--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 8 Aug 2018 10:30:03 +0200
+Subject: ACPI / scan: Initialize status to ACPI_STA_DEFAULT
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 5971b0c1594d6c34e257101ed5fdffec65205c50 ]
+
+Since commit 63347db0affa "ACPI / scan: Use acpi_bus_get_status() to
+initialize ACPI_TYPE_DEVICE devs" the status field of normal acpi_devices
+gets set to 0 by acpi_bus_type_and_status() and filled with its actual
+value later when acpi_add_single_object() calls acpi_bus_get_status().
+
+This means that any acpi_match_device_ids() calls in between will always
+fail with -ENOENT.
+
+We already have a workaround for this, which temporary forces status to
+ACPI_STA_DEFAULT in drivers/acpi/x86/utils.c: acpi_device_always_present()
+and the next commit in this series adds another acpi_match_device_ids()
+call between status being initialized as 0 and the acpi_bus_get_status()
+call.
+
+Rather then adding another workaround, this commit makes
+acpi_bus_type_and_status() initialize status to ACPI_STA_DEFAULT, this is
+safe to do as the only code looking at status between the initialization
+and the acpi_bus_get_status() call is those acpi_match_device_ids() calls.
+
+Note this does mean that we need to (re)set status to 0 in case the
+acpi_bus_get_status() call fails.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/scan.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1612,7 +1612,8 @@ static int acpi_add_single_object(struct
+ * Note this must be done before the get power-/wakeup_dev-flags calls.
+ */
+ if (type == ACPI_BUS_TYPE_DEVICE)
+- acpi_bus_get_status(device);
++ if (acpi_bus_get_status(device) < 0)
++ acpi_set_device_status(device, 0);
+
+ acpi_bus_get_power_flags(device);
+ acpi_bus_get_wakeup_device_flags(device);
+@@ -1690,7 +1691,7 @@ static int acpi_bus_type_and_status(acpi
+ * acpi_add_single_object updates this once we've an acpi_device
+ * so that acpi_bus_get_status' quirk handling can be used.
+ */
+- *sta = 0;
++ *sta = ACPI_STA_DEFAULT;
+ break;
+ case ACPI_TYPE_PROCESSOR:
+ *type = ACPI_BUS_TYPE_PROCESSOR;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Erik Schmauss <erik.schmauss@intel.com>
+Date: Fri, 10 Aug 2018 14:42:55 -0700
+Subject: ACPICA: ACPICA: add status check for acpi_hw_read before assigning return value
+
+From: Erik Schmauss <erik.schmauss@intel.com>
+
+[ Upstream commit f016b19a9275089a2ab06c2144567c2ad8d5d6ad ]
+
+The value coming from acpi_hw_read() should not be used if it
+returns an error code, so check the status returned by it before
+using that value in two places in acpi_hw_register_read().
+
+Reported-by: Mark Gross <mark.gross@intel.com>
+Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
+[ rjw: Changelog ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpica/hwregs.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/acpica/hwregs.c
++++ b/drivers/acpi/acpica/hwregs.c
+@@ -528,13 +528,18 @@ acpi_status acpi_hw_register_read(u32 re
+
+ status =
+ acpi_hw_read(&value64, &acpi_gbl_FADT.xpm2_control_block);
+- value = (u32)value64;
++ if (ACPI_SUCCESS(status)) {
++ value = (u32)value64;
++ }
+ break;
+
+ case ACPI_REGISTER_PM_TIMER: /* 32-bit access */
+
+ status = acpi_hw_read(&value64, &acpi_gbl_FADT.xpm_timer_block);
+- value = (u32)value64;
++ if (ACPI_SUCCESS(status)) {
++ value = (u32)value64;
++ }
++
+ break;
+
+ case ACPI_REGISTER_SMI_COMMAND_BLOCK: /* 8-bit access */
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 2 Aug 2018 11:38:23 +0300
+Subject: apparmor: fix an error code in __aa_create_ns()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 0a6b29230ec336189bab32498df3f06c8a6944d8 ]
+
+We should return error pointers in this function. Returning NULL
+results in a NULL dereference in the caller.
+
+Fixes: 73688d1ed0b8 ("apparmor: refactor prepare_ns() and make usable from different views")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/policy_ns.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/policy_ns.c
++++ b/security/apparmor/policy_ns.c
+@@ -255,7 +255,7 @@ static struct aa_ns *__aa_create_ns(stru
+
+ ns = alloc_ns(parent->base.hname, name);
+ if (!ns)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+ ns->level = parent->level + 1;
+ mutex_lock_nested(&ns->lock, ns->level);
+ error = __aafs_ns_mkdir(ns, ns_subns_dir(parent), name, dir);
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Fri, 24 Aug 2018 16:06:34 +0100
+Subject: ARM: rockchip: Force CONFIG_PM on Rockchip systems
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+[ Upstream commit d1558dfd9f22c99a5b8e1354ad881ee40749da89 ]
+
+A number of the Rockchip-specific drivers (IOMMU, display controllers)
+are now assuming that CONFIG_PM is set, and may completely misbehave
+if that's not the case.
+
+Since there is hardly any reason for this configuration option not
+to be selected anyway, let's require it (in the same way Tegra already
+does).
+
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-rockchip/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mach-rockchip/Kconfig
++++ b/arch/arm/mach-rockchip/Kconfig
+@@ -17,6 +17,7 @@ config ARCH_ROCKCHIP
+ select ARM_GLOBAL_TIMER
+ select CLKSRC_ARM_GLOBAL_TIMER_SCHED_CLOCK
+ select ZONE_DMA if ARM_LPAE
++ select PM
+ help
+ Support for Rockchip's Cortex-A9 Single-to-Quad-Core-SoCs
+ containing the RK2928, RK30xx and RK31xx series.
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Fri, 24 Aug 2018 16:06:35 +0100
+Subject: arm64: rockchip: Force CONFIG_PM on Rockchip systems
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+[ Upstream commit 7db7a8f5638a2ffe0c0c0d55b5186b6191fd6af7 ]
+
+A number of the Rockchip-specific drivers (IOMMU, display controllers)
+are now assuming that CONFIG_PM is set, and may completely misbehave
+if that's not the case.
+
+Since there is hardly any reason for this configuration option not
+to be selected anyway, let's require it (in the same way Tegra already
+does).
+
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/Kconfig.platforms | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/Kconfig.platforms
++++ b/arch/arm64/Kconfig.platforms
+@@ -151,6 +151,7 @@ config ARCH_ROCKCHIP
+ select GPIOLIB
+ select PINCTRL
+ select PINCTRL_ROCKCHIP
++ select PM
+ select ROCKCHIP_TIMER
+ help
+ This enables support for the ARMv8 based Rockchip chipsets,
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Matthias Kaehlcke <mka@chromium.org>
+Date: Tue, 7 Aug 2018 10:19:40 -0700
+Subject: ASoC: rt5677: Fix initialization of rt5677_of_match.data
+
+From: Matthias Kaehlcke <mka@chromium.org>
+
+[ Upstream commit f861e3e28a3016a2064d9f600eaa92a530b732b4 ]
+
+The driver expects to find the device id in rt5677_of_match.data, however
+it is currently assigned to rt5677_of_match.type. Fix this.
+
+The problem was found with the help of clang:
+ sound/soc/codecs/rt5677.c:5010:36: warning: expression which evaluates to
+ zero treated as a null pointer constant of type 'const void *'
+ [-Wnon-literal-null-conversion]
+ { .compatible = "realtek,rt5677", RT5677 },
+ ^~~~~~
+
+Fixes: ddc9e69b9dc2 ("ASoC: rt5677: Hide platform data in the module sources")
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/rt5677.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/rt5677.c
++++ b/sound/soc/codecs/rt5677.c
+@@ -5007,7 +5007,7 @@ static const struct regmap_config rt5677
+ };
+
+ static const struct of_device_id rt5677_of_match[] = {
+- { .compatible = "realtek,rt5677", RT5677 },
++ { .compatible = "realtek,rt5677", .data = (const void *)RT5677 },
+ { }
+ };
+ MODULE_DEVICE_TABLE(of, rt5677_of_match);
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Jianchao Wang <jianchao.w.wang@oracle.com>
+Date: Thu, 9 Aug 2018 08:34:17 -0600
+Subject: blk-mq: count the hctx as active before allocating tag
+
+From: Jianchao Wang <jianchao.w.wang@oracle.com>
+
+[ Upstream commit d263ed9926823c462f99a7679e18f0c9e5b8550d ]
+
+Currently, we count the hctx as active after allocate driver tag
+successfully. If a previously inactive hctx try to get tag first
+time, it may fails and need to wait. However, due to the stale tag
+->active_queues, the other shared-tags users are still able to
+occupy all driver tags while there is someone waiting for tag.
+Consequently, even if the previously inactive hctx is waked up, it
+still may not be able to get a tag and could be starved.
+
+To fix it, we count the hctx as active before try to allocate driver
+tag, then when it is waiting the tag, the other shared-tag users
+will reserve budget for it.
+
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jianchao Wang <jianchao.w.wang@oracle.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq-tag.c | 3 +++
+ block/blk-mq.c | 8 ++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/block/blk-mq-tag.c
++++ b/block/blk-mq-tag.c
+@@ -23,6 +23,9 @@ bool blk_mq_has_free_tags(struct blk_mq_
+
+ /*
+ * If a previously inactive queue goes active, bump the active user count.
++ * We need to do this before try to allocate driver tag, then even if fail
++ * to get tag when first time, the other shared-tag users could reserve
++ * budget for it.
+ */
+ bool __blk_mq_tag_busy(struct blk_mq_hw_ctx *hctx)
+ {
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -285,7 +285,7 @@ static struct request *blk_mq_rq_ctx_ini
+ rq->tag = -1;
+ rq->internal_tag = tag;
+ } else {
+- if (blk_mq_tag_busy(data->hctx)) {
++ if (data->hctx->flags & BLK_MQ_F_TAG_SHARED) {
+ rq_flags = RQF_MQ_INFLIGHT;
+ atomic_inc(&data->hctx->nr_active);
+ }
+@@ -367,6 +367,8 @@ static struct request *blk_mq_get_reques
+ if (!op_is_flush(op) && e->type->ops.mq.limit_depth &&
+ !(data->flags & BLK_MQ_REQ_RESERVED))
+ e->type->ops.mq.limit_depth(op, data);
++ } else {
++ blk_mq_tag_busy(data->hctx);
+ }
+
+ tag = blk_mq_get_tag(data);
+@@ -970,6 +972,7 @@ bool blk_mq_get_driver_tag(struct reques
+ .hctx = blk_mq_map_queue(rq->q, rq->mq_ctx->cpu),
+ .flags = wait ? 0 : BLK_MQ_REQ_NOWAIT,
+ };
++ bool shared;
+
+ might_sleep_if(wait);
+
+@@ -979,9 +982,10 @@ bool blk_mq_get_driver_tag(struct reques
+ if (blk_mq_tag_is_reserved(data.hctx->sched_tags, rq->internal_tag))
+ data.flags |= BLK_MQ_REQ_RESERVED;
+
++ shared = blk_mq_tag_busy(data.hctx);
+ rq->tag = blk_mq_get_tag(&data);
+ if (rq->tag >= 0) {
+- if (blk_mq_tag_busy(data.hctx)) {
++ if (shared) {
+ rq->rq_flags |= RQF_MQ_INFLIGHT;
+ atomic_inc(&data.hctx->nr_active);
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Greg Edwards <gedwards@ddn.com>
+Date: Wed, 8 Aug 2018 13:27:53 -0600
+Subject: block: bvec_nr_vecs() returns value for wrong slab
+
+From: Greg Edwards <gedwards@ddn.com>
+
+[ Upstream commit d6c02a9beb67f13d5f14f23e72fa9981e8b84477 ]
+
+In commit ed996a52c868 ("block: simplify and cleanup bvec pool
+handling"), the value of the slab index is incremented by one in
+bvec_alloc() after the allocation is done to indicate an index value of
+0 does not need to be later freed.
+
+bvec_nr_vecs() was not updated accordingly, and thus returns the wrong
+value. Decrement idx before performing the lookup.
+
+Fixes: ed996a52c868 ("block: simplify and cleanup bvec pool handling")
+Signed-off-by: Greg Edwards <gedwards@ddn.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/bio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -156,7 +156,7 @@ out:
+
+ unsigned int bvec_nr_vecs(unsigned short idx)
+ {
+- return bvec_slabs[idx].nr_vecs;
++ return bvec_slabs[--idx].nr_vecs;
+ }
+
+ void bvec_free(mempool_t *pool, struct bio_vec *bv, unsigned int idx)
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 14 Aug 2018 10:52:40 -0600
+Subject: block: don't warn for flush on read-only device
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit b089cfd95d32638335c551651a8e00fd2c4edb0b ]
+
+Don't warn for a flush issued to a read-only device. It's not strictly
+a writable command, as it doesn't change any on-media data by itself.
+
+Reported-by: Stefan Agner <stefan@agner.ch>
+Fixes: 721c7fc701c7 ("block: fail op_is_write() requests to read-only partitions")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -2159,7 +2159,9 @@ static inline bool should_fail_request(s
+
+ static inline bool bio_check_ro(struct bio *bio, struct hd_struct *part)
+ {
+- if (part->policy && op_is_write(bio_op(bio))) {
++ const int op = bio_op(bio);
++
++ if (part->policy && (op_is_write(op) && !op_is_flush(op))) {
+ char b[BDEVNAME_SIZE];
+
+ WARN_ONCE(1,
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Yonghong Song <yhs@fb.com>
+Date: Thu, 9 Aug 2018 08:55:19 -0700
+Subject: bpf: fix bpffs non-array map seq_show issue
+
+From: Yonghong Song <yhs@fb.com>
+
+[ Upstream commit dc1508a579e682a1e5f1ed0753390e0aa7c23a97 ]
+
+In function map_seq_next() of kernel/bpf/inode.c,
+the first key will be the "0" regardless of the map type.
+This works for array. But for hash type, if it happens
+key "0" is in the map, the bpffs map show will miss
+some items if the key "0" is not the first element of
+the first bucket.
+
+This patch fixed the issue by guaranteeing to get
+the first element, if the seq_show is just started,
+by passing NULL pointer key to map_get_next_key() callback.
+This way, no missing elements will occur for
+bpffs hash table show even if key "0" is in the map.
+
+Fixes: a26ca7c982cb5 ("bpf: btf: Add pretty print support to the basic arraymap")
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/inode.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/kernel/bpf/inode.c
++++ b/kernel/bpf/inode.c
+@@ -196,19 +196,21 @@ static void *map_seq_next(struct seq_fil
+ {
+ struct bpf_map *map = seq_file_to_map(m);
+ void *key = map_iter(m)->key;
++ void *prev_key;
+
+ if (map_iter(m)->done)
+ return NULL;
+
+ if (unlikely(v == SEQ_START_TOKEN))
+- goto done;
++ prev_key = NULL;
++ else
++ prev_key = key;
+
+- if (map->ops->map_get_next_key(map, key, key)) {
++ if (map->ops->map_get_next_key(map, prev_key, key)) {
+ map_iter(m)->done = true;
+ return NULL;
+ }
+
+-done:
+ ++(*pos);
+ return key;
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu, 16 Aug 2018 21:49:08 +0200
+Subject: bpf, sockmap: fix leakage of smap_psock_map_entry
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit d40b0116c94bd8fc2b63aae35ce8e66bb53bba42 ]
+
+While working on sockmap I noticed that we do not always kfree the
+struct smap_psock_map_entry list elements which track psocks attached
+to maps. In the case of sock_hash_ctx_update_elem(), these map entries
+are allocated outside of __sock_map_ctx_update_elem() with their
+linkage to the socket hash table filled. In the case of sock array,
+the map entries are allocated inside of __sock_map_ctx_update_elem()
+and added with their linkage to the psock->maps. Both additions are
+under psock->maps_lock each.
+
+Now, we drop these elements from their psock->maps list in a few
+occasions: i) in sock array via smap_list_map_remove() when an entry
+is either deleted from the map from user space, or updated via
+user space or BPF program where we drop the old socket at that map
+slot, or the sock array is freed via sock_map_free() and drops all
+its elements; ii) for sock hash via smap_list_hash_remove() in exactly
+the same occasions as just described for sock array; iii) in the
+bpf_tcp_close() where we remove the elements from the list via
+psock_map_pop() and iterate over them dropping themselves from either
+sock array or sock hash; and last but not least iv) once again in
+smap_gc_work() which is a callback for deferring the work once the
+psock refcount hit zero and thus the socket is being destroyed.
+
+Problem is that the only case where we kfree() the list entry is
+in case iv), which at that point should have an empty list in
+normal cases. So in cases from i) to iii) we unlink the elements
+without freeing where they go out of reach from us. Hence fix is
+to properly kfree() them as well to stop the leakage. Given these
+are all handled under psock->maps_lock there is no need for deferred
+RCU freeing.
+
+I later also ran with kmemleak detector and it confirmed the finding
+as well where in the state before the fix the object goes unreferenced
+while after the patch no kmemleak report related to BPF showed up.
+
+ [...]
+ unreferenced object 0xffff880378eadae0 (size 64):
+ comm "test_sockmap", pid 2225, jiffies 4294720701 (age 43.504s)
+ hex dump (first 32 bytes):
+ 00 01 00 00 00 00 ad de 00 02 00 00 00 00 ad de ................
+ 50 4d 75 5d 03 88 ff ff 00 00 00 00 00 00 00 00 PMu]............
+ backtrace:
+ [<000000005225ac3c>] sock_map_ctx_update_elem.isra.21+0xd8/0x210
+ [<0000000045dd6d3c>] bpf_sock_map_update+0x29/0x60
+ [<00000000877723aa>] ___bpf_prog_run+0x1e1f/0x4960
+ [<000000002ef89e83>] 0xffffffffffffffff
+ unreferenced object 0xffff880378ead240 (size 64):
+ comm "test_sockmap", pid 2225, jiffies 4294720701 (age 43.504s)
+ hex dump (first 32 bytes):
+ 00 01 00 00 00 00 ad de 00 02 00 00 00 00 ad de ................
+ 00 44 75 5d 03 88 ff ff 00 00 00 00 00 00 00 00 .Du]............
+ backtrace:
+ [<000000005225ac3c>] sock_map_ctx_update_elem.isra.21+0xd8/0x210
+ [<0000000030e37a3a>] sock_map_update_elem+0x125/0x240
+ [<000000002e5ce36e>] map_update_elem+0x4eb/0x7b0
+ [<00000000db453cc9>] __x64_sys_bpf+0x1f9/0x360
+ [<0000000000763660>] do_syscall_64+0x9a/0x300
+ [<00000000422a2bb2>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ [<000000002ef89e83>] 0xffffffffffffffff
+ [...]
+
+Fixes: e9db4ef6bf4c ("bpf: sockhash fix omitted bucket lock in sock_close")
+Fixes: 54fedb42c653 ("bpf: sockmap, fix smap_list_map_remove when psock is in many maps")
+Fixes: 2f857d04601a ("bpf: sockmap, remove STRPARSER map_flags and add multi-map support")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/sockmap.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/kernel/bpf/sockmap.c
++++ b/kernel/bpf/sockmap.c
+@@ -376,6 +376,7 @@ static void bpf_tcp_close(struct sock *s
+ }
+ raw_spin_unlock_bh(&b->lock);
+ }
++ kfree(e);
+ e = psock_map_pop(sk, psock);
+ }
+ rcu_read_unlock();
+@@ -1685,8 +1686,10 @@ static void smap_list_map_remove(struct
+
+ spin_lock_bh(&psock->maps_lock);
+ list_for_each_entry_safe(e, tmp, &psock->maps, list) {
+- if (e->entry == entry)
++ if (e->entry == entry) {
+ list_del(&e->list);
++ kfree(e);
++ }
+ }
+ spin_unlock_bh(&psock->maps_lock);
+ }
+@@ -1700,8 +1703,10 @@ static void smap_list_hash_remove(struct
+ list_for_each_entry_safe(e, tmp, &psock->maps, list) {
+ struct htab_elem *c = rcu_dereference(e->hash_link);
+
+- if (c == hash_link)
++ if (c == hash_link) {
+ list_del(&e->list);
++ kfree(e);
++ }
+ }
+ spin_unlock_bh(&psock->maps_lock);
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu, 16 Aug 2018 21:49:09 +0200
+Subject: bpf, sockmap: fix map elem deletion race with smap_stop_sock
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 166ab6f0a0702fdd4d865ad5090bf3094ed83428 ]
+
+The smap_start_sock() and smap_stop_sock() are each protected under
+the sock->sk_callback_lock from their call-sites except in the case
+of sock_map_delete_elem() where we drop the old socket from the map
+slot. This is racy because the same sock could be part of multiple
+sock maps, so we run smap_stop_sock() in parallel, and given at that
+point psock->strp_enabled might be true on both CPUs, we might for
+example wrongly restore the sk->sk_data_ready / sk->sk_write_space.
+Therefore, hold the sock->sk_callback_lock as well on delete. Looks
+like 2f857d04601a ("bpf: sockmap, remove STRPARSER map_flags and add
+multi-map support") had this right, but later on e9db4ef6bf4c ("bpf:
+sockhash fix omitted bucket lock in sock_close") removed it again
+from delete leaving this smap_stop_sock() instance unprotected.
+
+Fixes: e9db4ef6bf4c ("bpf: sockhash fix omitted bucket lock in sock_close")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/sockmap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/bpf/sockmap.c
++++ b/kernel/bpf/sockmap.c
+@@ -1784,8 +1784,11 @@ static int sock_map_delete_elem(struct b
+ if (!psock)
+ goto out;
+
+- if (psock->bpf_parse)
++ if (psock->bpf_parse) {
++ write_lock_bh(&sock->sk_callback_lock);
+ smap_stop_sock(psock, sock);
++ write_unlock_bh(&sock->sk_callback_lock);
++ }
+ smap_list_map_remove(psock, &stab->sock_map[k]);
+ smap_release_sock(psock, sock);
+ out:
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu, 16 Aug 2018 21:49:10 +0200
+Subject: bpf, sockmap: fix sock_map_ctx_update_elem race with exist/noexist
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 585f5a6252ee43ec8feeee07387e3fcc7e8bb292 ]
+
+The current code in sock_map_ctx_update_elem() allows for BPF_EXIST
+and BPF_NOEXIST map update flags. While on array-like maps this approach
+is rather uncommon, e.g. bpf_fd_array_map_update_elem() and others
+enforce map update flags to be BPF_ANY such that xchg() can be used
+directly, the current implementation in sock map does not guarantee
+that such operation with BPF_EXIST / BPF_NOEXIST is atomic.
+
+The initial test does a READ_ONCE(stab->sock_map[i]) to fetch the
+socket from the slot which is then tested for NULL / non-NULL. However
+later after __sock_map_ctx_update_elem(), the actual update is done
+through osock = xchg(&stab->sock_map[i], sock). Problem is that in
+the meantime a different CPU could have updated / deleted a socket
+on that specific slot and thus flag contraints won't hold anymore.
+
+I've been thinking whether best would be to just break UAPI and do
+an enforcement of BPF_ANY to check if someone actually complains,
+however trouble is that already in BPF kselftest we use BPF_NOEXIST
+for the map update, and therefore it might have been copied into
+applications already. The fix to keep the current behavior intact
+would be to add a map lock similar to the sock hash bucket lock only
+for covering the whole map.
+
+Fixes: 174a79ff9515 ("bpf: sockmap with sk redirect support")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/sockmap.c | 106 +++++++++++++++++++++++++++------------------------
+ 1 file changed, 57 insertions(+), 49 deletions(-)
+
+--- a/kernel/bpf/sockmap.c
++++ b/kernel/bpf/sockmap.c
+@@ -58,6 +58,7 @@ struct bpf_stab {
+ struct bpf_map map;
+ struct sock **sock_map;
+ struct bpf_sock_progs progs;
++ raw_spinlock_t lock;
+ };
+
+ struct bucket {
+@@ -89,9 +90,9 @@ enum smap_psock_state {
+
+ struct smap_psock_map_entry {
+ struct list_head list;
++ struct bpf_map *map;
+ struct sock **entry;
+ struct htab_elem __rcu *hash_link;
+- struct bpf_htab __rcu *htab;
+ };
+
+ struct smap_psock {
+@@ -343,13 +344,18 @@ static void bpf_tcp_close(struct sock *s
+ e = psock_map_pop(sk, psock);
+ while (e) {
+ if (e->entry) {
+- osk = cmpxchg(e->entry, sk, NULL);
++ struct bpf_stab *stab = container_of(e->map, struct bpf_stab, map);
++
++ raw_spin_lock_bh(&stab->lock);
++ osk = *e->entry;
+ if (osk == sk) {
++ *e->entry = NULL;
+ smap_release_sock(psock, sk);
+ }
++ raw_spin_unlock_bh(&stab->lock);
+ } else {
+ struct htab_elem *link = rcu_dereference(e->hash_link);
+- struct bpf_htab *htab = rcu_dereference(e->htab);
++ struct bpf_htab *htab = container_of(e->map, struct bpf_htab, map);
+ struct hlist_head *head;
+ struct htab_elem *l;
+ struct bucket *b;
+@@ -1644,6 +1650,7 @@ static struct bpf_map *sock_map_alloc(un
+ return ERR_PTR(-ENOMEM);
+
+ bpf_map_init_from_attr(&stab->map, attr);
++ raw_spin_lock_init(&stab->lock);
+
+ /* make sure page count doesn't overflow */
+ cost = (u64) stab->map.max_entries * sizeof(struct sock *);
+@@ -1714,14 +1721,15 @@ static void sock_map_free(struct bpf_map
+ * and a grace period expire to ensure psock is really safe to remove.
+ */
+ rcu_read_lock();
++ raw_spin_lock_bh(&stab->lock);
+ for (i = 0; i < stab->map.max_entries; i++) {
+ struct smap_psock *psock;
+ struct sock *sock;
+
+- sock = xchg(&stab->sock_map[i], NULL);
++ sock = stab->sock_map[i];
+ if (!sock)
+ continue;
+-
++ stab->sock_map[i] = NULL;
+ psock = smap_psock_sk(sock);
+ /* This check handles a racing sock event that can get the
+ * sk_callback_lock before this case but after xchg happens
+@@ -1733,6 +1741,7 @@ static void sock_map_free(struct bpf_map
+ smap_release_sock(psock, sock);
+ }
+ }
++ raw_spin_unlock_bh(&stab->lock);
+ rcu_read_unlock();
+
+ sock_map_remove_complete(stab);
+@@ -1776,14 +1785,16 @@ static int sock_map_delete_elem(struct b
+ if (k >= map->max_entries)
+ return -EINVAL;
+
+- sock = xchg(&stab->sock_map[k], NULL);
++ raw_spin_lock_bh(&stab->lock);
++ sock = stab->sock_map[k];
++ stab->sock_map[k] = NULL;
++ raw_spin_unlock_bh(&stab->lock);
+ if (!sock)
+ return -EINVAL;
+
+ psock = smap_psock_sk(sock);
+ if (!psock)
+- goto out;
+-
++ return 0;
+ if (psock->bpf_parse) {
+ write_lock_bh(&sock->sk_callback_lock);
+ smap_stop_sock(psock, sock);
+@@ -1791,7 +1802,6 @@ static int sock_map_delete_elem(struct b
+ }
+ smap_list_map_remove(psock, &stab->sock_map[k]);
+ smap_release_sock(psock, sock);
+-out:
+ return 0;
+ }
+
+@@ -1827,11 +1837,9 @@ out:
+ static int __sock_map_ctx_update_elem(struct bpf_map *map,
+ struct bpf_sock_progs *progs,
+ struct sock *sock,
+- struct sock **map_link,
+ void *key)
+ {
+ struct bpf_prog *verdict, *parse, *tx_msg;
+- struct smap_psock_map_entry *e = NULL;
+ struct smap_psock *psock;
+ bool new = false;
+ int err = 0;
+@@ -1904,14 +1912,6 @@ static int __sock_map_ctx_update_elem(st
+ new = true;
+ }
+
+- if (map_link) {
+- e = kzalloc(sizeof(*e), GFP_ATOMIC | __GFP_NOWARN);
+- if (!e) {
+- err = -ENOMEM;
+- goto out_free;
+- }
+- }
+-
+ /* 3. At this point we have a reference to a valid psock that is
+ * running. Attach any BPF programs needed.
+ */
+@@ -1933,17 +1933,6 @@ static int __sock_map_ctx_update_elem(st
+ write_unlock_bh(&sock->sk_callback_lock);
+ }
+
+- /* 4. Place psock in sockmap for use and stop any programs on
+- * the old sock assuming its not the same sock we are replacing
+- * it with. Because we can only have a single set of programs if
+- * old_sock has a strp we can stop it.
+- */
+- if (map_link) {
+- e->entry = map_link;
+- spin_lock_bh(&psock->maps_lock);
+- list_add_tail(&e->list, &psock->maps);
+- spin_unlock_bh(&psock->maps_lock);
+- }
+ return err;
+ out_free:
+ smap_release_sock(psock, sock);
+@@ -1954,7 +1943,6 @@ out_progs:
+ }
+ if (tx_msg)
+ bpf_prog_put(tx_msg);
+- kfree(e);
+ return err;
+ }
+
+@@ -1964,36 +1952,57 @@ static int sock_map_ctx_update_elem(stru
+ {
+ struct bpf_stab *stab = container_of(map, struct bpf_stab, map);
+ struct bpf_sock_progs *progs = &stab->progs;
+- struct sock *osock, *sock;
++ struct sock *osock, *sock = skops->sk;
++ struct smap_psock_map_entry *e;
++ struct smap_psock *psock;
+ u32 i = *(u32 *)key;
+ int err;
+
+ if (unlikely(flags > BPF_EXIST))
+ return -EINVAL;
+-
+ if (unlikely(i >= stab->map.max_entries))
+ return -E2BIG;
+
+- sock = READ_ONCE(stab->sock_map[i]);
+- if (flags == BPF_EXIST && !sock)
+- return -ENOENT;
+- else if (flags == BPF_NOEXIST && sock)
+- return -EEXIST;
++ e = kzalloc(sizeof(*e), GFP_ATOMIC | __GFP_NOWARN);
++ if (!e)
++ return -ENOMEM;
+
+- sock = skops->sk;
+- err = __sock_map_ctx_update_elem(map, progs, sock, &stab->sock_map[i],
+- key);
++ err = __sock_map_ctx_update_elem(map, progs, sock, key);
+ if (err)
+ goto out;
+
+- osock = xchg(&stab->sock_map[i], sock);
+- if (osock) {
+- struct smap_psock *opsock = smap_psock_sk(osock);
++ /* psock guaranteed to be present. */
++ psock = smap_psock_sk(sock);
++ raw_spin_lock_bh(&stab->lock);
++ osock = stab->sock_map[i];
++ if (osock && flags == BPF_NOEXIST) {
++ err = -EEXIST;
++ goto out_unlock;
++ }
++ if (!osock && flags == BPF_EXIST) {
++ err = -ENOENT;
++ goto out_unlock;
++ }
++
++ e->entry = &stab->sock_map[i];
++ e->map = map;
++ spin_lock_bh(&psock->maps_lock);
++ list_add_tail(&e->list, &psock->maps);
++ spin_unlock_bh(&psock->maps_lock);
+
+- smap_list_map_remove(opsock, &stab->sock_map[i]);
+- smap_release_sock(opsock, osock);
++ stab->sock_map[i] = sock;
++ if (osock) {
++ psock = smap_psock_sk(osock);
++ smap_list_map_remove(psock, &stab->sock_map[i]);
++ smap_release_sock(psock, osock);
+ }
++ raw_spin_unlock_bh(&stab->lock);
++ return 0;
++out_unlock:
++ smap_release_sock(psock, sock);
++ raw_spin_unlock_bh(&stab->lock);
+ out:
++ kfree(e);
+ return err;
+ }
+
+@@ -2356,7 +2365,7 @@ static int sock_hash_ctx_update_elem(str
+ b = __select_bucket(htab, hash);
+ head = &b->head;
+
+- err = __sock_map_ctx_update_elem(map, progs, sock, NULL, key);
++ err = __sock_map_ctx_update_elem(map, progs, sock, key);
+ if (err)
+ goto err;
+
+@@ -2382,8 +2391,7 @@ static int sock_hash_ctx_update_elem(str
+ }
+
+ rcu_assign_pointer(e->hash_link, l_new);
+- rcu_assign_pointer(e->htab,
+- container_of(map, struct bpf_htab, map));
++ e->map = map;
+ spin_lock_bh(&psock->maps_lock);
+ list_add_tail(&e->list, &psock->maps);
+ spin_unlock_bh(&psock->maps_lock);
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Winnie Chang <winnie.chang@cypress.com>
+Date: Tue, 7 Aug 2018 21:19:41 -0500
+Subject: brcmfmac: fix brcmf_wiphy_wowl_params() NULL pointer dereference
+
+From: Winnie Chang <winnie.chang@cypress.com>
+
+[ Upstream commit 27a8aea13053700ad2a08189024df7e341d1ee51 ]
+
+The kernel BUG happens when wowl is enabled from firmware. In
+brcmf_wiphy_wowl_params(), cfg is a NULL pointer because it is
+drvr->config returned from wiphy_to_cfg(), and drvr->config is not set
+yet. To fix it, set drvr->config before brcmf_setup_wiphy() which
+calls brcmf_wiphy_wowl_params().
+
+Fixes: 856d5a011c86 ("brcmfmac: allocate struct brcmf_pub instance using wiphy_new()")
+Signed-off-by: Winnie Chang <winnie.chang@cypress.com>
+Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6926,15 +6926,15 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+ cfg->d11inf.io_type = (u8)io_type;
+ brcmu_d11_attach(&cfg->d11inf);
+
+- err = brcmf_setup_wiphy(wiphy, ifp);
+- if (err < 0)
+- goto priv_out;
+-
+ /* regulatory notifer below needs access to cfg so
+ * assign it now.
+ */
+ drvr->config = cfg;
+
++ err = brcmf_setup_wiphy(wiphy, ifp);
++ if (err < 0)
++ goto priv_out;
++
+ brcmf_dbg(INFO, "Registering custom regulatory\n");
+ wiphy->reg_notifier = brcmf_cfg80211_reg_notifier;
+ wiphy->regulatory_flags |= REGULATORY_CUSTOM_REG;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Qu Wenruo <wqu@suse.com>
+Date: Wed, 20 Jun 2018 15:38:58 +0800
+Subject: btrfs: check-integrity: Fix NULL pointer dereference for degraded mount
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 9912bbf6440ba0555e91d3306520da01872c7c1d ]
+
+Commit f8f84b2dfda5 ("btrfs: index check-integrity state hash by a dev_t")
+changed how btrfsic indexes device state.
+
+Now we need to access device->bdev->bd_dev, while for degraded mount
+it's completely possible to have device->bdev as NULL, thus it will
+trigger a NULL pointer dereference at mount time.
+
+Fix it by checking if the device is degraded before accessing
+device->bdev->bd_dev.
+
+There are a lot of other places accessing device->bdev->bd_dev, however
+the other call sites have either checked device->bdev, or the
+device->bdev is passed from btrfsic_map_block(), so it won't cause harm.
+
+Fixes: f8f84b2dfda5 ("btrfs: index check-integrity state hash by a dev_t")
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/check-integrity.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/check-integrity.c
++++ b/fs/btrfs/check-integrity.c
+@@ -1539,7 +1539,12 @@ static int btrfsic_map_block(struct btrf
+ }
+
+ device = multi->stripes[0].dev;
+- block_ctx_out->dev = btrfsic_dev_state_lookup(device->bdev->bd_dev);
++ if (test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state) ||
++ !device->bdev || !device->name)
++ block_ctx_out->dev = NULL;
++ else
++ block_ctx_out->dev = btrfsic_dev_state_lookup(
++ device->bdev->bd_dev);
+ block_ctx_out->dev_bytenr = multi->stripes[0].physical;
+ block_ctx_out->start = bytenr;
+ block_ctx_out->len = len;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Anand Jain <anand.jain@oracle.com>
+Date: Tue, 29 May 2018 12:28:37 +0800
+Subject: btrfs: do btrfs_free_stale_devices outside of device_list_add
+
+From: Anand Jain <anand.jain@oracle.com>
+
+[ Upstream commit 4306a97449f9a0f9e5229af7889d4401315355aa ]
+
+btrfs_free_stale_devices() looks for device path reused for another
+filesystem, and deletes the older fs_devices::device entry.
