--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Marek Lindner <mareklindner@neomailbox.ch>
+Date: Fri, 7 Sep 2018 05:45:54 +0800
+Subject: batman-adv: fix backbone_gw refcount on queue_work() failure
+
+From: Marek Lindner <mareklindner@neomailbox.ch>
+
+[ Upstream commit 5af96b9c59c72fb2af2d19c5cc2f3cdcee391dff ]
+
+The backbone_gw refcounter is to be decreased by the queued work and
+currently is never decreased if the queue_work() call fails.
+Fix by checking the queue_work() return value and decrease refcount
+if necessary.
+
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1767,6 +1767,7 @@ batadv_bla_loopdetect_check(struct batad
+ {
+ struct batadv_bla_backbone_gw *backbone_gw;
+ struct ethhdr *ethhdr;
++ bool ret;
+
+ ethhdr = eth_hdr(skb);
+
+@@ -1790,8 +1791,13 @@ batadv_bla_loopdetect_check(struct batad
+ if (unlikely(!backbone_gw))
+ return true;
+
+- queue_work(batadv_event_workqueue, &backbone_gw->report_work);
+- /* backbone_gw is unreferenced in the report work function function */
++ ret = queue_work(batadv_event_workqueue, &backbone_gw->report_work);
++
++ /* backbone_gw is unreferenced in the report work function function
++ * if queue_work() call was successful
++ */
++ if (!ret)
++ batadv_backbone_gw_put(backbone_gw);
+
+ return true;
+ }
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Marek Lindner <mareklindner@neomailbox.ch>
+Date: Fri, 7 Sep 2018 05:45:55 +0800
+Subject: batman-adv: fix hardif_neigh refcount on queue_work() failure
+
+From: Marek Lindner <mareklindner@neomailbox.ch>
+
+[ Upstream commit 4c4af6900844ab04c9434c972021d7b48610e06a ]
+
+The hardif_neigh refcounter is to be decreased by the queued work and
+currently is never decreased if the queue_work() call fails.
+Fix by checking the queue_work() return value and decrease refcount
+if necessary.
+
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_v_elp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -243,6 +243,7 @@ static void batadv_v_elp_periodic_work(s
+ struct batadv_priv *bat_priv;
+ struct sk_buff *skb;
+ u32 elp_interval;
++ bool ret;
+
+ bat_v = container_of(work, struct batadv_hard_iface_bat_v, elp_wq.work);
+ hard_iface = container_of(bat_v, struct batadv_hard_iface, bat_v);
+@@ -304,8 +305,11 @@ static void batadv_v_elp_periodic_work(s
+ * may sleep and that is not allowed in an rcu protected
+ * context. Therefore schedule a task for that.
+ */
+- queue_work(batadv_event_workqueue,
+- &hardif_neigh->bat_v.metric_work);
++ ret = queue_work(batadv_event_workqueue,
++ &hardif_neigh->bat_v.metric_work);
++
++ if (!ret)
++ batadv_hardif_neigh_put(hardif_neigh);
+ }
+ rcu_read_unlock();
+
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 31 Aug 2018 16:56:29 +0200
+Subject: batman-adv: Fix segfault when writing to sysfs elp_interval
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit a25bab9d723a08bd0bdafb1529faf9094c690b70 ]
+
+The per hardif sysfs file "batman_adv/elp_interval" is using the generic
+functions to store/show uint values. The helper __batadv_store_uint_attr
+requires the softif net_device as parameter to print the resulting change
+as info text when the users writes to this file. It uses the helper
+function batadv_info to add it at the same time to the kernel ring buffer
+and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG is enabled).
+
+The function batadv_info requires as first parameter the batman-adv softif
+net_device. This parameter is then used to find the private buffer which
+contains the debug log for this batman-adv interface. But
+batadv_store_throughput_override used as first argument the slave
+net_device. This slave device doesn't have the batadv_priv private data
+which is access by batadv_info.
+
+Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead
+to a segfault or to memory corruption.
+
+Fixes: 0744ff8fa8fa ("batman-adv: Add hard_iface specific sysfs wrapper macros for UINT")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/sysfs.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+--- a/net/batman-adv/sysfs.c
++++ b/net/batman-adv/sysfs.c
+@@ -187,7 +187,8 @@ ssize_t batadv_store_##_name(struct kobj
+ \
+ return __batadv_store_uint_attr(buff, count, _min, _max, \
+ _post_func, attr, \
+- &bat_priv->_var, net_dev); \
++ &bat_priv->_var, net_dev, \
++ NULL); \
+ }
+
+ #define BATADV_ATTR_SIF_SHOW_UINT(_name, _var) \
+@@ -261,7 +262,9 @@ ssize_t batadv_store_##_name(struct kobj
+ \
+ length = __batadv_store_uint_attr(buff, count, _min, _max, \
+ _post_func, attr, \
+- &hard_iface->_var, net_dev); \
++ &hard_iface->_var, \
++ hard_iface->soft_iface, \
++ net_dev); \
+ \
+ batadv_hardif_put(hard_iface); \
+ return length; \
+@@ -355,10 +358,12 @@ __batadv_store_bool_attr(char *buff, siz
+
+ static int batadv_store_uint_attr(const char *buff, size_t count,
+ struct net_device *net_dev,
++ struct net_device *slave_dev,
+ const char *attr_name,
+ unsigned int min, unsigned int max,
+ atomic_t *attr)
+ {
++ char ifname[IFNAMSIZ + 3] = "";
+ unsigned long uint_val;
+ int ret;
+
+@@ -384,8 +389,11 @@ static int batadv_store_uint_attr(const
+ if (atomic_read(attr) == uint_val)
+ return count;
+
+- batadv_info(net_dev, "%s: Changing from: %i to: %lu\n",
+- attr_name, atomic_read(attr), uint_val);
++ if (slave_dev)
++ snprintf(ifname, sizeof(ifname), "%s: ", slave_dev->name);
++
