--- /dev/null
+From 01b8cedfd0422326caae308641dcadaa85e0ca72 Mon Sep 17 00:00:00 2001
+From: Satish Babu Patakokila <sbpata@codeaurora.org>
+Date: Fri, 16 Jun 2017 17:33:40 -0700
+Subject: ASoC: compress: Derive substream from stream based on direction
+
+From: Satish Babu Patakokila <sbpata@codeaurora.org>
+
+commit 01b8cedfd0422326caae308641dcadaa85e0ca72 upstream.
+
+Currently compress driver hardcodes direction as playback to get
+substream from the stream. This results in getting the incorrect
+substream for compressed capture usecase.
+To fix this, remove the hardcoding and derive substream based on
+the stream direction.
+
+Signed-off-by: Satish Babu Patakokila <sbpata@codeaurora.org>
+Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
+Acked-By: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-compress.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/soc-compress.c
++++ b/sound/soc/soc-compress.c
+@@ -68,7 +68,8 @@ out:
+ static int soc_compr_open_fe(struct snd_compr_stream *cstream)
+ {
+ struct snd_soc_pcm_runtime *fe = cstream->private_data;
+- struct snd_pcm_substream *fe_substream = fe->pcm->streams[0].substream;
++ struct snd_pcm_substream *fe_substream =
++ fe->pcm->streams[cstream->direction].substream;
+ struct snd_soc_platform *platform = fe->platform;
+ struct snd_soc_dpcm *dpcm;
+ struct snd_soc_dapm_widget_list *list;
+@@ -414,7 +415,8 @@ static int soc_compr_set_params_fe(struc
+ struct snd_compr_params *params)
+ {
+ struct snd_soc_pcm_runtime *fe = cstream->private_data;
+- struct snd_pcm_substream *fe_substream = fe->pcm->streams[0].substream;
++ struct snd_pcm_substream *fe_substream =
++ fe->pcm->streams[cstream->direction].substream;
+ struct snd_soc_platform *platform = fe->platform;
+ int ret = 0, stream;
+
--- /dev/null
+From 138d351eefb727ab9e41a3dc5f112ceb4f6e59f2 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 7 Jul 2017 14:45:49 -0700
+Subject: iscsi-target: Add login_keys_workaround attribute for non RFC initiators
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 138d351eefb727ab9e41a3dc5f112ceb4f6e59f2 upstream.
+
+This patch re-introduces part of a long standing login workaround that
+was recently dropped by:
+
+ commit 1c99de981f30b3e7868b8d20ce5479fa1c0fea46
+ Author: Nicholas Bellinger <nab@linux-iscsi.org>
+ Date: Sun Apr 2 13:36:44 2017 -0700
+
+ iscsi-target: Drop work-around for legacy GlobalSAN initiator
+
+Namely, the workaround for FirstBurstLength ended up being required by
+Mellanox Flexboot PXE boot ROMs as reported by Robert.
+
+So this patch re-adds the work-around for FirstBurstLength within
+iscsi_check_proposer_for_optional_reply(), and makes the key optional
+to respond when the initiator does not propose, nor respond to it.
+
+Also as requested by Arun, this patch introduces a new TPG attribute
+named 'login_keys_workaround' that controls the use of both the
+FirstBurstLength workaround, as well as the two other existing
+workarounds for gPXE iSCSI boot client.
+
+By default, the workaround is enabled with login_keys_workaround=1,
+since Mellanox FlexBoot requires it, and Arun has verified the Qlogic
+MSFT initiator already proposes FirstBurstLength, so it's uneffected
+by this re-adding this part of the original work-around.
+
+Reported-by: Robert LeBlanc <robert@leblancnet.us>
+Cc: Robert LeBlanc <robert@leblancnet.us>
+Reviewed-by: Arun Easi <arun.easi@cavium.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_configfs.c | 2 +
+ drivers/target/iscsi/iscsi_target_nego.c | 6 ++-
+ drivers/target/iscsi/iscsi_target_parameters.c | 41 +++++++++++++++++--------
+ drivers/target/iscsi/iscsi_target_parameters.h | 2 -
+ drivers/target/iscsi/iscsi_target_tpg.c | 19 +++++++++++
+ drivers/target/iscsi/iscsi_target_tpg.h | 1
+ include/target/iscsi/iscsi_target_core.h | 9 +++++
+ 7 files changed, 64 insertions(+), 16 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_configfs.c
++++ b/drivers/target/iscsi/iscsi_target_configfs.c
+@@ -802,6 +802,7 @@ DEF_TPG_ATTRIB(default_erl);
+ DEF_TPG_ATTRIB(t10_pi);
+ DEF_TPG_ATTRIB(fabric_prot_type);
+ DEF_TPG_ATTRIB(tpg_enabled_sendtargets);
++DEF_TPG_ATTRIB(login_keys_workaround);
+
+ static struct configfs_attribute *lio_target_tpg_attrib_attrs[] = {
+ &iscsi_tpg_attrib_attr_authentication,
+@@ -817,6 +818,7 @@ static struct configfs_attribute *lio_ta
+ &iscsi_tpg_attrib_attr_t10_pi,
