.
+
+ (3) In afs_cb_is_broken(), don't include cb_s_break in the check.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/callback.c | 3 +--
+ fs/afs/internal.h | 4 +---
+ fs/afs/server.c | 1 -
+ 3 files changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/fs/afs/callback.c b/fs/afs/callback.c
+index 1c7955f5cdaf2..128f2dbe256a4 100644
+--- a/fs/afs/callback.c
++++ b/fs/afs/callback.c
+@@ -203,8 +203,7 @@ void afs_put_cb_interest(struct afs_net *net, struct afs_cb_interest *cbi)
+ */
+ void afs_init_callback_state(struct afs_server *server)
+ {
+- if (!test_and_clear_bit(AFS_SERVER_FL_NEW, &server->flags))
+- server->cb_s_break++;
++ server->cb_s_break++;
+ }
+
+ /*
+diff --git a/fs/afs/internal.h b/fs/afs/internal.h
+index 8871b9e8645f1..465526f495b01 100644
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -475,7 +475,6 @@ struct afs_server {
+ time64_t put_time; /* Time at which last put */
+ time64_t update_at; /* Time at which to next update the record */
+ unsigned long flags;
+-#define AFS_SERVER_FL_NEW 0 /* New server, don't inc cb_s_break */
+ #define AFS_SERVER_FL_NOT_READY 1 /* The record is not ready for use */
+ #define AFS_SERVER_FL_NOT_FOUND 2 /* VL server says no such server */
+ #define AFS_SERVER_FL_VL_FAIL 3 /* Failed to access VL server */
+@@ -828,7 +827,7 @@ static inline struct afs_cb_interest *afs_get_cb_interest(struct afs_cb_interest
+
+ static inline unsigned int afs_calc_vnode_cb_break(struct afs_vnode *vnode)
+ {
+- return vnode->cb_break + vnode->cb_s_break + vnode->cb_v_break;
++ return vnode->cb_break + vnode->cb_v_break;
+ }
+
+ static inline bool afs_cb_is_broken(unsigned int cb_break,
+@@ -836,7 +835,6 @@ static inline bool afs_cb_is_broken(unsigned int cb_break,
+ const struct afs_cb_interest *cbi)
+ {
+ return !cbi || cb_break != (vnode->cb_break +
+- cbi->server->cb_s_break +
+ vnode->volume->cb_v_break);
+ }
+
+diff --git a/fs/afs/server.c b/fs/afs/server.c
+index 642afa2e9783c..65b33b6da48b9 100644
+--- a/fs/afs/server.c
++++ b/fs/afs/server.c
+@@ -226,7 +226,6 @@ static struct afs_server *afs_alloc_server(struct afs_net *net,
+ RCU_INIT_POINTER(server->addresses, alist);
+ server->addr_version = alist->version;
+ server->uuid = *uuid;
+- server->flags = (1UL << AFS_SERVER_FL_NEW);
+ server->update_at = ktime_get_real_seconds() + afs_server_update_delay;
+ rwlock_init(&server->fs_lock);
+ INIT_HLIST_HEAD(&server->cb_volumes);
+--
+2.20.1
+
--- /dev/null
+From 5219b4becbf26f799511e60bbdb956cff3986391 Mon Sep 17 00:00:00 2001
+From: Marc Dionne <marc.dionne@auristor.com>
+Date: Sat, 13 Apr 2019 08:37:37 +0100
+Subject: afs: Unlock pages for __pagevec_release()
+
+[ Upstream commit 21bd68f196ca91fc0f3d9bd1b32f6e530e8c1c88 ]
+
+__pagevec_release() complains loudly if any page in the vector is still
+locked. The pages need to be locked for generic_error_remove_page(), but
+that function doesn't actually unlock them.
+
+Unlock the pages afterwards.
+
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Jonathan Billings <jsbillin@umich.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/write.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/afs/write.c b/fs/afs/write.c
+index 72efcfcf9f95e..0122d7445fba1 100644
+--- a/fs/afs/write.c
++++ b/fs/afs/write.c
+@@ -264,6 +264,7 @@ static void afs_kill_pages(struct address_space *mapping,
+ first = page->index + 1;
+ lock_page(page);
+ generic_error_remove_page(mapping, page);
++ unlock_page(page);
+ }
+
+ __pagevec_release(&pv);
+--
+2.20.1
+
--- /dev/null
+From d8ca9c5bb9119153e04a04d19a3886fcb746fa57 Mon Sep 17 00:00:00 2001
+From: Tigran Tadevosyan <tigran.tadevosyan@arm.com>
+Date: Fri, 5 Apr 2019 14:16:13 +0100
+Subject: ARM: 8856/1: NOMMU: Fix CCR register faulty initialization when MPU
+ is disabled
+
+[ Upstream commit c3143967807adb1357c36b68a7563fc0c4e1f615 ]
+
+When CONFIG_ARM_MPU is not defined, the base address of v7M SCB register
+is not initialized with correct value. This prevents enabling I/D caches
+when the L1 cache poilcy is applied in kernel.
+
+Fixes: 3c24121039c9da14692eb48f6e39565b28c0f3cf ("ARM: 8756/1: NOMMU: Postpone MPU activation till __after_proc_init")
+Signed-off-by: Tigran Tadevosyan <tigran.tadevosyan@arm.com>
+Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/head-nommu.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/kernel/head-nommu.S b/arch/arm/kernel/head-nommu.S
+index ec29de2500764..cab89479d15ef 100644
+--- a/arch/arm/kernel/head-nommu.S
++++ b/arch/arm/kernel/head-nommu.S
+@@ -133,9 +133,9 @@ __secondary_data:
+ */
+ .text
+ __after_proc_init:
+-#ifdef CONFIG_ARM_MPU
+ M_CLASS(movw r12, #:lower16:BASEADDR_V7M_SCB)
+ M_CLASS(movt r12, #:upper16:BASEADDR_V7M_SCB)
++#ifdef CONFIG_ARM_MPU
+ M_CLASS(ldr r3, [r12, 0x50])
+ AR_CLASS(mrc p15, 0, r3, c0, c1, 4) @ Read ID_MMFR0
+ and r3, r3, #(MMFR0_PMSA) @ PMSA field
+--
+2.20.1
+
--- /dev/null
+From 26c775c98b9eaa9a13e4388555b7c67655fc0c46 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Tue, 23 Apr 2019 17:09:38 +0100
+Subject: ARM: fix function graph tracer and unwinder dependencies
+
+[ Upstream commit 503621628b32782a07b2318e4112bd4372aa3401 ]
+
+Naresh Kamboju recently reported that the function-graph tracer crashes
+on ARM. The function-graph tracer assumes that the kernel is built with
+frame pointers.
+
+We explicitly disabled the function-graph tracer when building Thumb2,
+since the Thumb2 ABI doesn't have frame pointers.
+
+We recently changed the way the unwinder method was selected, which
+seems to have made it more likely that we can end up with the function-
+graph tracer enabled but without the kernel built with frame pointers.
+
+Fix up the function graph tracer dependencies so the option is not
+available when we have no possibility of having frame pointers, and
+adjust the dependencies on the unwinder option to hide the non-frame
+pointer unwinder options if the function-graph tracer is enabled.
+
+Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/Kconfig | 2 +-
+ arch/arm/Kconfig.debug | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index e5d56d9b712c2..3b353af9c48dc 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -69,7 +69,7 @@ config ARM
+ select HAVE_EFFICIENT_UNALIGNED_ACCESS if (CPU_V6 || CPU_V6K || CPU_V7) && MMU
+ select HAVE_EXIT_THREAD
+ select HAVE_FTRACE_MCOUNT_RECORD if !XIP_KERNEL
+- select HAVE_FUNCTION_GRAPH_TRACER if !THUMB2_KERNEL
++ select HAVE_FUNCTION_GRAPH_TRACER if !THUMB2_KERNEL && !CC_IS_CLANG
+ select HAVE_FUNCTION_TRACER if !XIP_KERNEL
+ select HAVE_GCC_PLUGINS
+ select HAVE_GENERIC_DMA_COHERENT
+diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
+index 6d6e0330930b5..e388af4594a6e 100644
+--- a/arch/arm/Kconfig.debug
++++ b/arch/arm/Kconfig.debug
+@@ -47,8 +47,8 @@ config DEBUG_WX
+
+ choice
+ prompt "Choose kernel unwinder"
+- default UNWINDER_ARM if AEABI && !FUNCTION_GRAPH_TRACER
+- default UNWINDER_FRAME_POINTER if !AEABI || FUNCTION_GRAPH_TRACER
++ default UNWINDER_ARM if AEABI
++ default UNWINDER_FRAME_POINTER if !AEABI
+ help
+ This determines which method will be used for unwinding kernel stack
+ traces for panics, oopses, bugs, warnings, perf, /proc/<pid>/stack,
+@@ -65,7 +65,7 @@ config UNWINDER_FRAME_POINTER
+
+ config UNWINDER_ARM
+ bool "ARM EABI stack unwinder"
+- depends on AEABI
++ depends on AEABI && !FUNCTION_GRAPH_TRACER
+ select ARM_UNWIND
+ help
+ This option enables stack unwinding support in the kernel
+--
+2.20.1
+
--- /dev/null
+From 9df378e2bb9616efba8df7945e5345965928faf8 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Fri, 12 Apr 2019 23:59:25 -0700
+Subject: arm64/module: ftrace: deal with place relative nature of PLTs
+
+[ Upstream commit 4e69ecf4da1ee0b2ac735e1f1bb13935acd5a38d ]
+
+Another bodge for the ftrace PLT code: plt_entries_equal() now takes
+the place relative nature of the ADRP/ADD based PLT entries into
+account, which means that a struct trampoline instance on the stack
+is no longer equal to the same set of opcodes in the module struct,
+given that they don't point to the same place in memory anymore.
+
+Work around this by using memcmp() in the ftrace PLT handling code.
+
+Acked-by: Will Deacon <will.deacon@arm.com>
+Tested-by: dann frazier <dann.frazier@canonical.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/ftrace.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/kernel/ftrace.c b/arch/arm64/kernel/ftrace.c
+index 07b2981201820..65a51331088eb 100644
+--- a/arch/arm64/kernel/ftrace.c
++++ b/arch/arm64/kernel/ftrace.c
+@@ -103,10 +103,15 @@ int ftrace_make_call(struct dyn_ftrace *rec, unsigned long addr)
+ * to be revisited if support for multiple ftrace entry points
+ * is added in the future, but for now, the pr_err() below
+ * deals with a theoretical issue only.
++ *
++ * Note that PLTs are place relative, and plt_entries_equal()
++ * checks whether they point to the same target. Here, we need
++ * to check if the actual opcodes are in fact identical,
++ * regardless of the offset in memory so use memcmp() instead.
+ */
+ trampoline = get_plt_entry(addr, mod->arch.ftrace_trampoline);
+- if (!plt_entries_equal(mod->arch.ftrace_trampoline,
+- &trampoline)) {
++ if (memcmp(mod->arch.ftrace_trampoline, &trampoline,
++ sizeof(trampoline))) {
+ if (plt_entry_is_initialized(mod->arch.ftrace_trampoline)) {
+ pr_err("ftrace: far branches to multiple entry points unsupported inside a single module\n");
+ return -EINVAL;
+--
+2.20.1
+
--- /dev/null
+From c2f00e9664a0b9d52b8a60edf35b01a32b356683 Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Wed, 6 Mar 2019 14:35:15 -0500
+Subject: bpf: only test gso type on gso packets
+
+[ Upstream commit 4c3024debf62de4c6ac6d3cb4c0063be21d4f652 ]
+
+BPF can adjust gso only for tcp bytestreams. Fail on other gso types.
+
+But only on gso packets. It does not touch this field if !gso_size.
+
+Fixes: b90efd225874 ("bpf: only adjust gso_size on bytestream protocols")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+---
+ include/linux/skbuff.h | 4 ++--
+ net/core/filter.c | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index bdb9563c64a01..b8679dcba96f8 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -4212,10 +4212,10 @@ static inline bool skb_is_gso_sctp(const struct sk_buff *skb)
+ return skb_shinfo(skb)->gso_type & SKB_GSO_SCTP;
+ }
+
++/* Note: Should be called only if skb_is_gso(skb) is true */
+ static inline bool skb_is_gso_tcp(const struct sk_buff *skb)
+ {
+- return skb_is_gso(skb) &&
+- skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6);
++ return skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6);
+ }
+
+ static inline void skb_gso_reset(struct sk_buff *skb)
+diff --git a/net/core/filter.c b/net/core/filter.c
+index f7d0004fc1609..ff07996515f2d 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -2789,7 +2789,7 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb)
+ u32 off = skb_mac_header_len(skb);
+ int ret;
+
+- if (!skb_is_gso_tcp(skb))
++ if (skb_is_gso(skb) && !skb_is_gso_tcp(skb))
+ return -ENOTSUPP;
+
+ ret = skb_cow(skb, len_diff);
+@@ -2830,7 +2830,7 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb)
+ u32 off = skb_mac_header_len(skb);
+ int ret;
+
+- if (!skb_is_gso_tcp(skb))
++ if (skb_is_gso(skb) && !skb_is_gso_tcp(skb))
+ return -ENOTSUPP;
+
+ ret = skb_unclone(skb, GFP_ATOMIC);
+@@ -2955,7 +2955,7 @@ static int bpf_skb_net_grow(struct sk_buff *skb, u32 len_diff)
+ u32 off = skb_mac_header_len(skb) + bpf_skb_net_base_len(skb);
+ int ret;
+
+- if (!skb_is_gso_tcp(skb))
++ if (skb_is_gso(skb) && !skb_is_gso_tcp(skb))
+ return -ENOTSUPP;
+
+ ret = skb_cow(skb, len_diff);
+@@ -2984,7 +2984,7 @@ static int bpf_skb_net_shrink(struct sk_buff *skb, u32 len_diff)
+ u32 off = skb_mac_header_len(skb) + bpf_skb_net_base_len(skb);
+ int ret;
+
+- if (!skb_is_gso_tcp(skb))
++ if (skb_is_gso(skb) && !skb_is_gso_tcp(skb))
+ return -ENOTSUPP;
+
+ ret = skb_unclone(skb, GFP_ATOMIC);
+--
+2.20.1
+
--- /dev/null
+From aa11d7001062610d545f09985c32976537d30544 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Mon, 15 Apr 2019 12:00:42 -0400
+Subject: ceph: handle the case where a dentry has been renamed on outstanding
+ req
+
+[ Upstream commit 4b8222870032715f9d995f3eb7c7acd8379a275d ]
+
+It's possible for us to issue a lookup to revalidate a dentry
+concurrently with a rename. If done in the right order, then we could
+end up processing dentry info in the reply that no longer reflects the
+state of the dentry.
+
+If req->r_dentry->d_name differs from the one in the trace, then just
+ignore the trace in the reply. We only need to do this however if the
+parent's i_rwsem is not held.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/inode.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
+index f7f9e305aaf87..fd3db2e112d6e 100644
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -1152,6 +1152,19 @@ static int splice_dentry(struct dentry **pdn, struct inode *in)
+ return 0;
+ }
+
++static int d_name_cmp(struct dentry *dentry, const char *name, size_t len)
++{
++ int ret;
++
++ /* take d_lock to ensure dentry->d_name stability */
++ spin_lock(&dentry->d_lock);
++ ret = dentry->d_name.len - len;
++ if (!ret)
++ ret = memcmp(dentry->d_name.name, name, len);
++ spin_unlock(&dentry->d_lock);
++ return ret;
++}
++
+ /*
+ * Incorporate results into the local cache. This is either just
+ * one inode, or a directory, dentry, and possibly linked-to inode (e.g.,
+@@ -1401,7 +1414,8 @@ int ceph_fill_trace(struct super_block *sb, struct ceph_mds_request *req)
+ err = splice_dentry(&req->r_dentry, in);
+ if (err < 0)
+ goto done;
+- } else if (rinfo->head->is_dentry) {
++ } else if (rinfo->head->is_dentry &&
++ !d_name_cmp(req->r_dentry, rinfo->dname, rinfo->dname_len)) {
+ struct ceph_vino *ptvino = NULL;
+
+ if ((le32_to_cpu(rinfo->diri.in->cap.caps) & CEPH_CAP_FILE_SHARED) ||
+--
+2.20.1
+
--- /dev/null
+From 9f7b50168622ca618333fd21df02ea9952dba4bc Mon Sep 17 00:00:00 2001
+From: Ilan Peer <ilan.peer@intel.com>
+Date: Fri, 15 Mar 2019 17:39:00 +0200
+Subject: cfg80211: Handle WMM rules in regulatory domain intersection
+
+[ Upstream commit 08a75a887ee46828b54600f4bb7068d872a5edd5 ]
+
+The support added for regulatory WMM rules did not handle
+the case of regulatory domain intersections. Fix it.
+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Fixes: 230ebaa189af ("cfg80211: read wmm rules from regulatory database")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/reg.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index dd58b9909ac99..649c89946dec1 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -1298,6 +1298,16 @@ reg_intersect_dfs_region(const enum nl80211_dfs_regions dfs_region1,
+ return dfs_region1;
+ }
+
++static void reg_wmm_rules_intersect(const struct ieee80211_wmm_ac *wmm_ac1,
++ const struct ieee80211_wmm_ac *wmm_ac2,
++ struct ieee80211_wmm_ac *intersect)
++{
++ intersect->cw_min = max_t(u16, wmm_ac1->cw_min, wmm_ac2->cw_min);
++ intersect->cw_max = max_t(u16, wmm_ac1->cw_max, wmm_ac2->cw_max);
++ intersect->cot = min_t(u16, wmm_ac1->cot, wmm_ac2->cot);
++ intersect->aifsn = max_t(u8, wmm_ac1->aifsn, wmm_ac2->aifsn);
++}
++
+ /*
+ * Helper for regdom_intersect(), this does the real
+ * mathematical intersection fun
+@@ -1312,6 +1322,8 @@ static int reg_rules_intersect(const struct ieee80211_regdomain *rd1,
+ struct ieee80211_freq_range *freq_range;
+ const struct ieee80211_power_rule *power_rule1, *power_rule2;
+ struct ieee80211_power_rule *power_rule;
++ const struct ieee80211_wmm_rule *wmm_rule1, *wmm_rule2;
++ struct ieee80211_wmm_rule *wmm_rule;
+ u32 freq_diff, max_bandwidth1, max_bandwidth2;
+
+ freq_range1 = &rule1->freq_range;
+@@ -1322,6 +1334,10 @@ static int reg_rules_intersect(const struct ieee80211_regdomain *rd1,
+ power_rule2 = &rule2->power_rule;
+ power_rule = &intersected_rule->power_rule;
+
++ wmm_rule1 = &rule1->wmm_rule;
++ wmm_rule2 = &rule2->wmm_rule;
++ wmm_rule = &intersected_rule->wmm_rule;
++
+ freq_range->start_freq_khz = max(freq_range1->start_freq_khz,
+ freq_range2->start_freq_khz);
+ freq_range->end_freq_khz = min(freq_range1->end_freq_khz,
+@@ -1365,6 +1381,29 @@ static int reg_rules_intersect(const struct ieee80211_regdomain *rd1,
+ intersected_rule->dfs_cac_ms = max(rule1->dfs_cac_ms,
+ rule2->dfs_cac_ms);
+
++ if (rule1->has_wmm && rule2->has_wmm) {
++ u8 ac;
++
++ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
++ reg_wmm_rules_intersect(&wmm_rule1->client[ac],
++ &wmm_rule2->client[ac],
++ &wmm_rule->client[ac]);
++ reg_wmm_rules_intersect(&wmm_rule1->ap[ac],
++ &wmm_rule2->ap[ac],
++ &wmm_rule->ap[ac]);
++ }
++
++ intersected_rule->has_wmm = true;
++ } else if (rule1->has_wmm) {
++ *wmm_rule = *wmm_rule1;
++ intersected_rule->has_wmm = true;
++ } else if (rule2->has_wmm) {
++ *wmm_rule = *wmm_rule2;
++ intersected_rule->has_wmm = true;
++ } else {
++ intersected_rule->has_wmm = false;
++ }
++
+ if (!is_valid_reg_rule(intersected_rule))
+ return -EINVAL;
+
+--
+2.20.1
+
--- /dev/null
+From db45233e26be769174428fd44f6ca990f08fe132 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 5 Mar 2019 14:24:48 +0100
+Subject: clocksource/drivers/npcm: select TIMER_OF
+
+[ Upstream commit 99834eead2a04e93a120abb112542b87c42ff5e1 ]
+
+When this is disabled, we get a link failure:
+
+drivers/clocksource/timer-npcm7xx.o: In function `npcm7xx_timer_init':
+timer-npcm7xx.c:(.init.text+0xf): undefined reference to `timer_of_init'
+
+Fixes: 1c00289ecd12 ("clocksource/drivers/npcm: Add NPCM7xx timer driver")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clocksource/Kconfig b/drivers/clocksource/Kconfig
+index 8dfd3bc448d04..9df90daa9c030 100644
+--- a/drivers/clocksource/Kconfig
++++ b/drivers/clocksource/Kconfig
+@@ -144,6 +144,7 @@ config VT8500_TIMER
+ config NPCM7XX_TIMER
+ bool "NPCM7xx timer driver" if COMPILE_TEST
+ depends on HAS_IOMEM
++ select TIMER_OF
+ select CLKSRC_MMIO
+ help
+ Enable 24-bit TIMER0 and TIMER1 counters in the NPCM7xx architecture,
+--
+2.20.1
+
--- /dev/null
+From ab66aaec1bdd775b0a96ca0d4b935f7c474cbc69 Mon Sep 17 00:00:00 2001
+From: Neil Armstrong <narmstrong@baylibre.com>
+Date: Tue, 12 Mar 2019 11:32:56 +0100
+Subject: clocksource/drivers/oxnas: Fix OX820 compatible
+
+[ Upstream commit fbc87aa0f7c429999dc31f1bac3b2615008cac32 ]
+
+The OX820 compatible is wrong is the driver, fix it.
+
+Fixes: 2ea3401e2a84 ("clocksource/drivers/oxnas: Add OX820 compatible")
+Reported-by: Daniel Golle <daniel@makrotopia.org>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-oxnas-rps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clocksource/timer-oxnas-rps.c b/drivers/clocksource/timer-oxnas-rps.c
+index eed6feff8b5f2..30c6f4ce672b3 100644
+--- a/drivers/clocksource/timer-oxnas-rps.c
++++ b/drivers/clocksource/timer-oxnas-rps.c
+@@ -296,4 +296,4 @@ static int __init oxnas_rps_timer_init(struct device_node *np)
+ TIMER_OF_DECLARE(ox810se_rps,
+ "oxsemi,ox810se-rps-timer", oxnas_rps_timer_init);
+ TIMER_OF_DECLARE(ox820_rps,
+- "oxsemi,ox820se-rps-timer", oxnas_rps_timer_init);
++ "oxsemi,ox820-rps-timer", oxnas_rps_timer_init);
+--
+2.20.1
+
--- /dev/null
+From 944f20abed6f83a813bc8e594c71b085ac375d9f Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Mon, 1 Apr 2019 20:38:19 +0200
+Subject: dmaengine: bcm2835: Avoid GFP_KERNEL in device_prep_slave_sg
+
+[ Upstream commit f147384774a7b24dda4783a3dcd61af272757ea8 ]
+
+The commit af19b7ce76ba ("mmc: bcm2835: Avoid possible races on
+data requests") introduces a possible circular locking dependency,
+which is triggered by swapping to the sdhost interface.
+
+So instead of reintroduce the race condition again, we could also
+avoid this situation by using GFP_NOWAIT for the allocation of the
+DMA buffer descriptors.
+
+Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Fixes: af19b7ce76ba ("mmc: bcm2835: Avoid possible races on data requests")
+Link: http://lists.infradead.org/pipermail/linux-rpi-kernel/2019-March/008615.html
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/bcm2835-dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/bcm2835-dma.c b/drivers/dma/bcm2835-dma.c
+index ae10f5614f953..bf51192036378 100644
+--- a/drivers/dma/bcm2835-dma.c
++++ b/drivers/dma/bcm2835-dma.c
+@@ -674,7 +674,7 @@ static struct dma_async_tx_descriptor *bcm2835_dma_prep_slave_sg(
+ d = bcm2835_dma_create_cb_chain(chan, direction, false,
+ info, extra,
+ frames, src, dst, 0, 0,
+- GFP_KERNEL);
++ GFP_NOWAIT);
+ if (!d)
+ return NULL;
+
+--
+2.20.1
+
--- /dev/null
+From 68e21c6c44e19c77565a2756e29e40a324726bc7 Mon Sep 17 00:00:00 2001
+From: Martin Leung <martin.leung@amd.com>
+Date: Tue, 26 Mar 2019 13:14:11 -0400
+Subject: drm/amd/display: extending AUX SW Timeout
+
+[ Upstream commit f4bbebf8e7eb4d294b040ab2d2ba71e70e69b930 ]
+
+[Why]
+AUX takes longer to reply when using active DP-DVI dongle on some asics
+resulting in up to 2000+ us edid read (timeout).
+
+[How]
+1. Adjust AUX poll to match spec
+2. Extend the SW timeout. This does not affect normal
+operation since we exit the loop as soon as AUX acks.
+
+Signed-off-by: Martin Leung <martin.leung@amd.com>
+Reviewed-by: Jun Lei <Jun.Lei@amd.com>
+Acked-by: Joshua Aberback <Joshua.Aberback@amd.com>
+Acked-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dce/dce_aux.c | 9 ++++++---
+ drivers/gpu/drm/amd/display/dc/dce/dce_aux.h | 6 +++---
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_aux.c b/drivers/gpu/drm/amd/display/dc/dce/dce_aux.c
+index aaeb7faac0c43..e0fff5744b5f6 100644
+--- a/drivers/gpu/drm/amd/display/dc/dce/dce_aux.c
++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_aux.c
+@@ -189,6 +189,12 @@ static void submit_channel_request(
+ 1,
+ 0);
+ }
++
++ REG_UPDATE(AUX_INTERRUPT_CONTROL, AUX_SW_DONE_ACK, 1);
++
++ REG_WAIT(AUX_SW_STATUS, AUX_SW_DONE, 0,
++ 10, aux110->timeout_period/10);
++
+ /* set the delay and the number of bytes to write */
+
+ /* The length include
+@@ -241,9 +247,6 @@ static void submit_channel_request(
+ }
+ }
+
+- REG_UPDATE(AUX_INTERRUPT_CONTROL, AUX_SW_DONE_ACK, 1);
+- REG_WAIT(AUX_SW_STATUS, AUX_SW_DONE, 0,
+- 10, aux110->timeout_period/10);
+ REG_UPDATE(AUX_SW_CONTROL, AUX_SW_GO, 1);
+ }
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_aux.h b/drivers/gpu/drm/amd/display/dc/dce/dce_aux.h
+index f7caab85dc801..2c6f50b4245a4 100644
+--- a/drivers/gpu/drm/amd/display/dc/dce/dce_aux.h
++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_aux.h
+@@ -69,11 +69,11 @@ enum { /* This is the timeout as defined in DP 1.2a,
+ * at most within ~240usec. That means,
+ * increasing this timeout will not affect normal operation,
+ * and we'll timeout after
+- * SW_AUX_TIMEOUT_PERIOD_MULTIPLIER * AUX_TIMEOUT_PERIOD = 1600usec.
++ * SW_AUX_TIMEOUT_PERIOD_MULTIPLIER * AUX_TIMEOUT_PERIOD = 2400usec.
+ * This timeout is especially important for
+- * resume from S3 and CTS.
++ * converters, resume from S3, and CTS.
+ */
+- SW_AUX_TIMEOUT_PERIOD_MULTIPLIER = 4
++ SW_AUX_TIMEOUT_PERIOD_MULTIPLIER = 6
+ };
+ struct aux_engine_dce110 {
+ struct aux_engine base;
+--
+2.20.1
+
--- /dev/null
+From 433fb4932ff2143e4f276879f5f21b1980c48452 Mon Sep 17 00:00:00 2001
+From: David Francis <David.Francis@amd.com>
+Date: Fri, 29 Mar 2019 13:23:15 -0400
+Subject: drm/amd/display: If one stream full updates, full update all planes
+
+[ Upstream commit c238bfe0be9ef7420f7669a69e27c8c8f4d8a568 ]
+
+[Why]
+On some compositors, with two monitors attached, VT terminal
+switch can cause a graphical issue by the following means:
+
+There are two streams, one for each monitor. Each stream has one
+plane
+
+current state:
+ M1:S1->P1
+ M2:S2->P2
+
+The user calls for a terminal switch and a commit is made to
+change both planes to linear swizzle mode. In atomic check,
+a new dc_state is constructed with new planes on each stream
+
+new state:
+ M1:S1->P3
+ M2:S2->P4
+
+In commit tail, each stream is committed, one at a time. The first
+stream (S1) updates properly, triggerring a full update and replacing
+the state
+
+current state:
+ M1:S1->P3
+ M2:S2->P4
+
+The update for S2 comes in, but dc detects that there is no difference
+between the stream and plane in the new and current states, and so
+triggers a fast update. The fast update does not program swizzle,
+so the second monitor is corrupted
+
+[How]
+Add a flag to dc_plane_state that forces full updates
+
+When a stream undergoes a full update, set this flag on all changed
+planes, then clear it on the current stream
+
+Subsequent streams will get full updates as a result
+
+Signed-off-by: David Francis <David.Francis@amd.com>
+Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Reviewed-by: Roman Li <Roman.Li@amd.com>
+Acked-by: Bhawanpreet Lakha <Bhawanpreet Lakha@amd.com>
+Acked-by: Nicholas Kazlauskas <Nicholas.Kazlauskas@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc.c | 19 +++++++++++++++++++
+ drivers/gpu/drm/amd/display/dc/dc.h | 3 +++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
+index 1f92e7e8e3d38..5af2ea1f201d3 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
+@@ -1308,6 +1308,11 @@ static enum surface_update_type det_surface_update(const struct dc *dc,
+ return UPDATE_TYPE_FULL;
+ }
+
++ if (u->surface->force_full_update) {
++ update_flags->bits.full_update = 1;
++ return UPDATE_TYPE_FULL;
++ }
++
+ type = get_plane_info_update_type(u);
+ elevate_update_type(&overall_type, type);
+
+@@ -1637,6 +1642,14 @@ void dc_commit_updates_for_stream(struct dc *dc,
+ }
+
+ dc_resource_state_copy_construct(state, context);
++
++ for (i = 0; i < dc->res_pool->pipe_count; i++) {
++ struct pipe_ctx *new_pipe = &context->res_ctx.pipe_ctx[i];
++ struct pipe_ctx *old_pipe = &dc->current_state->res_ctx.pipe_ctx[i];
++
++ if (new_pipe->plane_state && new_pipe->plane_state != old_pipe->plane_state)
++ new_pipe->plane_state->force_full_update = true;
++ }
+ }
+
+
+@@ -1680,6 +1693,12 @@ void dc_commit_updates_for_stream(struct dc *dc,
+ dc->current_state = context;
+ dc_release_state(old);
+
++ for (i = 0; i < dc->res_pool->pipe_count; i++) {
++ struct pipe_ctx *pipe_ctx = &context->res_ctx.pipe_ctx[i];
++
++ if (pipe_ctx->plane_state && pipe_ctx->stream == stream)
++ pipe_ctx->plane_state->force_full_update = false;
++ }
+ }
+ /*let's use current_state to update watermark etc*/
+ if (update_type >= UPDATE_TYPE_FULL)
+diff --git a/drivers/gpu/drm/amd/display/dc/dc.h b/drivers/gpu/drm/amd/display/dc/dc.h
+index 4b5bbb13ce7fe..7d5656d7e460d 100644
+--- a/drivers/gpu/drm/amd/display/dc/dc.h
++++ b/drivers/gpu/drm/amd/display/dc/dc.h
+@@ -496,6 +496,9 @@ struct dc_plane_state {
+ struct dc_plane_status status;
+ struct dc_context *ctx;
+
++ /* HACK: Workaround for forcing full reprogramming under some conditions */
++ bool force_full_update;
++
+ /* private to dc_surface.c */
+ enum dc_irq_source irq_source;
+ struct kref refcount;
+--
+2.20.1
+
--- /dev/null
+From b6e9f607c230eb308cdb6b231e4a6a7dcee405d1 Mon Sep 17 00:00:00 2001
+From: wentalou <Wentao.Lou@amd.com>
+Date: Fri, 12 Apr 2019 15:01:14 +0800
+Subject: drm/amdgpu: shadow in shadow_list without tbo.mem.start cause page
+ fault in sriov TDR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit b575f10dbd6f84c2c8744ff1f486bfae1e4f6f38 ]
+
+shadow was added into shadow_list by amdgpu_bo_create_shadow.
+meanwhile, shadow->tbo.mem was not fully configured.
+tbo.mem would be fully configured by amdgpu_vm_sdma_map_table until calling amdgpu_vm_clear_bo.
