--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Will Deacon <will.deacon@arm.com>
+Date: Thu, 30 Aug 2018 13:52:38 -0700
+Subject: ARC: atomics: unbork atomic_fetch_##op()
+
+From: Will Deacon <will.deacon@arm.com>
+
+[ Upstream commit 3fcbb8260a87efb691d837e8cd24e81f65b3eb70 ]
+
+In 4.19-rc1, Eugeniy reported weird boot and IO errors on ARC HSDK
+
+| INFO: task syslogd:77 blocked for more than 10 seconds.
+| Not tainted 4.19.0-rc1-00007-gf213acea4e88 #40
+| "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this
+| message.
+| syslogd D 0 77 76 0x00000000
+|
+| Stack Trace:
+| __switch_to+0x0/0xac
+| __schedule+0x1b2/0x730
+| io_schedule+0x5c/0xc0
+| __lock_page+0x98/0xdc
+| find_lock_entry+0x38/0x100
+| shmem_getpage_gfp.isra.3+0x82/0xbfc
+| shmem_fault+0x46/0x138
+| handle_mm_fault+0x5bc/0x924
+| do_page_fault+0x100/0x2b8
+| ret_from_exception+0x0/0x8
+
+He bisected to 84c6591103db ("locking/atomics,
+asm-generic/bitops/lock.h: Rewrite using atomic_fetch_*()")
+
+This commit however only unmasked the real issue introduced by commit
+4aef66c8ae9 ("locking/atomic, arch/arc: Fix build") which missed the
+retry-if-scond-failed branch in atomic_fetch_##op() macros.
+
+The bisected commit started using atomic_fetch_##op() macros for building
+the rest of atomics.
+
+Fixes: 4aef66c8ae9 ("locking/atomic, arch/arc: Fix build")
+Reported-by: Eugeniy Paltsev <paltsev@synopsys.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+[vgupta: wrote changelog]
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arc/include/asm/atomic.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/include/asm/atomic.h
++++ b/arch/arc/include/asm/atomic.h
+@@ -84,7 +84,7 @@ static inline int atomic_fetch_##op(int
+ "1: llock %[orig], [%[ctr]] \n" \
+ " " #asm_op " %[val], %[orig], %[i] \n" \
+ " scond %[val], [%[ctr]] \n" \
+- " \n" \
++ " bnz 1b \n" \
+ : [val] "=&r" (val), \
+ [orig] "=&r" (orig) \
+ : [ctr] "r" (&v->counter), \
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Anand Jain <anand.jain@oracle.com>
+Date: Mon, 6 Aug 2018 18:12:37 +0800
+Subject: btrfs: btrfs_shrink_device should call commit transaction at the end
+
+From: Anand Jain <anand.jain@oracle.com>
+
+[ Upstream commit 801660b040d132f67fac6a95910ad307c5929b49 ]
+
+Test case btrfs/164 reports use-after-free:
+
+[ 6712.084324] general protection fault: 0000 [#1] PREEMPT SMP
+..
+[ 6712.195423] btrfs_update_commit_device_size+0x75/0xf0 [btrfs]
+[ 6712.201424] btrfs_commit_transaction+0x57d/0xa90 [btrfs]
+[ 6712.206999] btrfs_rm_device+0x627/0x850 [btrfs]
+[ 6712.211800] btrfs_ioctl+0x2b03/0x3120 [btrfs]
+
+Reason for this is that btrfs_shrink_device adds the resized device to
+the fs_devices::resized_devices after it has called the last commit
+transaction.
+
+So the list fs_devices::resized_devices is not empty when
+btrfs_shrink_device returns. Now the parent function
+btrfs_rm_device calls:
+
+ btrfs_close_bdev(device);
+ call_rcu(&device->rcu, free_device_rcu);
+
+and then does the transactio ncommit. It goes through the
+fs_devices::resized_devices in btrfs_update_commit_device_size and
+leads to use-after-free.
+
+Fix this by making sure btrfs_shrink_device calls the last needed
+btrfs_commit_transaction before the return. This is consistent with what
+the grow counterpart does and this makes sure the on-disk state is
+persistent when the function returns.
+
+Reported-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
+Tested-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ update changelog ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -4517,7 +4517,12 @@ again:
+
+ /* Now btrfs_update_device() will change the on-disk size. */
+ ret = btrfs_update_device(trans, device);
+- btrfs_end_transaction(trans);
++ if (ret < 0) {
++ btrfs_abort_transaction(trans, ret);
++ btrfs_end_transaction(trans);
++ } else {
++ ret = btrfs_commit_transaction(trans);
++ }
+ done:
+ btrfs_free_path(path);
+ if (ret) {
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 31 Aug 2018 11:10:55 +0300
+Subject: cfg80211: fix a type issue in ieee80211_chandef_to_operating_class()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 8442938c3a2177ba16043b3a935f2c78266ad399 ]
+
+The "chandef->center_freq1" variable is a u32 but "freq" is a u16 so we
+are truncating away the high bits. I noticed this bug because in commit
+9cf0a0b4b64a ("cfg80211: Add support for 60GHz band channels 5 and 6")
+we made "freq <= 56160 + 2160 * 6" a valid requency when before it was
+only "freq <= 56160 + 2160 * 4" that was valid. It introduces a static
+checker warning:
+
+ net/wireless/util.c:1571 ieee80211_chandef_to_operating_class()
+ warn: always true condition '(freq <= 56160 + 2160 * 6) => (0-u16max <= 69120)'
+
+But really we probably shouldn't have been truncating the high bits
+away to begin with.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -1449,7 +1449,7 @@ bool ieee80211_chandef_to_operating_clas
+ u8 *op_class)
+ {
+ u8 vht_opclass;
+- u16 freq = chandef->center_freq1;
++ u32 freq = chandef->center_freq1;
+
+ if (freq >= 2412 && freq <= 2472) {
+ if (chandef->width > NL80211_CHAN_WIDTH_40)
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Arunk Khandavalli <akhandav@codeaurora.org>
+Date: Thu, 30 Aug 2018 00:40:16 +0300
+Subject: cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE
+
+From: Arunk Khandavalli <akhandav@codeaurora.org>
+
+[ Upstream commit 4f0223bfe9c3e62d8f45a85f1ef1b18a8a263ef9 ]
+
+nl80211_update_ft_ies() tried to validate NL80211_ATTR_IE with
+is_valid_ie_attr() before dereferencing it, but that helper function
+returns true in case of NULL pointer (i.e., attribute not included).
+This can result to dereferencing a NULL pointer. Fix that by explicitly
+checking that NL80211_ATTR_IE is included.
+
+Fixes: 355199e02b83 ("cfg80211: Extend support for IEEE 802.11r Fast BSS Transition")
+Signed-off-by: Arunk Khandavalli <akhandav@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/nl80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -11679,6 +11679,7 @@ static int nl80211_update_ft_ies(struct
+ return -EOPNOTSUPP;
+
+ if (!info->attrs[NL80211_ATTR_MDID] ||
++ !info->attrs[NL80211_ATTR_IE] ||
+ !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
+ return -EINVAL;
+
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Jon Kuhn <jkuhn@barracuda.com>
+Date: Mon, 9 Jul 2018 14:33:14 +0000
+Subject: fs/cifs: don't translate SFM_SLASH (U+F026) to backslash
+
+From: Jon Kuhn <jkuhn@barracuda.com>
+
+[ Upstream commit c15e3f19a6d5c89b1209dc94b40e568177cb0921 ]
+
+When a Mac client saves an item containing a backslash to a file server
+the backslash is represented in the CIFS/SMB protocol as as U+F026.
+Before this change, listing a directory containing an item with a
+backslash in its name will return that item with the backslash
+represented with a true backslash character (U+005C) because
+convert_sfm_character mapped U+F026 to U+005C when interpretting the
+CIFS/SMB protocol response. However, attempting to open or stat the
+path using a true backslash will result in an error because
+convert_to_sfm_char does not map U+005C back to U+F026 causing the
+CIFS/SMB request to be made with the backslash represented as U+005C.
+
+This change simply prevents the U+F026 to U+005C conversion from
+happenning. This is analogous to how the code does not do any
+translation of UNI_SLASH (U+F000).
+
+Signed-off-by: Jon Kuhn <jkuhn@barracuda.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifs_unicode.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/fs/cifs/cifs_unicode.c
++++ b/fs/cifs/cifs_unicode.c
+@@ -105,9 +105,6 @@ convert_sfm_char(const __u16 src_char, c
+ case SFM_LESSTHAN:
+ *target = '<';
+ break;
+- case SFM_SLASH:
+- *target = '\\';
+- break;
+ case SFM_SPACE:
+ *target = ' ';
+ break;
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Michael Hennerich <michael.hennerich@analog.com>
+Date: Mon, 13 Aug 2018 15:57:44 +0200
+Subject: gpio: adp5588: Fix sleep-in-atomic-context bug
+
+From: Michael Hennerich <michael.hennerich@analog.com>
+
+[ Upstream commit 6537886cdc9a637711fd6da980dbb87c2c87c9aa ]
+
+This fixes:
+[BUG] gpio: gpio-adp5588: A possible sleep-in-atomic-context bug
+ in adp5588_gpio_write()
+[BUG] gpio: gpio-adp5588: A possible sleep-in-atomic-context bug
+ in adp5588_gpio_direction_input()
+
+Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-adp5588.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpio/gpio-adp5588.c
++++ b/drivers/gpio/gpio-adp5588.c
+@@ -41,6 +41,8 @@ struct adp5588_gpio {
+ uint8_t int_en[3];
+ uint8_t irq_mask[3];
+ uint8_t irq_stat[3];
++ uint8_t int_input_en[3];
++ uint8_t int_lvl_cached[3];
+ };
+
+ static int adp5588_gpio_read(struct i2c_client *client, u8 reg)
+@@ -173,12 +175,28 @@ static void adp5588_irq_bus_sync_unlock(
+ struct adp5588_gpio *dev = irq_data_get_irq_chip_data(d);
+ int i;
+
+- for (i = 0; i <= ADP5588_BANK(ADP5588_MAXGPIO); i++)
++ for (i = 0; i <= ADP5588_BANK(ADP5588_MAXGPIO); i++) {
++ if (dev->int_input_en[i]) {
++ mutex_lock(&dev->lock);
++ dev->dir[i] &= ~dev->int_input_en[i];
++ dev->int_input_en[i] = 0;
++ adp5588_gpio_write(dev->client, GPIO_DIR1 + i,
++ dev->dir[i]);
++ mutex_unlock(&dev->lock);
++ }
++
++ if (dev->int_lvl_cached[i] != dev->int_lvl[i]) {
++ dev->int_lvl_cached[i] = dev->int_lvl[i];
++ adp5588_gpio_write(dev->client, GPIO_INT_LVL1 + i,
++ dev->int_lvl[i]);
++ }
++
+ if (dev->int_en[i] ^ dev->irq_mask[i]) {
+ dev->int_en[i] = dev->irq_mask[i];
+ adp5588_gpio_write(dev->client, GPIO_INT_EN1 + i,
+ dev->int_en[i]);
+ }
++ }
+
+ mutex_unlock(&dev->irq_lock);
+ }
+@@ -221,9 +239,7 @@ static int adp5588_irq_set_type(struct i
+ else
+ return -EINVAL;
+
+- adp5588_gpio_direction_input(&dev->gpio_chip, gpio);
+- adp5588_gpio_write(dev->client, GPIO_INT_LVL1 + bank,
+- dev->int_lvl[bank]);
++ dev->int_input_en[bank] |= bit;
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Date: Fri, 31 Aug 2018 09:04:18 +0200
+Subject: gpio: Fix crash due to registration race
+
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+
+[ Upstream commit d49b48f088c323dbacae44dfbe56d9c985c8a2a1 ]
+
+gpiochip_add_data_with_key() adds the gpiochip to the gpio_devices list
+before of_gpiochip_add() is called, but it's only the latter which sets
+the ->of_xlate function pointer. gpiochip_find() can be called by
+someone else between these two actions, and it can find the chip and
+call of_gpiochip_match_node_and_xlate() which leads to the following
+crash due to a NULL ->of_xlate().
