4.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 29 Sep 2018 12:06:23 +0000 (05:06 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 29 Sep 2018 12:06:23 +0000 (05:06 -0700)
added patches:
6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch
acpi-button-increment-wakeup-count-only-when-notified.patch
alarmtimer-prevent-overflow-for-relative-nanosleep.patch
alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch
alsa-snd-aoa-add-of_node_put-in-error-path.patch
arm-dts-dra7-fix-dcan-node-addresses.patch
arm-dts-ls1021a-add-missing-cooling-device-properties-for-cpus.patch
arm-dts-mediatek-add-missing-cooling-device-properties-for-cpus.patch
arm-hwmod-rtc-don-t-assume-lock-unlock-will-be-called-with-irq-enabled.patch
arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch
arm64-dts-renesas-fix-vspd-registers-range.patch
arm64-dts-renesas-salvator-common-fix-adv7482-decimal-unit-addresses.patch
asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch
asoc-intel-bytcr_rt5640-fix-acer-iconia-8-over-current-detect-threshold.patch
asoc-qdsp6-qdafe-fix-some-off-by-one-bugs.patch
asoc-rsnd-ssi-parent-cares-swsp-bit.patch
asoc-rt1305-use-ull-suffixes-for-64-bit-constants.patch
ath10k-fix-incorrect-size-of-dma_free_coherent-in-ath10k_ce_alloc_src_ring_64.patch
ath10k-fix-memory-leak-of-tpc_stats.patch
ath10k-protect-ath10k_htt_rx_ring_free-with-rx_ring.lock.patch
ath10k-sdio-set-skb-len-for-all-rx-packets.patch
ath10k-sdio-use-same-endpoint-id-for-all-packets-in-a-bundle.patch
ath10k-snoc-use-correct-bus-specific-pointer-in-rx-retry.patch
ath10k-transmit-queued-frames-after-processing-rx-packets.patch
ath10k-use-locked-skb_dequeue-for-rx-completions.patch
audit-fix-extended-comparison-of-gid-egid.patch
bitfield-fix-_encode_bits.patch
bluetooth-add-a-new-realtek-8723de-id-0bda-b009.patch
brcmsmac-fix-wrap-around-in-conversion-from-constant-to-s16.patch
crypto-skcipher-fix-wstringop-truncation-warnings.patch
cxgb4-fix-the-condition-to-check-if-the-card-is-t5.patch
documentation-process-fix-rest-table-border-error.patch
drivers-tty-add-error-handling-for-pcmcia_loop_config.patch
drm-amd-display-dc-dce-fix-multiple-potential-integer-overflows.patch
drm-amd-display-fix-use-of-uninitialized-memory.patch
drm-omap-gem-fix-mm_list-locking.patch
drm-sun4i-enable-dw-hdmi-phy-clock.patch
drm-sun4i-fix-releasing-node-when-enumerating-enpoints.patch
drm-v3d-take-a-lock-across-gpu-scheduler-job-creation-and-queuing.patch
drm-vc4-add-missing-formats-to-vc4_format_mod_supported.patch
drm-vc4-plane-expand-the-lower-bits-by-repeating-the-higher-bits.patch
edac-altera-fix-an-error-handling-path-in-altr_s10_sdram_probe.patch
edac-fix-memleak-in-module-init-error-path.patch
edac-i7core-fix-memleaks-and-use-after-free-on-probe-and-remove.patch
fs-lock-skip-lock-owner-pid-translation-in-case-we-are-in-init_pid_ns.patch
gpio-fix-wrong-rounding-in-gpio-menz127.patch
gpio-tegra-fix-tegra_gpio_irq_set_type.patch
hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch
hid-i2c-hid-use-devm-to-allocate-i2c_hid-struct.patch
ib-core-type-promotion-bug-in-rdma_rw_init_one_mr.patch
ib-mlx4-test-port-number-before-querying-type.patch
ib-mlx5-fix-gre-flow-specification.patch
iio-104-quad-8-fix-off-by-one-error-in-register-selection.patch
iio-accel-adxl345-convert-address-field-usage-in-iio_chan_spec.patch
iio-adc-ina2xx-avoid-kthread_stop-with-stale-task_struct.patch
include-rdma-opa_addr.h-fix-an-endianness-issue.patch
input-xen-kbdfront-fix-multi-touch-xenstore-node-s-locations.patch
iomap-complete-partial-direct-i-o-writes-synchronously.patch
iommu-amd-make-sure-tlb-to-be-flushed-before-iova-freed.patch
iommu-msm-don-t-call-iommu_device_-un-link-from-atomic-context.patch
md-cluster-clear-another-node-s-suspend_area-after-the-copy-is-finished.patch
media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch
media-fsl-viu-fix-error-handling-in-viu_of_probe.patch
media-omap3isp-zero-initialize-the-isp-cam_xclk-a-b-initial-data.patch
media-ov772x-add-checks-for-register-read-errors.patch
media-ov772x-allow-i2c-controllers-without-i2c_func_protocol_mangling.patch
media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch
media-soc_camera-ov772x-correct-setting-of-banding-filter.patch
media-staging-imx-fill-vb2_v4l2_buffer-field-entry.patch
media-tm6000-add-error-handling-for-dvb_register_adapter.patch
mips-boot-fix-build-rule-of-vmlinux.its.s.patch
misc-ibmvmc-use-gfp_atomic-under-spin-lock.patch
misc-sram-enable-clock-before-registering-regions.patch
module-exclude-shn_undef-symbols-from-kallsyms-api.patch
mt76x2-fix-mrr-idx-count-estimation-in-mt76x2_mac_fill_tx_status.patch
mtd-rawnand-atmel-add-module-param-to-avoid-using-dma.patch
net-hns3-fix-for-mac-pause-not-disable-in-pfc-mode.patch
net-hns3-fix-for-mailbox-message-truncated-problem.patch
net-hns3-fix-get_vector-ops-in-hclgevf_main-module.patch
net-hns3-fix-warning-bug-when-doing-lp-selftest.patch
net-phy-xgmiitorgmii-check-phy_driver-ready-before-accessing.patch
net-phy-xgmiitorgmii-check-read_status-results.patch
nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch
perf-hw_breakpoint-split-attribute-parse-and-commit.patch
perf-tests-fix-indexing-when-invoking-subtests.patch
perf-x86-intel-lbr-fix-incomplete-lbr-call-stack.patch
platform-x86-asus-wireless-fix-uninitialized-symbol-usage.patch
posix-timers-make-forward-callback-return-s64.patch
posix-timers-sanitize-overrun-handling.patch
power-remove-possible-deadlock-when-unregistering-power_supply.patch
power-supply-axp288_charger-fix-initial-constant_charge_current-value.patch
power-vexpress-fix-corruption-in-notifier-registration.patch
powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch
powerpc-powernv-ioda2-reduce-upper-limit-for-dma-window-size.patch
rdma-bnxt_re-fix-a-bunch-of-off-by-one-bugs-in-qplib_fp.c.patch
rdma-bnxt_re-fix-a-couple-off-by-one-bugs.patch
rdma-i40w-hold-read-semaphore-while-looking-after-vma.patch
rdma-uverbs-don-t-overwrite-null-pointer-with-zero_size_ptr.patch
rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch
s390-dasd-correct-numa_node-in-dasd_alloc_queue.patch
s390-extmem-fix-gcc-8-stringop-overflow-warning.patch
s390-mm-correct-allocate_pgste-proc_handler-callback.patch
s390-scm_blk-correct-numa_node-in-scm_blk_dev_setup.patch
s390-sysinfo-add-missing-ifdef-config_proc_fs.patch
scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch
scsi-hisi_sas-fix-the-conflict-between-dev-gone-and-host-reset.patch
scsi-ibmvscsi-improve-strings-handling.patch
scsi-klist-make-it-safe-to-use-klists-in-atomic-context.patch
scsi-megaraid_sas-update-controller-info-during-resume.patch
scsi-target-avoid-that-extended-copy-commands-trigger-lock-inversion.patch
scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch
selftests-forwarding-tweak-tc-filters-for-mirror-to-gretap-tests.patch
serial-pxa-fix-an-error-handling-path-in-serial_pxa_probe.patch
serial-sh-sci-stop-rx-fifo-timer-during-port-shutdown.patch
siox-don-t-create-a-thread-without-starting-it.patch
spi-orion-fix-cs-gpio-handling-again.patch
staging-android-ashmem-fix-mmap-size-validation.patch
staging-mt7621-dts-fix-remaining-pcie-warnings.patch
staging-mt7621-eth-fix-memory-leak-in-mtk_add_mac-error-path.patch
staging-pi433-fix-race-condition-in-pi433_ioctl.patch
staging-rts5208-fix-missing-error-check-on-call-to-rtsx_write_register.patch
thermal-i.mx-allow-thermal-probe-to-fail-gracefully-in-case-of-bad-calibration.patch
tsl2550-fix-lux1_input-error-in-low-light.patch
usb-serial-kobil_sct-fix-modem-status-error-handling.patch
usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch
uwb-hwa-rc-fix-memory-leak-at-probe.patch
vhost_net-avoid-tx-vring-kicks-during-busyloop.patch
vmci-type-promotion-bug-in-qp_host_get_user_memory.patch
wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch
x86-entry-64-add-two-more-instruction-suffixes.patch
x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch
x86-tsc-add-missing-header-to-tsc_msr.c.patch

132 files changed:
queue-4.18/6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch [new file with mode: 0644]
queue-4.18/acpi-button-increment-wakeup-count-only-when-notified.patch [new file with mode: 0644]
queue-4.18/alarmtimer-prevent-overflow-for-relative-nanosleep.patch [new file with mode: 0644]
queue-4.18/alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch [new file with mode: 0644]
queue-4.18/alsa-snd-aoa-add-of_node_put-in-error-path.patch [new file with mode: 0644]
queue-4.18/arm-dts-dra7-fix-dcan-node-addresses.patch [new file with mode: 0644]
queue-4.18/arm-dts-ls1021a-add-missing-cooling-device-properties-for-cpus.patch [new file with mode: 0644]
queue-4.18/arm-dts-mediatek-add-missing-cooling-device-properties-for-cpus.patch [new file with mode: 0644]
queue-4.18/arm-hwmod-rtc-don-t-assume-lock-unlock-will-be-called-with-irq-enabled.patch [new file with mode: 0644]
queue-4.18/arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch [new file with mode: 0644]
queue-4.18/arm64-dts-renesas-fix-vspd-registers-range.patch [new file with mode: 0644]
queue-4.18/arm64-dts-renesas-salvator-common-fix-adv7482-decimal-unit-addresses.patch [new file with mode: 0644]
queue-4.18/asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch [new file with mode: 0644]
queue-4.18/asoc-intel-bytcr_rt5640-fix-acer-iconia-8-over-current-detect-threshold.patch [new file with mode: 0644]
queue-4.18/asoc-qdsp6-qdafe-fix-some-off-by-one-bugs.patch [new file with mode: 0644]
queue-4.18/asoc-rsnd-ssi-parent-cares-swsp-bit.patch [new file with mode: 0644]
queue-4.18/asoc-rt1305-use-ull-suffixes-for-64-bit-constants.patch [new file with mode: 0644]
queue-4.18/ath10k-fix-incorrect-size-of-dma_free_coherent-in-ath10k_ce_alloc_src_ring_64.patch [new file with mode: 0644]
queue-4.18/ath10k-fix-memory-leak-of-tpc_stats.patch [new file with mode: 0644]
queue-4.18/ath10k-protect-ath10k_htt_rx_ring_free-with-rx_ring.lock.patch [new file with mode: 0644]
queue-4.18/ath10k-sdio-set-skb-len-for-all-rx-packets.patch [new file with mode: 0644]
queue-4.18/ath10k-sdio-use-same-endpoint-id-for-all-packets-in-a-bundle.patch [new file with mode: 0644]
queue-4.18/ath10k-snoc-use-correct-bus-specific-pointer-in-rx-retry.patch [new file with mode: 0644]
queue-4.18/ath10k-transmit-queued-frames-after-processing-rx-packets.patch [new file with mode: 0644]
queue-4.18/ath10k-use-locked-skb_dequeue-for-rx-completions.patch [new file with mode: 0644]
queue-4.18/audit-fix-extended-comparison-of-gid-egid.patch [new file with mode: 0644]
queue-4.18/bitfield-fix-_encode_bits.patch [new file with mode: 0644]
queue-4.18/bluetooth-add-a-new-realtek-8723de-id-0bda-b009.patch [new file with mode: 0644]
queue-4.18/brcmsmac-fix-wrap-around-in-conversion-from-constant-to-s16.patch [new file with mode: 0644]
queue-4.18/crypto-skcipher-fix-wstringop-truncation-warnings.patch [new file with mode: 0644]
queue-4.18/cxgb4-fix-the-condition-to-check-if-the-card-is-t5.patch [new file with mode: 0644]
queue-4.18/documentation-process-fix-rest-table-border-error.patch [new file with mode: 0644]
queue-4.18/drivers-tty-add-error-handling-for-pcmcia_loop_config.patch [new file with mode: 0644]
queue-4.18/drm-amd-display-dc-dce-fix-multiple-potential-integer-overflows.patch [new file with mode: 0644]
queue-4.18/drm-amd-display-fix-use-of-uninitialized-memory.patch [new file with mode: 0644]
queue-4.18/drm-omap-gem-fix-mm_list-locking.patch [new file with mode: 0644]
queue-4.18/drm-sun4i-enable-dw-hdmi-phy-clock.patch [new file with mode: 0644]
queue-4.18/drm-sun4i-fix-releasing-node-when-enumerating-enpoints.patch [new file with mode: 0644]
queue-4.18/drm-v3d-take-a-lock-across-gpu-scheduler-job-creation-and-queuing.patch [new file with mode: 0644]
queue-4.18/drm-vc4-add-missing-formats-to-vc4_format_mod_supported.patch [new file with mode: 0644]
queue-4.18/drm-vc4-plane-expand-the-lower-bits-by-repeating-the-higher-bits.patch [new file with mode: 0644]
queue-4.18/edac-altera-fix-an-error-handling-path-in-altr_s10_sdram_probe.patch [new file with mode: 0644]
queue-4.18/edac-fix-memleak-in-module-init-error-path.patch [new file with mode: 0644]
queue-4.18/edac-i7core-fix-memleaks-and-use-after-free-on-probe-and-remove.patch [new file with mode: 0644]
queue-4.18/fs-lock-skip-lock-owner-pid-translation-in-case-we-are-in-init_pid_ns.patch [new file with mode: 0644]
queue-4.18/gpio-fix-wrong-rounding-in-gpio-menz127.patch [new file with mode: 0644]
queue-4.18/gpio-tegra-fix-tegra_gpio_irq_set_type.patch [new file with mode: 0644]
queue-4.18/hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch [new file with mode: 0644]
queue-4.18/hid-i2c-hid-use-devm-to-allocate-i2c_hid-struct.patch [new file with mode: 0644]
queue-4.18/ib-core-type-promotion-bug-in-rdma_rw_init_one_mr.patch [new file with mode: 0644]
queue-4.18/ib-mlx4-test-port-number-before-querying-type.patch [new file with mode: 0644]
queue-4.18/ib-mlx5-fix-gre-flow-specification.patch [new file with mode: 0644]
queue-4.18/iio-104-quad-8-fix-off-by-one-error-in-register-selection.patch [new file with mode: 0644]
queue-4.18/iio-accel-adxl345-convert-address-field-usage-in-iio_chan_spec.patch [new file with mode: 0644]
queue-4.18/iio-adc-ina2xx-avoid-kthread_stop-with-stale-task_struct.patch [new file with mode: 0644]
queue-4.18/include-rdma-opa_addr.h-fix-an-endianness-issue.patch [new file with mode: 0644]
queue-4.18/input-xen-kbdfront-fix-multi-touch-xenstore-node-s-locations.patch [new file with mode: 0644]
queue-4.18/iomap-complete-partial-direct-i-o-writes-synchronously.patch [new file with mode: 0644]
queue-4.18/iommu-amd-make-sure-tlb-to-be-flushed-before-iova-freed.patch [new file with mode: 0644]
queue-4.18/iommu-msm-don-t-call-iommu_device_-un-link-from-atomic-context.patch [new file with mode: 0644]
queue-4.18/md-cluster-clear-another-node-s-suspend_area-after-the-copy-is-finished.patch [new file with mode: 0644]
queue-4.18/media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch [new file with mode: 0644]
queue-4.18/media-fsl-viu-fix-error-handling-in-viu_of_probe.patch [new file with mode: 0644]
queue-4.18/media-omap3isp-zero-initialize-the-isp-cam_xclk-a-b-initial-data.patch [new file with mode: 0644]
queue-4.18/media-ov772x-add-checks-for-register-read-errors.patch [new file with mode: 0644]
queue-4.18/media-ov772x-allow-i2c-controllers-without-i2c_func_protocol_mangling.patch [new file with mode: 0644]
queue-4.18/media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch [new file with mode: 0644]
queue-4.18/media-soc_camera-ov772x-correct-setting-of-banding-filter.patch [new file with mode: 0644]
queue-4.18/media-staging-imx-fill-vb2_v4l2_buffer-field-entry.patch [new file with mode: 0644]
queue-4.18/media-tm6000-add-error-handling-for-dvb_register_adapter.patch [new file with mode: 0644]
queue-4.18/mips-boot-fix-build-rule-of-vmlinux.its.s.patch [new file with mode: 0644]
queue-4.18/misc-ibmvmc-use-gfp_atomic-under-spin-lock.patch [new file with mode: 0644]
queue-4.18/misc-sram-enable-clock-before-registering-regions.patch [new file with mode: 0644]
queue-4.18/module-exclude-shn_undef-symbols-from-kallsyms-api.patch [new file with mode: 0644]
queue-4.18/mt76x2-fix-mrr-idx-count-estimation-in-mt76x2_mac_fill_tx_status.patch [new file with mode: 0644]
queue-4.18/mtd-rawnand-atmel-add-module-param-to-avoid-using-dma.patch [new file with mode: 0644]
queue-4.18/net-hns3-fix-for-mac-pause-not-disable-in-pfc-mode.patch [new file with mode: 0644]
queue-4.18/net-hns3-fix-for-mailbox-message-truncated-problem.patch [new file with mode: 0644]
queue-4.18/net-hns3-fix-get_vector-ops-in-hclgevf_main-module.patch [new file with mode: 0644]
queue-4.18/net-hns3-fix-warning-bug-when-doing-lp-selftest.patch [new file with mode: 0644]
queue-4.18/net-phy-xgmiitorgmii-check-phy_driver-ready-before-accessing.patch [new file with mode: 0644]
queue-4.18/net-phy-xgmiitorgmii-check-read_status-results.patch [new file with mode: 0644]
queue-4.18/nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch [new file with mode: 0644]
queue-4.18/perf-hw_breakpoint-split-attribute-parse-and-commit.patch [new file with mode: 0644]
queue-4.18/perf-tests-fix-indexing-when-invoking-subtests.patch [new file with mode: 0644]
queue-4.18/perf-x86-intel-lbr-fix-incomplete-lbr-call-stack.patch [new file with mode: 0644]
queue-4.18/platform-x86-asus-wireless-fix-uninitialized-symbol-usage.patch [new file with mode: 0644]
queue-4.18/posix-timers-make-forward-callback-return-s64.patch [new file with mode: 0644]
queue-4.18/posix-timers-sanitize-overrun-handling.patch [new file with mode: 0644]
queue-4.18/power-remove-possible-deadlock-when-unregistering-power_supply.patch [new file with mode: 0644]
queue-4.18/power-supply-axp288_charger-fix-initial-constant_charge_current-value.patch [new file with mode: 0644]
queue-4.18/power-vexpress-fix-corruption-in-notifier-registration.patch [new file with mode: 0644]
queue-4.18/powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch [new file with mode: 0644]
queue-4.18/powerpc-powernv-ioda2-reduce-upper-limit-for-dma-window-size.patch [new file with mode: 0644]
queue-4.18/rdma-bnxt_re-fix-a-bunch-of-off-by-one-bugs-in-qplib_fp.c.patch [new file with mode: 0644]
queue-4.18/rdma-bnxt_re-fix-a-couple-off-by-one-bugs.patch [new file with mode: 0644]
queue-4.18/rdma-i40w-hold-read-semaphore-while-looking-after-vma.patch [new file with mode: 0644]
queue-4.18/rdma-uverbs-don-t-overwrite-null-pointer-with-zero_size_ptr.patch [new file with mode: 0644]
queue-4.18/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch [new file with mode: 0644]
queue-4.18/s390-dasd-correct-numa_node-in-dasd_alloc_queue.patch [new file with mode: 0644]
queue-4.18/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch [new file with mode: 0644]
queue-4.18/s390-mm-correct-allocate_pgste-proc_handler-callback.patch [new file with mode: 0644]
queue-4.18/s390-scm_blk-correct-numa_node-in-scm_blk_dev_setup.patch [new file with mode: 0644]
queue-4.18/s390-sysinfo-add-missing-ifdef-config_proc_fs.patch [new file with mode: 0644]
queue-4.18/scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch [new file with mode: 0644]
queue-4.18/scsi-hisi_sas-fix-the-conflict-between-dev-gone-and-host-reset.patch [new file with mode: 0644]
queue-4.18/scsi-ibmvscsi-improve-strings-handling.patch [new file with mode: 0644]
queue-4.18/scsi-klist-make-it-safe-to-use-klists-in-atomic-context.patch [new file with mode: 0644]
queue-4.18/scsi-megaraid_sas-update-controller-info-during-resume.patch [new file with mode: 0644]
queue-4.18/scsi-target-avoid-that-extended-copy-commands-trigger-lock-inversion.patch [new file with mode: 0644]
queue-4.18/scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch [new file with mode: 0644]
queue-4.18/selftests-forwarding-tweak-tc-filters-for-mirror-to-gretap-tests.patch [new file with mode: 0644]
queue-4.18/serial-pxa-fix-an-error-handling-path-in-serial_pxa_probe.patch [new file with mode: 0644]
queue-4.18/serial-sh-sci-stop-rx-fifo-timer-during-port-shutdown.patch [new file with mode: 0644]
queue-4.18/siox-don-t-create-a-thread-without-starting-it.patch [new file with mode: 0644]
queue-4.18/spi-orion-fix-cs-gpio-handling-again.patch [new file with mode: 0644]
queue-4.18/staging-android-ashmem-fix-mmap-size-validation.patch [new file with mode: 0644]
queue-4.18/staging-mt7621-dts-fix-remaining-pcie-warnings.patch [new file with mode: 0644]
queue-4.18/staging-mt7621-eth-fix-memory-leak-in-mtk_add_mac-error-path.patch [new file with mode: 0644]
queue-4.18/staging-pi433-fix-race-condition-in-pi433_ioctl.patch [new file with mode: 0644]
queue-4.18/staging-rts5208-fix-missing-error-check-on-call-to-rtsx_write_register.patch [new file with mode: 0644]
queue-4.18/thermal-i.mx-allow-thermal-probe-to-fail-gracefully-in-case-of-bad-calibration.patch [new file with mode: 0644]
queue-4.18/tsl2550-fix-lux1_input-error-in-low-light.patch [new file with mode: 0644]
queue-4.18/usb-serial-kobil_sct-fix-modem-status-error-handling.patch [new file with mode: 0644]
queue-4.18/usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch [new file with mode: 0644]
queue-4.18/uwb-hwa-rc-fix-memory-leak-at-probe.patch [new file with mode: 0644]
queue-4.18/vhost_net-avoid-tx-vring-kicks-during-busyloop.patch [new file with mode: 0644]
queue-4.18/vmci-type-promotion-bug-in-qp_host_get_user_memory.patch [new file with mode: 0644]
queue-4.18/wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch [new file with mode: 0644]
queue-4.18/x86-entry-64-add-two-more-instruction-suffixes.patch [new file with mode: 0644]
queue-4.18/x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch [new file with mode: 0644]
queue-4.18/x86-tsc-add-missing-header-to-tsc_msr.c.patch [new file with mode: 0644]

diff --git a/queue-4.18/6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch b/queue-4.18/6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch
new file mode 100644 (file)
index 0000000..757541d
--- /dev/null
@@ -0,0 +1,51 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Michael Scott <michael@opensourcefoundries.com>
+Date: Tue, 19 Jun 2018 16:44:06 -0700
+Subject: 6lowpan: iphc: reset mac_header after decompress to fix panic
+
+From: Michael Scott <michael@opensourcefoundries.com>
+
+[ Upstream commit 03bc05e1a4972f73b4eb8907aa373369e825c252 ]
+
+After decompression of 6lowpan socket data, an IPv6 header is inserted
+before the existing socket payload.  After this, we reset the
+network_header value of the skb to account for the difference in payload
+size from prior to decompression + the addition of the IPv6 header.
+
+However, we fail to reset the mac_header value.
+
+Leaving the mac_header value untouched here, can cause a calculation
+error in net/packet/af_packet.c packet_rcv() function when an
+AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan
+interface.
+
+On line 2088, the data pointer is moved backward by the value returned
+from skb_mac_header().  If skb->data is adjusted so that it is before
+the skb->head pointer (which can happen when an old value of mac_header
+is left in place) the kernel generates a panic in net/core/skbuff.c
+line 1717.
+
+This panic can be generated by BLE 6lowpan interfaces (such as bt0) and
+802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan
+sources for compression and decompression.
+
+Signed-off-by: Michael Scott <michael@opensourcefoundries.com>
+Acked-by: Alexander Aring <aring@mojatatu.com>
+Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/6lowpan/iphc.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/6lowpan/iphc.c
++++ b/net/6lowpan/iphc.c
+@@ -770,6 +770,7 @@ int lowpan_header_decompress(struct sk_b
+               hdr.hop_limit, &hdr.daddr);
+       skb_push(skb, sizeof(hdr));
++      skb_reset_mac_header(skb);
+       skb_reset_network_header(skb);
+       skb_copy_to_linear_data(skb, &hdr, sizeof(hdr));
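Review bot: The added `skb_reset_mac_header(skb)` in lowpan_header_decompress() has no comment, so the reason for it lives only in the commit message; a line such as `/* keep mac_header in step with the pushed IPv6 header: AF_PACKET SOCK_RAW receive rewinds skb->data by it */` would keep a later cleanup from dropping the call as redundant. The message points at af_packet.c line 2088 and skbuff.c line 1717, which are line numbers from the author's tree and may not match this 4.18 queue, so packet_rcv() is the more reliable reference. There is no Fixes: tag, so which older stable trees need the same reset is not stated. The function body starts and ends outside the hunk.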
diff --git a/queue-4.18/acpi-button-increment-wakeup-count-only-when-notified.patch b/queue-4.18/acpi-button-increment-wakeup-count-only-when-notified.patch
new file mode 100644 (file)
index 0000000..ce0110d
--- /dev/null
@@ -0,0 +1,77 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Ravi Chandra Sadineni <ravisadineni@chromium.org>
+Date: Wed, 27 Jun 2018 10:55:02 -0700
+Subject: ACPI / button: increment wakeup count only when notified
+
+From: Ravi Chandra Sadineni <ravisadineni@chromium.org>
+
+[ Upstream commit 7c058c7c74b3dbeb7d157c273959f87faf710350 ]
+
+Because acpi_lid_initialize_state() is called on every system
+resume and it triggers acpi_lid_notify_state() which invokes
+acpi_pm_wakeup_event() for the lid device, the lid's wakeup count is
+incremented even if the lid was not the source of the event that woke up
+the system. That behavior confuses user space deamons using
+wakeup_count to identify the potential system wakeup source. To avoid
+the confusion, only trigger acpi_pm_wakeup_event() in the
+acpi_button_notify() path and don't do that in the
+acpi_lid_initialize_state() path.
+
+Signed-off-by: Ravi Chandra Sadineni <ravisadineni@chromium.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/button.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/acpi/button.c
++++ b/drivers/acpi/button.c
+@@ -235,9 +235,6 @@ static int acpi_lid_notify_state(struct
+               button->last_time = ktime_get();
+       }
+-      if (state)
+-              acpi_pm_wakeup_event(&device->dev);
+-
+       ret = blocking_notifier_call_chain(&acpi_lid_notifier, state, device);
+       if (ret == NOTIFY_DONE)
+               ret = blocking_notifier_call_chain(&acpi_lid_notifier, state,
+@@ -366,7 +363,8 @@ int acpi_lid_open(void)
+ }
+ EXPORT_SYMBOL(acpi_lid_open);
+-static int acpi_lid_update_state(struct acpi_device *device)
++static int acpi_lid_update_state(struct acpi_device *device,
++                               bool signal_wakeup)
+ {
+       int state;
+@@ -374,6 +372,9 @@ static int acpi_lid_update_state(struct
+       if (state < 0)
+               return state;
++      if (state && signal_wakeup)
++              acpi_pm_wakeup_event(&device->dev);
++
+       return acpi_lid_notify_state(device, state);
+ }
+@@ -384,7 +385,7 @@ static void acpi_lid_initialize_state(st
+               (void)acpi_lid_notify_state(device, 1);
+               break;
+       case ACPI_BUTTON_LID_INIT_METHOD:
+-              (void)acpi_lid_update_state(device);
++              (void)acpi_lid_update_state(device, false);
+               break;
+       case ACPI_BUTTON_LID_INIT_IGNORE:
+       default:
+@@ -409,7 +410,7 @@ static void acpi_button_notify(struct ac
+                       users = button->input->users;
+                       mutex_unlock(&button->input->mutex);
+                       if (users)
+-                              acpi_lid_update_state(device);
++                              acpi_lid_update_state(device, true);
+               } else {
+                       int keycode;
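Review bot: The new `signal_wakeup` parameter of acpi_lid_update_state() is undocumented and the two call sites differ only by a bare `true`/`false`; a comment above the function such as `/* signal_wakeup: report a PM wakeup event when the lid state is non-zero; pass true only from the notify handler */` would record the rule the commit message gives. In acpi_button_notify() the return value is dropped without the `(void)` cast that acpi_lid_initialize_state() uses for the same call, so `(void)acpi_lid_update_state(device, true);` would be consistent. Both acpi_lid_initialize_state() and acpi_button_notify() continue outside the visible hunks.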
diff --git a/queue-4.18/alarmtimer-prevent-overflow-for-relative-nanosleep.patch b/queue-4.18/alarmtimer-prevent-overflow-for-relative-nanosleep.patch
new file mode 100644 (file)
index 0000000..c7d627b
--- /dev/null
@@ -0,0 +1,51 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Mon, 2 Jul 2018 09:34:29 +0200
+Subject: alarmtimer: Prevent overflow for relative nanosleep
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 5f936e19cc0ef97dbe3a56e9498922ad5ba1edef ]
+
+Air Icy reported:
+
+  UBSAN: Undefined behaviour in kernel/time/alarmtimer.c:811:7
+  signed integer overflow:
+  1529859276030040771 + 9223372036854775807 cannot be represented in type 'long long int'
+  Call Trace:
+   alarm_timer_nsleep+0x44c/0x510 kernel/time/alarmtimer.c:811
+   __do_sys_clock_nanosleep kernel/time/posix-timers.c:1235 [inline]
+   __se_sys_clock_nanosleep kernel/time/posix-timers.c:1213 [inline]
+   __x64_sys_clock_nanosleep+0x326/0x4e0 kernel/time/posix-timers.c:1213
+   do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290
+
+alarm_timer_nsleep() uses ktime_add() to add the current time and the
+relative expiry value. ktime_add() has no sanity checks so the addition
+can overflow when the relative timeout is large enough.
+
+Use ktime_add_safe() which has the necessary sanity checks in place and
+limits the result to the valid range.
+
+Fixes: 9a7adcf5c6de ("timers: Posix interface for alarm-timers")
+Reported-by: Team OWL337 <icytxw@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: John Stultz <john.stultz@linaro.org>
+Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1807020926360.1595@nanos.tec.linutronix.de
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/time/alarmtimer.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -808,7 +808,8 @@ static int alarm_timer_nsleep(const cloc
+       /* Convert (if necessary) to absolute time */
+       if (flags != TIMER_ABSTIME) {
+               ktime_t now = alarm_bases[type].gettime();
+-              exp = ktime_add(now, exp);
++
++              exp = ktime_add_safe(now, exp);
+       }
+       ret = alarmtimer_do_nsleep(&alarm, exp, type);
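Review bot: Nothing at the new `ktime_add_safe(now, exp)` call in alarm_timer_nsleep() says why the plain add is unsafe, and the value being added arrives from the clock_nanosleep syscall according to the quoted trace; a comment such as `/* relative timeout comes from user space: clamp instead of overflowing */` would stop the line being simplified back to `ktime_add()`. Only this one relative-to-absolute conversion is changed, so any other `ktime_add()` in kernel/time/alarmtimer.c that takes a caller-supplied expiry lies outside the hunk and is worth checking for the same signed overflow. The function continues past the end of the hunk.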
diff --git a/queue-4.18/alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch b/queue-4.18/alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch
new file mode 100644 (file)
index 0000000..8c99cbc
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Thu, 28 Jun 2018 15:28:24 +0800
+Subject: ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 1adca4b0cd65c14cb8b8c9c257720385869c3d5f ]
+
+This patch can make audio controller in AMD Raven Ridge gets runtime
+suspended to D3, to save ~1W power when it's not in use.
+
+Cc: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/hda_intel.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2535,7 +2535,8 @@ static const struct pci_device_id azx_id
+         .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB },
+       /* AMD Raven */
+       { PCI_DEVICE(0x1022, 0x15e3),
+-        .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB },
++        .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB |
++                       AZX_DCAPS_PM_RUNTIME },
+       /* ATI HDMI */
+       { PCI_DEVICE(0x1002, 0x0002),
+         .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS },
diff --git a/queue-4.18/alsa-snd-aoa-add-of_node_put-in-error-path.patch b/queue-4.18/alsa-snd-aoa-add-of_node_put-in-error-path.patch
new file mode 100644 (file)
index 0000000..715a53a
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Fri, 29 Jun 2018 19:07:42 +0200
+Subject: ALSA: snd-aoa: add of_node_put() in error path
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit 222bce5eb88d1af656419db04bcd84b2419fb900 ]
+
+ Both calls to of_find_node_by_name() and of_get_next_child() return a
+node pointer with refcount incremented thus it must be explicidly
+decremented here after the last usage. As we are assured to have a
+refcounted  np  either from the initial
+of_find_node_by_name(NULL, name); or from the of_get_next_child(gpio, np)
+in the while loop if we reached the error code path below, an
+x of_node_put(np) is needed.
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Fixes: commit f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/aoa/core/gpio-feature.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/aoa/core/gpio-feature.c
++++ b/sound/aoa/core/gpio-feature.c
+@@ -88,8 +88,10 @@ static struct device_node *get_gpio(char
+       }
+       reg = of_get_property(np, "reg", NULL);
+-      if (!reg)
++      if (!reg) {
++              of_node_put(np);
+               return NULL;
++      }
+       *gpioptr = *reg;
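Review bot: The added `of_node_put(np)` balances the reference only on the `!reg` return of get_gpio(); on the path that continues to `*gpioptr = *reg;` the node presumably leaves the function with its reference still held, and the hunk does not show whether callers release it. If that is the intended contract, a comment on the function such as `/* on success the returned node holds a reference; the caller must of_node_put() it */` would make the ownership rule checkable. The earlier exits of get_gpio() are above the hunk and cannot be verified from here.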
diff --git a/queue-4.18/arm-dts-dra7-fix-dcan-node-addresses.patch b/queue-4.18/arm-dts-dra7-fix-dcan-node-addresses.patch
new file mode 100644 (file)
index 0000000..e32d1d8
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Kevin Hilman <khilman@baylibre.com>
+Date: Mon, 21 May 2018 13:08:32 -0700
+Subject: ARM: dts: dra7: fix DCAN node addresses
+
+From: Kevin Hilman <khilman@baylibre.com>
+
+[ Upstream commit 949bdcc8a97c6078f21c8d4966436b117f2e4cd3 ]
+
+Fix the DT node addresses to match the reg property addresses,
+which were verified to match the TRM:
+http://www.ti.com/lit/pdf/sprui30
+
+Cc: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Acked-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/dra7.dtsi |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/dra7.dtsi
++++ b/arch/arm/boot/dts/dra7.dtsi
+@@ -1893,7 +1893,7 @@
+                       };
+               };
+-              dcan1: can@481cc000 {
++              dcan1: can@4ae3c000 {
+                       compatible = "ti,dra7-d_can";
+                       ti,hwmods = "dcan1";
+                       reg = <0x4ae3c000 0x2000>;
+@@ -1903,7 +1903,7 @@
+                       status = "disabled";
+               };
+-              dcan2: can@481d0000 {
++              dcan2: can@48480000 {
+                       compatible = "ti,dra7-d_can";
+                       ti,hwmods = "dcan2";
+                       reg = <0x48480000 0x2000>;
diff --git a/queue-4.18/arm-dts-ls1021a-add-missing-cooling-device-properties-for-cpus.patch b/queue-4.18/arm-dts-ls1021a-add-missing-cooling-device-properties-for-cpus.patch
new file mode 100644 (file)
index 0000000..89fe037
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Fri, 25 May 2018 16:01:48 +0530
+Subject: ARM: dts: ls1021a: Add missing cooling device properties for CPUs
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+[ Upstream commit 47768f372eae030db6fab5225f9504a820d2c07f ]
+
+The cooling device properties, like "#cooling-cells" and
+"dynamic-power-coefficient", should either be present for all the CPUs
+of a cluster or none. If these are present only for a subset of CPUs of
+a cluster then things will start falling apart as soon as the CPUs are
+brought online in a different order. For example, this will happen
+because the operating system looks for such properties in the CPU node
+it is trying to bring up, so that it can register a cooling device.
+
+Add such missing properties.
+
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/ls1021a.dtsi |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/ls1021a.dtsi
++++ b/arch/arm/boot/dts/ls1021a.dtsi
+@@ -84,6 +84,7 @@
+                       device_type = "cpu";
+                       reg = <0xf01>;
+                       clocks = <&clockgen 1 0>;
++                      #cooling-cells = <2>;
+               };
+       };
diff --git a/queue-4.18/arm-dts-mediatek-add-missing-cooling-device-properties-for-cpus.patch b/queue-4.18/arm-dts-mediatek-add-missing-cooling-device-properties-for-cpus.patch
new file mode 100644 (file)
index 0000000..aabca69
--- /dev/null
@@ -0,0 +1,53 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Fri, 25 May 2018 16:01:49 +0530
+Subject: arm: dts: mediatek: Add missing cooling device properties for CPUs
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+[ Upstream commit 0c7f7a5150023f3c6f0b27c4d4940ce3dfaf62cc ]
+
+The cooling device properties, like "#cooling-cells" and
+"dynamic-power-coefficient", should either be present for all the CPUs
+of a cluster or none. If these are present only for a subset of CPUs of
+a cluster then things will start falling apart as soon as the CPUs are
+brought online in a different order. For example, this will happen
+because the operating system looks for such properties in the CPU node
+it is trying to bring up, so that it can register a cooling device.
+
+Add such missing properties.
+
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/mt7623.dtsi |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm/boot/dts/mt7623.dtsi
++++ b/arch/arm/boot/dts/mt7623.dtsi
+@@ -92,6 +92,7 @@
+                                <&apmixedsys CLK_APMIXED_MAINPLL>;
+                       clock-names = "cpu", "intermediate";
+                       operating-points-v2 = <&cpu_opp_table>;
++                      #cooling-cells = <2>;
+                       clock-frequency = <1300000000>;
+               };
+@@ -103,6 +104,7 @@
+                                <&apmixedsys CLK_APMIXED_MAINPLL>;
+                       clock-names = "cpu", "intermediate";
+                       operating-points-v2 = <&cpu_opp_table>;
++                      #cooling-cells = <2>;
+                       clock-frequency = <1300000000>;
+               };
+@@ -114,6 +116,7 @@
+                                <&apmixedsys CLK_APMIXED_MAINPLL>;
+                       clock-names = "cpu", "intermediate";
+                       operating-points-v2 = <&cpu_opp_table>;
++                      #cooling-cells = <2>;
+                       clock-frequency = <1300000000>;
+               };
+       };
diff --git a/queue-4.18/arm-hwmod-rtc-don-t-assume-lock-unlock-will-be-called-with-irq-enabled.patch b/queue-4.18/arm-hwmod-rtc-don-t-assume-lock-unlock-will-be-called-with-irq-enabled.patch
new file mode 100644 (file)
index 0000000..9965c83
--- /dev/null
@@ -0,0 +1,62 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Dave Gerlach <d-gerlach@ti.com>
+Date: Thu, 21 Jun 2018 14:43:08 +0530
+Subject: ARM: hwmod: RTC: Don't assume lock/unlock will be called with irq enabled
+
+From: Dave Gerlach <d-gerlach@ti.com>
+
+[ Upstream commit 6d609b35c815ba20132b7b64bcca04516bb17c56 ]
+
+When the RTC lock and unlock functions were introduced it was likely
+assumed that they would always be called from irq enabled context, hence
+the use of local_irq_disable/enable. This is no longer true as the
+RTC+DDR path makes a late call during the suspend path after irqs
+have been disabled to enable the RTC hwmod which calls both unlock and
+lock, leading to IRQs being reenabled through the local_irq_enable call
+in omap_hwmod_rtc_lock call.
+
+To avoid this change the local_irq_disable/enable to
+local_irq_save/restore to ensure that from whatever context this is
+called the proper IRQ configuration is maintained.
+
+Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/omap_hwmod_reset.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_reset.c
++++ b/arch/arm/mach-omap2/omap_hwmod_reset.c
+@@ -92,11 +92,13 @@ static void omap_rtc_wait_not_busy(struc
+  */
+ void omap_hwmod_rtc_unlock(struct omap_hwmod *oh)
+ {
+-      local_irq_disable();
++      unsigned long flags;
++
++      local_irq_save(flags);
+       omap_rtc_wait_not_busy(oh);
+       omap_hwmod_write(OMAP_RTC_KICK0_VALUE, oh, OMAP_RTC_KICK0_REG);
+       omap_hwmod_write(OMAP_RTC_KICK1_VALUE, oh, OMAP_RTC_KICK1_REG);
+-      local_irq_enable();
++      local_irq_restore(flags);
+ }
+ /**
+@@ -110,9 +112,11 @@ void omap_hwmod_rtc_unlock(struct omap_h
+  */
+ void omap_hwmod_rtc_lock(struct omap_hwmod *oh)
+ {
+-      local_irq_disable();
++      unsigned long flags;
++
++      local_irq_save(flags);
+       omap_rtc_wait_not_busy(oh);
+       omap_hwmod_write(0x0, oh, OMAP_RTC_KICK0_REG);
+       omap_hwmod_write(0x0, oh, OMAP_RTC_KICK1_REG);
+-      local_irq_enable();
++      local_irq_restore(flags);
+ }
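Review bot: Both `omap_hwmod_rtc_unlock()` and `omap_hwmod_rtc_lock()` now run `omap_rtc_wait_not_busy(oh)` with interrupts masked on a path where the caller may already have them off, and nothing in the new code records that. A comment above `local_irq_save(flags)` would keep the next reader from simplifying it back, for example `/* may be called with IRQs already disabled (late suspend); preserve the caller's state */`. The wait helper's body is outside the hunk, so whether its polling is bounded cannot be checked here. If it is not, a timeout is worth adding, since nothing can interrupt the wait.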
diff --git a/queue-4.18/arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch b/queue-4.18/arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch
new file mode 100644 (file)
index 0000000..b1253fc
--- /dev/null
@@ -0,0 +1,62 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Ethan Tuttle <ethan@ethantuttle.com>
+Date: Tue, 19 Jun 2018 21:31:08 -0700
+Subject: ARM: mvebu: declare asm symbols as character arrays in pmsu.c
+
+From: Ethan Tuttle <ethan@ethantuttle.com>
+
+[ Upstream commit d0d378ff451a66e486488eec842e507d28145813 ]
+
+With CONFIG_FORTIFY_SOURCE, memcpy uses the declared size of operands to
+detect buffer overflows.  If src or dest is declared as a char, attempts to
+copy more than byte will result in a fortify_panic().
+
+Address this problem in mvebu_setup_boot_addr_wa() by declaring
+mvebu_boot_wa_start and mvebu_boot_wa_end as character arrays.  Also remove
+a couple addressof operators to avoid "arithmetic on pointer to an
+incomplete type" compiler error.
+
+See commit 54a7d50b9205 ("x86: mark kprobe templates as character arrays,
+not single characters") for a similar fix.
+
+Fixes "detected buffer overflow in memcpy" error during init on some mvebu
+systems (armada-370-xp, armada-375):
+
+(fortify_panic) from (mvebu_setup_boot_addr_wa+0xb0/0xb4)
+(mvebu_setup_boot_addr_wa) from (mvebu_v7_cpu_pm_init+0x154/0x204)
+(mvebu_v7_cpu_pm_init) from (do_one_initcall+0x7c/0x1a8)
+(do_one_initcall) from (kernel_init_freeable+0x1bc/0x254)
+(kernel_init_freeable) from (kernel_init+0x8/0x114)
+(kernel_init) from (ret_from_fork+0x14/0x2c)
+
+Signed-off-by: Ethan Tuttle <ethan@ethantuttle.com>
+Tested-by: Ethan Tuttle <ethan@ethantuttle.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-mvebu/pmsu.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm/mach-mvebu/pmsu.c
++++ b/arch/arm/mach-mvebu/pmsu.c
+@@ -116,8 +116,8 @@ void mvebu_pmsu_set_cpu_boot_addr(int hw
+               PMSU_BOOT_ADDR_REDIRECT_OFFSET(hw_cpu));
+ }
+-extern unsigned char mvebu_boot_wa_start;
+-extern unsigned char mvebu_boot_wa_end;
++extern unsigned char mvebu_boot_wa_start[];
++extern unsigned char mvebu_boot_wa_end[];
+ /*
+  * This function sets up the boot address workaround needed for SMP
+@@ -130,7 +130,7 @@ int mvebu_setup_boot_addr_wa(unsigned in
+                            phys_addr_t resume_addr_reg)
+ {
+       void __iomem *sram_virt_base;
+-      u32 code_len = &mvebu_boot_wa_end - &mvebu_boot_wa_start;
++      u32 code_len = mvebu_boot_wa_end - mvebu_boot_wa_start;
+       mvebu_mbus_del_window(BOOTROM_BASE, BOOTROM_SIZE);
+       mvebu_mbus_add_window_by_id(crypto_eng_target, crypto_eng_attribute,
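Review bot: Declaring `mvebu_boot_wa_start[]` and `mvebu_boot_wa_end[]` as arrays of unknown size avoids the FORTIFY_SOURCE panic by making the object size unknown to the compiler, so the copy in `mvebu_setup_boot_addr_wa()` no longer has any compiler-derived bound. `code_len` is taken directly from the symbol difference, and the hunk shows no comparison of it against the size of the destination mapping. The rest of the function is outside the hunk. If no such comparison exists there, an explicit check before the copy that returns an error when `code_len` exceeds the mapped size would put a real bound back in place of the one that was misfiring.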
diff --git a/queue-4.18/arm64-dts-renesas-fix-vspd-registers-range.patch b/queue-4.18/arm64-dts-renesas-fix-vspd-registers-range.patch
new file mode 100644 (file)
index 0000000..ceb6a85
--- /dev/null
@@ -0,0 +1,156 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Date: Fri, 8 Jun 2018 15:21:15 +0300
+Subject: arm64: dts: renesas: Fix VSPD registers range
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+[ Upstream commit e21adc781bb45e810f1c396c4bc2c1624a4c25b9 ]
+
+The VSPD and FCPVD nodes have overlapping register ranges, as the FCPVD
+devices are mapped in the memory range usually used by the VSP LUT and
+CLU, which are not present in the VSPD. Fix this by shortening the VSPD
+registers range to 0x5000.
+
+Fixes: 9f8573e38a0b ("arm64: dts: renesas: r8a7795: Add VSP instances")
+Fixes: 291e0c4994d0 ("arm64: dts: r8a7795: Add support for R-Car H3 ES2.0")
+Fixes: f06ffdfbdd90 ("arm64: dts: r8a7796: Add VSP instances")
+Fixes: b4f92030d5d3 ("arm64: dts: renesas: r8a77970: add VSPD support")
+Fixes: 295952a183d3 ("arm64: dts: renesas: r8a77995: add VSP instances")
+Fixes: 85cb3229218a ("arm64: dts: renesas: r8a77965: Add VSP instances")
+Reported-by: Simon Horman <horms+renesas@verge.net.au>
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/renesas/r8a7795-es1.dtsi |    2 +-
+ arch/arm64/boot/dts/renesas/r8a7795.dtsi     |    6 +++---
+ arch/arm64/boot/dts/renesas/r8a7796.dtsi     |    6 +++---
+ arch/arm64/boot/dts/renesas/r8a77965.dtsi    |    4 ++--
+ arch/arm64/boot/dts/renesas/r8a77970.dtsi    |    2 +-
+ arch/arm64/boot/dts/renesas/r8a77995.dtsi    |    4 ++--
+ 6 files changed, 12 insertions(+), 12 deletions(-)
+
+--- a/arch/arm64/boot/dts/renesas/r8a7795-es1.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a7795-es1.dtsi
+@@ -80,7 +80,7 @@
+       vspd3: vsp@fea38000 {
+               compatible = "renesas,vsp2";
+-              reg = <0 0xfea38000 0 0x8000>;
++              reg = <0 0xfea38000 0 0x5000>;
+               interrupts = <GIC_SPI 469 IRQ_TYPE_LEVEL_HIGH>;
+               clocks = <&cpg CPG_MOD 620>;
+               power-domains = <&sysc R8A7795_PD_ALWAYS_ON>;
+--- a/arch/arm64/boot/dts/renesas/r8a7795.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a7795.dtsi
+@@ -2530,7 +2530,7 @@
+               vspd0: vsp@fea20000 {
+                       compatible = "renesas,vsp2";
+-                      reg = <0 0xfea20000 0 0x8000>;
++                      reg = <0 0xfea20000 0 0x5000>;
+                       interrupts = <GIC_SPI 466 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&cpg CPG_MOD 623>;
+                       power-domains = <&sysc R8A7795_PD_ALWAYS_ON>;
+@@ -2541,7 +2541,7 @@
+               vspd1: vsp@fea28000 {
+                       compatible = "renesas,vsp2";
+-                      reg = <0 0xfea28000 0 0x8000>;
++                      reg = <0 0xfea28000 0 0x5000>;
+                       interrupts = <GIC_SPI 467 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&cpg CPG_MOD 622>;
+                       power-domains = <&sysc R8A7795_PD_ALWAYS_ON>;
+@@ -2552,7 +2552,7 @@
+               vspd2: vsp@fea30000 {
+                       compatible = "renesas,vsp2";
+-                      reg = <0 0xfea30000 0 0x8000>;
++                      reg = <0 0xfea30000 0 0x5000>;
+                       interrupts = <GIC_SPI 468 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&cpg CPG_MOD 621>;
+                       power-domains = <&sysc R8A7795_PD_ALWAYS_ON>;
+--- a/arch/arm64/boot/dts/renesas/r8a7796.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a7796.dtsi
+@@ -2212,7 +2212,7 @@
+               vspd0: vsp@fea20000 {
+                       compatible = "renesas,vsp2";
+-                      reg = <0 0xfea20000 0 0x8000>;
++                      reg = <0 0xfea20000 0 0x5000>;
+                       interrupts = <GIC_SPI 466 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&cpg CPG_MOD 623>;
+                       power-domains = <&sysc R8A7796_PD_ALWAYS_ON>;
+@@ -2223,7 +2223,7 @@
+               vspd1: vsp@fea28000 {
+                       compatible = "renesas,vsp2";
+-                      reg = <0 0xfea28000 0 0x8000>;
++                      reg = <0 0xfea28000 0 0x5000>;
+                       interrupts = <GIC_SPI 467 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&cpg CPG_MOD 622>;
+                       power-domains = <&sysc R8A7796_PD_ALWAYS_ON>;
+@@ -2234,7 +2234,7 @@
+               vspd2: vsp@fea30000 {
+                       compatible = "renesas,vsp2";
+-                      reg = <0 0xfea30000 0 0x8000>;
++                      reg = <0 0xfea30000 0 0x5000>;
+                       interrupts = <GIC_SPI 468 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&cpg CPG_MOD 621>;
+                       power-domains = <&sysc R8A7796_PD_ALWAYS_ON>;
+--- a/arch/arm64/boot/dts/renesas/r8a77965.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a77965.dtsi
+@@ -1397,7 +1397,7 @@
+               vspd0: vsp@fea20000 {
+                       compatible = "renesas,vsp2";
+-                      reg = <0 0xfea20000 0 0x8000>;
++                      reg = <0 0xfea20000 0 0x5000>;
+                       interrupts = <GIC_SPI 466 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&cpg CPG_MOD 623>;
+                       power-domains = <&sysc R8A77965_PD_ALWAYS_ON>;
+@@ -1416,7 +1416,7 @@
+               vspd1: vsp@fea28000 {
+                       compatible = "renesas,vsp2";
+-                      reg = <0 0xfea28000 0 0x8000>;
++                      reg = <0 0xfea28000 0 0x5000>;
+                       interrupts = <GIC_SPI 467 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&cpg CPG_MOD 622>;
+                       power-domains = <&sysc R8A77965_PD_ALWAYS_ON>;
+--- a/arch/arm64/boot/dts/renesas/r8a77970.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a77970.dtsi
+@@ -776,7 +776,7 @@
+               vspd0: vsp@fea20000 {
+                       compatible = "renesas,vsp2";
+-                      reg = <0 0xfea20000 0 0x8000>;
++                      reg = <0 0xfea20000 0 0x5000>;
+                       interrupts = <GIC_SPI 169 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&cpg CPG_MOD 623>;
+                       power-domains = <&sysc R8A77970_PD_ALWAYS_ON>;
+--- a/arch/arm64/boot/dts/renesas/r8a77995.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a77995.dtsi
+@@ -699,7 +699,7 @@
+               vspd0: vsp@fea20000 {
+                       compatible = "renesas,vsp2";
+-                      reg = <0 0xfea20000 0 0x8000>;
++                      reg = <0 0xfea20000 0 0x5000>;
+                       interrupts = <GIC_SPI 466 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&cpg CPG_MOD 623>;
+                       power-domains = <&sysc R8A77995_PD_ALWAYS_ON>;
+@@ -709,7 +709,7 @@
+               vspd1: vsp@fea28000 {
+                       compatible = "renesas,vsp2";
+-                      reg = <0 0xfea28000 0 0x8000>;
++                      reg = <0 0xfea28000 0 0x5000>;
+                       interrupts = <GIC_SPI 467 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&cpg CPG_MOD 622>;
+                       power-domains = <&sysc R8A77995_PD_ALWAYS_ON>;
diff --git a/queue-4.18/arm64-dts-renesas-salvator-common-fix-adv7482-decimal-unit-addresses.patch b/queue-4.18/arm64-dts-renesas-salvator-common-fix-adv7482-decimal-unit-addresses.patch
new file mode 100644 (file)
index 0000000..7d2041b
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Thu, 14 Jun 2018 15:48:08 +0200
+Subject: arm64: dts: renesas: salvator-common: Fix adv7482 decimal unit addresses
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit c5a884838ce34681200b5a45b2330177036affd0 ]
+
+With recent dtc and W=1:
+
+    ...salvator-x.dtb: Warning (graph_port): /soc/i2c@e66d8000/video-receiver@70/port@10: graph node unit address error, expected "a"
+    ...salvator-x.dtb: Warning (graph_port): /soc/i2c@e66d8000/video-receiver@70/port@11: graph node unit address error, expected "b"
+
+Unit addresses are always hexadecimal (without prefix), while the bases
+of reg property values depend on their prefixes.
+
+Fixes: 908001d778eba06e ("arm64: dts: renesas: salvator-common: Add ADV7482 support")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Acked-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/renesas/salvator-common.dtsi |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/renesas/salvator-common.dtsi
++++ b/arch/arm64/boot/dts/renesas/salvator-common.dtsi
+@@ -440,7 +440,7 @@
+                       };
+               };
+-              port@10 {
++              port@a {
+                       reg = <10>;
+                       adv7482_txa: endpoint {
+@@ -450,7 +450,7 @@
+                       };
+               };
+-              port@11 {
++              port@b {
+                       reg = <11>;
+                       adv7482_txb: endpoint {
diff --git a/queue-4.18/asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch b/queue-4.18/asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch
new file mode 100644 (file)
index 0000000..476e0e0
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Liam Girdwood <liam.r.girdwood@linux.intel.com>
+Date: Thu, 14 Jun 2018 20:26:42 +0100
+Subject: ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs
+
+From: Liam Girdwood <liam.r.girdwood@linux.intel.com>
+
+[ Upstream commit e01b4f624278d5efe5fb5da585ca371947b16680 ]
+
+Sometime a component or topology may configure a DAI widget with no
+private data leading to a dev_dbg() dereferencne of this data.
+
+Fix this to check for non NULL private data and let users know if widget
+is missing DAI.
+
+Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/soc-dapm.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -4073,6 +4073,13 @@ int snd_soc_dapm_link_dai_widgets(struct
+                       continue;
+               }
++              /* let users know there is no DAI to link */
++              if (!dai_w->priv) {
++                      dev_dbg(card->dev, "dai widget %s has no DAI\n",
++                              dai_w->name);
++                      continue;
++              }
++
+               dai = dai_w->priv;
+               /* ...find all widgets with the same stream and link them */
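Review bot: The added comment reads `/* let users know there is no DAI to link */`, but `dev_dbg()` prints nothing unless debug output is enabled for this file, so on a normal kernel a widget with NULL `priv` is skipped without any trace. If a DAI widget without private data means a misconfigured component or topology, as the commit message suggests, `dev_warn(card->dev, "dai widget %s has no DAI\n", dai_w->name);` would match the stated intent. Otherwise the comment should say that the widget is skipped quietly. The enclosing loop in `snd_soc_dapm_link_dai_widgets()` starts and ends outside the hunk.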
diff --git a/queue-4.18/asoc-intel-bytcr_rt5640-fix-acer-iconia-8-over-current-detect-threshold.patch b/queue-4.18/asoc-intel-bytcr_rt5640-fix-acer-iconia-8-over-current-detect-threshold.patch
new file mode 100644 (file)
index 0000000..0920b62
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 3 Jun 2018 15:42:32 +0200
+Subject: ASoC: Intel: bytcr_rt5640: Fix Acer Iconia 8 over-current detect threshold
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit f12a0a3c4cc6f594d7c2ea361f2396ae5c518d2c ]
+
+Change the over-current detect threshold on the Acer Iconia 8 from
+2000ua to 1500uA, this fixes headset button presses not being detected.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/intel/boards/bytcr_rt5640.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/intel/boards/bytcr_rt5640.c
++++ b/sound/soc/intel/boards/bytcr_rt5640.c
+@@ -404,7 +404,7 @@ static const struct dmi_system_id byt_rt
+               },
+               .driver_data = (void *)(BYT_RT5640_DMIC1_MAP |
+                                       BYT_RT5640_JD_SRC_JD1_IN4P |
+-                                      BYT_RT5640_OVCD_TH_2000UA |
++                                      BYT_RT5640_OVCD_TH_1500UA |
+                                       BYT_RT5640_OVCD_SF_0P75 |
+                                       BYT_RT5640_SSP0_AIF1 |
+                                       BYT_RT5640_MCLK_EN),
diff --git a/queue-4.18/asoc-qdsp6-qdafe-fix-some-off-by-one-bugs.patch b/queue-4.18/asoc-qdsp6-qdafe-fix-some-off-by-one-bugs.patch
new file mode 100644 (file)
index 0000000..3f659d4
--- /dev/null
@@ -0,0 +1,51 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 27 Jun 2018 11:56:53 +0300
+Subject: ASoC: qdsp6: qdafe: fix some off by one bugs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit c54c1c5ee8e73b7cb752834e52e2129b1dab00bd ]
+
+The > should be >= or we could read one element beyond the end of the
+port_maps[] array.
+
+Fixes: 7fa2d70f9766 ("ASoC: qdsp6: q6afe: Add q6afe driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6afe.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/q6afe.c
++++ b/sound/soc/qcom/qdsp6/q6afe.c
+@@ -777,7 +777,7 @@ static int q6afe_callback(struct apr_dev
+  */
+ int q6afe_get_port_id(int index)
+ {
+-      if (index < 0 || index > AFE_PORT_MAX)
++      if (index < 0 || index >= AFE_PORT_MAX)
+               return -EINVAL;
+       return port_maps[index].port_id;
+@@ -1014,7 +1014,7 @@ int q6afe_port_stop(struct q6afe_port *p
+       port_id = port->id;
+       index = port->token;
+-      if (index < 0 || index > AFE_PORT_MAX) {
++      if (index < 0 || index >= AFE_PORT_MAX) {
+               dev_err(afe->dev, "AFE port index[%d] invalid!\n", index);
+               return -EINVAL;
+       }
+@@ -1355,7 +1355,7 @@ struct q6afe_port *q6afe_port_get_from_i
+       unsigned long flags;
+       int cfg_type;
+-      if (id < 0 || id > AFE_PORT_MAX) {
++      if (id < 0 || id >= AFE_PORT_MAX) {
+               dev_err(dev, "AFE port token[%d] invalid!\n", id);
+               return ERR_PTR(-EINVAL);
+       }
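Review bot: The three corrected checks compare against `AFE_PORT_MAX`, while the array the commit message names is `port_maps[]`, whose declaration is outside the hunks, so the bound and the array size are linked only by convention. Testing against the array itself, `if (index < 0 || index >= ARRAY_SIZE(port_maps))`, stays correct if the table and the constant ever diverge. The same condition is repeated in `q6afe_get_port_id()`, `q6afe_port_stop()` and `q6afe_port_get_from_id()`; a small static helper would keep a later fix from reaching only one of them. The last two functions continue outside their hunks.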
diff --git a/queue-4.18/asoc-rsnd-ssi-parent-cares-swsp-bit.patch b/queue-4.18/asoc-rsnd-ssi-parent-cares-swsp-bit.patch
new file mode 100644 (file)
index 0000000..3db428a
--- /dev/null
@@ -0,0 +1,116 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Date: Tue, 12 Jun 2018 05:52:17 +0000
+Subject: ASoC: rsnd: SSI parent cares SWSP bit
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit 203cdf51f28820bee7893b4be392847418e6f4ec ]
+
+SSICR has SWSP bit (= Serial WS Polarity) which decides WS pin 1st
+channel polarity (low or hi). This bit shouldn't exchange after running.
+
+Current SSI "parent" doesn't care SSICR, just controls clock only.
+Because of this behavior, if platform uses SSI0 as playback,
+SSI1 as capture, and if user starts capture -> playback order,
+SSI0 SSICR::SWSP bit exchanged 0 -> 1 during captureing, and it makes
+capture noise.
+This patch cares SSICR on SSI parent, too.
+Special thanks to Yokoyama-san
+
+Reported-by: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Tested-by: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sh/rcar/ssi.c |   32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+--- a/sound/soc/sh/rcar/ssi.c
++++ b/sound/soc/sh/rcar/ssi.c
+@@ -37,6 +37,7 @@
+ #define       CHNL_4          (1 << 22)       /* Channels */
+ #define       CHNL_6          (2 << 22)       /* Channels */
+ #define       CHNL_8          (3 << 22)       /* Channels */
++#define DWL_MASK      (7 << 19)       /* Data Word Length mask */
+ #define       DWL_8           (0 << 19)       /* Data Word Length */
+ #define       DWL_16          (1 << 19)       /* Data Word Length */
+ #define       DWL_18          (2 << 19)       /* Data Word Length */
+@@ -353,21 +354,18 @@ static void rsnd_ssi_config_init(struct
+       struct rsnd_dai *rdai = rsnd_io_to_rdai(io);
+       struct snd_pcm_runtime *runtime = rsnd_io_to_runtime(io);
+       struct rsnd_ssi *ssi = rsnd_mod_to_ssi(mod);
+-      u32 cr_own;
+-      u32 cr_mode;
+-      u32 wsr;
++      u32 cr_own      = ssi->cr_own;
++      u32 cr_mode     = ssi->cr_mode;
++      u32 wsr         = ssi->wsr;
+       int is_tdm;
+-      if (rsnd_ssi_is_parent(mod, io))
+-              return;
+-
+       is_tdm = rsnd_runtime_is_ssi_tdm(io);
+       /*
+        * always use 32bit system word.
+        * see also rsnd_ssi_master_clk_enable()
+        */
+-      cr_own = FORCE | SWL_32;
++      cr_own |= FORCE | SWL_32;
+       if (rdai->bit_clk_inv)
+               cr_own |= SCKP;
+@@ -377,9 +375,18 @@ static void rsnd_ssi_config_init(struct
+               cr_own |= SDTA;
+       if (rdai->sys_delay)
+               cr_own |= DEL;
++
++      /*
++       * We shouldn't exchange SWSP after running.
++       * This means, parent needs to care it.
++       */
++      if (rsnd_ssi_is_parent(mod, io))
++              goto init_end;
++
+       if (rsnd_io_is_play(io))
+               cr_own |= TRMD;
++      cr_own &= ~DWL_MASK;
+       switch (snd_pcm_format_width(runtime->format)) {
+       case 16:
+               cr_own |= DWL_16;
+@@ -406,7 +413,7 @@ static void rsnd_ssi_config_init(struct
+               wsr     |= WS_MODE;
+               cr_own  |= CHNL_8;
+       }
+-
++init_end:
+       ssi->cr_own     = cr_own;
+       ssi->cr_mode    = cr_mode;
+       ssi->wsr        = wsr;
+@@ -465,15 +472,18 @@ static int rsnd_ssi_quit(struct rsnd_mod
+               return -EIO;
+       }
+-      if (!rsnd_ssi_is_parent(mod, io))
+-              ssi->cr_own     = 0;
+-
+       rsnd_ssi_master_clk_stop(mod, io);
+       rsnd_mod_power_off(mod);
+       ssi->usrcnt--;
++      if (!ssi->usrcnt) {
++              ssi->cr_own     = 0;
++              ssi->cr_mode    = 0;
++              ssi->wsr        = 0;
++      }
++
+       return 0;
+ }
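Review bot: `rsnd_ssi_config_init()` now starts from the saved `ssi->cr_own` and clears only the data-word-length field (`cr_own &= ~DWL_MASK;`) before OR-ing new values in, while the channel field (`CHNL_4`/`CHNL_6`/`CHNL_8`, bits 22-23) and `TRMD` are still accumulated with `|=`. If the function runs again while `usrcnt` is non-zero with a different channel count or direction, bits from the earlier configuration would stay set. Clearing the channel field the same way, with a new mask such as `CHNL_MASK` defined as `(3 << 22)` and `cr_own &= ~CHNL_MASK;` next to the DWL line, would make re-initialisation symmetric. Whether a second call with different parameters can occur is not visible here, because the function begins and ends outside the hunks.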
diff --git a/queue-4.18/asoc-rt1305-use-ull-suffixes-for-64-bit-constants.patch b/queue-4.18/asoc-rt1305-use-ull-suffixes-for-64-bit-constants.patch
new file mode 100644 (file)
index 0000000..dc8b695
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Thu, 7 Jun 2018 15:50:48 +0200
+Subject: ASoC: rt1305: Use ULL suffixes for 64-bit constants
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit 4f29b663c08d369fe320a148179996c94cf7d01b ]
+
+With gcc 4.1.2:
+
+    sound/soc/codecs/rt1305.c: In function ‘rt1305_calibrate’:
+    sound/soc/codecs/rt1305.c:1069: warning: integer constant is too large for ‘long’ type
+    sound/soc/codecs/rt1305.c:1086: warning: integer constant is too large for ‘long’ type
+
+Add the missing "ULL" suffixes to fix this.
+
+Fixes: 29bc643ddd7efb74 ("ASoC: rt1305: Add RT1305/RT1306 amplifier driver")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/rt1305.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/codecs/rt1305.c
++++ b/sound/soc/codecs/rt1305.c
+@@ -1066,7 +1066,7 @@ static void rt1305_calibrate(struct rt13
+       pr_debug("Left_rhl = 0x%x rh=0x%x rl=0x%x\n", rhl, rh, rl);
+       pr_info("Left channel %d.%dohm\n", (r0ohm/10), (r0ohm%10));
+-      r0l = 562949953421312;
++      r0l = 562949953421312ULL;
+       if (rhl != 0)
+               do_div(r0l, rhl);
+       pr_debug("Left_r0 = 0x%llx\n", r0l);
+@@ -1083,7 +1083,7 @@ static void rt1305_calibrate(struct rt13
+       pr_debug("Right_rhl = 0x%x rh=0x%x rl=0x%x\n", rhl, rh, rl);
+       pr_info("Right channel %d.%dohm\n", (r0ohm/10), (r0ohm%10));
+-      r0r = 562949953421312;
++      r0r = 562949953421312ULL;
+       if (rhl != 0)
+               do_div(r0r, rhl);
+       pr_debug("Right_r0 = 0x%llx\n", r0r);
diff --git a/queue-4.18/ath10k-fix-incorrect-size-of-dma_free_coherent-in-ath10k_ce_alloc_src_ring_64.patch b/queue-4.18/ath10k-fix-incorrect-size-of-dma_free_coherent-in-ath10k_ce_alloc_src_ring_64.patch
new file mode 100644 (file)
index 0000000..46c593a
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Fri, 1 Jun 2018 19:25:48 +0800
+Subject: ath10k: fix incorrect size of dma_free_coherent in ath10k_ce_alloc_src_ring_64
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 5a211627004e2cddd0ab8b9df19e5fb0bbe97634 ]
+
+sizeof(struct ce_desc) should be a copy-paste mistake
+just use sizeof(struct ce_desc_64) to avoid mem leak
+
+Fixes: b7ba83f7c414 ("ath10k: add support for shadow register for WNC3990")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/ce.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/ce.c
++++ b/drivers/net/wireless/ath/ath10k/ce.c
+@@ -1512,7 +1512,7 @@ ath10k_ce_alloc_src_ring_64(struct ath10
+               ret = ath10k_ce_alloc_shadow_base(ar, src_ring, nentries);
+               if (ret) {
+                       dma_free_coherent(ar->dev,
+-                                        (nentries * sizeof(struct ce_desc) +
++                                        (nentries * sizeof(struct ce_desc_64) +
+                                          CE_DESC_RING_ALIGN),
+                                         src_ring->base_addr_owner_space_unaligned,
+                                         base_addr);
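Review bot: The size passed to `dma_free_coherent()` is written out a second time here rather than shared with the allocation, which is how the `struct ce_desc` / `struct ce_desc_64` mismatch corrected by this patch could arise. The matching allocation call is outside the hunk, so this is inferred. Computing the size once, e.g. `size_t ring_size = nentries * sizeof(struct ce_desc_64) + CE_DESC_RING_ALIGN;`, and passing `ring_size` to both the allocation and this free would stop the two from drifting apart again. The description calls this a leak, but the effect is that the DMA layer is given a length different from the one allocated.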
diff --git a/queue-4.18/ath10k-fix-memory-leak-of-tpc_stats.patch b/queue-4.18/ath10k-fix-memory-leak-of-tpc_stats.patch
new file mode 100644 (file)
index 0000000..1f0c238
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Sun, 27 May 2018 22:17:02 +0100
+Subject: ath10k: fix memory leak of tpc_stats
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 260e629bbf441585860e21d5e10d2e88437f47c8 ]
+
+Currently tpc_stats is allocated and is leaked on the return
+path if num_tx_chain is greater than WMI_TPC_TX_N_CHAIN. Avoid
+this leak by performing the check on num_tx_chain before the
+allocation of tpc_stats.
+
+Detected by CoverityScan, CID#1469422 ("Resource Leak")
+Fixes: 4b190675ad06 ("ath10k: fix kernel panic while reading tpc_stats")
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -4602,10 +4602,6 @@ void ath10k_wmi_event_pdev_tpc_config(st
+       ev = (struct wmi_pdev_tpc_config_event *)skb->data;
+-      tpc_stats = kzalloc(sizeof(*tpc_stats), GFP_ATOMIC);
+-      if (!tpc_stats)
+-              return;
+-
+       num_tx_chain = __le32_to_cpu(ev->num_tx_chain);
+       if (num_tx_chain > WMI_TPC_TX_N_CHAIN) {
+@@ -4614,6 +4610,10 @@ void ath10k_wmi_event_pdev_tpc_config(st
+               return;
+       }
++      tpc_stats = kzalloc(sizeof(*tpc_stats), GFP_ATOMIC);
++      if (!tpc_stats)
++              return;
++
+       ath10k_wmi_tpc_config_get_rate_code(rate_code, pream_table,
+                                           num_tx_chain);
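Review bot: `ev->num_tx_chain` is read right after `skb->data` is cast to `struct wmi_pdev_tpc_config_event *`, and nothing in the hunk shows `skb->len` being compared with the size of that structure. The function starts outside the hunk, so the check may already exist above. If it does not, a guard such as `if (skb->len < sizeof(*ev)) return;` before the first field access would keep a short firmware event from being parsed past its end. Moving the `num_tx_chain` range check ahead of `kzalloc()` is otherwise the right order, since the early return shown here now happens before anything is allocated.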
diff --git a/queue-4.18/ath10k-protect-ath10k_htt_rx_ring_free-with-rx_ring.lock.patch b/queue-4.18/ath10k-protect-ath10k_htt_rx_ring_free-with-rx_ring.lock.patch
new file mode 100644 (file)
index 0000000..3503137
--- /dev/null
@@ -0,0 +1,52 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Ben Greear <greearb@candelatech.com>
+Date: Mon, 18 Jun 2018 17:00:56 +0300
+Subject: ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
+
+From: Ben Greear <greearb@candelatech.com>
+
+[ Upstream commit 168f75f11fe68455e0d058a818ebccfc329d8685 ]
+
+While debugging driver crashes related to a buggy firmware
+crashing under load, I noticed that ath10k_htt_rx_ring_free
+could be called without being under lock.  I'm not sure if this
+is the root cause of the crash or not, but it seems prudent to
+protect it.
+
+Originally tested on 4.16+ kernel with ath10k-ct 10.4 firmware
+running on 9984 NIC.
+
+Signed-off-by: Ben Greear <greearb@candelatech.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/htt_rx.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
+@@ -268,11 +268,12 @@ int ath10k_htt_rx_ring_refill(struct ath
+       spin_lock_bh(&htt->rx_ring.lock);
+       ret = ath10k_htt_rx_ring_fill_n(htt, (htt->rx_ring.fill_level -
+                                             htt->rx_ring.fill_cnt));
+-      spin_unlock_bh(&htt->rx_ring.lock);
+       if (ret)
+               ath10k_htt_rx_ring_free(htt);
++      spin_unlock_bh(&htt->rx_ring.lock);
++
+       return ret;
+ }
+@@ -284,7 +285,9 @@ void ath10k_htt_rx_free(struct ath10k_ht
+       skb_queue_purge(&htt->rx_in_ord_compl_q);
+       skb_queue_purge(&htt->tx_fetch_ind_q);
++      spin_lock_bh(&htt->rx_ring.lock);
+       ath10k_htt_rx_ring_free(htt);
++      spin_unlock_bh(&htt->rx_ring.lock);
+       dma_free_coherent(htt->ar->dev,
+                         ath10k_htt_get_rx_ring_size(htt),
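Review bot: `ath10k_htt_rx_ring_free()` now depends on its caller holding `htt->rx_ring.lock`, but that contract exists only implicitly in the two call sites changed here. Adding `lockdep_assert_held(&htt->rx_ring.lock);` at the top of `ath10k_htt_rx_ring_free()` (its body is outside the hunk) would document the rule and catch any other caller that still invokes it unlocked. Because the free now runs inside a `spin_lock_bh()` section, it is also worth confirming that nothing it calls can sleep.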
diff --git a/queue-4.18/ath10k-sdio-set-skb-len-for-all-rx-packets.patch b/queue-4.18/ath10k-sdio-set-skb-len-for-all-rx-packets.patch
new file mode 100644 (file)
index 0000000..a4c3f74
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Alagu Sankar <alagusankar@silex-india.com>
+Date: Fri, 29 Jun 2018 16:28:00 +0300
+Subject: ath10k: sdio: set skb len for all rx packets
+
+From: Alagu Sankar <alagusankar@silex-india.com>
+
+[ Upstream commit 8530b4e7b22bc3bd8240579f3844c73947cd5f71 ]
+
+Without this, packets larger than 1500 will silently be dropped.
+Easily reproduced by sending a ping packet with a size larger
+than 1500.
+
+Co-Developed-by: Niklas Cassel <niklas.cassel@linaro.org>
+Signed-off-by: Alagu Sankar <alagusankar@silex-india.com>
+Signed-off-by: Niklas Cassel <niklas.cassel@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/sdio.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/ath/ath10k/sdio.c
++++ b/drivers/net/wireless/ath/ath10k/sdio.c
+@@ -396,6 +396,7 @@ static int ath10k_sdio_mbox_rx_process_p
+       int ret;
+       payload_len = le16_to_cpu(htc_hdr->len);
++      skb->len = payload_len + sizeof(struct ath10k_htc_hdr);
+       if (trailer_present) {
+               trailer = skb->data + sizeof(*htc_hdr) +
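Review bot: `skb->len` is assigned directly from `payload_len`, a 16-bit length taken from the HTC header the device sent, and the hunk shows no comparison against the size of the buffer the packet was read into. If that bound is not enforced where the skb is allocated (outside this hunk), an oversized value makes every later consumer of `skb->len` trust more data than was received. The packet should be rejected when `payload_len + sizeof(*htc_hdr)` exceeds the length the buffer was allocated with, with a comment such as `/* htc_hdr->len is device-supplied: bound it before trusting it */`. Writing the field directly instead of using the skb length helpers also leaves `skb->tail` out of step with `len`.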
diff --git a/queue-4.18/ath10k-sdio-use-same-endpoint-id-for-all-packets-in-a-bundle.patch b/queue-4.18/ath10k-sdio-use-same-endpoint-id-for-all-packets-in-a-bundle.patch
new file mode 100644 (file)
index 0000000..c0f5180
--- /dev/null
@@ -0,0 +1,58 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Alagu Sankar <alagusankar@silex-india.com>
+Date: Fri, 29 Jun 2018 16:27:56 +0300
+Subject: ath10k: sdio: use same endpoint id for all packets in a bundle
+
+From: Alagu Sankar <alagusankar@silex-india.com>
+
+[ Upstream commit 679e1f07c86221b7183dd69df7068fd42d0041f6 ]
+
+All packets in a bundle should use the same endpoint id as the
+first lookahead.
+
+This matches how things are done is ath6kl, however,
+this patch can theoretically handle several bundles
+in ath10k_sdio_mbox_rx_process_packets().
+
+Without this patch we get lots of errors about invalid endpoint id:
+
+ath10k_sdio mmc2:0001:1: invalid endpoint in look-ahead: 224
+ath10k_sdio mmc2:0001:1: failed to get pending recv messages: -12
+ath10k_sdio mmc2:0001:1: failed to process pending SDIO interrupts: -12
+
+Co-Developed-by: Niklas Cassel <niklas.cassel@linaro.org>
+Signed-off-by: Alagu Sankar <alagusankar@silex-india.com>
+Signed-off-by: Niklas Cassel <niklas.cassel@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/sdio.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/sdio.c
++++ b/drivers/net/wireless/ath/ath10k/sdio.c
+@@ -434,12 +434,14 @@ static int ath10k_sdio_mbox_rx_process_p
+       enum ath10k_htc_ep_id id;
+       int ret, i, *n_lookahead_local;
+       u32 *lookaheads_local;
++      int lookahead_idx = 0;
+       for (i = 0; i < ar_sdio->n_rx_pkts; i++) {
+               lookaheads_local = lookaheads;
+               n_lookahead_local = n_lookahead;
+-              id = ((struct ath10k_htc_hdr *)&lookaheads[i])->eid;
++              id = ((struct ath10k_htc_hdr *)
++                    &lookaheads[lookahead_idx++])->eid;
+               if (id >= ATH10K_HTC_EP_COUNT) {
+                       ath10k_warn(ar, "invalid endpoint in look-ahead: %d\n",
+@@ -462,6 +464,7 @@ static int ath10k_sdio_mbox_rx_process_p
+                       /* Only read lookahead's from RX trailers
+                        * for the last packet in a bundle.
+                        */
++                      lookahead_idx--;
+                       lookaheads_local = NULL;
+                       n_lookahead_local = NULL;
+               }
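Review bot: The post-increment in `&lookaheads[lookahead_idx++]` combined with the later `lookahead_idx--` is hard to follow and is not explained where the variable is declared. Together they appear to mean "advance to the next lookahead only after the last packet of a bundle". A comment at the declaration, e.g. `/* lookahead for the current bundle; advanced once the bundle's last packet is handled */`, would make that intent explicit. The branch condition guarding the decrement is outside the hunk, so this reading is inferred from the existing comment above it. The hunk also shows no comparison of `lookahead_idx` with `*n_lookahead` before indexing, so it is worth confirming that the caller guarantees enough valid entries.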
diff --git a/queue-4.18/ath10k-snoc-use-correct-bus-specific-pointer-in-rx-retry.patch b/queue-4.18/ath10k-snoc-use-correct-bus-specific-pointer-in-rx-retry.patch
new file mode 100644 (file)
index 0000000..f4c1c96
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Brian Norris <briannorris@chromium.org>
+Date: Mon, 11 Jun 2018 14:09:43 -0700
+Subject: ath10k: snoc: use correct bus-specific pointer in RX retry
+
+From: Brian Norris <briannorris@chromium.org>
+
+[ Upstream commit 426a0f0b5a2fe1df3496ba299ee3521159dba302 ]
+
+We're 'ath10k_snoc', not 'ath10k_pci'. This probably means we're
+accessing junk data in ath10k_snoc_rx_replenish_retry(), unless
+'ath10k_snoc' and 'ath10k_pci' happen to have very similar struct
+layouts.
+
+Noticed by inspection.
+
+Fixes: d915105231ca ("ath10k: add hif rx methods for wcn3990")
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/snoc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/snoc.c
++++ b/drivers/net/wireless/ath/ath10k/snoc.c
+@@ -449,7 +449,7 @@ static void ath10k_snoc_htt_rx_cb(struct
+ static void ath10k_snoc_rx_replenish_retry(struct timer_list *t)
+ {
+-      struct ath10k_pci *ar_snoc = from_timer(ar_snoc, t, rx_post_retry);
++      struct ath10k_snoc *ar_snoc = from_timer(ar_snoc, t, rx_post_retry);
+       struct ath10k *ar = ar_snoc->ar;
+       ath10k_snoc_rx_post(ar);
diff --git a/queue-4.18/ath10k-transmit-queued-frames-after-processing-rx-packets.patch b/queue-4.18/ath10k-transmit-queued-frames-after-processing-rx-packets.patch
new file mode 100644 (file)
index 0000000..dd3e534
--- /dev/null
@@ -0,0 +1,89 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Niklas Cassel <niklas.cassel@linaro.org>
+Date: Mon, 18 Jun 2018 17:00:49 +0300
+Subject: ath10k: transmit queued frames after processing rx packets
+
+From: Niklas Cassel <niklas.cassel@linaro.org>
+
+[ Upstream commit 3f04950f32d5d592ab4fcaecac2178558a6f7437 ]
+
+When running iperf on ath10k SDIO, TX can stop working:
+
+iperf -c 192.168.1.1 -i 1 -t 20 -w 10K
+[  3]  0.0- 1.0 sec  2.00 MBytes  16.8 Mbits/sec
+[  3]  1.0- 2.0 sec  3.12 MBytes  26.2 Mbits/sec
+[  3]  2.0- 3.0 sec  3.25 MBytes  27.3 Mbits/sec
+[  3]  3.0- 4.0 sec   655 KBytes  5.36 Mbits/sec
+[  3]  4.0- 5.0 sec  0.00 Bytes  0.00 bits/sec
+[  3]  5.0- 6.0 sec  0.00 Bytes  0.00 bits/sec
+[  3]  6.0- 7.0 sec  0.00 Bytes  0.00 bits/sec
+[  3]  7.0- 8.0 sec  0.00 Bytes  0.00 bits/sec
+[  3]  8.0- 9.0 sec  0.00 Bytes  0.00 bits/sec
+[  3]  9.0-10.0 sec  0.00 Bytes  0.00 bits/sec
+[  3]  0.0-10.3 sec  9.01 MBytes  7.32 Mbits/sec
+
+There are frames in the ieee80211_txq and there are frames that have
+been removed from from this queue, but haven't yet been sent on the wire
+(num_pending_tx).
+
+When num_pending_tx reaches max_num_pending_tx, we will stop the queues
+by calling ieee80211_stop_queues().
+
+As frames that have previously been sent for transmission
+(num_pending_tx) are completed, we will decrease num_pending_tx and wake
+the queues by calling ieee80211_wake_queue(). ieee80211_wake_queue()
+does not call wake_tx_queue, so we might still have frames in the
+queue at this point.
+
+While the queues were stopped, the socket buffer might have filled up,
+and in order for user space to write more, we need to free the frames
+in the queue, since they are accounted to the socket. In order to free
+them, we first need to transmit them.
+
+This problem cannot be reproduced on low-latency devices, e.g. pci,
+since they call ath10k_mac_tx_push_pending() from
+ath10k_htt_txrx_compl_task(). ath10k_htt_txrx_compl_task() is not called
+on high-latency devices.
+Fix the problem by calling ath10k_mac_tx_push_pending(), after
+processing rx packets, just like for low-latency devices, also in the
+SDIO case. Since we are calling ath10k_mac_tx_push_pending() directly,
+we also need to export it.
+
+Signed-off-by: Niklas Cassel <niklas.cassel@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c  |    1 +
+ drivers/net/wireless/ath/ath10k/sdio.c |    3 +++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -4054,6 +4054,7 @@ void ath10k_mac_tx_push_pending(struct a
+       rcu_read_unlock();
+       spin_unlock_bh(&ar->txqs_lock);
+ }
++EXPORT_SYMBOL(ath10k_mac_tx_push_pending);
+ /************/
+ /* Scanning */
+--- a/drivers/net/wireless/ath/ath10k/sdio.c
++++ b/drivers/net/wireless/ath/ath10k/sdio.c
+@@ -30,6 +30,7 @@
+ #include "debug.h"
+ #include "hif.h"
+ #include "htc.h"
++#include "mac.h"
+ #include "targaddrs.h"
+ #include "trace.h"
+ #include "sdio.h"
+@@ -1346,6 +1347,8 @@ static void ath10k_sdio_irq_handler(stru
+                       break;
+       } while (time_before(jiffies, timeout) && !done);
++      ath10k_mac_tx_push_pending(ar);
++
+       sdio_claim_host(ar_sdio->func);
+       if (ret && ret != -ECANCELED)
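Review bot: The new `ath10k_mac_tx_push_pending(ar)` call in `ath10k_sdio_irq_handler()` carries no comment, and its placement is not self-explanatory: it sits after the processing loop, before `sdio_claim_host()` and before `ret` is examined. The reason appears only in the commit message. A short comment such as `/* no txrx completion task on high-latency buses: push queued TX frames here */` would keep the call from being moved or dropped later. The call also runs when the loop ended with an error in `ret`; if that is intended, the comment is a good place to say so.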
diff --git a/queue-4.18/ath10k-use-locked-skb_dequeue-for-rx-completions.patch b/queue-4.18/ath10k-use-locked-skb_dequeue-for-rx-completions.patch
new file mode 100644 (file)
index 0000000..a0d97e1
--- /dev/null
@@ -0,0 +1,140 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Bob Copeland <me@bobcopeland.com>
+Date: Thu, 21 Jun 2018 08:25:48 -0400
+Subject: ath10k: use locked skb_dequeue for rx completions
+
+From: Bob Copeland <me@bobcopeland.com>
+
+[ Upstream commit 62652555c616cad23a572f76cb5e870ab5395191 ]
+
+In our environment we are occasionally seeing the following stack trace
+in ath10k:
+
+Unable to handle kernel paging request at virtual address 0000a800
+pgd = c0204000
+[0000a800] *pgd=00000000
+Internal error: Oops: 17 [#1] SMP ARM
+Modules linked in: dwc3 dwc3_of_simple phy_qcom_dwc3 nf_nat xt_connmark
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.9.31 #2
+Hardware name: Generic DT based system
+task: c09f4f40 task.stack: c09ee000
+PC is at kfree_skb_list+0x1c/0x2c
+LR is at skb_release_data+0x6c/0x108
+pc : [<c065dcc4>]    lr : [<c065da5c>]    psr: 200f0113
+sp : c09efb68  ip : c09efb80  fp : c09efb7c
+r10: 00000000  r9 : 00000000  r8 : 043fddd1
+r7 : bf15d160  r6 : 00000000  r5 : d4ca2f00  r4 : ca7c6480
+r3 : 000000a0  r2 : 01000000  r1 : c0a57470  r0 : 0000a800
+Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
+Control: 10c5787d  Table: 56e6006a  DAC: 00000051
+Process swapper/0 (pid: 0, stack limit = 0xc09ee210)
+Stack: (0xc09efb68 to 0xc09f0000)
+fb60:                   ca7c6480 d4ca2f00 c09efb9c c09efb80 c065da5c c065dcb4
+fb80: d4ca2f00 00000000 dcbf8400 bf15d160 c09efbb4 c09efba0 c065db28 c065d9fc
+fba0: d4ca2f00 00000000 c09efbcc c09efbb8 c065db48 c065db04 d4ca2f00 00000000
+fbc0: c09efbe4 c09efbd0 c065ddd0 c065db38 d4ca2f00 00000000 c09efc64 c09efbe8
+fbe0: bf09bd00 c065dd10 00000003 7fffffff c09efc24 dcbfc9c0 01200000 00000000
+fc00: 00000000 00000000 ddb7e440 c09e9440 c09efc48 1d195000 c09efc7c c09efc28
+fc20: c027bb68 c028aa00 ddb7e4f8 bf13231c ddb7e454 0004091f bf154571 d4ca2f00
+fc40: dcbf8d00 ca7c5df6 bf154538 01200000 00000000 bf154538 c09efd1c c09efc68
+fc60: bf132458 bf09bbbc ca7c5dec 00000041 bf154538 bf154539 000007bf bf154545
+fc80: bf154538 bf154538 bf154538 bf154538 bf154538 00000000 00000000 000016c1
+fca0: 00000001 c09efcb0 01200000 00000000 00000000 00000000 00000000 00000001
+fcc0: bf154539 00000041 00000000 00000007 00000000 000000d0 ffffffff 3160ffff
+fce0: 9ad93e97 3e973160 7bf09ad9 0004091f d4ca2f00 c09efdb0 dcbf94e8 00000000
+fd00: dcbf8d00 01200000 00000000 dcbf8d00 c09efd44 c09efd20 bf132544 bf132130
+fd20: dcbf8d00 00000000 d4ca2f00 c09efdb0 00000001 d4ca2f00 c09efdec c09efd48
+fd40: bf133630 bf1324d0 ca7c5cc0 000007c0 c09efd88 c09efd70 c0764230 c02277d8
+fd60: 200f0113 ffffffff dcbf94c8 bf000000 dcbf93b0 dcbf8d00 00000040 dcbf945c
+fd80: dcbf94e8 00000000 c09efdcc 00000000 c09efd90 c09efd90 00000000 00000024
+fda0: dcbf8d00 00000000 00000005 dcbf8d00 c09efdb0 c09efdb0 00000000 00000040
+fdc0: c09efdec dcbf8d00 dcbfc9c0 c09ed140 00000040 00000000 00000100 00000040
+fde0: c09efe14 c09efdf0 bf1739b4 bf132840 dcbfc9c0 ddb82140 c09ed140 1d195000
+fe00: 00000001 00000100 c09efe64 c09efe18 c067136c bf173958 ddb7fac8 c09f0d00
+fe20: 001df678 0000012c c09efe28 c09efe28 c09efe30 c09efe30 c0a7fb28 ffffe000
+fe40: c09f008c 00000003 00000008 c0a598c0 00000100 c09f0080 c09efeb4 c09efe68
+fe60: c02096e0 c0671278 c0494584 00000080 dd5c3300 c09f0d00 00000004 001df677
+fe80: 0000000a 00200100 dd5c3300 00000000 00000000 c09eaa70 00000060 dd410800
+fea0: c09ee000 00000000 c09efecc c09efeb8 c0227944 c02094c4 00000000 00000000
+fec0: c09efef4 c09efed0 c0268b64 c02278ac de802000 c09f1b1c c09eff20 c0a16cc0
+fee0: de803000 c09ee000 c09eff1c c09efef8 c020947c c0268ae0 c02103dc 600f0013
+ff00: ffffffff c09eff54 ffffe000 c09ee000 c09eff7c c09eff20 c021448c c0209424
+ff20: 00000001 00000000 00000000 c021ddc0 00000000 00000000 c09f1024 00000001
+ff40: ffffe000 c09f1078 00000000 c09eff7c c09eff80 c09eff70 c02103ec c02103dc
+ff60: 600f0013 ffffffff 00000051 00000000 c09eff8c c09eff80 c0763cc4 c02103bc
+ff80: c09effa4 c09eff90 c025f0e4 c0763c98 c0a59040 c09f1000 c09effb4 c09effa8
+ffa0: c075efe0 c025efd4 c09efff4 c09effb8 c097dcac c075ef7c ffffffff ffffffff
+ffc0: 00000000 c097d6c4 00000000 c09c1a28 c0a59294 c09f101c c09c1a24 c09f61c0
+ffe0: 4220406a 512f04d0 00000000 c09efff8 4220807c c097d95c 00000000 00000000
+[<c065dcc4>] (kfree_skb_list) from [<c065da5c>] (skb_release_data+0x6c/0x108)
+[<c065da5c>] (skb_release_data) from [<c065db28>] (skb_release_all+0x30/0x34)
+[<c065db28>] (skb_release_all) from [<c065db48>] (__kfree_skb+0x1c/0x9c)
+[<c065db48>] (__kfree_skb) from [<c065ddd0>] (consume_skb+0xcc/0xd8)
+[<c065ddd0>] (consume_skb) from [<bf09bd00>] (ieee80211_rx_napi+0x150/0x82c [mac80211])
+[<bf09bd00>] (ieee80211_rx_napi [mac80211]) from [<bf132458>] (ath10k_htt_t2h_msg_handler+0x15e8/0x19c4 [ath10k_core])
+[<bf132458>] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [<bf132544>] (ath10k_htt_t2h_msg_handler+0x16d4/0x19c4 [ath10k_core])
+[<bf132544>] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [<bf133630>] (ath10k_htt_txrx_compl_task+0xdfc/0x12cc [ath10k_core])
+[<bf133630>] (ath10k_htt_txrx_compl_task [ath10k_core]) from [<bf1739b4>] (ath10k_pci_napi_poll+0x68/0xf4 [ath10k_pci])
+[<bf1739b4>] (ath10k_pci_napi_poll [ath10k_pci]) from [<c067136c>] (net_rx_action+0x100/0x33c)
+[<c067136c>] (net_rx_action) from [<c02096e0>] (__do_softirq+0x228/0x31c)
+[<c02096e0>] (__do_softirq) from [<c0227944>] (irq_exit+0xa4/0x114)
+
+The trace points to a corrupt skb inside kfree_skb(), seemingly because
+one of the shared skb queues is getting corrupted.  Most of the skb queues
+ath10k uses are local to a single call stack, but three are shared among
+multiple codepaths:
+
+ - rx_msdus_q,
+ - rx_in_ord_compl_q, and
+ - tx_fetch_ind_q
+
+Of the three, the first two are manipulated using the unlocked skb_queue
+functions without any additional lock protecting them.  Use the locked
+variants of skb_queue_* functions to protect these manipulations.
+
+Signed-off-by: Bob Copeland <bobcopeland@fb.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/htt_rx.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
+@@ -1089,7 +1089,7 @@ static void ath10k_htt_rx_h_queue_msdu(s
+       status = IEEE80211_SKB_RXCB(skb);
+       *status = *rx_status;
+-      __skb_queue_tail(&ar->htt.rx_msdus_q, skb);
++      skb_queue_tail(&ar->htt.rx_msdus_q, skb);
+ }
+ static void ath10k_process_rx(struct ath10k *ar, struct sk_buff *skb)
+@@ -2810,7 +2810,7 @@ bool ath10k_htt_t2h_msg_handler(struct a
+               break;
+       }
+       case HTT_T2H_MSG_TYPE_RX_IN_ORD_PADDR_IND: {
+-              __skb_queue_tail(&htt->rx_in_ord_compl_q, skb);
++              skb_queue_tail(&htt->rx_in_ord_compl_q, skb);
+               return false;
+       }
+       case HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND:
+@@ -2874,7 +2874,7 @@ static int ath10k_htt_rx_deliver_msdu(st
+               if (skb_queue_empty(&ar->htt.rx_msdus_q))
+                       break;
+-              skb = __skb_dequeue(&ar->htt.rx_msdus_q);
++              skb = skb_dequeue(&ar->htt.rx_msdus_q);
+               if (!skb)
+                       break;
+               ath10k_process_rx(ar, skb);
+@@ -2905,7 +2905,7 @@ int ath10k_htt_txrx_compl_task(struct at
+               goto exit;
+       }
+-      while ((skb = __skb_dequeue(&htt->rx_in_ord_compl_q))) {
++      while ((skb = skb_dequeue(&htt->rx_in_ord_compl_q))) {
+               spin_lock_bh(&htt->rx_ring.lock);
+               ret = ath10k_htt_rx_in_ord_ind(ar, skb);
+               spin_unlock_bh(&htt->rx_ring.lock);
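Review bot: In `ath10k_htt_rx_deliver_msdu()` the unlocked `skb_queue_empty(&ar->htt.rx_msdus_q)` test is still performed before the now-locked `skb_dequeue()`. It is redundant, because `skb_dequeue()` returns NULL on an empty queue and the following `if (!skb) break;` already handles that. It also keeps one unsynchronised read of a queue the patch is trying to serialise. Dropping the two `skb_queue_empty` lines leaves `skb = skb_dequeue(&ar->htt.rx_msdus_q);` as the only access in the loop. Any other user of `rx_msdus_q` or `rx_in_ord_compl_q` outside these hunks would need the locked variants too for the fix to be complete.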
diff --git a/queue-4.18/audit-fix-extended-comparison-of-gid-egid.patch b/queue-4.18/audit-fix-extended-comparison-of-gid-egid.patch
new file mode 100644 (file)
index 0000000..f143c08
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: "Ondrej Mosnáček" <omosnace@redhat.com>
+Date: Tue, 5 Jun 2018 11:00:10 +0200
+Subject: audit: Fix extended comparison of GID/EGID
+
+From: "Ondrej Mosnáček" <omosnace@redhat.com>
+
+[ Upstream commit af85d1772e31fed34165a1b3decef340cf4080c0 ]
+
+The audit_filter_rules() function in auditsc.c used the in_[e]group_p()
+functions to check GID/EGID match, but these functions use the current
+task's credentials, while the comparison should use the credentials of
+the task given to audit_filter_rules() as a parameter (tsk).
+
+Note that we can use group_search(cred->group_info, ...) as a
+replacement for both in_group_p and in_egroup_p as these functions only
+compare the parameter to cred->fsgid/egid and then call group_search.
+
+In fact, the usage of in_group_p was even more incorrect: it compares to
+cred->fsgid (which is usually equal to cred->egid) and not cred->gid.
+
+GitHub issue:
+https://github.com/linux-audit/audit-kernel/issues/82
+
+Fixes: 37eebe39c973 ("audit: improve GID/EGID comparation logic")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/auditsc.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -494,20 +494,20 @@ static int audit_filter_rules(struct tas
+                       result = audit_gid_comparator(cred->gid, f->op, f->gid);
+                       if (f->op == Audit_equal) {
+                               if (!result)
+-                                      result = in_group_p(f->gid);
++                                      result = groups_search(cred->group_info, f->gid);
+                       } else if (f->op == Audit_not_equal) {
+                               if (result)
+-                                      result = !in_group_p(f->gid);
++                                      result = !groups_search(cred->group_info, f->gid);
+                       }
+                       break;
+               case AUDIT_EGID:
+                       result = audit_gid_comparator(cred->egid, f->op, f->gid);
+                       if (f->op == Audit_equal) {
+                               if (!result)
+-                                      result = in_egroup_p(f->gid);
++                                      result = groups_search(cred->group_info, f->gid);
+                       } else if (f->op == Audit_not_equal) {
+                               if (result)
+-                                      result = !in_egroup_p(f->gid);
++                                      result = !groups_search(cred->group_info, f->gid);
+                       }
+                       break;
+               case AUDIT_SGID:
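Review bot: Nothing at the `AUDIT_GID` / `AUDIT_EGID` arms records why `groups_search(cred->group_info, ...)` is used instead of the more familiar `in_group_p()` / `in_egroup_p()`. A later cleanup could therefore reintroduce the helpers that consult the current task rather than `tsk`. A one-line comment above the first arm, e.g. `/* match against tsk's cred; in_[e]group_p() would test current */`, would guard against that regression in audit rule matching. The four-line supplementary-group fallback is now identical in both arms and could be shared by a small static helper. `cred` is obtained outside the hunk, so its validity across these calls is assumed to be handled there.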
diff --git a/queue-4.18/bitfield-fix-_encode_bits.patch b/queue-4.18/bitfield-fix-_encode_bits.patch
new file mode 100644 (file)
index 0000000..75715bf
--- /dev/null
@@ -0,0 +1,56 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Johannes Berg <johannes@sipsolutions.net>
+Date: Wed, 20 Jun 2018 08:58:28 +0200
+Subject: bitfield: fix *_encode_bits()
+
+From: Johannes Berg <johannes@sipsolutions.net>
+
+[ Upstream commit e7d4a95da86e0b048702765bbdcdc968aaf312e7 ]
+
+There's a bug in *_encode_bits() in using ~field_multiplier() for
+the check whether or not the constant value fits into the field,
+this is wrong and clearly ~field_mask() was intended. This was
+triggering for me for both constant and non-constant values.
+
+Additionally, make this case actually into an compile error.
+Declaring the extern function that will never exist with just a
+warning is pointless as then later we'll just get a link error.
+
+While at it, also fix the indentation in those lines I'm touching.
+
+Finally, as suggested by Andy Shevchenko, add some tests and for
+that introduce also u8 helpers. The tests don't compile without
+the fix, showing that it's necessary.
+
+Fixes: 00b0c9b82663 ("Add primitives for manipulating bitfields both in host- and fixed-endian.")
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/bitfield.h |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/include/linux/bitfield.h
++++ b/include/linux/bitfield.h
+@@ -104,7 +104,7 @@
+               (typeof(_mask))(((_reg) & (_mask)) >> __bf_shf(_mask)); \
+       })
+-extern void __compiletime_warning("value doesn't fit into mask")
++extern void __compiletime_error("value doesn't fit into mask")
+ __field_overflow(void);
+ extern void __compiletime_error("bad bitfield mask")
+ __bad_mask(void);
+@@ -121,8 +121,8 @@ static __always_inline u64 field_mask(u6
+ #define ____MAKE_OP(type,base,to,from)                                        \
+ static __always_inline __##type type##_encode_bits(base v, base field)        \
+ {                                                                     \
+-        if (__builtin_constant_p(v) &&        (v & ~field_multiplier(field))) \
+-                          __field_overflow();                         \
++      if (__builtin_constant_p(v) && (v & ~field_mask(field)))        \
++              __field_overflow();                                     \
+       return to((v & field_mask(field)) * field_multiplier(field));   \
+ }                                                                     \
+ static __always_inline __##type type##_replace_bits(__##type old,     \
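Review bot: The overflow check in `type##_encode_bits()` fires only when `v` is a compile-time constant; a run-time `v` with bits outside the field is silently truncated by `v & field_mask(field)` on the return line. That behaviour is not stated near the macro, and with the diagnostic promoted to `__compiletime_error` readers may assume every overflow is caught. A comment above `____MAKE_OP`, such as `/* non-constant values are masked to the field width, not rejected */`, would make the contract explicit. The description also mentions added tests and u8 helpers, while this queued patch touches only `include/linux/bitfield.h`.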
diff --git a/queue-4.18/bluetooth-add-a-new-realtek-8723de-id-0bda-b009.patch b/queue-4.18/bluetooth-add-a-new-realtek-8723de-id-0bda-b009.patch
new file mode 100644 (file)
index 0000000..2e6dbbe
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Jian-Hong Pan <jian-hong@endlessm.com>
+Date: Fri, 25 May 2018 17:54:52 +0800
+Subject: Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
+
+From: Jian-Hong Pan <jian-hong@endlessm.com>
+
+[ Upstream commit 45ae68b8cfc25bdbffc11248001c47ab1b76ff6e ]
+
+Without this patch we cannot turn on the Bluethooth adapter on HP
+14-bs007la.
+
+T:  Bus=01 Lev=02 Prnt=03 Port=00 Cnt=01 Dev#=  4 Spd=12   MxCh= 0
+D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
+P:  Vendor=0bda ProdID=b009 Rev= 2.00
+S:  Manufacturer=Realtek
+S:  Product=802.11n WLAN Adapter
+S:  SerialNumber=00e04c000001
+C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
+E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
+E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
+E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
+I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
+E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
+I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
+E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
+I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
+E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
+I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
+E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
+I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
+E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
+
+Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -374,6 +374,7 @@ static const struct usb_device_id blackl
+       { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK },
+       /* Additional Realtek 8723DE Bluetooth devices */
++      { USB_DEVICE(0x0bda, 0xb009), .driver_info = BTUSB_REALTEK },
+       { USB_DEVICE(0x2ff8, 0xb011), .driver_info = BTUSB_REALTEK },
+       /* Additional Realtek 8821AE Bluetooth devices */
diff --git a/queue-4.18/brcmsmac-fix-wrap-around-in-conversion-from-constant-to-s16.patch b/queue-4.18/brcmsmac-fix-wrap-around-in-conversion-from-constant-to-s16.patch
new file mode 100644 (file)
index 0000000..7f9ae02
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Stefan Agner <stefan@agner.ch>
+Date: Sun, 17 Jun 2018 12:33:50 +0200
+Subject: brcmsmac: fix wrap around in conversion from constant to s16
+
+From: Stefan Agner <stefan@agner.ch>
+
+[ Upstream commit c9a61469fc97672a08b2f798830a55ea6e03dc4a ]
+
+The last value in the log_table wraps around to a negative value
+since s16 has a value range of -32768 to 32767. This is not what
+the table intends to represent. Use the closest positive value
+32767.
+
+This fixes a warning seen with clang:
+drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c:216:2: warning:
+      implicit conversion from 'int' to 's16' (aka 'short') changes
+value from 32768
+      to -32768 [-Wconstant-conversion]
+        32768
+        ^~~~~
+1 warning generated.
+
+Fixes: 4c0bfeaae9f9 ("brcmsmac: fix array out-of-bounds access in qm_log10")
+Cc: Tobias Regnery <tobias.regnery@gmail.com>
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c
+@@ -213,7 +213,7 @@ static const s16 log_table[] = {
+       30498,
+       31267,
+       32024,
+-      32768
++      32767
+ };
+ #define LOG_TABLE_SIZE 32       /* log_table size */
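Review bot: The new last entry of `log_table` is a clamped value rather than the one the table's progression gives, and nothing in the source file records that. A trailing comment on the entry, for example `32767 /* clamped: 32768 does not fit in s16 */`, would stop a later reader from restoring the "correct" number and bringing the wrap-around back. The hand-maintained `#define LOG_TABLE_SIZE 32` just below cannot be checked against the real entry count from this hunk; since the Fixes: target was an out-of-bounds access on this table, its comment should say how the define relates to the number of entries.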
diff --git a/queue-4.18/crypto-skcipher-fix-wstringop-truncation-warnings.patch b/queue-4.18/crypto-skcipher-fix-wstringop-truncation-warnings.patch
new file mode 100644 (file)
index 0000000..bc9c3b6
--- /dev/null
@@ -0,0 +1,63 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Stafford Horne <shorne@gmail.com>
+Date: Mon, 25 Jun 2018 21:45:37 +0900
+Subject: crypto: skcipher - Fix -Wstringop-truncation warnings
+
+From: Stafford Horne <shorne@gmail.com>
+
+[ Upstream commit cefd769fd0192c84d638f66da202459ed8ad63ba ]
+
+As of GCC 9.0.0 the build is reporting warnings like:
+
+    crypto/ablkcipher.c: In function ‘crypto_ablkcipher_report’:
+    crypto/ablkcipher.c:374:2: warning: ‘strncpy’ specified bound 64 equals destination size [-Wstringop-truncation]
+      strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>",
+      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+       sizeof(rblkcipher.geniv));
+       ~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This means the strnycpy might create a non null terminated string.  Fix this by
+explicitly performing '\0' termination.
+
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Max Filippov <jcmvbkbc@gmail.com>
+Cc: Eric Biggers <ebiggers3@gmail.com>
+Cc: Nick Desaulniers <nick.desaulniers@gmail.com>
+Signed-off-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/ablkcipher.c |    2 ++
+ crypto/blkcipher.c  |    1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/crypto/ablkcipher.c
++++ b/crypto/ablkcipher.c
+@@ -368,6 +368,7 @@ static int crypto_ablkcipher_report(stru
+       strncpy(rblkcipher.type, "ablkcipher", sizeof(rblkcipher.type));
+       strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>",
+               sizeof(rblkcipher.geniv));
++      rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0';
+       rblkcipher.blocksize = alg->cra_blocksize;
+       rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
+@@ -442,6 +443,7 @@ static int crypto_givcipher_report(struc
+       strncpy(rblkcipher.type, "givcipher", sizeof(rblkcipher.type));
+       strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<built-in>",
+               sizeof(rblkcipher.geniv));
++      rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0';
+       rblkcipher.blocksize = alg->cra_blocksize;
+       rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
+--- a/crypto/blkcipher.c
++++ b/crypto/blkcipher.c
+@@ -510,6 +510,7 @@ static int crypto_blkcipher_report(struc
+       strncpy(rblkcipher.type, "blkcipher", sizeof(rblkcipher.type));
+       strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "<default>",
+               sizeof(rblkcipher.geniv));
++      rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0';
+       rblkcipher.blocksize = alg->cra_blocksize;
+       rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize;
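Review bot: The added terminator silently truncates an over-long `geniv` name, and the same `strncpy` plus manual `'\0'` pair is now written out three times (`crypto_ablkcipher_report`, `crypto_givcipher_report`, `crypto_blkcipher_report`). `strncpy` is presumably kept because it zero-pads the rest of the field, which matters if the report struct is copied out of the kernel. That reason deserves a comment at the first site, e.g. `/* strncpy zero-pads the field; terminate explicitly in case geniv fills it */`. The `rblkcipher.type` copy one line above each fix uses the same bound-equals-size form and stays terminated only while the literal is shorter than the field. All three function bodies start and end outside the hunks.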
diff --git a/queue-4.18/cxgb4-fix-the-condition-to-check-if-the-card-is-t5.patch b/queue-4.18/cxgb4-fix-the-condition-to-check-if-the-card-is-t5.patch
new file mode 100644 (file)
index 0000000..88df3f5
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Ganesh Goudar <ganeshgr@chelsio.com>
+Date: Wed, 4 Jul 2018 17:49:33 +0530
+Subject: cxgb4: Fix the condition to check if the card is T5
+
+From: Ganesh Goudar <ganeshgr@chelsio.com>
+
+[ Upstream commit dfecc759e64b0ea581468fe2359836f1998deac9 ]
+
+Use 'chip_ver' rather than 'chip' to check if the card
+is T5.
+
+Fixes: e8d452923ae6 ("cxgb4: clean up init_one")
+Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -5705,7 +5705,7 @@ static int init_one(struct pci_dev *pdev
+               if (t4_read_reg(adapter, LE_DB_CONFIG_A) & HASHEN_F) {
+                       u32 hash_base, hash_reg;
+-                      if (chip <= CHELSIO_T5) {
++                      if (chip_ver <= CHELSIO_T5) {
+                               hash_reg = LE_DB_TID_HASHBASE_A;
+                               hash_base = t4_read_reg(adapter, hash_reg);
+                               adapter->tids.hash_base = hash_base / 4;
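Review bot: The corrected test `if (chip_ver <= CHELSIO_T5)` sits in a function with two locals, `chip` and `chip_ver`, whose names differ only by a suffix, which is the confusion this patch repairs. Neither declaration is visible in the hunk, so this is inferred. If `chip` holds the full chip identifier and `chip_ver` the extracted version, a one-line comment at the declarations or a more distinct name for `chip` would make the next misuse stand out in review. The commit message also does not say which branch the affected cards took with the wrong comparison, which a backport reviewer needs to judge the impact.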
diff --git a/queue-4.18/documentation-process-fix-rest-table-border-error.patch b/queue-4.18/documentation-process-fix-rest-table-border-error.patch
new file mode 100644 (file)
index 0000000..48ba063
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sat, 16 Jun 2018 19:02:03 -0700
+Subject: Documentation/process: fix reST table border error
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit cccd289f12d0e827070c847b1ff96ba02eb20eaf ]
+
+Fix reST error in Documentation/process/:
+
+Documentation/process/2.Process.rst:131: ERROR: Malformed table.
+Bottom/header table border does not match top border.
+
+Fixes: 8962e40c1993 ("docs: update kernel versions and dates in tables")
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Tim Bird <tbird20d@gmail.com>
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/process/2.Process.rst |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/process/2.Process.rst
++++ b/Documentation/process/2.Process.rst
+@@ -134,7 +134,7 @@ and their maintainers are:
+       4.4     Greg Kroah-Hartman      (very long-term stable kernel)
+       4.9     Greg Kroah-Hartman
+       4.14    Greg Kroah-Hartman
+-      ======  ======================  ===========================
++      ======  ======================  ==============================
+ The selection of a kernel for long-term support is purely a matter of a
+ maintainer having the need and the time to maintain that release.  There
diff --git a/queue-4.18/drivers-tty-add-error-handling-for-pcmcia_loop_config.patch b/queue-4.18/drivers-tty-add-error-handling-for-pcmcia_loop_config.patch
new file mode 100644 (file)
index 0000000..aa3d7c7
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+Date: Tue, 12 Jun 2018 12:36:25 +0800
+Subject: drivers/tty: add error handling for pcmcia_loop_config
+
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+
+[ Upstream commit 85c634e919bd6ef17427f26a52920aeba12e16ee ]
+
+When pcmcia_loop_config fails, the lack of error-handling code may
+cause unexpected results.
+
+This patch adds error-handling code after calling pcmcia_loop_config.
+
+Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/serial_cs.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/8250/serial_cs.c
++++ b/drivers/tty/serial/8250/serial_cs.c
+@@ -638,8 +638,10 @@ static int serial_config(struct pcmcia_d
+           (link->has_func_id) &&
+           (link->socket->pcmcia_pfc == 0) &&
+           ((link->func_id == CISTPL_FUNCID_MULTI) ||
+-           (link->func_id == CISTPL_FUNCID_SERIAL)))
+-              pcmcia_loop_config(link, serial_check_for_multi, info);
++           (link->func_id == CISTPL_FUNCID_SERIAL))) {
++              if (pcmcia_loop_config(link, serial_check_for_multi, info))
++                      goto failed;
++      }
+       /*
+        * Apply any multi-port quirk.
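Review bot: The new `goto failed` turns a previously ignored result into a hard failure and drops the error code, because the return of `pcmcia_loop_config(link, serial_check_for_multi, info)` is tested but never stored. Before this change the multi-port detection appears to have been best effort, with configuration continuing to the quirk handling below, so cards that relied on that may now fail to configure. If the abort is intended, keep the code with `ret = pcmcia_loop_config(link, serial_check_for_multi, info);` and `if (ret) goto failed;` (assuming the function has a suitable local), and name the observed "unexpected results" in the commit message. The `failed` label and the rest of `serial_config` are outside the hunk, so what it returns cannot be checked here.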
diff --git a/queue-4.18/drm-amd-display-dc-dce-fix-multiple-potential-integer-overflows.patch b/queue-4.18/drm-amd-display-dc-dce-fix-multiple-potential-integer-overflows.patch
new file mode 100644 (file)
index 0000000..ace8b6e
--- /dev/null
@@ -0,0 +1,70 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 4 Jul 2018 08:22:11 -0500
+Subject: drm/amd/display/dc/dce: Fix multiple potential integer overflows
+
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+
+[ Upstream commit 6f3472a993e7cb63cde5d818dcabc8e42fc03744 ]
+
+Add suffix ULL to constant 5 and cast variables target_pix_clk_khz and
+feedback_divider to uint64_t in order to avoid multiple potential integer
+overflows and give the compiler complete information about the proper
+arithmetic to use.
+
+Notice that such constant and variables are used in contexts that
+expect expressions of type uint64_t (64 bits, unsigned). The current
+casts to uint64_t effectively apply to each expression as a whole,
+but they do not prevent them from being evaluated using 32-bit
+arithmetic instead of 64-bit arithmetic.
+
+Also, once the expressions are properly evaluated using 64-bit
+arithmentic, there is no need for the parentheses that enclose
+them.
+
+Addresses-Coverity-ID: 1460245 ("Unintentional integer overflow")
+Addresses-Coverity-ID: 1460286 ("Unintentional integer overflow")
+Addresses-Coverity-ID: 1460401 ("Unintentional integer overflow")
+Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dce/dce_clock_source.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dce/dce_clock_source.c
++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_clock_source.c
+@@ -133,7 +133,7 @@ static bool calculate_fb_and_fractional_
+       uint64_t feedback_divider;
+       feedback_divider =
+-              (uint64_t)(target_pix_clk_khz * ref_divider * post_divider);
++              (uint64_t)target_pix_clk_khz * ref_divider * post_divider;
+       feedback_divider *= 10;
+       /* additional factor, since we divide by 10 afterwards */
+       feedback_divider *= (uint64_t)(calc_pll_cs->fract_fb_divider_factor);
+@@ -145,8 +145,8 @@ static bool calculate_fb_and_fractional_
+  * of fractional feedback decimal point and the fractional FB Divider precision
+  * is 2 then the equation becomes (ullfeedbackDivider + 5*100) / (10*100))*/
+-      feedback_divider += (uint64_t)
+-                      (5 * calc_pll_cs->fract_fb_divider_precision_factor);
++      feedback_divider += 5ULL *
++                          calc_pll_cs->fract_fb_divider_precision_factor;
+       feedback_divider =
+               div_u64(feedback_divider,
+                       calc_pll_cs->fract_fb_divider_precision_factor * 10);
+@@ -203,8 +203,8 @@ static bool calc_fb_divider_checking_tol
+                       &fract_feedback_divider);
+       /*Actual calculated value*/
+-      actual_calc_clk_khz = (uint64_t)(feedback_divider *
+-                                      calc_pll_cs->fract_fb_divider_factor) +
++      actual_calc_clk_khz = (uint64_t)feedback_divider *
++                                      calc_pll_cs->fract_fb_divider_factor +
+                                                       fract_feedback_divider;
+       actual_calc_clk_khz *= calc_pll_cs->ref_freq_khz;
+       actual_calc_clk_khz =
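Review bot: The divisor passed to `div_u64` in the second hunk, `calc_pll_cs->fract_fb_divider_precision_factor * 10`, is left unchanged and is still evaluated in the field's own type. If that field is 32 bits wide (its declaration is not in the hunk), the multiplication can wrap in the same way as the three expressions this patch fixes. Because `div_u64` takes a 32-bit divisor, a cast would not help there; a range check on the factor where it is set would. Both function bodies start and end outside the hunks shown.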
diff --git a/queue-4.18/drm-amd-display-fix-use-of-uninitialized-memory.patch b/queue-4.18/drm-amd-display-fix-use-of-uninitialized-memory.patch
new file mode 100644 (file)
index 0000000..ac132c2
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Wesley Chalmers <Wesley.Chalmers@amd.com>
+Date: Tue, 29 May 2018 17:45:05 -0400
+Subject: drm/amd/display: fix use of uninitialized memory
+
+From: Wesley Chalmers <Wesley.Chalmers@amd.com>
+
+[ Upstream commit f3e077d95ca0a016fdf3d6b1e97a9910dfdaff17 ]
+
+DML does not calculate chroma values for RQ when surface is not YUV, but DC
+will unconditionally use the uninitialized values for HW programming.
+This does not cause visual corruption since HW will ignore garbage chroma
+values when surface is not YUV, but causes presubmission tests to fail
+golden value comparison.
+
+Signed-off-by: Wesley Chalmers <Wesley.Chalmers@amd.com>
+Signed-off-by: Eryk Brol <eryk.brol@amd.com>
+Reviewed-by: Wenjing Liu <Wenjing.Liu@amd.com>
+Acked-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dml/dml1_display_rq_dlg_calc.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/dc/dml/dml1_display_rq_dlg_calc.c
++++ b/drivers/gpu/drm/amd/display/dc/dml/dml1_display_rq_dlg_calc.c
+@@ -239,6 +239,8 @@ void dml1_extract_rq_regs(
+       extract_rq_sizing_regs(mode_lib, &(rq_regs->rq_regs_l), rq_param.sizing.rq_l);
+       if (rq_param.yuv420)
+               extract_rq_sizing_regs(mode_lib, &(rq_regs->rq_regs_c), rq_param.sizing.rq_c);
++      else
++              memset(&(rq_regs->rq_regs_c), 0, sizeof(rq_regs->rq_regs_c));
+       rq_regs->rq_regs_l.swath_height = dml_log2(rq_param.dlg.rq_l.swath_height);
+       rq_regs->rq_regs_c.swath_height = dml_log2(rq_param.dlg.rq_c.swath_height);
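Review bot: The added `memset` of `rq_regs->rq_regs_c` is followed immediately by the unconditional `rq_regs->rq_regs_c.swath_height = dml_log2(rq_param.dlg.rq_c.swath_height);`, so one chroma field is still derived from `rq_param` on the non-YUV path. The commit message says DML does not calculate chroma values in that case; if `rq_param.dlg.rq_c` is among them (not visible here), this read uses the same uninitialized data. Guarding the chroma assignment with `if (rq_param.yuv420)` or zero-initializing `rq_param` at its declaration would close that gap. `dml1_extract_rq_regs` starts and ends outside the hunk.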
diff --git a/queue-4.18/drm-omap-gem-fix-mm_list-locking.patch b/queue-4.18/drm-omap-gem-fix-mm_list-locking.patch
new file mode 100644 (file)
index 0000000..fbe3d57
--- /dev/null
@@ -0,0 +1,118 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Fri, 25 May 2018 19:39:24 +0300
+Subject: drm/omap: gem: Fix mm_list locking
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+[ Upstream commit 5117bd898e8c0a31e8ab3a9b8523aecf0706e997 ]
+
+- None of the list walkings where protected.
+
+- Switch to a mutex since the list walking at device resume time can
+  sleep when pinning buffers through the tiler.
+
+Only thing we need to be careful with here is that while we walk the
+list we can't unreference any gem objects, since the final unref would
+result in a recursive deadlock. But the only functions that walk the
+list is the device resume and debugfs dumping, so all safe.
+
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/omap_debugfs.c |    2 ++
+ drivers/gpu/drm/omapdrm/omap_drv.c     |    2 +-
+ drivers/gpu/drm/omapdrm/omap_drv.h     |    2 +-
+ drivers/gpu/drm/omapdrm/omap_gem.c     |   15 +++++++++------
+ 4 files changed, 13 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/omapdrm/omap_debugfs.c
++++ b/drivers/gpu/drm/omapdrm/omap_debugfs.c
+@@ -37,7 +37,9 @@ static int gem_show(struct seq_file *m,
+               return ret;
+       seq_printf(m, "All Objects:\n");
++      mutex_lock(&priv->list_lock);
+       omap_gem_describe_objects(&priv->obj_list, m);
++      mutex_unlock(&priv->list_lock);
+       mutex_unlock(&dev->struct_mutex);
+--- a/drivers/gpu/drm/omapdrm/omap_drv.c
++++ b/drivers/gpu/drm/omapdrm/omap_drv.c
+@@ -540,7 +540,7 @@ static int omapdrm_init(struct omap_drm_
+       priv->omaprev = soc ? (unsigned int)soc->data : 0;
+       priv->wq = alloc_ordered_workqueue("omapdrm", 0);
+-      spin_lock_init(&priv->list_lock);
++      mutex_init(&priv->list_lock);
+       INIT_LIST_HEAD(&priv->obj_list);
+       /* Allocate and initialize the DRM device. */
+--- a/drivers/gpu/drm/omapdrm/omap_drv.h
++++ b/drivers/gpu/drm/omapdrm/omap_drv.h
+@@ -71,7 +71,7 @@ struct omap_drm_private {
+       struct workqueue_struct *wq;
+       /* lock for obj_list below */
+-      spinlock_t list_lock;
++      struct mutex list_lock;
+       /* list of GEM objects: */
+       struct list_head obj_list;
+--- a/drivers/gpu/drm/omapdrm/omap_gem.c
++++ b/drivers/gpu/drm/omapdrm/omap_gem.c
+@@ -1001,6 +1001,7 @@ int omap_gem_resume(struct drm_device *d
+       struct omap_gem_object *omap_obj;
+       int ret = 0;
++      mutex_lock(&priv->list_lock);
+       list_for_each_entry(omap_obj, &priv->obj_list, mm_list) {
+               if (omap_obj->block) {
+                       struct drm_gem_object *obj = &omap_obj->base;
+@@ -1012,12 +1013,14 @@ int omap_gem_resume(struct drm_device *d
+                                       omap_obj->roll, true);
+                       if (ret) {
+                               dev_err(dev->dev, "could not repin: %d\n", ret);
+-                              return ret;
++                              goto done;
+                       }
+               }
+       }
+-      return 0;
++done:
++      mutex_unlock(&priv->list_lock);
++      return ret;
+ }
+ #endif
+@@ -1085,9 +1088,9 @@ void omap_gem_free_object(struct drm_gem
+       WARN_ON(!mutex_is_locked(&dev->struct_mutex));
+-      spin_lock(&priv->list_lock);
++      mutex_lock(&priv->list_lock);
+       list_del(&omap_obj->mm_list);
+-      spin_unlock(&priv->list_lock);
++      mutex_unlock(&priv->list_lock);
+       /* this means the object is still pinned.. which really should
+        * not happen.  I think..
+@@ -1206,9 +1209,9 @@ struct drm_gem_object *omap_gem_new(stru
+                       goto err_release;
+       }
+-      spin_lock(&priv->list_lock);
++      mutex_lock(&priv->list_lock);
+       list_add(&omap_obj->mm_list, &priv->obj_list);
+-      spin_unlock(&priv->list_lock);
++      mutex_unlock(&priv->list_lock);
+       return obj;
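Review bot: The rule that makes this locking safe is recorded only in the commit message: no GEM reference may be dropped while `list_lock` is held, because the final unref reaches `omap_gem_free_object()`, which takes the same mutex. The comment in `omap_drv.h` still reads `/* lock for obj_list below */`. Extending it to something like `/* protects obj_list; may sleep. Never unreference a GEM object while holding it: omap_gem_free_object() takes it. */` puts the constraint where the next list walker will see it. `gem_show` and `omap_gem_free_object` both take the lock inside `dev->struct_mutex`; whether `omap_gem_resume` and `omap_gem_new` follow the same order is not visible in these hunks and belongs in that comment too.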
diff --git a/queue-4.18/drm-sun4i-enable-dw-hdmi-phy-clock.patch b/queue-4.18/drm-sun4i-enable-dw-hdmi-phy-clock.patch
new file mode 100644 (file)
index 0000000..8c87c59
--- /dev/null
@@ -0,0 +1,61 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Jernej Skrabec <jernej.skrabec@siol.net>
+Date: Mon, 25 Jun 2018 14:02:56 +0200
+Subject: drm/sun4i: Enable DW HDMI PHY clock
+
+From: Jernej Skrabec <jernej.skrabec@siol.net>
+
+[ Upstream commit 09773c532d30187f86a142901c27c93e629ce6ba ]
+
+Current DW HDMI PHY code never prepares and enables PHY clock after it is
+created. It's just used as it is. This may work in some cases, but it's
+clearly wrong. Fix it by adding proper calls to enable/disable PHY
+clock.
+
+Fixes: 4f86e81748fe ("drm/sun4i: Add support for H3 HDMI PHY variant")
+
+Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180625120304.7543-17-jernej.skrabec@siol.net
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c
++++ b/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c
+@@ -477,13 +477,15 @@ int sun8i_hdmi_phy_probe(struct sun8i_dw
+                       dev_err(dev, "Couldn't create the PHY clock\n");
+                       goto err_put_clk_pll0;
+               }
++
++              clk_prepare_enable(phy->clk_phy);
+       }
+       phy->rst_phy = of_reset_control_get_shared(node, "phy");
+       if (IS_ERR(phy->rst_phy)) {
+               dev_err(dev, "Could not get phy reset control\n");
+               ret = PTR_ERR(phy->rst_phy);
+-              goto err_put_clk_pll0;
++              goto err_disable_clk_phy;
+       }
+       ret = reset_control_deassert(phy->rst_phy);
+@@ -514,6 +516,8 @@ err_deassert_rst_phy:
+       reset_control_assert(phy->rst_phy);
+ err_put_rst_phy:
+       reset_control_put(phy->rst_phy);
++err_disable_clk_phy:
++      clk_disable_unprepare(phy->clk_phy);
+ err_put_clk_pll0:
+       if (phy->variant->has_phy_clk)
+               clk_put(phy->clk_pll0);
+@@ -531,6 +535,7 @@ void sun8i_hdmi_phy_remove(struct sun8i_
+       clk_disable_unprepare(phy->clk_mod);
+       clk_disable_unprepare(phy->clk_bus);
++      clk_disable_unprepare(phy->clk_phy);
+       reset_control_assert(phy->rst_phy);
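Review bot: The return value of `clk_prepare_enable(phy->clk_phy)` in `sun8i_hdmi_phy_probe` is ignored, so a failed enable lets probe succeed with the PHY clock off, which is the state this patch sets out to fix. Checking it with `ret = clk_prepare_enable(phy->clk_phy);` and `if (ret) goto err_put_clk_pll0;`, plus a `dev_err`, keeps the unwind balanced. Whether the clock created just above needs its own teardown on that path is outside the hunk. The enable also sits inside the conditional block closed by the `}` after it, while both new `clk_disable_unprepare(phy->clk_phy)` calls are unconditional, which is balanced only if `phy->clk_phy` is NULL for variants without a PHY clock.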
diff --git a/queue-4.18/drm-sun4i-fix-releasing-node-when-enumerating-enpoints.patch b/queue-4.18/drm-sun4i-fix-releasing-node-when-enumerating-enpoints.patch
new file mode 100644 (file)
index 0000000..0f04d30
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Jernej Skrabec <jernej.skrabec@siol.net>
+Date: Mon, 25 Jun 2018 14:02:46 +0200
+Subject: drm/sun4i: Fix releasing node when enumerating enpoints
+
+From: Jernej Skrabec <jernej.skrabec@siol.net>
+
+[ Upstream commit 367c359aa8637b15ee8df6335c5a29b7623966ec ]
+
+sun4i_drv_add_endpoints() has a memory leak since it uses of_node_put()
+when remote is equal to NULL and does nothing when remote has a valid
+pointer.
+
+Invert the logic to fix memory leak.
+
+Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180625120304.7543-7-jernej.skrabec@siol.net
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/sun4i/sun4i_drv.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/sun4i/sun4i_drv.c
++++ b/drivers/gpu/drm/sun4i/sun4i_drv.c
+@@ -283,7 +283,6 @@ static int sun4i_drv_add_endpoints(struc
+               remote = of_graph_get_remote_port_parent(ep);
+               if (!remote) {
+                       DRM_DEBUG_DRIVER("Error retrieving the output node\n");
+-                      of_node_put(remote);
+                       continue;
+               }
+@@ -297,11 +296,13 @@ static int sun4i_drv_add_endpoints(struc
+                       if (of_graph_parse_endpoint(ep, &endpoint)) {
+                               DRM_DEBUG_DRIVER("Couldn't parse endpoint\n");
++                              of_node_put(remote);
+                               continue;
+                       }
+                       if (!endpoint.id) {
+                               DRM_DEBUG_DRIVER("Endpoint is our panel... skipping\n");
++                              of_node_put(remote);
+                               continue;
+                       }
+               }
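Review bot: Releasing `remote` by hand before each `continue` in `sun4i_drv_add_endpoints` repeats the pattern that leaked in the first place, since the next early exit added to this loop has to remember the same call. Restructuring the loop body so the skip conditions select a branch and a single `of_node_put(remote)` runs at the end of every iteration would make the reference balance visible in one place. The rest of the loop is outside the hunk, so it cannot be confirmed from here that the non-skipped path also drops or hands over the reference.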
diff --git a/queue-4.18/drm-v3d-take-a-lock-across-gpu-scheduler-job-creation-and-queuing.patch b/queue-4.18/drm-v3d-take-a-lock-across-gpu-scheduler-job-creation-and-queuing.patch
new file mode 100644 (file)
index 0000000..e6b1141
--- /dev/null
@@ -0,0 +1,74 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Eric Anholt <eric@anholt.net>
+Date: Wed, 6 Jun 2018 10:48:51 -0700
+Subject: drm/v3d: Take a lock across GPU scheduler job creation and queuing.
+
+From: Eric Anholt <eric@anholt.net>
+
+[ Upstream commit 7122b68b8a9692dcc3acf89595f04c492872115f ]
+
+Between creation and queueing of a job, you need to prevent any other
+job from being created and queued.  Otherwise the scheduler's fences
+may be signaled out of seqno order.
+
+v2: move mutex unlock to the error label.
+
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Fixes: 57692c94dcbe ("drm/v3d: Introduce a new DRM driver for Broadcom V3D V3.x+")
+Link: https://patchwork.freedesktop.org/patch/msgid/20180606174851.12433-1-eric@anholt.net
+Reviewed-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/v3d/v3d_drv.h |    5 +++++
+ drivers/gpu/drm/v3d/v3d_gem.c |    4 ++++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/gpu/drm/v3d/v3d_drv.h
++++ b/drivers/gpu/drm/v3d/v3d_drv.h
+@@ -85,6 +85,11 @@ struct v3d_dev {
+        */
+       struct mutex reset_lock;
++      /* Lock taken when creating and pushing the GPU scheduler
++       * jobs, to keep the sched-fence seqnos in order.
++       */
++      struct mutex sched_lock;
++
+       struct {
+               u32 num_allocated;
+               u32 pages_allocated;
+--- a/drivers/gpu/drm/v3d/v3d_gem.c
++++ b/drivers/gpu/drm/v3d/v3d_gem.c
+@@ -550,6 +550,7 @@ v3d_submit_cl_ioctl(struct drm_device *d
+       if (ret)
+               goto fail;
++      mutex_lock(&v3d->sched_lock);
+       if (exec->bin.start != exec->bin.end) {
+               ret = drm_sched_job_init(&exec->bin.base,
+                                        &v3d->queue[V3D_BIN].sched,
+@@ -576,6 +577,7 @@ v3d_submit_cl_ioctl(struct drm_device *d
+       kref_get(&exec->refcount); /* put by scheduler job completion */
+       drm_sched_entity_push_job(&exec->render.base,
+                                 &v3d_priv->sched_entity[V3D_RENDER]);
++      mutex_unlock(&v3d->sched_lock);
+       v3d_attach_object_fences(exec);
+@@ -594,6 +596,7 @@ v3d_submit_cl_ioctl(struct drm_device *d
+       return 0;
+ fail_unreserve:
++      mutex_unlock(&v3d->sched_lock);
+       v3d_unlock_bo_reservations(dev, exec, &acquire_ctx);
+ fail:
+       v3d_exec_put(exec);
+@@ -615,6 +618,7 @@ v3d_gem_init(struct drm_device *dev)
+       spin_lock_init(&v3d->job_lock);
+       mutex_init(&v3d->bo_lock);
+       mutex_init(&v3d->reset_lock);
++      mutex_init(&v3d->sched_lock);
+       /* Note: We don't allocate address 0.  Various bits of HW
+        * treat 0 as special, such as the occlusion query counters
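Review bot: After this change the `fail_unreserve:` label in `v3d_submit_cl_ioctl` unlocks `v3d->sched_lock` unconditionally, so every jump to it must come from a point where the mutex is held. The jumps are outside the hunks; the visible code takes the lock right after the `goto fail` check, which suggests they all come later, but that should be confirmed against the full function. A comment at the label such as `/* sched_lock held on entry */`, or a label name that mentions the unlock, would keep a future early `goto fail_unreserve` from releasing a mutex that was never taken.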
diff --git a/queue-4.18/drm-vc4-add-missing-formats-to-vc4_format_mod_supported.patch b/queue-4.18/drm-vc4-add-missing-formats-to-vc4_format_mod_supported.patch
new file mode 100644 (file)
index 0000000..9fa4d5d
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Eric Anholt <eric@anholt.net>
+Date: Fri, 16 Mar 2018 15:04:34 -0700
+Subject: drm/vc4: Add missing formats to vc4_format_mod_supported().
+
+From: Eric Anholt <eric@anholt.net>
+
+[ Upstream commit 1e871d65e375280757833d9fce91dda71980bdf5 ]
+
+Daniel's format_mod_supported() patch predated Dave's for NV21/61, and
+I didn't catch that when rebasing.  This is a problem since the
+formats are now getting validated before being passed to the driver's
+atomic hooks.
+
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Acked-by: Daniel Stone <daniels@collabora.com>
+Cc: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Fixes: 423ad7b3cbd1 ("drm/vc4: Advertise supported modifiers for planes")
+Link: https://patchwork.freedesktop.org/patch/msgid/20180316220435.31416-2-eric@anholt.net
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vc4/vc4_plane.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/vc4/vc4_plane.c
++++ b/drivers/gpu/drm/vc4/vc4_plane.c
+@@ -874,7 +874,9 @@ static bool vc4_format_mod_supported(str
+       case DRM_FORMAT_YUV420:
+       case DRM_FORMAT_YVU420:
+       case DRM_FORMAT_NV12:
++      case DRM_FORMAT_NV21:
+       case DRM_FORMAT_NV16:
++      case DRM_FORMAT_NV61:
+       default:
+               return (modifier == DRM_FORMAT_MOD_LINEAR);
+       }
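Review bot: The two added labels, `case DRM_FORMAT_NV21:` and `case DRM_FORMAT_NV61:`, fall through to the `default:` directly below them, so as far as this hunk shows they return `modifier == DRM_FORMAT_MOD_LINEAR` exactly as they did when unlisted. The commit message describes a validation problem; if NV21/NV61 were really being rejected, the cause is not in these lines (the start of the switch is outside the hunk). If the labels are meant to document the linear-only formats, a comment such as `/* listed for clarity; handled the same as default */` would say so. Otherwise the `default:` arm should be reviewed so that the explicit list becomes the authority.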
diff --git a/queue-4.18/drm-vc4-plane-expand-the-lower-bits-by-repeating-the-higher-bits.patch b/queue-4.18/drm-vc4-plane-expand-the-lower-bits-by-repeating-the-higher-bits.patch
new file mode 100644 (file)
index 0000000..f34de12
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Maxime Ripard <maxime.ripard@bootlin.com>
+Date: Thu, 17 May 2018 15:37:59 +0200
+Subject: drm/vc4: plane: Expand the lower bits by repeating the higher bits
+
+From: Maxime Ripard <maxime.ripard@bootlin.com>
+
+[ Upstream commit 3257ec797d3a8c5232389eb1952d4451e80f3931 ]
+
+The vc4 HVS uses an internal RGB888 representation of the frames, and will
+by default expand formats using a lower depth using zeros.
+
+This causes an issue when we try to use other compositing software such as
+pixman that fill the missing bits by repeating the higher significant bits.
+As such, we can't check the display output in a reliable way by doing a
+software composition and an hardware one and compare both.
+
+To prevent this, force the same behaviour so that we can do such things.
+
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180517133759.25626-1-maxime.ripard@bootlin.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vc4/vc4_plane.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/vc4/vc4_plane.c
++++ b/drivers/gpu/drm/vc4/vc4_plane.c
+@@ -543,6 +543,7 @@ static int vc4_plane_mode_set(struct drm
+       /* Control word */
+       vc4_dlist_write(vc4_state,
+                       SCALER_CTL0_VALID |
++                      VC4_SET_FIELD(SCALER_CTL0_RGBA_EXPAND_ROUND, SCALER_CTL0_RGBA_EXPAND) |
+                       (format->pixel_order << SCALER_CTL0_ORDER_SHIFT) |
+                       (format->hvs << SCALER_CTL0_PIXEL_FORMAT_SHIFT) |
+                       VC4_SET_FIELD(tiling, SCALER_CTL0_TILING) |
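Review bot: The new `SCALER_CTL0_RGBA_EXPAND_ROUND` field is set in the control word for every plane without a comment, and its purpose is not evident from the name. A line such as `/* fill the low bits by repeating the high bits when expanding to RGB888, as software compositors do */` above the `VC4_SET_FIELD(...)` call would carry the commit message's rationale into the code. Because the field is written unconditionally, it is also worth confirming that the hardware ignores it for formats that need no expansion. `vc4_plane_mode_set` continues outside the hunk.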
diff --git a/queue-4.18/edac-altera-fix-an-error-handling-path-in-altr_s10_sdram_probe.patch b/queue-4.18/edac-altera-fix-an-error-handling-path-in-altr_s10_sdram_probe.patch
new file mode 100644 (file)
index 0000000..19f8868
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 10 Jun 2018 19:45:32 +0200
+Subject: EDAC, altera: Fix an error handling path in altr_s10_sdram_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 9d72fe1ce81bc757ecb6d57b58e5fd95b9ad1b26 ]
+
+If regmap_write() fails, we should release some resources as done in all
+the other error handling paths of the function.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Thor Thayer <thor.thayer@linux.intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20180610174532.22071-1-christophe.jaillet@wanadoo.fr
+Fixes: e9918d7fafae ("EDAC, altera: Handle SDRAM Uncorrectable Errors on Stratix10")
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/altera_edac.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/edac/altera_edac.c
++++ b/drivers/edac/altera_edac.c
+@@ -730,7 +730,8 @@ static int altr_s10_sdram_probe(struct p
+                        S10_DDR0_IRQ_MASK)) {
+               edac_printk(KERN_ERR, EDAC_MC,
+                           "Error clearing SDRAM ECC count\n");
+-              return -ENODEV;
++              ret = -ENODEV;
++              goto err2;
+       }
+       if (regmap_update_bits(drvdata->mc_vbase, priv->ecc_irq_en_offset,
diff --git a/queue-4.18/edac-fix-memleak-in-module-init-error-path.patch b/queue-4.18/edac-fix-memleak-in-module-init-error-path.patch
new file mode 100644 (file)
index 0000000..4a6e5b5
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 12 Jun 2018 14:43:34 +0200
+Subject: EDAC: Fix memleak in module init error path
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 4708aa85d50cc6e962dfa8acf5ad4e0d290a21db ]
+
+Make sure to use put_device() to free the initialised struct device so
+that resources managed by driver core also gets released in the event of
+a registration failure.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Cc: Denis Kirjanov <kirjanov@gmail.com>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Fixes: 2d56b109e3a5 ("EDAC: Handle error path in edac_mc_sysfs_init() properly")
+Link: http://lkml.kernel.org/r/20180612124335.6420-1-johan@kernel.org
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/edac_mc_sysfs.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/edac/edac_mc_sysfs.c
++++ b/drivers/edac/edac_mc_sysfs.c
+@@ -1075,14 +1075,14 @@ int __init edac_mc_sysfs_init(void)
+       err = device_add(mci_pdev);
+       if (err < 0)
+-              goto out_dev_free;
++              goto out_put_device;
+       edac_dbg(0, "device %s created\n", dev_name(mci_pdev));
+       return 0;
+- out_dev_free:
+-      kfree(mci_pdev);
++ out_put_device:
++      put_device(mci_pdev);
+  out:
+       return err;
+ }
diff --git a/queue-4.18/edac-i7core-fix-memleaks-and-use-after-free-on-probe-and-remove.patch b/queue-4.18/edac-i7core-fix-memleaks-and-use-after-free-on-probe-and-remove.patch
new file mode 100644 (file)
index 0000000..31781d2
--- /dev/null
@@ -0,0 +1,81 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 12 Jun 2018 14:43:35 +0200
+Subject: EDAC, i7core: Fix memleaks and use-after-free on probe and remove
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 6c974d4dfafe5e9ee754f2a6fba0eb1864f1649e ]
+
+Make sure to free and deregister the addrmatch and chancounts devices
+allocated during probe in all error paths. Also fix use-after-free in a
+probe error path and in the remove success path where the devices were
+being put before before deregistration.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Fixes: 356f0a30860d ("i7core_edac: change the mem allocation scheme to make Documentation/kobject.txt happy")
+Link: http://lkml.kernel.org/r/20180612124335.6420-2-johan@kernel.org
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/i7core_edac.c |   22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+--- a/drivers/edac/i7core_edac.c
++++ b/drivers/edac/i7core_edac.c
+@@ -1177,15 +1177,14 @@ static int i7core_create_sysfs_devices(s
+       rc = device_add(pvt->addrmatch_dev);
+       if (rc < 0)
+-              return rc;
++              goto err_put_addrmatch;
+       if (!pvt->is_registered) {
+               pvt->chancounts_dev = kzalloc(sizeof(*pvt->chancounts_dev),
+                                             GFP_KERNEL);
+               if (!pvt->chancounts_dev) {
+-                      put_device(pvt->addrmatch_dev);
+-                      device_del(pvt->addrmatch_dev);
+-                      return -ENOMEM;
++                      rc = -ENOMEM;
++                      goto err_del_addrmatch;
+               }
+               pvt->chancounts_dev->type = &all_channel_counts_type;
+@@ -1199,9 +1198,18 @@ static int i7core_create_sysfs_devices(s
+               rc = device_add(pvt->chancounts_dev);
+               if (rc < 0)
+-                      return rc;
++                      goto err_put_chancounts;
+       }
+       return 0;
++
++err_put_chancounts:
++      put_device(pvt->chancounts_dev);
++err_del_addrmatch:
++      device_del(pvt->addrmatch_dev);
++err_put_addrmatch:
++      put_device(pvt->addrmatch_dev);
++
++      return rc;
+ }
+ static void i7core_delete_sysfs_devices(struct mem_ctl_info *mci)
+@@ -1211,11 +1219,11 @@ static void i7core_delete_sysfs_devices(
+       edac_dbg(1, "\n");
+       if (!pvt->is_registered) {
+-              put_device(pvt->chancounts_dev);
+               device_del(pvt->chancounts_dev);
++              put_device(pvt->chancounts_dev);
+       }
+-      put_device(pvt->addrmatch_dev);
+       device_del(pvt->addrmatch_dev);
++      put_device(pvt->addrmatch_dev);
+ }
+ /****************************************************************************
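Review bot: The reordered teardown in i7core_delete_sysfs_devices() (device_del() before put_device()) carries no comment saying why the order matters, and neither does the label ladder added to i7core_create_sysfs_devices(). I would add `/* device_del() first: put_device() may drop the last reference and free the device */` above the first pair so the order is not swapped back later. After the error labels run, pvt->addrmatch_dev and pvt->chancounts_dev still hold the released pointers. Whether any later path reads them is not visible from these hunks, so setting them to NULL in the error path would be a cheap guard. Both functions start outside the hunks.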
diff --git a/queue-4.18/fs-lock-skip-lock-owner-pid-translation-in-case-we-are-in-init_pid_ns.patch b/queue-4.18/fs-lock-skip-lock-owner-pid-translation-in-case-we-are-in-init_pid_ns.patch
new file mode 100644 (file)
index 0000000..1586688
--- /dev/null
@@ -0,0 +1,64 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Konstantin Khorenko <khorenko@virtuozzo.com>
+Date: Fri, 8 Jun 2018 17:27:11 +0300
+Subject: fs/lock: skip lock owner pid translation in case we are in init_pid_ns
+
+From: Konstantin Khorenko <khorenko@virtuozzo.com>
+
+[ Upstream commit 826d7bc9f013d01e92997883d2fd0c25f4af1f1c ]
+
+If the flock owner process is dead and its pid has been already freed,
+pid translation won't work, but we still want to show flock owner pid
+number when expecting /proc/$PID/fdinfo/$FD in init pidns.
+
+Reproducer:
+process A      process A1      process A2
+fork()--------->
+exit()         open()
+               flock()
+               fork()--------->
+               exit()          sleep()
+
+Before the patch:
+================
+(root@vz7)/: cat /proc/${PID_A2}/fdinfo/3
+pos:    4
+flags:  02100002
+mnt_id: 257
+lock:   (root@vz7)/:
+
+After the patch:
+===============
+(root@vz7)/:cat /proc/${PID_A2}/fdinfo/3
+pos:    4
+flags:  02100002
+mnt_id: 295
+lock:   1: FLOCK  ADVISORY  WRITE ${PID_A1} b6:f8a61:529946 0 EOF
+
+Fixes: 9d5b86ac13c5 ("fs/locks: Remove fl_nspid and use fs-specific l_pid for remote locks")
+Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
+Acked-by: Andrey Vagin <avagin@openvz.org>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/locks.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/locks.c
++++ b/fs/locks.c
+@@ -2072,6 +2072,13 @@ static pid_t locks_translate_pid(struct
+               return -1;
+       if (IS_REMOTELCK(fl))
+               return fl->fl_pid;
++      /*
++       * If the flock owner process is dead and its pid has been already
++       * freed, the translation below won't work, but we still want to show
++       * flock owner pid number in init pidns.
++       */
++      if (ns == &init_pid_ns)
++              return (pid_t)fl->fl_pid;
+       rcu_read_lock();
+       pid = find_pid_ns(fl->fl_pid, &init_pid_ns);
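Review bot: The new early return for `ns == &init_pid_ns` hands back the stored number with no liveness check, so the value can name a process that has exited and whose pid may since have been reused. The added comment explains why the translation is skipped but not that consequence. I would extend it with `* The number may refer to an exited process and can have been reused; treat it as informational only.` so nobody later uses the result to look up a task. The `(pid_t)` cast is also inconsistent with the plain `return fl->fl_pid;` two lines above it, and one form should be used for both. locks_translate_pid() starts before and continues past the hunk.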
diff --git a/queue-4.18/gpio-fix-wrong-rounding-in-gpio-menz127.patch b/queue-4.18/gpio-fix-wrong-rounding-in-gpio-menz127.patch
new file mode 100644 (file)
index 0000000..989de84
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Nadav Amit <namit@vmware.com>
+Date: Mon, 4 Jun 2018 06:58:14 -0700
+Subject: gpio: Fix wrong rounding in gpio-menz127
+
+From: Nadav Amit <namit@vmware.com>
+
+[ Upstream commit 7279d9917560bbd0d82813d6bf00490a82c06783 ]
+
+men_z127_debounce() tries to round up and down, but uses functions which
+are only suitable when the divider is a power of two, which is not the
+case. Use the appropriate ones.
+
+Found by static check. Compile tested.
+
+Fixes: f436bc2726c64 ("gpio: add driver for MEN 16Z127 GPIO controller")
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-menz127.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpio/gpio-menz127.c
++++ b/drivers/gpio/gpio-menz127.c
+@@ -56,9 +56,9 @@ static int men_z127_debounce(struct gpio
+               rnd = fls(debounce) - 1;
+               if (rnd && (debounce & BIT(rnd - 1)))
+-                      debounce = round_up(debounce, MEN_Z127_DB_MIN_US);
++                      debounce = roundup(debounce, MEN_Z127_DB_MIN_US);
+               else
+-                      debounce = round_down(debounce, MEN_Z127_DB_MIN_US);
++                      debounce = rounddown(debounce, MEN_Z127_DB_MIN_US);
+               if (debounce > MEN_Z127_DB_MAX_US)
+                       debounce = MEN_Z127_DB_MAX_US;
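Review bot: The clamp against MEN_Z127_DB_MAX_US runs only after `roundup()`, so a very large `debounce` can wrap inside the rounding and come out as a small value that passes the clamp. This assumes `debounce` is an unsigned 32-bit quantity and is not bounded earlier in men_z127_debounce(), neither of which is visible in the hunk. Applying the same clamp before the rounding as well, `if (debounce > MEN_Z127_DB_MAX_US) debounce = MEN_Z127_DB_MAX_US;` ahead of the `rnd = fls(debounce) - 1;` line, would close that gap. The function starts before and continues past the hunk.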
diff --git a/queue-4.18/gpio-tegra-fix-tegra_gpio_irq_set_type.patch b/queue-4.18/gpio-tegra-fix-tegra_gpio_irq_set_type.patch
new file mode 100644 (file)
index 0000000..977c8dc
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Tue, 17 Jul 2018 19:10:38 +0300
+Subject: gpio: tegra: Fix tegra_gpio_irq_set_type()
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+[ Upstream commit f78709a5d4114edc21a5d86586ed5e56e284f2bd ]
+
+Commit 36b312792b97 ("gpiolib: Respect error code of ->get_direction()")
+broke tegra_gpio_irq_set_type() because requesting of GPIO direction must
+be done after enabling GPIO function for a pin.
+
+This patch fixes drivers probe failure like this:
+
+ gpio gpiochip0: (tegra-gpio): gpiochip_lock_as_irq: cannot get GPIO direction
+ tegra-gpio 6000d000.gpio: unable to lock Tegra GPIO 144 as IRQ
+
+Fixes: 36b312792b97 ("gpiolib: Respect error code of ->get_direction()")
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Jon Hunter <jonathanh@nvidia.com>
+Tested-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-tegra.c |   15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpio/gpio-tegra.c
++++ b/drivers/gpio/gpio-tegra.c
+@@ -323,13 +323,6 @@ static int tegra_gpio_irq_set_type(struc
+               return -EINVAL;
+       }
+-      ret = gpiochip_lock_as_irq(&tgi->gc, gpio);
+-      if (ret) {
+-              dev_err(tgi->dev,
+-                      "unable to lock Tegra GPIO %u as IRQ\n", gpio);
+-              return ret;
+-      }
+-
+       spin_lock_irqsave(&bank->lvl_lock[port], flags);
+       val = tegra_gpio_readl(tgi, GPIO_INT_LVL(tgi, gpio));
+@@ -342,6 +335,14 @@ static int tegra_gpio_irq_set_type(struc
+       tegra_gpio_mask_write(tgi, GPIO_MSK_OE(tgi, gpio), gpio, 0);
+       tegra_gpio_enable(tgi, gpio);
++      ret = gpiochip_lock_as_irq(&tgi->gc, gpio);
++      if (ret) {
++              dev_err(tgi->dev,
++                      "unable to lock Tegra GPIO %u as IRQ\n", gpio);
++              tegra_gpio_disable(tgi, gpio);
++              return ret;
++      }
++
+       if (type & (IRQ_TYPE_LEVEL_LOW | IRQ_TYPE_LEVEL_HIGH))
+               irq_set_handler_locked(d, handle_level_irq);
+       else if (type & (IRQ_TYPE_EDGE_FALLING | IRQ_TYPE_EDGE_RISING))
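Review bot: Nothing in the code records why gpiochip_lock_as_irq() now has to come after tegra_gpio_enable(), so a later cleanup could move it back. A comment above the call, such as `/* lock only after tegra_gpio_enable(): the direction query fails until the pin is in GPIO mode */`, would keep the ordering. The new failure path calls only tegra_gpio_disable(); the GPIO_MSK_OE write just above it and the level configuration done under lvl_lock are left as written, which looks harmless but is worth confirming. tegra_gpio_irq_set_type() starts before and continues past the hunks.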
diff --git a/queue-4.18/hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch b/queue-4.18/hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch
new file mode 100644 (file)
index 0000000..8a9f8a9
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+Date: Thu, 14 Jun 2018 21:37:17 +0800
+Subject: HID: hid-ntrig: add error handling for sysfs_create_group
+
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+
+[ Upstream commit 44d4d51de9a3534a2b63d69efda02a10e66541e4 ]
+
+When sysfs_create_group fails, the lack of error-handling code may
+cause unexpected results.
+
+This patch adds error-handling code after calling sysfs_create_group.
+
+Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-ntrig.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-ntrig.c
++++ b/drivers/hid/hid-ntrig.c
+@@ -955,6 +955,8 @@ static int ntrig_probe(struct hid_device
+       ret = sysfs_create_group(&hdev->dev.kobj,
+                       &ntrig_attribute_group);
++      if (ret)
++              hid_err(hdev, "cannot create sysfs group\n");
+       return 0;
+ err_free:
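Review bot: The added check logs the sysfs_create_group() failure but then drops `ret`, and ntrig_probe() still returns 0, so the driver binds without its attribute group. If that is intended, say so at the check with `/* sysfs attributes are optional: log and keep the device bound */` and consider hid_warn() rather than hid_err(). Whether the remove path calls sysfs_remove_group() unconditionally is not visible here; if it does, it will run against a group that was never created. The function starts outside the hunk.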
diff --git a/queue-4.18/hid-i2c-hid-use-devm-to-allocate-i2c_hid-struct.patch b/queue-4.18/hid-i2c-hid-use-devm-to-allocate-i2c_hid-struct.patch
new file mode 100644 (file)
index 0000000..58d7922
--- /dev/null
@@ -0,0 +1,69 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Stephen Boyd <swboyd@chromium.org>
+Date: Thu, 21 Jun 2018 19:27:16 -0700
+Subject: HID: i2c-hid: Use devm to allocate i2c_hid struct
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit d6f83894110de247a81392ab7ef89e5498df7e80 ]
+
+Use devm here to save some lines and prepare for bulk regulator usage in
+this driver. Otherwise, when we devm bulk get regulators we'll free the
+containing i2c_hid structure and try to put regulator pointers from
+freed memory.
+
+Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Dmitry Torokhov <dtor@chromium.org>
+Cc: Doug Anderson <dianders@chromium.org>
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/i2c-hid/i2c-hid.c |    9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -1004,18 +1004,18 @@ static int i2c_hid_probe(struct i2c_clie
+               return client->irq;
+       }
+-      ihid = kzalloc(sizeof(struct i2c_hid), GFP_KERNEL);
++      ihid = devm_kzalloc(&client->dev, sizeof(*ihid), GFP_KERNEL);
+       if (!ihid)
+               return -ENOMEM;
+       if (client->dev.of_node) {
+               ret = i2c_hid_of_probe(client, &ihid->pdata);
+               if (ret)
+-                      goto err;
++                      return ret;
+       } else if (!platform_data) {
+               ret = i2c_hid_acpi_pdata(client, &ihid->pdata);
+               if (ret)
+-                      goto err;
++                      return ret;
+       } else {
+               ihid->pdata = *platform_data;
+       }
+@@ -1128,7 +1128,6 @@ err_regulator:
+ err:
+       i2c_hid_free_buffers(ihid);
+-      kfree(ihid);
+       return ret;
+ }
+@@ -1152,8 +1151,6 @@ static int i2c_hid_remove(struct i2c_cli
+       regulator_disable(ihid->pdata.supply);
+-      kfree(ihid);
+-
+       return 0;
+ }
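Review bot: The two `goto err` sites in i2c_hid_probe() became plain `return ret`, so they now also skip the i2c_hid_free_buffers(ihid) call that `err:` still makes. That is correct only if no buffers have been allocated before the pdata lookups, which this hunk does not show. A short comment at the first early return, `/* nothing but the devm allocation to undo yet */`, would document that assumption. With devm the structure is now released only after i2c_hid_remove() returns, so the ordering of teardown in remove against anything that can still dereference `ihid` deserves a second look.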
diff --git a/queue-4.18/ib-core-type-promotion-bug-in-rdma_rw_init_one_mr.patch b/queue-4.18/ib-core-type-promotion-bug-in-rdma_rw_init_one_mr.patch
new file mode 100644 (file)
index 0000000..240a4e6
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:32:12 +0300
+Subject: IB/core: type promotion bug in rdma_rw_init_one_mr()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit c2d7c8ff89b22ddefb1ac2986c0d48444a667689 ]
+
+"nents" is an unsigned int, so if ib_map_mr_sg() returns a negative
+error code then it's type promoted to a high unsigned int which is
+treated as success.
+
+Fixes: a060b5629ab0 ("IB/core: generic RDMA READ/WRITE API")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/rw.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/rw.c
++++ b/drivers/infiniband/core/rw.c
+@@ -87,7 +87,7 @@ static int rdma_rw_init_one_mr(struct ib
+       }
+       ret = ib_map_mr_sg(reg->mr, sg, nents, &offset, PAGE_SIZE);
+-      if (ret < nents) {
++      if (ret < 0 || ret < nents) {
+               ib_mr_pool_put(qp, &qp->rdma_mrs, reg->mr);
+               return -EINVAL;
+       }
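Review bot: The fix depends on `ret < 0` being evaluated before `ret < nents`, but nothing in the code says why, and the second comparison still mixes a signed `ret` with the unsigned `nents` described in the commit message. I would add `/* check ret < 0 first: nents is unsigned, so a negative ret would compare as a huge value */` above the condition. Both branches also return -EINVAL, so the real error code from ib_map_mr_sg() is lost. Returning `ret` when it is negative would preserve it, if callers do not depend on -EINVAL. rdma_rw_init_one_mr() starts before the hunk.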
diff --git a/queue-4.18/ib-mlx4-test-port-number-before-querying-type.patch b/queue-4.18/ib-mlx4-test-port-number-before-querying-type.patch
new file mode 100644 (file)
index 0000000..731ccc2
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Tarick Bedeir <tarick@google.com>
+Date: Mon, 2 Jul 2018 14:02:34 -0700
+Subject: IB/mlx4: Test port number before querying type.
+
+From: Tarick Bedeir <tarick@google.com>
+
+[ Upstream commit f1228867adaf8890826f2b59e4caddb1c5cc2df7 ]
+
+rdma_ah_find_type() can reach into ib_device->port_immutable with a
+potentially out-of-bounds port number, so check that the port number is
+valid first.
+
+Fixes: 44c58487d51a ("IB/core: Define 'ib' and 'roce' rdma_ah_attr types")
+Signed-off-by: Tarick Bedeir <tarick@google.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx4/qp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -4047,9 +4047,9 @@ static void to_rdma_ah_attr(struct mlx4_
+       u8 port_num = path->sched_queue & 0x40 ? 2 : 1;
+       memset(ah_attr, 0, sizeof(*ah_attr));
+-      ah_attr->type = rdma_ah_find_type(&ibdev->ib_dev, port_num);
+       if (port_num == 0 || port_num > dev->caps.num_ports)
+               return;
++      ah_attr->type = rdma_ah_find_type(&ibdev->ib_dev, port_num);
+       if (ah_attr->type == RDMA_AH_ATTR_TYPE_ROCE)
+               rdma_ah_set_sl(ah_attr, ((path->sched_queue >> 3) & 0x7) |
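Review bot: With the lookup moved below the range check, the early `return` leaves `ah_attr` fully zeroed, including `type`, and the function is void, so callers cannot tell an invalid port from a valid attribute of the zero type. A comment at the check would make that contract explicit: `/* invalid port: ah_attr stays zeroed, never index port_immutable with it */`. The `port_num == 0` half of the condition cannot be true here because the line above assigns only 1 or 2; the bound against `dev->caps.num_ports` is the test that matters. The function body continues past the hunk.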
diff --git a/queue-4.18/ib-mlx5-fix-gre-flow-specification.patch b/queue-4.18/ib-mlx5-fix-gre-flow-specification.patch
new file mode 100644 (file)
index 0000000..2685c11
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Maor Gottlieb <maorg@mellanox.com>
+Date: Sun, 1 Jul 2018 15:50:17 +0300
+Subject: IB/mlx5: Fix GRE flow specification
+
+From: Maor Gottlieb <maorg@mellanox.com>
+
+[ Upstream commit a93b632c4531ff50c43d658447a45cbc11f488fd ]
+
+Currently the driver sets the mask of the gre_protocol to 0xffff
+without consideration in the user request.
+
+Fix it by copy the mask from the verbs spec.
+
+Fixes: da2f22ae7707 ("IB/mlx5: Add support for GRE flow specification")
+Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
+Reviewed-by: Ariel Levkovich <lariel@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx5/main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -2699,7 +2699,7 @@ static int parse_flow_attr(struct mlx5_c
+                        IPPROTO_GRE);
+               MLX5_SET(fte_match_set_misc, misc_params_c, gre_protocol,
+-                       0xffff);
++                       ntohs(ib_spec->gre.mask.protocol));
+               MLX5_SET(fte_match_set_misc, misc_params_v, gre_protocol,
+                        ntohs(ib_spec->gre.val.protocol));
diff --git a/queue-4.18/iio-104-quad-8-fix-off-by-one-error-in-register-selection.patch b/queue-4.18/iio-104-quad-8-fix-off-by-one-error-in-register-selection.patch
new file mode 100644 (file)
index 0000000..6279eb8
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: William Breathitt Gray <vilhelm.gray@gmail.com>
+Date: Thu, 24 May 2018 16:37:46 -0400
+Subject: iio: 104-quad-8: Fix off-by-one error in register selection
+
+From: William Breathitt Gray <vilhelm.gray@gmail.com>
+
+[ Upstream commit 2873c3f0e2bd12a7612e905c920c058855f4072a ]
+
+The reset flags operation is selected by bit 2 in the "Reset and Load
+Signals Decoders" register, not bit 1.
+
+Fixes: 28e5d3bb0325 ("iio: 104-quad-8: Add IIO support for the ACCES 104-QUAD-8")
+Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/counter/104-quad-8.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/counter/104-quad-8.c
++++ b/drivers/iio/counter/104-quad-8.c
+@@ -138,7 +138,7 @@ static int quad8_write_raw(struct iio_de
+                       outb(val >> (8 * i), base_offset);
+               /* Reset Borrow, Carry, Compare, and Sign flags */
+-              outb(0x02, base_offset + 1);
++              outb(0x04, base_offset + 1);
+               /* Reset Error flag */
+               outb(0x06, base_offset + 1);
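Review bot: The corrected value is still a bare literal, which is how the off-by-one got in: `0x02`, `0x04` and `0x06` written to `base_offset + 1` can only be told apart by the comment above each call. Named constants for the register's operations would let the compiler and a reader catch the next slip. For example, define `QUAD8_RLD_RESET_FLAGS 0x04` (name is a suggestion) and write `outb(QUAD8_RLD_RESET_FLAGS, base_offset + 1);`. The same applies to the `0x06` write on the last line of the hunk. quad8_write_raw() starts before and continues past the hunk.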
diff --git a/queue-4.18/iio-accel-adxl345-convert-address-field-usage-in-iio_chan_spec.patch b/queue-4.18/iio-accel-adxl345-convert-address-field-usage-in-iio_chan_spec.patch
new file mode 100644 (file)
index 0000000..6be6934
--- /dev/null
@@ -0,0 +1,93 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Tue, 26 Jun 2018 00:22:41 +0900
+Subject: iio: accel: adxl345: convert address field usage in iio_chan_spec
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+[ Upstream commit 9048f1f18a70a01eaa3c8e7166fdb2538929d780 ]
+
+Currently the address field in iio_chan_spec is filled with an accel
+data register address for the corresponding axis.
+
+In preparation for adding calibration offset support, this sets the
+address field to the index of accel data registers instead of the actual
+register address.
+
+This change makes it easier to access both accel registers and
+calibration offset registers with fewer lines of code as these are
+located in X-axis, Y-axis, Z-axis order.
+
+Cc: Eva Rachel Retuya <eraretuya@gmail.com>
+Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/accel/adxl345_core.c |   21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/drivers/iio/accel/adxl345_core.c
++++ b/drivers/iio/accel/adxl345_core.c
+@@ -21,6 +21,8 @@
+ #define ADXL345_REG_DATAX0            0x32
+ #define ADXL345_REG_DATAY0            0x34
+ #define ADXL345_REG_DATAZ0            0x36
++#define ADXL345_REG_DATA_AXIS(index)  \
++      (ADXL345_REG_DATAX0 + (index) * sizeof(__le16))
+ #define ADXL345_POWER_CTL_MEASURE     BIT(3)
+ #define ADXL345_POWER_CTL_STANDBY     0x00
+@@ -47,19 +49,19 @@ struct adxl345_data {
+       u8 data_range;
+ };
+-#define ADXL345_CHANNEL(reg, axis) {                                  \
++#define ADXL345_CHANNEL(index, axis) {                                        \
+       .type = IIO_ACCEL,                                              \
+       .modified = 1,                                                  \
+       .channel2 = IIO_MOD_##axis,                                     \
+-      .address = reg,                                                 \
++      .address = index,                                               \
+       .info_mask_separate = BIT(IIO_CHAN_INFO_RAW),                   \
+       .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE),           \
+ }
+ static const struct iio_chan_spec adxl345_channels[] = {
+-      ADXL345_CHANNEL(ADXL345_REG_DATAX0, X),
+-      ADXL345_CHANNEL(ADXL345_REG_DATAY0, Y),
+-      ADXL345_CHANNEL(ADXL345_REG_DATAZ0, Z),
++      ADXL345_CHANNEL(0, X),
++      ADXL345_CHANNEL(1, Y),
++      ADXL345_CHANNEL(2, Z),
+ };
+ static int adxl345_read_raw(struct iio_dev *indio_dev,
+@@ -67,7 +69,7 @@ static int adxl345_read_raw(struct iio_d
+                           int *val, int *val2, long mask)
+ {
+       struct adxl345_data *data = iio_priv(indio_dev);
+-      __le16 regval;
++      __le16 accel;
+       int ret;
+       switch (mask) {
+@@ -77,12 +79,13 @@ static int adxl345_read_raw(struct iio_d
+                * ADXL345_REG_DATA(X0/Y0/Z0) contain the least significant byte
+                * and ADXL345_REG_DATA(X0/Y0/Z0) + 1 the most significant byte
+                */
+-              ret = regmap_bulk_read(data->regmap, chan->address, &regval,
+-                                     sizeof(regval));
++              ret = regmap_bulk_read(data->regmap,
++                                     ADXL345_REG_DATA_AXIS(chan->address),
++                                     &accel, sizeof(accel));
+               if (ret < 0)
+                       return ret;
+-              *val = sign_extend32(le16_to_cpu(regval), 12);
++              *val = sign_extend32(le16_to_cpu(accel), 12);
+               return IIO_VAL_INT;
+       case IIO_CHAN_INFO_SCALE:
+               *val = 0;
diff --git a/queue-4.18/iio-adc-ina2xx-avoid-kthread_stop-with-stale-task_struct.patch b/queue-4.18/iio-adc-ina2xx-avoid-kthread_stop-with-stale-task_struct.patch
new file mode 100644 (file)
index 0000000..1d45b80
--- /dev/null
@@ -0,0 +1,80 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Mon, 25 Jun 2018 00:05:21 +0900
+Subject: iio: adc: ina2xx: avoid kthread_stop() with stale task_struct
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+[ Upstream commit 7d6cd21d82bacab2d1786fe5e989e4815b75d9a3 ]
+
+When the buffer is enabled for ina2xx driver, a dedicated kthread is
+invoked to capture mesurement data.  When the buffer is disabled, the
+kthread is stopped.
+
+However if the kthread gets register access errors, it immediately exits
+and when the malfunctional buffer is disabled, the stale task_struct
+pointer is accessed as there is no kthread to be stopped.
+
+A similar issue in the usbip driver is prevented by kthread_get_run and
+kthread_stop_put helpers by increasing usage count of the task_struct.
+This change applies the same solution.
+
+Cc: Stefan Brüns <stefan.bruens@rwth-aachen.de>
+Cc: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Fixes: c43a102e67db ("iio: ina2xx: add support for TI INA2xx Power Monitors")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ina2xx-adc.c |   17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/adc/ina2xx-adc.c
++++ b/drivers/iio/adc/ina2xx-adc.c
+@@ -30,6 +30,7 @@
+ #include <linux/module.h>
+ #include <linux/of_device.h>
+ #include <linux/regmap.h>
++#include <linux/sched/task.h>
+ #include <linux/util_macros.h>
+ #include <linux/platform_data/ina2xx.h>
+@@ -826,6 +827,7 @@ static int ina2xx_buffer_enable(struct i
+ {
+       struct ina2xx_chip_info *chip = iio_priv(indio_dev);
+       unsigned int sampling_us = SAMPLING_PERIOD(chip);
++      struct task_struct *task;
+       dev_dbg(&indio_dev->dev, "Enabling buffer w/ scan_mask %02x, freq = %d, avg =%u\n",
+               (unsigned int)(*indio_dev->active_scan_mask),
+@@ -835,11 +837,17 @@ static int ina2xx_buffer_enable(struct i
+       dev_dbg(&indio_dev->dev, "Async readout mode: %d\n",
+               chip->allow_async_readout);
+-      chip->task = kthread_run(ina2xx_capture_thread, (void *)indio_dev,
+-                               "%s:%d-%uus", indio_dev->name, indio_dev->id,
+-                               sampling_us);
++      task = kthread_create(ina2xx_capture_thread, (void *)indio_dev,
++                            "%s:%d-%uus", indio_dev->name, indio_dev->id,
++                            sampling_us);
++      if (IS_ERR(task))
++              return PTR_ERR(task);
++
++      get_task_struct(task);
++      wake_up_process(task);
++      chip->task = task;
+-      return PTR_ERR_OR_ZERO(chip->task);
++      return 0;
+ }
+ static int ina2xx_buffer_disable(struct iio_dev *indio_dev)
+@@ -848,6 +856,7 @@ static int ina2xx_buffer_disable(struct
+       if (chip->task) {
+               kthread_stop(chip->task);
++              put_task_struct(chip->task);
+               chip->task = NULL;
+       }
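Review bot: The extra reference taken with get_task_struct() in ina2xx_buffer_enable() and dropped with put_task_struct() in ina2xx_buffer_disable() is explained only in the commit message. I would add `/* hold a reference so kthread_stop() in ina2xx_buffer_disable() stays valid if the thread has already exited */` above get_task_struct(task), so the pair is not removed as redundant. The return value of kthread_stop() is ignored; a dev_dbg() of a non-zero result there would surface capture-thread failures. `chip->task` is assigned after wake_up_process(); that is fine only if the capture thread never reads it, which this hunk does not show.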
diff --git a/queue-4.18/include-rdma-opa_addr.h-fix-an-endianness-issue.patch b/queue-4.18/include-rdma-opa_addr.h-fix-an-endianness-issue.patch
new file mode 100644 (file)
index 0000000..167abbe
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Mon, 2 Jul 2018 10:06:51 -0700
+Subject: include/rdma/opa_addr.h: Fix an endianness issue
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+[ Upstream commit 4eefd62c17a9a5e7576207e84f3d2b4f73aba750 ]
+
+IB_MULTICAST_LID_BASE is defined as follows:
+
+  #define IB_MULTICAST_LID_BASE   cpu_to_be16(0xC000)
+
+Hence use be16_to_cpu() to convert it to CPU endianness. Compile-tested
+only.
+
+Fixes: af808ece5ce9 ("IB/SA: Check dlid before SA agent queries for ClassPortInfo")
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Venkata Sandeep Dhanalakota <venkata.s.dhanalakota@intel.com>
+Cc: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Cc: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/rdma/opa_addr.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/rdma/opa_addr.h
++++ b/include/rdma/opa_addr.h
+@@ -120,7 +120,7 @@ static inline bool rdma_is_valid_unicast
+       if (attr->type == RDMA_AH_ATTR_TYPE_IB) {
+               if (!rdma_ah_get_dlid(attr) ||
+                   rdma_ah_get_dlid(attr) >=
+-                  be32_to_cpu(IB_MULTICAST_LID_BASE))
++                  be16_to_cpu(IB_MULTICAST_LID_BASE))
+                       return false;
+       } else if (attr->type == RDMA_AH_ATTR_TYPE_OPA) {
+               if (!rdma_ah_get_dlid(attr) ||
diff --git a/queue-4.18/input-xen-kbdfront-fix-multi-touch-xenstore-node-s-locations.patch b/queue-4.18/input-xen-kbdfront-fix-multi-touch-xenstore-node-s-locations.patch
new file mode 100644 (file)
index 0000000..a97b89e
--- /dev/null
@@ -0,0 +1,53 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
+Date: Tue, 12 Jun 2018 15:03:36 -0700
+Subject: Input: xen-kbdfront - fix multi-touch XenStore node's locations
+
+From: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
+
+[ Upstream commit ce6f7d087e2b037f47349c1c36ac97678d02e394 ]
+
+kbdif protocol describes multi-touch device parameters as a
+part of frontend's XenBus configuration nodes while they
+belong to backend's configuration. Fix this by reading the
+parameters as defined by the protocol.
+
+Fixes: 49aac8204da5 ("Input: xen-kbdfront - add multi-touch support")
+
+Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/xen-kbdfront.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/misc/xen-kbdfront.c
++++ b/drivers/input/misc/xen-kbdfront.c
+@@ -229,7 +229,7 @@ static int xenkbd_probe(struct xenbus_de
+               }
+       }
+-      touch = xenbus_read_unsigned(dev->nodename,
++      touch = xenbus_read_unsigned(dev->otherend,
+                                    XENKBD_FIELD_FEAT_MTOUCH, 0);
+       if (touch) {
+               ret = xenbus_write(XBT_NIL, dev->nodename,
+@@ -304,13 +304,13 @@ static int xenkbd_probe(struct xenbus_de
+               if (!mtouch)
+                       goto error_nomem;
+-              num_cont = xenbus_read_unsigned(info->xbdev->nodename,
++              num_cont = xenbus_read_unsigned(info->xbdev->otherend,
+                                               XENKBD_FIELD_MT_NUM_CONTACTS,
+                                               1);
+-              width = xenbus_read_unsigned(info->xbdev->nodename,
++              width = xenbus_read_unsigned(info->xbdev->otherend,
+                                            XENKBD_FIELD_MT_WIDTH,
+                                            XENFB_WIDTH);
+-              height = xenbus_read_unsigned(info->xbdev->nodename,
++              height = xenbus_read_unsigned(info->xbdev->otherend,
+                                             XENKBD_FIELD_MT_HEIGHT,
+                                             XENFB_HEIGHT);
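Review bot: In the second hunk of xenkbd_probe(), num_cont, width and height are now read from `info->xbdev->otherend`, which are nodes written by the backend domain, and nothing in the visible lines bounds them before use. The defaults (1, XENFB_WIDTH, XENFB_HEIGHT) only cover a missing node, not a zero or oversized value. If the code after the hunk (not shown) hands them straight to the input core, add a range check that rejects zero and caps num_cont at a driver-chosen maximum. A comment above the three reads would record the trust boundary: `/* backend-provided values: validate before use */`.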
diff --git a/queue-4.18/iomap-complete-partial-direct-i-o-writes-synchronously.patch b/queue-4.18/iomap-complete-partial-direct-i-o-writes-synchronously.patch
new file mode 100644 (file)
index 0000000..ef76c02
--- /dev/null
@@ -0,0 +1,103 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Tue, 19 Jun 2018 15:10:55 -0700
+Subject: iomap: complete partial direct I/O writes synchronously
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit ebf00be37de35788cad72f4f20b4a39e30c0be4a ]
+
+According to xfstest generic/240, applications seem to expect direct I/O
+writes to either complete as a whole or to fail; short direct I/O writes
+are apparently not appreciated.  This means that when only part of an
+asynchronous direct I/O write succeeds, we can either fail the entire
+write, or we can wait for the partial write to complete and retry the
+remaining write as buffered I/O.  The old __blockdev_direct_IO helper
+has code for waiting for partial writes to complete; the new
+iomap_dio_rw iomap helper does not.
+
+The above mentioned fallback mode is needed for gfs2, which doesn't
+allow block allocations under direct I/O to avoid taking cluster-wide
+exclusive locks.  As a consequence, an asynchronous direct I/O write to
+a file range that contains a hole will result in a short write.  In that
+case, wait for the short write to complete to allow gfs2 to recover.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/iomap.c |   21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/fs/iomap.c
++++ b/fs/iomap.c
+@@ -811,6 +811,7 @@ struct iomap_dio {
+       atomic_t                ref;
+       unsigned                flags;
+       int                     error;
++      bool                    wait_for_completion;
+       union {
+               /* used during submission and for synchronous completion: */
+@@ -914,9 +915,8 @@ static void iomap_dio_bio_end_io(struct
+               iomap_dio_set_error(dio, blk_status_to_errno(bio->bi_status));
+       if (atomic_dec_and_test(&dio->ref)) {
+-              if (is_sync_kiocb(dio->iocb)) {
++              if (dio->wait_for_completion) {
+                       struct task_struct *waiter = dio->submit.waiter;
+-
+                       WRITE_ONCE(dio->submit.waiter, NULL);
+                       wake_up_process(waiter);
+               } else if (dio->flags & IOMAP_DIO_WRITE) {
+@@ -1131,13 +1131,12 @@ iomap_dio_rw(struct kiocb *iocb, struct
+       dio->end_io = end_io;
+       dio->error = 0;
+       dio->flags = 0;
++      dio->wait_for_completion = is_sync_kiocb(iocb);
+       dio->submit.iter = iter;
+-      if (is_sync_kiocb(iocb)) {
+-              dio->submit.waiter = current;
+-              dio->submit.cookie = BLK_QC_T_NONE;
+-              dio->submit.last_queue = NULL;
+-      }
++      dio->submit.waiter = current;
++      dio->submit.cookie = BLK_QC_T_NONE;
++      dio->submit.last_queue = NULL;
+       if (iov_iter_rw(iter) == READ) {
+               if (pos >= dio->i_size)
+@@ -1187,7 +1186,7 @@ iomap_dio_rw(struct kiocb *iocb, struct
+               dio_warn_stale_pagecache(iocb->ki_filp);
+       ret = 0;
+-      if (iov_iter_rw(iter) == WRITE && !is_sync_kiocb(iocb) &&
++      if (iov_iter_rw(iter) == WRITE && !dio->wait_for_completion &&
+           !inode->i_sb->s_dio_done_wq) {
+               ret = sb_init_dio_done_wq(inode->i_sb);
+               if (ret < 0)
+@@ -1202,8 +1201,10 @@ iomap_dio_rw(struct kiocb *iocb, struct
+                               iomap_dio_actor);
+               if (ret <= 0) {
+                       /* magic error code to fall back to buffered I/O */
+-                      if (ret == -ENOTBLK)
++                      if (ret == -ENOTBLK) {
++                              dio->wait_for_completion = true;
+                               ret = 0;
++                      }
+                       break;
+               }
+               pos += ret;
+@@ -1224,7 +1225,7 @@ iomap_dio_rw(struct kiocb *iocb, struct
+               dio->flags &= ~IOMAP_DIO_NEED_SYNC;
+       if (!atomic_dec_and_test(&dio->ref)) {
+-              if (!is_sync_kiocb(iocb))
++              if (!dio->wait_for_completion)
+                       return -EIOCBQUEUED;
+               for (;;) {
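Review bot: The new `wait_for_completion` field in struct iomap_dio has no comment, although it is written in iomap_dio_rw() while bios may already be in flight (the `-ENOTBLK` branch) and read in iomap_dio_bio_end_io() from completion context. From the visible lines, the read happens only after `atomic_dec_and_test(&dio->ref)` succeeds, and the submitter sets the flag while still holding its own reference, so the ordering looks sound. That reasoning should sit next to the field: `/* written by the submitter before it drops its ref; read by end_io only after the final ref drop */`. The same comment would explain why `dio->submit.waiter` is now set unconditionally. Both functions extend beyond the hunks, so this rests on the visible lines only.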
diff --git a/queue-4.18/iommu-amd-make-sure-tlb-to-be-flushed-before-iova-freed.patch b/queue-4.18/iommu-amd-make-sure-tlb-to-be-flushed-before-iova-freed.patch
new file mode 100644 (file)
index 0000000..e3824e9
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Zhen Lei <thunder.leizhen@huawei.com>
+Date: Wed, 6 Jun 2018 10:18:46 +0800
+Subject: iommu/amd: make sure TLB to be flushed before IOVA freed
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 3c120143f584360a13614787e23ae2cdcb5e5ccd ]
+
+Although the mapping has already been removed in the page table, it maybe
+still exist in TLB. Suppose the freed IOVAs is reused by others before the
+flush operation completed, the new user can not correctly access to its
+meomory.
+
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Fixes: b1516a14657a ('iommu/amd: Implement flush queue')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/amd_iommu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -2405,9 +2405,9 @@ static void __unmap_single(struct dma_op
+       }
+       if (amd_iommu_unmap_flush) {
+-              dma_ops_free_iova(dma_dom, dma_addr, pages);
+               domain_flush_tlb(&dma_dom->domain);
+               domain_flush_complete(&dma_dom->domain);
++              dma_ops_free_iova(dma_dom, dma_addr, pages);
+       } else {
+               pages = __roundup_pow_of_two(pages);
+               queue_iova(&dma_dom->iovad, dma_addr >> PAGE_SHIFT, pages, 0);
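Review bot: Nothing in the `amd_iommu_unmap_flush` branch of __unmap_single() records that the order of the three calls is now load-bearing, so a later cleanup could move dma_ops_free_iova() back above the flush. A comment above domain_flush_tlb() would pin it: `/* Flush the IOTLB before the IOVA goes back to the allocator; a reused range must never hit a stale translation. */`. The else branch defers the free through queue_iova(), and its flush-before-reuse guarantee lives outside this hunk. It is worth confirming that path gives the same ordering.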
diff --git a/queue-4.18/iommu-msm-don-t-call-iommu_device_-un-link-from-atomic-context.patch b/queue-4.18/iommu-msm-don-t-call-iommu_device_-un-link-from-atomic-context.patch
new file mode 100644 (file)
index 0000000..fa262a4
--- /dev/null
@@ -0,0 +1,109 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Niklas Cassel <niklas.cassel@linaro.org>
+Date: Tue, 12 Jun 2018 16:06:10 +0200
+Subject: iommu/msm: Don't call iommu_device_{,un}link from atomic context
+
+From: Niklas Cassel <niklas.cassel@linaro.org>
+
+[ Upstream commit 379521462e4add27f3514da8e4ab1fd7a54fe1c7 ]
+
+Fixes the following splat during boot:
+
+BUG: sleeping function called from invalid context at kernel/locking/mutex.c:747
+in_atomic(): 1, irqs_disabled(): 128, pid: 77, name: kworker/2:1
+4 locks held by kworker/2:1/77:
+ #0: (ptrval) ((wq_completion)"events"){+.+.}, at: process_one_work+0x1fc/0x8fc
+ #1: (ptrval) (deferred_probe_work){+.+.}, at: process_one_work+0x1fc/0x8fc
+ #2: (ptrval) (&dev->mutex){....}, at: __device_attach+0x40/0x178
+ #3: (ptrval) (msm_iommu_lock){....}, at: msm_iommu_add_device+0x28/0xcc
+irq event stamp: 348
+hardirqs last  enabled at (347): [<c049dc18>] kfree+0xe0/0x3c0
+hardirqs last disabled at (348): [<c0c35cac>] _raw_spin_lock_irqsave+0x2c/0x68
+softirqs last  enabled at (0): [<c0322fd8>] copy_process.part.5+0x280/0x1a68
+softirqs last disabled at (0): [<00000000>]   (null)
+Preemption disabled at:
+[<00000000>]   (null)
+CPU: 2 PID: 77 Comm: kworker/2:1 Not tainted 4.17.0-rc5-wt-ath-01075-gaca0516bb4cf #239
+Hardware name: Generic DT based system
+Workqueue: events deferred_probe_work_func
+[<c0314e00>] (unwind_backtrace) from [<c030fc70>] (show_stack+0x20/0x24)
+[<c030fc70>] (show_stack) from [<c0c16ad8>] (dump_stack+0xa0/0xcc)
+[<c0c16ad8>] (dump_stack) from [<c035a978>] (___might_sleep+0x1f8/0x2d4)
+ath10k_sdio mmc2:0001:1: Direct firmware load for ath10k/QCA9377/hw1.0/board-2.bin failed with error -2
+[<c035a978>] (___might_sleep) from [<c035aac4>] (__might_sleep+0x70/0xa8)
+[<c035aac4>] (__might_sleep) from [<c0c3066c>] (__mutex_lock+0x50/0xb28)
+[<c0c3066c>] (__mutex_lock) from [<c0c31170>] (mutex_lock_nested+0x2c/0x34)
+ath10k_sdio mmc2:0001:1: board_file api 1 bmi_id N/A crc32 544289f7
+[<c0c31170>] (mutex_lock_nested) from [<c052d798>] (kernfs_find_and_get_ns+0x30/0x5c)
+[<c052d798>] (kernfs_find_and_get_ns) from [<c0531cc8>] (sysfs_add_link_to_group+0x28/0x58)
+[<c0531cc8>] (sysfs_add_link_to_group) from [<c07ef75c>] (iommu_device_link+0x50/0xb4)
+[<c07ef75c>] (iommu_device_link) from [<c07f2288>] (msm_iommu_add_device+0xa0/0xcc)
+[<c07f2288>] (msm_iommu_add_device) from [<c07ec6d0>] (add_iommu_group+0x3c/0x64)
+[<c07ec6d0>] (add_iommu_group) from [<c07f9d40>] (bus_for_each_dev+0x84/0xc4)
+[<c07f9d40>] (bus_for_each_dev) from [<c07ec7c8>] (bus_set_iommu+0xd0/0x10c)
+[<c07ec7c8>] (bus_set_iommu) from [<c07f1a68>] (msm_iommu_probe+0x5b8/0x66c)
+[<c07f1a68>] (msm_iommu_probe) from [<c07feaa8>] (platform_drv_probe+0x60/0xbc)
+[<c07feaa8>] (platform_drv_probe) from [<c07fc1fc>] (driver_probe_device+0x30c/0x4cc)
+[<c07fc1fc>] (driver_probe_device) from [<c07fc59c>] (__device_attach_driver+0xac/0x14c)
+[<c07fc59c>] (__device_attach_driver) from [<c07f9e14>] (bus_for_each_drv+0x68/0xc8)
+[<c07f9e14>] (bus_for_each_drv) from [<c07fbd3c>] (__device_attach+0xe4/0x178)
+[<c07fbd3c>] (__device_attach) from [<c07fc698>] (device_initial_probe+0x1c/0x20)
+[<c07fc698>] (device_initial_probe) from [<c07faee8>] (bus_probe_device+0x98/0xa0)
+[<c07faee8>] (bus_probe_device) from [<c07fb4f4>] (deferred_probe_work_func+0x74/0x198)
+[<c07fb4f4>] (deferred_probe_work_func) from [<c0348eb4>] (process_one_work+0x2c4/0x8fc)
+[<c0348eb4>] (process_one_work) from [<c03497b0>] (worker_thread+0x2c4/0x5cc)
+[<c03497b0>] (worker_thread) from [<c0350d10>] (kthread+0x180/0x188)
+[<c0350d10>] (kthread) from [<c03010b4>] (ret_from_fork+0x14/0x20)
+
+Fixes: 42df43b36163 ("iommu/msm: Make use of iommu_device_register interface")
+Signed-off-by: Niklas Cassel <niklas.cassel@linaro.org>
+Reviewed-by: Vivek Gautam <vivek.gautam@codeaurora.org>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/msm_iommu.c |   16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+--- a/drivers/iommu/msm_iommu.c
++++ b/drivers/iommu/msm_iommu.c
+@@ -395,20 +395,15 @@ static int msm_iommu_add_device(struct d
+       struct msm_iommu_dev *iommu;
+       struct iommu_group *group;
+       unsigned long flags;
+-      int ret = 0;
+       spin_lock_irqsave(&msm_iommu_lock, flags);
+-
+       iommu = find_iommu_for_dev(dev);
++      spin_unlock_irqrestore(&msm_iommu_lock, flags);
++
+       if (iommu)
+               iommu_device_link(&iommu->iommu, dev);
+       else
+-              ret = -ENODEV;
+-
+-      spin_unlock_irqrestore(&msm_iommu_lock, flags);
+-
+-      if (ret)
+-              return ret;
++              return -ENODEV;
+       group = iommu_group_get_for_dev(dev);
+       if (IS_ERR(group))
+@@ -425,13 +420,12 @@ static void msm_iommu_remove_device(stru
+       unsigned long flags;
+       spin_lock_irqsave(&msm_iommu_lock, flags);
+-
+       iommu = find_iommu_for_dev(dev);
++      spin_unlock_irqrestore(&msm_iommu_lock, flags);
++
+       if (iommu)
+               iommu_device_unlink(&iommu->iommu, dev);
+-      spin_unlock_irqrestore(&msm_iommu_lock, flags);
+-
+       iommu_group_remove_device(dev);
+ }
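Review bot: In both msm_iommu_add_device() and msm_iommu_remove_device(), the `iommu` pointer returned by find_iommu_for_dev() is now dereferenced after msm_iommu_lock has been dropped. That is safe only if the entries being searched cannot go away while a device is added or removed, which these hunks do not show. A comment stating the assumption would help, for example `/* iommu_device_link() can sleep, so call it unlocked; msm_iommu_dev entries are assumed to outlive this call */`. Separately, the return value of iommu_device_link() is still discarded in the add path, so a failed link goes unnoticed.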
diff --git a/queue-4.18/md-cluster-clear-another-node-s-suspend_area-after-the-copy-is-finished.patch b/queue-4.18/md-cluster-clear-another-node-s-suspend_area-after-the-copy-is-finished.patch
new file mode 100644 (file)
index 0000000..2fbbc23
--- /dev/null
@@ -0,0 +1,72 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Guoqing Jiang <gqjiang@suse.com>
+Date: Mon, 2 Jul 2018 16:26:24 +0800
+Subject: md-cluster: clear another node's suspend_area after the copy is finished
+
+From: Guoqing Jiang <gqjiang@suse.com>
+
+[ Upstream commit 010228e4a932ca1e8365e3b58c8e1e44c16ff793 ]
+
+When one node leaves cluster or stops the resyncing
+(resync or recovery) array, then other nodes need to
+call recover_bitmaps to continue the unfinished task.
+
+But we need to clear suspend_area later after other
+nodes copy the resync information to their bitmap
+(by call bitmap_copy_from_slot). Otherwise, all nodes
+could write to the suspend_area even the suspend_area
+is not handled by any node, because area_resyncing
+returns 0 at the beginning of raid1_write_request.
+Which means one node could write suspend_area while
+another node is resyncing the same area, then data
+could be inconsistent.
+
+So let's clear suspend_area later to avoid above issue
+with the protection of bm lock. Also it is straightforward
+to clear suspend_area after nodes have copied the resync
+info to bitmap.
+
+Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
+Reviewed-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md-cluster.c |   19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/drivers/md/md-cluster.c
++++ b/drivers/md/md-cluster.c
+@@ -304,15 +304,6 @@ static void recover_bitmaps(struct md_th
+       while (cinfo->recovery_map) {
+               slot = fls64((u64)cinfo->recovery_map) - 1;
+-              /* Clear suspend_area associated with the bitmap */
+-              spin_lock_irq(&cinfo->suspend_lock);
+-              list_for_each_entry_safe(s, tmp, &cinfo->suspend_list, list)
+-                      if (slot == s->slot) {
+-                              list_del(&s->list);
+-                              kfree(s);
+-                      }
+-              spin_unlock_irq(&cinfo->suspend_lock);
+-
+               snprintf(str, 64, "bitmap%04d", slot);
+               bm_lockres = lockres_init(mddev, str, NULL, 1);
+               if (!bm_lockres) {
+@@ -331,6 +322,16 @@ static void recover_bitmaps(struct md_th
+                       pr_err("md-cluster: Could not copy data from bitmap %d\n", slot);
+                       goto clear_bit;
+               }
++
++              /* Clear suspend_area associated with the bitmap */
++              spin_lock_irq(&cinfo->suspend_lock);
++              list_for_each_entry_safe(s, tmp, &cinfo->suspend_list, list)
++                      if (slot == s->slot) {
++                              list_del(&s->list);
++                              kfree(s);
++                      }
++              spin_unlock_irq(&cinfo->suspend_lock);
++
+               if (hi > 0) {
+                       if (lo < mddev->recovery_cp)
+                               mddev->recovery_cp = lo;
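Review bot: With the clearing loop moved below the bitmap copy in recover_bitmaps(), the failure path that does `goto clear_bit` just above it, and presumably the lockres_init() failure in the first hunk, no longer removes the slot's entries from `cinfo->suspend_list`. Those entries then stay on the list, so writes to that range may continue to be treated as under resync. If that fail-closed behaviour is intended, say so at the new block: `/* Clear only after a successful copy; on error the area stays suspended so no node writes to it. */`. If it is not intended, the error paths need their own cleanup. The clear_bit label and the rest of the loop are outside the hunks.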
diff --git a/queue-4.18/media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch b/queue-4.18/media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch
new file mode 100644 (file)
index 0000000..9135167
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Date: Tue, 15 May 2018 05:21:45 -0400
+Subject: media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt()
+
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+
+[ Upstream commit 7c1b9a5aeed91bef98988ac0fcf38c8c1f4f9a3a ]
+
+This patch fixes potential NULL pointer dereference as indicated
+by the following static checker warning:
+
+drivers/media/platform/exynos4-is/fimc-isp-video.c:408 isp_video_try_fmt_mplane()
+error: NULL dereference inside function '__isp_video_try_fmt(isp, &f->fmt.pix_mp, (0))()'.
+
+Fixes: 34947b8aebe3: ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver")
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/exynos4-is/fimc-isp-video.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/platform/exynos4-is/fimc-isp-video.c
++++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c
+@@ -384,12 +384,17 @@ static void __isp_video_try_fmt(struct f
+                               struct v4l2_pix_format_mplane *pixm,
+                               const struct fimc_fmt **fmt)
+ {
+-      *fmt = fimc_isp_find_format(&pixm->pixelformat, NULL, 2);
++      const struct fimc_fmt *__fmt;
++
++      __fmt = fimc_isp_find_format(&pixm->pixelformat, NULL, 2);
++
++      if (fmt)
++              *fmt = __fmt;
+       pixm->colorspace = V4L2_COLORSPACE_SRGB;
+       pixm->field = V4L2_FIELD_NONE;
+-      pixm->num_planes = (*fmt)->memplanes;
+-      pixm->pixelformat = (*fmt)->fourcc;
++      pixm->num_planes = __fmt->memplanes;
++      pixm->pixelformat = __fmt->fourcc;
+       /*
+        * TODO: double check with the docmentation these width/height
+        * constraints are correct.
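Review bot: `__fmt` is dereferenced unconditionally (`__fmt->memplanes`, `__fmt->fourcc`), so __isp_video_try_fmt() now relies on fimc_isp_find_format() never returning NULL. `pixm->pixelformat` presumably comes from a user-space format request, and this hunk does not show whether the index argument `2` guarantees a fallback match. After confirming it does, document it at the call with `/* index 2 always matches, so __fmt is never NULL */`. Otherwise guard the dereference with `if (WARN_ON(!__fmt)) return;`. The function body continues past the hunk.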
diff --git a/queue-4.18/media-fsl-viu-fix-error-handling-in-viu_of_probe.patch b/queue-4.18/media-fsl-viu-fix-error-handling-in-viu_of_probe.patch
new file mode 100644 (file)
index 0000000..178d85a
--- /dev/null
@@ -0,0 +1,145 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Fri, 29 Jun 2018 17:49:22 -0400
+Subject: media: fsl-viu: fix error handling in viu_of_probe()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+[ Upstream commit 662a99e145661c2b35155cf375044deae9b79896 ]
+
+viu_of_probe() ignores fails in i2c_get_adapter(),
+tries to unlock uninitialized mutex on error path.
+
+The patch streamlining the error handling in viu_of_probe().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/fsl-viu.c |   38 +++++++++++++++++++++++---------------
+ 1 file changed, 23 insertions(+), 15 deletions(-)
+
+--- a/drivers/media/platform/fsl-viu.c
++++ b/drivers/media/platform/fsl-viu.c
+@@ -1414,7 +1414,7 @@ static int viu_of_probe(struct platform_
+                                    sizeof(struct viu_reg), DRV_NAME)) {
+               dev_err(&op->dev, "Error while requesting mem region\n");
+               ret = -EBUSY;
+-              goto err;
++              goto err_irq;
+       }
+       /* remap registers */
+@@ -1422,7 +1422,7 @@ static int viu_of_probe(struct platform_
+       if (!viu_regs) {
+               dev_err(&op->dev, "Can't map register set\n");
+               ret = -ENOMEM;
+-              goto err;
++              goto err_irq;
+       }
+       /* Prepare our private structure */
+@@ -1430,7 +1430,7 @@ static int viu_of_probe(struct platform_
+       if (!viu_dev) {
+               dev_err(&op->dev, "Can't allocate private structure\n");
+               ret = -ENOMEM;
+-              goto err;
++              goto err_irq;
+       }
+       viu_dev->vr = viu_regs;
+@@ -1446,16 +1446,21 @@ static int viu_of_probe(struct platform_
+       ret = v4l2_device_register(viu_dev->dev, &viu_dev->v4l2_dev);
+       if (ret < 0) {
+               dev_err(&op->dev, "v4l2_device_register() failed: %d\n", ret);
+-              goto err;
++              goto err_irq;
+       }
+       ad = i2c_get_adapter(0);
++      if (!ad) {
++              ret = -EFAULT;
++              dev_err(&op->dev, "couldn't get i2c adapter\n");
++              goto err_v4l2;
++      }
+       v4l2_ctrl_handler_init(&viu_dev->hdl, 5);
+       if (viu_dev->hdl.error) {
+               ret = viu_dev->hdl.error;
+               dev_err(&op->dev, "couldn't register control\n");
+-              goto err_vdev;
++              goto err_i2c;
+       }
+       /* This control handler will inherit the control(s) from the
+          sub-device(s). */
+@@ -1471,7 +1476,7 @@ static int viu_of_probe(struct platform_
+       vdev = video_device_alloc();
+       if (vdev == NULL) {
+               ret = -ENOMEM;
+-              goto err_vdev;
++              goto err_hdl;
+       }
+       *vdev = viu_template;
+@@ -1492,7 +1497,7 @@ static int viu_of_probe(struct platform_
+       ret = video_register_device(viu_dev->vdev, VFL_TYPE_GRABBER, -1);
+       if (ret < 0) {
+               video_device_release(viu_dev->vdev);
+-              goto err_vdev;
++              goto err_unlock;
+       }
+       /* enable VIU clock */
+@@ -1500,12 +1505,12 @@ static int viu_of_probe(struct platform_
+       if (IS_ERR(clk)) {
+               dev_err(&op->dev, "failed to lookup the clock!\n");
+               ret = PTR_ERR(clk);
+-              goto err_clk;
++              goto err_vdev;
+       }
+       ret = clk_prepare_enable(clk);
+       if (ret) {
+               dev_err(&op->dev, "failed to enable the clock!\n");
+-              goto err_clk;
++              goto err_vdev;
+       }
+       viu_dev->clk = clk;
+@@ -1516,7 +1521,7 @@ static int viu_of_probe(struct platform_
+       if (request_irq(viu_dev->irq, viu_intr, 0, "viu", (void *)viu_dev)) {
+               dev_err(&op->dev, "Request VIU IRQ failed.\n");
+               ret = -ENODEV;
+-              goto err_irq;
++              goto err_clk;
+       }
+       mutex_unlock(&viu_dev->lock);
+@@ -1524,16 +1529,19 @@ static int viu_of_probe(struct platform_
+       dev_info(&op->dev, "Freescale VIU Video Capture Board\n");
+       return ret;
+-err_irq:
+-      clk_disable_unprepare(viu_dev->clk);
+ err_clk:
+-      video_unregister_device(viu_dev->vdev);
++      clk_disable_unprepare(viu_dev->clk);
+ err_vdev:
+-      v4l2_ctrl_handler_free(&viu_dev->hdl);
++      video_unregister_device(viu_dev->vdev);
++err_unlock:
+       mutex_unlock(&viu_dev->lock);
++err_hdl:
++      v4l2_ctrl_handler_free(&viu_dev->hdl);
++err_i2c:
+       i2c_put_adapter(ad);
++err_v4l2:
+       v4l2_device_unregister(&viu_dev->v4l2_dev);
+-err:
++err_irq:
+       irq_dispose_mapping(viu_irq);
+       return ret;
+ }
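Review bot: The new i2c_get_adapter(0) failure path in viu_of_probe() sets `ret = -EFAULT`, which conventionally reports a bad user-space address; a missing adapter reads better as `ret = -ENODEV;`. The relabelling also leaves `err_irq` as the outermost label, now reached by failures that occur long before request_irq(), where it only calls irq_dispose_mapping(). Renaming it after what it undoes would make the unwind order easier to audit. viu_of_probe() starts outside these hunks.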
diff --git a/queue-4.18/media-omap3isp-zero-initialize-the-isp-cam_xclk-a-b-initial-data.patch b/queue-4.18/media-omap3isp-zero-initialize-the-isp-cam_xclk-a-b-initial-data.patch
new file mode 100644 (file)
index 0000000..a8a104a
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Sat, 9 Jun 2018 08:22:45 -0400
+Subject: media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data
+
+From: Javier Martinez Canillas <javierm@redhat.com>
+
+[ Upstream commit 2ec7debd44b49927a6e2861521994cc075a389ed ]
+
+The struct clk_init_data init variable is declared in the isp_xclk_init()
+function so is an automatic variable allocated in the stack. But it's not
+explicitly zero-initialized, so some init fields are left uninitialized.
+
+This causes the data structure to have undefined values that may confuse
+the common clock framework when the clock is registered.
+
+For example, the uninitialized .flags field could have the CLK_IS_CRITICAL
+bit set, causing the framework to wrongly prepare the clk on registration.
+This leads to the isp_xclk_prepare() callback being called, which in turn
+calls to the omap3isp_get() function that increments the isp dev refcount.
+
+Since this omap3isp_get() call is unexpected, this leads to an unbalanced
+omap3isp_get() call that prevents the requested IRQ to be later enabled,
+due the refcount not being 0 when the correct omap3isp_get() call happens.
+
+Fixes: 9b28ee3c9122 ("[media] omap3isp: Use the common clock framework")
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/omap3isp/isp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/omap3isp/isp.c
++++ b/drivers/media/platform/omap3isp/isp.c
+@@ -300,7 +300,7 @@ static struct clk *isp_xclk_src_get(stru
+ static int isp_xclk_init(struct isp_device *isp)
+ {
+       struct device_node *np = isp->dev->of_node;
+-      struct clk_init_data init;
++      struct clk_init_data init = { 0 };
+       unsigned int i;
+       for (i = 0; i < ARRAY_SIZE(isp->xclks); ++i)
diff --git a/queue-4.18/media-ov772x-add-checks-for-register-read-errors.patch b/queue-4.18/media-ov772x-add-checks-for-register-read-errors.patch
new file mode 100644 (file)
index 0000000..c7a7370
--- /dev/null
@@ -0,0 +1,70 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Sun, 6 May 2018 10:19:19 -0400
+Subject: media: ov772x: add checks for register read errors
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+[ Upstream commit 30f3b17eaf4913e9e56be15915ce57aae69db701 ]
+
+This change adds checks for register read errors and returns correct
+error code.
+
+Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Reviewed-by: Jacopo Mondi <jacopo@jmondi.org>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ov772x.c |   20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/i2c/ov772x.c
++++ b/drivers/media/i2c/ov772x.c
+@@ -1136,7 +1136,7 @@ static int ov772x_set_fmt(struct v4l2_su
+ static int ov772x_video_probe(struct ov772x_priv *priv)
+ {
+       struct i2c_client  *client = v4l2_get_subdevdata(&priv->subdev);
+-      u8                  pid, ver;
++      int                 pid, ver, midh, midl;
+       const char         *devname;
+       int                 ret;
+@@ -1146,7 +1146,11 @@ static int ov772x_video_probe(struct ov7
+       /* Check and show product ID and manufacturer ID. */
+       pid = ov772x_read(client, PID);
++      if (pid < 0)
++              return pid;
+       ver = ov772x_read(client, VER);
++      if (ver < 0)
++              return ver;
+       switch (VERSION(pid, ver)) {
+       case OV7720:
+@@ -1162,13 +1166,17 @@ static int ov772x_video_probe(struct ov7
+               goto done;
+       }
++      midh = ov772x_read(client, MIDH);
++      if (midh < 0)
++              return midh;
++      midl = ov772x_read(client, MIDL);
++      if (midl < 0)
++              return midl;
++
+       dev_info(&client->dev,
+                "%s Product ID %0x:%0x Manufacturer ID %x:%x\n",
+-               devname,
+-               pid,
+-               ver,
+-               ov772x_read(client, MIDH),
+-               ov772x_read(client, MIDL));
++               devname, pid, ver, midh, midl);
++
+       ret = v4l2_ctrl_handler_setup(&priv->hdl);
+ done:
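Review bot: The four new early exits in ov772x_video_probe() (`return pid;`, `return ver;`, `return midh;`, `return midl;`) bypass the `done:` label that the existing unsupported-version path reaches with `goto done`. The cleanup after that label is outside the hunk, but if it undoes setup done at the top of the function, a failed register read now skips it. Routing the errors through the label keeps a single exit: `if (pid < 0) { ret = pid; goto done; }`, and likewise for ver, midh and midl.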
diff --git a/queue-4.18/media-ov772x-allow-i2c-controllers-without-i2c_func_protocol_mangling.patch b/queue-4.18/media-ov772x-allow-i2c-controllers-without-i2c_func_protocol_mangling.patch
new file mode 100644 (file)
index 0000000..e4b2a69
--- /dev/null
@@ -0,0 +1,72 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Sun, 6 May 2018 10:19:18 -0400
+Subject: media: ov772x: allow i2c controllers without I2C_FUNC_PROTOCOL_MANGLING
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+[ Upstream commit 0b964d183cbf3f95a062ad9f3eec87ffa2790558 ]
+
+The ov772x driver only works when the i2c controller have
+I2C_FUNC_PROTOCOL_MANGLING.  However, many i2c controller drivers don't
+support it.
+
+The reason that the ov772x requires I2C_FUNC_PROTOCOL_MANGLING is that
+it doesn't support repeated starts.
+
+This changes the reading ov772x register method so that it doesn't
+require I2C_FUNC_PROTOCOL_MANGLING by calling two separated i2c messages.
+
+Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Cc: Wolfram Sang <wsa@the-dreams.de>
+Reviewed-by: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ov772x.c |   20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/i2c/ov772x.c
++++ b/drivers/media/i2c/ov772x.c
+@@ -542,9 +542,19 @@ static struct ov772x_priv *to_ov772x(str
+       return container_of(sd, struct ov772x_priv, subdev);
+ }
+-static inline int ov772x_read(struct i2c_client *client, u8 addr)
++static int ov772x_read(struct i2c_client *client, u8 addr)
+ {
+-      return i2c_smbus_read_byte_data(client, addr);
++      int ret;
++      u8 val;
++
++      ret = i2c_master_send(client, &addr, 1);
++      if (ret < 0)
++              return ret;
++      ret = i2c_master_recv(client, &val, 1);
++      if (ret < 0)
++              return ret;
++
++      return val;
+ }
+ static inline int ov772x_write(struct i2c_client *client, u8 addr, u8 value)
+@@ -1263,13 +1273,11 @@ static int ov772x_probe(struct i2c_clien
+               return -EINVAL;
+       }
+-      if (!i2c_check_functionality(adapter, I2C_FUNC_SMBUS_BYTE_DATA |
+-                                            I2C_FUNC_PROTOCOL_MANGLING)) {
++      if (!i2c_check_functionality(adapter, I2C_FUNC_SMBUS_BYTE_DATA)) {
+               dev_err(&adapter->dev,
+-                      "I2C-Adapter doesn't support SMBUS_BYTE_DATA or PROTOCOL_MANGLING\n");
++                      "I2C-Adapter doesn't support SMBUS_BYTE_DATA\n");
+               return -EIO;
+       }
+-      client->flags |= I2C_CLIENT_SCCB;
+       priv = devm_kzalloc(&client->dev, sizeof(*priv), GFP_KERNEL);
+       if (!priv)
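Review bot: The functionality check in ov772x_probe() still asks only for `I2C_FUNC_SMBUS_BYTE_DATA`, while the new ov772x_read() goes through i2c_master_send()/i2c_master_recv(), which need plain I2C transfers. An adapter that offers SMBus byte-data access but no raw transfers would pass probe and then fail every register read, so the check should probably be `i2c_check_functionality(adapter, I2C_FUNC_I2C | I2C_FUNC_SMBUS_BYTE_DATA)`, with the error message adjusted to match. A register read is now two separate bus transactions, so ov772x_read() would also benefit from a comment stating what keeps another access to the sensor from landing between the address write and the data read. ov772x_probe() and the callers of ov772x_read() lie outside the hunk.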
diff --git a/queue-4.18/media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch b/queue-4.18/media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch
new file mode 100644 (file)
index 0000000..67227a4
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Sun, 10 Jun 2018 11:42:01 -0400
+Subject: media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+[ Upstream commit 30ed2b83343bd1e07884ca7355dac70d25ffc158 ]
+
+When the subdevice doesn't provide s_power core ops callback, the
+v4l2_subdev_call for s_power returns -ENOIOCTLCMD.  If the subdevice
+doesn't have the special handling for its power saving mode, the s_power
+isn't required.  So -ENOIOCTLCMD from the v4l2_subdev_call should be
+ignored.
+
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Acked-by: Sylwester Nawrocki <sylvester.nawrocki@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/s3c-camif/camif-capture.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/s3c-camif/camif-capture.c
++++ b/drivers/media/platform/s3c-camif/camif-capture.c
+@@ -117,6 +117,8 @@ static int sensor_set_power(struct camif
+       if (camif->sensor.power_count == !on)
+               err = v4l2_subdev_call(sensor->sd, core, s_power, on);
++      if (err == -ENOIOCTLCMD)
++              err = 0;
+       if (!err)
+               sensor->power_count += on ? 1 : -1;
diff --git a/queue-4.18/media-soc_camera-ov772x-correct-setting-of-banding-filter.patch b/queue-4.18/media-soc_camera-ov772x-correct-setting-of-banding-filter.patch
new file mode 100644 (file)
index 0000000..0e940db
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Sun, 10 Jun 2018 11:42:26 -0400
+Subject: media: soc_camera: ov772x: correct setting of banding filter
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+[ Upstream commit 22216ec41e919682c15345e95928f266e8ba6f9e ]
+
+The banding filter ON/OFF is controlled via bit 5 of COM8 register.  It
+is attempted to be enabled in ov772x_set_params() by the following line.
+
+       ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, 1);
+
+But this unexpectedly results disabling the banding filter, because the
+mask and set bits are exclusive.
+
+On the other hand, ov772x_s_ctrl() correctly sets the bit by:
+
+       ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, BNDF_ON_OFF);
+
+The same fix was already applied to non-soc_camera version of ov772x
+driver in the commit commit a024ee14cd36 ("media: ov772x: correct setting
+of banding filter")
+
+Cc: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/soc_camera/ov772x.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/soc_camera/ov772x.c
++++ b/drivers/media/i2c/soc_camera/ov772x.c
+@@ -834,7 +834,7 @@ static int ov772x_set_params(struct ov77
+        * set COM8
+        */
+       if (priv->band_filter) {
+-              ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, 1);
++              ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, BNDF_ON_OFF);
+               if (!ret)
+                       ret = ov772x_mask_set(client, BDBASE,
+                                             0xff, 256 - priv->band_filter);
diff --git a/queue-4.18/media-staging-imx-fill-vb2_v4l2_buffer-field-entry.patch b/queue-4.18/media-staging-imx-fill-vb2_v4l2_buffer-field-entry.patch
new file mode 100644 (file)
index 0000000..0e3cf85
--- /dev/null
@@ -0,0 +1,52 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Peter Seiderer <ps.report@gmx.net>
+Date: Thu, 15 Mar 2018 15:13:22 -0400
+Subject: media: staging/imx: fill vb2_v4l2_buffer field entry
+
+From: Peter Seiderer <ps.report@gmx.net>
+
+[ Upstream commit a38d4b71cb7a12b65317f4e3d59883a918957719 ]
+
+- fixes gstreamer v4l2src warning:
+
+  0:00:00.716640334  349  0x164f720 WARN  v4l2bufferpool gstv4l2bufferpool.c:1195:gst_v4l2_buffer_pool_dqbuf:<v4l2src0:pool:src> Driver should never set v4l2_buffer.field to ANY
+
+- fixes v4l2-compliance test failure:
+
+  Streaming ioctls:
+          test read/write: OK (Not Supported)
+              Video Capture:
+                  Buffer: 0 Sequence: 0 Field: Any Timestamp: 58.383658s
+                  fail: v4l2-test-buffers.cpp(297): g_field() == V4L2_FIELD_ANY
+
+Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+Reviewed-by: Steve Longerbeam <steve_longerbeam@mentor.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/imx/imx-ic-prpencvf.c |    1 +
+ drivers/staging/media/imx/imx-media-csi.c   |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/staging/media/imx/imx-ic-prpencvf.c
++++ b/drivers/staging/media/imx/imx-ic-prpencvf.c
+@@ -210,6 +210,7 @@ static void prp_vb2_buf_done(struct prp_
+       done = priv->active_vb2_buf[priv->ipu_buf_num];
+       if (done) {
++              done->vbuf.field = vdev->fmt.fmt.pix.field;
+               vb = &done->vbuf.vb2_buf;
+               vb->timestamp = ktime_get_ns();
+               vb2_buffer_done(vb, priv->nfb4eof ?
+--- a/drivers/staging/media/imx/imx-media-csi.c
++++ b/drivers/staging/media/imx/imx-media-csi.c
+@@ -236,6 +236,7 @@ static void csi_vb2_buf_done(struct csi_
+       done = priv->active_vb2_buf[priv->ipu_buf_num];
+       if (done) {
++              done->vbuf.field = vdev->fmt.fmt.pix.field;
+               vb = &done->vbuf.vb2_buf;
+               vb->timestamp = ktime_get_ns();
+               vb2_buffer_done(vb, priv->nfb4eof ?
diff --git a/queue-4.18/media-tm6000-add-error-handling-for-dvb_register_adapter.patch b/queue-4.18/media-tm6000-add-error-handling-for-dvb_register_adapter.patch
new file mode 100644 (file)
index 0000000..0add5e5
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+Date: Mon, 11 Jun 2018 00:39:20 -0400
+Subject: media: tm6000: add error handling for dvb_register_adapter
+
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+
+[ Upstream commit e95d7c6eb94c634852eaa5ff4caf3db05b5d2e86 ]
+
+When dvb_register_adapter fails, the lack of error-handling code may
+cause unexpected results.
+
+This patch adds error-handling code after calling dvb_register_adapter.
+
+Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
+[hans.verkuil@cisco.com: use pr_err and fix typo: adater -> adapter]
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/tm6000/tm6000-dvb.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/media/usb/tm6000/tm6000-dvb.c
++++ b/drivers/media/usb/tm6000/tm6000-dvb.c
+@@ -266,6 +266,11 @@ static int register_dvb(struct tm6000_co
+       ret = dvb_register_adapter(&dvb->adapter, "Trident TVMaster 6000 DVB-T",
+                                       THIS_MODULE, &dev->udev->dev, adapter_nr);
++      if (ret < 0) {
++              pr_err("tm6000: couldn't register the adapter!\n");
++              goto err;
++      }
++
+       dvb->adapter.priv = dev;
+       if (dvb->frontend) {
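Review bot: The new failure path jumps to `err`, which is defined outside this hunk, so it should be confirmed that the label neither calls dvb_unregister_adapter() on the adapter that just failed to register nor skips releasing a frontend attached earlier in register_dvb(). The message would also be more useful to whoever reads the log if it carried the device and the error code, for example `dev_err(&dev->udev->dev, "couldn't register the adapter: %d\n", ret);`.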
diff --git a/queue-4.18/mips-boot-fix-build-rule-of-vmlinux.its.s.patch b/queue-4.18/mips-boot-fix-build-rule-of-vmlinux.its.s.patch
new file mode 100644 (file)
index 0000000..73306ed
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Mon, 16 Apr 2018 23:47:43 +0900
+Subject: MIPS: boot: fix build rule of vmlinux.its.S
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+[ Upstream commit 67e09db507db3e1642ddce512a4313d20addd6e5 ]
+
+As Documentation/kbuild/makefile.txt says, it is a typical mistake
+to forget the FORCE prerequisite for the rule invoked by if_changed.
+
+Add the FORCE to the prerequisite, but it must be filtered-out from
+the files passed to the 'cat' command.  Because this rule generates
+.vmlinux.its.S.cmd, vmlinux.its.S must be specified as targets so
+that the .cmd file is included.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Patchwork: https://patchwork.linux-mips.org/patch/19097/
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/boot/Makefile |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/boot/Makefile
++++ b/arch/mips/boot/Makefile
+@@ -118,10 +118,12 @@ ifeq ($(ADDR_BITS),64)
+       itb_addr_cells = 2
+ endif
++targets += vmlinux.its.S
++
+ quiet_cmd_its_cat = CAT     $@
+-      cmd_its_cat = cat $^ >$@
++      cmd_its_cat = cat $(filter-out $(PHONY), $^) >$@
+-$(obj)/vmlinux.its.S: $(addprefix $(srctree)/arch/mips/$(PLATFORM)/,$(ITS_INPUTS))
++$(obj)/vmlinux.its.S: $(addprefix $(srctree)/arch/mips/$(PLATFORM)/,$(ITS_INPUTS)) FORCE
+       $(call if_changed,its_cat)
+ quiet_cmd_cpp_its_S = ITS     $@
diff --git a/queue-4.18/misc-ibmvmc-use-gfp_atomic-under-spin-lock.patch b/queue-4.18/misc-ibmvmc-use-gfp_atomic-under-spin-lock.patch
new file mode 100644 (file)
index 0000000..2596976
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Sat, 26 May 2018 09:45:59 +0000
+Subject: misc: ibmvmc: Use GFP_ATOMIC under spin lock
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 97b715b62e5b4c6edb75d023f556fd09a46cb4e1 ]
+
+The function alloc_dma_buffer() is called from ibmvmc_add_buffer(),
+in which a spin lock be held here, so we should use GFP_ATOMIC when
+a lock is held.
+
+Fixes: 0eca353e7ae7 ("misc: IBM Virtual Management Channel Driver (VMC)")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Reviewed-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/ibmvmc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/ibmvmc.c
++++ b/drivers/misc/ibmvmc.c
+@@ -273,7 +273,7 @@ static void *alloc_dma_buffer(struct vio
+                             dma_addr_t *dma_handle)
+ {
+       /* allocate memory */
+-      void *buffer = kzalloc(size, GFP_KERNEL);
++      void *buffer = kzalloc(size, GFP_ATOMIC);
+       if (!buffer) {
+               *dma_handle = 0;
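Review bot: Nothing at the allocation says why `GFP_ATOMIC` is used, and the existing `/* allocate memory */` comment would let a later cleanup switch it back to a sleeping allocation. Per the commit message alloc_dma_buffer() is reached from ibmvmc_add_buffer() with a spin lock held, so I would replace the comment with `/* may run under a spin lock (see ibmvmc_add_buffer), so must not sleep */`. Atomic allocations fail more readily than GFP_KERNEL ones; the NULL check that follows covers that here, but the callers are outside the hunk and should be confirmed to treat a NULL return as an ordinary error.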
diff --git a/queue-4.18/misc-sram-enable-clock-before-registering-regions.patch b/queue-4.18/misc-sram-enable-clock-before-registering-regions.patch
new file mode 100644 (file)
index 0000000..216cf4d
--- /dev/null
@@ -0,0 +1,66 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 3 Jul 2018 12:05:48 +0200
+Subject: misc: sram: enable clock before registering regions
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit d5b9653dd2bb7a2b1c8cc783c5d3b607bbb6b271 ]
+
+Make sure to enable the clock before registering regions and exporting
+partitions to user space at which point we must be prepared for I/O.
+
+Fixes: ee895ccdf776 ("misc: sram: fix enabled clock leak on error path")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/sram.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/misc/sram.c
++++ b/drivers/misc/sram.c
+@@ -391,23 +391,23 @@ static int sram_probe(struct platform_de
+       if (IS_ERR(sram->pool))
+               return PTR_ERR(sram->pool);
+-      ret = sram_reserve_regions(sram, res);
+-      if (ret)
+-              return ret;
+-
+       sram->clk = devm_clk_get(sram->dev, NULL);
+       if (IS_ERR(sram->clk))
+               sram->clk = NULL;
+       else
+               clk_prepare_enable(sram->clk);
++      ret = sram_reserve_regions(sram, res);
++      if (ret)
++              goto err_disable_clk;
++
+       platform_set_drvdata(pdev, sram);
+       init_func = of_device_get_match_data(&pdev->dev);
+       if (init_func) {
+               ret = init_func();
+               if (ret)
+-                      goto err_disable_clk;
++                      goto err_free_partitions;
+       }
+       dev_dbg(sram->dev, "SRAM pool: %zu KiB @ 0x%p\n",
+@@ -415,10 +415,11 @@ static int sram_probe(struct platform_de
+       return 0;
++err_free_partitions:
++      sram_free_partitions(sram);
+ err_disable_clk:
+       if (sram->clk)
+               clk_disable_unprepare(sram->clk);
+-      sram_free_partitions(sram);
+       return ret;
+ }
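Review bot: The return value of `clk_prepare_enable(sram->clk)` is still ignored, so after this reordering sram_reserve_regions() can export partitions to user space while the clock is in fact off, which is the situation the commit sets out to prevent. I would check it in the `else` branch: `ret = clk_prepare_enable(sram->clk);` followed by `if (ret) return ret;`. Separately, every devm_clk_get() error is mapped to `sram->clk = NULL`, which would include a deferred-probe result; whether that is intended cannot be told from here. sram_probe() starts outside the hunk.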
diff --git a/queue-4.18/module-exclude-shn_undef-symbols-from-kallsyms-api.patch b/queue-4.18/module-exclude-shn_undef-symbols-from-kallsyms-api.patch
new file mode 100644 (file)
index 0000000..3bed8f1
--- /dev/null
@@ -0,0 +1,54 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Jessica Yu <jeyu@kernel.org>
+Date: Tue, 5 Jun 2018 10:22:52 +0200
+Subject: module: exclude SHN_UNDEF symbols from kallsyms api
+
+From: Jessica Yu <jeyu@kernel.org>
+
+[ Upstream commit 9f2d1e68cf4d641def734adaccfc3823d3575e6c ]
+
+Livepatch modules are special in that we preserve their entire symbol
+tables in order to be able to apply relocations after module load. The
+unwanted side effect of this is that undefined (SHN_UNDEF) symbols of
+livepatch modules are accessible via the kallsyms api and this can
+confuse symbol resolution in livepatch (klp_find_object_symbol()) and
+cause subtle bugs in livepatch.
+
+Have the module kallsyms api skip over SHN_UNDEF symbols. These symbols
+are usually not available for normal modules anyway as we cut down their
+symbol tables to just the core (non-undefined) symbols, so this should
+really just affect livepatch modules. Note that this patch doesn't
+affect the display of undefined symbols in /proc/kallsyms.
+
+Reported-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Tested-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Jessica Yu <jeyu@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/module.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -4067,7 +4067,7 @@ static unsigned long mod_find_symname(st
+       for (i = 0; i < kallsyms->num_symtab; i++)
+               if (strcmp(name, symname(kallsyms, i)) == 0 &&
+-                  kallsyms->symtab[i].st_info != 'U')
++                  kallsyms->symtab[i].st_shndx != SHN_UNDEF)
+                       return kallsyms->symtab[i].st_value;
+       return 0;
+ }
+@@ -4113,6 +4113,10 @@ int module_kallsyms_on_each_symbol(int (
+               if (mod->state == MODULE_STATE_UNFORMED)
+                       continue;
+               for (i = 0; i < kallsyms->num_symtab; i++) {
++
++                      if (kallsyms->symtab[i].st_shndx == SHN_UNDEF)
++                              continue;
++
+                       ret = fn(data, symname(kallsyms, i),
+                                mod, kallsyms->symtab[i].st_value);
+                       if (ret != 0)
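Review bot: The skip added to module_kallsyms_on_each_symbol() carries no comment, and a reader who does not know that livepatch modules keep their full symbol table will not see why undefined entries can show up in this loop at all. A one-line comment above the check, such as `/* livepatch modules keep SHN_UNDEF entries; never hand them to callers */`, would record that, and the blank line directly after the `for (...) {` can be dropped. The other lookup helpers in kernel/module.c are not visible in this hunk, so it is worth checking that they apply the same `st_shndx` test rather than the old `st_info != 'U'` comparison.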
diff --git a/queue-4.18/mt76x2-fix-mrr-idx-count-estimation-in-mt76x2_mac_fill_tx_status.patch b/queue-4.18/mt76x2-fix-mrr-idx-count-estimation-in-mt76x2_mac_fill_tx_status.patch
new file mode 100644 (file)
index 0000000..9823d37
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Mon, 4 Jun 2018 11:19:41 +0200
+Subject: mt76x2: fix mrr idx/count estimation in mt76x2_mac_fill_tx_status()
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+[ Upstream commit 2d1e9be0016230f3707812243561fbd16f1aea4b ]
+
+Fix mcs and attempt count estimation in mt76x2_mac_fill_tx_status routine
+if the number of tx retries reported by the hw is grater than
+IEEE80211_TX_MAX_RATES
+
+Fixes: 7bc04215a66b ("mt76: add driver code for MT76x2e")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76x2_mac.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt76x2_mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x2_mac.c
+@@ -439,15 +439,13 @@ mt76x2_mac_fill_tx_status(struct mt76x2_
+       if (last_rate < IEEE80211_TX_MAX_RATES - 1)
+               rate[last_rate + 1].idx = -1;
+-      cur_idx = rate[last_rate].idx + st->retry;
++      cur_idx = rate[last_rate].idx + last_rate;
+       for (i = 0; i <= last_rate; i++) {
+               rate[i].flags = rate[last_rate].flags;
+               rate[i].idx = max_t(int, 0, cur_idx - i);
+               rate[i].count = 1;
+       }
+-
+-      if (last_rate > 0)
+-              rate[last_rate - 1].count = st->retry + 1 - last_rate;
++      rate[last_rate].count = st->retry + 1 - last_rate;
+       info->status.ampdu_len = n_frames;
+       info->status.ampdu_ack_len = st->success ? n_frames : 0;
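Review bot: `rate[last_rate].count = st->retry + 1 - last_rate;` stores a hardware-reported retry count without an upper bound, and `count` in struct ieee80211_tx_rate is a 5-bit field, so a large `st->retry` would be truncated silently and report a wrong attempt count. Clamping at the assignment keeps the value well defined: `rate[last_rate].count = min_t(int, st->retry + 1 - last_rate, 31);`. The computation of `last_rate` and the type of `st->retry` are outside the hunk, so the reachable range should be confirmed there.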
diff --git a/queue-4.18/mtd-rawnand-atmel-add-module-param-to-avoid-using-dma.patch b/queue-4.18/mtd-rawnand-atmel-add-module-param-to-avoid-using-dma.patch
new file mode 100644 (file)
index 0000000..91fb1b9
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Peter Rosin <peda@axentia.se>
+Date: Thu, 29 Mar 2018 15:10:54 +0200
+Subject: mtd: rawnand: atmel: add module param to avoid using dma
+
+From: Peter Rosin <peda@axentia.se>
+
+[ Upstream commit efc6362c6f8c1e74b340e2611f1b35e7d557ce7b ]
+
+On a sama5d31 with a Full-HD dual LVDS panel (132MHz pixel clock) NAND
+flash accesses have a tendency to cause display disturbances. Add a
+module param to disable DMA from the NAND controller, since that fixes
+the display problem for me.
+
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Reviewed-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/atmel/nand-controller.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/raw/atmel/nand-controller.c
++++ b/drivers/mtd/nand/raw/atmel/nand-controller.c
+@@ -129,6 +129,11 @@
+ #define DEFAULT_TIMEOUT_MS                    1000
+ #define MIN_DMA_LEN                           128
++static bool atmel_nand_avoid_dma __read_mostly;
++
++MODULE_PARM_DESC(avoiddma, "Avoid using DMA");
++module_param_named(avoiddma, atmel_nand_avoid_dma, bool, 0400);
++
+ enum atmel_nand_rb_type {
+       ATMEL_NAND_NO_RB,
+       ATMEL_NAND_NATIVE_RB,
+@@ -1977,7 +1982,7 @@ static int atmel_nand_controller_init(st
+               return ret;
+       }
+-      if (nc->caps->has_dma) {
++      if (nc->caps->has_dma && !atmel_nand_avoid_dma) {
+               dma_cap_mask_t mask;
+               dma_cap_zero(mask);
diff --git a/queue-4.18/net-hns3-fix-for-mac-pause-not-disable-in-pfc-mode.patch b/queue-4.18/net-hns3-fix-for-mac-pause-not-disable-in-pfc-mode.patch
new file mode 100644 (file)
index 0000000..859962f
--- /dev/null
@@ -0,0 +1,52 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Yunsheng Lin <linyunsheng@huawei.com>
+Date: Fri, 6 Jul 2018 11:27:56 +0100
+Subject: net: hns3: Fix for mac pause not disable in pfc mode
+
+From: Yunsheng Lin <linyunsheng@huawei.com>
+
+[ Upstream commit 6d0ec65cb5810f9bf08671be008785bb8c84d39f ]
+
+When pfc pause mode is enable, the mac pause mode need to be
+disabled, otherwise the pfc pause packet will not be sent when
+congestion happens.
+
+This patch fixes by disabling the mac pause when pfc pause is
+enabled.
+
+Fixes: 848440544b41 ("net: hns3: Add support of TX Scheduler & Shaper to HNS3 driver")
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Salil Mehta <salil.mehta@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+@@ -1223,6 +1223,10 @@ static int hclge_mac_pause_setup_hw(stru
+               tx_en = true;
+               rx_en = true;
+               break;
++      case HCLGE_FC_PFC:
++              tx_en = false;
++              rx_en = false;
++              break;
+       default:
+               tx_en = true;
+               rx_en = true;
+@@ -1240,8 +1244,9 @@ int hclge_pause_setup_hw(struct hclge_de
+       if (ret)
+               return ret;
+-      if (hdev->tm_info.fc_mode != HCLGE_FC_PFC)
+-              return hclge_mac_pause_setup_hw(hdev);
++      ret = hclge_mac_pause_setup_hw(hdev);
++      if (ret)
++              return ret;
+       /* Only DCB-supported dev supports qset back pressure and pfc cmd */
+       if (!hnae3_dev_dcb_supported(hdev))
diff --git a/queue-4.18/net-hns3-fix-for-mailbox-message-truncated-problem.patch b/queue-4.18/net-hns3-fix-for-mailbox-message-truncated-problem.patch
new file mode 100644 (file)
index 0000000..b3d9192
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Fuyun Liang <liangfuyun1@huawei.com>
+Date: Fri, 6 Jul 2018 11:27:59 +0100
+Subject: net: hns3: Fix for mailbox message truncated problem
+
+From: Fuyun Liang <liangfuyun1@huawei.com>
+
+[ Upstream commit ead5bd4d35c0a14d5ce1474177718c678dff5205 ]
+
+The payload of mailbox message is 16 byte and the value of
+HCLGE_MBX_MAX_ARQ_MSG_SIZE is 8. A message truncated problem will
+happen when mailbox message is converted to ARQ message. This patch
+replaces HCLGE_MBX_MAX_ARQ_MSG_SIZE with the size of ARQ message in
+hclgevf_mbx_handler to fix this problem.
+
+Fixes: b11a0bb231f3 ("net: hns3: Add mailbox support to VF driver")
+Signed-off-by: Fuyun Liang <liangfuyun1@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Salil Mehta <salil.mehta@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c
+@@ -208,7 +208,8 @@ void hclgevf_mbx_handler(struct hclgevf_
+                       /* tail the async message in arq */
+                       msg_q = hdev->arq.msg_q[hdev->arq.tail];
+-                      memcpy(&msg_q[0], req->msg, HCLGE_MBX_MAX_ARQ_MSG_SIZE);
++                      memcpy(&msg_q[0], req->msg,
++                             HCLGE_MBX_MAX_ARQ_MSG_SIZE * sizeof(u16));
+                       hclge_mbx_tail_ptr_move_arq(hdev->arq);
+                       hdev->arq.count++;
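Review bot: The memcpy() length is now `HCLGE_MBX_MAX_ARQ_MSG_SIZE * sizeof(u16)`, which ties the copy to the destination's element type by hand, and nothing in the hunk guarantees that `req->msg` is at least that large. The commit message gives the payload as 16 bytes and the constant as 8, so the sizes match today, but a compile-time check next to the copy would keep a later change to either declaration from turning this into an out-of-bounds read: `BUILD_BUG_ON(sizeof(req->msg) < HCLGE_MBX_MAX_ARQ_MSG_SIZE * sizeof(u16));`. Neither array declaration is visible here, so the exact expression may need adjusting; hclgevf_mbx_handler() starts and ends outside the hunk.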
diff --git a/queue-4.18/net-hns3-fix-get_vector-ops-in-hclgevf_main-module.patch b/queue-4.18/net-hns3-fix-get_vector-ops-in-hclgevf_main-module.patch
new file mode 100644 (file)
index 0000000..832fab9
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Yunsheng Lin <linyunsheng@huawei.com>
+Date: Fri, 6 Jul 2018 11:28:02 +0100
+Subject: net: hns3: Fix get_vector ops in hclgevf_main module
+
+From: Yunsheng Lin <linyunsheng@huawei.com>
+
+[ Upstream commit 03718db97bfb57535f3aa8110f0cbe0c616a67c0 ]
+
+The hclgevf_free_vector function expects the caller to pass
+the vector_id to it, and hclgevf_put_vector pass vector to
+it now, which will cause vector allocation problem.
+
+This patch fixes it by converting vector into vector_id before
+calling hclgevf_free_vector.
+
+Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support")
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Salil Mehta <salil.mehta@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -648,8 +648,17 @@ static int hclgevf_unmap_ring_from_vecto
+ static int hclgevf_put_vector(struct hnae3_handle *handle, int vector)
+ {
+       struct hclgevf_dev *hdev = hclgevf_ae_get_hdev(handle);
++      int vector_id;
+-      hclgevf_free_vector(hdev, vector);
++      vector_id = hclgevf_get_vector_index(hdev, vector);
++      if (vector_id < 0) {
++              dev_err(&handle->pdev->dev,
++                      "hclgevf_put_vector get vector index fail. ret =%d\n",
++                      vector_id);
++              return vector_id;
++      }
++
++      hclgevf_free_vector(hdev, vector_id);
+       return 0;
+ }
diff --git a/queue-4.18/net-hns3-fix-warning-bug-when-doing-lp-selftest.patch b/queue-4.18/net-hns3-fix-warning-bug-when-doing-lp-selftest.patch
new file mode 100644 (file)
index 0000000..c67ad14
--- /dev/null
@@ -0,0 +1,57 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Yunsheng Lin <linyunsheng@huawei.com>
+Date: Fri, 6 Jul 2018 11:28:01 +0100
+Subject: net: hns3: Fix warning bug when doing lp selftest
+
+From: Yunsheng Lin <linyunsheng@huawei.com>
+
+[ Upstream commit d7099d15478e89edb9bc6c6e3ab4cd341884a367 ]
+
+The napi_alloc_skb is excepted to be called under the
+non-preemptible code path when it is called by hns3_clean_rx_ring
+during loopback selftest, otherwise the below warning will be
+logged:
+
+[   92.420780] BUG: using smp_processor_id() in preemptible
+[00000000] code: ethtool/1873
+<SNIP>
+[   92.463202]  check_preemption_disabled+0xf8/0x100
+[   92.467893]  debug_smp_processor_id+0x1c/0x28
+[   92.472239]  __napi_alloc_skb+0x30/0x130
+[   92.476158]  hns3_clean_rx_ring+0x118/0x5f0 [hns3]
+[   92.480941]  hns3_self_test+0x32c/0x4d0 [hns3]
+[   92.485375]  ethtool_self_test+0xdc/0x1e8
+[   92.489372]  dev_ethtool+0x1020/0x1da8
+[   92.493109]  dev_ioctl+0x188/0x3a0
+[   92.496499]  sock_do_ioctl+0xf4/0x208
+[   92.500148]  sock_ioctl+0x228/0x3e8
+[   92.503626]  do_vfs_ioctl+0xc4/0x880
+[   92.507189]  SyS_ioctl+0x94/0xa8
+[   92.510404]  el0_svc_naked+0x30/0x34
+
+This patch fix it by disabling preemption when calling
+hns3_clean_rx_ring during loopback selftest.
+
+Fixes: c39c4d98dc65 ("net: hns3: Add mac loopback selftest support in hns3 driver")
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Salil Mehta <salil.mehta@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+@@ -201,7 +201,9 @@ static u32 hns3_lb_check_rx_ring(struct
+               rx_group = &ring->tqp_vector->rx_group;
+               pre_rx_pkt = rx_group->total_packets;
++              preempt_disable();
+               hns3_clean_rx_ring(ring, budget, hns3_lb_check_skb_data);
++              preempt_enable();
+               rcv_good_pkt_total += (rx_group->total_packets - pre_rx_pkt);
+               rx_group->total_packets = pre_rx_pkt;
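Review bot: `preempt_disable()` silences the smp_processor_id() warning but does not give hns3_clean_rx_ring() the context that napi_alloc_skb() expects, which is softirq context or bottom halves disabled. With only preemption off, a network softirq raised on the same CPU could still run in the middle of the call and use the same per-CPU allocation cache. Wrapping the call in `local_bh_disable();` and `local_bh_enable();` instead would cover both preemption and softirqs. This is inferred from the call chain quoted in the commit message; hns3_lb_check_rx_ring() starts and ends outside the hunk.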
diff --git a/queue-4.18/net-phy-xgmiitorgmii-check-phy_driver-ready-before-accessing.patch b/queue-4.18/net-phy-xgmiitorgmii-check-phy_driver-ready-before-accessing.patch
new file mode 100644 (file)
index 0000000..95d857f
--- /dev/null
@@ -0,0 +1,90 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Brandon Maier <brandon.maier@rockwellcollins.com>
+Date: Tue, 26 Jun 2018 12:50:48 -0500
+Subject: net: phy: xgmiitorgmii: Check phy_driver ready before accessing
+
+From: Brandon Maier <brandon.maier@rockwellcollins.com>
+
+[ Upstream commit ab4e6ee578e88a659938db8fbf33720bc048d29c ]
+
+Since a phy_device is added to the global mdio_bus list during
+phy_device_register(), but a phy_device's phy_driver doesn't get
+attached until phy_probe(). It's possible of_phy_find_device() in
+xgmiitorgmii will return a valid phy with a NULL phy_driver. Leading to
+a NULL pointer access during the memcpy().
+
+Fixes this Oops:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000000
+pgd = c0004000
+[00000000] *pgd=00000000
+Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.40 #1
+Hardware name: Xilinx Zynq Platform
+task: ce4c8d00 task.stack: ce4ca000
+PC is at memcpy+0x48/0x330
+LR is at xgmiitorgmii_probe+0x90/0xe8
+pc : [<c074bc68>]    lr : [<c0529548>]    psr: 20000013
+sp : ce4cbb54  ip : 00000000  fp : ce4cbb8c
+r10: 00000000  r9 : 00000000  r8 : c0c49178
+r7 : 00000000  r6 : cdc14718  r5 : ce762800  r4 : cdc14710
+r3 : 00000000  r2 : 00000054  r1 : 00000000  r0 : cdc14718
+Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
+Control: 18c5387d  Table: 0000404a  DAC: 00000051
+Process swapper/0 (pid: 1, stack limit = 0xce4ca210)
+...
+[<c074bc68>] (memcpy) from [<c0529548>] (xgmiitorgmii_probe+0x90/0xe8)
+[<c0529548>] (xgmiitorgmii_probe) from [<c0526a94>] (mdio_probe+0x28/0x34)
+[<c0526a94>] (mdio_probe) from [<c04db98c>] (driver_probe_device+0x254/0x414)
+[<c04db98c>] (driver_probe_device) from [<c04dbd58>] (__device_attach_driver+0xac/0x10c)
+[<c04dbd58>] (__device_attach_driver) from [<c04d96f4>] (bus_for_each_drv+0x84/0xc8)
+[<c04d96f4>] (bus_for_each_drv) from [<c04db5bc>] (__device_attach+0xd0/0x134)
+[<c04db5bc>] (__device_attach) from [<c04dbdd4>] (device_initial_probe+0x1c/0x20)
+[<c04dbdd4>] (device_initial_probe) from [<c04da8fc>] (bus_probe_device+0x98/0xa0)
+[<c04da8fc>] (bus_probe_device) from [<c04d8660>] (device_add+0x43c/0x5d0)
+[<c04d8660>] (device_add) from [<c0526cb8>] (mdio_device_register+0x34/0x80)
+[<c0526cb8>] (mdio_device_register) from [<c0580b48>] (of_mdiobus_register+0x170/0x30c)
+[<c0580b48>] (of_mdiobus_register) from [<c05349c4>] (macb_probe+0x710/0xc00)
+[<c05349c4>] (macb_probe) from [<c04dd700>] (platform_drv_probe+0x44/0x80)
+[<c04dd700>] (platform_drv_probe) from [<c04db98c>] (driver_probe_device+0x254/0x414)
+[<c04db98c>] (driver_probe_device) from [<c04dbc58>] (__driver_attach+0x10c/0x118)
+[<c04dbc58>] (__driver_attach) from [<c04d9600>] (bus_for_each_dev+0x8c/0xd0)
+[<c04d9600>] (bus_for_each_dev) from [<c04db1fc>] (driver_attach+0x2c/0x30)
+[<c04db1fc>] (driver_attach) from [<c04daa98>] (bus_add_driver+0x50/0x260)
+[<c04daa98>] (bus_add_driver) from [<c04dc440>] (driver_register+0x88/0x108)
+[<c04dc440>] (driver_register) from [<c04dd6b4>] (__platform_driver_register+0x50/0x58)
+[<c04dd6b4>] (__platform_driver_register) from [<c0b31248>] (macb_driver_init+0x24/0x28)
+[<c0b31248>] (macb_driver_init) from [<c010203c>] (do_one_initcall+0x60/0x1a4)
+[<c010203c>] (do_one_initcall) from [<c0b00f78>] (kernel_init_freeable+0x15c/0x1f8)
+[<c0b00f78>] (kernel_init_freeable) from [<c0763d10>] (kernel_init+0x18/0x124)
+[<c0763d10>] (kernel_init) from [<c0112d74>] (ret_from_fork+0x14/0x20)
+Code: ba000002 f5d1f03c f5d1f05c f5d1f07c (e8b151f8)
+---[ end trace 3e4ec21905820a1f ]---
+
+Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/xilinx_gmii2rgmii.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/phy/xilinx_gmii2rgmii.c
++++ b/drivers/net/phy/xilinx_gmii2rgmii.c
+@@ -84,6 +84,11 @@ static int xgmiitorgmii_probe(struct mdi
+               return -EPROBE_DEFER;
+       }
++      if (!priv->phy_dev->drv) {
++              dev_info(dev, "Attached phy not ready\n");
++              return -EPROBE_DEFER;
++      }
++
+       priv->addr = mdiodev->addr;
+       priv->phy_drv = priv->phy_dev->drv;
+       memcpy(&priv->conv_phy_drv, priv->phy_dev->drv,
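Review bot: The new `-EPROBE_DEFER` return for a missing `priv->phy_dev->drv` leaves xgmiitorgmii_probe() without releasing the PHY device that was looked up earlier. The description says the device comes from of_phy_find_device(), which hands it back with a device reference held, so each deferred probe attempt would appear to leak one reference. The lookup is outside the hunk, so confirm this against the full function. If it holds, add `put_device(&priv->phy_dev->mdio.dev);` before the return. Separately, `drv` is checked here and read again for the `memcpy()` with no locking visible in the hunk, so the check may narrow the window rather than close it.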
diff --git a/queue-4.18/net-phy-xgmiitorgmii-check-read_status-results.patch b/queue-4.18/net-phy-xgmiitorgmii-check-read_status-results.patch
new file mode 100644 (file)
index 0000000..e448209
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Brandon Maier <brandon.maier@rockwellcollins.com>
+Date: Tue, 26 Jun 2018 12:50:50 -0500
+Subject: net: phy: xgmiitorgmii: Check read_status results
+
+From: Brandon Maier <brandon.maier@rockwellcollins.com>
+
+[ Upstream commit 8d0752d11312be830c33e84dfd1016e6a47c2938 ]
+
+We're ignoring the result of the attached phy device's read_status().
+Return it so we can detect errors.
+
+Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/xilinx_gmii2rgmii.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/xilinx_gmii2rgmii.c
++++ b/drivers/net/phy/xilinx_gmii2rgmii.c
+@@ -40,8 +40,11 @@ static int xgmiitorgmii_read_status(stru
+ {
+       struct gmii2rgmii *priv = phydev->priv;
+       u16 val = 0;
++      int err;
+-      priv->phy_drv->read_status(phydev);
++      err = priv->phy_drv->read_status(phydev);
++      if (err < 0)
++              return err;
+       val = mdiobus_read(phydev->mdio.bus, priv->addr, XILINX_GMII2RGMII_REG);
+       val &= ~XILINX_GMII2RGMII_SPEED_MASK;
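Review bot: The `mdiobus_read()` result right after the new check is still assigned to `u16 val`, so a negative errno from the bus is truncated into what looks like a register value and then masked as if it were valid. Since this change is about propagating read errors, the bus read deserves the same treatment: declare `int val;` and add `if (val < 0) return val;` after the read. xgmiitorgmii_read_status() continues outside the hunk, so how the value is used afterwards (presumably written back to the converter) is not visible here.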
diff --git a/queue-4.18/nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch b/queue-4.18/nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch
new file mode 100644 (file)
index 0000000..ae39c8c
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Wed, 13 Jun 2018 15:21:35 -0400
+Subject: nfsd: fix corrupted reply to badly ordered compound
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+[ Upstream commit 5b7b15aee641904ae269be9846610a3950cbd64c ]
+
+We're encoding a single op in the reply but leaving the number of ops
+zero, so the reply makes no sense.
+
+Somewhat academic as this isn't a case any real client will hit, though
+in theory perhaps that could change in a future protocol extension.
+
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4proc.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1726,6 +1726,7 @@ nfsd4_proc_compound(struct svc_rqst *rqs
+       if (status) {
+               op = &args->ops[0];
+               op->status = status;
++              resp->opcnt = 1;
+               goto encode_op;
+       }
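Review bot: The added `resp->opcnt = 1;` has no comment, and the reason this error branch reports exactly one op is not obvious from the branch itself. A one-line comment such as `/* ops[0] carries the error and is encoded below, so the reply must count it */` would keep the count and the encoded op from drifting apart again. The hunk does not show that `args->ops[0]` is populated whenever `status` is set here; that depends on code outside the hunk.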
diff --git a/queue-4.18/perf-hw_breakpoint-split-attribute-parse-and-commit.patch b/queue-4.18/perf-hw_breakpoint-split-attribute-parse-and-commit.patch
new file mode 100644 (file)
index 0000000..0571651
--- /dev/null
@@ -0,0 +1,155 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Frederic Weisbecker <frederic@kernel.org>
+Date: Tue, 26 Jun 2018 04:58:48 +0200
+Subject: perf/hw_breakpoint: Split attribute parse and commit
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+[ Upstream commit 9a4903dde2c8633c5fcf887b98c4e047a6154a54 ]
+
+arch_validate_hwbkpt_settings() mixes up attribute check and commit into
+a single code entity. Therefore the validation may return an error due to
+incorrect atributes while still leaving halfway modified architecture
+breakpoint data.
+
+This is harmless when we deal with a new breakpoint but it becomes a
+problem when we modify an existing breakpoint.
+
+Split attribute parse and commit to fix that. The architecture is
+passed a "struct arch_hw_breakpoint" to fill on top of the new attr
+and the core takes care about copying the backend data once it's fully
+validated. The architectures then need to implement the new API.
+
+Original-patch-by: Andy Lutomirski <luto@kernel.org>
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Chris Zankel <chris@zankel.net>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Joel Fernandes <joel.opensrc@gmail.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Max Filippov <jcmvbkbc@gmail.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rich Felker <dalias@libc.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Link: http://lkml.kernel.org/r/1529981939-8231-2-git-send-email-frederic@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/hw_breakpoint.c |   57 ++++++++++++++++++++++++++++++------------
+ 1 file changed, 41 insertions(+), 16 deletions(-)
+
+--- a/kernel/events/hw_breakpoint.c
++++ b/kernel/events/hw_breakpoint.c
+@@ -400,16 +400,35 @@ int dbg_release_bp_slot(struct perf_even
+       return 0;
+ }
+-static int validate_hw_breakpoint(struct perf_event *bp)
++#ifndef hw_breakpoint_arch_parse
++int hw_breakpoint_arch_parse(struct perf_event *bp,
++                           const struct perf_event_attr *attr,
++                           struct arch_hw_breakpoint *hw)
+ {
+-      int ret;
++      int err;
+-      ret = arch_validate_hwbkpt_settings(bp);
+-      if (ret)
+-              return ret;
++      err = arch_validate_hwbkpt_settings(bp);
++      if (err)
++              return err;
++
++      *hw = bp->hw.info;
++
++      return 0;
++}
++#endif
++
++static int hw_breakpoint_parse(struct perf_event *bp,
++                             const struct perf_event_attr *attr,
++                             struct arch_hw_breakpoint *hw)
++{
++      int err;
++
++      err = hw_breakpoint_arch_parse(bp, attr, hw);
++      if (err)
++              return err;
+       if (arch_check_bp_in_kernelspace(bp)) {
+-              if (bp->attr.exclude_kernel)
++              if (attr->exclude_kernel)
+                       return -EINVAL;
+               /*
+                * Don't let unprivileged users set a breakpoint in the trap
+@@ -424,19 +443,22 @@ static int validate_hw_breakpoint(struct
+ int register_perf_hw_breakpoint(struct perf_event *bp)
+ {
+-      int ret;
++      struct arch_hw_breakpoint hw;
++      int err;
+-      ret = reserve_bp_slot(bp);
+-      if (ret)
+-              return ret;
+-
+-      ret = validate_hw_breakpoint(bp);
++      err = reserve_bp_slot(bp);
++      if (err)
++              return err;
+-      /* if arch_validate_hwbkpt_settings() fails then release bp slot */
+-      if (ret)
++      err = hw_breakpoint_parse(bp, &bp->attr, &hw);
++      if (err) {
+               release_bp_slot(bp);
++              return err;
++      }
++
++      bp->hw.info = hw;
+-      return ret;
++      return 0;
+ }
+ /**
+@@ -464,6 +486,7 @@ modify_user_hw_breakpoint_check(struct p
+       u64 old_len  = bp->attr.bp_len;
+       int old_type = bp->attr.bp_type;
+       bool modify  = attr->bp_type != old_type;
++      struct arch_hw_breakpoint hw;
+       int err = 0;
+       bp->attr.bp_addr = attr->bp_addr;
+@@ -473,7 +496,7 @@ modify_user_hw_breakpoint_check(struct p
+       if (check && memcmp(&bp->attr, attr, sizeof(*attr)))
+               return -EINVAL;
+-      err = validate_hw_breakpoint(bp);
++      err = hw_breakpoint_parse(bp, attr, &hw);
+       if (!err && modify)
+               err = modify_bp_slot(bp, old_type);
+@@ -484,7 +507,9 @@ modify_user_hw_breakpoint_check(struct p
+               return err;
+       }
++      bp->hw.info = hw;
+       bp->attr.disabled = attr->disabled;
++
+       return 0;
+ }
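Review bot: The fallback hw_breakpoint_arch_parse() under `#ifndef hw_breakpoint_arch_parse` ignores its `attr` argument and still calls arch_validate_hwbkpt_settings(bp). Per the description, that function validates and commits in one step, so on an architecture that has not implemented the new hook, a failed modify_user_hw_breakpoint_check() can still leave `bp->hw.info` half-updated. A comment on the fallback would make that limit explicit, e.g. `/* Transitional: validates in place on bp->hw.info; attr is unused until the arch provides its own parse hook. */`. In hw_breakpoint_parse(), `arch_check_bp_in_kernelspace(bp)` also reads `bp` rather than the freshly parsed `hw`. That check gates the unprivileged kernel-breakpoint rule in the comment below it, so it should be moved to `hw` once architectures fill it.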
diff --git a/queue-4.18/perf-tests-fix-indexing-when-invoking-subtests.patch b/queue-4.18/perf-tests-fix-indexing-when-invoking-subtests.patch
new file mode 100644 (file)
index 0000000..4c75d56
--- /dev/null
@@ -0,0 +1,96 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Sandipan Das <sandipan@linux.ibm.com>
+Date: Thu, 26 Jul 2018 22:47:33 +0530
+Subject: perf tests: Fix indexing when invoking subtests
+
+From: Sandipan Das <sandipan@linux.ibm.com>
+
+[ Upstream commit aa90f9f9554616d5738f7bedb4a8f0e5e14d1bc6 ]
+
+Recently, the subtest numbering was changed to start from 1.  While it
+is fine for displaying results, this should not be the case when the
+subtests are actually invoked.
+
+Typically, the subtests are stored in zero-indexed arrays and invoked
+based on the index passed to the main test function.  Since the index
+now starts from 1, the second subtest in the array (index 1) gets
+invoked instead of the first (index 0).  This applies to all of the
+following subtests but for the last one, the subtest always fails
+because it does not meet the boundary condition of the subtest index
+being lesser than the number of subtests.
+
+This can be observed on powerpc64 and x86_64 systems running Fedora 28
+as shown below.
+
+Before:
+
+  # perf test "builtin clang support"
+  55: builtin clang support                                 :
+  55.1: builtin clang compile C source to IR                : Ok
+  55.2: builtin clang compile C source to ELF object        : FAILED!
+
+  # perf test "LLVM search and compile"
+  38: LLVM search and compile                               :
+  38.1: Basic BPF llvm compile                              : Ok
+  38.2: kbuild searching                                    : Ok
+  38.3: Compile source for BPF prologue generation          : Ok
+  38.4: Compile source for BPF relocation                   : FAILED!
+
+  # perf test "BPF filter"
+  40: BPF filter                                            :
+  40.1: Basic BPF filtering                                 : Ok
+  40.2: BPF pinning                                         : Ok
+  40.3: BPF prologue generation                             : Ok
+  40.4: BPF relocation checker                              : FAILED!
+
+After:
+
+  # perf test "builtin clang support"
+  55: builtin clang support                                 :
+  55.1: builtin clang compile C source to IR                : Ok
+  55.2: builtin clang compile C source to ELF object        : Ok
+
+  # perf test "LLVM search and compile"
+  38: LLVM search and compile                               :
+  38.1: Basic BPF llvm compile                              : Ok
+  38.2: kbuild searching                                    : Ok
+  38.3: Compile source for BPF prologue generation          : Ok
+  38.4: Compile source for BPF relocation                   : Ok
+
+  # perf test "BPF filter"
+  40: BPF filter                                            :
+  40.1: Basic BPF filtering                                 : Ok
+  40.2: BPF pinning                                         : Ok
+  40.3: BPF prologue generation                             : Ok
+  40.4: BPF relocation checker                              : Ok
+
+Signed-off-by: Sandipan Das <sandipan@linux.ibm.com>
+Reported-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.ibm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Cc: Thomas Richter <tmricht@linux.ibm.com>
+Fixes: 9ef0112442bd ("perf test: Fix subtest number when showing results")
+Link: http://lkml.kernel.org/r/20180726171733.33208-1-sandipan@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/tests/builtin-test.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/tests/builtin-test.c
++++ b/tools/perf/tests/builtin-test.c
+@@ -385,7 +385,7 @@ static int test_and_print(struct test *t
+       if (!t->subtest.get_nr)
+               pr_debug("%s:", t->desc);
+       else
+-              pr_debug("%s subtest %d:", t->desc, subtest);
++              pr_debug("%s subtest %d:", t->desc, subtest + 1);
+       switch (err) {
+       case TEST_OK:
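Review bot: The only change in this hunk is to the `pr_debug()` text (`subtest + 1`), while the description says the fix is about which subtest gets invoked. test_and_print() starts and ends outside the hunk and its callers are not shown, so it cannot be confirmed here that this tree already passes a zero-based `subtest` to the test function. Check the caller loop in this branch before relying on the "After" output quoted above.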
diff --git a/queue-4.18/perf-x86-intel-lbr-fix-incomplete-lbr-call-stack.patch b/queue-4.18/perf-x86-intel-lbr-fix-incomplete-lbr-call-stack.patch
new file mode 100644 (file)
index 0000000..b89f731
--- /dev/null
@@ -0,0 +1,255 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Tue, 5 Jun 2018 08:38:45 -0700
+Subject: perf/x86/intel/lbr: Fix incomplete LBR call stack
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 0592e57b24e7e05ec1f4c50b9666c013abff7017 ]
+
+LBR has a limited stack size. If a task has a deeper call stack than
+LBR's stack size, only the overflowed part is reported. A complete call
+stack may not be reconstructed by perf tool.
+
+Current code doesn't access all LBR registers. It only read the ones
+below the TOS. The LBR registers above the TOS will be discarded
+unconditionally.
+
+When a CALL is captured, the TOS is incremented by 1 , modulo max LBR
+stack size. The LBR HW only records the call stack information to the
+register which the TOS points to. It will not touch other LBR
+registers. So the registers above the TOS probably still store the valid
+call stack information for an overflowed call stack, which need to be
+reported.
+
+To retrieve complete call stack information, we need to start from TOS,
+read all LBR registers until an invalid entry is detected.
+0s can be used to detect the invalid entry, because:
+
+ - When a RET is captured, the HW zeros the LBR register which TOS points
+   to, then decreases the TOS.
+ - The LBR registers are reset to 0 when adding a new LBR event or
+   scheduling an existing LBR event.
+ - A taken branch at IP 0 is not expected
+
+The context switch code is also modified to save/restore all valid LBR
+registers. Furthermore, the LBR registers, which don't have valid call
+stack information, need to be reset in restore, because they may be
+polluted while swapped out.
+
+Here is a small test program, tchain_deep.
+Its call stack is deeper than 32.
+
+ noinline void f33(void)
+ {
+        int i;
+
+        for (i = 0; i < 10000000;) {
+                if (i%2)
+                        i++;
+                else
+                        i++;
+        }
+ }
+
+ noinline void f32(void)
+ {
+        f33();
+ }
+
+ noinline void f31(void)
+ {
+        f32();
+ }
+
+ ... ...
+
+ noinline void f1(void)
+ {
+        f2();
+ }
+
+ int main()
+ {
+        f1();
+ }
+
+Here is the test result on SKX. The max stack size of SKX is 32.
+
+Without the patch:
+
+ $ perf record -e cycles --call-graph lbr -- ./tchain_deep
+ $ perf report --stdio
+ #
+ # Children      Self  Command      Shared Object     Symbol
+ # ........  ........  ...........  ................  .................
+ #
+   100.00%    99.99%  tchain_deep    tchain_deep       [.] f33
+            |
+             --99.99%--f30
+                       f31
+                       f32
+                       f33
+
+With the patch:
+
+ $ perf record -e cycles --call-graph lbr -- ./tchain_deep
+ $ perf report --stdio
+ # Children      Self  Command      Shared Object     Symbol
+ # ........  ........  ...........  ................  ..................
+ #
+    99.99%     0.00%  tchain_deep    tchain_deep       [.] f1
+            |
+            ---f1
+               f2
+               f3
+               f4
+               f5
+               f6
+               f7
+               f8
+               f9
+               f10
+               f11
+               f12
+               f13
+               f14
+               f15
+               f16
+               f17
+               f18
+               f19
+               f20
+               f21
+               f22
+               f23
+               f24
+               f25
+               f26
+               f27
+               f28
+               f29
+               f30
+               f31
+               f32
+               f33
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: acme@kernel.org
+Cc: eranian@google.com
+Link: https://lore.kernel.org/lkml/1528213126-4312-1-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/lbr.c  |   32 ++++++++++++++++++++++++++------
+ arch/x86/events/perf_event.h |    1 +
+ 2 files changed, 27 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/events/intel/lbr.c
++++ b/arch/x86/events/intel/lbr.c
+@@ -346,7 +346,7 @@ static void __intel_pmu_lbr_restore(stru
+       mask = x86_pmu.lbr_nr - 1;
+       tos = task_ctx->tos;
+-      for (i = 0; i < tos; i++) {
++      for (i = 0; i < task_ctx->valid_lbrs; i++) {
+               lbr_idx = (tos - i) & mask;
+               wrlbr_from(lbr_idx, task_ctx->lbr_from[i]);
+               wrlbr_to  (lbr_idx, task_ctx->lbr_to[i]);
+@@ -354,6 +354,15 @@ static void __intel_pmu_lbr_restore(stru
+               if (x86_pmu.intel_cap.lbr_format == LBR_FORMAT_INFO)
+                       wrmsrl(MSR_LBR_INFO_0 + lbr_idx, task_ctx->lbr_info[i]);
+       }
++
++      for (; i < x86_pmu.lbr_nr; i++) {
++              lbr_idx = (tos - i) & mask;
++              wrlbr_from(lbr_idx, 0);
++              wrlbr_to(lbr_idx, 0);
++              if (x86_pmu.intel_cap.lbr_format == LBR_FORMAT_INFO)
++                      wrmsrl(MSR_LBR_INFO_0 + lbr_idx, 0);
++      }
++
+       wrmsrl(x86_pmu.lbr_tos, tos);
+       task_ctx->lbr_stack_state = LBR_NONE;
+ }
+@@ -361,7 +370,7 @@ static void __intel_pmu_lbr_restore(stru
+ static void __intel_pmu_lbr_save(struct x86_perf_task_context *task_ctx)
+ {
+       unsigned lbr_idx, mask;
+-      u64 tos;
++      u64 tos, from;
+       int i;
+       if (task_ctx->lbr_callstack_users == 0) {
+@@ -371,13 +380,17 @@ static void __intel_pmu_lbr_save(struct
+       mask = x86_pmu.lbr_nr - 1;
+       tos = intel_pmu_lbr_tos();
+-      for (i = 0; i < tos; i++) {
++      for (i = 0; i < x86_pmu.lbr_nr; i++) {
+               lbr_idx = (tos - i) & mask;
+-              task_ctx->lbr_from[i] = rdlbr_from(lbr_idx);
++              from = rdlbr_from(lbr_idx);
++              if (!from)
++                      break;
++              task_ctx->lbr_from[i] = from;
+               task_ctx->lbr_to[i]   = rdlbr_to(lbr_idx);
+               if (x86_pmu.intel_cap.lbr_format == LBR_FORMAT_INFO)
+                       rdmsrl(MSR_LBR_INFO_0 + lbr_idx, task_ctx->lbr_info[i]);
+       }
++      task_ctx->valid_lbrs = i;
+       task_ctx->tos = tos;
+       task_ctx->lbr_stack_state = LBR_VALID;
+ }
+@@ -531,7 +544,7 @@ static void intel_pmu_lbr_read_32(struct
+  */
+ static void intel_pmu_lbr_read_64(struct cpu_hw_events *cpuc)
+ {
+-      bool need_info = false;
++      bool need_info = false, call_stack = false;
+       unsigned long mask = x86_pmu.lbr_nr - 1;
+       int lbr_format = x86_pmu.intel_cap.lbr_format;
+       u64 tos = intel_pmu_lbr_tos();
+@@ -542,7 +555,7 @@ static void intel_pmu_lbr_read_64(struct
+       if (cpuc->lbr_sel) {
+               need_info = !(cpuc->lbr_sel->config & LBR_NO_INFO);
+               if (cpuc->lbr_sel->config & LBR_CALL_STACK)
+-                      num = tos;
++                      call_stack = true;
+       }
+       for (i = 0; i < num; i++) {
+@@ -555,6 +568,13 @@ static void intel_pmu_lbr_read_64(struct
+               from = rdlbr_from(lbr_idx);
+               to   = rdlbr_to(lbr_idx);
++              /*
++               * Read LBR call stack entries
++               * until invalid entry (0s) is detected.
++               */
++              if (call_stack && !from)
++                      break;
++
+               if (lbr_format == LBR_FORMAT_INFO && need_info) {
+                       u64 info;
+--- a/arch/x86/events/perf_event.h
++++ b/arch/x86/events/perf_event.h
+@@ -648,6 +648,7 @@ struct x86_perf_task_context {
+       u64 lbr_to[MAX_LBR_ENTRIES];
+       u64 lbr_info[MAX_LBR_ENTRIES];
+       int tos;
++      int valid_lbrs;
+       int lbr_callstack_users;
+       int lbr_stack_state;
+ };
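Review bot: The zero-fill loop added to __intel_pmu_lbr_restore() and the `if (!from) break;` in __intel_pmu_lbr_save() carry no comment. Both depend on the convention that a zero `from` marks an invalid entry, which is stated only in intel_pmu_lbr_read_64(). Suggest `/* Clear the entries that were not saved: they may hold branches recorded while this task was switched out. */` above the second restore loop and `/* A zero from address ends the valid call stack. */` at the break. The restore loop indexes `task_ctx->lbr_from[i]` up to `valid_lbrs`, which is safe only while `valid_lbrs` stays at or below `x86_pmu.lbr_nr` and that stays within `MAX_LBR_ENTRIES`. The save loop shown here ensures the first; the second is defined outside the hunk.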
diff --git a/queue-4.18/platform-x86-asus-wireless-fix-uninitialized-symbol-usage.patch b/queue-4.18/platform-x86-asus-wireless-fix-uninitialized-symbol-usage.patch
new file mode 100644 (file)
index 0000000..e3ef7e7
--- /dev/null
@@ -0,0 +1,90 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: "João Paulo Rechi Vita" <jprvita@gmail.com>
+Date: Fri, 29 Jun 2018 15:12:46 -0700
+Subject: platform/x86: asus-wireless: Fix uninitialized symbol usage
+
+From: "João Paulo Rechi Vita" <jprvita@gmail.com>
+
+[ Upstream commit eca4c4e47eb0658ad251f0bff465e23c055377da ]
+
+'ret' will not be initialized if acpi_evaluate_integer() returns through
+an error path, so it should not be used in this case. This fixes the
+following Smatch static analyser error:
+
+ drivers/platform/x86/asus-wireless.c:76 asus_wireless_method() error:
+                                                     uninitialized symbol 'ret'.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/asus-wireless.c |   23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+--- a/drivers/platform/x86/asus-wireless.c
++++ b/drivers/platform/x86/asus-wireless.c
+@@ -52,13 +52,12 @@ static const struct acpi_device_id devic
+ };
+ MODULE_DEVICE_TABLE(acpi, device_ids);
+-static u64 asus_wireless_method(acpi_handle handle, const char *method,
+-                              int param)
++static acpi_status asus_wireless_method(acpi_handle handle, const char *method,
++                                      int param, u64 *ret)
+ {
+       struct acpi_object_list p;
+       union acpi_object obj;
+       acpi_status s;
+-      u64 ret;
+       acpi_handle_debug(handle, "Evaluating method %s, parameter %#x\n",
+                         method, param);
+@@ -67,24 +66,27 @@ static u64 asus_wireless_method(acpi_han
+       p.count = 1;
+       p.pointer = &obj;
+-      s = acpi_evaluate_integer(handle, (acpi_string) method, &p, &ret);
++      s = acpi_evaluate_integer(handle, (acpi_string) method, &p, ret);
+       if (ACPI_FAILURE(s))
+               acpi_handle_err(handle,
+                               "Failed to eval method %s, param %#x (%d)\n",
+                               method, param, s);
+-      acpi_handle_debug(handle, "%s returned %#llx\n", method, ret);
+-      return ret;
++      else
++              acpi_handle_debug(handle, "%s returned %#llx\n", method, *ret);
++
++      return s;
+ }
+ static enum led_brightness led_state_get(struct led_classdev *led)
+ {
+       struct asus_wireless_data *data;
+-      int s;
++      acpi_status s;
++      u64 ret;
+       data = container_of(led, struct asus_wireless_data, led);
+       s = asus_wireless_method(acpi_device_handle(data->adev), "HSWC",
+-                               data->hswc_params->status);
+-      if (s == data->hswc_params->on)
++                               data->hswc_params->status, &ret);
++      if (ACPI_SUCCESS(s) && ret == data->hswc_params->on)
+               return LED_FULL;
+       return LED_OFF;
+ }
+@@ -92,10 +94,11 @@ static enum led_brightness led_state_get
+ static void led_state_update(struct work_struct *work)
+ {
+       struct asus_wireless_data *data;
++      u64 ret;
+       data = container_of(work, struct asus_wireless_data, led_work);
+       asus_wireless_method(acpi_device_handle(data->adev), "HSWC",
+-                           data->led_state);
++                           data->led_state, &ret);
+ }
+ static void led_state_set(struct led_classdev *led, enum led_brightness value)
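Review bot: asus_wireless_method() now returns the ACPI status and fills `*ret` only through acpi_evaluate_integer(), but nothing at the function says when `*ret` may be read. Since the bug being fixed was a read of that value after a failed call, a short header comment would help, stating that `*ret` is meaningful only when the returned status satisfies `ACPI_SUCCESS()`. In led_state_update() the status is discarded and `ret` is a throwaway; a comment such as `/* result unused; failures are logged by asus_wireless_method() */` would show that this is deliberate.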
diff --git a/queue-4.18/posix-timers-make-forward-callback-return-s64.patch b/queue-4.18/posix-timers-make-forward-callback-return-s64.patch
new file mode 100644 (file)
index 0000000..0099808
--- /dev/null
@@ -0,0 +1,86 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 26 Jun 2018 15:21:31 +0200
+Subject: posix-timers: Make forward callback return s64
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 6fec64e1c92d5c715c6d0f50786daa7708266bde ]
+
+The posix timer ti_overrun handling is broken because the forwarding
+functions can return a huge number of overruns which does not fit in an
+int. As a consequence timer_getoverrun(2) and siginfo::si_overrun can turn
+into random number generators.
+
+As a first step to address that let the timer_forward() callbacks return
+the full 64 bit value.
+
+Cast it to (int) temporarily until k_itimer::ti_overrun is converted to
+64bit and the conversion to user space visible values is sanitized.
+
+Reported-by: Team OWL337 <icytxw@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: John Stultz <john.stultz@linaro.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Michael Kerrisk <mtk.manpages@gmail.com>
+Link: https://lkml.kernel.org/r/20180626132704.922098090@linutronix.de
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/time/alarmtimer.c   |    4 ++--
+ kernel/time/posix-timers.c |    6 +++---
+ kernel/time/posix-timers.h |    2 +-
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -581,11 +581,11 @@ static void alarm_timer_rearm(struct k_i
+  * @timr:     Pointer to the posixtimer data struct
+  * @now:      Current time to forward the timer against
+  */
+-static int alarm_timer_forward(struct k_itimer *timr, ktime_t now)
++static s64 alarm_timer_forward(struct k_itimer *timr, ktime_t now)
+ {
+       struct alarm *alarm = &timr->it.alarm.alarmtimer;
+-      return (int) alarm_forward(alarm, timr->it_interval, now);
++      return alarm_forward(alarm, timr->it_interval, now);
+ }
+ /**
+--- a/kernel/time/posix-timers.c
++++ b/kernel/time/posix-timers.c
+@@ -645,11 +645,11 @@ static ktime_t common_hrtimer_remaining(
+       return __hrtimer_expires_remaining_adjusted(timer, now);
+ }
+-static int common_hrtimer_forward(struct k_itimer *timr, ktime_t now)
++static s64 common_hrtimer_forward(struct k_itimer *timr, ktime_t now)
+ {
+       struct hrtimer *timer = &timr->it.real.timer;
+-      return (int)hrtimer_forward(timer, now, timr->it_interval);
++      return hrtimer_forward(timer, now, timr->it_interval);
+ }
+ /*
+@@ -702,7 +702,7 @@ void common_timer_get(struct k_itimer *t
+        * expiry time forward by intervals, so expiry is > now.
+        */
+       if (iv && (timr->it_requeue_pending & REQUEUE_PENDING || sig_none))
+-              timr->it_overrun += kc->timer_forward(timr, now);
++              timr->it_overrun += (int)kc->timer_forward(timr, now);
+       remaining = kc->timer_remaining(timr, now);
+       /* Return 0 only, when the timer is expired and not pending */
+--- a/kernel/time/posix-timers.h
++++ b/kernel/time/posix-timers.h
+@@ -19,7 +19,7 @@ struct k_clock {
+       void    (*timer_get)(struct k_itimer *timr,
+                            struct itimerspec64 *cur_setting);
+       void    (*timer_rearm)(struct k_itimer *timr);
+-      int     (*timer_forward)(struct k_itimer *timr, ktime_t now);
++      s64     (*timer_forward)(struct k_itimer *timr, ktime_t now);
+       ktime_t (*timer_remaining)(struct k_itimer *timr, ktime_t now);
+       int     (*timer_try_to_cancel)(struct k_itimer *timr);
+       void    (*timer_arm)(struct k_itimer *timr, ktime_t expires,
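Review bot: The `(int)` cast added in common_timer_get() still truncates the s64 returned by `kc->timer_forward()`, so with this patch alone `it_overrun` can take the same out-of-range values as before. The description calls the cast temporary. A comment at the cast, e.g. `/* temporary truncation until it_overrun is 64 bit */`, would record that this patch is not a complete fix and has to be picked together with its follow-up. common_timer_get() starts and ends outside the hunk.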
diff --git a/queue-4.18/posix-timers-sanitize-overrun-handling.patch b/queue-4.18/posix-timers-sanitize-overrun-handling.patch
new file mode 100644 (file)
index 0000000..ea16a58
--- /dev/null
@@ -0,0 +1,145 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 26 Jun 2018 15:21:32 +0200
+Subject: posix-timers: Sanitize overrun handling
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 78c9c4dfbf8c04883941445a195276bb4bb92c76 ]
+
+The posix timer overrun handling is broken because the forwarding functions
+can return a huge number of overruns which does not fit in an int. As a
+consequence timer_getoverrun(2) and siginfo::si_overrun can turn into
+random number generators.
+
+The k_clock::timer_forward() callbacks return a 64 bit value now. Make
+k_itimer::ti_overrun[_last] 64bit as well, so the kernel internal
+accounting is correct. 3Remove the temporary (int) casts.
+
+Add a helper function which clamps the overrun value returned to user space
+via timer_getoverrun(2) or siginfo::si_overrun limited to a positive value
+between 0 and INT_MAX. INT_MAX is an indicator for user space that the
+overrun value has been clamped.
+
+Reported-by: Team OWL337 <icytxw@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: John Stultz <john.stultz@linaro.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Michael Kerrisk <mtk.manpages@gmail.com>
+Link: https://lkml.kernel.org/r/20180626132705.018623573@linutronix.de
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/posix-timers.h   |    4 ++--
+ kernel/time/posix-cpu-timers.c |    2 +-
+ kernel/time/posix-timers.c     |   31 ++++++++++++++++++++-----------
+ 3 files changed, 23 insertions(+), 14 deletions(-)
+
+--- a/include/linux/posix-timers.h
++++ b/include/linux/posix-timers.h
+@@ -95,8 +95,8 @@ struct k_itimer {
+       clockid_t               it_clock;
+       timer_t                 it_id;
+       int                     it_active;
+-      int                     it_overrun;
+-      int                     it_overrun_last;
++      s64                     it_overrun;
++      s64                     it_overrun_last;
+       int                     it_requeue_pending;
+       int                     it_sigev_notify;
+       ktime_t                 it_interval;
+--- a/kernel/time/posix-cpu-timers.c
++++ b/kernel/time/posix-cpu-timers.c
+@@ -85,7 +85,7 @@ static void bump_cpu_timer(struct k_itim
+                       continue;
+               timer->it.cpu.expires += incr;
+-              timer->it_overrun += 1 << i;
++              timer->it_overrun += 1LL << i;
+               delta -= incr;
+       }
+ }
+--- a/kernel/time/posix-timers.c
++++ b/kernel/time/posix-timers.c
+@@ -283,6 +283,17 @@ static __init int init_posix_timers(void
+ }
+ __initcall(init_posix_timers);
++/*
++ * The siginfo si_overrun field and the return value of timer_getoverrun(2)
++ * are of type int. Clamp the overrun value to INT_MAX
++ */
++static inline int timer_overrun_to_int(struct k_itimer *timr, int baseval)
++{
++      s64 sum = timr->it_overrun_last + (s64)baseval;
++
++      return sum > (s64)INT_MAX ? INT_MAX : (int)sum;
++}
++
+ static void common_hrtimer_rearm(struct k_itimer *timr)
+ {
+       struct hrtimer *timer = &timr->it.real.timer;
+@@ -290,9 +301,8 @@ static void common_hrtimer_rearm(struct
+       if (!timr->it_interval)
+               return;
+-      timr->it_overrun += (unsigned int) hrtimer_forward(timer,
+-                                              timer->base->get_time(),
+-                                              timr->it_interval);
++      timr->it_overrun += hrtimer_forward(timer, timer->base->get_time(),
++                                          timr->it_interval);
+       hrtimer_restart(timer);
+ }
+@@ -321,10 +331,10 @@ void posixtimer_rearm(struct siginfo *in
+               timr->it_active = 1;
+               timr->it_overrun_last = timr->it_overrun;
+-              timr->it_overrun = -1;
++              timr->it_overrun = -1LL;
+               ++timr->it_requeue_pending;
+-              info->si_overrun += timr->it_overrun_last;
++              info->si_overrun = timer_overrun_to_int(timr, info->si_overrun);
+       }
+       unlock_timer(timr, flags);
+@@ -418,9 +428,8 @@ static enum hrtimer_restart posix_timer_
+                                       now = ktime_add(now, kj);
+                       }
+ #endif
+-                      timr->it_overrun += (unsigned int)
+-                              hrtimer_forward(timer, now,
+-                                              timr->it_interval);
++                      timr->it_overrun += hrtimer_forward(timer, now,
++                                                          timr->it_interval);
+                       ret = HRTIMER_RESTART;
+                       ++timr->it_requeue_pending;
+                       timr->it_active = 1;
+@@ -524,7 +533,7 @@ static int do_timer_create(clockid_t whi
+       new_timer->it_id = (timer_t) new_timer_id;
+       new_timer->it_clock = which_clock;
+       new_timer->kclock = kc;
+-      new_timer->it_overrun = -1;
++      new_timer->it_overrun = -1LL;
+       if (event) {
+               rcu_read_lock();
+@@ -702,7 +711,7 @@ void common_timer_get(struct k_itimer *t
+        * expiry time forward by intervals, so expiry is > now.
+        */
+       if (iv && (timr->it_requeue_pending & REQUEUE_PENDING || sig_none))
+-              timr->it_overrun += (int)kc->timer_forward(timr, now);
++              timr->it_overrun += kc->timer_forward(timr, now);
+       remaining = kc->timer_remaining(timr, now);
+       /* Return 0 only, when the timer is expired and not pending */
+@@ -789,7 +798,7 @@ SYSCALL_DEFINE1(timer_getoverrun, timer_
+       if (!timr)
+               return -EINVAL;
+-      overrun = timr->it_overrun_last;
++      overrun = timer_overrun_to_int(timr, 0);
+       unlock_timer(timr, flags);
+       return overrun;
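Review bot: `timer_overrun_to_int()` (the hunk at `-283,6 +283,17` in kernel/time/posix-timers.c) clamps only the upper bound, while the commit message describes a value "between 0 and INT_MAX". `it_overrun` is initialised to `-1LL` and copied into `it_overrun_last` in posixtimer_rearm(), so a negative sum would pass through the `(int)` cast unchanged. Whether that state can actually reach the helper is not visible from these hunks. Either state the precondition in the helper's comment, e.g. `Only the upper bound is clamped; it_overrun_last is expected to be >= 0 here`, or clamp the lower end as well with `if (sum < 0) return 0;` before the existing return.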
diff --git a/queue-4.18/power-remove-possible-deadlock-when-unregistering-power_supply.patch b/queue-4.18/power-remove-possible-deadlock-when-unregistering-power_supply.patch
new file mode 100644 (file)
index 0000000..22582e8
--- /dev/null
@@ -0,0 +1,145 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Mon, 25 Jun 2018 09:51:48 +0200
+Subject: power: remove possible deadlock when unregistering power_supply
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+[ Upstream commit 3ffa6583e24e1ad1abab836d24bfc9d2308074e5 ]
+
+If a device gets removed right after having registered a power_supply node,
+we might enter in a deadlock between the remove call (that has a lock on
+the parent device) and the deferred register work.
+
+Allow the deferred register work to exit without taking the lock when
+we are in the remove state.
+
+Stack trace on a Ubuntu 16.04:
+
+[16072.109121] INFO: task kworker/u16:2:1180 blocked for more than 120 seconds.
+[16072.109127]       Not tainted 4.13.0-41-generic #46~16.04.1-Ubuntu
+[16072.109129] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+[16072.109132] kworker/u16:2   D    0  1180      2 0x80000000
+[16072.109142] Workqueue: events_power_efficient power_supply_deferred_register_work
+[16072.109144] Call Trace:
+[16072.109152]  __schedule+0x3d6/0x8b0
+[16072.109155]  schedule+0x36/0x80
+[16072.109158]  schedule_preempt_disabled+0xe/0x10
+[16072.109161]  __mutex_lock.isra.2+0x2ab/0x4e0
+[16072.109166]  __mutex_lock_slowpath+0x13/0x20
+[16072.109168]  ? __mutex_lock_slowpath+0x13/0x20
+[16072.109171]  mutex_lock+0x2f/0x40
+[16072.109174]  power_supply_deferred_register_work+0x2b/0x50
+[16072.109179]  process_one_work+0x15b/0x410
+[16072.109182]  worker_thread+0x4b/0x460
+[16072.109186]  kthread+0x10c/0x140
+[16072.109189]  ? process_one_work+0x410/0x410
+[16072.109191]  ? kthread_create_on_node+0x70/0x70
+[16072.109194]  ret_from_fork+0x35/0x40
+[16072.109199] INFO: task test:2257 blocked for more than 120 seconds.
+[16072.109202]       Not tainted 4.13.0-41-generic #46~16.04.1-Ubuntu
+[16072.109204] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+[16072.109206] test            D    0  2257   2256 0x00000004
+[16072.109208] Call Trace:
+[16072.109211]  __schedule+0x3d6/0x8b0
+[16072.109215]  schedule+0x36/0x80
+[16072.109218]  schedule_timeout+0x1f3/0x360
+[16072.109221]  ? check_preempt_curr+0x5a/0xa0
+[16072.109224]  ? ttwu_do_wakeup+0x1e/0x150
+[16072.109227]  wait_for_completion+0xb4/0x140
+[16072.109230]  ? wait_for_completion+0xb4/0x140
+[16072.109233]  ? wake_up_q+0x70/0x70
+[16072.109236]  flush_work+0x129/0x1e0
+[16072.109240]  ? worker_detach_from_pool+0xb0/0xb0
+[16072.109243]  __cancel_work_timer+0x10f/0x190
+[16072.109247]  ? device_del+0x264/0x310
+[16072.109250]  ? __wake_up+0x44/0x50
+[16072.109253]  cancel_delayed_work_sync+0x13/0x20
+[16072.109257]  power_supply_unregister+0x37/0xb0
+[16072.109260]  devm_power_supply_release+0x11/0x20
+[16072.109263]  release_nodes+0x110/0x200
+[16072.109266]  devres_release_group+0x7c/0xb0
+[16072.109274]  wacom_remove+0xc2/0x110 [wacom]
+[16072.109279]  hid_device_remove+0x6e/0xd0 [hid]
+[16072.109284]  device_release_driver_internal+0x158/0x210
+[16072.109288]  device_release_driver+0x12/0x20
+[16072.109291]  bus_remove_device+0xec/0x160
+[16072.109293]  device_del+0x1de/0x310
+[16072.109298]  hid_destroy_device+0x27/0x60 [hid]
+[16072.109303]  usbhid_disconnect+0x51/0x70 [usbhid]
+[16072.109308]  usb_unbind_interface+0x77/0x270
+[16072.109311]  device_release_driver_internal+0x158/0x210
+[16072.109315]  device_release_driver+0x12/0x20
+[16072.109318]  usb_driver_release_interface+0x77/0x80
+[16072.109321]  proc_ioctl+0x20f/0x250
+[16072.109325]  usbdev_do_ioctl+0x57f/0x1140
+[16072.109327]  ? __wake_up+0x44/0x50
+[16072.109331]  usbdev_ioctl+0xe/0x20
+[16072.109336]  do_vfs_ioctl+0xa4/0x600
+[16072.109339]  ? vfs_write+0x15a/0x1b0
+[16072.109343]  SyS_ioctl+0x79/0x90
+[16072.109347]  entry_SYSCALL_64_fastpath+0x24/0xab
+[16072.109349] RIP: 0033:0x7f20da807f47
+[16072.109351] RSP: 002b:00007ffc422ae398 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+[16072.109353] RAX: ffffffffffffffda RBX: 00000000010b8560 RCX: 00007f20da807f47
+[16072.109355] RDX: 00007ffc422ae3a0 RSI: 00000000c0105512 RDI: 0000000000000009
+[16072.109356] RBP: 0000000000000000 R08: 00007ffc422ae3e0 R09: 0000000000000010
+[16072.109357] R10: 00000000000000a6 R11: 0000000000000246 R12: 0000000000000000
+[16072.109359] R13: 00000000010b8560 R14: 00007ffc422ae2e0 R15: 0000000000000000
+
+Reported-and-tested-by: Richard Hughes <rhughes@redhat.com>
+Tested-by: Aaron Skomra <Aaron.Skomra@wacom.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Fixes: 7f1a57fdd6cb ("power_supply: Fix possible NULL pointer dereference on early uevent")
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/power_supply_core.c |   11 +++++++++--
+ include/linux/power_supply.h             |    1 +
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/power/supply/power_supply_core.c
++++ b/drivers/power/supply/power_supply_core.c
+@@ -14,6 +14,7 @@
+ #include <linux/types.h>
+ #include <linux/init.h>
+ #include <linux/slab.h>
++#include <linux/delay.h>
+ #include <linux/device.h>
+ #include <linux/notifier.h>
+ #include <linux/err.h>
+@@ -140,8 +141,13 @@ static void power_supply_deferred_regist
+       struct power_supply *psy = container_of(work, struct power_supply,
+                                               deferred_register_work.work);
+-      if (psy->dev.parent)
+-              mutex_lock(&psy->dev.parent->mutex);
++      if (psy->dev.parent) {
++              while (!mutex_trylock(&psy->dev.parent->mutex)) {
++                      if (psy->removing)
++                              return;
++                      msleep(10);
++              }
++      }
+       power_supply_changed(psy);
+@@ -1082,6 +1088,7 @@ EXPORT_SYMBOL_GPL(devm_power_supply_regi
+ void power_supply_unregister(struct power_supply *psy)
+ {
+       WARN_ON(atomic_dec_return(&psy->use_cnt));
++      psy->removing = true;
+       cancel_work_sync(&psy->changed_work);
+       cancel_delayed_work_sync(&psy->deferred_register_work);
+       sysfs_remove_link(&psy->dev.kobj, "powers");
+--- a/include/linux/power_supply.h
++++ b/include/linux/power_supply.h
+@@ -269,6 +269,7 @@ struct power_supply {
+       spinlock_t changed_lock;
+       bool changed;
+       bool initialized;
++      bool removing;
+       atomic_t use_cnt;
+ #ifdef CONFIG_THERMAL
+       struct thermal_zone_device *tzd;
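Review bot: `psy->removing` is written in power_supply_unregister() and polled from the deferred-register worker as a plain `bool`, with no lock or access annotation covering the cross-thread use. The `mutex_trylock()` and `msleep()` calls in the loop probably stop the compiler from caching the value, but marking the accesses makes the intent explicit: `if (READ_ONCE(psy->removing))` in the worker and `WRITE_ONCE(psy->removing, true);` in unregister. The flag is never cleared in this patch, so a comment on the new field such as `/* set once in power_supply_unregister(), never cleared */` would record that it is one-way. The retry loop also has no upper bound if the parent mutex stays held while `removing` is false; both functions continue outside their hunks, so that may be handled elsewhere.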
diff --git a/queue-4.18/power-supply-axp288_charger-fix-initial-constant_charge_current-value.patch b/queue-4.18/power-supply-axp288_charger-fix-initial-constant_charge_current-value.patch
new file mode 100644 (file)
index 0000000..05cc320
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 23 May 2018 15:33:21 +0200
+Subject: power: supply: axp288_charger: Fix initial constant_charge_current value
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit f2a42595f0865886a2d40524b0e9d15600848670 ]
+
+We should look at val which contains the value read from the register,
+not ret which is always 0 on a successful read.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Fixes: eac53b3664f59 ("power: supply: axp288_charger: Drop platform_data dependency")
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/axp288_charger.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/supply/axp288_charger.c
++++ b/drivers/power/supply/axp288_charger.c
+@@ -718,7 +718,7 @@ static int charger_init_hw_regs(struct a
+       }
+       /* Determine charge current limit */
+-      cc = (ret & CHRG_CCCV_CC_MASK) >> CHRG_CCCV_CC_BIT_POS;
++      cc = (val & CHRG_CCCV_CC_MASK) >> CHRG_CCCV_CC_BIT_POS;
+       cc = (cc * CHRG_CCCV_CC_LSB_RES) + CHRG_CCCV_CC_OFFSET;
+       info->cc = cc;
diff --git a/queue-4.18/power-vexpress-fix-corruption-in-notifier-registration.patch b/queue-4.18/power-vexpress-fix-corruption-in-notifier-registration.patch
new file mode 100644 (file)
index 0000000..440736a
--- /dev/null
@@ -0,0 +1,70 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Mon, 18 Jun 2018 16:54:32 +0100
+Subject: power: vexpress: fix corruption in notifier registration
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 09bebb1adb21ecd04adf7ccb3b06f73e3a851e93 ]
+
+Vexpress platforms provide two different restart handlers: SYS_REBOOT
+that restart the entire system, while DB_RESET only restarts the
+daughter board containing the CPU. DB_RESET is overridden by SYS_REBOOT
+if it exists.
+
+notifier_chain_register used in register_restart_handler by design
+relies on notifiers to be registered once only, however vexpress restart
+notifier can get registered twice. When this happen it corrupts list
+of notifiers, as result some notifiers can be not called on proper
+event, traverse on list can be cycled forever, and second unregister
+can access already freed memory.
+
+So far, since this was the only restart handler in the system, no issue
+was observed even if the same notifier was registered twice. However
+commit 6c5c0d48b686 ("watchdog: sp805: add restart handler") added
+support for SP805 restart handlers and since the system under test
+contains two vexpress restart and two SP805 watchdog instances, it was
+observed that during the boot traversing the restart handler list looped
+forever as there's a cycle in that list resulting in boot hang.
+
+This patch fixes the issues by ensuring that the notifier is installed
+only once.
+
+Cc: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Fixes: 46c99ac66222 ("power/reset: vexpress: Register with kernel restart handler")
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/reset/vexpress-poweroff.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/power/reset/vexpress-poweroff.c
++++ b/drivers/power/reset/vexpress-poweroff.c
+@@ -35,6 +35,7 @@ static void vexpress_reset_do(struct dev
+ }
+ static struct device *vexpress_power_off_device;
++static atomic_t vexpress_restart_nb_refcnt = ATOMIC_INIT(0);
+ static void vexpress_power_off(void)
+ {
+@@ -99,10 +100,13 @@ static int _vexpress_register_restart_ha
+       int err;
+       vexpress_restart_device = dev;
+-      err = register_restart_handler(&vexpress_restart_nb);
+-      if (err) {
+-              dev_err(dev, "cannot register restart handler (err=%d)\n", err);
+-              return err;
++      if (atomic_inc_return(&vexpress_restart_nb_refcnt) == 1) {
++              err = register_restart_handler(&vexpress_restart_nb);
++              if (err) {
++                      dev_err(dev, "cannot register restart handler (err=%d)\n", err);
++                      atomic_dec(&vexpress_restart_nb_refcnt);
++                      return err;
++              }
+       }
+       device_create_file(dev, &dev_attr_active);
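Review bot: A caller that sees `atomic_inc_return()` return more than 1 proceeds without knowing whether the first caller's `register_restart_handler()` succeeded. If two calls could overlap and the first registration fails, the `atomic_dec()` leaves the counter at 1 with no handler installed, and later callers skip registration. This is safe only if the calls are serialized, which the hunk does not show. A comment above the check would record that assumption, e.g. `/* callers are serialized; only the first one registers the shared notifier */`. No matching decrement on device removal is visible in this patch, so the counter appears to act as a register-once guard rather than a full refcount; the function body starts outside the hunk.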
diff --git a/queue-4.18/powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch b/queue-4.18/powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch
new file mode 100644 (file)
index 0000000..db97c72
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Hari Bathini <hbathini@linux.ibm.com>
+Date: Thu, 28 Jun 2018 10:49:56 +0530
+Subject: powerpc/kdump: Handle crashkernel memory reservation failure
+
+From: Hari Bathini <hbathini@linux.ibm.com>
+
+[ Upstream commit 8950329c4a64c6d3ca0bc34711a1afbd9ce05657 ]
+
+Memory reservation for crashkernel could fail if there are holes around
+kdump kernel offset (128M). Fail gracefully in such cases and print an
+error message.
+
+Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
+Tested-by: David Gibson <dgibson@redhat.com>
+Reviewed-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/machine_kexec.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/machine_kexec.c
++++ b/arch/powerpc/kernel/machine_kexec.c
+@@ -188,7 +188,12 @@ void __init reserve_crashkernel(void)
+                       (unsigned long)(crashk_res.start >> 20),
+                       (unsigned long)(memblock_phys_mem_size() >> 20));
+-      memblock_reserve(crashk_res.start, crash_size);
++      if (!memblock_is_region_memory(crashk_res.start, crash_size) ||
++          memblock_reserve(crashk_res.start, crash_size)) {
++              pr_err("Failed to reserve memory for crashkernel!\n");
++              crashk_res.start = crashk_res.end = 0;
++              return;
++      }
+ }
+ int overlaps_crashkernel(unsigned long start, unsigned long size)
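Review bot: The new `pr_err()` does not say which region could not be reserved, although the context lines just above pass the start address in MB to what appears to be a log call. Including the size and start makes a failed crashkernel reservation diagnosable from the boot log alone, for example `pr_err("Failed to reserve %lluMB at %lluMB for crashkernel!\n", (unsigned long long)(crash_size >> 20), (unsigned long long)(crashk_res.start >> 20));`. The trailing `return;` is the last statement of the function as shown and can be dropped. reserve_crashkernel() begins outside the hunk.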
diff --git a/queue-4.18/powerpc-powernv-ioda2-reduce-upper-limit-for-dma-window-size.patch b/queue-4.18/powerpc-powernv-ioda2-reduce-upper-limit-for-dma-window-size.patch
new file mode 100644 (file)
index 0000000..4d7d847
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Fri, 1 Jun 2018 18:06:16 +1000
+Subject: powerpc/powernv/ioda2: Reduce upper limit for DMA window size
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+[ Upstream commit d3d4ffaae439981e1e441ebb125aa3588627c5d8 ]
+
+We use PHB in mode1 which uses bit 59 to select a correct DMA window.
+However there is mode2 which uses bits 59:55 and allows up to 32 DMA
+windows per a PE.
+
+Even though documentation does not clearly specify that, it seems that
+the actual hardware does not support bits 59:55 even in mode1, in other
+words we can create a window as big as 1<<58 but DMA simply won't work.
+
+This reduces the upper limit from 59 to 55 bits to let the userspace know
+about the hardware limits.
+
+Fixes: 7aafac11e3 "powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested"
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/pci-ioda.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/pci-ioda.c
++++ b/arch/powerpc/platforms/powernv/pci-ioda.c
+@@ -2841,7 +2841,7 @@ static long pnv_pci_ioda2_table_alloc_pa
+       level_shift = entries_shift + 3;
+       level_shift = max_t(unsigned, level_shift, PAGE_SHIFT);
+-      if ((level_shift - 3) * levels + page_shift >= 60)
++      if ((level_shift - 3) * levels + page_shift >= 55)
+               return -EINVAL;
+       /* Allocate TCE table */
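Review bot: The new limit `55` is a bare constant whose reason lives only in the commit message. A comment above the check would keep the hardware constraint with the code, e.g. `/* bits 59:55 are not usable for a DMA window even in PHB mode1 */`, or a named constant could replace the literal. Without it, a later reader has no way to tell from the source why the bound is not 60 or 59. The enclosing function continues outside the hunk.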
diff --git a/queue-4.18/rdma-bnxt_re-fix-a-bunch-of-off-by-one-bugs-in-qplib_fp.c.patch b/queue-4.18/rdma-bnxt_re-fix-a-bunch-of-off-by-one-bugs-in-qplib_fp.c.patch
new file mode 100644 (file)
index 0000000..e57ea8f
--- /dev/null
@@ -0,0 +1,79 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:58:02 +0300
+Subject: RDMA/bnxt_re: Fix a bunch of off by one bugs in qplib_fp.c
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit c1dfc0114c901b4f46c85ceff0491debf2b2a2ec ]
+
+The srq->swq[] is allocated in bnxt_qplib_create_srq().  It has
+srq->hwq.max_elements elements so these tests should be > instead of >=
+or we might go beyond the end of the array.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -2354,7 +2354,7 @@ static int bnxt_qplib_cq_process_res_rc(
+               srq = qp->srq;
+               if (!srq)
+                       return -EINVAL;
+-              if (wr_id_idx > srq->hwq.max_elements) {
++              if (wr_id_idx >= srq->hwq.max_elements) {
+                       dev_err(&cq->hwq.pdev->dev,
+                               "QPLIB: FP: CQ Process RC ");
+                       dev_err(&cq->hwq.pdev->dev,
+@@ -2369,7 +2369,7 @@ static int bnxt_qplib_cq_process_res_rc(
+               *pcqe = cqe;
+       } else {
+               rq = &qp->rq;
+-              if (wr_id_idx > rq->hwq.max_elements) {
++              if (wr_id_idx >= rq->hwq.max_elements) {
+                       dev_err(&cq->hwq.pdev->dev,
+                               "QPLIB: FP: CQ Process RC ");
+                       dev_err(&cq->hwq.pdev->dev,
+@@ -2437,7 +2437,7 @@ static int bnxt_qplib_cq_process_res_ud(
+               if (!srq)
+                       return -EINVAL;
+-              if (wr_id_idx > srq->hwq.max_elements) {
++              if (wr_id_idx >= srq->hwq.max_elements) {
+                       dev_err(&cq->hwq.pdev->dev,
+                               "QPLIB: FP: CQ Process UD ");
+                       dev_err(&cq->hwq.pdev->dev,
+@@ -2452,7 +2452,7 @@ static int bnxt_qplib_cq_process_res_ud(
+               *pcqe = cqe;
+       } else {
+               rq = &qp->rq;
+-              if (wr_id_idx > rq->hwq.max_elements) {
++              if (wr_id_idx >= rq->hwq.max_elements) {
+                       dev_err(&cq->hwq.pdev->dev,
+                               "QPLIB: FP: CQ Process UD ");
+                       dev_err(&cq->hwq.pdev->dev,
+@@ -2546,7 +2546,7 @@ static int bnxt_qplib_cq_process_res_raw
+                               "QPLIB: FP: SRQ used but not defined??");
+                       return -EINVAL;
+               }
+-              if (wr_id_idx > srq->hwq.max_elements) {
++              if (wr_id_idx >= srq->hwq.max_elements) {
+                       dev_err(&cq->hwq.pdev->dev,
+                               "QPLIB: FP: CQ Process Raw/QP1 ");
+                       dev_err(&cq->hwq.pdev->dev,
+@@ -2561,7 +2561,7 @@ static int bnxt_qplib_cq_process_res_raw
+               *pcqe = cqe;
+       } else {
+               rq = &qp->rq;
+-              if (wr_id_idx > rq->hwq.max_elements) {
++              if (wr_id_idx >= rq->hwq.max_elements) {
+                       dev_err(&cq->hwq.pdev->dev,
+                               "QPLIB: FP: CQ Process Raw/QP1 RQ wr_id ");
+                       dev_err(&cq->hwq.pdev->dev,
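Review bot: The same `wr_id_idx >= ...hwq.max_elements` bound is open-coded at six sites across the RC, UD and Raw/QP1 completion handlers, which is how one off-by-one came to need six identical fixes. A small static helper that takes the index and the queue's `max_elements` and is called from all three handlers would keep the bound in one place. The three functions extend beyond their hunks, so the exact parameter types would need to be taken from the full file.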
diff --git a/queue-4.18/rdma-bnxt_re-fix-a-couple-off-by-one-bugs.patch b/queue-4.18/rdma-bnxt_re-fix-a-couple-off-by-one-bugs.patch
new file mode 100644 (file)
index 0000000..bb14389
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:57:11 +0300
+Subject: RDMA/bnxt_re: Fix a couple off by one bugs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 474e5a86067e5f12c97d1db8b170c7f45b53097a ]
+
+The sgid_tbl->tbl[] array is allocated in bnxt_qplib_alloc_sgid_tbl().
+It has sgid_tbl->max elements.  So the > should be >= to prevent
+accessing one element beyond the end of the array.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_sp.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+@@ -197,7 +197,7 @@ int bnxt_qplib_get_sgid(struct bnxt_qpli
+                       struct bnxt_qplib_sgid_tbl *sgid_tbl, int index,
+                       struct bnxt_qplib_gid *gid)
+ {
+-      if (index > sgid_tbl->max) {
++      if (index >= sgid_tbl->max) {
+               dev_err(&res->pdev->dev,
+                       "QPLIB: Index %d exceeded SGID table max (%d)",
+                       index, sgid_tbl->max);
+@@ -402,7 +402,7 @@ int bnxt_qplib_get_pkey(struct bnxt_qpli
+               *pkey = 0xFFFF;
+               return 0;
+       }
+-      if (index > pkey_tbl->max) {
++      if (index >= pkey_tbl->max) {
+               dev_err(&res->pdev->dev,
+                       "QPLIB: Index %d exceeded PKEY table max (%d)",
+                       index, pkey_tbl->max);
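Review bot: In bnxt_qplib_get_sgid() `index` is a signed `int` and only the upper bound is tested, so a negative value is not rejected by `index >= sgid_tbl->max` when the comparison is done in signed arithmetic. The type of `sgid_tbl->max` is not shown in the hunk; unless it is a 32-bit unsigned type, `if (index < 0 || index >= sgid_tbl->max) {` closes the gap. The bnxt_qplib_get_pkey() hunk does not show the declaration of `index`, so the same question applies there only if it is signed. Both function bodies continue outside their hunks.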
diff --git a/queue-4.18/rdma-i40w-hold-read-semaphore-while-looking-after-vma.patch b/queue-4.18/rdma-i40w-hold-read-semaphore-while-looking-after-vma.patch
new file mode 100644 (file)
index 0000000..b53e57e
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Sun, 1 Jul 2018 19:36:24 +0300
+Subject: RDMA/i40w: Hold read semaphore while looking after VMA
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+[ Upstream commit 5d9a2b0e28759e319a623da33940dbb3ce952b7d ]
+
+VMA lookup is supposed to be performed while mmap_sem is held.
+
+Fixes: f26c7c83395b ("i40iw: Add 2MB page support")
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/i40iw/i40iw_verbs.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
+@@ -1409,6 +1409,7 @@ static void i40iw_set_hugetlb_values(u64
+       struct vm_area_struct *vma;
+       struct hstate *h;
++      down_read(&current->mm->mmap_sem);
+       vma = find_vma(current->mm, addr);
+       if (vma && is_vm_hugetlb_page(vma)) {
+               h = hstate_vma(vma);
+@@ -1417,6 +1418,7 @@ static void i40iw_set_hugetlb_values(u64
+                       iwmr->page_msk = huge_page_mask(h);
+               }
+       }
++      up_read(&current->mm->mmap_sem);
+ }
+ /**
diff --git a/queue-4.18/rdma-uverbs-don-t-overwrite-null-pointer-with-zero_size_ptr.patch b/queue-4.18/rdma-uverbs-don-t-overwrite-null-pointer-with-zero_size_ptr.patch
new file mode 100644 (file)
index 0000000..8ae1dfa
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Sun, 24 Jun 2018 11:23:47 +0300
+Subject: RDMA/uverbs: Don't overwrite NULL pointer with ZERO_SIZE_PTR
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+[ Upstream commit a5cc9831af05e658543593abaee45a29d061bac4 ]
+
+Number of specs is provided by user and in valid case can be equal to zero.
+Such argument causes to call to kcalloc() with zero-length request and in
+return the ZERO_SIZE_PTR is assigned. This pointer is different from NULL
+and makes various if (..) checks to success.
+
+Fixes: b6ba4a9aa59f ("IB/uverbs: Add support for flow counters")
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/uverbs_cmd.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -2812,6 +2812,9 @@ static struct ib_uflow_resources *flow_r
+       if (!resources)
+               goto err_res;
++      if (!num_specs)
++              goto out;
++
+       resources->counters =
+               kcalloc(num_specs, sizeof(*resources->counters), GFP_KERNEL);
+@@ -2824,8 +2827,8 @@ static struct ib_uflow_resources *flow_r
+       if (!resources->collection)
+               goto err_collection;
++out:
+       resources->max = num_specs;
+-
+       return resources;
+ err_collection:
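Review bot: The new `out:` path returns `resources` with `counters` and `collection` untouched, so it is correct only if `resources` was zero-allocated; that allocation is above the hunk and not visible here. If it is zeroed, a comment at the early exit would state the contract: `/* no specs: counters/collection stay NULL, not ZERO_SIZE_PTR */`. The commit message says `num_specs` comes from the user, so it is also worth confirming that every consumer of these arrays indexes them only below `resources->max`.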
diff --git a/queue-4.18/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch b/queue-4.18/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch
new file mode 100644 (file)
index 0000000..4906763
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 5 Jun 2018 14:31:39 +0300
+Subject: rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit ae636fb1554833ee5133ca47bf4b2791b6739c52 ]
+
+This is a static checker fix, not something I have tested.  The issue
+is that on the second iteration through the loop, we jump forward by
+le32_to_cpu(auth_req->length) bytes.  The problem is that if the length
+is more than "buflen" then we end up with a negative "buflen".  A
+negative buflen is type promoted to a high positive value and the loop
+continues but it's accessing beyond the end of the buffer.
+
+I believe the "auth_req->length" comes from the firmware and if the
+firmware is malicious or buggy, you're already toasted so the impact of
+this bug is probably not very severe.
+
+Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/rndis_wlan.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/rndis_wlan.c
++++ b/drivers/net/wireless/rndis_wlan.c
+@@ -2928,6 +2928,8 @@ static void rndis_wlan_auth_indication(s
+       while (buflen >= sizeof(*auth_req)) {
+               auth_req = (void *)buf;
++              if (buflen < le32_to_cpu(auth_req->length))
++                      return;
+               type = "unknown";
+               flags = le32_to_cpu(auth_req->flags);
+               pairwise_error = false;
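Review bot: The added guard rejects a record length larger than `buflen` but not one smaller than `sizeof(*auth_req)`. The commit message says the loop advances by `le32_to_cpu(auth_req->length)`, so a device-supplied length of zero would apparently leave `buf` and `buflen` unchanged and the loop would not terminate; the loop tail is outside the hunk, so confirm there. Reading the field once and bounding it on both sides covers both cases: `u32 len = le32_to_cpu(auth_req->length);` followed by `if (len < sizeof(*auth_req) || len > buflen) return;`.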
diff --git a/queue-4.18/s390-dasd-correct-numa_node-in-dasd_alloc_queue.patch b/queue-4.18/s390-dasd-correct-numa_node-in-dasd_alloc_queue.patch
new file mode 100644 (file)
index 0000000..5656fa9
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Sun, 24 Jun 2018 09:21:59 +0200
+Subject: s390/dasd: correct numa_node in dasd_alloc_queue
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+[ Upstream commit b17e3abb0af404cb62ad4ef1a5962f58b06e2b78 ]
+
+The numa_node field of the tag_set struct has to be explicitly
+initialized, otherwise it stays as 0, which is a valid numa node id and
+cause memory allocation failure if node 0 is offline.
+
+Acked-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/dasd.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/s390/block/dasd.c
++++ b/drivers/s390/block/dasd.c
+@@ -3127,6 +3127,7 @@ static int dasd_alloc_queue(struct dasd_
+       block->tag_set.nr_hw_queues = nr_hw_queues;
+       block->tag_set.queue_depth = queue_depth;
+       block->tag_set.flags = BLK_MQ_F_SHOULD_MERGE;
++      block->tag_set.numa_node = NUMA_NO_NODE;
+       rc = blk_mq_alloc_tag_set(&block->tag_set);
+       if (rc)
diff --git a/queue-4.18/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch b/queue-4.18/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch
new file mode 100644 (file)
index 0000000..afdf502
--- /dev/null
@@ -0,0 +1,52 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Sun, 17 Jun 2018 00:30:43 +0200
+Subject: s390/extmem: fix gcc 8 stringop-overflow warning
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+[ Upstream commit 6b2ddf33baec23dace85bd647e3fc4ac070963e8 ]
+
+arch/s390/mm/extmem.c: In function '__segment_load':
+arch/s390/mm/extmem.c:436:2: warning: 'strncat' specified bound 7 equals
+source length [-Wstringop-overflow=]
+  strncat(seg->res_name, " (DCSS)", 7);
+
+What gcc complains about here is the misuse of strncat function, which
+in this case does not limit a number of bytes taken from "src", so it is
+in the end the same as strcat(seg->res_name, " (DCSS)");
+
+Keeping in mind that a res_name is 15 bytes, strncat in this case
+would overflow the buffer and write 0 into alignment byte between the
+fields in the struct. To avoid that increasing res_name size to 16,
+and reusing strlcat.
+
+Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/mm/extmem.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/mm/extmem.c
++++ b/arch/s390/mm/extmem.c
+@@ -80,7 +80,7 @@ struct qin64 {
+ struct dcss_segment {
+       struct list_head list;
+       char dcss_name[8];
+-      char res_name[15];
++      char res_name[16];
+       unsigned long start_addr;
+       unsigned long end;
+       atomic_t ref_count;
+@@ -433,7 +433,7 @@ __segment_load (char *name, int do_nonsh
+       memcpy(&seg->res_name, seg->dcss_name, 8);
+       EBCASC(seg->res_name, 8);
+       seg->res_name[8] = '\0';
+-      strncat(seg->res_name, " (DCSS)", 7);
++      strlcat(seg->res_name, " (DCSS)", sizeof(seg->res_name));
+       seg->res->name = seg->res_name;
+       rc = seg->vm_segtype;
+       if (rc == SEG_TYPE_SC ||
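Review bot: `res_name[16]` is exactly 8 name bytes plus the 7 bytes of `" (DCSS)"` plus the terminator, and nothing in the code ties the array size to that sum, so `strlcat()` would silently truncate if the suffix ever grew. Document it at the field, e.g. `char res_name[16]; /* 8-char name + " (DCSS)" + NUL */`. Separately, the `memcpy(&seg->res_name, ...)` context line passes the address of the array while the lines after it pass `seg->res_name`; it is the same address, but using `seg->res_name` throughout reads more consistently. `__segment_load` continues outside the hunk.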
diff --git a/queue-4.18/s390-mm-correct-allocate_pgste-proc_handler-callback.patch b/queue-4.18/s390-mm-correct-allocate_pgste-proc_handler-callback.patch
new file mode 100644 (file)
index 0000000..c233541
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Sun, 24 Jun 2018 12:17:43 +0200
+Subject: s390/mm: correct allocate_pgste proc_handler callback
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+[ Upstream commit 5bedf8aa03c28cb8dc98bdd32a41b66d8f7d3eaa ]
+
+Since proc_dointvec does not perform value range control,
+proc_dointvec_minmax should be used to limit value range, which is
+clearly intended here, as the internal representation of the value:
+
+unsigned int alloc_pgste:1;
+
+In fact it currently works, since we have
+
+      mm->context.alloc_pgste = page_table_allocate_pgste || ...
+
+... since commit 23fefe119ceb5 ("s390/kvm: avoid global config of vm.alloc_pgste=1")
+
+Before that it was
+
+       mm->context.alloc_pgste = page_table_allocate_pgste;
+
+which was broken. That was introduced with commit 0b46e0a3ec0d7 ("s390/kvm:
+remove delayed reallocation of page tables for KVM").
+
+Fixes: 0b46e0a3ec0d7 ("s390/kvm: remove delayed reallocation of page tables for KVM")
+Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/mm/pgalloc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/mm/pgalloc.c
++++ b/arch/s390/mm/pgalloc.c
+@@ -28,7 +28,7 @@ static struct ctl_table page_table_sysct
+               .data           = &page_table_allocate_pgste,
+               .maxlen         = sizeof(int),
+               .mode           = S_IRUGO | S_IWUSR,
+-              .proc_handler   = proc_dointvec,
++              .proc_handler   = proc_dointvec_minmax,
+               .extra1         = &page_table_allocate_pgste_min,
+               .extra2         = &page_table_allocate_pgste_max,
+       },
diff --git a/queue-4.18/s390-scm_blk-correct-numa_node-in-scm_blk_dev_setup.patch b/queue-4.18/s390-scm_blk-correct-numa_node-in-scm_blk_dev_setup.patch
new file mode 100644 (file)
index 0000000..dd077f4
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Mon, 25 Jun 2018 14:30:42 +0200
+Subject: s390/scm_blk: correct numa_node in scm_blk_dev_setup
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+[ Upstream commit d642d6262f4fcfa5d200ec6e218c17f0c15b3390 ]
+
+The numa_node field of the tag_set struct has to be explicitly
+initialized, otherwise it stays as 0, which is a valid numa node id and
+cause memory allocation failure if node 0 is offline.
+
+Acked-by: Sebastian Ott <sebott@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/scm_blk.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/s390/block/scm_blk.c
++++ b/drivers/s390/block/scm_blk.c
+@@ -455,6 +455,7 @@ int scm_blk_dev_setup(struct scm_blk_dev
+       bdev->tag_set.nr_hw_queues = nr_requests;
+       bdev->tag_set.queue_depth = nr_requests_per_io * nr_requests;
+       bdev->tag_set.flags = BLK_MQ_F_SHOULD_MERGE;
++      bdev->tag_set.numa_node = NUMA_NO_NODE;
+       ret = blk_mq_alloc_tag_set(&bdev->tag_set);
+       if (ret)
diff --git a/queue-4.18/s390-sysinfo-add-missing-ifdef-config_proc_fs.patch b/queue-4.18/s390-sysinfo-add-missing-ifdef-config_proc_fs.patch
new file mode 100644 (file)
index 0000000..68655e7
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Mon, 2 Jul 2018 10:54:02 +0200
+Subject: s390/sysinfo: add missing #ifdef CONFIG_PROC_FS
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+[ Upstream commit 9f35b818a2f90fb6cb291aa0c9f835d4f0974a9a ]
+
+Get rid of this compile warning for !PROC_FS:
+
+  CC      arch/s390/kernel/sysinfo.o
+arch/s390/kernel/sysinfo.c:275:12: warning: 'sysinfo_show' defined but not used [-Wunused-function]
+ static int sysinfo_show(struct seq_file *m, void *v)
+
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/sysinfo.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/s390/kernel/sysinfo.c
++++ b/arch/s390/kernel/sysinfo.c
+@@ -59,6 +59,8 @@ int stsi(void *sysinfo, int fc, int sel1
+ }
+ EXPORT_SYMBOL(stsi);
++#ifdef CONFIG_PROC_FS
++
+ static bool convert_ext_name(unsigned char encoding, char *name, size_t len)
+ {
+       switch (encoding) {
+@@ -301,6 +303,8 @@ static int __init sysinfo_create_proc(vo
+ }
+ device_initcall(sysinfo_create_proc);
++#endif /* CONFIG_PROC_FS */
++
+ /*
+  * Service levels interface.
+  */
diff --git a/queue-4.18/scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch b/queue-4.18/scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch
new file mode 100644 (file)
index 0000000..3837f98
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+Date: Tue, 12 Jun 2018 11:13:00 +0800
+Subject: scsi: bnx2i: add error handling for ioremap_nocache
+
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+
+[ Upstream commit aa154ea885eb0c2407457ce9c1538d78c95456fa ]
+
+When ioremap_nocache fails, the lack of error-handling code may cause
+unexpected results.
+
+This patch adds error-handling code after calling ioremap_nocache.
+
+Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Acked-by: Manish Rangankar <Manish.Rangankar@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/bnx2i/bnx2i_hwi.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/bnx2i/bnx2i_hwi.c
++++ b/drivers/scsi/bnx2i/bnx2i_hwi.c
+@@ -2727,6 +2727,8 @@ int bnx2i_map_ep_dbell_regs(struct bnx2i
+                                             BNX2X_DOORBELL_PCI_BAR);
+               reg_off = (1 << BNX2X_DB_SHIFT) * (cid_num & 0x1FFFF);
+               ep->qp.ctx_base = ioremap_nocache(reg_base + reg_off, 4);
++              if (!ep->qp.ctx_base)
++                      return -ENOMEM;
+               goto arm_cq;
+       }
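Review bot: This branch of `bnx2i_map_ep_dbell_regs()` gains a failure exit that returns `-ENOMEM` directly and skips the `arm_cq` label, so the error only helps if the callers act on it. The callers are outside the hunk; confirm they check the return value and tear the endpoint down, because `ep->qp.ctx_base` is left NULL on this path. A short comment such as `/* doorbell mapping failed: caller must not arm the CQ */` would make the contract explicit.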
diff --git a/queue-4.18/scsi-hisi_sas-fix-the-conflict-between-dev-gone-and-host-reset.patch b/queue-4.18/scsi-hisi_sas-fix-the-conflict-between-dev-gone-and-host-reset.patch
new file mode 100644 (file)
index 0000000..0333443
--- /dev/null
@@ -0,0 +1,87 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Xiaofei Tan <tanxiaofei@huawei.com>
+Date: Thu, 31 May 2018 20:50:44 +0800
+Subject: scsi: hisi_sas: Fix the conflict between dev gone and host reset
+
+From: Xiaofei Tan <tanxiaofei@huawei.com>
+
+[ Upstream commit d2fc401e47529d9ffd2673a5395d56002e31ad98 ]
+
+There is a possible conflict when a device is removed and host reset occurs
+concurrently.
+
+The reason is that then the device is notified as gone, we try to clear the
+ITCT, which is notified via an interrupt. The dev gone function pends on
+this event with a completion, which is completed when the ITCT interrupt
+occurs.
+
+But host reset will disable all interrupts, the wait_for_completion() may
+wait indefinitely.
+
+This patch adds an semaphore to synchronise this two processes. The
+semaphore is taken by the host reset as the basis of synchronising.
+
+Signed-off-by: Xiaofei Tan <tanxiaofei@huawei.com>
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hisi_sas/hisi_sas.h      |    1 +
+ drivers/scsi/hisi_sas/hisi_sas_main.c |    6 ++++++
+ 2 files changed, 7 insertions(+)
+
+--- a/drivers/scsi/hisi_sas/hisi_sas.h
++++ b/drivers/scsi/hisi_sas/hisi_sas.h
+@@ -277,6 +277,7 @@ struct hisi_hba {
+       int n_phy;
+       spinlock_t lock;
++      struct semaphore sem;
+       struct timer_list timer;
+       struct workqueue_struct *wq;
+--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
+@@ -914,7 +914,9 @@ static void hisi_sas_dev_gone(struct dom
+               hisi_sas_dereg_device(hisi_hba, device);
++              down(&hisi_hba->sem);
+               hisi_hba->hw->clear_itct(hisi_hba, sas_dev);
++              up(&hisi_hba->sem);
+               device->lldd_dev = NULL;
+       }
+@@ -1364,6 +1366,7 @@ static int hisi_sas_controller_reset(str
+       if (test_and_set_bit(HISI_SAS_RESET_BIT, &hisi_hba->flags))
+               return -1;
++      down(&hisi_hba->sem);
+       dev_info(dev, "controller resetting...\n");
+       old_state = hisi_hba->hw->get_phys_state(hisi_hba);
+@@ -1378,6 +1381,7 @@ static int hisi_sas_controller_reset(str
+       if (rc) {
+               dev_warn(dev, "controller reset failed (%d)\n", rc);
+               clear_bit(HISI_SAS_REJECT_CMD_BIT, &hisi_hba->flags);
++              up(&hisi_hba->sem);
+               scsi_unblock_requests(shost);
+               goto out;
+       }
+@@ -1388,6 +1392,7 @@ static int hisi_sas_controller_reset(str
+       hisi_hba->hw->phys_init(hisi_hba);
+       msleep(1000);
+       hisi_sas_refresh_port_id(hisi_hba);
++      up(&hisi_hba->sem);
+       if (hisi_hba->reject_stp_links_msk)
+               hisi_sas_terminate_stp_reject(hisi_hba);
+@@ -2016,6 +2021,7 @@ int hisi_sas_alloc(struct hisi_hba *hisi
+       struct device *dev = hisi_hba->dev;
+       int i, s, max_command_entries = hisi_hba->hw->max_command_entries;
++      sema_init(&hisi_hba->sem, 1);
+       spin_lock_init(&hisi_hba->lock);
+       for (i = 0; i < hisi_hba->n_phy; i++) {
+               hisi_sas_phy_init(hisi_hba, i);
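Review bot: `hisi_hba->sem` is initialised with a count of 1 and used purely for mutual exclusion, but nothing documents what it protects or that `hisi_sas_dev_gone()` now blocks in `down()` for the whole reset, including the `msleep(1000)`. Add a field comment such as `struct semaphore sem; /* serialises clear_itct() against controller reset */`. In `hisi_sas_controller_reset()` the `up()` calls are placed by hand on the failure branch and on the success path; the function is only partly visible, so check that no other exit between `down()` and those points leaves the semaphore held. If acquire and release always happen in the same task, a `struct mutex` would give lockdep coverage for exactly that mistake.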
diff --git a/queue-4.18/scsi-ibmvscsi-improve-strings-handling.patch b/queue-4.18/scsi-ibmvscsi-improve-strings-handling.patch
new file mode 100644 (file)
index 0000000..7673be8
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Breno Leitao <leitao@debian.org>
+Date: Tue, 26 Jun 2018 17:35:16 -0300
+Subject: scsi: ibmvscsi: Improve strings handling
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 1262dc09dc9ae7bf4ad00b6a2c5ed6a6936bcd10 ]
+
+Currently an open firmware property is copied into partition_name variable
+without keeping a room for \0.
+
+Later one, this variable (partition_name), which is 97 bytes long, is
+strncpyed into ibmvcsci_host_data->madapter_info->partition_name, which is
+96 bytes long, possibly truncating it 'again' and removing the \0.
+
+This patch simply decreases the partition name to 96 and just copy using
+strlcpy() which guarantees that the string is \0 terminated. I think there
+is no issue if this there is a truncation in this very first copy, i.e,
+when the open firmware property is read and copied into the driver for the
+very first time;
+
+This issue also causes the following warning on GCC 8:
+
+       drivers/scsi/ibmvscsi/ibmvscsi.c:281:2: warning:  strncpy  output may be truncated copying 96 bytes from a string of length 96 [-Wstringop-truncation]
+       ...
+       inlined from  ibmvscsi_probe  at drivers/scsi/ibmvscsi/ibmvscsi.c:2221:7:
+       drivers/scsi/ibmvscsi/ibmvscsi.c:265:3: warning:  strncpy  specified bound 97 equals destination size [-Wstringop-truncation]
+
+CC: Bart Van Assche <bart.vanassche@wdc.com>
+CC: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Acked-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ibmvscsi/ibmvscsi.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ibmvscsi/ibmvscsi.c
++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c
+@@ -93,7 +93,7 @@ static int max_requests = IBMVSCSI_MAX_R
+ static int max_events = IBMVSCSI_MAX_REQUESTS_DEFAULT + 2;
+ static int fast_fail = 1;
+ static int client_reserve = 1;
+-static char partition_name[97] = "UNKNOWN";
++static char partition_name[96] = "UNKNOWN";
+ static unsigned int partition_number = -1;
+ static LIST_HEAD(ibmvscsi_head);
+@@ -262,7 +262,7 @@ static void gather_partition_info(void)
+       ppartition_name = of_get_property(of_root, "ibm,partition-name", NULL);
+       if (ppartition_name)
+-              strncpy(partition_name, ppartition_name,
++              strlcpy(partition_name, ppartition_name,
+                               sizeof(partition_name));
+       p_number_ptr = of_get_property(of_root, "ibm,partition-no", NULL);
+       if (p_number_ptr)
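Review bot: `strlcpy()` bounds the write but still runs to the end of the source string to compute its return value, and the property length is discarded here (`of_get_property(..., NULL)`), so the copy relies on the firmware property being NUL-terminated. `strscpy(partition_name, ppartition_name, sizeof(partition_name));` stops reading at the destination size and reports truncation through its return value. The literal 96 is meant to match `madapter_info->partition_name` according to the commit message; sizing the array from that field, or a comment saying so, would keep the two from drifting apart. `gather_partition_info()` continues outside the hunk.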
diff --git a/queue-4.18/scsi-klist-make-it-safe-to-use-klists-in-atomic-context.patch b/queue-4.18/scsi-klist-make-it-safe-to-use-klists-in-atomic-context.patch
new file mode 100644 (file)
index 0000000..6fc56cf
--- /dev/null
@@ -0,0 +1,102 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Fri, 22 Jun 2018 14:54:49 -0700
+Subject: scsi: klist: Make it safe to use klists in atomic context
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+[ Upstream commit 624fa7790f80575a4ec28fbdb2034097dc18d051 ]
+
+In the scsi_transport_srp implementation it cannot be avoided to
+iterate over a klist from atomic context when using the legacy block
+layer instead of blk-mq. Hence this patch that makes it safe to use
+klists in atomic context. This patch avoids that lockdep reports the
+following:
+
+WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
+ Possible interrupt unsafe locking scenario:
+
+       CPU0                    CPU1
+       ----                    ----
+  lock(&(&k->k_lock)->rlock);
+                               local_irq_disable();
+                               lock(&(&q->__queue_lock)->rlock);
+                               lock(&(&k->k_lock)->rlock);
+  <Interrupt>
+    lock(&(&q->__queue_lock)->rlock);
+
+stack backtrace:
+Workqueue: kblockd blk_timeout_work
+Call Trace:
+ dump_stack+0xa4/0xf5
+ check_usage+0x6e6/0x700
+ __lock_acquire+0x185d/0x1b50
+ lock_acquire+0xd2/0x260
+ _raw_spin_lock+0x32/0x50
+ klist_next+0x47/0x190
+ device_for_each_child+0x8e/0x100
+ srp_timed_out+0xaf/0x1d0 [scsi_transport_srp]
+ scsi_times_out+0xd4/0x410 [scsi_mod]
+ blk_rq_timed_out+0x36/0x70
+ blk_timeout_work+0x1b5/0x220
+ process_one_work+0x4fe/0xad0
+ worker_thread+0x63/0x5a0
+ kthread+0x1c1/0x1e0
+ ret_from_fork+0x24/0x30
+
+See also commit c9ddf73476ff ("scsi: scsi_transport_srp: Fix shost to
+rport translation").
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: James Bottomley <jejb@linux.vnet.ibm.com>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/klist.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/lib/klist.c
++++ b/lib/klist.c
+@@ -336,8 +336,9 @@ struct klist_node *klist_prev(struct kli
+       void (*put)(struct klist_node *) = i->i_klist->put;
+       struct klist_node *last = i->i_cur;
+       struct klist_node *prev;
++      unsigned long flags;
+-      spin_lock(&i->i_klist->k_lock);
++      spin_lock_irqsave(&i->i_klist->k_lock, flags);
+       if (last) {
+               prev = to_klist_node(last->n_node.prev);
+@@ -356,7 +357,7 @@ struct klist_node *klist_prev(struct kli
+               prev = to_klist_node(prev->n_node.prev);
+       }
+-      spin_unlock(&i->i_klist->k_lock);
++      spin_unlock_irqrestore(&i->i_klist->k_lock, flags);
+       if (put && last)
+               put(last);
+@@ -377,8 +378,9 @@ struct klist_node *klist_next(struct kli
+       void (*put)(struct klist_node *) = i->i_klist->put;
+       struct klist_node *last = i->i_cur;
+       struct klist_node *next;
++      unsigned long flags;
+-      spin_lock(&i->i_klist->k_lock);
++      spin_lock_irqsave(&i->i_klist->k_lock, flags);
+       if (last) {
+               next = to_klist_node(last->n_node.next);
+@@ -397,7 +399,7 @@ struct klist_node *klist_next(struct kli
+               next = to_klist_node(next->n_node.next);
+       }
+-      spin_unlock(&i->i_klist->k_lock);
++      spin_unlock_irqrestore(&i->i_klist->k_lock, flags);
+       if (put && last)
+               put(last);
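Review bot: Only `klist_prev()` and `klist_next()` switch to `spin_lock_irqsave()`, while the lockdep scenario quoted in the commit message applies to any holder of `k_lock` that runs with interrupts enabled, so the other `k_lock` acquisitions in `lib/klist.c` (not shown here) should be checked for the same change. The `put(last)` call after the unlock also runs in the caller's context, which means the callback must not sleep when the iterator is used from atomic context. The kernel-doc of both iterators should say so, e.g. `* Safe to call from atomic context; the klist's put() callback must then not sleep.` Both function bodies are only partly visible in these hunks.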
diff --git a/queue-4.18/scsi-megaraid_sas-update-controller-info-during-resume.patch b/queue-4.18/scsi-megaraid_sas-update-controller-info-during-resume.patch
new file mode 100644 (file)
index 0000000..87c07bc
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+Date: Mon, 4 Jun 2018 03:45:10 -0700
+Subject: scsi: megaraid_sas: Update controller info during resume
+
+From: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+
+[ Upstream commit c3b10a55abc943a526aaecd7e860b15671beb906 ]
+
+There is a possibility that firmware on the controller was upgraded before
+system was suspended. During resume, driver needs to read updated
+controller properties.
+
+Signed-off-by: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -6789,6 +6789,9 @@ megasas_resume(struct pci_dev *pdev)
+                       goto fail_init_mfi;
+       }
++      if (megasas_get_ctrl_info(instance) != DCMD_SUCCESS)
++              goto fail_init_mfi;
++
+       tasklet_init(&instance->isr_tasklet, instance->instancet->tasklet,
+                    (unsigned long)instance);
diff --git a/queue-4.18/scsi-target-avoid-that-extended-copy-commands-trigger-lock-inversion.patch b/queue-4.18/scsi-target-avoid-that-extended-copy-commands-trigger-lock-inversion.patch
new file mode 100644 (file)
index 0000000..625bec4
--- /dev/null
@@ -0,0 +1,189 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Thu, 28 Jun 2018 13:48:57 -0500
+Subject: scsi: target: Avoid that EXTENDED COPY commands trigger lock inversion
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+[ Upstream commit 36d4cb460bcbe2a1323732a6e4bb9dd783284368 ]
+
+The approach for adding a device to the devices_idr data structure and for
+removing it is as follows:
+
+* &dev->dev_group.cg_item is initialized before a device is added to
+  devices_idr.
+
+* If the reference count of a device drops to zero then
+  target_free_device() removes the device from devices_idr.
+
+* All devices_idr manipulations are protected by device_mutex.
+
+This means that increasing the reference count of a device is sufficient to
+prevent removal from devices_idr and also that it is safe access
+dev_group.cg_item for any device that is referenced by devices_idr. Use
+this to modify target_find_device() and target_for_each_device() such that
+these functions no longer introduce a dependency between device_mutex and
+the configfs root inode mutex.
+
+Note: it is safe to pass a NULL pointer to config_item_put() and also to
+config_item_get_unless_zero().
+
+This patch prevents that lockdep reports the following complaint:
+
+======================================================
+WARNING: possible circular locking dependency detected
+4.12.0-rc1-dbg+ #1 Not tainted
+------------------------------------------------------
+rmdir/12053 is trying to acquire lock:
+ (device_mutex#2){+.+.+.}, at: [<ffffffffa010afce>]
+target_free_device+0xae/0xf0 [target_core_mod]
+
+but task is already holding lock:
+ (&sb->s_type->i_mutex_key#14){++++++}, at: [<ffffffff811c5c30>]
+vfs_rmdir+0x50/0x140
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #1 (&sb->s_type->i_mutex_key#14){++++++}:
+       lock_acquire+0x59/0x80
+       down_write+0x36/0x70
+       configfs_depend_item+0x3a/0xb0 [configfs]
+       target_depend_item+0x13/0x20 [target_core_mod]
+       target_xcopy_locate_se_dev_e4_iter+0x87/0x100 [target_core_mod]
+       target_devices_idr_iter+0x16/0x20 [target_core_mod]
+       idr_for_each+0x39/0xc0
+       target_for_each_device+0x36/0x50 [target_core_mod]
+       target_xcopy_locate_se_dev_e4+0x28/0x80 [target_core_mod]
+       target_xcopy_do_work+0x2e9/0xdd0 [target_core_mod]
+       process_one_work+0x1ca/0x3f0
+       worker_thread+0x49/0x3b0
+       kthread+0x109/0x140
+       ret_from_fork+0x31/0x40
+
+-> #0 (device_mutex#2){+.+.+.}:
+       __lock_acquire+0x101f/0x11d0
+       lock_acquire+0x59/0x80
+       __mutex_lock+0x7e/0x950
+       mutex_lock_nested+0x16/0x20
+       target_free_device+0xae/0xf0 [target_core_mod]
+       target_core_dev_release+0x10/0x20 [target_core_mod]
+       config_item_put+0x6e/0xb0 [configfs]
+       configfs_rmdir+0x1a6/0x300 [configfs]
+       vfs_rmdir+0xb7/0x140
+       do_rmdir+0x1f4/0x200
+       SyS_rmdir+0x11/0x20
+       entry_SYSCALL_64_fastpath+0x23/0xc2
+
+other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+       CPU0                    CPU1
+       ----                    ----
+  lock(&sb->s_type->i_mutex_key#14);
+                               lock(device_mutex#2);
+                               lock(&sb->s_type->i_mutex_key#14);
+  lock(device_mutex#2);
+
+ *** DEADLOCK ***
+
+3 locks held by rmdir/12053:
+ #0:  (sb_writers#10){.+.+.+}, at: [<ffffffff811e223f>]
+mnt_want_write+0x1f/0x50
+ #1:  (&sb->s_type->i_mutex_key#14/1){+.+.+.}, at: [<ffffffff811cb97e>]
+do_rmdir+0x15e/0x200
+ #2:  (&sb->s_type->i_mutex_key#14){++++++}, at: [<ffffffff811c5c30>]
+vfs_rmdir+0x50/0x140
+
+stack backtrace:
+CPU: 3 PID: 12053 Comm: rmdir Not tainted 4.12.0-rc1-dbg+ #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.0.0-prebuilt.qemu-project.org 04/01/2014
+Call Trace:
+ dump_stack+0x86/0xcf
+ print_circular_bug+0x1c7/0x220
+ __lock_acquire+0x101f/0x11d0
+ lock_acquire+0x59/0x80
+ __mutex_lock+0x7e/0x950
+ mutex_lock_nested+0x16/0x20
+ target_free_device+0xae/0xf0 [target_core_mod]
+ target_core_dev_release+0x10/0x20 [target_core_mod]
+ config_item_put+0x6e/0xb0 [configfs]
+ configfs_rmdir+0x1a6/0x300 [configfs]
+ vfs_rmdir+0xb7/0x140
+ do_rmdir+0x1f4/0x200
+ SyS_rmdir+0x11/0x20
+ entry_SYSCALL_64_fastpath+0x23/0xc2
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+[Rebased to handle conflict withe target_find_device removal]
+Signed-off-by: Mike Christie <mchristi@redhat.com>
+
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_device.c |   22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -904,14 +904,20 @@ struct se_device *target_find_device(int
+ EXPORT_SYMBOL(target_find_device);
+ struct devices_idr_iter {
++      struct config_item *prev_item;
+       int (*fn)(struct se_device *dev, void *data);
+       void *data;
+ };
+ static int target_devices_idr_iter(int id, void *p, void *data)
++       __must_hold(&device_mutex)
+ {
+       struct devices_idr_iter *iter = data;
+       struct se_device *dev = p;
++      int ret;
++
++      config_item_put(iter->prev_item);
++      iter->prev_item = NULL;
+       /*
+        * We add the device early to the idr, so it can be used
+@@ -922,7 +928,15 @@ static int target_devices_idr_iter(int i
+       if (!(dev->dev_flags & DF_CONFIGURED))
+               return 0;
+-      return iter->fn(dev, iter->data);
++      iter->prev_item = config_item_get_unless_zero(&dev->dev_group.cg_item);
++      if (!iter->prev_item)
++              return 0;
++      mutex_unlock(&device_mutex);
++
++      ret = iter->fn(dev, iter->data);
++
++      mutex_lock(&device_mutex);
++      return ret;
+ }
+ /**
+@@ -936,15 +950,13 @@ static int target_devices_idr_iter(int i
+ int target_for_each_device(int (*fn)(struct se_device *dev, void *data),
+                          void *data)
+ {
+-      struct devices_idr_iter iter;
++      struct devices_idr_iter iter = { .fn = fn, .data = data };
+       int ret;
+-      iter.fn = fn;
+-      iter.data = data;
+-
+       mutex_lock(&device_mutex);
+       ret = idr_for_each(&devices_idr, target_devices_idr_iter, &iter);
+       mutex_unlock(&device_mutex);
++      config_item_put(iter.prev_item);
+       return ret;
+ }
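Review bot: `target_devices_idr_iter()` drops `device_mutex` around `iter->fn()` while `idr_for_each()` is still walking `devices_idr`, so entries can be added or removed between callbacks. The reference taken with `config_item_get_unless_zero()` pins the current device, but the hunk does not show what keeps the idr's own iteration state valid while the mutex is released; that reasoning belongs in a comment above the `mutex_unlock()`. `prev_item` also needs a field comment, e.g. `/* item pinned by the previous callback; dropped on the next call or by target_for_each_device() */`. Callbacks passed as `fn` now run without `device_mutex` held, a contract change worth stating in the kernel-doc of `target_for_each_device()`, whose comment block starts outside the hunk.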
diff --git a/queue-4.18/scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch b/queue-4.18/scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch
new file mode 100644 (file)
index 0000000..3815ee1
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Fri, 22 Jun 2018 14:53:01 -0700
+Subject: scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+[ Upstream commit 35bea5c84fd13c643cce63f0b5cd4b148f8c901d ]
+
+Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Reviewed-by: Mike Christie <mchristi@redhat.com>
+Cc: Mike Christie <mchristi@redhat.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/iscsi/iscsi_target_tpg.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_tpg.c
++++ b/drivers/target/iscsi/iscsi_target_tpg.c
+@@ -636,8 +636,7 @@ int iscsit_ta_authentication(struct iscs
+               none = strstr(buf1, NONE);
+               if (none)
+                       goto out;
+-              strncat(buf1, ",", strlen(","));
+-              strncat(buf1, NONE, strlen(NONE));
++              strlcat(buf1, "," NONE, sizeof(buf1));
+               if (iscsi_update_param_value(param, buf1) < 0)
+                       return -EINVAL;
+       }
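Review bot: The return value of `strlcat()` on the added line is ignored, so if `"," NONE` does not fit, buf1 is silently truncated and the truncated authentication list is handed to iscsi_update_param_value(). Rejecting truncation keeps a partial method name from being stored: `if (strlcat(buf1, "," NONE, sizeof(buf1)) >= sizeof(buf1)) return -EINVAL;`. This assumes buf1 is a local array, as `sizeof(buf1)` implies; its declaration and the rest of iscsit_ta_authentication() are outside the hunk. The patch description has no body; one sentence noting that the old `strncat()` calls were bounded by the length of the source string rather than by the space left in the destination would help anyone auditing the backport.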
diff --git a/queue-4.18/selftests-forwarding-tweak-tc-filters-for-mirror-to-gretap-tests.patch b/queue-4.18/selftests-forwarding-tweak-tc-filters-for-mirror-to-gretap-tests.patch
new file mode 100644 (file)
index 0000000..7f1872d
--- /dev/null
@@ -0,0 +1,78 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Petr Machata <petrm@mellanox.com>
+Date: Thu, 28 Jun 2018 18:56:33 +0200
+Subject: selftests: forwarding: Tweak tc filters for mirror-to-gretap tests
+
+From: Petr Machata <petrm@mellanox.com>
+
+[ Upstream commit ec9fdc99f5a6a2cfe4061e807fcb0cc1129f0a2d ]
+
+When running mirror_gre_bridge_1d_vlan tests on veth, several issues
+cause spurious failures:
+
+- vlan_ethtype should be ip, not ipv6 even in mirror-to-ip6gretap case,
+  because the overlay packet is still IPv4.
+- Similarly ip_proto matches the innermost IP protocol, so can't be used
+  to filter out GRE packet. Drop the corresponding condition.
+- Because the above fixes the filters to match in slow path as well,
+  they need to be made skip_hw so as not to double-count packets.
+
+Signed-off-by: Petr Machata <petrm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/forwarding/mirror_gre_bridge_1d_vlan.sh |    6 ++++--
+ tools/testing/selftests/net/forwarding/mirror_gre_lib.sh            |    2 +-
+ tools/testing/selftests/net/forwarding/mirror_gre_vlan_bridge_1q.sh |    6 ++++--
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+--- a/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1d_vlan.sh
++++ b/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1d_vlan.sh
+@@ -74,12 +74,14 @@ test_vlan_match()
+ test_gretap()
+ {
+-      test_vlan_match gt4 'vlan_id 555 vlan_ethtype ip' "mirror to gretap"
++      test_vlan_match gt4 'skip_hw vlan_id 555 vlan_ethtype ip' \
++                      "mirror to gretap"
+ }
+ test_ip6gretap()
+ {
+-      test_vlan_match gt6 'vlan_id 555 vlan_ethtype ipv6' "mirror to ip6gretap"
++      test_vlan_match gt6 'skip_hw vlan_id 555 vlan_ethtype ip' \
++                      "mirror to ip6gretap"
+ }
+ test_gretap_stp()
+--- a/tools/testing/selftests/net/forwarding/mirror_gre_lib.sh
++++ b/tools/testing/selftests/net/forwarding/mirror_gre_lib.sh
+@@ -62,7 +62,7 @@ full_test_span_gre_dir_vlan_ips()
+                         "$backward_type" "$ip1" "$ip2"
+       tc filter add dev $h3 ingress pref 77 prot 802.1q \
+-              flower $vlan_match ip_proto 0x2f \
++              flower $vlan_match \
+               action pass
+       mirror_test v$h1 $ip1 $ip2 $h3 77 10
+       tc filter del dev $h3 ingress pref 77
+--- a/tools/testing/selftests/net/forwarding/mirror_gre_vlan_bridge_1q.sh
++++ b/tools/testing/selftests/net/forwarding/mirror_gre_vlan_bridge_1q.sh
+@@ -79,12 +79,14 @@ test_vlan_match()
+ test_gretap()
+ {
+-      test_vlan_match gt4 'vlan_id 555 vlan_ethtype ip' "mirror to gretap"
++      test_vlan_match gt4 'skip_hw vlan_id 555 vlan_ethtype ip' \
++                      "mirror to gretap"
+ }
+ test_ip6gretap()
+ {
+-      test_vlan_match gt6 'vlan_id 555 vlan_ethtype ipv6' "mirror to ip6gretap"
++      test_vlan_match gt6 'skip_hw vlan_id 555 vlan_ethtype ip' \
++                      "mirror to ip6gretap"
+ }
+ test_span_gre_forbidden_cpu()
diff --git a/queue-4.18/serial-pxa-fix-an-error-handling-path-in-serial_pxa_probe.patch b/queue-4.18/serial-pxa-fix-an-error-handling-path-in-serial_pxa_probe.patch
new file mode 100644 (file)
index 0000000..fb9c47a
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Mon, 11 Jun 2018 19:30:35 +0200
+Subject: serial: pxa: Fix an error handling path in 'serial_pxa_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 95a0e656580fab3128c7bee5f660c50784f53651 ]
+
+If port.line is out of range, we still need to release some resources, or
+we will leak them.
+
+Fixes: afc7851fab83 ("serial: pxa: Fix out-of-bounds access through serial port index")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/pxa.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/pxa.c
++++ b/drivers/tty/serial/pxa.c
+@@ -887,7 +887,8 @@ static int serial_pxa_probe(struct platf
+               goto err_clk;
+       if (sport->port.line >= ARRAY_SIZE(serial_pxa_ports)) {
+               dev_err(&dev->dev, "serial%d out of range\n", sport->port.line);
+-              return -EINVAL;
++              ret = -EINVAL;
++              goto err_clk;
+       }
+       snprintf(sport->name, PXA_NAME_LEN - 1, "UART%d", sport->port.line + 1);
diff --git a/queue-4.18/serial-sh-sci-stop-rx-fifo-timer-during-port-shutdown.patch b/queue-4.18/serial-sh-sci-stop-rx-fifo-timer-during-port-shutdown.patch
new file mode 100644 (file)
index 0000000..9f516de
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 6 Jul 2018 11:08:36 +0200
+Subject: serial: sh-sci: Stop RX FIFO timer during port shutdown
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit c5a9262fa8bfed0dddc7466ef10fcd292e2af61b ]
+
+The RX FIFO timer may be armed when the port is shut down, hence the
+timer function may still be called afterwards.
+
+Fix this race condition by deleting the timer during port shutdown.
+
+Fixes: 039403765e5da3c6 ("serial: sh-sci: SCIFA/B RX FIFO software timeout")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sh-sci.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -2099,6 +2099,8 @@ static void sci_shutdown(struct uart_por
+       }
+ #endif
++      if (s->rx_trigger > 1 && s->rx_fifo_timeout > 0)
++              del_timer_sync(&s->rx_fifo_timer);
+       sci_free_irq(s);
+       sci_free_dma(port);
+ }
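Review bot: The timer is deleted before `sci_free_irq(s)`, so if the RX interrupt handler can still run and re-arm `rx_fifo_timer` in that window, the timer may fire after shutdown anyway. Whether RX interrupts are already masked earlier in sci_shutdown() cannot be seen here, because the function starts outside the hunk; if they are not, moving the two added lines below `sci_free_irq(s);` closes the window. If the `s->rx_trigger > 1 && s->rx_fifo_timeout > 0` guard is meant to mirror the condition under which the timer is set up, a one-line comment saying so would explain why the delete is conditional.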
diff --git a/queue-4.18/siox-don-t-create-a-thread-without-starting-it.patch b/queue-4.18/siox-don-t-create-a-thread-without-starting-it.patch
new file mode 100644 (file)
index 0000000..967d68c
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>
+Date: Thu, 28 Jun 2018 09:57:42 +0200
+Subject: siox: don't create a thread without starting it
+
+From: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit e890591413819eeb604207ad3261ba617b2ec0bb ]
+
+When a siox master device is registered a kthread is created that is
+only started when triggered by userspace. So this thread might be in
+TASK_UNINTERRUPTIBLE state for long and trigger a warning
+
+       [  241.130465] INFO: task siox-0:626 blocked for more than 120 seconds.
+
+with the respective debug settings enabled. It might be right to put an
+unstarted thread to TASK_IDLE (in kernel/kthread.c:kthread()) instead,
+but independant of this discussion it is cleaner for
+siox_master_register() to start the thread immediately. The effect is
+that it enters its own waiting state and then stays in state TASK_IDLE
+which doesn't trigger the above warning.
+
+As siox_poll_thread() uses some variables of the device the
+initialisation of these is moved before thread creation.
+
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Acked-by: Gavin Schenk <g.schenk@eckelmann.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/siox/siox-core.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/siox/siox-core.c
++++ b/drivers/siox/siox-core.c
+@@ -715,17 +715,17 @@ int siox_master_register(struct siox_mas
+       dev_set_name(&smaster->dev, "siox-%d", smaster->busno);
++      mutex_init(&smaster->lock);
++      INIT_LIST_HEAD(&smaster->devices);
++
+       smaster->last_poll = jiffies;
+-      smaster->poll_thread = kthread_create(siox_poll_thread, smaster,
+-                                            "siox-%d", smaster->busno);
++      smaster->poll_thread = kthread_run(siox_poll_thread, smaster,
++                                         "siox-%d", smaster->busno);
+       if (IS_ERR(smaster->poll_thread)) {
+               smaster->active = 0;
+               return PTR_ERR(smaster->poll_thread);
+       }
+-      mutex_init(&smaster->lock);
+-      INIT_LIST_HEAD(&smaster->devices);
+-
+       ret = device_add(&smaster->dev);
+       if (ret)
+               kthread_stop(smaster->poll_thread);
diff --git a/queue-4.18/spi-orion-fix-cs-gpio-handling-again.patch b/queue-4.18/spi-orion-fix-cs-gpio-handling-again.patch
new file mode 100644 (file)
index 0000000..a76a806
--- /dev/null
@@ -0,0 +1,149 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: "Jan Kundrát" <jan.kundrat@cesnet.cz>
+Date: Mon, 4 Jun 2018 16:34:25 +0200
+Subject: spi: orion: fix CS GPIO handling again
+
+From: "Jan Kundrát" <jan.kundrat@cesnet.cz>
+
+[ Upstream commit fb9acf5f1f21f1de193523ff780bda375b4c2e21 ]
+
+The code did not de-assert any CS GPIOs before probing slaves. This
+means that several CS signals could be active at once, garbling the
+communication. Whether this was actually a problem depended on the type
+of the SPI device attached (so my "spidev" for userspace access worked
+correctly because its probe was effectively a no-op), and on the state
+of the GPIO pins at SoC's boot.
+
+The code was already iterating through all DT children of the SPI
+controller, so this change re-uses that loop for CS GPIO setup as well.
+This means that this might change the number of the HW CS signal which
+is picked for all GPIO CS devices. Previously, the lowest one was used,
+but we now use the first one from the DT.
+
+With this move of the code, we can also finally initialize each GPIO CS
+lane before registering the SPI controller (which in turn probes for
+slaves).
+
+I tried to fix this in 544248623b95 already, but that only did it half
+way by registering the GPIOs properly. That patch failed to set their
+logic signals early enough, though.
+
+Signed-off-by: Jan Kundrát <jan.kundrat@cesnet.cz>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-orion.c |   77 ++++++++++++++++++++++++------------------------
+ 1 file changed, 40 insertions(+), 37 deletions(-)
+
+--- a/drivers/spi/spi-orion.c
++++ b/drivers/spi/spi-orion.c
+@@ -20,6 +20,7 @@
+ #include <linux/of.h>
+ #include <linux/of_address.h>
+ #include <linux/of_device.h>
++#include <linux/of_gpio.h>
+ #include <linux/clk.h>
+ #include <linux/sizes.h>
+ #include <linux/gpio.h>
+@@ -681,9 +682,9 @@ static int orion_spi_probe(struct platfo
+               goto out_rel_axi_clk;
+       }
+-      /* Scan all SPI devices of this controller for direct mapped devices */
+       for_each_available_child_of_node(pdev->dev.of_node, np) {
+               u32 cs;
++              int cs_gpio;
+               /* Get chip-select number from the "reg" property */
+               status = of_property_read_u32(np, "reg", &cs);
+@@ -695,6 +696,44 @@ static int orion_spi_probe(struct platfo
+               }
+               /*
++               * Initialize the CS GPIO:
++               * - properly request the actual GPIO signal
++               * - de-assert the logical signal so that all GPIO CS lines
++               *   are inactive when probing for slaves
++               * - find an unused physical CS which will be driven for any
++               *   slave which uses a CS GPIO
++               */
++              cs_gpio = of_get_named_gpio(pdev->dev.of_node, "cs-gpios", cs);
++              if (cs_gpio > 0) {
++                      char *gpio_name;
++                      int cs_flags;
++
++                      if (spi->unused_hw_gpio == -1) {
++                              dev_info(&pdev->dev,
++                                      "Selected unused HW CS#%d for any GPIO CSes\n",
++                                      cs);
++                              spi->unused_hw_gpio = cs;
++                      }
++
++                      gpio_name = devm_kasprintf(&pdev->dev, GFP_KERNEL,
++                                      "%s-CS%d", dev_name(&pdev->dev), cs);
++                      if (!gpio_name) {
++                              status = -ENOMEM;
++                              goto out_rel_axi_clk;
++                      }
++
++                      cs_flags = of_property_read_bool(np, "spi-cs-high") ?
++                              GPIOF_OUT_INIT_LOW : GPIOF_OUT_INIT_HIGH;
++                      status = devm_gpio_request_one(&pdev->dev, cs_gpio,
++                                      cs_flags, gpio_name);
++                      if (status) {
++                              dev_err(&pdev->dev,
++                                      "Can't request GPIO for CS %d\n", cs);
++                              goto out_rel_axi_clk;
++                      }
++              }
++
++              /*
+                * Check if an address is configured for this SPI device. If
+                * not, the MBus mapping via the 'ranges' property in the 'soc'
+                * node is not configured and this device should not use the
+@@ -740,44 +779,8 @@ static int orion_spi_probe(struct platfo
+       if (status < 0)
+               goto out_rel_pm;
+-      if (master->cs_gpios) {
+-              int i;
+-              for (i = 0; i < master->num_chipselect; ++i) {
+-                      char *gpio_name;
+-
+-                      if (!gpio_is_valid(master->cs_gpios[i])) {
+-                              continue;
+-                      }
+-
+-                      gpio_name = devm_kasprintf(&pdev->dev, GFP_KERNEL,
+-                                      "%s-CS%d", dev_name(&pdev->dev), i);
+-                      if (!gpio_name) {
+-                              status = -ENOMEM;
+-                              goto out_rel_master;
+-                      }
+-
+-                      status = devm_gpio_request(&pdev->dev,
+-                                      master->cs_gpios[i], gpio_name);
+-                      if (status) {
+-                              dev_err(&pdev->dev,
+-                                      "Can't request GPIO for CS %d\n",
+-                                      master->cs_gpios[i]);
+-                              goto out_rel_master;
+-                      }
+-                      if (spi->unused_hw_gpio == -1) {
+-                              dev_info(&pdev->dev,
+-                                      "Selected unused HW CS#%d for any GPIO CSes\n",
+-                                      i);
+-                              spi->unused_hw_gpio = i;
+-                      }
+-              }
+-      }
+-
+-
+       return status;
+-out_rel_master:
+-      spi_unregister_master(master);
+ out_rel_pm:
+       pm_runtime_disable(&pdev->dev);
+ out_rel_axi_clk:
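Review bot: `if (cs_gpio > 0)` skips GPIO number 0, which is a valid GPIO, whereas the removed code tested `gpio_is_valid(master->cs_gpios[i])`; a chip select wired to GPIO 0 would be neither requested nor de-asserted before slaves are probed. I would write `if (gpio_is_valid(cs_gpio)) {`, and consider propagating `-EPROBE_DEFER` from of_get_named_gpio() instead of treating it as "no GPIO". The two new `goto out_rel_axi_clk` exits also leave the for_each_available_child_of_node() loop without `of_node_put(np);`, which leaks the reference on the child node. orion_spi_probe() starts and ends outside these hunks, so what the cleanup labels release could not be checked.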
diff --git a/queue-4.18/staging-android-ashmem-fix-mmap-size-validation.patch b/queue-4.18/staging-android-ashmem-fix-mmap-size-validation.patch
new file mode 100644 (file)
index 0000000..e760166
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Alistair Strachan <astrachan@google.com>
+Date: Tue, 19 Jun 2018 17:57:35 -0700
+Subject: staging: android: ashmem: Fix mmap size validation
+
+From: Alistair Strachan <astrachan@google.com>
+
+[ Upstream commit 8632c614565d0c5fdde527889601c018e97b6384 ]
+
+The ashmem driver did not check that the size/offset of the vma passed
+to its .mmap() function was not larger than the ashmem object being
+mapped. This could cause mmap() to succeed, even though accessing parts
+of the mapping would later fail with a segmentation fault.
+
+Ensure an error is returned by the ashmem_mmap() function if the vma
+size is larger than the ashmem object size. This enables safer handling
+of the problem in userspace.
+
+Cc: Todd Kjos <tkjos@android.com>
+Cc: devel@driverdev.osuosl.org
+Cc: linux-kernel@vger.kernel.org
+Cc: kernel-team@android.com
+Cc: Joel Fernandes <joel@joelfernandes.org>
+Signed-off-by: Alistair Strachan <astrachan@google.com>
+Acked-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Reviewed-by: Martijn Coenen <maco@android.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/android/ashmem.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -366,6 +366,12 @@ static int ashmem_mmap(struct file *file
+               goto out;
+       }
++      /* requested mapping size larger than object size */
++      if (vma->vm_end - vma->vm_start > PAGE_ALIGN(asma->size)) {
++              ret = -EINVAL;
++              goto out;
++      }
++
+       /* requested protection bits must match our allowed protection mask */
+       if (unlikely((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask, 0)) &
+                    calc_vm_prot_bits(PROT_MASK, 0))) {
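Review bot: The added check compares only the VMA length with `PAGE_ALIGN(asma->size)` and ignores `vma->vm_pgoff`, although the description speaks of size/offset; a mapping that starts at a non-zero page offset can still extend past the end of the object. Unless the offset is rejected elsewhere in ashmem_mmap() (the function starts and ends outside the hunk), the bound could include it, for example `if (vma_pages(vma) + vma->vm_pgoff > PAGE_ALIGN(asma->size) >> PAGE_SHIFT) {`. For consistency with the protection-mask check directly below, the condition could also be wrapped in `unlikely()`.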
diff --git a/queue-4.18/staging-mt7621-dts-fix-remaining-pcie-warnings.patch b/queue-4.18/staging-mt7621-dts-fix-remaining-pcie-warnings.patch
new file mode 100644 (file)
index 0000000..b701136
--- /dev/null
@@ -0,0 +1,93 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Rosen Penev <rosenp@gmail.com>
+Date: Sat, 16 Jun 2018 19:17:50 -0700
+Subject: staging: mt7621-dts: Fix remaining pcie warnings
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit d0233204fbc10f003d1ef077f57341c2feca4002 ]
+
+This currently fixes the remaining dtb warnings:
+
+Node /pcie@1e140000/pcie0 has a reg or ranges property, but no unit name
+Node /pcie@1e140000/pcie1 has a reg or ranges property, but no unit name
+Node /pcie@1e140000/pcie2 has a reg or ranges property, but no unit name
+Node /pcie@1e140000/pcie0 node name is not "pci" or "pcie"
+Node /pcie@1e140000/pcie0 missing ranges for PCI bridge (or not a bridge)
+Node /pcie@1e140000/pcie0 missing bus-range for PCI bridge
+Node /pcie@1e140000/pcie1 node name is not "pci" or "pcie"
+Node /pcie@1e140000/pcie1 missing ranges for PCI bridge (or not a bridge)
+Node /pcie@1e140000/pcie1 missing bus-range for PCI bridge
+Node /pcie@1e140000/pcie2 node name is not "pci" or "pcie"
+Node /pcie@1e140000/pcie2 missing ranges for PCI bridge (or not a bridge)
+Node /pcie@1e140000/pcie2 missing bus-range for PCI bridge
+Warning (unit_address_format): Failed prerequisite 'pci_bridge'
+Warning (pci_device_reg): Failed prerequisite 'pci_bridge'
+Warning (pci_device_bus_num): Failed prerequisite 'pci_bridge'
+
+device_type was removed since according to documentation, it's deprecated
+for pci(e) devices.
+
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/mt7621-dts/gbpc1.dts   |    2 ++
+ drivers/staging/mt7621-dts/mt7621.dtsi |   21 +++++++++------------
+ 2 files changed, 11 insertions(+), 12 deletions(-)
+
+--- a/drivers/staging/mt7621-dts/gbpc1.dts
++++ b/drivers/staging/mt7621-dts/gbpc1.dts
+@@ -113,6 +113,8 @@
+ };
+ &pcie {
++      pinctrl-names = "default";
++      pinctrl-0 = <&pcie_pins>;
+       status = "okay";
+ };
+--- a/drivers/staging/mt7621-dts/mt7621.dtsi
++++ b/drivers/staging/mt7621-dts/mt7621.dtsi
+@@ -447,31 +447,28 @@
+               clocks = <&clkctrl 24 &clkctrl 25 &clkctrl 26>;
+               clock-names = "pcie0", "pcie1", "pcie2";
+-              pcie0 {
++              pcie@0,0 {
+                       reg = <0x0000 0 0 0 0>;
+-
+                       #address-cells = <3>;
+                       #size-cells = <2>;
+-
+-                      device_type = "pci";
++                      ranges;
++                      bus-range = <0x00 0xff>;
+               };
+-              pcie1 {
++              pcie@1,0 {
+                       reg = <0x0800 0 0 0 0>;
+-
+                       #address-cells = <3>;
+                       #size-cells = <2>;
+-
+-                      device_type = "pci";
++                      ranges;
++                      bus-range = <0x00 0xff>;
+               };
+-              pcie2 {
++              pcie@2,0 {
+                       reg = <0x1000 0 0 0 0>;
+-
+                       #address-cells = <3>;
+                       #size-cells = <2>;
+-
+-                      device_type = "pci";
++                      ranges;
++                      bus-range = <0x00 0xff>;
+               };
+       };
+ };
diff --git a/queue-4.18/staging-mt7621-eth-fix-memory-leak-in-mtk_add_mac-error-path.patch b/queue-4.18/staging-mt7621-eth-fix-memory-leak-in-mtk_add_mac-error-path.patch
new file mode 100644 (file)
index 0000000..ec3d014
--- /dev/null
@@ -0,0 +1,57 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Kamal Heib <kamalheib1@gmail.com>
+Date: Tue, 19 Jun 2018 20:04:08 +0300
+Subject: staging: mt7621-eth: Fix memory leak in mtk_add_mac() error path
+
+From: Kamal Heib <kamalheib1@gmail.com>
+
+[ Upstream commit 85e1d42663a0c163002961d2685be952067b0dc2 ]
+
+Fix memory leak in error path of mtk_add_mac() by make sure to free
+the allocated netdev.
+
+Fixes: e3cbf478f846 ('staging: mt7621-eth: add the drivers core files')
+Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/mt7621-eth/mtk_eth_soc.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/mt7621-eth/mtk_eth_soc.c
++++ b/drivers/staging/mt7621-eth/mtk_eth_soc.c
+@@ -2012,8 +2012,10 @@ static int mtk_add_mac(struct mtk_eth *e
+               mac->hw_stats = devm_kzalloc(eth->dev,
+                                            sizeof(*mac->hw_stats),
+                                            GFP_KERNEL);
+-              if (!mac->hw_stats)
+-                      return -ENOMEM;
++              if (!mac->hw_stats) {
++                      err = -ENOMEM;
++                      goto free_netdev;
++              }
+               spin_lock_init(&mac->hw_stats->stats_lock);
+               mac->hw_stats->reg_offset = id * MTK_STAT_OFFSET;
+       }
+@@ -2037,7 +2039,8 @@ static int mtk_add_mac(struct mtk_eth *e
+       err = register_netdev(eth->netdev[id]);
+       if (err) {
+               dev_err(eth->dev, "error bringing up device\n");
+-              return err;
++              err = -ENOMEM;
++              goto free_netdev;
+       }
+       eth->netdev[id]->irq = eth->irq;
+       netif_info(eth, probe, eth->netdev[id],
+@@ -2045,6 +2048,10 @@ static int mtk_add_mac(struct mtk_eth *e
+                  eth->netdev[id]->base_addr, eth->netdev[id]->irq);
+       return 0;
++
++free_netdev:
++      free_netdev(eth->netdev[id]);
++      return err;
+ }
+ static int mtk_probe(struct platform_device *pdev)
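Review bot: In the register_netdev() failure branch, the added `err = -ENOMEM;` overwrites the error code that register_netdev() just returned, so callers see an out-of-memory error whatever the real cause was. Dropping that line and keeping only `goto free_netdev;` preserves the original code. After `free_netdev(eth->netdev[id]);` the array slot still holds the freed pointer; if a later cleanup path walks `eth->netdev[]` (not visible here), adding `eth->netdev[id] = NULL;` at the label avoids a dangling pointer and a possible second free. mtk_add_mac() starts outside the hunk.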
diff --git a/queue-4.18/staging-pi433-fix-race-condition-in-pi433_ioctl.patch b/queue-4.18/staging-pi433-fix-race-condition-in-pi433_ioctl.patch
new file mode 100644 (file)
index 0000000..f86d2df
--- /dev/null
@@ -0,0 +1,61 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Hugo Lefeuvre <hle@owl.eu.com>
+Date: Wed, 13 Jun 2018 21:04:38 -0400
+Subject: staging: pi433: fix race condition in pi433_ioctl
+
+From: Hugo Lefeuvre <hle@owl.eu.com>
+
+[ Upstream commit 6de4ef65a8c6f53ce7eef06666410bc3b6e4b624 ]
+
+In the PI433_IOC_WR_TX_CFG case in pi433_ioctl, instance->tx_cfg is
+modified via
+
+copy_from_user(&instance->tx_cfg, argp, sizeof(struct pi433_tx_cfg)))
+
+without any kind of synchronization. In the case where two threads
+would execute this same command concurrently the tx_cfg field might
+enter in an inconsistent state.
+
+Additionally: if ioctl(PI433_IOC_WR_TX_CFG) and write() execute
+concurrently the tx config might be modified while it is being
+copied to the fifo, resulting in potential data corruption.
+
+Fix: Get instance->tx_cfg_lock before modifying tx config in the
+PI433_IOC_WR_TX_CFG case in pi433_ioctl.
+
+Also, do not copy data directly from user space to instance->tx_cfg.
+Instead use a temporary buffer allowing future checks for correctness
+of copied data and simpler code.
+
+Signed-off-by: Hugo Lefeuvre <hle@owl.eu.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/pi433/pi433_if.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/pi433/pi433_if.c
++++ b/drivers/staging/pi433/pi433_if.c
+@@ -880,6 +880,7 @@ pi433_ioctl(struct file *filp, unsigned
+       int                     retval = 0;
+       struct pi433_instance   *instance;
+       struct pi433_device     *device;
++      struct pi433_tx_cfg     tx_cfg;
+       void __user *argp = (void __user *)arg;
+       /* Check type and command number */
+@@ -902,9 +903,11 @@ pi433_ioctl(struct file *filp, unsigned
+                       return -EFAULT;
+               break;
+       case PI433_IOC_WR_TX_CFG:
+-              if (copy_from_user(&instance->tx_cfg, argp,
+-                                 sizeof(struct pi433_tx_cfg)))
++              if (copy_from_user(&tx_cfg, argp, sizeof(struct pi433_tx_cfg)))
+                       return -EFAULT;
++              mutex_lock(&device->tx_fifo_lock);
++              memcpy(&instance->tx_cfg, &tx_cfg, sizeof(struct pi433_tx_cfg));
++              mutex_unlock(&device->tx_fifo_lock);
+               break;
+       case PI433_IOC_RD_RX_CFG:
+               if (copy_to_user(argp, &device->rx_cfg,
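Review bot: The description says the fix takes `instance->tx_cfg_lock`, but the code takes `device->tx_fifo_lock` around the `memcpy()`; one of the two should be corrected so that the locking rule for `instance->tx_cfg` is unambiguous. A comment on the case, such as `/* tx_cfg is consumed under tx_fifo_lock by write(); update it under the same lock */`, would record the intent, assuming the write path does hold that lock, which is outside the hunk. If the preceding case, of which only the tail is visible, copies `instance->tx_cfg` out to user space, it needs the same lock to avoid returning a half-updated structure. The plain assignment `instance->tx_cfg = tx_cfg;` would be simpler than `memcpy()` here.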
diff --git a/queue-4.18/staging-rts5208-fix-missing-error-check-on-call-to-rtsx_write_register.patch b/queue-4.18/staging-rts5208-fix-missing-error-check-on-call-to-rtsx_write_register.patch
new file mode 100644 (file)
index 0000000..acfc4e8
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 2 Jul 2018 14:27:35 +0100
+Subject: staging: rts5208: fix missing error check on call to rtsx_write_register
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit c5fae4f4fd28189b1062fb8ef7b21fec37cb8b17 ]
+
+Currently the check on error return from the call to rtsx_write_register
+is checking the error status from the previous call. Fix this by adding
+in the missing assignment of retval.
+
+Detected by CoverityScan, CID#709877
+
+Fixes: fa590c222fba ("staging: rts5208: add support for rts5208 and rts5288")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rts5208/sd.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rts5208/sd.c
++++ b/drivers/staging/rts5208/sd.c
+@@ -4996,7 +4996,7 @@ int sd_execute_write_data(struct scsi_cm
+                       goto sd_execute_write_cmd_failed;
+               }
+-              rtsx_write_register(chip, SD_BYTE_CNT_L, 0xFF, 0x00);
++              retval = rtsx_write_register(chip, SD_BYTE_CNT_L, 0xFF, 0x00);
+               if (retval != STATUS_SUCCESS) {
+                       rtsx_trace(chip);
+                       goto sd_execute_write_cmd_failed;
diff --git a/queue-4.18/thermal-i.mx-allow-thermal-probe-to-fail-gracefully-in-case-of-bad-calibration.patch b/queue-4.18/thermal-i.mx-allow-thermal-probe-to-fail-gracefully-in-case-of-bad-calibration.patch
new file mode 100644 (file)
index 0000000..b68af54
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Jean-Christophe Dubois <jcd@tribudubois.net>
+Date: Sun, 1 Jul 2018 00:10:50 +0200
+Subject: thermal: i.MX: Allow thermal probe to fail gracefully in case of bad calibration.
+
+From: Jean-Christophe Dubois <jcd@tribudubois.net>
+
+[ Upstream commit be926ceeb4efc3bf44cb9b56f5c71aac9b1f8bbe ]
+
+Without this fix, the thermal probe on i.MX6 might trigger a division
+by zero exception later in the probe if the calibration does fail.
+
+Note: This linux behavior (Division by zero in kernel) has been triggered
+on a Qemu i.MX6 emulation where parameters in nvmem were not set. With this
+fix the division by zero is not triggeed anymore as the thermal probe does
+fail early.
+
+Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
+Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/imx_thermal.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/thermal/imx_thermal.c
++++ b/drivers/thermal/imx_thermal.c
+@@ -604,7 +604,10 @@ static int imx_init_from_nvmem_cells(str
+       ret = nvmem_cell_read_u32(&pdev->dev, "calib", &val);
+       if (ret)
+               return ret;
+-      imx_init_calib(pdev, val);
++
++      ret = imx_init_calib(pdev, val);
++      if (ret)
++              return ret;
+       ret = nvmem_cell_read_u32(&pdev->dev, "temp_grade", &val);
+       if (ret)
diff --git a/queue-4.18/tsl2550-fix-lux1_input-error-in-low-light.patch b/queue-4.18/tsl2550-fix-lux1_input-error-in-low-light.patch
new file mode 100644 (file)
index 0000000..7144999
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+Date: Fri, 8 Jun 2018 23:58:15 -0700
+Subject: tsl2550: fix lux1_input error in low light
+
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+
+[ Upstream commit ce054546cc2c26891cefa2f284d90d93b52205de ]
+
+ADC channel 0 photodiode detects both infrared + visible light,
+but ADC channel 1 just detects infrared. However, the latter is a bit
+more sensitive in that range so complete darkness or low light causes
+a error condition in which the chan0 - chan1 is negative that
+results in a -EAGAIN.
+
+This patch changes the resulting lux1_input sysfs attribute message from
+"Resource temporarily unavailable" to a user-grokable lux value of 0.
+
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/tsl2550.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/tsl2550.c
++++ b/drivers/misc/tsl2550.c
+@@ -177,7 +177,7 @@ static int tsl2550_calculate_lux(u8 ch0,
+               } else
+                       lux = 0;
+       else
+-              return -EAGAIN;
++              return 0;
+       /* LUX range check */
+       return lux > TSL2550_MAX_LUX ? TSL2550_MAX_LUX : lux;
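Review bot: The `else` branch that now returns 0 has no comment explaining why a reading that looks inconsistent is reported as darkness rather than as an error. Per the commit description this is the case where the infrared-only channel reads higher than the combined channel, so I would add `/* ch1 > ch0: IR channel over-reads in low light, report 0 lux */` above the `return 0;`. The if/else chain of tsl2550_calculate_lux() that this branch closes starts outside the hunk.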
diff --git a/queue-4.18/usb-serial-kobil_sct-fix-modem-status-error-handling.patch b/queue-4.18/usb-serial-kobil_sct-fix-modem-status-error-handling.patch
new file mode 100644 (file)
index 0000000..0ef392c
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 4 Jul 2018 17:02:18 +0200
+Subject: USB: serial: kobil_sct: fix modem-status error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit a420b5d939ee58f1d950f0ea782834056520aeaa ]
+
+Make sure to return -EIO in case of a short modem-status read request.
+
+While at it, split the debug message to not include the (zeroed)
+transfer-buffer content in case of errors.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/kobil_sct.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/kobil_sct.c
++++ b/drivers/usb/serial/kobil_sct.c
+@@ -393,12 +393,20 @@ static int kobil_tiocmget(struct tty_str
+                         transfer_buffer_length,
+                         KOBIL_TIMEOUT);
+-      dev_dbg(&port->dev, "%s - Send get_status_line_state URB returns: %i. Statusline: %02x\n",
+-              __func__, result, transfer_buffer[0]);
++      dev_dbg(&port->dev, "Send get_status_line_state URB returns: %i\n",
++                      result);
++      if (result < 1) {
++              if (result >= 0)
++                      result = -EIO;
++              goto out_free;
++      }
++
++      dev_dbg(&port->dev, "Statusline: %02x\n", transfer_buffer[0]);
+       result = 0;
+       if ((transfer_buffer[0] & SUSBCR_GSL_DSR) != 0)
+               result = TIOCM_DSR;
++out_free:
+       kfree(transfer_buffer);
+       return result;
+ }
diff --git a/queue-4.18/usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch b/queue-4.18/usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch
new file mode 100644 (file)
index 0000000..9d57630
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+Date: Sun, 1 Jul 2018 19:32:04 +0200
+Subject: usb: wusbcore: security: cast sizeof to int for comparison
+
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+
+[ Upstream commit d3ac5598c5010a8999978ebbcca3b1c6188ca36b ]
+
+Comparing an int to a size, which is unsigned, causes the int to become
+unsigned, giving the wrong result.  usb_get_descriptor can return a
+negative error code.
+
+A simplified version of the semantic match that finds this problem is as
+follows: (http://coccinelle.lip6.fr/)
+
+// <smpl>
+@@
+int x;
+expression e,e1;
+identifier f;
+@@
+
+*x = f(...);
+... when != x = e1
+    when != if (x < 0 || ...) { ... return ...; }
+*x < sizeof(e)
+// </smpl>
+
+Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/wusbcore/security.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/wusbcore/security.c
++++ b/drivers/usb/wusbcore/security.c
+@@ -217,7 +217,7 @@ int wusb_dev_sec_add(struct wusbhc *wusb
+       result = usb_get_descriptor(usb_dev, USB_DT_SECURITY,
+                                   0, secd, sizeof(*secd));
+-      if (result < sizeof(*secd)) {
++      if (result < (int)sizeof(*secd)) {
+               dev_err(dev, "Can't read security descriptor or "
+                       "not enough data: %d\n", result);
+               goto out;
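Review bot: A short but non-negative read still reaches `goto out` with `result` holding the byte count rather than an error code. The `out` label is outside the hunk, but if it returns `result` unchanged, a caller that tests only for negative values would treat the truncated security descriptor read as success. I would add `if (result >= 0) result = -EIO;` after the `dev_err()` and before the `goto out;`. Separately, `if (result < 0 || (size_t)result < sizeof(*secd))` states the intent without narrowing `sizeof` to int.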
diff --git a/queue-4.18/uwb-hwa-rc-fix-memory-leak-at-probe.patch b/queue-4.18/uwb-hwa-rc-fix-memory-leak-at-probe.patch
new file mode 100644 (file)
index 0000000..57a9396
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Fri, 6 Jul 2018 15:32:53 +0300
+Subject: uwb: hwa-rc: fix memory leak at probe
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+[ Upstream commit 11b71782c1d10d9bccc31825cf84291cd7588a1e ]
+
+hwarc_probe() allocates memory for hwarc, but does not free it
+if uwb_rc_add() or hwarc_get_version() fail.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uwb/hwa-rc.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/uwb/hwa-rc.c
++++ b/drivers/uwb/hwa-rc.c
+@@ -873,6 +873,7 @@ error_get_version:
+ error_rc_add:
+       usb_put_intf(iface);
+       usb_put_dev(hwarc->usb_dev);
++      kfree(hwarc);
+ error_alloc:
+       uwb_rc_put(uwb_rc);
+ error_rc_alloc:
diff --git a/queue-4.18/vhost_net-avoid-tx-vring-kicks-during-busyloop.patch b/queue-4.18/vhost_net-avoid-tx-vring-kicks-during-busyloop.patch
new file mode 100644 (file)
index 0000000..c6dafd7
--- /dev/null
@@ -0,0 +1,129 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Date: Tue, 3 Jul 2018 16:31:32 +0900
+Subject: vhost_net: Avoid tx vring kicks during busyloop
+
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+
+[ Upstream commit 027b17603b030f1334ade079b7a3e986569c956b ]
+
+Under heavy load vhost busypoll may run without suppressing
+notification. For example tx zerocopy callback can push tx work while
+handle_tx() is running, then busyloop exits due to vhost_has_work()
+condition and enables notification but immediately reenters handle_tx()
+because the pushed work was tx. In this case handle_tx() tries to
+disable notification again, but when using event_idx it by design
+cannot. Then busyloop will run without suppressing notification.
+Another example is the case where handle_tx() tries to enable
+notification but avail idx is advanced so disables it again. This case
+also leads to the same situation with event_idx.
+
+The problem is that once we enter this situation busyloop does not work
+under heavy load for considerable amount of time, because notification
+is likely to happen during busyloop and handle_tx() immediately enables
+notification after notification happens. Specifically busyloop detects
+notification by vhost_has_work() and then handle_tx() calls
+vhost_enable_notify(). Because the detected work was the tx work, it
+enters handle_tx(), and enters busyloop without suppression again.
+This is likely to be repeated, so with event_idx we are almost not able
+to suppress notification in this case.
+
+To fix this, poll the work instead of enabling notification when
+busypoll is interrupted by something. IMHO vhost_has_work() is kind of
+interruption rather than a signal to completely cancel the busypoll, so
+let's run busypoll after the necessary work is done.
+
+Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/net.c |   35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -396,13 +396,10 @@ static inline unsigned long busy_clock(v
+       return local_clock() >> 10;
+ }
+-static bool vhost_can_busy_poll(struct vhost_dev *dev,
+-                              unsigned long endtime)
++static bool vhost_can_busy_poll(unsigned long endtime)
+ {
+-      return likely(!need_resched()) &&
+-             likely(!time_after(busy_clock(), endtime)) &&
+-             likely(!signal_pending(current)) &&
+-             !vhost_has_work(dev);
++      return likely(!need_resched() && !time_after(busy_clock(), endtime) &&
++                    !signal_pending(current));
+ }
+ static void vhost_net_disable_vq(struct vhost_net *n,
+@@ -434,7 +431,8 @@ static int vhost_net_enable_vq(struct vh
+ static int vhost_net_tx_get_vq_desc(struct vhost_net *net,
+                                   struct vhost_virtqueue *vq,
+                                   struct iovec iov[], unsigned int iov_size,
+-                                  unsigned int *out_num, unsigned int *in_num)
++                                  unsigned int *out_num, unsigned int *in_num,
++                                  bool *busyloop_intr)
+ {
+       unsigned long uninitialized_var(endtime);
+       int r = vhost_get_vq_desc(vq, vq->iov, ARRAY_SIZE(vq->iov),
+@@ -443,9 +441,15 @@ static int vhost_net_tx_get_vq_desc(stru
+       if (r == vq->num && vq->busyloop_timeout) {
+               preempt_disable();
+               endtime = busy_clock() + vq->busyloop_timeout;
+-              while (vhost_can_busy_poll(vq->dev, endtime) &&
+-                     vhost_vq_avail_empty(vq->dev, vq))
++              while (vhost_can_busy_poll(endtime)) {
++                      if (vhost_has_work(vq->dev)) {
++                              *busyloop_intr = true;
++                              break;
++                      }
++                      if (!vhost_vq_avail_empty(vq->dev, vq))
++                              break;
+                       cpu_relax();
++              }
+               preempt_enable();
+               r = vhost_get_vq_desc(vq, vq->iov, ARRAY_SIZE(vq->iov),
+                                     out_num, in_num, NULL, NULL);
+@@ -501,20 +505,24 @@ static void handle_tx(struct vhost_net *
+       zcopy = nvq->ubufs;
+       for (;;) {
++              bool busyloop_intr;
++
+               /* Release DMAs done buffers first */
+               if (zcopy)
+                       vhost_zerocopy_signal_used(net, vq);
+-
++              busyloop_intr = false;
+               head = vhost_net_tx_get_vq_desc(net, vq, vq->iov,
+                                               ARRAY_SIZE(vq->iov),
+-                                              &out, &in);
++                                              &out, &in, &busyloop_intr);
+               /* On error, stop handling until the next kick. */
+               if (unlikely(head < 0))
+                       break;
+               /* Nothing new?  Wait for eventfd to tell us they refilled. */
+               if (head == vq->num) {
+-                      if (unlikely(vhost_enable_notify(&net->dev, vq))) {
++                      if (unlikely(busyloop_intr)) {
++                              vhost_poll_queue(&vq->poll);
++                      } else if (unlikely(vhost_enable_notify(&net->dev, vq))) {
+                               vhost_disable_notify(&net->dev, vq);
+                               continue;
+                       }
+@@ -663,7 +671,8 @@ static int vhost_net_rx_peek_head_len(st
+               preempt_disable();
+               endtime = busy_clock() + vq->busyloop_timeout;
+-              while (vhost_can_busy_poll(&net->dev, endtime) &&
++              while (vhost_can_busy_poll(endtime) &&
++                     !vhost_has_work(&net->dev) &&
+                      !sk_has_rx_data(sk) &&
+                      vhost_vq_avail_empty(&net->dev, vq))
+                       cpu_relax();
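Review bot: vhost_net_tx_get_vq_desc() only ever writes `true` through the new `busyloop_intr` pointer and dereferences it unconditionally, so it relies on every caller passing a non-NULL flag that was cleared beforehand; nothing in the hunks documents that contract. A comment on the function such as `/* *busyloop_intr is set when busy polling stops because other vhost work is pending; the caller must clear it first */` would record it. In handle_tx() the declaration and the later `busyloop_intr = false;` could be a single `bool busyloop_intr = false;` at the top of the loop body. handle_tx() and vhost_net_rx_peek_head_len() both continue outside the hunks shown.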
diff --git a/queue-4.18/vmci-type-promotion-bug-in-qp_host_get_user_memory.patch b/queue-4.18/vmci-type-promotion-bug-in-qp_host_get_user_memory.patch
new file mode 100644 (file)
index 0000000..4c3e86b
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:33:34 +0300
+Subject: vmci: type promotion bug in qp_host_get_user_memory()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 7fb2fd4e25fc1fb10dcb30b5519de257cfeae84c ]
+
+The problem is that if get_user_pages_fast() fails and returns a
+negative error code, it gets type promoted to a high positive value and
+treated as a success.
+
+Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/vmw_vmci/vmci_queue_pair.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
+@@ -668,7 +668,7 @@ static int qp_host_get_user_memory(u64 p
+       retval = get_user_pages_fast((uintptr_t) produce_uva,
+                                    produce_q->kernel_if->num_pages, 1,
+                                    produce_q->kernel_if->u.h.header_page);
+-      if (retval < produce_q->kernel_if->num_pages) {
++      if (retval < (int)produce_q->kernel_if->num_pages) {
+               pr_debug("get_user_pages_fast(produce) failed (retval=%d)",
+                       retval);
+               qp_release_pages(produce_q->kernel_if->u.h.header_page,
+@@ -680,7 +680,7 @@ static int qp_host_get_user_memory(u64 p
+       retval = get_user_pages_fast((uintptr_t) consume_uva,
+                                    consume_q->kernel_if->num_pages, 1,
+                                    consume_q->kernel_if->u.h.header_page);
+-      if (retval < consume_q->kernel_if->num_pages) {
++      if (retval < (int)consume_q->kernel_if->num_pages) {
+               pr_debug("get_user_pages_fast(consume) failed (retval=%d)",
+                       retval);
+               qp_release_pages(consume_q->kernel_if->u.h.header_page,
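Review bot: With the cast in place, a negative `retval` now enters the error branch, which goes on to call `qp_release_pages(...)`. Its remaining arguments are cut off in both hunks, but if `retval` is passed as the page count, a negative error code would be handed to the release routine as a count. Guarding the call in both branches with `if (retval > 0)` would keep the cleanup to pages that were actually pinned. The `(int)` cast also assumes `num_pages` fits in an int; a separate `retval < 0 ||` test ahead of the comparison would avoid relying on that. qp_host_get_user_memory() starts and ends outside the hunks.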
diff --git a/queue-4.18/wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch b/queue-4.18/wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch
new file mode 100644 (file)
index 0000000..56a4dea
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Tony Lindgren <tony@atomide.com>
+Date: Tue, 19 Jun 2018 02:43:35 -0700
+Subject: wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 4ec7cece87b3ed21ffcd407c62fb2f151a366bc1 ]
+
+Otherwise we can get:
+
+WARNING: CPU: 0 PID: 55 at drivers/net/wireless/ti/wlcore/io.h:84
+
+I've only seen this few times with the runtime PM patches enabled
+so this one is probably not needed before that. This seems to
+work currently based on the current PM implementation timer. Let's
+apply this separately though in case others are hitting this issue.
+
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ti/wlcore/cmd.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/ti/wlcore/cmd.c
++++ b/drivers/net/wireless/ti/wlcore/cmd.c
+@@ -35,6 +35,7 @@
+ #include "wl12xx_80211.h"
+ #include "cmd.h"
+ #include "event.h"
++#include "ps.h"
+ #include "tx.h"
+ #include "hw_ops.h"
+@@ -191,6 +192,10 @@ int wlcore_cmd_wait_for_event_or_timeout
+       timeout_time = jiffies + msecs_to_jiffies(WL1271_EVENT_TIMEOUT);
++      ret = wl1271_ps_elp_wakeup(wl);
++      if (ret < 0)
++              return ret;
++
+       do {
+               if (time_after(jiffies, timeout_time)) {
+                       wl1271_debug(DEBUG_CMD, "timeout waiting for event %d",
+@@ -222,6 +227,7 @@ int wlcore_cmd_wait_for_event_or_timeout
+       } while (!event);
+ out:
++      wl1271_ps_elp_sleep(wl);
+       kfree(events_vector);
+       return ret;
+ }
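Review bot: The new `return ret;` after a failed `wl1271_ps_elp_wakeup(wl)` bypasses the `out:` label, which is where `events_vector` is freed. The allocation is outside the hunk, but if it happens before this point, the early return leaks the buffer on every wakeup failure. Jumping to `out` is not right either, since it would now call `wl1271_ps_elp_sleep(wl)` without a matching wakeup. I would add a second label, `free_vector:`, between the sleep call and `kfree(events_vector);` and use `goto free_vector;` in place of the `return ret;`.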
diff --git a/queue-4.18/x86-entry-64-add-two-more-instruction-suffixes.patch b/queue-4.18/x86-entry-64-add-two-more-instruction-suffixes.patch
new file mode 100644 (file)
index 0000000..233e915
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Jan Beulich <JBeulich@suse.com>
+Date: Mon, 2 Jul 2018 04:47:57 -0600
+Subject: x86/entry/64: Add two more instruction suffixes
+
+From: Jan Beulich <JBeulich@suse.com>
+
+[ Upstream commit 6709812f094d96543b443645c68daaa32d3d3e77 ]
+
+Sadly, other than claimed in:
+
+  a368d7fd2a ("x86/entry/64: Add instruction suffix")
+
+... there are two more instances which want to be adjusted.
+
+As said there, omitting suffixes from instructions in AT&T mode is bad
+practice when operand size cannot be determined by the assembler from
+register operands, and is likely going to be warned about by upstream
+gas in the future (mine does already).
+
+Add the other missing suffixes here as well.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/5B3A02DD02000078001CFB78@prv1-mh.provo.novell.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/entry/entry_64.S |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -92,7 +92,7 @@ END(native_usergs_sysret64)
+ .endm
+ .macro TRACE_IRQS_IRETQ_DEBUG
+-      bt      $9, EFLAGS(%rsp)                /* interrupts off? */
++      btl     $9, EFLAGS(%rsp)                /* interrupts off? */
+       jnc     1f
+       TRACE_IRQS_ON_DEBUG
+ 1:
+@@ -701,7 +701,7 @@ retint_kernel:
+ #ifdef CONFIG_PREEMPT
+       /* Interrupts are off */
+       /* Check if we need preemption */
+-      bt      $9, EFLAGS(%rsp)                /* were interrupts off? */
++      btl     $9, EFLAGS(%rsp)                /* were interrupts off? */
+       jnc     1f
+ 0:    cmpl    $0, PER_CPU_VAR(__preempt_count)
+       jnz     1f
diff --git a/queue-4.18/x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch b/queue-4.18/x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch
new file mode 100644 (file)
index 0000000..2359a66
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Fri, 6 Jul 2018 09:08:01 -0700
+Subject: x86/numa_emulation: Fix emulated-to-physical node mapping
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+[ Upstream commit 3b6c62f363a19ce82bf378187ab97c9dc01e3927 ]
+
+Without this change the distance table calculation for emulated nodes
+may use the wrong numa node and report an incorrect distance.
+
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Wei Yang <richard.weiyang@gmail.com>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/153089328103.27680.14778434392225818887.stgit@dwillia2-desk3.amr.corp.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/numa_emulation.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/mm/numa_emulation.c
++++ b/arch/x86/mm/numa_emulation.c
+@@ -61,7 +61,7 @@ static int __init emu_setup_memblk(struc
+       eb->nid = nid;
+       if (emu_nid_to_phys[nid] == NUMA_NO_NODE)
+-              emu_nid_to_phys[nid] = nid;
++              emu_nid_to_phys[nid] = pb->nid;
+       pb->start += size;
+       if (pb->start >= pb->end) {
diff --git a/queue-4.18/x86-tsc-add-missing-header-to-tsc_msr.c.patch b/queue-4.18/x86-tsc-add-missing-header-to-tsc_msr.c.patch
new file mode 100644 (file)
index 0000000..ecfca0a
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Sat Sep 29 04:24:28 PDT 2018
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Fri, 29 Jun 2018 22:31:10 +0300
+Subject: x86/tsc: Add missing header to tsc_msr.c
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit dbd0fbc76c77daac08ddd245afdcbade0d506e19 ]
+
+Add a missing header otherwise compiler warns about missed prototype:
+
+CC      arch/x86/kernel/tsc_msr.o
+arch/x86/kernel/tsc_msr.c:73:15: warning: no previous prototype for ‘cpu_khz_from_msr’ [-Wmissing-prototypes]
+   unsigned long cpu_khz_from_msr(void)
+                 ^~~~~~~~~~~~~~~~
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Pavel Tatashin <pasha.tatashin@oracle.com>
+Link: https://lkml.kernel.org/r/20180629193113.84425-4-andriy.shevchenko@linux.intel.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/tsc_msr.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/tsc_msr.c
++++ b/arch/x86/kernel/tsc_msr.c
+@@ -12,6 +12,7 @@
+ #include <asm/setup.h>
+ #include <asm/apic.h>
+ #include <asm/param.h>
++#include <asm/tsc.h>
+ #define MAX_NUM_FREQS 9