--- /dev/null
+From cec768be1d85c18665dffa3b85ece9cb5d922815 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Oct 2018 10:59:28 +0200
+Subject: ACPI / scan: Create platform device for INT33FE ACPI nodes
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 589edb56b424876cbbf61547b987a1f57d7ea99d ]
+
+Bay and Cherry Trail devices with a Dollar Cove or Whiskey Cove PMIC
+have an ACPI node with a HID of INT33FE which is a "virtual" battery
+device implementing a standard ACPI battery interface which depends upon
+a proprietary, undocument OpRegion called BMOP. Since we do have docs
+for the actual fuel-gauges used on these boards we instead use native
+fuel-gauge drivers talking directly to the fuel-gauge ICs on boards which
+rely on this INT33FE device for their battery monitoring.
+
+On boards with a Dollar Cove PMIC the INT33FE device's resources (_CRS)
+describe a non-existing I2C client at address 0x6b with a bus-speed of
+100KHz. This is a problem on some boards since there are actual devices
+on that same bus which need a speed of 400KHz to function properly.
+
+This commit adds the INT33FE HID to the list of devices with I2C resources
+which should be enumerated as a platform-device rather then letting the
+i2c-core instantiate an i2c-client matching the first I2C resource,
+so that its bus-speed will not influence the max speed of the I2C bus.
+This fixes e.g. the touchscreen not working on the Teclast X98 II Plus.
+
+The INT33FE device on boards with a Whiskey Cove PMIC is somewhat special.
+Its first I2C resource is for a secondary I2C address of the PMIC itself,
+which is already described in an ACPI device with an INT34D3 HID.
+
+But it has 3 more I2C resources describing 3 other chips for which we do
+need to instantiate I2C clients and which need device-connections added
+between them for things to work properly. This special case is handled by
+the drivers/platform/x86/intel_cht_int33fe.c code.
+
+Before this commit that code was binding to the i2c-client instantiated
+for the secondary I2C address of the PMIC, since we now instantiate a
+platform device for the INT33FE device instead, this commit also changes
+the intel_cht_int33fe driver from an i2c driver to a platform driver.
+
+This also brings the intel_cht_int33fe drv inline with how we instantiate
+multiple i2c clients from a single ACPI device in other cases, as done
+by the drivers/platform/x86/i2c-multi-instantiate.c code.
+
+Reported-and-tested-by: Alexander Meiler <alex.meiler@protonmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/scan.c | 1 +
+ drivers/platform/x86/intel_cht_int33fe.c | 24 +++++++++---------------
+ 2 files changed, 10 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
+index e1b6231cfa1c5..1dcc48b9d33c9 100644
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1550,6 +1550,7 @@ static bool acpi_device_enumeration_by_parent(struct acpi_device *device)
+ */
+ static const struct acpi_device_id i2c_multi_instantiate_ids[] = {
+ {"BSG1160", },
++ {"INT33FE", },
+ {}
+ };
+
+diff --git a/drivers/platform/x86/intel_cht_int33fe.c b/drivers/platform/x86/intel_cht_int33fe.c
+index a26f410800c21..f40b1c1921064 100644
+--- a/drivers/platform/x86/intel_cht_int33fe.c
++++ b/drivers/platform/x86/intel_cht_int33fe.c
+@@ -24,6 +24,7 @@
+ #include <linux/i2c.h>
+ #include <linux/interrupt.h>
+ #include <linux/module.h>
++#include <linux/platform_device.h>
+ #include <linux/regulator/consumer.h>
+ #include <linux/slab.h>
+
+@@ -88,9 +89,9 @@ static const struct property_entry fusb302_props[] = {
+ { }
+ };
+
+-static int cht_int33fe_probe(struct i2c_client *client)
++static int cht_int33fe_probe(struct platform_device *pdev)
+ {
+- struct device *dev = &client->dev;
++ struct device *dev = &pdev->dev;
+ struct i2c_board_info board_info;
+ struct cht_int33fe_data *data;
+ struct i2c_client *max17047;
+@@ -207,7 +208,7 @@ static int cht_int33fe_probe(struct i2c_client *client)
+ if (!data->pi3usb30532)
+ goto out_unregister_fusb302;
+
+- i2c_set_clientdata(client, data);
++ platform_set_drvdata(pdev, data);
+
+ return 0;
+
+@@ -223,9 +224,9 @@ static int cht_int33fe_probe(struct i2c_client *client)
+ return -EPROBE_DEFER; /* Wait for the i2c-adapter to load */
+ }
+
+-static int cht_int33fe_remove(struct i2c_client *i2c)
++static int cht_int33fe_remove(struct platform_device *pdev)
+ {
+- struct cht_int33fe_data *data = i2c_get_clientdata(i2c);
++ struct cht_int33fe_data *data = platform_get_drvdata(pdev);
+
+ i2c_unregister_device(data->pi3usb30532);
+ i2c_unregister_device(data->fusb302);
+@@ -237,29 +238,22 @@ static int cht_int33fe_remove(struct i2c_client *i2c)
+ return 0;
+ }
+
+-static const struct i2c_device_id cht_int33fe_i2c_id[] = {
+- { }
+-};
+-MODULE_DEVICE_TABLE(i2c, cht_int33fe_i2c_id);
+-
+ static const struct acpi_device_id cht_int33fe_acpi_ids[] = {
+ { "INT33FE", },
+ { }
+ };
+ MODULE_DEVICE_TABLE(acpi, cht_int33fe_acpi_ids);
+
+-static struct i2c_driver cht_int33fe_driver = {
++static struct platform_driver cht_int33fe_driver = {
+ .driver = {
+ .name = "Intel Cherry Trail ACPI INT33FE driver",
+ .acpi_match_table = ACPI_PTR(cht_int33fe_acpi_ids),
+ },
+- .probe_new = cht_int33fe_probe,
++ .probe = cht_int33fe_probe,
+ .remove = cht_int33fe_remove,
+- .id_table = cht_int33fe_i2c_id,
+- .disable_i2c_core_irq_mapping = true,
+ };
+
+-module_i2c_driver(cht_int33fe_driver);
++module_platform_driver(cht_int33fe_driver);
+
+ MODULE_DESCRIPTION("Intel Cherry Trail ACPI INT33FE pseudo device driver");
+ MODULE_AUTHOR("Hans de Goede <hdegoede@redhat.com>");
+--
+2.20.1
+
--- /dev/null
+From 7a31751956f58b2840986a0e9cdf8239244048d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Nov 2018 09:43:52 -0800
+Subject: ACPICA: Use %d for signed int print formatting instead of %u
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit f8ddf49b420112e28bdd23d7ad52d7991a0ccbe3 ]
+
+Fix warnings found using static analysis with cppcheck, use %d printf
+format specifier for signed ints rather than %u
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/acpi/tools/acpidump/apmain.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/power/acpi/tools/acpidump/apmain.c b/tools/power/acpi/tools/acpidump/apmain.c
+index db213171f8d99..2d9b94b631cb9 100644
+--- a/tools/power/acpi/tools/acpidump/apmain.c
++++ b/tools/power/acpi/tools/acpidump/apmain.c
+@@ -106,7 +106,7 @@ static int ap_insert_action(char *argument, u32 to_be_done)
+
+ current_action++;
+ if (current_action > AP_MAX_ACTIONS) {
+- fprintf(stderr, "Too many table options (max %u)\n",
++ fprintf(stderr, "Too many table options (max %d)\n",
+ AP_MAX_ACTIONS);
+ return (-1);
+ }
+--
+2.20.1
+
--- /dev/null
+From fe36a135c84db70641c0ccc90d6e62db519928bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Oct 2018 12:33:02 +0200
+Subject: ALSA: i2c/cs8427: Fix int to char conversion
+
+From: Philipp Klocke <philipp97kl@gmail.com>
+
+[ Upstream commit eb7ebfa3c1989aa8e59d5e68ab3cddd7df1bfb27 ]
+
+Compiling with clang yields the following warning:
+
+sound/i2c/cs8427.c:140:31: warning: implicit conversion from 'int'
+to 'char' changes value from 160 to -96 [-Wconstant-conversion]
+ data[0] = CS8427_REG_AUTOINC | CS8427_REG_CORU_DATABUF;
+ ~ ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~
+
+Because CS8427_REG_AUTOINC is defined as 128, it is too big for a
+char field.
+So change data from char to unsigned char, that it can hold the value.
+
+This patch does not change the generated code.
+
+Signed-off-by: Philipp Klocke <philipp97kl@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/i2c/cs8427.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/i2c/cs8427.c b/sound/i2c/cs8427.c
+index 2647309bc6757..8afa2f8884660 100644
+--- a/sound/i2c/cs8427.c
++++ b/sound/i2c/cs8427.c
+@@ -118,7 +118,7 @@ static int snd_cs8427_send_corudata(struct snd_i2c_device *device,
+ struct cs8427 *chip = device->private_data;
+ char *hw_data = udata ?
+ chip->playback.hw_udata : chip->playback.hw_status;
+- char data[32];
++ unsigned char data[32];
+ int err, idx;
+
+ if (!memcmp(hw_data, ndata, count))
+--
+2.20.1
+
--- /dev/null
+From e8460a5d7f716a4be964f92d71a24ddc84bc7bb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Oct 2018 14:25:22 +0900
+Subject: ALSA: isight: fix leak of reference to firewire unit in error path of
+ .probe callback
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+[ Upstream commit 51e68fb0929c29e47e9074ca3e99ffd6021a1c5a ]
+
+In some error paths, reference count of firewire unit is not decreased.
+This commit fixes the bug.
+
+Fixes: 5b14ec25a79b('ALSA: firewire: release reference count of firewire unit in .remove callback of bus driver')
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/firewire/isight.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/sound/firewire/isight.c b/sound/firewire/isight.c
+index 30957477e005e..0717ab9e48e3b 100644
+--- a/sound/firewire/isight.c
++++ b/sound/firewire/isight.c
+@@ -640,7 +640,7 @@ static int isight_probe(struct fw_unit *unit,
+ if (!isight->audio_base) {
+ dev_err(&unit->device, "audio unit base not found\n");
+ err = -ENXIO;
+- goto err_unit;
++ goto error;
+ }
+ fw_iso_resources_init(&isight->resources, unit);
+
+@@ -669,12 +669,12 @@ static int isight_probe(struct fw_unit *unit,
+ dev_set_drvdata(&unit->device, isight);
+
+ return 0;
+-
+-err_unit:
+- fw_unit_put(isight->unit);
+- mutex_destroy(&isight->mutex);
+ error:
+ snd_card_free(card);
++
++ mutex_destroy(&isight->mutex);
++ fw_unit_put(isight->unit);
++
+ return err;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 3b926e92e16573b8ea44ca212b8bcca6ba8c73a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Oct 2018 12:20:46 -0700
+Subject: amiflop: clean up on errors during setup
+
+From: Omar Sandoval <osandov@fb.com>
+
+[ Upstream commit 53d0f8dbde89cf6c862c7a62e00c6123e02cba41 ]
+
+The error handling in fd_probe_drives() doesn't clean up at all. Fix it
+up in preparation for converting to blk-mq. While we're here, get rid of
+the commented out amiga_floppy_remove().
+
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/amiflop.c | 84 ++++++++++++++++++++---------------------
+ 1 file changed, 40 insertions(+), 44 deletions(-)
+
+diff --git a/drivers/block/amiflop.c b/drivers/block/amiflop.c
+index 3aaf6af3ec23d..2158e130744e0 100644
+--- a/drivers/block/amiflop.c
++++ b/drivers/block/amiflop.c
+@@ -1701,11 +1701,41 @@ static const struct block_device_operations floppy_fops = {
+ .check_events = amiga_check_events,
+ };
+
++static struct gendisk *fd_alloc_disk(int drive)
++{
++ struct gendisk *disk;
++
++ disk = alloc_disk(1);
++ if (!disk)
++ goto out;
++
++ disk->queue = blk_init_queue(do_fd_request, &amiflop_lock);
++ if (IS_ERR(disk->queue)) {
++ disk->queue = NULL;
++ goto out_put_disk;
++ }
++
++ unit[drive].trackbuf = kmalloc(FLOPPY_MAX_SECTORS * 512, GFP_KERNEL);
++ if (!unit[drive].trackbuf)
++ goto out_cleanup_queue;
++
++ return disk;
++
++out_cleanup_queue:
++ blk_cleanup_queue(disk->queue);
++ disk->queue = NULL;
++out_put_disk:
++ put_disk(disk);
++out:
++ unit[drive].type->code = FD_NODRIVE;
++ return NULL;
++}
++
+ static int __init fd_probe_drives(void)
+ {
+ int drive,drives,nomem;
+
+- printk(KERN_INFO "FD: probing units\nfound ");
++ pr_info("FD: probing units\nfound");
+ drives=0;
+ nomem=0;
+ for(drive=0;drive<FD_MAX_UNITS;drive++) {
+@@ -1713,27 +1743,17 @@ static int __init fd_probe_drives(void)
+ fd_probe(drive);
+ if (unit[drive].type->code == FD_NODRIVE)
+ continue;
+- disk = alloc_disk(1);
++
++ disk = fd_alloc_disk(drive);
+ if (!disk) {
+- unit[drive].type->code = FD_NODRIVE;
++ pr_cont(" no mem for fd%d", drive);
++ nomem = 1;
+ continue;
+ }
+ unit[drive].gendisk = disk;
+-
+- disk->queue = blk_init_queue(do_fd_request, &amiflop_lock);
+- if (!disk->queue) {
+- unit[drive].type->code = FD_NODRIVE;
+- continue;
+- }
+-
+ drives++;
+- if ((unit[drive].trackbuf = kmalloc(FLOPPY_MAX_SECTORS * 512, GFP_KERNEL)) == NULL) {
+- printk("no mem for ");
+- unit[drive].type = &drive_types[num_dr_types - 1]; /* FD_NODRIVE */
+- drives--;
+- nomem = 1;
+- }
+- printk("fd%d ",drive);
++
++ pr_cont(" fd%d",drive);
+ disk->major = FLOPPY_MAJOR;
+ disk->first_minor = drive;
+ disk->fops = &floppy_fops;
+@@ -1744,11 +1764,11 @@ static int __init fd_probe_drives(void)
+ }
+ if ((drives > 0) || (nomem == 0)) {
+ if (drives == 0)
+- printk("no drives");
+- printk("\n");
++ pr_cont(" no drives");
++ pr_cont("\n");
+ return drives;
+ }
+- printk("\n");
++ pr_cont("\n");
+ return -ENOMEM;
+ }
+
+@@ -1831,30 +1851,6 @@ static int __init amiga_floppy_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+-#if 0 /* not safe to unload */
+-static int __exit amiga_floppy_remove(struct platform_device *pdev)
+-{
+- int i;
+-
+- for( i = 0; i < FD_MAX_UNITS; i++) {
+- if (unit[i].type->code != FD_NODRIVE) {
+- struct request_queue *q = unit[i].gendisk->queue;
+- del_gendisk(unit[i].gendisk);
+- put_disk(unit[i].gendisk);
+- kfree(unit[i].trackbuf);
+- if (q)
+- blk_cleanup_queue(q);
+- }
+- }
+- blk_unregister_region(MKDEV(FLOPPY_MAJOR, 0), 256);
+- free_irq(IRQ_AMIGA_CIAA_TB, NULL);
+- free_irq(IRQ_AMIGA_DSKBLK, NULL);
+- custom.dmacon = DMAF_DISK; /* disable DMA */
+- amiga_chip_free(raw_buf);
+- unregister_blkdev(FLOPPY_MAJOR, "fd");
+-}
+-#endif
+-
+ static struct platform_driver amiga_floppy_driver = {
+ .driver = {
+ .name = "amiga-floppy",
+--
+2.20.1
+
--- /dev/null
+From c97793017eaeadbecd19fb4ecd30f1294494ec62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Oct 2018 15:28:01 +0000
+Subject: ARM: dts: imx6sx-sdb: Fix enet phy regulator
+
+From: Leonard Crestez <leonard.crestez@nxp.com>
+
+[ Upstream commit 1ad9fb750a104f51851c092edd7b3553f0218428 ]
+
+Bindings for "fixed-regulator" only explicitly support "gpio" property,
+not "gpios". Fix by correcting the property name.
+
+The enet PHYs on imx6sx-sdb needs to be explicitly reset after a power
+cycle, this can be handled by the phy-reset-gpios property. Sadly this
+is not handled on suspend: the fec driver turns phy-supply off but
+doesn't assert phy-reset-gpios again on resume.
+
+Since additional phy-level work is required to support powering off the
+phy in suspend fix the problem by just marking the regulator as
+"boot-on" "always-on" so that it's never turned off. This behavior is
+equivalent to older releases.
+
+Keep the phy-reset-gpios property on fec anyway because it is a correct
+description of board design.
+
+This issue was exposed by commit efdfeb079cc3 ("regulator: fixed:
+Convert to use GPIO descriptor only") which causes the "gpios" property
+to also be parsed. Before that commit the "gpios" property had no
+effect, PHY reset was only handled in the the bootloader.
+
+This fixes linux-next boot failures previously reported here:
+ https://lore.kernel.org/patchwork/patch/982437/#1177900
+ https://lore.kernel.org/patchwork/patch/994091/#1178304
+
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6sx-sdb.dtsi | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/imx6sx-sdb.dtsi b/arch/arm/boot/dts/imx6sx-sdb.dtsi
+index f8f31872fa144..d6d517e4922ff 100644
+--- a/arch/arm/boot/dts/imx6sx-sdb.dtsi
++++ b/arch/arm/boot/dts/imx6sx-sdb.dtsi
+@@ -115,7 +115,9 @@
+ regulator-name = "enet_3v3";
+ regulator-min-microvolt = <3300000>;
+ regulator-max-microvolt = <3300000>;
+- gpios = <&gpio2 6 GPIO_ACTIVE_LOW>;
++ gpio = <&gpio2 6 GPIO_ACTIVE_LOW>;
++ regulator-boot-on;
++ regulator-always-on;
+ };
+
+ reg_pcie_gpio: regulator-pcie-gpio {
+@@ -178,6 +180,7 @@
+ phy-supply = <®_enet_3v3>;
+ phy-mode = "rgmii";
+ phy-handle = <ðphy1>;
++ phy-reset-gpios = <&gpio2 7 GPIO_ACTIVE_LOW>;
+ status = "okay";
+
+ mdio {
+@@ -371,6 +374,8 @@
+ MX6SX_PAD_RGMII1_RD3__ENET1_RX_DATA_3 0x3081
+ MX6SX_PAD_RGMII1_RX_CTL__ENET1_RX_EN 0x3081
+ MX6SX_PAD_ENET2_RX_CLK__ENET2_REF_CLK_25M 0x91
++ /* phy reset */
++ MX6SX_PAD_ENET2_CRS__GPIO2_IO_7 0x10b0
+ >;
+ };
+
+--
+2.20.1
+
--- /dev/null
+From f32be5771f1875a113cd7b934118e62e51d35b3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Oct 2018 15:02:30 -0700
+Subject: arm64: lib: use C string functions with KASAN enabled
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+[ Upstream commit 19a2ca0fb560fd7be7b5293c6b652c6d6078dcde ]
+
+ARM64 has asm implementation of memchr(), memcmp(), str[r]chr(),
+str[n]cmp(), str[n]len(). KASAN don't see memory accesses in asm code,
+thus it can potentially miss many bugs.
+
+Ifdef out __HAVE_ARCH_* defines of these functions when KASAN is enabled,
+so the generic implementations from lib/string.c will be used.
+
+We can't just remove the asm functions because efistub uses them. And we
+can't have two non-weak functions either, so declare the asm functions as
+weak.
+
+Link: http://lkml.kernel.org/r/20180920135631.23833-2-aryabinin@virtuozzo.com
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Reported-by: Kyeongdon Kim <kyeongdon.kim@lge.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/string.h | 14 ++++++++------
+ arch/arm64/kernel/arm64ksyms.c | 7 +++++--
+ arch/arm64/lib/memchr.S | 2 +-
+ arch/arm64/lib/memcmp.S | 2 +-
+ arch/arm64/lib/strchr.S | 2 +-
+ arch/arm64/lib/strcmp.S | 2 +-
+ arch/arm64/lib/strlen.S | 2 +-
+ arch/arm64/lib/strncmp.S | 2 +-
+ arch/arm64/lib/strnlen.S | 2 +-
+ arch/arm64/lib/strrchr.S | 2 +-
+ 10 files changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/arch/arm64/include/asm/string.h b/arch/arm64/include/asm/string.h
+index dd95d33a5bd5d..03a6c256b7ec4 100644
+--- a/arch/arm64/include/asm/string.h
++++ b/arch/arm64/include/asm/string.h
+@@ -16,6 +16,7 @@
+ #ifndef __ASM_STRING_H
+ #define __ASM_STRING_H
+
++#ifndef CONFIG_KASAN
+ #define __HAVE_ARCH_STRRCHR
+ extern char *strrchr(const char *, int c);
+
+@@ -34,6 +35,13 @@ extern __kernel_size_t strlen(const char *);
+ #define __HAVE_ARCH_STRNLEN
+ extern __kernel_size_t strnlen(const char *, __kernel_size_t);
+
++#define __HAVE_ARCH_MEMCMP
++extern int memcmp(const void *, const void *, size_t);
++
++#define __HAVE_ARCH_MEMCHR
++extern void *memchr(const void *, int, __kernel_size_t);
++#endif
++
+ #define __HAVE_ARCH_MEMCPY
+ extern void *memcpy(void *, const void *, __kernel_size_t);
+ extern void *__memcpy(void *, const void *, __kernel_size_t);
+@@ -42,16 +50,10 @@ extern void *__memcpy(void *, const void *, __kernel_size_t);
+ extern void *memmove(void *, const void *, __kernel_size_t);
+ extern void *__memmove(void *, const void *, __kernel_size_t);
+
+-#define __HAVE_ARCH_MEMCHR
+-extern void *memchr(const void *, int, __kernel_size_t);
+-
+ #define __HAVE_ARCH_MEMSET
+ extern void *memset(void *, int, __kernel_size_t);
+ extern void *__memset(void *, int, __kernel_size_t);
+
+-#define __HAVE_ARCH_MEMCMP
+-extern int memcmp(const void *, const void *, size_t);
+-
+ #ifdef CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE
+ #define __HAVE_ARCH_MEMCPY_FLUSHCACHE
+ void memcpy_flushcache(void *dst, const void *src, size_t cnt);
+diff --git a/arch/arm64/kernel/arm64ksyms.c b/arch/arm64/kernel/arm64ksyms.c
+index d894a20b70b28..72f63a59b0088 100644
+--- a/arch/arm64/kernel/arm64ksyms.c
++++ b/arch/arm64/kernel/arm64ksyms.c
+@@ -44,20 +44,23 @@ EXPORT_SYMBOL(__arch_copy_in_user);
+ EXPORT_SYMBOL(memstart_addr);
+
+ /* string / mem functions */
++#ifndef CONFIG_KASAN
+ EXPORT_SYMBOL(strchr);
+ EXPORT_SYMBOL(strrchr);
+ EXPORT_SYMBOL(strcmp);
+ EXPORT_SYMBOL(strncmp);
+ EXPORT_SYMBOL(strlen);
+ EXPORT_SYMBOL(strnlen);
++EXPORT_SYMBOL(memcmp);
++EXPORT_SYMBOL(memchr);
++#endif
++
+ EXPORT_SYMBOL(memset);
+ EXPORT_SYMBOL(memcpy);
+ EXPORT_SYMBOL(memmove);
+ EXPORT_SYMBOL(__memset);
+ EXPORT_SYMBOL(__memcpy);
+ EXPORT_SYMBOL(__memmove);
+-EXPORT_SYMBOL(memchr);
+-EXPORT_SYMBOL(memcmp);
+
+ /* atomic bitops */
+ EXPORT_SYMBOL(set_bit);
+diff --git a/arch/arm64/lib/memchr.S b/arch/arm64/lib/memchr.S
+index 4444c1d25f4bb..0f164a4baf52a 100644
+--- a/arch/arm64/lib/memchr.S
++++ b/arch/arm64/lib/memchr.S
+@@ -30,7 +30,7 @@
+ * Returns:
+ * x0 - address of first occurrence of 'c' or 0
+ */
+-ENTRY(memchr)
++WEAK(memchr)
+ and w1, w1, #0xff
+ 1: subs x2, x2, #1
+ b.mi 2f
+diff --git a/arch/arm64/lib/memcmp.S b/arch/arm64/lib/memcmp.S
+index 2a4e239bd17a0..fb295f52e9f87 100644
+--- a/arch/arm64/lib/memcmp.S
++++ b/arch/arm64/lib/memcmp.S
+@@ -58,7 +58,7 @@ pos .req x11
+ limit_wd .req x12
+ mask .req x13
+
+-ENTRY(memcmp)
++WEAK(memcmp)
+ cbz limit, .Lret0
+ eor tmp1, src1, src2
+ tst tmp1, #7
+diff --git a/arch/arm64/lib/strchr.S b/arch/arm64/lib/strchr.S
+index dae0cf5591f99..7c83091d1bcdd 100644
+--- a/arch/arm64/lib/strchr.S
++++ b/arch/arm64/lib/strchr.S
+@@ -29,7 +29,7 @@
+ * Returns:
+ * x0 - address of first occurrence of 'c' or 0
+ */
+-ENTRY(strchr)
++WEAK(strchr)
+ and w1, w1, #0xff
+ 1: ldrb w2, [x0], #1
+ cmp w2, w1
+diff --git a/arch/arm64/lib/strcmp.S b/arch/arm64/lib/strcmp.S
+index 471fe61760ef6..7d5d15398bfbc 100644
+--- a/arch/arm64/lib/strcmp.S
++++ b/arch/arm64/lib/strcmp.S
+@@ -60,7 +60,7 @@ tmp3 .req x9
+ zeroones .req x10
+ pos .req x11
+
+-ENTRY(strcmp)
++WEAK(strcmp)
+ eor tmp1, src1, src2
+ mov zeroones, #REP8_01
+ tst tmp1, #7
+diff --git a/arch/arm64/lib/strlen.S b/arch/arm64/lib/strlen.S
+index 55ccc8e24c084..8e0b14205dcb4 100644
+--- a/arch/arm64/lib/strlen.S
++++ b/arch/arm64/lib/strlen.S
+@@ -56,7 +56,7 @@ pos .req x12
+ #define REP8_7f 0x7f7f7f7f7f7f7f7f
+ #define REP8_80 0x8080808080808080
+
+-ENTRY(strlen)
++WEAK(strlen)
+ mov zeroones, #REP8_01
+ bic src, srcin, #15
+ ands tmp1, srcin, #15
+diff --git a/arch/arm64/lib/strncmp.S b/arch/arm64/lib/strncmp.S
+index e267044761c6f..66bd145935d9e 100644
+--- a/arch/arm64/lib/strncmp.S
++++ b/arch/arm64/lib/strncmp.S
+@@ -64,7 +64,7 @@ limit_wd .req x13
+ mask .req x14
+ endloop .req x15
+
+-ENTRY(strncmp)
++WEAK(strncmp)
+ cbz limit, .Lret0
+ eor tmp1, src1, src2
+ mov zeroones, #REP8_01
+diff --git a/arch/arm64/lib/strnlen.S b/arch/arm64/lib/strnlen.S
+index eae38da6e0bb3..355be04441fe6 100644
+--- a/arch/arm64/lib/strnlen.S
++++ b/arch/arm64/lib/strnlen.S
+@@ -59,7 +59,7 @@ limit_wd .req x14
+ #define REP8_7f 0x7f7f7f7f7f7f7f7f
+ #define REP8_80 0x8080808080808080
+
+-ENTRY(strnlen)
++WEAK(strnlen)
+ cbz limit, .Lhit_limit
+ mov zeroones, #REP8_01
+ bic src, srcin, #15
+diff --git a/arch/arm64/lib/strrchr.S b/arch/arm64/lib/strrchr.S
+index f8e2784d57521..ea84924d59901 100644
+--- a/arch/arm64/lib/strrchr.S
++++ b/arch/arm64/lib/strrchr.S
+@@ -29,7 +29,7 @@
+ * Returns:
+ * x0 - address of last occurrence of 'c' or 0
+ */
+-ENTRY(strrchr)
++WEAK(strrchr)
+ mov x3, #0
+ and w1, w1, #0xff
+ 1: ldrb w2, [x0], #1
+--
+2.20.1
+
--- /dev/null
+From 59abe4aace12d5b11a020d4e29857739848e09b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 16:37:10 -0700
+Subject: arm64: makefile fix build of .i file in external module case
+
+From: Victor Kamensky <kamensky@cisco.com>
+
+[ Upstream commit 98356eb0ae499c63e78073ccedd9a5fc5c563288 ]
+
+After 'a66649dab350 arm64: fix vdso-offsets.h dependency' if
+one will try to build .i file in case of external kernel module,
+build fails complaining that prepare0 target is missing. This
+issue came up with SystemTap when it tries to build variety
+of .i files for its own generated kernel modules trying to
+figure given kernel features/capabilities.
+
+The issue is that prepare0 is defined in top level Makefile
+only if KBUILD_EXTMOD is not defined. .i file rule depends
+on prepare and in case KBUILD_EXTMOD defined top level Makefile
+contains empty rule for prepare. But after mentioned commit
+arch/arm64/Makefile would introduce dependency on prepare0
+through its own prepare target.
+
+Fix it to put proper ifdef KBUILD_EXTMOD around code introduced
+by mentioned commit. It matches what top level Makefile does.
+
+Acked-by: Kevin Brodsky <kevin.brodsky@arm.com>
+Signed-off-by: Victor Kamensky <kamensky@cisco.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Makefile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
+index 5d8787f0ca5f9..9a5e281412116 100644
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -148,6 +148,7 @@ archclean:
+ $(Q)$(MAKE) $(clean)=$(boot)
+ $(Q)$(MAKE) $(clean)=$(boot)/dts
+
++ifeq ($(KBUILD_EXTMOD),)
+ # We need to generate vdso-offsets.h before compiling certain files in kernel/.
+ # In order to do that, we should use the archprepare target, but we can't since
+ # asm-offsets.h is included in some files used to generate vdso-offsets.h, and
+@@ -157,6 +158,7 @@ archclean:
+ prepare: vdso_prepare
+ vdso_prepare: prepare0
+ $(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso include/generated/vdso-offsets.h
++endif
+
+ define archhelp
+ echo '* Image.gz - Compressed kernel image (arch/$(ARCH)/boot/Image.gz)'
+--
+2.20.1
+
--- /dev/null
+From ea6043d843ec0a2a017ac5453be96ce2a32e7364 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 12:47:29 +0200
+Subject: ASoC: tegra_sgtl5000: fix device_node refcounting
+
+From: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+
+[ Upstream commit a85227da2dcc291b762c8482a505bc7d0d2d4b07 ]
+
+Similar to the following:
+
+commit 4321723648b0 ("ASoC: tegra_alc5632: fix device_node refcounting")
+
+commit 7c5dfd549617 ("ASoC: tegra: fix device_node refcounting")
+
+Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Acked-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/tegra/tegra_sgtl5000.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/tegra/tegra_sgtl5000.c b/sound/soc/tegra/tegra_sgtl5000.c
+index 45a4aa9d2a479..901457da25ec3 100644
+--- a/sound/soc/tegra/tegra_sgtl5000.c
++++ b/sound/soc/tegra/tegra_sgtl5000.c
+@@ -149,14 +149,14 @@ static int tegra_sgtl5000_driver_probe(struct platform_device *pdev)
+ dev_err(&pdev->dev,
+ "Property 'nvidia,i2s-controller' missing/invalid\n");
+ ret = -EINVAL;
+- goto err;
++ goto err_put_codec_of_node;
+ }
+
+ tegra_sgtl5000_dai.platform_of_node = tegra_sgtl5000_dai.cpu_of_node;
+
+ ret = tegra_asoc_utils_init(&machine->util_data, &pdev->dev);
+ if (ret)
+- goto err;
++ goto err_put_cpu_of_node;
+
+ ret = snd_soc_register_card(card);
+ if (ret) {
+@@ -169,6 +169,13 @@ static int tegra_sgtl5000_driver_probe(struct platform_device *pdev)
+
+ err_fini_utils:
+ tegra_asoc_utils_fini(&machine->util_data);
++err_put_cpu_of_node:
++ of_node_put(tegra_sgtl5000_dai.cpu_of_node);
++ tegra_sgtl5000_dai.cpu_of_node = NULL;
++ tegra_sgtl5000_dai.platform_of_node = NULL;
++err_put_codec_of_node:
++ of_node_put(tegra_sgtl5000_dai.codec_of_node);
++ tegra_sgtl5000_dai.codec_of_node = NULL;
+ err:
+ return ret;
+ }
+@@ -183,6 +190,12 @@ static int tegra_sgtl5000_driver_remove(struct platform_device *pdev)
+
+ tegra_asoc_utils_fini(&machine->util_data);
+
++ of_node_put(tegra_sgtl5000_dai.cpu_of_node);
++ tegra_sgtl5000_dai.cpu_of_node = NULL;
++ tegra_sgtl5000_dai.platform_of_node = NULL;
++ of_node_put(tegra_sgtl5000_dai.codec_of_node);
++ tegra_sgtl5000_dai.codec_of_node = NULL;
++
+ return ret;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From f5fd13ce5be2b6d5dcbe5b76f75080a21b0bd41b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Oct 2018 15:55:26 +0800
+Subject: ath10k: allocate small size dma memory in ath10k_pci_diag_write_mem
+
+From: Carl Huang <cjhuang@codeaurora.org>
+
+[ Upstream commit 0738b4998c6d1caf9ca2447b946709a7278c70f1 ]
+
+ath10k_pci_diag_write_mem may allocate big size of the dma memory
+based on the parameter nbytes. Take firmware diag download as
+example, the biggest size is about 500K. In some systems, the
+allocation is likely to fail because it can't acquire such a large
+contiguous dma memory.
+
+The fix is to allocate a small size dma memory. In the loop,
+driver copies the data to the allocated dma memory and writes to
+the destination until all the data is written.
+
+Tested with QCA6174 PCI with
+firmware-6.bin_WLAN.RM.4.4.1-00119-QCARMSWP-1, this also affects
+QCA9377 PCI.
+
+Signed-off-by: Carl Huang <cjhuang@codeaurora.org>
+Reviewed-by: Brian Norris <briannorris@chomium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/pci.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
+index 97fa5c74f2fe7..50a801a5d4f15 100644
+--- a/drivers/net/wireless/ath/ath10k/pci.c
++++ b/drivers/net/wireless/ath/ath10k/pci.c
+@@ -1054,10 +1054,9 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
+ struct ath10k_ce *ce = ath10k_ce_priv(ar);
+ int ret = 0;
+ u32 *buf;
+- unsigned int completed_nbytes, orig_nbytes, remaining_bytes;
++ unsigned int completed_nbytes, alloc_nbytes, remaining_bytes;
+ struct ath10k_ce_pipe *ce_diag;
+ void *data_buf = NULL;
+- u32 ce_data; /* Host buffer address in CE space */
+ dma_addr_t ce_data_base = 0;
+ int i;
+
+@@ -1071,9 +1070,10 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
+ * 1) 4-byte alignment
+ * 2) Buffer in DMA-able space
+ */
+- orig_nbytes = nbytes;
++ alloc_nbytes = min_t(unsigned int, nbytes, DIAG_TRANSFER_LIMIT);
++
+ data_buf = (unsigned char *)dma_alloc_coherent(ar->dev,
+- orig_nbytes,
++ alloc_nbytes,
+ &ce_data_base,
+ GFP_ATOMIC);
+ if (!data_buf) {
+@@ -1081,9 +1081,6 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
+ goto done;
+ }
+
+- /* Copy caller's data to allocated DMA buf */
+- memcpy(data_buf, data, orig_nbytes);
+-
+ /*
+ * The address supplied by the caller is in the
+ * Target CPU virtual address space.
+@@ -1096,12 +1093,14 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
+ */
+ address = ath10k_pci_targ_cpu_to_ce_addr(ar, address);
+
+- remaining_bytes = orig_nbytes;
+- ce_data = ce_data_base;
++ remaining_bytes = nbytes;
+ while (remaining_bytes) {
+ /* FIXME: check cast */
+ nbytes = min_t(int, remaining_bytes, DIAG_TRANSFER_LIMIT);
+
++ /* Copy caller's data to allocated DMA buf */
++ memcpy(data_buf, data, nbytes);
++
+ /* Set up to receive directly into Target(!) address */
+ ret = ce_diag->ops->ce_rx_post_buf(ce_diag, &address, address);
+ if (ret != 0)
+@@ -1111,7 +1110,7 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
+ * Request CE to send caller-supplied data that
+ * was copied to bounce buffer to Target(!) address.
+ */
+- ret = ath10k_ce_send_nolock(ce_diag, NULL, (u32)ce_data,
++ ret = ath10k_ce_send_nolock(ce_diag, NULL, ce_data_base,
+ nbytes, 0, 0);
+ if (ret != 0)
+ goto done;
+@@ -1152,12 +1151,12 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address,
+
+ remaining_bytes -= nbytes;
+ address += nbytes;
+- ce_data += nbytes;
++ data += nbytes;
+ }
+
+ done:
+ if (data_buf) {
+- dma_free_coherent(ar->dev, orig_nbytes, data_buf,
++ dma_free_coherent(ar->dev, alloc_nbytes, data_buf,
+ ce_data_base);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From be125d3100a005df25607e37986cc22fb6d3873a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Oct 2018 23:33:13 +0530
+Subject: ath10k: set probe request oui during driver start
+
+From: Rakesh Pillai <pillair@codeaurora.org>
+
+[ Upstream commit f1157695c527d4ee949ac83f743f80107751a70c ]
+
+Currently the wmi command for setting probe request
+oui, needed for mac randomization, is sent during
+the mac register. At this time, during the driver
+init the wmi has already been detached. This can
+cause unexpected behavior since the firmware is
+already down and the wmi has been detached.
+
+Send the wmi command for setting probe request
+oui during the driver start. This will make sure
+that the firmware is started and wmi is initialized
+before we send this command.
+
+Tested HW: WCN3990
+Tested FW: WLAN.HL.2.0-01188-QCAHLSWMTPLZ-1
+
+Fixes: 60e1d0fb290197fe505dff6e4e3b7e4d258dbf60
+Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index d3d33cc2adfde..613ca74f1b286 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -4686,6 +4686,14 @@ static int ath10k_start(struct ieee80211_hw *hw)
+ goto err_core_stop;
+ }
+
++ if (test_bit(WMI_SERVICE_SPOOF_MAC_SUPPORT, ar->wmi.svc_map)) {
++ ret = ath10k_wmi_scan_prob_req_oui(ar, ar->mac_addr);
++ if (ret) {
++ ath10k_err(ar, "failed to set prob req oui: %i\n", ret);
++ goto err_core_stop;
++ }
++ }
++
+ if (test_bit(WMI_SERVICE_ADAPTIVE_OCS, ar->wmi.svc_map)) {
+ ret = ath10k_wmi_adaptive_qcs(ar, true);
+ if (ret) {
+@@ -8551,12 +8559,6 @@ int ath10k_mac_register(struct ath10k *ar)
+ }
+
+ if (test_bit(WMI_SERVICE_SPOOF_MAC_SUPPORT, ar->wmi.svc_map)) {
+- ret = ath10k_wmi_scan_prob_req_oui(ar, ar->mac_addr);
+- if (ret) {
+- ath10k_err(ar, "failed to set prob req oui: %i\n", ret);
+- goto err_dfs_detector_exit;
+- }
+-
+ ar->hw->wiphy->features |=
+ NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
+ }
+--
+2.20.1
+
--- /dev/null
+From 75420314d842547f6e31c0a7dd65b43c96fa3ee9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Nov 2018 14:35:22 +0200
+Subject: ath10k: snoc: fix unbalanced clock error handling
+
+From: Brian Norris <briannorris@chromium.org>
+
+[ Upstream commit 82e60d920e8ad70cd9a280ab156566755f1fe4aa ]
+
+Similar to regulator error handling, we should only start tearing down
+the 'i - 1' clock when clock 'i' fails to enable. Otherwise, we might
+end up with an unbalanced clock, where we never successfully enabled the
+clock, but we try to disable it anyway.
+
+Fixes: a6a793f98786 ("ath10k: vote for hardware resources for WCN3990")
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/snoc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/snoc.c b/drivers/net/wireless/ath/ath10k/snoc.c
+index fa1843a7e0fda..e2d78f77edb70 100644
+--- a/drivers/net/wireless/ath/ath10k/snoc.c
++++ b/drivers/net/wireless/ath/ath10k/snoc.c
+@@ -1190,7 +1190,7 @@ static int ath10k_wcn3990_clk_init(struct ath10k *ar)
+ return 0;
+
+ err_clock_config:
+- for (; i >= 0; i--) {
++ for (i = i - 1; i >= 0; i--) {
+ clk_info = &ar_snoc->clk[i];
+
+ if (!clk_info->handle)
+--
+2.20.1
+
--- /dev/null
+From 3a09c25fc383a5adebab794d3c54700c91aa2a50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Oct 2018 11:04:19 -0700
+Subject: atm: zatm: Fix empty body Clang warnings
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 64b9d16e2d02ca6e5dc8fcd30cfd52b0ecaaa8f4 ]
+
+Clang warns:
+
+drivers/atm/zatm.c:513:7: error: while loop has empty body
+[-Werror,-Wempty-body]
+ zwait;
+ ^
+drivers/atm/zatm.c:513:7: note: put the semicolon on a separate line to
+silence this warning
+
+Get rid of this warning by using an empty do-while loop. While we're at
+it, add parentheses to make it clear that this is a function-like macro.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/42
+Suggested-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/zatm.c | 42 +++++++++++++++++++++---------------------
+ 1 file changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c
+index e89146ddede69..d5c76b50d3575 100644
+--- a/drivers/atm/zatm.c
++++ b/drivers/atm/zatm.c
+@@ -126,7 +126,7 @@ static unsigned long dummy[2] = {0,0};
+ #define zin_n(r) inl(zatm_dev->base+r*4)
+ #define zin(r) inl(zatm_dev->base+uPD98401_##r*4)
+ #define zout(v,r) outl(v,zatm_dev->base+uPD98401_##r*4)
+-#define zwait while (zin(CMR) & uPD98401_BUSY)
++#define zwait() do {} while (zin(CMR) & uPD98401_BUSY)
+
+ /* RX0, RX1, TX0, TX1 */
+ static const int mbx_entries[NR_MBX] = { 1024,1024,1024,1024 };
+@@ -140,7 +140,7 @@ static const int mbx_esize[NR_MBX] = { 16,16,4,4 }; /* entry size in bytes */
+
+ static void zpokel(struct zatm_dev *zatm_dev,u32 value,u32 addr)
+ {
+- zwait;
++ zwait();
+ zout(value,CER);
+ zout(uPD98401_IND_ACC | uPD98401_IA_BALL |
+ (uPD98401_IA_TGT_CM << uPD98401_IA_TGT_SHIFT) | addr,CMR);
+@@ -149,10 +149,10 @@ static void zpokel(struct zatm_dev *zatm_dev,u32 value,u32 addr)
+
+ static u32 zpeekl(struct zatm_dev *zatm_dev,u32 addr)
+ {
+- zwait;
++ zwait();
+ zout(uPD98401_IND_ACC | uPD98401_IA_BALL | uPD98401_IA_RW |
+ (uPD98401_IA_TGT_CM << uPD98401_IA_TGT_SHIFT) | addr,CMR);
+- zwait;
++ zwait();
+ return zin(CER);
+ }
+
+@@ -241,7 +241,7 @@ static void refill_pool(struct atm_dev *dev,int pool)
+ }
+ if (first) {
+ spin_lock_irqsave(&zatm_dev->lock, flags);
+- zwait;
++ zwait();
+ zout(virt_to_bus(first),CER);
+ zout(uPD98401_ADD_BAT | (pool << uPD98401_POOL_SHIFT) | count,
+ CMR);
+@@ -508,9 +508,9 @@ static int open_rx_first(struct atm_vcc *vcc)
+ }
+ if (zatm_vcc->pool < 0) return -EMSGSIZE;
+ spin_lock_irqsave(&zatm_dev->lock, flags);
+- zwait;
++ zwait();
+ zout(uPD98401_OPEN_CHAN,CMR);
+- zwait;
++ zwait();
+ DPRINTK("0x%x 0x%x\n",zin(CMR),zin(CER));
+ chan = (zin(CMR) & uPD98401_CHAN_ADDR) >> uPD98401_CHAN_ADDR_SHIFT;
+ spin_unlock_irqrestore(&zatm_dev->lock, flags);
+@@ -571,21 +571,21 @@ static void close_rx(struct atm_vcc *vcc)
+ pos = vcc->vci >> 1;
+ shift = (1-(vcc->vci & 1)) << 4;
+ zpokel(zatm_dev,zpeekl(zatm_dev,pos) & ~(0xffff << shift),pos);
+- zwait;
++ zwait();
+ zout(uPD98401_NOP,CMR);
+- zwait;
++ zwait();
+ zout(uPD98401_NOP,CMR);
+ spin_unlock_irqrestore(&zatm_dev->lock, flags);
+ }
+ spin_lock_irqsave(&zatm_dev->lock, flags);
+- zwait;
++ zwait();
+ zout(uPD98401_DEACT_CHAN | uPD98401_CHAN_RT | (zatm_vcc->rx_chan <<
+ uPD98401_CHAN_ADDR_SHIFT),CMR);
+- zwait;
++ zwait();
+ udelay(10); /* why oh why ... ? */
+ zout(uPD98401_CLOSE_CHAN | uPD98401_CHAN_RT | (zatm_vcc->rx_chan <<
+ uPD98401_CHAN_ADDR_SHIFT),CMR);
+- zwait;
++ zwait();
+ if (!(zin(CMR) & uPD98401_CHAN_ADDR))
+ printk(KERN_CRIT DEV_LABEL "(itf %d): can't close RX channel "
+ "%d\n",vcc->dev->number,zatm_vcc->rx_chan);
+@@ -699,7 +699,7 @@ printk("NONONONOO!!!!\n");
+ skb_queue_tail(&zatm_vcc->tx_queue,skb);
+ DPRINTK("QRP=0x%08lx\n",zpeekl(zatm_dev,zatm_vcc->tx_chan*VC_SIZE/4+
+ uPD98401_TXVC_QRP));
+- zwait;
++ zwait();
+ zout(uPD98401_TX_READY | (zatm_vcc->tx_chan <<
+ uPD98401_CHAN_ADDR_SHIFT),CMR);
+ spin_unlock_irqrestore(&zatm_dev->lock, flags);
+@@ -891,12 +891,12 @@ static void close_tx(struct atm_vcc *vcc)
+ }
+ spin_lock_irqsave(&zatm_dev->lock, flags);
+ #if 0
+- zwait;
++ zwait();
+ zout(uPD98401_DEACT_CHAN | (chan << uPD98401_CHAN_ADDR_SHIFT),CMR);
+ #endif
+- zwait;
++ zwait();
+ zout(uPD98401_CLOSE_CHAN | (chan << uPD98401_CHAN_ADDR_SHIFT),CMR);
+- zwait;
++ zwait();
+ if (!(zin(CMR) & uPD98401_CHAN_ADDR))
+ printk(KERN_CRIT DEV_LABEL "(itf %d): can't close TX channel "
+ "%d\n",vcc->dev->number,chan);
+@@ -926,9 +926,9 @@ static int open_tx_first(struct atm_vcc *vcc)
+ zatm_vcc->tx_chan = 0;
+ if (vcc->qos.txtp.traffic_class == ATM_NONE) return 0;
+ spin_lock_irqsave(&zatm_dev->lock, flags);
+- zwait;
++ zwait();
+ zout(uPD98401_OPEN_CHAN,CMR);
+- zwait;
++ zwait();
+ DPRINTK("0x%x 0x%x\n",zin(CMR),zin(CER));
+ chan = (zin(CMR) & uPD98401_CHAN_ADDR) >> uPD98401_CHAN_ADDR_SHIFT;
+ spin_unlock_irqrestore(&zatm_dev->lock, flags);
+@@ -1557,7 +1557,7 @@ static void zatm_phy_put(struct atm_dev *dev,unsigned char value,
+ struct zatm_dev *zatm_dev;
+
+ zatm_dev = ZATM_DEV(dev);
+- zwait;
++ zwait();
+ zout(value,CER);
+ zout(uPD98401_IND_ACC | uPD98401_IA_B0 |
+ (uPD98401_IA_TGT_PHY << uPD98401_IA_TGT_SHIFT) | addr,CMR);
+@@ -1569,10 +1569,10 @@ static unsigned char zatm_phy_get(struct atm_dev *dev,unsigned long addr)
+ struct zatm_dev *zatm_dev;
+
+ zatm_dev = ZATM_DEV(dev);
+- zwait;
++ zwait();
+ zout(uPD98401_IND_ACC | uPD98401_IA_B0 | uPD98401_IA_RW |
+ (uPD98401_IA_TGT_PHY << uPD98401_IA_TGT_SHIFT) | addr,CMR);
+- zwait;
++ zwait();
+ return zin(CER) & 0xff;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From f946fed60122e11dea3271778ebbcd915f14d895 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Oct 2018 16:22:57 -0400
+Subject: audit: print empty EXECVE args
+
+From: Richard Guy Briggs <rgb@redhat.com>
+
+[ Upstream commit ea956d8be91edc702a98b7fe1f9463e7ca8c42ab ]
+
+Empty executable arguments were being skipped when printing out the list
+of arguments in an EXECVE record, making it appear they were somehow
+lost. Include empty arguments as an itemized empty string.
+
+Reproducer:
+ autrace /bin/ls "" "/etc"
+ ausearch --start recent -m execve -i | grep EXECVE
+ type=EXECVE msg=audit(10/03/2018 13:04:03.208:1391) : argc=3 a0=/bin/ls a2=/etc
+
+With fix:
+ type=EXECVE msg=audit(10/03/2018 21:51:38.290:194) : argc=3 a0=/bin/ls a1= a2=/etc
+ type=EXECVE msg=audit(1538617898.290:194): argc=3 a0="/bin/ls" a1="" a2="/etc"
+
+Passes audit-testsuite. GH issue tracker at
+https://github.com/linux-audit/audit-kernel/issues/99
+
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+[PM: cleaned up the commit metadata]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/auditsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/auditsc.c b/kernel/auditsc.c
+index b2d1f043f17fb..1513873e23bd1 100644
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -1107,7 +1107,7 @@ static void audit_log_execve_info(struct audit_context *context,
+ }
+
+ /* write as much as we can to the audit log */
+- if (len_buf > 0) {
++ if (len_buf >= 0) {
+ /* NOTE: some magic numbers here - basically if we
+ * can't fit a reasonable amount of data into the
+ * existing audit buffer, flush it and start with
+--
+2.20.1
+
--- /dev/null
+From ddff561acebbe72b28e8fdc275bed2dc409a48cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Oct 2018 21:18:09 +0800
+Subject: block: call rq_qos_exit() after queue is frozen
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit c57cdf7a9e51d97a43e29b8f4a04157875104000 ]
+
+rq_qos_exit() removes the current q->rq_qos, this action has to be
+done after queue is frozen, otherwise the IO queue path may never
+be waken up, then IO hang is caused.
+
+So fixes this issue by moving rq_qos_exit() after queue is frozen.
+
+Cc: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-core.c | 3 +++
+ block/blk-sysfs.c | 2 --
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/blk-core.c b/block/blk-core.c
+index 074ae9376189b..ea33d6abdcfc9 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -784,6 +784,9 @@ void blk_cleanup_queue(struct request_queue *q)
+ * prevent that q->request_fn() gets invoked after draining finished.
+ */
+ blk_freeze_queue(q);
++
++ rq_qos_exit(q);
++
+ spin_lock_irq(lock);
+ queue_flag_set(QUEUE_FLAG_DEAD, q);
+ spin_unlock_irq(lock);
+diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
+index bab47a17b96f4..8286640d4d663 100644
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -997,8 +997,6 @@ void blk_unregister_queue(struct gendisk *disk)
+ kobject_del(&q->kobj);
+ blk_trace_remove_sysfs(disk_to_dev(disk));
+
+- rq_qos_exit(q);
+-
+ mutex_lock(&q->sysfs_lock);
+ if (q->request_fn || (q->mq_ops && q->elevator))
+ elv_unregister_queue(q);
+--
+2.20.1
+
--- /dev/null
+From adee829f5a4a75d77117174095e7019a3012af28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Oct 2018 19:52:14 +0800
+Subject: block: fix the DISCARD request merge
+
+From: Jianchao Wang <jianchao.w.wang@oracle.com>
+
+[ Upstream commit 69840466086d2248898020a08dda52732686c4e6 ]
+
+There are two cases when handle DISCARD merge.
+If max_discard_segments == 1, the bios/requests need to be contiguous
+to merge. If max_discard_segments > 1, it takes every bio as a range
+and different range needn't to be contiguous.
+
+But now, attempt_merge screws this up. It always consider contiguity
+for DISCARD for the case max_discard_segments > 1 and cannot merge
+contiguous DISCARD for the case max_discard_segments == 1, because
+rq_attempt_discard_merge always returns false in this case.
+This patch fixes both of the two cases above.
+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jianchao Wang <jianchao.w.wang@oracle.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-merge.c | 46 ++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 36 insertions(+), 10 deletions(-)
+
+diff --git a/block/blk-merge.c b/block/blk-merge.c
+index 2e042190a4f1c..1dced51de1c6c 100644
+--- a/block/blk-merge.c
++++ b/block/blk-merge.c
+@@ -669,6 +669,31 @@ static void blk_account_io_merge(struct request *req)
+ part_stat_unlock();
+ }
+ }
++/*
++ * Two cases of handling DISCARD merge:
++ * If max_discard_segments > 1, the driver takes every bio
++ * as a range and send them to controller together. The ranges
++ * needn't to be contiguous.
++ * Otherwise, the bios/requests will be handled as same as
++ * others which should be contiguous.
++ */
++static inline bool blk_discard_mergable(struct request *req)
++{
++ if (req_op(req) == REQ_OP_DISCARD &&
++ queue_max_discard_segments(req->q) > 1)
++ return true;
++ return false;
++}
++
++enum elv_merge blk_try_req_merge(struct request *req, struct request *next)
++{
++ if (blk_discard_mergable(req))
++ return ELEVATOR_DISCARD_MERGE;
++ else if (blk_rq_pos(req) + blk_rq_sectors(req) == blk_rq_pos(next))
++ return ELEVATOR_BACK_MERGE;
++
++ return ELEVATOR_NO_MERGE;
++}
+
+ /*
+ * For non-mq, this has to be called with the request spinlock acquired.
+@@ -686,12 +711,6 @@ static struct request *attempt_merge(struct request_queue *q,
+ if (req_op(req) != req_op(next))
+ return NULL;
+
+- /*
+- * not contiguous
+- */
+- if (blk_rq_pos(req) + blk_rq_sectors(req) != blk_rq_pos(next))
+- return NULL;
+-
+ if (rq_data_dir(req) != rq_data_dir(next)
+ || req->rq_disk != next->rq_disk
+ || req_no_special_merge(next))
+@@ -715,11 +734,19 @@ static struct request *attempt_merge(struct request_queue *q,
+ * counts here. Handle DISCARDs separately, as they
+ * have separate settings.
+ */
+- if (req_op(req) == REQ_OP_DISCARD) {
++
++ switch (blk_try_req_merge(req, next)) {
++ case ELEVATOR_DISCARD_MERGE:
+ if (!req_attempt_discard_merge(q, req, next))
+ return NULL;
+- } else if (!ll_merge_requests_fn(q, req, next))
++ break;
++ case ELEVATOR_BACK_MERGE:
++ if (!ll_merge_requests_fn(q, req, next))
++ return NULL;
++ break;
++ default:
+ return NULL;
++ }
+
+ /*
+ * If failfast settings disagree or any of the two is already
+@@ -843,8 +870,7 @@ bool blk_rq_merge_ok(struct request *rq, struct bio *bio)
+
+ enum elv_merge blk_try_merge(struct request *rq, struct bio *bio)
+ {
+- if (req_op(rq) == REQ_OP_DISCARD &&
+- queue_max_discard_segments(rq->q) > 1)
++ if (blk_discard_mergable(rq))
+ return ELEVATOR_DISCARD_MERGE;
+ else if (blk_rq_pos(rq) + blk_rq_sectors(rq) == bio->bi_iter.bi_sector)
+ return ELEVATOR_BACK_MERGE;
+--
+2.20.1
+
--- /dev/null
+From c775d7637b2601eb00d46c5430e0c70c11f7bc25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Oct 2018 20:42:25 +0000
+Subject: bpf, btf: fix a missing check bug in btf_parse
+
+From: Martin Lau <kafai@fb.com>
+
+[ Upstream commit 4a6998aff82a20a1aece86a186d8e5263f8b2315 ]
+
+Wenwen Wang reported:
+
+ In btf_parse(), the header of the user-space btf data 'btf_data'
+ is firstly parsed and verified through btf_parse_hdr().
+ In btf_parse_hdr(), the header is copied from user-space 'btf_data'
+ to kernel-space 'btf->hdr' and then verified. If no error happens
+ during the verification process, the whole data of 'btf_data',
+ including the header, is then copied to 'data' in btf_parse(). It
+ is obvious that the header is copied twice here. More importantly,
+ no check is enforced after the second copy to make sure the headers
+ obtained in these two copies are same. Given that 'btf_data' resides
+ in the user space, a malicious user can race to modify the header
+ between these two copies. By doing so, the user can inject
+ inconsistent data, which can cause undefined behavior of the
+ kernel and introduce potential security risk.
+
+This issue is similar to the one fixed in commit 8af03d1ae2e1 ("bpf:
+btf: Fix a missing check bug"). To fix it, this patch copies the user
+'btf_data' *before* parsing / verifying the BTF header.
+
+Fixes: 69b693f0aefa ("bpf: btf: Introduce BPF Type Format (BTF)")
+Signed-off-by: Martin KaFai Lau <kafai@fb.com>
+Co-developed-by: Wenwen Wang <wang6495@umn.edu>
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/btf.c | 55 ++++++++++++++++++++++--------------------------
+ 1 file changed, 25 insertions(+), 30 deletions(-)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index 378cef70341c4..cfa27b7d1168c 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -2067,50 +2067,44 @@ static int btf_check_sec_info(struct btf_verifier_env *env,
+ return 0;
+ }
+
+-static int btf_parse_hdr(struct btf_verifier_env *env, void __user *btf_data,
+- u32 btf_data_size)
++static int btf_parse_hdr(struct btf_verifier_env *env)
+ {
++ u32 hdr_len, hdr_copy, btf_data_size;
+ const struct btf_header *hdr;
+- u32 hdr_len, hdr_copy;
+- /*
+- * Minimal part of the "struct btf_header" that
+- * contains the hdr_len.
+- */
+- struct btf_min_header {
+- u16 magic;
+- u8 version;
+- u8 flags;
+- u32 hdr_len;
+- } __user *min_hdr;
+ struct btf *btf;
+ int err;
+
+ btf = env->btf;
+- min_hdr = btf_data;
++ btf_data_size = btf->data_size;
+
+- if (btf_data_size < sizeof(*min_hdr)) {
++ if (btf_data_size <
++ offsetof(struct btf_header, hdr_len) + sizeof(hdr->hdr_len)) {
+ btf_verifier_log(env, "hdr_len not found");
+ return -EINVAL;
+ }
+
+- if (get_user(hdr_len, &min_hdr->hdr_len))
+- return -EFAULT;
+-
++ hdr = btf->data;
++ hdr_len = hdr->hdr_len;
+ if (btf_data_size < hdr_len) {
+ btf_verifier_log(env, "btf_header not found");
+ return -EINVAL;
+ }
+
+- err = bpf_check_uarg_tail_zero(btf_data, sizeof(btf->hdr), hdr_len);
+- if (err) {
+- if (err == -E2BIG)
+- btf_verifier_log(env, "Unsupported btf_header");
+- return err;
++ /* Ensure the unsupported header fields are zero */
++ if (hdr_len > sizeof(btf->hdr)) {
++ u8 *expected_zero = btf->data + sizeof(btf->hdr);
++ u8 *end = btf->data + hdr_len;
++
++ for (; expected_zero < end; expected_zero++) {
++ if (*expected_zero) {
++ btf_verifier_log(env, "Unsupported btf_header");
++ return -E2BIG;
++ }
++ }
+ }
+
+ hdr_copy = min_t(u32, hdr_len, sizeof(btf->hdr));
+- if (copy_from_user(&btf->hdr, btf_data, hdr_copy))
+- return -EFAULT;
++ memcpy(&btf->hdr, btf->data, hdr_copy);
+
+ hdr = &btf->hdr;
+
+@@ -2186,10 +2180,6 @@ static struct btf *btf_parse(void __user *btf_data, u32 btf_data_size,
+ }
+ env->btf = btf;
+
+- err = btf_parse_hdr(env, btf_data, btf_data_size);
+- if (err)
+- goto errout;
+-
+ data = kvmalloc(btf_data_size, GFP_KERNEL | __GFP_NOWARN);
+ if (!data) {
+ err = -ENOMEM;
+@@ -2198,13 +2188,18 @@ static struct btf *btf_parse(void __user *btf_data, u32 btf_data_size,
+
+ btf->data = data;
+ btf->data_size = btf_data_size;
+- btf->nohdr_data = btf->data + btf->hdr.hdr_len;
+
+ if (copy_from_user(data, btf_data, btf_data_size)) {
+ err = -EFAULT;
+ goto errout;
+ }
+
++ err = btf_parse_hdr(env);
++ if (err)
++ goto errout;
++
++ btf->nohdr_data = btf->data + btf->hdr.hdr_len;
++
+ err = btf_parse_str_sec(env);
+ if (err)
+ goto errout;
+--
+2.20.1
+
--- /dev/null
+From a92388eaaa842d82076873ff69e92638d03b2751 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Oct 2018 20:15:17 +0900
+Subject: bpf: devmap: fix wrong interface selection in notifier_call
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit f592f804831f1cf9d1f9966f58c80f150e6829b5 ]
+
+The dev_map_notification() removes interface in devmap if
+unregistering interface's ifindex is same.
+But only checking ifindex is not enough because other netns can have
+same ifindex. so that wrong interface selection could occurred.
+Hence netdev pointer comparison code is added.
+
+v2: compare netdev pointer instead of using net_eq() (Daniel Borkmann)
+v1: Initial patch
+
+Fixes: 2ddf71e23cc2 ("net: add notifier hooks for devmap bpf map")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/devmap.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
+index fc500ca464d00..1defea4b27553 100644
+--- a/kernel/bpf/devmap.c
++++ b/kernel/bpf/devmap.c
+@@ -520,8 +520,7 @@ static int dev_map_notification(struct notifier_block *notifier,
+ struct bpf_dtab_netdev *dev, *odev;
+
+ dev = READ_ONCE(dtab->netdev_map[i]);
+- if (!dev ||
+- dev->dev->ifindex != netdev->ifindex)
++ if (!dev || netdev != dev->dev)
+ continue;
+ odev = cmpxchg(&dtab->netdev_map[i], dev, NULL);
+ if (dev == odev)
+--
+2.20.1
+
--- /dev/null
+From 53d3fa613086f07f3091be45344cac70302932e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Oct 2018 19:21:39 +0300
+Subject: brcmsmac: AP mode: update beacon when TIM changes
+
+From: Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>
+
+[ Upstream commit 2258ee58baa554609a3cc3996276e4276f537b6d ]
+
+Beacons are not updated to reflect TIM changes. This is not compliant with
+power-saving client stations as the beacons do not have valid TIM and can
+cause the network to stall at random occasions and to have highly variable
+latencies.
+Fix it by updating beacon templates on mac80211 set_tim callback.
+
+Addresses an issue described in:
+https://marc.info/?i=20180911163534.21312d08%20()%20manjaro
+
+Signed-off-by: Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../broadcom/brcm80211/brcmsmac/mac80211_if.c | 26 +++++++++++++++++++
+ .../broadcom/brcm80211/brcmsmac/main.h | 1 +
+ 2 files changed, 27 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+index 6255fb6d97a70..81ff558046a8f 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+@@ -502,6 +502,7 @@ brcms_ops_add_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
+ }
+
+ spin_lock_bh(&wl->lock);
++ wl->wlc->vif = vif;
+ wl->mute_tx = false;
+ brcms_c_mute(wl->wlc, false);
+ if (vif->type == NL80211_IFTYPE_STATION)
+@@ -519,6 +520,11 @@ brcms_ops_add_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
+ static void
+ brcms_ops_remove_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
+ {
++ struct brcms_info *wl = hw->priv;
++
++ spin_lock_bh(&wl->lock);
++ wl->wlc->vif = NULL;
++ spin_unlock_bh(&wl->lock);
+ }
+
+ static int brcms_ops_config(struct ieee80211_hw *hw, u32 changed)
+@@ -937,6 +943,25 @@ static void brcms_ops_set_tsf(struct ieee80211_hw *hw,
+ spin_unlock_bh(&wl->lock);
+ }
+
++static int brcms_ops_beacon_set_tim(struct ieee80211_hw *hw,
++ struct ieee80211_sta *sta, bool set)
++{
++ struct brcms_info *wl = hw->priv;
++ struct sk_buff *beacon = NULL;
++ u16 tim_offset = 0;
++
++ spin_lock_bh(&wl->lock);
++ if (wl->wlc->vif)
++ beacon = ieee80211_beacon_get_tim(hw, wl->wlc->vif,
++ &tim_offset, NULL);
++ if (beacon)
++ brcms_c_set_new_beacon(wl->wlc, beacon, tim_offset,
++ wl->wlc->vif->bss_conf.dtim_period);
++ spin_unlock_bh(&wl->lock);
++
++ return 0;
++}
++
+ static const struct ieee80211_ops brcms_ops = {
+ .tx = brcms_ops_tx,
+ .start = brcms_ops_start,
+@@ -955,6 +980,7 @@ static const struct ieee80211_ops brcms_ops = {
+ .flush = brcms_ops_flush,
+ .get_tsf = brcms_ops_get_tsf,
+ .set_tsf = brcms_ops_set_tsf,
++ .set_tim = brcms_ops_beacon_set_tim,
+ };
+
+ void brcms_dpc(unsigned long data)
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.h b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.h
+index c4d135cff04ad..9f76b880814e8 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.h
+@@ -563,6 +563,7 @@ struct brcms_c_info {
+
+ struct wiphy *wiphy;
+ struct scb pri_scb;
++ struct ieee80211_vif *vif;
+
+ struct sk_buff *beacon;
+ u16 beacon_tim_offset;
+--
+2.20.1
+
--- /dev/null
+From b95ac72baedaad5d4289425eb7fa9f991a629557 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Oct 2018 19:12:35 +0300
+Subject: brcmsmac: never log "tid x is not agg'able" by default
+
+From: Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>
+
+[ Upstream commit 96fca788e5788b7ea3b0050eb35a343637e0a465 ]
+
+This message greatly spams the log under heavy Tx of frames with BK access
+class which is especially true when operating as AP. It is also not informative
+as the "agg'ablity" of TIDs are set once and never change.
+Fix this by logging only in debug mode.
+
+Signed-off-by: Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+index 81ff558046a8f..6188275b17e5a 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+@@ -846,8 +846,8 @@ brcms_ops_ampdu_action(struct ieee80211_hw *hw,
+ status = brcms_c_aggregatable(wl->wlc, tid);
+ spin_unlock_bh(&wl->lock);
+ if (!status) {
+- brcms_err(wl->wlc->hw->d11core,
+- "START: tid %d is not agg\'able\n", tid);
++ brcms_dbg_ht(wl->wlc->hw->d11core,
++ "START: tid %d is not agg\'able\n", tid);
+ return -EINVAL;
+ }
+ ieee80211_start_tx_ba_cb_irqsafe(vif, sta->addr, tid);
+--
+2.20.1
+
--- /dev/null
+From 0939a50c5ed676078eca7982136da5c006b6d056 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Nov 2018 16:39:28 +0100
+Subject: btrfs: avoid link error with CONFIG_NO_AUTO_INLINE
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 7e17916b35797396f681a3270245fd29c1e4c250 ]
+
+Note: this patch fixes a problem in a feature outside of btrfs ("kernel
+hacking: add a config option to disable compiler auto-inlining") and is
+applied ahead of time due to cross-subsystem dependencies.
+
+On 32-bit ARM with gcc-8, I see a link error with the addition of the
+CONFIG_NO_AUTO_INLINE option:
+
+fs/btrfs/super.o: In function `btrfs_statfs':
+super.c:(.text+0x67b8): undefined reference to `__aeabi_uldivmod'
+super.c:(.text+0x67fc): undefined reference to `__aeabi_uldivmod'
+super.c:(.text+0x6858): undefined reference to `__aeabi_uldivmod'
+super.c:(.text+0x6920): undefined reference to `__aeabi_uldivmod'
+super.c:(.text+0x693c): undefined reference to `__aeabi_uldivmod'
+fs/btrfs/super.o:super.c:(.text+0x6958): more undefined references to `__aeabi_uldivmod' follow
+
+So far this is the only file that shows the behavior, so I'd propose
+to just work around it by marking the functions as 'static inline'
+that normally get inlined here.
+
+The reference to __aeabi_uldivmod comes from a div_u64() which has an
+optimization for a constant division that uses a straight '/' operator
+when the result should be known to the compiler. My interpretation is
+that as we turn off inlining, gcc still expects the result to be constant
+but fails to use that constant value.
+
+Link: https://lkml.kernel.org/r/20181103153941.1881966-1-arnd@arndb.de
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: Changbin Du <changbin.du@gmail.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+[ add the note ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/super.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
+index 8888337a95b64..ddbad8d509490 100644
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1919,7 +1919,7 @@ static int btrfs_remount(struct super_block *sb, int *flags, char *data)
+ }
+
+ /* Used to sort the devices by max_avail(descending sort) */
+-static int btrfs_cmp_device_free_bytes(const void *dev_info1,
++static inline int btrfs_cmp_device_free_bytes(const void *dev_info1,
+ const void *dev_info2)
+ {
+ if (((struct btrfs_device_info *)dev_info1)->max_avail >
+@@ -1948,8 +1948,8 @@ static inline void btrfs_descending_sort_devices(
+ * The helper to calc the free space on the devices that can be used to store
+ * file data.
+ */
+-static int btrfs_calc_avail_data_space(struct btrfs_fs_info *fs_info,
+- u64 *free_bytes)
++static inline int btrfs_calc_avail_data_space(struct btrfs_fs_info *fs_info,
++ u64 *free_bytes)
+ {
+ struct btrfs_device_info *devices_info;
+ struct btrfs_fs_devices *fs_devices = fs_info->fs_devices;
+--
+2.20.1
+
--- /dev/null
+From 073bae4e4424a5f9bd95a3f09a5a10e760c76f98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Sep 2018 11:07:33 +0800
+Subject: btrfs: defrag: use btrfs_mod_outstanding_extents in
+ cluster_pages_for_defrag
+
+From: Su Yue <suy.fnst@cn.fujitsu.com>
+
+[ Upstream commit 28c4a3e21ad030d7571ee9b1b246a5cbfd886627 ]
+
+Since commit 8b62f87bad9c ("Btrfs: rework outstanding_extents"),
+manual operations of outstanding_extent in btrfs_inode are replaced by
+btrfs_mod_outstanding_extents().
+The one in cluster_pages_for_defrag seems to be lost, so replace it
+of btrfs_mod_outstanding_extents().
+
+Fixes: 8b62f87bad9c ("Btrfs: rework outstanding_extents")
+Signed-off-by: Su Yue <suy.fnst@cn.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 7592beb53fc4e..00ff4349b4579 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -1337,7 +1337,7 @@ static int cluster_pages_for_defrag(struct inode *inode,
+
+ if (i_done != page_cnt) {
+ spin_lock(&BTRFS_I(inode)->lock);
+- BTRFS_I(inode)->outstanding_extents++;
++ btrfs_mod_outstanding_extents(BTRFS_I(inode), 1);
+ spin_unlock(&BTRFS_I(inode)->lock);
+ btrfs_delalloc_release_space(inode, data_reserved,
+ start_index << PAGE_SHIFT,
+--
+2.20.1
+
--- /dev/null
+From 8aee1065b1b8d7db6b0c2a0a83ad64afcc696374 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Sep 2018 11:35:10 +0300
+Subject: btrfs: handle error of get_old_root
+
+From: Nikolay Borisov <nborisov@suse.com>
+
+[ Upstream commit 315bed43fea532650933e7bba316a7601d439edf ]
+
+In btrfs_search_old_slot get_old_root is always used with the assumption
+it cannot fail. However, this is not true in rare circumstance it can
+fail and return null. This will lead to null point dereference when the
+header is read. Fix this by checking the return value and properly
+handling NULL by setting ret to -EIO and returning gracefully.
+
+Coverity-id: 1087503
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index 9fd383285f0ea..fc764f350f05a 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -3031,6 +3031,10 @@ int btrfs_search_old_slot(struct btrfs_root *root, const struct btrfs_key *key,
+
+ again:
+ b = get_old_root(root, time_seq);
++ if (!b) {
++ ret = -EIO;
++ goto done;
++ }
+ level = btrfs_header_level(b);
+ p->locks[level] = BTRFS_READ_LOCK;
+
+--
+2.20.1
+
--- /dev/null
+From 3acb988a940be5148bbe6bcb1b819b664a411ef9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Oct 2018 13:20:48 -0600
+Subject: cdrom: don't attempt to fiddle with cdo->capability
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 8f94004e2a51a3ea195cf3447eb5d5906f36d8b3 ]
+
+We can't modify cdo->capability as it is defined as a const.
+Change the modification hack to just WARN_ON_ONCE() if we hit
+any of the invalid combinations.
+
+This fixes a regression for pcd, which doesn't work after the
+constify patch.
+
+Fixes: 853fe1bf7554 ("cdrom: Make device operations read-only")
+Tested-by: Ondrej Zary <linux@rainbow-software.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cdrom/cdrom.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index 27a82a559ab94..933268b8d6a54 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -411,10 +411,10 @@ static int cdrom_get_disc_info(struct cdrom_device_info *cdi,
+ * hack to have the capability flags defined const, while we can still
+ * change it here without gcc complaining at every line.
+ */
+-#define ENSURE(call, bits) \
+-do { \
+- if (cdo->call == NULL) \
+- *change_capability &= ~(bits); \
++#define ENSURE(cdo, call, bits) \
++do { \
++ if (cdo->call == NULL) \
++ WARN_ON_ONCE((cdo)->capability & (bits)); \
+ } while (0)
+
+ /*
+@@ -590,7 +590,6 @@ int register_cdrom(struct cdrom_device_info *cdi)
+ {
+ static char banner_printed;
+ const struct cdrom_device_ops *cdo = cdi->ops;
+- int *change_capability = (int *)&cdo->capability; /* hack */
+
+ cd_dbg(CD_OPEN, "entering register_cdrom\n");
+
+@@ -602,16 +601,16 @@ int register_cdrom(struct cdrom_device_info *cdi)
+ cdrom_sysctl_register();
+ }
+
+- ENSURE(drive_status, CDC_DRIVE_STATUS);
++ ENSURE(cdo, drive_status, CDC_DRIVE_STATUS);
+ if (cdo->check_events == NULL && cdo->media_changed == NULL)
+- *change_capability = ~(CDC_MEDIA_CHANGED | CDC_SELECT_DISC);
+- ENSURE(tray_move, CDC_CLOSE_TRAY | CDC_OPEN_TRAY);
+- ENSURE(lock_door, CDC_LOCK);
+- ENSURE(select_speed, CDC_SELECT_SPEED);
+- ENSURE(get_last_session, CDC_MULTI_SESSION);
+- ENSURE(get_mcn, CDC_MCN);
+- ENSURE(reset, CDC_RESET);
+- ENSURE(generic_packet, CDC_GENERIC_PACKET);
++ WARN_ON_ONCE(cdo->capability & (CDC_MEDIA_CHANGED | CDC_SELECT_DISC));
++ ENSURE(cdo, tray_move, CDC_CLOSE_TRAY | CDC_OPEN_TRAY);
++ ENSURE(cdo, lock_door, CDC_LOCK);
++ ENSURE(cdo, select_speed, CDC_SELECT_SPEED);
++ ENSURE(cdo, get_last_session, CDC_MULTI_SESSION);
++ ENSURE(cdo, get_mcn, CDC_MCN);
++ ENSURE(cdo, reset, CDC_RESET);
++ ENSURE(cdo, generic_packet, CDC_GENERIC_PACKET);
+ cdi->mc_flags = 0;
+ cdi->options = CDO_USE_FFLAGS;
+
+--
+2.20.1
+
--- /dev/null
+From 3144def8bbb61fff3a917250da071e7c69816020 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Sep 2018 09:10:29 +0800
+Subject: ceph: fix dentry leak in ceph_readdir_prepopulate
+
+From: Yan, Zheng <zyan@redhat.com>
+
+[ Upstream commit c58f450bd61511d897efc2ea472c69630635b557 ]
+
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/inode.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
+index acb70a6a82f0f..1e438e0faf77e 100644
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -1694,7 +1694,6 @@ int ceph_readdir_prepopulate(struct ceph_mds_request *req,
+ if (IS_ERR(realdn)) {
+ err = PTR_ERR(realdn);
+ d_drop(dn);
+- dn = NULL;
+ goto next_item;
+ }
+ dn = realdn;
+--
+2.20.1
+
--- /dev/null
+From 7a1bb295a6859aadd6c421f85e48105bb587a022 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Oct 2018 18:54:28 +0100
+Subject: ceph: only allow punch hole mode in fallocate
+
+From: Luis Henriques <lhenriques@suse.com>
+
+[ Upstream commit bddff633ab7bc60a18a86ac8b322695b6f8594d0 ]
+
+Current implementation of cephfs fallocate isn't correct as it doesn't
+really reserve the space in the cluster, which means that a subsequent
+call to a write may actually fail due to lack of space. In fact, it is
+currently possible to fallocate an amount space that is larger than the
+free space in the cluster. It has behaved this way since the initial
+commit ad7a60de882a ("ceph: punch hole support").
+
+Since there's no easy solution to fix this at the moment, this patch
+simply removes support for all fallocate operations but
+FALLOC_FL_PUNCH_HOLE (which implies FALLOC_FL_KEEP_SIZE).
+
+Link: https://tracker.ceph.com/issues/36317
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/file.c | 45 +++++++++------------------------------------
+ 1 file changed, 9 insertions(+), 36 deletions(-)
+
+diff --git a/fs/ceph/file.c b/fs/ceph/file.c
+index 92ab204336829..91a7ad259bcf2 100644
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -1735,7 +1735,6 @@ static long ceph_fallocate(struct file *file, int mode,
+ struct ceph_file_info *fi = file->private_data;
+ struct inode *inode = file_inode(file);
+ struct ceph_inode_info *ci = ceph_inode(inode);
+- struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
+ struct ceph_cap_flush *prealloc_cf;
+ int want, got = 0;
+ int dirty;
+@@ -1743,10 +1742,7 @@ static long ceph_fallocate(struct file *file, int mode,
+ loff_t endoff = 0;
+ loff_t size;
+
+- if ((offset + length) > max(i_size_read(inode), fsc->max_file_size))
+- return -EFBIG;
+-
+- if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE))
++ if (mode != (FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE))
+ return -EOPNOTSUPP;
+
+ if (!S_ISREG(inode->i_mode))
+@@ -1763,18 +1759,6 @@ static long ceph_fallocate(struct file *file, int mode,
+ goto unlock;
+ }
+
+- if (!(mode & (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE)) &&
+- ceph_quota_is_max_bytes_exceeded(inode, offset + length)) {
+- ret = -EDQUOT;
+- goto unlock;
+- }
+-
+- if (ceph_osdmap_flag(&fsc->client->osdc, CEPH_OSDMAP_FULL) &&
+- !(mode & FALLOC_FL_PUNCH_HOLE)) {
+- ret = -ENOSPC;
+- goto unlock;
+- }
+-
+ if (ci->i_inline_version != CEPH_INLINE_NONE) {
+ ret = ceph_uninline_data(file, NULL);
+ if (ret < 0)
+@@ -1782,12 +1766,12 @@ static long ceph_fallocate(struct file *file, int mode,
+ }
+
+ size = i_size_read(inode);
+- if (!(mode & FALLOC_FL_KEEP_SIZE)) {
+- endoff = offset + length;
+- ret = inode_newsize_ok(inode, endoff);
+- if (ret)
+- goto unlock;
+- }
++
++ /* Are we punching a hole beyond EOF? */
++ if (offset >= size)
++ goto unlock;
++ if ((offset + length) > size)
++ length = size - offset;
+
+ if (fi->fmode & CEPH_FILE_MODE_LAZY)
+ want = CEPH_CAP_FILE_BUFFER | CEPH_CAP_FILE_LAZYIO;
+@@ -1798,16 +1782,8 @@ static long ceph_fallocate(struct file *file, int mode,
+ if (ret < 0)
+ goto unlock;
+
+- if (mode & FALLOC_FL_PUNCH_HOLE) {
+- if (offset < size)
+- ceph_zero_pagecache_range(inode, offset, length);
+- ret = ceph_zero_objects(inode, offset, length);
+- } else if (endoff > size) {
+- truncate_pagecache_range(inode, size, -1);
+- if (ceph_inode_set_size(inode, endoff))
+- ceph_check_caps(ceph_inode(inode),
+- CHECK_CAPS_AUTHONLY, NULL);
+- }
++ ceph_zero_pagecache_range(inode, offset, length);
++ ret = ceph_zero_objects(inode, offset, length);
+
+ if (!ret) {
+ spin_lock(&ci->i_ceph_lock);
+@@ -1817,9 +1793,6 @@ static long ceph_fallocate(struct file *file, int mode,
+ spin_unlock(&ci->i_ceph_lock);
+ if (dirty)
+ __mark_inode_dirty(inode, dirty);
+- if ((endoff > size) &&
+- ceph_quota_is_max_bytes_approaching(inode, endoff))
+- ceph_check_caps(ci, CHECK_CAPS_NODELAY, NULL);
+ }
+
+ ceph_put_cap_refs(ci, got);
+--
+2.20.1
+
--- /dev/null
+From 706f30547edc1338e719201dc6e9d99990c563dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Feb 2019 11:09:54 +0100
+Subject: cfg80211: call disconnect_wk when AP stops
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit e005bd7ddea06784c1eb91ac5bb6b171a94f3b05 ]
+
+Since we now prevent regulatory restore during STA disconnect
+if concurrent AP interfaces are active, we need to reschedule
+this check when the AP state changes. This fixes never doing
+a restore when an AP is the last interface to stop. Or to put
+it another way: we need to re-check after anything we check
+here changes.
