--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 15 Oct 2017 21:24:49 +0200
+Subject: ACPI / bus: Leave modalias empty for devices which are not present
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit 10809bb976648ac58194a629e3d7af99e7400297 ]
+
+Most Bay and Cherry Trail devices use a generic DSDT with all possible
+peripheral devices present in the DSDT, with their _STA returning 0x00 or
+0x0f based on AML variables which describe what is actually present on
+the board.
+
+Since ACPI device objects with a 0x00 status (not present) still get an
+entry under /sys/bus/acpi/devices, and those entry had an acpi:PNPID
+modalias, userspace would end up loading modules for non present hardware.
+
+This commit fixes this by leaving the modalias empty for non present
+devices. This results in 10 modules less being loaded with a generic
+distro kernel config on my Cherry Trail test-device (a GPD pocket).
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/device_sysfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/acpi/device_sysfs.c b/drivers/acpi/device_sysfs.c
+index 7b2c48fde4e2..201c7ceb7052 100644
+--- a/drivers/acpi/device_sysfs.c
++++ b/drivers/acpi/device_sysfs.c
+@@ -146,6 +146,10 @@ static int create_pnp_modalias(struct acpi_device *acpi_dev, char *modalias,
+ int count;
+ struct acpi_hardware_id *id;
+
++ /* Avoid unnecessarily loading modules for non present devices. */
++ if (!acpi_device_is_present(acpi_dev))
++ return 0;
++
+ /*
+ * Since we skip ACPI_DT_NAMESPACE_HID from the modalias below, 0 should
+ * be returned if ACPI_DT_NAMESPACE_HID is the only ACPI/PNP ID in the
+--
+2.16.1
+
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Tue, 7 Nov 2017 11:10:29 -0800
+Subject: ARM: dts: NSP: Fix PPI interrupt types
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+
+[ Upstream commit 5f1aa51c7a1eef1c5a60b8334e32c89904964245 ]
+
+Booting a kernel results in the kernel warning us about the following
+PPI interrupts configuration:
+[ 0.105127] smp: Bringing up secondary CPUs ...
+[ 0.110545] GIC: PPI11 is secure or misconfigured
+[ 0.110551] GIC: PPI13 is secure or misconfigured
+
+Fix this by using the appropriate edge configuration for PPI11 and
+PPI13, this is similar to what was fixed for Northstar (BCM5301X) in
+commit 0e34079cd1f6 ("ARM: dts: BCM5301X: Correct GIC_PPI interrupt
+flags").
+
+Fixes: 7b2e987de207 ("ARM: NSP: add minimal Northstar Plus device tree")
+Fixes: 1a9d53cabaf4 ("ARM: dts: NSP: Add TWD Support to DT")
+Acked-by: Jon Mason <jon.mason@broadcom.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/bcm-nsp.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/bcm-nsp.dtsi
++++ b/arch/arm/boot/dts/bcm-nsp.dtsi
+@@ -85,7 +85,7 @@
+ timer@20200 {
+ compatible = "arm,cortex-a9-global-timer";
+ reg = <0x20200 0x100>;
+- interrupts = <GIC_PPI 11 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_PPI 11 IRQ_TYPE_EDGE_RISING>;
+ clocks = <&periph_clk>;
+ };
+
+@@ -93,7 +93,7 @@
+ compatible = "arm,cortex-a9-twd-timer";
+ reg = <0x20600 0x20>;
+ interrupts = <GIC_PPI 13 (GIC_CPU_MASK_SIMPLE(2) |
+- IRQ_TYPE_LEVEL_HIGH)>;
++ IRQ_TYPE_EDGE_RISING)>;
+ clocks = <&periph_clk>;
+ };
+
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Thomas Meyer <thomas@m3y3r.de>
+Date: Thu, 10 Aug 2017 10:53:53 +0200
+Subject: auxdisplay: img-ascii-lcd: Only build on archs that have IOMEM
+
+From: Thomas Meyer <thomas@m3y3r.de>
+
+
+[ Upstream commit 141cbfba1d0502006463aa80f57c64086226af1a ]
+
+This avoids the MODPOST error:
+
+ ERROR: "devm_ioremap_resource" [drivers/auxdisplay/img-ascii-lcd.ko] undefined!