+
+In preparation to handle locking in device_list_add, move
+btrfs_free_stale_devices outside as these two functions serve a
+different purpose.
+
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -750,7 +750,8 @@ error_brelse:
+ * error pointer when failed
+ */
+ static noinline struct btrfs_device *device_list_add(const char *path,
+- struct btrfs_super_block *disk_super)
++ struct btrfs_super_block *disk_super,
++ bool *new_device_added)
+ {
+ struct btrfs_device *device;
+ struct btrfs_fs_devices *fs_devices;
+@@ -796,7 +797,7 @@ static noinline struct btrfs_device *dev
+ mutex_unlock(&fs_devices->device_list_mutex);
+
+ device->fs_devices = fs_devices;
+- btrfs_free_stale_devices(path, device);
++ *new_device_added = true;
+
+ if (disk_super->label[0])
+ pr_info("BTRFS: device label %s devid %llu transid %llu %s\n",
+@@ -1221,6 +1222,7 @@ int btrfs_scan_one_device(const char *pa
+ struct btrfs_fs_devices **fs_devices_ret)
+ {
+ struct btrfs_super_block *disk_super;
++ bool new_device_added = false;
+ struct btrfs_device *device;
+ struct block_device *bdev;
+ struct page *page;
+@@ -1246,11 +1248,14 @@ int btrfs_scan_one_device(const char *pa
+ }
+
+ mutex_lock(&uuid_mutex);
+- device = device_list_add(path, disk_super);
+- if (IS_ERR(device))
++ device = device_list_add(path, disk_super, &new_device_added);
++ if (IS_ERR(device)) {
+ ret = PTR_ERR(device);
+- else
++ } else {
+ *fs_devices_ret = device->fs_devices;
++ if (new_device_added)
++ btrfs_free_stale_devices(path, device);
++ }
+ mutex_unlock(&uuid_mutex);
+
+ btrfs_release_disk_super(page);
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Qu Wenruo <wqu@suse.com>
+Date: Fri, 22 Jun 2018 12:35:00 +0800
+Subject: btrfs: Don't remove block group that still has pinned down bytes
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 43794446548730ac8461be30bbe47d5d027d1d16 ]
+
+[BUG]
+Under certain KVM load and LTP tests, it is possible to hit the
+following calltrace if quota is enabled:
+
+BTRFS critical (device vda2): unable to find logical 8820195328 length 4096
+BTRFS critical (device vda2): unable to find logical 8820195328 length 4096
+
+WARNING: CPU: 0 PID: 49 at ../block/blk-core.c:172 blk_status_to_errno+0x1a/0x30
+CPU: 0 PID: 49 Comm: kworker/u2:1 Not tainted 4.12.14-15-default #1 SLE15 (unreleased)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+Workqueue: btrfs-endio-write btrfs_endio_write_helper [btrfs]
+task: ffff9f827b340bc0 task.stack: ffffb4f8c0304000
+RIP: 0010:blk_status_to_errno+0x1a/0x30
+Call Trace:
+ submit_extent_page+0x191/0x270 [btrfs]
+ ? btrfs_create_repair_bio+0x130/0x130 [btrfs]
+ __do_readpage+0x2d2/0x810 [btrfs]
+ ? btrfs_create_repair_bio+0x130/0x130 [btrfs]
+ ? run_one_async_done+0xc0/0xc0 [btrfs]
+ __extent_read_full_page+0xe7/0x100 [btrfs]
+ ? run_one_async_done+0xc0/0xc0 [btrfs]
+ read_extent_buffer_pages+0x1ab/0x2d0 [btrfs]
+ ? run_one_async_done+0xc0/0xc0 [btrfs]
+ btree_read_extent_buffer_pages+0x94/0xf0 [btrfs]
+ read_tree_block+0x31/0x60 [btrfs]
+ read_block_for_search.isra.35+0xf0/0x2e0 [btrfs]
+ btrfs_search_slot+0x46b/0xa00 [btrfs]
+ ? kmem_cache_alloc+0x1a8/0x510
+ ? btrfs_get_token_32+0x5b/0x120 [btrfs]
+ find_parent_nodes+0x11d/0xeb0 [btrfs]
+ ? leaf_space_used+0xb8/0xd0 [btrfs]
+ ? btrfs_leaf_free_space+0x49/0x90 [btrfs]
+ ? btrfs_find_all_roots_safe+0x93/0x100 [btrfs]
+ btrfs_find_all_roots_safe+0x93/0x100 [btrfs]
+ btrfs_find_all_roots+0x45/0x60 [btrfs]
+ btrfs_qgroup_trace_extent_post+0x20/0x40 [btrfs]
+ btrfs_add_delayed_data_ref+0x1a3/0x1d0 [btrfs]
+ btrfs_alloc_reserved_file_extent+0x38/0x40 [btrfs]
+ insert_reserved_file_extent.constprop.71+0x289/0x2e0 [btrfs]
+ btrfs_finish_ordered_io+0x2f4/0x7f0 [btrfs]
+ ? pick_next_task_fair+0x2cd/0x530
+ ? __switch_to+0x92/0x4b0
+ btrfs_worker_helper+0x81/0x300 [btrfs]
+ process_one_work+0x1da/0x3f0
+ worker_thread+0x2b/0x3f0
+ ? process_one_work+0x3f0/0x3f0
+ kthread+0x11a/0x130
+ ? kthread_create_on_node+0x40/0x40
+ ret_from_fork+0x35/0x40
+
+BTRFS critical (device vda2): unable to find logical 8820195328 length 16384
+BTRFS: error (device vda2) in btrfs_finish_ordered_io:3023: errno=-5 IO failure
+BTRFS info (device vda2): forced readonly
+BTRFS error (device vda2): pending csums is 2887680
+
+[CAUSE]
+It's caused by race with block group auto removal:
+
+- There is a meta block group X, which has only one tree block
+ The tree block belongs to fs tree 257.
+- In current transaction, some operation modified fs tree 257
+ The tree block gets COWed, so the block group X is empty, and marked
+ as unused, queued to be deleted.
+- Some workload (like fsync) wakes up cleaner_kthread()
+ Which will call btrfs_delete_unused_bgs() to remove unused block
+ groups.
+ So block group X along its chunk map get removed.
+- Some delalloc work finished for fs tree 257
+ Quota needs to get the original reference of the extent, which will
+ read tree blocks of commit root of 257.
+ Then since the chunk map gets removed, the above warning gets
+ triggered.
+
+[FIX]
+Just let btrfs_delete_unused_bgs() skip block group which still has
+pinned bytes.
+
+However there is a minor side effect: currently we only queue empty
+blocks at update_block_group(), and such empty block group with pinned
+bytes won't go through update_block_group() again, such block group
+won't be removed, until it gets new extent allocated and removed.
+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent-tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -10687,7 +10687,7 @@ void btrfs_delete_unused_bgs(struct btrf
+ /* Don't want to race with allocators so take the groups_sem */
+ down_write(&space_info->groups_sem);
+ spin_lock(&block_group->lock);
+- if (block_group->reserved ||
++ if (block_group->reserved || block_group->pinned ||
+ btrfs_block_group_used(&block_group->item) ||
+ block_group->ro ||
+ list_is_singular(&block_group->list)) {
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Qu Wenruo <wqu@suse.com>
+Date: Wed, 1 Aug 2018 10:37:20 +0800
+Subject: btrfs: Exit gracefully when chunk map cannot be inserted to the tree
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 64f64f43c89aca1782aa672e0586f6903c5d8979 ]
+
+It's entirely possible that a crafted btrfs image contains overlapping
+chunks.
+
+Although we can't detect such problem by tree-checker, it's not a
+catastrophic problem, current extent map can already detect such problem
+and return -EEXIST.
+
+We just only need to exit gracefully and fail the mount.
+
+Reported-by: Xu Wen <wen.xu@gatech.edu>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=200409
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -6563,10 +6563,14 @@ static int read_one_chunk(struct btrfs_f
+ write_lock(&map_tree->map_tree.lock);
+ ret = add_extent_mapping(&map_tree->map_tree, em, 0);
+ write_unlock(&map_tree->map_tree.lock);
+- BUG_ON(ret); /* Tree corruption */
++ if (ret < 0) {
++ btrfs_err(fs_info,
++ "failed to add chunk map, start=%llu len=%llu: %d",
++ em->start, em->len, ret);
++ }
+ free_extent_map(em);
+
+- return 0;
++ return ret;
+ }
+
+ static void fill_device_from_item(struct extent_buffer *leaf,
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Anand Jain <anand.jain@oracle.com>
+Date: Tue, 29 May 2018 14:10:20 +0800
+Subject: btrfs: extend locked section when adding a new device in device_list_add
+
+From: Anand Jain <anand.jain@oracle.com>
+
+[ Upstream commit 9c6d173ea6e4c8c939ae6c257c7fc18f7b320316 ]
+
+Make sure the device_list_lock is held the whole time:
+
+* when the device is being looked up
+* new device is initialized and put to the list
+* the list counters are updated (fs_devices::opened, fs_devices::total_devices)
+
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+[ update changelog ]
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -765,21 +765,26 @@ static noinline struct btrfs_device *dev
+ if (IS_ERR(fs_devices))
+ return ERR_CAST(fs_devices);
+
++ mutex_lock(&fs_devices->device_list_mutex);
+ list_add(&fs_devices->fs_list, &fs_uuids);
+
+ device = NULL;
+ } else {
++ mutex_lock(&fs_devices->device_list_mutex);
+ device = find_device(fs_devices, devid,
+ disk_super->dev_item.uuid);
+ }
+
+ if (!device) {
+- if (fs_devices->opened)
++ if (fs_devices->opened) {
++ mutex_unlock(&fs_devices->device_list_mutex);
+ return ERR_PTR(-EBUSY);
++ }
+
+ device = btrfs_alloc_device(NULL, &devid,
+ disk_super->dev_item.uuid);
+ if (IS_ERR(device)) {
++ mutex_unlock(&fs_devices->device_list_mutex);
+ /* we can safely leave the fs_devices entry around */
+ return device;
+ }
+@@ -787,14 +792,13 @@ static noinline struct btrfs_device *dev
+ name = rcu_string_strdup(path, GFP_NOFS);
+ if (!name) {
+ btrfs_free_device(device);
++ mutex_unlock(&fs_devices->device_list_mutex);
+ return ERR_PTR(-ENOMEM);
+ }
+ rcu_assign_pointer(device->name, name);
+
+- mutex_lock(&fs_devices->device_list_mutex);
+ list_add_rcu(&device->dev_list, &fs_devices->devices);
+ fs_devices->num_devices++;
+- mutex_unlock(&fs_devices->device_list_mutex);
+
+ device->fs_devices = fs_devices;
+ *new_device_added = true;
+@@ -841,12 +845,15 @@ static noinline struct btrfs_device *dev
+ * with larger generation number or the last-in if
+ * generation are equal.
+ */
++ mutex_unlock(&fs_devices->device_list_mutex);
+ return ERR_PTR(-EEXIST);
+ }
+
+ name = rcu_string_strdup(path, GFP_NOFS);
+- if (!name)
++ if (!name) {
++ mutex_unlock(&fs_devices->device_list_mutex);
+ return ERR_PTR(-ENOMEM);
++ }
+ rcu_string_free(device->name);
+ rcu_assign_pointer(device->name, name);
+ if (test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state)) {
+@@ -866,6 +873,7 @@ static noinline struct btrfs_device *dev
+
+ fs_devices->total_devices = btrfs_super_num_devices(disk_super);
+
++ mutex_unlock(&fs_devices->device_list_mutex);
+ return device;
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Wed, 20 Jun 2018 10:03:33 -0700
+Subject: btrfs: Fix a C compliance issue
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+[ Upstream commit edf57cbf2b030781885e339f32e35a470d2f8eba ]
+
+The C programming language does not allow to use preprocessor statements
+inside macro arguments (pr_info() is defined as a macro). Hence rework
+the pr_info() statement in btrfs_print_mod_info() such that it becomes
+compliant. This patch allows tools like sparse to analyze the BTRFS
+source code.
+
+Fixes: 62e855771dac ("btrfs: convert printk(KERN_* to use pr_* calls")
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/super.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -2370,7 +2370,7 @@ static __cold void btrfs_interface_exit(
+
+ static void __init btrfs_print_mod_info(void)
+ {
+- pr_info("Btrfs loaded, crc32c=%s"
++ static const char options[] = ""
+ #ifdef CONFIG_BTRFS_DEBUG
+ ", debug=on"
+ #endif
+@@ -2383,8 +2383,8 @@ static void __init btrfs_print_mod_info(
+ #ifdef CONFIG_BTRFS_FS_REF_VERIFY
+ ", ref-verify=on"
+ #endif
+- "\n",
+- crc32c_impl());
++ ;
++ pr_info("Btrfs loaded, crc32c=%s%s\n", crc32c_impl(), options);
+ }
+
+ static int __init init_btrfs_fs(void)
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Anand Jain <anand.jain@oracle.com>
+Date: Tue, 3 Jul 2018 17:07:23 +0800
+Subject: btrfs: fix in-memory value of total_devices after seed device deletion
+
+From: Anand Jain <anand.jain@oracle.com>
+
+[ Upstream commit b4993e64f78a9605b45252fa9ba385c88a1f4ce9 ]
+
+In case of deleting the seed device the %cur_devices (seed) and the
+%fs_devices (parent) are different. Now, as the parent
+fs_devices::total_devices also maintains the total number of devices
+including the seed device, so decrement its in-memory value for the
+successful seed delete. We are already updating its corresponding
+on-disk btrfs_super_block::number_devices value.
+
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -2029,6 +2029,9 @@ int btrfs_rm_device(struct btrfs_fs_info
+
+ cur_devices->num_devices--;
+ cur_devices->total_devices--;
++ /* Update total_devices of the parent fs_devices if it's seed */
++ if (cur_devices != fs_devices)
++ fs_devices->total_devices--;
+
+ if (test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state))
+ cur_devices->missing_devices--;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: David Sterba <dsterba@suse.com>
+Date: Tue, 19 Jun 2018 18:04:07 +0200
+Subject: btrfs: fix mount and ioctl device scan ioctl race
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 81ffd56b5745355b70d54ca4e1bdd0d64a66ff9f ]
+
+Technically this extends the critical section covered by uuid_mutex to:
+
+- parse early mount options -- here we can call device scan on paths
+ that can be passed as 'device=/dev/...'
+
+- scan the device passed to mount
+
+- open the devices related to the fs_devices -- this increases
+ fs_devices::opened
+
+The race can happen when mount calls one of the scans and there's
+another one called eg. by mkfs or 'btrfs dev scan':
+
+Mount Scan
+----- ----
+scan_one_device (dev1, fsid1)
+ scan_one_device (dev2, fsid1)
+ add the device
+ free stale devices
+ fsid1 fs_devices::opened == 0
+ find fsid1:dev1
+ free fsid1:dev1
+ if it's the last one,
+ free fs_devices of fsid1
+ too
+
+open_devices (dev1, fsid1)
+ dev1 not found
+
+When fixed, the uuid mutex will make sure that mount will increase
+fs_devices::opened and this will not be touched by the racing scan
+ioctl.
+
+Reported-and-tested-by: syzbot+909a5177749d7990ffa4@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+ceb2606025ec1cc3479c@syzkaller.appspotmail.com
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/super.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1557,19 +1557,19 @@ static struct dentry *btrfs_mount_root(s
+
+ mutex_lock(&uuid_mutex);
+ error = btrfs_parse_early_options(data, mode, fs_type, &fs_devices);
+- mutex_unlock(&uuid_mutex);
+- if (error)
++ if (error) {
++ mutex_unlock(&uuid_mutex);
+ goto error_fs_info;
++ }
+
+- mutex_lock(&uuid_mutex);
+ error = btrfs_scan_one_device(device_name, mode, fs_type, &fs_devices);
+- mutex_unlock(&uuid_mutex);
+- if (error)
++ if (error) {
++ mutex_unlock(&uuid_mutex);
+ goto error_fs_info;
++ }
+
+ fs_info->fs_devices = fs_devices;
+
+- mutex_lock(&uuid_mutex);
+ error = btrfs_open_devices(fs_devices, mode, fs_type);
+ mutex_unlock(&uuid_mutex);
+ if (error)
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: David Sterba <dsterba@suse.com>
+Date: Tue, 19 Jun 2018 17:09:47 +0200
+Subject: btrfs: lift uuid_mutex to callers of btrfs_open_devices
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit f5194e34cabaddd348a90f950e0a8188dd26cdc0 ]
+
+Prepartory work to fix race between mount and device scan.
+
+The callers will have to manage the critical section, eg. mount wants to
+scan and then call btrfs_open_devices without the ioctl scan walking in
+and modifying the fs devices in the meantime.
+
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/super.c | 2 ++
+ fs/btrfs/volumes.c | 4 ++--
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1565,7 +1565,9 @@ static struct dentry *btrfs_mount_root(s
+ goto error_fs_info;
+ }
+
++ mutex_lock(&uuid_mutex);
+ error = btrfs_open_devices(fs_devices, mode, fs_type);
++ mutex_unlock(&uuid_mutex);
+ if (error)
+ goto error_fs_info;
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -1146,7 +1146,8 @@ int btrfs_open_devices(struct btrfs_fs_d
+ {
+ int ret;
+
+- mutex_lock(&uuid_mutex);
++ lockdep_assert_held(&uuid_mutex);
++
+ mutex_lock(&fs_devices->device_list_mutex);
+ if (fs_devices->opened) {
+ fs_devices->opened++;
+@@ -1156,7 +1157,6 @@ int btrfs_open_devices(struct btrfs_fs_d
+ ret = open_fs_devices(fs_devices, flags, holder);
+ }
+ mutex_unlock(&fs_devices->device_list_mutex);
+- mutex_unlock(&uuid_mutex);
+
+ return ret;
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: David Sterba <dsterba@suse.com>
+Date: Tue, 19 Jun 2018 17:50:25 +0200
+Subject: btrfs: lift uuid_mutex to callers of btrfs_parse_early_options
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 5139cff598d42b1e531f40c84691a7e945f04553 ]
+
+Prepartory work to fix race between mount and device scan.
+
+btrfs_parse_early_options calls the device scan from mount and we'll
+need to let mount completely manage the critical section.
+
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/super.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -892,6 +892,8 @@ static int btrfs_parse_early_options(con
+ char *device_name, *opts, *orig, *p;
+ int error = 0;
+
++ lockdep_assert_held(&uuid_mutex);
++
+ if (!options)
+ return 0;
+
+@@ -917,10 +919,8 @@ static int btrfs_parse_early_options(con
+ error = -ENOMEM;
+ goto out;
+ }
+- mutex_lock(&uuid_mutex);
+ error = btrfs_scan_one_device(device_name,
+ flags, holder, fs_devices);
+- mutex_unlock(&uuid_mutex);
+ kfree(device_name);
+ if (error)
+ goto out;
+@@ -1528,8 +1528,10 @@ static struct dentry *btrfs_mount_root(s
+ if (!(flags & SB_RDONLY))
+ mode |= FMODE_WRITE;
+
++ mutex_lock(&uuid_mutex);
+ error = btrfs_parse_early_options(data, mode, fs_type,
+ &fs_devices);
++ mutex_unlock(&uuid_mutex);
+ if (error) {
+ return ERR_PTR(error);
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: David Sterba <dsterba@suse.com>
+Date: Tue, 19 Jun 2018 16:37:36 +0200
+Subject: btrfs: lift uuid_mutex to callers of btrfs_scan_one_device
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 899f9307c33ce4758c30a076b10ed54d5c91c6e7 ]
+
+Prepartory work to fix race between mount and device scan.
+
+The callers will have to manage the critical section, eg. mount wants to
+scan and then call btrfs_open_devices without the ioctl scan walking in
+and modifying the fs devices in the meantime.
+
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/super.c | 12 +++++++++++-
+ fs/btrfs/volumes.c | 4 ++--
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -917,8 +917,10 @@ static int btrfs_parse_early_options(con
+ error = -ENOMEM;
+ goto out;
+ }
++ mutex_lock(&uuid_mutex);
+ error = btrfs_scan_one_device(device_name,
+ flags, holder, fs_devices);
++ mutex_unlock(&uuid_mutex);
+ kfree(device_name);
+ if (error)
+ goto out;
+@@ -1539,7 +1541,9 @@ static struct dentry *btrfs_mount_root(s
+ return ERR_PTR(error);
+ }
+
++ mutex_lock(&uuid_mutex);
+ error = btrfs_scan_one_device(device_name, mode, fs_type, &fs_devices);
++ mutex_unlock(&uuid_mutex);
+ if (error)
+ goto error_sec_opts;
+
+@@ -2236,15 +2240,21 @@ static long btrfs_control_ioctl(struct f
+
+ switch (cmd) {
+ case BTRFS_IOC_SCAN_DEV:
++ mutex_lock(&uuid_mutex);
+ ret = btrfs_scan_one_device(vol->name, FMODE_READ,
+ &btrfs_root_fs_type, &fs_devices);
++ mutex_unlock(&uuid_mutex);
+ break;
+ case BTRFS_IOC_DEVICES_READY:
++ mutex_lock(&uuid_mutex);
+ ret = btrfs_scan_one_device(vol->name, FMODE_READ,
+ &btrfs_root_fs_type, &fs_devices);
+- if (ret)
++ if (ret) {
++ mutex_unlock(&uuid_mutex);
+ break;
++ }
+ ret = !(fs_devices->num_devices == fs_devices->total_devices);
++ mutex_unlock(&uuid_mutex);
+ break;
+ case BTRFS_IOC_GET_SUPPORTED_FEATURES:
+ ret = btrfs_ioctl_get_supported_features((void __user*)arg);
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -1241,6 +1241,8 @@ int btrfs_scan_one_device(const char *pa
+ int ret = 0;
+ u64 bytenr;
+
++ lockdep_assert_held(&uuid_mutex);
++
+ /*
+ * we would like to check all the supers, but that would make
+ * a btrfs mount succeed after a mkfs from a different FS.
+@@ -1259,7 +1261,6 @@ int btrfs_scan_one_device(const char *pa
+ goto error_bdev_put;
+ }
+
+- mutex_lock(&uuid_mutex);
+ device = device_list_add(path, disk_super, &new_device_added);
+ if (IS_ERR(device)) {
+ ret = PTR_ERR(device);
+@@ -1268,7 +1269,6 @@ int btrfs_scan_one_device(const char *pa
+ if (new_device_added)
+ btrfs_free_stale_devices(path, device);
+ }
+- mutex_unlock(&uuid_mutex);
+
+ btrfs_release_disk_super(page);
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 3 Jul 2018 17:10:07 +0800
+Subject: btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 389305b2aa68723c754f88d9dbd268a400e10664 ]
+
+Invalid reloc tree can cause kernel NULL pointer dereference when btrfs
+does some cleanup of the reloc roots.
+
+It turns out that fs_info::reloc_ctl can be NULL in
+btrfs_recover_relocation() as we allocate relocation control after all
+reloc roots have been verified.
+So when we hit: note, we haven't called set_reloc_control() thus
+fs_info::reloc_ctl is still NULL.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199833
+Reported-by: Xu Wen <wen.xu@gatech.edu>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Tested-by: Gu Jinxiang <gujx@cn.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/relocation.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -1321,18 +1321,19 @@ static void __del_reloc_root(struct btrf
+ struct mapping_node *node = NULL;
+ struct reloc_control *rc = fs_info->reloc_ctl;
+
+- spin_lock(&rc->reloc_root_tree.lock);
+- rb_node = tree_search(&rc->reloc_root_tree.rb_root,
+- root->node->start);
+- if (rb_node) {
+- node = rb_entry(rb_node, struct mapping_node, rb_node);
+- rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root);
++ if (rc) {
++ spin_lock(&rc->reloc_root_tree.lock);
++ rb_node = tree_search(&rc->reloc_root_tree.rb_root,
++ root->node->start);
++ if (rb_node) {
++ node = rb_entry(rb_node, struct mapping_node, rb_node);
++ rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root);
++ }
++ spin_unlock(&rc->reloc_root_tree.lock);
++ if (!node)
++ return;
++ BUG_ON((struct btrfs_root *)node->data != root);
+ }
+- spin_unlock(&rc->reloc_root_tree.lock);
+-
+- if (!node)
+- return;
+- BUG_ON((struct btrfs_root *)node->data != root);
+
+ spin_lock(&fs_info->trans_lock);
+ list_del_init(&root->root_list);
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Anand Jain <anand.jain@oracle.com>
+Date: Tue, 29 May 2018 15:33:08 +0800
+Subject: btrfs: rename local devices for fs_devices in btrfs_free_stale_devices(
+
+From: Anand Jain <anand.jain@oracle.com>
+
+[ Upstream commit fa6d2ae540a200a17bb7ee769f9df22d411c9404 ]
+
+Over the years we named %fs_devices and %devices to represent the
+struct btrfs_fs_devices and the struct btrfs_device. So follow the same
+scheme here too. No functional changes.
+
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 35 +++++++++++++++++------------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -634,43 +634,42 @@ static void pending_bios_fn(struct btrfs
+ * devices.
+ */
+ static void btrfs_free_stale_devices(const char *path,
+- struct btrfs_device *skip_dev)
++ struct btrfs_device *skip_device)
+ {
+- struct btrfs_fs_devices *fs_devs, *tmp_fs_devs;
+- struct btrfs_device *dev, *tmp_dev;
++ struct btrfs_fs_devices *fs_devices, *tmp_fs_devices;
++ struct btrfs_device *device, *tmp_device;
+
+- list_for_each_entry_safe(fs_devs, tmp_fs_devs, &fs_uuids, fs_list) {
+-
+- if (fs_devs->opened)
++ list_for_each_entry_safe(fs_devices, tmp_fs_devices, &fs_uuids, fs_list) {
++ if (fs_devices->opened)
+ continue;
+
+- list_for_each_entry_safe(dev, tmp_dev,
+- &fs_devs->devices, dev_list) {
++ list_for_each_entry_safe(device, tmp_device,
++ &fs_devices->devices, dev_list) {
+ int not_found = 0;
+
+- if (skip_dev && skip_dev == dev)
++ if (skip_device && skip_device == device)
+ continue;
+- if (path && !dev->name)
++ if (path && !device->name)
+ continue;
+
+ rcu_read_lock();
+ if (path)
+- not_found = strcmp(rcu_str_deref(dev->name),
++ not_found = strcmp(rcu_str_deref(device->name),
+ path);
+ rcu_read_unlock();
+ if (not_found)
+ continue;
+
+ /* delete the stale device */
+- if (fs_devs->num_devices == 1) {
+- btrfs_sysfs_remove_fsid(fs_devs);
+- list_del(&fs_devs->fs_list);
+- free_fs_devices(fs_devs);
++ if (fs_devices->num_devices == 1) {
++ btrfs_sysfs_remove_fsid(fs_devices);
++ list_del(&fs_devices->fs_list);
++ free_fs_devices(fs_devices);
+ break;
+ } else {
+- fs_devs->num_devices--;
+- list_del(&dev->dev_list);
+- btrfs_free_device(dev);
++ fs_devices->num_devices--;
++ list_del(&device->dev_list);
++ btrfs_free_device(device);
+ }
+ }
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: David Sterba <dsterba@suse.com>
+Date: Tue, 19 Jun 2018 18:01:24 +0200
+Subject: btrfs: reorder initialization before the mount locks uuid_mutex
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 399f7f4c42e8a58c8456264d5112287aefe44cf4 ]
+
+In preparation to take a big lock, move resource initialization before
+the critical section. It's not obvious from the diff, the desired order
+is:
+
+- initialize mount security options
+- allocate temporary fs_info
+- allocate superblock buffers
+
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/super.c | 30 ++++++++++++++----------------
+ 1 file changed, 14 insertions(+), 16 deletions(-)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1528,14 +1528,6 @@ static struct dentry *btrfs_mount_root(s
+ if (!(flags & SB_RDONLY))
+ mode |= FMODE_WRITE;
+
+- mutex_lock(&uuid_mutex);
+- error = btrfs_parse_early_options(data, mode, fs_type,
+- &fs_devices);
+- mutex_unlock(&uuid_mutex);
+- if (error) {
+- return ERR_PTR(error);
+- }
+-
+ security_init_mnt_opts(&new_sec_opts);
+ if (data) {
+ error = parse_security_options(data, &new_sec_opts);
+@@ -1543,12 +1535,6 @@ static struct dentry *btrfs_mount_root(s
+ return ERR_PTR(error);
+ }
+
+- mutex_lock(&uuid_mutex);
+- error = btrfs_scan_one_device(device_name, mode, fs_type, &fs_devices);
+- mutex_unlock(&uuid_mutex);
+- if (error)
+- goto error_sec_opts;
+-
+ /*
+ * Setup a dummy root and fs_info for test/set super. This is because
+ * we don't actually fill this stuff out until open_ctree, but we need
+@@ -1561,8 +1547,6 @@ static struct dentry *btrfs_mount_root(s
+ goto error_sec_opts;
+ }
+
+- fs_info->fs_devices = fs_devices;
+-
+ fs_info->super_copy = kzalloc(BTRFS_SUPER_INFO_SIZE, GFP_KERNEL);
+ fs_info->super_for_commit = kzalloc(BTRFS_SUPER_INFO_SIZE, GFP_KERNEL);
+ security_init_mnt_opts(&fs_info->security_opts);
+@@ -1572,6 +1556,20 @@ static struct dentry *btrfs_mount_root(s
+ }
+
+ mutex_lock(&uuid_mutex);
++ error = btrfs_parse_early_options(data, mode, fs_type, &fs_devices);
++ mutex_unlock(&uuid_mutex);
++ if (error)
++ goto error_fs_info;
++
++ mutex_lock(&uuid_mutex);
++ error = btrfs_scan_one_device(device_name, mode, fs_type, &fs_devices);
++ mutex_unlock(&uuid_mutex);
++ if (error)
++ goto error_fs_info;
++
++ fs_info->fs_devices = fs_devices;
++
++ mutex_lock(&uuid_mutex);
+ error = btrfs_open_devices(fs_devices, mode, fs_type);
+ mutex_unlock(&uuid_mutex);
+ if (error)
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
+Date: Tue, 31 Jul 2018 16:20:21 +0900
+Subject: btrfs: replace: Reset on-disk dev stats value after replace
+
+From: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
+
+[ Upstream commit 1e7e1f9e3aba00c9b9c323bfeeddafe69ff21ff6 ]
+
+on-disk devs stats value is updated in btrfs_run_dev_stats(),
+which is called during commit transaction, if device->dev_stats_ccnt
+is not zero.
+
+Since current replace operation does not touch dev_stats_ccnt,
+on-disk dev stats value is not updated. Therefore "btrfs device stats"
+may return old device's value after umount/mount
+(Example: See "btrfs ins dump-t -t DEV $DEV" after btrfs/100 finish).
+
+Fix this by just incrementing dev_stats_ccnt in
+btrfs_dev_replace_finishing() when replace is succeeded and this will
+update the values.
+
+Signed-off-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/dev-replace.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/btrfs/dev-replace.c
++++ b/fs/btrfs/dev-replace.c
+@@ -677,6 +677,12 @@ static int btrfs_dev_replace_finishing(s
+ btrfs_rm_dev_replace_unblocked(fs_info);
+
+ /*
++ * Increment dev_stats_ccnt so that btrfs_run_dev_stats() will
++ * update on-disk dev stats value during commit transaction
++ */
++ atomic_inc(&tgt_device->dev_stats_ccnt);
++
++ /*
+ * this is again a consistent state where no dev_replace procedure
+ * is running, the target device is part of the filesystem, the
+ * source device is not part of the filesystem anymore and its 1st
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 3 Jul 2018 17:10:06 +0800
+Subject: btrfs: tree-checker: Detect invalid and empty essential trees
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit ba480dd4db9f1798541eb2d1c423fc95feee8d36 ]
+
+A crafted image has empty root tree block, which will later cause NULL
+pointer dereference.
+
+The following trees should never be empty:
+1) Tree root
+ Must contain at least root items for extent tree, device tree and fs
+ tree
+
+2) Chunk tree
+ Or we can't even bootstrap as it contains the mapping.
+
+3) Fs tree
+ At least inode item for top level inode (.).
+
+4) Device tree
+ Dev extents for chunks
+
+5) Extent tree
+ Must have corresponding extent for each chunk.
+
+If any of them is empty, we are sure the fs is corrupted and no need to
+mount it.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199847
+Reported-by: Xu Wen <wen.xu@gatech.edu>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Tested-by: Gu Jinxiang <gujx@cn.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-checker.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -396,9 +396,22 @@ static int check_leaf(struct btrfs_fs_in
+ * skip this check for relocation trees.
+ */
+ if (nritems == 0 && !btrfs_header_flag(leaf, BTRFS_HEADER_FLAG_RELOC)) {
++ u64 owner = btrfs_header_owner(leaf);
+ struct btrfs_root *check_root;
+
+- key.objectid = btrfs_header_owner(leaf);
++ /* These trees must never be empty */
++ if (owner == BTRFS_ROOT_TREE_OBJECTID ||
++ owner == BTRFS_CHUNK_TREE_OBJECTID ||
++ owner == BTRFS_EXTENT_TREE_OBJECTID ||
++ owner == BTRFS_DEV_TREE_OBJECTID ||
++ owner == BTRFS_FS_TREE_OBJECTID ||
++ owner == BTRFS_DATA_RELOC_TREE_OBJECTID) {
++ generic_err(fs_info, leaf, 0,
++ "invalid root, root %llu must never be empty",
++ owner);
++ return -EUCLEAN;
++ }
++ key.objectid = owner;
+ key.type = BTRFS_ROOT_ITEM_KEY;
+ key.offset = (u64)-1;
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Anand Jain <anand.jain@oracle.com>
+Date: Tue, 29 May 2018 17:23:20 +0800
+Subject: btrfs: use device_list_mutex when removing stale devices
+
+From: Anand Jain <anand.jain@oracle.com>
+
+[ Upstream commit 7bcb8164ad9435068d9bc3b83b8a002c64d63ff6 ]
+
+btrfs_free_stale_devices() finds a stale (not opened) device matching
+path in the fs_uuid list. We are already under uuid_mutex so when we
+check for each fs_devices, hold the device_list_mutex too.
+
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -640,8 +640,11 @@ static void btrfs_free_stale_devices(con
+ struct btrfs_device *device, *tmp_device;
+
+ list_for_each_entry_safe(fs_devices, tmp_fs_devices, &fs_uuids, fs_list) {
+- if (fs_devices->opened)
++ mutex_lock(&fs_devices->device_list_mutex);
++ if (fs_devices->opened) {
++ mutex_unlock(&fs_devices->device_list_mutex);
+ continue;
++ }
+
+ list_for_each_entry_safe(device, tmp_device,
+ &fs_devices->devices, dev_list) {
+@@ -661,16 +664,18 @@ static void btrfs_free_stale_devices(con
+ continue;
+
+ /* delete the stale device */
+- if (fs_devices->num_devices == 1) {
+- btrfs_sysfs_remove_fsid(fs_devices);
+- list_del(&fs_devices->fs_list);
+- free_fs_devices(fs_devices);
++ fs_devices->num_devices--;
++ list_del(&device->dev_list);
++ btrfs_free_device(device);
++
++ if (fs_devices->num_devices == 0)
+ break;
+- } else {
+- fs_devices->num_devices--;
+- list_del(&device->dev_list);
+- btrfs_free_device(device);
+- }
++ }
++ mutex_unlock(&fs_devices->device_list_mutex);
++ if (fs_devices->num_devices == 0) {
++ btrfs_sysfs_remove_fsid(fs_devices);
++ list_del(&fs_devices->fs_list);
++ free_fs_devices(fs_devices);
+ }
+ }
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Tue, 7 Aug 2018 16:17:29 -0700
+Subject: cfq: Suppress compiler warnings about comparisons
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+[ Upstream commit f7ecb1b109da1006a08d5675debe60990e824432 ]
+
+This patch does not change any functionality but avoids that gcc
+reports the following warnings when building with W=1:
+
+block/cfq-iosched.c: In function ?cfq_back_seek_max_store?:
+block/cfq-iosched.c:4741:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
+ if (__data < (MIN)) \
+ ^
+block/cfq-iosched.c:4756:1: note: in expansion of macro ?STORE_FUNCTION?