+
+ Unhandled prefetch abort: page domain fault (0x01b) at 0x00000000
+ Modules linked in: leds_gpio(+) gpio_generic(+)
+ CPU: 0 PID: 830 Comm: insmod Not tainted 4.18.0+ #43
+ Hardware name: ARM-Versatile Express
+ PC is at (null)
+ LR is at of_gpiochip_match_node_and_xlate+0x2c/0x38
+ Process insmod (pid: 830, stack limit = 0x(ptrval))
+ (of_gpiochip_match_node_and_xlate) from (gpiochip_find+0x48/0x84)
+ (gpiochip_find) from (of_get_named_gpiod_flags+0xa8/0x238)
+ (of_get_named_gpiod_flags) from (gpiod_get_from_of_node+0x2c/0xc8)
+ (gpiod_get_from_of_node) from (devm_fwnode_get_index_gpiod_from_child+0xb8/0x144)
+ (devm_fwnode_get_index_gpiod_from_child) from (gpio_led_probe+0x208/0x3c4 [leds_gpio])
+ (gpio_led_probe [leds_gpio]) from (platform_drv_probe+0x48/0x9c)
+ (platform_drv_probe) from (really_probe+0x1d0/0x3d4)
+ (really_probe) from (driver_probe_device+0x78/0x1c0)
+ (driver_probe_device) from (__driver_attach+0x120/0x13c)
+ (__driver_attach) from (bus_for_each_dev+0x68/0xb4)
+ (bus_for_each_dev) from (bus_add_driver+0x1a8/0x268)
+ (bus_add_driver) from (driver_register+0x78/0x10c)
+ (driver_register) from (do_one_initcall+0x54/0x1fc)
+ (do_one_initcall) from (do_init_module+0x64/0x1f4)
+ (do_init_module) from (load_module+0x2198/0x26ac)
+ (load_module) from (sys_finit_module+0xe0/0x110)
+ (sys_finit_module) from (ret_fast_syscall+0x0/0x54)
+
+One way to fix this would be to rework the hairy registration sequence
+in gpiochip_add_data_with_key(), but since I'd probably introduce a
+couple of new bugs if I attempted that, simply add a check for a
+non-NULL of_xlate function pointer in
+of_gpiochip_match_node_and_xlate(). This works since the driver looking
+for the gpio will simply fail to find the gpio and defer its probe and
+be reprobed when the driver which is registering the gpiochip has fully
+completed its probe.
+
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib-of.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/gpiolib-of.c
++++ b/drivers/gpio/gpiolib-of.c
+@@ -31,6 +31,7 @@ static int of_gpiochip_match_node_and_xl
+ struct of_phandle_args *gpiospec = data;
+
+ return chip->gpiodev->dev.of_node == gpiospec->np &&
++ chip->of_xlate &&
+ chip->of_xlate(chip, gpiospec, NULL) >= 0;
+ }
+
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 14 Aug 2018 16:07:03 +0200
+Subject: gpiolib-acpi: Register GpioInt ACPI event handlers from a late_initcall
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 78d3a92edbfb02e8cb83173cad84c3f2d5e1f070 ]
+
+GpioInt ACPI event handlers may see there IRQ triggered immediately
+after requesting the IRQ (esp. level triggered ones). This means that they
+may run before any other (builtin) drivers have had a chance to register
+their OpRegion handlers, leading to errors like this:
+
+[ 1.133274] ACPI Error: No handler for Region [PMOP] ((____ptrval____)) [UserDefinedRegion] (20180531/evregion-132)
+[ 1.133286] ACPI Error: Region UserDefinedRegion (ID=141) has no handler (20180531/exfldio-265)
+[ 1.133297] ACPI Error: Method parse/execution failed \_SB.GPO2._L01, AE_NOT_EXIST (20180531/psparse-516)
+
+We already defer the manual initial trigger of edge triggered interrupts
+by running it from a late_initcall handler, this commit replaces this with
+deferring the entire acpi_gpiochip_request_interrupts() call till then,
+fixing the problem of some OpRegions not being registered yet.
+
+Note that this removes the need to have a list of edge triggered handlers
+which need to run, since the entire acpi_gpiochip_request_interrupts() call
+is now delayed, acpi_gpiochip_request_interrupt() can call these directly
+now.
+
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib-acpi.c | 84 +++++++++++++++++++++++++-------------------
+ 1 file changed, 49 insertions(+), 35 deletions(-)
+
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -25,7 +25,6 @@
+
+ struct acpi_gpio_event {
+ struct list_head node;
+- struct list_head initial_sync_list;
+ acpi_handle handle;
+ unsigned int pin;
+ unsigned int irq;
+@@ -49,10 +48,19 @@ struct acpi_gpio_chip {
+ struct mutex conn_lock;
+ struct gpio_chip *chip;
+ struct list_head events;
++ struct list_head deferred_req_irqs_list_entry;
+ };
+
+-static LIST_HEAD(acpi_gpio_initial_sync_list);
+-static DEFINE_MUTEX(acpi_gpio_initial_sync_list_lock);
++/*
++ * For gpiochips which call acpi_gpiochip_request_interrupts() before late_init
++ * (so builtin drivers) we register the ACPI GpioInt event handlers from a
++ * late_initcall_sync handler, so that other builtin drivers can register their
++ * OpRegions before the event handlers can run. This list contains gpiochips
++ * for which the acpi_gpiochip_request_interrupts() has been deferred.
++ */
++static DEFINE_MUTEX(acpi_gpio_deferred_req_irqs_lock);
++static LIST_HEAD(acpi_gpio_deferred_req_irqs_list);
++static bool acpi_gpio_deferred_req_irqs_done;
+
+ static int acpi_gpiochip_find(struct gpio_chip *gc, void *data)
+ {
+@@ -146,21 +154,6 @@ static struct gpio_desc *acpi_get_gpiod(
+ return gpiochip_get_desc(chip, offset);
+ }
+
+-static void acpi_gpio_add_to_initial_sync_list(struct acpi_gpio_event *event)
+-{
+- mutex_lock(&acpi_gpio_initial_sync_list_lock);
+- list_add(&event->initial_sync_list, &acpi_gpio_initial_sync_list);
+- mutex_unlock(&acpi_gpio_initial_sync_list_lock);
+-}
+-
+-static void acpi_gpio_del_from_initial_sync_list(struct acpi_gpio_event *event)
+-{
+- mutex_lock(&acpi_gpio_initial_sync_list_lock);
+- if (!list_empty(&event->initial_sync_list))
+- list_del_init(&event->initial_sync_list);
+- mutex_unlock(&acpi_gpio_initial_sync_list_lock);
+-}
+-
+ static irqreturn_t acpi_gpio_irq_handler(int irq, void *data)
+ {
+ struct acpi_gpio_event *event = data;
+@@ -290,7 +283,6 @@ static acpi_status acpi_gpiochip_request
+ event->irq = irq;
+ event->pin = pin;
+ event->desc = desc;
+- INIT_LIST_HEAD(&event->initial_sync_list);
+
+ ret = request_threaded_irq(event->irq, NULL, handler, irqflags,
+ "ACPI:Event", event);
+@@ -312,10 +304,9 @@ static acpi_status acpi_gpiochip_request
+ * may refer to OperationRegions from other (builtin) drivers which
+ * may be probed after us.
+ */
+- if (handler == acpi_gpio_irq_handler &&
+- (((irqflags & IRQF_TRIGGER_RISING) && value == 1) ||
+- ((irqflags & IRQF_TRIGGER_FALLING) && value == 0)))
+- acpi_gpio_add_to_initial_sync_list(event);
++ if (((irqflags & IRQF_TRIGGER_RISING) && value == 1) ||
++ ((irqflags & IRQF_TRIGGER_FALLING) && value == 0))
++ handler(event->irq, event);
+
+ return AE_OK;
+
+@@ -344,6 +335,7 @@ void acpi_gpiochip_request_interrupts(st
+ struct acpi_gpio_chip *acpi_gpio;
+ acpi_handle handle;
+ acpi_status status;
++ bool defer;
+
+ if (!chip->parent || !chip->to_irq)
+ return;
+@@ -356,6 +348,16 @@ void acpi_gpiochip_request_interrupts(st
+ if (ACPI_FAILURE(status))
+ return;
+
++ mutex_lock(&acpi_gpio_deferred_req_irqs_lock);
++ defer = !acpi_gpio_deferred_req_irqs_done;
++ if (defer)
++ list_add(&acpi_gpio->deferred_req_irqs_list_entry,
++ &acpi_gpio_deferred_req_irqs_list);
++ mutex_unlock(&acpi_gpio_deferred_req_irqs_lock);
++
++ if (defer)
++ return;
++
+ acpi_walk_resources(handle, "_AEI",
+ acpi_gpiochip_request_interrupt, acpi_gpio);
+ }
+@@ -386,11 +388,14 @@ void acpi_gpiochip_free_interrupts(struc
+ if (ACPI_FAILURE(status))
+ return;
+
++ mutex_lock(&acpi_gpio_deferred_req_irqs_lock);
++ if (!list_empty(&acpi_gpio->deferred_req_irqs_list_entry))
++ list_del_init(&acpi_gpio->deferred_req_irqs_list_entry);
++ mutex_unlock(&acpi_gpio_deferred_req_irqs_lock);
++
+ list_for_each_entry_safe_reverse(event, ep, &acpi_gpio->events, node) {
+ struct gpio_desc *desc;
+
+- acpi_gpio_del_from_initial_sync_list(event);
+-
+ if (irqd_is_wakeup_set(irq_get_irq_data(event->irq)))
+ disable_irq_wake(event->irq);
+
+@@ -1101,6 +1106,7 @@ void acpi_gpiochip_add(struct gpio_chip
+
+ acpi_gpio->chip = chip;
+ INIT_LIST_HEAD(&acpi_gpio->events);
++ INIT_LIST_HEAD(&acpi_gpio->deferred_req_irqs_list_entry);
+
+ status = acpi_attach_data(handle, acpi_gpio_chip_dh, acpi_gpio);
+ if (ACPI_FAILURE(status)) {
+@@ -1247,20 +1253,28 @@ bool acpi_can_fallback_to_crs(struct acp
+ return con_id == NULL;
+ }
+
+-/* Sync the initial state of handlers after all builtin drivers have probed */
+-static int acpi_gpio_initial_sync(void)
++/* Run deferred acpi_gpiochip_request_interrupts() */
++static int acpi_gpio_handle_deferred_request_interrupts(void)
+ {
+- struct acpi_gpio_event *event, *ep;
++ struct acpi_gpio_chip *acpi_gpio, *tmp;
++
++ mutex_lock(&acpi_gpio_deferred_req_irqs_lock);
++ list_for_each_entry_safe(acpi_gpio, tmp,
++ &acpi_gpio_deferred_req_irqs_list,
++ deferred_req_irqs_list_entry) {
++ acpi_handle handle;
+
+- mutex_lock(&acpi_gpio_initial_sync_list_lock);
+- list_for_each_entry_safe(event, ep, &acpi_gpio_initial_sync_list,
+- initial_sync_list) {
+- acpi_evaluate_object(event->handle, NULL, NULL, NULL);
+- list_del_init(&event->initial_sync_list);
++ handle = ACPI_HANDLE(acpi_gpio->chip->parent);
++ acpi_walk_resources(handle, "_AEI",
++ acpi_gpiochip_request_interrupt, acpi_gpio);
++
++ list_del_init(&acpi_gpio->deferred_req_irqs_list_entry);
+ }
+- mutex_unlock(&acpi_gpio_initial_sync_list_lock);
++
++ acpi_gpio_deferred_req_irqs_done = true;
++ mutex_unlock(&acpi_gpio_deferred_req_irqs_lock);
+
+ return 0;
+ }
+ /* We must use _sync so that this runs after the first deferred_probe run */
+-late_initcall_sync(acpi_gpio_initial_sync);
++late_initcall_sync(acpi_gpio_handle_deferred_request_interrupts);
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Mon, 13 Aug 2018 19:00:27 +0300
+Subject: gpiolib: acpi: Switch to cansleep version of GPIO library call
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 993b9bc5c47fda86f8ab4e53d68c6fea5ff2764a ]
+
+The commit ca876c7483b6
+
+ ("gpiolib-acpi: make sure we trigger edge events at least once on boot")
+
+added a initial value check for pin which is about to be locked as IRQ.
+Unfortunately, not all GPIO drivers can do that atomically. Thus,
+switch to cansleep version of the call. Otherwise we have a warning:
+
+...
+ WARNING: CPU: 2 PID: 1408 at drivers/gpio/gpiolib.c:2883 gpiod_get_value+0x46/0x50
+...
+ RIP: 0010:gpiod_get_value+0x46/0x50
+...
+
+The change tested on Intel Broxton with Whiskey Cove PMIC GPIO controller.
