--- /dev/null
+From 50fc7867683b89f9d838b0528490aa501eb0ac77 Mon Sep 17 00:00:00 2001
+From: Filippo Sironi <sironi@amazon.de>
+Date: Mon, 12 Nov 2018 12:26:30 +0000
+Subject: amd/iommu: Fix Guest Virtual APIC Log Tail Address Register
+
+[ Upstream commit ab99be4683d9db33b100497d463274ebd23bd67e ]
+
+This register should have been programmed with the physical address
+of the memory location containing the shadow tail pointer for
+the guest virtual APIC log instead of the base address.
+
+Fixes: 8bda0cfbdc1a ('iommu/amd: Detect and initialize guest vAPIC log')
+Signed-off-by: Filippo Sironi <sironi@amazon.de>
+Signed-off-by: Wei Wang <wawei@amazon.de>
+Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu_init.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
+index 6fe2d0346073..b97984a5ddad 100644
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -796,7 +796,8 @@ static int iommu_init_ga_log(struct amd_iommu *iommu)
+ entry = iommu_virt_to_phys(iommu->ga_log) | GA_LOG_SIZE_512;
+ memcpy_toio(iommu->mmio_base + MMIO_GA_LOG_BASE_OFFSET,
+ &entry, sizeof(entry));
+- entry = (iommu_virt_to_phys(iommu->ga_log) & 0xFFFFFFFFFFFFFULL) & ~7ULL;
++ entry = (iommu_virt_to_phys(iommu->ga_log_tail) &
++ (BIT_ULL(52)-1)) & ~7ULL;
+ memcpy_toio(iommu->mmio_base + MMIO_GA_LOG_TAIL_OFFSET,
+ &entry, sizeof(entry));
+ writel(0x00, iommu->mmio_base + MMIO_GA_HEAD_OFFSET);
+--
+2.19.1
+
--- /dev/null
+From f8bc5f602b6604e4af39f2d6095fe66f4c388f72 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 7 Nov 2018 23:09:12 +0100
+Subject: batman-adv: Expand merged fragment buffer for full packet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit d7d8bbb40a5b1f682ee6589e212934f4c6b8ad60 ]
+
+The complete size ("total_size") of the fragmented packet is stored in the
+fragment header and in the size of the fragment chain. When the fragments
+are ready for merge, the skbuff's tail of the first fragment is expanded to
+have enough room after the data pointer for at least total_size. This means
+that it gets expanded by total_size - first_skb->len.
+
+But this is ignoring the fact that after expanding the buffer, the fragment
+header is pulled by from this buffer. Assuming that the tailroom of the
+buffer was already 0, the buffer after the data pointer of the skbuff is
+now only total_size - len(fragment_header) large. When the merge function
+is then processing the remaining fragments, the code to copy the data over
+to the merged skbuff will cause an skb_over_panic when it tries to actually
+put enough data to fill the total_size bytes of the packet.
+
+The size of the skb_pull must therefore also be taken into account when the
+buffer's tailroom is expanded.
+
+Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
+Reported-by: Martin Weinelt <martin@darmstadt.freifunk.net>
+Co-authored-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/fragmentation.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
+index b6abd19ab23e..c6d37d22bd12 100644
+--- a/net/batman-adv/fragmentation.c
++++ b/net/batman-adv/fragmentation.c
+@@ -274,7 +274,7 @@ batadv_frag_merge_packets(struct hlist_head *chain)
+ kfree(entry);
+
+ packet = (struct batadv_frag_packet *)skb_out->data;
+- size = ntohs(packet->total_size);
++ size = ntohs(packet->total_size) + hdr_size;
+
+ /* Make room for the rest of the fragments. */
+ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) {
+--
+2.19.1
+
--- /dev/null
+From a3a094342c3b6f146681e2a8459f33aa500339fe Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Tue, 30 Oct 2018 12:17:10 +0100
+Subject: batman-adv: Use explicit tvlv padding for ELP packets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit f4156f9656feac21f4de712fac94fae964c5d402 ]
+
+The announcement messages of batman-adv COMPAT_VERSION 15 have the
+possibility to announce additional information via a dynamic TVLV part.
+This part is optional for the ELP packets and currently not parsed by the
+Linux implementation. Still out-of-tree versions are using it to transport
+things like neighbor hashes to optimize the rebroadcast behavior.
+
+Since the ELP broadcast packets are smaller than the minimal ethernet
+packet, it often has to be padded. This is often done (as specified in
+RFC894) with octets of zero and thus work perfectly fine with the TVLV
+part (making it a zero length and thus empty). But not all ethernet
+compatible hardware seems to follow this advice. To avoid ambiguous
+situations when parsing the TVLV header, just force the 4 bytes (TVLV
+length + padding) after the required ELP header to zero.
+
+Fixes: d6f94d91f766 ("batman-adv: ELP - adding basic infrastructure")
+Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/bat_v_elp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c
+index e92dfedccc16..fbc132f4670e 100644
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -338,19 +338,21 @@ out:
+ */
+ int batadv_v_elp_iface_enable(struct batadv_hard_iface *hard_iface)
+ {
++ static const size_t tvlv_padding = sizeof(__be32);
+ struct batadv_elp_packet *elp_packet;
+ unsigned char *elp_buff;
+ u32 random_seqno;
+ size_t size;
+ int res = -ENOMEM;
+
+- size = ETH_HLEN + NET_IP_ALIGN + BATADV_ELP_HLEN;
++ size = ETH_HLEN + NET_IP_ALIGN + BATADV_ELP_HLEN + tvlv_padding;
+ hard_iface->bat_v.elp_skb = dev_alloc_skb(size);
+ if (!hard_iface->bat_v.elp_skb)
+ goto out;
+
+ skb_reserve(hard_iface->bat_v.elp_skb, ETH_HLEN + NET_IP_ALIGN);
+- elp_buff = skb_put_zero(hard_iface->bat_v.elp_skb, BATADV_ELP_HLEN);
++ elp_buff = skb_put_zero(hard_iface->bat_v.elp_skb,
++ BATADV_ELP_HLEN + tvlv_padding);
+ elp_packet = (struct batadv_elp_packet *)elp_buff;
+
+ elp_packet->packet_type = BATADV_ELP;
+--
+2.19.1
+
--- /dev/null
+From c48046dd09533038ec9a98534eb7b2950acf9f50 Mon Sep 17 00:00:00 2001
+From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
+Date: Sun, 11 Nov 2018 18:27:34 -0800
+Subject: bnx2x: Assign unique DMAE channel number for FW DMAE transactions.
+
+[ Upstream commit 77e461d14ed141253573eeeb4d34eccc51e38328 ]
+
+Driver assigns DMAE channel 0 for FW as part of START_RAMROD command. FW
+uses this channel for DMAE operations (e.g., TIME_SYNC implementation).
+Driver also uses the same channel 0 for DMAE operations for some of the PFs
+(e.g., PF0 on Port0). This could lead to concurrent access to the DMAE
+channel by FW and driver which is not legal. Hence need to assign unique
+DMAE id for FW.
+Currently following DMAE channels are used by the clients,
+ MFW - OCBB/OCSD functionality uses DMAE channel 14/15
+ Driver 0-3 and 8-11 (for PF dmae operations)
+ 4 and 12 (for stats requests)
+Assigning unique dmae_id '13' to the FW.
+
+Changes from previous version:
+------------------------------
+v2: Incorporated the review comments.
+
+Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
+Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x.h | 7 +++++++
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h
+index 828e2e56b75e..1b7f4342dab9 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h
+@@ -2187,6 +2187,13 @@ void bnx2x_igu_clear_sb_gen(struct bnx2x *bp, u8 func, u8 idu_sb_id,
+ #define PMF_DMAE_C(bp) (BP_PORT(bp) * MAX_DMAE_C_PER_PORT + \
+ E1HVN_MAX)
+
++/* Following is the DMAE channel number allocation for the clients.
++ * MFW: OCBB/OCSD implementations use DMAE channels 14/15 respectively.
++ * Driver: 0-3 and 8-11 (for PF dmae operations)
++ * 4 and 12 (for stats requests)
++ */
++#define BNX2X_FW_DMAE_C 13 /* Channel for FW DMAE operations */
++
+ /* PCIE link and speed */
+ #define PCICFG_LINK_WIDTH 0x1f00000
+ #define PCICFG_LINK_WIDTH_SHIFT 20
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
+index 8baf9d3eb4b1..453bfd83a070 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
+@@ -6149,6 +6149,7 @@ static inline int bnx2x_func_send_start(struct bnx2x *bp,
+ rdata->sd_vlan_tag = cpu_to_le16(start_params->sd_vlan_tag);
+ rdata->path_id = BP_PATH(bp);
+ rdata->network_cos_mode = start_params->network_cos_mode;
++ rdata->dmae_cmd_id = BNX2X_FW_DMAE_C;
+
+ rdata->vxlan_dst_port = cpu_to_le16(start_params->vxlan_dst_port);
+ rdata->geneve_dst_port = cpu_to_le16(start_params->geneve_dst_port);
+--
+2.19.1
+
--- /dev/null
+From ed3c1d63f4c6a85beebad2877bb9d41be478e792 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Fri, 26 Oct 2018 12:50:39 +0200
+Subject: brcmutil: really fix decoding channel info for 160 MHz bandwidth
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 3401d42c7ea2d064d15c66698ff8eb96553179ce ]
+
+Previous commit /adding/ support for 160 MHz chanspecs was incomplete.