++ batadv_info(net_dev, "%s: %sChanging from: %i to: %lu\n",
++ attr_name, ifname, atomic_read(attr), uint_val);
+
+ atomic_set(attr, uint_val);
+ return count;
+@@ -396,12 +404,13 @@ static ssize_t __batadv_store_uint_attr(
+ void (*post_func)(struct net_device *),
+ const struct attribute *attr,
+ atomic_t *attr_store,
+- struct net_device *net_dev)
++ struct net_device *net_dev,
++ struct net_device *slave_dev)
+ {
+ int ret;
+
+- ret = batadv_store_uint_attr(buff, count, net_dev, attr->name, min, max,
+- attr_store);
++ ret = batadv_store_uint_attr(buff, count, net_dev, slave_dev,
++ attr->name, min, max, attr_store);
+ if (post_func && ret)
+ post_func(net_dev);
+
+@@ -570,7 +579,7 @@ static ssize_t batadv_store_gw_sel_class
+ return __batadv_store_uint_attr(buff, count, 1, BATADV_TQ_MAX_VALUE,
+ batadv_post_gw_reselect, attr,
+ &bat_priv->gw.sel_class,
+- bat_priv->soft_iface);
++ bat_priv->soft_iface, NULL);
+ }
+
+ static ssize_t batadv_show_gw_bwidth(struct kobject *kobj,
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 31 Aug 2018 16:46:47 +0200
+Subject: batman-adv: Fix segfault when writing to throughput_override
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit b9fd14c20871e6189f635e49b32d7789e430b3c8 ]
+
+The per hardif sysfs file "batman_adv/throughput_override" prints the
+resulting change as info text when the users writes to this file. It uses
+the helper function batadv_info to add it at the same time to the kernel
+ring buffer and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG
+is enabled).
+
+The function batadv_info requires as first parameter the batman-adv softif
+net_device. This parameter is then used to find the private buffer which
+contains the debug log for this batman-adv interface. But
+batadv_store_throughput_override used as first argument the slave
+net_device. This slave device doesn't have the batadv_priv private data
+which is access by batadv_info.
+
+Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead
+to a segfault or to memory corruption.
+
+Fixes: 0b5ecc6811bd ("batman-adv: add throughput override attribute to hard_ifaces")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/sysfs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/sysfs.c
++++ b/net/batman-adv/sysfs.c
+@@ -1084,8 +1084,9 @@ static ssize_t batadv_store_throughput_o
+ if (old_tp_override == tp_override)
+ goto out;
+
+- batadv_info(net_dev, "%s: Changing from: %u.%u MBit to: %u.%u MBit\n",
+- "throughput_override",
++ batadv_info(hard_iface->soft_iface,
++ "%s: %s: Changing from: %u.%u MBit to: %u.%u MBit\n",
++ "throughput_override", net_dev->name,
+ old_tp_override / 10, old_tp_override % 10,
+ tp_override / 10, tp_override % 10);
+
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 12 Aug 2018 21:04:44 +0200
+Subject: batman-adv: Prevent duplicated global TT entry
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit e7136e48ffdfb9f37b0820f619380485eb407361 ]
+
+The function batadv_tt_global_orig_entry_add is responsible for adding new
+tt_orig_list_entry to the orig_list. It first checks whether the entry
+already is in the list or not. If it is, then the creation of a new entry
+is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: d657e621a0f5 ("batman-adv: add reference counting for type batadv_tt_orig_list_entry")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/translation-table.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -1550,6 +1550,8 @@ batadv_tt_global_orig_entry_add(struct b
+ {
+ struct batadv_tt_orig_list_entry *orig_entry;
+
++ spin_lock_bh(&tt_global->list_lock);
++
+ orig_entry = batadv_tt_global_orig_entry_find(tt_global, orig_node);
+ if (orig_entry) {
+ /* refresh the ttvn: the current value could be a bogus one that
+@@ -1570,16 +1572,16 @@ batadv_tt_global_orig_entry_add(struct b
+ orig_entry->ttvn = ttvn;
+ kref_init(&orig_entry->refcount);
+
+- spin_lock_bh(&tt_global->list_lock);
+ kref_get(&orig_entry->refcount);
+ hlist_add_head_rcu(&orig_entry->list,
+ &tt_global->orig_list);
+- spin_unlock_bh(&tt_global->list_lock);
+ atomic_inc(&tt_global->orig_list_count);
+
+ out:
+ if (orig_entry)
+ batadv_tt_orig_list_entry_put(orig_entry);
++
++ spin_unlock_bh(&tt_global->list_lock);
+ }
+
+ /**
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 12 Aug 2018 21:04:42 +0200
+Subject: batman-adv: Prevent duplicated nc_node entry
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit fa122fec8640eb7186ce5a41b83a4c1744ceef8f ]
+
+The function batadv_nc_get_nc_node is responsible for adding new nc_nodes
+to the in_coding_list and out_coding_list. It first checks whether the
+entry already is in the list or not. If it is, then the creation of a new
+entry is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: d56b1705e28c ("batman-adv: network coding - detect coding nodes and remove these after timeout")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/network-coding.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+--- a/net/batman-adv/network-coding.c
++++ b/net/batman-adv/network-coding.c
+@@ -845,16 +845,27 @@ batadv_nc_get_nc_node(struct batadv_priv
+ spinlock_t *lock; /* Used to lock list selected by "int in_coding" */
+ struct list_head *list;
+
++ /* Select ingoing or outgoing coding node */
++ if (in_coding) {
++ lock = &orig_neigh_node->in_coding_list_lock;
++ list = &orig_neigh_node->in_coding_list;