+
+Cc: stable@vger.kernel.org
+Fixes: 113f3aaa81bd ("cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/ap.c | 2 ++
+ net/wireless/core.h | 2 ++
+ net/wireless/sme.c | 2 +-
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/ap.c b/net/wireless/ap.c
+index 882d97bdc6bfd..550ac9d827fe7 100644
+--- a/net/wireless/ap.c
++++ b/net/wireless/ap.c
+@@ -41,6 +41,8 @@ int __cfg80211_stop_ap(struct cfg80211_registered_device *rdev,
+ cfg80211_sched_dfs_chan_update(rdev);
+ }
+
++ schedule_work(&cfg80211_disconnect_work);
++
+ return err;
+ }
+
+diff --git a/net/wireless/core.h b/net/wireless/core.h
+index 7f52ef5693203..f5d58652108dd 100644
+--- a/net/wireless/core.h
++++ b/net/wireless/core.h
+@@ -430,6 +430,8 @@ void cfg80211_process_wdev_events(struct wireless_dev *wdev);
+ bool cfg80211_does_bw_fit_range(const struct ieee80211_freq_range *freq_range,
+ u32 center_freq_khz, u32 bw_khz);
+
++extern struct work_struct cfg80211_disconnect_work;
++
+ /**
+ * cfg80211_chandef_dfs_usable - checks if chandef is DFS usable
+ * @wiphy: the wiphy to validate against
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index c7047c7b4e80f..07c2196e9d573 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -667,7 +667,7 @@ static void disconnect_work(struct work_struct *work)
+ rtnl_unlock();
+ }
+
+-static DECLARE_WORK(cfg80211_disconnect_work, disconnect_work);
++DECLARE_WORK(cfg80211_disconnect_work, disconnect_work);
+
+
+ /*
+--
+2.20.1
+
--- /dev/null
+From e94ea7cec9132cb1444882607778fcea474971c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Oct 2018 14:42:59 +0530
+Subject: cfg80211: Prevent regulatory restore during STA disconnect in
+ concurrent interfaces
+
+From: Sriram R <srirrama@codeaurora.org>
+
+[ Upstream commit 113f3aaa81bd56aba02659786ed65cbd9cb9a6fc ]
+
+Currently when an AP and STA interfaces are active in the same or different
+radios, regulatory settings are restored whenever the STA disconnects. This
+restores all channel information including dfs states in all radios.
+For example, if an AP interface is active in one radio and STA in another,
+when radar is detected on the AP interface, the dfs state of the channel
+will be changed to UNAVAILABLE. But when the STA interface disconnects,
+this issues a regulatory disconnect hint which restores all regulatory
+settings in all the radios attached and thereby losing the stored dfs
+state on the other radio where the channel was marked as unavailable
+earlier. Hence prevent such regulatory restore whenever another active
+beaconing interface is present in the same or other radios.
+
+Signed-off-by: Sriram R <srirrama@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/sme.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index d536b07582f8c..c7047c7b4e80f 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -642,11 +642,15 @@ static bool cfg80211_is_all_idle(void)
+ * All devices must be idle as otherwise if you are actively
+ * scanning some new beacon hints could be learned and would
+ * count as new regulatory hints.
++ * Also if there is any other active beaconing interface we
++ * need not issue a disconnect hint and reset any info such
++ * as chan dfs state, etc.
+ */
+ list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
+ list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
+ wdev_lock(wdev);
+- if (wdev->conn || wdev->current_bss)
++ if (wdev->conn || wdev->current_bss ||
++ cfg80211_beaconing_iface_active(wdev))
+ is_all_idle = false;
+ wdev_unlock(wdev);
+ }
+--
+2.20.1
+
--- /dev/null
+From 75e419ea97aa284fc7eb665fa87140329032bd2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 16:21:39 +0200
+Subject: clk: at91: audio-pll: fix audio pmc type
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit 7fa75007b7d7421aea59ff2b12ab1bd65a5abfa6 ]
+
+The allocation for the audio pmc is using the size of struct clk_audio_pad
+instead of struct clk_audio_pmc. This works fine because the former is
+larger than the latter but it is safer to be correct.
+
+Fixes: ("0865805d82d4 clk: at91: add audio pll clock drivers")
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/at91/clk-audio-pll.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/at91/clk-audio-pll.c b/drivers/clk/at91/clk-audio-pll.c
+index da7bafcfbe706..b3eaf654fac98 100644
+--- a/drivers/clk/at91/clk-audio-pll.c
++++ b/drivers/clk/at91/clk-audio-pll.c
+@@ -509,7 +509,7 @@ static void __init of_sama5d2_clk_audio_pll_pad_setup(struct device_node *np)
+
+ static void __init of_sama5d2_clk_audio_pll_pmc_setup(struct device_node *np)
+ {
+- struct clk_audio_pad *apmc_ck;
++ struct clk_audio_pmc *apmc_ck;
+ struct clk_init_data init = {};
+
+ apmc_ck = kzalloc(sizeof(*apmc_ck), GFP_KERNEL);
+--
+2.20.1
+
--- /dev/null
+From b29913dc9df0b7c8dc0356f9c2afeed22828b60d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Sep 2018 14:01:44 +0200
+Subject: clk: mmp2: fix the clock id for sdh2_clk and sdh3_clk
+
+From: Lubomir Rintel <lkundrak@v3.sk>
+
+[ Upstream commit 4917fb90eec7c26dac1497ada3bd4a325f670fcc ]
+
+A typo that makes it impossible to get the correct clocks for
+MMP2_CLK_SDH2 and MMP2_CLK_SDH3.
+
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Fixes: 1ec770d92a62 ("clk: mmp: add mmp2 DT support for clock driver")
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/mmp/clk-of-mmp2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/mmp/clk-of-mmp2.c b/drivers/clk/mmp/clk-of-mmp2.c
+index 0fc75c3959570..d083b860f0833 100644
+--- a/drivers/clk/mmp/clk-of-mmp2.c
++++ b/drivers/clk/mmp/clk-of-mmp2.c
+@@ -227,8 +227,8 @@ static struct mmp_param_gate_clk apmu_gate_clks[] = {
+ /* The gate clocks has mux parent. */
+ {MMP2_CLK_SDH0, "sdh0_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH0, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
+ {MMP2_CLK_SDH1, "sdh1_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH1, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
+- {MMP2_CLK_SDH1, "sdh2_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH2, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
+- {MMP2_CLK_SDH1, "sdh3_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH3, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
++ {MMP2_CLK_SDH2, "sdh2_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH2, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
++ {MMP2_CLK_SDH3, "sdh3_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH3, 0x1b, 0x1b, 0x0, 0, &sdh_lock},
+ {MMP2_CLK_DISP0, "disp0_clk", "disp0_div", CLK_SET_RATE_PARENT, APMU_DISP0, 0x1b, 0x1b, 0x0, 0, &disp0_lock},
+ {MMP2_CLK_DISP0_SPHY, "disp0_sphy_clk", "disp0_sphy_div", CLK_SET_RATE_PARENT, APMU_DISP0, 0x1024, 0x1024, 0x0, 0, &disp0_lock},
+ {MMP2_CLK_DISP1, "disp1_clk", "disp1_div", CLK_SET_RATE_PARENT, APMU_DISP1, 0x1b, 0x1b, 0x0, 0, &disp1_lock},
+--
+2.20.1
+
--- /dev/null
+From 101efbcd731a43a67527f3bb94f2720420c7180d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Oct 2018 15:07:29 +0800
+Subject: clk: sunxi-ng: enable so-said LDOs for A64 SoC's pll-mipi clock
+
+From: Icenowy Zheng <icenowy@aosc.io>
+
+[ Upstream commit 859783d1390035e29ba850963bded2b4ffdf43b5 ]
+
+In the user manual of A64 SoC, the bit 22 and 23 of pll-mipi control
+register is called "LDO{1,2}_EN", and according to the BSP source code
+from Allwinner , the LDOs are enabled during the clock's enabling
+process.
+
+The clock failed to generate output if the two LDOs are not enabled.
+
+Add the two bits to the clock's gate bits, so that the LDOs are enabled
+when the PLL is enabled.
+
+Fixes: c6a0637460c2 ("clk: sunxi-ng: Add A64 clocks")
+Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sunxi-ng/ccu-sun50i-a64.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/sunxi-ng/ccu-sun50i-a64.c b/drivers/clk/sunxi-ng/ccu-sun50i-a64.c
+index ee9c12cf3f08c..2a60981799216 100644
+--- a/drivers/clk/sunxi-ng/ccu-sun50i-a64.c
++++ b/drivers/clk/sunxi-ng/ccu-sun50i-a64.c
+@@ -158,7 +158,12 @@ static SUNXI_CCU_NM_WITH_FRAC_GATE_LOCK(pll_gpu_clk, "pll-gpu",
+ #define SUN50I_A64_PLL_MIPI_REG 0x040
+
+ static struct ccu_nkm pll_mipi_clk = {
+- .enable = BIT(31),
++ /*
++ * The bit 23 and 22 are called "LDO{1,2}_EN" on the SoC's
++ * user manual, and by experiments the PLL doesn't work without
++ * these bits toggled.
++ */
++ .enable = BIT(31) | BIT(23) | BIT(22),
+ .lock = BIT(28),
+ .n = _SUNXI_CCU_MULT(8, 4),
+ .k = _SUNXI_CCU_MULT_MIN(4, 2, 2),
+--
+2.20.1
+
--- /dev/null
+From 75475ee91f989ba7e75a4d569eba640a74a77f0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Sep 2018 10:32:03 +0800
+Subject: clk: tegra: Fixes for MBIST work around
+
+From: Joseph Lo <josephl@nvidia.com>
+
+[ Upstream commit a4dbbceeee3e0ba670875a147237d6566de78840 ]
+
+Fix some incorrect data in LVL2 offset and bit mask.
+
+Fixes: e403d0057343 ("clk: tegra: MBIST work around for Tegra210")
+Signed-off-by: Joseph Lo <josephl@nvidia.com>
+Signed-off-by: Peter De Schrijver <pdeschrijver@nvidia.com>
+Acked-by: Jon Hunter <jonathanh@nvidia.com>
+Acked-by: Peter De Schrijver <pdeschrijver@nvidia.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/tegra/clk-tegra210.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/tegra/clk-tegra210.c b/drivers/clk/tegra/clk-tegra210.c
+index 080bfa24863ee..7264e97310348 100644
+--- a/drivers/clk/tegra/clk-tegra210.c
++++ b/drivers/clk/tegra/clk-tegra210.c
+@@ -2603,7 +2603,7 @@ static struct tegra210_domain_mbist_war tegra210_pg_mbist_war[] = {
+ [TEGRA_POWERGATE_MPE] = {
+ .handle_lvl2_ovr = tegra210_generic_mbist_war,
+ .lvl2_offset = LVL2_CLK_GATE_OVRE,
+- .lvl2_mask = BIT(2),
++ .lvl2_mask = BIT(29),
+ },
+ [TEGRA_POWERGATE_SOR] = {
+ .handle_lvl2_ovr = tegra210_generic_mbist_war,
+@@ -2654,14 +2654,14 @@ static struct tegra210_domain_mbist_war tegra210_pg_mbist_war[] = {
+ .num_clks = ARRAY_SIZE(nvdec_slcg_clkids),
+ .clk_init_data = nvdec_slcg_clkids,
+ .handle_lvl2_ovr = tegra210_generic_mbist_war,
+- .lvl2_offset = LVL2_CLK_GATE_OVRC,
++ .lvl2_offset = LVL2_CLK_GATE_OVRE,
+ .lvl2_mask = BIT(9) | BIT(31),
+ },
+ [TEGRA_POWERGATE_NVJPG] = {
+ .num_clks = ARRAY_SIZE(nvjpg_slcg_clkids),
+ .clk_init_data = nvjpg_slcg_clkids,
+ .handle_lvl2_ovr = tegra210_generic_mbist_war,
+- .lvl2_offset = LVL2_CLK_GATE_OVRC,
++ .lvl2_offset = LVL2_CLK_GATE_OVRE,
+ .lvl2_mask = BIT(9) | BIT(31),
+ },
+ [TEGRA_POWERGATE_AUD] = {
+--
+2.20.1
+
--- /dev/null
+From 39f80ea6dfbc62e90755e23a6f3206768202cd04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Oct 2018 21:30:50 +0300
+Subject: clk: tegra20: Turn EMC clock gate into divider
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+[ Upstream commit 514fddba845ed3a1b17e01e99cb3a2a52256a88a ]
+
+Kernel should never gate the EMC clock as it causes immediate lockup, so
+removing clk-gate functionality doesn't affect anything. Turning EMC clk
+gate into divider allows to implement glitch-less EMC scaling, avoiding
+reparenting to a backup clock.
+
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Peter De Schrijver <pdeschrijver@nvidia.com>
+Acked-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/tegra/clk-tegra20.c | 36 ++++++++++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/clk/tegra/clk-tegra20.c b/drivers/clk/tegra/clk-tegra20.c
+index cc857d4d4a86e..68551effb5ca2 100644
+--- a/drivers/clk/tegra/clk-tegra20.c
++++ b/drivers/clk/tegra/clk-tegra20.c
+@@ -578,7 +578,6 @@ static struct tegra_clk tegra20_clks[tegra_clk_max] __initdata = {
+ [tegra_clk_afi] = { .dt_id = TEGRA20_CLK_AFI, .present = true },
+ [tegra_clk_fuse] = { .dt_id = TEGRA20_CLK_FUSE, .present = true },
+ [tegra_clk_kfuse] = { .dt_id = TEGRA20_CLK_KFUSE, .present = true },
+- [tegra_clk_emc] = { .dt_id = TEGRA20_CLK_EMC, .present = true },
+ };
+
+ static unsigned long tegra20_clk_measure_input_freq(void)
+@@ -799,6 +798,31 @@ static struct tegra_periph_init_data tegra_periph_nodiv_clk_list[] = {
+ TEGRA_INIT_DATA_NODIV("disp2", mux_pllpdc_clkm, CLK_SOURCE_DISP2, 30, 2, 26, 0, TEGRA20_CLK_DISP2),
+ };
+
++static void __init tegra20_emc_clk_init(void)
++{
++ struct clk *clk;
++
++ clk = clk_register_mux(NULL, "emc_mux", mux_pllmcp_clkm,
++ ARRAY_SIZE(mux_pllmcp_clkm),
++ CLK_SET_RATE_NO_REPARENT,
++ clk_base + CLK_SOURCE_EMC,
++ 30, 2, 0, &emc_lock);
++
++ clk = tegra_clk_register_mc("mc", "emc_mux", clk_base + CLK_SOURCE_EMC,
++ &emc_lock);
++ clks[TEGRA20_CLK_MC] = clk;
++
++ /*
++ * Note that 'emc_mux' source and 'emc' rate shouldn't be changed at
++ * the same time due to a HW bug, this won't happen because we're
++ * defining 'emc_mux' and 'emc' as distinct clocks.
++ */
++ clk = tegra_clk_register_divider("emc", "emc_mux",
++ clk_base + CLK_SOURCE_EMC, CLK_IS_CRITICAL,
++ TEGRA_DIVIDER_INT, 0, 8, 1, &emc_lock);
++ clks[TEGRA20_CLK_EMC] = clk;
++}
++
+ static void __init tegra20_periph_clk_init(void)
+ {
+ struct tegra_periph_init_data *data;
+@@ -812,15 +836,7 @@ static void __init tegra20_periph_clk_init(void)
+ clks[TEGRA20_CLK_AC97] = clk;
+
+ /* emc */
+- clk = clk_register_mux(NULL, "emc_mux", mux_pllmcp_clkm,
+- ARRAY_SIZE(mux_pllmcp_clkm),
+- CLK_SET_RATE_NO_REPARENT,
+- clk_base + CLK_SOURCE_EMC,
+- 30, 2, 0, &emc_lock);
+-
+- clk = tegra_clk_register_mc("mc", "emc_mux", clk_base + CLK_SOURCE_EMC,
+- &emc_lock);
+- clks[TEGRA20_CLK_MC] = clk;
++ tegra20_emc_clk_init();
+
+ /* dsi */
+ clk = tegra_clk_register_periph_gate("dsi", "pll_d", 0, clk_base, 0,
+--
+2.20.1
+
--- /dev/null
+From 51f563758cef49dd9b122293d5a90e069f592772 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Oct 2018 14:40:07 -0700
+Subject: crypto: ccree - avoid implicit enum conversion
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 18e732b8035d175181aae2ded127994cb01694f7 ]
+
+Clang warns when one enumerated type is implicitly converted to another
+and this happens in several locations in this driver, ultimately related
+to the set_cipher_{mode,config0} functions. set_cipher_mode expects a mode
+of type drv_cipher_mode and set_cipher_config0 expects a mode of type
+drv_crypto_direction.
+
+drivers/crypto/ccree/cc_ivgen.c:58:35: warning: implicit conversion from
+enumeration type 'enum cc_desc_direction' to different enumeration type
+'enum drv_crypto_direction' [-Wenum-conversion]
+ set_cipher_config0(&iv_seq[idx], DESC_DIRECTION_ENCRYPT_ENCRYPT);
+
+drivers/crypto/ccree/cc_hash.c:99:28: warning: implicit conversion from
+enumeration type 'enum cc_hash_conf_pad' to different enumeration type
+'enum drv_crypto_direction' [-Wenum-conversion]
+ set_cipher_config0(desc, HASH_DIGEST_RESULT_LITTLE_ENDIAN);
+
+drivers/crypto/ccree/cc_aead.c:1643:30: warning: implicit conversion
+from enumeration type 'enum drv_hash_hw_mode' to different enumeration
+type 'enum drv_cipher_mode' [-Wenum-conversion]
+ set_cipher_mode(&desc[idx], DRV_HASH_HW_GHASH);
+
+Since this fundamentally isn't a problem because these values just
+represent simple integers for a shift operation, make it clear to Clang
+that this is okay by making the mode parameter in both functions an int.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/46
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Acked-by: Gilad Ben-Yossef <gilad@benyossef.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccree/cc_hw_queue_defs.h | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/crypto/ccree/cc_hw_queue_defs.h b/drivers/crypto/ccree/cc_hw_queue_defs.h
+index a091ae57f9024..45985b955d2c8 100644
+--- a/drivers/crypto/ccree/cc_hw_queue_defs.h
++++ b/drivers/crypto/ccree/cc_hw_queue_defs.h
+@@ -449,8 +449,7 @@ static inline void set_flow_mode(struct cc_hw_desc *pdesc,
+ * @pdesc: pointer HW descriptor struct
+ * @mode: Any one of the modes defined in [CC7x-DESC]
+ */
+-static inline void set_cipher_mode(struct cc_hw_desc *pdesc,
+- enum drv_cipher_mode mode)
++static inline void set_cipher_mode(struct cc_hw_desc *pdesc, int mode)
+ {
+ pdesc->word[4] |= FIELD_PREP(WORD4_CIPHER_MODE, mode);
+ }
+@@ -461,8 +460,7 @@ static inline void set_cipher_mode(struct cc_hw_desc *pdesc,
+ * @pdesc: pointer HW descriptor struct
+ * @mode: Any one of the modes defined in [CC7x-DESC]
+ */
+-static inline void set_cipher_config0(struct cc_hw_desc *pdesc,
+- enum drv_crypto_direction mode)
++static inline void set_cipher_config0(struct cc_hw_desc *pdesc, int mode)
+ {
+ pdesc->word[4] |= FIELD_PREP(WORD4_CIPHER_CONF0, mode);
+ }
+--
+2.20.1
+
--- /dev/null
+From 257299e58bac3d2c676706b46d96f4221f25baac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Oct 2018 13:58:10 +0200
+Subject: crypto: testmgr - fix sizeof() on COMP_BUF_SIZE
+
+From: Michael Schupikov <michael@schupikov.de>
+
+[ Upstream commit 22a8118d329334833cd30f2ceb36d28e8cae8a4f ]
+
+After allocation, output and decomp_output both point to memory chunks of
+size COMP_BUF_SIZE. Then, only the first bytes are zeroed out using
+sizeof(COMP_BUF_SIZE) as parameter to memset(), because
+sizeof(COMP_BUF_SIZE) provides the size of the constant and not the size of
+allocated memory.
+
+Instead, the whole allocated memory is meant to be zeroed out. Use
+COMP_BUF_SIZE as parameter to memset() directly in order to accomplish
+this.
+
+Fixes: 336073840a872 ("crypto: testmgr - Allow different compression results")
+
+Signed-off-by: Michael Schupikov <michael@schupikov.de>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/testmgr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/testmgr.c b/crypto/testmgr.c
+index 3664c26f4838e..13cb2ea99d6a5 100644
+--- a/crypto/testmgr.c
++++ b/crypto/testmgr.c
+@@ -1400,8 +1400,8 @@ static int test_comp(struct crypto_comp *tfm,
+ int ilen;
+ unsigned int dlen = COMP_BUF_SIZE;
+
+- memset(output, 0, sizeof(COMP_BUF_SIZE));
+- memset(decomp_output, 0, sizeof(COMP_BUF_SIZE));
++ memset(output, 0, COMP_BUF_SIZE);
++ memset(decomp_output, 0, COMP_BUF_SIZE);
+
+ ilen = ctemplate[i].inlen;
+ ret = crypto_comp_compress(tfm, ctemplate[i].input,
+@@ -1445,7 +1445,7 @@ static int test_comp(struct crypto_comp *tfm,
+ int ilen;
+ unsigned int dlen = COMP_BUF_SIZE;
+
+- memset(decomp_output, 0, sizeof(COMP_BUF_SIZE));
++ memset(decomp_output, 0, COMP_BUF_SIZE);
+
+ ilen = dtemplate[i].inlen;
+ ret = crypto_comp_decompress(tfm, dtemplate[i].input,
+--
+2.20.1
+
--- /dev/null
+From e33eeb880ae5b10c46e8de502e0fb4390b8f0a02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Nov 2018 14:18:22 -0600
+Subject: dlm: don't leak kernel pointer to userspace
+
+From: Tycho Andersen <tycho@tycho.ws>
+
+[ Upstream commit 9de30f3f7f4d31037cfbb7c787e1089c1944b3a7 ]
+
+In copy_result_to_user(), we first create a struct dlm_lock_result, which
+contains a struct dlm_lksb, the last member of which is a pointer to the
+lvb. Unfortunately, we copy the entire struct dlm_lksb to the result
+struct, which is then copied to userspace at the end of the function,
+leaking the contents of sb_lvbptr, which is a valid kernel pointer in some
+cases (indeed, later in the same function the data it points to is copied
+to userspace).
+
+It is an error to leak kernel pointers to userspace, as it undermines KASLR
+protections (see e.g. 65eea8edc31 ("floppy: Do not copy a kernel pointer to
+user memory in FDGETPRM ioctl") for another example of this).
+
+Signed-off-by: Tycho Andersen <tycho@tycho.ws>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/user.c b/fs/dlm/user.c
+index 2a669390cd7f6..13f29409600bb 100644
+--- a/fs/dlm/user.c
++++ b/fs/dlm/user.c
+@@ -702,7 +702,7 @@ static int copy_result_to_user(struct dlm_user_args *ua, int compat,
+ result.version[0] = DLM_DEVICE_VERSION_MAJOR;
+ result.version[1] = DLM_DEVICE_VERSION_MINOR;
+ result.version[2] = DLM_DEVICE_VERSION_PATCH;
+- memcpy(&result.lksb, &ua->lksb, sizeof(struct dlm_lksb));
++ memcpy(&result.lksb, &ua->lksb, offsetof(struct dlm_lksb, sb_lvbptr));
+ result.user_lksb = ua->user_lksb;
+
+ /* FIXME: dlm1 provides for the user's bastparam/addr to not be updated
+--
+2.20.1
+
--- /dev/null
+From 2fa9642df6ee4b008bb16936998f4bbc70797b06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Nov 2018 14:18:20 -0600
+Subject: dlm: fix invalid free
+
+From: Tycho Andersen <tycho@tycho.ws>
+
+[ Upstream commit d968b4e240cfe39d39d80483bac8bca8716fd93c ]
+
+dlm_config_nodes() does not allocate nodes on failure, so we should not
+free() nodes when it fails.
+
+Signed-off-by: Tycho Andersen <tycho@tycho.ws>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/member.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/dlm/member.c b/fs/dlm/member.c
+index 3fda3832cf6a6..cad6d85911a80 100644
+--- a/fs/dlm/member.c
++++ b/fs/dlm/member.c
+@@ -680,7 +680,7 @@ int dlm_ls_start(struct dlm_ls *ls)
+
+ error = dlm_config_nodes(ls->ls_name, &nodes, &count);
+ if (error < 0)
+- goto fail;
++ goto fail_rv;
+
+ spin_lock(&ls->ls_recover_lock);
+
+@@ -712,8 +712,9 @@ int dlm_ls_start(struct dlm_ls *ls)
+ return 0;
+
+ fail:
+- kfree(rv);
+ kfree(nodes);
++ fail_rv:
++ kfree(rv);
+ return error;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 6b8dece89c266147ad168da136403f5c4c8d85d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Oct 2018 20:24:25 +0200
+Subject: dm raid: avoid bitmap with raid4/5/6 journal device
+
+From: Heinz Mauelshagen <heinzm@redhat.com>
+
+[ Upstream commit d857ad75edf3c0066fcd920746f9dc75382b3324 ]
+
+With raid4/5/6, journal device and write intent bitmap are mutually exclusive.
+
+Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-raid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
+index b78a8a4d061ca..6c9b542882613 100644
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -2475,7 +2475,7 @@ static int super_validate(struct raid_set *rs, struct md_rdev *rdev)
+ }
+
+ /* Enable bitmap creation for RAID levels != 0 */
+- mddev->bitmap_info.offset = rt_is_raid0(rs->raid_type) ? 0 : to_sector(4096);
++ mddev->bitmap_info.offset = (rt_is_raid0(rs->raid_type) || rs->journal_dev.dev) ? 0 : to_sector(4096);
+ mddev->bitmap_info.default_offset = mddev->bitmap_info.offset;
+
+ if (!test_and_clear_bit(FirstUse, &rdev->flags)) {
+--
+2.20.1
+
--- /dev/null
+From 3b6805618c6988be31b14fd19745cb6a37e09aa3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Oct 2018 13:28:43 +0300
+Subject: EDAC, thunderx: Fix memory leak in thunderx_l2c_threaded_isr()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit d8c27ba86a2fd806d3957e5a9b30e66dfca2a61d ]
+
+Fix memory leak in L2c threaded interrupt handler.
+
+ [ bp: Rewrite commit message. ]
+
+Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+CC: David Daney <david.daney@cavium.com>
+CC: Jan Glauber <jglauber@cavium.com>
+CC: Mauro Carvalho Chehab <mchehab@kernel.org>
+CC: Sergey Temerkhanov <s.temerkhanov@gmail.com>
+CC: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20181013102843.GG16086@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/thunderx_edac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/edac/thunderx_edac.c b/drivers/edac/thunderx_edac.c
+index c009d94f40c52..34be60fe68922 100644
+--- a/drivers/edac/thunderx_edac.c
++++ b/drivers/edac/thunderx_edac.c
+@@ -1884,7 +1884,7 @@ static irqreturn_t thunderx_l2c_threaded_isr(int irq, void *irq_id)
+ default:
+ dev_err(&l2c->pdev->dev, "Unsupported device: %04x\n",
+ l2c->pdev->device);
+- return IRQ_NONE;
++ goto err_free;
+ }
+
+ while (CIRC_CNT(l2c->ring_head, l2c->ring_tail,
+@@ -1906,7 +1906,7 @@ static irqreturn_t thunderx_l2c_threaded_isr(int irq, void *irq_id)
+ l2c->ring_tail++;
+ }
+
+- return IRQ_HANDLED;
++ ret = IRQ_HANDLED;
+
+ err_free:
+ kfree(other);
+--
+2.20.1
+
--- /dev/null
+From 68f776b75020521e4a0e0336eb227177f7d3a04f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jul 2018 18:15:16 +0800
+Subject: f2fs: fix to spread clear_cold_data()
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 2baf07818549c8bb8d7b3437e889b86eab56d38e ]
+
+We need to drop PG_checked flag on page as well when we clear PG_uptodate
+flag, in order to avoid treating the page as GCing one later.
+
+Signed-off-by: Weichao Guo <guoweichao@huawei.com>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/data.c | 8 +++++++-
+ fs/f2fs/dir.c | 1 +
+ fs/f2fs/segment.c | 4 +++-
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index 3a2fd66769660..a7436ad194585 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -1782,6 +1782,7 @@ int f2fs_do_write_data_page(struct f2fs_io_info *fio)
+ /* This page is already truncated */
+ if (fio->old_blkaddr == NULL_ADDR) {
+ ClearPageUptodate(page);
++ clear_cold_data(page);
+ goto out_writepage;
+ }
+ got_it:
+@@ -1957,8 +1958,10 @@ static int __write_data_page(struct page *page, bool *submitted,
+
+ out:
+ inode_dec_dirty_pages(inode);
+- if (err)
++ if (err) {
+ ClearPageUptodate(page);
++ clear_cold_data(page);
++ }
+
+ if (wbc->for_reclaim) {
+ f2fs_submit_merged_write_cond(sbi, inode, 0, page->index, DATA);
+@@ -2573,6 +2576,8 @@ void f2fs_invalidate_page(struct page *page, unsigned int offset,
+ }
+ }
+
++ clear_cold_data(page);
++
+ /* This is atomic written page, keep Private */
+ if (IS_ATOMIC_WRITTEN_PAGE(page))
+ return f2fs_drop_inmem_page(inode, page);
+@@ -2591,6 +2596,7 @@ int f2fs_release_page(struct page *page, gfp_t wait)
+ if (IS_ATOMIC_WRITTEN_PAGE(page))
+ return 0;
+
++ clear_cold_data(page);
+ set_page_private(page, 0);
+ ClearPagePrivate(page);
+ return 1;
+diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
+index ecc3a4e2be96d..cd611a57d04d7 100644
+--- a/fs/f2fs/dir.c
++++ b/fs/f2fs/dir.c
+@@ -733,6 +733,7 @@ void f2fs_delete_entry(struct f2fs_dir_entry *dentry, struct page *page,
+ clear_page_dirty_for_io(page);
+ ClearPagePrivate(page);
+ ClearPageUptodate(page);
++ clear_cold_data(page);
+ inode_dec_dirty_pages(dir);
+ f2fs_remove_dirty_inode(dir);
+ }
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index d78009694f3fd..43a07514c3574 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -277,8 +277,10 @@ static int __revoke_inmem_pages(struct inode *inode,
+ }
+ next:
+ /* we don't need to invalidate this in the sccessful status */
+- if (drop || recover)
++ if (drop || recover) {
+ ClearPageUptodate(page);
++ clear_cold_data(page);
++ }
+ set_page_private(page, 0);
+ ClearPagePrivate(page);
+ f2fs_put_page(page, 1);
+--
+2.20.1
+
--- /dev/null
+From 16cfb91fd52190c72d52d156b9940737f11a1321 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Oct 2018 19:06:15 +0800
+Subject: f2fs: spread f2fs_set_inode_flags()
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 9149a5eb606152df158eb7d7da5a34e84b574189 ]
+
+This patch changes codes as below:
+- use f2fs_set_inode_flags() to update i_flags atomically to avoid
+potential race.
+- synchronize F2FS_I(inode)->i_flags to inode->i_flags in
+f2fs_new_inode().
+- use f2fs_set_inode_flags() to simply codes in f2fs_quota_{on,off}.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 2 +-
+ fs/f2fs/namei.c | 2 ++
+ fs/f2fs/super.c | 5 ++---
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 2dc49a5419070..34e48bcf50874 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -3388,7 +3388,7 @@ static inline void f2fs_set_encrypted_inode(struct inode *inode)
+ {
+ #ifdef CONFIG_F2FS_FS_ENCRYPTION
+ file_set_encrypt(inode);
+- inode->i_flags |= S_ENCRYPTED;
++ f2fs_set_inode_flags(inode);
+ #endif
+ }
+
+diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
+index 1f67e389169f5..6b23dcbf52f45 100644
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -124,6 +124,8 @@ static struct inode *f2fs_new_inode(struct inode *dir, umode_t mode)
+ if (F2FS_I(inode)->i_flags & F2FS_PROJINHERIT_FL)
+ set_inode_flag(inode, FI_PROJ_INHERIT);
+
++ f2fs_set_inode_flags(inode);
++
+ trace_f2fs_new_inode(inode, 0);
+ return inode;
+
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 15779123d0895..7a9cc64f5ca37 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1837,8 +1837,7 @@ static int f2fs_quota_on(struct super_block *sb, int type, int format_id,
+
+ inode_lock(inode);
+ F2FS_I(inode)->i_flags |= F2FS_NOATIME_FL | F2FS_IMMUTABLE_FL;
+- inode_set_flags(inode, S_NOATIME | S_IMMUTABLE,
+- S_NOATIME | S_IMMUTABLE);
++ f2fs_set_inode_flags(inode);
+ inode_unlock(inode);
+ f2fs_mark_inode_dirty_sync(inode, false);
+
+@@ -1863,7 +1862,7 @@ static int f2fs_quota_off(struct super_block *sb, int type)
+
+ inode_lock(inode);
+ F2FS_I(inode)->i_flags &= ~(F2FS_NOATIME_FL | F2FS_IMMUTABLE_FL);
+- inode_set_flags(inode, 0, S_NOATIME | S_IMMUTABLE);
++ f2fs_set_inode_flags(inode);
+ inode_unlock(inode);
+ f2fs_mark_inode_dirty_sync(inode, false);
+ out_put:
+--
+2.20.1
+
--- /dev/null
+From add3b77506f6e7069142a0374574ff089f3acee7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Oct 2018 12:18:28 -0700
+Subject: fm10k: ensure completer aborts are marked as non-fatal after a resume
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit e330af788998b0de4da4f5bd7ddd087507999800 ]
+
+VF drivers can trigger PCIe completer aborts any time they read a queue
+that they don't own. Even in nominal circumstances, it is not possible
+to prevent the VF driver from reading queues it doesn't own. VF drivers
+may attempt to read queues it previously owned, but which it no longer
+does due to a PF reset.
+
+Normally these completer aborts aren't an issue. However, on some
+platforms these trigger machine check errors. This is true even if we
+lower their severity from fatal to non-fatal. Indeed, we already have
+code for lowering the severity.
+
+We could attempt to mask these errors conditionally around resets, which
+is the most common time they would occur. However this would essentially
+be a race between the PF and VF drivers, and we may still occasionally
+see machine check exceptions on these strictly configured platforms.
+
+Instead, mask the errors entirely any time we resume VFs. By doing so,
+we prevent the completer aborts from being sent to the parent PCIe
+device, and thus these strict platforms will not upgrade them into
+machine check errors.
+
+Additionally, we don't lose any information by masking these errors,
+because we'll still report VFs which attempt to access queues via the
+FUM_BAD_VF_QACCESS errors.
+
+Without this change, on platforms where completer aborts cause machine
+check exceptions, the VF reading queues it doesn't own could crash the
+host system. Masking the completer abort prevents this, so we should
+mask it for good, and not just around a PCIe reset. Otherwise malicious
+or misconfigured VFs could cause the host system to crash.
+
+Because we are masking the error entirely, there is little reason to
+also keep setting the severity bit, so that code is also removed.
+
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/fm10k/fm10k_iov.c | 48 ++++++++++++--------
+ 1 file changed, 28 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_iov.c b/drivers/net/ethernet/intel/fm10k/fm10k_iov.c
+index e707d717012fa..618032612f52d 100644
+--- a/drivers/net/ethernet/intel/fm10k/fm10k_iov.c
++++ b/drivers/net/ethernet/intel/fm10k/fm10k_iov.c
+@@ -302,6 +302,28 @@ void fm10k_iov_suspend(struct pci_dev *pdev)
+ }
+ }
+
++static void fm10k_mask_aer_comp_abort(struct pci_dev *pdev)
++{
++ u32 err_mask;
++ int pos;
++
++ pos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ERR);
++ if (!pos)
++ return;
++
++ /* Mask the completion abort bit in the ERR_UNCOR_MASK register,
++ * preventing the device from reporting these errors to the upstream
++ * PCIe root device. This avoids bringing down platforms which upgrade
++ * non-fatal completer aborts into machine check exceptions. Completer
++ * aborts can occur whenever a VF reads a queue it doesn't own.
++ */
++ pci_read_config_dword(pdev, pos + PCI_ERR_UNCOR_MASK, &err_mask);
++ err_mask |= PCI_ERR_UNC_COMP_ABORT;
++ pci_write_config_dword(pdev, pos + PCI_ERR_UNCOR_MASK, err_mask);
++
++ mmiowb();
++}
++
+ int fm10k_iov_resume(struct pci_dev *pdev)
+ {
+ struct fm10k_intfc *interface = pci_get_drvdata(pdev);
+@@ -317,6 +339,12 @@ int fm10k_iov_resume(struct pci_dev *pdev)
+ if (!iov_data)
+ return -ENOMEM;
+
++ /* Lower severity of completer abort error reporting as
++ * the VFs can trigger this any time they read a queue
++ * that they don't own.
++ */
++ fm10k_mask_aer_comp_abort(pdev);
++
+ /* allocate hardware resources for the VFs */
+ hw->iov.ops.assign_resources(hw, num_vfs, num_vfs);
+
+@@ -460,20 +488,6 @@ void fm10k_iov_disable(struct pci_dev *pdev)
+ fm10k_iov_free_data(pdev);
+ }
+
+-static void fm10k_disable_aer_comp_abort(struct pci_dev *pdev)
+-{
+- u32 err_sev;
+- int pos;
+-
+- pos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ERR);
+- if (!pos)
+- return;
+-
+- pci_read_config_dword(pdev, pos + PCI_ERR_UNCOR_SEVER, &err_sev);
+- err_sev &= ~PCI_ERR_UNC_COMP_ABORT;
+- pci_write_config_dword(pdev, pos + PCI_ERR_UNCOR_SEVER, err_sev);
+-}
+-
+ int fm10k_iov_configure(struct pci_dev *pdev, int num_vfs)
+ {
+ int current_vfs = pci_num_vf(pdev);
+@@ -495,12 +509,6 @@ int fm10k_iov_configure(struct pci_dev *pdev, int num_vfs)
+
+ /* allocate VFs if not already allocated */
+ if (num_vfs && num_vfs != current_vfs) {
+- /* Disable completer abort error reporting as
+- * the VFs can trigger this any time they read a queue
+- * that they don't own.
+- */
+- fm10k_disable_aer_comp_abort(pdev);
+-
+ err = pci_enable_sriov(pdev, num_vfs);
+ if (err) {
+ dev_err(&pdev->dev,
+--
+2.20.1
+
--- /dev/null
+From 94e908cd484e97a5377f8b6178e92c634d6765d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Oct 2018 20:51:21 +0100
+Subject: fs/cifs: fix uninitialised variable warnings
+
+From: Garry McNulty <garrmcnu@gmail.com>
+
+[ Upstream commit ef2298a06d012973bbc592b86fe5ff730d4d0c63 ]
+
+In some error conditions, resp_buftype can be passed uninitialised to
+free_rsp_buf(), potentially resulting in a spurious debug message.
+If resp_buftype randomly had the value 1 (CIFS_SMALL_BUFFER) then this
+would log a debug message.
+The rsp pointer is initialised to NULL so there is no other side-effect.
+
+Detected by CoverityScan, CID 1438585 ("Uninitialized scalar variable")
+Detected by CoverityScan, CID 1438667 ("Uninitialized scalar variable")
+Detected by CoverityScan, CID 1438764 ("Uninitialized scalar variable")
+
+Signed-off-by: Garry McNulty <garrmcnu@gmail.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2pdu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index b1f5d0d28335a..9194f17675c89 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -2283,7 +2283,7 @@ SMB2_open(const unsigned int xid, struct cifs_open_parms *oparms, __le16 *path,
+ struct cifs_ses *ses = tcon->ses;
+ struct kvec iov[SMB2_CREATE_IOV_SIZE];
+ struct kvec rsp_iov = {NULL, 0};
+- int resp_buftype;
++ int resp_buftype = CIFS_NO_BUFFER;
+ int rc = 0;
+ int flags = 0;
+
+@@ -2570,7 +2570,7 @@ SMB2_close_flags(const unsigned int xid, struct cifs_tcon *tcon,
+ struct cifs_ses *ses = tcon->ses;
+ struct kvec iov[1];
+ struct kvec rsp_iov;
+- int resp_buftype;
++ int resp_buftype = CIFS_NO_BUFFER;
+ int rc = 0;
+
+ cifs_dbg(FYI, "Close\n");
+@@ -2723,7 +2723,7 @@ query_info(const unsigned int xid, struct cifs_tcon *tcon,
+ struct kvec iov[1];
+ struct kvec rsp_iov;
+ int rc = 0;
+- int resp_buftype;
++ int resp_buftype = CIFS_NO_BUFFER;
+ struct cifs_ses *ses = tcon->ses;
+ int flags = 0;
+
+--
+2.20.1
+
--- /dev/null
+From 43dd4d3e86e1d5092d1704eaaf3dbcf797a78b90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:35 -0700
+Subject: fs/hfs/extent.c: fix array out of bounds read of array extent
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 6c9a3f843a29d6894dfc40df338b91dbd78f0ae3 ]
+
+Currently extent and index i are both being incremented causing an array
+out of bounds read on extent[i]. Fix this by removing the extraneous
+increment of extent.
+
+Ernesto said:
+
+: This is only triggered when deleting a file with a resource fork. I
+: may be wrong because the documentation isn't clear, but I don't think
+: you can create those under linux. So I guess nobody was testing them.
+:
+: > A disk space leak, perhaps?
+:
+: That's what it looks like in general. hfs_free_extents() won't do
+: anything if the block count doesn't add up, and the error will be
+: ignored. Now, if the block count randomly does add up, we could see
+: some corruption.
+
+Detected by CoverityScan, CID#711541 ("Out of bounds read")
+
+Link: http://lkml.kernel.org/r/20180831140538.31566-1-colin.king@canonical.com
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Ernesto A. Fernndez <ernesto.mnd.fernandez@gmail.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
+Cc: Vyacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/extent.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c
+index 5f1ff97a3b987..263d5028d9d18 100644
+--- a/fs/hfs/extent.c
++++ b/fs/hfs/extent.c
+@@ -304,7 +304,7 @@ int hfs_free_fork(struct super_block *sb, struct hfs_cat_file *file, int type)
+ return 0;
+
+ blocks = 0;
+- for (i = 0; i < 3; extent++, i++)
++ for (i = 0; i < 3; i++)
+ blocks += be16_to_cpu(extent[i].count);
+
+ res = hfs_free_extents(sb, extent, blocks, blocks);
+--
+2.20.1
+
--- /dev/null
+From 5211cefccbac16153cfd8eb575c94acbc26e4dfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Oct 2018 15:02:52 -0700
+Subject: fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in
+ dlm_print_one_mle()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 999865764f5f128896402572b439269acb471022 ]
+
+The kernel module may sleep with holding a spinlock.
+
+The function call paths (from bottom to top) in Linux-4.16 are:
+
+[FUNC] get_zeroed_page(GFP_NOFS)
+fs/ocfs2/dlm/dlmdebug.c, 332: get_zeroed_page in dlm_print_one_mle
+fs/ocfs2/dlm/dlmmaster.c, 240: dlm_print_one_mle in __dlm_put_mle
+fs/ocfs2/dlm/dlmmaster.c, 255: __dlm_put_mle in dlm_put_mle
+fs/ocfs2/dlm/dlmmaster.c, 254: spin_lock in dlm_put_ml
+
+[FUNC] get_zeroed_page(GFP_NOFS)
+fs/ocfs2/dlm/dlmdebug.c, 332: get_zeroed_page in dlm_print_one_mle
+fs/ocfs2/dlm/dlmmaster.c, 240: dlm_print_one_mle in __dlm_put_mle
+fs/ocfs2/dlm/dlmmaster.c, 222: __dlm_put_mle in dlm_put_mle_inuse
+fs/ocfs2/dlm/dlmmaster.c, 219: spin_lock in dlm_put_mle_inuse
+
+To fix this bug, GFP_NOFS is replaced with GFP_ATOMIC.
+
+This bug is found by my static analysis tool DSAC.
+
+Link: http://lkml.kernel.org/r/20180901112528.27025-1-baijiaju1990@gmail.com
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <ge.changwei@h3c.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/dlm/dlmdebug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/dlm/dlmdebug.c b/fs/ocfs2/dlm/dlmdebug.c
+index 9b984cae4c4e0..1d6dc8422899b 100644
+--- a/fs/ocfs2/dlm/dlmdebug.c
++++ b/fs/ocfs2/dlm/dlmdebug.c
+@@ -329,7 +329,7 @@ void dlm_print_one_mle(struct dlm_master_list_entry *mle)
+ {
+ char *buf;
+
+- buf = (char *) get_zeroed_page(GFP_NOFS);
++ buf = (char *) get_zeroed_page(GFP_ATOMIC);
+ if (buf) {
+ dump_mle(mle, buf, PAGE_SIZE - 1);
+ free_page((unsigned long)buf);
+--
+2.20.1
+
--- /dev/null
+From 12a7af30a01be500bcb3dcd0387800bb3fa9f0a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Sep 2018 15:30:25 +0100
+Subject: gfs2: Fix marking bitmaps non-full
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit ec23df2b0cf3e1620f5db77972b7fb735f267eff ]
+
+Reservations in gfs can span multiple gfs2_bitmaps (but they won't span
+multiple resource groups). When removing a reservation, we want to
+clear the GBF_FULL flags of all involved gfs2_bitmaps, not just that of
+the first bitmap.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Reviewed-by: Steven Whitehouse <swhiteho@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/rgrp.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
+index 63e5387c84d26..c94c4ac1ae78b 100644
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -642,7 +642,10 @@ static void __rs_deltree(struct gfs2_blkreserv *rs)
+ RB_CLEAR_NODE(&rs->rs_node);
+
+ if (rs->rs_free) {
+- struct gfs2_bitmap *bi = rbm_bi(&rs->rs_rbm);
++ u64 last_block = gfs2_rbm_to_block(&rs->rs_rbm) +
++ rs->rs_free - 1;
++ struct gfs2_rbm last_rbm = { .rgd = rs->rs_rbm.rgd, };
++ struct gfs2_bitmap *start, *last;
+
+ /* return reserved blocks to the rgrp */
+ BUG_ON(rs->rs_rbm.rgd->rd_reserved < rs->rs_free);
+@@ -653,7 +656,13 @@ static void __rs_deltree(struct gfs2_blkreserv *rs)
+ it will force the number to be recalculated later. */
+ rgd->rd_extfail_pt += rs->rs_free;
+ rs->rs_free = 0;
+- clear_bit(GBF_FULL, &bi->bi_flags);
++ if (gfs2_rbm_from_block(&last_rbm, last_block))
++ return;
++ start = rbm_bi(&rs->rs_rbm);
++ last = rbm_bi(&last_rbm);
++ do
++ clear_bit(GBF_FULL, &start->bi_flags);
++ while (start++ != last);
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From e68437aa37bc7fd57a750bf786019e0b28aed817 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Oct 2018 10:04:45 -0600
+Subject: gsmi: Fix bug in append_to_eventlog sysfs handler
+
+From: Duncan Laurie <dlaurie@chromium.org>
+
+[ Upstream commit 655603de68469adaff16842ac17a5aec9c9ce89b ]
+
+The sysfs handler should return the number of bytes consumed, which in the
+case of a successful write is the entire buffer. Also fix a bug where
+param.data_len was being set to (count - (2 * sizeof(u32))) instead of just
+(count - sizeof(u32)). The latter is correct because we skip over the
+leading u32 which is our param.type, but we were also incorrectly
+subtracting sizeof(u32) on the line where we were actually setting
+param.data_len:
+
+ param.data_len = count - sizeof(u32);
+
+This meant that for our example event.kernel_software_watchdog with total
+length 10 bytes, param.data_len was just 2 prior to this change.
+
+To test, successfully append an event to the log with gsmi sysfs.
+This sample event is for a "Kernel Software Watchdog"
+
+> xxd -g 1 event.kernel_software_watchdog
+0000000: 01 00 00 00 ad de 06 00 00 00
+
+> cat event.kernel_software_watchdog > /sys/firmware/gsmi/append_to_eventlog
+
+> mosys eventlog list | tail -1
+14 | 2012-06-25 10:14:14 | Kernl Event | Software Watchdog
+
+Signed-off-by: Duncan Laurie <dlaurie@chromium.org>
+Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
+Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
+Signed-off-by: Furquan Shaikh <furquan@google.com>
+Tested-by: Furquan Shaikh <furquan@chromium.org>
+Reviewed-by: Aaron Durbin <adurbin@chromium.org>
+Reviewed-by: Justin TerAvest <teravest@chromium.org>
+[zwisler: updated changelog for 2nd bug fix and upstream]
+Signed-off-by: Ross Zwisler <zwisler@google.com>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/google/gsmi.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/google/gsmi.c b/drivers/firmware/google/gsmi.c
+index c8f169bf2e27d..62337be07afcb 100644
+--- a/drivers/firmware/google/gsmi.c
++++ b/drivers/firmware/google/gsmi.c
+@@ -480,11 +480,10 @@ static ssize_t eventlog_write(struct file *filp, struct kobject *kobj,
+ if (count < sizeof(u32))
+ return -EINVAL;
+ param.type = *(u32 *)buf;
+- count -= sizeof(u32);
+ buf += sizeof(u32);
+
+ /* The remaining buffer is the data payload */
+- if (count > gsmi_dev.data_buf->length)
++ if ((count - sizeof(u32)) > gsmi_dev.data_buf->length)
+ return -EINVAL;
+ param.data_len = count - sizeof(u32);
+
+@@ -504,7 +503,7 @@ static ssize_t eventlog_write(struct file *filp, struct kobject *kobj,
+
+ spin_unlock_irqrestore(&gsmi_dev.lock, flags);
+
+- return rc;
++ return (rc == 0) ? count : rc;
+
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 342dff25794566d46a643f3257959976b079bfea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:11 -0700
+Subject: hfs: fix BUG on bnode parent update
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit ef75bcc5763d130451a99825f247d301088b790b ]
+
+hfs_brec_update_parent() may hit BUG_ON() if the first record of both a
+leaf node and its parent are changed, and if this forces the parent to
+be split. It is not possible for this to happen on a valid hfs
+filesystem because the index nodes have fixed length keys.
+
+For reasons I ignore, the hfs module does have support for a number of
+hfsplus features. A corrupt btree header may report variable length
+keys and trigger this BUG, so it's better to fix it.
+
+Link: http://lkml.kernel.org/r/cf9b02d57f806217a2b1bf5db8c3e39730d8f603.1535682463.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Christoph Hellwig <hch@infradead.org>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/brec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
+index da25c49203cc5..896396554bcc1 100644
+--- a/fs/hfs/brec.c
++++ b/fs/hfs/brec.c
+@@ -445,6 +445,7 @@ static int hfs_brec_update_parent(struct hfs_find_data *fd)
+ /* restore search_key */
+ hfs_bnode_read_key(node, fd->search_key, 14);
+ }
++ new_node = NULL;
+ }
+
+ if (!rec && node->parent)
+--
+2.20.1
+
--- /dev/null
+From bbadba50b16de08bed71b174faed41506963d511 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:24 -0700
+Subject: hfs: fix return value of hfs_get_block()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit 1267a07be5ebbff2d2739290f3d043ae137c15b4 ]
+
+Direct writes to empty inodes fail with EIO. The generic direct-io code
+is in part to blame (a patch has been submitted as "direct-io: allow
+direct writes to empty inodes"), but hfs is worse affected than the other
+filesystems because the fallback to buffered I/O doesn't happen.
+
+The problem is the return value of hfs_get_block() when called with
+!create. Change it to be more consistent with the other modules.
+
+Link: http://lkml.kernel.org/r/4538ab8c35ea37338490525f0f24cbc37227528c.1539195310.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Reviewed-by: Vyacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/extent.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c
+index 0c638c6121526..5f1ff97a3b987 100644
+--- a/fs/hfs/extent.c
++++ b/fs/hfs/extent.c
+@@ -345,7 +345,9 @@ int hfs_get_block(struct inode *inode, sector_t block,
+ ablock = (u32)block / HFS_SB(sb)->fs_div;
+
+ if (block >= HFS_I(inode)->fs_blocks) {
+- if (block > HFS_I(inode)->fs_blocks || !create)
++ if (!create)
++ return 0;
++ if (block > HFS_I(inode)->fs_blocks)
+ return -EIO;
+ if (ablock >= HFS_I(inode)->alloc_blocks) {
+ res = hfs_extend_file(inode);
+--
+2.20.1
+
--- /dev/null
+From c82d04a6b8f806f12943cfacd9282c9f9164834e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:17 -0700
+Subject: hfs: prevent btree data loss on ENOSPC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit 54640c7502e5ed41fbf4eedd499e85f9acc9698f ]
+
+Inserting a new record in a btree may require splitting several of its
+nodes. If we hit ENOSPC halfway through, the new nodes will be left
+orphaned and their records will be lost. This could mean lost inodes or
+extents.
+
+Henceforth, check the available disk space before making any changes.
+This still leaves the potential problem of corruption on ENOMEM.
+
+There is no need to reserve space before deleting a catalog record, as we
+do for hfsplus. This difference is because hfs index nodes have fixed
+length keys.
+
+Link: http://lkml.kernel.org/r/ab5fc8a7d5ffccfd5f27b1cf2cb4ceb6c110da74.1536269131.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/btree.c | 41 +++++++++++++++++++++++++----------------
+ fs/hfs/btree.h | 1 +
+ fs/hfs/catalog.c | 16 ++++++++++++++++
+ fs/hfs/extent.c | 4 ++++
+ 4 files changed, 46 insertions(+), 16 deletions(-)
+
+diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c
+index 9bdff5e406261..19017d2961734 100644
+--- a/fs/hfs/btree.c
++++ b/fs/hfs/btree.c
+@@ -220,25 +220,17 @@ static struct hfs_bnode *hfs_bmap_new_bmap(struct hfs_bnode *prev, u32 idx)
+ return node;
+ }
+
+-struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
++/* Make sure @tree has enough space for the @rsvd_nodes */
++int hfs_bmap_reserve(struct hfs_btree *tree, int rsvd_nodes)
+ {
+- struct hfs_bnode *node, *next_node;
+- struct page **pagep;
+- u32 nidx, idx;
+- unsigned off;
+- u16 off16;
+- u16 len;
+- u8 *data, byte, m;
+- int i;
+-
+- while (!tree->free_nodes) {
+- struct inode *inode = tree->inode;
+- u32 count;
+- int res;
++ struct inode *inode = tree->inode;
++ u32 count;
++ int res;
+
++ while (tree->free_nodes < rsvd_nodes) {
+ res = hfs_extend_file(inode);
+ if (res)
+- return ERR_PTR(res);
++ return res;
+ HFS_I(inode)->phys_size = inode->i_size =
+ (loff_t)HFS_I(inode)->alloc_blocks *
+ HFS_SB(tree->sb)->alloc_blksz;
+@@ -246,9 +238,26 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
+ tree->sb->s_blocksize_bits;
+ inode_set_bytes(inode, inode->i_size);
+ count = inode->i_size >> tree->node_size_shift;
+- tree->free_nodes = count - tree->node_count;
++ tree->free_nodes += count - tree->node_count;
+ tree->node_count = count;
+ }
++ return 0;
++}
++
++struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
++{
++ struct hfs_bnode *node, *next_node;
++ struct page **pagep;
++ u32 nidx, idx;
++ unsigned off;
++ u16 off16;
++ u16 len;
++ u8 *data, byte, m;
++ int i, res;
++
++ res = hfs_bmap_reserve(tree, 1);
++ if (res)
++ return ERR_PTR(res);
+
+ nidx = 0;
+ node = hfs_bnode_find(tree, nidx);
+diff --git a/fs/hfs/btree.h b/fs/hfs/btree.h
+index c8b252dbb26c0..dcc2aab1b2c43 100644
+--- a/fs/hfs/btree.h
++++ b/fs/hfs/btree.h
+@@ -82,6 +82,7 @@ struct hfs_find_data {
+ extern struct hfs_btree *hfs_btree_open(struct super_block *, u32, btree_keycmp);
+ extern void hfs_btree_close(struct hfs_btree *);
+ extern void hfs_btree_write(struct hfs_btree *);
++extern int hfs_bmap_reserve(struct hfs_btree *, int);
+ extern struct hfs_bnode * hfs_bmap_alloc(struct hfs_btree *);
+ extern void hfs_bmap_free(struct hfs_bnode *node);
+
+diff --git a/fs/hfs/catalog.c b/fs/hfs/catalog.c
+index 8a66405b0f8b5..d365bf0b8c77d 100644
+--- a/fs/hfs/catalog.c
++++ b/fs/hfs/catalog.c
+@@ -97,6 +97,14 @@ int hfs_cat_create(u32 cnid, struct inode *dir, const struct qstr *str, struct i
+ if (err)
+ return err;
+
++ /*
++ * Fail early and avoid ENOSPC during the btree operations. We may
++ * have to split the root node at most once.
++ */
++ err = hfs_bmap_reserve(fd.tree, 2 * fd.tree->depth);
++ if (err)
++ goto err2;
++
+ hfs_cat_build_key(sb, fd.search_key, cnid, NULL);
+ entry_size = hfs_cat_build_thread(sb, &entry, S_ISDIR(inode->i_mode) ?
+ HFS_CDR_THD : HFS_CDR_FTH,
+@@ -295,6 +303,14 @@ int hfs_cat_move(u32 cnid, struct inode *src_dir, const struct qstr *src_name,
+ return err;
+ dst_fd = src_fd;
+
++ /*
++ * Fail early and avoid ENOSPC during the btree operations. We may
++ * have to split the root node at most once.
++ */
++ err = hfs_bmap_reserve(src_fd.tree, 2 * src_fd.tree->depth);
++ if (err)
++ goto out;
++
+ /* find the old dir entry and read the data */
+ hfs_cat_build_key(sb, src_fd.search_key, src_dir->i_ino, src_name);
+ err = hfs_brec_find(&src_fd);
+diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c
+index 5d01826545809..0c638c6121526 100644
+--- a/fs/hfs/extent.c
++++ b/fs/hfs/extent.c
+@@ -117,6 +117,10 @@ static int __hfs_ext_write_extent(struct inode *inode, struct hfs_find_data *fd)
+ if (HFS_I(inode)->flags & HFS_FLG_EXT_NEW) {
+ if (res != -ENOENT)
+ return res;
++ /* Fail early and avoid ENOSPC during the btree operation */
++ res = hfs_bmap_reserve(fd->tree, fd->tree->depth + 1);
++ if (res)
++ return res;
+ hfs_brec_insert(fd, HFS_I(inode)->cached_extents, sizeof(hfs_extent_rec));
+ HFS_I(inode)->flags &= ~(HFS_FLG_EXT_DIRTY|HFS_FLG_EXT_NEW);
+ } else {
+--
+2.20.1
+
--- /dev/null
+From 938d3e4c967799e0282d29eaf281e62a380bea88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:31 -0700
+Subject: hfs: update timestamp on truncate()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit 8cd3cb5061730af085a3f9890a3352f162b4e20c ]
+
+The vfs takes care of updating mtime on ftruncate(), but on truncate() it
+must be done by the module.
+
+Link: http://lkml.kernel.org/r/e1611eda2985b672ed2d8677350b4ad8c2d07e8a.1539316825.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Reviewed-by: Vyacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/inode.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
+index a2dfa1b2a89c7..da243c84e93b0 100644
+--- a/fs/hfs/inode.c
++++ b/fs/hfs/inode.c
+@@ -642,6 +642,8 @@ int hfs_inode_setattr(struct dentry *dentry, struct iattr * attr)
+
+ truncate_setsize(inode, attr->ia_size);
+ hfs_file_truncate(inode);
++ inode->i_atime = inode->i_mtime = inode->i_ctime =
++ current_time(inode);
+ }
+
+ setattr_copy(inode, attr);
+--
+2.20.1
+
--- /dev/null
+From d1ce1b8b0edf4f3a620bd522fd1337e674b407b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:04 -0700
+Subject: hfsplus: fix BUG on bnode parent update
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit 19a9d0f1acf75e8be8cfba19c1a34e941846fa2b ]
+
+Creating, renaming or deleting a file may hit BUG_ON() if the first
+record of both a leaf node and its parent are changed, and if this
+forces the parent to be split. This bug is triggered by xfstests
+generic/027, somewhat rarely; here is a more reliable reproducer:
+
+ truncate -s 50M fs.iso
+ mkfs.hfsplus fs.iso
+ mount fs.iso /mnt
+ i=1000
+ while [ $i -le 2400 ]; do
+ touch /mnt/$i &>/dev/null
+ ((++i))
+ done
+ i=2400
+ while [ $i -ge 1000 ]; do
+ mv /mnt/$i /mnt/$(perl -e "print $i x61") &>/dev/null
+ ((--i))
+ done
+
+The issue is that a newly created bnode is being put twice. Reset
+new_node to NULL in hfs_brec_update_parent() before reaching goto again.
+
+Link: http://lkml.kernel.org/r/5ee1db09b60373a15890f6a7c835d00e76bf601d.1535682461.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Cc: Christoph Hellwig <hch@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/brec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c
+index aa17a392b4140..1918544a78716 100644
+--- a/fs/hfsplus/brec.c
++++ b/fs/hfsplus/brec.c
+@@ -449,6 +449,7 @@ static int hfs_brec_update_parent(struct hfs_find_data *fd)
+ /* restore search_key */
+ hfs_bnode_read_key(node, fd->search_key, 14);
+ }
++ new_node = NULL;
+ }
+
+ if (!rec && node->parent)
+--
+2.20.1
+
--- /dev/null
+From a334ef7591224a23072ca6b45d61d73747feb75a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:21 -0700
+Subject: hfsplus: fix return value of hfsplus_get_block()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit 839c3a6a5e1fbc8542d581911b35b2cb5cd29304 ]
+
+Direct writes to empty inodes fail with EIO. The generic direct-io code
+is in part to blame (a patch has been submitted as "direct-io: allow
+direct writes to empty inodes"), but hfsplus is worse affected than the
+other filesystems because the fallback to buffered I/O doesn't happen.
+
+The problem is the return value of hfsplus_get_block() when called with
+!create. Change it to be more consistent with the other modules.
+
+Link: http://lkml.kernel.org/r/2cd1301404ec7cf1e39c8f11a01a4302f1460ad6.1539195310.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Reviewed-by: Vyacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/extents.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c
+index 8a8893d522ef3..a930ddd156819 100644
+--- a/fs/hfsplus/extents.c
++++ b/fs/hfsplus/extents.c
+@@ -237,7 +237,9 @@ int hfsplus_get_block(struct inode *inode, sector_t iblock,
+ ablock = iblock >> sbi->fs_shift;
+
+ if (iblock >= hip->fs_blocks) {
+- if (iblock > hip->fs_blocks || !create)
++ if (!create)
++ return 0;
++ if (iblock > hip->fs_blocks)
+ return -EIO;
+ if (ablock >= hip->alloc_blocks) {
+ res = hfsplus_file_extend(inode, false);
+--
+2.20.1
+
--- /dev/null
+From b928e37b6c86c3117457ec21aa9749e003f804cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:14 -0700
+Subject: hfsplus: prevent btree data loss on ENOSPC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit d92915c35bfaf763d78bf1d5ac7f183420e3bd99 ]
+
+Inserting or deleting a record in a btree may require splitting several of
+its nodes. If we hit ENOSPC halfway through, the new nodes will be left
+orphaned and their records will be lost. This could mean lost inodes,
+extents or xattrs.
+
+Henceforth, check the available disk space before making any changes.
+This still leaves the potential problem of corruption on ENOMEM.
+
+The patch can be tested with xfstests generic/027.
+
+Link: http://lkml.kernel.org/r/4596eef22fbda137b4ffa0272d92f0da15364421.1536269129.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/attributes.c | 10 ++++++++++
+ fs/hfsplus/btree.c | 44 ++++++++++++++++++++++++++---------------
+ fs/hfsplus/catalog.c | 24 ++++++++++++++++++++++
+ fs/hfsplus/extents.c | 4 ++++
+ fs/hfsplus/hfsplus_fs.h | 2 ++
+ 5 files changed, 68 insertions(+), 16 deletions(-)
+
+diff --git a/fs/hfsplus/attributes.c b/fs/hfsplus/attributes.c
+index 2bab6b3cdba48..e6d554476db41 100644
+--- a/fs/hfsplus/attributes.c
++++ b/fs/hfsplus/attributes.c
+@@ -217,6 +217,11 @@ int hfsplus_create_attr(struct inode *inode,
+ if (err)
+ goto failed_init_create_attr;
+
++ /* Fail early and avoid ENOSPC during the btree operation */
++ err = hfs_bmap_reserve(fd.tree, fd.tree->depth + 1);
++ if (err)
++ goto failed_create_attr;
++
+ if (name) {
+ err = hfsplus_attr_build_key(sb, fd.search_key,
+ inode->i_ino, name);
+@@ -313,6 +318,11 @@ int hfsplus_delete_attr(struct inode *inode, const char *name)
+ if (err)
+ return err;
+
++ /* Fail early and avoid ENOSPC during the btree operation */
++ err = hfs_bmap_reserve(fd.tree, fd.tree->depth);
++ if (err)
++ goto out;
++
+ if (name) {
+ err = hfsplus_attr_build_key(sb, fd.search_key,
+ inode->i_ino, name);
+diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
+index 3de3bc4918b55..66774f4cb4fd5 100644
+--- a/fs/hfsplus/btree.c
++++ b/fs/hfsplus/btree.c
+@@ -342,26 +342,21 @@ static struct hfs_bnode *hfs_bmap_new_bmap(struct hfs_bnode *prev, u32 idx)
+ return node;
+ }
+
+-struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
++/* Make sure @tree has enough space for the @rsvd_nodes */
++int hfs_bmap_reserve(struct hfs_btree *tree, int rsvd_nodes)
+ {
+- struct hfs_bnode *node, *next_node;
+- struct page **pagep;
+- u32 nidx, idx;
+- unsigned off;
+- u16 off16;
+- u16 len;
+- u8 *data, byte, m;
+- int i;
++ struct inode *inode = tree->inode;
++ struct hfsplus_inode_info *hip = HFSPLUS_I(inode);
++ u32 count;
++ int res;
+
+- while (!tree->free_nodes) {
+- struct inode *inode = tree->inode;
+- struct hfsplus_inode_info *hip = HFSPLUS_I(inode);
+- u32 count;
+- int res;
++ if (rsvd_nodes <= 0)
++ return 0;
+
++ while (tree->free_nodes < rsvd_nodes) {
+ res = hfsplus_file_extend(inode, hfs_bnode_need_zeroout(tree));
+ if (res)
+- return ERR_PTR(res);
++ return res;
+ hip->phys_size = inode->i_size =
+ (loff_t)hip->alloc_blocks <<
+ HFSPLUS_SB(tree->sb)->alloc_blksz_shift;
+@@ -369,9 +364,26 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
+ hip->alloc_blocks << HFSPLUS_SB(tree->sb)->fs_shift;
+ inode_set_bytes(inode, inode->i_size);
+ count = inode->i_size >> tree->node_size_shift;
+- tree->free_nodes = count - tree->node_count;
++ tree->free_nodes += count - tree->node_count;
+ tree->node_count = count;
+ }
++ return 0;
++}
++
++struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
++{
++ struct hfs_bnode *node, *next_node;
++ struct page **pagep;
++ u32 nidx, idx;
++ unsigned off;
++ u16 off16;
++ u16 len;
++ u8 *data, byte, m;
++ int i, res;
++
++ res = hfs_bmap_reserve(tree, 1);
++ if (res)
++ return ERR_PTR(res);
+
+ nidx = 0;
+ node = hfs_bnode_find(tree, nidx);
+diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
+index a196369ba779f..35472cba750e1 100644
+--- a/fs/hfsplus/catalog.c
++++ b/fs/hfsplus/catalog.c
+@@ -265,6 +265,14 @@ int hfsplus_create_cat(u32 cnid, struct inode *dir,
+ if (err)
+ return err;
+
++ /*
++ * Fail early and avoid ENOSPC during the btree operations. We may
++ * have to split the root node at most once.
++ */
++ err = hfs_bmap_reserve(fd.tree, 2 * fd.tree->depth);
++ if (err)
++ goto err2;
++
+ hfsplus_cat_build_key_with_cnid(sb, fd.search_key, cnid);
+ entry_size = hfsplus_fill_cat_thread(sb, &entry,
+ S_ISDIR(inode->i_mode) ?
+@@ -333,6 +341,14 @@ int hfsplus_delete_cat(u32 cnid, struct inode *dir, const struct qstr *str)
+ if (err)
+ return err;
+
++ /*
++ * Fail early and avoid ENOSPC during the btree operations. We may
++ * have to split the root node at most once.
++ */
++ err = hfs_bmap_reserve(fd.tree, 2 * (int)fd.tree->depth - 2);
++ if (err)
++ goto out;
++
+ if (!str) {
+ int len;
+
+@@ -433,6 +449,14 @@ int hfsplus_rename_cat(u32 cnid,
+ return err;
+ dst_fd = src_fd;
+
++ /*
++ * Fail early and avoid ENOSPC during the btree operations. We may
++ * have to split the root node at most twice.
++ */
++ err = hfs_bmap_reserve(src_fd.tree, 4 * (int)src_fd.tree->depth - 1);
++ if (err)
++ goto out;
++
+ /* find the old dir entry and read the data */
+ err = hfsplus_cat_build_key(sb, src_fd.search_key,
+ src_dir->i_ino, src_name);
+diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c
+index 8e0f59767694b..8a8893d522ef3 100644
+--- a/fs/hfsplus/extents.c
++++ b/fs/hfsplus/extents.c
+@@ -100,6 +100,10 @@ static int __hfsplus_ext_write_extent(struct inode *inode,
+ if (hip->extent_state & HFSPLUS_EXT_NEW) {
+ if (res != -ENOENT)
+ return res;
++ /* Fail early and avoid ENOSPC during the btree operation */
++ res = hfs_bmap_reserve(fd->tree, fd->tree->depth + 1);
++ if (res)
++ return res;
+ hfs_brec_insert(fd, hip->cached_extents,
+ sizeof(hfsplus_extent_rec));
+ hip->extent_state &= ~(HFSPLUS_EXT_DIRTY | HFSPLUS_EXT_NEW);
+diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
+index 8e039435958a8..dd7ad9f13e3aa 100644
+--- a/fs/hfsplus/hfsplus_fs.h
++++ b/fs/hfsplus/hfsplus_fs.h
+@@ -311,6 +311,7 @@ static inline unsigned short hfsplus_min_io_size(struct super_block *sb)
+ #define hfs_btree_open hfsplus_btree_open
+ #define hfs_btree_close hfsplus_btree_close
+ #define hfs_btree_write hfsplus_btree_write
++#define hfs_bmap_reserve hfsplus_bmap_reserve
+ #define hfs_bmap_alloc hfsplus_bmap_alloc
+ #define hfs_bmap_free hfsplus_bmap_free
+ #define hfs_bnode_read hfsplus_bnode_read
+@@ -395,6 +396,7 @@ u32 hfsplus_calc_btree_clump_size(u32 block_size, u32 node_size, u64 sectors,
+ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id);
+ void hfs_btree_close(struct hfs_btree *tree);
+ int hfs_btree_write(struct hfs_btree *tree);
++int hfs_bmap_reserve(struct hfs_btree *tree, int rsvd_nodes);
+ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree);
+ void hfs_bmap_free(struct hfs_bnode *node);
+
+--
+2.20.1
+
--- /dev/null
+From 8d2566c171c905669614f1033467ffdc439b3459 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:06:27 -0700
+Subject: hfsplus: update timestamps on truncate()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit dc8844aada735890a6de109bef327f5df36a982e ]
+
+The vfs takes care of updating ctime and mtime on ftruncate(), but on
+truncate() it must be done by the module.
+
+This patch can be tested with xfstests generic/313.
+
+Link: http://lkml.kernel.org/r/9beb0913eea37288599e8e1b7cec8768fb52d1b8.1539316825.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Reviewed-by: Vyacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c
+index 8e9427a42b819..d7ab9d8c4b674 100644
+--- a/fs/hfsplus/inode.c
++++ b/fs/hfsplus/inode.c
+@@ -261,6 +261,7 @@ static int hfsplus_setattr(struct dentry *dentry, struct iattr *attr)
+ }
+ truncate_setsize(inode, attr->ia_size);
+ hfsplus_file_truncate(inode);
++ inode->i_mtime = inode->i_ctime = current_time(inode);
+ }
+
+ setattr_copy(inode, attr);
+--
+2.20.1
+
--- /dev/null
+From 5f91b71fcea9890a09004a77767f8bb255679d5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 12:01:48 +0900
+Subject: i2c: uniphier-f: fix occasional timeout error
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+[ Upstream commit 39226aaa85f002d695e3cafade3309e12ffdaecd ]
+
+Currently, a timeout error could happen at a repeated START condition.
+
+For a (non-repeated) START condition, the controller starts sending
+data when the UNIPHIER_FI2C_CR_STA bit is set. However, for a repeated
+START condition, the hardware starts running when the slave address is
+written to the TX FIFO - the write to the UNIPHIER_FI2C_CR register is
+actually unneeded.
+
+Because the hardware is already running before the IRQ is enabled for
+a repeated START, the driver may miss the IRQ event. In most cases,
+this problem does not show up since modern CPUs are much faster than
+the I2C transfer. However, it is still possible that a context switch
+happens after the controller starts, but before the IRQ register is
+set up.
+
+To fix this,
+
+ - Do not write UNIPHIER_FI2C_CR for repeated START conditions.
+
+ - Enable IRQ *before* writing the slave address to the TX FIFO.
+
+ - Disable IRQ for the current CPU while queuing up the TX FIFO;
+ If the CPU is interrupted by some task, the interrupt handler
+ might be invoked due to the empty TX FIFO before completing the
+ setup.
+
+Fixes: 6a62974b667f ("i2c: uniphier_f: add UniPhier FIFO-builtin I2C driver")
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-uniphier-f.c | 33 ++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-uniphier-f.c b/drivers/i2c/busses/i2c-uniphier-f.c
+index b9a0690b4fd73..bbd5b137aa216 100644
+--- a/drivers/i2c/busses/i2c-uniphier-f.c
++++ b/drivers/i2c/busses/i2c-uniphier-f.c
+@@ -260,6 +260,8 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
+ static void uniphier_fi2c_tx_init(struct uniphier_fi2c_priv *priv, u16 addr)
+ {
+ priv->enabled_irqs |= UNIPHIER_FI2C_INT_TE;
++ uniphier_fi2c_set_irqs(priv);
++
+ /* do not use TX byte counter */
+ writel(0, priv->membase + UNIPHIER_FI2C_TBC);
+ /* set slave address */
+@@ -292,6 +294,8 @@ static void uniphier_fi2c_rx_init(struct uniphier_fi2c_priv *priv, u16 addr)
+ priv->enabled_irqs |= UNIPHIER_FI2C_INT_RF;
+ }
+
++ uniphier_fi2c_set_irqs(priv);
++
+ /* set slave address with RD bit */
+ writel(UNIPHIER_FI2C_DTTX_CMD | UNIPHIER_FI2C_DTTX_RD | addr << 1,
+ priv->membase + UNIPHIER_FI2C_DTTX);
+@@ -315,14 +319,16 @@ static void uniphier_fi2c_recover(struct uniphier_fi2c_priv *priv)
+ }
+
+ static int uniphier_fi2c_master_xfer_one(struct i2c_adapter *adap,
+- struct i2c_msg *msg, bool stop)
++ struct i2c_msg *msg, bool repeat,
++ bool stop)
+ {
+ struct uniphier_fi2c_priv *priv = i2c_get_adapdata(adap);
+ bool is_read = msg->flags & I2C_M_RD;
+ unsigned long time_left, flags;
+
+- dev_dbg(&adap->dev, "%s: addr=0x%02x, len=%d, stop=%d\n",
+- is_read ? "receive" : "transmit", msg->addr, msg->len, stop);
++ dev_dbg(&adap->dev, "%s: addr=0x%02x, len=%d, repeat=%d, stop=%d\n",
++ is_read ? "receive" : "transmit", msg->addr, msg->len,
++ repeat, stop);
+
+ priv->len = msg->len;
+ priv->buf = msg->buf;
+@@ -338,16 +344,24 @@ static int uniphier_fi2c_master_xfer_one(struct i2c_adapter *adap,
+ writel(UNIPHIER_FI2C_RST_TBRST | UNIPHIER_FI2C_RST_RBRST,
+ priv->membase + UNIPHIER_FI2C_RST); /* reset TX/RX FIFO */
+
++ spin_lock_irqsave(&priv->lock, flags);
++
+ if (is_read)
+ uniphier_fi2c_rx_init(priv, msg->addr);
+ else
+ uniphier_fi2c_tx_init(priv, msg->addr);
+
+- uniphier_fi2c_set_irqs(priv);
+-
+ dev_dbg(&adap->dev, "start condition\n");
+- writel(UNIPHIER_FI2C_CR_MST | UNIPHIER_FI2C_CR_STA,
+- priv->membase + UNIPHIER_FI2C_CR);
++ /*
++ * For a repeated START condition, writing a slave address to the FIFO
++ * kicks the controller. So, the UNIPHIER_FI2C_CR register should be
++ * written only for a non-repeated START condition.
++ */
++ if (!repeat)
++ writel(UNIPHIER_FI2C_CR_MST | UNIPHIER_FI2C_CR_STA,
++ priv->membase + UNIPHIER_FI2C_CR);
++
++ spin_unlock_irqrestore(&priv->lock, flags);
+
+ time_left = wait_for_completion_timeout(&priv->comp, adap->timeout);
+
+@@ -408,6 +422,7 @@ static int uniphier_fi2c_master_xfer(struct i2c_adapter *adap,
+ struct i2c_msg *msgs, int num)
+ {
+ struct i2c_msg *msg, *emsg = msgs + num;
++ bool repeat = false;
+ int ret;
+
+ ret = uniphier_fi2c_check_bus_busy(adap);
+@@ -418,9 +433,11 @@ static int uniphier_fi2c_master_xfer(struct i2c_adapter *adap,
+ /* Emit STOP if it is the last message or I2C_M_STOP is set. */
+ bool stop = (msg + 1 == emsg) || (msg->flags & I2C_M_STOP);
+
+- ret = uniphier_fi2c_master_xfer_one(adap, msg, stop);
++ ret = uniphier_fi2c_master_xfer_one(adap, msg, repeat, stop);
+ if (ret)
+ return ret;
++
++ repeat = !stop;
+ }
+
+ return num;
+--
+2.20.1
+
--- /dev/null
+From 9c238b84226ca592dbeeb6c4106f4f19de901aa9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 12:01:49 +0900
+Subject: i2c: uniphier-f: fix race condition when IRQ is cleared
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+[ Upstream commit eaba68785c2d24ebf1f0d46c24e11b79cc2f94c7 ]
+
+The current IRQ handler clears all the IRQ status bits when it bails
+out. This is dangerous because it might clear away the status bits
+that have just been set while processing the current handler. If this
+happens, the IRQ event for the latest transfer is lost forever.
+
+The IRQ status bits must be cleared *before* the next transfer is
+kicked.
+
+Fixes: 6a62974b667f ("i2c: uniphier_f: add UniPhier FIFO-builtin I2C driver")
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-uniphier-f.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-uniphier-f.c b/drivers/i2c/busses/i2c-uniphier-f.c
+index bbd5b137aa216..928ea9930d17e 100644
+--- a/drivers/i2c/busses/i2c-uniphier-f.c
++++ b/drivers/i2c/busses/i2c-uniphier-f.c
+@@ -143,9 +143,10 @@ static void uniphier_fi2c_set_irqs(struct uniphier_fi2c_priv *priv)
+ writel(priv->enabled_irqs, priv->membase + UNIPHIER_FI2C_IE);
+ }
+
+-static void uniphier_fi2c_clear_irqs(struct uniphier_fi2c_priv *priv)
++static void uniphier_fi2c_clear_irqs(struct uniphier_fi2c_priv *priv,
++ u32 mask)
+ {
+- writel(-1, priv->membase + UNIPHIER_FI2C_IC);
++ writel(mask, priv->membase + UNIPHIER_FI2C_IC);
+ }
+
+ static void uniphier_fi2c_stop(struct uniphier_fi2c_priv *priv)
+@@ -172,6 +173,8 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
+ "interrupt: enabled_irqs=%04x, irq_status=%04x\n",
+ priv->enabled_irqs, irq_status);
+
++ uniphier_fi2c_clear_irqs(priv, irq_status);
++
+ if (irq_status & UNIPHIER_FI2C_INT_STOP)
+ goto complete;
+
+@@ -250,8 +253,6 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
+ }
+
+ handled:
+- uniphier_fi2c_clear_irqs(priv);
+-
+ spin_unlock(&priv->lock);
+
+ return IRQ_HANDLED;
+@@ -340,7 +341,7 @@ static int uniphier_fi2c_master_xfer_one(struct i2c_adapter *adap,
+ priv->flags |= UNIPHIER_FI2C_STOP;
+
+ reinit_completion(&priv->comp);
+- uniphier_fi2c_clear_irqs(priv);
++ uniphier_fi2c_clear_irqs(priv, U32_MAX);
+ writel(UNIPHIER_FI2C_RST_TBRST | UNIPHIER_FI2C_RST_RBRST,
+ priv->membase + UNIPHIER_FI2C_RST); /* reset TX/RX FIFO */
+
+--
+2.20.1
+
--- /dev/null
+From 3761cac4bb613fc13e665de11ba12e7c668cd24a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Dec 2018 12:55:25 +0900
+Subject: i2c: uniphier-f: fix timeout error after reading 8 bytes
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+[ Upstream commit c2a653deaa81f5a750c0dfcbaf9f8e5195cbe4a5 ]
+
+I was totally screwed up in commit eaba68785c2d ("i2c: uniphier-f:
+fix race condition when IRQ is cleared"). Since that commit, if the
+number of read bytes is multiple of the FIFO size (8, 16, 24... bytes),
+the STOP condition could be issued twice, depending on the timing.