+ STORE_FUNCTION(cfq_back_seek_max_store, &cfqd->cfq_back_max, 0, UINT_MAX, 0);
+ ^~~~~~~~~~~~~~
+block/cfq-iosched.c: In function ?cfq_slice_idle_store?:
+block/cfq-iosched.c:4741:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
+ if (__data < (MIN)) \
+ ^
+block/cfq-iosched.c:4759:1: note: in expansion of macro ?STORE_FUNCTION?
+ STORE_FUNCTION(cfq_slice_idle_store, &cfqd->cfq_slice_idle, 0, UINT_MAX, 1);
+ ^~~~~~~~~~~~~~
+block/cfq-iosched.c: In function ?cfq_group_idle_store?:
+block/cfq-iosched.c:4741:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
+ if (__data < (MIN)) \
+ ^
+block/cfq-iosched.c:4760:1: note: in expansion of macro ?STORE_FUNCTION?
+ STORE_FUNCTION(cfq_group_idle_store, &cfqd->cfq_group_idle, 0, UINT_MAX, 1);
+ ^~~~~~~~~~~~~~
+block/cfq-iosched.c: In function ?cfq_low_latency_store?:
+block/cfq-iosched.c:4741:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
+ if (__data < (MIN)) \
+ ^
+block/cfq-iosched.c:4765:1: note: in expansion of macro ?STORE_FUNCTION?
+ STORE_FUNCTION(cfq_low_latency_store, &cfqd->cfq_latency, 0, 1, 0);
+ ^~~~~~~~~~~~~~
+block/cfq-iosched.c: In function ?cfq_slice_idle_us_store?:
+block/cfq-iosched.c:4775:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
+ if (__data < (MIN)) \
+ ^
+block/cfq-iosched.c:4782:1: note: in expansion of macro ?USEC_STORE_FUNCTION?
+ USEC_STORE_FUNCTION(cfq_slice_idle_us_store, &cfqd->cfq_slice_idle, 0, UINT_MAX);
+ ^~~~~~~~~~~~~~~~~~~
+block/cfq-iosched.c: In function ?cfq_group_idle_us_store?:
+block/cfq-iosched.c:4775:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
+ if (__data < (MIN)) \
+ ^
+block/cfq-iosched.c:4783:1: note: in expansion of macro ?USEC_STORE_FUNCTION?
+ USEC_STORE_FUNCTION(cfq_group_idle_us_store, &cfqd->cfq_group_idle, 0, UINT_MAX);
+ ^~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/cfq-iosched.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/block/cfq-iosched.c
++++ b/block/cfq-iosched.c
+@@ -4735,12 +4735,13 @@ USEC_SHOW_FUNCTION(cfq_target_latency_us
+ static ssize_t __FUNC(struct elevator_queue *e, const char *page, size_t count) \
+ { \
+ struct cfq_data *cfqd = e->elevator_data; \
+- unsigned int __data; \
++ unsigned int __data, __min = (MIN), __max = (MAX); \
++ \
+ cfq_var_store(&__data, (page)); \
+- if (__data < (MIN)) \
+- __data = (MIN); \
+- else if (__data > (MAX)) \
+- __data = (MAX); \
++ if (__data < __min) \
++ __data = __min; \
++ else if (__data > __max) \
++ __data = __max; \
+ if (__CONV) \
+ *(__PTR) = (u64)__data * NSEC_PER_MSEC; \
+ else \
+@@ -4769,12 +4770,13 @@ STORE_FUNCTION(cfq_target_latency_store,
+ static ssize_t __FUNC(struct elevator_queue *e, const char *page, size_t count) \
+ { \
+ struct cfq_data *cfqd = e->elevator_data; \
+- unsigned int __data; \
++ unsigned int __data, __min = (MIN), __max = (MAX); \
++ \
+ cfq_var_store(&__data, (page)); \
+- if (__data < (MIN)) \
+- __data = (MIN); \
+- else if (__data > (MAX)) \
+- __data = (MAX); \
++ if (__data < __min) \
++ __data = __min; \
++ else if (__data > __max) \
++ __data = __max; \
+ *(__PTR) = (u64)__data * NSEC_PER_USEC; \
+ return count; \
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Wed, 22 Aug 2018 12:19:24 +1000
+Subject: cifs: check if SMB2 PDU size has been padded and suppress the warning
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+[ Upstream commit e6c47dd0da1e3a484e778046fc10da0b20606a86 ]
+
+Some SMB2/3 servers, Win2016 but possibly others too, adds padding
+not only between PDUs in a compound but also to the final PDU.
+This padding extends the PDU to a multiple of 8 bytes.
+
+Check if the unexpected length looks like this might be the case
+and avoid triggering the log messages for :
+
+ "SMB2 server sent bad RFC1001 len %d not %d\n"
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2misc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/cifs/smb2misc.c
++++ b/fs/cifs/smb2misc.c
+@@ -241,6 +241,13 @@ smb2_check_message(char *buf, unsigned i
+ return 0;
+
+ /*
++ * Some windows servers (win2016) will pad also the final
++ * PDU in a compound to 8 bytes.
++ */
++ if (((clc_len + 7) & ~7) == len)
++ return 0;
++
++ /*
+ * MacOS server pads after SMB2.1 write response with 3 bytes
+ * of junk. Other servers match RFC1001 len to actual
+ * SMB2/SMB3 frame length (header + smb2 response specific data)
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Aurelien Aptel <aaptel@suse.com>
+Date: Tue, 19 Jun 2018 15:18:48 -0700
+Subject: CIFS: fix memory leak and remove dead code
+
+From: Aurelien Aptel <aaptel@suse.com>
+
+[ Upstream commit 256b4c3f03d77d8c0dc69e3a6ceb3afd0d1810bd ]
+
+also fixes error code in smb311_posix_mkdir() (where
+the error assignment needs to go before the goto)
+a typo that Dan Carpenter and Paulo and Gustavo
+pointed out.
+
+Signed-off-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Reviewed-by: Paulo Alcantara <palcantara@suse.de>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2pdu.c | 101 ++++++++++++++++++++++++++----------------------------
+ 1 file changed, 50 insertions(+), 51 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1928,7 +1928,7 @@ int smb311_posix_mkdir(const unsigned in
+ {
+ struct smb_rqst rqst;
+ struct smb2_create_req *req;
+- struct smb2_create_rsp *rsp;
++ struct smb2_create_rsp *rsp = NULL;
+ struct TCP_Server_Info *server;
+ struct cifs_ses *ses = tcon->ses;
+ struct kvec iov[3]; /* make sure at least one for each open context */
+@@ -1943,27 +1943,31 @@ int smb311_posix_mkdir(const unsigned in
+ char *pc_buf = NULL;
+ int flags = 0;
+ unsigned int total_len;
+- __le16 *path = cifs_convert_path_to_utf16(full_path, cifs_sb);
+-
+- if (!path)
+- return -ENOMEM;
++ __le16 *utf16_path = NULL;
+
+ cifs_dbg(FYI, "mkdir\n");
+
++ /* resource #1: path allocation */
++ utf16_path = cifs_convert_path_to_utf16(full_path, cifs_sb);
++ if (!utf16_path)
++ return -ENOMEM;
++
+ if (ses && (ses->server))
+ server = ses->server;
+- else
+- return -EIO;
++ else {
++ rc = -EIO;
++ goto err_free_path;
++ }
+
++ /* resource #2: request */
+ rc = smb2_plain_req_init(SMB2_CREATE, tcon, (void **) &req, &total_len);
+-
+ if (rc)
+- return rc;
++ goto err_free_path;
++
+
+ if (smb3_encryption_required(tcon))
+ flags |= CIFS_TRANSFORM_REQ;
+
+-
+ req->ImpersonationLevel = IL_IMPERSONATION;
+ req->DesiredAccess = cpu_to_le32(FILE_WRITE_ATTRIBUTES);
+ /* File attributes ignored on open (used in create though) */
+@@ -1992,50 +1996,44 @@ int smb311_posix_mkdir(const unsigned in
+ req->sync_hdr.Flags |= SMB2_FLAGS_DFS_OPERATIONS;
+ rc = alloc_path_with_tree_prefix(©_path, ©_size,
+ &name_len,
+- tcon->treeName, path);
+- if (rc) {
+- cifs_small_buf_release(req);
+- return rc;
+- }
++ tcon->treeName, utf16_path);
++ if (rc)
++ goto err_free_req;
++
+ req->NameLength = cpu_to_le16(name_len * 2);
+ uni_path_len = copy_size;
+- path = copy_path;
++ /* free before overwriting resource */
++ kfree(utf16_path);
++ utf16_path = copy_path;
+ } else {
+- uni_path_len = (2 * UniStrnlen((wchar_t *)path, PATH_MAX)) + 2;
++ uni_path_len = (2 * UniStrnlen((wchar_t *)utf16_path, PATH_MAX)) + 2;
+ /* MUST set path len (NameLength) to 0 opening root of share */
+ req->NameLength = cpu_to_le16(uni_path_len - 2);
+ if (uni_path_len % 8 != 0) {
+ copy_size = roundup(uni_path_len, 8);
+ copy_path = kzalloc(copy_size, GFP_KERNEL);
+ if (!copy_path) {
+- cifs_small_buf_release(req);
+- return -ENOMEM;
++ rc = -ENOMEM;
++ goto err_free_req;
+ }
+- memcpy((char *)copy_path, (const char *)path,
++ memcpy((char *)copy_path, (const char *)utf16_path,
+ uni_path_len);
+ uni_path_len = copy_size;
+- path = copy_path;
++ /* free before overwriting resource */
++ kfree(utf16_path);
++ utf16_path = copy_path;
+ }
+ }
+
+ iov[1].iov_len = uni_path_len;
+- iov[1].iov_base = path;
++ iov[1].iov_base = utf16_path;
+ req->RequestedOplockLevel = SMB2_OPLOCK_LEVEL_NONE;
+
+ if (tcon->posix_extensions) {
+- if (n_iov > 2) {
+- struct create_context *ccontext =
+- (struct create_context *)iov[n_iov-1].iov_base;
+- ccontext->Next =
+- cpu_to_le32(iov[n_iov-1].iov_len);
+- }
+-
++ /* resource #3: posix buf */
+ rc = add_posix_context(iov, &n_iov, mode);
+- if (rc) {
+- cifs_small_buf_release(req);
+- kfree(copy_path);
+- return rc;
+- }
++ if (rc)
++ goto err_free_req;
+ pc_buf = iov[n_iov-1].iov_base;
+ }
+
+@@ -2044,32 +2042,33 @@ int smb311_posix_mkdir(const unsigned in
+ rqst.rq_iov = iov;
+ rqst.rq_nvec = n_iov;
+
+- rc = cifs_send_recv(xid, ses, &rqst, &resp_buftype, flags,
+- &rsp_iov);
+-
+- cifs_small_buf_release(req);
+- rsp = (struct smb2_create_rsp *)rsp_iov.iov_base;
+-
+- if (rc != 0) {
++ /* resource #4: response buffer */
++ rc = cifs_send_recv(xid, ses, &rqst, &resp_buftype, flags, &rsp_iov);
++ if (rc) {
+ cifs_stats_fail_inc(tcon, SMB2_CREATE_HE);
+ trace_smb3_posix_mkdir_err(xid, tcon->tid, ses->Suid,
+- CREATE_NOT_FILE, FILE_WRITE_ATTRIBUTES, rc);
+- goto smb311_mkdir_exit;
+- } else
+- trace_smb3_posix_mkdir_done(xid, rsp->PersistentFileId, tcon->tid,
+- ses->Suid, CREATE_NOT_FILE,
+- FILE_WRITE_ATTRIBUTES);
++ CREATE_NOT_FILE,
++ FILE_WRITE_ATTRIBUTES, rc);
++ goto err_free_rsp_buf;
++ }
++
++ rsp = (struct smb2_create_rsp *)rsp_iov.iov_base;
++ trace_smb3_posix_mkdir_done(xid, rsp->PersistentFileId, tcon->tid,
++ ses->Suid, CREATE_NOT_FILE,
++ FILE_WRITE_ATTRIBUTES);
+
+ SMB2_close(xid, tcon, rsp->PersistentFileId, rsp->VolatileFileId);
+
+ /* Eventually save off posix specific response info and timestaps */
+
+-smb311_mkdir_exit:
+- kfree(copy_path);
+- kfree(pc_buf);
++err_free_rsp_buf:
+ free_rsp_buf(resp_buftype, rsp);
++ kfree(pc_buf);
++err_free_req:
++ cifs_small_buf_release(req);
++err_free_path:
++ kfree(utf16_path);
+ return rc;
+-
+ }
+ #endif /* SMB311 */
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Levin Du <djw@t-chip.com.cn>
+Date: Sat, 4 Aug 2018 15:31:02 +0800
+Subject: clk: rockchip: Add pclk_rkpwm_pmu to PMU critical clocks in rk3399
+
+From: Levin Du <djw@t-chip.com.cn>
+
+[ Upstream commit 640332d1a089909df08bc9f3e42888a2019c66e2 ]
+
+PWM2 is commonly used to control voltage of PWM regulator of VDD_LOG in
+RK3399. On the Firefly-RK3399 board, PWM2 outputs 40 KHz square wave
+from power on and the VDD_LOG is about 0.9V. When the kernel boots
+normally into the system, the PWM2 keeps outputing PWM signal.
+
+But the kernel hangs randomly after "Starting kernel ..." line on that
+board. When it happens, PWM2 outputs high level which causes VDD_LOG
+drops to 0.4V below the normal operating voltage.
+
+By adding "pclk_rkpwm_pmu" to the rk3399_pmucru_critical_clocks array,
+PWM clock is ensured to be prepared at startup and the PWM2 output is
+normal. After repeated tests, the early boot hang is gone.
+
+This patch works on both Firefly-RK3399 and ROC-RK3399-PC boards.
+
+Signed-off-by: Levin Du <djw@t-chip.com.cn>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/rockchip/clk-rk3399.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/clk/rockchip/clk-rk3399.c
++++ b/drivers/clk/rockchip/clk-rk3399.c
+@@ -1523,6 +1523,7 @@ static const char *const rk3399_pmucru_c
+ "pclk_pmu_src",
+ "fclk_cm0s_src_pmu",
+ "clk_timer_src_pmu",
++ "pclk_rkpwm_pmu",
+ };
+
+ static void __init rk3399_clk_init(struct device_node *np)
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Denis Efremov <efremov@linux.com>
+Date: Fri, 10 Aug 2018 23:25:55 +0300
+Subject: coccicheck: return proper error code on fail
+
+From: Denis Efremov <efremov@linux.com>
+
+[ Upstream commit 512ddf7d7db056edfed3159ea7cb4e4a5eefddd4 ]
+
+If coccicheck fails, it should return an error code distinct from zero
+to signal about an internal problem. Current code instead of exiting with
+the tool's error code returns the error code of 'echo "coccicheck failed"'
+which is almost always equals to zero, thus failing the original intention
+of alerting about a problem. This patch fixes the code.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Denis Efremov <efremov@linux.com>
+Acked-by: Julia Lawall <julia.lawall@lip6.fr>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/coccicheck | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/scripts/coccicheck
++++ b/scripts/coccicheck
+@@ -128,9 +128,10 @@ run_cmd_parmap() {
+ fi
+ echo $@ >>$DEBUG_FILE
+ $@ 2>>$DEBUG_FILE
+- if [[ $? -ne 0 ]]; then
++ err=$?
++ if [[ $err -ne 0 ]]; then
+ echo "coccicheck failed"
+- exit $?
++ exit $err
+ fi
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: John Pittman <jpittman@redhat.com>
+Date: Mon, 6 Aug 2018 15:53:12 -0400
+Subject: dm kcopyd: avoid softlockup in run_complete_job
+
+From: John Pittman <jpittman@redhat.com>
+
+[ Upstream commit 784c9a29e99eb40b842c29ecf1cc3a79e00fb629 ]
+
+It was reported that softlockups occur when using dm-snapshot ontop of
+slow (rbd) storage. E.g.:
+
+[ 4047.990647] watchdog: BUG: soft lockup - CPU#10 stuck for 22s! [kworker/10:23:26177]
+...
+[ 4048.034151] Workqueue: kcopyd do_work [dm_mod]
+[ 4048.034156] RIP: 0010:copy_callback+0x41/0x160 [dm_snapshot]
+...
+[ 4048.034190] Call Trace:
+[ 4048.034196] ? __chunk_is_tracked+0x70/0x70 [dm_snapshot]
+[ 4048.034200] run_complete_job+0x5f/0xb0 [dm_mod]
+[ 4048.034205] process_jobs+0x91/0x220 [dm_mod]
+[ 4048.034210] ? kcopyd_put_pages+0x40/0x40 [dm_mod]
+[ 4048.034214] do_work+0x46/0xa0 [dm_mod]
+[ 4048.034219] process_one_work+0x171/0x370
+[ 4048.034221] worker_thread+0x1fc/0x3f0
+[ 4048.034224] kthread+0xf8/0x130
+[ 4048.034226] ? max_active_store+0x80/0x80
+[ 4048.034227] ? kthread_bind+0x10/0x10
+[ 4048.034231] ret_from_fork+0x35/0x40
+[ 4048.034233] Kernel panic - not syncing: softlockup: hung tasks
+
+Fix this by calling cond_resched() after run_complete_job()'s callout to
+the dm_kcopyd_notify_fn (which is dm-snap.c:copy_callback in the above
+trace).
+
+Signed-off-by: John Pittman <jpittman@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-kcopyd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/md/dm-kcopyd.c
++++ b/drivers/md/dm-kcopyd.c
+@@ -487,6 +487,8 @@ static int run_complete_job(struct kcopy
+ if (atomic_dec_and_test(&kc->nr_jobs))
+ wake_up(&kc->destroyq);
+
++ cond_resched();
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Date: Fri, 3 Aug 2018 10:40:20 -0400
+Subject: drm/amd/display: Guard against null crtc in CRC IRQ
+
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+
+[ Upstream commit dddc0557e3a02499ce336b1e2e67f5afaecccc80 ]
+
+[Why]
+
+A null pointer deference can occur if crtc is null in
+amdgpu_dm_crtc_handle_crc_irq. This can happen if get_crtc_by_otg_inst
+returns NULL during dm_crtc_high_irq, leading to a hang in some IGT
+test cases.
+
+[How]
+
+Check that CRTC is non-null before accessing its fields.
+
+Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Reviewed-by: Sun peng Li <Sunpeng.Li@amd.com>
+Acked-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c
+@@ -98,10 +98,16 @@ int amdgpu_dm_crtc_set_crc_source(struct
+ */
+ void amdgpu_dm_crtc_handle_crc_irq(struct drm_crtc *crtc)
+ {
+- struct dm_crtc_state *crtc_state = to_dm_crtc_state(crtc->state);
+- struct dc_stream_state *stream_state = crtc_state->stream;
++ struct dm_crtc_state *crtc_state;
++ struct dc_stream_state *stream_state;
+ uint32_t crcs[3];
+
++ if (crtc == NULL)
++ return;
++
++ crtc_state = to_dm_crtc_state(crtc->state);
++ stream_state = crtc_state->stream;
++
+ /* Early return if CRC capture is not enabled. */
+ if (!crtc_state->crc_enabled)
+ return;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: David Francis <David.Francis@amd.com>
+Date: Wed, 18 Jul 2018 16:03:30 -0400
+Subject: drm/amd/display: Read back max backlight value at boot
+
+From: David Francis <David.Francis@amd.com>
+
+[ Upstream commit 53a53f8687faf492df2644d8c18ff0217fc18730 ]
+
+[Why]
+If there is no program explicitly setting the backlight
+brightness (for example, during a minimal install of linux), the
+hardware defaults to maximum brightness but the backlight_device
+defaults to 0 value. Thus, settings displays the wrong brightness
+value.
+
+[How]
+When creating the backlight device, set brightness to max
+
+Signed-off-by: David Francis <David.Francis@amd.com>
+Reviewed-by: Harry Wentland <Harry.Wentland@amd.com>
+Acked-by: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -1334,6 +1334,7 @@ amdgpu_dm_register_backlight_device(stru
+ struct backlight_properties props = { 0 };
+
+ props.max_brightness = AMDGPU_MAX_BL_LEVEL;
++ props.brightness = AMDGPU_MAX_BL_LEVEL;
+ props.type = BACKLIGHT_RAW;
+
+ snprintf(bl_name, sizeof(bl_name), "amdgpu_bl%d",
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Mon, 23 Jul 2018 14:27:23 +0200
+Subject: drm/etnaviv: fix crash in GPU suspend when init failed due to buffer placement
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+[ Upstream commit 5b147465532365dc4e2fee8499d6ca1f52dd0d16 ]
+
+When the suballocator was unable to provide a suitable buffer for the MMUv1
+linear window, we roll back the GPU initialization. As the GPU is runtime
+resumed at that point we need to clear the kernel cmdbuf suballoc entry to
+properly skip any attempt to manipulate the cmdbuf when the GPU gets shut
+down in the runtime suspend later on.
+
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+@@ -799,6 +799,7 @@ int etnaviv_gpu_init(struct etnaviv_gpu
+
+ free_buffer:
+ etnaviv_cmdbuf_free(&gpu->buffer);
++ gpu->buffer.suballoc = NULL;
+ destroy_iommu:
+ etnaviv_iommu_destroy(gpu->mmu);
+ gpu->mmu = NULL;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Chao Yu <yuchao0@huawei.com>
+Date: Sun, 5 Aug 2018 23:02:22 +0800
+Subject: f2fs: avoid race between zero_range and background GC
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit c7079853c859c910b9d047a37891b4aafb8f8dd7 ]
+
+Thread A Background GC
+- f2fs_zero_range
+ - truncate_pagecache_range
+ - gc_data_segment
+ - get_read_data_page
+ - move_data_page
+ - set_page_dirty
+ - set_cold_data
+ - f2fs_do_zero_range
+ - dn->data_blkaddr = NEW_ADDR;
+ - f2fs_set_data_blkaddr
+
+Actually, we don't need to set dirty & checked flag on the page, since
+all valid data in the page should be zeroed by zero_range().
+
+Use i_gc_rwsem[WRITE] to avoid such race condition.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/file.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -1295,8 +1295,6 @@ static int f2fs_zero_range(struct inode
+ if (ret)
+ goto out_sem;
+
+- truncate_pagecache_range(inode, offset, offset + len - 1);
+-
+ pg_start = ((unsigned long long) offset) >> PAGE_SHIFT;
+ pg_end = ((unsigned long long) offset + len) >> PAGE_SHIFT;
+
+@@ -1326,12 +1324,19 @@ static int f2fs_zero_range(struct inode
+ unsigned int end_offset;
+ pgoff_t end;
+
++ down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
++
++ truncate_pagecache_range(inode,
++ (loff_t)index << PAGE_SHIFT,
++ ((loff_t)pg_end << PAGE_SHIFT) - 1);
++
+ f2fs_lock_op(sbi);
+
+ set_new_dnode(&dn, inode, NULL, NULL, 0);
+ ret = f2fs_get_dnode_of_data(&dn, index, ALLOC_NODE);
+ if (ret) {
+ f2fs_unlock_op(sbi);
++ up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
+ goto out;
+ }
+
+@@ -1340,7 +1345,9 @@ static int f2fs_zero_range(struct inode
+
+ ret = f2fs_do_zero_range(&dn, index, end);
+ f2fs_put_dnode(&dn);
++
+ f2fs_unlock_op(sbi);
++ up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
+
+ f2fs_balance_fs(sbi, dn.node_changed);
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Chao Yu <yuchao0@huawei.com>
+Date: Sun, 5 Aug 2018 23:04:25 +0800
+Subject: f2fs: fix avoid race between truncate and background GC
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit a33c150237a20d97a174243bc658c86502f9d370 ]
+
+Thread A Background GC
+- f2fs_setattr isize to 0
+ - truncate_setsize
+ - gc_data_segment
+ - f2fs_get_read_data_page page #0
+ - set_page_dirty
+ - set_cold_data
+ - f2fs_truncate
+
+- f2fs_setattr isize to 4k
+- read 4k <--- hit data in cached page #0
+
+Above race condition can cause read out invalid data in a truncated
+page, fix it by i_gc_rwsem[WRITE] lock.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/data.c | 4 ++++
+ fs/f2fs/file.c | 37 +++++++++++++++++++++++--------------
+ 2 files changed, 27 insertions(+), 14 deletions(-)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -2149,8 +2149,12 @@ static void f2fs_write_failed(struct add
+
+ if (to > i_size) {
+ down_write(&F2FS_I(inode)->i_mmap_sem);
++ down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
++
+ truncate_pagecache(inode, i_size);
+ f2fs_truncate_blocks(inode, i_size, true);
++
++ up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
+ up_write(&F2FS_I(inode)->i_mmap_sem);
+ }
+ }
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -782,22 +782,26 @@ int f2fs_setattr(struct dentry *dentry,
+ }
+
+ if (attr->ia_valid & ATTR_SIZE) {
+- if (attr->ia_size <= i_size_read(inode)) {
+- down_write(&F2FS_I(inode)->i_mmap_sem);
+- truncate_setsize(inode, attr->ia_size);
++ bool to_smaller = (attr->ia_size <= i_size_read(inode));
++
++ down_write(&F2FS_I(inode)->i_mmap_sem);
++ down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
++
++ truncate_setsize(inode, attr->ia_size);
++
++ if (to_smaller)
+ err = f2fs_truncate(inode);
+- up_write(&F2FS_I(inode)->i_mmap_sem);
+- if (err)
+- return err;
+- } else {
+- /*
+- * do not trim all blocks after i_size if target size is
+- * larger than i_size.
+- */
+- down_write(&F2FS_I(inode)->i_mmap_sem);
+- truncate_setsize(inode, attr->ia_size);
+- up_write(&F2FS_I(inode)->i_mmap_sem);
++ /*
++ * do not trim all blocks after i_size if target size is
++ * larger than i_size.
++ */
++ up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
++ up_write(&F2FS_I(inode)->i_mmap_sem);
++
++ if (err)
++ return err;
+
++ if (!to_smaller) {
+ /* should convert inline inode here */
+ if (!f2fs_may_inline_data(inode)) {
+ err = f2fs_convert_inline_inode(inode);
+@@ -944,13 +948,18 @@ static int punch_hole(struct inode *inod
+
+ blk_start = (loff_t)pg_start << PAGE_SHIFT;
+ blk_end = (loff_t)pg_end << PAGE_SHIFT;
++
+ down_write(&F2FS_I(inode)->i_mmap_sem);
++ down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
++
+ truncate_inode_pages_range(mapping, blk_start,
+ blk_end - 1);
+
+ f2fs_lock_op(sbi);
+ ret = f2fs_truncate_hole(inode, pg_start, pg_end);
+ f2fs_unlock_op(sbi);
++
++ up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
+ up_write(&F2FS_I(inode)->i_mmap_sem);
+ }
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Chao Yu <yuchao0@huawei.com>
+Date: Sun, 29 Jul 2018 12:16:59 +0800
+Subject: f2fs: fix to clear PG_checked flag in set_page_dirty()
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 66110abc4c931f879d70e83e1281f891699364bf ]
+
+PG_checked flag will be set on data page during GC, later, we can
+recognize such page by the flag and migrate page to cold segment.
+
+But previously, we don't clear this flag when invalidating data page,
+after page redirtying, we will write it into wrong log.
+
+Let's clear PG_checked flag in set_page_dirty() to avoid this.
+
+Signed-off-by: Weichao Guo <guoweichao@huawei.com>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/data.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -2494,6 +2494,10 @@ static int f2fs_set_data_page_dirty(stru
+ if (!PageUptodate(page))
+ SetPageUptodate(page);
+
++ /* don't remain PG_checked flag which was set during GC */
++ if (is_cold_data(page))
++ clear_cold_data(page);
++
+ if (f2fs_is_atomic_file(inode) && !f2fs_is_commit_atomic_write(inode)) {
+ if (!IS_ATOMIC_WRITTEN_PAGE(page)) {
+ f2fs_register_inmem_page(inode, page);
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Date: Tue, 21 Aug 2018 21:59:44 -0700
+Subject: fat: validate ->i_start before using
+
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+
+[ Upstream commit 0afa9626667c3659ef8bd82d42a11e39fedf235c ]
+
+On corrupted FATfs may have invalid ->i_start. To handle it, this checks
+->i_start before using, and return proper error code.
+
+Link: http://lkml.kernel.org/r/87o9f8y1t5.fsf_-_@mail.parknet.co.jp
+Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Tested-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Cc: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fat/cache.c | 19 ++++++++++++-------
+ fs/fat/fat.h | 5 +++++
+ fs/fat/fatent.c | 6 +++---
+ 3 files changed, 20 insertions(+), 10 deletions(-)
+
+--- a/fs/fat/cache.c
++++ b/fs/fat/cache.c
+@@ -225,7 +225,8 @@ static inline void cache_init(struct fat
+ int fat_get_cluster(struct inode *inode, int cluster, int *fclus, int *dclus)
+ {
+ struct super_block *sb = inode->i_sb;
+- const int limit = sb->s_maxbytes >> MSDOS_SB(sb)->cluster_bits;
++ struct msdos_sb_info *sbi = MSDOS_SB(sb);
++ const int limit = sb->s_maxbytes >> sbi->cluster_bits;
+ struct fat_entry fatent;
+ struct fat_cache_id cid;
+ int nr;
+@@ -234,6 +235,12 @@ int fat_get_cluster(struct inode *inode,
+
+ *fclus = 0;
+ *dclus = MSDOS_I(inode)->i_start;
++ if (!fat_valid_entry(sbi, *dclus)) {
++ fat_fs_error_ratelimit(sb,
++ "%s: invalid start cluster (i_pos %lld, start %08x)",
++ __func__, MSDOS_I(inode)->i_pos, *dclus);
++ return -EIO;
++ }
+ if (cluster == 0)
+ return 0;
+
+@@ -250,9 +257,8 @@ int fat_get_cluster(struct inode *inode,
+ /* prevent the infinite loop of cluster chain */
+ if (*fclus > limit) {
+ fat_fs_error_ratelimit(sb,
+- "%s: detected the cluster chain loop"
+- " (i_pos %lld)", __func__,
+- MSDOS_I(inode)->i_pos);
++ "%s: detected the cluster chain loop (i_pos %lld)",
++ __func__, MSDOS_I(inode)->i_pos);
+ nr = -EIO;
+ goto out;
+ }
+@@ -262,9 +268,8 @@ int fat_get_cluster(struct inode *inode,
+ goto out;
+ else if (nr == FAT_ENT_FREE) {
+ fat_fs_error_ratelimit(sb,
+- "%s: invalid cluster chain (i_pos %lld)",
+- __func__,
+- MSDOS_I(inode)->i_pos);
++ "%s: invalid cluster chain (i_pos %lld)",
++ __func__, MSDOS_I(inode)->i_pos);
+ nr = -EIO;
+ goto out;
+ } else if (nr == FAT_ENT_EOF) {
+--- a/fs/fat/fat.h
++++ b/fs/fat/fat.h
+@@ -348,6 +348,11 @@ static inline void fatent_brelse(struct
+ fatent->fat_inode = NULL;
+ }
+
++static inline bool fat_valid_entry(struct msdos_sb_info *sbi, int entry)
++{
++ return FAT_START_ENT <= entry && entry < sbi->max_cluster;
++}
++
+ extern void fat_ent_access_init(struct super_block *sb);
+ extern int fat_ent_read(struct inode *inode, struct fat_entry *fatent,
+ int entry);
+--- a/fs/fat/fatent.c
++++ b/fs/fat/fatent.c
+@@ -23,7 +23,7 @@ static void fat12_ent_blocknr(struct sup
+ {
+ struct msdos_sb_info *sbi = MSDOS_SB(sb);
+ int bytes = entry + (entry >> 1);
+- WARN_ON(entry < FAT_START_ENT || sbi->max_cluster <= entry);
++ WARN_ON(!fat_valid_entry(sbi, entry));
+ *offset = bytes & (sb->s_blocksize - 1);
+ *blocknr = sbi->fat_start + (bytes >> sb->s_blocksize_bits);
+ }
+@@ -33,7 +33,7 @@ static void fat_ent_blocknr(struct super
+ {
+ struct msdos_sb_info *sbi = MSDOS_SB(sb);
+ int bytes = (entry << sbi->fatent_shift);
+- WARN_ON(entry < FAT_START_ENT || sbi->max_cluster <= entry);
++ WARN_ON(!fat_valid_entry(sbi, entry));
+ *offset = bytes & (sb->s_blocksize - 1);
+ *blocknr = sbi->fat_start + (bytes >> sb->s_blocksize_bits);
+ }
+@@ -353,7 +353,7 @@ int fat_ent_read(struct inode *inode, st
+ int err, offset;
+ sector_t blocknr;
+
+- if (entry < FAT_START_ENT || sbi->max_cluster <= entry) {
++ if (!fat_valid_entry(sbi, entry)) {
+ fatent_brelse(fatent);
+ fat_fs_error(sb, "invalid access to FAT (entry 0x%08x)", entry);
+ return -EIO;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Jann Horn <jannh@google.com>
+Date: Tue, 21 Aug 2018 22:00:58 -0700
+Subject: fork: don't copy inconsistent signal handler state to child
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 06e62a46bbba20aa5286102016a04214bb446141 ]
+
+Before this change, if a multithreaded process forks while one of its
+threads is changing a signal handler using sigaction(), the memcpy() in
+copy_sighand() can race with the struct assignment in do_sigaction(). It
+isn't clear whether this can cause corruption of the userspace signal
+handler pointer, but it definitely can cause inconsistency between
+different fields of struct sigaction.
+
+Take the appropriate spinlock to avoid this.
+
+I have tested that this patch prevents inconsistency between sa_sigaction
+and sa_flags, which is possible before this patch.
+
+Link: http://lkml.kernel.org/r/20180702145108.73189-1-jannh@google.com
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/fork.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1417,7 +1417,9 @@ static int copy_sighand(unsigned long cl
+ return -ENOMEM;
+
+ atomic_set(&sig->count, 1);
++ spin_lock_irq(¤t->sighand->siglock);
+ memcpy(sig->action, current->sighand->action, sizeof(sig->action));
++ spin_unlock_irq(¤t->sighand->siglock);
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 17 Aug 2018 15:44:34 -0700
+Subject: fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 6cd00a01f0c1ae6a852b09c59b8dd55cc6c35d1d ]
+
+Since only dentry->d_name.len + 1 bytes out of DNAME_INLINE_LEN bytes
+are initialized at __d_alloc(), we can't copy the whole size
+unconditionally.
+
+ WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff8fa27465ac50)
+ 636f6e66696766732e746d70000000000010000000000000020000000188ffff
+ i i i i i i i i i i i i i u u u u u u u u u u i i i i i u u u u
+ ^
+ RIP: 0010:take_dentry_name_snapshot+0x28/0x50
+ RSP: 0018:ffffa83000f5bdf8 EFLAGS: 00010246
+ RAX: 0000000000000020 RBX: ffff8fa274b20550 RCX: 0000000000000002
+ RDX: ffffa83000f5be40 RSI: ffff8fa27465ac50 RDI: ffffa83000f5be60
+ RBP: ffffa83000f5bdf8 R08: ffffa83000f5be48 R09: 0000000000000001
+ R10: ffff8fa27465ac00 R11: ffff8fa27465acc0 R12: ffff8fa27465ac00
+ R13: ffff8fa27465acc0 R14: 0000000000000000 R15: 0000000000000000
+ FS: 00007f79737ac8c0(0000) GS:ffffffff8fc30000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffff8fa274c0b000 CR3: 0000000134aa7002 CR4: 00000000000606f0
+ take_dentry_name_snapshot+0x28/0x50
+ vfs_rename+0x128/0x870
+ SyS_rename+0x3b2/0x3d0
+ entry_SYSCALL_64_fastpath+0x1a/0xa4
+ 0xffffffffffffffff
+
+Link: http://lkml.kernel.org/r/201709131912.GBG39012.QMJLOVFSFFOOtH@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: Vegard Nossum <vegard.nossum@gmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dcache.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -292,7 +292,8 @@ void take_dentry_name_snapshot(struct na
+ spin_unlock(&dentry->d_lock);
+ name->name = p->name;
+ } else {
+- memcpy(name->inline_name, dentry->d_iname, DNAME_INLINE_LEN);
++ memcpy(name->inline_name, dentry->d_iname,
++ dentry->d_name.len + 1);
+ spin_unlock(&dentry->d_lock);
+ name->name = name->inline_name;
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: James Morse <james.morse@arm.com>
+Date: Tue, 21 Aug 2018 21:54:48 -0700
+Subject: fs/proc/kcore.c: use __pa_symbol() for KCORE_TEXT list entries
+
+From: James Morse <james.morse@arm.com>
+
+[ Upstream commit df865e8337c397471b95f51017fea559bc8abb4a ]
+
+elf_kcore_store_hdr() uses __pa() to find the physical address of
+KCORE_RAM or KCORE_TEXT entries exported as program headers.