++ } else {
++ lock = &orig_neigh_node->out_coding_list_lock;
++ list = &orig_neigh_node->out_coding_list;
++ }
++
++ spin_lock_bh(lock);
++
+ /* Check if nc_node is already added */
+ nc_node = batadv_nc_find_nc_node(orig_node, orig_neigh_node, in_coding);
+
+ /* Node found */
+ if (nc_node)
+- return nc_node;
++ goto unlock;
+
+ nc_node = kzalloc(sizeof(*nc_node), GFP_ATOMIC);
+ if (!nc_node)
+- return NULL;
++ goto unlock;
+
+ /* Initialize nc_node */
+ INIT_LIST_HEAD(&nc_node->list);
+@@ -863,22 +874,14 @@ batadv_nc_get_nc_node(struct batadv_priv
+ kref_get(&orig_neigh_node->refcount);
+ nc_node->orig_node = orig_neigh_node;
+
+- /* Select ingoing or outgoing coding node */
+- if (in_coding) {
+- lock = &orig_neigh_node->in_coding_list_lock;
+- list = &orig_neigh_node->in_coding_list;
+- } else {
+- lock = &orig_neigh_node->out_coding_list_lock;
+- list = &orig_neigh_node->out_coding_list;
+- }
+-
+ batadv_dbg(BATADV_DBG_NC, bat_priv, "Adding nc_node %pM -> %pM\n",
+ nc_node->addr, nc_node->orig_node->orig);
+
+ /* Add nc_node to orig_node */
+- spin_lock_bh(lock);
+ kref_get(&nc_node->refcount);
+ list_add_tail_rcu(&nc_node->list, list);
++
++unlock:
+ spin_unlock_bh(lock);
+
+ return nc_node;
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 12 Aug 2018 21:04:43 +0200
+Subject: batman-adv: Prevent duplicated softif_vlan entry
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit 94cb82f594ed86be303398d6dfc7640a6f1d45d4 ]
+
+The function batadv_softif_vlan_get is responsible for adding new
+softif_vlan to the softif_vlan_list. It first checks whether the entry
+already is in the list or not. If it is, then the creation of a new entry
+is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: 5d2c05b21337 ("batman-adv: add per VLAN interface attribute framework")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/soft-interface.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -565,15 +565,20 @@ int batadv_softif_create_vlan(struct bat
+ struct batadv_softif_vlan *vlan;
+ int err;
+
++ spin_lock_bh(&bat_priv->softif_vlan_list_lock);
++
+ vlan = batadv_softif_vlan_get(bat_priv, vid);
+ if (vlan) {
+ batadv_softif_vlan_put(vlan);
++ spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+ return -EEXIST;
+ }
+
+ vlan = kzalloc(sizeof(*vlan), GFP_ATOMIC);
+- if (!vlan)
++ if (!vlan) {
++ spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+ return -ENOMEM;
++ }
+
+ vlan->bat_priv = bat_priv;
+ vlan->vid = vid;
+@@ -581,17 +586,23 @@ int batadv_softif_create_vlan(struct bat
+
+ atomic_set(&vlan->ap_isolation, 0);
+
++ kref_get(&vlan->refcount);
++ hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list);
++ spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
++
++ /* batadv_sysfs_add_vlan cannot be in the spinlock section due to the
++ * sleeping behavior of the sysfs functions and the fs_reclaim lock
++ */
+ err = batadv_sysfs_add_vlan(bat_priv->soft_iface, vlan);
+ if (err) {
+- kfree(vlan);
++ /* ref for the function */
++ batadv_softif_vlan_put(vlan);
++
++ /* ref for the list */
++ batadv_softif_vlan_put(vlan);
+ return err;
+ }
+
+- spin_lock_bh(&bat_priv->softif_vlan_list_lock);
+- kref_get(&vlan->refcount);
+- hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list);
+- spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+-
+ /* add a new TT local entry. This one will be marked with the NOPURGE
+ * flag
+ */
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 12 Aug 2018 21:04:45 +0200
+Subject: batman-adv: Prevent duplicated tvlv handler
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit ae3cdc97dc10c7a3b31f297dab429bfb774c9ccb ]
+
+The function batadv_tvlv_handler_register is responsible for adding new
+tvlv_handler to the handler_list. It first checks whether the entry
+already is in the list or not. If it is, then the creation of a new entry
+is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/tvlv.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/tvlv.c
++++ b/net/batman-adv/tvlv.c
+@@ -528,15 +528,20 @@ void batadv_tvlv_handler_register(struct
+ {
+ struct batadv_tvlv_handler *tvlv_handler;
+
++ spin_lock_bh(&bat_priv->tvlv.handler_list_lock);
++
+ tvlv_handler = batadv_tvlv_handler_get(bat_priv, type, version);
+ if (tvlv_handler) {
++ spin_unlock_bh(&bat_priv->tvlv.handler_list_lock);
+ batadv_tvlv_handler_put(tvlv_handler);
+ return;
+ }
+
+ tvlv_handler = kzalloc(sizeof(*tvlv_handler), GFP_ATOMIC);
+- if (!tvlv_handler)
++ if (!tvlv_handler) {
++ spin_unlock_bh(&bat_priv->tvlv.handler_list_lock);
+ return;
++ }
+
+ tvlv_handler->ogm_handler = optr;
+ tvlv_handler->unicast_handler = uptr;
+@@ -546,7 +551,6 @@ void batadv_tvlv_handler_register(struct
+ kref_init(&tvlv_handler->refcount);
+ INIT_HLIST_NODE(&tvlv_handler->list);
+
+- spin_lock_bh(&bat_priv->tvlv.handler_list_lock);
+ kref_get(&tvlv_handler->refcount);
+ hlist_add_head_rcu(&tvlv_handler->list, &bat_priv->tvlv.handler_list);
+ spin_unlock_bh(&bat_priv->tvlv.handler_list_lock);
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Keerthy <j-keerthy@ti.com>
+Date: Wed, 8 Aug 2018 18:44:59 +0530
+Subject: clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs
+
+From: Keerthy <j-keerthy@ti.com>
+
+[ Upstream commit 3b7d96a0dbb6b630878597a1838fc39f808b761b ]
+
+The 32k clocksource is NONSTOP for non-am43 SoCs. Hence
+add the flag for all the other SoCs.