+ &iscsi_tpg_attrib_attr_fabric_prot_type,
+ &iscsi_tpg_attrib_attr_tpg_enabled_sendtargets,
++ &iscsi_tpg_attrib_attr_login_keys_workaround,
+ NULL,
+ };
+
+--- a/drivers/target/iscsi/iscsi_target_nego.c
++++ b/drivers/target/iscsi/iscsi_target_nego.c
+@@ -819,7 +819,8 @@ static int iscsi_target_handle_csg_zero(
+ SENDER_TARGET,
+ login->rsp_buf,
+ &login->rsp_length,
+- conn->param_list);
++ conn->param_list,
++ conn->tpg->tpg_attrib.login_keys_workaround);
+ if (ret < 0)
+ return -1;
+
+@@ -889,7 +890,8 @@ static int iscsi_target_handle_csg_one(s
+ SENDER_TARGET,
+ login->rsp_buf,
+ &login->rsp_length,
+- conn->param_list);
++ conn->param_list,
++ conn->tpg->tpg_attrib.login_keys_workaround);
+ if (ret < 0) {
+ iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR,
+ ISCSI_LOGIN_STATUS_INIT_ERR);
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -765,7 +765,8 @@ static int iscsi_check_for_auth_key(char
+ return 0;
+ }
+
+-static void iscsi_check_proposer_for_optional_reply(struct iscsi_param *param)
++static void iscsi_check_proposer_for_optional_reply(struct iscsi_param *param,
++ bool keys_workaround)
+ {
+ if (IS_TYPE_BOOL_AND(param)) {
+ if (!strcmp(param->value, NO))
+@@ -773,19 +774,31 @@ static void iscsi_check_proposer_for_opt
+ } else if (IS_TYPE_BOOL_OR(param)) {
+ if (!strcmp(param->value, YES))
+ SET_PSTATE_REPLY_OPTIONAL(param);
+- /*
+- * Required for gPXE iSCSI boot client
+- */
+- if (!strcmp(param->name, IMMEDIATEDATA))
+- SET_PSTATE_REPLY_OPTIONAL(param);
++
++ if (keys_workaround) {
++ /*
++ * Required for gPXE iSCSI boot client
++ */
++ if (!strcmp(param->name, IMMEDIATEDATA))
++ SET_PSTATE_REPLY_OPTIONAL(param);
++ }
+ } else if (IS_TYPE_NUMBER(param)) {
+ if (!strcmp(param->name, MAXRECVDATASEGMENTLENGTH))
+ SET_PSTATE_REPLY_OPTIONAL(param);
+- /*
+- * Required for gPXE iSCSI boot client
+- */
+- if (!strcmp(param->name, MAXCONNECTIONS))
+- SET_PSTATE_REPLY_OPTIONAL(param);
++
++ if (keys_workaround) {
++ /*
++ * Required for Mellanox Flexboot PXE boot ROM
++ */
++ if (!strcmp(param->name, FIRSTBURSTLENGTH))
++ SET_PSTATE_REPLY_OPTIONAL(param);
++
++ /*
++ * Required for gPXE iSCSI boot client
++ */
++ if (!strcmp(param->name, MAXCONNECTIONS))
++ SET_PSTATE_REPLY_OPTIONAL(param);
++ }
+ } else if (IS_PHASE_DECLARATIVE(param))
+ SET_PSTATE_REPLY_OPTIONAL(param);
+ }
+@@ -1422,7 +1435,8 @@ int iscsi_encode_text_output(
+ u8 sender,
+ char *textbuf,
+ u32 *length,
+- struct iscsi_param_list *param_list)
++ struct iscsi_param_list *param_list,
++ bool keys_workaround)
+ {
+ char *output_buf = NULL;
+ struct iscsi_extra_response *er;
+@@ -1458,7 +1472,8 @@ int iscsi_encode_text_output(
+ *length += 1;
+ output_buf = textbuf + *length;
+ SET_PSTATE_PROPOSER(param);
+- iscsi_check_proposer_for_optional_reply(param);
++ iscsi_check_proposer_for_optional_reply(param,
++ keys_workaround);
+ pr_debug("Sending key: %s=%s\n",
+ param->name, param->value);
+ }
+--- a/drivers/target/iscsi/iscsi_target_parameters.h
++++ b/drivers/target/iscsi/iscsi_target_parameters.h
+@@ -40,7 +40,7 @@ extern int iscsi_extract_key_value(char
+ extern int iscsi_update_param_value(struct iscsi_param *, char *);
+ extern int iscsi_decode_text_input(u8, u8, char *, u32, struct iscsi_conn *);
+ extern int iscsi_encode_text_output(u8, u8, char *, u32 *,
+- struct iscsi_param_list *);
++ struct iscsi_param_list *, bool);
+ extern int iscsi_check_negotiated_keys(struct iscsi_param_list *);
+ extern void iscsi_set_connection_parameters(struct iscsi_conn_ops *,
+ struct iscsi_param_list *);
+--- a/drivers/target/iscsi/iscsi_target_tpg.c
++++ b/drivers/target/iscsi/iscsi_target_tpg.c
+@@ -227,6 +227,7 @@ static void iscsit_set_default_tpg_attri
+ a->t10_pi = TA_DEFAULT_T10_PI;
+ a->fabric_prot_type = TA_DEFAULT_FABRIC_PROT_TYPE;
+ a->tpg_enabled_sendtargets = TA_DEFAULT_TPG_ENABLED_SENDTARGETS;
++ a->login_keys_workaround = TA_DEFAULT_LOGIN_KEYS_WORKAROUND;
+ }
+
+ int iscsit_tpg_add_portal_group(struct iscsi_tiqn *tiqn, struct iscsi_portal_group *tpg)
+@@ -899,3 +900,21 @@ int iscsit_ta_tpg_enabled_sendtargets(
+
+ return 0;
+ }
++
++int iscsit_ta_login_keys_workaround(
++ struct iscsi_portal_group *tpg,
++ u32 flag)
++{
++ struct iscsi_tpg_attrib *a = &tpg->tpg_attrib;
++
++ if ((flag != 0) && (flag != 1)) {
++ pr_err("Illegal value %d\n", flag);
++ return -EINVAL;
++ }
++
++ a->login_keys_workaround = flag;