+
+Signed-off-by: Thomas Meyer <thomas@m3y3r.de>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/auxdisplay/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/auxdisplay/Kconfig
++++ b/drivers/auxdisplay/Kconfig
+@@ -121,6 +121,7 @@ config CFAG12864B_RATE
+
+ config IMG_ASCII_LCD
+ tristate "Imagination Technologies ASCII LCD Display"
++ depends on HAS_IOMEM
+ default y if MIPS_MALTA || MIPS_SEAD3
+ select SYSCON
+ help
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Michael Lyle <mlyle@lyle.org>
+Date: Fri, 24 Nov 2017 15:14:27 -0800
+Subject: bcache: check return value of register_shrinker
+
+From: Michael Lyle <mlyle@lyle.org>
+
+
+[ Upstream commit 6c4ca1e36cdc1a0a7a84797804b87920ccbebf51 ]
+
+register_shrinker is now __must_check, so check it to kill a warning.
+Caller of bch_btree_cache_alloc in super.c appropriately checks return
+value so this is fully plumbed through.
+
+This V2 fixes checkpatch warnings and improves the commit description,
+as I was too hasty getting the previous version out.
+
+Signed-off-by: Michael Lyle <mlyle@lyle.org>
+Reviewed-by: Vojtech Pavlik <vojtech@suse.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/btree.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -803,7 +803,10 @@ int bch_btree_cache_alloc(struct cache_s
+ c->shrink.scan_objects = bch_mca_scan;
+ c->shrink.seeks = 4;
+ c->shrink.batch = c->btree_pages * 2;
+- register_shrinker(&c->shrink);
++
++ if (register_shrinker(&c->shrink))
++ pr_warn("bcache: %s: could not register shrinker",
++ __func__);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Tue, 21 Nov 2017 20:46:49 +0100
+Subject: bnxt_en: Fix an error handling path in 'bnxt_get_module_eeprom()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit dea521a2b9f96e905fa2bb2f95e23ec00c2ec436 ]
+
+Error code returned by 'bnxt_read_sfp_module_eeprom_info()' is handled a
+few lines above when reading the A0 portion of the EEPROM.
+The same should be done when reading the A2 portion of the EEPROM.
+
+In order to correctly propagate an error, update 'rc' in this 2nd call as
+well, otherwise 0 (success) is returned.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -1843,8 +1843,8 @@ static int bnxt_get_module_eeprom(struct
+ /* Read A2 portion of the EEPROM */
+ if (length) {
+ start -= ETH_MODULE_SFF_8436_LEN;
+- bnxt_read_sfp_module_eeprom_info(bp, I2C_DEV_ADDR_A2, 1, start,
+- length, data);
++ rc = bnxt_read_sfp_module_eeprom_info(bp, I2C_DEV_ADDR_A2, 1,
++ start, length, data);
+ }
+ return rc;
+ }
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Josef Bacik <jbacik@fb.com>
+Date: Wed, 15 Nov 2017 16:20:52 -0500
+Subject: btrfs: fix deadlock when writing out space cache
+
+From: Josef Bacik <jbacik@fb.com>
+
+
+[ Upstream commit b77000ed558daa3bef0899d29bf171b8c9b5e6a8 ]
+
+If we fail to prepare our pages for whatever reason (out of memory in
+our case) we need to make sure to drop the block_group->data_rwsem,
+otherwise hilarity ensues.
