--- /dev/null
+From 6d944b76a2f46d2d432b903c211b49e3cef237e7 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Wed, 20 Mar 2019 13:14:00 -0700
+Subject: ARM: dts: rockchip: Fix gpu opp node names for rk3288
+
+[ Upstream commit d040e4e8deeaa8257d6aa260e29ad69832b5d630 ]
+
+The device tree compiler yells like this:
+ Warning (unit_address_vs_reg):
+ /gpu-opp-table/opp@100000000:
+ node has a unit name, but no reg property
+
+Let's match the cpu opp node names and use a dash.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/rk3288.dtsi | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm/boot/dts/rk3288.dtsi b/arch/arm/boot/dts/rk3288.dtsi
+index f7a951afd281..5a7888581eea 100644
+--- a/arch/arm/boot/dts/rk3288.dtsi
++++ b/arch/arm/boot/dts/rk3288.dtsi
+@@ -1181,27 +1181,27 @@
+ gpu_opp_table: gpu-opp-table {
+ compatible = "operating-points-v2";
+
+- opp@100000000 {
++ opp-100000000 {
+ opp-hz = /bits/ 64 <100000000>;
+ opp-microvolt = <950000>;
+ };
+- opp@200000000 {
++ opp-200000000 {
+ opp-hz = /bits/ 64 <200000000>;
+ opp-microvolt = <950000>;
+ };
+- opp@300000000 {
++ opp-300000000 {
+ opp-hz = /bits/ 64 <300000000>;
+ opp-microvolt = <1000000>;
+ };
+- opp@400000000 {
++ opp-400000000 {
+ opp-hz = /bits/ 64 <400000000>;
+ opp-microvolt = <1100000>;
+ };
+- opp@500000000 {
++ opp-500000000 {
+ opp-hz = /bits/ 64 <500000000>;
+ opp-microvolt = <1200000>;
+ };
+- opp@600000000 {
++ opp-600000000 {
+ opp-hz = /bits/ 64 <600000000>;
+ opp-microvolt = <1250000>;
+ };
+--
+2.20.1
+
--- /dev/null
+From 1f605b3f68183b5a35ed334eae354538eb428769 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 25 Mar 2019 16:50:43 +0100
+Subject: ARM: iop: don't use using 64-bit DMA masks
+
+[ Upstream commit 2125801ccce19249708ca3245d48998e70569ab8 ]
+
+clang warns about statically defined DMA masks from the DMA_BIT_MASK
+macro with length 64:
+
+ arch/arm/mach-iop13xx/setup.c:303:35: error: shift count >= width of type [-Werror,-Wshift-count-overflow]
+ static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(64);
+ ^~~~~~~~~~~~~~~~
+ include/linux/dma-mapping.h:141:54: note: expanded from macro 'DMA_BIT_MASK'
+ #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
+ ^ ~~~
+
+The ones in iop shouldn't really be 64 bit masks, so changing them
+to what the driver can support avoids the warning.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-iop13xx/setup.c | 8 ++++----
+ arch/arm/mach-iop13xx/tpmi.c | 10 +++++-----
+ arch/arm/plat-iop/adma.c | 6 +++---
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/arch/arm/mach-iop13xx/setup.c b/arch/arm/mach-iop13xx/setup.c
+index 53c316f7301e..fe4932fda01d 100644
+--- a/arch/arm/mach-iop13xx/setup.c
++++ b/arch/arm/mach-iop13xx/setup.c
+@@ -300,7 +300,7 @@ static struct resource iop13xx_adma_2_resources[] = {
+ }
+ };
+
+-static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(64);
++static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(32);
+ static struct iop_adma_platform_data iop13xx_adma_0_data = {
+ .hw_id = 0,
+ .pool_size = PAGE_SIZE,
+@@ -324,7 +324,7 @@ static struct platform_device iop13xx_adma_0_channel = {
+ .resource = iop13xx_adma_0_resources,
+ .dev = {
+ .dma_mask = &iop13xx_adma_dmamask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ .platform_data = (void *) &iop13xx_adma_0_data,
+ },
+ };
+@@ -336,7 +336,7 @@ static struct platform_device iop13xx_adma_1_channel = {
+ .resource = iop13xx_adma_1_resources,
+ .dev = {
+ .dma_mask = &iop13xx_adma_dmamask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ .platform_data = (void *) &iop13xx_adma_1_data,
+ },
+ };
+@@ -348,7 +348,7 @@ static struct platform_device iop13xx_adma_2_channel = {
+ .resource = iop13xx_adma_2_resources,
+ .dev = {
+ .dma_mask = &iop13xx_adma_dmamask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ .platform_data = (void *) &iop13xx_adma_2_data,
+ },
+ };
+diff --git a/arch/arm/mach-iop13xx/tpmi.c b/arch/arm/mach-iop13xx/tpmi.c
+index db511ec2b1df..116feb6b261e 100644
+--- a/arch/arm/mach-iop13xx/tpmi.c
++++ b/arch/arm/mach-iop13xx/tpmi.c
+@@ -152,7 +152,7 @@ static struct resource iop13xx_tpmi_3_resources[] = {
+ }
+ };
+
+-u64 iop13xx_tpmi_mask = DMA_BIT_MASK(64);
++u64 iop13xx_tpmi_mask = DMA_BIT_MASK(32);
+ static struct platform_device iop13xx_tpmi_0_device = {
+ .name = "iop-tpmi",
+ .id = 0,
+@@ -160,7 +160,7 @@ static struct platform_device iop13xx_tpmi_0_device = {
+ .resource = iop13xx_tpmi_0_resources,
+ .dev = {
+ .dma_mask = &iop13xx_tpmi_mask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ },
+ };
+
+@@ -171,7 +171,7 @@ static struct platform_device iop13xx_tpmi_1_device = {
+ .resource = iop13xx_tpmi_1_resources,
+ .dev = {
+ .dma_mask = &iop13xx_tpmi_mask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ },
+ };
+
+@@ -182,7 +182,7 @@ static struct platform_device iop13xx_tpmi_2_device = {
+ .resource = iop13xx_tpmi_2_resources,
+ .dev = {
+ .dma_mask = &iop13xx_tpmi_mask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ },
+ };
+
+@@ -193,7 +193,7 @@ static struct platform_device iop13xx_tpmi_3_device = {
+ .resource = iop13xx_tpmi_3_resources,
+ .dev = {
+ .dma_mask = &iop13xx_tpmi_mask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ },
+ };
+
+diff --git a/arch/arm/plat-iop/adma.c b/arch/arm/plat-iop/adma.c
+index a4d1f8de3b5b..d9612221e484 100644
+--- a/arch/arm/plat-iop/adma.c
++++ b/arch/arm/plat-iop/adma.c
+@@ -143,7 +143,7 @@ struct platform_device iop3xx_dma_0_channel = {
+ .resource = iop3xx_dma_0_resources,
+ .dev = {
+ .dma_mask = &iop3xx_adma_dmamask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ .platform_data = (void *) &iop3xx_dma_0_data,
+ },
+ };
+@@ -155,7 +155,7 @@ struct platform_device iop3xx_dma_1_channel = {
+ .resource = iop3xx_dma_1_resources,
+ .dev = {
+ .dma_mask = &iop3xx_adma_dmamask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ .platform_data = (void *) &iop3xx_dma_1_data,
+ },
+ };
+@@ -167,7 +167,7 @@ struct platform_device iop3xx_aau_channel = {
+ .resource = iop3xx_aau_resources,
+ .dev = {
+ .dma_mask = &iop3xx_adma_dmamask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ .platform_data = (void *) &iop3xx_aau_data,
+ },
+ };
+--
+2.20.1
+
--- /dev/null
+From a9a2271f6b93b5537b678ba22e3b3d8de38abee1 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 25 Mar 2019 16:50:42 +0100
+Subject: ARM: orion: don't use using 64-bit DMA masks
+
+[ Upstream commit cd92d74d67c811dc22544430b9ac3029f5bd64c5 ]
+
+clang warns about statically defined DMA masks from the DMA_BIT_MASK
+macro with length 64:
+
+arch/arm/plat-orion/common.c:625:29: error: shift count >= width of type [-Werror,-Wshift-count-overflow]
+ .coherent_dma_mask = DMA_BIT_MASK(64),
+ ^~~~~~~~~~~~~~~~
+include/linux/dma-mapping.h:141:54: note: expanded from macro 'DMA_BIT_MASK'
+ #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
+
+The ones in orion shouldn't really be 64 bit masks, so changing them
+to what the driver can support avoids the warning.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/plat-orion/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/plat-orion/common.c b/arch/arm/plat-orion/common.c
+index a2399fd66e97..1e970873439c 100644
+--- a/arch/arm/plat-orion/common.c
++++ b/arch/arm/plat-orion/common.c
+@@ -622,7 +622,7 @@ static struct platform_device orion_xor0_shared = {
+ .resource = orion_xor0_shared_resources,
+ .dev = {
+ .dma_mask = &orion_xor_dmamask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ .platform_data = &orion_xor0_pdata,
+ },
+ };
+@@ -683,7 +683,7 @@ static struct platform_device orion_xor1_shared = {
+ .resource = orion_xor1_shared_resources,
+ .dev = {
+ .dma_mask = &orion_xor_dmamask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ .platform_data = &orion_xor1_pdata,
+ },
+ };
+--
+2.20.1
+
--- /dev/null
+From 17159337be2eec48ba613447173f192ad9af18a3 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 23 Feb 2019 14:27:10 +0100
+Subject: batman-adv: Reduce claim hash refcnt only for removed entry
+
+[ Upstream commit 4ba104f468bbfc27362c393815d03aa18fb7a20f ]
+
+The batadv_hash_remove is a function which searches the hashtable for an
+entry using a needle, a hashtable bucket selection function and a compare
+function. It will lock the bucket list and delete an entry when the compare
+function matches it with the needle. It returns the pointer to the
+hlist_node which matches or NULL when no entry matches the needle.
+
+The batadv_bla_del_claim is not itself protected in anyway to avoid that
+any other function is modifying the hashtable between the search for the
+entry and the call to batadv_hash_remove. It can therefore happen that the
+entry either doesn't exist anymore or an entry was deleted which is not the
+same object as the needle. In such an situation, the reference counter (for
+the reference stored in the hashtable) must not be reduced for the needle.
+Instead the reference counter of the actually removed entry has to be
+reduced.
+
+Otherwise the reference counter will underflow and the object might be
+freed before all its references were dropped. The kref helpers reported
+this problem as:
+
+ refcount_t: underflow; use-after-free.
+
+Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index c3c848f64fdd..c761c0c233e4 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -803,6 +803,8 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv,
+ const u8 *mac, const unsigned short vid)
+ {
+ struct batadv_bla_claim search_claim, *claim;
++ struct batadv_bla_claim *claim_removed_entry;
++ struct hlist_node *claim_removed_node;
+
+ ether_addr_copy(search_claim.addr, mac);
+ search_claim.vid = vid;
+@@ -813,10 +815,18 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv,
+ batadv_dbg(BATADV_DBG_BLA, bat_priv, "%s(): %pM, vid %d\n", __func__,
+ mac, batadv_print_vid(vid));
+
+- batadv_hash_remove(bat_priv->bla.claim_hash, batadv_compare_claim,
+- batadv_choose_claim, claim);
+- batadv_claim_put(claim); /* reference from the hash is gone */
++ claim_removed_node = batadv_hash_remove(bat_priv->bla.claim_hash,
++ batadv_compare_claim,
++ batadv_choose_claim, claim);
++ if (!claim_removed_node)
++ goto free_claim;
+
++ /* reference from the hash is gone */
++ claim_removed_entry = hlist_entry(claim_removed_node,
++ struct batadv_bla_claim, hash_entry);
++ batadv_claim_put(claim_removed_entry);
++
++free_claim:
+ /* don't need the reference from hash_find() anymore */
+ batadv_claim_put(claim);
+ }
+--
+2.20.1
+
--- /dev/null
+From d900604a454b739224664055df7e23fafe924f7f Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 23 Feb 2019 14:27:10 +0100
+Subject: batman-adv: Reduce tt_global hash refcnt only for removed entry
+
+[ Upstream commit f131a56880d10932931e74773fb8702894a94a75 ]
+
+The batadv_hash_remove is a function which searches the hashtable for an
+entry using a needle, a hashtable bucket selection function and a compare
+function. It will lock the bucket list and delete an entry when the compare
+function matches it with the needle. It returns the pointer to the
+hlist_node which matches or NULL when no entry matches the needle.