++ pr_debug("iSCSI_TPG[%hu] - TPG enabled bit for login keys workaround: %s ",
++ tpg->tpgt, (a->login_keys_workaround) ? "ON" : "OFF");
++
++ return 0;
++}
+--- a/drivers/target/iscsi/iscsi_target_tpg.h
++++ b/drivers/target/iscsi/iscsi_target_tpg.h
+@@ -39,5 +39,6 @@ extern int iscsit_ta_default_erl(struct
+ extern int iscsit_ta_t10_pi(struct iscsi_portal_group *, u32);
+ extern int iscsit_ta_fabric_prot_type(struct iscsi_portal_group *, u32);
+ extern int iscsit_ta_tpg_enabled_sendtargets(struct iscsi_portal_group *, u32);
++extern int iscsit_ta_login_keys_workaround(struct iscsi_portal_group *, u32);
+
+ #endif /* ISCSI_TARGET_TPG_H */
+--- a/include/target/iscsi/iscsi_target_core.h
++++ b/include/target/iscsi/iscsi_target_core.h
+@@ -64,6 +64,14 @@
+ #define TA_DEFAULT_FABRIC_PROT_TYPE 0
+ /* TPG status needs to be enabled to return sendtargets discovery endpoint info */
+ #define TA_DEFAULT_TPG_ENABLED_SENDTARGETS 1
++/*
++ * Used to control the sending of keys with optional to respond state bit,
++ * as a workaround for non RFC compliant initiators,that do not propose,
++ * nor respond to specific keys required for login to complete.
++ *
++ * See iscsi_check_proposer_for_optional_reply() for more details.
++ */
++#define TA_DEFAULT_LOGIN_KEYS_WORKAROUND 1
+
+ #define ISCSI_IOV_DATA_BUFFER 5
+
+@@ -766,6 +774,7 @@ struct iscsi_tpg_attrib {
+ u8 t10_pi;
+ u32 fabric_prot_type;
+ u32 tpg_enabled_sendtargets;
++ u32 login_keys_workaround;
+ struct iscsi_portal_group *tpg;
+ };
+
--- /dev/null
+From c6e83cac3eda5f7dd32ee1453df2f7abb5c6cd46 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Wed, 28 Jun 2017 16:56:18 +0200
+Subject: PM / Domains: Fix unsafe iteration over modified list of device links
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit c6e83cac3eda5f7dd32ee1453df2f7abb5c6cd46 upstream.
+
+pm_genpd_remove_subdomain() iterates over domain's master_links list and
+removes matching element thus it has to use safe version of list
+iteration.
+
+Fixes: f721889ff65a ("PM / Domains: Support for generic I/O PM domains (v8)")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/power/domain.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -1244,7 +1244,7 @@ EXPORT_SYMBOL_GPL(pm_genpd_add_subdomain
+ int pm_genpd_remove_subdomain(struct generic_pm_domain *genpd,
+ struct generic_pm_domain *subdomain)
+ {
+- struct gpd_link *link;
++ struct gpd_link *l, *link;
+ int ret = -EINVAL;
+
+ if (IS_ERR_OR_NULL(genpd) || IS_ERR_OR_NULL(subdomain))
+@@ -1260,7 +1260,7 @@ int pm_genpd_remove_subdomain(struct gen
+ goto out;
+ }
+
+- list_for_each_entry(link, &genpd->master_links, master_node) {
++ list_for_each_entry_safe(link, l, &genpd->master_links, master_node) {
+ if (link->slave != subdomain)
+ continue;
+
--- /dev/null
+From b556b15dc04e9b9b98790f04c21acf5e24f994b2 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Wed, 28 Jun 2017 16:56:19 +0200
+Subject: PM / Domains: Fix unsafe iteration over modified list of domain providers
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit b556b15dc04e9b9b98790f04c21acf5e24f994b2 upstream.
+
+of_genpd_del_provider() iterates over list of domain provides and
+removes matching element thus it has to use safe version of list
+iteration.
+
+Fixes: aa42240ab254 (PM / Domains: Add generic OF-based PM domain look-up)
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/power/domain.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -1607,12 +1607,12 @@ EXPORT_SYMBOL_GPL(of_genpd_add_provider_
+ */
+ void of_genpd_del_provider(struct device_node *np)
+ {
+- struct of_genpd_provider *cp;
++ struct of_genpd_provider *cp, *tmp;
+ struct generic_pm_domain *gpd;
+
+ mutex_lock(&gpd_list_lock);
+ mutex_lock(&of_genpd_mutex);
+- list_for_each_entry(cp, &of_genpd_providers, link) {
++ list_for_each_entry_safe(cp, tmp, &of_genpd_providers, link) {
+ if (cp->node == np) {
+ /*
+ * For each PM domain associated with the
--- /dev/null
+From a7e2d1bce4c1db471f1cbc0c4666a3112bbf0994 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Wed, 28 Jun 2017 16:56:20 +0200
+Subject: PM / Domains: Fix unsafe iteration over modified list of domains
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit a7e2d1bce4c1db471f1cbc0c4666a3112bbf0994 upstream.
+
+of_genpd_remove_last() iterates over list of domains and removes
+matching element thus it has to use safe version of list iteration.