+
+Signed-off-by: Josef Bacik <jbacik@fb.com>
+Reviewed-by: Omar Sandoval <osandov@fb.com>
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ add label and use existing unlocking code ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/free-space-cache.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/free-space-cache.c
++++ b/fs/btrfs/free-space-cache.c
+@@ -1253,7 +1253,7 @@ static int __btrfs_write_out_cache(struc
+ /* Lock all pages first so we can lock the extent safely. */
+ ret = io_ctl_prepare_pages(io_ctl, inode, 0);
+ if (ret)
+- goto out;
++ goto out_unlock;
+
+ lock_extent_bits(&BTRFS_I(inode)->io_tree, 0, i_size_read(inode) - 1,
+ &cached_state);
+@@ -1346,6 +1346,7 @@ out_nospc_locked:
+ out_nospc:
+ cleanup_write_cache_enospc(inode, io_ctl, &cached_state, &bitmap_list);
+
++out_unlock:
+ if (block_group && (block_group->flags & BTRFS_BLOCK_GROUP_DATA))
+ up_write(&block_group->data_rwsem);
+
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: James Hogan <jhogan@kernel.org>
+Date: Wed, 15 Nov 2017 21:17:55 +0000
+Subject: cpufreq: Add Loongson machine dependencies
+
+From: James Hogan <jhogan@kernel.org>
+
+
+[ Upstream commit 0d307935fefa6389eb726c6362351c162c949101 ]
+
+The MIPS loongson cpufreq drivers don't build unless configured for the
+correct machine type, due to dependency on machine specific architecture
+headers and symbols in machine specific platform code.
+
+More specifically loongson1-cpufreq.c uses RST_CPU_EN and RST_CPU,
+neither of which is defined in asm/mach-loongson32/regs-clk.h unless
+CONFIG_LOONGSON1_LS1B=y, and loongson2_cpufreq.c references
+loongson2_clockmod_table[], which is only defined in
+arch/mips/loongson64/lemote-2f/clock.c, i.e. when
+CONFIG_LEMOTE_MACH2F=y.
+
+Add these dependencies to Kconfig to avoid randconfig / allyesconfig
+build failures (e.g. when based on BMIPS which also has a cpufreq
+driver).
+
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/cpufreq/Kconfig
++++ b/drivers/cpufreq/Kconfig
+@@ -273,6 +273,7 @@ endif
+ if MIPS
+ config LOONGSON2_CPUFREQ
+ tristate "Loongson2 CPUFreq Driver"
++ depends on LEMOTE_MACH2F
+ help
+ This option adds a CPUFreq driver for loongson processors which
+ support software configurable cpu frequency.
+@@ -285,6 +286,7 @@ config LOONGSON2_CPUFREQ
+
+ config LOONGSON1_CPUFREQ
+ tristate "Loongson1 CPUFreq Driver"
++ depends on LOONGSON1_LS1B
+ help
+ This option adds a CPUFreq driver for loongson1 processors which
+ support software configurable cpu frequency.
--- /dev/null
+From foo@baz Thu Feb 1 13:58:04 CET 2018
+From: Abhishek Goel <huntbag@linux.vnet.ibm.com>
+Date: Wed, 15 Nov 2017 14:10:02 +0530
+Subject: cpupower : Fix cpupower working when cpu0 is offline
+
+From: Abhishek Goel <huntbag@linux.vnet.ibm.com>
+
+
+[ Upstream commit dbdc468f35ee827cab2753caa1c660bdb832243a ]
+
+cpuidle_monitor used to assume that cpu0 is always online which is not
+a valid assumption on POWER machines. This patch fixes this by getting
+the cpu on which the current thread is running, instead of always using
+cpu0 for monitoring which may not be online.