+
+Reported-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clocksource/timer-ti-32k.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/clocksource/timer-ti-32k.c
++++ b/drivers/clocksource/timer-ti-32k.c
+@@ -98,6 +98,9 @@ static int __init ti_32k_timer_init(stru
+ return -ENXIO;
+ }
+
++ if (!of_machine_is_compatible("ti,am43"))
++ ti_32k_timer.cs.flags |= CLOCK_SOURCE_SUSPEND_NONSTOP;
++
+ ti_32k_timer.counter = ti_32k_timer.base;
+
+ /*
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Alexandru Gheorghe <alexandru-cosmin.gheorghe@arm.com>
+Date: Mon, 16 Jul 2018 11:07:07 +0100
+Subject: drm: mali-dp: Call drm_crtc_vblank_reset on device init
+
+From: Alexandru Gheorghe <alexandru-cosmin.gheorghe@arm.com>
+
+[ Upstream commit 69be1984ded00a11b1ed0888c6d8e4f35370372f ]
+
+Currently, if userspace calls drm_wait_vblank before the crtc is
+activated the crtc vblank_enable hook is called, which in case of
+malidp driver triggers some warninngs. This happens because on
+device init we don't inform the drm core about the vblank state
+by calling drm_crtc_vblank_on/off/reset which together with
+drm_vblank_get have some magic that prevents calling drm_vblank_enable
+when crtc is off.
+
+Signed-off-by: Alexandru Gheorghe <alexandru-cosmin.gheorghe@arm.com>
+Acked-by: Liviu Dudau <liviu.dudau@arm.com>
+Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/arm/malidp_drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/arm/malidp_drv.c
++++ b/drivers/gpu/drm/arm/malidp_drv.c
+@@ -378,6 +378,7 @@ static int malidp_bind(struct device *de
+ goto irq_init_fail;
+
+ ret = drm_vblank_init(drm, drm->mode_config.num_crtc);
++ drm_crtc_vblank_reset(&malidp->crtc);
+ if (ret < 0) {
+ DRM_ERROR("failed to initialise vblank\n");
+ goto vblank_fail;
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Michael Schmitz <schmitzmic@gmail.com>
+Date: Mon, 17 Sep 2018 15:27:49 -0700
+Subject: Input: atakbd - fix Atari CapsLock behaviour
+
+From: Michael Schmitz <schmitzmic@gmail.com>
+
+[ Upstream commit 52d2c7bf7c90217fbe875d2d76f310979c48eb83 ]
+
+The CapsLock key on Atari keyboards is not a toggle, it does send the
+normal make and break scancodes.
+
+Drop the CapsLock toggle handling code, which did cause the CapsLock
+key to merely act as a Shift key.
+
+Tested-by: Michael Schmitz <schmitzmic@gmail.com>
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/atakbd.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/drivers/input/keyboard/atakbd.c
++++ b/drivers/input/keyboard/atakbd.c
+@@ -189,14 +189,8 @@ static void atakbd_interrupt(unsigned ch
+
+ scancode = atakbd_keycode[scancode];
+
+- if (scancode == KEY_CAPSLOCK) { /* CapsLock is a toggle switch key on Amiga */
+- input_report_key(atakbd_dev, scancode, 1);
+- input_report_key(atakbd_dev, scancode, 0);
+- input_sync(atakbd_dev);
+- } else {
+- input_report_key(atakbd_dev, scancode, down);
+- input_sync(atakbd_dev);
+- }
++ input_report_key(atakbd_dev, scancode, down);
++ input_sync(atakbd_dev);
+ } else /* scancodes >= 0xf3 are mouse data, most likely */
+ printk(KERN_INFO "atakbd: unhandled scancode %x\n", scancode);
+
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Mon, 17 Sep 2018 12:43:34 -0700
+Subject: Input: atakbd - fix Atari keymap
+
+From: Andreas Schwab <schwab@linux-m68k.org>
+
+[ Upstream commit 9e62df51be993035c577371ffee5477697a56aad ]
+
+Fix errors in Atari keymap (mostly in keypad, help and undo keys).
+
+Patch provided on debian-68k ML by Andreas Schwab <schwab@linux-m68k.org>,
+keymap array size and unhandled scancode limit adjusted to 0x73 by me.
