patches for 4.14
authorSasha Levin <sashal@kernel.org>
Thu, 13 Dec 2018 15:21:13 +0000 (10:21 -0500)
committerSasha Levin <sashal@kernel.org>
Thu, 13 Dec 2018 15:21:13 +0000 (10:21 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
69 files changed:
queue-4.14/acpi-iort-fix-iort_get_platform_device_domain-uninit.patch [new file with mode: 0644]
queue-4.14/arm-dts-at91-sama5d2-use-the-divided-clock-for-smc.patch [new file with mode: 0644]
queue-4.14/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch [new file with mode: 0644]
queue-4.14/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch [new file with mode: 0644]
queue-4.14/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch [new file with mode: 0644]
queue-4.14/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch [new file with mode: 0644]
queue-4.14/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch [new file with mode: 0644]
queue-4.14/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch [new file with mode: 0644]
queue-4.14/asoc-omap-mcbsp-fix-latency-value-calculation-for-pm.patch [new file with mode: 0644]
queue-4.14/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch [new file with mode: 0644]
queue-4.14/asoc-rsnd-fixup-clock-start-checker.patch [new file with mode: 0644]
queue-4.14/asoc-wm_adsp-fix-dma-unsafe-read-of-scratch-register.patch [new file with mode: 0644]
queue-4.14/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch [new file with mode: 0644]
queue-4.14/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch [new file with mode: 0644]
queue-4.14/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch [new file with mode: 0644]
queue-4.14/debugobjects-avoid-recursive-calls-with-kmemleak.patch [new file with mode: 0644]
queue-4.14/drm-amdgpu-add-delay-after-enable-rlc-ucode.patch [new file with mode: 0644]
queue-4.14/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch [new file with mode: 0644]
queue-4.14/drm-meson-add-support-for-1080p25-mode.patch [new file with mode: 0644]
queue-4.14/exportfs-do-not-read-dentry-after-free.patch [new file with mode: 0644]
queue-4.14/fscache-cachefiles-remove-redundant-variable-cache.patch [new file with mode: 0644]
queue-4.14/fscache-fix-race-between-enablement-and-dropping-of-.patch [new file with mode: 0644]
queue-4.14/hfs-do-not-free-node-before-using.patch [new file with mode: 0644]
queue-4.14/hfsplus-do-not-free-node-before-using.patch [new file with mode: 0644]
queue-4.14/hwmon-ina2xx-fix-current-value-calculation.patch [new file with mode: 0644]
queue-4.14/hwmon-ina2xx-fix-null-id-pointer-in-probe.patch [new file with mode: 0644]
queue-4.14/hwmon-w83795-temp4_type-has-writable-permission.patch [new file with mode: 0644]
queue-4.14/ib-mlx5-fix-page-fault-handling-for-mw.patch [new file with mode: 0644]
queue-4.14/igb-fix-uninitialized-variables.patch [new file with mode: 0644]
queue-4.14/iio-hid-sensors-fix-iio_chan_info_raw-returning-wron.patch [new file with mode: 0644]
queue-4.14/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch [new file with mode: 0644]
queue-4.14/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch [new file with mode: 0644]
queue-4.14/kvm-x86-fix-empty-body-warnings.patch [new file with mode: 0644]
queue-4.14/mm-page_alloc.c-fix-calculation-of-pgdat-nr_zones.patch [new file with mode: 0644]
queue-4.14/net-hisilicon-remove-unexpected-free_netdev.patch [new file with mode: 0644]
queue-4.14/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch [new file with mode: 0644]
queue-4.14/netfilter-ipv6-preserve-link-scope-traffic-original-.patch [new file with mode: 0644]
queue-4.14/netfilter-nf_tables-deactivate-expressions-in-rule-r.patch [new file with mode: 0644]
queue-4.14/netfilter-nf_tables-fix-use-after-free-when-deleting.patch [new file with mode: 0644]
queue-4.14/netfilter-xt_hashlimit-fix-a-possible-memory-leak-in.patch [new file with mode: 0644]
queue-4.14/nvme-flush-namespace-scanning-work-just-before-remov.patch [new file with mode: 0644]
queue-4.14/objtool-fix-double-free-in-.cold-detection-error-pat.patch [new file with mode: 0644]
queue-4.14/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch [new file with mode: 0644]
queue-4.14/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch [new file with mode: 0644]
queue-4.14/ocfs2-fix-potential-use-after-free.patch [new file with mode: 0644]
queue-4.14/pci-imx6-fix-link-training-status-detection-in-link-.patch [new file with mode: 0644]
queue-4.14/perf-tools-restore-proper-cwd-on-return-from-mnt-nam.patch [new file with mode: 0644]
queue-4.14/printk-add-console-owner-and-waiter-logic-to-load-ba.patch [new file with mode: 0644]
queue-4.14/printk-hide-console-waiter-logic-into-helpers.patch [new file with mode: 0644]
queue-4.14/printk-never-set-console_may_schedule-in-console_try.patch [new file with mode: 0644]
queue-4.14/printk-wake-klogd-when-passing-console_lock-owner.patch [new file with mode: 0644]
queue-4.14/pstore-ram-correctly-calculate-usable-prz-bytes.patch [new file with mode: 0644]
queue-4.14/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch [new file with mode: 0644]
queue-4.14/rdma-rdmavt-fix-rvt_create_ah-function-signature.patch [new file with mode: 0644]
queue-4.14/revert-printk-never-set-console_may_schedule-in-cons.patch [new file with mode: 0644]
queue-4.14/revert-xen-balloon-mark-unallocated-host-memory-as-u.patch [new file with mode: 0644]
queue-4.14/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch [new file with mode: 0644]
queue-4.14/selftests-add-script-to-stress-test-nft-packet-path-.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/staging-rtl8723bs-fix-the-return-value-in-case-of-er.patch [new file with mode: 0644]
queue-4.14/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch [new file with mode: 0644]
queue-4.14/usb-gadget-u_ether-fix-unsafe-list-iteration.patch [new file with mode: 0644]
queue-4.14/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch [new file with mode: 0644]
queue-4.14/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch [new file with mode: 0644]
queue-4.14/usb-omap_udc-fix-rejection-of-out-transfers-when-dma.patch [new file with mode: 0644]
queue-4.14/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch [new file with mode: 0644]
queue-4.14/usb-omap_udc-use-devm_request_irq.patch [new file with mode: 0644]
queue-4.14/x86-kvm-vmx-fix-old-style-function-declaration.patch [new file with mode: 0644]
queue-4.14/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch [new file with mode: 0644]

diff --git a/queue-4.14/acpi-iort-fix-iort_get_platform_device_domain-uninit.patch b/queue-4.14/acpi-iort-fix-iort_get_platform_device_domain-uninit.patch
new file mode 100644 (file)
index 0000000..fef1a60
--- /dev/null
@@ -0,0 +1,54 @@
+From 18bbcbb336b736dfe9f583d3277c21fce9af1300 Mon Sep 17 00:00:00 2001
+From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Date: Thu, 29 Nov 2018 09:55:59 +0000
+Subject: ACPI/IORT: Fix iort_get_platform_device_domain() uninitialized
+ pointer value
+
+[ Upstream commit ea2412dc21cc790335d319181dddc43682aef164 ]
+
+Running the Clang static analyzer on IORT code detected the following
+error:
+
+Logic error: Branch condition evaluates to a garbage value
+
+in
+
+iort_get_platform_device_domain()
+
+If the named component associated with a given device has no IORT
+mappings, iort_get_platform_device_domain() exits its MSI mapping loop
+with msi_parent pointer containing garbage, which can lead to erroneous
+code path execution.
+
+Initialize the msi_parent pointer, fixing the bug.
+
+Fixes: d4f54a186667 ("ACPI: platform: setup MSI domain for ACPI based
+platform device")
+Reported-by: Patrick Bellasi <patrick.bellasi@arm.com>
+Reviewed-by: Hanjun Guo <hanjun.guo@linaro.org>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Cc: Sudeep Holla <sudeep.holla@arm.com>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/arm64/iort.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c
+index de56394dd161..ca414910710e 100644
+--- a/drivers/acpi/arm64/iort.c
++++ b/drivers/acpi/arm64/iort.c
+@@ -547,7 +547,7 @@ struct irq_domain *iort_get_device_domain(struct device *dev, u32 req_id)
+  */
+ static struct irq_domain *iort_get_platform_device_domain(struct device *dev)
+ {
+-      struct acpi_iort_node *node, *msi_parent;
++      struct acpi_iort_node *node, *msi_parent = NULL;
+       struct fwnode_handle *iort_fwnode;
+       struct acpi_iort_its_group *its;
+       int i;
+-- 
+2.19.1
+
diff --git a/queue-4.14/arm-dts-at91-sama5d2-use-the-divided-clock-for-smc.patch b/queue-4.14/arm-dts-at91-sama5d2-use-the-divided-clock-for-smc.patch
new file mode 100644 (file)
index 0000000..6eafec5
--- /dev/null
@@ -0,0 +1,41 @@
+From c8477ccd7cb76bcae1e1eb2cfab018728a65228c Mon Sep 17 00:00:00 2001
+From: Romain Izard <romain.izard.pro@gmail.com>
+Date: Tue, 20 Nov 2018 17:57:37 +0100
+Subject: ARM: dts: at91: sama5d2: use the divided clock for SMC
+
+[ Upstream commit 4ab7ca092c3c7ac8b16aa28eba723a8868f82f14 ]
+
+The SAMA5D2 is different from SAMA5D3 and SAMA5D4, as there are two
+different clocks for the peripherals in the SoC. The Static Memory
+controller is connected to the divided master clock.
+
+Unfortunately, the device tree does not correctly show this and uses the
+master clock directly. This clock is then used by the code for the NAND
+controller to calculate the timings for the controller, and we end up with
+slow NAND Flash access.
+
+Fix the device tree, and the performance of Flash access is improved.
+
+Signed-off-by: Romain Izard <romain.izard.pro@gmail.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/sama5d2.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/sama5d2.dtsi b/arch/arm/boot/dts/sama5d2.dtsi
+index b1a26b42d190..a8e4b89097d9 100644
+--- a/arch/arm/boot/dts/sama5d2.dtsi
++++ b/arch/arm/boot/dts/sama5d2.dtsi
+@@ -308,7 +308,7 @@
+                                 0x1 0x0 0x60000000 0x10000000
+                                 0x2 0x0 0x70000000 0x10000000
+                                 0x3 0x0 0x80000000 0x10000000>;
+-                      clocks = <&mck>;
++                      clocks = <&h32ck>;
+                       status = "disabled";
+                       nand_controller: nand-controller {
+-- 
+2.19.1
+
diff --git a/queue-4.14/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch b/queue-4.14/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch
new file mode 100644 (file)
index 0000000..8fdc741
--- /dev/null
@@ -0,0 +1,36 @@
+From 4a7b9c7ae571fb5880fc271b2be83859744e30d8 Mon Sep 17 00:00:00 2001
+From: Adam Ford <aford173@gmail.com>
+Date: Sun, 28 Oct 2018 15:29:27 -0500
+Subject: ARM: dts: logicpd-somlv: Fix interrupt on mmc3_dat1
+
+[ Upstream commit 3d8b804bc528d3720ec0c39c212af92dafaf6e84 ]
+
+The interrupt on mmc3_dat1 is wrong which prevents this from
+appearing in /proc/interrupts.
+
+Fixes: ab8dd3aed011 ("ARM: DTS: Add minimal Support for Logic PD
+DM3730 SOM-LV") #Kernel 4.9+
+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/logicpd-som-lv.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/logicpd-som-lv.dtsi b/arch/arm/boot/dts/logicpd-som-lv.dtsi
+index c335b923753a..a7883676f675 100644
+--- a/arch/arm/boot/dts/logicpd-som-lv.dtsi
++++ b/arch/arm/boot/dts/logicpd-som-lv.dtsi
+@@ -123,7 +123,7 @@
+ };
+ &mmc3 {
+-      interrupts-extended = <&intc 94 &omap3_pmx_core2 0x46>;
++      interrupts-extended = <&intc 94 &omap3_pmx_core 0x136>;
+       pinctrl-0 = <&mmc3_pins &wl127x_gpio>;
+       pinctrl-names = "default";
+       vmmc-supply = <&wl12xx_vmmc>;
+-- 
+2.19.1
+
diff --git a/queue-4.14/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch b/queue-4.14/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch
new file mode 100644 (file)
index 0000000..7da4945
--- /dev/null
@@ -0,0 +1,40 @@
+From 88c5b40290a1cb86b86bb403729bdeb38c44218f Mon Sep 17 00:00:00 2001
+From: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Date: Wed, 7 Nov 2018 22:30:31 +0100
+Subject: ARM: OMAP1: ams-delta: Fix possible use of uninitialized field
+
+[ Upstream commit cec83ff1241ec98113a19385ea9e9cfa9aa4125b ]
+
+While playing with initialization order of modem device, it has been
+discovered that under some circumstances (early console init, I
+believe) its .pm() callback may be called before the
+uart_port->private_data pointer is initialized from
+plat_serial8250_port->private_data, resulting in NULL pointer
+dereference.  Fix it by checking for uninitialized pointer before using
+it in modem_pm().
+
+Fixes: aabf31737a6a ("ARM: OMAP1: ams-delta: update the modem to use regulator API")
+Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap1/board-ams-delta.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/mach-omap1/board-ams-delta.c b/arch/arm/mach-omap1/board-ams-delta.c
+index 6cbc69c92913..4174fa86bfb1 100644
+--- a/arch/arm/mach-omap1/board-ams-delta.c
++++ b/arch/arm/mach-omap1/board-ams-delta.c
+@@ -512,6 +512,9 @@ static void modem_pm(struct uart_port *port, unsigned int state, unsigned old)
+       struct modem_private_data *priv = port->private_data;
+       int ret;
++      if (!priv)
++              return;
++
+       if (IS_ERR(priv->regulator))
+               return;
+-- 
+2.19.1
+
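Review bot: The new `if (!priv) return;` guard in modem_pm() has no comment, so without the commit message a reader cannot tell why `port->private_data` can legitimately be NULL at this point. I would add `/* .pm() may be called before private_data is copied from plat_serial8250_port, possibly during early console init */` above the check. The early return also drops the requested power-state change silently; the visible lines do not show whether it is re-applied once private_data is set, so that is worth confirming. modem_pm() continues outside the hunk.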
diff --git a/queue-4.14/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch b/queue-4.14/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch
new file mode 100644 (file)
index 0000000..b7535fc
--- /dev/null
@@ -0,0 +1,45 @@
+From 229e4316c6c1801a4aabe1631a6f49e74f15ba67 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Wed, 17 Oct 2018 17:54:00 -0700
+Subject: ARM: OMAP2+: prm44xx: Fix section annotation on
+ omap44xx_prm_enable_io_wakeup
+
+[ Upstream commit eef3dc34a1e0b01d53328b88c25237bcc7323777 ]
+
+When building the kernel with Clang, the following section mismatch
+warning appears:
+
+WARNING: vmlinux.o(.text+0x38b3c): Section mismatch in reference from
+the function omap44xx_prm_late_init() to the function
+.init.text:omap44xx_prm_enable_io_wakeup()
+The function omap44xx_prm_late_init() references
+the function __init omap44xx_prm_enable_io_wakeup().
+This is often because omap44xx_prm_late_init lacks a __init
+annotation or the annotation of omap44xx_prm_enable_io_wakeup is wrong.
+
+Remove the __init annotation from omap44xx_prm_enable_io_wakeup so there
+is no more mismatch.
+
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap2/prm44xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap2/prm44xx.c b/arch/arm/mach-omap2/prm44xx.c
+index 1c0c1663f078..5affa9f5300b 100644
+--- a/arch/arm/mach-omap2/prm44xx.c
++++ b/arch/arm/mach-omap2/prm44xx.c
+@@ -344,7 +344,7 @@ static void omap44xx_prm_reconfigure_io_chain(void)
+  * to occur, WAKEUPENABLE bits must be set in the pad mux registers, and
+  * omap44xx_prm_reconfigure_io_chain() must be called.  No return value.
+  */
+-static void __init omap44xx_prm_enable_io_wakeup(void)
++static void omap44xx_prm_enable_io_wakeup(void)
+ {
+       s32 inst = omap4_prmst_get_prm_dev_inst();
+-- 
+2.19.1
+
diff --git a/queue-4.14/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch b/queue-4.14/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch
new file mode 100644 (file)
index 0000000..2f3f702
--- /dev/null
@@ -0,0 +1,57 @@
+From 14d7f10ca5bd0d0bdb7b04a72f88737de2a8b5b4 Mon Sep 17 00:00:00 2001
+From: Tzung-Bi Shih <tzungbi@google.com>
+Date: Wed, 14 Nov 2018 17:06:13 +0800
+Subject: ASoC: dapm: Recalculate audio map forcely when card instantiated
+
+[ Upstream commit 882eab6c28d23a970ae73b7eb831b169a672d456 ]
+
+Audio map are possible in wrong state before card->instantiated has
+been set to true.  Imaging the following examples:
+
+time 1: at the beginning
+
+  in:-1    in:-1    in:-1    in:-1
+ out:-1   out:-1   out:-1   out:-1
+ SIGGEN        A        B      Spk
+
+time 2: after someone called snd_soc_dapm_new_widgets()
+(e.g. create_fill_widget_route_map() in sound/soc/codecs/hdac_hdmi.c)
+
+   in:1     in:0     in:0     in:0
+  out:0    out:0    out:0    out:1
+ SIGGEN        A        B      Spk
+
+time 3: routes added
+
+   in:1     in:0     in:0     in:0
+  out:0    out:0    out:0    out:1
+ SIGGEN -----> A -----> B ---> Spk
+
+In the end, the path should be powered on but it did not.  At time 3,
+"in" of SIGGEN and "out" of Spk did not propagate to their neighbors
+because snd_soc_dapm_add_path() will not invalidate the paths if
+the card has not instantiated (i.e. card->instantiated is false).
+To correct the state of audio map, recalculate the whole map forcely.
+
+Signed-off-by: Tzung-Bi Shih <tzungbi@google.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index fee4b0ef5566..42c2a3065b77 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -2307,6 +2307,7 @@ static int snd_soc_instantiate_card(struct snd_soc_card *card)
+       }
+       card->instantiated = 1;
++      dapm_mark_endpoints_dirty(card);
+       snd_soc_dapm_sync(&card->dapm);
+       mutex_unlock(&card->mutex);
+       mutex_unlock(&client_mutex);
+-- 
+2.19.1
+
diff --git a/queue-4.14/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch b/queue-4.14/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch
new file mode 100644 (file)
index 0000000..f5c82a5
--- /dev/null
@@ -0,0 +1,159 @@
+From 29d08210bad2753c06936519eb52443ba46ad6ef Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 14 Nov 2018 14:58:20 +0200
+Subject: ASoC: omap-abe-twl6040: Fix missing audio card caused by deferred
+ probing
+
+[ Upstream commit 76836fd354922ebe4798a64fda01f8dc6a8b0984 ]
+
+The machine driver fails to probe in next-20181113 with:
+
+[    2.539093] omap-abe-twl6040 sound: ASoC: CODEC DAI twl6040-legacy not registered
+[    2.546630] omap-abe-twl6040 sound: devm_snd_soc_register_card() failed: -517
+...
+[    3.693206] omap-abe-twl6040 sound: ASoC: Both platform name/of_node are set for TWL6040
+[    3.701446] omap-abe-twl6040 sound: ASoC: failed to init link TWL6040
+[    3.708007] omap-abe-twl6040 sound: devm_snd_soc_register_card() failed: -22
+[    3.715148] omap-abe-twl6040: probe of sound failed with error -22
+
+Bisect pointed to a merge commit:
+first bad commit: [0f688ab20a540aafa984c5dbd68a71debebf4d7f] Merge remote-tracking branch 'net-next/master'
+
+and a diff between a working kernel does not reveal anything which would
+explain the change in behavior.
+
+Further investigation showed that on the second try of loading fails
+because the dai_link->platform is no longer NULL and it might be pointing
+to uninitialized memory.
+
+The fix is to move the snd_soc_dai_link and snd_soc_card inside of the
+abe_twl6040 struct, which is dynamically allocated every time the driver
+probes.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/omap/omap-abe-twl6040.c | 67 +++++++++++++------------------
+ 1 file changed, 29 insertions(+), 38 deletions(-)
+
+diff --git a/sound/soc/omap/omap-abe-twl6040.c b/sound/soc/omap/omap-abe-twl6040.c
+index 614b18d2f631..6fd143799534 100644
+--- a/sound/soc/omap/omap-abe-twl6040.c
++++ b/sound/soc/omap/omap-abe-twl6040.c
+@@ -36,6 +36,8 @@
+ #include "../codecs/twl6040.h"
+ struct abe_twl6040 {
++      struct snd_soc_card card;
++      struct snd_soc_dai_link dai_links[2];
+       int     jack_detection; /* board can detect jack events */
+       int     mclk_freq;      /* MCLK frequency speed for twl6040 */
+ };
+@@ -208,40 +210,10 @@ static int omap_abe_dmic_init(struct snd_soc_pcm_runtime *rtd)
+                               ARRAY_SIZE(dmic_audio_map));
+ }
+-/* Digital audio interface glue - connects codec <--> CPU */
+-static struct snd_soc_dai_link abe_twl6040_dai_links[] = {
+-      {
+-              .name = "TWL6040",
+-              .stream_name = "TWL6040",
+-              .codec_dai_name = "twl6040-legacy",
+-              .codec_name = "twl6040-codec",
+-              .init = omap_abe_twl6040_init,
+-              .ops = &omap_abe_ops,
+-      },
+-      {
+-              .name = "DMIC",
+-              .stream_name = "DMIC Capture",
+-              .codec_dai_name = "dmic-hifi",
+-              .codec_name = "dmic-codec",
+-              .init = omap_abe_dmic_init,
+-              .ops = &omap_abe_dmic_ops,
+-      },
+-};
+-
+-/* Audio machine driver */
+-static struct snd_soc_card omap_abe_card = {
+-      .owner = THIS_MODULE,
+-
+-      .dapm_widgets = twl6040_dapm_widgets,
+-      .num_dapm_widgets = ARRAY_SIZE(twl6040_dapm_widgets),
+-      .dapm_routes = audio_map,
+-      .num_dapm_routes = ARRAY_SIZE(audio_map),
+-};
+-
+ static int omap_abe_probe(struct platform_device *pdev)
+ {
+       struct device_node *node = pdev->dev.of_node;
+-      struct snd_soc_card *card = &omap_abe_card;
++      struct snd_soc_card *card;
+       struct device_node *dai_node;
+       struct abe_twl6040 *priv;
+       int num_links = 0;
+@@ -252,12 +224,18 @@ static int omap_abe_probe(struct platform_device *pdev)
+               return -ENODEV;
+       }
+-      card->dev = &pdev->dev;
+-
+       priv = devm_kzalloc(&pdev->dev, sizeof(struct abe_twl6040), GFP_KERNEL);
+       if (priv == NULL)
+               return -ENOMEM;
++      card = &priv->card;
++      card->dev = &pdev->dev;
++      card->owner = THIS_MODULE;
++      card->dapm_widgets = twl6040_dapm_widgets;
++      card->num_dapm_widgets = ARRAY_SIZE(twl6040_dapm_widgets);
++      card->dapm_routes = audio_map;
++      card->num_dapm_routes = ARRAY_SIZE(audio_map);
++
+       if (snd_soc_of_parse_card_name(card, "ti,model")) {
+               dev_err(&pdev->dev, "Card name is not provided\n");
+               return -ENODEV;
+@@ -274,14 +252,27 @@ static int omap_abe_probe(struct platform_device *pdev)
+               dev_err(&pdev->dev, "McPDM node is not provided\n");
+               return -EINVAL;
+       }
+-      abe_twl6040_dai_links[0].cpu_of_node = dai_node;
+-      abe_twl6040_dai_links[0].platform_of_node = dai_node;
++
++      priv->dai_links[0].name = "DMIC";
++      priv->dai_links[0].stream_name = "TWL6040";
++      priv->dai_links[0].cpu_of_node = dai_node;
++      priv->dai_links[0].platform_of_node = dai_node;
++      priv->dai_links[0].codec_dai_name = "twl6040-legacy";
++      priv->dai_links[0].codec_name = "twl6040-codec";
++      priv->dai_links[0].init = omap_abe_twl6040_init;
++      priv->dai_links[0].ops = &omap_abe_ops;
+       dai_node = of_parse_phandle(node, "ti,dmic", 0);
+       if (dai_node) {
+               num_links = 2;
+-              abe_twl6040_dai_links[1].cpu_of_node = dai_node;
+-              abe_twl6040_dai_links[1].platform_of_node = dai_node;
++              priv->dai_links[1].name = "TWL6040";
++              priv->dai_links[1].stream_name = "DMIC Capture";
++              priv->dai_links[1].cpu_of_node = dai_node;
++              priv->dai_links[1].platform_of_node = dai_node;
++              priv->dai_links[1].codec_dai_name = "dmic-hifi";
++              priv->dai_links[1].codec_name = "dmic-codec";
++              priv->dai_links[1].init = omap_abe_dmic_init;
++              priv->dai_links[1].ops = &omap_abe_dmic_ops;
+       } else {
+               num_links = 1;
+       }
+@@ -300,7 +291,7 @@ static int omap_abe_probe(struct platform_device *pdev)
+               return -ENODEV;
+       }
+-      card->dai_link = abe_twl6040_dai_links;
++      card->dai_link = priv->dai_links;
+       card->num_links = num_links;
+       snd_soc_card_set_drvdata(card, priv);
+-- 
+2.19.1
+
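Review bot: The dai_link names are swapped relative to the static table this patch removes. `priv->dai_links[0].name` is set to "DMIC" although its stream_name, codec names and init callback are the TWL6040 ones, and `priv->dai_links[1].name` is set to "TWL6040" for the DMIC capture link. The removed initializer had `.name = "TWL6040"` at index 0 and `.name = "DMIC"` at index 1, so this looks unintended and would change the link names the card exposes. The two assignments should read `priv->dai_links[0].name = "TWL6040";` and `priv->dai_links[1].name = "DMIC";`. omap_abe_probe() starts and ends outside these hunks.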
diff --git a/queue-4.14/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch b/queue-4.14/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch
new file mode 100644 (file)
index 0000000..ff07d53
--- /dev/null
@@ -0,0 +1,63 @@
+From ba2733060495b067b65a344aa2fa1fbc31bc1506 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 14 Nov 2018 13:06:23 +0200
+Subject: ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE
+
+[ Upstream commit ffdcc3638c58d55a6fa68b6e5dfd4fb4109652eb ]
+
+We need to block sleep states which would require longer time to leave than
+the time the DMA must react to the DMA request in order to keep the FIFO
+serviced without overrun.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Acked-by: Jarkko Nikula <jarkko.nikula@bitmer.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/omap/omap-dmic.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/sound/soc/omap/omap-dmic.c b/sound/soc/omap/omap-dmic.c
+index 09db2aec12a3..776e809a8aab 100644
+--- a/sound/soc/omap/omap-dmic.c
++++ b/sound/soc/omap/omap-dmic.c
+@@ -48,6 +48,8 @@ struct omap_dmic {
+       struct device *dev;
+       void __iomem *io_base;
+       struct clk *fclk;
++      struct pm_qos_request pm_qos_req;
++      int latency;
+       int fclk_freq;
+       int out_freq;
+       int clk_div;
+@@ -124,6 +126,8 @@ static void omap_dmic_dai_shutdown(struct snd_pcm_substream *substream,
+       mutex_lock(&dmic->mutex);
++      pm_qos_remove_request(&dmic->pm_qos_req);
++
+       if (!dai->active)
+               dmic->active = 0;
+@@ -226,6 +230,8 @@ static int omap_dmic_dai_hw_params(struct snd_pcm_substream *substream,
+       /* packet size is threshold * channels */
+       dma_data = snd_soc_dai_get_dma_data(dai, substream);
+       dma_data->maxburst = dmic->threshold * channels;
++      dmic->latency = (OMAP_DMIC_THRES_MAX - dmic->threshold) * USEC_PER_SEC /
++                      params_rate(params);
+       return 0;
+ }
+@@ -236,6 +242,9 @@ static int omap_dmic_dai_prepare(struct snd_pcm_substream *substream,
+       struct omap_dmic *dmic = snd_soc_dai_get_drvdata(dai);
+       u32 ctrl;
++      if (pm_qos_request_active(&dmic->pm_qos_req))
++              pm_qos_update_request(&dmic->pm_qos_req, dmic->latency);
++
+       /* Configure uplink threshold */
+       omap_dmic_write(dmic, OMAP_DMIC_FIFO_CTRL_REG, dmic->threshold);
+-- 
+2.19.1
+
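Review bot: omap_dmic_dai_shutdown() now calls `pm_qos_remove_request(&dmic->pm_qos_req)` unconditionally, while omap_dmic_dai_prepare() only updates the request when `pm_qos_request_active()` is true, and none of the visible hunks adds a `pm_qos_add_request()` call. If the request is not added elsewhere in the file, the latency computed in hw_params is never applied and the remove runs on an inactive request, which the pm_qos core is expected to report with a warning. I would guard the remove with `if (pm_qos_request_active(&dmic->pm_qos_req))` and extend prepare with `else if (dmic->latency) pm_qos_add_request(&dmic->pm_qos_req, PM_QOS_CPU_DMA_LATENCY, dmic->latency);`, as the McPDM patch in this same queue does. All three functions continue outside their hunks.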
diff --git a/queue-4.14/asoc-omap-mcbsp-fix-latency-value-calculation-for-pm.patch b/queue-4.14/asoc-omap-mcbsp-fix-latency-value-calculation-for-pm.patch
new file mode 100644 (file)
index 0000000..a0c8b55
--- /dev/null
@@ -0,0 +1,38 @@
+From b9e1e81936f8347648fe68f59ee6f55c6bbdd4ca Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 14 Nov 2018 13:06:21 +0200
+Subject: ASoC: omap-mcbsp: Fix latency value calculation for pm_qos
+
+[ Upstream commit dd2f52d8991af9fe0928d59ec502ba52be7bc38d ]
+
+The latency number is in usec for the pm_qos. Correct the calculation to
+give us the time in usec
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Acked-by: Jarkko Nikula <jarkko.nikula@bitmer.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/omap/omap-mcbsp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/omap/omap-mcbsp.c b/sound/soc/omap/omap-mcbsp.c
+index 6b40bdbef336..47c2ed5ca492 100644
+--- a/sound/soc/omap/omap-mcbsp.c
++++ b/sound/soc/omap/omap-mcbsp.c
+@@ -308,9 +308,9 @@ static int omap_mcbsp_dai_hw_params(struct snd_pcm_substream *substream,
+                       pkt_size = channels;
+               }
+-              latency = ((((buffer_size - pkt_size) / channels) * 1000)
+-                               / (params->rate_num / params->rate_den));
+-
++              latency = (buffer_size - pkt_size) / channels;
++              latency = latency * USEC_PER_SEC /
++                        (params->rate_num / params->rate_den);
+               mcbsp->latency[substream->stream] = latency;
+               omap_mcbsp_set_threshold(substream, pkt_size);
+-- 
+2.19.1
+
diff --git a/queue-4.14/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch b/queue-4.14/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch
new file mode 100644 (file)
index 0000000..4b70e95
--- /dev/null
@@ -0,0 +1,127 @@
+From f37666e0f302884908ecc1490ab18c96b3939062 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 14 Nov 2018 13:06:22 +0200
+Subject: ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with
+ CPU_IDLE
+
+[ Upstream commit 373a500e34aea97971c9d71e45edad458d3da98f ]
+
+We need to block sleep states which would require longer time to leave than
+the time the DMA must react to the DMA request in order to keep the FIFO
+serviced without under of overrun.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Acked-by: Jarkko Nikula <jarkko.nikula@bitmer.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/omap/omap-mcpdm.c | 43 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 42 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/omap/omap-mcpdm.c b/sound/soc/omap/omap-mcpdm.c
+index 64609c77a79d..44ffeb71cd1d 100644
+--- a/sound/soc/omap/omap-mcpdm.c
++++ b/sound/soc/omap/omap-mcpdm.c
+@@ -54,6 +54,8 @@ struct omap_mcpdm {
+       unsigned long phys_base;
+       void __iomem *io_base;
+       int irq;
++      struct pm_qos_request pm_qos_req;
++      int latency[2];
+       struct mutex mutex;
+@@ -277,6 +279,9 @@ static void omap_mcpdm_dai_shutdown(struct snd_pcm_substream *substream,
+                                 struct snd_soc_dai *dai)
+ {
+       struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai);
++      int tx = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK);
++      int stream1 = tx ? SNDRV_PCM_STREAM_PLAYBACK : SNDRV_PCM_STREAM_CAPTURE;
++      int stream2 = tx ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
+       mutex_lock(&mcpdm->mutex);
+@@ -289,6 +294,14 @@ static void omap_mcpdm_dai_shutdown(struct snd_pcm_substream *substream,
+               }
+       }
++      if (mcpdm->latency[stream2])
++              pm_qos_update_request(&mcpdm->pm_qos_req,
++                                    mcpdm->latency[stream2]);
++      else if (mcpdm->latency[stream1])
++              pm_qos_remove_request(&mcpdm->pm_qos_req);
++
++      mcpdm->latency[stream1] = 0;
++
+       mutex_unlock(&mcpdm->mutex);
+ }
+@@ -300,7 +313,7 @@ static int omap_mcpdm_dai_hw_params(struct snd_pcm_substream *substream,
+       int stream = substream->stream;
+       struct snd_dmaengine_dai_dma_data *dma_data;
+       u32 threshold;
+-      int channels;
++      int channels, latency;
+       int link_mask = 0;
+       channels = params_channels(params);
+@@ -340,14 +353,25 @@ static int omap_mcpdm_dai_hw_params(struct snd_pcm_substream *substream,
+               dma_data->maxburst =
+                               (MCPDM_DN_THRES_MAX - threshold) * channels;
++              latency = threshold;
+       } else {
+               /* If playback is not running assume a stereo stream to come */
+               if (!mcpdm->config[!stream].link_mask)
+                       mcpdm->config[!stream].link_mask = (0x3 << 3);
+               dma_data->maxburst = threshold * channels;
++              latency = (MCPDM_DN_THRES_MAX - threshold);
+       }
++      /*
++       * The DMA must act to a DMA request within latency time (usec) to avoid
++       * under/overflow
++       */
++      mcpdm->latency[stream] = latency * USEC_PER_SEC / params_rate(params);
++
++      if (!mcpdm->latency[stream])
++              mcpdm->latency[stream] = 10;
++
+       /* Check if we need to restart McPDM with this stream */
+       if (mcpdm->config[stream].link_mask &&
+           mcpdm->config[stream].link_mask != link_mask)
+@@ -362,6 +386,20 @@ static int omap_mcpdm_prepare(struct snd_pcm_substream *substream,
+                                 struct snd_soc_dai *dai)
+ {
+       struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai);
++      struct pm_qos_request *pm_qos_req = &mcpdm->pm_qos_req;
++      int tx = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK);
++      int stream1 = tx ? SNDRV_PCM_STREAM_PLAYBACK : SNDRV_PCM_STREAM_CAPTURE;
++      int stream2 = tx ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
++      int latency = mcpdm->latency[stream2];
++
++      /* Prevent omap hardware from hitting off between FIFO fills */
++      if (!latency || mcpdm->latency[stream1] < latency)
++              latency = mcpdm->latency[stream1];
++
++      if (pm_qos_request_active(pm_qos_req))
++              pm_qos_update_request(pm_qos_req, latency);
++      else if (latency)
++              pm_qos_add_request(pm_qos_req, PM_QOS_CPU_DMA_LATENCY, latency);
+       if (!omap_mcpdm_active(mcpdm)) {
+               omap_mcpdm_start(mcpdm);
+@@ -423,6 +461,9 @@ static int omap_mcpdm_remove(struct snd_soc_dai *dai)
+       free_irq(mcpdm->irq, (void *)mcpdm);
+       pm_runtime_disable(mcpdm->dev);
++      if (pm_qos_request_active(&mcpdm->pm_qos_req))
++              pm_qos_remove_request(&mcpdm->pm_qos_req);
++
+       return 0;
+ }
+-- 
+2.19.1
+
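Review bot: In omap_mcpdm_dai_shutdown() the new `pm_qos_update_request()` and `pm_qos_remove_request()` calls are keyed on `mcpdm->latency[]`, which is filled in hw_params, whereas the request itself is only added in omap_mcpdm_prepare(). A substream closed after hw_params without prepare having run would therefore reach update or remove on a request that was never added. omap_mcpdm_remove() in this same patch already guards with `pm_qos_request_active()`, and shutdown should do the same. I would wrap the two branches in `if (pm_qos_request_active(&mcpdm->pm_qos_req)) { ... }` and still clear `mcpdm->latency[stream1]` unconditionally. The shutdown, hw_params and prepare bodies extend outside the hunks.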
diff --git a/queue-4.14/asoc-rsnd-fixup-clock-start-checker.patch b/queue-4.14/asoc-rsnd-fixup-clock-start-checker.patch
new file mode 100644 (file)
index 0000000..8d195f8
--- /dev/null
@@ -0,0 +1,43 @@
+From 365d0e7c3acaf08a17092dbfa89992e6b2ddf0c6 Mon Sep 17 00:00:00 2001
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Date: Wed, 31 Oct 2018 00:48:12 +0000
+Subject: ASoC: rsnd: fixup clock start checker
+
+[ Upstream commit 3ee9a76a8c5a10e1bfb04b81db767c6d562ddaf3 ]
+
+commit 4d230d12710646 ("ASoC: rsnd: fixup not to call clk_get/set under
+non-atomic") fixuped clock start timing. But it exchanged clock start
+checker from ssi->usrcnt to ssi->rate.
+
+Current rsnd_ssi_master_clk_start() is called from .prepare,
+but some player (for example GStreamer) might calls it many times.
+In such case, the checker might returns error even though it was not
+error. It should check ssi->usrcnt instead of ssi->rate.
+This patch fixup it. Without this patch, GStreamer can't switch
+48kHz / 44.1kHz.
+
+Reported-by: Yusuke Goda <yusuke.goda.sx@renesas.com>
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Tested-by: Yusuke Goda <yusuke.goda.sx@renesas.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sh/rcar/ssi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c
+index 34223c8c28a8..0db2791f7035 100644
+--- a/sound/soc/sh/rcar/ssi.c
++++ b/sound/soc/sh/rcar/ssi.c
+@@ -280,7 +280,7 @@ static int rsnd_ssi_master_clk_start(struct rsnd_mod *mod,
+       if (rsnd_ssi_is_multi_slave(mod, io))
+               return 0;
+-      if (ssi->rate) {
++      if (ssi->usrcnt > 1) {
+               if (ssi->rate != rate) {
+                       dev_err(dev, "SSI parent/child should use same rate\n");
+                       return -EINVAL;
+-- 
+2.19.1
+
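Review bot: The new guard `if (ssi->usrcnt > 1)` in rsnd_ssi_master_clk_start() works only if usrcnt has already been incremented for the current caller before this function runs, and nothing in the hunk shows that ordering. A one-line comment above the test, such as `/* usrcnt already counts this stream; > 1 means another stream shares the SSI and has fixed the rate */`, would keep a later change from going back to `ssi->rate`. The function starts and ends outside the hunk, so the ordering should be confirmed against the caller before the comment is written as fact.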
diff --git a/queue-4.14/asoc-wm_adsp-fix-dma-unsafe-read-of-scratch-register.patch b/queue-4.14/asoc-wm_adsp-fix-dma-unsafe-read-of-scratch-register.patch
new file mode 100644 (file)
index 0000000..0acead1
--- /dev/null
@@ -0,0 +1,88 @@
+From bacaff98d6a4b88093e821465a450f7b1b984ae5 Mon Sep 17 00:00:00 2001
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+Date: Mon, 12 Nov 2018 13:36:38 +0000
+Subject: ASoC: wm_adsp: Fix dma-unsafe read of scratch registers
+
+[ Upstream commit 20e00db2f59bdddf8a8e241473ef8be94631d3ae ]
+
+Stack memory isn't DMA-safe so it isn't safe to use either
+regmap_raw_read or regmap_bulk_read to read into stack memory.
+
+The two functions to read the scratch registers were using
+stack memory and regmap_raw_read. It's not worth allocating
+memory just for this trivial read, and it isn't time-critical.
+A simple regmap_read for each register is sufficient.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wm_adsp.c | 37 ++++++++++++++++++++-----------------
+ 1 file changed, 20 insertions(+), 17 deletions(-)
+
+diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c
+index 989d093abda7..67330b6ab204 100644
+--- a/sound/soc/codecs/wm_adsp.c
++++ b/sound/soc/codecs/wm_adsp.c
+@@ -787,38 +787,41 @@ static unsigned int wm_adsp_region_to_reg(struct wm_adsp_region const *mem,
+ static void wm_adsp2_show_fw_status(struct wm_adsp *dsp)
+ {
+-      u16 scratch[4];
++      unsigned int scratch[4];
++      unsigned int addr = dsp->base + ADSP2_SCRATCH0;
++      unsigned int i;
+       int ret;
+-      ret = regmap_raw_read(dsp->regmap, dsp->base + ADSP2_SCRATCH0,
+-                              scratch, sizeof(scratch));
+-      if (ret) {
+-              adsp_err(dsp, "Failed to read SCRATCH regs: %d\n", ret);
+-              return;
++      for (i = 0; i < ARRAY_SIZE(scratch); ++i) {
++              ret = regmap_read(dsp->regmap, addr + i, &scratch[i]);
++              if (ret) {
++                      adsp_err(dsp, "Failed to read SCRATCH%u: %d\n", i, ret);
++                      return;
++              }
+       }
+       adsp_dbg(dsp, "FW SCRATCH 0:0x%x 1:0x%x 2:0x%x 3:0x%x\n",
+-               be16_to_cpu(scratch[0]),
+-               be16_to_cpu(scratch[1]),
+-               be16_to_cpu(scratch[2]),
+-               be16_to_cpu(scratch[3]));
++               scratch[0], scratch[1], scratch[2], scratch[3]);
+ }
+ static void wm_adsp2v2_show_fw_status(struct wm_adsp *dsp)
+ {
+-      u32 scratch[2];
++      unsigned int scratch[2];
+       int ret;
+-      ret = regmap_raw_read(dsp->regmap, dsp->base + ADSP2V2_SCRATCH0_1,
+-                            scratch, sizeof(scratch));
+-
++      ret = regmap_read(dsp->regmap, dsp->base + ADSP2V2_SCRATCH0_1,
++                        &scratch[0]);
+       if (ret) {
+-              adsp_err(dsp, "Failed to read SCRATCH regs: %d\n", ret);
++              adsp_err(dsp, "Failed to read SCRATCH0_1: %d\n", ret);
+               return;
+       }
+-      scratch[0] = be32_to_cpu(scratch[0]);
+-      scratch[1] = be32_to_cpu(scratch[1]);
++      ret = regmap_read(dsp->regmap, dsp->base + ADSP2V2_SCRATCH2_3,
++                        &scratch[1]);
++      if (ret) {
++              adsp_err(dsp, "Failed to read SCRATCH2_3: %d\n", ret);
++              return;
++      }
+       adsp_dbg(dsp, "FW SCRATCH 0:0x%x 1:0x%x 2:0x%x 3:0x%x\n",
+                scratch[0] & 0xFFFF,
+-- 
+2.19.1
+
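Review bot: In wm_adsp2_show_fw_status() the loop reads `addr + i`, which assumes the four SCRATCH registers sit at consecutive register numbers with a stride of 1; the hunk does not show the register map, so that assumption should be written down. I would add `/* SCRATCH0..3 are consecutive registers; read one at a time because regmap_raw_read() into stack memory is not DMA-safe */` above the loop, so the reason for per-register reads stays next to the code rather than only in the changelog. The same reason applies to the two regmap_read() calls in wm_adsp2v2_show_fw_status(), whose body continues past the end of the hunk.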
diff --git a/queue-4.14/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch b/queue-4.14/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch
new file mode 100644 (file)
index 0000000..43d4c55
--- /dev/null
@@ -0,0 +1,44 @@
+From 0887094f736c365636a17498d7aeda78ce544a03 Mon Sep 17 00:00:00 2001
+From: Martynas Pumputis <m@lambda.lt>
+Date: Fri, 23 Nov 2018 17:43:26 +0100
+Subject: bpf: fix check of allowed specifiers in bpf_trace_printk
+
+[ Upstream commit 1efb6ee3edea57f57f9fb05dba8dcb3f7333f61f ]
+
+A format string consisting of "%p" or "%s" followed by an invalid
+specifier (e.g. "%p%\n" or "%s%") could pass the check which
+would make format_decode (lib/vsprintf.c) to warn.
+
+Fixes: 9c959c863f82 ("tracing: Allow BPF programs to call bpf_trace_printk()")
+Reported-by: syzbot+1ec5c5ec949c4adaa0c4@syzkaller.appspotmail.com
+Signed-off-by: Martynas Pumputis <m@lambda.lt>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/bpf_trace.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index 6350f64d5aa4..f9dd8fd055a6 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -161,11 +161,13 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
+                       i++;
+               } else if (fmt[i] == 'p' || fmt[i] == 's') {
+                       mod[fmt_cnt]++;
+-                      i++;
+-                      if (!isspace(fmt[i]) && !ispunct(fmt[i]) && fmt[i] != 0)
++                      /* disallow any further format extensions */
++                      if (fmt[i + 1] != 0 &&
++                          !isspace(fmt[i + 1]) &&
++                          !ispunct(fmt[i + 1]))
+                               return -EINVAL;
+                       fmt_cnt++;
+-                      if (fmt[i - 1] == 's') {
++                      if (fmt[i] == 's') {
+                               if (str_seen)
+                                       /* allow only one '%s' per fmt string */
+                                       return -EINVAL;
+-- 
+2.19.1
+
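Review bot: The rewritten check reads `fmt[i + 1]`, one byte past the current loop index, and is in bounds only if the buffer is guaranteed to hold a terminating NUL no later than the last index the loop can reach plus one; that guarantee is not visible in this hunk. bpf_trace_printk() starts outside the hunk, so presumably an earlier check rejects unterminated strings, but the dependency deserves a comment, for example `/* fmt is NUL-terminated (checked above), so fmt[i + 1] is readable */`. Without it, a later change to the termination check could turn this into an out-of-bounds read of a buffer supplied by a BPF program.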
diff --git a/queue-4.14/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch b/queue-4.14/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch
new file mode 100644 (file)
index 0000000..bc199ce
--- /dev/null
@@ -0,0 +1,200 @@
+From 722daadac3d6596bc2d516854984950cbad7b0e5 Mon Sep 17 00:00:00 2001
+From: Robbie Ko <robbieko@synology.com>
+Date: Wed, 14 Nov 2018 18:32:37 +0000
+Subject: Btrfs: send, fix infinite loop due to directory rename dependencies
+
+[ Upstream commit a4390aee72713d9e73f1132bcdeb17d72fbbf974 ]
+
+When doing an incremental send, due to the need of delaying directory move
+(rename) operations we can end up in infinite loop at
+apply_children_dir_moves().
+
+An example scenario that triggers this problem is described below, where
+directory names correspond to the numbers of their respective inodes.
+
+Parent snapshot:
+
+ .
+ |--- 261/
+       |--- 271/
+             |--- 266/
+                   |--- 259/
+                   |--- 260/
+                   |     |--- 267
+                   |
+                   |--- 264/
+                   |     |--- 258/
+                   |           |--- 257/
+                   |
+                   |--- 265/
+                   |--- 268/
+                   |--- 269/
+                   |     |--- 262/
+                   |
+                   |--- 270/
+                   |--- 272/
+                   |     |--- 263/
+                   |     |--- 275/
+                   |
+                   |--- 274/
+                         |--- 273/
+
+Send snapshot:
+
+ .
+ |-- 275/
+      |-- 274/
+           |-- 273/
+                |-- 262/
+                     |-- 269/
+                          |-- 258/
+                               |-- 271/
+                                    |-- 268/
+                                         |-- 267/
+                                              |-- 270/
+                                                   |-- 259/
+                                                   |    |-- 265/
+                                                   |
+                                                   |-- 272/
+                                                        |-- 257/
+                                                             |-- 260/
+                                                             |-- 264/
+                                                                  |-- 263/
+                                                                       |-- 261/
+                                                                            |-- 266/
+
+When processing inode 257 we delay its move (rename) operation because its
+new parent in the send snapshot, inode 272, was not yet processed. Then
+when processing inode 272, we delay the move operation for that inode
+because inode 274 is its ancestor in the send snapshot. Finally we delay
+the move operation for inode 274 when processing it because inode 275 is
+its new parent in the send snapshot and was not yet moved.
+
+When finishing processing inode 275, we start to do the move operations
+that were previously delayed (at apply_children_dir_moves()), resulting in
+the following iterations:
+
+1) We issue the move operation for inode 274;
+
+2) Because inode 262 depended on the move operation of inode 274 (it was
+   delayed because 274 is its ancestor in the send snapshot), we issue the
+   move operation for inode 262;
+
+3) We issue the move operation for inode 272, because it was delayed by
+   inode 274 too (ancestor of 272 in the send snapshot);
+
+4) We issue the move operation for inode 269 (it was delayed by 262);
+
+5) We issue the move operation for inode 257 (it was delayed by 272);
+
+6) We issue the move operation for inode 260 (it was delayed by 272);
+
+7) We issue the move operation for inode 258 (it was delayed by 269);
+
+8) We issue the move operation for inode 264 (it was delayed by 257);
+
+9) We issue the move operation for inode 271 (it was delayed by 258);
+
+10) We issue the move operation for inode 263 (it was delayed by 264);
+
+11) We issue the move operation for inode 268 (it was delayed by 271);
+
+12) We verify if we can issue the move operation for inode 270 (it was
+    delayed by 271). We detect a path loop in the current state, because
+    inode 267 needs to be moved first before we can issue the move
+    operation for inode 270. So we delay again the move operation for
+    inode 270, this time we will attempt to do it after inode 267 is
+    moved;
+
+13) We issue the move operation for inode 261 (it was delayed by 263);
+
+14) We verify if we can issue the move operation for inode 266 (it was
+    delayed by 263). We detect a path loop in the current state, because
+    inode 270 needs to be moved first before we can issue the move
+    operation for inode 266. So we delay again the move operation for
+    inode 266, this time we will attempt to do it after inode 270 is
+    moved (its move operation was delayed in step 12);
+
+15) We issue the move operation for inode 267 (it was delayed by 268);
+
+16) We verify if we can issue the move operation for inode 266 (it was
+    delayed by 270). We detect a path loop in the current state, because
+    inode 270 needs to be moved first before we can issue the move
+    operation for inode 266. So we delay again the move operation for
+    inode 266, this time we will attempt to do it after inode 270 is
+    moved (its move operation was delayed in step 12). So here we added
+    again the same delayed move operation that we added in step 14;
+
+17) We attempt again to see if we can issue the move operation for inode
+    266, and as in step 16, we realize we can not due to a path loop in
+    the current state due to a dependency on inode 270. Again we delay
+    inode's 266 rename to happen after inode's 270 move operation, adding
+    the same dependency to the empty stack that we did in steps 14 and 16.
+    The next iteration will pick the same move dependency on the stack
+    (the only entry) and realize again there is still a path loop and then
+    again the same dependency to the stack, over and over, resulting in
+    an infinite loop.
+
+So fix this by preventing adding the same move dependency entries to the
+stack by removing each pending move record from the red black tree of
+pending moves. This way the next call to get_pending_dir_moves() will
+not return anything for the current parent inode.
+
+A test case for fstests, with this reproducer, follows soon.
+
+Signed-off-by: Robbie Ko <robbieko@synology.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+[Wrote changelog with example and more clear explanation]
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index baf5a4cd7ffc..3f22af96d63b 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -3354,7 +3354,8 @@ static void free_pending_move(struct send_ctx *sctx, struct pending_dir_move *m)
+       kfree(m);
+ }
+-static void tail_append_pending_moves(struct pending_dir_move *moves,
++static void tail_append_pending_moves(struct send_ctx *sctx,
++                                    struct pending_dir_move *moves,
+                                     struct list_head *stack)
+ {
+       if (list_empty(&moves->list)) {
+@@ -3365,6 +3366,10 @@ static void tail_append_pending_moves(struct pending_dir_move *moves,
+               list_add_tail(&moves->list, stack);
+               list_splice_tail(&list, stack);
+       }
++      if (!RB_EMPTY_NODE(&moves->node)) {
++              rb_erase(&moves->node, &sctx->pending_dir_moves);
++              RB_CLEAR_NODE(&moves->node);
++      }
+ }
+ static int apply_children_dir_moves(struct send_ctx *sctx)
+@@ -3379,7 +3384,7 @@ static int apply_children_dir_moves(struct send_ctx *sctx)
+               return 0;
+       INIT_LIST_HEAD(&stack);
+-      tail_append_pending_moves(pm, &stack);
++      tail_append_pending_moves(sctx, pm, &stack);
+       while (!list_empty(&stack)) {
+               pm = list_first_entry(&stack, struct pending_dir_move, list);
+@@ -3390,7 +3395,7 @@ static int apply_children_dir_moves(struct send_ctx *sctx)
+                       goto out;
+               pm = get_pending_dir_moves(sctx, parent_ino);
+               if (pm)
+-                      tail_append_pending_moves(pm, &stack);
++                      tail_append_pending_moves(sctx, pm, &stack);
+       }
+       return 0;
+-- 
+2.19.1
+
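Review bot: The block added to tail_append_pending_moves() unlinks only `moves` from `sctx->pending_dir_moves` and carries no comment saying why, although it is the line that breaks the infinite loop described in the changelog. I would add `/* unlink from the rbtree so get_pending_dir_moves() cannot return this entry again while it sits on the stack */` above the `if (!RB_EMPTY_NODE(&moves->node))` test. The `RB_CLEAR_NODE()` call matters as well: free_pending_move() is shown here only by its last line, and if it also erases the node it has to see the node as empty to avoid a second rb_erase(), which is worth confirming. The entries spliced from `moves->list` are left alone, presumably because only the list head is linked in the tree.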
diff --git a/queue-4.14/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch b/queue-4.14/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch
new file mode 100644 (file)
index 0000000..50532c4
--- /dev/null
@@ -0,0 +1,87 @@
+From 2b93e751541e2443ba725027be0fb1ffb6ed68bb Mon Sep 17 00:00:00 2001
+From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+Date: Mon, 24 Sep 2018 12:02:39 +1000
+Subject: cachefiles: Fix page leak in cachefiles_read_backing_file while
+ vmscan is active
+
+[ Upstream commit 9a24ce5b66f9c8190d63b15f4473600db4935f1f ]
+
+[Description]
+
+In a heavily loaded system where the system pagecache is nearing memory
+limits and fscache is enabled, pages can be leaked by fscache while trying
+read pages from cachefiles backend.  This can happen because two
+applications can be reading same page from a single mount, two threads can
+be trying to read the backing page at same time.  This results in one of
+the threads finding that a page for the backing file or netfs file is
+already in the radix tree.  During the error handling cachefiles does not
+clean up the reference on backing page, leading to page leak.
+
+[Fix]
+The fix is straightforward, to decrement the reference when error is
+encountered.
+
+  [dhowells: Note that I've removed the clearance and put of newpage as
+   they aren't attested in the commit message and don't appear to actually
+   achieve anything since a new page is only allocated is newpage!=NULL and
+   any residual new page is cleared before returning.]
+
+[Testing]
+I have tested the fix using following method for 12+ hrs.
+
+1) mkdir -p /mnt/nfs ; mount -o vers=3,fsc <server_ip>:/export /mnt/nfs
+2) create 10000 files of 2.8MB in a NFS mount.
+3) start a thread to simulate heavy VM presssure
+   (while true ; do echo 3 > /proc/sys/vm/drop_caches ; sleep 1 ; done)&
+4) start multiple parallel reader for data set at same time
+   find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
+   find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
+   find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
+   ..
+   ..
+   find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
+   find /mnt/nfs -type f | xargs -P 80 cat > /dev/null &
+5) finally check using cat /proc/fs/fscache/stats | grep -i pages ;
+   free -h , cat /proc/meminfo and page-types -r -b lru
+   to ensure all pages are freed.
+
+Reviewed-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Shantanu Goel <sgoel01@yahoo.com>
+Signed-off-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+[dja: forward ported to current upstream]
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cachefiles/rdwr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c
+index 199eb396a1bb..54379cf7db7f 100644
+--- a/fs/cachefiles/rdwr.c
++++ b/fs/cachefiles/rdwr.c
+@@ -537,7 +537,10 @@ static int cachefiles_read_backing_file(struct cachefiles_object *object,
+                                           netpage->index, cachefiles_gfp);
+               if (ret < 0) {
+                       if (ret == -EEXIST) {
++                              put_page(backpage);
++                              backpage = NULL;
+                               put_page(netpage);
++                              netpage = NULL;
+                               fscache_retrieval_complete(op, 1);
+                               continue;
+                       }
+@@ -610,7 +613,10 @@ static int cachefiles_read_backing_file(struct cachefiles_object *object,
+                                           netpage->index, cachefiles_gfp);
+               if (ret < 0) {
+                       if (ret == -EEXIST) {
++                              put_page(backpage);
++                              backpage = NULL;
+                               put_page(netpage);
++                              netpage = NULL;
+                               fscache_retrieval_complete(op, 1);
+                               continue;
+                       }
+-- 
+2.19.1
+
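Review bot: Both -EEXIST branches in cachefiles_read_backing_file() now repeat the same four cleanup lines, and neither says why the pointers are set to NULL after put_page(). A short comment on the first site, such as `/* drop both refs and clear the pointers so later cleanup does not put them again */`, would help; the later cleanup it refers to is outside these hunks, so that wording is inferred and should be checked against the function's exit path. If the function gains a third such branch, the put-and-clear pair would be better as one small static helper.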
diff --git a/queue-4.14/debugobjects-avoid-recursive-calls-with-kmemleak.patch b/queue-4.14/debugobjects-avoid-recursive-calls-with-kmemleak.patch
new file mode 100644 (file)
index 0000000..f6c51c3
--- /dev/null
@@ -0,0 +1,74 @@
+From a96df6ee95d61ad188e2011329519b8ad1caa33c Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@gmx.us>
+Date: Fri, 30 Nov 2018 14:09:48 -0800
+Subject: debugobjects: avoid recursive calls with kmemleak
+
+[ Upstream commit 8de456cf87ba863e028c4dd01bae44255ce3d835 ]
+
+CONFIG_DEBUG_OBJECTS_RCU_HEAD does not play well with kmemleak due to
+recursive calls.
+
+fill_pool
+  kmemleak_ignore
+    make_black_object
+      put_object
+        __call_rcu (kernel/rcu/tree.c)
+          debug_rcu_head_queue
+            debug_object_activate
+              debug_object_init
+                fill_pool
+                  kmemleak_ignore
+                    make_black_object
+                      ...
+
+So add SLAB_NOLEAKTRACE to kmem_cache_create() to not register newly
+allocated debug objects at all.
+
+Link: http://lkml.kernel.org/r/20181126165343.2339-1-cai@gmx.us
+Signed-off-by: Qian Cai <cai@gmx.us>
+Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
+Acked-by: Waiman Long <longman@redhat.com>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Yang Shi <yang.shi@linux.alibaba.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/debugobjects.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/lib/debugobjects.c b/lib/debugobjects.c
+index 99308479b1c8..bacb00a9cd9f 100644
+--- a/lib/debugobjects.c
++++ b/lib/debugobjects.c
+@@ -111,7 +111,6 @@ static void fill_pool(void)
+               if (!new)
+                       return;
+-              kmemleak_ignore(new);
+               raw_spin_lock_irqsave(&pool_lock, flags);
+               hlist_add_head(&new->node, &obj_pool);
+               debug_objects_allocated++;
+@@ -1085,7 +1084,6 @@ static int __init debug_objects_replace_static_objects(void)
+               obj = kmem_cache_zalloc(obj_cache, GFP_KERNEL);
+               if (!obj)
+                       goto free;
+-              kmemleak_ignore(obj);
+               hlist_add_head(&obj->node, &objects);
+       }
+@@ -1141,7 +1139,8 @@ void __init debug_objects_mem_init(void)
+       obj_cache = kmem_cache_create("debug_objects_cache",
+                                     sizeof (struct debug_obj), 0,
+-                                    SLAB_DEBUG_OBJECTS, NULL);
++                                    SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE,
++                                    NULL);
+       if (!obj_cache || debug_objects_replace_static_objects()) {
+               debug_objects_enabled = 0;
+-- 
+2.19.1
+
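Review bot: The reason for `SLAB_NOLEAKTRACE` in debug_objects_mem_init() lives only in the changelog, and the two removed kmemleak_ignore() calls leave no trace at the allocation sites. A comment above kmem_cache_create(), e.g. `/* SLAB_NOLEAKTRACE: kmemleak tracking of debug objects recurses via call_rcu() back into fill_pool() */`, would stop someone from re-adding kmemleak_ignore() in fill_pool() or debug_objects_replace_static_objects() later.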
diff --git a/queue-4.14/drm-amdgpu-add-delay-after-enable-rlc-ucode.patch b/queue-4.14/drm-amdgpu-add-delay-after-enable-rlc-ucode.patch
new file mode 100644 (file)
index 0000000..ab5a6bb
--- /dev/null
@@ -0,0 +1,49 @@
+From 89535560893d136fcc20e05ed21a8f1219187b89 Mon Sep 17 00:00:00 2001
+From: shaoyunl <shaoyun.liu@amd.com>
+Date: Thu, 22 Nov 2018 11:45:24 -0500
+Subject: drm/amdgpu: Add delay after enable RLC ucode
+
+[ Upstream commit ad97d9de45835b6a0f71983b0ae0cffd7306730a ]
+
+Driver shouldn't try to access any GFX registers until RLC is idle.
+During the test, it took 12 seconds for RLC to clear the BUSY bit
+in RLC_GPM_STAT register which is un-acceptable for driver.
+As per RLC engineer, it would take RLC Ucode less than 10,000 GFXCLK
+cycles to finish its critical section. In a lowest 300M enginer clock
+setting(default from vbios), 50 us delay is enough.
+
+This commit fix the hang when RLC introduce the work around for XGMI
+which requires more cycles to setup more registers than normal
+
+Signed-off-by: shaoyunl <shaoyun.liu@amd.com>
+Acked-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+index 3981915e2311..b2eecfc9042e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -1992,12 +1992,13 @@ static void gfx_v9_0_rlc_start(struct amdgpu_device *adev)
+ #endif
+       WREG32_FIELD15(GC, 0, RLC_CNTL, RLC_ENABLE_F32, 1);
++      udelay(50);
+       /* carrizo do enable cp interrupt after cp inited */
+-      if (!(adev->flags & AMD_IS_APU))
++      if (!(adev->flags & AMD_IS_APU)) {
+               gfx_v9_0_enable_gui_idle_interrupt(adev, true);
+-
+-      udelay(50);
++              udelay(50);
++      }
+ #ifdef AMDGPU_RLC_DEBUG_RETRY
+       /* RLC_GPM_GENERAL_6 : RLC Ucode version */
+-- 
+2.19.1
+
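Review bot: The `udelay(50)` added right after `WREG32_FIELD15(GC, 0, RLC_CNTL, RLC_ENABLE_F32, 1)` in gfx_v9_0_rlc_start() is a bare magic number; its derivation (fewer than 10,000 GFXCLK cycles at the 300 MHz floor) is given only in the changelog. I would put that in a comment, `/* RLC ucode needs < 10000 GFXCLK cycles; 50 us covers the lowest 300 MHz clock */`, and add one more line saying why the second `udelay(50)` is kept inside the non-APU branch. A fixed delay also gives no signal if the RLC is still busy afterwards; whether a bounded poll of the BUSY bit in RLC_GPM_STAT follows is not visible, since the function continues outside the hunk.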
diff --git a/queue-4.14/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch b/queue-4.14/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch
new file mode 100644 (file)
index 0000000..512d26e
--- /dev/null
@@ -0,0 +1,94 @@
+From bc09d4cede6b2c019b8926af86a3d6f5ca9d0beb Mon Sep 17 00:00:00 2001
+From: "Y.C. Chen" <yc_chen@aspeedtech.com>
+Date: Thu, 22 Nov 2018 11:56:28 +0800
+Subject: drm/ast: fixed reading monitor EDID not stable issue
+
+[ Upstream commit 300625620314194d9e6d4f6dda71f2dc9cf62d9f ]
+
+v1: over-sample data to increase the stability with some specific monitors
+v2: refine to avoid infinite loop
+v3: remove un-necessary "volatile" declaration
+
+[airlied: fix two checkpatch warnings]
+
+Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1542858988-1127-1-git-send-email-yc_chen@aspeedtech.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ast/ast_mode.c | 36 ++++++++++++++++++++++++++++------
+ 1 file changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c
+index fae1176b2472..343867b182dd 100644
+--- a/drivers/gpu/drm/ast/ast_mode.c
++++ b/drivers/gpu/drm/ast/ast_mode.c
+@@ -973,9 +973,21 @@ static int get_clock(void *i2c_priv)
+ {
+       struct ast_i2c_chan *i2c = i2c_priv;
+       struct ast_private *ast = i2c->dev->dev_private;
+-      uint32_t val;
++      uint32_t val, val2, count, pass;
++
++      count = 0;
++      pass = 0;
++      val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01;
++      do {
++              val2 = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01;
++              if (val == val2) {
++                      pass++;
++              } else {
++                      pass = 0;
++                      val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01;
++              }
++      } while ((pass < 5) && (count++ < 0x10000));
+-      val = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4;
+       return val & 1 ? 1 : 0;
+ }
+@@ -983,9 +995,21 @@ static int get_data(void *i2c_priv)
+ {
+       struct ast_i2c_chan *i2c = i2c_priv;
+       struct ast_private *ast = i2c->dev->dev_private;
+-      uint32_t val;
++      uint32_t val, val2, count, pass;
++
++      count = 0;
++      pass = 0;
++      val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01;
++      do {
++              val2 = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01;
++              if (val == val2) {
++                      pass++;
++              } else {
++                      pass = 0;
++                      val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01;
++              }
++      } while ((pass < 5) && (count++ < 0x10000));
+-      val = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5;
+       return val & 1 ? 1 : 0;
+ }
+@@ -998,7 +1022,7 @@ static void set_clock(void *i2c_priv, int clock)
+       for (i = 0; i < 0x10000; i++) {
+               ujcrb7 = ((clock & 0x01) ? 0 : 1);
+-              ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xfe, ujcrb7);
++              ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xf4, ujcrb7);
+               jtemp = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x01);
+               if (ujcrb7 == jtemp)
+                       break;
+@@ -1014,7 +1038,7 @@ static void set_data(void *i2c_priv, int data)
+       for (i = 0; i < 0x10000; i++) {
+               ujcrb7 = ((data & 0x01) ? 0 : 1) << 2;
+-              ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xfb, ujcrb7);
++              ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xf1, ujcrb7);
+               jtemp = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x04);
+               if (ujcrb7 == jtemp)
+                       break;
+-- 
+2.19.1
+
diff --git a/queue-4.14/drm-meson-add-support-for-1080p25-mode.patch b/queue-4.14/drm-meson-add-support-for-1080p25-mode.patch
new file mode 100644 (file)
index 0000000..b2559c6
--- /dev/null
@@ -0,0 +1,35 @@
+From e771691b2f9901985c6e284ed55e30b8bc73eaca Mon Sep 17 00:00:00 2001
+From: Christian Hewitt <christianshewitt@gmail.com>
+Date: Wed, 21 Nov 2018 13:39:29 +0400
+Subject: drm/meson: add support for 1080p25 mode
+
+[ Upstream commit 31e1ab494559fb46de304cc6c2aed1528f94b298 ]
+
+This essential mode for PAL users is missing, so add it.
+
+Fixes: 335e3713afb87 ("drm/meson: Add support for HDMI venc modes and settings")
+Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1542793169-13008-1-git-send-email-christianshewitt@gmail.com
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_venc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/meson/meson_venc.c b/drivers/gpu/drm/meson/meson_venc.c
+index 9509017dbded..d5dfe7045cc6 100644
+--- a/drivers/gpu/drm/meson/meson_venc.c
++++ b/drivers/gpu/drm/meson/meson_venc.c
+@@ -714,6 +714,7 @@ struct meson_hdmi_venc_vic_mode {
+       { 5, &meson_hdmi_encp_mode_1080i60 },
+       { 20, &meson_hdmi_encp_mode_1080i50 },
+       { 32, &meson_hdmi_encp_mode_1080p24 },
++      { 33, &meson_hdmi_encp_mode_1080p50 },
+       { 34, &meson_hdmi_encp_mode_1080p30 },
+       { 31, &meson_hdmi_encp_mode_1080p50 },
+       { 16, &meson_hdmi_encp_mode_1080p60 },
+-- 
+2.19.1
+
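Review bot: The added table entry `{ 33, &meson_hdmi_encp_mode_1080p50 }` maps VIC 33, which the subject line calls 1080p25, to the same 1080p50 encoder settings that VIC 31 uses two lines below. If sharing the 1080p50 settings is intended, a trailing comment such as `/* 1080p25: reuses the 1080p50 ENCP settings */` would make that clear; if not, this looks like a copy-paste slip and should be checked against the mode definitions. The table starts and ends outside the hunk.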
diff --git a/queue-4.14/exportfs-do-not-read-dentry-after-free.patch b/queue-4.14/exportfs-do-not-read-dentry-after-free.patch
new file mode 100644 (file)
index 0000000..3a90332
--- /dev/null
@@ -0,0 +1,40 @@
+From 17c35afe4d7fcc3868ed6385bf35a13536b2f2f6 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 23 Nov 2018 15:56:33 +0800
+Subject: exportfs: do not read dentry after free
+
+[ Upstream commit 2084ac6c505a58f7efdec13eba633c6aaa085ca5 ]
+
+The function dentry_connected calls dput(dentry) to drop the previously
+acquired reference to dentry. In this case, dentry can be released.
+After that, IS_ROOT(dentry) checks the condition
+(dentry == dentry->d_parent), which may result in a use-after-free bug.
+This patch directly compares dentry with its parent obtained before
+dropping the reference.
+
+Fixes: a056cc8934c("exportfs: stop retrying once we race with
+rename/remove")
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exportfs/expfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c
+index 329a5d103846..c22cc9d2a5c9 100644
+--- a/fs/exportfs/expfs.c
++++ b/fs/exportfs/expfs.c
+@@ -77,7 +77,7 @@ static bool dentry_connected(struct dentry *dentry)
+               struct dentry *parent = dget_parent(dentry);
+               dput(dentry);
+-              if (IS_ROOT(dentry)) {
++              if (dentry == parent) {
+                       dput(parent);
+                       return false;
+               }
+-- 
+2.19.1
+
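Review bot: The replacement check `if (dentry == parent)` is safe only because it compares pointer values and never dereferences `dentry` after `dput(dentry)`, and the new code does not say so. A one-line comment above it would stop a later cleanup from turning it back into `IS_ROOT(dentry)`: `/* dentry may be freed by the dput() above: compare pointers, do not dereference */`. The rest of the loop in dentry_connected() is outside the hunk, so any later use of `dentry` there deserves the same check.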
diff --git a/queue-4.14/fscache-cachefiles-remove-redundant-variable-cache.patch b/queue-4.14/fscache-cachefiles-remove-redundant-variable-cache.patch
new file mode 100644 (file)
index 0000000..c0af9a2
--- /dev/null
@@ -0,0 +1,39 @@
+From 9c4c36c9037ae17f9ae1c444cc9e35e538e4c04b Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 17 Jul 2018 09:53:42 +0100
+Subject: fscache, cachefiles: remove redundant variable 'cache'
+
+[ Upstream commit 31ffa563833576bd49a8bf53120568312755e6e2 ]
+
+Variable 'cache' is being assigned but is never used hence it is
+redundant and can be removed.
+
+Cleans up clang warning:
+warning: variable 'cache' set but not used [-Wunused-but-set-variable]
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cachefiles/rdwr.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c
+index 54379cf7db7f..5e9176ec0d3a 100644
+--- a/fs/cachefiles/rdwr.c
++++ b/fs/cachefiles/rdwr.c
+@@ -969,11 +969,8 @@ int cachefiles_write_page(struct fscache_storage *op, struct page *page)
+ void cachefiles_uncache_page(struct fscache_object *_object, struct page *page)
+ {
+       struct cachefiles_object *object;
+-      struct cachefiles_cache *cache;
+       object = container_of(_object, struct cachefiles_object, fscache);
+-      cache = container_of(object->fscache.cache,
+-                           struct cachefiles_cache, cache);
+       _enter("%p,{%lu}", object, page->index);
+-- 
+2.19.1
+
diff --git a/queue-4.14/fscache-fix-race-between-enablement-and-dropping-of-.patch b/queue-4.14/fscache-fix-race-between-enablement-and-dropping-of-.patch
new file mode 100644 (file)
index 0000000..e6d0681
--- /dev/null
@@ -0,0 +1,74 @@
+From a508bde0aeff01e61975067e4059e3d4536c9797 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 26 Oct 2018 17:16:29 +1100
+Subject: fscache: fix race between enablement and dropping of object
+
+[ Upstream commit c5a94f434c82529afda290df3235e4d85873c5b4 ]
+
+It was observed that a process blocked indefintely in
+__fscache_read_or_alloc_page(), waiting for FSCACHE_COOKIE_LOOKING_UP
+to be cleared via fscache_wait_for_deferred_lookup().
+
+At this time, ->backing_objects was empty, which would normaly prevent
+__fscache_read_or_alloc_page() from getting to the point of waiting.
+This implies that ->backing_objects was cleared *after*
+__fscache_read_or_alloc_page was was entered.
+
+When an object is "killed" and then "dropped",
+FSCACHE_COOKIE_LOOKING_UP is cleared in fscache_lookup_failure(), then
+KILL_OBJECT and DROP_OBJECT are "called" and only in DROP_OBJECT is
+->backing_objects cleared.  This leaves a window where
+something else can set FSCACHE_COOKIE_LOOKING_UP and
+__fscache_read_or_alloc_page() can start waiting, before
+->backing_objects is cleared
+
+There is some uncertainty in this analysis, but it seems to be fit the
+observations.  Adding the wake in this patch will be handled correctly
+by __fscache_read_or_alloc_page(), as it checks if ->backing_objects
+is empty again, after waiting.
+
+Customer which reported the hang, also report that the hang cannot be
+reproduced with this fix.
+
+The backtrace for the blocked process looked like:
+
+PID: 29360  TASK: ffff881ff2ac0f80  CPU: 3   COMMAND: "zsh"
+ #0 [ffff881ff43efbf8] schedule at ffffffff815e56f1
+ #1 [ffff881ff43efc58] bit_wait at ffffffff815e64ed
+ #2 [ffff881ff43efc68] __wait_on_bit at ffffffff815e61b8
+ #3 [ffff881ff43efca0] out_of_line_wait_on_bit at ffffffff815e625e
+ #4 [ffff881ff43efd08] fscache_wait_for_deferred_lookup at ffffffffa04f2e8f [fscache]
+ #5 [ffff881ff43efd18] __fscache_read_or_alloc_page at ffffffffa04f2ffe [fscache]
+ #6 [ffff881ff43efd58] __nfs_readpage_from_fscache at ffffffffa0679668 [nfs]
+ #7 [ffff881ff43efd78] nfs_readpage at ffffffffa067092b [nfs]
+ #8 [ffff881ff43efda0] generic_file_read_iter at ffffffff81187a73
+ #9 [ffff881ff43efe50] nfs_file_read at ffffffffa066544b [nfs]
+#10 [ffff881ff43efe70] __vfs_read at ffffffff811fc756
+#11 [ffff881ff43efee8] vfs_read at ffffffff811fccfa
+#12 [ffff881ff43eff18] sys_read at ffffffff811fda62
+#13 [ffff881ff43eff50] entry_SYSCALL_64_fastpath at ffffffff815e986e
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fscache/object.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/fscache/object.c b/fs/fscache/object.c
+index 7a182c87f378..ab1d7f35f6c2 100644
+--- a/fs/fscache/object.c
++++ b/fs/fscache/object.c
+@@ -715,6 +715,9 @@ static const struct fscache_state *fscache_drop_object(struct fscache_object *ob
+       if (awaken)
+               wake_up_bit(&cookie->flags, FSCACHE_COOKIE_INVALIDATING);
++      if (test_and_clear_bit(FSCACHE_COOKIE_LOOKING_UP, &cookie->flags))
++              wake_up_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP);
++
+       /* Prevent a race with our last child, which has to signal EV_CLEARED
+        * before dropping our spinlock.
+-- 
+2.19.1
+
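Review bot: The two added lines in fscache_drop_object() clear FSCACHE_COOKIE_LOOKING_UP and wake its waiters without a comment, although the commit message itself calls the analysis uncertain. The reasoning belongs next to the code, e.g. `/* LOOKING_UP may have been set again after fscache_lookup_failure() cleared it; release any waiter, which rechecks ->backing_objects */`. It would also help to state which lock, if any, is held at this point, since the function body begins outside the hunk and the hunk does not show it.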
diff --git a/queue-4.14/hfs-do-not-free-node-before-using.patch b/queue-4.14/hfs-do-not-free-node-before-using.patch
new file mode 100644 (file)
index 0000000..796460c
--- /dev/null
@@ -0,0 +1,49 @@
+From 97edf96720f25835c61e0d9c993b7f2a76c421c2 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 30 Nov 2018 14:09:14 -0800
+Subject: hfs: do not free node before using
+
+[ Upstream commit ce96a407adef126870b3f4a1b73529dd8aa80f49 ]
+
+hfs_bmap_free() frees the node via hfs_bnode_put(node).  However, it
+then reads node->this when dumping error message on an error path, which
+may result in a use-after-free bug.  This patch frees the node only when
+it is never again used.
+
+Link: http://lkml.kernel.org/r/1542963889-128825-1-git-send-email-bianpan2016@163.com
+Fixes: a1185ffa2fc ("HFS rewrite")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Joe Perches <joe@perches.com>
+Cc: Ernesto A. Fernandez <ernesto.mnd.fernandez@gmail.com>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/btree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c
+index 374b5688e29e..9bdff5e40626 100644
+--- a/fs/hfs/btree.c
++++ b/fs/hfs/btree.c
+@@ -329,13 +329,14 @@ void hfs_bmap_free(struct hfs_bnode *node)
+               nidx -= len * 8;
+               i = node->next;
+-              hfs_bnode_put(node);
+               if (!i) {
+                       /* panic */;
+                       pr_crit("unable to free bnode %u. bmap not found!\n",
+                               node->this);
++                      hfs_bnode_put(node);
+                       return;
+               }
++              hfs_bnode_put(node);
+               node = hfs_bnode_find(tree, i);
+               if (IS_ERR(node))
+                       return;
+-- 
+2.19.1
+
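Review bot: hfs_bnode_put(node) now appears on both the error path and the normal path of the loop, and nothing records why it cannot be hoisted back above the `if (!i)` test. A short comment before the pr_crit() would do, e.g. `/* keep the reference until node->this has been read */`. The same applies to the identical hunk for fs/hfsplus/btree.c in the next patch. The `/* panic */;` empty statement kept as context could be dropped in a follow-up. hfs_bmap_free() starts and ends outside the hunk.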
diff --git a/queue-4.14/hfsplus-do-not-free-node-before-using.patch b/queue-4.14/hfsplus-do-not-free-node-before-using.patch
new file mode 100644 (file)
index 0000000..887b5e5
--- /dev/null
@@ -0,0 +1,49 @@
+From f822f319656ac3f7510fd462843916fe3f584428 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 30 Nov 2018 14:09:18 -0800
+Subject: hfsplus: do not free node before using
+
+[ Upstream commit c7d7d620dcbd2a1c595092280ca943f2fced7bbd ]
+
+hfs_bmap_free() frees node via hfs_bnode_put(node).  However it then
+reads node->this when dumping error message on an error path, which may
+result in a use-after-free bug.  This patch frees node only when it is
+never used.
+
+Link: http://lkml.kernel.org/r/1543053441-66942-1-git-send-email-bianpan2016@163.com
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Ernesto A. Fernandez <ernesto.mnd.fernandez@gmail.com>
+Cc: Joe Perches <joe@perches.com>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/btree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
+index de14b2b6881b..3de3bc4918b5 100644
+--- a/fs/hfsplus/btree.c
++++ b/fs/hfsplus/btree.c
+@@ -454,14 +454,15 @@ void hfs_bmap_free(struct hfs_bnode *node)
+               nidx -= len * 8;
+               i = node->next;
+-              hfs_bnode_put(node);
+               if (!i) {
+                       /* panic */;
+                       pr_crit("unable to free bnode %u. "
+                                       "bmap not found!\n",
+                               node->this);
++                      hfs_bnode_put(node);
+                       return;
+               }
++              hfs_bnode_put(node);
+               node = hfs_bnode_find(tree, i);
+               if (IS_ERR(node))
+                       return;
+-- 
+2.19.1
+
diff --git a/queue-4.14/hwmon-ina2xx-fix-current-value-calculation.patch b/queue-4.14/hwmon-ina2xx-fix-current-value-calculation.patch
new file mode 100644 (file)
index 0000000..52d16bd
--- /dev/null
@@ -0,0 +1,39 @@
+From aaf5820611f69e49b54a9572cfe9d44dde843487 Mon Sep 17 00:00:00 2001
+From: Nicolin Chen <nicoleotsuka@gmail.com>
+Date: Tue, 13 Nov 2018 19:48:54 -0800
+Subject: hwmon: (ina2xx) Fix current value calculation
+
+[ Upstream commit 38cd989ee38c16388cde89db5b734f9d55b905f9 ]
+
+The current register (04h) has a sign bit at MSB. The comments
+for this calculation also mention that it's a signed register.
+
+However, the regval is unsigned type so result of calculation
+turns out to be an incorrect value when current is negative.
+
+This patch simply fixes this by adding a casting to s16.
+
+Fixes: 5d389b125186c ("hwmon: (ina2xx) Make calibration register value fixed")
+Signed-off-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ina2xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/ina2xx.c b/drivers/hwmon/ina2xx.c
+index c2252cf452f5..07ee19573b3f 100644
+--- a/drivers/hwmon/ina2xx.c
++++ b/drivers/hwmon/ina2xx.c
+@@ -274,7 +274,7 @@ static int ina2xx_get_value(struct ina2xx_data *data, u8 reg,
+               break;
+       case INA2XX_CURRENT:
+               /* signed register, result in mA */
+-              val = regval * data->current_lsb_uA;
++              val = (s16)regval * data->current_lsb_uA;
+               val = DIV_ROUND_CLOSEST(val, 1000);
+               break;
+       case INA2XX_CALIBRATION:
+-- 
+2.19.1
+
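Review bot: The `(s16)regval` cast in the INA2XX_CURRENT case fixes the sign, but the multiplication that follows is carried out in whatever types `data->current_lsb_uA` and `val` have, which the hunk does not show. If both are 32-bit on some builds, a full-scale reading multiplied by a large LSB may overflow, so this is worth confirming against the shunt range the driver accepts. The existing comment could also say where the sign comes from: `/* signed 16-bit register: sign-extend before scaling, result in mA */`. ina2xx_get_value() continues outside the hunk.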
diff --git a/queue-4.14/hwmon-ina2xx-fix-null-id-pointer-in-probe.patch b/queue-4.14/hwmon-ina2xx-fix-null-id-pointer-in-probe.patch
new file mode 100644 (file)
index 0000000..55c295b
--- /dev/null
@@ -0,0 +1,68 @@
+From ddf874b9aaab17b8b1c89668babbc8fcae1179dc Mon Sep 17 00:00:00 2001
+From: Nicolin Chen <nicoleotsuka@gmail.com>
+Date: Fri, 9 Nov 2018 16:42:14 -0800
+Subject: hwmon (ina2xx) Fix NULL id pointer in probe()
+
+[ Upstream commit 70df9ebbd82c794ddfbb49d45b337f18d5588dc2 ]
+
+When using DT configurations, the id pointer might turn out to
+be NULL. Then the driver encounters NULL pointer access:
+
+  Unable to handle kernel read from unreadable memory at vaddr 00000018
+  [...]
+  PC is at ina2xx_probe+0x114/0x200
+  LR is at ina2xx_probe+0x10c/0x200
+  [...]
+  Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+
+The reason is that i2c core returns the id pointer by matching
+id_table with client->name, while the client->name is actually
+using the name from the first string in the DT compatible list,
+not the best one. So i2c core would fail to match the id_table
+if the best matched compatible string isn't the first one, and
+then would return a NULL id pointer.
+
+This probably should be fixed in i2c core. But it doesn't hurt
+to make the driver robust. So this patch fixes it by using the
+"chip" that's added to unify both DT and non-DT configurations.
+
+Additionally, since id pointer could be null, so as id->name:
+  ina2xx 10-0047: power monitor (null) (Rshunt = 1000 uOhm)
+  ina2xx 10-0048: power monitor (null) (Rshunt = 10000 uOhm)
+
+So this patch also fixes NULL name pointer, using client->name
+to play safe and to align with hwmon->name.
+
+Fixes: bd0ddd4d0883 ("hwmon: (ina2xx) Add OF device ID table")
+Signed-off-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ina2xx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/ina2xx.c b/drivers/hwmon/ina2xx.c
+index 71d3445ba869..c2252cf452f5 100644
+--- a/drivers/hwmon/ina2xx.c
++++ b/drivers/hwmon/ina2xx.c
+@@ -491,7 +491,7 @@ static int ina2xx_probe(struct i2c_client *client,
+       }
+       data->groups[group++] = &ina2xx_group;
+-      if (id->driver_data == ina226)
++      if (chip == ina226)
+               data->groups[group++] = &ina226_group;
+       hwmon_dev = devm_hwmon_device_register_with_groups(dev, client->name,
+@@ -500,7 +500,7 @@ static int ina2xx_probe(struct i2c_client *client,
+               return PTR_ERR(hwmon_dev);
+       dev_info(dev, "power monitor %s (Rshunt = %li uOhm)\n",
+-               id->name, data->rshunt);
++               client->name, data->rshunt);
+       return 0;
+ }
+-- 
+2.19.1
+
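Review bot: Both replaced lines in ina2xx_probe() stop dereferencing `id`, but the parameter remains and nothing in the new code warns that it can be NULL for clients instantiated from DT. A comment at the first use of `chip` would cover it, e.g. `/* id is NULL when matched via DT; use chip and client->name instead */`. How `chip` is derived is outside the hunk, so it should be confirmed that that code does not read `id->driver_data` on the DT path. The function starts outside the hunk.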
diff --git a/queue-4.14/hwmon-w83795-temp4_type-has-writable-permission.patch b/queue-4.14/hwmon-w83795-temp4_type-has-writable-permission.patch
new file mode 100644 (file)
index 0000000..eeb3668
--- /dev/null
@@ -0,0 +1,35 @@
+From 800452b6f93b7f5e6bab328c62a29f38b0e8ec77 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 15 Nov 2018 10:44:57 +0800
+Subject: hwmon: (w83795) temp4_type has writable permission
+
+[ Upstream commit 09aaf6813cfca4c18034fda7a43e68763f34abb1 ]
+
+Both datasheet and comments of store_temp_mode() tell us that temp1~4_type
+is writable, so fix it.
+
+Signed-off-by: Yao Wang <wangyao@lemote.com>
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Fixes: 39deb6993e7c (" hwmon: (w83795) Simplify temperature sensor type handling")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/w83795.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/w83795.c b/drivers/hwmon/w83795.c
+index 49276bbdac3d..1bb80f992aa8 100644
+--- a/drivers/hwmon/w83795.c
++++ b/drivers/hwmon/w83795.c
+@@ -1691,7 +1691,7 @@ store_sf_setup(struct device *dev, struct device_attribute *attr,
+  * somewhere else in the code
+  */
+ #define SENSOR_ATTR_TEMP(index) {                                     \
+-      SENSOR_ATTR_2(temp##index##_type, S_IRUGO | (index < 4 ? S_IWUSR : 0), \
++      SENSOR_ATTR_2(temp##index##_type, S_IRUGO | (index < 5 ? S_IWUSR : 0), \
+               show_temp_mode, store_temp_mode, NOT_USED, index - 1),  \
+       SENSOR_ATTR_2(temp##index##_input, S_IRUGO, show_temp,          \
+               NULL, TEMP_READ, index - 1),                            \
+-- 
+2.19.1
+
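Review bot: The bound `index < 5` in SENSOR_ATTR_TEMP decides which temp*_type sysfs files receive S_IWUSR, and the bare literal gives no hint of that. Since the change widens write access to temp4_type, the rule should be stated above the macro, e.g. `/* temp1..temp4 types are writable; higher-numbered ones are read-only */`, and the argument parenthesised as `((index) < 5 ? S_IWUSR : 0)`. store_temp_mode() is outside the hunk, so whether it validates the value written for the fourth sensor cannot be seen here and is worth confirming. The macro body continues past the hunk.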
diff --git a/queue-4.14/ib-mlx5-fix-page-fault-handling-for-mw.patch b/queue-4.14/ib-mlx5-fix-page-fault-handling-for-mw.patch
new file mode 100644 (file)
index 0000000..ce33aa5
--- /dev/null
@@ -0,0 +1,40 @@
+From d132a6974b339d61bbeb230ab31325497694a69b Mon Sep 17 00:00:00 2001
+From: Artemy Kovalyov <artemyko@mellanox.com>
+Date: Sun, 25 Nov 2018 20:34:26 +0200
+Subject: IB/mlx5: Fix page fault handling for MW
+
+[ Upstream commit 75b7b86bdb0df37e08e44b6c1f99010967f81944 ]
+
+Memory windows are implemented with an indirect MKey, when a page fault
+event comes for a MW Mkey we need to find the MR at the end of the list of
+the indirect MKeys by iterating on all items from the first to the last.
+
+The offset calculated during this process has to be zeroed after the first
+iteration or the next iteration will start from a wrong address, resulting
+incorrect ODP faulting behavior.
+
+Fixes: db570d7deafb ("IB/mlx5: Add ODP support to MW")
+Signed-off-by: Artemy Kovalyov <artemyko@mellanox.com>
+Signed-off-by: Moni Shoua <monis@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/odp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/mlx5/odp.c b/drivers/infiniband/hw/mlx5/odp.c
+index 3d701c7a4c91..1ed94b6c0b0a 100644
+--- a/drivers/infiniband/hw/mlx5/odp.c
++++ b/drivers/infiniband/hw/mlx5/odp.c
+@@ -723,6 +723,7 @@ static int pagefault_single_data_segment(struct mlx5_ib_dev *dev,
+                       head = frame;
+                       bcnt -= frame->bcnt;
++                      offset = 0;
+               }
+               break;
+-- 
+2.19.1
+
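Review bot: The added `offset = 0;` in pagefault_single_data_segment() carries no comment saying that the offset is meaningful only for the first MKey in the chain, which is what the commit message explains. A line such as `/* offset applies to the first indirect MKey only */` would keep the assignment from being removed later as an apparent dead store. The loop it belongs to starts outside the hunk.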
diff --git a/queue-4.14/igb-fix-uninitialized-variables.patch b/queue-4.14/igb-fix-uninitialized-variables.patch
new file mode 100644 (file)
index 0000000..6282f36
--- /dev/null
@@ -0,0 +1,32 @@
+From 5f7288d2f14c23c4ad321355bd0c0878b5d77122 Mon Sep 17 00:00:00 2001
+From: Yunjian Wang <wangyunjian@huawei.com>
+Date: Tue, 6 Nov 2018 16:27:12 +0800
+Subject: igb: fix uninitialized variables
+
+[ Upstream commit e4c39f7926b4de355f7df75651d75003806aae09 ]
+
+This patch fixes the variable 'phy_word' may be used uninitialized.
+
+Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/e1000_i210.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/e1000_i210.c b/drivers/net/ethernet/intel/igb/e1000_i210.c
+index 07d48f2e3369..6766081f5ab9 100644
+--- a/drivers/net/ethernet/intel/igb/e1000_i210.c
++++ b/drivers/net/ethernet/intel/igb/e1000_i210.c
+@@ -862,6 +862,7 @@ s32 igb_pll_workaround_i210(struct e1000_hw *hw)
+               nvm_word = E1000_INVM_DEFAULT_AL;
+       tmp_nvm = nvm_word | E1000_INVM_PLL_WO_VAL;
+       igb_write_phy_reg_82580(hw, I347AT4_PAGE_SELECT, E1000_PHY_PLL_FREQ_PAGE);
++      phy_word = E1000_PHY_PLL_UNCONF;
+       for (i = 0; i < E1000_MAX_PLL_TRIES; i++) {
+               /* check current state directly from internal PHY */
+               igb_read_phy_reg_82580(hw, E1000_PHY_PLL_FREQ_REG, &phy_word);
+-- 
+2.19.1
+
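Review bot: Initialising `phy_word` before the loop silences the warning, but the return value of `igb_read_phy_reg_82580()` inside the loop is still ignored. A failed read presumably leaves `phy_word` at the initial value or at the previous iteration's value, and the loop then acts on it. Handling the failure where it occurs is clearer: `if (igb_read_phy_reg_82580(hw, E1000_PHY_PLL_FREQ_REG, &phy_word)) phy_word = E1000_PHY_PLL_UNCONF;`. The loop body continues outside the hunk, so how `phy_word` is tested afterwards cannot be seen here.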
diff --git a/queue-4.14/iio-hid-sensors-fix-iio_chan_info_raw-returning-wron.patch b/queue-4.14/iio-hid-sensors-fix-iio_chan_info_raw-returning-wron.patch
new file mode 100644 (file)
index 0000000..60cb255
--- /dev/null
@@ -0,0 +1,370 @@
+From 111a2fdbf77a48c77fe355f0aa7c90039b20f3d3 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 31 Oct 2018 15:20:05 +0100
+Subject: iio/hid-sensors: Fix IIO_CHAN_INFO_RAW returning wrong values for
+ signed numbers
+
+[ Upstream commit 0145b50566e7de5637e80ecba96c7f0e6fff1aad ]
+
+Before this commit sensor_hub_input_attr_get_raw_value() failed to take
+the signedness of 16 and 8 bit values into account, returning e.g.
+65436 instead of -100 for the z-axis reading of an accelerometer.
+
+This commit adds a new is_signed parameter to the function and makes all
+callers pass the appropriate value for this.
+
+While at it, this commit also fixes up some neighboring lines where
+statements were needlessly split over 2 lines to improve readability.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-sensor-custom.c                  |  2 +-
+ drivers/hid/hid-sensor-hub.c                     | 13 ++++++++++---
+ drivers/iio/accel/hid-sensor-accel-3d.c          |  5 ++++-
+ drivers/iio/gyro/hid-sensor-gyro-3d.c            |  5 ++++-
+ drivers/iio/humidity/hid-sensor-humidity.c       |  3 ++-
+ drivers/iio/light/hid-sensor-als.c               |  8 +++++---
+ drivers/iio/light/hid-sensor-prox.c              |  8 +++++---
+ drivers/iio/magnetometer/hid-sensor-magn-3d.c    |  8 +++++---
+ drivers/iio/orientation/hid-sensor-incl-3d.c     |  8 +++++---
+ drivers/iio/pressure/hid-sensor-press.c          |  8 +++++---
+ drivers/iio/temperature/hid-sensor-temperature.c |  3 ++-
+ drivers/rtc/rtc-hid-sensor-time.c                |  2 +-
+ include/linux/hid-sensor-hub.h                   |  4 +++-
+ 13 files changed, 52 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/hid/hid-sensor-custom.c b/drivers/hid/hid-sensor-custom.c
+index 0bcf041368c7..574126b649e9 100644
+--- a/drivers/hid/hid-sensor-custom.c
++++ b/drivers/hid/hid-sensor-custom.c
+@@ -358,7 +358,7 @@ static ssize_t show_value(struct device *dev, struct device_attribute *attr,
+                                               sensor_inst->hsdev,
+                                               sensor_inst->hsdev->usage,
+                                               usage, report_id,
+-                                              SENSOR_HUB_SYNC);
++                                              SENSOR_HUB_SYNC, false);
+       } else if (!strncmp(name, "units", strlen("units")))
+               value = sensor_inst->fields[field_index].attribute.units;
+       else if (!strncmp(name, "unit-expo", strlen("unit-expo")))
+diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
+index faba542d1b07..b5bd5cb7d532 100644
+--- a/drivers/hid/hid-sensor-hub.c
++++ b/drivers/hid/hid-sensor-hub.c
+@@ -299,7 +299,8 @@ EXPORT_SYMBOL_GPL(sensor_hub_get_feature);
+ int sensor_hub_input_attr_get_raw_value(struct hid_sensor_hub_device *hsdev,
+                                       u32 usage_id,
+                                       u32 attr_usage_id, u32 report_id,
+-                                      enum sensor_hub_read_flags flag)
++                                      enum sensor_hub_read_flags flag,
++                                      bool is_signed)
+ {
+       struct sensor_hub_data *data = hid_get_drvdata(hsdev->hdev);
+       unsigned long flags;
+@@ -331,10 +332,16 @@ int sensor_hub_input_attr_get_raw_value(struct hid_sensor_hub_device *hsdev,
+                                               &hsdev->pending.ready, HZ*5);
+               switch (hsdev->pending.raw_size) {
+               case 1:
+-                      ret_val = *(u8 *)hsdev->pending.raw_data;
++                      if (is_signed)
++                              ret_val = *(s8 *)hsdev->pending.raw_data;
++                      else
++                              ret_val = *(u8 *)hsdev->pending.raw_data;
+                       break;
+               case 2:
+-                      ret_val = *(u16 *)hsdev->pending.raw_data;
++                      if (is_signed)
++                              ret_val = *(s16 *)hsdev->pending.raw_data;
++                      else
++                              ret_val = *(u16 *)hsdev->pending.raw_data;
+                       break;
+               case 4:
+                       ret_val = *(u32 *)hsdev->pending.raw_data;
+diff --git a/drivers/iio/accel/hid-sensor-accel-3d.c b/drivers/iio/accel/hid-sensor-accel-3d.c
+index 2238a26aba63..f573d9c61fc3 100644
+--- a/drivers/iio/accel/hid-sensor-accel-3d.c
++++ b/drivers/iio/accel/hid-sensor-accel-3d.c
+@@ -149,6 +149,7 @@ static int accel_3d_read_raw(struct iio_dev *indio_dev,
+       int report_id = -1;
+       u32 address;
+       int ret_type;
++      s32 min;
+       struct hid_sensor_hub_device *hsdev =
+                                       accel_state->common_attributes.hsdev;
+@@ -158,12 +159,14 @@ static int accel_3d_read_raw(struct iio_dev *indio_dev,
+       case 0:
+               hid_sensor_power_state(&accel_state->common_attributes, true);
+               report_id = accel_state->accel[chan->scan_index].report_id;
++              min = accel_state->accel[chan->scan_index].logical_minimum;
+               address = accel_3d_addresses[chan->scan_index];
+               if (report_id >= 0)
+                       *val = sensor_hub_input_attr_get_raw_value(
+                                       accel_state->common_attributes.hsdev,
+                                       hsdev->usage, address, report_id,
+-                                      SENSOR_HUB_SYNC);
++                                      SENSOR_HUB_SYNC,
++                                      min < 0);
+               else {
+                       *val = 0;
+                       hid_sensor_power_state(&accel_state->common_attributes,
+diff --git a/drivers/iio/gyro/hid-sensor-gyro-3d.c b/drivers/iio/gyro/hid-sensor-gyro-3d.c
+index c67ce2ac4715..d9192eb41131 100644
+--- a/drivers/iio/gyro/hid-sensor-gyro-3d.c
++++ b/drivers/iio/gyro/hid-sensor-gyro-3d.c
+@@ -111,6 +111,7 @@ static int gyro_3d_read_raw(struct iio_dev *indio_dev,
+       int report_id = -1;
+       u32 address;
+       int ret_type;
++      s32 min;
+       *val = 0;
+       *val2 = 0;
+@@ -118,13 +119,15 @@ static int gyro_3d_read_raw(struct iio_dev *indio_dev,
+       case 0:
+               hid_sensor_power_state(&gyro_state->common_attributes, true);
+               report_id = gyro_state->gyro[chan->scan_index].report_id;
++              min = gyro_state->gyro[chan->scan_index].logical_minimum;
+               address = gyro_3d_addresses[chan->scan_index];
+               if (report_id >= 0)
+                       *val = sensor_hub_input_attr_get_raw_value(
+                                       gyro_state->common_attributes.hsdev,
+                                       HID_USAGE_SENSOR_GYRO_3D, address,
+                                       report_id,
+-                                      SENSOR_HUB_SYNC);
++                                      SENSOR_HUB_SYNC,
++                                      min < 0);
+               else {
+                       *val = 0;
+                       hid_sensor_power_state(&gyro_state->common_attributes,
+diff --git a/drivers/iio/humidity/hid-sensor-humidity.c b/drivers/iio/humidity/hid-sensor-humidity.c
+index 6e09c1acfe51..e53914d51ec3 100644
+--- a/drivers/iio/humidity/hid-sensor-humidity.c
++++ b/drivers/iio/humidity/hid-sensor-humidity.c
+@@ -75,7 +75,8 @@ static int humidity_read_raw(struct iio_dev *indio_dev,
+                               HID_USAGE_SENSOR_HUMIDITY,
+                               HID_USAGE_SENSOR_ATMOSPHERIC_HUMIDITY,
+                               humid_st->humidity_attr.report_id,
+-                              SENSOR_HUB_SYNC);
++                              SENSOR_HUB_SYNC,
++                              humid_st->humidity_attr.logical_minimum < 0);
+               hid_sensor_power_state(&humid_st->common_attributes, false);
+               return IIO_VAL_INT;
+diff --git a/drivers/iio/light/hid-sensor-als.c b/drivers/iio/light/hid-sensor-als.c
+index 059d964772c7..95ca86f50434 100644
+--- a/drivers/iio/light/hid-sensor-als.c
++++ b/drivers/iio/light/hid-sensor-als.c
+@@ -93,6 +93,7 @@ static int als_read_raw(struct iio_dev *indio_dev,
+       int report_id = -1;
+       u32 address;
+       int ret_type;
++      s32 min;
+       *val = 0;
+       *val2 = 0;
+@@ -102,8 +103,8 @@ static int als_read_raw(struct iio_dev *indio_dev,
+               case  CHANNEL_SCAN_INDEX_INTENSITY:
+               case  CHANNEL_SCAN_INDEX_ILLUM:
+                       report_id = als_state->als_illum.report_id;
+-                      address =
+-                      HID_USAGE_SENSOR_LIGHT_ILLUM;
++                      min = als_state->als_illum.logical_minimum;
++                      address = HID_USAGE_SENSOR_LIGHT_ILLUM;
+                       break;
+               default:
+                       report_id = -1;
+@@ -116,7 +117,8 @@ static int als_read_raw(struct iio_dev *indio_dev,
+                                       als_state->common_attributes.hsdev,
+                                       HID_USAGE_SENSOR_ALS, address,
+                                       report_id,
+-                                      SENSOR_HUB_SYNC);
++                                      SENSOR_HUB_SYNC,
++                                      min < 0);
+                       hid_sensor_power_state(&als_state->common_attributes,
+                                               false);
+               } else {
+diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c
+index 73fced8a63b7..8c017abc4ee2 100644
+--- a/drivers/iio/light/hid-sensor-prox.c
++++ b/drivers/iio/light/hid-sensor-prox.c
+@@ -73,6 +73,7 @@ static int prox_read_raw(struct iio_dev *indio_dev,
+       int report_id = -1;
+       u32 address;
+       int ret_type;
++      s32 min;
+       *val = 0;
+       *val2 = 0;
+@@ -81,8 +82,8 @@ static int prox_read_raw(struct iio_dev *indio_dev,
+               switch (chan->scan_index) {
+               case  CHANNEL_SCAN_INDEX_PRESENCE:
+                       report_id = prox_state->prox_attr.report_id;
+-                      address =
+-                      HID_USAGE_SENSOR_HUMAN_PRESENCE;
++                      min = prox_state->prox_attr.logical_minimum;
++                      address = HID_USAGE_SENSOR_HUMAN_PRESENCE;
+                       break;
+               default:
+                       report_id = -1;
+@@ -95,7 +96,8 @@ static int prox_read_raw(struct iio_dev *indio_dev,
+                               prox_state->common_attributes.hsdev,
+                               HID_USAGE_SENSOR_PROX, address,
+                               report_id,
+-                              SENSOR_HUB_SYNC);
++                              SENSOR_HUB_SYNC,
++                              min < 0);
+                       hid_sensor_power_state(&prox_state->common_attributes,
+                                               false);
+               } else {
+diff --git a/drivers/iio/magnetometer/hid-sensor-magn-3d.c b/drivers/iio/magnetometer/hid-sensor-magn-3d.c
+index 0e791b02ed4a..b495107bd173 100644
+--- a/drivers/iio/magnetometer/hid-sensor-magn-3d.c
++++ b/drivers/iio/magnetometer/hid-sensor-magn-3d.c
+@@ -163,21 +163,23 @@ static int magn_3d_read_raw(struct iio_dev *indio_dev,
+       int report_id = -1;
+       u32 address;
+       int ret_type;
++      s32 min;
+       *val = 0;
+       *val2 = 0;
+       switch (mask) {
+       case 0:
+               hid_sensor_power_state(&magn_state->magn_flux_attributes, true);
+-              report_id =
+-                      magn_state->magn[chan->address].report_id;
++              report_id = magn_state->magn[chan->address].report_id;
++              min = magn_state->magn[chan->address].logical_minimum;
+               address = magn_3d_addresses[chan->address];
+               if (report_id >= 0)
+                       *val = sensor_hub_input_attr_get_raw_value(
+                               magn_state->magn_flux_attributes.hsdev,
+                               HID_USAGE_SENSOR_COMPASS_3D, address,
+                               report_id,
+-                              SENSOR_HUB_SYNC);
++                              SENSOR_HUB_SYNC,
++                              min < 0);
+               else {
+                       *val = 0;
+                       hid_sensor_power_state(
+diff --git a/drivers/iio/orientation/hid-sensor-incl-3d.c b/drivers/iio/orientation/hid-sensor-incl-3d.c
+index fd1b3696ee42..16c744bef021 100644
+--- a/drivers/iio/orientation/hid-sensor-incl-3d.c
++++ b/drivers/iio/orientation/hid-sensor-incl-3d.c
+@@ -111,21 +111,23 @@ static int incl_3d_read_raw(struct iio_dev *indio_dev,
+       int report_id = -1;
+       u32 address;
+       int ret_type;
++      s32 min;
+       *val = 0;
+       *val2 = 0;
+       switch (mask) {
+       case IIO_CHAN_INFO_RAW:
+               hid_sensor_power_state(&incl_state->common_attributes, true);
+-              report_id =
+-                      incl_state->incl[chan->scan_index].report_id;
++              report_id = incl_state->incl[chan->scan_index].report_id;
++              min = incl_state->incl[chan->scan_index].logical_minimum;
+               address = incl_3d_addresses[chan->scan_index];
+               if (report_id >= 0)
+                       *val = sensor_hub_input_attr_get_raw_value(
+                               incl_state->common_attributes.hsdev,
+                               HID_USAGE_SENSOR_INCLINOMETER_3D, address,
+                               report_id,
+-                              SENSOR_HUB_SYNC);
++                              SENSOR_HUB_SYNC,
++                              min < 0);
+               else {
+                       hid_sensor_power_state(&incl_state->common_attributes,
+                                               false);
+diff --git a/drivers/iio/pressure/hid-sensor-press.c b/drivers/iio/pressure/hid-sensor-press.c
+index 6848d8c80eff..1c49ef78f888 100644
+--- a/drivers/iio/pressure/hid-sensor-press.c
++++ b/drivers/iio/pressure/hid-sensor-press.c
+@@ -77,6 +77,7 @@ static int press_read_raw(struct iio_dev *indio_dev,
+       int report_id = -1;
+       u32 address;
+       int ret_type;
++      s32 min;
+       *val = 0;
+       *val2 = 0;
+@@ -85,8 +86,8 @@ static int press_read_raw(struct iio_dev *indio_dev,
+               switch (chan->scan_index) {
+               case  CHANNEL_SCAN_INDEX_PRESSURE:
+                       report_id = press_state->press_attr.report_id;
+-                      address =
+-                      HID_USAGE_SENSOR_ATMOSPHERIC_PRESSURE;
++                      min = press_state->press_attr.logical_minimum;
++                      address = HID_USAGE_SENSOR_ATMOSPHERIC_PRESSURE;
+                       break;
+               default:
+                       report_id = -1;
+@@ -99,7 +100,8 @@ static int press_read_raw(struct iio_dev *indio_dev,
+                               press_state->common_attributes.hsdev,
+                               HID_USAGE_SENSOR_PRESSURE, address,
+                               report_id,
+-                              SENSOR_HUB_SYNC);
++                              SENSOR_HUB_SYNC,
++                              min < 0);
+                       hid_sensor_power_state(&press_state->common_attributes,
+                                               false);
+               } else {
+diff --git a/drivers/iio/temperature/hid-sensor-temperature.c b/drivers/iio/temperature/hid-sensor-temperature.c
+index c01efeca4002..6ed5cd5742f1 100644
+--- a/drivers/iio/temperature/hid-sensor-temperature.c
++++ b/drivers/iio/temperature/hid-sensor-temperature.c
+@@ -76,7 +76,8 @@ static int temperature_read_raw(struct iio_dev *indio_dev,
+                       HID_USAGE_SENSOR_TEMPERATURE,
+                       HID_USAGE_SENSOR_DATA_ENVIRONMENTAL_TEMPERATURE,
+                       temp_st->temperature_attr.report_id,
+-                      SENSOR_HUB_SYNC);
++                      SENSOR_HUB_SYNC,
++                      temp_st->temperature_attr.logical_minimum < 0);
+               hid_sensor_power_state(
+                               &temp_st->common_attributes,
+                               false);
+diff --git a/drivers/rtc/rtc-hid-sensor-time.c b/drivers/rtc/rtc-hid-sensor-time.c
+index 2751dba850c6..3e1abb455472 100644
+--- a/drivers/rtc/rtc-hid-sensor-time.c
++++ b/drivers/rtc/rtc-hid-sensor-time.c
+@@ -213,7 +213,7 @@ static int hid_rtc_read_time(struct device *dev, struct rtc_time *tm)
+       /* get a report with all values through requesting one value */
+       sensor_hub_input_attr_get_raw_value(time_state->common_attributes.hsdev,
+                       HID_USAGE_SENSOR_TIME, hid_time_addresses[0],
+-                      time_state->info[0].report_id, SENSOR_HUB_SYNC);
++                      time_state->info[0].report_id, SENSOR_HUB_SYNC, false);
+       /* wait for all values (event) */
+       ret = wait_for_completion_killable_timeout(
+                       &time_state->comp_last_time, HZ*6);
+diff --git a/include/linux/hid-sensor-hub.h b/include/linux/hid-sensor-hub.h
+index fc7aae64dcde..000de6da3b1b 100644
+--- a/include/linux/hid-sensor-hub.h
++++ b/include/linux/hid-sensor-hub.h
+@@ -177,6 +177,7 @@ int sensor_hub_input_get_attribute_info(struct hid_sensor_hub_device *hsdev,
+ * @attr_usage_id:     Attribute usage id as per spec
+ * @report_id: Report id to look for
+ * @flag:      Synchronous or asynchronous read
++* @is_signed:   If true then fields < 32 bits will be sign-extended
+ *
+ * Issues a synchronous or asynchronous read request for an input attribute.
+ * Returns data upto 32 bits.
+@@ -190,7 +191,8 @@ enum sensor_hub_read_flags {
+ int sensor_hub_input_attr_get_raw_value(struct hid_sensor_hub_device *hsdev,
+                                       u32 usage_id,
+                                       u32 attr_usage_id, u32 report_id,
+-                                      enum sensor_hub_read_flags flag
++                                      enum sensor_hub_read_flags flag,
++                                      bool is_signed
+ );
+ /**
+-- 
+2.19.1
+
diff --git a/queue-4.14/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch b/queue-4.14/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch
new file mode 100644 (file)
index 0000000..8e72f92
--- /dev/null
@@ -0,0 +1,57 @@
+From 64915495dd2177f03d2ff2bc658ec14bddfc8010 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 15 Nov 2018 15:14:30 +0800
+Subject: ipvs: call ip_vs_dst_notifier earlier than ipv6_dev_notf
+
+[ Upstream commit 2a31e4bd9ad255ee40809b5c798c4b1c2b09703b ]
+
+ip_vs_dst_event is supposed to clean up all dst used in ipvs'
+destinations when a net dev is going down. But it works only
+when the dst's dev is the same as the dev from the event.
+
+Now with the same priority but late registration,
+ip_vs_dst_notifier is always called later than ipv6_dev_notf
+where the dst's dev is set to lo for NETDEV_DOWN event.
+
+As the dst's dev lo is not the same as the dev from the event
+in ip_vs_dst_event, ip_vs_dst_notifier doesn't actually work.
+Also as these dst have to wait for dest_trash_timer to clean
+them up. It would cause some non-permanent kernel warnings:
+
+  unregister_netdevice: waiting for br0 to become free. Usage count = 3
+
+To fix it, call ip_vs_dst_notifier earlier than ipv6_dev_notf
+by increasing its priority to ADDRCONF_NOTIFY_PRIORITY + 5.
+
+Note that for ipv4 route fib_netdev_notifier doesn't set dst's
+dev to lo in NETDEV_DOWN event, so this fix is only needed when
+IP_VS_IPV6 is defined.
+
+Fixes: 7a4f0761fce3 ("IPVS: init and cleanup restructuring")
+Reported-by: Li Shuang <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 327ebe786eeb..2f45c3ce77ef 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -4012,6 +4012,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct netns_ipvs *ipvs)
+ static struct notifier_block ip_vs_dst_notifier = {
+       .notifier_call = ip_vs_dst_event,
++#ifdef CONFIG_IP_VS_IPV6
++      .priority = ADDRCONF_NOTIFY_PRIORITY + 5,
++#endif
+ };
+ int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs)
+-- 
+2.19.1
+
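Review bot: The `+ 5` in `.priority = ADDRCONF_NOTIFY_PRIORITY + 5` in the `ip_vs_dst_notifier` initializer is an unexplained offset, and nothing at the definition says that ordering against the IPv6 address notifier is what makes `ip_vs_dst_event` effective. Per the commit description, a handler that runs after ipv6_dev_notf sees the dst's dev already switched to lo and leaves the dst held until dest_trash_timer fires, so a later priority change on either side would silently bring back the `unregister_netdevice: waiting for ...` stall. I would add a comment above the field such as `/* must run before ipv6_dev_notf, which re-points dst->dev to lo on NETDEV_DOWN */`. Whether the header that defines ADDRCONF_NOTIFY_PRIORITY is already included in ip_vs_ctl.c is not visible in this hunk and is worth confirming on the 4.14 tree.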
diff --git a/queue-4.14/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch b/queue-4.14/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch
new file mode 100644 (file)
index 0000000..fb0e2fc
--- /dev/null
@@ -0,0 +1,43 @@
+From da68163210a3eb97c0867d750382e49859651bbe Mon Sep 17 00:00:00 2001
+From: Josh Elsasser <jelsasser@appneta.com>
+Date: Sat, 24 Nov 2018 12:57:33 -0800
+Subject: ixgbe: recognize 1000BaseLX SFP modules as 1Gbps
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit a8bf879af7b1999eba36303ce9cc60e0e7dd816c ]
+
+Add the two 1000BaseLX enum values to the X550's check for 1Gbps modules,
+allowing the core driver code to establish a link over this SFP type.
+
+This is done by the out-of-tree driver but the fix wasn't in mainline.
+
+Fixes: e23f33367882 ("ixgbe: Fix 1G and 10G link stability for X550EM_x SFP+”)
+Fixes: 6a14ee0cfb19 ("ixgbe: Add X550 support function pointers")
+Signed-off-by: Josh Elsasser <jelsasser@appneta.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+index cf6a245db6d5..a37c951b0753 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+@@ -2257,7 +2257,9 @@ static s32 ixgbe_get_link_capabilities_X550em(struct ixgbe_hw *hw,
+               *autoneg = false;
+               if (hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core0 ||
+-                  hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core1) {
++                  hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core1 ||
++                  hw->phy.sfp_type == ixgbe_sfp_type_1g_lx_core0 ||
++                  hw->phy.sfp_type == ixgbe_sfp_type_1g_lx_core1) {
+                       *speed = IXGBE_LINK_SPEED_1GB_FULL;
+                       return 0;
+               }
+-- 
+2.19.1
+
diff --git a/queue-4.14/kvm-x86-fix-empty-body-warnings.patch b/queue-4.14/kvm-x86-fix-empty-body-warnings.patch
new file mode 100644 (file)
index 0000000..2438125
--- /dev/null
@@ -0,0 +1,43 @@
+From 9fdfd5c2e4b25ac32947d4efcfc23c37063c4506 Mon Sep 17 00:00:00 2001
+From: Yi Wang <wang.yi59@zte.com.cn>
+Date: Thu, 8 Nov 2018 16:48:36 +0800
+Subject: KVM: x86: fix empty-body warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 354cb410d87314e2eda344feea84809e4261570a ]
+
+We get the following warnings about empty statements when building
+with 'W=1':
+
+arch/x86/kvm/lapic.c:632:53: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1907:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1936:65: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+arch/x86/kvm/lapic.c:1975:44: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+
+Rework the debug helper macro to get rid of these warnings.
+
+Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/lapic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 13dfb55b84db..f7c34184342a 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -55,7 +55,7 @@
+ #define PRIo64 "o"
+ /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
+-#define apic_debug(fmt, arg...)
++#define apic_debug(fmt, arg...) do {} while (0)
+ /* 14 is the version for Xeon and Pentium 8.4.8*/
+ #define APIC_VERSION                  (0x14UL | ((KVM_APIC_LVT_NUM - 1) << 16))
+-- 
+2.19.1
+
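Review bot: Stubbing `apic_debug` as `do {} while (0)` silences -Wempty-body but still throws away the format string and its arguments, so the debug call sites get no format checking and can drift out of date without anyone noticing. A stub that keeps the arguments visible to the compiler, for example `#define apic_debug(fmt, arg...) no_printk(KERN_WARNING fmt, ##arg)`, removes the warning and keeps the checks. The call sites are outside this hunk, so some of them may need their format specifiers corrected before that variant builds cleanly.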
diff --git a/queue-4.14/mm-page_alloc.c-fix-calculation-of-pgdat-nr_zones.patch b/queue-4.14/mm-page_alloc.c-fix-calculation-of-pgdat-nr_zones.patch
new file mode 100644 (file)
index 0000000..873712e
--- /dev/null
@@ -0,0 +1,88 @@
+From 2f748e9cc3c41d2c9cddca31781867c0a558a650 Mon Sep 17 00:00:00 2001
+From: Wei Yang <richard.weiyang@gmail.com>
+Date: Fri, 30 Nov 2018 14:09:07 -0800
+Subject: mm/page_alloc.c: fix calculation of pgdat->nr_zones
+
+[ Upstream commit 8f416836c0d50b198cad1225132e5abebf8980dc ]
+
+init_currently_empty_zone() will adjust pgdat->nr_zones and set it to
+'zone_idx(zone) + 1' unconditionally.  This is correct in the normal
+case, while not exact in hot-plug situation.
+
+This function is used in two places:
+
+  * free_area_init_core()
+  * move_pfn_range_to_zone()
+
+In the first case, we are sure zone index increase monotonically.  While
+in the second one, this is under users control.
+
+One way to reproduce this is:
+----------------------------
+
+1. create a virtual machine with empty node1
+
+   -m 4G,slots=32,maxmem=32G \
+   -smp 4,maxcpus=8          \
+   -numa node,nodeid=0,mem=4G,cpus=0-3 \
+   -numa node,nodeid=1,mem=0G,cpus=4-7
+
+2. hot-add cpu 3-7
+
+   cpu-add [3-7]
+
+2. hot-add memory to nod1
+
+   object_add memory-backend-ram,id=ram0,size=1G
+   device_add pc-dimm,id=dimm0,memdev=ram0,node=1
+
+3. online memory with following order
+
+   echo online_movable > memory47/state
+   echo online > memory40/state
+
+After this, node1 will have its nr_zones equals to (ZONE_NORMAL + 1)
+instead of (ZONE_MOVABLE + 1).
+
+Michal said:
+ "Having an incorrect nr_zones might result in all sorts of problems
+  which would be quite hard to debug (e.g. reclaim not considering the
+  movable zone). I do not expect many users would suffer from this it
+  but still this is trivial and obviously right thing to do so
+  backporting to the stable tree shouldn't be harmful (last famous
+  words)"
+
+Link: http://lkml.kernel.org/r/20181117022022.9956-1-richard.weiyang@gmail.com
+Fixes: f1dd2cd13c4b ("mm, memory_hotplug: do not associate hotadded memory to zones until online")
+Signed-off-by: Wei Yang <richard.weiyang@gmail.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Cc: Anshuman Khandual <anshuman.khandual@arm.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/page_alloc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 6be91a1a00d9..a2f365f40433 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -5544,8 +5544,10 @@ void __meminit init_currently_empty_zone(struct zone *zone,
+                                       unsigned long size)
+ {
+       struct pglist_data *pgdat = zone->zone_pgdat;
++      int zone_idx = zone_idx(zone) + 1;
+-      pgdat->nr_zones = zone_idx(zone) + 1;
++      if (zone_idx > pgdat->nr_zones)
++              pgdat->nr_zones = zone_idx;
+       zone->zone_start_pfn = zone_start_pfn;
+-- 
+2.19.1
+
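Review bot: The new local `zone_idx` in `init_currently_empty_zone` shares its name with the `zone_idx()` helper it is initialised from and holds the index plus one, so `if (zone_idx > pgdat->nr_zones)` reads as if an index were compared with a count. The declaration presumably compiles only because `zone_idx()` is a function-like macro (its definition is outside this hunk), and the off-by-one hidden in the name invites a wrong edit later. Renaming makes the intent plain: `int nr_zones = zone_idx(zone) + 1;` followed by `if (nr_zones > pgdat->nr_zones)` and `pgdat->nr_zones = nr_zones;`. The function body continues past the end of the hunk.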
diff --git a/queue-4.14/net-hisilicon-remove-unexpected-free_netdev.patch b/queue-4.14/net-hisilicon-remove-unexpected-free_netdev.patch
new file mode 100644 (file)
index 0000000..04f4cab
--- /dev/null
@@ -0,0 +1,37 @@
+From f6ad88c61e3b18385ca9a80776c927a09d2f4402 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Wed, 28 Nov 2018 15:30:24 +0800
+Subject: net: hisilicon: remove unexpected free_netdev
+
+[ Upstream commit c758940158bf29fe14e9d0f89d5848f227b48134 ]
+
+The net device ndev is freed via free_netdev when failing to register
+the device. The control flow then jumps to the error handling code
+block. ndev is used and freed again. Resulting in a use-after-free bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
+index 0cec06bec63e..c27054b8ce81 100644
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -914,10 +914,8 @@ static int hip04_mac_probe(struct platform_device *pdev)
+       }
+       ret = register_netdev(ndev);
+-      if (ret) {
+-              free_netdev(ndev);
++      if (ret)
+               goto alloc_fail;
+-      }
+       return 0;
+-- 
+2.19.1
+
diff --git a/queue-4.14/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch b/queue-4.14/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch
new file mode 100644 (file)
index 0000000..6625546
--- /dev/null
@@ -0,0 +1,82 @@
+From 60dd75902fb124d8c7df7551fd33aad38ad692a1 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Mon, 26 Nov 2018 15:07:16 +0100
+Subject: net: thunderx: fix NULL pointer dereference in nic_remove
+
+[ Upstream commit 24a6d2dd263bc910de018c78d1148b3e33b94512 ]
+
+Fix a possible NULL pointer dereference in nic_remove routine
+removing the nicpf module if nic_probe fails.
+The issue can be triggered with the following reproducer:
+
+$rmmod nicvf
+$rmmod nicpf
+
+[  521.412008] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000014
+[  521.422777] Mem abort info:
+[  521.425561]   ESR = 0x96000004
+[  521.428624]   Exception class = DABT (current EL), IL = 32 bits
+[  521.434535]   SET = 0, FnV = 0
+[  521.437579]   EA = 0, S1PTW = 0
+[  521.440730] Data abort info:
+[  521.443603]   ISV = 0, ISS = 0x00000004
+[  521.447431]   CM = 0, WnR = 0
+[  521.450417] user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000072a3da42
+[  521.457022] [0000000000000014] pgd=0000000000000000
+[  521.461916] Internal error: Oops: 96000004 [#1] SMP
+[  521.511801] Hardware name: GIGABYTE H270-T70/MT70-HD0, BIOS T49 02/02/2018
+[  521.518664] pstate: 80400005 (Nzcv daif +PAN -UAO)
+[  521.523451] pc : nic_remove+0x24/0x88 [nicpf]
+[  521.527808] lr : pci_device_remove+0x48/0xd8
+[  521.532066] sp : ffff000013433cc0
+[  521.535370] x29: ffff000013433cc0 x28: ffff810f6ac50000
+[  521.540672] x27: 0000000000000000 x26: 0000000000000000
+[  521.545974] x25: 0000000056000000 x24: 0000000000000015
+[  521.551274] x23: ffff8007ff89a110 x22: ffff000001667070
+[  521.556576] x21: ffff8007ffb170b0 x20: ffff8007ffb17000
+[  521.561877] x19: 0000000000000000 x18: 0000000000000025
+[  521.567178] x17: 0000000000000000 x16: 000000000000010ffc33ff98 x8 : 0000000000000000
+[  521.593683] x7 : 0000000000000000 x6 : 0000000000000001
+[  521.598983] x5 : 0000000000000002 x4 : 0000000000000003
+[  521.604284] x3 : ffff8007ffb17184 x2 : ffff8007ffb17184
+[  521.609585] x1 : ffff000001662118 x0 : ffff000008557be0
+[  521.614887] Process rmmod (pid: 1897, stack limit = 0x00000000859535c3)
+[  521.621490] Call trace:
+[  521.623928]  nic_remove+0x24/0x88 [nicpf]
+[  521.627927]  pci_device_remove+0x48/0xd8
+[  521.631847]  device_release_driver_internal+0x1b0/0x248
+[  521.637062]  driver_detach+0x50/0xc0
+[  521.640628]  bus_remove_driver+0x60/0x100
+[  521.644627]  driver_unregister+0x34/0x60
+[  521.648538]  pci_unregister_driver+0x24/0xd8
+[  521.652798]  nic_cleanup_module+0x14/0x111c [nicpf]
+[  521.657672]  __arm64_sys_delete_module+0x150/0x218
+[  521.662460]  el0_svc_handler+0x94/0x110
+[  521.666287]  el0_svc+0x8/0xc
+[  521.669160] Code: aa1e03e0 9102c295 d503201f f9404eb3 (b9401660)
+
+Fixes: 4863dea3fab0 ("net: Adding support for Cavium ThunderX network controller")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/nic_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/nic_main.c b/drivers/net/ethernet/cavium/thunder/nic_main.c
+index fb770b0182d3..d89ec4724efd 100644
+--- a/drivers/net/ethernet/cavium/thunder/nic_main.c
++++ b/drivers/net/ethernet/cavium/thunder/nic_main.c
+@@ -1376,6 +1376,9 @@ static void nic_remove(struct pci_dev *pdev)
+ {
+       struct nicpf *nic = pci_get_drvdata(pdev);
++      if (!nic)
++              return;
++
+       if (nic->flags & NIC_SRIOV_ENABLED)
+               pci_disable_sriov(pdev);
+-- 
+2.19.1
+
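Review bot: The `if (!nic) return;` guard added at the top of `nic_remove` has no comment saying when `pci_get_drvdata(pdev)` can legitimately be NULL, so a later reader cannot tell a supported state from a masked bug. The commit description ties it to a failed nic_probe; recording that at the guard, e.g. `/* drvdata is NULL when nic_probe() did not complete */`, keeps the reason next to the check. The early return also skips whatever teardown follows in this function, which lies outside the hunk, so it is worth confirming that the failed-probe path has already released those resources.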
diff --git a/queue-4.14/netfilter-ipv6-preserve-link-scope-traffic-original-.patch b/queue-4.14/netfilter-ipv6-preserve-link-scope-traffic-original-.patch
new file mode 100644 (file)
index 0000000..b0bb2b6
--- /dev/null
@@ -0,0 +1,40 @@
+From c8acc82dca546a78d010277070ed7c7f9addb76b Mon Sep 17 00:00:00 2001
+From: Alin Nastac <alin.nastac@gmail.com>
+Date: Wed, 21 Nov 2018 14:00:30 +0100
+Subject: netfilter: ipv6: Preserve link scope traffic original oif
+
+[ Upstream commit 508b09046c0f21678652fb66fd1e9959d55591d2 ]
+
+When ip6_route_me_harder is invoked, it resets outgoing interface of:
+  - link-local scoped packets sent by neighbor discovery
+  - multicast packets sent by MLD host
+  - multicast packets send by MLD proxy daemon that sets outgoing
+    interface through IPV6_PKTINFO ipi6_ifindex
+
+Link-local and multicast packets must keep their original oif after
+ip6_route_me_harder is called.
+
+Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
+index 9bf260459f83..1f8b1a433b5d 100644
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -25,7 +25,8 @@ int ip6_route_me_harder(struct net *net, struct sk_buff *skb)
+       unsigned int hh_len;
+       struct dst_entry *dst;
+       struct flowi6 fl6 = {
+-              .flowi6_oif = sk ? sk->sk_bound_dev_if : 0,
++              .flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if :
++                      rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
+               .flowi6_mark = skb->mark,
+               .flowi6_uid = sock_net_uid(net, sk),
+               .daddr = iph->daddr,
+-- 
+2.19.1
+
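Review bot: The new `.flowi6_oif` initializer in `ip6_route_me_harder` dereferences `skb_dst(skb)->dev->ifindex` with no visible check that the skb still carries a dst at this point, and it chains two conditional operators without parentheses. If every caller guarantees a dst here, a one-line comment above `fl6` should say so; if not, the link-scope branch needs a NULL test before the dereference. For readability I would at least parenthesise the inner choice, `(rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0)`, so the reader does not have to rely on the associativity of `?:`. The function starts and ends outside the hunk, so the dst guarantee cannot be confirmed from here.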
diff --git a/queue-4.14/netfilter-nf_tables-deactivate-expressions-in-rule-r.patch b/queue-4.14/netfilter-nf_tables-deactivate-expressions-in-rule-r.patch
new file mode 100644 (file)
index 0000000..e27ac05
--- /dev/null
@@ -0,0 +1,94 @@
+From 7b9151b0fe7af5f3fc4152c399e591201900ff0f Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 28 Nov 2018 11:27:28 +0900
+Subject: netfilter: nf_tables: deactivate expressions in rule replecement
+ routine
+
+[ Upstream commit ca08987885a147643817d02bf260bc4756ce8cd4 ]
+
+There is no expression deactivation call from the rule replacement path,
+hence, chain counter is not decremented. A few steps to reproduce the
+problem:
+
+   %nft add table ip filter
+   %nft add chain ip filter c1
+   %nft add chain ip filter c1
+   %nft add rule ip filter c1 jump c2
+   %nft replace rule ip filter c1 handle 3 accept
+   %nft flush ruleset
+
+<jump c2> expression means immediate NFT_JUMP to chain c2.
+Reference count of chain c2 is increased when the rule is added.
+
+When rule is deleted or replaced, the reference counter of c2 should be
+decreased via nft_rule_expr_deactivate() which calls
+nft_immediate_deactivate().
+
+Splat looks like:
+[  214.396453] WARNING: CPU: 1 PID: 21 at net/netfilter/nf_tables_api.c:1432 nf_tables_chain_destroy.isra.38+0x2f9/0x3a0 [nf_tables]
+[  214.398983] Modules linked in: nf_tables nfnetlink
+[  214.398983] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 4.20.0-rc2+ #44
+[  214.398983] Workqueue: events nf_tables_trans_destroy_work [nf_tables]
+[  214.398983] RIP: 0010:nf_tables_chain_destroy.isra.38+0x2f9/0x3a0 [nf_tables]
+[  214.398983] Code: 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 8e 00 00 00 48 8b 7b 58 e8 e1 2c 4e c6 48 89 df e8 d9 2c 4e c6 eb 9a <0f> 0b eb 96 0f 0b e9 7e fe ff ff e8 a7 7e 4e c6 e9 a4 fe ff ff e8
+[  214.398983] RSP: 0018:ffff8881152874e8 EFLAGS: 00010202
+[  214.398983] RAX: 0000000000000001 RBX: ffff88810ef9fc28 RCX: ffff8881152876f0
+[  214.398983] RDX: dffffc0000000000 RSI: 1ffff11022a50ede RDI: ffff88810ef9fc78
+[  214.398983] RBP: 1ffff11022a50e9d R08: 0000000080000000 R09: 0000000000000000
+[  214.398983] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff11022a50eba
+[  214.398983] R13: ffff888114446e08 R14: ffff8881152876f0 R15: ffffed1022a50ed6
+[  214.398983] FS:  0000000000000000(0000) GS:ffff888116400000(0000) knlGS:0000000000000000
+[  214.398983] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  214.398983] CR2: 00007fab9bb5f868 CR3: 000000012aa16000 CR4: 00000000001006e0
+[  214.398983] Call Trace:
+[  214.398983]  ? nf_tables_table_destroy.isra.37+0x100/0x100 [nf_tables]
+[  214.398983]  ? __kasan_slab_free+0x145/0x180
+[  214.398983]  ? nf_tables_trans_destroy_work+0x439/0x830 [nf_tables]
+[  214.398983]  ? kfree+0xdb/0x280
+[  214.398983]  nf_tables_trans_destroy_work+0x5f5/0x830 [nf_tables]
+[ ... ]
+
+Fixes: bb7b40aecbf7 ("netfilter: nf_tables: bogus EBUSY in chain deletions")
+Reported by: Christoph Anton Mitterer <calestyo@scientia.net>
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914505
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=201791
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index ea1e57daf50e..623ec29ade26 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2400,21 +2400,14 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
+       }
+       if (nlh->nlmsg_flags & NLM_F_REPLACE) {
+-              if (!nft_is_active_next(net, old_rule)) {
+-                      err = -ENOENT;
+-                      goto err2;
+-              }
+-              trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
+-                                         old_rule);
++              trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
+               if (trans == NULL) {
+                       err = -ENOMEM;
+                       goto err2;
+               }
+-              nft_deactivate_next(net, old_rule);
+-              chain->use--;
+-
+-              if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
+-                      err = -ENOMEM;
++              err = nft_delrule(&ctx, old_rule);
++              if (err < 0) {
++                      nft_trans_destroy(trans);
+                       goto err2;
+               }
+-- 
+2.19.1
+
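Review bot: The NLM_F_REPLACE branch of `nf_tables_newrule` no longer shows the `nft_is_active_next(net, old_rule)` test that returned `-ENOENT`, nor the `chain->use--`; both are now expected to happen inside `nft_delrule()`, whose body is outside this hunk. Because this is a backport, it is worth confirming that the 4.14 `nft_delrule()` performs the active-generation check, the expression deactivation described in the commit message and the use-count decrement, otherwise a replace of an already-deleted rule would stop being rejected. The NEWRULE transaction is also queued before the DELRULE one now, the reverse of the removed code; if that order is intentional, a short comment above `trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);` should say why.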
diff --git a/queue-4.14/netfilter-nf_tables-fix-use-after-free-when-deleting.patch b/queue-4.14/netfilter-nf_tables-fix-use-after-free-when-deleting.patch
new file mode 100644 (file)
index 0000000..0340b12
--- /dev/null
@@ -0,0 +1,78 @@
+From 305e7d5b2ee9349f4d06d305b36e92e7ee5353d6 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 12 Nov 2018 22:43:45 +0100
+Subject: netfilter: nf_tables: fix use-after-free when deleting compat
+ expressions
+
+[ Upstream commit 29e3880109e357fdc607b4393f8308cef6af9413 ]
+
+nft_compat ops do not have static storage duration, unlike all other
+expressions.
+
+When nf_tables_expr_destroy() returns, expr->ops might have been
+free'd already, so we need to store next address before calling
+expression destructor.
+
+For same reason, we can't deref match pointer after nft_xt_put().
+
+This can be easily reproduced by adding msleep() before
+nft_match_destroy() returns.
+
+Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
+Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 5 +++--
+ net/netfilter/nft_compat.c    | 3 ++-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 3ae365f92bff..ea1e57daf50e 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2252,7 +2252,7 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk,
+ static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
+                                  struct nft_rule *rule)
+ {
+-      struct nft_expr *expr;
++      struct nft_expr *expr, *next;
+       /*
+        * Careful: some expressions might not be initialized in case this
+@@ -2260,8 +2260,9 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
+        */
+       expr = nft_expr_first(rule);
+       while (expr != nft_expr_last(rule) && expr->ops) {
++              next = nft_expr_next(expr);
+               nf_tables_expr_destroy(ctx, expr);
+-              expr = nft_expr_next(expr);
++              expr = next;
+       }
+       kfree(rule);
+ }
+diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
+index 6da1cec1494a..7533c2fd6b76 100644
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -497,6 +497,7 @@ __nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr,
+                   void *info)
+ {
+       struct xt_match *match = expr->ops->data;
++      struct module *me = match->me;
+       struct xt_mtdtor_param par;
+       par.net = ctx->net;
+@@ -507,7 +508,7 @@ __nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr,
+               par.match->destroy(&par);
+       if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
+-              module_put(match->me);
++              module_put(me);
+ }
+ static void
+-- 
+2.19.1
+
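Review bot: Neither fix carries a comment, so the statement order that prevents the use-after-free looks like an arbitrary temporary: `next = nft_expr_next(expr);` before `nf_tables_expr_destroy()` in `nf_tables_rule_destroy`, and `struct module *me = match->me;` before `nft_xt_put()` in `__nft_match_destroy`. Per the commit description, nft_compat ops are not statically allocated and may already be freed when the destructor returns, so a later cleanup that folds the temporaries back in would reintroduce the bug. I would add `/* destroy may free expr->ops (nft_compat); fetch next first */` inside the loop and `/* match must not be dereferenced after nft_xt_put() */` at the `me` declaration. The target destroy path in nft_compat.c is not part of these hunks, so it is worth checking that it does not read through `expr->ops->data` after its own put.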
diff --git a/queue-4.14/netfilter-xt_hashlimit-fix-a-possible-memory-leak-in.patch b/queue-4.14/netfilter-xt_hashlimit-fix-a-possible-memory-leak-in.patch
new file mode 100644 (file)
index 0000000..afc6bcb
--- /dev/null
@@ -0,0 +1,71 @@
+From 53445307e0485f8e22a9a0cfe1011f3d7ce13c36 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Fri, 16 Nov 2018 21:32:35 +0900
+Subject: netfilter: xt_hashlimit: fix a possible memory leak in
+ htable_create()
+
+[ Upstream commit b4e955e9f372035361fbc6f07b21fe2cc6a5be4a ]
+
+In the htable_create(), hinfo is allocated by vmalloc()
+So that if error occurred, hinfo should be freed.
+
+Fixes: 11d5f15723c9 ("netfilter: xt_hashlimit: Create revision 2 to support higher pps rates")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_hashlimit.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
+index 0c034597b9b8..fe8e8a1622b5 100644
+--- a/net/netfilter/xt_hashlimit.c
++++ b/net/netfilter/xt_hashlimit.c
+@@ -295,9 +295,10 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg,
+       /* copy match config into hashtable config */
+       ret = cfg_copy(&hinfo->cfg, (void *)cfg, 3);
+-
+-      if (ret)
++      if (ret) {
++              vfree(hinfo);
+               return ret;
++      }
+       hinfo->cfg.size = size;
+       if (hinfo->cfg.max == 0)
+@@ -814,7 +815,6 @@ hashlimit_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
+       int ret;
+       ret = cfg_copy(&cfg, (void *)&info->cfg, 1);
+-
+       if (ret)
+               return ret;
+@@ -830,7 +830,6 @@ hashlimit_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
+       int ret;
+       ret = cfg_copy(&cfg, (void *)&info->cfg, 2);
+-
+       if (ret)
+               return ret;
+@@ -920,7 +919,6 @@ static int hashlimit_mt_check_v1(const struct xt_mtchk_param *par)
+               return ret;
+       ret = cfg_copy(&cfg, (void *)&info->cfg, 1);
+-
+       if (ret)
+               return ret;
+@@ -939,7 +937,6 @@ static int hashlimit_mt_check_v2(const struct xt_mtchk_param *par)
+               return ret;
+       ret = cfg_copy(&cfg, (void *)&info->cfg, 2);
+-
+       if (ret)
+               return ret;
+-- 
+2.19.1
+
diff --git a/queue-4.14/nvme-flush-namespace-scanning-work-just-before-remov.patch b/queue-4.14/nvme-flush-namespace-scanning-work-just-before-remov.patch
new file mode 100644 (file)
index 0000000..7972c90
--- /dev/null
@@ -0,0 +1,53 @@
+From 15a65148d9047f27ce25446a9415fe589a7de7c9 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Wed, 21 Nov 2018 15:17:37 -0800
+Subject: nvme: flush namespace scanning work just before removing namespaces
+
+[ Upstream commit f6c8e432cb0479255322c5d0335b9f1699a0270c ]
+
+nvme_stop_ctrl can be called also for reset flow and there is no need to
+flush the scan_work as namespaces are not being removed. This can cause
+deadlock in rdma, fc and loop drivers since nvme_stop_ctrl barriers
+before controller teardown (and specifically I/O cancellation of the
+scan_work itself) takes place, but the scan_work will be blocked anyways
+so there is no need to flush it.
+
+Instead, move scan_work flush to nvme_remove_namespaces() where it really
+needs to flush.
+
+Reported-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Reviewed by: James Smart <jsmart2021@gmail.com>
+Tested-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 3a63d58d2ca9..65f3f1a34b6b 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2572,6 +2572,9 @@ void nvme_remove_namespaces(struct nvme_ctrl *ctrl)
+ {
+       struct nvme_ns *ns, *next;
++      /* prevent racing with ns scanning */
++      flush_work(&ctrl->scan_work);
++
+       /*
+        * The dead states indicates the controller was not gracefully
+        * disconnected. In that case, we won't be able to flush any data while
+@@ -2743,7 +2746,6 @@ void nvme_stop_ctrl(struct nvme_ctrl *ctrl)
+ {
+       nvme_stop_keep_alive(ctrl);
+       flush_work(&ctrl->async_event_work);
+-      flush_work(&ctrl->scan_work);
+       cancel_work_sync(&ctrl->fw_act_work);
+ }
+ EXPORT_SYMBOL_GPL(nvme_stop_ctrl);
+-- 
+2.19.1
+
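Review bot: The comment `/* prevent racing with ns scanning */` added at the top of nvme_remove_namespaces() promises more than `flush_work(&ctrl->scan_work)` delivers. The call waits for a scan that is already queued or running, but it does not stop scan_work from being queued again afterwards. Whether anything can requeue it while namespaces are being removed is not visible in this hunk, so the comment should name the state or check that rules that out, along the lines of `/* wait for an in-flight scan; requeue is excluded by <controller state / check> */`. The body of nvme_remove_namespaces() continues outside the hunk.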
diff --git a/queue-4.14/objtool-fix-double-free-in-.cold-detection-error-pat.patch b/queue-4.14/objtool-fix-double-free-in-.cold-detection-error-pat.patch
new file mode 100644 (file)
index 0000000..5d69cb9
--- /dev/null
@@ -0,0 +1,42 @@
+From 227790208b2f902ad10753731dd6f04537cbaa84 Mon Sep 17 00:00:00 2001
+From: Artem Savkov <asavkov@redhat.com>
+Date: Tue, 20 Nov 2018 11:52:15 -0600
+Subject: objtool: Fix double-free in .cold detection error path
+
+[ Upstream commit 0b9301fb632f7111a3293a30cc5b20f1b82ed08d ]
+
+If read_symbols() fails during second list traversal (the one dealing
+with ".cold" subfunctions) it frees the symbol, but never deletes it
+from the list/hash_table resulting in symbol being freed again in
+elf_close(). Fix it by just returning an error, leaving cleanup to
+elf_close().
+
+Signed-off-by: Artem Savkov <asavkov@redhat.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions")
+Link: http://lkml.kernel.org/r/beac5a9b7da9e8be90223459dcbe07766ae437dd.1542736240.git.jpoimboe@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/elf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
+index 0d1acb704f64..3616d626991e 100644
+--- a/tools/objtool/elf.c
++++ b/tools/objtool/elf.c
+@@ -312,7 +312,7 @@ static int read_symbols(struct elf *elf)
+                       if (!pfunc) {
+                               WARN("%s(): can't find parent function",
+                                    sym->name);
+-                              goto err;
++                              return -1;
+                       }
+                       sym->pfunc = pfunc;
+-- 
+2.19.1
+
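Review bot: The new `return -1;` in the cold-subfunction loop of read_symbols() has no comment explaining why it bypasses the `err` label that the removed line jumped to. Per the commit message, the symbol is already linked into the list and hash table at this point, so freeing it here and again in elf_close() is the double free. A one-line comment above the return, such as `/* sym is already on the list/hash; elf_close() frees it */`, would keep a later cleanup from restoring the `goto err`. read_symbols() starts and ends outside the hunk, so the `err:` path itself is not visible here.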
diff --git a/queue-4.14/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch b/queue-4.14/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch
new file mode 100644 (file)
index 0000000..38680be
--- /dev/null
@@ -0,0 +1,76 @@
+From 4e86c37ba416617deec99032c08c92a784716adf Mon Sep 17 00:00:00 2001
+From: Artem Savkov <asavkov@redhat.com>
+Date: Tue, 20 Nov 2018 11:52:16 -0600
+Subject: objtool: Fix segfault in .cold detection with -ffunction-sections
+
+[ Upstream commit 22566c1603030f0a036ad564634b064ad1a55db2 ]
+
+Because find_symbol_by_name() traverses the same lists as
+read_symbols(), changing sym->name in place without copying it affects
+the result of find_symbol_by_name().  In the case where a ".cold"
+function precedes its parent in sec->symbol_list, it can result in a
+function being considered a parent of itself. This leads to function
+length being set to 0 and other consequent side-effects including a
+segfault in add_switch_table().  The effects of this bug are only
+visible when building with -ffunction-sections in KCFLAGS.
+
+Fix by copying the search string instead of modifying it in place.
+
+Signed-off-by: Artem Savkov <asavkov@redhat.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions")
+Link: http://lkml.kernel.org/r/910abd6b5a4945130fd44f787c24e07b9e07c8da.1542736240.git.jpoimboe@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/elf.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
+index 3616d626991e..dd4ed7c3c062 100644
+--- a/tools/objtool/elf.c
++++ b/tools/objtool/elf.c
+@@ -31,6 +31,8 @@
+ #include "elf.h"
+ #include "warn.h"
++#define MAX_NAME_LEN 128
++
+ struct section *find_section_by_name(struct elf *elf, const char *name)
+ {
+       struct section *sec;
+@@ -298,6 +300,8 @@ static int read_symbols(struct elf *elf)
+       /* Create parent/child links for any cold subfunctions */
+       list_for_each_entry(sec, &elf->sections, list) {
+               list_for_each_entry(sym, &sec->symbol_list, list) {
++                      char pname[MAX_NAME_LEN + 1];
++                      size_t pnamelen;
+                       if (sym->type != STT_FUNC)
+                               continue;
+                       sym->pfunc = sym->cfunc = sym;
+@@ -305,9 +309,16 @@ static int read_symbols(struct elf *elf)
+                       if (!coldstr)
+                               continue;
+-                      coldstr[0] = '\0';
+-                      pfunc = find_symbol_by_name(elf, sym->name);
+-                      coldstr[0] = '.';
++                      pnamelen = coldstr - sym->name;
++                      if (pnamelen > MAX_NAME_LEN) {
++                              WARN("%s(): parent function name exceeds maximum length of %d characters",
++                                   sym->name, MAX_NAME_LEN);
++                              return -1;
++                      }
++
++                      strncpy(pname, sym->name, pnamelen);
++                      pname[pnamelen] = '\0';
++                      pfunc = find_symbol_by_name(elf, pname);
+                       if (!pfunc) {
+                               WARN("%s(): can't find parent function",
+-- 
+2.19.1
+
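Review bot: `strncpy(pname, sym->name, pnamelen)` is used as a fixed-length copy, with the terminator written by hand on the following line. Since `pnamelen` is already known and bounded by the `pnamelen > MAX_NAME_LEN` check, `memcpy(pname, sym->name, pnamelen);` states that directly and does not depend on strncpy's padding and non-termination rules. That bound check is the only thing keeping the write inside `pname[MAX_NAME_LEN + 1]`, so it deserves a short comment saying it must stay ahead of the copy. A parent name longer than 128 characters now makes read_symbols() fail outright, and that hard limit should be documented next to the `#define MAX_NAME_LEN 128`.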
diff --git a/queue-4.14/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch b/queue-4.14/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch
new file mode 100644 (file)
index 0000000..1f33c3c
--- /dev/null
@@ -0,0 +1,147 @@
+From f940af68ddd1d3656b710a25d71ccbb7cf381f75 Mon Sep 17 00:00:00 2001
+From: Larry Chen <lchen@suse.com>
+Date: Fri, 30 Nov 2018 14:08:56 -0800
+Subject: ocfs2: fix deadlock caused by ocfs2_defrag_extent()
+
+[ Upstream commit e21e57445a64598b29a6f629688f9b9a39e7242a ]
+
+ocfs2_defrag_extent may fall into deadlock.
+
+ocfs2_ioctl_move_extents
+    ocfs2_ioctl_move_extents
+      ocfs2_move_extents
+        ocfs2_defrag_extent
+          ocfs2_lock_allocators_move_extents
+
+            ocfs2_reserve_clusters
+              inode_lock GLOBAL_BITMAP_SYSTEM_INODE
+
+         __ocfs2_flush_truncate_log
+              inode_lock GLOBAL_BITMAP_SYSTEM_INODE
+
+As backtrace shows above, ocfs2_reserve_clusters() will call inode_lock
+against the global bitmap if local allocator has not sufficient cluters.
+Once global bitmap could meet the demand, ocfs2_reserve_cluster will
+return success with global bitmap locked.
+
+After ocfs2_reserve_cluster(), if truncate log is full,
+__ocfs2_flush_truncate_log() will definitely fall into deadlock because
+it needs to inode_lock global bitmap, which has already been locked.
+
+To fix this bug, we could remove from
+ocfs2_lock_allocators_move_extents() the code which intends to lock
+global allocator, and put the removed code after
+__ocfs2_flush_truncate_log().
+
+ocfs2_lock_allocators_move_extents() is referred by 2 places, one is
+here, the other does not need the data allocator context, which means
+this patch does not affect the caller so far.
+
+Link: http://lkml.kernel.org/r/20181101071422.14470-1-lchen@suse.com
+Signed-off-by: Larry Chen <lchen@suse.com>
+Reviewed-by: Changwei Ge <ge.changwei@h3c.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/move_extents.c | 47 +++++++++++++++++++++++------------------
+ 1 file changed, 26 insertions(+), 21 deletions(-)
+
+diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
+index 7eb3b0a6347e..f55f82ca3425 100644
+--- a/fs/ocfs2/move_extents.c
++++ b/fs/ocfs2/move_extents.c
+@@ -156,18 +156,14 @@ static int __ocfs2_move_extent(handle_t *handle,
+ }
+ /*
+- * lock allocators, and reserving appropriate number of bits for
+- * meta blocks and data clusters.
+- *
+- * in some cases, we don't need to reserve clusters, just let data_ac
+- * be NULL.
++ * lock allocator, and reserve appropriate number of bits for
++ * meta blocks.
+  */
+-static int ocfs2_lock_allocators_move_extents(struct inode *inode,
++static int ocfs2_lock_meta_allocator_move_extents(struct inode *inode,
+                                       struct ocfs2_extent_tree *et,
+                                       u32 clusters_to_move,
+                                       u32 extents_to_split,
+                                       struct ocfs2_alloc_context **meta_ac,
+-                                      struct ocfs2_alloc_context **data_ac,
+                                       int extra_blocks,
+                                       int *credits)
+ {
+@@ -192,13 +188,6 @@ static int ocfs2_lock_allocators_move_extents(struct inode *inode,
+               goto out;
+       }
+-      if (data_ac) {
+-              ret = ocfs2_reserve_clusters(osb, clusters_to_move, data_ac);
+-              if (ret) {
+-                      mlog_errno(ret);
+-                      goto out;
+-              }
+-      }
+       *credits += ocfs2_calc_extend_credits(osb->sb, et->et_root_el);
+@@ -257,10 +246,10 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context,
+               }
+       }
+-      ret = ocfs2_lock_allocators_move_extents(inode, &context->et, *len, 1,
+-                                               &context->meta_ac,
+-                                               &context->data_ac,
+-                                               extra_blocks, &credits);
++      ret = ocfs2_lock_meta_allocator_move_extents(inode, &context->et,
++                                              *len, 1,
++                                              &context->meta_ac,
++                                              extra_blocks, &credits);
+       if (ret) {
+               mlog_errno(ret);
+               goto out;
+@@ -283,6 +272,21 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context,
+               }
+       }
++      /*
++       * Make sure ocfs2_reserve_cluster is called after
++       * __ocfs2_flush_truncate_log, otherwise, dead lock may happen.
++       *
++       * If ocfs2_reserve_cluster is called
++       * before __ocfs2_flush_truncate_log, dead lock on global bitmap
++       * may happen.
++       *
++       */
++      ret = ocfs2_reserve_clusters(osb, *len, &context->data_ac);
++      if (ret) {
++              mlog_errno(ret);
++              goto out_unlock_mutex;
++      }
++
+       handle = ocfs2_start_trans(osb, credits);
+       if (IS_ERR(handle)) {
+               ret = PTR_ERR(handle);
+@@ -600,9 +604,10 @@ static int ocfs2_move_extent(struct ocfs2_move_extents_context *context,
+               }
+       }
+-      ret = ocfs2_lock_allocators_move_extents(inode, &context->et, len, 1,
+-                                               &context->meta_ac,
+-                                               NULL, extra_blocks, &credits);
++      ret = ocfs2_lock_meta_allocator_move_extents(inode, &context->et,
++                                              len, 1,
++                                              &context->meta_ac,
++                                              extra_blocks, &credits);
+       if (ret) {
+               mlog_errno(ret);
+               goto out;
+-- 
+2.19.1
+
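Review bot: The block comment added above `ocfs2_reserve_clusters(osb, *len, &context->data_ac)` in ocfs2_defrag_extent() says the same thing twice and refers to `ocfs2_reserve_cluster`, while the function actually called is `ocfs2_reserve_clusters`. It also leaves out the reason given in the commit message, namely that both calls take the inode lock on the global bitmap. A tighter version would be `/* Reserve clusters only after __ocfs2_flush_truncate_log(): both lock the global bitmap inode, so reserving first can deadlock. */`. The `out_unlock_mutex` label used on failure lies outside the hunk, so confirm that it releases everything acquired up to this point.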
diff --git a/queue-4.14/ocfs2-fix-potential-use-after-free.patch b/queue-4.14/ocfs2-fix-potential-use-after-free.patch
new file mode 100644 (file)
index 0000000..419edd7
--- /dev/null
@@ -0,0 +1,47 @@
+From 1d77aaf4cf430c8c3b7dcd297664a819128a3d4a Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 30 Nov 2018 14:10:54 -0800
+Subject: ocfs2: fix potential use after free
+
+[ Upstream commit 164f7e586739d07eb56af6f6d66acebb11f315c8 ]
+
+ocfs2_get_dentry() calls iput(inode) to drop the reference count of
+inode, and if the reference count hits 0, inode is freed.  However, in
+this function, it then reads inode->i_generation, which may result in a
+use after free bug.  Move the put operation later.
+
+Link: http://lkml.kernel.org/r/1543109237-110227-1-git-send-email-bianpan2016@163.com
+Fixes: 781f200cb7a("ocfs2: Remove masklog ML_EXPORT.")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <ge.changwei@h3c.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/export.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/export.c b/fs/ocfs2/export.c
+index 9f88188060db..4bf8d5854b27 100644
+--- a/fs/ocfs2/export.c
++++ b/fs/ocfs2/export.c
+@@ -125,10 +125,10 @@ static struct dentry *ocfs2_get_dentry(struct super_block *sb,
+ check_gen:
+       if (handle->ih_generation != inode->i_generation) {
+-              iput(inode);
+               trace_ocfs2_get_dentry_generation((unsigned long long)blkno,
+                                                 handle->ih_generation,
+                                                 inode->i_generation);
++              iput(inode);
+               result = ERR_PTR(-ESTALE);
+               goto bail;
+       }
+-- 
+2.19.1
+
diff --git a/queue-4.14/pci-imx6-fix-link-training-status-detection-in-link-.patch b/queue-4.14/pci-imx6-fix-link-training-status-detection-in-link-.patch
new file mode 100644 (file)
index 0000000..7986754
--- /dev/null
@@ -0,0 +1,89 @@
+From f61f2360f24c22046ccc91179036ef3c2cffb106 Mon Sep 17 00:00:00 2001
+From: Trent Piepho <tpiepho@impinj.com>
+Date: Mon, 5 Nov 2018 18:11:36 +0000
+Subject: PCI: imx6: Fix link training status detection in link up check
+
+[ Upstream commit 68bc10bf992180f269816ff3d22eb30383138577 ]
+
+This bug was introduced in the interaction for two commits on either
+branch of the merge commit 562df5c8521e ("Merge branch
+'pci/host-designware' into next").
+
+Commit 4d107d3b5a68 ("PCI: imx6: Move link up check into
+imx6_pcie_wait_for_link()"), changed imx6_pcie_wait_for_link() to poll
+the link status register directly, checking for link up and not
+training, and made imx6_pcie_link_up() only check the link up bit (once,
+not a polling loop).
+
+While commit 886bc5ceb5cc ("PCI: designware: Add generic
+dw_pcie_wait_for_link()"), replaced the loop in
+imx6_pcie_wait_for_link() with a call to a new dwc core function, which
+polled imx6_pcie_link_up(), which still checked both link up and not
+training in a loop.
+
+When these two commits were merged, the version of
+imx6_pcie_wait_for_link() from 886bc5ceb5cc was kept, which eliminated
+the link training check placed there by 4d107d3b5a68. However, the
+version of imx6_pcie_link_up() from 4d107d3b5a68 was kept, which
+eliminated the link training check that had been there and was moved to
+imx6_pcie_wait_for_link().
+
+The result was the link training check got lost for the imx6 driver.
+
+Eliminate imx6_pcie_link_up() so that the default handler,
+dw_pcie_link_up(), is used instead. The default handler has the correct
+code, which checks for link up and also that it still is not training,
+fixing the regression.
+
+Fixes: 562df5c8521e ("Merge branch 'pci/host-designware' into next")
+Signed-off-by: Trent Piepho <tpiepho@impinj.com>
+[lorenzo.pieralisi@arm.com: rewrote the commit log]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Lucas Stach <l.stach@pengutronix.de>
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Joao Pinto <Joao.Pinto@synopsys.com>
+Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: Richard Zhu <hongxing.zhu@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/dwc/pci-imx6.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/pci/dwc/pci-imx6.c b/drivers/pci/dwc/pci-imx6.c
+index b73483534a5b..1f1069b70e45 100644
+--- a/drivers/pci/dwc/pci-imx6.c
++++ b/drivers/pci/dwc/pci-imx6.c
+@@ -83,8 +83,6 @@ struct imx6_pcie {
+ #define PCIE_PL_PFLR_FORCE_LINK                       (1 << 15)
+ #define PCIE_PHY_DEBUG_R0 (PL_OFFSET + 0x28)
+ #define PCIE_PHY_DEBUG_R1 (PL_OFFSET + 0x2c)
+-#define PCIE_PHY_DEBUG_R1_XMLH_LINK_IN_TRAINING       (1 << 29)
+-#define PCIE_PHY_DEBUG_R1_XMLH_LINK_UP                (1 << 4)
+ #define PCIE_PHY_CTRL (PL_OFFSET + 0x114)
+ #define PCIE_PHY_CTRL_DATA_LOC 0
+@@ -653,12 +651,6 @@ static int imx6_pcie_host_init(struct pcie_port *pp)
+       return 0;
+ }
+-static int imx6_pcie_link_up(struct dw_pcie *pci)
+-{
+-      return dw_pcie_readl_dbi(pci, PCIE_PHY_DEBUG_R1) &
+-                      PCIE_PHY_DEBUG_R1_XMLH_LINK_UP;
+-}
+-
+ static const struct dw_pcie_host_ops imx6_pcie_host_ops = {
+       .host_init = imx6_pcie_host_init,
+ };
+@@ -701,7 +693,7 @@ static int imx6_add_pcie_port(struct imx6_pcie *imx6_pcie,
+ }
+ static const struct dw_pcie_ops dw_pcie_ops = {
+-      .link_up = imx6_pcie_link_up,
++      /* No special ops needed, but pcie-designware still expects this struct */
+ };
+ static int imx6_pcie_probe(struct platform_device *pdev)
+-- 
+2.19.1
+
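Review bot: The now-empty `dw_pcie_ops` initialiser only works if the DesignWare core falls back to its default link-up check when `.link_up` is unset. The commit message says so, but neither the hunk nor the replacement comment does. The comment should record that intent, for example `/* .link_up deliberately unset: default dw_pcie_link_up() checks link up and not training */`. That makes it less likely that a driver-specific handler without the training check is added back later.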
diff --git a/queue-4.14/perf-tools-restore-proper-cwd-on-return-from-mnt-nam.patch b/queue-4.14/perf-tools-restore-proper-cwd-on-return-from-mnt-nam.patch
new file mode 100644 (file)
index 0000000..26b1362
--- /dev/null
@@ -0,0 +1,129 @@
+From 26242ed8f4516a86ef2242075819ad95e513ba80 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Thu, 1 Nov 2018 18:00:01 +0100
+Subject: perf tools: Restore proper cwd on return from mnt namespace
+
+[ Upstream commit b01c1f69c8660eaeab7d365cd570103c5c073a02 ]
+
+When reporting on 'record' server we try to retrieve/use the mnt
+namespace of the profiled tasks. We use following API with cookie to
+hold the return namespace, roughly:
+
+  nsinfo__mountns_enter(struct nsinfo *nsi, struct nscookie *nc)
+    setns(newns, 0);
+  ...
+  new ns related open..
+  ...
+  nsinfo__mountns_exit(struct nscookie *nc)
+    setns(nc->oldns)
+
+Once finished we setns to old namespace, which also sets the current
+working directory (cwd) to "/", trashing the cwd we had.
+
+This is mostly fine, because we use absolute paths almost everywhere,
+but it screws up 'perf diff':
+
+  # perf diff
+  failed to open perf.data: No such file or directory  (try 'perf record' first)
+  ...
+
+Adding the current working directory to be part of the cookie and
+restoring it in the nsinfo__mountns_exit call.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Krister Johansen <kjlx@templeofstupid.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Fixes: 843ff37bb59e ("perf symbols: Find symbols in different mount namespace")
+Link: http://lkml.kernel.org/r/20181101170001.30019-1-jolsa@kernel.org
+[ No need to check for NULL args for free(), use zfree() for struct members ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/namespaces.c | 17 +++++++++++++++--
+ tools/perf/util/namespaces.h |  1 +
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/namespaces.c b/tools/perf/util/namespaces.c
+index 1ef0049860a8..eadc7ddacbf6 100644
+--- a/tools/perf/util/namespaces.c
++++ b/tools/perf/util/namespaces.c
+@@ -17,6 +17,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <asm/bug.h>
+ struct namespaces *namespaces__new(struct namespaces_event *event)
+ {
+@@ -185,6 +186,7 @@ void nsinfo__mountns_enter(struct nsinfo *nsi,
+       char curpath[PATH_MAX];
+       int oldns = -1;
+       int newns = -1;
++      char *oldcwd = NULL;
+       if (nc == NULL)
+               return;
+@@ -198,9 +200,13 @@ void nsinfo__mountns_enter(struct nsinfo *nsi,
+       if (snprintf(curpath, PATH_MAX, "/proc/self/ns/mnt") >= PATH_MAX)
+               return;
++      oldcwd = get_current_dir_name();
++      if (!oldcwd)
++              return;
++
+       oldns = open(curpath, O_RDONLY);
+       if (oldns < 0)
+-              return;
++              goto errout;
+       newns = open(nsi->mntns_path, O_RDONLY);
+       if (newns < 0)
+@@ -209,11 +215,13 @@ void nsinfo__mountns_enter(struct nsinfo *nsi,
+       if (setns(newns, CLONE_NEWNS) < 0)
+               goto errout;
++      nc->oldcwd = oldcwd;
+       nc->oldns = oldns;
+       nc->newns = newns;
+       return;
+ errout:
++      free(oldcwd);
+       if (oldns > -1)
+               close(oldns);
+       if (newns > -1)
+@@ -222,11 +230,16 @@ void nsinfo__mountns_enter(struct nsinfo *nsi,
+ void nsinfo__mountns_exit(struct nscookie *nc)
+ {
+-      if (nc == NULL || nc->oldns == -1 || nc->newns == -1)
++      if (nc == NULL || nc->oldns == -1 || nc->newns == -1 || !nc->oldcwd)
+               return;
+       setns(nc->oldns, CLONE_NEWNS);
++      if (nc->oldcwd) {
++              WARN_ON_ONCE(chdir(nc->oldcwd));
++              zfree(&nc->oldcwd);
++      }
++
+       if (nc->oldns > -1) {
+               close(nc->oldns);
+               nc->oldns = -1;
+diff --git a/tools/perf/util/namespaces.h b/tools/perf/util/namespaces.h
+index 05d82601c9a6..23584a6dd048 100644
+--- a/tools/perf/util/namespaces.h
++++ b/tools/perf/util/namespaces.h
+@@ -36,6 +36,7 @@ struct nsinfo {
+ struct nscookie {
+       int                     oldns;
+       int                     newns;
++      char                    *oldcwd;
+ };
+ int nsinfo__init(struct nsinfo *nsi);
+-- 
+2.19.1
+
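Review bot: nsinfo__mountns_exit() still ignores the result of `setns(nc->oldns, CLONE_NEWNS)` and now follows it with `chdir(nc->oldcwd)`. If the switch back fails, the saved path is resolved inside the profiled task's mount namespace rather than the original one. The chdir should be gated on a successful return, e.g. `if (!setns(nc->oldns, CLONE_NEWNS)) WARN_ON_ONCE(chdir(nc->oldcwd));`, with `zfree(&nc->oldcwd);` kept unconditional. The inner `if (nc->oldcwd)` is redundant, because the early return already rejects a NULL `oldcwd`. In nsinfo__mountns_enter(), a failing `get_current_dir_name()` (for instance when the cwd has been deleted) now returns silently without entering the namespace; that deserves a comment or a debug message.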
diff --git a/queue-4.14/printk-add-console-owner-and-waiter-logic-to-load-ba.patch b/queue-4.14/printk-add-console-owner-and-waiter-logic-to-load-ba.patch
new file mode 100644 (file)
index 0000000..8dd9ebe
--- /dev/null
@@ -0,0 +1,358 @@
+From 51387793273eca2ed854aa5af2d84e0e7867b21a Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Wed, 10 Jan 2018 14:24:17 +0100
+Subject: printk: Add console owner and waiter logic to load balance console
+ writes
+
+[ Upstream commit dbdda842fe96f8932bae554f0adf463c27c42bc7 ]
+
+This patch implements what I discussed in Kernel Summit. I added
+lockdep annotation (hopefully correctly), and it hasn't had any splats
+(since I fixed some bugs in the first iterations). It did catch
+problems when I had the owner covering too much. But now that the owner
+is only set when actively calling the consoles, lockdep has stayed
+quiet.
+
+Here's the design again:
+
+I added a "console_owner" which is set to a task that is actively
+writing to the consoles. It is *not* the same as the owner of the
+console_lock. It is only set when doing the calls to the console
+functions. It is protected by a console_owner_lock which is a raw spin
+lock.
+
+There is a console_waiter. This is set when there is an active console
+owner that is not current, and waiter is not set. This too is protected
+by console_owner_lock.
+
+In printk() when it tries to write to the consoles, we have:
+
+       if (console_trylock())
+               console_unlock();
+
+Now I added an else, which will check if there is an active owner, and
+no current waiter. If that is the case, then console_waiter is set, and
+the task goes into a spin until it is no longer set.
+
+When the active console owner finishes writing the current message to
+the consoles, it grabs the console_owner_lock and sees if there is a
+waiter, and clears console_owner.
+
+If there is a waiter, then it breaks out of the loop, clears the waiter
+flag (because that will release the waiter from its spin), and exits.
+Note, it does *not* release the console semaphore. Because it is a
+semaphore, there is no owner. Another task may release it. This means
+that the waiter is guaranteed to be the new console owner! Which it
+becomes.
+
+Then the waiter calls console_unlock() and continues to write to the
+consoles.
+
+If another task comes along and does a printk() it too can become the
+new waiter, and we wash rinse and repeat!
+
+By Petr Mladek about possible new deadlocks:
+
+The thing is that we move console_sem only to printk() call
+that normally calls console_unlock() as well. It means that
+the transferred owner should not bring new type of dependencies.
+As Steven said somewhere: "If there is a deadlock, it was
+there even before."
+
+We could look at it from this side. The possible deadlock would
+look like:
+
+CPU0                            CPU1
+
+console_unlock()
+
+  console_owner = current;
+
+                               spin_lockA()
+                                 printk()
+                                   spin = true;
+                                   while (...)
+
+    call_console_drivers()
+      spin_lockA()
+
+This would be a deadlock. CPU0 would wait for the lock A.
+While CPU1 would own the lockA and would wait for CPU0
+to finish calling the console drivers and pass the console_sem
+owner.
+
+But if the above is true than the following scenario was
+already possible before:
+
+CPU0
+
+spin_lockA()
+  printk()
+    console_unlock()
+      call_console_drivers()
+       spin_lockA()
+
+By other words, this deadlock was there even before. Such
+deadlocks are prevented by using printk_deferred() in
+the sections guarded by the lock A.
+
+By Steven Rostedt:
+
+To demonstrate the issue, this module has been shown to lock up a
+system with 4 CPUs and a slow console (like a serial console). It is
+also able to lock up a 8 CPU system with only a fast (VGA) console, by
+passing in "loops=100". The changes in this commit prevent this module
+from locking up the system.
+
+ #include <linux/module.h>
+ #include <linux/delay.h>
+ #include <linux/sched.h>
+ #include <linux/mutex.h>
+ #include <linux/workqueue.h>
+ #include <linux/hrtimer.h>
+
+ static bool stop_testing;
+ static unsigned int loops = 1;
+
+ static void preempt_printk_workfn(struct work_struct *work)
+ {
+       int i;
+
+       while (!READ_ONCE(stop_testing)) {
+               for (i = 0; i < loops && !READ_ONCE(stop_testing); i++) {
+                       preempt_disable();
+                       pr_emerg("%5d%-75s\n", smp_processor_id(),
+                                " XXX NOPREEMPT");
+                       preempt_enable();
+               }
+               msleep(1);
+       }
+ }
+
+ static struct work_struct __percpu *works;
+
+ static void finish(void)
+ {
+       int cpu;
+
+       WRITE_ONCE(stop_testing, true);
+       for_each_online_cpu(cpu)
+               flush_work(per_cpu_ptr(works, cpu));
+       free_percpu(works);
+ }
+
+ static int __init test_init(void)
+ {
+       int cpu;
+
+       works = alloc_percpu(struct work_struct);
+       if (!works)
+               return -ENOMEM;
+
+       /*
+        * This is just a test module. This will break if you
+        * do any CPU hot plugging between loading and
+        * unloading the module.
+        */
+
+       for_each_online_cpu(cpu) {
+               struct work_struct *work = per_cpu_ptr(works, cpu);
+
+               INIT_WORK(work, &preempt_printk_workfn);
+               schedule_work_on(cpu, work);
+       }
+
+       return 0;
+ }
+
+ static void __exit test_exit(void)
+ {
+       finish();
+ }
+
+ module_param(loops, uint, 0);
+ module_init(test_init);
+ module_exit(test_exit);
+ MODULE_LICENSE("GPL");
+
+Link: http://lkml.kernel.org/r/20180110132418.7080-2-pmladek@suse.com
+Cc: akpm@linux-foundation.org
+Cc: linux-mm@kvack.org
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Mel Gorman <mgorman@suse.de>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: Byungchul Park <byungchul.park@lge.com>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Pavel Machek <pavel@ucw.cz>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+[pmladek@suse.com: Commit message about possible deadlocks]
+Acked-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/printk/printk.c | 108 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 107 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
+index 7161312593dd..b88b402444d6 100644
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -86,8 +86,15 @@ EXPORT_SYMBOL_GPL(console_drivers);
+ static struct lockdep_map console_lock_dep_map = {
+       .name = "console_lock"
+ };
++static struct lockdep_map console_owner_dep_map = {
++      .name = "console_owner"
++};
+ #endif
++static DEFINE_RAW_SPINLOCK(console_owner_lock);
++static struct task_struct *console_owner;
++static bool console_waiter;
++
+ enum devkmsg_log_bits {
+       __DEVKMSG_LOG_BIT_ON = 0,
+       __DEVKMSG_LOG_BIT_OFF,
+@@ -1767,8 +1774,56 @@ asmlinkage int vprintk_emit(int facility, int level,
+                * semaphore.  The release will print out buffers and wake up
+                * /dev/kmsg and syslog() users.
+                */
+-              if (console_trylock())
++              if (console_trylock()) {
+                       console_unlock();
++              } else {
++                      struct task_struct *owner = NULL;
++                      bool waiter;
++                      bool spin = false;
++
++                      printk_safe_enter_irqsave(flags);
++
++                      raw_spin_lock(&console_owner_lock);
++                      owner = READ_ONCE(console_owner);
++                      waiter = READ_ONCE(console_waiter);
++                      if (!waiter && owner && owner != current) {
++                              WRITE_ONCE(console_waiter, true);
++                              spin = true;
++                      }
++                      raw_spin_unlock(&console_owner_lock);
++
++                      /*
++                       * If there is an active printk() writing to the
++                       * consoles, instead of having it write our data too,
++                       * see if we can offload that load from the active
++                       * printer, and do some printing ourselves.
++                       * Go into a spin only if there isn't already a waiter
++                       * spinning, and there is an active printer, and
++                       * that active printer isn't us (recursive printk?).
++                       */
++                      if (spin) {
++                              /* We spin waiting for the owner to release us */
++                              spin_acquire(&console_owner_dep_map, 0, 0, _THIS_IP_);
++                              /* Owner will clear console_waiter on hand off */
++                              while (READ_ONCE(console_waiter))
++                                      cpu_relax();
++
++                              spin_release(&console_owner_dep_map, 1, _THIS_IP_);
++                              printk_safe_exit_irqrestore(flags);
++
++                              /*
++                               * The owner passed the console lock to us.
++                               * Since we did not spin on console lock, annotate
++                               * this as a trylock. Otherwise lockdep will
++                               * complain.
++                               */
++                              mutex_acquire(&console_lock_dep_map, 0, 1, _THIS_IP_);
++                              console_unlock();
++                              printk_safe_enter_irqsave(flags);
++                      }
++                      printk_safe_exit_irqrestore(flags);
++
++              }
+       }
+       return printed_len;
+@@ -2155,6 +2210,7 @@ void console_unlock(void)
+       static u64 seen_seq;
+       unsigned long flags;
+       bool wake_klogd = false;
++      bool waiter = false;
+       bool do_cond_resched, retry;
+       if (console_suspended) {
+@@ -2243,14 +2299,64 @@ void console_unlock(void)
+               console_seq++;
+               raw_spin_unlock(&logbuf_lock);
++              /*
++               * While actively printing out messages, if another printk()
++               * were to occur on another CPU, it may wait for this one to
++               * finish. This task can not be preempted if there is a
++               * waiter waiting to take over.
++               */
++              raw_spin_lock(&console_owner_lock);
++              console_owner = current;
++              raw_spin_unlock(&console_owner_lock);
++
++              /* The waiter may spin on us after setting console_owner */
++              spin_acquire(&console_owner_dep_map, 0, 0, _THIS_IP_);
++
+               stop_critical_timings();        /* don't trace print latency */
+               call_console_drivers(ext_text, ext_len, text, len);
+               start_critical_timings();
++
++              raw_spin_lock(&console_owner_lock);
++              waiter = READ_ONCE(console_waiter);
++              console_owner = NULL;
++              raw_spin_unlock(&console_owner_lock);
++
++              /*
++               * If there is a waiter waiting for us, then pass the
++               * rest of the work load over to that waiter.
++               */
++              if (waiter)
++                      break;
++
++              /* There was no waiter, and nothing will spin on us here */
++              spin_release(&console_owner_dep_map, 1, _THIS_IP_);
++
+               printk_safe_exit_irqrestore(flags);
+               if (do_cond_resched)
+                       cond_resched();
+       }
++
++      /*
++       * If there is an active waiter waiting on the console_lock.
++       * Pass off the printing to the waiter, and the waiter
++       * will continue printing on its CPU, and when all writing
++       * has finished, the last printer will wake up klogd.
++       */
++      if (waiter) {
++              WRITE_ONCE(console_waiter, false);
++              /* The waiter is now free to continue */
++              spin_release(&console_owner_dep_map, 1, _THIS_IP_);
++              /*
++               * Hand off console_lock to waiter. The waiter will perform
++               * the up(). After this, the waiter is the console_lock owner.
++               */
++              mutex_release(&console_lock_dep_map, 1, _THIS_IP_);
++              printk_safe_exit_irqrestore(flags);
++              /* Note, if waiter is set, logbuf_lock is not held */
++              return;
++      }
++
+       console_locked = 0;
+       /* Release the exclusive_console once it is used */
+-- 
+2.19.1
+
diff --git a/queue-4.14/printk-hide-console-waiter-logic-into-helpers.patch b/queue-4.14/printk-hide-console-waiter-logic-into-helpers.patch
new file mode 100644 (file)
index 0000000..007ad99
--- /dev/null
@@ -0,0 +1,354 @@
+From 93f9028c6b41efe1761e168acf3b97180fd09a35 Mon Sep 17 00:00:00 2001
+From: Petr Mladek <pmladek@suse.com>
+Date: Fri, 12 Jan 2018 17:08:37 +0100
+Subject: printk: Hide console waiter logic into helpers
+
+[ Upstream commit c162d5b4338d72deed61aa65ed0f2f4ba2bbc8ab ]
+
+The commit ("printk: Add console owner and waiter logic to load balance
+console writes") made vprintk_emit() and console_unlock() even more
+complicated.
+
+This patch extracts the new code into 3 helper functions. They should
+help to keep it rather self-contained. It will be easier to use and
+maintain.
+
+This patch just shuffles the existing code. It does not change
+the functionality.
+
+Link: http://lkml.kernel.org/r/20180112160837.GD24497@linux.suse
+Cc: akpm@linux-foundation.org
+Cc: linux-mm@kvack.org
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Mel Gorman <mgorman@suse.de>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: rostedt@home.goodmis.org
+Cc: Byungchul Park <byungchul.park@lge.com>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Pavel Machek <pavel@ucw.cz>
+Cc: linux-kernel@vger.kernel.org
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/printk/printk.c | 245 +++++++++++++++++++++++++----------------
+ 1 file changed, 148 insertions(+), 97 deletions(-)
+
+diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
+index b88b402444d6..2d1c2700bd85 100644
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -86,15 +86,8 @@ EXPORT_SYMBOL_GPL(console_drivers);
+ static struct lockdep_map console_lock_dep_map = {
+       .name = "console_lock"
+ };
+-static struct lockdep_map console_owner_dep_map = {
+-      .name = "console_owner"
+-};
+ #endif
+-static DEFINE_RAW_SPINLOCK(console_owner_lock);
+-static struct task_struct *console_owner;
+-static bool console_waiter;
+-
+ enum devkmsg_log_bits {
+       __DEVKMSG_LOG_BIT_ON = 0,
+       __DEVKMSG_LOG_BIT_OFF,
+@@ -1555,6 +1548,146 @@ SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len)
+       return do_syslog(type, buf, len, SYSLOG_FROM_READER);
+ }
++/*
++ * Special console_lock variants that help to reduce the risk of soft-lockups.
++ * They allow to pass console_lock to another printk() call using a busy wait.
++ */
++
++#ifdef CONFIG_LOCKDEP
++static struct lockdep_map console_owner_dep_map = {
++      .name = "console_owner"
++};
++#endif
++
++static DEFINE_RAW_SPINLOCK(console_owner_lock);
++static struct task_struct *console_owner;
++static bool console_waiter;
++
++/**
++ * console_lock_spinning_enable - mark beginning of code where another
++ *    thread might safely busy wait
++ *
++ * This basically converts console_lock into a spinlock. This marks
++ * the section where the console_lock owner can not sleep, because
++ * there may be a waiter spinning (like a spinlock). Also it must be
++ * ready to hand over the lock at the end of the section.
++ */
++static void console_lock_spinning_enable(void)
++{
++      raw_spin_lock(&console_owner_lock);
++      console_owner = current;
++      raw_spin_unlock(&console_owner_lock);
++
++      /* The waiter may spin on us after setting console_owner */
++      spin_acquire(&console_owner_dep_map, 0, 0, _THIS_IP_);
++}
++
++/**
++ * console_lock_spinning_disable_and_check - mark end of code where another
++ *    thread was able to busy wait and check if there is a waiter
++ *
++ * This is called at the end of the section where spinning is allowed.
++ * It has two functions. First, it is a signal that it is no longer
++ * safe to start busy waiting for the lock. Second, it checks if
++ * there is a busy waiter and passes the lock rights to her.
++ *
++ * Important: Callers lose the lock if there was a busy waiter.
++ *    They must not touch items synchronized by console_lock
++ *    in this case.
++ *
++ * Return: 1 if the lock rights were passed, 0 otherwise.
++ */
++static int console_lock_spinning_disable_and_check(void)
++{
++      int waiter;
++
++      raw_spin_lock(&console_owner_lock);
++      waiter = READ_ONCE(console_waiter);
++      console_owner = NULL;
++      raw_spin_unlock(&console_owner_lock);
++
++      if (!waiter) {
++              spin_release(&console_owner_dep_map, 1, _THIS_IP_);
++              return 0;
++      }
++
++      /* The waiter is now free to continue */
++      WRITE_ONCE(console_waiter, false);
++
++      spin_release(&console_owner_dep_map, 1, _THIS_IP_);
++
++      /*
++       * Hand off console_lock to waiter. The waiter will perform
++       * the up(). After this, the waiter is the console_lock owner.
++       */
++      mutex_release(&console_lock_dep_map, 1, _THIS_IP_);
++      return 1;
++}
++
++/**
++ * console_trylock_spinning - try to get console_lock by busy waiting
++ *
++ * This allows to busy wait for the console_lock when the current
++ * owner is running in specially marked sections. It means that
++ * the current owner is running and cannot reschedule until it
++ * is ready to lose the lock.
++ *
++ * Return: 1 if we got the lock, 0 othrewise
++ */
++static int console_trylock_spinning(void)
++{
++      struct task_struct *owner = NULL;
++      bool waiter;
++      bool spin = false;
++      unsigned long flags;
++
++      if (console_trylock())
++              return 1;
++
++      printk_safe_enter_irqsave(flags);
++
++      raw_spin_lock(&console_owner_lock);
++      owner = READ_ONCE(console_owner);
++      waiter = READ_ONCE(console_waiter);
++      if (!waiter && owner && owner != current) {
++              WRITE_ONCE(console_waiter, true);
++              spin = true;
++      }
++      raw_spin_unlock(&console_owner_lock);
++
++      /*
++       * If there is an active printk() writing to the
++       * consoles, instead of having it write our data too,
++       * see if we can offload that load from the active
++       * printer, and do some printing ourselves.
++       * Go into a spin only if there isn't already a waiter
++       * spinning, and there is an active printer, and
++       * that active printer isn't us (recursive printk?).
++       */
++      if (!spin) {
++              printk_safe_exit_irqrestore(flags);
++              return 0;
++      }
++
++      /* We spin waiting for the owner to release us */
++      spin_acquire(&console_owner_dep_map, 0, 0, _THIS_IP_);
++      /* Owner will clear console_waiter on hand off */
++      while (READ_ONCE(console_waiter))
++              cpu_relax();
++      spin_release(&console_owner_dep_map, 1, _THIS_IP_);
++
++      printk_safe_exit_irqrestore(flags);
++      /*
++       * The owner passed the console lock to us.
++       * Since we did not spin on console lock, annotate
++       * this as a trylock. Otherwise lockdep will
++       * complain.
++       */
++      mutex_acquire(&console_lock_dep_map, 0, 1, _THIS_IP_);
++
++      return 1;
++}
++
+ /*
+  * Call the console drivers, asking them to write out
+  * log_buf[start] to log_buf[end - 1].
+@@ -1774,56 +1907,8 @@ asmlinkage int vprintk_emit(int facility, int level,
+                * semaphore.  The release will print out buffers and wake up
+                * /dev/kmsg and syslog() users.
+                */
+-              if (console_trylock()) {
++              if (console_trylock_spinning())
+                       console_unlock();
+-              } else {
+-                      struct task_struct *owner = NULL;
+-                      bool waiter;
+-                      bool spin = false;
+-
+-                      printk_safe_enter_irqsave(flags);
+-
+-                      raw_spin_lock(&console_owner_lock);
+-                      owner = READ_ONCE(console_owner);
+-                      waiter = READ_ONCE(console_waiter);
+-                      if (!waiter && owner && owner != current) {
+-                              WRITE_ONCE(console_waiter, true);
+-                              spin = true;
+-                      }
+-                      raw_spin_unlock(&console_owner_lock);
+-
+-                      /*
+-                       * If there is an active printk() writing to the
+-                       * consoles, instead of having it write our data too,
+-                       * see if we can offload that load from the active
+-                       * printer, and do some printing ourselves.
+-                       * Go into a spin only if there isn't already a waiter
+-                       * spinning, and there is an active printer, and
+-                       * that active printer isn't us (recursive printk?).
+-                       */
+-                      if (spin) {
+-                              /* We spin waiting for the owner to release us */
+-                              spin_acquire(&console_owner_dep_map, 0, 0, _THIS_IP_);
+-                              /* Owner will clear console_waiter on hand off */
+-                              while (READ_ONCE(console_waiter))
+-                                      cpu_relax();
+-
+-                              spin_release(&console_owner_dep_map, 1, _THIS_IP_);
+-                              printk_safe_exit_irqrestore(flags);
+-
+-                              /*
+-                               * The owner passed the console lock to us.
+-                               * Since we did not spin on console lock, annotate
+-                               * this as a trylock. Otherwise lockdep will
+-                               * complain.
+-                               */
+-                              mutex_acquire(&console_lock_dep_map, 0, 1, _THIS_IP_);
+-                              console_unlock();
+-                              printk_safe_enter_irqsave(flags);
+-                      }
+-                      printk_safe_exit_irqrestore(flags);
+-
+-              }
+       }
+       return printed_len;
+@@ -1924,6 +2009,8 @@ static ssize_t msg_print_ext_header(char *buf, size_t size,
+ static ssize_t msg_print_ext_body(char *buf, size_t size,
+                                 char *dict, size_t dict_len,
+                                 char *text, size_t text_len) { return 0; }
++static void console_lock_spinning_enable(void) { }
++static int console_lock_spinning_disable_and_check(void) { return 0; }
+ static void call_console_drivers(const char *ext_text, size_t ext_len,
+                                const char *text, size_t len) {}
+ static size_t msg_print_text(const struct printk_log *msg,
+@@ -2210,7 +2297,6 @@ void console_unlock(void)
+       static u64 seen_seq;
+       unsigned long flags;
+       bool wake_klogd = false;
+-      bool waiter = false;
+       bool do_cond_resched, retry;
+       if (console_suspended) {
+@@ -2305,31 +2391,16 @@ void console_unlock(void)
+                * finish. This task can not be preempted if there is a
+                * waiter waiting to take over.
+                */
+-              raw_spin_lock(&console_owner_lock);
+-              console_owner = current;
+-              raw_spin_unlock(&console_owner_lock);
+-
+-              /* The waiter may spin on us after setting console_owner */
+-              spin_acquire(&console_owner_dep_map, 0, 0, _THIS_IP_);
++              console_lock_spinning_enable();
+               stop_critical_timings();        /* don't trace print latency */
+               call_console_drivers(ext_text, ext_len, text, len);
+               start_critical_timings();
+-              raw_spin_lock(&console_owner_lock);
+-              waiter = READ_ONCE(console_waiter);
+-              console_owner = NULL;
+-              raw_spin_unlock(&console_owner_lock);
+-
+-              /*
+-               * If there is a waiter waiting for us, then pass the
+-               * rest of the work load over to that waiter.
+-               */
+-              if (waiter)
+-                      break;
+-
+-              /* There was no waiter, and nothing will spin on us here */
+-              spin_release(&console_owner_dep_map, 1, _THIS_IP_);
++              if (console_lock_spinning_disable_and_check()) {
++                      printk_safe_exit_irqrestore(flags);
++                      return;
++              }
+               printk_safe_exit_irqrestore(flags);
+@@ -2337,26 +2408,6 @@ void console_unlock(void)
+                       cond_resched();
+       }
+-      /*
+-       * If there is an active waiter waiting on the console_lock.
+-       * Pass off the printing to the waiter, and the waiter
+-       * will continue printing on its CPU, and when all writing
+-       * has finished, the last printer will wake up klogd.
+-       */
+-      if (waiter) {
+-              WRITE_ONCE(console_waiter, false);
+-              /* The waiter is now free to continue */
+-              spin_release(&console_owner_dep_map, 1, _THIS_IP_);
+-              /*
+-               * Hand off console_lock to waiter. The waiter will perform
+-               * the up(). After this, the waiter is the console_lock owner.
+-               */
+-              mutex_release(&console_lock_dep_map, 1, _THIS_IP_);
+-              printk_safe_exit_irqrestore(flags);
+-              /* Note, if waiter is set, logbuf_lock is not held */
+-              return;
+-      }
+-
+       console_locked = 0;
+       /* Release the exclusive_console once it is used */
+-- 
+2.19.1
+
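Review bot: The busy wait in `console_trylock_spinning()` (`while (READ_ONCE(console_waiter)) cpu_relax();`) has no bound and runs inside `printk_safe_enter_irqsave()`, so the waiter keeps interrupts off until the owner reaches `console_lock_spinning_disable_and_check()`. The kernel-doc states the assumption that the owner "is running and cannot reschedule", but nothing in the visible code enforces it. If the owner's CPU never reaches the hand-off (for example if it is stopped while another CPU panics, which is an inference and not shown here), the waiter would never leave the loop. I would at least document the dependency above the loop, e.g. `/* Unbounded, IRQs off: relies on the owner reaching console_lock_spinning_disable_and_check() */`, and consider not spinning when the owner cannot make progress. The same kernel-doc block also has a typo, `0 othrewise`.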
diff --git a/queue-4.14/printk-never-set-console_may_schedule-in-console_try.patch b/queue-4.14/printk-never-set-console_may_schedule-in-console_try.patch
new file mode 100644 (file)
index 0000000..fbe4f7d
--- /dev/null
@@ -0,0 +1,113 @@
+From 8c3e1e2293af4d4224811cec39e8815ef94be2d2 Mon Sep 17 00:00:00 2001
+From: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+Date: Tue, 16 Jan 2018 13:47:16 +0900
+Subject: printk: Never set console_may_schedule in console_trylock()
+
+[ Upstream commit fd5f7cde1b85d4c8e09ca46ce948e008a2377f64 ]
+
+This patch, basically, reverts commit 6b97a20d3a79 ("printk:
+set may_schedule for some of console_trylock() callers").
+That commit was a mistake, it introduced a big dependency
+on the scheduler, by enabling preemption under console_sem
+in printk()->console_unlock() path, which is rather too
+critical. The patch did not significantly reduce the
+possibilities of printk() lockups, but made it possible to
+stall printk(), as has been reported by Tetsuo Handa [1].
+
+Another issues is that preemption under console_sem also
+messes up with Steven Rostedt's hand off scheme, by making
+it possible to sleep with console_sem both in console_unlock()
+and in vprintk_emit(), after acquiring the console_sem
+ownership (anywhere between printk_safe_exit_irqrestore() in
+console_trylock_spinning() and printk_safe_enter_irqsave()
+in console_unlock()). This makes hand off less likely and,
+at the same time, may result in a significant amount of
+pending logbuf messages. Preempted console_sem owner makes
+it impossible for other CPUs to emit logbuf messages, but
+does not make it impossible for other CPUs to append new
+messages to the logbuf.
+
+Reinstate the old behavior and make printk() non-preemptible.
+Should any printk() lockup reports arrive they must be handled
+in a different way.
+
+[1] http://lkml.kernel.org/r/201603022101.CAH73907.OVOOMFHFFtQJSL%20()%20I-love%20!%20SAKURA%20!%20ne%20!%20jp
+Fixes: 6b97a20d3a79 ("printk: set may_schedule for some of console_trylock() callers")
+Link: http://lkml.kernel.org/r/20180116044716.GE6607@jagdpanzerIV
+To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: akpm@linux-foundation.org
+Cc: linux-mm@kvack.org
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Mel Gorman <mgorman@suse.de>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Byungchul Park <byungchul.park@lge.com>
+Cc: Pavel Machek <pavel@ucw.cz>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/printk/printk.c | 22 ++++++++--------------
+ 1 file changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
+index 2d1c2700bd85..2f654a79f80b 100644
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -1902,6 +1902,12 @@ asmlinkage int vprintk_emit(int facility, int level,
+       /* If called from the scheduler, we can not call up(). */
+       if (!in_sched) {
++              /*
++               * Disable preemption to avoid being preempted while holding
++               * console_sem which would prevent anyone from printing to
++               * console
++               */
++              preempt_disable();
+               /*
+                * Try to acquire and then immediately release the console
+                * semaphore.  The release will print out buffers and wake up
+@@ -1909,6 +1915,7 @@ asmlinkage int vprintk_emit(int facility, int level,
+                */
+               if (console_trylock_spinning())
+                       console_unlock();
++              preempt_enable();
+       }
+       return printed_len;
+@@ -2225,20 +2232,7 @@ int console_trylock(void)
+               return 0;
+       }
+       console_locked = 1;
+-      /*
+-       * When PREEMPT_COUNT disabled we can't reliably detect if it's
+-       * safe to schedule (e.g. calling printk while holding a spin_lock),
+-       * because preempt_disable()/preempt_enable() are just barriers there
+-       * and preempt_count() is always 0.
+-       *
+-       * RCU read sections have a separate preemption counter when
+-       * PREEMPT_RCU enabled thus we must take extra care and check
+-       * rcu_preempt_depth(), otherwise RCU read sections modify
+-       * preempt_count().
+-       */
+-      console_may_schedule = !oops_in_progress &&
+-                      preemptible() &&
+-                      !rcu_preempt_depth();
++      console_may_schedule = 0;
+       return 1;
+ }
+ EXPORT_SYMBOL(console_trylock);
+-- 
+2.19.1
+
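Review bot: `console_may_schedule = 0;` in `console_trylock()` does not cover the hand-off path. `console_trylock_spinning()`, as introduced by the helper patch earlier in this queue, returns 1 after the spin without calling `console_trylock()`, so the flag keeps whatever the previous owner left. If that owner took the lock through a path that sets the flag to 1 (`console_lock()` is not shown here, so this needs confirming), the new owner may enter `console_unlock()` from atomic context with rescheduling still allowed. Resetting it on hand-off, `console_may_schedule = 0;` right after `mutex_acquire(&console_lock_dep_map, 0, 1, _THIS_IP_);`, would make both acquire paths agree. The bodies of `vprintk_emit()` and `console_trylock()` start outside these hunks.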
diff --git a/queue-4.14/printk-wake-klogd-when-passing-console_lock-owner.patch b/queue-4.14/printk-wake-klogd-when-passing-console_lock-owner.patch
new file mode 100644 (file)
index 0000000..7c4caf3
--- /dev/null
@@ -0,0 +1,94 @@
+From adcc7accbc8d54cd9ba446a87e44b85e7c5cfa06 Mon Sep 17 00:00:00 2001
+From: Petr Mladek <pmladek@suse.com>
+Date: Mon, 26 Feb 2018 15:44:20 +0100
+Subject: printk: Wake klogd when passing console_lock owner
+
+[ Upstream commit c14376de3a1befa70d9811ca2872d47367b48767 ]
+
+wake_klogd is a local variable in console_unlock(). The information
+is lost when the console_lock owner using the busy wait added by
+the commit dbdda842fe96f8932 ("printk: Add console owner and waiter
+logic to load balance console writes"). The following race is
+possible:
+
+CPU0                           CPU1
+console_unlock()
+
+  for (;;)
+     /* calling console for last message */
+
+                               printk()
+                                 log_store()
+                                   log_next_seq++;
+
+     /* see new message */
+     if (seen_seq != log_next_seq) {
+       wake_klogd = true;
+       seen_seq = log_next_seq;
+     }
+
+     console_lock_spinning_enable();
+
+                                 if (console_trylock_spinning())
+                                    /* spinning */
+
+     if (console_lock_spinning_disable_and_check()) {
+       printk_safe_exit_irqrestore(flags);
+       return;
+
+                                 console_unlock()
+                                   if (seen_seq != log_next_seq) {
+                                   /* already seen */
+                                   /* nothing to do */
+
+Result: Nobody would wakeup klogd.
+
+One solution would be to make a global variable from wake_klogd.
+But then we would need to manipulate it under a lock or so.
+
+This patch wakes klogd also when console_lock is passed to the
+spinning waiter. It looks like the right way to go. Also userspace
+should have a chance to see and store any "flood" of messages.
+
+Note that the very late klogd wake up was a historic solution.
+It made sense on single CPU systems or when sys_syslog() operations
+were synchronized using the big kernel lock like in v2.1.113.
+But it is questionable these days.
+
+Fixes: dbdda842fe96f8932 ("printk: Add console owner and waiter logic to load balance console writes")
+Link: http://lkml.kernel.org/r/20180226155734.dzwg3aovqnwtvkoy@pathway.suse.cz
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: linux-kernel@vger.kernel.org
+Cc: Tejun Heo <tj@kernel.org>
+Suggested-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/printk/printk.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
+index 2f654a79f80b..2e2c86dd226f 100644
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -2393,7 +2393,7 @@ void console_unlock(void)
+               if (console_lock_spinning_disable_and_check()) {
+                       printk_safe_exit_irqrestore(flags);
+-                      return;
++                      goto out;
+               }
+               printk_safe_exit_irqrestore(flags);
+@@ -2426,6 +2426,7 @@ void console_unlock(void)
+       if (retry && console_trylock())
+               goto again;
++out:
+       if (wake_klogd)
+               wake_up_klogd();
+ }
+-- 
+2.19.1
+
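Review bot: The new `goto out` runs code after `console_lock` has been handed to the waiter, and nothing at the jump or at the `out:` label says so. The kernel-doc of `console_lock_spinning_disable_and_check()` (added earlier in this queue) warns that callers must not touch items synchronized by `console_lock` once it returns 1. Here that holds only because `wake_klogd` is a local, and I assume `wake_up_klogd()` needs no console lock (not visible here). A comment at the label would keep later additions honest: `/* May be reached without console_lock (hand-off): only lock-free work below */`. `console_unlock()` begins outside the hunk.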
diff --git a/queue-4.14/pstore-ram-correctly-calculate-usable-prz-bytes.patch b/queue-4.14/pstore-ram-correctly-calculate-usable-prz-bytes.patch
new file mode 100644 (file)
index 0000000..40282bc
--- /dev/null
@@ -0,0 +1,80 @@
+From cbf75875d5f6442a3a0bdfd7f35cf6afaf7e2829 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 1 Nov 2018 16:17:22 -0700
+Subject: pstore/ram: Correctly calculate usable PRZ bytes
+
+[ Upstream commit 89d328f637b9904b6d4c9af73c8a608b8dd4d6f8 ]
+
+The actual number of bytes stored in a PRZ is smaller than the
+bytes requested by platform data, since there is a header on each
+PRZ. Additionally, if ECC is enabled, there are trailing bytes used
+as well. Normally this mismatch doesn't matter since PRZs are circular
+buffers and the leading "overflow" bytes are just thrown away. However, in
+the case of a compressed record, this rather badly corrupts the results.
+
+This corruption was visible with "ramoops.mem_size=204800 ramoops.ecc=1".
+Any stored crashes would not be uncompressable (producing a pstorefs
+"dmesg-*.enc.z" file), and triggering errors at boot:
+
+  [    2.790759] pstore: crypto_comp_decompress failed, ret = -22!
+
+Backporting this depends on commit 70ad35db3321 ("pstore: Convert console
+write to use ->write_buf")
+
+Reported-by: Joel Fernandes <joel@joelfernandes.org>
+Fixes: b0aad7a99c1d ("pstore: Add compression support to pstore")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/pstore/ram.c        | 15 ++++++---------
+ include/linux/pstore.h |  5 ++++-
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c
+index 7125b398d312..9f7e546d7050 100644
+--- a/fs/pstore/ram.c
++++ b/fs/pstore/ram.c
+@@ -804,17 +804,14 @@ static int ramoops_probe(struct platform_device *pdev)
+       cxt->pstore.data = cxt;
+       /*
+-       * Console can handle any buffer size, so prefer LOG_LINE_MAX. If we
+-       * have to handle dumps, we must have at least record_size buffer. And
+-       * for ftrace, bufsize is irrelevant (if bufsize is 0, buf will be
+-       * ZERO_SIZE_PTR).
++       * Since bufsize is only used for dmesg crash dumps, it
++       * must match the size of the dprz record (after PRZ header
++       * and ECC bytes have been accounted for).
+        */
+-      if (cxt->console_size)
+-              cxt->pstore.bufsize = 1024; /* LOG_LINE_MAX */
+-      cxt->pstore.bufsize = max(cxt->record_size, cxt->pstore.bufsize);
+-      cxt->pstore.buf = kmalloc(cxt->pstore.bufsize, GFP_KERNEL);
++      cxt->pstore.bufsize = cxt->dprzs[0]->buffer_size;
++      cxt->pstore.buf = kzalloc(cxt->pstore.bufsize, GFP_KERNEL);
+       if (!cxt->pstore.buf) {
+-              pr_err("cannot allocate pstore buffer\n");
++              pr_err("cannot allocate pstore crash dump buffer\n");
+               err = -ENOMEM;
+               goto fail_clear;
+       }
+diff --git a/include/linux/pstore.h b/include/linux/pstore.h
+index 61f806a7fe29..170bb981d2fd 100644
+--- a/include/linux/pstore.h
++++ b/include/linux/pstore.h
+@@ -90,7 +90,10 @@ struct pstore_record {
+  *
+  * @buf_lock: spinlock to serialize access to @buf
+  * @buf:      preallocated crash dump buffer
+- * @bufsize:  size of @buf available for crash dump writes
++ * @bufsize:  size of @buf available for crash dump bytes (must match
++ *            smallest number of bytes available for writing to a
++ *            backend entry, since compressed bytes don't take kindly
++ *            to being truncated)
+  *
+  * @read_mutex:       serializes @open, @read, @close, and @erase callbacks
+  * @flags:    bitfield of frontends the backend can accept writes for
+-- 
+2.19.1
+
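Review bot: In the fs/pstore/ram.c hunk the new `cxt->pstore.bufsize = cxt->dprzs[0]->buffer_size;` dereferences the first dump zone without checking that one exists. Nothing visible here guarantees that `cxt->dprzs` is non-NULL at this point. If ramoops can be configured without a dmesg region (for example a record size of 0; confirm against the zone setup earlier in ramoops_probe(), which is outside the hunk), probing would oops on a NULL pointer instead of failing cleanly. A guard such as `if (!cxt->dprzs) { err = -EINVAL; goto fail_clear; }` before the assignment would close that; if running without a dump region is meant to stay supported, skip the crash-buffer allocation in that case instead.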
diff --git a/queue-4.14/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch b/queue-4.14/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch
new file mode 100644 (file)
index 0000000..2f1a3b1
--- /dev/null
@@ -0,0 +1,67 @@
+From 6ac4e44b87deeed9d0f2627988b85e4c7419bbfe Mon Sep 17 00:00:00 2001
+From: Majd Dibbiny <majd@mellanox.com>
+Date: Mon, 5 Nov 2018 08:07:37 +0200
+Subject: RDMA/mlx5: Fix fence type for IB_WR_LOCAL_INV WR
+
+[ Upstream commit 074fca3a18e7e1e0d4d7dcc9d7badc43b90232f4 ]
+
+Currently, for IB_WR_LOCAL_INV WR, when the next fence is None, the
+current fence will be SMALL instead of Normal Fence.
+
+Without this patch krping doesn't work on CX-5 devices and throws
+following error:
+
+The error messages are from CX5 driver are: (from server side)
+[ 710.434014] mlx5_0:dump_cqe:278:(pid 2712): dump error cqe
+[ 710.434016] 00000000 00000000 00000000 00000000
+[ 710.434016] 00000000 00000000 00000000 00000000
+[ 710.434017] 00000000 00000000 00000000 00000000
+[ 710.434018] 00000000 93003204 100000b8 000524d2
+[ 710.434019] krping: cq completion failed with wr_id 0 status 4 opcode 128 vender_err 32
+
+Fixed the logic to set the correct fence type.
+
+Fixes: 6e8484c5cf07 ("RDMA/mlx5: set UMR wqe fence according to HCA cap")
+Signed-off-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/qp.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
+index dfc190055167..964c3a0bbf16 100644
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -3928,17 +3928,18 @@ int mlx5_ib_post_send(struct ib_qp *ibqp, struct ib_send_wr *wr,
+                       goto out;
+               }
+-              if (wr->opcode == IB_WR_LOCAL_INV ||
+-                  wr->opcode == IB_WR_REG_MR) {
++              if (wr->opcode == IB_WR_REG_MR) {
+                       fence = dev->umr_fence;
+                       next_fence = MLX5_FENCE_MODE_INITIATOR_SMALL;
+-              } else if (wr->send_flags & IB_SEND_FENCE) {
+-                      if (qp->next_fence)
+-                              fence = MLX5_FENCE_MODE_SMALL_AND_FENCE;
+-                      else
+-                              fence = MLX5_FENCE_MODE_FENCE;
+-              } else {
+-                      fence = qp->next_fence;
++              } else  {
++                      if (wr->send_flags & IB_SEND_FENCE) {
++                              if (qp->next_fence)
++                                      fence = MLX5_FENCE_MODE_SMALL_AND_FENCE;
++                              else
++                                      fence = MLX5_FENCE_MODE_FENCE;
++                      } else {
++                              fence = qp->next_fence;
++                      }
+               }
+               switch (ibqp->qp_type) {
+-- 
+2.19.1
+
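Review bot: The new `} else  {` branch wraps an `if`/`else` that is equivalent to the `else if` chain it replaces, so the only functional change in this hunk is dropping `IB_WR_LOCAL_INV` from the first condition; the extra nesting and the doubled space before the brace make the fix look larger than it is. Keeping the original chain and changing only the condition to `if (wr->opcode == IB_WR_REG_MR) {` would give a one-line diff that is easier to audit in a stable backport. A short comment such as `/* only REG_MR uses dev->umr_fence; LOCAL_INV takes the normal fence selection */` would record why the opcode was removed. The first branch no longer sets `next_fence` for IB_WR_LOCAL_INV; whether it is set later in mlx5_ib_post_send() is outside the hunk and worth confirming.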
diff --git a/queue-4.14/rdma-rdmavt-fix-rvt_create_ah-function-signature.patch b/queue-4.14/rdma-rdmavt-fix-rvt_create_ah-function-signature.patch
new file mode 100644 (file)
index 0000000..5c6d8c7
--- /dev/null
@@ -0,0 +1,63 @@
+From c8c3702cd7c2a1d6f03bd5ff0bfc3370cf426bce Mon Sep 17 00:00:00 2001
+From: Kamal Heib <kamalheib1@gmail.com>
+Date: Thu, 15 Nov 2018 09:49:38 -0800
+Subject: RDMA/rdmavt: Fix rvt_create_ah function signature
+
+[ Upstream commit 4f32fb921b153ae9ea280e02a3e91509fffc03d3 ]
+
+rdmavt uses a crazy system that looses the type checking when assinging
+functions to struct ib_device function pointers. Because of this the
+signature to this function was not changed when the below commit revised
+things.
+
+Fix the signature so we are not calling a function pointer with a
+mismatched signature.
+
+Fixes: 477864c8fcd9 ("IB/core: Let create_ah return extended response to user")
+Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rdmavt/ah.c | 4 +++-
+ drivers/infiniband/sw/rdmavt/ah.h | 3 ++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rdmavt/ah.c b/drivers/infiniband/sw/rdmavt/ah.c
+index ba3639a0d77c..48ea5b8207f0 100644
+--- a/drivers/infiniband/sw/rdmavt/ah.c
++++ b/drivers/infiniband/sw/rdmavt/ah.c
+@@ -91,13 +91,15 @@ EXPORT_SYMBOL(rvt_check_ah);
+  * rvt_create_ah - create an address handle
+  * @pd: the protection domain
+  * @ah_attr: the attributes of the AH
++ * @udata: pointer to user's input output buffer information.
+  *
+  * This may be called from interrupt context.
+  *
+  * Return: newly allocated ah
+  */
+ struct ib_ah *rvt_create_ah(struct ib_pd *pd,
+-                          struct rdma_ah_attr *ah_attr)
++                          struct rdma_ah_attr *ah_attr,
++                          struct ib_udata *udata)
+ {
+       struct rvt_ah *ah;
+       struct rvt_dev_info *dev = ib_to_rvt(pd->device);
+diff --git a/drivers/infiniband/sw/rdmavt/ah.h b/drivers/infiniband/sw/rdmavt/ah.h
+index 16105af99189..25271b48a683 100644
+--- a/drivers/infiniband/sw/rdmavt/ah.h
++++ b/drivers/infiniband/sw/rdmavt/ah.h
+@@ -51,7 +51,8 @@
+ #include <rdma/rdma_vt.h>
+ struct ib_ah *rvt_create_ah(struct ib_pd *pd,
+-                          struct rdma_ah_attr *ah_attr);
++                          struct rdma_ah_attr *ah_attr,
++                          struct ib_udata *udata);
+ int rvt_destroy_ah(struct ib_ah *ibah);
+ int rvt_modify_ah(struct ib_ah *ibah, struct rdma_ah_attr *ah_attr);
+ int rvt_query_ah(struct ib_ah *ibah, struct rdma_ah_attr *ah_attr);
+-- 
+2.19.1
+
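Review bot: The kernel-doc line added for `udata` in rvt_create_ah() does not say whether rdmavt reads the new parameter. The body is outside the hunk; if the argument is ignored the comment should say so, e.g. ` * @udata: user buffer information (unused by rdmavt; required by the create_ah callback type)`. The description notes that rdmavt loses type checking when assigning its functions to the ib_device pointers, which is how this mismatch went unnoticed; the patch fixes one signature but leaves that mechanism in place, so other rvt_* callbacks may be mismatched in the same way. Calling through a function pointer of an incompatible type is undefined behaviour in C and trips control-flow-integrity checking, so a follow-up that restores compile-time checking of these assignments would be worth having.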
diff --git a/queue-4.14/revert-printk-never-set-console_may_schedule-in-cons.patch b/queue-4.14/revert-printk-never-set-console_may_schedule-in-cons.patch
new file mode 100644 (file)
index 0000000..d230991
--- /dev/null
@@ -0,0 +1,63 @@
+From cb0a0747c9f61f745643396c4524551198a828ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Dec 2018 09:24:35 -0500
+Subject: Revert "printk: Never set console_may_schedule in console_trylock()"
+
+This reverts commit c9b8d580b3fb0ab65d37c372aef19a318fda3199.
+
+This is just a technical revert to make the printk fix apply cleanly,
+this patch will be re-picked in about 3 commits.
+---
+ kernel/printk/printk.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
+index a9cf2e15f6a3..7161312593dd 100644
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -1762,12 +1762,6 @@ asmlinkage int vprintk_emit(int facility, int level,
+       /* If called from the scheduler, we can not call up(). */
+       if (!in_sched) {
+-              /*
+-               * Disable preemption to avoid being preempted while holding
+-               * console_sem which would prevent anyone from printing to
+-               * console
+-               */
+-              preempt_disable();
+               /*
+                * Try to acquire and then immediately release the console
+                * semaphore.  The release will print out buffers and wake up
+@@ -1775,7 +1769,6 @@ asmlinkage int vprintk_emit(int facility, int level,
+                */
+               if (console_trylock())
+                       console_unlock();
+-              preempt_enable();
+       }
+       return printed_len;
+@@ -2090,7 +2083,20 @@ int console_trylock(void)
+               return 0;
+       }
+       console_locked = 1;
+-      console_may_schedule = 0;
++      /*
++       * When PREEMPT_COUNT disabled we can't reliably detect if it's
++       * safe to schedule (e.g. calling printk while holding a spin_lock),
++       * because preempt_disable()/preempt_enable() are just barriers there
++       * and preempt_count() is always 0.
++       *
++       * RCU read sections have a separate preemption counter when
++       * PREEMPT_RCU enabled thus we must take extra care and check
++       * rcu_preempt_depth(), otherwise RCU read sections modify
++       * preempt_count().
++       */
++      console_may_schedule = !oops_in_progress &&
++                      preemptible() &&
++                      !rcu_preempt_depth();
+       return 1;
+ }
+ EXPORT_SYMBOL(console_trylock);
+-- 
+2.19.1
+
diff --git a/queue-4.14/revert-xen-balloon-mark-unallocated-host-memory-as-u.patch b/queue-4.14/revert-xen-balloon-mark-unallocated-host-memory-as-u.patch
new file mode 100644 (file)
index 0000000..3cf3c4f
--- /dev/null
@@ -0,0 +1,266 @@
+From 93c6372949af346b896809eb0caf7da9abf44ac2 Mon Sep 17 00:00:00 2001
+From: Igor Druzhinin <igor.druzhinin@citrix.com>
+Date: Tue, 27 Nov 2018 20:58:21 +0000
+Subject: Revert "xen/balloon: Mark unallocated host memory as UNUSABLE"
+
+[ Upstream commit 123664101aa2156d05251704fc63f9bcbf77741a ]
+
+This reverts commit b3cf8528bb21febb650a7ecbf080d0647be40b9f.
+
+That commit unintentionally broke Xen balloon memory hotplug with
+"hotplug_unpopulated" set to 1. As long as "System RAM" resource
+got assigned under a new "Unusable memory" resource in IO/Mem tree
+any attempt to online this memory would fail due to general kernel
+restrictions on having "System RAM" resources as 1st level only.
+
+The original issue that commit has tried to workaround fa564ad96366
+("x86/PCI: Enable a 64bit BAR on AMD Family 15h (Models 00-1f, 30-3f,
+60-7f)") also got amended by the following 03a551734 ("x86/PCI: Move
+and shrink AMD 64-bit window to avoid conflict") which made the
+original fix to Xen ballooning unnecessary.
+
+Signed-off-by: Igor Druzhinin <igor.druzhinin@citrix.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/enlighten.c | 78 ----------------------------------------
+ arch/x86/xen/setup.c     |  6 ++--
+ drivers/xen/balloon.c    | 65 +++++----------------------------
+ include/xen/balloon.h    |  5 ---
+ 4 files changed, 13 insertions(+), 141 deletions(-)
+
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
+index df208af3cd74..515d5e4414c2 100644
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -7,7 +7,6 @@
+ #include <xen/features.h>
+ #include <xen/page.h>
+-#include <xen/interface/memory.h>
+ #include <asm/xen/hypercall.h>
+ #include <asm/xen/hypervisor.h>
+@@ -336,80 +335,3 @@ void xen_arch_unregister_cpu(int num)
+ }
+ EXPORT_SYMBOL(xen_arch_unregister_cpu);
+ #endif
+-
+-#ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG
+-void __init arch_xen_balloon_init(struct resource *hostmem_resource)
+-{
+-      struct xen_memory_map memmap;
+-      int rc;
+-      unsigned int i, last_guest_ram;
+-      phys_addr_t max_addr = PFN_PHYS(max_pfn);
+-      struct e820_table *xen_e820_table;
+-      const struct e820_entry *entry;
+-      struct resource *res;
+-
+-      if (!xen_initial_domain())
+-              return;
+-
+-      xen_e820_table = kmalloc(sizeof(*xen_e820_table), GFP_KERNEL);
+-      if (!xen_e820_table)
+-              return;
+-
+-      memmap.nr_entries = ARRAY_SIZE(xen_e820_table->entries);
+-      set_xen_guest_handle(memmap.buffer, xen_e820_table->entries);
+-      rc = HYPERVISOR_memory_op(XENMEM_machine_memory_map, &memmap);
+-      if (rc) {
+-              pr_warn("%s: Can't read host e820 (%d)\n", __func__, rc);
+-              goto out;
+-      }
+-
+-      last_guest_ram = 0;
+-      for (i = 0; i < memmap.nr_entries; i++) {
+-              if (xen_e820_table->entries[i].addr >= max_addr)
+-                      break;
+-              if (xen_e820_table->entries[i].type == E820_TYPE_RAM)
+-                      last_guest_ram = i;
+-      }
+-
+-      entry = &xen_e820_table->entries[last_guest_ram];
+-      if (max_addr >= entry->addr + entry->size)
+-              goto out; /* No unallocated host RAM. */
+-
+-      hostmem_resource->start = max_addr;
+-      hostmem_resource->end = entry->addr + entry->size;
+-
+-      /*
+-       * Mark non-RAM regions between the end of dom0 RAM and end of host RAM
+-       * as unavailable. The rest of that region can be used for hotplug-based
+-       * ballooning.
+-       */
+-      for (; i < memmap.nr_entries; i++) {
+-              entry = &xen_e820_table->entries[i];
+-
+-              if (entry->type == E820_TYPE_RAM)
+-                      continue;
+-
+-              if (entry->addr >= hostmem_resource->end)
+-                      break;
+-
+-              res = kzalloc(sizeof(*res), GFP_KERNEL);
+-              if (!res)
+-                      goto out;
+-
+-              res->name = "Unavailable host RAM";
+-              res->start = entry->addr;
+-              res->end = (entry->addr + entry->size < hostmem_resource->end) ?
+-                          entry->addr + entry->size : hostmem_resource->end;
+-              rc = insert_resource(hostmem_resource, res);
+-              if (rc) {
+-                      pr_warn("%s: Can't insert [%llx - %llx) (%d)\n",
+-                              __func__, res->start, res->end, rc);
+-                      kfree(res);
+-                      goto  out;
+-              }
+-      }
+-
+- out:
+-      kfree(xen_e820_table);
+-}
+-#endif /* CONFIG_XEN_BALLOON_MEMORY_HOTPLUG */
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index 6e0d2086eacb..c114ca767b3b 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -808,6 +808,7 @@ char * __init xen_memory_setup(void)
+       addr = xen_e820_table.entries[0].addr;
+       size = xen_e820_table.entries[0].size;
+       while (i < xen_e820_table.nr_entries) {
++              bool discard = false;
+               chunk_size = size;
+               type = xen_e820_table.entries[i].type;
+@@ -823,10 +824,11 @@ char * __init xen_memory_setup(void)
+                               xen_add_extra_mem(pfn_s, n_pfns);
+                               xen_max_p2m_pfn = pfn_s + n_pfns;
+                       } else
+-                              type = E820_TYPE_UNUSABLE;
++                              discard = true;
+               }
+-              xen_align_and_add_e820_region(addr, chunk_size, type);
++              if (!discard)
++                      xen_align_and_add_e820_region(addr, chunk_size, type);
+               addr += chunk_size;
+               size -= chunk_size;
+diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
+index 065f0b607373..f77e499afddd 100644
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -257,25 +257,10 @@ static void release_memory_resource(struct resource *resource)
+       kfree(resource);
+ }
+-/*
+- * Host memory not allocated to dom0. We can use this range for hotplug-based
+- * ballooning.
+- *
+- * It's a type-less resource. Setting IORESOURCE_MEM will make resource
+- * management algorithms (arch_remove_reservations()) look into guest e820,
+- * which we don't want.
+- */
+-static struct resource hostmem_resource = {
+-      .name   = "Host RAM",
+-};
+-
+-void __attribute__((weak)) __init arch_xen_balloon_init(struct resource *res)
+-{}
+-
+ static struct resource *additional_memory_resource(phys_addr_t size)
+ {
+-      struct resource *res, *res_hostmem;
+-      int ret = -ENOMEM;
++      struct resource *res;
++      int ret;
+       res = kzalloc(sizeof(*res), GFP_KERNEL);
+       if (!res)
+@@ -284,42 +269,13 @@ static struct resource *additional_memory_resource(phys_addr_t size)
+       res->name = "System RAM";
+       res->flags = IORESOURCE_SYSTEM_RAM | IORESOURCE_BUSY;
+-      res_hostmem = kzalloc(sizeof(*res), GFP_KERNEL);
+-      if (res_hostmem) {
+-              /* Try to grab a range from hostmem */
+-              res_hostmem->name = "Host memory";
+-              ret = allocate_resource(&hostmem_resource, res_hostmem,
+-                                      size, 0, -1,
+-                                      PAGES_PER_SECTION * PAGE_SIZE, NULL, NULL);
+-      }
+-
+-      if (!ret) {
+-              /*
+-               * Insert this resource into iomem. Because hostmem_resource
+-               * tracks portion of guest e820 marked as UNUSABLE noone else
+-               * should try to use it.
+-               */
+-              res->start = res_hostmem->start;
+-              res->end = res_hostmem->end;
+-              ret = insert_resource(&iomem_resource, res);
+-              if (ret < 0) {
+-                      pr_err("Can't insert iomem_resource [%llx - %llx]\n",
+-                              res->start, res->end);
+-                      release_memory_resource(res_hostmem);
+-                      res_hostmem = NULL;
+-                      res->start = res->end = 0;
+-              }
+-      }
+-
+-      if (ret) {
+-              ret = allocate_resource(&iomem_resource, res,
+-                                      size, 0, -1,
+-                                      PAGES_PER_SECTION * PAGE_SIZE, NULL, NULL);
+-              if (ret < 0) {
+-                      pr_err("Cannot allocate new System RAM resource\n");
+-                      kfree(res);
+-                      return NULL;
+-              }
++      ret = allocate_resource(&iomem_resource, res,
++                              size, 0, -1,
++                              PAGES_PER_SECTION * PAGE_SIZE, NULL, NULL);
++      if (ret < 0) {
++              pr_err("Cannot allocate new System RAM resource\n");
++              kfree(res);
++              return NULL;
+       }
+ #ifdef CONFIG_SPARSEMEM
+@@ -331,7 +287,6 @@ static struct resource *additional_memory_resource(phys_addr_t size)
+                       pr_err("New System RAM resource outside addressable RAM (%lu > %lu)\n",
+                              pfn, limit);
+                       release_memory_resource(res);
+-                      release_memory_resource(res_hostmem);
+                       return NULL;
+               }
+       }
+@@ -810,8 +765,6 @@ static int __init balloon_init(void)
+       set_online_page_callback(&xen_online_page);
+       register_memory_notifier(&xen_memory_nb);
+       register_sysctl_table(xen_root);
+-
+-      arch_xen_balloon_init(&hostmem_resource);
+ #endif
+ #ifdef CONFIG_XEN_PV
+diff --git a/include/xen/balloon.h b/include/xen/balloon.h
+index 61f410fd74e4..4914b93a23f2 100644
+--- a/include/xen/balloon.h
++++ b/include/xen/balloon.h
+@@ -44,8 +44,3 @@ static inline void xen_balloon_init(void)
+ {
+ }
+ #endif
+-
+-#ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG
+-struct resource;
+-void arch_xen_balloon_init(struct resource *hostmem_resource);
+-#endif
+-- 
+2.19.1
+
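Review bot: In the xen_memory_setup() hunk the new `discard` flag leaves a region out of the e820 map entirely, where the reverted code recorded it as E820_TYPE_UNUSABLE, and nothing in the loop says why. A one-line comment at the assignment, e.g. `/* drop the region instead of marking it UNUSABLE */`, would keep the intent visible; the condition that leads to this `else` is outside the hunk, so the wording should be checked against it. The `else` is also unbraced while the matching `if` branch uses braces; kernel style asks for braces on both arms there.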
diff --git a/queue-4.14/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch b/queue-4.14/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch
new file mode 100644 (file)
index 0000000..75e125d
--- /dev/null
@@ -0,0 +1,113 @@
+From 9df84abaa4cc452b004626a67572b5762aaeb2e1 Mon Sep 17 00:00:00 2001
+From: Thomas Richter <tmricht@linux.ibm.com>
+Date: Tue, 13 Nov 2018 15:38:22 +0000
+Subject: s390/cpum_cf: Reject request for sampling in event initialization
+
+[ Upstream commit 613a41b0d16e617f46776a93b975a1eeea96417c ]
+
+On s390 command perf top fails
+[root@s35lp76 perf] # ./perf top -F100000  --stdio
+   Error:
+   cycles: PMU Hardware doesn't support sampling/overflow-interrupts.
+       Try 'perf stat'
+[root@s35lp76 perf] #
+
+Using event -e rb0000 works as designed.  Event rb0000 is the event
+number of the sampling facility for basic sampling.
+
+During system start up the following PMUs are installed in the kernel's
+PMU list (from head to tail):
+   cpum_cf --> s390 PMU counter facility device driver
+   cpum_sf --> s390 PMU sampling facility device driver
+   uprobe
+   kprobe
+   tracepoint
+   task_clock
+   cpu_clock
+
+Perf top executes following functions and calls perf_event_open(2) system
+call with different parameters many times:
+
+cmd_top
+--> __cmd_top
+    --> perf_evlist__add_default
+        --> __perf_evlist__add_default
+            --> perf_evlist__new_cycles (creates event type:0 (HW)
+                                       config 0 (CPU_CYCLES)
+               --> perf_event_attr__set_max_precise_ip
+                   Uses perf_event_open(2) to detect correct
+                   precise_ip level. Fails 3 times on s390 which is ok.
+
+Then functions cmd_top
+--> __cmd_top
+    --> perf_top__start_counters
+        -->perf_evlist__config
+          --> perf_can_comm_exec
+               --> perf_probe_api
+                  This functions test support for the following events:
+                  "cycles:u", "instructions:u", "cpu-clock:u" using
+                  --> perf_do_probe_api
+                      --> perf_event_open_cloexec
+                          Test the close on exec flag support with
+                          perf_event_open(2).
+                      perf_do_probe_api returns true if the event is
+                      supported.
+                      The function returns true because event cpu-clock is
+                      supported by the PMU cpu_clock.
+                      This is achieved by many calls to perf_event_open(2).
+
+Function perf_top__start_counters now calls perf_evsel__open() for every
+event, which is the default event cpu_cycles (config:0) and type HARDWARE
+(type:0) which a predfined frequence of 4000.
+
+Given the above order of the PMU list, the PMU cpum_cf gets called first
+and returns 0, which indicates support for this sampling. The event is
+fully allocated in the function perf_event_open (file kernel/event/core.c
+near line 10521 and the following check fails:
+
+        event = perf_event_alloc(&attr, cpu, task, group_leader, NULL,
+                                NULL, NULL, cgroup_fd);
+       if (IS_ERR(event)) {
+               err = PTR_ERR(event);
+               goto err_cred;
+       }
+
+        if (is_sampling_event(event)) {
+               if (event->pmu->capabilities & PERF_PMU_CAP_NO_INTERRUPT) {
+                       err = -EOPNOTSUPP;
+                       goto err_alloc;
+               }
+       }
+
+The check for the interrupt capabilities fails and the system call
+perf_event_open() returns -EOPNOTSUPP (-95).
+
+Add a check to return -ENODEV when sampling is requested in PMU cpum_cf.
+This allows common kernel code in the perf_event_open() system call to
+test the next PMU in above list.
+
+Fixes: 97b1198fece0 (" "s390, perf: Use common PMU interrupt disabled code")
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_cf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/s390/kernel/perf_cpum_cf.c b/arch/s390/kernel/perf_cpum_cf.c
+index 61e91fee8467..edf6a61f0a64 100644
+--- a/arch/s390/kernel/perf_cpum_cf.c
++++ b/arch/s390/kernel/perf_cpum_cf.c
+@@ -349,6 +349,8 @@ static int __hw_perf_event_init(struct perf_event *event)
+               break;
+       case PERF_TYPE_HARDWARE:
++              if (is_sampling_event(event))   /* No sampling support */
++                      return -ENOENT;
+               ev = attr->config;
+               /* Count user space (problem-state) only */
+               if (!attr->exclude_user && attr->exclude_kernel) {
+-- 
+2.19.1
+
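Review bot: The added check in __hw_perf_event_init() returns `-ENOENT`, while the commit description says the fix is to return -ENODEV; the two should agree. The code looks like the correct side, since -ENOENT is the value the perf core treats as "not handled here, try the next PMU". The trailing comment `/* No sampling support */` does not capture that, so a later cleanup could change the errno and bring back the -EOPNOTSUPP failure described above; I would expand it to `/* No sampling support; -ENOENT lets the core try the next PMU */`. The check sits only under `case PERF_TYPE_HARDWARE:`; whether the other event types handled by this switch need the same rejection cannot be judged from the hunk, which starts and ends inside the function.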
diff --git a/queue-4.14/selftests-add-script-to-stress-test-nft-packet-path-.patch b/queue-4.14/selftests-add-script-to-stress-test-nft-packet-path-.patch
new file mode 100644 (file)
index 0000000..8dbc57d
--- /dev/null
@@ -0,0 +1,150 @@
+From d3be2b10c062f97e5eea943fb856de9543c7fe9d Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 31 Oct 2018 18:26:21 +0100
+Subject: selftests: add script to stress-test nft packet path vs. control
+ plane
+
+[ Upstream commit 25d8bcedbf4329895dbaf9dd67baa6f18dad918c ]
+
+Start flood ping for each cpu while loading/flushing rulesets to make
+sure we do not access already-free'd rules from nf_tables evaluation loop.
+
+Also add this to TARGETS so 'make run_tests' in selftest dir runs it
+automatically.
+
+This would have caught the bug fixed in previous change
+("netfilter: nf_tables: do not skip inactive chains during generation update")
+sooner.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/Makefile              |  1 +
+ tools/testing/selftests/netfilter/Makefile    |  6 ++
+ tools/testing/selftests/netfilter/config      |  2 +
+ .../selftests/netfilter/nft_trans_stress.sh   | 78 +++++++++++++++++++
+ 4 files changed, 87 insertions(+)
+ create mode 100644 tools/testing/selftests/netfilter/Makefile
+ create mode 100644 tools/testing/selftests/netfilter/config
+ create mode 100755 tools/testing/selftests/netfilter/nft_trans_stress.sh
+
+diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile
+index ea300e7818a7..10b89f5b9af7 100644
+--- a/tools/testing/selftests/Makefile
++++ b/tools/testing/selftests/Makefile
+@@ -20,6 +20,7 @@ TARGETS += memory-hotplug
+ TARGETS += mount
+ TARGETS += mqueue
+ TARGETS += net
++TARGETS += netfilter
+ TARGETS += nsfs
+ TARGETS += powerpc
+ TARGETS += pstore
+diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile
+new file mode 100644
+index 000000000000..47ed6cef93fb
+--- /dev/null
++++ b/tools/testing/selftests/netfilter/Makefile
+@@ -0,0 +1,6 @@
++# SPDX-License-Identifier: GPL-2.0
++# Makefile for netfilter selftests
++
++TEST_PROGS := nft_trans_stress.sh
++
++include ../lib.mk
+diff --git a/tools/testing/selftests/netfilter/config b/tools/testing/selftests/netfilter/config
+new file mode 100644
+index 000000000000..1017313e41a8
+--- /dev/null
++++ b/tools/testing/selftests/netfilter/config
+@@ -0,0 +1,2 @@
++CONFIG_NET_NS=y
++NF_TABLES_INET=y
+diff --git a/tools/testing/selftests/netfilter/nft_trans_stress.sh b/tools/testing/selftests/netfilter/nft_trans_stress.sh
+new file mode 100755
+index 000000000000..f1affd12c4b1
+--- /dev/null
++++ b/tools/testing/selftests/netfilter/nft_trans_stress.sh
+@@ -0,0 +1,78 @@
++#!/bin/bash
++#
++# This test is for stress-testing the nf_tables config plane path vs.
++# packet path processing: Make sure we never release rules that are
++# still visible to other cpus.
++#
++# set -e
++
++# Kselftest framework requirement - SKIP code is 4.
++ksft_skip=4
++
++testns=testns1
++tables="foo bar baz quux"
++
++nft --version > /dev/null 2>&1
++if [ $? -ne 0 ];then
++      echo "SKIP: Could not run test without nft tool"
++      exit $ksft_skip
++fi
++
++ip -Version > /dev/null 2>&1
++if [ $? -ne 0 ];then
++      echo "SKIP: Could not run test without ip tool"
++      exit $ksft_skip
++fi
++
++tmp=$(mktemp)
++
++for table in $tables; do
++      echo add table inet "$table" >> "$tmp"
++      echo flush table inet "$table" >> "$tmp"
++
++      echo "add chain inet $table INPUT { type filter hook input priority 0; }" >> "$tmp"
++      echo "add chain inet $table OUTPUT { type filter hook output priority 0; }" >> "$tmp"
++      for c in $(seq 1 400); do
++              chain=$(printf "chain%03u" "$c")
++              echo "add chain inet $table $chain" >> "$tmp"
++      done
++
++      for c in $(seq 1 400); do
++              chain=$(printf "chain%03u" "$c")
++              for BASE in INPUT OUTPUT; do
++                      echo "add rule inet $table $BASE counter jump $chain" >> "$tmp"
++              done
++              echo "add rule inet $table $chain counter return" >> "$tmp"
++      done
++done
++
++ip netns add "$testns"
++ip -netns "$testns" link set lo up
++
++lscpu | grep ^CPU\(s\): | ( read cpu cpunum ;
++cpunum=$((cpunum-1))
++for i in $(seq 0 $cpunum);do
++      mask=$(printf 0x%x $((1<<$i)))
++        ip netns exec "$testns" taskset $mask ping -4 127.0.0.1 -fq > /dev/null &
++        ip netns exec "$testns" taskset $mask ping -6 ::1 -fq > /dev/null &
++done)
++
++sleep 1
++
++for i in $(seq 1 10) ; do ip netns exec "$testns" nft -f "$tmp" & done
++
++for table in $tables;do
++      randsleep=$((RANDOM%10))
++      sleep $randsleep
++      ip netns exec "$testns" nft delete table inet $table 2>/dev/null
++done
++
++randsleep=$((RANDOM%10))
++sleep $randsleep
++
++pkill -9 ping
++
++wait
++
++rm -f "$tmp"
++ip netns del "$testns"
+-- 
+2.19.1
+
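Review bot: The teardown in nft_trans_stress.sh acts on host-wide state rather than on what the test created: `pkill -9 ping` signals every ping process the caller may kill, and `ip netns del "$testns"` runs even when `ip netns add` failed because a namespace named testns1 already existed, which would remove someone else's namespace. Nothing cleans up the temp file or the namespace if the run is interrupted. I would check the result of `ip netns add`, register the cleanup in a trap, and restrict the kill to processes inside the test namespace, as sketched below. Separately, the new config fragment lists `NF_TABLES_INET=y` without the `CONFIG_` prefix, so it will presumably not be picked up when config fragments are merged; it should read `CONFIG_NF_TABLES_INET=y`.

```shell
# … unchanged: tool checks, ruleset generation into "$tmp" …

if ! ip netns add "$testns"; then
	echo "SKIP: Could not create net namespace $testns"
	rm -f "$tmp"
	exit $ksft_skip
fi
# cleanup now runs on every exit path and replaces the trailing rm / ip netns del
trap 'rm -f "$tmp"; ip netns del "$testns"' EXIT
ip -netns "$testns" link set lo up

# … unchanged: per-cpu flood pings, nft -f loop, table deletes, random sleeps …

# let the background nft loads finish, then signal only what still runs in the test namespace
wait
ip netns pids "$testns" | xargs -r kill -9
```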
index 721240db74c9badb1b3ce837b2af9fec4d7d495b..565192d40f07466989243d5b980ea905dd0df803 100644 (file)
@@ -13,3 +13,71 @@ tcp-do-not-underestimate-rwnd_limited.patch
 tcp-fix-null-ref-in-tail-loss-probe.patch
 tun-forbid-iface-creation-with-rtnl-ops.patch
 virtio-net-keep-vnet-header-zeroed-after-processing-xdp.patch
+arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch
+asoc-rsnd-fixup-clock-start-checker.patch
+staging-rtl8723bs-fix-the-return-value-in-case-of-er.patch
+arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch
+arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch
+sysv-return-err-instead-of-0-in-__sysv_write_inode.patch
+selftests-add-script-to-stress-test-nft-packet-path-.patch
+netfilter-nf_tables-fix-use-after-free-when-deleting.patch
+hwmon-ina2xx-fix-null-id-pointer-in-probe.patch
+asoc-wm_adsp-fix-dma-unsafe-read-of-scratch-register.patch
+s390-cpum_cf-reject-request-for-sampling-in-event-in.patch
+hwmon-ina2xx-fix-current-value-calculation.patch
+asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch
+asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch
+iio-hid-sensors-fix-iio_chan_info_raw-returning-wron.patch
+netfilter-xt_hashlimit-fix-a-possible-memory-leak-in.patch
+hwmon-w83795-temp4_type-has-writable-permission.patch
+perf-tools-restore-proper-cwd-on-return-from-mnt-nam.patch
+pci-imx6-fix-link-training-status-detection-in-link-.patch
+objtool-fix-double-free-in-.cold-detection-error-pat.patch
+objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch
+arm-dts-at91-sama5d2-use-the-divided-clock-for-smc.patch
+btrfs-send-fix-infinite-loop-due-to-directory-rename.patch
+rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch
+rdma-rdmavt-fix-rvt_create_ah-function-signature.patch
+asoc-omap-mcbsp-fix-latency-value-calculation-for-pm.patch
+asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch
+asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch
+exportfs-do-not-read-dentry-after-free.patch
+bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch
+ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch
+usb-omap_udc-use-devm_request_irq.patch
+usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch
+usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch
+usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch
+usb-omap_udc-fix-rejection-of-out-transfers-when-dma.patch
+drm-meson-add-support-for-1080p25-mode.patch
+netfilter-ipv6-preserve-link-scope-traffic-original-.patch
+ib-mlx5-fix-page-fault-handling-for-mw.patch
+kvm-x86-fix-empty-body-warnings.patch
+x86-kvm-vmx-fix-old-style-function-declaration.patch
+net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch
+usb-gadget-u_ether-fix-unsafe-list-iteration.patch
+netfilter-nf_tables-deactivate-expressions-in-rule-r.patch
+cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch
+igb-fix-uninitialized-variables.patch
+ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch
+net-hisilicon-remove-unexpected-free_netdev.patch
+drm-amdgpu-add-delay-after-enable-rlc-ucode.patch
+drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch
+xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch
+revert-xen-balloon-mark-unallocated-host-memory-as-u.patch
+pstore-ram-correctly-calculate-usable-prz-bytes.patch
+fscache-fix-race-between-enablement-and-dropping-of-.patch
+fscache-cachefiles-remove-redundant-variable-cache.patch
+nvme-flush-namespace-scanning-work-just-before-remov.patch
+acpi-iort-fix-iort_get_platform_device_domain-uninit.patch
+ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch
+mm-page_alloc.c-fix-calculation-of-pgdat-nr_zones.patch
+hfs-do-not-free-node-before-using.patch
+hfsplus-do-not-free-node-before-using.patch
+debugobjects-avoid-recursive-calls-with-kmemleak.patch
+ocfs2-fix-potential-use-after-free.patch
+revert-printk-never-set-console_may_schedule-in-cons.patch
+printk-add-console-owner-and-waiter-logic-to-load-ba.patch
+printk-hide-console-waiter-logic-into-helpers.patch
+printk-never-set-console_may_schedule-in-console_try.patch
+printk-wake-klogd-when-passing-console_lock-owner.patch
diff --git a/queue-4.14/staging-rtl8723bs-fix-the-return-value-in-case-of-er.patch b/queue-4.14/staging-rtl8723bs-fix-the-return-value-in-case-of-er.patch
new file mode 100644 (file)
index 0000000..13a8ec2
--- /dev/null
@@ -0,0 +1,37 @@
+From 02c244d15c78913e92478a1be1b315a96ddf6a98 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Wed, 17 Oct 2018 10:15:34 +0200
+Subject: staging: rtl8723bs: Fix the return value in case of error in
+ 'rtw_wx_read32()'
+
+[ Upstream commit c3e43d8b958bd6849817393483e805d8638a8ab7 ]
+
+We return 0 unconditionally in 'rtw_wx_read32()'.
+However, 'ret' is set to some error codes in several error handling paths.
+
+Return 'ret' instead to propagate the error code.
+
+Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+index d5e5f830f2a1..1b61da61690b 100644
+--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
++++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+@@ -2383,7 +2383,7 @@ static int rtw_wx_read32(struct net_device *dev,
+ exit:
+       kfree(ptmp);
+-      return 0;
++      return ret;
+ }
+ static int rtw_wx_write32(struct net_device *dev,
+-- 
+2.19.1
+
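Review bot: Returning `ret` from the `exit:` label is only correct if `ret` is 0 on every successful path through rtw_wx_read32(). Its declaration and the success path lie outside this hunk, so confirm that the 4.14 tree initialises it (for example `int ret = 0;`) before this backport is applied. Otherwise the ioctl would hand an indeterminate stack value back to the caller. The same check applies to `err` in the __sysv_write_inode() hunk of sysv-return-err-instead-of-0-in-__sysv_write_inode.patch, where the declaration is likewise not shown.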
diff --git a/queue-4.14/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch b/queue-4.14/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch
new file mode 100644 (file)
index 0000000..a6ab846
--- /dev/null
@@ -0,0 +1,39 @@
+From 2612113d65289176dce23c18d131344bd724739b Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Sat, 10 Nov 2018 04:13:24 +0000
+Subject: sysv: return 'err' instead of 0 in __sysv_write_inode
+
+[ Upstream commit c4b7d1ba7d263b74bb72e9325262a67139605cde ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+fs/sysv/inode.c: In function '__sysv_write_inode':
+fs/sysv/inode.c:239:6: warning:
+ variable 'err' set but not used [-Wunused-but-set-variable]
+
+__sysv_write_inode should return 'err' instead of 0
+
+Fixes: 05459ca81ac3 ("repair sysv_write_inode(), switch sysv to simple_fsync()")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/sysv/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/sysv/inode.c b/fs/sysv/inode.c
+index 3c47b7d5d4cf..9e0874d1524c 100644
+--- a/fs/sysv/inode.c
++++ b/fs/sysv/inode.c
+@@ -275,7 +275,7 @@ static int __sysv_write_inode(struct inode *inode, int wait)
+                 }
+         }
+       brelse(bh);
+-      return 0;
++      return err;
+ }
+ int sysv_write_inode(struct inode *inode, struct writeback_control *wbc)
+-- 
+2.19.1
+
diff --git a/queue-4.14/usb-gadget-u_ether-fix-unsafe-list-iteration.patch b/queue-4.14/usb-gadget-u_ether-fix-unsafe-list-iteration.patch
new file mode 100644 (file)
index 0000000..f7e6b24
--- /dev/null
@@ -0,0 +1,103 @@
+From e7aea1f6c46f7c995aea81c62e656ca559eca649 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Mon, 19 Nov 2018 16:49:05 +0100
+Subject: usb: gadget: u_ether: fix unsafe list iteration
+
+[ Upstream commit c9287fa657b3328b4549c0ab39ea7f197a3d6a50 ]
+
+list_for_each_entry_safe() is not safe for deleting entries from the
+list if the spin lock, which protects it, is released and reacquired during
+the list iteration. Fix this issue by replacing this construction with
+a simple check if list is empty and removing the first entry in each
+iteration. This is almost equivalent to a revert of the commit mentioned in
+the Fixes: tag.
+
+This patch fixes following issue:
+--->8---
+Unable to handle kernel NULL pointer dereference at virtual address 00000104
+pgd = (ptrval)
+[00000104] *pgd=00000000
+Internal error: Oops: 817 [#1] PREEMPT SMP ARM
+Modules linked in:
+CPU: 1 PID: 84 Comm: kworker/1:1 Not tainted 4.20.0-rc2-next-20181114-00009-g8266b35ec404 #1061
+Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
+Workqueue: events eth_work
+PC is at rx_fill+0x60/0xac
+LR is at _raw_spin_lock_irqsave+0x50/0x5c
+pc : [<c065fee0>]    lr : [<c0a056b8>]    psr: 80000093
+sp : ee7fbee8  ip : 00000100  fp : 00000000
+r10: 006000c0  r9 : c10b0ab0  r8 : ee7eb5c0
+r7 : ee7eb614  r6 : ee7eb5ec  r5 : 000000dc  r4 : ee12ac00
+r3 : ee12ac24  r2 : 00000200  r1 : 60000013  r0 : ee7eb5ec
+Flags: Nzcv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment none
+Control: 10c5387d  Table: 6d5dc04a  DAC: 00000051
+Process kworker/1:1 (pid: 84, stack limit = 0x(ptrval))
+Stack: (0xee7fbee8 to 0xee7fc000)
+...
+[<c065fee0>] (rx_fill) from [<c0143b7c>] (process_one_work+0x200/0x738)
+[<c0143b7c>] (process_one_work) from [<c0144118>] (worker_thread+0x2c/0x4c8)
+[<c0144118>] (worker_thread) from [<c014a8a4>] (kthread+0x128/0x164)
+[<c014a8a4>] (kthread) from [<c01010b4>] (ret_from_fork+0x14/0x20)
+Exception stack(0xee7fbfb0 to 0xee7fbff8)
+...
+---[ end trace 64480bc835eba7d6 ]---
+
+Fixes: fea14e68ff5e ("usb: gadget: u_ether: use better list accessors")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/u_ether.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
+index bdbc3fdc7c4f..3a0e4f5d7b83 100644
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -405,12 +405,12 @@ static int alloc_requests(struct eth_dev *dev, struct gether *link, unsigned n)
+ static void rx_fill(struct eth_dev *dev, gfp_t gfp_flags)
+ {
+       struct usb_request      *req;
+-      struct usb_request      *tmp;
+       unsigned long           flags;
+       /* fill unused rxq slots with some skb */
+       spin_lock_irqsave(&dev->req_lock, flags);
+-      list_for_each_entry_safe(req, tmp, &dev->rx_reqs, list) {
++      while (!list_empty(&dev->rx_reqs)) {
++              req = list_first_entry(&dev->rx_reqs, struct usb_request, list);
+               list_del_init(&req->list);
+               spin_unlock_irqrestore(&dev->req_lock, flags);
+@@ -1125,7 +1125,6 @@ void gether_disconnect(struct gether *link)
+ {
+       struct eth_dev          *dev = link->ioport;
+       struct usb_request      *req;
+-      struct usb_request      *tmp;
+       WARN_ON(!dev);
+       if (!dev)
+@@ -1142,7 +1141,8 @@ void gether_disconnect(struct gether *link)
+        */
+       usb_ep_disable(link->in_ep);
+       spin_lock(&dev->req_lock);
+-      list_for_each_entry_safe(req, tmp, &dev->tx_reqs, list) {
++      while (!list_empty(&dev->tx_reqs)) {
++              req = list_first_entry(&dev->tx_reqs, struct usb_request, list);
+               list_del(&req->list);
+               spin_unlock(&dev->req_lock);
+@@ -1154,7 +1154,8 @@ void gether_disconnect(struct gether *link)
+       usb_ep_disable(link->out_ep);
+       spin_lock(&dev->req_lock);
+-      list_for_each_entry_safe(req, tmp, &dev->rx_reqs, list) {
++      while (!list_empty(&dev->rx_reqs)) {
++              req = list_first_entry(&dev->rx_reqs, struct usb_request, list);
+               list_del(&req->list);
+               spin_unlock(&dev->req_lock);
+-- 
+2.19.1
+
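Review bot: None of the three rewritten loops (the one in rx_fill() and the tx_reqs and rx_reqs loops in gether_disconnect()) carries a comment saying why list_for_each_entry_safe() must not be used here. Without one, a later cleanup could reintroduce the stale-next-pointer bug that the commit message describes. I would put `/* req_lock is dropped in the loop body, so re-read the list head on every pass */` above each `while (!list_empty(...))`. The loop bodies continue outside these hunks, so termination depends on code not shown. Any path that puts the request back on the list while the lock is released has to leave the loop rather than iterate again.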
diff --git a/queue-4.14/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch b/queue-4.14/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch
new file mode 100644 (file)
index 0000000..6956d30
--- /dev/null
@@ -0,0 +1,114 @@
+From ac231912151575c4c8f93fd858fdaa1dfb4c8d68 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 25 Nov 2018 00:17:05 +0200
+Subject: USB: omap_udc: fix crashes on probe error and module removal
+
+[ Upstream commit 99f700366fcea1aa2fa3c49c99f371670c3c62f8 ]
+
+We currently crash if usb_add_gadget_udc_release() fails, since the
+udc->done is not initialized until in the remove function.
+Furthermore, on module removal the udc data is accessed although
+the release function is already triggered by usb_del_gadget_udc()
+early in the function.
+
+Fix by rewriting the release and remove functions, basically moving
+all the cleanup into the release function, and doing the completion
+only in the module removal case.
+
+The patch fixes omap_udc module probe with a failing gadged, and also
+allows the removal of omap_udc. Tested by running "modprobe omap_udc;
+modprobe -r omap_udc" in a loop.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/omap_udc.c | 50 ++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index e515c85ef0c5..d45dc14ef0a2 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2612,9 +2612,22 @@ omap_ep_setup(char *name, u8 addr, u8 type,
+ static void omap_udc_release(struct device *dev)
+ {
+-      complete(udc->done);
++      pullup_disable(udc);
++      if (!IS_ERR_OR_NULL(udc->transceiver)) {
++              usb_put_phy(udc->transceiver);
++              udc->transceiver = NULL;
++      }
++      omap_writew(0, UDC_SYSCON1);
++      remove_proc_file();
++      if (udc->dc_clk) {
++              if (udc->clk_requested)
++                      omap_udc_enable_clock(0);
++              clk_put(udc->hhc_clk);
++              clk_put(udc->dc_clk);
++      }
++      if (udc->done)
++              complete(udc->done);
+       kfree(udc);
+-      udc = NULL;
+ }
+ static int
+@@ -2919,12 +2932,8 @@ static int omap_udc_probe(struct platform_device *pdev)
+       }
+       create_proc_file();
+-      status = usb_add_gadget_udc_release(&pdev->dev, &udc->gadget,
+-                      omap_udc_release);
+-      if (!status)
+-              return 0;
+-
+-      remove_proc_file();
++      return usb_add_gadget_udc_release(&pdev->dev, &udc->gadget,
++                                        omap_udc_release);
+ cleanup1:
+       kfree(udc);
+@@ -2951,36 +2960,15 @@ static int omap_udc_remove(struct platform_device *pdev)
+ {
+       DECLARE_COMPLETION_ONSTACK(done);
+-      if (!udc)
+-              return -ENODEV;
+-
+-      usb_del_gadget_udc(&udc->gadget);
+-      if (udc->driver)
+-              return -EBUSY;
+-
+       udc->done = &done;
+-      pullup_disable(udc);
+-      if (!IS_ERR_OR_NULL(udc->transceiver)) {
+-              usb_put_phy(udc->transceiver);
+-              udc->transceiver = NULL;
+-      }
+-      omap_writew(0, UDC_SYSCON1);
+-
+-      remove_proc_file();
++      usb_del_gadget_udc(&udc->gadget);
+-      if (udc->dc_clk) {
+-              if (udc->clk_requested)
+-                      omap_udc_enable_clock(0);
+-              clk_put(udc->hhc_clk);
+-              clk_put(udc->dc_clk);
+-      }
++      wait_for_completion(&done);
+       release_mem_region(pdev->resource[0].start,
+                       pdev->resource[0].end - pdev->resource[0].start + 1);
+-      wait_for_completion(&done);
+-
+       return 0;
+ }
+-- 
+2.19.1
+
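Review bot: omap_udc_release() now ends with `kfree(udc);` and no longer clears the file-scope pointer, so `udc` dangles once release has run. This includes the probe failure case, where release appears to be invoked from the failed usb_add_gadget_udc_release() call. Any later reader of the global would then see a stale non-NULL value and touch freed memory; whether such a reader remains (a later probe, a proc handler) is not visible here. I would keep the removed line, `kfree(udc); udc = NULL;`. omap_udc_remove() also lost its `if (!udc)` guard and writes `udc->done` unconditionally, which relies on remove only ever running after a successful probe. Probe now returns the registration result directly, so confirm that release covers everything the error labels after `cleanup1:` used to undo, as their bodies are outside the hunk.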
diff --git a/queue-4.14/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch b/queue-4.14/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch
new file mode 100644 (file)
index 0000000..da2cf15
--- /dev/null
@@ -0,0 +1,41 @@
+From 788fdc74dcb0ad647ea08d699b15b2d128638e9e Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 25 Nov 2018 00:17:06 +0200
+Subject: USB: omap_udc: fix omap_udc_start() on 15xx machines
+
+[ Upstream commit 6ca6695f576b8453fe68865e84d25946d63b10ad ]
+
+On OMAP 15xx machines there are no transceivers, and omap_udc_start()
+always fails as it forgot to adjust the default return value.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/omap_udc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index d45dc14ef0a2..9060b3af27ff 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2045,7 +2045,7 @@ static inline int machine_without_vbus_sense(void)
+ static int omap_udc_start(struct usb_gadget *g,
+               struct usb_gadget_driver *driver)
+ {
+-      int             status = -ENODEV;
++      int             status;
+       struct omap_ep  *ep;
+       unsigned long   flags;
+@@ -2083,6 +2083,7 @@ static int omap_udc_start(struct usb_gadget *g,
+                       goto done;
+               }
+       } else {
++              status = 0;
+               if (can_pullup(udc))
+                       pullup_enable(udc);
+               else
+-- 
+2.19.1
+
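Review bot: `status` in omap_udc_start() is now declared without an initializer, so the value returned is defined only if every path assigns it first. The new `status = 0;` covers the `else` branch, but the transceiver branch and any earlier exits lie outside these hunks and cannot be checked from here. A later edit that adds a path without an assignment would return stack garbage rather than a fixed error. Declaring it as `int status = 0;` would give the same fix for 15xx machines and keep the function safe by construction.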
diff --git a/queue-4.14/usb-omap_udc-fix-rejection-of-out-transfers-when-dma.patch b/queue-4.14/usb-omap_udc-fix-rejection-of-out-transfers-when-dma.patch
new file mode 100644 (file)
index 0000000..4a11d52
--- /dev/null
@@ -0,0 +1,35 @@
+From 40a991e545dfcb5b9403d118c619e7ba81bdb30a Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 25 Nov 2018 00:17:08 +0200
+Subject: USB: omap_udc: fix rejection of out transfers when DMA is used
+
+[ Upstream commit 069caf5950dfa75d0526cd89c439ff9d9d3136d8 ]
+
+Commit 387f869d2579 ("usb: gadget: u_ether: conditionally align
+transfer size") started aligning transfer size only if requested,
+breaking omap_udc DMA mode. Set quirk_ep_out_aligned_size to restore
+the old behaviour.
+
+Fixes: 387f869d2579 ("usb: gadget: u_ether: conditionally align transfer size")
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/omap_udc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index c8facc8aa87e..ee0b87a0773c 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2661,6 +2661,7 @@ omap_udc_setup(struct platform_device *odev, struct usb_phy *xceiv)
+       udc->gadget.speed = USB_SPEED_UNKNOWN;
+       udc->gadget.max_speed = USB_SPEED_FULL;
+       udc->gadget.name = driver_name;
++      udc->gadget.quirk_ep_out_aligned_size = 1;
+       udc->transceiver = xceiv;
+       /* ep0 is special; put it right after the SETUP buffer */
+-- 
+2.19.1
+
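Review bot: The new `udc->gadget.quirk_ep_out_aligned_size = 1;` line in omap_udc_setup() has no comment, and the reason for it exists only in the commit message. Per that message, the DMA path depends on OUT transfer sizes being aligned and the gadget core only does that when the quirk is set. A short comment above the assignment would keep it from being removed as dead configuration, for example `/* DMA mode needs aligned OUT transfer sizes; u_ether only aligns when asked */`.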
diff --git a/queue-4.14/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch b/queue-4.14/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch
new file mode 100644 (file)
index 0000000..68ef486
--- /dev/null
@@ -0,0 +1,32 @@
+From d6a6956f6fc14aba470aa79d5891586cadcf0257 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 25 Nov 2018 00:17:07 +0200
+Subject: USB: omap_udc: fix USB gadget functionality on Palm Tungsten E
+
+[ Upstream commit 2c2322fbcab8102b8cadc09d66714700a2da42c2 ]
+
+On Palm TE nothing happens when you try to use gadget drivers and plug
+the USB cable. Fix by adding the board to the vbus sense quirk list.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/omap_udc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index 9060b3af27ff..c8facc8aa87e 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2037,6 +2037,7 @@ static inline int machine_without_vbus_sense(void)
+ {
+       return machine_is_omap_innovator()
+               || machine_is_omap_osk()
++              || machine_is_omap_palmte()
+               || machine_is_sx1()
+               /* No known omap7xx boards with vbus sense */
+               || cpu_is_omap7xx();
+-- 
+2.19.1
+
diff --git a/queue-4.14/usb-omap_udc-use-devm_request_irq.patch b/queue-4.14/usb-omap_udc-use-devm_request_irq.patch
new file mode 100644 (file)
index 0000000..3532204
--- /dev/null
@@ -0,0 +1,102 @@
+From 6c47a2b7de242e15c3782f87bae986bc8354483b Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 25 Nov 2018 00:17:04 +0200
+Subject: USB: omap_udc: use devm_request_irq()
+
+[ Upstream commit 286afdde1640d8ea8916a0f05e811441fbbf4b9d ]
+
+The current code fails to release the third irq on the error path
+(observed by reading the code), and we get also multiple WARNs with
+failing gadget drivers due to duplicate IRQ releases. Fix by using
+devm_request_irq().
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/omap_udc.c | 37 +++++++++----------------------
+ 1 file changed, 10 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c
+index f05ba6825bfe..e515c85ef0c5 100644
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -2886,8 +2886,8 @@ static int omap_udc_probe(struct platform_device *pdev)
+               udc->clr_halt = UDC_RESET_EP;
+       /* USB general purpose IRQ:  ep0, state changes, dma, etc */
+-      status = request_irq(pdev->resource[1].start, omap_udc_irq,
+-                      0, driver_name, udc);
++      status = devm_request_irq(&pdev->dev, pdev->resource[1].start,
++                                omap_udc_irq, 0, driver_name, udc);
+       if (status != 0) {
+               ERR("can't get irq %d, err %d\n",
+                       (int) pdev->resource[1].start, status);
+@@ -2895,20 +2895,20 @@ static int omap_udc_probe(struct platform_device *pdev)
+       }
+       /* USB "non-iso" IRQ (PIO for all but ep0) */
+-      status = request_irq(pdev->resource[2].start, omap_udc_pio_irq,
+-                      0, "omap_udc pio", udc);
++      status = devm_request_irq(&pdev->dev, pdev->resource[2].start,
++                                omap_udc_pio_irq, 0, "omap_udc pio", udc);
+       if (status != 0) {
+               ERR("can't get irq %d, err %d\n",
+                       (int) pdev->resource[2].start, status);
+-              goto cleanup2;
++              goto cleanup1;
+       }
+ #ifdef        USE_ISO
+-      status = request_irq(pdev->resource[3].start, omap_udc_iso_irq,
+-                      0, "omap_udc iso", udc);
++      status = devm_request_irq(&pdev->dev, pdev->resource[3].start,
++                                omap_udc_iso_irq, 0, "omap_udc iso", udc);
+       if (status != 0) {
+               ERR("can't get irq %d, err %d\n",
+                       (int) pdev->resource[3].start, status);
+-              goto cleanup3;
++              goto cleanup1;
+       }
+ #endif
+       if (cpu_is_omap16xx() || cpu_is_omap7xx()) {
+@@ -2921,22 +2921,11 @@ static int omap_udc_probe(struct platform_device *pdev)
+       create_proc_file();
+       status = usb_add_gadget_udc_release(&pdev->dev, &udc->gadget,
+                       omap_udc_release);
+-      if (status)
+-              goto cleanup4;
+-
+-      return 0;
++      if (!status)
++              return 0;
+-cleanup4:
+       remove_proc_file();
+-#ifdef        USE_ISO
+-cleanup3:
+-      free_irq(pdev->resource[2].start, udc);
+-#endif
+-
+-cleanup2:
+-      free_irq(pdev->resource[1].start, udc);
+-
+ cleanup1:
+       kfree(udc);
+       udc = NULL;
+@@ -2980,12 +2969,6 @@ static int omap_udc_remove(struct platform_device *pdev)
+       remove_proc_file();
+-#ifdef        USE_ISO
+-      free_irq(pdev->resource[3].start, udc);
+-#endif
+-      free_irq(pdev->resource[2].start, udc);
+-      free_irq(pdev->resource[1].start, udc);
+-
+       if (udc->dc_clk) {
+               if (udc->clk_requested)
+                       omap_udc_enable_clock(0);
+-- 
+2.19.1
+
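Review bot: With devm_request_irq() the three handlers stay registered until devres cleanup, which runs after omap_udc_probe() has returned its error and after omap_udc_remove() has returned. On the `cleanup1:` path that means `kfree(udc)` runs while omap_udc_irq, omap_udc_pio_irq and (with USE_ISO) omap_udc_iso_irq can still be called with the freed `udc` as dev_id. The remove hunk drops the free_irq() calls with the same effect. Whether the controller can still raise an interrupt at that point is not visible here, so either the hardware's interrupt sources need to be masked before the free, or the IRQs released explicitly first. An explicit release would be `devm_free_irq(&pdev->dev, pdev->resource[1].start, udc);` and likewise for resources 2 and 3. Both functions continue outside the hunks shown.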
diff --git a/queue-4.14/x86-kvm-vmx-fix-old-style-function-declaration.patch b/queue-4.14/x86-kvm-vmx-fix-old-style-function-declaration.patch
new file mode 100644 (file)
index 0000000..ed51528
--- /dev/null
@@ -0,0 +1,68 @@
+From df1d782b948d7419692a0589744469d9f95e3c36 Mon Sep 17 00:00:00 2001
+From: Yi Wang <wang.yi59@zte.com.cn>
+Date: Thu, 8 Nov 2018 11:22:21 +0800
+Subject: x86/kvm/vmx: fix old-style function declaration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 1e4329ee2c52692ea42cc677fb2133519718b34a ]
+
+The inline keyword which is not at the beginning of the function
+declaration may trigger the following build warnings, so let's fix it:
+
+arch/x86/kvm/vmx.c:1309:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+arch/x86/kvm/vmx.c:5947:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+arch/x86/kvm/vmx.c:5985:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+arch/x86/kvm/vmx.c:6023:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration]
+
+Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index ec588cf4fe95..4353580b659a 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1089,7 +1089,7 @@ static void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked);
+ static bool nested_vmx_is_page_fault_vmexit(struct vmcs12 *vmcs12,
+                                           u16 error_code);
+ static void vmx_update_msr_bitmap(struct kvm_vcpu *vcpu);
+-static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
+                                                         u32 msr, int type);
+ static DEFINE_PER_CPU(struct vmcs *, vmxarea);
+@@ -5227,7 +5227,7 @@ static void free_vpid(int vpid)
+       spin_unlock(&vmx_vpid_lock);
+ }
+-static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
+                                                         u32 msr, int type)
+ {
+       int f = sizeof(unsigned long);
+@@ -5262,7 +5262,7 @@ static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bit
+       }
+ }
+-static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_enable_intercept_for_msr(unsigned long *msr_bitmap,
+                                                        u32 msr, int type)
+ {
+       int f = sizeof(unsigned long);
+@@ -5297,7 +5297,7 @@ static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitm
+       }
+ }
+-static void __always_inline vmx_set_intercept_for_msr(unsigned long *msr_bitmap,
++static __always_inline void vmx_set_intercept_for_msr(unsigned long *msr_bitmap,
+                                                     u32 msr, int type, bool value)
+ {
+       if (value)
+-- 
+2.19.1
+
diff --git a/queue-4.14/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch b/queue-4.14/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch
new file mode 100644 (file)
index 0000000..e36c25e
--- /dev/null
@@ -0,0 +1,37 @@
+From 4bc124afbb47061883a7a2ff017a727caff927df Mon Sep 17 00:00:00 2001
+From: Srikanth Boddepalli <boddepalli.srikanth@gmail.com>
+Date: Tue, 27 Nov 2018 19:53:27 +0530
+Subject: xen: xlate_mmu: add missing header to fix 'W=1' warning
+
+[ Upstream commit 72791ac854fea36034fa7976b748fde585008e78 ]
+
+Add a missing header otherwise compiler warns about missed prototype:
+
+drivers/xen/xlate_mmu.c:183:5: warning: no previous prototype for 'xen_xlate_unmap_gfn_range?' [-Wmissing-prototypes]
+  int xen_xlate_unmap_gfn_range(struct vm_area_struct *vma,
+      ^~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Srikanth Boddepalli <boddepalli.srikanth@gmail.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Reviewed-by: Joey Pabalinas <joeypabalinas@gmail.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/xlate_mmu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/xen/xlate_mmu.c b/drivers/xen/xlate_mmu.c
+index 23f1387b3ef7..e7df65d32c91 100644
+--- a/drivers/xen/xlate_mmu.c
++++ b/drivers/xen/xlate_mmu.c
+@@ -36,6 +36,7 @@
+ #include <asm/xen/hypervisor.h>
+ #include <xen/xen.h>
++#include <xen/xen-ops.h>
+ #include <xen/page.h>
+ #include <xen/interface/xen.h>
+ #include <xen/interface/memory.h>
+-- 
+2.19.1
+