+
+This trips CONFIG_DEBUG_VIRTUAL's checks, as the KCORE_TEXT entries are
+not in the linear map.
+
+Handle these two cases separately, using __pa_symbol() for the KCORE_TEXT
+entries.
+
+Link: http://lkml.kernel.org/r/20180711131944.15252-1-james.morse@arm.com
+Signed-off-by: James Morse <james.morse@arm.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/kcore.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/kcore.c
++++ b/fs/proc/kcore.c
+@@ -384,8 +384,10 @@ static void elf_kcore_store_hdr(char *bu
+ phdr->p_flags = PF_R|PF_W|PF_X;
+ phdr->p_offset = kc_vaddr_to_offset(m->addr) + dataoff;
+ phdr->p_vaddr = (size_t)m->addr;
+- if (m->type == KCORE_RAM || m->type == KCORE_TEXT)
++ if (m->type == KCORE_RAM)
+ phdr->p_paddr = __pa(m->addr);
++ else if (m->type == KCORE_TEXT)
++ phdr->p_paddr = __pa_symbol(m->addr);
+ else
+ phdr->p_paddr = (elf_addr_t)-1;
+ phdr->p_filesz = phdr->p_memsz = m->size;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 23 Aug 2018 17:00:55 -0700
+Subject: fs/proc/vmcore.c: hide vmcoredd_mmap_dumps() for nommu builds
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit a2036a1ef2ee91acab01a0ae4a534070691a42ec ]
+
+Without CONFIG_MMU, we get a build warning:
+
+ fs/proc/vmcore.c:228:12: error: 'vmcoredd_mmap_dumps' defined but not used [-Werror=unused-function]
+ static int vmcoredd_mmap_dumps(struct vm_area_struct *vma, unsigned long dst,
+
+The function is only referenced from an #ifdef'ed caller, so
+this uses the same #ifdef around it.
+
+Link: http://lkml.kernel.org/r/20180525213526.2117790-1-arnd@arndb.de
+Fixes: 7efe48df8a3d ("vmcore: append device dumps to vmcore as elf notes")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Cc: Ganesh Goudar <ganeshgr@chelsio.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/vmcore.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/proc/vmcore.c
++++ b/fs/proc/vmcore.c
+@@ -225,6 +225,7 @@ out_unlock:
+ return ret;
+ }
+
++#ifdef CONFIG_MMU
+ static int vmcoredd_mmap_dumps(struct vm_area_struct *vma, unsigned long dst,
+ u64 start, size_t size)
+ {
+@@ -259,6 +260,7 @@ out_unlock:
+ mutex_unlock(&vmcoredd_mutex);
+ return ret;
+ }
++#endif /* CONFIG_MMU */
+ #endif /* CONFIG_PROC_VMCORE_DEVICE_DUMP */
+
+ /* Read from the ELF header and then the crash dump. On error, negative value is
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: "Ernesto A. FernĂ¡ndez" <ernesto.mnd.fernandez@gmail.com>
+Date: Thu, 23 Aug 2018 17:00:31 -0700
+Subject: hfs: prevent crash on exit from failed search
+
+From: "Ernesto A. FernĂ¡ndez" <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit dc2572791d3a41bab94400af2b6bca9d71ccd303 ]
+
+hfs_find_exit() expects fd->bnode to be NULL after a search has failed.
+hfs_brec_insert() may instead set it to an error-valued pointer. Fix
+this to prevent a crash.
+
+Link: http://lkml.kernel.org/r/53d9749a029c41b4016c495fc5838c9dba3afc52.1530294815.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. FernĂ¡ndez <ernesto.mnd.fernandez@gmail.com>
+Cc: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hfs/brec.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/hfs/brec.c
++++ b/fs/hfs/brec.c
+@@ -75,9 +75,10 @@ int hfs_brec_insert(struct hfs_find_data
+ if (!fd->bnode) {
+ if (!tree->root)
+ hfs_btree_inc_height(tree);
+- fd->bnode = hfs_bnode_find(tree, tree->leaf_head);
+- if (IS_ERR(fd->bnode))
+- return PTR_ERR(fd->bnode);
++ node = hfs_bnode_find(tree, tree->leaf_head);
++ if (IS_ERR(node))
++ return PTR_ERR(node);
++ fd->bnode = node;
+ fd->record = -1;
+ }
+ new_node = NULL;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Tue, 21 Aug 2018 21:59:12 -0700
+Subject: hfsplus: don't return 0 when fill_super() failed
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 7464726cb5998846306ed0a7d6714afb2e37b25d ]
+
+syzbot is reporting NULL pointer dereference at mount_fs() [1]. This is
+because hfsplus_fill_super() is by error returning 0 when
+hfsplus_fill_super() detected invalid filesystem image, and mount_bdev()
+is returning NULL because dget(s->s_root) == NULL if s->s_root == NULL,
+and mount_fs() is accessing root->d_sb because IS_ERR(root) == false if
+root == NULL. Fix this by returning -EINVAL when hfsplus_fill_super()
+detected invalid filesystem image.
+
+[1] https://syzkaller.appspot.com/bug?id=21acb6850cecbc960c927229e597158cf35f33d0
+
+Link: http://lkml.kernel.org/r/d83ce31a-874c-dd5b-f790-41405983a5be@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+01ffaf5d9568dd1609f7@syzkaller.appspotmail.com>
+Reviewed-by: Ernesto A. FernĂ¡ndez <ernesto.mnd.fernandez@gmail.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hfsplus/super.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -524,8 +524,10 @@ static int hfsplus_fill_super(struct sup
+ goto out_put_root;
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+- if (entry.type != cpu_to_be16(HFSPLUS_FOLDER))
++ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
++ err = -EINVAL;
+ goto out_put_root;
++ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
+ if (IS_ERR(inode)) {
+ err = PTR_ERR(inode);
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: "Ernesto A. FernĂ¡ndez" <ernesto.mnd.fernandez@gmail.com>
+Date: Thu, 23 Aug 2018 17:00:25 -0700
+Subject: hfsplus: fix NULL dereference in hfsplus_lookup()
+
+From: "Ernesto A. FernĂ¡ndez" <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit a7ec7a4193a2eb3b5341243fc0b621c1ac9e4ec4 ]
+
+An HFS+ filesystem can be mounted read-only without having a metadata
+directory, which is needed to support hardlinks. But if the catalog
+data is corrupted, a directory lookup may still find dentries claiming
+to be hardlinks.
+
+hfsplus_lookup() does check that ->hidden_dir is not NULL in such a
+situation, but mistakenly does so after dereferencing it for the first
+time. Reorder this check to prevent a crash.
+
+This happens when looking up corrupted catalog data (dentry) on a
+filesystem with no metadata directory (this could only ever happen on a
+read-only mount). Wen Xu sent the replication steps in detail to the
+fsdevel list: https://bugzilla.kernel.org/show_bug.cgi?id=200297
+
+Link: http://lkml.kernel.org/r/20180712215344.q44dyrhymm4ajkao@eaf
+Signed-off-by: Ernesto A. FernĂ¡ndez <ernesto.mnd.fernandez@gmail.com>
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hfsplus/dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/hfsplus/dir.c
++++ b/fs/hfsplus/dir.c
+@@ -78,13 +78,13 @@ again:
+ cpu_to_be32(HFSP_HARDLINK_TYPE) &&
+ entry.file.user_info.fdCreator ==
+ cpu_to_be32(HFSP_HFSPLUS_CREATOR) &&
++ HFSPLUS_SB(sb)->hidden_dir &&
+ (entry.file.create_date ==
+ HFSPLUS_I(HFSPLUS_SB(sb)->hidden_dir)->
+ create_date ||
+ entry.file.create_date ==
+ HFSPLUS_I(d_inode(sb->s_root))->
+- create_date) &&
+- HFSPLUS_SB(sb)->hidden_dir) {
++ create_date)) {
+ struct qstr str;
+ char name[32];
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 12 Aug 2018 12:53:21 +0200
+Subject: i2c: core: ACPI: Make acpi_gsb_i2c_read_bytes() check i2c_transfer return value
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 0a30446c0dca3483c384b54a431cc951e15f7e79 ]
+
+Currently acpi_gsb_i2c_read_bytes() directly returns i2c_transfer's return
+value. i2c_transfer returns a value < 0 on error and 2 (for 2 successfully
+executed transfers) on success. But the ACPI code expects 0 on success, so
+currently acpi_gsb_i2c_read_bytes()'s caller does:
+
+ if (status > 0)
+ status = 0;
+
+This commit makes acpi_gsb_i2c_read_bytes() return a value which can be
+directly consumed by the ACPI code, mirroring acpi_gsb_i2c_write_bytes(),
+this commit also makes acpi_gsb_i2c_read_bytes() explitcly check that
+i2c_transfer returns 2, rather then accepting any value > 0.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/i2c-core-acpi.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/i2c/i2c-core-acpi.c
++++ b/drivers/i2c/i2c-core-acpi.c
+@@ -453,8 +453,12 @@ static int acpi_gsb_i2c_read_bytes(struc
+ else
+ dev_err(&client->adapter->dev, "i2c read %d bytes from client@%#x starting at reg %#x failed, error: %d\n",
+ data_len, client->addr, cmd, ret);
+- } else {
++ /* 2 transfers must have completed successfully */
++ } else if (ret == 2) {
+ memcpy(data, buffer, data_len);
++ ret = 0;
++ } else {
++ ret = -EIO;
+ }
+
+ kfree(buffer);
+@@ -595,8 +599,6 @@ i2c_acpi_space_handler(u32 function, acp
+ if (action == ACPI_READ) {
+ status = acpi_gsb_i2c_read_bytes(client, command,
+ gsb->data, info->access_length);
+- if (status > 0)
+- status = 0;
+ } else {
+ status = acpi_gsb_i2c_write_bytes(client, command,
+ gsb->data, info->access_length);
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+Date: Wed, 15 Aug 2018 22:54:49 -0700
+Subject: IB/hfi1: Invalid NUMA node information can cause a divide by zero
+
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+
+[ Upstream commit c513de490f808d8480346f9a58e6a4a5f3de12e7 ]
+
+If the system BIOS does not supply NUMA node information to the
+PCI devices, the NUMA node is selected by choosing the current
+node.
+
+This can lead to the following crash:
+
+divide error: 0000 SMP
+CPU: 0 PID: 4 Comm: kworker/0:0 Tainted: G IOE
+------------ 3.10.0-693.21.1.el7.x86_64 #1
+Hardware name: Intel Corporation S2600KP/S2600KP, BIOS
+SE5C610.86B.01.01.0005.101720141054 10/17/2014
+Workqueue: events work_for_cpu_fn
+task: ffff880174480fd0 ti: ffff880174488000 task.ti: ffff880174488000
+RIP: 0010: [<ffffffffc020ac69>] hfi1_dev_affinity_init+0x129/0x6a0 [hfi1]
+RSP: 0018:ffff88017448bbf8 EFLAGS: 00010246
+RAX: 0000000000000011 RBX: ffff88107ffba6c0 RCX: ffff88085c22e130
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880824ad0000
+RBP: ffff88017448bc48 R08: 0000000000000011 R09: 0000000000000002
+R10: ffff8808582b6ca0 R11: 0000000000003151 R12: ffff8808582b6ca0
+R13: ffff8808582b6518 R14: ffff8808582b6010 R15: 0000000000000012
+FS: 0000000000000000(0000) GS:ffff88085ec00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007efc707404f0 CR3: 0000000001a02000 CR4: 00000000001607f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Call Trace:
+ hfi1_init_dd+0x14b3/0x27a0 [hfi1]
+ ? pcie_capability_write_word+0x46/0x70
+ ? hfi1_pcie_init+0xc0/0x200 [hfi1]
+ do_init_one+0x153/0x4c0 [hfi1]
+ ? sched_clock_cpu+0x85/0xc0
+ init_one+0x1b5/0x260 [hfi1]
+ local_pci_probe+0x4a/0xb0
+ work_for_cpu_fn+0x1a/0x30
+ process_one_work+0x17f/0x440
+ worker_thread+0x278/0x3c0
+ ? manage_workers.isra.24+0x2a0/0x2a0
+ kthread+0xd1/0xe0
+ ? insert_kthread_work+0x40/0x40
+ ret_from_fork+0x77/0xb0
+ ? insert_kthread_work+0x40/0x40
+
+If the BIOS is not supplying NUMA information:
+ - set the default table count to 1 for all possible nodes
+ - select node 0 (instead of current NUMA) node to get consistent
+ performance
+ - generate an error indicating that the BIOS should be upgraded
+
+Reviewed-by: Gary Leshner <gary.s.leshner@intel.com>
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hfi1/affinity.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/affinity.c
++++ b/drivers/infiniband/hw/hfi1/affinity.c
+@@ -198,7 +198,7 @@ int node_affinity_init(void)
+ while ((dev = pci_get_device(ids->vendor, ids->device, dev))) {
+ node = pcibus_to_node(dev->bus);
+ if (node < 0)
+- node = numa_node_id();
++ goto out;
+
+ hfi1_per_node_cntr[node]++;
+ }
+@@ -206,6 +206,18 @@ int node_affinity_init(void)
+ }
+
+ return 0;
++
++out:
++ /*
++ * Invalid PCI NUMA node information found, note it, and populate
++ * our database 1:1.
++ */
++ pr_err("HFI: Invalid PCI NUMA node. Performance may be affected\n");
++ pr_err("HFI: System BIOS may need to be upgraded\n");
++ for (node = 0; node < node_affinity.num_possible_nodes; node++)
++ hfi1_per_node_cntr[node] = 1;
++
++ return 0;
+ }
+
+ static void node_affinity_destroy(struct hfi1_affinity_node *entry)
+@@ -622,8 +634,14 @@ int hfi1_dev_affinity_init(struct hfi1_d
+ int curr_cpu, possible, i, ret;
+ bool new_entry = false;
+
+- if (node < 0)
+- node = numa_node_id();
++ /*
++ * If the BIOS does not have the NUMA node information set, select
++ * NUMA 0 so we get consistent performance.
++ */
++ if (node < 0) {
++ dd_dev_err(dd, "Invalid PCI NUMA node. Performance may be affected\n");
++ node = 0;
++ }
+ dd->node = node;
+
+ local_mask = cpumask_of_node(dd->node);
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 6 Aug 2018 15:10:40 -0700
+Subject: Input: do not use WARN() in input_alloc_absinfo()
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit 100294cee9a98bfd4d6cb2d1c8a8aef0e959b0c4 ]
+
+Some of fuzzers set panic_on_warn=1 so that they can handle WARN()ings
+the same way they handle full-blown kernel crashes. We used WARN() in
+input_alloc_absinfo() to get a better idea where memory allocation
+failed, but since then kmalloc() and friends started dumping call stack on
+memory allocation failures anyway, so we are not getting anything extra
+from WARN().
+
+Because of the above, let's replace WARN with dev_err(). We use dev_err()
+instead of simply removing message and relying on kcalloc() to give us
+stack dump so that we'd know the instance of hardware device to which we
+were trying to attach input device.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Acked-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/input.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/input.c
++++ b/drivers/input/input.c
+@@ -480,11 +480,19 @@ EXPORT_SYMBOL(input_inject_event);
+ */
+ void input_alloc_absinfo(struct input_dev *dev)
+ {
+- if (!dev->absinfo)
+- dev->absinfo = kcalloc(ABS_CNT, sizeof(*dev->absinfo),
+- GFP_KERNEL);
++ if (dev->absinfo)
++ return;
+
+- WARN(!dev->absinfo, "%s(): kcalloc() failed?\n", __func__);
++ dev->absinfo = kcalloc(ABS_CNT, sizeof(*dev->absinfo), GFP_KERNEL);
++ if (!dev->absinfo) {
++ dev_err(dev->dev.parent ?: &dev->dev,
++ "%s: unable to allocate memory\n", __func__);
++ /*
++ * We will handle this allocation failure in
++ * input_register_device() when we refuse to register input
++ * device with ABS bits but without absinfo.
++ */
++ }
+ }
+ EXPORT_SYMBOL(input_alloc_absinfo);
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Ralf Goebel <ralf.goebel@imago-technologies.com>
+Date: Mon, 6 Aug 2018 17:00:36 +0200
+Subject: iommu/omap: Fix cache flushes on L2 table entries
+
+From: Ralf Goebel <ralf.goebel@imago-technologies.com>
+
+[ Upstream commit 04c532a1cdc7e423656c07937aa4b5c1c2b064f9 ]
+
+The base address used for DMA operations on the second-level table
+did incorrectly include the offset for the table entry. The offset
+was then added again which lead to incorrect behavior.
+
+Operations on the L1 table are not affected.
+
+The calculation of the base address is changed to point to the
+beginning of the L2 table.
+
+Fixes: bfee0cf0ee1d ("iommu/omap: Use DMA-API for performing cache flushes")
+Acked-by: Suman Anna <s-anna@ti.com>
+Signed-off-by: Ralf Goebel <ralf.goebel@imago-technologies.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/omap-iommu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iommu/omap-iommu.c
++++ b/drivers/iommu/omap-iommu.c
+@@ -550,7 +550,7 @@ static u32 *iopte_alloc(struct omap_iomm
+
+ pte_ready:
+ iopte = iopte_offset(iopgd, da);
+- *pt_dma = virt_to_phys(iopte);
++ *pt_dma = iopgd_page_paddr(iopgd);
+ dev_vdbg(obj->dev,
+ "%s: da:%08x pgd:%p *pgd:%08x pte:%p *pte:%08x\n",
+ __func__, da, iopgd, *iopgd, iopte, *iopte);
+@@ -738,7 +738,7 @@ static size_t iopgtable_clear_entry_core
+ }
+ bytes *= nent;
+ memset(iopte, 0, nent * sizeof(*iopte));
+- pt_dma = virt_to_phys(iopte);
++ pt_dma = iopgd_page_paddr(iopgd);
+ flush_iopte_range(obj->dev, pt_dma, pt_offset, nent);
+
+ /*
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Fri, 24 Aug 2018 16:06:36 +0100
+Subject: iommu/rockchip: Handle errors returned from PM framework
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+[ Upstream commit 3fc7c5c0cff3150e471f5fd12f59971c6d2c6513 ]
+
+pm_runtime_get_if_in_use can fail: either PM has been disabled
+altogether (-EINVAL), or the device hasn't been enabled yet (0).
+Sadly, the Rockchip IOMMU driver tends to conflate the two things
+by considering a non-zero return value as successful.
+
+This has the consequence of hiding other bugs, so let's handle this
+case throughout the driver, with a WARN_ON_ONCE so that we can try
+and work out what happened.
+
+Fixes: 0f181d3cf7d98 ("iommu/rockchip: Add runtime PM support")
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/rockchip-iommu.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+--- a/drivers/iommu/rockchip-iommu.c
++++ b/drivers/iommu/rockchip-iommu.c
+@@ -521,10 +521,11 @@ static irqreturn_t rk_iommu_irq(int irq,
+ u32 int_status;
+ dma_addr_t iova;
+ irqreturn_t ret = IRQ_NONE;
+- int i;
++ int i, err;
+
+- if (WARN_ON(!pm_runtime_get_if_in_use(iommu->dev)))
+- return 0;
++ err = pm_runtime_get_if_in_use(iommu->dev);
++ if (WARN_ON_ONCE(err <= 0))
++ return ret;
+
+ if (WARN_ON(clk_bulk_enable(iommu->num_clocks, iommu->clocks)))
+ goto out;
+@@ -620,11 +621,15 @@ static void rk_iommu_zap_iova(struct rk_
+ spin_lock_irqsave(&rk_domain->iommus_lock, flags);
+ list_for_each(pos, &rk_domain->iommus) {
+ struct rk_iommu *iommu;
++ int ret;
+
+ iommu = list_entry(pos, struct rk_iommu, node);
+
+ /* Only zap TLBs of IOMMUs that are powered on. */
+- if (pm_runtime_get_if_in_use(iommu->dev)) {
++ ret = pm_runtime_get_if_in_use(iommu->dev);
++ if (WARN_ON_ONCE(ret < 0))
++ continue;
++ if (ret) {
+ WARN_ON(clk_bulk_enable(iommu->num_clocks,
+ iommu->clocks));
+ rk_iommu_zap_lines(iommu, iova, size);
+@@ -891,6 +896,7 @@ static void rk_iommu_detach_device(struc
+ struct rk_iommu *iommu;
+ struct rk_iommu_domain *rk_domain = to_rk_domain(domain);
+ unsigned long flags;
++ int ret;
+
+ /* Allow 'virtual devices' (eg drm) to detach from domain */
+ iommu = rk_iommu_from_dev(dev);
+@@ -909,7 +915,9 @@ static void rk_iommu_detach_device(struc
+ list_del_init(&iommu->node);
+ spin_unlock_irqrestore(&rk_domain->iommus_lock, flags);
+
+- if (pm_runtime_get_if_in_use(iommu->dev)) {
++ ret = pm_runtime_get_if_in_use(iommu->dev);
++ WARN_ON_ONCE(ret < 0);
++ if (ret > 0) {
+ rk_iommu_disable(iommu);
+ pm_runtime_put(iommu->dev);
+ }
+@@ -946,7 +954,8 @@ static int rk_iommu_attach_device(struct
+ list_add_tail(&iommu->node, &rk_domain->iommus);
+ spin_unlock_irqrestore(&rk_domain->iommus_lock, flags);
+
+- if (!pm_runtime_get_if_in_use(iommu->dev))
++ ret = pm_runtime_get_if_in_use(iommu->dev);
++ if (!ret || WARN_ON_ONCE(ret < 0))
+ return 0;
+
+ ret = rk_iommu_enable(iommu);
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Fri, 24 Aug 2018 16:06:37 +0100
+Subject: iommu/rockchip: Move irq request past pm_runtime_enable
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+[ Upstream commit 1aa55ca9b14af6cfd987ce4fdaf548f7067a5d07 ]
+
+Enabling the interrupt early, before power has been applied to the
+device, can result in an interrupt being delivered too early if:
+
+- the IOMMU shares an interrupt with a VOP
+- the VOP has a pending interrupt (after a kexec, for example)
+
+In these conditions, we end-up taking the interrupt without
+the IOMMU being ready to handle the interrupt (not powered on).
+
+Moving the interrupt request past the pm_runtime_enable() call
+makes sure we can at least access the IOMMU registers. Note that
+this is only a partial fix, and that the VOP interrupt will still
+be screaming until the VOP driver kicks in, which advocates for
+a more synchronized interrupt enabling/disabling approach.
+
+Fixes: 0f181d3cf7d98 ("iommu/rockchip: Add runtime PM support")
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/rockchip-iommu.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+--- a/drivers/iommu/rockchip-iommu.c
++++ b/drivers/iommu/rockchip-iommu.c
+@@ -1161,17 +1161,6 @@ static int rk_iommu_probe(struct platfor
+ if (iommu->num_mmu == 0)
+ return PTR_ERR(iommu->bases[0]);
+
+- i = 0;
+- while ((irq = platform_get_irq(pdev, i++)) != -ENXIO) {
+- if (irq < 0)
+- return irq;
+-
+- err = devm_request_irq(iommu->dev, irq, rk_iommu_irq,
+- IRQF_SHARED, dev_name(dev), iommu);
+- if (err)
+- return err;
+- }
+-
+ iommu->reset_disabled = device_property_read_bool(dev,
+ "rockchip,disable-mmu-reset");
+
+@@ -1228,6 +1217,19 @@ static int rk_iommu_probe(struct platfor
+
+ pm_runtime_enable(dev);
+
++ i = 0;
++ while ((irq = platform_get_irq(pdev, i++)) != -ENXIO) {
++ if (irq < 0)
++ return irq;
++
++ err = devm_request_irq(iommu->dev, irq, rk_iommu_irq,
++ IRQF_SHARED, dev_name(dev), iommu);
++ if (err) {
++ pm_runtime_disable(dev);
++ goto err_remove_sysfs;
++ }
++ }
++
+ return 0;
+ err_remove_sysfs:
+ iommu_device_sysfs_remove(&iommu->iommu);
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Tan Hu <tan.hu@zte.com.cn>
+Date: Wed, 25 Jul 2018 15:23:07 +0800
+Subject: ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()
+
+From: Tan Hu <tan.hu@zte.com.cn>
+
+[ Upstream commit a53b42c11815d2357e31a9403ae3950517525894 ]
+
+We came across infinite loop in ipvs when using ipvs in docker
+env.
+
+When ipvs receives new packets and cannot find an ipvs connection,
+it will create a new connection, then if the dest is unavailable
+(i.e. IP_VS_DEST_F_AVAILABLE), the packet will be dropped sliently.
+
+But if the dropped packet is the first packet of this connection,
+the connection control timer never has a chance to start and the
+ipvs connection cannot be released. This will lead to memory leak, or
+infinite loop in cleanup_net() when net namespace is released like
+this:
+
+ ip_vs_conn_net_cleanup at ffffffffa0a9f31a [ip_vs]
+ __ip_vs_cleanup at ffffffffa0a9f60a [ip_vs]
+ ops_exit_list at ffffffff81567a49
+ cleanup_net at ffffffff81568b40
+ process_one_work at ffffffff810a851b
+ worker_thread at ffffffff810a9356
+ kthread at ffffffff810b0b6f
+ ret_from_fork at ffffffff81697a18
+
+race condition:
+ CPU1 CPU2
+ ip_vs_in()
+ ip_vs_conn_new()
+ ip_vs_del_dest()
+ __ip_vs_unlink_dest()
+ ~IP_VS_DEST_F_AVAILABLE
+ cp->dest && !IP_VS_DEST_F_AVAILABLE
+ __ip_vs_conn_put
+ ...
+ cleanup_net ---> infinite looping
+
+Fix this by checking whether the timer already started.
+
+Signed-off-by: Tan Hu <tan.hu@zte.com.cn>
+Reviewed-by: Jiang Biao <jiang.biao2@zte.com.cn>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipvs/ip_vs_core.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -1972,13 +1972,20 @@ ip_vs_in(struct netns_ipvs *ipvs, unsign
+ if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
+ /* the destination server is not available */
+
+- if (sysctl_expire_nodest_conn(ipvs)) {
++ __u32 flags = cp->flags;
++
++ /* when timer already started, silently drop the packet.*/
++ if (timer_pending(&cp->timer))
++ __ip_vs_conn_put(cp);
++ else
++ ip_vs_conn_put(cp);
++
++ if (sysctl_expire_nodest_conn(ipvs) &&
++ !(flags & IP_VS_CONN_F_ONE_PACKET)) {
+ /* try to expire the connection immediately */
+ ip_vs_conn_expire_now(cp);
+ }
+- /* don't restart its timer, and silently
+- drop the packet. */
+- __ip_vs_conn_put(cp);
++
+ return NF_DROP;
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Jonas Gorski <jonas.gorski@gmail.com>
+Date: Thu, 9 Aug 2018 10:59:01 +0200
+Subject: irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit 0702bc4d2fe793018ad9aa0eb14bff7f526c4095 ]
+
+When compiling bmips with SMP disabled, the build fails with:
+
+drivers/irqchip/irq-bcm7038-l1.o: In function `bcm7038_l1_cpu_offline':
+drivers/irqchip/irq-bcm7038-l1.c:242: undefined reference to `irq_set_affinity_locked'
+make[5]: *** [vmlinux] Error 1
+
+Fix this by adding and setting bcm7038_l1_cpu_offline only when actually
+compiling for SMP. It wouldn't have been used anyway, as it requires
+CPU_HOTPLUG, which in turn requires SMP.
+
+Fixes: 34c535793bcb ("irqchip/bcm7038-l1: Implement irq_cpu_offline() callback")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-bcm7038-l1.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/irqchip/irq-bcm7038-l1.c
++++ b/drivers/irqchip/irq-bcm7038-l1.c
+@@ -217,6 +217,7 @@ static int bcm7038_l1_set_affinity(struc
+ return 0;
+ }
+
++#ifdef CONFIG_SMP
+ static void bcm7038_l1_cpu_offline(struct irq_data *d)
+ {
+ struct cpumask *mask = irq_data_get_affinity_mask(d);
+@@ -241,6 +242,7 @@ static void bcm7038_l1_cpu_offline(struc
+ }
+ irq_set_affinity_locked(d, &new_affinity, false);
+ }
++#endif
+
+ static int __init bcm7038_l1_init_one(struct device_node *dn,
+ unsigned int idx,
+@@ -293,7 +295,9 @@ static struct irq_chip bcm7038_l1_irq_ch
+ .irq_mask = bcm7038_l1_mask,
+ .irq_unmask = bcm7038_l1_unmask,
+ .irq_set_affinity = bcm7038_l1_set_affinity,
++#ifdef CONFIG_SMP
+ .irq_cpu_offline = bcm7038_l1_cpu_offline,
++#endif
+ };
+
+ static int bcm7038_l1_map(struct irq_domain *d, unsigned int virq,
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 8 Aug 2018 15:03:19 +0300
+Subject: irqchip/stm32: Fix init error handling
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 4096165d55218a6f58b6c2ebc5d2428aa0aa70e4 ]
+
+If there are any errors in stm32_exti_host_init() then it leads to a
+NULL dereference in the callers. The function should clean up after
+itself.
+
+Fixes: f9fc1745501e ("irqchip/stm32: Add host and driver data structures")
+Reviewed-by: Ludovic Barre <ludovic.barre@st.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-stm32-exti.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+--- a/drivers/irqchip/irq-stm32-exti.c
++++ b/drivers/irqchip/irq-stm32-exti.c
+@@ -602,17 +602,24 @@ stm32_exti_host_data *stm32_exti_host_in
+ sizeof(struct stm32_exti_chip_data),
+ GFP_KERNEL);
+ if (!host_data->chips_data)
+- return NULL;
++ goto free_host_data;
+
+ host_data->base = of_iomap(node, 0);
+ if (!host_data->base) {
+ pr_err("%pOF: Unable to map registers\n", node);
+- return NULL;
++ goto free_chips_data;
+ }
+
+ stm32_host_data = host_data;
+
+ return host_data;
++
++free_chips_data:
++ kfree(host_data->chips_data);
++free_host_data:
++ kfree(host_data);
++
++ return NULL;
+ }
+
+ static struct
+@@ -664,10 +671,8 @@ static int __init stm32_exti_init(const
+ struct irq_domain *domain;
+
+ host_data = stm32_exti_host_init(drv_data, node);
+- if (!host_data) {
+- ret = -ENOMEM;
+- goto out_free_mem;
+- }
++ if (!host_data)
++ return -ENOMEM;
+
+ domain = irq_domain_add_linear(node, drv_data->bank_nr * IRQS_PER_BANK,
+ &irq_exti_domain_ops, NULL);
+@@ -724,7 +729,6 @@ out_free_domain:
+ irq_domain_remove(domain);
+ out_unmap:
+ iounmap(host_data->base);
+-out_free_mem:
+ kfree(host_data->chips_data);
+ kfree(host_data);
+ return ret;
+@@ -751,10 +755,8 @@ __init stm32_exti_hierarchy_init(const s
+ }
+
+ host_data = stm32_exti_host_init(drv_data, node);
+- if (!host_data) {
+- ret = -ENOMEM;
+- goto out_free_mem;
+- }
++ if (!host_data)
++ return -ENOMEM;
+
+ for (i = 0; i < drv_data->bank_nr; i++)
+ stm32_exti_chip_init(host_data, i, node);
+@@ -776,7 +778,6 @@ __init stm32_exti_hierarchy_init(const s
+
+ out_unmap:
+ iounmap(host_data->base);
+-out_free_mem:
+ kfree(host_data->chips_data);
+ kfree(host_data);
+ return ret;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Jim Mattson <jmattson@google.com>
+Date: Fri, 27 Jul 2018 09:18:50 -0700
+Subject: kvm: nVMX: Fix fault vector for VMX operation at CPL > 0
+
+From: Jim Mattson <jmattson@google.com>
+
+[ Upstream commit 36090bf43a6b835a42f515cb515ff6fa293a25fe ]
+
+The fault that should be raised for a privilege level violation is #GP
+rather than #UD.
+
+Fixes: 727ba748e110b4 ("kvm: nVMX: Enforce cpl=0 for VMX instructions")
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -8123,7 +8123,7 @@ static int handle_vmon(struct kvm_vcpu *
+
+ /* CPL=0 must be checked manually. */
+ if (vmx_get_cpl(vcpu)) {
+- kvm_queue_exception(vcpu, UD_VECTOR);
++ kvm_inject_gp(vcpu, 0);
+ return 1;
+ }
+
+@@ -8187,7 +8187,7 @@ static int handle_vmon(struct kvm_vcpu *
+ static int nested_vmx_check_permission(struct kvm_vcpu *vcpu)
+ {
+ if (vmx_get_cpl(vcpu)) {
+- kvm_queue_exception(vcpu, UD_VECTOR);
++ kvm_inject_gp(vcpu, 0);
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Mon, 23 Jul 2018 12:32:42 -0700
+Subject: KVM: vmx: track host_state.loaded using a loaded_vmcs pointer
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+[ Upstream commit bd9966de4e14fb559e89a06f7f5c9aab2cc028b9 ]
+
+Using 'struct loaded_vmcs*' to track whether the CPU registers
+contain host or guest state kills two birds with one stone.
+
+ 1. The (effective) boolean host_state.loaded is poorly named.
+ It does not track whether or not host state is loaded into
+ the CPU registers (which most readers would expect), but
+ rather tracks if host state has been saved AND guest state
+ is loaded.
+
+ 2. Using a loaded_vmcs pointer provides a more robust framework
+ for the optimized guest/host state switching, especially when
+ consideration per-VMCS enhancements. To that end, WARN_ONCE
+ if we try to switch to host state with a different VMCS than
+ was last used to save host state.
+
+Resolve an occurrence of the new WARN by setting loaded_vmcs after
+the call to vmx_vcpu_put() in vmx_switch_vmcs().
+
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -939,17 +939,21 @@ struct vcpu_vmx {
+ /*
+ * loaded_vmcs points to the VMCS currently used in this vcpu. For a
+ * non-nested (L1) guest, it always points to vmcs01. For a nested
+- * guest (L2), it points to a different VMCS.
++ * guest (L2), it points to a different VMCS. loaded_cpu_state points
++ * to the VMCS whose state is loaded into the CPU registers that only
++ * need to be switched when transitioning to/from the kernel; a NULL
++ * value indicates that host state is loaded.
+ */
+ struct loaded_vmcs vmcs01;
+ struct loaded_vmcs *loaded_vmcs;
++ struct loaded_vmcs *loaded_cpu_state;
+ bool __launched; /* temporary, used in vmx_vcpu_run */
+ struct msr_autoload {
+ struct vmx_msrs guest;
+ struct vmx_msrs host;
+ } msr_autoload;
++
+ struct {
+- int loaded;
+ u16 fs_sel, gs_sel, ldt_sel;
+ #ifdef CONFIG_X86_64
+ u16 ds_sel, es_sel;
+@@ -2750,10 +2754,11 @@ static void vmx_save_host_state(struct k
+ #endif
+ int i;
+
+- if (vmx->host_state.loaded)
++ if (vmx->loaded_cpu_state)
+ return;
+
+- vmx->host_state.loaded = 1;
++ vmx->loaded_cpu_state = vmx->loaded_vmcs;
++
+ /*
+ * Set host fs and gs selectors. Unfortunately, 22.2.3 does not
+ * allow segment selectors with cpl > 0 or ti == 1.
