--- /dev/null
+From c2432466f583cb719b35a41e757da587d9ab1d00 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 17 Nov 2017 12:08:40 +0100
+Subject: ALSA: hda: Fix too short HDMI/DP chmap reporting
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c2432466f583cb719b35a41e757da587d9ab1d00 upstream.
+
+We got a regression report about the HD-audio HDMI chmap, where some
+surround channels are reported as UNKNOWN. The git bisection pointed
+the culprit at the commit 9b3dc8aa3fb1 ("ALSA: hda - Register chmap
+obj as priv data instead of codec"). The story behind scene is like
+this:
+
+- While moving the code out of the legacy HDA to the HDA common place,
+ the patch modifies the code to obtain the chmap array indirectly in
+ a byte array, and it expands it to kctl value array.
+- At the latter operation, the size of the array is wrongly passed by
+ sizeof() to the pointer.
+- It can be 4 on 32bit arch, thus too short for 6+ channels.
+ (And that's the reason why it didn't hit other persons; it's 8 on
+ 64bit arch, thus it's usually enough.)
+
+The code was further changed meanwhile, but the problem persisted.
+Let's fix it by correctly evaluating the array size.
+
+Fixes: 9b3dc8aa3fb1 ("ALSA: hda - Register chmap obj as priv data instead of codec")
+Reported-by: VDR User <user.vdr@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/hda/hdmi_chmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/hda/hdmi_chmap.c
++++ b/sound/hda/hdmi_chmap.c
+@@ -746,7 +746,7 @@ static int hdmi_chmap_ctl_get(struct snd
+ memset(pcm_chmap, 0, sizeof(pcm_chmap));
+ chmap->ops.get_chmap(chmap->hdac, pcm_idx, pcm_chmap);
+
+- for (i = 0; i < sizeof(chmap); i++)
++ for (i = 0; i < ARRAY_SIZE(pcm_chmap); i++)
+ ucontrol->value.integer.value[i] = pcm_chmap[i];
+
+ return 0;
--- /dev/null
+From 2d7fe6185722b0817bb345f62ab06b76a7b26542 Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Wed, 22 Nov 2017 15:21:32 +0800
+Subject: ALSA: hda/realtek - Fix ALC700 family no sound issue
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit 2d7fe6185722b0817bb345f62ab06b76a7b26542 upstream.
+
+It maybe the typo for ALC700 support patch.
+To fix the bit value on this patch.
+
+Fixes: 6fbae35a3170 ("ALSA: hda/realtek - Add support for new codecs ALC700/ALC701/ALC703")
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6272,7 +6272,7 @@ static int patch_alc269(struct hda_codec
+ case 0x10ec0703:
+ spec->codec_variant = ALC269_TYPE_ALC700;
+ spec->gen.mixer_nid = 0; /* ALC700 does not have any loopback mixer path */
+- alc_update_coef_idx(codec, 0x4a, 0, 1 << 15); /* Combo jack auto trigger control */
++ alc_update_coef_idx(codec, 0x4a, 1 << 15, 0); /* Combo jack auto trigger control */
+ break;
+
+ }
--- /dev/null
+From 20e3f985bb875fea4f86b04eba4b6cc29bfd6b71 Mon Sep 17 00:00:00 2001
+From: Henrik Eriksson <henrik.eriksson@axis.com>
+Date: Tue, 21 Nov 2017 09:29:28 +0100
+Subject: ALSA: pcm: update tstamp only if audio_tstamp changed
+
+From: Henrik Eriksson <henrik.eriksson@axis.com>
+
+commit 20e3f985bb875fea4f86b04eba4b6cc29bfd6b71 upstream.
+
+commit 3179f6200188 ("ALSA: core: add .get_time_info") had a side effect
+of changing the behaviour of the PCM runtime tstamp. Prior to this
+change tstamp was not updated by snd_pcm_update_hw_ptr0() unless the
+hw_ptr had moved, after this change tstamp was always updated.
+
+For an application using alsa-lib, doing snd_pcm_readi() followed by
+snd_pcm_status() to estimate the age of the read samples by subtracting
+status->avail * [sample rate] from status->tstamp this change degraded
+the accuracy of the estimate on devices where the pcm hw does not
+provide a granular hw_ptr, e.g., devices using
+soc-generic-dmaengine-pcm.c and a dma-engine with residue_granularity
+DMA_RESIDUE_GRANULARITY_DESCRIPTOR. The accuracy of the estimate
+depended on the latency between the PCM hw completing a period and the
+driver called snd_pcm_period_elapsed() to notify ALSA core, typically
+determined by interrupt handling latency. After the change the accuracy
+of the estimate depended on the latency between the PCM hw completing a
+period and the application calling snd_pcm_status(), determined by the
+scheduling of the application process. The maximum error of the
+estimate is one period length in both cases, but the error average and
+variance is smaller when it depends on interrupt latency.
+
+Instead of always updating tstamp, update it only if audio_tstamp
+changed.
+
+Fixes: 3179f6200188 ("ALSA: core: add .get_time_info")
+Suggested-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Henrik Eriksson <henrik.eriksson@axis.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_lib.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -264,8 +264,10 @@ static void update_audio_tstamp(struct s
+ runtime->rate);
+ *audio_tstamp = ns_to_timespec(audio_nsecs);
+ }
+- runtime->status->audio_tstamp = *audio_tstamp;
+- runtime->status->tstamp = *curr_tstamp;
++ if (!timespec_equal(&runtime->status->audio_tstamp, audio_tstamp)) {
++ runtime->status->audio_tstamp = *audio_tstamp;
++ runtime->status->tstamp = *curr_tstamp;
++ }
+
+ /*
+ * re-take a driver timestamp to let apps detect if the reference tstamp
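Review bot: The new `if (!timespec_equal(&runtime->status->audio_tstamp, audio_tstamp))` guard has no comment saying why `tstamp` is now tied to `audio_tstamp`, and the reason (keeping `tstamp` at the moment the position last advanced, so applications can age samples from it) is only in the commit text. I would add a comment above the `if`, such as `/* only refresh tstamp when the audio position moved; apps use it to estimate the age of read samples */`. It is also worth confirming the first call after start: if the stored `audio_tstamp` and the computed one are both zero, `tstamp` stays unset until the pointer moves. The function starts and ends outside this hunk.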
--- /dev/null
+From 3d4e8303f2c747c8540a0a0126d0151514f6468b Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Nov 2017 16:36:11 +0100
+Subject: ALSA: timer: Remove kernel warning at compat ioctl error paths
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 3d4e8303f2c747c8540a0a0126d0151514f6468b upstream.
+
+Some timer compat ioctls have NULL checks of timer instance with
+snd_BUG_ON() that bring up WARN_ON() when the debug option is set.
+Actually the condition can be met in the normal situation and it's
+confusing and bad to spew kernel warnings with stack trace there.
+Let's remove snd_BUG_ON() invocation and replace with the simple
+checks. Also, correct the error code to EBADFD to follow the native
+ioctl error handling.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer_compat.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/sound/core/timer_compat.c
++++ b/sound/core/timer_compat.c
+@@ -66,11 +66,11 @@ static int snd_timer_user_info_compat(st
+ struct snd_timer *t;
+
+ tu = file->private_data;
+- if (snd_BUG_ON(!tu->timeri))
+- return -ENXIO;
++ if (!tu->timeri)
++ return -EBADFD;
+ t = tu->timeri->timer;
+- if (snd_BUG_ON(!t))
+- return -ENXIO;
++ if (!t)
++ return -EBADFD;
+ memset(&info, 0, sizeof(info));
+ info.card = t->card ? t->card->number : -1;
+ if (t->hw.flags & SNDRV_TIMER_HW_SLAVE)
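Review bot: The new `if (!tu->timeri)` test and the `tu->timeri->timer` dereference after it read the pointer twice with no lock visible in this hunk, so if another ioctl on the same file can clear or replace `tu->timeri` concurrently, the check does not protect the dereference. If the native ioctl path serializes on a per-file lock, the compat handlers should take the same one; failing that, read the pointer once into a local, `timeri = tu->timeri; if (!timeri) return -EBADFD;`. The same pattern is in the snd_timer_user_status_compat hunk that follows. Both functions start and end outside their hunks, so a caller may already hold the lock; that should be confirmed rather than assumed.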
+@@ -99,8 +99,8 @@ static int snd_timer_user_status_compat(
+ struct snd_timer_status32 status;
+
+ tu = file->private_data;
+- if (snd_BUG_ON(!tu->timeri))
+- return -ENXIO;
++ if (!tu->timeri)
++ return -EBADFD;
+ memset(&status, 0, sizeof(status));
+ status.tstamp.tv_sec = tu->tstamp.tv_sec;
+ status.tstamp.tv_nsec = tu->tstamp.tv_nsec;
--- /dev/null
+From 0a62d6c966956d77397c32836a5bbfe3af786fc1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Nov 2017 17:28:06 +0100
+Subject: ALSA: usb-audio: Add sanity checks in v2 clock parsers
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 0a62d6c966956d77397c32836a5bbfe3af786fc1 upstream.
+
+The helper functions to parse and look for the clock source, selector
+and multiplier unit may return the descriptor with a too short length
+than required, while there is no sanity check in the caller side.
+Add some sanity checks in the parsers, at least, to guarantee the
+given descriptor size, for avoiding the potential crashes.
+
+Fixes: 79f920fbff56 ("ALSA: usb-audio: parse clock topology of UAC2 devices")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/clock.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/clock.c
++++ b/sound/usb/clock.c
+@@ -43,7 +43,7 @@ static struct uac_clock_source_descripto
+ while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
+ ctrl_iface->extralen,
+ cs, UAC2_CLOCK_SOURCE))) {
+- if (cs->bClockID == clock_id)
++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id)
+ return cs;
+ }
+
+@@ -59,8 +59,11 @@ static struct uac_clock_selector_descrip
+ while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
+ ctrl_iface->extralen,
+ cs, UAC2_CLOCK_SELECTOR))) {
+- if (cs->bClockID == clock_id)
++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) {
++ if (cs->bLength < 5 + cs->bNrInPins)
++ return NULL;
+ return cs;
++ }
+ }
+
+ return NULL;
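Review bot: The selector check `cs->bLength < 5 + cs->bNrInPins` guarantees only the baCSourceID[] array; in the UAC2 clock selector layout bmControls and iClockSelector follow that array, so a caller that reads either trailing field can still step past a descriptor that passes this test. If any caller does, the bound should be `7 + cs->bNrInPins`. The literal 5 would read better as `sizeof(*cs)`, matching the test on the line above (assuming the struct ends in a flexible array). A short descriptor with a matching bClockID ends the search with NULL instead of continuing to the next candidate; a one-line comment saying that is intended would help.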
+@@ -75,7 +78,7 @@ static struct uac_clock_multiplier_descr
+ while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
+ ctrl_iface->extralen,
+ cs, UAC2_CLOCK_MULTIPLIER))) {
+- if (cs->bClockID == clock_id)
++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id)
+ return cs;
+ }
+
--- /dev/null
+From d937cd6790a2bef2d07b500487646bd794c039bb Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Nov 2017 16:55:51 +0100
+Subject: ALSA: usb-audio: Add sanity checks to FE parser
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d937cd6790a2bef2d07b500487646bd794c039bb upstream.
+
+When the usb-audio descriptor contains the malformed feature unit
+description with a too short length, the driver may access
+out-of-bounds. Add a sanity check of the header size at the beginning
+of parse_audio_feature_unit().
+
+Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1463,6 +1463,12 @@ static int parse_audio_feature_unit(stru
+ __u8 *bmaControls;
+
+ if (state->mixer->protocol == UAC_VERSION_1) {
++ if (hdr->bLength < 7) {
++ usb_audio_err(state->chip,
++ "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
++ unitid);
++ return -EINVAL;
++ }
+ csize = hdr->bControlSize;
+ if (!csize) {
+ usb_audio_dbg(state->chip,
+@@ -1480,6 +1486,12 @@ static int parse_audio_feature_unit(stru
+ }
+ } else {
+ struct uac2_feature_unit_descriptor *ftr = _ftr;
++ if (hdr->bLength < 6) {
++ usb_audio_err(state->chip,
++ "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
++ unitid);
++ return -EINVAL;
++ }
+ csize = 4;
+ channels = (hdr->bLength - 6) / 4 - 1;
+ bmaControls = ftr->bmaControls;
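Review bot: In the UAC2 branch the new minimum of 6 still admits bLength values 6 to 9, for which `channels = (hdr->bLength - 6) / 4 - 1` evaluates to -1 and `ftr->bmaControls` has no complete master-control entry. Unless a later check outside this hunk rejects that case, the bound should cover the header plus one 4-byte control word: `if (hdr->bLength < 6 + 4) {`. The UAC1 hunk above has the same shape, since `hdr->bLength < 7` proves bControlSize is readable but not that one bControlSize-sized entry follows it. parse_audio_feature_unit continues past both hunks.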
--- /dev/null
+From f658f17b5e0e339935dca23e77e0f3cad591926b Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Nov 2017 17:00:32 +0100
+Subject: ALSA: usb-audio: Fix potential out-of-bound access at parsing SU
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f658f17b5e0e339935dca23e77e0f3cad591926b upstream.
+
+The usb-audio driver may trigger an out-of-bound access at parsing a
+malformed selector unit, as it checks the header length only after
+evaluating bNrInPins field, which can be already above the given
+length. Fix it by adding the length check beforehand.
+
+Fixes: 99fc86450c43 ("ALSA: usb-mixer: parse descriptors with structs")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2092,7 +2092,8 @@ static int parse_audio_selector_unit(str
+ const struct usbmix_name_map *map;
+ char **namelist;
+
+- if (!desc->bNrInPins || desc->bLength < 5 + desc->bNrInPins) {
++ if (desc->bLength < 5 || !desc->bNrInPins ||
++ desc->bLength < 5 + desc->bNrInPins) {
+ usb_audio_err(state->chip,
+ "invalid SELECTOR UNIT descriptor %d\n", unitid);
+ return -EINVAL;
--- /dev/null
+From 8428a8ebde2db1e988e41a58497a28beb7ce1705 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Nov 2017 17:07:43 +0100
+Subject: ALSA: usb-audio: Fix potential zero-division at parsing FU
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8428a8ebde2db1e988e41a58497a28beb7ce1705 upstream.
+
+parse_audio_feature_unit() contains a code dividing potentially with
+zero when a malformed FU descriptor is passed. Although there is
+already a sanity check, it checks only the value zero, hence it can
+still lead to a zero-division when a value 1 is passed there.
+
+Fix it by correcting the sanity check (and the error message
+thereof).
+
+Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1470,9 +1470,9 @@ static int parse_audio_feature_unit(stru
+ return -EINVAL;
+ }
+ csize = hdr->bControlSize;
+- if (!csize) {
++ if (csize <= 1) {
+ usb_audio_dbg(state->chip,
+- "unit %u: invalid bControlSize == 0\n",
++ "unit %u: invalid bControlSize <= 1\n",
+ unitid);
+ return -EINVAL;
+ }
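Review bot: Rejecting `csize <= 1` also rejects bControlSize == 1, which the UAC1 feature unit format permits (one byte of control bits per channel), so devices reporting it would now fail here with -EINVAL and lose their mixer controls. The division the description refers to is not in this hunk; if its divisor is derived from csize rather than being csize itself, guard that divisor at the division site and keep `if (!csize) {` here. The rejection is logged with usb_audio_dbg, while the descriptor checks added elsewhere in this series use usb_audio_err, so a device dropped by this test is easy to miss in the logs.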
--- /dev/null
+From f1601113ddc0339a745e702f4fb1ca37d4875e65 Mon Sep 17 00:00:00 2001
+From: Rameshwar Prasad Sahu <rsahu@apm.com>
+Date: Thu, 2 Nov 2017 16:31:07 +0530
+Subject: ata: fixes kernel crash while tracing ata_eh_link_autopsy event
+
+From: Rameshwar Prasad Sahu <rsahu@apm.com>
+
+commit f1601113ddc0339a745e702f4fb1ca37d4875e65 upstream.
+
+When tracing ata link error event, the kernel crashes when the disk is
+removed due to NULL pointer access by trace_ata_eh_link_autopsy API.
+This occurs as the dev is NULL when the disk disappeared. This patch
+fixes this crash by calling trace_ata_eh_link_autopsy only if "dev"
+is not NULL.
+
+v2 changes:
+ Removed direct passing "link" pointer instead of "dev" in trace API.
+
+Signed-off-by: Rameshwar Prasad Sahu <rsahu@apm.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Fixes: 255c03d15a29 ("libata: Add tracepoints")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-eh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -2329,8 +2329,8 @@ static void ata_eh_link_autopsy(struct a
+ if (dev->flags & ATA_DFLAG_DUBIOUS_XFER)
+ eflags |= ATA_EFLAG_DUBIOUS_XFER;
+ ehc->i.action |= ata_eh_speed_down(dev, eflags, all_err_mask);
++ trace_ata_eh_link_autopsy(dev, ehc->i.action, all_err_mask);
+ }
+- trace_ata_eh_link_autopsy(dev, ehc->i.action, all_err_mask);
+ DPRINTK("EXIT\n");
+ }
+
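Review bot: With `trace_ata_eh_link_autopsy(dev, ehc->i.action, all_err_mask);` moved inside the block, an autopsy that ends with no device emits no event at all, so the disk-removal case from the description disappears from the trace instead of being recorded. If that loss of visibility is accepted, a comment on the moved call would record it, e.g. `/* tracepoint dereferences dev; link-only errors are not traced */`. The guarding condition of the enclosing block is outside this hunk, so I am inferring that it tests `dev`.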
--- /dev/null
+From ecc0c469f27765ed1e2b967be0aa17cee1a60b76 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 17 Nov 2017 15:29:13 -0800
+Subject: autofs: don't fail mount for transient error
+
+From: NeilBrown <neilb@suse.com>
+
+commit ecc0c469f27765ed1e2b967be0aa17cee1a60b76 upstream.
+
+Currently if the autofs kernel module gets an error when writing to the
+pipe which links to the daemon, then it marks the whole moutpoint as
+catatonic, and it will stop working.
+
+It is possible that the error is transient. This can happen if the
+daemon is slow and more than 16 requests queue up. If a subsequent
+process tries to queue a request, and is then signalled, the write to
+the pipe will return -ERESTARTSYS and autofs will take that as total
+failure.
+
+So change the code to assess -ERESTARTSYS and -ENOMEM as transient
+failures which only abort the current request, not the whole mountpoint.
+
+It isn't a crash or a data corruption, but having autofs mountpoints
+suddenly stop working is rather inconvenient.
+
+Ian said:
+
+: And given the problems with a half dozen (or so) user space applications
+: consuming large amounts of CPU under heavy mount and umount activity this
+: could happen more easily than we expect.
+
+Link: http://lkml.kernel.org/r/87y3norvgp.fsf@notabene.neil.brown.name
+Signed-off-by: NeilBrown <neilb@suse.com>
+Acked-by: Ian Kent <raven@themaw.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/autofs4/waitq.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/fs/autofs4/waitq.c
++++ b/fs/autofs4/waitq.c
+@@ -87,7 +87,8 @@ static int autofs4_write(struct autofs_s
+ spin_unlock_irqrestore(¤t->sighand->siglock, flags);
+ }
+
+- return (bytes > 0);
++ /* if 'wr' returned 0 (impossible) we assume -EIO (safe) */
++ return bytes == 0 ? 0 : wr < 0 ? wr : -EIO;
+ }
+
+ static void autofs4_notify_daemon(struct autofs_sb_info *sbi,
+@@ -101,6 +102,7 @@ static void autofs4_notify_daemon(struct
+ } pkt;
+ struct file *pipe = NULL;
+ size_t pktsz;
++ int ret;
+
+ pr_debug("wait id = 0x%08lx, name = %.*s, type=%d\n",
+ (unsigned long) wq->wait_queue_token,
+@@ -175,7 +177,18 @@ static void autofs4_notify_daemon(struct
+ mutex_unlock(&sbi->wq_mutex);
+
+ if (autofs4_write(sbi, pipe, &pkt, pktsz))
++ switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) {
++ case 0:
++ break;
++ case -ENOMEM:
++ case -ERESTARTSYS:
++ /* Just fail this one */
++ autofs4_wait_release(sbi, wq->wait_queue_token, ret);
++ break;
++ default:
+ autofs4_catatonic_mode(sbi);
++ break;
++ }
+ fput(pipe);
+ }
+
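Review bot: The old `if (autofs4_write(sbi, pipe, &pkt, pktsz))` line is still present as context directly above the added `switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) {`, so the switch becomes the body of that `if`. The packet is written once, and only when that write fails is it written a second time, with the second result choosing between releasing the wait and catatonic mode. This matches the diffstat's single deletion, which is the `return (bytes > 0);` line in the first hunk. The `if` line should be removed so the switch acts on one write only; as it stands, a failed or partial first write can be followed by a duplicate packet on the daemon pipe. Once it is gone, `autofs4_catatonic_mode(sbi);` under `default:` should be indented one level further.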
--- /dev/null
+From 91af8300d9c1d7c6b6a2fd754109e08d4798b8d8 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 13 Oct 2017 16:35:29 -0700
+Subject: bcache: check ca->alloc_thread initialized before wake up it
+
+From: Coly Li <colyli@suse.de>
+
+commit 91af8300d9c1d7c6b6a2fd754109e08d4798b8d8 upstream.
+
+In bcache code, sysfs entries are created before all resources get
+allocated, e.g. allocation thread of a cache set.
+
+There is posibility for NULL pointer deference if a resource is accessed
+but which is not initialized yet. Indeed Jorg Bornschein catches one on
+cache set allocation thread and gets a kernel oops.
+
+The reason for this bug is, when bch_bucket_alloc() is called during
+cache set registration and attaching, ca->alloc_thread is not properly
+allocated and initialized yet, call wake_up_process() on ca->alloc_thread
+triggers NULL pointer deference failure. A simple and fast fix is, before
+waking up ca->alloc_thread, checking whether it is allocated, and only
+wake up ca->alloc_thread when it is not NULL.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Reported-by: Jorg Bornschein <jb@capsec.org>
+Cc: Kent Overstreet <kent.overstreet@gmail.com>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/alloc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/alloc.c
++++ b/drivers/md/bcache/alloc.c
+@@ -404,7 +404,8 @@ long bch_bucket_alloc(struct cache *ca,
+
+ finish_wait(&ca->set->bucket_wait, &w);
+ out:
+- wake_up_process(ca->alloc_thread);
++ if (ca->alloc_thread)
++ wake_up_process(ca->alloc_thread);
+
+ trace_bcache_alloc(ca, reserve);
+
--- /dev/null
+From d59b23795933678c9638fd20c942d2b4f3cd6185 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Mon, 30 Oct 2017 14:46:31 -0700
+Subject: bcache: only permit to recovery read error when cache device is clean
+
+From: Coly Li <colyli@suse.de>
+
+commit d59b23795933678c9638fd20c942d2b4f3cd6185 upstream.
+
+When bcache does read I/Os, for example in writeback or writethrough mode,
+if a read request on cache device is failed, bcache will try to recovery
+the request by reading from cached device. If the data on cached device is
+not synced with cache device, then requester will get a stale data.
+
+For critical storage system like database, providing stale data from
+recovery may result an application level data corruption, which is
+unacceptible.
+
+With this patch, for a failed read request in writeback or writethrough
+mode, recovery a recoverable read request only happens when cache device
+is clean. That is to say, all data on cached device is up to update.
+
+For other cache modes in bcache, read request will never hit
+cached_dev_read_error(), they don't need this patch.
+
+Please note, because cache mode can be switched arbitrarily in run time, a
+writethrough mode might be switched from a writeback mode. Therefore
+checking dc->has_data in writethrough mode still makes sense.
+
+Changelog:
+V4: Fix parens error pointed by Michael Lyle.
+v3: By response from Kent Oversteet, he thinks recovering stale data is a
+ bug to fix, and option to permit it is unnecessary. So this version
+ the sysfs file is removed.
+v2: rename sysfs entry from allow_stale_data_on_failure to
+ allow_stale_data_on_failure, and fix the confusing commit log.
+v1: initial patch posted.
+
+[small change to patch comment spelling by mlyle]
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Michael Lyle <mlyle@lyle.org>
+Reported-by: Arne Wolf <awolf@lenovo.com>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Cc: Kent Overstreet <kent.overstreet@gmail.com>
+Cc: Nix <nix@esperi.org.uk>
+Cc: Kai Krakow <hurikhan77@gmail.com>
+Cc: Eric Wheeler <bcache@lists.ewheeler.net>
+Cc: Junhui Tang <tang.junhui@zte.com.cn>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/request.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/request.c
++++ b/drivers/md/bcache/request.c
+@@ -702,8 +702,16 @@ static void cached_dev_read_error(struct
+ {
+ struct search *s = container_of(cl, struct search, cl);
+ struct bio *bio = &s->bio.bio;
++ struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
+
+- if (s->recoverable) {
++ /*
++ * If cache device is dirty (dc->has_dirty is non-zero), then
++ * recovery a failed read request from cached device may get a
++ * stale data back. So read failure recovery is only permitted
++ * when cache device is clean.
++ */
++ if (s->recoverable &&
++ (dc && !atomic_read(&dc->has_dirty))) {
+ /* Retry from the backing device: */
+ trace_bcache_read_retry(s->orig_bio);
+
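Review bot: The `dc &&` test cannot do what it appears to: container_of() only subtracts a field offset from `s->d`, so the result is NULL only when `s->d` is NULL and `disk` sits at offset 0, and it never indicates that `s->d` is not embedded in a cached_dev. If this callback can run for a device that is not a cached_dev, that must be decided before the container_of(); otherwise drop the test so the condition reads `if (s->recoverable && !atomic_read(&dc->has_dirty)) {`. The commit text mentions dc->has_data while the code and the new comment use has_dirty, and the comment is the one that matches the code. The function continues past the hunk, so the path taken when recovery is refused is not visible here.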
--- /dev/null
+From 4e9b6f20828ac880dbc1fa2fdbafae779473d1af Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Thu, 19 Oct 2017 10:00:48 -0700
+Subject: block: Fix a race between blk_cleanup_queue() and timeout handling
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit 4e9b6f20828ac880dbc1fa2fdbafae779473d1af upstream.
+
+Make sure that if the timeout timer fires after a queue has been
+marked "dying" that the affected requests are finished.
+
+Reported-by: chenxiang (M) <chenxiang66@hisilicon.com>
+Fixes: commit 287922eb0b18 ("block: defer timeouts to a workqueue")
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Tested-by: chenxiang (M) <chenxiang66@hisilicon.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Keith Busch <keith.busch@intel.com>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-core.c | 2 ++
+ block/blk-timeout.c | 3 ---
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -282,6 +282,7 @@ EXPORT_SYMBOL(blk_stop_queue);
+ void blk_sync_queue(struct request_queue *q)
+ {
+ del_timer_sync(&q->timeout);
++ cancel_work_sync(&q->timeout_work);
+
+ if (q->mq_ops) {
+ struct blk_mq_hw_ctx *hctx;
+@@ -720,6 +721,7 @@ struct request_queue *blk_alloc_queue_no
+ setup_timer(&q->backing_dev_info.laptop_mode_wb_timer,
+ laptop_mode_timer_fn, (unsigned long) q);
+ setup_timer(&q->timeout, blk_rq_timed_out_timer, (unsigned long) q);
++ INIT_WORK(&q->timeout_work, NULL);
+ INIT_LIST_HEAD(&q->queue_head);
+ INIT_LIST_HEAD(&q->timeout_list);
+ INIT_LIST_HEAD(&q->icq_list);
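Review bot: `INIT_WORK(&q->timeout_work, NULL);` leaves the work item with a NULL handler while the line above arms `q->timeout` with blk_rq_timed_out_timer; if that timer path can queue timeout_work before a later init installs the real handler, the workqueue would call through NULL. A comment would make the contract explicit, for example `/* handler is installed by the queue-type init; NULL here only so blk_sync_queue() can call cancel_work_sync() */`. The blk_timeout_work hunks drop blk_queue_enter()/blk_queue_exit(), so the handler's safety on a dying queue now rests on the `cancel_work_sync(&q->timeout_work);` added in blk_sync_queue, and the same comment should say so. Whether a handler is always installed before the timer can fire is not visible in these hunks.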
+--- a/block/blk-timeout.c
++++ b/block/blk-timeout.c
+@@ -135,8 +135,6 @@ void blk_timeout_work(struct work_struct
+ struct request *rq, *tmp;
+ int next_set = 0;
+
+- if (blk_queue_enter(q, true))
+- return;
+ spin_lock_irqsave(q->queue_lock, flags);
+
+ list_for_each_entry_safe(rq, tmp, &q->timeout_list, timeout_list)
+@@ -146,7 +144,6 @@ void blk_timeout_work(struct work_struct
+ mod_timer(&q->timeout, round_jiffies_up(next));
+
+ spin_unlock_irqrestore(q->queue_lock, flags);
+- blk_queue_exit(q);
+ }
+
+ /**
--- /dev/null
+From b9a41d21dceadf8104812626ef85dc56ee8a60ed Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Wed, 1 Nov 2017 15:42:36 +0800
+Subject: dm: fix race between dm_get_from_kobject() and __dm_destroy()
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit b9a41d21dceadf8104812626ef85dc56ee8a60ed upstream.
+
+The following BUG_ON was hit when testing repeat creation and removal of
+DM devices:
+
+ kernel BUG at drivers/md/dm.c:2919!
+ CPU: 7 PID: 750 Comm: systemd-udevd Not tainted 4.1.44
+ Call Trace:
+ [<ffffffff81649e8b>] dm_get_from_kobject+0x34/0x3a
+ [<ffffffff81650ef1>] dm_attr_show+0x2b/0x5e
+ [<ffffffff817b46d1>] ? mutex_lock+0x26/0x44
+ [<ffffffff811df7f5>] sysfs_kf_seq_show+0x83/0xcf
+ [<ffffffff811de257>] kernfs_seq_show+0x23/0x25
+ [<ffffffff81199118>] seq_read+0x16f/0x325
+ [<ffffffff811de994>] kernfs_fop_read+0x3a/0x13f
+ [<ffffffff8117b625>] __vfs_read+0x26/0x9d
+ [<ffffffff8130eb59>] ? security_file_permission+0x3c/0x44
+ [<ffffffff8117bdb8>] ? rw_verify_area+0x83/0xd9
+ [<ffffffff8117be9d>] vfs_read+0x8f/0xcf
+ [<ffffffff81193e34>] ? __fdget_pos+0x12/0x41
+ [<ffffffff8117c686>] SyS_read+0x4b/0x76
+ [<ffffffff817b606e>] system_call_fastpath+0x12/0x71
+
+The bug can be easily triggered, if an extra delay (e.g. 10ms) is added
+between the test of DMF_FREEING & DMF_DELETING and dm_get() in
+dm_get_from_kobject().
+
+To fix it, we need to ensure the test of DMF_FREEING & DMF_DELETING and
+dm_get() are done in an atomic way, so _minor_lock is used.
+
+The other callers of dm_get() have also been checked to be OK: some
+callers invoke dm_get() under _minor_lock, some callers invoke it under
+_hash_lock, and dm_start_request() invoke it after increasing
+md->open_count.
+
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2515,11 +2515,15 @@ struct mapped_device *dm_get_from_kobjec
+
+ md = container_of(kobj, struct mapped_device, kobj_holder.kobj);
+
+- if (test_bit(DMF_FREEING, &md->flags) ||
+- dm_deleting_md(md))
+- return NULL;
+-
++ spin_lock(&_minor_lock);
++ if (test_bit(DMF_FREEING, &md->flags) || dm_deleting_md(md)) {
++ md = NULL;
++ goto out;
++ }
+ dm_get(md);
++out:
++ spin_unlock(&_minor_lock);
++
+ return md;
+ }
+
--- /dev/null
+From db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 22 Aug 2017 23:41:28 +0300
+Subject: eCryptfs: use after free in ecryptfs_release_messaging()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 upstream.
+
+We're freeing the list iterator so we should be using the _safe()
+version of hlist_for_each_entry().
+
+Fixes: 88b4a07e6610 ("[PATCH] eCryptfs: Public key transport mechanism")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/messaging.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/ecryptfs/messaging.c
++++ b/fs/ecryptfs/messaging.c
+@@ -442,15 +442,16 @@ void ecryptfs_release_messaging(void)
+ }
+ if (ecryptfs_daemon_hash) {
+ struct ecryptfs_daemon *daemon;
++ struct hlist_node *n;
+ int i;
+
+ mutex_lock(&ecryptfs_daemon_hash_mux);
+ for (i = 0; i < (1 << ecryptfs_hash_bits); i++) {
+ int rc;
+
+- hlist_for_each_entry(daemon,
+- &ecryptfs_daemon_hash[i],
+- euid_chain) {
++ hlist_for_each_entry_safe(daemon, n,
++ &ecryptfs_daemon_hash[i],
++ euid_chain) {
+ rc = ecryptfs_exorcise_daemon(daemon);
+ if (rc)
+ printk(KERN_ERR "%s: Error whilst "
--- /dev/null
+From 51e3ae81ec58e95f10a98ef3dd6d7bce5d8e35a2 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 6 Oct 2017 23:09:55 -0400
+Subject: ext4: fix interaction between i_size, fallocate, and delalloc after a crash
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 51e3ae81ec58e95f10a98ef3dd6d7bce5d8e35a2 upstream.
+
+If there are pending writes subject to delayed allocation, then i_size
+will show size after the writes have completed, while i_disksize
+contains the value of i_size on the disk (since the writes have not
+been persisted to disk).
+
+If fallocate(2) is called with the FALLOC_FL_KEEP_SIZE flag, either
+with or without the FALLOC_FL_ZERO_RANGE flag set, and the new size
+after the fallocate(2) is between i_size and i_disksize, then after a
+crash, if a journal commit has resulted in the changes made by the
+fallocate() call to be persisted after a crash, but the delayed
+allocation write has not resolved itself, i_size would not be updated,
+and this would cause the following e2fsck complaint:
+
+Inode 12, end of extent exceeds allowed value
+ (logical block 33, physical block 33441, len 7)
+
+This can only take place on a sparse file, where the fallocate(2) call
+is allocating blocks in a range which is before a pending delayed
+allocation write which is extending i_size. Since this situation is
+quite rare, and the window in which the crash must take place is
+typically < 30 seconds, in practice this condition will rarely happen.
+
+Nevertheless, it can be triggered in testing, and in particular by
+xfstests generic/456.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reported-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/extents.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4803,7 +4803,8 @@ static long ext4_zero_range(struct file
+ }
+
+ if (!(mode & FALLOC_FL_KEEP_SIZE) &&
+- offset + len > i_size_read(inode)) {
++ (offset + len > i_size_read(inode) ||
++ offset + len > EXT4_I(inode)->i_disksize)) {
+ new_size = offset + len;
+ ret = inode_newsize_ok(inode, new_size);
+ if (ret)
+@@ -4974,7 +4975,8 @@ long ext4_fallocate(struct file *file, i
+ }
+
+ if (!(mode & FALLOC_FL_KEEP_SIZE) &&
+- offset + len > i_size_read(inode)) {
++ (offset + len > i_size_read(inode) ||
++ offset + len > EXT4_I(inode)->i_disksize)) {
+ new_size = offset + len;
+ ret = inode_newsize_ok(inode, new_size);
+ if (ret)
--- /dev/null
+From 11d49e9d089ccec81be87c2386dfdd010d7f7f6e Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 24 Sep 2017 18:36:44 -0400
+Subject: fix a page leak in vhost_scsi_iov_to_sgl() error recovery
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 11d49e9d089ccec81be87c2386dfdd010d7f7f6e upstream.
+
+we are advancing sg as we go, so the pages we need to drop in
+case of error are *before* the current sg.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vhost/scsi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/vhost/scsi.c
++++ b/drivers/vhost/scsi.c
+@@ -693,6 +693,7 @@ vhost_scsi_iov_to_sgl(struct vhost_scsi_
+ struct scatterlist *sg, int sg_count)
+ {
+ size_t off = iter->iov_offset;
++ struct scatterlist *p = sg;
+ int i, ret;
+
+ for (i = 0; i < iter->nr_segs; i++) {
+@@ -701,8 +702,8 @@ vhost_scsi_iov_to_sgl(struct vhost_scsi_
+
+ ret = vhost_scsi_map_to_sgl(cmd, base, len, sg, write);
+ if (ret < 0) {
+- for (i = 0; i < sg_count; i++) {
+- struct page *page = sg_page(&sg[i]);
++ while (p < sg) {
++ struct page *page = sg_page(p++);
+ if (page)
+ put_page(page);
+ }
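Review bot: The new unwind loop `while (p < sg)` is only correct if `sg` is advanced strictly after each successful vhost_scsi_map_to_sgl() call and if that helper releases whatever it pinned during the failing call; neither is visible in these hunks. A short comment above the loop, e.g. `/* drop refs on entries [p, sg) mapped by earlier iterations */`, would record that invariant for the next reader. The entries keep their page pointers after put_page(), so it is worth confirming that no later release path walks the same scatterlist and drops the references a second time. The function body starts and ends outside the hunk.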
--- /dev/null
+From 8ee031631546cf2f7859cc69593bd60bbdd70b46 Mon Sep 17 00:00:00 2001
+From: Tuomas Tynkkynen <tuomas@tuxera.com>
+Date: Wed, 6 Sep 2017 17:59:07 +0300
+Subject: fs/9p: Compare qid.path in v9fs_test_inode
+
+From: Tuomas Tynkkynen <tuomas@tuxera.com>
+
+commit 8ee031631546cf2f7859cc69593bd60bbdd70b46 upstream.
+
+Commit fd2421f54423 ("fs/9p: When doing inode lookup compare qid details
+and inode mode bits.") transformed v9fs_qid_iget() to use iget5_locked()
+instead of iget_locked(). However, the test() callback is not checking
+fid.path at all, which means that a lookup in the inode cache can now
+accidentally locate a completely wrong inode from the same inode hash
+bucket if the other fields (qid.type and qid.version) match.
+
+Fixes: fd2421f54423 ("fs/9p: When doing inode lookup compare qid details and inode mode bits.")
+Reviewed-by: Latchesar Ionkov <lucho@ionkov.net>
+Signed-off-by: Tuomas Tynkkynen <tuomas@tuxera.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/9p/vfs_inode.c | 3 +++
+ fs/9p/vfs_inode_dotl.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/fs/9p/vfs_inode.c
++++ b/fs/9p/vfs_inode.c
+@@ -483,6 +483,9 @@ static int v9fs_test_inode(struct inode
+
+ if (v9inode->qid.type != st->qid.type)
+ return 0;
++
++ if (v9inode->qid.path != st->qid.path)
++ return 0;
+ return 1;
+ }
+
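Review bot: The added `qid.path` comparison has no comment, and v9fs_test_inode_dotl() in the next hunk gets the same undocumented check. Since a missing comparison here makes the inode cache hand back a different file's inode, a comment such as `/* qid.path identifies the file on the server; type/version alone can match another inode in the same hash bucket */` would help keep the check from being dropped in a later refactor. Only the tail of each callback is visible, so the other qid fields mentioned in the commit message cannot be checked from here.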
+--- a/fs/9p/vfs_inode_dotl.c
++++ b/fs/9p/vfs_inode_dotl.c
+@@ -87,6 +87,9 @@ static int v9fs_test_inode_dotl(struct i
+
+ if (v9inode->qid.type != st->qid.type)
+ return 0;
++
++ if (v9inode->qid.path != st->qid.path)
++ return 0;
+ return 1;
+ }
+
--- /dev/null
+From 00ee9a1ca5080202bc37b44e998c3b2c74d45817 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Sat, 11 Nov 2017 17:51:25 +0100
+Subject: irqchip/gic-v3: Fix ppi-partitions lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 00ee9a1ca5080202bc37b44e998c3b2c74d45817 upstream.
+
+Fix child-node lookup during initialisation, which ended up searching
+the whole device tree depth-first starting at the parent rather than
+just matching on its children.
+
+To make things worse, the parent gic node was prematurely freed, while
+the ppi-partitions node was leaked.
+
+Fixes: e3825ba1af3a ("irqchip/gic-v3: Add support for partitioned PPIs")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-gic-v3.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v3.c
++++ b/drivers/irqchip/irq-gic-v3.c
+@@ -1022,18 +1022,18 @@ static void __init gic_populate_ppi_part
+ int nr_parts;
+ struct partition_affinity *parts;
+
+- parts_node = of_find_node_by_name(gic_node, "ppi-partitions");
++ parts_node = of_get_child_by_name(gic_node, "ppi-partitions");
+ if (!parts_node)
+ return;
+
+ nr_parts = of_get_child_count(parts_node);
+
+ if (!nr_parts)
+- return;
++ goto out_put_node;
+
+ parts = kzalloc(sizeof(*parts) * nr_parts, GFP_KERNEL);
+ if (WARN_ON(!parts))
+- return;
++ goto out_put_node;
+
+ for_each_child_of_node(parts_node, child_part) {
+ struct partition_affinity *part;
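Review bot: `kzalloc(sizeof(*parts) * nr_parts, GFP_KERNEL)` multiplies an `int` child count taken from the device tree with no overflow check; `parts = kcalloc(nr_parts, sizeof(*parts), GFP_KERNEL);` performs the same zeroed allocation with the check built in. The new `out_put_node` label only helps paths that reach it, so any plain `return` between this hunk and the label (not visible here) would still leak `parts_node`. The function body continues outside the hunk.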
+@@ -1100,6 +1100,9 @@ static void __init gic_populate_ppi_part
+
+ gic_data.ppi_descs[i] = desc;
+ }
++
++out_put_node:
++ of_node_put(parts_node);
+ }
+
+ static void __init gic_of_setup_kvm_info(struct device_node *node)
--- /dev/null
+From 3fc9fb13a4b2576aeab86c62fd64eb29ab68659c Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 27 Oct 2017 20:52:56 -0700
+Subject: iscsi-target: Fix non-immediate TMR reference leak
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 3fc9fb13a4b2576aeab86c62fd64eb29ab68659c upstream.
+
+This patch fixes a se_cmd->cmd_kref reference leak that can
+occur when a non immediate TMR is processed out of command
+sequence number order, and CMDSN_LOWER_THAN_EXP is returned
+by iscsit_sequence_cmd().
+
+To address this bug, call target_put_sess_cmd() during this
+special case following what iscsit_process_scsi_cmd() does
+upon CMDSN_LOWER_THAN_EXP.
+
+Cc: Mike Christie <mchristi@redhat.com>
+Cc: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -2104,12 +2104,14 @@ attach:
+
+ if (!(hdr->opcode & ISCSI_OP_IMMEDIATE)) {
+ int cmdsn_ret = iscsit_sequence_cmd(conn, cmd, buf, hdr->cmdsn);
+- if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP)
++ if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP) {
+ out_of_order_cmdsn = 1;
+- else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP)
++ } else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP) {
++ target_put_sess_cmd(&cmd->se_cmd);
+ return 0;
+- else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER)
++ } else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER) {
+ return -1;
++ }
+ }
+ iscsit_ack_from_expstatsn(conn, be32_to_cpu(hdr->exp_statsn));
+
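Review bot: Only the `CMDSN_LOWER_THAN_EXP` branch drops the command reference; the `CMDSN_ERROR_CANNOT_RECOVER` branch still returns -1 without a `target_put_sess_cmd()`. If that is deliberate because connection teardown releases the command, a one-line comment on that branch stating so would make the asymmetry explicit; if it is not, the same put is needed there. The enclosing function starts and ends outside the hunk, so the teardown path cannot be verified from here.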
--- /dev/null
+From 34be4dbf87fc3e474a842305394534216d428f5d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 19 Oct 2017 16:47:48 +0200
+Subject: isofs: fix timestamps beyond 2027
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 34be4dbf87fc3e474a842305394534216d428f5d upstream.
+
+isofs uses a 'char' variable to load the number of years since
+1900 for an inode timestamp. On architectures that use a signed
+char type by default, this results in an invalid date for
+anything beyond 2027.
+
+This changes the function argument to a 'u8' array, which
+is defined the same way on all architectures, and unambiguously
+lets us use years until 2155.
+
+This should be backported to all kernels that might still be
+in use by that date.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/isofs/isofs.h | 2 +-
+ fs/isofs/rock.h | 2 +-
+ fs/isofs/util.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/isofs/isofs.h
++++ b/fs/isofs/isofs.h
+@@ -103,7 +103,7 @@ static inline unsigned int isonum_733(ch
+ /* Ignore bigendian datum due to broken mastering programs */
+ return get_unaligned_le32(p);
+ }
+-extern int iso_date(char *, int);
++extern int iso_date(u8 *, int);
+
+ struct inode; /* To make gcc happy */
+
+--- a/fs/isofs/rock.h
++++ b/fs/isofs/rock.h
+@@ -65,7 +65,7 @@ struct RR_PL_s {
+ };
+
+ struct stamp {
+- char time[7];
++ __u8 time[7]; /* actually 6 unsigned, 1 signed */
+ } __attribute__ ((packed));
+
+ struct RR_TF_s {
+--- a/fs/isofs/util.c
++++ b/fs/isofs/util.c
+@@ -15,7 +15,7 @@
+ * to GMT. Thus we should always be correct.
+ */
+
+-int iso_date(char * p, int flag)
++int iso_date(u8 *p, int flag)
+ {
+ int year, month, day, hour, minute, second, tz;
+ int crtime;
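Review bot: With `p` now `u8 *`, the seventh byte, which the rock.h comment in this patch marks as the one signed field, is no longer sign-extended on load on any architecture, so iso_date() has to convert it explicitly, for example `tz = (s8)p[6];`. The code that reads the timezone lies outside the hunk, so confirm it already does this; otherwise negative offsets would be read as large positive ones. Callers that still pass `char *` buffers may also need a cast or a type change to avoid pointer-sign mismatches.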
--- /dev/null
+From b11270853fa3654f08d4a6a03b23ddb220512d8d Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 6 Nov 2017 21:57:26 -0800
+Subject: libceph: don't WARN() if user tries to add invalid key
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit b11270853fa3654f08d4a6a03b23ddb220512d8d upstream.
+
+The WARN_ON(!key->len) in set_secret() in net/ceph/crypto.c is hit if a
+user tries to add a key of type "ceph" with an invalid payload as
+follows (assuming CONFIG_CEPH_LIB=y):
+
+ echo -e -n '\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
+ | keyctl padd ceph desc @s
+
+This can be hit by fuzzers. As this is merely bad input and not a
+kernel bug, replace the WARN_ON() with return -EINVAL.
+
+Fixes: 7af3ea189a9a ("libceph: stop allocating a new cipher on every crypto request")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/crypto.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ceph/crypto.c
++++ b/net/ceph/crypto.c
+@@ -34,7 +34,9 @@ static int set_secret(struct ceph_crypto
+ return -ENOTSUPP;
+ }
+
+- WARN_ON(!key->len);
++ if (!key->len)
++ return -EINVAL;
++
+ key->key = kmemdup(buf, key->len, GFP_NOIO);
+ if (!key->key) {
+ ret = -ENOMEM;
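Review bot: The new guard rejects only a zero `key->len`; the following `kmemdup(buf, key->len, GFP_NOIO)` still trusts that length for a payload the commit message says userspace can supply when adding a key. Whether `key->len` is bounded against the remaining input and against what the cipher accepts is decided outside this hunk and should be confirmed in the caller. A comment on the check, e.g. `/* zero-length secret is invalid user input, not a kernel bug */`, would also record why this is an error return rather than a WARN. set_secret() continues past the hunk.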
--- /dev/null
+From dc3033e16c59a2c4e62b31341258a5786cbcee56 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Fri, 20 Oct 2017 17:33:18 +0300
+Subject: lockd: double unregister of inetaddr notifiers
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit dc3033e16c59a2c4e62b31341258a5786cbcee56 upstream.
+
+lockd_up() can call lockd_unregister_notifiers twice:
+inside lockd_start_svc() when it calls lockd_svc_exit_thread()
+and then in error path of lockd_up()
+
+Patch forces lockd_start_svc() to unregister notifiers in all error cases
+and removes extra unregister in error path of lockd_up().
+
+Fixes: cb7d224f82e4 "lockd: unregister notifier blocks if the service ..."
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/lockd/svc.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+--- a/fs/lockd/svc.c
++++ b/fs/lockd/svc.c
+@@ -365,6 +365,7 @@ static int lockd_start_svc(struct svc_se
+ printk(KERN_WARNING
+ "lockd_up: svc_rqst allocation failed, error=%d\n",
+ error);
++ lockd_unregister_notifiers();
+ goto out_rqst;
+ }
+
+@@ -455,13 +456,16 @@ int lockd_up(struct net *net)
+ }
+
+ error = lockd_up_net(serv, net);
+- if (error < 0)
+- goto err_net;
++ if (error < 0) {
++ lockd_unregister_notifiers();
++ goto err_put;
++ }
+
+ error = lockd_start_svc(serv);
+- if (error < 0)
+- goto err_start;
+-
++ if (error < 0) {
++ lockd_down_net(serv, net);
++ goto err_put;
++ }
+ nlmsvc_users++;
+ /*
+ * Note: svc_serv structures have an initial use count of 1,
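Review bot: The `lockd_start_svc()` failure branch in lockd_up() now relies on the callee having already called `lockd_unregister_notifiers()` on every one of its error paths, but nothing at the call site says so. A comment such as `/* lockd_start_svc() unregisters the notifiers itself on failure */` above `lockd_down_net(serv, net);` would stop a later change from re-adding the second unregister. Only one of lockd_start_svc()'s error paths is visible in the first hunk, so the remaining ones should be checked against that invariant.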
+@@ -472,12 +476,6 @@ err_put:
+ err_create:
+ mutex_unlock(&nlmsvc_mutex);
+ return error;
+-
+-err_start:
+- lockd_down_net(serv, net);
+-err_net:
+- lockd_unregister_notifiers();
+- goto err_put;
+ }
+ EXPORT_SYMBOL_GPL(lockd_up);
+
--- /dev/null
+From 07d70913dce59f3c8e5d0ca76250861158a9ca6c Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Date: Wed, 11 Oct 2017 12:40:55 +0200
+Subject: mfd: lpc_ich: Avoton/Rangeley uses SPI_BYT method
+
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+
+commit 07d70913dce59f3c8e5d0ca76250861158a9ca6c upstream.
+
+Avoton/Rangeley are based on Silvermont micro-architecture, like
+Bay Trail, and uses the INTEL_SPI_BYT method to drive SPI.
+
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/lpc_ich.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mfd/lpc_ich.c
++++ b/drivers/mfd/lpc_ich.c
+@@ -506,6 +506,7 @@ static struct lpc_ich_info lpc_chipset_i
+ .name = "Avoton SoC",
+ .iTCO_version = 3,
+ .gpio_version = AVOTON_GPIO,
++ .spi_type = INTEL_SPI_BYT,
+ },
+ [LPC_BAYTRAIL] = {
+ .name = "Bay Trail SoC",
--- /dev/null
+From 56a46acf62af5ba44fca2f3f1c7c25a2d5385b19 Mon Sep 17 00:00:00 2001
+From: Mirko Parthey <mirko.parthey@web.de>
+Date: Thu, 18 May 2017 21:30:03 +0200
+Subject: MIPS: BCM47XX: Fix LED inversion for WRT54GSv1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirko Parthey <mirko.parthey@web.de>
+
+commit 56a46acf62af5ba44fca2f3f1c7c25a2d5385b19 upstream.
+
+The WLAN LED on the Linksys WRT54GSv1 is active low, but the software
+treats it as active high. Fix the inverted logic.
+
+Fixes: 7bb26b169116 ("MIPS: BCM47xx: Fix LEDs on WRT54GS V1.0")
+Signed-off-by: Mirko Parthey <mirko.parthey@web.de>
+Looks-ok-by: Rafał Miłecki <zajec5@gmail.com>
+Cc: Hauke Mehrtens <hauke@hauke-m.de>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16071/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/bcm47xx/leds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/bcm47xx/leds.c
++++ b/arch/mips/bcm47xx/leds.c
+@@ -330,7 +330,7 @@ bcm47xx_leds_linksys_wrt54g3gv2[] __init
+ /* Verified on: WRT54GS V1.0 */
+ static const struct gpio_led
+ bcm47xx_leds_linksys_wrt54g_type_0101[] __initconst = {
+- BCM47XX_GPIO_LED(0, "green", "wlan", 0, LEDS_GPIO_DEFSTATE_OFF),
++ BCM47XX_GPIO_LED(0, "green", "wlan", 1, LEDS_GPIO_DEFSTATE_OFF),
+ BCM47XX_GPIO_LED(1, "green", "power", 0, LEDS_GPIO_DEFSTATE_ON),
+ BCM47XX_GPIO_LED(7, "green", "dmz", 1, LEDS_GPIO_DEFSTATE_OFF),
+ };
--- /dev/null
+From 3cad14d56adbf7d621fc5a35db42f3acc0a2d6e8 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Sun, 5 Nov 2017 14:30:52 +0900
+Subject: MIPS: dts: remove bogus bcm96358nb4ser.dtb from dtb-y entry
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+commit 3cad14d56adbf7d621fc5a35db42f3acc0a2d6e8 upstream.
+
+arch/mips/boot/dts/brcm/bcm96358nb4ser.dts does not exist, so
+we cannot build bcm96358nb4ser.dtb .
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Fixes: 695835511f96 ("MIPS: BMIPS: rename bcm96358nb4ser to bcm6358-neufbox4-sercom")
+Acked-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/boot/dts/brcm/Makefile | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/mips/boot/dts/brcm/Makefile
++++ b/arch/mips/boot/dts/brcm/Makefile
+@@ -22,7 +22,6 @@ dtb-$(CONFIG_DT_NONE) += \
+ bcm63268-comtrend-vr-3032u.dtb \
+ bcm93384wvg.dtb \
+ bcm93384wvg_viper.dtb \
+- bcm96358nb4ser.dtb \
+ bcm96368mvwg.dtb \
+ bcm9ejtagprb.dtb \
+ bcm97125cbmb.dtb \
--- /dev/null
+From 547da673173de51f73887377eb275304775064ad Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@mips.com>
+Date: Tue, 7 Nov 2017 19:09:20 +0000
+Subject: MIPS: Fix an n32 core file generation regset support regression
+
+From: Maciej W. Rozycki <macro@mips.com>
+
+commit 547da673173de51f73887377eb275304775064ad upstream.
+
+Fix a commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view.")
+regression, then activated by commit 6a9c001b7ec3 ("MIPS: Switch ELF
+core dumper to use regsets.)", that caused n32 processes to dump o32
+core files by failing to set the EF_MIPS_ABI2 flag in the ELF core file
+header's `e_flags' member:
+
+$ file tls-core
+tls-core: ELF 32-bit MSB executable, MIPS, N32 MIPS64 rel2 version 1 (SYSV), [...]
+$ ./tls-core
+Aborted (core dumped)
+$ file core
+core: ELF 32-bit MSB core file MIPS, MIPS-I version 1 (SYSV), SVR4-style
+$
+
+Previously the flag was set as the result of a:
+
+statement placed in arch/mips/kernel/binfmt_elfn32.c, however in the
+regset case, i.e. when CORE_DUMP_USE_REGSET is set, ELF_CORE_EFLAGS is
+no longer used by `fill_note_info' in fs/binfmt_elf.c, and instead the
+`->e_flags' member of the regset view chosen is. We have the views
+defined in arch/mips/kernel/ptrace.c, however only an o32 and an n64
+one, and the latter is used for n32 as well. Consequently an o32 core
+file is incorrectly dumped from n32 processes (the ELF32 vs ELF64 class
+is chosen elsewhere, and the 32-bit one is correctly selected for n32).
+
+Correct the issue then by defining an n32 regset view and using it as
+appropriate. Issue discovered in GDB testing.
+
+Fixes: 7aeb753b5353 ("MIPS: Implement task_user_regset_view.")
+Signed-off-by: Maciej W. Rozycki <macro@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Djordje Todorovic <djordje.todorovic@rt-rk.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17617/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/ptrace.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -647,6 +647,19 @@ static const struct user_regset_view use
+ .n = ARRAY_SIZE(mips64_regsets),
+ };
+
++#ifdef CONFIG_MIPS32_N32
++
++static const struct user_regset_view user_mipsn32_view = {
++ .name = "mipsn32",
++ .e_flags = EF_MIPS_ABI2,
++ .e_machine = ELF_ARCH,
++ .ei_osabi = ELF_OSABI,
++ .regsets = mips64_regsets,
++ .n = ARRAY_SIZE(mips64_regsets),
++};
++
++#endif /* CONFIG_MIPS32_N32 */
++
+ #endif /* CONFIG_64BIT */
+
+ const struct user_regset_view *task_user_regset_view(struct task_struct *task)
+@@ -658,6 +671,10 @@ const struct user_regset_view *task_user
+ if (test_tsk_thread_flag(task, TIF_32BIT_REGS))
+ return &user_mips_view;
+ #endif
++#ifdef CONFIG_MIPS32_N32
++ if (test_tsk_thread_flag(task, TIF_32BIT_ADDR))
++ return &user_mipsn32_view;
++#endif
+ return &user_mips64_view;
+ #endif
+ }
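Review bot: The new `TIF_32BIT_ADDR` test sits after the `TIF_32BIT_REGS` test, and the selected view depends on that order if o32 tasks also carry `TIF_32BIT_ADDR` (not visible here). A comment on the new branch, e.g. `/* n32: 32-bit addresses, 64-bit registers; keep after the o32 check */`, would document the dependency. `user_mipsn32_view` reuses `mips64_regsets`, so a line above its definition saying that it differs from the n64 view only in name and `e_flags` would help keep the two in step; the n64 definition is mostly outside the hunk.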
--- /dev/null
+From c7fd89a6407ea3a44a2a2fa12d290162c42499c4 Mon Sep 17 00:00:00 2001
+From: James Hogan <jhogan@kernel.org>
+Date: Fri, 10 Nov 2017 11:46:54 +0000
+Subject: MIPS: Fix odd fp register warnings with MIPS64r2
+
+From: James Hogan <jhogan@kernel.org>
+
+commit c7fd89a6407ea3a44a2a2fa12d290162c42499c4 upstream.
+
+Building 32-bit MIPS64r2 kernels produces warnings like the following
+on certain toolchains (such as GNU assembler 2.24.90, but not GNU
+assembler 2.28.51) since commit 22b8ba765a72 ("MIPS: Fix MIPS64 FP
+save/restore on 32-bit kernels"), due to the exposure of fpu_save_16odd
+from fpu_save_double and fpu_restore_16odd from fpu_restore_double:
+
+arch/mips/kernel/r4k_fpu.S:47: Warning: float register should be even, was 1
+...
+arch/mips/kernel/r4k_fpu.S:59: Warning: float register should be even, was 1
+...
+
+This appears to be because .set mips64r2 does not change the FPU ABI to
+64-bit when -march=mips64r2 (or e.g. -march=xlp) is provided on the
+command line on that toolchain, from the default FPU ABI of 32-bit due
+to the -mabi=32. This makes access to the odd FPU registers invalid.
+
+Fix by explicitly changing the FPU ABI with .set fp=64 directives in
+fpu_save_16odd and fpu_restore_16odd, and moving the undefine of fp up
+in asmmacro.h so fp doesn't turn into $30.
+
+Fixes: 22b8ba765a72 ("MIPS: Fix MIPS64 FP save/restore on 32-bit kernels")
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Paul Burton <paul.burton@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17656/
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/asmmacro.h | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/include/asm/asmmacro.h
++++ b/arch/mips/include/asm/asmmacro.h
+@@ -19,6 +19,9 @@
+ #include <asm/asmmacro-64.h>
+ #endif
+
++/* preprocessor replaces the fp in ".set fp=64" with $30 otherwise */
++#undef fp
++
+ /*
+ * Helper macros for generating raw instruction encodings.
+ */
+@@ -105,6 +108,7 @@
+ .macro fpu_save_16odd thread
+ .set push
+ .set mips64r2
++ .set fp=64
+ SET_HARDFLOAT
+ sdc1 $f1, THREAD_FPR1(\thread)
+ sdc1 $f3, THREAD_FPR3(\thread)
+@@ -163,6 +167,7 @@
+ .macro fpu_restore_16odd thread
+ .set push
+ .set mips64r2
++ .set fp=64
+ SET_HARDFLOAT
+ ldc1 $f1, THREAD_FPR1(\thread)
+ ldc1 $f3, THREAD_FPR3(\thread)
+@@ -234,9 +239,6 @@
+ .endm
+
+ #ifdef TOOLCHAIN_SUPPORTS_MSA
+-/* preprocessor replaces the fp in ".set fp=64" with $30 otherwise */
+-#undef fp
+-
+ .macro _cfcmsa rd, cs
+ .set push
+ .set mips32r2
--- /dev/null
+From 8593b18ad348733b5d5ddfa0c79dcabf51dff308 Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Mon, 20 Feb 2017 10:29:43 +0100
+Subject: MIPS: pci: Remove KERN_WARN instance inside the mt7620 driver
+
+From: John Crispin <john@phrozen.org>
+
+commit 8593b18ad348733b5d5ddfa0c79dcabf51dff308 upstream.
+
+Switch the printk() call to the preferred pr_warn() api.
+
+Fixes: 7e5873d3755c ("MIPS: pci: Add MT7620a PCIE driver")
+Signed-off-by: John Crispin <john@phrozen.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/15321/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/pci/pci-mt7620.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/pci/pci-mt7620.c
++++ b/arch/mips/pci/pci-mt7620.c
+@@ -121,7 +121,7 @@ static int wait_pciephy_busy(void)
+ else
+ break;
+ if (retry++ > WAITRETRY_MAX) {
+- printk(KERN_WARN "PCIE-PHY retry failed.\n");
++ pr_warn("PCIE-PHY retry failed.\n");
+ return -1;
+ }
+ }
--- /dev/null
+From 30863e38ebeb500a31cecee8096fb5002677dd9b Mon Sep 17 00:00:00 2001
+From: Brent Taylor <motobud@gmail.com>
+Date: Mon, 30 Oct 2017 22:32:45 -0500
+Subject: mtd: nand: Fix writing mtdoops to nand flash.
+
+From: Brent Taylor <motobud@gmail.com>
+
+commit 30863e38ebeb500a31cecee8096fb5002677dd9b upstream.
+
+When mtdoops calls mtd_panic_write(), it eventually calls
+panic_nand_write() in nand_base.c. In order to properly wait for the
+nand chip to be ready in panic_nand_wait(), the chip must first be
+selected.
+
+When using the atmel nand flash controller, a panic would occur due to
+a NULL pointer exception.
+
+Fixes: 2af7c6539931 ("mtd: Add panic_write for NAND flashes")
+Signed-off-by: Brent Taylor <motobud@gmail.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/nand_base.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -2935,15 +2935,18 @@ static int panic_nand_write(struct mtd_i
+ size_t *retlen, const uint8_t *buf)
+ {
+ struct nand_chip *chip = mtd_to_nand(mtd);
++ int chipnr = (int)(to >> chip->chip_shift);
+ struct mtd_oob_ops ops;
+ int ret;
+
+- /* Wait for the device to get ready */
+- panic_nand_wait(mtd, chip, 400);
+-
+ /* Grab the device */
+ panic_nand_get_device(chip, mtd, FL_WRITING);
+
++ chip->select_chip(mtd, chipnr);
++
++ /* Wait for the device to get ready */
++ panic_nand_wait(mtd, chip, 400);
++
+ memset(&ops, 0, sizeof(ops));
+ ops.len = len;
+ ops.datbuf = (uint8_t *)buf;
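Review bot: `chip->select_chip(mtd, chipnr)` uses a `chipnr` derived from `to` before any range check on `to` is visible, and the hunk shows no matching deselect. Confirm that the write path that follows validates the offset and leaves the chip in the expected selection state; the rest of panic_nand_write() is outside the hunk. A comment on the new call, e.g. `/* select the target chip first: panic_nand_wait() polls the selected chip */`, would explain why the wait was moved below it.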
--- /dev/null
+From 1d2fcdcf33339c7c8016243de0f7f31cf6845e8d Mon Sep 17 00:00:00 2001
+From: Xiaolei Li <xiaolei.li@mediatek.com>
+Date: Mon, 30 Oct 2017 10:39:56 +0800
+Subject: mtd: nand: mtk: fix infinite ECC decode IRQ issue
+
+From: Xiaolei Li <xiaolei.li@mediatek.com>
+
+commit 1d2fcdcf33339c7c8016243de0f7f31cf6845e8d upstream.
+
+For MT2701 NAND Controller, there may generate infinite ECC decode IRQ
+during long time burn test on some platforms. Once this issue occurred,
+the ECC decode IRQ status cannot be cleared in the IRQ handler function,
+and threads cannot be scheduled.
+
+ECC HW generates decode IRQ each sector, so there will have more than one
+decode IRQ if read one page of large page NAND.
+
+Currently, ECC IRQ handle flow is that we will check whether it is decode
+IRQ at first by reading the register ECC_DECIRQ_STA. This is a read-clear
+type register. If this IRQ is decode IRQ, then the ECC IRQ signal will be
+cleared at the same time.
+Secondly, we will check whether all sectors are decoded by reading the
+register ECC_DECDONE. This is because the current IRQ may be not dealed
+in time, and the next sectors have been decoded before reading the
+register ECC_DECIRQ_STA. Then, the next sectors's decode IRQs will not
+be generated.
+Thirdly, if all sectors are decoded by comparing with ecc->sectors, then we
+will complete ecc->done, set ecc->sectors as 0, and disable ECC IRQ by
+programming the register ECC_IRQ_REG(op) as 0. Otherwise, wait for the
+next ECC IRQ.
+
+But, there is a timing issue between step one and two. When we read the
+register ECC_DECIRQ_STA, all sectors are decoded except the last sector,
+and the ECC IRQ signal is cleared. But the last sector is decoded before
+reading ECC_DECDONE, so the ECC IRQ signal is enabled again by ECC HW, and
+it means we will receive one extra ECC IRQ later. In step three, we will
+find that all sectors were decoded, then disable ECC IRQ and return.
+When deal with the extra ECC IRQ, the ECC IRQ status cannot be cleared
+anymore. That is because the register ECC_DECIRQ_STA can only be cleared
+when the register ECC_IRQ_REG(op) is enabled. But actually we have
+disabled ECC IRQ in the previous ECC IRQ handle. So, there will
+keep receiving ECC decode IRQ.
+
+Now, we read the register ECC_DECIRQ_STA once again before completing the
+ecc done event. This ensures that there will be no extra ECC decode IRQ.
+
+Also, remove writel(0, ecc->regs + ECC_IRQ_REG(op)) from irq handler,
+because ECC IRQ is disabled in mtk_ecc_disable(). And clear ECC_DECIRQ_STA
+in mtk_ecc_disable() in case there is a timeout to wait decode IRQ.
+
+Fixes: 1d6b1e464950 ("mtd: mediatek: driver for MTK Smart Device")
+Signed-off-by: Xiaolei Li <xiaolei.li@mediatek.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/mtk_ecc.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/mtk_ecc.c
++++ b/drivers/mtd/nand/mtk_ecc.c
+@@ -116,6 +116,11 @@ static irqreturn_t mtk_ecc_irq(int irq,
+ op = ECC_DECODE;
+ dec = readw(ecc->regs + ECC_DECDONE);
+ if (dec & ecc->sectors) {
++ /*
++ * Clear decode IRQ status once again to ensure that
++ * there will be no extra IRQ.
++ */
++ readw(ecc->regs + ECC_DECIRQ_STA);
+ ecc->sectors = 0;
+ complete(&ecc->done);
+ } else {
+@@ -131,8 +136,6 @@ static irqreturn_t mtk_ecc_irq(int irq,
+ }
+ }
+
+- writel(0, ecc->regs + ECC_IRQ_REG(op));
+-
+ return IRQ_HANDLED;
+ }
+
+@@ -342,6 +345,12 @@ void mtk_ecc_disable(struct mtk_ecc *ecc
+
+ /* disable it */
+ mtk_ecc_wait_idle(ecc, op);
++ if (op == ECC_DECODE)
++ /*
++ * Clear decode IRQ status in case there is a timeout to wait
++ * decode IRQ.
++ */
++ readw(ecc->regs + ECC_DECIRQ_STA);
+ writew(0, ecc->regs + ECC_IRQ_REG(op));
+ writew(ECC_OP_DISABLE, ecc->regs + ECC_CTL_REG(op));
+
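Review bot: In mtk_ecc_disable() the new `if (op == ECC_DECODE)` has a body made of a four-line comment plus one statement and no braces, which is easy to misread and easy to break when a second statement is added. Bracing it, `if (op == ECC_DECODE) {` … `readw(ecc->regs + ECC_DECIRQ_STA);` `}`, matches the usual kernel style for multi-line bodies. The discarded `readw()` result here and in the mtk_ecc_irq() hunk is a read-to-clear according to the commit message, and the added comments already say so.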
--- /dev/null
+From 739c64414f01748a36e7d82c8e0611dea94412bd Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Fri, 20 Oct 2017 15:16:21 +0300
+Subject: mtd: nand: omap2: Fix subpage write
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit 739c64414f01748a36e7d82c8e0611dea94412bd upstream.
+
+Since v4.12, NAND subpage writes were causing a NULL pointer
+dereference on OMAP platforms (omap2-nand) using OMAP_ECC_BCH4_CODE_HW,
+OMAP_ECC_BCH8_CODE_HW and OMAP_ECC_BCH16_CODE_HW.
+
+This is because for those ECC modes, omap_calculate_ecc_bch()
+generates ECC bytes for the entire (multi-sector) page and this can
+overflow the ECC buffer provided by nand_write_subpage_hwecc()
+as it expects ecc.calculate() to return ECC bytes for just one sector.
+
+However, the root cause of the problem is present since v3.9
+but was not seen then as NAND buffers were being allocated
+as one big chunk prior to commit 3deb9979c731 ("mtd: nand: allocate
+aligned buffers if NAND_OWN_BUFFERS is unset").
+
+Fix the issue by providing a OMAP optimized write_subpage()
+implementation.
+
+Fixes: 62116e5171e0 ("mtd: nand: omap2: Support for hardware BCH error correction.")
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/omap2.c | 339 +++++++++++++++++++++++++++++++----------------
+ 1 file changed, 224 insertions(+), 115 deletions(-)
+
+--- a/drivers/mtd/nand/omap2.c
++++ b/drivers/mtd/nand/omap2.c
+@@ -1133,129 +1133,172 @@ static u8 bch8_polynomial[] = {0xef, 0x
+ 0x97, 0x79, 0xe5, 0x24, 0xb5};
+
+ /**
+- * omap_calculate_ecc_bch - Generate bytes of ECC bytes
++ * _omap_calculate_ecc_bch - Generate ECC bytes for one sector
+ * @mtd: MTD device structure
+ * @dat: The pointer to data on which ecc is computed
+ * @ecc_code: The ecc_code buffer
++ * @i: The sector number (for a multi sector page)
+ *
+- * Support calculating of BCH4/8 ecc vectors for the page
++ * Support calculating of BCH4/8/16 ECC vectors for one sector
++ * within a page. Sector number is in @i.
+ */
+-static int __maybe_unused omap_calculate_ecc_bch(struct mtd_info *mtd,
+- const u_char *dat, u_char *ecc_calc)
++static int _omap_calculate_ecc_bch(struct mtd_info *mtd,
++ const u_char *dat, u_char *ecc_calc, int i)
+ {
+ struct omap_nand_info *info = mtd_to_omap(mtd);
+ int eccbytes = info->nand.ecc.bytes;
+ struct gpmc_nand_regs *gpmc_regs = &info->reg;
+ u8 *ecc_code;
+- unsigned long nsectors, bch_val1, bch_val2, bch_val3, bch_val4;
++ unsigned long bch_val1, bch_val2, bch_val3, bch_val4;
+ u32 val;
+- int i, j;
++ int j;
++
++ ecc_code = ecc_calc;
++ switch (info->ecc_opt) {
++ case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
++ case OMAP_ECC_BCH8_CODE_HW:
++ bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
++ bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
++ bch_val3 = readl(gpmc_regs->gpmc_bch_result2[i]);
++ bch_val4 = readl(gpmc_regs->gpmc_bch_result3[i]);
++ *ecc_code++ = (bch_val4 & 0xFF);
++ *ecc_code++ = ((bch_val3 >> 24) & 0xFF);
++ *ecc_code++ = ((bch_val3 >> 16) & 0xFF);
++ *ecc_code++ = ((bch_val3 >> 8) & 0xFF);
++ *ecc_code++ = (bch_val3 & 0xFF);
++ *ecc_code++ = ((bch_val2 >> 24) & 0xFF);
++ *ecc_code++ = ((bch_val2 >> 16) & 0xFF);
++ *ecc_code++ = ((bch_val2 >> 8) & 0xFF);
++ *ecc_code++ = (bch_val2 & 0xFF);
++ *ecc_code++ = ((bch_val1 >> 24) & 0xFF);
++ *ecc_code++ = ((bch_val1 >> 16) & 0xFF);
++ *ecc_code++ = ((bch_val1 >> 8) & 0xFF);
++ *ecc_code++ = (bch_val1 & 0xFF);
++ break;
++ case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
++ case OMAP_ECC_BCH4_CODE_HW:
++ bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
++ bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
++ *ecc_code++ = ((bch_val2 >> 12) & 0xFF);
++ *ecc_code++ = ((bch_val2 >> 4) & 0xFF);
++ *ecc_code++ = ((bch_val2 & 0xF) << 4) |
++ ((bch_val1 >> 28) & 0xF);
++ *ecc_code++ = ((bch_val1 >> 20) & 0xFF);
++ *ecc_code++ = ((bch_val1 >> 12) & 0xFF);
++ *ecc_code++ = ((bch_val1 >> 4) & 0xFF);
++ *ecc_code++ = ((bch_val1 & 0xF) << 4);
++ break;
++ case OMAP_ECC_BCH16_CODE_HW:
++ val = readl(gpmc_regs->gpmc_bch_result6[i]);
++ ecc_code[0] = ((val >> 8) & 0xFF);
++ ecc_code[1] = ((val >> 0) & 0xFF);
++ val = readl(gpmc_regs->gpmc_bch_result5[i]);
++ ecc_code[2] = ((val >> 24) & 0xFF);
++ ecc_code[3] = ((val >> 16) & 0xFF);
++ ecc_code[4] = ((val >> 8) & 0xFF);
++ ecc_code[5] = ((val >> 0) & 0xFF);
++ val = readl(gpmc_regs->gpmc_bch_result4[i]);
++ ecc_code[6] = ((val >> 24) & 0xFF);
++ ecc_code[7] = ((val >> 16) & 0xFF);
++ ecc_code[8] = ((val >> 8) & 0xFF);
++ ecc_code[9] = ((val >> 0) & 0xFF);
++ val = readl(gpmc_regs->gpmc_bch_result3[i]);
++ ecc_code[10] = ((val >> 24) & 0xFF);
++ ecc_code[11] = ((val >> 16) & 0xFF);
++ ecc_code[12] = ((val >> 8) & 0xFF);
++ ecc_code[13] = ((val >> 0) & 0xFF);
++ val = readl(gpmc_regs->gpmc_bch_result2[i]);
++ ecc_code[14] = ((val >> 24) & 0xFF);
++ ecc_code[15] = ((val >> 16) & 0xFF);
++ ecc_code[16] = ((val >> 8) & 0xFF);
++ ecc_code[17] = ((val >> 0) & 0xFF);
++ val = readl(gpmc_regs->gpmc_bch_result1[i]);
++ ecc_code[18] = ((val >> 24) & 0xFF);
++ ecc_code[19] = ((val >> 16) & 0xFF);
++ ecc_code[20] = ((val >> 8) & 0xFF);
++ ecc_code[21] = ((val >> 0) & 0xFF);
++ val = readl(gpmc_regs->gpmc_bch_result0[i]);
++ ecc_code[22] = ((val >> 24) & 0xFF);
++ ecc_code[23] = ((val >> 16) & 0xFF);
++ ecc_code[24] = ((val >> 8) & 0xFF);
++ ecc_code[25] = ((val >> 0) & 0xFF);
++ break;
++ default:
++ return -EINVAL;
++ }
++
++ /* ECC scheme specific syndrome customizations */
++ switch (info->ecc_opt) {
++ case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
++ /* Add constant polynomial to remainder, so that
++ * ECC of blank pages results in 0x0 on reading back
++ */
++ for (j = 0; j < eccbytes; j++)
++ ecc_calc[j] ^= bch4_polynomial[j];
++ break;
++ case OMAP_ECC_BCH4_CODE_HW:
++ /* Set 8th ECC byte as 0x0 for ROM compatibility */
++ ecc_calc[eccbytes - 1] = 0x0;
++ break;
++ case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
++ /* Add constant polynomial to remainder, so that
++ * ECC of blank pages results in 0x0 on reading back
++ */
++ for (j = 0; j < eccbytes; j++)
++ ecc_calc[j] ^= bch8_polynomial[j];
++ break;
++ case OMAP_ECC_BCH8_CODE_HW:
++ /* Set 14th ECC byte as 0x0 for ROM compatibility */
++ ecc_calc[eccbytes - 1] = 0x0;
++ break;
++ case OMAP_ECC_BCH16_CODE_HW:
++ break;
++ default:
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
++/**
++ * omap_calculate_ecc_bch_sw - ECC generator for sector for SW based correction
++ * @mtd: MTD device structure
++ * @dat: The pointer to data on which ecc is computed
++ * @ecc_code: The ecc_code buffer
++ *
++ * Support calculating of BCH4/8/16 ECC vectors for one sector. This is used
++ * when SW based correction is required as ECC is required for one sector
++ * at a time.
++ */
++static int omap_calculate_ecc_bch_sw(struct mtd_info *mtd,
++ const u_char *dat, u_char *ecc_calc)
++{
++ return _omap_calculate_ecc_bch(mtd, dat, ecc_calc, 0);
++}
++
++/**
++ * omap_calculate_ecc_bch_multi - Generate ECC for multiple sectors
++ * @mtd: MTD device structure
++ * @dat: The pointer to data on which ecc is computed
++ * @ecc_code: The ecc_code buffer
++ *
++ * Support calculating of BCH4/8/16 ecc vectors for the entire page in one go.
++ */
++static int omap_calculate_ecc_bch_multi(struct mtd_info *mtd,
++ const u_char *dat, u_char *ecc_calc)
++{
++ struct omap_nand_info *info = mtd_to_omap(mtd);
++ int eccbytes = info->nand.ecc.bytes;
++ unsigned long nsectors;
++ int i, ret;
+
+ nsectors = ((readl(info->reg.gpmc_ecc_config) >> 4) & 0x7) + 1;
+ for (i = 0; i < nsectors; i++) {
+- ecc_code = ecc_calc;
+- switch (info->ecc_opt) {
+- case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
+- case OMAP_ECC_BCH8_CODE_HW:
+- bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
+- bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
+- bch_val3 = readl(gpmc_regs->gpmc_bch_result2[i]);
+- bch_val4 = readl(gpmc_regs->gpmc_bch_result3[i]);
+- *ecc_code++ = (bch_val4 & 0xFF);
+- *ecc_code++ = ((bch_val3 >> 24) & 0xFF);
+- *ecc_code++ = ((bch_val3 >> 16) & 0xFF);
+- *ecc_code++ = ((bch_val3 >> 8) & 0xFF);
+- *ecc_code++ = (bch_val3 & 0xFF);
+- *ecc_code++ = ((bch_val2 >> 24) & 0xFF);
+- *ecc_code++ = ((bch_val2 >> 16) & 0xFF);
+- *ecc_code++ = ((bch_val2 >> 8) & 0xFF);
+- *ecc_code++ = (bch_val2 & 0xFF);
+- *ecc_code++ = ((bch_val1 >> 24) & 0xFF);
+- *ecc_code++ = ((bch_val1 >> 16) & 0xFF);
+- *ecc_code++ = ((bch_val1 >> 8) & 0xFF);
+- *ecc_code++ = (bch_val1 & 0xFF);
+- break;
+- case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
+- case OMAP_ECC_BCH4_CODE_HW:
+- bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
+- bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
+- *ecc_code++ = ((bch_val2 >> 12) & 0xFF);
+- *ecc_code++ = ((bch_val2 >> 4) & 0xFF);
+- *ecc_code++ = ((bch_val2 & 0xF) << 4) |
+- ((bch_val1 >> 28) & 0xF);
+- *ecc_code++ = ((bch_val1 >> 20) & 0xFF);
+- *ecc_code++ = ((bch_val1 >> 12) & 0xFF);
+- *ecc_code++ = ((bch_val1 >> 4) & 0xFF);
+- *ecc_code++ = ((bch_val1 & 0xF) << 4);
+- break;
+- case OMAP_ECC_BCH16_CODE_HW:
+- val = readl(gpmc_regs->gpmc_bch_result6[i]);
+- ecc_code[0] = ((val >> 8) & 0xFF);
+- ecc_code[1] = ((val >> 0) & 0xFF);
+- val = readl(gpmc_regs->gpmc_bch_result5[i]);
+- ecc_code[2] = ((val >> 24) & 0xFF);
+- ecc_code[3] = ((val >> 16) & 0xFF);
+- ecc_code[4] = ((val >> 8) & 0xFF);
+- ecc_code[5] = ((val >> 0) & 0xFF);
+- val = readl(gpmc_regs->gpmc_bch_result4[i]);
+- ecc_code[6] = ((val >> 24) & 0xFF);
+- ecc_code[7] = ((val >> 16) & 0xFF);
+- ecc_code[8] = ((val >> 8) & 0xFF);
+- ecc_code[9] = ((val >> 0) & 0xFF);
+- val = readl(gpmc_regs->gpmc_bch_result3[i]);
+- ecc_code[10] = ((val >> 24) & 0xFF);
+- ecc_code[11] = ((val >> 16) & 0xFF);
+- ecc_code[12] = ((val >> 8) & 0xFF);
+- ecc_code[13] = ((val >> 0) & 0xFF);
+- val = readl(gpmc_regs->gpmc_bch_result2[i]);
+- ecc_code[14] = ((val >> 24) & 0xFF);
+- ecc_code[15] = ((val >> 16) & 0xFF);
+- ecc_code[16] = ((val >> 8) & 0xFF);
+- ecc_code[17] = ((val >> 0) & 0xFF);
+- val = readl(gpmc_regs->gpmc_bch_result1[i]);
+- ecc_code[18] = ((val >> 24) & 0xFF);
+- ecc_code[19] = ((val >> 16) & 0xFF);
+- ecc_code[20] = ((val >> 8) & 0xFF);
+- ecc_code[21] = ((val >> 0) & 0xFF);
+- val = readl(gpmc_regs->gpmc_bch_result0[i]);
+- ecc_code[22] = ((val >> 24) & 0xFF);
+- ecc_code[23] = ((val >> 16) & 0xFF);
+- ecc_code[24] = ((val >> 8) & 0xFF);
+- ecc_code[25] = ((val >> 0) & 0xFF);
+- break;
+- default:
+- return -EINVAL;
+- }
+-
+- /* ECC scheme specific syndrome customizations */
+- switch (info->ecc_opt) {
+- case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
+- /* Add constant polynomial to remainder, so that
+- * ECC of blank pages results in 0x0 on reading back */
+- for (j = 0; j < eccbytes; j++)
+- ecc_calc[j] ^= bch4_polynomial[j];
+- break;
+- case OMAP_ECC_BCH4_CODE_HW:
+- /* Set 8th ECC byte as 0x0 for ROM compatibility */
+- ecc_calc[eccbytes - 1] = 0x0;
+- break;
+- case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
+- /* Add constant polynomial to remainder, so that
+- * ECC of blank pages results in 0x0 on reading back */
+- for (j = 0; j < eccbytes; j++)
+- ecc_calc[j] ^= bch8_polynomial[j];
+- break;
+- case OMAP_ECC_BCH8_CODE_HW:
+- /* Set 14th ECC byte as 0x0 for ROM compatibility */
+- ecc_calc[eccbytes - 1] = 0x0;
+- break;
+- case OMAP_ECC_BCH16_CODE_HW:
+- break;
+- default:
+- return -EINVAL;
+- }
++ ret = _omap_calculate_ecc_bch(mtd, dat, ecc_calc, i);
++ if (ret)
++ return ret;
+
+- ecc_calc += eccbytes;
++ ecc_calc += eccbytes;
+ }
+
+ return 0;
+@@ -1496,7 +1539,7 @@ static int omap_write_page_bch(struct mt
+ chip->write_buf(mtd, buf, mtd->writesize);
+
+ /* Update ecc vector from GPMC result registers */
+- chip->ecc.calculate(mtd, buf, &ecc_calc[0]);
++ omap_calculate_ecc_bch_multi(mtd, buf, &ecc_calc[0]);
+
+ ret = mtd_ooblayout_set_eccbytes(mtd, ecc_calc, chip->oob_poi, 0,
+ chip->ecc.total);
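Review bot: The return value of `omap_calculate_ecc_bch_multi()` is discarded at this call in omap_write_page_bch, although the helper passes back `-EINVAL` from `_omap_calculate_ecc_bch()` for an unhandled `info->ecc_opt`. Execution would then continue to `mtd_ooblayout_set_eccbytes()` with whatever is left in `ecc_calc`. Since `ret` is already used two lines below, the call can become `ret = omap_calculate_ecc_bch_multi(mtd, buf, &ecc_calc[0]);` followed by `if (ret) return ret;`. The same applies to the call added in the omap_read_page_bch hunk. Both functions start and end outside their hunks, so any cleanup needed before an early return cannot be confirmed from here.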
+@@ -1509,6 +1552,72 @@ static int omap_write_page_bch(struct mt
+ }
+
+ /**
++ * omap_write_subpage_bch - BCH hardware ECC based subpage write
++ * @mtd: mtd info structure
++ * @chip: nand chip info structure
++ * @offset: column address of subpage within the page
++ * @data_len: data length
++ * @buf: data buffer
++ * @oob_required: must write chip->oob_poi to OOB
++ * @page: page number to write
++ *
++ * OMAP optimized subpage write method.
++ */
++static int omap_write_subpage_bch(struct mtd_info *mtd,
++ struct nand_chip *chip, u32 offset,
++ u32 data_len, const u8 *buf,
++ int oob_required, int page)
++{
++ u8 *ecc_calc = chip->buffers->ecccalc;
++ int ecc_size = chip->ecc.size;
++ int ecc_bytes = chip->ecc.bytes;
++ int ecc_steps = chip->ecc.steps;
++ u32 start_step = offset / ecc_size;
++ u32 end_step = (offset + data_len - 1) / ecc_size;
++ int step, ret = 0;
++
++ /*
++ * Write entire page at one go as it would be optimal
++ * as ECC is calculated by hardware.
++ * ECC is calculated for all subpages but we choose
++ * only what we want.
++ */
++
++ /* Enable GPMC ECC engine */
++ chip->ecc.hwctl(mtd, NAND_ECC_WRITE);
++
++ /* Write data */
++ chip->write_buf(mtd, buf, mtd->writesize);
++
++ for (step = 0; step < ecc_steps; step++) {
++ /* mask ECC of un-touched subpages by padding 0xFF */
++ if (step < start_step || step > end_step)
++ memset(ecc_calc, 0xff, ecc_bytes);
++ else
++ ret = _omap_calculate_ecc_bch(mtd, buf, ecc_calc, step);
++
++ if (ret)
++ return ret;
++
++ buf += ecc_size;
++ ecc_calc += ecc_bytes;
++ }
++
++ /* copy calculated ECC for whole page to chip->buffer->oob */
++ /* this include masked-value(0xFF) for unwritten subpages */
++ ecc_calc = chip->buffers->ecccalc;
++ ret = mtd_ooblayout_set_eccbytes(mtd, ecc_calc, chip->oob_poi, 0,
++ chip->ecc.total);
++ if (ret)
++ return ret;
++
++ /* write OOB buffer to NAND device */
++ chip->write_buf(mtd, chip->oob_poi, mtd->oobsize);
++
++ return 0;
++}
++
++/**
+ * omap_read_page_bch - BCH ecc based page read function for entire page
+ * @mtd: mtd info structure
+ * @chip: nand chip info structure
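Review bot: In the per-step loop of omap_write_subpage_bch, `if (ret) return ret;` runs after both branches although only the `else` branch assigns `ret`; the masked branch relies on the initial `ret = 0`. Bracing the `else` and moving the check into it, `else { ret = _omap_calculate_ecc_bch(mtd, buf, ecc_calc, step); if (ret) return ret; }`, makes the error path explicit. The kernel-doc block also omits the return value; a line such as ` * Return: 0 on success, a negative error code from the ECC calculation or OOB layout helper otherwise.` would complete it.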
+@@ -1544,7 +1653,7 @@ static int omap_read_page_bch(struct mtd
+ chip->ecc.total);
+
+ /* Calculate ecc bytes */
+- chip->ecc.calculate(mtd, buf, ecc_calc);
++ omap_calculate_ecc_bch_multi(mtd, buf, ecc_calc);
+
+ ret = mtd_ooblayout_get_eccbytes(mtd, ecc_code, chip->oob_poi, 0,
+ chip->ecc.total);
+@@ -2044,7 +2153,7 @@ static int omap_nand_probe(struct platfo
+ nand_chip->ecc.strength = 4;
+ nand_chip->ecc.hwctl = omap_enable_hwecc_bch;
+ nand_chip->ecc.correct = nand_bch_correct_data;
+- nand_chip->ecc.calculate = omap_calculate_ecc_bch;
++ nand_chip->ecc.calculate = omap_calculate_ecc_bch_sw;
+ mtd_set_ooblayout(mtd, &omap_sw_ooblayout_ops);
+ /* Reserve one byte for the OMAP marker */
+ oobbytes_per_step = nand_chip->ecc.bytes + 1;
+@@ -2066,9 +2175,9 @@ static int omap_nand_probe(struct platfo
+ nand_chip->ecc.strength = 4;
+ nand_chip->ecc.hwctl = omap_enable_hwecc_bch;
+ nand_chip->ecc.correct = omap_elm_correct_data;
+- nand_chip->ecc.calculate = omap_calculate_ecc_bch;
+ nand_chip->ecc.read_page = omap_read_page_bch;
+ nand_chip->ecc.write_page = omap_write_page_bch;
++ nand_chip->ecc.write_subpage = omap_write_subpage_bch;
+ mtd_set_ooblayout(mtd, &omap_ooblayout_ops);
+ oobbytes_per_step = nand_chip->ecc.bytes;
+
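Review bot: This branch now leaves `nand_chip->ecc.calculate` unset while still installing `hwctl` and `correct`, and the same happens in the two later ELM branches (strength 8 and strength 16). The page read and write paths touched by this patch call `omap_calculate_ecc_bch_multi()` directly, but whether any other path can still reach `chip->ecc.calculate` in these modes cannot be confirmed from the hunk; if one can, it would call through a NULL pointer. A short comment such as `/* ecc.calculate intentionally unset: page and subpage paths call the BCH helpers directly */` would record the intent. omap_nand_probe starts and ends outside the hunk.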
+@@ -2087,7 +2196,7 @@ static int omap_nand_probe(struct platfo
+ nand_chip->ecc.strength = 8;
+ nand_chip->ecc.hwctl = omap_enable_hwecc_bch;
+ nand_chip->ecc.correct = nand_bch_correct_data;
+- nand_chip->ecc.calculate = omap_calculate_ecc_bch;
++ nand_chip->ecc.calculate = omap_calculate_ecc_bch_sw;
+ mtd_set_ooblayout(mtd, &omap_sw_ooblayout_ops);
+ /* Reserve one byte for the OMAP marker */
+ oobbytes_per_step = nand_chip->ecc.bytes + 1;
+@@ -2109,9 +2218,9 @@ static int omap_nand_probe(struct platfo
+ nand_chip->ecc.strength = 8;
+ nand_chip->ecc.hwctl = omap_enable_hwecc_bch;
+ nand_chip->ecc.correct = omap_elm_correct_data;
+- nand_chip->ecc.calculate = omap_calculate_ecc_bch;
+ nand_chip->ecc.read_page = omap_read_page_bch;
+ nand_chip->ecc.write_page = omap_write_page_bch;
++ nand_chip->ecc.write_subpage = omap_write_subpage_bch;
+ mtd_set_ooblayout(mtd, &omap_ooblayout_ops);
+ oobbytes_per_step = nand_chip->ecc.bytes;
+
+@@ -2131,9 +2240,9 @@ static int omap_nand_probe(struct platfo
+ nand_chip->ecc.strength = 16;
+ nand_chip->ecc.hwctl = omap_enable_hwecc_bch;
+ nand_chip->ecc.correct = omap_elm_correct_data;
+- nand_chip->ecc.calculate = omap_calculate_ecc_bch;
+ nand_chip->ecc.read_page = omap_read_page_bch;
+ nand_chip->ecc.write_page = omap_write_page_bch;
++ nand_chip->ecc.write_subpage = omap_write_subpage_bch;
+ mtd_set_ooblayout(mtd, &omap_ooblayout_ops);
+ oobbytes_per_step = nand_chip->ecc.bytes;
+
--- /dev/null
+From 3944369db701f075092357b511fd9f5755771585 Mon Sep 17 00:00:00 2001
+From: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Date: Wed, 1 Nov 2017 15:48:43 -0400
+Subject: NFS: Avoid RCU usage in tracepoints
+
+From: Anna Schumaker <Anna.Schumaker@Netapp.com>
+
+commit 3944369db701f075092357b511fd9f5755771585 upstream.
+
+There isn't an obvious way to acquire and release the RCU lock during a
+tracepoint, so we can't use the rpc_peeraddr2str() function here.
+Instead, rely on the client's cl_hostname, which should have similar
+enough information without needing an rcu_dereference().
+
+Reported-by: Dave Jones <davej@codemonkey.org.uk>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4trace.h | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+--- a/fs/nfs/nfs4trace.h
++++ b/fs/nfs/nfs4trace.h
+@@ -201,17 +201,13 @@ DECLARE_EVENT_CLASS(nfs4_clientid_event,
+ TP_ARGS(clp, error),
+
+ TP_STRUCT__entry(
+- __string(dstaddr,
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR))
++ __string(dstaddr, clp->cl_hostname)
+ __field(int, error)
+ ),
+
+ TP_fast_assign(
+ __entry->error = error;
+- __assign_str(dstaddr,
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR));
++ __assign_str(dstaddr, clp->cl_hostname);
+ ),
+
+ TP_printk(
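Review bot: The `dstaddr` field now records `clp->cl_hostname` instead of the peer address, so the field name no longer matches its content. Anything that parses these trace events expecting an address will receive a hostname string instead. A comment next to `__string(dstaddr, clp->cl_hostname)`, for example `/* dstaddr holds cl_hostname, not a network address */`, would make that explicit; the same applies to the two event classes changed in the later hunks. The TP_printk format is cut off by the hunk, so how the field is labelled on output is not visible here.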
+@@ -1103,9 +1099,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_callback_
+ __field(dev_t, dev)
+ __field(u32, fhandle)
+ __field(u64, fileid)
+- __string(dstaddr, clp ?
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR) : "unknown")
++ __string(dstaddr, clp ? clp->cl_hostname : "unknown")
+ ),
+
+ TP_fast_assign(
+@@ -1118,9 +1112,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_callback_
+ __entry->fileid = 0;
+ __entry->dev = 0;
+ }
+- __assign_str(dstaddr, clp ?
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR) : "unknown")
++ __assign_str(dstaddr, clp ? clp->cl_hostname : "unknown")
+ ),
+
+ TP_printk(
+@@ -1162,9 +1154,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_stateid_c
+ __field(dev_t, dev)
+ __field(u32, fhandle)
+ __field(u64, fileid)
+- __string(dstaddr, clp ?
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR) : "unknown")
++ __string(dstaddr, clp ? clp->cl_hostname : "unknown")
+ __field(int, stateid_seq)
+ __field(u32, stateid_hash)
+ ),
+@@ -1179,9 +1169,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_stateid_c
+ __entry->fileid = 0;
+ __entry->dev = 0;
+ }
+- __assign_str(dstaddr, clp ?
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR) : "unknown")
++ __assign_str(dstaddr, clp ? clp->cl_hostname : "unknown")
+ __entry->stateid_seq =
+ be32_to_cpu(stateid->seqid);
+ __entry->stateid_hash =
--- /dev/null
+From f02fee227e5f21981152850744a6084ff3fa94ee Mon Sep 17 00:00:00 2001
+From: Joshua Watt <jpewhacker@gmail.com>
+Date: Tue, 7 Nov 2017 16:25:47 -0600
+Subject: NFS: Fix typo in nomigration mount option
+
+From: Joshua Watt <jpewhacker@gmail.com>
+
+commit f02fee227e5f21981152850744a6084ff3fa94ee upstream.
+
+The option was incorrectly masking off all other options.
+
+Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1339,7 +1339,7 @@ static int nfs_parse_mount_options(char
+ mnt->options |= NFS_OPTION_MIGRATION;
+ break;
+ case Opt_nomigration:
+- mnt->options &= NFS_OPTION_MIGRATION;
++ mnt->options &= ~NFS_OPTION_MIGRATION;
+ break;
+
+ /*
--- /dev/null
+From c05cefcc72416a37eba5a2b35f0704ed758a9145 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Sun, 5 Nov 2017 15:45:22 -0500
+Subject: nfs: Fix ugly referral attributes
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit c05cefcc72416a37eba5a2b35f0704ed758a9145 upstream.
+
+Before traversing a referral and performing a mount, the mounted-on
+directory looks strange:
+
+dr-xr-xr-x. 2 4294967294 4294967294 0 Dec 31 1969 dir.0
+
+nfs4_get_referral is wiping out any cached attributes with what was
+returned via GETATTR(fs_locations), but the bit mask for that
+operation does not request any file attributes.
+
+Retrieve owner and timestamp information so that the memcpy in
+nfs4_get_referral fills in more attributes.
+
+Changes since v1:
+- Don't request attributes that the client unconditionally replaces
+- Request only MOUNTED_ON_FILEID or FILEID attribute, not both
+- encode_fs_locations() doesn't use the third bitmask word
+
+Fixes: 6b97fd3da1ea ("NFSv4: Follow a referral")
+Suggested-by: Pradeep Thomas <pradeepthomas@gmail.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -256,15 +256,12 @@ const u32 nfs4_fsinfo_bitmap[3] = { FATT
+ };
+
+ const u32 nfs4_fs_locations_bitmap[3] = {
+- FATTR4_WORD0_TYPE
+- | FATTR4_WORD0_CHANGE
++ FATTR4_WORD0_CHANGE
+ | FATTR4_WORD0_SIZE
+ | FATTR4_WORD0_FSID
+ | FATTR4_WORD0_FILEID
+ | FATTR4_WORD0_FS_LOCATIONS,
+- FATTR4_WORD1_MODE
+- | FATTR4_WORD1_NUMLINKS
+- | FATTR4_WORD1_OWNER
++ FATTR4_WORD1_OWNER
+ | FATTR4_WORD1_OWNER_GROUP
+ | FATTR4_WORD1_RAWDEV
+ | FATTR4_WORD1_SPACE_USED
+@@ -6678,9 +6675,7 @@ static int _nfs4_proc_fs_locations(struc
+ struct page *page)
+ {
+ struct nfs_server *server = NFS_SERVER(dir);
+- u32 bitmask[3] = {
+- [0] = FATTR4_WORD0_FSID | FATTR4_WORD0_FS_LOCATIONS,
+- };
++ u32 bitmask[3];
+ struct nfs4_fs_locations_arg args = {
+ .dir_fh = NFS_FH(dir),
+ .name = name,
+@@ -6699,12 +6694,15 @@ static int _nfs4_proc_fs_locations(struc
+
+ dprintk("%s: start\n", __func__);
+
++ bitmask[0] = nfs4_fattr_bitmap[0] | FATTR4_WORD0_FS_LOCATIONS;
++ bitmask[1] = nfs4_fattr_bitmap[1];
++
+ /* Ask for the fileid of the absent filesystem if mounted_on_fileid
+ * is not supported */
+ if (NFS_SERVER(dir)->attr_bitmask[1] & FATTR4_WORD1_MOUNTED_ON_FILEID)
+- bitmask[1] |= FATTR4_WORD1_MOUNTED_ON_FILEID;
++ bitmask[0] &= ~FATTR4_WORD0_FILEID;
+ else
+- bitmask[0] |= FATTR4_WORD0_FILEID;
++ bitmask[1] &= ~FATTR4_WORD1_MOUNTED_ON_FILEID;
+
+ nfs_fattr_init(&fs_locations->fattr);
+ fs_locations->server = server;
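Review bot: `bitmask[2]` is never written: the earlier hunk drops the initializer from `u32 bitmask[3]`, and only words 0 and 1 are assigned here. The commit message states that encode_fs_locations() does not use the third word, but the encoder is outside this diff. Because the array is a stack variable, any later consumer of the full array would read indeterminate stack contents. Adding `bitmask[2] = 0;` after the two assignments removes that dependency. _nfs4_proc_fs_locations starts and ends outside the hunk.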
--- /dev/null
+From 95da1b3a5aded124dd1bda1e3cdb876184813140 Mon Sep 17 00:00:00 2001
+From: Andrew Elble <aweits@rit.edu>
+Date: Fri, 3 Nov 2017 14:06:31 -0400
+Subject: nfsd: deal with revoked delegations appropriately
+
+From: Andrew Elble <aweits@rit.edu>
+
+commit 95da1b3a5aded124dd1bda1e3cdb876184813140 upstream.
+
+If a delegation has been revoked by the server, operations using that
+delegation should error out with NFS4ERR_DELEG_REVOKED in the >4.1
+case, and NFS4ERR_BAD_STATEID otherwise.
+
+The server needs NFSv4.1 clients to explicitly free revoked delegations.
+If the server returns NFS4ERR_DELEG_REVOKED, the client will do that;
+otherwise it may just forget about the delegation and be unable to
+recover when it later sees SEQ4_STATUS_RECALLABLE_STATE_REVOKED set on a
+SEQUENCE reply. That can cause the Linux 4.1 client to loop in its
+stage manager.
+
+Signed-off-by: Andrew Elble <aweits@rit.edu>
+Reviewed-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -3967,7 +3967,8 @@ static struct nfs4_delegation *find_dele
+ {
+ struct nfs4_stid *ret;
+
+- ret = find_stateid_by_type(cl, s, NFS4_DELEG_STID);
++ ret = find_stateid_by_type(cl, s,
++ NFS4_DELEG_STID|NFS4_REVOKED_DELEG_STID);
+ if (!ret)
+ return NULL;
+ return delegstateid(ret);
+@@ -3990,6 +3991,12 @@ nfs4_check_deleg(struct nfs4_client *cl,
+ deleg = find_deleg_stateid(cl, &open->op_delegate_stateid);
+ if (deleg == NULL)
+ goto out;
++ if (deleg->dl_stid.sc_type == NFS4_REVOKED_DELEG_STID) {
++ nfs4_put_stid(&deleg->dl_stid);
++ if (cl->cl_minorversion)
++ status = nfserr_deleg_revoked;
++ goto out;
++ }
+ flags = share_access_to_flags(open->op_share_access);
+ status = nfs4_check_delegmode(deleg, flags);
+ if (status) {
+@@ -4858,6 +4865,16 @@ nfsd4_lookup_stateid(struct nfsd4_compou
+ struct nfs4_stid **s, struct nfsd_net *nn)
+ {
+ __be32 status;
++ bool return_revoked = false;
++
++ /*
++ * only return revoked delegations if explicitly asked.
++ * otherwise we report revoked or bad_stateid status.
++ */
++ if (typemask & NFS4_REVOKED_DELEG_STID)
++ return_revoked = true;
++ else if (typemask & NFS4_DELEG_STID)
++ typemask |= NFS4_REVOKED_DELEG_STID;
+
+ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
+ return nfserr_bad_stateid;
+@@ -4872,6 +4889,12 @@ nfsd4_lookup_stateid(struct nfsd4_compou
+ *s = find_stateid_by_type(cstate->clp, stateid, typemask);
+ if (!*s)
+ return nfserr_bad_stateid;
++ if (((*s)->sc_type == NFS4_REVOKED_DELEG_STID) && !return_revoked) {
++ nfs4_put_stid(*s);
++ if (cstate->minorversion)
++ return nfserr_deleg_revoked;
++ return nfserr_bad_stateid;
++ }
+ return nfs_ok;
+ }
+
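Review bot: On the revoked-delegation path the reference is dropped with `nfs4_put_stid(*s)`, but `*s` still holds the pointer when the function returns an error. Callers are outside the hunk and presumably check the status first. Clearing the out-parameter with `*s = NULL;` right after the put would keep a stale pointer from being used if one of them does not. The start of nfsd4_lookup_stateid is outside this hunk.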
--- /dev/null
+From 31ccb1f7ba3cfe29631587d451cf5bb8ab593550 Mon Sep 17 00:00:00 2001
+From: Andreas Rohner <andreas.rohner@gmx.net>
+Date: Fri, 17 Nov 2017 15:29:35 -0800
+Subject: nilfs2: fix race condition that causes file system corruption
+
+From: Andreas Rohner <andreas.rohner@gmx.net>
+
+commit 31ccb1f7ba3cfe29631587d451cf5bb8ab593550 upstream.
+
+There is a race condition between nilfs_dirty_inode() and
+nilfs_set_file_dirty().
+
+When a file is opened, nilfs_dirty_inode() is called to update the
+access timestamp in the inode. It calls __nilfs_mark_inode_dirty() in a
+separate transaction. __nilfs_mark_inode_dirty() caches the ifile
+buffer_head in the i_bh field of the inode info structure and marks it
+as dirty.
+
+After some data was written to the file in another transaction, the
+function nilfs_set_file_dirty() is called, which adds the inode to the
+ns_dirty_files list.
+
+Then the segment construction calls nilfs_segctor_collect_dirty_files(),
+which goes through the ns_dirty_files list and checks the i_bh field.
+If there is a cached buffer_head in i_bh it is not marked as dirty
+again.
+
+Since nilfs_dirty_inode() and nilfs_set_file_dirty() use separate
+transactions, it is possible that a segment construction that writes out
+the ifile occurs in-between the two. If this happens the inode is not
+on the ns_dirty_files list, but its ifile block is still marked as dirty
+and written out.
+
+In the next segment construction, the data for the file is written out
+and nilfs_bmap_propagate() updates the b-tree. Eventually the bmap root
+is written into the i_bh block, which is not dirty, because it was
+written out in another segment construction.
+
+As a result the bmap update can be lost, which leads to file system
+corruption. Either the virtual block address points to an unallocated
+DAT block, or the DAT entry will be reused for something different.
+
+The error can remain undetected for a long time. A typical error
+message would be one of the "bad btree" errors or a warning that a DAT
+entry could not be found.
+
+This bug can be reproduced reliably by a simple benchmark that creates
+and overwrites millions of 4k files.
+
+Link: http://lkml.kernel.org/r/1509367935-3086-2-git-send-email-konishi.ryusuke@lab.ntt.co.jp
+Signed-off-by: Andreas Rohner <andreas.rohner@gmx.net>
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Tested-by: Andreas Rohner <andreas.rohner@gmx.net>
+Tested-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nilfs2/segment.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/nilfs2/segment.c
++++ b/fs/nilfs2/segment.c
+@@ -1956,8 +1956,6 @@ static int nilfs_segctor_collect_dirty_f
+ err, ii->vfs_inode.i_ino);
+ return err;
+ }
+- mark_buffer_dirty(ibh);
+- nilfs_mdt_mark_dirty(ifile);
+ spin_lock(&nilfs->ns_inode_lock);
+ if (likely(!ii->i_bh))
+ ii->i_bh = ibh;
+@@ -1966,6 +1964,10 @@ static int nilfs_segctor_collect_dirty_f
+ goto retry;
+ }
+
++ // Always redirty the buffer to avoid race condition
++ mark_buffer_dirty(ii->i_bh);
++ nilfs_mdt_mark_dirty(ifile);
++
+ clear_bit(NILFS_I_QUEUED, &ii->i_state);
+ set_bit(NILFS_I_BUSY, &ii->i_state);
+ list_move_tail(&ii->i_dirty, &sci->sc_dirty_files);
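Review bot: The added comment `// Always redirty the buffer to avoid race condition` does not say which race it guards against, and it uses a `//` comment where kernel coding style prefers `/* */`. Going by the commit message, something like `/* Redirty i_bh: a segment construction between nilfs_dirty_inode() and nilfs_set_file_dirty() may already have written the ifile block out */` would tell a later reader why the calls must not move back inside the branch. The enclosing function starts and ends outside the hunk.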
--- /dev/null
+From fc09785de0a364427a5df63d703bae9a306ed116 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Tue, 26 Sep 2017 17:11:33 +0200
+Subject: p54: don't unregister leds when they are not initialized
+
+From: Andrey Konovalov <andreyknvl@google.com>
+
+commit fc09785de0a364427a5df63d703bae9a306ed116 upstream.
+
+ieee80211_register_hw() in p54_register_common() may fail and leds won't
+get initialized. Currently p54_unregister_common() doesn't check that and
+always calls p54_unregister_leds(). The fix is to check priv->registered
+flag before calling p54_unregister_leds().
+
+Found by syzkaller.
+
+INFO: trying to register non-static key.
+the code is fine but needs lockdep annotation.
+turning off the locking correctness validator.
+CPU: 1 PID: 1404 Comm: kworker/1:1 Not tainted
+4.14.0-rc1-42251-gebb2c2437d80-dirty #205
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+ __dump_stack lib/dump_stack.c:16
+ dump_stack+0x292/0x395 lib/dump_stack.c:52
+ register_lock_class+0x6c4/0x1a00 kernel/locking/lockdep.c:769
+ __lock_acquire+0x27e/0x4550 kernel/locking/lockdep.c:3385
+ lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002
+ flush_work+0xf0/0x8c0 kernel/workqueue.c:2886
+ __cancel_work_timer+0x51d/0x870 kernel/workqueue.c:2961
+ cancel_delayed_work_sync+0x1f/0x30 kernel/workqueue.c:3081
+ p54_unregister_leds+0x6c/0xc0 drivers/net/wireless/intersil/p54/led.c:160
+ p54_unregister_common+0x3d/0xb0 drivers/net/wireless/intersil/p54/main.c:856
+ p54u_disconnect+0x86/0x120 drivers/net/wireless/intersil/p54/p54usb.c:1073
+ usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
+ __device_release_driver drivers/base/dd.c:861
+ device_release_driver_internal+0x4f4/0x5c0 drivers/base/dd.c:893
+ device_release_driver+0x1e/0x30 drivers/base/dd.c:918
+ bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
+ device_del+0x5c4/0xab0 drivers/base/core.c:1985
+ usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
+ usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
+ hub_port_connect drivers/usb/core/hub.c:4754
+ hub_port_connect_change drivers/usb/core/hub.c:5009
+ port_event drivers/usb/core/hub.c:5115
+ hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
+ process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
+ process_scheduled_works kernel/workqueue.c:2179
+ worker_thread+0xb2b/0x1850 kernel/workqueue.c:2255
+ kthread+0x3a1/0x470 kernel/kthread.c:231
+ ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Christian Lamparter <chunkeey@googlemail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intersil/p54/main.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/intersil/p54/main.c
++++ b/drivers/net/wireless/intersil/p54/main.c
+@@ -852,12 +852,11 @@ void p54_unregister_common(struct ieee80
+ {
+ struct p54_common *priv = dev->priv;
+
+-#ifdef CONFIG_P54_LEDS
+- p54_unregister_leds(priv);
+-#endif /* CONFIG_P54_LEDS */
+-
+ if (priv->registered) {
+ priv->registered = false;
++#ifdef CONFIG_P54_LEDS
++ p54_unregister_leds(priv);
++#endif /* CONFIG_P54_LEDS */
+ ieee80211_unregister_hw(dev);
+ }
+
--- /dev/null
+From bfa62a52cad93686bb8d8171ea5288813248a7c6 Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Thu, 9 Nov 2017 11:59:24 +0100
+Subject: rt2x00usb: mark device removed when get ENOENT usb error
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit bfa62a52cad93686bb8d8171ea5288813248a7c6 upstream.
+
+ENOENT usb error mean "specified interface or endpoint does not exist or
+is not enabled". Mark device not present when we encounter this error
+similar like we do with ENODEV error.
+
+Otherwise we can have infinite loop in rt2x00usb_work_rxdone(), because
+we remove and put again RX entries to the queue infinitely.
+
+We can have similar situation when submit urb will fail all the time
+with other error, so we need consider to limit number of entries
+processed by rxdone work. But for now, since the patch fixes
+reproducible soft lockup issue on single processor systems
+and taken ENOENT error meaning, let apply this fix.
+
+Patch adds additional ENOENT check not only in rx kick routine, but
+also on other places where we check for ENODEV error.
+
+Reported-by: Richard Genoud <richard.genoud@gmail.com>
+Debugged-by: Richard Genoud <richard.genoud@gmail.com>
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Tested-by: Richard Genoud <richard.genoud@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ralink/rt2x00/rt2x00usb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
+@@ -57,7 +57,7 @@ int rt2x00usb_vendor_request(struct rt2x
+ if (status >= 0)
+ return 0;
+
+- if (status == -ENODEV) {
++ if (status == -ENODEV || status == -ENOENT) {
+ /* Device has disappeared. */
+ clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags);
+ break;
+@@ -321,7 +321,7 @@ static bool rt2x00usb_kick_tx_entry(stru
+
+ status = usb_submit_urb(entry_priv->urb, GFP_ATOMIC);
+ if (status) {
+- if (status == -ENODEV)
++ if (status == -ENODEV || status == -ENOENT)
+ clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags);
+ set_bit(ENTRY_DATA_IO_FAILED, &entry->flags);
+ rt2x00lib_dmadone(entry);
+@@ -410,7 +410,7 @@ static bool rt2x00usb_kick_rx_entry(stru
+
+ status = usb_submit_urb(entry_priv->urb, GFP_ATOMIC);
+ if (status) {
+- if (status == -ENODEV)
++ if (status == -ENODEV || status == -ENOENT)
+ clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags);
+ set_bit(ENTRY_DATA_IO_FAILED, &entry->flags);
+ rt2x00lib_dmadone(entry);
--- /dev/null
+From 3f2a162fab15aee243178b5308bb5d1206fc4043 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 6 Nov 2017 14:55:35 +0100
+Subject: rtlwifi: fix uninitialized rtlhal->last_suspend_sec time
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 3f2a162fab15aee243178b5308bb5d1206fc4043 upstream.
+
+We set rtlhal->last_suspend_sec to an uninitialized stack variable,
+but unfortunately gcc never warned about this, I only found it
+while working on another patch. I opened a gcc bug for this.
+
+Presumably the value of rtlhal->last_suspend_sec is not all that
+important, but it does get used, so we probably want the
+patch backported to stable kernels.
+
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82839
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
+@@ -1378,6 +1378,7 @@ static void _rtl8821ae_get_wakeup_reason
+
+ ppsc->wakeup_reason = 0;
+
++ do_gettimeofday(&ts);
+ rtlhal->last_suspend_sec = ts.tv_sec;
+
+ switch (fw_reason) {
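Review bot: The added `do_gettimeofday(&ts)` fills `rtlhal->last_suspend_sec` from the wall clock, which can step when the system time is set and, through `struct timeval`, is not y2038-safe on 32-bit builds. If the field is later compared with another timestamp to measure an interval (its readers are not in this hunk), `rtlhal->last_suspend_sec = ktime_get_real_seconds();` or a monotonic source would be a better fit, provided the field's type allows it. The declaration of `ts` and the rest of `_rtl8821ae_get_wakeup_reason()` are outside the hunk.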
--- /dev/null
+From 519ce2f933fa14acf69d5c8cabcc18711943d629 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Thu, 14 Sep 2017 13:17:44 -0500
+Subject: rtlwifi: rtl8192ee: Fix memory leak when loading firmware
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 519ce2f933fa14acf69d5c8cabcc18711943d629 upstream.
+
+In routine rtl92ee_set_fw_rsvdpagepkt(), the driver allocates an skb, but
+never calls rtl_cmd_send_packet(), which will free the buffer. All other
+rtlwifi drivers perform this operation correctly.
+
+This problem has been in the driver since it was included in the kernel.
+Fortunately, each firmware load only leaks 4 buffers, which likely
+explains why it has not previously been detected.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c
+@@ -664,7 +664,7 @@ void rtl92ee_set_fw_rsvdpagepkt(struct i
+ struct rtl_priv *rtlpriv = rtl_priv(hw);
+ struct rtl_mac *mac = rtl_mac(rtl_priv(hw));
+ struct sk_buff *skb = NULL;
+-
++ bool rtstatus;
+ u32 totalpacketlen;
+ u8 u1rsvdpageloc[5] = { 0 };
+ bool b_dlok = false;
+@@ -727,7 +727,9 @@ void rtl92ee_set_fw_rsvdpagepkt(struct i
+ memcpy((u8 *)skb_put(skb, totalpacketlen),
+ &reserved_page_packet, totalpacketlen);
+
+- b_dlok = true;
++ rtstatus = rtl_cmd_send_packet(hw, skb);
++ if (rtstatus)
++ b_dlok = true;
+
+ if (b_dlok) {
+ RT_TRACE(rtlpriv, COMP_POWER, DBG_LOUD ,
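Review bot: The failure path of the new `rtl_cmd_send_packet(hw, skb)` call leaves skb ownership undocumented: when it returns false, `b_dlok` stays false and nothing in the hunk shows whether the skb was already consumed or is still owned by this function. The commit message says the callee frees the buffer, so a comment such as `/* rtl_cmd_send_packet() consumes skb */` at the call would make the contract explicit, once confirmed for the false return as well. Assuming `b_dlok` is still false at this point, `b_dlok = rtl_cmd_send_packet(hw, skb);` does the same work and makes the `rtstatus` declaration from the first hunk unnecessary. The body of `rtl92ee_set_fw_rsvdpagepkt()` starts and ends outside the hunk.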
alsa-hda-add-raven-pci-id.patch
dm-bufio-fix-integer-overflow-when-limiting-maximum-cache-size.patch
dm-allocate-struct-mapped_device-with-kvzalloc.patch
+mips-pci-remove-kern_warn-instance-inside-the-mt7620-driver.patch
+dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch
+mips-fix-odd-fp-register-warnings-with-mips64r2.patch
+mips-dts-remove-bogus-bcm96358nb4ser.dtb-from-dtb-y-entry.patch
+mips-fix-an-n32-core-file-generation-regset-support-regression.patch
+mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch
+rt2x00usb-mark-device-removed-when-get-enoent-usb-error.patch
+autofs-don-t-fail-mount-for-transient-error.patch
+nilfs2-fix-race-condition-that-causes-file-system-corruption.patch
+ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch
+libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch
+bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch
+bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch
+isofs-fix-timestamps-beyond-2027.patch
+nfs-fix-typo-in-nomigration-mount-option.patch
+nfs-fix-ugly-referral-attributes.patch
+nfs-avoid-rcu-usage-in-tracepoints.patch
+nfsd-deal-with-revoked-delegations-appropriately.patch
+rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch
+rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch
+ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch
+ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch
+alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch
+alsa-usb-audio-add-sanity-checks-to-fe-parser.patch
+alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch
+alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch
+alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch
+alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch
+alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch
+alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch
+mfd-lpc_ich-avoton-rangeley-uses-spi_byt-method.patch
+fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch
+fs-9p-compare-qid.path-in-v9fs_test_inode.patch
+iscsi-target-fix-non-immediate-tmr-reference-leak.patch
+target-fix-queue_full-scsi-task-attribute-handling.patch
+mtd-nand-omap2-fix-subpage-write.patch
+mtd-nand-fix-writing-mtdoops-to-nand-flash.patch
+mtd-nand-mtk-fix-infinite-ecc-decode-irq-issue.patch
+p54-don-t-unregister-leds-when-they-are-not-initialized.patch
+block-fix-a-race-between-blk_cleanup_queue-and-timeout-handling.patch
+irqchip-gic-v3-fix-ppi-partitions-lookup.patch
+lockd-double-unregister-of-inetaddr-notifiers.patch
--- /dev/null
+From 1c79df1f349fb6050016cea4ef1dfbc3853a5685 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 22 Sep 2017 16:48:28 -0700
+Subject: target: Fix QUEUE_FULL + SCSI task attribute handling
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 1c79df1f349fb6050016cea4ef1dfbc3853a5685 upstream.
+
+This patch fixes a bug during QUEUE_FULL where transport_complete_qf()
+calls transport_complete_task_attr() after it's already been invoked
+by target_complete_ok_work() or transport_generic_request_failure()
+during initial completion, preceeding QUEUE_FULL.
+
+This will result in se_device->simple_cmds, se_device->dev_cur_ordered_id
+and/or se_device->dev_ordered_sync being updated multiple times for
+a single se_cmd.
+
+To address this bug, clear SCF_TASK_ATTR_SET after the first call
+to transport_complete_task_attr(), and avoid updating SCSI task
+attribute related counters for any subsequent calls.
+
+Also, when a se_cmd is deferred due to ordered tags and executed
+via target_restart_delayed_cmds(), set CMD_T_SENT before execution
+matching what target_execute_cmd() does.
+
+Cc: Michael Cyr <mikecyr@linux.vnet.ibm.com>
+Cc: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+Cc: Mike Christie <mchristi@redhat.com>
+Cc: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1976,6 +1976,8 @@ static void target_restart_delayed_cmds(
+ list_del(&cmd->se_delayed_node);
+ spin_unlock(&dev->delayed_cmd_lock);
+
++ cmd->transport_state |= CMD_T_SENT;
++
+ __target_execute_cmd(cmd, true);
+
+ if (cmd->sam_task_attr == TCM_ORDERED_TAG)
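Review bot: The added `cmd->transport_state |= CMD_T_SENT;` in `target_restart_delayed_cmds()` is a plain read-modify-write done after `dev->delayed_cmd_lock` has been dropped, with no command-state lock visible in the hunk. The commit message says this matches `target_execute_cmd()`; if that function updates `transport_state` under `cmd->t_state_lock` (not shown here), the same lock would be expected around this update so that a concurrent abort or completion path cannot lose a bit. If the update is safe without the lock, a one-line comment saying why would help the next reader. The loop body continues outside the hunk.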
+@@ -2013,6 +2015,8 @@ static void transport_complete_task_attr
+ pr_debug("Incremented dev_cur_ordered_id: %u for ORDERED\n",
+ dev->dev_cur_ordered_id);
+ }
++ cmd->se_cmd_flags &= ~SCF_TASK_ATTR_SET;
++
+ restart:
+ target_restart_delayed_cmds(dev);
+ }
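Review bot: The new `cmd->se_cmd_flags &= ~SCF_TASK_ATTR_SET;` in `transport_complete_task_attr()` carries no comment, so its purpose is only recoverable from the commit message. A line such as `/* Task attribute accounting is done once per se_cmd; clear the flag so a QUEUE_FULL retry skips it */` above it would keep that reasoning with the code. The check that consumes the flag on a second call is outside the hunk, so it is worth confirming that it sits ahead of the counter updates. The function starts outside the hunk.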