+It didn't set bandwidth info and didn't extract control channel info. As
+the result it was also using uninitialized "sb" var.
+
+This change has been tested for two chanspecs found to be reported by
+some devices/firmwares:
+1) 60/160 (0xee32)
+ Before: chnum:50 control_ch_num:36
+ After: chnum:50 control_ch_num:60
+2) 120/160 (0xed72)
+ Before: chnum:114 control_ch_num:100
+ After: chnum:114 control_ch_num:120
+
+Fixes: 330994e8e8ec ("brcmfmac: fix for proper support of 160MHz bandwidth")
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c b/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
+index e7584b842dce..eb5db94f5745 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
+@@ -193,6 +193,9 @@ static void brcmu_d11ac_decchspec(struct brcmu_chan *ch)
+ }
+ break;
+ case BRCMU_CHSPEC_D11AC_BW_160:
++ ch->bw = BRCMU_CHAN_BW_160;
++ ch->sb = brcmu_maskget16(ch->chspec, BRCMU_CHSPEC_D11AC_SB_MASK,
++ BRCMU_CHSPEC_D11AC_SB_SHIFT);
+ switch (ch->sb) {
+ case BRCMU_CHAN_SB_LLL:
+ ch->control_ch_num -= CH_70MHZ_APART;
+--
+2.19.1
+
--- /dev/null
+From 3629173a4b3453b08b1c04ea55cac89bafabfc1b Mon Sep 17 00:00:00 2001
+From: Fabrizio Castro <fabrizio.castro@bp.renesas.com>
+Date: Mon, 10 Sep 2018 11:43:13 +0100
+Subject: can: rcar_can: Fix erroneous registration
+
+[ Upstream commit 68c8d209cd4337da4fa04c672f0b62bb735969bc ]
+
+Assigning 2 to "renesas,can-clock-select" tricks the driver into
+registering the CAN interface, even though we don't want that.
+This patch improves one of the checks to prevent that from happening.
+
+Fixes: 862e2b6af9413b43 ("can: rcar_can: support all input clocks")
+Signed-off-by: Fabrizio Castro <fabrizio.castro@bp.renesas.com>
+Signed-off-by: Chris Paterson <Chris.Paterson2@renesas.com>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/rcar/rcar_can.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/rcar/rcar_can.c b/drivers/net/can/rcar/rcar_can.c
+index 11662f479e76..771a46083739 100644
+--- a/drivers/net/can/rcar/rcar_can.c
++++ b/drivers/net/can/rcar/rcar_can.c
+@@ -24,6 +24,9 @@
+
+ #define RCAR_CAN_DRV_NAME "rcar_can"
+
++#define RCAR_SUPPORTED_CLOCKS (BIT(CLKR_CLKP1) | BIT(CLKR_CLKP2) | \
++ BIT(CLKR_CLKEXT))
++
+ /* Mailbox configuration:
+ * mailbox 60 - 63 - Rx FIFO mailboxes
+ * mailbox 56 - 59 - Tx FIFO mailboxes
+@@ -789,7 +792,7 @@ static int rcar_can_probe(struct platform_device *pdev)
+ goto fail_clk;
+ }
+
+- if (clock_select >= ARRAY_SIZE(clock_names)) {
++ if (!(BIT(clock_select) & RCAR_SUPPORTED_CLOCKS)) {
+ err = -EINVAL;
+ dev_err(&pdev->dev, "invalid CAN clock selected\n");
+ goto fail_clk;
+--
+2.19.1
+
--- /dev/null
+From 8a85dd2c1186ddbf45ce2c7a9787d8a9766ebf79 Mon Sep 17 00:00:00 2001
+From: Chanho Min <chanho.min@lge.com>
+Date: Mon, 12 Nov 2018 12:54:45 +0900
+Subject: exec: make de_thread() freezable
+
+[ Upstream commit c22397888f1eed98cd59f0a88f2a5f6925f80e15 ]
+
+Suspend fails due to the exec family of functions blocking the freezer.
+The casue is that de_thread() sleeps in TASK_UNINTERRUPTIBLE waiting for
+all sub-threads to die, and we have the deadlock if one of them is frozen.
+This also can occur with the schedule() waiting for the group thread leader
+to exit if it is frozen.
+
+In our machine, it causes freeze timeout as bellows.
+
+Freezing of tasks failed after 20.010 seconds (1 tasks refusing to freeze, wq_busy=0):
+setcpushares-ls D ffffffc00008ed70 0 5817 1483 0x0040000d
+ Call trace:
+[<ffffffc00008ed70>] __switch_to+0x88/0xa0
+[<ffffffc000d1c30c>] __schedule+0x1bc/0x720
+[<ffffffc000d1ca90>] schedule+0x40/0xa8
+[<ffffffc0001cd784>] flush_old_exec+0xdc/0x640
+[<ffffffc000220360>] load_elf_binary+0x2a8/0x1090
+[<ffffffc0001ccff4>] search_binary_handler+0x9c/0x240
+[<ffffffc00021c584>] load_script+0x20c/0x228
+[<ffffffc0001ccff4>] search_binary_handler+0x9c/0x240
+[<ffffffc0001ce8e0>] do_execveat_common.isra.14+0x4f8/0x6e8
+[<ffffffc0001cedd0>] compat_SyS_execve+0x38/0x48
+[<ffffffc00008de30>] el0_svc_naked+0x24/0x28
+
+To fix this, make de_thread() freezable. It looks safe and works fine.
+
+Suggested-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Chanho Min <chanho.min@lge.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 0da4d748b4e6..25c529f46aaa 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -62,6 +62,7 @@
+ #include <linux/oom.h>
+ #include <linux/compat.h>
+ #include <linux/vmalloc.h>
++#include <linux/freezer.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/mmu_context.h>
+@@ -1079,7 +1080,7 @@ static int de_thread(struct task_struct *tsk)
+ while (sig->notify_count) {
+ __set_current_state(TASK_KILLABLE);
+ spin_unlock_irq(lock);
+- schedule();
++ freezable_schedule();
+ if (unlikely(__fatal_signal_pending(tsk)))
+ goto killed;
+ spin_lock_irq(lock);
+@@ -1107,7 +1108,7 @@ static int de_thread(struct task_struct *tsk)
+ __set_current_state(TASK_KILLABLE);
+ write_unlock_irq(&tasklist_lock);
+ cgroup_threadgroup_change_end(tsk);
+- schedule();
++ freezable_schedule();
+ if (unlikely(__fatal_signal_pending(tsk)))
+ goto killed;
+ }
+--
+2.19.1
+
--- /dev/null
+From 2574092c290e3126accd349c225d7263e94ff3df Mon Sep 17 00:00:00 2001
+From: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de>
+Date: Wed, 21 Nov 2018 12:25:41 +0100
+Subject: flexfiles: use per-mirror specified stateid for IO
+
+[ Upstream commit bb21ce0ad227b69ec0f83279297ee44232105d96 ]
+
+rfc8435 says:
+
+ For tight coupling, ffds_stateid provides the stateid to be used by
+ the client to access the file.
+
+However current implementation replaces per-mirror provided stateid with
+by open or lock stateid.
+
+Ensure that per-mirror stateid is used by ff_layout_write_prepare_v4 and
+nfs4_ff_layout_prepare_ds.
+
+Signed-off-by: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de>
+Signed-off-by: Rick Macklem <rmacklem@uoguelph.ca>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 21 +++++++++------------
+ fs/nfs/flexfilelayout/flexfilelayout.h | 4 ++++
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c | 19 +++++++++++++++++++
+ 3 files changed, 32 insertions(+), 12 deletions(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c
+index b0fa83a60754..13612a848378 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -1365,12 +1365,7 @@ static void ff_layout_read_prepare_v4(struct rpc_task *task, void *data)
+ task))
+ return;
+
+- if (ff_layout_read_prepare_common(task, hdr))
+- return;
+-
+- if (nfs4_set_rw_stateid(&hdr->args.stateid, hdr->args.context,
+- hdr->args.lock_context, FMODE_READ) == -EIO)
+- rpc_exit(task, -EIO); /* lost lock, terminate I/O */
++ ff_layout_read_prepare_common(task, hdr);
+ }
+
+ static void ff_layout_read_call_done(struct rpc_task *task, void *data)
+@@ -1539,12 +1534,7 @@ static void ff_layout_write_prepare_v4(struct rpc_task *task, void *data)
+ task))
+ return;
+
+- if (ff_layout_write_prepare_common(task, hdr))
+- return;
+-
+- if (nfs4_set_rw_stateid(&hdr->args.stateid, hdr->args.context,
+- hdr->args.lock_context, FMODE_WRITE) == -EIO)
+- rpc_exit(task, -EIO); /* lost lock, terminate I/O */
++ ff_layout_write_prepare_common(task, hdr);
+ }
+
+ static void ff_layout_write_call_done(struct rpc_task *task, void *data)
+@@ -1734,6 +1724,10 @@ ff_layout_read_pagelist(struct nfs_pgio_header *hdr)
+ fh = nfs4_ff_layout_select_ds_fh(lseg, idx);
+ if (fh)
+ hdr->args.fh = fh;
++
++ if (!nfs4_ff_layout_select_ds_stateid(lseg, idx, &hdr->args.stateid))
++ goto out_failed;
++
+ /*
+ * Note that if we ever decide to split across DSes,
+ * then we may need to handle dense-like offsets.