+
+The batadv_tt_global_free is not itself protected in anyway to avoid that
+any other function is modifying the hashtable between the search for the
+entry and the call to batadv_hash_remove. It can therefore happen that the
+entry either doesn't exist anymore or an entry was deleted which is not the
+same object as the needle. In such an situation, the reference counter (for
+the reference stored in the hashtable) must not be reduced for the needle.
+Instead the reference counter of the actually removed entry has to be
+reduced.
+
+Otherwise the reference counter will underflow and the object might be
+freed before all its references were dropped. The kref helpers reported
+this problem as:
+
+ refcount_t: underflow; use-after-free.
+
+Fixes: 7683fdc1e886 ("batman-adv: protect the local and the global trans-tables with rcu")
+Reported-by: Martin Weinelt <martin@linuxlounge.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/translation-table.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index 6c3e446abeed..020a8adc4cce 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -614,14 +614,26 @@ static void batadv_tt_global_free(struct batadv_priv *bat_priv,
+ struct batadv_tt_global_entry *tt_global,
+ const char *message)
+ {
++ struct batadv_tt_global_entry *tt_removed_entry;
++ struct hlist_node *tt_removed_node;
++
+ batadv_dbg(BATADV_DBG_TT, bat_priv,
+ "Deleting global tt entry %pM (vid: %d): %s\n",
+ tt_global->common.addr,
+ batadv_print_vid(tt_global->common.vid), message);
+
+- batadv_hash_remove(bat_priv->tt.global_hash, batadv_compare_tt,
+- batadv_choose_tt, &tt_global->common);
+- batadv_tt_global_entry_put(tt_global);
++ tt_removed_node = batadv_hash_remove(bat_priv->tt.global_hash,
++ batadv_compare_tt,
++ batadv_choose_tt,
++ &tt_global->common);
++ if (!tt_removed_node)
++ return;
++
++ /* drop reference of remove hash entry */
++ tt_removed_entry = hlist_entry(tt_removed_node,
++ struct batadv_tt_global_entry,
++ common.hash_entry);
++ batadv_tt_global_entry_put(tt_removed_entry);
+ }
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From 6d3e8f70353f4ebe6ee48a289a8173fc2686c8ea Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 23 Feb 2019 14:27:10 +0100
+Subject: batman-adv: Reduce tt_local hash refcnt only for removed entry
+
+[ Upstream commit 3d65b9accab4a7ed5038f6df403fbd5e298398c7 ]
+
+The batadv_hash_remove is a function which searches the hashtable for an
+entry using a needle, a hashtable bucket selection function and a compare
+function. It will lock the bucket list and delete an entry when the compare
+function matches it with the needle. It returns the pointer to the
+hlist_node which matches or NULL when no entry matches the needle.
+
+The batadv_tt_local_remove is not itself protected in anyway to avoid that
+any other function is modifying the hashtable between the search for the
+entry and the call to batadv_hash_remove. It can therefore happen that the
+entry either doesn't exist anymore or an entry was deleted which is not the
+same object as the needle. In such an situation, the reference counter (for
+the reference stored in the hashtable) must not be reduced for the needle.
+Instead the reference counter of the actually removed entry has to be
+reduced.
+
+Otherwise the reference counter will underflow and the object might be
+freed before all its references were dropped. The kref helpers reported
+this problem as:
+
+ refcount_t: underflow; use-after-free.
+
+Fixes: ef72706a0543 ("batman-adv: protect tt_local_entry from concurrent delete events")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/translation-table.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index 9da3455847ff..6c3e446abeed 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -1313,9 +1313,10 @@ u16 batadv_tt_local_remove(struct batadv_priv *bat_priv, const u8 *addr,
+ unsigned short vid, const char *message,
+ bool roaming)
+ {
++ struct batadv_tt_local_entry *tt_removed_entry;
+ struct batadv_tt_local_entry *tt_local_entry;
+ u16 flags, curr_flags = BATADV_NO_FLAGS;
+- void *tt_entry_exists;
++ struct hlist_node *tt_removed_node;
+
+ tt_local_entry = batadv_tt_local_hash_find(bat_priv, addr, vid);
+ if (!tt_local_entry)
+@@ -1344,15 +1345,18 @@ u16 batadv_tt_local_remove(struct batadv_priv *bat_priv, const u8 *addr,
+ */
+ batadv_tt_local_event(bat_priv, tt_local_entry, BATADV_TT_CLIENT_DEL);
+
+- tt_entry_exists = batadv_hash_remove(bat_priv->tt.local_hash,
++ tt_removed_node = batadv_hash_remove(bat_priv->tt.local_hash,
+ batadv_compare_tt,
+ batadv_choose_tt,
+ &tt_local_entry->common);
+- if (!tt_entry_exists)
++ if (!tt_removed_node)
+ goto out;
+
+- /* extra call to free the local tt entry */
+- batadv_tt_local_entry_put(tt_local_entry);
++ /* drop reference of remove hash entry */
++ tt_removed_entry = hlist_entry(tt_removed_node,
++ struct batadv_tt_local_entry,
++ common.hash_entry);
++ batadv_tt_local_entry_put(tt_removed_entry);
+
+ out:
+ if (tt_local_entry)
+--
+2.20.1
+
--- /dev/null
+From 3be8b08dba3901cfb05c14d2ffbb563d09a30a5c Mon Sep 17 00:00:00 2001
+From: Konstantin Khorenko <khorenko@virtuozzo.com>
+Date: Thu, 28 Mar 2019 13:29:21 +0300
+Subject: bonding: show full hw address in sysfs for slave entries
+
+[ Upstream commit 18bebc6dd3281955240062655a4df35eef2c46b3 ]
+
+Bond expects ethernet hwaddr for its slave, but it can be longer than 6
+bytes - infiniband interface for example.
+
+ # cat /sys/devices/<skipped>/net/ib0/address
+ 80:00:02:08:fe:80:00:00:00:00:00:00:7c:fe:90:03:00:be:5d:e1
+
+ # cat /sys/devices/<skipped>/net/ib0/bonding_slave/perm_hwaddr
+ 80:00:02:08:fe:80
+
+So print full hwaddr in sysfs "bonding_slave/perm_hwaddr" as well.
+
+Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_sysfs_slave.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c
+index 7d16c51e6913..641a532b67cb 100644
+--- a/drivers/net/bonding/bond_sysfs_slave.c
++++ b/drivers/net/bonding/bond_sysfs_slave.c
+@@ -55,7 +55,9 @@ static SLAVE_ATTR_RO(link_failure_count);
+
+ static ssize_t perm_hwaddr_show(struct slave *slave, char *buf)
+ {
+- return sprintf(buf, "%pM\n", slave->perm_hwaddr);
++ return sprintf(buf, "%*phC\n",
++ slave->dev->addr_len,
++ slave->perm_hwaddr);
+ }
+ static SLAVE_ATTR_RO(perm_hwaddr);
+
+--
+2.20.1
+
--- /dev/null
+From 06a470933b0f5aef5c63d5bcd70c6dc3166e0798 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 26 Mar 2019 01:43:37 +0000
+Subject: debugfs: fix use-after-free on symlink traversal
+
+[ Upstream commit 93b919da64c15b90953f96a536e5e61df896ca57 ]
+
+symlink body shouldn't be freed without an RCU delay. Switch debugfs to
+->destroy_inode() and use of call_rcu(); free both the inode and symlink
+body in the callback. Similar to solution for bpf, only here it's even
+more obvious that ->evict_inode() can be dropped.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/debugfs/inode.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
+index ccfe1e1cb6bc..f4df6feec271 100644
+--- a/fs/debugfs/inode.c
++++ b/fs/debugfs/inode.c
+@@ -170,19 +170,24 @@ static int debugfs_show_options(struct seq_file *m, struct dentry *root)
+ return 0;
+ }
+
+-static void debugfs_evict_inode(struct inode *inode)
++static void debugfs_i_callback(struct rcu_head *head)
+ {
+- truncate_inode_pages_final(&inode->i_data);
+- clear_inode(inode);
++ struct inode *inode = container_of(head, struct inode, i_rcu);
+ if (S_ISLNK(inode->i_mode))
+ kfree(inode->i_link);
++ free_inode_nonrcu(inode);
++}
++
++static void debugfs_destroy_inode(struct inode *inode)
++{
++ call_rcu(&inode->i_rcu, debugfs_i_callback);
+ }
+
+ static const struct super_operations debugfs_super_operations = {
+ .statfs = simple_statfs,
+ .remount_fs = debugfs_remount,
+ .show_options = debugfs_show_options,
+- .evict_inode = debugfs_evict_inode,
++ .destroy_inode = debugfs_destroy_inode,
+ };
+
+ static struct vfsmount *debugfs_automount(struct path *path)
+--
+2.20.1
+
--- /dev/null
+From d7cf54737b0ccac3b6b50538f59bf63d0cf8748d Mon Sep 17 00:00:00 2001
+From: "He, Bo" <bo.he@intel.com>
+Date: Thu, 14 Mar 2019 02:28:21 +0000
+Subject: HID: debug: fix race condition with between rdesc_show() and device
+ removal
+
+[ Upstream commit cef0d4948cb0a02db37ebfdc320e127c77ab1637 ]
+
+There is a race condition that could happen if hid_debug_rdesc_show()
+is running while hdev is in the process of going away (device removal,
+system suspend, etc) which could result in NULL pointer dereference:
+
+ BUG: unable to handle kernel paging request at 0000000783316040
+ CPU: 1 PID: 1512 Comm: getevent Tainted: G U O 4.19.20-quilt-2e5dc0ac-00029-gc455a447dd55 #1
+ RIP: 0010:hid_dump_device+0x9b/0x160
+ Call Trace:
+ hid_debug_rdesc_show+0x72/0x1d0
+ seq_read+0xe0/0x410
+ full_proxy_read+0x5f/0x90
+ __vfs_read+0x3a/0x170
+ vfs_read+0xa0/0x150
+ ksys_read+0x58/0xc0
+ __x64_sys_read+0x1a/0x20
+ do_syscall_64+0x55/0x110
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Grab driver_input_lock to make sure the input device exists throughout the
+whole process of dumping the rdesc.