+If this happens, the controller will go wrong, resulting in the timeout
+error.
+
+It was more than 3 years ago when I wrote this driver, so my memory
+about this hardware was vague. Please let me correct the description
+in the commit log of eaba68785c2d.
+
+Clearing the IRQ status on exiting the IRQ handler is absolutely
+fine. This controller makes a pause while any IRQ status is asserted.
+If the IRQ status is cleared first, the hardware may start the next
+transaction before the IRQ handler finishes what it supposed to do.
+
+This partially reverts the bad commit with clear comments so that I
+will never repeat this mistake.
+
+I also investigated what is happening at the last moment of the read
+mode. The UNIPHIER_FI2C_INT_RF interrupt is asserted a bit earlier
+(by half a period of the clock cycle) than UNIPHIER_FI2C_INT_RB.
+
+I consulted a hardware engineer, and I got the following information:
+
+UNIPHIER_FI2C_INT_RF
+ asserted at the falling edge of SCL at the 8th bit.
+
+UNIPHIER_FI2C_INT_RB
+ asserted at the rising edge of SCL at the 9th (ACK) bit.
+
+In order to avoid calling uniphier_fi2c_stop() twice, check the latter
+interrupt. I also commented this because it is obscure hardware internal.
+
+Fixes: eaba68785c2d ("i2c: uniphier-f: fix race condition when IRQ is cleared")
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-uniphier-f.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-uniphier-f.c b/drivers/i2c/busses/i2c-uniphier-f.c
+index 928ea9930d17e..dd0687e36a47b 100644
+--- a/drivers/i2c/busses/i2c-uniphier-f.c
++++ b/drivers/i2c/busses/i2c-uniphier-f.c
+@@ -173,8 +173,6 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
+ "interrupt: enabled_irqs=%04x, irq_status=%04x\n",
+ priv->enabled_irqs, irq_status);
+
+- uniphier_fi2c_clear_irqs(priv, irq_status);
+-
+ if (irq_status & UNIPHIER_FI2C_INT_STOP)
+ goto complete;
+
+@@ -214,7 +212,13 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
+
+ if (irq_status & (UNIPHIER_FI2C_INT_RF | UNIPHIER_FI2C_INT_RB)) {
+ uniphier_fi2c_drain_rxfifo(priv);
+- if (!priv->len)
++ /*
++ * If the number of bytes to read is multiple of the FIFO size
++ * (msg->len == 8, 16, 24, ...), the INT_RF bit is set a little
++ * earlier than INT_RB. We wait for INT_RB to confirm the
++ * completion of the current message.
++ */
++ if (!priv->len && (irq_status & UNIPHIER_FI2C_INT_RB))
+ goto data_done;
+
+ if (unlikely(priv->flags & UNIPHIER_FI2C_MANUAL_NACK)) {
+@@ -253,6 +257,13 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
+ }
+
+ handled:
++ /*
++ * This controller makes a pause while any bit of the IRQ status is
++ * asserted. Clear the asserted bit to kick the controller just before
++ * exiting the handler.
++ */
++ uniphier_fi2c_clear_irqs(priv, irq_status);
++
+ spin_unlock(&priv->lock);
+
+ return IRQ_HANDLED;
+--
+2.20.1
+
--- /dev/null
+From 93bddcc4d87b82b6dae0cbe4f70dabb3261d382d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 12:01:47 +0900
+Subject: i2c: uniphier-f: make driver robust against concurrency
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+[ Upstream commit f1fdcbbdf45d9609f3d4063b67e9ea941ba3a58f ]
+
+This is unlikely to happen, but it is possible for a CPU to enter
+the interrupt handler just after wait_for_completion_timeout() has
+expired. If this happens, the hardware is accessed from multiple
+contexts concurrently.
+
+Disable the IRQ after wait_for_completion_timeout(), and do nothing
+from the handler when the IRQ is disabled.
+
+Fixes: 6a62974b667f ("i2c: uniphier_f: add UniPhier FIFO-builtin I2C driver")
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-uniphier-f.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-uniphier-f.c b/drivers/i2c/busses/i2c-uniphier-f.c
+index bc26ec822e268..b9a0690b4fd73 100644
+--- a/drivers/i2c/busses/i2c-uniphier-f.c
++++ b/drivers/i2c/busses/i2c-uniphier-f.c
+@@ -98,6 +98,7 @@ struct uniphier_fi2c_priv {
+ unsigned int flags;
+ unsigned int busy_cnt;
+ unsigned int clk_cycle;
++ spinlock_t lock; /* IRQ synchronization */
+ };
+
+ static void uniphier_fi2c_fill_txfifo(struct uniphier_fi2c_priv *priv,
+@@ -162,7 +163,10 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
+ struct uniphier_fi2c_priv *priv = dev_id;
+ u32 irq_status;
+
++ spin_lock(&priv->lock);
++
+ irq_status = readl(priv->membase + UNIPHIER_FI2C_INT);
++ irq_status &= priv->enabled_irqs;
+
+ dev_dbg(&priv->adap.dev,
+ "interrupt: enabled_irqs=%04x, irq_status=%04x\n",
+@@ -230,6 +234,8 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
+ goto handled;
+ }
+
++ spin_unlock(&priv->lock);
++
+ return IRQ_NONE;
+
+ data_done:
+@@ -246,6 +252,8 @@ static irqreturn_t uniphier_fi2c_interrupt(int irq, void *dev_id)
+ handled:
+ uniphier_fi2c_clear_irqs(priv);
+
++ spin_unlock(&priv->lock);
++
+ return IRQ_HANDLED;
+ }
+
+@@ -311,7 +319,7 @@ static int uniphier_fi2c_master_xfer_one(struct i2c_adapter *adap,
+ {
+ struct uniphier_fi2c_priv *priv = i2c_get_adapdata(adap);
+ bool is_read = msg->flags & I2C_M_RD;
+- unsigned long time_left;
++ unsigned long time_left, flags;
+
+ dev_dbg(&adap->dev, "%s: addr=0x%02x, len=%d, stop=%d\n",
+ is_read ? "receive" : "transmit", msg->addr, msg->len, stop);
+@@ -342,6 +350,12 @@ static int uniphier_fi2c_master_xfer_one(struct i2c_adapter *adap,
+ priv->membase + UNIPHIER_FI2C_CR);
+
+ time_left = wait_for_completion_timeout(&priv->comp, adap->timeout);
++
++ spin_lock_irqsave(&priv->lock, flags);
++ priv->enabled_irqs = 0;
++ uniphier_fi2c_set_irqs(priv);
++ spin_unlock_irqrestore(&priv->lock, flags);
++
+ if (!time_left) {
+ dev_err(&adap->dev, "transaction timeout.\n");
+ uniphier_fi2c_recover(priv);
+@@ -546,6 +560,7 @@ static int uniphier_fi2c_probe(struct platform_device *pdev)
+
+ priv->clk_cycle = clk_rate / bus_speed;
+ init_completion(&priv->comp);
++ spin_lock_init(&priv->lock);
+ priv->adap.owner = THIS_MODULE;
+ priv->adap.algo = &uniphier_fi2c_algo;
+ priv->adap.dev.parent = dev;
+--
+2.20.1
+
--- /dev/null
+From decc82e346f7a318b738d205439b0ded54ddb406 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Oct 2018 13:13:39 +0200
+Subject: igb: shorten maximum PHC timecounter update interval
+
+From: Miroslav Lichvar <mlichvar@redhat.com>
+
+[ Upstream commit 094bf4d0e9657f6ea1ee3d7e07ce3970796949ce ]
+
+The timecounter needs to be updated at least once per ~550 seconds in
+order to avoid a 40-bit SYSTIM timestamp to be misinterpreted as an old
+timestamp.
+
+Since commit 500462a9d ("timers: Switch to a non-cascading wheel"),
+scheduling of delayed work seems to be less accurate and a requested
+delay of 540 seconds may actually be longer than 550 seconds. Shorten
+the delay to 480 seconds to be sure the timecounter is updated in time.
+
+This fixes an issue with HW timestamps on 82580/I350/I354 being off by
+~1100 seconds for few seconds every ~9 minutes.
+
+Cc: Jacob Keller <jacob.e.keller@intel.com>
+Cc: Richard Cochran <richardcochran@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_ptp.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_ptp.c b/drivers/net/ethernet/intel/igb/igb_ptp.c
+index 9f4d700e09df3..29ced6b74d364 100644
+--- a/drivers/net/ethernet/intel/igb/igb_ptp.c
++++ b/drivers/net/ethernet/intel/igb/igb_ptp.c
+@@ -51,9 +51,15 @@
+ *
+ * The 40 bit 82580 SYSTIM overflows every
+ * 2^40 * 10^-9 / 60 = 18.3 minutes.
++ *
++ * SYSTIM is converted to real time using a timecounter. As
++ * timecounter_cyc2time() allows old timestamps, the timecounter
++ * needs to be updated at least once per half of the SYSTIM interval.
++ * Scheduling of delayed work is not very accurate, so we aim for 8
++ * minutes to be sure the actual interval is shorter than 9.16 minutes.
+ */
+
+-#define IGB_SYSTIM_OVERFLOW_PERIOD (HZ * 60 * 9)
++#define IGB_SYSTIM_OVERFLOW_PERIOD (HZ * 60 * 8)
+ #define IGB_PTP_TX_TIMEOUT (HZ * 15)
+ #define INCPERIOD_82576 BIT(E1000_TIMINCA_16NS_SHIFT)
+ #define INCVALUE_82576_MASK GENMASK(E1000_TIMINCA_16NS_SHIFT - 1, 0)
+--
+2.20.1
+
--- /dev/null
+From 7a3bd14fd21d69a8e5be3be003ea788f45c8533f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Oct 2018 11:30:35 +0800
+Subject: ipv4/igmp: fix v1/v2 switchback timeout based on rfc3376, 8.12
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 966c37f2d77eb44d47af8e919267b1ba675b2eca ]
+
+Similiar with ipv6 mcast commit 89225d1ce6af3 ("net: ipv6: mld: fix v1/v2
+switchback timeout to rfc3810, 9.12.")
+
+i) RFC3376 8.12. Older Version Querier Present Timeout says:
+
+ The Older Version Querier Interval is the time-out for transitioning
+ a host back to IGMPv3 mode once an older version query is heard.
+ When an older version query is received, hosts set their Older
+ Version Querier Present Timer to Older Version Querier Interval.
+
+ This value MUST be ((the Robustness Variable) times (the Query
+ Interval in the last Query received)) plus (one Query Response
+ Interval).
+
+Currently we only use a hardcode value IGMP_V1/v2_ROUTER_PRESENT_TIMEOUT.
+Fix it by adding two new items mr_qi(Query Interval) and mr_qri(Query Response
+Interval) in struct in_device.
+
+Now we can calculate the switchback time via (mr_qrv * mr_qi) + mr_qri.
+We need update these values when receive IGMPv3 queries.
+
+Reported-by: Ying Xu <yinxu@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/inetdevice.h | 4 ++-
+ net/ipv4/igmp.c | 53 ++++++++++++++++++++++++++------------
+ 2 files changed, 39 insertions(+), 18 deletions(-)
+
+diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
+index c759d1cbcedd8..a64f21a97369a 100644
+--- a/include/linux/inetdevice.h
++++ b/include/linux/inetdevice.h
+@@ -37,7 +37,9 @@ struct in_device {
+ unsigned long mr_v1_seen;
+ unsigned long mr_v2_seen;
+ unsigned long mr_maxdelay;
+- unsigned char mr_qrv;
++ unsigned long mr_qi; /* Query Interval */
++ unsigned long mr_qri; /* Query Response Interval */
++ unsigned char mr_qrv; /* Query Robustness Variable */
+ unsigned char mr_gq_running;
+ unsigned char mr_ifc_count;
+ struct timer_list mr_gq_timer; /* general query timer */
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index b2240b7f225d5..523d26f5e22e2 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -111,13 +111,10 @@
+ #ifdef CONFIG_IP_MULTICAST
+ /* Parameter names and values are taken from igmp-v2-06 draft */
+
+-#define IGMP_V1_ROUTER_PRESENT_TIMEOUT (400*HZ)
+-#define IGMP_V2_ROUTER_PRESENT_TIMEOUT (400*HZ)
+ #define IGMP_V2_UNSOLICITED_REPORT_INTERVAL (10*HZ)
+ #define IGMP_V3_UNSOLICITED_REPORT_INTERVAL (1*HZ)
++#define IGMP_QUERY_INTERVAL (125*HZ)
+ #define IGMP_QUERY_RESPONSE_INTERVAL (10*HZ)
+-#define IGMP_QUERY_ROBUSTNESS_VARIABLE 2
+-
+
+ #define IGMP_INITIAL_REPORT_DELAY (1)
+
+@@ -953,13 +950,15 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
+
+ max_delay = IGMP_QUERY_RESPONSE_INTERVAL;
+ in_dev->mr_v1_seen = jiffies +
+- IGMP_V1_ROUTER_PRESENT_TIMEOUT;
++ (in_dev->mr_qrv * in_dev->mr_qi) +
++ in_dev->mr_qri;
+ group = 0;
+ } else {
+ /* v2 router present */
+ max_delay = ih->code*(HZ/IGMP_TIMER_SCALE);
+ in_dev->mr_v2_seen = jiffies +
+- IGMP_V2_ROUTER_PRESENT_TIMEOUT;
++ (in_dev->mr_qrv * in_dev->mr_qi) +
++ in_dev->mr_qri;
+ }
+ /* cancel the interface change timer */
+ in_dev->mr_ifc_count = 0;
+@@ -999,8 +998,21 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
+ if (!max_delay)
+ max_delay = 1; /* can't mod w/ 0 */
+ in_dev->mr_maxdelay = max_delay;
+- if (ih3->qrv)
+- in_dev->mr_qrv = ih3->qrv;
++
++ /* RFC3376, 4.1.6. QRV and 4.1.7. QQIC, when the most recently
++ * received value was zero, use the default or statically
++ * configured value.
++ */
++ in_dev->mr_qrv = ih3->qrv ?: net->ipv4.sysctl_igmp_qrv;
++ in_dev->mr_qi = IGMPV3_QQIC(ih3->qqic)*HZ ?: IGMP_QUERY_INTERVAL;
++
++ /* RFC3376, 8.3. Query Response Interval:
++ * The number of seconds represented by the [Query Response
++ * Interval] must be less than the [Query Interval].
++ */
++ if (in_dev->mr_qri >= in_dev->mr_qi)
++ in_dev->mr_qri = (in_dev->mr_qi/HZ - 1)*HZ;
++
+ if (!group) { /* general query */
+ if (ih3->nsrcs)
+ return true; /* no sources allowed */
+@@ -1738,18 +1750,30 @@ void ip_mc_down(struct in_device *in_dev)
+ ip_mc_dec_group(in_dev, IGMP_ALL_HOSTS);
+ }
+
+-void ip_mc_init_dev(struct in_device *in_dev)
+-{
+ #ifdef CONFIG_IP_MULTICAST
++static void ip_mc_reset(struct in_device *in_dev)
++{
+ struct net *net = dev_net(in_dev->dev);
++
++ in_dev->mr_qi = IGMP_QUERY_INTERVAL;
++ in_dev->mr_qri = IGMP_QUERY_RESPONSE_INTERVAL;
++ in_dev->mr_qrv = net->ipv4.sysctl_igmp_qrv;
++}
++#else
++static void ip_mc_reset(struct in_device *in_dev)
++{
++}
+ #endif
++
++void ip_mc_init_dev(struct in_device *in_dev)
++{
+ ASSERT_RTNL();
+
+ #ifdef CONFIG_IP_MULTICAST
+ timer_setup(&in_dev->mr_gq_timer, igmp_gq_timer_expire, 0);
+ timer_setup(&in_dev->mr_ifc_timer, igmp_ifc_timer_expire, 0);
+- in_dev->mr_qrv = net->ipv4.sysctl_igmp_qrv;
+ #endif
++ ip_mc_reset(in_dev);
+
+ spin_lock_init(&in_dev->mc_tomb_lock);
+ }
+@@ -1759,15 +1783,10 @@ void ip_mc_init_dev(struct in_device *in_dev)
+ void ip_mc_up(struct in_device *in_dev)
+ {
+ struct ip_mc_list *pmc;
+-#ifdef CONFIG_IP_MULTICAST
+- struct net *net = dev_net(in_dev->dev);
+-#endif
+
+ ASSERT_RTNL();
+
+-#ifdef CONFIG_IP_MULTICAST
+- in_dev->mr_qrv = net->ipv4.sysctl_igmp_qrv;
+-#endif
++ ip_mc_reset(in_dev);
+ ip_mc_inc_group(in_dev, IGMP_ALL_HOSTS);
+
+ for_each_pmc_rtnl(in_dev, pmc) {
+--
+2.20.1
+
--- /dev/null
+From 21c5e53df6068d00d5a7f2a6155be3ba8f61368e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Dec 2018 15:27:38 -0800
+Subject: ipv6: Fix handling of LLA with VRF and sockets bound to VRF
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit c2027d1e17582903e368abf5d4838b22a98f2b7b ]
+
+A recent commit allows sockets bound to a VRF to receive ipv6 link local
+packets. However, it only works for UDP and worse TCP connection attempts
+to the LLA with the only listener bound to the VRF just hang where as
+before the client gets a reset and connection refused. Fix by adjusting
+ir_iif for LL addresses and packets received through a device enslaved
+to a VRF.
+
+Fixes: 6f12fa775530 ("vrf: mark skb for multicast or link-local as enslaved to VRF")
+Reported-by: Donald Sharp <sharpd@cumulusnetworks.com>
+Cc: Mike Manning <mmanning@vyatta.att-mail.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/tcp_ipv6.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index e7cdfa92c3820..9a117a79af659 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -734,6 +734,7 @@ static void tcp_v6_init_req(struct request_sock *req,
+ const struct sock *sk_listener,
+ struct sk_buff *skb)
+ {
++ bool l3_slave = ipv6_l3mdev_skb(TCP_SKB_CB(skb)->header.h6.flags);
+ struct inet_request_sock *ireq = inet_rsk(req);
+ const struct ipv6_pinfo *np = inet6_sk(sk_listener);
+
+@@ -741,7 +742,7 @@ static void tcp_v6_init_req(struct request_sock *req,
+ ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
+
+ /* So that link locals have meaning */
+- if (!sk_listener->sk_bound_dev_if &&
++ if ((!sk_listener->sk_bound_dev_if || l3_slave) &&
+ ipv6_addr_type(&ireq->ir_v6_rmt_addr) & IPV6_ADDR_LINKLOCAL)
+ ireq->ir_iif = tcp_v6_iif(skb);
+
+--
+2.20.1
+
--- /dev/null
+From ac29588786c5c315e46f9d845b59e27b31701029 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Nov 2018 00:35:05 +0000
+Subject: irq/matrix: Fix memory overallocation
+
+From: Michael Kelley <mikelley@microsoft.com>
+
+[ Upstream commit 57f01796f14fecf00d330fe39c8d2477ced9cd79 ]
+
+IRQ_MATRIX_SIZE is the number of longs needed for a bitmap, multiplied by
+the size of a long, yielding a byte count. But it is used to size an array
+of longs, which is way more memory than is needed.
+
+Change IRQ_MATRIX_SIZE so it is just the number of longs needed and the
+arrays come out the correct size.
+
+Fixes: 2f75d9e1c905 ("genirq: Implement bitmap matrix allocator")
+Signed-off-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: KY Srinivasan <kys@microsoft.com>
+Link: https://lkml.kernel.org/r/1541032428-10392-1-git-send-email-mikelley@microsoft.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/irq/matrix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/irq/matrix.c b/kernel/irq/matrix.c
+index 92337703ca9fd..30cc217b86318 100644
+--- a/kernel/irq/matrix.c
++++ b/kernel/irq/matrix.c
+@@ -8,7 +8,7 @@
+ #include <linux/cpu.h>
+ #include <linux/irq.h>
+
+-#define IRQ_MATRIX_SIZE (BITS_TO_LONGS(IRQ_MATRIX_BITS) * sizeof(unsigned long))
++#define IRQ_MATRIX_SIZE (BITS_TO_LONGS(IRQ_MATRIX_BITS))
+
+ struct cpumap {
+ unsigned int available;
+--
+2.20.1
+
--- /dev/null
+From 7039a57396329fc2abc2323d7da4a5216628c5fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:07:13 -0700
+Subject: kernel/panic.c: do not append newline to the stack protector panic
+ string
+
+From: Borislav Petkov <bp@suse.de>
+
+[ Upstream commit 95c4fb78fb23081472465ca20d5d31c4b780ed82 ]
+
+... because panic() itself already does this. Otherwise you have
+line-broken trailer:
+
+ [ 1.836965] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: pgd_alloc+0x29e/0x2a0
+ [ 1.836965] ]---
+
+Link: http://lkml.kernel.org/r/20181008202901.7894-1-bp@alien8.de
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
+Cc: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/panic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/panic.c b/kernel/panic.c
+index 72e001e3753e3..8138a676fb7d1 100644
+--- a/kernel/panic.c
++++ b/kernel/panic.c
+@@ -636,7 +636,7 @@ device_initcall(register_warn_debugfs);
+ */
+ __visible void __stack_chk_fail(void)
+ {
+- panic("stack-protector: Kernel stack is corrupted in: %pB\n",
++ panic("stack-protector: Kernel stack is corrupted in: %pB",
+ __builtin_return_address(0));
+ }
+ EXPORT_SYMBOL(__stack_chk_fail);
+--
+2.20.1
+
--- /dev/null
+From cfceae8b67e36504e0e7180fd7ebf27942310088 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Oct 2018 16:59:51 -0400
+Subject: kprobes, x86/ptrace.h: Make regs_get_kernel_stack_nth() not fault on
+ bad stack
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+[ Upstream commit c2712b858187f5bcd7b042fe4daa3ba3a12635c0 ]
+
+Andy had some concerns about using regs_get_kernel_stack_nth() in a new
+function regs_get_kernel_argument() as if there's any error in the stack
+code, it could cause a bad memory access. To be on the safe side, call
+probe_kernel_read() on the stack address to be extra careful in accessing
+the memory. A helper function, regs_get_kernel_stack_nth_addr(), was added
+to just return the stack address (or NULL if not on the stack), that will be
+used to find the address (and could be used by other functions) and read the
+address with kernel_probe_read().
+
+Requested-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20181017165951.09119177@gandalf.local.home
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/ptrace.h | 42 +++++++++++++++++++++++++++++------
+ 1 file changed, 35 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
+index 6de1fd3d00974..ee696efec99fd 100644
+--- a/arch/x86/include/asm/ptrace.h
++++ b/arch/x86/include/asm/ptrace.h
+@@ -236,24 +236,52 @@ static inline int regs_within_kernel_stack(struct pt_regs *regs,
+ (kernel_stack_pointer(regs) & ~(THREAD_SIZE - 1)));
+ }
+
++/**
++ * regs_get_kernel_stack_nth_addr() - get the address of the Nth entry on stack
++ * @regs: pt_regs which contains kernel stack pointer.
++ * @n: stack entry number.
++ *
++ * regs_get_kernel_stack_nth() returns the address of the @n th entry of the
++ * kernel stack which is specified by @regs. If the @n th entry is NOT in
++ * the kernel stack, this returns NULL.
++ */
++static inline unsigned long *regs_get_kernel_stack_nth_addr(struct pt_regs *regs, unsigned int n)
++{
++ unsigned long *addr = (unsigned long *)kernel_stack_pointer(regs);
++
++ addr += n;
++ if (regs_within_kernel_stack(regs, (unsigned long)addr))
++ return addr;
++ else
++ return NULL;
++}
++
++/* To avoid include hell, we can't include uaccess.h */
++extern long probe_kernel_read(void *dst, const void *src, size_t size);
++
+ /**
+ * regs_get_kernel_stack_nth() - get Nth entry of the stack
+ * @regs: pt_regs which contains kernel stack pointer.
+ * @n: stack entry number.
+ *
+ * regs_get_kernel_stack_nth() returns @n th entry of the kernel stack which
+- * is specified by @regs. If the @n th entry is NOT in the kernel stack,
++ * is specified by @regs. If the @n th entry is NOT in the kernel stack
+ * this returns 0.
+ */
+ static inline unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs,
+ unsigned int n)
+ {
+- unsigned long *addr = (unsigned long *)kernel_stack_pointer(regs);
+- addr += n;
+- if (regs_within_kernel_stack(regs, (unsigned long)addr))
+- return *addr;
+- else
+- return 0;
++ unsigned long *addr;
++ unsigned long val;
++ long ret;
++
++ addr = regs_get_kernel_stack_nth_addr(regs, n);
++ if (addr) {
++ ret = probe_kernel_read(&val, addr, sizeof(val));
++ if (!ret)
++ return val;
++ }
++ return 0;
+ }
+
+ #define arch_has_single_step() (1)
+--
+2.20.1
+
--- /dev/null
+From b38768f761605d0f16b2afec42de40bea3dc061f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Sep 2018 09:23:46 -0700
+Subject: KVM: nVMX: move check_vmentry_postreqs() call to
+ nested_vmx_enter_non_root_mode()
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+[ Upstream commit 7671ce21b13b9596163a29f4712cb2451a9b97dc ]
+
+In preparation of supporting checkpoint/restore for nested state,
+commit ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
+modified check_vmentry_postreqs() to only perform the guest EFER
+consistency checks when nested_run_pending is true. But, in the
+normal nested VMEntry flow, nested_run_pending is only set after
+check_vmentry_postreqs(), i.e. the consistency check is being skipped.
+
+Alternatively, nested_run_pending could be set prior to calling
+check_vmentry_postreqs() in nested_vmx_run(), but placing the
+consistency checks in nested_vmx_enter_non_root_mode() allows us
+to split prepare_vmcs02() and interleave the preparation with
+the consistency checks without having to change the call sites
+of nested_vmx_enter_non_root_mode(). In other words, the rest
+of the consistency check code in nested_vmx_run() will be joining
+the postreqs checks in future patches.
+
+Fixes: ca0bde28f2ed ("kvm: nVMX: Split VMCS checks from nested_vmx_run()")
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: Jim Mattson <jmattson@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index fe7fdd666f091..bdf019f322117 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -12694,6 +12694,9 @@ static int enter_vmx_non_root_mode(struct kvm_vcpu *vcpu, u32 *exit_qual)
+ if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu))
+ evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu);
+
++ if (from_vmentry && check_vmentry_postreqs(vcpu, vmcs12, exit_qual))
++ return EXIT_REASON_INVALID_STATE;
++
+ enter_guest_mode(vcpu);
+
+ if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
+@@ -12836,13 +12839,6 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
+ */
+ skip_emulated_instruction(vcpu);
+
+- ret = check_vmentry_postreqs(vcpu, vmcs12, &exit_qual);
+- if (ret) {
+- nested_vmx_entry_failure(vcpu, vmcs12,
+- EXIT_REASON_INVALID_STATE, exit_qual);
+- return 1;
+- }
+-
+ /*
+ * We're finally done with prerequisite checking, and can start with
+ * the nested entry.
+--
+2.20.1
+
--- /dev/null
+From 7078c99ff363dfea464934fa522b900a6a6fe285 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Sep 2018 09:23:42 -0700
+Subject: KVM: nVMX: reset cache/shadows when switching loaded VMCS
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+[ Upstream commit b7031fd40fcc741b0f9b0c04c8d844e445858b84 ]
+
+Reset the vm_{entry,exit}_controls_shadow variables as well as the
+segment cache after loading a new VMCS in vmx_switch_vmcs(). The
+shadows/cache track VMCS data, i.e. they're stale every time we
+switch to a new VMCS regardless of reason.
+
+This fixes a bug where stale control shadows would be consumed after
+a nested VMExit due to a failed consistency check.
+
+Suggested-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 1ab4bb3d6a040..fe7fdd666f091 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -11013,6 +11013,10 @@ static void vmx_switch_vmcs(struct kvm_vcpu *vcpu, struct loaded_vmcs *vmcs)
+ vmx->loaded_vmcs = vmcs;
+ vmx_vcpu_load(vcpu, cpu);
+ put_cpu();
++
++ vm_entry_controls_reset_shadow(vmx);
++ vm_exit_controls_reset_shadow(vmx);
++ vmx_segment_cache_clear(vmx);
+ }
+
+ /*
+@@ -12699,7 +12703,6 @@ static int enter_vmx_non_root_mode(struct kvm_vcpu *vcpu, u32 *exit_qual)
+ vmx->nested.vmcs01_guest_bndcfgs = vmcs_read64(GUEST_BNDCFGS);
+
+ vmx_switch_vmcs(vcpu, &vmx->nested.vmcs02);
+- vmx_segment_cache_clear(vmx);
+
+ if (vmcs12->cpu_based_vm_exec_control & CPU_BASED_USE_TSC_OFFSETING)
+ vcpu->arch.tsc_offset += vmcs12->tsc_offset;
+@@ -13530,9 +13533,6 @@ static void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 exit_reason,
+ }
+
+ vmx_switch_vmcs(vcpu, &vmx->vmcs01);
+- vm_entry_controls_reset_shadow(vmx);
+- vm_exit_controls_reset_shadow(vmx);
+- vmx_segment_cache_clear(vmx);
+
+ /* Update any VMCS fields that might have changed while L2 ran */
+ vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, vmx->msr_autoload.host.nr);
+--
+2.20.1
+
--- /dev/null
+From 57684ca41c62d95a4dc925821dfda4ade539369c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Oct 2018 19:40:43 +0200
+Subject: KVM/x86: Fix invvpid and invept register operand size in 64-bit mode
+
+From: Uros Bizjak <ubizjak@gmail.com>
+
+[ Upstream commit 5ebb272b2ea7e02911a03a893f8d922d49f9bb4a ]
+
+Register operand size of invvpid and invept instruction in 64-bit mode
+has always 64 bits. Adjust inline function argument type to reflect
+correct size.
+
+Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index bdf019f322117..0b7559bf15ea7 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2079,7 +2079,7 @@ static int __find_msr_index(struct vcpu_vmx *vmx, u32 msr)
+ return -1;
+ }
+
+-static inline void __invvpid(int ext, u16 vpid, gva_t gva)
++static inline void __invvpid(unsigned long ext, u16 vpid, gva_t gva)
+ {
+ struct {
+ u64 vpid : 16;
+@@ -2094,7 +2094,7 @@ static inline void __invvpid(int ext, u16 vpid, gva_t gva)
+ BUG_ON(error);
+ }
+
+-static inline void __invept(int ext, u64 eptp, gpa_t gpa)
++static inline void __invept(unsigned long ext, u64 eptp, gpa_t gpa)
+ {
+ struct {
+ u64 eptp, gpa;
+--
+2.20.1
+
--- /dev/null
+From ba39334851e0fc835153a08f19f3db8043fb14bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:05:14 -0700
+Subject: lib/bitmap.c: fix remaining space computation in
+ bitmap_print_to_pagebuf
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+[ Upstream commit ce1091d471107dbf6f91db66a480a25950c9b9ff ]
+
+For various alignments of buf, the current expression computes
+
+4096 ok
+4095 ok
+8190
+8189
+...
+4097
+
+i.e., if the caller has already written two bytes into the page buffer,
+len is 8190 rather than 4094, because PTR_ALIGN aligns up to the next
+boundary. So if the printed version of the bitmap is huge, scnprintf()
+ends up writing beyond the page boundary.
+
+I don't think any current callers actually write anything before
+bitmap_print_to_pagebuf, but the API seems to be designed to allow it.
+
+[akpm@linux-foundation.org: use offset_in_page(), per Andy]
+[akpm@linux-foundation.org: include mm.h for offset_in_page()]
+Link: http://lkml.kernel.org/r/20180818131623.8755-7-linux@rasmusvillemoes.dk
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: Yury Norov <ynorov@caviumnetworks.com>
+Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Cc: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/bitmap.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/bitmap.c b/lib/bitmap.c
+index 2fd07f6df0b85..c4ca9ceb09fe3 100644
+--- a/lib/bitmap.c
++++ b/lib/bitmap.c
+@@ -13,6 +13,7 @@
+ #include <linux/bitops.h>
+ #include <linux/bug.h>
+ #include <linux/kernel.h>
++#include <linux/mm.h>
+ #include <linux/slab.h>
+ #include <linux/string.h>
+ #include <linux/uaccess.h>
+@@ -466,14 +467,15 @@ EXPORT_SYMBOL(bitmap_parse_user);
+ * ranges if list is specified or hex digits grouped into comma-separated
+ * sets of 8 digits/set. Returns the number of characters written to buf.
+ *
+- * It is assumed that @buf is a pointer into a PAGE_SIZE area and that
+- * sufficient storage remains at @buf to accommodate the
+- * bitmap_print_to_pagebuf() output.
++ * It is assumed that @buf is a pointer into a PAGE_SIZE, page-aligned
++ * area and that sufficient storage remains at @buf to accommodate the
++ * bitmap_print_to_pagebuf() output. Returns the number of characters
++ * actually printed to @buf, excluding terminating '\0'.
+ */
+ int bitmap_print_to_pagebuf(bool list, char *buf, const unsigned long *maskp,
+ int nmaskbits)
+ {
+- ptrdiff_t len = PTR_ALIGN(buf + PAGE_SIZE - 1, PAGE_SIZE) - buf;
++ ptrdiff_t len = PAGE_SIZE - offset_in_page(buf);
+ int n = 0;
+
+ if (len > 1)
+--
+2.20.1
+
--- /dev/null
+From ca687fcd3d331adc426e3a015eda4914e95c80cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:05:07 -0700
+Subject: linux/bitmap.h: fix type of nbits in bitmap_shift_right()
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+[ Upstream commit d9873969fa8725dc6a5a21ab788c057fd8719751 ]
+
+Most other bitmap API, including the OOL version __bitmap_shift_right,
+take unsigned nbits. This was accidentally left out from 2fbad29917c98.
+
+Link: http://lkml.kernel.org/r/20180818131623.8755-5-linux@rasmusvillemoes.dk
+Fixes: 2fbad29917c98 ("lib: bitmap: change bitmap_shift_right to take unsigned parameters")
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Reported-by: Yury Norov <ynorov@caviumnetworks.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Cc: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bitmap.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/bitmap.h b/include/linux/bitmap.h
+index a9805bacbd7ca..b71a033c781ef 100644
+--- a/include/linux/bitmap.h
++++ b/include/linux/bitmap.h
+@@ -403,7 +403,7 @@ static __always_inline void bitmap_clear(unsigned long *map, unsigned int start,
+ }
+
+ static inline void bitmap_shift_right(unsigned long *dst, const unsigned long *src,
+- unsigned int shift, int nbits)
++ unsigned int shift, unsigned int nbits)
+ {
+ if (small_const_nbits(nbits))
+ *dst = (*src & BITMAP_LAST_WORD_MASK(nbits)) >> shift;
+--
+2.20.1
+
--- /dev/null
+From fc871d358ffce038fd9ab05210d6265d8d0a12cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:04:59 -0700
+Subject: linux/bitmap.h: handle constant zero-size bitmaps correctly
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+[ Upstream commit 7275b097851a5e2e0dd4da039c7e96b59ac5314e ]
+
+The static inlines in bitmap.h do not handle a compile-time constant
+nbits==0 correctly (they dereference the passed src or dst pointers,
+despite only 0 words being valid to access). I had the 0-day buildbot
+chew on a patch [1] that would cause build failures for such cases without
+complaining, suggesting that we don't have any such users currently, at
+least for the 70 .config/arch combinations that was built. Should any
+turn up, make sure they use the out-of-line versions, which do handle
+nbits==0 correctly.
+
+This is of course not the most efficient, but it's much less churn than
+teaching all the static inlines an "if (zero_const_nbits())", and since we
+don't have any current instances, this doesn't affect existing code at
+all.
+
+[1] lkml.kernel.org/r/20180815085539.27485-1-linux@rasmusvillemoes.dk
+
+Link: http://lkml.kernel.org/r/20180818131623.8755-3-linux@rasmusvillemoes.dk
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: Yury Norov <ynorov@caviumnetworks.com>
+Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Cc: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bitmap.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/bitmap.h b/include/linux/bitmap.h
+index acf5e8df3504f..a9805bacbd7ca 100644
+--- a/include/linux/bitmap.h
++++ b/include/linux/bitmap.h
+@@ -204,8 +204,13 @@ extern int bitmap_print_to_pagebuf(bool list, char *buf,
+ #define BITMAP_FIRST_WORD_MASK(start) (~0UL << ((start) & (BITS_PER_LONG - 1)))
+ #define BITMAP_LAST_WORD_MASK(nbits) (~0UL >> (-(nbits) & (BITS_PER_LONG - 1)))
+
++/*
++ * The static inlines below do not handle constant nbits==0 correctly,
++ * so make such users (should any ever turn up) call the out-of-line
++ * versions.
++ */
+ #define small_const_nbits(nbits) \
+- (__builtin_constant_p(nbits) && (nbits) <= BITS_PER_LONG)
++ (__builtin_constant_p(nbits) && (nbits) <= BITS_PER_LONG && (nbits) > 0)
+
+ static inline void bitmap_zero(unsigned long *dst, unsigned int nbits)
+ {
+--
+2.20.1
+
--- /dev/null
+From 66b224e3c2deee467cb7cc611cc5eab0badeb39a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Sep 2018 14:44:25 +0200
+Subject: m68k: fix command-line parsing when passed from u-boot
+
+From: Angelo Dureghello <angelo@sysam.it>
+
+[ Upstream commit 381fdd62c38344a771aed06adaf14aae65c47454 ]
+
+This patch fixes command_line array zero-terminated
+one byte over the end of the array, causing boot to hang.
+
+Signed-off-by: Angelo Dureghello <angelo@sysam.it>
+Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/kernel/uboot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/m68k/kernel/uboot.c b/arch/m68k/kernel/uboot.c
+index b29c3b241e1bb..1070828770645 100644
+--- a/arch/m68k/kernel/uboot.c
++++ b/arch/m68k/kernel/uboot.c
+@@ -102,5 +102,5 @@ __init void process_uboot_commandline(char *commandp, int size)
+ }
+
+ parse_uboot_commandline(commandp, len);
+- commandp[size - 1] = 0;
++ commandp[len - 1] = 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 36cf80dc7f85bfe3353edf22f92fe133166c6088 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Oct 2018 11:18:49 +1100
+Subject: macintosh/windfarm_smu_sat: Fix debug output
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+[ Upstream commit fc0c8b36d379a046525eacb9c3323ca635283757 ]
+
+There's some antiquated debug output that's trying
+to do a hand-made hexdump and turning into horrible
+1-byte-per-line output these days.
+
+Use print_hex_dump() instead
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/macintosh/windfarm_smu_sat.c | 25 +++++++------------------
+ 1 file changed, 7 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/macintosh/windfarm_smu_sat.c b/drivers/macintosh/windfarm_smu_sat.c
+index da7f4fc1a51d1..a0f61eb853c55 100644
+--- a/drivers/macintosh/windfarm_smu_sat.c
++++ b/drivers/macintosh/windfarm_smu_sat.c
+@@ -22,14 +22,6 @@
+
+ #define VERSION "1.0"
+
+-#define DEBUG
+-
+-#ifdef DEBUG
+-#define DBG(args...) printk(args)
+-#else
+-#define DBG(args...) do { } while(0)
+-#endif
+-
+ /* If the cache is older than 800ms we'll refetch it */
+ #define MAX_AGE msecs_to_jiffies(800)
+
+@@ -106,13 +98,10 @@ struct smu_sdbp_header *smu_sat_get_sdb_partition(unsigned int sat_id, int id,
+ buf[i+2] = data[3];
+ buf[i+3] = data[2];
+ }
+-#ifdef DEBUG
+- DBG(KERN_DEBUG "sat %d partition %x:", sat_id, id);
+- for (i = 0; i < len; ++i)
+- DBG(" %x", buf[i]);
+- DBG("\n");
+-#endif
+
++ printk(KERN_DEBUG "sat %d partition %x:", sat_id, id);
++ print_hex_dump(KERN_DEBUG, " ", DUMP_PREFIX_OFFSET,
++ 16, 1, buf, len, false);
+ if (size)
+ *size = len;
+ return (struct smu_sdbp_header *) buf;
+@@ -132,13 +121,13 @@ static int wf_sat_read_cache(struct wf_sat *sat)
+ if (err < 0)
+ return err;
+ sat->last_read = jiffies;
++
+ #ifdef LOTSA_DEBUG
+ {
+ int i;
+- DBG(KERN_DEBUG "wf_sat_get: data is");
+- for (i = 0; i < 16; ++i)
+- DBG(" %.2x", sat->cache[i]);
+- DBG("\n");
++ printk(KERN_DEBUG "wf_sat_get: data is");
++ print_hex_dump(KERN_DEBUG, " ", DUMP_PREFIX_OFFSET,
++ 16, 1, sat->cache, 16, false);
+ }
+ #endif
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From a3c28aa5c8f1f6a201bf078c0977fef1de0bd48c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Oct 2018 09:33:10 +0100
+Subject: macsec: let the administrator set UP state even if lowerdev is down
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 07bddef9839378bd6f95b393cf24c420529b4ef1 ]
+
+Currently, the kernel doesn't let the administrator set a macsec device
+up unless its lower device is currently up. This is inconsistent, as a
+macsec device that is up won't automatically go down when its lower
+device goes down.
+
+Now that linkstate propagation works, there's really no reason for this
+limitation, so let's remove it.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Reported-by: Radu Rendec <radu.rendec@gmail.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 50acd8c9d7f53..10a8ef2d025a1 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -2813,9 +2813,6 @@ static int macsec_dev_open(struct net_device *dev)
+ struct net_device *real_dev = macsec->real_dev;
+ int err;
+
+- if (!(real_dev->flags & IFF_UP))
+- return -ENETDOWN;
+-
+ err = dev_uc_add(real_dev, dev->dev_addr);
+ if (err < 0)
+ return err;
+--
+2.20.1
+
--- /dev/null
+From 23f3f719c5e9be035725153521df626b63e854db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Oct 2018 09:33:09 +0100
+Subject: macsec: update operstate when lower device changes
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit e6ac075882b2afcdf2d5ab328ce4ab42a1eb9593 ]
+
+Like all other virtual devices (macvlan, vlan), the operstate of a
+macsec device should match the state of its lower device. This is done
+by calling netif_stacked_transfer_operstate from its netdevice notifier.
+
+We also need to call netif_stacked_transfer_operstate when a new macsec
+device is created, so that its operstate is set properly. This is only
+relevant when we try to bring the device up directly when we create it.
+
+Radu Rendec proposed a similar patch, inspired from the 802.1q driver,
+that included changing the administrative state of the macsec device,
+instead of just the operstate. This version is similar to what the
+macvlan driver does, and updates only the operstate.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Reported-by: Radu Rendec <radu.rendec@gmail.com>
+Reported-by: Patrick Talbert <ptalbert@redhat.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 05115fb0c97a9..50acd8c9d7f53 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -3305,6 +3305,9 @@ static int macsec_newlink(struct net *net, struct net_device *dev,
+ if (err < 0)
+ goto del_dev;
+
++ netif_stacked_transfer_operstate(real_dev, dev);
++ linkwatch_fire_event(dev);
++
+ macsec_generation++;
+
+ return 0;
+@@ -3489,6 +3492,20 @@ static int macsec_notify(struct notifier_block *this, unsigned long event,
+ return NOTIFY_DONE;
+
+ switch (event) {
++ case NETDEV_DOWN:
++ case NETDEV_UP:
++ case NETDEV_CHANGE: {
++ struct macsec_dev *m, *n;
++ struct macsec_rxh_data *rxd;
++
++ rxd = macsec_data_rtnl(real_dev);
++ list_for_each_entry_safe(m, n, &rxd->secys, secys) {
++ struct net_device *dev = m->secy.netdev;
++
++ netif_stacked_transfer_operstate(real_dev, dev);
++ }
++ break;
++ }
+ case NETDEV_UNREGISTER: {
+ struct macsec_dev *m, *n;
+ struct macsec_rxh_data *rxd;
+--
+2.20.1
+
--- /dev/null
+From af9aba19164480f5f1485f65812f7b06295d9c0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Oct 2018 11:34:30 -0400
+Subject: media: ov13858: Check for possible null pointer
+
+From: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>
+
+[ Upstream commit 35629182eb8f931b0de6ed38c0efac58e922c801 ]
+
+Check for possible null pointer to avoid crash.
+
+Signed-off-by: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov13858.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/i2c/ov13858.c b/drivers/media/i2c/ov13858.c
+index 0e7a85c4996c7..afd66d243403b 100644
+--- a/drivers/media/i2c/ov13858.c
++++ b/drivers/media/i2c/ov13858.c
+@@ -1612,7 +1612,8 @@ static int ov13858_init_controls(struct ov13858 *ov13858)
+ OV13858_NUM_OF_LINK_FREQS - 1,
+ 0,
+ link_freq_menu_items);
+- ov13858->link_freq->flags |= V4L2_CTRL_FLAG_READ_ONLY;
++ if (ov13858->link_freq)
++ ov13858->link_freq->flags |= V4L2_CTRL_FLAG_READ_ONLY;
+
+ pixel_rate_max = link_freq_to_pixel_rate(link_freq_menu_items[0]);
+ pixel_rate_min = link_freq_to_pixel_rate(link_freq_menu_items[1]);
+@@ -1635,7 +1636,8 @@ static int ov13858_init_controls(struct ov13858 *ov13858)
+ ov13858->hblank = v4l2_ctrl_new_std(
+ ctrl_hdlr, &ov13858_ctrl_ops, V4L2_CID_HBLANK,
+ hblank, hblank, 1, hblank);
+- ov13858->hblank->flags |= V4L2_CTRL_FLAG_READ_ONLY;
++ if (ov13858->hblank)
++ ov13858->hblank->flags |= V4L2_CTRL_FLAG_READ_ONLY;
+
+ exposure_max = mode->vts_def - 8;
+ ov13858->exposure = v4l2_ctrl_new_std(
+--
+2.20.1
+
--- /dev/null
+From 6bf69089cc7e6b5cc34ebf0844ad5148c3f9b77f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Aug 2018 19:52:44 +0530
+Subject: mfd: arizona: Correct calling of runtime_put_sync
+
+From: Sapthagiri Baratam <sapthagiri.baratam@cirrus.com>
+
+[ Upstream commit 6b269a41a4520f7eb639e61a45ebbb9c9267d5e0 ]
+
+Don't call runtime_put_sync when clk32k_ref is ARIZONA_32KZ_MCLK2
+as there is no corresponding runtime_get_sync call.
+
+MCLK1 is not in the AoD power domain so if it is used as 32kHz clock
+source we need to hold a runtime PM reference to keep the device from
+going into low power mode.
+
+Fixes: cdd8da8cc66b ("mfd: arizona: Add gating of external MCLKn clocks")
+Signed-off-by: Sapthagiri Baratam <sapthagiri.baratam@cirrus.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/arizona-core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mfd/arizona-core.c b/drivers/mfd/arizona-core.c
+index 47d6d40f41cd5..a4403a57ddc89 100644
+--- a/drivers/mfd/arizona-core.c
++++ b/drivers/mfd/arizona-core.c
+@@ -52,8 +52,10 @@ int arizona_clk32k_enable(struct arizona *arizona)
+ if (ret != 0)
+ goto err_ref;
+ ret = clk_prepare_enable(arizona->mclk[ARIZONA_MCLK1]);
+- if (ret != 0)
+- goto err_pm;
++ if (ret != 0) {
++ pm_runtime_put_sync(arizona->dev);
++ goto err_ref;
++ }
+ break;
+ case ARIZONA_32KZ_MCLK2:
+ ret = clk_prepare_enable(arizona->mclk[ARIZONA_MCLK2]);
+@@ -67,8 +69,6 @@ int arizona_clk32k_enable(struct arizona *arizona)
+ ARIZONA_CLK_32K_ENA);
+ }
+
+-err_pm:
+- pm_runtime_put_sync(arizona->dev);
+ err_ref:
+ if (ret != 0)
+ arizona->clk32k_ref--;
+--
+2.20.1
+
--- /dev/null
+From b82ceee9d2726a68a0daf2292ca7e17e7e891f61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Aug 2018 19:52:52 +0300
+Subject: mfd: intel_soc_pmic_bxtwc: Chain power button IRQs as well
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 9f8ddee1dab836ca758ca8fc555ab5a3aaa5d3fd ]
+
+Power button IRQ actually has a second level of interrupts to
+distinguish between UI and POWER buttons. Moreover, current
+implementation looks awkward in approach to handle second level IRQs by
+first level related IRQ chip.
+
+To address above issues, split power button IRQ to be chained as well.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/intel_soc_pmic_bxtwc.c | 41 ++++++++++++++++++++++--------
+ include/linux/mfd/intel_soc_pmic.h | 1 +
+ 2 files changed, 32 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/mfd/intel_soc_pmic_bxtwc.c b/drivers/mfd/intel_soc_pmic_bxtwc.c
+index 15bc052704a6d..9ca1f8c015de9 100644
+--- a/drivers/mfd/intel_soc_pmic_bxtwc.c
++++ b/drivers/mfd/intel_soc_pmic_bxtwc.c
+@@ -31,8 +31,8 @@
+
+ /* Interrupt Status Registers */
+ #define BXTWC_IRQLVL1 0x4E02
+-#define BXTWC_PWRBTNIRQ 0x4E03
+
++#define BXTWC_PWRBTNIRQ 0x4E03
+ #define BXTWC_THRM0IRQ 0x4E04
+ #define BXTWC_THRM1IRQ 0x4E05
+ #define BXTWC_THRM2IRQ 0x4E06
+@@ -47,10 +47,9 @@
+
+ /* Interrupt MASK Registers */
+ #define BXTWC_MIRQLVL1 0x4E0E
+-#define BXTWC_MPWRTNIRQ 0x4E0F
+-
+ #define BXTWC_MIRQLVL1_MCHGR BIT(5)
+
++#define BXTWC_MPWRBTNIRQ 0x4E0F
+ #define BXTWC_MTHRM0IRQ 0x4E12
+ #define BXTWC_MTHRM1IRQ 0x4E13
+ #define BXTWC_MTHRM2IRQ 0x4E14
+@@ -66,9 +65,7 @@
+ /* Whiskey Cove PMIC share same ACPI ID between different platforms */
+ #define BROXTON_PMIC_WC_HRV 4
+
+-/* Manage in two IRQ chips since mask registers are not consecutive */
+ enum bxtwc_irqs {
+- /* Level 1 */
+ BXTWC_PWRBTN_LVL1_IRQ = 0,
+ BXTWC_TMU_LVL1_IRQ,
+ BXTWC_THRM_LVL1_IRQ,
+@@ -77,9 +74,11 @@ enum bxtwc_irqs {
+ BXTWC_CHGR_LVL1_IRQ,
+ BXTWC_GPIO_LVL1_IRQ,
+ BXTWC_CRIT_LVL1_IRQ,
++};
+
+- /* Level 2 */
+- BXTWC_PWRBTN_IRQ,
++enum bxtwc_irqs_pwrbtn {
++ BXTWC_PWRBTN_IRQ = 0,
++ BXTWC_UIBTN_IRQ,
+ };
+
+ enum bxtwc_irqs_bcu {
+@@ -113,7 +112,10 @@ static const struct regmap_irq bxtwc_regmap_irqs[] = {
+ REGMAP_IRQ_REG(BXTWC_CHGR_LVL1_IRQ, 0, BIT(5)),
+ REGMAP_IRQ_REG(BXTWC_GPIO_LVL1_IRQ, 0, BIT(6)),
+ REGMAP_IRQ_REG(BXTWC_CRIT_LVL1_IRQ, 0, BIT(7)),
+- REGMAP_IRQ_REG(BXTWC_PWRBTN_IRQ, 1, 0x03),
++};
++
++static const struct regmap_irq bxtwc_regmap_irqs_pwrbtn[] = {
++ REGMAP_IRQ_REG(BXTWC_PWRBTN_IRQ, 0, 0x01),
+ };
+
+ static const struct regmap_irq bxtwc_regmap_irqs_bcu[] = {
+@@ -125,7 +127,7 @@ static const struct regmap_irq bxtwc_regmap_irqs_adc[] = {
+ };
+
+ static const struct regmap_irq bxtwc_regmap_irqs_chgr[] = {
+- REGMAP_IRQ_REG(BXTWC_USBC_IRQ, 0, BIT(5)),
++ REGMAP_IRQ_REG(BXTWC_USBC_IRQ, 0, 0x20),
+ REGMAP_IRQ_REG(BXTWC_CHGR0_IRQ, 0, 0x1f),
+ REGMAP_IRQ_REG(BXTWC_CHGR1_IRQ, 1, 0x1f),
+ };
+@@ -144,7 +146,16 @@ static struct regmap_irq_chip bxtwc_regmap_irq_chip = {
+ .mask_base = BXTWC_MIRQLVL1,
+ .irqs = bxtwc_regmap_irqs,
+ .num_irqs = ARRAY_SIZE(bxtwc_regmap_irqs),
+- .num_regs = 2,
++ .num_regs = 1,
++};
++
++static struct regmap_irq_chip bxtwc_regmap_irq_chip_pwrbtn = {
++ .name = "bxtwc_irq_chip_pwrbtn",
++ .status_base = BXTWC_PWRBTNIRQ,
++ .mask_base = BXTWC_MPWRBTNIRQ,
++ .irqs = bxtwc_regmap_irqs_pwrbtn,
++ .num_irqs = ARRAY_SIZE(bxtwc_regmap_irqs_pwrbtn),
++ .num_regs = 1,
+ };
+
+ static struct regmap_irq_chip bxtwc_regmap_irq_chip_tmu = {
+@@ -472,6 +483,16 @@ static int bxtwc_probe(struct platform_device *pdev)
+ return ret;
+ }
+
++ ret = bxtwc_add_chained_irq_chip(pmic, pmic->irq_chip_data,
++ BXTWC_PWRBTN_LVL1_IRQ,
++ IRQF_ONESHOT,
++ &bxtwc_regmap_irq_chip_pwrbtn,
++ &pmic->irq_chip_data_pwrbtn);
++ if (ret) {
++ dev_err(&pdev->dev, "Failed to add PWRBTN IRQ chip\n");
++ return ret;
++ }
++
+ ret = bxtwc_add_chained_irq_chip(pmic, pmic->irq_chip_data,
+ BXTWC_TMU_LVL1_IRQ,
+ IRQF_ONESHOT,
+diff --git a/include/linux/mfd/intel_soc_pmic.h b/include/linux/mfd/intel_soc_pmic.h
+index 5aacdb017a9f6..806a4f095312b 100644
+--- a/include/linux/mfd/intel_soc_pmic.h
++++ b/include/linux/mfd/intel_soc_pmic.h
+@@ -25,6 +25,7 @@ struct intel_soc_pmic {
+ int irq;
+ struct regmap *regmap;
+ struct regmap_irq_chip_data *irq_chip_data;
++ struct regmap_irq_chip_data *irq_chip_data_pwrbtn;
+ struct regmap_irq_chip_data *irq_chip_data_tmu;
+ struct regmap_irq_chip_data *irq_chip_data_bcu;
+ struct regmap_irq_chip_data *irq_chip_data_adc;
+--
+2.20.1
+
--- /dev/null
+From c93992ae9b538e722bd008e1292f6bcf478027c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Sep 2018 13:54:07 +0200
+Subject: mfd: max8997: Enale irq-wakeup unconditionally
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit efddff27c886e729a7f84a7205bd84d7d4af7336 ]
+
+IRQ wake up support for MAX8997 driver was initially configured by
+respective property in pdata. However, after the driver conversion to
+device-tree, setting it was left as 'todo'. Nowadays most of other PMIC MFD
+drivers initialized from device-tree assume that they can be an irq wakeup
+source, so enable it also for MAX8997. This fixes support for wakeup from
+MAX8997 RTC alarm.
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/max8997.c | 8 +-------
+ include/linux/mfd/max8997.h | 1 -
+ 2 files changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/mfd/max8997.c b/drivers/mfd/max8997.c
+index 3f554c4475218..d1495d76bf2c3 100644
+--- a/drivers/mfd/max8997.c
++++ b/drivers/mfd/max8997.c
+@@ -153,12 +153,6 @@ static struct max8997_platform_data *max8997_i2c_parse_dt_pdata(
+
+ pd->ono = irq_of_parse_and_map(dev->of_node, 1);
+
+- /*
+- * ToDo: the 'wakeup' member in the platform data is more of a linux
+- * specfic information. Hence, there is no binding for that yet and
+- * not parsed here.
+- */
+-
+ return pd;
+ }
+
+@@ -246,7 +240,7 @@ static int max8997_i2c_probe(struct i2c_client *i2c,
+ */
+
+ /* MAX8997 has a power button input. */
+- device_init_wakeup(max8997->dev, pdata->wakeup);
++ device_init_wakeup(max8997->dev, true);
+
+ return ret;
+
+diff --git a/include/linux/mfd/max8997.h b/include/linux/mfd/max8997.h
+index cf815577bd686..3ae1fe743bc34 100644
+--- a/include/linux/mfd/max8997.h
++++ b/include/linux/mfd/max8997.h
+@@ -178,7 +178,6 @@ struct max8997_led_platform_data {
+ struct max8997_platform_data {
+ /* IRQ */
+ int ono;
+- int wakeup;
+
+ /* ---- PMIC ---- */
+ struct max8997_regulator_data *regulators;
+--
+2.20.1
+
--- /dev/null
+From 23b5322c2111e26d21acb5236e48fb5825d6c9f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Aug 2018 17:02:40 -0300
+Subject: mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values
+
+From: Fabio Estevam <fabio.estevam@nxp.com>
+
+[ Upstream commit 55143439b7b501882bea9d95a54adfe00ffc79a3 ]
+
+When trying to read any MC13892 ADC channel on a imx51-babbage board:
+
+The MC13892 PMIC shutdowns completely.
+
+After debugging this issue and comparing the MC13892 and MC13783
+initializations done in the vendor kernel, it was noticed that the
+CHRGRAWDIV bit of the ADC0 register was not being set.
+
+This bit is set by default after power on, but the driver was
+clearing it.
+
+After setting this bit it is possible to read the ADC values correctly.
+
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Tested-by: Chris Healy <cphealy@gmail.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/mc13xxx-core.c | 3 ++-
+ include/linux/mfd/mc13xxx.h | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/mc13xxx-core.c b/drivers/mfd/mc13xxx-core.c
+index 234febfe6398b..d0bf50e3568d7 100644
+--- a/drivers/mfd/mc13xxx-core.c
++++ b/drivers/mfd/mc13xxx-core.c
+@@ -278,7 +278,8 @@ int mc13xxx_adc_do_conversion(struct mc13xxx *mc13xxx, unsigned int mode,
+ if (ret)
+ goto out;
+
+- adc0 = MC13XXX_ADC0_ADINC1 | MC13XXX_ADC0_ADINC2;
++ adc0 = MC13XXX_ADC0_ADINC1 | MC13XXX_ADC0_ADINC2 |
++ MC13XXX_ADC0_CHRGRAWDIV;
+ adc1 = MC13XXX_ADC1_ADEN | MC13XXX_ADC1_ADTRIGIGN | MC13XXX_ADC1_ASC;
+
+ /*
+diff --git a/include/linux/mfd/mc13xxx.h b/include/linux/mfd/mc13xxx.h
+index 54a3cd808f9e6..2ad9bdc0a5ec8 100644
+--- a/include/linux/mfd/mc13xxx.h
++++ b/include/linux/mfd/mc13xxx.h
+@@ -249,6 +249,7 @@ struct mc13xxx_platform_data {
+ #define MC13XXX_ADC0_TSMOD0 (1 << 12)
+ #define MC13XXX_ADC0_TSMOD1 (1 << 13)
+ #define MC13XXX_ADC0_TSMOD2 (1 << 14)
++#define MC13XXX_ADC0_CHRGRAWDIV (1 << 15)
+ #define MC13XXX_ADC0_ADINC1 (1 << 16)
+ #define MC13XXX_ADC0_ADINC2 (1 << 17)
+
+--
+2.20.1
+
--- /dev/null
+From 668b44d7132d521b2d3ed285c50dfac424f3df65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Oct 2018 18:38:28 -0500
+Subject: misc: mic: fix a DMA pool free failure
+
+From: Wenwen Wang <wang6495@umn.edu>
+
+[ Upstream commit 6b995f4eec34745f6cb20d66d5277611f0b3c3fa ]
+
+In _scif_prog_signal(), the boolean variable 'x100' is used to indicate
+whether the MIC Coprocessor is X100. If 'x100' is true, the status
+descriptor will be used to write the value to the destination. Otherwise, a
+DMA pool will be allocated for this purpose. Specifically, if the DMA pool
+is allocated successfully, two memory addresses will be returned. One is
+for the CPU and the other is for the device to access the DMA pool. The
+former is stored to the variable 'status' and the latter is stored to the
+variable 'src'. After the allocation, the address in 'src' is saved to
+'status->src_dma_addr', which is actually in the DMA pool, and 'src' is
+then modified.
+
+Later on, if an error occurs, the execution flow will transfer to the label
+'dma_fail', which will check 'x100' and free up the allocated DMA pool if
+'x100' is false. The point here is that 'status->src_dma_addr' is used for
+freeing up the DMA pool. As mentioned before, 'status->src_dma_addr' is in
+the DMA pool. And thus, the device is able to modify this data. This can
+potentially cause failures when freeing up the DMA pool because of the
+modified device address.
+
+This patch avoids the above issue by using the variable 'src' (with
+necessary calculation) to free up the DMA pool.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mic/scif/scif_fence.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/misc/mic/scif/scif_fence.c b/drivers/misc/mic/scif/scif_fence.c
+index cac3bcc308a7e..7bb929f05d852 100644
+--- a/drivers/misc/mic/scif/scif_fence.c
++++ b/drivers/misc/mic/scif/scif_fence.c
+@@ -272,7 +272,7 @@ static int _scif_prog_signal(scif_epd_t epd, dma_addr_t dst, u64 val)
+ dma_fail:
+ if (!x100)
+ dma_pool_free(ep->remote_dev->signal_pool, status,
+- status->src_dma_addr);
++ src - offsetof(struct scif_status, val));
+ alloc_fail:
+ return err;
+ }
+--
+2.20.1
+
--- /dev/null
+From 174e5bf74741655d470538da3f49c541c884f6f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Oct 2018 11:00:30 -0700
+Subject: mISDN: Fix type of switch control variable in ctrl_teimanager
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit aeb5e02aca91522733eb1db595ac607d30c87767 ]
+
+Clang warns (trimmed for brevity):
+
+drivers/isdn/mISDN/tei.c:1193:7: warning: overflow converting case value
+to switch condition type (2147764552 to 18446744071562348872) [-Wswitch]
+ case IMHOLD_L1:
+ ^
+drivers/isdn/mISDN/tei.c:1187:7: warning: overflow converting case value
+to switch condition type (2147764550 to 18446744071562348870) [-Wswitch]
+ case IMCLEAR_L2:
+ ^
+2 warnings generated.
+
+The root cause is that the _IOC macro can generate really large numbers,
+which don't find into type int. My research into how GCC and Clang are
+handling this at a low level didn't prove fruitful and surveying the
+kernel tree shows that aside from here and a few places in the scsi
+subsystem, everything that uses _IOC is at least of type 'unsigned int'.
+Make that change here because as nothing in this function cares about
+the signedness of the variable and it removes ambiguity, which is never
+good when dealing with compilers.
+
+While we're here, remove the unnecessary local variable ret (just return
+-EINVAL and 0 directly).
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/67
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/tei.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/tei.c b/drivers/isdn/mISDN/tei.c
+index 12d9e5f4beb1f..58635b5f296f0 100644
+--- a/drivers/isdn/mISDN/tei.c
++++ b/drivers/isdn/mISDN/tei.c
+@@ -1180,8 +1180,7 @@ static int
+ ctrl_teimanager(struct manager *mgr, void *arg)
+ {
+ /* currently we only have one option */
+- int *val = (int *)arg;
+- int ret = 0;
++ unsigned int *val = (unsigned int *)arg;
+
+ switch (val[0]) {
+ case IMCLEAR_L2:
+@@ -1197,9 +1196,9 @@ ctrl_teimanager(struct manager *mgr, void *arg)
+ test_and_clear_bit(OPTION_L1_HOLD, &mgr->options);
+ break;
+ default:
+- ret = -EINVAL;
++ return -EINVAL;
+ }
+- return ret;
++ return 0;
+ }
+
+ /* This function does create a L2 for fixed TEI in NT Mode */
+--
+2.20.1
+
--- /dev/null
+From fd34bc1daa9befc502dd79d50fabfdedbddfe772 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:04:32 -0700
+Subject: mm/gup_benchmark.c: prevent integer overflow in ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 4b408c74ee5a0b74fc9265c2fe39b0e7dec7c056 ]
+
+The concern here is that "gup->size" is a u64 and "nr_pages" is unsigned
+long. On 32 bit systems we could trick the kernel into allocating fewer
+pages than expected.
+
+Link: http://lkml.kernel.org/r/20181025061546.hnhkv33diogf2uis@kili.mountain
+Fixes: 64c349f4ae78 ("mm: add infrastructure for get_user_pages_fast() benchmarking")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Stephen Rothwell <sfr@canb.auug.org.au>
+Cc: Keith Busch <keith.busch@intel.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/gup_benchmark.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/mm/gup_benchmark.c b/mm/gup_benchmark.c
+index 7405c9d89d651..7e6f2d2dafb55 100644
+--- a/mm/gup_benchmark.c
++++ b/mm/gup_benchmark.c
+@@ -23,6 +23,9 @@ static int __gup_benchmark_ioctl(unsigned int cmd,
+ int nr;
+ struct page **pages;
+
++ if (gup->size > ULONG_MAX)
++ return -EINVAL;
++
+ nr_pages = gup->size / PAGE_SIZE;
+ pages = kvcalloc(nr_pages, sizeof(void *), GFP_KERNEL);
+ if (!pages)
+--
+2.20.1
+
--- /dev/null
+From 25153ee8103959e72ea1c81a9dc62bc2a078f2cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Nov 2018 15:47:49 -0700
+Subject: mm: handle no memcg case in memcg_kmem_charge() properly
+
+From: Roman Gushchin <guro@fb.com>
+
+[ Upstream commit e68599a3c3ad0f3171a7cb4e48aa6f9a69381902 ]
+
+Mike Galbraith reported a regression caused by the commit 9b6f7e163cd0
+("mm: rework memcg kernel stack accounting") on a system with
+"cgroup_disable=memory" boot option: the system panics with the following
+stack trace:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000000000000f8
+ PGD 0 P4D 0
+ Oops: 0002 [#1] PREEMPT SMP PTI
+ CPU: 0 PID: 1 Comm: systemd Not tainted 4.19.0-preempt+ #410
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20180531_142017-buildhw-08.phx2.fed4
+ RIP: 0010:page_counter_try_charge+0x22/0xc0
+ Code: 41 5d c3 c3 0f 1f 40 00 0f 1f 44 00 00 48 85 ff 0f 84 a7 00 00 00 41 56 48 89 f8 49 89 fe 49
+ Call Trace:
+ try_charge+0xcb/0x780
+ memcg_kmem_charge_memcg+0x28/0x80
+ memcg_kmem_charge+0x8b/0x1d0
+ copy_process.part.41+0x1ca/0x2070
+ _do_fork+0xd7/0x3d0
+ do_syscall_64+0x5a/0x180
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The problem occurs because get_mem_cgroup_from_current() returns the NULL
+pointer if memory controller is disabled. Let's check if this is a case
+at the beginning of memcg_kmem_charge() and just return 0 if
+mem_cgroup_disabled() returns true. This is how we handle this case in
+many other places in the memory controller code.
+
+Link: http://lkml.kernel.org/r/20181029215123.17830-1-guro@fb.com
+Fixes: 9b6f7e163cd0 ("mm: rework memcg kernel stack accounting")
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Reported-by: Mike Galbraith <efault@gmx.de>
+Acked-by: Rik van Riel <riel@surriel.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: Shakeel Butt <shakeelb@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memcontrol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index 5af38d8a9afd3..3a3d109dce215 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -2678,7 +2678,7 @@ int memcg_kmem_charge(struct page *page, gfp_t gfp, int order)
+ struct mem_cgroup *memcg;
+ int ret = 0;
+
+- if (memcg_kmem_bypass())
++ if (mem_cgroup_disabled() || memcg_kmem_bypass())
+ return 0;
+
+ memcg = get_mem_cgroup_from_current();
+--
+2.20.1
+
--- /dev/null
+From f0f886e7786b80e12f11757f0459fc3f2cd52050 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Apr 2019 12:07:17 +0800
+Subject: mm/memory_hotplug: Do not unlock when fails to take the
+ device_hotplug_lock
+
+From: zhong jiang <zhongjiang@huawei.com>
+
+[ Upstream commit d2ab99403ee00d8014e651728a4702ea1ae5e52c ]
+
+When adding the memory by probing memory block in sysfs interface, there is an
+obvious issue that we will unlock the device_hotplug_lock when fails to takes it.
+
+That issue was introduced in Commit 8df1d0e4a265
+("mm/memory_hotplug: make add_memory() take the device_hotplug_lock")
+
+We should drop out in time when fails to take the device_hotplug_lock.
+
+Fixes: 8df1d0e4a265 ("mm/memory_hotplug: make add_memory() take the device_hotplug_lock")
+Reported-by: Yang yingliang <yangyingliang@huawei.com>
+Signed-off-by: zhong jiang <zhongjiang@huawei.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/memory.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/base/memory.c b/drivers/base/memory.c
+index 0f8e77f78cc80..ac1574a696100 100644
+--- a/drivers/base/memory.c
++++ b/drivers/base/memory.c
+@@ -510,7 +510,7 @@ memory_probe_store(struct device *dev, struct device_attribute *attr,
+
+ ret = lock_device_hotplug_sysfs();
+ if (ret)
+- goto out;
++ return ret;
+
+ nid = memory_add_physaddr_to_nid(phys_addr);
+ ret = __add_memory(nid, phys_addr,
+--
+2.20.1
+
--- /dev/null
+From 7f7930ca5b6b874ccf039758d259913718b27499 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:10:29 -0700
+Subject: mm/memory_hotplug: fix online/offline_pages called w.o.
+ mem_hotplug_lock
+
+From: David Hildenbrand <david@redhat.com>
+
+[ Upstream commit 381eab4a6ee81266f8dddc62e57376c7e584e5b8 ]
+
+There seem to be some problems as result of 30467e0b3be ("mm, hotplug:
+fix concurrent memory hot-add deadlock"), which tried to fix a possible
+lock inversion reported and discussed in [1] due to the two locks
+ a) device_lock()
+ b) mem_hotplug_lock
+
+While add_memory() first takes b), followed by a) during
+bus_probe_device(), onlining of memory from user space first took a),
+followed by b), exposing a possible deadlock.
+
+In [1], and it was decided to not make use of device_hotplug_lock, but
+rather to enforce a locking order.
+
+The problems I spotted related to this:
+
+1. Memory block device attributes: While .state first calls
+ mem_hotplug_begin() and the calls device_online() - which takes
+ device_lock() - .online does no longer call mem_hotplug_begin(), so
+ effectively calls online_pages() without mem_hotplug_lock.
+
+2. device_online() should be called under device_hotplug_lock, however
+ onlining memory during add_memory() does not take care of that.
+
+In addition, I think there is also something wrong about the locking in
+
+3. arch/powerpc/platforms/powernv/memtrace.c calls offline_pages()
+ without locks. This was introduced after 30467e0b3be. And skimming over
+ the code, I assume it could need some more care in regards to locking
+ (e.g. device_online() called without device_hotplug_lock. This will
+ be addressed in the following patches.
+
+Now that we hold the device_hotplug_lock when
+- adding memory (e.g. via add_memory()/add_memory_resource())
+- removing memory (e.g. via remove_memory())
+- device_online()/device_offline()
+
+We can move mem_hotplug_lock usage back into
+online_pages()/offline_pages().
+
+Why is mem_hotplug_lock still needed? Essentially to make
+get_online_mems()/put_online_mems() be very fast (relying on
+device_hotplug_lock would be very slow), and to serialize against
+addition of memory that does not create memory block devices (hmm).
+
+[1] http://driverdev.linuxdriverproject.org/pipermail/ driverdev-devel/
+ 2015-February/065324.html
+
+This patch is partly based on a patch by Vitaly Kuznetsov.
+
+Link: http://lkml.kernel.org/r/20180925091457.28651-4-david@redhat.com
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Pavel Tatashin <pavel.tatashin@microsoft.com>
+Reviewed-by: Rashmica Gupta <rashmica.g@gmail.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Len Brown <lenb@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: "K. Y. Srinivasan" <kys@microsoft.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Rashmica Gupta <rashmica.g@gmail.com>
+Cc: Michael Neuling <mikey@neuling.org>
+Cc: Balbir Singh <bsingharora@gmail.com>
+Cc: Kate Stewart <kstewart@linuxfoundation.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Philippe Ombredanne <pombredanne@nexb.com>
+Cc: Pavel Tatashin <pavel.tatashin@microsoft.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: YASUAKI ISHIMATSU <yasu.isimatu@gmail.com>
+Cc: Mathieu Malaterre <malat@debian.org>
+Cc: John Allen <jallen@linux.vnet.ibm.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Nathan Fontenot <nfont@linux.vnet.ibm.com>
+Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/memory.c | 13 +------------
+ mm/memory_hotplug.c | 28 ++++++++++++++++++++--------
+ 2 files changed, 21 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/base/memory.c b/drivers/base/memory.c
+index 07901cacfec63..0f8e77f78cc80 100644
+--- a/drivers/base/memory.c
++++ b/drivers/base/memory.c
+@@ -228,7 +228,6 @@ static bool pages_correctly_probed(unsigned long start_pfn)
+ /*
+ * MEMORY_HOTPLUG depends on SPARSEMEM in mm/Kconfig, so it is
+ * OK to have direct references to sparsemem variables in here.
+- * Must already be protected by mem_hotplug_begin().
+ */
+ static int
+ memory_block_action(unsigned long phys_index, unsigned long action, int online_type)
+@@ -294,7 +293,6 @@ static int memory_subsys_online(struct device *dev)
+ if (mem->online_type < 0)
+ mem->online_type = MMOP_ONLINE_KEEP;
+
+- /* Already under protection of mem_hotplug_begin() */
+ ret = memory_block_change_state(mem, MEM_ONLINE, MEM_OFFLINE);
+
+ /* clear online_type */
+@@ -341,19 +339,11 @@ store_mem_state(struct device *dev,
+ goto err;
+ }
+
+- /*
+- * Memory hotplug needs to hold mem_hotplug_begin() for probe to find
+- * the correct memory block to online before doing device_online(dev),
+- * which will take dev->mutex. Take the lock early to prevent an
+- * inversion, memory_subsys_online() callbacks will be implemented by
+- * assuming it's already protected.
+- */
+- mem_hotplug_begin();
+-
+ switch (online_type) {
+ case MMOP_ONLINE_KERNEL:
+ case MMOP_ONLINE_MOVABLE:
+ case MMOP_ONLINE_KEEP:
++ /* mem->online_type is protected by device_hotplug_lock */
+ mem->online_type = online_type;
+ ret = device_online(&mem->dev);
+ break;
+@@ -364,7 +354,6 @@ store_mem_state(struct device *dev,
+ ret = -EINVAL; /* should never happen */
+ }
+
+- mem_hotplug_done();
+ err:
+ unlock_device_hotplug();
+
+diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
+index 0db85bffa3892..3a0a87e7c40ad 100644
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -846,7 +846,6 @@ static struct zone * __meminit move_pfn_range(int online_type, int nid,
+ return zone;
+ }
+
+-/* Must be protected by mem_hotplug_begin() or a device_lock */
+ int __ref online_pages(unsigned long pfn, unsigned long nr_pages, int online_type)
+ {
+ unsigned long flags;
+@@ -858,6 +857,8 @@ int __ref online_pages(unsigned long pfn, unsigned long nr_pages, int online_typ
+ struct memory_notify arg;
+ struct memory_block *mem;
+
++ mem_hotplug_begin();
++
+ /*
+ * We can't use pfn_to_nid() because nid might be stored in struct page
+ * which is not yet initialized. Instead, we find nid from memory block.
+@@ -923,6 +924,7 @@ int __ref online_pages(unsigned long pfn, unsigned long nr_pages, int online_typ
+
+ if (onlined_pages)
+ memory_notify(MEM_ONLINE, &arg);
++ mem_hotplug_done();
+ return 0;
+
+ failed_addition:
+@@ -930,6 +932,7 @@ int __ref online_pages(unsigned long pfn, unsigned long nr_pages, int online_typ
+ (unsigned long long) pfn << PAGE_SHIFT,
+ (((unsigned long long) pfn + nr_pages) << PAGE_SHIFT) - 1);
+ memory_notify(MEM_CANCEL_ONLINE, &arg);
++ mem_hotplug_done();
+ return ret;
+ }
+ #endif /* CONFIG_MEMORY_HOTPLUG_SPARSE */
+@@ -1134,20 +1137,20 @@ int __ref add_memory_resource(int nid, struct resource *res, bool online)
+ /* create new memmap entry */
+ firmware_map_add_hotplug(start, start + size, "System RAM");
+
++ /* device_online() will take the lock when calling online_pages() */
++ mem_hotplug_done();
++
+ /* online pages if requested */
+ if (online)
+ walk_memory_range(PFN_DOWN(start), PFN_UP(start + size - 1),
+ NULL, online_memory_block);
+
+- goto out;
+-
++ return ret;
+ error:
+ /* rollback pgdat allocation and others */
+ if (new_node)
+ rollback_node_hotadd(nid);
+ memblock_remove(start, size);
+-
+-out:
+ mem_hotplug_done();
+ return ret;
+ }
+@@ -1614,10 +1617,16 @@ static int __ref __offline_pages(unsigned long start_pfn,
+ return -EINVAL;
+ if (!IS_ALIGNED(end_pfn, pageblock_nr_pages))
+ return -EINVAL;
++
++ mem_hotplug_begin();
++
+ /* This makes hotplug much easier...and readable.
+ we assume this for now. .*/
+- if (!test_pages_in_a_zone(start_pfn, end_pfn, &valid_start, &valid_end))
++ if (!test_pages_in_a_zone(start_pfn, end_pfn, &valid_start,
++ &valid_end)) {
++ mem_hotplug_done();
+ return -EINVAL;
++ }
+
+ zone = page_zone(pfn_to_page(valid_start));
+ node = zone_to_nid(zone);
+@@ -1626,8 +1635,10 @@ static int __ref __offline_pages(unsigned long start_pfn,
+ /* set above range as isolated */
+ ret = start_isolate_page_range(start_pfn, end_pfn,
+ MIGRATE_MOVABLE, true);
+- if (ret)
++ if (ret) {
++ mem_hotplug_done();
+ return ret;
++ }
+
+ arg.start_pfn = start_pfn;
+ arg.nr_pages = nr_pages;
+@@ -1698,6 +1709,7 @@ static int __ref __offline_pages(unsigned long start_pfn,
+ writeback_set_ratelimit();
+
+ memory_notify(MEM_OFFLINE, &arg);
++ mem_hotplug_done();
+ return 0;
+
+ failed_removal:
+@@ -1707,10 +1719,10 @@ static int __ref __offline_pages(unsigned long start_pfn,
+ memory_notify(MEM_CANCEL_OFFLINE, &arg);
+ /* pushback to free area */
+ undo_isolate_page_range(start_pfn, end_pfn, MIGRATE_MOVABLE);
++ mem_hotplug_done();
+ return ret;
+ }
+
+-/* Must be protected by mem_hotplug_begin() or a device_lock */
+ int offline_pages(unsigned long start_pfn, unsigned long nr_pages)
+ {
+ return __offline_pages(start_pfn, start_pfn + nr_pages);
+--
+2.20.1
+
--- /dev/null
+From bf6f31b488da85ec238d01bcd949e93b392e78f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:10:24 -0700
+Subject: mm/memory_hotplug: make add_memory() take the device_hotplug_lock
+
+From: David Hildenbrand <david@redhat.com>
+
+[ Upstream commit 8df1d0e4a265f25dc1e7e7624ccdbcb4a6630c89 ]
+
+add_memory() currently does not take the device_hotplug_lock, however
+is aleady called under the lock from
+ arch/powerpc/platforms/pseries/hotplug-memory.c
+ drivers/acpi/acpi_memhotplug.c
+to synchronize against CPU hot-remove and similar.
+
+In general, we should hold the device_hotplug_lock when adding memory to
+synchronize against online/offline request (e.g. from user space) - which
+already resulted in lock inversions due to device_lock() and
+mem_hotplug_lock - see 30467e0b3be ("mm, hotplug: fix concurrent memory
+hot-add deadlock"). add_memory()/add_memory_resource() will create memory
+block devices, so this really feels like the right thing to do.
+
+Holding the device_hotplug_lock makes sure that a memory block device
+can really only be accessed (e.g. via .online/.state) from user space,
+once the memory has been fully added to the system.
+
+The lock is not held yet in
+ drivers/xen/balloon.c
+ arch/powerpc/platforms/powernv/memtrace.c
+ drivers/s390/char/sclp_cmd.c
+ drivers/hv/hv_balloon.c
+So, let's either use the locked variants or take the lock.
+
+Don't export add_memory_resource(), as it once was exported to be used by
+XEN, which is never built as a module. If somebody requires it, we also
+have to export a locked variant (as device_hotplug_lock is never
+exported).