+
+Fixes: ca876c7483b6 ("gpiolib-acpi: make sure we trigger edge events at least once on boot")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib-acpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -247,7 +247,7 @@ static acpi_status acpi_gpiochip_request
+
+ gpiod_direction_input(desc);
+
+- value = gpiod_get_value(desc);
++ value = gpiod_get_value_cansleep(desc);
+
+ ret = gpiochip_lock_as_irq(chip, pin);
+ if (ret) {
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Fri, 31 Aug 2018 23:30:48 +0900
+Subject: i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+[ Upstream commit 4c85609b08c4761eca0a40fd7beb06bc650f252d ]
+
+This driver currently emits a STOP if the next message is not
+I2C_MD_RD. It should not do it because it disturbs the I2C_RDWR
+ioctl, where read/write transactions are combined without STOP
+between.
+
+Issue STOP only when the message is the last one _or_ flagged with
+I2C_M_STOP.
+
+Fixes: 6a62974b667f ("i2c: uniphier_f: add UniPhier FIFO-builtin I2C driver")
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-uniphier-f.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-uniphier-f.c
++++ b/drivers/i2c/busses/i2c-uniphier-f.c
+@@ -401,11 +401,8 @@ static int uniphier_fi2c_master_xfer(str
+ return ret;
+
+ for (msg = msgs; msg < emsg; msg++) {
+- /* If next message is read, skip the stop condition */
+- bool stop = !(msg + 1 < emsg && msg[1].flags & I2C_M_RD);
+- /* but, force it if I2C_M_STOP is set */
+- if (msg->flags & I2C_M_STOP)
+- stop = true;
++ /* Emit STOP if it is the last message or I2C_M_STOP is set. */
++ bool stop = (msg + 1 == emsg) || (msg->flags & I2C_M_STOP);
+
+ ret = uniphier_fi2c_master_xfer_one(adap, msg, stop);
+ if (ret)
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Fri, 31 Aug 2018 23:30:47 +0900
+Subject: i2c: uniphier: issue STOP only for last message or I2C_M_STOP
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+[ Upstream commit 38f5d8d8cbb2ffa2b54315118185332329ec891c ]
+
+This driver currently emits a STOP if the next message is not
+I2C_MD_RD. It should not do it because it disturbs the I2C_RDWR
+ioctl, where read/write transactions are combined without STOP
+between.
+
+Issue STOP only when the message is the last one _or_ flagged with
+I2C_M_STOP.
+
+Fixes: dd6fd4a32793 ("i2c: uniphier: add UniPhier FIFO-less I2C driver")
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-uniphier.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-uniphier.c
++++ b/drivers/i2c/busses/i2c-uniphier.c
+@@ -248,11 +248,8 @@ static int uniphier_i2c_master_xfer(stru
+ return ret;
+
+ for (msg = msgs; msg < emsg; msg++) {
+- /* If next message is read, skip the stop condition */
+- bool stop = !(msg + 1 < emsg && msg[1].flags & I2C_M_RD);
+- /* but, force it if I2C_M_STOP is set */
+- if (msg->flags & I2C_M_STOP)
+- stop = true;
++ /* Emit STOP if it is the last message or I2C_M_STOP is set. */
++ bool stop = (msg + 1 == emsg) || (msg->flags & I2C_M_STOP);
+
+ ret = uniphier_i2c_master_xfer_one(adap, msg, stop);
+ if (ret)
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Mon, 20 Aug 2018 16:05:45 +1000
+Subject: KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate function
+
+From: Paul Mackerras <paulus@ozlabs.org>
+
+[ Upstream commit 46dec40fb741f00f1864580130779aeeaf24fb3d ]
+
+This fixes a bug which causes guest virtual addresses to get translated
+to guest real addresses incorrectly when the guest is using the HPT MMU
+and has more than 256GB of RAM, or more specifically has a HPT larger
+than 2GB. This has showed up in testing as a failure of the host to
+emulate doorbell instructions correctly on POWER9 for HPT guests with
+more than 256GB of RAM.
+
+The bug is that the HPTE index in kvmppc_mmu_book3s_64_hv_xlate()
+is stored as an int, and in forming the HPTE address, the index gets
+shifted left 4 bits as an int before being signed-extended to 64 bits.
+The simple fix is to make the variable a long int, matching the
+return type of kvmppc_hv_find_lock_hpte(), which is what calculates
+the index.
+
+Fixes: 697d3899dcb4 ("KVM: PPC: Implement MMIO emulation support for Book3S HV guests")
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kvm/book3s_64_mmu_hv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kvm/book3s_64_mmu_hv.c
++++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c
+@@ -355,7 +355,7 @@ static int kvmppc_mmu_book3s_64_hv_xlate
+ unsigned long pp, key;
+ unsigned long v, orig_v, gr;
+ __be64 *hptep;
+- int index;
++ long int index;
+ int virtmode = vcpu->arch.shregs.msr & (data ? MSR_DR : MSR_IR);
+
+ /* Get SLB entry */
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 30 Aug 2018 10:55:49 +0200
+Subject: mac80211: always account for A-MSDU header changes
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit aa58acf325b4aadeecae2bfc90658273b47dbace ]
+
+In the error path of changing the SKB headroom of the second
+A-MSDU subframe, we would not account for the already-changed
+length of the first frame that just got converted to be in
+A-MSDU format and thus is a bit longer now.
+
+Fix this by doing the necessary accounting.
+
+It would be possible to reorder the operations, but that would
+make the code more complex (to calculate the necessary pad),
+and the headroom expansion should not fail frequently enough
+to make that worthwhile.
+
+Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/tx.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3188,7 +3188,7 @@ static bool ieee80211_amsdu_aggregate(st
+
+ if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) +
+ 2 + pad))
+- goto out;
++ goto out_recalc;
+
+ ret = true;
+ data = skb_push(skb, ETH_ALEN + 2);
+@@ -3205,11 +3205,13 @@ static bool ieee80211_amsdu_aggregate(st
+ head->data_len += skb->len;
+ *frag_tail = skb;
+
+- flow->backlog += head->len - orig_len;
+- tin->backlog_bytes += head->len - orig_len;
+-
+- fq_recalc_backlog(fq, tin, flow);
++out_recalc:
++ if (head->len != orig_len) {
++ flow->backlog += head->len - orig_len;
++ tin->backlog_bytes += head->len - orig_len;
+
++ fq_recalc_backlog(fq, tin, flow);
++ }
+ out:
+ spin_unlock_bh(&fq->lock);
+
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Wed, 29 Aug 2018 08:57:02 +0200
+Subject: mac80211: avoid kernel panic when building AMSDU from non-linear SKB
+
+From: Sara Sharon <sara.sharon@intel.com>
+
+[ Upstream commit 166ac9d55b0ab70b644e429be1f217fe8393cbd7 ]
+
+When building building AMSDU from non-linear SKB, we hit a
+kernel panic when trying to push the padding to the tail.
+Instead, put the padding at the head of the next subframe.
+This also fixes the A-MSDU subframes to not have the padding
+accounted in the length field and not have pad at all for
+the last subframe, both required by the spec.
+
+Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support")
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+Reviewed-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/tx.c | 38 +++++++++++++++++++++-----------------
+ 1 file changed, 21 insertions(+), 17 deletions(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3022,27 +3022,18 @@ void ieee80211_clear_fast_xmit(struct st
+ }
+
+ static bool ieee80211_amsdu_realloc_pad(struct ieee80211_local *local,
+- struct sk_buff *skb, int headroom,
+- int *subframe_len)
++ struct sk_buff *skb, int headroom)
+ {
+- int amsdu_len = *subframe_len + sizeof(struct ethhdr);
+- int padding = (4 - amsdu_len) & 3;
+-
+- if (skb_headroom(skb) < headroom || skb_tailroom(skb) < padding) {
++ if (skb_headroom(skb) < headroom) {
+ I802_DEBUG_INC(local->tx_expand_skb_head);
+
+- if (pskb_expand_head(skb, headroom, padding, GFP_ATOMIC)) {
++ if (pskb_expand_head(skb, headroom, 0, GFP_ATOMIC)) {
+ wiphy_debug(local->hw.wiphy,
+ "failed to reallocate TX buffer\n");
+ return false;
+ }
+ }
+
+- if (padding) {
+- *subframe_len += padding;
+- skb_put_zero(skb, padding);
+- }
+-
+ return true;
+ }
+
+@@ -3066,8 +3057,7 @@ static bool ieee80211_amsdu_prepare_head
+ if (info->control.flags & IEEE80211_TX_CTRL_AMSDU)
+ return true;
+
+- if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr),
+- &subframe_len))
++ if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr)))
+ return false;
+
+ data = skb_push(skb, sizeof(*amsdu_hdr));
+@@ -3133,7 +3123,8 @@ static bool ieee80211_amsdu_aggregate(st
+ void *data;
+ bool ret = false;
+ unsigned int orig_len;
+- int n = 1, nfrags;
++ int n = 1, nfrags, pad = 0;
++ u16 hdrlen;
+
+ if (!ieee80211_hw_check(&local->hw, TX_AMSDU))
+ return false;
+@@ -3184,8 +3175,19 @@ static bool ieee80211_amsdu_aggregate(st
+ if (max_frags && nfrags > max_frags)
+ goto out;
+
+- if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) + 2,
+- &subframe_len))
++ /*
++ * Pad out the previous subframe to a multiple of 4 by adding the
++ * padding to the next one, that's being added. Note that head->len
++ * is the length of the full A-MSDU, but that works since each time
++ * we add a new subframe we pad out the previous one to a multiple
++ * of 4 and thus it no longer matters in the next round.
++ */
++ hdrlen = fast_tx->hdr_len - sizeof(rfc1042_header);
++ if ((head->len - hdrlen) & 3)
++ pad = 4 - ((head->len - hdrlen) & 3);
++
++ if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) +
++ 2 + pad))
+ goto out;
+
+ ret = true;
+@@ -3197,6 +3199,8 @@ static bool ieee80211_amsdu_aggregate(st
+ memcpy(data, &len, 2);
+ memcpy(data + 2, rfc1042_header, sizeof(rfc1042_header));
+
++ memset(skb_push(skb, pad), 0, pad);
++
+ head->len += skb->len;
+ head->data_len += skb->len;
+ *frag_tail = skb;
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Danek Duvall <duvall@comfychair.org>
+Date: Wed, 22 Aug 2018 16:01:04 -0700
+Subject: mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X
+
+From: Danek Duvall <duvall@comfychair.org>
+
+[ Upstream commit 67d1ba8a6dc83d90cd58b89fa6cbf9ae35a0cf7f ]
+
+The mod mask for VHT capabilities intends to say that you can override
+the number of STBC receive streams, and it does, but only by accident.
+The IEEE80211_VHT_CAP_RXSTBC_X aren't bits to be set, but values (albeit
+left-shifted). ORing the bits together gets the right answer, but we
+should use the _MASK macro here instead.
+
+Signed-off-by: Danek Duvall <duvall@comfychair.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/main.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -467,10 +467,7 @@ static const struct ieee80211_vht_cap ma
+ cpu_to_le32(IEEE80211_VHT_CAP_RXLDPC |
+ IEEE80211_VHT_CAP_SHORT_GI_80 |
+ IEEE80211_VHT_CAP_SHORT_GI_160 |
+- IEEE80211_VHT_CAP_RXSTBC_1 |
+- IEEE80211_VHT_CAP_RXSTBC_2 |
+- IEEE80211_VHT_CAP_RXSTBC_3 |
+- IEEE80211_VHT_CAP_RXSTBC_4 |
++ IEEE80211_VHT_CAP_RXSTBC_MASK |
+ IEEE80211_VHT_CAP_TXSTBC |
+ IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE |
+ IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE |
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Wed, 29 Aug 2018 21:03:25 +0200
+Subject: mac80211: do not convert to A-MSDU if frag/subframe limited
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+[ Upstream commit 1eb507903665442360a959136dfa3234c43db085 ]
+
+Do not start to aggregate packets in a A-MSDU frame (converting the
+first subframe to A-MSDU, adding the header) if max_tx_fragments or
+max_amsdu_subframes limits are already exceeded by it. In particular,
+this happens when drivers set the limit to 1 to avoid A-MSDUs at all.