+
+[jkosina@suse.cz: update changelog a bit]
+Signed-off-by: he, bo <bo.he@intel.com>
+Signed-off-by: "Zhang, Jun" <jun.zhang@intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-debug.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c
+index a90967cd4987..a0bcbb633b67 100644
+--- a/drivers/hid/hid-debug.c
++++ b/drivers/hid/hid-debug.c
+@@ -1060,10 +1060,15 @@ static int hid_debug_rdesc_show(struct seq_file *f, void *p)
+ seq_printf(f, "\n\n");
+
+ /* dump parsed data and input mappings */
++ if (down_interruptible(&hdev->driver_input_lock))
++ return 0;
++
+ hid_dump_device(hdev, f);
+ seq_printf(f, "\n");
+ hid_dump_input_mapping(hdev, f);
+
++ up(&hdev->driver_input_lock);
++
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 1ce0b2126a9106eac60d025fb985b92f0c911ca9 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Tue, 2 Apr 2019 09:57:13 -0700
+Subject: HID: input: add mapping for Assistant key
+
+[ Upstream commit ce856634af8cda3490947df8ac1ef5843e6356af ]
+
+According to HUTRR89 usage 0x1cb from the consumer page was assigned to
+allow launching desktop-aware assistant application, so let's add the
+mapping.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-input.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index d146a9b545ee..1aa7d268686b 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -973,6 +973,7 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ case 0x1b8: map_key_clear(KEY_VIDEO); break;
+ case 0x1bc: map_key_clear(KEY_MESSENGER); break;
+ case 0x1bd: map_key_clear(KEY_INFO); break;
++ case 0x1cb: map_key_clear(KEY_ASSISTANT); break;
+ case 0x201: map_key_clear(KEY_NEW); break;
+ case 0x202: map_key_clear(KEY_OPEN); break;
+ case 0x203: map_key_clear(KEY_CLOSE); break;
+--
+2.20.1
+
--- /dev/null
+From c9c08ae2b2065d1a59670f6af1747ac0fb78a4d7 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Thu, 14 Mar 2019 00:24:02 -0500
+Subject: HID: logitech: check the return value of
+ create_singlethread_workqueue
+
+[ Upstream commit 6c44b15e1c9076d925d5236ddadf1318b0a25ce2 ]
+
+create_singlethread_workqueue may fail and return NULL. The fix checks if it is
+NULL to avoid NULL pointer dereference. Also, the fix moves the call of
+create_singlethread_workqueue earlier to avoid resource-release issues.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-logitech-hidpp.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
+index 614054af904a..b83d4173fc7f 100644
+--- a/drivers/hid/hid-logitech-hidpp.c
++++ b/drivers/hid/hid-logitech-hidpp.c
+@@ -1907,6 +1907,13 @@ static int hidpp_ff_init(struct hidpp_device *hidpp, u8 feature_index)
+ kfree(data);
+ return -ENOMEM;
+ }
++ data->wq = create_singlethread_workqueue("hidpp-ff-sendqueue");
++ if (!data->wq) {
++ kfree(data->effect_ids);
++ kfree(data);
++ return -ENOMEM;
++ }
++
+ data->hidpp = hidpp;
+ data->feature_index = feature_index;
+ data->version = version;
+@@ -1951,7 +1958,6 @@ static int hidpp_ff_init(struct hidpp_device *hidpp, u8 feature_index)
+ /* ignore boost value at response.fap.params[2] */
+
+ /* init the hardware command queue */
+- data->wq = create_singlethread_workqueue("hidpp-ff-sendqueue");
+ atomic_set(&data->workqueue_size, 0);
+
+ /* initialize with zero autocenter to get wheel in usable state */
+--
+2.20.1
+
--- /dev/null
+From 82700cc4c42fcc3458afe5f09fe529d65dfd4557 Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Fri, 5 Apr 2019 18:39:06 -0700
+Subject: hugetlbfs: fix memory leak for resv_map
+
+[ Upstream commit 58b6e5e8f1addd44583d61b0a03c0f5519527e35 ]
+
+When mknod is used to create a block special file in hugetlbfs, it will
+allocate an inode and kmalloc a 'struct resv_map' via resv_map_alloc().
+inode->i_mapping->private_data will point the newly allocated resv_map.
+However, when the device special file is opened bd_acquire() will set
+inode->i_mapping to bd_inode->i_mapping. Thus the pointer to the
+allocated resv_map is lost and the structure is leaked.
+
+Programs to reproduce:
+ mount -t hugetlbfs nodev hugetlbfs
+ mknod hugetlbfs/dev b 0 0
+ exec 30<> hugetlbfs/dev
+ umount hugetlbfs/
+
+resv_map structures are only needed for inodes which can have associated
+page allocations. To fix the leak, only allocate resv_map for those
+inodes which could possibly be associated with page allocations.
+
+Link: http://lkml.kernel.org/r/20190401213101.16476-1-mike.kravetz@oracle.com
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Reported-by: Yufen Yu <yuyufen@huawei.com>
+Suggested-by: Yufen Yu <yuyufen@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hugetlbfs/inode.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
+index eb6f3de29f69..dd28a9b287da 100644
+--- a/fs/hugetlbfs/inode.c
++++ b/fs/hugetlbfs/inode.c
+@@ -730,11 +730,17 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb,
+ umode_t mode, dev_t dev)
+ {
+ struct inode *inode;
+- struct resv_map *resv_map;
++ struct resv_map *resv_map = NULL;
+
+- resv_map = resv_map_alloc();
+- if (!resv_map)
+- return NULL;
++ /*
++ * Reserve maps are only needed for inodes that can have associated
++ * page allocations.
++ */
++ if (S_ISREG(mode) || S_ISLNK(mode)) {
++ resv_map = resv_map_alloc();
++ if (!resv_map)
++ return NULL;
++ }
+
+ inode = new_inode(sb);
+ if (inode) {
+@@ -766,8 +772,10 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb,
+ break;
+ }
+ lockdep_annotate_inode_mutex_key(inode);
+- } else
+- kref_put(&resv_map->refs, resv_map_release);
++ } else {
++ if (resv_map)
++ kref_put(&resv_map->refs, resv_map_release);
++ }
+
+ return inode;
+ }
+--
+2.20.1
+
--- /dev/null
+From b84ac7bb61a1c65c7267d8d81618190f77492f17 Mon Sep 17 00:00:00 2001
+From: Arvind Sankar <niveditas98@gmail.com>
+Date: Sat, 2 Mar 2019 11:01:17 -0500
+Subject: igb: Fix WARN_ONCE on runtime suspend
+
+[ Upstream commit dabb8338be533c18f50255cf39ff4f66d4dabdbe ]
+
+The runtime_suspend device callbacks are not supposed to save
+configuration state or change the power state. Commit fb29f76cc566
+("igb: Fix an issue that PME is not enabled during runtime suspend")
+changed the driver to not save configuration state during runtime
+suspend, however the driver callback still put the device into a
+low-power state. This causes a warning in the pci pm core and results in
+pci_pm_runtime_suspend not calling pci_save_state or pci_finish_runtime_suspend.
+
+Fix this by not changing the power state either, leaving that to pci pm
+core, and make the same change for suspend callback as well.
+
+Also move a couple of defines into the appropriate header file instead
+of inline in the .c file.
+
+Fixes: fb29f76cc566 ("igb: Fix an issue that PME is not enabled during runtime suspend")
+Signed-off-by: Arvind Sankar <niveditas98@gmail.com>
+Reviewed-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/intel/igb/e1000_defines.h | 2 +
+ drivers/net/ethernet/intel/igb/igb_main.c | 57 +++----------------
+ 2 files changed, 10 insertions(+), 49 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/e1000_defines.h b/drivers/net/ethernet/intel/igb/e1000_defines.h
+index 1de82f247312..d258a75c934b 100644
+--- a/drivers/net/ethernet/intel/igb/e1000_defines.h
++++ b/drivers/net/ethernet/intel/igb/e1000_defines.h
+@@ -214,6 +214,8 @@
+ /* enable link status from external LINK_0 and LINK_1 pins */
+ #define E1000_CTRL_SWDPIN0 0x00040000 /* SWDPIN 0 value */
+ #define E1000_CTRL_SWDPIN1 0x00080000 /* SWDPIN 1 value */
++#define E1000_CTRL_ADVD3WUC 0x00100000 /* D3 WUC */
++#define E1000_CTRL_EN_PHY_PWR_MGMT 0x00200000 /* PHY PM enable */
+ #define E1000_CTRL_SDP0_DIR 0x00400000 /* SDP0 Data direction */
+ #define E1000_CTRL_SDP1_DIR 0x00800000 /* SDP1 Data direction */
+ #define E1000_CTRL_RST 0x04000000 /* Global reset */
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 8892ea5cbb01..71b235f935d9 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -7934,9 +7934,7 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake,
+ struct e1000_hw *hw = &adapter->hw;
+ u32 ctrl, rctl, status;
+ u32 wufc = runtime ? E1000_WUFC_LNKC : adapter->wol;
+-#ifdef CONFIG_PM
+- int retval = 0;
+-#endif
++ bool wake;
+
+ rtnl_lock();
+ netif_device_detach(netdev);
+@@ -7949,14 +7947,6 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake,
+ igb_clear_interrupt_scheme(adapter);
+ rtnl_unlock();
+
+-#ifdef CONFIG_PM
+- if (!runtime) {
+- retval = pci_save_state(pdev);
+- if (retval)
+- return retval;
+- }
+-#endif
+-
+ status = rd32(E1000_STATUS);
+ if (status & E1000_STATUS_LU)
+ wufc &= ~E1000_WUFC_LNKC;
+@@ -7973,10 +7963,6 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake,
+ }
+
+ ctrl = rd32(E1000_CTRL);
+- /* advertise wake from D3Cold */
+- #define E1000_CTRL_ADVD3WUC 0x00100000
+- /* phy power management enable */
+- #define E1000_CTRL_EN_PHY_PWR_MGMT 0x00200000
+ ctrl |= E1000_CTRL_ADVD3WUC;
+ wr32(E1000_CTRL, ctrl);
+
+@@ -7990,12 +7976,15 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake,
+ wr32(E1000_WUFC, 0);
+ }
+
+- *enable_wake = wufc || adapter->en_mng_pt;
+- if (!*enable_wake)
++ wake = wufc || adapter->en_mng_pt;
++ if (!wake)
+ igb_power_down_link(adapter);
+ else
+ igb_power_up_link(adapter);
+
++ if (enable_wake)
++ *enable_wake = wake;
++
+ /* Release control of h/w to f/w. If f/w is AMT enabled, this
+ * would have already happened in close and is redundant.
+ */
+@@ -8038,22 +8027,7 @@ static void igb_deliver_wake_packet(struct net_device *netdev)
+
+ static int __maybe_unused igb_suspend(struct device *dev)
+ {
+- int retval;
+- bool wake;
+- struct pci_dev *pdev = to_pci_dev(dev);
+-
+- retval = __igb_shutdown(pdev, &wake, 0);
+- if (retval)
+- return retval;
+-
+- if (wake) {
+- pci_prepare_to_sleep(pdev);
+- } else {
+- pci_wake_from_d3(pdev, false);
+- pci_set_power_state(pdev, PCI_D3hot);
+- }
+-
+- return 0;
++ return __igb_shutdown(to_pci_dev(dev), NULL, 0);
+ }
+
+ static int __maybe_unused igb_resume(struct device *dev)
+@@ -8124,22 +8098,7 @@ static int __maybe_unused igb_runtime_idle(struct device *dev)
+
+ static int __maybe_unused igb_runtime_suspend(struct device *dev)
+ {
+- struct pci_dev *pdev = to_pci_dev(dev);
+- int retval;
+- bool wake;
+-
+- retval = __igb_shutdown(pdev, &wake, 1);
+- if (retval)
+- return retval;
+-
+- if (wake) {
+- pci_prepare_to_sleep(pdev);
+- } else {
+- pci_wake_from_d3(pdev, false);
+- pci_set_power_state(pdev, PCI_D3hot);
+- }
+-
+- return 0;
++ return __igb_shutdown(to_pci_dev(dev), NULL, 1);
+ }
+
+ static int __maybe_unused igb_runtime_resume(struct device *dev)
+--
+2.20.1
+
--- /dev/null
+From 63d6fdb4d327fc2a27fc3868382a37a37707279a Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 26 Mar 2019 01:39:50 +0000
+Subject: jffs2: fix use-after-free on symlink traversal
+
+[ Upstream commit 4fdcfab5b5537c21891e22e65996d4d0dd8ab4ca ]
+
+free the symlink body after the same RCU delay we have for freeing the
+struct inode itself, so that traversal during RCU pathwalk wouldn't step
+into freed memory.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jffs2/readinode.c | 5 -----
+ fs/jffs2/super.c | 5 ++++-
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c
+index 389ea53ea487..bccfc40b3a74 100644
+--- a/fs/jffs2/readinode.c
++++ b/fs/jffs2/readinode.c
+@@ -1414,11 +1414,6 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f)
+
+ jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL);
+
+- if (f->target) {
+- kfree(f->target);
+- f->target = NULL;
+- }
+-
+ fds = f->dents;
+ while(fds) {
+ fd = fds;
+diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
+index 83340496645b..9a9f30eddbbb 100644
+--- a/fs/jffs2/super.c
++++ b/fs/jffs2/super.c
+@@ -47,7 +47,10 @@ static struct inode *jffs2_alloc_inode(struct super_block *sb)
+ static void jffs2_i_callback(struct rcu_head *head)
+ {
+ struct inode *inode = container_of(head, struct inode, i_rcu);
+- kmem_cache_free(jffs2_inode_cachep, JFFS2_INODE_INFO(inode));
++ struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
++
++ kfree(f->target);
++ kmem_cache_free(jffs2_inode_cachep, f);
+ }
+
+ static void jffs2_destroy_inode(struct inode *inode)
+--
+2.20.1
+
--- /dev/null
+From 112d096bc4b04a4485b0204dcee635929d2cb235 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Fri, 5 Apr 2019 18:38:49 -0700
+Subject: kmemleak: powerpc: skip scanning holes in the .bss section
+
+[ Upstream commit 298a32b132087550d3fa80641ca58323c5dfd4d9 ]
+
+Commit 2d4f567103ff ("KVM: PPC: Introduce kvm_tmp framework") adds
+kvm_tmp[] into the .bss section and then free the rest of unused spaces
+back to the page allocator.