+@@ -1796,6 +1790,9 @@ ff_layout_write_pagelist(struct nfs_pgio_header *hdr, int sync)
+ if (fh)
+ hdr->args.fh = fh;
+
++ if (!nfs4_ff_layout_select_ds_stateid(lseg, idx, &hdr->args.stateid))
++ goto out_failed;
++
+ /*
+ * Note that if we ever decide to split across DSes,
+ * then we may need to handle dense-like offsets.
+diff --git a/fs/nfs/flexfilelayout/flexfilelayout.h b/fs/nfs/flexfilelayout/flexfilelayout.h
+index 679cb087ef3f..d6515f1584f3 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayout.h
++++ b/fs/nfs/flexfilelayout/flexfilelayout.h
+@@ -214,6 +214,10 @@ unsigned int ff_layout_fetch_ds_ioerr(struct pnfs_layout_hdr *lo,
+ unsigned int maxnum);
+ struct nfs_fh *
+ nfs4_ff_layout_select_ds_fh(struct pnfs_layout_segment *lseg, u32 mirror_idx);
++int
++nfs4_ff_layout_select_ds_stateid(struct pnfs_layout_segment *lseg,
++ u32 mirror_idx,
++ nfs4_stateid *stateid);
+
+ struct nfs4_pnfs_ds *
+ nfs4_ff_layout_prepare_ds(struct pnfs_layout_segment *lseg, u32 ds_idx,
+diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+index d62279d3fc5d..9f69e83810ca 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -369,6 +369,25 @@ out:
+ return fh;
+ }
+
++int
++nfs4_ff_layout_select_ds_stateid(struct pnfs_layout_segment *lseg,
++ u32 mirror_idx,
++ nfs4_stateid *stateid)
++{
++ struct nfs4_ff_layout_mirror *mirror = FF_LAYOUT_COMP(lseg, mirror_idx);
++
++ if (!ff_layout_mirror_valid(lseg, mirror, false)) {
++ pr_err_ratelimited("NFS: %s: No data server for mirror offset index %d\n",
++ __func__, mirror_idx);
++ goto out;
++ }
++
++ nfs4_stateid_copy(stateid, &mirror->stateid);
++ return 1;
++out:
++ return 0;
++}
++
+ /**
+ * nfs4_ff_layout_prepare_ds - prepare a DS connection for an RPC call
+ * @lseg: the layout segment we're operating on
+--
+2.19.1
+
--- /dev/null
+From 750e99dace1fcff071fc5adde67bc83e4299e248 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <brgl@bgdev.pl>
+Date: Thu, 8 Nov 2018 17:52:53 +0100
+Subject: gpio: mockup: fix indicated direction
+
+[ Upstream commit bff466bac59994cfcceabe4d0be5fdc1c20cd5b8 ]
+
+Commit 3edfb7bd76bd ("gpiolib: Show correct direction from the
+beginning") fixed an existing issue but broke libgpiod tests by
+changing the default direction of dummy lines to output.
+
+We don't break user-space so make gpio-mockup behave as before.
+
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-mockup.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpio/gpio-mockup.c b/drivers/gpio/gpio-mockup.c
+index 9532d86a82f7..d99c8d8da9a0 100644
+--- a/drivers/gpio/gpio-mockup.c
++++ b/drivers/gpio/gpio-mockup.c
+@@ -35,8 +35,8 @@
+ #define GPIO_MOCKUP_MAX_RANGES (GPIO_MOCKUP_MAX_GC * 2)
+
+ enum {
+- GPIO_MOCKUP_DIR_OUT = 0,
+- GPIO_MOCKUP_DIR_IN = 1,
++ GPIO_MOCKUP_DIR_IN = 0,
++ GPIO_MOCKUP_DIR_OUT = 1,
+ };
+
+ /*
+@@ -112,7 +112,7 @@ static int gpio_mockup_get_direction(struct gpio_chip *gc, unsigned int offset)
+ {
+ struct gpio_mockup_chip *chip = gpiochip_get_data(gc);
+
+- return chip->lines[offset].dir;
++ return !chip->lines[offset].dir;
+ }
+
+ static int gpio_mockup_name_lines(struct device *dev,
+--
+2.19.1
+
--- /dev/null
+From 38739936e388f9d96384a91d5d5ab8941dc61125 Mon Sep 17 00:00:00 2001
+From: Benson Leung <bleung@chromium.org>
+Date: Thu, 8 Nov 2018 15:59:21 -0800
+Subject: HID: input: Ignore battery reported by Symbol DS4308
+
+[ Upstream commit 0fd791841a6d67af1155a9c3de54dea51220721e ]
+
+The Motorola/Zebra Symbol DS4308-HD is a handheld USB barcode scanner
+which does not have a battery, but reports one anyway that always has
+capacity 2.
+
+Let's apply the IGNORE quirk to prevent it from being treated like a
+power supply so that userspaces don't get confused that this
+accessory is almost out of power and warn the user that they need to charge
+their wired barcode scanner.
+
+Reported here: https://bugs.chromium.org/p/chromium/issues/detail?id=804720
+
+Signed-off-by: Benson Leung <bleung@chromium.org>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-input.c | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 3fc8c0d67592..87904d2adadb 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1001,6 +1001,7 @@
+ #define USB_VENDOR_ID_SYMBOL 0x05e0
+ #define USB_DEVICE_ID_SYMBOL_SCANNER_1 0x0800
+ #define USB_DEVICE_ID_SYMBOL_SCANNER_2 0x1300
++#define USB_DEVICE_ID_SYMBOL_SCANNER_3 0x1200
+
+ #define USB_VENDOR_ID_SYNAPTICS 0x06cb
+ #define USB_DEVICE_ID_SYNAPTICS_TP 0x0001
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index bb984cc9753b..d146a9b545ee 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -325,6 +325,9 @@ static const struct hid_device_id hid_battery_quirks[] = {
+ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ELECOM,
+ USB_DEVICE_ID_ELECOM_BM084),
+ HID_BATTERY_QUIRK_IGNORE },
++ { HID_USB_DEVICE(USB_VENDOR_ID_SYMBOL,
++ USB_DEVICE_ID_SYMBOL_SCANNER_3),
++ HID_BATTERY_QUIRK_IGNORE },
+ {}
+ };
+
+--
+2.19.1
+
--- /dev/null
+From afb4265d313c7b2284236c5a5c4432a3487e32c1 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Wed, 14 Nov 2018 05:35:20 +0000
+Subject: HID: multitouch: Add pointstick support for Cirque Touchpad
+
+[ Upstream commit 12d43aacf9a74d0eb66fd0ea54ebeb79ca28940f ]
+
+Cirque Touchpad/Pointstick combo is similar to Alps devices, it requires
+MT_CLS_WIN_8_DUAL to expose its pointstick as a mouse.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/hid-multitouch.c | 6 ++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 87904d2adadb..fcc688df694c 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -266,6 +266,9 @@
+
+ #define USB_VENDOR_ID_CIDC 0x1677
+
++#define I2C_VENDOR_ID_CIRQUE 0x0488
++#define I2C_PRODUCT_ID_CIRQUE_121F 0x121F
++
+ #define USB_VENDOR_ID_CJTOUCH 0x24b8
+ #define USB_DEVICE_ID_CJTOUCH_MULTI_TOUCH_0020 0x0020
+ #define USB_DEVICE_ID_CJTOUCH_MULTI_TOUCH_0040 0x0040
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index c3b9bd5dba75..07d92d4a9f7c 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -1474,6 +1474,12 @@ static const struct hid_device_id mt_devices[] = {
+ MT_USB_DEVICE(USB_VENDOR_ID_CHUNGHWAT,
+ USB_DEVICE_ID_CHUNGHWAT_MULTITOUCH) },
+
++ /* Cirque devices */
++ { .driver_data = MT_CLS_WIN_8_DUAL,
++ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8,
++ I2C_VENDOR_ID_CIRQUE,
++ I2C_PRODUCT_ID_CIRQUE_121F) },
++
+ /* CJTouch panels */
+ { .driver_data = MT_CLS_NSMU,
+ MT_USB_DEVICE(USB_VENDOR_ID_CJTOUCH,
+--
+2.19.1
+
--- /dev/null
+From a401cdf9f2648496f85464cd73483bed048a7a8c Mon Sep 17 00:00:00 2001
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+Date: Wed, 21 Nov 2018 11:17:58 -0600
+Subject: ibmvnic: Fix RX queue buffer cleanup
+
+[ Upstream commit b7cdec3d699db2e5985ad39de0f25d3b6111928e ]
+
+The wrong index is used when cleaning up RX buffer objects during release
+of RX queues. Update to use the correct index counter.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index 5c7134ccc1fd..14c53ed5cca6 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -457,8 +457,8 @@ static void release_rx_pools(struct ibmvnic_adapter *adapter)
+
+ for (j = 0; j < rx_pool->size; j++) {
+ if (rx_pool->rx_buff[j].skb) {
+- dev_kfree_skb_any(rx_pool->rx_buff[i].skb);
+- rx_pool->rx_buff[i].skb = NULL;
++ dev_kfree_skb_any(rx_pool->rx_buff[j].skb);
++ rx_pool->rx_buff[j].skb = NULL;
+ }
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 5e4766936ed54e522952d2449b8d8c897cace125 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 7 Nov 2018 14:18:50 +0100
+Subject: iommu/ipmmu-vmsa: Fix crash on early domain free
+
+[ Upstream commit e5b78f2e349eef5d4fca5dc1cf5a3b4b2cc27abd ]
+
+If iommu_ops.add_device() fails, iommu_ops.domain_free() is still
+called, leading to a crash, as the domain was only partially
+initialized:
+
+ ipmmu-vmsa e67b0000.mmu: Cannot accommodate DMA translation for IOMMU page tables
+ sata_rcar ee300000.sata: Unable to initialize IPMMU context
+ iommu: Failed to add device ee300000.sata to group 0: -22
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038
+ ...