+
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+[reword commit message to be more precise]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/tx.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3157,9 +3157,6 @@ static bool ieee80211_amsdu_aggregate(st
+ if (skb->len + head->len > max_amsdu_len)
+ goto out;
+
+- if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head))
+- goto out;
+-
+ nfrags = 1 + skb_shinfo(skb)->nr_frags;
+ nfrags += 1 + skb_shinfo(head)->nr_frags;
+ frag_tail = &skb_shinfo(head)->frag_list;
+@@ -3175,6 +3172,9 @@ static bool ieee80211_amsdu_aggregate(st
+ if (max_frags && nfrags > max_frags)
+ goto out;
+
++ if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head))
++ goto out;
++
+ /*
+ * Pad out the previous subframe to a multiple of 4 by adding the
+ * padding to the next one, that's being added. Note that head->len
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Fri, 31 Aug 2018 11:31:12 +0300
+Subject: mac80211: don't Tx a deauth frame if the AP forbade Tx
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit 6c18b27d6e5c6a7206364eae2b47bc8d8b2fa68f ]
+
+If the driver fails to properly prepare for the channel
+switch, mac80211 will disconnect. If the CSA IE had mode
+set to 1, it means that the clients are not allowed to send
+any Tx on the current channel, and that includes the
+deauthentication frame.
+
+Make sure that we don't send the deauthentication frame in
+this case.
+
+In iwlwifi, this caused a failure to flush queues since the
+firmware already closed the queues after having parsed the
+CSA IE. Then mac80211 would wait until the deauthentication
+frame would go out (drv_flush(drop=false)) and that would
+never happen.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mlme.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1280,6 +1280,16 @@ ieee80211_sta_process_chanswitch(struct
+ cbss->beacon_interval));
+ return;
+ drop_connection:
++ /*
++ * This is just so that the disconnect flow will know that
++ * we were trying to switch channel and failed. In case the
++ * mode is 1 (we are not allowed to Tx), we will know not to
++ * send a deauthentication frame. Those two fields will be
++ * reset when the disconnection worker runs.
++ */
++ sdata->vif.csa_active = true;
++ sdata->csa_block_tx = csa_ie.mode;
++
+ ieee80211_queue_work(&local->hw, &ifmgd->csa_connection_drop_work);
+ mutex_unlock(&local->chanctx_mtx);
+ mutex_unlock(&local->mtx);
+@@ -2450,6 +2460,7 @@ static void __ieee80211_disconnect(struc
+ struct ieee80211_local *local = sdata->local;
+ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+ u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
++ bool tx;
+
+ sdata_lock(sdata);
+ if (!ifmgd->associated) {
+@@ -2457,6 +2468,8 @@ static void __ieee80211_disconnect(struc
+ return;
+ }
+
++ tx = !sdata->csa_block_tx;
++
+ /* AP is probably out of range (or not reachable for another reason) so
+ * remove the bss struct for that AP.
+ */
+@@ -2464,7 +2477,7 @@ static void __ieee80211_disconnect(struc
+
+ ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
+ WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
+- true, frame_buf);
++ tx, frame_buf);
+ mutex_lock(&local->mtx);
+ sdata->vif.csa_active = false;
+ ifmgd->csa_waiting_bcn = false;
+@@ -2475,7 +2488,7 @@ static void __ieee80211_disconnect(struc
+ }
+ mutex_unlock(&local->mtx);
+
+- ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true,
++ ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), tx,
+ WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY);
+
+ sdata_unlock(sdata);
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Fri, 31 Aug 2018 11:31:06 +0300
+Subject: mac80211: fix a race between restart and CSA flows
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit f3ffb6c3a28963657eb8b02a795d75f2ebbd5ef4 ]
+
+We hit a problem with iwlwifi that was caused by a bug in
+mac80211. A bug in iwlwifi caused the firwmare to crash in
+certain cases in channel switch. Because of that bug,
+drv_pre_channel_switch would fail and trigger the restart
+flow.
+Now we had the hw restart worker which runs on the system's
+workqueue and the csa_connection_drop_work worker that runs
+on mac80211's workqueue that can run together. This is
+obviously problematic since the restart work wants to
+reconfigure the connection, while the csa_connection_drop_work
+worker does the exact opposite: it tries to disconnect.
+
+Fix this by cancelling the csa_connection_drop_work worker
+in the restart worker.
+
+Note that this can sound racy: we could have:
+
+driver iface_work CSA_work restart_work
++++++++++++++++++++++++++++++++++++++++++++++
+ |
+ <--drv_cs ---|
+<FW CRASH!>
+-CS FAILED-->
+ | |
+ | cancel_work(CSA)
+ schedule |
+ CSA work |
+ | |
+ Race between those 2
+
+But this is not possible because we flush the workqueue
+in the restart worker before we cancel the CSA worker.
+That would be bullet proof if we could guarantee that
+we schedule the CSA worker only from the iface_work
+which runs on the workqueue (and not on the system's
+workqueue), but unfortunately we do have an instance
+in which we schedule the CSA work outside the context
+of the workqueue (ieee80211_chswitch_done).
+
+Note also that we should probably cancel other workers
+like beacon_connection_loss_work and possibly others
+for different types of interfaces, at the very least,
+IBSS should suffer from the exact same problem, but for
+now, do the minimum to fix the actual bug that was actually
+experienced and reproduced.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/main.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -255,8 +255,27 @@ static void ieee80211_restart_work(struc
+
+ flush_work(&local->radar_detected_work);
+ rtnl_lock();
+- list_for_each_entry(sdata, &local->interfaces, list)
++ list_for_each_entry(sdata, &local->interfaces, list) {
++ /*
++ * XXX: there may be more work for other vif types and even
++ * for station mode: a good thing would be to run most of
++ * the iface type's dependent _stop (ieee80211_mg_stop,
++ * ieee80211_ibss_stop) etc...
++ * For now, fix only the specific bug that was seen: race
++ * between csa_connection_drop_work and us.
++ */
++ if (sdata->vif.type == NL80211_IFTYPE_STATION) {
++ /*
++ * This worker is scheduled from the iface worker that
++ * runs on mac80211's workqueue, so we can't be
++ * scheduling this worker after the cancel right here.
++ * The exception is ieee80211_chswitch_done.
++ * Then we can have a race...
++ */
++ cancel_work_sync(&sdata->u.mgd.csa_connection_drop_work);
++ }
+ flush_delayed_work(&sdata->dec_tailroom_needed_wk);
++ }
+ ieee80211_scan_cancel(local);
+
+ /* make sure any new ROC will consider local->in_reconfig */
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Fri, 31 Aug 2018 01:04:13 +0200
+Subject: mac80211: fix an off-by-one issue in A-MSDU max_subframe computation
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+[ Upstream commit 66eb02d839e8495ae6b612e2d09ff599374b80e2 ]
+
+Initialize 'n' to 2 in order to take into account also the first
+packet in the estimation of max_subframe limit for a given A-MSDU
+since frag_tail pointer is NULL when ieee80211_amsdu_aggregate
+routine analyzes the second frame.
+
+Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3123,7 +3123,7 @@ static bool ieee80211_amsdu_aggregate(st
+ void *data;
+ bool ret = false;
+ unsigned int orig_len;
+- int n = 1, nfrags, pad = 0;
++ int n = 2, nfrags, pad = 0;
+ u16 hdrlen;
+
+ if (!ieee80211_hw_check(&local->hw, TX_AMSDU))
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Ilan Peer <ilan.peer@intel.com>
+Date: Fri, 31 Aug 2018 11:31:10 +0300
+Subject: mac80211: Fix station bandwidth setting after channel switch
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit 0007e94355fdb71a1cf5dba0754155cba08f0666 ]
+
+When performing a channel switch flow for a managed interface, the
+flow did not update the bandwidth of the AP station and the rate
+scale algorithm. In case of a channel width downgrade, this would
+result with the rate scale algorithm using a bandwidth that does not
+match the interface channel configuration.
+
+Fix this by updating the AP station bandwidth and rate scaling algorithm
+before the actual channel change in case of a bandwidth downgrade, or
+after the actual channel change in case of a bandwidth upgrade.
+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mlme.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -988,6 +988,10 @@ static void ieee80211_chswitch_work(stru
+ */
+
+ if (sdata->reserved_chanctx) {
++ struct ieee80211_supported_band *sband = NULL;
++ struct sta_info *mgd_sta = NULL;
++ enum ieee80211_sta_rx_bandwidth bw = IEEE80211_STA_RX_BW_20;
++
+ /*
+ * with multi-vif csa driver may call ieee80211_csa_finish()
+ * many times while waiting for other interfaces to use their
+@@ -996,6 +1000,48 @@ static void ieee80211_chswitch_work(stru
+ if (sdata->reserved_ready)
+ goto out;
+
++ if (sdata->vif.bss_conf.chandef.width !=
++ sdata->csa_chandef.width) {
++ /*
++ * For managed interface, we need to also update the AP
++ * station bandwidth and align the rate scale algorithm
++ * on the bandwidth change. Here we only consider the
++ * bandwidth of the new channel definition (as channel
++ * switch flow does not have the full HT/VHT/HE
++ * information), assuming that if additional changes are
++ * required they would be done as part of the processing
++ * of the next beacon from the AP.
++ */
++ switch (sdata->csa_chandef.width) {
++ case NL80211_CHAN_WIDTH_20_NOHT:
++ case NL80211_CHAN_WIDTH_20:
++ default:
++ bw = IEEE80211_STA_RX_BW_20;
++ break;
++ case NL80211_CHAN_WIDTH_40:
++ bw = IEEE80211_STA_RX_BW_40;
++ break;
++ case NL80211_CHAN_WIDTH_80:
++ bw = IEEE80211_STA_RX_BW_80;
++ break;
++ case NL80211_CHAN_WIDTH_80P80:
++ case NL80211_CHAN_WIDTH_160:
++ bw = IEEE80211_STA_RX_BW_160;
++ break;
++ }
++
++ mgd_sta = sta_info_get(sdata, ifmgd->bssid);
++ sband =
++ local->hw.wiphy->bands[sdata->csa_chandef.chan->band];
++ }
++
++ if (sdata->vif.bss_conf.chandef.width >
++ sdata->csa_chandef.width) {
++ mgd_sta->sta.bandwidth = bw;
++ rate_control_rate_update(local, sband, mgd_sta,
++ IEEE80211_RC_BW_CHANGED);
++ }
++
+ ret = ieee80211_vif_use_reserved_context(sdata);
+ if (ret) {
+ sdata_info(sdata,
+@@ -1006,6 +1052,13 @@ static void ieee80211_chswitch_work(stru
+ goto out;
+ }
+
++ if (sdata->vif.bss_conf.chandef.width <
++ sdata->csa_chandef.width) {
++ mgd_sta->sta.bandwidth = bw;
++ rate_control_rate_update(local, sband, mgd_sta,
++ IEEE80211_RC_BW_CHANGED);
++ }
++
+ goto out;
+ }
+
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Yuan-Chi Pang <fu3mo6goo@gmail.com>
+Date: Wed, 29 Aug 2018 09:30:08 +0800
+Subject: mac80211: mesh: fix HWMP sequence numbering to follow standard
+
+From: Yuan-Chi Pang <fu3mo6goo@gmail.com>
+
+[ Upstream commit 1f631c3201fe5491808df143d8fcba81b3197ffd ]
+
+IEEE 802.11-2016 14.10.8.3 HWMP sequence numbering says:
+If it is a target mesh STA, it shall update its own HWMP SN to
+maximum (current HWMP SN, target HWMP SN in the PREQ element) + 1
+immediately before it generates a PREP element in response to a
+PREQ element.
+
+Signed-off-by: Yuan-Chi Pang <fu3mo6goo@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mesh_hwmp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/mac80211/mesh_hwmp.c
++++ b/net/mac80211/mesh_hwmp.c
+@@ -572,6 +572,10 @@ static void hwmp_preq_frame_process(stru
+ forward = false;
+ reply = true;
+ target_metric = 0;
++
++ if (SN_GT(target_sn, ifmsh->sn))
++ ifmsh->sn = target_sn;
++
+ if (time_after(jiffies, ifmsh->last_sn_update +
+ net_traversal_jiffies(sdata)) ||
+ time_before(jiffies, ifmsh->last_sn_update)) {
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: "Toke Høiland-Jørgensen" <toke@toke.dk>
+Date: Mon, 13 Aug 2018 14:16:25 +0200
+Subject: mac80211: Run TXQ teardown code before de-registering interfaces
+
+From: "Toke Høiland-Jørgensen" <toke@toke.dk>
+
+[ Upstream commit 77cfaf52eca5cac30ed029507e0cab065f888995 ]
+
+The TXQ teardown code can reference the vif data structures that are
+stored in the netdev private memory area if there are still packets on
+the queue when it is being freed. Since the TXQ teardown code is run
+after the netdevs are freed, this can lead to a use-after-free. Fix this
+by moving the TXQ teardown code to earlier in ieee80211_unregister_hw().