+
+kernel_init
+ kvm_guest_init
+ kvm_free_tmp
+ free_reserved_area
+ free_unref_page
+ free_unref_page_prepare
+
+With DEBUG_PAGEALLOC=y, it will unmap those pages from kernel. As the
+result, kmemleak scan will trigger a panic when it scans the .bss
+section with unmapped pages.
+
+This patch creates dedicated kmemleak objects for the .data, .bss and
+potentially .data..ro_after_init sections to allow partial freeing via
+the kmemleak_free_part() in the powerpc kvm_free_tmp() function.
+
+Link: http://lkml.kernel.org/r/20190321171917.62049-1-catalin.marinas@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Reported-by: Qian Cai <cai@lca.pw>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
+Tested-by: Qian Cai <cai@lca.pw>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Avi Kivity <avi@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krcmar <rkrcmar@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/kvm.c | 7 +++++++
+ mm/kmemleak.c | 16 +++++++++++-----
+ 2 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/arch/powerpc/kernel/kvm.c b/arch/powerpc/kernel/kvm.c
+index 9ad37f827a97..7b59cc853abf 100644
+--- a/arch/powerpc/kernel/kvm.c
++++ b/arch/powerpc/kernel/kvm.c
+@@ -22,6 +22,7 @@
+ #include <linux/kvm_host.h>
+ #include <linux/init.h>
+ #include <linux/export.h>
++#include <linux/kmemleak.h>
+ #include <linux/kvm_para.h>
+ #include <linux/slab.h>
+ #include <linux/of.h>
+@@ -712,6 +713,12 @@ static void kvm_use_magic_page(void)
+
+ static __init void kvm_free_tmp(void)
+ {
++ /*
++ * Inform kmemleak about the hole in the .bss section since the
++ * corresponding pages will be unmapped with DEBUG_PAGEALLOC=y.
++ */
++ kmemleak_free_part(&kvm_tmp[kvm_tmp_index],
++ ARRAY_SIZE(kvm_tmp) - kvm_tmp_index);
+ free_reserved_area(&kvm_tmp[kvm_tmp_index],
+ &kvm_tmp[ARRAY_SIZE(kvm_tmp)], -1, NULL);
+ }
+diff --git a/mm/kmemleak.c b/mm/kmemleak.c
+index d9e0be2a8189..337be9aacb7a 100644
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -1492,11 +1492,6 @@ static void kmemleak_scan(void)
+ }
+ rcu_read_unlock();
+
+- /* data/bss scanning */
+- scan_large_block(_sdata, _edata);
+- scan_large_block(__bss_start, __bss_stop);
+- scan_large_block(__start_ro_after_init, __end_ro_after_init);
+-
+ #ifdef CONFIG_SMP
+ /* per-cpu sections scanning */
+ for_each_possible_cpu(i)
+@@ -2027,6 +2022,17 @@ void __init kmemleak_init(void)
+ }
+ local_irq_restore(flags);
+
++ /* register the data/bss sections */
++ create_object((unsigned long)_sdata, _edata - _sdata,
++ KMEMLEAK_GREY, GFP_ATOMIC);
++ create_object((unsigned long)__bss_start, __bss_stop - __bss_start,
++ KMEMLEAK_GREY, GFP_ATOMIC);
++ /* only register .data..ro_after_init if not within .data */
++ if (__start_ro_after_init < _sdata || __end_ro_after_init > _edata)
++ create_object((unsigned long)__start_ro_after_init,
++ __end_ro_after_init - __start_ro_after_init,
++ KMEMLEAK_GREY, GFP_ATOMIC);
++
+ /*
+ * This is the point where tracking allocations is safe. Automatic
+ * scanning is started during the late initcall. Add the early logged
+--
+2.20.1
+
--- /dev/null
+From 51b55a2022aae2f719076a18285d93ab5ac5d20a Mon Sep 17 00:00:00 2001
+From: Yonglong Liu <liuyonglong@huawei.com>
+Date: Thu, 4 Apr 2019 16:46:45 +0800
+Subject: net: hns: fix ICMP6 neighbor solicitation messages discard problem
+
+[ Upstream commit f058e46855dcbc28edb2ed4736f38a71fd19cadb ]
+
+ICMP6 neighbor solicitation messages will be discard by the Hip06
+chips, because of not setting forwarding pool. Enable promisc mode
+has the same problem.
+
+This patch fix the wrong forwarding table configs for the multicast
+vague matching when enable promisc mode, and add forwarding pool
+for the forwarding table.
+
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/hisilicon/hns/hns_dsaf_main.c | 33 +++++++++++++++----
+ 1 file changed, 27 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
+index 7e82dfbb4340..7d0f3cd8a002 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
+@@ -2743,6 +2743,17 @@ int hns_dsaf_get_regs_count(void)
+ return DSAF_DUMP_REGS_NUM;
+ }
+
++static int hns_dsaf_get_port_id(u8 port)
++{
++ if (port < DSAF_SERVICE_NW_NUM)
++ return port;
++
++ if (port >= DSAF_BASE_INNER_PORT_NUM)
++ return port - DSAF_BASE_INNER_PORT_NUM + DSAF_SERVICE_NW_NUM;
++
++ return -EINVAL;
++}
++
+ static void set_promisc_tcam_enable(struct dsaf_device *dsaf_dev, u32 port)
+ {
+ struct dsaf_tbl_tcam_ucast_cfg tbl_tcam_ucast = {0, 1, 0, 0, 0x80};
+@@ -2808,23 +2819,33 @@ static void set_promisc_tcam_enable(struct dsaf_device *dsaf_dev, u32 port)
+ memset(&temp_key, 0x0, sizeof(temp_key));
+ mask_entry.addr[0] = 0x01;
+ hns_dsaf_set_mac_key(dsaf_dev, &mask_key, mask_entry.in_vlan_id,
+- port, mask_entry.addr);
++ 0xf, mask_entry.addr);
+ tbl_tcam_mcast.tbl_mcast_item_vld = 1;
+ tbl_tcam_mcast.tbl_mcast_old_en = 0;
+
+- if (port < DSAF_SERVICE_NW_NUM) {
+- mskid = port;
+- } else if (port >= DSAF_BASE_INNER_PORT_NUM) {
+- mskid = port - DSAF_BASE_INNER_PORT_NUM + DSAF_SERVICE_NW_NUM;
+- } else {
++ /* set MAC port to handle multicast */
++ mskid = hns_dsaf_get_port_id(port);
++ if (mskid == -EINVAL) {
+ dev_err(dsaf_dev->dev, "%s,pnum(%d)error,key(%#x:%#x)\n",
+ dsaf_dev->ae_dev.name, port,
+ mask_key.high.val, mask_key.low.val);
+ return;
+ }
++ dsaf_set_bit(tbl_tcam_mcast.tbl_mcast_port_msk[mskid / 32],
++ mskid % 32, 1);
+
++ /* set pool bit map to handle multicast */
++ mskid = hns_dsaf_get_port_id(port_num);
++ if (mskid == -EINVAL) {
++ dev_err(dsaf_dev->dev,
++ "%s, pool bit map pnum(%d)error,key(%#x:%#x)\n",
++ dsaf_dev->ae_dev.name, port_num,
++ mask_key.high.val, mask_key.low.val);
++ return;
++ }
+ dsaf_set_bit(tbl_tcam_mcast.tbl_mcast_port_msk[mskid / 32],
+ mskid % 32, 1);
++
+ memcpy(&temp_key, &mask_key, sizeof(mask_key));
+ hns_dsaf_tcam_mc_cfg_vague(dsaf_dev, entry_index, &tbl_tcam_data_mc,
+ (struct dsaf_tbl_tcam_data *)(&mask_key),
+--
+2.20.1
+
--- /dev/null
+From e3130a5eea1224cedd35e6e4efa51654ed0503e5 Mon Sep 17 00:00:00 2001
+From: Liubin Shu <shuliubin@huawei.com>
+Date: Thu, 4 Apr 2019 16:46:42 +0800
+Subject: net: hns: fix KASAN: use-after-free in hns_nic_net_xmit_hw()
+
+[ Upstream commit 3a39a12ad364a9acd1038ba8da67cd8430f30de4 ]
+
+This patch is trying to fix the issue due to:
+[27237.844750] BUG: KASAN: use-after-free in hns_nic_net_xmit_hw+0x708/0xa18[hns_enet_drv]
+
+After hnae_queue_xmit() in hns_nic_net_xmit_hw(), can be
+interrupted by interruptions, and than call hns_nic_tx_poll_one()
+to handle the new packets, and free the skb. So, when turn back to
+hns_nic_net_xmit_hw(), calling skb->len will cause use-after-free.
+
+This patch update tx ring statistics in hns_nic_tx_poll_one() to
+fix the bug.
+
+Signed-off-by: Liubin Shu <shuliubin@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hns_enet.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+index d30c28fba249..15739eae3da1 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+@@ -376,8 +376,6 @@ netdev_tx_t hns_nic_net_xmit_hw(struct net_device *ndev,
+ wmb(); /* commit all data before submit */
+ assert(skb->queue_mapping < priv->ae_handle->q_num);
+ hnae_queue_xmit(priv->ae_handle->qs[skb->queue_mapping], buf_num);
+- ring->stats.tx_pkts++;
+- ring->stats.tx_bytes += skb->len;
+
+ return NETDEV_TX_OK;
+
+@@ -1099,6 +1097,9 @@ static int hns_nic_tx_poll_one(struct hns_nic_ring_data *ring_data,
+ /* issue prefetch for next Tx descriptor */
+ prefetch(&ring->desc_cb[ring->next_to_clean]);
+ }
++ /* update tx ring statistics. */
++ ring->stats.tx_pkts += pkts;
++ ring->stats.tx_bytes += bytes;
+
+ NETIF_TX_UNLOCK(ring);
+
+--
+2.20.1
+
--- /dev/null
+From 52fc647ff8f5c72cebe8191eb9633e93bb11c24e Mon Sep 17 00:00:00 2001
+From: Yonglong Liu <liuyonglong@huawei.com>
+Date: Thu, 4 Apr 2019 16:46:44 +0800
+Subject: net: hns: Fix probabilistic memory overwrite when HNS driver
+ initialized
+
+[ Upstream commit c0b0984426814f3a9251873b689e67d34d8ccd84 ]
+
+When reboot the system again and again, may cause a memory
+overwrite.