+
+Link: http://lkml.kernel.org/r/20180925091457.28651-3-david@redhat.com
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Pavel Tatashin <pavel.tatashin@microsoft.com>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Rashmica Gupta <rashmica.g@gmail.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Len Brown <lenb@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Nathan Fontenot <nfont@linux.vnet.ibm.com>
+Cc: John Allen <jallen@linux.vnet.ibm.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Mathieu Malaterre <malat@debian.org>
+Cc: Pavel Tatashin <pavel.tatashin@microsoft.com>
+Cc: YASUAKI ISHIMATSU <yasu.isimatu@gmail.com>
+Cc: Balbir Singh <bsingharora@gmail.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Kate Stewart <kstewart@linuxfoundation.org>
+Cc: "K. Y. Srinivasan" <kys@microsoft.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Michael Neuling <mikey@neuling.org>
+Cc: Philippe Ombredanne <pombredanne@nexb.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../platforms/pseries/hotplug-memory.c | 2 +-
+ drivers/acpi/acpi_memhotplug.c | 2 +-
+ drivers/base/memory.c | 9 ++++++--
+ drivers/xen/balloon.c | 3 +++
+ include/linux/memory_hotplug.h | 1 +
+ mm/memory_hotplug.c | 22 ++++++++++++++++---
+ 6 files changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c
+index 2f166136bb50a..d93ff494e7781 100644
+--- a/arch/powerpc/platforms/pseries/hotplug-memory.c
++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c
+@@ -676,7 +676,7 @@ static int dlpar_add_lmb(struct drmem_lmb *lmb)
+ nid = memory_add_physaddr_to_nid(lmb->base_addr);
+
+ /* Add the memory */
+- rc = add_memory(nid, lmb->base_addr, block_sz);
++ rc = __add_memory(nid, lmb->base_addr, block_sz);
+ if (rc) {
+ invalidate_lmb_associativity_index(lmb);
+ return rc;
+diff --git a/drivers/acpi/acpi_memhotplug.c b/drivers/acpi/acpi_memhotplug.c
+index 6b0d3ef7309cb..2ccfbb61ca899 100644
+--- a/drivers/acpi/acpi_memhotplug.c
++++ b/drivers/acpi/acpi_memhotplug.c
+@@ -228,7 +228,7 @@ static int acpi_memory_enable_device(struct acpi_memory_device *mem_device)
+ if (node < 0)
+ node = memory_add_physaddr_to_nid(info->start_addr);
+
+- result = add_memory(node, info->start_addr, info->length);
++ result = __add_memory(node, info->start_addr, info->length);
+
+ /*
+ * If the memory block has been used by the kernel, add_memory()
+diff --git a/drivers/base/memory.c b/drivers/base/memory.c
+index 85ee64d0a44e9..07901cacfec63 100644
+--- a/drivers/base/memory.c
++++ b/drivers/base/memory.c
+@@ -519,15 +519,20 @@ memory_probe_store(struct device *dev, struct device_attribute *attr,
+ if (phys_addr & ((pages_per_block << PAGE_SHIFT) - 1))
+ return -EINVAL;
+
++ ret = lock_device_hotplug_sysfs();
++ if (ret)
++ goto out;
++
+ nid = memory_add_physaddr_to_nid(phys_addr);
+- ret = add_memory(nid, phys_addr,
+- MIN_MEMORY_BLOCK_SIZE * sections_per_block);
++ ret = __add_memory(nid, phys_addr,
++ MIN_MEMORY_BLOCK_SIZE * sections_per_block);
+
+ if (ret)
+ goto out;
+
+ ret = count;
+ out:
++ unlock_device_hotplug();
+ return ret;
+ }
+
+diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
+index d4e8b717ce2b2..747a15acbce37 100644
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -350,7 +350,10 @@ static enum bp_state reserve_additional_memory(void)
+ * callers drop the mutex before trying again.
+ */
+ mutex_unlock(&balloon_mutex);
++ /* add_memory_resource() requires the device_hotplug lock */
++ lock_device_hotplug();
+ rc = add_memory_resource(nid, resource, memhp_auto_online);
++ unlock_device_hotplug();
+ mutex_lock(&balloon_mutex);
+
+ if (rc) {
+diff --git a/include/linux/memory_hotplug.h b/include/linux/memory_hotplug.h
+index 34a28227068dc..16487052017d5 100644
+--- a/include/linux/memory_hotplug.h
++++ b/include/linux/memory_hotplug.h
+@@ -322,6 +322,7 @@ static inline void remove_memory(int nid, u64 start, u64 size) {}
+ extern void __ref free_area_init_core_hotplug(int nid);
+ extern int walk_memory_range(unsigned long start_pfn, unsigned long end_pfn,
+ void *arg, int (*func)(struct memory_block *, void *));
++extern int __add_memory(int nid, u64 start, u64 size);
+ extern int add_memory(int nid, u64 start, u64 size);
+ extern int add_memory_resource(int nid, struct resource *resource, bool online);
+ extern int arch_add_memory(int nid, u64 start, u64 size,
+diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
+index 7965112eb0635..0db85bffa3892 100644
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -1077,7 +1077,12 @@ static int online_memory_block(struct memory_block *mem, void *arg)
+ return device_online(&mem->dev);
+ }
+
+-/* we are OK calling __meminit stuff here - we have CONFIG_MEMORY_HOTPLUG */
++/*
++ * NOTE: The caller must call lock_device_hotplug() to serialize hotplug
++ * and online/offline operations (triggered e.g. by sysfs).
++ *
++ * we are OK calling __meminit stuff here - we have CONFIG_MEMORY_HOTPLUG
++ */
+ int __ref add_memory_resource(int nid, struct resource *res, bool online)
+ {
+ u64 start, size;
+@@ -1146,9 +1151,9 @@ int __ref add_memory_resource(int nid, struct resource *res, bool online)
+ mem_hotplug_done();
+ return ret;
+ }
+-EXPORT_SYMBOL_GPL(add_memory_resource);
+
+-int __ref add_memory(int nid, u64 start, u64 size)
++/* requires device_hotplug_lock, see add_memory_resource() */
++int __ref __add_memory(int nid, u64 start, u64 size)
+ {
+ struct resource *res;
+ int ret;
+@@ -1162,6 +1167,17 @@ int __ref add_memory(int nid, u64 start, u64 size)
+ release_memory_resource(res);
+ return ret;
+ }
++
++int add_memory(int nid, u64 start, u64 size)
++{
++ int rc;
++
++ lock_device_hotplug();
++ rc = __add_memory(nid, start, size);
++ unlock_device_hotplug();
++
++ return rc;
++}
+ EXPORT_SYMBOL_GPL(add_memory);
+
+ #ifdef CONFIG_MEMORY_HOTREMOVE
+--
+2.20.1
+
--- /dev/null
+From fa06d164597ceff116ac818d4c44d4973c627bc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Oct 2018 15:09:45 -0700
+Subject: mm/page-writeback.c: fix range_cyclic writeback vs writepages
+ deadlock
+
+From: Dave Chinner <dchinner@redhat.com>
+
+[ Upstream commit 64081362e8ff4587b4554087f3cfc73d3e0a4cd7 ]
+
+We've recently seen a workload on XFS filesystems with a repeatable
+deadlock between background writeback and a multi-process application
+doing concurrent writes and fsyncs to a small range of a file.
+
+range_cyclic
+writeback Process 1 Process 2
+
+xfs_vm_writepages
+ write_cache_pages
+ writeback_index = 2
+ cycled = 0
+ ....
+ find page 2 dirty
+ lock Page 2
+ ->writepage
+ page 2 writeback
+ page 2 clean
+ page 2 added to bio
+ no more pages
+ write()
+ locks page 1
+ dirties page 1
+ locks page 2
+ dirties page 1
+ fsync()
+ ....
+ xfs_vm_writepages
+ write_cache_pages
+ start index 0
+ find page 1 towrite
+ lock Page 1
+ ->writepage
+ page 1 writeback
+ page 1 clean
+ page 1 added to bio
+ find page 2 towrite
+ lock Page 2
+ page 2 is writeback
+ <blocks>
+ write()
+ locks page 1
+ dirties page 1
+ fsync()
+ ....
+ xfs_vm_writepages
+ write_cache_pages
+ start index 0
+
+ !done && !cycled
+ sets index to 0, restarts lookup
+ find page 1 dirty
+ find page 1 towrite
+ lock Page 1
+ page 1 is writeback
+ <blocks>
+
+ lock Page 1
+ <blocks>
+
+DEADLOCK because:
+
+ - process 1 needs page 2 writeback to complete to make
+ enough progress to issue IO pending for page 1
+ - writeback needs page 1 writeback to complete so process 2
+ can progress and unlock the page it is blocked on, then it
+ can issue the IO pending for page 2
+ - process 2 can't make progress until process 1 issues IO
+ for page 1
+
+The underlying cause of the problem here is that range_cyclic writeback is
+processing pages in descending index order as we hold higher index pages
+in a structure controlled from above write_cache_pages(). The
+write_cache_pages() caller needs to be able to submit these pages for IO
+before write_cache_pages restarts writeback at mapping index 0 to avoid
+wcp inverting the page lock/writeback wait order.
+
+generic_writepages() is not susceptible to this bug as it has no private
+context held across write_cache_pages() - filesystems using this
+infrastructure always submit pages in ->writepage immediately and so there
+is no problem with range_cyclic going back to mapping index 0.
+
+However:
+ mpage_writepages() has a private bio context,
+ exofs_writepages() has page_collect
+ fuse_writepages() has fuse_fill_wb_data
+ nfs_writepages() has nfs_pageio_descriptor
+ xfs_vm_writepages() has xfs_writepage_ctx
+
+All of these ->writepages implementations can hold pages under writeback
+in their private structures until write_cache_pages() returns, and hence
+they are all susceptible to this deadlock.
+
+Also worth noting is that ext4 has it's own bastardised version of
+write_cache_pages() and so it /may/ have an equivalent deadlock. I looked
+at the code long enough to understand that it has a similar retry loop for
+range_cyclic writeback reaching the end of the file and then promptly ran
+away before my eyes bled too much. I'll leave it for the ext4 developers
+to determine if their code is actually has this deadlock and how to fix it
+if it has.
+
+There's a few ways I can see avoid this deadlock. There's probably more,
+but these are the first I've though of:
+
+1. get rid of range_cyclic altogether
+
+2. range_cyclic always stops at EOF, and we start again from
+writeback index 0 on the next call into write_cache_pages()
+
+2a. wcp also returns EAGAIN to ->writepages implementations to
+indicate range cyclic has hit EOF. writepages implementations can
+then flush the current context and call wpc again to continue. i.e.
+lift the retry into the ->writepages implementation
+
+3. range_cyclic uses trylock_page() rather than lock_page(), and it
+skips pages it can't lock without blocking. It will already do this
+for pages under writeback, so this seems like a no-brainer
+
+3a. all non-WB_SYNC_ALL writeback uses trylock_page() to avoid
+blocking as per pages under writeback.
+
+I don't think #1 is an option - range_cyclic prevents frequently
+dirtied lower file offset from starving background writeback of
+rarely touched higher file offsets.
+
+#2 is simple, and I don't think it will have any impact on
+performance as going back to the start of the file implies an
+immediate seek. We'll have exactly the same number of seeks if we
+switch writeback to another inode, and then come back to this one
+later and restart from index 0.
+
+#2a is pretty much "status quo without the deadlock". Moving the
+retry loop up into the wcp caller means we can issue IO on the
+pending pages before calling wcp again, and so avoid locking or
+waiting on pages in the wrong order. I'm not convinced we need to do
+this given that we get the same thing from #2 on the next writeback
+call from the writeback infrastructure.
+
+#3 is really just a band-aid - it doesn't fix the access/wait
+inversion problem, just prevents it from becoming a deadlock
+situation. I'd prefer we fix the inversion, not sweep it under the
+carpet like this.
+
+#3a is really an optimisation that just so happens to include the
+band-aid fix of #3.
+
+So it seems that the simplest way to fix this issue is to implement
+solution #2
+
+Link: http://lkml.kernel.org/r/20181005054526.21507-1-david@fromorbit.com
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Jan Kara <jack@suse.de>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/page-writeback.c | 33 +++++++++++++++------------------
+ 1 file changed, 15 insertions(+), 18 deletions(-)
+
+diff --git a/mm/page-writeback.c b/mm/page-writeback.c
+index ea4fd3af3b4bd..43df0c52e1ccb 100644
+--- a/mm/page-writeback.c
++++ b/mm/page-writeback.c
+@@ -2149,6 +2149,13 @@ EXPORT_SYMBOL(tag_pages_for_writeback);
+ * not miss some pages (e.g., because some other process has cleared TOWRITE
+ * tag we set). The rule we follow is that TOWRITE tag can be cleared only
+ * by the process clearing the DIRTY tag (and submitting the page for IO).
++ *
++ * To avoid deadlocks between range_cyclic writeback and callers that hold
++ * pages in PageWriteback to aggregate IO until write_cache_pages() returns,
++ * we do not loop back to the start of the file. Doing so causes a page
++ * lock/page writeback access order inversion - we should only ever lock
++ * multiple pages in ascending page->index order, and looping back to the start
++ * of the file violates that rule and causes deadlocks.
+ */
+ int write_cache_pages(struct address_space *mapping,
+ struct writeback_control *wbc, writepage_t writepage,
+@@ -2163,7 +2170,6 @@ int write_cache_pages(struct address_space *mapping,
+ pgoff_t index;
+ pgoff_t end; /* Inclusive */
+ pgoff_t done_index;
+- int cycled;
+ int range_whole = 0;
+ int tag;
+
+@@ -2171,23 +2177,17 @@ int write_cache_pages(struct address_space *mapping,
+ if (wbc->range_cyclic) {
+ writeback_index = mapping->writeback_index; /* prev offset */
+ index = writeback_index;
+- if (index == 0)
+- cycled = 1;
+- else
+- cycled = 0;
+ end = -1;
+ } else {
+ index = wbc->range_start >> PAGE_SHIFT;
+ end = wbc->range_end >> PAGE_SHIFT;
+ if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX)
+ range_whole = 1;
+- cycled = 1; /* ignore range_cyclic tests */
+ }
+ if (wbc->sync_mode == WB_SYNC_ALL || wbc->tagged_writepages)
+ tag = PAGECACHE_TAG_TOWRITE;
+ else
+ tag = PAGECACHE_TAG_DIRTY;
+-retry:
+ if (wbc->sync_mode == WB_SYNC_ALL || wbc->tagged_writepages)
+ tag_pages_for_writeback(mapping, index, end);
+ done_index = index;
+@@ -2279,17 +2279,14 @@ int write_cache_pages(struct address_space *mapping,
+ pagevec_release(&pvec);
+ cond_resched();
+ }
+- if (!cycled && !done) {
+- /*
+- * range_cyclic:
+- * We hit the last page and there is more work to be done: wrap
+- * back to the start of the file
+- */
+- cycled = 1;
+- index = 0;
+- end = writeback_index - 1;
+- goto retry;
+- }
++
++ /*
++ * If we hit the last page and there is more work to be done: wrap
++ * back the index back to the start of the file for the next
++ * time we are called.
++ */
++ if (wbc->range_cyclic && !done)
++ done_index = 0;
+ if (wbc->range_cyclic || (range_whole && wbc->nr_to_write > 0))
+ mapping->writeback_index = done_index;
+
+--
+2.20.1
+
--- /dev/null
+From d063d2d7417e4a30c5f449eeb300b39ebf1c1287 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2019 17:35:00 -0800
+Subject: mm/page_io.c: do not free shared swap slots
+
+From: Vinayak Menon <vinmenon@codeaurora.org>
+
+[ Upstream commit 5df373e95689b9519b8557da7c5bd0db0856d776 ]
+
+The following race is observed due to which a processes faulting on a
+swap entry, finds the page neither in swapcache nor swap. This causes
+zram to give a zero filled page that gets mapped to the process,
+resulting in a user space crash later.
+
+Consider parent and child processes Pa and Pb sharing the same swap slot
+with swap_count 2. Swap is on zram with SWP_SYNCHRONOUS_IO set.
+Virtual address 'VA' of Pa and Pb points to the shared swap entry.
+
+Pa Pb
+
+fault on VA fault on VA
+do_swap_page do_swap_page
+lookup_swap_cache fails lookup_swap_cache fails
+ Pb scheduled out
+swapin_readahead (deletes zram entry)
+swap_free (makes swap_count 1)
+ Pb scheduled in
+ swap_readpage (swap_count == 1)
+ Takes SWP_SYNCHRONOUS_IO path
+ zram enrty absent
+ zram gives a zero filled page
+
+Fix this by making sure that swap slot is freed only when swap count
+drops down to one.
+
+Link: http://lkml.kernel.org/r/1571743294-14285-1-git-send-email-vinmenon@codeaurora.org
+Fixes: aa8d22a11da9 ("mm: swap: SWP_SYNCHRONOUS_IO: skip swapcache only if swapped page has no other reference")
+Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
+Suggested-by: Minchan Kim <minchan@google.com>
+Acked-by: Minchan Kim <minchan@kernel.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/page_io.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/mm/page_io.c b/mm/page_io.c
+index aafd19ec1db46..08d2eae58fcee 100644
+--- a/mm/page_io.c
++++ b/mm/page_io.c
+@@ -76,6 +76,7 @@ static void swap_slot_free_notify(struct page *page)
+ {
+ struct swap_info_struct *sis;
+ struct gendisk *disk;
++ swp_entry_t entry;
+
+ /*
+ * There is no guarantee that the page is in swap cache - the software
+@@ -107,11 +108,11 @@ static void swap_slot_free_notify(struct page *page)
+ * we again wish to reclaim it.
+ */
+ disk = sis->bdev->bd_disk;
+- if (disk->fops->swap_slot_free_notify) {
+- swp_entry_t entry;
++ entry.val = page_private(page);
++ if (disk->fops->swap_slot_free_notify &&
++ __swap_count(sis, entry) == 1) {
+ unsigned long offset;
+
+- entry.val = page_private(page);
+ offset = swp_offset(entry);
+
+ SetPageDirty(page);
+--
+2.20.1
+
--- /dev/null
+From 178698eaf168ac33573f10696b56428d3edd84be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Oct 2018 15:10:36 -0700
+Subject: mm: thp: fix MADV_DONTNEED vs migrate_misplaced_transhuge_page race
+ condition
+
+From: Andrea Arcangeli <aarcange@redhat.com>
+
+[ Upstream commit d7c3393413fe7e7dc54498ea200ea94742d61e18 ]
+
+Patch series "migrate_misplaced_transhuge_page race conditions".
+
+Aaron found a new instance of the THP MADV_DONTNEED race against
+pmdp_clear_flush* variants, that was apparently left unfixed.
+
+While looking into the race found by Aaron, I may have found two more
+issues in migrate_misplaced_transhuge_page.
+
+These race conditions would not cause kernel instability, but they'd
+corrupt userland data or leave data non zero after MADV_DONTNEED.
+
+I did only minor testing, and I don't expect to be able to reproduce this
+(especially the lack of ->invalidate_range before migrate_page_copy,
+requires the latest iommu hardware or infiniband to reproduce). The last
+patch is noop for x86 and it needs further review from maintainers of
+archs that implement flush_cache_range() (not in CC yet).
+
+To avoid confusion, it's not the first patch that introduces the bug fixed
+in the second patch, even before removing the
+pmdp_huge_clear_flush_notify, that _notify suffix was called after
+migrate_page_copy already run.
+
+This patch (of 3):
+
+This is a corollary of ced108037c2aa ("thp: fix MADV_DONTNEED vs. numa
+balancing race"), 58ceeb6bec8 ("thp: fix MADV_DONTNEED vs. MADV_FREE
+race") and 5b7abeae3af8c ("thp: fix MADV_DONTNEED vs clear soft dirty
+race).
+
+When the above three fixes where posted Dave asked
+https://lkml.kernel.org/r/929b3844-aec2-0111-fef7-8002f9d4e2b9@intel.com
+but apparently this was missed.
+
+The pmdp_clear_flush* in migrate_misplaced_transhuge_page() was introduced
+in a54a407fbf7 ("mm: Close races between THP migration and PMD numa
+clearing").
+
+The important part of such commit is only the part where the page lock is
+not released until the first do_huge_pmd_numa_page() finished disarming
+the pagenuma/protnone.
+
+The addition of pmdp_clear_flush() wasn't beneficial to such commit and
+there's no commentary about such an addition either.
+
+I guess the pmdp_clear_flush() in such commit was added just in case for
+safety, but it ended up introducing the MADV_DONTNEED race condition found
+by Aaron.
+
+At that point in time nobody thought of such kind of MADV_DONTNEED race
+conditions yet (they were fixed later) so the code may have looked more
+robust by adding the pmdp_clear_flush().
+
+This specific race condition won't destabilize the kernel, but it can
+confuse userland because after MADV_DONTNEED the memory won't be zeroed
+out.
+
+This also optimizes the code and removes a superfluous TLB flush.
+
+[akpm@linux-foundation.org: reflow comment to 80 cols, fix grammar and typo (beacuse)]
+Link: http://lkml.kernel.org/r/20181013002430.698-2-aarcange@redhat.com
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+Reported-by: Aaron Tomlin <atomlin@redhat.com>
+Acked-by: Mel Gorman <mgorman@suse.de>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Jerome Glisse <jglisse@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/migrate.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/mm/migrate.c b/mm/migrate.c
+index 0c48191a90368..4d3588c012034 100644
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -2048,15 +2048,26 @@ int migrate_misplaced_transhuge_page(struct mm_struct *mm,
+ entry = maybe_pmd_mkwrite(pmd_mkdirty(entry), vma);
+
+ /*
+- * Clear the old entry under pagetable lock and establish the new PTE.
+- * Any parallel GUP will either observe the old page blocking on the
+- * page lock, block on the page table lock or observe the new page.
+- * The SetPageUptodate on the new page and page_add_new_anon_rmap
+- * guarantee the copy is visible before the pagetable update.
++ * Overwrite the old entry under pagetable lock and establish
++ * the new PTE. Any parallel GUP will either observe the old
++ * page blocking on the page lock, block on the page table
++ * lock or observe the new page. The SetPageUptodate on the
++ * new page and page_add_new_anon_rmap guarantee the copy is
++ * visible before the pagetable update.
+ */
+ flush_cache_range(vma, mmun_start, mmun_end);
+ page_add_anon_rmap(new_page, vma, mmun_start, true);
+- pmdp_huge_clear_flush_notify(vma, mmun_start, pmd);
++ /*
++ * At this point the pmd is numa/protnone (i.e. non present) and the TLB
++ * has already been flushed globally. So no TLB can be currently
++ * caching this non present pmd mapping. There's no need to clear the
++ * pmd before doing set_pmd_at(), nor to flush the TLB after
++ * set_pmd_at(). Clearing the pmd here would introduce a race
++ * condition against MADV_DONTNEED, because MADV_DONTNEED only holds the
++ * mmap_sem for reading. If the pmd is set to NULL at any given time,
++ * MADV_DONTNEED won't wait on the pmd lock and it'll skip clearing this
++ * pmd.
++ */
+ set_pmd_at(mm, mmun_start, pmd, entry);
+ update_mmu_cache_pmd(vma, address, &entry);
+
+@@ -2070,7 +2081,7 @@ int migrate_misplaced_transhuge_page(struct mm_struct *mm,
+ * No need to double call mmu_notifier->invalidate_range() callback as
+ * the above pmdp_huge_clear_flush_notify() did already call it.
+ */
+- mmu_notifier_invalidate_range_only_end(mm, mmun_start, mmun_end);
++ mmu_notifier_invalidate_range_end(mm, mmun_start, mmun_end);
+
+ /* Take an "isolate" reference and put new page on the LRU. */
+ get_page(new_page);
+--
+2.20.1
+
--- /dev/null
+From c8acf7ffca78e4249cfbc04ae3f0d50f176dd7e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Oct 2018 15:20:46 +0800
+Subject: mmc: mediatek: fill the actual clock for mmc debugfs
+
+From: Chaotian Jing <chaotian.jing@mediatek.com>
+
+[ Upstream commit 56f6cbbed0463f1c78d602b17c315916cc1cd238 ]
+
+as the mmc core layer has the mmc->actual_clock, so fill it
+and drop msdc_host->sclk.
+
+Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mtk-sd.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
+index f171cce5197de..621c914dc5c01 100644
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -390,7 +390,6 @@ struct msdc_host {
+ struct clk *src_clk_cg; /* msdc source clock control gate */
+ u32 mclk; /* mmc subsystem clock frequency */
+ u32 src_clk_freq; /* source clock frequency */
+- u32 sclk; /* SD/MS bus clock frequency */
+ unsigned char timing;
+ bool vqmmc_enabled;
+ u32 latch_ck;
+@@ -635,10 +634,10 @@ static void msdc_set_timeout(struct msdc_host *host, u32 ns, u32 clks)
+
+ host->timeout_ns = ns;
+ host->timeout_clks = clks;
+- if (host->sclk == 0) {
++ if (host->mmc->actual_clock == 0) {
+ timeout = 0;
+ } else {
+- clk_ns = 1000000000UL / host->sclk;
++ clk_ns = 1000000000UL / host->mmc->actual_clock;
+ timeout = (ns + clk_ns - 1) / clk_ns + clks;
+ /* in 1048576 sclk cycle unit */
+ timeout = (timeout + (0x1 << 20) - 1) >> 20;
+@@ -683,6 +682,7 @@ static void msdc_set_mclk(struct msdc_host *host, unsigned char timing, u32 hz)
+ if (!hz) {
+ dev_dbg(host->dev, "set mclk to 0\n");
+ host->mclk = 0;
++ host->mmc->actual_clock = 0;
+ sdr_clr_bits(host->base + MSDC_CFG, MSDC_CFG_CKPDN);
+ return;
+ }
+@@ -761,7 +761,7 @@ static void msdc_set_mclk(struct msdc_host *host, unsigned char timing, u32 hz)
+ while (!(readl(host->base + MSDC_CFG) & MSDC_CFG_CKSTB))
+ cpu_relax();
+ sdr_set_bits(host->base + MSDC_CFG, MSDC_CFG_CKPDN);
+- host->sclk = sclk;
++ host->mmc->actual_clock = sclk;
+ host->mclk = hz;
+ host->timing = timing;
+ /* need because clk changed. */
+@@ -772,7 +772,7 @@ static void msdc_set_mclk(struct msdc_host *host, unsigned char timing, u32 hz)
+ * mmc_select_hs400() will drop to 50Mhz and High speed mode,
+ * tune result of hs200/200Mhz is not suitable for 50Mhz
+ */
+- if (host->sclk <= 52000000) {
++ if (host->mmc->actual_clock <= 52000000) {
+ writel(host->def_tune_para.iocon, host->base + MSDC_IOCON);
+ writel(host->def_tune_para.pad_tune, host->base + tune_reg);
+ } else {
+@@ -787,7 +787,8 @@ static void msdc_set_mclk(struct msdc_host *host, unsigned char timing, u32 hz)
+ sdr_set_field(host->base + tune_reg,
+ MSDC_PAD_TUNE_CMDRRDLY,
+ host->hs400_cmd_int_delay);
+- dev_dbg(host->dev, "sclk: %d, timing: %d\n", host->sclk, timing);
++ dev_dbg(host->dev, "sclk: %d, timing: %d\n", host->mmc->actual_clock,
++ timing);
+ }
+
+ static inline u32 msdc_cmd_find_resp(struct msdc_host *host,
+--
+2.20.1
+
--- /dev/null
+From 3542124aab42f3839cfe96219bbd9d7a70f72cdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Oct 2018 15:20:47 +0800
+Subject: mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready
+ fail
+
+From: Chaotian Jing <chaotian.jing@mediatek.com>
+
+[ Upstream commit f38a9774ddde9d79b3487dd888edd8b8623552af ]
+
+when msdc_cmd_is_ready return fail, the req_timeout work has not been
+inited and cancel_delayed_work() will return false, then, the request
+return directly and never call mmc_request_done().
+
+so need call mod_delayed_work() before msdc_cmd_is_ready()
+
+Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mtk-sd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
+index 621c914dc5c01..673f6a9616cd9 100644
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -1056,6 +1056,7 @@ static void msdc_start_command(struct msdc_host *host,
+ WARN_ON(host->cmd);
+ host->cmd = cmd;
+
++ mod_delayed_work(system_wq, &host->req_timeout, DAT_TIMEOUT);
+ if (!msdc_cmd_is_ready(host, mrq, cmd))
+ return;
+
+@@ -1067,7 +1068,6 @@ static void msdc_start_command(struct msdc_host *host,
+
+ cmd->error = 0;
+ rawcmd = msdc_cmd_prepare_raw_cmd(host, mrq, cmd);
+- mod_delayed_work(system_wq, &host->req_timeout, DAT_TIMEOUT);
+
+ sdr_set_bits(host->base + MSDC_INTEN, cmd_ints_mask);
+ writel(cmd->arg, host->base + SDC_ARG);
+--
+2.20.1
+
--- /dev/null
+From 164f766b70aa86081aa8bc55e51cfab786bb629b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Oct 2018 10:39:24 +0200
+Subject: mt76: do not store aggregation sequence number for null-data frames
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 5155938d8a0fe0e0251435cae02539e81fb8e407 ]
+
+Fixes a rare corner case where a BlockAckReq might get the wrong
+sequence number.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/tx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c
+index 20447fdce4c33..227e5ebfe3dc2 100644
+--- a/drivers/net/wireless/mediatek/mt76/tx.c
++++ b/drivers/net/wireless/mediatek/mt76/tx.c
+@@ -148,7 +148,8 @@ mt76_check_agg_ssn(struct mt76_txq *mtxq, struct sk_buff *skb)
+ {
+ struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
+
+- if (!ieee80211_is_data_qos(hdr->frame_control))
++ if (!ieee80211_is_data_qos(hdr->frame_control) ||
++ !ieee80211_is_data_present(hdr->frame_control))
+ return;
+
+ mtxq->agg_ssn = le16_to_cpu(hdr->seq_ctrl) + 0x10;
+--
+2.20.1
+
--- /dev/null
+From b2721a62c6bb4bffa2f381d5232a15113d46fd60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Oct 2018 10:57:06 +0200
+Subject: mt76x0: phy: fix restore phase in mt76x0_phy_recalibrate_after_assoc
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+[ Upstream commit 4df942733fd26d9378a4a00619be348c771e0190 ]
+
+Fix restore value configured in MT_BBP(IBI, 9) register in
+mt76x0_phy_recalibrate_after_assoc routine.
+
+Fixes: 10de7a8b4ab9 ("mt76x0: phy files")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76x0/phy.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76x0/phy.c b/drivers/net/wireless/mediatek/mt76/mt76x0/phy.c
+index 14e8c575f6c3e..924c761f34fd9 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76x0/phy.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x0/phy.c
+@@ -793,9 +793,8 @@ void mt76x0_phy_recalibrate_after_assoc(struct mt76x0_dev *dev)
+ mt76_wr(dev, MT_TX_ALC_CFG_0, 0);
+ usleep_range(500, 700);
+
+- reg_val = mt76_rr(dev, 0x2124);
+- reg_val &= 0xffffff7e;
+- mt76_wr(dev, 0x2124, reg_val);
++ reg_val = mt76_rr(dev, MT_BBP(IBI, 9));
++ mt76_wr(dev, MT_BBP(IBI, 9), 0xffffff7e);
+
+ mt76x0_mcu_calibrate(dev, MCU_CAL_RXDCOC, 0);
+
+@@ -806,7 +805,7 @@ void mt76x0_phy_recalibrate_after_assoc(struct mt76x0_dev *dev)
+ mt76x0_mcu_calibrate(dev, MCU_CAL_RXIQ, is_5ghz);
+ mt76x0_mcu_calibrate(dev, MCU_CAL_RX_GROUP_DELAY, is_5ghz);
+
+- mt76_wr(dev, 0x2124, reg_val);
++ mt76_wr(dev, MT_BBP(IBI, 9), reg_val);
+ mt76_wr(dev, MT_TX_ALC_CFG_0, tx_alc);
+ msleep(100);
+
+--
+2.20.1
+
--- /dev/null
+From 3b4dac79b1f5693bf5525bae47aea8580b086aeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Feb 2019 15:59:38 +0200
+Subject: mwifiex: Fix NL80211_TX_POWER_LIMITED
+
+From: Adrian Bunk <bunk@kernel.org>
+
+[ Upstream commit 65a576e27309120e0621f54d5c81eb9128bd56be ]
+
+NL80211_TX_POWER_LIMITED was treated as NL80211_TX_POWER_AUTOMATIC,
+which is the opposite of what should happen and can cause nasty
+regulatory problems.
+
+if/else converted to a switch without default to make gcc warn
+on unhandled enum values.
+
+Signed-off-by: Adrian Bunk <bunk@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/cfg80211.c | 13 +++++++++++--
+ drivers/net/wireless/marvell/mwifiex/ioctl.h | 1 +
+ drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 11 +++++++----
+ 3 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+index 47ec5293c045d..7b74ef71bef1d 100644
+--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+@@ -376,11 +376,20 @@ mwifiex_cfg80211_set_tx_power(struct wiphy *wiphy,
+ struct mwifiex_power_cfg power_cfg;
+ int dbm = MBM_TO_DBM(mbm);
+
+- if (type == NL80211_TX_POWER_FIXED) {
++ switch (type) {
++ case NL80211_TX_POWER_FIXED:
+ power_cfg.is_power_auto = 0;
++ power_cfg.is_power_fixed = 1;
+ power_cfg.power_level = dbm;
+- } else {
++ break;
++ case NL80211_TX_POWER_LIMITED:
++ power_cfg.is_power_auto = 0;
++ power_cfg.is_power_fixed = 0;
++ power_cfg.power_level = dbm;
++ break;
++ case NL80211_TX_POWER_AUTOMATIC:
+ power_cfg.is_power_auto = 1;
++ break;
+ }
+
+ priv = mwifiex_get_priv(adapter, MWIFIEX_BSS_ROLE_ANY);
+diff --git a/drivers/net/wireless/marvell/mwifiex/ioctl.h b/drivers/net/wireless/marvell/mwifiex/ioctl.h
+index 48e154e1865df..0dd592ea6e833 100644
+--- a/drivers/net/wireless/marvell/mwifiex/ioctl.h
++++ b/drivers/net/wireless/marvell/mwifiex/ioctl.h
+@@ -267,6 +267,7 @@ struct mwifiex_ds_encrypt_key {
+
+ struct mwifiex_power_cfg {
+ u32 is_power_auto;
++ u32 is_power_fixed;
+ u32 power_level;
+ };
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+index 843d65bba1811..74e50566db1f2 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+@@ -688,6 +688,9 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv,
+ txp_cfg = (struct host_cmd_ds_txpwr_cfg *) buf;
+ txp_cfg->action = cpu_to_le16(HostCmd_ACT_GEN_SET);
+ if (!power_cfg->is_power_auto) {
++ u16 dbm_min = power_cfg->is_power_fixed ?
++ dbm : priv->min_tx_power_level;
++
+ txp_cfg->mode = cpu_to_le32(1);
+ pg_tlv = (struct mwifiex_types_power_group *)
+ (buf + sizeof(struct host_cmd_ds_txpwr_cfg));
+@@ -702,7 +705,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv,
+ pg->last_rate_code = 0x03;
+ pg->modulation_class = MOD_CLASS_HR_DSSS;
+ pg->power_step = 0;
+- pg->power_min = (s8) dbm;
++ pg->power_min = (s8) dbm_min;
+ pg->power_max = (s8) dbm;
+ pg++;
+ /* Power group for modulation class OFDM */
+@@ -710,7 +713,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv,
+ pg->last_rate_code = 0x07;
+ pg->modulation_class = MOD_CLASS_OFDM;
+ pg->power_step = 0;
+- pg->power_min = (s8) dbm;
++ pg->power_min = (s8) dbm_min;
+ pg->power_max = (s8) dbm;
+ pg++;
+ /* Power group for modulation class HTBW20 */
+@@ -718,7 +721,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv,
+ pg->last_rate_code = 0x20;
+ pg->modulation_class = MOD_CLASS_HT;
+ pg->power_step = 0;
+- pg->power_min = (s8) dbm;
++ pg->power_min = (s8) dbm_min;
+ pg->power_max = (s8) dbm;
+ pg->ht_bandwidth = HT_BW_20;
+ pg++;
+@@ -727,7 +730,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv,
+ pg->last_rate_code = 0x20;
+ pg->modulation_class = MOD_CLASS_HT;
+ pg->power_step = 0;
+- pg->power_min = (s8) dbm;
++ pg->power_min = (s8) dbm_min;
+ pg->power_max = (s8) dbm;
+ pg->ht_bandwidth = HT_BW_40;
+ }
+--
+2.20.1
+
--- /dev/null
+From 1b16423a6a5fa14682ce3d6bb1f57b5877212055 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Oct 2018 10:24:14 +0800
+Subject: nds32: Fix bug in bitfield.h
+
+From: Nickhu <nickhu@andestech.com>
+
+[ Upstream commit 9aaafac8cffa1c1edb66e19a63841b7c86be07ca ]
+
+There two bitfield bug for perfomance counter
+in bitfield.h:
+
+ PFM_CTL_offSEL1 21 --> 16
+ PFM_CTL_offSEL2 27 --> 22
+
+This commit fix it.
+
+Signed-off-by: Nickhu <nickhu@andestech.com>
+Acked-by: Greentime Hu <greentime@andestech.com>
+Signed-off-by: Greentime Hu <greentime@andestech.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/nds32/include/asm/bitfield.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/nds32/include/asm/bitfield.h b/arch/nds32/include/asm/bitfield.h
+index 8e84fc385b946..19b2841219adf 100644
+--- a/arch/nds32/include/asm/bitfield.h
++++ b/arch/nds32/include/asm/bitfield.h
+@@ -692,8 +692,8 @@
+ #define PFM_CTL_offKU1 13 /* Enable user mode event counting for PFMC1 */
+ #define PFM_CTL_offKU2 14 /* Enable user mode event counting for PFMC2 */
+ #define PFM_CTL_offSEL0 15 /* The event selection for PFMC0 */
+-#define PFM_CTL_offSEL1 21 /* The event selection for PFMC1 */
+-#define PFM_CTL_offSEL2 27 /* The event selection for PFMC2 */
++#define PFM_CTL_offSEL1 16 /* The event selection for PFMC1 */
++#define PFM_CTL_offSEL2 22 /* The event selection for PFMC2 */
+ /* bit 28:31 reserved */
+
+ #define PFM_CTL_mskEN0 ( 0x01 << PFM_CTL_offEN0 )
+--
+2.20.1
+
--- /dev/null
+From 37b0d20affe3adcce67b5447f7aae176ca422378 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Nov 2018 02:08:43 +0000
+Subject: net: bcmgenet: return correct value 'ret' from bcmgenet_power_down
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 0db55093b56618088b9a1d445eb6e43b311bea33 ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+drivers/net/ethernet/broadcom/genet/bcmgenet.c: In function 'bcmgenet_power_down':
+drivers/net/ethernet/broadcom/genet/bcmgenet.c:1136:6: warning:
+ variable 'ret' set but not used [-Wunused-but-set-variable]
+
+bcmgenet_power_down should return 'ret' instead of 0.
+
+Fixes: ca8cf341903f ("net: bcmgenet: propagate errors from bcmgenet_power_down")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index bb60104b4f805..338d223804343 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -1169,7 +1169,7 @@ static int bcmgenet_power_down(struct bcmgenet_priv *priv,
+ break;
+ }
+
+- return 0;
++ return ret;
+ }
+
+ static void bcmgenet_power_up(struct bcmgenet_priv *priv,
+--
+2.20.1
+
--- /dev/null
+From 4ee7a0e6dab7a57b79646b8e077a69a7a180ba13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Nov 2018 22:31:41 +0900
+Subject: net: bpfilter: fix iptables failure if bpfilter_umh is disabled
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 97adaddaa6db7a8af81b9b11e30cbe3628cd6700 ]
+
+When iptables command is executed, ip_{set/get}sockopt() try to upload
+bpfilter.ko if bpfilter is enabled. if it couldn't find bpfilter.ko,
+command is failed.
+bpfilter.ko is generated if CONFIG_BPFILTER_UMH is enabled.
+ip_{set/get}sockopt() only checks CONFIG_BPFILTER.
+So that if CONFIG_BPFILTER is enabled and CONFIG_BPFILTER_UMH is disabled,
+iptables command is always failed.
+
+test config:
+ CONFIG_BPFILTER=y
+ # CONFIG_BPFILTER_UMH is not set
+
+test command:
+ %iptables -L
+ iptables: No chain/target/match by that name.
+
+Fixes: d2ba09c17a06 ("net: add skeleton of bpfilter kernel module")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_sockglue.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index b7a26120d5521..82f341e84faec 100644
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -1244,7 +1244,7 @@ int ip_setsockopt(struct sock *sk, int level,
+ return -ENOPROTOOPT;
+
+ err = do_ip_setsockopt(sk, level, optname, optval, optlen);
+-#ifdef CONFIG_BPFILTER
++#if IS_ENABLED(CONFIG_BPFILTER_UMH)
+ if (optname >= BPFILTER_IPT_SO_SET_REPLACE &&
+ optname < BPFILTER_IPT_SET_MAX)
+ err = bpfilter_ip_set_sockopt(sk, optname, optval, optlen);
+@@ -1557,7 +1557,7 @@ int ip_getsockopt(struct sock *sk, int level,
+ int err;
+
+ err = do_ip_getsockopt(sk, level, optname, optval, optlen, 0);
+-#ifdef CONFIG_BPFILTER
++#if IS_ENABLED(CONFIG_BPFILTER_UMH)
+ if (optname >= BPFILTER_IPT_SO_GET_INFO &&
+ optname < BPFILTER_IPT_GET_MAX)
+ err = bpfilter_ip_get_sockopt(sk, optname, optval, optlen);
+@@ -1594,7 +1594,7 @@ int compat_ip_getsockopt(struct sock *sk, int level, int optname,
+ err = do_ip_getsockopt(sk, level, optname, optval, optlen,
+ MSG_CMSG_COMPAT);
+
+-#ifdef CONFIG_BPFILTER
++#if IS_ENABLED(CONFIG_BPFILTER_UMH)
+ if (optname >= BPFILTER_IPT_SO_GET_INFO &&
+ optname < BPFILTER_IPT_GET_MAX)
+ err = bpfilter_ip_get_sockopt(sk, optname, optval, optlen);
+--
+2.20.1
+
--- /dev/null
+From 06b969cb6f018e8e57486f515b123d41187f769c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 08:39:13 -0700
+Subject: net: do not abort bulk send on BQL status
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit fe60faa5063822f2d555f4f326c7dd72a60929bf ]
+
+Before calling dev_hard_start_xmit(), upper layers tried
+to cook optimal skb list based on BQL budget.
+
+Problem is that GSO packets can end up comsuming more than
+the BQL budget.
+
+Breaking the loop is not useful, since requeued packets
+are ahead of any packets still in the qdisc.
+
+It is also more expensive, since next TX completion will
+push these packets later, while skbs are not in cpu caches.
+
+It is also a behavior difference with TSO packets, that can
+break the BQL limit by a large amount.
+
+Note that drivers should use __netdev_tx_sent_queue()
+in order to have optimal xmit_more support, and avoid
+useless atomic operations as shown in the following patch.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index e96c88b1465d7..91179febdeee1 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3277,7 +3277,7 @@ struct sk_buff *dev_hard_start_xmit(struct sk_buff *first, struct net_device *de
+ }
+
+ skb = next;
+- if (netif_xmit_stopped(txq) && skb) {
++ if (netif_tx_queue_stopped(txq) && skb) {
+ rc = NETDEV_TX_BUSY;
+ break;
+ }
+--
+2.20.1
+
--- /dev/null
+From 11b541d9232668b217863d5dae7a4874d51d770d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Nov 2018 15:15:16 -0800
+Subject: net: dsa: bcm_sf2: Turn on PHY to allow successful registration
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit c04a17d2a9ccf1eaba1c5a56f83e997540a70556 ]
+
+We are binding to the PHY using the SF2 slave MDIO bus that we create,
+binding involves reading the PHY's MII_PHYSID1/2 which won't be possible
+if the PHY is turned off. Temporarily turn it on/off for the bus probing
+to succeeed. This fixes unbind/bind problems where the port connecting
+to that PHY would be in error since it could not connect to it.
+
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/bcm_sf2.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
+index ca3655d28e00f..17cec68e56b4f 100644
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -1099,12 +1099,16 @@ static int bcm_sf2_sw_probe(struct platform_device *pdev)
+ return ret;
+ }
+
++ bcm_sf2_gphy_enable_set(priv->dev->ds, true);
++
+ ret = bcm_sf2_mdio_register(ds);
+ if (ret) {
+ pr_err("failed to register MDIO bus\n");
+ return ret;
+ }
+
++ bcm_sf2_gphy_enable_set(priv->dev->ds, false);
++
+ ret = bcm_sf2_cfp_rst(priv);
+ if (ret) {
+ pr_err("failed to reset CFP\n");
+--
+2.20.1
+
--- /dev/null
+From cbcca0e8517133e96bb8511ae4cbee313c89648e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Oct 2018 14:40:31 +0200
+Subject: net: dsa: mv88e6xxx: Fix 88E6141/6341 2500mbps SERDES speed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <marek.behun@nic.cz>
+
+[ Upstream commit 26422340da467538cd65eaa9c65538039ee99c8c ]
+
+This is a fix for the port_set_speed method for the Topaz family.
+Currently the same method is used as for the Peridot family, but
+this is wrong for the SERDES port.
+
+On Topaz, the SERDES port is port 5, not 9 and 10 as in Peridot.
+Moreover setting alt_bit on Topaz only makes sense for port 0 (for
+(differentiating 100mbps vs 200mbps). The SERDES port does not
+support more than 2500mbps, so alt_bit does not make any difference.
+
+Signed-off-by: Marek Behún <marek.behun@nic.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 4 ++--
+ drivers/net/dsa/mv88e6xxx/port.c | 25 +++++++++++++++++++++++--
+ drivers/net/dsa/mv88e6xxx/port.h | 1 +
+ 3 files changed, 26 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index d075f0f7a3de8..411ae9961bf4f 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3028,7 +3028,7 @@ static const struct mv88e6xxx_ops mv88e6141_ops = {
+ .port_set_link = mv88e6xxx_port_set_link,
+ .port_set_duplex = mv88e6xxx_port_set_duplex,
+ .port_set_rgmii_delay = mv88e6390_port_set_rgmii_delay,
+- .port_set_speed = mv88e6390_port_set_speed,
++ .port_set_speed = mv88e6341_port_set_speed,
+ .port_tag_remap = mv88e6095_port_tag_remap,
+ .port_set_frame_mode = mv88e6351_port_set_frame_mode,
+ .port_set_egress_floods = mv88e6352_port_set_egress_floods,
+@@ -3649,7 +3649,7 @@ static const struct mv88e6xxx_ops mv88e6341_ops = {
+ .port_set_link = mv88e6xxx_port_set_link,
+ .port_set_duplex = mv88e6xxx_port_set_duplex,
+ .port_set_rgmii_delay = mv88e6390_port_set_rgmii_delay,
+- .port_set_speed = mv88e6390_port_set_speed,
++ .port_set_speed = mv88e6341_port_set_speed,
+ .port_tag_remap = mv88e6095_port_tag_remap,
+ .port_set_frame_mode = mv88e6351_port_set_frame_mode,
+ .port_set_egress_floods = mv88e6352_port_set_egress_floods,
+diff --git a/drivers/net/dsa/mv88e6xxx/port.c b/drivers/net/dsa/mv88e6xxx/port.c
+index fdeddbfa829da..2f16a310c110e 100644
+--- a/drivers/net/dsa/mv88e6xxx/port.c
++++ b/drivers/net/dsa/mv88e6xxx/port.c
+@@ -228,8 +228,11 @@ static int mv88e6xxx_port_set_speed(struct mv88e6xxx_chip *chip, int port,
+ ctrl = MV88E6XXX_PORT_MAC_CTL_SPEED_1000;
+ break;
+ case 2500:
+- ctrl = MV88E6390_PORT_MAC_CTL_SPEED_10000 |
+- MV88E6390_PORT_MAC_CTL_ALTSPEED;
++ if (alt_bit)
++ ctrl = MV88E6390_PORT_MAC_CTL_SPEED_10000 |
++ MV88E6390_PORT_MAC_CTL_ALTSPEED;
++ else
++ ctrl = MV88E6390_PORT_MAC_CTL_SPEED_10000;
+ break;
+ case 10000:
+ /* all bits set, fall through... */
+@@ -291,6 +294,24 @@ int mv88e6185_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed)
+ return mv88e6xxx_port_set_speed(chip, port, speed, false, false);
+ }
+
++/* Support 10, 100, 200, 1000, 2500 Mbps (e.g. 88E6341) */
++int mv88e6341_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed)
++{
++ if (speed == SPEED_MAX)
++ speed = port < 5 ? 1000 : 2500;
++
++ if (speed > 2500)
++ return -EOPNOTSUPP;
++
++ if (speed == 200 && port != 0)
++ return -EOPNOTSUPP;
++
++ if (speed == 2500 && port < 5)
++ return -EOPNOTSUPP;
++
++ return mv88e6xxx_port_set_speed(chip, port, speed, !port, true);
++}
++
+ /* Support 10, 100, 200, 1000 Mbps (e.g. 88E6352 family) */
+ int mv88e6352_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed)
+ {
+diff --git a/drivers/net/dsa/mv88e6xxx/port.h b/drivers/net/dsa/mv88e6xxx/port.h
+index 95b59f5eb3931..cbb64a7683e28 100644
+--- a/drivers/net/dsa/mv88e6xxx/port.h
++++ b/drivers/net/dsa/mv88e6xxx/port.h
+@@ -280,6 +280,7 @@ int mv88e6xxx_port_set_duplex(struct mv88e6xxx_chip *chip, int port, int dup);
+
+ int mv88e6065_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed);
+ int mv88e6185_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed);
++int mv88e6341_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed);
+ int mv88e6352_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed);
+ int mv88e6390_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed);
+ int mv88e6390x_port_set_speed(struct mv88e6xxx_chip *chip, int port, int speed);
+--
+2.20.1
+
--- /dev/null
+From 31fb6c6b2f11ae9ac42bdbcc02a0e4af754a45f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Oct 2018 10:04:21 +0000
+Subject: net: ena: Fix Kconfig dependency on X86
+
+From: Netanel Belgazal <netanel@amazon.com>
+
+[ Upstream commit 8c590f9776386b8f697fd0b7ed6142ae6e3de79e ]
+
+The Kconfig limitation of X86 is to too wide.
+The ENA driver only requires a little endian dependency.
+
+Change the dependency to be on little endian CPU.
+
+Signed-off-by: Netanel Belgazal <netanel@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/amazon/Kconfig b/drivers/net/ethernet/amazon/Kconfig
+index 99b30353541ab..9e87d7b8360f5 100644
+--- a/drivers/net/ethernet/amazon/Kconfig
++++ b/drivers/net/ethernet/amazon/Kconfig
+@@ -17,7 +17,7 @@ if NET_VENDOR_AMAZON
+
+ config ENA_ETHERNET
+ tristate "Elastic Network Adapter (ENA) support"
+- depends on (PCI_MSI && X86)
++ depends on PCI_MSI && !CPU_BIG_ENDIAN
+ ---help---
+ This driver supports Elastic Network Adapter (ENA)"
+
+--
+2.20.1
+
--- /dev/null
+From ac0222780d29974bf7dd78e5dd6257edf59f221e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Oct 2018 14:51:23 -0700
+Subject: net: ethernet: cadence: fix socket buffer corruption problem
+
+From: Tristram Ha <Tristram.Ha@microchip.com>
+
+[ Upstream commit 899ecaedd15599c22553d158f53b127cc1632dc2 ]
+
+Socket buffer is not re-created when headroom is 2 and tailroom is 1.
+
+Signed-off-by: Tristram Ha <Tristram.Ha@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 74eeb3a985bf1..f175b20ac510a 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -1721,7 +1721,7 @@ static int macb_pad_and_fcs(struct sk_buff **skb, struct net_device *ndev)
+ padlen = 0;
+ /* No room for FCS, need to reallocate skb. */
+ else
+- padlen = ETH_FCS_LEN - tailroom;
++ padlen = ETH_FCS_LEN;
+ } else {
+ /* Add room for FCS. */
+ padlen += ETH_FCS_LEN;
+--
+2.20.1
+
--- /dev/null
+From bc25578a2d099d48c56214a5ce22bbbd85cdb42b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Oct 2018 21:51:36 +0300
+Subject: net: ethernet: ti: cpsw: unsync mcast entries while switch promisc
+ mode
+
+From: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+
+[ Upstream commit 9737cc99dd14b5b8b9d267618a6061feade8ea68 ]
+
+After flushing all mcast entries from the table, the ones contained in
+mc list of ndev are not restored when promisc mode is toggled off,
+because they are considered as synched with ALE, thus, in order to
+restore them after promisc mode - reset syncing info. This fix
+touches only switch mode devices, including single port boards
+like Beagle Bone.
+
+Fixes: commit 5da1948969bc
+("net: ethernet: ti: cpsw: fix lost of mcast packets while rx_mode update")
+
+Signed-off-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/cpsw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c
+index 1afed85550c0a..8417d4c178447 100644
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -642,6 +642,7 @@ static void cpsw_set_promiscious(struct net_device *ndev, bool enable)
+
+ /* Clear all mcast from ALE */
+ cpsw_ale_flush_multicast(ale, ALE_ALL_PORTS, -1);
++ __dev_mc_unsync(ndev, NULL);
+
+ /* Flood All Unicast Packets to Host port */
+ cpsw_ale_control_set(ale, 0, ALE_P0_UNI_FLOOD, 1);
+--
+2.20.1
+
--- /dev/null
+From 5fb8c7bb883f68848de3d0c258b8b801a0bec4a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 14:57:26 +0900
+Subject: net: fix warning in af_unix
+
+From: Kyeongdon Kim <kyeongdon.kim@lge.com>
+
+[ Upstream commit 33c4368ee2589c165aebd8d388cbd91e9adb9688 ]
+
+This fixes the "'hash' may be used uninitialized in this function"
+
+net/unix/af_unix.c:1041:20: warning: 'hash' may be used uninitialized in this function [-Wmaybe-uninitialized]
+ addr->hash = hash ^ sk->sk_type;
+
+Signed-off-by: Kyeongdon Kim <kyeongdon.kim@lge.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 231b6c032d2c3..d2d6ff0c6265d 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -225,6 +225,8 @@ static inline void unix_release_addr(struct unix_address *addr)
+
+ static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp)
+ {
++ *hashp = 0;
++
+ if (len <= sizeof(short) || len > sizeof(*sunaddr))
+ return -EINVAL;
+ if (!sunaddr || sunaddr->sun_family != AF_UNIX)
+--
+2.20.1
+
--- /dev/null
+From f6119ee0244adaacb8af7d90a096b5abf786d89f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 21:50:44 +0800
+Subject: net: hns3: bugfix for buffer not free problem during resetting
+
+From: Huazhong Tan <tanhuazhong@huawei.com>
+
+[ Upstream commit 73b907a083b8a8c1c62cb494bc9fbe6ae086c460 ]
+
+When hns3_get_ring_config()/hns3_queue_to_ring()/
+hns3_get_vector_ring_chain() failed during resetting, the allocated
+memory has not been freed before these three functions return. So
+this patch adds error handler in these functions to fix it.
+
+Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/hisilicon/hns3/hns3_enet.c | 24 ++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index e11a7de20b8f4..3708f149d0a6a 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -2547,7 +2547,7 @@ static int hns3_get_vector_ring_chain(struct hns3_enet_tqp_vector *tqp_vector,
+ chain = devm_kzalloc(&pdev->dev, sizeof(*chain),
+ GFP_KERNEL);
+ if (!chain)
+- return -ENOMEM;
++ goto err_free_chain;
+
+ cur_chain->next = chain;
+ chain->tqp_index = tx_ring->tqp->tqp_index;
+@@ -2577,7 +2577,7 @@ static int hns3_get_vector_ring_chain(struct hns3_enet_tqp_vector *tqp_vector,
+ while (rx_ring) {
+ chain = devm_kzalloc(&pdev->dev, sizeof(*chain), GFP_KERNEL);
+ if (!chain)
+- return -ENOMEM;
++ goto err_free_chain;
+
+ cur_chain->next = chain;
+ chain->tqp_index = rx_ring->tqp->tqp_index;
+@@ -2592,6 +2592,16 @@ static int hns3_get_vector_ring_chain(struct hns3_enet_tqp_vector *tqp_vector,
+ }
+
+ return 0;
++
++err_free_chain:
++ cur_chain = head->next;
++ while (cur_chain) {
++ chain = cur_chain->next;
++ devm_kfree(&pdev->dev, chain);
++ cur_chain = chain;
++ }
++
++ return -ENOMEM;
+ }
+
+ static void hns3_free_vector_ring_chain(struct hns3_enet_tqp_vector *tqp_vector,
+@@ -2836,8 +2846,10 @@ static int hns3_queue_to_ring(struct hnae3_queue *tqp,
+ return ret;
+
+ ret = hns3_ring_get_cfg(tqp, priv, HNAE3_RING_TYPE_RX);
+- if (ret)
++ if (ret) {
++ devm_kfree(priv->dev, priv->ring_data[tqp->tqp_index].ring);
+ return ret;
++ }
+
+ return 0;
+ }
+@@ -2864,6 +2876,12 @@ static int hns3_get_ring_config(struct hns3_nic_priv *priv)
+
+ return 0;
+ err:
++ while (i--) {
++ devm_kfree(priv->dev, priv->ring_data[i].ring);
++ devm_kfree(priv->dev,
++ priv->ring_data[i + h->kinfo.num_tqps].ring);
++ }
++
+ devm_kfree(&pdev->dev, priv->ring_data);
+ return ret;
+ }
+--
+2.20.1
+
--- /dev/null
+From 36bd93fe57f3ee97e4d4807df0c0e655551b720a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 21:50:49 +0800
+Subject: net: hns3: bugfix for hclge_mdio_write and hclge_mdio_read
+
+From: Huazhong Tan <tanhuazhong@huawei.com>
+
+[ Upstream commit 1c12493809924deda6c0834cb2f2c5a6dc786390 ]
+
+When there is a PHY, the driver needs to complete some operations through
+MDIO during reset reinitialization, so HCLGE_STATE_CMD_DISABLE is more
+suitable than HCLGE_STATE_RST_HANDLING to prevent the MDIO operation from
+being sent during the hardware reset.
+
+Fixes: b50ae26c57cb ("net: hns3: never send command queue message to IMP when reset)
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+index 398971a062f47..03491e8ebb730 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+@@ -54,7 +54,7 @@ static int hclge_mdio_write(struct mii_bus *bus, int phyid, int regnum,
+ struct hclge_desc desc;
+ int ret;
+
+- if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state))
++ if (test_bit(HCLGE_STATE_CMD_DISABLE, &hdev->state))
+ return 0;
+
+ hclge_cmd_setup_basic_desc(&desc, HCLGE_OPC_MDIO_CONFIG, false);
+@@ -92,7 +92,7 @@ static int hclge_mdio_read(struct mii_bus *bus, int phyid, int regnum)
+ struct hclge_desc desc;
+ int ret;
+
+- if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state))
++ if (test_bit(HCLGE_STATE_CMD_DISABLE, &hdev->state))
+ return 0;
+
+ hclge_cmd_setup_basic_desc(&desc, HCLGE_OPC_MDIO_CONFIG, true);
+--
+2.20.1
+
--- /dev/null
+From e8e41d4e598b2397d0b6e98d26003e827cbbf3af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 21:50:48 +0800
+Subject: net: hns3: bugfix for is_valid_csq_clean_head()
+
+From: Huazhong Tan <tanhuazhong@huawei.com>
+
+[ Upstream commit 6d71ec6cbf74ac9c2823ef751b1baa5b889bb3ac ]
+
+The HEAD pointer of the hardware command queue maybe equal to the command
+queue's next_to_use in the driver, so that does not belong to the invalid
+HEAD pointer, since the hardware may not process the command in time,
+causing the HEAD pointer to be too late to update. The variables' name
+in this function is unreadable, so give them a more readable one.
+
+Fixes: 3ff504908f95 ("net: hns3: fix a dead loop in hclge_cmd_csq_clean")
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c
+index 68026a5ad7e77..690f62ed87dca 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.c
+@@ -24,15 +24,15 @@ static int hclge_ring_space(struct hclge_cmq_ring *ring)
+ return ring->desc_num - used - 1;
+ }
+
+-static int is_valid_csq_clean_head(struct hclge_cmq_ring *ring, int h)
++static int is_valid_csq_clean_head(struct hclge_cmq_ring *ring, int head)
+ {
+- int u = ring->next_to_use;
+- int c = ring->next_to_clean;
++ int ntu = ring->next_to_use;
++ int ntc = ring->next_to_clean;
+
+- if (unlikely(h >= ring->desc_num))
+- return 0;
++ if (ntu > ntc)
++ return head >= ntc && head <= ntu;
+
+- return u > c ? (h > c && h <= u) : (h > c || h <= u);
++ return head >= ntc || head <= ntu;
+ }
+
+ static int hclge_alloc_cmd_desc(struct hclge_cmq_ring *ring)
+--
+2.20.1
+
--- /dev/null
+From 2105bab07b34f4866309b12a077f50ffcdf5f2a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 21:50:45 +0800
+Subject: net: hns3: bugfix for reporting unknown vector0 interrupt repeatly
+ problem
+
+From: Huazhong Tan <tanhuazhong@huawei.com>
+
+[ Upstream commit 0d4411408a7fb9aad0645f23911d9bfdd2ce3177 ]
+
+The current driver supports handling two vector0 interrupts, reset and
+mailbox. When the hardware reports an interrupt of another type of
+interrupt source, if the driver does not process the interrupt, but
+enables the interrupt, the hardware will repeatedly report the unknown
+interrupt.
+
+Therefore, the driver enables the vector0 interrupt after clearing the
+known type of interrupt source. Other conditions are not enabled.
+
+Fixes: cd8c5c269b1d ("net: hns3: Fix for hclge_reset running repeatly problem")
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index b04df79f393f8..f8cc8d1f0b209 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -2574,7 +2574,7 @@ static irqreturn_t hclge_misc_irq_handle(int irq, void *data)
+ }
+
+ /* clear the source of interrupt if it is not cause by reset */
+- if (event_cause != HCLGE_VECTOR0_EVENT_RST) {
++ if (event_cause == HCLGE_VECTOR0_EVENT_MBX) {
+ hclge_clear_event_cause(hdev, event_cause, clearval);
+ hclge_enable_vector(&hdev->misc_vector, true);
+ }
+--
+2.20.1
+
--- /dev/null
+From 81b91606ae6965ccf5691dd6d162d3617ce9bee0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Oct 2018 20:24:26 +0900
+Subject: net: socionext: Stop PHY before resetting netsec
+
+From: Masahisa Kojima <masahisa.kojima@linaro.org>
+
+[ Upstream commit 8e850f25b5812aefedec6732732eb10e7b47cb5c ]
+
+In ndo_stop, driver resets the netsec ethernet controller IP.
+When the netsec IP is reset, HW running mode turns to NRM mode
+and driver has to wait until this mode transition completes.
+
+But mode transition to NRM will not complete if the PHY is
+in normal operation state. Netsec IP requires PHY is in
+power down state when it is reset.
+
+This modification stops the PHY before resetting netsec.
+
+Together with this modification, phy_addr is stored in netsec_priv
+structure because ndev->phydev is not yet ready in ndo_init.
+
+Fixes: 533dd11a12f6 ("net: socionext: Add Synquacer NetSec driver")
+Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
+Signed-off-by: Yoshitoyo Osaki <osaki.yoshitoyo@socionext.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/socionext/netsec.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/socionext/netsec.c b/drivers/net/ethernet/socionext/netsec.c
+index d2caeb9edc044..28d582c18afb9 100644
+--- a/drivers/net/ethernet/socionext/netsec.c
++++ b/drivers/net/ethernet/socionext/netsec.c
+@@ -274,6 +274,7 @@ struct netsec_priv {
+ struct clk *clk;
+ u32 msg_enable;
+ u32 freq;
++ u32 phy_addr;
+ bool rx_cksum_offload_flag;
+ };
+
+@@ -1346,11 +1347,11 @@ static int netsec_netdev_stop(struct net_device *ndev)
+ netsec_uninit_pkt_dring(priv, NETSEC_RING_TX);
+ netsec_uninit_pkt_dring(priv, NETSEC_RING_RX);
+
+- ret = netsec_reset_hardware(priv, false);
+-
+ phy_stop(ndev->phydev);
+ phy_disconnect(ndev->phydev);
+
++ ret = netsec_reset_hardware(priv, false);
++
+ pm_runtime_put_sync(priv->dev);
+
+ return ret;
+@@ -1360,6 +1361,7 @@ static int netsec_netdev_init(struct net_device *ndev)
+ {
+ struct netsec_priv *priv = netdev_priv(ndev);
+ int ret;
++ u16 data;
+
+ ret = netsec_alloc_dring(priv, NETSEC_RING_TX);
+ if (ret)
+@@ -1369,6 +1371,11 @@ static int netsec_netdev_init(struct net_device *ndev)
+ if (ret)
+ goto err1;
+
++ /* set phy power down */
++ data = netsec_phy_read(priv->mii_bus, priv->phy_addr, MII_BMCR) |
++ BMCR_PDOWN;
++ netsec_phy_write(priv->mii_bus, priv->phy_addr, MII_BMCR, data);
++
+ ret = netsec_reset_hardware(priv, true);
+ if (ret)
+ goto err2;
+@@ -1418,7 +1425,7 @@ static const struct net_device_ops netsec_netdev_ops = {
+ };
+
+ static int netsec_of_probe(struct platform_device *pdev,
+- struct netsec_priv *priv)
++ struct netsec_priv *priv, u32 *phy_addr)
+ {
+ priv->phy_np = of_parse_phandle(pdev->dev.of_node, "phy-handle", 0);
+ if (!priv->phy_np) {
+@@ -1426,6 +1433,8 @@ static int netsec_of_probe(struct platform_device *pdev,
+ return -EINVAL;
+ }
+
++ *phy_addr = of_mdio_parse_addr(&pdev->dev, priv->phy_np);
++
+ priv->clk = devm_clk_get(&pdev->dev, NULL); /* get by 'phy_ref_clk' */
+ if (IS_ERR(priv->clk)) {
+ dev_err(&pdev->dev, "phy_ref_clk not found\n");
+@@ -1626,12 +1635,14 @@ static int netsec_probe(struct platform_device *pdev)
+ }
+
+ if (dev_of_node(&pdev->dev))
+- ret = netsec_of_probe(pdev, priv);
++ ret = netsec_of_probe(pdev, priv, &phy_addr);
+ else
+ ret = netsec_acpi_probe(pdev, priv, &phy_addr);
+ if (ret)
+ goto free_ndev;
+
++ priv->phy_addr = phy_addr;
++
+ if (!priv->freq) {
+ dev_err(&pdev->dev, "missing PHY reference clock frequency\n");
+ ret = -ENODEV;
+--
+2.20.1
+
--- /dev/null
+From e25e056ecefd61a0f9d1d46fe5a9f770256a8af4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 15:19:09 -0700
+Subject: nfp: bpf: protect against mis-initializing atomic counters
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+[ Upstream commit 527db74b71ee5a279f818aae51f2c26b4e5c7648 ]
+
+Atomic operations on the NFP are currently always in big endian.
+The driver keeps track of regions of memory storing atomic values
+and byte swaps them accordingly. There are corner cases where
+the map values may be initialized before the driver knows they
+are used as atomic counters. This can happen either when the
+datapath is performing the update and the stack contents are
+unknown or when map is updated before the program which will
+use it for atomic values is loaded.
+
+To avoid situation where user initializes the value to 0 1 2 3
+and then after loading a program which uses the word as an atomic
+counter starts reading 3 2 1 0 - only allow atomic counters to be
+initialized to endian-neutral values.
+
+For updates from the datapath the stack information may not be
+as precise, so just allow initializing such values to 0.
+
+Example code which would break:
+struct bpf_map_def SEC("maps") rxcnt = {
+ .type = BPF_MAP_TYPE_HASH,
+ .key_size = sizeof(__u32),
+ .value_size = sizeof(__u64),
+ .max_entries = 1,
+};
+
+int xdp_prog1()
+{
+ __u64 nonzeroval = 3;
+ __u32 key = 0;
+ __u64 *value;
+
+ value = bpf_map_lookup_elem(&rxcnt, &key);
+ if (!value)
+ bpf_map_update_elem(&rxcnt, &key, &nonzeroval, BPF_ANY);
+ else
+ __sync_fetch_and_add(value, 1);
+
+ return XDP_PASS;
+}
+
+$ offload bpftool map dump
+key: 00 00 00 00 value: 00 00 00 03 00 00 00 00
+
+should be:
+
+$ offload bpftool map dump
+key: 00 00 00 00 value: 03 00 00 00 00 00 00 00
+
+Reported-by: David Beckett <david.beckett@netronome.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Quentin Monnet <quentin.monnet@netronome.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/netronome/nfp/bpf/main.h | 7 ++-
+ .../net/ethernet/netronome/nfp/bpf/offload.c | 18 +++++-
+ .../net/ethernet/netronome/nfp/bpf/verifier.c | 58 +++++++++++++++++--
+ 3 files changed, 76 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/bpf/main.h b/drivers/net/ethernet/netronome/nfp/bpf/main.h
+index dbd00982fd2b6..2134045e14c36 100644
+--- a/drivers/net/ethernet/netronome/nfp/bpf/main.h
++++ b/drivers/net/ethernet/netronome/nfp/bpf/main.h
+@@ -206,6 +206,11 @@ enum nfp_bpf_map_use {
+ NFP_MAP_USE_ATOMIC_CNT,
+ };
+
++struct nfp_bpf_map_word {
++ unsigned char type :4;
++ unsigned char non_zero_update :1;
++};
++
+ /**
+ * struct nfp_bpf_map - private per-map data attached to BPF maps for offload
+ * @offmap: pointer to the offloaded BPF map
+@@ -219,7 +224,7 @@ struct nfp_bpf_map {
+ struct nfp_app_bpf *bpf;
+ u32 tid;
+ struct list_head l;
+- enum nfp_bpf_map_use use_map[];
++ struct nfp_bpf_map_word use_map[];
+ };
+
+ struct nfp_bpf_neutral_map {
+diff --git a/drivers/net/ethernet/netronome/nfp/bpf/offload.c b/drivers/net/ethernet/netronome/nfp/bpf/offload.c
+index 1ccd6371a15b5..6140e4650b71c 100644
+--- a/drivers/net/ethernet/netronome/nfp/bpf/offload.c
++++ b/drivers/net/ethernet/netronome/nfp/bpf/offload.c
+@@ -299,10 +299,25 @@ static void nfp_map_bpf_byte_swap(struct nfp_bpf_map *nfp_map, void *value)
+ unsigned int i;
+
+ for (i = 0; i < DIV_ROUND_UP(nfp_map->offmap->map.value_size, 4); i++)
+- if (nfp_map->use_map[i] == NFP_MAP_USE_ATOMIC_CNT)
++ if (nfp_map->use_map[i].type == NFP_MAP_USE_ATOMIC_CNT)
+ word[i] = (__force u32)cpu_to_be32(word[i]);
+ }
+
++/* Mark value as unsafely initialized in case it becomes atomic later
++ * and we didn't byte swap something non-byte swap neutral.
++ */
++static void
++nfp_map_bpf_byte_swap_record(struct nfp_bpf_map *nfp_map, void *value)
++{
++ u32 *word = value;
++ unsigned int i;
++
++ for (i = 0; i < DIV_ROUND_UP(nfp_map->offmap->map.value_size, 4); i++)
++ if (nfp_map->use_map[i].type == NFP_MAP_UNUSED &&
++ word[i] != (__force u32)cpu_to_be32(word[i]))
++ nfp_map->use_map[i].non_zero_update = 1;
++}
++
+ static int
+ nfp_bpf_map_lookup_entry(struct bpf_offloaded_map *offmap,
+ void *key, void *value)
+@@ -322,6 +337,7 @@ nfp_bpf_map_update_entry(struct bpf_offloaded_map *offmap,
+ void *key, void *value, u64 flags)
+ {
+ nfp_map_bpf_byte_swap(offmap->dev_priv, value);
++ nfp_map_bpf_byte_swap_record(offmap->dev_priv, value);
+ return nfp_bpf_ctrl_update_entry(offmap, key, value, flags);
+ }
+
+diff --git a/drivers/net/ethernet/netronome/nfp/bpf/verifier.c b/drivers/net/ethernet/netronome/nfp/bpf/verifier.c
+index a6e9248669e14..db7e186dae56d 100644
+--- a/drivers/net/ethernet/netronome/nfp/bpf/verifier.c
++++ b/drivers/net/ethernet/netronome/nfp/bpf/verifier.c
+@@ -108,6 +108,46 @@ nfp_record_adjust_head(struct nfp_app_bpf *bpf, struct nfp_prog *nfp_prog,
+ nfp_prog->adjust_head_location = location;
+ }
+
++static bool nfp_bpf_map_update_value_ok(struct bpf_verifier_env *env)
++{
++ const struct bpf_reg_state *reg1 = cur_regs(env) + BPF_REG_1;
++ const struct bpf_reg_state *reg3 = cur_regs(env) + BPF_REG_3;
++ struct bpf_offloaded_map *offmap;
++ struct bpf_func_state *state;
++ struct nfp_bpf_map *nfp_map;
++ int off, i;
++
++ state = env->cur_state->frame[reg3->frameno];
++
++ /* We need to record each time update happens with non-zero words,
++ * in case such word is used in atomic operations.
++ * Implicitly depend on nfp_bpf_stack_arg_ok(reg3) being run before.
++ */
++
++ offmap = map_to_offmap(reg1->map_ptr);
++ nfp_map = offmap->dev_priv;
++ off = reg3->off + reg3->var_off.value;
++
++ for (i = 0; i < offmap->map.value_size; i++) {
++ struct bpf_stack_state *stack_entry;
++ unsigned int soff;
++
++ soff = -(off + i) - 1;
++ stack_entry = &state->stack[soff / BPF_REG_SIZE];
++ if (stack_entry->slot_type[soff % BPF_REG_SIZE] == STACK_ZERO)
++ continue;
++
++ if (nfp_map->use_map[i / 4].type == NFP_MAP_USE_ATOMIC_CNT) {
++ pr_vlog(env, "value at offset %d/%d may be non-zero, bpf_map_update_elem() is required to initialize atomic counters to zero to avoid offload endian issues\n",
++ i, soff);
++ return false;
++ }
++ nfp_map->use_map[i / 4].non_zero_update = 1;
++ }
++
++ return true;
++}
++
+ static int
+ nfp_bpf_stack_arg_ok(const char *fname, struct bpf_verifier_env *env,
+ const struct bpf_reg_state *reg,
+@@ -198,7 +238,8 @@ nfp_bpf_check_call(struct nfp_prog *nfp_prog, struct bpf_verifier_env *env,
+ bpf->helpers.map_update, reg1) ||
+ !nfp_bpf_stack_arg_ok("map_update", env, reg2,
+ meta->func_id ? &meta->arg2 : NULL) ||
+- !nfp_bpf_stack_arg_ok("map_update", env, reg3, NULL))
++ !nfp_bpf_stack_arg_ok("map_update", env, reg3, NULL) ||
++ !nfp_bpf_map_update_value_ok(env))
+ return -EOPNOTSUPP;
+ break;
+
+@@ -376,15 +417,22 @@ nfp_bpf_map_mark_used_one(struct bpf_verifier_env *env,
+ struct nfp_bpf_map *nfp_map,
+ unsigned int off, enum nfp_bpf_map_use use)
+ {
+- if (nfp_map->use_map[off / 4] != NFP_MAP_UNUSED &&
+- nfp_map->use_map[off / 4] != use) {
++ if (nfp_map->use_map[off / 4].type != NFP_MAP_UNUSED &&
++ nfp_map->use_map[off / 4].type != use) {
+ pr_vlog(env, "map value use type conflict %s vs %s off: %u\n",
+- nfp_bpf_map_use_name(nfp_map->use_map[off / 4]),
++ nfp_bpf_map_use_name(nfp_map->use_map[off / 4].type),
+ nfp_bpf_map_use_name(use), off);
+ return -EOPNOTSUPP;
+ }
+
+- nfp_map->use_map[off / 4] = use;
++ if (nfp_map->use_map[off / 4].non_zero_update &&
++ use == NFP_MAP_USE_ATOMIC_CNT) {
++ pr_vlog(env, "atomic counter in map value may already be initialized to non-zero value off: %u\n",
++ off);
++ return -EOPNOTSUPP;
++ }
++
++ nfp_map->use_map[off / 4].type = use;
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From cb3301b3c89268192423e811ae3b687a493d5331 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Aug 2018 17:13:59 -0700
+Subject: ntb: intel: fix return value for ndev_vec_mask()
+
+From: Dave Jiang <dave.jiang@intel.com>
+
+[ Upstream commit 7756e2b5d68c36e170a111dceea22f7365f83256 ]
+
+ndev_vec_mask() should be returning u64 mask value instead of int.
+Otherwise the mask value returned can be incorrect for larger
+vectors.
+
+Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers")
+
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Tested-by: Lucas Van <lucas.van@intel.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/intel/ntb_hw_gen1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c
+index 6aa5732272791..2ad263f708da7 100644
+--- a/drivers/ntb/hw/intel/ntb_hw_gen1.c
++++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c
+@@ -265,7 +265,7 @@ static inline int ndev_db_clear_mask(struct intel_ntb_dev *ndev, u64 db_bits,
+ return 0;
+ }
+
+-static inline int ndev_vec_mask(struct intel_ntb_dev *ndev, int db_vector)
++static inline u64 ndev_vec_mask(struct intel_ntb_dev *ndev, int db_vector)
+ {
+ u64 shift, mask;
+
+--
+2.20.1
+
--- /dev/null
+From 6454c1032b5d3bbdd0d43f7280b3f994aa5fc3ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jun 2018 16:13:12 -0400
+Subject: ntb_netdev: fix sleep time mismatch
+
+From: Jon Mason <jdmason@kudzu.us>
+
+[ Upstream commit a861594b1b7ffd630f335b351c4e9f938feadb8e ]
+
+The tx_time should be in usecs (according to the comment above the
+variable), but the setting of the timer during the rearming is done in
+msecs. Change it to match the expected units.
+
+Fixes: e74bfeedad08 ("NTB: Add flow control to the ntb_netdev")
+Suggested-by: Gerd W. Haeussler <gerd.haeussler@cesys-it.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Acked-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ntb_netdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c
+index b12023bc2cab5..df8d49ad48c38 100644
+--- a/drivers/net/ntb_netdev.c
++++ b/drivers/net/ntb_netdev.c
+@@ -236,7 +236,7 @@ static void ntb_netdev_tx_timer(struct timer_list *t)
+ struct net_device *ndev = dev->ndev;
+
+ if (ntb_transport_tx_free_entry(dev->qp) < tx_stop) {
+- mod_timer(&dev->tx_timer, jiffies + msecs_to_jiffies(tx_time));
++ mod_timer(&dev->tx_timer, jiffies + usecs_to_jiffies(tx_time));
+ } else {
+ /* Make sure anybody stopping the queue after this sees the new
+ * value of ntb_transport_tx_free_entry()
+--
+2.20.1
+
--- /dev/null
+From 3ddb76d4c2f9420995f188881d6343c1f57b5fc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 13:15:29 -0600
+Subject: nvme-pci: fix conflicting p2p resource adds
+
+From: Keith Busch <keith.busch@intel.com>
+
+[ Upstream commit 9fe5c59ff6a1e5e26a39b75489a1420e7eaaf0b1 ]
+
+The nvme pci driver had been adding its CMB resource to the P2P DMA
+subsystem everytime on on a controller reset. This results in the
+following warning:
+
+ ------------[ cut here ]------------
+ nvme 0000:00:03.0: Conflicting mapping in same section
+ WARNING: CPU: 7 PID: 81 at kernel/memremap.c:155 devm_memremap_pages+0xa6/0x380
+ ...
+ Call Trace:
+ pci_p2pdma_add_resource+0x153/0x370
+ nvme_reset_work+0x28c/0x17b1 [nvme]
+ ? add_timer+0x107/0x1e0
+ ? dequeue_entity+0x81/0x660
+ ? dequeue_entity+0x3b0/0x660
+ ? pick_next_task_fair+0xaf/0x610
+ ? __switch_to+0xbc/0x410
+ process_one_work+0x1cf/0x350
+ worker_thread+0x215/0x3d0
+ ? process_one_work+0x350/0x350
+ kthread+0x107/0x120
+ ? kthread_park+0x80/0x80
+ ret_from_fork+0x1f/0x30
+ ---[ end trace f7ea76ac6ee72727 ]---
+ nvme nvme0: failed to register the CMB
+
+This patch fixes this by registering the CMB with P2P only once.
+
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 9479c0db08f62..124f41157173e 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1652,6 +1652,9 @@ static void nvme_map_cmb(struct nvme_dev *dev)
+ struct pci_dev *pdev = to_pci_dev(dev->dev);
+ int bar;
+
++ if (dev->cmb_size)
++ return;
++
+ dev->cmbsz = readl(dev->bar + NVME_REG_CMBSZ);
+ if (!dev->cmbsz)
+ return;
+@@ -2136,7 +2139,6 @@ static void nvme_pci_disable(struct nvme_dev *dev)
+ {
+ struct pci_dev *pdev = to_pci_dev(dev->dev);
+
+- nvme_release_cmb(dev);
+ pci_free_irq_vectors(pdev);
+
+ if (pci_is_enabled(pdev)) {
+@@ -2595,6 +2597,7 @@ static void nvme_remove(struct pci_dev *pdev)
+ nvme_stop_ctrl(&dev->ctrl);
+ nvme_remove_namespaces(&dev->ctrl);
+ nvme_dev_disable(dev, true);
++ nvme_release_cmb(dev);
+ nvme_free_host_mem(dev);
+ nvme_dev_remove_admin(dev);
+ nvme_free_queues(dev, 0);
+--
+2.20.1
+
--- /dev/null
+From 642dad6b535f8a84606fbb0d89e9247a25e505bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Oct 2018 10:19:06 -0600
+Subject: nvme-pci: fix hot removal during error handling
+
+From: Keith Busch <keith.busch@intel.com>
+
+[ Upstream commit cb4bfda62afa25b4eee3d635d33fccdd9485dd7c ]
+
+A removal waits for the reset_work to complete. If a surprise removal
+occurs around the same time as an error triggered controller reset, and
+reset work happened to dispatch a command to the removed controller, the
+command won't be recovered since the timeout work doesn't do anything
+during error recovery. We wouldn't want to wait for timeout handling
+anyway, so this patch fixes this by disabling the controller and killing
+admin queues prior to syncing with the reset_work.