+
+Tested-by: Michael Schmitz <schmitzmic@gmail.com>
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/atakbd.c | 64 ++++++++++++++++------------------------
+ 1 file changed, 26 insertions(+), 38 deletions(-)
+
+--- a/drivers/input/keyboard/atakbd.c
++++ b/drivers/input/keyboard/atakbd.c
+@@ -79,8 +79,7 @@ MODULE_LICENSE("GPL");
+ */
+
+
+-static unsigned char atakbd_keycode[0x72] = { /* American layout */
+- [0] = KEY_GRAVE,
++static unsigned char atakbd_keycode[0x73] = { /* American layout */
+ [1] = KEY_ESC,
+ [2] = KEY_1,
+ [3] = KEY_2,
+@@ -121,9 +120,9 @@ static unsigned char atakbd_keycode[0x72
+ [38] = KEY_L,
+ [39] = KEY_SEMICOLON,
+ [40] = KEY_APOSTROPHE,
+- [41] = KEY_BACKSLASH, /* FIXME, '#' */
++ [41] = KEY_GRAVE,
+ [42] = KEY_LEFTSHIFT,
+- [43] = KEY_GRAVE, /* FIXME: '~' */
++ [43] = KEY_BACKSLASH,
+ [44] = KEY_Z,
+ [45] = KEY_X,
+ [46] = KEY_C,
+@@ -149,45 +148,34 @@ static unsigned char atakbd_keycode[0x72
+ [66] = KEY_F8,
+ [67] = KEY_F9,
+ [68] = KEY_F10,
+- [69] = KEY_ESC,
+- [70] = KEY_DELETE,
+- [71] = KEY_KP7,
+- [72] = KEY_KP8,
+- [73] = KEY_KP9,
++ [71] = KEY_HOME,
++ [72] = KEY_UP,
+ [74] = KEY_KPMINUS,
+- [75] = KEY_KP4,
+- [76] = KEY_KP5,
+- [77] = KEY_KP6,
++ [75] = KEY_LEFT,
++ [77] = KEY_RIGHT,
+ [78] = KEY_KPPLUS,
+- [79] = KEY_KP1,
+- [80] = KEY_KP2,
+- [81] = KEY_KP3,
+- [82] = KEY_KP0,
+- [83] = KEY_KPDOT,
+- [90] = KEY_KPLEFTPAREN,
+- [91] = KEY_KPRIGHTPAREN,
+- [92] = KEY_KPASTERISK, /* FIXME */
+- [93] = KEY_KPASTERISK,
+- [94] = KEY_KPPLUS,
+- [95] = KEY_HELP,
++ [80] = KEY_DOWN,
++ [82] = KEY_INSERT,
++ [83] = KEY_DELETE,
+ [96] = KEY_102ND,
+- [97] = KEY_KPASTERISK, /* FIXME */
+- [98] = KEY_KPSLASH,
++ [97] = KEY_UNDO,
++ [98] = KEY_HELP,
+ [99] = KEY_KPLEFTPAREN,
+ [100] = KEY_KPRIGHTPAREN,
+ [101] = KEY_KPSLASH,
+ [102] = KEY_KPASTERISK,
+- [103] = KEY_UP,
+- [104] = KEY_KPASTERISK, /* FIXME */
+- [105] = KEY_LEFT,
+- [106] = KEY_RIGHT,
+- [107] = KEY_KPASTERISK, /* FIXME */
+- [108] = KEY_DOWN,
+- [109] = KEY_KPASTERISK, /* FIXME */
+- [110] = KEY_KPASTERISK, /* FIXME */
+- [111] = KEY_KPASTERISK, /* FIXME */
+- [112] = KEY_KPASTERISK, /* FIXME */
+- [113] = KEY_KPASTERISK /* FIXME */
++ [103] = KEY_KP7,
++ [104] = KEY_KP8,
++ [105] = KEY_KP9,
++ [106] = KEY_KP4,
++ [107] = KEY_KP5,
++ [108] = KEY_KP6,
++ [109] = KEY_KP1,
++ [110] = KEY_KP2,
++ [111] = KEY_KP3,
++ [112] = KEY_KP0,
++ [113] = KEY_KPDOT,
++ [114] = KEY_KPENTER,
+ };
+
+ static struct input_dev *atakbd_dev;
+@@ -195,7 +183,7 @@ static struct input_dev *atakbd_dev;
+ static void atakbd_interrupt(unsigned char scancode, char down)
+ {
+
+- if (scancode < 0x72) { /* scancodes < 0xf2 are keys */
++ if (scancode < 0x73) { /* scancodes < 0xf3 are keys */
+
+ // report raw events here?
+
+@@ -209,7 +197,7 @@ static void atakbd_interrupt(unsigned ch
+ input_report_key(atakbd_dev, scancode, down);
+ input_sync(atakbd_dev);
+ }
+- } else /* scancodes >= 0xf2 are mouse data, most likely */
++ } else /* scancodes >= 0xf3 are mouse data, most likely */
+ printk(KERN_INFO "atakbd: unhandled scancode %x\n", scancode);
+
+ return;
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Arindam Nath <arindam.nath@amd.com>
+Date: Tue, 18 Sep 2018 15:40:58 +0530
+Subject: iommu/amd: Return devid as alias for ACPI HID devices
+
+From: Arindam Nath <arindam.nath@amd.com>
+
+[ Upstream commit 5ebb1bc2d63d90dd204169e21fd7a0b4bb8c776e ]
+
+ACPI HID devices do not actually have an alias for
+them in the IVRS. But dev_data->alias is still used
+for indexing into the IOMMU device table for devices
+being handled by the IOMMU. So for ACPI HID devices,
+we simply return the corresponding devid as an alias,
+as parsed from IVRS table.
+
+Signed-off-by: Arindam Nath <arindam.nath@amd.com>
+Fixes: 2bf9a0a12749 ('iommu/amd: Add iommu support for ACPI HID devices')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/amd_iommu.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -288,7 +288,13 @@ static u16 get_alias(struct device *dev)
+
+ /* The callers make sure that get_device_id() does not fail here */
+ devid = get_device_id(dev);
++
++ /* For ACPI HID devices, we simply return the devid as such */
++ if (!dev_is_pci(dev))
++ return devid;
++
+ ivrs_alias = amd_iommu_alias_table[devid];
++
+ pci_for_each_dma_alias(pdev, __last_alias, &pci_alias);
+
+ if (ivrs_alias == pci_alias)
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Jozef Balga <jozef.balga@gmail.com>
+Date: Tue, 21 Aug 2018 05:01:04 -0400
+Subject: media: af9035: prevent buffer overflow on write
+
+From: Jozef Balga <jozef.balga@gmail.com>
+
+[ Upstream commit 312f73b648626a0526a3aceebb0a3192aaba05ce ]
+
+When less than 3 bytes are written to the device, memcpy is called with
+negative array size which leads to buffer overflow and kernel panic. This
+patch adds a condition and returns -EOPNOTSUPP instead.