+
+[ 15.638922] systemd[1]: Reached target Swap.
+[ 15.667561] tun: Universal TUN/TAP device driver, 1.6
+[ 15.676756] Bridge firewalling registered
+[ 17.344135] Unable to handle kernel paging request at virtual address 0000000200000040
+[ 17.352179] Mem abort info:
+[ 17.355007] ESR = 0x96000004
+[ 17.358105] Exception class = DABT (current EL), IL = 32 bits
+[ 17.364112] SET = 0, FnV = 0
+[ 17.367209] EA = 0, S1PTW = 0
+[ 17.370393] Data abort info:
+[ 17.373315] ISV = 0, ISS = 0x00000004
+[ 17.377206] CM = 0, WnR = 0
+[ 17.380214] user pgtable: 4k pages, 48-bit VAs, pgdp = (____ptrval____)
+[ 17.386926] [0000000200000040] pgd=0000000000000000
+[ 17.391878] Internal error: Oops: 96000004 [#1] SMP
+[ 17.396824] CPU: 23 PID: 95 Comm: kworker/u130:0 Tainted: G E 4.19.25-1.2.78.aarch64 #1
+[ 17.414175] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.54 08/16/2018
+[ 17.425615] Workqueue: events_unbound async_run_entry_fn
+[ 17.435151] pstate: 00000005 (nzcv daif -PAN -UAO)
+[ 17.444139] pc : __mutex_lock.isra.1+0x74/0x540
+[ 17.453002] lr : __mutex_lock.isra.1+0x3c/0x540
+[ 17.461701] sp : ffff000100d9bb60
+[ 17.469146] x29: ffff000100d9bb60 x28: 0000000000000000
+[ 17.478547] x27: 0000000000000000 x26: ffff802fb8945000
+[ 17.488063] x25: 0000000000000000 x24: ffff802fa32081a8
+[ 17.497381] x23: 0000000000000002 x22: ffff801fa2b15220
+[ 17.506701] x21: ffff000009809000 x20: ffff802fa23a0888
+[ 17.515980] x19: ffff801fa2b15220 x18: 0000000000000000
+[ 17.525272] x17: 0000000200000000 x16: 0000000200000000
+[ 17.534511] x15: 0000000000000000 x14: 0000000000000000
+[ 17.543652] x13: ffff000008d95db8 x12: 000000000000000d
+[ 17.552780] x11: ffff000008d95d90 x10: 0000000000000b00
+[ 17.561819] x9 : ffff000100d9bb90 x8 : ffff802fb89d6560
+[ 17.570829] x7 : 0000000000000004 x6 : 00000004a1801d05
+[ 17.579839] x5 : 0000000000000000 x4 : 0000000000000000
+[ 17.588852] x3 : ffff802fb89d5a00 x2 : 0000000000000000
+[ 17.597734] x1 : 0000000200000000 x0 : 0000000200000000
+[ 17.606631] Process kworker/u130:0 (pid: 95, stack limit = 0x(____ptrval____))
+[ 17.617438] Call trace:
+[ 17.623349] __mutex_lock.isra.1+0x74/0x540
+[ 17.630927] __mutex_lock_slowpath+0x24/0x30
+[ 17.638602] mutex_lock+0x50/0x60
+[ 17.645295] drain_workqueue+0x34/0x198
+[ 17.652623] __sas_drain_work+0x7c/0x168
+[ 17.659903] sas_drain_work+0x60/0x68
+[ 17.666947] hisi_sas_scan_finished+0x30/0x40 [hisi_sas_main]
+[ 17.676129] do_scsi_scan_host+0x70/0xb0
+[ 17.683534] do_scan_async+0x20/0x228
+[ 17.690586] async_run_entry_fn+0x4c/0x1d0
+[ 17.697997] process_one_work+0x1b4/0x3f8
+[ 17.705296] worker_thread+0x54/0x470
+
+Every time the call trace is not the same, but the overwrite address
+is always the same:
+Unable to handle kernel paging request at virtual address 0000000200000040
+
+The root cause is, when write the reg XGMAC_MAC_TX_LF_RF_CONTROL_REG,
+didn't use the io_base offset.
+
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c
+index 51e7e9f5af49..70de7b5d28af 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c
+@@ -129,7 +129,7 @@ static void hns_xgmac_lf_rf_control_init(struct mac_driver *mac_drv)
+ dsaf_set_bit(val, XGMAC_UNIDIR_EN_B, 0);
+ dsaf_set_bit(val, XGMAC_RF_TX_EN_B, 1);
+ dsaf_set_field(val, XGMAC_LF_RF_INSERT_M, XGMAC_LF_RF_INSERT_S, 0);
+- dsaf_write_reg(mac_drv, XGMAC_MAC_TX_LF_RF_CONTROL_REG, val);
++ dsaf_write_dev(mac_drv, XGMAC_MAC_TX_LF_RF_CONTROL_REG, val);
+ }
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From e7844ac8c1bd66d1ad0db13cb12bcdf57bbb270b Mon Sep 17 00:00:00 2001
+From: Yonglong Liu <liuyonglong@huawei.com>
+Date: Thu, 4 Apr 2019 16:46:46 +0800
+Subject: net: hns: Fix WARNING when remove HNS driver with SMMU enabled
+
+[ Upstream commit 8601a99d7c0256b7a7fdd1ab14cf6c1f1dfcadc6 ]
+
+When enable SMMU, remove HNS driver will cause a WARNING:
+
+[ 141.924177] WARNING: CPU: 36 PID: 2708 at drivers/iommu/dma-iommu.c:443 __iommu_dma_unmap+0xc0/0xc8
+[ 141.954673] Modules linked in: hns_enet_drv(-)
+[ 141.963615] CPU: 36 PID: 2708 Comm: rmmod Tainted: G W 5.0.0-rc1-28723-gb729c57de95c-dirty #32
+[ 141.983593] Hardware name: Huawei D05/D05, BIOS Hisilicon D05 UEFI Nemo 1.8 RC0 08/31/2017
+[ 142.000244] pstate: 60000005 (nZCv daif -PAN -UAO)
+[ 142.009886] pc : __iommu_dma_unmap+0xc0/0xc8
+[ 142.018476] lr : __iommu_dma_unmap+0xc0/0xc8
+[ 142.027066] sp : ffff000013533b90
+[ 142.033728] x29: ffff000013533b90 x28: ffff8013e6983600
+[ 142.044420] x27: 0000000000000000 x26: 0000000000000000
+[ 142.055113] x25: 0000000056000000 x24: 0000000000000015
+[ 142.065806] x23: 0000000000000028 x22: ffff8013e66eee68
+[ 142.076499] x21: ffff8013db919800 x20: 0000ffffefbff000
+[ 142.087192] x19: 0000000000001000 x18: 0000000000000007
+[ 142.097885] x17: 000000000000000e x16: 0000000000000001
+[ 142.108578] x15: 0000000000000019 x14: 363139343a70616d
+[ 142.119270] x13: 6e75656761705f67 x12: 0000000000000000
+[ 142.129963] x11: 00000000ffffffff x10: 0000000000000006
+[ 142.140656] x9 : 1346c1aa88093500 x8 : ffff0000114de4e0
+[ 142.151349] x7 : 6662666578303d72 x6 : ffff0000105ffec8
+[ 142.162042] x5 : 0000000000000000 x4 : 0000000000000000
+[ 142.172734] x3 : 00000000ffffffff x2 : ffff0000114de500
+[ 142.183427] x1 : 0000000000000000 x0 : 0000000000000035
+[ 142.194120] Call trace:
+[ 142.199030] __iommu_dma_unmap+0xc0/0xc8
+[ 142.206920] iommu_dma_unmap_page+0x20/0x28
+[ 142.215335] __iommu_unmap_page+0x40/0x60
+[ 142.223399] hnae_unmap_buffer+0x110/0x134
+[ 142.231639] hnae_free_desc+0x6c/0x10c
+[ 142.239177] hnae_fini_ring+0x14/0x34
+[ 142.246540] hnae_fini_queue+0x2c/0x40
+[ 142.254080] hnae_put_handle+0x38/0xcc
+[ 142.261619] hns_nic_dev_remove+0x54/0xfc [hns_enet_drv]
+[ 142.272312] platform_drv_remove+0x24/0x64
+[ 142.280552] device_release_driver_internal+0x17c/0x20c
+[ 142.291070] driver_detach+0x4c/0x90
+[ 142.298259] bus_remove_driver+0x5c/0xd8
+[ 142.306148] driver_unregister+0x2c/0x54
+[ 142.314037] platform_driver_unregister+0x10/0x18
+[ 142.323505] hns_nic_dev_driver_exit+0x14/0xf0c [hns_enet_drv]
+[ 142.335248] __arm64_sys_delete_module+0x214/0x25c
+[ 142.344891] el0_svc_common+0xb0/0x10c
+[ 142.352430] el0_svc_handler+0x24/0x80
+[ 142.359968] el0_svc+0x8/0x7c0
+[ 142.366104] ---[ end trace 60ad1cd58e63c407 ]---
+
+The tx ring buffer map when xmit and unmap when xmit done. So in
+hnae_init_ring() did not map tx ring buffer, but in hnae_fini_ring()
+have a unmap operation for tx ring buffer, which is already unmapped
+when xmit done, than cause this WARNING.
+
+The hnae_alloc_buffers() is called in hnae_init_ring(),
+so the hnae_free_buffers() should be in hnae_fini_ring(), not in
+hnae_free_desc().
+
+In hnae_fini_ring(), adds a check is_rx_ring() as in hnae_init_ring().
+When the ring buffer is tx ring, adds a piece of code to ensure that
+the tx ring is unmap.
+
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hnae.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hnae.c b/drivers/net/ethernet/hisilicon/hns/hnae.c
+index 79d03f8ee7b1..c7fa97a7e1f4 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hnae.c
++++ b/drivers/net/ethernet/hisilicon/hns/hnae.c
+@@ -150,7 +150,6 @@ static int hnae_alloc_buffers(struct hnae_ring *ring)
+ /* free desc along with its attached buffer */
+ static void hnae_free_desc(struct hnae_ring *ring)
+ {
+- hnae_free_buffers(ring);
+ dma_unmap_single(ring_to_dev(ring), ring->desc_dma_addr,
+ ring->desc_num * sizeof(ring->desc[0]),
+ ring_to_dma_dir(ring));
+@@ -183,6 +182,9 @@ static int hnae_alloc_desc(struct hnae_ring *ring)
+ /* fini ring, also free the buffer for the ring */
+ static void hnae_fini_ring(struct hnae_ring *ring)
+ {
++ if (is_rx_ring(ring))
++ hnae_free_buffers(ring);
++
+ hnae_free_desc(ring);
+ kfree(ring->desc_cb);
+ ring->desc_cb = NULL;
+--
+2.20.1
+
--- /dev/null
+From 1527cbfce34725ca76355f2c4042ae2c0b85a5c6 Mon Sep 17 00:00:00 2001
+From: Yonglong Liu <liuyonglong@huawei.com>
+Date: Thu, 4 Apr 2019 16:46:43 +0800
+Subject: net: hns: Use NAPI_POLL_WEIGHT for hns driver
+
+[ Upstream commit acb1ce15a61154aa501891d67ebf79bc9ea26818 ]
+
+When the HNS driver loaded, always have an error print:
+"netif_napi_add() called with weight 256"
+
+This is because the kernel checks the NAPI polling weights
+requested by drivers and it prints an error message if a driver
+requests a weight bigger than 64.
+
+So use NAPI_POLL_WEIGHT to fix it.