+
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index a64a8bca0d5b9..9479c0db08f62 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2583,13 +2583,12 @@ static void nvme_remove(struct pci_dev *pdev)
+ struct nvme_dev *dev = pci_get_drvdata(pdev);
+
+ nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DELETING);
+-
+- cancel_work_sync(&dev->ctrl.reset_work);
+ pci_set_drvdata(pdev, NULL);
+
+ if (!pci_device_is_present(pdev)) {
+ nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DEAD);
+ nvme_dev_disable(dev, true);
++ nvme_dev_remove_admin(dev);
+ }
+
+ flush_work(&dev->ctrl.reset_work);
+--
+2.20.1
+
--- /dev/null
+From e8635052bbd4b695564d0ff2121235da96ceac88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Nov 2018 16:58:10 +0100
+Subject: nvme-pci: fix surprise removal
+
+From: Igor Konopko <igor.j.konopko@intel.com>
+
+[ Upstream commit 751a0cc0cd3a0d51e6aaf6fd3b8bd31f4ecfaf3e ]
+
+When a PCIe NVMe device is not present, nvme_dev_remove_admin() calls
+blk_cleanup_queue() on the admin queue, which frees the hctx for that
+queue. Moments later, on the same path nvme_kill_queues() calls
+blk_mq_unquiesce_queue() on admin queue and tries to access hctx of it,
+which leads to following OOPS:
+
+Oops: 0000 [#1] SMP PTI
+RIP: 0010:sbitmap_any_bit_set+0xb/0x40
+Call Trace:
+ blk_mq_run_hw_queue+0xd5/0x150
+ blk_mq_run_hw_queues+0x3a/0x50
+ nvme_kill_queues+0x26/0x50
+ nvme_remove_namespaces+0xb2/0xc0
+ nvme_remove+0x60/0x140
+ pci_device_remove+0x3b/0xb0
+
+Fixes: cb4bfda62afa2 ("nvme-pci: fix hot removal during error handling")
+Signed-off-by: Igor Konopko <igor.j.konopko@intel.com>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 5d0f99bcc987f..44da9fe5b27b8 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3647,7 +3647,7 @@ void nvme_kill_queues(struct nvme_ctrl *ctrl)
+ down_read(&ctrl->namespaces_rwsem);
+
+ /* Forcibly unquiesce queues to avoid blocking dispatch */
+- if (ctrl->admin_q)
++ if (ctrl->admin_q && !blk_queue_dying(ctrl->admin_q))
+ blk_mq_unquiesce_queue(ctrl->admin_q);
+
+ list_for_each_entry(ns, &ctrl->namespaces, list)
+--
+2.20.1
+
--- /dev/null
+From ff030338f2187c52d4c9da481e63ad7c7db682e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Oct 2018 14:28:52 -0700
+Subject: nvmet: avoid integer overflow in the discard code
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 8eacd1bd21d6913ec27e6120e9a8733352e191d3 ]
+
+Although I'm not sure whether it is a good idea to support large discard
+commands, I think integer overflow for discard ranges larger than 4 GB
+should be avoided. This patch avoids that smatch reports the following:
+
+drivers/nvme/target/io-cmd-file.c:249:1 nvmet_file_execute_discard() warn: should '((range.nlb)) << req->ns->blksize_shift' be a 64 bit type?
+
+Fixes: d5eff33ee6f8 ("nvmet: add simple file backed ns support")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/io-cmd-file.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/target/io-cmd-file.c b/drivers/nvme/target/io-cmd-file.c
+index 81a9dc5290a87..39d972e2595f0 100644
+--- a/drivers/nvme/target/io-cmd-file.c
++++ b/drivers/nvme/target/io-cmd-file.c
+@@ -246,7 +246,8 @@ static void nvmet_file_execute_discard(struct nvmet_req *req)
+ break;
+
+ offset = le64_to_cpu(range.slba) << req->ns->blksize_shift;
+- len = le32_to_cpu(range.nlb) << req->ns->blksize_shift;
++ len = le32_to_cpu(range.nlb);
++ len <<= req->ns->blksize_shift;
+ if (offset + len > req->ns->size) {
+ ret = NVME_SC_LBA_RANGE | NVME_SC_DNR;
+ break;
+--
+2.20.1
+
--- /dev/null
+From bbcfa117fd8eb6d991bc9024f608f0b66e06272c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Oct 2018 08:08:20 -0700
+Subject: nvmet-fcloop: suppress a compiler warning
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 1216e9ef18b84f4fb5934792368fb01eb3540520 ]
+
+Building with W=1 enables the compiler warning -Wimplicit-fallthrough=3. That
+option does not recognize the fall-through comment in the fcloop driver. Add
+a fall-through comment that is recognized for -Wimplicit-fallthrough=3. This
+patch avoids that the compiler reports the following warning when building
+with W=1:
+
+drivers/nvme/target/fcloop.c:647:6: warning: this statement may fall through [-Wimplicit-fallthrough=]
+ if (op == NVMET_FCOP_READDATA)
+ ^
+
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/fcloop.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c
+index 5251689a1d9ac..291f4121f516a 100644
+--- a/drivers/nvme/target/fcloop.c
++++ b/drivers/nvme/target/fcloop.c
+@@ -648,6 +648,7 @@ fcloop_fcp_op(struct nvmet_fc_target_port *tgtport,
+ break;
+
+ /* Fall-Thru to RSP handling */
++ /* FALLTHRU */
+
+ case NVMET_FCOP_RSP:
+ if (fcpreq) {
+--
+2.20.1
+
--- /dev/null
+From 00bf06093d2ea15b0a89e8aa1df4cbdcbe11c3bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Nov 2018 15:48:19 -0700
+Subject: ocfs2: don't put and assigning null to bh allocated outside
+
+From: Changwei Ge <ge.changwei@h3c.com>
+
+[ Upstream commit cf76c78595ca87548ca5e45c862ac9e0949c4687 ]
+
+ocfs2_read_blocks() and ocfs2_read_blocks_sync() are both used to read
+several blocks from disk. Currently, the input argument *bhs* can be
+NULL or NOT. It depends on the caller's behavior. If the function
+fails in reading blocks from disk, the corresponding bh will be assigned
+to NULL and put.
+
+Obviously, above process for non-NULL input bh is not appropriate.
+Because the caller doesn't even know its bhs are put and re-assigned.
+
+If buffer head is managed by caller, ocfs2_read_blocks and
+ocfs2_read_blocks_sync() should not evaluate it to NULL. It will cause
+caller accessing illegal memory, thus crash.
+
+Link: http://lkml.kernel.org/r/HK2PR06MB045285E0F4FBB561F9F2F9B3D5680@HK2PR06MB0452.apcprd06.prod.outlook.com
+Signed-off-by: Changwei Ge <ge.changwei@h3c.com>
+Reviewed-by: Guozhonghua <guozhonghua@h3c.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <ge.changwei@h3c.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/buffer_head_io.c | 77 ++++++++++++++++++++++++++++++---------
+ 1 file changed, 59 insertions(+), 18 deletions(-)
+
+diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
+index 9f8250df99f1f..f9b84f7a3e4bb 100644
+--- a/fs/ocfs2/buffer_head_io.c
++++ b/fs/ocfs2/buffer_head_io.c
+@@ -99,25 +99,34 @@ int ocfs2_write_block(struct ocfs2_super *osb, struct buffer_head *bh,
+ return ret;
+ }
+
++/* Caller must provide a bhs[] with all NULL or non-NULL entries, so it
++ * will be easier to handle read failure.
++ */
+ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
+ unsigned int nr, struct buffer_head *bhs[])
+ {
+ int status = 0;
+ unsigned int i;
+ struct buffer_head *bh;
++ int new_bh = 0;
+
+ trace_ocfs2_read_blocks_sync((unsigned long long)block, nr);
+
+ if (!nr)
+ goto bail;
+
++ /* Don't put buffer head and re-assign it to NULL if it is allocated
++ * outside since the caller can't be aware of this alternation!
++ */
++ new_bh = (bhs[0] == NULL);
++
+ for (i = 0 ; i < nr ; i++) {
+ if (bhs[i] == NULL) {
+ bhs[i] = sb_getblk(osb->sb, block++);
+ if (bhs[i] == NULL) {
+ status = -ENOMEM;
+ mlog_errno(status);
+- goto bail;
++ break;
+ }
+ }
+ bh = bhs[i];
+@@ -157,9 +166,26 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
+ submit_bh(REQ_OP_READ, 0, bh);
+ }
+
++read_failure:
+ for (i = nr; i > 0; i--) {
+ bh = bhs[i - 1];
+
++ if (unlikely(status)) {
++ if (new_bh && bh) {
++ /* If middle bh fails, let previous bh
++ * finish its read and then put it to
++ * aovoid bh leak
++ */
++ if (!buffer_jbd(bh))
++ wait_on_buffer(bh);
++ put_bh(bh);
++ bhs[i - 1] = NULL;
++ } else if (bh && buffer_uptodate(bh)) {
++ clear_buffer_uptodate(bh);
++ }
++ continue;
++ }
++
+ /* No need to wait on the buffer if it's managed by JBD. */
+ if (!buffer_jbd(bh))
+ wait_on_buffer(bh);
+@@ -169,8 +195,7 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
+ * so we can safely record this and loop back
+ * to cleanup the other buffers. */
+ status = -EIO;
+- put_bh(bh);
+- bhs[i - 1] = NULL;
++ goto read_failure;
+ }
+ }
+
+@@ -178,6 +203,9 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
+ return status;
+ }
+
++/* Caller must provide a bhs[] with all NULL or non-NULL entries, so it
++ * will be easier to handle read failure.
++ */
+ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+ struct buffer_head *bhs[], int flags,
+ int (*validate)(struct super_block *sb,
+@@ -187,6 +215,7 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+ int i, ignore_cache = 0;
+ struct buffer_head *bh;
+ struct super_block *sb = ocfs2_metadata_cache_get_super(ci);
++ int new_bh = 0;
+
+ trace_ocfs2_read_blocks_begin(ci, (unsigned long long)block, nr, flags);
+
+@@ -212,6 +241,11 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+ goto bail;
+ }
+
++ /* Don't put buffer head and re-assign it to NULL if it is allocated
++ * outside since the caller can't be aware of this alternation!
++ */
++ new_bh = (bhs[0] == NULL);
++
+ ocfs2_metadata_cache_io_lock(ci);
+ for (i = 0 ; i < nr ; i++) {
+ if (bhs[i] == NULL) {
+@@ -220,7 +254,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+ ocfs2_metadata_cache_io_unlock(ci);
+ status = -ENOMEM;
+ mlog_errno(status);
+- goto bail;
++ /* Don't forget to put previous bh! */
++ break;
+ }
+ }
+ bh = bhs[i];
+@@ -314,16 +349,27 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+ }
+ }
+
+- status = 0;
+-
++read_failure:
+ for (i = (nr - 1); i >= 0; i--) {
+ bh = bhs[i];
+
+ if (!(flags & OCFS2_BH_READAHEAD)) {
+- if (status) {
+- /* Clear the rest of the buffers on error */
+- put_bh(bh);
+- bhs[i] = NULL;
++ if (unlikely(status)) {
++ /* Clear the buffers on error including those
++ * ever succeeded in reading
++ */
++ if (new_bh && bh) {
++ /* If middle bh fails, let previous bh
++ * finish its read and then put it to
++ * aovoid bh leak
++ */
++ if (!buffer_jbd(bh))
++ wait_on_buffer(bh);
++ put_bh(bh);
++ bhs[i] = NULL;
++ } else if (bh && buffer_uptodate(bh)) {
++ clear_buffer_uptodate(bh);
++ }
+ continue;
+ }
+ /* We know this can't have changed as we hold the
+@@ -341,9 +387,7 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+ * uptodate. */
+ status = -EIO;
+ clear_buffer_needs_validate(bh);
+- put_bh(bh);
+- bhs[i] = NULL;
+- continue;
++ goto read_failure;
+ }
+
+ if (buffer_needs_validate(bh)) {
+@@ -353,11 +397,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+ BUG_ON(buffer_jbd(bh));
+ clear_buffer_needs_validate(bh);
+ status = validate(sb, bh);
+- if (status) {
+- put_bh(bh);
+- bhs[i] = NULL;
+- continue;
+- }
++ if (status)
++ goto read_failure;
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From d3f6201eb62e2f5952556a7f33570f71b61ba152 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Nov 2018 15:48:11 -0700
+Subject: ocfs2: don't use iocb when EIOCBQUEUED returns
+
+From: Changwei Ge <ge.changwei@h3c.com>
+
+[ Upstream commit 9e985787750db8aae87f02b67e908f28ac4d6b83 ]
+
+When -EIOCBQUEUED returns, it means that aio_complete() will be called
+from dio_complete(), which is an asynchronous progress against
+write_iter. Generally, IO is a very slow progress than executing
+instruction, but we still can't take the risk to access a freed iocb.
+
+And we do face a BUG crash issue. Using the crash tool, iocb is
+obviously freed already.
+
+ crash> struct -x kiocb ffff881a350f5900
+ struct kiocb {
+ ki_filp = 0xffff881a350f5a80,
+ ki_pos = 0x0,
+ ki_complete = 0x0,
+ private = 0x0,
+ ki_flags = 0x0
+ }
+
+And the backtrace shows:
+ ocfs2_file_write_iter+0xcaa/0xd00 [ocfs2]
+ aio_run_iocb+0x229/0x2f0
+ do_io_submit+0x291/0x540
+ SyS_io_submit+0x10/0x20
+ system_call_fastpath+0x16/0x75
+
+Link: http://lkml.kernel.org/r/1523361653-14439-1-git-send-email-ge.changwei@h3c.com
+Signed-off-by: Changwei Ge <ge.changwei@h3c.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/file.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
+index a847fe52c56ee..a3e077fcfeb9b 100644
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2389,7 +2389,7 @@ static ssize_t ocfs2_file_write_iter(struct kiocb *iocb,
+
+ written = __generic_file_write_iter(iocb, from);
+ /* buffered aio wouldn't have proper lock coverage today */
+- BUG_ON(written == -EIOCBQUEUED && !(iocb->ki_flags & IOCB_DIRECT));
++ BUG_ON(written == -EIOCBQUEUED && !direct_io);
+
+ /*
+ * deep in g_f_a_w_n()->ocfs2_direct_IO we pass in a ocfs2_dio_end_io
+@@ -2509,7 +2509,7 @@ static ssize_t ocfs2_file_read_iter(struct kiocb *iocb,
+ trace_generic_file_read_iter_ret(ret);
+
+ /* buffered aio wouldn't have proper lock coverage today */
+- BUG_ON(ret == -EIOCBQUEUED && !(iocb->ki_flags & IOCB_DIRECT));
++ BUG_ON(ret == -EIOCBQUEUED && !direct_io);
+
+ /* see ocfs2_file_write_iter */
+ if (ret == -EIOCBQUEUED || !ocfs2_iocb_is_rw_locked(iocb)) {
+--
+2.20.1
+
--- /dev/null
+From 899f1bd93d3ee80d27529698c2f54c2bab3ce8ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Nov 2018 15:48:27 -0700
+Subject: ocfs2: fix clusters leak in ocfs2_defrag_extent()
+
+From: Larry Chen <lchen@suse.com>
+
+[ Upstream commit 6194ae4242dec0c9d604bc05df83aa9260a899e4 ]
+
+ocfs2_defrag_extent() might leak allocated clusters. When the file
+system has insufficient space, the number of claimed clusters might be
+less than the caller wants. If that happens, the original code might
+directly commit the transaction without returning clusters.
+
+This patch is based on code in ocfs2_add_clusters_in_btree().
+
+[akpm@linux-foundation.org: include localalloc.h, reduce scope of data_ac]
+Link: http://lkml.kernel.org/r/20180904041621.16874-3-lchen@suse.com
+Signed-off-by: Larry Chen <lchen@suse.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <ge.changwei@h3c.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/move_extents.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
+index f55f82ca34250..1565dd8e8856e 100644
+--- a/fs/ocfs2/move_extents.c
++++ b/fs/ocfs2/move_extents.c
+@@ -25,6 +25,7 @@
+ #include "ocfs2_ioctl.h"
+
+ #include "alloc.h"
++#include "localalloc.h"
+ #include "aops.h"
+ #include "dlmglue.h"
+ #include "extent_map.h"
+@@ -222,6 +223,7 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context,
+ struct ocfs2_refcount_tree *ref_tree = NULL;
+ u32 new_phys_cpos, new_len;
+ u64 phys_blkno = ocfs2_clusters_to_blocks(inode->i_sb, phys_cpos);
++ int need_free = 0;
+
+ if ((ext_flags & OCFS2_EXT_REFCOUNTED) && *len) {
+ BUG_ON(!ocfs2_is_refcount_inode(inode));
+@@ -312,6 +314,7 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context,
+ if (!partial) {
+ context->range->me_flags &= ~OCFS2_MOVE_EXT_FL_COMPLETE;
+ ret = -ENOSPC;
++ need_free = 1;
+ goto out_commit;
+ }
+ }
+@@ -336,6 +339,20 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context,
+ mlog_errno(ret);
+
+ out_commit:
++ if (need_free && context->data_ac) {
++ struct ocfs2_alloc_context *data_ac = context->data_ac;
++
++ if (context->data_ac->ac_which == OCFS2_AC_USE_LOCAL)
++ ocfs2_free_local_alloc_bits(osb, handle, data_ac,
++ new_phys_cpos, new_len);
++ else
++ ocfs2_free_clusters(handle,
++ data_ac->ac_inode,
++ data_ac->ac_bh,
++ ocfs2_clusters_to_blocks(osb->sb, new_phys_cpos),
++ new_len);
++ }
++
+ ocfs2_commit_trans(osb, handle);
+
+ out_unlock_mutex:
+--
+2.20.1
+
--- /dev/null
+From 315122df44c17eac55eea7c9160aec780ef2d62e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Nov 2018 15:48:07 -0700
+Subject: ocfs2: without quota support, avoid calling quota recovery
+
+From: Guozhonghua <guozhonghua@h3c.com>
+
+[ Upstream commit 21158ca85b73ddd0088076a5209cfd040513a8b5 ]
+
+During one dead node's recovery by other node, quota recovery work will
+be queued. We should avoid calling quota when it is not supported, so
+check the quota flags.
+
+Link: http://lkml.kernel.org/r/71604351584F6A4EBAE558C676F37CA401071AC9FB@H3CMLB12-EX.srv.huawei-3com.com
+Signed-off-by: guozhonghua <guozhonghua@h3c.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <ge.changwei@h3c.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/journal.c | 51 ++++++++++++++++++++++++++++++----------------
+ 1 file changed, 34 insertions(+), 17 deletions(-)
+
+diff --git a/fs/ocfs2/journal.c b/fs/ocfs2/journal.c
+index c492cbb2410f6..babb0ec76d676 100644
+--- a/fs/ocfs2/journal.c
++++ b/fs/ocfs2/journal.c
+@@ -1379,15 +1379,23 @@ static int __ocfs2_recovery_thread(void *arg)
+ int rm_quota_used = 0, i;
+ struct ocfs2_quota_recovery *qrec;
+
++ /* Whether the quota supported. */
++ int quota_enabled = OCFS2_HAS_RO_COMPAT_FEATURE(osb->sb,
++ OCFS2_FEATURE_RO_COMPAT_USRQUOTA)
++ || OCFS2_HAS_RO_COMPAT_FEATURE(osb->sb,
++ OCFS2_FEATURE_RO_COMPAT_GRPQUOTA);
++
+ status = ocfs2_wait_on_mount(osb);
+ if (status < 0) {
+ goto bail;
+ }
+
+- rm_quota = kcalloc(osb->max_slots, sizeof(int), GFP_NOFS);
+- if (!rm_quota) {
+- status = -ENOMEM;
+- goto bail;
++ if (quota_enabled) {
++ rm_quota = kcalloc(osb->max_slots, sizeof(int), GFP_NOFS);
++ if (!rm_quota) {
++ status = -ENOMEM;
++ goto bail;
++ }
+ }
+ restart:
+ status = ocfs2_super_lock(osb, 1);
+@@ -1423,9 +1431,14 @@ static int __ocfs2_recovery_thread(void *arg)
+ * then quota usage would be out of sync until some node takes
+ * the slot. So we remember which nodes need quota recovery
+ * and when everything else is done, we recover quotas. */
+- for (i = 0; i < rm_quota_used && rm_quota[i] != slot_num; i++);
+- if (i == rm_quota_used)
+- rm_quota[rm_quota_used++] = slot_num;
++ if (quota_enabled) {
++ for (i = 0; i < rm_quota_used
++ && rm_quota[i] != slot_num; i++)
++ ;
++
++ if (i == rm_quota_used)
++ rm_quota[rm_quota_used++] = slot_num;
++ }
+
+ status = ocfs2_recover_node(osb, node_num, slot_num);
+ skip_recovery:
+@@ -1453,16 +1466,19 @@ static int __ocfs2_recovery_thread(void *arg)
+ /* Now it is right time to recover quotas... We have to do this under
+ * superblock lock so that no one can start using the slot (and crash)
+ * before we recover it */
+- for (i = 0; i < rm_quota_used; i++) {
+- qrec = ocfs2_begin_quota_recovery(osb, rm_quota[i]);
+- if (IS_ERR(qrec)) {
+- status = PTR_ERR(qrec);
+- mlog_errno(status);
+- continue;
++ if (quota_enabled) {
++ for (i = 0; i < rm_quota_used; i++) {
++ qrec = ocfs2_begin_quota_recovery(osb, rm_quota[i]);
++ if (IS_ERR(qrec)) {
++ status = PTR_ERR(qrec);
++ mlog_errno(status);
++ continue;
++ }
++ ocfs2_queue_recovery_completion(osb->journal,
++ rm_quota[i],
++ NULL, NULL, qrec,
++ ORPHAN_NEED_TRUNCATE);
+ }
+- ocfs2_queue_recovery_completion(osb->journal, rm_quota[i],
+- NULL, NULL, qrec,
+- ORPHAN_NEED_TRUNCATE);
+ }
+
+ ocfs2_super_unlock(osb, 1);
+@@ -1484,7 +1500,8 @@ static int __ocfs2_recovery_thread(void *arg)
+
+ mutex_unlock(&osb->recovery_lock);
+
+- kfree(rm_quota);
++ if (quota_enabled)
++ kfree(rm_quota);
+
+ /* no one is callint kthread_stop() for us so the kthread() api
+ * requires that we call do_exit(). And it isn't exported, but
+--
+2.20.1
+
--- /dev/null
+From ba47d32e2b0684ada5ba7952383cbfb1f878d962 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Oct 2018 19:38:26 -0700
+Subject: of: unittest: allow base devicetree to have symbol metadata
+
+From: Frank Rowand <frank.rowand@sony.com>
+
+[ Upstream commit 5babefb7f7ab1f23861336d511cc666fa45ede82 ]
+
+The overlay metadata nodes in the FDT created from testcases.dts
+are not handled properly.
+
+The __fixups__ and __local_fixups__ node were added to the live
+devicetree, but should not be.
+
+Only the first property in the /__symbols__ node was added to the
+live devicetree if the live devicetree already contained a
+/__symbols node. All of the node's properties must be added.
+
+Tested-by: Alan Tull <atull@kernel.org>
+Signed-off-by: Frank Rowand <frank.rowand@sony.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/unittest.c | 43 +++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 35 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index bac4b4bbc33de..e8997cdb228cb 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -1067,20 +1067,44 @@ static void __init of_unittest_platform_populate(void)
+ * of np into dup node (present in live tree) and
+ * updates parent of children of np to dup.
+ *
+- * @np: node already present in live tree
++ * @np: node whose properties are being added to the live tree
+ * @dup: node present in live tree to be updated
+ */
+ static void update_node_properties(struct device_node *np,
+ struct device_node *dup)
+ {
+ struct property *prop;
++ struct property *save_next;
+ struct device_node *child;
+-
+- for_each_property_of_node(np, prop)
+- of_add_property(dup, prop);
++ int ret;
+
+ for_each_child_of_node(np, child)
+ child->parent = dup;
++
++ /*
++ * "unittest internal error: unable to add testdata property"
++ *
++ * If this message reports a property in node '/__symbols__' then
++ * the respective unittest overlay contains a label that has the
++ * same name as a label in the live devicetree. The label will
++ * be in the live devicetree only if the devicetree source was
++ * compiled with the '-@' option. If you encounter this error,
++ * please consider renaming __all__ of the labels in the unittest
++ * overlay dts files with an odd prefix that is unlikely to be
++ * used in a real devicetree.
++ */
++
++ /*
++ * open code for_each_property_of_node() because of_add_property()
++ * sets prop->next to NULL
++ */
++ for (prop = np->properties; prop != NULL; prop = save_next) {
++ save_next = prop->next;
++ ret = of_add_property(dup, prop);
++ if (ret)
++ pr_err("unittest internal error: unable to add testdata property %pOF/%s",
++ np, prop->name);
++ }
+ }
+
+ /**
+@@ -1089,18 +1113,23 @@ static void update_node_properties(struct device_node *np,
+ *
+ * @np: Node to attach to live tree
+ */
+-static int attach_node_and_children(struct device_node *np)
++static void attach_node_and_children(struct device_node *np)
+ {
+ struct device_node *next, *dup, *child;
+ unsigned long flags;
+ const char *full_name;
+
+ full_name = kasprintf(GFP_KERNEL, "%pOF", np);
++
++ if (!strcmp(full_name, "/__local_fixups__") ||
++ !strcmp(full_name, "/__fixups__"))
++ return;
++
+ dup = of_find_node_by_path(full_name);
+ kfree(full_name);
+ if (dup) {
+ update_node_properties(np, dup);
+- return 0;
++ return;
+ }
+
+ child = np->child;
+@@ -1121,8 +1150,6 @@ static int attach_node_and_children(struct device_node *np)
+ attach_node_and_children(child);
+ child = next;
+ }
+-
+- return 0;
+ }
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From 40d0b5ec8a731b1049a6b25b8bcb59b0c9f05a70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Oct 2018 20:40:21 -0700
+Subject: of: unittest: initialize args before calling of_*parse_*()
+
+From: Frank Rowand <frank.rowand@sony.com>
+
+[ Upstream commit eeb07c573ec307c53fe2f6ac6d8d11c261f64006 ]
+
+Callers of of_irq_parse_one() blindly use the pointer args.np
+without checking whether of_irq_parse_one() had an error and
+thus did not set the value of args.np. Initialize args to
+zero so that using the format "%pOF" to show the value of
+args.np will show "(null)" when of_irq_parse_one() has an
+error. This prevents the dereference of a random value.
+
+Make the same fix for callers of of_parse_phandle_with_args()
+and of_parse_phandle_with_args_map().
+
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Alan Tull <atull@kernel.org>
+Signed-off-by: Frank Rowand <frank.rowand@sony.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/unittest.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index e8997cdb228cb..68f52966bbc04 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -375,6 +375,7 @@ static void __init of_unittest_parse_phandle_with_args(void)
+ for (i = 0; i < 8; i++) {
+ bool passed = true;
+
++ memset(&args, 0, sizeof(args));
+ rc = of_parse_phandle_with_args(np, "phandle-list",
+ "#phandle-cells", i, &args);
+
+@@ -428,6 +429,7 @@ static void __init of_unittest_parse_phandle_with_args(void)
+ }
+
+ /* Check for missing list property */
++ memset(&args, 0, sizeof(args));
+ rc = of_parse_phandle_with_args(np, "phandle-list-missing",
+ "#phandle-cells", 0, &args);
+ unittest(rc == -ENOENT, "expected:%i got:%i\n", -ENOENT, rc);
+@@ -436,6 +438,7 @@ static void __init of_unittest_parse_phandle_with_args(void)
+ unittest(rc == -ENOENT, "expected:%i got:%i\n", -ENOENT, rc);
+
+ /* Check for missing cells property */
++ memset(&args, 0, sizeof(args));
+ rc = of_parse_phandle_with_args(np, "phandle-list",
+ "#phandle-cells-missing", 0, &args);
+ unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
+@@ -444,6 +447,7 @@ static void __init of_unittest_parse_phandle_with_args(void)
+ unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
+
+ /* Check for bad phandle in list */
++ memset(&args, 0, sizeof(args));
+ rc = of_parse_phandle_with_args(np, "phandle-list-bad-phandle",
+ "#phandle-cells", 0, &args);
+ unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
+@@ -452,6 +456,7 @@ static void __init of_unittest_parse_phandle_with_args(void)
+ unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
+
+ /* Check for incorrectly formed argument list */
++ memset(&args, 0, sizeof(args));
+ rc = of_parse_phandle_with_args(np, "phandle-list-bad-args",
+ "#phandle-cells", 1, &args);
+ unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
+@@ -502,6 +507,7 @@ static void __init of_unittest_parse_phandle_with_args_map(void)
+ for (i = 0; i < 8; i++) {
+ bool passed = true;
+
++ memset(&args, 0, sizeof(args));
+ rc = of_parse_phandle_with_args_map(np, "phandle-list",
+ "phandle", i, &args);
+
+@@ -559,21 +565,25 @@ static void __init of_unittest_parse_phandle_with_args_map(void)
+ }
+
+ /* Check for missing list property */
++ memset(&args, 0, sizeof(args));
+ rc = of_parse_phandle_with_args_map(np, "phandle-list-missing",
+ "phandle", 0, &args);
+ unittest(rc == -ENOENT, "expected:%i got:%i\n", -ENOENT, rc);
+
+ /* Check for missing cells,map,mask property */
++ memset(&args, 0, sizeof(args));
+ rc = of_parse_phandle_with_args_map(np, "phandle-list",
+ "phandle-missing", 0, &args);
+ unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
+
+ /* Check for bad phandle in list */
++ memset(&args, 0, sizeof(args));
+ rc = of_parse_phandle_with_args_map(np, "phandle-list-bad-phandle",
+ "phandle", 0, &args);
+ unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
+
+ /* Check for incorrectly formed argument list */
++ memset(&args, 0, sizeof(args));
+ rc = of_parse_phandle_with_args_map(np, "phandle-list-bad-args",
+ "phandle", 1, &args);
+ unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
+@@ -783,7 +793,7 @@ static void __init of_unittest_parse_interrupts(void)
+ for (i = 0; i < 4; i++) {
+ bool passed = true;
+
+- args.args_count = 0;
++ memset(&args, 0, sizeof(args));
+ rc = of_irq_parse_one(np, i, &args);
+
+ passed &= !rc;
+@@ -804,7 +814,7 @@ static void __init of_unittest_parse_interrupts(void)
+ for (i = 0; i < 4; i++) {
+ bool passed = true;
+
+- args.args_count = 0;
++ memset(&args, 0, sizeof(args));
+ rc = of_irq_parse_one(np, i, &args);
+
+ /* Test the values from tests-phandle.dtsi */
+@@ -860,6 +870,7 @@ static void __init of_unittest_parse_interrupts_extended(void)
+ for (i = 0; i < 7; i++) {
+ bool passed = true;
+
++ memset(&args, 0, sizeof(args));
+ rc = of_irq_parse_one(np, i, &args);
+
+ /* Test the values from tests-phandle.dtsi */
+--
+2.20.1
+
--- /dev/null
+From d937835530e09333ee238c86eb6058f8824a07cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Nov 2018 16:36:55 +0100
+Subject: openvswitch: fix linking without CONFIG_NF_CONNTRACK_LABELS
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit a277d516de5f498c91d91189717ef7e01102ad27 ]
+
+When CONFIG_CC_OPTIMIZE_FOR_DEBUGGING is enabled, the compiler
+fails to optimize out a dead code path, which leads to a link failure:
+
+net/openvswitch/conntrack.o: In function `ovs_ct_set_labels':
+conntrack.c:(.text+0x2e60): undefined reference to `nf_connlabels_replace'
+
+In this configuration, we can take a shortcut, and completely
+remove the contrack label code. This may also help the regular
+optimization.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/conntrack.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
+index 35ae64cbef33f..46aa1aa51db41 100644
+--- a/net/openvswitch/conntrack.c
++++ b/net/openvswitch/conntrack.c
+@@ -1199,7 +1199,8 @@ static int ovs_ct_commit(struct net *net, struct sw_flow_key *key,
+ &info->labels.mask);
+ if (err)
+ return err;
+- } else if (labels_nonzero(&info->labels.mask)) {
++ } else if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
++ labels_nonzero(&info->labels.mask)) {
+ err = ovs_ct_set_labels(ct, key, &info->labels.value,
+ &info->labels.mask);
+ if (err)
+--
+2.20.1
+
--- /dev/null
+From 7ee3fde68665bc2d225c5942077e2ef02ae7bae4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Oct 2018 17:15:54 +0100
+Subject: PCI: cadence: Write MSI data with 32bits
+
+From: Alan Douglas <adouglas@cadence.com>
+
+[ Upstream commit e81e36a96bb56f243b5ac1d114c37c086761595b ]
+
+According to the PCIe specification, although the MSI data is only
+16bits, the upper 16bits should be written as 0. Use writel
+instead of writew when writing the MSI data to the host.
+
+Fixes: 37dddf14f1ae ("PCI: cadence: Add EndPoint Controller driver for Cadence PCIe controller")
+Signed-off-by: Alan Douglas <adouglas@cadence.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-cadence-ep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/pcie-cadence-ep.c b/drivers/pci/controller/pcie-cadence-ep.c
+index 6692654798d44..c3a088910f48d 100644
+--- a/drivers/pci/controller/pcie-cadence-ep.c
++++ b/drivers/pci/controller/pcie-cadence-ep.c
+@@ -355,7 +355,7 @@ static int cdns_pcie_ep_send_msi_irq(struct cdns_pcie_ep *ep, u8 fn,
+ ep->irq_pci_addr = (pci_addr & ~pci_addr_mask);
+ ep->irq_pci_fn = fn;
+ }
+- writew(data, ep->irq_cpu_addr + (pci_addr & pci_addr_mask));
++ writel(data, ep->irq_cpu_addr + (pci_addr & pci_addr_mask));
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 9e8651111cc2af06b8c56d948d467df93c551f23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Oct 2018 13:10:54 +0530
+Subject: PCI: keystone: Use quirk to limit MRRS for K2G
+
+From: Kishon Vijay Abraham I <kishon@ti.com>
+
+[ Upstream commit 148e340c0696369fadbbddc8f4bef801ed247d71 ]
+
+PCI controller in K2G also has a limitation that memory read request
+size (MRRS) must not exceed 256 bytes. Use the quirk to limit MRRS
+(added for K2HK, K2L and K2E) for K2G as well.
+
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pci-keystone.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/pci/controller/dwc/pci-keystone.c b/drivers/pci/controller/dwc/pci-keystone.c
+index 5e199e7d2d4fd..765357b87ff69 100644
+--- a/drivers/pci/controller/dwc/pci-keystone.c
++++ b/drivers/pci/controller/dwc/pci-keystone.c
+@@ -36,6 +36,7 @@
+ #define PCIE_RC_K2HK 0xb008
+ #define PCIE_RC_K2E 0xb009
+ #define PCIE_RC_K2L 0xb00a
++#define PCIE_RC_K2G 0xb00b
+
+ #define to_keystone_pcie(x) dev_get_drvdata((x)->dev)
+
+@@ -50,6 +51,8 @@ static void quirk_limit_mrrs(struct pci_dev *dev)
+ .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, },
+ { PCI_DEVICE(PCI_VENDOR_ID_TI, PCIE_RC_K2L),
+ .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, },
++ { PCI_DEVICE(PCI_VENDOR_ID_TI, PCIE_RC_K2G),
++ .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, },
+ { 0, },
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 30ac5dbdeeee830d6636f3ac3ab8c2f97bc89f81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Oct 2018 16:08:53 +0800
+Subject: PCI: mediatek: Fix class type for MT7622 to PCI_CLASS_BRIDGE_PCI
+
+From: Honghui Zhang <honghui.zhang@mediatek.com>
+
+[ Upstream commit a7f172ab6a8e755e60311f27512034b0441ef421 ]
+
+commit 101c92dc80c8 ("PCI: mediatek: Set up vendor ID and class
+type for MT7622") erroneously set the class type for MT7622 to
+PCI_CLASS_BRIDGE_HOST.
+
+The PCIe controller of MT7622 integrates a Root Port that has type 1
+configuration space header and related bridge windows.
+
+The HW default value of this bridge's class type is invalid.
+
+Fix its class type and set it to PCI_CLASS_BRIDGE_PCI to
+match the hardware implementation.
+
+Fixes: 101c92dc80c8 ("PCI: mediatek: Set up vendor ID and class type for MT7622")
+Signed-off-by: Honghui Zhang <honghui.zhang@mediatek.com>
+[lorenzo.pieralisi@arm.com: reworked the commit log]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Ryder Lee <ryder.lee@mediatek.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-mediatek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/pcie-mediatek.c b/drivers/pci/controller/pcie-mediatek.c
+index 0d100f56cb884..8d1364c317747 100644
+--- a/drivers/pci/controller/pcie-mediatek.c
++++ b/drivers/pci/controller/pcie-mediatek.c
+@@ -432,7 +432,7 @@ static int mtk_pcie_startup_port_v2(struct mtk_pcie_port *port)
+ val = PCI_VENDOR_ID_MEDIATEK;
+ writew(val, port->base + PCIE_CONF_VEND_ID);
+
+- val = PCI_CLASS_BRIDGE_HOST;
++ val = PCI_CLASS_BRIDGE_PCI;
+ writew(val, port->base + PCIE_CONF_CLASS_ID);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From dd1fb162dd2c7edaff750750cd99fb6bae0fb389 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Oct 2018 16:08:56 +0800
+Subject: PCI: mediatek: Fixup MSI enablement logic by enabling MSI before
+ clocks
+
+From: Honghui Zhang <honghui.zhang@mediatek.com>
+
+[ Upstream commit 3828d60fd2ef99f97a677c1f95af2ab3e65e2576 ]
+
+Commit 43e6409db64d ("PCI: mediatek: Add MSI support for MT2712 and
+MT7622") added MSI support but enabled MSI in the wrong place, at a step
+in the probe sequence where clocks were not still enabled.
+
+Fix this issue by calling mtk_pcie_enable_msi() in mtk_pcie_startup_port_v2()
+since clocks are enabled when mtk_pcie_startup_port_v2() is called.
+
+To avoid forward declaration of mtk_pcie_enable_msi(), move the
+mtk_pcie_startup_port_v2() function definition in the file.
+
+Fixes: 43e6409db64d ("PCI: mediatek: Add MSI support for MT2712 and MT7622")
+Signed-off-by: Honghui Zhang <honghui.zhang@mediatek.com>
+[lorenzo.pieralisi@arm.com: squashed commit and adapted log]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Ryder Lee <ryder.lee@mediatek.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-mediatek.c | 143 +++++++++++++------------
+ 1 file changed, 72 insertions(+), 71 deletions(-)
+
+diff --git a/drivers/pci/controller/pcie-mediatek.c b/drivers/pci/controller/pcie-mediatek.c
+index 8d1364c317747..1bfbceb9f4458 100644
+--- a/drivers/pci/controller/pcie-mediatek.c
++++ b/drivers/pci/controller/pcie-mediatek.c
+@@ -394,75 +394,6 @@ static struct pci_ops mtk_pcie_ops_v2 = {
+ .write = mtk_pcie_config_write,
+ };
+
+-static int mtk_pcie_startup_port_v2(struct mtk_pcie_port *port)
+-{
+- struct mtk_pcie *pcie = port->pcie;
+- struct resource *mem = &pcie->mem;
+- const struct mtk_pcie_soc *soc = port->pcie->soc;
+- u32 val;
+- size_t size;
+- int err;
+-
+- /* MT7622 platforms need to enable LTSSM and ASPM from PCIe subsys */
+- if (pcie->base) {
+- val = readl(pcie->base + PCIE_SYS_CFG_V2);
+- val |= PCIE_CSR_LTSSM_EN(port->slot) |
+- PCIE_CSR_ASPM_L1_EN(port->slot);
+- writel(val, pcie->base + PCIE_SYS_CFG_V2);
+- }
+-
+- /* Assert all reset signals */
+- writel(0, port->base + PCIE_RST_CTRL);
+-
+- /*
+- * Enable PCIe link down reset, if link status changed from link up to
+- * link down, this will reset MAC control registers and configuration
+- * space.
+- */
+- writel(PCIE_LINKDOWN_RST_EN, port->base + PCIE_RST_CTRL);
+-
+- /* De-assert PHY, PE, PIPE, MAC and configuration reset */
+- val = readl(port->base + PCIE_RST_CTRL);
+- val |= PCIE_PHY_RSTB | PCIE_PERSTB | PCIE_PIPE_SRSTB |
+- PCIE_MAC_SRSTB | PCIE_CRSTB;
+- writel(val, port->base + PCIE_RST_CTRL);
+-
+- /* Set up vendor ID and class code */
+- if (soc->need_fix_class_id) {
+- val = PCI_VENDOR_ID_MEDIATEK;
+- writew(val, port->base + PCIE_CONF_VEND_ID);
+-
+- val = PCI_CLASS_BRIDGE_PCI;
+- writew(val, port->base + PCIE_CONF_CLASS_ID);
+- }
+-
+- /* 100ms timeout value should be enough for Gen1/2 training */
+- err = readl_poll_timeout(port->base + PCIE_LINK_STATUS_V2, val,
+- !!(val & PCIE_PORT_LINKUP_V2), 20,
+- 100 * USEC_PER_MSEC);
+- if (err)
+- return -ETIMEDOUT;
+-
+- /* Set INTx mask */
+- val = readl(port->base + PCIE_INT_MASK);
+- val &= ~INTX_MASK;
+- writel(val, port->base + PCIE_INT_MASK);
+-
+- /* Set AHB to PCIe translation windows */
+- size = mem->end - mem->start;
+- val = lower_32_bits(mem->start) | AHB2PCIE_SIZE(fls(size));
+- writel(val, port->base + PCIE_AHB_TRANS_BASE0_L);
+-
+- val = upper_32_bits(mem->start);
+- writel(val, port->base + PCIE_AHB_TRANS_BASE0_H);
+-
+- /* Set PCIe to AXI translation memory space.*/
+- val = fls(0xffffffff) | WIN_ENABLE;
+- writel(val, port->base + PCIE_AXI_WINDOW0);
+-
+- return 0;
+-}
+-
+ static void mtk_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ {
+ struct mtk_pcie_port *port = irq_data_get_irq_chip_data(data);
+@@ -639,8 +570,6 @@ static int mtk_pcie_init_irq_domain(struct mtk_pcie_port *port,
+ ret = mtk_pcie_allocate_msi_domains(port);
+ if (ret)
+ return ret;
+-
+- mtk_pcie_enable_msi(port);
+ }
+
+ return 0;
+@@ -707,6 +636,78 @@ static int mtk_pcie_setup_irq(struct mtk_pcie_port *port,
+ return 0;
+ }
+
++static int mtk_pcie_startup_port_v2(struct mtk_pcie_port *port)
++{
++ struct mtk_pcie *pcie = port->pcie;
++ struct resource *mem = &pcie->mem;
++ const struct mtk_pcie_soc *soc = port->pcie->soc;
++ u32 val;
++ size_t size;
++ int err;
++
++ /* MT7622 platforms need to enable LTSSM and ASPM from PCIe subsys */
++ if (pcie->base) {
++ val = readl(pcie->base + PCIE_SYS_CFG_V2);
++ val |= PCIE_CSR_LTSSM_EN(port->slot) |
++ PCIE_CSR_ASPM_L1_EN(port->slot);
++ writel(val, pcie->base + PCIE_SYS_CFG_V2);
++ }
++
++ /* Assert all reset signals */
++ writel(0, port->base + PCIE_RST_CTRL);
++
++ /*
++ * Enable PCIe link down reset, if link status changed from link up to
++ * link down, this will reset MAC control registers and configuration
++ * space.
++ */
++ writel(PCIE_LINKDOWN_RST_EN, port->base + PCIE_RST_CTRL);
++
++ /* De-assert PHY, PE, PIPE, MAC and configuration reset */
++ val = readl(port->base + PCIE_RST_CTRL);
++ val |= PCIE_PHY_RSTB | PCIE_PERSTB | PCIE_PIPE_SRSTB |
++ PCIE_MAC_SRSTB | PCIE_CRSTB;
++ writel(val, port->base + PCIE_RST_CTRL);
++
++ /* Set up vendor ID and class code */
++ if (soc->need_fix_class_id) {
++ val = PCI_VENDOR_ID_MEDIATEK;
++ writew(val, port->base + PCIE_CONF_VEND_ID);
++
++ val = PCI_CLASS_BRIDGE_PCI;
++ writew(val, port->base + PCIE_CONF_CLASS_ID);
++ }
++
++ /* 100ms timeout value should be enough for Gen1/2 training */
++ err = readl_poll_timeout(port->base + PCIE_LINK_STATUS_V2, val,
++ !!(val & PCIE_PORT_LINKUP_V2), 20,
++ 100 * USEC_PER_MSEC);
++ if (err)
++ return -ETIMEDOUT;
++
++ /* Set INTx mask */
++ val = readl(port->base + PCIE_INT_MASK);
++ val &= ~INTX_MASK;
++ writel(val, port->base + PCIE_INT_MASK);
++
++ if (IS_ENABLED(CONFIG_PCI_MSI))
++ mtk_pcie_enable_msi(port);
++
++ /* Set AHB to PCIe translation windows */
++ size = mem->end - mem->start;
++ val = lower_32_bits(mem->start) | AHB2PCIE_SIZE(fls(size));
++ writel(val, port->base + PCIE_AHB_TRANS_BASE0_L);
++
++ val = upper_32_bits(mem->start);
++ writel(val, port->base + PCIE_AHB_TRANS_BASE0_H);
++
++ /* Set PCIe to AXI translation memory space.*/
++ val = fls(0xffffffff) | WIN_ENABLE;
++ writel(val, port->base + PCIE_AXI_WINDOW0);
++
++ return 0;
++}
++
+ static void __iomem *mtk_pcie_map_bus(struct pci_bus *bus,
+ unsigned int devfn, int where)
+ {
+--
+2.20.1
+
--- /dev/null
+From 0bf2f584c88756cb2ba82f3934d4727eaaa3a4d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Oct 2018 18:48:07 -0600
+Subject: PCI: vmd: Detach resources after stopping root bus
+
+From: Jon Derrick <jonathan.derrick@intel.com>
+
+[ Upstream commit dc8af3a827df6d4bb925d3b81b7ec94a7cce9482 ]
+
+The VMD removal path calls pci_stop_root_busi(), which tears down the pcie
+tree, including detaching all of the attached drivers. During driver
+detachment, devices may use pci_release_region() to release resources.
+This path relies on the resource being accessible in resource tree.
+
+By detaching the child domain from the parent resource domain prior to
+stopping the bus, we are preventing the list traversal from finding the
+resource to be freed. If we instead detach the resource after stopping
+the bus, we will have properly freed the resource and detaching is
+simply accounting at that point.
+
+Without this order, the resource is never freed and is orphaned on VMD
+removal, leading to a warning:
+
+[ 181.940162] Trying to free nonexistent resource <e5a10000-e5a13fff>
+
+Fixes: 2c2c5c5cd213 ("x86/PCI: VMD: Attach VMD resources to parent domain's resource tree")
+Signed-off-by: Jon Derrick <jonathan.derrick@intel.com>
+[lorenzo.pieralisi@arm.com: updated commit log]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/vmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/vmd.c b/drivers/pci/controller/vmd.c
+index 65eaa6b618685..ab36e5ca1aca3 100644
+--- a/drivers/pci/controller/vmd.c
++++ b/drivers/pci/controller/vmd.c
+@@ -818,12 +818,12 @@ static void vmd_remove(struct pci_dev *dev)
+ {
+ struct vmd_dev *vmd = pci_get_drvdata(dev);
+
+- vmd_detach_resources(vmd);
+ sysfs_remove_link(&vmd->dev->dev.kobj, "domain");
+ pci_stop_root_bus(vmd->bus);
+ pci_remove_root_bus(vmd->bus);
+ vmd_cleanup_srcu(vmd);
+ vmd_teardown_dma_ops(vmd);
++ vmd_detach_resources(vmd);
+ irq_domain_remove(vmd->irq_domain);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From d361862f7dfded16da8d72219a5c53b925e7de28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 17:46:54 -0700
+Subject: pinctrl: bcm2835: Use define directive for BCM2835_PINCONF_PARAM_PULL
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit b40ac08ff886302a6aa457fd72e94a969f50e245 ]
+
+Clang warns when one enumerated type is implicitly converted to another:
+
+drivers/pinctrl/bcm/pinctrl-bcm2835.c:707:40: warning: implicit
+conversion from enumeration type 'enum bcm2835_pinconf_param' to
+different enumeration type 'enum pin_config_param' [-Wenum-conversion]
+ configs[0] = pinconf_to_config_packed(BCM2835_PINCONF_PARAM_PULL, pull);
+ ~~~~~~~~~~~~~~~~~~~~~~~~ ^~~~~~~~~~~~~~~~~~~~~~~~~~
+1 warning generated.
+
+It is expected that pinctrl drivers can extend pin_config_param because
+of the gap between PIN_CONFIG_END and PIN_CONFIG_MAX so this conversion
+isn't an issue. Most drivers that take advantage of this define the
+PIN_CONFIG variables as constants, rather than enumerated values. Do the
+same thing here so that Clang no longer warns.
+
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/bcm/pinctrl-bcm2835.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pinctrl/bcm/pinctrl-bcm2835.c b/drivers/pinctrl/bcm/pinctrl-bcm2835.c
+index 08925d24180b0..1bd3c10ce1893 100644
+--- a/drivers/pinctrl/bcm/pinctrl-bcm2835.c
++++ b/drivers/pinctrl/bcm/pinctrl-bcm2835.c
+@@ -72,10 +72,8 @@
+ #define GPIO_REG_OFFSET(p) ((p) / 32)
+ #define GPIO_REG_SHIFT(p) ((p) % 32)
+
+-enum bcm2835_pinconf_param {
+- /* argument: bcm2835_pinconf_pull */
+- BCM2835_PINCONF_PARAM_PULL = (PIN_CONFIG_END + 1),
+-};
++/* argument: bcm2835_pinconf_pull */
++#define BCM2835_PINCONF_PARAM_PULL (PIN_CONFIG_END + 1)
+
+ struct bcm2835_pinctrl {
+ struct device *dev;
+--
+2.20.1
+
--- /dev/null
+From 0caba36c5a37ac6bfffd09b6c88943f49aae4d73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Nov 2018 08:00:08 -0700
+Subject: pinctrl: lpc18xx: Use define directive for PIN_CONFIG_GPIO_PIN_INT
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit f24bfb39975c241374cadebbd037c17960cf1412 ]
+
+Clang warns when one enumerated type is implicitly converted to another:
+
+drivers/pinctrl/pinctrl-lpc18xx.c:643:29: warning: implicit conversion
+from enumeration type 'enum lpc18xx_pin_config_param' to different
+enumeration type 'enum pin_config_param' [-Wenum-conversion]
+ {"nxp,gpio-pin-interrupt", PIN_CONFIG_GPIO_PIN_INT, 0},
+ ~ ^~~~~~~~~~~~~~~~~~~~~~~
+drivers/pinctrl/pinctrl-lpc18xx.c:648:12: warning: implicit conversion
+from enumeration type 'enum lpc18xx_pin_config_param' to different
+enumeration type 'enum pin_config_param' [-Wenum-conversion]
+ PCONFDUMP(PIN_CONFIG_GPIO_PIN_INT, "gpio pin int", NULL, true),
+ ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+./include/linux/pinctrl/pinconf-generic.h:163:11: note: expanded from
+macro 'PCONFDUMP'
+ .param = a, .display = b, .format = c, .has_arg = d \
+ ^
+2 warnings generated.
+
+It is expected that pinctrl drivers can extend pin_config_param because
+of the gap between PIN_CONFIG_END and PIN_CONFIG_MAX so this conversion
+isn't an issue. Most drivers that take advantage of this define the
+PIN_CONFIG variables as constants, rather than enumerated values. Do the
+same thing here so that Clang no longer warns.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/140
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-lpc18xx.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-lpc18xx.c b/drivers/pinctrl/pinctrl-lpc18xx.c
+index 190f17e4bbdaf..1d3b88e6ab862 100644
+--- a/drivers/pinctrl/pinctrl-lpc18xx.c
++++ b/drivers/pinctrl/pinctrl-lpc18xx.c
+@@ -630,14 +630,8 @@ static const struct pinctrl_pin_desc lpc18xx_pins[] = {
+ LPC18XX_PIN(i2c0_sda, PIN_I2C0_SDA),
+ };
+
+-/**
+- * enum lpc18xx_pin_config_param - possible pin configuration parameters
+- * @PIN_CONFIG_GPIO_PIN_INT: route gpio to the gpio pin interrupt
+- * controller.
+- */
+-enum lpc18xx_pin_config_param {
+- PIN_CONFIG_GPIO_PIN_INT = PIN_CONFIG_END + 1,
+-};
++/* PIN_CONFIG_GPIO_PIN_INT: route gpio to the gpio pin interrupt controller */
++#define PIN_CONFIG_GPIO_PIN_INT (PIN_CONFIG_END + 1)
+
+ static const struct pinconf_generic_params lpc18xx_params[] = {
+ {"nxp,gpio-pin-interrupt", PIN_CONFIG_GPIO_PIN_INT, 0},
+--
+2.20.1
+
--- /dev/null
+From 4467d97a7b6ae69d77fcefeca8296a15b7468fc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Oct 2018 17:13:13 +0200
+Subject: pinctrl: madera: Fix uninitialized variable bug in madera_mux_set_mux
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+[ Upstream commit 4fe81669df50889ff1072c030c59df5f1fa6534e ]
+
+There is a potential execution path in which variable *ret* is checked
+in an IF statement, and then its value is used to report an error at
+line 659 without being properly initialized previously:
+
+659 if (ret)
+660 dev_err(priv->dev, "Failed to write to 0x%x (%d)\n", reg, ret);
+
+Fix this by initializing variable *ret* to 0 in order to
+avoid unpredictable or unintended results.
+
+Addresses-Coverity-ID: 1471969 ("Uninitialized scalar variable")
+Fixes: 218d72a77b0b ("pinctrl: madera: Add driver for Cirrus Logic Madera codecs")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/cirrus/pinctrl-madera-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/cirrus/pinctrl-madera-core.c b/drivers/pinctrl/cirrus/pinctrl-madera-core.c
+index c4f4d904e4a61..618e04407ac85 100644
+--- a/drivers/pinctrl/cirrus/pinctrl-madera-core.c
++++ b/drivers/pinctrl/cirrus/pinctrl-madera-core.c
+@@ -608,7 +608,7 @@ static int madera_mux_set_mux(struct pinctrl_dev *pctldev,
+ unsigned int n_chip_groups = priv->chip->n_pin_groups;
+ const char *func_name = madera_mux_funcs[selector].name;
+ unsigned int reg;
+- int i, ret;
++ int i, ret = 0;
+
+ dev_dbg(priv->dev, "%s selecting %u (%s) for group %u (%s)\n",
+ __func__, selector, func_name, group,
+--
+2.20.1
+
--- /dev/null
+From ae6d91c07d7de3f995b0a02f92e8705e3fb7d56d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 20:11:47 -0400
+Subject: pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues
+
+From: Brian Masney <masneyb@onstation.org>
+
+[ Upstream commit 149a96047237574b756d872007c006acd0cc6687 ]
+
+When attempting to setup up a gpio hog, device probing would repeatedly
+fail with -EPROBE_DEFERED errors. It was caused by a circular dependency
+between the gpio and pinctrl frameworks. If the gpio-ranges property is
+present in device tree, then the gpio framework will handle the gpio pin
+registration and eliminate the circular dependency.
+
+See Christian Lamparter's commit a86caa9ba5d7 ("pinctrl: msm: fix
+gpio-hog related boot issues") for a detailed commit message that
+explains the issue in much more detail. The code comment in this commit
+came from Christian's commit.
+
+Signed-off-by: Brian Masney <masneyb@onstation.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/qcom/pinctrl-spmi-gpio.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
+index cf82db78e69e6..0c30f5eb4c714 100644
+--- a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
++++ b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
+@@ -1028,10 +1028,23 @@ static int pmic_gpio_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+- ret = gpiochip_add_pin_range(&state->chip, dev_name(dev), 0, 0, npins);
+- if (ret) {
+- dev_err(dev, "failed to add pin range\n");
+- goto err_range;
++ /*
++ * For DeviceTree-supported systems, the gpio core checks the
++ * pinctrl's device node for the "gpio-ranges" property.
++ * If it is present, it takes care of adding the pin ranges
++ * for the driver. In this case the driver can skip ahead.
++ *
++ * In order to remain compatible with older, existing DeviceTree
++ * files which don't set the "gpio-ranges" property or systems that
++ * utilize ACPI the driver has to call gpiochip_add_pin_range().
++ */
++ if (!of_property_read_bool(dev->of_node, "gpio-ranges")) {
++ ret = gpiochip_add_pin_range(&state->chip, dev_name(dev), 0, 0,
++ npins);
++ if (ret) {
++ dev_err(dev, "failed to add pin range\n");
++ goto err_range;
++ }
+ }
+
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From d2e489cae581d865f514e9a1cc7395b30ad3487f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 08:22:28 +0200
+Subject: pinctrl: sunxi: Fix a memory leak in 'sunxi_pinctrl_build_state()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit a93a676b079144009f55fff2ab0e34c3b7258c8a ]
+
+If 'krealloc()' fails, 'pctl->functions' is set to NULL.
+We should instead use a temp variable in order to be able to free the
+previously allocated memeory, in case of OOM.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/sunxi/pinctrl-sunxi.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pinctrl/sunxi/pinctrl-sunxi.c b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+index 26ebedc1f6d31..61aaaf58c5993 100644
+--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+@@ -1042,6 +1042,7 @@ static int sunxi_pinctrl_add_function(struct sunxi_pinctrl *pctl,
+ static int sunxi_pinctrl_build_state(struct platform_device *pdev)
+ {
+ struct sunxi_pinctrl *pctl = platform_get_drvdata(pdev);
++ void *ptr;
+ int i;
+
+ /*
+@@ -1108,13 +1109,15 @@ static int sunxi_pinctrl_build_state(struct platform_device *pdev)
+ }
+
+ /* And now allocated and fill the array for real */
+- pctl->functions = krealloc(pctl->functions,
+- pctl->nfunctions * sizeof(*pctl->functions),
+- GFP_KERNEL);
+- if (!pctl->functions) {
++ ptr = krealloc(pctl->functions,
++ pctl->nfunctions * sizeof(*pctl->functions),
++ GFP_KERNEL);
++ if (!ptr) {
+ kfree(pctl->functions);
++ pctl->functions = NULL;
+ return -ENOMEM;
+ }
++ pctl->functions = ptr;
+
+ for (i = 0; i < pctl->desc->npins; i++) {
+ const struct sunxi_desc_pin *pin = pctl->desc->pins + i;
+--
+2.20.1
+
--- /dev/null
+From ad8cd10bbb636bbf63e5ccfe5aecc834a554f092 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Nov 2018 01:56:40 -0700
+Subject: pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit cd8a145a066a1a3beb0ae615c7cb2ee4217418d7 ]
+
+Clang warns when one enumerated type is implicitly converted to another:
+
+drivers/pinctrl/pinctrl-zynq.c:985:18: warning: implicit conversion from
+enumeration type 'enum zynq_pin_config_param' to different enumeration
+type 'enum pin_config_param' [-Wenum-conversion]
+ {"io-standard", PIN_CONFIG_IOSTANDARD, zynq_iostd_lvcmos18},
+ ~ ^~~~~~~~~~~~~~~~~~~~~
+drivers/pinctrl/pinctrl-zynq.c:990:16: warning: implicit conversion from
+enumeration type 'enum zynq_pin_config_param' to different enumeration
+type 'enum pin_config_param' [-Wenum-conversion]
+ = { PCONFDUMP(PIN_CONFIG_IOSTANDARD, "IO-standard", NULL, true),
+ ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+./include/linux/pinctrl/pinconf-generic.h:163:11: note: expanded from
+macro 'PCONFDUMP'
+ .param = a, .display = b, .format = c, .has_arg = d \
+ ^
+2 warnings generated.
+
+It is expected that pinctrl drivers can extend pin_config_param because
+of the gap between PIN_CONFIG_END and PIN_CONFIG_MAX so this conversion
+isn't an issue. Most drivers that take advantage of this define the
+PIN_CONFIG variables as constants, rather than enumerated values. Do the
+same thing here so that Clang no longer warns.
+
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Acked-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-zynq.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-zynq.c b/drivers/pinctrl/pinctrl-zynq.c
+index a0daf27042bd0..90fd37e8207bf 100644
+--- a/drivers/pinctrl/pinctrl-zynq.c
++++ b/drivers/pinctrl/pinctrl-zynq.c
+@@ -971,15 +971,12 @@ enum zynq_io_standards {
+ zynq_iostd_max
+ };
+
+-/**
+- * enum zynq_pin_config_param - possible pin configuration parameters
+- * @PIN_CONFIG_IOSTANDARD: if the pin can select an IO standard, the argument to
++/*
++ * PIN_CONFIG_IOSTANDARD: if the pin can select an IO standard, the argument to
+ * this parameter (on a custom format) tells the driver which alternative
+ * IO standard to use.
+ */
+-enum zynq_pin_config_param {
+- PIN_CONFIG_IOSTANDARD = PIN_CONFIG_END + 1,
+-};
++#define PIN_CONFIG_IOSTANDARD (PIN_CONFIG_END + 1)
+
+ static const struct pinconf_generic_params zynq_dt_params[] = {
+ {"io-standard", PIN_CONFIG_IOSTANDARD, zynq_iostd_lvcmos18},
+--
+2.20.1
+
--- /dev/null
+From 81120482ed4bf3cb3dce753509d6e2ed9db8e938 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Oct 2018 16:38:15 +0200
+Subject: PM / Domains: Deal with multiple states but no governor in genpd
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+[ Upstream commit 2c9b7f8772033cc8bafbd4eefe2ca605bf3eb094 ]
+
+A caller of pm_genpd_init() that provides some states for the genpd via the
+->states pointer in the struct generic_pm_domain, should also provide a
+governor. This because it's the job of the governor to pick a state that
+satisfies the constraints.
+
+Therefore, let's print a warning to inform the user about such bogus
+configuration and avoid to bail out, by instead picking the shallowest
+state before genpd invokes the ->power_off() callback.
+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Reviewed-by: Lina Iyer <ilina@codeaurora.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/domain.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
+index bf5be0bfaf773..52c292d0908a2 100644
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -467,6 +467,10 @@ static int genpd_power_off(struct generic_pm_domain *genpd, bool one_dev_on,
+ return -EAGAIN;
+ }
+
++ /* Default to shallowest state. */
++ if (!genpd->gov)
++ genpd->state_idx = 0;
++
+ if (genpd->power_off) {
+ int ret;
+
+@@ -1686,6 +1690,8 @@ int pm_genpd_init(struct generic_pm_domain *genpd,
+ ret = genpd_set_default_power_state(genpd);
+ if (ret)
+ return ret;
++ } else if (!gov) {
++ pr_warn("%s : no governor for states\n", genpd->name);
+ }
+
+ device_initialize(&genpd->dev);
+--
+2.20.1
+
--- /dev/null
+From 0b29d00fe3b569eecb0f53a4528edca92a0f1bb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Aug 2018 18:11:27 +1000
+Subject: powerpc/64s/radix: Fix radix__flush_tlb_collapsed_pmd double flushing
+ pmd
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit dd76ff5af35350fd6d5bb5b069e73b6017f66893 ]
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/tlb-radix.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/powerpc/mm/tlb-radix.c b/arch/powerpc/mm/tlb-radix.c
+index 796ff5de26d09..1749f15fc0705 100644
+--- a/arch/powerpc/mm/tlb-radix.c
++++ b/arch/powerpc/mm/tlb-radix.c
+@@ -1072,7 +1072,6 @@ void radix__flush_tlb_collapsed_pmd(struct mm_struct *mm, unsigned long addr)
+ goto local;
+ }
+ _tlbie_va_range(addr, end, pid, PAGE_SIZE, mmu_virtual_psize, true);
+- goto local;
+ } else {
+ local:
+ _tlbiel_va_range(addr, end, pid, PAGE_SIZE, mmu_virtual_psize, true);
+--
+2.20.1
+
--- /dev/null
+From 097e3730530724d858b159c363572e51bd32574d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Oct 2018 13:15:22 +1030
+Subject: powerpc/boot: Disable vector instructions
+
+From: Joel Stanley <joel@jms.id.au>
+
+[ Upstream commit e8e132e6885962582784b6fa16a80d07ea739c0f ]
+
+This will avoid auto-vectorisation when building with higher
+optimisation levels.
+
+We don't know if the machine can support VSX and even if it's present
+it's probably not going to be enabled at this point in boot.
+
+These flag were both added prior to GCC 4.6 which is the minimum
+compiler version supported by upstream, thanks to Segher for the
+details.
+
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/boot/Makefile b/arch/powerpc/boot/Makefile
+index 25e3184f11f78..7d5ddf53750ce 100644
+--- a/arch/powerpc/boot/Makefile
++++ b/arch/powerpc/boot/Makefile
+@@ -32,8 +32,8 @@ else
+ endif
+
+ BOOTCFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
+- -fno-strict-aliasing -Os -msoft-float -pipe \
+- -fomit-frame-pointer -fno-builtin -fPIC -nostdinc \
++ -fno-strict-aliasing -Os -msoft-float -mno-altivec -mno-vsx \
++ -pipe -fomit-frame-pointer -fno-builtin -fPIC -nostdinc \
+ -D$(compress-y)
+
+ ifdef CONFIG_PPC64_BOOT_WRAPPER
+--
+2.20.1
+
--- /dev/null
+From ae11cb856f41a81dad6c9db4589d721e27ea13eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Oct 2018 09:58:03 +1030
+Subject: powerpc/boot: Fix opal console in boot wrapper
+
+From: Joel Stanley <joel@jms.id.au>
+
+[ Upstream commit 1a855eaccf353f7ed1d51a3d4b3af727ccbd81ca ]
+
+As of commit 10c77dba40ff ("powerpc/boot: Fix build failure in 32-bit
+boot wrapper") the opal code is hidden behind CONFIG_PPC64_BOOT_WRAPPER,
+but the boot wrapper avoids include/linux, so it does not get the normal
+Kconfig flags.
+
+We can drop the guard entirely as in commit f8e8e69cea49 ("powerpc/boot:
+Only build OPAL code when necessary") the makefile only includes opal.c
+in the build if CONFIG_PPC64_BOOT_WRAPPER is set.
+
+Fixes: 10c77dba40ff ("powerpc/boot: Fix build failure in 32-bit boot wrapper")
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/opal.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/arch/powerpc/boot/opal.c b/arch/powerpc/boot/opal.c
+index 0272570d02de1..dfb199ef5b949 100644
+--- a/arch/powerpc/boot/opal.c
++++ b/arch/powerpc/boot/opal.c
+@@ -13,8 +13,6 @@
+ #include <libfdt.h>
+ #include "../include/asm/opal-api.h"
+
+-#ifdef CONFIG_PPC64_BOOT_WRAPPER
+-
+ /* Global OPAL struct used by opal-call.S */
+ struct opal {
+ u64 base;
+@@ -101,9 +99,3 @@ int opal_console_init(void *devp, struct serial_console_data *scdp)
+
+ return 0;
+ }
+-#else
+-int opal_console_init(void *devp, struct serial_console_data *scdp)
+-{
+- return -1;
+-}
+-#endif /* __powerpc64__ */
+--
+2.20.1
+
--- /dev/null
+From c15de758ec2adad5326ede6ef65b30ed3f04589b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Sep 2018 11:23:21 +1000
+Subject: powerpc/eeh: Fix null deref for devices removed during EEH
+
+From: Sam Bobroff <sbobroff@linux.ibm.com>
+
+[ Upstream commit bcbe3730531239abd45ab6c6af4a18078b37dd47 ]
+
+If a device is removed during EEH processing (either by a driver's
+handler or as part of recovery), it can lead to a null dereference
+in eeh_pe_report_edev().
+
+To handle this, skip devices that have been removed.
+
+Signed-off-by: Sam Bobroff <sbobroff@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/eeh_driver.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c
+index 110eba400de7c..af1f3d5f9a0f7 100644
+--- a/arch/powerpc/kernel/eeh_driver.c
++++ b/arch/powerpc/kernel/eeh_driver.c
+@@ -281,6 +281,10 @@ static void eeh_pe_report_edev(struct eeh_dev *edev, eeh_report_fn fn,
+ struct pci_driver *driver;
+ enum pci_ers_result new_result;
+
++ if (!edev->pdev) {
++ eeh_edev_info(edev, "no device");
++ return;
++ }
+ device_lock(&edev->pdev->dev);
+ if (eeh_edev_actionable(edev)) {
+ driver = eeh_pcid_get(edev->pdev);
+--
+2.20.1
+
--- /dev/null
+From 27de9a20479dbc7e19c766c8ef8a7aced8ffda24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Sep 2018 11:23:22 +1000
+Subject: powerpc/eeh: Fix use of EEH_PE_KEEP on wrong field
+
+From: Sam Bobroff <sbobroff@linux.ibm.com>
+
+[ Upstream commit 473af09b56dc4be68e4af33220ceca6be67aa60d ]
+
+eeh_add_to_parent_pe() sometimes removes the EEH_PE_KEEP flag, but it
+incorrectly removes it from pe->type, instead of pe->state.
+
+However, rather than clearing it from the correct field, remove it.
+Inspection of the code shows that it can't ever have had any effect
+(even if it had been cleared from the correct field), because the
+field is never tested after it is cleared by the statement in
+question.
+
+The clear statement was added by commit 807a827d4e74 ("powerpc/eeh:
+Keep PE during hotplug"), but it didn't explain why it was necessary.
+
+Signed-off-by: Sam Bobroff <sbobroff@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/eeh_pe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c
+index 1b238ecc553e2..210d239a93950 100644
+--- a/arch/powerpc/kernel/eeh_pe.c
++++ b/arch/powerpc/kernel/eeh_pe.c
+@@ -379,7 +379,7 @@ int eeh_add_to_parent_pe(struct eeh_dev *edev)
+ while (parent) {
+ if (!(parent->type & EEH_PE_INVALID))
+ break;
+- parent->type &= ~(EEH_PE_INVALID | EEH_PE_KEEP);
++ parent->type &= ~EEH_PE_INVALID;
+ parent = parent->parent;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 955e38773b37be602b4c745c8756cc7ac1b3354b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Oct 2018 19:44:58 +0300
+Subject: powerpc: Fix signedness bug in update_flash_db()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 014704e6f54189a203cc14c7c0bb411b940241bc ]
+
+The "count < sizeof(struct os_area_db)" comparison is type promoted to
+size_t so negative values of "count" are treated as very high values
+and we accidentally return success instead of a negative error code.
+
+This doesn't really change runtime much but it fixes a static checker
+warning.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Geoff Levand <geoff@infradead.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/ps3/os-area.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/ps3/os-area.c b/arch/powerpc/platforms/ps3/os-area.c
+index cdbfc5cfd6f38..f5387ad822798 100644
+--- a/arch/powerpc/platforms/ps3/os-area.c
++++ b/arch/powerpc/platforms/ps3/os-area.c
+@@ -664,7 +664,7 @@ static int update_flash_db(void)
+ db_set_64(db, &os_area_db_id_rtc_diff, saved_params.rtc_diff);
+
+ count = os_area_flash_write(db, sizeof(struct os_area_db), pos);
+- if (count < sizeof(struct os_area_db)) {
++ if (count < 0 || count < sizeof(struct os_area_db)) {
+ pr_debug("%s: os_area_flash_write failed %zd\n", __func__,
+ count);
+ error = count < 0 ? count : -EIO;
+--
+2.20.1
+
--- /dev/null
+From 5d25548a9a24c14960c810ce090398d08911b4cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Aug 2018 22:29:26 +1000
+Subject: powerpc/mm/radix: Fix off-by-one in split mapping logic
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 5c6499b7041b43807dfaeda28aa87fc0e62558f7 ]
+
+When we have CONFIG_STRICT_KERNEL_RWX enabled, we try to split the
+kernel linear (1:1) mapping so that the kernel text is in a separate
+page to kernel data, so we can mark the former read-only.
+
+We could achieve that just by always using 64K pages for the linear
+mapping, but we try to be smarter. Instead we use huge pages when
+possible, and only switch to smaller pages when necessary.
+
+However we have an off-by-one bug in that logic, which causes us to
+calculate the wrong boundary between text and data.
+
+For example with the end of the kernel text at 16M we see:
+
+ radix-mmu: Mapped 0x0000000000000000-0x0000000001200000 with 64.0 KiB pages
+ radix-mmu: Mapped 0x0000000001200000-0x0000000040000000 with 2.00 MiB pages
+ radix-mmu: Mapped 0x0000000040000000-0x0000000100000000 with 1.00 GiB pages
+
+ie. we mapped from 0 to 18M with 64K pages, even though the boundary
+between text and data is at 16M.
+
+With the fix we see we're correctly hitting the 16M boundary:
+
+ radix-mmu: Mapped 0x0000000000000000-0x0000000001000000 with 64.0 KiB pages
+ radix-mmu: Mapped 0x0000000001000000-0x0000000040000000 with 2.00 MiB pages
+ radix-mmu: Mapped 0x0000000040000000-0x0000000100000000 with 1.00 GiB pages
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/pgtable-radix.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/mm/pgtable-radix.c b/arch/powerpc/mm/pgtable-radix.c
+index 3ea4c1f107d7e..24a2eadc8c21a 100644
+--- a/arch/powerpc/mm/pgtable-radix.c
++++ b/arch/powerpc/mm/pgtable-radix.c
+@@ -294,14 +294,14 @@ static int __meminit create_physical_mapping(unsigned long start,
+ }
+
+ if (split_text_mapping && (mapping_size == PUD_SIZE) &&
+- (addr <= __pa_symbol(__init_begin)) &&
++ (addr < __pa_symbol(__init_begin)) &&
+ (addr + mapping_size) >= __pa_symbol(_stext)) {
+ max_mapping_size = PMD_SIZE;
+ goto retry;
+ }
+
+ if (split_text_mapping && (mapping_size == PMD_SIZE) &&
+- (addr <= __pa_symbol(__init_begin)) &&
++ (addr < __pa_symbol(__init_begin)) &&
+ (addr + mapping_size) >= __pa_symbol(_stext)) {
+ mapping_size = PAGE_SIZE;
+ psize = mmu_virtual_psize;
+--
+2.20.1
+
--- /dev/null
+From 5a53f4b951f6a26c3ed850502a714f30a1449d8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Aug 2018 20:48:22 +1000
+Subject: powerpc/mm/radix: Fix overuse of small pages in splitting logic
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 3b5657ed5b4e27ccf593a41ff3c5aa27dae8df18 ]
+
+When we have CONFIG_STRICT_KERNEL_RWX enabled, we want to split the
+linear mapping at the text/data boundary so we can map the kernel text
+read only.
+
+But the current logic uses small pages for the entire text section,
+regardless of whether a larger page size would fit. eg. with the
+boundary at 16M we could use 2M pages, but instead we use 64K pages up
+to the 16M boundary:
+
+ Mapped 0x0000000000000000-0x0000000001000000 with 64.0 KiB pages
+ Mapped 0x0000000001000000-0x0000000040000000 with 2.00 MiB pages
+ Mapped 0x0000000040000000-0x0000000100000000 with 1.00 GiB pages
+
+This is because the test is checking if addr is < __init_begin
+and addr + mapping_size is >= _stext. But that is true for all pages
+between _stext and __init_begin.
+
+Instead what we want to check is if we are crossing the text/data
+boundary, which is at __init_begin. With that fixed we see:
+
+ Mapped 0x0000000000000000-0x0000000000e00000 with 2.00 MiB pages
+ Mapped 0x0000000000e00000-0x0000000001000000 with 64.0 KiB pages
+ Mapped 0x0000000001000000-0x0000000040000000 with 2.00 MiB pages
+ Mapped 0x0000000040000000-0x0000000100000000 with 1.00 GiB pages
+
+ie. we're correctly using 2MB pages below __init_begin, but we still
+drop down to 64K pages unnecessarily at the boundary.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/pgtable-radix.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/mm/pgtable-radix.c b/arch/powerpc/mm/pgtable-radix.c
+index 24a2eadc8c21a..b387c7b917b7e 100644
+--- a/arch/powerpc/mm/pgtable-radix.c
++++ b/arch/powerpc/mm/pgtable-radix.c
+@@ -295,14 +295,14 @@ static int __meminit create_physical_mapping(unsigned long start,
+
+ if (split_text_mapping && (mapping_size == PUD_SIZE) &&
+ (addr < __pa_symbol(__init_begin)) &&
+- (addr + mapping_size) >= __pa_symbol(_stext)) {
++ (addr + mapping_size) >= __pa_symbol(__init_begin)) {
+ max_mapping_size = PMD_SIZE;
+ goto retry;
+ }
+
+ if (split_text_mapping && (mapping_size == PMD_SIZE) &&
+ (addr < __pa_symbol(__init_begin)) &&
+- (addr + mapping_size) >= __pa_symbol(_stext)) {
++ (addr + mapping_size) >= __pa_symbol(__init_begin)) {
+ mapping_size = PAGE_SIZE;
+ psize = mmu_virtual_psize;
+ }
+--
+2.20.1
+
--- /dev/null
+From 9d5fbef7abc72c9e49de7ec5309c5f18892b6239 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Aug 2018 21:05:20 +1000
+Subject: powerpc/mm/radix: Fix small page at boundary when splitting
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 81d1b54dec95209ab5e5be2cf37182885f998753 ]
+
+When we have CONFIG_STRICT_KERNEL_RWX enabled, we want to split the
+linear mapping at the text/data boundary so we can map the kernel
+text read only.
+
+Currently we always use a small page at the text/data boundary, even
+when that's not necessary:
+
+ Mapped 0x0000000000000000-0x0000000000e00000 with 2.00 MiB pages
+ Mapped 0x0000000000e00000-0x0000000001000000 with 64.0 KiB pages
+ Mapped 0x0000000001000000-0x0000000040000000 with 2.00 MiB pages
+
+This is because the check that the mapping crosses the __init_begin
+boundary is too strict, it also returns true when we map exactly up to
+the boundary.
+
+So fix it to check that the mapping would actually map past
+__init_begin, and with that we see:
+
+ Mapped 0x0000000000000000-0x0000000040000000 with 2.00 MiB pages
+ Mapped 0x0000000040000000-0x0000000100000000 with 1.00 GiB pages
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/pgtable-radix.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/mm/pgtable-radix.c b/arch/powerpc/mm/pgtable-radix.c
+index b387c7b917b7e..69caeb5bccb21 100644
+--- a/arch/powerpc/mm/pgtable-radix.c
++++ b/arch/powerpc/mm/pgtable-radix.c
+@@ -295,14 +295,14 @@ static int __meminit create_physical_mapping(unsigned long start,
+
+ if (split_text_mapping && (mapping_size == PUD_SIZE) &&
+ (addr < __pa_symbol(__init_begin)) &&
+- (addr + mapping_size) >= __pa_symbol(__init_begin)) {
++ (addr + mapping_size) > __pa_symbol(__init_begin)) {
+ max_mapping_size = PMD_SIZE;
+ goto retry;
+ }
+
+ if (split_text_mapping && (mapping_size == PMD_SIZE) &&
+ (addr < __pa_symbol(__init_begin)) &&
+- (addr + mapping_size) >= __pa_symbol(__init_begin)) {
++ (addr + mapping_size) > __pa_symbol(__init_begin)) {
+ mapping_size = PAGE_SIZE;
+ psize = mmu_virtual_psize;
+ }
+--
+2.20.1
+
--- /dev/null
+From a6a3603722f154f24fb35445bb583399c16eaab8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 15:10:33 -0700
+Subject: powerpc/powernv: hold device_hotplug_lock when calling
+ device_online()
+
+From: David Hildenbrand <david@redhat.com>
+
+[ Upstream commit cec1680591d6d5b10ecc10f370210089416e98af ]
+
+device_online() should be called with device_hotplug_lock() held.
+
+Link: http://lkml.kernel.org/r/20180925091457.28651-5-david@redhat.com
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Pavel Tatashin <pavel.tatashin@microsoft.com>
+Reviewed-by: Rashmica Gupta <rashmica.g@gmail.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Rashmica Gupta <rashmica.g@gmail.com>
+Cc: Balbir Singh <bsingharora@gmail.com>
+Cc: Michael Neuling <mikey@neuling.org>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: John Allen <jallen@linux.vnet.ibm.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Kate Stewart <kstewart@linuxfoundation.org>
+Cc: "K. Y. Srinivasan" <kys@microsoft.com>
+Cc: Len Brown <lenb@kernel.org>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Mathieu Malaterre <malat@debian.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Nathan Fontenot <nfont@linux.vnet.ibm.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Philippe Ombredanne <pombredanne@nexb.com>
+Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: YASUAKI ISHIMATSU <yasu.isimatu@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/powernv/memtrace.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/platforms/powernv/memtrace.c b/arch/powerpc/platforms/powernv/memtrace.c
+index 232bf5987f91d..dd3cc4632b9ae 100644
+--- a/arch/powerpc/platforms/powernv/memtrace.c
++++ b/arch/powerpc/platforms/powernv/memtrace.c
+@@ -244,9 +244,11 @@ static int memtrace_online(void)
+ * we need to online the memory ourselves.