+
+Signed-off-by: Abhishek Goel <huntbag@linux.vnet.ibm.com>
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/power/cpupower/utils/idle_monitor/cpuidle_sysfs.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/tools/power/cpupower/utils/idle_monitor/cpuidle_sysfs.c
++++ b/tools/power/cpupower/utils/idle_monitor/cpuidle_sysfs.c
+@@ -130,15 +130,18 @@ static struct cpuidle_monitor *cpuidle_r
+ {
+ int num;
+ char *tmp;
++ int this_cpu;
++
++ this_cpu = sched_getcpu();
+
+ /* Assume idle state count is the same for all CPUs */
+- cpuidle_sysfs_monitor.hw_states_num = cpuidle_state_count(0);
++ cpuidle_sysfs_monitor.hw_states_num = cpuidle_state_count(this_cpu);
+
+ if (cpuidle_sysfs_monitor.hw_states_num <= 0)
+ return NULL;
+
+ for (num = 0; num < cpuidle_sysfs_monitor.hw_states_num; num++) {
+- tmp = cpuidle_state_name(0, num);
++ tmp = cpuidle_state_name(this_cpu, num);
+ if (tmp == NULL)
+ continue;
+
+@@ -146,7 +149,7 @@ static struct cpuidle_monitor *cpuidle_r
+ strncpy(cpuidle_cstates[num].name, tmp, CSTATE_NAME_LEN - 1);
+ free(tmp);
+
+- tmp = cpuidle_state_desc(0, num);
++ tmp = cpuidle_state_desc(this_cpu, num);
+ if (tmp == NULL)
+ continue;
+ strncpy(cpuidle_cstates[num].desc, tmp, CSTATE_DESC_LEN - 1);
--- /dev/null
+From foo@baz Thu Feb 1 13:58:04 CET 2018
+From: Abhishek Goel <huntbag@linux.vnet.ibm.com>
+Date: Tue, 7 Nov 2017 15:17:55 +0530
+Subject: cpupowerutils: bench - Fix cpu online check
+
+From: Abhishek Goel <huntbag@linux.vnet.ibm.com>
+
+
+[ Upstream commit 53d1cd6b125fb9d69303516a1179ebc3b72f797a ]
+
+cpupower_is_cpu_online was incorrectly checking for 0. This patch fixes
+this by checking for 1 when the cpu is online.
+
+Signed-off-by: Abhishek Goel <huntbag@linux.vnet.ibm.com>
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/power/cpupower/bench/system.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/power/cpupower/bench/system.c
++++ b/tools/power/cpupower/bench/system.c
+@@ -61,7 +61,7 @@ int set_cpufreq_governor(char *governor,
+
+ dprintf("set %s as cpufreq governor\n", governor);
+
+- if (cpupower_is_cpu_online(cpu) != 0) {
++ if (cpupower_is_cpu_online(cpu) != 1) {
+ perror("cpufreq_cpu_exists");
+ fprintf(stderr, "error: cpu %u does not exist\n", cpu);
+ return -1;
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: "Christian König" <christian.koenig@amd.com>
+Date: Fri, 24 Nov 2017 11:39:30 +0100
+Subject: drm/amdgpu: don't try to move pinned BOs
+
+From: "Christian König" <christian.koenig@amd.com>
+
+
+[ Upstream commit 6edc6910ba4cd6eab309263539c8f09b8ad772bf ]
+
+Never try to move pinned BOs during CS.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+@@ -416,6 +416,10 @@ static bool amdgpu_cs_try_evict(struct a
+ if (candidate == lobj)
+ break;
+
++ /* We can't move pinned BOs here */
++ if (bo->pin_count)
++ continue;
++
+ other = amdgpu_mem_type_to_domain(bo->tbo.mem.mem_type);
+
+ /* Check if this BO is in one of the domains we need space for */
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+Date: Wed, 1 Nov 2017 19:21:55 -0400
+Subject: drm/amdgpu: Fix SDMA load/unload sequence on HWS disabled mode
+
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+
+
+[ Upstream commit cf21654b40968609779751b34e7923180968fe5b ]
+
+Fix the SDMA load and unload sequence as suggested by HW document.