+Fixes bugzilla issue 64871
+
+[mchehab+samsung@kernel.org: fix a merge conflict and changed the
+ condition to match the patch's comment, e. g. len == 3 could
+ also be valid]
+Signed-off-by: Jozef Balga <jozef.balga@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/dvb-usb-v2/af9035.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/af9035.c
++++ b/drivers/media/usb/dvb-usb-v2/af9035.c
+@@ -406,8 +406,10 @@ static int af9035_i2c_master_xfer(struct
+ msg[0].addr == (state->af9033_i2c_addr[1] >> 1))
+ reg |= 0x100000;
+
+- ret = af9035_wr_regs(d, reg, &msg[0].buf[3],
+- msg[0].len - 3);
++ ret = (msg[0].len >= 3) ? af9035_wr_regs(d, reg,
++ &msg[0].buf[3],
++ msg[0].len - 3)
++ : -EOPNOTSUPP;
+ } else {
+ /* I2C write */
+ u8 buf[MAX_XFER_SIZE];
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Fri, 21 Sep 2018 02:44:12 -0700
+Subject: net/mlx4: Use cpumask_available for eq->affinity_mask
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 8ac1ee6f4d62e781e3b3fd8b9c42b70371427669 ]
+
+Clang warns that the address of a pointer will always evaluated as true
+in a boolean context:
+
+drivers/net/ethernet/mellanox/mlx4/eq.c:243:11: warning: address of
+array 'eq->affinity_mask' will always evaluate to 'true'
+[-Wpointer-bool-conversion]
+ if (!eq->affinity_mask || cpumask_empty(eq->affinity_mask))
+ ~~~~~^~~~~~~~~~~~~
+1 warning generated.
+
+Use cpumask_available, introduced in commit f7e30f01a9e2 ("cpumask: Add
+helper cpumask_available()"), which does the proper checking and avoids
+this warning.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/86
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/eq.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/eq.c
++++ b/drivers/net/ethernet/mellanox/mlx4/eq.c
+@@ -240,7 +240,8 @@ static void mlx4_set_eq_affinity_hint(st
+ struct mlx4_dev *dev = &priv->dev;
+ struct mlx4_eq *eq = &priv->eq_table.eq[vec];
+
+- if (!eq->affinity_mask || cpumask_empty(eq->affinity_mask))
++ if (!cpumask_available(eq->affinity_mask) ||
++ cpumask_empty(eq->affinity_mask))
+ return;
+
+ hint_err = irq_set_affinity_hint(eq->irq, eq->affinity_mask);
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Michael Neuling <mikey@neuling.org>
+Date: Tue, 25 Sep 2018 19:36:47 +1000
+Subject: powerpc/tm: Avoid possible userspace r1 corruption on reclaim
+
+From: Michael Neuling <mikey@neuling.org>
+
+[ Upstream commit 96dc89d526ef77604376f06220e3d2931a0bfd58 ]
+
+Current we store the userspace r1 to PACATMSCRATCH before finally
+saving it to the thread struct.
+
+In theory an exception could be taken here (like a machine check or
+SLB miss) that could write PACATMSCRATCH and hence corrupt the
+userspace r1. The SLB fault currently doesn't touch PACATMSCRATCH, but
+others do.
+
+We've never actually seen this happen but it's theoretically
+possible. Either way, the code is fragile as it is.
+
+This patch saves r1 to the kernel stack (which can't fault) before we
+turn MSR[RI] back on. PACATMSCRATCH is still used but only with
+MSR[RI] off. We then copy r1 from the kernel stack to the thread
+struct once we have MSR[RI] back on.
+
+Suggested-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/tm.S | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/tm.S
++++ b/arch/powerpc/kernel/tm.S
+@@ -169,6 +169,13 @@ _GLOBAL(tm_reclaim)
+ std r11, GPR11(r1) /* Temporary stash */
+
+ /*
++ * Move the saved user r1 to the kernel stack in case PACATMSCRATCH is
++ * clobbered by an exception once we turn on MSR_RI below.
++ */
++ ld r11, PACATMSCRATCH(r13)
++ std r11, GPR1(r1)
++
++ /*
+ * Store r13 away so we can free up the scratch SPR for the SLB fault
+ * handler (needed once we start accessing the thread_struct).
+ */
+@@ -204,7 +211,7 @@ _GLOBAL(tm_reclaim)
+ SAVE_GPR(8, r7) /* user r8 */
+ SAVE_GPR(9, r7) /* user r9 */
+ SAVE_GPR(10, r7) /* user r10 */
+- ld r3, PACATMSCRATCH(r13) /* user r1 */
++ ld r3, GPR1(r1) /* user r1 */
+ ld r4, GPR7(r1) /* user r7 */
+ ld r5, GPR11(r1) /* user r11 */
+ ld r6, GPR12(r1) /* user r12 */
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Michael Neuling <mikey@neuling.org>
+Date: Mon, 24 Sep 2018 17:27:04 +1000
+Subject: powerpc/tm: Fix userspace r13 corruption
+
+From: Michael Neuling <mikey@neuling.org>
+
+[ Upstream commit cf13435b730a502e814c63c84d93db131e563f5f ]
+
+When we treclaim we store the userspace checkpointed r13 to a scratch
+SPR and then later save the scratch SPR to the user thread struct.
+
+Unfortunately, this doesn't work as accessing the user thread struct
+can take an SLB fault and the SLB fault handler will write the same
+scratch SPRG that now contains the userspace r13.
+
+To fix this, we store r13 to the kernel stack (which can't fault)
+before we access the user thread struct.
+
+Found by running P8 guest + powervm + disable_1tb_segments + TM. Seen
+as a random userspace segfault with r13 looking like a kernel address.