+ */
+ if (!memhp_auto_online) {
++ lock_device_hotplug();
+ walk_memory_range(PFN_DOWN(ent->start),
+ PFN_UP(ent->start + ent->size - 1),
+ NULL, online_mem_block);
++ unlock_device_hotplug();
+ }
+
+ /*
+--
+2.20.1
+
--- /dev/null
+From 9a1c1d735ab74b56d7bc502cb2f64905162d16b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Oct 2018 10:57:22 -0300
+Subject: powerpc/process: Fix flush_all_to_thread for SPE
+
+From: Felipe Rechia <felipe.rechia@datacom.com.br>
+
+[ Upstream commit e901378578c62202594cba0f6c076f3df365ec91 ]
+
+Fix a bug introduced by the creation of flush_all_to_thread() for
+processors that have SPE (Signal Processing Engine) and use it to
+compute floating-point operations.
+
+>From userspace perspective, the problem was seen in attempts of
+computing floating-point operations which should generate exceptions.
+For example:
+
+ fork();
+ float x = 0.0 / 0.0;
+ isnan(x); // forked process returns False (should be True)
+
+The operation above also should always cause the SPEFSCR FINV bit to
+be set. However, the SPE floating-point exceptions were turned off
+after a fork().
+
+Kernel versions prior to the bug used flush_spe_to_thread(), which
+first saves SPEFSCR register values in tsk->thread and then calls
+giveup_spe(tsk).
+
+After commit 579e633e764e, the save_all() function was called first
+to giveup_spe(), and then the SPEFSCR register values were saved in
+tsk->thread. This would save the SPEFSCR register values after
+disabling SPE for that thread, causing the bug described above.
+
+Fixes 579e633e764e ("powerpc: create flush_all_to_thread()")
+Signed-off-by: Felipe Rechia <felipe.rechia@datacom.com.br>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/process.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
+index 909c9407e392a..02b69a68139cc 100644
+--- a/arch/powerpc/kernel/process.c
++++ b/arch/powerpc/kernel/process.c
+@@ -575,12 +575,11 @@ void flush_all_to_thread(struct task_struct *tsk)
+ if (tsk->thread.regs) {
+ preempt_disable();
+ BUG_ON(tsk != current);
+- save_all(tsk);
+-
+ #ifdef CONFIG_SPE
+ if (tsk->thread.regs->msr & MSR_SPE)
+ tsk->thread.spefscr = mfspr(SPRN_SPEFSCR);
+ #endif
++ save_all(tsk);
+
+ preempt_enable();
+ }
+--
+2.20.1
+
--- /dev/null
+From 47ca9489914f41b05844313d0a6821a1a4b78347 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 17:20:05 +0530
+Subject: powerpc/pseries: Export raw per-CPU VPA data via debugfs
+
+From: Aravinda Prasad <aravinda@linux.vnet.ibm.com>
+
+[ Upstream commit c6c26fb55e8e4b3fc376be5611685990a17de27a ]
+
+This patch exports the raw per-CPU VPA data via debugfs.
+A per-CPU file is created which exports the VPA data of
+that CPU to help debug some of the VPA related issues or
+to analyze the per-CPU VPA related statistics.
+
+v3: Removed offline CPU check.
+
+v2: Included offline CPU check and other review comments.
+
+Signed-off-by: Aravinda Prasad <aravinda@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/lpar.c | 54 +++++++++++++++++++++++++++
+ 1 file changed, 54 insertions(+)
+
+diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c
+index ea602f7f97ce1..49e3a88b6a0c1 100644
+--- a/arch/powerpc/platforms/pseries/lpar.c
++++ b/arch/powerpc/platforms/pseries/lpar.c
+@@ -48,6 +48,7 @@
+ #include <asm/kexec.h>
+ #include <asm/fadump.h>
+ #include <asm/asm-prototypes.h>
++#include <asm/debugfs.h>
+
+ #include "pseries.h"
+
+@@ -1032,3 +1033,56 @@ static int __init reserve_vrma_context_id(void)
+ return 0;
+ }
+ machine_device_initcall(pseries, reserve_vrma_context_id);
++
++#ifdef CONFIG_DEBUG_FS
++/* debugfs file interface for vpa data */
++static ssize_t vpa_file_read(struct file *filp, char __user *buf, size_t len,
++ loff_t *pos)
++{
++ int cpu = (long)filp->private_data;
++ struct lppaca *lppaca = &lppaca_of(cpu);
++
++ return simple_read_from_buffer(buf, len, pos, lppaca,
++ sizeof(struct lppaca));
++}
++
++static const struct file_operations vpa_fops = {
++ .open = simple_open,
++ .read = vpa_file_read,
++ .llseek = default_llseek,
++};
++
++static int __init vpa_debugfs_init(void)
++{
++ char name[16];
++ long i;
++ static struct dentry *vpa_dir;
++
++ if (!firmware_has_feature(FW_FEATURE_SPLPAR))
++ return 0;
++
++ vpa_dir = debugfs_create_dir("vpa", powerpc_debugfs_root);
++ if (!vpa_dir) {
++ pr_warn("%s: can't create vpa root dir\n", __func__);
++ return -ENOMEM;
++ }
++
++ /* set up the per-cpu vpa file*/
++ for_each_possible_cpu(i) {
++ struct dentry *d;
++
++ sprintf(name, "cpu-%ld", i);
++
++ d = debugfs_create_file(name, 0400, vpa_dir, (void *)i,
++ &vpa_fops);
++ if (!d) {
++ pr_warn("%s: can't create per-cpu vpa file\n",
++ __func__);
++ return -ENOMEM;
++ }
++ }
++
++ return 0;
++}
++machine_arch_initcall(pseries, vpa_debugfs_init);
++#endif /* CONFIG_DEBUG_FS */
+--
+2.20.1
+
--- /dev/null
+From 121d65ca8d1f2deeea31168e6675da2940c40da8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 11:39:34 +1030
+Subject: powerpc/xmon: Relax frame size for clang
+
+From: Joel Stanley <joel@jms.id.au>
+
+[ Upstream commit 9c87156cce5a63735d1218f0096a65c50a7a32aa ]
+
+When building with clang (8 trunk, 7.0 release) the frame size limit is
+hit:
+
+ arch/powerpc/xmon/xmon.c:452:12: warning: stack frame size of 2576
+ bytes in function 'xmon_core' [-Wframe-larger-than=]
+
+Some investigation by Naveen indicates this is due to clang saving the
+addresses to printf format strings on the stack.
+
+While this issue is investigated, bump up the frame size limit for xmon
+when building with clang.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/252
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/xmon/Makefile | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/powerpc/xmon/Makefile b/arch/powerpc/xmon/Makefile
+index 9d7d8e6d705c4..9ba44e190e5e4 100644
+--- a/arch/powerpc/xmon/Makefile
++++ b/arch/powerpc/xmon/Makefile
+@@ -13,6 +13,12 @@ UBSAN_SANITIZE := n
+ ORIG_CFLAGS := $(KBUILD_CFLAGS)
+ KBUILD_CFLAGS = $(subst $(CC_FLAGS_FTRACE),,$(ORIG_CFLAGS))
+
++ifdef CONFIG_CC_IS_CLANG
++# clang stores addresses on the stack causing the frame size to blow
++# out. See https://github.com/ClangBuiltLinux/linux/issues/252
++KBUILD_CFLAGS += -Wframe-larger-than=4096
++endif
++
+ ccflags-$(CONFIG_PPC64) := $(NO_MINIMAL_TOC)
+
+ obj-y += xmon.o nonstdio.o spr_access.o
+--
+2.20.1
+
--- /dev/null
+From ae514acf8a7dc18ae4e9d38c4179048463293b3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Oct 2018 20:33:08 +0900
+Subject: printk: fix integer overflow in setup_log_buf()
+
+From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+
+[ Upstream commit d2130e82e9454304e9b91ba9da551b5989af8c27 ]
+
+The way we calculate logbuf free space percentage overflows signed
+integer:
+
+ int free;
+
+ free = __LOG_BUF_LEN - log_next_idx;
+ pr_info("early log buf free: %u(%u%%)\n",
+ free, (free * 100) / __LOG_BUF_LEN);
+
+We support LOG_BUF_LEN of up to 1<<25 bytes. Since setup_log_buf() is
+called during early init, logbuf is mostly empty, so
+
+ __LOG_BUF_LEN - log_next_idx
+
+is close to 1<<25. Thus when we multiply it by 100, we overflow signed
+integer value range: 100 is 2^6 + 2^5 + 2^2.
+
+Example, booting with LOG_BUF_LEN 1<<25 and log_buf_len=2G
+boot param:
+
+[ 0.075317] log_buf_len: -2147483648 bytes
+[ 0.075319] early log buf free: 33549896(-28%)
+
+Make "free" unsigned integer and use appropriate printk() specifier.
+
+Link: http://lkml.kernel.org/r/20181010113308.9337-1-sergey.senozhatsky@gmail.com
+To: Steven Rostedt <rostedt@goodmis.org>
+Cc: linux-kernel@vger.kernel.org
+Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/printk/printk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
+index 59ceaed1aeed7..845efadaf7ecf 100644
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -1105,7 +1105,7 @@ void __init setup_log_buf(int early)
+ {
+ unsigned long flags;
+ char *new_log_buf;
+- int free;
++ unsigned int free;
+
+ if (log_buf != __log_buf)
+ return;
+--
+2.20.1
+
--- /dev/null
+From 00988218f8cb25a6f0b5d063d1409c4bc517c2ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Oct 2018 11:38:35 +0900
+Subject: printk: lock/unlock console only for new logbuf entries
+
+From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+
+[ Upstream commit 3ac37a93fa9217e576bebfd4ba3e80edaaeb2289 ]
+
+Prior to commit 5c2992ee7fd8a29 ("printk: remove console flushing special
+cases for partial buffered lines") we would do console_cont_flush()
+for each pr_cont() to print cont fragments, so console_unlock() would
+actually print data:
+
+ pr_cont();
+ console_lock();
+ console_unlock()
+ console_cont_flush(); // print cont fragment
+ ...
+ pr_cont();
+ console_lock();
+ console_unlock()
+ console_cont_flush(); // print cont fragment
+
+We don't do console_cont_flush() anymore, so when we do pr_cont()
+console_unlock() does nothing (unless we flushed the cont buffer):
+
+ pr_cont();
+ console_lock();
+ console_unlock(); // noop
+ ...
+ pr_cont();
+ console_lock();
+ console_unlock(); // noop
+ ...
+ pr_cont();
+ cont_flush();
+ console_lock();
+ console_unlock(); // print data
+
+We also wakeup klogd purposelessly for pr_cont() output - un-flushed
+cont buffer is not stored in log_buf; there is nothing to pull.
+
+Thus we can console_lock()/console_unlock()/wake_up_klogd() only when
+we know that we log_store()-ed a message and there is something to
+print to the consoles/syslog.
+
+Link: http://lkml.kernel.org/r/20181002023836.4487-3-sergey.senozhatsky@gmail.com
+To: Steven Rostedt <rostedt@goodmis.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dmitriy Vyukov <dvyukov@google.com>
+Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: LKML <linux-kernel@vger.kernel.org>
+Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/printk/printk.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
+index c7b3d5489937d..59ceaed1aeed7 100644
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -1901,8 +1901,9 @@ asmlinkage int vprintk_emit(int facility, int level,
+ const char *fmt, va_list args)
+ {
+ int printed_len;
+- bool in_sched = false;
++ bool in_sched = false, pending_output;
+ unsigned long flags;
++ u64 curr_log_seq;
+
+ if (level == LOGLEVEL_SCHED) {
+ level = LOGLEVEL_DEFAULT;
+@@ -1914,11 +1915,13 @@ asmlinkage int vprintk_emit(int facility, int level,
+
+ /* This stops the holder of console_sem just where we want him */
+ logbuf_lock_irqsave(flags);
++ curr_log_seq = log_next_seq;
+ printed_len = vprintk_store(facility, level, dict, dictlen, fmt, args);
++ pending_output = (curr_log_seq != log_next_seq);
+ logbuf_unlock_irqrestore(flags);
+
+ /* If called from the scheduler, we can not call up(). */
+- if (!in_sched) {
++ if (!in_sched && pending_output) {
+ /*
+ * Disable preemption to avoid being preempted while holding
+ * console_sem which would prevent anyone from printing to
+@@ -1935,7 +1938,8 @@ asmlinkage int vprintk_emit(int facility, int level,
+ preempt_enable();
+ }
+
+- wake_up_klogd();
++ if (pending_output)
++ wake_up_klogd();
+ return printed_len;
+ }
+ EXPORT_SYMBOL(vprintk_emit);
+--
+2.20.1
+
--- /dev/null
+From 49b75c0754be466bd8ff622654d2568cd10f1c73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Sep 2018 20:53:46 -0400
+Subject: pty: fix compat ioctls
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 50f45326afab723df529eca54095e2feac24da2d ]
+
+pointer-taking ones need compat_ptr(); int-taking one doesn't.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/pty.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
+index 678406e0948b2..00099a8439d21 100644
+--- a/drivers/tty/pty.c
++++ b/drivers/tty/pty.c
+@@ -28,6 +28,7 @@
+ #include <linux/mount.h>
+ #include <linux/file.h>
+ #include <linux/ioctl.h>
++#include <linux/compat.h>
+
+ #undef TTY_DEBUG_HANGUP
+ #ifdef TTY_DEBUG_HANGUP
+@@ -488,6 +489,7 @@ static int pty_bsd_ioctl(struct tty_struct *tty,
+ return -ENOIOCTLCMD;
+ }
+
++#ifdef CONFIG_COMPAT
+ static long pty_bsd_compat_ioctl(struct tty_struct *tty,
+ unsigned int cmd, unsigned long arg)
+ {
+@@ -495,8 +497,11 @@ static long pty_bsd_compat_ioctl(struct tty_struct *tty,
+ * PTY ioctls don't require any special translation between 32-bit and
+ * 64-bit userspace, they are already compatible.
+ */
+- return pty_bsd_ioctl(tty, cmd, arg);
++ return pty_bsd_ioctl(tty, cmd, (unsigned long)compat_ptr(arg));
+ }
++#else
++#define pty_bsd_compat_ioctl NULL
++#endif
+
+ static int legacy_count = CONFIG_LEGACY_PTY_COUNT;
+ /*
+@@ -676,6 +681,7 @@ static int pty_unix98_ioctl(struct tty_struct *tty,
+ return -ENOIOCTLCMD;
+ }
+
++#ifdef CONFIG_COMPAT
+ static long pty_unix98_compat_ioctl(struct tty_struct *tty,
+ unsigned int cmd, unsigned long arg)
+ {
+@@ -683,8 +689,12 @@ static long pty_unix98_compat_ioctl(struct tty_struct *tty,
+ * PTY ioctls don't require any special translation between 32-bit and
+ * 64-bit userspace, they are already compatible.
+ */
+- return pty_unix98_ioctl(tty, cmd, arg);
++ return pty_unix98_ioctl(tty, cmd,
++ cmd == TIOCSIG ? arg : (unsigned long)compat_ptr(arg));
+ }
++#else
++#define pty_unix98_compat_ioctl NULL
++#endif
+
+ /**
+ * ptm_unix98_lookup - find a pty master
+--
+2.20.1
+
--- /dev/null
+From 3e21d9e86c58e67ba3892e11b980b404acb00158 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Oct 2018 17:12:02 +0200
+Subject: pwm: lpss: Only set update bit if we are actually changing the
+ settings
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 2153bbc12f77fb2203276befc0f0dddbfb023bb1 ]
+
+According to the datasheet the update bit must be set if the on-time-div
+or the base-unit changes.
+
+Now that we properly order device resume on Cherry Trail so that the GFX0
+_PS0 method no longer exits with an error, we end up with a sequence of
+events where we are writing the same values twice in a row.
+
+First the _PS0 method restores the duty cycle of 0% the GPU driver set
+on suspend and then the GPU driver first updates just the enabled bit in
+the pwm_state from 0 to 1, causing us to write the same values again,
+before restoring the pre-suspend duty-cycle in a separate pwm_apply call.
+
+When writing the update bit the second time, without changing any of
+the values the update bit clears immediately / instantly, instead of
+staying 1 for a while as usual. After this the next setting of the update
+bit seems to be ignored, causing the restoring of the pre-suspend
+duty-cycle to not get applied. This makes the backlight come up with
+a 0% dutycycle after suspend/resume.
+
+Any further brightness changes after this do work.
+
+This commit moves the setting of the update bit into pwm_lpss_prepare()
+and only sets the bit if we have actually changed any of the values.
+
+This avoids the setting of the update bit the second time we configure
+the PWM to 0% dutycycle, this fixes the backlight coming up with 0%
+duty-cycle after a suspend/resume.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-lpss.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pwm/pwm-lpss.c b/drivers/pwm/pwm-lpss.c
+index 4721a264bac25..1e69c1c9ec096 100644
+--- a/drivers/pwm/pwm-lpss.c
++++ b/drivers/pwm/pwm-lpss.c
+@@ -97,7 +97,7 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm,
+ unsigned long long on_time_div;
+ unsigned long c = lpwm->info->clk_rate, base_unit_range;
+ unsigned long long base_unit, freq = NSEC_PER_SEC;
+- u32 ctrl;
++ u32 orig_ctrl, ctrl;
+
+ do_div(freq, period_ns);
+
+@@ -114,13 +114,17 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm,
+ do_div(on_time_div, period_ns);
+ on_time_div = 255ULL - on_time_div;
+
+- ctrl = pwm_lpss_read(pwm);
++ orig_ctrl = ctrl = pwm_lpss_read(pwm);
+ ctrl &= ~PWM_ON_TIME_DIV_MASK;
+ ctrl &= ~(base_unit_range << PWM_BASE_UNIT_SHIFT);
+ base_unit &= base_unit_range;
+ ctrl |= (u32) base_unit << PWM_BASE_UNIT_SHIFT;
+ ctrl |= on_time_div;
+- pwm_lpss_write(pwm, ctrl);
++
++ if (orig_ctrl != ctrl) {
++ pwm_lpss_write(pwm, ctrl);
++ pwm_lpss_write(pwm, ctrl | PWM_SW_UPDATE);
++ }
+ }
+
+ static inline void pwm_lpss_cond_enable(struct pwm_device *pwm, bool cond)
+@@ -144,7 +148,6 @@ static int pwm_lpss_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+ return ret;
+ }
+ pwm_lpss_prepare(lpwm, pwm, state->duty_cycle, state->period);
+- pwm_lpss_write(pwm, pwm_lpss_read(pwm) | PWM_SW_UPDATE);
+ pwm_lpss_cond_enable(pwm, lpwm->info->bypass == false);
+ ret = pwm_lpss_wait_for_update(pwm);
+ if (ret) {
+@@ -157,7 +160,6 @@ static int pwm_lpss_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+ if (ret)
+ return ret;
+ pwm_lpss_prepare(lpwm, pwm, state->duty_cycle, state->period);
+- pwm_lpss_write(pwm, pwm_lpss_read(pwm) | PWM_SW_UPDATE);
+ return pwm_lpss_wait_for_update(pwm);
+ }
+ } else if (pwm_is_enabled(pwm)) {
+--
+2.20.1
+
--- /dev/null
+From 4c192a9b0a060267f6875ad59dc5ba8cb6701206 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 03:59:18 -0700
+Subject: qed: Align local and global PTT to propagate through the APIs.
+
+From: Rahul Verma <Rahul.Verma@cavium.com>
+
+[ Upstream commit 706d08913d1f68610c32b4a001026aa989878dd9 ]
+
+ Align the use of local PTT to propagate through the qed_mcp* API's.
+ Global ptt should not be used.
+
+ Register access should be done through layers. Register address is
+ mapped into a PTT, PF translation table. Several interface functions
+ require a PTT to direct read/write into register. There is a pool of
+ PTT maintained, and several PTT are used simultaneously to access
+ device registers in different flows. Same PTT should not be used in
+ flows that can run concurrently.
+ To avoid running out of PTT resources, too many PTT should not be
+ acquired without releasing them. Every PF has a global PTT, which is
+ used throughout the life of PF, in most important flows for register
+ access. Generic functions acquire the PTT locally and release after
+ the use. This patch aligns the use of Global PTT and Local PTT
+ accordingly.
+
+Signed-off-by: Rahul Verma <rahul.verma@cavium.com>
+Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed.h | 2 +-
+ drivers/net/ethernet/qlogic/qed/qed_main.c | 22 ++++++++++++++----
+ drivers/net/ethernet/qlogic/qed/qed_mcp.c | 27 ++++++++++------------
+ drivers/net/ethernet/qlogic/qed/qed_mcp.h | 5 ++--
+ drivers/net/ethernet/qlogic/qed/qed_vf.c | 2 +-
+ 5 files changed, 35 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed.h b/drivers/net/ethernet/qlogic/qed/qed.h
+index a60e1c8d470a0..32e786a3952b1 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed.h
++++ b/drivers/net/ethernet/qlogic/qed/qed.h
+@@ -914,7 +914,7 @@ u16 qed_get_cm_pq_idx_llt_mtc(struct qed_hwfn *p_hwfn, u8 tc);
+ /* Prototypes */
+ int qed_fill_dev_info(struct qed_dev *cdev,
+ struct qed_dev_info *dev_info);
+-void qed_link_update(struct qed_hwfn *hwfn);
++void qed_link_update(struct qed_hwfn *hwfn, struct qed_ptt *ptt);
+ u32 qed_unzip_data(struct qed_hwfn *p_hwfn,
+ u32 input_len, u8 *input_buf,
+ u32 max_size, u8 *unzip_buf);
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c
+index 637687b766ff0..049a83b40e469 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_main.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c
+@@ -1462,6 +1462,7 @@ static int qed_get_link_data(struct qed_hwfn *hwfn,
+ }
+
+ static void qed_fill_link(struct qed_hwfn *hwfn,
++ struct qed_ptt *ptt,
+ struct qed_link_output *if_link)
+ {
+ struct qed_mcp_link_params params;
+@@ -1542,7 +1543,7 @@ static void qed_fill_link(struct qed_hwfn *hwfn,
+
+ /* TODO - fill duplex properly */
+ if_link->duplex = DUPLEX_FULL;
+- qed_mcp_get_media_type(hwfn->cdev, &media_type);
++ qed_mcp_get_media_type(hwfn, ptt, &media_type);
+ if_link->port = qed_get_port_type(media_type);
+
+ if_link->autoneg = params.speed.autoneg;
+@@ -1598,21 +1599,34 @@ static void qed_fill_link(struct qed_hwfn *hwfn,
+ static void qed_get_current_link(struct qed_dev *cdev,
+ struct qed_link_output *if_link)
+ {
++ struct qed_hwfn *hwfn;
++ struct qed_ptt *ptt;
+ int i;
+
+- qed_fill_link(&cdev->hwfns[0], if_link);
++ hwfn = &cdev->hwfns[0];
++ if (IS_PF(cdev)) {
++ ptt = qed_ptt_acquire(hwfn);
++ if (ptt) {
++ qed_fill_link(hwfn, ptt, if_link);
++ qed_ptt_release(hwfn, ptt);
++ } else {
++ DP_NOTICE(hwfn, "Failed to fill link; No PTT\n");
++ }
++ } else {
++ qed_fill_link(hwfn, NULL, if_link);
++ }
+
+ for_each_hwfn(cdev, i)
+ qed_inform_vf_link_state(&cdev->hwfns[i]);
+ }
+
+-void qed_link_update(struct qed_hwfn *hwfn)
++void qed_link_update(struct qed_hwfn *hwfn, struct qed_ptt *ptt)
+ {
+ void *cookie = hwfn->cdev->ops_cookie;
+ struct qed_common_cb_ops *op = hwfn->cdev->protocol_ops.common;
+ struct qed_link_output if_link;
+
+- qed_fill_link(hwfn, &if_link);
++ qed_fill_link(hwfn, ptt, &if_link);
+ qed_inform_vf_link_state(hwfn);
+
+ if (IS_LEAD_HWFN(hwfn) && cookie)
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.c b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
+index 58c7eb9d8e1b8..938ace333af10 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
+@@ -1382,7 +1382,7 @@ static void qed_mcp_handle_link_change(struct qed_hwfn *p_hwfn,
+ if (p_hwfn->mcp_info->capabilities & FW_MB_PARAM_FEATURE_SUPPORT_EEE)
+ qed_mcp_read_eee_config(p_hwfn, p_ptt, p_link);
+
+- qed_link_update(p_hwfn);
++ qed_link_update(p_hwfn, p_ptt);
+ out:
+ spin_unlock_bh(&p_hwfn->mcp_info->link_lock);
+ }
+@@ -1849,12 +1849,10 @@ int qed_mcp_get_mbi_ver(struct qed_hwfn *p_hwfn,
+ return 0;
+ }
+
+-int qed_mcp_get_media_type(struct qed_dev *cdev, u32 *p_media_type)
++int qed_mcp_get_media_type(struct qed_hwfn *p_hwfn,
++ struct qed_ptt *p_ptt, u32 *p_media_type)
+ {
+- struct qed_hwfn *p_hwfn = &cdev->hwfns[0];
+- struct qed_ptt *p_ptt;
+-
+- if (IS_VF(cdev))
++ if (IS_VF(p_hwfn->cdev))
+ return -EINVAL;
+
+ if (!qed_mcp_is_init(p_hwfn)) {
+@@ -1862,16 +1860,15 @@ int qed_mcp_get_media_type(struct qed_dev *cdev, u32 *p_media_type)
+ return -EBUSY;
+ }
+
+- *p_media_type = MEDIA_UNSPECIFIED;
+-
+- p_ptt = qed_ptt_acquire(p_hwfn);
+- if (!p_ptt)
+- return -EBUSY;
+-
+- *p_media_type = qed_rd(p_hwfn, p_ptt, p_hwfn->mcp_info->port_addr +
+- offsetof(struct public_port, media_type));
++ if (!p_ptt) {
++ *p_media_type = MEDIA_UNSPECIFIED;
++ return -EINVAL;
++ }
+
+- qed_ptt_release(p_hwfn, p_ptt);
++ *p_media_type = qed_rd(p_hwfn, p_ptt,
++ p_hwfn->mcp_info->port_addr +
++ offsetof(struct public_port,
++ media_type));
+
+ return 0;
+ }
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.h b/drivers/net/ethernet/qlogic/qed/qed_mcp.h
+index 85e6b3989e7a9..80a6b5d1ff338 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.h
+@@ -322,14 +322,15 @@ int qed_mcp_get_mbi_ver(struct qed_hwfn *p_hwfn,
+ * @brief Get media type value of the port.
+ *
+ * @param cdev - qed dev pointer
++ * @param p_ptt
+ * @param mfw_ver - media type value
+ *
+ * @return int -
+ * 0 - Operation was successul.
+ * -EBUSY - Operation failed
+ */
+-int qed_mcp_get_media_type(struct qed_dev *cdev,
+- u32 *media_type);
++int qed_mcp_get_media_type(struct qed_hwfn *p_hwfn,
++ struct qed_ptt *p_ptt, u32 *media_type);
+
+ /**
+ * @brief General function for sending commands to the MCP
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+index 6ab3fb008139d..5dda547772c13 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+@@ -1698,7 +1698,7 @@ static void qed_handle_bulletin_change(struct qed_hwfn *hwfn)
+ ops->ports_update(cookie, vxlan_port, geneve_port);
+
+ /* Always update link configuration according to bulletin */
+- qed_link_update(hwfn);
++ qed_link_update(hwfn, NULL);
+ }
+
+ void qed_iov_vf_task(struct work_struct *work)
+--
+2.20.1
+
--- /dev/null
+From c7a54b9615fc02af36d3d386475c119106671298 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Oct 2018 23:11:11 +0300
+Subject: qlcnic: fix a return in qlcnic_dcb_get_capability()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit c94f026fb742b2d3199422751dbc4f6fc0e753d8 ]
+
+These functions are supposed to return one on failure and zero on
+success. Returning a zero here could cause uninitialized variable
+bugs in several of the callers. For example:
+
+ drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:1660 get_iscsi_dcb_priority()
+ error: uninitialized symbol 'caps'.
+
+Fixes: 48365e485275 ("qlcnic: dcb: Add support for CEE Netlink interface.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c
+index 4b76c69fe86d2..834208e55f7b8 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c
+@@ -883,7 +883,7 @@ static u8 qlcnic_dcb_get_capability(struct net_device *netdev, int capid,
+ struct qlcnic_adapter *adapter = netdev_priv(netdev);
+
+ if (!test_bit(QLCNIC_DCB_STATE, &adapter->dcb->state))
+- return 0;
++ return 1;
+
+ switch (capid) {
+ case DCB_CAP_ATTR_PG:
+--
+2.20.1
+
--- /dev/null
+From 85f12988b725d7ea21051f71e203f00861df256a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Oct 2018 03:27:55 -0700
+Subject: RDMA/bnxt_re: Avoid NULL check after accessing the pointer
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit eae4ad1b0c9a77ef0cbac212d58d46976eaacfc1 ]
+
+This is reported by smatch check. rcfw->creq_bar_reg_iomem is accessed in
+bnxt_qplib_rcfw_stop_irq and this variable check afterwards doesn't make
+sense. Also, rcfw->creq_bar_reg_iomem will never be NULL. So Removing
+this check.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 6e04b1035689 ("RDMA/bnxt_re: Fix broken RoCE driver due to recent L2 driver changes")
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+index 6637df77d2365..8b3b5fdc19bbb 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -614,13 +614,8 @@ void bnxt_qplib_disable_rcfw_channel(struct bnxt_qplib_rcfw *rcfw)
+
+ bnxt_qplib_rcfw_stop_irq(rcfw, true);
+
+- if (rcfw->cmdq_bar_reg_iomem)
+- iounmap(rcfw->cmdq_bar_reg_iomem);
+- rcfw->cmdq_bar_reg_iomem = NULL;
+-
+- if (rcfw->creq_bar_reg_iomem)
+- iounmap(rcfw->creq_bar_reg_iomem);
+- rcfw->creq_bar_reg_iomem = NULL;
++ iounmap(rcfw->cmdq_bar_reg_iomem);
++ iounmap(rcfw->creq_bar_reg_iomem);
+
+ indx = find_first_bit(rcfw->cmdq_bitmap, rcfw->bmap_size);
+ if (indx != rcfw->bmap_size)
+@@ -629,6 +624,8 @@ void bnxt_qplib_disable_rcfw_channel(struct bnxt_qplib_rcfw *rcfw)
+ kfree(rcfw->cmdq_bitmap);
+ rcfw->bmap_size = 0;
+
++ rcfw->cmdq_bar_reg_iomem = NULL;
++ rcfw->creq_bar_reg_iomem = NULL;
+ rcfw->aeq_handler = NULL;
+ rcfw->vector = 0;
+ }
+@@ -714,6 +711,8 @@ int bnxt_qplib_enable_rcfw_channel(struct pci_dev *pdev,
+ dev_err(&rcfw->pdev->dev,
+ "QPLIB: CREQ BAR region %d mapping failed",
+ rcfw->creq_bar_reg);
++ iounmap(rcfw->cmdq_bar_reg_iomem);
++ rcfw->cmdq_bar_reg_iomem = NULL;
+ return -ENOMEM;
+ }
+ rcfw->creq_qp_event_processed = 0;
+--
+2.20.1
+
--- /dev/null
+From 7beef960f63d9bf3ab3a2aad4f95890cc0365459 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Oct 2018 03:28:04 -0700
+Subject: RDMA/bnxt_re: Avoid resource leak in case the NQ registration fails
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit 5df950994934814a8b91f0cf9f653842d2ba082d ]
+
+In case the NQ alloc/enable fails, free up the already allocated/enabled
+NQ before reporting failure. Also, track the alloc/enable using proper
+state checking.
+
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/bnxt_re.h | 2 ++
+ drivers/infiniband/hw/bnxt_re/main.c | 31 ++++++++++++++++++-------
+ 2 files changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/bnxt_re.h b/drivers/infiniband/hw/bnxt_re/bnxt_re.h
+index 96f76896488da..802942adea8e8 100644
+--- a/drivers/infiniband/hw/bnxt_re/bnxt_re.h
++++ b/drivers/infiniband/hw/bnxt_re/bnxt_re.h
+@@ -120,6 +120,8 @@ struct bnxt_re_dev {
+ #define BNXT_RE_FLAG_HAVE_L2_REF 3
+ #define BNXT_RE_FLAG_RCFW_CHANNEL_EN 4
+ #define BNXT_RE_FLAG_QOS_WORK_REG 5
++#define BNXT_RE_FLAG_RESOURCES_ALLOCATED 7
++#define BNXT_RE_FLAG_RESOURCES_INITIALIZED 8
+ #define BNXT_RE_FLAG_ISSUE_ROCE_STATS 29
+ struct net_device *netdev;
+ unsigned int version, major, minor;
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index 7ffad368c5fa1..589b0d4677d52 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -864,10 +864,8 @@ static void bnxt_re_cleanup_res(struct bnxt_re_dev *rdev)
+ {
+ int i;
+
+- if (rdev->nq[0].hwq.max_elements) {
+- for (i = 1; i < rdev->num_msix; i++)
+- bnxt_qplib_disable_nq(&rdev->nq[i - 1]);
+- }
++ for (i = 1; i < rdev->num_msix; i++)
++ bnxt_qplib_disable_nq(&rdev->nq[i - 1]);
+
+ if (rdev->qplib_res.rcfw)
+ bnxt_qplib_cleanup_res(&rdev->qplib_res);
+@@ -876,6 +874,7 @@ static void bnxt_re_cleanup_res(struct bnxt_re_dev *rdev)
+ static int bnxt_re_init_res(struct bnxt_re_dev *rdev)
+ {
+ int rc = 0, i;
++ int num_vec_enabled = 0;
+
+ bnxt_qplib_init_res(&rdev->qplib_res);
+
+@@ -891,9 +890,13 @@ static int bnxt_re_init_res(struct bnxt_re_dev *rdev)
+ "Failed to enable NQ with rc = 0x%x", rc);
+ goto fail;
+ }
++ num_vec_enabled++;
+ }
+ return 0;
+ fail:
++ for (i = num_vec_enabled; i >= 0; i--)
++ bnxt_qplib_disable_nq(&rdev->nq[i]);
++
+ return rc;
+ }
+
+@@ -925,6 +928,7 @@ static void bnxt_re_free_res(struct bnxt_re_dev *rdev)
+ static int bnxt_re_alloc_res(struct bnxt_re_dev *rdev)
+ {
+ int rc = 0, i;
++ int num_vec_created = 0;
+
+ /* Configure and allocate resources for qplib */
+ rdev->qplib_res.rcfw = &rdev->rcfw;
+@@ -951,7 +955,7 @@ static int bnxt_re_alloc_res(struct bnxt_re_dev *rdev)
+ if (rc) {
+ dev_err(rdev_to_dev(rdev), "Alloc Failed NQ%d rc:%#x",
+ i, rc);
+- goto dealloc_dpi;
++ goto free_nq;
+ }
+ rc = bnxt_re_net_ring_alloc
+ (rdev, rdev->nq[i].hwq.pbl[PBL_LVL_0].pg_map_arr,
+@@ -964,14 +968,17 @@ static int bnxt_re_alloc_res(struct bnxt_re_dev *rdev)
+ dev_err(rdev_to_dev(rdev),
+ "Failed to allocate NQ fw id with rc = 0x%x",
+ rc);
++ bnxt_qplib_free_nq(&rdev->nq[i]);
+ goto free_nq;
+ }
++ num_vec_created++;
+ }
+ return 0;
+ free_nq:
+- for (i = 0; i < rdev->num_msix - 1; i++)
++ for (i = num_vec_created; i >= 0; i--) {
++ bnxt_re_net_ring_free(rdev, rdev->nq[i].ring_id);
+ bnxt_qplib_free_nq(&rdev->nq[i]);
+-dealloc_dpi:
++ }
+ bnxt_qplib_dealloc_dpi(&rdev->qplib_res,
+ &rdev->qplib_res.dpi_tbl,
+ &rdev->dpi_privileged);
+@@ -1206,8 +1213,11 @@ static void bnxt_re_ib_unreg(struct bnxt_re_dev *rdev)
+ if (test_and_clear_bit(BNXT_RE_FLAG_QOS_WORK_REG, &rdev->flags))
+ cancel_delayed_work(&rdev->worker);
+
+- bnxt_re_cleanup_res(rdev);
+- bnxt_re_free_res(rdev);
++ if (test_and_clear_bit(BNXT_RE_FLAG_RESOURCES_INITIALIZED,
++ &rdev->flags))
++ bnxt_re_cleanup_res(rdev);
++ if (test_and_clear_bit(BNXT_RE_FLAG_RESOURCES_ALLOCATED, &rdev->flags))
++ bnxt_re_free_res(rdev);
+
+ if (test_and_clear_bit(BNXT_RE_FLAG_RCFW_CHANNEL_EN, &rdev->flags)) {
+ rc = bnxt_qplib_deinit_rcfw(&rdev->rcfw);
+@@ -1337,12 +1347,15 @@ static int bnxt_re_ib_reg(struct bnxt_re_dev *rdev)
+ pr_err("Failed to allocate resources: %#x\n", rc);
+ goto fail;
+ }
++ set_bit(BNXT_RE_FLAG_RESOURCES_ALLOCATED, &rdev->flags);
+ rc = bnxt_re_init_res(rdev);
+ if (rc) {
+ pr_err("Failed to initialize resources: %#x\n", rc);
+ goto fail;
+ }
+
++ set_bit(BNXT_RE_FLAG_RESOURCES_INITIALIZED, &rdev->flags);
++
+ if (!rdev->is_virtfn) {
+ rc = bnxt_re_setup_qos(rdev);
+ if (rc)
+--
+2.20.1
+
--- /dev/null
+From 6a16f1c2af54020fdeae7dde31d15f5cae89548a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Oct 2018 03:28:01 -0700
+Subject: RDMA/bnxt_re: Fix qp async event reporting
+
+From: Devesh Sharma <devesh.sharma@broadcom.com>
+
+[ Upstream commit 4c01f2e3a906a0d2d798be5751c331cf501bc129 ]
+
+Reports affiliated async event on the qp-async event channel instead of
+global event channel.
+
+Signed-off-by: Devesh Sharma <devesh.sharma@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index 22bd9784fa2ea..7ffad368c5fa1 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -989,12 +989,17 @@ static void bnxt_re_dispatch_event(struct ib_device *ibdev, struct ib_qp *qp,
+ struct ib_event ib_event;
+
+ ib_event.device = ibdev;
+- if (qp)
++ if (qp) {
+ ib_event.element.qp = qp;
+- else
++ ib_event.event = event;
++ if (qp->event_handler)
++ qp->event_handler(&ib_event, qp->qp_context);
++
++ } else {
+ ib_event.element.port_num = port_num;
+- ib_event.event = event;
+- ib_dispatch_event(&ib_event);
++ ib_event.event = event;
++ ib_dispatch_event(&ib_event);
++ }
+ }
+
+ #define HWRM_QUEUE_PRI2COS_QCFG_INPUT_FLAGS_IVLAN 0x02
+--
+2.20.1
+
--- /dev/null
+From 3b564e0edf13f14f9d1e7b50c7c1155d1d2b561b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Oct 2018 16:52:31 +0800
+Subject: RISC-V: Avoid corrupting the upper 32-bit of phys_addr_t in ioremap
+
+From: Vincent Chen <vincentc@andestech.com>
+
+[ Upstream commit 827a438156e4c423b6875a092e272933952a2910 ]
+
+For 32bit, the upper 32-bit of phys_addr_t will be flushed to zero
+after AND with PAGE_MASK because the data type of PAGE_MASK is
+unsigned long. To fix this problem, the page alignment is done by
+subtracting the page offset instead of AND with PAGE_MASK.
+
+Signed-off-by: Vincent Chen <vincentc@andestech.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/mm/ioremap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/mm/ioremap.c b/arch/riscv/mm/ioremap.c
+index 70ef2724cdf61..bd2f2db557cc5 100644
+--- a/arch/riscv/mm/ioremap.c
++++ b/arch/riscv/mm/ioremap.c
+@@ -42,7 +42,7 @@ static void __iomem *__ioremap_caller(phys_addr_t addr, size_t size,
+
+ /* Page-align mappings */
+ offset = addr & (~PAGE_MASK);
+- addr &= PAGE_MASK;
++ addr -= offset;
+ size = PAGE_ALIGN(size + offset);
+
+ area = get_vm_area_caller(size, VM_IOREMAP, caller);
+--
+2.20.1
+
--- /dev/null
+From db82eff83aed52b27588e82f044648166c4c1606 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Oct 2018 13:43:45 -0700
+Subject: rtc: s35390a: Change buf's type to u8 in s35390a_init
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit ef0f02fd69a02b50e468a4ddbe33e3d81671e248 ]
+
+Clang warns:
+
+drivers/rtc/rtc-s35390a.c:124:27: warning: implicit conversion from
+'int' to 'char' changes value from 192 to -64 [-Wconstant-conversion]
+ buf = S35390A_FLAG_RESET | S35390A_FLAG_24H;
+ ~ ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~
+1 warning generated.
+
+Update buf to be an unsigned 8-bit integer, which matches the buf member
+in struct i2c_msg.
+
+https://github.com/ClangBuiltLinux/linux/issues/145
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-s35390a.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-s35390a.c b/drivers/rtc/rtc-s35390a.c
+index 77feb603cd4c0..3c64dbb08109a 100644
+--- a/drivers/rtc/rtc-s35390a.c
++++ b/drivers/rtc/rtc-s35390a.c
+@@ -108,7 +108,7 @@ static int s35390a_get_reg(struct s35390a *s35390a, int reg, char *buf, int len)
+
+ static int s35390a_init(struct s35390a *s35390a)
+ {
+- char buf;
++ u8 buf;
+ int ret;
+ unsigned initcount = 0;
+
+--
+2.20.1
+
--- /dev/null
+From d4f86e2a3212793ceed5e76f3ae5cbdacaf53ab0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Oct 2018 13:51:03 +0200
+Subject: rtl8xxxu: Fix missing break in switch
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+[ Upstream commit 307b00c5e695857ca92fc6a4b8ab6c48f988a1b1 ]
+
+Add missing break statement in order to prevent the code from falling
+through to the default case.
+
+Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index 505ab1b055ff4..2b4fcdf4ec5bb 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5691,6 +5691,7 @@ static int rtl8xxxu_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ break;
+ case WLAN_CIPHER_SUITE_TKIP:
+ key->flags |= IEEE80211_KEY_FLAG_GENERATE_MMIC;
++ break;
+ default:
+ return -EOPNOTSUPP;
+ }
+--
+2.20.1
+
--- /dev/null
+From 82a9c3eb95f7edbb7e1f9bf5ce0166bcb53c776a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Nov 2018 19:25:30 +0800
+Subject: rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information
+
+From: Shaokun Zhang <zhangshaokun@hisilicon.com>
+
+[ Upstream commit 7d129adff3afbd3a449bc3593f2064ac546d58d3 ]
+
+RT_TRACE shows REG_MCUFWDL value as a decimal value with a '0x'
+prefix, which is somewhat misleading.
+
+Fix it to print hexadecimal, as was intended.
+
+Cc: Ping-Ke Shih <pkshih@realtek.com>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c
+index 85cedd083d2b8..75bfa9dfef4aa 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c
+@@ -173,7 +173,7 @@ static int _rtl92d_fw_init(struct ieee80211_hw *hw)
+ rtl_read_byte(rtlpriv, FW_MAC1_READY));
+ }
+ RT_TRACE(rtlpriv, COMP_FW, DBG_DMESG,
+- "Polling FW ready fail!! REG_MCUFWDL:0x%08ul\n",
++ "Polling FW ready fail!! REG_MCUFWDL:0x%08x\n",
+ rtl_read_dword(rtlpriv, REG_MCUFWDL));
+ return -1;
+ }
+--
+2.20.1
+
--- /dev/null
+From ef33751b94f6c59229e3734fcf74dbc5bfb834e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Oct 2018 14:39:29 +0100
+Subject: s390/perf: Return error when debug_register fails
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit ec0c0bb489727de0d4dca6a00be6970ab8a3b30a ]
+
+Return an error when the function debug_register() fails allocating
+the debug handle.
+Also remove the registered debug handle when the initialization fails
+later on.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_sf.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
+index 44404836e9d11..df92c2af99b69 100644
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -2045,14 +2045,17 @@ static int __init init_cpum_sampling_pmu(void)
+ }
+
+ sfdbg = debug_register(KMSG_COMPONENT, 2, 1, 80);
+- if (!sfdbg)
++ if (!sfdbg) {
+ pr_err("Registering for s390dbf failed\n");
++ return -ENOMEM;
++ }
+ debug_register_view(sfdbg, &debug_sprintf_view);
+
+ err = register_external_irq(EXT_IRQ_MEASURE_ALERT,
+ cpumf_measurement_alert);
+ if (err) {
+ pr_cpumsf_err(RS_INIT_FAILURE_ALRT);
++ debug_unregister(sfdbg);
+ goto out;
+ }
+
+@@ -2061,6 +2064,7 @@ static int __init init_cpum_sampling_pmu(void)
+ pr_cpumsf_err(RS_INIT_FAILURE_PERF);
+ unregister_external_irq(EXT_IRQ_MEASURE_ALERT,
+ cpumf_measurement_alert);
++ debug_unregister(sfdbg);
+ goto out;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 6b66fc2cf64a176a82783dd811aff5c7160aef0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Sep 2018 16:12:07 +0100
+Subject: sched/fair: Don't increase sd->balance_interval on newidle balance
+
+From: Valentin Schneider <valentin.schneider@arm.com>
+
+[ Upstream commit 3f130a37c442d5c4d66531b240ebe9abfef426b5 ]
+
+When load_balance() fails to move some load because of task affinity,
+we end up increasing sd->balance_interval to delay the next periodic
+balance in the hopes that next time we look, that annoying pinned
+task(s) will be gone.
+
+However, idle_balance() pays no attention to sd->balance_interval, yet
+it will still lead to an increase in balance_interval in case of
+pinned tasks.
+
+If we're going through several newidle balances (e.g. we have a
+periodic task), this can lead to a huge increase of the
+balance_interval in a very small amount of time.
+
+To prevent that, don't increase the balance interval when going
+through a newidle balance.
+
+This is a similar approach to what is done in commit 58b26c4c0257
+("sched: Increment cache_nice_tries only on periodic lb"), where we
+disregard newidle balance and rely on periodic balance for more stable
+results.
+
+Signed-off-by: Valentin Schneider <valentin.schneider@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Dietmar.Eggemann@arm.com
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: patrick.bellasi@arm.com
+Cc: vincent.guittot@linaro.org
+Link: http://lkml.kernel.org/r/1537974727-30788-2-git-send-email-valentin.schneider@arm.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index e5e8f67218728..f77fcd37b226f 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -8819,13 +8819,22 @@ static int load_balance(int this_cpu, struct rq *this_rq,
+ sd->nr_balance_failed = 0;
+
+ out_one_pinned:
++ ld_moved = 0;
++
++ /*
++ * idle_balance() disregards balance intervals, so we could repeatedly
++ * reach this code, which would lead to balance_interval skyrocketting
++ * in a short amount of time. Skip the balance_interval increase logic
++ * to avoid that.
++ */
++ if (env.idle == CPU_NEWLY_IDLE)
++ goto out;
++
+ /* tune up the balancing interval */
+ if (((env.flags & LBF_ALL_PINNED) &&
+ sd->balance_interval < MAX_PINNED_INTERVAL) ||
+ (sd->balance_interval < sd->max_interval))
+ sd->balance_interval *= 2;
+-
+- ld_moved = 0;
+ out:
+ return ld_moved;
+ }
+--
+2.20.1
+
--- /dev/null
+From 60ee5850b7c80c29f65bc3449285e92f8cf76cb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Nov 2018 14:22:25 +0100
+Subject: sched/topology: Fix off by one bug
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 993f0b0510dad98b4e6e39506834dab0d13fd539 ]
+
+With the addition of the NUMA identity level, we increased @level by
+one and will run off the end of the array in the distance sort loop.
+
+Fixed: 051f3ca02e46 ("sched/topology: Introduce NUMA identity node sched domain")
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c
+index c0a7514649715..74b694392f2fd 100644
+--- a/kernel/sched/topology.c
++++ b/kernel/sched/topology.c
+@@ -1329,7 +1329,7 @@ void sched_init_numa(void)
+ int level = 0;
+ int i, j, k;
+
+- sched_domains_numa_distance = kzalloc(sizeof(int) * nr_node_ids, GFP_KERNEL);
++ sched_domains_numa_distance = kzalloc(sizeof(int) * (nr_node_ids + 1), GFP_KERNEL);
+ if (!sched_domains_numa_distance)
+ return;
+
+--
+2.20.1
+
--- /dev/null
+From d73ada59ed8c699a24c261e17c7d9b89763cba47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Sep 2018 16:56:52 -0700
+Subject: scsi: bfa: Avoid implicit enum conversion in
+ bfad_im_post_vendor_event
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 761c830ec7b3d0674b3ad89cefd77a692634e305 ]
+
+Clang warns when one enumerated type is implicitly converted to another.
+
+drivers/scsi/bfa/bfa_fcs_lport.c:379:26: warning: implicit conversion
+from enumeration type 'enum bfa_lport_aen_event' to different
+enumeration type 'enum bfa_ioc_aen_event' [-Wenum-conversion]
+ BFA_AEN_CAT_LPORT, event);
+ ^~~~~
+
+The root cause of these warnings is the bfad_im_post_vendor_event
+function, which expects a value from enum bfa_ioc_aen_event but there
+are multiple instances of values from enums bfa_port_aen_event,
+bfa_audit_aen_event, and bfa_lport_aen_event being used in this
+function.
+
+Given that this doesn't appear to be a problem since cat helps with
+differentiating the events, just change evt's type to int so that no
+conversion needs to happen and Clang won't warn. Update aen_type's type
+in bfa_aen_entry_s as members that hold enumerated types should be int.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/147
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/bfa/bfa_defs_svc.h | 2 +-
+ drivers/scsi/bfa/bfad_im.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/bfa/bfa_defs_svc.h b/drivers/scsi/bfa/bfa_defs_svc.h
+index 3d0c96a5c8735..c19c26e0e405e 100644
+--- a/drivers/scsi/bfa/bfa_defs_svc.h
++++ b/drivers/scsi/bfa/bfa_defs_svc.h
+@@ -1453,7 +1453,7 @@ union bfa_aen_data_u {
+ struct bfa_aen_entry_s {
+ struct list_head qe;
+ enum bfa_aen_category aen_category;
+- u32 aen_type;
++ int aen_type;
+ union bfa_aen_data_u aen_data;
+ u64 aen_tv_sec;
+ u64 aen_tv_usec;
+diff --git a/drivers/scsi/bfa/bfad_im.h b/drivers/scsi/bfa/bfad_im.h
+index e61ed8dad0b4f..bd4ac187fd8e7 100644
+--- a/drivers/scsi/bfa/bfad_im.h
++++ b/drivers/scsi/bfa/bfad_im.h
+@@ -143,7 +143,7 @@ struct bfad_im_s {
+ static inline void bfad_im_post_vendor_event(struct bfa_aen_entry_s *entry,
+ struct bfad_s *drv, int cnt,
+ enum bfa_aen_category cat,
+- enum bfa_ioc_aen_event evt)
++ int evt)
+ {
+ struct timespec64 ts;
+
+--
+2.20.1
+
--- /dev/null
+From 22484b097b50c9c6a21e2c0a3a6d1f3a98508a98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Oct 2018 16:17:15 +0200
+Subject: scsi: dc395x: fix DMA API usage in sg_update_list
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 6c404a68bf83b4135a8a9aa1c388ebdf98e8ba7f ]
+
+We need to transfer device ownership to the CPU before we can manipulate
+the mapped data.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/dc395x.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c
+index 08161df64ead5..3943347ec3c7c 100644
+--- a/drivers/scsi/dc395x.c
++++ b/drivers/scsi/dc395x.c
+@@ -1969,6 +1969,11 @@ static void sg_update_list(struct ScsiReqBlk *srb, u32 left)
+ xferred -= psge->length;
+ } else {
+ /* Partial SG entry done */
++ pci_dma_sync_single_for_cpu(srb->dcb->
++ acb->dev,
++ srb->sg_bus_addr,
++ SEGMENTX_LEN,
++ PCI_DMA_TODEVICE);
+ psge->length -= xferred;
+ psge->address += xferred;
+ srb->sg_index = idx;
+--
+2.20.1
+
--- /dev/null
+From 2aec38f560d2a0961696d8f5cf6fe3070e1acfc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Oct 2018 16:17:14 +0200
+Subject: scsi: dc395x: fix dma API usage in srb_done
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 3a5bd7021184dec2946f2a4d7a8943f8a5713e52 ]
+
+We can't just transfer ownership to the CPU and then unmap, as this will
+break with swiotlb.
+
+Instead unmap the command and sense buffer a little earlier in the I/O
+completion handler and get rid of the pci_dma_sync_sg_for_cpu call
+entirely.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/dc395x.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c
+index 1ed2cd82129d2..08161df64ead5 100644
+--- a/drivers/scsi/dc395x.c
++++ b/drivers/scsi/dc395x.c
+@@ -3447,14 +3447,12 @@ static void srb_done(struct AdapterCtlBlk *acb, struct DeviceCtlBlk *dcb,
+ }
+ }
+
+- if (dir != PCI_DMA_NONE && scsi_sg_count(cmd))
+- pci_dma_sync_sg_for_cpu(acb->dev, scsi_sglist(cmd),
+- scsi_sg_count(cmd), dir);
+-
+ ckc_only = 0;
+ /* Check Error Conditions */
+ ckc_e:
+
++ pci_unmap_srb(acb, srb);
++
+ if (cmd->cmnd[0] == INQUIRY) {
+ unsigned char *base = NULL;
+ struct ScsiInqData *ptr;
+@@ -3507,7 +3505,6 @@ static void srb_done(struct AdapterCtlBlk *acb, struct DeviceCtlBlk *dcb,
+ cmd, cmd->result);
+ srb_free_insert(acb, srb);
+ }
+- pci_unmap_srb(acb, srb);
+
+ cmd->scsi_done(cmd);
+ waiting_process_next(acb);
+--
+2.20.1
+
--- /dev/null
+From fa88653cc527e9d6522042b700811c61035cbfce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Sep 2018 23:06:28 +0800
+Subject: scsi: hisi_sas: Feed back linkrate(max/min) when re-attached
+
+From: Luo Jiaxing <luojiaxing@huawei.com>
+
+[ Upstream commit 5a54691f874ab29ec82f08bc6936866a3ccdaa91 ]
+
+At directly attached situation, if the user modifies the sysfs interface
+of maximum_linkrate and minimum_linkrate to renegotiate the linkrate
+between SAS controller and target, the value of both files mentioned
+above should have change to user setting after renegotiate is over, but
+it remains unchanged.
+
+To fix this bug, maximum_linkrate and minimum_linkrate will be directly
+fed back to relevant sas_phy structure.
+
+Signed-off-by: Luo Jiaxing <luojiaxing@huawei.com>
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hisi_sas/hisi_sas_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
+index fd9d82c9033de..e9747379384b2 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
+@@ -906,6 +906,9 @@ static void hisi_sas_phy_set_linkrate(struct hisi_hba *hisi_hba, int phy_no,
+ _r.maximum_linkrate = max;
+ _r.minimum_linkrate = min;
+
++ sas_phy->phy->maximum_linkrate = max;
++ sas_phy->phy->minimum_linkrate = min;
++
+ hisi_hba->hw->phy_disable(hisi_hba, phy_no);
+ msleep(100);
+ hisi_hba->hw->phy_set_linkrate(hisi_hba, phy_no, &_r);
+--
+2.20.1
+
--- /dev/null
+From dc190faed314b738a3e491206138e9135e7172ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Oct 2018 18:59:39 +0200
+Subject: scsi: hisi_sas: Fix NULL pointer dereference
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+[ Upstream commit f4445bb93d82a984657b469e63118c2794a4c3d3 ]
+
+There is a NULL pointer dereference in case *slot* happens to be NULL at
+lines 1053 and 1878:
+
+struct hisi_sas_cq *cq =
+ &hisi_hba->cq[slot->dlvry_queue];
+
+Notice that *slot* is being NULL checked at lines 1057 and 1881:
+if (slot), which implies it may be NULL.
+
+Fix this by placing the declaration and definition of variable cq, which
+contains the pointer dereference slot->dlvry_queue, after slot has been
+properly NULL checked.
+
+Addresses-Coverity-ID: 1474515 ("Dereference before null check")
+Addresses-Coverity-ID: 1474520 ("Dereference before null check")
+Fixes: 584f53fe5f52 ("scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Reviewed-by: Xiang Chen <chenxiang66@hisilicon.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hisi_sas/hisi_sas_main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
+index d4a2625a44232..f478d1f50dfc0 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
+@@ -1025,11 +1025,11 @@ static int hisi_sas_exec_internal_tmf_task(struct domain_device *device,
+ if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
+ if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
+ struct hisi_sas_slot *slot = task->lldd_task;
+- struct hisi_sas_cq *cq =
+- &hisi_hba->cq[slot->dlvry_queue];
+
+ dev_err(dev, "abort tmf: TMF task timeout and not done\n");
+ if (slot) {
++ struct hisi_sas_cq *cq =
++ &hisi_hba->cq[slot->dlvry_queue];
+ /*
+ * flush tasklet to avoid free'ing task
+ * before using task in IO completion
+@@ -1856,10 +1856,10 @@ hisi_sas_internal_task_abort(struct hisi_hba *hisi_hba,
+ if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
+ if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
+ struct hisi_sas_slot *slot = task->lldd_task;
+- struct hisi_sas_cq *cq =
+- &hisi_hba->cq[slot->dlvry_queue];
+
+ if (slot) {
++ struct hisi_sas_cq *cq =
++ &hisi_hba->cq[slot->dlvry_queue];
+ /*
+ * flush tasklet to avoid free'ing task
+ * before using task in IO completion
+--
+2.20.1
+
--- /dev/null
+From 4ed2eb125e78374b862cd23d34cb56022cc44500 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Sep 2018 23:06:30 +0800
+Subject: scsi: hisi_sas: Fix the race between IO completion and timeout for
+ SMP/internal IO
+
+From: Xiang Chen <chenxiang66@hisilicon.com>
+
+[ Upstream commit 584f53fe5f529d877968c711a095923c1ed12307 ]
+
+If SMP/internal IO times out, we will possibly free the task immediately.
+
+However if the IO actually completes at the same time, the IO completion
+may refer to task which has been freed.
+
+So to solve the issue, flush the tasklet to finish IO completion before
+free'ing slot/task.
+
+Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hisi_sas/hisi_sas_main.c | 55 ++++++++++++++++++++++-----
+ 1 file changed, 46 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
+index e9747379384b2..d4a2625a44232 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
+@@ -955,8 +955,7 @@ static int hisi_sas_control_phy(struct asd_sas_phy *sas_phy, enum phy_func func,
+
+ static void hisi_sas_task_done(struct sas_task *task)
+ {
+- if (!del_timer(&task->slow_task->timer))
+- return;
++ del_timer(&task->slow_task->timer);
+ complete(&task->slow_task->completion);
+ }
+
+@@ -965,13 +964,17 @@ static void hisi_sas_tmf_timedout(struct timer_list *t)
+ struct sas_task_slow *slow = from_timer(slow, t, timer);
+ struct sas_task *task = slow->task;
+ unsigned long flags;
++ bool is_completed = true;
+
+ spin_lock_irqsave(&task->task_state_lock, flags);
+- if (!(task->task_state_flags & SAS_TASK_STATE_DONE))
++ if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
+ task->task_state_flags |= SAS_TASK_STATE_ABORTED;
++ is_completed = false;
++ }
+ spin_unlock_irqrestore(&task->task_state_lock, flags);
+
+- complete(&task->slow_task->completion);
++ if (!is_completed)
++ complete(&task->slow_task->completion);
+ }
+
+ #define TASK_TIMEOUT 20
+@@ -1022,10 +1025,18 @@ static int hisi_sas_exec_internal_tmf_task(struct domain_device *device,
+ if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
+ if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
+ struct hisi_sas_slot *slot = task->lldd_task;
++ struct hisi_sas_cq *cq =
++ &hisi_hba->cq[slot->dlvry_queue];
+
+ dev_err(dev, "abort tmf: TMF task timeout and not done\n");
+- if (slot)
++ if (slot) {
++ /*
++ * flush tasklet to avoid free'ing task
++ * before using task in IO completion
++ */
++ tasklet_kill(&cq->tasklet);
+ slot->task = NULL;
++ }
+
+ goto ex_err;
+ } else
+@@ -1401,6 +1412,17 @@ static int hisi_sas_abort_task(struct sas_task *task)
+
+ spin_lock_irqsave(&task->task_state_lock, flags);
+ if (task->task_state_flags & SAS_TASK_STATE_DONE) {
++ struct hisi_sas_slot *slot = task->lldd_task;
++ struct hisi_sas_cq *cq;
++
++ if (slot) {
++ /*
++ * flush tasklet to avoid free'ing task
++ * before using task in IO completion
++ */
++ cq = &hisi_hba->cq[slot->dlvry_queue];
++ tasklet_kill(&cq->tasklet);
++ }
+ spin_unlock_irqrestore(&task->task_state_lock, flags);
+ rc = TMF_RESP_FUNC_COMPLETE;
+ goto out;
+@@ -1456,12 +1478,19 @@ static int hisi_sas_abort_task(struct sas_task *task)
+ /* SMP */
+ struct hisi_sas_slot *slot = task->lldd_task;
+ u32 tag = slot->idx;
++ struct hisi_sas_cq *cq = &hisi_hba->cq[slot->dlvry_queue];
+
+ rc = hisi_sas_internal_task_abort(hisi_hba, device,
+ HISI_SAS_INT_ABT_CMD, tag);
+ if (((rc < 0) || (rc == TMF_RESP_FUNC_FAILED)) &&
+- task->lldd_task)
+- hisi_sas_do_release_task(hisi_hba, task, slot);
++ task->lldd_task) {
++ /*
++ * flush tasklet to avoid free'ing task
++ * before using task in IO completion
++ */
++ tasklet_kill(&cq->tasklet);
++ slot->task = NULL;
++ }
+ }
+
+ out:
+@@ -1827,9 +1856,17 @@ hisi_sas_internal_task_abort(struct hisi_hba *hisi_hba,
+ if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
+ if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
+ struct hisi_sas_slot *slot = task->lldd_task;
+-
+- if (slot)
++ struct hisi_sas_cq *cq =
++ &hisi_hba->cq[slot->dlvry_queue];
++
++ if (slot) {
++ /*
++ * flush tasklet to avoid free'ing task
++ * before using task in IO completion
++ */
++ tasklet_kill(&cq->tasklet);
+ slot->task = NULL;
++ }
+ dev_err(dev, "internal task abort: timeout and not done.\n");
+ res = -EIO;
+ goto exit;
+--
+2.20.1
+
--- /dev/null
+From 820ec8569f38d152339386f6cbfa0e73e8935850 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Sep 2018 23:06:31 +0800
+Subject: scsi: hisi_sas: Free slot later in slot_complete_vx_hw()
+
+From: Xiang Chen <chenxiang66@hisilicon.com>
+
+[ Upstream commit 3e178f3ecfcf91a258e832b0f0843a4cfd9059ac ]
+
+If an SSP/SMP IO times out, it may be actually in reality be
+simultaneously processing completion of the slot in
+slot_complete_vx_hw().
+
+Then if the slot is freed in slot_complete_vx_hw() (this IPTT is freed
+and it may be re-used by other slot), and we may abort the wrong slot in
+hisi_sas_abort_task().
+
+So to solve the issue, free the slot after the check of
+SAS_TASK_STATE_ABORTED in slot_complete_vx_hw().
+
+Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 2 +-
+ drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
+index 1c4ea58da1ae1..c4774d63d5d04 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
+@@ -2481,7 +2481,6 @@ slot_complete_v2_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
+ }
+
+ out:
+- hisi_sas_slot_task_free(hisi_hba, task, slot);
+ sts = ts->stat;
+ spin_lock_irqsave(&task->task_state_lock, flags);
+ if (task->task_state_flags & SAS_TASK_STATE_ABORTED) {
+@@ -2491,6 +2490,7 @@ slot_complete_v2_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
+ }
+ task->task_state_flags |= SAS_TASK_STATE_DONE;
+ spin_unlock_irqrestore(&task->task_state_lock, flags);
++ hisi_sas_slot_task_free(hisi_hba, task, slot);
+
+ if (!is_internal && (task->task_proto != SAS_PROTOCOL_SMP)) {
+ spin_lock_irqsave(&device->done_lock, flags);
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+index 3922b17e2ea39..fb2a5969181b5 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+@@ -1749,7 +1749,6 @@ slot_complete_v3_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
+ }
+
+ out:
+- hisi_sas_slot_task_free(hisi_hba, task, slot);
+ sts = ts->stat;
+ spin_lock_irqsave(&task->task_state_lock, flags);
+ if (task->task_state_flags & SAS_TASK_STATE_ABORTED) {
+@@ -1759,6 +1758,7 @@ slot_complete_v3_hw(struct hisi_hba *hisi_hba, struct hisi_sas_slot *slot)
+ }
+ task->task_state_flags |= SAS_TASK_STATE_DONE;
+ spin_unlock_irqrestore(&task->task_state_lock, flags);
++ hisi_sas_slot_task_free(hisi_hba, task, slot);
+
+ if (!is_internal && (task->task_proto != SAS_PROTOCOL_SMP)) {
+ spin_lock_irqsave(&device->done_lock, flags);
+--
+2.20.1
+
--- /dev/null
+From ea4b086b7750318290e0936c62f1a5f3f2d9b0cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 11:12:23 +0200
+Subject: scsi: ips: fix missing break in switch
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+[ Upstream commit 5d25ff7a544889bc4b749fda31778d6a18dddbcb ]
+
+Add missing break statement in order to prevent the code from falling
+through to case TEST_UNIT_READY.
+
+Addresses-Coverity-ID: 1357338 ("Missing break in switch")
+Suggested-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ips.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/ips.c b/drivers/scsi/ips.c
+index bd6ac6b5980a1..fe587ef1741d4 100644
+--- a/drivers/scsi/ips.c
++++ b/drivers/scsi/ips.c
+@@ -3485,6 +3485,7 @@ ips_send_cmd(ips_ha_t * ha, ips_scb_t * scb)
+
+ case START_STOP:
+ scb->scsi_cmd->result = DID_OK << 16;
++ break;
+
+ case TEST_UNIT_READY:
+ case INQUIRY:
+--
+2.20.1
+
--- /dev/null
+From 9f7098458c786fb9ceef9d8d03a733536ddbb932 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Sep 2018 17:12:00 -0700
+Subject: scsi: isci: Change sci_controller_start_task's return type to
+ sci_status
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 362b5da3dfceada6e74ecdd7af3991bbe42c0c0f ]
+
+Clang warns when an enumerated type is implicitly converted to another.
+
+drivers/scsi/isci/request.c:3476:13: warning: implicit conversion from
+enumeration type 'enum sci_task_status' to different enumeration type
+'enum sci_status' [-Wenum-conversion]
+ status = sci_controller_start_task(ihost,
+ ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/scsi/isci/host.c:2744:10: warning: implicit conversion from
+enumeration type 'enum sci_status' to different enumeration type 'enum
+sci_task_status' [-Wenum-conversion]
+ return SCI_SUCCESS;
+ ~~~~~~ ^~~~~~~~~~~
+drivers/scsi/isci/host.c:2753:9: warning: implicit conversion from
+enumeration type 'enum sci_status' to different enumeration type 'enum
+sci_task_status' [-Wenum-conversion]
+ return status;
+ ~~~~~~ ^~~~~~
+
+Avoid all of these implicit conversion by just making
+sci_controller_start_task use sci_status. This silences
+Clang and has no functional change since sci_task_status
+has all of its values mapped to something in sci_status.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/153
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/isci/host.c | 8 ++++----
+ drivers/scsi/isci/host.h | 2 +-
+ drivers/scsi/isci/task.c | 4 ++--
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/scsi/isci/host.c b/drivers/scsi/isci/host.c
+index 1ee3868ade079..7b5deae68d33b 100644
+--- a/drivers/scsi/isci/host.c
++++ b/drivers/scsi/isci/host.c
+@@ -2717,9 +2717,9 @@ enum sci_status sci_controller_continue_io(struct isci_request *ireq)
+ * the task management request.
+ * @task_request: the handle to the task request object to start.
+ */
+-enum sci_task_status sci_controller_start_task(struct isci_host *ihost,
+- struct isci_remote_device *idev,
+- struct isci_request *ireq)
++enum sci_status sci_controller_start_task(struct isci_host *ihost,
++ struct isci_remote_device *idev,
++ struct isci_request *ireq)
+ {
+ enum sci_status status;
+
+@@ -2728,7 +2728,7 @@ enum sci_task_status sci_controller_start_task(struct isci_host *ihost,
+ "%s: SCIC Controller starting task from invalid "
+ "state\n",
+ __func__);
+- return SCI_TASK_FAILURE_INVALID_STATE;
++ return SCI_FAILURE_INVALID_STATE;
+ }
+
+ status = sci_remote_device_start_task(ihost, idev, ireq);
+diff --git a/drivers/scsi/isci/host.h b/drivers/scsi/isci/host.h
+index b3539928073c6..6bc3f022630a2 100644
+--- a/drivers/scsi/isci/host.h
++++ b/drivers/scsi/isci/host.h
+@@ -489,7 +489,7 @@ enum sci_status sci_controller_start_io(
+ struct isci_remote_device *idev,
+ struct isci_request *ireq);
+
+-enum sci_task_status sci_controller_start_task(
++enum sci_status sci_controller_start_task(
+ struct isci_host *ihost,
+ struct isci_remote_device *idev,
+ struct isci_request *ireq);
+diff --git a/drivers/scsi/isci/task.c b/drivers/scsi/isci/task.c
+index 6dcaed0c1fc8c..fb6eba331ac6e 100644
+--- a/drivers/scsi/isci/task.c
++++ b/drivers/scsi/isci/task.c
+@@ -258,7 +258,7 @@ static int isci_task_execute_tmf(struct isci_host *ihost,
+ struct isci_tmf *tmf, unsigned long timeout_ms)
+ {
+ DECLARE_COMPLETION_ONSTACK(completion);
+- enum sci_task_status status = SCI_TASK_FAILURE;
++ enum sci_status status = SCI_FAILURE;
+ struct isci_request *ireq;
+ int ret = TMF_RESP_FUNC_FAILED;
+ unsigned long flags;
+@@ -301,7 +301,7 @@ static int isci_task_execute_tmf(struct isci_host *ihost,
+ /* start the TMF io. */
+ status = sci_controller_start_task(ihost, idev, ireq);
+
+- if (status != SCI_TASK_SUCCESS) {
++ if (status != SCI_SUCCESS) {
+ dev_dbg(&ihost->pdev->dev,
+ "%s: start_io failed - status = 0x%x, request = %p\n",
+ __func__,
+--
+2.20.1
+
--- /dev/null
+From 742b9bb978de01dbc08f6c1a2a4448b9decbd868 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Sep 2018 17:11:50 -0700
+Subject: scsi: isci: Use proper enumerated type in atapi_d2h_reg_frame_handler
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit e9e9a103528c7e199ead6e5374c9c52cf16b5802 ]
+
+Clang warns when one enumerated type is implicitly converted to another.
+
+drivers/scsi/isci/request.c:1629:13: warning: implicit conversion from
+enumeration type 'enum sci_io_status' to different enumeration type
+'enum sci_status' [-Wenum-conversion]
+ status = SCI_IO_FAILURE_RESPONSE_VALID;
+ ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/scsi/isci/request.c:1631:12: warning: implicit conversion from
+enumeration type 'enum sci_io_status' to different enumeration type
+'enum sci_status' [-Wenum-conversion]
+ status = SCI_IO_FAILURE_RESPONSE_VALID;
+ ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+status is of type sci_status but SCI_IO_FAILURE_RESPONSE_VALID is of
+type sci_io_status. Use SCI_FAILURE_IO_RESPONSE_VALID, which is from
+sci_status and has SCI_IO_FAILURE_RESPONSE_VALID's exact value since
+that is what SCI_IO_FAILURE_RESPONSE_VALID is mapped to in the isci.h
+file.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/153
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/isci/request.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/isci/request.c b/drivers/scsi/isci/request.c
+index ed197bc8e801a..2f151708b59ae 100644
+--- a/drivers/scsi/isci/request.c
++++ b/drivers/scsi/isci/request.c
+@@ -1626,9 +1626,9 @@ static enum sci_status atapi_d2h_reg_frame_handler(struct isci_request *ireq,
+
+ if (status == SCI_SUCCESS) {
+ if (ireq->stp.rsp.status & ATA_ERR)
+- status = SCI_IO_FAILURE_RESPONSE_VALID;
++ status = SCI_FAILURE_IO_RESPONSE_VALID;
+ } else {
+- status = SCI_IO_FAILURE_RESPONSE_VALID;
++ status = SCI_FAILURE_IO_RESPONSE_VALID;
+ }
+
+ if (status != SCI_SUCCESS) {
+--
+2.20.1
+
--- /dev/null
+From 360d0ed781b4cb7dc2fd951cb7fe1ed18b759ff4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Oct 2018 18:06:15 -0700
+Subject: scsi: iscsi_tcp: Explicitly cast param in iscsi_sw_tcp_host_get_param
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 20054597f169090109fc3f0dfa1a48583f4178a4 ]
+
+Clang warns when one enumerated type is implicitly converted to another.
+
+drivers/scsi/iscsi_tcp.c:803:15: warning: implicit conversion from
+enumeration type 'enum iscsi_host_param' to different enumeration type
+'enum iscsi_param' [-Wenum-conversion]
+ &addr, param, buf);
+ ^~~~~
+1 warning generated.
+
+iscsi_conn_get_addr_param handles ISCSI_HOST_PARAM_IPADDRESS just fine
+so add an explicit cast to iscsi_param to make it clear to Clang that
+this is expected behavior.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/153
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/iscsi_tcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
+index b025a0b743417..23354f206533b 100644
+--- a/drivers/scsi/iscsi_tcp.c
++++ b/drivers/scsi/iscsi_tcp.c
+@@ -800,7 +800,8 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
+ return rc;
+
+ return iscsi_conn_get_addr_param((struct sockaddr_storage *)
+- &addr, param, buf);
++ &addr,
++ (enum iscsi_param)param, buf);
+ default:
+ return iscsi_host_get_param(shost, param, buf);
+ }
+--
+2.20.1
+
--- /dev/null
+From 84085f81f86b03912ba4881446186e418b475f3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Oct 2018 13:41:09 -0700
+Subject: scsi: lpfc: Correct loss of fc4 type on remote port address change
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit d83ca3ea833d7a66d49225e4191c4e37cab8f079 ]
+
+An address change for a remote port cause PRLI for the wrong protocol
+to be sent. The node copy done in the discovery code skipped copying
+the fc4 protocols supported as well.
+
+Fix the copy logic for the address change. Beefed up log messages in
+this area as well.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 27 +++++++++++++++++++++++----
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 5 +++--
+ 2 files changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index e263a486b1c6c..222fa9b7f4788 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -1556,8 +1556,10 @@ lpfc_plogi_confirm_nport(struct lpfc_hba *phba, uint32_t *prsp,
+ */
+ new_ndlp = lpfc_findnode_wwpn(vport, &sp->portName);
+
++ /* return immediately if the WWPN matches ndlp */
+ if (new_ndlp == ndlp && NLP_CHK_NODE_ACT(new_ndlp))
+ return ndlp;
++
+ if (phba->sli_rev == LPFC_SLI_REV4) {
+ active_rrqs_xri_bitmap = mempool_alloc(phba->active_rrq_pool,
+ GFP_KERNEL);
+@@ -1566,9 +1568,13 @@ lpfc_plogi_confirm_nport(struct lpfc_hba *phba, uint32_t *prsp,
+ phba->cfg_rrq_xri_bitmap_sz);
+ }
+
+- lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
+- "3178 PLOGI confirm: ndlp %p x%x: new_ndlp %p\n",
+- ndlp, ndlp->nlp_DID, new_ndlp);
++ lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS | LOG_NODE,
++ "3178 PLOGI confirm: ndlp x%x x%x x%x: "
++ "new_ndlp x%x x%x x%x\n",
++ ndlp->nlp_DID, ndlp->nlp_flag, ndlp->nlp_fc4_type,
++ (new_ndlp ? new_ndlp->nlp_DID : 0),
++ (new_ndlp ? new_ndlp->nlp_flag : 0),
++ (new_ndlp ? new_ndlp->nlp_fc4_type : 0));
+
+ if (!new_ndlp) {
+ rc = memcmp(&ndlp->nlp_portname, name,
+@@ -1617,6 +1623,14 @@ lpfc_plogi_confirm_nport(struct lpfc_hba *phba, uint32_t *prsp,
+ phba->cfg_rrq_xri_bitmap_sz);
+ }
+
++ /* At this point in this routine, we know new_ndlp will be
++ * returned. however, any previous GID_FTs that were done
++ * would have updated nlp_fc4_type in ndlp, so we must ensure
++ * new_ndlp has the right value.
++ */
++ if (vport->fc_flag & FC_FABRIC)
++ new_ndlp->nlp_fc4_type = ndlp->nlp_fc4_type;
++
+ lpfc_unreg_rpi(vport, new_ndlp);
+ new_ndlp->nlp_DID = ndlp->nlp_DID;
+ new_ndlp->nlp_prev_state = ndlp->nlp_prev_state;
+@@ -1666,7 +1680,6 @@ lpfc_plogi_confirm_nport(struct lpfc_hba *phba, uint32_t *prsp,
+ if (ndlp->nrport) {
+ ndlp->nrport = NULL;
+ lpfc_nlp_put(ndlp);
+- new_ndlp->nlp_fc4_type = ndlp->nlp_fc4_type;
+ }
+
+ /* We shall actually free the ndlp with both nlp_DID and
+@@ -1740,6 +1753,12 @@ lpfc_plogi_confirm_nport(struct lpfc_hba *phba, uint32_t *prsp,
+ active_rrqs_xri_bitmap)
+ mempool_free(active_rrqs_xri_bitmap,
+ phba->active_rrq_pool);
++
++ lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS | LOG_NODE,
++ "3173 PLOGI confirm exit: new_ndlp x%x x%x x%x\n",
++ new_ndlp->nlp_DID, new_ndlp->nlp_flag,
++ new_ndlp->nlp_fc4_type);
++
+ return new_ndlp;
+ }
+
+diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
+index c15f3265eefeb..bd8dc6a2243c0 100644
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -2868,8 +2868,9 @@ lpfc_disc_state_machine(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
+ /* DSM in event <evt> on NPort <nlp_DID> in state <cur_state> */
+ lpfc_printf_vlog(vport, KERN_INFO, LOG_DISCOVERY,
+ "0211 DSM in event x%x on NPort x%x in "
+- "state %d Data: x%x\n",
+- evt, ndlp->nlp_DID, cur_state, ndlp->nlp_flag);
++ "state %d Data: x%x x%x\n",
++ evt, ndlp->nlp_DID, cur_state,
++ ndlp->nlp_flag, ndlp->nlp_fc4_type);
+
+ lpfc_debugfs_disc_trc(vport, LPFC_DISC_TRC_DSM,
+ "DSM in: evt:%d ste:%d did:x%x",
+--
+2.20.1
+
--- /dev/null
+From eeff6c7b9b6997b4565bb508f3629f981ab096b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Oct 2018 13:41:06 -0700
+Subject: scsi: lpfc: fcoe: Fix link down issue after 1000+ link bounces
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 036cad1f1ac9ce03e2db94b8460f98eaf1e1ee4c ]
+
+On FCoE adapters, when running link bounce test in a loop, initiator
+failed to login with switch switch and required driver reload to
+recover. Switch reached a point where all subsequent FLOGIs would be
+LS_RJT'd. Further testing showed the condition to be related to not
+performing FCF discovery between FLOGI's.