+ Call trace:
+ ipmmu_domain_free+0x1c/0xa0
+ iommu_group_release+0x48/0x68
+ kobject_put+0x74/0xe8
+ kobject_del.part.0+0x3c/0x50
+ kobject_put+0x60/0xe8
+ iommu_group_get_for_dev+0xa8/0x1f0
+ ipmmu_add_device+0x1c/0x40
+ of_iommu_configure+0x118/0x190
+
+Fix this by checking if the domain's context already exists, before
+trying to destroy it.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Fixes: d25a2a16f0889 ('iommu: Add driver for Renesas VMSA-compatible IPMMU')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/ipmmu-vmsa.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/iommu/ipmmu-vmsa.c b/drivers/iommu/ipmmu-vmsa.c
+index 5d0ba5f644c4..777aff1f549f 100644
+--- a/drivers/iommu/ipmmu-vmsa.c
++++ b/drivers/iommu/ipmmu-vmsa.c
+@@ -424,6 +424,9 @@ static int ipmmu_domain_init_context(struct ipmmu_vmsa_domain *domain)
+
+ static void ipmmu_domain_destroy_context(struct ipmmu_vmsa_domain *domain)
+ {
++ if (!domain->mmu)
++ return;
++
+ /*
+ * Disable the context. Flush the TLB as required when modifying the
+ * context registers.
+--
+2.19.1
+
--- /dev/null
+From 093d8029677040f44cdefb3075a79307d9c53814 Mon Sep 17 00:00:00 2001
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Mon, 5 Nov 2018 10:18:58 +0800
+Subject: iommu/vt-d: Fix NULL pointer dereference in prq_event_thread()
+
+[ Upstream commit 19ed3e2dd8549c1a34914e8dad01b64e7837645a ]
+
+When handling page request without pasid event, go to "no_pasid"
+branch instead of "bad_req". Otherwise, a NULL pointer deference
+will happen there.
+
+Cc: Ashok Raj <ashok.raj@intel.com>
+Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Cc: Sohil Mehta <sohil.mehta@intel.com>
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Fixes: a222a7f0bb6c9 'iommu/vt-d: Implement page request handling'
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel-svm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c
+index d7def26ccf79..f5573bb9f450 100644
+--- a/drivers/iommu/intel-svm.c
++++ b/drivers/iommu/intel-svm.c
+@@ -589,7 +589,7 @@ static irqreturn_t prq_event_thread(int irq, void *d)
+ pr_err("%s: Page request without PASID: %08llx %08llx\n",
+ iommu->name, ((unsigned long long *)req)[0],
+ ((unsigned long long *)req)[1]);
+- goto bad_req;
++ goto no_pasid;
+ }
+
+ if (!svm || svm->pasid != req->pasid) {
+--
+2.19.1
+
--- /dev/null
+From f282099a777fa029348a089394c070fadf252809 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Wed, 21 Nov 2018 17:53:47 +0800
+Subject: iommu/vt-d: Use memunmap to free memremap
+
+[ Upstream commit 829383e183728dec7ed9150b949cd6de64127809 ]
+
+memunmap() should be used to free the return of memremap(), not
+iounmap().
+
+Fixes: dfddb969edf0 ('iommu/vt-d: Switch from ioremap_cache to memremap')
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel-iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
+index aaf3fed97477..e86c1c8ec7f6 100644
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -3086,7 +3086,7 @@ static int copy_context_table(struct intel_iommu *iommu,
+ }
+
+ if (old_ce)
+- iounmap(old_ce);
++ memunmap(old_ce);
+
+ ret = 0;
+ if (devfn < 0x80)
+--
+2.19.1
+
--- /dev/null
+From 4c61f96578dad7c8107d8235b926f28fa3fad684 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Tue, 9 Oct 2018 07:49:49 -0400
+Subject: media: omap3isp: Unregister media device as first
+
+[ Upstream commit 30efae3d789cd0714ef795545a46749236e29558 ]
+
+While there are issues related to object lifetime management, unregister the
+media device first when the driver is being unbound. This is slightly
+safer.
+
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/omap3isp/isp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c
+index 6e6e978263b0..c834fea5f9b0 100644
+--- a/drivers/media/platform/omap3isp/isp.c
++++ b/drivers/media/platform/omap3isp/isp.c
+@@ -1592,6 +1592,8 @@ static void isp_pm_complete(struct device *dev)
+
+ static void isp_unregister_entities(struct isp_device *isp)
+ {
++ media_device_unregister(&isp->media_dev);
++
+ omap3isp_csi2_unregister_entities(&isp->isp_csi2a);
+ omap3isp_ccp2_unregister_entities(&isp->isp_ccp2);
+ omap3isp_ccdc_unregister_entities(&isp->isp_ccdc);
+@@ -1602,7 +1604,6 @@ static void isp_unregister_entities(struct isp_device *isp)
+ omap3isp_stat_unregister_entities(&isp->isp_hist);
+
+ v4l2_device_unregister(&isp->v4l2_dev);
+- media_device_unregister(&isp->media_dev);
+ media_device_cleanup(&isp->media_dev);
+ }
+
+--
+2.19.1
+
--- /dev/null
+From e749131bec45d94ec897181ddb2ed6aac9479fef Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Wed, 15 Nov 2017 17:38:37 -0800
+Subject: mm: don't warn about allocations which stall for too long
+
+[ Upstream commit 400e22499dd92613821374c8c6c88c7225359980 ]
+
+Commit 63f53dea0c98 ("mm: warn about allocations which stall for too
+long") was a great step for reducing possibility of silent hang up
+problem caused by memory allocation stalls. But this commit reverts it,
+for it is possible to trigger OOM lockup and/or soft lockups when many
+threads concurrently called warn_alloc() (in order to warn about memory
+allocation stalls) due to current implementation of printk(), and it is
+difficult to obtain useful information due to limitation of synchronous
+warning approach.
+
+Current printk() implementation flushes all pending logs using the
+context of a thread which called console_unlock(). printk() should be
+able to flush all pending logs eventually unless somebody continues
+appending to printk() buffer.
+
+Since warn_alloc() started appending to printk() buffer while waiting
+for oom_kill_process() to make forward progress when oom_kill_process()
+is processing pending logs, it became possible for warn_alloc() to force
+oom_kill_process() loop inside printk(). As a result, warn_alloc()
+significantly increased possibility of preventing oom_kill_process()
+from making forward progress.
+
+---------- Pseudo code start ----------
+Before warn_alloc() was introduced:
+
+ retry:
+ if (mutex_trylock(&oom_lock)) {
+ while (atomic_read(&printk_pending_logs) > 0) {
+ atomic_dec(&printk_pending_logs);
+ print_one_log();
+ }
+ // Send SIGKILL here.
+ mutex_unlock(&oom_lock)
+ }
+ goto retry;
+
+After warn_alloc() was introduced:
+
+ retry:
+ if (mutex_trylock(&oom_lock)) {
+ while (atomic_read(&printk_pending_logs) > 0) {
+ atomic_dec(&printk_pending_logs);
+ print_one_log();
+ }
+ // Send SIGKILL here.
+ mutex_unlock(&oom_lock)
+ } else if (waited_for_10seconds()) {
+ atomic_inc(&printk_pending_logs);
+ }
+ goto retry;
+---------- Pseudo code end ----------
+
+Although waited_for_10seconds() becomes true once per 10 seconds,
+unbounded number of threads can call waited_for_10seconds() at the same
+time. Also, since threads doing waited_for_10seconds() keep doing
+almost busy loop, the thread doing print_one_log() can use little CPU
+resource. Therefore, this situation can be simplified like
+
+---------- Pseudo code start ----------
+ retry:
+ if (mutex_trylock(&oom_lock)) {
+ while (atomic_read(&printk_pending_logs) > 0) {
+ atomic_dec(&printk_pending_logs);
+ print_one_log();
+ }
+ // Send SIGKILL here.
+ mutex_unlock(&oom_lock)
+ } else {
+ atomic_inc(&printk_pending_logs);
+ }
+ goto retry;
+---------- Pseudo code end ----------
+
+when printk() is called faster than print_one_log() can process a log.
+
+One of possible mitigation would be to introduce a new lock in order to
+make sure that no other series of printk() (either oom_kill_process() or
+warn_alloc()) can append to printk() buffer when one series of printk()
+(either oom_kill_process() or warn_alloc()) is already in progress.
+
+Such serialization will also help obtaining kernel messages in readable
+form.
+
+---------- Pseudo code start ----------
+ retry:
+ if (mutex_trylock(&oom_lock)) {
+ mutex_lock(&oom_printk_lock);
+ while (atomic_read(&printk_pending_logs) > 0) {
+ atomic_dec(&printk_pending_logs);
+ print_one_log();
+ }
+ // Send SIGKILL here.
+ mutex_unlock(&oom_printk_lock);
+ mutex_unlock(&oom_lock)
+ } else {
+ if (mutex_trylock(&oom_printk_lock)) {
+ atomic_inc(&printk_pending_logs);
+ mutex_unlock(&oom_printk_lock);
+ }
+ }
+ goto retry;
+---------- Pseudo code end ----------
+
+But this commit does not go that direction, for we don't want to
+introduce a new lock dependency, and we unlikely be able to obtain
+useful information even if we serialized oom_kill_process() and
+warn_alloc().