+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Reviewed-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/tm.S | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/tm.S
++++ b/arch/powerpc/kernel/tm.S
+@@ -166,13 +166,20 @@ _GLOBAL(tm_reclaim)
+ std r1, PACATMSCRATCH(r13)
+ ld r1, PACAR1(r13)
+
+- /* Store the PPR in r11 and reset to decent value */
+ std r11, GPR11(r1) /* Temporary stash */
+
++ /*
++ * Store r13 away so we can free up the scratch SPR for the SLB fault
++ * handler (needed once we start accessing the thread_struct).
++ */
++ GET_SCRATCH0(r11)
++ std r11, GPR13(r1)
++
+ /* Reset MSR RI so we can take SLB faults again */
+ li r11, MSR_RI
+ mtmsrd r11, 1
+
++ /* Store the PPR in r11 and reset to decent value */
+ mfspr r11, SPRN_PPR
+ HMT_MEDIUM
+
+@@ -201,7 +208,7 @@ _GLOBAL(tm_reclaim)
+ ld r4, GPR7(r1) /* user r7 */
+ ld r5, GPR11(r1) /* user r11 */
+ ld r6, GPR12(r1) /* user r12 */
+- GET_SCRATCH0(8) /* user r13 */
++ ld r8, GPR13(r1) /* user r13 */
+ std r3, GPR1(r7)
+ std r4, GPR7(r7)
+ std r5, GPR11(r7)
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+Date: Tue, 18 Sep 2018 12:22:26 +0200
+Subject: ravb: do not write 1 to reserved bits
+
+From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+
+[ Upstream commit 2fe397a3959de8a472f165e6d152f64cb77fa2cc ]
+
+EtherAVB hardware requires 0 to be written to status register bits in
+order to clear them, however, care must be taken not to:
+
+1. Clear other bits, by writing zero to them
+2. Write one to reserved bits
+
+This patch corrects the ravb driver with respect to the second point above.
+This is done by defining reserved bit masks for the affected registers and,
+after auditing the code, ensure all sites that may write a one to a
+reserved bit use are suitably masked.
+
+Signed-off-by: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
+Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/ravb.h | 5 +++++
+ drivers/net/ethernet/renesas/ravb_main.c | 11 ++++++-----
+ drivers/net/ethernet/renesas/ravb_ptp.c | 2 +-
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/ravb.h
++++ b/drivers/net/ethernet/renesas/ravb.h
+@@ -421,6 +421,7 @@ enum EIS_BIT {
+ EIS_CULF1 = 0x00000080,
+ EIS_TFFF = 0x00000100,
+ EIS_QFS = 0x00010000,
++ EIS_RESERVED = (GENMASK(31, 17) | GENMASK(15, 11)),
+ };
+
+ /* RIC0 */
+@@ -465,6 +466,7 @@ enum RIS0_BIT {
+ RIS0_FRF15 = 0x00008000,
+ RIS0_FRF16 = 0x00010000,
+ RIS0_FRF17 = 0x00020000,
++ RIS0_RESERVED = GENMASK(31, 18),
+ };
+
+ /* RIC1 */
+@@ -521,6 +523,7 @@ enum RIS2_BIT {
+ RIS2_QFF16 = 0x00010000,
+ RIS2_QFF17 = 0x00020000,
+ RIS2_RFFF = 0x80000000,
++ RIS2_RESERVED = GENMASK(30, 18),
+ };
+
+ /* TIC */
+@@ -537,6 +540,7 @@ enum TIS_BIT {
+ TIS_FTF1 = 0x00000002, /* Undocumented? */
+ TIS_TFUF = 0x00000100,
+ TIS_TFWF = 0x00000200,
++ TIS_RESERVED = (GENMASK(31, 20) | GENMASK(15, 12) | GENMASK(7, 4))
+ };
+
+ /* ISS */
+@@ -610,6 +614,7 @@ enum GIC_BIT {
+ enum GIS_BIT {
+ GIS_PTCF = 0x00000001, /* Undocumented? */
+ GIS_PTMF = 0x00000004,
++ GIS_RESERVED = GENMASK(15, 10),
+ };
+
+ /* GIE (R-Car Gen3 only) */
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -717,10 +717,11 @@ static void ravb_error_interrupt(struct
+ u32 eis, ris2;
+
+ eis = ravb_read(ndev, EIS);
+- ravb_write(ndev, ~EIS_QFS, EIS);
++ ravb_write(ndev, ~(EIS_QFS | EIS_RESERVED), EIS);
+ if (eis & EIS_QFS) {
+ ris2 = ravb_read(ndev, RIS2);
+- ravb_write(ndev, ~(RIS2_QFF0 | RIS2_RFFF), RIS2);
++ ravb_write(ndev, ~(RIS2_QFF0 | RIS2_RFFF | RIS2_RESERVED),
++ RIS2);
+
+ /* Receive Descriptor Empty int */
+ if (ris2 & RIS2_QFF0)
+@@ -773,7 +774,7 @@ static bool ravb_timestamp_interrupt(str
+ u32 tis = ravb_read(ndev, TIS);
+
+ if (tis & TIS_TFUF) {
+- ravb_write(ndev, ~TIS_TFUF, TIS);
++ ravb_write(ndev, ~(TIS_TFUF | TIS_RESERVED), TIS);
+ ravb_get_tx_tstamp(ndev);
+ return true;
+ }
+@@ -908,7 +909,7 @@ static int ravb_poll(struct napi_struct
+ /* Processing RX Descriptor Ring */
+ if (ris0 & mask) {
+ /* Clear RX interrupt */
+- ravb_write(ndev, ~mask, RIS0);
++ ravb_write(ndev, ~(mask | RIS0_RESERVED), RIS0);
+ if (ravb_rx(ndev, "a, q))
+ goto out;
+ }
+@@ -916,7 +917,7 @@ static int ravb_poll(struct napi_struct
+ if (tis & mask) {
+ spin_lock_irqsave(&priv->lock, flags);
+ /* Clear TX interrupt */
+- ravb_write(ndev, ~mask, TIS);
++ ravb_write(ndev, ~(mask | TIS_RESERVED), TIS);
+ ravb_tx_free(ndev, q, true);
+ netif_wake_subqueue(ndev, q);
+ mmiowb();
+--- a/drivers/net/ethernet/renesas/ravb_ptp.c
++++ b/drivers/net/ethernet/renesas/ravb_ptp.c
+@@ -319,7 +319,7 @@ void ravb_ptp_interrupt(struct net_devic
+ }
+ }
+
+- ravb_write(ndev, ~gis, GIS);
++ ravb_write(ndev, ~(gis | GIS_RESERVED), GIS);
+ }
+
+ void ravb_ptp_init(struct net_device *ndev, struct platform_device *pdev)
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: James Cowgill <jcowgill@debian.org>
+Date: Thu, 6 Sep 2018 22:57:56 +0100
+Subject: RISC-V: include linux/ftrace.h in asm-prototypes.h
+
+From: James Cowgill <jcowgill@debian.org>
+
+[ Upstream commit 57a489786de9ec37d6e25ef1305dc337047f0236 ]
+
+Building a riscv kernel with CONFIG_FUNCTION_TRACER and
+CONFIG_MODVERSIONS enabled results in these two warnings:
+
+ MODPOST vmlinux.o
+WARNING: EXPORT symbol "return_to_handler" [vmlinux] version generation failed, symbol will not be versioned.