+
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hns_enet.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+index 15739eae3da1..8fd040817804 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+@@ -29,9 +29,6 @@
+
+ #define SERVICE_TIMER_HZ (1 * HZ)
+
+-#define NIC_TX_CLEAN_MAX_NUM 256
+-#define NIC_RX_CLEAN_MAX_NUM 64
+-
+ #define RCB_IRQ_NOT_INITED 0
+ #define RCB_IRQ_INITED 1
+ #define HNS_BUFFER_SIZE_2048 2048
+@@ -2270,7 +2267,7 @@ static int hns_nic_init_ring_data(struct hns_nic_priv *priv)
+ hns_nic_tx_fini_pro_v2;
+
+ netif_napi_add(priv->netdev, &rd->napi,
+- hns_nic_common_poll, NIC_TX_CLEAN_MAX_NUM);
++ hns_nic_common_poll, NAPI_POLL_WEIGHT);
+ rd->ring->irq_init_flag = RCB_IRQ_NOT_INITED;
+ }
+ for (i = h->q_num; i < h->q_num * 2; i++) {
+@@ -2283,7 +2280,7 @@ static int hns_nic_init_ring_data(struct hns_nic_priv *priv)
+ hns_nic_rx_fini_pro_v2;
+
+ netif_napi_add(priv->netdev, &rd->napi,
+- hns_nic_common_poll, NIC_RX_CLEAN_MAX_NUM);
++ hns_nic_common_poll, NAPI_POLL_WEIGHT);
+ rd->ring->irq_init_flag = RCB_IRQ_NOT_INITED;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From f882b8519f47128ccdabe58a0e558742d7be51da Mon Sep 17 00:00:00 2001
+From: Omri Kahalon <omrik@mellanox.com>
+Date: Sun, 24 Feb 2019 16:31:08 +0200
+Subject: net/mlx5: E-Switch, Fix esw manager vport indication for more vport
+ commands
+
+[ Upstream commit eca4a928585ac08147e5cc8e2111ecbc6279ee31 ]
+
+Traditionally, the PF (Physical Function) which resides on vport 0 was
+the E-switch manager. Since the ECPF (Embedded CPU Physical Function),
+which resides on vport 0xfffe, was introduced as the E-Switch manager,
+the assumption that the E-switch manager is on vport 0 is incorrect.
+
+Since the eswitch code already uses the actual vport value, all we
+need is to always set other_vport=1.
+
+Signed-off-by: Omri Kahalon <omrik@mellanox.com>
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+index d2914116af8e..090d54275a7d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -79,8 +79,7 @@ static int arm_vport_context_events_cmd(struct mlx5_core_dev *dev, u16 vport,
+ opcode, MLX5_CMD_OP_MODIFY_NIC_VPORT_CONTEXT);
+ MLX5_SET(modify_nic_vport_context_in, in, field_select.change_event, 1);
+ MLX5_SET(modify_nic_vport_context_in, in, vport_number, vport);
+- if (vport)
+- MLX5_SET(modify_nic_vport_context_in, in, other_vport, 1);
++ MLX5_SET(modify_nic_vport_context_in, in, other_vport, 1);
+ nic_vport_ctx = MLX5_ADDR_OF(modify_nic_vport_context_in,
+ in, nic_vport_context);
+
+@@ -108,8 +107,7 @@ static int modify_esw_vport_context_cmd(struct mlx5_core_dev *dev, u16 vport,
+ MLX5_SET(modify_esw_vport_context_in, in, opcode,
+ MLX5_CMD_OP_MODIFY_ESW_VPORT_CONTEXT);
+ MLX5_SET(modify_esw_vport_context_in, in, vport_number, vport);
+- if (vport)
+- MLX5_SET(modify_esw_vport_context_in, in, other_vport, 1);
++ MLX5_SET(modify_esw_vport_context_in, in, other_vport, 1);
+ return mlx5_cmd_exec(dev, in, inlen, out, sizeof(out));
+ }
+
+--
+2.20.1
+
--- /dev/null
+From e6a61d133758528d2fe7d1187be61abc4842c7b3 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@nokia.com>
+Date: Wed, 27 Mar 2019 22:35:40 +0200
+Subject: net: stmmac: don't log oversized frames
+
+[ Upstream commit 057a0c5642a2ff2db7c421cdcde34294a23bf37b ]
+
+This is log is harmful as it can trigger multiple times per packet. Delete
+it.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/norm_desc.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
+index db4cee57bb24..66c17bab5997 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
++++ b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
+@@ -91,8 +91,6 @@ static int ndesc_get_rx_status(void *data, struct stmmac_extra_stats *x,
+ return dma_own;
+
+ if (unlikely(!(rdes0 & RDES0_LAST_DESCRIPTOR))) {
+- pr_warn("%s: Oversized frame spanned multiple buffers\n",
+- __func__);
+ stats->rx_length_errors++;
+ return discard_frame;
+ }
+--
+2.20.1
+
--- /dev/null
+From 4cf6345dd90f3c3d69f6971768224453d1cf0e14 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@nokia.com>
+Date: Wed, 27 Mar 2019 22:35:38 +0200
+Subject: net: stmmac: don't overwrite discard_frame status
+
+[ Upstream commit 1b746ce8b397e58f9e40ce5c63b7198de6930482 ]
+
+If we have error bits set, the discard_frame status will get overwritten
+by checksum bit checks, which might set the status back to good one.
+Fix by checking the COE status only if the frame is good.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/enh_desc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
+index acd65a4f94d4..cdfe9a350ac0 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
++++ b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
+@@ -231,9 +231,10 @@ static int enh_desc_get_rx_status(void *data, struct stmmac_extra_stats *x,
+ * It doesn't match with the information reported into the databook.
+ * At any rate, we need to understand if the CSUM hw computation is ok
+ * and report this info to the upper layers. */
+- ret = enh_desc_coe_rdes0(!!(rdes0 & RDES0_IPC_CSUM_ERROR),
+- !!(rdes0 & RDES0_FRAME_TYPE),
+- !!(rdes0 & ERDES0_RX_MAC_ADDR));
++ if (likely(ret == good_frame))
++ ret = enh_desc_coe_rdes0(!!(rdes0 & RDES0_IPC_CSUM_ERROR),
++ !!(rdes0 & RDES0_FRAME_TYPE),
++ !!(rdes0 & ERDES0_RX_MAC_ADDR));
+
+ if (unlikely(rdes0 & RDES0_DRIBBLING))
+ x->dribbling_bit++;
+--
+2.20.1
+
--- /dev/null
+From fe79ff63d1d358097f2462cfebf03d0fc567ac59 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@nokia.com>
+Date: Wed, 27 Mar 2019 22:35:39 +0200
+Subject: net: stmmac: fix dropping of multi-descriptor RX frames
+
+[ Upstream commit 8ac0c24fe1c256af6644caf3d311029440ec2fbd ]
+
+Packets without the last descriptor set should be dropped early. If we
+receive a frame larger than the DMA buffer, the HW will continue using the
+next descriptor. Driver mistakes these as individual frames, and sometimes
+a truncated frame (without the LD set) may look like a valid packet.
+
+This fixes a strange issue where the system replies to 4098-byte ping
+although the MTU/DMA buffer size is set to 4096, and yet at the same
+time it's logging an oversized packet.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/enh_desc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
+index cdfe9a350ac0..f2150efddc88 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
++++ b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
+@@ -201,6 +201,11 @@ static int enh_desc_get_rx_status(void *data, struct stmmac_extra_stats *x,
+ if (unlikely(rdes0 & RDES0_OWN))
+ return dma_own;
+
++ if (unlikely(!(rdes0 & RDES0_LAST_DESCRIPTOR))) {
++ stats->rx_length_errors++;
++ return discard_frame;
++ }
++
+ if (unlikely(rdes0 & RDES0_ERROR_SUMMARY)) {
+ if (unlikely(rdes0 & RDES0_DESCRIPTOR_ERROR)) {
+ x->rx_desc++;
+--
+2.20.1
+
--- /dev/null
+From 1eb89f4a73080781a42c8f9d8aa8771e0c534fa3 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@nokia.com>
+Date: Wed, 27 Mar 2019 22:35:36 +0200
+Subject: net: stmmac: ratelimit RX error logs
+
+[ Upstream commit 972c9be784e077bc56472c78243e0326e525b689 ]
+
+Ratelimit RX error logs.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index ecf3f8c1bc0e..0f85e540001f 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3413,9 +3413,10 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+ * ignored
+ */
+ if (frame_len > priv->dma_buf_sz) {
+- netdev_err(priv->dev,
+- "len %d larger than size (%d)\n",
+- frame_len, priv->dma_buf_sz);
++ if (net_ratelimit())
++ netdev_err(priv->dev,
++ "len %d larger than size (%d)\n",
++ frame_len, priv->dma_buf_sz);
+ priv->dev->stats.rx_length_errors++;
+ break;
+ }
+@@ -3473,9 +3474,10 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+ } else {
+ skb = rx_q->rx_skbuff[entry];
+ if (unlikely(!skb)) {
+- netdev_err(priv->dev,
+- "%s: Inconsistent Rx chain\n",
+- priv->dev->name);
++ if (net_ratelimit())
++ netdev_err(priv->dev,
++ "%s: Inconsistent Rx chain\n",
++ priv->dev->name);
+ priv->dev->stats.rx_dropped++;
+ break;
+ }
+--
+2.20.1
+
--- /dev/null
+From 786129269de8bf8d722b19ff691533dc0c3b5d6a Mon Sep 17 00:00:00 2001
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Wed, 13 Mar 2019 18:54:59 +0100
+Subject: nvme-loop: init nvmet_ctrl fatal_err_work when allocate
+
+[ Upstream commit d11de63f2b519f0a162b834013b6d3a46dbf3886 ]
+
+After commit 4d43d395fe (workqueue: Try to catch flush_work() without
+INIT_WORK()), it can cause warning when delete nvme-loop device, trace
+like:
+
+[ 76.601272] Call Trace:
+[ 76.601646] ? del_timer+0x72/0xa0
+[ 76.602156] __cancel_work_timer+0x1ae/0x270
+[ 76.602791] cancel_work_sync+0x14/0x20
+[ 76.603407] nvmet_ctrl_free+0x1b7/0x2f0 [nvmet]
+[ 76.604091] ? free_percpu+0x168/0x300
+[ 76.604652] nvmet_sq_destroy+0x106/0x240 [nvmet]
+[ 76.605346] nvme_loop_destroy_admin_queue+0x30/0x60 [nvme_loop]
+[ 76.606220] nvme_loop_shutdown_ctrl+0xc3/0xf0 [nvme_loop]
+[ 76.607026] nvme_loop_delete_ctrl_host+0x19/0x30 [nvme_loop]
+[ 76.607871] nvme_do_delete_ctrl+0x75/0xb0
+[ 76.608477] nvme_sysfs_delete+0x7d/0xc0
+[ 76.609057] dev_attr_store+0x24/0x40
+[ 76.609603] sysfs_kf_write+0x4c/0x60
+[ 76.610144] kernfs_fop_write+0x19a/0x260
+[ 76.610742] __vfs_write+0x1c/0x60
+[ 76.611246] vfs_write+0xfa/0x280
+[ 76.611739] ksys_write+0x6e/0x120
+[ 76.612238] __x64_sys_write+0x1e/0x30
+[ 76.612787] do_syscall_64+0xbf/0x3a0
+[ 76.613329] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+We fix it by moving fatal_err_work init to nvmet_alloc_ctrl(), which may
+more reasonable.