+@@ -2815,11 +2820,14 @@ static void vmx_save_host_state(struct k
+
+ static void __vmx_load_host_state(struct vcpu_vmx *vmx)
+ {
+- if (!vmx->host_state.loaded)
++ if (!vmx->loaded_cpu_state)
+ return;
+
++ WARN_ON_ONCE(vmx->loaded_cpu_state != vmx->loaded_vmcs);
++
+ ++vmx->vcpu.stat.host_state_reload;
+- vmx->host_state.loaded = 0;
++ vmx->loaded_cpu_state = NULL;
++
+ #ifdef CONFIG_X86_64
+ if (is_long_mode(&vmx->vcpu))
+ rdmsrl(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base);
+@@ -10517,8 +10525,8 @@ static void vmx_switch_vmcs(struct kvm_v
+ return;
+
+ cpu = get_cpu();
+- vmx->loaded_vmcs = vmcs;
+ vmx_vcpu_put(vcpu);
++ vmx->loaded_vmcs = vmcs;
+ vmx_vcpu_load(vcpu, cpu);
+ put_cpu();
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Fri, 3 Aug 2018 20:59:51 -0700
+Subject: mfd: sm501: Set coherent_dma_mask when creating subdevices
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 2f606da78230f09cf1a71fde6ee91d0c710fa2b2 ]
+
+Instantiating the sm501 OHCI subdevice results in a kernel warning.
+
+sm501-usb sm501-usb: SM501 OHCI
+sm501-usb sm501-usb: new USB bus registered, assigned bus number 1
+WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516
+ohci_init+0x194/0x2d8
+Modules linked in:
+
+CPU: 0 PID: 1 Comm: swapper Tainted: G W
+4.18.0-rc7-00178-g0b5b1f9a78b5 #1
+PC is at ohci_init+0x194/0x2d8
+PR is at ohci_init+0x168/0x2d8
+PC : 8c27844c SP : 8f81dd94 SR : 40008001
+TEA : 29613060
+R0 : 00000000 R1 : 00000000 R2 : 00000000 R3 : 00000202
+R4 : 8fa98b88 R5 : 8c277e68 R6 : 00000000 R7 : 00000000
+R8 : 8f965814 R9 : 8c388100 R10 : 8fa98800 R11 : 8fa98928
+R12 : 8c48302c R13 : 8fa98920 R14 : 8c48302c
+MACH: 00000096 MACL: 0000017c GBR : 00000000 PR : 8c278420
+
+Call trace:
+ [<(ptrval)>] usb_add_hcd+0x1e8/0x6ec
+ [<(ptrval)>] _dev_info+0x0/0x54
+ [<(ptrval)>] arch_local_save_flags+0x0/0x8
+ [<(ptrval)>] arch_local_irq_restore+0x0/0x24
+ [<(ptrval)>] ohci_hcd_sm501_drv_probe+0x114/0x2d8
+...
+
+Initialize coherent_dma_mask when creating SM501 subdevices to fix
+the problem.
+
+Fixes: b6d6454fdb66f ("mfd: SM501 core driver")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/sm501.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mfd/sm501.c
++++ b/drivers/mfd/sm501.c
+@@ -715,6 +715,7 @@ sm501_create_subdev(struct sm501_devdata
+ smdev->pdev.name = name;
+ smdev->pdev.id = sm->pdev_id;
+ smdev->pdev.dev.parent = sm->dev;
++ smdev->pdev.dev.coherent_dma_mask = 0xffffffff;
+
+ if (res_count) {
+ smdev->pdev.resource = (struct resource *)(smdev+1);
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Fri, 17 Aug 2018 15:46:57 -0700
+Subject: mm/fadvise.c: fix signed overflow UBSAN complaint
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+[ Upstream commit a718e28f538441a3b6612da9ff226973376cdf0f ]
+
+Signed integer overflow is undefined according to the C standard. The
+overflow in ksys_fadvise64_64() is deliberate, but since it is signed
+overflow, UBSAN complains:
+
+ UBSAN: Undefined behaviour in mm/fadvise.c:76:10
+ signed integer overflow:
+ 4 + 9223372036854775805 cannot be represented in type 'long long int'
+
+Use unsigned types to do math. Unsigned overflow is defined so UBSAN
+will not complain about it. This patch doesn't change generated code.
+
+[akpm@linux-foundation.org: add comment explaining the casts]
+Link: http://lkml.kernel.org/r/20180629184453.7614-1-aryabinin@virtuozzo.com
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Reported-by: <icytxw@gmail.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/fadvise.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/mm/fadvise.c
++++ b/mm/fadvise.c
+@@ -72,8 +72,12 @@ int ksys_fadvise64_64(int fd, loff_t off
+ goto out;
+ }
+
+- /* Careful about overflows. Len == 0 means "as much as possible" */
+- endbyte = offset + len;
++ /*
++ * Careful about overflows. Len == 0 means "as much as possible". Use
++ * unsigned math because signed overflows are undefined and UBSan
++ * complains.
++ */
++ endbyte = (u64)offset + (u64)len;
+ if (!len || endbyte < len)
+ endbyte = -1;
+ else
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Date: Fri, 17 Aug 2018 15:47:07 -0700
+Subject: mm: make DEFERRED_STRUCT_PAGE_INIT explicitly depend on SPARSEMEM
+
+From: Mike Rapoport <rppt@linux.vnet.ibm.com>
+
+[ Upstream commit d39f8fb4b7776dcb09ec3bf7a321547083078ee3 ]
+
+The deferred memory initialization relies on section definitions, e.g
+PAGES_PER_SECTION, that are only available when CONFIG_SPARSEMEM=y on
+most architectures.
+
+Initially DEFERRED_STRUCT_PAGE_INIT depended on explicit
+ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT configuration option, but since
+the commit 2e3ca40f03bb13709df4 ("mm: relax deferred struct page
+requirements") this requirement was relaxed and now it is possible to
+enable DEFERRED_STRUCT_PAGE_INIT on architectures that support
+DISCONTINGMEM and NO_BOOTMEM which causes build failures.
+
+For instance, setting SMP=y and DEFERRED_STRUCT_PAGE_INIT=y on arc
+causes the following build failure:
+
+ CC mm/page_alloc.o
+ mm/page_alloc.c: In function 'update_defer_init':
+ mm/page_alloc.c:321:14: error: 'PAGES_PER_SECTION'
+ undeclared (first use in this function); did you mean 'USEC_PER_SEC'?
+ (pfn & (PAGES_PER_SECTION - 1)) == 0) {
+ ^~~~~~~~~~~~~~~~~
+ USEC_PER_SEC
+ mm/page_alloc.c:321:14: note: each undeclared identifier is reported only once for each function it appears in
+ In file included from include/linux/cache.h:5:0,
+ from include/linux/printk.h:9,
+ from include/linux/kernel.h:14,
+ from include/asm-generic/bug.h:18,
+ from arch/arc/include/asm/bug.h:32,
+ from include/linux/bug.h:5,
+ from include/linux/mmdebug.h:5,
+ from include/linux/mm.h:9,
+ from mm/page_alloc.c:18:
+ mm/page_alloc.c: In function 'deferred_grow_zone':
+ mm/page_alloc.c:1624:52: error: 'PAGES_PER_SECTION' undeclared (first use in this function); did you mean 'USEC_PER_SEC'?
+ unsigned long nr_pages_needed = ALIGN(1 << order, PAGES_PER_SECTION);
+ ^
+ include/uapi/linux/kernel.h:11:47: note: in definition of macro '__ALIGN_KERNEL_MASK'
+ #define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask))
+ ^~~~
+ include/linux/kernel.h:58:22: note: in expansion of macro '__ALIGN_KERNEL'
+ #define ALIGN(x, a) __ALIGN_KERNEL((x), (a))
+ ^~~~~~~~~~~~~~
+ mm/page_alloc.c:1624:34: note: in expansion of macro 'ALIGN'
+ unsigned long nr_pages_needed = ALIGN(1 << order, PAGES_PER_SECTION);
+ ^~~~~
+ In file included from include/asm-generic/bug.h:18:0,
+ from arch/arc/include/asm/bug.h:32,
+ from include/linux/bug.h:5,
+ from include/linux/mmdebug.h:5,
+ from include/linux/mm.h:9,
+ from mm/page_alloc.c:18:
+ mm/page_alloc.c: In function 'free_area_init_node':
+ mm/page_alloc.c:6379:50: error: 'PAGES_PER_SECTION' undeclared (first use in this function); did you mean 'USEC_PER_SEC'?
+ pgdat->static_init_pgcnt = min_t(unsigned long, PAGES_PER_SECTION,
+ ^
+ include/linux/kernel.h:812:22: note: in definition of macro '__typecheck'
+ (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1)))
+ ^
+ include/linux/kernel.h:836:24: note: in expansion of macro '__safe_cmp'
+ __builtin_choose_expr(__safe_cmp(x, y), \
+ ^~~~~~~~~~
+ include/linux/kernel.h:904:27: note: in expansion of macro '__careful_cmp'
+ #define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <)
+ ^~~~~~~~~~~~~
+ mm/page_alloc.c:6379:29: note: in expansion of macro 'min_t'
+ pgdat->static_init_pgcnt = min_t(unsigned long, PAGES_PER_SECTION,
+ ^~~~~
+ include/linux/kernel.h:836:2: error: first argument to '__builtin_choose_expr' not a constant
+ __builtin_choose_expr(__safe_cmp(x, y), \
+ ^
+ include/linux/kernel.h:904:27: note: in expansion of macro '__careful_cmp'
+ #define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <)
+ ^~~~~~~~~~~~~
+ mm/page_alloc.c:6379:29: note: in expansion of macro 'min_t'
+ pgdat->static_init_pgcnt = min_t(unsigned long, PAGES_PER_SECTION,
+ ^~~~~
+ scripts/Makefile.build:317: recipe for target 'mm/page_alloc.o' failed
+
+Let's make the DEFERRED_STRUCT_PAGE_INIT explicitly depend on SPARSEMEM
+as the systems that support DISCONTIGMEM do not seem to have that huge
+amounts of memory that would make DEFERRED_STRUCT_PAGE_INIT relevant.
+
+Link: http://lkml.kernel.org/r/1530279308-24988-1-git-send-email-rppt@linux.vnet.ibm.com
+Signed-off-by: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Pavel Tatashin <pasha.tatashin@oracle.com>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Pasha Tatashin <Pavel.Tatashin@microsoft.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/Kconfig
++++ b/mm/Kconfig
+@@ -635,7 +635,7 @@ config DEFERRED_STRUCT_PAGE_INIT
+ bool "Defer initialisation of struct pages to kthreads"
+ default n
+ depends on NO_BOOTMEM
+- depends on !FLATMEM
++ depends on SPARSEMEM
+ depends on !NEED_PER_CPU_KM
+ help
+ Ordinarily all struct pages are initialised during early boot in a
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Date: Tue, 17 Jul 2018 19:14:45 -0700
+Subject: net/9p: fix error path of p9_virtio_probe
+
+From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+
+[ Upstream commit 92aef4675d5b1b55404e1532379e343bed0e5cf2 ]
+
+Currently when virtio_find_single_vq fails, we go through del_vqs which
+throws a warning (Trying to free already-free IRQ). Skip del_vqs if vq
+allocation failed.
+
+Link: http://lkml.kernel.org/r/20180524101021.49880-1-jean-philippe.brucker@arm.com
+Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Cc: Eric Van Hensbergen <ericvh@gmail.com>
+Cc: Ron Minnich <rminnich@sandia.gov>
+Cc: Latchesar Ionkov <lucho@ionkov.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/trans_virtio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/9p/trans_virtio.c
++++ b/net/9p/trans_virtio.c
+@@ -571,7 +571,7 @@ static int p9_virtio_probe(struct virtio
+ chan->vq = virtio_find_single_vq(vdev, req_done, "requests");
+ if (IS_ERR(chan->vq)) {
+ err = PTR_ERR(chan->vq);
+- goto out_free_vq;
++ goto out_free_chan;
+ }
+ chan->vq->vdev->priv = chan;
+ spin_lock_init(&chan->lock);
+@@ -624,6 +624,7 @@ out_free_tag:
+ kfree(tag);
+ out_free_vq:
+ vdev->config->del_vqs(vdev);
++out_free_chan:
+ kfree(chan);
+ fail:
+ return err;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Mon, 23 Jul 2018 20:42:53 +0200
+Subject: net/9p/trans_fd.c: fix race by holding the lock
+
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+
+[ Upstream commit 9f476d7c540cb57556d3cc7e78704e6cd5100f5f ]
+
+It may be possible to run p9_fd_cancel() with a deleted req->req_list
+and incur in a double del. To fix hold the client->lock while changing
+the status, so the other threads will be synchronized.
+
+Link: http://lkml.kernel.org/r/20180723184253.6682-1-tomasbortoli@gmail.com
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+735d926e9d1317c3310c@syzkaller.appspotmail.com
+To: Eric Van Hensbergen <ericvh@gmail.com>
+To: Ron Minnich <rminnich@sandia.gov>
+To: Latchesar Ionkov <lucho@ionkov.net>
+Cc: Yiwen Jiang <jiangyiwen@huwei.com>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/trans_fd.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -199,15 +199,14 @@ static void p9_mux_poll_stop(struct p9_c
+ static void p9_conn_cancel(struct p9_conn *m, int err)
+ {
+ struct p9_req_t *req, *rtmp;
+- unsigned long flags;
+ LIST_HEAD(cancel_list);
+
+ p9_debug(P9_DEBUG_ERROR, "mux %p err %d\n", m, err);
+
+- spin_lock_irqsave(&m->client->lock, flags);
++ spin_lock(&m->client->lock);
+
+ if (m->err) {
+- spin_unlock_irqrestore(&m->client->lock, flags);
++ spin_unlock(&m->client->lock);
+ return;
+ }
+
+@@ -219,7 +218,6 @@ static void p9_conn_cancel(struct p9_con
+ list_for_each_entry_safe(req, rtmp, &m->unsent_req_list, req_list) {
+ list_move(&req->req_list, &cancel_list);
+ }
+- spin_unlock_irqrestore(&m->client->lock, flags);
+
+ list_for_each_entry_safe(req, rtmp, &cancel_list, req_list) {
+ p9_debug(P9_DEBUG_ERROR, "call back req %p\n", req);
+@@ -228,6 +226,7 @@ static void p9_conn_cancel(struct p9_con
+ req->t_err = err;
+ p9_client_cb(m->client, req, REQ_STATUS_ERROR);
+ }
++ spin_unlock(&m->client->lock);
+ }
+
+ static __poll_t
+@@ -375,8 +374,9 @@ static void p9_read_work(struct work_str
+ if (m->req->status != REQ_STATUS_ERROR)
+ status = REQ_STATUS_RCVD;
+ list_del(&m->req->req_list);
+- spin_unlock(&m->client->lock);
++ /* update req->status while holding client->lock */
+ p9_client_cb(m->client, m->req, status);
++ spin_unlock(&m->client->lock);
+ m->rc.sdata = NULL;
+ m->rc.offset = 0;
+ m->rc.capacity = 0;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Xi Wang <wangxi11@huawei.com>
+Date: Tue, 14 Aug 2018 17:13:13 +0100
+Subject: net: hns3: Fix for command format parsing error in hclge_is_all_function_id_zero
+
+From: Xi Wang <wangxi11@huawei.com>
+
+[ Upstream commit 6c39d5278e62956238a681e4cfc69fae5507fc57 ]
+
+According to the functional specification of hardware, the first
+descriptor of response from command 'lookup vlan talbe' is not valid.
+Currently, the first descriptor is parsed as normal value, which will
+cause an expected error.
+
+This patch fixes this problem by skipping the first descriptor.
+
+Fixes: 46a3df9f9718 ("net: hns3: Add HNS3 Acceleration Engine & Compatibility Layer Support")
+Signed-off-by: Xi Wang <wangxi11@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Salil Mehta <salil.mehta@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -3911,7 +3911,7 @@ static bool hclge_is_all_function_id_zer
+ #define HCLGE_FUNC_NUMBER_PER_DESC 6
+ int i, j;
+
+- for (i = 0; i < HCLGE_DESC_NUMBER; i++)
++ for (i = 1; i < HCLGE_DESC_NUMBER; i++)
+ for (j = 0; j < HCLGE_FUNC_NUMBER_PER_DESC; j++)
+ if (desc[i].data[j])
+ return false;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Jian Shen <shenjian15@huawei.com>
+Date: Tue, 14 Aug 2018 17:13:15 +0100
+Subject: net: hns3: Fix for phy link issue when using marvell phy driver
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit 60081dcc4fce385ade26d3145b2479789df0b7e5 ]
+
+For marvell phy m88e1510, bit SUPPORTED_FIBRE of phydev->supported
+is default on. Both phy_resume() and phy_suspend() will check the
+SUPPORTED_FIBRE bit and write register of fibre page.
+
+Currently in hns3 driver, the SUPPORTED_FIBRE bit will be cleared
+after phy_connect_direct() finished. Because phy_resume() is called
+in phy_connect_direct(), and phy_suspend() is called when disconnect
+phy device, so the operation for fibre page register is not symmetrical.
+It will cause phy link issue when reload hns3 driver.
+
+This patch fixes it by disable the SUPPORTED_FIBRE before connecting
+phy.
+
+Fixes: 256727da7395 ("net: hns3: Add MDIO support to HNS3 Ethernet driver for hip08 SoC")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Salil Mehta <salil.mehta@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+@@ -208,6 +208,8 @@ int hclge_mac_start_phy(struct hclge_dev
+ if (!phydev)
+ return 0;
+
++ phydev->supported &= ~SUPPORTED_FIBRE;
++
+ ret = phy_connect_direct(netdev, phydev,
+ hclge_mac_adjust_link,
+ PHY_INTERFACE_MODE_SGMII);
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Tariq Toukan <tariqt@mellanox.com>
+Date: Mon, 13 Aug 2018 12:21:58 +0300
+Subject: net/xdp: Fix suspicious RCU usage warning
+
+From: Tariq Toukan <tariqt@mellanox.com>
+
+[ Upstream commit 21b172ee11b6ec260bd7e6a27b11a8a8d392fce5 ]
+
+Fix the warning below by calling rhashtable_lookup_fast.
+Also, make some code movements for better quality and human
+readability.
+
+[ 342.450870] WARNING: suspicious RCU usage
+[ 342.455856] 4.18.0-rc2+ #17 Tainted: G O
+[ 342.462210] -----------------------------
+[ 342.467202] ./include/linux/rhashtable.h:481 suspicious rcu_dereference_check() usage!
+[ 342.476568]
+[ 342.476568] other info that might help us debug this:
+[ 342.476568]
+[ 342.486978]
+[ 342.486978] rcu_scheduler_active = 2, debug_locks = 1
+[ 342.495211] 4 locks held by modprobe/3934:
+[ 342.500265] #0: 00000000e23116b2 (mlx5_intf_mutex){+.+.}, at:
+mlx5_unregister_interface+0x18/0x90 [mlx5_core]
+[ 342.511953] #1: 00000000ca16db96 (rtnl_mutex){+.+.}, at: unregister_netdev+0xe/0x20
+[ 342.521109] #2: 00000000a46e2c4b (&priv->state_lock){+.+.}, at: mlx5e_close+0x29/0x60
+[mlx5_core]
+[ 342.531642] #3: 0000000060c5bde3 (mem_id_lock){+.+.}, at: xdp_rxq_info_unreg+0x93/0x6b0
+[ 342.541206]
+[ 342.541206] stack backtrace:
+[ 342.547075] CPU: 12 PID: 3934 Comm: modprobe Tainted: G O 4.18.0-rc2+ #17
+[ 342.556621] Hardware name: Dell Inc. PowerEdge R730/0H21J3, BIOS 1.5.4 10/002/2015
+[ 342.565606] Call Trace:
+[ 342.568861] dump_stack+0x78/0xb3
+[ 342.573086] xdp_rxq_info_unreg+0x3f5/0x6b0
+[ 342.578285] ? __call_rcu+0x220/0x300
+[ 342.582911] mlx5e_free_rq+0x38/0xc0 [mlx5_core]
+[ 342.588602] mlx5e_close_channel+0x20/0x120 [mlx5_core]
+[ 342.594976] mlx5e_close_channels+0x26/0x40 [mlx5_core]
+[ 342.601345] mlx5e_close_locked+0x44/0x50 [mlx5_core]
+[ 342.607519] mlx5e_close+0x42/0x60 [mlx5_core]
+[ 342.613005] __dev_close_many+0xb1/0x120
+[ 342.617911] dev_close_many+0xa2/0x170
+[ 342.622622] rollback_registered_many+0x148/0x460
+[ 342.628401] ? __lock_acquire+0x48d/0x11b0
+[ 342.633498] ? unregister_netdev+0xe/0x20
+[ 342.638495] rollback_registered+0x56/0x90
+[ 342.643588] unregister_netdevice_queue+0x7e/0x100
+[ 342.649461] unregister_netdev+0x18/0x20
+[ 342.654362] mlx5e_remove+0x2a/0x50 [mlx5_core]
+[ 342.659944] mlx5_remove_device+0xe5/0x110 [mlx5_core]
+[ 342.666208] mlx5_unregister_interface+0x39/0x90 [mlx5_core]
+[ 342.673038] cleanup+0x5/0xbfc [mlx5_core]
+[ 342.678094] __x64_sys_delete_module+0x16b/0x240
+[ 342.683725] ? do_syscall_64+0x1c/0x210
+[ 342.688476] do_syscall_64+0x5a/0x210
+[ 342.693025] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 8d5d88527587 ("xdp: rhashtable with allocator ID to pointer mapping")
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Suggested-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Jesper Dangaard Brouer <brouer@redhat.com>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/xdp.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+--- a/net/core/xdp.c
++++ b/net/core/xdp.c
+@@ -95,23 +95,15 @@ static void __xdp_rxq_info_unreg_mem_mod
+ {
+ struct xdp_mem_allocator *xa;
+ int id = xdp_rxq->mem.id;
+- int err;
+
+ if (id == 0)
+ return;
+
+ mutex_lock(&mem_id_lock);
+
+- xa = rhashtable_lookup(mem_id_ht, &id, mem_id_rht_params);
+- if (!xa) {
+- mutex_unlock(&mem_id_lock);
+- return;
+- }
+-
+- err = rhashtable_remove_fast(mem_id_ht, &xa->node, mem_id_rht_params);
+- WARN_ON(err);
+-
+- call_rcu(&xa->rcu, __xdp_mem_allocator_rcu_free);
++ xa = rhashtable_lookup_fast(mem_id_ht, &id, mem_id_rht_params);
++ if (xa && !rhashtable_remove_fast(mem_id_ht, &xa->node, mem_id_rht_params))
++ call_rcu(&xa->rcu, __xdp_mem_allocator_rcu_free);
+
+ mutex_unlock(&mem_id_lock);
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 31 Jul 2018 13:41:23 +0200
+Subject: netfilter: fix memory leaks on netlink_dump_start error
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 3e673b23b541b8e7f773b2d378d6eb99831741cd ]
+
+Shaochun Chen points out we leak dumper filter state allocations
+stored in dump_control->data in case there is an error before netlink sets
+cb_running (after which ->done will be called at some point).
+
+In order to fix this, add .start functions and move allocations there.
+
+Same pattern as used in commit 90fd131afc565159c9e0ea742f082b337e10f8c6
+("netfilter: nf_tables: move dumper state allocation into ->start").
+
+Reported-by: shaochun chen <cscnull@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++---------
+ net/netfilter/nfnetlink_acct.c | 29 +++++++++++++----------------
+ 2 files changed, 30 insertions(+), 25 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -821,6 +821,21 @@ ctnetlink_alloc_filter(const struct nlat
+ #endif
+ }
+
++static int ctnetlink_start(struct netlink_callback *cb)
++{
++ const struct nlattr * const *cda = cb->data;
++ struct ctnetlink_filter *filter = NULL;
++
++ if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
++ filter = ctnetlink_alloc_filter(cda);
++ if (IS_ERR(filter))
++ return PTR_ERR(filter);
++ }
++
++ cb->data = filter;
++ return 0;
++}
++
+ static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
+ {
+ struct ctnetlink_filter *filter = data;
+@@ -1240,19 +1255,12 @@ static int ctnetlink_get_conntrack(struc
+
+ if (nlh->nlmsg_flags & NLM_F_DUMP) {
+ struct netlink_dump_control c = {
++ .start = ctnetlink_start,
+ .dump = ctnetlink_dump_table,
+ .done = ctnetlink_done,
++ .data = (void *)cda,
+ };
+
+- if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
+- struct ctnetlink_filter *filter;
+-
+- filter = ctnetlink_alloc_filter(cda);
+- if (IS_ERR(filter))
+- return PTR_ERR(filter);
+-
+- c.data = filter;
+- }
+ return netlink_dump_start(ctnl, skb, nlh, &c);
+ }
+
+--- a/net/netfilter/nfnetlink_acct.c
++++ b/net/netfilter/nfnetlink_acct.c
+@@ -238,29 +238,33 @@ static const struct nla_policy filter_po
+ [NFACCT_FILTER_VALUE] = { .type = NLA_U32 },
+ };
+
+-static struct nfacct_filter *
+-nfacct_filter_alloc(const struct nlattr * const attr)
++static int nfnl_acct_start(struct netlink_callback *cb)
+ {
+- struct nfacct_filter *filter;
++ const struct nlattr *const attr = cb->data;
+ struct nlattr *tb[NFACCT_FILTER_MAX + 1];
++ struct nfacct_filter *filter;
+ int err;
+
++ if (!attr)
++ return 0;
++
+ err = nla_parse_nested(tb, NFACCT_FILTER_MAX, attr, filter_policy,
+ NULL);
+ if (err < 0)
+- return ERR_PTR(err);
++ return err;
+
+ if (!tb[NFACCT_FILTER_MASK] || !tb[NFACCT_FILTER_VALUE])
+- return ERR_PTR(-EINVAL);
++ return -EINVAL;
+
+ filter = kzalloc(sizeof(struct nfacct_filter), GFP_KERNEL);
+ if (!filter)
+- return ERR_PTR(-ENOMEM);
++ return -ENOMEM;
+
+ filter->mask = ntohl(nla_get_be32(tb[NFACCT_FILTER_MASK]));
+ filter->value = ntohl(nla_get_be32(tb[NFACCT_FILTER_VALUE]));
++ cb->data = filter;
+
+- return filter;
++ return 0;
+ }
+
+ static int nfnl_acct_get(struct net *net, struct sock *nfnl,
+@@ -275,18 +279,11 @@ static int nfnl_acct_get(struct net *net
+ if (nlh->nlmsg_flags & NLM_F_DUMP) {
+ struct netlink_dump_control c = {
+ .dump = nfnl_acct_dump,
++ .start = nfnl_acct_start,
+ .done = nfnl_acct_done,
++ .data = (void *)tb[NFACCT_FILTER],
+ };
+
+- if (tb[NFACCT_FILTER]) {
+- struct nfacct_filter *filter;
+-
+- filter = nfacct_filter_alloc(tb[NFACCT_FILTER]);
+- if (IS_ERR(filter))
+- return PTR_ERR(filter);
+-
+- c.data = filter;
+- }
+ return netlink_dump_start(nfnl, skb, nlh, &c);
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 25 Jul 2018 21:38:43 +0200
+Subject: netfilter: ip6t_rpfilter: set F_IFACE for linklocal addresses
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit da786717e0894886301ed2536843c13f9e8fd53e ]
+
+Roman reports that DHCPv6 client no longer sees replies from server
+due to
+
+ip6tables -t raw -A PREROUTING -m rpfilter --invert -j DROP
+
+rule. We need to set the F_IFACE flag for linklocal addresses, they
+are scoped per-device.
+
+Fixes: 47b7e7f82802 ("netfilter: don't set F_IFACE on ipv6 fib lookups")
+Reported-by: Roman Mamedov <rm@romanrm.net>
+Tested-by: Roman Mamedov <rm@romanrm.net>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/netfilter/ip6t_rpfilter.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/netfilter/ip6t_rpfilter.c
++++ b/net/ipv6/netfilter/ip6t_rpfilter.c
+@@ -26,6 +26,12 @@ static bool rpfilter_addr_unicast(const
+ return addr_type & IPV6_ADDR_UNICAST;
+ }
+
++static bool rpfilter_addr_linklocal(const struct in6_addr *addr)
++{
++ int addr_type = ipv6_addr_type(addr);
++ return addr_type & IPV6_ADDR_LINKLOCAL;
++}
++
+ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb,
+ const struct net_device *dev, u8 flags)
+ {
+@@ -48,7 +54,11 @@ static bool rpfilter_lookup_reverse6(str
+ }
+
+ fl6.flowi6_mark = flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0;
+- if ((flags & XT_RPFILTER_LOOSE) == 0)
++
++ if (rpfilter_addr_linklocal(&iph->saddr)) {
++ lookup_flags |= RT6_LOOKUP_F_IFACE;
++ fl6.flowi6_oif = dev->ifindex;
++ } else if ((flags & XT_RPFILTER_LOOSE) == 0)
+ fl6.flowi6_oif = dev->ifindex;
+
+ rt = (void *)ip6_route_lookup(net, &fl6, skb, lookup_flags);
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Michal Hocko <mhocko@suse.com>
+Date: Tue, 7 Aug 2018 21:54:00 +0200
+Subject: netfilter: x_tables: do not fail xt_alloc_table_info too easilly
+
+From: Michal Hocko <mhocko@suse.com>
+
+[ Upstream commit a148ce15375fc664ad64762c751c0c2aecb2cafe ]
+
+eacd86ca3b03 ("net/netfilter/x_tables.c: use kvmalloc()
+in xt_alloc_table_info()") has unintentionally fortified
+xt_alloc_table_info allocation when __GFP_RETRY has been dropped from
+the vmalloc fallback. Later on there was a syzbot report that this
+can lead to OOM killer invocations when tables are too large and
+0537250fdc6c ("netfilter: x_tables: make allocation less aggressive")
+has been merged to restore the original behavior. Georgi Nikolov however
+noticed that he is not able to install his iptables anymore so this can
+be seen as a regression.
+
+The primary argument for 0537250fdc6c was that this allocation path
+shouldn't really trigger the OOM killer and kill innocent tasks. On the
+other hand the interface requires root and as such should allow what the
+admin asks for. Root inside a namespaces makes this more complicated
+because those might be not trusted in general. If they are not then such
+namespaces should be restricted anyway. Therefore drop the __GFP_NORETRY
+and replace it by __GFP_ACCOUNT to enfore memcg constrains on it.
+
+Fixes: 0537250fdc6c ("netfilter: x_tables: make allocation less aggressive")
+Reported-by: Georgi Nikolov <gnikolov@icdsoft.com>
+Suggested-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/x_tables.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -1178,12 +1178,7 @@ struct xt_table_info *xt_alloc_table_inf
+ if (sz < sizeof(*info) || sz >= XT_MAX_TABLE_SIZE)
+ return NULL;
+
+- /* __GFP_NORETRY is not fully supported by kvmalloc but it should
+- * work reasonably well if sz is too large and bail out rather
+- * than shoot all processes down before realizing there is nothing
+- * more to reclaim.
+- */
+- info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY);
++ info = kvmalloc(sz, GFP_KERNEL_ACCOUNT);
+ if (!info)
+ return NULL;
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Thu, 2 Aug 2018 05:42:04 +0000
+Subject: NFSv4: Fix error handling in nfs4_sp4_select_mode()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 72bf75cfc00c02aa66ef6133048f37aa5d88825c ]
+
+Error code is set in the error handling cases but never used. Fix it.
+
+Fixes: 937e3133cd0b ("NFSv4.1: Ensure we clear the SP4_MACH_CRED flags in nfs4_sp4_select_mode()")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -7734,7 +7734,7 @@ static int nfs4_sp4_select_mode(struct n
+ }
+ out:
+ clp->cl_sp4_flags = flags;
+- return 0;
++ return ret;
+ }
+
+ struct nfs41_exchange_id_data {
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Myron Stowe <myron.stowe@redhat.com>
+Date: Mon, 13 Aug 2018 12:19:46 -0600
+Subject: PCI: Match Root Port's MPS to endpoint's MPSS as necessary
+
+From: Myron Stowe <myron.stowe@redhat.com>
+
+[ Upstream commit 9f0e89359775ee21fe1ea732e34edb52aef5addf ]
+
+In commit 27d868b5e6cf ("PCI: Set MPS to match upstream bridge"), we made
+sure every device's MPS setting matches its upstream bridge, making it more
+likely that a hot-added device will work in a system with an optimized MPS
+configuration.
+
+Recently I've started encountering systems where the endpoint device's MPSS
+capability is less than its Root Port's current MPS value, thus the
+endpoint is not capable of matching its upstream bridge's MPS setting (see:
+bugzilla via "Link:" below). This leaves the system vulnerable - the
+upstream Root Port could respond with larger TLPs than the device can
+handle, and the device will consider them to be 'Malformed'.
+
+One could use the "pci=pcie_bus_safe" kernel parameter to work around the
+issue, but that forces a user to supply a kernel parameter to get the
+system to function reliably and may end up limiting MPS settings of other
+unrelated, sub-topologies which could benefit from maintaining their larger
+values.
+
+Augment Keith's approach to include tuning down a Root Port's MPS setting
+when its hot-added endpoint device is not capable of matching it.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=200527
+Signed-off-by: Myron Stowe <myron.stowe@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Jon Mason <jdmason@kudzu.us>
+Cc: Keith Busch <keith.busch@intel.com>
+Cc: Sinan Kaya <okaya@kernel.org>
+Cc: Dongdong Liu <liudongdong3@huawei.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/probe.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1725,7 +1725,7 @@ int pci_setup_device(struct pci_dev *dev
+ static void pci_configure_mps(struct pci_dev *dev)
+ {
+ struct pci_dev *bridge = pci_upstream_bridge(dev);
+- int mps, p_mps, rc;
++ int mps, mpss, p_mps, rc;
+
+ if (!pci_is_pcie(dev) || !bridge || !pci_is_pcie(bridge))
+ return;
+@@ -1753,6 +1753,14 @@ static void pci_configure_mps(struct pci
+ if (pcie_bus_config != PCIE_BUS_DEFAULT)
+ return;
+
++ mpss = 128 << dev->pcie_mpss;
++ if (mpss < p_mps && pci_pcie_type(bridge) == PCI_EXP_TYPE_ROOT_PORT) {
++ pcie_set_mps(bridge, mpss);
++ pci_info(dev, "Upstream bridge's Max Payload Size set to %d (was %d, max %d)\n",
++ mpss, p_mps, 128 << bridge->pcie_mpss);
++ p_mps = pcie_get_mps(bridge);
++ }
++
+ rc = pcie_set_mps(dev, p_mps);
+ if (rc) {
+ pci_warn(dev, "can't set Max Payload Size to %d; if necessary, use \"pci=pcie_bus_safe\" and report a bug\n",
+@@ -1761,7 +1769,7 @@ static void pci_configure_mps(struct pci
+ }
+
+ pci_info(dev, "Max Payload Size set to %d (was %d, max %d)\n",
+- p_mps, mps, 128 << dev->pcie_mpss);
++ p_mps, mps, mpss);
+ }
+
+ static struct hpp_type0 pci_default_type0 = {
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Date: Fri, 3 Aug 2018 16:38:44 +0200
+Subject: PCI: mvebu: Fix I/O space end address calculation
+
+From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+
+[ Upstream commit dfd0309fd7b30a5baffaf47b2fccb88b46d64d69 ]
+
+pcie->realio.end should be the address of last byte of the area,
+therefore using resource_size() of another resource is not correct, we
+must substract 1 to get the address of the last byte.