+WARNING: EXPORT symbol "_mcount" [vmlinux] version generation failed, symbol will not be versioned.
+
+When exporting symbols from an assembly file, the MODVERSIONS code
+requires their prototypes to be defined in asm-prototypes.h (see
+scripts/Makefile.build). Since both of these symbols have prototypes
+defined in linux/ftrace.h, include this header from RISC-V's
+asm-prototypes.h.
+
+Reported-by: Karsten Merker <merker@debian.org>
+Signed-off-by: James Cowgill <jcowgill@debian.org>
+Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/asm-prototypes.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+ create mode 100644 arch/riscv/include/asm/asm-prototypes.h
+
+--- /dev/null
++++ b/arch/riscv/include/asm/asm-prototypes.h
+@@ -0,0 +1,7 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++#ifndef _ASM_RISCV_PROTOTYPES_H
++
++#include <linux/ftrace.h>
++#include <asm-generic/asm-prototypes.h>
++
++#endif /* _ASM_RISCV_PROTOTYPES_H */
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Laura Abbott <labbott@redhat.com>
+Date: Tue, 11 Sep 2018 12:22:26 -0700
+Subject: scsi: ibmvscsis: Ensure partition name is properly NUL terminated
+
+From: Laura Abbott <labbott@redhat.com>
+
+[ Upstream commit adad633af7b970bfa5dd1b624a4afc83cac9b235 ]
+
+While reviewing another part of the code, Kees noticed that the strncpy of the
+partition name might not always be NUL terminated. Switch to using strscpy
+which does this safely.
+
+Reported-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
+@@ -3345,7 +3345,7 @@ static int ibmvscsis_probe(struct vio_de
+ snprintf(vscsi->eye, sizeof(vscsi->eye), "VSCSI %s", vdev->name);
+
+ vscsi->dds.unit_id = vdev->unit_address;
+- strncpy(vscsi->dds.partition_name, partition_name,
++ strscpy(vscsi->dds.partition_name, partition_name,
+ sizeof(vscsi->dds.partition_name));
+ vscsi->dds.partition_num = partition_number;
+
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Laura Abbott <labbott@redhat.com>
+Date: Tue, 11 Sep 2018 12:22:25 -0700
+Subject: scsi: ibmvscsis: Fix a stringop-overflow warning
+
+From: Laura Abbott <labbott@redhat.com>
+
+[ Upstream commit d792d4c4fc866ae224b0b0ca2aabd87d23b4d6cc ]
+
+There's currently a warning about string overflow with strncat:
+
+drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c: In function 'ibmvscsis_probe':
+drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c:3479:2: error: 'strncat' specified
+bound 64 equals destination size [-Werror=stringop-overflow=]
+ strncat(vscsi->eye, vdev->name, MAX_EYE);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Switch to a single snprintf instead of a strcpy + strcat to handle this
+cleanly.
+
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Suggested-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
+@@ -3342,8 +3342,7 @@ static int ibmvscsis_probe(struct vio_de
+ vscsi->dds.window[LOCAL].liobn,
+ vscsi->dds.window[REMOTE].liobn);
+
+- strcpy(vscsi->eye, "VSCSI ");
+- strncat(vscsi->eye, vdev->name, MAX_EYE);
++ snprintf(vscsi->eye, sizeof(vscsi->eye), "VSCSI %s", vdev->name);
+
+ vscsi->dds.unit_id = vdev->unit_address;
+ strncpy(vscsi->dds.partition_name, partition_name,
--- /dev/null
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Fri, 21 Sep 2018 09:01:01 +0200
+Subject: scsi: sd: don't crash the host on invalid commands
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+[ Upstream commit f1f1fadacaf08b7cf11714c0c29f8fa4d4ef68a9 ]
+
+When sd_init_command() get's a command with a unknown req_op() it crashes the
+system via BUG().
+
+This makes debugging the actual reason for the broken request cmd_flags pretty
+hard as the system is down before it's able to write out debugging data on the
+serial console or the trace buffer.
+
+Change the BUG() to a WARN_ON() and return BLKPREP_KILL to fail gracefully and
+return an I/O error to the producer of the request.
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: Bart Van Assche <bvanassche@acm.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -1158,7 +1158,8 @@ static int sd_init_command(struct scsi_c
+ case REQ_OP_WRITE:
+ return sd_setup_read_write_cmnd(cmd);
+ default:
+- BUG();
++ WARN_ON_ONCE(1);
++ return BLKPREP_KILL;
+ }
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