+
+Reported-by: Ben Greear <greearb@candelatech.com>
+Tested-by: Ben Greear <greearb@candelatech.com>
+Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -1171,6 +1171,7 @@ void ieee80211_unregister_hw(struct ieee
+ #if IS_ENABLED(CONFIG_IPV6)
+ unregister_inet6addr_notifier(&local->ifa6_notifier);
+ #endif
++ ieee80211_txq_teardown_flows(local);
+
+ rtnl_lock();
+
+@@ -1199,7 +1200,6 @@ void ieee80211_unregister_hw(struct ieee
+ skb_queue_purge(&local->skb_queue);
+ skb_queue_purge(&local->skb_queue_unreliable);
+ skb_queue_purge(&local->skb_queue_tdls_chsw);
+- ieee80211_txq_teardown_flows(local);
+
+ destroy_workqueue(local->workqueue);
+ wiphy_unregister(local->hw.wiphy);
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Fri, 31 Aug 2018 11:31:13 +0300
+Subject: mac80211: shorten the IBSS debug messages
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit c6e57b3896fc76299913b8cfd82d853bee8a2c84 ]
+
+When tracing is enabled, all the debug messages are recorded and must
+not exceed MAX_MSG_LEN (100) columns. Longer debug messages grant the
+user with:
+
+WARNING: CPU: 3 PID: 32642 at /tmp/wifi-core-20180806094828/src/iwlwifi-stack-dev/net/mac80211/./trace_msg.h:32 trace_event_raw_event_mac80211_msg_event+0xab/0xc0 [mac80211]
+Workqueue: phy1 ieee80211_iface_work [mac80211]
+ RIP: 0010:trace_event_raw_event_mac80211_msg_event+0xab/0xc0 [mac80211]
+ Call Trace:
+ __sdata_dbg+0xbd/0x120 [mac80211]
+ ieee80211_ibss_rx_queued_mgmt+0x15f/0x510 [mac80211]
+ ieee80211_iface_work+0x21d/0x320 [mac80211]
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/ibss.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -947,8 +947,8 @@ static void ieee80211_rx_mgmt_deauth_ibs
+ if (len < IEEE80211_DEAUTH_FRAME_LEN)
+ return;
+
+- ibss_dbg(sdata, "RX DeAuth SA=%pM DA=%pM BSSID=%pM (reason: %d)\n",
+- mgmt->sa, mgmt->da, mgmt->bssid, reason);
++ ibss_dbg(sdata, "RX DeAuth SA=%pM DA=%pM\n", mgmt->sa, mgmt->da);
++ ibss_dbg(sdata, "\tBSSID=%pM (reason: %d)\n", mgmt->bssid, reason);
+ sta_info_destroy_addr(sdata, mgmt->sa);
+ }
+
+@@ -966,9 +966,9 @@ static void ieee80211_rx_mgmt_auth_ibss(
+ auth_alg = le16_to_cpu(mgmt->u.auth.auth_alg);
+ auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction);
+
+- ibss_dbg(sdata,
+- "RX Auth SA=%pM DA=%pM BSSID=%pM (auth_transaction=%d)\n",
+- mgmt->sa, mgmt->da, mgmt->bssid, auth_transaction);
++ ibss_dbg(sdata, "RX Auth SA=%pM DA=%pM\n", mgmt->sa, mgmt->da);
++ ibss_dbg(sdata, "\tBSSID=%pM (auth_transaction=%d)\n",
++ mgmt->bssid, auth_transaction);
+
+ if (auth_alg != WLAN_AUTH_OPEN || auth_transaction != 1)
+ return;
+@@ -1175,10 +1175,10 @@ static void ieee80211_rx_bss_info(struct
+ rx_timestamp = drv_get_tsf(local, sdata);
+ }
+
+- ibss_dbg(sdata,
+- "RX beacon SA=%pM BSSID=%pM TSF=0x%llx BCN=0x%llx diff=%lld @%lu\n",
++ ibss_dbg(sdata, "RX beacon SA=%pM BSSID=%pM TSF=0x%llx\n",
+ mgmt->sa, mgmt->bssid,
+- (unsigned long long)rx_timestamp,
++ (unsigned long long)rx_timestamp);
++ ibss_dbg(sdata, "\tBCN=0x%llx diff=%lld @%lu\n",
+ (unsigned long long)beacon_timestamp,
+ (unsigned long long)(rx_timestamp - beacon_timestamp),
+ jiffies);
+@@ -1537,9 +1537,9 @@ static void ieee80211_rx_mgmt_probe_req(
+
+ tx_last_beacon = drv_tx_last_beacon(local);
+
+- ibss_dbg(sdata,
+- "RX ProbeReq SA=%pM DA=%pM BSSID=%pM (tx_last_beacon=%d)\n",
+- mgmt->sa, mgmt->da, mgmt->bssid, tx_last_beacon);
++ ibss_dbg(sdata, "RX ProbeReq SA=%pM DA=%pM\n", mgmt->sa, mgmt->da);
++ ibss_dbg(sdata, "\tBSSID=%pM (tx_last_beacon=%d)\n",
++ mgmt->bssid, tx_last_beacon);
+
+ if (!tx_last_beacon && is_multicast_ether_addr(mgmt->da))
+ return;
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Danek Duvall <duvall@comfychair.org>
+Date: Wed, 22 Aug 2018 16:01:05 -0700
+Subject: mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X
+
+From: Danek Duvall <duvall@comfychair.org>
+
+[ Upstream commit d7c863a2f65e48f442379f4ee1846d52e0c5d24d ]
+
+The mac80211_hwsim driver intends to say that it supports up to four
+STBC receive streams, but instead it ends up saying something undefined.
+The IEEE80211_VHT_CAP_RXSTBC_X macros aren't independent bits that can
+be ORed together, but values. In this case, _4 is the appropriate one
+to use.
+
+Signed-off-by: Danek Duvall <duvall@comfychair.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -2632,9 +2632,6 @@ static int mac80211_hwsim_new_radio(stru
+ IEEE80211_VHT_CAP_SHORT_GI_80 |
+ IEEE80211_VHT_CAP_SHORT_GI_160 |
+ IEEE80211_VHT_CAP_TXSTBC |
+- IEEE80211_VHT_CAP_RXSTBC_1 |
+- IEEE80211_VHT_CAP_RXSTBC_2 |
+- IEEE80211_VHT_CAP_RXSTBC_3 |
+ IEEE80211_VHT_CAP_RXSTBC_4 |
+ IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_MASK;
+ sband->vht_cap.vht_mcs.rx_mcs_map =
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 15 Aug 2018 18:17:03 +0200
+Subject: mac80211_hwsim: require at least one channel
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 484004339d4514fde425f6e8a9f6a6cc979bb0c3 ]
+
+Syzbot continues to try to create mac80211_hwsim radios, and
+manages to pass parameters that are later checked with WARN_ON
+in cfg80211 - catch another one in hwsim directly.
+
+Reported-by: syzbot+2a12f11c306afe871c1f@syzkaller.appspotmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3124,6 +3124,11 @@ static int hwsim_new_radio_nl(struct sk_
+ if (info->attrs[HWSIM_ATTR_CHANNELS])
+ param.channels = nla_get_u32(info->attrs[HWSIM_ATTR_CHANNELS]);
+
++ if (param.channels < 1) {
++ GENL_SET_ERR_MSG(info, "must have at least one channel");
++ return -EINVAL;
++ }
++
+ if (param.channels > CFG80211_MAX_NUM_DIFFERENT_CHANNELS) {
+ GENL_SET_ERR_MSG(info, "too many channels specified");
+ return -EINVAL;
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Shaohua Li <shli@fb.com>
+Date: Wed, 29 Aug 2018 11:05:42 -0700
+Subject: md/raid5-cache: disable reshape completely
+
+From: Shaohua Li <shli@fb.com>
+
+[ Upstream commit e254de6bcf3f5b6e78a92ac95fb91acef8adfe1a ]
+
+We don't support reshape yet if an array supports log device. Previously we
+determine the fact by checking ->log. However, ->log could be NULL after a log
+device is removed, but the array is still marked to support log device. Don't
+allow reshape in this case too. User can disable log device support by setting
+'consistency_policy' to 'resync' then do reshape.
+
+Reported-by: Xiao Ni <xni@redhat.com>
+Tested-by: Xiao Ni <xni@redhat.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid5-log.h | 5 +++++
+ drivers/md/raid5.c | 6 +++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/raid5-log.h
++++ b/drivers/md/raid5-log.h
+@@ -43,6 +43,11 @@ extern void ppl_write_stripe_run(struct
+ extern void ppl_stripe_write_finished(struct stripe_head *sh);
+ extern int ppl_modify_log(struct r5conf *conf, struct md_rdev *rdev, bool add);
+
++static inline bool raid5_has_log(struct r5conf *conf)
++{
++ return test_bit(MD_HAS_JOURNAL, &conf->mddev->flags);
++}
++
+ static inline bool raid5_has_ppl(struct r5conf *conf)
+ {
+ return test_bit(MD_HAS_PPL, &conf->mddev->flags);
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -736,7 +736,7 @@ static bool stripe_can_batch(struct stri
+ {
+ struct r5conf *conf = sh->raid_conf;
+
+- if (conf->log || raid5_has_ppl(conf))
++ if (raid5_has_log(conf) || raid5_has_ppl(conf))
+ return false;
+ return test_bit(STRIPE_BATCH_READY, &sh->state) &&
+ !test_bit(STRIPE_BITMAP_PENDING, &sh->state) &&
+@@ -7717,7 +7717,7 @@ static int raid5_resize(struct mddev *md
+ sector_t newsize;
+ struct r5conf *conf = mddev->private;
+
+- if (conf->log || raid5_has_ppl(conf))
++ if (raid5_has_log(conf) || raid5_has_ppl(conf))
+ return -EINVAL;
+ sectors &= ~((sector_t)conf->chunk_sectors - 1);
+ newsize = raid5_size(mddev, sectors, mddev->raid_disks);
+@@ -7768,7 +7768,7 @@ static int check_reshape(struct mddev *m
+ {
+ struct r5conf *conf = mddev->private;
+
+- if (conf->log || raid5_has_ppl(conf))
++ if (raid5_has_log(conf) || raid5_has_ppl(conf))
+ return -EINVAL;
+ if (mddev->delta_disks == 0 &&
+ mddev->new_layout == mddev->layout &&
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Sat, 1 Sep 2018 20:11:05 +0800
+Subject: net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 16fe10cf92783ed9ceb182d6ea2b8adf5e8ec1b8 ]
+
+The kernel module may sleep with holding a spinlock.
+
+The function call paths (from bottom to top) in Linux-4.16 are:
+
+[FUNC] usleep_range
+drivers/net/ethernet/cadence/macb_main.c, 648:
+ usleep_range in macb_halt_tx
+drivers/net/ethernet/cadence/macb_main.c, 730:
+ macb_halt_tx in macb_tx_error_task
+drivers/net/ethernet/cadence/macb_main.c, 721:
+ _raw_spin_lock_irqsave in macb_tx_error_task
+
+To fix this bug, usleep_range() is replaced with udelay().
+
+This bug is found by my static analysis tool DSAC.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -642,7 +642,7 @@ static int macb_halt_tx(struct macb *bp)
+ if (!(status & MACB_BIT(TGO)))
+ return 0;
+
+- usleep_range(10, 250);
++ udelay(250);
+ } while (time_before(halt_time, timeout));
+
+ return -ETIMEDOUT;
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Tony Lindgren <tony@atomide.com>
+Date: Wed, 29 Aug 2018 08:00:24 -0700
+Subject: net: ethernet: cpsw-phy-sel: prefer phandle for phy sel
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 18eb8aea7fb2fb4490e578b1b8a1096c34b2fc48 ]
+
+The cpsw-phy-sel device is not a child of the cpsw interconnect target
+module. It lives in the system control module.
+
+Let's fix this issue by trying to use cpsw-phy-sel phandle first if it
+exists and if not fall back to current usage of trying to find the
+cpsw-phy-sel child. That way the phy sel driver can be a child of the
+system control module where it belongs in the device tree.