+
+Fixes: 11be65472a427 ("PCI: mvebu: Adapt to the new device tree layout")
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pci-mvebu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/controller/pci-mvebu.c
++++ b/drivers/pci/controller/pci-mvebu.c
+@@ -1219,7 +1219,7 @@ static int mvebu_pcie_probe(struct platf
+ pcie->realio.start = PCIBIOS_MIN_IO;
+ pcie->realio.end = min_t(resource_size_t,
+ IO_SPACE_LIMIT,
+- resource_size(&pcie->io));
++ resource_size(&pcie->io) - 1);
+ } else
+ pcie->realio = pcie->io;
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Kim Phillips <kim.phillips@arm.com>
+Date: Fri, 10 Aug 2018 17:45:12 -0500
+Subject: perf arm spe: Fix uninitialized record error variable
+
+From: Kim Phillips <kim.phillips@arm.com>
+
+[ Upstream commit 344353366591acf659a0d0dea498611da78d67e2 ]
+
+The auxtrace init variable 'err' was not being initialized, leading perf
+to abort early in an SPE record command when there was no explicit
+error, rather only based whatever memory contents were on the stack.
+Initialize it explicitly on getting an SPE successfully, the same way
+cs-etm does.
+
+Signed-off-by: Kim Phillips <kim.phillips@arm.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Dongjiu Geng <gengdongjiu@huawei.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Fixes: ffd3d18c20b8 ("perf tools: Add ARM Statistical Profiling Extensions (SPE) support")
+Link: http://lkml.kernel.org/r/20180810174512.52900813e57cbccf18ce99a2@arm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/arch/arm64/util/arm-spe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/perf/arch/arm64/util/arm-spe.c
++++ b/tools/perf/arch/arm64/util/arm-spe.c
+@@ -194,6 +194,7 @@ struct auxtrace_record *arm_spe_recordin
+ sper->itr.read_finish = arm_spe_read_finish;
+ sper->itr.alignment = 0;
+
++ *err = 0;
+ return &sper->itr;
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Sandipan Das <sandipan@linux.ibm.com>
+Date: Thu, 9 Aug 2018 21:49:29 +0530
+Subject: perf probe powerpc: Fix trace event post-processing
+
+From: Sandipan Das <sandipan@linux.ibm.com>
+
+[ Upstream commit 354b064b8ebc1e1ede58550ca9e08bfa81e6af43 ]
+
+In some cases, a symbol may have multiple aliases. Attempting to add an
+entry probe for such symbols results in a probe being added at an
+incorrect location while it fails altogether for return probes. This is
+only applicable for binaries with debug information.
+
+During the arch-dependent post-processing, the offset from the start of
+the symbol at which the probe is to be attached is determined and added
+to the start address of the symbol to get the probe's location. In case
+there are multiple aliases, this offset gets added multiple times for
+each alias of the symbol and we end up with an incorrect probe location.
+
+This can be verified on a powerpc64le system as shown below.
+
+ $ nm /lib/modules/$(uname -r)/build/vmlinux | grep "sys_open$"
+ ...
+ c000000000414290 T __se_sys_open
+ c000000000414290 T sys_open
+
+ $ objdump -d /lib/modules/$(uname -r)/build/vmlinux | grep -A 10 "<__se_sys_open>:"
+
+ c000000000414290 <__se_sys_open>:
+ c000000000414290: 19 01 4c 3c addis r2,r12,281
+ c000000000414294: 70 c4 42 38 addi r2,r2,-15248
+ c000000000414298: a6 02 08 7c mflr r0
+ c00000000041429c: e8 ff a1 fb std r29,-24(r1)
+ c0000000004142a0: f0 ff c1 fb std r30,-16(r1)
+ c0000000004142a4: f8 ff e1 fb std r31,-8(r1)
+ c0000000004142a8: 10 00 01 f8 std r0,16(r1)
+ c0000000004142ac: c1 ff 21 f8 stdu r1,-64(r1)
+ c0000000004142b0: 78 23 9f 7c mr r31,r4
+ c0000000004142b4: 78 1b 7e 7c mr r30,r3
+
+ For both the entry probe and the return probe, the probe location
+ should be _text+4276888 (0xc000000000414298). Since another alias
+ exists for 'sys_open', the post-processing code will end up adding
+ the offset (8 for powerpc64le) twice and perf will attempt to add
+ the probe at _text+4276896 (0xc0000000004142a0) instead.
+
+Before:
+
+ # perf probe -v -a sys_open
+
+ probe-definition(0): sys_open
+ symbol:sys_open file:(null) line:0 offset:0 return:0 lazy:(null)
+ 0 arguments
+ Looking at the vmlinux_path (8 entries long)
+ Using /lib/modules/4.18.0-rc8+/build/vmlinux for symbols
+ Open Debuginfo file: /lib/modules/4.18.0-rc8+/build/vmlinux
+ Try to find probe point from debuginfo.
+ Symbol sys_open address found : c000000000414290
+ Matched function: __se_sys_open [2ad03a0]
+ Probe point found: __se_sys_open+0
+ Found 1 probe_trace_events.
+ Opening /sys/kernel/debug/tracing/kprobe_events write=1
+ Writing event: p:probe/sys_open _text+4276896
+ Added new event:
+ probe:sys_open (on sys_open)
+ ...
+
+ # perf probe -v -a sys_open%return $retval
+
+ probe-definition(0): sys_open%return
+ symbol:sys_open file:(null) line:0 offset:0 return:1 lazy:(null)
+ 0 arguments
+ Looking at the vmlinux_path (8 entries long)
+ Using /lib/modules/4.18.0-rc8+/build/vmlinux for symbols
+ Open Debuginfo file: /lib/modules/4.18.0-rc8+/build/vmlinux
+ Try to find probe point from debuginfo.
+ Symbol sys_open address found : c000000000414290
+ Matched function: __se_sys_open [2ad03a0]
+ Probe point found: __se_sys_open+0
+ Found 1 probe_trace_events.
+ Opening /sys/kernel/debug/tracing/README write=0
+ Opening /sys/kernel/debug/tracing/kprobe_events write=1
+ Parsing probe_events: p:probe/sys_open _text+4276896
+ Group:probe Event:sys_open probe:p
+ Writing event: r:probe/sys_open__return _text+4276896
+ Failed to write event: Invalid argument
+ Error: Failed to add events. Reason: Invalid argument (Code: -22)
+
+After:
+
+ # perf probe -v -a sys_open
+
+ probe-definition(0): sys_open
+ symbol:sys_open file:(null) line:0 offset:0 return:0 lazy:(null)
+ 0 arguments
+ Looking at the vmlinux_path (8 entries long)
+ Using /lib/modules/4.18.0-rc8+/build/vmlinux for symbols
+ Open Debuginfo file: /lib/modules/4.18.0-rc8+/build/vmlinux
+ Try to find probe point from debuginfo.
+ Symbol sys_open address found : c000000000414290
+ Matched function: __se_sys_open [2ad03a0]
+ Probe point found: __se_sys_open+0
+ Found 1 probe_trace_events.
+ Opening /sys/kernel/debug/tracing/kprobe_events write=1
+ Writing event: p:probe/sys_open _text+4276888
+ Added new event:
+ probe:sys_open (on sys_open)
+ ...
+
+ # perf probe -v -a sys_open%return $retval
+
+ probe-definition(0): sys_open%return
+ symbol:sys_open file:(null) line:0 offset:0 return:1 lazy:(null)
+ 0 arguments
+ Looking at the vmlinux_path (8 entries long)
+ Using /lib/modules/4.18.0-rc8+/build/vmlinux for symbols
+ Open Debuginfo file: /lib/modules/4.18.0-rc8+/build/vmlinux
+ Try to find probe point from debuginfo.
+ Symbol sys_open address found : c000000000414290
+ Matched function: __se_sys_open [2ad03a0]
+ Probe point found: __se_sys_open+0
+ Found 1 probe_trace_events.
+ Opening /sys/kernel/debug/tracing/README write=0
+ Opening /sys/kernel/debug/tracing/kprobe_events write=1
+ Parsing probe_events: p:probe/sys_open _text+4276888
+ Group:probe Event:sys_open probe:p
+ Writing event: r:probe/sys_open__return _text+4276888
+ Added new event:
+ probe:sys_open__return (on sys_open%return)
+ ...
+
+Reported-by: Aneesh Kumar <aneesh.kumar@linux.vnet.ibm.com>
+Signed-off-by: Sandipan Das <sandipan@linux.ibm.com>
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Cc: Aneesh Kumar <aneesh.kumar@linux.vnet.ibm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Fixes: 99e608b5954c ("perf probe ppc64le: Fix probe location when using DWARF")
+Link: http://lkml.kernel.org/r/20180809161929.35058-1-sandipan@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/arch/powerpc/util/sym-handling.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/arch/powerpc/util/sym-handling.c
++++ b/tools/perf/arch/powerpc/util/sym-handling.c
+@@ -141,8 +141,10 @@ void arch__post_process_probe_trace_even
+ for (i = 0; i < ntevs; i++) {
+ tev = &pev->tevs[i];
+ map__for_each_symbol(map, sym, tmp) {
+- if (map->unmap_ip(map, sym->start) == tev->point.address)
++ if (map->unmap_ip(map, sym->start) == tev->point.address) {
+ arch__fix_tev_from_maps(pev, tev, map, sym);
++ break;
++ }
+ }
+ }
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Fri, 17 Aug 2018 13:45:56 +0200
+Subject: perf python: Fix pyrf_evlist__read_on_cpu() interface
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit 721f0dfc3ce821c6a32820ab63edfb48ed4af075 ]
+
+Jaroslav reported errors from valgrind over perf python script:
+
+ # echo 0 > /sys/devices/system/cpu/cpu4/online
+ # valgrind ./test.py
+ ==7524== Memcheck, a memory error detector
+ ...
+ ==7524== Command: ./test.py
+ ==7524==
+ pid 7526 exited
+ ==7524== Invalid read of size 8
+ ==7524== at 0xCC2C2B3: perf_mmap__read_forward (evlist.c:780)
+ ==7524== by 0xCC2A681: pyrf_evlist__read_on_cpu (python.c:959)
+ ...
+ ==7524== Address 0x65c4868 is 16 bytes after a block of size 459,36..
+ ==7524== at 0x4C2B955: calloc (vg_replace_malloc.c:711)
+ ==7524== by 0xCC2F484: zalloc (util.h:35)
+ ==7524== by 0xCC2F484: perf_evlist__alloc_mmap (evlist.c:978)
+ ...
+
+The reason for this is in the python interface, that allows a script to
+pass arbitrary cpu number, which is then used to access struct
+perf_evlist::mmap array. That's obviously wrong and works only when if
+all cpus are available and fails if some cpu is missing, like in the
+example above.
+
+This patch makes pyrf_evlist__read_on_cpu() search the evlist's maps
+array for the proper map to access.
+
+It's linear search at the moment. Based on the way how is the
+read_on_cpu used, I don't think we need to be fast in here. But we
+could add some hash in the middle to make it fast/er.
+
+We don't allow python interface to set write_backward event attribute,
+so it's safe to check only evlist's mmaps.
+
+Reported-by: Jaroslav Å karvada <jskarvad@redhat.com>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Joe Mario <jmario@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20180817114556.28000-3-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/python.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/python.c
++++ b/tools/perf/util/python.c
+@@ -11,6 +11,7 @@
+ #include "cpumap.h"
+ #include "print_binary.h"
+ #include "thread_map.h"
++#include "mmap.h"
+
+ #if PY_MAJOR_VERSION < 3
+ #define _PyUnicode_FromString(arg) \
+@@ -976,6 +977,20 @@ static PyObject *pyrf_evlist__add(struct
+ return Py_BuildValue("i", evlist->nr_entries);
+ }
+
++static struct perf_mmap *get_md(struct perf_evlist *evlist, int cpu)
++{
++ int i;
++
++ for (i = 0; i < evlist->nr_mmaps; i++) {
++ struct perf_mmap *md = &evlist->mmap[i];
++
++ if (md->cpu == cpu)
++ return md;
++ }
++
++ return NULL;
++}
++
+ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist,
+ PyObject *args, PyObject *kwargs)
+ {
+@@ -990,7 +1005,10 @@ static PyObject *pyrf_evlist__read_on_cp
+ &cpu, &sample_id_all))
+ return NULL;
+
+- md = &evlist->mmap[cpu];
++ md = get_md(evlist, cpu);
++ if (!md)
++ return NULL;
++
+ if (perf_mmap__read_init(md) < 0)
+ goto end;
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Benno Evers <bevers@mesosphere.com>
+Date: Fri, 10 Aug 2018 15:36:13 +0200
+Subject: perf tools: Check for null when copying nsinfo.
+
+From: Benno Evers <bevers@mesosphere.com>
+
+[ Upstream commit 3f4417d693b43fa240ac8bde4487f67745ca23d8 ]
+
+The argument to nsinfo__copy() was assumed to be valid, but some code paths
+exist that will lead to NULL being passed.
+
+In particular, running 'perf script -D' on a perf.data file containing an
+PERF_RECORD_MMAP event associating the '[vdso]' dso with pid 0 earlier in
+the event stream will lead to a segfault.
+
+Since all calling code is already checking for a non-null return value,
+just return NULL for this case as well.
+
+Signed-off-by: Benno Evers <bevers@mesosphere.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Krister Johansen <kjlx@templeofstupid.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20180810133614.9925-1-bevers@mesosphere.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/namespaces.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/tools/perf/util/namespaces.c
++++ b/tools/perf/util/namespaces.c
+@@ -139,6 +139,9 @@ struct nsinfo *nsinfo__copy(struct nsinf
+ {
+ struct nsinfo *nnsi;
+
++ if (nsi == NULL)
++ return NULL;
++
+ nnsi = calloc(1, sizeof(*nnsi));
+ if (nnsi != NULL) {
+ nnsi->pid = nsi->pid;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Mon, 6 Aug 2018 19:06:35 +0300
+Subject: pinctrl: axp209: Fix NULL pointer dereference after allocation
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+[ Upstream commit 504c76979bccec66e4c2e41f6a006e49e284466f ]
+
+There is no check that allocation in axp20x_funcs_groups_from_mask
+is successful.
+The patch adds corresponding check and return values.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Acked-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-axp209.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-axp209.c
++++ b/drivers/pinctrl/pinctrl-axp209.c
+@@ -316,7 +316,7 @@ static const struct pinctrl_ops axp20x_p
+ .get_group_pins = axp20x_group_pins,
+ };
+
+-static void axp20x_funcs_groups_from_mask(struct device *dev, unsigned int mask,
++static int axp20x_funcs_groups_from_mask(struct device *dev, unsigned int mask,
+ unsigned int mask_len,
+ struct axp20x_pinctrl_function *func,
+ const struct pinctrl_pin_desc *pins)
+@@ -331,18 +331,22 @@ static void axp20x_funcs_groups_from_mas
+ func->groups = devm_kcalloc(dev,
+ ngroups, sizeof(const char *),
+ GFP_KERNEL);
++ if (!func->groups)
++ return -ENOMEM;
+ group = func->groups;
+ for_each_set_bit(bit, &mask_cpy, mask_len) {
+ *group = pins[bit].name;
+ group++;
+ }
+ }
++
++ return 0;
+ }
+
+-static void axp20x_build_funcs_groups(struct platform_device *pdev)
++static int axp20x_build_funcs_groups(struct platform_device *pdev)
+ {
+ struct axp20x_pctl *pctl = platform_get_drvdata(pdev);
+- int i, pin, npins = pctl->desc->npins;
++ int i, ret, pin, npins = pctl->desc->npins;
+
+ pctl->funcs[AXP20X_FUNC_GPIO_OUT].name = "gpio_out";
+ pctl->funcs[AXP20X_FUNC_GPIO_OUT].muxval = AXP20X_MUX_GPIO_OUT;
+@@ -366,13 +370,19 @@ static void axp20x_build_funcs_groups(st
+ pctl->funcs[i].groups[pin] = pctl->desc->pins[pin].name;
+ }
+
+- axp20x_funcs_groups_from_mask(&pdev->dev, pctl->desc->ldo_mask,
++ ret = axp20x_funcs_groups_from_mask(&pdev->dev, pctl->desc->ldo_mask,
+ npins, &pctl->funcs[AXP20X_FUNC_LDO],
+ pctl->desc->pins);
++ if (ret)
++ return ret;
+
+- axp20x_funcs_groups_from_mask(&pdev->dev, pctl->desc->adc_mask,
++ ret = axp20x_funcs_groups_from_mask(&pdev->dev, pctl->desc->adc_mask,
+ npins, &pctl->funcs[AXP20X_FUNC_ADC],
+ pctl->desc->pins);
++ if (ret)
++ return ret;
++
++ return 0;
+ }
+
+ static const struct of_device_id axp20x_pctl_match[] = {
+@@ -424,7 +434,11 @@ static int axp20x_pctl_probe(struct plat
+
+ platform_set_drvdata(pdev, pctl);
+
+- axp20x_build_funcs_groups(pdev);
++ ret = axp20x_build_funcs_groups(pdev);
++ if (ret) {
++ dev_err(&pdev->dev, "failed to build groups\n");
++ return ret;
++ }
+
+ pctrl_desc = devm_kzalloc(&pdev->dev, sizeof(*pctrl_desc), GFP_KERNEL);
+ if (!pctrl_desc)
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Aleh Filipovich <aleh@vaolix.com>
+Date: Fri, 10 Aug 2018 22:07:25 +0200
+Subject: platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360
+
+From: Aleh Filipovich <aleh@vaolix.com>
+
+[ Upstream commit 880b29ac107d15644bf4da228376ba3cd6af6d71 ]
+
+Add entry to WMI keymap for lid flip event on Asus UX360.
+
+On Asus Zenbook ux360 flipping lid from/to tablet mode triggers
+keyscan code 0xfa which cannot be handled and results in kernel
+log message "Unknown key fa pressed".
+
+Signed-off-by: Aleh Filipovich<aleh@appnexus.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/asus-nb-wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/platform/x86/asus-nb-wmi.c
++++ b/drivers/platform/x86/asus-nb-wmi.c
+@@ -496,6 +496,7 @@ static const struct key_entry asus_nb_wm
+ { KE_KEY, 0xC4, { KEY_KBDILLUMUP } },
+ { KE_KEY, 0xC5, { KEY_KBDILLUMDOWN } },
+ { KE_IGNORE, 0xC6, }, /* Ambient Light Sensor notification */
++ { KE_KEY, 0xFA, { KEY_PROG2 } }, /* Lid flip action */
+ { KE_END, 0},
+ };
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Wed, 15 Aug 2018 09:12:07 -0700
+Subject: platform/x86: intel_punit_ipc: fix build errors
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 340fd4cff43f18bace9358d4decdc9b6ed0715be ]
+
+Fix build errors by #including <linux/io.h>.
+
+../drivers/platform/x86/intel_punit_ipc.c: In function 'ipc_read_status':
+../drivers/platform/x86/intel_punit_ipc.c:55:2: error: implicit declaration of function 'readl' [-Werror=implicit-function-declaration]
+ return readl(ipcdev->base[type][BASE_IFACE]);
+../drivers/platform/x86/intel_punit_ipc.c: In function 'ipc_write_cmd':
+../drivers/platform/x86/intel_punit_ipc.c:60:2: error: implicit declaration of function 'writel' [-Werror=implicit-function-declaration]
+ writel(cmd, ipcdev->base[type][BASE_IFACE]);
+
+Fixes: 447ae3166702 ("x86: Don't include linux/irq.h from asm/hardirq.h")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Zha Qipeng <qipeng.zha@intel.com>
+Cc: platform-driver-x86@vger.kernel.org
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/intel_punit_ipc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/platform/x86/intel_punit_ipc.c
++++ b/drivers/platform/x86/intel_punit_ipc.c
+@@ -17,6 +17,7 @@
+ #include <linux/bitops.h>
+ #include <linux/device.h>
+ #include <linux/interrupt.h>
++#include <linux/io.h>
+ #include <linux/platform_device.h>
+ #include <asm/intel_punit_ipc.h>
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Thu, 26 Jul 2018 22:42:44 +1000
+Subject: powerpc/64s: Make rfi_flush_fallback a little more robust
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 78ee9946371f5848ddfc88ab1a43867df8f17d83 ]
+
+Because rfi_flush_fallback runs immediately before the return to
+userspace it currently runs with the user r1 (stack pointer). This
+means if we oops in there we will report a bad kernel stack pointer in
+the exception entry path, eg:
+
+ Bad kernel stack pointer 7ffff7150e40 at c0000000000023b4
+ Oops: Bad kernel stack pointer, sig: 6 [#1]
+ LE SMP NR_CPUS=32 NUMA PowerNV
+ Modules linked in:
+ CPU: 0 PID: 1246 Comm: klogd Not tainted 4.18.0-rc2-gcc-7.3.1-00175-g0443f8a69ba3 #7
+ NIP: c0000000000023b4 LR: 0000000010053e00 CTR: 0000000000000040
+ REGS: c0000000fffe7d40 TRAP: 4100 Not tainted (4.18.0-rc2-gcc-7.3.1-00175-g0443f8a69ba3)
+ MSR: 9000000002803031 <SF,HV,VEC,VSX,FP,ME,IR,DR,LE> CR: 44000442 XER: 20000000
+ CFAR: c00000000000bac8 IRQMASK: c0000000f1e66a80
+ GPR00: 0000000002000000 00007ffff7150e40 00007fff93a99900 0000000000000020
+ ...
+ NIP [c0000000000023b4] rfi_flush_fallback+0x34/0x80
+ LR [0000000010053e00] 0x10053e00
+
+Although the NIP tells us where we were, and the TRAP number tells us
+what happened, it would still be nicer if we could report the actual
+exception rather than barfing about the stack pointer.
+
+We an do that fairly simply by loading the kernel stack pointer on
+entry and restoring the user value before returning. That way we see a
+regular oops such as:
+
+ Unrecoverable exception 4100 at c00000000000239c
+ Oops: Unrecoverable exception, sig: 6 [#1]
+ LE SMP NR_CPUS=32 NUMA PowerNV
+ Modules linked in:
+ CPU: 0 PID: 1251 Comm: klogd Not tainted 4.18.0-rc3-gcc-7.3.1-00097-g4ebfcac65acd-dirty #40
+ NIP: c00000000000239c LR: 0000000010053e00 CTR: 0000000000000040
+ REGS: c0000000f1e17bb0 TRAP: 4100 Not tainted (4.18.0-rc3-gcc-7.3.1-00097-g4ebfcac65acd-dirty)
+ MSR: 9000000002803031 <SF,HV,VEC,VSX,FP,ME,IR,DR,LE> CR: 44000442 XER: 20000000
+ CFAR: c00000000000bac8 IRQMASK: 0
+ ...
+ NIP [c00000000000239c] rfi_flush_fallback+0x3c/0x80
+ LR [0000000010053e00] 0x10053e00
+ Call Trace:
+ [c0000000f1e17e30] [c00000000000b9e4] system_call+0x5c/0x70 (unreliable)
+
+Note this shouldn't make the kernel stack pointer vulnerable to a
+meltdown attack, because it should be flushed from the cache before we
+return to userspace. The user r1 value will be in the cache, because
+we load it in the return path, but that is harmless.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/exceptions-64s.S | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -1526,6 +1526,8 @@ TRAMP_REAL_BEGIN(stf_barrier_fallback)
+ TRAMP_REAL_BEGIN(rfi_flush_fallback)
+ SET_SCRATCH0(r13);
+ GET_PACA(r13);
++ std r1,PACA_EXRFI+EX_R12(r13)
++ ld r1,PACAKSAVE(r13)
+ std r9,PACA_EXRFI+EX_R9(r13)
+ std r10,PACA_EXRFI+EX_R10(r13)
+ std r11,PACA_EXRFI+EX_R11(r13)
+@@ -1560,12 +1562,15 @@ TRAMP_REAL_BEGIN(rfi_flush_fallback)
+ ld r9,PACA_EXRFI+EX_R9(r13)
+ ld r10,PACA_EXRFI+EX_R10(r13)
+ ld r11,PACA_EXRFI+EX_R11(r13)
++ ld r1,PACA_EXRFI+EX_R12(r13)
+ GET_SCRATCH0(r13);
+ rfid
+
+ TRAMP_REAL_BEGIN(hrfi_flush_fallback)
+ SET_SCRATCH0(r13);
+ GET_PACA(r13);
++ std r1,PACA_EXRFI+EX_R12(r13)
++ ld r1,PACAKSAVE(r13)
+ std r9,PACA_EXRFI+EX_R9(r13)
+ std r10,PACA_EXRFI+EX_R10(r13)
+ std r11,PACA_EXRFI+EX_R11(r13)
+@@ -1600,6 +1605,7 @@ TRAMP_REAL_BEGIN(hrfi_flush_fallback)
+ ld r9,PACA_EXRFI+EX_R9(r13)
+ ld r10,PACA_EXRFI+EX_R10(r13)
+ ld r11,PACA_EXRFI+EX_R11(r13)
++ ld r1,PACA_EXRFI+EX_R12(r13)
+ GET_SCRATCH0(r13);
+ hrfid
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 8 Aug 2018 14:57:24 +0300
+Subject: powerpc: Fix size calculation using resource_size()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit c42d3be0c06f0c1c416054022aa535c08a1f9b39 ]
+
+The problem is the the calculation should be "end - start + 1" but the
+plus one is missing in this calculation.
+
+Fixes: 8626816e905e ("powerpc: add support for MPIC message register API")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/sysdev/mpic_msgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/sysdev/mpic_msgr.c
++++ b/arch/powerpc/sysdev/mpic_msgr.c
+@@ -196,7 +196,7 @@ static int mpic_msgr_probe(struct platfo
+
+ /* IO map the message register block. */
+ of_address_to_resource(np, 0, &rsrc);
+- msgr_block_addr = ioremap(rsrc.start, rsrc.end - rsrc.start);
++ msgr_block_addr = ioremap(rsrc.start, resource_size(&rsrc));
+ if (!msgr_block_addr) {
+ dev_err(&dev->dev, "Failed to iomap MPIC message registers");
+ return -EFAULT;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sun, 15 Jul 2018 10:34:46 -0700
+Subject: powerpc/platforms/85xx: fix t1042rdb_diu.c build errors & warning
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit f5daf77a55ef0e695cc90c440ed6503073ac5e07 ]
+
+Fix build errors and warnings in t1042rdb_diu.c by adding header files
+and MODULE_LICENSE().
+
+../arch/powerpc/platforms/85xx/t1042rdb_diu.c:152:1: warning: data definition has no type or storage class
+ early_initcall(t1042rdb_diu_init);
+../arch/powerpc/platforms/85xx/t1042rdb_diu.c:152:1: error: type defaults to 'int' in declaration of 'early_initcall' [-Werror=implicit-int]
+../arch/powerpc/platforms/85xx/t1042rdb_diu.c:152:1: warning: parameter names (without types) in function declaration
+
+and
+WARNING: modpost: missing MODULE_LICENSE() in arch/powerpc/platforms/85xx/t1042rdb_diu.o
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Scott Wood <oss@buserror.net>
+Cc: Kumar Gala <galak@kernel.crashing.org>
+Cc: linuxppc-dev@lists.ozlabs.org
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/85xx/t1042rdb_diu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/powerpc/platforms/85xx/t1042rdb_diu.c
++++ b/arch/powerpc/platforms/85xx/t1042rdb_diu.c
+@@ -9,8 +9,10 @@
+ * option) any later version.
+ */
+
++#include <linux/init.h>
+ #include <linux/io.h>
+ #include <linux/kernel.h>
++#include <linux/module.h>
+ #include <linux/of.h>
+ #include <linux/of_address.h>
+
+@@ -150,3 +152,5 @@ static int __init t1042rdb_diu_init(void
+ }
+
+ early_initcall(t1042rdb_diu_init);
++
++MODULE_LICENSE("GPL");
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Date: Wed, 4 Jul 2018 23:27:02 +0530
+Subject: powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX.
+
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+
+[ Upstream commit 74e96bf44f430cf7a01de19ba6cf49b361cdfd6e ]
+
+The global mce data buffer that used to copy rtas error log is of 2048
+(RTAS_ERROR_LOG_MAX) bytes in size. Before the copy we read
+extended_log_length from rtas error log header, then use max of
+extended_log_length and RTAS_ERROR_LOG_MAX as a size of data to be copied.
+Ideally the platform (phyp) will never send extended error log with
+size > 2048. But if that happens, then we have a risk of buffer overrun
+and corruption. Fix this by using min_t instead.
+
+Fixes: d368514c3097 ("powerpc: Fix corruption when grabbing FWNMI data")
+Reported-by: Michal Suchanek <msuchanek@suse.com>
+Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/pseries/ras.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/ras.c
++++ b/arch/powerpc/platforms/pseries/ras.c
+@@ -371,7 +371,7 @@ static struct rtas_error_log *fwnmi_get_
+ int len, error_log_length;
+
+ error_log_length = 8 + rtas_error_extended_log_length(h);
+- len = max_t(int, error_log_length, RTAS_ERROR_LOG_MAX);
++ len = min_t(int, error_log_length, RTAS_ERROR_LOG_MAX);
+ memset(global_mce_data_buf, 0, RTAS_ERROR_LOG_MAX);
+ memcpy(global_mce_data_buf, h, len);
+ errhdr = (struct rtas_error_log *)global_mce_data_buf;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Date: Fri, 17 Aug 2018 20:24:39 +0530
+Subject: powerpc/topology: Get topology for shared processors at boot
+
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+
+[ Upstream commit 2ea62630681027c455117aa471ea3ab8bb099ead ]
+
+On a shared LPAR, Phyp will not update the CPU associativity at boot
+time. Just after the boot system does recognize itself as a shared
+LPAR and trigger a request for correct CPU associativity. But by then
+the scheduler would have already created/destroyed its sched domains.
+
+This causes
+ - Broken load balance across Nodes causing islands of cores.
+ - Performance degradation esp if the system is lightly loaded
+ - dmesg to wrongly report all CPUs to be in Node 0.
+ - Messages in dmesg saying borken topology.
+ - With commit 051f3ca02e46 ("sched/topology: Introduce NUMA identity
+ node sched domain"), can cause rcu stalls at boot up.
+
+The sched_domains_numa_masks table which is used to generate cpumasks
+is only created at boot time just before creating sched domains and
+never updated. Hence, its better to get the topology correct before
+the sched domains are created.
+
+For example on 64 core Power 8 shared LPAR, dmesg reports
+
+ Brought up 512 CPUs
+ Node 0 CPUs: 0-511
+ Node 1 CPUs:
+ Node 2 CPUs:
+ Node 3 CPUs:
+ Node 4 CPUs:
+ Node 5 CPUs:
+ Node 6 CPUs:
+ Node 7 CPUs:
+ Node 8 CPUs:
+ Node 9 CPUs:
+ Node 10 CPUs:
+ Node 11 CPUs:
+ ...
+ BUG: arch topology borken
+ the DIE domain not a subset of the NUMA domain
+ BUG: arch topology borken
+ the DIE domain not a subset of the NUMA domain
+
+numactl/lscpu output will still be correct with cores spreading across
+all nodes:
+
+ Socket(s): 64
+ NUMA node(s): 12
+ Model: 2.0 (pvr 004d 0200)
+ Model name: POWER8 (architected), altivec supported
+ Hypervisor vendor: pHyp
+ Virtualization type: para
+ L1d cache: 64K
+ L1i cache: 32K
+ NUMA node0 CPU(s): 0-7,32-39,64-71,96-103,176-183,272-279,368-375,464-471
+ NUMA node1 CPU(s): 8-15,40-47,72-79,104-111,184-191,280-287,376-383,472-479
+ NUMA node2 CPU(s): 16-23,48-55,80-87,112-119,192-199,288-295,384-391,480-487
+ NUMA node3 CPU(s): 24-31,56-63,88-95,120-127,200-207,296-303,392-399,488-495
+ NUMA node4 CPU(s): 208-215,304-311,400-407,496-503
+ NUMA node5 CPU(s): 168-175,264-271,360-367,456-463
+ NUMA node6 CPU(s): 128-135,224-231,320-327,416-423
+ NUMA node7 CPU(s): 136-143,232-239,328-335,424-431
+ NUMA node8 CPU(s): 216-223,312-319,408-415,504-511
+ NUMA node9 CPU(s): 144-151,240-247,336-343,432-439
+ NUMA node10 CPU(s): 152-159,248-255,344-351,440-447
+ NUMA node11 CPU(s): 160-167,256-263,352-359,448-455
+
+Currently on this LPAR, the scheduler detects 2 levels of Numa and
+created numa sched domains for all CPUs, but it finds a single DIE
+domain consisting of all CPUs. Hence it deletes all numa sched
+domains.
+
+To address this, detect the shared processor and update topology soon
+after CPUs are setup so that correct topology is updated just before
+scheduler creates sched domain.
+
+With the fix, dmesg reports:
+
+ numa: Node 0 CPUs: 0-7 32-39 64-71 96-103 176-183 272-279 368-375 464-471
+ numa: Node 1 CPUs: 8-15 40-47 72-79 104-111 184-191 280-287 376-383 472-479
+ numa: Node 2 CPUs: 16-23 48-55 80-87 112-119 192-199 288-295 384-391 480-487
+ numa: Node 3 CPUs: 24-31 56-63 88-95 120-127 200-207 296-303 392-399 488-495
+ numa: Node 4 CPUs: 208-215 304-311 400-407 496-503
+ numa: Node 5 CPUs: 168-175 264-271 360-367 456-463
+ numa: Node 6 CPUs: 128-135 224-231 320-327 416-423
+ numa: Node 7 CPUs: 136-143 232-239 328-335 424-431
+ numa: Node 8 CPUs: 216-223 312-319 408-415 504-511
+ numa: Node 9 CPUs: 144-151 240-247 336-343 432-439
+ numa: Node 10 CPUs: 152-159 248-255 344-351 440-447
+ numa: Node 11 CPUs: 160-167 256-263 352-359 448-455
+
+and lscpu also reports:
+
+ Socket(s): 64
+ NUMA node(s): 12
+ Model: 2.0 (pvr 004d 0200)
+ Model name: POWER8 (architected), altivec supported
+ Hypervisor vendor: pHyp
+ Virtualization type: para
+ L1d cache: 64K
+ L1i cache: 32K
+ NUMA node0 CPU(s): 0-7,32-39,64-71,96-103,176-183,272-279,368-375,464-471
+ NUMA node1 CPU(s): 8-15,40-47,72-79,104-111,184-191,280-287,376-383,472-479
+ NUMA node2 CPU(s): 16-23,48-55,80-87,112-119,192-199,288-295,384-391,480-487
+ NUMA node3 CPU(s): 24-31,56-63,88-95,120-127,200-207,296-303,392-399,488-495
+ NUMA node4 CPU(s): 208-215,304-311,400-407,496-503
+ NUMA node5 CPU(s): 168-175,264-271,360-367,456-463
+ NUMA node6 CPU(s): 128-135,224-231,320-327,416-423
+ NUMA node7 CPU(s): 136-143,232-239,328-335,424-431
+ NUMA node8 CPU(s): 216-223,312-319,408-415,504-511
+ NUMA node9 CPU(s): 144-151,240-247,336-343,432-439
+ NUMA node10 CPU(s): 152-159,248-255,344-351,440-447
+ NUMA node11 CPU(s): 160-167,256-263,352-359,448-455
+
+Reported-by: Manjunatha H R <manjuhr1@in.ibm.com>
+Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+[mpe: Trim / format change log]
+Tested-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/topology.h | 5 +++++
+ arch/powerpc/kernel/smp.c | 5 +++++
+ arch/powerpc/mm/numa.c | 20 ++++++++++----------
+ 3 files changed, 20 insertions(+), 10 deletions(-)
+
+--- a/arch/powerpc/include/asm/topology.h
++++ b/arch/powerpc/include/asm/topology.h
+@@ -92,6 +92,7 @@ extern int stop_topology_update(void);
+ extern int prrn_is_enabled(void);
+ extern int find_and_online_cpu_nid(int cpu);
+ extern int timed_topology_update(int nsecs);
++extern void __init shared_proc_topology_init(void);
+ #else
+ static inline int start_topology_update(void)
+ {
+@@ -113,6 +114,10 @@ static inline int timed_topology_update(
+ {
+ return 0;
+ }
++
++#ifdef CONFIG_SMP
++static inline void shared_proc_topology_init(void) {}
++#endif
+ #endif /* CONFIG_NUMA && CONFIG_PPC_SPLPAR */
+
+ #include <asm-generic/topology.h>
+--- a/arch/powerpc/kernel/smp.c
++++ b/arch/powerpc/kernel/smp.c
+@@ -1156,6 +1156,11 @@ void __init smp_cpus_done(unsigned int m
+ if (smp_ops && smp_ops->bringup_done)
+ smp_ops->bringup_done();
+
++ /*
++ * On a shared LPAR, associativity needs to be requested.