+
+Signed-off-by: shaoyun liu <shaoyun.liu@amd.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Acked-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c | 47 +++++++++++++++-------
+ 1 file changed, 34 insertions(+), 13 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c
+@@ -367,29 +367,50 @@ static int kgd_hqd_sdma_load(struct kgd_
+ {
+ struct amdgpu_device *adev = get_amdgpu_device(kgd);
+ struct cik_sdma_rlc_registers *m;
++ unsigned long end_jiffies;
+ uint32_t sdma_base_addr;
++ uint32_t data;
+
+ m = get_sdma_mqd(mqd);
+ sdma_base_addr = get_sdma_base_addr(m);
+
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_VIRTUAL_ADDR,
+- m->sdma_rlc_virtual_addr);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL,
++ m->sdma_rlc_rb_cntl & (~SDMA0_RLC0_RB_CNTL__RB_ENABLE_MASK));
+
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE,
+- m->sdma_rlc_rb_base);
++ end_jiffies = msecs_to_jiffies(2000) + jiffies;
++ while (true) {
++ data = RREG32(sdma_base_addr + mmSDMA0_RLC0_CONTEXT_STATUS);
++ if (data & SDMA0_RLC0_CONTEXT_STATUS__IDLE_MASK)
++ break;
++ if (time_after(jiffies, end_jiffies))
++ return -ETIME;
++ usleep_range(500, 1000);
++ }
++ if (m->sdma_engine_id) {
++ data = RREG32(mmSDMA1_GFX_CONTEXT_CNTL);
++ data = REG_SET_FIELD(data, SDMA1_GFX_CONTEXT_CNTL,
++ RESUME_CTX, 0);
++ WREG32(mmSDMA1_GFX_CONTEXT_CNTL, data);
++ } else {
++ data = RREG32(mmSDMA0_GFX_CONTEXT_CNTL);
++ data = REG_SET_FIELD(data, SDMA0_GFX_CONTEXT_CNTL,
++ RESUME_CTX, 0);
++ WREG32(mmSDMA0_GFX_CONTEXT_CNTL, data);
++ }
+
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_DOORBELL,
++ m->sdma_rlc_doorbell);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR, 0);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_WPTR, 0);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_VIRTUAL_ADDR,
++ m->sdma_rlc_virtual_addr);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE, m->sdma_rlc_rb_base);
+ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE_HI,
+ m->sdma_rlc_rb_base_hi);
+-
+ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR_ADDR_LO,
+ m->sdma_rlc_rb_rptr_addr_lo);
+-
+ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR_ADDR_HI,
+ m->sdma_rlc_rb_rptr_addr_hi);
+-
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_DOORBELL,
+- m->sdma_rlc_doorbell);
+-
+ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL,
+ m->sdma_rlc_rb_cntl);
+
+@@ -493,9 +514,9 @@ static int kgd_hqd_sdma_destroy(struct k
+ }
+
+ WREG32(sdma_base_addr + mmSDMA0_RLC0_DOORBELL, 0);
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR, 0);
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_WPTR, 0);
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE, 0);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL,
++ RREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL) |
++ SDMA0_RLC0_RB_CNTL__RB_ENABLE_MASK);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+Date: Wed, 1 Nov 2017 19:21:57 -0400
+Subject: drm/amdkfd: Fix SDMA oversubsription handling
+
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+
+
+[ Upstream commit 8c946b8988acec785bcf67088b6bd0747f36d2d3 ]
+
+SDMA only supports a fixed number of queues. HWS cannot handle
+oversubscription.