+
+Without this fix, we cannot have a proper interconnect target module
+hierarchy in device tree for things like genpd.
+
+Note that deferred probe is mostly not supported by cpsw and this patch
+does not attempt to fix that. In case deferred probe support is needed,
+this could be added to cpsw_slave_open() and phy_connect() so they start
+handling and returning errors.
+
+For documenting it, looks like the cpsw-phy-sel is used for all cpsw device
+tree nodes. It's missing the related binding documentation, so let's also
+update the binding documentation accordingly.
+
+Cc: devicetree@vger.kernel.org
+Cc: Andrew Lunn <andrew@lunn.ch>
+Cc: Grygorii Strashko <grygorii.strashko@ti.com>
+Cc: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Murali Karicheri <m-karicheri2@ti.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/cpsw-phy-sel.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/ti/cpsw-phy-sel.c
++++ b/drivers/net/ethernet/ti/cpsw-phy-sel.c
+@@ -170,10 +170,13 @@ void cpsw_phy_sel(struct device *dev, ph
+ struct device_node *node;
+ struct cpsw_phy_sel_priv *priv;
+
+- node = of_get_child_by_name(dev->of_node, "cpsw-phy-sel");
++ node = of_parse_phandle(dev->of_node, "cpsw-phy-sel", 0);
+ if (!node) {
+- dev_err(dev, "Phy mode driver DT not found\n");
+- return;
++ node = of_get_child_by_name(dev->of_node, "cpsw-phy-sel");
++ if (!node) {
++ dev_err(dev, "Phy mode driver DT not found\n");
++ return;
++ }
+ }
+
+ dev = bus_find_device(&platform_bus_type, NULL, node, match);
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Peng Li <lipeng321@huawei.com>
+Date: Mon, 27 Aug 2018 09:59:30 +0800
+Subject: net: hns: add netif_carrier_off before change speed and duplex
+
+From: Peng Li <lipeng321@huawei.com>
+
+[ Upstream commit 455c4401fe7a538facaffb35b906ce19f1ece474 ]
+
+If there are packets in hardware when changing the speed
+or duplex, it may cause hardware hang up.
+
+This patch adds netif_carrier_off before change speed and
+duplex in ethtool_ops.set_link_ksettings, and adds
+netif_carrier_on after complete the change.
+
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hns_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
+@@ -243,7 +243,9 @@ static int hns_nic_set_link_ksettings(st
+ }
+
+ if (h->dev->ops->adjust_link) {
++ netif_carrier_off(net_dev);
+ h->dev->ops->adjust_link(h, (int)speed, cmd->base.duplex);
++ netif_carrier_on(net_dev);
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Peng Li <lipeng321@huawei.com>
+Date: Mon, 27 Aug 2018 09:59:29 +0800
+Subject: net: hns: add the code for cleaning pkt in chip
+
+From: Peng Li <lipeng321@huawei.com>
+
+[ Upstream commit 31fabbee8f5c658c3fa1603c66e9e4f51ea8c2c6 ]
+
+If there are packets in hardware when changing the speed
+or duplex, it may cause hardware hang up.
+
+This patch adds the code for waiting chip to clean the all
+pkts(TX & RX) in chip when the driver uses the function named
+"adjust link".
+
+This patch cleans the pkts as follows:
+1) close rx of chip, close tx of protocol stack.
+2) wait rcb, ppe, mac to clean.
+3) adjust link
+4) open rx of chip, open tx of protocol stack.
+
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hnae.h | 2
+ drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c | 67 ++++++++++++++++++++-
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c | 36 +++++++++++
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 44 +++++++++++++
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.h | 8 ++
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c | 29 +++++++++
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.h | 3
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c | 23 +++++++
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.h | 1
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c | 23 +++++++
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.h | 1
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h | 1
+ drivers/net/ethernet/hisilicon/hns/hns_enet.c | 21 +++++-
+ 13 files changed, 255 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns/hnae.h
++++ b/drivers/net/ethernet/hisilicon/hns/hnae.h
+@@ -486,6 +486,8 @@ struct hnae_ae_ops {
+ u8 *auto_neg, u16 *speed, u8 *duplex);
+ void (*toggle_ring_irq)(struct hnae_ring *ring, u32 val);
+ void (*adjust_link)(struct hnae_handle *handle, int speed, int duplex);
++ bool (*need_adjust_link)(struct hnae_handle *handle,
++ int speed, int duplex);
+ int (*set_loopback)(struct hnae_handle *handle,
+ enum hnae_loop loop_mode, int en);
+ void (*get_ring_bdnum_limit)(struct hnae_queue *queue,
+--- a/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c
+@@ -155,6 +155,41 @@ static void hns_ae_put_handle(struct hna
+ hns_ae_get_ring_pair(handle->qs[i])->used_by_vf = 0;
+ }
+
++static int hns_ae_wait_flow_down(struct hnae_handle *handle)
++{
++ struct dsaf_device *dsaf_dev;
++ struct hns_ppe_cb *ppe_cb;
++ struct hnae_vf_cb *vf_cb;
++ int ret;
++ int i;
++
++ for (i = 0; i < handle->q_num; i++) {
++ ret = hns_rcb_wait_tx_ring_clean(handle->qs[i]);
++ if (ret)
++ return ret;
++ }
++
++ ppe_cb = hns_get_ppe_cb(handle);
++ ret = hns_ppe_wait_tx_fifo_clean(ppe_cb);
++ if (ret)
++ return ret;
++
++ dsaf_dev = hns_ae_get_dsaf_dev(handle->dev);
++ if (!dsaf_dev)
++ return -EINVAL;
++ ret = hns_dsaf_wait_pkt_clean(dsaf_dev, handle->dport_id);
++ if (ret)
++ return ret;
++
++ vf_cb = hns_ae_get_vf_cb(handle);
++ ret = hns_mac_wait_fifo_clean(vf_cb->mac_cb);
++ if (ret)
++ return ret;
++
++ mdelay(10);
++ return 0;
++}
++
+ static void hns_ae_ring_enable_all(struct hnae_handle *handle, int val)
+ {
+ int q_num = handle->q_num;
+@@ -399,12 +434,41 @@ static int hns_ae_get_mac_info(struct hn
+ return hns_mac_get_port_info(mac_cb, auto_neg, speed, duplex);
+ }
+
++static bool hns_ae_need_adjust_link(struct hnae_handle *handle, int speed,
++ int duplex)
++{
++ struct hns_mac_cb *mac_cb = hns_get_mac_cb(handle);
++
++ return hns_mac_need_adjust_link(mac_cb, speed, duplex);
++}
++
+ static void hns_ae_adjust_link(struct hnae_handle *handle, int speed,
+ int duplex)
+ {
+ struct hns_mac_cb *mac_cb = hns_get_mac_cb(handle);
+
+- hns_mac_adjust_link(mac_cb, speed, duplex);
++ switch (mac_cb->dsaf_dev->dsaf_ver) {
++ case AE_VERSION_1:
++ hns_mac_adjust_link(mac_cb, speed, duplex);
++ break;
++
++ case AE_VERSION_2:
++ /* chip need to clear all pkt inside */
++ hns_mac_disable(mac_cb, MAC_COMM_MODE_RX);
++ if (hns_ae_wait_flow_down(handle)) {
++ hns_mac_enable(mac_cb, MAC_COMM_MODE_RX);
++ break;
++ }
++
++ hns_mac_adjust_link(mac_cb, speed, duplex);
++ hns_mac_enable(mac_cb, MAC_COMM_MODE_RX);
++ break;
++
++ default:
++ break;
++ }
++
++ return;
+ }
+
+ static void hns_ae_get_ring_bdnum_limit(struct hnae_queue *queue,
+@@ -902,6 +966,7 @@ static struct hnae_ae_ops hns_dsaf_ops =
+ .get_status = hns_ae_get_link_status,
+ .get_info = hns_ae_get_mac_info,
+ .adjust_link = hns_ae_adjust_link,
++ .need_adjust_link = hns_ae_need_adjust_link,
+ .set_loopback = hns_ae_config_loopback,
+ .get_ring_bdnum_limit = hns_ae_get_ring_bdnum_limit,
+ .get_pauseparam = hns_ae_get_pauseparam,
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c
+@@ -257,6 +257,16 @@ static void hns_gmac_get_pausefrm_cfg(vo
+ *tx_pause_en = dsaf_get_bit(pause_en, GMAC_PAUSE_EN_TX_FDFC_B);
+ }
+
++static bool hns_gmac_need_adjust_link(void *mac_drv, enum mac_speed speed,
++ int duplex)
++{
++ struct mac_driver *drv = (struct mac_driver *)mac_drv;
++ struct hns_mac_cb *mac_cb = drv->mac_cb;
++
++ return (mac_cb->speed != speed) ||
++ (mac_cb->half_duplex == duplex);
++}
++
+ static int hns_gmac_adjust_link(void *mac_drv, enum mac_speed speed,
+ u32 full_duplex)
+ {
+@@ -309,6 +319,30 @@ static void hns_gmac_set_promisc(void *m
+ hns_gmac_set_uc_match(mac_drv, en);
+ }
+
++int hns_gmac_wait_fifo_clean(void *mac_drv)
++{
++ struct mac_driver *drv = (struct mac_driver *)mac_drv;
++ int wait_cnt;
++ u32 val;
++
++ wait_cnt = 0;
++ while (wait_cnt++ < HNS_MAX_WAIT_CNT) {
++ val = dsaf_read_dev(drv, GMAC_FIFO_STATE_REG);
++ /* bit5~bit0 is not send complete pkts */
++ if ((val & 0x3f) == 0)
++ break;
++ usleep_range(100, 200);
++ }
++
++ if (wait_cnt >= HNS_MAX_WAIT_CNT) {
++ dev_err(drv->dev,
++ "hns ge %d fifo was not idle.\n", drv->mac_id);
++ return -EBUSY;
++ }
++
++ return 0;
++}
++
+ static void hns_gmac_init(void *mac_drv)
+ {
+ u32 port;
+@@ -690,6 +724,7 @@ void *hns_gmac_config(struct hns_mac_cb
+ mac_drv->mac_disable = hns_gmac_disable;
+ mac_drv->mac_free = hns_gmac_free;
+ mac_drv->adjust_link = hns_gmac_adjust_link;
++ mac_drv->need_adjust_link = hns_gmac_need_adjust_link;
+ mac_drv->set_tx_auto_pause_frames = hns_gmac_set_tx_auto_pause_frames;
+ mac_drv->config_max_frame_length = hns_gmac_config_max_frame_length;
+ mac_drv->mac_pausefrm_cfg = hns_gmac_pause_frm_cfg;
+@@ -717,6 +752,7 @@ void *hns_gmac_config(struct hns_mac_cb
+ mac_drv->get_strings = hns_gmac_get_strings;
+ mac_drv->update_stats = hns_gmac_update_stats;
+ mac_drv->set_promiscuous = hns_gmac_set_promisc;
++ mac_drv->wait_fifo_clean = hns_gmac_wait_fifo_clean;
+
+ return (void *)mac_drv;
+ }
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c
+@@ -114,6 +114,26 @@ int hns_mac_get_port_info(struct hns_mac
+ return 0;
+ }
+
++/**
++ *hns_mac_is_adjust_link - check is need change mac speed and duplex register