+
+Synchronous approach is prone to unexpected results (e.g. too late [1],
+too frequent [2], overlooked [3]). As far as I know, warn_alloc() never
+helped with providing information other than "something is going wrong".
+I want to consider asynchronous approach which can obtain information
+during stalls with possibly relevant threads (e.g. the owner of
+oom_lock and kswapd-like threads) and serve as a trigger for actions
+(e.g. turn on/off tracepoints, ask libvirt daemon to take a memory dump
+of stalling KVM guest for diagnostic purpose).
+
+This commit temporarily loses ability to report e.g. OOM lockup due to
+unable to invoke the OOM killer due to !__GFP_FS allocation request.
+But asynchronous approach will be able to detect such situation and emit
+warning. Thus, let's remove warn_alloc().
+
+[1] https://bugzilla.kernel.org/show_bug.cgi?id=192981
+[2] http://lkml.kernel.org/r/CAM_iQpWuPVGc2ky8M-9yukECtS+zKjiDasNymX7rMcBjBFyM_A@mail.gmail.com
+[3] commit db73ee0d46379922 ("mm, vmscan: do not loop on too_many_isolated for ever"))
+
+Link: http://lkml.kernel.org/r/1509017339-4802-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reported-by: yuwang.yuwang <yuwang.yuwang@alibaba-inc.com>
+Reported-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Mel Gorman <mgorman@suse.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/page_alloc.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 2074f424dabf..6be91a1a00d9 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -3862,8 +3862,6 @@ __alloc_pages_slowpath(gfp_t gfp_mask, unsigned int order,
+ enum compact_result compact_result;
+ int compaction_retries;
+ int no_progress_loops;
+- unsigned long alloc_start = jiffies;
+- unsigned int stall_timeout = 10 * HZ;
+ unsigned int cpuset_mems_cookie;
+ int reserve_flags;
+
+@@ -3983,14 +3981,6 @@ retry:
+ if (!can_direct_reclaim)
+ goto nopage;
+
+- /* Make sure we know about allocations which stall for too long */
+- if (time_after(jiffies, alloc_start + stall_timeout)) {
+- warn_alloc(gfp_mask & ~__GFP_NOWARN, ac->nodemask,
+- "page allocation stalls for %ums, order:%u",
+- jiffies_to_msecs(jiffies-alloc_start), order);
+- stall_timeout += 10 * HZ;
+- }
+-
+ /* Avoid recursion of direct reclaim */
+ if (current->flags & PF_MEMALLOC)
+ goto nopage;
+--
+2.19.1
+
--- /dev/null
+From 596f0ab2671d2770055242b28f4c9600b78985fb Mon Sep 17 00:00:00 2001
+From: Olof Johansson <olof@lixom.net>
+Date: Fri, 16 Nov 2018 19:43:27 -0800
+Subject: mtd: rawnand: qcom: Namespace prefix some commands
+
+[ Upstream commit 33bf5519ae5dd356b182a94e3622f42860274a38 ]
+
+PAGE_READ is used by RISC-V arch code included through mm headers,
+and it makes sense to bring in a prefix on these in the driver.
+
+drivers/mtd/nand/raw/qcom_nandc.c:153: warning: "PAGE_READ" redefined
+ #define PAGE_READ 0x2
+In file included from include/linux/memremap.h:7,
+ from include/linux/mm.h:27,
+ from include/linux/scatterlist.h:8,
+ from include/linux/dma-mapping.h:11,
+ from drivers/mtd/nand/raw/qcom_nandc.c:17:
+arch/riscv/include/asm/pgtable.h:48: note: this is the location of the previous definition
+
+Caught by riscv allmodconfig.
+
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/qcom_nandc.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/mtd/nand/qcom_nandc.c b/drivers/mtd/nand/qcom_nandc.c
+index b49ca02b399d..09d5f7df6023 100644
+--- a/drivers/mtd/nand/qcom_nandc.c
++++ b/drivers/mtd/nand/qcom_nandc.c
+@@ -149,15 +149,15 @@
+ #define NAND_VERSION_MINOR_SHIFT 16
+
+ /* NAND OP_CMDs */
+-#define PAGE_READ 0x2
+-#define PAGE_READ_WITH_ECC 0x3
+-#define PAGE_READ_WITH_ECC_SPARE 0x4
+-#define PROGRAM_PAGE 0x6
+-#define PAGE_PROGRAM_WITH_ECC 0x7
+-#define PROGRAM_PAGE_SPARE 0x9
+-#define BLOCK_ERASE 0xa
+-#define FETCH_ID 0xb
+-#define RESET_DEVICE 0xd
++#define OP_PAGE_READ 0x2
++#define OP_PAGE_READ_WITH_ECC 0x3
++#define OP_PAGE_READ_WITH_ECC_SPARE 0x4
++#define OP_PROGRAM_PAGE 0x6
++#define OP_PAGE_PROGRAM_WITH_ECC 0x7
++#define OP_PROGRAM_PAGE_SPARE 0x9
++#define OP_BLOCK_ERASE 0xa
++#define OP_FETCH_ID 0xb
++#define OP_RESET_DEVICE 0xd
+
+ /* Default Value for NAND_DEV_CMD_VLD */
+ #define NAND_DEV_CMD_VLD_VAL (READ_START_VLD | WRITE_START_VLD | \
+@@ -629,11 +629,11 @@ static void update_rw_regs(struct qcom_nand_host *host, int num_cw, bool read)
+
+ if (read) {
+ if (host->use_ecc)
+- cmd = PAGE_READ_WITH_ECC | PAGE_ACC | LAST_PAGE;
++ cmd = OP_PAGE_READ_WITH_ECC | PAGE_ACC | LAST_PAGE;
+ else
+- cmd = PAGE_READ | PAGE_ACC | LAST_PAGE;
++ cmd = OP_PAGE_READ | PAGE_ACC | LAST_PAGE;
+ } else {
+- cmd = PROGRAM_PAGE | PAGE_ACC | LAST_PAGE;
++ cmd = OP_PROGRAM_PAGE | PAGE_ACC | LAST_PAGE;
+ }
+
+ if (host->use_ecc) {
+@@ -1030,7 +1030,7 @@ static int nandc_param(struct qcom_nand_host *host)
+ * in use. we configure the controller to perform a raw read of 512
+ * bytes to read onfi params
+ */
+- nandc_set_reg(nandc, NAND_FLASH_CMD, PAGE_READ | PAGE_ACC | LAST_PAGE);
++ nandc_set_reg(nandc, NAND_FLASH_CMD, OP_PAGE_READ | PAGE_ACC | LAST_PAGE);
+ nandc_set_reg(nandc, NAND_ADDR0, 0);
+ nandc_set_reg(nandc, NAND_ADDR1, 0);
+ nandc_set_reg(nandc, NAND_DEV0_CFG0, 0 << CW_PER_PAGE
+@@ -1084,7 +1084,7 @@ static int erase_block(struct qcom_nand_host *host, int page_addr)
+ struct qcom_nand_controller *nandc = get_qcom_nand_controller(chip);
+
+ nandc_set_reg(nandc, NAND_FLASH_CMD,
+- BLOCK_ERASE | PAGE_ACC | LAST_PAGE);
++ OP_BLOCK_ERASE | PAGE_ACC | LAST_PAGE);
+ nandc_set_reg(nandc, NAND_ADDR0, page_addr);
+ nandc_set_reg(nandc, NAND_ADDR1, 0);
+ nandc_set_reg(nandc, NAND_DEV0_CFG0,
+@@ -1115,7 +1115,7 @@ static int read_id(struct qcom_nand_host *host, int column)
+ if (column == -1)
+ return 0;
+
+- nandc_set_reg(nandc, NAND_FLASH_CMD, FETCH_ID);
++ nandc_set_reg(nandc, NAND_FLASH_CMD, OP_FETCH_ID);
+ nandc_set_reg(nandc, NAND_ADDR0, column);
+ nandc_set_reg(nandc, NAND_ADDR1, 0);
+ nandc_set_reg(nandc, NAND_FLASH_CHIP_SELECT,
+@@ -1136,7 +1136,7 @@ static int reset(struct qcom_nand_host *host)
+ struct nand_chip *chip = &host->chip;
+ struct qcom_nand_controller *nandc = get_qcom_nand_controller(chip);
+
+- nandc_set_reg(nandc, NAND_FLASH_CMD, RESET_DEVICE);
++ nandc_set_reg(nandc, NAND_FLASH_CMD, OP_RESET_DEVICE);
+ nandc_set_reg(nandc, NAND_EXEC_CMD, 1);
+
+ write_reg_dma(nandc, NAND_FLASH_CMD, 1, NAND_BAM_NEXT_SGL);
+--
+2.19.1
+
--- /dev/null
+From a25aa784075fd84eba6eaaec8bcffc82565c5cc6 Mon Sep 17 00:00:00 2001
+From: Thor Thayer <thor.thayer@linux.intel.com>
+Date: Fri, 16 Nov 2018 08:25:49 -0600
+Subject: mtd: spi-nor: Fix Cadence QSPI page fault kernel panic
+
+[ Upstream commit a6a66f80c85e8e20573ca03fabf32445954a88d5 ]
+
+The current Cadence QSPI driver caused a kernel panic sporadically
+when writing to QSPI. The problem was caused by writing more bytes
+than needed because the QSPI operated on 4 bytes at a time.