+
+Signed-off-by: shaoyun liu <shaoyun.liu@amd.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 18 +++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+@@ -205,6 +205,24 @@ int pqm_create_queue(struct process_queu
+
+ switch (type) {
+ case KFD_QUEUE_TYPE_SDMA:
++ if (dev->dqm->queue_count >=
++ CIK_SDMA_QUEUES_PER_ENGINE * CIK_SDMA_ENGINE_NUM) {
++ pr_err("Over-subscription is not allowed for SDMA.\n");
++ retval = -EPERM;
++ goto err_create_queue;
++ }
++
++ retval = create_cp_queue(pqm, dev, &q, properties, f, *qid);
++ if (retval != 0)
++ goto err_create_queue;
++ pqn->q = q;
++ pqn->kq = NULL;
++ retval = dev->dqm->ops.create_queue(dev->dqm, q, &pdd->qpd,
++ &q->properties.vmid);
++ pr_debug("DQM returned %d for create_queue\n", retval);
++ print_queue(q);
++ break;
++
+ case KFD_QUEUE_TYPE_COMPUTE:
+ /* check if there is over subscription */
+ if ((sched_policy == KFD_SCHED_POLICY_HWS_NO_OVERSUBSCRIPTION) &&
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: shaoyunl <Shaoyun.Liu@amd.com>
+Date: Wed, 1 Nov 2017 19:21:56 -0400
+Subject: drm/amdkfd: Fix SDMA ring buffer size calculation
+
+From: shaoyunl <Shaoyun.Liu@amd.com>
+
+
+[ Upstream commit d12fb13f23199faa7e536acec1db49068e5a067d ]
+
+ffs function return the position of the first bit set on 1 based.
+(bit zero returns 1).
+
+Signed-off-by: shaoyun liu <shaoyun.liu@amd.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c
+@@ -215,8 +215,8 @@ static int update_mqd_sdma(struct mqd_ma
+ BUG_ON(!mm || !mqd || !q);
+
+ m = get_sdma_mqd(mqd);
+- m->sdma_rlc_rb_cntl = ffs(q->queue_size / sizeof(unsigned int)) <<
+- SDMA0_RLC0_RB_CNTL__RB_SIZE__SHIFT |
++ m->sdma_rlc_rb_cntl = (ffs(q->queue_size / sizeof(unsigned int)) - 1)
++ << SDMA0_RLC0_RB_CNTL__RB_SIZE__SHIFT |
+ q->vmid << SDMA0_RLC0_RB_CNTL__RB_VMID__SHIFT |
+ 1 << SDMA0_RLC0_RB_CNTL__RPTR_WRITEBACK_ENABLE__SHIFT |
+ 6 << SDMA0_RLC0_RB_CNTL__RPTR_WRITEBACK_TIMER__SHIFT;
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+Date: Tue, 7 Nov 2017 19:56:19 +0300
+Subject: drm/bridge: tc358767: do no fail on hi-res displays
+
+From: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+
+
+[ Upstream commit cffd2b16c01c3431a7a7dd62e722af33490fc436 ]
+
+Do not fail data rates higher than 2.7 and more than 2 lanes.
+Try to fall back to 2.7Gbps and 2 lanes.
+
+Acked-by: Philipp Zabel <p.zabel@pengutronix.de>
+Reviewed-by: Andrzej Hajda <a.hajda@samsung.com>
+Signed-off-by: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1510073785-16108-2-git-send-email-andrey.gusakov@cogentembedded.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/tc358767.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/tc358767.c
++++ b/drivers/gpu/drm/bridge/tc358767.c
+@@ -603,8 +603,15 @@ static int tc_get_display_props(struct t
+ ret = drm_dp_link_probe(&tc->aux, &tc->link.base);
+ if (ret < 0)
+ goto err_dpcd_read;
+- if ((tc->link.base.rate != 162000) && (tc->link.base.rate != 270000))
+- goto err_dpcd_inval;
++ if (tc->link.base.rate != 162000 && tc->link.base.rate != 270000) {
++ dev_dbg(tc->dev, "Falling to 2.7 Gbps rate\n");
++ tc->link.base.rate = 270000;
++ }
++
++ if (tc->link.base.num_lanes > 2) {
++ dev_dbg(tc->dev, "Falling to 2 lanes\n");
++ tc->link.base.num_lanes = 2;
++ }
+
+ ret = drm_dp_dpcd_readb(&tc->aux, DP_MAX_DOWNSPREAD, tmp);
+ if (ret < 0)
+@@ -637,9 +644,6 @@ static int tc_get_display_props(struct t
+ err_dpcd_read:
+ dev_err(tc->dev, "failed to read DPCD: %d\n", ret);
+ return ret;
+-err_dpcd_inval:
+- dev_err(tc->dev, "invalid DPCD\n");
+- return -EINVAL;
+ }
+
+ static int tc_set_video_mode(struct tc_data *tc, struct drm_display_mode *mode)
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+Date: Tue, 7 Nov 2017 19:56:20 +0300
+Subject: drm/bridge: tc358767: filter out too high modes
+
+From: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+
+
+[ Upstream commit 99fc8e963a4c0203dba26a77cf737db6081bca14 ]
+
+Pixel clock limitation for DPI is 154 MHz. Do not accept modes
+with higher pixel clock rate.