+
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/core.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
+index 5fa7856f6b34..09a39f4aaf82 100644
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -746,6 +746,15 @@ bool nvmet_host_allowed(struct nvmet_req *req, struct nvmet_subsys *subsys,
+ return __nvmet_host_allowed(subsys, hostnqn);
+ }
+
++static void nvmet_fatal_error_handler(struct work_struct *work)
++{
++ struct nvmet_ctrl *ctrl =
++ container_of(work, struct nvmet_ctrl, fatal_err_work);
++
++ pr_err("ctrl %d fatal error occurred!\n", ctrl->cntlid);
++ ctrl->ops->delete_ctrl(ctrl);
++}
++
+ u16 nvmet_alloc_ctrl(const char *subsysnqn, const char *hostnqn,
+ struct nvmet_req *req, u32 kato, struct nvmet_ctrl **ctrlp)
+ {
+@@ -785,6 +794,7 @@ u16 nvmet_alloc_ctrl(const char *subsysnqn, const char *hostnqn,
+
+ INIT_WORK(&ctrl->async_event_work, nvmet_async_event_work);
+ INIT_LIST_HEAD(&ctrl->async_events);
++ INIT_WORK(&ctrl->fatal_err_work, nvmet_fatal_error_handler);
+
+ memcpy(ctrl->subsysnqn, subsysnqn, NVMF_NQN_SIZE);
+ memcpy(ctrl->hostnqn, hostnqn, NVMF_NQN_SIZE);
+@@ -887,21 +897,11 @@ void nvmet_ctrl_put(struct nvmet_ctrl *ctrl)
+ kref_put(&ctrl->ref, nvmet_ctrl_free);
+ }
+
+-static void nvmet_fatal_error_handler(struct work_struct *work)
+-{
+- struct nvmet_ctrl *ctrl =
+- container_of(work, struct nvmet_ctrl, fatal_err_work);
+-
+- pr_err("ctrl %d fatal error occurred!\n", ctrl->cntlid);
+- ctrl->ops->delete_ctrl(ctrl);
+-}
+-
+ void nvmet_ctrl_fatal_error(struct nvmet_ctrl *ctrl)
+ {
+ mutex_lock(&ctrl->lock);
+ if (!(ctrl->csts & NVME_CSTS_CFS)) {
+ ctrl->csts |= NVME_CSTS_CFS;
+- INIT_WORK(&ctrl->fatal_err_work, nvmet_fatal_error_handler);
+ schedule_work(&ctrl->fatal_err_work);
+ }
+ mutex_unlock(&ctrl->lock);
+--
+2.20.1
+
--- /dev/null
+From 710cf8dd462dbab9e67a9e1af219c2a8435ae8dc Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Tue, 2 Apr 2019 12:26:36 +0200
+Subject: rtc: da9063: set uie_unsupported when relevant
+
+[ Upstream commit 882c5e552ffd06856de42261460f46e18319d259 ]
+
+The DA9063AD doesn't support alarms on any seconds and its granularity is
+the minute. Set uie_unsupported in that case.
+
+Reported-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Acked-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-da9063.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/rtc/rtc-da9063.c b/drivers/rtc/rtc-da9063.c
+index f85cae240f12..7e92e491c2e7 100644
+--- a/drivers/rtc/rtc-da9063.c
++++ b/drivers/rtc/rtc-da9063.c
+@@ -480,6 +480,13 @@ static int da9063_rtc_probe(struct platform_device *pdev)
+ da9063_data_to_tm(data, &rtc->alarm_time, rtc);
+ rtc->rtc_sync = false;
+
++ /*
++ * TODO: some models have alarms on a minute boundary but still support
++ * real hardware interrupts. Add this once the core supports it.
++ */
++ if (config->rtc_data_start != RTC_SEC)
++ rtc->rtc_dev->uie_unsupported = 1;
++
+ irq_alarm = platform_get_irq_byname(pdev, "ALARM");
+ ret = devm_request_threaded_irq(&pdev->dev, irq_alarm, NULL,
+ da9063_alarm_event,
+--
+2.20.1
+
--- /dev/null
+From 8f79aa2a76e913a9d307ae16c1c0c573d2099674 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 20 Mar 2019 11:32:14 +0100
+Subject: rtc: sh: Fix invalid alarm warning for non-enabled alarm
+
+[ Upstream commit 15d82d22498784966df8e4696174a16b02cc1052 ]
+
+When no alarm has been programmed on RSK-RZA1, an error message is
+printed during boot:
+
+ rtc rtc0: invalid alarm value: 2019-03-14T255:255:255
+
+sh_rtc_read_alarm_value() returns 0xff when querying a hardware alarm
+field that is not enabled. __rtc_read_alarm() validates the received
+alarm values, and fills in missing fields when needed.
+While 0xff is handled fine for the year, month, and day fields, and
+corrected as considered being out-of-range, this is not the case for the
+hour, minute, and second fields, where -1 is expected for missing
+fields.
+
+Fix this by returning -1 instead, as this value is handled fine for all
+fields.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-sh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-sh.c b/drivers/rtc/rtc-sh.c
+index 6c2d3989f967..9b6a927149a4 100644
+--- a/drivers/rtc/rtc-sh.c
++++ b/drivers/rtc/rtc-sh.c
+@@ -462,7 +462,7 @@ static int sh_rtc_set_time(struct device *dev, struct rtc_time *tm)
+ static inline int sh_rtc_read_alarm_value(struct sh_rtc *rtc, int reg_off)
+ {
+ unsigned int byte;
+- int value = 0xff; /* return 0xff for ignored values */
++ int value = -1; /* return -1 for ignored values */
+
+ byte = readb(rtc->regbase + reg_off);
+ if (byte & AR_ENB) {
+--
+2.20.1
+
--- /dev/null
+From c1372fd6e92f4b070161e8f4eda6e8a9e6b35aec Mon Sep 17 00:00:00 2001
+From: Xose Vazquez Perez <xose.vazquez@gmail.com>
+Date: Sat, 30 Mar 2019 15:43:31 +0100
+Subject: scsi: core: add new RDAC LENOVO/DE_Series device
+
+[ Upstream commit 1cb1d2c64e812928fe0a40b8f7e74523d0283dbe ]
+
+Blacklist "Universal Xport" LUN. It's used for in-band storage array
+management. Also add model to the rdac dh family.
+
+Cc: Martin Wilck <mwilck@suse.com>
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: NetApp RDAC team <ng-eseries-upstream-maintainers@netapp.com>
+Cc: Christophe Varoqui <christophe.varoqui@opensvc.com>
+Cc: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: SCSI ML <linux-scsi@vger.kernel.org>
+Cc: DM ML <dm-devel@redhat.com>
+Signed-off-by: Xose Vazquez Perez <xose.vazquez@gmail.com>
+Reviewed-by: Martin Wilck <mwilck@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_devinfo.c | 1 +
+ drivers/scsi/scsi_dh.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
+index 6b594bc7d94a..022fcd2e4702 100644
+--- a/drivers/scsi/scsi_devinfo.c
++++ b/drivers/scsi/scsi_devinfo.c
+@@ -248,6 +248,7 @@ static struct {
+ {"NETAPP", "Universal Xport", "*", BLIST_NO_ULD_ATTACH},
+ {"LSI", "Universal Xport", "*", BLIST_NO_ULD_ATTACH},
+ {"ENGENIO", "Universal Xport", "*", BLIST_NO_ULD_ATTACH},
++ {"LENOVO", "Universal Xport", "*", BLIST_NO_ULD_ATTACH},
+ {"SMSC", "USB 2 HS-CF", NULL, BLIST_SPARSELUN | BLIST_INQUIRY_36},
+ {"SONY", "CD-ROM CDU-8001", NULL, BLIST_BORKEN},
+ {"SONY", "TSL", NULL, BLIST_FORCELUN}, /* DDS3 & DDS4 autoloaders */
+diff --git a/drivers/scsi/scsi_dh.c b/drivers/scsi/scsi_dh.c
+index 375cede0c534..c9bc6f058424 100644
+--- a/drivers/scsi/scsi_dh.c
++++ b/drivers/scsi/scsi_dh.c
+@@ -75,6 +75,7 @@ static const struct scsi_dh_blist scsi_dh_blist[] = {
+ {"NETAPP", "INF-01-00", "rdac", },
+ {"LSI", "INF-01-00", "rdac", },
+ {"ENGENIO", "INF-01-00", "rdac", },
++ {"LENOVO", "DE_Series", "rdac", },
+ {NULL, NULL, NULL },
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 25f1f17ea35f080919b29e3993c2c00a7d0e27f9 Mon Sep 17 00:00:00 2001
+From: Michael Kelley <mikelley@microsoft.com>
+Date: Mon, 1 Apr 2019 16:10:52 +0000
+Subject: scsi: storvsc: Fix calculation of sub-channel count
+
+[ Upstream commit 382e06d11e075a40b4094b6ef809f8d4bcc7ab2a ]
+
+When the number of sub-channels offered by Hyper-V is >= the number of CPUs
+in the VM, calculate the correct number of sub-channels. The current code
+produces one too many.
+
+This scenario arises only when the number of CPUs is artificially
+restricted (for example, with maxcpus=<n> on the kernel boot line), because
+Hyper-V normally offers a sub-channel count < number of CPUs. While the
+current code doesn't break, the extra sub-channel is unbalanced across the
+CPUs (for example, a total of 5 channels on a VM with 4 CPUs).
+
+Signed-off-by: Michael Kelley <mikelley@microsoft.com>
+Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Reviewed-by: Long Li <longli@microsoft.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/storvsc_drv.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
+index beb585ddc07d..5adeb1e4b186 100644
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -658,13 +658,22 @@ static void handle_sc_creation(struct vmbus_channel *new_sc)
+ static void handle_multichannel_storage(struct hv_device *device, int max_chns)
+ {
+ struct storvsc_device *stor_device;
+- int num_cpus = num_online_cpus();
+ int num_sc;
+ struct storvsc_cmd_request *request;
+ struct vstor_packet *vstor_packet;
+ int ret, t;
+
+- num_sc = ((max_chns > num_cpus) ? num_cpus : max_chns);
++ /*
++ * If the number of CPUs is artificially restricted, such as
++ * with maxcpus=1 on the kernel boot line, Hyper-V could offer
++ * sub-channels >= the number of CPUs. These sub-channels
++ * should not be created. The primary channel is already created
++ * and assigned to one CPU, so check against # CPUs - 1.
++ */
++ num_sc = min((int)(num_online_cpus() - 1), max_chns);
++ if (!num_sc)
++ return;
++
+ stor_device = get_out_stor_device(device);
+ if (!stor_device)
+ return;
+--
+2.20.1
+
usb-core-fix-unterminated-string-returned-by-usb_string.patch
usb-core-fix-bug-caused-by-duplicate-interface-pm-usage-counter.patch
mm-do-not-stall-register_shrinker.patch
+nvme-loop-init-nvmet_ctrl-fatal_err_work-when-alloca.patch
+hid-logitech-check-the-return-value-of-create_single.patch
+hid-debug-fix-race-condition-with-between-rdesc_show.patch
+rtc-sh-fix-invalid-alarm-warning-for-non-enabled-ala.patch
+batman-adv-reduce-claim-hash-refcnt-only-for-removed.patch
+batman-adv-reduce-tt_local-hash-refcnt-only-for-remo.patch
+batman-adv-reduce-tt_global-hash-refcnt-only-for-rem.patch
+arm-dts-rockchip-fix-gpu-opp-node-names-for-rk3288.patch
+igb-fix-warn_once-on-runtime-suspend.patch
+net-mlx5-e-switch-fix-esw-manager-vport-indication-f.patch
+bonding-show-full-hw-address-in-sysfs-for-slave-entr.patch
+net-stmmac-ratelimit-rx-error-logs.patch
+net-stmmac-don-t-overwrite-discard_frame-status.patch
+net-stmmac-fix-dropping-of-multi-descriptor-rx-frame.patch
+net-stmmac-don-t-log-oversized-frames.patch
+jffs2-fix-use-after-free-on-symlink-traversal.patch
+debugfs-fix-use-after-free-on-symlink-traversal.patch
+rtc-da9063-set-uie_unsupported-when-relevant.patch
+hid-input-add-mapping-for-assistant-key.patch
+vfio-pci-use-correct-format-characters.patch
+scsi-core-add-new-rdac-lenovo-de_series-device.patch
+scsi-storvsc-fix-calculation-of-sub-channel-count.patch
+net-hns-fix-kasan-use-after-free-in-hns_nic_net_xmit.patch
+net-hns-use-napi_poll_weight-for-hns-driver.patch
+net-hns-fix-probabilistic-memory-overwrite-when-hns-.patch
+net-hns-fix-icmp6-neighbor-solicitation-messages-dis.patch
+net-hns-fix-warning-when-remove-hns-driver-with-smmu.patch
+kmemleak-powerpc-skip-scanning-holes-in-the-.bss-sec.patch
+hugetlbfs-fix-memory-leak-for-resv_map.patch
+sh-fix-multiple-function-definition-build-errors.patch
+xsysace-fix-error-handling-in-ace_setup.patch
+arm-orion-don-t-use-using-64-bit-dma-masks.patch
+arm-iop-don-t-use-using-64-bit-dma-masks.patch
--- /dev/null
+From 96894918936dfe80a782db66c0c5164bab65a2f6 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Fri, 5 Apr 2019 18:39:30 -0700
+Subject: sh: fix multiple function definition build errors
+
+[ Upstream commit acaf892ecbf5be7710ae05a61fd43c668f68ad95 ]
+
+Many of the sh CPU-types have their own plat_irq_setup() and
+arch_init_clk_ops() functions, so these same (empty) functions in
+arch/sh/boards/of-generic.c are not needed and cause build errors.