+<snip>
+[ 11.202044] Unable to handle kernel paging request at virtual address bffd3000
+[ 11.209254] pgd = e463054d
+[ 11.211948] [bffd3000] *pgd=2fffb811, *pte=00000000, *ppte=00000000
+[ 11.218202] Internal error: Oops: 7 [#1] SMP ARM
+[ 11.222797] Modules linked in:
+[ 11.225844] CPU: 1 PID: 1317 Comm: systemd-hwdb Not tainted 4.17.7-d0c45cd44a8f
+[ 11.235796] Hardware name: Altera SOCFPGA Arria10
+[ 11.240487] PC is at __raw_writesl+0x70/0xd4
+[ 11.244741] LR is at cqspi_write+0x1a0/0x2cc
+</snip>
+On a page boundary limit the number of bytes copied from the tx buffer
+to remain within the page.
+
+This patch uses a temporary buffer to hold the 4 bytes to write and then
+copies only the bytes required from the tx buffer.
+
+Reported-by: Adrian Amborzewicz <adrian.ambrozewicz@intel.com>
+Signed-off-by: Thor Thayer <thor.thayer@linux.intel.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/spi-nor/cadence-quadspi.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mtd/spi-nor/cadence-quadspi.c b/drivers/mtd/spi-nor/cadence-quadspi.c
+index 8d89204b90d2..f22dd34f4f83 100644
+--- a/drivers/mtd/spi-nor/cadence-quadspi.c
++++ b/drivers/mtd/spi-nor/cadence-quadspi.c
+@@ -625,9 +625,23 @@ static int cqspi_indirect_write_execute(struct spi_nor *nor,
+ reg_base + CQSPI_REG_INDIRECTWR);
+
+ while (remaining > 0) {
++ size_t write_words, mod_bytes;
++
+ write_bytes = remaining > page_size ? page_size : remaining;
+- iowrite32_rep(cqspi->ahb_base, txbuf,
+- DIV_ROUND_UP(write_bytes, 4));
++ write_words = write_bytes / 4;
++ mod_bytes = write_bytes % 4;
++ /* Write 4 bytes at a time then single bytes. */
++ if (write_words) {
++ iowrite32_rep(cqspi->ahb_base, txbuf, write_words);
++ txbuf += (write_words * 4);
++ }
++ if (mod_bytes) {
++ unsigned int temp = 0xFFFFFFFF;
++
++ memcpy(&temp, txbuf, mod_bytes);
++ iowrite32(temp, cqspi->ahb_base);
++ txbuf += mod_bytes;
++ }
+
+ ret = wait_for_completion_timeout(&cqspi->transfer_complete,
+ msecs_to_jiffies
+@@ -638,7 +652,6 @@ static int cqspi_indirect_write_execute(struct spi_nor *nor,
+ goto failwr;
+ }
+
+- txbuf += write_bytes;
+ remaining -= write_bytes;
+
+ if (remaining > 0)
+--
+2.19.1
+
--- /dev/null
+From e94fb562680c41101a9caf7afc0cd40065e1b5ed Mon Sep 17 00:00:00 2001
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Thu, 22 Nov 2018 07:34:41 -0500
+Subject: net: amd: add missing of_node_put()
+
+[ Upstream commit c44c749d3b6fdfca39002e7e48e03fe9f9fe37a3 ]
+
+of_find_node_by_path() acquires a reference to the node
+returned by it and that reference needs to be dropped by its caller.
+This place doesn't do that, so fix it.
+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/sunlance.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/amd/sunlance.c b/drivers/net/ethernet/amd/sunlance.c
+index 291ca5187f12..9845e07d40cd 100644
+--- a/drivers/net/ethernet/amd/sunlance.c
++++ b/drivers/net/ethernet/amd/sunlance.c
+@@ -1418,7 +1418,7 @@ static int sparc_lance_probe_one(struct platform_device *op,
+
+ prop = of_get_property(nd, "tpe-link-test?", NULL);
+ if (!prop)
+- goto no_link_test;
++ goto node_put;
+
+ if (strcmp(prop, "true")) {
+ printk(KERN_NOTICE "SunLance: warning: overriding option "
+@@ -1427,6 +1427,8 @@ static int sparc_lance_probe_one(struct platform_device *op,
+ "to ecd@skynet.be\n");
+ auxio_set_lte(AUXIO_LTE_ON);
+ }
++node_put:
++ of_node_put(nd);
+ no_link_test:
+ lp->auto_select = 1;
+ lp->tpe = 0;
+--
+2.19.1
+
--- /dev/null
+From e8befa5531654494e3b31392f481d4091865c4ba Mon Sep 17 00:00:00 2001
+From: Vincent Chen <vincentc@andestech.com>
+Date: Wed, 21 Nov 2018 09:38:11 +0800
+Subject: net: faraday: ftmac100: remove netif_running(netdev) check before
+ disabling interrupts
+
+[ Upstream commit 426a593e641ebf0d9288f0a2fcab644a86820220 ]
+
+In the original ftmac100_interrupt(), the interrupts are only disabled when
+the condition "netif_running(netdev)" is true. However, this condition
+causes kerenl hang in the following case. When the user requests to
+disable the network device, kernel will clear the bit __LINK_STATE_START
+from the dev->state and then call the driver's ndo_stop function. Network
+device interrupts are not blocked during this process. If an interrupt
+occurs between clearing __LINK_STATE_START and stopping network device,
+kernel cannot disable the interrupts due to the condition
+"netif_running(netdev)" in the ISR. Hence, kernel will hang due to the
+continuous interruption of the network device.
+
+In order to solve the above problem, the interrupts of the network device
+should always be disabled in the ISR without being restricted by the
+condition "netif_running(netdev)".
+
+[V2]
+Remove unnecessary curly braces.
+
+Signed-off-by: Vincent Chen <vincentc@andestech.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/faraday/ftmac100.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/faraday/ftmac100.c b/drivers/net/ethernet/faraday/ftmac100.c
+index 66928a922824..415fd93e9930 100644
+--- a/drivers/net/ethernet/faraday/ftmac100.c
++++ b/drivers/net/ethernet/faraday/ftmac100.c
+@@ -870,11 +870,10 @@ static irqreturn_t ftmac100_interrupt(int irq, void *dev_id)
+ struct net_device *netdev = dev_id;
+ struct ftmac100 *priv = netdev_priv(netdev);
+
+- if (likely(netif_running(netdev))) {
+- /* Disable interrupts for polling */
+- ftmac100_disable_all_int(priv);
++ /* Disable interrupts for polling */
++ ftmac100_disable_all_int(priv);
++ if (likely(netif_running(netdev)))
+ napi_schedule(&priv->napi);
+- }
+
+ return IRQ_HANDLED;
+ }
+--
+2.19.1
+
--- /dev/null
+From 608b4b2258f6a36be033995c1de2cf7077e0467c Mon Sep 17 00:00:00 2001
+From: Aya Levin <ayal@mellanox.com>
+Date: Thu, 15 Nov 2018 18:05:15 +0200
+Subject: net/mlx4: Fix UBSAN warning of signed integer overflow
+
+[ Upstream commit a463146e67c848cbab5ce706d6528281b7cded08 ]
+
+UBSAN: Undefined behavior in
+drivers/net/ethernet/mellanox/mlx4/resource_tracker.c:626:29
+signed integer overflow: 1802201963 + 1802201963 cannot be represented
+in type 'int'
+
+The union of res_reserved and res_port_rsvd[MLX4_MAX_PORTS] monitors
+granting of reserved resources. The grant operation is calculated and
+protected, thus both members of the union cannot be negative. Changed
+type of res_reserved and of res_port_rsvd[MLX4_MAX_PORTS] from signed
+int to unsigned int, allowing large value.
+
+Fixes: 5a0d0a6161ae ("mlx4: Structures and init/teardown for VF resource quotas")
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/mlx4.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/mlx4.h b/drivers/net/ethernet/mellanox/mlx4/mlx4.h
+index c68da1986e51..aaeb446bba62 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/mlx4.h
++++ b/drivers/net/ethernet/mellanox/mlx4/mlx4.h
+@@ -541,8 +541,8 @@ struct slave_list {
+ struct resource_allocator {
+ spinlock_t alloc_lock; /* protect quotas */
+ union {
+- int res_reserved;
+- int res_port_rsvd[MLX4_MAX_PORTS];
++ unsigned int res_reserved;
++ unsigned int res_port_rsvd[MLX4_MAX_PORTS];
+ };
+ union {
+ int res_free;
+--
+2.19.1
+
--- /dev/null
+From d36180d5c9fb1a7d75dcf3b444018765d4fb669c Mon Sep 17 00:00:00 2001
+From: Tariq Toukan <tariqt@mellanox.com>
+Date: Thu, 15 Nov 2018 18:05:14 +0200
+Subject: net/mlx4_core: Fix uninitialized variable compilation warning
+
+[ Upstream commit 3ea7e7ea53c9f6ee41cb69a29c375fe9dd9a56a7 ]
+
+Initialize the uid variable to zero to avoid the compilation warning.