+
+Fixes: 17926551c98a (PM / Domains: Add support for removing nested PM domains by provider)
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/power/domain.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -1752,14 +1752,14 @@ EXPORT_SYMBOL_GPL(of_genpd_add_subdomain
+ */
+ struct generic_pm_domain *of_genpd_remove_last(struct device_node *np)
+ {
+- struct generic_pm_domain *gpd, *genpd = ERR_PTR(-ENOENT);
++ struct generic_pm_domain *gpd, *tmp, *genpd = ERR_PTR(-ENOENT);
+ int ret;
+
+ if (IS_ERR_OR_NULL(np))
+ return ERR_PTR(-EINVAL);
+
+ mutex_lock(&gpd_list_lock);
+- list_for_each_entry(gpd, &gpd_list, gpd_list_node) {
++ list_for_each_entry_safe(gpd, tmp, &gpd_list, gpd_list_node) {
+ if (gpd->provider == &np->fwnode) {
+ ret = genpd_remove(gpd);
+ genpd = ret ? ERR_PTR(ret) : gpd;
--- /dev/null
+From 01e6a61aceb82e13bec29502a8eb70d9574f97ad Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 11 Jul 2017 22:10:54 +1000
+Subject: powerpc/64: Fix atomic64_inc_not_zero() to return an int
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 01e6a61aceb82e13bec29502a8eb70d9574f97ad upstream.
+
+Although it's not documented anywhere, there is an expectation that
+atomic64_inc_not_zero() returns a result which fits in an int. This is
+the behaviour implemented on all arches except powerpc.
+
+This has caused at least one bug in practice, in the percpu-refcount
+code, where the long result from our atomic64_inc_not_zero() was
+truncated to an int leading to lost references and stuck systems. That
+was worked around in that code in commit 966d2b04e070 ("percpu-refcount:
+fix reference leak during percpu-atomic transition").
+
+To the best of my grepping abilities there are no other callers
+in-tree which truncate the value, but we should fix it anyway. Because
+the breakage is subtle and potentially very harmful I'm also tagging
+it for stable.
+
+Code generation is largely unaffected because in most cases the
+callers are just using the result for a test anyway. In particular the
+case of fget() that was mentioned in commit a6cf7ed5119f
+("powerpc/atomic: Implement atomic*_inc_not_zero") generates exactly
+the same code.
+
+Fixes: a6cf7ed5119f ("powerpc/atomic: Implement atomic*_inc_not_zero")
+Noticed-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/atomic.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/include/asm/atomic.h
++++ b/arch/powerpc/include/asm/atomic.h
+@@ -560,7 +560,7 @@ static __inline__ int atomic64_add_unles
+ * Atomically increments @v by 1, so long as @v is non-zero.
+ * Returns non-zero if @v was non-zero, and zero otherwise.
+ */
+-static __inline__ long atomic64_inc_not_zero(atomic64_t *v)
++static __inline__ int atomic64_inc_not_zero(atomic64_t *v)
+ {
+ long t1, t2;
+
+@@ -579,7 +579,7 @@ static __inline__ long atomic64_inc_not_
+ : "r" (&v->counter)
+ : "cc", "xer", "memory");
+
+- return t1;
++ return t1 != 0;
+ }
+
+ #endif /* __powerpc64__ */
--- /dev/null
+From 2400fd822f467cb4c886c879d8ad99feac9cf319 Mon Sep 17 00:00:00 2001
+From: Oliver O'Halloran <oohall@gmail.com>
+Date: Thu, 6 Jul 2017 18:46:43 +1000
+Subject: powerpc/asm: Mark cr0 as clobbered in mftb()
+
+From: Oliver O'Halloran <oohall@gmail.com>
+
+commit 2400fd822f467cb4c886c879d8ad99feac9cf319 upstream.
+
+The workaround for the CELL timebase bug does not correctly mark cr0 as
+being clobbered. This means GCC doesn't know that the asm block changes cr0 and
+might leave the result of an unrelated comparison in cr0 across the block, which
+we then trash, leading to basically random behaviour.
+
+Fixes: 859deea949c3 ("[POWERPC] Cell timebase bug workaround")
+Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
+[mpe: Tweak change log and flag for stable]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/reg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -1283,7 +1283,7 @@ static inline void msr_check_and_clear(u
+ " .llong 0\n" \
+ ".previous" \
+ : "=r" (rval) \
+- : "i" (CPU_FTR_CELL_TB_BUG), "i" (SPRN_TBRL)); \
++ : "i" (CPU_FTR_CELL_TB_BUG), "i" (SPRN_TBRL) : "cr0"); \
+ rval;})
+ #else
+ #define mftb() ({unsigned long rval; \
--- /dev/null
+From 87c4b83e0fe234a1f0eed131ab6fa232036860d5 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Thu, 15 Jun 2017 09:46:38 +1000
+Subject: powerpc: Fix emulation of mcrf in emulate_step()
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 87c4b83e0fe234a1f0eed131ab6fa232036860d5 upstream.
+
+The mcrf emulation code was using the CR field number directly as the shift
+value, without taking into account that CR fields are numbered from 0-7 starting
+at the high bits. That meant it was looking at the CR fields in the reverse
+order.