++ * Hence, get numa topology before dumping cpu topology
++ */
++ shared_proc_topology_init();
+ dump_numa_cpu_topology();
+
+ /*
+--- a/arch/powerpc/mm/numa.c
++++ b/arch/powerpc/mm/numa.c
+@@ -1078,7 +1078,6 @@ static int prrn_enabled;
+ static void reset_topology_timer(void);
+ static int topology_timer_secs = 1;
+ static int topology_inited;
+-static int topology_update_needed;
+
+ /*
+ * Change polling interval for associativity changes.
+@@ -1306,11 +1305,8 @@ int numa_update_cpu_topology(bool cpus_l
+ struct device *dev;
+ int weight, new_nid, i = 0;
+
+- if (!prrn_enabled && !vphn_enabled) {
+- if (!topology_inited)
+- topology_update_needed = 1;
++ if (!prrn_enabled && !vphn_enabled && topology_inited)
+ return 0;
+- }
+
+ weight = cpumask_weight(&cpu_associativity_changes_mask);
+ if (!weight)
+@@ -1423,7 +1419,6 @@ int numa_update_cpu_topology(bool cpus_l
+
+ out:
+ kfree(updates);
+- topology_update_needed = 0;
+ return changed;
+ }
+
+@@ -1551,6 +1546,15 @@ int prrn_is_enabled(void)
+ return prrn_enabled;
+ }
+
++void __init shared_proc_topology_init(void)
++{
++ if (lppaca_shared_proc(get_lppaca())) {
++ bitmap_fill(cpumask_bits(&cpu_associativity_changes_mask),
++ nr_cpumask_bits);
++ numa_update_cpu_topology(false);
++ }
++}
++
+ static int topology_read(struct seq_file *file, void *v)
+ {
+ if (vphn_enabled || prrn_enabled)
+@@ -1608,10 +1612,6 @@ static int topology_update_init(void)
+ return -ENOMEM;
+
+ topology_inited = 1;
+- if (topology_update_needed)
+- bitmap_fill(cpumask_bits(&cpu_associativity_changes_mask),
+- nr_cpumask_bits);
+-
+ return 0;
+ }
+ device_initcall(topology_update_init);
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 10 Jul 2018 16:20:56 +1000
+Subject: powerpc/uaccess: Enable get_user(u64, *p) on 32-bit
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit f7a6947cd49b7ff4e03f1b4f7e7b223003d752ca ]
+
+Currently if you build a 32-bit powerpc kernel and use get_user() to
+load a u64 value it will fail to build with eg:
+
+ kernel/rseq.o: In function `rseq_get_rseq_cs':
+ kernel/rseq.c:123: undefined reference to `__get_user_bad'
+
+This is hitting the check in __get_user_size() that makes sure the
+size we're copying doesn't exceed the size of the destination:
+
+ #define __get_user_size(x, ptr, size, retval)
+ do {
+ retval = 0;
+ __chk_user_ptr(ptr);
+ if (size > sizeof(x))
+ (x) = __get_user_bad();
+
+Which doesn't immediately make sense because the size of the
+destination is u64, but it's not really, because __get_user_check()
+etc. internally create an unsigned long and copy into that:
+
+ #define __get_user_check(x, ptr, size)
+ ({
+ long __gu_err = -EFAULT;
+ unsigned long __gu_val = 0;
+
+The problem being that on 32-bit unsigned long is not big enough to
+hold a u64. We can fix this with a trick from hpa in the x86 code, we
+statically check the type of x and set the type of __gu_val to either
+unsigned long or unsigned long long.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/uaccess.h | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/include/asm/uaccess.h
++++ b/arch/powerpc/include/asm/uaccess.h
+@@ -250,10 +250,17 @@ do { \
+ } \
+ } while (0)
+
++/*
++ * This is a type: either unsigned long, if the argument fits into
++ * that type, or otherwise unsigned long long.
++ */
++#define __long_type(x) \
++ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
++
+ #define __get_user_nocheck(x, ptr, size) \
+ ({ \
+ long __gu_err; \
+- unsigned long __gu_val; \
++ __long_type(*(ptr)) __gu_val; \
+ const __typeof__(*(ptr)) __user *__gu_addr = (ptr); \
+ __chk_user_ptr(ptr); \
+ if (!is_kernel_addr((unsigned long)__gu_addr)) \
+@@ -267,7 +274,7 @@ do { \
+ #define __get_user_check(x, ptr, size) \
+ ({ \
+ long __gu_err = -EFAULT; \
+- unsigned long __gu_val = 0; \
++ __long_type(*(ptr)) __gu_val = 0; \
+ const __typeof__(*(ptr)) __user *__gu_addr = (ptr); \
+ might_fault(); \
+ if (access_ok(VERIFY_READ, __gu_addr, (size))) { \
+@@ -281,7 +288,7 @@ do { \
+ #define __get_user_nosleep(x, ptr, size) \
+ ({ \
+ long __gu_err; \
+- unsigned long __gu_val; \
++ __long_type(*(ptr)) __gu_val; \
+ const __typeof__(*(ptr)) __user *__gu_addr = (ptr); \
+ __chk_user_ptr(ptr); \
+ barrier_nospec(); \
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Wed, 1 Aug 2018 12:57:20 +0200
+Subject: pwm: meson: Fix mux clock names
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit b96e9eb62841c519ba1db32d036628be3cdef91f ]
+
+Current clock name looks like this:
+/soc/bus@ffd00000/pwm@1b000#mux0
+
+This is bad because CCF uses the clock to create a directory in clk debugfs.
+With such name, the directory creation (silently) fails and the debugfs
+entry end up being created at the debugfs root.
+
+With this change, the clock name will now be:
+ffd1b000.pwm#mux0
+
+This matches the clock naming scheme used in the ethernet and mmc driver.
+It also fixes the problem with debugfs.
+
+Fixes: 36af66a79056 ("pwm: Convert to using %pOF instead of full_name")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pwm/pwm-meson.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/pwm/pwm-meson.c
++++ b/drivers/pwm/pwm-meson.c
+@@ -458,7 +458,6 @@ static int meson_pwm_init_channels(struc
+ struct meson_pwm_channel *channels)
+ {
+ struct device *dev = meson->chip.dev;
+- struct device_node *np = dev->of_node;
+ struct clk_init_data init;
+ unsigned int i;
+ char name[255];
+@@ -467,7 +466,7 @@ static int meson_pwm_init_channels(struc
+ for (i = 0; i < meson->chip.npwm; i++) {
+ struct meson_pwm_channel *channel = &channels[i];
+
+- snprintf(name, sizeof(name), "%pOF#mux%u", np, i);
++ snprintf(name, sizeof(name), "%s#mux%u", dev_name(dev), i);
+
+ init.name = name;
+ init.ops = &clk_mux_ops;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Gal Pressman <pressmangal@gmail.com>
+Date: Thu, 9 Aug 2018 22:00:47 +0300
+Subject: RDMA/hns: Fix usage of bitmap allocation functions return values
+
+From: Gal Pressman <pressmangal@gmail.com>
+
+[ Upstream commit a1ceeca679dccc492235f0f629d9e9f7b3d51ca8 ]
+
+hns bitmap allocation functions return 0 on success and -1 on failure.
+Callers of these functions wrongly used their return value as an errno,
+fix that by making a proper conversion.
+
+Fixes: a598c6f4c5a8 ("IB/hns: Simplify function of pd alloc and qp alloc")
+Signed-off-by: Gal Pressman <pressmangal@gmail.com>
+Acked-by: Lijun Ou <oulijun@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_pd.c | 2 +-
+ drivers/infiniband/hw/hns/hns_roce_qp.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/hns/hns_roce_pd.c
++++ b/drivers/infiniband/hw/hns/hns_roce_pd.c
+@@ -37,7 +37,7 @@
+
+ static int hns_roce_pd_alloc(struct hns_roce_dev *hr_dev, unsigned long *pdn)
+ {
+- return hns_roce_bitmap_alloc(&hr_dev->pd_bitmap, pdn);
++ return hns_roce_bitmap_alloc(&hr_dev->pd_bitmap, pdn) ? -ENOMEM : 0;
+ }
+
+ static void hns_roce_pd_free(struct hns_roce_dev *hr_dev, unsigned long pdn)
+--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
+@@ -115,7 +115,10 @@ static int hns_roce_reserve_range_qp(str
+ {
+ struct hns_roce_qp_table *qp_table = &hr_dev->qp_table;
+
+- return hns_roce_bitmap_alloc_range(&qp_table->bitmap, cnt, align, base);
++ return hns_roce_bitmap_alloc_range(&qp_table->bitmap, cnt, align,
++ base) ?
++ -ENOMEM :
++ 0;
+ }
+
+ enum hns_roce_qp_state to_hns_roce_state(enum ib_qp_state state)
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 7 Aug 2018 19:34:16 +0800
+Subject: RDS: IB: fix 'passing zero to ERR_PTR()' warning
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 5941923da29e84bc9e2a1abb2c14fffaf8d71e2f ]
+
+Fix a static code checker warning:
+ net/rds/ib_frmr.c:82 rds_ib_alloc_frmr() warn: passing zero to 'ERR_PTR'
+
+The error path for ib_alloc_mr failure should set err to PTR_ERR.
+
+Fixes: 1659185fb4d0 ("RDS: IB: Support Fastreg MR (FRMR) memory registration mode")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/ib_frmr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rds/ib_frmr.c
++++ b/net/rds/ib_frmr.c
+@@ -61,6 +61,7 @@ static struct rds_ib_mr *rds_ib_alloc_fr
+ pool->fmr_attr.max_pages);
+ if (IS_ERR(frmr->mr)) {
+ pr_warn("RDS/IB: %s failed to allocate MR", __func__);
++ err = PTR_ERR(frmr->mr);
+ goto out_no_cigar;
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 21 Aug 2018 21:59:34 -0700
+Subject: reiserfs: change j_timestamp type to time64_t
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 8b73ce6a4bae4fe12bcb2c361c0da4183c2e1b6f ]
+
+This uses the deprecated time_t type but is write-only, and could be
+removed, but as Jeff explains, having a timestamp can be usefule for
+post-mortem analysis in crash dumps.
+
+In order to remove one of the last instances of time_t, this changes the
+type to time64_t, same as j_trans_start_time.
+
+Link: http://lkml.kernel.org/r/20180622133315.221210-1-arnd@arndb.de
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/reiserfs/reiserfs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/reiserfs/reiserfs.h
++++ b/fs/reiserfs/reiserfs.h
+@@ -271,7 +271,7 @@ struct reiserfs_journal_list {
+
+ struct mutex j_commit_mutex;
+ unsigned int j_trans_id;
+- time_t j_timestamp;
++ time64_t j_timestamp; /* write-only but useful for crash dump analysis */
+ struct reiserfs_list_bitmap *j_list_bitmap;
+ struct buffer_head *j_commit_bh; /* commit buffer head */
+ struct reiserfs_journal_cnode *j_realblock;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Palmer Dabbelt <palmer@sifive.com>
+Date: Wed, 4 Jul 2018 14:07:14 -0700
+Subject: RISC-V: Use KBUILD_CFLAGS instead of KCFLAGS when building the vDSO
+
+From: Palmer Dabbelt <palmer@sifive.com>
+
+[ Upstream commit 4938c79bd0f5f3650c8c2cd4cdc972f0a6962ce4 ]
+
+If you use a 64-bit compiler to build a 32-bit kernel then you'll get an
+error when building the vDSO due to a library mismatch. The happens
+because the relevant "-march" argument isn't supplied to the GCC run
+that generates one of the vDSO intermediate files.
+
+I'm not actually sure what the right thing to do here is as I'm not
+particularly familiar with the kernel build system. I poked the
+documentation and it appears that KCFLAGS is the correct thing to do
+(it's suggested that should be used when building modules), but we set
+KBUILD_CFLAGS in arch/riscv/Makefile.
+
+This does at least fix the build error.
+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/vdso/Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/riscv/kernel/vdso/Makefile
++++ b/arch/riscv/kernel/vdso/Makefile
+@@ -52,8 +52,8 @@ $(obj)/%.so: $(obj)/%.so.dbg FORCE
+ # Add -lgcc so rv32 gets static muldi3 and lshrdi3 definitions.
+ # Make sure only to export the intended __vdso_xxx symbol offsets.
+ quiet_cmd_vdsold = VDSOLD $@
+- cmd_vdsold = $(CC) $(KCFLAGS) $(call cc-option, -no-pie) -nostdlib $(SYSCFLAGS_$(@F)) \
+- -Wl,-T,$(filter-out FORCE,$^) -o $@.tmp -lgcc && \
++ cmd_vdsold = $(CC) $(KBUILD_CFLAGS) $(call cc-option, -no-pie) -nostdlib -nostartfiles $(SYSCFLAGS_$(@F)) \
++ -Wl,-T,$(filter-out FORCE,$^) -o $@.tmp && \
+ $(CROSS_COMPILE)objcopy \
+ $(patsubst %, -G __vdso_%, $(vdso-syms)) $@.tmp $@
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Stefan Haberland <sth@linux.ibm.com>
+Date: Wed, 25 Jul 2018 14:00:47 +0200
+Subject: s390/dasd: fix hanging offline processing due to canceled worker
+
+From: Stefan Haberland <sth@linux.ibm.com>
+
+[ Upstream commit 669f3765b755fd8739ab46ce3a9c6292ce8b3d2a ]
+
+During offline processing two worker threads are canceled without
+freeing the device reference which leads to a hanging offline process.
+
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/dasd_eckd.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -2035,8 +2035,11 @@ static int dasd_eckd_basic_to_ready(stru
+
+ static int dasd_eckd_online_to_ready(struct dasd_device *device)
+ {
+- cancel_work_sync(&device->reload_device);
+- cancel_work_sync(&device->kick_validate);
++ if (cancel_work_sync(&device->reload_device))
++ dasd_put_device(device);
++ if (cancel_work_sync(&device->kick_validate))
++ dasd_put_device(device);
++
+ return 0;
+ };
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Stefan Haberland <sth@linux.ibm.com>
+Date: Wed, 25 Jul 2018 13:27:10 +0200
+Subject: s390/dasd: fix panic for failed online processing
+
+From: Stefan Haberland <sth@linux.ibm.com>
+
+[ Upstream commit 7c6553d4db03350dad0110c3224194c19df76a8f ]
+
+Fix a panic that occurs for a device that got an error in
+dasd_eckd_check_characteristics() during online processing.
+For example the read configuration data command may have failed.
+
+If this error occurs the device is not being set online and the earlier
+invoked steps during online processing are rolled back. Therefore
+dasd_eckd_uncheck_device() is called which needs a valid private
+structure. But this pointer is not valid if
+dasd_eckd_check_characteristics() has failed.
+
+Check for a valid device->private pointer to prevent a panic.
+
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/dasd_eckd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -1780,6 +1780,9 @@ static void dasd_eckd_uncheck_device(str
+ struct dasd_eckd_private *private = device->private;
+ int i;
+
++ if (!private)
++ return;
++
+ dasd_alias_disconnect_device_from_lcu(device);
+ private->ned = NULL;
+ private->sneq = NULL;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Philipp Rudo <prudo@linux.ibm.com>
+Date: Mon, 13 Aug 2018 11:16:57 +0200
+Subject: s390/kdump: Fix memleak in nt_vmcoreinfo
+
+From: Philipp Rudo <prudo@linux.ibm.com>
+
+[ Upstream commit 2d2e7075b87181ed0c675e4936e20bdadba02e1f ]
+
+The vmcoreinfo of a crashed system is potentially fragmented. Thus the
+crash kernel has an intermediate step where the vmcoreinfo is copied into a
+temporary, continuous buffer in the crash kernel memory. This temporary
+buffer is never freed. Free it now to prevent the memleak.
+
+While at it replace all occurrences of "VMCOREINFO" by its corresponding
+macro to prevent potential renaming issues.
+
+Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
+Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/crash_dump.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/arch/s390/kernel/crash_dump.c
++++ b/arch/s390/kernel/crash_dump.c
+@@ -404,11 +404,13 @@ static void *get_vmcoreinfo_old(unsigned
+ if (copy_oldmem_kernel(nt_name, addr + sizeof(note),
+ sizeof(nt_name) - 1))
+ return NULL;
+- if (strcmp(nt_name, "VMCOREINFO") != 0)
++ if (strcmp(nt_name, VMCOREINFO_NOTE_NAME) != 0)
+ return NULL;
+ vmcoreinfo = kzalloc_panic(note.n_descsz);
+- if (copy_oldmem_kernel(vmcoreinfo, addr + 24, note.n_descsz))
++ if (copy_oldmem_kernel(vmcoreinfo, addr + 24, note.n_descsz)) {
++ kfree(vmcoreinfo);
+ return NULL;
++ }
+ *size = note.n_descsz;
+ return vmcoreinfo;
+ }
+@@ -418,15 +420,20 @@ static void *get_vmcoreinfo_old(unsigned
+ */
+ static void *nt_vmcoreinfo(void *ptr)
+ {
++ const char *name = VMCOREINFO_NOTE_NAME;
+ unsigned long size;
+ void *vmcoreinfo;
+
+ vmcoreinfo = os_info_old_entry(OS_INFO_VMCOREINFO, &size);
+- if (!vmcoreinfo)
+- vmcoreinfo = get_vmcoreinfo_old(&size);
++ if (vmcoreinfo)
++ return nt_init_name(ptr, 0, vmcoreinfo, size, name);
++
++ vmcoreinfo = get_vmcoreinfo_old(&size);
+ if (!vmcoreinfo)
+ return ptr;
+- return nt_init_name(ptr, 0, vmcoreinfo, size, "VMCOREINFO");
++ ptr = nt_init_name(ptr, 0, vmcoreinfo, size, name);
++ kfree(vmcoreinfo);
++ return ptr;
+ }
+
+ /*
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+Date: Wed, 15 Aug 2018 16:57:14 +0200
+Subject: samples/bpf: all XDP samples should unload xdp/bpf prog on SIGTERM
+
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+
+[ Upstream commit 817b89beb9d8876450fcde9155e17425c329569d ]
+
+It is common XDP practice to unload/deattach the XDP bpf program,
+when the XDP sample program is Ctrl-C interrupted (SIGINT) or
+killed (SIGTERM).
+
+The samples/bpf programs xdp_redirect_cpu and xdp_rxq_info,
+forgot to trap signal SIGTERM (which is the default signal used
+by the kill command).
+
+This was discovered by Red Hat QA, which automated scripts depend
+on killing the XDP sample program after a timeout period.
+
+Fixes: fad3917e361b ("samples/bpf: add cpumap sample program xdp_redirect_cpu")
+Fixes: 0fca931a6f21 ("samples/bpf: program demonstrating access to xdp_rxq_info")
+Reported-by: Jean-Tsung Hsiao <jhsiao@redhat.com>
+Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ samples/bpf/xdp_redirect_cpu_user.c | 3 ++-
+ samples/bpf/xdp_rxq_info_user.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/samples/bpf/xdp_redirect_cpu_user.c
++++ b/samples/bpf/xdp_redirect_cpu_user.c
+@@ -679,8 +679,9 @@ int main(int argc, char **argv)
+ return EXIT_FAIL_OPTION;
+ }
+
+- /* Remove XDP program when program is interrupted */
++ /* Remove XDP program when program is interrupted or killed */
+ signal(SIGINT, int_exit);
++ signal(SIGTERM, int_exit);
+
+ if (bpf_set_link_xdp_fd(ifindex, prog_fd[prog_num], xdp_flags) < 0) {
+ fprintf(stderr, "link set xdp fd failed\n");
+--- a/samples/bpf/xdp_rxq_info_user.c
++++ b/samples/bpf/xdp_rxq_info_user.c
+@@ -534,8 +534,9 @@ int main(int argc, char **argv)
+ exit(EXIT_FAIL_BPF);
+ }
+
+- /* Remove XDP program when program is interrupted */
++ /* Remove XDP program when program is interrupted or killed */
+ signal(SIGINT, int_exit);
++ signal(SIGTERM, int_exit);
+
+ if (bpf_set_link_xdp_fd(ifindex, prog_fd, xdp_flags) < 0) {
+ fprintf(stderr, "link set xdp fd failed\n");
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Wed, 15 Aug 2018 12:30:38 -0700
+Subject: scripts: modpost: check memory allocation results
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 1f3aa9002dc6a0d59a4b599b4fc8f01cf43ef014 ]
+
+Fix missing error check for memory allocation functions in
+scripts/mod/modpost.c.
+
+Fixes kernel bugzilla #200319:
+https://bugzilla.kernel.org/show_bug.cgi?id=200319
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Yuexing Wang <wangyxlandq@gmail.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/mod/modpost.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -672,7 +672,7 @@ static void handle_modversions(struct mo
+ if (ELF_ST_TYPE(sym->st_info) == STT_SPARC_REGISTER)
+ break;
+ if (symname[0] == '.') {
+- char *munged = strdup(symname);
++ char *munged = NOFAIL(strdup(symname));
+ munged[0] = '_';
+ munged[1] = toupper(munged[1]);
+ symname = munged;
+@@ -1318,7 +1318,7 @@ static Elf_Sym *find_elf_symbol2(struct
+ static char *sec2annotation(const char *s)
+ {
+ if (match(s, init_exit_sections)) {
+- char *p = malloc(20);
++ char *p = NOFAIL(malloc(20));
+ char *r = p;
+
+ *p++ = '_';
+@@ -1338,7 +1338,7 @@ static char *sec2annotation(const char *
+ strcat(p, " ");
+ return r;
+ } else {
+- return strdup("");
++ return NOFAIL(strdup(""));
+ }
+ }
+
+@@ -2036,7 +2036,7 @@ void buf_write(struct buffer *buf, const
+ {
+ if (buf->size - buf->pos < len) {
+ buf->size += len + SZ;
+- buf->p = realloc(buf->p, buf->size);
++ buf->p = NOFAIL(realloc(buf->p, buf->size));
+ }
+ strncpy(buf->p + buf->pos, s, len);
+ buf->pos += len;
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 8 Aug 2018 17:29:09 +0300
+Subject: scsi: aic94xx: fix an error code in aic94xx_init()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 0756c57bce3d26da2592d834d8910b6887021701 ]
+
+We accidentally return success instead of -ENOMEM on this error path.
+
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/aic94xx/aic94xx_init.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/aic94xx/aic94xx_init.c
++++ b/drivers/scsi/aic94xx/aic94xx_init.c
+@@ -1030,8 +1030,10 @@ static int __init aic94xx_init(void)
+
+ aic94xx_transport_template =
+ sas_domain_attach_transport(&aic94xx_transport_functions);
+- if (!aic94xx_transport_template)
++ if (!aic94xx_transport_template) {
++ err = -ENOMEM;
+ goto out_destroy_caches;
++ }
+
+ err = pci_register_driver(&aic94xx_pci_driver);
+ if (err)
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Breno Leitao <leitao@debian.org>
+Date: Tue, 7 Aug 2018 11:15:39 -0300
+Subject: selftests/powerpc: Kill child processes on SIGINT
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 7c27a26e1ed5a7dd709aa19685d2c98f64e1cf0c ]
+
+There are some powerpc selftests, as tm/tm-unavailable, that run for a long
+period (>120 seconds), and if it is interrupted, as pressing CRTL-C
+(SIGINT), the foreground process (harness) dies but the child process and
+threads continue to execute (with PPID = 1 now) in background.
+
+In this case, you'd think the whole test exited, but there are remaining
+threads and processes being executed in background. Sometimes these
+zombies processes are doing annoying things, as consuming the whole CPU or
+dumping things to STDOUT.
+
+This patch fixes this problem by attaching an empty signal handler to
+SIGINT in the harness process. This handler will interrupt (EINTR) the
+parent process waitpid() call, letting the code to follow through the
+normal flow, which will kill all the processes in the child process group.
+
+This patch also fixes a typo.
+
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/powerpc/harness.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/tools/testing/selftests/powerpc/harness.c
++++ b/tools/testing/selftests/powerpc/harness.c
+@@ -85,13 +85,13 @@ wait:
+ return status;
+ }
+
+-static void alarm_handler(int signum)
++static void sig_handler(int signum)
+ {
+- /* Jut wake us up from waitpid */
++ /* Just wake us up from waitpid */
+ }
+
+-static struct sigaction alarm_action = {
+- .sa_handler = alarm_handler,
++static struct sigaction sig_action = {
++ .sa_handler = sig_handler,
+ };
+
+ void test_harness_set_timeout(uint64_t time)
+@@ -106,8 +106,14 @@ int test_harness(int (test_function)(voi
+ test_start(name);
+ test_set_git_version(GIT_VERSION);
+
+- if (sigaction(SIGALRM, &alarm_action, NULL)) {
+- perror("sigaction");
++ if (sigaction(SIGINT, &sig_action, NULL)) {
++ perror("sigaction (sigint)");
++ test_error(name);
++ return 1;
++ }
++
++ if (sigaction(SIGALRM, &sig_action, NULL)) {
++ perror("sigaction (sigalrm)");
+ test_error(name);
+ return 1;
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: nixiaoming <nixiaoming@huawei.com>
+Date: Sun, 5 Aug 2018 17:10:36 +0800
+Subject: selinux: cleanup dentry and inodes on error in selinuxfs
+
+From: nixiaoming <nixiaoming@huawei.com>
+
+[ Upstream commit 7e4237faa7213c1cc1d0aa65a44c67ba4729ce9f ]
+
+If the resource requested by d_alloc_name is not added to the linked
+list through d_add, then dput needs to be called to release the
+subsequent abnormal branch to avoid resource leakage.
+
+Add missing dput to selinuxfs.c
+
+Signed-off-by: nixiaoming <nixiaoming@huawei.com>
+[PM: tweak the subject line]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/selinuxfs.c | 33 +++++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -1365,13 +1365,18 @@ static int sel_make_bools(struct selinux
+
+ ret = -ENOMEM;
+ inode = sel_make_inode(dir->d_sb, S_IFREG | S_IRUGO | S_IWUSR);
+- if (!inode)
++ if (!inode) {
++ dput(dentry);
+ goto out;
++ }
+
+ ret = -ENAMETOOLONG;
+ len = snprintf(page, PAGE_SIZE, "/%s/%s", BOOL_DIR_NAME, names[i]);
+- if (len >= PAGE_SIZE)
++ if (len >= PAGE_SIZE) {
++ dput(dentry);
++ iput(inode);
+ goto out;
++ }
+
+ isec = (struct inode_security_struct *)inode->i_security;
+ ret = security_genfs_sid(fsi->state, "selinuxfs", page,
+@@ -1586,8 +1591,10 @@ static int sel_make_avc_files(struct den
+ return -ENOMEM;
+
+ inode = sel_make_inode(dir->d_sb, S_IFREG|files[i].mode);
+- if (!inode)
++ if (!inode) {
++ dput(dentry);
+ return -ENOMEM;
++ }
+
+ inode->i_fop = files[i].ops;
+ inode->i_ino = ++fsi->last_ino;
+@@ -1632,8 +1639,10 @@ static int sel_make_initcon_files(struct
+ return -ENOMEM;
+
+ inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO);
+- if (!inode)
++ if (!inode) {
++ dput(dentry);
+ return -ENOMEM;
++ }
+
+ inode->i_fop = &sel_initcon_ops;
+ inode->i_ino = i|SEL_INITCON_INO_OFFSET;
+@@ -1733,8 +1742,10 @@ static int sel_make_perm_files(char *obj
+
+ rc = -ENOMEM;
+ inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO);
+- if (!inode)
++ if (!inode) {
++ dput(dentry);
+ goto out;
++ }
+
+ inode->i_fop = &sel_perm_ops;
+ /* i+1 since perm values are 1-indexed */
+@@ -1763,8 +1774,10 @@ static int sel_make_class_dir_entries(ch
+ return -ENOMEM;
+
+ inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO);
+- if (!inode)
++ if (!inode) {
++ dput(dentry);
+ return -ENOMEM;
++ }
+
+ inode->i_fop = &sel_class_ops;
+ inode->i_ino = sel_class_to_ino(index);
+@@ -1838,8 +1851,10 @@ static int sel_make_policycap(struct sel
+ return -ENOMEM;
+
+ inode = sel_make_inode(fsi->sb, S_IFREG | 0444);
+- if (inode == NULL)
++ if (inode == NULL) {
++ dput(dentry);
+ return -ENOMEM;
++ }
+
+ inode->i_fop = &sel_policycap_ops;
+ inode->i_ino = iter | SEL_POLICYCAP_INO_OFFSET;
+@@ -1932,8 +1947,10 @@ static int sel_fill_super(struct super_b
+
+ ret = -ENOMEM;
+ inode = sel_make_inode(sb, S_IFCHR | S_IRUGO | S_IWUGO);
+- if (!inode)
++ if (!inode) {
++ dput(dentry);
+ goto err;
++ }
+
+ inode->i_ino = ++fsi->last_ino;
+ isec = (struct inode_security_struct *)inode->i_security;
mlxsw-spectrum_switchdev-do-not-leak-rifs-when-removing-bridge.patch
vhost-correctly-check-the-iova-range-when-waking-virtqueue.patch
hv_netvsc-ignore-devices-that-are-not-pci.patch
+cifs-check-if-smb2-pdu-size-has-been-padded-and-suppress-the-warning.patch
+hfsplus-don-t-return-0-when-fill_super-failed.patch
+hfs-prevent-crash-on-exit-from-failed-search.patch
+sunrpc-don-t-use-stack-buffer-with-scatterlist.patch
+fork-don-t-copy-inconsistent-signal-handler-state-to-child.patch
+fs-proc-vmcore.c-hide-vmcoredd_mmap_dumps-for-nommu-builds.patch
+reiserfs-change-j_timestamp-type-to-time64_t.patch
+iommu-rockchip-handle-errors-returned-from-pm-framework.patch
+hfsplus-fix-null-dereference-in-hfsplus_lookup.patch
+iommu-rockchip-move-irq-request-past-pm_runtime_enable.patch
+fs-proc-kcore.c-use-__pa_symbol-for-kcore_text-list-entries.patch
+fat-validate-i_start-before-using.patch
+workqueue-skip-lockdep-wq-dependency-in-cancel_work_sync.patch
+workqueue-re-add-lockdep-dependencies-for-flushing.patch
+scripts-modpost-check-memory-allocation-results.patch
+apparmor-fix-an-error-code-in-__aa_create_ns.patch
+virtio-pci-legacy-validate-queue-pfn.patch
+x86-mce-add-notifier_block-forward-declaration.patch
+i2c-core-acpi-make-acpi_gsb_i2c_read_bytes-check-i2c_transfer-return-value.patch
+ib-hfi1-invalid-numa-node-information-can-cause-a-divide-by-zero.patch
+pwm-meson-fix-mux-clock-names.patch
+perf-python-fix-pyrf_evlist__read_on_cpu-interface.patch
+powerpc-topology-get-topology-for-shared-processors-at-boot.patch
+mm-fadvise.c-fix-signed-overflow-ubsan-complaint.patch
+mm-make-deferred_struct_page_init-explicitly-depend-on-sparsemem.patch
+fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_snapshot.patch
+platform-x86-intel_punit_ipc-fix-build-errors.patch
+bpf-sockmap-fix-map-elem-deletion-race-with-smap_stop_sock.patch
+tcp-ulp-fix-leftover-icsk_ulp_ops-preventing-sock-from-reattach.patch
+bpf-sockmap-fix-sock_map_ctx_update_elem-race-with-exist-noexist.patch
+net-xdp-fix-suspicious-rcu-usage-warning.patch
+bpf-sockmap-fix-leakage-of-smap_psock_map_entry.patch
+samples-bpf-all-xdp-samples-should-unload-xdp-bpf-prog-on-sigterm.patch
+netfilter-ip6t_rpfilter-set-f_iface-for-linklocal-addresses.patch
+s390-kdump-fix-memleak-in-nt_vmcoreinfo.patch
+ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_dest.patch
+mfd-sm501-set-coherent_dma_mask-when-creating-subdevices.patch
+netfilter-x_tables-do-not-fail-xt_alloc_table_info-too-easilly.patch
+tracing-handle-cc_flags_ftrace-more-accurately.patch
+platform-x86-asus-nb-wmi-add-keymap-entry-for-lid-flip-action-on-ux360.patch
+netfilter-fix-memory-leaks-on-netlink_dump_start-error.patch
+tcp-ulp-add-alias-for-all-ulp-modules.patch
+ubi-initialize-fastmap-checkmapping-correctly.patch
+rdma-hns-fix-usage-of-bitmap-allocation-functions-return-values.patch
+acpica-acpica-add-status-check-for-acpi_hw_read-before-assigning-return-value.patch
+perf-arm-spe-fix-uninitialized-record-error-variable.patch
+net-hns3-fix-for-command-format-parsing-error-in-hclge_is_all_function_id_zero.patch
+block-don-t-warn-for-flush-on-read-only-device.patch
+net-hns3-fix-for-phy-link-issue-when-using-marvell-phy-driver.patch
+pci-match-root-port-s-mps-to-endpoint-s-mpss-as-necessary.patch
+drm-amd-display-guard-against-null-crtc-in-crc-irq.patch
+coccicheck-return-proper-error-code-on-fail.patch
+perf-tools-check-for-null-when-copying-nsinfo.patch
+f2fs-avoid-race-between-zero_range-and-background-gc.patch
+f2fs-fix-avoid-race-between-truncate-and-background-gc.patch
+risc-v-use-kbuild_cflags-instead-of-kcflags-when-building-the-vdso.patch
+irqchip-stm32-fix-init-error-handling.patch
+irqchip-bcm7038-l1-hide-cpu-offline-callback-when-building-for-smp.patch
+net-9p-trans_fd.c-fix-race-by-holding-the-lock.patch
+net-9p-fix-error-path-of-p9_virtio_probe.patch
+f2fs-fix-to-clear-pg_checked-flag-in-set_page_dirty.patch
+pinctrl-axp209-fix-null-pointer-dereference-after-allocation.patch
+bpf-fix-bpffs-non-array-map-seq_show-issue.patch
+powerpc-uaccess-enable-get_user-u64-p-on-32-bit.patch
+powerpc-fix-size-calculation-using-resource_size.patch
+perf-probe-powerpc-fix-trace-event-post-processing.patch
+block-bvec_nr_vecs-returns-value-for-wrong-slab.patch
+brcmfmac-fix-brcmf_wiphy_wowl_params-null-pointer-dereference.patch
+s390-dasd-fix-hanging-offline-processing-due-to-canceled-worker.patch
+s390-dasd-fix-panic-for-failed-online-processing.patch
+acpi-scan-initialize-status-to-acpi_sta_default.patch
+blk-mq-count-the-hctx-as-active-before-allocating-tag.patch
+scsi-aic94xx-fix-an-error-code-in-aic94xx_init.patch
+nfsv4-fix-error-handling-in-nfs4_sp4_select_mode.patch
+input-do-not-use-warn-in-input_alloc_absinfo.patch
+xen-balloon-fix-balloon-initialization-for-pvh-dom0.patch
+pci-mvebu-fix-i-o-space-end-address-calculation.patch
+dm-kcopyd-avoid-softlockup-in-run_complete_job.patch
+staging-comedi-ni_mio_common-fix-subdevice-flags-for-pfi-subdevice.patch
+asoc-rt5677-fix-initialization-of-rt5677_of_match.data.patch
+iommu-omap-fix-cache-flushes-on-l2-table-entries.patch
+selftests-powerpc-kill-child-processes-on-sigint.patch
+selinux-cleanup-dentry-and-inodes-on-error-in-selinuxfs.patch
+rds-ib-fix-passing-zero-to-err_ptr-warning.patch
+cfq-suppress-compiler-warnings-about-comparisons.patch
+smb3-fix-reset-of-bytes-read-and-written-stats.patch
+cifs-fix-memory-leak-and-remove-dead-code.patch
+smb3-number-of-requests-sent-should-be-displayed-for-smb3-not-just-cifs.patch
+smb3-if-server-does-not-support-posix-do-not-allow-posix-mount-option.patch
+powerpc-platforms-85xx-fix-t1042rdb_diu.c-build-errors-warning.patch
+powerpc-64s-make-rfi_flush_fallback-a-little-more-robust.patch
+um-fix-parallel-building-with-o-option.patch
+powerpc-pseries-avoid-using-the-size-greater-than-rtas_error_log_max.patch
+clk-rockchip-add-pclk_rkpwm_pmu-to-pmu-critical-clocks-in-rk3399.patch
+drm-amd-display-read-back-max-backlight-value-at-boot.patch
+kvm-vmx-track-host_state.loaded-using-a-loaded_vmcs-pointer.patch
+kvm-nvmx-fix-fault-vector-for-vmx-operation-at-cpl-0.patch
+drm-etnaviv-fix-crash-in-gpu-suspend-when-init-failed-due-to-buffer-placement.patch
+btrfs-exit-gracefully-when-chunk-map-cannot-be-inserted-to-the-tree.patch
+btrfs-replace-reset-on-disk-dev-stats-value-after-replace.patch
+btrfs-fix-in-memory-value-of-total_devices-after-seed-device-deletion.patch
+btrfs-relocation-only-remove-reloc-rb_trees-if-reloc-control-has-been-initialized.patch
+btrfs-tree-checker-detect-invalid-and-empty-essential-trees.patch
+btrfs-check-integrity-fix-null-pointer-dereference-for-degraded-mount.patch
+btrfs-lift-uuid_mutex-to-callers-of-btrfs_open_devices.patch
+btrfs-don-t-remove-block-group-that-still-has-pinned-down-bytes.patch
+btrfs-fix-a-c-compliance-issue.patch
+arm64-rockchip-force-config_pm-on-rockchip-systems.patch
+arm-rockchip-force-config_pm-on-rockchip-systems.patch
+btrfs-do-btrfs_free_stale_devices-outside-of-device_list_add.patch
+btrfs-extend-locked-section-when-adding-a-new-device-in-device_list_add.patch
+btrfs-rename-local-devices-for-fs_devices-in-btrfs_free_stale_devices.patch
+btrfs-use-device_list_mutex-when-removing-stale-devices.patch
+btrfs-lift-uuid_mutex-to-callers-of-btrfs_scan_one_device.patch
+btrfs-lift-uuid_mutex-to-callers-of-btrfs_parse_early_options.patch
+btrfs-reorder-initialization-before-the-mount-locks-uuid_mutex.patch
+btrfs-fix-mount-and-ioctl-device-scan-ioctl-race.patch
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Steve French <stfrench@microsoft.com>
+Date: Wed, 1 Aug 2018 00:56:12 -0500
+Subject: smb3: fix reset of bytes read and written stats
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit c281bc0c7412308c7ec0888904f7c99353da4796 ]
+
+echo 0 > /proc/fs/cifs/Stats is supposed to reset the stats
+but there were four (see example below) that were not reset
+(bytes read and witten, total vfs ops and max ops
+at one time).