+
+Fixes: 7a89399ffad7 ("net/mlx4: Add mlx4_bitmap zone allocator")
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/alloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/alloc.c b/drivers/net/ethernet/mellanox/mlx4/alloc.c
+index 6dabd983e7e0..94f4dc4a77e9 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/alloc.c
++++ b/drivers/net/ethernet/mellanox/mlx4/alloc.c
+@@ -337,7 +337,7 @@ void mlx4_zone_allocator_destroy(struct mlx4_zone_allocator *zone_alloc)
+ static u32 __mlx4_alloc_from_zone(struct mlx4_zone_entry *zone, int count,
+ int align, u32 skip_mask, u32 *puid)
+ {
+- u32 uid;
++ u32 uid = 0;
+ u32 res;
+ struct mlx4_zone_allocator *zone_alloc = zone->allocator;
+ struct mlx4_zone_entry *curr_node;
+--
+2.19.1
+
--- /dev/null
+From b98b48fc2d9774cec9a8d62df36cc97bdb112eaa Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Thu, 15 Nov 2018 18:05:13 +0200
+Subject: net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command
+
+[ Upstream commit bd85fbc2038a1bbe84990b23ff69b6fc81a32b2c ]
+
+When re-registering a user mr, the mpt information for the
+existing mr when running SRIOV is obtained via the QUERY_MPT
+fw command. The returned information includes the mpt's lkey.
+
+This retrieved mpt information is used to move the mpt back
+to hardware ownership in the rereg flow (via the SW2HW_MPT
+fw command when running SRIOV).
+
+The fw API spec states that for SW2HW_MPT, the lkey field
+must be zero. Any ConnectX-3 PF driver which checks for strict spec
+adherence will return failure for SW2HW_MPT if the lkey field is not
+zero (although the fw in practice ignores this field for SW2HW_MPT).
+
+Thus, in order to conform to the fw API spec, set the lkey field to zero
+before invoking SW2HW_MPT when running SRIOV.
+
+Fixes: e630664c8383 ("mlx4_core: Add helper functions to support MR re-registration")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/mr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/mr.c b/drivers/net/ethernet/mellanox/mlx4/mr.c
+index c7c0764991c9..20043f82c1d8 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/mr.c
++++ b/drivers/net/ethernet/mellanox/mlx4/mr.c
+@@ -363,6 +363,7 @@ int mlx4_mr_hw_write_mpt(struct mlx4_dev *dev, struct mlx4_mr *mmr,
+ container_of((void *)mpt_entry, struct mlx4_cmd_mailbox,
+ buf);
+
++ (*mpt_entry)->lkey = 0;
+ err = mlx4_SW2HW_MPT(dev, mailbox, key);
+ }
+
+--
+2.19.1
+
--- /dev/null
+From f196a73abc76ba60359774c8dcfcf78450feb614 Mon Sep 17 00:00:00 2001
+From: Denis Bolotin <denis.bolotin@cavium.com>
+Date: Mon, 19 Nov 2018 16:28:30 +0200
+Subject: qed: Fix bitmap_weight() check
+
+[ Upstream commit 276d43f0ae963312c0cd0e2b9a85fd11ac65dfcc ]
+
+Fix the condition which verifies that only one flag is set. The API
+bitmap_weight() should receive size in bits instead of bytes.
+
+Fixes: b5a9ee7cf3be ("qed: Revise QM cofiguration")
+Signed-off-by: Denis Bolotin <denis.bolotin@cavium.com>
+Signed-off-by: Michal Kalderon <michal.kalderon@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_dev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+index ef2374699726..a51cd1028ecb 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -440,8 +440,11 @@ static u16 *qed_init_qm_get_idx_from_flags(struct qed_hwfn *p_hwfn,
+ struct qed_qm_info *qm_info = &p_hwfn->qm_info;
+
+ /* Can't have multiple flags set here */
+- if (bitmap_weight((unsigned long *)&pq_flags, sizeof(pq_flags)) > 1)
++ if (bitmap_weight((unsigned long *)&pq_flags,
++ sizeof(pq_flags) * BITS_PER_BYTE) > 1) {
++ DP_ERR(p_hwfn, "requested multiple pq flags 0x%x\n", pq_flags);
+ goto err;
++ }
+
+ switch (pq_flags) {
+ case PQ_FLAGS_RLS:
+--
+2.19.1
+
--- /dev/null
+From 287ce99b178bec7c739503c4f8802611c413b5c1 Mon Sep 17 00:00:00 2001
+From: Denis Bolotin <denis.bolotin@cavium.com>
+Date: Mon, 12 Nov 2018 12:50:20 +0200
+Subject: qed: Fix PTT leak in qed_drain()
+
+[ Upstream commit 9aaa4e8ba12972d674caeefbc5f88d83235dd697 ]
+
+Release PTT before entering error flow.
+
+Signed-off-by: Denis Bolotin <denis.bolotin@cavium.com>
+Signed-off-by: Michal Kalderon <michal.kalderon@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c
+index 954f7ce4cf28..ecc2d4296526 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_main.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c
+@@ -1561,9 +1561,9 @@ static int qed_drain(struct qed_dev *cdev)
+ return -EBUSY;
+ }
+ rc = qed_mcp_drain(hwfn, ptt);
++ qed_ptt_release(hwfn, ptt);
+ if (rc)
+ return rc;
+- qed_ptt_release(hwfn, ptt);
+ }
+
+ return 0;
+--
+2.19.1
+
--- /dev/null
+From 94be0722b5a90bcce33893338a8f70a4d25df6a3 Mon Sep 17 00:00:00 2001
+From: Denis Bolotin <denis.bolotin@cavium.com>
+Date: Mon, 19 Nov 2018 16:28:31 +0200
+Subject: qed: Fix QM getters to always return a valid pq
+
+[ Upstream commit eb62cca9bee842e5b23bd0ddfb1f271ca95e8759 ]
+
+The getter callers doesn't know the valid Physical Queues (PQ) values.
+This patch makes sure that a valid PQ will always be returned.
+
+The patch consists of 3 fixes:
+
+ - When qed_init_qm_get_idx_from_flags() receives a disabled flag, it
+ returned PQ 0, which can potentially be another function's pq. Verify
+ that flag is enabled, otherwise return default start_pq.
+
+ - When qed_init_qm_get_idx_from_flags() receives an unknown flag, it
+ returned NULL and could lead to a segmentation fault. Return default
+ start_pq instead.
+
+ - A modulo operation was added to MCOS/VFS PQ getters to make sure the
+ PQ returned is in range of the required flag.
+
+Fixes: b5a9ee7cf3be ("qed: Revise QM cofiguration")
+Signed-off-by: Denis Bolotin <denis.bolotin@cavium.com>
+Signed-off-by: Michal Kalderon <michal.kalderon@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_dev.c | 24 +++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+index a51cd1028ecb..16953c4ebd71 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -446,6 +446,11 @@ static u16 *qed_init_qm_get_idx_from_flags(struct qed_hwfn *p_hwfn,
+ goto err;
+ }
+
++ if (!(qed_get_pq_flags(p_hwfn) & pq_flags)) {
++ DP_ERR(p_hwfn, "pq flag 0x%x is not set\n", pq_flags);
++ goto err;
++ }
++
+ switch (pq_flags) {
+ case PQ_FLAGS_RLS:
+ return &qm_info->first_rl_pq;
+@@ -468,8 +473,7 @@ static u16 *qed_init_qm_get_idx_from_flags(struct qed_hwfn *p_hwfn,
+ }
+
+ err:
+- DP_ERR(p_hwfn, "BAD pq flags %d\n", pq_flags);
+- return NULL;
++ return &qm_info->start_pq;
+ }
+
+ /* save pq index in qm info */
+@@ -493,20 +497,32 @@ u16 qed_get_cm_pq_idx_mcos(struct qed_hwfn *p_hwfn, u8 tc)
+ {
+ u8 max_tc = qed_init_qm_get_num_tcs(p_hwfn);
+
++ if (max_tc == 0) {
++ DP_ERR(p_hwfn, "pq with flag 0x%lx do not exist\n",
++ PQ_FLAGS_MCOS);
++ return p_hwfn->qm_info.start_pq;
++ }
++
+ if (tc > max_tc)
+ DP_ERR(p_hwfn, "tc %d must be smaller than %d\n", tc, max_tc);
+
+- return qed_get_cm_pq_idx(p_hwfn, PQ_FLAGS_MCOS) + tc;
++ return qed_get_cm_pq_idx(p_hwfn, PQ_FLAGS_MCOS) + (tc % max_tc);
+ }
+
+ u16 qed_get_cm_pq_idx_vf(struct qed_hwfn *p_hwfn, u16 vf)
+ {
+ u16 max_vf = qed_init_qm_get_num_vfs(p_hwfn);
+
++ if (max_vf == 0) {
++ DP_ERR(p_hwfn, "pq with flag 0x%lx do not exist\n",
++ PQ_FLAGS_VFS);
++ return p_hwfn->qm_info.start_pq;
++ }
++
+ if (vf > max_vf)
+ DP_ERR(p_hwfn, "vf %d must be smaller than %d\n", vf, max_vf);
+
+- return qed_get_cm_pq_idx(p_hwfn, PQ_FLAGS_VFS) + vf;
++ return qed_get_cm_pq_idx(p_hwfn, PQ_FLAGS_VFS) + (vf % max_vf);
+ }
+
+ u16 qed_get_cm_pq_idx_rl(struct qed_hwfn *p_hwfn, u8 rl)
+--
+2.19.1
+
--- /dev/null
+From b6ea5c6721a7c256d4db6a0bdc8a6ede8f319d5c Mon Sep 17 00:00:00 2001
+From: Denis Bolotin <denis.bolotin@cavium.com>
+Date: Mon, 12 Nov 2018 12:50:23 +0200
+Subject: qed: Fix reading wrong value in loop condition
+
+[ Upstream commit ed4eac20dcffdad47709422e0cb925981b056668 ]
+
+The value of "sb_index" is written by the hardware. Reading its value and
+writing it to "index" must finish before checking the loop condition.