+
+Fixes: cf87c3f6b647 ("powerpc: Emulate icbi, mcrf and conditional-trap instructions")
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/lib/sstep.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/lib/sstep.c
++++ b/arch/powerpc/lib/sstep.c
+@@ -687,8 +687,10 @@ int __kprobes analyse_instr(struct instr
+ case 19:
+ switch ((instr >> 1) & 0x3ff) {
+ case 0: /* mcrf */
+- rd = (instr >> 21) & 0x1c;
+- ra = (instr >> 16) & 0x1c;
++ rd = 7 - ((instr >> 23) & 0x7);
++ ra = 7 - ((instr >> 18) & 0x7);
++ rd *= 4;
++ ra *= 4;
+ val = (regs->ccr >> ra) & 0xf;
+ regs->ccr = (regs->ccr & ~(0xfUL << rd)) | (val << rd);
+ goto instr_done;
--- /dev/null
+From 64e756c55aa46fc18fd53e8f3598b73b528d8637 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Thu, 15 Jun 2017 09:46:39 +1000
+Subject: powerpc: Fix emulation of mfocrf in emulate_step()
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 64e756c55aa46fc18fd53e8f3598b73b528d8637 upstream.
+
+From POWER4 onwards, mfocrf() only places the specified CR field into
+the destination GPR, and the rest of it is set to 0. The PowerPC AS
+from version 3.0 now requires this behaviour.
+
+The emulation code currently puts the entire CR into the destination GPR.
+Fix it.
+
+Fixes: 6888199f7fe5 ("[POWERPC] Emulate more instructions in software")
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/lib/sstep.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/arch/powerpc/lib/sstep.c
++++ b/arch/powerpc/lib/sstep.c
+@@ -970,6 +970,19 @@ int __kprobes analyse_instr(struct instr
+ #endif
+
+ case 19: /* mfcr */
++ if ((instr >> 20) & 1) {
++ imm = 0xf0000000UL;
++ for (sh = 0; sh < 8; ++sh) {
++ if (instr & (0x80000 >> sh)) {
++ regs->gpr[rd] = regs->ccr & imm;
++ break;
++ }
++ imm >>= 4;
++ }
++
++ goto instr_done;
++ }
++
+ regs->gpr[rd] = regs->ccr;
+ regs->gpr[rd] &= 0xffffffffUL;
+ goto instr_done;
--- /dev/null
+From c6bb0b8d426a8cf865ca9c8a532cc3a2927cfceb Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Sat, 8 Jul 2017 07:45:32 -0500
+Subject: powerpc/mm/radix: Properly clear process table entry
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit c6bb0b8d426a8cf865ca9c8a532cc3a2927cfceb upstream.
+
+On radix, the process table entry we want to clear when destroying a
+context is entry 0, not entry 1. This has no *immediate* consequence
+on Power9, but it can cause other bugs to become worse.
+
+Fixes: 7e381c0ff618 ("powerpc/mm/radix: Add mmu context handling callback for radix")
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/mmu_context_book3s64.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/mm/mmu_context_book3s64.c
++++ b/arch/powerpc/mm/mmu_context_book3s64.c
+@@ -167,9 +167,15 @@ void destroy_context(struct mm_struct *m
+ mm->context.cop_lockp = NULL;
+ #endif /* CONFIG_PPC_ICSWX */
+
+- if (radix_enabled())
+- process_tb[mm->context.id].prtb1 = 0;
+- else
++ if (radix_enabled()) {
++ /*
++ * Radix doesn't have a valid bit in the process table
++ * entries. However we know that at least P9 implementation
++ * will avoid caching an entry with an invalid RTS field,
++ * and 0 is invalid. So this will do.
++ */
++ process_tb[mm->context.id].prtb0 = 0;
++ } else
+ subpage_prot_free(mm);
+ destroy_pagetable_page(mm);
+ __destroy_context(mm->context.id);
--- /dev/null
+From e71ff982ae4c17d176e9f0132157d54973788377 Mon Sep 17 00:00:00 2001
+From: Balbir Singh <bsingharora@gmail.com>
+Date: Thu, 29 Jun 2017 03:04:07 +1000
+Subject: powerpc/pseries: Fix passing of pp0 in updatepp() and updateboltedpp()
+
+From: Balbir Singh <bsingharora@gmail.com>
+
+commit e71ff982ae4c17d176e9f0132157d54973788377 upstream.
+
+Once upon a time there were only two PP (page protection) bits. In ISA
+2.03 an additional PP bit was added, but because of the layout of the
+HPTE it could not be made contiguous with the existing PP bits.
+
+The result is that we now have three PP bits, named pp0, pp1, pp2,
+where pp0 occupies bit 63 of dword 1 of the HPTE and pp1 and pp2
+occupy bits 1 and 0 respectively. Until recently Linux hasn't used
+pp0, however with the addition of _PAGE_KERNEL_RO we started using it.
+
+The problem arises in the LPAR code, where we need to translate the PP
+bits into the argument for the H_PROTECT hypercall. Currently the code
+only passes bits 0-2 of newpp, which covers pp1, pp2 and N (no
+execute), meaning pp0 is not passed to the hypervisor at all.
+
+We can't simply pass it through in bit 63, as that would collide with a
+different field in the flags argument, as defined in PAPR. Instead we
+have to shift it down to bit 8 (IBM bit 55).