+If sriov TDR occurred between amdgpu_bo_create_shadow and amdgpu_vm_sdma_map_table,
+amdgpu_device_recover_vram would deal with shadow without tbo.mem.start.
+
+Signed-off-by: Wentao Lou <Wentao.Lou@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index d55dd570a7023..27baac26d8e9c 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -3150,6 +3150,7 @@ static int amdgpu_device_recover_vram(struct amdgpu_device *adev)
+
+ /* No need to recover an evicted BO */
+ if (shadow->tbo.mem.mem_type != TTM_PL_TT ||
++ shadow->tbo.mem.start == AMDGPU_BO_INVALID_OFFSET ||
+ shadow->parent->tbo.mem.mem_type != TTM_PL_VRAM)
+ continue;
+
+--
+2.20.1
+
--- /dev/null
+From 37b0b7a1d72fcd0b4845d3aa654139f7973b2482 Mon Sep 17 00:00:00 2001
+From: Jonas Karlman <jonas@kwiboo.se>
+Date: Wed, 20 Feb 2019 07:52:31 +0000
+Subject: drm: bridge: dw-hdmi: Fix overflow workaround for Rockchip SoCs
+
+[ Upstream commit d15d9fd02575ecfada92d42f655940c4f10af842 ]
+
+The Rockchip RK3288 SoC (v2.00a) and RK3328/RK3399 SoCs (v2.11a) have
+also been identified as needing this workaround with a single iteration.
+
+Fixes: be41fc55f1aa ("drm: bridge: dw-hdmi: Handle overflow workaround based on device version")
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Tested-by: Heiko Stueber <heiko@sntech.de>
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/AM3PR03MB0966818FAAAE6192FF4ED11AAC7D0@AM3PR03MB0966.eurprd03.prod.outlook.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
+index 64c3cf0275182..14223c0ee7843 100644
+--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
+@@ -1655,6 +1655,8 @@ static void dw_hdmi_clear_overflow(struct dw_hdmi *hdmi)
+ * iteration for others.
+ * The Amlogic Meson GX SoCs (v2.01a) have been identified as needing
+ * the workaround with a single iteration.
++ * The Rockchip RK3288 SoC (v2.00a) and RK3328/RK3399 SoCs (v2.11a) have
++ * been identified as needing the workaround with a single iteration.
+ */
+
+ switch (hdmi->version) {
+@@ -1663,7 +1665,9 @@ static void dw_hdmi_clear_overflow(struct dw_hdmi *hdmi)
+ break;
+ case 0x131a:
+ case 0x132a:
++ case 0x200a:
+ case 0x201a:
++ case 0x211a:
+ case 0x212a:
+ count = 1;
+ break;
+--
+2.20.1
+
--- /dev/null
+From c252a15dd7c0a007e0cb9266f8f7764480590a52 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Fri, 12 Apr 2019 17:59:41 +0200
+Subject: drm/imx: don't skip DP channel disable for background plane
+
+[ Upstream commit 7bcde275eb1d0ac8793c77c7e666a886eb16633d ]
+
+In order to make sure that the plane color space gets reset correctly.
+
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c
+index 058b53c0aa7ec..1bb3e598cb843 100644
+--- a/drivers/gpu/drm/imx/ipuv3-crtc.c
++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c
+@@ -70,7 +70,7 @@ static void ipu_crtc_disable_planes(struct ipu_crtc *ipu_crtc,
+ if (disable_partial)
+ ipu_plane_disable(ipu_crtc->plane[1], true);
+ if (disable_full)
+- ipu_plane_disable(ipu_crtc->plane[0], false);
++ ipu_plane_disable(ipu_crtc->plane[0], true);
+ }
+
+ static void ipu_crtc_atomic_disable(struct drm_crtc *crtc,
+--
+2.20.1
+
--- /dev/null
+From acae5ec5e92b82dbb792d727d2737804cfd88998 Mon Sep 17 00:00:00 2001
+From: Damian Kos <dkos@cadence.com>
+Date: Mon, 19 Nov 2018 15:14:14 +0000
+Subject: drm/rockchip: fix for mailbox read validation.
+
+[ Upstream commit e4056bbb6719fe713bfc4030ac78e8e97ddf7574 ]
+
+This is basically the same fix as in
+commit fa68d4f8476b ("drm/rockchip: fix for mailbox read size")
+but for cdn_dp_mailbox_validate_receive function.
+
+See patchwork.kernel.org/patch/10671981/ for details.
+
+Signed-off-by: Damian Kos <dkos@cadence.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/1542640463-18332-1-git-send-email-dkos@cadence.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+---
+ drivers/gpu/drm/rockchip/cdn-dp-reg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/rockchip/cdn-dp-reg.c b/drivers/gpu/drm/rockchip/cdn-dp-reg.c
+index 5a485489a1e23..6c8b14fb1d2f3 100644
+--- a/drivers/gpu/drm/rockchip/cdn-dp-reg.c
++++ b/drivers/gpu/drm/rockchip/cdn-dp-reg.c
+@@ -113,7 +113,7 @@ static int cdp_dp_mailbox_write(struct cdn_dp_device *dp, u8 val)
+
+ static int cdn_dp_mailbox_validate_receive(struct cdn_dp_device *dp,
+ u8 module_id, u8 opcode,
+- u8 req_size)
++ u16 req_size)
+ {
+ u32 mbox_size, i;
+ u8 header[4];
+--
+2.20.1
+
--- /dev/null
+From c7128a6b9cc617cd619d827f7edadf75ba74b7c7 Mon Sep 17 00:00:00 2001
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Date: Thu, 18 Apr 2019 15:27:27 +0200
+Subject: drm/sun4i: Fix component unbinding and component master deletion
+
+[ Upstream commit f5a9ed867c83875546c9aadd4ed8e785e9adcc3c ]
+
+For our component-backed driver to be properly removed, we need to
+delete the component master in sun4i_drv_remove and make sure to call
+component_unbind_all in the master's unbind so that all components are
+unbound when the master is.
+
+Fixes: 9026e0d122ac ("drm: Add Allwinner A10 Display Engine support")
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190418132727.5128-4-paul.kocialkowski@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sun4i/sun4i_drv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/sun4i/sun4i_drv.c b/drivers/gpu/drm/sun4i/sun4i_drv.c
+index c6b65a9699794..9a5713fa03b25 100644
+--- a/drivers/gpu/drm/sun4i/sun4i_drv.c
++++ b/drivers/gpu/drm/sun4i/sun4i_drv.c
+@@ -148,6 +148,8 @@ static void sun4i_drv_unbind(struct device *dev)
+ drm_mode_config_cleanup(drm);
+ of_reserved_mem_device_release(dev);
+ drm_dev_put(drm);
++
++ component_unbind_all(dev, NULL);
+ }
+
+ static const struct component_master_ops sun4i_drv_master_ops = {
+@@ -395,6 +397,8 @@ static int sun4i_drv_probe(struct platform_device *pdev)
+
+ static int sun4i_drv_remove(struct platform_device *pdev)
+ {
++ component_master_del(&pdev->dev, &sun4i_drv_master_ops);
++
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 6cf4650f6b3b9241ac4d6277472905343d36529e Mon Sep 17 00:00:00 2001
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Date: Thu, 18 Apr 2019 15:27:26 +0200
+Subject: drm/sun4i: Set device driver data at bind time for use in unbind
+
+[ Upstream commit 02b92adbe33e6dbd15dc6e32540b22f47c4ff0a2 ]
+
+Our sun4i_drv_unbind gets the drm device using dev_get_drvdata.
+However, that driver data is never set in sun4i_drv_bind.
+
+Set it there to avoid getting a NULL pointer at unbind time.
+
+Fixes: 9026e0d122ac ("drm: Add Allwinner A10 Display Engine support")
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190418132727.5128-3-paul.kocialkowski@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sun4i/sun4i_drv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/sun4i/sun4i_drv.c b/drivers/gpu/drm/sun4i/sun4i_drv.c
+index 9e4c375ccc96f..c6b65a9699794 100644
+--- a/drivers/gpu/drm/sun4i/sun4i_drv.c
++++ b/drivers/gpu/drm/sun4i/sun4i_drv.c
+@@ -85,6 +85,8 @@ static int sun4i_drv_bind(struct device *dev)
+ ret = -ENOMEM;
+ goto free_drm;
+ }
++
++ dev_set_drvdata(dev, drm);
+ drm->dev_private = drv;
+ INIT_LIST_HEAD(&drv->frontend_list);
+ INIT_LIST_HEAD(&drv->engine_list);
+--
+2.20.1
+
--- /dev/null
+From 48df4d50a7dd6de035ce2094cab8395305f9bbe8 Mon Sep 17 00:00:00 2001
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Date: Wed, 24 Apr 2019 11:04:13 +0200
+Subject: drm/sun4i: Unbind components before releasing DRM and memory
+
+[ Upstream commit e02bc29b2cfa7806830d6da8b2322cddd67e8dfe ]
+
+Our components may still be using the DRM device driver (if only to
+access our driver's private data), so make sure to unbind them before
+the final drm_dev_put.
+
+Also release our reserved memory after component unbind instead of
+before to match reverse creation order.
+
+Fixes: f5a9ed867c83 ("drm/sun4i: Fix component unbinding and component master deletion")
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Reviewed-by: Chen-Yu Tsai <wens@csie.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190424090413.6918-1-paul.kocialkowski@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sun4i/sun4i_drv.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/sun4i/sun4i_drv.c b/drivers/gpu/drm/sun4i/sun4i_drv.c
+index 9a5713fa03b25..f8bf5bbec2df3 100644
+--- a/drivers/gpu/drm/sun4i/sun4i_drv.c
++++ b/drivers/gpu/drm/sun4i/sun4i_drv.c
+@@ -146,10 +146,11 @@ static void sun4i_drv_unbind(struct device *dev)
+ drm_dev_unregister(drm);
+ drm_kms_helper_poll_fini(drm);
+ drm_mode_config_cleanup(drm);
+- of_reserved_mem_device_release(dev);
+- drm_dev_put(drm);
+
+ component_unbind_all(dev, NULL);
++ of_reserved_mem_device_release(dev);
++
++ drm_dev_put(drm);
+ }
+
+ static const struct component_master_ops sun4i_drv_master_ops = {
+--
+2.20.1
+
--- /dev/null
+From 6c3a7b53bbf0d058a4a111f288982f1287845b67 Mon Sep 17 00:00:00 2001
+From: Lin Yi <teroincn@163.com>
+Date: Wed, 10 Apr 2019 10:23:34 +0800
+Subject: drm/ttm: fix dma_fence refcount imbalance on error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 543c364d8eeeb42c0edfaac9764f4e9f3d777ec1 ]
+
+the ttm_bo_add_move_fence takes a reference to the struct dma_fence, but
+failed to release it on the error path, leading to a memory leak.
+add dma_fence_put before return when error occur.
+
+Signed-off-by: Lin Yi <teroincn@163.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ttm/ttm_bo.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
+index 996cadd83f244..d8e1b3f129046 100644
+--- a/drivers/gpu/drm/ttm/ttm_bo.c
++++ b/drivers/gpu/drm/ttm/ttm_bo.c
+@@ -881,8 +881,10 @@ static int ttm_bo_add_move_fence(struct ttm_buffer_object *bo,
+ reservation_object_add_shared_fence(bo->resv, fence);
+
+ ret = reservation_object_reserve_shared(bo->resv, 1);
+- if (unlikely(ret))
++ if (unlikely(ret)) {
++ dma_fence_put(fence);
+ return ret;
++ }
+
+ dma_fence_put(bo->moving);
+ bo->moving = fence;
+--
+2.20.1
+
--- /dev/null
+From f8b68a2b9944a29717a31f08b80b101cc22ed438 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 24 Apr 2019 15:59:33 +0200
+Subject: gpio: Fix gpiochip_add_data_with_key() error path
+
+[ Upstream commit 357798909164bf423eac6a78ff7da7e98d2d7f7f ]
+
+The err_remove_chip block is too coarse, and may perform cleanup that
+must not be done. E.g. if of_gpiochip_add() fails, of_gpiochip_remove()
+is still called, causing:
+
+ OF: ERROR: Bad of_node_put() on /soc/gpio@e6050000
+ CPU: 1 PID: 20 Comm: kworker/1:1 Not tainted 5.1.0-rc2-koelsch+ #407
+ Hardware name: Generic R-Car Gen2 (Flattened Device Tree)
+ Workqueue: events deferred_probe_work_func
+ [<c020ec74>] (unwind_backtrace) from [<c020ae58>] (show_stack+0x10/0x14)
+ [<c020ae58>] (show_stack) from [<c07c1224>] (dump_stack+0x7c/0x9c)
+ [<c07c1224>] (dump_stack) from [<c07c5a80>] (kobject_put+0x94/0xbc)
+ [<c07c5a80>] (kobject_put) from [<c0470420>] (gpiochip_add_data_with_key+0x8d8/0xa3c)
+ [<c0470420>] (gpiochip_add_data_with_key) from [<c0473738>] (gpio_rcar_probe+0x1d4/0x314)
+ [<c0473738>] (gpio_rcar_probe) from [<c052fca8>] (platform_drv_probe+0x48/0x94)
+
+and later, if a GPIO consumer tries to use a GPIO from a failed
+controller:
+
+ WARNING: CPU: 0 PID: 1 at lib/refcount.c:156 kobject_get+0x38/0x4c
+ refcount_t: increment on 0; use-after-free.
+ Modules linked in:
+ CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.1.0-rc2-koelsch+ #407
+ Hardware name: Generic R-Car Gen2 (Flattened Device Tree)
+ [<c020ec74>] (unwind_backtrace) from [<c020ae58>] (show_stack+0x10/0x14)
+ [<c020ae58>] (show_stack) from [<c07c1224>] (dump_stack+0x7c/0x9c)
+ [<c07c1224>] (dump_stack) from [<c0221580>] (__warn+0xd0/0xec)
+ [<c0221580>] (__warn) from [<c02215e0>] (warn_slowpath_fmt+0x44/0x6c)
+ [<c02215e0>] (warn_slowpath_fmt) from [<c07c58fc>] (kobject_get+0x38/0x4c)
+ [<c07c58fc>] (kobject_get) from [<c068b3ec>] (of_node_get+0x14/0x1c)
+ [<c068b3ec>] (of_node_get) from [<c0686f24>] (of_find_node_by_phandle+0xc0/0xf0)
+ [<c0686f24>] (of_find_node_by_phandle) from [<c0686fbc>] (of_phandle_iterator_next+0x68/0x154)
+ [<c0686fbc>] (of_phandle_iterator_next) from [<c0687fe4>] (__of_parse_phandle_with_args+0x40/0xd0)
+ [<c0687fe4>] (__of_parse_phandle_with_args) from [<c0688204>] (of_parse_phandle_with_args_map+0x100/0x3ac)
+ [<c0688204>] (of_parse_phandle_with_args_map) from [<c0471240>] (of_get_named_gpiod_flags+0x38/0x380)
+ [<c0471240>] (of_get_named_gpiod_flags) from [<c046f864>] (gpiod_get_from_of_node+0x24/0xd8)
+ [<c046f864>] (gpiod_get_from_of_node) from [<c0470aa4>] (devm_fwnode_get_index_gpiod_from_child+0xa0/0x144)
+ [<c0470aa4>] (devm_fwnode_get_index_gpiod_from_child) from [<c05f425c>] (gpio_keys_probe+0x418/0x7bc)
+ [<c05f425c>] (gpio_keys_probe) from [<c052fca8>] (platform_drv_probe+0x48/0x94)
+
+Fix this by splitting the cleanup block, and adding a missing call to
+gpiochip_irqchip_remove().
+
+Fixes: 28355f81969962cf ("gpio: defer probe if pinctrl cannot be found")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index d1adfdf50fb30..34fbf879411f6 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1379,7 +1379,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *chip, void *data,
+
+ status = gpiochip_add_irqchip(chip, lock_key, request_key);
+ if (status)
+- goto err_remove_chip;
++ goto err_free_gpiochip_mask;
+
+ status = of_gpiochip_add(chip);
+ if (status)
+@@ -1387,7 +1387,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *chip, void *data,
+
+ status = gpiochip_init_valid_mask(chip);
+ if (status)
+- goto err_remove_chip;
++ goto err_remove_of_chip;
+
+ for (i = 0; i < chip->ngpio; i++) {
+ struct gpio_desc *desc = &gdev->descs[i];
+@@ -1415,14 +1415,18 @@ int gpiochip_add_data_with_key(struct gpio_chip *chip, void *data,
+ if (gpiolib_initialized) {
+ status = gpiochip_setup_dev(gdev);
+ if (status)
+- goto err_remove_chip;
++ goto err_remove_acpi_chip;
+ }
+ return 0;
+
+-err_remove_chip:
++err_remove_acpi_chip:
+ acpi_gpiochip_remove(chip);
++err_remove_of_chip:
+ gpiochip_free_hogs(chip);
+ of_gpiochip_remove(chip);
++err_remove_chip:
++ gpiochip_irqchip_remove(chip);
++err_free_gpiochip_mask:
+ gpiochip_free_valid_mask(chip);
+ err_remove_irqchip_mask:
+ gpiochip_irqchip_free_valid_mask(chip);
+--
+2.20.1
+
--- /dev/null
+From 2a9a1201d9973cba2a448dfa3b430218833f0832 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Fri, 12 Apr 2019 17:59:40 +0200
+Subject: gpu: ipu-v3: dp: fix CSC handling
+
+[ Upstream commit d4fad0a426c6e26f48c9a7cdd21a7fe9c198d645 ]
+
+Initialize the flow input colorspaces to unknown and reset to that value
+when the channel gets disabled. This avoids the state getting mixed up
+with a previous mode.
+
+Also keep the CSC settings for the background flow intact when disabling
+the foreground flow.
+
+Root-caused-by: Jonathan Marek <jonathan@marek.ca>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/ipu-v3/ipu-dp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-dp.c b/drivers/gpu/ipu-v3/ipu-dp.c
+index 9b2b3fa479c46..5e44ff1f20851 100644
+--- a/drivers/gpu/ipu-v3/ipu-dp.c
++++ b/drivers/gpu/ipu-v3/ipu-dp.c
+@@ -195,7 +195,8 @@ int ipu_dp_setup_channel(struct ipu_dp *dp,
+ ipu_dp_csc_init(flow, flow->foreground.in_cs, flow->out_cs,
+ DP_COM_CONF_CSC_DEF_BOTH);
+ } else {
+- if (flow->foreground.in_cs == flow->out_cs)
++ if (flow->foreground.in_cs == IPUV3_COLORSPACE_UNKNOWN ||
++ flow->foreground.in_cs == flow->out_cs)
+ /*
+ * foreground identical to output, apply color
+ * conversion on background
+@@ -261,6 +262,8 @@ void ipu_dp_disable_channel(struct ipu_dp *dp, bool sync)
+ struct ipu_dp_priv *priv = flow->priv;
+ u32 reg, csc;
+
++ dp->in_cs = IPUV3_COLORSPACE_UNKNOWN;
++
+ if (!dp->foreground)
+ return;
+
+@@ -268,8 +271,9 @@ void ipu_dp_disable_channel(struct ipu_dp *dp, bool sync)
+
+ reg = readl(flow->base + DP_COM_CONF);
+ csc = reg & DP_COM_CONF_CSC_DEF_MASK;
+- if (csc == DP_COM_CONF_CSC_DEF_FG)
+- reg &= ~DP_COM_CONF_CSC_DEF_MASK;
++ reg &= ~DP_COM_CONF_CSC_DEF_MASK;
++ if (csc == DP_COM_CONF_CSC_DEF_BOTH || csc == DP_COM_CONF_CSC_DEF_BG)
++ reg |= DP_COM_CONF_CSC_DEF_BG;
+
+ reg &= ~DP_COM_CONF_FG_EN;
+ writel(reg, flow->base + DP_COM_CONF);
+@@ -347,6 +351,8 @@ int ipu_dp_init(struct ipu_soc *ipu, struct device *dev, unsigned long base)
+ mutex_init(&priv->mutex);
+
+ for (i = 0; i < IPUV3_NUM_FLOWS; i++) {
++ priv->flow[i].background.in_cs = IPUV3_COLORSPACE_UNKNOWN;
++ priv->flow[i].foreground.in_cs = IPUV3_COLORSPACE_UNKNOWN;
+ priv->flow[i].foreground.foreground = true;
+ priv->flow[i].base = priv->base + ipu_dp_flow_base[i];
+ priv->flow[i].priv = priv;
+--
+2.20.1
+
--- /dev/null
+From 00bac42e17cddb0ce1b3a719856267085a287fb8 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 18 Jan 2019 13:59:08 -0800
+Subject: HID: input: add mapping for Expose/Overview key
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 96dd86871e1fffbc39e4fa61c9c75ec54ee9af0f ]
+
+According to HUTRR77 usage 0x29f from the consumer page is reserved for
+the Desktop application to present all running user’s application windows.
+Linux defines KEY_SCALE to request Compiz Scale (Expose) mode, so let's
+add the mapping.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-input.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index ff92a7b2fc897..468da6f6765db 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -1042,6 +1042,8 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ case 0x2cb: map_key_clear(KEY_KBDINPUTASSIST_ACCEPT); break;
+ case 0x2cc: map_key_clear(KEY_KBDINPUTASSIST_CANCEL); break;
+
++ case 0x29f: map_key_clear(KEY_SCALE); break;
++
+ default: map_key_clear(KEY_UNKNOWN);
+ }
+ break;
+--
+2.20.1
+
--- /dev/null
+From d36539c29b459716a7f4b84d7888111f26e88ad6 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 18 Jan 2019 14:05:52 -0800
+Subject: HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys
+
+[ Upstream commit 7975a1d6a7afeb3eb61c971a153d24dd8fa032f3 ]
+
+According to HUTRR73 usages 0x79, 0x7a and 0x7c from the consumer page
+correspond to Brightness Up/Down/Toggle keys, so let's add the mappings.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-input.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index 468da6f6765db..290efac7e6bfd 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -908,6 +908,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ case 0x074: map_key_clear(KEY_BRIGHTNESS_MAX); break;
+ case 0x075: map_key_clear(KEY_BRIGHTNESS_AUTO); break;
+
++ case 0x079: map_key_clear(KEY_KBDILLUMUP); break;
++ case 0x07a: map_key_clear(KEY_KBDILLUMDOWN); break;
++ case 0x07c: map_key_clear(KEY_KBDILLUMTOGGLE); break;
++
+ case 0x082: map_key_clear(KEY_VIDEO_NEXT); break;
+ case 0x083: map_key_clear(KEY_LAST); break;
+ case 0x084: map_key_clear(KEY_ENTER); break;
+--
+2.20.1
+
--- /dev/null
+From 32abb27d69a0019e5b49febe7b8d84d4c7fc5a5f Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 18 Jan 2019 14:35:45 -0800
+Subject: HID: input: add mapping for "Toggle Display" key
+
+[ Upstream commit c01908a14bf735b871170092807c618bb9dae654 ]
+
+According to HUT 1.12 usage 0xb5 from the generic desktop page is reserved
+for switching between external and internal display, so let's add the
+mapping.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-input.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index 290efac7e6bfd..4f119300ce3f5 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -677,6 +677,14 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ break;
+ }
+
++ if ((usage->hid & 0xf0) == 0xb0) { /* SC - Display */
++ switch (usage->hid & 0xf) {
++ case 0x05: map_key_clear(KEY_SWITCHVIDEOMODE); break;
++ default: goto ignore;
++ }
++ break;
++ }
++
+ /*
+ * Some lazy vendors declare 255 usages for System Control,
+ * leading to the creation of ABS_X|Y axis and too many others.
+--
+2.20.1
+
--- /dev/null
+From 015fcd2b5dfafdde4c13d4754b36b944fb1c10cb Mon Sep 17 00:00:00 2001
+From: Guy Levi <guyle@mellanox.com>
+Date: Wed, 10 Apr 2019 10:59:45 +0300
+Subject: IB/mlx5: Fix scatter to CQE in DCT QP creation
+
+[ Upstream commit 7249c8ea227a582c14f63e9e8853eb7369122f10 ]
+
+When scatter to CQE is enabled on a DCT QP it corrupts the mailbox command
+since it tried to treat it as as QP create mailbox command instead of a
+DCT create command.
+
+The corrupted mailbox command causes userspace to malfunction as the
+device doesn't create the QP as expected.
+
+A new mlx5 capability is exposed to user-space which ensures that it will
+not enable the feature on DCT without this fix in the kernel.
+
+Fixes: 5d6ff1babe78 ("IB/mlx5: Support scatter to CQE for DC transport type")
+Signed-off-by: Guy Levi <guyle@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 2 ++
+ drivers/infiniband/hw/mlx5/qp.c | 11 +++++++----
+ include/uapi/rdma/mlx5-abi.h | 1 +
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index 497181f5ba091..c6bdd0d16c4b6 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -1025,6 +1025,8 @@ static int mlx5_ib_query_device(struct ib_device *ibdev,
+ if (MLX5_CAP_GEN(mdev, qp_packet_based))
+ resp.flags |=
+ MLX5_IB_QUERY_DEV_RESP_PACKET_BASED_CREDIT_MODE;
++
++ resp.flags |= MLX5_IB_QUERY_DEV_RESP_FLAGS_SCAT2CQE_DCT;
+ }
+
+ if (field_avail(typeof(resp), sw_parsing_caps,
+diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
+index 7db778d96ef5c..afc88e6e172e7 100644
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -1724,13 +1724,16 @@ static void configure_responder_scat_cqe(struct ib_qp_init_attr *init_attr,
+
+ rcqe_sz = mlx5_ib_get_cqe_size(init_attr->recv_cq);
+
+- if (rcqe_sz == 128) {
+- MLX5_SET(qpc, qpc, cs_res, MLX5_RES_SCAT_DATA64_CQE);
++ if (init_attr->qp_type == MLX5_IB_QPT_DCT) {
++ if (rcqe_sz == 128)
++ MLX5_SET(dctc, qpc, cs_res, MLX5_RES_SCAT_DATA64_CQE);
++
+ return;
+ }
+
+- if (init_attr->qp_type != MLX5_IB_QPT_DCT)
+- MLX5_SET(qpc, qpc, cs_res, MLX5_RES_SCAT_DATA32_CQE);
++ MLX5_SET(qpc, qpc, cs_res,
++ rcqe_sz == 128 ? MLX5_RES_SCAT_DATA64_CQE :
++ MLX5_RES_SCAT_DATA32_CQE);
+ }
+
+ static void configure_requester_scat_cqe(struct mlx5_ib_dev *dev,
+diff --git a/include/uapi/rdma/mlx5-abi.h b/include/uapi/rdma/mlx5-abi.h
+index 87b3198f4b5d7..f4d4010b7e3e5 100644
+--- a/include/uapi/rdma/mlx5-abi.h
++++ b/include/uapi/rdma/mlx5-abi.h
+@@ -238,6 +238,7 @@ enum mlx5_ib_query_dev_resp_flags {
+ MLX5_IB_QUERY_DEV_RESP_FLAGS_CQE_128B_COMP = 1 << 0,
+ MLX5_IB_QUERY_DEV_RESP_FLAGS_CQE_128B_PAD = 1 << 1,
+ MLX5_IB_QUERY_DEV_RESP_PACKET_BASED_CREDIT_MODE = 1 << 2,
++ MLX5_IB_QUERY_DEV_RESP_FLAGS_SCAT2CQE_DCT = 1 << 3,
+ };
+
+ enum mlx5_ib_tunnel_offloads {
+--
+2.20.1
+
--- /dev/null
+From 0b7e1e5ef4b165c2c8831e085a419dbb8d1dcf4a Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Sun, 10 Mar 2019 14:58:25 -0400
+Subject: iio: adc: xilinx: fix potential use-after-free on probe
+
+[ Upstream commit 862e4644fd2d7df8998edc65e0963ea2f567bde9 ]
+
+If probe errors out after request_irq(), its error path
+does not explicitly cancel the delayed work, which may
+have been scheduled by the interrupt handler.
+
+This means the delayed work may still be running when
+the core frees the private structure (struct xadc).
+This is a potential use-after-free.
+
+Fix by inserting cancel_delayed_work_sync() in the probe
+error path.
+
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/xilinx-xadc-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/iio/adc/xilinx-xadc-core.c b/drivers/iio/adc/xilinx-xadc-core.c
+index 1960694e80076..15e1a103f37da 100644
+--- a/drivers/iio/adc/xilinx-xadc-core.c
++++ b/drivers/iio/adc/xilinx-xadc-core.c
+@@ -1290,6 +1290,7 @@ static int xadc_probe(struct platform_device *pdev)
+
+ err_free_irq:
+ free_irq(xadc->irq, indio_dev);
++ cancel_delayed_work_sync(&xadc->zynq_unmask_work);
+ err_clk_disable_unprepare:
+ clk_disable_unprepare(xadc->clk);
+ err_free_samplerate_trigger:
+--
+2.20.1
+
--- /dev/null
+From 47bd0a1576669590407ad14a6997b295ca89ddae Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Sun, 10 Mar 2019 14:58:24 -0400
+Subject: iio: adc: xilinx: fix potential use-after-free on remove
+
+[ Upstream commit 62039b6aef63380ba7a37c113bbaeee8a55c5342 ]
+
+When cancel_delayed_work() returns, the delayed work may still
+be running. This means that the core could potentially free
+the private structure (struct xadc) while the delayed work
+is still using it. This is a potential use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which waits for
+any residual work to finish before returning.
+
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/xilinx-xadc-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/xilinx-xadc-core.c b/drivers/iio/adc/xilinx-xadc-core.c
+index 3f6be5ac049a8..1960694e80076 100644
+--- a/drivers/iio/adc/xilinx-xadc-core.c
++++ b/drivers/iio/adc/xilinx-xadc-core.c
+@@ -1320,7 +1320,7 @@ static int xadc_remove(struct platform_device *pdev)
+ }
+ free_irq(xadc->irq, indio_dev);
+ clk_disable_unprepare(xadc->clk);
+- cancel_delayed_work(&xadc->zynq_unmask_work);
++ cancel_delayed_work_sync(&xadc->zynq_unmask_work);
+ kfree(xadc->data);
+ kfree(indio_dev->channels);
+
+--
+2.20.1
+
--- /dev/null
+From 28c6c4a1e26bda1f778a869a534294dcf627ff93 Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Sun, 10 Mar 2019 14:58:26 -0400
+Subject: iio: adc: xilinx: prevent touching unclocked h/w on remove
+
+[ Upstream commit 2e4b88f73966adead360e47621df0183586fac32 ]
+
+In remove, the clock is disabled before canceling the
+delayed work. This means that the delayed work may be
+touching unclocked hardware.
+
+Fix by disabling the clock after the delayed work is
+fully canceled. This is consistent with the probe error
+path order.
+
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/xilinx-xadc-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/xilinx-xadc-core.c b/drivers/iio/adc/xilinx-xadc-core.c
+index 15e1a103f37da..1ae86e7359f73 100644
+--- a/drivers/iio/adc/xilinx-xadc-core.c
++++ b/drivers/iio/adc/xilinx-xadc-core.c
+@@ -1320,8 +1320,8 @@ static int xadc_remove(struct platform_device *pdev)
+ iio_triggered_buffer_cleanup(indio_dev);
+ }
+ free_irq(xadc->irq, indio_dev);
+- clk_disable_unprepare(xadc->clk);
+ cancel_delayed_work_sync(&xadc->zynq_unmask_work);
++ clk_disable_unprepare(xadc->clk);
+ kfree(xadc->data);
+ kfree(indio_dev->channels);
+
+--
+2.20.1
+
--- /dev/null
+From 1290904c7dd1553a016c697deb47fdc86b20bf74 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Thu, 18 Apr 2019 17:50:44 -0700
+Subject: init: initialize jump labels before command line option parsing
+
+[ Upstream commit 6041186a32585fc7a1d0f6cfe2f138b05fdc3c82 ]
+
+When a module option, or core kernel argument, toggles a static-key it
+requires jump labels to be initialized early. While x86, PowerPC, and
+ARM64 arrange for jump_label_init() to be called before parse_args(),
+ARM does not.
+
+ Kernel command line: rdinit=/sbin/init page_alloc.shuffle=1 panic=-1 console=ttyAMA0,115200 page_alloc.shuffle=1
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 0 at ./include/linux/jump_label.h:303
+ page_alloc_shuffle+0x12c/0x1ac
+ static_key_enable(): static key 'page_alloc_shuffle_key+0x0/0x4' used
+ before call to jump_label_init()
+ Modules linked in:
+ CPU: 0 PID: 0 Comm: swapper Not tainted
+ 5.1.0-rc4-next-20190410-00003-g3367c36ce744 #1
+ Hardware name: ARM Integrator/CP (Device Tree)
+ [<c0011c68>] (unwind_backtrace) from [<c000ec48>] (show_stack+0x10/0x18)
+ [<c000ec48>] (show_stack) from [<c07e9710>] (dump_stack+0x18/0x24)
+ [<c07e9710>] (dump_stack) from [<c001bb1c>] (__warn+0xe0/0x108)
+ [<c001bb1c>] (__warn) from [<c001bb88>] (warn_slowpath_fmt+0x44/0x6c)
+ [<c001bb88>] (warn_slowpath_fmt) from [<c0b0c4a8>]
+ (page_alloc_shuffle+0x12c/0x1ac)
+ [<c0b0c4a8>] (page_alloc_shuffle) from [<c0b0c550>] (shuffle_store+0x28/0x48)
+ [<c0b0c550>] (shuffle_store) from [<c003e6a0>] (parse_args+0x1f4/0x350)
+ [<c003e6a0>] (parse_args) from [<c0ac3c00>] (start_kernel+0x1c0/0x488)
+
+Move the fallback call to jump_label_init() to occur before
+parse_args().