+
+Reviewed-by: Andrzej Hajda <a.hajda@samsung.com>
+Signed-off-by: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1510073785-16108-3-git-send-email-andrey.gusakov@cogentembedded.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/tc358767.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/bridge/tc358767.c
++++ b/drivers/gpu/drm/bridge/tc358767.c
+@@ -1109,7 +1109,10 @@ static bool tc_bridge_mode_fixup(struct
+ static int tc_connector_mode_valid(struct drm_connector *connector,
+ struct drm_display_mode *mode)
+ {
+- /* Accept any mode */
++ /* DPI interface clock limitation: upto 154 MHz */
++ if (mode->clock > 154000)
++ return MODE_CLOCK_HIGH;
++
+ return MODE_OK;
+ }
+
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+Date: Tue, 7 Nov 2017 19:56:24 +0300
+Subject: drm/bridge: tc358767: fix 1-lane behavior
+
+From: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+
+
+[ Upstream commit 4dbd6c03fbf88299c573d676838896c6e06aade2 ]
+
+Use drm_dp_channel_eq_ok helper
+
+Acked-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1510073785-16108-7-git-send-email-andrey.gusakov@cogentembedded.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/tc358767.c | 13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/tc358767.c
++++ b/drivers/gpu/drm/bridge/tc358767.c
+@@ -819,8 +819,6 @@ static int tc_main_link_setup(struct tc_
+ unsigned int rate;
+ u32 dp_phy_ctrl;
+ int timeout;
+- bool aligned;
+- bool ready;
+ u32 value;
+ int ret;
+ u8 tmp[8];
+@@ -965,16 +963,15 @@ static int tc_main_link_setup(struct tc_
+ ret = drm_dp_dpcd_read_link_status(aux, tmp + 2);
+ if (ret < 0)
+ goto err_dpcd_read;
+- ready = (tmp[2] == ((DP_CHANNEL_EQ_BITS << 4) | /* Lane1 */
+- DP_CHANNEL_EQ_BITS)); /* Lane0 */
+- aligned = tmp[4] & DP_INTERLANE_ALIGN_DONE;
+- } while ((--timeout) && !(ready && aligned));
++ } while ((--timeout) &&
++ !(drm_dp_channel_eq_ok(tmp + 2, tc->link.base.num_lanes)));
+
+ if (timeout == 0) {
+ /* Read DPCD 0x200-0x201 */
+ ret = drm_dp_dpcd_read(aux, DP_SINK_COUNT, tmp, 2);
+ if (ret < 0)
+ goto err_dpcd_read;
++ dev_err(dev, "channel(s) EQ not ok\n");
+ dev_info(dev, "0x0200 SINK_COUNT: 0x%02x\n", tmp[0]);
+ dev_info(dev, "0x0201 DEVICE_SERVICE_IRQ_VECTOR: 0x%02x\n",
+ tmp[1]);
+@@ -985,10 +982,6 @@ static int tc_main_link_setup(struct tc_
+ dev_info(dev, "0x0206 ADJUST_REQUEST_LANE0_1: 0x%02x\n",
+ tmp[6]);
+
+- if (!ready)
+- dev_err(dev, "Lane0/1 not ready\n");
+- if (!aligned)
+- dev_err(dev, "Lane0/1 not aligned\n");
+ return -EAGAIN;
+ }
+
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+Date: Tue, 7 Nov 2017 19:56:23 +0300
+Subject: drm/bridge: tc358767: fix AUXDATAn registers access
+
+From: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+
+
+[ Upstream commit 9217c1abbc145a77d65c476cf2004a3df02104c7 ]
+
+First four bytes should go to DP0_AUXWDATA0. Due to bug if
+len > 4 first four bytes was writen to DP0_AUXWDATA1 and all
+data get shifted by 4 bytes. Fix it.