+
+Fix by monitoring FLOGI failures and once a repeated error is seen
+repeat FCF discovery.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 2 ++
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 20 ++++++++++++++++++++
+ drivers/scsi/lpfc/lpfc_init.c | 2 +-
+ drivers/scsi/lpfc/lpfc_sli.c | 11 ++---------
+ drivers/scsi/lpfc/lpfc_sli4.h | 1 +
+ 5 files changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index f3c6801c0b312..8bf916b9a987d 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -1157,6 +1157,7 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
+ phba->fcf.fcf_flag &= ~FCF_DISCOVERY;
+ phba->hba_flag &= ~(FCF_RR_INPROG | HBA_DEVLOSS_TMO);
+ spin_unlock_irq(&phba->hbalock);
++ phba->fcf.fcf_redisc_attempted = 0; /* reset */
+ goto out;
+ }
+ if (!rc) {
+@@ -1171,6 +1172,7 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
+ phba->fcf.fcf_flag &= ~FCF_DISCOVERY;
+ phba->hba_flag &= ~(FCF_RR_INPROG | HBA_DEVLOSS_TMO);
+ spin_unlock_irq(&phba->hbalock);
++ phba->fcf.fcf_redisc_attempted = 0; /* reset */
+ goto out;
+ }
+ }
+diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
+index db183d1f34ab2..0d19e5f6b3bcc 100644
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -1997,6 +1997,26 @@ int lpfc_sli4_fcf_rr_next_proc(struct lpfc_vport *vport, uint16_t fcf_index)
+ "failover and change port state:x%x/x%x\n",
+ phba->pport->port_state, LPFC_VPORT_UNKNOWN);
+ phba->pport->port_state = LPFC_VPORT_UNKNOWN;
++
++ if (!phba->fcf.fcf_redisc_attempted) {
++ lpfc_unregister_fcf(phba);
++
++ rc = lpfc_sli4_redisc_fcf_table(phba);
++ if (!rc) {
++ lpfc_printf_log(phba, KERN_INFO, LOG_FIP,
++ "3195 Rediscover FCF table\n");
++ phba->fcf.fcf_redisc_attempted = 1;
++ lpfc_sli4_clear_fcf_rr_bmask(phba);
++ } else {
++ lpfc_printf_log(phba, KERN_WARNING, LOG_FIP,
++ "3196 Rediscover FCF table "
++ "failed. Status:x%x\n", rc);
++ }
++ } else {
++ lpfc_printf_log(phba, KERN_WARNING, LOG_FIP,
++ "3197 Already rediscover FCF table "
++ "attempted. No more retry\n");
++ }
+ goto stop_flogi_current_fcf;
+ } else {
+ lpfc_printf_log(phba, KERN_INFO, LOG_FIP | LOG_ELS,
+diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
+index 9acb5b44ce4c1..a7d3e532e0f58 100644
+--- a/drivers/scsi/lpfc/lpfc_init.c
++++ b/drivers/scsi/lpfc/lpfc_init.c
+@@ -5044,7 +5044,7 @@ lpfc_sli4_async_fip_evt(struct lpfc_hba *phba,
+ break;
+ }
+ /* If fast FCF failover rescan event is pending, do nothing */
+- if (phba->fcf.fcf_flag & FCF_REDISC_EVT) {
++ if (phba->fcf.fcf_flag & (FCF_REDISC_EVT | FCF_REDISC_PEND)) {
+ spin_unlock_irq(&phba->hbalock);
+ break;
+ }
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index e704297618e06..3361ae75578f2 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -18431,15 +18431,8 @@ lpfc_sli4_fcf_rr_next_index_get(struct lpfc_hba *phba)
+ goto initial_priority;
+ lpfc_printf_log(phba, KERN_WARNING, LOG_FIP,
+ "2844 No roundrobin failover FCF available\n");
+- if (next_fcf_index >= LPFC_SLI4_FCF_TBL_INDX_MAX)
+- return LPFC_FCOE_FCF_NEXT_NONE;
+- else {
+- lpfc_printf_log(phba, KERN_WARNING, LOG_FIP,
+- "3063 Only FCF available idx %d, flag %x\n",
+- next_fcf_index,
+- phba->fcf.fcf_pri[next_fcf_index].fcf_rec.flag);
+- return next_fcf_index;
+- }
++
++ return LPFC_FCOE_FCF_NEXT_NONE;
+ }
+
+ if (next_fcf_index < LPFC_SLI4_FCF_TBL_INDX_MAX &&
+diff --git a/drivers/scsi/lpfc/lpfc_sli4.h b/drivers/scsi/lpfc/lpfc_sli4.h
+index 399c0015c5465..3dcc6615a23b2 100644
+--- a/drivers/scsi/lpfc/lpfc_sli4.h
++++ b/drivers/scsi/lpfc/lpfc_sli4.h
+@@ -279,6 +279,7 @@ struct lpfc_fcf {
+ #define FCF_REDISC_EVT 0x100 /* FCF rediscovery event to worker thread */
+ #define FCF_REDISC_FOV 0x200 /* Post FCF rediscovery fast failover */
+ #define FCF_REDISC_PROG (FCF_REDISC_PEND | FCF_REDISC_EVT)
++ uint16_t fcf_redisc_attempted;
+ uint32_t addr_mode;
+ uint32_t eligible_fcf_cnt;
+ struct lpfc_fcf_rec current_rec;
+--
+2.20.1
+
--- /dev/null
+From 306dc850a44560d80d16f53d0c33ad62de622e2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Oct 2018 13:41:08 -0700
+Subject: scsi: lpfc: Fix odd recovery in duplicate FLOGIs in point-to-point
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit d496b9a7246cb9813da1fe49e14edbbbf8e232d5 ]
+
+Testing a point-to-point topology and a case of re-FLOGI without
+intervening link bouncing, showed an odd interaction with firmware and
+a resulting scenario where the driver no longer probed after accepting
+the new FLOGI.
+
+Work around the firmware issue by issuing a link bounce if a FLOGI is
+received after the link is already up and FLOGI's accepted.
+
+While debugging the issue, realized that some debug traces should be
+clarified to help in the future.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc.h | 1 +
+ drivers/scsi/lpfc/lpfc_els.c | 66 ++++++++++++++++++++++++++------
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 9 +++++
+ 3 files changed, 64 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
+index 43732e8d13473..ebcfcbb8b4ccc 100644
+--- a/drivers/scsi/lpfc/lpfc.h
++++ b/drivers/scsi/lpfc/lpfc.h
+@@ -490,6 +490,7 @@ struct lpfc_vport {
+ struct nvme_fc_local_port *localport;
+ uint8_t nvmei_support; /* driver supports NVME Initiator */
+ uint32_t last_fcp_wqidx;
++ uint32_t rcv_flogi_cnt; /* How many unsol FLOGIs ACK'd. */
+ };
+
+ struct hbq_s {
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index 8bf916b9a987d..e263a486b1c6c 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -1057,9 +1057,9 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
+ goto flogifail;
+
+ lpfc_printf_vlog(vport, KERN_WARNING, LOG_ELS,
+- "0150 FLOGI failure Status:x%x/x%x TMO:x%x\n",
++ "0150 FLOGI failure Status:x%x/x%x xri x%x TMO:x%x\n",
+ irsp->ulpStatus, irsp->un.ulpWord[4],
+- irsp->ulpTimeout);
++ cmdiocb->sli4_xritag, irsp->ulpTimeout);
+
+ /* FLOGI failed, so there is no fabric */
+ spin_lock_irq(shost->host_lock);
+@@ -1113,7 +1113,8 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
+ /* FLOGI completes successfully */
+ lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
+ "0101 FLOGI completes successfully, I/O tag:x%x, "
+- "Data: x%x x%x x%x x%x x%x x%x\n", cmdiocb->iotag,
++ "xri x%x Data: x%x x%x x%x x%x x%x %x\n",
++ cmdiocb->iotag, cmdiocb->sli4_xritag,
+ irsp->un.ulpWord[4], sp->cmn.e_d_tov,
+ sp->cmn.w2.r_a_tov, sp->cmn.edtovResolution,
+ vport->port_state, vport->fc_flag);
+@@ -4266,14 +4267,6 @@ lpfc_els_rsp_acc(struct lpfc_vport *vport, uint32_t flag,
+ default:
+ return 1;
+ }
+- /* Xmit ELS ACC response tag <ulpIoTag> */
+- lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
+- "0128 Xmit ELS ACC response tag x%x, XRI: x%x, "
+- "DID: x%x, nlp_flag: x%x nlp_state: x%x RPI: x%x "
+- "fc_flag x%x\n",
+- elsiocb->iotag, elsiocb->iocb.ulpContext,
+- ndlp->nlp_DID, ndlp->nlp_flag, ndlp->nlp_state,
+- ndlp->nlp_rpi, vport->fc_flag);
+ if (ndlp->nlp_flag & NLP_LOGO_ACC) {
+ spin_lock_irq(shost->host_lock);
+ if (!(ndlp->nlp_flag & NLP_RPI_REGISTERED ||
+@@ -4442,6 +4435,15 @@ lpfc_els_rsp_adisc_acc(struct lpfc_vport *vport, struct lpfc_iocbq *oldiocb,
+ lpfc_els_free_iocb(phba, elsiocb);
+ return 1;
+ }
++
++ /* Xmit ELS ACC response tag <ulpIoTag> */
++ lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
++ "0128 Xmit ELS ACC response Status: x%x, IoTag: x%x, "
++ "XRI: x%x, DID: x%x, nlp_flag: x%x nlp_state: x%x "
++ "RPI: x%x, fc_flag x%x\n",
++ rc, elsiocb->iotag, elsiocb->sli4_xritag,
++ ndlp->nlp_DID, ndlp->nlp_flag, ndlp->nlp_state,
++ ndlp->nlp_rpi, vport->fc_flag);
+ return 0;
+ }
+
+@@ -6452,6 +6454,11 @@ lpfc_els_rcv_flogi(struct lpfc_vport *vport, struct lpfc_iocbq *cmdiocb,
+ port_state = vport->port_state;
+ vport->fc_flag |= FC_PT2PT;
+ vport->fc_flag &= ~(FC_FABRIC | FC_PUBLIC_LOOP);
++
++ /* Acking an unsol FLOGI. Count 1 for link bounce
++ * work-around.
++ */
++ vport->rcv_flogi_cnt++;
+ spin_unlock_irq(shost->host_lock);
+ lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
+ "3311 Rcv Flogi PS x%x new PS x%x "
+@@ -7849,8 +7856,9 @@ lpfc_els_unsol_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
+ struct ls_rjt stat;
+ uint32_t *payload;
+ uint32_t cmd, did, newnode;
+- uint8_t rjt_exp, rjt_err = 0;
++ uint8_t rjt_exp, rjt_err = 0, init_link = 0;
+ IOCB_t *icmd = &elsiocb->iocb;
++ LPFC_MBOXQ_t *mbox;
+
+ if (!vport || !(elsiocb->context2))
+ goto dropit;
+@@ -7999,6 +8007,19 @@ lpfc_els_unsol_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
+ did, vport->port_state, ndlp->nlp_flag);
+
+ phba->fc_stat.elsRcvFLOGI++;
++
++ /* If the driver believes fabric discovery is done and is ready,
++ * bounce the link. There is some descrepancy.
++ */
++ if (vport->port_state >= LPFC_LOCAL_CFG_LINK &&
++ vport->fc_flag & FC_PT2PT &&
++ vport->rcv_flogi_cnt >= 1) {
++ rjt_err = LSRJT_LOGICAL_BSY;
++ rjt_exp = LSEXP_NOTHING_MORE;
++ init_link++;
++ goto lsrjt;
++ }
++
+ lpfc_els_rcv_flogi(vport, elsiocb, ndlp);
+ if (newnode)
+ lpfc_nlp_put(ndlp);
+@@ -8227,6 +8248,27 @@ lpfc_els_unsol_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
+
+ lpfc_nlp_put(elsiocb->context1);
+ elsiocb->context1 = NULL;
++
++ /* Special case. Driver received an unsolicited command that
++ * unsupportable given the driver's current state. Reset the
++ * link and start over.
++ */
++ if (init_link) {
++ mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
++ if (!mbox)
++ return;
++ lpfc_linkdown(phba);
++ lpfc_init_link(phba, mbox,
++ phba->cfg_topology,
++ phba->cfg_link_speed);
++ mbox->u.mb.un.varInitLnk.lipsr_AL_PA = 0;
++ mbox->mbox_cmpl = lpfc_sli_def_mbox_cmpl;
++ mbox->vport = vport;
++ if (lpfc_sli_issue_mbox(phba, mbox, MBX_NOWAIT) ==
++ MBX_NOT_FINISHED)
++ mempool_free(mbox, phba->mbox_mem_pool);
++ }
++
+ return;
+
+ dropit:
+diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
+index 0d19e5f6b3bcc..68f223882d96b 100644
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -952,6 +952,7 @@ lpfc_linkdown(struct lpfc_hba *phba)
+ }
+ spin_lock_irq(shost->host_lock);
+ phba->pport->fc_flag &= ~(FC_PT2PT | FC_PT2PT_PLOGI);
++ phba->pport->rcv_flogi_cnt = 0;
+ spin_unlock_irq(shost->host_lock);
+ }
+ return 0;
+@@ -1023,6 +1024,7 @@ lpfc_linkup(struct lpfc_hba *phba)
+ {
+ struct lpfc_vport **vports;
+ int i;
++ struct Scsi_Host *shost = lpfc_shost_from_vport(phba->pport);
+
+ phba->link_state = LPFC_LINK_UP;
+
+@@ -1036,6 +1038,13 @@ lpfc_linkup(struct lpfc_hba *phba)
+ lpfc_linkup_port(vports[i]);
+ lpfc_destroy_vport_work_array(phba, vports);
+
++ /* Clear the pport flogi counter in case the link down was
++ * absorbed without an ACQE. No lock here - in worker thread
++ * and discovery is synchronized.
++ */
++ spin_lock_irq(shost->host_lock);
++ phba->pport->rcv_flogi_cnt = 0;
++ spin_unlock_irq(shost->host_lock);
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 87efe7042af654fee2e782e852d71b40961745aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 23:37:44 -0700
+Subject: scsi: megaraid_sas: Fix goto labels in error handling
+
+From: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+
+[ Upstream commit 8a25fa17b6ed6e6c8101e9c68a10ae68a9025f2c ]
+
+During init, if pci_alloc_irq_vectors() fails, the driver has not yet setup
+the IRQs. Fix the goto labels and error handling for this case.
+
+Signed-off-by: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
+index 2f94ab9c23540..2f31d266339f8 100644
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -5410,7 +5410,7 @@ static int megasas_init_fw(struct megasas_instance *instance)
+ if (!instance->msix_vectors) {
+ i = pci_alloc_irq_vectors(instance->pdev, 1, 1, PCI_IRQ_LEGACY);
+ if (i < 0)
+- goto fail_setup_irqs;
++ goto fail_init_adapter;
+ }
+
+ megasas_setup_reply_map(instance);
+@@ -5619,9 +5619,8 @@ static int megasas_init_fw(struct megasas_instance *instance)
+
+ fail_get_ld_pd_list:
+ instance->instancet->disable_intr(instance);
+-fail_init_adapter:
+ megasas_destroy_irqs(instance);
+-fail_setup_irqs:
++fail_init_adapter:
+ if (instance->msix_vectors)
+ pci_free_irq_vectors(instance->pdev);
+ instance->msix_vectors = 0;
+--
+2.20.1
+
--- /dev/null
+From 0918a9cf2e0dce6e1adb1cad65fdfe84b7deb14a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 23:37:41 -0700
+Subject: scsi: megaraid_sas: Fix msleep granularity
+
+From: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+
+[ Upstream commit 9155cf30a3c4ef97e225d6daddf9bd4b173267e8 ]
+
+In megasas_transition_to_ready() driver waits 180seconds for controller to
+change FW state. Here we are calling msleep(1) in a loop for this. As
+explained in timers-howto.txt, msleep(1) will actually sleep longer than
+1ms. If a faulty controller is connected, we will end up waiting for much
+more than 180 seconds causing unnecessary delays during load.
+
+Change the granularity of msleep() call from 1ms to 1000ms.
+
+Signed-off-by: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
+index bc37666f998e6..2f94ab9c23540 100644
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -3894,12 +3894,12 @@ megasas_transition_to_ready(struct megasas_instance *instance, int ocr)
+ /*
+ * The cur_state should not last for more than max_wait secs
+ */
+- for (i = 0; i < (max_wait * 1000); i++) {
++ for (i = 0; i < max_wait; i++) {
+ curr_abs_state = instance->instancet->
+ read_fw_status_reg(instance->reg_set);
+
+ if (abs_state == curr_abs_state) {
+- msleep(1);
++ msleep(1000);
+ } else
+ break;
+ }
+--
+2.20.1
+
--- /dev/null
+From 86f5141d1d5fccd91c534aa1050fd512fe4cecd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 18:53:37 +0530
+Subject: scsi: mpt3sas: Don't modify EEDPTagMode field setting on SAS3.5 HBA
+ devices
+
+From: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
+
+[ Upstream commit 6cd1bc7b9b5075d395ba0120923903873fc7ea0e ]
+
+If EEDPTagMode field in manufacturing page11 is set then unset it. This is
+needed to fix a hardware bug only in SAS3/SAS2 cards. So, skipping
+EEDPTagMode changes in Manufacturing page11 for SAS 3.5 controllers.
+
+Signed-off-by: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
+Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c
+index d2ab52026014f..2c556c7fcf0dc 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -4117,7 +4117,7 @@ _base_static_config_pages(struct MPT3SAS_ADAPTER *ioc)
+ * flag unset in NVDATA.
+ */
+ mpt3sas_config_get_manufacturing_pg11(ioc, &mpi_reply, &ioc->manu_pg11);
+- if (ioc->manu_pg11.EEDPTagMode == 0) {
++ if (!ioc->is_gen35_ioc && ioc->manu_pg11.EEDPTagMode == 0) {
+ pr_err("%s: overriding NVDATA EEDPTagMode setting\n",
+ ioc->name);
+ ioc->manu_pg11.EEDPTagMode &= ~0x3;
+--
+2.20.1
+
--- /dev/null
+From 492f0d92e176b6b612860182be227f05e02e1ffa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 18:53:38 +0530
+Subject: scsi: mpt3sas: Fix driver modifying persistent data in Manufacturing
+ page11
+
+From: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
+
+[ Upstream commit 97f35194093362a63b33caba2485521ddabe2c95 ]
+
+Currently driver is modifying both current & NVRAM/persistent data in
+Manufacturing page11. Driver should change only current copy of
+Manufacturing page11. It should not modify the persistent data.
+
+So removed the section of code where driver is modifying the persistent
+data of Manufacturing page11.
+
+Signed-off-by: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
+Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_config.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_config.c b/drivers/scsi/mpt3sas/mpt3sas_config.c
+index d29a2dcc7d0ec..9b01c5a7aebd9 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_config.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_config.c
+@@ -692,10 +692,6 @@ mpt3sas_config_set_manufacturing_pg11(struct MPT3SAS_ADAPTER *ioc,
+ r = _config_request(ioc, &mpi_request, mpi_reply,
+ MPT3_CONFIG_PAGE_DEFAULT_TIMEOUT, config_page,
+ sizeof(*config_page));
+- mpi_request.Action = MPI2_CONFIG_ACTION_PAGE_WRITE_NVRAM;
+- r = _config_request(ioc, &mpi_request, mpi_reply,
+- MPT3_CONFIG_PAGE_DEFAULT_TIMEOUT, config_page,
+- sizeof(*config_page));
+ out:
+ return r;
+ }
+--
+2.20.1
+
--- /dev/null
+From 10c07dd7daffb304c66a01826ab94a05115d422a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 18:53:36 +0530
+Subject: scsi: mpt3sas: Fix Sync cache command failure during driver unload
+
+From: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
+
+[ Upstream commit 9029a72500b95578a35877a43473b82cb0386c53 ]
+
+This is to fix SYNC CACHE and START STOP command failures with
+DID_NO_CONNECT during driver unload.
+
+In driver's IO submission patch (i.e. in driver's .queuecommand()) driver
+won't allow any SCSI commands to the IOC when ioc->remove_host flag is set
+and hence SYNC CACHE commands which are issued to the target drives (where
+write cache is enabled) during driver unload time is failed with
+DID_NO_CONNECT status.
+
+Now modified the driver to allow SYNC CACHE and START STOP commands to IOC,
+even when remove_host flag is set.
+
+Signed-off-by: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
+Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 36 +++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+index 73d661a0ecbb9..d3c944d997039 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -3791,6 +3791,40 @@ _scsih_tm_tr_complete(struct MPT3SAS_ADAPTER *ioc, u16 smid, u8 msix_index,
+ return _scsih_check_for_pending_tm(ioc, smid);
+ }
+
++/** _scsih_allow_scmd_to_device - check whether scmd needs to
++ * issue to IOC or not.
++ * @ioc: per adapter object
++ * @scmd: pointer to scsi command object
++ *
++ * Returns true if scmd can be issued to IOC otherwise returns false.
++ */
++inline bool _scsih_allow_scmd_to_device(struct MPT3SAS_ADAPTER *ioc,
++ struct scsi_cmnd *scmd)
++{
++
++ if (ioc->pci_error_recovery)
++ return false;
++
++ if (ioc->hba_mpi_version_belonged == MPI2_VERSION) {
++ if (ioc->remove_host)
++ return false;
++
++ return true;
++ }
++
++ if (ioc->remove_host) {
++
++ switch (scmd->cmnd[0]) {
++ case SYNCHRONIZE_CACHE:
++ case START_STOP:
++ return true;
++ default:
++ return false;
++ }
++ }
++
++ return true;
++}
+
+ /**
+ * _scsih_sas_control_complete - completion routine
+@@ -4623,7 +4657,7 @@ scsih_qcmd(struct Scsi_Host *shost, struct scsi_cmnd *scmd)
+ return 0;
+ }
+
+- if (ioc->pci_error_recovery || ioc->remove_host) {
++ if (!(_scsih_allow_scmd_to_device(ioc, scmd))) {
+ scmd->result = DID_NO_CONNECT << 16;
+ scmd->scsi_done(scmd);
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From 7894c359510cc3305b1113a71b2dd85e007fa597 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 16:31:25 +1100
+Subject: scsi: zorro_esp: Limit DMA transfers to 65535 bytes
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit b7ded0e8b0d11b6df1c4e5aa23a26e6629c21985 ]
+
+The core driver, esp_scsi, does not use the ESP_CONFIG2_FENAB bit, so the
+chip's Transfer Counter register is only 16 bits wide (not 24). A larger
+transfer cannot work and will theoretically result in a failed command
+and a "DMA length is zero" error.
+
+Fixes: 3109e5ae0311 ("scsi: zorro_esp: New driver for Amiga Zorro NCR53C9x boards")
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Cc: Michael Schmitz <schmitzmic@gmail.com>
+Tested-by: Michael Schmitz <schmitzmic@gmail.com>
+Reviewed-by: Michael Schmitz <schmitzmic@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/zorro_esp.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/drivers/scsi/zorro_esp.c b/drivers/scsi/zorro_esp.c
+index bb70882e6b56e..be79127db5946 100644
+--- a/drivers/scsi/zorro_esp.c
++++ b/drivers/scsi/zorro_esp.c
+@@ -245,7 +245,7 @@ static int fastlane_esp_irq_pending(struct esp *esp)
+ static u32 zorro_esp_dma_length_limit(struct esp *esp, u32 dma_addr,
+ u32 dma_len)
+ {
+- return dma_len > 0xFFFFFF ? 0xFFFFFF : dma_len;
++ return dma_len > 0xFFFF ? 0xFFFF : dma_len;
+ }
+
+ static void zorro_esp_reset_dma(struct esp *esp)
+@@ -484,7 +484,6 @@ static void zorro_esp_send_blz1230_dma_cmd(struct esp *esp, u32 addr,
+ scsi_esp_cmd(esp, ESP_CMD_DMA);
+ zorro_esp_write8(esp, (esp_count >> 0) & 0xff, ESP_TCLOW);
+ zorro_esp_write8(esp, (esp_count >> 8) & 0xff, ESP_TCMED);
+- zorro_esp_write8(esp, (esp_count >> 16) & 0xff, ESP_TCHI);
+
+ scsi_esp_cmd(esp, cmd);
+ }
+@@ -529,7 +528,6 @@ static void zorro_esp_send_blz1230II_dma_cmd(struct esp *esp, u32 addr,
+ scsi_esp_cmd(esp, ESP_CMD_DMA);
+ zorro_esp_write8(esp, (esp_count >> 0) & 0xff, ESP_TCLOW);
+ zorro_esp_write8(esp, (esp_count >> 8) & 0xff, ESP_TCMED);
+- zorro_esp_write8(esp, (esp_count >> 16) & 0xff, ESP_TCHI);
+
+ scsi_esp_cmd(esp, cmd);
+ }
+@@ -574,7 +572,6 @@ static void zorro_esp_send_blz2060_dma_cmd(struct esp *esp, u32 addr,
+ scsi_esp_cmd(esp, ESP_CMD_DMA);
+ zorro_esp_write8(esp, (esp_count >> 0) & 0xff, ESP_TCLOW);
+ zorro_esp_write8(esp, (esp_count >> 8) & 0xff, ESP_TCMED);
+- zorro_esp_write8(esp, (esp_count >> 16) & 0xff, ESP_TCHI);
+
+ scsi_esp_cmd(esp, cmd);
+ }
+@@ -599,7 +596,6 @@ static void zorro_esp_send_cyber_dma_cmd(struct esp *esp, u32 addr,
+
+ zorro_esp_write8(esp, (esp_count >> 0) & 0xff, ESP_TCLOW);
+ zorro_esp_write8(esp, (esp_count >> 8) & 0xff, ESP_TCMED);
+- zorro_esp_write8(esp, (esp_count >> 16) & 0xff, ESP_TCHI);
+
+ if (write) {
+ /* DMA receive */
+@@ -649,7 +645,6 @@ static void zorro_esp_send_cyberII_dma_cmd(struct esp *esp, u32 addr,
+
+ zorro_esp_write8(esp, (esp_count >> 0) & 0xff, ESP_TCLOW);
+ zorro_esp_write8(esp, (esp_count >> 8) & 0xff, ESP_TCMED);
+- zorro_esp_write8(esp, (esp_count >> 16) & 0xff, ESP_TCHI);
+
+ if (write) {
+ /* DMA receive */
+@@ -691,7 +686,6 @@ static void zorro_esp_send_fastlane_dma_cmd(struct esp *esp, u32 addr,
+
+ zorro_esp_write8(esp, (esp_count >> 0) & 0xff, ESP_TCLOW);
+ zorro_esp_write8(esp, (esp_count >> 8) & 0xff, ESP_TCMED);
+- zorro_esp_write8(esp, (esp_count >> 16) & 0xff, ESP_TCHI);
+
+ if (write) {
+ /* DMA receive */
+--
+2.20.1
+
--- /dev/null
+From 7a03f8e915af9ea87404013e53b13550d2eab4a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Oct 2018 03:07:51 +0800
+Subject: sctp: use sk_wmem_queued to check for writable space
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit cd305c74b0f8b49748a79a8f67fc8e5e3e0c4794 ]
+
+sk->sk_wmem_queued is used to count the size of chunks in out queue
+while sk->sk_wmem_alloc is for counting the size of chunks has been
+sent. sctp is increasing both of them before enqueuing the chunks,
+and using sk->sk_wmem_alloc to check for writable space.
+
+However, sk_wmem_alloc is also increased by 1 for the skb allocked
+for sending in sctp_packet_transmit() but it will not wake up the
+waiters when sk_wmem_alloc is decreased in this skb's destructor.
+
+If msg size is equal to sk_sndbuf and sendmsg is waiting for sndbuf,
+the check 'msg_len <= sctp_wspace(asoc)' in sctp_wait_for_sndbuf()
+will keep waiting if there's a skb allocked in sctp_packet_transmit,
+and later even if this skb got freed, the waiting thread will never
+get waked up.
+
+This issue has been there since very beginning, so we change to use
+sk->sk_wmem_queued to check for writable space as sk_wmem_queued is
+not increased for the skb allocked for sending, also as TCP does.
+
+SOCK_SNDBUF_LOCK check is also removed here as it's for tx buf auto
+tuning which I will add in another patch.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/socket.c | 38 +++++++++-----------------------------
+ 1 file changed, 9 insertions(+), 29 deletions(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index c766315527226..e7a11cd7633f5 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -83,7 +83,7 @@
+ #include <net/sctp/stream_sched.h>
+
+ /* Forward declarations for internal helper functions. */
+-static int sctp_writeable(struct sock *sk);
++static bool sctp_writeable(struct sock *sk);
+ static void sctp_wfree(struct sk_buff *skb);
+ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+ size_t msg_len);
+@@ -119,25 +119,10 @@ static void sctp_enter_memory_pressure(struct sock *sk)
+ /* Get the sndbuf space available at the time on the association. */
+ static inline int sctp_wspace(struct sctp_association *asoc)
+ {
+- int amt;
++ struct sock *sk = asoc->base.sk;
+
+- if (asoc->ep->sndbuf_policy)
+- amt = asoc->sndbuf_used;
+- else
+- amt = sk_wmem_alloc_get(asoc->base.sk);
+-
+- if (amt >= asoc->base.sk->sk_sndbuf) {
+- if (asoc->base.sk->sk_userlocks & SOCK_SNDBUF_LOCK)
+- amt = 0;
+- else {
+- amt = sk_stream_wspace(asoc->base.sk);
+- if (amt < 0)
+- amt = 0;
+- }
+- } else {
+- amt = asoc->base.sk->sk_sndbuf - amt;
+- }
+- return amt;
++ return asoc->ep->sndbuf_policy ? sk->sk_sndbuf - asoc->sndbuf_used
++ : sk_stream_wspace(sk);
+ }
+
+ /* Increment the used sndbuf space count of the corresponding association by
+@@ -1928,10 +1913,10 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
+ asoc->pmtu_pending = 0;
+ }
+
+- if (sctp_wspace(asoc) < msg_len)
++ if (sctp_wspace(asoc) < (int)msg_len)
+ sctp_prsctp_prune(asoc, sinfo, msg_len - sctp_wspace(asoc));
+
+- if (!sctp_wspace(asoc)) {
++ if (sctp_wspace(asoc) <= 0) {
+ timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
+ err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
+ if (err)
+@@ -8516,7 +8501,7 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+ goto do_error;
+ if (signal_pending(current))
+ goto do_interrupted;
+- if (msg_len <= sctp_wspace(asoc))
++ if ((int)msg_len <= sctp_wspace(asoc))
+ break;
+
+ /* Let another process have a go. Since we are going
+@@ -8591,14 +8576,9 @@ void sctp_write_space(struct sock *sk)
+ * UDP-style sockets or TCP-style sockets, this code should work.
+ * - Daisy
+ */
+-static int sctp_writeable(struct sock *sk)
++static bool sctp_writeable(struct sock *sk)
+ {
+- int amt = 0;
+-
+- amt = sk->sk_sndbuf - sk_wmem_alloc_get(sk);
+- if (amt < 0)
+- amt = 0;
+- return amt;
++ return sk->sk_sndbuf > sk->sk_wmem_queued;
+ }
+
+ /* Wait for an association to go into ESTABLISHED state. If timeout is 0,
+--
+2.20.1
+
--- /dev/null
+From 38359c2a6ecc61b84f16c10331bf572911877641 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Oct 2018 23:18:36 +0800
+Subject: selftests/bpf: fix file resource leak in load_kallsyms
+
+From: Peng Hao <peng.hao2@zte.com.cn>
+
+[ Upstream commit 1bd70d2eba9d90eb787634361f0f6fa2c86b3f6d ]
+
+FILE pointer variable f is opened but never closed.
+
+Signed-off-by: Peng Hao <peng.hao2@zte.com.cn>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/trace_helpers.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/trace_helpers.c b/tools/testing/selftests/bpf/trace_helpers.c
+index cf156b3536798..82922f13dcd3a 100644
+--- a/tools/testing/selftests/bpf/trace_helpers.c
++++ b/tools/testing/selftests/bpf/trace_helpers.c
+@@ -41,6 +41,7 @@ int load_kallsyms(void)
+ syms[i].name = strdup(func);
+ i++;
+ }
++ fclose(f);
+ sym_cnt = i;
+ qsort(syms, sym_cnt, sizeof(struct ksym), ksym_cmp);
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From cc7a39ef1a084bc45994e4d0a360fa977e7938a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Oct 2018 22:58:44 +0100
+Subject: selftests/bpf: fix return value comparison for tests in
+ test_libbpf.sh
+
+From: Quentin Monnet <quentin.monnet@netronome.com>
+
+[ Upstream commit c5fa5d602221362f8341ecd9e32d83194abf5bd9 ]
+
+The return value for each test in test_libbpf.sh is compared with
+
+ if (( $? == 0 )) ; then ...
+
+This works well with bash, but not with dash, that /bin/sh is aliased to
+on some systems (such as Ubuntu).
+
+Let's replace this comparison by something that works on both shells.
+
+Signed-off-by: Quentin Monnet <quentin.monnet@netronome.com>
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_libbpf.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/test_libbpf.sh b/tools/testing/selftests/bpf/test_libbpf.sh
+index 8b1bc96d8e0cc..2989b2e2d856d 100755
+--- a/tools/testing/selftests/bpf/test_libbpf.sh
++++ b/tools/testing/selftests/bpf/test_libbpf.sh
+@@ -6,7 +6,7 @@ export TESTNAME=test_libbpf
+ # Determine selftest success via shell exit code
+ exit_handler()
+ {
+- if (( $? == 0 )); then
++ if [ $? -eq 0 ]; then
+ echo "selftests: $TESTNAME [PASS]";
+ else
+ echo "$TESTNAME: failed at file $LAST_LOADED" 1>&2
+--
+2.20.1
+
--- /dev/null
+From c7d3ed3713ab98c349d399bb749d14979da92d7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Oct 2018 03:53:50 +0800
+Subject: selftests: fix warning: "_GNU_SOURCE" redefined
+
+From: Peng Hao <peng.hao2@zte.com.cn>
+
+[ Upstream commit 0387662d1b6c5ad2950d8e94d5e380af3f15c05c ]
+
+Makefile contains -D_GNU_SOURCE. remove define "_GNU_SOURCE"
+in c files.
+
+Signed-off-by: Peng Hao <peng.hao2@zte.com.cn>
+Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/proc/fd-001-lookup.c | 2 +-
+ tools/testing/selftests/proc/fd-003-kthread.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/proc/fd-001-lookup.c b/tools/testing/selftests/proc/fd-001-lookup.c
+index a2010dfb21104..60d7948e7124f 100644
+--- a/tools/testing/selftests/proc/fd-001-lookup.c
++++ b/tools/testing/selftests/proc/fd-001-lookup.c
+@@ -14,7 +14,7 @@
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+ // Test /proc/*/fd lookup.
+-#define _GNU_SOURCE
++
+ #undef NDEBUG
+ #include <assert.h>
+ #include <dirent.h>
+diff --git a/tools/testing/selftests/proc/fd-003-kthread.c b/tools/testing/selftests/proc/fd-003-kthread.c
+index 1d659d55368c2..dc591f97b63d4 100644
+--- a/tools/testing/selftests/proc/fd-003-kthread.c
++++ b/tools/testing/selftests/proc/fd-003-kthread.c
+@@ -14,7 +14,7 @@
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+ // Test that /proc/$KERNEL_THREAD/fd/ is empty.
+-#define _GNU_SOURCE
++
+ #undef NDEBUG
+ #include <sys/syscall.h>
+ #include <assert.h>
+--
+2.20.1
+
--- /dev/null
+From f24ec9c0a8d60f4bfb29c369a3e618e28ad6dbb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Aug 2018 23:16:13 +0900
+Subject: selftests/ftrace: Fix to test kprobe $comm arg only if available
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 2452c96e617a0ff6fb2692e55217a3fa57a7322c ]
+
+Test $comm in kprobe-event argument syntax testcase
+only if it is supported on the kernel because
+$comm has been introduced 4.8 kernel.
+So on older stable kernel, it should be skipped.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
+index d026ff4e562f3..92ffb3bd33d82 100644
+--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
+@@ -78,8 +78,11 @@ test_badarg "\$stackp" "\$stack0+10" "\$stack1-10"
+ echo "r ${PROBEFUNC} \$retval" > kprobe_events
+ ! echo "p ${PROBEFUNC} \$retval" > kprobe_events
+
++# $comm was introduced in 4.8, older kernels reject it.
++if grep -A1 "fetcharg:" README | grep -q '\$comm' ; then
+ : "Comm access"
+ test_goodarg "\$comm"
++fi
+
+ : "Indirect memory access"
+ test_goodarg "+0(${GOODREG})" "-0(${GOODREG})" "+10(\$stack)" \
+--
+2.20.1
+
--- /dev/null
+From 541c45a9a4e689f2c33abc51a17b946a9dd150ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 16:13:46 +0200
+Subject: selftests: kvm: Fix -Wformat warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrea Parri <andrea.parri@amarulasolutions.com>
+
+[ Upstream commit fb363e2d20351e1d16629df19e7bce1a31b3227a ]
+
+Fixes the following warnings:
+
+dirty_log_test.c: In function ‘help’:
+dirty_log_test.c:216:9: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘int’ [-Wformat=]
+ printf(" -i: specify iteration counts (default: %"PRIu64")\n",
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In file included from include/test_util.h:18:0,
+ from dirty_log_test.c:16:
+/usr/include/inttypes.h:105:34: note: format string is defined here
+ # define PRIu64 __PRI64_PREFIX "u"
+dirty_log_test.c:218:9: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘int’ [-Wformat=]
+ printf(" -I: specify interval in ms (default: %"PRIu64" ms)\n",
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In file included from include/test_util.h:18:0,
+ from dirty_log_test.c:16:
+/usr/include/inttypes.h:105:34: note: format string is defined here
+ # define PRIu64 __PRI64_PREFIX "u"
+
+Signed-off-by: Andrea Parri <andrea.parri@amarulasolutions.com>
+Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kvm/dirty_log_test.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/kvm/dirty_log_test.c b/tools/testing/selftests/kvm/dirty_log_test.c
+index 0c2cdc105f968..a9c4b5e21d7e7 100644
+--- a/tools/testing/selftests/kvm/dirty_log_test.c
++++ b/tools/testing/selftests/kvm/dirty_log_test.c
+@@ -31,9 +31,9 @@
+ /* How many pages to dirty for each guest loop */
+ #define TEST_PAGES_PER_LOOP 1024
+ /* How many host loops to run (one KVM_GET_DIRTY_LOG for each loop) */
+-#define TEST_HOST_LOOP_N 32
++#define TEST_HOST_LOOP_N 32UL
+ /* Interval for each host loop (ms) */
+-#define TEST_HOST_LOOP_INTERVAL 10
++#define TEST_HOST_LOOP_INTERVAL 10UL
+
+ /*
+ * Guest variables. We use these variables to share data between host
+--
+2.20.1
+
--- /dev/null
+From c79aa9a3cff2a3bd34fdc6e31192184666660c5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Oct 2018 22:23:53 +1100
+Subject: selftests/powerpc/cache_shape: Fix out-of-tree build
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 69f8117f17b332a68cd8f4bf8c2d0d3d5b84efc5 ]
+
+Use TEST_GEN_PROGS and don't redefine all, this makes the out-of-tree
+build work. We need to move the extra dependencies below the include
+of lib.mk, because it adds the $(OUTPUT) prefix if it's defined.
+
+We can also drop the clean rule, lib.mk does it for us.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/powerpc/cache_shape/Makefile | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/tools/testing/selftests/powerpc/cache_shape/Makefile b/tools/testing/selftests/powerpc/cache_shape/Makefile
+index ede4d3dae7505..689f6c8ebcd8d 100644
+--- a/tools/testing/selftests/powerpc/cache_shape/Makefile
++++ b/tools/testing/selftests/powerpc/cache_shape/Makefile
+@@ -1,12 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+-TEST_PROGS := cache_shape
+-
+-all: $(TEST_PROGS)
+-
+-$(TEST_PROGS): ../harness.c ../utils.c
++TEST_GEN_PROGS := cache_shape
+
+ top_srcdir = ../../../../..
+ include ../../lib.mk
+
+-clean:
+- rm -f $(TEST_PROGS) *.o
++$(TEST_GEN_PROGS): ../harness.c ../utils.c
+--
+2.20.1
+
--- /dev/null
+From 496cdc0820d4dff1537af1d7bccbb26be8b24818 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Oct 2018 22:23:49 +1100
+Subject: selftests/powerpc/ptrace: Fix out-of-tree build
+
+From: Joel Stanley <joel@jms.id.au>
+
+[ Upstream commit c39b79082a38a4f8c801790edecbbb4d62ed2992 ]
+
+We should use TEST_GEN_PROGS, not TEST_PROGS. That tells the selftests
+makefile (lib.mk) that those tests are generated (built), and so it
+adds the $(OUTPUT) prefix for us, making the out-of-tree build work
+correctly.
+
+It also means we don't need our own clean rule, lib.mk does it.
+
+We also have to update the ptrace-pkey and core-pkey rules to use
+$(OUTPUT).
+
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/powerpc/ptrace/Makefile | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/tools/testing/selftests/powerpc/ptrace/Makefile b/tools/testing/selftests/powerpc/ptrace/Makefile
+index 923d531265f8c..9f9423430059e 100644
+--- a/tools/testing/selftests/powerpc/ptrace/Makefile
++++ b/tools/testing/selftests/powerpc/ptrace/Makefile
+@@ -1,5 +1,5 @@
+ # SPDX-License-Identifier: GPL-2.0
+-TEST_PROGS := ptrace-gpr ptrace-tm-gpr ptrace-tm-spd-gpr \
++TEST_GEN_PROGS := ptrace-gpr ptrace-tm-gpr ptrace-tm-spd-gpr \
+ ptrace-tar ptrace-tm-tar ptrace-tm-spd-tar ptrace-vsx ptrace-tm-vsx \
+ ptrace-tm-spd-vsx ptrace-tm-spr ptrace-hwbreak ptrace-pkey core-pkey \
+ perf-hwbreak
+@@ -7,14 +7,9 @@ TEST_PROGS := ptrace-gpr ptrace-tm-gpr ptrace-tm-spd-gpr \
+ top_srcdir = ../../../../..
+ include ../../lib.mk
+
+-all: $(TEST_PROGS)
+-
+ CFLAGS += -m64 -I../../../../../usr/include -I../tm -mhtm -fno-pie
+
+-ptrace-pkey core-pkey: child.h
+-ptrace-pkey core-pkey: LDLIBS += -pthread
+-
+-$(TEST_PROGS): ../harness.c ../utils.c ../lib/reg.S ptrace.h
++$(OUTPUT)/ptrace-pkey $(OUTPUT)/core-pkey: child.h
++$(OUTPUT)/ptrace-pkey $(OUTPUT)/core-pkey: LDLIBS += -pthread
+
+-clean:
+- rm -f $(TEST_PROGS) *.o
++$(TEST_GEN_PROGS): ../harness.c ../utils.c ../lib/reg.S ptrace.h
+--
+2.20.1
+
--- /dev/null
+From 1192be0cdf3796da93addc85ba2ce586da1cad6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Oct 2018 22:23:50 +1100
+Subject: selftests/powerpc/signal: Fix out-of-tree build
+
+From: Joel Stanley <joel@jms.id.au>
+
+[ Upstream commit 27825349d7b238533a47e3d98b8bb0efd886b752 ]
+
+We should use TEST_GEN_PROGS, not TEST_PROGS. That tells the selftests
+makefile (lib.mk) that those tests are generated (built), and so it
+adds the $(OUTPUT) prefix for us, making the out-of-tree build work
+correctly.
+
+It also means we don't need our own clean rule, lib.mk does it.
+
+We also have to update the signal_tm rule to use $(OUTPUT).
+
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/powerpc/signal/Makefile | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/tools/testing/selftests/powerpc/signal/Makefile b/tools/testing/selftests/powerpc/signal/Makefile
+index 1fca25c6ace06..209a958dca127 100644
+--- a/tools/testing/selftests/powerpc/signal/Makefile
++++ b/tools/testing/selftests/powerpc/signal/Makefile
+@@ -1,15 +1,10 @@
+ # SPDX-License-Identifier: GPL-2.0
+-TEST_PROGS := signal signal_tm
+-
+-all: $(TEST_PROGS)
+-
+-$(TEST_PROGS): ../harness.c ../utils.c signal.S
++TEST_GEN_PROGS := signal signal_tm
+
+ CFLAGS += -maltivec
+-signal_tm: CFLAGS += -mhtm
++$(OUTPUT)/signal_tm: CFLAGS += -mhtm
+
+ top_srcdir = ../../../../..
+ include ../../lib.mk
+
+-clean:
+- rm -f $(TEST_PROGS) *.o
++$(TEST_GEN_PROGS): ../harness.c ../utils.c signal.S
+--
+2.20.1
+
--- /dev/null
+From d10d7460a3ebdc75aa58daca508b623120256007 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Oct 2018 22:23:52 +1100
+Subject: selftests/powerpc/switch_endian: Fix out-of-tree build
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 266bac361d5677e61a6815bd29abeb3bdced2b07 ]
+
+For the out-of-tree build to work we need to tell switch_endian_test
+to look for check-reversed.S in $(OUTPUT).
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/powerpc/switch_endian/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/powerpc/switch_endian/Makefile b/tools/testing/selftests/powerpc/switch_endian/Makefile
+index fcd2dcb8972ba..bdc081afedb0f 100644
+--- a/tools/testing/selftests/powerpc/switch_endian/Makefile
++++ b/tools/testing/selftests/powerpc/switch_endian/Makefile
+@@ -8,6 +8,7 @@ EXTRA_CLEAN = $(OUTPUT)/*.o $(OUTPUT)/check-reversed.S
+ top_srcdir = ../../../../..
+ include ../../lib.mk
+
++$(OUTPUT)/switch_endian_test: ASFLAGS += -I $(OUTPUT)
+ $(OUTPUT)/switch_endian_test: $(OUTPUT)/check-reversed.S
+
+ $(OUTPUT)/check-reversed.o: $(OUTPUT)/check.o
+--
+2.20.1
+
--- /dev/null
+From 1653a533d327e4fa7fd4ca3945e144720a9cc061 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Sep 2018 15:23:08 -0600
+Subject: selftests: watchdog: Fix error message.
+
+From: Jerry Hoemann <jerry.hoemann@hpe.com>
+
+[ Upstream commit 04d5e4bd37516ad60854eb74592c7dbddd75d277 ]
+
+Printf's say errno but print the string version of error.
+Make consistent.
+
+Signed-off-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/watchdog/watchdog-test.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/watchdog/watchdog-test.c b/tools/testing/selftests/watchdog/watchdog-test.c
+index e029e2017280f..f1c6e025cbe54 100644
+--- a/tools/testing/selftests/watchdog/watchdog-test.c
++++ b/tools/testing/selftests/watchdog/watchdog-test.c
+@@ -109,7 +109,7 @@ int main(int argc, char *argv[])
+ printf("Last boot is caused by: %s.\n", (flags != 0) ?
+ "Watchdog" : "Power-On-Reset");
+ else
+- printf("WDIOC_GETBOOTSTATUS errno '%s'\n", strerror(errno));
++ printf("WDIOC_GETBOOTSTATUS error '%s'\n", strerror(errno));
+ break;
+ case 'd':
+ flags = WDIOS_DISABLECARD;
+@@ -117,7 +117,7 @@ int main(int argc, char *argv[])
+ if (!ret)
+ printf("Watchdog card disabled.\n");
+ else
+- printf("WDIOS_DISABLECARD errno '%s'\n", strerror(errno));
++ printf("WDIOS_DISABLECARD error '%s'\n", strerror(errno));
+ break;
+ case 'e':
+ flags = WDIOS_ENABLECARD;
+@@ -125,7 +125,7 @@ int main(int argc, char *argv[])
+ if (!ret)
+ printf("Watchdog card enabled.\n");
+ else
+- printf("WDIOS_ENABLECARD errno '%s'\n", strerror(errno));
++ printf("WDIOS_ENABLECARD error '%s'\n", strerror(errno));
+ break;
+ case 'p':
+ ping_rate = strtoul(optarg, NULL, 0);
+@@ -139,7 +139,7 @@ int main(int argc, char *argv[])
+ if (!ret)
+ printf("Watchdog timeout set to %u seconds.\n", flags);
+ else
+- printf("WDIOC_SETTIMEOUT errno '%s'\n", strerror(errno));
++ printf("WDIOC_SETTIMEOUT error '%s'\n", strerror(errno));
+ break;
+ default:
+ usage(argv[0]);
+--
+2.20.1
+
--- /dev/null
+From 91e0a0784b12f9801ab1d52c443472639699a8d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Sep 2018 13:07:11 -0600
+Subject: selftests: watchdog: fix message when /dev/watchdog open fails
+
+From: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+
+[ Upstream commit 9a244229a4b850b11952a0df79607c69b18fd8df ]
+
+When /dev/watchdog open fails, watchdog exits with "watchdog not enabled"
+message. This is incorrect when open fails due to insufficient privilege.
+
+Fix message to clearly state the reason when open fails with EACCESS when
+a non-root user runs it.
+
+Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/watchdog/watchdog-test.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/watchdog/watchdog-test.c b/tools/testing/selftests/watchdog/watchdog-test.c
+index 6e290874b70e2..e029e2017280f 100644
+--- a/tools/testing/selftests/watchdog/watchdog-test.c
++++ b/tools/testing/selftests/watchdog/watchdog-test.c
+@@ -89,7 +89,13 @@ int main(int argc, char *argv[])
+ fd = open("/dev/watchdog", O_WRONLY);
+
+ if (fd == -1) {
+- printf("Watchdog device not enabled.\n");
++ if (errno == ENOENT)
++ printf("Watchdog device not enabled.\n");
++ else if (errno == EACCES)
++ printf("Run watchdog as root.\n");
++ else
++ printf("Watchdog device open failed %s\n",
++ strerror(errno));
+ exit(-1);
+ }
+
+--
+2.20.1
+
drm-amd-powerplay-issue-no-ppsmc_msg_getcurrpkgpwr-on-unsupported-asics.patch
drm-i915-pmu-frequency-is-reported-as-accumulated-cycles.patch
drm-i915-userptr-try-to-acquire-the-page-lock-around-set_page_dirty.patch
+mwifiex-fix-nl80211_tx_power_limited.patch
+alsa-isight-fix-leak-of-reference-to-firewire-unit-i.patch
+crypto-testmgr-fix-sizeof-on-comp_buf_size.patch
+printk-lock-unlock-console-only-for-new-logbuf-entri.patch
+printk-fix-integer-overflow-in-setup_log_buf.patch
+pinctrl-madera-fix-uninitialized-variable-bug-in-mad.patch
+pci-cadence-write-msi-data-with-32bits.patch
+gfs2-fix-marking-bitmaps-non-full.patch
+pty-fix-compat-ioctls.patch
+synclink_gt-fix-compat_ioctl.patch
+powerpc-fix-signedness-bug-in-update_flash_db.patch
+powerpc-boot-fix-opal-console-in-boot-wrapper.patch
+powerpc-boot-disable-vector-instructions.patch
+powerpc-eeh-fix-null-deref-for-devices-removed-durin.patch
+powerpc-eeh-fix-use-of-eeh_pe_keep-on-wrong-field.patch
+edac-thunderx-fix-memory-leak-in-thunderx_l2c_thread.patch
+mt76-do-not-store-aggregation-sequence-number-for-nu.patch
+mt76x0-phy-fix-restore-phase-in-mt76x0_phy_recalibra.patch
+brcmsmac-ap-mode-update-beacon-when-tim-changes.patch
+ath10k-set-probe-request-oui-during-driver-start.patch
+ath10k-allocate-small-size-dma-memory-in-ath10k_pci_.patch
+skd-fixup-usage-of-legacy-io-api.patch
+cdrom-don-t-attempt-to-fiddle-with-cdo-capability.patch
+spi-sh-msiof-fix-deferred-probing.patch
+mmc-mediatek-fill-the-actual-clock-for-mmc-debugfs.patch
+mmc-mediatek-fix-cannot-receive-new-request-when-msd.patch
+pci-mediatek-fix-class-type-for-mt7622-to-pci_class_.patch
+btrfs-defrag-use-btrfs_mod_outstanding_extents-in-cl.patch
+btrfs-handle-error-of-get_old_root.patch
+gsmi-fix-bug-in-append_to_eventlog-sysfs-handler.patch
+misc-mic-fix-a-dma-pool-free-failure.patch
+w1-iad-register-is-yet-readable-trough-iad-sys-file..patch
+m68k-fix-command-line-parsing-when-passed-from-u-boo.patch
+scsi-hisi_sas-feed-back-linkrate-max-min-when-re-att.patch
+scsi-hisi_sas-fix-the-race-between-io-completion-and.patch
+scsi-hisi_sas-free-slot-later-in-slot_complete_vx_hw.patch
+rdma-bnxt_re-avoid-null-check-after-accessing-the-po.patch
+rdma-bnxt_re-fix-qp-async-event-reporting.patch
+rdma-bnxt_re-avoid-resource-leak-in-case-the-nq-regi.patch
+pinctrl-sunxi-fix-a-memory-leak-in-sunxi_pinctrl_bui.patch
+pwm-lpss-only-set-update-bit-if-we-are-actually-chan.patch
+amiflop-clean-up-on-errors-during-setup.patch
+qed-align-local-and-global-ptt-to-propagate-through-.patch
+scsi-ips-fix-missing-break-in-switch.patch
+nfp-bpf-protect-against-mis-initializing-atomic-coun.patch
+kvm-nvmx-reset-cache-shadows-when-switching-loaded-v.patch
+kvm-nvmx-move-check_vmentry_postreqs-call-to-nested_.patch
+kvm-x86-fix-invvpid-and-invept-register-operand-size.patch
+clk-tegra-fixes-for-mbist-work-around.patch
+scsi-isci-use-proper-enumerated-type-in-atapi_d2h_re.patch
+scsi-isci-change-sci_controller_start_task-s-return-.patch
+scsi-bfa-avoid-implicit-enum-conversion-in-bfad_im_p.patch
+scsi-iscsi_tcp-explicitly-cast-param-in-iscsi_sw_tcp.patch
+crypto-ccree-avoid-implicit-enum-conversion.patch
+nvmet-avoid-integer-overflow-in-the-discard-code.patch
+nvmet-fcloop-suppress-a-compiler-warning.patch
+nvme-pci-fix-hot-removal-during-error-handling.patch
+pci-mediatek-fixup-msi-enablement-logic-by-enabling-.patch
+clk-mmp2-fix-the-clock-id-for-sdh2_clk-and-sdh3_clk.patch
+clk-at91-audio-pll-fix-audio-pmc-type.patch
+asoc-tegra_sgtl5000-fix-device_node-refcounting.patch
+scsi-dc395x-fix-dma-api-usage-in-srb_done.patch
+scsi-dc395x-fix-dma-api-usage-in-sg_update_list.patch
+scsi-zorro_esp-limit-dma-transfers-to-65535-bytes.patch
+net-dsa-mv88e6xxx-fix-88e6141-6341-2500mbps-serdes-s.patch
+net-fix-warning-in-af_unix.patch
+net-ena-fix-kconfig-dependency-on-x86.patch
+xfs-fix-use-after-free-race-in-xfs_buf_rele.patch
+xfs-clear-ail-delwri-queued-bufs-on-unmount-of-shutd.patch
+kprobes-x86-ptrace.h-make-regs_get_kernel_stack_nth-.patch
+acpi-scan-create-platform-device-for-int33fe-acpi-no.patch
+pm-domains-deal-with-multiple-states-but-no-governor.patch
+alsa-i2c-cs8427-fix-int-to-char-conversion.patch
+macintosh-windfarm_smu_sat-fix-debug-output.patch
+pci-vmd-detach-resources-after-stopping-root-bus.patch
+usb-misc-appledisplay-fix-backlight-update_status-re.patch
+usbip-tools-fix-atoi-on-non-null-terminated-string.patch
+sctp-use-sk_wmem_queued-to-check-for-writable-space.patch
+dm-raid-avoid-bitmap-with-raid4-5-6-journal-device.patch
+selftests-bpf-fix-file-resource-leak-in-load_kallsym.patch
+sunrpc-fix-a-compile-warning-for-cmpxchg64.patch
+sunrpc-safely-reallow-resvport-min-max-inversion.patch
+atm-zatm-fix-empty-body-clang-warnings.patch
+s390-perf-return-error-when-debug_register-fails.patch
+swiotlb-do-not-panic-on-mapping-failures.patch
+spi-omap2-mcspi-set-fifo-dma-trigger-level-to-word-l.patch
+x86-intel_rdt-prevent-pseudo-locking-from-using-stal.patch
+sparc-fix-parport-build-warnings.patch
+scsi-hisi_sas-fix-null-pointer-dereference.patch
+powerpc-pseries-export-raw-per-cpu-vpa-data-via-debu.patch
+powerpc-mm-radix-fix-off-by-one-in-split-mapping-log.patch
+powerpc-mm-radix-fix-overuse-of-small-pages-in-split.patch
+powerpc-mm-radix-fix-small-page-at-boundary-when-spl.patch
+powerpc-64s-radix-fix-radix__flush_tlb_collapsed_pmd.patch
+selftests-bpf-fix-return-value-comparison-for-tests-.patch
+tools-bpftool-fix-completion-for-bpftool-map-update.patch
+ceph-fix-dentry-leak-in-ceph_readdir_prepopulate.patch
+ceph-only-allow-punch-hole-mode-in-fallocate.patch
+rtc-s35390a-change-buf-s-type-to-u8-in-s35390a_init.patch
+risc-v-avoid-corrupting-the-upper-32-bit-of-phys_add.patch
+thermal-armada-fix-a-test-in-probe.patch
+f2fs-fix-to-spread-clear_cold_data.patch
+f2fs-spread-f2fs_set_inode_flags.patch
+misdn-fix-type-of-switch-control-variable-in-ctrl_te.patch
+qlcnic-fix-a-return-in-qlcnic_dcb_get_capability.patch
+net-ethernet-ti-cpsw-unsync-mcast-entries-while-swit.patch
+mfd-arizona-correct-calling-of-runtime_put_sync.patch
+mfd-mc13xxx-core-fix-pmic-shutdown-when-reading-adc-.patch
+mfd-intel_soc_pmic_bxtwc-chain-power-button-irqs-as-.patch
+mfd-max8997-enale-irq-wakeup-unconditionally.patch
+net-socionext-stop-phy-before-resetting-netsec.patch
+fs-cifs-fix-uninitialised-variable-warnings.patch
+spi-uniphier-fix-incorrect-property-items.patch
+selftests-ftrace-fix-to-test-kprobe-comm-arg-only-if.patch
+selftests-watchdog-fix-message-when-dev-watchdog-ope.patch
+selftests-watchdog-fix-error-message.patch
+selftests-kvm-fix-wformat-warnings.patch
+selftests-fix-warning-_gnu_source-redefined.patch
+thermal-rcar_thermal-fix-duplicate-irq-request.patch
+thermal-rcar_thermal-prevent-hardware-access-during-.patch
+net-ethernet-cadence-fix-socket-buffer-corruption-pr.patch
+bpf-devmap-fix-wrong-interface-selection-in-notifier.patch
+bpf-btf-fix-a-missing-check-bug-in-btf_parse.patch
+powerpc-process-fix-flush_all_to_thread-for-spe.patch
+sparc64-rework-xchg-definition-to-avoid-warnings.patch
+arm64-lib-use-c-string-functions-with-kasan-enabled.patch
+fs-ocfs2-dlm-dlmdebug.c-fix-a-sleep-in-atomic-contex.patch
+mm-page-writeback.c-fix-range_cyclic-writeback-vs-wr.patch
+tools-testing-selftests-vm-gup_benchmark.c-fix-write.patch
+mm-thp-fix-madv_dontneed-vs-migrate_misplaced_transh.patch
+macsec-update-operstate-when-lower-device-changes.patch
+macsec-let-the-administrator-set-up-state-even-if-lo.patch
+block-fix-the-discard-request-merge.patch
+i2c-uniphier-f-make-driver-robust-against-concurrenc.patch
+i2c-uniphier-f-fix-occasional-timeout-error.patch
+i2c-uniphier-f-fix-race-condition-when-irq-is-cleare.patch
+um-make-line-tty-semantics-use-true-write-irq.patch
+vfs-avoid-problematic-remapping-requests-into-partia.patch
+ipv4-igmp-fix-v1-v2-switchback-timeout-based-on-rfc3.patch
+powerpc-xmon-relax-frame-size-for-clang.patch
+selftests-powerpc-ptrace-fix-out-of-tree-build.patch
+selftests-powerpc-signal-fix-out-of-tree-build.patch
+selftests-powerpc-switch_endian-fix-out-of-tree-buil.patch
+selftests-powerpc-cache_shape-fix-out-of-tree-build.patch
+block-call-rq_qos_exit-after-queue-is-frozen.patch
+mm-gup_benchmark.c-prevent-integer-overflow-in-ioctl.patch
+linux-bitmap.h-handle-constant-zero-size-bitmaps-cor.patch
+linux-bitmap.h-fix-type-of-nbits-in-bitmap_shift_rig.patch
+lib-bitmap.c-fix-remaining-space-computation-in-bitm.patch
+hfsplus-fix-bug-on-bnode-parent-update.patch
+hfs-fix-bug-on-bnode-parent-update.patch
+hfsplus-prevent-btree-data-loss-on-enospc.patch
+hfs-prevent-btree-data-loss-on-enospc.patch
+hfsplus-fix-return-value-of-hfsplus_get_block.patch
+hfs-fix-return-value-of-hfs_get_block.patch
+hfsplus-update-timestamps-on-truncate.patch
+hfs-update-timestamp-on-truncate.patch
+fs-hfs-extent.c-fix-array-out-of-bounds-read-of-arra.patch
+kernel-panic.c-do-not-append-newline-to-the-stack-pr.patch
+mm-memory_hotplug-make-add_memory-take-the-device_ho.patch
+mm-memory_hotplug-fix-online-offline_pages-called-w..patch
+powerpc-powernv-hold-device_hotplug_lock-when-callin.patch
+igb-shorten-maximum-phc-timecounter-update-interval.patch
+fm10k-ensure-completer-aborts-are-marked-as-non-fata.patch
+net-hns3-bugfix-for-buffer-not-free-problem-during-r.patch
+net-hns3-bugfix-for-reporting-unknown-vector0-interr.patch
+net-hns3-bugfix-for-is_valid_csq_clean_head.patch
+net-hns3-bugfix-for-hclge_mdio_write-and-hclge_mdio_.patch
+ntb_netdev-fix-sleep-time-mismatch.patch
+ntb-intel-fix-return-value-for-ndev_vec_mask.patch
+irq-matrix-fix-memory-overallocation.patch
+nvme-pci-fix-conflicting-p2p-resource-adds.patch
+arm64-makefile-fix-build-of-.i-file-in-external-modu.patch
+tools-power-turbosat-fix-amd-apic-id-output.patch
+mm-handle-no-memcg-case-in-memcg_kmem_charge-properl.patch
+ocfs2-without-quota-support-avoid-calling-quota-reco.patch
+ocfs2-don-t-use-iocb-when-eiocbqueued-returns.patch
+ocfs2-don-t-put-and-assigning-null-to-bh-allocated-o.patch
+ocfs2-fix-clusters-leak-in-ocfs2_defrag_extent.patch
+net-do-not-abort-bulk-send-on-bql-status.patch
+sched-topology-fix-off-by-one-bug.patch
+sched-fair-don-t-increase-sd-balance_interval-on-new.patch
+openvswitch-fix-linking-without-config_nf_conntrack_.patch
+arm-dts-imx6sx-sdb-fix-enet-phy-regulator.patch
+clk-sunxi-ng-enable-so-said-ldos-for-a64-soc-s-pll-m.patch
+soc-bcm-brcmstb-fix-re-entry-point-with-a-thumb2_ker.patch
+audit-print-empty-execve-args.patch
+sock_diag-fix-autoloading-of-the-raw_diag-module.patch
+net-bpfilter-fix-iptables-failure-if-bpfilter_umh-is.patch
+nds32-fix-bug-in-bitfield.h.patch
+media-ov13858-check-for-possible-null-pointer.patch
+btrfs-avoid-link-error-with-config_no_auto_inline.patch
+wil6210-fix-debugfs-memory-access-alignment.patch
+wil6210-fix-l2-rx-status-handling.patch
+wil6210-fix-rgf_caf_icr-address-for-talyn-mb.patch
+wil6210-fix-locking-in-wmi_call.patch
+ath10k-snoc-fix-unbalanced-clock-error-handling.patch
+wlcore-fix-the-return-value-in-case-of-error-in-wlco.patch
+rtl8xxxu-fix-missing-break-in-switch.patch
+brcmsmac-never-log-tid-x-is-not-agg-able-by-default.patch
+wireless-airo-potential-buffer-overflow-in-sprintf.patch
+rtlwifi-rtl8192de-fix-misleading-reg_mcufwdl-informa.patch
+net-dsa-bcm_sf2-turn-on-phy-to-allow-successful-regi.patch
+scsi-mpt3sas-fix-sync-cache-command-failure-during-d.patch
+scsi-mpt3sas-don-t-modify-eedptagmode-field-setting-.patch
+scsi-mpt3sas-fix-driver-modifying-persistent-data-in.patch
+scsi-megaraid_sas-fix-msleep-granularity.patch
+scsi-megaraid_sas-fix-goto-labels-in-error-handling.patch
+scsi-lpfc-fcoe-fix-link-down-issue-after-1000-link-b.patch
+scsi-lpfc-fix-odd-recovery-in-duplicate-flogis-in-po.patch
+scsi-lpfc-correct-loss-of-fc4-type-on-remote-port-ad.patch
+usb-typec-tcpm-charge-current-handling-for-sink-duri.patch
+dlm-fix-invalid-free.patch
+dlm-don-t-leak-kernel-pointer-to-userspace.patch
+vrf-mark-skb-for-multicast-or-link-local-as-enslaved.patch
+clk-tegra20-turn-emc-clock-gate-into-divider.patch
+acpica-use-d-for-signed-int-print-formatting-instead.patch
+net-bcmgenet-return-correct-value-ret-from-bcmgenet_.patch
+sock-reset-dst-when-changing-sk_mark-via-setsockopt.patch
+of-unittest-allow-base-devicetree-to-have-symbol-met.patch
+of-unittest-initialize-args-before-calling-of_-parse.patch
+tools-bpftool-pass-an-argument-to-silence-open_obj_p.patch
+cfg80211-prevent-regulatory-restore-during-sta-disco.patch
+pinctrl-qcom-spmi-gpio-fix-gpio-hog-related-boot-iss.patch
+pinctrl-bcm2835-use-define-directive-for-bcm2835_pin.patch
+pinctrl-lpc18xx-use-define-directive-for-pin_config_.patch
+pinctrl-zynq-use-define-directive-for-pin_config_io_.patch
+pci-keystone-use-quirk-to-limit-mrrs-for-k2g.patch
+nvme-pci-fix-surprise-removal.patch
+spi-omap2-mcspi-fix-dma-and-fifo-event-trigger-size-.patch
+i2c-uniphier-f-fix-timeout-error-after-reading-8-byt.patch
+mm-memory_hotplug-do-not-unlock-when-fails-to-take-t.patch
+ipv6-fix-handling-of-lla-with-vrf-and-sockets-bound-.patch
+cfg80211-call-disconnect_wk-when-ap-stops.patch
+mm-page_io.c-do-not-free-shared-swap-slots.patch
--- /dev/null
+From bff1bcd0dcbfdfda92a9ae3faabe90a825614b11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Oct 2018 14:56:14 -0600
+Subject: skd: fixup usage of legacy IO API
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 6d1f9dfde7343c4ebfb8f84dcb333af571bb3b22 ]
+
+We need to be using the mq variant of request requeue here.
+
+Fixes: ca33dd92968b ("skd: Convert to blk-mq")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/skd_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/skd_main.c b/drivers/block/skd_main.c
+index 87b9e7fbf0621..27323fa23997d 100644
+--- a/drivers/block/skd_main.c
++++ b/drivers/block/skd_main.c
+@@ -1416,7 +1416,7 @@ static void skd_resolve_req_exception(struct skd_device *skdev,
+
+ case SKD_CHECK_STATUS_BUSY_IMMINENT:
+ skd_log_skreq(skdev, skreq, "retry(busy)");
+- blk_requeue_request(skdev->queue, req);
++ blk_mq_requeue_request(req, true);
+ dev_info(&skdev->pdev->dev, "drive BUSY imminent\n");
+ skdev->state = SKD_DRVR_STATE_BUSY_IMMINENT;
+ skdev->timer_countdown = SKD_TIMER_MINUTES(20);
+@@ -1426,7 +1426,7 @@ static void skd_resolve_req_exception(struct skd_device *skdev,
+ case SKD_CHECK_STATUS_REQUEUE_REQUEST:
+ if ((unsigned long) ++req->special < SKD_MAX_RETRIES) {
+ skd_log_skreq(skdev, skreq, "retry");
+- blk_requeue_request(skdev->queue, req);
++ blk_mq_requeue_request(req, true);
+ break;
+ }
+ /* fall through */
+--
+2.20.1
+
--- /dev/null
+From de92c81293cfee4bd18f0059d897dabe7c007d39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Sep 2018 12:27:11 -0700
+Subject: soc: bcm: brcmstb: Fix re-entry point with a THUMB2_KERNEL
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit fb14ada11d62fb849fc357a25ef8016ba438ba10 ]
+
+When the kernel is built with CONFIG_THUMB2_KERNEL we would set the
+kernel's resume entry point to be a function that is already built as
+Thumb-2 code while the boot agent doing the resume is in ARM mode, so
+this does not work. There is a header label defined: cpu_resume_arm
+which we can use to do the switching for us.
+
+Fixes: 0b741b8234c8 ("soc: bcm: brcmstb: Add support for S2/S3/S5 suspend states (ARM)")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/bcm/brcmstb/pm/pm-arm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/bcm/brcmstb/pm/pm-arm.c b/drivers/soc/bcm/brcmstb/pm/pm-arm.c
+index a5577dd5eb087..8ee06347447c0 100644
+--- a/drivers/soc/bcm/brcmstb/pm/pm-arm.c
++++ b/drivers/soc/bcm/brcmstb/pm/pm-arm.c
+@@ -404,7 +404,7 @@ noinline int brcmstb_pm_s3_finish(void)
+ {
+ struct brcmstb_s3_params *params = ctrl.s3_params;
+ dma_addr_t params_pa = ctrl.s3_params_pa;
+- phys_addr_t reentry = virt_to_phys(&cpu_resume);
++ phys_addr_t reentry = virt_to_phys(&cpu_resume_arm);
+ enum bsp_initiate_command cmd;
+ u32 flags;
+
+--
+2.20.1
+
--- /dev/null
+From 8a070911f50356de4d5bbafae6e9a2d32740e96f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Nov 2018 08:13:35 -0600
+Subject: sock: Reset dst when changing sk_mark via setsockopt
+
+From: David Barmann <david.barmann@stackpath.com>
+
+[ Upstream commit 50254256f382c56bde87d970f3d0d02fdb76ec70 ]
+
+When setting the SO_MARK socket option, if the mark changes, the dst
+needs to be reset so that a new route lookup is performed.
+
+This fixes the case where an application wants to change routing by
+setting a new sk_mark. If this is done after some packets have already
+been sent, the dst is cached and has no effect.
+
+Signed-off-by: David Barmann <david.barmann@stackpath.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index ba4f843cdd1d1..948fd687292a6 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -951,10 +951,12 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
+ clear_bit(SOCK_PASSSEC, &sock->flags);
+ break;
+ case SO_MARK:
+- if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
++ if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+ ret = -EPERM;
+- else
++ } else if (val != sk->sk_mark) {
+ sk->sk_mark = val;
++ sk_dst_reset(sk);
++ }
+ break;
+
+ case SO_RXQ_OVFL:
+--
+2.20.1
+
--- /dev/null
+From b07e5c0fe0cd8bd7d9ff1405ad56d071b869a0a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Nov 2018 22:37:15 -0800
+Subject: sock_diag: fix autoloading of the raw_diag module
+
+From: Andrei Vagin <avagin@gmail.com>
+
+[ Upstream commit c34c1287778b080ed692c0a46a8e345206cc29e6 ]
+
+IPPROTO_RAW isn't registred as an inet protocol, so
+inet_protos[protocol] is always NULL for it.
+
+Cc: Cyrill Gorcunov <gorcunov@gmail.com>
+Cc: Xin Long <lucien.xin@gmail.com>
+Fixes: bf2ae2e4bf93 ("sock_diag: request _diag module only when the family or proto has been registered")
+Signed-off-by: Andrei Vagin <avagin@gmail.com>
+Reviewed-by: Cyrill Gorcunov <gorcunov@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 6c11078217769..ba4f843cdd1d1 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -3347,6 +3347,7 @@ int sock_load_diag_module(int family, int protocol)
+
+ #ifdef CONFIG_INET
+ if (family == AF_INET &&
++ protocol != IPPROTO_RAW &&
+ !rcu_access_pointer(inet_protos[protocol]))
+ return -ENOENT;
+ #endif
+--
+2.20.1
+
--- /dev/null
+From fa5934885b8897dfc52ad31c8a857f05858a6067 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Oct 2018 10:52:52 -0700
+Subject: sparc: Fix parport build warnings.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit 46b8306480fb424abd525acc1763da1c63a27d8a ]
+
+If PARPORT_PC_FIFO is not enabled, do not provide the dma lock
+macros and lock definition. Otherwise:
+
+./arch/sparc/include/asm/parport.h:24:24: warning: ‘dma_spin_lock’ defined but not used [-Wunused-variable]
+ static DEFINE_SPINLOCK(dma_spin_lock);
+ ^~~~~~~~~~~~~
+./include/linux/spinlock_types.h:81:39: note: in definition of macro ‘DEFINE_SPINLOCK’
+ #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x)
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/include/asm/parport.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/sparc/include/asm/parport.h b/arch/sparc/include/asm/parport.h
+index 05df5f0430535..3c5a1c620f0f7 100644
+--- a/arch/sparc/include/asm/parport.h
++++ b/arch/sparc/include/asm/parport.h
+@@ -21,6 +21,7 @@
+ */
+ #define HAS_DMA
+
++#ifdef CONFIG_PARPORT_PC_FIFO
+ static DEFINE_SPINLOCK(dma_spin_lock);
+
+ #define claim_dma_lock() \
+@@ -31,6 +32,7 @@ static DEFINE_SPINLOCK(dma_spin_lock);
+
+ #define release_dma_lock(__flags) \
+ spin_unlock_irqrestore(&dma_spin_lock, __flags);
++#endif
+
+ static struct sparc_ebus_info {
+ struct ebus_dma_info info;
+--
+2.20.1
+
--- /dev/null
+From 153f8c9b6f44818a37087cc9419c8d29ea0a7426 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Oct 2018 15:39:49 -0700
+Subject: sparc64: Rework xchg() definition to avoid warnings.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit 6c2fc9cddc1ffdef8ada1dc8404e5affae849953 ]
+
+Such as:
+
+fs/ocfs2/file.c: In function ‘ocfs2_file_write_iter’:
+./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value]
+ #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr))))
+
+and
+
+drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c: In function ‘ixgbevf_xdp_setup’:
+./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value]
+ #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr))))
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/include/asm/cmpxchg_64.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/sparc/include/asm/cmpxchg_64.h b/arch/sparc/include/asm/cmpxchg_64.h
+index f71ef3729888f..316faa0130bab 100644
+--- a/arch/sparc/include/asm/cmpxchg_64.h
++++ b/arch/sparc/include/asm/cmpxchg_64.h
+@@ -52,7 +52,12 @@ static inline unsigned long xchg64(__volatile__ unsigned long *m, unsigned long
+ return val;
+ }
+
+-#define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr))))
++#define xchg(ptr,x) \
++({ __typeof__(*(ptr)) __ret; \
++ __ret = (__typeof__(*(ptr))) \
++ __xchg((unsigned long)(x), (ptr), sizeof(*(ptr))); \
++ __ret; \
++})
+
+ void __xchg_called_with_bad_pointer(void);
+
+--
+2.20.1
+
--- /dev/null
+From 839116a693787a060160a2ebb0fab5fd707ac6dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jan 2019 12:28:32 +0530
+Subject: spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch
+
+From: Vignesh R <vigneshr@ti.com>
+
+[ Upstream commit baf8b9f8d260c55a86405f70a384c29cda888476 ]
+
+Commit b682cffa3ac6 ("spi: omap2-mcspi: Set FIFO DMA trigger level to word length")
+broke SPI transfers where bits_per_word != 8. This is because of
+mimsatch between McSPI FIFO level event trigger size (SPI word length) and
+DMA request size(word length * maxburst). This leads to data
+corruption, lockup and errors like:
+
+ spi1.0: EOW timed out
+
+Fix this by setting DMA maxburst size to 1 so that
+McSPI FIFO level event trigger size matches DMA request size.
+
+Fixes: b682cffa3ac6 ("spi: omap2-mcspi: Set FIFO DMA trigger level to word length")
+Cc: stable@vger.kernel.org
+Reported-by: David Lechner <david@lechnology.com>
+Tested-by: David Lechner <david@lechnology.com>
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-omap2-mcspi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c
+index f50cb8a4b4138..eb2d2de172af3 100644
+--- a/drivers/spi/spi-omap2-mcspi.c
++++ b/drivers/spi/spi-omap2-mcspi.c
+@@ -607,8 +607,8 @@ omap2_mcspi_txrx_dma(struct spi_device *spi, struct spi_transfer *xfer)
+ cfg.dst_addr = cs->phys + OMAP2_MCSPI_TX0;
+ cfg.src_addr_width = width;
+ cfg.dst_addr_width = width;
+- cfg.src_maxburst = es;
+- cfg.dst_maxburst = es;
++ cfg.src_maxburst = 1;
++ cfg.dst_maxburst = 1;
+
+ rx = xfer->rx_buf;
+ tx = xfer->tx_buf;
+--
+2.20.1
+
--- /dev/null
+From e46ac8b464e3c04e32ef33c32677351c9c68be6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Oct 2018 12:08:28 +0530
+Subject: spi: omap2-mcspi: Set FIFO DMA trigger level to word length
+
+From: Vignesh R <vigneshr@ti.com>
+
+[ Upstream commit b682cffa3ac6d9d9e16e9b413c45caee3b391fab ]
+
+McSPI has 32 byte FIFO in Transmit-Receive mode. Current code tries to
+configuration FIFO watermark level for DMA trigger to be GCD of transfer
+length and max FIFO size which would mean trigger level may be set to 32
+for transmit-receive mode if length is aligned. This does not work in
+case of SPI slave mode where FIFO always needs to have data ready
+whenever master starts the clock. With DMA trigger size of 32 there will
+be a small window during slave TX where DMA is still putting data into
+FIFO but master would have started clock for next byte, resulting in
+shifting out of stale data. Similarly, on Slave RX side there may be RX
+FIFO overflow
+Fix this by setting FIFO watermark for DMA trigger to word
+length. This means DMA is triggered as soon as FIFO has space for word
+length bytes and DMA would make sure FIFO is almost always full
+therefore improving FIFO occupancy in both master and slave mode.
+
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-omap2-mcspi.c | 26 +++++++-------------------
+ 1 file changed, 7 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c
+index e2be7da743438..f50cb8a4b4138 100644
+--- a/drivers/spi/spi-omap2-mcspi.c
++++ b/drivers/spi/spi-omap2-mcspi.c
+@@ -299,7 +299,7 @@ static void omap2_mcspi_set_fifo(const struct spi_device *spi,
+ struct omap2_mcspi_cs *cs = spi->controller_state;
+ struct omap2_mcspi *mcspi;
+ unsigned int wcnt;
+- int max_fifo_depth, fifo_depth, bytes_per_word;
++ int max_fifo_depth, bytes_per_word;
+ u32 chconf, xferlevel;
+
+ mcspi = spi_master_get_devdata(master);
+@@ -315,10 +315,6 @@ static void omap2_mcspi_set_fifo(const struct spi_device *spi,
+ else
+ max_fifo_depth = OMAP2_MCSPI_MAX_FIFODEPTH;
+
+- fifo_depth = gcd(t->len, max_fifo_depth);
+- if (fifo_depth < 2 || fifo_depth % bytes_per_word != 0)
+- goto disable_fifo;
+-
+ wcnt = t->len / bytes_per_word;
+ if (wcnt > OMAP2_MCSPI_MAX_FIFOWCNT)
+ goto disable_fifo;
+@@ -326,16 +322,17 @@ static void omap2_mcspi_set_fifo(const struct spi_device *spi,
+ xferlevel = wcnt << 16;
+ if (t->rx_buf != NULL) {
+ chconf |= OMAP2_MCSPI_CHCONF_FFER;
+- xferlevel |= (fifo_depth - 1) << 8;
++ xferlevel |= (bytes_per_word - 1) << 8;
+ }
++
+ if (t->tx_buf != NULL) {
+ chconf |= OMAP2_MCSPI_CHCONF_FFET;
+- xferlevel |= fifo_depth - 1;
++ xferlevel |= bytes_per_word - 1;
+ }
+
+ mcspi_write_reg(master, OMAP2_MCSPI_XFERLEVEL, xferlevel);
+ mcspi_write_chconf0(spi, chconf);
+- mcspi->fifo_depth = fifo_depth;
++ mcspi->fifo_depth = max_fifo_depth;
+
+ return;
+ }
+@@ -585,7 +582,6 @@ omap2_mcspi_txrx_dma(struct spi_device *spi, struct spi_transfer *xfer)
+ struct dma_slave_config cfg;
+ enum dma_slave_buswidth width;
+ unsigned es;
+- u32 burst;
+ void __iomem *chstat_reg;
+ void __iomem *irqstat_reg;
+ int wait_res;
+@@ -605,22 +601,14 @@ omap2_mcspi_txrx_dma(struct spi_device *spi, struct spi_transfer *xfer)
+ }
+
+ count = xfer->len;
+- burst = 1;
+-
+- if (mcspi->fifo_depth > 0) {
+- if (count > mcspi->fifo_depth)
+- burst = mcspi->fifo_depth / es;
+- else
+- burst = count / es;
+- }
+
+ memset(&cfg, 0, sizeof(cfg));
+ cfg.src_addr = cs->phys + OMAP2_MCSPI_RX0;
+ cfg.dst_addr = cs->phys + OMAP2_MCSPI_TX0;
+ cfg.src_addr_width = width;
+ cfg.dst_addr_width = width;
+- cfg.src_maxburst = burst;
+- cfg.dst_maxburst = burst;
++ cfg.src_maxburst = es;
++ cfg.dst_maxburst = es;
+
+ rx = xfer->rx_buf;
+ tx = xfer->tx_buf;
+--
+2.20.1
+
--- /dev/null
+From 5bd4378601fc90abd3b46de2ce152e94d46db397 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Oct 2018 22:48:22 +0300
+Subject: spi: sh-msiof: fix deferred probing
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit f34c6e6257aa477cdfe7e9bbbecd3c5648ecda69 ]
+
+Since commit 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+platform_get_irq() can return -EPROBE_DEFER. However, the driver overrides
+an error returned by that function with -ENOENT which breaks the deferred
+probing. Propagate upstream an error code returned by platform_get_irq()
+and remove the bogus "platform" from the error message, while at it...
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-sh-msiof.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-sh-msiof.c b/drivers/spi/spi-sh-msiof.c
+index 101cd6aae2ea5..30ea0a2068e09 100644
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -1343,8 +1343,8 @@ static int sh_msiof_spi_probe(struct platform_device *pdev)
+
+ i = platform_get_irq(pdev, 0);
+ if (i < 0) {
+- dev_err(&pdev->dev, "cannot get platform IRQ\n");
+- ret = -ENOENT;
++ dev_err(&pdev->dev, "cannot get IRQ\n");
++ ret = i;
+ goto err1;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 3325b3c316d35652e09c4bc75c4f6a3b5cffe3f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Oct 2018 18:34:29 +0900
+Subject: spi: uniphier: fix incorrect property items
+
+From: Keiji Hayashibara <hayashibara.keiji@socionext.com>
+
+[ Upstream commit 3511ba7d4ca6f39e2d060bb94e42a41ad1fee7bf ]
+
+This commit fixes incorrect property because it was different
+from the actual.