+
+The redundant calls to jump_label_init() in other archs are left intact
+in case they have static key toggling use cases that are even earlier
+than option parsing.
+
+Link: http://lkml.kernel.org/r/155544804466.1032396.13418949511615676665.stgit@dwillia2-desk3.amr.corp.intel.com
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Reported-by: Guenter Roeck <groeck@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Cc: Russell King <rmk@armlinux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ init/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/init/main.c b/init/main.c
+index c86a1c8f19f40..7ae8245452650 100644
+--- a/init/main.c
++++ b/init/main.c
+@@ -574,6 +574,8 @@ asmlinkage __visible void __init start_kernel(void)
+ page_alloc_init();
+
+ pr_notice("Kernel command line: %s\n", boot_command_line);
++ /* parameters may set static keys */
++ jump_label_init();
+ parse_early_param();
+ after_dashes = parse_args("Booting kernel",
+ static_command_line, __start___param,
+@@ -583,8 +585,6 @@ asmlinkage __visible void __init start_kernel(void)
+ parse_args("Setting init args", after_dashes, NULL, 0, -1, -1,
+ NULL, set_init_arg);
+
+- jump_label_init();
+-
+ /*
+ * These use large bootmem allocations and must precede
+ * kmem_cache_init()
+--
+2.20.1
+
--- /dev/null
+From aa5139dbd77314ae41abf7c2b1b373e44df1b616 Mon Sep 17 00:00:00 2001
+From: Jacky Bai <ping.bai@nxp.com>
+Date: Fri, 5 Apr 2019 10:31:09 -0700
+Subject: Input: snvs_pwrkey - make it depend on ARCH_MXC
+
+[ Upstream commit f06eba72274788db6a43012a05a99915c0283aef ]
+
+The SNVS power key is not only used on i.MX6SX and i.MX7D, it is also
+used by i.MX6UL and NXP's latest ARMv8 based i.MX8M series SOC. So
+update the config dependency to use ARCH_MXC, and add the COMPILE_TEST
+too.
+
+Signed-off-by: Jacky Bai <ping.bai@nxp.com>
+Reviewed-by: Dong Aisheng <aisheng.dong@nxp.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/keyboard/Kconfig b/drivers/input/keyboard/Kconfig
+index a878351f16439..52d7f55fca329 100644
+--- a/drivers/input/keyboard/Kconfig
++++ b/drivers/input/keyboard/Kconfig
+@@ -420,7 +420,7 @@ config KEYBOARD_MPR121
+
+ config KEYBOARD_SNVS_PWRKEY
+ tristate "IMX SNVS Power Key Driver"
+- depends on SOC_IMX6SX || SOC_IMX7D
++ depends on ARCH_MXC || COMPILE_TEST
+ depends on OF
+ help
+ This is the snvs powerkey driver for the Freescale i.MX application
+--
+2.20.1
+
--- /dev/null
+From 71a1c1f6e5903373240470442f09dcbb7f12b44b Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 19 Apr 2019 07:39:00 +0000
+Subject: Input: synaptics-rmi4 - fix possible double free
+
+[ Upstream commit bce1a78423961fce676ac65540a31b6ffd179e6d ]
+
+The RMI4 function structure has been released in rmi_register_function
+if error occurs. However, it will be released again in the function
+rmi_create_function, which may result in a double-free bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/rmi4/rmi_driver.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c
+index fc3ab93b7aea4..7fb358f961957 100644
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -860,7 +860,7 @@ static int rmi_create_function(struct rmi_device *rmi_dev,
+
+ error = rmi_register_function(fn);
+ if (error)
+- goto err_put_fn;
++ return error;
+
+ if (pdt->function_number == 0x01)
+ data->f01_container = fn;
+@@ -870,10 +870,6 @@ static int rmi_create_function(struct rmi_device *rmi_dev,
+ list_add_tail(&fn->node, &data->function_list);
+
+ return RMI_SCAN_CONTINUE;
+-
+-err_put_fn:
+- put_device(&fn->dev);
+- return error;
+ }
+
+ void rmi_enable_irq(struct rmi_device *rmi_dev, bool clear_wake)
+--
+2.20.1
+
--- /dev/null
+From e30b86ae999d7a39c1fdb2050da9925ddff31372 Mon Sep 17 00:00:00 2001
+From: Tony Camuso <tcamuso@redhat.com>
+Date: Tue, 9 Apr 2019 15:20:03 -0400
+Subject: ipmi: ipmi_si_hardcode.c: init si_type array to fix a crash
+
+[ Upstream commit a885bcfd152f97b25005298ab2d6b741aed9b49c ]
+
+The intended behavior of function ipmi_hardcode_init_one() is to default
+to kcs interface when no type argument is presented when initializing
+ipmi with hard coded addresses.
+
+However, the array of char pointers allocated on the stack by function
+ipmi_hardcode_init() was not inited to zeroes, so it contained stack
+debris.
+
+Consequently, passing the cruft stored in this array to function
+ipmi_hardcode_init_one() caused a crash when it was unable to detect
+that the char * being passed was nonsense and tried to access the
+address specified by the bogus pointer.
+
+The fix is simply to initialize the si_type array to zeroes, so if
+there were no type argument given to at the command line, function
+ipmi_hardcode_init_one() could properly default to the kcs interface.
+
+Signed-off-by: Tony Camuso <tcamuso@redhat.com>
+Message-Id: <1554837603-40299-1-git-send-email-tcamuso@redhat.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmi_si_hardcode.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/char/ipmi/ipmi_si_hardcode.c b/drivers/char/ipmi/ipmi_si_hardcode.c
+index 1e5783961b0dc..ab7180c46d8dd 100644
+--- a/drivers/char/ipmi/ipmi_si_hardcode.c
++++ b/drivers/char/ipmi/ipmi_si_hardcode.c
+@@ -201,6 +201,8 @@ void __init ipmi_hardcode_init(void)
+ char *str;
+ char *si_type[SI_MAX_PARMS];
+
++ memset(si_type, 0, sizeof(si_type));
++
+ /* Parse out the si_type string into its components. */
+ str = si_type_str;
+ if (*str != '\0') {
+--
+2.20.1
+
--- /dev/null
+From 2b764ee796105c0503c3b89b319ab6fe5ecf85a9 Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Sun, 31 Mar 2019 13:24:52 +0300
+Subject: ipvs: do not schedule icmp errors from tunnels
+
+[ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ]
+
+We can receive ICMP errors from client or from
+tunneling real server. While the former can be
+scheduled to real server, the latter should
+not be scheduled, they are decapsulated only when
+existing connection is found.
+
+Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index 235205c93e14b..df112b27246a3 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -1647,7 +1647,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
+ if (!cp) {
+ int v;
+
+- if (!sysctl_schedule_icmp(ipvs))
++ if (ipip || !sysctl_schedule_icmp(ipvs))
+ return NF_ACCEPT;
+
+ if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph))
+--
+2.20.1
+
--- /dev/null
+From a90e6647093c854b759c17b3e507a4905e686003 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu, 11 Apr 2019 11:16:47 +0200
+Subject: KVM: fix spectrev1 gadgets
+
+[ Upstream commit 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c ]
+
+These were found with smatch, and then generalized when applicable.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/lapic.c | 4 +++-
+ include/linux/kvm_host.h | 10 ++++++----
+ virt/kvm/irqchip.c | 5 +++--
+ virt/kvm/kvm_main.c | 6 ++++--
+ 4 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 3339697de6e52..235687f3388fa 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -137,6 +137,7 @@ static inline bool kvm_apic_map_get_logical_dest(struct kvm_apic_map *map,
+ if (offset <= max_apic_id) {
+ u8 cluster_size = min(max_apic_id - offset + 1, 16U);
+
++ offset = array_index_nospec(offset, map->max_apic_id + 1);
+ *cluster = &map->phys_map[offset];
+ *mask = dest_id & (0xffff >> (16 - cluster_size));
+ } else {
+@@ -899,7 +900,8 @@ static inline bool kvm_apic_map_get_dest_lapic(struct kvm *kvm,
+ if (irq->dest_id > map->max_apic_id) {
+ *bitmap = 0;
+ } else {
+- *dst = &map->phys_map[irq->dest_id];
++ u32 dest_id = array_index_nospec(irq->dest_id, map->max_apic_id + 1);
++ *dst = &map->phys_map[dest_id];
+ *bitmap = 1;
+ }
+ return true;
+diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
+index cf761ff582248..e41503b2c5a16 100644
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -28,6 +28,7 @@
+ #include <linux/irqbypass.h>
+ #include <linux/swait.h>
+ #include <linux/refcount.h>
++#include <linux/nospec.h>
+ #include <asm/signal.h>
+
+ #include <linux/kvm.h>
+@@ -492,10 +493,10 @@ static inline struct kvm_io_bus *kvm_get_bus(struct kvm *kvm, enum kvm_bus idx)
+
+ static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i)
+ {
+- /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu, in case
+- * the caller has read kvm->online_vcpus before (as is the case
+- * for kvm_for_each_vcpu, for example).
+- */
++ int num_vcpus = atomic_read(&kvm->online_vcpus);
++ i = array_index_nospec(i, num_vcpus);
++
++ /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu. */
+ smp_rmb();
+ return kvm->vcpus[i];
+ }
+@@ -579,6 +580,7 @@ void kvm_put_kvm(struct kvm *kvm);
+
+ static inline struct kvm_memslots *__kvm_memslots(struct kvm *kvm, int as_id)
+ {
++ as_id = array_index_nospec(as_id, KVM_ADDRESS_SPACE_NUM);
+ return srcu_dereference_check(kvm->memslots[as_id], &kvm->srcu,
+ lockdep_is_held(&kvm->slots_lock) ||
+ !refcount_read(&kvm->users_count));
+diff --git a/virt/kvm/irqchip.c b/virt/kvm/irqchip.c
+index b1286c4e07122..0bd0683640bdf 100644
+--- a/virt/kvm/irqchip.c
++++ b/virt/kvm/irqchip.c
+@@ -144,18 +144,19 @@ static int setup_routing_entry(struct kvm *kvm,
+ {
+ struct kvm_kernel_irq_routing_entry *ei;
+ int r;
++ u32 gsi = array_index_nospec(ue->gsi, KVM_MAX_IRQ_ROUTES);
+
+ /*
+ * Do not allow GSI to be mapped to the same irqchip more than once.
+ * Allow only one to one mapping between GSI and non-irqchip routing.
+ */
+- hlist_for_each_entry(ei, &rt->map[ue->gsi], link)
++ hlist_for_each_entry(ei, &rt->map[gsi], link)
+ if (ei->type != KVM_IRQ_ROUTING_IRQCHIP ||
+ ue->type != KVM_IRQ_ROUTING_IRQCHIP ||
+ ue->u.irqchip.irqchip == ei->irqchip.irqchip)
+ return -EINVAL;
+
+- e->gsi = ue->gsi;
++ e->gsi = gsi;
+ e->type = ue->type;
+ r = kvm_set_routing_entry(kvm, e, ue);
+ if (r)
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index b4f2d892a1d36..ff68b07e94e97 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -2974,12 +2974,14 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+ struct kvm_device_ops *ops = NULL;
+ struct kvm_device *dev;
+ bool test = cd->flags & KVM_CREATE_DEVICE_TEST;
++ int type;
+ int ret;
+
+ if (cd->type >= ARRAY_SIZE(kvm_device_ops_table))
+ return -ENODEV;
+
+- ops = kvm_device_ops_table[cd->type];
++ type = array_index_nospec(cd->type, ARRAY_SIZE(kvm_device_ops_table));
++ ops = kvm_device_ops_table[type];
+ if (ops == NULL)
+ return -ENODEV;
+
+@@ -2994,7 +2996,7 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+ dev->kvm = kvm;
+
+ mutex_lock(&kvm->lock);
+- ret = ops->create(dev, cd->type);
++ ret = ops->create(dev, type);
+ if (ret < 0) {
+ mutex_unlock(&kvm->lock);
+ kfree(dev);
+--
+2.20.1
+
--- /dev/null
+From c81e5619f8f10afe99ef552a04f909e133728171 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 15 Apr 2019 15:57:19 +0200
+Subject: KVM: nVMX: always use early vmcs check when EPT is disabled
+
+[ Upstream commit 2b27924bb1d48e3775f432b70bdad5e6dd4e7798 ]
+
+The remaining failures of vmx.flat when EPT is disabled are caused by
+incorrectly reflecting VMfails to the L1 hypervisor. What happens is
+that nested_vmx_restore_host_state corrupts the guest CR3, reloading it
+with the host's shadow CR3 instead, because it blindly loads GUEST_CR3
+from the vmcs01.
+
+For simplicity let's just always use hardware VMCS checks when EPT is
+disabled. This way, nested_vmx_restore_host_state is not reached at
+all (or at least shouldn't be reached).
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/uapi/asm/vmx.h | 1 +
+ arch/x86/kvm/vmx/nested.c | 22 ++++++++++++++++++++--
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/include/uapi/asm/vmx.h b/arch/x86/include/uapi/asm/vmx.h
+index f0b0c90dd3982..d213ec5c3766d 100644
+--- a/arch/x86/include/uapi/asm/vmx.h
++++ b/arch/x86/include/uapi/asm/vmx.h
+@@ -146,6 +146,7 @@
+
+ #define VMX_ABORT_SAVE_GUEST_MSR_FAIL 1
+ #define VMX_ABORT_LOAD_HOST_PDPTE_FAIL 2
++#define VMX_ABORT_VMCS_CORRUPTED 3
+ #define VMX_ABORT_LOAD_HOST_MSR_FAIL 4
+
+ #endif /* _UAPIVMX_H */
+diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
+index 8f8c42b048757..2a16bd8877297 100644
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -3790,8 +3790,18 @@ static void nested_vmx_restore_host_state(struct kvm_vcpu *vcpu)
+ vmx_set_cr4(vcpu, vmcs_readl(CR4_READ_SHADOW));
+
+ nested_ept_uninit_mmu_context(vcpu);
+- vcpu->arch.cr3 = vmcs_readl(GUEST_CR3);
+- __set_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail);
++
++ /*
++ * This is only valid if EPT is in use, otherwise the vmcs01 GUEST_CR3
++ * points to shadow pages! Fortunately we only get here after a WARN_ON
++ * if EPT is disabled, so a VMabort is perfectly fine.
++ */
++ if (enable_ept) {
++ vcpu->arch.cr3 = vmcs_readl(GUEST_CR3);
++ __set_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail);
++ } else {
++ nested_vmx_abort(vcpu, VMX_ABORT_VMCS_CORRUPTED);
++ }
+
+ /*
+ * Use ept_save_pdptrs(vcpu) to load the MMU's cached PDPTRs
+@@ -5739,6 +5749,14 @@ __init int nested_vmx_hardware_setup(int (*exit_handlers[])(struct kvm_vcpu *))
+ {
+ int i;
+
++ /*
++ * Without EPT it is not possible to restore L1's CR3 and PDPTR on
++ * VMfail, because they are not available in vmcs01. Just always
++ * use hardware checks.
++ */
++ if (!enable_ept)
++ nested_early_check = 1;
++
+ if (!cpu_has_vmx_shadow_vmcs())
+ enable_shadow_vmcs = 0;
+ if (enable_shadow_vmcs) {
+--
+2.20.1
+
--- /dev/null
+From b2f60a8fdcd51dddc0245e1e6dce33d3e2064b4a Mon Sep 17 00:00:00 2001
+From: Liran Alon <liran.alon@oracle.com>
+Date: Mon, 25 Mar 2019 21:09:17 +0200
+Subject: KVM: nVMX: Expose RDPMC-exiting only when guest supports PMU
+
+[ Upstream commit e51bfdb68725dc052d16241ace40ea3140f938aa ]
+
+Issue was discovered when running kvm-unit-tests on KVM running as L1 on
+top of Hyper-V.
+
+When vmx_instruction_intercept unit-test attempts to run RDPMC to test
+RDPMC-exiting, it is intercepted by L1 KVM which it's EXIT_REASON_RDPMC
+handler raise #GP because vCPU exposed by Hyper-V doesn't support PMU.
+Instead of unit-test expectation to be reflected with EXIT_REASON_RDPMC.
+
+The reason vmx_instruction_intercept unit-test attempts to run RDPMC
+even though Hyper-V doesn't support PMU is because L1 expose to L2
+support for RDPMC-exiting. Which is reasonable to assume that is
+supported only in case CPU supports PMU to being with.
+
+Above issue can easily be simulated by modifying
+vmx_instruction_intercept config in x86/unittests.cfg to run QEMU with
+"-cpu host,+vmx,-pmu" and run unit-test.
+
+To handle issue, change KVM to expose RDPMC-exiting only when guest
+supports PMU.
+
+Reported-by: Saar Amar <saaramar@microsoft.com>
+Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Liran Alon <liran.alon@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/vmx.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
+index da6fdd5434a17..8f0426d46ba3c 100644
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -6982,6 +6982,30 @@ static void nested_vmx_entry_exit_ctls_update(struct kvm_vcpu *vcpu)
+ }
+ }
+
++static bool guest_cpuid_has_pmu(struct kvm_vcpu *vcpu)
++{
++ struct kvm_cpuid_entry2 *entry;
++ union cpuid10_eax eax;
++
++ entry = kvm_find_cpuid_entry(vcpu, 0xa, 0);
++ if (!entry)
++ return false;
++
++ eax.full = entry->eax;
++ return (eax.split.version_id > 0);
++}
++
++static void nested_vmx_procbased_ctls_update(struct kvm_vcpu *vcpu)
++{
++ struct vcpu_vmx *vmx = to_vmx(vcpu);
++ bool pmu_enabled = guest_cpuid_has_pmu(vcpu);
++
++ if (pmu_enabled)
++ vmx->nested.msrs.procbased_ctls_high |= CPU_BASED_RDPMC_EXITING;
++ else
++ vmx->nested.msrs.procbased_ctls_high &= ~CPU_BASED_RDPMC_EXITING;
++}
++
+ static void update_intel_pt_cfg(struct kvm_vcpu *vcpu)
+ {
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+@@ -7070,6 +7094,7 @@ static void vmx_cpuid_update(struct kvm_vcpu *vcpu)
+ if (nested_vmx_allowed(vcpu)) {
+ nested_vmx_cr_fixed1_bits_update(vcpu);
+ nested_vmx_entry_exit_ctls_update(vcpu);
++ nested_vmx_procbased_ctls_update(vcpu);
+ }
+
+ if (boot_cpu_has(X86_FEATURE_INTEL_PT) &&
+--
+2.20.1
+
--- /dev/null
+From 181f9e622f3b1bd95570f55f23a3173db13c75ea Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Wed, 27 Mar 2019 15:12:20 +0100
+Subject: KVM: x86: avoid misreporting level-triggered irqs as edge-triggered
+ in tracing
+
+[ Upstream commit 7a223e06b1a411cef6c4cd7a9b9a33c8d225b10e ]
+
+In __apic_accept_irq() interface trig_mode is int and actually on some code
+paths it is set above u8:
+
+kvm_apic_set_irq() extracts it from 'struct kvm_lapic_irq' where trig_mode
+is u16. This is done on purpose as e.g. kvm_set_msi_irq() sets it to
+(1 << 15) & e->msi.data
+
+kvm_apic_local_deliver sets it to reg & (1 << 15).
+
+Fix the immediate issue by making 'tm' into u16. We may also want to adjust
+__apic_accept_irq() interface and use proper sizes for vector, level,
+trig_mode but this is not urgent.
+
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/trace.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h
+index 6432d08c7de79..4d47a2631d1fb 100644
+--- a/arch/x86/kvm/trace.h
++++ b/arch/x86/kvm/trace.h
+@@ -438,13 +438,13 @@ TRACE_EVENT(kvm_apic_ipi,
+ );
+
+ TRACE_EVENT(kvm_apic_accept_irq,
+- TP_PROTO(__u32 apicid, __u16 dm, __u8 tm, __u8 vec),
++ TP_PROTO(__u32 apicid, __u16 dm, __u16 tm, __u8 vec),
+ TP_ARGS(apicid, dm, tm, vec),
+
+ TP_STRUCT__entry(
+ __field( __u32, apicid )
+ __field( __u16, dm )
+- __field( __u8, tm )
++ __field( __u16, tm )
+ __field( __u8, vec )
+ ),
+
+--
+2.20.1
+
--- /dev/null
+From 203d4ce96d1c7e027a30a3eeb5a623834bbf0d26 Mon Sep 17 00:00:00 2001
+From: Liran Alon <liran.alon@oracle.com>
+Date: Mon, 25 Mar 2019 21:10:17 +0200
+Subject: KVM: x86: Raise #GP when guest vCPU do not support PMU
+
+[ Upstream commit 672ff6cff80ca43bf3258410d2b887036969df5f ]
+
+Before this change, reading a VMware pseduo PMC will succeed even when
+PMU is not supported by guest. This can easily be seen by running
+kvm-unit-test vmware_backdoors with "-cpu host,-pmu" option.
+
+Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
+Signed-off-by: Liran Alon <liran.alon@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/pmu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/x86/kvm/pmu.c b/arch/x86/kvm/pmu.c
+index 58ead7db71a31..e39741997893a 100644
+--- a/arch/x86/kvm/pmu.c
++++ b/arch/x86/kvm/pmu.c
+@@ -281,9 +281,13 @@ static int kvm_pmu_rdpmc_vmware(struct kvm_vcpu *vcpu, unsigned idx, u64 *data)
+ int kvm_pmu_rdpmc(struct kvm_vcpu *vcpu, unsigned idx, u64 *data)
+ {
+ bool fast_mode = idx & (1u << 31);
++ struct kvm_pmu *pmu = vcpu_to_pmu(vcpu);
+ struct kvm_pmc *pmc;
+ u64 ctr_val;
+
++ if (!pmu->version)
++ return 1;
++
+ if (is_vmware_backdoor_pmc(idx))
+ return kvm_pmu_rdpmc_vmware(vcpu, idx, data);
+
+--
+2.20.1
+
--- /dev/null
+From ca737b5804e368575bd770aa4df100a3816dd548 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Mon, 25 Mar 2019 16:55:27 -0500
+Subject: libnvdimm/btt: Fix a kmemdup failure check
+
+[ Upstream commit 486fa92df4707b5df58d6508728bdb9321a59766 ]
+
+In case kmemdup fails, the fix releases resources and returns to
+avoid the NULL pointer dereference.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvdimm/btt_devs.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/nvdimm/btt_devs.c b/drivers/nvdimm/btt_devs.c
+index 795ad4ff35caf..e341498876cad 100644
+--- a/drivers/nvdimm/btt_devs.c
++++ b/drivers/nvdimm/btt_devs.c
+@@ -190,14 +190,15 @@ static struct device *__nd_btt_create(struct nd_region *nd_region,
+ return NULL;
+
+ nd_btt->id = ida_simple_get(&nd_region->btt_ida, 0, 0, GFP_KERNEL);
+- if (nd_btt->id < 0) {
+- kfree(nd_btt);
+- return NULL;
+- }
++ if (nd_btt->id < 0)
++ goto out_nd_btt;
+
+ nd_btt->lbasize = lbasize;
+- if (uuid)
++ if (uuid) {
+ uuid = kmemdup(uuid, 16, GFP_KERNEL);
++ if (!uuid)
++ goto out_put_id;
++ }
+ nd_btt->uuid = uuid;
+ dev = &nd_btt->dev;
+ dev_set_name(dev, "btt%d.%d", nd_region->id, nd_btt->id);
+@@ -212,6 +213,13 @@ static struct device *__nd_btt_create(struct nd_region *nd_region,
+ return NULL;
+ }
+ return dev;
++
++out_put_id:
++ ida_simple_remove(&nd_region->btt_ida, nd_btt->id);
++
++out_nd_btt:
++ kfree(nd_btt);
++ return NULL;
+ }
+
+ struct device *nd_btt_create(struct nd_region *nd_region)
+--
+2.20.1
+
--- /dev/null
+From 021e38680b5b5a0e68af3a4a4f75802e463cbcbe Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Tue, 12 Mar 2019 03:20:34 -0500
+Subject: libnvdimm/namespace: Fix a potential NULL pointer dereference
+
+[ Upstream commit 55c1fc0af29a6c1b92f217b7eb7581a882e0c07c ]
+
+In case kmemdup fails, the fix goes to blk_err to avoid NULL
+pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvdimm/namespace_devs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvdimm/namespace_devs.c b/drivers/nvdimm/namespace_devs.c
+index 33a3b23b3db71..e761b29f71606 100644
+--- a/drivers/nvdimm/namespace_devs.c
++++ b/drivers/nvdimm/namespace_devs.c
+@@ -2249,9 +2249,12 @@ static struct device *create_namespace_blk(struct nd_region *nd_region,
+ if (!nsblk->uuid)
+ goto blk_err;
+ memcpy(name, nd_label->name, NSLABEL_NAME_LEN);
+- if (name[0])
++ if (name[0]) {
+ nsblk->alt_name = kmemdup(name, NSLABEL_NAME_LEN,
+ GFP_KERNEL);
++ if (!nsblk->alt_name)
++ goto blk_err;
++ }
+ res = nsblk_add_resource(nd_region, ndd, nsblk,
+ __le64_to_cpu(nd_label->dpa));
+ if (!res)
+--
+2.20.1
+
--- /dev/null
+From 4b6329ae2b7b52cab41030cabf9a4a83473074de Mon Sep 17 00:00:00 2001
+From: Li RongQing <lirongqing@baidu.com>
+Date: Thu, 4 Apr 2019 10:58:01 +0800
+Subject: libnvdimm/pmem: fix a possible OOB access when read and write pmem
+
+[ Upstream commit 9dc6488e84b0f64df17672271664752488cd6a25 ]
+
+If offset is not zero and length is bigger than PAGE_SIZE,
+this will cause to out of boundary access to a page memory
+
+Fixes: 98cc093cba1e ("block, THP: make block_device_operations.rw_page support THP")
+Co-developed-by: Liang ZhiCheng <liangzhicheng@baidu.com>
+Signed-off-by: Liang ZhiCheng <liangzhicheng@baidu.com>
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvdimm/pmem.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvdimm/pmem.c b/drivers/nvdimm/pmem.c
+index bc2f700feef8a..0279eb1da3ef5 100644
+--- a/drivers/nvdimm/pmem.c
++++ b/drivers/nvdimm/pmem.c
+@@ -113,13 +113,13 @@ static void write_pmem(void *pmem_addr, struct page *page,
+
+ while (len) {
+ mem = kmap_atomic(page);
+- chunk = min_t(unsigned int, len, PAGE_SIZE);
++ chunk = min_t(unsigned int, len, PAGE_SIZE - off);
+ memcpy_flushcache(pmem_addr, mem + off, chunk);
+ kunmap_atomic(mem);
+ len -= chunk;
+ off = 0;
+ page++;
+- pmem_addr += PAGE_SIZE;
++ pmem_addr += chunk;
+ }
+ }
+
+@@ -132,7 +132,7 @@ static blk_status_t read_pmem(struct page *page, unsigned int off,
+
+ while (len) {
+ mem = kmap_atomic(page);
+- chunk = min_t(unsigned int, len, PAGE_SIZE);
++ chunk = min_t(unsigned int, len, PAGE_SIZE - off);
+ rem = memcpy_mcsafe(mem + off, pmem_addr, chunk);
+ kunmap_atomic(mem);
+ if (rem)
+@@ -140,7 +140,7 @@ static blk_status_t read_pmem(struct page *page, unsigned int off,
+ len -= chunk;
+ off = 0;
+ page++;
+- pmem_addr += PAGE_SIZE;
++ pmem_addr += chunk;
+ }
+ return BLK_STS_OK;
+ }
+--
+2.20.1
+
--- /dev/null
+From 0dfa071b7289cf311bf82d9d9d828045263bb24b Mon Sep 17 00:00:00 2001
+From: Dave Jiang <dave.jiang@intel.com>
+Date: Wed, 27 Mar 2019 11:10:44 -0700
+Subject: libnvdimm/security: provide fix for secure-erase to use zero-key
+
+[ Upstream commit 037c8489ade669e0f09ad40d5b91e5e1159a14b1 ]
+
+Add a zero key in order to standardize hardware that want a key of 0's to
+be passed. Some platforms defaults to a zero-key with security enabled
+rather than allow the OS to enable the security. The zero key would allow
+us to manage those platform as well. This also adds a fix to secure erase
+so it can use the zero key to do crypto erase. Some other security commands
+already use zero keys. This introduces a standard zero-key to allow
+unification of semantics cross nvdimm security commands.
+
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvdimm/security.c | 17 ++++++++++++-----
+ tools/testing/nvdimm/test/nfit.c | 11 +++++++++--
+ 2 files changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/nvdimm/security.c b/drivers/nvdimm/security.c
+index f8bb746a549f7..6bea6852bf278 100644
+--- a/drivers/nvdimm/security.c
++++ b/drivers/nvdimm/security.c
+@@ -22,6 +22,8 @@ static bool key_revalidate = true;
+ module_param(key_revalidate, bool, 0444);
+ MODULE_PARM_DESC(key_revalidate, "Require key validation at init.");
+
++static const char zero_key[NVDIMM_PASSPHRASE_LEN];
++
+ static void *key_data(struct key *key)
+ {
+ struct encrypted_key_payload *epayload = dereference_key_locked(key);
+@@ -286,8 +288,9 @@ int nvdimm_security_erase(struct nvdimm *nvdimm, unsigned int keyid,
+ {
+ struct device *dev = &nvdimm->dev;
+ struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
+- struct key *key;
++ struct key *key = NULL;
+ int rc;
++ const void *data;
+
+ /* The bus lock should be held at the top level of the call stack */
+ lockdep_assert_held(&nvdimm_bus->reconfig_mutex);
+@@ -319,11 +322,15 @@ int nvdimm_security_erase(struct nvdimm *nvdimm, unsigned int keyid,
+ return -EOPNOTSUPP;
+ }
+
+- key = nvdimm_lookup_user_key(nvdimm, keyid, NVDIMM_BASE_KEY);
+- if (!key)
+- return -ENOKEY;
++ if (keyid != 0) {
++ key = nvdimm_lookup_user_key(nvdimm, keyid, NVDIMM_BASE_KEY);
++ if (!key)
++ return -ENOKEY;
++ data = key_data(key);
++ } else
++ data = zero_key;
+
+- rc = nvdimm->sec.ops->erase(nvdimm, key_data(key), pass_type);
++ rc = nvdimm->sec.ops->erase(nvdimm, data, pass_type);
+ dev_dbg(dev, "key: %d erase%s: %s\n", key_serial(key),
+ pass_type == NVDIMM_MASTER ? "(master)" : "(user)",
+ rc == 0 ? "success" : "fail");
+diff --git a/tools/testing/nvdimm/test/nfit.c b/tools/testing/nvdimm/test/nfit.c
+index b579f962451d6..cad719876ef45 100644
+--- a/tools/testing/nvdimm/test/nfit.c
++++ b/tools/testing/nvdimm/test/nfit.c
+@@ -225,6 +225,8 @@ static struct workqueue_struct *nfit_wq;
+
+ static struct gen_pool *nfit_pool;
+
++static const char zero_key[NVDIMM_PASSPHRASE_LEN];
++
+ static struct nfit_test *to_nfit_test(struct device *dev)
+ {
+ struct platform_device *pdev = to_platform_device(dev);
+@@ -1059,8 +1061,7 @@ static int nd_intel_test_cmd_secure_erase(struct nfit_test *t,
+ struct device *dev = &t->pdev.dev;
+ struct nfit_test_sec *sec = &dimm_sec_info[dimm];
+
+- if (!(sec->state & ND_INTEL_SEC_STATE_ENABLED) ||
+- (sec->state & ND_INTEL_SEC_STATE_FROZEN)) {
++ if (sec->state & ND_INTEL_SEC_STATE_FROZEN) {
+ nd_cmd->status = ND_INTEL_STATUS_INVALID_STATE;
+ dev_dbg(dev, "secure erase: wrong security state\n");
+ } else if (memcmp(nd_cmd->passphrase, sec->passphrase,
+@@ -1068,6 +1069,12 @@ static int nd_intel_test_cmd_secure_erase(struct nfit_test *t,
+ nd_cmd->status = ND_INTEL_STATUS_INVALID_PASS;
+ dev_dbg(dev, "secure erase: wrong passphrase\n");
+ } else {
++ if (!(sec->state & ND_INTEL_SEC_STATE_ENABLED)
++ && (memcmp(nd_cmd->passphrase, zero_key,
++ ND_INTEL_PASSPHRASE_SIZE) != 0)) {
++ dev_dbg(dev, "invalid zero key\n");
++ return 0;
++ }
+ memset(sec->passphrase, 0, ND_INTEL_PASSPHRASE_SIZE);
+ memset(sec->master_passphrase, 0, ND_INTEL_PASSPHRASE_SIZE);
+ sec->state = 0;
+--
+2.20.1
+
--- /dev/null
+From 8a7687806e56715eefd334e4446682bb3d709376 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Sat, 16 Mar 2019 18:06:31 +0100
+Subject: mac80211: fix memory accounting with A-MSDU aggregation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit eb9b64e3a9f8483e6e54f4e03b2ae14ae5db2690 ]
+
+skb->truesize can change due to memory reallocation or when adding extra
+fragments. Adjust fq->memory_usage accordingly
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 928f13a208b05..714d80e48a102 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3214,6 +3214,7 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata,
+ u8 max_subframes = sta->sta.max_amsdu_subframes;
+ int max_frags = local->hw.max_tx_fragments;
+ int max_amsdu_len = sta->sta.max_amsdu_len;
++ int orig_truesize;
+ __be16 len;
+ void *data;
+ bool ret = false;
+@@ -3254,6 +3255,7 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata,
+ if (!head || skb_is_gso(head))
+ goto out;
+
++ orig_truesize = head->truesize;
+ orig_len = head->len;
+
+ if (skb->len + head->len > max_amsdu_len)
+@@ -3311,6 +3313,7 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata,
+ *frag_tail = skb;
+
+ out_recalc:
++ fq->memory_usage += head->truesize - orig_truesize;
+ if (head->len != orig_len) {
+ flow->backlog += head->len - orig_len;
+ tin->backlog_bytes += head->len - orig_len;
+--
+2.20.1
+
--- /dev/null
+From 5e011ec74ec21c36a1d46b5c56991d01779660a5 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 13 Mar 2019 18:54:27 +0100
+Subject: mac80211: fix unaligned access in mesh table hash function
+
+[ Upstream commit 40586e3fc400c00c11151804dcdc93f8c831c808 ]
+
+The pointer to the last four bytes of the address is not guaranteed to be
+aligned, so we need to use __get_unaligned_cpu32 here
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh_pathtbl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
+index 88a6d5e18ccc9..ac1f5db529945 100644
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -23,7 +23,7 @@ static void mesh_path_free_rcu(struct mesh_table *tbl, struct mesh_path *mpath);
+ static u32 mesh_table_hash(const void *addr, u32 len, u32 seed)
+ {
+ /* Use last four bytes of hw addr as hash index */
+- return jhash_1word(*(u32 *)(addr+2), seed);
++ return jhash_1word(__get_unaligned_cpu32((u8 *)addr + 2), seed);
+ }
+
+ static const struct rhashtable_params mesh_rht_params = {
+--
+2.20.1
+
--- /dev/null
+From 45945ac379ce196c4157e0bef783a4f185cb2d10 Mon Sep 17 00:00:00 2001
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Date: Fri, 15 Mar 2019 17:38:57 +0200
+Subject: mac80211: Increase MAX_MSG_LEN
+
+[ Upstream commit 78be2d21cc1cd3069c6138dcfecec62583130171 ]
+
+Looks that 100 chars isn't enough for messages, as we keep getting
+warnings popping from different places due to message shortening.