+
+Fixes: e58e87adc8bf ("powerpc/mm: Update _PAGE_KERNEL_RO")
+Signed-off-by: Balbir Singh <bsingharora@gmail.com>
+[mpe: Simplify the test, rework change log]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/pseries/lpar.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/lpar.c
++++ b/arch/powerpc/platforms/pseries/lpar.c
+@@ -279,7 +279,7 @@ static long pSeries_lpar_hpte_updatepp(u
+ int ssize, unsigned long inv_flags)
+ {
+ unsigned long lpar_rc;
+- unsigned long flags = (newpp & 7) | H_AVPN;
++ unsigned long flags;
+ unsigned long want_v;
+
+ want_v = hpte_encode_avpn(vpn, psize, ssize);
+@@ -287,6 +287,11 @@ static long pSeries_lpar_hpte_updatepp(u
+ pr_devel(" update: avpnv=%016lx, hash=%016lx, f=%lx, psize: %d ...",
+ want_v, slot, flags, psize);
+
++ flags = (newpp & 7) | H_AVPN;
++ if (mmu_has_feature(MMU_FTR_KERNEL_RO))
++ /* Move pp0 into bit 8 (IBM 55) */
++ flags |= (newpp & HPTE_R_PP0) >> 55;
++
+ lpar_rc = plpar_pte_protect(flags, slot, want_v);
+
+ if (lpar_rc == H_NOT_FOUND) {
+@@ -358,6 +363,10 @@ static void pSeries_lpar_hpte_updatebolt
+ BUG_ON(slot == -1);
+
+ flags = newpp & 7;
++ if (mmu_has_feature(MMU_FTR_KERNEL_RO))
++ /* Move pp0 into bit 8 (IBM 55) */
++ flags |= (newpp & HPTE_R_PP0) >> 55;
++
+ lpar_rc = plpar_pte_protect(flags, slot, 0);
+
+ BUG_ON(lpar_rc != H_SUCCESS);
--- /dev/null
+From f9279c968c257ee39b0d7bd2571a4d231a67bcc1 Mon Sep 17 00:00:00 2001
+From: "Ewan D. Milne" <emilne@redhat.com>
+Date: Tue, 27 Jun 2017 14:55:58 -0400
+Subject: scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state
+
+From: Ewan D. Milne <emilne@redhat.com>
+
+commit f9279c968c257ee39b0d7bd2571a4d231a67bcc1 upstream.
+
+The addition of the STARGET_REMOVE state had the side effect of
+introducing a race condition that can cause a crash.
+
+scsi_target_reap_ref_release() checks the starget->state to
+see if it still in STARGET_CREATED, and if so, skips calling
+transport_remove_device() and device_del(), because the starget->state
+is only set to STARGET_RUNNING after scsi_target_add() has called
+device_add() and transport_add_device().
+
+However, if an rport loss occurs while a target is being scanned,
+it can happen that scsi_remove_target() will be called while the
+starget is still in the STARGET_CREATED state. In this case, the
+starget->state will be set to STARGET_REMOVE, and as a result,
+scsi_target_reap_ref_release() will take the wrong path. The end
+result is a panic:
+
+[ 1255.356653] Oops: 0000 [#1] SMP
+[ 1255.360154] Modules linked in: x86_pkg_temp_thermal kvm_intel kvm irqbypass crc32c_intel ghash_clmulni_i
+[ 1255.393234] CPU: 5 PID: 149 Comm: kworker/u96:4 Tainted: G W 4.11.0+ #8
+[ 1255.401879] Hardware name: Dell Inc. PowerEdge R320/08VT7V, BIOS 2.0.22 11/19/2013
+[ 1255.410327] Workqueue: scsi_wq_6 fc_scsi_scan_rport [scsi_transport_fc]
+[ 1255.417720] task: ffff88060ca8c8c0 task.stack: ffffc900048a8000
+[ 1255.424331] RIP: 0010:kernfs_find_ns+0x13/0xc0
+[ 1255.429287] RSP: 0018:ffffc900048abbf0 EFLAGS: 00010246
+[ 1255.435123] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+[ 1255.443083] RDX: 0000000000000000 RSI: ffffffff8188d659 RDI: 0000000000000000
+[ 1255.451043] RBP: ffffc900048abc10 R08: 0000000000000000 R09: 0000012433fe0025
+[ 1255.459005] R10: 0000000025e5a4b5 R11: 0000000025e5a4b5 R12: ffffffff8188d659
+[ 1255.466972] R13: 0000000000000000 R14: ffff8805f55e5088 R15: 0000000000000000
+[ 1255.474931] FS: 0000000000000000(0000) GS:ffff880616b40000(0000) knlGS:0000000000000000
+[ 1255.483959] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1255.490370] CR2: 0000000000000068 CR3: 0000000001c09000 CR4: 00000000000406e0
+[ 1255.498332] Call Trace:
+[ 1255.501058] kernfs_find_and_get_ns+0x31/0x60
+[ 1255.505916] sysfs_unmerge_group+0x1d/0x60
+[ 1255.510498] dpm_sysfs_remove+0x22/0x60
+[ 1255.514783] device_del+0xf4/0x2e0
+[ 1255.518577] ? device_remove_file+0x19/0x20
+[ 1255.523241] attribute_container_class_device_del+0x1a/0x20
+[ 1255.529457] transport_remove_classdev+0x4e/0x60
+[ 1255.534607] ? transport_add_class_device+0x40/0x40
+[ 1255.540046] attribute_container_device_trigger+0xb0/0xc0
+[ 1255.546069] transport_remove_device+0x15/0x20
+[ 1255.551025] scsi_target_reap_ref_release+0x25/0x40
+[ 1255.556467] scsi_target_reap+0x2e/0x40
+[ 1255.560744] __scsi_scan_target+0xaa/0x5b0
+[ 1255.565312] scsi_scan_target+0xec/0x100
+[ 1255.569689] fc_scsi_scan_rport+0xb1/0xc0 [scsi_transport_fc]
+[ 1255.576099] process_one_work+0x14b/0x390
+[ 1255.580569] worker_thread+0x4b/0x390
+[ 1255.584651] kthread+0x109/0x140
+[ 1255.588251] ? rescuer_thread+0x330/0x330
+[ 1255.592730] ? kthread_park+0x60/0x60
+[ 1255.596815] ret_from_fork+0x29/0x40
+[ 1255.600801] Code: 24 08 48 83 42 40 01 5b 41 5c 5d c3 66 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90
+[ 1255.621876] RIP: kernfs_find_ns+0x13/0xc0 RSP: ffffc900048abbf0
+[ 1255.628479] CR2: 0000000000000068
+[ 1255.632756] ---[ end trace 34a69ba0477d036f ]---
+
+Fix this by adding another scsi_target state STARGET_CREATED_REMOVE
+to distinguish this case.