+The parameters of '#address-cells' and '#size-cells' were removed,
+and 'interrupts', 'pinctrl-names' and 'pinctrl-0' were added.
+
+Fixes: 4dcd5c2781f3 ("spi: add DT bindings for UniPhier SPI controller")
+Signed-off-by: Keiji Hayashibara <hayashibara.keiji@socionext.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../devicetree/bindings/spi/spi-uniphier.txt | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/spi/spi-uniphier.txt b/Documentation/devicetree/bindings/spi/spi-uniphier.txt
+index 504a4ecfc7b16..b04e66a52de5d 100644
+--- a/Documentation/devicetree/bindings/spi/spi-uniphier.txt
++++ b/Documentation/devicetree/bindings/spi/spi-uniphier.txt
+@@ -5,18 +5,20 @@ UniPhier SoCs have SCSSI which supports SPI single channel.
+ Required properties:
+ - compatible: should be "socionext,uniphier-scssi"
+ - reg: address and length of the spi master registers
+- - #address-cells: must be <1>, see spi-bus.txt
+- - #size-cells: must be <0>, see spi-bus.txt
+- - clocks: A phandle to the clock for the device.
+- - resets: A phandle to the reset control for the device.
++ - interrupts: a single interrupt specifier
++ - pinctrl-names: should be "default"
++ - pinctrl-0: pin control state for the default mode
++ - clocks: a phandle to the clock for the device
++ - resets: a phandle to the reset control for the device
+
+ Example:
+
+ spi0: spi@54006000 {
+ compatible = "socionext,uniphier-scssi";
+ reg = <0x54006000 0x100>;
+- #address-cells = <1>;
+- #size-cells = <0>;
++ interrupts = <0 39 4>;
++ pinctrl-names = "default";
++ pinctrl-0 = <&pinctrl_spi0>;
+ clocks = <&peri_clk 11>;
+ resets = <&peri_rst 11>;
+ };
+--
+2.20.1
+
--- /dev/null
+From f30f16157943334b0e6d7e5692ae5fcd7739f1f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Oct 2018 17:03:56 -0400
+Subject: SUNRPC: Fix a compile warning for cmpxchg64()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit e732f4485a150492b286f3efc06f9b34dd6b9995 ]
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/auth_gss/gss_krb5_seal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c
+index eaad9bc7a0bdc..e1f0571843c8c 100644
+--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
++++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
+@@ -63,6 +63,7 @@
+ #include <linux/sunrpc/gss_krb5.h>
+ #include <linux/random.h>
+ #include <linux/crypto.h>
++#include <linux/atomic.h>
+
+ #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
+ # define RPCDBG_FACILITY RPCDBG_AUTH
+--
+2.20.1
+
--- /dev/null
+From 5bbb7c0fe1b98317618016bfef65d44d87221cad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Oct 2018 15:27:02 -0400
+Subject: sunrpc: safely reallow resvport min/max inversion
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+[ Upstream commit 826799e66e8683e5698e140bb9ef69afc8c0014e ]
+
+Commits ffb6ca33b04b and e08ea3a96fc7 prevent setting xprt_min_resvport
+greater than xprt_max_resvport, but may also break simple code that sets
+one parameter then the other, if the new range does not overlap the old.
+
+Also it looks racy to me, unless there's some serialization I'm not
+seeing. Granted it would probably require malicious privileged processes
+(unless there's a chance these might eventually be settable in unprivileged
+containers), but still it seems better not to let userspace panic the
+kernel.
+
+Simpler seems to be to allow setting the parameters to whatever you want
+but interpret xprt_min_resvport > xprt_max_resvport as the empty range.
+
+Fixes: ffb6ca33b04b "sunrpc: Prevent resvport min/max inversion..."
+Fixes: e08ea3a96fc7 "sunrpc: Prevent rexvport min/max inversion..."
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/xprtsock.c | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
+index c0d7875a64ffc..9dc059dea689d 100644
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -129,7 +129,7 @@ static struct ctl_table xs_tunables_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &xprt_min_resvport_limit,
+- .extra2 = &xprt_max_resvport
++ .extra2 = &xprt_max_resvport_limit
+ },
+ {
+ .procname = "max_resvport",
+@@ -137,7 +137,7 @@ static struct ctl_table xs_tunables_table[] = {
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+- .extra1 = &xprt_min_resvport,
++ .extra1 = &xprt_min_resvport_limit,
+ .extra2 = &xprt_max_resvport_limit
+ },
+ {
+@@ -1776,11 +1776,17 @@ static void xs_udp_timer(struct rpc_xprt *xprt, struct rpc_task *task)
+ spin_unlock_bh(&xprt->transport_lock);
+ }
+
+-static unsigned short xs_get_random_port(void)
++static int xs_get_random_port(void)
+ {
+- unsigned short range = xprt_max_resvport - xprt_min_resvport + 1;
+- unsigned short rand = (unsigned short) prandom_u32() % range;
+- return rand + xprt_min_resvport;
++ unsigned short min = xprt_min_resvport, max = xprt_max_resvport;
++ unsigned short range;
++ unsigned short rand;
++
++ if (max < min)
++ return -EADDRINUSE;
++ range = max - min + 1;
++ rand = (unsigned short) prandom_u32() % range;
++ return rand + min;
+ }
+
+ /**
+@@ -1836,9 +1842,9 @@ static void xs_set_srcport(struct sock_xprt *transport, struct socket *sock)
+ transport->srcport = xs_sock_getport(sock);
+ }
+
+-static unsigned short xs_get_srcport(struct sock_xprt *transport)
++static int xs_get_srcport(struct sock_xprt *transport)
+ {
+- unsigned short port = transport->srcport;
++ int port = transport->srcport;
+
+ if (port == 0 && transport->xprt.resvport)
+ port = xs_get_random_port();
+@@ -1859,7 +1865,7 @@ static int xs_bind(struct sock_xprt *transport, struct socket *sock)
+ {
+ struct sockaddr_storage myaddr;
+ int err, nloop = 0;
+- unsigned short port = xs_get_srcport(transport);
++ int port = xs_get_srcport(transport);
+ unsigned short last;
+
+ /*
+@@ -1877,8 +1883,8 @@ static int xs_bind(struct sock_xprt *transport, struct socket *sock)
+ * transport->xprt.resvport == 1) xs_get_srcport above will
+ * ensure that port is non-zero and we will bind as needed.
+ */
+- if (port == 0)
+- return 0;
++ if (port <= 0)
++ return port;
+
+ memcpy(&myaddr, &transport->srcaddr, transport->xprt.addrlen);
+ do {
+@@ -3319,12 +3325,8 @@ static int param_set_uint_minmax(const char *val,
+
+ static int param_set_portnr(const char *val, const struct kernel_param *kp)
+ {
+- if (kp->arg == &xprt_min_resvport)
+- return param_set_uint_minmax(val, kp,
+- RPC_MIN_RESVPORT,
+- xprt_max_resvport);
+ return param_set_uint_minmax(val, kp,
+- xprt_min_resvport,
++ RPC_MIN_RESVPORT,
+ RPC_MAX_RESVPORT);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 06b4773e0db0a9bbe293d16b4f8a760a05a788d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Apr 2018 10:38:08 +0200
+Subject: swiotlb: do not panic on mapping failures
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 8088546832aa2c0d8f99dd56edf6384f8a9b63b3 ]
+
+All properly written drivers now have error handling in the
+dma_map_single / dma_map_page callers. As swiotlb_tbl_map_single already
+prints a useful warning when running out of swiotlb pool space we can
+also remove swiotlb_full entirely as it serves no purpose now.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/dma/swiotlb.c | 33 +--------------------------------
+ 1 file changed, 1 insertion(+), 32 deletions(-)
+
+diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c
+index 4f8a6dbf0b609..2a8c41f12d450 100644
+--- a/kernel/dma/swiotlb.c
++++ b/kernel/dma/swiotlb.c
+@@ -761,34 +761,6 @@ static bool swiotlb_free_buffer(struct device *dev, size_t size,
+ return true;
+ }
+
+-static void
+-swiotlb_full(struct device *dev, size_t size, enum dma_data_direction dir,
+- int do_panic)
+-{
+- if (swiotlb_force == SWIOTLB_NO_FORCE)
+- return;
+-
+- /*
+- * Ran out of IOMMU space for this operation. This is very bad.
+- * Unfortunately the drivers cannot handle this operation properly.
+- * unless they check for dma_mapping_error (most don't)
+- * When the mapping is small enough return a static buffer to limit
+- * the damage, or panic when the transfer is too big.
+- */
+- dev_err_ratelimited(dev, "DMA: Out of SW-IOMMU space for %zu bytes\n",
+- size);
+-
+- if (size <= io_tlb_overflow || !do_panic)
+- return;
+-
+- if (dir == DMA_BIDIRECTIONAL)
+- panic("DMA: Random memory could be DMA accessed\n");
+- if (dir == DMA_FROM_DEVICE)
+- panic("DMA: Random memory could be DMA written\n");
+- if (dir == DMA_TO_DEVICE)
+- panic("DMA: Random memory could be DMA read\n");
+-}
+-
+ /*
+ * Map a single buffer of the indicated size for DMA in streaming mode. The
+ * physical address to use is returned.
+@@ -817,10 +789,8 @@ dma_addr_t swiotlb_map_page(struct device *dev, struct page *page,
+
+ /* Oh well, have to allocate and map a bounce buffer. */
+ map = map_single(dev, phys, size, dir, attrs);
+- if (map == SWIOTLB_MAP_ERROR) {
+- swiotlb_full(dev, size, dir, 1);
++ if (map == SWIOTLB_MAP_ERROR)
+ return __phys_to_dma(dev, io_tlb_overflow_buffer);
+- }
+
+ dev_addr = __phys_to_dma(dev, map);
+
+@@ -954,7 +924,6 @@ swiotlb_map_sg_attrs(struct device *hwdev, struct scatterlist *sgl, int nelems,
+ if (map == SWIOTLB_MAP_ERROR) {
+ /* Don't panic here, we expect map_sg users
+ to do proper error handling. */
+- swiotlb_full(hwdev, sg->length, dir, 0);
+ attrs |= DMA_ATTR_SKIP_CPU_SYNC;
+ swiotlb_unmap_sg_attrs(hwdev, sgl, i, dir,
+ attrs);
+--
+2.20.1
+
--- /dev/null
+From 6d6da81b0aca17a2d372dfc0d28799cf39e2dbad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Sep 2018 20:57:18 -0400
+Subject: synclink_gt(): fix compat_ioctl()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 27230e51349fde075598c1b59d15e1ff802f3f6e ]
+
+compat_ptr() for pointer-taking ones...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/synclink_gt.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c
+index a94086597ebd6..b88ecf102764e 100644
+--- a/drivers/tty/synclink_gt.c
++++ b/drivers/tty/synclink_gt.c
+@@ -1186,14 +1186,13 @@ static long slgt_compat_ioctl(struct tty_struct *tty,
+ unsigned int cmd, unsigned long arg)
+ {
+ struct slgt_info *info = tty->driver_data;
+- int rc = -ENOIOCTLCMD;
++ int rc;
+
+ if (sanity_check(info, tty->name, "compat_ioctl"))
+ return -ENODEV;
+ DBGINFO(("%s compat_ioctl() cmd=%08X\n", info->device_name, cmd));
+
+ switch (cmd) {
+-
+ case MGSL_IOCSPARAMS32:
+ rc = set_params32(info, compat_ptr(arg));
+ break;
+@@ -1213,18 +1212,11 @@ static long slgt_compat_ioctl(struct tty_struct *tty,
+ case MGSL_IOCWAITGPIO:
+ case MGSL_IOCGXSYNC:
+ case MGSL_IOCGXCTRL:
+- case MGSL_IOCSTXIDLE:
+- case MGSL_IOCTXENABLE:
+- case MGSL_IOCRXENABLE:
+- case MGSL_IOCTXABORT:
+- case TIOCMIWAIT:
+- case MGSL_IOCSIF:
+- case MGSL_IOCSXSYNC:
+- case MGSL_IOCSXCTRL:
+- rc = ioctl(tty, cmd, arg);
++ rc = ioctl(tty, cmd, (unsigned long)compat_ptr(arg));
+ break;
++ default:
++ rc = ioctl(tty, cmd, arg);
+ }
+-
+ DBGINFO(("%s compat_ioctl() cmd=%08X rc=%d\n", info->device_name, cmd, rc));
+ return rc;
+ }
+--
+2.20.1
+
--- /dev/null
+From a3e4b346a68dd361a860fbb753bb1ceeb08e4701 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Sep 2018 13:35:00 +0300
+Subject: thermal: armada: fix a test in probe()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit d1d2c290b3c04b65fa6132eeebe50a070746d8f6 ]
+
+The platform_get_resource() function doesn't return error pointers, it
+returns NULL on error.
+
+Fixes: 3d4e51844a4e ("thermal: armada: convert driver to syscon register accesses")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/armada_thermal.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/thermal/armada_thermal.c b/drivers/thermal/armada_thermal.c
+index e16b3cb1808c5..1c9830b2c84da 100644
+--- a/drivers/thermal/armada_thermal.c
++++ b/drivers/thermal/armada_thermal.c
+@@ -526,8 +526,8 @@ static int armada_thermal_probe_legacy(struct platform_device *pdev,
+
+ /* First memory region points towards the status register */
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- if (IS_ERR(res))
+- return PTR_ERR(res);
++ if (!res)
++ return -EIO;
+
+ /*
+ * Edit the resource start address and length to map over all the
+--
+2.20.1
+
--- /dev/null
+From 6b2ce9d99636523227a34bf6acb6184a521f22d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Oct 2018 23:47:34 +0300
+Subject: thermal: rcar_thermal: fix duplicate IRQ request
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit df016bbba63743bbef9ff5c6c282561211dd72cc ]
+
+The driver on R8A77995 requests the same IRQ twice since
+platform_get_resource() is always called for the 1st IRQ resource.
+
+Fixes: 1969d9dc2079 ("thermal: rcar_thermal: add r8a77995 support")
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Reviewed-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/rcar_thermal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/rcar_thermal.c b/drivers/thermal/rcar_thermal.c
+index 8df2ce94c28d8..edaa4058686b7 100644
+--- a/drivers/thermal/rcar_thermal.c
++++ b/drivers/thermal/rcar_thermal.c
+@@ -493,7 +493,7 @@ static int rcar_thermal_probe(struct platform_device *pdev)
+ pm_runtime_get_sync(dev);
+
+ for (i = 0; i < chip->nirqs; i++) {
+- irq = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
++ irq = platform_get_resource(pdev, IORESOURCE_IRQ, i);
+ if (!irq)
+ continue;
+ if (!common->base) {
+--
+2.20.1
+
--- /dev/null
+From 76223ab43bfda107a5ab2dce21d96132138a9f20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Oct 2018 09:20:15 +0200
+Subject: thermal: rcar_thermal: Prevent hardware access during system suspend
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 3a31386217628ffe2491695be2db933c25dde785 ]
+
+On r8a7791/koelsch, sometimes the following message is printed during
+system suspend:
+
+ rcar_thermal e61f0000.thermal: thermal sensor was broken
+
+This happens if the workqueue runs while the device is already
+suspended. Fix this by using the freezable system workqueue instead,
+cfr. commit 51e20d0e3a60cf46 ("thermal: Prevent polling from happening
+during system suspend").
+
+Fixes: e0a5172e9eec7f0d ("thermal: rcar: add interrupt support")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/rcar_thermal.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/thermal/rcar_thermal.c b/drivers/thermal/rcar_thermal.c
+index edaa4058686b7..4dc30e7890f6c 100644
+--- a/drivers/thermal/rcar_thermal.c
++++ b/drivers/thermal/rcar_thermal.c
+@@ -434,8 +434,8 @@ static irqreturn_t rcar_thermal_irq(int irq, void *data)
+ rcar_thermal_for_each_priv(priv, common) {
+ if (rcar_thermal_had_changed(priv, status)) {
+ rcar_thermal_irq_disable(priv);
+- schedule_delayed_work(&priv->work,
+- msecs_to_jiffies(300));
++ queue_delayed_work(system_freezable_wq, &priv->work,
++ msecs_to_jiffies(300));
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From df2958c0f54285c8ca29757eba5c20d7c6424c77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Oct 2018 23:01:50 +0100
+Subject: tools: bpftool: fix completion for "bpftool map update"
+
+From: Quentin Monnet <quentin.monnet@netronome.com>
+
+[ Upstream commit fe8ecccc10b3adc071de05ca7af728ca1a4ac9aa ]
+
+When trying to complete "bpftool map update" commands, the call to
+printf would print an error message that would show on the command line
+if no map is found to complete the command line.
+
+Fix it by making sure we have map ids to complete the line with, before
+we try to print something.
+
+Signed-off-by: Quentin Monnet <quentin.monnet@netronome.com>
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/bash-completion/bpftool | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/bpf/bpftool/bash-completion/bpftool b/tools/bpf/bpftool/bash-completion/bpftool
+index 598066c401912..c2b6b2176f3b7 100644
+--- a/tools/bpf/bpftool/bash-completion/bpftool
++++ b/tools/bpf/bpftool/bash-completion/bpftool
+@@ -143,7 +143,7 @@ _bpftool_map_update_map_type()
+ local type
+ type=$(bpftool -jp map show $keyword $ref | \
+ command sed -n 's/.*"type": "\(.*\)",$/\1/p')
+- printf $type
++ [[ -n $type ]] && printf $type
+ }
+
+ _bpftool_map_update_get_id()
+--
+2.20.1
+
--- /dev/null
+From 155ea8a70c704c732814dd13a6bbe1ea708a48a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Nov 2018 11:52:27 +0000
+Subject: tools: bpftool: pass an argument to silence open_obj_pinned()
+
+From: Quentin Monnet <quentin.monnet@netronome.com>
+
+[ Upstream commit f120919f9905a2cad9dea792a28a11fb623f72c1 ]
+
+Function open_obj_pinned() prints error messages when it fails to open a
+link in the BPF virtual file system. However, in some occasions it is
+not desirable to print an error, for example when we parse all links
+under the bpffs root, and the error is due to some paths actually being
+symbolic links.
+
+Example output:
+
+ # ls -l /sys/fs/bpf/
+ lrwxrwxrwx 1 root root 0 Oct 18 19:00 ip -> /sys/fs/bpf/tc/
+ drwx------ 3 root root 0 Oct 18 19:00 tc
+ lrwxrwxrwx 1 root root 0 Oct 18 19:00 xdp -> /sys/fs/bpf/tc/
+
+ # bpftool --bpffs prog show
+ Error: bpf obj get (/sys/fs/bpf): Permission denied
+ Error: bpf obj get (/sys/fs/bpf): Permission denied
+
+ # strace -e bpf bpftool --bpffs prog show
+ bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/ip", bpf_fd=0}, 72) = -1 EACCES (Permission denied)
+ Error: bpf obj get (/sys/fs/bpf): Permission denied
+ bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/xdp", bpf_fd=0}, 72) = -1 EACCES (Permission denied)
+ Error: bpf obj get (/sys/fs/bpf): Permission denied
+ ...
+
+To fix it, pass a bool as a second argument to the function, and prevent
+it from printing an error when the argument is set to true.
+
+Signed-off-by: Quentin Monnet <quentin.monnet@netronome.com>
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/common.c | 15 ++++++++-------
+ tools/bpf/bpftool/main.h | 2 +-
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c
+index be7aebff0c1e5..158469f57461d 100644
+--- a/tools/bpf/bpftool/common.c
++++ b/tools/bpf/bpftool/common.c
+@@ -130,16 +130,17 @@ static int mnt_bpffs(const char *target, char *buff, size_t bufflen)
+ return 0;
+ }
+
+-int open_obj_pinned(char *path)
++int open_obj_pinned(char *path, bool quiet)
+ {
+ int fd;
+
+ fd = bpf_obj_get(path);
+ if (fd < 0) {
+- p_err("bpf obj get (%s): %s", path,
+- errno == EACCES && !is_bpffs(dirname(path)) ?
+- "directory not in bpf file system (bpffs)" :
+- strerror(errno));
++ if (!quiet)
++ p_err("bpf obj get (%s): %s", path,
++ errno == EACCES && !is_bpffs(dirname(path)) ?
++ "directory not in bpf file system (bpffs)" :
++ strerror(errno));
+ return -1;
+ }
+
+@@ -151,7 +152,7 @@ int open_obj_pinned_any(char *path, enum bpf_obj_type exp_type)
+ enum bpf_obj_type type;
+ int fd;
+
+- fd = open_obj_pinned(path);
++ fd = open_obj_pinned(path, false);
+ if (fd < 0)
+ return -1;
+
+@@ -384,7 +385,7 @@ int build_pinned_obj_table(struct pinned_obj_table *tab,
+ while ((ftse = fts_read(fts))) {
+ if (!(ftse->fts_info & FTS_F))
+ continue;
+- fd = open_obj_pinned(ftse->fts_path);
++ fd = open_obj_pinned(ftse->fts_path, true);
+ if (fd < 0)
+ continue;
+
+diff --git a/tools/bpf/bpftool/main.h b/tools/bpf/bpftool/main.h
+index 238e734d75b3e..057a227bdb9f9 100644
+--- a/tools/bpf/bpftool/main.h
++++ b/tools/bpf/bpftool/main.h
+@@ -126,7 +126,7 @@ int cmd_select(const struct cmd *cmds, int argc, char **argv,
+ int get_fd_type(int fd);
+ const char *get_fd_type_name(enum bpf_obj_type type);
+ char *get_fdinfo(int fd, const char *key);
+-int open_obj_pinned(char *path);
++int open_obj_pinned(char *path, bool quiet);
+ int open_obj_pinned_any(char *path, enum bpf_obj_type exp_type);
+ int do_pin_any(int argc, char **argv, int (*get_fd_by_id)(__u32));
+ int do_pin_fd(int fd, const char *name);
+--
+2.20.1
+
--- /dev/null
+From 1a8a01fe2bc9bac3bf376820a3e4bac2d64f028d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Aug 2018 20:22:28 -0400
+Subject: tools/power turbosat: fix AMD APIC-id output
+
+From: Len Brown <len.brown@intel.com>
+
+[ Upstream commit 3404155190ce09a1e5d8407e968fc19aac4493e3 ]
+
+turbostat recently gained a feature adding APIC and X2APIC columns.
+While they are disabled by-default, they are enabled with --debug
+or when explicitly requested, eg.
+
+$ sudo turbostat --quiet --show Package,Node,Core,CPU,APIC,X2APIC date
+
+But these columns erroneously showed zeros on AMD hardware.
+This patch corrects the APIC and X2APIC [sic] columns on AMD.
+
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 93 +++++++++++++++++----------
+ 1 file changed, 60 insertions(+), 33 deletions(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 823bbc741ad7a..02d123871ef95 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -1,6 +1,6 @@
+ /*
+ * turbostat -- show CPU frequency and C-state residency
+- * on modern Intel turbo-capable processors.
++ * on modern Intel and AMD processors.
+ *
+ * Copyright (c) 2013 Intel Corporation.
+ * Len Brown <len.brown@intel.com>
+@@ -71,6 +71,8 @@ unsigned int do_irtl_snb;
+ unsigned int do_irtl_hsw;
+ unsigned int units = 1000000; /* MHz etc */
+ unsigned int genuine_intel;
++unsigned int authentic_amd;
++unsigned int max_level, max_extended_level;
+ unsigned int has_invariant_tsc;
+ unsigned int do_nhm_platform_info;
+ unsigned int no_MSR_MISC_PWR_MGMT;
+@@ -1667,30 +1669,51 @@ int get_mp(int cpu, struct msr_counter *mp, unsigned long long *counterp)
+
+ void get_apic_id(struct thread_data *t)
+ {
+- unsigned int eax, ebx, ecx, edx, max_level;
++ unsigned int eax, ebx, ecx, edx;
+
+- eax = ebx = ecx = edx = 0;
++ if (DO_BIC(BIC_APIC)) {
++ eax = ebx = ecx = edx = 0;
++ __cpuid(1, eax, ebx, ecx, edx);
+
+- if (!genuine_intel)
++ t->apic_id = (ebx >> 24) & 0xff;
++ }
++
++ if (!DO_BIC(BIC_X2APIC))
+ return;
+
+- __cpuid(0, max_level, ebx, ecx, edx);
++ if (authentic_amd) {
++ unsigned int topology_extensions;
+
+- __cpuid(1, eax, ebx, ecx, edx);
+- t->apic_id = (ebx >> 24) & 0xf;
++ if (max_extended_level < 0x8000001e)
++ return;
+
+- if (max_level < 0xb)
++ eax = ebx = ecx = edx = 0;
++ __cpuid(0x80000001, eax, ebx, ecx, edx);
++ topology_extensions = ecx & (1 << 22);
++
++ if (topology_extensions == 0)
++ return;
++
++ eax = ebx = ecx = edx = 0;
++ __cpuid(0x8000001e, eax, ebx, ecx, edx);
++
++ t->x2apic_id = eax;
+ return;
++ }
+
+- if (!DO_BIC(BIC_X2APIC))
++ if (!genuine_intel)
++ return;
++
++ if (max_level < 0xb)
+ return;
+
+ ecx = 0;
+ __cpuid(0xb, eax, ebx, ecx, edx);
+ t->x2apic_id = edx;
+
+- if (debug && (t->apic_id != t->x2apic_id))
+- fprintf(outf, "cpu%d: apic 0x%x x2apic 0x%x\n", t->cpu_id, t->apic_id, t->x2apic_id);
++ if (debug && (t->apic_id != (t->x2apic_id & 0xff)))
++ fprintf(outf, "cpu%d: BIOS BUG: apic 0x%x x2apic 0x%x\n",
++ t->cpu_id, t->apic_id, t->x2apic_id);
+ }
+
+ /*
+@@ -4439,16 +4462,18 @@ void decode_c6_demotion_policy_msr(void)
+
+ void process_cpuid()
+ {
+- unsigned int eax, ebx, ecx, edx, max_level, max_extended_level;
+- unsigned int fms, family, model, stepping;
++ unsigned int eax, ebx, ecx, edx;
++ unsigned int fms, family, model, stepping, ecx_flags, edx_flags;
+ unsigned int has_turbo;
+
+ eax = ebx = ecx = edx = 0;
+
+ __cpuid(0, max_level, ebx, ecx, edx);
+
+- if (ebx == 0x756e6547 && edx == 0x49656e69 && ecx == 0x6c65746e)
++ if (ebx == 0x756e6547 && ecx == 0x6c65746e && edx == 0x49656e69)
+ genuine_intel = 1;
++ else if (ebx == 0x68747541 && ecx == 0x444d4163 && edx == 0x69746e65)
++ authentic_amd = 1;
+
+ if (!quiet)
+ fprintf(outf, "CPUID(0): %.4s%.4s%.4s ",
+@@ -4462,25 +4487,8 @@ void process_cpuid()
+ family += (fms >> 20) & 0xff;
+ if (family >= 6)
+ model += ((fms >> 16) & 0xf) << 4;
+-
+- if (!quiet) {
+- fprintf(outf, "%d CPUID levels; family:model:stepping 0x%x:%x:%x (%d:%d:%d)\n",
+- max_level, family, model, stepping, family, model, stepping);
+- fprintf(outf, "CPUID(1): %s %s %s %s %s %s %s %s %s %s\n",
+- ecx & (1 << 0) ? "SSE3" : "-",
+- ecx & (1 << 3) ? "MONITOR" : "-",
+- ecx & (1 << 6) ? "SMX" : "-",
+- ecx & (1 << 7) ? "EIST" : "-",
+- ecx & (1 << 8) ? "TM2" : "-",
+- edx & (1 << 4) ? "TSC" : "-",
+- edx & (1 << 5) ? "MSR" : "-",
+- edx & (1 << 22) ? "ACPI-TM" : "-",
+- edx & (1 << 28) ? "HT" : "-",
+- edx & (1 << 29) ? "TM" : "-");
+- }
+-
+- if (!(edx & (1 << 5)))
+- errx(1, "CPUID: no MSR");
++ ecx_flags = ecx;
++ edx_flags = edx;
+
+ /*
+ * check max extended function levels of CPUID.
+@@ -4490,6 +4498,25 @@ void process_cpuid()
+ ebx = ecx = edx = 0;
+ __cpuid(0x80000000, max_extended_level, ebx, ecx, edx);
+
++ if (!quiet) {
++ fprintf(outf, "0x%x CPUID levels; 0x%x xlevels; family:model:stepping 0x%x:%x:%x (%d:%d:%d)\n",
++ max_level, max_extended_level, family, model, stepping, family, model, stepping);
++ fprintf(outf, "CPUID(1): %s %s %s %s %s %s %s %s %s %s\n",
++ ecx_flags & (1 << 0) ? "SSE3" : "-",
++ ecx_flags & (1 << 3) ? "MONITOR" : "-",
++ ecx_flags & (1 << 6) ? "SMX" : "-",
++ ecx_flags & (1 << 7) ? "EIST" : "-",
++ ecx_flags & (1 << 8) ? "TM2" : "-",
++ edx_flags & (1 << 4) ? "TSC" : "-",
++ edx_flags & (1 << 5) ? "MSR" : "-",
++ edx_flags & (1 << 22) ? "ACPI-TM" : "-",
++ edx_flags & (1 << 28) ? "HT" : "-",
++ edx_flags & (1 << 29) ? "TM" : "-");
++ }
++
++ if (!(edx_flags & (1 << 5)))
++ errx(1, "CPUID: no MSR");
++
+ if (max_extended_level >= 0x80000007) {
+
+ /*
+--
+2.20.1
+
--- /dev/null
+From 57bc0dcf1843fc140f9b11627020ddb9e892f8e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Oct 2018 15:09:59 -0700
+Subject: tools/testing/selftests/vm/gup_benchmark.c: fix 'write' flag usage
+
+From: Keith Busch <keith.busch@intel.com>
+
+[ Upstream commit 319e0bec1aecb36c5ac6d23812af487ff2c8f47f ]
+
+If the '-w' parameter was provided, the benchmark would exit due to a
+mssing 'break'.
+
+Link: http://lkml.kernel.org/r/20181010195605.10689-3-keith.busch@intel.com
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vm/gup_benchmark.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/vm/gup_benchmark.c b/tools/testing/selftests/vm/gup_benchmark.c
+index 9601bc24454d9..17da711f26afb 100644
+--- a/tools/testing/selftests/vm/gup_benchmark.c
++++ b/tools/testing/selftests/vm/gup_benchmark.c
+@@ -51,6 +51,7 @@ int main(int argc, char **argv)
+ break;
+ case 'w':
+ write = 1;
++ break;
+ default:
+ return -1;
+ }
+--
+2.20.1
+
--- /dev/null
+From 30fbb2062d18d7c839fb521cb2d11c7d844f4a97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Sep 2018 08:47:13 +0100
+Subject: um: Make line/tty semantics use true write IRQ
+
+From: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+
+[ Upstream commit 917e2fd2c53eb3c4162f5397555cbd394390d4bc ]
+
+This fixes a long standing bug where large amounts of output
+could freeze the tty (most commonly seen on stdio console).
+While the bug has always been there it became more pronounced
+after moving to the new interrupt controller.
+
+The line semantics are now changed to have true IRQ write
+semantics which should further improve the tty/line subsystem
+stability and performance
+
+Signed-off-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/line.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c
+index 8d80b27502e6a..7e524efed5848 100644
+--- a/arch/um/drivers/line.c
++++ b/arch/um/drivers/line.c
+@@ -261,7 +261,7 @@ static irqreturn_t line_write_interrupt(int irq, void *data)
+ if (err == 0) {
+ spin_unlock(&line->lock);
+ return IRQ_NONE;
+- } else if (err < 0) {
++ } else if ((err < 0) && (err != -EAGAIN)) {
+ line->head = line->buffer;
+ line->tail = line->buffer;
+ }
+@@ -284,7 +284,7 @@ int line_setup_irq(int fd, int input, int output, struct line *line, void *data)
+ if (err)
+ return err;
+ if (output)
+- err = um_request_irq(driver->write_irq, fd, IRQ_NONE,
++ err = um_request_irq(driver->write_irq, fd, IRQ_WRITE,
+ line_write_interrupt, IRQF_SHARED,
+ driver->write_irq_name, data);
+ return err;
+--
+2.20.1
+
--- /dev/null
+From 49b95a6006e3a18da4aaf9cf769dca8e515b1c41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 14:20:08 +0200
+Subject: USB: misc: appledisplay: fix backlight update_status return code
+
+From: Mattias Jacobsson <2pi@mok.nu>
+
+[ Upstream commit 090158555ff8d194a98616034100b16697dd80d0 ]
+
+Upon success the update_status handler returns a positive number
+corresponding to the number of bytes transferred by usb_control_msg.
+However the return code of the update_status handler should indicate if
+an error occurred(negative) or how many bytes of the user's input to sysfs
+that was consumed. Return code zero indicates all bytes were consumed.
+
+The bug can for example result in the update_status handler being called
+twice, the second time with only the "unconsumed" part of the user's input
+to sysfs. Effectively setting an incorrect brightness.
+
+Change the update_status handler to return zero for all successful
+transactions and forward usb_control_msg's error code upon failure.
+
+Signed-off-by: Mattias Jacobsson <2pi@mok.nu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/appledisplay.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
+index 1c6da8d6cccf8..39ca31b4de466 100644
+--- a/drivers/usb/misc/appledisplay.c
++++ b/drivers/usb/misc/appledisplay.c
+@@ -148,8 +148,11 @@ static int appledisplay_bl_update_status(struct backlight_device *bd)
+ pdata->msgdata, 2,
+ ACD_USB_TIMEOUT);
+ mutex_unlock(&pdata->sysfslock);
+-
+- return retval;
++
++ if (retval < 0)
++ return retval;
++ else
++ return 0;
+ }
+
+ static int appledisplay_bl_get_brightness(struct backlight_device *bd)
+--
+2.20.1
+
--- /dev/null
+From eaa9b3f743efe30175b4021d1a4c0712f5316361 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Oct 2018 12:45:01 -0700
+Subject: usb: typec: tcpm: charge current handling for sink during hard reset
+
+From: Badhri Jagan Sridharan <badhri@google.com>
+
+[ Upstream commit 157c0f2f641a9938382b092c64548ebdabfe25e0 ]
+
+During the initial connect to a non-pd port, sink would hard reset
+twice before deeming that the port partner is non-pd. TCPM sets the
+the charge path to false during the hard reset. This causes unnecessary
+connects/disconnects of charge path and makes port take longer to
+charge from the non-pd ports. Avoid this by not setting the charge path
+to false unless the partner has already identified to be pd capable.
+
+When partner is a pd port, set the charge path to false in
+SNK_HARD_RESET_SINK_OFF. Set the current limits to default value based
+of CC pull up and resume the charge path when port enters
+SNK_HARD_RESET_SINK_ON.
+
+Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+
+--------
+Changes in V3:
+Rebase on top of usb-next
+
+Changes in V2:
+Based on feedback of jackp@codeaurora.org
+- vsafe_5v_hard_reset flag from tcpc_config is removed
+- Patch only differentiates between pd port partner and non-pd port
+partner
+
+V1 version of the patch is here:
+https://lkml.org/lkml/2018/9/14/11
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/tcpm.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/typec/tcpm.c b/drivers/usb/typec/tcpm.c
+index 819ae3b2bd7e8..39cf190012393 100644
+--- a/drivers/usb/typec/tcpm.c
++++ b/drivers/usb/typec/tcpm.c
+@@ -3322,7 +3322,8 @@ static void run_state_machine(struct tcpm_port *port)
+ case SNK_HARD_RESET_SINK_OFF:
+ memset(&port->pps_data, 0, sizeof(port->pps_data));
+ tcpm_set_vconn(port, false);
+- tcpm_set_charge(port, false);
++ if (port->pd_capable)
++ tcpm_set_charge(port, false);
+ tcpm_set_roles(port, port->self_powered, TYPEC_SINK,
+ TYPEC_DEVICE);
+ /*
+@@ -3354,6 +3355,12 @@ static void run_state_machine(struct tcpm_port *port)
+ * Similar, dual-mode ports in source mode should transition
+ * to PE_SNK_Transition_to_default.
+ */
++ if (port->pd_capable) {
++ tcpm_set_current_limit(port,
++ tcpm_get_current_limit(port),
++ 5000);
++ tcpm_set_charge(port, true);
++ }
+ tcpm_set_attached_state(port, true);
+ tcpm_set_state(port, SNK_STARTUP, 0);
+ break;
+--
+2.20.1
+
--- /dev/null
+From ad757433caed94132ac6fdf9147124ab93019c00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 19:03:43 +0100
+Subject: usbip: tools: fix atoi() on non-null terminated string
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit e325808c0051b16729ffd472ff887c6cae5c6317 ]
+
+Currently the call to atoi is being passed a single char string
+that is not null terminated, so there is a potential read overrun
+along the stack when parsing for an integer value. Fix this by
+instead using a 2 char string that is initialized to all zeros
+to ensure that a 1 char read into the string is always terminated
+with a \0.
+
+Detected by cppcheck:
+"Invalid atoi() argument nr 1. A nul-terminated string is required."
+
+Fixes: 3391ba0e2792 ("usbip: tools: Extract generic code to be shared with vudc backend")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/usb/usbip/libsrc/usbip_host_common.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/usb/usbip/libsrc/usbip_host_common.c b/tools/usb/usbip/libsrc/usbip_host_common.c
+index dc93fadbee963..d79c7581b175f 100644
+--- a/tools/usb/usbip/libsrc/usbip_host_common.c
++++ b/tools/usb/usbip/libsrc/usbip_host_common.c
+@@ -43,7 +43,7 @@ static int32_t read_attr_usbip_status(struct usbip_usb_device *udev)
+ int size;
+ int fd;
+ int length;
+- char status;
++ char status[2] = { 0 };
+ int value = 0;
+
+ size = snprintf(status_attr_path, sizeof(status_attr_path),
+@@ -61,14 +61,14 @@ static int32_t read_attr_usbip_status(struct usbip_usb_device *udev)
+ return -1;
+ }
+
+- length = read(fd, &status, 1);
++ length = read(fd, status, 1);
+ if (length < 0) {
+ err("error reading attribute %s", status_attr_path);
+ close(fd);
+ return -1;
+ }
+
+- value = atoi(&status);
++ value = atoi(status);
+
+ return value;
+ }
+--
+2.20.1
+
--- /dev/null
+From 93bf37e5e299593429412339fa49ee0d1f7dac5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Oct 2018 10:40:55 +1100
+Subject: vfs: avoid problematic remapping requests into partial EOF block
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit 07d19dc9fbe9128378b9e226abe886fd8fd473df ]
+
+A deduplication data corruption is exposed in XFS and btrfs. It is
+caused by extending the block match range to include the partial EOF
+block, but then allowing unknown data beyond EOF to be considered a
+"match" to data in the destination file because the comparison is only
+made to the end of the source file. This corrupts the destination file
+when the source extent is shared with it.
+
+The VFS remapping prep functions only support whole block dedupe, but
+we still need to appear to support whole file dedupe correctly. Hence
+if the dedupe request includes the last block of the souce file, don't
+include it in the actual dedupe operation. If the rest of the range
+dedupes successfully, then reject the entire request. A subsequent
+patch will enable us to shorten dedupe requests correctly.
+
+When reflinking sub-file ranges, a data corruption can occur when the
+source file range includes a partial EOF block. This shares the unknown
+data beyond EOF into the second file at a position inside EOF, exposing
+stale data in the second file.
+
+If the reflink request includes the last block of the souce file, only
+proceed with the reflink operation if it lands at or past the
+destination file's current EOF. If it lands within the destination file
+EOF, reject the entire request with -EINVAL and make the caller go the
+hard way. A subsequent patch will enable us to shorten reflink requests
+correctly.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/read_write.c | 33 +++++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+diff --git a/fs/read_write.c b/fs/read_write.c
+index 5fb5ee5b8cd70..2195380620d02 100644
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -1715,6 +1715,34 @@ static int clone_verify_area(struct file *file, loff_t pos, u64 len, bool write)
+
+ return security_file_permission(file, write ? MAY_WRITE : MAY_READ);
+ }
++/*
++ * Ensure that we don't remap a partial EOF block in the middle of something
++ * else. Assume that the offsets have already been checked for block
++ * alignment.
++ *
++ * For deduplication we always scale down to the previous block because we
++ * can't meaningfully compare post-EOF contents.
++ *
++ * For clone we only link a partial EOF block above the destination file's EOF.
++ */
++static int generic_remap_check_len(struct inode *inode_in,
++ struct inode *inode_out,
++ loff_t pos_out,
++ u64 *len,
++ bool is_dedupe)
++{
++ u64 blkmask = i_blocksize(inode_in) - 1;
++
++ if ((*len & blkmask) == 0)
++ return 0;
++
++ if (is_dedupe)
++ *len &= ~blkmask;
++ else if (pos_out + *len < i_size_read(inode_out))
++ return -EINVAL;
++
++ return 0;
++}
+
+ /*
+ * Check that the two inodes are eligible for cloning, the ranges make
+@@ -1821,6 +1849,11 @@ int vfs_clone_file_prep_inodes(struct inode *inode_in, loff_t pos_in,
+ return -EBADE;
+ }
+
++ ret = generic_remap_check_len(inode_in, inode_out, pos_out, len,
++ is_dedupe);
++ if (ret)
++ return ret;
++
+ return 1;
+ }
+ EXPORT_SYMBOL(vfs_clone_file_prep_inodes);
+--
+2.20.1
+
--- /dev/null
+From 28d31a8b66b7f21e8c92d4e959a5ff294af0bc36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Nov 2018 15:36:07 +0000
+Subject: vrf: mark skb for multicast or link-local as enslaved to VRF
+
+From: Mike Manning <mmanning@vyatta.att-mail.com>
+
+[ Upstream commit 6f12fa775530195a501fb090d092c637f32d0cc5 ]
+
+The skb for packets that are multicast or to a link-local address are
+not marked as being enslaved to a VRF, if they are received on a socket
+bound to the VRF. This is needed for ND and it is preferable for the
+kernel not to have to deal with the additional use-cases if ll or mcast
+packets are handled as enslaved. However, this does not allow service
+instances listening on unbound and bound to VRF sockets to distinguish
+the VRF used, if packets are sent as multicast or to a link-local
+address. The fix is for the VRF driver to also mark these skb as being
+enslaved to the VRF.
+
+Signed-off-by: Mike Manning <mmanning@vyatta.att-mail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Tested-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vrf.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
+index 9f895083bc0aa..7f5ee6bb44300 100644
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -993,24 +993,23 @@ static struct sk_buff *vrf_ip6_rcv(struct net_device *vrf_dev,
+ struct sk_buff *skb)
+ {
+ int orig_iif = skb->skb_iif;
+- bool need_strict;
++ bool need_strict = rt6_need_strict(&ipv6_hdr(skb)->daddr);
++ bool is_ndisc = ipv6_ndisc_frame(skb);
+
+- /* loopback traffic; do not push through packet taps again.
+- * Reset pkt_type for upper layers to process skb
++ /* loopback, multicast & non-ND link-local traffic; do not push through
++ * packet taps again. Reset pkt_type for upper layers to process skb
+ */
+- if (skb->pkt_type == PACKET_LOOPBACK) {
++ if (skb->pkt_type == PACKET_LOOPBACK || (need_strict && !is_ndisc)) {
+ skb->dev = vrf_dev;
+ skb->skb_iif = vrf_dev->ifindex;
+ IP6CB(skb)->flags |= IP6SKB_L3SLAVE;
+- skb->pkt_type = PACKET_HOST;
++ if (skb->pkt_type == PACKET_LOOPBACK)
++ skb->pkt_type = PACKET_HOST;
+ goto out;
+ }
+
+- /* if packet is NDISC or addressed to multicast or link-local
+- * then keep the ingress interface
+- */
+- need_strict = rt6_need_strict(&ipv6_hdr(skb)->daddr);
+- if (!ipv6_ndisc_frame(skb) && !need_strict) {
++ /* if packet is NDISC then keep the ingress interface */
++ if (!is_ndisc) {
+ vrf_rx_stats(vrf_dev, skb->len);
+ skb->dev = vrf_dev;
+ skb->skb_iif = vrf_dev->ifindex;
+--
+2.20.1
+
--- /dev/null
+From 5814658977279227ea45941f0d3ef45698b49563 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Oct 2018 19:47:45 +0200
+Subject: w1: IAD Register is yet readable trough iad sys file. Fix snprintf
+ (%u for unsigned, count for max size).
+
+From: Julien Folly <julien.folly@gmail.com>
+
+[ Upstream commit 6eaafbb6998e999467cf78a76e155ee00e372b14 ]
+
+IAD Register is yet readable trough the "iad" sys file.
+
+A write to the "iad" sys file enables or disables the current
+measurement, but it was not possible to get the measured value by
+reading it.
+Fix: %u in snprintf for unsigned values (vdd and vad)
+Fix: Avoid possibles overflows (Usage of the 'count' variables)
+
+Signed-off-by: Julien Folly <julien.folly@gmail.com>
+Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/w1/slaves/w1_ds2438.c | 66 +++++++++++++++++++++++++++--------
+ 1 file changed, 52 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/w1/slaves/w1_ds2438.c b/drivers/w1/slaves/w1_ds2438.c
+index bf641a191d077..7c4e33dbee4d5 100644
+--- a/drivers/w1/slaves/w1_ds2438.c
++++ b/drivers/w1/slaves/w1_ds2438.c
+@@ -186,8 +186,8 @@ static int w1_ds2438_change_config_bit(struct w1_slave *sl, u8 mask, u8 value)
+ return -1;
+ }
+
+-static uint16_t w1_ds2438_get_voltage(struct w1_slave *sl,
+- int adc_input, uint16_t *voltage)
++static int w1_ds2438_get_voltage(struct w1_slave *sl,
++ int adc_input, uint16_t *voltage)
+ {
+ unsigned int retries = W1_DS2438_RETRIES;
+ u8 w1_buf[DS2438_PAGE_SIZE + 1 /*for CRC*/];
+@@ -235,6 +235,25 @@ static uint16_t w1_ds2438_get_voltage(struct w1_slave *sl,
+ return ret;
+ }
+
++static int w1_ds2438_get_current(struct w1_slave *sl, int16_t *voltage)
++{
++ u8 w1_buf[DS2438_PAGE_SIZE + 1 /*for CRC*/];
++ int ret;
++
++ mutex_lock(&sl->master->bus_mutex);
++
++ if (w1_ds2438_get_page(sl, 0, w1_buf) == 0) {
++ /* The voltage measured across current sense resistor RSENS. */
++ *voltage = (((int16_t) w1_buf[DS2438_CURRENT_MSB]) << 8) | ((int16_t) w1_buf[DS2438_CURRENT_LSB]);
++ ret = 0;
++ } else
++ ret = -1;
++
++ mutex_unlock(&sl->master->bus_mutex);
++
++ return ret;
++}
++
+ static ssize_t iad_write(struct file *filp, struct kobject *kobj,
+ struct bin_attribute *bin_attr, char *buf,
+ loff_t off, size_t count)
+@@ -257,6 +276,27 @@ static ssize_t iad_write(struct file *filp, struct kobject *kobj,
+ return ret;
+ }
+
++static ssize_t iad_read(struct file *filp, struct kobject *kobj,
++ struct bin_attribute *bin_attr, char *buf,
++ loff_t off, size_t count)
++{
++ struct w1_slave *sl = kobj_to_w1_slave(kobj);
++ int ret;
++ int16_t voltage;
++
++ if (off != 0)
++ return 0;
++ if (!buf)
++ return -EINVAL;
++
++ if (w1_ds2438_get_current(sl, &voltage) == 0) {
++ ret = snprintf(buf, count, "%i\n", voltage);
++ } else
++ ret = -EIO;
++
++ return ret;
++}
++
+ static ssize_t page0_read(struct file *filp, struct kobject *kobj,
+ struct bin_attribute *bin_attr, char *buf,
+ loff_t off, size_t count)
+@@ -272,9 +312,13 @@ static ssize_t page0_read(struct file *filp, struct kobject *kobj,
+
+ mutex_lock(&sl->master->bus_mutex);
+
++ /* Read no more than page0 size */
++ if (count > DS2438_PAGE_SIZE)
++ count = DS2438_PAGE_SIZE;
++
+ if (w1_ds2438_get_page(sl, 0, w1_buf) == 0) {
+- memcpy(buf, &w1_buf, DS2438_PAGE_SIZE);
+- ret = DS2438_PAGE_SIZE;
++ memcpy(buf, &w1_buf, count);
++ ret = count;
+ } else
+ ret = -EIO;
+
+@@ -289,7 +333,6 @@ static ssize_t temperature_read(struct file *filp, struct kobject *kobj,
+ {
+ struct w1_slave *sl = kobj_to_w1_slave(kobj);
+ int ret;
+- ssize_t c = PAGE_SIZE;
+ int16_t temp;
+
+ if (off != 0)
+@@ -298,8 +341,7 @@ static ssize_t temperature_read(struct file *filp, struct kobject *kobj,
+ return -EINVAL;
+
+ if (w1_ds2438_get_temperature(sl, &temp) == 0) {
+- c -= snprintf(buf + PAGE_SIZE - c, c, "%d\n", temp);
+- ret = PAGE_SIZE - c;
++ ret = snprintf(buf, count, "%i\n", temp);
+ } else
+ ret = -EIO;
+
+@@ -312,7 +354,6 @@ static ssize_t vad_read(struct file *filp, struct kobject *kobj,
+ {
+ struct w1_slave *sl = kobj_to_w1_slave(kobj);
+ int ret;
+- ssize_t c = PAGE_SIZE;
+ uint16_t voltage;
+
+ if (off != 0)
+@@ -321,8 +362,7 @@ static ssize_t vad_read(struct file *filp, struct kobject *kobj,
+ return -EINVAL;
+
+ if (w1_ds2438_get_voltage(sl, DS2438_ADC_INPUT_VAD, &voltage) == 0) {
+- c -= snprintf(buf + PAGE_SIZE - c, c, "%d\n", voltage);
+- ret = PAGE_SIZE - c;
++ ret = snprintf(buf, count, "%u\n", voltage);
+ } else
+ ret = -EIO;
+
+@@ -335,7 +375,6 @@ static ssize_t vdd_read(struct file *filp, struct kobject *kobj,
+ {
+ struct w1_slave *sl = kobj_to_w1_slave(kobj);
+ int ret;
+- ssize_t c = PAGE_SIZE;
+ uint16_t voltage;
+
+ if (off != 0)
+@@ -344,15 +383,14 @@ static ssize_t vdd_read(struct file *filp, struct kobject *kobj,
+ return -EINVAL;
+
+ if (w1_ds2438_get_voltage(sl, DS2438_ADC_INPUT_VDD, &voltage) == 0) {
+- c -= snprintf(buf + PAGE_SIZE - c, c, "%d\n", voltage);
+- ret = PAGE_SIZE - c;
++ ret = snprintf(buf, count, "%u\n", voltage);
+ } else
+ ret = -EIO;
+
+ return ret;
+ }
+
+-static BIN_ATTR(iad, S_IRUGO | S_IWUSR | S_IWGRP, NULL, iad_write, 1);
++static BIN_ATTR(iad, S_IRUGO | S_IWUSR | S_IWGRP, iad_read, iad_write, 0);
+ static BIN_ATTR_RO(page0, DS2438_PAGE_SIZE);
+ static BIN_ATTR_RO(temperature, 0/* real length varies */);
+ static BIN_ATTR_RO(vad, 0/* real length varies */);
+--
+2.20.1
+
--- /dev/null
+From e4368dd3c649bf5ee2ffac8882da55520291517a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 10:52:18 +0200
+Subject: wil6210: fix debugfs memory access alignment
+
+From: Ahmad Masri <amasri@codeaurora.org>
+
+[ Upstream commit 84ec040d0fb25197584d28a0dedc355503cd19b9 ]
+
+All wil6210 device memory access should be 4 bytes aligned. In io
+blob wil6210 did not force alignment for read function, this caused
+alignment fault on some platforms.
+Fixing that by accessing all 4 lower bytes and return to host the
+requested data.
+
+Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wil6210/debugfs.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c
+index ceace95b1595c..44296c0159252 100644
+--- a/drivers/net/wireless/ath/wil6210/debugfs.c
++++ b/drivers/net/wireless/ath/wil6210/debugfs.c
+@@ -662,10 +662,10 @@ static ssize_t wil_read_file_ioblob(struct file *file, char __user *user_buf,
+ enum { max_count = 4096 };
+ struct wil_blob_wrapper *wil_blob = file->private_data;
+ struct wil6210_priv *wil = wil_blob->wil;
+- loff_t pos = *ppos;
++ loff_t aligned_pos, pos = *ppos;
+ size_t available = wil_blob->blob.size;
+ void *buf;
+- size_t ret;
++ size_t unaligned_bytes, aligned_count, ret;
+ int rc;
+
+ if (test_bit(wil_status_suspending, wil_blob->wil->status) ||
+@@ -683,7 +683,12 @@ static ssize_t wil_read_file_ioblob(struct file *file, char __user *user_buf,
+ if (count > max_count)
+ count = max_count;
+
+- buf = kmalloc(count, GFP_KERNEL);
++ /* set pos to 4 bytes aligned */
++ unaligned_bytes = pos % 4;
++ aligned_pos = pos - unaligned_bytes;
++ aligned_count = count + unaligned_bytes;
++
++ buf = kmalloc(aligned_count, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+@@ -694,9 +699,9 @@ static ssize_t wil_read_file_ioblob(struct file *file, char __user *user_buf,
+ }
+
+ wil_memcpy_fromio_32(buf, (const void __iomem *)
+- wil_blob->blob.data + pos, count);
++ wil_blob->blob.data + aligned_pos, aligned_count);
+
+- ret = copy_to_user(user_buf, buf, count);
++ ret = copy_to_user(user_buf, buf + unaligned_bytes, count);
+
+ wil_pm_runtime_put(wil);
+
+--
+2.20.1
+
--- /dev/null
+From d76976f3388b493a74b362f69d59e4207b837b24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 10:52:19 +0200
+Subject: wil6210: fix L2 RX status handling
+
+From: Maya Erez <merez@codeaurora.org>
+
+[ Upstream commit 04de15010aa42a92add66b159e3ae44b4287390f ]
+
+L2 RX status errors should not be treated as a bitmap and the actual
+error values should be checked.
+Print L2 errors as wil_err_ratelimited for easier debugging
+when such errors occurs.
+
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wil6210/txrx_edma.c | 23 ++++++++++----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wil6210/txrx_edma.c b/drivers/net/wireless/ath/wil6210/txrx_edma.c
+index 409a6fa8b6c8f..5fa8d6ad66482 100644
+--- a/drivers/net/wireless/ath/wil6210/txrx_edma.c
++++ b/drivers/net/wireless/ath/wil6210/txrx_edma.c
+@@ -808,23 +808,24 @@ static int wil_rx_error_check_edma(struct wil6210_priv *wil,
+ wil_dbg_txrx(wil, "L2 RX error, l2_rx_status=0x%x\n",
+ l2_rx_status);
+ /* Due to HW issue, KEY error will trigger a MIC error */
+- if (l2_rx_status & WIL_RX_EDMA_ERROR_MIC) {
+- wil_dbg_txrx(wil,
+- "L2 MIC/KEY error, dropping packet\n");
++ if (l2_rx_status == WIL_RX_EDMA_ERROR_MIC) {
++ wil_err_ratelimited(wil,
++ "L2 MIC/KEY error, dropping packet\n");
+ stats->rx_mic_error++;
+ }
+- if (l2_rx_status & WIL_RX_EDMA_ERROR_KEY) {
+- wil_dbg_txrx(wil, "L2 KEY error, dropping packet\n");
++ if (l2_rx_status == WIL_RX_EDMA_ERROR_KEY) {
++ wil_err_ratelimited(wil,
++ "L2 KEY error, dropping packet\n");
+ stats->rx_key_error++;
+ }
+- if (l2_rx_status & WIL_RX_EDMA_ERROR_REPLAY) {
+- wil_dbg_txrx(wil,
+- "L2 REPLAY error, dropping packet\n");
++ if (l2_rx_status == WIL_RX_EDMA_ERROR_REPLAY) {
++ wil_err_ratelimited(wil,
++ "L2 REPLAY error, dropping packet\n");
+ stats->rx_replay++;
+ }
+- if (l2_rx_status & WIL_RX_EDMA_ERROR_AMSDU) {
+- wil_dbg_txrx(wil,
+- "L2 AMSDU error, dropping packet\n");
++ if (l2_rx_status == WIL_RX_EDMA_ERROR_AMSDU) {
++ wil_err_ratelimited(wil,
++ "L2 AMSDU error, dropping packet\n");
+ stats->rx_amsdu_error++;
+ }
+ return -EFAULT;
+--
+2.20.1
+
--- /dev/null
+From a508b07a2abc173afc36b6426947bcc9438a558e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 10:52:24 +0200
+Subject: wil6210: fix locking in wmi_call
+
+From: Lior David <liord@codeaurora.org>
+
+[ Upstream commit dc57731dbd535880fe6ced31c229262c34df7d64 ]
+
+Switch from spin_lock to spin_lock_irqsave, because
+wmi_ev_lock is used inside interrupt handler.
+
+Signed-off-by: Lior David <liord@codeaurora.org>
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wil6210/wmi.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c
+index 2010f771478df..8a603432f5317 100644
+--- a/drivers/net/wireless/ath/wil6210/wmi.c
++++ b/drivers/net/wireless/ath/wil6210/wmi.c
+@@ -1639,16 +1639,17 @@ int wmi_call(struct wil6210_priv *wil, u16 cmdid, u8 mid, void *buf, u16 len,
+ {
+ int rc;
+ unsigned long remain;
++ ulong flags;
+
+ mutex_lock(&wil->wmi_mutex);
+
+- spin_lock(&wil->wmi_ev_lock);
++ spin_lock_irqsave(&wil->wmi_ev_lock, flags);
+ wil->reply_id = reply_id;
+ wil->reply_mid = mid;
+ wil->reply_buf = reply;
+ wil->reply_size = reply_size;
+ reinit_completion(&wil->wmi_call);
+- spin_unlock(&wil->wmi_ev_lock);
++ spin_unlock_irqrestore(&wil->wmi_ev_lock, flags);
+
+ rc = __wmi_send(wil, cmdid, mid, buf, len);
+ if (rc)
+@@ -1668,12 +1669,12 @@ int wmi_call(struct wil6210_priv *wil, u16 cmdid, u8 mid, void *buf, u16 len,
+ }
+
+ out:
+- spin_lock(&wil->wmi_ev_lock);
++ spin_lock_irqsave(&wil->wmi_ev_lock, flags);
+ wil->reply_id = 0;
+ wil->reply_mid = U8_MAX;
+ wil->reply_buf = NULL;
+ wil->reply_size = 0;
+- spin_unlock(&wil->wmi_ev_lock);
++ spin_unlock_irqrestore(&wil->wmi_ev_lock, flags);
+
+ mutex_unlock(&wil->wmi_mutex);
+
+--
+2.20.1
+
--- /dev/null
+From d353349b7047f68e79931afce204c1a6d772a0e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Oct 2018 10:52:20 +0200
+Subject: wil6210: fix RGF_CAF_ICR address for Talyn-MB
+
+From: Maya Erez <merez@codeaurora.org>
+
+[ Upstream commit 7c69709f8ed27197b16aa1c3f9b0744402b2fa02 ]
+
+RGF_CAF_ICR register location has changed in Talyn-MB.
+Add RGF_CAF_ICR_TALYN_MB to support the new address.
+
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wil6210/main.c | 11 +++++++++--
+ drivers/net/wireless/ath/wil6210/wil6210.h | 1 +
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wil6210/main.c b/drivers/net/wireless/ath/wil6210/main.c
+index 920cb233f4db7..10673fa9388ec 100644
+--- a/drivers/net/wireless/ath/wil6210/main.c
++++ b/drivers/net/wireless/ath/wil6210/main.c
+@@ -1397,8 +1397,15 @@ static void wil_pre_fw_config(struct wil6210_priv *wil)
+ wil6210_clear_irq(wil);
+ /* CAF_ICR - clear and mask */
+ /* it is W1C, clear by writing back same value */
+- wil_s(wil, RGF_CAF_ICR + offsetof(struct RGF_ICR, ICR), 0);
+- wil_w(wil, RGF_CAF_ICR + offsetof(struct RGF_ICR, IMV), ~0);
++ if (wil->hw_version < HW_VER_TALYN_MB) {
++ wil_s(wil, RGF_CAF_ICR + offsetof(struct RGF_ICR, ICR), 0);
++ wil_w(wil, RGF_CAF_ICR + offsetof(struct RGF_ICR, IMV), ~0);
++ } else {
++ wil_s(wil,
++ RGF_CAF_ICR_TALYN_MB + offsetof(struct RGF_ICR, ICR), 0);
++ wil_w(wil, RGF_CAF_ICR_TALYN_MB +
++ offsetof(struct RGF_ICR, IMV), ~0);
++ }
+ /* clear PAL_UNIT_ICR (potential D0->D3 leftover)
+ * In Talyn-MB host cannot access this register due to
+ * access control, hence PAL_UNIT_ICR is cleared by the FW
+diff --git a/drivers/net/wireless/ath/wil6210/wil6210.h b/drivers/net/wireless/ath/wil6210/wil6210.h
+index 17c294b1ead13..75fe1a3b70466 100644
+--- a/drivers/net/wireless/ath/wil6210/wil6210.h
++++ b/drivers/net/wireless/ath/wil6210/wil6210.h
+@@ -319,6 +319,7 @@ struct RGF_ICR {
+ /* MAC timer, usec, for packet lifetime */
+ #define RGF_MAC_MTRL_COUNTER_0 (0x886aa8)
+
++#define RGF_CAF_ICR_TALYN_MB (0x8893d4) /* struct RGF_ICR */
+ #define RGF_CAF_ICR (0x88946c) /* struct RGF_ICR */
+ #define RGF_CAF_OSC_CONTROL (0x88afa4)
+ #define BIT_CAF_OSC_XTAL_EN BIT(0)
+--
+2.20.1
+
--- /dev/null
+From 3989c2ca3cde389f105a81a334f68f23c919d5d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Oct 2018 11:33:34 +0300
+Subject: wireless: airo: potential buffer overflow in sprintf()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 3d39e1bb1c88f32820c5f9271f2c8c2fb9a52bac ]
+
+It looks like we wanted to print a maximum of BSSList_rid.ssidLen bytes
+of the ssid, but we accidentally use "%*s" (width) instead of "%.*s"
+(precision) so if the ssid doesn't have a NUL terminator this could lead
+to an overflow.
+
+Static analysis. Not tested.
+
+Fixes: e174961ca1a0 ("net: convert print_mac to %pM")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/cisco/airo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c
+index 04dd7a9365938..5512c7f73fce8 100644
+--- a/drivers/net/wireless/cisco/airo.c
++++ b/drivers/net/wireless/cisco/airo.c
+@@ -5462,7 +5462,7 @@ static int proc_BSSList_open( struct inode *inode, struct file *file ) {
+ we have to add a spin lock... */
+ rc = readBSSListRid(ai, doLoseSync, &BSSList_rid);
+ while(rc == 0 && BSSList_rid.index != cpu_to_le16(0xffff)) {
+- ptr += sprintf(ptr, "%pM %*s rssi = %d",
++ ptr += sprintf(ptr, "%pM %.*s rssi = %d",
+ BSSList_rid.bssid,
+ (int)BSSList_rid.ssidLen,
+ BSSList_rid.ssid,
+--
+2.20.1
+
--- /dev/null
+From f27c727aeac68a38c93ae477f7248fa4580124d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Oct 2018 09:39:40 +0200
+Subject: wlcore: Fix the return value in case of error in
+ 'wlcore_vendor_cmd_smart_config_start()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 3419348a97bcc256238101129d69b600ceb5cc70 ]
+
+We return 0 unconditionally at the end of
+'wlcore_vendor_cmd_smart_config_start()'.
+However, 'ret' is set to some error codes in several error handling paths
+and we already return some error codes at the beginning of the function.
+
+Return 'ret' instead to propagate the error code.
+
+Fixes: 80ff8063e87c ("wlcore: handle smart config vendor commands")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wlcore/vendor_cmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ti/wlcore/vendor_cmd.c b/drivers/net/wireless/ti/wlcore/vendor_cmd.c
+index dbe78d8491eff..7f34ec077ee57 100644
+--- a/drivers/net/wireless/ti/wlcore/vendor_cmd.c
++++ b/drivers/net/wireless/ti/wlcore/vendor_cmd.c
+@@ -70,7 +70,7 @@ wlcore_vendor_cmd_smart_config_start(struct wiphy *wiphy,
+ out:
+ mutex_unlock(&wl->mutex);
+
+- return 0;
++ return ret;
+ }
+
+ static int
+--
+2.20.1
+
--- /dev/null
+From f010bf96ce685ad60587cc1b89de3b56e3d85cb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Oct 2018 15:51:01 -0700
+Subject: x86/intel_rdt: Prevent pseudo-locking from using stale pointers
+
+From: Jithu Joseph <jithu.joseph@intel.com>
+
+[ Upstream commit b61b8bba18fe2b63d38fdaf9b83de25e2d787dfe ]
+
+When the last CPU in an rdt_domain goes offline, its rdt_domain struct gets
+freed. Current pseudo-locking code is unaware of this scenario and tries to
+dereference the freed structure in a few places.
+
+Add checks to prevent pseudo-locking code from doing this.
+
+While further work is needed to seamlessly restore resource groups (not
+just pseudo-locking) to their configuration when the domain is brought back
+online, the immediate issue of invalid pointers is addressed here.
+
+Fixes: f4e80d67a5274 ("x86/intel_rdt: Resctrl files reflect pseudo-locked information")
+Fixes: 443810fe61605 ("x86/intel_rdt: Create debugfs files for pseudo-locking testing")
+Fixes: 746e08590b864 ("x86/intel_rdt: Create character device exposing pseudo-locked region")
+Fixes: 33dc3e410a0d9 ("x86/intel_rdt: Make CPU information accessible for pseudo-locked regions")
+Signed-off-by: Jithu Joseph <jithu.joseph@intel.com>
+Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: fenghua.yu@intel.com
+Cc: tony.luck@intel.com
+Cc: gavin.hindman@intel.com
+Cc: hpa@zytor.com
+Link: https://lkml.kernel.org/r/231f742dbb7b00a31cc104416860e27dba6b072d.1539384145.git.reinette.chatre@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/intel_rdt.c | 7 ++++
+ arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c | 12 +++++--
+ arch/x86/kernel/cpu/intel_rdt_pseudo_lock.c | 10 ++++++
+ arch/x86/kernel/cpu/intel_rdt_rdtgroup.c | 38 +++++++++++++++------
+ 4 files changed, 55 insertions(+), 12 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/intel_rdt.c b/arch/x86/kernel/cpu/intel_rdt.c
+index cc43c5abd187b..b99a04da70f61 100644
+--- a/arch/x86/kernel/cpu/intel_rdt.c
++++ b/arch/x86/kernel/cpu/intel_rdt.c
+@@ -610,6 +610,13 @@ static void domain_remove_cpu(int cpu, struct rdt_resource *r)
+ cancel_delayed_work(&d->cqm_limbo);
+ }
+
++ /*
++ * rdt_domain "d" is going to be freed below, so clear
++ * its pointer from pseudo_lock_region struct.
++ */
++ if (d->plr)
++ d->plr->d = NULL;
++
+ kfree(d->ctrl_val);
+ kfree(d->mbps_val);
+ kfree(d->rmid_busy_llc);
+diff --git a/arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c b/arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c
+index 968ace3c6d730..c8b72aff55e00 100644
+--- a/arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c
++++ b/arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c
+@@ -408,8 +408,16 @@ int rdtgroup_schemata_show(struct kernfs_open_file *of,
+ for_each_alloc_enabled_rdt_resource(r)
+ seq_printf(s, "%s:uninitialized\n", r->name);
+ } else if (rdtgrp->mode == RDT_MODE_PSEUDO_LOCKED) {
+- seq_printf(s, "%s:%d=%x\n", rdtgrp->plr->r->name,
+- rdtgrp->plr->d->id, rdtgrp->plr->cbm);
++ if (!rdtgrp->plr->d) {
++ rdt_last_cmd_clear();
++ rdt_last_cmd_puts("Cache domain offline\n");
++ ret = -ENODEV;
++ } else {
++ seq_printf(s, "%s:%d=%x\n",
++ rdtgrp->plr->r->name,
++ rdtgrp->plr->d->id,
++ rdtgrp->plr->cbm);
++ }
+ } else {
+ closid = rdtgrp->closid;
+ for_each_alloc_enabled_rdt_resource(r) {
+diff --git a/arch/x86/kernel/cpu/intel_rdt_pseudo_lock.c b/arch/x86/kernel/cpu/intel_rdt_pseudo_lock.c
+index 912d53939f4f4..a999a58ca3318 100644
+--- a/arch/x86/kernel/cpu/intel_rdt_pseudo_lock.c
++++ b/arch/x86/kernel/cpu/intel_rdt_pseudo_lock.c
+@@ -1116,6 +1116,11 @@ static int pseudo_lock_measure_cycles(struct rdtgroup *rdtgrp, int sel)
+ goto out;
+ }
+
++ if (!plr->d) {
++ ret = -ENODEV;
++ goto out;
++ }
++
+ plr->thread_done = 0;
+ cpu = cpumask_first(&plr->d->cpu_mask);
+ if (!cpu_online(cpu)) {
+@@ -1429,6 +1434,11 @@ static int pseudo_lock_dev_mmap(struct file *filp, struct vm_area_struct *vma)
+
+ plr = rdtgrp->plr;
+
++ if (!plr->d) {
++ mutex_unlock(&rdtgroup_mutex);
++ return -ENODEV;
++ }
++
+ /*
+ * Task is required to run with affinity to the cpus associated
+ * with the pseudo-locked region. If this is not the case the task
+diff --git a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
+index ad64031e82dcd..a2d7e6646cce8 100644
+--- a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
++++ b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
+@@ -268,17 +268,27 @@ static int rdtgroup_cpus_show(struct kernfs_open_file *of,
+ struct seq_file *s, void *v)
+ {
+ struct rdtgroup *rdtgrp;
++ struct cpumask *mask;
+ int ret = 0;
+
+ rdtgrp = rdtgroup_kn_lock_live(of->kn);
+
+ if (rdtgrp) {
+- if (rdtgrp->mode == RDT_MODE_PSEUDO_LOCKED)
+- seq_printf(s, is_cpu_list(of) ? "%*pbl\n" : "%*pb\n",
+- cpumask_pr_args(&rdtgrp->plr->d->cpu_mask));
+- else
++ if (rdtgrp->mode == RDT_MODE_PSEUDO_LOCKED) {
++ if (!rdtgrp->plr->d) {
++ rdt_last_cmd_clear();
++ rdt_last_cmd_puts("Cache domain offline\n");
++ ret = -ENODEV;
++ } else {
++ mask = &rdtgrp->plr->d->cpu_mask;
++ seq_printf(s, is_cpu_list(of) ?
++ "%*pbl\n" : "%*pb\n",
++ cpumask_pr_args(mask));
++ }
++ } else {
+ seq_printf(s, is_cpu_list(of) ? "%*pbl\n" : "%*pb\n",
+ cpumask_pr_args(&rdtgrp->cpu_mask));
++ }
+ } else {
+ ret = -ENOENT;
+ }
+@@ -1286,6 +1296,7 @@ static int rdtgroup_size_show(struct kernfs_open_file *of,
+ struct rdt_resource *r;
+ struct rdt_domain *d;
+ unsigned int size;
++ int ret = 0;
+ bool sep;
+ u32 ctrl;
+
+@@ -1296,11 +1307,18 @@ static int rdtgroup_size_show(struct kernfs_open_file *of,
+ }
+
+ if (rdtgrp->mode == RDT_MODE_PSEUDO_LOCKED) {
+- seq_printf(s, "%*s:", max_name_width, rdtgrp->plr->r->name);
+- size = rdtgroup_cbm_to_size(rdtgrp->plr->r,
+- rdtgrp->plr->d,
+- rdtgrp->plr->cbm);
+- seq_printf(s, "%d=%u\n", rdtgrp->plr->d->id, size);
++ if (!rdtgrp->plr->d) {
++ rdt_last_cmd_clear();
++ rdt_last_cmd_puts("Cache domain offline\n");
++ ret = -ENODEV;
++ } else {
++ seq_printf(s, "%*s:", max_name_width,
++ rdtgrp->plr->r->name);
++ size = rdtgroup_cbm_to_size(rdtgrp->plr->r,
++ rdtgrp->plr->d,
++ rdtgrp->plr->cbm);
++ seq_printf(s, "%d=%u\n", rdtgrp->plr->d->id, size);
++ }
+ goto out;
+ }
+
+@@ -1330,7 +1348,7 @@ static int rdtgroup_size_show(struct kernfs_open_file *of,
+ out:
+ rdtgroup_kn_unlock(of->kn);
+
+- return 0;
++ return ret;
+ }
+
+ /* rdtgroup information files for one cache resource. */
+--
+2.20.1
+
--- /dev/null
+From cc4bb5daef83d85b41d2158bf3857b2151de0169 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Oct 2018 17:21:49 +1100
+Subject: xfs: clear ail delwri queued bufs on unmount of shutdown fs
+
+From: Brian Foster <bfoster@redhat.com>
+
+[ Upstream commit efc3289cf8d39c34502a7cc9695ca2fa125aad0c ]
+
+In the typical unmount case, the AIL is forced out by the unmount
+sequence before the xfsaild task is stopped. Since AIL items are
+removed on writeback completion, this means that the AIL
+->ail_buf_list delwri queue has been drained. This is not always
+true in the shutdown case, however.
+
+It's possible for buffers to sit on a delwri queue for a period of
+time across submission attempts if said items are locked or have
+been relogged and pinned since first added to the queue. If the
+attempt to log such an item results in a log I/O error, the error
+processing can shutdown the fs, remove the item from the AIL, stale
+the buffer (dropping the LRU reference) and clear its delwri queue
+state. The latter bit means the buffer will be released from a
+delwri queue on the next submission attempt, but this might never
+occur if the filesystem has shutdown and the AIL is empty.
+
+This means that such buffers are held indefinitely by the AIL delwri
+queue across destruction of the AIL. Aside from being a memory leak,
+these buffers can also hold references to in-core perag structures.
+The latter problem manifests as a generic/475 failure, reproducing
+the following asserts at unmount time:
+
+ XFS: Assertion failed: atomic_read(&pag->pag_ref) == 0,
+ file: fs/xfs/xfs_mount.c, line: 151
+ XFS: Assertion failed: atomic_read(&pag->pag_ref) == 0,
+ file: fs/xfs/xfs_mount.c, line: 132
+
+To prevent this problem, clear the AIL delwri queue as a final step
+before xfsaild() exit. The !empty state should never occur in the
+normal case, so add an assert to catch unexpected problems going
+forward.
+
+[dgc: add comment explaining need for xfs_buf_delwri_cancel() after
+ calling xfs_buf_delwri_submit_nowait().]
+
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_buf.c | 7 +++++++
+ fs/xfs/xfs_trans_ail.c | 28 ++++++++++++++++++++++------
+ 2 files changed, 29 insertions(+), 6 deletions(-)
+
+diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
+index f4a89c94c931b..e36124546d0db 100644
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -2025,6 +2025,13 @@ xfs_buf_delwri_submit_buffers(
+ * is only safely useable for callers that can track I/O completion by higher
+ * level means, e.g. AIL pushing as the @buffer_list is consumed in this
+ * function.
++ *
++ * Note: this function will skip buffers it would block on, and in doing so
++ * leaves them on @buffer_list so they can be retried on a later pass. As such,
++ * it is up to the caller to ensure that the buffer list is fully submitted or
++ * cancelled appropriately when they are finished with the list. Failure to
++ * cancel or resubmit the list until it is empty will result in leaked buffers
++ * at unmount time.
+ */
+ int
+ xfs_buf_delwri_submit_nowait(
+diff --git a/fs/xfs/xfs_trans_ail.c b/fs/xfs/xfs_trans_ail.c
+index 55326f971cb36..d3a4e89bf4a0d 100644
+--- a/fs/xfs/xfs_trans_ail.c
++++ b/fs/xfs/xfs_trans_ail.c
+@@ -531,17 +531,33 @@ xfsaild(
+ set_current_state(TASK_INTERRUPTIBLE);
+
+ /*
+- * Check kthread_should_stop() after we set the task state
+- * to guarantee that we either see the stop bit and exit or
+- * the task state is reset to runnable such that it's not
+- * scheduled out indefinitely and detects the stop bit at
+- * next iteration.
+- *
++ * Check kthread_should_stop() after we set the task state to
++ * guarantee that we either see the stop bit and exit or the
++ * task state is reset to runnable such that it's not scheduled
++ * out indefinitely and detects the stop bit at next iteration.
+ * A memory barrier is included in above task state set to
+ * serialize again kthread_stop().
+ */
+ if (kthread_should_stop()) {
+ __set_current_state(TASK_RUNNING);
++
++ /*
++ * The caller forces out the AIL before stopping the
++ * thread in the common case, which means the delwri
++ * queue is drained. In the shutdown case, the queue may
++ * still hold relogged buffers that haven't been
++ * submitted because they were pinned since added to the
++ * queue.
++ *
++ * Log I/O error processing stales the underlying buffer
++ * and clears the delwri state, expecting the buf to be
++ * removed on the next submission attempt. That won't
++ * happen if we're shutting down, so this is the last
++ * opportunity to release such buffers from the queue.
++ */
++ ASSERT(list_empty(&ailp->ail_buf_list) ||
++ XFS_FORCED_SHUTDOWN(ailp->ail_mount));
++ xfs_buf_delwri_cancel(&ailp->ail_buf_list);
+ break;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 5ae9d161715233d7f5638b42b6288795da395d93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Oct 2018 17:21:29 +1100
+Subject: xfs: fix use-after-free race in xfs_buf_rele
+
+From: Dave Chinner <dchinner@redhat.com>
+
+[ Upstream commit 37fd1678245f7a5898c1b05128bc481fb403c290 ]
+
+When looking at a 4.18 based KASAN use after free report, I noticed
+that racing xfs_buf_rele() may race on dropping the last reference
+to the buffer and taking the buffer lock. This was the symptom
+displayed by the KASAN report, but the actual issue that was
+reported had already been fixed in 4.19-rc1 by commit e339dd8d8b04
+("xfs: use sync buffer I/O for sync delwri queue submission").
+
+Despite this, I think there is still an issue with xfs_buf_rele()
+in this code:
+
+ release = atomic_dec_and_lock(&bp->b_hold, &pag->pag_buf_lock);
+ spin_lock(&bp->b_lock);
+ if (!release) {
+.....
+
+If two threads race on the b_lock after both dropping a reference
+and one getting dropping the last reference so release = true, we
+end up with:
+
+CPU 0 CPU 1
+atomic_dec_and_lock()
+ atomic_dec_and_lock()
+ spin_lock(&bp->b_lock)
+spin_lock(&bp->b_lock)
+<spins>
+ <release = true bp->b_lru_ref = 0>
+ <remove from lists>
+ freebuf = true
+ spin_unlock(&bp->b_lock)
+ xfs_buf_free(bp)
+<gets lock, reading and writing freed memory>
+<accesses freed memory>
+spin_unlock(&bp->b_lock) <reads/writes freed memory>
+
+IOWs, we can't safely take bp->b_lock after dropping the hold
+reference because the buffer may go away at any time after we
+drop that reference. However, this can be fixed simply by taking the
+bp->b_lock before we drop the reference.
+
+It is safe to nest the pag_buf_lock inside bp->b_lock as the
+pag_buf_lock is only used to serialise against lookup in
+xfs_buf_find() and no other locks are held over or under the
+pag_buf_lock there. Make this clear by documenting the buffer lock
+orders at the top of the file.
+
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_buf.c | 38 +++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
+index e839907e8492f..f4a89c94c931b 100644
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -37,6 +37,32 @@ static kmem_zone_t *xfs_buf_zone;
+ #define xb_to_gfp(flags) \
+ ((((flags) & XBF_READ_AHEAD) ? __GFP_NORETRY : GFP_NOFS) | __GFP_NOWARN)
+
++/*
++ * Locking orders
++ *
++ * xfs_buf_ioacct_inc:
++ * xfs_buf_ioacct_dec:
++ * b_sema (caller holds)
++ * b_lock
++ *
++ * xfs_buf_stale:
++ * b_sema (caller holds)
++ * b_lock
++ * lru_lock
++ *
++ * xfs_buf_rele:
++ * b_lock
++ * pag_buf_lock
++ * lru_lock
++ *
++ * xfs_buftarg_wait_rele
++ * lru_lock
++ * b_lock (trylock due to inversion)
++ *
++ * xfs_buftarg_isolate
++ * lru_lock
++ * b_lock (trylock due to inversion)
++ */
+
+ static inline int
+ xfs_buf_is_vmapped(
+@@ -1006,8 +1032,18 @@ xfs_buf_rele(
+
+ ASSERT(atomic_read(&bp->b_hold) > 0);
+
+- release = atomic_dec_and_lock(&bp->b_hold, &pag->pag_buf_lock);
++ /*
++ * We grab the b_lock here first to serialise racing xfs_buf_rele()
++ * calls. The pag_buf_lock being taken on the last reference only
++ * serialises against racing lookups in xfs_buf_find(). IOWs, the second
++ * to last reference we drop here is not serialised against the last
++ * reference until we take bp->b_lock. Hence if we don't grab b_lock
++ * first, the last "release" reference can win the race to the lock and
++ * free the buffer before the second-to-last reference is processed,
++ * leading to a use-after-free scenario.
++ */
+ spin_lock(&bp->b_lock);
++ release = atomic_dec_and_lock(&bp->b_hold, &pag->pag_buf_lock);
+ if (!release) {
+ /*
+ * Drop the in-flight state if the buffer is already on the LRU
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