+Instead of trying to shorten the prints, just increase the buffer size.
+
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/trace_msg.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/trace_msg.h b/net/mac80211/trace_msg.h
+index 366b9e6f043e2..40141df09f255 100644
+--- a/net/mac80211/trace_msg.h
++++ b/net/mac80211/trace_msg.h
+@@ -1,4 +1,9 @@
+ /* SPDX-License-Identifier: GPL-2.0 */
++/*
++ * Portions of this file
++ * Copyright (C) 2019 Intel Corporation
++ */
++
+ #ifdef CONFIG_MAC80211_MESSAGE_TRACING
+
+ #if !defined(__MAC80211_MSG_DRIVER_TRACE) || defined(TRACE_HEADER_MULTI_READ)
+@@ -11,7 +16,7 @@
+ #undef TRACE_SYSTEM
+ #define TRACE_SYSTEM mac80211_msg
+
+-#define MAX_MSG_LEN 100
++#define MAX_MSG_LEN 120
+
+ DECLARE_EVENT_CLASS(mac80211_msg_event,
+ TP_PROTO(struct va_format *vaf),
+--
+2.20.1
+
--- /dev/null
+From ef0b897af6fda289b8bb3a3785818f32cb07c6bb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Fri, 12 Apr 2019 23:08:32 +0200
+Subject: MIPS: perf: ath79: Fix perfcount IRQ assignment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit a1e8783db8e0d58891681bc1e6d9ada66eae8e20 ]
+
+Currently it's not possible to use perf on ath79 due to genirq flags
+mismatch happening on static virtual IRQ 13 which is used for
+performance counters hardware IRQ 5.
+
+On TP-Link Archer C7v5:
+
+ CPU0
+ 2: 0 MIPS 2 ath9k
+ 4: 318 MIPS 4 19000000.eth
+ 7: 55034 MIPS 7 timer
+ 8: 1236 MISC 3 ttyS0
+ 12: 0 INTC 1 ehci_hcd:usb1
+ 13: 0 gpio-ath79 2 keys
+ 14: 0 gpio-ath79 5 keys
+ 15: 31 AR724X PCI 1 ath10k_pci
+
+ $ perf top
+ genirq: Flags mismatch irq 13. 00014c83 (mips_perf_pmu) vs. 00002003 (keys)
+
+On TP-Link Archer C7v4:
+
+ CPU0
+ 4: 0 MIPS 4 19000000.eth
+ 5: 7135 MIPS 5 1a000000.eth
+ 7: 98379 MIPS 7 timer
+ 8: 30 MISC 3 ttyS0
+ 12: 90028 INTC 0 ath9k
+ 13: 5520 INTC 1 ehci_hcd:usb1
+ 14: 4623 INTC 2 ehci_hcd:usb2
+ 15: 32844 AR724X PCI 1 ath10k_pci
+ 16: 0 gpio-ath79 16 keys
+ 23: 0 gpio-ath79 23 keys
+
+ $ perf top
+ genirq: Flags mismatch irq 13. 00014c80 (mips_perf_pmu) vs. 00000080 (ehci_hcd:usb1)
+
+This problem is happening, because currently statically assigned virtual
+IRQ 13 for performance counters is not claimed during the initialization
+of MIPS PMU during the bootup, so the IRQ subsystem doesn't know, that
+this interrupt isn't available for further use.
+
+So this patch fixes the issue by simply booking hardware IRQ 5 for MIPS PMU.
+
+Tested-by: Kevin 'ldir' Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+Signed-off-by: Petr Å tetiar <ynezz@true.cz>
+Acked-by: John Crispin <john@phrozen.org>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: linux-mips@vger.kernel.org
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Jason Cooper <jason@lakedaemon.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/ath79/setup.c | 6 ------
+ drivers/irqchip/irq-ath79-misc.c | 11 +++++++++++
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/arch/mips/ath79/setup.c b/arch/mips/ath79/setup.c
+index 9728abcb18fac..c04ae685003f7 100644
+--- a/arch/mips/ath79/setup.c
++++ b/arch/mips/ath79/setup.c
+@@ -211,12 +211,6 @@ const char *get_system_type(void)
+ return ath79_sys_type;
+ }
+
+-int get_c0_perfcount_int(void)
+-{
+- return ATH79_MISC_IRQ(5);
+-}
+-EXPORT_SYMBOL_GPL(get_c0_perfcount_int);
+-
+ unsigned int get_c0_compare_int(void)
+ {
+ return CP0_LEGACY_COMPARE_IRQ;
+diff --git a/drivers/irqchip/irq-ath79-misc.c b/drivers/irqchip/irq-ath79-misc.c
+index aa72907846360..0390603170b40 100644
+--- a/drivers/irqchip/irq-ath79-misc.c
++++ b/drivers/irqchip/irq-ath79-misc.c
+@@ -22,6 +22,15 @@
+ #define AR71XX_RESET_REG_MISC_INT_ENABLE 4
+
+ #define ATH79_MISC_IRQ_COUNT 32
++#define ATH79_MISC_PERF_IRQ 5
++
++static int ath79_perfcount_irq;
++
++int get_c0_perfcount_int(void)
++{
++ return ath79_perfcount_irq;
++}
++EXPORT_SYMBOL_GPL(get_c0_perfcount_int);
+
+ static void ath79_misc_irq_handler(struct irq_desc *desc)
+ {
+@@ -113,6 +122,8 @@ static void __init ath79_misc_intc_domain_init(
+ {
+ void __iomem *base = domain->host_data;
+
++ ath79_perfcount_irq = irq_create_mapping(domain, ATH79_MISC_PERF_IRQ);
++
+ /* Disable and clear all interrupts */
+ __raw_writel(0, base + AR71XX_RESET_REG_MISC_INT_ENABLE);
+ __raw_writel(0, base + AR71XX_RESET_REG_MISC_INT_STATUS);
+--
+2.20.1
+
--- /dev/null
+From b7521968faa242fe941d60cd3c5e4c309d6ab3f9 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 12 Apr 2019 19:52:36 +0900
+Subject: mISDN: Check address length before reading address family
+
+[ Upstream commit 238ffdc49ef98b15819cfd5e3fb23194e3ea3d39 ]
+
+KMSAN will complain if valid address length passed to bind() is shorter
+than sizeof("struct sockaddr_mISDN"->family) bytes.
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
+index 15d3ca37669a4..04da3a17cd950 100644
+--- a/drivers/isdn/mISDN/socket.c
++++ b/drivers/isdn/mISDN/socket.c
+@@ -710,10 +710,10 @@ base_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
+ struct sock *sk = sock->sk;
+ int err = 0;
+
+- if (!maddr || maddr->family != AF_ISDN)
++ if (addr_len < sizeof(struct sockaddr_mISDN))
+ return -EINVAL;
+
+- if (addr_len < sizeof(struct sockaddr_mISDN))
++ if (!maddr || maddr->family != AF_ISDN)
+ return -EINVAL;
+
+ lock_sock(sk);
+--
+2.20.1
+
--- /dev/null
+From a46082331c93bb10e3f08a907fa330e78e446509 Mon Sep 17 00:00:00 2001
+From: Johannes Weiner <hannes@cmpxchg.org>
+Date: Thu, 18 Apr 2019 17:50:34 -0700
+Subject: mm: fix inactive list balancing between NUMA nodes and cgroups
+
+[ Upstream commit 3b991208b897f52507168374033771a984b947b1 ]
+
+During !CONFIG_CGROUP reclaim, we expand the inactive list size if it's
+thrashing on the node that is about to be reclaimed. But when cgroups
+are enabled, we suddenly ignore the node scope and use the cgroup scope
+only. The result is that pressure bleeds between NUMA nodes depending
+on whether cgroups are merely compiled into Linux. This behavioral
+difference is unexpected and undesirable.
+
+When the refault adaptivity of the inactive list was first introduced,
+there were no statistics at the lruvec level - the intersection of node
+and memcg - so it was better than nothing.
+
+But now that we have that infrastructure, use lruvec_page_state() to
+make the list balancing decision always NUMA aware.
+
+[hannes@cmpxchg.org: fix bisection hole]
+ Link: http://lkml.kernel.org/r/20190417155241.GB23013@cmpxchg.org
+Link: http://lkml.kernel.org/r/20190412144438.2645-1-hannes@cmpxchg.org
+Fixes: 2a2e48854d70 ("mm: vmscan: fix IO/refault regression in cache workingset transition")
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Cc: Roman Gushchin <guro@fb.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/vmscan.c | 29 +++++++++--------------------
+ 1 file changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/mm/vmscan.c b/mm/vmscan.c
+index e979705bbf325..022afabac3f69 100644
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -2199,7 +2199,6 @@ static void shrink_active_list(unsigned long nr_to_scan,
+ * 10TB 320 32GB
+ */
+ static bool inactive_list_is_low(struct lruvec *lruvec, bool file,
+- struct mem_cgroup *memcg,
+ struct scan_control *sc, bool actual_reclaim)
+ {
+ enum lru_list active_lru = file * LRU_FILE + LRU_ACTIVE;
+@@ -2220,16 +2219,12 @@ static bool inactive_list_is_low(struct lruvec *lruvec, bool file,
+ inactive = lruvec_lru_size(lruvec, inactive_lru, sc->reclaim_idx);
+ active = lruvec_lru_size(lruvec, active_lru, sc->reclaim_idx);
+
+- if (memcg)
+- refaults = memcg_page_state(memcg, WORKINGSET_ACTIVATE);
+- else
+- refaults = node_page_state(pgdat, WORKINGSET_ACTIVATE);
+-
+ /*
+ * When refaults are being observed, it means a new workingset
+ * is being established. Disable active list protection to get
+ * rid of the stale workingset quickly.
+ */
++ refaults = lruvec_page_state(lruvec, WORKINGSET_ACTIVATE);
+ if (file && actual_reclaim && lruvec->refaults != refaults) {
+ inactive_ratio = 0;
+ } else {
+@@ -2250,12 +2245,10 @@ static bool inactive_list_is_low(struct lruvec *lruvec, bool file,
+ }
+
+ static unsigned long shrink_list(enum lru_list lru, unsigned long nr_to_scan,
+- struct lruvec *lruvec, struct mem_cgroup *memcg,
+- struct scan_control *sc)
++ struct lruvec *lruvec, struct scan_control *sc)
+ {
+ if (is_active_lru(lru)) {
+- if (inactive_list_is_low(lruvec, is_file_lru(lru),
+- memcg, sc, true))
++ if (inactive_list_is_low(lruvec, is_file_lru(lru), sc, true))
+ shrink_active_list(nr_to_scan, lruvec, sc, lru);
+ return 0;
+ }
+@@ -2355,7 +2348,7 @@ static void get_scan_count(struct lruvec *lruvec, struct mem_cgroup *memcg,
+ * anonymous pages on the LRU in eligible zones.
+ * Otherwise, the small LRU gets thrashed.
+ */
+- if (!inactive_list_is_low(lruvec, false, memcg, sc, false) &&
++ if (!inactive_list_is_low(lruvec, false, sc, false) &&
+ lruvec_lru_size(lruvec, LRU_INACTIVE_ANON, sc->reclaim_idx)
+ >> sc->priority) {
+ scan_balance = SCAN_ANON;
+@@ -2373,7 +2366,7 @@ static void get_scan_count(struct lruvec *lruvec, struct mem_cgroup *memcg,
+ * lruvec even if it has plenty of old anonymous pages unless the
+ * system is under heavy pressure.
+ */
+- if (!inactive_list_is_low(lruvec, true, memcg, sc, false) &&
++ if (!inactive_list_is_low(lruvec, true, sc, false) &&
+ lruvec_lru_size(lruvec, LRU_INACTIVE_FILE, sc->reclaim_idx) >> sc->priority) {
+ scan_balance = SCAN_FILE;
+ goto out;
+@@ -2526,7 +2519,7 @@ static void shrink_node_memcg(struct pglist_data *pgdat, struct mem_cgroup *memc
+ nr[lru] -= nr_to_scan;
+
+ nr_reclaimed += shrink_list(lru, nr_to_scan,
+- lruvec, memcg, sc);
++ lruvec, sc);
+ }
+ }
+
+@@ -2593,7 +2586,7 @@ static void shrink_node_memcg(struct pglist_data *pgdat, struct mem_cgroup *memc
+ * Even if we did not try to evict anon pages at all, we want to
+ * rebalance the anon lru active/inactive ratio.
+ */
+- if (inactive_list_is_low(lruvec, false, memcg, sc, true))
++ if (inactive_list_is_low(lruvec, false, sc, true))
+ shrink_active_list(SWAP_CLUSTER_MAX, lruvec,
+ sc, LRU_ACTIVE_ANON);
+ }
+@@ -2993,12 +2986,8 @@ static void snapshot_refaults(struct mem_cgroup *root_memcg, pg_data_t *pgdat)
+ unsigned long refaults;
+ struct lruvec *lruvec;
+
+- if (memcg)
+- refaults = memcg_page_state(memcg, WORKINGSET_ACTIVATE);
+- else
+- refaults = node_page_state(pgdat, WORKINGSET_ACTIVATE);
+-
+ lruvec = mem_cgroup_lruvec(pgdat, memcg);
++ refaults = lruvec_page_state(lruvec, WORKINGSET_ACTIVATE);
+ lruvec->refaults = refaults;
+ } while ((memcg = mem_cgroup_iter(root_memcg, memcg, NULL)));
+ }
+@@ -3363,7 +3352,7 @@ static void age_active_anon(struct pglist_data *pgdat,
+ do {
+ struct lruvec *lruvec = mem_cgroup_lruvec(pgdat, memcg);
+
+- if (inactive_list_is_low(lruvec, false, memcg, sc, true))
++ if (inactive_list_is_low(lruvec, false, sc, true))
+ shrink_active_list(SWAP_CLUSTER_MAX, lruvec,
+ sc, LRU_ACTIVE_ANON);
+
+--
+2.20.1
+
--- /dev/null
+From fff821d6af97b9da2e03f3b645e0bc3d99bc068f Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Thu, 18 Apr 2019 17:50:30 -0700
+Subject: mm/hotplug: treat CMA pages as unmovable
+
+[ Upstream commit 1a9f219157b22d0ffb340a9c5f431afd02cd2cf3 ]
+
+has_unmovable_pages() is used by allocating CMA and gigantic pages as
+well as the memory hotplug. The later doesn't know how to offline CMA
+pool properly now, but if an unused (free) CMA page is encountered, then
+has_unmovable_pages() happily considers it as a free memory and
+propagates this up the call chain. Memory offlining code then frees the
+page without a proper CMA tear down which leads to an accounting issues.
+Moreover if the same memory range is onlined again then the memory never
+gets back to the CMA pool.
+
+State after memory offline:
+
+ # grep cma /proc/vmstat
+ nr_free_cma 205824
+
+ # cat /sys/kernel/debug/cma/cma-kvm_cma/count
+ 209920
+
+Also, kmemleak still think those memory address are reserved below but
+have already been used by the buddy allocator after onlining. This
+patch fixes the situation by treating CMA pageblocks as unmovable except
+when has_unmovable_pages() is called as part of CMA allocation.
+
+ Offlined Pages 4096
+ kmemleak: Cannot insert 0xc000201f7d040008 into the object search tree (overlaps existing)
+ Call Trace:
+ dump_stack+0xb0/0xf4 (unreliable)
+ create_object+0x344/0x380
+ __kmalloc_node+0x3ec/0x860
+ kvmalloc_node+0x58/0x110
+ seq_read+0x41c/0x620
+ __vfs_read+0x3c/0x70
+ vfs_read+0xbc/0x1a0
+ ksys_read+0x7c/0x140
+ system_call+0x5c/0x70
+ kmemleak: Kernel memory leak detector disabled
+ kmemleak: Object 0xc000201cc8000000 (size 13757317120):
+ kmemleak: comm "swapper/0", pid 0, jiffies 4294937297
+ kmemleak: min_count = -1
+ kmemleak: count = 0
+ kmemleak: flags = 0x5
+ kmemleak: checksum = 0
+ kmemleak: backtrace:
+ cma_declare_contiguous+0x2a4/0x3b0
+ kvm_cma_reserve+0x11c/0x134
+ setup_arch+0x300/0x3f8
+ start_kernel+0x9c/0x6e8
+ start_here_common+0x1c/0x4b0
+ kmemleak: Automatic memory scanning thread ended
+
+[cai@lca.pw: use is_migrate_cma_page() and update commit log]
+ Link: http://lkml.kernel.org/r/20190416170510.20048-1-cai@lca.pw
+Link: http://lkml.kernel.org/r/20190413002623.8967-1-cai@lca.pw
+Signed-off-by: Qian Cai <cai@lca.pw>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/page_alloc.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 318ef6ccdb3b5..eedb57f9b40b5 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -7945,7 +7945,10 @@ void *__init alloc_large_system_hash(const char *tablename,
+ bool has_unmovable_pages(struct zone *zone, struct page *page, int count,
+ int migratetype, int flags)
+ {
+- unsigned long pfn, iter, found;
++ unsigned long found;
++ unsigned long iter = 0;
++ unsigned long pfn = page_to_pfn(page);
++ const char *reason = "unmovable page";
+
+ /*
+ * TODO we could make this much more efficient by not checking every
+@@ -7955,17 +7958,20 @@ bool has_unmovable_pages(struct zone *zone, struct page *page, int count,
+ * can still lead to having bootmem allocations in zone_movable.
+ */
+
+- /*
+- * CMA allocations (alloc_contig_range) really need to mark isolate
+- * CMA pageblocks even when they are not movable in fact so consider
+- * them movable here.
+- */
+- if (is_migrate_cma(migratetype) &&
+- is_migrate_cma(get_pageblock_migratetype(page)))
+- return false;
++ if (is_migrate_cma_page(page)) {
++ /*
++ * CMA allocations (alloc_contig_range) really need to mark
++ * isolate CMA pageblocks even when they are not movable in fact
++ * so consider them movable here.
++ */
++ if (is_migrate_cma(migratetype))
++ return false;
++
++ reason = "CMA page";
++ goto unmovable;
++ }
+
+- pfn = page_to_pfn(page);
+- for (found = 0, iter = 0; iter < pageblock_nr_pages; iter++) {
++ for (found = 0; iter < pageblock_nr_pages; iter++) {
+ unsigned long check = pfn + iter;
+
+ if (!pfn_valid_within(check))
+@@ -8045,7 +8051,7 @@ bool has_unmovable_pages(struct zone *zone, struct page *page, int count,
+ unmovable:
+ WARN_ON_ONCE(zone_idx(zone) == ZONE_MOVABLE);
+ if (flags & REPORT_FAILURE)
+- dump_page(pfn_to_page(pfn+iter), "unmovable page");
++ dump_page(pfn_to_page(pfn + iter), reason);
+ return true;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From a12db310039156e4a59a314890d8ef26f0a98353 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Thu, 25 Apr 2019 22:23:37 -0700
+Subject: mm/memory_hotplug.c: drop memory device reference after
+ find_memory_block()
+
+[ Upstream commit 89c02e69fc5245f8a2f34b58b42d43a737af1a5e ]
+
+Right now we are using find_memory_block() to get the node id for the
+pfn range to online. We are missing to drop a reference to the memory
+block device. While the device still gets unregistered via
+device_unregister(), resulting in no user visible problem, the device is
+never released via device_release(), resulting in a memory leak. Fix
+that by properly using a put_device().
+
+Link: http://lkml.kernel.org/r/20190411110955.1430-1-david@redhat.com
+Fixes: d0dc12e86b31 ("mm/memory_hotplug: optimize memory hotplug")
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Reviewed-by: Wei Yang <richard.weiyang@gmail.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Pankaj Gupta <pagupta@redhat.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
+Cc: Qian Cai <cai@lca.pw>
+Cc: Arun KS <arunks@codeaurora.org>
+Cc: Mathieu Malaterre <malat@debian.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memory_hotplug.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
+index 11593a03c051f..7493f50ee8800 100644
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -858,6 +858,7 @@ int __ref online_pages(unsigned long pfn, unsigned long nr_pages, int online_typ
+ */
+ mem = find_memory_block(__pfn_to_section(pfn));
+ nid = mem->nid;
++ put_device(&mem->dev);
+
+ /* associate pfn range with the zone */
+ zone = move_pfn_range(online_type, nid, pfn, nr_pages);
+--
+2.20.1
+
--- /dev/null
+From ec564ec4f2654cdc6b48e5cd48fe7eb9d1eb6c93 Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Thu, 25 Apr 2019 22:23:58 -0700
+Subject: mm/page_alloc.c: avoid potential NULL pointer dereference
+
+[ Upstream commit 8139ad043d632c0e9e12d760068a7a8e91659aa1 ]
+
+ac.preferred_zoneref->zone passed to alloc_flags_nofragment() can be NULL.
+'zone' pointer unconditionally derefernced in alloc_flags_nofragment().
+Bail out on NULL zone to avoid potential crash. Currently we don't see
+any crashes only because alloc_flags_nofragment() has another bug which
+allows compiler to optimize away all accesses to 'zone'.
+
+Link: http://lkml.kernel.org/r/20190423120806.3503-1-aryabinin@virtuozzo.com
+Fixes: 6bb154504f8b ("mm, page_alloc: spread allocations across zones before introducing fragmentation")
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Acked-by: Mel Gorman <mgorman@techsingularity.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/page_alloc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index eedb57f9b40b5..d59be95ba45cf 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -3385,6 +3385,9 @@ alloc_flags_nofragment(struct zone *zone, gfp_t gfp_mask)
+ alloc_flags |= ALLOC_KSWAPD;
+
+ #ifdef CONFIG_ZONE_DMA32
++ if (!zone)
++ return alloc_flags;
++
+ if (zone_idx(zone) != ZONE_NORMAL)
+ goto out;
+
+--
+2.20.1
+
--- /dev/null
+From c6cd8632b739976f59d7ba9ebc397a733e0e4c3e Mon Sep 17 00:00:00 2001
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Fri, 1 Mar 2019 11:52:08 +0100
+Subject: net: mvpp2: fix validate for PPv2.1
+
+[ Upstream commit 8b318f30ab4ef9bbc1241e6f8c1db366dbd347f2 ]
+
+The Phylink validate function is the Marvell PPv2 driver makes a check
+on the GoP id. This is valid an has to be done when using PPv2.2 engines
+but makes no sense when using PPv2.1. The check done when using an RGMII
+interface makes sure the GoP id is not 0, but this breaks PPv2.1. Fixes
+it.
+
+Fixes: 0fb628f0f250 ("net: mvpp2: fix phylink handling of invalid PHY modes")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index 931beac3359d1..70031e2b22944 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -4370,7 +4370,7 @@ static void mvpp2_phylink_validate(struct net_device *dev,
+ case PHY_INTERFACE_MODE_RGMII_ID:
+ case PHY_INTERFACE_MODE_RGMII_RXID:
+ case PHY_INTERFACE_MODE_RGMII_TXID:
+- if (port->gop_id == 0)
++ if (port->priv->hw_version == MVPP22 && port->gop_id == 0)
+ goto empty_set;
+ break;
+ default:
+--
+2.20.1
+
--- /dev/null
+From 940d9dd615e3fbfb9834545b0f3211def0502bb0 Mon Sep 17 00:00:00 2001
+From: John Hurley <john.hurley@netronome.com>
+Date: Fri, 22 Mar 2019 12:37:35 +0000
+Subject: net: sched: fix cleanup NULL pointer exception in act_mirr
+
+[ Upstream commit 064c5d6881e897077639e04973de26440ee205e6 ]
+
+A new mirred action is created by the tcf_mirred_init function. This
+contains a list head struct which is inserted into a global list on
+successful creation of a new action. However, after a creation, it is
+still possible to error out and call the tcf_idr_release function. This,
+in turn, calls the act_mirr cleanup function via __tcf_idr_release and
+__tcf_action_put. This cleanup function tries to delete the list entry
+which is as yet uninitialised, leading to a NULL pointer exception.
+
+Fix this by initialising the list entry on creation of a new action.
+
+Bug report:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+PGD 8000000840c73067 P4D 8000000840c73067 PUD 858dcc067 PMD 0
+Oops: 0002 [#1] SMP PTI
+CPU: 32 PID: 5636 Comm: handler194 Tainted: G OE 5.0.0+ #186
+Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.3.6 06/03/2015
+RIP: 0010:tcf_mirred_release+0x42/0xa7 [act_mirred]
+Code: f0 90 39 c0 e8 52 04 57 c8 48 c7 c7 b8 80 39 c0 e8 94 fa d4 c7 48 8b 93 d0 00 00 00 48 8b 83 d8 00 00 00 48 c7 c7 f0 90 39 c0 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 d0 00
+RSP: 0018:ffffac4aa059f688 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: ffff9dcd1b214d00 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffff9dcd1fa165f8 RDI: ffffffffc03990f0
+RBP: ffff9dccf9c7af80 R08: 0000000000000a3b R09: 0000000000000000
+R10: ffff9dccfa11f420 R11: 0000000000000000 R12: 0000000000000001
+R13: ffff9dcd16b433c0 R14: ffff9dcd1b214d80 R15: 0000000000000000
+FS: 00007f441bfff700(0000) GS:ffff9dcd1fa00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000008 CR3: 0000000839e64004 CR4: 00000000001606e0
+Call Trace:
+tcf_action_cleanup+0x59/0xca
+__tcf_action_put+0x54/0x6b
+__tcf_idr_release.cold.33+0x9/0x12
+tcf_mirred_init.cold.20+0x22e/0x3b0 [act_mirred]
+tcf_action_init_1+0x3d0/0x4c0
+tcf_action_init+0x9c/0x130
+tcf_exts_validate+0xab/0xc0
+fl_change+0x1ca/0x982 [cls_flower]
+tc_new_tfilter+0x647/0x8d0
+? load_balance+0x14b/0x9e0
+rtnetlink_rcv_msg+0xe3/0x370
+? __switch_to_asm+0x40/0x70
+? __switch_to_asm+0x34/0x70
+? _cond_resched+0x15/0x30
+? __kmalloc_node_track_caller+0x1d4/0x2b0
+? rtnl_calcit.isra.31+0xf0/0xf0
+netlink_rcv_skb+0x49/0x110
+netlink_unicast+0x16f/0x210
+netlink_sendmsg+0x1df/0x390
+sock_sendmsg+0x36/0x40
+___sys_sendmsg+0x27b/0x2c0
+? futex_wake+0x80/0x140
+? do_futex+0x2b9/0xac0
+? ep_scan_ready_list.constprop.22+0x1f2/0x210
+? ep_poll+0x7a/0x430
+__sys_sendmsg+0x47/0x80
+do_syscall_64+0x55/0x100
+entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 4e232818bd32 ("net: sched: act_mirred: remove dependency on rtnl lock")
+Signed-off-by: John Hurley <john.hurley@netronome.com>
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+---
+ net/sched/act_mirred.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
+index c8cf4d10c4355..971dc03304f42 100644
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -159,6 +159,9 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla,
+ }
+ m = to_mirred(*a);
+
++ if (ret == ACT_P_CREATED)
++ INIT_LIST_HEAD(&m->tcfm_list);
++
+ spin_lock_bh(&m->tcf_lock);
+ m->tcf_action = parm->action;
+ m->tcfm_eaction = parm->eaction;
+--
+2.20.1
+
--- /dev/null
+From 014ce98139c0a9534360d982c0ee241c1b91cfe1 Mon Sep 17 00:00:00 2001
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Sat, 20 Apr 2019 12:09:39 +0800
+Subject: net: vrf: Fix operation not supported when set vrf mac
+
+[ Upstream commit 6819e3f6d83a24777813b0d031ebe0861694db5a ]
+
+Vrf device is not able to change mac address now because lack of
+ndo_set_mac_address. Complete this in case some apps need to do
+this.
+
+Reported-by: Hui Wang <wanghui104@huawei.com>
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vrf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
+index cd15c32b2e436..9ee4d7402ca23 100644
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -875,6 +875,7 @@ static const struct net_device_ops vrf_netdev_ops = {
+ .ndo_init = vrf_dev_init,
+ .ndo_uninit = vrf_dev_uninit,
+ .ndo_start_xmit = vrf_xmit,
++ .ndo_set_mac_address = eth_mac_addr,
+ .ndo_get_stats64 = vrf_get_stats64,
+ .ndo_add_slave = vrf_add_slave,
+ .ndo_del_slave = vrf_del_slave,
+@@ -1274,6 +1275,7 @@ static void vrf_setup(struct net_device *dev)
+ /* default to no qdisc; user can add if desired */
+ dev->priv_flags |= IFF_NO_QUEUE;
+ dev->priv_flags |= IFF_NO_RX_HANDLER;
++ dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
+
+ /* VRF devices do not care about MTU, but if the MTU is set
+ * too low then the ipv4 and ipv6 protocols are disabled
+--
+2.20.1
+
--- /dev/null
+From b9c8734b8a5f24dd3fd7641576389827d68451cc Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 1 Apr 2019 13:08:54 +0200
+Subject: netfilter: ctnetlink: don't use conntrack/expect object addresses as
+ id
+
+[ Upstream commit 3c79107631db1f7fd32cf3f7368e4672004a3010 ]
+
+else, we leak the addresses to userspace via ctnetlink events
+and dumps.
+
+Compute an ID on demand based on the immutable parts of nf_conn struct.
+
+Another advantage compared to using an address is that there is no
+immediate re-use of the same ID in case the conntrack entry is freed and
+reallocated again immediately.
