4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 26 Aug 2018 07:14:09 +0000 (09:14 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 26 Aug 2018 07:14:09 +0000 (09:14 +0200)
added patches:
arc-add-missing-struct-nps_host_reg_aux_dpc.patch
arc-dma-setup-smp_cache_bytes-and-cache_line_size.patch
arc-fix-build-errors-in-arc-include-asm-delay.h.patch
arc-fix-data-type-errors-in-platform-headers.patch
arc-fix-printk-warning-in-arc-plat-eznps-mtm.c.patch
arc-fix-type-warnings-in-arc-mm-cache.c.patch
atl1c-reserve-min-skb-headroom.patch
bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch
bpf-ppc64-fix-unexpected-r0-0-exit-path-inside-bpf_xadd.patch
bpf-use-gfp_atomic-instead-of-gfp_kernel-in-bpf_parse_prog.patch
cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch
cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch
can-m_can-move-accessing-of-message-ram-to-after-clocks-are-enabled.patch
can-mpc5xxx_can-check-of_iomap-return-before-use.patch
drivers-net-lmc-fix-case-value-for-target-abort-error.patch
drm-bridge-adv7511-reset-registers-on-hotplug.patch
drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch
drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch
drm-re-enable-error-handling.patch
enic-do-not-call-enic_change_mtu-in-enic_probe.patch
enic-handle-mtu-change-for-vf-properly.patch
esp6-fix-memleak-on-error-path-in-esp6_input.patch
ext4-clear-mmp-sequence-number-when-remounting-read-only.patch
fscache-allow-cancelled-operations-to-be-enqueued.patch
gpiolib-acpi-make-sure-we-trigger-edge-events-at-least-once-on-boot.patch
hinic-link-the-logical-network-device-to-the-pci-device-in-sysfs.patch
i2c-davinci-avoid-zero-value-of-clkh.patch
i2c-mux-locking-core-annotate-the-nested-rt_mutex-usage.patch
ipc-sem.c-prevent-queue.status-tearing-in-semop.patch
kvm-vmx-use-local-variable-for-current_vmptr-when-emulating-vmptrst.patch
locking-rtmutex-allow-specifying-a-subclass-for-nested-locking.patch
mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch
media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch
memcg-remove-memcg_cgroup-id-from-idr-on-mem_cgroup_css_alloc-failure.patch
mm-delete-historical-bug-from-zap_pmd_range.patch
mm-memory.c-check-return-value-of-ioremap_prot.patch
nbd-don-t-requeue-the-same-request-twice.patch
nbd-handle-unexpected-replies-better.patch
net-axienet-fix-double-deregister-of-mdio.patch
net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch
net-prevent-isa-drivers-from-building-on-ppc32.patch
netfilter-nf_tables-don-t-allow-to-rename-to-already-pending-name.patch
netfilter-nf_tables-fix-memory-leaks-on-chain-rename.patch
netfilter-nft_set_hash-add-rcu_barrier-in-the-nft_rhash_destroy.patch
nfp-flower-fix-port-metadata-conversion-bug.patch
nl80211-add-a-missing-break-in-parse_station_flags.patch
perf-x86-amd-ibs-don-t-access-non-started-event.patch
qed-correct-multicast-api-to-reflect-existence-of-256-approximate-buckets.patch
qed-fix-link-flap-issue-due-to-mismatching-eee-capabilities.patch
qed-fix-possible-race-for-the-link-state-value.patch
qmi_wwan-fix-interface-number-for-dw5821e-production-firmware.patch
revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch
sched-rt-restore-rt_runtime-after-disabling-rt_runtime_share.patch
scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch
scsi-fcoe-drop-frames-in-els-logo-error-path.patch
scsi-fcoe-fix-use-after-free-in-fcoe_ctlr_els_send.patch
scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch
scsi-target-iscsi-cxgbit-fix-max-iso-npdu-calculation.patch
scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch
selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch
sparc-time-add-missing-__init-to-init_tick_ops.patch
sparc-use-asm-generic-version-of-msi.h.patch
squashfs-compute-expected-length-from-inode-size-rather-than-block-length.patch
squashfs-metadata-2-electric-boogaloo.patch
tools-power-turbostat-fix-s-on-up-systems.patch
tools-power-turbostat-read-extended-processor-family-from-cpuid.patch
tools-usb-ffs-test-fix-build-on-big-endian-systems.patch
usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch
usb-gadget-f_uac2-fix-error-handling-in-afunc_bind-again.patch
usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch
usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch
usb-gadget-u_audio-fix-pcm-card-naming-in-g_audio_setup.patch
usb-gadget-u_audio-protect-stream-runtime-fields-with-stream-spinlock.patch
usb-gadget-u_audio-remove-cached-period-bytes-value.patch
usb-gadget-u_audio-remove-caching-of-stream-buffer-parameters.patch
usb-gadget-u_audio-update-hw_ptr-in-iso_complete-after-data-copied.patch
usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch
vti6-fix-pmtu-caching-and-reporting-on-xmit.patch
x86-boot-fix-if_changed-build-flip-flop-bug.patch
xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch
xfrm-free-skb-if-nlsk-pointer-is-null.patch
zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch

83 files changed:
queue-4.14/arc-add-missing-struct-nps_host_reg_aux_dpc.patch [new file with mode: 0644]
queue-4.14/arc-dma-setup-smp_cache_bytes-and-cache_line_size.patch [new file with mode: 0644]
queue-4.14/arc-fix-build-errors-in-arc-include-asm-delay.h.patch [new file with mode: 0644]
queue-4.14/arc-fix-data-type-errors-in-platform-headers.patch [new file with mode: 0644]
queue-4.14/arc-fix-printk-warning-in-arc-plat-eznps-mtm.c.patch [new file with mode: 0644]
queue-4.14/arc-fix-type-warnings-in-arc-mm-cache.c.patch [new file with mode: 0644]
queue-4.14/atl1c-reserve-min-skb-headroom.patch [new file with mode: 0644]
queue-4.14/bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch [new file with mode: 0644]
queue-4.14/bpf-ppc64-fix-unexpected-r0-0-exit-path-inside-bpf_xadd.patch [new file with mode: 0644]
queue-4.14/bpf-use-gfp_atomic-instead-of-gfp_kernel-in-bpf_parse_prog.patch [new file with mode: 0644]
queue-4.14/cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch [new file with mode: 0644]
queue-4.14/cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch [new file with mode: 0644]
queue-4.14/can-m_can-move-accessing-of-message-ram-to-after-clocks-are-enabled.patch [new file with mode: 0644]
queue-4.14/can-mpc5xxx_can-check-of_iomap-return-before-use.patch [new file with mode: 0644]
queue-4.14/drivers-net-lmc-fix-case-value-for-target-abort-error.patch [new file with mode: 0644]
queue-4.14/drm-bridge-adv7511-reset-registers-on-hotplug.patch [new file with mode: 0644]
queue-4.14/drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch [new file with mode: 0644]
queue-4.14/drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch [new file with mode: 0644]
queue-4.14/drm-re-enable-error-handling.patch [new file with mode: 0644]
queue-4.14/enic-do-not-call-enic_change_mtu-in-enic_probe.patch [new file with mode: 0644]
queue-4.14/enic-handle-mtu-change-for-vf-properly.patch [new file with mode: 0644]
queue-4.14/esp6-fix-memleak-on-error-path-in-esp6_input.patch [new file with mode: 0644]
queue-4.14/ext4-clear-mmp-sequence-number-when-remounting-read-only.patch [new file with mode: 0644]
queue-4.14/fscache-allow-cancelled-operations-to-be-enqueued.patch [new file with mode: 0644]
queue-4.14/gpiolib-acpi-make-sure-we-trigger-edge-events-at-least-once-on-boot.patch [new file with mode: 0644]
queue-4.14/hinic-link-the-logical-network-device-to-the-pci-device-in-sysfs.patch [new file with mode: 0644]
queue-4.14/i2c-davinci-avoid-zero-value-of-clkh.patch [new file with mode: 0644]
queue-4.14/i2c-mux-locking-core-annotate-the-nested-rt_mutex-usage.patch [new file with mode: 0644]
queue-4.14/ipc-sem.c-prevent-queue.status-tearing-in-semop.patch [new file with mode: 0644]
queue-4.14/kvm-vmx-use-local-variable-for-current_vmptr-when-emulating-vmptrst.patch [new file with mode: 0644]
queue-4.14/locking-rtmutex-allow-specifying-a-subclass-for-nested-locking.patch [new file with mode: 0644]
queue-4.14/mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch [new file with mode: 0644]
queue-4.14/media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch [new file with mode: 0644]
queue-4.14/memcg-remove-memcg_cgroup-id-from-idr-on-mem_cgroup_css_alloc-failure.patch [new file with mode: 0644]
queue-4.14/mm-delete-historical-bug-from-zap_pmd_range.patch [new file with mode: 0644]
queue-4.14/mm-memory.c-check-return-value-of-ioremap_prot.patch [new file with mode: 0644]
queue-4.14/nbd-don-t-requeue-the-same-request-twice.patch [new file with mode: 0644]
queue-4.14/nbd-handle-unexpected-replies-better.patch [new file with mode: 0644]
queue-4.14/net-axienet-fix-double-deregister-of-mdio.patch [new file with mode: 0644]
queue-4.14/net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch [new file with mode: 0644]
queue-4.14/net-prevent-isa-drivers-from-building-on-ppc32.patch [new file with mode: 0644]
queue-4.14/netfilter-nf_tables-don-t-allow-to-rename-to-already-pending-name.patch [new file with mode: 0644]
queue-4.14/netfilter-nf_tables-fix-memory-leaks-on-chain-rename.patch [new file with mode: 0644]
queue-4.14/netfilter-nft_set_hash-add-rcu_barrier-in-the-nft_rhash_destroy.patch [new file with mode: 0644]
queue-4.14/nfp-flower-fix-port-metadata-conversion-bug.patch [new file with mode: 0644]
queue-4.14/nl80211-add-a-missing-break-in-parse_station_flags.patch [new file with mode: 0644]
queue-4.14/perf-x86-amd-ibs-don-t-access-non-started-event.patch [new file with mode: 0644]
queue-4.14/qed-correct-multicast-api-to-reflect-existence-of-256-approximate-buckets.patch [new file with mode: 0644]
queue-4.14/qed-fix-link-flap-issue-due-to-mismatching-eee-capabilities.patch [new file with mode: 0644]
queue-4.14/qed-fix-possible-race-for-the-link-state-value.patch [new file with mode: 0644]
queue-4.14/qmi_wwan-fix-interface-number-for-dw5821e-production-firmware.patch [new file with mode: 0644]
queue-4.14/revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch [new file with mode: 0644]
queue-4.14/sched-rt-restore-rt_runtime-after-disabling-rt_runtime_share.patch [new file with mode: 0644]
queue-4.14/scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch [new file with mode: 0644]
queue-4.14/scsi-fcoe-drop-frames-in-els-logo-error-path.patch [new file with mode: 0644]
queue-4.14/scsi-fcoe-fix-use-after-free-in-fcoe_ctlr_els_send.patch [new file with mode: 0644]
queue-4.14/scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch [new file with mode: 0644]
queue-4.14/scsi-target-iscsi-cxgbit-fix-max-iso-npdu-calculation.patch [new file with mode: 0644]
queue-4.14/scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch [new file with mode: 0644]
queue-4.14/selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/sparc-time-add-missing-__init-to-init_tick_ops.patch [new file with mode: 0644]
queue-4.14/sparc-use-asm-generic-version-of-msi.h.patch [new file with mode: 0644]
queue-4.14/squashfs-compute-expected-length-from-inode-size-rather-than-block-length.patch [new file with mode: 0644]
queue-4.14/squashfs-metadata-2-electric-boogaloo.patch [new file with mode: 0644]
queue-4.14/tools-power-turbostat-fix-s-on-up-systems.patch [new file with mode: 0644]
queue-4.14/tools-power-turbostat-read-extended-processor-family-from-cpuid.patch [new file with mode: 0644]
queue-4.14/tools-usb-ffs-test-fix-build-on-big-endian-systems.patch [new file with mode: 0644]
queue-4.14/usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch [new file with mode: 0644]
queue-4.14/usb-gadget-f_uac2-fix-error-handling-in-afunc_bind-again.patch [new file with mode: 0644]
queue-4.14/usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch [new file with mode: 0644]
queue-4.14/usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch [new file with mode: 0644]
queue-4.14/usb-gadget-u_audio-fix-pcm-card-naming-in-g_audio_setup.patch [new file with mode: 0644]
queue-4.14/usb-gadget-u_audio-protect-stream-runtime-fields-with-stream-spinlock.patch [new file with mode: 0644]
queue-4.14/usb-gadget-u_audio-remove-cached-period-bytes-value.patch [new file with mode: 0644]
queue-4.14/usb-gadget-u_audio-remove-caching-of-stream-buffer-parameters.patch [new file with mode: 0644]
queue-4.14/usb-gadget-u_audio-update-hw_ptr-in-iso_complete-after-data-copied.patch [new file with mode: 0644]
queue-4.14/usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch [new file with mode: 0644]
queue-4.14/vti6-fix-pmtu-caching-and-reporting-on-xmit.patch [new file with mode: 0644]
queue-4.14/x86-boot-fix-if_changed-build-flip-flop-bug.patch [new file with mode: 0644]
queue-4.14/xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch [new file with mode: 0644]
queue-4.14/xfrm-free-skb-if-nlsk-pointer-is-null.patch [new file with mode: 0644]
queue-4.14/zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch [new file with mode: 0644]

diff --git a/queue-4.14/arc-add-missing-struct-nps_host_reg_aux_dpc.patch b/queue-4.14/arc-add-missing-struct-nps_host_reg_aux_dpc.patch
new file mode 100644 (file)
index 0000000..1ebb103
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Ofer Levi <oferle@mellanox.com>
+Date: Sat, 28 Jul 2018 10:54:41 +0300
+Subject: ARC: [plat-eznps] Add missing struct nps_host_reg_aux_dpc
+
+From: Ofer Levi <oferle@mellanox.com>
+
+[ Upstream commit 05b466bf846d2e8d2f0baf8dfd81a42cc933e237 ]
+
+Fixing compilation issue caused by missing struct nps_host_reg_aux_dpc
+definition.
+
+Fixes: 3f9cd874dcc87 ("ARC: [plat-eznps] avoid toggling of DPC register")
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Ofer Levi <oferle@mellanox.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arc/plat-eznps/include/plat/ctop.h |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/arc/plat-eznps/include/plat/ctop.h
++++ b/arch/arc/plat-eznps/include/plat/ctop.h
+@@ -143,6 +143,15 @@ struct nps_host_reg_gim_p_int_dst {
+ };
+ /* AUX registers definition */
++struct nps_host_reg_aux_dpc {
++      union {
++              struct {
++                      u32 ien:1, men:1, hen:1, reserved:29;
++              };
++              u32 value;
++      };
++};
++
+ struct nps_host_reg_aux_udmc {
+       union {
+               struct {
diff --git a/queue-4.14/arc-dma-setup-smp_cache_bytes-and-cache_line_size.patch b/queue-4.14/arc-dma-setup-smp_cache_bytes-and-cache_line_size.patch
new file mode 100644 (file)
index 0000000..6663bf5
--- /dev/null
@@ -0,0 +1,81 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Date: Thu, 26 Jul 2018 16:15:43 +0300
+Subject: ARC: dma [non-IOC] setup SMP_CACHE_BYTES and cache_line_size
+
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+
+[ Upstream commit eb2777397fd83a4a7eaa26984d09d3babb845d2a ]
+
+As for today we don't setup SMP_CACHE_BYTES and cache_line_size for
+ARC, so they are set to L1_CACHE_BYTES by default. L1 line length
+(L1_CACHE_BYTES) might be easily smaller than L2 line (which is
+usually the case BTW). This breaks code.
+
+For example this breaks ethernet infrastructure on HSDK/AXS103 boards
+with IOC disabled, involving manual cache flushes
+Functions which alloc and manage sk_buff packet data area rely on
+SMP_CACHE_BYTES define. In the result we can share last L2 cache
+line in sk_buff linear packet data area between DMA buffer and
+some useful data in other structure. So we can lose this data when
+we invalidate DMA buffer.
+
+   sk_buff linear packet data area
+                |
+                |
+                |         skb->end        skb->tail
+                V            |                |
+                             V                V
+----------------------------------------------.
+      packet data            | <tail padding> |  <useful data in other struct>
+----------------------------------------------.
+
+---------------------.--------------------------------------------------.
+     SLC line        |             SLC (L2 cache) line (128B)           |
+---------------------.--------------------------------------------------.
+        ^                                     ^
+        |                                     |
+     These cache lines will be invalidated when we invalidate skb
+     linear packet data area before DMA transaction starting.
+
+This leads to issues painful to debug as it reproduces only if
+(sk_buff->end - sk_buff->tail) < SLC_LINE_SIZE and
+if we have some useful data right after sk_buff->end.
+
+Fix that by hardcode SMP_CACHE_BYTES to max line length we may have.
+
+Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arc/Kconfig             |    3 +++
+ arch/arc/include/asm/cache.h |    4 +++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/arc/Kconfig
++++ b/arch/arc/Kconfig
+@@ -45,6 +45,9 @@ config ARC
+       select HAVE_KERNEL_GZIP
+       select HAVE_KERNEL_LZMA
++config ARCH_HAS_CACHE_LINE_SIZE
++      def_bool y
++
+ config MIGHT_HAVE_PCI
+       bool
+--- a/arch/arc/include/asm/cache.h
++++ b/arch/arc/include/asm/cache.h
+@@ -48,7 +48,9 @@
+ })
+ /* Largest line length for either L1 or L2 is 128 bytes */
+-#define ARCH_DMA_MINALIGN      128
++#define SMP_CACHE_BYTES               128
++#define cache_line_size()     SMP_CACHE_BYTES
++#define ARCH_DMA_MINALIGN     SMP_CACHE_BYTES
+ extern void arc_cache_init(void);
+ extern char *arc_cache_mumbojumbo(int cpu_id, char *buf, int len);
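Review bot: The `128` in `#define SMP_CACHE_BYTES 128` is a compile-time assumption about the largest L1/L2 line, and nothing visible in this hunk checks it against the line length the hardware actually reports. If a part has a longer SLC line, the corruption described in the commit message (invalidating a DMA buffer discards neighbouring data in the same line) would return silently. A boot-time comparison of the detected line sizes with `SMP_CACHE_BYTES` in the cache init path, which is outside this hunk, would catch that. The existing comment could also record why the three macros are tied together, e.g. `/* DMA buffers must not share a cache line with other data: invalidate drops the whole line */`.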
diff --git a/queue-4.14/arc-fix-build-errors-in-arc-include-asm-delay.h.patch b/queue-4.14/arc-fix-build-errors-in-arc-include-asm-delay.h.patch
new file mode 100644 (file)
index 0000000..86865c3
--- /dev/null
@@ -0,0 +1,52 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Thu, 26 Jul 2018 20:16:35 -0700
+Subject: arc: fix build errors in arc/include/asm/delay.h
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 2423665ec53f2a29191b35382075e9834288a975 ]
+
+Fix build errors in arch/arc/'s delay.h:
+- add "extern unsigned long loops_per_jiffy;"
+- add <asm-generic/types.h> for "u64"
+
+In file included from ../drivers/infiniband/hw/cxgb3/cxio_hal.c:32:
+../arch/arc/include/asm/delay.h: In function '__udelay':
+../arch/arc/include/asm/delay.h:61:12: error: 'u64' undeclared (first use in this function)
+  loops = ((u64) usecs * 4295 * HZ * loops_per_jiffy) >> 32;
+            ^~~
+
+In file included from ../drivers/infiniband/hw/cxgb3/cxio_hal.c:32:
+../arch/arc/include/asm/delay.h: In function '__udelay':
+../arch/arc/include/asm/delay.h:63:37: error: 'loops_per_jiffy' undeclared (first use in this function)
+  loops = ((u64) usecs * 4295 * HZ * loops_per_jiffy) >> 32;
+                                     ^~~~~~~~~~~~~~~
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Vineet Gupta <vgupta@synopsys.com>
+Cc: linux-snps-arc@lists.infradead.org
+Cc: Elad Kanfi <eladkan@mellanox.com>
+Cc: Leon Romanovsky <leonro@mellanox.com>
+Cc: Ofer Levi <oferle@mellanox.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arc/include/asm/delay.h |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arc/include/asm/delay.h
++++ b/arch/arc/include/asm/delay.h
+@@ -17,8 +17,11 @@
+ #ifndef __ASM_ARC_UDELAY_H
+ #define __ASM_ARC_UDELAY_H
++#include <asm-generic/types.h>
+ #include <asm/param.h>                /* HZ */
++extern unsigned long loops_per_jiffy;
++
+ static inline void __delay(unsigned long loops)
+ {
+       __asm__ __volatile__(
diff --git a/queue-4.14/arc-fix-data-type-errors-in-platform-headers.patch b/queue-4.14/arc-fix-data-type-errors-in-platform-headers.patch
new file mode 100644 (file)
index 0000000..91d21a4
--- /dev/null
@@ -0,0 +1,53 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sun, 29 Jul 2018 11:10:51 -0700
+Subject: arc: [plat-eznps] fix data type errors in platform headers
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit b1f32ce1c3d2c11959b7e6a2c58dc5197c581966 ]
+
+Add <linux/types.h> to fix build errors.
+Both ctop.h and <soc/nps/common.h> use u32 types and cause many
+errors.
+
+Examples:
+../include/soc/nps/common.h:71:4: error: unknown type name 'u32'
+    u32 __reserved:20, cluster:4, core:4, thread:4;
+../include/soc/nps/common.h:76:3: error: unknown type name 'u32'
+   u32 value;
+../include/soc/nps/common.h:124:4: error: unknown type name 'u32'
+    u32 base:8, cl_x:4, cl_y:4,
+../include/soc/nps/common.h:127:3: error: unknown type name 'u32'
+   u32 value;
+
+../arch/arc/plat-eznps/include/plat/ctop.h:83:4: error: unknown type name 'u32'
+    u32 gen:1, gdis:1, clk_gate_dis:1, asb:1,
+../arch/arc/plat-eznps/include/plat/ctop.h:86:3: error: unknown type name 'u32'
+   u32 value;
+../arch/arc/plat-eznps/include/plat/ctop.h:93:4: error: unknown type name 'u32'
+    u32 csa:22, dmsid:6, __reserved:3, cs:1;
+../arch/arc/plat-eznps/include/plat/ctop.h:95:3: error: unknown type name 'u32'
+   u32 value;
+
+Cc: linux-snps-arc@lists.infradead.org
+Cc: Ofer Levi <oferle@mellanox.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arc/plat-eznps/include/plat/ctop.h |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arc/plat-eznps/include/plat/ctop.h
++++ b/arch/arc/plat-eznps/include/plat/ctop.h
+@@ -21,6 +21,7 @@
+ #error "Incorrect ctop.h include"
+ #endif
++#include <linux/types.h>
+ #include <soc/nps/common.h>
+ /* core auxiliary registers */
diff --git a/queue-4.14/arc-fix-printk-warning-in-arc-plat-eznps-mtm.c.patch b/queue-4.14/arc-fix-printk-warning-in-arc-plat-eznps-mtm.c.patch
new file mode 100644 (file)
index 0000000..6f44e41
--- /dev/null
@@ -0,0 +1,74 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Thu, 26 Jul 2018 20:16:35 -0700
+Subject: arc: [plat-eznps] fix printk warning in arc/plat-eznps/mtm.c
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 9e2ea405543d9ddfe05b351f1679e53bd9c11f80 ]
+
+Fix printk format warning in arch/arc/plat-eznps/mtm.c:
+
+In file included from ../include/linux/printk.h:7,
+                 from ../include/linux/kernel.h:14,
+                 from ../include/linux/list.h:9,
+                 from ../include/linux/smp.h:12,
+                 from ../arch/arc/plat-eznps/mtm.c:17:
+../arch/arc/plat-eznps/mtm.c: In function 'set_mtm_hs_ctr':
+../include/linux/kern_levels.h:5:18: warning: format '%d' expects argument of type 'int', but argument 2 has type 'long int' [-Wformat=]
+ #define KERN_SOH "\001"  /* ASCII Start Of Header */
+                  ^~~~~~
+../include/linux/kern_levels.h:11:18: note: in expansion of macro 'KERN_SOH'
+ #define KERN_ERR KERN_SOH "3" /* error conditions */
+                  ^~~~~~~~
+../include/linux/printk.h:308:9: note: in expansion of macro 'KERN_ERR'
+  printk(KERN_ERR pr_fmt(fmt), ##__VA_ARGS__)
+         ^~~~~~~~
+../arch/arc/plat-eznps/mtm.c:166:3: note: in expansion of macro 'pr_err'
+   pr_err("** Invalid @nps_mtm_hs_ctr [%d] needs to be [%d:%d] (incl)\n",
+   ^~~~~~
+../arch/arc/plat-eznps/mtm.c:166:40: note: format string is defined here
+   pr_err("** Invalid @nps_mtm_hs_ctr [%d] needs to be [%d:%d] (incl)\n",
+                                       ~^
+                                       %ld
+The hs_ctr variable can just be int instead of long, so also change
+kstrtol() to kstrtoint() and leave the format string as %d.
+
+Also add 2 header files since they are used in mtm.c and we prefer
+not to depend on accidental/indirect #includes.
+
+Cc: linux-snps-arc@lists.infradead.org
+Cc: Ofer Levi <oferle@mellanox.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arc/plat-eznps/mtm.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/arc/plat-eznps/mtm.c
++++ b/arch/arc/plat-eznps/mtm.c
+@@ -15,6 +15,8 @@
+  */
+ #include <linux/smp.h>
++#include <linux/init.h>
++#include <linux/kernel.h>
+ #include <linux/io.h>
+ #include <linux/log2.h>
+ #include <asm/arcregs.h>
+@@ -157,10 +159,10 @@ void mtm_enable_core(unsigned int cpu)
+ /* Verify and set the value of the mtm hs counter */
+ static int __init set_mtm_hs_ctr(char *ctr_str)
+ {
+-      long hs_ctr;
++      int hs_ctr;
+       int ret;
+-      ret = kstrtol(ctr_str, 0, &hs_ctr);
++      ret = kstrtoint(ctr_str, 0, &hs_ctr);
+       if (ret || hs_ctr > MT_HS_CNT_MAX || hs_ctr < MT_HS_CNT_MIN) {
+               pr_err("** Invalid @nps_mtm_hs_ctr [%d] needs to be [%d:%d] (incl)\n",
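Review bot: On a parse failure `hs_ctr` is still uninitialised when the `pr_err` in the error branch formats it, because the `ret ||` test short-circuits into the branch and `kstrtoint()`, as far as I know, does not write its output when it returns an error. The compiler warning quoted in the commit message identifies `hs_ctr` as the first `%d` argument, although the argument list itself lies outside the hunk. Reading it there is undefined behaviour and puts whatever was on the stack into the kernel log. Declaring it as `int hs_ctr = 0;`, or reporting the parse error separately from the range error, avoids that. The body of set_mtm_hs_ctr continues past the end of the hunk.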
diff --git a/queue-4.14/arc-fix-type-warnings-in-arc-mm-cache.c.patch b/queue-4.14/arc-fix-type-warnings-in-arc-mm-cache.c.patch
new file mode 100644 (file)
index 0000000..7577b85
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Thu, 26 Jul 2018 20:16:35 -0700
+Subject: arc: fix type warnings in arc/mm/cache.c
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit ec837d620c750c0d4996a907c8c4f7febe1bbeee ]
+
+Fix type warnings in arch/arc/mm/cache.c.
+
+../arch/arc/mm/cache.c: In function 'flush_anon_page':
+../arch/arc/mm/cache.c:1062:55: warning: passing argument 2 of '__flush_dcache_page' makes integer from pointer without a cast [-Wint-conversion]
+  __flush_dcache_page((phys_addr_t)page_address(page), page_address(page));
+                                                       ^~~~~~~~~~~~~~~~~~
+../arch/arc/mm/cache.c:1013:59: note: expected 'long unsigned int' but argument is of type 'void *'
+ void __flush_dcache_page(phys_addr_t paddr, unsigned long vaddr)
+                                             ~~~~~~~~~~~~~~^~~~~
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Vineet Gupta <vgupta@synopsys.com>
+Cc: linux-snps-arc@lists.infradead.org
+Cc: Elad Kanfi <eladkan@mellanox.com>
+Cc: Leon Romanovsky <leonro@mellanox.com>
+Cc: Ofer Levi <oferle@mellanox.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arc/mm/cache.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/arc/mm/cache.c
++++ b/arch/arc/mm/cache.c
+@@ -1035,7 +1035,7 @@ void flush_cache_mm(struct mm_struct *mm
+ void flush_cache_page(struct vm_area_struct *vma, unsigned long u_vaddr,
+                     unsigned long pfn)
+ {
+-      unsigned int paddr = pfn << PAGE_SHIFT;
++      phys_addr_t paddr = pfn << PAGE_SHIFT;
+       u_vaddr &= PAGE_MASK;
+@@ -1055,8 +1055,9 @@ void flush_anon_page(struct vm_area_stru
+                    unsigned long u_vaddr)
+ {
+       /* TBD: do we really need to clear the kernel mapping */
+-      __flush_dcache_page(page_address(page), u_vaddr);
+-      __flush_dcache_page(page_address(page), page_address(page));
++      __flush_dcache_page((phys_addr_t)page_address(page), u_vaddr);
++      __flush_dcache_page((phys_addr_t)page_address(page),
++                          (phys_addr_t)page_address(page));
+ }
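Review bot: In flush_cache_page the shift in `phys_addr_t paddr = pfn << PAGE_SHIFT;` is still evaluated in `unsigned long` and only then widened, so on a configuration where `phys_addr_t` is wider than `unsigned long` the high bits are lost before the assignment; `phys_addr_t paddr = (phys_addr_t)pfn << PAGE_SHIFT;` keeps them. In flush_anon_page the second argument of the second call is cast to `phys_addr_t`, but the prototype quoted in the commit message declares it as `unsigned long vaddr`, so `(unsigned long)page_address(page)` is the matching cast. Both calls also pass the kernel virtual address from `page_address()` as the `paddr` parameter, and the new cast hides that from the compiler; this looks worth confirming alongside the existing TBD comment. flush_cache_page continues outside the hunk.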
diff --git a/queue-4.14/atl1c-reserve-min-skb-headroom.patch b/queue-4.14/atl1c-reserve-min-skb-headroom.patch
new file mode 100644 (file)
index 0000000..7c7df06
--- /dev/null
@@ -0,0 +1,51 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 20 Jul 2018 19:30:57 +0200
+Subject: atl1c: reserve min skb headroom
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 6e56830776828d8ca9897fc4429eeab47c3bb432 ]
+
+Got crash report with following backtrace:
+BUG: unable to handle kernel paging request at ffff8801869daffe
+RIP: 0010:[<ffffffff816429c4>]  [<ffffffff816429c4>] ip6_finish_output2+0x394/0x4c0
+RSP: 0018:ffff880186c83a98  EFLAGS: 00010283
+RAX: ffff8801869db00e ...
+  [<ffffffff81644cdc>] ip6_finish_output+0x8c/0xf0
+  [<ffffffff81644d97>] ip6_output+0x57/0x100
+  [<ffffffff81643dc9>] ip6_forward+0x4b9/0x840
+  [<ffffffff81645566>] ip6_rcv_finish+0x66/0xc0
+  [<ffffffff81645db9>] ipv6_rcv+0x319/0x530
+  [<ffffffff815892ac>] netif_receive_skb+0x1c/0x70
+  [<ffffffffc0060bec>] atl1c_clean+0x1ec/0x310 [atl1c]
+  ...
+
+The bad access is in neigh_hh_output(), at skb->data - 16 (HH_DATA_MOD).
+atl1c driver provided skb with no headroom, so 14 bytes (ethernet
+header) got pulled, but then 16 are copied.
+
+Reserve NET_SKB_PAD bytes headroom, like netdev_alloc_skb().
+
+Compile tested only; I lack hardware.
+
+Fixes: 7b7017642199 ("atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/atheros/atl1c/atl1c_main.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+@@ -1685,6 +1685,7 @@ static struct sk_buff *atl1c_alloc_skb(s
+       skb = build_skb(page_address(page) + adapter->rx_page_offset,
+                       adapter->rx_frag_size);
+       if (likely(skb)) {
++              skb_reserve(skb, NET_SKB_PAD);
+               adapter->rx_page_offset += adapter->rx_frag_size;
+               if (adapter->rx_page_offset >= PAGE_SIZE)
+                       adapter->rx_page = NULL;
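Review bot: `skb_reserve(skb, NET_SKB_PAD)` moves `skb->data` forward inside a buffer that `build_skb()` was given as `adapter->rx_frag_size` bytes, so the room left for the received frame shrinks by NET_SKB_PAD. The computation of `rx_frag_size` and the DMA mapping of the buffer are outside this hunk, as is the rest of atl1c_alloc_skb. It should be confirmed that the fragment size already budgets for the headroom and that the mapped address and length are taken after the reserve, otherwise a maximum-size frame could run past the data area into `skb_shared_info`. The commit message says the change was compile tested only, which makes that check more important. A short comment such as `/* headroom for the L2 header rewrite on forward, as netdev_alloc_skb() provides */` would record why the reserve is there.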
diff --git a/queue-4.14/bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch b/queue-4.14/bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch
new file mode 100644 (file)
index 0000000..db01995
--- /dev/null
@@ -0,0 +1,61 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
+Date: Tue, 24 Jul 2018 02:43:52 -0700
+Subject: bnx2x: Fix invalid memory access in rss hash config path.
+
+From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
+
+[ Upstream commit ae2dcb28c24794a87e424a726a1cf1a61980f52d ]
+
+Rx hash/filter table configuration uses rss_conf_obj to configure filters
+in the hardware. This object is initialized only when the interface is
+brought up.
+This patch adds driver changes to configure rss params only when the device
+is in opened state. In port disabled case, the config will be cached in the
+driver structure which will be applied in the successive load path.
+
+Please consider applying it to 'net' branch.
+
+Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+@@ -3387,14 +3387,18 @@ static int bnx2x_set_rss_flags(struct bn
+                       DP(BNX2X_MSG_ETHTOOL,
+                          "rss re-configured, UDP 4-tupple %s\n",
+                          udp_rss_requested ? "enabled" : "disabled");
+-                      return bnx2x_rss(bp, &bp->rss_conf_obj, false, true);
++                      if (bp->state == BNX2X_STATE_OPEN)
++                              return bnx2x_rss(bp, &bp->rss_conf_obj, false,
++                                               true);
+               } else if ((info->flow_type == UDP_V6_FLOW) &&
+                          (bp->rss_conf_obj.udp_rss_v6 != udp_rss_requested)) {
+                       bp->rss_conf_obj.udp_rss_v6 = udp_rss_requested;
+                       DP(BNX2X_MSG_ETHTOOL,
+                          "rss re-configured, UDP 4-tupple %s\n",
+                          udp_rss_requested ? "enabled" : "disabled");
+-                      return bnx2x_rss(bp, &bp->rss_conf_obj, false, true);
++                      if (bp->state == BNX2X_STATE_OPEN)
++                              return bnx2x_rss(bp, &bp->rss_conf_obj, false,
++                                               true);
+               }
+               return 0;
+@@ -3508,7 +3512,10 @@ static int bnx2x_set_rxfh(struct net_dev
+               bp->rss_conf_obj.ind_table[i] = indir[i] + bp->fp->cl_id;
+       }
+-      return bnx2x_config_rss_eth(bp, false);
++      if (bp->state == BNX2X_STATE_OPEN)
++              return bnx2x_config_rss_eth(bp, false);
++
++      return 0;
+ }
+ /**
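Review bot: The `bp->state == BNX2X_STATE_OPEN` guard is added at three call sites (both UDP branches of bnx2x_set_rss_flags() and the tail of bnx2x_set_rxfh()) without a comment saying why the hardware call is skipped. A reader sees the function return 0 without programming anything. Per the description, rss_conf_obj is only initialised when the interface is brought up and the cached setting is applied on the next load. I would record that at the first guard, e.g. `/* rss_conf_obj is only initialised while the device is open; otherwise keep the cached value, it is applied on the next load */`. Both functions start outside the hunks, so whether any other path reaches bnx2x_rss() or bnx2x_config_rss_eth() while the port is down cannot be judged from here.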
diff --git a/queue-4.14/bpf-ppc64-fix-unexpected-r0-0-exit-path-inside-bpf_xadd.patch b/queue-4.14/bpf-ppc64-fix-unexpected-r0-0-exit-path-inside-bpf_xadd.patch
new file mode 100644 (file)
index 0000000..70410cb
--- /dev/null
@@ -0,0 +1,97 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu, 19 Jul 2018 18:18:35 +0200
+Subject: bpf, ppc64: fix unexpected r0=0 exit path inside bpf_xadd
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit b9c1e60e7bf4e64ac1b4f4d6d593f0bb57886973 ]
+
+None of the JITs is allowed to implement exit paths from the BPF
+insn mappings other than BPF_JMP | BPF_EXIT. In the BPF core code
+we have a couple of rewrites in eBPF (e.g. LD_ABS / LD_IND) and
+in eBPF to cBPF translation to retain old existing behavior where
+exceptions may occur; they are also tightly controlled by the
+verifier where it disallows some of the features such as BPF to
+BPF calls when legacy LD_ABS / LD_IND ops are present in the BPF
+program. During recent review of all BPF_XADD JIT implementations
+I noticed that the ppc64 one is buggy in that it contains two
+jumps to exit paths. This is problematic as this can bypass verifier
+expectations e.g. pointed out in commit f6b1b3bf0d5f ("bpf: fix
+subprog verifier bypass by div/mod by 0 exception"). The first
+exit path is obsoleted by the fix in ca36960211eb ("bpf: allow xadd
+only on aligned memory") anyway, and for the second one we need to
+do a fetch, add and store loop if the reservation from lwarx/ldarx
+was lost in the meantime.
+
+Fixes: 156d0e290e96 ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
+Reviewed-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Reviewed-by: Sandipan Das <sandipan@linux.vnet.ibm.com>
+Tested-by: Sandipan Das <sandipan@linux.vnet.ibm.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/net/bpf_jit_comp64.c |   29 +++++------------------------
+ 1 file changed, 5 insertions(+), 24 deletions(-)
+
+--- a/arch/powerpc/net/bpf_jit_comp64.c
++++ b/arch/powerpc/net/bpf_jit_comp64.c
+@@ -322,6 +322,7 @@ static int bpf_jit_build_body(struct bpf
+               u64 imm64;
+               u8 *func;
+               u32 true_cond;
++              u32 tmp_idx;
+               /*
+                * addrs[] maps a BPF bytecode address into a real offset from
+@@ -681,11 +682,7 @@ emit_clear:
+               case BPF_STX | BPF_XADD | BPF_W:
+                       /* Get EA into TMP_REG_1 */
+                       PPC_ADDI(b2p[TMP_REG_1], dst_reg, off);
+-                      /* error if EA is not word-aligned */
+-                      PPC_ANDI(b2p[TMP_REG_2], b2p[TMP_REG_1], 0x03);
+-                      PPC_BCC_SHORT(COND_EQ, (ctx->idx * 4) + 12);
+-                      PPC_LI(b2p[BPF_REG_0], 0);
+-                      PPC_JMP(exit_addr);
++                      tmp_idx = ctx->idx * 4;
+                       /* load value from memory into TMP_REG_2 */
+                       PPC_BPF_LWARX(b2p[TMP_REG_2], 0, b2p[TMP_REG_1], 0);
+                       /* add value from src_reg into this */
+@@ -693,32 +690,16 @@ emit_clear:
+                       /* store result back */
+                       PPC_BPF_STWCX(b2p[TMP_REG_2], 0, b2p[TMP_REG_1]);
+                       /* we're done if this succeeded */
+-                      PPC_BCC_SHORT(COND_EQ, (ctx->idx * 4) + (7*4));
+-                      /* otherwise, let's try once more */
+-                      PPC_BPF_LWARX(b2p[TMP_REG_2], 0, b2p[TMP_REG_1], 0);
+-                      PPC_ADD(b2p[TMP_REG_2], b2p[TMP_REG_2], src_reg);
+-                      PPC_BPF_STWCX(b2p[TMP_REG_2], 0, b2p[TMP_REG_1]);
+-                      /* exit if the store was not successful */
+-                      PPC_LI(b2p[BPF_REG_0], 0);
+-                      PPC_BCC(COND_NE, exit_addr);
++                      PPC_BCC_SHORT(COND_NE, tmp_idx);
+                       break;
+               /* *(u64 *)(dst + off) += src */
+               case BPF_STX | BPF_XADD | BPF_DW:
+                       PPC_ADDI(b2p[TMP_REG_1], dst_reg, off);
+-                      /* error if EA is not doubleword-aligned */
+-                      PPC_ANDI(b2p[TMP_REG_2], b2p[TMP_REG_1], 0x07);
+-                      PPC_BCC_SHORT(COND_EQ, (ctx->idx * 4) + (3*4));
+-                      PPC_LI(b2p[BPF_REG_0], 0);
+-                      PPC_JMP(exit_addr);
+-                      PPC_BPF_LDARX(b2p[TMP_REG_2], 0, b2p[TMP_REG_1], 0);
+-                      PPC_ADD(b2p[TMP_REG_2], b2p[TMP_REG_2], src_reg);
+-                      PPC_BPF_STDCX(b2p[TMP_REG_2], 0, b2p[TMP_REG_1]);
+-                      PPC_BCC_SHORT(COND_EQ, (ctx->idx * 4) + (7*4));
++                      tmp_idx = ctx->idx * 4;
+                       PPC_BPF_LDARX(b2p[TMP_REG_2], 0, b2p[TMP_REG_1], 0);
+                       PPC_ADD(b2p[TMP_REG_2], b2p[TMP_REG_2], src_reg);
+                       PPC_BPF_STDCX(b2p[TMP_REG_2], 0, b2p[TMP_REG_1]);
+-                      PPC_LI(b2p[BPF_REG_0], 0);
+-                      PPC_BCC(COND_NE, exit_addr);
++                      PPC_BCC_SHORT(COND_NE, tmp_idx);
+                       break;
+               /*
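Review bot: In the BPF_W case the retained comment `/* we're done if this succeeded */` now sits directly above `PPC_BCC_SHORT(COND_NE, tmp_idx)`, which branches back when the store-conditional failed, so the comment describes the opposite of what the next line does. I would replace it with `/* reservation lost: retry from the lwarx */` and add the matching `/* reservation lost: retry from the ldarx */` in the BPF_DW case, which has no comments at all after the change. A short note at `tmp_idx = ctx->idx * 4;` saying that it records the offset of the load-reserve instruction as the loop target would also help, since the name does not convey that. bpf_jit_build_body() starts and ends outside these hunks.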
diff --git a/queue-4.14/bpf-use-gfp_atomic-instead-of-gfp_kernel-in-bpf_parse_prog.patch b/queue-4.14/bpf-use-gfp_atomic-instead-of-gfp_kernel-in-bpf_parse_prog.patch
new file mode 100644 (file)
index 0000000..4be2b42
--- /dev/null
@@ -0,0 +1,72 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Sun, 29 Jul 2018 00:28:31 +0900
+Subject: bpf: use GFP_ATOMIC instead of GFP_KERNEL in bpf_parse_prog()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 71eb5255f55bdb484d35ff7c9a1803f453dfbf82 ]
+
+bpf_parse_prog() is protected by rcu_read_lock().
+so that GFP_KERNEL is not allowed in the bpf_parse_prog().
+
+[51015.579396] =============================
+[51015.579418] WARNING: suspicious RCU usage
+[51015.579444] 4.18.0-rc6+ #208 Not tainted
+[51015.579464] -----------------------------
+[51015.579488] ./include/linux/rcupdate.h:303 Illegal context switch in RCU read-side critical section!
+[51015.579510] other info that might help us debug this:
+[51015.579532] rcu_scheduler_active = 2, debug_locks = 1
+[51015.579556] 2 locks held by ip/1861:
+[51015.579577]  #0: 00000000a8c12fd1 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x2e0/0x910
+[51015.579711]  #1: 00000000bf815f8e (rcu_read_lock){....}, at: lwtunnel_build_state+0x96/0x390
+[51015.579842] stack backtrace:
+[51015.579869] CPU: 0 PID: 1861 Comm: ip Not tainted 4.18.0-rc6+ #208
+[51015.579891] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
+[51015.579911] Call Trace:
+[51015.579950]  dump_stack+0x74/0xbb
+[51015.580000]  ___might_sleep+0x16b/0x3a0
+[51015.580047]  __kmalloc_track_caller+0x220/0x380
+[51015.580077]  kmemdup+0x1c/0x40
+[51015.580077]  bpf_parse_prog+0x10e/0x230
+[51015.580164]  ? kasan_kmalloc+0xa0/0xd0
+[51015.580164]  ? bpf_destroy_state+0x30/0x30
+[51015.580164]  ? bpf_build_state+0xe2/0x3e0
+[51015.580164]  bpf_build_state+0x1bb/0x3e0
+[51015.580164]  ? bpf_parse_prog+0x230/0x230
+[51015.580164]  ? lock_is_held_type+0x123/0x1a0
+[51015.580164]  lwtunnel_build_state+0x1aa/0x390
+[51015.580164]  fib_create_info+0x1579/0x33d0
+[51015.580164]  ? sched_clock_local+0xe2/0x150
+[51015.580164]  ? fib_info_update_nh_saddr+0x1f0/0x1f0
+[51015.580164]  ? sched_clock_local+0xe2/0x150
+[51015.580164]  fib_table_insert+0x201/0x1990
+[51015.580164]  ? lock_downgrade+0x610/0x610
+[51015.580164]  ? fib_table_lookup+0x1920/0x1920
+[51015.580164]  ? lwtunnel_valid_encap_type.part.6+0xcb/0x3a0
+[51015.580164]  ? rtm_to_fib_config+0x637/0xbd0
+[51015.580164]  inet_rtm_newroute+0xed/0x1b0
+[51015.580164]  ? rtm_to_fib_config+0xbd0/0xbd0
+[51015.580164]  rtnetlink_rcv_msg+0x331/0x910
+[ ... ]
+
+Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/lwt_bpf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/lwt_bpf.c
++++ b/net/core/lwt_bpf.c
+@@ -217,7 +217,7 @@ static int bpf_parse_prog(struct nlattr
+       if (!tb[LWT_BPF_PROG_FD] || !tb[LWT_BPF_PROG_NAME])
+               return -EINVAL;
+-      prog->name = nla_memdup(tb[LWT_BPF_PROG_NAME], GFP_KERNEL);
++      prog->name = nla_memdup(tb[LWT_BPF_PROG_NAME], GFP_ATOMIC);
+       if (!prog->name)
+               return -ENOMEM;
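Review bot: Nothing at the `nla_memdup(..., GFP_ATOMIC)` call site says why an atomic allocation is used, and the constraint comes from a caller rather than from bpf_parse_prog() itself. According to the description and the lockdep trace, lwtunnel_build_state() holds rcu_read_lock() around this path. A one-line comment such as `/* called under rcu_read_lock() via lwtunnel_build_state(): must not sleep */` would stop the flag from being changed back during a later cleanup. The rest of bpf_parse_prog() is outside the hunk, so any other allocation or sleeping call on the same path is not visible here and deserves the same check.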
diff --git a/queue-4.14/cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch b/queue-4.14/cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch
new file mode 100644 (file)
index 0000000..d473ed7
--- /dev/null
@@ -0,0 +1,118 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+Date: Tue, 18 Jul 2017 16:25:49 -0700
+Subject: cachefiles: Fix refcounting bug in backing-file read monitoring
+
+From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+
+[ Upstream commit 934140ab028713a61de8bca58c05332416d037d1 ]
+
+cachefiles_read_waiter() has the right to access a 'monitor' object by
+virtue of being called under the waitqueue lock for one of the pages in its
+purview.  However, it has no ref on that monitor object or on the
+associated operation.
+
+What it is allowed to do is to move the monitor object to the operation's
+to_do list, but once it drops the work_lock, it's actually no longer
+permitted to access that object.  However, it is trying to enqueue the
+retrieval operation for processing - but it can only do this via a pointer
+in the monitor object, something it shouldn't be doing.
+
+If it doesn't enqueue the operation, the operation may not get processed.
+If the order is flipped so that the enqueue is first, then it's possible
+for the work processor to look at the to_do list before the monitor is
+enqueued upon it.
+
+Fix this by getting a ref on the operation so that we can trust that it
+will still be there once we've added the monitor to the to_do list and
+dropped the work_lock.  The op can then be enqueued after the lock is
+dropped.
+
+The bug can manifest in one of a couple of ways.  The first manifestation
+looks like:
+
+ FS-Cache:
+ FS-Cache: Assertion failed
+ FS-Cache: 6 == 5 is false
+ ------------[ cut here ]------------
+ kernel BUG at fs/fscache/operation.c:494!
+ RIP: 0010:fscache_put_operation+0x1e3/0x1f0
+ ...
+ fscache_op_work_func+0x26/0x50
+ process_one_work+0x131/0x290
+ worker_thread+0x45/0x360
+ kthread+0xf8/0x130
+ ? create_worker+0x190/0x190
+ ? kthread_cancel_work_sync+0x10/0x10
+ ret_from_fork+0x1f/0x30
+
+This is due to the operation being in the DEAD state (6) rather than
+INITIALISED, COMPLETE or CANCELLED (5) because it's already passed through
+fscache_put_operation().
+
+The bug can also manifest like the following:
+
+ kernel BUG at fs/fscache/operation.c:69!
+ ...
+    [exception RIP: fscache_enqueue_operation+246]
+ ...
+ #7 [ffff883fff083c10] fscache_enqueue_operation at ffffffffa0b793c6
+ #8 [ffff883fff083c28] cachefiles_read_waiter at ffffffffa0b15a48
+ #9 [ffff883fff083c48] __wake_up_common at ffffffff810af028
+
+I'm not entirely certain as to which is line 69 in Lei's kernel, so I'm not
+entirely clear which assertion failed.
+
+Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
+Reported-by: Lei Xue <carmark.dlut@gmail.com>
+Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
+Reported-by: Anthony DeRobertis <aderobertis@metrics.net>
+Reported-by: NeilBrown <neilb@suse.com>
+Reported-by: Daniel Axtens <dja@axtens.net>
+Reported-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cachefiles/rdwr.c |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/fs/cachefiles/rdwr.c
++++ b/fs/cachefiles/rdwr.c
+@@ -27,6 +27,7 @@ static int cachefiles_read_waiter(wait_q
+       struct cachefiles_one_read *monitor =
+               container_of(wait, struct cachefiles_one_read, monitor);
+       struct cachefiles_object *object;
++      struct fscache_retrieval *op = monitor->op;
+       struct wait_bit_key *key = _key;
+       struct page *page = wait->private;
+@@ -51,16 +52,22 @@ static int cachefiles_read_waiter(wait_q
+       list_del(&wait->entry);
+       /* move onto the action list and queue for FS-Cache thread pool */
+-      ASSERT(monitor->op);
++      ASSERT(op);
+-      object = container_of(monitor->op->op.object,
+-                            struct cachefiles_object, fscache);
++      /* We need to temporarily bump the usage count as we don't own a ref
++       * here otherwise cachefiles_read_copier() may free the op between the
++       * monitor being enqueued on the op->to_do list and the op getting
++       * enqueued on the work queue.
++       */
++      fscache_get_retrieval(op);
++      object = container_of(op->op.object, struct cachefiles_object, fscache);
+       spin_lock(&object->work_lock);
+-      list_add_tail(&monitor->op_link, &monitor->op->to_do);
++      list_add_tail(&monitor->op_link, &op->to_do);
+       spin_unlock(&object->work_lock);
+-      fscache_enqueue_retrieval(monitor->op);
++      fscache_enqueue_retrieval(op);
++      fscache_put_retrieval(op);
+       return 0;
+ }
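Review bot: The new `fscache_put_retrieval(op)` at the end of cachefiles_read_waiter() may be the final put, and the description states that this function is called under the waitqueue lock. If cachefiles_read_copier() finishes and drops its reference between the enqueue and this put, the release would then run from the wake-up callback. Nothing in the hunk shows whether that release path is safe in atomic context, so this should be confirmed. I would extend the added comment with one sentence to that effect, for example `The matching put below may be the last one and must therefore not sleep.` Only the start and the tail of the function are visible in these hunks.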
diff --git a/queue-4.14/cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch b/queue-4.14/cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch
new file mode 100644 (file)
index 0000000..c1d791b
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+Date: Thu, 21 Jun 2018 13:25:53 -0700
+Subject: cachefiles: Wait rather than BUG'ing on "Unexpected object collision"
+
+From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+
+[ Upstream commit c2412ac45a8f8f1cd582723c1a139608694d410d ]
+
+If we meet a conflicting object that is marked FSCACHE_OBJECT_IS_LIVE in
+the active object tree, we have been emitting a BUG after logging
+information about it and the new object.
+
+Instead, we should wait for the CACHEFILES_OBJECT_ACTIVE flag to be cleared
+on the old object (or return an error).  The ACTIVE flag should be cleared
+after it has been removed from the active object tree.  A timeout of 60s is
+used in the wait, so we shouldn't be able to get stuck there.
+
+Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
+Signed-off-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cachefiles/namei.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/cachefiles/namei.c
++++ b/fs/cachefiles/namei.c
+@@ -195,7 +195,6 @@ wait_for_old_object:
+               pr_err("\n");
+               pr_err("Error: Unexpected object collision\n");
+               cachefiles_printk_object(object, xobject);
+-              BUG();
+       }
+       atomic_inc(&xobject->usage);
+       write_unlock(&cache->active_lock);
diff --git a/queue-4.14/can-m_can-move-accessing-of-message-ram-to-after-clocks-are-enabled.patch b/queue-4.14/can-m_can-move-accessing-of-message-ram-to-after-clocks-are-enabled.patch
new file mode 100644 (file)
index 0000000..c588c93
--- /dev/null
@@ -0,0 +1,58 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Faiz Abbas <faiz_abbas@ti.com>
+Date: Tue, 3 Jul 2018 16:47:10 +0530
+Subject: can: m_can: Move accessing of message ram to after clocks are enabled
+
+From: Faiz Abbas <faiz_abbas@ti.com>
+
+[ Upstream commit 54e4a0c486041dc1c20593d997fafd67089e8408 ]
+
+MCAN message ram should only be accessed once clocks are enabled.
+Therefore, move the call to parse/init the message ram to after
+clocks are enabled.
+
+Signed-off-by: Faiz Abbas <faiz_abbas@ti.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/m_can/m_can.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -1637,8 +1637,6 @@ static int m_can_plat_probe(struct platf
+       priv->can.clock.freq = clk_get_rate(cclk);
+       priv->mram_base = mram_addr;
+-      m_can_of_parse_mram(priv, mram_config_vals);
+-
+       platform_set_drvdata(pdev, dev);
+       SET_NETDEV_DEV(dev, &pdev->dev);
+@@ -1649,6 +1647,8 @@ static int m_can_plat_probe(struct platf
+               goto failed_free_dev;
+       }
++      m_can_of_parse_mram(priv, mram_config_vals);
++
+       devm_can_led_init(dev);
+       dev_info(&pdev->dev, "%s device registered (irq=%d, version=%d)\n",
+@@ -1698,8 +1698,6 @@ static __maybe_unused int m_can_resume(s
+       pinctrl_pm_select_default_state(dev);
+-      m_can_init_ram(priv);
+-
+       priv->can.state = CAN_STATE_ERROR_ACTIVE;
+       if (netif_running(ndev)) {
+@@ -1709,6 +1707,7 @@ static __maybe_unused int m_can_resume(s
+               if (ret)
+                       return ret;
++              m_can_init_ram(priv);
+               m_can_start(ndev);
+               netif_device_attach(ndev);
+               netif_start_queue(ndev);
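Review bot: The ordering rule this change relies on (message RAM may only be touched once the clocks are enabled) is stated in the description but not at either moved call. A later reshuffle of m_can_plat_probe() or m_can_resume() could therefore undo it unnoticed. I would add `/* message RAM is only accessible with the clocks running */` above `m_can_of_parse_mram(priv, mram_config_vals);` and above `m_can_init_ram(priv);`. In m_can_resume() the RAM init now runs only inside the `netif_running(ndev)` branch, which looks intended but is a behaviour change worth a word in the same comment. The clock-enable calls themselves are outside both hunks, so the new positions cannot be checked against them from here.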
diff --git a/queue-4.14/can-mpc5xxx_can-check-of_iomap-return-before-use.patch b/queue-4.14/can-mpc5xxx_can-check-of_iomap-return-before-use.patch
new file mode 100644 (file)
index 0000000..12d2499
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Mon, 9 Jul 2018 21:16:40 +0200
+Subject: can: mpc5xxx_can: check of_iomap return before use
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit b5c1a23b17e563b656cc9bb76ce5323b997d90e8 ]
+
+of_iomap() can return NULL so that return needs to be checked and NULL
+treated as failure. While at it also take care of the missing
+of_node_put() in the error path.
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Fixes: commit afa17a500a36 ("net/can: add driver for mscan family & mpc52xx_mscan")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/mscan/mpc5xxx_can.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/can/mscan/mpc5xxx_can.c
++++ b/drivers/net/can/mscan/mpc5xxx_can.c
+@@ -86,6 +86,11 @@ static u32 mpc52xx_can_get_clock(struct
+               return 0;
+       }
+       cdm = of_iomap(np_cdm, 0);
++      if (!cdm) {
++              of_node_put(np_cdm);
++              dev_err(&ofdev->dev, "can't map clock node!\n");
++              return 0;
++      }
+       if (in_8(&cdm->ipb_clk_sel) & 0x1)
+               freq *= 2;
diff --git a/queue-4.14/drivers-net-lmc-fix-case-value-for-target-abort-error.patch b/queue-4.14/drivers-net-lmc-fix-case-value-for-target-abort-error.patch
new file mode 100644 (file)
index 0000000..e2b62f6
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 1 Aug 2018 18:22:41 +0100
+Subject: drivers: net: lmc: fix case value for target abort error
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit afb41bb039656f0cecb54eeb8b2e2088201295f5 ]
+
+Current value for a target abort error is 0x010, however, this value
+should in fact be 0x002.  As it stands, the range of error is 0..7 so
+it is currently never being detected.  This bug has been in the driver
+since the early 2.6.12 days (or before).
+
+Detected by CoverityScan, CID#744290 ("Logically dead code")
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/lmc/lmc_main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wan/lmc/lmc_main.c
++++ b/drivers/net/wan/lmc/lmc_main.c
+@@ -1371,7 +1371,7 @@ static irqreturn_t lmc_interrupt (int ir
+             case 0x001:
+                 printk(KERN_WARNING "%s: Master Abort (naughty)\n", dev->name);
+                 break;
+-            case 0x010:
++            case 0x002:
+                 printk(KERN_WARNING "%s: Target Abort (not so naughty)\n", dev->name);
+                 break;
+             default:
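Review bot: The case labels in this switch remain bare hex literals, which is how a binary-looking `0x010` could stand in for the value 2 for so long without anyone noticing the branch was dead. Named constants, or at least a comment on the switch stating that the decoded field is three bits wide (the description gives the range as 0..7), would make an out-of-range label obvious on review, e.g. `/* 3-bit bus error code: 1 = master abort, 2 = target abort */`. The switch expression and the rest of lmc_interrupt() are outside the hunk.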
diff --git a/queue-4.14/drm-bridge-adv7511-reset-registers-on-hotplug.patch b/queue-4.14/drm-bridge-adv7511-reset-registers-on-hotplug.patch
new file mode 100644 (file)
index 0000000..57e780d
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Sean Paul <seanpaul@chromium.org>
+Date: Tue, 3 Jul 2018 12:56:03 -0400
+Subject: drm/bridge: adv7511: Reset registers on hotplug
+
+From: Sean Paul <seanpaul@chromium.org>
+
+[ Upstream commit 5f3417569165a8ee57654217f73e0160312f409c ]
+
+The bridge loses its hw state when the cable is unplugged. If we detect
+this case in the hpd handler, reset its state.
+
+Reported-by: Rob Clark <robdclark@gmail.com>
+Tested-by: Rob Clark <robdclark@gmail.com>
+Reviewed-by: Archit Taneja <architt@codeaurora.org>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180703165648.120401-1-seanpaul@chromium.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511_drv.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+@@ -424,6 +424,18 @@ static void adv7511_hpd_work(struct work
+       else
+               status = connector_status_disconnected;
++      /*
++       * The bridge resets its registers on unplug. So when we get a plug
++       * event and we're already supposed to be powered, cycle the bridge to
++       * restore its state.
++       */
++      if (status == connector_status_connected &&
++          adv7511->connector.status == connector_status_disconnected &&
++          adv7511->powered) {
++              regcache_mark_dirty(adv7511->regmap);
++              adv7511_power_on(adv7511);
++      }
++
+       if (adv7511->connector.status != status) {
+               adv7511->connector.status = status;
+               drm_kms_helper_hotplug_event(adv7511->connector.dev);
diff --git a/queue-4.14/drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch b/queue-4.14/drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch
new file mode 100644 (file)
index 0000000..f5cd2ee
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Wed, 11 Apr 2018 17:31:36 +0200
+Subject: drm/imx: imx-ldb: check if channel is enabled before printing warning
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+[ Upstream commit c80d673b91a6c81d765864e10f2b15110ee900ad ]
+
+If the second LVDS channel has been disabled in the DT when using dual-channel
+mode we should not print a warning.
+
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/imx/imx-ldb.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/imx/imx-ldb.c
++++ b/drivers/gpu/drm/imx/imx-ldb.c
+@@ -655,14 +655,14 @@ static int imx_ldb_bind(struct device *d
+               if (ret || i < 0 || i > 1)
+                       return -EINVAL;
++              if (!of_device_is_available(child))
++                      continue;
++
+               if (dual && i > 0) {
+                       dev_warn(dev, "dual-channel mode, ignoring second output\n");
+                       continue;
+               }
+-              if (!of_device_is_available(child))
+-                      continue;
+-
+               channel = &imx_ldb->channel[i];
+               channel->ldb = imx_ldb;
+               channel->chno = i;
diff --git a/queue-4.14/drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch b/queue-4.14/drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch
new file mode 100644 (file)
index 0000000..2ed043f
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Wed, 11 Apr 2018 17:31:35 +0200
+Subject: drm/imx: imx-ldb: disable LDB on driver bind
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+[ Upstream commit b58262396fabd43dc869b576e3defdd23b32fe94 ]
+
+The LVDS signal integrity is only guaranteed when the correct enable
+sequence (first IPU DI, then LDB) is used. If the LDB display output was
+active before the imx-drm driver is loaded (like when a bootsplash was
+active) the DI will be disabled by the full IPU reset we do when loading
+the driver. The LDB control registers are not part of the IPU range and
+thus will remain unchanged.
+
+This leads to the LDB still being active when the DI is getting enabled,
+effectively reversing the required enable sequence. Fix this by also
+disabling the LDB on driver bind.
+
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/imx/imx-ldb.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/imx/imx-ldb.c
++++ b/drivers/gpu/drm/imx/imx-ldb.c
+@@ -612,6 +612,9 @@ static int imx_ldb_bind(struct device *d
+               return PTR_ERR(imx_ldb->regmap);
+       }
++      /* disable LDB by resetting the control register to POR default */
++      regmap_write(imx_ldb->regmap, IOMUXC_GPR2, 0);
++
+       imx_ldb->dev = dev;
+       if (of_id)
diff --git a/queue-4.14/drm-re-enable-error-handling.patch b/queue-4.14/drm-re-enable-error-handling.patch
new file mode 100644 (file)
index 0000000..f141157
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Sat, 14 Jul 2018 14:32:12 +0200
+Subject: drm: re-enable error handling
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit d530b5f1ca0bb66958a2b714bebe40a1248b9c15 ]
+
+drm_legacy_ctxbitmap_next() returns idr_alloc() which can return
+-ENOMEM, -EINVAL or -ENOSPC none of which are -1 . but the call sites
+of drm_legacy_ctxbitmap_next() seem to be assuming that the error case
+would be -1 (original return of drm_ctxbitmap_next() prior to 2.6.23
+was actually -1). Thus reenable error handling by checking for < 0.
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Fixes: 62968144e673 ("drm: convert drm context code to use Linux idr")
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1531571532-22733-1-git-send-email-hofrat@osadl.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_context.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_context.c
++++ b/drivers/gpu/drm/drm_context.c
+@@ -372,7 +372,7 @@ int drm_legacy_addctx(struct drm_device
+               ctx->handle = drm_legacy_ctxbitmap_next(dev);
+       }
+       DRM_DEBUG("%d\n", ctx->handle);
+-      if (ctx->handle == -1) {
++      if (ctx->handle < 0) {
+               DRM_DEBUG("Not enough free contexts.\n");
+               /* Should this return -EBUSY instead? */
+               return -ENOMEM;
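Review bot: The new test `if (ctx->handle < 0)` only works if `ctx->handle` is a signed type, and the declaration is not in the hunk. If the field is the uapi `drm_context_t`, which is an `unsigned int`, the comparison is always false, and a negative errno from drm_legacy_ctxbitmap_next() is then stored as a large handle and used as a valid context id. Holding the result in a local first avoids depending on the field type: `int tmp = drm_legacy_ctxbitmap_next(dev);` then `if (tmp < 0)` and only afterwards `ctx->handle = tmp;`. The same local would allow the real error to be returned instead of a fixed -ENOMEM, though that changes the errno seen by user space and should be decided separately. drm_legacy_addctx() starts and ends outside the hunk.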
diff --git a/queue-4.14/enic-do-not-call-enic_change_mtu-in-enic_probe.patch b/queue-4.14/enic-do-not-call-enic_change_mtu-in-enic_probe.patch
new file mode 100644 (file)
index 0000000..e6a43fe
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Date: Mon, 30 Jul 2018 09:56:54 -0700
+Subject: enic: do not call enic_change_mtu in enic_probe
+
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+
+[ Upstream commit cb5c6568867325f9905e80c96531d963bec8e5ea ]
+
+In commit ab123fe071c9 ("enic: handle mtu change for vf properly")
+ASSERT_RTNL() is added to _enic_change_mtu() to prevent it from being
+called without rtnl held. enic_probe() calls enic_change_mtu()
+without rtnl held. At this point netdev is not registered yet.
+Remove call to enic_change_mtu and assign the mtu to netdev->mtu.
+
+Fixes: ab123fe071c9 ("enic: handle mtu change for vf properly")
+Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -2843,7 +2843,6 @@ static int enic_probe(struct pci_dev *pd
+        */
+       enic->port_mtu = enic->config.mtu;
+-      (void)enic_change_mtu(netdev, enic->port_mtu);
+       err = enic_set_mac_addr(netdev, enic->mac_addr);
+       if (err) {
+@@ -2930,6 +2929,7 @@ static int enic_probe(struct pci_dev *pd
+       /* MTU range: 68 - 9000 */
+       netdev->min_mtu = ENIC_MIN_MTU;
+       netdev->max_mtu = ENIC_MAX_MTU;
++      netdev->mtu     = enic->port_mtu;
+       err = register_netdev(netdev);
+       if (err) {
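Review bot: `netdev->mtu = enic->port_mtu;` copies the adapter-reported `enic->config.mtu` into the netdev without a bounds check, directly after `min_mtu`/`max_mtu` are set. Unless the config read already bounds the value (not visible here), an MTU outside the 68 - 9000 range reported by the device would be registered as the interface MTU; `netdev->mtu = clamp_t(unsigned int, enic->port_mtu, ENIC_MIN_MTU, ENIC_MAX_MTU);` keeps it inside the advertised range. A one-line comment such as `/* set directly: netdev is not registered yet and rtnl is not held */` would also record why enic_change_mtu() is not used here. enic_probe() continues outside both hunks.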
diff --git a/queue-4.14/enic-handle-mtu-change-for-vf-properly.patch b/queue-4.14/enic-handle-mtu-change-for-vf-properly.patch
new file mode 100644 (file)
index 0000000..199c39e
--- /dev/null
@@ -0,0 +1,128 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Date: Fri, 27 Jul 2018 11:19:29 -0700
+Subject: enic: handle mtu change for vf properly
+
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+
+[ Upstream commit ab123fe071c9aa9680ecd62eb080eb26cff4892c ]
+
+When driver gets notification for mtu change, driver does not handle it for
+all RQs. It handles only RQ[0].
+
+Fix is to use enic_change_mtu() interface to change mtu for vf.
+
+Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c |   78 +++++++++-------------------
+ 1 file changed, 27 insertions(+), 51 deletions(-)
+
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -2007,28 +2007,42 @@ static int enic_stop(struct net_device *
+       return 0;
+ }
++static int _enic_change_mtu(struct net_device *netdev, int new_mtu)
++{
++      bool running = netif_running(netdev);
++      int err = 0;
++
++      ASSERT_RTNL();
++      if (running) {
++              err = enic_stop(netdev);
++              if (err)
++                      return err;
++      }
++
++      netdev->mtu = new_mtu;
++
++      if (running) {
++              err = enic_open(netdev);
++              if (err)
++                      return err;
++      }
++
++      return 0;
++}
++
+ static int enic_change_mtu(struct net_device *netdev, int new_mtu)
+ {
+       struct enic *enic = netdev_priv(netdev);
+-      int running = netif_running(netdev);
+       if (enic_is_dynamic(enic) || enic_is_sriov_vf(enic))
+               return -EOPNOTSUPP;
+-      if (running)
+-              enic_stop(netdev);
+-
+-      netdev->mtu = new_mtu;
+-
+       if (netdev->mtu > enic->port_mtu)
+               netdev_warn(netdev,
+-                      "interface MTU (%d) set higher than port MTU (%d)\n",
+-                      netdev->mtu, enic->port_mtu);
+-
+-      if (running)
+-              enic_open(netdev);
++                          "interface MTU (%d) set higher than port MTU (%d)\n",
++                          netdev->mtu, enic->port_mtu);
+-      return 0;
++      return _enic_change_mtu(netdev, new_mtu);
+ }
+ static void enic_change_mtu_work(struct work_struct *work)
+@@ -2036,47 +2050,9 @@ static void enic_change_mtu_work(struct
+       struct enic *enic = container_of(work, struct enic, change_mtu_work);
+       struct net_device *netdev = enic->netdev;
+       int new_mtu = vnic_dev_mtu(enic->vdev);
+-      int err;
+-      unsigned int i;
+-
+-      new_mtu = max_t(int, ENIC_MIN_MTU, min_t(int, ENIC_MAX_MTU, new_mtu));
+       rtnl_lock();
+-
+-      /* Stop RQ */
+-      del_timer_sync(&enic->notify_timer);
+-
+-      for (i = 0; i < enic->rq_count; i++)
+-              napi_disable(&enic->napi[i]);
+-
+-      vnic_intr_mask(&enic->intr[0]);
+-      enic_synchronize_irqs(enic);
+-      err = vnic_rq_disable(&enic->rq[0]);
+-      if (err) {
+-              rtnl_unlock();
+-              netdev_err(netdev, "Unable to disable RQ.\n");
+-              return;
+-      }
+-      vnic_rq_clean(&enic->rq[0], enic_free_rq_buf);
+-      vnic_cq_clean(&enic->cq[0]);
+-      vnic_intr_clean(&enic->intr[0]);
+-
+-      /* Fill RQ with new_mtu-sized buffers */
+-      netdev->mtu = new_mtu;
+-      vnic_rq_fill(&enic->rq[0], enic_rq_alloc_buf);
+-      /* Need at least one buffer on ring to get going */
+-      if (vnic_rq_desc_used(&enic->rq[0]) == 0) {
+-              rtnl_unlock();
+-              netdev_err(netdev, "Unable to alloc receive buffers.\n");
+-              return;
+-      }
+-
+-      /* Start RQ */
+-      vnic_rq_enable(&enic->rq[0]);
+-      napi_enable(&enic->napi[0]);
+-      vnic_intr_unmask(&enic->intr[0]);
+-      enic_notify_timer_start(enic);
+-
++      (void)_enic_change_mtu(netdev, new_mtu);
+       rtnl_unlock();
+       netdev_info(netdev, "interface MTU set as %d\n", netdev->mtu);
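Review bot: In enic_change_mtu_work() the `max_t`/`min_t` clamp on `new_mtu` is dropped, so the value returned by `vnic_dev_mtu()`, which follows a device notification, now reaches `netdev->mtu` unbounded through `_enic_change_mtu()` unless that helper's callee bounds it elsewhere; keeping `new_mtu = max_t(int, ENIC_MIN_MTU, min_t(int, ENIC_MAX_MTU, new_mtu));` before `rtnl_lock()` preserves the old guarantee. The `(void)` cast also discards a failed enic_stop() or enic_open(), after which `netdev_info` still logs the MTU as set. In enic_change_mtu() the `netdev->mtu > enic->port_mtu` warning now runs before the assignment that moved into the helper, so it tests the previous MTU; `if (new_mtu > enic->port_mtu)` with `new_mtu` in the message would warn about the requested value.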
diff --git a/queue-4.14/esp6-fix-memleak-on-error-path-in-esp6_input.patch b/queue-4.14/esp6-fix-memleak-on-error-path-in-esp6_input.patch
new file mode 100644 (file)
index 0000000..32efb9a
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Zhen Lei <thunder.leizhen@huawei.com>
+Date: Wed, 27 Jun 2018 11:49:28 +0800
+Subject: esp6: fix memleak on error path in esp6_input
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 7284fdf39a912322ce97de2d30def3c6068a418c ]
+
+This ought to be an omission in e6194923237 ("esp: Fix memleaks on error
+paths."). The memleak on error path in esp6_input is similar to esp_input
+of esp4.
+
+Fixes: e6194923237 ("esp: Fix memleaks on error paths.")
+Fixes: 3f29770723f ("ipsec: check return value of skb_to_sgvec always")
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/esp6.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -651,8 +651,10 @@ skip_cow:
+       sg_init_table(sg, nfrags);
+       ret = skb_to_sgvec(skb, sg, 0, skb->len);
+-      if (unlikely(ret < 0))
++      if (unlikely(ret < 0)) {
++              kfree(tmp);
+               goto out;
++      }
+       skb->ip_summed = CHECKSUM_NONE;
diff --git a/queue-4.14/ext4-clear-mmp-sequence-number-when-remounting-read-only.patch b/queue-4.14/ext4-clear-mmp-sequence-number-when-remounting-read-only.patch
new file mode 100644 (file)
index 0000000..ff0b145
--- /dev/null
@@ -0,0 +1,53 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 8 Jul 2018 19:36:02 -0400
+Subject: ext4: clear mmp sequence number when remounting read-only
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+[ Upstream commit 2dca60d98e241bea686004168f85208f215fc697 ]
+
+Previously, when an MMP-protected file system is remounted read-only,
+the kmmpd thread would exit the next time it woke up (a few seconds
+later), without resetting the MMP sequence number back to
+EXT4_MMP_SEQ_CLEAN.
+
+Fix this by explicitly killing the MMP thread when the file system is
+remounted read-only.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: Andreas Dilger <adilger@dilger.ca>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/mmp.c   |    7 ++-----
+ fs/ext4/super.c |    2 ++
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+--- a/fs/ext4/mmp.c
++++ b/fs/ext4/mmp.c
+@@ -186,11 +186,8 @@ static int kmmpd(void *data)
+                       goto exit_thread;
+               }
+-              if (sb_rdonly(sb)) {
+-                      ext4_warning(sb, "kmmpd being stopped since filesystem "
+-                                   "has been remounted as readonly.");
+-                      goto exit_thread;
+-              }
++              if (sb_rdonly(sb))
++                      break;
+               diff = jiffies - last_update_time;
+               if (diff < mmp_update_interval * HZ)
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -5163,6 +5163,8 @@ static int ext4_remount(struct super_blo
+                       if (sbi->s_journal)
+                               ext4_mark_recovery_complete(sb, es);
++                      if (sbi->s_mmp_tsk)
++                              kthread_stop(sbi->s_mmp_tsk);
+               } else {
+                       /* Make sure we can mount this feature set readwrite */
+                       if (ext4_has_feature_readonly(sb) ||
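Review bot: The added `kthread_stop(sbi->s_mmp_tsk)` in ext4_remount() is not visibly serialized against kmmpd returning on its own, and the first hunk adds such a path: `if (sb_rdonly(sb)) break;` leaves the loop without waiting for kthread_should_stop(). If the thread can wake between the read-only flag being set and this call (the flag update and kmmpd's exit code are outside the hunks), `s_mmp_tsk` may refer to a task that has already exited, which is a use-after-free hazard unless a task reference is held. A comment at the call stating what keeps the task_struct valid, or a get_task_struct()/put_task_struct() pair covering the thread's lifetime, would make the rule explicit. Both kmmpd() and ext4_remount() continue outside their hunks.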
diff --git a/queue-4.14/fscache-allow-cancelled-operations-to-be-enqueued.patch b/queue-4.14/fscache-allow-cancelled-operations-to-be-enqueued.patch
new file mode 100644 (file)
index 0000000..5c845b1
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+Date: Wed, 25 Jul 2018 14:31:20 +0100
+Subject: fscache: Allow cancelled operations to be enqueued
+
+From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+
+[ Upstream commit d0eb06afe712b7b103b6361f40a9a0c638524669 ]
+
+Alter the state-check assertion in fscache_enqueue_operation() to allow
+cancelled operations to be given processing time so they can be cleaned up.
+
+Also fix a debugging statement that was requiring such operations to have
+an object assigned.
+
+Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
+Reported-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fscache/operation.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/fscache/operation.c
++++ b/fs/fscache/operation.c
+@@ -66,7 +66,8 @@ void fscache_enqueue_operation(struct fs
+       ASSERT(op->processor != NULL);
+       ASSERT(fscache_object_is_available(op->object));
+       ASSERTCMP(atomic_read(&op->usage), >, 0);
+-      ASSERTCMP(op->state, ==, FSCACHE_OP_ST_IN_PROGRESS);
++      ASSERTIFCMP(op->state != FSCACHE_OP_ST_IN_PROGRESS,
++                  op->state, ==,  FSCACHE_OP_ST_CANCELLED);
+       fscache_stat(&fscache_n_op_enqueue);
+       switch (op->flags & FSCACHE_OP_TYPE) {
+@@ -481,7 +482,8 @@ void fscache_put_operation(struct fscach
+       struct fscache_cache *cache;
+       _enter("{OBJ%x OP%x,%d}",
+-             op->object->debug_id, op->debug_id, atomic_read(&op->usage));
++             op->object ? op->object->debug_id : 0,
++             op->debug_id, atomic_read(&op->usage));
+       ASSERTCMP(atomic_read(&op->usage), >, 0);
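Review bot: fscache_enqueue_operation() now admits cancelled operations, but the unchanged `ASSERT(fscache_object_is_available(op->object));` two lines above the new ASSERTIFCMP still runs for them. The second hunk guards `op->object` against NULL in fscache_put_operation(), which suggests an operation can exist without an object; if a cancelled operation can be enqueued in that state (not determinable from the hunk), the availability assertion would be evaluated on a NULL object. If cancelled operations always carry an object at enqueue time, a comment above the new assertion saying so, for example `/* cancelled ops are enqueued for cleanup only; op->object is still set here */`, would settle the question for the next reader. Both functions continue outside their hunks.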
diff --git a/queue-4.14/gpiolib-acpi-make-sure-we-trigger-edge-events-at-least-once-on-boot.patch b/queue-4.14/gpiolib-acpi-make-sure-we-trigger-edge-events-at-least-once-on-boot.patch
new file mode 100644 (file)
index 0000000..ce90bf1
--- /dev/null
@@ -0,0 +1,210 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Thu, 12 Jul 2018 17:25:06 +0200
+Subject: gpiolib-acpi: make sure we trigger edge events at least once on boot
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+[ Upstream commit ca876c7483b697b498868b1f575997191b077885 ]
+
+On some systems using edge triggered ACPI Event Interrupts, the initial
+state at boot is not setup by the firmware, instead relying on the edge
+irq event handler running at least once to setup the initial state.
+
+2 known examples of this are:
+
+1) The Surface 3 has its _LID state controlled by an ACPI operation region
+ triggered by a GPIO event:
+
+ OperationRegion (GPOR, GeneralPurposeIo, Zero, One)
+ Field (GPOR, ByteAcc, NoLock, Preserve)
+ {
+     Connection (
+         GpioIo (Shared, PullNone, 0x0000, 0x0000, IoRestrictionNone,
+             "\\_SB.GPO0", 0x00, ResourceConsumer, ,
+             )
+             {   // Pin list
+                 0x004C
+             }
+     ),
+     HELD,   1
+ }
+
+ Method (_E4C, 0, Serialized)  // _Exx: Edge-Triggered GPE
+ {
+     If ((HELD == One))
+     {
+         ^^LID.LIDB = One
+     }
+     Else
+     {
+         ^^LID.LIDB = Zero
+         Notify (LID, 0x80) // Status Change
+     }
+
+     Notify (^^PCI0.SPI1.NTRG, One) // Device Check
+ }
+
+ Currently, the state of LIDB is wrong until the user actually closes or
+ open the cover. We need to trigger the GPIO event once to update the
+ internal ACPI state.
+
+ Coincidentally, this also enables the Surface 2 integrated HID sensor hub
+ which also requires an ACPI gpio operation region to start initialization.
+
+2) Various Bay Trail based tablets come with an external USB mux and
+ TI T1210B USB phy to enable USB gadget mode. The mux is controlled by a
+ GPIO which is controlled by an edge triggered ACPI Event Interrupt which
+ monitors the micro-USB ID pin.
+
+ When the tablet is connected to a PC (or no cable is plugged in), the ID
+ pin is high and the tablet should be in gadget mode. But the GPIO
+ controlling the mux is initialized by the firmware so that the USB data
+ lines are muxed to the host controller.
+
+ This means that if the user wants to use gadget mode, the user needs to
+ first plug in a host-cable to force the ID pin low and then unplug it
+ and connect the tablet to a PC, to get the ACPI event handler to run and
+ switch the mux to device mode,
+
+This commit fixes both by running the event-handler once on boot.
+
+Note that the running of the event-handler is done from a late_initcall,
+this is done because the handler AML code may rely on OperationRegions
+registered by other builtin drivers. This avoids errors like these:
+
+[    0.133026] ACPI Error: No handler for Region [XSCG] ((____ptrval____)) [GenericSerialBus] (20180531/evregion-132)
+[    0.133036] ACPI Error: Region GenericSerialBus (ID=9) has no handler (20180531/exfldio-265)
+[    0.133046] ACPI Error: Method parse/execution failed \_SB.GPO2._E12, AE_NOT_EXIST (20180531/psparse-516)
+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+[hdegoede: Document BYT USB mux reliance on initial trigger]
+[hdegoede: Run event handler from a late_initcall, rather then immediately]
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib-acpi.c |   56 +++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 55 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -25,6 +25,7 @@
+ struct acpi_gpio_event {
+       struct list_head node;
++      struct list_head initial_sync_list;
+       acpi_handle handle;
+       unsigned int pin;
+       unsigned int irq;
+@@ -50,6 +51,9 @@ struct acpi_gpio_chip {
+       struct list_head events;
+ };
++static LIST_HEAD(acpi_gpio_initial_sync_list);
++static DEFINE_MUTEX(acpi_gpio_initial_sync_list_lock);
++
+ static int acpi_gpiochip_find(struct gpio_chip *gc, void *data)
+ {
+       if (!gc->parent)
+@@ -142,6 +146,21 @@ static struct gpio_desc *acpi_get_gpiod(
+       return gpiochip_get_desc(chip, offset);
+ }
++static void acpi_gpio_add_to_initial_sync_list(struct acpi_gpio_event *event)
++{
++      mutex_lock(&acpi_gpio_initial_sync_list_lock);
++      list_add(&event->initial_sync_list, &acpi_gpio_initial_sync_list);
++      mutex_unlock(&acpi_gpio_initial_sync_list_lock);
++}
++
++static void acpi_gpio_del_from_initial_sync_list(struct acpi_gpio_event *event)
++{
++      mutex_lock(&acpi_gpio_initial_sync_list_lock);
++      if (!list_empty(&event->initial_sync_list))
++              list_del_init(&event->initial_sync_list);
++      mutex_unlock(&acpi_gpio_initial_sync_list_lock);
++}
++
+ static irqreturn_t acpi_gpio_irq_handler(int irq, void *data)
+ {
+       struct acpi_gpio_event *event = data;
+@@ -193,7 +212,7 @@ static acpi_status acpi_gpiochip_request
+       irq_handler_t handler = NULL;
+       struct gpio_desc *desc;
+       unsigned long irqflags;
+-      int ret, pin, irq;
++      int ret, pin, irq, value;
+       if (!acpi_gpio_get_irq_resource(ares, &agpio))
+               return AE_OK;
+@@ -228,6 +247,8 @@ static acpi_status acpi_gpiochip_request
+       gpiod_direction_input(desc);
++      value = gpiod_get_value(desc);
++
+       ret = gpiochip_lock_as_irq(chip, pin);
+       if (ret) {
+               dev_err(chip->parent, "Failed to lock GPIO as interrupt\n");
+@@ -269,6 +290,7 @@ static acpi_status acpi_gpiochip_request
+       event->irq = irq;
+       event->pin = pin;
+       event->desc = desc;
++      INIT_LIST_HEAD(&event->initial_sync_list);
+       ret = request_threaded_irq(event->irq, NULL, handler, irqflags,
+                                  "ACPI:Event", event);
+@@ -283,6 +305,18 @@ static acpi_status acpi_gpiochip_request
+               enable_irq_wake(irq);
+       list_add_tail(&event->node, &acpi_gpio->events);
++
++      /*
++       * Make sure we trigger the initial state of the IRQ when using RISING
++       * or FALLING.  Note we run the handlers on late_init, the AML code
++       * may refer to OperationRegions from other (builtin) drivers which
++       * may be probed after us.
++       */
++      if (handler == acpi_gpio_irq_handler &&
++          (((irqflags & IRQF_TRIGGER_RISING) && value == 1) ||
++           ((irqflags & IRQF_TRIGGER_FALLING) && value == 0)))
++              acpi_gpio_add_to_initial_sync_list(event);
++
+       return AE_OK;
+ fail_free_event:
+@@ -355,6 +389,8 @@ void acpi_gpiochip_free_interrupts(struc
+       list_for_each_entry_safe_reverse(event, ep, &acpi_gpio->events, node) {
+               struct gpio_desc *desc;
++              acpi_gpio_del_from_initial_sync_list(event);
++
+               if (irqd_is_wakeup_set(irq_get_irq_data(event->irq)))
+                       disable_irq_wake(event->irq);
+@@ -1210,3 +1246,21 @@ bool acpi_can_fallback_to_crs(struct acp
+       return con_id == NULL;
+ }
++
++/* Sync the initial state of handlers after all builtin drivers have probed */
++static int acpi_gpio_initial_sync(void)
++{
++      struct acpi_gpio_event *event, *ep;
++
++      mutex_lock(&acpi_gpio_initial_sync_list_lock);
++      list_for_each_entry_safe(event, ep, &acpi_gpio_initial_sync_list,
++                               initial_sync_list) {
++              acpi_evaluate_object(event->handle, NULL, NULL, NULL);
++              list_del_init(&event->initial_sync_list);
++      }
++      mutex_unlock(&acpi_gpio_initial_sync_list_lock);
++
++      return 0;
++}
++/* We must use _sync so that this runs after the first deferred_probe run */
++late_initcall_sync(acpi_gpio_initial_sync);
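Review bot: Events queued by acpi_gpio_add_to_initial_sync_list() are only ever run by acpi_gpio_initial_sync(), which executes once at `late_initcall_sync`. acpi_gpiochip_request_interrupt() can presumably also run later (a GPIO controller driver built as a module, or one probed after that initcall); in that case the event is put on the list and its handler is never evaluated, so the initial state stays unsynced until acpi_gpiochip_free_interrupts() removes the entry. Recording that the one-time pass has happened and evaluating the handler directly afterwards closes that gap; the sketch assumes acpi_gpio_initial_sync() sets the flag under the same mutex. The `acpi_evaluate_object()` status is ignored, and logging a failure would help when the AML depends on a region that is still missing.

```c
static bool acpi_gpio_initial_sync_done;

static void acpi_gpio_add_to_initial_sync_list(struct acpi_gpio_event *event)
{
	bool run_now;

	mutex_lock(&acpi_gpio_initial_sync_list_lock);
	run_now = acpi_gpio_initial_sync_done;
	if (!run_now)
		list_add(&event->initial_sync_list, &acpi_gpio_initial_sync_list);
	mutex_unlock(&acpi_gpio_initial_sync_list_lock);

	/* Nothing drains the list after late_initcall_sync, so sync here. */
	if (run_now)
		acpi_evaluate_object(event->handle, NULL, NULL, NULL);
}

/* … unchanged: acpi_gpio_initial_sync() list walk … */
	acpi_gpio_initial_sync_done = true;	/* set before mutex_unlock() */
```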
diff --git a/queue-4.14/hinic-link-the-logical-network-device-to-the-pci-device-in-sysfs.patch b/queue-4.14/hinic-link-the-logical-network-device-to-the-pci-device-in-sysfs.patch
new file mode 100644 (file)
index 0000000..89cd2a3
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: dann frazier <dann.frazier@canonical.com>
+Date: Mon, 23 Jul 2018 16:55:40 -0600
+Subject: hinic: Link the logical network device to the pci device in sysfs
+
+From: dann frazier <dann.frazier@canonical.com>
+
+[ Upstream commit 7856e8616273098dc6c09a6e084afd98a283ff0d ]
+
+Otherwise interfaces get exposed under /sys/devices/virtual, which
+doesn't give udev the context it needs for PCI-based predictable
+interface names.
+
+Signed-off-by: dann frazier <dann.frazier@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/huawei/hinic/hinic_main.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/huawei/hinic/hinic_main.c
++++ b/drivers/net/ethernet/huawei/hinic/hinic_main.c
+@@ -981,6 +981,7 @@ static int nic_dev_init(struct pci_dev *
+       hinic_hwdev_cb_register(nic_dev->hwdev, HINIC_MGMT_MSG_CMD_LINK_STATUS,
+                               nic_dev, link_status_event_handler);
++      SET_NETDEV_DEV(netdev, &pdev->dev);
+       err = register_netdev(netdev);
+       if (err) {
+               dev_err(&pdev->dev, "Failed to register netdev\n");
diff --git a/queue-4.14/i2c-davinci-avoid-zero-value-of-clkh.patch b/queue-4.14/i2c-davinci-avoid-zero-value-of-clkh.patch
new file mode 100644 (file)
index 0000000..ba20f1e
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Date: Fri, 13 Jul 2018 17:20:17 +0200
+Subject: i2c: davinci: Avoid zero value of CLKH
+
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+
+[ Upstream commit cc8de9a68599b261244ea453b38678229f06ada7 ]
+
+If CLKH is set to 0 I2C clock is not generated at all, so avoid this value
+and stretch the clock in this case.
+
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Acked-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-davinci.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-davinci.c
++++ b/drivers/i2c/busses/i2c-davinci.c
+@@ -234,12 +234,16 @@ static void i2c_davinci_calc_clk_divider
+       /*
+        * It's not always possible to have 1 to 2 ratio when d=7, so fall back
+        * to minimal possible clkh in this case.
++       *
++       * Note:
++       * CLKH is not allowed to be 0, in this case I2C clock is not generated
++       * at all
+        */
+-      if (clk >= clkl + d) {
++      if (clk > clkl + d) {
+               clkh = clk - clkl - d;
+               clkl -= d;
+       } else {
+-              clkh = 0;
++              clkh = 1;
+               clkl = clk - (d << 1);
+       }
diff --git a/queue-4.14/i2c-mux-locking-core-annotate-the-nested-rt_mutex-usage.patch b/queue-4.14/i2c-mux-locking-core-annotate-the-nested-rt_mutex-usage.patch
new file mode 100644 (file)
index 0000000..5143069
--- /dev/null
@@ -0,0 +1,111 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Peter Rosin <peda@axentia.se>
+Date: Fri, 20 Jul 2018 10:39:14 +0200
+Subject: i2c/mux, locking/core: Annotate the nested rt_mutex usage
+
+From: Peter Rosin <peda@axentia.se>
+
+[ Upstream commit 7b94ea50514d1a0dc94f02723b603c27bc0ea597 ]
+
+If an i2c topology has instances of nested muxes, then a lockdep splat
+is produced when when i2c_parent_lock_bus() is called.  Here is an
+example:
+
+  ============================================
+  WARNING: possible recursive locking detected
+  --------------------------------------------
+  insmod/68159 is trying to acquire lock:
+    (i2c_register_adapter#2){+.+.}, at: i2c_parent_lock_bus+0x32/0x50 [i2c_mux]
+
+  but task is already holding lock:
+    (i2c_register_adapter#2){+.+.}, at: i2c_parent_lock_bus+0x32/0x50 [i2c_mux]
+
+  other info that might help us debug this:
+    Possible unsafe locking scenario:
+
+          CPU0
+          ----
+     lock(i2c_register_adapter#2);
+     lock(i2c_register_adapter#2);
+
+    *** DEADLOCK ***
+
+    May be due to missing lock nesting notation
+
+  1 lock held by insmod/68159:
+    #0:  (i2c_register_adapter#2){+.+.}, at: i2c_parent_lock_bus+0x32/0x50 [i2c_mux]
+
+  stack backtrace:
+  CPU: 13 PID: 68159 Comm: insmod Tainted: G           O
+  Call Trace:
+    dump_stack+0x67/0x98
+    __lock_acquire+0x162e/0x1780
+    lock_acquire+0xba/0x200
+    rt_mutex_lock+0x44/0x60
+    i2c_parent_lock_bus+0x32/0x50 [i2c_mux]
+    i2c_parent_lock_bus+0x3e/0x50 [i2c_mux]
+    i2c_smbus_xfer+0xf0/0x700
+    i2c_smbus_read_byte+0x42/0x70
+    my2c_init+0xa2/0x1000 [my2c]
+    do_one_initcall+0x51/0x192
+    do_init_module+0x62/0x216
+    load_module+0x20f9/0x2b50
+    SYSC_init_module+0x19a/0x1c0
+    SyS_init_module+0xe/0x10
+    do_syscall_64+0x6c/0x1a0
+    entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Reported-by: John Sperbeck <jsperbeck@google.com>
+Tested-by: John Sperbeck <jsperbeck@google.com>
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Deepa Dinamani <deepadinamani@google.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Chang <dpf@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Philippe Ombredanne <pombredanne@nexb.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Wolfram Sang <wsa@the-dreams.de>
+Link: http://lkml.kernel.org/r/20180720083914.1950-3-peda@axentia.se
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/i2c-core-base.c |    2 +-
+ drivers/i2c/i2c-mux.c       |    4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/i2c/i2c-core-base.c
++++ b/drivers/i2c/i2c-core-base.c
+@@ -638,7 +638,7 @@ static int i2c_check_addr_busy(struct i2
+ static void i2c_adapter_lock_bus(struct i2c_adapter *adapter,
+                                unsigned int flags)
+ {
+-      rt_mutex_lock(&adapter->bus_lock);
++      rt_mutex_lock_nested(&adapter->bus_lock, i2c_adapter_depth(adapter));
+ }
+ /**
+--- a/drivers/i2c/i2c-mux.c
++++ b/drivers/i2c/i2c-mux.c
+@@ -144,7 +144,7 @@ static void i2c_mux_lock_bus(struct i2c_
+       struct i2c_mux_priv *priv = adapter->algo_data;
+       struct i2c_adapter *parent = priv->muxc->parent;
+-      rt_mutex_lock(&parent->mux_lock);
++      rt_mutex_lock_nested(&parent->mux_lock, i2c_adapter_depth(adapter));
+       if (!(flags & I2C_LOCK_ROOT_ADAPTER))
+               return;
+       i2c_lock_bus(parent, flags);
+@@ -181,7 +181,7 @@ static void i2c_parent_lock_bus(struct i
+       struct i2c_mux_priv *priv = adapter->algo_data;
+       struct i2c_adapter *parent = priv->muxc->parent;
+-      rt_mutex_lock(&parent->mux_lock);
++      rt_mutex_lock_nested(&parent->mux_lock, i2c_adapter_depth(adapter));
+       i2c_lock_bus(parent, flags);
+ }
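Review bot: `i2c_adapter_depth(adapter)` is passed straight to `rt_mutex_lock_nested()` as the lockdep subclass at all three call sites, and lockdep only accepts subclasses below MAX_LOCKDEP_SUBCLASSES. Unless i2c_adapter_depth() already bounds or warns on its result (its body is not in the hunk), a sufficiently deep mux tree would trade the false-positive splat for a lockdep subclass complaint. A comment at i2c_adapter_lock_bus() such as `/* subclass = mux nesting depth; must stay below MAX_LOCKDEP_SUBCLASSES */` would record the constraint. These hunks also depend on rt_mutex_lock_nested() from the locking/rtmutex patch added in the same queue, so that patch has to come first in the series.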
diff --git a/queue-4.14/ipc-sem.c-prevent-queue.status-tearing-in-semop.patch b/queue-4.14/ipc-sem.c-prevent-queue.status-tearing-in-semop.patch
new file mode 100644 (file)
index 0000000..cae6da4
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Davidlohr Bueso <dave@stgolabs.net>
+Date: Thu, 26 Jul 2018 16:37:19 -0700
+Subject: ipc/sem.c: prevent queue.status tearing in semop
+
+From: Davidlohr Bueso <dave@stgolabs.net>
+
+[ Upstream commit f075faa300acc4f6301e348acde0a4580ed5f77c ]
+
+In order for load/store tearing prevention to work, _all_ accesses to
+the variable in question need to be done around READ and WRITE_ONCE()
+macros.  Ensure everyone does so for q->status variable for
+semtimedop().
+
+Link: http://lkml.kernel.org/r/20180717052654.676-1-dave@stgolabs.net
+Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ ipc/sem.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -2041,7 +2041,7 @@ static long do_semtimedop(int semid, str
+       }
+       do {
+-              queue.status = -EINTR;
++              WRITE_ONCE(queue.status, -EINTR);
+               queue.sleeper = current;
+               __set_current_state(TASK_INTERRUPTIBLE);
diff --git a/queue-4.14/kvm-vmx-use-local-variable-for-current_vmptr-when-emulating-vmptrst.patch b/queue-4.14/kvm-vmx-use-local-variable-for-current_vmptr-when-emulating-vmptrst.patch
new file mode 100644 (file)
index 0000000..db795db
--- /dev/null
@@ -0,0 +1,59 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Thu, 19 Jul 2018 10:31:00 -0700
+Subject: KVM: vmx: use local variable for current_vmptr when emulating VMPTRST
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+[ Upstream commit 0a06d4256674c4e041945b52044941995fee237d ]
+
+Do not expose the address of vmx->nested.current_vmptr to
+kvm_write_guest_virt_system() as the resulting __copy_to_user()
+call will trigger a WARN when CONFIG_HARDENED_USERCOPY is
+enabled.
+
+Opportunistically clean up variable names in handle_vmptrst()
+to improve readability, e.g. vmcs_gva is misleading as the
+memory operand of VMPTRST is plain memory, not a VMCS.
+
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Tested-by: Peter Shier <pshier@google.com>
+Reviewed-by: Peter Shier <pshier@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c |   15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -8108,21 +8108,20 @@ static int handle_vmptrld(struct kvm_vcp
+ /* Emulate the VMPTRST instruction */
+ static int handle_vmptrst(struct kvm_vcpu *vcpu)
+ {
+-      unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
+-      u32 vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO);
+-      gva_t vmcs_gva;
++      unsigned long exit_qual = vmcs_readl(EXIT_QUALIFICATION);
++      u32 instr_info = vmcs_read32(VMX_INSTRUCTION_INFO);
++      gpa_t current_vmptr = to_vmx(vcpu)->nested.current_vmptr;
+       struct x86_exception e;
++      gva_t gva;
+       if (!nested_vmx_check_permission(vcpu))
+               return 1;
+-      if (get_vmx_mem_address(vcpu, exit_qualification,
+-                      vmx_instruction_info, true, &vmcs_gva))
++      if (get_vmx_mem_address(vcpu, exit_qual, instr_info, true, &gva))
+               return 1;
+       /* *_system ok, nested_vmx_check_permission has verified cpl=0 */
+-      if (kvm_write_guest_virt_system(vcpu, vmcs_gva,
+-                                      (void *)&to_vmx(vcpu)->nested.current_vmptr,
+-                                      sizeof(u64), &e)) {
++      if (kvm_write_guest_virt_system(vcpu, gva, (void *)&current_vmptr,
++                                      sizeof(gpa_t), &e)) {
+               kvm_inject_page_fault(vcpu, &e);
+               return 1;
+       }
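Review bot: The copy length changed from `sizeof(u64)` to `sizeof(gpa_t)`, which ties the number of bytes written to guest memory to a typedef rather than to the object being copied or to the 64-bit value VMPTRST stores. `sizeof(current_vmptr)` keeps the length and the source in step, and a `BUILD_BUG_ON(sizeof(gpa_t) != sizeof(u64));` next to it would pin the architectural width. The `(void *)` cast on `&current_vmptr` looks unnecessary if the parameter is already `void *`. handle_vmptrst() ends outside the hunk.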
diff --git a/queue-4.14/locking-rtmutex-allow-specifying-a-subclass-for-nested-locking.patch b/queue-4.14/locking-rtmutex-allow-specifying-a-subclass-for-nested-locking.patch
new file mode 100644 (file)
index 0000000..4d91712
--- /dev/null
@@ -0,0 +1,97 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Peter Rosin <peda@axentia.se>
+Date: Fri, 20 Jul 2018 10:39:13 +0200
+Subject: locking/rtmutex: Allow specifying a subclass for nested locking
+
+From: Peter Rosin <peda@axentia.se>
+
+[ Upstream commit 62cedf3e60af03e47849fe2bd6a03ec179422a8a ]
+
+Needed for annotating rt_mutex locks.
+
+Tested-by: John Sperbeck <jsperbeck@google.com>
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Deepa Dinamani <deepadinamani@google.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Chang <dpf@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Philippe Ombredanne <pombredanne@nexb.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Wolfram Sang <wsa@the-dreams.de>
+Link: http://lkml.kernel.org/r/20180720083914.1950-2-peda@axentia.se
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/rtmutex.h  |    7 +++++++
+ kernel/locking/rtmutex.c |   29 +++++++++++++++++++++++++----
+ 2 files changed, 32 insertions(+), 4 deletions(-)
+
+--- a/include/linux/rtmutex.h
++++ b/include/linux/rtmutex.h
+@@ -106,7 +106,14 @@ static inline int rt_mutex_is_locked(str
+ extern void __rt_mutex_init(struct rt_mutex *lock, const char *name, struct lock_class_key *key);
+ extern void rt_mutex_destroy(struct rt_mutex *lock);
++#ifdef CONFIG_DEBUG_LOCK_ALLOC
++extern void rt_mutex_lock_nested(struct rt_mutex *lock, unsigned int subclass);
++#define rt_mutex_lock(lock) rt_mutex_lock_nested(lock, 0)
++#else
+ extern void rt_mutex_lock(struct rt_mutex *lock);
++#define rt_mutex_lock_nested(lock, subclass) rt_mutex_lock(lock)
++#endif
++
+ extern int rt_mutex_lock_interruptible(struct rt_mutex *lock);
+ extern int rt_mutex_timed_lock(struct rt_mutex *lock,
+                              struct hrtimer_sleeper *timeout);
+--- a/kernel/locking/rtmutex.c
++++ b/kernel/locking/rtmutex.c
+@@ -1466,6 +1466,29 @@ rt_mutex_fastunlock(struct rt_mutex *loc
+               rt_mutex_postunlock(&wake_q);
+ }
++static inline void __rt_mutex_lock(struct rt_mutex *lock, unsigned int subclass)
++{
++      might_sleep();
++
++      mutex_acquire(&lock->dep_map, subclass, 0, _RET_IP_);
++      rt_mutex_fastlock(lock, TASK_UNINTERRUPTIBLE, rt_mutex_slowlock);
++}
++
++#ifdef CONFIG_DEBUG_LOCK_ALLOC
++/**
++ * rt_mutex_lock_nested - lock a rt_mutex
++ *
++ * @lock: the rt_mutex to be locked
++ * @subclass: the lockdep subclass
++ */
++void __sched rt_mutex_lock_nested(struct rt_mutex *lock, unsigned int subclass)
++{
++      __rt_mutex_lock(lock, subclass);
++}
++EXPORT_SYMBOL_GPL(rt_mutex_lock_nested);
++#endif
++
++#ifndef CONFIG_DEBUG_LOCK_ALLOC
+ /**
+  * rt_mutex_lock - lock a rt_mutex
+  *
+@@ -1473,12 +1496,10 @@ rt_mutex_fastunlock(struct rt_mutex *loc
+  */
+ void __sched rt_mutex_lock(struct rt_mutex *lock)
+ {
+-      might_sleep();
+-
+-      mutex_acquire(&lock->dep_map, 0, 0, _RET_IP_);
+-      rt_mutex_fastlock(lock, TASK_UNINTERRUPTIBLE, rt_mutex_slowlock);
++      __rt_mutex_lock(lock, 0);
+ }
+ EXPORT_SYMBOL_GPL(rt_mutex_lock);
++#endif
+ /**
+  * rt_mutex_lock_interruptible - lock a rt_mutex interruptible
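Review bot: The kernel-doc added for `rt_mutex_lock_nested()` in kernel/locking/rtmutex.c repeats the summary of `rt_mutex_lock()` and does not say what `subclass` is for. In the new `__rt_mutex_lock()` the value is passed only to `mutex_acquire(&lock->dep_map, subclass, 0, _RET_IP_)`, so the doc line could read `@subclass: lockdep subclass; annotation only, does not change how the lock is taken`. In the header, the non-debug `#define rt_mutex_lock_nested(lock, subclass) rt_mutex_lock(lock)` never evaluates `subclass`, which is worth a short comment there for callers who pass an expression. As a style point, the back-to-back `#endif` / `#ifndef CONFIG_DEBUG_LOCK_ALLOC` pair reads more clearly as a single `#else /* !CONFIG_DEBUG_LOCK_ALLOC */`. The kernel-doc of `rt_mutex_lock()` is split across two hunks, so only part of it is visible here.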
diff --git a/queue-4.14/mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch b/queue-4.14/mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch
new file mode 100644 (file)
index 0000000..2d3422a
--- /dev/null
@@ -0,0 +1,80 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: "mpubbise@codeaurora.org" <mpubbise@codeaurora.org>
+Date: Mon, 2 Jul 2018 15:40:14 +0530
+Subject: mac80211: add stations tied to AP_VLANs during hw reconfig
+
+From: "mpubbise@codeaurora.org" <mpubbise@codeaurora.org>
+
+[ Upstream commit 19103a4bfb42f320395daa5616ece3e89e759d63 ]
+
+As part of hw reconfig, only stations linked to AP interfaces are added
+back to the driver ignoring those which are tied to AP_VLAN interfaces.
+
+It is true that there could be stations tied to the AP_VLAN interface while
+serving 4addr clients or when using AP_VLAN for VLAN operations; we should
+be adding these stations back to the driver as part of hw reconfig, failing
+to do so can cause functional issues.
+
+In the case of ath10k driver, the following errors were observed.
+
+ath10k_pci : failed to install key for non-existent peer XX:XX:XX:XX:XX:XX
+Workqueue: events_freezable ieee80211_restart_work [mac80211]
+(unwind_backtrace) from (show_stack+0x10/0x14)
+(show_stack) (dump_stack+0x80/0xa0)
+(dump_stack) (warn_slowpath_common+0x68/0x8c)
+(warn_slowpath_common) (warn_slowpath_null+0x18/0x20)
+(warn_slowpath_null) (ieee80211_enable_keys+0x88/0x154 [mac80211])
+(ieee80211_enable_keys) (ieee80211_reconfig+0xc90/0x19c8 [mac80211])
+(ieee80211_reconfig]) (ieee80211_restart_work+0x8c/0xa0 [mac80211])
+(ieee80211_restart_work) (process_one_work+0x284/0x488)
+(process_one_work) (worker_thread+0x228/0x360)
+(worker_thread) (kthread+0xd8/0xec)
+(kthread) (ret_from_fork+0x14/0x24)
+
+Also while bringing down the AP VAP, WARN_ONs and errors related to peer
+removal were observed.
+
+ath10k_pci : failed to clear all peer wep keys for vdev 0: -2
+ath10k_pci : failed to disassociate station: 8c:fd:f0:0a:8c:f5 vdev 0: -2
+(unwind_backtrace) (show_stack+0x10/0x14)
+(show_stack) (dump_stack+0x80/0xa0)
+(dump_stack) (warn_slowpath_common+0x68/0x8c)
+(warn_slowpath_common) (warn_slowpath_null+0x18/0x20)
+(warn_slowpath_null) (sta_set_sinfo+0xb98/0xc9c [mac80211])
+(sta_set_sinfo [mac80211]) (__sta_info_flush+0xf0/0x134 [mac80211])
+(__sta_info_flush [mac80211]) (ieee80211_stop_ap+0xe8/0x390 [mac80211])
+(ieee80211_stop_ap [mac80211]) (__cfg80211_stop_ap+0xe0/0x3dc [cfg80211])
+(__cfg80211_stop_ap [cfg80211]) (cfg80211_stop_ap+0x30/0x44 [cfg80211])
+(cfg80211_stop_ap [cfg80211]) (genl_rcv_msg+0x274/0x30c)
+(genl_rcv_msg) (netlink_rcv_skb+0x58/0xac)
+(netlink_rcv_skb) (genl_rcv+0x20/0x34)
+(genl_rcv) (netlink_unicast+0x11c/0x204)
+(netlink_unicast) (netlink_sendmsg+0x30c/0x370)
+(netlink_sendmsg) (sock_sendmsg+0x70/0x84)
+(sock_sendmsg) (___sys_sendmsg.part.3+0x188/0x228)
+(___sys_sendmsg.part.3) (__sys_sendmsg+0x4c/0x70)
+(__sys_sendmsg) (ret_fast_syscall+0x0/0x44)
+
+These issues got fixed by adding the stations which are
+tied to AP_VLANs back to the driver.
+
+Signed-off-by: Manikanta Pubbisetty <mpubbise@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/util.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -2068,7 +2068,8 @@ int ieee80211_reconfig(struct ieee80211_
+               if (!sta->uploaded)
+                       continue;
+-              if (sta->sdata->vif.type != NL80211_IFTYPE_AP)
++              if (sta->sdata->vif.type != NL80211_IFTYPE_AP &&
++                  sta->sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
+                       continue;
+               for (state = IEEE80211_STA_NOTEXIST;
diff --git a/queue-4.14/media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch b/queue-4.14/media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch
new file mode 100644 (file)
index 0000000..25ab202
--- /dev/null
@@ -0,0 +1,65 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Mon, 23 Jul 2018 14:39:33 -0700
+Subject: media: staging: omap4iss: Include asm/cacheflush.h after generic includes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 0894da849f145af51bde88a6b84f95b9c9e0bc66 ]
+
+Including asm/cacheflush.h first results in the following build error
+when trying to build sparc32:allmodconfig, because 'struct page' has not
+been declared, and the function declaration ends up creating a separate
+(private) declaration of struct page (as a result of function arguments
+being in the scope of the function declaration and definition, not in
+global scope).
+
+The C scoping rules do not just affect variable visibility, they also
+affect type declaration visibility.
+
+The end result is that when the actual call site is seen in
+<linux/highmem.h>, the 'struct page' type in the caller is not the same
+'struct page' that the function was declared with, resulting in:
+
+  In file included from arch/sparc/include/asm/page.h:10:0,
+                   ...
+                   from drivers/staging/media/omap4iss/iss_video.c:15:
+  include/linux/highmem.h: In function 'clear_user_highpage':
+  include/linux/highmem.h:137:31: error:
+       passing argument 1 of 'sparc_flush_page_to_ram' from incompatible
+       pointer type
+
+Include generic includes files first to fix the problem.
+
+Fixes: fc96d58c10162 ("[media] v4l: omap4iss: Add support for OMAP4 camera interface - Video devices")
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: David S. Miller <davem@davemloft.net>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+[ Added explanation of C scope rules - Linus ]
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/omap4iss/iss_video.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/media/omap4iss/iss_video.c
++++ b/drivers/staging/media/omap4iss/iss_video.c
+@@ -11,7 +11,6 @@
+  * (at your option) any later version.
+  */
+-#include <asm/cacheflush.h>
+ #include <linux/clk.h>
+ #include <linux/mm.h>
+ #include <linux/pagemap.h>
+@@ -24,6 +23,8 @@
+ #include <media/v4l2-ioctl.h>
+ #include <media/v4l2-mc.h>
++#include <asm/cacheflush.h>
++
+ #include "iss_video.h"
+ #include "iss.h"
diff --git a/queue-4.14/memcg-remove-memcg_cgroup-id-from-idr-on-mem_cgroup_css_alloc-failure.patch b/queue-4.14/memcg-remove-memcg_cgroup-id-from-idr-on-mem_cgroup_css_alloc-failure.patch
new file mode 100644 (file)
index 0000000..9a06aa8
--- /dev/null
@@ -0,0 +1,76 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Thu, 2 Aug 2018 15:36:01 -0700
+Subject: memcg: remove memcg_cgroup::id from IDR on mem_cgroup_css_alloc() failure
+
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+
+[ Upstream commit 7e97de0b033bcac4fa9a35cef72e0c06e6a22c67 ]
+
+In case of memcg_online_kmem() failure, memcg_cgroup::id remains hashed
+in mem_cgroup_idr even after memcg memory is freed.  This leads to leak
+of ID in mem_cgroup_idr.
+
+This patch adds removal into mem_cgroup_css_alloc(), which fixes the
+problem.  For better readability, it adds a generic helper which is used
+in mem_cgroup_alloc() and mem_cgroup_id_put_many() as well.
+
+Link: http://lkml.kernel.org/r/152354470916.22460.14397070748001974638.stgit@localhost.localdomain
+Fixes 73f576c04b94 ("mm: memcontrol: fix cgroup creation failure after many small jobs")
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memcontrol.c |   15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -4110,6 +4110,14 @@ static struct cftype mem_cgroup_legacy_f
+ static DEFINE_IDR(mem_cgroup_idr);
++static void mem_cgroup_id_remove(struct mem_cgroup *memcg)
++{
++      if (memcg->id.id > 0) {
++              idr_remove(&mem_cgroup_idr, memcg->id.id);
++              memcg->id.id = 0;
++      }
++}
++
+ static void mem_cgroup_id_get_many(struct mem_cgroup *memcg, unsigned int n)
+ {
+       VM_BUG_ON(atomic_read(&memcg->id.ref) <= 0);
+@@ -4120,8 +4128,7 @@ static void mem_cgroup_id_put_many(struc
+ {
+       VM_BUG_ON(atomic_read(&memcg->id.ref) < n);
+       if (atomic_sub_and_test(n, &memcg->id.ref)) {
+-              idr_remove(&mem_cgroup_idr, memcg->id.id);
+-              memcg->id.id = 0;
++              mem_cgroup_id_remove(memcg);
+               /* Memcg ID pins CSS */
+               css_put(&memcg->css);
+@@ -4258,8 +4265,7 @@ static struct mem_cgroup *mem_cgroup_all
+       idr_replace(&mem_cgroup_idr, memcg, memcg->id.id);
+       return memcg;
+ fail:
+-      if (memcg->id.id > 0)
+-              idr_remove(&mem_cgroup_idr, memcg->id.id);
++      mem_cgroup_id_remove(memcg);
+       __mem_cgroup_free(memcg);
+       return NULL;
+ }
+@@ -4318,6 +4324,7 @@ mem_cgroup_css_alloc(struct cgroup_subsy
+       return &memcg->css;
+ fail:
++      mem_cgroup_id_remove(memcg);
+       mem_cgroup_free(memcg);
+       return ERR_PTR(-ENOMEM);
+ }
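Review bot: The new `mem_cgroup_id_remove(memcg)` in the `fail:` path of mem_cgroup_css_alloc() runs after the pointer has already been published, because the context line `idr_replace(&mem_cgroup_idr, memcg, memcg->id.id)` at the end of mem_cgroup_alloc() makes the memcg reachable by ID before css_alloc has finished. The patch fixes the ID leak, but a lookup by ID that lands between the publish and this removal could presumably still obtain a memcg that is about to be freed. The lookup side (mem_cgroup_from_id() and its callers) is outside these hunks, so that needs checking there. The helper would also benefit from a comment stating its contract, for example `/* Unhash the ID and reset it to 0, so a second call is a no-op. */`. The second and fourth hunks show the helper being reachable from both a refcount-drop path and an allocation-failure path. All four hunks show only fragments of their enclosing functions.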
diff --git a/queue-4.14/mm-delete-historical-bug-from-zap_pmd_range.patch b/queue-4.14/mm-delete-historical-bug-from-zap_pmd_range.patch
new file mode 100644 (file)
index 0000000..256f04a
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Hugh Dickins <hughd@google.com>
+Date: Wed, 1 Aug 2018 11:31:52 -0700
+Subject: mm: delete historical BUG from zap_pmd_range()
+
+From: Hugh Dickins <hughd@google.com>
+
+[ Upstream commit 53406ed1bcfdabe4b5bc35e6d17946c6f9f563e2 ]
+
+Delete the old VM_BUG_ON_VMA() from zap_pmd_range(), which asserted
+that mmap_sem must be held when splitting an "anonymous" vma there.
+Whether that's still strictly true nowadays is not entirely clear,
+but the danger of sometimes crashing on the BUG is now fairly clear.
+
+Even with the new stricter rules for anonymous vma marking, the
+condition it checks for can possible trigger. Commit 44960f2a7b63
+("staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem
+pages") is good, and originally I thought it was safe from that
+VM_BUG_ON_VMA(), because the /dev/ashmem fd exposed to the user is
+disconnected from the vm_file in the vma, and madvise(,,MADV_REMOVE)
+insists on VM_SHARED.
+
+But after I read John's earlier mail, drawing attention to the
+vfs_fallocate() in there: I may be wrong, and I don't know if Android
+has THP in the config anyway, but it looks to me like an
+unmap_mapping_range() from ashmem's vfs_fallocate() could hit precisely
+the VM_BUG_ON_VMA(), once it's vma_is_anonymous().
+
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -1417,11 +1417,9 @@ static inline unsigned long zap_pmd_rang
+       do {
+               next = pmd_addr_end(addr, end);
+               if (is_swap_pmd(*pmd) || pmd_trans_huge(*pmd) || pmd_devmap(*pmd)) {
+-                      if (next - addr != HPAGE_PMD_SIZE) {
+-                              VM_BUG_ON_VMA(vma_is_anonymous(vma) &&
+-                                  !rwsem_is_locked(&tlb->mm->mmap_sem), vma);
++                      if (next - addr != HPAGE_PMD_SIZE)
+                               __split_huge_pmd(vma, pmd, addr, false, NULL);
+-                      } else if (zap_huge_pmd(tlb, vma, pmd, addr))
++                      else if (zap_huge_pmd(tlb, vma, pmd, addr))
+                               goto next;
+                       /* fall through */
+               }
diff --git a/queue-4.14/mm-memory.c-check-return-value-of-ioremap_prot.patch b/queue-4.14/mm-memory.c-check-return-value-of-ioremap_prot.patch
new file mode 100644 (file)
index 0000000..7d1864b
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: "jie@chenjie6@huwei.com" <jie@chenjie6@huwei.com>
+Date: Fri, 10 Aug 2018 17:23:06 -0700
+Subject: mm/memory.c: check return value of ioremap_prot
+
+From: "jie@chenjie6@huwei.com" <jie@chenjie6@huwei.com>
+
+[ Upstream commit 24eee1e4c47977bdfb71d6f15f6011e7b6188d04 ]
+
+ioremap_prot() can return NULL which could lead to an oops.
+
+Link: http://lkml.kernel.org/r/1533195441-58594-1-git-send-email-chenjie6@huawei.com
+Signed-off-by: chen jie <chenjie6@huawei.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Li Zefan <lizefan@huawei.com>
+Cc: chenjie <chenjie6@huawei.com>
+Cc: Yang Shi <shy828301@gmail.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -4348,6 +4348,9 @@ int generic_access_phys(struct vm_area_s
+               return -EINVAL;
+       maddr = ioremap_prot(phys_addr, PAGE_ALIGN(len + offset), prot);
++      if (!maddr)
++              return -ENOMEM;
++
+       if (write)
+               memcpy_toio(maddr + offset, buf, len);
+       else
diff --git a/queue-4.14/nbd-don-t-requeue-the-same-request-twice.patch b/queue-4.14/nbd-don-t-requeue-the-same-request-twice.patch
new file mode 100644 (file)
index 0000000..28d831a
--- /dev/null
@@ -0,0 +1,116 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Mon, 16 Jul 2018 12:11:34 -0400
+Subject: nbd: don't requeue the same request twice.
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit d7d94d48a272fd7583dc3c83acb8f5ed4ef456a4 ]
+
+We can race with the snd timeout and the per-request timeout and end up
+requeuing the same request twice.  We can't use the send_complete
+completion to tell if everything is ok because we hold the tx_lock
+during send, so the timeout stuff will block waiting to mark the socket
+dead, and we could be marked complete and still requeue.  Instead add a
+flag to the socket so we know whether we've been requeued yet.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/nbd.c |   21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -112,12 +112,15 @@ struct nbd_device {
+       struct task_struct *task_setup;
+ };
++#define NBD_CMD_REQUEUED      1
++
+ struct nbd_cmd {
+       struct nbd_device *nbd;
+       int index;
+       int cookie;
+       struct completion send_complete;
+       blk_status_t status;
++      unsigned long flags;
+ };
+ #if IS_ENABLED(CONFIG_DEBUG_FS)
+@@ -146,6 +149,14 @@ static inline struct device *nbd_to_dev(
+       return disk_to_dev(nbd->disk);
+ }
++static void nbd_requeue_cmd(struct nbd_cmd *cmd)
++{
++      struct request *req = blk_mq_rq_from_pdu(cmd);
++
++      if (!test_and_set_bit(NBD_CMD_REQUEUED, &cmd->flags))
++              blk_mq_requeue_request(req, true);
++}
++
+ static const char *nbdcmd_to_ascii(int cmd)
+ {
+       switch (cmd) {
+@@ -328,7 +339,7 @@ static enum blk_eh_timer_return nbd_xmit
+                                       nbd_mark_nsock_dead(nbd, nsock, 1);
+                               mutex_unlock(&nsock->tx_lock);
+                       }
+-                      blk_mq_requeue_request(req, true);
++                      nbd_requeue_cmd(cmd);
+                       nbd_config_put(nbd);
+                       return BLK_EH_NOT_HANDLED;
+               }
+@@ -484,6 +495,7 @@ static int nbd_send_cmd(struct nbd_devic
+                               nsock->pending = req;
+                               nsock->sent = sent;
+                       }
++                      set_bit(NBD_CMD_REQUEUED, &cmd->flags);
+                       return BLK_STS_RESOURCE;
+               }
+               dev_err_ratelimited(disk_to_dev(nbd->disk),
+@@ -525,6 +537,7 @@ send_pages:
+                                        */
+                                       nsock->pending = req;
+                                       nsock->sent = sent;
++                                      set_bit(NBD_CMD_REQUEUED, &cmd->flags);
+                                       return BLK_STS_RESOURCE;
+                               }
+                               dev_err(disk_to_dev(nbd->disk),
+@@ -793,7 +806,7 @@ again:
+        */
+       blk_mq_start_request(req);
+       if (unlikely(nsock->pending && nsock->pending != req)) {
+-              blk_mq_requeue_request(req, true);
++              nbd_requeue_cmd(cmd);
+               ret = 0;
+               goto out;
+       }
+@@ -806,7 +819,7 @@ again:
+               dev_err_ratelimited(disk_to_dev(nbd->disk),
+                                   "Request send failed, requeueing\n");
+               nbd_mark_nsock_dead(nbd, nsock, 1);
+-              blk_mq_requeue_request(req, true);
++              nbd_requeue_cmd(cmd);
+               ret = 0;
+       }
+ out:
+@@ -831,6 +844,7 @@ static blk_status_t nbd_queue_rq(struct
+        * done sending everything over the wire.
+        */
+       init_completion(&cmd->send_complete);
++      clear_bit(NBD_CMD_REQUEUED, &cmd->flags);
+       /* We can be called directly from the user space process, which means we
+        * could possibly have signals pending so our sendmsg will fail.  In
+@@ -1446,6 +1460,7 @@ static int nbd_init_request(struct blk_m
+ {
+       struct nbd_cmd *cmd = blk_mq_rq_to_pdu(rq);
+       cmd->nbd = set->driver_data;
++      cmd->flags = 0;
+       return 0;
+ }
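Review bot: `#define NBD_CMD_REQUEUED 1` is added without a comment, although it is a bit number for `cmd->flags` rather than a mask, and its lifetime is spread over four functions. A comment at the definition would help, for example `/* bit in nbd_cmd.flags: command already handed back for requeue; cleared in nbd_queue_rq() */`. The two bare `set_bit(NBD_CMD_REQUEUED, &cmd->flags)` calls before `return BLK_STS_RESOURCE` in nbd_send_cmd() also need a why-comment. They do not requeue anything themselves; presumably they stop a later `nbd_requeue_cmd()` from the timeout handler from requeuing a request the block layer will already retry. The enclosing functions of every hunk except `nbd_requeue_cmd()` itself start or end outside the visible lines, so the ordering between `clear_bit()` in nbd_queue_rq() and the timeout path cannot be confirmed from here.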
diff --git a/queue-4.14/nbd-handle-unexpected-replies-better.patch b/queue-4.14/nbd-handle-unexpected-replies-better.patch
new file mode 100644 (file)
index 0000000..c1dab99
--- /dev/null
@@ -0,0 +1,228 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Mon, 16 Jul 2018 12:11:35 -0400
+Subject: nbd: handle unexpected replies better
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 8f3ea35929a0806ad1397db99a89ffee0140822a ]
+
+If the server or network is misbehaving and we get an unexpected reply
+we can sometimes miss the request not being started and wait on a
+request and never get a response, or even double complete the same
+request.  Fix this by replacing the send_complete completion with just a
+per command lock.  Add a per command cookie as well so that we can know
+if we're getting a double completion for a previous event.  Also check
+to make sure we dont have REQUEUED set as that means we raced with the
+timeout handler and need to just let the retry occur.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/nbd.c |   75 ++++++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 61 insertions(+), 14 deletions(-)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -116,11 +116,12 @@ struct nbd_device {
+ struct nbd_cmd {
+       struct nbd_device *nbd;
++      struct mutex lock;
+       int index;
+       int cookie;
+-      struct completion send_complete;
+       blk_status_t status;
+       unsigned long flags;
++      u32 cmd_cookie;
+ };
+ #if IS_ENABLED(CONFIG_DEBUG_FS)
+@@ -157,6 +158,27 @@ static void nbd_requeue_cmd(struct nbd_c
+               blk_mq_requeue_request(req, true);
+ }
++#define NBD_COOKIE_BITS 32
++
++static u64 nbd_cmd_handle(struct nbd_cmd *cmd)
++{
++      struct request *req = blk_mq_rq_from_pdu(cmd);
++      u32 tag = blk_mq_unique_tag(req);
++      u64 cookie = cmd->cmd_cookie;
++
++      return (cookie << NBD_COOKIE_BITS) | tag;
++}
++
++static u32 nbd_handle_to_tag(u64 handle)
++{
++      return (u32)handle;
++}
++
++static u32 nbd_handle_to_cookie(u64 handle)
++{
++      return (u32)(handle >> NBD_COOKIE_BITS);
++}
++
+ static const char *nbdcmd_to_ascii(int cmd)
+ {
+       switch (cmd) {
+@@ -317,6 +339,9 @@ static enum blk_eh_timer_return nbd_xmit
+       }
+       config = nbd->config;
++      if (!mutex_trylock(&cmd->lock))
++              return BLK_EH_RESET_TIMER;
++
+       if (config->num_connections > 1) {
+               dev_err_ratelimited(nbd_to_dev(nbd),
+                                   "Connection timed out, retrying\n");
+@@ -339,6 +364,7 @@ static enum blk_eh_timer_return nbd_xmit
+                                       nbd_mark_nsock_dead(nbd, nsock, 1);
+                               mutex_unlock(&nsock->tx_lock);
+                       }
++                      mutex_unlock(&cmd->lock);
+                       nbd_requeue_cmd(cmd);
+                       nbd_config_put(nbd);
+                       return BLK_EH_NOT_HANDLED;
+@@ -349,6 +375,7 @@ static enum blk_eh_timer_return nbd_xmit
+       }
+       set_bit(NBD_TIMEDOUT, &config->runtime_flags);
+       cmd->status = BLK_STS_IOERR;
++      mutex_unlock(&cmd->lock);
+       sock_shutdown(nbd);
+       nbd_config_put(nbd);
+@@ -425,9 +452,9 @@ static int nbd_send_cmd(struct nbd_devic
+       struct iov_iter from;
+       unsigned long size = blk_rq_bytes(req);
+       struct bio *bio;
++      u64 handle;
+       u32 type;
+       u32 nbd_cmd_flags = 0;
+-      u32 tag = blk_mq_unique_tag(req);
+       int sent = nsock->sent, skip = 0;
+       iov_iter_kvec(&from, WRITE | ITER_KVEC, &iov, 1, sizeof(request));
+@@ -469,6 +496,8 @@ static int nbd_send_cmd(struct nbd_devic
+                       goto send_pages;
+               }
+               iov_iter_advance(&from, sent);
++      } else {
++              cmd->cmd_cookie++;
+       }
+       cmd->index = index;
+       cmd->cookie = nsock->cookie;
+@@ -477,7 +506,8 @@ static int nbd_send_cmd(struct nbd_devic
+               request.from = cpu_to_be64((u64)blk_rq_pos(req) << 9);
+               request.len = htonl(size);
+       }
+-      memcpy(request.handle, &tag, sizeof(tag));
++      handle = nbd_cmd_handle(cmd);
++      memcpy(request.handle, &handle, sizeof(handle));
+       dev_dbg(nbd_to_dev(nbd), "request %p: sending control (%s@%llu,%uB)\n",
+               cmd, nbdcmd_to_ascii(type),
+@@ -570,10 +600,12 @@ static struct nbd_cmd *nbd_read_stat(str
+       struct nbd_reply reply;
+       struct nbd_cmd *cmd;
+       struct request *req = NULL;
++      u64 handle;
+       u16 hwq;
+       u32 tag;
+       struct kvec iov = {.iov_base = &reply, .iov_len = sizeof(reply)};
+       struct iov_iter to;
++      int ret = 0;
+       reply.magic = 0;
+       iov_iter_kvec(&to, READ | ITER_KVEC, &iov, 1, sizeof(reply));
+@@ -591,8 +623,8 @@ static struct nbd_cmd *nbd_read_stat(str
+               return ERR_PTR(-EPROTO);
+       }
+-      memcpy(&tag, reply.handle, sizeof(u32));
+-
++      memcpy(&handle, reply.handle, sizeof(handle));
++      tag = nbd_handle_to_tag(handle);
+       hwq = blk_mq_unique_tag_to_hwq(tag);
+       if (hwq < nbd->tag_set.nr_hw_queues)
+               req = blk_mq_tag_to_rq(nbd->tag_set.tags[hwq],
+@@ -603,11 +635,25 @@ static struct nbd_cmd *nbd_read_stat(str
+               return ERR_PTR(-ENOENT);
+       }
+       cmd = blk_mq_rq_to_pdu(req);
++
++      mutex_lock(&cmd->lock);
++      if (cmd->cmd_cookie != nbd_handle_to_cookie(handle)) {
++              dev_err(disk_to_dev(nbd->disk), "Double reply on req %p, cmd_cookie %u, handle cookie %u\n",
++                      req, cmd->cmd_cookie, nbd_handle_to_cookie(handle));
++              ret = -ENOENT;
++              goto out;
++      }
++      if (test_bit(NBD_CMD_REQUEUED, &cmd->flags)) {
++              dev_err(disk_to_dev(nbd->disk), "Raced with timeout on req %p\n",
++                      req);
++              ret = -ENOENT;
++              goto out;
++      }
+       if (ntohl(reply.error)) {
+               dev_err(disk_to_dev(nbd->disk), "Other side returned error (%d)\n",
+                       ntohl(reply.error));
+               cmd->status = BLK_STS_IOERR;
+-              return cmd;
++              goto out;
+       }
+       dev_dbg(nbd_to_dev(nbd), "request %p: got reply\n", cmd);
+@@ -632,18 +678,18 @@ static struct nbd_cmd *nbd_read_stat(str
+                               if (nbd_disconnected(config) ||
+                                   config->num_connections <= 1) {
+                                       cmd->status = BLK_STS_IOERR;
+-                                      return cmd;
++                                      goto out;
+                               }
+-                              return ERR_PTR(-EIO);
++                              ret = -EIO;
++                              goto out;
+                       }
+                       dev_dbg(nbd_to_dev(nbd), "request %p: got %d bytes data\n",
+                               cmd, bvec.bv_len);
+               }
+-      } else {
+-              /* See the comment in nbd_queue_rq. */
+-              wait_for_completion(&cmd->send_complete);
+       }
+-      return cmd;
++out:
++      mutex_unlock(&cmd->lock);
++      return ret ? ERR_PTR(ret) : cmd;
+ }
+ static void recv_work(struct work_struct *work)
+@@ -843,7 +889,7 @@ static blk_status_t nbd_queue_rq(struct
+        * that the server is misbehaving (or there was an error) before we're
+        * done sending everything over the wire.
+        */
+-      init_completion(&cmd->send_complete);
++      mutex_lock(&cmd->lock);
+       clear_bit(NBD_CMD_REQUEUED, &cmd->flags);
+       /* We can be called directly from the user space process, which means we
+@@ -856,7 +902,7 @@ static blk_status_t nbd_queue_rq(struct
+               ret = BLK_STS_IOERR;
+       else if (!ret)
+               ret = BLK_STS_OK;
+-      complete(&cmd->send_complete);
++      mutex_unlock(&cmd->lock);
+       return ret;
+ }
+@@ -1461,6 +1507,7 @@ static int nbd_init_request(struct blk_m
+       struct nbd_cmd *cmd = blk_mq_rq_to_pdu(rq);
+       cmd->nbd = set->driver_data;
+       cmd->flags = 0;
++      mutex_init(&cmd->lock);
+       return 0;
+ }
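Review bot: In nbd_xmit_timeout() the added `mutex_unlock(&cmd->lock);` comes before `nbd_requeue_cmd(cmd);`, which leaves a window in which `NBD_CMD_REQUEUED` is not yet set and the lock is free. nbd_read_stat() tests that bit under `cmd->lock`, so a reply arriving in the window would pass both new checks and the request could be completed and then requeued, which is the double handling this patch sets out to prevent. Unless blk_mq_requeue_request() must not run with the mutex held (not visible here), swapping the two lines closes the window: `nbd_requeue_cmd(cmd);` then `mutex_unlock(&cmd->lock);`. Separately, the new "Double reply" and "Raced with timeout" messages use plain `dev_err()` on a path driven by what the remote server sends, while the neighbouring timeout and send paths use `dev_err_ratelimited()`; the ratelimited form would keep a misbehaving peer from flooding the log. `cmd->cmd_cookie` is also not initialised next to `cmd->flags = 0` in nbd_init_request(), which is harmless only if the PDU memory is zeroed by the allocator.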
diff --git a/queue-4.14/net-axienet-fix-double-deregister-of-mdio.patch b/queue-4.14/net-axienet-fix-double-deregister-of-mdio.patch
new file mode 100644 (file)
index 0000000..a35d744
--- /dev/null
@@ -0,0 +1,61 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Date: Tue, 24 Jul 2018 10:09:53 +0530
+Subject: net: axienet: Fix double deregister of mdio
+
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+
+[ Upstream commit 03bc7cab7d7218088412a75e141696a89059ab00 ]
+
+If the registration fails then mdio_unregister is called.
+However at unbind the unregister ia attempted again resulting
+in the below crash
+
+[   73.544038] kernel BUG at drivers/net/phy/mdio_bus.c:415!
+[   73.549362] Internal error: Oops - BUG: 0 [#1] SMP
+[   73.554127] Modules linked in:
+[   73.557168] CPU: 0 PID: 2249 Comm: sh Not tainted 4.14.0 #183
+[   73.562895] Hardware name: xlnx,zynqmp (DT)
+[   73.567062] task: ffffffc879e41180 task.stack: ffffff800cbe0000
+[   73.572973] PC is at mdiobus_unregister+0x84/0x88
+[   73.577656] LR is at axienet_mdio_teardown+0x18/0x30
+[   73.582601] pc : [<ffffff80085fa4cc>] lr : [<ffffff8008616858>]
+pstate: 20000145
+[   73.589981] sp : ffffff800cbe3c30
+[   73.593277] x29: ffffff800cbe3c30 x28: ffffffc879e41180
+[   73.598573] x27: ffffff8008a21000 x26: 0000000000000040
+[   73.603868] x25: 0000000000000124 x24: ffffffc879efe920
+[   73.609164] x23: 0000000000000060 x22: ffffffc879e02000
+[   73.614459] x21: ffffffc879e02800 x20: ffffffc87b0b8870
+[   73.619754] x19: ffffffc879e02800 x18: 000000000000025d
+[   73.625050] x17: 0000007f9a719ad0 x16: ffffff8008195bd8
+[   73.630345] x15: 0000007f9a6b3d00 x14: 0000000000000010
+[   73.635640] x13: 74656e7265687465 x12: 0000000000000030
+[   73.640935] x11: 0000000000000030 x10: 0101010101010101
+[   73.646231] x9 : 241f394f42533300 x8 : ffffffc8799f6e98
+[   73.651526] x7 : ffffffc8799f6f18 x6 : ffffffc87b0ba318
+[   73.656822] x5 : ffffffc87b0ba498 x4 : 0000000000000000
+[   73.662117] x3 : 0000000000000000 x2 : 0000000000000008
+[   73.667412] x1 : 0000000000000004 x0 : ffffffc8799f4000
+[   73.672708] Process sh (pid: 2249, stack limit = 0xffffff800cbe0000)
+
+Fix the same by making the bus NULL on unregister.
+
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c
+@@ -218,6 +218,7 @@ issue:
+       ret = of_mdiobus_register(bus, np1);
+       if (ret) {
+               mdiobus_free(bus);
++              lp->mii_bus = NULL;
+               return ret;
+       }
+       return 0;
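Review bot: Clearing `lp->mii_bus` after `mdiobus_free(bus)` only helps if every later user of the pointer tests it for NULL, and the teardown path named in the oops (`axienet_mdio_teardown`) is not part of this hunk. If that function still passes `lp->mii_bus` to `mdiobus_unregister()` unconditionally, the stale-pointer BUG would presumably become a NULL dereference at unbind, so confirm the guard exists or add `if (!lp->mii_bus) return;` at its top. A short comment on the new line, e.g. `/* bus was freed above; do not leave a dangling pointer for unbind */`, would record why the assignment is there. The enclosing setup function starts outside the hunk.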
diff --git a/queue-4.14/net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch b/queue-4.14/net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch
new file mode 100644 (file)
index 0000000..048370f
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 19 Jul 2018 10:27:13 +0800
+Subject: net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 64119e05f7b31e83e2555f6782e6cdc8f81c63f4 ]
+
+Add a missing rcu_read_unlock in the error path
+
+Fixes: c95567c80352 ("caif: added check for potential null return")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/caif_dev.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/caif/caif_dev.c
++++ b/net/caif/caif_dev.c
+@@ -131,8 +131,10 @@ static void caif_flow_cb(struct sk_buff
+       caifd = caif_get(skb->dev);
+       WARN_ON(caifd == NULL);
+-      if (caifd == NULL)
++      if (!caifd) {
++              rcu_read_unlock();
+               return;
++      }
+       caifd_hold(caifd);
+       rcu_read_unlock();
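Review bot: The NULL test on `caifd` in caif_flow_cb is now written twice in a row, once as `WARN_ON(caifd == NULL);` and once as `if (!caifd) {`. Folding them into `if (WARN_ON(!caifd)) {` keeps the warning, the added `rcu_read_unlock()` and the early return on a single condition, so the check and the warning cannot drift apart. The rest of the function, including where the RCU read-side section is entered, is outside the hunk.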
diff --git a/queue-4.14/net-prevent-isa-drivers-from-building-on-ppc32.patch b/queue-4.14/net-prevent-isa-drivers-from-building-on-ppc32.patch
new file mode 100644 (file)
index 0000000..3acb4c6
--- /dev/null
@@ -0,0 +1,77 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sat, 21 Jul 2018 12:59:25 -0700
+Subject: net: prevent ISA drivers from building on PPC32
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit c9ce1fa1c24b08e13c2a3b5b1f94a19c9eaa982c ]
+
+Prevent drivers from building on PPC32 if they use isa_bus_to_virt(),
+isa_virt_to_bus(), or isa_page_to_bus(), which are not available and
+thus cause build errors.
+
+../drivers/net/ethernet/3com/3c515.c: In function 'corkscrew_open':
+../drivers/net/ethernet/3com/3c515.c:824:9: error: implicit declaration of function 'isa_virt_to_bus'; did you mean 'virt_to_bus'? [-Werror=implicit-function-declaration]
+
+../drivers/net/ethernet/amd/lance.c: In function 'lance_rx':
+../drivers/net/ethernet/amd/lance.c:1203:23: error: implicit declaration of function 'isa_bus_to_virt'; did you mean 'bus_to_virt'? [-Werror=implicit-function-declaration]
+
+../drivers/net/ethernet/amd/ni65.c: In function 'ni65_init_lance':
+../drivers/net/ethernet/amd/ni65.c:585:20: error: implicit declaration of function 'isa_virt_to_bus'; did you mean 'virt_to_bus'? [-Werror=implicit-function-declaration]
+
+../drivers/net/ethernet/cirrus/cs89x0.c: In function 'net_open':
+../drivers/net/ethernet/cirrus/cs89x0.c:897:20: error: implicit declaration of function 'isa_virt_to_bus'; did you mean 'virt_to_bus'? [-Werror=implicit-function-declaration]
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/3com/Kconfig   |    2 +-
+ drivers/net/ethernet/amd/Kconfig    |    4 ++--
+ drivers/net/ethernet/cirrus/Kconfig |    1 +
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/3com/Kconfig
++++ b/drivers/net/ethernet/3com/Kconfig
+@@ -32,7 +32,7 @@ config EL3
+ config 3C515
+       tristate "3c515 ISA \"Fast EtherLink\""
+-      depends on ISA && ISA_DMA_API
++      depends on ISA && ISA_DMA_API && !PPC32
+       ---help---
+         If you have a 3Com ISA EtherLink XL "Corkscrew" 3c515 Fast Ethernet
+         network card, say Y here.
+--- a/drivers/net/ethernet/amd/Kconfig
++++ b/drivers/net/ethernet/amd/Kconfig
+@@ -44,7 +44,7 @@ config AMD8111_ETH
+ config LANCE
+       tristate "AMD LANCE and PCnet (AT1500 and NE2100) support"
+-      depends on ISA && ISA_DMA_API && !ARM
++      depends on ISA && ISA_DMA_API && !ARM && !PPC32
+       ---help---
+         If you have a network (Ethernet) card of this type, say Y here.
+         Some LinkSys cards are of this type.
+@@ -138,7 +138,7 @@ config PCMCIA_NMCLAN
+ config NI65
+       tristate "NI6510 support"
+-      depends on ISA && ISA_DMA_API && !ARM
++      depends on ISA && ISA_DMA_API && !ARM && !PPC32
+       ---help---
+         If you have a network (Ethernet) card of this type, say Y here.
+--- a/drivers/net/ethernet/cirrus/Kconfig
++++ b/drivers/net/ethernet/cirrus/Kconfig
+@@ -19,6 +19,7 @@ if NET_VENDOR_CIRRUS
+ config CS89x0
+       tristate "CS89x0 support"
+       depends on ISA || EISA || ARM
++      depends on !PPC32
+       ---help---
+         Support for CS89x0 chipset based Ethernet cards. If you have a
+         network (Ethernet) card of this type, say Y and read the file
diff --git a/queue-4.14/netfilter-nf_tables-don-t-allow-to-rename-to-already-pending-name.patch b/queue-4.14/netfilter-nf_tables-don-t-allow-to-rename-to-already-pending-name.patch
new file mode 100644 (file)
index 0000000..df99ec8
--- /dev/null
@@ -0,0 +1,107 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 17 Jul 2018 07:17:56 +0200
+Subject: netfilter: nf_tables: don't allow to rename to already-pending name
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit c6cc94df65c3174be92afbee638f11cbb5e606a7 ]
+
+Its possible to rename two chains to the same name in one
+transaction:
+
+nft add chain t c1
+nft add chain t c2
+nft 'rename chain t c1 c3;rename chain t c2 c3'
+
+This creates two chains named 'c3'.
+
+Appears to be harmless, both chains can still be deleted both
+by name or handle, but, nevertheless, its a bug.
+
+Walk transaction log and also compare vs. the pending renames.
+
+Both chains can still be deleted, but nevertheless it is a bug as
+we don't allow to create chains with identical names, so we should
+prevent this from happening-by-rename too.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c |   42 +++++++++++++++++++++++++++++-------------
+ 1 file changed, 29 insertions(+), 13 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1480,7 +1480,6 @@ static int nf_tables_updchain(struct nft
+       struct nft_base_chain *basechain;
+       struct nft_stats *stats = NULL;
+       struct nft_chain_hook hook;
+-      const struct nlattr *name;
+       struct nf_hook_ops *ops;
+       struct nft_trans *trans;
+       int err, i;
+@@ -1531,12 +1530,11 @@ static int nf_tables_updchain(struct nft
+                       return PTR_ERR(stats);
+       }
++      err = -ENOMEM;
+       trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
+                               sizeof(struct nft_trans_chain));
+-      if (trans == NULL) {
+-              free_percpu(stats);
+-              return -ENOMEM;
+-      }
++      if (trans == NULL)
++              goto err;
+       nft_trans_chain_stats(trans) = stats;
+       nft_trans_chain_update(trans) = true;
+@@ -1546,19 +1544,37 @@ static int nf_tables_updchain(struct nft
+       else
+               nft_trans_chain_policy(trans) = -1;
+-      name = nla[NFTA_CHAIN_NAME];
+-      if (nla[NFTA_CHAIN_HANDLE] && name) {
+-              nft_trans_chain_name(trans) =
+-                      nla_strdup(name, GFP_KERNEL);
+-              if (!nft_trans_chain_name(trans)) {
+-                      kfree(trans);
+-                      free_percpu(stats);
+-                      return -ENOMEM;
++      if (nla[NFTA_CHAIN_HANDLE] &&
++          nla[NFTA_CHAIN_NAME]) {
++              struct nft_trans *tmp;
++              char *name;
++
++              err = -ENOMEM;
++              name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
++              if (!name)
++                      goto err;
++
++              err = -EEXIST;
++              list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
++                      if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
++                          tmp->ctx.table == table &&
++                          nft_trans_chain_update(tmp) &&
++                          nft_trans_chain_name(tmp) &&
++                          strcmp(name, nft_trans_chain_name(tmp)) == 0) {
++                              kfree(name);
++                              goto err;
++                      }
+               }
++
++              nft_trans_chain_name(trans) = name;
+       }
+       list_add_tail(&trans->list, &ctx->net->nft.commit_list);
+       return 0;
++err:
++      free_percpu(stats);
++      kfree(trans);
++      return err;
+ }
+ static int nf_tables_newchain(struct net *net, struct sock *nlsk,
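Review bot: The scan over `ctx->net->nft.commit_list` in nf_tables_updchain has no comment saying why the transaction log must be searched in addition to whatever name lookup happens earlier in the function. Going by the commit messages on this page, a rename lives only in the transaction metadata until commit, so a comment above `list_for_each_entry` such as `/* a pending rename is only recorded in the transaction log until commit, so reject a name another rename in this batch already claims */` would make the intent clear. The new `err:` label is also reached with `trans == NULL` (allocation failure) and with `stats == NULL`, and relies on `kfree()` and `free_percpu()` accepting NULL; a one-line note at the label would keep a later edit from dereferencing `trans` there. The function starts outside the hunk.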
diff --git a/queue-4.14/netfilter-nf_tables-fix-memory-leaks-on-chain-rename.patch b/queue-4.14/netfilter-nf_tables-fix-memory-leaks-on-chain-rename.patch
new file mode 100644 (file)
index 0000000..3dd85e1
--- /dev/null
@@ -0,0 +1,70 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 17 Jul 2018 07:17:55 +0200
+Subject: netfilter: nf_tables: fix memory leaks on chain rename
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 9f8aac0be21ed5f99bd5ba0ff315d710737d1794 ]
+
+The new name is stored in the transaction metadata, on commit,
+the pointers to the old and new names are swapped.
+
+Therefore in abort and commit case we have to free the
+pointer in the chain_trans container.
+
+In commit case, the pointer can be used by another cpu that
+is currently dumping the renamed chain, thus kfree needs to
+happen after waiting for rcu readers to complete.
+
+Fixes: b7263e071a ("netfilter: nf_tables: Allow chain name of up to 255 chars")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c |   17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5043,6 +5043,9 @@ static void nf_tables_commit_release(str
+       case NFT_MSG_DELTABLE:
+               nf_tables_table_destroy(&trans->ctx);
+               break;
++      case NFT_MSG_NEWCHAIN:
++              kfree(nft_trans_chain_name(trans));
++              break;
+       case NFT_MSG_DELCHAIN:
+               nf_tables_chain_destroy(trans->ctx.chain);
+               break;
+@@ -5100,13 +5103,15 @@ static int nf_tables_commit(struct net *
+                       nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
+                       break;
+               case NFT_MSG_NEWCHAIN:
+-                      if (nft_trans_chain_update(trans))
++                      if (nft_trans_chain_update(trans)) {
+                               nft_chain_commit_update(trans);
+-                      else
++                              nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
++                              /* trans destroyed after rcu grace period */
++                      } else {
+                               nft_clear(net, trans->ctx.chain);
+-
+-                      nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
+-                      nft_trans_destroy(trans);
++                              nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
++                              nft_trans_destroy(trans);
++                      }
+                       break;
+               case NFT_MSG_DELCHAIN:
+                       list_del_rcu(&trans->ctx.chain->list);
+@@ -5246,7 +5251,7 @@ static int nf_tables_abort(struct net *n
+               case NFT_MSG_NEWCHAIN:
+                       if (nft_trans_chain_update(trans)) {
+                               free_percpu(nft_trans_chain_stats(trans));
+-
++                              kfree(nft_trans_chain_name(trans));
+                               nft_trans_destroy(trans);
+                       } else {
+                               trans->ctx.table->use--;
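Review bot: The new `case NFT_MSG_NEWCHAIN:` in nf_tables_commit_release frees `nft_trans_chain_name(trans)` without saying which transactions can reach it or why the free is deferred to this point. From the nf_tables_commit hunk, only chain updates are left alive for the release step (the non-update branch still calls `nft_trans_destroy(trans)`), and per the commit message the pointer may still be read by a concurrent dump until RCU readers are done. A comment such as `/* only chain updates reach here; the name swapped out at commit is freed after the grace period */` would document that ordering, which the terse `/* trans destroyed after rcu grace period */` in the commit path only hints at. Both functions extend outside the hunks shown.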
diff --git a/queue-4.14/netfilter-nft_set_hash-add-rcu_barrier-in-the-nft_rhash_destroy.patch b/queue-4.14/netfilter-nft_set_hash-add-rcu_barrier-in-the-nft_rhash_destroy.patch
new file mode 100644 (file)
index 0000000..35c8ff1
--- /dev/null
@@ -0,0 +1,116 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Tue, 10 Jul 2018 23:21:08 +0900
+Subject: netfilter: nft_set_hash: add rcu_barrier() in the nft_rhash_destroy()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 9970a8e40d4c39e23d62d32540366d1d7d2cce9b ]
+
+GC of set uses call_rcu() to destroy elements.
+So that elements would be destroyed after destroying sets and chains.
+But, elements should be destroyed before destroying sets and chains.
+In order to wait calling call_rcu(), a rcu_barrier() is added.
+
+In order to test correctly, below patch should be applied.
+https://patchwork.ozlabs.org/patch/940883/
+
+test scripts:
+   %cat test.nft
+   table ip aa {
+          map map1 {
+                  type ipv4_addr : verdict; flags timeout;
+                  elements = {
+                          0 : jump a0,
+                          1 : jump a0,
+                          2 : jump a0,
+                          3 : jump a0,
+                          4 : jump a0,
+                          5 : jump a0,
+                          6 : jump a0,
+                          7 : jump a0,
+                          8 : jump a0,
+                          9 : jump a0,
+                  }
+                  timeout 1s;
+          }
+          chain a0 {
+          }
+   }
+   flush ruleset
+
+   [ ... ]
+
+   table ip aa {
+          map map1 {
+                  type ipv4_addr : verdict; flags timeout;
+                  elements = {
+                          0 : jump a0,
+                          1 : jump a0,
+                          2 : jump a0,
+                          3 : jump a0,
+                          4 : jump a0,
+                          5 : jump a0,
+                          6 : jump a0,
+                          7 : jump a0,
+                          8 : jump a0,
+                          9 : jump a0,
+                  }
+                  timeout 1s;
+          }
+          chain a0 {
+          }
+   }
+   flush ruleset
+
+Splat looks like:
+[  200.795603] kernel BUG at net/netfilter/nf_tables_api.c:1363!
+[  200.806944] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[  200.812253] CPU: 1 PID: 1582 Comm: nft Not tainted 4.17.0+ #24
+[  200.820297] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
+[  200.830309] RIP: 0010:nf_tables_chain_destroy.isra.34+0x62/0x240 [nf_tables]
+[  200.838317] Code: 43 50 85 c0 74 26 48 8b 45 00 48 8b 4d 08 ba 54 05 00 00 48 c7 c6 60 6d 29 c0 48 c7 c7 c0 65 29 c0
+4c 8b 40 08 e8 58 e5 fd f8 <0f> 0b 48 89 da 48 b8 00 00 00 00 00 fc ff
+[  200.860366] RSP: 0000:ffff880118dbf4d0 EFLAGS: 00010282
+[  200.866354] RAX: 0000000000000061 RBX: ffff88010cdeaf08 RCX: 0000000000000000
+[  200.874355] RDX: 0000000000000061 RSI: 0000000000000008 RDI: ffffed00231b7e90
+[  200.882361] RBP: ffff880118dbf4e8 R08: ffffed002373bcfb R09: ffffed002373bcfa
+[  200.890354] R10: 0000000000000000 R11: ffffed002373bcfb R12: dead000000000200
+[  200.898356] R13: dead000000000100 R14: ffffffffbb62af38 R15: dffffc0000000000
+[  200.906354] FS:  00007fefc31fd700(0000) GS:ffff88011b800000(0000) knlGS:0000000000000000
+[  200.915533] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  200.922355] CR2: 0000557f1c8e9128 CR3: 0000000106880000 CR4: 00000000001006e0
+[  200.930353] Call Trace:
+[  200.932351]  ? nf_tables_commit+0x26f6/0x2c60 [nf_tables]
+[  200.939525]  ? nf_tables_setelem_notify.constprop.49+0x1a0/0x1a0 [nf_tables]
+[  200.947525]  ? nf_tables_delchain+0x6e0/0x6e0 [nf_tables]
+[  200.952383]  ? nft_add_set_elem+0x1700/0x1700 [nf_tables]
+[  200.959532]  ? nla_parse+0xab/0x230
+[  200.963529]  ? nfnetlink_rcv_batch+0xd06/0x10d0 [nfnetlink]
+[  200.968384]  ? nfnetlink_net_init+0x130/0x130 [nfnetlink]
+[  200.975525]  ? debug_show_all_locks+0x290/0x290
+[  200.980363]  ? debug_show_all_locks+0x290/0x290
+[  200.986356]  ? sched_clock_cpu+0x132/0x170
+[  200.990352]  ? find_held_lock+0x39/0x1b0
+[  200.994355]  ? sched_clock_local+0x10d/0x130
+[  200.999531]  ? memset+0x1f/0x40
+
+Fixes: 9d0982927e79 ("netfilter: nft_hash: add support for timeouts")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_set_hash.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netfilter/nft_set_hash.c
++++ b/net/netfilter/nft_set_hash.c
+@@ -359,6 +359,7 @@ static void nft_rhash_destroy(const stru
+       struct nft_rhash *priv = nft_set_priv(set);
+       cancel_delayed_work_sync(&priv->gc_work);
++      rcu_barrier();
+       rhashtable_free_and_destroy(&priv->ht, nft_rhash_elem_destroy,
+                                   (void *)set);
+ }
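Review bot: The added `rcu_barrier();` in nft_rhash_destroy carries no comment, and a bare barrier in a destroy path is the kind of line that later gets removed as an apparent no-op. Going by the commit message, it waits for the element-destroy callbacks that set GC queued with `call_rcu()`, so that elements are gone before the set and the chains they refer to are torn down. Suggest `/* wait for call_rcu() callbacks queued by GC so elements are destroyed before the set */` above the call. It would also be worth stating that the barrier must stay after `cancel_delayed_work_sync()`, since a still-running worker could presumably queue further callbacks after the barrier returned.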
diff --git a/queue-4.14/nfp-flower-fix-port-metadata-conversion-bug.patch b/queue-4.14/nfp-flower-fix-port-metadata-conversion-bug.patch
new file mode 100644 (file)
index 0000000..ebd7086
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: John Hurley <john.hurley@netronome.com>
+Date: Fri, 27 Jul 2018 20:56:52 -0700
+Subject: nfp: flower: fix port metadata conversion bug
+
+From: John Hurley <john.hurley@netronome.com>
+
+[ Upstream commit ee614c871014045b45fae149b7245fc22a0bbdd8 ]
+
+Function nfp_flower_repr_get_type_and_port expects an enum nfp_repr_type
+return value but, if the repr type is unknown, returns a value of type
+enum nfp_flower_cmsg_port_type.  This means that if FW encodes the port
+ID in a way the driver does not understand instead of dropping the frame
+driver may attribute it to a physical port (uplink) provided the port
+number is less than physical port count.
+
+Fix this and ensure a net_device of NULL is returned if the repr can not
+be determined.
+
+Fixes: 1025351a88a4 ("nfp: add flower app")
+Signed-off-by: John Hurley <john.hurley@netronome.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/main.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/main.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/main.c
+@@ -79,7 +79,7 @@ nfp_flower_repr_get_type_and_port(struct
+                       return NFP_REPR_TYPE_VF;
+       }
+-      return NFP_FLOWER_CMSG_PORT_TYPE_UNSPEC;
++      return __NFP_REPR_TYPE_MAX;
+ }
+ static struct net_device *
+@@ -90,6 +90,8 @@ nfp_flower_repr_get(struct nfp_app *app,
+       u8 port = 0;
+       repr_type = nfp_flower_repr_get_type_and_port(app, port_id, &port);
++      if (repr_type > NFP_REPR_TYPE_MAX)
++              return NULL;
+       reprs = rcu_dereference(app->reprs[repr_type]);
+       if (!reprs)
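Review bot: The bound check added in nfp_flower_repr_get, `if (repr_type > NFP_REPR_TYPE_MAX)`, is written against a different constant than the sentinel the first hunk returns, `__NFP_REPR_TYPE_MAX`. It guards the index in `app->reprs[repr_type]`, which according to the commit message is derived from a firmware-encoded port ID, and it is only correct if `__NFP_REPR_TYPE_MAX` is greater than `NFP_REPR_TYPE_MAX`; the enum definition is not visible here. Assuming the usual `MAX = __MAX - 1` layout, writing the test as `if (repr_type >= __NFP_REPR_TYPE_MAX)` would tie it directly to the returned sentinel, and a comment on the `return __NFP_REPR_TYPE_MAX;` line (`/* unknown port encoding: caller must drop the frame */`) would state the contract. Both functions start outside the hunks.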
diff --git a/queue-4.14/nl80211-add-a-missing-break-in-parse_station_flags.patch b/queue-4.14/nl80211-add-a-missing-break-in-parse_station_flags.patch
new file mode 100644 (file)
index 0000000..c63b241
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Date: Sun, 8 Jul 2018 09:57:22 +0000
+Subject: nl80211: Add a missing break in parse_station_flags
+
+From: Bernd Edlinger <bernd.edlinger@hotmail.de>
+
+[ Upstream commit 5cf3006cc81d9aa09a10aa781fc065546b12919d ]
+
+I was looking at usually suppressed gcc warnings,
+[-Wimplicit-fallthrough=] in this case:
+
+The code definitely looks like a break is missing here.
+However I am not able to test the NL80211_IFTYPE_MESH_POINT,
+nor do I actually know what might be :)
+So please use this patch with caution and only if you are
+able to do some testing.
+
+Signed-off-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+[johannes: looks obvious enough to apply as is, interesting
+ though that it never seems to have been a problem]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/nl80211.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -4186,6 +4186,7 @@ static int parse_station_flags(struct ge
+               params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
+                                        BIT(NL80211_STA_FLAG_MFP) |
+                                        BIT(NL80211_STA_FLAG_AUTHORIZED);
++              break;
+       default:
+               return -EINVAL;
+       }
diff --git a/queue-4.14/perf-x86-amd-ibs-don-t-access-non-started-event.patch b/queue-4.14/perf-x86-amd-ibs-don-t-access-non-started-event.patch
new file mode 100644 (file)
index 0000000..06e055f
--- /dev/null
@@ -0,0 +1,76 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri, 20 Jul 2018 10:39:07 +0200
+Subject: perf/x86/amd/ibs: Don't access non-started event
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit d2753e6b4882a637a0e8fb3b9c2e15f33265300e ]
+
+Paul Menzel reported the following bug:
+
+> Enabling the undefined behavior sanitizer and building GNU/Linux 4.18-rc5+
+> (with some unrelated commits) with GCC 8.1.0 from Debian Sid/unstable, the
+> warning below is shown.
+>
+> > [    2.111913]
+> > ================================================================================
+> > [    2.111917] UBSAN: Undefined behaviour in arch/x86/events/amd/ibs.c:582:24
+> > [    2.111919] member access within null pointer of type 'struct perf_event'
+> > [    2.111926] CPU: 0 PID: 144 Comm: udevadm Not tainted 4.18.0-rc5-00316-g4864b68cedf2 #104
+> > [    2.111928] Hardware name: ASROCK E350M1/E350M1, BIOS TIMELESS 01/01/1970
+> > [    2.111930] Call Trace:
+> > [    2.111943]  dump_stack+0x55/0x89
+> > [    2.111949]  ubsan_epilogue+0xb/0x33
+> > [    2.111953]  handle_null_ptr_deref+0x7f/0x90
+> > [    2.111958]  __ubsan_handle_type_mismatch_v1+0x55/0x60
+> > [    2.111964]  perf_ibs_handle_irq+0x596/0x620
+
+The code dereferences event before checking the STARTED bit. Patch
+below should cure the issue.
+
+The warning should not trigger, if I analyzed the thing correctly.
+(And Paul's testing confirms this.)
+
+Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Paul Menzel <pmenzel+linux-x86@molgen.mpg.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Link: http://lkml.kernel.org/r/alpine.DEB.2.21.1807200958390.1580@nanos.tec.linutronix.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/amd/ibs.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/events/amd/ibs.c
++++ b/arch/x86/events/amd/ibs.c
+@@ -579,7 +579,7 @@ static int perf_ibs_handle_irq(struct pe
+ {
+       struct cpu_perf_ibs *pcpu = this_cpu_ptr(perf_ibs->pcpu);
+       struct perf_event *event = pcpu->event;
+-      struct hw_perf_event *hwc = &event->hw;
++      struct hw_perf_event *hwc;
+       struct perf_sample_data data;
+       struct perf_raw_record raw;
+       struct pt_regs regs;
+@@ -602,6 +602,10 @@ fail:
+               return 0;
+       }
++      if (WARN_ON_ONCE(!event))
++              goto fail;
++
++      hwc = &event->hw;
+       msr = hwc->config_base;
+       buf = ibs_data.regs;
+       rdmsrl(msr, *buf);
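Review bot: `hwc` is now declared without an initializer at the top of perf_ibs_handle_irq and is only assigned by `hwc = &event->hw;` after the new NULL check, so any path that reaches a use of `hwc` without passing that line would read an indeterminate pointer. In the visible lines the first use (`msr = hwc->config_base;`) follows the assignment, but the code between the declaration and the `fail:` block is outside the hunks and should be checked for earlier uses. A comment above the new check, e.g. `/* STARTED is set but no event is attached: treat the NMI as spurious */`, would also explain why a case the commit message expects never to happen is routed to `fail`.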
diff --git a/queue-4.14/qed-correct-multicast-api-to-reflect-existence-of-256-approximate-buckets.patch b/queue-4.14/qed-correct-multicast-api-to-reflect-existence-of-256-approximate-buckets.patch
new file mode 100644 (file)
index 0000000..14f5027
--- /dev/null
@@ -0,0 +1,140 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
+Date: Wed, 18 Jul 2018 22:50:04 -0700
+Subject: qed: Correct Multicast API to reflect existence of 256 approximate buckets.
+
+From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
+
+[ Upstream commit 25c020a90919632b3425c19dc09188d56b9ed59a ]
+
+FW hsi contains 256 approximation buckets which are split in ramrod into
+eight u32 values, but driver is using eight 'unsigned long' variables.
+
+This patch fixes the mcast logic by making the API utilize u32.
+
+Fixes: 83aeb933 ("qed*: Trivial modifications")
+Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
+Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
+Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_l2.c    |   15 +++++++--------
+ drivers/net/ethernet/qlogic/qed/qed_l2.h    |    2 +-
+ drivers/net/ethernet/qlogic/qed/qed_sriov.c |    2 +-
+ drivers/net/ethernet/qlogic/qed/qed_vf.c    |    4 ++--
+ drivers/net/ethernet/qlogic/qed/qed_vf.h    |    7 ++++++-
+ 5 files changed, 17 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_l2.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_l2.c
+@@ -663,7 +663,7 @@ qed_sp_update_mcast_bin(struct qed_hwfn
+       p_ramrod->common.update_approx_mcast_flg = 1;
+       for (i = 0; i < ETH_MULTICAST_MAC_BINS_IN_REGS; i++) {
+-              u32 *p_bins = (u32 *)p_params->bins;
++              u32 *p_bins = p_params->bins;
+               p_ramrod->approx_mcast.bins[i] = cpu_to_le32(p_bins[i]);
+       }
+@@ -1474,8 +1474,8 @@ qed_sp_eth_filter_mcast(struct qed_hwfn
+                       enum spq_mode comp_mode,
+                       struct qed_spq_comp_cb *p_comp_data)
+ {
+-      unsigned long bins[ETH_MULTICAST_MAC_BINS_IN_REGS];
+       struct vport_update_ramrod_data *p_ramrod = NULL;
++      u32 bins[ETH_MULTICAST_MAC_BINS_IN_REGS];
+       struct qed_spq_entry *p_ent = NULL;
+       struct qed_sp_init_data init_data;
+       u8 abs_vport_id = 0;
+@@ -1511,26 +1511,25 @@ qed_sp_eth_filter_mcast(struct qed_hwfn
+       /* explicitly clear out the entire vector */
+       memset(&p_ramrod->approx_mcast.bins, 0,
+              sizeof(p_ramrod->approx_mcast.bins));
+-      memset(bins, 0, sizeof(unsigned long) *
+-             ETH_MULTICAST_MAC_BINS_IN_REGS);
++      memset(bins, 0, sizeof(bins));
+       /* filter ADD op is explicit set op and it removes
+        *  any existing filters for the vport
+        */
+       if (p_filter_cmd->opcode == QED_FILTER_ADD) {
+               for (i = 0; i < p_filter_cmd->num_mc_addrs; i++) {
+-                      u32 bit;
++                      u32 bit, nbits;
+                       bit = qed_mcast_bin_from_mac(p_filter_cmd->mac[i]);
+-                      __set_bit(bit, bins);
++                      nbits = sizeof(u32) * BITS_PER_BYTE;
++                      bins[bit / nbits] |= 1 << (bit % nbits);
+               }
+               /* Convert to correct endianity */
+               for (i = 0; i < ETH_MULTICAST_MAC_BINS_IN_REGS; i++) {
+                       struct vport_update_ramrod_mcast *p_ramrod_bins;
+-                      u32 *p_bins = (u32 *)bins;
+                       p_ramrod_bins = &p_ramrod->approx_mcast;
+-                      p_ramrod_bins->bins[i] = cpu_to_le32(p_bins[i]);
++                      p_ramrod_bins->bins[i] = cpu_to_le32(bins[i]);
+               }
+       }
+--- a/drivers/net/ethernet/qlogic/qed/qed_l2.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_l2.h
+@@ -214,7 +214,7 @@ struct qed_sp_vport_update_params {
+       u8                              anti_spoofing_en;
+       u8                              update_accept_any_vlan_flg;
+       u8                              accept_any_vlan;
+-      unsigned long                   bins[8];
++      u32                             bins[8];
+       struct qed_rss_params           *rss_params;
+       struct qed_filter_accept_flags  accept_flags;
+       struct qed_sge_tpa_params       *sge_tpa_params;
+--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+@@ -2826,7 +2826,7 @@ qed_iov_vp_update_mcast_bin_param(struct
+       p_data->update_approx_mcast_flg = 1;
+       memcpy(p_data->bins, p_mcast_tlv->bins,
+-             sizeof(unsigned long) * ETH_MULTICAST_MAC_BINS_IN_REGS);
++             sizeof(u32) * ETH_MULTICAST_MAC_BINS_IN_REGS);
+       *tlvs_mask |= 1 << QED_IOV_VP_UPDATE_MCAST;
+ }
+--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+@@ -1126,7 +1126,7 @@ int qed_vf_pf_vport_update(struct qed_hw
+               resp_size += sizeof(struct pfvf_def_resp_tlv);
+               memcpy(p_mcast_tlv->bins, p_params->bins,
+-                     sizeof(unsigned long) * ETH_MULTICAST_MAC_BINS_IN_REGS);
++                     sizeof(u32) * ETH_MULTICAST_MAC_BINS_IN_REGS);
+       }
+       update_rx = p_params->accept_flags.update_rx_mode_config;
+@@ -1272,7 +1272,7 @@ void qed_vf_pf_filter_mcast(struct qed_h
+                       u32 bit;
+                       bit = qed_mcast_bin_from_mac(p_filter_cmd->mac[i]);
+-                      __set_bit(bit, sp_params.bins);
++                      sp_params.bins[bit / 32] |= 1 << (bit % 32);
+               }
+       }
+--- a/drivers/net/ethernet/qlogic/qed/qed_vf.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.h
+@@ -392,7 +392,12 @@ struct vfpf_vport_update_mcast_bin_tlv {
+       struct channel_tlv tl;
+       u8 padding[4];
+-      u64 bins[8];
++      /* There are only 256 approx bins, and in HSI they're divided into
++       * 32-bit values. As old VFs used to set-bit to the values on its side,
++       * the upper half of the array is never expected to contain any data.
++       */
++      u64 bins[4];
++      u64 obsolete_bins[4];
+ };
+ struct vfpf_vport_update_accept_param_tlv {
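Review bot: Both new bit-set expressions shift a signed `int`: `bins[bit / nbits] |= 1 << (bit % nbits);` in qed_sp_eth_filter_mcast and `sp_params.bins[bit / 32] |= 1 << (bit % 32);` in qed_vf_pf_filter_mcast. When the remainder is 31 this shifts into the sign bit, which is undefined for a signed operand and is what UBSAN reports; `1U << (bit % nbits)` or `BIT(bit % 32)` avoids it. The two sites also spell the word width differently (`nbits` computed from `sizeof(u32)` in one, the literal 32 in the other), which is worth unifying. Neither site checks that `bit / 32` stays below the eight-element `bins` array; that relies on `qed_mcast_bin_from_mac()` returning a value below 256, which is outside this patch.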
diff --git a/queue-4.14/qed-fix-link-flap-issue-due-to-mismatching-eee-capabilities.patch b/queue-4.14/qed-fix-link-flap-issue-due-to-mismatching-eee-capabilities.patch
new file mode 100644 (file)
index 0000000..ca1e6ee
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
+Date: Wed, 18 Jul 2018 22:50:02 -0700
+Subject: qed: Fix link flap issue due to mismatching EEE capabilities.
+
+From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
+
+[ Upstream commit 4ad95a93a702ec4f4fb5159b822797ba67b8cbbe ]
+
+Apparently, MFW publishes EEE capabilities even for Fiber-boards that don't
+support them, and later since qed internally sets adv_caps it would cause
+link-flap avoidance (LFA) to fail when driver would initiate the link.
+This in turn delays the link, causing traffic to fail.
+
+Driver has been modified to not to ask MFW for any EEE config if EEE isn't
+to be enabled.
+
+Fixes: 645874e5 ("qed: Add support for Energy efficient ethernet.")
+Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
+Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
+Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_mcp.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
+@@ -1279,9 +1279,15 @@ int qed_mcp_set_link(struct qed_hwfn *p_
+       phy_cfg.pause |= (params->pause.forced_tx) ? ETH_PAUSE_TX : 0;
+       phy_cfg.adv_speed = params->speed.advertised_speeds;
+       phy_cfg.loopback_mode = params->loopback_mode;
+-      if (p_hwfn->mcp_info->capabilities & FW_MB_PARAM_FEATURE_SUPPORT_EEE) {
+-              if (params->eee.enable)
+-                      phy_cfg.eee_cfg |= EEE_CFG_EEE_ENABLED;
++
++      /* There are MFWs that share this capability regardless of whether
++       * this is feasible or not. And given that at the very least adv_caps
++       * would be set internally by qed, we want to make sure LFA would
++       * still work.
++       */
++      if ((p_hwfn->mcp_info->capabilities &
++           FW_MB_PARAM_FEATURE_SUPPORT_EEE) && params->eee.enable) {
++              phy_cfg.eee_cfg |= EEE_CFG_EEE_ENABLED;
+               if (params->eee.tx_lpi_enable)
+                       phy_cfg.eee_cfg |= EEE_CFG_TX_LPI;
+               if (params->eee.adv_caps & QED_EEE_1G_ADV)
diff --git a/queue-4.14/qed-fix-possible-race-for-the-link-state-value.patch b/queue-4.14/qed-fix-possible-race-for-the-link-state-value.patch
new file mode 100644 (file)
index 0000000..6f41200
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
+Date: Wed, 18 Jul 2018 22:50:03 -0700
+Subject: qed: Fix possible race for the link state value.
+
+From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
+
+[ Upstream commit 58874c7b246109d8efb2b0099d1aa296d6bfc3fa ]
+
+There's a possible race where driver can read link status in mid-transition
+and see that virtual-link is up yet speed is 0. Since in this
+mid-transition we're guaranteed to see a mailbox from MFW soon, we can
+afford to treat this as link down.
+
+Fixes: cc875c2e ("qed: Add link support")
+Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
+Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
+Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_mcp.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
+@@ -1182,6 +1182,7 @@ static void qed_mcp_handle_link_change(s
+               break;
+       default:
+               p_link->speed = 0;
++              p_link->link_up = 0;
+       }
+       if (p_link->link_up && p_link->speed)
diff --git a/queue-4.14/qmi_wwan-fix-interface-number-for-dw5821e-production-firmware.patch b/queue-4.14/qmi_wwan-fix-interface-number-for-dw5821e-production-firmware.patch
new file mode 100644 (file)
index 0000000..2945233
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Aleksander Morgado <aleksander@aleksander.es>
+Date: Tue, 24 Jul 2018 01:31:07 +0200
+Subject: qmi_wwan: fix interface number for DW5821e production firmware
+
+From: Aleksander Morgado <aleksander@aleksander.es>
+
+[ Upstream commit f25e1392fdb556290957142ac2da33a02cbff403 ]
+
+The original mapping for the DW5821e was done using a development
+version of the firmware. Confirmed with the vendor that the final
+USB layout ends up exposing the QMI control/data ports in USB
+config #1, interface #0, not in interface #1 (which is now a HID
+interface).
+
+T:  Bus=01 Lev=03 Prnt=04 Port=00 Cnt=01 Dev#= 16 Spd=480 MxCh= 0
+D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  2
+P:  Vendor=413c ProdID=81d7 Rev=03.18
+S:  Manufacturer=DELL
+S:  Product=DW5821e Snapdragon X20 LTE
+S:  SerialNumber=0123456789ABCDEF
+C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I:  If#= 1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
+I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+
+Fixes: e7e197edd09c25 ("qmi_wwan: add support for the Dell Wireless 5821e module")
+Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1245,7 +1245,7 @@ static const struct usb_device_id produc
+       {QMI_FIXED_INTF(0x413c, 0x81b3, 8)},    /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
+       {QMI_FIXED_INTF(0x413c, 0x81b6, 8)},    /* Dell Wireless 5811e */
+       {QMI_FIXED_INTF(0x413c, 0x81b6, 10)},   /* Dell Wireless 5811e */
+-      {QMI_FIXED_INTF(0x413c, 0x81d7, 1)},    /* Dell Wireless 5821e */
++      {QMI_FIXED_INTF(0x413c, 0x81d7, 0)},    /* Dell Wireless 5821e */
+       {QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)},    /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */
+       {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)},    /* HP lt4120 Snapdragon X5 LTE */
+       {QMI_FIXED_INTF(0x22de, 0x9061, 3)},    /* WeTelecom WPD-600N */
diff --git a/queue-4.14/revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch b/queue-4.14/revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch
new file mode 100644 (file)
index 0000000..bef3e50
--- /dev/null
@@ -0,0 +1,83 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: "Rafał Miłecki" <rafal@milecki.pl>
+Date: Fri, 27 Jul 2018 13:13:39 +0200
+Subject: Revert "MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum"
+
+From: "Rafał Miłecki" <rafal@milecki.pl>
+
+[ Upstream commit d5ea019f8a381f88545bb26993b62ec24a2796b7 ]
+
+This reverts commit 2a027b47dba6 ("MIPS: BCM47XX: Enable 74K Core
+ExternalSync for PCIe erratum").
+
+Enabling ExternalSync caused a regression for BCM4718A1 (used e.g. in
+Netgear E3000 and ASUS RT-N16): it simply hangs during PCIe
+initialization. It's likely that BCM4717A1 is also affected.
+
+I didn't notice that earlier as the only BCM47XX devices with PCIe I
+own are:
+1) BCM4706 with 2 x 14e4:4331
+2) BCM4706 with 14e4:4360 and 14e4:4331
+it appears that BCM4706 is unaffected.
+
+While BCM5300X-ES300-RDS.pdf seems to document that erratum and its
+workarounds (according to quotes provided by Tokunori) it seems not even
+Broadcom follows them.
+
+According to the provided info Broadcom should define CONF7_ES in their
+SDK's mipsinc.h and implement workaround in the si_mips_init(). Checking
+both didn't reveal such code. It *could* mean Broadcom also had some
+problems with the given workaround.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Reported-by: Michael Marley <michael@michaelmarley.com>
+Patchwork: https://patchwork.linux-mips.org/patch/20032/
+URL: https://bugs.openwrt.org/index.php?do=details&task_id=1688
+Cc: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Cc: Hauke Mehrtens <hauke@hauke-m.de>
+Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/bcm47xx/setup.c        |    6 ------
+ arch/mips/include/asm/mipsregs.h |    3 ---
+ 2 files changed, 9 deletions(-)
+
+--- a/arch/mips/bcm47xx/setup.c
++++ b/arch/mips/bcm47xx/setup.c
+@@ -212,12 +212,6 @@ static int __init bcm47xx_cpu_fixes(void
+                */
+               if (bcm47xx_bus.bcma.bus.chipinfo.id == BCMA_CHIP_ID_BCM4706)
+                       cpu_wait = NULL;
+-
+-              /*
+-               * BCM47XX Erratum "R10: PCIe Transactions Periodically Fail"
+-               * Enable ExternalSync for sync instruction to take effect
+-               */
+-              set_c0_config7(MIPS_CONF7_ES);
+               break;
+ #endif
+       }
+--- a/arch/mips/include/asm/mipsregs.h
++++ b/arch/mips/include/asm/mipsregs.h
+@@ -680,8 +680,6 @@
+ #define MIPS_CONF7_WII                (_ULCAST_(1) << 31)
+ #define MIPS_CONF7_RPS                (_ULCAST_(1) << 2)
+-/* ExternalSync */
+-#define MIPS_CONF7_ES         (_ULCAST_(1) << 8)
+ #define MIPS_CONF7_IAR                (_ULCAST_(1) << 10)
+ #define MIPS_CONF7_AR         (_ULCAST_(1) << 16)
+@@ -2747,7 +2745,6 @@ __BUILD_SET_C0(status)
+ __BUILD_SET_C0(cause)
+ __BUILD_SET_C0(config)
+ __BUILD_SET_C0(config5)
+-__BUILD_SET_C0(config7)
+ __BUILD_SET_C0(intcontrol)
+ __BUILD_SET_C0(intctl)
+ __BUILD_SET_C0(srsmap)
diff --git a/queue-4.14/sched-rt-restore-rt_runtime-after-disabling-rt_runtime_share.patch b/queue-4.14/sched-rt-restore-rt_runtime-after-disabling-rt_runtime_share.patch
new file mode 100644 (file)
index 0000000..96addb3
--- /dev/null
@@ -0,0 +1,72 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Hailong Liu <liu.hailong6@zte.com.cn>
+Date: Wed, 18 Jul 2018 08:46:55 +0800
+Subject: sched/rt: Restore rt_runtime after disabling RT_RUNTIME_SHARE
+
+From: Hailong Liu <liu.hailong6@zte.com.cn>
+
+[ Upstream commit f3d133ee0a17d5694c6f21873eec9863e11fa423 ]
+
+NO_RT_RUNTIME_SHARE feature is used to prevent a CPU borrow enough
+runtime with a spin-rt-task.
+
+However, if RT_RUNTIME_SHARE feature is enabled and rt_rq has borrowd
+enough rt_runtime at the beginning, rt_runtime can't be restored to
+its initial bandwidth rt_runtime after we disable RT_RUNTIME_SHARE.
+
+E.g. on my PC with 4 cores, procedure to reproduce:
+1) Make sure  RT_RUNTIME_SHARE is enabled
+ cat /sys/kernel/debug/sched_features
+  GENTLE_FAIR_SLEEPERS START_DEBIT NO_NEXT_BUDDY LAST_BUDDY
+  CACHE_HOT_BUDDY WAKEUP_PREEMPTION NO_HRTICK NO_DOUBLE_TICK
+  LB_BIAS NONTASK_CAPACITY TTWU_QUEUE NO_SIS_AVG_CPU SIS_PROP
+  NO_WARN_DOUBLE_CLOCK RT_PUSH_IPI RT_RUNTIME_SHARE NO_LB_MIN
+  ATTACH_AGE_LOAD WA_IDLE WA_WEIGHT WA_BIAS
+2) Start a spin-rt-task
+ ./loop_rr &
+3) set affinity to the last cpu
+ taskset -p 8 $pid_of_loop_rr
+4) Observe that last cpu have borrowed enough runtime.
+ cat /proc/sched_debug | grep rt_runtime
+  .rt_runtime                    : 950.000000
+  .rt_runtime                    : 900.000000
+  .rt_runtime                    : 950.000000
+  .rt_runtime                    : 1000.000000
+5) Disable RT_RUNTIME_SHARE
+ echo NO_RT_RUNTIME_SHARE > /sys/kernel/debug/sched_features
+6) Observe that rt_runtime can not been restored
+ cat /proc/sched_debug | grep rt_runtime
+  .rt_runtime                    : 950.000000
+  .rt_runtime                    : 900.000000
+  .rt_runtime                    : 950.000000
+  .rt_runtime                    : 1000.000000
+
+This patch help to restore rt_runtime after we disable
+RT_RUNTIME_SHARE.
+
+Signed-off-by: Hailong Liu <liu.hailong6@zte.com.cn>
+Signed-off-by: Jiang Biao <jiang.biao2@zte.com.cn>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: zhong.weidong@zte.com.cn
+Link: http://lkml.kernel.org/r/1531874815-39357-1-git-send-email-liu.hailong6@zte.com.cn
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/rt.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -837,6 +837,8 @@ static int do_sched_rt_period_timer(stru
+                * can be time-consuming. Try to avoid it when possible.
+                */
+               raw_spin_lock(&rt_rq->rt_runtime_lock);
++              if (!sched_feat(RT_RUNTIME_SHARE) && rt_rq->rt_runtime != RUNTIME_INF)
++                      rt_rq->rt_runtime = rt_b->rt_runtime;
+               skip = !rt_rq->rt_time && !rt_rq->rt_nr_running;
+               raw_spin_unlock(&rt_rq->rt_runtime_lock);
+               if (skip)
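Review bot: The two added lines in do_sched_rt_period_timer() read `rt_b->rt_runtime` while holding only `rt_rq->rt_runtime_lock`, and nothing in the hunk says why that is sufficient. Whether the bandwidth value can change concurrently under its own lock is not visible here, so that should be confirmed rather than assumed. Either way, a comment above the check would record the intent, e.g. `/* Sharing is off: discard borrowed runtime and return to the group's configured value */`. The function starts and ends outside the hunk.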
diff --git a/queue-4.14/scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch b/queue-4.14/scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch
new file mode 100644 (file)
index 0000000..c857b64
--- /dev/null
@@ -0,0 +1,52 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Tue, 31 Jul 2018 15:46:03 +0200
+Subject: scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+[ Upstream commit 1550ec458e0cf1a40a170ab1f4c46e3f52860f65 ]
+
+When receiving a LOGO request we forget to clear the FC_RP_STARTED flag
+before starting the rport delete routine.
+
+As the started flag was not cleared, we're not deleting the rport but
+waiting for a restart and thus are keeping the reference count of the rdata
+object at 1.
+
+This leads to the following kmemleak report:
+unreferenced object 0xffff88006542aa00 (size 512):
+  comm "kworker/0:2", pid 24, jiffies 4294899222 (age 226.880s)
+  hex dump (first 32 bytes):
+    68 96 fe 65 00 88 ff ff 00 00 00 00 00 00 00 00  h..e............
+    01 00 00 00 08 00 00 00 02 c5 45 24 ac b8 00 10  ..........E$....
+  backtrace:
+    [<(____ptrval____)>] fcoe_ctlr_vn_add.isra.5+0x7f/0x770 [libfcoe]
+    [<(____ptrval____)>] fcoe_ctlr_vn_recv+0x12af/0x27f0 [libfcoe]
+    [<(____ptrval____)>] fcoe_ctlr_recv_work+0xd01/0x32f0 [libfcoe]
+    [<(____ptrval____)>] process_one_work+0x7ff/0x1420
+    [<(____ptrval____)>] worker_thread+0x87/0xef0
+    [<(____ptrval____)>] kthread+0x2db/0x390
+    [<(____ptrval____)>] ret_from_fork+0x35/0x40
+    [<(____ptrval____)>] 0xffffffffffffffff
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reported-by: ard <ard@kwaak.net>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/libfc/fc_rport.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/libfc/fc_rport.c
++++ b/drivers/scsi/libfc/fc_rport.c
+@@ -2164,6 +2164,7 @@ static void fc_rport_recv_logo_req(struc
+               FC_RPORT_DBG(rdata, "Received LOGO request while in state %s\n",
+                            fc_rport_state(rdata));
++              rdata->flags &= ~FC_RP_STARTED;
+               fc_rport_enter_delete(rdata, RPORT_EV_STOP);
+               mutex_unlock(&rdata->rp_mutex);
+               kref_put(&rdata->kref, fc_rport_destroy);
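Review bot: The added `rdata->flags &= ~FC_RP_STARTED;` in fc_rport_recv_logo_req() has no comment, although its position before fc_rport_enter_delete() is the entire fix. According to the commit message, a still-set flag makes the delete path wait for a restart and keeps the rdata reference at 1. I would put `/* Clear STARTED first, or the rport is kept for a restart and its reference leaks */` above the line so the ordering survives later refactoring. The enclosing function begins outside the hunk.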
diff --git a/queue-4.14/scsi-fcoe-drop-frames-in-els-logo-error-path.patch b/queue-4.14/scsi-fcoe-drop-frames-in-els-logo-error-path.patch
new file mode 100644 (file)
index 0000000..8e96ac1
--- /dev/null
@@ -0,0 +1,56 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Tue, 31 Jul 2018 15:46:02 +0200
+Subject: scsi: fcoe: drop frames in ELS LOGO error path
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+[ Upstream commit 63d0e3dffda311e77b9a8c500d59084e960a824a ]
+
+Drop the frames in the ELS LOGO error path instead of just returning an
+error.
+
+This fixes the following kmemleak report:
+unreferenced object 0xffff880064cb1000 (size 424):
+  comm "kworker/0:2", pid 24, jiffies 4294904293 (age 68.504s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<(____ptrval____)>] _fc_frame_alloc+0x2c/0x180 [libfc]
+    [<(____ptrval____)>] fc_lport_enter_logo+0x106/0x360 [libfc]
+    [<(____ptrval____)>] fc_fabric_logoff+0x8c/0xc0 [libfc]
+    [<(____ptrval____)>] fcoe_if_destroy+0x79/0x3b0 [fcoe]
+    [<(____ptrval____)>] fcoe_destroy_work+0xd2/0x170 [fcoe]
+    [<(____ptrval____)>] process_one_work+0x7ff/0x1420
+    [<(____ptrval____)>] worker_thread+0x87/0xef0
+    [<(____ptrval____)>] kthread+0x2db/0x390
+    [<(____ptrval____)>] ret_from_fork+0x35/0x40
+    [<(____ptrval____)>] 0xffffffffffffffff
+
+which can be triggered by issuing
+echo eth0 > /sys/bus/fcoe/ctlr_destroy
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/fcoe/fcoe_ctlr.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/fcoe/fcoe_ctlr.c
++++ b/drivers/scsi/fcoe/fcoe_ctlr.c
+@@ -754,9 +754,9 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr
+       case ELS_LOGO:
+               if (fip->mode == FIP_MODE_VN2VN) {
+                       if (fip->state != FIP_ST_VNMP_UP)
+-                              return -EINVAL;
++                              goto drop;
+                       if (ntoh24(fh->fh_d_id) == FC_FID_FLOGI)
+-                              return -EINVAL;
++                              goto drop;
+               } else {
+                       if (fip->state != FIP_ST_ENABLED)
+                               return 0;
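Review bot: Both new `goto drop;` statements in the ELS_LOGO case send the frame to the `drop:` label, which this hunk does not touch. As the companion patch scsi-fcoe-fix-use-after-free-in-fcoe_ctlr_els_send.patch in this queue shows, the unpatched label frees the skb before the debug print reads `fh->fh_d_id`. So this change widens the set of paths reaching that use-after-free when FIP debugging is enabled, and should be applied only together with, and after, that fix. The `return 0` left in the non-VN2VN branch presumably hands the frame back to the caller; that is not visible in the hunk and is worth confirming so no skb is leaked there. The label and the rest of fcoe_ctlr_els_send() are outside the hunk.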
diff --git a/queue-4.14/scsi-fcoe-fix-use-after-free-in-fcoe_ctlr_els_send.patch b/queue-4.14/scsi-fcoe-fix-use-after-free-in-fcoe_ctlr_els_send.patch
new file mode 100644 (file)
index 0000000..ba89825
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Tue, 31 Jul 2018 15:46:01 +0200
+Subject: scsi: fcoe: fix use-after-free in fcoe_ctlr_els_send
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+[ Upstream commit 2d7d4fd35e6e15b47c13c70368da83add19f01e7 ]
+
+KASAN reports a use-after-free in fcoe_ctlr_els_send() when we're sending a
+LOGO and have FIP debugging enabled. This is because we're first freeing
+the skb and then printing the frame's DID. But the DID is a member of the
+FC frame header which in turn is the skb's payload.
+
+Exchange the debug print and kfree_skb() calls so we're not touching the
+freed data.
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/fcoe/fcoe_ctlr.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/fcoe/fcoe_ctlr.c
++++ b/drivers/scsi/fcoe/fcoe_ctlr.c
+@@ -799,9 +799,9 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr
+       fip->send(fip, skb);
+       return -EINPROGRESS;
+ drop:
+-      kfree_skb(skb);
+       LIBFCOE_FIP_DBG(fip, "drop els_send op %u d_id %x\n",
+                       op, ntoh24(fh->fh_d_id));
++      kfree_skb(skb);
+       return -EINVAL;
+ }
+ EXPORT_SYMBOL(fcoe_ctlr_els_send);
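Review bot: The reordering at the `drop:` label leaves nothing in the code to stop a later cleanup from moving `kfree_skb(skb)` back above the print. The commit message explains that `fh` is the FC frame header inside the skb payload, but the code does not say so. A one-line comment above the debug print, `/* fh points into skb data: log before freeing */`, would keep the ordering intact. The assignment of `fh` is outside the hunk, so the aliasing is taken from the commit message rather than from visible code.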
diff --git a/queue-4.14/scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch b/queue-4.14/scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch
new file mode 100644 (file)
index 0000000..651d8c0
--- /dev/null
@@ -0,0 +1,69 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Varun Prakash <varun@chelsio.com>
+Date: Wed, 11 Jul 2018 22:09:52 +0530
+Subject: scsi: libiscsi: fix possible NULL pointer dereference in case of TMF
+
+From: Varun Prakash <varun@chelsio.com>
+
+[ Upstream commit a17037e7d59075053b522048742a08ac9500bde8 ]
+
+In iscsi_check_tmf_restrictions() task->hdr is dereferenced to print the
+opcode, it is possible that task->hdr is NULL.
+
+There are two cases based on opcode argument:
+
+1. ISCSI_OP_SCSI_CMD - In this case alloc_pdu() is called
+after iscsi_check_tmf_restrictions()
+
+iscsi_prep_scsi_cmd_pdu() -> iscsi_check_tmf_restrictions() -> alloc_pdu().
+
+Transport drivers allocate memory for iSCSI hdr in alloc_pdu() and assign
+it to task->hdr. In case of TMF task->hdr will be NULL resulting in NULL
+pointer dereference.
+
+2. ISCSI_OP_SCSI_DATA_OUT - In this case transport driver can free the
+memory for iSCSI hdr after transmitting the pdu so task->hdr can be NULL or
+invalid.
+
+This patch fixes this issue by removing task->hdr->opcode from the printk
+statement.
+
+Signed-off-by: Varun Prakash <varun@chelsio.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/libiscsi.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -284,11 +284,11 @@ static int iscsi_check_tmf_restrictions(
+                */
+               if (opcode != ISCSI_OP_SCSI_DATA_OUT) {
+                       iscsi_conn_printk(KERN_INFO, conn,
+-                                        "task [op %x/%x itt "
++                                        "task [op %x itt "
+                                         "0x%x/0x%x] "
+                                         "rejected.\n",
+-                                        task->hdr->opcode, opcode,
+-                                        task->itt, task->hdr_itt);
++                                        opcode, task->itt,
++                                        task->hdr_itt);
+                       return -EACCES;
+               }
+               /*
+@@ -297,10 +297,10 @@ static int iscsi_check_tmf_restrictions(
+                */
+               if (conn->session->fast_abort) {
+                       iscsi_conn_printk(KERN_INFO, conn,
+-                                        "task [op %x/%x itt "
++                                        "task [op %x itt "
+                                         "0x%x/0x%x] fast abort.\n",
+-                                        task->hdr->opcode, opcode,
+-                                        task->itt, task->hdr_itt);
++                                        opcode, task->itt,
++                                        task->hdr_itt);
+                       return -EACCES;
+               }
+               break;
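Review bot: Both hunks in iscsi_check_tmf_restrictions() drop the `task->hdr->opcode` argument from the log call but leave no note that the header must not be touched at this point. I would add `/* task->hdr may be unset (SCSI_CMD) or already released (DATA_OUT); do not dereference it here */` before the first iscsi_conn_printk() so the dereference is not reintroduced. The message text also changes from `op %x/%x` to `op %x`, so any log matching keyed on the old format needs updating. The rest of the function is outside the hunks, so other uses of `task->hdr` cannot be checked from here.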
diff --git a/queue-4.14/scsi-target-iscsi-cxgbit-fix-max-iso-npdu-calculation.patch b/queue-4.14/scsi-target-iscsi-cxgbit-fix-max-iso-npdu-calculation.patch
new file mode 100644 (file)
index 0000000..bb0e8a7
--- /dev/null
@@ -0,0 +1,77 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Varun Prakash <varun@chelsio.com>
+Date: Wed, 11 Jul 2018 22:03:43 +0530
+Subject: scsi: target: iscsi: cxgbit: fix max iso npdu calculation
+
+From: Varun Prakash <varun@chelsio.com>
+
+[ Upstream commit 1b350ea0c2f4df9aa30426614c8eb755a8c32814 ]
+
+- rounddown CXGBIT_MAX_ISO_PAYLOAD by csk->emss before calculating
+  max_iso_npdu to get max TCP payload in multiple of mss.
+
+- call cxgbit_set_digest() before cxgbit_set_iso_npdu() to set
+  csk->submode, it is used in calculating number of iso pdus.
+
+Signed-off-by: Varun Prakash <varun@chelsio.com>
+Reviewed-by: Mike Christie <mchristi@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/iscsi/cxgbit/cxgbit_target.c |   16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/drivers/target/iscsi/cxgbit/cxgbit_target.c
++++ b/drivers/target/iscsi/cxgbit/cxgbit_target.c
+@@ -652,6 +652,7 @@ static int cxgbit_set_iso_npdu(struct cx
+       struct iscsi_param *param;
+       u32 mrdsl, mbl;
+       u32 max_npdu, max_iso_npdu;
++      u32 max_iso_payload;
+       if (conn->login->leading_connection) {
+               param = iscsi_find_param_from_key(MAXBURSTLENGTH,
+@@ -670,8 +671,10 @@ static int cxgbit_set_iso_npdu(struct cx
+       mrdsl = conn_ops->MaxRecvDataSegmentLength;
+       max_npdu = mbl / mrdsl;
+-      max_iso_npdu = CXGBIT_MAX_ISO_PAYLOAD /
+-                      (ISCSI_HDR_LEN + mrdsl +
++      max_iso_payload = rounddown(CXGBIT_MAX_ISO_PAYLOAD, csk->emss);
++
++      max_iso_npdu = max_iso_payload /
++                     (ISCSI_HDR_LEN + mrdsl +
+                       cxgbit_digest_len[csk->submode]);
+       csk->max_iso_npdu = min(max_npdu, max_iso_npdu);
+@@ -741,6 +744,9 @@ static int cxgbit_set_params(struct iscs
+       if (conn_ops->MaxRecvDataSegmentLength > cdev->mdsl)
+               conn_ops->MaxRecvDataSegmentLength = cdev->mdsl;
++      if (cxgbit_set_digest(csk))
++              return -1;
++
+       if (conn->login->leading_connection) {
+               param = iscsi_find_param_from_key(ERRORRECOVERYLEVEL,
+                                                 conn->param_list);
+@@ -764,7 +770,7 @@ static int cxgbit_set_params(struct iscs
+                       if (is_t5(cdev->lldi.adapter_type))
+                               goto enable_ddp;
+                       else
+-                              goto enable_digest;
++                              return 0;
+               }
+               if (test_bit(CDEV_ISO_ENABLE, &cdev->flags)) {
+@@ -781,10 +787,6 @@ enable_ddp:
+               }
+       }
+-enable_digest:
+-      if (cxgbit_set_digest(csk))
+-              return -1;
+-
+       return 0;
+ }
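Review bot: `rounddown(CXGBIT_MAX_ISO_PAYLOAD, csk->emss)` in cxgbit_set_iso_npdu() computes a remainder by `csk->emss`, and the hunk shows no check that the value is non-zero. Where emss is assigned is not visible here, so this may already be guaranteed. If it is not, a guard before the rounddown, `if (!csk->emss) return -1;`, would match the error convention used for cxgbit_set_digest() in the later hunk. When emss is larger than CXGBIT_MAX_ISO_PAYLOAD the result is 0 and max_iso_npdu becomes 0; how the caller treats that is outside the hunk and should be confirmed.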
diff --git a/queue-4.14/scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch b/queue-4.14/scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch
new file mode 100644 (file)
index 0000000..33837c8
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Jim Gill <jgill@vmware.com>
+Date: Thu, 2 Aug 2018 14:13:30 -0700
+Subject: scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED
+
+From: Jim Gill <jgill@vmware.com>
+
+[ Upstream commit e95153b64d03c2b6e8d62e51bdcc33fcad6e0856 ]
+
+Commands that are reset are returned with status
+SAM_STAT_COMMAND_TERMINATED. PVSCSI currently returns DID_OK |
+SAM_STAT_COMMAND_TERMINATED which fails the command. Instead, set hostbyte
+to DID_RESET to allow upper layers to retry.
+
+Tested by copying a large file between two pvscsi disks on same adapter
+while performing a bus reset at 1-second intervals. Before fix, commands
+sometimes fail with DID_OK. After fix, commands observed to fail with
+DID_RESET.
+
+Signed-off-by: Jim Gill <jgill@vmware.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/vmw_pvscsi.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/vmw_pvscsi.c
++++ b/drivers/scsi/vmw_pvscsi.c
+@@ -561,9 +561,14 @@ static void pvscsi_complete_request(stru
+           (btstat == BTSTAT_SUCCESS ||
+            btstat == BTSTAT_LINKED_COMMAND_COMPLETED ||
+            btstat == BTSTAT_LINKED_COMMAND_COMPLETED_WITH_FLAG)) {
+-              cmd->result = (DID_OK << 16) | sdstat;
+-              if (sdstat == SAM_STAT_CHECK_CONDITION && cmd->sense_buffer)
+-                      cmd->result |= (DRIVER_SENSE << 24);
++              if (sdstat == SAM_STAT_COMMAND_TERMINATED) {
++                      cmd->result = (DID_RESET << 16);
++              } else {
++                      cmd->result = (DID_OK << 16) | sdstat;
++                      if (sdstat == SAM_STAT_CHECK_CONDITION &&
++                          cmd->sense_buffer)
++                              cmd->result |= (DRIVER_SENSE << 24);
++              }
+       } else
+               switch (btstat) {
+               case BTSTAT_SUCCESS:
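Review bot: The new `SAM_STAT_COMMAND_TERMINATED` branch in pvscsi_complete_request() sets `cmd->result = (DID_RESET << 16)` and drops `sdstat` from the result, with no comment saying that this is deliberate. A reader comparing it with the `else` branch could take the missing status byte for an oversight. I would add `/* Terminated by a reset: report DID_RESET without the status byte so upper layers retry */` above the assignment. The function continues past the end of the hunk.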
diff --git a/queue-4.14/selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch b/queue-4.14/selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch
new file mode 100644 (file)
index 0000000..c6fce0b
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Sat, 14 Jul 2018 01:28:44 +0900
+Subject: selftests/ftrace: Add snapshot and tracing_on test case
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 82f4f3e69c5c29bce940dd87a2c0f16c51d48d17 ]
+
+Add a testcase for checking snapshot and tracing_on
+relationship. This ensures that the snapshotting doesn't
+affect current tracing on/off settings.
+
+Link: http://lkml.kernel.org/r/153149932412.11274.15289227592627901488.stgit@devbox
+
+Cc: Tom Zanussi <tom.zanussi@linux.intel.com>
+Cc: Hiraku Toyooka <hiraku.toyooka@cybertrust.co.jp>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: linux-kselftest@vger.kernel.org
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/ftrace/test.d/00basic/snapshot.tc |   28 ++++++++++++++
+ 1 file changed, 28 insertions(+)
+ create mode 100644 tools/testing/selftests/ftrace/test.d/00basic/snapshot.tc
+
+--- /dev/null
++++ b/tools/testing/selftests/ftrace/test.d/00basic/snapshot.tc
+@@ -0,0 +1,28 @@
++#!/bin/sh
++# description: Snapshot and tracing setting
++# flags: instance
++
++[ ! -f snapshot ] && exit_unsupported
++
++echo "Set tracing off"
++echo 0 > tracing_on
++
++echo "Allocate and take a snapshot"
++echo 1 > snapshot
++
++# Since trace buffer is empty, snapshot is also empty, but allocated
++grep -q "Snapshot is allocated" snapshot
++
++echo "Ensure keep tracing off"
++test `cat tracing_on` -eq 0
++
++echo "Set tracing on"
++echo 1 > tracing_on
++
++echo "Take a snapshot again"
++echo 1 > snapshot
++
++echo "Ensure keep tracing on"
++test `cat tracing_on` -eq 1
++
++exit 0
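Review bot: The three checks in snapshot.tc fail the test only if the runner executes the script with errexit enabled; the file does not set it, and the closing `exit 0` would otherwise report success whatever `grep -q` or `test` returned. If the harness does not guarantee that (not visible here), each check should end in an explicit failure, e.g. `grep -q "Snapshot is allocated" snapshot || exit_fail`. The unquoted backtick form also produces a `test` syntax error rather than a clean comparison when tracing_on reads empty; `test "$(cat tracing_on)" -eq 0` is the safer spelling. The script also leaves the snapshot buffer allocated and tracing enabled on exit, so it depends on the instance being torn down by the runner.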
index 77393f22b278d723e09219e7fe051f09fd5a570a..b40372f705d14bdeee1d0743213f9ccbf30b9be7 100644 (file)
@@ -1 +1,83 @@
 crypto-vmx-use-skcipher-for-ctr-fallback.patch
+vti6-fix-pmtu-caching-and-reporting-on-xmit.patch
+xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch
+xfrm-free-skb-if-nlsk-pointer-is-null.patch
+esp6-fix-memleak-on-error-path-in-esp6_input.patch
+mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch
+ext4-clear-mmp-sequence-number-when-remounting-read-only.patch
+nl80211-add-a-missing-break-in-parse_station_flags.patch
+drm-bridge-adv7511-reset-registers-on-hotplug.patch
+scsi-target-iscsi-cxgbit-fix-max-iso-npdu-calculation.patch
+scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch
+drm-re-enable-error-handling.patch
+drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch
+drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch
+nbd-don-t-requeue-the-same-request-twice.patch
+nbd-handle-unexpected-replies-better.patch
+usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch
+usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch
+usb-gadget-f_uac2-fix-error-handling-in-afunc_bind-again.patch
+usb-gadget-u_audio-fix-pcm-card-naming-in-g_audio_setup.patch
+usb-gadget-u_audio-update-hw_ptr-in-iso_complete-after-data-copied.patch
+usb-gadget-u_audio-remove-caching-of-stream-buffer-parameters.patch
+usb-gadget-u_audio-remove-cached-period-bytes-value.patch
+usb-gadget-u_audio-protect-stream-runtime-fields-with-stream-spinlock.patch
+usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch
+tools-usb-ffs-test-fix-build-on-big-endian-systems.patch
+usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch
+netfilter-nft_set_hash-add-rcu_barrier-in-the-nft_rhash_destroy.patch
+bpf-ppc64-fix-unexpected-r0-0-exit-path-inside-bpf_xadd.patch
+netfilter-nf_tables-fix-memory-leaks-on-chain-rename.patch
+netfilter-nf_tables-don-t-allow-to-rename-to-already-pending-name.patch
+kvm-vmx-use-local-variable-for-current_vmptr-when-emulating-vmptrst.patch
+tools-power-turbostat-fix-s-on-up-systems.patch
+net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch
+qed-fix-link-flap-issue-due-to-mismatching-eee-capabilities.patch
+qed-fix-possible-race-for-the-link-state-value.patch
+qed-correct-multicast-api-to-reflect-existence-of-256-approximate-buckets.patch
+atl1c-reserve-min-skb-headroom.patch
+net-prevent-isa-drivers-from-building-on-ppc32.patch
+can-mpc5xxx_can-check-of_iomap-return-before-use.patch
+can-m_can-move-accessing-of-message-ram-to-after-clocks-are-enabled.patch
+i2c-davinci-avoid-zero-value-of-clkh.patch
+perf-x86-amd-ibs-don-t-access-non-started-event.patch
+media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch
+bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch
+qmi_wwan-fix-interface-number-for-dw5821e-production-firmware.patch
+net-axienet-fix-double-deregister-of-mdio.patch
+locking-rtmutex-allow-specifying-a-subclass-for-nested-locking.patch
+i2c-mux-locking-core-annotate-the-nested-rt_mutex-usage.patch
+sched-rt-restore-rt_runtime-after-disabling-rt_runtime_share.patch
+x86-boot-fix-if_changed-build-flip-flop-bug.patch
+fscache-allow-cancelled-operations-to-be-enqueued.patch
+cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch
+cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch
+selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch
+hinic-link-the-logical-network-device-to-the-pci-device-in-sysfs.patch
+ipc-sem.c-prevent-queue.status-tearing-in-semop.patch
+zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch
+tools-power-turbostat-read-extended-processor-family-from-cpuid.patch
+revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch
+arc-dma-setup-smp_cache_bytes-and-cache_line_size.patch
+bpf-use-gfp_atomic-instead-of-gfp_kernel-in-bpf_parse_prog.patch
+nfp-flower-fix-port-metadata-conversion-bug.patch
+enic-handle-mtu-change-for-vf-properly.patch
+arc-add-missing-struct-nps_host_reg_aux_dpc.patch
+arc-fix-data-type-errors-in-platform-headers.patch
+arc-fix-printk-warning-in-arc-plat-eznps-mtm.c.patch
+arc-fix-build-errors-in-arc-include-asm-delay.h.patch
+arc-fix-type-warnings-in-arc-mm-cache.c.patch
+sparc-time-add-missing-__init-to-init_tick_ops.patch
+sparc-use-asm-generic-version-of-msi.h.patch
+enic-do-not-call-enic_change_mtu-in-enic_probe.patch
+squashfs-metadata-2-electric-boogaloo.patch
+mm-delete-historical-bug-from-zap_pmd_range.patch
+squashfs-compute-expected-length-from-inode-size-rather-than-block-length.patch
+drivers-net-lmc-fix-case-value-for-target-abort-error.patch
+memcg-remove-memcg_cgroup-id-from-idr-on-mem_cgroup_css_alloc-failure.patch
+gpiolib-acpi-make-sure-we-trigger-edge-events-at-least-once-on-boot.patch
+scsi-fcoe-fix-use-after-free-in-fcoe_ctlr_els_send.patch
+scsi-fcoe-drop-frames-in-els-logo-error-path.patch
+scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch
+scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch
+mm-memory.c-check-return-value-of-ioremap_prot.patch
diff --git a/queue-4.14/sparc-time-add-missing-__init-to-init_tick_ops.patch b/queue-4.14/sparc-time-add-missing-__init-to-init_tick_ops.patch
new file mode 100644 (file)
index 0000000..f942d19
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Wed, 6 Jun 2018 10:11:10 -0400
+Subject: sparc/time: Add missing __init to init_tick_ops()
+
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+
+[ Upstream commit 6f57ed681ed817a4ec444e83f3aa2ad695d5ef34 ]
+
+Code that was added to force gcc not to inline any function that isn't
+explicitly declared as inline uncovered that init_tick_ops() isn't
+marked as "__init". It is only called by __init functions and more
+importantly it too calls an __init function which would require it to be
+__init as well.
+
+Link: http://lkml.kernel.org/r/201806060444.hdHcKOBy%fengguang.wu@intel.com
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/kernel/time_64.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sparc/kernel/time_64.c
++++ b/arch/sparc/kernel/time_64.c
+@@ -813,7 +813,7 @@ static void __init get_tick_patch(void)
+       }
+ }
+-static void init_tick_ops(struct sparc64_tick_ops *ops)
++static void __init init_tick_ops(struct sparc64_tick_ops *ops)
+ {
+       unsigned long freq, quotient, tick;
diff --git a/queue-4.14/sparc-use-asm-generic-version-of-msi.h.patch b/queue-4.14/sparc-use-asm-generic-version-of-msi.h.patch
new file mode 100644 (file)
index 0000000..e02502a
--- /dev/null
@@ -0,0 +1,61 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Date: Tue, 24 Jul 2018 13:53:05 +0200
+Subject: sparc: use asm-generic version of msi.h
+
+From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+
+[ Upstream commit 12be1036c536f849ad6f9bba73cffa708aa965c3 ]
+
+This is necessary to be able to include <linux/msi.h> when
+CONFIG_GENERIC_MSI_IRQ_DOMAIN is enabled. Without this, a build with
+CONFIG_GENERIC_MSI_IRQ_DOMAIN fails with:
+
+   In file included from drivers//ata/ahci.c:45:0:
+>> include/linux/msi.h:226:10: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'?
+             msi_alloc_info_t *arg);
+             ^~~~~~~~~~~~~~~~
+             sg_alloc_fn
+   include/linux/msi.h:230:9: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'?
+            msi_alloc_info_t *arg);
+            ^~~~~~~~~~~~~~~~
+            sg_alloc_fn
+   include/linux/msi.h:239:12: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'?
+               msi_alloc_info_t *arg);
+               ^~~~~~~~~~~~~~~~
+               sg_alloc_fn
+   include/linux/msi.h:240:22: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'?
+     void  (*msi_finish)(msi_alloc_info_t *arg, int retval);
+                         ^~~~~~~~~~~~~~~~
+                         sg_alloc_fn
+   include/linux/msi.h:241:20: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'?
+     void  (*set_desc)(msi_alloc_info_t *arg,
+                       ^~~~~~~~~~~~~~~~
+                       sg_alloc_fn
+   include/linux/msi.h:316:18: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'?
+           int nvec, msi_alloc_info_t *args);
+                     ^~~~~~~~~~~~~~~~
+                     sg_alloc_fn
+   include/linux/msi.h:318:29: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'?
+            int virq, int nvec, msi_alloc_info_t *args);
+                                ^~~~~~~~~~~~~~~~
+                                sg_alloc_fn
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/include/asm/Kbuild |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/sparc/include/asm/Kbuild
++++ b/arch/sparc/include/asm/Kbuild
+@@ -14,6 +14,7 @@ generic-y += local64.h
+ generic-y += mcs_spinlock.h
+ generic-y += mm-arch-hooks.h
+ generic-y += module.h
++generic-y += msi.h
+ generic-y += preempt.h
+ generic-y += rwsem.h
+ generic-y += serial.h
diff --git a/queue-4.14/squashfs-compute-expected-length-from-inode-size-rather-than-block-length.patch b/queue-4.14/squashfs-compute-expected-length-from-inode-size-rather-than-block-length.patch
new file mode 100644 (file)
index 0000000..6e02029
--- /dev/null
@@ -0,0 +1,179 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Thu, 2 Aug 2018 16:45:15 +0100
+Subject: Squashfs: Compute expected length from inode size rather than block length
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+[ Upstream commit a3f94cb99a854fa381fe7fadd97c4f61633717a5 ]
+
+Previously in squashfs_readpage() when copying data into the page
+cache, it used the length of the datablock read from the filesystem
+(after decompression).  However, if the filesystem has been corrupted
+this data block may be short, which will leave pages unfilled.
+
+The fix for this is to compute the expected number of bytes to copy
+from the inode size, and use this to detect if the block is short.
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Cc: Анатолий Тросиненко <anatoly.trosinenko@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/squashfs/file.c        |   25 ++++++++++---------------
+ fs/squashfs/file_cache.c  |    4 ++--
+ fs/squashfs/file_direct.c |   16 +++++++++++-----
+ fs/squashfs/squashfs.h    |    2 +-
+ 4 files changed, 24 insertions(+), 23 deletions(-)
+
+--- a/fs/squashfs/file.c
++++ b/fs/squashfs/file.c
+@@ -431,10 +431,9 @@ skip_page:
+ }
+ /* Read datablock stored packed inside a fragment (tail-end packed block) */
+-static int squashfs_readpage_fragment(struct page *page)
++static int squashfs_readpage_fragment(struct page *page, int expected)
+ {
+       struct inode *inode = page->mapping->host;
+-      struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info;
+       struct squashfs_cache_entry *buffer = squashfs_get_fragment(inode->i_sb,
+               squashfs_i(inode)->fragment_block,
+               squashfs_i(inode)->fragment_size);
+@@ -445,23 +444,16 @@ static int squashfs_readpage_fragment(st
+                       squashfs_i(inode)->fragment_block,
+                       squashfs_i(inode)->fragment_size);
+       else
+-              squashfs_copy_cache(page, buffer, i_size_read(inode) &
+-                      (msblk->block_size - 1),
++              squashfs_copy_cache(page, buffer, expected,
+                       squashfs_i(inode)->fragment_offset);
+       squashfs_cache_put(buffer);
+       return res;
+ }
+-static int squashfs_readpage_sparse(struct page *page, int index, int file_end)
++static int squashfs_readpage_sparse(struct page *page, int expected)
+ {
+-      struct inode *inode = page->mapping->host;
+-      struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info;
+-      int bytes = index == file_end ?
+-                      (i_size_read(inode) & (msblk->block_size - 1)) :
+-                       msblk->block_size;
+-
+-      squashfs_copy_cache(page, NULL, bytes, 0);
++      squashfs_copy_cache(page, NULL, expected, 0);
+       return 0;
+ }
+@@ -471,6 +463,9 @@ static int squashfs_readpage(struct file
+       struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info;
+       int index = page->index >> (msblk->block_log - PAGE_SHIFT);
+       int file_end = i_size_read(inode) >> msblk->block_log;
++      int expected = index == file_end ?
++                      (i_size_read(inode) & (msblk->block_size - 1)) :
++                       msblk->block_size;
+       int res;
+       void *pageaddr;
+@@ -489,11 +484,11 @@ static int squashfs_readpage(struct file
+                       goto error_out;
+               if (bsize == 0)
+-                      res = squashfs_readpage_sparse(page, index, file_end);
++                      res = squashfs_readpage_sparse(page, expected);
+               else
+-                      res = squashfs_readpage_block(page, block, bsize);
++                      res = squashfs_readpage_block(page, block, bsize, expected);
+       } else
+-              res = squashfs_readpage_fragment(page);
++              res = squashfs_readpage_fragment(page, expected);
+       if (!res)
+               return 0;
+--- a/fs/squashfs/file_cache.c
++++ b/fs/squashfs/file_cache.c
+@@ -20,7 +20,7 @@
+ #include "squashfs.h"
+ /* Read separately compressed datablock and memcopy into page cache */
+-int squashfs_readpage_block(struct page *page, u64 block, int bsize)
++int squashfs_readpage_block(struct page *page, u64 block, int bsize, int expected)
+ {
+       struct inode *i = page->mapping->host;
+       struct squashfs_cache_entry *buffer = squashfs_get_datablock(i->i_sb,
+@@ -31,7 +31,7 @@ int squashfs_readpage_block(struct page
+               ERROR("Unable to read page, block %llx, size %x\n", block,
+                       bsize);
+       else
+-              squashfs_copy_cache(page, buffer, buffer->length, 0);
++              squashfs_copy_cache(page, buffer, expected, 0);
+       squashfs_cache_put(buffer);
+       return res;
+--- a/fs/squashfs/file_direct.c
++++ b/fs/squashfs/file_direct.c
+@@ -21,10 +21,11 @@
+ #include "page_actor.h"
+ static int squashfs_read_cache(struct page *target_page, u64 block, int bsize,
+-      int pages, struct page **page);
++      int pages, struct page **page, int bytes);
+ /* Read separately compressed datablock directly into page cache */
+-int squashfs_readpage_block(struct page *target_page, u64 block, int bsize)
++int squashfs_readpage_block(struct page *target_page, u64 block, int bsize,
++      int expected)
+ {
+       struct inode *inode = target_page->mapping->host;
+@@ -83,7 +84,7 @@ int squashfs_readpage_block(struct page
+                * using an intermediate buffer.
+                */
+               res = squashfs_read_cache(target_page, block, bsize, pages,
+-                                                              page);
++                                                      page, expected);
+               if (res < 0)
+                       goto mark_errored;
+@@ -95,6 +96,11 @@ int squashfs_readpage_block(struct page
+       if (res < 0)
+               goto mark_errored;
++      if (res != expected) {
++              res = -EIO;
++              goto mark_errored;
++      }
++
+       /* Last page may have trailing bytes not filled */
+       bytes = res % PAGE_SIZE;
+       if (bytes) {
+@@ -138,12 +144,12 @@ out:
+ static int squashfs_read_cache(struct page *target_page, u64 block, int bsize,
+-      int pages, struct page **page)
++      int pages, struct page **page, int bytes)
+ {
+       struct inode *i = target_page->mapping->host;
+       struct squashfs_cache_entry *buffer = squashfs_get_datablock(i->i_sb,
+                                                block, bsize);
+-      int bytes = buffer->length, res = buffer->error, n, offset = 0;
++      int res = buffer->error, n, offset = 0;
+       if (res) {
+               ERROR("Unable to read page, block %llx, size %x\n", block,
+--- a/fs/squashfs/squashfs.h
++++ b/fs/squashfs/squashfs.h
+@@ -72,7 +72,7 @@ void squashfs_copy_cache(struct page *,
+                               int);
+ /* file_xxx.c */
+-extern int squashfs_readpage_block(struct page *, u64, int);
++extern int squashfs_readpage_block(struct page *, u64, int, int);
+ /* id.c */
+ extern int squashfs_get_id(struct super_block *, unsigned int, unsigned int *);
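Review bot: The file_cache.c variant of squashfs_readpage_block() now copies `expected` bytes without comparing that value to `buffer->length`, while the file_direct.c variant rejects any `res != expected` with -EIO. A short block is presumably still caught when the copy returns fewer bytes than requested, since squashfs_fill_page() in the companion squashfs patch on this page marks the page errored when `copied != avail`. A block that decompresses longer than the inode size implies is still accepted on the cache path and in squashfs_read_cache(), but rejected on the direct path. If that asymmetry is intended, a comment above the `squashfs_copy_cache(page, buffer, expected, 0);` call would record it, e.g. `/* short blocks are detected by the copy; an over-long block is truncated to expected */`. The function bodies continue outside the hunks, so an additional length check elsewhere cannot be ruled out from here.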
diff --git a/queue-4.14/squashfs-metadata-2-electric-boogaloo.patch b/queue-4.14/squashfs-metadata-2-electric-boogaloo.patch
new file mode 100644 (file)
index 0000000..ce6204d
--- /dev/null
@@ -0,0 +1,125 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 1 Aug 2018 10:38:43 -0700
+Subject: squashfs metadata 2: electric boogaloo
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit cdbb65c4c7ead680ebe54f4f0d486e2847a500ea ]
+
+Anatoly continues to find issues with fuzzed squashfs images.
+
+This time, corrupt, missing, or undersized data for the page filling
+wasn't checked for, because the squashfs_{copy,read}_cache() functions
+did the squashfs_copy_data() call without checking the resulting data
+size.
+
+Which could result in the page cache pages being incompletely filled in,
+and no error indication to the user space reading garbage data.
+
+So make a helper function for the "fill in pages" case, because the
+exact same incomplete sequence existed in two places.
+
+[ I should have made a squashfs branch for these things, but I didn't
+  intend to start doing them in the first place.
+
+  My historical connection through cramfs is why I got into looking at
+  these issues at all, and every time I (continue to) think it's a
+  one-off.
+
+  Because _this_ time is always the last time. Right?   - Linus ]
+
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Phillip Lougher <phillip@squashfs.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/squashfs/file.c        |   25 ++++++++++++++++++-------
+ fs/squashfs/file_direct.c |    8 +-------
+ fs/squashfs/squashfs.h    |    1 +
+ 3 files changed, 20 insertions(+), 14 deletions(-)
+
+--- a/fs/squashfs/file.c
++++ b/fs/squashfs/file.c
+@@ -374,13 +374,29 @@ static int read_blocklist(struct inode *
+       return squashfs_block_size(size);
+ }
++void squashfs_fill_page(struct page *page, struct squashfs_cache_entry *buffer, int offset, int avail)
++{
++      int copied;
++      void *pageaddr;
++
++      pageaddr = kmap_atomic(page);
++      copied = squashfs_copy_data(pageaddr, buffer, offset, avail);
++      memset(pageaddr + copied, 0, PAGE_SIZE - copied);
++      kunmap_atomic(pageaddr);
++
++      flush_dcache_page(page);
++      if (copied == avail)
++              SetPageUptodate(page);
++      else
++              SetPageError(page);
++}
++
+ /* Copy data into page cache  */
+ void squashfs_copy_cache(struct page *page, struct squashfs_cache_entry *buffer,
+       int bytes, int offset)
+ {
+       struct inode *inode = page->mapping->host;
+       struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info;
+-      void *pageaddr;
+       int i, mask = (1 << (msblk->block_log - PAGE_SHIFT)) - 1;
+       int start_index = page->index & ~mask, end_index = start_index | mask;
+@@ -406,12 +422,7 @@ void squashfs_copy_cache(struct page *pa
+               if (PageUptodate(push_page))
+                       goto skip_page;
+-              pageaddr = kmap_atomic(push_page);
+-              squashfs_copy_data(pageaddr, buffer, offset, avail);
+-              memset(pageaddr + avail, 0, PAGE_SIZE - avail);
+-              kunmap_atomic(pageaddr);
+-              flush_dcache_page(push_page);
+-              SetPageUptodate(push_page);
++              squashfs_fill_page(push_page, buffer, offset, avail);
+ skip_page:
+               unlock_page(push_page);
+               if (i != page->index)
+--- a/fs/squashfs/file_direct.c
++++ b/fs/squashfs/file_direct.c
+@@ -144,7 +144,6 @@ static int squashfs_read_cache(struct pa
+       struct squashfs_cache_entry *buffer = squashfs_get_datablock(i->i_sb,
+                                                block, bsize);
+       int bytes = buffer->length, res = buffer->error, n, offset = 0;
+-      void *pageaddr;
+       if (res) {
+               ERROR("Unable to read page, block %llx, size %x\n", block,
+@@ -159,12 +158,7 @@ static int squashfs_read_cache(struct pa
+               if (page[n] == NULL)
+                       continue;
+-              pageaddr = kmap_atomic(page[n]);
+-              squashfs_copy_data(pageaddr, buffer, offset, avail);
+-              memset(pageaddr + avail, 0, PAGE_SIZE - avail);
+-              kunmap_atomic(pageaddr);
+-              flush_dcache_page(page[n]);
+-              SetPageUptodate(page[n]);
++              squashfs_fill_page(page[n], buffer, offset, avail);
+               unlock_page(page[n]);
+               if (page[n] != target_page)
+                       put_page(page[n]);
+--- a/fs/squashfs/squashfs.h
++++ b/fs/squashfs/squashfs.h
+@@ -67,6 +67,7 @@ extern __le64 *squashfs_read_fragment_in
+                               u64, u64, unsigned int);
+ /* file.c */
++void squashfs_fill_page(struct page *, struct squashfs_cache_entry *, int, int);
+ void squashfs_copy_cache(struct page *, struct squashfs_cache_entry *, int,
+                               int);
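Review bot: squashfs_fill_page() has no comment stating its contract, and `memset(pageaddr + copied, 0, PAGE_SIZE - copied)` is only in bounds when `0 <= copied <= PAGE_SIZE`. That holds only if callers pass `avail` no larger than a page and squashfs_copy_data() never returns a negative value. Neither is visible in this patch, because the code that computes `avail` in squashfs_copy_cache() and squashfs_read_cache() lies outside the hunks. It is worth recording above the function: `/* Copy up to avail (<= PAGE_SIZE) bytes into page and zero the rest; a short copy marks the page PageError instead of Uptodate. */`. The definition line also exceeds 80 columns and could wrap after `*buffer,`.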
diff --git a/queue-4.14/tools-power-turbostat-fix-s-on-up-systems.patch b/queue-4.14/tools-power-turbostat-fix-s-on-up-systems.patch
new file mode 100644 (file)
index 0000000..b820523
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Len Brown <len.brown@intel.com>
+Date: Fri, 20 Jul 2018 14:47:03 -0400
+Subject: tools/power turbostat: fix -S on UP systems
+
+From: Len Brown <len.brown@intel.com>
+
+[ Upstream commit 9d83601a9cc1884d1b5706ee2acc661d558c6838 ]
+
+The -S (system summary) option failed to print any data on a 1-processor system.
+
+Reported-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/power/x86/turbostat/turbostat.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -1038,9 +1038,7 @@ void format_all_counters(struct thread_d
+       if (!printed || !summary_only)
+               print_header("\t");
+-      if (topo.num_cpus > 1)
+-              format_counters(&average.threads, &average.cores,
+-                      &average.packages);
++      format_counters(&average.threads, &average.cores, &average.packages);
+       printed = 1;
diff --git a/queue-4.14/tools-power-turbostat-read-extended-processor-family-from-cpuid.patch b/queue-4.14/tools-power-turbostat-read-extended-processor-family-from-cpuid.patch
new file mode 100644 (file)
index 0000000..c3580e6
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Calvin Walton <calvin.walton@kepstin.ca>
+Date: Fri, 27 Jul 2018 07:50:53 -0400
+Subject: tools/power turbostat: Read extended processor family from CPUID
+
+From: Calvin Walton <calvin.walton@kepstin.ca>
+
+[ Upstream commit 5aa3d1a20a233d4a5f1ec3d62da3f19d9afea682 ]
+
+This fixes the reported family on modern AMD processors (e.g. Ryzen,
+which is family 0x17). Previously these processors all showed up as
+family 0xf.
+
+See the document
+https://support.amd.com/TechDocs/56255_OSRR.pdf
+section CPUID_Fn00000001_EAX for how to calculate the family
+from the BaseFamily and ExtFamily values.
+
+This matches the code in arch/x86/lib/cpu.c
+
+Signed-off-by: Calvin Walton <calvin.walton@kepstin.ca>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/power/x86/turbostat/turbostat.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -4029,7 +4029,9 @@ void process_cpuid()
+       family = (fms >> 8) & 0xf;
+       model = (fms >> 4) & 0xf;
+       stepping = fms & 0xf;
+-      if (family == 6 || family == 0xf)
++      if (family == 0xf)
++              family += (fms >> 20) & 0xff;
++      if (family >= 6)
+               model += ((fms >> 16) & 0xf) << 4;
+       if (!quiet) {
diff --git a/queue-4.14/tools-usb-ffs-test-fix-build-on-big-endian-systems.patch b/queue-4.14/tools-usb-ffs-test-fix-build-on-big-endian-systems.patch
new file mode 100644 (file)
index 0000000..4742229
--- /dev/null
@@ -0,0 +1,71 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Peter Senna Tschudin <peter.senna@gmail.com>
+Date: Tue, 10 Jul 2018 16:01:45 +0200
+Subject: tools: usb: ffs-test: Fix build on big endian systems
+
+From: Peter Senna Tschudin <peter.senna@gmail.com>
+
+[ Upstream commit a2b22dddc7bb6110ac3b5ed1a60aa9279836fadb ]
+
+The tools/usb/ffs-test.c file defines cpu_to_le16/32 by using the C
+library htole16/32 function calls. However, cpu_to_le16/32 are used when
+initializing structures, i.e in a context where a function call is not
+allowed.
+
+It works fine on little endian systems because htole16/32 are defined by
+the C library as no-ops. But on big-endian systems, they are actually
+doing something, which might involve calling a function, causing build
+failures, such as:
+
+   ffs-test.c:48:25: error: initializer element is not constant
+    #define cpu_to_le32(x)  htole32(x)
+                            ^~~~~~~
+   ffs-test.c:128:12: note: in expansion of macro ‘cpu_to_le32’
+      .magic = cpu_to_le32(FUNCTIONFS_DESCRIPTORS_MAGIC_V2),
+               ^~~~~~~~~~~
+
+To solve this, we code cpu_to_le16/32 in a way that allows them to be
+used when initializing structures. This fix was imported from
+meta-openembedded/android-tools/fix-big-endian-build.patch written by
+Thomas Petazzoni <thomas.petazzoni@free-electrons.com>.
+
+CC: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/usb/ffs-test.c |   19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/tools/usb/ffs-test.c
++++ b/tools/usb/ffs-test.c
+@@ -44,12 +44,25 @@
+ /******************** Little Endian Handling ********************************/
+-#define cpu_to_le16(x)  htole16(x)
+-#define cpu_to_le32(x)  htole32(x)
++/*
++ * cpu_to_le16/32 are used when initializing structures, a context where a
++ * function call is not allowed. To solve this, we code cpu_to_le16/32 in a way
++ * that allows them to be used when initializing structures.
++ */
++
++#if __BYTE_ORDER == __LITTLE_ENDIAN
++#define cpu_to_le16(x)  (x)
++#define cpu_to_le32(x)  (x)
++#else
++#define cpu_to_le16(x)  ((((x) >> 8) & 0xffu) | (((x) & 0xffu) << 8))
++#define cpu_to_le32(x)  \
++      ((((x) & 0xff000000u) >> 24) | (((x) & 0x00ff0000u) >>  8) | \
++      (((x) & 0x0000ff00u) <<  8) | (((x) & 0x000000ffu) << 24))
++#endif
++
+ #define le32_to_cpu(x)  le32toh(x)
+ #define le16_to_cpu(x)  le16toh(x)
+-
+ /******************** Messages and Errors ***********************************/
+ static const char argv0[] = "ffs-test";
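Review bot: `#if __BYTE_ORDER == __LITTLE_ENDIAN` evaluates as true when neither macro is defined, because undefined identifiers are 0 in `#if`. A build where the headers do not provide them would then silently select the no-op definitions on a big-endian host. The include list is outside the hunk, so this is only a risk if those names are missing. A guard ahead of the test would turn it into a build failure: `#if !defined(__BYTE_ORDER) || !defined(__LITTLE_ENDIAN)`, `#error "byte order macros not defined"`, `#endif`. The big-endian macros also evaluate `x` more than once, which is fine for the constant initializers the new comment names but worth stating there: `/* x is evaluated more than once; use with constants only */`.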
diff --git a/queue-4.14/usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch b/queue-4.14/usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch
new file mode 100644 (file)
index 0000000..89ce99a
--- /dev/null
@@ -0,0 +1,96 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Eugeniu Rosca <roscaeugeniu@gmail.com>
+Date: Mon, 2 Jul 2018 23:46:47 +0200
+Subject: usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3'
+
+From: Eugeniu Rosca <roscaeugeniu@gmail.com>
+
+[ Upstream commit eec24f2a0d4dc3b1d95a3ccd2feb523ede3ba775 ]
+
+The list [1] of commits doing endianness fixes in USB subsystem is long
+due to below quote from USB spec Revision 2.0 from April 27, 2000:
+
+------------
+8.1 Byte/Bit Ordering
+
+Multiple byte fields in standard descriptors, requests, and responses
+are interpreted as and moved over the bus in little-endian order, i.e.
+LSB to MSB.
+------------
+
+This commit belongs to the same family.
+
+[1] Example of endianness fixes in USB subsystem:
+commit 14e1d56cbea6 ("usb: gadget: f_uac2: endianness fixes.")
+commit 42370b821168 ("usb: gadget: f_uac1: endianness fixes.")
+commit 63afd5cc7877 ("USB: chaoskey: fix Alea quirk on big-endian hosts")
+commit 74098c4ac782 ("usb: gadget: acm: fix endianness in notifications")
+commit cdd7928df0d2 ("ACM gadget: fix endianness in notifications")
+commit 323ece54e076 ("cdc-wdm: fix endianness bug in debug statements")
+commit e102609f1072 ("usb: gadget: uvc: Fix endianness mismatches")
+       list goes on
+
+Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Reviewed-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_uac2.c |   20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -442,14 +442,14 @@ static struct usb_descriptor_header *hs_
+ };
+ struct cntrl_cur_lay3 {
+-      __u32   dCUR;
++      __le32  dCUR;
+ };
+ struct cntrl_range_lay3 {
+-      __u16   wNumSubRanges;
+-      __u32   dMIN;
+-      __u32   dMAX;
+-      __u32   dRES;
++      __le16  wNumSubRanges;
++      __le32  dMIN;
++      __le32  dMAX;
++      __le32  dRES;
+ } __packed;
+ static void set_ep_max_packet_size(const struct f_uac2_opts *uac2_opts,
+@@ -707,9 +707,9 @@ in_rq_cur(struct usb_function *fn, const
+               memset(&c, 0, sizeof(struct cntrl_cur_lay3));
+               if (entity_id == USB_IN_CLK_ID)
+-                      c.dCUR = p_srate;
++                      c.dCUR = cpu_to_le32(p_srate);
+               else if (entity_id == USB_OUT_CLK_ID)
+-                      c.dCUR = c_srate;
++                      c.dCUR = cpu_to_le32(c_srate);
+               value = min_t(unsigned, w_length, sizeof c);
+               memcpy(req->buf, &c, value);
+@@ -746,15 +746,15 @@ in_rq_range(struct usb_function *fn, con
+       if (control_selector == UAC2_CS_CONTROL_SAM_FREQ) {
+               if (entity_id == USB_IN_CLK_ID)
+-                      r.dMIN = p_srate;
++                      r.dMIN = cpu_to_le32(p_srate);
+               else if (entity_id == USB_OUT_CLK_ID)
+-                      r.dMIN = c_srate;
++                      r.dMIN = cpu_to_le32(c_srate);
+               else
+                       return -EOPNOTSUPP;
+               r.dMAX = r.dMIN;
+               r.dRES = 0;
+-              r.wNumSubRanges = 1;
++              r.wNumSubRanges = cpu_to_le16(1);
+               value = min_t(unsigned, w_length, sizeof r);
+               memcpy(req->buf, &r, value);
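Review bot: In the in_rq_cur() hunk an `entity_id` that is neither `USB_IN_CLK_ID` nor `USB_OUT_CLK_ID` leaves `c.dCUR` at the zero written by the memset and still copies it to `req->buf`, while the in_rq_range() hunk returns `-EOPNOTSUPP` for the same case. The conversion to `cpu_to_le32()` keeps that difference. If a zero sample rate is not a meaningful reply to the host, adding `else return -EOPNOTSUPP;` after the second assignment would make the two handlers agree. Both functions begin and end outside the hunks, so an earlier entity check cannot be ruled out from here.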
diff --git a/queue-4.14/usb-gadget-f_uac2-fix-error-handling-in-afunc_bind-again.patch b/queue-4.14/usb-gadget-f_uac2-fix-error-handling-in-afunc_bind-again.patch
new file mode 100644 (file)
index 0000000..4d1ba72
--- /dev/null
@@ -0,0 +1,225 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Eugeniu Rosca <erosca@de.adit-jv.com>
+Date: Thu, 21 Jun 2018 17:22:46 +0200
+Subject: usb: gadget: f_uac2: fix error handling in afunc_bind (again)
+
+From: Eugeniu Rosca <erosca@de.adit-jv.com>
+
+[ Upstream commit e87581fe0509020f77ebf0b7c4c1c338c6a4bcf6 ]
+
+If usb_ep_autoconfig() fails (i.e. returns a null endpoint descriptor),
+we expect afunc_bind() to fail (i.e. return a negative error code).
+
+However, due to v4.10-rc1 commit f1d3861d63a5 ("usb: gadget: f_uac2: fix
+error handling at afunc_bind"), afunc_bind() returns zero, telling the
+caller that it succeeded. This then generates NULL pointer dereference
+in below scenario on Rcar H3-ES20-Salvator-X target:
+
+rcar-gen3:/home/root# modprobe g_audio
+[  626.521155] g_audio gadget: afunc_bind:565 Error!
+[  626.526319] g_audio gadget: Linux USB Audio Gadget, version: Feb 2, 2012
+[  626.533405] g_audio gadget: g_audio ready
+rcar-gen3:/home/root#
+rcar-gen3:/home/root# modprobe -r g_audio
+[  728.256707] ==================================================================
+[  728.264293] BUG: KASAN: null-ptr-deref in u_audio_stop_capture+0x70/0x268 [u_audio]
+[  728.272244] Read of size 8 at addr 00000000000000a0 by task modprobe/2545
+[  728.279309]
+[  728.280849] CPU: 0 PID: 2545 Comm: modprobe Tainted: G        WC      4.14.47+ #152
+[  728.288778] Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
+[  728.296454] Call trace:
+[  728.299151] [<ffff2000080925ac>] dump_backtrace+0x0/0x364
+[  728.304808] [<ffff200008092924>] show_stack+0x14/0x1c
+[  728.310081] [<ffff200008f8d5cc>] dump_stack+0x108/0x174
+[  728.315522] [<ffff2000083c77c8>] kasan_report+0x1fc/0x354
+[  728.321134] [<ffff2000083c611c>] __asan_load8+0x24/0x94
+[  728.326600] [<ffff2000021e1618>] u_audio_stop_capture+0x70/0x268 [u_audio]
+[  728.333735] [<ffff2000021f8b7c>] afunc_disable+0x44/0x60 [usb_f_uac2]
+[  728.340503] [<ffff20000218177c>] usb_remove_function+0x9c/0x210 [libcomposite]
+[  728.348060] [<ffff200002183320>] remove_config.isra.2+0x1d8/0x218 [libcomposite]
+[  728.355788] [<ffff200002186c54>] __composite_unbind+0x104/0x1f8 [libcomposite]
+[  728.363339] [<ffff200002186d58>] composite_unbind+0x10/0x18 [libcomposite]
+[  728.370536] [<ffff20000152f158>] usb_gadget_remove_driver+0xc0/0x170 [udc_core]
+[  728.378172] [<ffff20000153154c>] usb_gadget_unregister_driver+0x1cc/0x258 [udc_core]
+[  728.386274] [<ffff200002180de8>] usb_composite_unregister+0x10/0x18 [libcomposite]
+[  728.394116] [<ffff2000021d035c>] audio_driver_exit+0x14/0x28 [g_audio]
+[  728.400878] [<ffff200008213ed4>] SyS_delete_module+0x288/0x32c
+[  728.406935] Exception stack(0xffff8006cf6c7ec0 to 0xffff8006cf6c8000)
+[  728.413624] 7ec0: 0000000006136428 0000000000000800 0000000000000000 0000ffffd706efe8
+[  728.421718] 7ee0: 0000ffffd706efe9 000000000000000a 1999999999999999 0000000000000000
+[  728.429792] 7f00: 000000000000006a 000000000042c078 0000000000000000 0000000000000005
+[  728.437870] 7f20: 0000000000000000 0000000000000000 0000000000000004 0000000000000000
+[  728.445952] 7f40: 000000000042bfc8 0000ffffbc7c8f40 0000000000000000 00000000061363c0
+[  728.454035] 7f60: 0000000006136428 0000000000000000 0000000000000000 0000000006136428
+[  728.462114] 7f80: 000000000042c000 0000ffffd7071448 000000000042c000 0000000000000000
+[  728.470190] 7fa0: 00000000061350c0 0000ffffd7070010 000000000041129c 0000ffffd7070010
+[  728.478281] 7fc0: 0000ffffbc7c8f48 0000000060000000 0000000006136428 000000000000006a
+[  728.486351] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+[  728.494434] [<ffff200008084780>] el0_svc_naked+0x34/0x38
+[  728.499957] ==================================================================
+[  728.507801] Unable to handle kernel NULL pointer dereference at virtual address 000000a0
+[  728.517742] Mem abort info:
+[  728.520993]   Exception class = DABT (current EL), IL = 32 bits
+[  728.527375]   SET = 0, FnV = 0
+[  728.530731]   EA = 0, S1PTW = 0
+[  728.534361] Data abort info:
+[  728.537650]   ISV = 0, ISS = 0x00000006
+[  728.541863]   CM = 0, WnR = 0
+[  728.545167] user pgtable: 4k pages, 48-bit VAs, pgd = ffff8006c6100000
+[  728.552156] [00000000000000a0] *pgd=0000000716a8d003
+[  728.557519] , *pud=00000007116fc003
+[  728.561259] , *pmd=0000000000000000
+[  728.564985] Internal error: Oops: 96000006 [#1] PREEMPT SMP
+[  728.570815] Modules linked in:
+[  728.574023]  usb_f_uac2
+[  728.576560]  u_audio
+[  728.578827]  g_audio(-)
+[  728.581361]  libcomposite
+[  728.584071]  configfs
+[  728.586428]  aes_ce_blk
+[  728.588960]  sata_rcar
+[  728.591421]  crypto_simd
+[  728.594039]  cryptd
+[  728.596217]  libata
+[  728.598396]  aes_ce_cipher
+[  728.601188]  crc32_ce
+[  728.603542]  ghash_ce
+[  728.605896]  gf128mul
+[  728.608250]  aes_arm64
+[  728.610692]  scsi_mod
+[  728.613046]  sha2_ce
+[  728.615313]  xhci_plat_hcd
+[  728.618106]  sha256_arm64
+[  728.620811]  sha1_ce
+[  728.623077]  renesas_usbhs
+[  728.625869]  xhci_hcd
+[  728.628243]  renesas_usb3
+[  728.630948]  sha1_generic
+[  728.633670]  ravb_streaming(C)
+[  728.636814]  udc_core
+[  728.639168]  cpufreq_dt
+[  728.641697]  rcar_gen3_thermal
+[  728.644840]  usb_dmac
+[  728.647194]  pwm_rcar
+[  728.649548]  thermal_sys
+[  728.652165]  virt_dma
+[  728.654519]  mch_core(C)
+[  728.657137]  pwm_bl
+[  728.659315]  snd_soc_rcar
+[  728.662020]  snd_aloop
+[  728.664462]  snd_soc_generic_card
+[  728.667869]  snd_soc_ak4613
+[  728.670749]  ipv6
+[  728.672768]  autofs4
+[  728.675052] CPU: 0 PID: 2545 Comm: modprobe Tainted: G    B   WC      4.14.47+ #152
+[  728.682973] Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
+[  728.690637] task: ffff8006ced38000 task.stack: ffff8006cf6c0000
+[  728.696814] PC is at u_audio_stop_capture+0x70/0x268 [u_audio]
+[  728.702896] LR is at u_audio_stop_capture+0x70/0x268 [u_audio]
+[  728.708964] pc : [<ffff2000021e1618>] lr : [<ffff2000021e1618>] pstate: 60000145
+[  728.716620] sp : ffff8006cf6c7a50
+[  728.720154] x29: ffff8006cf6c7a50
+[  728.723760] x28: ffff8006ced38000
+[  728.727272] x27: ffff200008fd7000
+[  728.730857] x26: ffff2000021d2340
+[  728.734361] x25: 0000000000000000
+[  728.737948] x24: ffff200009e94b08
+[  728.741452] x23: 00000000000000a0
+[  728.745052] x22: 00000000000000a8
+[  728.748558] x21: 1ffff000d9ed8f7c
+[  728.752142] x20: ffff8006d671a800
+[  728.755646] x19: 0000000000000000
+[  728.759231] x18: 0000000000000000
+[  728.762736] x17: 0000ffffbc7c8f40
+[  728.766320] x16: ffff200008213c4c
+[  728.769823] x15: 0000000000000000
+[  728.773408] x14: 0720072007200720
+[  728.776912] x13: 0720072007200720
+[  728.780497] x12: ffffffffffffffff
+[  728.784001] x11: 0000000000000040
+[  728.787598] x10: 0000000000001600
+[  728.791103] x9 : ffff8006cf6c77a0
+[  728.794689] x8 : ffff8006ced39660
+[  728.798193] x7 : ffff20000811c738
+[  728.801794] x6 : 0000000000000000
+[  728.805299] x5 : dfff200000000000
+[  728.808885] x4 : ffff8006ced38000
+[  728.812390] x3 : ffff200008fb46e8
+[  728.815976] x2 : 0000000000000007
+[  728.819480] x1 : 3ba68643e7431500
+[  728.823066] x0 : 0000000000000000
+[  728.826574] Process modprobe (pid: 2545, stack limit = 0xffff8006cf6c0000)
+[  728.833704] Call trace:
+[  728.836292] Exception stack(0xffff8006cf6c7910 to 0xffff8006cf6c7a50)
+[  728.842987] 7900:                                   0000000000000000 3ba68643e7431500
+[  728.851084] 7920: 0000000000000007 ffff200008fb46e8 ffff8006ced38000 dfff200000000000
+[  728.859173] 7940: 0000000000000000 ffff20000811c738 ffff8006ced39660 ffff8006cf6c77a0
+[  728.867248] 7960: 0000000000001600 0000000000000040 ffffffffffffffff 0720072007200720
+[  728.875323] 7980: 0720072007200720 0000000000000000 ffff200008213c4c 0000ffffbc7c8f40
+[  728.883412] 79a0: 0000000000000000 0000000000000000 ffff8006d671a800 1ffff000d9ed8f7c
+[  728.891485] 79c0: 00000000000000a8 00000000000000a0 ffff200009e94b08 0000000000000000
+[  728.899561] 79e0: ffff2000021d2340 ffff200008fd7000 ffff8006ced38000 ffff8006cf6c7a50
+[  728.907636] 7a00: ffff2000021e1618 ffff8006cf6c7a50 ffff2000021e1618 0000000060000145
+[  728.915710] 7a20: 0000000000000008 0000000000000000 0000ffffffffffff 3ba68643e7431500
+[  728.923780] 7a40: ffff8006cf6c7a50 ffff2000021e1618
+[  728.928880] [<ffff2000021e1618>] u_audio_stop_capture+0x70/0x268 [u_audio]
+[  728.936032] [<ffff2000021f8b7c>] afunc_disable+0x44/0x60 [usb_f_uac2]
+[  728.942822] [<ffff20000218177c>] usb_remove_function+0x9c/0x210 [libcomposite]
+[  728.950385] [<ffff200002183320>] remove_config.isra.2+0x1d8/0x218 [libcomposite]
+[  728.958134] [<ffff200002186c54>] __composite_unbind+0x104/0x1f8 [libcomposite]
+[  728.965689] [<ffff200002186d58>] composite_unbind+0x10/0x18 [libcomposite]
+[  728.972882] [<ffff20000152f158>] usb_gadget_remove_driver+0xc0/0x170 [udc_core]
+[  728.980522] [<ffff20000153154c>] usb_gadget_unregister_driver+0x1cc/0x258 [udc_core]
+[  728.988638] [<ffff200002180de8>] usb_composite_unregister+0x10/0x18 [libcomposite]
+[  728.996472] [<ffff2000021d035c>] audio_driver_exit+0x14/0x28 [g_audio]
+[  729.003231] [<ffff200008213ed4>] SyS_delete_module+0x288/0x32c
+[  729.009278] Exception stack(0xffff8006cf6c7ec0 to 0xffff8006cf6c8000)
+[  729.015946] 7ec0: 0000000006136428 0000000000000800 0000000000000000 0000ffffd706efe8
+[  729.024022] 7ee0: 0000ffffd706efe9 000000000000000a 1999999999999999 0000000000000000
+[  729.032099] 7f00: 000000000000006a 000000000042c078 0000000000000000 0000000000000005
+[  729.040172] 7f20: 0000000000000000 0000000000000000 0000000000000004 0000000000000000
+[  729.048263] 7f40: 000000000042bfc8 0000ffffbc7c8f40 0000000000000000 00000000061363c0
+[  729.056337] 7f60: 0000000006136428 0000000000000000 0000000000000000 0000000006136428
+[  729.064411] 7f80: 000000000042c000 0000ffffd7071448 000000000042c000 0000000000000000
+[  729.072484] 7fa0: 00000000061350c0 0000ffffd7070010 000000000041129c 0000ffffd7070010
+[  729.080563] 7fc0: 0000ffffbc7c8f48 0000000060000000 0000000006136428 000000000000006a
+[  729.088636] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+[  729.096733] [<ffff200008084780>] el0_svc_naked+0x34/0x38
+[  729.102259] Code: 9597d1b3 aa1703e0 9102a276 958792b9 (f9405275)
+[  729.108617] ---[ end trace 7560c5fa3d100243 ]---
+
+After this patch is applied, the issue is fixed:
+rcar-gen3:/home/root# modprobe g_audio
+[   59.217127] g_audio gadget: afunc_bind:565 Error!
+[   59.222329] g_audio ee020000.usb: failed to start g_audio: -19
+modprobe: ERROR: could not insert 'g_audio': No such device
+rcar-gen3:/home/root# modprobe -r g_audio
+rcar-gen3:/home/root#
+
+Fixes: f1d3861d63a5 ("usb: gadget: f_uac2: fix error handling at afunc_bind")
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_uac2.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -563,13 +563,13 @@ afunc_bind(struct usb_configuration *cfg
+       agdev->out_ep = usb_ep_autoconfig(gadget, &fs_epout_desc);
+       if (!agdev->out_ep) {
+               dev_err(dev, "%s:%d Error!\n", __func__, __LINE__);
+-              return ret;
++              return -ENODEV;
+       }
+       agdev->in_ep = usb_ep_autoconfig(gadget, &fs_epin_desc);
+       if (!agdev->in_ep) {
+               dev_err(dev, "%s:%d Error!\n", __func__, __LINE__);
+-              return ret;
++              return -ENODEV;
+       }
+       agdev->in_ep_maxpsize = max_t(u16,
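Review bot: Both failure paths in this hunk now return -ENODEV, but they still log the same `"%s:%d Error!\n"` text, so the two cases differ only by `__LINE__`, which shifts between kernel versions. Naming the endpoint would make the bind failure easier to triage from a log, for example `dev_err(dev, "%s: no OUT endpoint available\n", __func__);` and the matching `"%s: no IN endpoint available\n"` for the second check. afunc_bind() starts before and continues after this hunk, so whether other early returns in it can also hand back a stale `ret` cannot be judged from here.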
diff --git a/queue-4.14/usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch b/queue-4.14/usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch
new file mode 100644 (file)
index 0000000..2a38747
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Wed, 20 Jun 2018 11:55:08 +0800
+Subject: usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit f36b507c14c4b6e634463a610294e9cb0065c8ea ]
+
+The driver may sleep in an interrupt handler.
+The function call path (from bottom to top) in Linux-4.16.7 is:
+
+[FUNC] r8a66597_queue(GFP_KERNEL)
+drivers/usb/gadget/udc/r8a66597-udc.c, 1193:
+               r8a66597_queue in get_status
+drivers/usb/gadget/udc/r8a66597-udc.c, 1301:
+               get_status in setup_packet
+drivers/usb/gadget/udc/r8a66597-udc.c, 1381:
+               setup_packet in irq_control_stage
+drivers/usb/gadget/udc/r8a66597-udc.c, 1508:
+               irq_control_stage in r8a66597_irq (interrupt handler)
+
+To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC.
+
+This bug is found by my static analysis tool (DSAC-2) and checked by
+my code review.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/r8a66597-udc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/r8a66597-udc.c
++++ b/drivers/usb/gadget/udc/r8a66597-udc.c
+@@ -1193,7 +1193,7 @@ __acquires(r8a66597->lock)
+       r8a66597->ep0_req->length = 2;
+       /* AV: what happens if we get called again before that gets through? */
+       spin_unlock(&r8a66597->lock);
+-      r8a66597_queue(r8a66597->gadget.ep0, r8a66597->ep0_req, GFP_KERNEL);
++      r8a66597_queue(r8a66597->gadget.ep0, r8a66597->ep0_req, GFP_ATOMIC);
+       spin_lock(&r8a66597->lock);
+ }
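Review bot: The `spin_unlock()` directly above the changed call makes the GFP_ATOMIC argument look unnecessary, and nothing in the code says why it is needed. The reason is only in the commit message: the call is reached from the interrupt handler. A comment above the call would keep the flag from being reverted later, for example `/* reached from r8a66597_irq() via setup_packet(): must not sleep even with the lock dropped */`. The return value of `r8a66597_queue()` is also discarded here, so a failed queue of the status reply would go unnoticed. The function starts outside the hunk.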
diff --git a/queue-4.14/usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch b/queue-4.14/usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch
new file mode 100644 (file)
index 0000000..e863be4
--- /dev/null
@@ -0,0 +1,57 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Wed, 20 Jun 2018 11:54:53 +0800
+Subject: usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 0602088b10a7c0b4e044a810678ef93d7cc5bf48 ]
+
+The driver may sleep with holding a spinlock.
+The function call paths (from bottom to top) in Linux-4.16.7 are:
+
+[FUNC] msleep
+drivers/usb/gadget/udc/r8a66597-udc.c, 839:
+               msleep in init_controller
+drivers/usb/gadget/udc/r8a66597-udc.c, 96:
+               init_controller in r8a66597_usb_disconnect
+drivers/usb/gadget/udc/r8a66597-udc.c, 93:
+               spin_lock in r8a66597_usb_disconnect
+
+[FUNC] msleep
+drivers/usb/gadget/udc/r8a66597-udc.c, 835:
+               msleep in init_controller
+drivers/usb/gadget/udc/r8a66597-udc.c, 96:
+               init_controller in r8a66597_usb_disconnect
+drivers/usb/gadget/udc/r8a66597-udc.c, 93:
+               spin_lock in r8a66597_usb_disconnect
+
+To fix these bugs, msleep() is replaced with mdelay().
+
+This bug is found by my static analysis tool (DSAC-2) and checked by
+my code review.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/r8a66597-udc.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/udc/r8a66597-udc.c
++++ b/drivers/usb/gadget/udc/r8a66597-udc.c
+@@ -835,11 +835,11 @@ static void init_controller(struct r8a66
+               r8a66597_bset(r8a66597, XCKE, SYSCFG0);
+-              msleep(3);
++              mdelay(3);
+               r8a66597_bset(r8a66597, PLLC, SYSCFG0);
+-              msleep(1);
++              mdelay(1);
+               r8a66597_bset(r8a66597, SCKE, SYSCFG0);
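Review bot: The two `mdelay()` calls busy-wait for 4 ms in total, and per the commit message at least one caller, r8a66597_usb_disconnect(), holds a spinlock across init_controller(). That cost and the reason for it deserve a comment at the first delay, for example `/* mdelay, not msleep: init_controller() can run under r8a66597->lock */`. Without it the next cleanup is likely to switch these back to a sleeping delay. init_controller() begins and ends outside the hunk, so it cannot be seen from here whether other callers run in sleepable context.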
diff --git a/queue-4.14/usb-gadget-u_audio-fix-pcm-card-naming-in-g_audio_setup.patch b/queue-4.14/usb-gadget-u_audio-fix-pcm-card-naming-in-g_audio_setup.patch
new file mode 100644 (file)
index 0000000..cb7c85f
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Eugeniu Rosca <erosca@de.adit-jv.com>
+Date: Thu, 21 Jun 2018 17:22:47 +0200
+Subject: usb: gadget: u_audio: fix pcm/card naming in g_audio_setup()
+
+From: Eugeniu Rosca <erosca@de.adit-jv.com>
+
+[ Upstream commit dfa042fa310caa475667b8c38d852f14439e0b01 ]
+
+Fix below smatch (v0.5.0-4443-g69e9094e11c1) warnings:
+drivers/usb/gadget/function/u_audio.c:607 g_audio_setup() warn: strcpy() 'pcm_name' of unknown size might be too large for 'pcm->name'
+drivers/usb/gadget/function/u_audio.c:614 g_audio_setup() warn: strcpy() 'card_name' of unknown size might be too large for 'card->driver'
+drivers/usb/gadget/function/u_audio.c:615 g_audio_setup() warn: strcpy() 'card_name' of unknown size might be too large for 'card->shortname'
+
+Below commits performed a similar 's/strcpy/strlcpy/' rework:
+* v2.6.31 commit 8372d4980fbc ("ALSA: ctxfi - Fix PCM device naming")
+* v4.14 commit 003d3e70dbeb ("ALSA: ad1848: fix format string overflow warning")
+* v4.14 commit 6d8b04de87e1 ("ALSA: cs423x: fix format string overflow warning")
+
+Fixes: eb9fecb9e69b ("usb: gadget: f_uac2: split out audio core")
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/u_audio.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_audio.c
++++ b/drivers/usb/gadget/function/u_audio.c
+@@ -604,15 +604,15 @@ int g_audio_setup(struct g_audio *g_audi
+       if (err < 0)
+               goto snd_fail;
+-      strcpy(pcm->name, pcm_name);
++      strlcpy(pcm->name, pcm_name, sizeof(pcm->name));
+       pcm->private_data = uac;
+       uac->pcm = pcm;
+       snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_PLAYBACK, &uac_pcm_ops);
+       snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_CAPTURE, &uac_pcm_ops);
+-      strcpy(card->driver, card_name);
+-      strcpy(card->shortname, card_name);
++      strlcpy(card->driver, card_name, sizeof(card->driver));
++      strlcpy(card->shortname, card_name, sizeof(card->shortname));
+       sprintf(card->longname, "%s %i", card_name, card->dev->id);
+       snd_pcm_lib_preallocate_pages_for_all(pcm, SNDRV_DMA_TYPE_CONTINUOUS,
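Review bot: The context line `sprintf(card->longname, "%s %i", card_name, card->dev->id);` is left unbounded. The three `strcpy()` calls are now sized, yet this line formats the same `card_name` that smatch reported as being of unknown size. Bounding it the same way would complete the change: `snprintf(card->longname, sizeof(card->longname), "%s %i", card_name, card->dev->id);`. Note that `strlcpy()` truncates silently, so an over-long name would now be cut rather than rejected. g_audio_setup() starts before and runs past this hunk.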
diff --git a/queue-4.14/usb-gadget-u_audio-protect-stream-runtime-fields-with-stream-spinlock.patch b/queue-4.14/usb-gadget-u_audio-protect-stream-runtime-fields-with-stream-spinlock.patch
new file mode 100644 (file)
index 0000000..51cf716
--- /dev/null
@@ -0,0 +1,200 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
+Date: Thu, 21 Jun 2018 17:22:52 +0200
+Subject: usb: gadget: u_audio: protect stream runtime fields with stream spinlock
+
+From: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
+
+[ Upstream commit 56bc61587daadef67712068f251c4ef2e3932d94 ]
+
+The change protects almost the whole body of u_audio_iso_complete()
+function by PCM stream lock, this is mainly sufficient to avoid a race
+between USB request completion and stream termination, the change
+prevents a possibility of invalid memory access in interrupt context
+by memcpy():
+
+    Unable to handle kernel paging request at virtual address 00004e80
+    pgd = c0004000
+    [00004e80] *pgd=00000000
+    Internal error: Oops: 817 [#1] PREEMPT SMP ARM
+    CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: G         C   3.14.54+ #117
+    task: da180b80 ti: da192000 task.ti: da192000
+    PC is at memcpy+0x50/0x330
+    LR is at 0xcdd92b0e
+    pc : [<c029ef30>]    lr : [<cdd92b0e>]    psr: 20000193
+    sp : da193ce4  ip : dd86ae26  fp : 0000b180
+    r10: daf81680  r9 : 00000000  r8 : d58a01ea
+    r7 : 2c0b43e4  r6 : acdfb08b  r5 : 01a271cf  r4 : 87389377
+    r3 : 69469782  r2 : 00000020  r1 : daf82fe0  r0 : 00004e80
+    Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
+    Control: 10c5387d  Table: 2b70804a  DAC: 00000015
+    Process ksoftirqd/0 (pid: 3, stack limit = 0xda192238)
+
+Also added a check for potential !runtime condition, commonly it is
+done by PCM_RUNTIME_CHECK(substream) in the beginning, however this
+does not completely prevent from oopses in u_audio_iso_complete(),
+because the proper protection scheme must be implemented in PCM
+library functions.
+
+An example of *not fixed* oops due to substream->runtime->*
+dereference by snd_pcm_running(substream) from
+snd_pcm_period_elapsed(), where substream->runtime is gone while
+waiting the substream lock:
+
+    Unable to handle kernel paging request at virtual address 6b6b6b6b
+    pgd = db7e4000
+    [6b6b6b6b] *pgd=00000000
+    CPU: 0 PID: 193 Comm: klogd Tainted: G         C   3.14.54+ #118
+    task: db5ac500 ti: db60c000 task.ti: db60c000
+    PC is at snd_pcm_period_elapsed+0x48/0xd8 [snd_pcm]
+    LR is at snd_pcm_period_elapsed+0x40/0xd8 [snd_pcm]
+    pc : [<>]    lr : [<>]    psr: 60000193
+    Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
+    Control: 10c5387d  Table: 2b7e404a  DAC: 00000015
+    Process klogd (pid: 193, stack limit = 0xdb60c238)
+    [<>] (snd_pcm_period_elapsed [snd_pcm]) from [<>] (udc_irq+0x500/0xbbc)
+    [<>] (udc_irq) from [<>] (ci_irq+0x280/0x304)
+    [<>] (ci_irq) from [<>] (handle_irq_event_percpu+0xa4/0x40c)
+    [<>] (handle_irq_event_percpu) from [<>] (handle_irq_event+0x3c/0x5c)
+    [<>] (handle_irq_event) from [<>] (handle_fasteoi_irq+0xc4/0x110)
+    [<>] (handle_fasteoi_irq) from [<>] (generic_handle_irq+0x20/0x30)
+    [<>] (generic_handle_irq) from [<>] (handle_IRQ+0x80/0xc0)
+    [<>] (handle_IRQ) from [<>] (gic_handle_irq+0x3c/0x60)
+    [<>] (gic_handle_irq) from [<>] (__irq_svc+0x44/0x78)
+
+Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
+[erosca: W/o this patch, with minimal instrumentation [1], I can
+         consistently reproduce BUG: KASAN: use-after-free [2]]
+
+[1] Instrumentation to reproduce issue [2]:
+ diff --git a/drivers/usb/gadget/function/u_audio.c b/drivers/usb/gadget/function/u_audio.c
+ index a72295c953bb..bd0b308024fe 100644
+ --- a/drivers/usb/gadget/function/u_audio.c
+ +++ b/drivers/usb/gadget/function/u_audio.c
+ @@ -16,6 +16,7 @@
+  #include <sound/core.h>
+  #include <sound/pcm.h>
+  #include <sound/pcm_params.h>
+ +#include <linux/delay.h>
+
+  #include "u_audio.h"
+
+ @@ -147,6 +148,8 @@ static void u_audio_iso_complete(struct usb_ep *ep, struct usb_request *req)
+
+       spin_unlock_irqrestore(&prm->lock, flags);
+
+ +     udelay(500); //delay here to increase probability of parallel activities
+ +
+       /* Pack USB load in ALSA ring buffer */
+       pending = prm->dma_bytes - hw_ptr;
+
+[2] After applying [1], below BUG occurs on Rcar-H3-Salvator-X board:
+==================================================================
+BUG: KASAN: use-after-free in u_audio_iso_complete+0x24c/0x520 [u_audio]
+Read of size 8 at addr ffff8006cafcc248 by task swapper/0/0
+
+CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        WC      4.14.47+ #160
+Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
+Call trace:
+[<ffff2000080925ac>] dump_backtrace+0x0/0x364
+[<ffff200008092924>] show_stack+0x14/0x1c
+[<ffff200008f8dbcc>] dump_stack+0x108/0x174
+[<ffff2000083c71b8>] print_address_description+0x7c/0x32c
+[<ffff2000083c78e8>] kasan_report+0x324/0x354
+[<ffff2000083c6114>] __asan_load8+0x24/0x94
+[<ffff2000021d1b34>] u_audio_iso_complete+0x24c/0x520 [u_audio]
+[<ffff20000152fe50>] usb_gadget_giveback_request+0x480/0x4d0 [udc_core]
+[<ffff200001860ab8>] usbhsg_queue_done+0x100/0x130 [renesas_usbhs]
+[<ffff20000185f814>] usbhsf_pkt_handler+0x1a4/0x298 [renesas_usbhs]
+[<ffff20000185fb38>] usbhsf_irq_ready+0x128/0x178 [renesas_usbhs]
+[<ffff200001859cc8>] usbhs_interrupt+0x440/0x490 [renesas_usbhs]
+[<ffff2000081a0288>] __handle_irq_event_percpu+0x594/0xa58
+[<ffff2000081a07d0>] handle_irq_event_percpu+0x84/0x12c
+[<ffff2000081a0928>] handle_irq_event+0xb0/0x10c
+[<ffff2000081a8384>] handle_fasteoi_irq+0x1e0/0x2ec
+[<ffff20000819e5f8>] generic_handle_irq+0x2c/0x44
+[<ffff20000819f0d0>] __handle_domain_irq+0x190/0x194
+[<ffff20000808177c>] gic_handle_irq+0x80/0xac
+Exception stack(0xffff200009e97c80 to 0xffff200009e97dc0)
+7c80: 0000000000000000 0000000000000000 0000000000000003 ffff200008179298
+7ca0: ffff20000ae1c180 dfff200000000000 0000000000000000 ffff2000081f9a88
+7cc0: ffff200009eb5960 ffff200009e97cf0 0000000000001600 ffff0400041b064b
+7ce0: 0000000000000000 0000000000000002 0000000200000001 0000000000000001
+7d00: ffff20000842197c 0000ffff958c4970 0000000000000000 ffff8006da0d5b80
+7d20: ffff8006d4678498 0000000000000000 000000126bde0a8b ffff8006d4678480
+7d40: 0000000000000000 000000126bdbea64 ffff200008fd0000 ffff8006fffff980
+7d60: 00000000495f0018 ffff200009e97dc0 ffff200008b6c4ec ffff200009e97dc0
+7d80: ffff200008b6c4f0 0000000020000145 ffff8006da0d5b80 ffff8006d4678498
+7da0: ffffffffffffffff ffff8006d4678498 ffff200009e97dc0 ffff200008b6c4f0
+[<ffff200008084034>] el1_irq+0xb4/0x12c
+[<ffff200008b6c4f0>] cpuidle_enter_state+0x818/0x844
+[<ffff200008b6c59c>] cpuidle_enter+0x18/0x20
+[<ffff20000815f2e4>] call_cpuidle+0x98/0x9c
+[<ffff20000815f674>] do_idle+0x214/0x264
+[<ffff20000815facc>] cpu_startup_entry+0x20/0x24
+[<ffff200008fb09d8>] rest_init+0x30c/0x320
+[<ffff2000095f1338>] start_kernel+0x570/0x5b0
+---<-snip->---
+
+Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/u_audio.c |   13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/u_audio.c
++++ b/drivers/usb/gadget/function/u_audio.c
+@@ -25,6 +25,7 @@
+ #include <sound/core.h>
+ #include <sound/pcm.h>
+ #include <sound/pcm_params.h>
++#include <linux/delay.h>
+ #include "u_audio.h"
+@@ -88,7 +89,7 @@ static const struct snd_pcm_hardware uac
+ static void u_audio_iso_complete(struct usb_ep *ep, struct usb_request *req)
+ {
+       unsigned pending;
+-      unsigned long flags;
++      unsigned long flags, flags2;
+       unsigned int hw_ptr;
+       int status = req->status;
+       struct uac_req *ur = req->context;
+@@ -115,7 +116,14 @@ static void u_audio_iso_complete(struct
+       if (!substream)
+               goto exit;
++      snd_pcm_stream_lock_irqsave(substream, flags2);
++
+       runtime = substream->runtime;
++      if (!runtime || !snd_pcm_running(substream)) {
++              snd_pcm_stream_unlock_irqrestore(substream, flags2);
++              goto exit;
++      }
++
+       spin_lock_irqsave(&prm->lock, flags);
+       if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
+@@ -146,6 +154,8 @@ static void u_audio_iso_complete(struct
+       spin_unlock_irqrestore(&prm->lock, flags);
++      udelay(500); //delay here to increase probability of parallel activities
++
+       /* Pack USB load in ALSA ring buffer */
+       pending = runtime->dma_bytes - hw_ptr;
+@@ -174,6 +184,7 @@ static void u_audio_iso_complete(struct
+       prm->hw_ptr = (hw_ptr + req->actual) % runtime->dma_bytes;
+       hw_ptr = prm->hw_ptr;
+       spin_unlock_irqrestore(&prm->lock, flags);
++      snd_pcm_stream_unlock_irqrestore(substream, flags2);
+       if ((hw_ptr % snd_pcm_lib_period_bytes(substream)) < req->actual)
+               snd_pcm_period_elapsed(substream);
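Review bot: The hunks at `@@ -25,6 +25,7 @@` and `@@ -146,6 +154,8 @@` add `#include <linux/delay.h>` and `udelay(500); //delay here to increase probability of parallel activities`. These are the reproduction instrumentation quoted as [1] in the commit message, not part of the fix. On the new side the delay sits between `snd_pcm_stream_lock_irqsave()` and the matching `snd_pcm_stream_unlock_irqrestore()`. Every isochronous completion would therefore busy-wait 500 µs with the PCM stream lock held and interrupts disabled. Both added lines should be dropped from the queued patch, and the result compared with the upstream commit to confirm nothing else was picked up from the message. u_audio_iso_complete() begins and ends outside these hunks.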
diff --git a/queue-4.14/usb-gadget-u_audio-remove-cached-period-bytes-value.patch b/queue-4.14/usb-gadget-u_audio-remove-cached-period-bytes-value.patch
new file mode 100644 (file)
index 0000000..01c4b0d
--- /dev/null
@@ -0,0 +1,114 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
+Date: Thu, 21 Jun 2018 17:22:50 +0200
+Subject: usb: gadget: u_audio: remove cached period bytes value
+
+From: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
+
+[ Upstream commit 773e53d50e227b0c03d0bb434c1636f6c49c75b2 ]
+
+Substream period size potentially can be changed in runtime, however
+this is not accounted in the data copying routine, the change replaces
+the cached value with an actual value from substream runtime.
+
+As a side effect the change also removes a potential division by zero
+in u_audio_iso_complete() function, if there is a race with
+uac_pcm_hw_free(), which sets prm->period_size to 0.
+
+Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
+Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/u_audio.c |   40 ++++------------------------------
+ 1 file changed, 5 insertions(+), 35 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_audio.c
++++ b/drivers/usb/gadget/function/u_audio.c
+@@ -49,8 +49,6 @@ struct uac_rtd_params {
+       void *rbuf;
+-      size_t period_size;
+-
+       unsigned max_psize;     /* MaxPacketSize of endpoint */
+       struct uac_req *ureq;
+@@ -92,7 +90,6 @@ static void u_audio_iso_complete(struct
+       unsigned pending;
+       unsigned long flags;
+       unsigned int hw_ptr;
+-      bool update_alsa = false;
+       int status = req->status;
+       struct uac_req *ur = req->context;
+       struct snd_pcm_substream *substream;
+@@ -145,11 +142,6 @@ static void u_audio_iso_complete(struct
+               req->actual = req->length;
+       }
+-      pending = prm->hw_ptr % prm->period_size;
+-      pending += req->actual;
+-      if (pending >= prm->period_size)
+-              update_alsa = true;
+-
+       hw_ptr = prm->hw_ptr;
+       spin_unlock_irqrestore(&prm->lock, flags);
+@@ -180,14 +172,15 @@ static void u_audio_iso_complete(struct
+       spin_lock_irqsave(&prm->lock, flags);
+       /* update hw_ptr after data is copied to memory */
+       prm->hw_ptr = (hw_ptr + req->actual) % runtime->dma_bytes;
++      hw_ptr = prm->hw_ptr;
+       spin_unlock_irqrestore(&prm->lock, flags);
++      if ((hw_ptr % snd_pcm_lib_period_bytes(substream)) < req->actual)
++              snd_pcm_period_elapsed(substream);
++
+ exit:
+       if (usb_ep_queue(ep, req, GFP_ATOMIC))
+               dev_err(uac->card->dev, "%d Error!\n", __LINE__);
+-
+-      if (update_alsa)
+-              snd_pcm_period_elapsed(substream);
+ }
+ static int uac_pcm_trigger(struct snd_pcm_substream *substream, int cmd)
+@@ -250,35 +243,12 @@ static snd_pcm_uframes_t uac_pcm_pointer
+ static int uac_pcm_hw_params(struct snd_pcm_substream *substream,
+                              struct snd_pcm_hw_params *hw_params)
+ {
+-      struct snd_uac_chip *uac = snd_pcm_substream_chip(substream);
+-      struct uac_rtd_params *prm;
+-      int err;
+-
+-      if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+-              prm = &uac->p_prm;
+-      else
+-              prm = &uac->c_prm;
+-
+-      err = snd_pcm_lib_malloc_pages(substream,
++      return snd_pcm_lib_malloc_pages(substream,
+                                       params_buffer_bytes(hw_params));
+-      if (err >= 0)
+-              prm->period_size = params_period_bytes(hw_params);
+-
+-      return err;
+ }
+ static int uac_pcm_hw_free(struct snd_pcm_substream *substream)
+ {
+-      struct snd_uac_chip *uac = snd_pcm_substream_chip(substream);
+-      struct uac_rtd_params *prm;
+-
+-      if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+-              prm = &uac->p_prm;
+-      else
+-              prm = &uac->c_prm;
+-
+-      prm->period_size = 0;
+-
+       return snd_pcm_lib_free_pages(substream);
+ }
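Review bot: In the `@@ -180,14 +172,15 @@` hunk the new divisor `snd_pcm_lib_period_bytes(substream)` is read after `spin_unlock_irqrestore(&prm->lock, flags)` and is used in a modulo without a zero check. The commit message credits this change with removing a division by zero on `prm->period_size`, but the replacement value comes from the substream runtime, and nothing visible here guarantees it is non-zero or still valid at that point. A defensive form would be `unsigned int period = snd_pcm_lib_period_bytes(substream);` followed by `if (period && (hw_ptr % period) < req->actual)`. Whether the runtime can change underneath this code depends on locking outside the hunk. u_audio_iso_complete() starts before the hunk.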
diff --git a/queue-4.14/usb-gadget-u_audio-remove-caching-of-stream-buffer-parameters.patch b/queue-4.14/usb-gadget-u_audio-remove-caching-of-stream-buffer-parameters.patch
new file mode 100644 (file)
index 0000000..9ae8ad7
--- /dev/null
@@ -0,0 +1,115 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
+Date: Thu, 21 Jun 2018 17:22:49 +0200
+Subject: usb: gadget: u_audio: remove caching of stream buffer parameters
+
+From: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
+
+[ Upstream commit 96afb54ece0ee903d23a7ac04ddc461413b972c4 ]
+
+There is no necessity to copy PCM stream ring buffer area and size
+properties to UAC private data structure, these values can be got
+from substream itself.
+
+The change gives more control on substream and avoid stale caching.
+
+Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
+Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/u_audio.c |   30 +++++++++++++-----------------
+ 1 file changed, 13 insertions(+), 17 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_audio.c
++++ b/drivers/usb/gadget/function/u_audio.c
+@@ -41,9 +41,6 @@ struct uac_req {
+ struct uac_rtd_params {
+       struct snd_uac_chip *uac; /* parent chip */
+       bool ep_enabled; /* if the ep is enabled */
+-      /* Size of the ring buffer */
+-      size_t dma_bytes;
+-      unsigned char *dma_area;
+       struct snd_pcm_substream *ss;
+@@ -99,6 +96,7 @@ static void u_audio_iso_complete(struct
+       int status = req->status;
+       struct uac_req *ur = req->context;
+       struct snd_pcm_substream *substream;
++      struct snd_pcm_runtime *runtime;
+       struct uac_rtd_params *prm = ur->pp;
+       struct snd_uac_chip *uac = prm->uac;
+@@ -120,6 +118,7 @@ static void u_audio_iso_complete(struct
+       if (!substream)
+               goto exit;
++      runtime = substream->runtime;
+       spin_lock_irqsave(&prm->lock, flags);
+       if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
+@@ -156,29 +155,31 @@ static void u_audio_iso_complete(struct
+       spin_unlock_irqrestore(&prm->lock, flags);
+       /* Pack USB load in ALSA ring buffer */
+-      pending = prm->dma_bytes - hw_ptr;
++      pending = runtime->dma_bytes - hw_ptr;
+       if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
+               if (unlikely(pending < req->actual)) {
+-                      memcpy(req->buf, prm->dma_area + hw_ptr, pending);
+-                      memcpy(req->buf + pending, prm->dma_area,
++                      memcpy(req->buf, runtime->dma_area + hw_ptr, pending);
++                      memcpy(req->buf + pending, runtime->dma_area,
+                              req->actual - pending);
+               } else {
+-                      memcpy(req->buf, prm->dma_area + hw_ptr, req->actual);
++                      memcpy(req->buf, runtime->dma_area + hw_ptr,
++                             req->actual);
+               }
+       } else {
+               if (unlikely(pending < req->actual)) {
+-                      memcpy(prm->dma_area + hw_ptr, req->buf, pending);
+-                      memcpy(prm->dma_area, req->buf + pending,
++                      memcpy(runtime->dma_area + hw_ptr, req->buf, pending);
++                      memcpy(runtime->dma_area, req->buf + pending,
+                              req->actual - pending);
+               } else {
+-                      memcpy(prm->dma_area + hw_ptr, req->buf, req->actual);
++                      memcpy(runtime->dma_area + hw_ptr, req->buf,
++                             req->actual);
+               }
+       }
+       spin_lock_irqsave(&prm->lock, flags);
+       /* update hw_ptr after data is copied to memory */
+-      prm->hw_ptr = (hw_ptr + req->actual) % prm->dma_bytes;
++      prm->hw_ptr = (hw_ptr + req->actual) % runtime->dma_bytes;
+       spin_unlock_irqrestore(&prm->lock, flags);
+ exit:
+@@ -260,11 +261,8 @@ static int uac_pcm_hw_params(struct snd_
+       err = snd_pcm_lib_malloc_pages(substream,
+                                       params_buffer_bytes(hw_params));
+-      if (err >= 0) {
+-              prm->dma_bytes = substream->runtime->dma_bytes;
+-              prm->dma_area = substream->runtime->dma_area;
++      if (err >= 0)
+               prm->period_size = params_period_bytes(hw_params);
+-      }
+       return err;
+ }
+@@ -279,8 +277,6 @@ static int uac_pcm_hw_free(struct snd_pc
+       else
+               prm = &uac->c_prm;
+-      prm->dma_area = NULL;
+-      prm->dma_bytes = 0;
+       prm->period_size = 0;
+       return snd_pcm_lib_free_pages(substream);
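Review bot: In the u_audio_iso_complete() hunks, the copy and the `% runtime->dma_bytes` update now read `runtime->dma_area` and `runtime->dma_bytes` live, after `prm->lock` has been dropped. A completion that arrives once the PCM buffer has been released would then copy through a NULL area and take a modulo by zero. Whether that ordering can occur depends on code outside the hunks (how `prm->ss` is cleared and when requests are dequeued), so treat this as a question to settle rather than a confirmed defect. A guard right after `runtime = substream->runtime;` would make the precondition explicit: `if (!runtime || !runtime->dma_area || !runtime->dma_bytes) goto exit;`. The function starts and ends outside the hunks shown.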
diff --git a/queue-4.14/usb-gadget-u_audio-update-hw_ptr-in-iso_complete-after-data-copied.patch b/queue-4.14/usb-gadget-u_audio-update-hw_ptr-in-iso_complete-after-data-copied.patch
new file mode 100644 (file)
index 0000000..4f8e5e9
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Joshua Frkuska <joshua_frkuska@mentor.com>
+Date: Thu, 21 Jun 2018 17:22:48 +0200
+Subject: usb: gadget: u_audio: update hw_ptr in iso_complete after data copied
+
+From: Joshua Frkuska <joshua_frkuska@mentor.com>
+
+[ Upstream commit 6b37bd78d30c890e575a1bda22978d1d2a233362 ]
+
+In u_audio_iso_complete, the runtime hw_ptr is updated before the
+data is actually copied over to/from the buffer/dma area. When
+ALSA uses this hw_ptr, the data may not actually be available to
+be used. This causes trash/stale audio to play/record. This
+patch updates the hw_ptr after the data has been copied to avoid
+this.
+
+Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
+Signed-off-by: Joshua Frkuska <joshua_frkuska@mentor.com>
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/u_audio.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/u_audio.c
++++ b/drivers/usb/gadget/function/u_audio.c
+@@ -152,7 +152,6 @@ static void u_audio_iso_complete(struct
+               update_alsa = true;
+       hw_ptr = prm->hw_ptr;
+-      prm->hw_ptr = (prm->hw_ptr + req->actual) % prm->dma_bytes;
+       spin_unlock_irqrestore(&prm->lock, flags);
+@@ -177,6 +176,11 @@ static void u_audio_iso_complete(struct
+               }
+       }
++      spin_lock_irqsave(&prm->lock, flags);
++      /* update hw_ptr after data is copied to memory */
++      prm->hw_ptr = (hw_ptr + req->actual) % prm->dma_bytes;
++      spin_unlock_irqrestore(&prm->lock, flags);
++
+ exit:
+       if (usb_ep_queue(ep, req, GFP_ATOMIC))
+               dev_err(uac->card->dev, "%d Error!\n", __LINE__);
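Review bot: The new locked block stores `(hw_ptr + req->actual) % prm->dma_bytes` from the local `hw_ptr` that was sampled before the lock was dropped for the memcpy, so the update is a read-modify-write split across two critical sections. If two completions for the same stream can ever overlap, the later store discards the earlier advance. If they cannot, the code should say so, for example `/* hw_ptr was sampled before the copy; relies on completions for this endpoint being serialized */` above the store. Nothing in the hunk shows that serialization, so it needs confirming against the callers. The body of u_audio_iso_complete() continues outside the hunk.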
diff --git a/queue-4.14/usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch b/queue-4.14/usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch
new file mode 100644 (file)
index 0000000..cc7473e
--- /dev/null
@@ -0,0 +1,71 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sun, 15 Jul 2018 10:37:37 -0700
+Subject: usb/phy: fix PPC64 build errors in phy-fsl-usb.c
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit a39ba90a1cc7010edb0a7132e1b67f3d80b994e9 ]
+
+Fix build errors when built for PPC64:
+These variables are only used on PPC32 so they don't need to be
+initialized for PPC64.
+
+../drivers/usb/phy/phy-fsl-usb.c: In function 'usb_otg_start':
+../drivers/usb/phy/phy-fsl-usb.c:865:3: error: '_fsl_readl' undeclared (first use in this function); did you mean 'fsl_readl'?
+   _fsl_readl = _fsl_readl_be;
+../drivers/usb/phy/phy-fsl-usb.c:865:16: error: '_fsl_readl_be' undeclared (first use in this function); did you mean 'fsl_readl'?
+   _fsl_readl = _fsl_readl_be;
+../drivers/usb/phy/phy-fsl-usb.c:866:3: error: '_fsl_writel' undeclared (first use in this function); did you mean 'fsl_writel'?
+   _fsl_writel = _fsl_writel_be;
+../drivers/usb/phy/phy-fsl-usb.c:866:17: error: '_fsl_writel_be' undeclared (first use in this function); did you mean 'fsl_writel'?
+   _fsl_writel = _fsl_writel_be;
+../drivers/usb/phy/phy-fsl-usb.c:868:16: error: '_fsl_readl_le' undeclared (first use in this function); did you mean 'fsl_readl'?
+   _fsl_readl = _fsl_readl_le;
+../drivers/usb/phy/phy-fsl-usb.c:869:17: error: '_fsl_writel_le' undeclared (first use in this function); did you mean 'fsl_writel'?
+   _fsl_writel = _fsl_writel_le;
+
+and the sysfs "show" function return type should be ssize_t, not int:
+
+../drivers/usb/phy/phy-fsl-usb.c:1042:49: error: initialization of 'ssize_t (*)(struct device *, struct device_attribute *, char *)' {aka 'long int (*)(struct device *, struct device_attribute *, char *)'} from incompatible pointer type 'int (*)(struct device *, struct device_attribute *, char *)' [-Werror=incompatible-pointer-types]
+ static DEVICE_ATTR(fsl_usb2_otg_state, S_IRUGO, show_fsl_usb2_otg_state, NULL);
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Felipe Balbi <balbi@kernel.org>
+Cc: linux-usb@vger.kernel.org
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: linuxppc-dev@lists.ozlabs.org
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/phy/phy-fsl-usb.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/phy/phy-fsl-usb.c
++++ b/drivers/usb/phy/phy-fsl-usb.c
+@@ -874,6 +874,7 @@ int usb_otg_start(struct platform_device
+       if (pdata->init && pdata->init(pdev) != 0)
+               return -EINVAL;
++#ifdef CONFIG_PPC32
+       if (pdata->big_endian_mmio) {
+               _fsl_readl = _fsl_readl_be;
+               _fsl_writel = _fsl_writel_be;
+@@ -881,6 +882,7 @@ int usb_otg_start(struct platform_device
+               _fsl_readl = _fsl_readl_le;
+               _fsl_writel = _fsl_writel_le;
+       }
++#endif
+       /* request irq */
+       p_otg->irq = platform_get_irq(pdev, 0);
+@@ -971,7 +973,7 @@ int usb_otg_start(struct platform_device
+ /*
+  * state file in sysfs
+  */
+-static int show_fsl_usb2_otg_state(struct device *dev,
++static ssize_t show_fsl_usb2_otg_state(struct device *dev,
+                                  struct device_attribute *attr, char *buf)
+ {
+       struct otg_fsm *fsm = &fsl_otg_dev->fsm;
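Review bot: In the usb_otg_start() hunk the new `#ifdef CONFIG_PPC32` makes every other build ignore `pdata->big_endian_mmio`, and nothing in the code says why. The commit message explains that the accessor variables are only used on PPC32, but a reader of the file will not see that. A comment on the guard, `/* _fsl_readl/_fsl_writel are only used on PPC32 */`, and `#endif /* CONFIG_PPC32 */` on the closing line would carry the reason into the source. Both usb_otg_start() and show_fsl_usb2_otg_state() continue outside the hunks.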
diff --git a/queue-4.14/vti6-fix-pmtu-caching-and-reporting-on-xmit.patch b/queue-4.14/vti6-fix-pmtu-caching-and-reporting-on-xmit.patch
new file mode 100644 (file)
index 0000000..58ca5bd
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Eyal Birger <eyal.birger@gmail.com>
+Date: Thu, 7 Jun 2018 10:11:02 +0300
+Subject: vti6: fix PMTU caching and reporting on xmit
+
+From: Eyal Birger <eyal.birger@gmail.com>
+
+[ Upstream commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ]
+
+When setting the skb->dst before doing the MTU check, the route PMTU
+caching and reporting is done on the new dst which is about to be
+released.
+
+Instead, PMTU handling should be done using the original dst.
+
+This is aligned with IPv4 VTI.
+
+Fixes: ccd740cbc6 ("vti6: Add pmtu handling to vti6_xmit.")
+Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_vti.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -480,10 +480,6 @@ vti6_xmit(struct sk_buff *skb, struct ne
+               goto tx_err_dst_release;
+       }
+-      skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev)));
+-      skb_dst_set(skb, dst);
+-      skb->dev = skb_dst(skb)->dev;
+-
+       mtu = dst_mtu(dst);
+       if (!skb->ignore_df && skb->len > mtu) {
+               skb_dst_update_pmtu(skb, mtu);
+@@ -498,9 +494,14 @@ vti6_xmit(struct sk_buff *skb, struct ne
+                                 htonl(mtu));
+               }
+-              return -EMSGSIZE;
++              err = -EMSGSIZE;
++              goto tx_err_dst_release;
+       }
++      skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev)));
++      skb_dst_set(skb, dst);
++      skb->dev = skb_dst(skb)->dev;
++
+       err = dst_output(t->net, skb->sk, skb);
+       if (net_xmit_eval(err) == 0) {
+               struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
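Review bot: The fix depends on an ordering that the code does not state: the size check and `skb_dst_update_pmtu()` must run while the skb still carries its original dst, and the new dst may be attached only afterwards. A comment above the moved block, `/* attach the new dst only after the PMTU check, which must act on the original dst */`, would stop a later cleanup from moving `skb_dst_set()` back up. The oversize path also changes from a bare `return -EMSGSIZE` to `goto tx_err_dst_release`, which the description does not mention. That label is outside the hunk, so it is worth confirming that it only drops the looked-up dst before returning `err`. vti6_xmit() starts and ends outside the hunks.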
diff --git a/queue-4.14/x86-boot-fix-if_changed-build-flip-flop-bug.patch b/queue-4.14/x86-boot-fix-if_changed-build-flip-flop-bug.patch
new file mode 100644 (file)
index 0000000..5453c66
--- /dev/null
@@ -0,0 +1,83 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 24 Jul 2018 16:08:27 -0700
+Subject: x86/boot: Fix if_changed build flip/flop bug
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 92a4728608a8fd228c572bc8ff50dd98aa0ddf2a ]
+
+Dirk Gouders reported that two consecutive "make" invocations on an
+already compiled tree will show alternating behaviors:
+
+$ make
+  CALL    scripts/checksyscalls.sh
+  DESCEND  objtool
+  CHK     include/generated/compile.h
+  DATAREL arch/x86/boot/compressed/vmlinux
+Kernel: arch/x86/boot/bzImage is ready  (#48)
+  Building modules, stage 2.
+  MODPOST 165 modules
+
+$ make
+  CALL    scripts/checksyscalls.sh
+  DESCEND  objtool
+  CHK     include/generated/compile.h
+  LD      arch/x86/boot/compressed/vmlinux
+  ZOFFSET arch/x86/boot/zoffset.h
+  AS      arch/x86/boot/header.o
+  LD      arch/x86/boot/setup.elf
+  OBJCOPY arch/x86/boot/setup.bin
+  OBJCOPY arch/x86/boot/vmlinux.bin
+  BUILD   arch/x86/boot/bzImage
+Setup is 15644 bytes (padded to 15872 bytes).
+System is 6663 kB
+CRC 3eb90f40
+Kernel: arch/x86/boot/bzImage is ready  (#48)
+  Building modules, stage 2.
+  MODPOST 165 modules
+
+He bisected it back to:
+
+    commit 98f78525371b ("x86/boot: Refuse to build with data relocations")
+
+The root cause was the use of the "if_changed" kbuild function multiple
+times for the same target. It was designed to only be used once per
+target, otherwise it will effectively always trigger, flipping back and
+forth between the two commands getting recorded by "if_changed". Instead,
+this patch merges the two commands into a single function to get stable
+build artifacts (i.e. .vmlinux.cmd), and a single build behavior.
+
+Bisected-and-Reported-by: Dirk Gouders <dirk@gouders.net>
+Fix-Suggested-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20180724230827.GA37823@beast
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/boot/compressed/Makefile |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/boot/compressed/Makefile
++++ b/arch/x86/boot/compressed/Makefile
+@@ -104,9 +104,13 @@ define cmd_check_data_rel
+       done
+ endef
++# We need to run two commands under "if_changed", so merge them into a
++# single invocation.
++quiet_cmd_check-and-link-vmlinux = LD      $@
++      cmd_check-and-link-vmlinux = $(cmd_check_data_rel); $(cmd_ld)
++
+ $(obj)/vmlinux: $(vmlinux-objs-y) FORCE
+-      $(call if_changed,check_data_rel)
+-      $(call if_changed,ld)
++      $(call if_changed,check-and-link-vmlinux)
+ OBJCOPYFLAGS_vmlinux.bin :=  -R .comment -S
+ $(obj)/vmlinux.bin: vmlinux FORCE
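Review bot: The merged command joins the relocation check and the link with `;`, so whether a failed check still stops the link depends on how `cmd_check_data_rel` reports failure and on the shell options `if_changed` runs under. Neither is visible here, because the define starts above the hunk. If the check signals failure through its exit status, `cmd_check-and-link-vmlinux = $(cmd_check_data_rel) && $(cmd_ld)` makes the dependency explicit rather than implied. The quiet string also prints only `LD      $@`, so the check step no longer appears in the build log; the comment above the rule could note that it still runs.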
diff --git a/queue-4.14/xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch b/queue-4.14/xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch
new file mode 100644 (file)
index 0000000..72835d7
--- /dev/null
@@ -0,0 +1,67 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+Date: Thu, 21 Jun 2018 09:30:47 +0300
+Subject: xfrm: fix missing dst_release() after policy blocking lbcast and multicast
+
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+
+[ Upstream commit 8cc88773855f988d6a3bbf102bbd9dd9c828eb81 ]
+
+Fix missing dst_release() when local broadcast or multicast traffic is
+xfrm policy blocked.
+
+For IPv4 this results to dst leak: ip_route_output_flow() allocates
+dst_entry via __ip_route_output_key() and passes it to
+xfrm_lookup_route(). xfrm_lookup returns ERR_PTR(-EPERM) that is
+propagated. The dst that was allocated is never released.
+
+IPv4 local broadcast testcase:
+ ping -b 192.168.1.255 &
+ sleep 1
+ ip xfrm policy add src 0.0.0.0/0 dst 192.168.1.255/32 dir out action block
+
+IPv4 multicast testcase:
+ ping 224.0.0.1 &
+ sleep 1
+ ip xfrm policy add src 0.0.0.0/0 dst 224.0.0.1/32 dir out action block
+
+For IPv6 the missing dst_release() causes trouble e.g. when used in netns:
+ ip netns add TEST
+ ip netns exec TEST ip link set lo up
+ ip link add dummy0 type dummy
+ ip link set dev dummy0 netns TEST
+ ip netns exec TEST ip addr add fd00::1111 dev dummy0
+ ip netns exec TEST ip link set dummy0 up
+ ip netns exec TEST ping -6 -c 5 ff02::1%dummy0 &
+ sleep 1
+ ip netns exec TEST ip xfrm policy add src ::/0 dst ff02::1 dir out action block
+ wait
+ ip netns del TEST
+
+After netns deletion we see:
+[  258.239097] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[  268.279061] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[  278.367018] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[  288.375259] unregister_netdevice: waiting for lo to become free. Usage count = 2
+
+Fixes: ac37e2515c1a ("xfrm: release dst_orig in case of error in xfrm_lookup()")
+Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_policy.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -2285,6 +2285,9 @@ struct dst_entry *xfrm_lookup_route(stru
+       if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
+               return make_blackhole(net, dst_orig->ops->family, dst_orig);
++      if (IS_ERR(dst))
++              dst_release(dst_orig);
++
+       return dst;
+ }
+ EXPORT_SYMBOL(xfrm_lookup_route);
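Review bot: With the added `dst_release(dst_orig)`, xfrm_lookup_route() consumes the caller's reference on every error return, but nothing at the function states that contract. The opposite risk to the leak being fixed is a double release. The change is only correct if the lookup called above the hunk never drops `dst_orig` itself on the paths that reach this line, and if no caller releases it again after seeing an error pointer. A comment before the new check, `/* error: drop the caller's reference on dst_orig, which the lookup above left untouched */`, would record the contract. Both conditions need confirming against code outside the hunk.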
diff --git a/queue-4.14/xfrm-free-skb-if-nlsk-pointer-is-null.patch b/queue-4.14/xfrm-free-skb-if-nlsk-pointer-is-null.patch
new file mode 100644 (file)
index 0000000..d957f36
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 25 Jun 2018 14:00:07 +0200
+Subject: xfrm: free skb if nlsk pointer is NULL
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 86126b77dcd551ce223e7293bb55854e3df05646 ]
+
+nlmsg_multicast() always frees the skb, so in case we cannot call
+it we must do that ourselves.
+
+Fixes: 21ee543edc0dea ("xfrm: fix race between netns cleanup and state expire notification")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_user.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1021,10 +1021,12 @@ static inline int xfrm_nlmsg_multicast(s
+ {
+       struct sock *nlsk = rcu_dereference(net->xfrm.nlsk);
+-      if (nlsk)
+-              return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
+-      else
+-              return -1;
++      if (!nlsk) {
++              kfree_skb(skb);
++              return -EPIPE;
++      }
++
++      return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
+ }
+ static inline size_t xfrm_spdinfo_msgsize(void)
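Review bot: After this change xfrm_nlmsg_multicast() consumes `skb` on every path, and the no-socket path returns `-EPIPE` where it used to return `-1`. Both are contract changes for callers that sit outside the hunk. A caller that frees the skb after a failure would now free it twice, and a caller that compared the result with `-1` would no longer match. A one-line comment above the function, `/* always consumes skb; returns -EPIPE when the netlink socket is gone */`, would make the ownership rule explicit.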
diff --git a/queue-4.14/zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch b/queue-4.14/zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch
new file mode 100644 (file)
index 0000000..2d0bfa2
--- /dev/null
@@ -0,0 +1,65 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Li Wang <liwang@redhat.com>
+Date: Thu, 26 Jul 2018 16:37:42 -0700
+Subject: zswap: re-check zswap_is_full() after do zswap_shrink()
+
+From: Li Wang <liwang@redhat.com>
+
+[ Upstream commit 16e536ef47f567289a5699abee9ff7bb304bc12d ]
+
+/sys/../zswap/stored_pages keeps rising in a zswap test with
+"zswap.max_pool_percent=0" parameter.  But it should not compress or
+store pages any more since there is no space in the compressed pool.
+
+Reproduce steps:
+  1. Boot kernel with "zswap.enabled=1"
+  2. Set the max_pool_percent to 0
+      # echo 0 > /sys/module/zswap/parameters/max_pool_percent
+  3. Do memory stress test to see if some pages have been compressed
+      # stress --vm 1 --vm-bytes $mem_available"M" --timeout 60s
+  4. Watching the 'stored_pages' number increasing or not
+
+The root cause is:
+
+  When zswap_max_pool_percent is set to 0 via kernel parameter,
+  zswap_is_full() will always return true due to zswap_shrink().  But if
+  the shinking is able to reclain a page successfully the code then
+  proceeds to compressing/storing another page, so the value of
+  stored_pages will keep changing.
+
+To solve the issue, this patch adds a zswap_is_full() check again after
+  zswap_shrink() to make sure it's now under the max_pool_percent, and to
+  not compress/store if we reached the limit.
+
+Link: http://lkml.kernel.org/r/20180530103936.17812-1-liwang@redhat.com
+Signed-off-by: Li Wang <liwang@redhat.com>
+Acked-by: Dan Streetman <ddstreet@ieee.org>
+Cc: Seth Jennings <sjenning@redhat.com>
+Cc: Huang Ying <huang.ying.caritas@gmail.com>
+Cc: Yu Zhao <yuzhao@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/zswap.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/mm/zswap.c
++++ b/mm/zswap.c
+@@ -989,6 +989,15 @@ static int zswap_frontswap_store(unsigne
+                       ret = -ENOMEM;
+                       goto reject;
+               }
++
++              /* A second zswap_is_full() check after
++               * zswap_shrink() to make sure it's now
++               * under the max_pool_percent
++               */
++              if (zswap_is_full()) {
++                      ret = -ENOMEM;
++                      goto reject;
++              }
+       }
+       /* allocate entry */