++ *@mac_cb: mac device
++ *@speed: phy device speed
++ *@duplex:phy device duplex
++ *
++ */
++bool hns_mac_need_adjust_link(struct hns_mac_cb *mac_cb, int speed, int duplex)
++{
++ struct mac_driver *mac_ctrl_drv;
++
++ mac_ctrl_drv = (struct mac_driver *)(mac_cb->priv.mac);
++
++ if (mac_ctrl_drv->need_adjust_link)
++ return mac_ctrl_drv->need_adjust_link(mac_ctrl_drv,
++ (enum mac_speed)speed, duplex);
++ else
++ return true;
++}
++
+ void hns_mac_adjust_link(struct hns_mac_cb *mac_cb, int speed, int duplex)
+ {
+ int ret;
+@@ -432,6 +452,16 @@ int hns_mac_vm_config_bc_en(struct hns_m
+ return 0;
+ }
+
++int hns_mac_wait_fifo_clean(struct hns_mac_cb *mac_cb)
++{
++ struct mac_driver *drv = hns_mac_get_drv(mac_cb);
++
++ if (drv->wait_fifo_clean)
++ return drv->wait_fifo_clean(drv);
++
++ return 0;
++}
++
+ void hns_mac_reset(struct hns_mac_cb *mac_cb)
+ {
+ struct mac_driver *drv = hns_mac_get_drv(mac_cb);
+@@ -1001,6 +1031,20 @@ static int hns_mac_get_max_port_num(stru
+ return DSAF_MAX_PORT_NUM;
+ }
+
++void hns_mac_enable(struct hns_mac_cb *mac_cb, enum mac_commom_mode mode)
++{
++ struct mac_driver *mac_ctrl_drv = hns_mac_get_drv(mac_cb);
++
++ mac_ctrl_drv->mac_enable(mac_cb->priv.mac, mode);
++}
++
++void hns_mac_disable(struct hns_mac_cb *mac_cb, enum mac_commom_mode mode)
++{
++ struct mac_driver *mac_ctrl_drv = hns_mac_get_drv(mac_cb);
++
++ mac_ctrl_drv->mac_disable(mac_cb->priv.mac, mode);
++}
++
+ /**
+ * hns_mac_init - init mac
+ * @dsaf_dev: dsa fabric device struct pointer
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.h
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.h
+@@ -356,6 +356,9 @@ struct mac_driver {
+ /*adjust mac mode of port,include speed and duplex*/
+ int (*adjust_link)(void *mac_drv, enum mac_speed speed,
+ u32 full_duplex);
++ /* need adjust link */
++ bool (*need_adjust_link)(void *mac_drv, enum mac_speed speed,
++ int duplex);
+ /* config autoegotaite mode of port*/
+ void (*set_an_mode)(void *mac_drv, u8 enable);
+ /* config loopbank mode */
+@@ -394,6 +397,7 @@ struct mac_driver {
+ void (*get_info)(void *mac_drv, struct mac_info *mac_info);
+
+ void (*update_stats)(void *mac_drv);
++ int (*wait_fifo_clean)(void *mac_drv);
+
+ enum mac_mode mac_mode;
+ u8 mac_id;
+@@ -427,6 +431,7 @@ void *hns_xgmac_config(struct hns_mac_cb
+
+ int hns_mac_init(struct dsaf_device *dsaf_dev);
+ void mac_adjust_link(struct net_device *net_dev);
++bool hns_mac_need_adjust_link(struct hns_mac_cb *mac_cb, int speed, int duplex);
+ void hns_mac_get_link_status(struct hns_mac_cb *mac_cb, u32 *link_status);
+ int hns_mac_change_vf_addr(struct hns_mac_cb *mac_cb, u32 vmid, char *addr);
+ int hns_mac_set_multi(struct hns_mac_cb *mac_cb,
+@@ -463,5 +468,8 @@ int hns_mac_add_uc_addr(struct hns_mac_c
+ int hns_mac_rm_uc_addr(struct hns_mac_cb *mac_cb, u8 vf_id,
+ const unsigned char *addr);
+ int hns_mac_clr_multicast(struct hns_mac_cb *mac_cb, int vfn);
++void hns_mac_enable(struct hns_mac_cb *mac_cb, enum mac_commom_mode mode);
++void hns_mac_disable(struct hns_mac_cb *mac_cb, enum mac_commom_mode mode);
++int hns_mac_wait_fifo_clean(struct hns_mac_cb *mac_cb);
+
+ #endif /* _HNS_DSAF_MAC_H */
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
+@@ -2720,6 +2720,35 @@ void hns_dsaf_set_promisc_tcam(struct ds
+ soft_mac_entry->index = enable ? entry_index : DSAF_INVALID_ENTRY_IDX;
+ }
+
++int hns_dsaf_wait_pkt_clean(struct dsaf_device *dsaf_dev, int port)
++{
++ u32 val, val_tmp;
++ int wait_cnt;
++
++ if (port >= DSAF_SERVICE_NW_NUM)
++ return 0;
++
++ wait_cnt = 0;
++ while (wait_cnt++ < HNS_MAX_WAIT_CNT) {
++ val = dsaf_read_dev(dsaf_dev, DSAF_VOQ_IN_PKT_NUM_0_REG +
++ (port + DSAF_XGE_NUM) * 0x40);
++ val_tmp = dsaf_read_dev(dsaf_dev, DSAF_VOQ_OUT_PKT_NUM_0_REG +
++ (port + DSAF_XGE_NUM) * 0x40);
++ if (val == val_tmp)
++ break;
++
++ usleep_range(100, 200);
++ }
++
++ if (wait_cnt >= HNS_MAX_WAIT_CNT) {
++ dev_err(dsaf_dev->dev, "hns dsaf clean wait timeout(%u - %u).\n",
++ val, val_tmp);
++ return -EBUSY;
++ }
++
++ return 0;
++}
++
+ /**
+ * dsaf_probe - probo dsaf dev
+ * @pdev: dasf platform device
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.h
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.h
+@@ -44,6 +44,8 @@ struct hns_mac_cb;
+ #define DSAF_ROCE_CREDIT_CHN 8
+ #define DSAF_ROCE_CHAN_MODE 3
+
++#define HNS_MAX_WAIT_CNT 10000
++
+ enum dsaf_roce_port_mode {
+ DSAF_ROCE_6PORT_MODE,
+ DSAF_ROCE_4PORT_MODE,
+@@ -463,5 +465,6 @@ int hns_dsaf_rm_mac_addr(
+
+ int hns_dsaf_clr_mac_mc_port(struct dsaf_device *dsaf_dev,
+ u8 mac_id, u8 port_num);
++int hns_dsaf_wait_pkt_clean(struct dsaf_device *dsaf_dev, int port);
+
+ #endif /* __HNS_DSAF_MAIN_H__ */
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c
+@@ -274,6 +274,29 @@ static void hns_ppe_exc_irq_en(struct hn
+ dsaf_write_dev(ppe_cb, PPE_INTEN_REG, msk_vlue & vld_msk);
+ }
+
++int hns_ppe_wait_tx_fifo_clean(struct hns_ppe_cb *ppe_cb)
++{
++ int wait_cnt;
++ u32 val;
++
++ wait_cnt = 0;
++ while (wait_cnt++ < HNS_MAX_WAIT_CNT) {
++ val = dsaf_read_dev(ppe_cb, PPE_CURR_TX_FIFO0_REG) & 0x3ffU;
++ if (!val)
++ break;
++
++ usleep_range(100, 200);
++ }
++
++ if (wait_cnt >= HNS_MAX_WAIT_CNT) {
++ dev_err(ppe_cb->dev, "hns ppe tx fifo clean wait timeout, still has %u pkt.\n",
++ val);
++ return -EBUSY;
++ }
++
++ return 0;
++}
++
+ /**
+ * ppe_init_hw - init ppe
+ * @ppe_cb: ppe device
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.h
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.h
+@@ -100,6 +100,7 @@ struct ppe_common_cb {
+
+ };
+
++int hns_ppe_wait_tx_fifo_clean(struct hns_ppe_cb *ppe_cb);
+ int hns_ppe_init(struct dsaf_device *dsaf_dev);
+
+ void hns_ppe_uninit(struct dsaf_device *dsaf_dev);
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c
+@@ -66,6 +66,29 @@ void hns_rcb_wait_fbd_clean(struct hnae_
+ "queue(%d) wait fbd(%d) clean fail!!\n", i, fbd_num);
+ }
+
++int hns_rcb_wait_tx_ring_clean(struct hnae_queue *qs)
++{
++ u32 head, tail;
++ int wait_cnt;
++
++ tail = dsaf_read_dev(&qs->tx_ring, RCB_REG_TAIL);
++ wait_cnt = 0;
++ while (wait_cnt++ < HNS_MAX_WAIT_CNT) {
++ head = dsaf_read_dev(&qs->tx_ring, RCB_REG_HEAD);
++ if (tail == head)
++ break;
++
++ usleep_range(100, 200);
++ }
++
++ if (wait_cnt >= HNS_MAX_WAIT_CNT) {
++ dev_err(qs->dev->dev, "rcb wait timeout, head not equal to tail.\n");
++ return -EBUSY;
++ }
++
++ return 0;
++}
++
+ /**
+ *hns_rcb_reset_ring_hw - ring reset
+ *@q: ring struct pointer
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.h
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.h
+@@ -136,6 +136,7 @@ void hns_rcbv2_int_clr_hw(struct hnae_qu
+ void hns_rcb_init_hw(struct ring_pair_cb *ring);
+ void hns_rcb_reset_ring_hw(struct hnae_queue *q);
+ void hns_rcb_wait_fbd_clean(struct hnae_queue **qs, int q_num, u32 flag);
++int hns_rcb_wait_tx_ring_clean(struct hnae_queue *qs);
+ u32 hns_rcb_get_rx_coalesced_frames(
+ struct rcb_common_cb *rcb_common, u32 port_idx);
+ u32 hns_rcb_get_tx_coalesced_frames(
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h
+@@ -464,6 +464,7 @@
+ #define RCB_RING_INTMSK_TX_OVERTIME_REG 0x000C4
+ #define RCB_RING_INTSTS_TX_OVERTIME_REG 0x000C8
+
++#define GMAC_FIFO_STATE_REG 0x0000UL
+ #define GMAC_DUPLEX_TYPE_REG 0x0008UL
+ #define GMAC_FD_FC_TYPE_REG 0x000CUL
+ #define GMAC_TX_WATER_LINE_REG 0x0010UL
+--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+@@ -1212,11 +1212,26 @@ static void hns_nic_adjust_link(struct n
+ struct hnae_handle *h = priv->ae_handle;
+ int state = 1;
+
++ /* If there is no phy, do not need adjust link */
+ if (ndev->phydev) {
+- h->dev->ops->adjust_link(h, ndev->phydev->speed,
+- ndev->phydev->duplex);
+- state = ndev->phydev->link;
++ /* When phy link down, do nothing */
++ if (ndev->phydev->link == 0)
++ return;
++
++ if (h->dev->ops->need_adjust_link(h, ndev->phydev->speed,
++ ndev->phydev->duplex)) {
++ /* because Hi161X chip don't support to change gmac
++ * speed and duplex with traffic. Delay 200ms to
++ * make sure there is no more data in chip FIFO.
++ */
++ netif_carrier_off(ndev);
++ msleep(200);
++ h->dev->ops->adjust_link(h, ndev->phydev->speed,
++ ndev->phydev->duplex);
++ netif_carrier_on(ndev);
++ }
+ }
++
+ state = state && h->dev->ops->get_status(h);
+
+ if (state != priv->link) {
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Xiao Ni <xni@redhat.com>
+Date: Thu, 30 Aug 2018 15:57:09 +0800
+Subject: RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0
+
+From: Xiao Ni <xni@redhat.com>
+
+[ Upstream commit 1d0ffd264204eba1861865560f1f7f7a92919384 ]
+
+In raid10 reshape_request it gets max_sectors in read_balance. If the underlayer disks
+have bad blocks, the max_sectors is less than last. It will call goto read_more many
+times. It calls raise_barrier(conf, sectors_done != 0) every time. In this condition
+sectors_done is not 0. So the value passed to the argument force of raise_barrier is
+true.
+
+In raise_barrier it checks conf->barrier when force is true. If force is true and
+conf->barrier is 0, it panic. In this case reshape_request submits bio to under layer
+disks. And in the callback function of the bio it calls lower_barrier. If the bio
+finishes before calling raise_barrier again, it can trigger the BUG_ON.
+
+Add one pair of raise_barrier/lower_barrier to fix this bug.