+
+Fixes: 3583240249ef ("[NETFILTER]: nf_conntrack_expect: kill unique ID")
+Fixes: 7f85f914721f ("[NETFILTER]: nf_conntrack: kill unique ID")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_conntrack.h | 2 ++
+ net/netfilter/nf_conntrack_core.c | 35 ++++++++++++++++++++++++++++
+ net/netfilter/nf_conntrack_netlink.c | 34 +++++++++++++++++++++++----
+ 3 files changed, 66 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
+index 249d0a5b12b82..63fd47e924b92 100644
+--- a/include/net/netfilter/nf_conntrack.h
++++ b/include/net/netfilter/nf_conntrack.h
+@@ -318,6 +318,8 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net,
+ gfp_t flags);
+ void nf_ct_tmpl_free(struct nf_conn *tmpl);
+
++u32 nf_ct_get_id(const struct nf_conn *ct);
++
+ static inline void
+ nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info)
+ {
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 9dd4c2048a2ba..1982faf21ebb5 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -25,6 +25,7 @@
+ #include <linux/slab.h>
+ #include <linux/random.h>
+ #include <linux/jhash.h>
++#include <linux/siphash.h>
+ #include <linux/err.h>
+ #include <linux/percpu.h>
+ #include <linux/moduleparam.h>
+@@ -424,6 +425,40 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
+ }
+ EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);
+
++/* Generate a almost-unique pseudo-id for a given conntrack.
++ *
++ * intentionally doesn't re-use any of the seeds used for hash
++ * table location, we assume id gets exposed to userspace.
++ *
++ * Following nf_conn items do not change throughout lifetime
++ * of the nf_conn after it has been committed to main hash table:
++ *
++ * 1. nf_conn address
++ * 2. nf_conn->ext address
++ * 3. nf_conn->master address (normally NULL)
++ * 4. tuple
++ * 5. the associated net namespace
++ */
++u32 nf_ct_get_id(const struct nf_conn *ct)
++{
++ static __read_mostly siphash_key_t ct_id_seed;
++ unsigned long a, b, c, d;
++
++ net_get_random_once(&ct_id_seed, sizeof(ct_id_seed));
++
++ a = (unsigned long)ct;
++ b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct));
++ c = (unsigned long)ct->ext;
++ d = (unsigned long)siphash(&ct->tuplehash, sizeof(ct->tuplehash),
++ &ct_id_seed);
++#ifdef CONFIG_64BIT
++ return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &ct_id_seed);
++#else
++ return siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &ct_id_seed);
++#endif
++}
++EXPORT_SYMBOL_GPL(nf_ct_get_id);
++
+ static void
+ clean_from_lists(struct nf_conn *ct)
+ {
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 1213beb5a7146..36619ad8ab8c2 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -29,6 +29,7 @@
+ #include <linux/spinlock.h>
+ #include <linux/interrupt.h>
+ #include <linux/slab.h>
++#include <linux/siphash.h>
+
+ #include <linux/netfilter.h>
+ #include <net/netlink.h>
+@@ -485,7 +486,9 @@ static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
+
+ static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
+ {
+- if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct)))
++ __be32 id = (__force __be32)nf_ct_get_id(ct);
++
++ if (nla_put_be32(skb, CTA_ID, id))
+ goto nla_put_failure;
+ return 0;
+
+@@ -1286,8 +1289,9 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
+ }
+
+ if (cda[CTA_ID]) {
+- u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
+- if (id != (u32)(unsigned long)ct) {
++ __be32 id = nla_get_be32(cda[CTA_ID]);
++
++ if (id != (__force __be32)nf_ct_get_id(ct)) {
+ nf_ct_put(ct);
+ return -ENOENT;
+ }
+@@ -2694,6 +2698,25 @@ static int ctnetlink_exp_dump_mask(struct sk_buff *skb,
+
+ static const union nf_inet_addr any_addr;
+
++static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp)
++{
++ static __read_mostly siphash_key_t exp_id_seed;
++ unsigned long a, b, c, d;
++
++ net_get_random_once(&exp_id_seed, sizeof(exp_id_seed));
++
++ a = (unsigned long)exp;
++ b = (unsigned long)exp->helper;
++ c = (unsigned long)exp->master;
++ d = (unsigned long)siphash(&exp->tuple, sizeof(exp->tuple), &exp_id_seed);
++
++#ifdef CONFIG_64BIT
++ return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &exp_id_seed);
++#else
++ return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &exp_id_seed);
++#endif
++}
++
+ static int
+ ctnetlink_exp_dump_expect(struct sk_buff *skb,
+ const struct nf_conntrack_expect *exp)
+@@ -2741,7 +2764,7 @@ ctnetlink_exp_dump_expect(struct sk_buff *skb,
+ }
+ #endif
+ if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) ||
+- nla_put_be32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)) ||
++ nla_put_be32(skb, CTA_EXPECT_ID, nf_expect_get_id(exp)) ||
+ nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||
+ nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))
+ goto nla_put_failure;
+@@ -3046,7 +3069,8 @@ static int ctnetlink_get_expect(struct net *net, struct sock *ctnl,
+
+ if (cda[CTA_EXPECT_ID]) {
+ __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
+- if (ntohl(id) != (u32)(unsigned long)exp) {
++
++ if (id != nf_expect_get_id(exp)) {
+ nf_ct_expect_put(exp);
+ return -ENOENT;
+ }
+--
+2.20.1
+
--- /dev/null
+From fc578e2fb36b4ec9de1a189f271fa5e0804d9198 Mon Sep 17 00:00:00 2001
+From: Andrei Vagin <avagin@gmail.com>
+Date: Wed, 17 Apr 2019 09:49:44 -0700
+Subject: netfilter: fix nf_l4proto_log_invalid to log invalid packets
+
+[ Upstream commit d48668052b2603b6262459625c86108c493588dd ]
+
+It doesn't log a packet if sysctl_log_invalid isn't equal to protonum
+OR sysctl_log_invalid isn't equal to IPPROTO_RAW. This sentence is
+always true. I believe we need to replace OR to AND.
+
+Cc: Florian Westphal <fw@strlen.de>
+Fixes: c4f3db1595827 ("netfilter: conntrack: add and use nf_l4proto_log_invalid")
+Signed-off-by: Andrei Vagin <avagin@gmail.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
+index 859f5d07a9159..78361e462e802 100644
+--- a/net/netfilter/nf_conntrack_proto.c
++++ b/net/netfilter/nf_conntrack_proto.c
+@@ -86,7 +86,7 @@ void nf_l4proto_log_invalid(const struct sk_buff *skb,
+ struct va_format vaf;
+ va_list args;
+
+- if (net->ct.sysctl_log_invalid != protonum ||
++ if (net->ct.sysctl_log_invalid != protonum &&
+ net->ct.sysctl_log_invalid != IPPROTO_RAW)
+ return;
+
+--
+2.20.1
+
--- /dev/null
+From 2f35a392f856617eb0e478ab173ed437aae55307 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 9 Apr 2019 14:45:20 +0200
+Subject: netfilter: nat: fix icmp id randomization
+
+[ Upstream commit 5bdac418f33f60b07a34e01e722889140ee8fac9 ]
+
+Sven Auhagen reported that a 2nd ping request will fail if 'fully-random'
+mode is used.
+
+Reason is that if no proto information is given, min/max are both 0,
+so we set the icmp id to 0 instead of chosing a random value between
+0 and 65535.
+
+Update test case as well to catch this, without fix this yields:
+[..]
+ERROR: cannot ping ns1 from ns2 with ip masquerade fully-random (attempt 2)
+ERROR: cannot ping ns1 from ns2 with ipv6 masquerade fully-random (attempt 2)
+
+... becaus 2nd ping clashes with existing 'id 0' icmp conntrack and gets
+dropped.
+
+Fixes: 203f2e78200c27e ("netfilter: nat: remove l4proto->unique_tuple")
+Reported-by: Sven Auhagen <sven.auhagen@voleatech.de>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_nat_core.c | 11 ++++--
+ tools/testing/selftests/netfilter/nft_nat.sh | 36 +++++++++++++++-----
+ 2 files changed, 35 insertions(+), 12 deletions(-)
+
+diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
+index d159e9e7835b4..ade527565127b 100644
+--- a/net/netfilter/nf_nat_core.c
++++ b/net/netfilter/nf_nat_core.c
+@@ -358,9 +358,14 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
+ case IPPROTO_ICMPV6:
+ /* id is same for either direction... */
+ keyptr = &tuple->src.u.icmp.id;
+- min = range->min_proto.icmp.id;
+- range_size = ntohs(range->max_proto.icmp.id) -
+- ntohs(range->min_proto.icmp.id) + 1;
++ if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
++ min = 0;
++ range_size = 65536;
++ } else {
++ min = ntohs(range->min_proto.icmp.id);
++ range_size = ntohs(range->max_proto.icmp.id) -
++ ntohs(range->min_proto.icmp.id) + 1;
++ }
+ goto find_free_id;
+ #if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE)
+ case IPPROTO_GRE:
+diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh
+index 8ec76681605cc..3194007cf8d1b 100755
+--- a/tools/testing/selftests/netfilter/nft_nat.sh
++++ b/tools/testing/selftests/netfilter/nft_nat.sh
+@@ -321,6 +321,7 @@ EOF
+
+ test_masquerade6()
+ {
++ local natflags=$1
+ local lret=0
+
+ ip netns exec ns0 sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
+@@ -354,13 +355,13 @@ ip netns exec ns0 nft -f - <<EOF
+ table ip6 nat {
+ chain postrouting {
+ type nat hook postrouting priority 0; policy accept;
+- meta oif veth0 masquerade
++ meta oif veth0 masquerade $natflags
+ }
+ }
+ EOF
+ ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1
+ if [ $? -ne 0 ] ; then
+- echo "ERROR: cannot ping ns1 from ns2 with active ipv6 masquerading"
++ echo "ERROR: cannot ping ns1 from ns2 with active ipv6 masquerade $natflags"
+ lret=1
+ fi
+
+@@ -397,19 +398,26 @@ EOF
+ fi
+ done
+
++ ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1
++ if [ $? -ne 0 ] ; then
++ echo "ERROR: cannot ping ns1 from ns2 with active ipv6 masquerade $natflags (attempt 2)"
++ lret=1
++ fi
++
+ ip netns exec ns0 nft flush chain ip6 nat postrouting
+ if [ $? -ne 0 ]; then
+ echo "ERROR: Could not flush ip6 nat postrouting" 1>&2
+ lret=1
+ fi
+
+- test $lret -eq 0 && echo "PASS: IPv6 masquerade for ns2"
++ test $lret -eq 0 && echo "PASS: IPv6 masquerade $natflags for ns2"
+
+ return $lret
+ }
+
+ test_masquerade()
+ {
++ local natflags=$1
+ local lret=0
+
+ ip netns exec ns0 sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
+@@ -417,7 +425,7 @@ test_masquerade()
+
+ ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1
+ if [ $? -ne 0 ] ; then
+- echo "ERROR: canot ping ns1 from ns2"
++ echo "ERROR: cannot ping ns1 from ns2 $natflags"
+ lret=1
+ fi
+
+@@ -443,13 +451,13 @@ ip netns exec ns0 nft -f - <<EOF
+ table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 0; policy accept;
+- meta oif veth0 masquerade
++ meta oif veth0 masquerade $natflags
+ }
+ }
+ EOF
+ ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1
+ if [ $? -ne 0 ] ; then
+- echo "ERROR: cannot ping ns1 from ns2 with active ip masquerading"
++ echo "ERROR: cannot ping ns1 from ns2 with active ip masquere $natflags"
+ lret=1
+ fi
+
+@@ -485,13 +493,19 @@ EOF
+ fi
+ done
+
++ ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1
++ if [ $? -ne 0 ] ; then
++ echo "ERROR: cannot ping ns1 from ns2 with active ip masquerade $natflags (attempt 2)"
++ lret=1
++ fi
++
+ ip netns exec ns0 nft flush chain ip nat postrouting
+ if [ $? -ne 0 ]; then
+ echo "ERROR: Could not flush nat postrouting" 1>&2
+ lret=1
+ fi
+
+- test $lret -eq 0 && echo "PASS: IP masquerade for ns2"
++ test $lret -eq 0 && echo "PASS: IP masquerade $natflags for ns2"
+
+ return $lret
+ }
+@@ -750,8 +764,12 @@ test_local_dnat
+ test_local_dnat6
+
+ reset_counters
+-test_masquerade
+-test_masquerade6
++test_masquerade ""
++test_masquerade6 ""
++
++reset_counters
++test_masquerade "fully-random"
++test_masquerade6 "fully-random"
+
+ reset_counters
+ test_redirect
+--
+2.20.1
+
--- /dev/null
+From 47663fb01cbb1c2369e828e26335ecce0534014e Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 17 Apr 2019 02:17:23 +0200
+Subject: netfilter: never get/set skb->tstamp
+
+[ Upstream commit 916f6efae62305796e012e7c3a7884a267cbacbf ]
+
+setting net.netfilter.nf_conntrack_timestamp=1 breaks xmit with fq
+scheduler. skb->tstamp might be "refreshed" using ktime_get_real(),
+but fq expects CLOCK_MONOTONIC.
+
+This patch removes all places in netfilter that check/set skb->tstamp:
+
+1. To fix the bogus "start" time seen with conntrack timestamping for
+ outgoing packets, never use skb->tstamp and always use current time.
+2. In nfqueue and nflog, only use skb->tstamp for incoming packets,
+ as determined by current hook (prerouting, input, forward).
+3. xt_time has to use system clock as well rather than skb->tstamp.
+ We could still use skb->tstamp for prerouting/input/foward, but
+ I see no advantage to make this conditional.
+
+Fixes: fb420d5d91c1 ("tcp/fq: move back to CLOCK_MONOTONIC")
+Cc: Eric Dumazet <edumazet@google.com>
+Reported-by: Michal Soltys <soltys@ziu.info>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_core.c | 7 ++-----
+ net/netfilter/nfnetlink_log.c | 2 +-
+ net/netfilter/nfnetlink_queue.c | 2 +-
+ net/netfilter/xt_time.c | 23 ++++++++++++++---------
+ 4 files changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 1982faf21ebb5..d7ac2f82bb6d8 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -983,12 +983,9 @@ __nf_conntrack_confirm(struct sk_buff *skb)
+
+ /* set conntrack timestamp, if enabled. */
+ tstamp = nf_conn_tstamp_find(ct);
+- if (tstamp) {
+- if (skb->tstamp == 0)
+- __net_timestamp(skb);
++ if (tstamp)
++ tstamp->start = ktime_get_real_ns();
+
+- tstamp->start = ktime_to_ns(skb->tstamp);
+- }
+ /* Since the lookup is lockless, hash insertion must be done after
+ * starting the timer and setting the CONFIRMED bit. The RCU barriers
+ * guarantee that no other CPU can find the conntrack before the above
+diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
+index b1f9c5303f026..0b3347570265c 100644
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -540,7 +540,7 @@ __build_packet_message(struct nfnl_log_net *log,
+ goto nla_put_failure;
+ }
+
+- if (skb->tstamp) {
++ if (hooknum <= NF_INET_FORWARD && skb->tstamp) {
+ struct nfulnl_msg_packet_timestamp ts;
+ struct timespec64 kts = ktime_to_timespec64(skb->tstamp);
+ ts.sec = cpu_to_be64(kts.tv_sec);
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index 0dcc3592d053f..e057b2961d313 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -582,7 +582,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
+ if (nfqnl_put_bridge(entry, skb) < 0)
+ goto nla_put_failure;
+
+- if (entskb->tstamp) {
++ if (entry->state.hook <= NF_INET_FORWARD && entskb->tstamp) {
+ struct nfqnl_msg_packet_timestamp ts;
+ struct timespec64 kts = ktime_to_timespec64(entskb->tstamp);
+
+diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
+index c13bcd0ab4913..8dbb4d48f2ed5 100644
+--- a/net/netfilter/xt_time.c
++++ b/net/netfilter/xt_time.c
+@@ -163,19 +163,24 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par)
+ s64 stamp;
+
+ /*
+- * We cannot use get_seconds() instead of __net_timestamp() here.
++ * We need real time here, but we can neither use skb->tstamp
++ * nor __net_timestamp().
++ *
++ * skb->tstamp and skb->skb_mstamp_ns overlap, however, they
++ * use different clock types (real vs monotonic).
++ *
+ * Suppose you have two rules:
+- * 1. match before 13:00
+- * 2. match after 13:00
++ * 1. match before 13:00
++ * 2. match after 13:00
++ *
+ * If you match against processing time (get_seconds) it
+ * may happen that the same packet matches both rules if
+- * it arrived at the right moment before 13:00.
++ * it arrived at the right moment before 13:00, so it would be
++ * better to check skb->tstamp and set it via __net_timestamp()
++ * if needed. This however breaks outgoing packets tx timestamp,
++ * and causes them to get delayed forever by fq packet scheduler.
+ */
+- if (skb->tstamp == 0)
+- __net_timestamp((struct sk_buff *)skb);
+-
+- stamp = ktime_to_ns(skb->tstamp);
+- stamp = div_s64(stamp, NSEC_PER_SEC);
++ stamp = get_seconds();
+
+ if (info->flags & XT_TIME_LOCAL_TZ)
+ /* Adjust for local timezone */
+--
+2.20.1
+
--- /dev/null
+From c0cf1eaf1aee8c40ebb23bbaa3901647c80b78df Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 6 Apr 2019 08:26:52 +0300
+Subject: netfilter: nf_tables: prevent shift wrap in nft_chain_parse_hook()
+
+[ Upstream commit 33d1c018179d0a30c39cc5f1682b77867282694b ]
+
+I believe that "hook->num" can be up to UINT_MAX. Shifting more than
+31 bits would is undefined in C but in practice it would lead to shift
+wrapping. That would lead to an array overflow in nf_tables_addchain():
+
+ ops->hook = hook.type->hooks[ops->hooknum];
+
+Fixes: fe19c04ca137 ("netfilter: nf_tables: remove nhooks field from struct nft_af_info")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index e2aac80f9b7b1..25c2b98b9a960 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1502,7 +1502,7 @@ static int nft_chain_parse_hook(struct net *net,
+ if (IS_ERR(type))
+ return PTR_ERR(type);
+ }
+- if (!(type->hook_mask & (1 << hook->num)))
++ if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
+ return -EOPNOTSUPP;
+
+ if (type->type == NFT_CHAIN_T_NAT &&
+--
+2.20.1
+
--- /dev/null
+From 8676d393cd5ac081ad68685cf366192398e7d5c0 Mon Sep 17 00:00:00 2001
+From: Sunil Dutt <usdutt@codeaurora.org>
+Date: Mon, 25 Feb 2019 15:37:20 +0530
+Subject: nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands
+
+[ Upstream commit d6db02a88a4aaa1cd7105137c67ddec7f3bdbc05 ]
+
+This commit adds NL80211_FLAG_CLEAR_SKB flag to other NL commands
+that carry key data to ensure they do not stick around on heap
+after the SKB is freed.
+
+Also introduced this flag for NL80211_CMD_VENDOR as there are sub
+commands which configure the keys.
+
+Signed-off-by: Sunil Dutt <usdutt@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index d91a408db113e..156ce708b5330 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -13596,7 +13596,8 @@ static const struct genl_ops nl80211_ops[] = {
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_DEAUTHENTICATE,
+@@ -13647,7 +13648,8 @@ static const struct genl_ops nl80211_ops[] = {
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
+@@ -13655,7 +13657,8 @@ static const struct genl_ops nl80211_ops[] = {
+ .policy = nl80211_policy,
+ .flags = GENL_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_DISCONNECT,
+@@ -13684,7 +13687,8 @@ static const struct genl_ops nl80211_ops[] = {
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_DEL_PMKSA,
+@@ -14036,7 +14040,8 @@ static const struct genl_ops nl80211_ops[] = {
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_WIPHY |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_SET_QOS_MAP,
+@@ -14091,7 +14096,8 @@ static const struct genl_ops nl80211_ops[] = {
+ .doit = nl80211_set_pmk,
+ .policy = nl80211_policy,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_DEL_PMK,
+--
+2.20.1
+
--- /dev/null
+From 8de16b441f65ac540f0330cc88f98f147f21dd00 Mon Sep 17 00:00:00 2001
+From: Claudiu Manoil <claudiu.manoil@nxp.com>
+Date: Tue, 16 Apr 2019 17:51:58 +0300
+Subject: ocelot: Don't sleep in atomic context (irqs_disabled())
+
+[ Upstream commit a8fd48b50deaa20808bbf0f6685f6f1acba6a64c ]
+
+Preemption disabled at:
+ [<ffff000008cabd54>] dev_set_rx_mode+0x1c/0x38
+ Call trace:
+ [<ffff00000808a5c0>] dump_backtrace+0x0/0x3d0
+ [<ffff00000808a9a4>] show_stack+0x14/0x20
+ [<ffff000008e6c0c0>] dump_stack+0xac/0xe4
+ [<ffff0000080fe76c>] ___might_sleep+0x164/0x238
+ [<ffff0000080fe890>] __might_sleep+0x50/0x88
+ [<ffff0000082261e4>] kmem_cache_alloc+0x17c/0x1d0
+ [<ffff000000ea0ae8>] ocelot_set_rx_mode+0x108/0x188 [mscc_ocelot_common]
+ [<ffff000008cabcf0>] __dev_set_rx_mode+0x58/0xa0
+ [<ffff000008cabd5c>] dev_set_rx_mode+0x24/0x38
+
+Fixes: a556c76adc05 ("net: mscc: Add initial Ocelot switch support")
+
+Signed-off-by: Claudiu Manoil <claudiu.manoil@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c
+index 215a45374d7b0..0ef95abde6bb0 100644
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -613,7 +613,7 @@ static int ocelot_mact_mc_add(struct ocelot_port *port,
+ struct netdev_hw_addr *hw_addr)
+ {
+ struct ocelot *ocelot = port->ocelot;
+- struct netdev_hw_addr *ha = kzalloc(sizeof(*ha), GFP_KERNEL);
++ struct netdev_hw_addr *ha = kzalloc(sizeof(*ha), GFP_ATOMIC);
+
+ if (!ha)
+ return -ENOMEM;
+--
+2.20.1
+
--- /dev/null
+From 0526bbb0d330b59492d260601be3b2289ef23b64 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Wed, 17 Apr 2019 22:09:12 +0200
+Subject: of_net: Fix residues after of_get_nvmem_mac_address removal
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 36ad7022536e0c65f8baeeaa5efde11dec44808a ]
+
+I've discovered following discrepancy in the bindings/net/ethernet.txt
+documentation, where it states following:
+
+ - nvmem-cells: phandle, reference to an nvmem node for the MAC address;
+ - nvmem-cell-names: string, should be "mac-address" if nvmem is to be..
+
+which is actually misleading and confusing. There are only two ethernet
+drivers in the tree, cadence/macb and davinci which supports this
+properties.
+
+This nvmem-cell* properties were introduced in commit 9217e566bdee
+("of_net: Implement of_get_nvmem_mac_address helper"), but
+commit afa64a72b862 ("of: net: kill of_get_nvmem_mac_address()")
+forget to properly clean up this parts.
+
+So this patch fixes the documentation by moving the nvmem-cell*
+properties at the appropriate places. While at it, I've removed unused
+include as well.
+
+Cc: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Fixes: afa64a72b862 ("of: net: kill of_get_nvmem_mac_address()")
+Signed-off-by: Petr Å tetiar <ynezz@true.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/net/davinci_emac.txt | 2 ++
+ Documentation/devicetree/bindings/net/ethernet.txt | 2 --
+ Documentation/devicetree/bindings/net/macb.txt | 4 ++++
+ drivers/of/of_net.c | 1 -
+ 4 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/net/davinci_emac.txt b/Documentation/devicetree/bindings/net/davinci_emac.txt
+index 24c5cdaba8d27..ca83dcc84fb8e 100644
+--- a/Documentation/devicetree/bindings/net/davinci_emac.txt
++++ b/Documentation/devicetree/bindings/net/davinci_emac.txt
+@@ -20,6 +20,8 @@ Required properties:
+ Optional properties:
+ - phy-handle: See ethernet.txt file in the same directory.
+ If absent, davinci_emac driver defaults to 100/FULL.
++- nvmem-cells: phandle, reference to an nvmem node for the MAC address
++- nvmem-cell-names: string, should be "mac-address" if nvmem is to be used
+ - ti,davinci-rmii-en: 1 byte, 1 means use RMII
+ - ti,davinci-no-bd-ram: boolean, does EMAC have BD RAM?
+
+diff --git a/Documentation/devicetree/bindings/net/ethernet.txt b/Documentation/devicetree/bindings/net/ethernet.txt
+index cfc376bc977aa..2974e63ba311a 100644
+--- a/Documentation/devicetree/bindings/net/ethernet.txt
++++ b/Documentation/devicetree/bindings/net/ethernet.txt
+@@ -10,8 +10,6 @@ Documentation/devicetree/bindings/phy/phy-bindings.txt.
+ the boot program; should be used in cases where the MAC address assigned to
+ the device by the boot program is different from the "local-mac-address"
+ property;
+-- nvmem-cells: phandle, reference to an nvmem node for the MAC address;
+-- nvmem-cell-names: string, should be "mac-address" if nvmem is to be used;
+ - max-speed: number, specifies maximum speed in Mbit/s supported by the device;
+ - max-frame-size: number, maximum transfer unit (IEEE defined MTU), rather than
+ the maximum frame size (there's contradiction in the Devicetree
+diff --git a/Documentation/devicetree/bindings/net/macb.txt b/Documentation/devicetree/bindings/net/macb.txt
+index 3e17ac1d5d58c..1a914116f4c2c 100644
+--- a/Documentation/devicetree/bindings/net/macb.txt
++++ b/Documentation/devicetree/bindings/net/macb.txt
+@@ -26,6 +26,10 @@ Required properties:
+ Optional elements: 'tsu_clk'
+ - clocks: Phandles to input clocks.
+
++Optional properties:
++- nvmem-cells: phandle, reference to an nvmem node for the MAC address
++- nvmem-cell-names: string, should be "mac-address" if nvmem is to be used
++
+ Optional properties for PHY child node:
+ - reset-gpios : Should specify the gpio for phy reset
+ - magic-packet : If present, indicates that the hardware supports waking
+diff --git a/drivers/of/of_net.c b/drivers/of/of_net.c
+index 810ab0fbcccbf..d820f3edd4311 100644
+--- a/drivers/of/of_net.c
++++ b/drivers/of/of_net.c
+@@ -7,7 +7,6 @@
+ */
+ #include <linux/etherdevice.h>
+ #include <linux/kernel.h>
+-#include <linux/nvmem-consumer.h>
+ #include <linux/of_net.h>
+ #include <linux/phy.h>
+ #include <linux/export.h>
+--
+2.20.1
+
--- /dev/null
+From 8b4c7219d1fe71b62c491a0a83d0548b9fd024e9 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Tue, 16 Apr 2019 18:01:24 +0200
+Subject: perf tools: Fix map reference counting
+
+[ Upstream commit b9abbdfa88024d52c8084d8f46ea4f161606c692 ]
+
+By calling maps__insert() we assume to get 2 references on the map,
+which we relese within maps__remove call.
+
+However if there's already same map name, we currently don't bump the
+reference and can crash, like:
+
+ Program received signal SIGABRT, Aborted.
+ 0x00007ffff75e60f5 in raise () from /lib64/libc.so.6
+
+ (gdb) bt
+ #0 0x00007ffff75e60f5 in raise () from /lib64/libc.so.6
+ #1 0x00007ffff75d0895 in abort () from /lib64/libc.so.6
+ #2 0x00007ffff75d0769 in __assert_fail_base.cold () from /lib64/libc.so.6
+ #3 0x00007ffff75de596 in __assert_fail () from /lib64/libc.so.6
+ #4 0x00000000004fc006 in refcount_sub_and_test (i=1, r=0x1224e88) at tools/include/linux/refcount.h:131
+ #5 refcount_dec_and_test (r=0x1224e88) at tools/include/linux/refcount.h:148
+ #6 map__put (map=0x1224df0) at util/map.c:299
+ #7 0x00000000004fdb95 in __maps__remove (map=0x1224df0, maps=0xb17d80) at util/map.c:953
+ #8 maps__remove (maps=0xb17d80, map=0x1224df0) at util/map.c:959
+ #9 0x00000000004f7d8a in map_groups__remove (map=<optimized out>, mg=<optimized out>) at util/map_groups.h:65
+ #10 machine__process_ksymbol_unregister (sample=<optimized out>, event=0x7ffff7279670, machine=<optimized out>) at util/machine.c:728
+ #11 machine__process_ksymbol (machine=<optimized out>, event=0x7ffff7279670, sample=<optimized out>) at util/machine.c:741
+ #12 0x00000000004fffbb in perf_session__deliver_event (session=0xb11390, event=0x7ffff7279670, tool=0x7fffffffc7b0, file_offset=13936) at util/session.c:1362
+ #13 0x00000000005039bb in do_flush (show_progress=false, oe=0xb17e80) at util/ordered-events.c:243
+ #14 __ordered_events__flush (oe=0xb17e80, how=OE_FLUSH__ROUND, timestamp=<optimized out>) at util/ordered-events.c:322
+ #15 0x00000000005005e4 in perf_session__process_user_event (session=session@entry=0xb11390, event=event@entry=0x7ffff72a4af8,
+ ...
+
+Add the map to the list and getting the reference event if we find the
+map with same name.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Eric Saint-Etienne <eric.saint.etienne@oracle.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Song Liu <songliubraving@fb.com>
+Fixes: 1e6285699b30 ("perf symbols: Fix slowness due to -ffunction-section")
+Link: http://lkml.kernel.org/r/20190416160127.30203-10-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/map.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c
+index 2b37f56f05493..e33f20d16c8d6 100644
+--- a/tools/perf/util/map.c
++++ b/tools/perf/util/map.c
+@@ -904,10 +904,8 @@ static void __maps__insert_name(struct maps *maps, struct map *map)
+ rc = strcmp(m->dso->short_name, map->dso->short_name);
+ if (rc < 0)
+ p = &(*p)->rb_left;
+- else if (rc > 0)
+- p = &(*p)->rb_right;
+ else
+- return;
++ p = &(*p)->rb_right;
+ }
+ rb_link_node(&map->rb_node_name, parent, p);
+ rb_insert_color(&map->rb_node_name, &maps->names);
+--
+2.20.1
+
--- /dev/null
+From 2b6ef46a09b3177639e3368cf020993d4225fe34 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Mon, 15 Apr 2019 14:53:33 +0200
+Subject: perf top: Always sample time to satisfy needs of use of ordered
+ queuing
+
+[ Upstream commit 1e6db2ee86e6a4399fc0ae5689e55e0fd1c43caf ]
+
+Bastian reported broken 'perf top -p PID' command, it won't display any
+data.
+
+The problem is that for -p option we monitor single thread, so we don't
+enable time in samples, because it's not needed.
+
+However since commit 16c66bc167cc we use ordered queues to stash data
+plus later commits added logic for dropping samples in case there's big
+load and we don't keep up. All this needs timestamp for sample. Enabling
+it unconditionally for perf top.
+
+Reported-by: Bastian Beischer <bastian.beischer@rwth-aachen.de>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: bastian beischer <bastian.beischer@rwth-aachen.de>
+Fixes: 16c66bc167cc ("perf top: Add processing thread")
+Link: http://lkml.kernel.org/r/20190415125333.27160-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-top.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c
+index 616408251e258..63750a711123f 100644
+--- a/tools/perf/builtin-top.c
++++ b/tools/perf/builtin-top.c
+@@ -1393,6 +1393,7 @@ int cmd_top(int argc, const char **argv)
+ * */
+ .overwrite = 0,
+ .sample_time = true,
++ .sample_time_set = true,
+ },
+ .max_stack = sysctl__max_stack(),
+ .annotation_opts = annotation__default_options,
+--
+2.20.1
+
--- /dev/null
+From ed8c23509ac9f6ddf86a657a254477e29ba13ba2 Mon Sep 17 00:00:00 2001
+From: Denis Bolotin <dbolotin@marvell.com>
+Date: Sun, 14 Apr 2019 17:23:05 +0300
+Subject: qed: Delete redundant doorbell recovery types
+
+[ Upstream commit 9ac6bb1414ac0d45fe9cefbd1f5b06f0e1a3c98a ]
+
+DB_REC_DRY_RUN (running doorbell recovery without sending doorbells) is
+never used. DB_REC_ONCE (send a single doorbell from the doorbell recovery)
+is not needed anymore because by running the periodic handler we make sure
+we check the overflow status later instead.
+This patch is needed because in the next patches, the only doorbell
+recovery type being used is DB_REC_REAL_DEAL, and the fixes are much
+cleaner without this enum.