+
+...
+0 session 0 share reconnects
+Total vfs operations: 100 maximum at one time: 2
+
+1) \\localhost\test
+SMBs: 0
+Bytes read: 502092 Bytes written: 31457286
+TreeConnects: 0 total 0 failed
+TreeDisconnects: 0 total 0 failed
+...
+
+This patch fixes cifs_stats_proc_write to properly reset
+those four.
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifs_debug.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/cifs/cifs_debug.c
++++ b/fs/cifs/cifs_debug.c
+@@ -383,6 +383,10 @@ static ssize_t cifs_stats_proc_write(str
+ atomic_set(&totBufAllocCount, 0);
+ atomic_set(&totSmBufAllocCount, 0);
+ #endif /* CONFIG_CIFS_STATS2 */
++ spin_lock(&GlobalMid_Lock);
++ GlobalMaxActiveXid = 0;
++ GlobalCurrentXid = 0;
++ spin_unlock(&GlobalMid_Lock);
+ spin_lock(&cifs_tcp_ses_lock);
+ list_for_each(tmp1, &cifs_tcp_ses_list) {
+ server = list_entry(tmp1, struct TCP_Server_Info,
+@@ -395,6 +399,10 @@ static ssize_t cifs_stats_proc_write(str
+ struct cifs_tcon,
+ tcon_list);
+ atomic_set(&tcon->num_smbs_sent, 0);
++ spin_lock(&tcon->stat_lock);
++ tcon->bytes_read = 0;
++ tcon->bytes_written = 0;
++ spin_unlock(&tcon->stat_lock);
+ if (server->ops->clear_stats)
+ server->ops->clear_stats(tcon);
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Steve French <stfrench@microsoft.com>
+Date: Mon, 18 Jun 2018 14:01:59 -0500
+Subject: smb3: if server does not support posix do not allow posix mount option
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit 8505c8bfd85a260c9dc5c47e15bd8c5357fcbcd2 ]
+
+If user specifies "posix" on an SMB3.11 mount, then fail the mount
+if server does not return the POSIX negotiate context indicating
+support for posix.
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/connect.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -3031,11 +3031,15 @@ cifs_get_tcon(struct cifs_ses *ses, stru
+ }
+
+ #ifdef CONFIG_CIFS_SMB311
+- if ((volume_info->linux_ext) && (ses->server->posix_ext_supported)) {
+- if (ses->server->vals->protocol_id == SMB311_PROT_ID) {
++ if (volume_info->linux_ext) {
++ if (ses->server->posix_ext_supported) {
+ tcon->posix_extensions = true;
+ printk_once(KERN_WARNING
+ "SMB3.11 POSIX Extensions are experimental\n");
++ } else {
++ cifs_dbg(VFS, "Server does not support mounting with posix SMB3.11 extensions.\n");
++ rc = -EOPNOTSUPP;
++ goto out_fail;
+ }
+ }
+ #endif /* 311 */
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Steve French <stfrench@microsoft.com>
+Date: Mon, 23 Jul 2018 09:15:18 -0500
+Subject: SMB3: Number of requests sent should be displayed for SMB3 not just CIFS
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit 289131e1f1e6ad8c661ec05e176b8f0915672059 ]
+
+For SMB2/SMB3 the number of requests sent was not displayed
+in /proc/fs/cifs/Stats unless CONFIG_CIFS_STATS2 was
+enabled (only number of failed requests displayed). As
+with earlier dialects, we should be displaying these
+counters if CONFIG_CIFS_STATS is enabled. They
+are important for debugging.
+
+e.g. when you cat /proc/fs/cifs/Stats (before the patch)
+Resources in use
+CIFS Session: 1
+Share (unique mount targets): 2
+SMB Request/Response Buffer: 1 Pool size: 5
+SMB Small Req/Resp Buffer: 1 Pool size: 30
+Operations (MIDs): 0
+
+0 session 0 share reconnects
+Total vfs operations: 690 maximum at one time: 2
+
+1) \\localhost\test
+SMBs: 975
+Negotiates: 0 sent 0 failed
+SessionSetups: 0 sent 0 failed
+Logoffs: 0 sent 0 failed
+TreeConnects: 0 sent 0 failed
+TreeDisconnects: 0 sent 0 failed
+Creates: 0 sent 2 failed
+Closes: 0 sent 0 failed
+Flushes: 0 sent 0 failed
+Reads: 0 sent 0 failed
+Writes: 0 sent 0 failed
+Locks: 0 sent 0 failed
+IOCTLs: 0 sent 1 failed
+Cancels: 0 sent 0 failed
+Echos: 0 sent 0 failed
+QueryDirectories: 0 sent 63 failed
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -360,7 +360,7 @@ smb2_plain_req_init(__le16 smb2_command,
+ total_len);
+
+ if (tcon != NULL) {
+-#ifdef CONFIG_CIFS_STATS2
++#ifdef CONFIG_CIFS_STATS
+ uint16_t com_code = le16_to_cpu(smb2_command);
+ cifs_stats_inc(&tcon->stats.smb2_stats.smb2_com_sent[com_code]);
+ #endif
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 6 Aug 2018 11:05:13 +0100
+Subject: staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+[ Upstream commit e083926b3e269d4064825dcf2ad50c636fddf8cf ]
+
+The PFI subdevice flags indicate that the subdevice is readable and
+writeable, but that is only true for the supported "M-series" boards,
+not the older "E-series" boards. Only set the SDF_READABLE and
+SDF_WRITABLE subdevice flags for the M-series boards. These two flags
+are mainly for informational purposes.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/ni_mio_common.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/ni_mio_common.c
++++ b/drivers/staging/comedi/drivers/ni_mio_common.c
+@@ -5446,11 +5446,11 @@ static int ni_E_init(struct comedi_devic
+ /* Digital I/O (PFI) subdevice */
+ s = &dev->subdevices[NI_PFI_DIO_SUBDEV];
+ s->type = COMEDI_SUBD_DIO;
+- s->subdev_flags = SDF_READABLE | SDF_WRITABLE | SDF_INTERNAL;
+ s->maxdata = 1;
+ if (devpriv->is_m_series) {
+ s->n_chan = 16;
+ s->insn_bits = ni_pfi_insn_bits;
++ s->subdev_flags = SDF_READABLE | SDF_WRITABLE | SDF_INTERNAL;
+
+ ni_writew(dev, s->state, NI_M_PFI_DO_REG);
+ for (i = 0; i < NUM_PFI_OUTPUT_SELECT_REGS; ++i) {
+@@ -5459,6 +5459,7 @@ static int ni_E_init(struct comedi_devic
+ }
+ } else {
+ s->n_chan = 10;
++ s->subdev_flags = SDF_INTERNAL;
+ }
+ s->insn_config = ni_pfi_insn_config;
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Laura Abbott <labbott@redhat.com>
+Date: Fri, 17 Aug 2018 14:43:54 -0700
+Subject: sunrpc: Don't use stack buffer with scatterlist
+
+From: Laura Abbott <labbott@redhat.com>
+
+[ Upstream commit 44090cc876926277329e1608bafc01b9f6da627f ]
+
+Fedora got a bug report from NFS:
+
+kernel BUG at include/linux/scatterlist.h:143!
+...
+RIP: 0010:sg_init_one+0x7d/0x90
+..
+ make_checksum+0x4e7/0x760 [rpcsec_gss_krb5]
+ gss_get_mic_kerberos+0x26e/0x310 [rpcsec_gss_krb5]
+ gss_marshal+0x126/0x1a0 [auth_rpcgss]
+ ? __local_bh_enable_ip+0x80/0xe0
+ ? call_transmit_status+0x1d0/0x1d0 [sunrpc]
+ call_transmit+0x137/0x230 [sunrpc]
+ __rpc_execute+0x9b/0x490 [sunrpc]
+ rpc_run_task+0x119/0x150 [sunrpc]
+ nfs4_run_exchange_id+0x1bd/0x250 [nfsv4]
+ _nfs4_proc_exchange_id+0x2d/0x490 [nfsv4]
+ nfs41_discover_server_trunking+0x1c/0xa0 [nfsv4]
+ nfs4_discover_server_trunking+0x80/0x270 [nfsv4]
+ nfs4_init_client+0x16e/0x240 [nfsv4]
+ ? nfs_get_client+0x4c9/0x5d0 [nfs]
+ ? _raw_spin_unlock+0x24/0x30
+ ? nfs_get_client+0x4c9/0x5d0 [nfs]
+ nfs4_set_client+0xb2/0x100 [nfsv4]
+ nfs4_create_server+0xff/0x290 [nfsv4]
+ nfs4_remote_mount+0x28/0x50 [nfsv4]
+ mount_fs+0x3b/0x16a
+ vfs_kern_mount.part.35+0x54/0x160
+ nfs_do_root_mount+0x7f/0xc0 [nfsv4]
+ nfs4_try_mount+0x43/0x70 [nfsv4]
+ ? get_nfs_version+0x21/0x80 [nfs]
+ nfs_fs_mount+0x789/0xbf0 [nfs]
+ ? pcpu_alloc+0x6ca/0x7e0
+ ? nfs_clone_super+0x70/0x70 [nfs]
+ ? nfs_parse_mount_options+0xb40/0xb40 [nfs]
+ mount_fs+0x3b/0x16a
+ vfs_kern_mount.part.35+0x54/0x160
+ do_mount+0x1fd/0xd50
+ ksys_mount+0xba/0xd0
+ __x64_sys_mount+0x21/0x30
+ do_syscall_64+0x60/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+This is BUG_ON(!virt_addr_valid(buf)) triggered by using a stack
+allocated buffer with a scatterlist. Convert the buffer for
+rc4salt to be dynamically allocated instead.
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1615258
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/auth_gss/gss_krb5_crypto.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
++++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
+@@ -169,7 +169,7 @@ make_checksum_hmac_md5(struct krb5_ctx *
+ struct scatterlist sg[1];
+ int err = -1;
+ u8 *checksumdata;
+- u8 rc4salt[4];
++ u8 *rc4salt;
+ struct crypto_ahash *md5;
+ struct crypto_ahash *hmac_md5;
+ struct ahash_request *req;
+@@ -183,14 +183,18 @@ make_checksum_hmac_md5(struct krb5_ctx *
+ return GSS_S_FAILURE;
+ }
+
++ rc4salt = kmalloc_array(4, sizeof(*rc4salt), GFP_NOFS);
++ if (!rc4salt)
++ return GSS_S_FAILURE;
++
+ if (arcfour_hmac_md5_usage_to_salt(usage, rc4salt)) {
+ dprintk("%s: invalid usage value %u\n", __func__, usage);
+- return GSS_S_FAILURE;
++ goto out_free_rc4salt;
+ }
+
+ checksumdata = kmalloc(GSS_KRB5_MAX_CKSUM_LEN, GFP_NOFS);
+ if (!checksumdata)
+- return GSS_S_FAILURE;
++ goto out_free_rc4salt;
+
+ md5 = crypto_alloc_ahash("md5", 0, CRYPTO_ALG_ASYNC);
+ if (IS_ERR(md5))
+@@ -258,6 +262,8 @@ out_free_md5:
+ crypto_free_ahash(md5);
+ out_free_cksum:
+ kfree(checksumdata);
++out_free_rc4salt:
++ kfree(rc4salt);
+ return err ? GSS_S_FAILURE : 0;
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu, 16 Aug 2018 21:49:06 +0200
+Subject: tcp, ulp: add alias for all ulp modules
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 037b0b86ecf5646f8eae777d8b52ff8b401692ec ]
+
+Lets not turn the TCP ULP lookup into an arbitrary module loader as
+we only intend to load ULP modules through this mechanism, not other
+unrelated kernel modules:
+
+ [root@bar]# cat foo.c
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <linux/tcp.h>
+ #include <linux/in.h>
+
+ int main(void)
+ {
+ int sock = socket(PF_INET, SOCK_STREAM, 0);
+ setsockopt(sock, IPPROTO_TCP, TCP_ULP, "sctp", sizeof("sctp"));
+ return 0;
+ }
+
+ [root@bar]# gcc foo.c -O2 -Wall
+ [root@bar]# lsmod | grep sctp
+ [root@bar]# ./a.out
+ [root@bar]# lsmod | grep sctp
+ sctp 1077248 4
+ libcrc32c 16384 3 nf_conntrack,nf_nat,sctp
+ [root@bar]#
+
+Fix it by adding module alias to TCP ULP modules, so probing module
+via request_module() will be limited to tcp-ulp-[name]. The existing
+modules like kTLS will load fine given tcp-ulp-tls alias, but others
+will fail to load:
+
+ [root@bar]# lsmod | grep sctp
+ [root@bar]# ./a.out
+ [root@bar]# lsmod | grep sctp
+ [root@bar]#
+
+Sockmap is not affected from this since it's either built-in or not.
+
+Fixes: 734942cc4ea6 ("tcp: ULP infrastructure")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tcp.h | 4 ++++
+ net/ipv4/tcp_ulp.c | 2 +-
+ net/tls/tls_main.c | 1 +
+ 3 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -2023,6 +2023,10 @@ int tcp_set_ulp_id(struct sock *sk, cons
+ void tcp_get_available_ulp(char *buf, size_t len);
+ void tcp_cleanup_ulp(struct sock *sk);
+
++#define MODULE_ALIAS_TCP_ULP(name) \
++ __MODULE_INFO(alias, alias_userspace, name); \
++ __MODULE_INFO(alias, alias_tcp_ulp, "tcp-ulp-" name)
++
+ /* Call BPF_SOCK_OPS program that returns an int. If the return value
+ * is < 0, then the BPF op failed (for example if the loaded BPF
+ * program does not support the chosen operation or there is no BPF
+--- a/net/ipv4/tcp_ulp.c
++++ b/net/ipv4/tcp_ulp.c
+@@ -51,7 +51,7 @@ static const struct tcp_ulp_ops *__tcp_u
+ #ifdef CONFIG_MODULES
+ if (!ulp && capable(CAP_NET_ADMIN)) {
+ rcu_read_unlock();
+- request_module("%s", name);
++ request_module("tcp-ulp-%s", name);
+ rcu_read_lock();
+ ulp = tcp_ulp_find(name);
+ }
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -45,6 +45,7 @@
+ MODULE_AUTHOR("Mellanox Technologies");
+ MODULE_DESCRIPTION("Transport Layer Security Support");
+ MODULE_LICENSE("Dual BSD/GPL");
++MODULE_ALIAS_TCP_ULP("tls");
+
+ enum {
+ TLSV4,
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu, 16 Aug 2018 21:49:07 +0200
+Subject: tcp, ulp: fix leftover icsk_ulp_ops preventing sock from reattach
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 90545cdc3f2b2ea700e24335610cd181e73756da ]
+
+I found that in BPF sockmap programs once we either delete a socket
+from the map or we updated a map slot and the old socket was purged
+from the map that these socket can never get reattached into a map
+even though their related psock has been dropped entirely at that
+point.
+
+Reason is that tcp_cleanup_ulp() leaves the old icsk->icsk_ulp_ops
+intact, so that on the next tcp_set_ulp_id() the kernel returns an
+-EEXIST thinking there is still some active ULP attached.
+
+BPF sockmap is the only one that has this issue as the other user,
+kTLS, only calls tcp_cleanup_ulp() from tcp_v4_destroy_sock() whereas
+sockmap semantics allow dropping the socket from the map with all
+related psock state being cleaned up.
+
+Fixes: 1aa12bdf1bfb ("bpf: sockmap, add sock close() hook to remove socks")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_ulp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp_ulp.c
++++ b/net/ipv4/tcp_ulp.c
+@@ -129,6 +129,8 @@ void tcp_cleanup_ulp(struct sock *sk)
+ if (icsk->icsk_ulp_ops->release)
+ icsk->icsk_ulp_ops->release(sk);
+ module_put(icsk->icsk_ulp_ops->owner);
++
++ icsk->icsk_ulp_ops = NULL;
+ }
+
+ /* Change upper layer protocol for socket */
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Mon, 6 Aug 2018 15:17:42 +0200
+Subject: tracing: Handle CC_FLAGS_FTRACE more accurately
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+[ Upstream commit f28bc3c32c059ab4d13f52155fabd3e20f477f65 ]
+
+CC_FLAGS_FTRACE is exported and later used to remove ftrace relevant
+build flags from files which should be built without ftrace support.
+For that reason add -mfentry to CC_FLAGS_FTRACE as well. That fixes
+a problem with vdso32 build on s390, where -mfentry could not be used
+together with -m31 flag.
+
+At the same time flags like -pg and -mfentry are not relevant for asm
+files, so avoid adding them to KBUILD_AFLAGS.
+
+Introduce CC_FLAGS_USING instead of CC_USING_FENTRY to collect
+-DCC_USING_FENTRY (and future alike) which are relevant for both
+KBUILD_CFLAGS and KBUILD_AFLAGS.
+
+Link: http://lkml.kernel.org/r/patch-1.thread-aa7b8d.git-42971afe87de.your-ad-here.call-01533557518-ext-9465@work.hours
+
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Makefile | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -747,12 +747,15 @@ ifdef CONFIG_FUNCTION_TRACER
+ ifndef CC_FLAGS_FTRACE
+ CC_FLAGS_FTRACE := -pg
+ endif
+-export CC_FLAGS_FTRACE
+ ifdef CONFIG_HAVE_FENTRY
+-CC_USING_FENTRY := $(call cc-option, -mfentry -DCC_USING_FENTRY)
++ ifeq ($(call cc-option-yn, -mfentry),y)
++ CC_FLAGS_FTRACE += -mfentry
++ CC_FLAGS_USING += -DCC_USING_FENTRY
++ endif
+ endif
+-KBUILD_CFLAGS += $(CC_FLAGS_FTRACE) $(CC_USING_FENTRY)
+-KBUILD_AFLAGS += $(CC_USING_FENTRY)
++export CC_FLAGS_FTRACE
++KBUILD_CFLAGS += $(CC_FLAGS_FTRACE) $(CC_FLAGS_USING)
++KBUILD_AFLAGS += $(CC_FLAGS_USING)
+ ifdef CONFIG_DYNAMIC_FTRACE
+ ifdef CONFIG_HAVE_C_RECORDMCOUNT
+ BUILD_C_RECORDMCOUNT := y
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Richard Weinberger <richard@nod.at>
+Date: Tue, 12 Jun 2018 09:33:16 +0200
+Subject: ubi: Initialize Fastmap checkmapping correctly
+
+From: Richard Weinberger <richard@nod.at>
+
+[ Upstream commit 25677478474a91fa1b46f19a4a591a9848bca6fb ]
+
+We cannot do it last, otherwithse it will be skipped for dynamic
+volumes.
+
+Reported-by: Lachmann, Juergen <juergen.lachmann@harman.com>
+Fixes: 34653fd8c46e ("ubi: fastmap: Check each mapping only once")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/ubi/vtbl.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/mtd/ubi/vtbl.c
++++ b/drivers/mtd/ubi/vtbl.c
+@@ -579,6 +579,16 @@ static int init_volumes(struct ubi_devic
+ reserved_pebs += vol->reserved_pebs;
+
+ /*
++ * We use ubi->peb_count and not vol->reserved_pebs because
++ * we want to keep the code simple. Otherwise we'd have to
++ * resize/check the bitmap upon volume resize too.
++ * Allocating a few bytes more does not hurt.
++ */
++ err = ubi_fastmap_init_checkmap(vol, ubi->peb_count);
++ if (err)
++ return err;
++
++ /*
+ * In case of dynamic volume UBI knows nothing about how many
+ * data is stored there. So assume the whole volume is used.
+ */
+@@ -620,16 +630,6 @@ static int init_volumes(struct ubi_devic
+ (long long)(vol->used_ebs - 1) * vol->usable_leb_size;
+ vol->used_bytes += av->last_data_size;
+ vol->last_eb_bytes = av->last_data_size;
+-
+- /*
+- * We use ubi->peb_count and not vol->reserved_pebs because
+- * we want to keep the code simple. Otherwise we'd have to
+- * resize/check the bitmap upon volume resize too.
+- * Allocating a few bytes more does not hurt.
+- */
+- err = ubi_fastmap_init_checkmap(vol, ubi->peb_count);
+- if (err)
+- return err;
+ }
+
+ /* And add the layout volume */
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Sat, 4 Aug 2018 13:47:01 +0900
+Subject: um: fix parallel building with O= option
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+[ Upstream commit 13d3d01e26b942ada7cfced68ccb6db49597874a ]
+
+Randy Dunlap reports UML occasionally fails to build with -j<N> and
+O=<builddir> options.
+
+ make[1]: Entering directory '/home/rdunlap/mmotm-2018-0802-1529/UM64'
+ UPD include/generated/uapi/linux/version.h
+ WRAP arch/x86/include/generated/asm/dma-contiguous.h
+ WRAP arch/x86/include/generated/asm/export.h
+ WRAP arch/x86/include/generated/asm/early_ioremap.h
+ WRAP arch/x86/include/generated/asm/mcs_spinlock.h
+ WRAP arch/x86/include/generated/asm/mm-arch-hooks.h
+ WRAP arch/x86/include/generated/uapi/asm/bpf_perf_event.h
+ WRAP arch/x86/include/generated/uapi/asm/poll.h
+ GEN ./Makefile
+ make[2]: *** No rule to make target 'archheaders'. Stop.
+ arch/um/Makefile:119: recipe for target 'archheaders' failed
+ make[1]: *** [archheaders] Error 2
+ make[1]: *** Waiting for unfinished jobs....
+ UPD include/config/kernel.release
+ make[1]: *** wait: No child processes. Stop.
+ Makefile:146: recipe for target 'sub-make' failed
+ make: *** [sub-make] Error 2
+
+The cause of the problem is the use of '$(MAKE) KBUILD_SRC=',
+which recurses to the top Makefile via the $(objtree)/Makefile
+generated by scripts/mkmakefile.
+
+When you run "make -j<N> O=<builddir> ARCH=um", Make can execute
+'archheaders' and 'outputmakefile' targets simultaneously because
+there is no dependency between them.
+
+If it happens,
+
+ $(Q)$(MAKE) KBUILD_SRC= ARCH=$(HEADER_ARCH) archheaders
+
+... tries to run $(objtree)/Makefile that is being updated.
+
+The correct way for the recursion is
+
+ $(Q)$(MAKE) -f $(srctree)/Makefile ARCH=$(HEADER_ARCH) archheaders
+
+..., which does not rely on the generated Makefile.
+
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Acked-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/um/Makefile | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/um/Makefile
++++ b/arch/um/Makefile
+@@ -122,8 +122,7 @@ archheaders:
+ $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.asm-generic \
+ kbuild-file=$(HOST_DIR)/include/uapi/asm/Kbuild \
+ obj=$(HOST_DIR)/include/generated/uapi/asm
+- $(Q)$(MAKE) KBUILD_SRC= ARCH=$(HEADER_ARCH) archheaders
+-
++ $(Q)$(MAKE) -f $(srctree)/Makefile ARCH=$(HEADER_ARCH) archheaders
+
+ archprepare: include/generated/user_constants.h
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Wed, 18 Jul 2018 10:18:45 +0100
+Subject: virtio: pci-legacy: Validate queue pfn
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+[ Upstream commit 69599206ea9a3f8f2e94d46580579cbf9d08ad6c ]
+
+Legacy PCI over virtio uses a 32bit PFN for the queue. If the
+queue pfn is too large to fit in 32bits, which we could hit on
+arm64 systems with 52bit physical addresses (even with 64K page
+size), we simply miss out a proper link to the other side of
+the queue.
+
+Add a check to validate the PFN, rather than silently breaking
+the devices.
+
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Christoffer Dall <cdall@kernel.org>
+Cc: Peter Maydel <peter.maydell@linaro.org>
+Cc: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/virtio/virtio_pci_legacy.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/virtio/virtio_pci_legacy.c
++++ b/drivers/virtio/virtio_pci_legacy.c
+@@ -122,6 +122,7 @@ static struct virtqueue *setup_vq(struct
+ struct virtqueue *vq;
+ u16 num;
+ int err;
++ u64 q_pfn;
+
+ /* Select the queue we're interested in */
+ iowrite16(index, vp_dev->ioaddr + VIRTIO_PCI_QUEUE_SEL);
+@@ -141,9 +142,17 @@ static struct virtqueue *setup_vq(struct
+ if (!vq)
+ return ERR_PTR(-ENOMEM);
+
++ q_pfn = virtqueue_get_desc_addr(vq) >> VIRTIO_PCI_QUEUE_ADDR_SHIFT;
++ if (q_pfn >> 32) {
++ dev_err(&vp_dev->pci_dev->dev,
++ "platform bug: legacy virtio-mmio must not be used with RAM above 0x%llxGB\n",
++ 0x1ULL << (32 + PAGE_SHIFT - 30));
++ err = -E2BIG;
++ goto out_del_vq;
++ }
++
+ /* activate the queue */
+- iowrite32(virtqueue_get_desc_addr(vq) >> VIRTIO_PCI_QUEUE_ADDR_SHIFT,
+- vp_dev->ioaddr + VIRTIO_PCI_QUEUE_PFN);
++ iowrite32(q_pfn, vp_dev->ioaddr + VIRTIO_PCI_QUEUE_PFN);
+
+ vq->priv = (void __force *)vp_dev->ioaddr + VIRTIO_PCI_QUEUE_NOTIFY;
+
+@@ -160,6 +169,7 @@ static struct virtqueue *setup_vq(struct
+
+ out_deactivate:
+ iowrite32(0, vp_dev->ioaddr + VIRTIO_PCI_QUEUE_PFN);
++out_del_vq:
+ vring_del_virtqueue(vq);
+ return ERR_PTR(err);
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 22 Aug 2018 11:49:04 +0200
+Subject: workqueue: re-add lockdep dependencies for flushing
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 87915adc3f0acdf03c776df42e308e5a155c19af ]
+
+In flush_work(), we need to create a lockdep dependency so that
+the following scenario is appropriately tagged as a problem:
+
+ work_function()
+ {
+ mutex_lock(&mutex);
+ ...
+ }
+
+ other_function()
+ {
+ mutex_lock(&mutex);
+ flush_work(&work); // or cancel_work_sync(&work);
+ }
+
+This is a problem since the work might be running and be blocked
+on trying to acquire the mutex.
+
+Similarly, in flush_workqueue().
+
+These were removed after cross-release partially caught these
+problems, but now cross-release was reverted anyway. IMHO the
+removal was erroneous anyway though, since lockdep should be
+able to catch potential problems, not just actual ones, and
+cross-release would only have caught the problem when actually
+invoking wait_for_completion().
+
+Fixes: fd1a5b04dfb8 ("workqueue: Remove now redundant lock acquisitions wrt. workqueue flushes")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/workqueue.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -2652,6 +2652,9 @@ void flush_workqueue(struct workqueue_st
+ if (WARN_ON(!wq_online))
+ return;
+
++ lock_map_acquire(&wq->lockdep_map);
++ lock_map_release(&wq->lockdep_map);
++
+ mutex_lock(&wq->mutex);
+
+ /*
+@@ -2905,6 +2908,11 @@ static bool __flush_work(struct work_str
+ if (WARN_ON(!wq_online))
+ return false;
+
++ if (!from_cancel) {
++ lock_map_acquire(&work->lockdep_map);
++ lock_map_release(&work->lockdep_map);
++ }
++
+ if (start_flush_work(work, &barr, from_cancel)) {
+ wait_for_completion(&barr.done);
+ destroy_work_on_stack(&barr.work);
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 22 Aug 2018 11:49:03 +0200
+Subject: workqueue: skip lockdep wq dependency in cancel_work_sync()
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit d6e89786bed977f37f55ffca11e563f6d2b1e3b5 ]
+
+In cancel_work_sync(), we can only have one of two cases, even
+with an ordered workqueue:
+ * the work isn't running, just cancelled before it started
+ * the work is running, but then nothing else can be on the
+ workqueue before it
+
+Thus, we need to skip the lockdep workqueue dependency handling,
+otherwise we get false positive reports from lockdep saying that
+we have a potential deadlock when the workqueue also has other
+work items with locking, e.g.
+
+ work1_function() { mutex_lock(&mutex); ... }
+ work2_function() { /* nothing */ }
+
+ other_function() {
+ queue_work(ordered_wq, &work1);
+ queue_work(ordered_wq, &work2);
+ mutex_lock(&mutex);
+ cancel_work_sync(&work2);
+ }
+
+As described above, this isn't a problem, but lockdep will
+currently flag it as if cancel_work_sync() was flush_work(),
+which *is* a problem.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/workqueue.c | 37 ++++++++++++++++++++++---------------
+ 1 file changed, 22 insertions(+), 15 deletions(-)
+
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -2843,7 +2843,8 @@ reflush:
+ }
+ EXPORT_SYMBOL_GPL(drain_workqueue);
+
+-static bool start_flush_work(struct work_struct *work, struct wq_barrier *barr)
++static bool start_flush_work(struct work_struct *work, struct wq_barrier *barr,
++ bool from_cancel)
+ {
+ struct worker *worker = NULL;
+ struct worker_pool *pool;
+@@ -2885,7 +2886,8 @@ static bool start_flush_work(struct work
+ * workqueues the deadlock happens when the rescuer stalls, blocking
+ * forward progress.
+ */
+- if (pwq->wq->saved_max_active == 1 || pwq->wq->rescuer) {
++ if (!from_cancel &&
++ (pwq->wq->saved_max_active == 1 || pwq->wq->rescuer)) {
+ lock_map_acquire(&pwq->wq->lockdep_map);
+ lock_map_release(&pwq->wq->lockdep_map);
+ }
+@@ -2896,6 +2898,22 @@ already_gone:
+ return false;
+ }
+
++static bool __flush_work(struct work_struct *work, bool from_cancel)
++{
++ struct wq_barrier barr;
++
++ if (WARN_ON(!wq_online))
++ return false;
++
++ if (start_flush_work(work, &barr, from_cancel)) {
++ wait_for_completion(&barr.done);
++ destroy_work_on_stack(&barr.work);
++ return true;
++ } else {
++ return false;
++ }
++}
++
+ /**
+ * flush_work - wait for a work to finish executing the last queueing instance
+ * @work: the work to flush
+@@ -2909,18 +2927,7 @@ already_gone:
+ */
+ bool flush_work(struct work_struct *work)
+ {
+- struct wq_barrier barr;
+-
+- if (WARN_ON(!wq_online))
+- return false;
+-
+- if (start_flush_work(work, &barr)) {
+- wait_for_completion(&barr.done);
+- destroy_work_on_stack(&barr.work);
+- return true;
+- } else {
+- return false;
+- }
++ return __flush_work(work, false);
+ }
+ EXPORT_SYMBOL_GPL(flush_work);
+
+@@ -2986,7 +2993,7 @@ static bool __cancel_work_timer(struct w
+ * isn't executing.
+ */
+ if (wq_online)
+- flush_work(work);
++ __flush_work(work, true);
+
+ clear_work_data(work);
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 17 Aug 2018 12:01:36 +0200
+Subject: x86/mce: Add notifier_block forward declaration
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 704ae091b061082b37a9968621af4c290c641d50 ]
+
+Without linux/irq.h, there is no declaration of notifier_block, leading to
+a build warning:
+
+In file included from arch/x86/kernel/cpu/mcheck/threshold.c:10:
+arch/x86/include/asm/mce.h:151:46: error: 'struct notifier_block' declared inside parameter list will not be visible outside of this definition or declaration [-Werror]
+
+It's sufficient to declare the struct tag here, which avoids pulling in
+more header files.
+
+Fixes: 447ae3166702 ("x86: Don't include linux/irq.h from asm/hardirq.h")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Nicolai Stange <nstange@suse.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20180817100156.3009043-1-arnd@arndb.de
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/mce.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/include/asm/mce.h
++++ b/arch/x86/include/asm/mce.h
+@@ -148,6 +148,7 @@ enum mce_notifier_prios {
+ MCE_PRIO_LOWEST = 0,
+ };
+
++struct notifier_block;
+ extern void mce_register_decode_chain(struct notifier_block *nb);
+ extern void mce_unregister_decode_chain(struct notifier_block *nb);
+
--- /dev/null
+From foo@baz Tue Sep 11 12:05:55 CEST 2018
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Wed, 8 Aug 2018 13:46:41 +0200
+Subject: xen/balloon: fix balloon initialization for PVH Dom0
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+[ Upstream commit 3596924a233e45aa918c961a902170fc4916461b ]
+
+The current balloon code tries to calculate a delta factor for the
+balloon target when running in HVM mode in order to account for memory
+used by the firmware.
+
+This workaround for memory accounting doesn't work properly on a PVH
+Dom0, that has a static-max value different from the target value even
+at startup. Note that this is not a problem for DomUs because guests are
+started with a static-max value that matches the amount of RAM in the
+memory map.
+
+Fix this by forcefully setting target_diff for Dom0, regardless of
+it's mode.
+
+Reported-by: Gabriel Bercarug <bercarug@amazon.com>
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/xen-balloon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/xen/xen-balloon.c
++++ b/drivers/xen/xen-balloon.c
+@@ -81,7 +81,7 @@ static void watch_target(struct xenbus_w
+ static_max = new_target;
+ else
+ static_max >>= PAGE_SHIFT - 10;
+- target_diff = xen_pv_domain() ? 0
++ target_diff = (xen_pv_domain() || xen_initial_domain()) ? 0
+ : static_max - balloon_stats.target_pages;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