+
+Signed-off-by: Denis Bolotin <denis.bolotin@cavium.com>
+Signed-off-by: Michal Kalderon <michal.kalderon@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_int.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c
+index 719cdbfe1695..7746417130bd 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_int.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_int.c
+@@ -992,6 +992,8 @@ static int qed_int_attentions(struct qed_hwfn *p_hwfn)
+ */
+ do {
+ index = p_sb_attn->sb_index;
++ /* finish reading index before the loop condition */
++ dma_rmb();
+ attn_bits = le32_to_cpu(p_sb_attn->atten_bits);
+ attn_acks = le32_to_cpu(p_sb_attn->atten_ack);
+ } while (index != p_sb_attn->sb_index);
+--
+2.19.1
+
--- /dev/null
+From aa543e5685a9a7f4061059e1f04e9c33ec3ade7e Mon Sep 17 00:00:00 2001
+From: Shen Jing <jingx.shen@intel.com>
+Date: Thu, 1 Nov 2018 15:35:17 +0530
+Subject: Revert "usb: gadget: ffs: Fix BUG when userland exits with submitted
+ AIO transfers"
+
+[ Upstream commit a9c859033f6ec772f8e3228c343bb1321584ae0e ]
+
+This reverts commit b4194da3f9087dd38d91b40f9bec42d59ce589a8
+since it causes list corruption followed by kernel panic:
+
+Workqueue: adb ffs_aio_cancel_worker
+RIP: 0010:__list_add_valid+0x4d/0x70
+Call Trace:
+insert_work+0x47/0xb0
+__queue_work+0xf6/0x400
+queue_work_on+0x65/0x70
+dwc3_gadget_giveback+0x44/0x50 [dwc3]
+dwc3_gadget_ep_dequeue+0x83/0x2d0 [dwc3]
+? finish_wait+0x80/0x80
+usb_ep_dequeue+0x1e/0x90
+process_one_work+0x18c/0x3b0
+worker_thread+0x3c/0x390
+? process_one_work+0x3b0/0x3b0
+kthread+0x11e/0x140
+? kthread_create_worker_on_cpu+0x70/0x70
+ret_from_fork+0x3a/0x50
+
+This issue is seen with warm reboot stability testing.
+
+Signed-off-by: Shen Jing <jingx.shen@intel.com>
+Signed-off-by: Saranya Gopal <saranya.gopal@intel.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 26 ++++++++------------------
+ 1 file changed, 8 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index 17467545391b..52e6897fa35a 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -219,7 +219,6 @@ struct ffs_io_data {
+
+ struct mm_struct *mm;
+ struct work_struct work;
+- struct work_struct cancellation_work;
+
+ struct usb_ep *ep;
+ struct usb_request *req;
+@@ -1074,31 +1073,22 @@ ffs_epfile_open(struct inode *inode, struct file *file)
+ return 0;
+ }
+
+-static void ffs_aio_cancel_worker(struct work_struct *work)
+-{
+- struct ffs_io_data *io_data = container_of(work, struct ffs_io_data,
+- cancellation_work);
+-
+- ENTER();
+-
+- usb_ep_dequeue(io_data->ep, io_data->req);
+-}
+-
+ static int ffs_aio_cancel(struct kiocb *kiocb)
+ {
+ struct ffs_io_data *io_data = kiocb->private;
+- struct ffs_data *ffs = io_data->ffs;
++ struct ffs_epfile *epfile = kiocb->ki_filp->private_data;
+ int value;
+
+ ENTER();
+
+- if (likely(io_data && io_data->ep && io_data->req)) {
+- INIT_WORK(&io_data->cancellation_work, ffs_aio_cancel_worker);
+- queue_work(ffs->io_completion_wq, &io_data->cancellation_work);
+- value = -EINPROGRESS;
+- } else {
++ spin_lock_irq(&epfile->ffs->eps_lock);
++
++ if (likely(io_data && io_data->ep && io_data->req))
++ value = usb_ep_dequeue(io_data->ep, io_data->req);
++ else
+ value = -EINVAL;
+- }
++
++ spin_unlock_irq(&epfile->ffs->eps_lock);
+
+ return value;
+ }
+--
+2.19.1
+
--- /dev/null
+media-omap3isp-unregister-media-device-as-first.patch
+iommu-vt-d-fix-null-pointer-dereference-in-prq_event.patch
+brcmutil-really-fix-decoding-channel-info-for-160-mh.patch
+iommu-ipmmu-vmsa-fix-crash-on-early-domain-free.patch
+can-rcar_can-fix-erroneous-registration.patch
+test_firmware-fix-error-return-getting-clobbered.patch
+hid-input-ignore-battery-reported-by-symbol-ds4308.patch
+batman-adv-use-explicit-tvlv-padding-for-elp-packets.patch
+batman-adv-expand-merged-fragment-buffer-for-full-pa.patch
+amd-iommu-fix-guest-virtual-apic-log-tail-address-re.patch
+bnx2x-assign-unique-dmae-channel-number-for-fw-dmae-.patch
+qed-fix-ptt-leak-in-qed_drain.patch
+qed-fix-reading-wrong-value-in-loop-condition.patch
+revert-usb-gadget-ffs-fix-bug-when-userland-exits-wi.patch
+net-mlx4_core-zero-out-lkey-field-in-sw2hw_mpt-fw-co.patch
+net-mlx4_core-fix-uninitialized-variable-compilation.patch
+net-mlx4-fix-ubsan-warning-of-signed-integer-overflo.patch
+gpio-mockup-fix-indicated-direction.patch
+mtd-rawnand-qcom-namespace-prefix-some-commands.patch
+exec-make-de_thread-freezable.patch
+hid-multitouch-add-pointstick-support-for-cirque-tou.patch
+mtd-spi-nor-fix-cadence-qspi-page-fault-kernel-panic.patch
+qed-fix-bitmap_weight-check.patch
+qed-fix-qm-getters-to-always-return-a-valid-pq.patch
+net-faraday-ftmac100-remove-netif_running-netdev-che.patch
+iommu-vt-d-use-memunmap-to-free-memremap.patch
+flexfiles-use-per-mirror-specified-stateid-for-io.patch
+ibmvnic-fix-rx-queue-buffer-cleanup.patch
+team-no-need-to-do-team_notify_peers-or-team_mcast_r.patch
+net-amd-add-missing-of_node_put.patch
+mm-don-t-warn-about-allocations-which-stall-for-too-.patch
--- /dev/null
+From 2752a663e2647dacd3edabc64b26004bf9dfe2ea Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Thu, 22 Nov 2018 16:15:28 +0800
+Subject: team: no need to do team_notify_peers or team_mcast_rejoin when
+ disabling port
+
+[ Upstream commit 5ed9dc99107144f83b6c1bb52a69b58875baf540 ]
+
+team_notify_peers() will send ARP and NA to notify peers. team_mcast_rejoin()
+will send multicast join group message to notify peers. We should do this when
+enabling/changed to a new port. But it doesn't make sense to do it when a port
+is disabled.
+
+On the other hand, when we set mcast_rejoin_count to 2, and do a failover,
+team_port_disable() will increase mcast_rejoin.count_pending to 2 and then
+team_port_enable() will increase mcast_rejoin.count_pending to 4. We will send
+4 mcast rejoin messages at latest, which will make user confused. The same
+with notify_peers.count.
+
+Fix it by deleting team_notify_peers() and team_mcast_rejoin() in
+team_port_disable().
+
+Reported-by: Liang Li <liali@redhat.com>
+Fixes: fc423ff00df3a ("team: add peer notification")
+Fixes: 492b200efdd20 ("team: add support for sending multicast rejoins")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index 817451a1efd6..bd455a6cc82c 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -989,8 +989,6 @@ static void team_port_disable(struct team *team,
+ team->en_port_count--;
+ team_queue_override_port_del(team, port);
+ team_adjust_ops(team);
+- team_notify_peers(team);
+- team_mcast_rejoin(team);
+ team_lower_state_changed(port);
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 8042d71e8ae0df399a9bb0b163b273a22ed7a614 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 19 Oct 2018 13:58:01 +0100
+Subject: test_firmware: fix error return getting clobbered
+
+[ Upstream commit 8bb0a88600f0267cfcc245d34f8c4abe8c282713 ]
+
+In the case where eq->fw->size > PAGE_SIZE the error return rc
+is being set to EINVAL however this is being overwritten to
+rc = req->fw->size because the error exit path via label 'out' is
+not being taken. Fix this by adding the jump to the error exit
+path 'out'.
+
+Detected by CoverityScan, CID#1453465 ("Unused value")
+
+Fixes: c92316bf8e94 ("test_firmware: add batched firmware tests")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_firmware.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/test_firmware.c b/lib/test_firmware.c
+index e7008688769b..71d371f97138 100644
+--- a/lib/test_firmware.c
++++ b/lib/test_firmware.c
+@@ -838,6 +838,7 @@ static ssize_t read_firmware_show(struct device *dev,
+ if (req->fw->size > PAGE_SIZE) {
+ pr_err("Testing interface must use PAGE_SIZE firmware for now\n");
+ rc = -EINVAL;
++ goto out;
+ }
+ memcpy(buf, req->fw->data, req->fw->size);
+
+--
+2.19.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