+
+Signed-off-by: Denis Bolotin <dbolotin@marvell.com>
+Signed-off-by: Michal Kalderon <mkalderon@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed.h | 3 +-
+ drivers/net/ethernet/qlogic/qed/qed_dev.c | 69 +++++++++--------------
+ drivers/net/ethernet/qlogic/qed/qed_int.c | 6 +-
+ drivers/net/ethernet/qlogic/qed/qed_int.h | 4 +-
+ 4 files changed, 31 insertions(+), 51 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed.h b/drivers/net/ethernet/qlogic/qed/qed.h
+index 2d8a77cc156ba..d5fece7eb1698 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed.h
++++ b/drivers/net/ethernet/qlogic/qed/qed.h
+@@ -918,8 +918,7 @@ u16 qed_get_cm_pq_idx_llt_mtc(struct qed_hwfn *p_hwfn, u8 tc);
+
+ /* doorbell recovery mechanism */
+ void qed_db_recovery_dp(struct qed_hwfn *p_hwfn);
+-void qed_db_recovery_execute(struct qed_hwfn *p_hwfn,
+- enum qed_db_rec_exec db_exec);
++void qed_db_recovery_execute(struct qed_hwfn *p_hwfn);
+ bool qed_edpm_enabled(struct qed_hwfn *p_hwfn);
+
+ /* Other Linux specific common definitions */
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+index 2ecaaaa4469a6..ff0bbf8d073d6 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -300,26 +300,19 @@ void qed_db_recovery_dp(struct qed_hwfn *p_hwfn)
+
+ /* Ring the doorbell of a single doorbell recovery entry */
+ static void qed_db_recovery_ring(struct qed_hwfn *p_hwfn,
+- struct qed_db_recovery_entry *db_entry,
+- enum qed_db_rec_exec db_exec)
+-{
+- if (db_exec != DB_REC_ONCE) {
+- /* Print according to width */
+- if (db_entry->db_width == DB_REC_WIDTH_32B) {
+- DP_VERBOSE(p_hwfn, QED_MSG_SPQ,
+- "%s doorbell address %p data %x\n",
+- db_exec == DB_REC_DRY_RUN ?
+- "would have rung" : "ringing",
+- db_entry->db_addr,
+- *(u32 *)db_entry->db_data);
+- } else {
+- DP_VERBOSE(p_hwfn, QED_MSG_SPQ,
+- "%s doorbell address %p data %llx\n",
+- db_exec == DB_REC_DRY_RUN ?
+- "would have rung" : "ringing",
+- db_entry->db_addr,
+- *(u64 *)(db_entry->db_data));
+- }
++ struct qed_db_recovery_entry *db_entry)
++{
++ /* Print according to width */
++ if (db_entry->db_width == DB_REC_WIDTH_32B) {
++ DP_VERBOSE(p_hwfn, QED_MSG_SPQ,
++ "ringing doorbell address %p data %x\n",
++ db_entry->db_addr,
++ *(u32 *)db_entry->db_data);
++ } else {
++ DP_VERBOSE(p_hwfn, QED_MSG_SPQ,
++ "ringing doorbell address %p data %llx\n",
++ db_entry->db_addr,
++ *(u64 *)(db_entry->db_data));
+ }
+
+ /* Sanity */
+@@ -334,14 +327,12 @@ static void qed_db_recovery_ring(struct qed_hwfn *p_hwfn,
+ wmb();
+
+ /* Ring the doorbell */
+- if (db_exec == DB_REC_REAL_DEAL || db_exec == DB_REC_ONCE) {
+- if (db_entry->db_width == DB_REC_WIDTH_32B)
+- DIRECT_REG_WR(db_entry->db_addr,
+- *(u32 *)(db_entry->db_data));
+- else
+- DIRECT_REG_WR64(db_entry->db_addr,
+- *(u64 *)(db_entry->db_data));
+- }
++ if (db_entry->db_width == DB_REC_WIDTH_32B)
++ DIRECT_REG_WR(db_entry->db_addr,
++ *(u32 *)(db_entry->db_data));
++ else
++ DIRECT_REG_WR64(db_entry->db_addr,
++ *(u64 *)(db_entry->db_data));
+
+ /* Flush the write combined buffer. Next doorbell may come from a
+ * different entity to the same address...
+@@ -350,29 +341,21 @@ static void qed_db_recovery_ring(struct qed_hwfn *p_hwfn,
+ }
+
+ /* Traverse the doorbell recovery entry list and ring all the doorbells */
+-void qed_db_recovery_execute(struct qed_hwfn *p_hwfn,
+- enum qed_db_rec_exec db_exec)
++void qed_db_recovery_execute(struct qed_hwfn *p_hwfn)
+ {
+ struct qed_db_recovery_entry *db_entry = NULL;
+
+- if (db_exec != DB_REC_ONCE) {
+- DP_NOTICE(p_hwfn,
+- "Executing doorbell recovery. Counter was %d\n",
+- p_hwfn->db_recovery_info.db_recovery_counter);
++ DP_NOTICE(p_hwfn, "Executing doorbell recovery. Counter was %d\n",
++ p_hwfn->db_recovery_info.db_recovery_counter);
+
+- /* Track amount of times recovery was executed */
+- p_hwfn->db_recovery_info.db_recovery_counter++;
+- }
++ /* Track amount of times recovery was executed */
++ p_hwfn->db_recovery_info.db_recovery_counter++;
+
+ /* Protect the list */
+ spin_lock_bh(&p_hwfn->db_recovery_info.lock);
+ list_for_each_entry(db_entry,
+- &p_hwfn->db_recovery_info.list, list_entry) {
+- qed_db_recovery_ring(p_hwfn, db_entry, db_exec);
+- if (db_exec == DB_REC_ONCE)
+- break;
+- }
+-
++ &p_hwfn->db_recovery_info.list, list_entry)
++ qed_db_recovery_ring(p_hwfn, db_entry);
+ spin_unlock_bh(&p_hwfn->db_recovery_info.lock);
+ }
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c
+index 92340919d8521..b994f81eb51c3 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_int.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_int.c
+@@ -409,10 +409,8 @@ int qed_db_rec_handler(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt)
+
+ overflow = qed_rd(p_hwfn, p_ptt, DORQ_REG_PF_OVFL_STICKY);
+ DP_NOTICE(p_hwfn, "PF Overflow sticky 0x%x\n", overflow);
+- if (!overflow) {
+- qed_db_recovery_execute(p_hwfn, DB_REC_ONCE);
++ if (!overflow)
+ return 0;
+- }
+
+ if (qed_edpm_enabled(p_hwfn)) {
+ rc = qed_db_rec_flush_queue(p_hwfn, p_ptt);
+@@ -427,7 +425,7 @@ int qed_db_rec_handler(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt)
+ qed_wr(p_hwfn, p_ptt, DORQ_REG_PF_OVFL_STICKY, 0x0);
+
+ /* Repeat all last doorbells (doorbell drop recovery) */
+- qed_db_recovery_execute(p_hwfn, DB_REC_REAL_DEAL);
++ qed_db_recovery_execute(p_hwfn);
+
+ return 0;
+ }
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.h b/drivers/net/ethernet/qlogic/qed/qed_int.h
+index d81a62ebd5244..df26bf333893d 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_int.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_int.h
+@@ -192,8 +192,8 @@ void qed_int_disable_post_isr_release(struct qed_dev *cdev);
+
+ /**
+ * @brief - Doorbell Recovery handler.
+- * Run DB_REAL_DEAL doorbell recovery in case of PF overflow
+- * (and flush DORQ if needed), otherwise run DB_REC_ONCE.
++ * Run doorbell recovery in case of PF overflow (and flush DORQ if
++ * needed).
+ *
+ * @param p_hwfn
+ * @param p_ptt
+--
+2.20.1
+
--- /dev/null
+From 7a9fdcb029c98591ad6dcbbfb7c76a63d4b2ed48 Mon Sep 17 00:00:00 2001
+From: Denis Bolotin <dbolotin@marvell.com>
+Date: Sun, 14 Apr 2019 17:23:07 +0300
+Subject: qed: Fix missing DORQ attentions
+
+[ Upstream commit d4476b8a6151b2dd86c09b5acec64f66430db55d ]
+
+When the DORQ (doorbell block) is overflowed, all PFs get attentions at the
+same time. If one PF finished handling the attention before another PF even
+started, the second PF might miss the DORQ's attention bit and not handle
+the attention at all.
+If the DORQ attention is missed and the issue is not resolved, another
+attention will not be sent, therefore each attention is treated as a
+potential DORQ attention.
+As a result, the attention callback is called more frequently so the debug
+print was moved to reduce its quantity.
+The number of periodic doorbell recovery handler schedules was reduced
+because it was the previous way to mitigating the missed attention issue.
+
+Signed-off-by: Denis Bolotin <dbolotin@marvell.com>
+Signed-off-by: Michal Kalderon <mkalderon@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed.h | 1 +
+ drivers/net/ethernet/qlogic/qed/qed_int.c | 20 ++++++++++++++++++--
+ drivers/net/ethernet/qlogic/qed/qed_main.c | 2 +-
+ 3 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed.h b/drivers/net/ethernet/qlogic/qed/qed.h
+index d5fece7eb1698..07ae600d0f357 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed.h
++++ b/drivers/net/ethernet/qlogic/qed/qed.h
+@@ -436,6 +436,7 @@ struct qed_db_recovery_info {
+
+ /* Lock to protect the doorbell recovery mechanism list */
+ spinlock_t lock;
++ bool dorq_attn;
+ u32 db_recovery_counter;
+ };
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c
+index b994f81eb51c3..00688f4c04645 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_int.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_int.c
+@@ -436,17 +436,19 @@ static int qed_dorq_attn_cb(struct qed_hwfn *p_hwfn)
+ struct qed_ptt *p_ptt = p_hwfn->p_dpc_ptt;
+ int rc;
+
+- int_sts = qed_rd(p_hwfn, p_ptt, DORQ_REG_INT_STS);
+- DP_NOTICE(p_hwfn->cdev, "DORQ attention. int_sts was %x\n", int_sts);
++ p_hwfn->db_recovery_info.dorq_attn = true;
+
+ /* int_sts may be zero since all PFs were interrupted for doorbell
+ * overflow but another one already handled it. Can abort here. If
+ * This PF also requires overflow recovery we will be interrupted again.
+ * The masked almost full indication may also be set. Ignoring.
+ */
++ int_sts = qed_rd(p_hwfn, p_ptt, DORQ_REG_INT_STS);
+ if (!(int_sts & ~DORQ_REG_INT_STS_DORQ_FIFO_AFULL))
+ return 0;
+
++ DP_NOTICE(p_hwfn->cdev, "DORQ attention. int_sts was %x\n", int_sts);
++
+ /* check if db_drop or overflow happened */
+ if (int_sts & (DORQ_REG_INT_STS_DB_DROP |
+ DORQ_REG_INT_STS_DORQ_FIFO_OVFL_ERR)) {
+@@ -503,6 +505,17 @@ static int qed_dorq_attn_cb(struct qed_hwfn *p_hwfn)
+ return -EINVAL;
+ }
+
++static void qed_dorq_attn_handler(struct qed_hwfn *p_hwfn)
++{
++ if (p_hwfn->db_recovery_info.dorq_attn)
++ goto out;
++
++ /* Call DORQ callback if the attention was missed */
++ qed_dorq_attn_cb(p_hwfn);
++out:
++ p_hwfn->db_recovery_info.dorq_attn = false;
++}
++
+ /* Instead of major changes to the data-structure, we have a some 'special'
+ * identifiers for sources that changed meaning between adapters.
+ */
+@@ -1076,6 +1089,9 @@ static int qed_int_deassertion(struct qed_hwfn *p_hwfn,
+ }
+ }
+
++ /* Handle missed DORQ attention */
++ qed_dorq_attn_handler(p_hwfn);
++
+ /* Clear IGU indication for the deasserted bits */
+ DIRECT_REG_WR((u8 __iomem *)p_hwfn->regview +
+ GTT_BAR0_MAP_REG_IGU_CMD +
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c
+index 6adf5bda9811e..26bfcbeebc4ca 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_main.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c
+@@ -966,7 +966,7 @@ static void qed_update_pf_params(struct qed_dev *cdev,
+ }
+ }
+
+-#define QED_PERIODIC_DB_REC_COUNT 100
++#define QED_PERIODIC_DB_REC_COUNT 10
+ #define QED_PERIODIC_DB_REC_INTERVAL_MS 100
+ #define QED_PERIODIC_DB_REC_INTERVAL \
+ msecs_to_jiffies(QED_PERIODIC_DB_REC_INTERVAL_MS)
+--
+2.20.1
+
--- /dev/null
+From 017a1f53a083fb1b20e5bb8a1b769a49f25e60ab Mon Sep 17 00:00:00 2001
+From: Denis Bolotin <dbolotin@marvell.com>
+Date: Sun, 14 Apr 2019 17:23:06 +0300
+Subject: qed: Fix the doorbell address sanity check
+
+[ Upstream commit b61b04ad81d5f975349d66abbecabf96ba211140 ]
+
+Fix the condition which verifies that doorbell address is inside the
+doorbell bar by checking that the end of the address is within range
+as well.
+
+Signed-off-by: Denis Bolotin <dbolotin@marvell.com>
+Signed-off-by: Michal Kalderon <mkalderon@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_dev.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+index ff0bbf8d073d6..228891e459bc0 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -102,11 +102,15 @@ static void qed_db_recovery_dp_entry(struct qed_hwfn *p_hwfn,
+
+ /* Doorbell address sanity (address within doorbell bar range) */
+ static bool qed_db_rec_sanity(struct qed_dev *cdev,
+- void __iomem *db_addr, void *db_data)
++ void __iomem *db_addr,
++ enum qed_db_rec_width db_width,
++ void *db_data)
+ {
++ u32 width = (db_width == DB_REC_WIDTH_32B) ? 32 : 64;
++
+ /* Make sure doorbell address is within the doorbell bar */
+ if (db_addr < cdev->doorbells ||
+- (u8 __iomem *)db_addr >
++ (u8 __iomem *)db_addr + width >
+ (u8 __iomem *)cdev->doorbells + cdev->db_size) {
+ WARN(true,
+ "Illegal doorbell address: %p. Legal range for doorbell addresses is [%p..%p]\n",
+@@ -159,7 +163,7 @@ int qed_db_recovery_add(struct qed_dev *cdev,
+ }
+
+ /* Sanitize doorbell address */
+- if (!qed_db_rec_sanity(cdev, db_addr, db_data))
++ if (!qed_db_rec_sanity(cdev, db_addr, db_width, db_data))
+ return -EINVAL;
+
+ /* Obtain hwfn from doorbell address */
+@@ -205,10 +209,6 @@ int qed_db_recovery_del(struct qed_dev *cdev,
+ return 0;
+ }
+
+- /* Sanitize doorbell address */
+- if (!qed_db_rec_sanity(cdev, db_addr, db_data))
+- return -EINVAL;
+-
+ /* Obtain hwfn from doorbell address */
+ p_hwfn = qed_db_rec_find_hwfn(cdev, db_addr);
+
+@@ -317,7 +317,7 @@ static void qed_db_recovery_ring(struct qed_hwfn *p_hwfn,
+
+ /* Sanity */
+ if (!qed_db_rec_sanity(p_hwfn->cdev, db_entry->db_addr,
+- db_entry->db_data))
++ db_entry->db_width, db_entry->db_data))
+ return;
+
+ /* Flush the write combined buffer. Since there are multiple doorbelling
+--
+2.20.1
+
--- /dev/null
+From 61ae888f629467485462492e7265aa68a5d33395 Mon Sep 17 00:00:00 2001
+From: Denis Bolotin <dbolotin@marvell.com>
+Date: Sun, 14 Apr 2019 17:23:08 +0300
+Subject: qed: Fix the DORQ's attentions handling
+
+[ Upstream commit 0d72c2ac89185f179da1e8a91c40c82f3fa38f0b ]
+
+Separate the overflow handling from the hardware interrupt status analysis.
+The interrupt status is a single register and is common for all PFs. The
+first PF reading the register is not necessarily the one who overflowed.
+All PFs must check their overflow status on every attention.
+In this change we clear the sticky indication in the attention handler to
+allow doorbells to be processed again as soon as possible, but running
+the doorbell recovery is scheduled for the periodic handler to reduce the
+time spent in the attention handler.
+Checking the need for DORQ flush was changed to "db_bar_no_edpm" because
+qed_edpm_enabled()'s result could change dynamically and might have
+prevented a needed flush.
+
+Signed-off-by: Denis Bolotin <dbolotin@marvell.com>
+Signed-off-by: Michal Kalderon <mkalderon@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed.h | 3 ++
+ drivers/net/ethernet/qlogic/qed/qed_int.c | 61 +++++++++++++++++------
+ 2 files changed, 48 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed.h b/drivers/net/ethernet/qlogic/qed/qed.h
+index 07ae600d0f357..f458c9776a89c 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed.h
++++ b/drivers/net/ethernet/qlogic/qed/qed.h
+@@ -431,6 +431,8 @@ struct qed_qm_info {
+ u8 num_pf_rls;
+ };
+
++#define QED_OVERFLOW_BIT 1
++
+ struct qed_db_recovery_info {
+ struct list_head list;
+
+@@ -438,6 +440,7 @@ struct qed_db_recovery_info {
+ spinlock_t lock;
+ bool dorq_attn;
+ u32 db_recovery_counter;
++ unsigned long overflow;
+ };
+
+ struct storm_stats {
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c
+index 00688f4c04645..a7e95f239317f 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_int.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_int.c
+@@ -376,6 +376,9 @@ static int qed_db_rec_flush_queue(struct qed_hwfn *p_hwfn,
+ u32 count = QED_DB_REC_COUNT;
+ u32 usage = 1;
+
++ /* Flush any pending (e)dpms as they may never arrive */
++ qed_wr(p_hwfn, p_ptt, DORQ_REG_DPM_FORCE_ABORT, 0x1);
++
+ /* wait for usage to zero or count to run out. This is necessary since
+ * EDPM doorbell transactions can take multiple 64b cycles, and as such
+ * can "split" over the pci. Possibly, the doorbell drop can happen with
+@@ -404,23 +407,24 @@ static int qed_db_rec_flush_queue(struct qed_hwfn *p_hwfn,
+
+ int qed_db_rec_handler(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt)
+ {
+- u32 overflow;
++ u32 attn_ovfl, cur_ovfl;
+ int rc;
+
+- overflow = qed_rd(p_hwfn, p_ptt, DORQ_REG_PF_OVFL_STICKY);
+- DP_NOTICE(p_hwfn, "PF Overflow sticky 0x%x\n", overflow);
+- if (!overflow)
++ attn_ovfl = test_and_clear_bit(QED_OVERFLOW_BIT,
++ &p_hwfn->db_recovery_info.overflow);
++ cur_ovfl = qed_rd(p_hwfn, p_ptt, DORQ_REG_PF_OVFL_STICKY);
++ if (!cur_ovfl && !attn_ovfl)
+ return 0;
+
+- if (qed_edpm_enabled(p_hwfn)) {
++ DP_NOTICE(p_hwfn, "PF Overflow sticky: attn %u current %u\n",
++ attn_ovfl, cur_ovfl);
++
++ if (cur_ovfl && !p_hwfn->db_bar_no_edpm) {
+ rc = qed_db_rec_flush_queue(p_hwfn, p_ptt);
+ if (rc)
+ return rc;
+ }
+
+- /* Flush any pending (e)dpm as they may never arrive */
+- qed_wr(p_hwfn, p_ptt, DORQ_REG_DPM_FORCE_ABORT, 0x1);
+-
+ /* Release overflow sticky indication (stop silently dropping everything) */
+ qed_wr(p_hwfn, p_ptt, DORQ_REG_PF_OVFL_STICKY, 0x0);
+
+@@ -430,13 +434,35 @@ int qed_db_rec_handler(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt)
+ return 0;
+ }
+
+-static int qed_dorq_attn_cb(struct qed_hwfn *p_hwfn)
++static void qed_dorq_attn_overflow(struct qed_hwfn *p_hwfn)
+ {
+- u32 int_sts, first_drop_reason, details, address, all_drops_reason;
+ struct qed_ptt *p_ptt = p_hwfn->p_dpc_ptt;
++ u32 overflow;
+ int rc;
+
+- p_hwfn->db_recovery_info.dorq_attn = true;
++ overflow = qed_rd(p_hwfn, p_ptt, DORQ_REG_PF_OVFL_STICKY);
++ if (!overflow)
++ goto out;
++
++ /* Run PF doorbell recovery in next periodic handler */
++ set_bit(QED_OVERFLOW_BIT, &p_hwfn->db_recovery_info.overflow);
++
++ if (!p_hwfn->db_bar_no_edpm) {
++ rc = qed_db_rec_flush_queue(p_hwfn, p_ptt);
++ if (rc)
++ goto out;
++ }
++
++ qed_wr(p_hwfn, p_ptt, DORQ_REG_PF_OVFL_STICKY, 0x0);
++out:
++ /* Schedule the handler even if overflow was not detected */
++ qed_periodic_db_rec_start(p_hwfn);
++}
++
++static int qed_dorq_attn_int_sts(struct qed_hwfn *p_hwfn)
++{
++ u32 int_sts, first_drop_reason, details, address, all_drops_reason;
++ struct qed_ptt *p_ptt = p_hwfn->p_dpc_ptt;
+
+ /* int_sts may be zero since all PFs were interrupted for doorbell
+ * overflow but another one already handled it. Can abort here. If
+@@ -475,11 +501,6 @@ static int qed_dorq_attn_cb(struct qed_hwfn *p_hwfn)
+ GET_FIELD(details, QED_DORQ_ATTENTION_SIZE) * 4,
+ first_drop_reason, all_drops_reason);
+
+- rc = qed_db_rec_handler(p_hwfn, p_ptt);
+- qed_periodic_db_rec_start(p_hwfn);
+- if (rc)
+- return rc;
+-
+ /* Clear the doorbell drop details and prepare for next drop */
+ qed_wr(p_hwfn, p_ptt, DORQ_REG_DB_DROP_DETAILS_REL, 0);
+
+@@ -505,6 +526,14 @@ static int qed_dorq_attn_cb(struct qed_hwfn *p_hwfn)
+ return -EINVAL;
+ }
+
++static int qed_dorq_attn_cb(struct qed_hwfn *p_hwfn)
++{
++ p_hwfn->db_recovery_info.dorq_attn = true;
++ qed_dorq_attn_overflow(p_hwfn);
++
++ return qed_dorq_attn_int_sts(p_hwfn);
++}
++
+ static void qed_dorq_attn_handler(struct qed_hwfn *p_hwfn)
+ {
+ if (p_hwfn->db_recovery_info.dorq_attn)
+--
+2.20.1
+
--- /dev/null
+From a2ba89c7cb54fb6a34a3bbd64bfe49afce7eb122 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 12 Apr 2019 15:13:27 +0100
+Subject: qede: fix write to free'd pointer error and double free of ptp
+
+[ Upstream commit 1dc2b3d65523780ed1972d446c76e62e13f3e8f5 ]
+
+The err2 error return path calls qede_ptp_disable that cleans up
+on an error and frees ptp. After this, the free'd ptp is dereferenced
+when ptp->clock is set to NULL and the code falls-through to error
+path err1 that frees ptp again.
+
+Fix this by calling qede_ptp_disable and exiting via an error
+return path that does not set ptp->clock or kfree ptp.
+
+Addresses-Coverity: ("Write to pointer after free")
+Fixes: 035744975aec ("qede: Add support for PTP resource locking.")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_ptp.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_ptp.c b/drivers/net/ethernet/qlogic/qede/qede_ptp.c
+index 5f3f42a253616..bddb2b5982dcf 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_ptp.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_ptp.c
+@@ -490,18 +490,17 @@ int qede_ptp_enable(struct qede_dev *edev, bool init_tc)
+
+ ptp->clock = ptp_clock_register(&ptp->clock_info, &edev->pdev->dev);
+ if (IS_ERR(ptp->clock)) {
+- rc = -EINVAL;
+ DP_ERR(edev, "PTP clock registration failed\n");
++ qede_ptp_disable(edev);
++ rc = -EINVAL;
+ goto err2;
+ }
+
+ return 0;
+
+-err2:
+- qede_ptp_disable(edev);
+- ptp->clock = NULL;
+ err1:
+ kfree(ptp);
++err2:
+ edev->ptp = NULL;
+
+ return rc;
+--
+2.20.1
+
--- /dev/null
+From e0f4f906f365ebeb82e10b750de795869ec0abc3 Mon Sep 17 00:00:00 2001
+From: Lijun Ou <oulijun@huawei.com>
+Date: Tue, 23 Apr 2019 17:30:26 +0800
+Subject: RDMA/hns: Bugfix for mapping user db
+
+[ Upstream commit 2557fabd6e29f349bfa0ac13f38ac98aa5eafc74 ]
+
+When the maximum send wr delivered by the user is zero, the qp does not
+have a sq.
+
+When allocating the sq db buffer to store the user sq pi pointer and map
+it to the kernel mode, max_send_wr is used as the trigger condition, while
+the kernel does not consider the max_send_wr trigger condition when
+mapmping db. It will cause sq record doorbell map fail and create qp fail.
+
+The failed print information as follows:
+
+ hns3 0000:7d:00.1: Send cmd: tail - 418, opcode - 0x8504, flag - 0x0011, retval - 0x0000
+ hns3 0000:7d:00.1: Send cmd: 0xe59dc000 0x00000000 0x00000000 0x00000000 0x00000116 0x0000ffff
+ hns3 0000:7d:00.1: sq record doorbell map failed!
+ hns3 0000:7d:00.1: Create RC QP failed
+
+Fixes: 0425e3e6e0c7 ("RDMA/hns: Support flush cqe for hip08 in kernel space")
+Signed-off-by: Lijun Ou <oulijun@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_qp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c
+index 54031c5b53fa9..89dd2380fc812 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
+@@ -517,7 +517,7 @@ static int hns_roce_set_kernel_sq_size(struct hns_roce_dev *hr_dev,
+
+ static int hns_roce_qp_has_sq(struct ib_qp_init_attr *attr)
+ {
+- if (attr->qp_type == IB_QPT_XRC_TGT)
++ if (attr->qp_type == IB_QPT_XRC_TGT || !attr->cap.max_send_wr)
+ return 0;
+
+ return 1;
+--
+2.20.1
+
--- /dev/null
+From b297e16876a7fa6cca4f4da3dfb51f20296bd838 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Wed, 24 Apr 2019 10:52:20 +1000
+Subject: Revert "drm/virtio: drop prime import/export callbacks"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit a0cecc23cfcbf2626497a8c8770856dd56b67917 ]
+
+This patch does more harm than good, as it breaks both Xwayland and
+gnome-shell with X11.
+
+Xwayland requires DRI3 & DRI3 requires PRIME.
+
+X11 crash for obscure double-free reason which are hard to debug
+(starting X11 by hand doesn't trigger the crash).
+
+I don't see an apparent problem implementing those stub prime
+functions, they may return an error at run-time, and it seems to be
+handled fine by GNOME at least.
+
+This reverts commit b318e3ff7ca065d6b107e424c85a63d7a6798a69.
+[airlied:
+This broke userspace for virtio-gpus, and regressed things from DRI3 to DRI2.
+
+This brings back the original problem, but it's better than regressions.]
+
+Fixes: b318e3ff7ca065d6b107e424c85a63d7a6798a ("drm/virtio: drop prime import/export callbacks")
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_drv.c | 4 ++++
+ drivers/gpu/drm/virtio/virtgpu_drv.h | 4 ++++
+ drivers/gpu/drm/virtio/virtgpu_prime.c | 12 ++++++++++++
+ 3 files changed, 20 insertions(+)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.c b/drivers/gpu/drm/virtio/virtgpu_drv.c
+index 2d1aaca491050..f7f32a885af79 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_drv.c
++++ b/drivers/gpu/drm/virtio/virtgpu_drv.c
+@@ -127,10 +127,14 @@ static struct drm_driver driver = {
+ #if defined(CONFIG_DEBUG_FS)
+ .debugfs_init = virtio_gpu_debugfs_init,
+ #endif
++ .prime_handle_to_fd = drm_gem_prime_handle_to_fd,
++ .prime_fd_to_handle = drm_gem_prime_fd_to_handle,
+ .gem_prime_export = drm_gem_prime_export,
+ .gem_prime_import = drm_gem_prime_import,
+ .gem_prime_pin = virtgpu_gem_prime_pin,
+ .gem_prime_unpin = virtgpu_gem_prime_unpin,
++ .gem_prime_get_sg_table = virtgpu_gem_prime_get_sg_table,
++ .gem_prime_import_sg_table = virtgpu_gem_prime_import_sg_table,
+ .gem_prime_vmap = virtgpu_gem_prime_vmap,
+ .gem_prime_vunmap = virtgpu_gem_prime_vunmap,
+ .gem_prime_mmap = virtgpu_gem_prime_mmap,
+diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.h b/drivers/gpu/drm/virtio/virtgpu_drv.h
+index 0c15000f926eb..1deb41d42ea4d 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_drv.h
++++ b/drivers/gpu/drm/virtio/virtgpu_drv.h
+@@ -372,6 +372,10 @@ int virtio_gpu_object_wait(struct virtio_gpu_object *bo, bool no_wait);
+ /* virtgpu_prime.c */
+ int virtgpu_gem_prime_pin(struct drm_gem_object *obj);
+ void virtgpu_gem_prime_unpin(struct drm_gem_object *obj);
++struct sg_table *virtgpu_gem_prime_get_sg_table(struct drm_gem_object *obj);
++struct drm_gem_object *virtgpu_gem_prime_import_sg_table(
++ struct drm_device *dev, struct dma_buf_attachment *attach,
++ struct sg_table *sgt);
+ void *virtgpu_gem_prime_vmap(struct drm_gem_object *obj);
+ void virtgpu_gem_prime_vunmap(struct drm_gem_object *obj, void *vaddr);
+ int virtgpu_gem_prime_mmap(struct drm_gem_object *obj,
+diff --git a/drivers/gpu/drm/virtio/virtgpu_prime.c b/drivers/gpu/drm/virtio/virtgpu_prime.c
+index c59ec34c80a5d..eb51a78e11991 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_prime.c
++++ b/drivers/gpu/drm/virtio/virtgpu_prime.c
+@@ -39,6 +39,18 @@ void virtgpu_gem_prime_unpin(struct drm_gem_object *obj)
+ WARN_ONCE(1, "not implemented");
+ }
+
++struct sg_table *virtgpu_gem_prime_get_sg_table(struct drm_gem_object *obj)
++{
++ return ERR_PTR(-ENODEV);
++}
++
++struct drm_gem_object *virtgpu_gem_prime_import_sg_table(
++ struct drm_device *dev, struct dma_buf_attachment *attach,
++ struct sg_table *table)
++{
++ return ERR_PTR(-ENODEV);
++}
++
+ void *virtgpu_gem_prime_vmap(struct drm_gem_object *obj)
+ {
+ struct virtio_gpu_object *bo = gem_to_virtio_gpu_obj(obj);
+--
+2.20.1
+
--- /dev/null
+From 08df3c610a9d846db99dd832ffe84e368006ddf7 Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Date: Wed, 3 Apr 2019 09:13:34 +0200
+Subject: s390/3270: fix lockdep false positive on view->lock
+
+[ Upstream commit 5712f3301a12c0c3de9cc423484496b0464f2faf ]
+
+The spinlock in the raw3270_view structure is used by con3270, tty3270
+and fs3270 in different ways. For con3270 the lock can be acquired in
+irq context, for tty3270 and fs3270 the highest context is bh.
+
+Lockdep sees the view->lock as a single class and if the 3270 driver
+is used for the console the following message is generated:
+
+WARNING: inconsistent lock state
+5.1.0-rc3-05157-g5c168033979d #12 Not tainted
+--------------------------------
+inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
+swapper/0/1 [HC0[0]:SC1[1]:HE1:SE0] takes:
+(____ptrval____) (&(&view->lock)->rlock){?.-.}, at: tty3270_update+0x7c/0x330
+
+Introduce a lockdep subclass for the view lock to distinguish bh from
+irq locks.
+
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/char/con3270.c | 2 +-
+ drivers/s390/char/fs3270.c | 3 ++-
+ drivers/s390/char/raw3270.c | 3 ++-
+ drivers/s390/char/raw3270.h | 4 +++-
+ drivers/s390/char/tty3270.c | 3 ++-
+ 5 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/s390/char/con3270.c b/drivers/s390/char/con3270.c
+index fd2146bcc0add..e17364e13d2f7 100644
+--- a/drivers/s390/char/con3270.c
++++ b/drivers/s390/char/con3270.c
+@@ -629,7 +629,7 @@ con3270_init(void)
+ (void (*)(unsigned long)) con3270_read_tasklet,
+ (unsigned long) condev->read);
+
+- raw3270_add_view(&condev->view, &con3270_fn, 1);
++ raw3270_add_view(&condev->view, &con3270_fn, 1, RAW3270_VIEW_LOCK_IRQ);
+
+ INIT_LIST_HEAD(&condev->freemem);
+ for (i = 0; i < CON3270_STRING_PAGES; i++) {
+diff --git a/drivers/s390/char/fs3270.c b/drivers/s390/char/fs3270.c
+index 8f3a2eeb28dca..8b48ba9c598ec 100644
+--- a/drivers/s390/char/fs3270.c
++++ b/drivers/s390/char/fs3270.c
+@@ -463,7 +463,8 @@ fs3270_open(struct inode *inode, struct file *filp)
+
+ init_waitqueue_head(&fp->wait);
+ fp->fs_pid = get_pid(task_pid(current));
+- rc = raw3270_add_view(&fp->view, &fs3270_fn, minor);
++ rc = raw3270_add_view(&fp->view, &fs3270_fn, minor,
++ RAW3270_VIEW_LOCK_BH);
+ if (rc) {
+ fs3270_free_view(&fp->view);
+ goto out;
+diff --git a/drivers/s390/char/raw3270.c b/drivers/s390/char/raw3270.c
+index f8cd2935fbfd4..63a41b1687610 100644
+--- a/drivers/s390/char/raw3270.c
++++ b/drivers/s390/char/raw3270.c
+@@ -920,7 +920,7 @@ raw3270_deactivate_view(struct raw3270_view *view)
+ * Add view to device with minor "minor".