+
+If there is some case where these empty functions are needed, they can
+be retained by marking them as "__weak" while at the same time making
+builds that do not need them succeed.
+
+Fixes these build errors:
+
+arch/sh/boards/of-generic.o: In function `plat_irq_setup':
+(.init.text+0x134): multiple definition of `plat_irq_setup'
+arch/sh/kernel/cpu/sh2/setup-sh7619.o:(.init.text+0x30): first defined here
+arch/sh/boards/of-generic.o: In function `arch_init_clk_ops':
+(.init.text+0x118): multiple definition of `arch_init_clk_ops'
+arch/sh/kernel/cpu/sh2/clock-sh7619.o:(.init.text+0x0): first defined here
+
+Link: http://lkml.kernel.org/r/9ee4e0c5-f100-86a2-bd4d-1d3287ceab31@infradead.org
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kbuild test robot <lkp@intel.com>
+Cc: Takashi Iwai <tiwai@suse.de>
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Cc: Rich Felker <dalias@libc.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/boards/of-generic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/sh/boards/of-generic.c b/arch/sh/boards/of-generic.c
+index 4feb7c86f4ac..5e83ea12303b 100644
+--- a/arch/sh/boards/of-generic.c
++++ b/arch/sh/boards/of-generic.c
+@@ -180,10 +180,10 @@ static struct sh_machine_vector __initmv sh_of_generic_mv = {
+
+ struct sh_clk_ops;
+
+-void __init arch_init_clk_ops(struct sh_clk_ops **ops, int idx)
++void __init __weak arch_init_clk_ops(struct sh_clk_ops **ops, int idx)
+ {
+ }
+
+-void __init plat_irq_setup(void)
++void __init __weak plat_irq_setup(void)
+ {
+ }
+--
+2.20.1
+
--- /dev/null
+From 49844f2c78fd9cbd8e8bc5ce9dede7e6333a01b8 Mon Sep 17 00:00:00 2001
+From: Louis Taylor <louis@kragniz.eu>
+Date: Wed, 3 Apr 2019 12:36:20 -0600
+Subject: vfio/pci: use correct format characters
+
+[ Upstream commit 426b046b748d1f47e096e05bdcc6fb4172791307 ]
+
+When compiling with -Wformat, clang emits the following warnings:
+
+drivers/vfio/pci/vfio_pci.c:1601:5: warning: format specifies type
+ 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+ vendor, device, subvendor, subdevice,
+ ^~~~~~
+
+drivers/vfio/pci/vfio_pci.c:1601:13: warning: format specifies type
+ 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+ vendor, device, subvendor, subdevice,
+ ^~~~~~
+
+drivers/vfio/pci/vfio_pci.c:1601:21: warning: format specifies type
+ 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+ vendor, device, subvendor, subdevice,
+ ^~~~~~~~~
+
+drivers/vfio/pci/vfio_pci.c:1601:32: warning: format specifies type
+ 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+ vendor, device, subvendor, subdevice,
+ ^~~~~~~~~
+
+drivers/vfio/pci/vfio_pci.c:1605:5: warning: format specifies type
+ 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+ vendor, device, subvendor, subdevice,
+ ^~~~~~
+
+drivers/vfio/pci/vfio_pci.c:1605:13: warning: format specifies type
+ 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+ vendor, device, subvendor, subdevice,
+ ^~~~~~
+
+drivers/vfio/pci/vfio_pci.c:1605:21: warning: format specifies type
+ 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+ vendor, device, subvendor, subdevice,
+ ^~~~~~~~~
+
+drivers/vfio/pci/vfio_pci.c:1605:32: warning: format specifies type
+ 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+ vendor, device, subvendor, subdevice,
+ ^~~~~~~~~
+The types of these arguments are unconditionally defined, so this patch
+updates the format character to the correct ones for unsigned ints.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/378
+Signed-off-by: Louis Taylor <louis@kragniz.eu>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
+index 695b9d1a1aae..6f5cc67e343e 100644
+--- a/drivers/vfio/pci/vfio_pci.c
++++ b/drivers/vfio/pci/vfio_pci.c
+@@ -1443,11 +1443,11 @@ static void __init vfio_pci_fill_ids(void)
+ rc = pci_add_dynid(&vfio_pci_driver, vendor, device,
+ subvendor, subdevice, class, class_mask, 0);
+ if (rc)
+- pr_warn("failed to add dynamic id [%04hx:%04hx[%04hx:%04hx]] class %#08x/%08x (%d)\n",
++ pr_warn("failed to add dynamic id [%04x:%04x[%04x:%04x]] class %#08x/%08x (%d)\n",
+ vendor, device, subvendor, subdevice,
+ class, class_mask, rc);
+ else
+- pr_info("add [%04hx:%04hx[%04hx:%04hx]] class %#08x/%08x\n",
++ pr_info("add [%04x:%04x[%04x:%04x]] class %#08x/%08x\n",
+ vendor, device, subvendor, subdevice,
+ class, class_mask);
+ }
+--
+2.20.1
+
--- /dev/null
+From 6a8e0fe72d5cd3f582e3e828f9d0d9e368c8dfc9 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Tue, 19 Feb 2019 08:49:56 -0800
+Subject: xsysace: Fix error handling in ace_setup
+
+[ Upstream commit 47b16820c490149c2923e8474048f2c6e7557cab ]
+
+If xace hardware reports a bad version number, the error handling code
+in ace_setup() calls put_disk(), followed by queue cleanup. However, since
+the disk data structure has the queue pointer set, put_disk() also
+cleans and releases the queue. This results in blk_cleanup_queue()
+accessing an already released data structure, which in turn may result
+in a crash such as the following.
+
+[ 10.681671] BUG: Kernel NULL pointer dereference at 0x00000040
+[ 10.681826] Faulting instruction address: 0xc0431480
+[ 10.682072] Oops: Kernel access of bad area, sig: 11 [#1]
+[ 10.682251] BE PAGE_SIZE=4K PREEMPT Xilinx Virtex440
+[ 10.682387] Modules linked in:
+[ 10.682528] CPU: 0 PID: 1 Comm: swapper Tainted: G W 5.0.0-rc6-next-20190218+ #2
+[ 10.682733] NIP: c0431480 LR: c043147c CTR: c0422ad8
+[ 10.682863] REGS: cf82fbe0 TRAP: 0300 Tainted: G W (5.0.0-rc6-next-20190218+)
+[ 10.683065] MSR: 00029000 <CE,EE,ME> CR: 22000222 XER: 00000000
+[ 10.683236] DEAR: 00000040 ESR: 00000000
+[ 10.683236] GPR00: c043147c cf82fc90 cf82ccc0 00000000 00000000 00000000 00000002 00000000
+[ 10.683236] GPR08: 00000000 00000000 c04310bc 00000000 22000222 00000000 c0002c54 00000000
+[ 10.683236] GPR16: 00000000 00000001 c09aa39c c09021b0 c09021dc 00000007 c0a68c08 00000000
+[ 10.683236] GPR24: 00000001 ced6d400 ced6dcf0 c0815d9c 00000000 00000000 00000000 cedf0800
+[ 10.684331] NIP [c0431480] blk_mq_run_hw_queue+0x28/0x114
+[ 10.684473] LR [c043147c] blk_mq_run_hw_queue+0x24/0x114
+[ 10.684602] Call Trace:
+[ 10.684671] [cf82fc90] [c043147c] blk_mq_run_hw_queue+0x24/0x114 (unreliable)
+[ 10.684854] [cf82fcc0] [c04315bc] blk_mq_run_hw_queues+0x50/0x7c
+[ 10.685002] [cf82fce0] [c0422b24] blk_set_queue_dying+0x30/0x68
+[ 10.685154] [cf82fcf0] [c0423ec0] blk_cleanup_queue+0x34/0x14c
+[ 10.685306] [cf82fd10] [c054d73c] ace_probe+0x3dc/0x508
+[ 10.685445] [cf82fd50] [c052d740] platform_drv_probe+0x4c/0xb8
+[ 10.685592] [cf82fd70] [c052abb0] really_probe+0x20c/0x32c
+[ 10.685728] [cf82fda0] [c052ae58] driver_probe_device+0x68/0x464
+[ 10.685877] [cf82fdc0] [c052b500] device_driver_attach+0xb4/0xe4
+[ 10.686024] [cf82fde0] [c052b5dc] __driver_attach+0xac/0xfc
+[ 10.686161] [cf82fe00] [c0528428] bus_for_each_dev+0x80/0xc0
+[ 10.686314] [cf82fe30] [c0529b3c] bus_add_driver+0x144/0x234
+[ 10.686457] [cf82fe50] [c052c46c] driver_register+0x88/0x15c
+[ 10.686610] [cf82fe60] [c09de288] ace_init+0x4c/0xac
+[ 10.686742] [cf82fe80] [c0002730] do_one_initcall+0xac/0x330
+[ 10.686888] [cf82fee0] [c09aafd0] kernel_init_freeable+0x34c/0x478
+[ 10.687043] [cf82ff30] [c0002c6c] kernel_init+0x18/0x114
+[ 10.687188] [cf82ff40] [c000f2f0] ret_from_kernel_thread+0x14/0x1c
+[ 10.687349] Instruction dump:
+[ 10.687435] 3863ffd4 4bfffd70 9421ffd0 7c0802a6 93c10028 7c9e2378 93e1002c 38810008
+[ 10.687637] 7c7f1b78 90010034 4bfffc25 813f008c <81290040> 75290100 4182002c 80810008
+[ 10.688056] ---[ end trace 13c9ff51d41b9d40 ]---
+
+Fix the problem by setting the disk queue pointer to NULL before calling
+put_disk(). A more comprehensive fix might be to rearrange the code
+to check the hardware version before initializing data structures,
+but I don't know if this would have undesirable side effects, and
+it would increase the complexity of backporting the fix to older kernels.
+
+Fixes: 74489a91dd43a ("Add support for Xilinx SystemACE CompactFlash interface")
+Acked-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/xsysace.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/block/xsysace.c b/drivers/block/xsysace.c
+index 14459d66ef0c..51ff7ee1b2b1 100644
+--- a/drivers/block/xsysace.c
++++ b/drivers/block/xsysace.c
+@@ -1063,6 +1063,8 @@ static int ace_setup(struct ace_device *ace)
+ return 0;
+
+ err_read:
++ /* prevent double queue cleanup */
++ ace->gd->queue = NULL;
+ put_disk(ace->gd);
+ err_alloc_disk:
+ blk_cleanup_queue(ace->queue);
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