+
+Fixes: f05795d3d771 ("scsi: Add intermediate STARGET_REMOVE state to scsi_target_state")
+Reported-by: David Jeffery <djeffery@redhat.com>
+Signed-off-by: Ewan D. Milne <emilne@redhat.com>
+Reviewed-by: Laurence Oberman <loberman@redhat.com>
+Tested-by: Laurence Oberman <loberman@redhat.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_scan.c | 5 +++--
+ drivers/scsi/scsi_sysfs.c | 8 ++++++--
+ include/scsi/scsi_device.h | 1 +
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/scsi_scan.c
++++ b/drivers/scsi/scsi_scan.c
+@@ -384,11 +384,12 @@ static void scsi_target_reap_ref_release
+ = container_of(kref, struct scsi_target, reap_ref);
+
+ /*
+- * if we get here and the target is still in the CREATED state that
++ * if we get here and the target is still in a CREATED state that
+ * means it was allocated but never made visible (because a scan
+ * turned up no LUNs), so don't call device_del() on it.
+ */
+- if (starget->state != STARGET_CREATED) {
++ if ((starget->state != STARGET_CREATED) &&
++ (starget->state != STARGET_CREATED_REMOVE)) {
+ transport_remove_device(&starget->dev);
+ device_del(&starget->dev);
+ }
+--- a/drivers/scsi/scsi_sysfs.c
++++ b/drivers/scsi/scsi_sysfs.c
+@@ -1370,11 +1370,15 @@ restart:
+ spin_lock_irqsave(shost->host_lock, flags);
+ list_for_each_entry(starget, &shost->__targets, siblings) {
+ if (starget->state == STARGET_DEL ||
+- starget->state == STARGET_REMOVE)
++ starget->state == STARGET_REMOVE ||
++ starget->state == STARGET_CREATED_REMOVE)
+ continue;
+ if (starget->dev.parent == dev || &starget->dev == dev) {
+ kref_get(&starget->reap_ref);
+- starget->state = STARGET_REMOVE;
++ if (starget->state == STARGET_CREATED)
++ starget->state = STARGET_CREATED_REMOVE;
++ else
++ starget->state = STARGET_REMOVE;
+ spin_unlock_irqrestore(shost->host_lock, flags);
+ __scsi_remove_target(starget);
+ scsi_target_reap(starget);
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -248,6 +248,7 @@ enum scsi_target_state {
+ STARGET_CREATED = 1,
+ STARGET_RUNNING,
+ STARGET_REMOVE,
++ STARGET_CREATED_REMOVE,
+ STARGET_DEL,
+ };
+
--- /dev/null
+From 62e62ffd95539b9220894a7900a619e0f3ef4756 Mon Sep 17 00:00:00 2001
+From: Maurizio Lombardi <mlombard@redhat.com>
+Date: Tue, 27 Jun 2017 11:53:27 +0200
+Subject: scsi: ses: do not add a device to an enclosure if enclosure_add_links() fails.
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+commit 62e62ffd95539b9220894a7900a619e0f3ef4756 upstream.
+
+The enclosure_add_device() function should fail if it can't create the
+relevant sysfs links.
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Tested-by: Douglas Miller <dougmill@linux.vnet.ibm.com>
+Acked-by: James Bottomley <jejb@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/enclosure.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/misc/enclosure.c
++++ b/drivers/misc/enclosure.c
+@@ -375,6 +375,7 @@ int enclosure_add_device(struct enclosur
+ struct device *dev)
+ {
+ struct enclosure_component *cdev;
++ int err;
+
+ if (!edev || component >= edev->components)
+ return -EINVAL;
+@@ -384,12 +385,17 @@ int enclosure_add_device(struct enclosur
+ if (cdev->dev == dev)
+ return -EEXIST;
+
+- if (cdev->dev)
++ if (cdev->dev) {
+ enclosure_remove_links(cdev);
+-
+- put_device(cdev->dev);
++ put_device(cdev->dev);
++ }
+ cdev->dev = get_device(dev);
+- return enclosure_add_links(cdev);
++ err = enclosure_add_links(cdev);
++ if (err) {
++ put_device(cdev->dev);
++ cdev->dev = NULL;
++ }
++ return err;
+ }
+ EXPORT_SYMBOL_GPL(enclosure_add_device);
+
wlcore-fix-64k-page-support.patch
btrfs-don-t-clear-sgid-when-inheriting-acls.patch
igb-explicitly-select-page-0-at-initialization.patch
+asoc-compress-derive-substream-from-stream-based-on-direction.patch
+pm-domains-fix-unsafe-iteration-over-modified-list-of-device-links.patch
+pm-domains-fix-unsafe-iteration-over-modified-list-of-domain-providers.patch
+pm-domains-fix-unsafe-iteration-over-modified-list-of-domains.patch
+scsi-ses-do-not-add-a-device-to-an-enclosure-if-enclosure_add_links-fails.patch
+scsi-add-starget_created_remove-state-to-scsi_target_state.patch
+iscsi-target-add-login_keys_workaround-attribute-for-non-rfc-initiators.patch
+xen-scsiback-fix-a-tmr-related-use-after-free.patch
+powerpc-pseries-fix-passing-of-pp0-in-updatepp-and-updateboltedpp.patch
+powerpc-64-fix-atomic64_inc_not_zero-to-return-an-int.patch
+powerpc-fix-emulation-of-mcrf-in-emulate_step.patch
+powerpc-fix-emulation-of-mfocrf-in-emulate_step.patch
+powerpc-asm-mark-cr0-as-clobbered-in-mftb.patch
+powerpc-mm-radix-properly-clear-process-table-entry.patch
--- /dev/null
+From 9f4ab18ac51dc87345a9cbd2527e6acf7a0a9335 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+Date: Tue, 23 May 2017 16:48:36 -0700
+Subject: xen/scsiback: Fix a TMR related use-after-free
+
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+
+commit 9f4ab18ac51dc87345a9cbd2527e6acf7a0a9335 upstream.