+ */
+ int
+-raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor)
++raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor, int subclass)
+ {
+ unsigned long flags;
+ struct raw3270 *rp;
+@@ -942,6 +942,7 @@ raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor)
+ view->cols = rp->cols;
+ view->ascebc = rp->ascebc;
+ spin_lock_init(&view->lock);
++ lockdep_set_subclass(&view->lock, subclass);
+ list_add(&view->list, &rp->view_list);
+ rc = 0;
+ spin_unlock_irqrestore(get_ccwdev_lock(rp->cdev), flags);
+diff --git a/drivers/s390/char/raw3270.h b/drivers/s390/char/raw3270.h
+index 114ca7cbf8897..3afaa35f73513 100644
+--- a/drivers/s390/char/raw3270.h
++++ b/drivers/s390/char/raw3270.h
+@@ -150,6 +150,8 @@ struct raw3270_fn {
+ struct raw3270_view {
+ struct list_head list;
+ spinlock_t lock;
++#define RAW3270_VIEW_LOCK_IRQ 0
++#define RAW3270_VIEW_LOCK_BH 1
+ atomic_t ref_count;
+ struct raw3270 *dev;
+ struct raw3270_fn *fn;
+@@ -158,7 +160,7 @@ struct raw3270_view {
+ unsigned char *ascebc; /* ascii -> ebcdic table */
+ };
+
+-int raw3270_add_view(struct raw3270_view *, struct raw3270_fn *, int);
++int raw3270_add_view(struct raw3270_view *, struct raw3270_fn *, int, int);
+ int raw3270_activate_view(struct raw3270_view *);
+ void raw3270_del_view(struct raw3270_view *);
+ void raw3270_deactivate_view(struct raw3270_view *);
+diff --git a/drivers/s390/char/tty3270.c b/drivers/s390/char/tty3270.c
+index 2b0c36c2c5688..98d7fc152e32f 100644
+--- a/drivers/s390/char/tty3270.c
++++ b/drivers/s390/char/tty3270.c
+@@ -980,7 +980,8 @@ static int tty3270_install(struct tty_driver *driver, struct tty_struct *tty)
+ return PTR_ERR(tp);
+
+ rc = raw3270_add_view(&tp->view, &tty3270_fn,
+- tty->index + RAW3270_FIRSTMINOR);
++ tty->index + RAW3270_FIRSTMINOR,
++ RAW3270_VIEW_LOCK_BH);
+ if (rc) {
+ tty3270_free_view(tp);
+ return rc;
+--
+2.20.1
+
--- /dev/null
+From d7a39164d029acf3fef674eebe0aeb27e89962d0 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 17 Apr 2019 18:29:13 +0200
+Subject: s390: ctcm: fix ctcm_new_device error return code
+
+[ Upstream commit 27b141fc234a3670d21bd742c35d7205d03cbb3a ]
+
+clang points out that the return code from this function is
+undefined for one of the error paths:
+
+../drivers/s390/net/ctcm_main.c:1595:7: warning: variable 'result' is used uninitialized whenever 'if' condition is true
+ [-Wsometimes-uninitialized]
+ if (priv->channel[direction] == NULL) {
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+../drivers/s390/net/ctcm_main.c:1638:9: note: uninitialized use occurs here
+ return result;
+ ^~~~~~
+../drivers/s390/net/ctcm_main.c:1595:3: note: remove the 'if' if its condition is always false
+ if (priv->channel[direction] == NULL) {
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+../drivers/s390/net/ctcm_main.c:1539:12: note: initialize the variable 'result' to silence this warning
+ int result;
+ ^
+
+Make it return -ENODEV here, as in the related failure cases.
+gcc has a known bug in underreporting some of these warnings
+when it has already eliminated the assignment of the return code
+based on some earlier optimization step.
+
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/ctcm_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c
+index 7617d21cb2960..f63c5c871d3dd 100644
+--- a/drivers/s390/net/ctcm_main.c
++++ b/drivers/s390/net/ctcm_main.c
+@@ -1595,6 +1595,7 @@ static int ctcm_new_device(struct ccwgroup_device *cgdev)
+ if (priv->channel[direction] == NULL) {
+ if (direction == CTCM_WRITE)
+ channel_free(priv->channel[CTCM_READ]);
++ result = -ENODEV;
+ goto out_dev;
+ }
+ priv->channel[direction]->netdev = dev;
+--
+2.20.1
+
--- /dev/null
+From cdc0e308bd62c4b9db54bb8fd0b2f36da81779dc Mon Sep 17 00:00:00 2001
+From: Peter Oberparleiter <oberpar@linux.ibm.com>
+Date: Fri, 22 Mar 2019 16:01:17 +0100
+Subject: s390/dasd: Fix capacity calculation for large volumes
+
+[ Upstream commit 2cc9637ce825f3a9f51f8f78af7474e9e85bfa5f ]
+
+The DASD driver incorrectly limits the maximum number of blocks of ECKD
+DASD volumes to 32 bit numbers. Volumes with a capacity greater than
+2^32-1 blocks are incorrectly recognized as smaller volumes.
+
+This results in the following volume capacity limits depending on the
+formatted block size:
+
+ BLKSIZE MAX_GB MAX_CYL
+ 512 2047 5843492
+ 1024 4095 8676701
+ 2048 8191 13634816
+ 4096 16383 23860929
+
+The same problem occurs when a volume with more than 17895697 cylinders
+is accessed in raw-track-access mode.
+
+Fix this problem by adding an explicit type cast when calculating the
+maximum number of blocks.
+
+Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Reviewed-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/block/dasd_eckd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
+index 6e294b4d3635f..f89f9d02e7884 100644
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -2004,14 +2004,14 @@ static int dasd_eckd_end_analysis(struct dasd_block *block)
+ blk_per_trk = recs_per_track(&private->rdc_data, 0, block->bp_block);
+
+ raw:
+- block->blocks = (private->real_cyl *
++ block->blocks = ((unsigned long) private->real_cyl *
+ private->rdc_data.trk_per_cyl *
+ blk_per_trk);
+
+ dev_info(&device->cdev->dev,
+- "DASD with %d KB/block, %d KB total size, %d KB/track, "
++ "DASD with %u KB/block, %lu KB total size, %u KB/track, "
+ "%s\n", (block->bp_block >> 10),
+- ((private->real_cyl *
++ (((unsigned long) private->real_cyl *
+ private->rdc_data.trk_per_cyl *
+ blk_per_trk * (block->bp_block >> 9)) >> 1),
+ ((blk_per_trk * block->bp_block) >> 10),
+--
+2.20.1
+
--- /dev/null
+From c45da6c02f37eab72f77a05e7f1936d416cbfa97 Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger <freude@linux.ibm.com>
+Date: Fri, 12 Apr 2019 11:04:50 +0200
+Subject: s390/pkey: add one more argument space for debug feature entry
+
+[ Upstream commit 6b1f16ba730d4c0cda1247568c3a1bf4fa3a2f2f ]
+
+The debug feature entries have been used with up to 5 arguents
+(including the pointer to the format string) but there was only
+space reserved for 4 arguemnts. So now the registration does
+reserve space for 5 times a long value.
+
+This fixes a sometime appearing weired value as the last
+value of an debug feature entry like this:
+
+... pkey_sec2protkey zcrypt_send_cprb (cardnr=10 domain=12)
+ failed with errno -2143346254
+
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Reported-by: Christian Rund <Christian.Rund@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/pkey_api.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
+index 2f92bbed4bf68..097e890e0d6d9 100644
+--- a/drivers/s390/crypto/pkey_api.c
++++ b/drivers/s390/crypto/pkey_api.c
+@@ -51,7 +51,8 @@ static debug_info_t *debug_info;
+
+ static void __init pkey_debug_init(void)
+ {
+- debug_info = debug_register("pkey", 1, 1, 4 * sizeof(long));
++ /* 5 arguments per dbf entry (including the format string ptr) */
++ debug_info = debug_register("pkey", 1, 1, 5 * sizeof(long));
+ debug_register_view(debug_info, &debug_sprintf_view);
+ debug_set_level(debug_info, 3);
+ }
+--
+2.20.1
+
--- /dev/null
+From 6b9fff169f74b6f32216ca91f9c865919b5f2be9 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Thu, 18 Apr 2019 18:13:58 +0200
+Subject: scsi: aic7xxx: fix EISA support
+
+[ Upstream commit 144ec97493af34efdb77c5aba146e9c7de8d0a06 ]
+
+Instead of relying on the now removed NULL argument to
+pci_alloc_consistent, switch to the generic DMA API, and store the struct
+device so that we can pass it.
+
+Fixes: 4167b2ad5182 ("PCI: Remove NULL device handling from PCI DMA API")
+Reported-by: Matthew Whitehead <tedheadster@gmail.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Tested-by: Matthew Whitehead <tedheadster@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/aic7xxx/aic7770_osm.c | 1 +
+ drivers/scsi/aic7xxx/aic7xxx.h | 1 +
+ drivers/scsi/aic7xxx/aic7xxx_osm.c | 10 ++++------
+ drivers/scsi/aic7xxx/aic7xxx_osm_pci.c | 1 +
+ 4 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/scsi/aic7xxx/aic7770_osm.c b/drivers/scsi/aic7xxx/aic7770_osm.c
+index 3d401d02c0195..bdd177e3d7622 100644
+--- a/drivers/scsi/aic7xxx/aic7770_osm.c
++++ b/drivers/scsi/aic7xxx/aic7770_osm.c
+@@ -91,6 +91,7 @@ aic7770_probe(struct device *dev)
+ ahc = ahc_alloc(&aic7xxx_driver_template, name);
+ if (ahc == NULL)
+ return (ENOMEM);
++ ahc->dev = dev;
+ error = aic7770_config(ahc, aic7770_ident_table + edev->id.driver_data,
+ eisaBase);
+ if (error != 0) {
+diff --git a/drivers/scsi/aic7xxx/aic7xxx.h b/drivers/scsi/aic7xxx/aic7xxx.h
+index 5614921b4041a..88b90f9806c99 100644
+--- a/drivers/scsi/aic7xxx/aic7xxx.h
++++ b/drivers/scsi/aic7xxx/aic7xxx.h
+@@ -943,6 +943,7 @@ struct ahc_softc {
+ * Platform specific device information.
+ */
+ ahc_dev_softc_t dev_softc;
++ struct device *dev;
+
+ /*
+ * Bus specific device information.
+diff --git a/drivers/scsi/aic7xxx/aic7xxx_osm.c b/drivers/scsi/aic7xxx/aic7xxx_osm.c
+index 3c9c17450bb39..d5c4a0d237062 100644
+--- a/drivers/scsi/aic7xxx/aic7xxx_osm.c
++++ b/drivers/scsi/aic7xxx/aic7xxx_osm.c
+@@ -860,8 +860,8 @@ int
+ ahc_dmamem_alloc(struct ahc_softc *ahc, bus_dma_tag_t dmat, void** vaddr,
+ int flags, bus_dmamap_t *mapp)
+ {
+- *vaddr = pci_alloc_consistent(ahc->dev_softc,
+- dmat->maxsize, mapp);
++ /* XXX: check if we really need the GFP_ATOMIC and unwind this mess! */
++ *vaddr = dma_alloc_coherent(ahc->dev, dmat->maxsize, mapp, GFP_ATOMIC);
+ if (*vaddr == NULL)
+ return ENOMEM;
+ return 0;
+@@ -871,8 +871,7 @@ void
+ ahc_dmamem_free(struct ahc_softc *ahc, bus_dma_tag_t dmat,
+ void* vaddr, bus_dmamap_t map)
+ {
+- pci_free_consistent(ahc->dev_softc, dmat->maxsize,
+- vaddr, map);
++ dma_free_coherent(ahc->dev, dmat->maxsize, vaddr, map);
+ }
+
+ int
+@@ -1123,8 +1122,7 @@ ahc_linux_register_host(struct ahc_softc *ahc, struct scsi_host_template *templa
+
+ host->transportt = ahc_linux_transport_template;
+
+- retval = scsi_add_host(host,
+- (ahc->dev_softc ? &ahc->dev_softc->dev : NULL));
++ retval = scsi_add_host(host, ahc->dev);
+ if (retval) {
+ printk(KERN_WARNING "aic7xxx: scsi_add_host failed\n");
+ scsi_host_put(host);
+diff --git a/drivers/scsi/aic7xxx/aic7xxx_osm_pci.c b/drivers/scsi/aic7xxx/aic7xxx_osm_pci.c
+index 0fc14dac7070c..717d8d1082ce1 100644
+--- a/drivers/scsi/aic7xxx/aic7xxx_osm_pci.c
++++ b/drivers/scsi/aic7xxx/aic7xxx_osm_pci.c
+@@ -250,6 +250,7 @@ ahc_linux_pci_dev_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ }
+ }
+ ahc->dev_softc = pci;
++ ahc->dev = &pci->dev;
+ error = ahc_pci_config(ahc, entry);
+ if (error != 0) {
+ ahc_free(ahc);
+--
+2.20.1
+
--- /dev/null
+From 338e29f1cf61c7ec9a7f0cf723672822cce4a727 Mon Sep 17 00:00:00 2001
+From: David Ahern <dsahern@gmail.com>
+Date: Tue, 9 Apr 2019 14:23:10 -0700
+Subject: selftests: fib_tests: Fix 'Command line is not complete' errors
+
+[ Upstream commit a5f622984a623df9a84cf43f6b098d8dd76fbe05 ]
+
+A couple of tests are verifying a route has been removed. The helper
+expects the prefix as the first part of the expected output. When
+checking that a route has been deleted the prefix is empty leading
+to an invalid ip command:
+
+ $ ip ro ls match
+ Command line is not complete. Try option "help"
+
+Fix by moving the comparison of expected output and output to a new
+function that is used by both check_route and check_route6. Use the
+new helper for the 2 checks on route removal.
+
+Also, remove the reset of 'set -x' in route_setup which overrides the
+user managed setting.
+
+Fixes: d69faad76584c ("selftests: fib_tests: Add prefix route tests with metric")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/fib_tests.sh | 94 ++++++++++--------------
+ 1 file changed, 40 insertions(+), 54 deletions(-)
+
+diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh
+index 1080ff55a788f..0d2a5f4f1e638 100755
+--- a/tools/testing/selftests/net/fib_tests.sh
++++ b/tools/testing/selftests/net/fib_tests.sh
+@@ -605,6 +605,39 @@ run_cmd()
+ return $rc
+ }
+
++check_expected()
++{
++ local out="$1"
++ local expected="$2"
++ local rc=0
++
++ [ "${out}" = "${expected}" ] && return 0
++
++ if [ -z "${out}" ]; then
++ if [ "$VERBOSE" = "1" ]; then
++ printf "\nNo route entry found\n"
++ printf "Expected:\n"
++ printf " ${expected}\n"
++ fi
++ return 1
++ fi
++
++ # tricky way to convert output to 1-line without ip's
++ # messy '\'; this drops all extra white space
++ out=$(echo ${out})
++ if [ "${out}" != "${expected}" ]; then
++ rc=1
++ if [ "${VERBOSE}" = "1" ]; then
++ printf " Unexpected route entry. Have:\n"
++ printf " ${out}\n"
++ printf " Expected:\n"
++ printf " ${expected}\n\n"
++ fi
++ fi
++
++ return $rc
++}
++
+ # add route for a prefix, flushing any existing routes first
+ # expected to be the first step of a test
+ add_route6()
+@@ -652,31 +685,7 @@ check_route6()
+ pfx=$1
+
+ out=$($IP -6 ro ls match ${pfx} | sed -e 's/ pref medium//')
+- [ "${out}" = "${expected}" ] && return 0
+-
+- if [ -z "${out}" ]; then
+- if [ "$VERBOSE" = "1" ]; then
+- printf "\nNo route entry found\n"
+- printf "Expected:\n"
+- printf " ${expected}\n"
+- fi
+- return 1
+- fi
+-
+- # tricky way to convert output to 1-line without ip's
+- # messy '\'; this drops all extra white space
+- out=$(echo ${out})
+- if [ "${out}" != "${expected}" ]; then
+- rc=1
+- if [ "${VERBOSE}" = "1" ]; then
+- printf " Unexpected route entry. Have:\n"
+- printf " ${out}\n"
+- printf " Expected:\n"
+- printf " ${expected}\n\n"
+- fi
+- fi
+-
+- return $rc
++ check_expected "${out}" "${expected}"
+ }
+
+ route_cleanup()
+@@ -725,7 +734,7 @@ route_setup()
+ ip -netns ns2 addr add 172.16.103.2/24 dev veth4
+ ip -netns ns2 addr add 172.16.104.1/24 dev dummy1
+
+- set +ex
++ set +e
+ }
+
+ # assumption is that basic add of a single path route works
+@@ -960,7 +969,8 @@ ipv6_addr_metric_test()
+ run_cmd "$IP li set dev dummy2 down"
+ rc=$?
+ if [ $rc -eq 0 ]; then
+- check_route6 ""
++ out=$($IP -6 ro ls match 2001:db8:104::/64)
++ check_expected "${out}" ""
+ rc=$?
+ fi
+ log_test $rc 0 "Prefix route removed on link down"
+@@ -1091,38 +1101,13 @@ check_route()
+ local pfx
+ local expected="$1"
+ local out
+- local rc=0
+
+ set -- $expected
+ pfx=$1
+ [ "${pfx}" = "unreachable" ] && pfx=$2
+
+ out=$($IP ro ls match ${pfx})
+- [ "${out}" = "${expected}" ] && return 0
+-
+- if [ -z "${out}" ]; then
+- if [ "$VERBOSE" = "1" ]; then
+- printf "\nNo route entry found\n"
+- printf "Expected:\n"
+- printf " ${expected}\n"
+- fi
+- return 1
+- fi
+-
+- # tricky way to convert output to 1-line without ip's
+- # messy '\'; this drops all extra white space
+- out=$(echo ${out})
+- if [ "${out}" != "${expected}" ]; then
+- rc=1
+- if [ "${VERBOSE}" = "1" ]; then
+- printf " Unexpected route entry. Have:\n"
+- printf " ${out}\n"
+- printf " Expected:\n"
+- printf " ${expected}\n\n"
+- fi
+- fi
+-
+- return $rc
++ check_expected "${out}" "${expected}"
+ }
+
+ # assumption is that basic add of a single path route works
+@@ -1387,7 +1372,8 @@ ipv4_addr_metric_test()
+ run_cmd "$IP li set dev dummy2 down"
+ rc=$?
+ if [ $rc -eq 0 ]; then
+- check_route ""
++ out=$($IP ro ls match 172.16.104.0/24)
++ check_expected "${out}" ""
+ rc=$?
+ fi
+ log_test $rc 0 "Prefix route removed on link down"
+--
+2.20.1
+
--- /dev/null
+From 0ec57bb37d9eab23d3bd281a6e241796dd358e16 Mon Sep 17 00:00:00 2001
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Date: Fri, 19 Apr 2019 19:01:13 +0800
+Subject: selftests/net: correct the return value for run_afpackettests
+
+[ Upstream commit 8c03557c3f25271e62e39154af66ebdd1b59c9ca ]
+
+The run_afpackettests will be marked as passed regardless the return
+value of those sub-tests in the script:
+ --------------------
+ running psock_tpacket test
+ --------------------
+ [FAIL]
+ selftests: run_afpackettests [PASS]
+
+Fix this by changing the return value for each tests.
+
+Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/run_afpackettests | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/testing/selftests/net/run_afpackettests b/tools/testing/selftests/net/run_afpackettests
+index 2dc95fda7ef76..ea5938ec009a5 100755
+--- a/tools/testing/selftests/net/run_afpackettests
++++ b/tools/testing/selftests/net/run_afpackettests
+@@ -6,12 +6,14 @@ if [ $(id -u) != 0 ]; then
+ exit 0
+ fi
+
++ret=0
+ echo "--------------------"
+ echo "running psock_fanout test"
+ echo "--------------------"
+ ./in_netns.sh ./psock_fanout
+ if [ $? -ne 0 ]; then
+ echo "[FAIL]"
++ ret=1
+ else
+ echo "[PASS]"
+ fi
+@@ -22,6 +24,7 @@ echo "--------------------"
+ ./in_netns.sh ./psock_tpacket
+ if [ $? -ne 0 ]; then
+ echo "[FAIL]"
++ ret=1
+ else
+ echo "[PASS]"
+ fi
+@@ -32,6 +35,8 @@ echo "--------------------"
+ ./in_netns.sh ./txring_overwrite
+ if [ $? -ne 0 ]; then
+ echo "[FAIL]"
++ ret=1
+ else
+ echo "[PASS]"
+ fi
++exit $ret
+--
+2.20.1
+
--- /dev/null
+From 9591eb5b3efb14a927504f6fb894e16d4cc59d4e Mon Sep 17 00:00:00 2001
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Date: Thu, 18 Apr 2019 19:57:25 +0800
+Subject: selftests/net: correct the return value for run_netsocktests
+
+[ Upstream commit 30c04d796b693e22405c38e9b78e9a364e4c77e6 ]
+
+The run_netsocktests will be marked as passed regardless the actual test
+result from the ./socket:
+
+ selftests: net: run_netsocktests
+ ========================================
+ --------------------
+ running socket test
+ --------------------
+ [FAIL]
+ ok 1..6 selftests: net: run_netsocktests [PASS]
+
+This is because the test script itself has been successfully executed.
+Fix this by exit 1 when the test failed.
+
+Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/run_netsocktests | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/run_netsocktests b/tools/testing/selftests/net/run_netsocktests
+index b093f39c298c3..14e41faf2c574 100755
+--- a/tools/testing/selftests/net/run_netsocktests
++++ b/tools/testing/selftests/net/run_netsocktests
+@@ -7,7 +7,7 @@ echo "--------------------"
+ ./socket
+ if [ $? -ne 0 ]; then
+ echo "[FAIL]"
++ exit 1
+ else
+ echo "[PASS]"
+ fi
+-
+--
+2.20.1
+
--- /dev/null
+From f6549d5f22822eb1a0881eb7d606a7649f1a581c Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 25 Mar 2019 23:11:53 +0100
+Subject: selftests: netfilter: check icmp pkttoobig errors are set as related
+
+[ Upstream commit becf2319f320cae43e20cf179cc51a355a0deb5f ]
+
+When an icmp error such as pkttoobig is received, conntrack checks
+if the "inner" header (header of packet that did not fit link mtu)
+is matches an existing connection, and, if so, sets that packet as
+being related to the conntrack entry it found.
+
+It was recently reported that this "related" setting also works
+if the inner header is from another, different connection (i.e.,
+artificial/forged icmp error).
+
+Add a test, followup patch will add additional "inner dst matches
+outer dst in reverse direction" check before setting related state.
+
+Link: https://www.synacktiv.com/posts/systems/icmp-reachable.html
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/netfilter/Makefile | 2 +-
+ .../netfilter/conntrack_icmp_related.sh | 283 ++++++++++++++++++
+ 2 files changed, 284 insertions(+), 1 deletion(-)
+ create mode 100755 tools/testing/selftests/netfilter/conntrack_icmp_related.sh
+
+diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile
+index c9ff2b47bd1ca..a37cb1192c6a6 100644
+--- a/tools/testing/selftests/netfilter/Makefile
++++ b/tools/testing/selftests/netfilter/Makefile
+@@ -1,6 +1,6 @@
+ # SPDX-License-Identifier: GPL-2.0
+ # Makefile for netfilter selftests
+
+-TEST_PROGS := nft_trans_stress.sh nft_nat.sh
++TEST_PROGS := nft_trans_stress.sh nft_nat.sh conntrack_icmp_related.sh
+
+ include ../lib.mk
+diff --git a/tools/testing/selftests/netfilter/conntrack_icmp_related.sh b/tools/testing/selftests/netfilter/conntrack_icmp_related.sh
+new file mode 100755
+index 0000000000000..b48e1833bc896
+--- /dev/null
++++ b/tools/testing/selftests/netfilter/conntrack_icmp_related.sh
+@@ -0,0 +1,283 @@
++#!/bin/bash
++#
++# check that ICMP df-needed/pkttoobig icmp are set are set as related
++# state
++#
++# Setup is:
++#
++# nsclient1 -> nsrouter1 -> nsrouter2 -> nsclient2
++# MTU 1500, except for nsrouter2 <-> nsclient2 link (1280).
++# ping nsclient2 from nsclient1, checking that conntrack did set RELATED
++# 'fragmentation needed' icmp packet.
++#
++# In addition, nsrouter1 will perform IP masquerading, i.e. also
++# check the icmp errors are propagated to the correct host as per
++# nat of "established" icmp-echo "connection".
++
++# Kselftest framework requirement - SKIP code is 4.
++ksft_skip=4
++ret=0
++
++nft --version > /dev/null 2>&1
++if [ $? -ne 0 ];then
++ echo "SKIP: Could not run test without nft tool"
++ exit $ksft_skip
++fi
++
++ip -Version > /dev/null 2>&1
++if [ $? -ne 0 ];then
++ echo "SKIP: Could not run test without ip tool"
++ exit $ksft_skip
++fi
++
++cleanup() {
++ for i in 1 2;do ip netns del nsclient$i;done
++ for i in 1 2;do ip netns del nsrouter$i;done
++}
++
++ipv4() {
++ echo -n 192.168.$1.2
++}
++
++ipv6 () {
++ echo -n dead:$1::2
++}
++
++check_counter()
++{
++ ns=$1
++ name=$2
++ expect=$3
++ local lret=0
++
++ cnt=$(ip netns exec $ns nft list counter inet filter "$name" | grep -q "$expect")
++ if [ $? -ne 0 ]; then
++ echo "ERROR: counter $name in $ns has unexpected value (expected $expect)" 1>&2
++ ip netns exec $ns nft list counter inet filter "$name" 1>&2
++ lret=1
++ fi
++
++ return $lret
++}
++
++check_unknown()
++{
++ expect="packets 0 bytes 0"
++ for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do
++ check_counter $n "unknown" "$expect"
++ if [ $? -ne 0 ] ;then
++ return 1
++ fi
++ done
++
++ return 0
++}
++
++for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do
++ ip netns add $n
++ ip -net $n link set lo up
++done
++
++DEV=veth0
++ip link add $DEV netns nsclient1 type veth peer name eth1 netns nsrouter1
++DEV=veth0
++ip link add $DEV netns nsclient2 type veth peer name eth1 netns nsrouter2
++
++DEV=veth0
++ip link add $DEV netns nsrouter1 type veth peer name eth2 netns nsrouter2
++
++DEV=veth0
++for i in 1 2; do
++ ip -net nsclient$i link set $DEV up
++ ip -net nsclient$i addr add $(ipv4 $i)/24 dev $DEV
++ ip -net nsclient$i addr add $(ipv6 $i)/64 dev $DEV
++done
++
++ip -net nsrouter1 link set eth1 up
++ip -net nsrouter1 link set veth0 up
++
++ip -net nsrouter2 link set eth1 up
++ip -net nsrouter2 link set eth2 up
++
++ip -net nsclient1 route add default via 192.168.1.1
++ip -net nsclient1 -6 route add default via dead:1::1
++
++ip -net nsclient2 route add default via 192.168.2.1
++ip -net nsclient2 route add default via dead:2::1
++
++i=3
++ip -net nsrouter1 addr add 192.168.1.1/24 dev eth1
++ip -net nsrouter1 addr add 192.168.3.1/24 dev veth0
++ip -net nsrouter1 addr add dead:1::1/64 dev eth1
++ip -net nsrouter1 addr add dead:3::1/64 dev veth0
++ip -net nsrouter1 route add default via 192.168.3.10
++ip -net nsrouter1 -6 route add default via dead:3::10
++
++ip -net nsrouter2 addr add 192.168.2.1/24 dev eth1
++ip -net nsrouter2 addr add 192.168.3.10/24 dev eth2
++ip -net nsrouter2 addr add dead:2::1/64 dev eth1
++ip -net nsrouter2 addr add dead:3::10/64 dev eth2
++ip -net nsrouter2 route add default via 192.168.3.1
++ip -net nsrouter2 route add default via dead:3::1
++
++sleep 2
++for i in 4 6; do
++ ip netns exec nsrouter1 sysctl -q net.ipv$i.conf.all.forwarding=1
++ ip netns exec nsrouter2 sysctl -q net.ipv$i.conf.all.forwarding=1
++done
++
++for netns in nsrouter1 nsrouter2; do
++ip netns exec $netns nft -f - <<EOF
++table inet filter {
++ counter unknown { }
++ counter related { }
++ chain forward {
++ type filter hook forward priority 0; policy accept;
++ meta l4proto icmpv6 icmpv6 type "packet-too-big" ct state "related" counter name "related" accept
++ meta l4proto icmp icmp type "destination-unreachable" ct state "related" counter name "related" accept
++ meta l4proto { icmp, icmpv6 } ct state new,established accept
++ counter name "unknown" drop
++ }
++}
++EOF
++done
++
++ip netns exec nsclient1 nft -f - <<EOF
++table inet filter {
++ counter unknown { }
++ counter related { }
++ chain input {
++ type filter hook input priority 0; policy accept;
++ meta l4proto { icmp, icmpv6 } ct state established,untracked accept
++
++ meta l4proto { icmp, icmpv6 } ct state "related" counter name "related" accept
++ counter name "unknown" drop
++ }
++}
++EOF
++
++ip netns exec nsclient2 nft -f - <<EOF
++table inet filter {
++ counter unknown { }
++ counter new { }
++ counter established { }
++
++ chain input {
++ type filter hook input priority 0; policy accept;
++ meta l4proto { icmp, icmpv6 } ct state established,untracked accept
++
++ meta l4proto { icmp, icmpv6 } ct state "new" counter name "new" accept
++ meta l4proto { icmp, icmpv6 } ct state "established" counter name "established" accept
++ counter name "unknown" drop
++ }
++ chain output {
++ type filter hook output priority 0; policy accept;
++ meta l4proto { icmp, icmpv6 } ct state established,untracked accept
++
++ meta l4proto { icmp, icmpv6 } ct state "new" counter name "new"
++ meta l4proto { icmp, icmpv6 } ct state "established" counter name "established"
++ counter name "unknown" drop
++ }
++}
++EOF
++
++
++# make sure NAT core rewrites adress of icmp error if nat is used according to
++# conntrack nat information (icmp error will be directed at nsrouter1 address,
++# but it needs to be routed to nsclient1 address).
++ip netns exec nsrouter1 nft -f - <<EOF
++table ip nat {
++ chain postrouting {
++ type nat hook postrouting priority 0; policy accept;
++ ip protocol icmp oifname "veth0" counter masquerade
++ }
++}
++table ip6 nat {
++ chain postrouting {
++ type nat hook postrouting priority 0; policy accept;
++ ip6 nexthdr icmpv6 oifname "veth0" counter masquerade
++ }
++}
++EOF
++
++ip netns exec nsrouter2 ip link set eth1 mtu 1280
++ip netns exec nsclient2 ip link set veth0 mtu 1280
++sleep 1
++
++ip netns exec nsclient1 ping -c 1 -s 1000 -q -M do 192.168.2.2 >/dev/null
++if [ $? -ne 0 ]; then
++ echo "ERROR: netns ip routing/connectivity broken" 1>&2
++ cleanup
++ exit 1
++fi
++ip netns exec nsclient1 ping6 -q -c 1 -s 1000 dead:2::2 >/dev/null
++if [ $? -ne 0 ]; then
++ echo "ERROR: netns ipv6 routing/connectivity broken" 1>&2
++ cleanup
++ exit 1
++fi
++
++check_unknown
++if [ $? -ne 0 ]; then
++ ret=1
++fi
++
++expect="packets 0 bytes 0"
++for netns in nsrouter1 nsrouter2 nsclient1;do
++ check_counter "$netns" "related" "$expect"
++ if [ $? -ne 0 ]; then
++ ret=1
++ fi
++done
++
++expect="packets 2 bytes 2076"
++check_counter nsclient2 "new" "$expect"
++if [ $? -ne 0 ]; then
++ ret=1
++fi
++
++ip netns exec nsclient1 ping -q -c 1 -s 1300 -M do 192.168.2.2 > /dev/null
++if [ $? -eq 0 ]; then
++ echo "ERROR: ping should have failed with PMTU too big error" 1>&2
++ ret=1
++fi
++
++# nsrouter2 should have generated the icmp error, so
++# related counter should be 0 (its in forward).