+
+Signed-off-by: Xiao Ni <xni@redhat.com>
+Suggested-by: Neil Brown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid10.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -4394,11 +4394,12 @@ static sector_t reshape_request(struct m
+ allow_barrier(conf);
+ }
+
++ raise_barrier(conf, 0);
+ read_more:
+ /* Now schedule reads for blocks from sector_nr to last */
+ r10_bio = raid10_alloc_init_r10buf(conf);
+ r10_bio->state = 0;
+- raise_barrier(conf, sectors_done != 0);
++ raise_barrier(conf, 1);
+ atomic_set(&r10_bio->remaining, 0);
+ r10_bio->mddev = mddev;
+ r10_bio->sector = sector_nr;
+@@ -4494,6 +4495,8 @@ read_more:
+ if (sector_nr <= last)
+ goto read_more;
+
++ lower_barrier(conf);
++
+ /* Now that we have done the whole section we can
+ * update reshape_progress
+ */
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Varun Prakash <varun@chelsio.com>
+Date: Sat, 11 Aug 2018 21:03:58 +0530
+Subject: scsi: csiostor: add a check for NULL pointer after kmalloc()
+
+From: Varun Prakash <varun@chelsio.com>
+
+[ Upstream commit 89809b028b6f54187b7d81a0c69b35d394c52e62 ]
+
+Reported-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Varun Prakash <varun@chelsio.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/csiostor/csio_hw.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/drivers/scsi/csiostor/csio_hw.c
++++ b/drivers/scsi/csiostor/csio_hw.c
+@@ -2010,8 +2010,8 @@ bye:
+ }
+
+ /*
+- * Returns -EINVAL if attempts to flash the firmware failed
+- * else returns 0,
++ * Returns -EINVAL if attempts to flash the firmware failed,
++ * -ENOMEM if memory allocation failed else returns 0,
+ * if flashing was not attempted because the card had the
+ * latest firmware ECANCELED is returned
+ */
+@@ -2039,6 +2039,13 @@ csio_hw_flash_fw(struct csio_hw *hw, int
+ return -EINVAL;
+ }
+
++ /* allocate memory to read the header of the firmware on the
++ * card
++ */
++ card_fw = kmalloc(sizeof(*card_fw), GFP_KERNEL);
++ if (!card_fw)
++ return -ENOMEM;
++
+ if (csio_is_t5(pci_dev->device & CSIO_HW_CHIP_MASK))
+ fw_bin_file = FW_FNAME_T5;
+ else
+@@ -2052,11 +2059,6 @@ csio_hw_flash_fw(struct csio_hw *hw, int
+ fw_size = fw->size;
+ }
+
+- /* allocate memory to read the header of the firmware on the
+- * card
+- */
+- card_fw = kmalloc(sizeof(*card_fw), GFP_KERNEL);
+-
+ /* upgrade FW logic */
+ ret = csio_hw_prep_fw(hw, fw_info, fw_data, fw_size, card_fw,
+ hw->fw_state, reset);
drm-amd-pp-initialize-result-to-before-or-ing-in-data.patch
drm-amdgpu-add-another-atpx-quirk-for-topaz.patch
serial-mvebu-uart-fix-reporting-of-effective-csize-to-userspace.patch
+tools-power-turbostat-fix-possible-sprintf-buffer-overflow.patch
+mac80211-run-txq-teardown-code-before-de-registering-interfaces.patch
+mac80211_hwsim-require-at-least-one-channel.patch
+kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch
+btrfs-btrfs_shrink_device-should-call-commit-transaction-at-the-end.patch
+scsi-csiostor-add-a-check-for-null-pointer-after-kmalloc.patch
+mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch
+mac80211_hwsim-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch
+gpio-adp5588-fix-sleep-in-atomic-context-bug.patch
+mac80211-mesh-fix-hwmp-sequence-numbering-to-follow-standard.patch
+mac80211-avoid-kernel-panic-when-building-amsdu-from-non-linear-skb.patch
+gpiolib-acpi-switch-to-cansleep-version-of-gpio-library-call.patch
+gpiolib-acpi-register-gpioint-acpi-event-handlers-from-a-late_initcall.patch
+net-hns-add-the-code-for-cleaning-pkt-in-chip.patch
+net-hns-add-netif_carrier_off-before-change-speed-and-duplex.patch
+cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch
+mac80211-do-not-convert-to-a-msdu-if-frag-subframe-limited.patch
+mac80211-always-account-for-a-msdu-header-changes.patch
+tools-kvm_stat-fix-python3-issues.patch
+tools-kvm_stat-fix-handling-of-invalid-paths-in-debugfs-provider.patch
+gpio-fix-crash-due-to-registration-race.patch
+arc-atomics-unbork-atomic_fetch_-op.patch
+md-raid5-cache-disable-reshape-completely.patch
+raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch
+net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch
+i2c-uniphier-issue-stop-only-for-last-message-or-i2c_m_stop.patch
+i2c-uniphier-f-issue-stop-only-for-last-message-or-i2c_m_stop.patch
+net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch
+fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch
+mac80211-fix-an-off-by-one-issue-in-a-msdu-max_subframe-computation.patch
+cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_operating_class.patch
+mac80211-fix-a-race-between-restart-and-csa-flows.patch
+mac80211-fix-station-bandwidth-setting-after-channel-switch.patch
+mac80211-don-t-tx-a-deauth-frame-if-the-ap-forbade-tx.patch
+mac80211-shorten-the-ibss-debug-messages.patch
+tools-vm-slabinfo.c-fix-sign-compare-warning.patch
+tools-vm-page-types.c-fix-defined-but-not-used-warning.patch
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Stefan Raspl <stefan.raspl@de.ibm.com>
+Date: Fri, 24 Aug 2018 14:03:56 +0200
+Subject: tools/kvm_stat: fix handling of invalid paths in debugfs provider
+
+From: Stefan Raspl <stefan.raspl@de.ibm.com>
+
+[ Upstream commit 617c66b9f236d20f11cecbb3f45e6d5675b2fae1 ]
+
+When filtering by guest, kvm_stat displays garbage when the guest is
+destroyed - see sample output below.
+We add code to remove the invalid paths from the providers, so at least
+no more garbage is displayed.
+Here's a sample output to illustrate:
+
+ kvm statistics - pid 13986 (foo)
+
+ Event Total %Total CurAvg/s
+ diagnose_258 -2 0.0 0
+ deliver_program_interruption -3 0.0 0
+ diagnose_308 -4 0.0 0
+ halt_poll_invalid -91 0.0 -6
+ deliver_service_signal -244 0.0 -16
+ halt_successful_poll -250 0.1 -17
+ exit_pei -285 0.1 -19
+ exit_external_request -312 0.1 -21
+ diagnose_9c -328 0.1 -22
+ userspace_handled -713 0.1 -47
+ halt_attempted_poll -939 0.2 -62
+ deliver_emergency_signal -3126 0.6 -208
+ halt_wakeup -7199 1.5 -481
+ exit_wait_state -7379 1.5 -493
+ diagnose_500 -56499 11.5 -3757
+ exit_null -85491 17.4 -5685
+ diagnose_44 -133300 27.1 -8874
+ exit_instruction -195898 39.8 -13037
+ Total -492063
+
+Signed-off-by: Stefan Raspl <raspl@linux.vnet.ibm.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/kvm/kvm_stat/kvm_stat | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/tools/kvm/kvm_stat/kvm_stat
++++ b/tools/kvm/kvm_stat/kvm_stat
+@@ -731,6 +731,13 @@ class DebugfsProvider(Provider):
+ self.do_read = True
+ self.reset()
+
++ def _verify_paths(self):
++ """Remove invalid paths"""
++ for path in self.paths:
++ if not os.path.exists(os.path.join(PATH_DEBUGFS_KVM, path)):
++ self.paths.remove(path)
++ continue
++
+ def read(self, reset=0, by_guest=0):
+ """Returns a dict with format:'file name / field -> current value'.
+
+@@ -745,6 +752,7 @@ class DebugfsProvider(Provider):
+ # If no debugfs filtering support is available, then don't read.
+ if not self.do_read:
+ return results
++ self._verify_paths()
+
+ paths = self.paths
+ if self._pid == 0:
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Stefan Raspl <stefan.raspl@de.ibm.com>
+Date: Fri, 24 Aug 2018 14:03:55 +0200
+Subject: tools/kvm_stat: fix python3 issues
+
+From: Stefan Raspl <stefan.raspl@de.ibm.com>
+
+[ Upstream commit 58f33cfe73076b6497bada4f7b5bda961ed68083 ]
+
+Python3 returns a float for a regular division - switch to a division
+operator that returns an integer.
+Furthermore, filters return a generator object instead of the actual
+list - wrap result in yet another list, which makes it still work in
+both, Python2 and 3.
+
+Signed-off-by: Stefan Raspl <raspl@linux.ibm.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/kvm/kvm_stat/kvm_stat | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/tools/kvm/kvm_stat/kvm_stat
++++ b/tools/kvm/kvm_stat/kvm_stat
+@@ -724,7 +724,7 @@ class DebugfsProvider(Provider):
+ if len(vms) == 0:
+ self.do_read = False
+
+- self.paths = filter(lambda x: "{}-".format(pid) in x, vms)
++ self.paths = list(filter(lambda x: "{}-".format(pid) in x, vms))
+
+ else:
+ self.paths = []
+@@ -1119,10 +1119,10 @@ class Tui(object):
+ (x, term_width) = self.screen.getmaxyx()
+ row = 2
+ for line in text:
+- start = (term_width - len(line)) / 2
++ start = (term_width - len(line)) // 2
+ self.screen.addstr(row, start, line)
+ row += 1
+- self.screen.addstr(row + 1, (term_width - len(hint)) / 2, hint,
++ self.screen.addstr(row + 1, (term_width - len(hint)) // 2, hint,
+ curses.A_STANDOUT)
+ self.screen.getkey()
+
--- /dev/null
+From 46c2797826cc6d1ae36fcbd966e76f9fa1907eef Mon Sep 17 00:00:00 2001
+From: Len Brown <len.brown@intel.com>
+Date: Fri, 8 Dec 2017 17:38:17 -0500
+Subject: tools/power turbostat: fix possible sprintf buffer overflow
+
+From: Len Brown <len.brown@intel.com>
+
+commit 46c2797826cc6d1ae36fcbd966e76f9fa1907eef upstream.
+
+Signed-off-by: Len Brown <len.brown@intel.com>
+Cc: Alakesh Haloi <alakeshh@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/power/x86/turbostat/turbostat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -1485,7 +1485,7 @@ int get_mp(int cpu, struct msr_counter *
+ if (get_msr(cpu, mp->msr_num, counterp))
+ return -1;
+ } else {
+- char path[128];
++ char path[128 + PATH_BYTES];
+
+ if (mp->flags & SYSFS_PERCPU) {
+ sprintf(path, "/sys/devices/system/cpu/cpu%d/%s",
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Date: Tue, 4 Sep 2018 15:45:51 -0700
+Subject: tools/vm/page-types.c: fix "defined but not used" warning
+
+From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+
+[ Upstream commit 7ab660f8baecfe26c1c267fa8e64d2073feae2bb ]
+
+debugfs_known_mountpoints[] is not used any more, so let's remove it.
+
+Link: http://lkml.kernel.org/r/1535102651-19418-1-git-send-email-n-horiguchi@ah.jp.nec.com
+Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/vm/page-types.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/tools/vm/page-types.c
++++ b/tools/vm/page-types.c
+@@ -155,12 +155,6 @@ static const char * const page_flag_name
+ };
+
+
+-static const char * const debugfs_known_mountpoints[] = {
+- "/sys/kernel/debug",
+- "/debug",
+- 0,
+-};
+-
+ /*
+ * data structures
+ */
--- /dev/null
+From foo@baz Thu Oct 4 12:33:16 PDT 2018
+From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Date: Tue, 4 Sep 2018 15:45:48 -0700
+Subject: tools/vm/slabinfo.c: fix sign-compare warning
+
+From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+
+[ Upstream commit 904506562e0856f2535d876407d087c9459d345b ]
+
+Currently we get the following compiler warning:
+
+ slabinfo.c:854:22: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
+ if (s->object_size < min_objsize)
+ ^
+
+due to the mismatch of signed/unsigned comparison. ->object_size and
+->slab_size are never expected to be negative, so let's define them as
+unsigned int.
+
+[n-horiguchi@ah.jp.nec.com: convert everything - none of these can be negative]
+ Link: http://lkml.kernel.org/r/20180826234947.GA9787@hori1.linux.bs1.fc.nec.co.jp
+Link: http://lkml.kernel.org/r/1535103134-20239-1-git-send-email-n-horiguchi@ah.jp.nec.com
+Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/vm/slabinfo.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/vm/slabinfo.c
++++ b/tools/vm/slabinfo.c
+@@ -30,8 +30,8 @@ struct slabinfo {
+ int alias;
+ int refs;
+ int aliases, align, cache_dma, cpu_slabs, destroy_by_rcu;
+- int hwcache_align, object_size, objs_per_slab;
+- int sanity_checks, slab_size, store_user, trace;
++ unsigned int hwcache_align, object_size, objs_per_slab;
++ unsigned int sanity_checks, slab_size, store_user, trace;
+ int order, poison, reclaim_account, red_zone;
+ unsigned long partial, objects, slabs, objects_partial, objects_total;
+ unsigned long alloc_fastpath, alloc_slowpath;
projects / thirdparty / kernel / stable-queue.git / commitdiff