+
+scsiback_release_cmd() must not dereference se_cmd->se_tmr_req
+because that memory is freed by target_free_cmd_mem() before
+scsiback_release_cmd() is called. Fix this use-after-free by
+inlining struct scsiback_tmr into struct vscsibk_pend.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: David Disseldorp <ddiss@suse.de>
+Cc: xen-devel@lists.xenproject.org
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xen-scsiback.c | 33 +++++++++------------------------
+ 1 file changed, 9 insertions(+), 24 deletions(-)
+
+--- a/drivers/xen/xen-scsiback.c
++++ b/drivers/xen/xen-scsiback.c
+@@ -134,9 +134,7 @@ struct vscsibk_pend {
+ struct page *pages[VSCSI_MAX_GRANTS];
+
+ struct se_cmd se_cmd;
+-};
+
+-struct scsiback_tmr {
+ atomic_t tmr_complete;
+ wait_queue_head_t tmr_wait;
+ };
+@@ -599,26 +597,20 @@ static void scsiback_device_action(struc
+ struct scsiback_tpg *tpg = pending_req->v2p->tpg;
+ struct scsiback_nexus *nexus = tpg->tpg_nexus;
+ struct se_cmd *se_cmd = &pending_req->se_cmd;
+- struct scsiback_tmr *tmr;
+ u64 unpacked_lun = pending_req->v2p->lun;
+ int rc, err = FAILED;
+
+- tmr = kzalloc(sizeof(struct scsiback_tmr), GFP_KERNEL);
+- if (!tmr) {
+- target_put_sess_cmd(se_cmd);
+- goto err;
+- }
+-
+- init_waitqueue_head(&tmr->tmr_wait);
++ init_waitqueue_head(&pending_req->tmr_wait);
+
+ rc = target_submit_tmr(&pending_req->se_cmd, nexus->tvn_se_sess,
+ &pending_req->sense_buffer[0],
+- unpacked_lun, tmr, act, GFP_KERNEL,
++ unpacked_lun, NULL, act, GFP_KERNEL,
+ tag, TARGET_SCF_ACK_KREF);
+ if (rc)
+ goto err;
+
+- wait_event(tmr->tmr_wait, atomic_read(&tmr->tmr_complete));
++ wait_event(pending_req->tmr_wait,
++ atomic_read(&pending_req->tmr_complete));
+
+ err = (se_cmd->se_tmr_req->response == TMR_FUNCTION_COMPLETE) ?
+ SUCCESS : FAILED;
+@@ -626,9 +618,8 @@ static void scsiback_device_action(struc
+ scsiback_do_resp_with_sense(NULL, err, 0, pending_req);
+ transport_generic_free_cmd(&pending_req->se_cmd, 1);
+ return;
++
+ err:
+- if (tmr)
+- kfree(tmr);
+ scsiback_do_resp_with_sense(NULL, err, 0, pending_req);
+ }
+
+@@ -1389,12 +1380,6 @@ static int scsiback_check_stop_free(stru
+ static void scsiback_release_cmd(struct se_cmd *se_cmd)
+ {
+ struct se_session *se_sess = se_cmd->se_sess;
+- struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
+-
+- if (se_tmr && se_cmd->se_cmd_flags & SCF_SCSI_TMR_CDB) {
+- struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;
+- kfree(tmr);
+- }
+
+ percpu_ida_free(&se_sess->sess_tag_pool, se_cmd->map_tag);
+ }
+@@ -1455,11 +1440,11 @@ static int scsiback_queue_status(struct
+
+ static void scsiback_queue_tm_rsp(struct se_cmd *se_cmd)
+ {
+- struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
+- struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;
++ struct vscsibk_pend *pending_req = container_of(se_cmd,
++ struct vscsibk_pend, se_cmd);
+
+- atomic_set(&tmr->tmr_complete, 1);
+- wake_up(&tmr->tmr_wait);
++ atomic_set(&pending_req->tmr_complete, 1);
++ wake_up(&pending_req->tmr_wait);
+ }
+
+ static void scsiback_aborted_task(struct se_cmd *se_cmd)
projects / thirdparty / kernel / stable-queue.git / commitdiff