++expect="packets 0 bytes 0"
++check_counter "nsrouter2" "related" "$expect"
++if [ $? -ne 0 ]; then
++ ret=1
++fi
++
++# but nsrouter1 should have seen it, same for nsclient1.
++expect="packets 1 bytes 576"
++for netns in nsrouter1 nsclient1;do
++ check_counter "$netns" "related" "$expect"
++ if [ $? -ne 0 ]; then
++ ret=1
++ fi
++done
++
++ip netns exec nsclient1 ping6 -c 1 -s 1300 dead:2::2 > /dev/null
++if [ $? -eq 0 ]; then
++ echo "ERROR: ping6 should have failed with PMTU too big error" 1>&2
++ ret=1
++fi
++
++expect="packets 2 bytes 1856"
++for netns in nsrouter1 nsclient1;do
++ check_counter "$netns" "related" "$expect"
++ if [ $? -ne 0 ]; then
++ ret=1
++ fi
++done
++
++if [ $ret -eq 0 ];then
++ echo "PASS: icmp mtu error had RELATED state"
++else
++ echo "ERROR: icmp error RELATED state test has failed"
++fi
++
++cleanup
++exit $ret
+--
+2.20.1
+
kernfs-fix-barrier-usage-in-__kernfs_new_node.patch
virt-vbox-sanity-check-parameter-types-for-hgcm-calls-coming-from-userspace.patch
usb-serial-fix-unthrottle-races.patch
+iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch
+iio-adc-xilinx-fix-potential-use-after-free-on-probe.patch
+iio-adc-xilinx-prevent-touching-unclocked-h-w-on-rem.patch
+acpi-nfit-always-dump-_dsm-output-payload.patch
+libnvdimm-namespace-fix-a-potential-null-pointer-der.patch
+hid-input-add-mapping-for-expose-overview-key.patch
+hid-input-add-mapping-for-keyboard-brightness-up-dow.patch
+hid-input-add-mapping-for-toggle-display-key.patch
+libnvdimm-btt-fix-a-kmemdup-failure-check.patch
+s390-dasd-fix-capacity-calculation-for-large-volumes.patch
+mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch
+mac80211-increase-max_msg_len.patch
+cfg80211-handle-wmm-rules-in-regulatory-domain-inter.patch
+mac80211-fix-memory-accounting-with-a-msdu-aggregati.patch
+nl80211-add-nl80211_flag_clear_skb-flag-for-other-nl.patch
+libnvdimm-security-provide-fix-for-secure-erase-to-u.patch
+libnvdimm-pmem-fix-a-possible-oob-access-when-read-a.patch
+tools-testing-nvdimm-retain-security-state-after-ove.patch
+s390-3270-fix-lockdep-false-positive-on-view-lock.patch
+drm-ttm-fix-dma_fence-refcount-imbalance-on-error-pa.patch
+drm-amd-display-extending-aux-sw-timeout.patch
+clocksource-drivers-npcm-select-timer_of.patch
+clocksource-drivers-oxnas-fix-ox820-compatible.patch
+selftests-fib_tests-fix-command-line-is-not-complete.patch
+drm-amdgpu-shadow-in-shadow_list-without-tbo.mem.sta.patch
+misdn-check-address-length-before-reading-address-fa.patch
+vxge-fix-return-of-a-free-d-memblock-on-a-failed-dma.patch
+qede-fix-write-to-free-d-pointer-error-and-double-fr.patch
+afs-unlock-pages-for-__pagevec_release.patch
+afs-fix-in-progess-ops-to-ignore-server-level-callba.patch
+qed-delete-redundant-doorbell-recovery-types.patch
+qed-fix-the-doorbell-address-sanity-check.patch
+qed-fix-missing-dorq-attentions.patch
+qed-fix-the-dorq-s-attentions-handling.patch
+drm-amd-display-if-one-stream-full-updates-full-upda.patch
+s390-pkey-add-one-more-argument-space-for-debug-feat.patch
+x86-build-lto-fix-truncated-.bss-with-fdata-sections.patch
+x86-mm-prevent-bogus-warnings-with-noexec-off.patch
+x86-reboot-efi-use-efi-reboot-for-acer-travelmate-x5.patch
+kvm-nvmx-always-use-early-vmcs-check-when-ept-is-dis.patch
+kvm-x86-raise-gp-when-guest-vcpu-do-not-support-pmu.patch
+kvm-nvmx-expose-rdpmc-exiting-only-when-guest-suppor.patch
+kvm-fix-spectrev1-gadgets.patch
+kvm-x86-avoid-misreporting-level-triggered-irqs-as-e.patch
+tools-lib-traceevent-fix-missing-equality-check-for-.patch
+perf-top-always-sample-time-to-satisfy-needs-of-use-.patch
+ipmi-ipmi_si_hardcode.c-init-si_type-array-to-fix-a-.patch
+ocelot-don-t-sleep-in-atomic-context-irqs_disabled.patch
+perf-tools-fix-map-reference-counting.patch
+scsi-aic7xxx-fix-eisa-support.patch
+slab-store-tagged-freelist-for-off-slab-slabmgmt.patch
+mm-hotplug-treat-cma-pages-as-unmovable.patch
+mm-fix-inactive-list-balancing-between-numa-nodes-an.patch
+init-initialize-jump-labels-before-command-line-opti.patch
+drm-bridge-dw-hdmi-fix-overflow-workaround-for-rockc.patch
+selftests-netfilter-check-icmp-pkttoobig-errors-are-.patch
+ipvs-do-not-schedule-icmp-errors-from-tunnels.patch
+netfilter-ctnetlink-don-t-use-conntrack-expect-objec.patch
+netfilter-nf_tables-prevent-shift-wrap-in-nft_chain_.patch
+netfilter-nat-fix-icmp-id-randomization.patch
+mips-perf-ath79-fix-perfcount-irq-assignment.patch
+ib-mlx5-fix-scatter-to-cqe-in-dct-qp-creation.patch
+s390-ctcm-fix-ctcm_new_device-error-return-code.patch
+drm-sun4i-set-device-driver-data-at-bind-time-for-us.patch
+drm-sun4i-fix-component-unbinding-and-component-mast.patch
+of_net-fix-residues-after-of_get_nvmem_mac_address-r.patch
+selftests-net-correct-the-return-value-for-run_netso.patch
+selftests-net-correct-the-return-value-for-run_afpac.patch
+netfilter-never-get-set-skb-tstamp.patch
+netfilter-fix-nf_l4proto_log_invalid-to-log-invalid-.patch
+dmaengine-bcm2835-avoid-gfp_kernel-in-device_prep_sl.patch
+arm64-module-ftrace-deal-with-place-relative-nature-.patch
+gpu-ipu-v3-dp-fix-csc-handling.patch
+drm-imx-don-t-skip-dp-channel-disable-for-background.patch
+arm-fix-function-graph-tracer-and-unwinder-dependenc.patch
+arm-8856-1-nommu-fix-ccr-register-faulty-initializat.patch
+spi-micrel-eth-switch-declare-missing-of-table.patch
+spi-st-st95hf-nfc-declare-missing-of-table.patch
+ceph-handle-the-case-where-a-dentry-has-been-renamed.patch
+revert-drm-virtio-drop-prime-import-export-callbacks.patch
+drm-sun4i-unbind-components-before-releasing-drm-and.patch
+input-snvs_pwrkey-make-it-depend-on-arch_mxc.patch
+input-synaptics-rmi4-fix-possible-double-free.patch
+net-vrf-fix-operation-not-supported-when-set-vrf-mac.patch
+gpio-fix-gpiochip_add_data_with_key-error-path.patch
+rdma-hns-bugfix-for-mapping-user-db.patch
+mm-memory_hotplug.c-drop-memory-device-reference-aft.patch
+mm-page_alloc.c-avoid-potential-null-pointer-derefer.patch
+bpf-only-test-gso-type-on-gso-packets.patch
+net-sched-fix-cleanup-null-pointer-exception-in-act_.patch
+net-mvpp2-fix-validate-for-ppv2.1.patch
+drm-rockchip-fix-for-mailbox-read-validation.patch
--- /dev/null
+From 9122c9347bebb381ed1865505f4a117070123200 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Thu, 18 Apr 2019 17:49:55 -0700
+Subject: slab: store tagged freelist for off-slab slabmgmt
+
+[ Upstream commit 1a62b18d51e5c5ecc0345c85bb9fef870ab721ed ]
+
+Commit 51dedad06b5f ("kasan, slab: make freelist stored without tags")
+calls kasan_reset_tag() for off-slab slab management object leading to
+freelist being stored non-tagged.
+
+However, cache_grow_begin() calls alloc_slabmgmt() which calls
+kmem_cache_alloc_node() assigns a tag for the address and stores it in
+the shadow address. As the result, it causes endless errors below
+during boot due to drain_freelist() -> slab_destroy() ->
+kasan_slab_free() which compares already untagged freelist against the
+stored tag in the shadow address.
+
+Since off-slab slab management object freelist is such a special case,
+just store it tagged. Non-off-slab management object freelist is still
+stored untagged which has not been assigned a tag and should not cause
+any other troubles with this inconsistency.
+
+ BUG: KASAN: double-free or invalid-free in slab_destroy+0x84/0x88
+ Pointer tag: [ff], memory tag: [99]
+
+ CPU: 0 PID: 1376 Comm: kworker/0:4 Tainted: G W 5.1.0-rc3+ #8
+ Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.0.6 07/10/2018
+ Workqueue: cgroup_destroy css_killed_work_fn
+ Call trace:
+ print_address_description+0x74/0x2a4
+ kasan_report_invalid_free+0x80/0xc0
+ __kasan_slab_free+0x204/0x208
+ kasan_slab_free+0xc/0x18
+ kmem_cache_free+0xe4/0x254
+ slab_destroy+0x84/0x88
+ drain_freelist+0xd0/0x104
+ __kmem_cache_shrink+0x1ac/0x224
+ __kmemcg_cache_deactivate+0x1c/0x28
+ memcg_deactivate_kmem_caches+0xa0/0xe8
+ memcg_offline_kmem+0x8c/0x3d4
+ mem_cgroup_css_offline+0x24c/0x290
+ css_killed_work_fn+0x154/0x618
+ process_one_work+0x9cc/0x183c
+ worker_thread+0x9b0/0xe38
+ kthread+0x374/0x390
+ ret_from_fork+0x10/0x18
+
+ Allocated by task 1625:
+ __kasan_kmalloc+0x168/0x240
+ kasan_slab_alloc+0x18/0x20
+ kmem_cache_alloc_node+0x1f8/0x3a0
+ cache_grow_begin+0x4fc/0xa24
+ cache_alloc_refill+0x2f8/0x3e8
+ kmem_cache_alloc+0x1bc/0x3bc
+ sock_alloc_inode+0x58/0x334
+ alloc_inode+0xb8/0x164
+ new_inode_pseudo+0x20/0xec
+ sock_alloc+0x74/0x284
+ __sock_create+0xb0/0x58c
+ sock_create+0x98/0xb8
+ __sys_socket+0x60/0x138
+ __arm64_sys_socket+0xa4/0x110
+ el0_svc_handler+0x2c0/0x47c
+ el0_svc+0x8/0xc
+
+ Freed by task 1625:
+ __kasan_slab_free+0x114/0x208
+ kasan_slab_free+0xc/0x18
+ kfree+0x1a8/0x1e0
+ single_release+0x7c/0x9c
+ close_pdeo+0x13c/0x43c
+ proc_reg_release+0xec/0x108
+ __fput+0x2f8/0x784
+ ____fput+0x1c/0x28
+ task_work_run+0xc0/0x1b0
+ do_notify_resume+0xb44/0x1278
+ work_pending+0x8/0x10
+
+ The buggy address belongs to the object at ffff809681b89e00
+ which belongs to the cache kmalloc-128 of size 128
+ The buggy address is located 0 bytes inside of
+ 128-byte region [ffff809681b89e00, ffff809681b89e80)
+ The buggy address belongs to the page:
+ page:ffff7fe025a06e00 count:1 mapcount:0 mapping:01ff80082000fb00
+ index:0xffff809681b8fe04
+ flags: 0x17ffffffc000200(slab)
+ raw: 017ffffffc000200 ffff7fe025a06d08 ffff7fe022ef7b88 01ff80082000fb00
+ raw: ffff809681b8fe04 ffff809681b80000 00000001000000e0 0000000000000000
+ page dumped because: kasan: bad access detected
+ page allocated via order 0, migratetype Unmovable, gfp_mask
+ 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE)
+ prep_new_page+0x4e0/0x5e0
+ get_page_from_freelist+0x4ce8/0x50d4
+ __alloc_pages_nodemask+0x738/0x38b8
+ cache_grow_begin+0xd8/0xa24
+ ____cache_alloc_node+0x14c/0x268
+ __kmalloc+0x1c8/0x3fc
+ ftrace_free_mem+0x408/0x1284
+ ftrace_free_init_mem+0x20/0x28
+ kernel_init+0x24/0x548
+ ret_from_fork+0x10/0x18
+
+ Memory state around the buggy address:
+ ffff809681b89c00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
+ ffff809681b89d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
+ >ffff809681b89e00: 99 99 99 99 99 99 99 99 fe fe fe fe fe fe fe fe
+ ^
+ ffff809681b89f00: 43 43 43 43 43 fe fe fe fe fe fe fe fe fe fe fe
+ ffff809681b8a000: 6d fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
+
+Link: http://lkml.kernel.org/r/20190403022858.97584-1-cai@lca.pw
+Fixes: 51dedad06b5f ("kasan, slab: make freelist stored without tags")
+Signed-off-by: Qian Cai <cai@lca.pw>
+Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/slab.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/mm/slab.c b/mm/slab.c
+index 188c4b65255dc..f4bbc53008f3b 100644
+--- a/mm/slab.c
++++ b/mm/slab.c
+@@ -2371,7 +2371,6 @@ static void *alloc_slabmgmt(struct kmem_cache *cachep,
+ /* Slab management obj is off-slab. */
+ freelist = kmem_cache_alloc_node(cachep->freelist_cache,
+ local_flags, nodeid);
+- freelist = kasan_reset_tag(freelist);
+ if (!freelist)
+ return NULL;
+ } else {
+--
+2.20.1
+
--- /dev/null
+From cdcfd7123d9f0eb54042cc867d198158da2a6e9b Mon Sep 17 00:00:00 2001
+From: Daniel Gomez <dagmcr@gmail.com>
+Date: Mon, 22 Apr 2019 21:08:03 +0200
+Subject: spi: Micrel eth switch: declare missing of table
+
+[ Upstream commit 2f23a2a768bee7ad2ff1e9527c3f7e279e794a46 ]
+
+Add missing <of_device_id> table for SPI driver relying on SPI
+device match since compatible is in a DT binding or in a DTS.
+
+Before this patch:
+modinfo drivers/net/phy/spi_ks8995.ko | grep alias
+alias: spi:ksz8795
+alias: spi:ksz8864
+alias: spi:ks8995
+
+After this patch:
+modinfo drivers/net/phy/spi_ks8995.ko | grep alias
+alias: spi:ksz8795
+alias: spi:ksz8864
+alias: spi:ks8995
+alias: of:N*T*Cmicrel,ksz8795C*
+alias: of:N*T*Cmicrel,ksz8795
+alias: of:N*T*Cmicrel,ksz8864C*
+alias: of:N*T*Cmicrel,ksz8864
+alias: of:N*T*Cmicrel,ks8995C*
+alias: of:N*T*Cmicrel,ks8995
+
+Reported-by: Javier Martinez Canillas <javier@dowhile0.org>
+Signed-off-by: Daniel Gomez <dagmcr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/spi_ks8995.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/phy/spi_ks8995.c b/drivers/net/phy/spi_ks8995.c
+index f17b3441779bf..d8ea4147dfe78 100644
+--- a/drivers/net/phy/spi_ks8995.c
++++ b/drivers/net/phy/spi_ks8995.c
+@@ -162,6 +162,14 @@ static const struct spi_device_id ks8995_id[] = {
+ };
+ MODULE_DEVICE_TABLE(spi, ks8995_id);
+
++static const struct of_device_id ks8895_spi_of_match[] = {
++ { .compatible = "micrel,ks8995" },
++ { .compatible = "micrel,ksz8864" },
++ { .compatible = "micrel,ksz8795" },
++ { },
++ };
++MODULE_DEVICE_TABLE(of, ks8895_spi_of_match);
++
+ static inline u8 get_chip_id(u8 val)
+ {
+ return (val >> ID1_CHIPID_S) & ID1_CHIPID_M;
+@@ -529,6 +537,7 @@ static int ks8995_remove(struct spi_device *spi)
+ static struct spi_driver ks8995_driver = {
+ .driver = {
+ .name = "spi-ks8995",
++ .of_match_table = of_match_ptr(ks8895_spi_of_match),
+ },
+ .probe = ks8995_probe,
+ .remove = ks8995_remove,
+--
+2.20.1
+
--- /dev/null
+From 179789dabf0d50a1bc65e8a39931bc4decc653a1 Mon Sep 17 00:00:00 2001
+From: Daniel Gomez <dagmcr@gmail.com>
+Date: Mon, 22 Apr 2019 21:08:04 +0200
+Subject: spi: ST ST95HF NFC: declare missing of table
+
+[ Upstream commit d04830531d0c4a99c897a44038e5da3d23331d2f ]
+
+Add missing <of_device_id> table for SPI driver relying on SPI
+device match since compatible is in a DT binding or in a DTS.
+
+Before this patch:
+modinfo drivers/nfc/st95hf/st95hf.ko | grep alias
+alias: spi:st95hf
+
+After this patch:
+modinfo drivers/nfc/st95hf/st95hf.ko | grep alias
+alias: spi:st95hf
+alias: of:N*T*Cst,st95hfC*
+alias: of:N*T*Cst,st95hf
+
+Reported-by: Javier Martinez Canillas <javier@dowhile0.org>
+Signed-off-by: Daniel Gomez <dagmcr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/st95hf/core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/nfc/st95hf/core.c b/drivers/nfc/st95hf/core.c
+index 2b26f762fbc3b..01acb6e533655 100644
+--- a/drivers/nfc/st95hf/core.c
++++ b/drivers/nfc/st95hf/core.c
+@@ -1074,6 +1074,12 @@ static const struct spi_device_id st95hf_id[] = {
+ };
+ MODULE_DEVICE_TABLE(spi, st95hf_id);
+
++static const struct of_device_id st95hf_spi_of_match[] = {
++ { .compatible = "st,st95hf" },
++ { },
++};
++MODULE_DEVICE_TABLE(of, st95hf_spi_of_match);
++
+ static int st95hf_probe(struct spi_device *nfc_spi_dev)
+ {
+ int ret;
+@@ -1260,6 +1266,7 @@ static struct spi_driver st95hf_driver = {
+ .driver = {
+ .name = "st95hf",
+ .owner = THIS_MODULE,
++ .of_match_table = of_match_ptr(st95hf_spi_of_match),
+ },
+ .id_table = st95hf_id,
+ .probe = st95hf_probe,
+--
+2.20.1
+
--- /dev/null
+From 7d8191c94ce3894216a447b76f11f0c8a9341b41 Mon Sep 17 00:00:00 2001
+From: Rikard Falkeborn <rikard.falkeborn@gmail.com>
+Date: Tue, 9 Apr 2019 11:15:29 +0200
+Subject: tools lib traceevent: Fix missing equality check for strcmp
+
+[ Upstream commit f32c2877bcb068a718bb70094cd59ccc29d4d082 ]
+
+There was a missing comparison with 0 when checking if type is "s64" or
+"u64". Therefore, the body of the if-statement was entered if "type" was
+"u64" or not "s64", which made the first strcmp() redundant since if
+type is "u64", it's not "s64".
+
+If type is "s64", the body of the if-statement is not entered but since
+the remainder of the function consists of if-statements which will not
+be entered if type is "s64", we will just return "val", which is
+correct, albeit at the cost of a few more calls to strcmp(), i.e., it
+will behave just as if the if-statement was entered.
+
+If type is neither "s64" or "u64", the body of the if-statement will be
+entered incorrectly and "val" returned. This means that any type that is
+checked after "s64" and "u64" is handled the same way as "s64" and
+"u64", i.e., the limiting of "val" to fit in for example "s8" is never
+reached.
+
+This was introduced in the kernel tree when the sources were copied from
+trace-cmd in commit f7d82350e597 ("tools/events: Add files to create
+libtraceevent.a"), and in the trace-cmd repo in 1cdbae6035cei
+("Implement typecasting in parser") when the function was introduced,
+i.e., it has always behaved the wrong way.
+
+Detected by cppcheck.
+
+Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: Tzvetomir Stoyanov <tstoyanov@vmware.com>
+Fixes: f7d82350e597 ("tools/events: Add files to create libtraceevent.a")
+Link: http://lkml.kernel.org/r/20190409091529.2686-1-rikard.falkeborn@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/traceevent/event-parse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
+index 87494c7c619d8..981c6ce2da2c7 100644
+--- a/tools/lib/traceevent/event-parse.c
++++ b/tools/lib/traceevent/event-parse.c
+@@ -2233,7 +2233,7 @@ eval_type_str(unsigned long long val, const char *type, int pointer)
+ return val & 0xffffffff;
+
+ if (strcmp(type, "u64") == 0 ||
+- strcmp(type, "s64"))
++ strcmp(type, "s64") == 0)
+ return val;
+
+ if (strcmp(type, "s8") == 0)
+--
+2.20.1
+
--- /dev/null
+From 4aed252d6278e399da46c768399eecde0477f984 Mon Sep 17 00:00:00 2001
+From: Dave Jiang <dave.jiang@intel.com>
+Date: Mon, 11 Mar 2019 12:47:14 -0700
+Subject: tools/testing/nvdimm: Retain security state after overwrite
+
+[ Upstream commit 2170a0d53bee1a6c1a4ebd042f99d85aafc6c0ea ]
+
+Overwrite retains the security state after completion of operation. Fix
+nfit_test to reflect this so that the kernel can test the behavior it is
+more likely to see in practice.
+
+Fixes: 926f74802cb1 ("tools/testing/nvdimm: Add overwrite support for nfit_test")
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/nvdimm/test/nfit.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/nvdimm/test/nfit.c b/tools/testing/nvdimm/test/nfit.c
+index cad719876ef45..85ffdcfa596b5 100644
+--- a/tools/testing/nvdimm/test/nfit.c
++++ b/tools/testing/nvdimm/test/nfit.c
+@@ -146,6 +146,7 @@ static int dimm_fail_cmd_code[ARRAY_SIZE(handle)];
+ struct nfit_test_sec {
+ u8 state;
+ u8 ext_state;
++ u8 old_state;
+ u8 passphrase[32];
+ u8 master_passphrase[32];
+ u64 overwrite_end_time;
+@@ -1100,7 +1101,7 @@ static int nd_intel_test_cmd_overwrite(struct nfit_test *t,
+ return 0;
+ }
+
+- memset(sec->passphrase, 0, ND_INTEL_PASSPHRASE_SIZE);
++ sec->old_state = sec->state;
+ sec->state = ND_INTEL_SEC_STATE_OVERWRITE;
+ dev_dbg(dev, "overwrite progressing.\n");
+ sec->overwrite_end_time = get_jiffies_64() + 5 * HZ;
+@@ -1122,7 +1123,8 @@ static int nd_intel_test_cmd_query_overwrite(struct nfit_test *t,
+
+ if (time_is_before_jiffies64(sec->overwrite_end_time)) {
+ sec->overwrite_end_time = 0;
+- sec->state = 0;
++ sec->state = sec->old_state;
++ sec->old_state = 0;
+ sec->ext_state = ND_INTEL_SEC_ESTATE_ENABLED;
+ dev_dbg(dev, "overwrite is complete\n");
+ } else
+--
+2.20.1
+
--- /dev/null
+From 3b6be18d084626cc715a30cbf877c92f29d120aa Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 12 Apr 2019 14:45:12 +0100
+Subject: vxge: fix return of a free'd memblock on a failed dma mapping
+
+[ Upstream commit 0a2c34f18c94b596562bf3d019fceab998b8b584 ]
+
+Currently if a pci dma mapping failure is detected a free'd
+memblock address is returned rather than a NULL (that indicates
+an error). Fix this by ensuring NULL is returned on this error case.
+
+Addresses-Coverity: ("Use after free")
+Fixes: 528f727279ae ("vxge: code cleanup and reorganization")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c
+index 7cde387e5ec62..51cd57ab3d958 100644
+--- a/drivers/net/ethernet/neterion/vxge/vxge-config.c
++++ b/drivers/net/ethernet/neterion/vxge/vxge-config.c
+@@ -2366,6 +2366,7 @@ static void *__vxge_hw_blockpool_malloc(struct __vxge_hw_device *devh, u32 size,
+ dma_object->addr))) {
+ vxge_os_dma_free(devh->pdev, memblock,
+ &dma_object->acc_handle);
++ memblock = NULL;
+ goto exit;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 7e60d5a33f5991524422261324266edaf4a2e6b7 Mon Sep 17 00:00:00 2001
+From: Sami Tolvanen <samitolvanen@google.com>
+Date: Mon, 15 Apr 2019 09:49:56 -0700
+Subject: x86/build/lto: Fix truncated .bss with -fdata-sections
+
+[ Upstream commit 6a03469a1edc94da52b65478f1e00837add869a3 ]
+
+With CONFIG_LD_DEAD_CODE_DATA_ELIMINATION=y, we compile the kernel with
+-fdata-sections, which also splits the .bss section.
+
+The new section, with a new .bss.* name, which pattern gets missed by the
+main x86 linker script which only expects the '.bss' name. This results
+in the discarding of the second part and a too small, truncated .bss
+section and an unhappy, non-working kernel.
+
+Use the common BSS_MAIN macro in the linker script to properly capture
+and merge all the generated BSS sections.
+
+Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20190415164956.124067-1-samitolvanen@google.com
+[ Extended the changelog. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/vmlinux.lds.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
+index ee3b5c7d662e1..c45214c44e612 100644
+--- a/arch/x86/kernel/vmlinux.lds.S
++++ b/arch/x86/kernel/vmlinux.lds.S
+@@ -362,7 +362,7 @@ SECTIONS
+ .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
+ __bss_start = .;
+ *(.bss..page_aligned)
+- *(.bss)
++ *(BSS_MAIN)
+ BSS_DECRYPTED
+ . = ALIGN(PAGE_SIZE);
+ __bss_stop = .;
+--
+2.20.1
+
--- /dev/null
+From 62673713fb19d033f8eba868a125f511aa089d6c Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Mon, 15 Apr 2019 10:46:07 +0200
+Subject: x86/mm: Prevent bogus warnings with "noexec=off"
+
+[ Upstream commit 510bb96fe5b3480b4b22d815786377e54cb701e7 ]
+
+Xose Vazquez Perez reported boot warnings when NX is disabled on the kernel command line.
+
+__early_set_fixmap() triggers this warning:
+
+ attempted to set unsupported pgprot: 8000000000000163
+ bits: 8000000000000000
+ supported: 7fffffffffffffff
+
+ WARNING: CPU: 0 PID: 0 at arch/x86/include/asm/pgtable.h:537
+ __early_set_fixmap+0xa2/0xff
+
+because it uses __default_kernel_pte_mask to mask out unsupported bits.
+
+Use __supported_pte_mask instead.
+
+Disabling NX on the command line also triggers the NX warning in the page
+table mapping check:
+
+ WARNING: CPU: 1 PID: 1 at arch/x86/mm/dump_pagetables.c:262 note_page+0x2ae/0x650
+ ....
+
+Make the warning depend on NX set in __supported_pte_mask.
+
+Reported-by: Xose Vazquez Perez <xose.vazquez@gmail.com>
+Tested-by: Xose Vazquez Perez <xose.vazquez@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rik van Riel <riel@surriel.com>
+Link: http://lkml.kernel.org/r/alpine.DEB.2.21.1904151037530.1729@nanos.tec.linutronix.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/mm/dump_pagetables.c | 3 ++-
+ arch/x86/mm/ioremap.c | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/mm/dump_pagetables.c b/arch/x86/mm/dump_pagetables.c
+index e3cdc85ce5b6e..84304626b1cb8 100644
+--- a/arch/x86/mm/dump_pagetables.c
++++ b/arch/x86/mm/dump_pagetables.c
+@@ -259,7 +259,8 @@ static void note_wx(struct pg_state *st)
+ #endif
+ /* Account the WX pages */
+ st->wx_pages += npages;
+- WARN_ONCE(1, "x86/mm: Found insecure W+X mapping at address %pS\n",
++ WARN_ONCE(__supported_pte_mask & _PAGE_NX,
++ "x86/mm: Found insecure W+X mapping at address %pS\n",
+ (void *)st->start_address);
+ }
+
+diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
+index 5378d10f1d31d..3b76fe954978c 100644
+--- a/arch/x86/mm/ioremap.c
++++ b/arch/x86/mm/ioremap.c
+@@ -825,7 +825,7 @@ void __init __early_set_fixmap(enum fixed_addresses idx,
+ pte = early_ioremap_pte(addr);
+
+ /* Sanitize 'prot' against any unsupported bits: */
+- pgprot_val(flags) &= __default_kernel_pte_mask;
++ pgprot_val(flags) &= __supported_pte_mask;
+
+ if (pgprot_val(flags))
+ set_pte(pte, pfn_pte(phys >> PAGE_SHIFT, flags));
+--
+2.20.1
+
--- /dev/null
+From fe6804bb524f3712dcaeb69ec3ee10465c972bb1 Mon Sep 17 00:00:00 2001
+From: Jian-Hong Pan <jian-hong@endlessm.com>
+Date: Fri, 12 Apr 2019 16:01:53 +0800
+Subject: x86/reboot, efi: Use EFI reboot for Acer TravelMate X514-51T
+
+[ Upstream commit 0082517fa4bce073e7cf542633439f26538a14cc ]
+
+Upon reboot, the Acer TravelMate X514-51T laptop appears to complete the
+shutdown process, but then it hangs in BIOS POST with a black screen.
+
+The problem is intermittent - at some points it has appeared related to
+Secure Boot settings or different kernel builds, but ultimately we have
+not been able to identify the exact conditions that trigger the issue to
+come and go.
+
+Besides, the EFI mode cannot be disabled in the BIOS of this model.
+
+However, after extensive testing, we observe that using the EFI reboot
+method reliably avoids the issue in all cases.
+
+So add a boot time quirk to use EFI reboot on such systems.
+
+Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=203119
+Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Signed-off-by: Daniel Drake <drake@endlessm.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Cc: linux@endlessm.com
+Link: http://lkml.kernel.org/r/20190412080152.3718-1-jian-hong@endlessm.com
+[ Fix !CONFIG_EFI build failure, clarify the code and the changelog a bit. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/reboot.c | 21 +++++++++++++++++++++
+ include/linux/efi.h | 7 ++++++-
+ 2 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
+index 725624b6c0c05..8fd3cedd9accd 100644
+--- a/arch/x86/kernel/reboot.c
++++ b/arch/x86/kernel/reboot.c
+@@ -81,6 +81,19 @@ static int __init set_bios_reboot(const struct dmi_system_id *d)
+ return 0;
+ }
+
++/*
++ * Some machines don't handle the default ACPI reboot method and
++ * require the EFI reboot method:
++ */
++static int __init set_efi_reboot(const struct dmi_system_id *d)
++{
++ if (reboot_type != BOOT_EFI && !efi_runtime_disabled()) {
++ reboot_type = BOOT_EFI;
++ pr_info("%s series board detected. Selecting EFI-method for reboot.\n", d->ident);
++ }
++ return 0;
++}
++
+ void __noreturn machine_real_restart(unsigned int type)
+ {
+ local_irq_disable();
+@@ -166,6 +179,14 @@ static const struct dmi_system_id reboot_dmi_table[] __initconst = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "AOA110"),
+ },
+ },
++ { /* Handle reboot issue on Acer TravelMate X514-51T */
++ .callback = set_efi_reboot,
++ .ident = "Acer TravelMate X514-51T",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate X514-51T"),
++ },
++ },
+
+ /* Apple */
+ { /* Handle problems with rebooting on Apple MacBook5 */
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index a86485ac7c878..de05a43025292 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -1598,7 +1598,12 @@ efi_status_t efi_setup_gop(efi_system_table_t *sys_table_arg,
+ struct screen_info *si, efi_guid_t *proto,
+ unsigned long size);
+
+-bool efi_runtime_disabled(void);
++#ifdef CONFIG_EFI
++extern bool efi_runtime_disabled(void);
++#else
++static inline bool efi_runtime_disabled(void) { return true; }
++#endif
++
+ extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
+
+ enum efi_secureboot_mode {
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