+
+Acked-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1510073785-16108-6-git-send-email-andrey.gusakov@cogentembedded.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/tc358767.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/bridge/tc358767.c
++++ b/drivers/gpu/drm/bridge/tc358767.c
+@@ -318,7 +318,7 @@ static ssize_t tc_aux_transfer(struct dr
+ tmp = (tmp << 8) | buf[i];
+ i++;
+ if (((i % 4) == 0) || (i == size)) {
+- tc_write(DP0_AUXWDATA(i >> 2), tmp);
++ tc_write(DP0_AUXWDATA((i - 1) >> 2), tmp);
+ tmp = 0;
+ }
+ }
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+Date: Tue, 7 Nov 2017 19:56:21 +0300
+Subject: drm/bridge: tc358767: fix DP0_MISC register set
+
+From: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+
+
+[ Upstream commit f3b8adbe1911f66fd3cab1aaa74f0f66b7ceda25 ]
+
+Remove shift from TU_SIZE_RECOMMENDED define as it used to
+calculate max_tu_symbols.
+
+Acked-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1510073785-16108-4-git-send-email-andrey.gusakov@cogentembedded.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/tc358767.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/tc358767.c
++++ b/drivers/gpu/drm/bridge/tc358767.c
+@@ -97,7 +97,7 @@
+ #define DP0_ACTIVEVAL 0x0650
+ #define DP0_SYNCVAL 0x0654
+ #define DP0_MISC 0x0658
+-#define TU_SIZE_RECOMMENDED (0x3f << 16) /* LSCLK cycles per TU */
++#define TU_SIZE_RECOMMENDED (63) /* LSCLK cycles per TU */
+ #define BPC_6 (0 << 5)
+ #define BPC_8 (1 << 5)
+
+@@ -716,7 +716,8 @@ static int tc_set_video_mode(struct tc_d
+ * Must be less than tu_size.
+ */
+ max_tu_symbol = TU_SIZE_RECOMMENDED - 1;
+- tc_write(DP0_MISC, (max_tu_symbol << 23) | TU_SIZE_RECOMMENDED | BPC_8);
++ tc_write(DP0_MISC, (max_tu_symbol << 23) | (TU_SIZE_RECOMMENDED << 16) |
++ BPC_8);
+
+ return 0;
+ err:
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+Date: Tue, 7 Nov 2017 19:56:22 +0300
+Subject: drm/bridge: tc358767: fix timing calculations
+
+From: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+
+
+[ Upstream commit 66d1c3b94d5d59e4325e61a78d520f92c043d645 ]
+
+Fields in HTIM01 and HTIM02 regs should be even.
+Recomended thresh_dly value is max_tu_symbol.
+Remove set of VPCTRL0.VSDELAY as it is related to DSI input
+interface. Currently driver supports only DPI.
+
+Acked-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1510073785-16108-5-git-send-email-andrey.gusakov@cogentembedded.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/tc358767.c | 34 ++++++++++++++++++++--------------
+ 1 file changed, 20 insertions(+), 14 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/tc358767.c
++++ b/drivers/gpu/drm/bridge/tc358767.c
+@@ -659,6 +659,14 @@ static int tc_set_video_mode(struct tc_d
+ int lower_margin = mode->vsync_start - mode->vdisplay;
+ int vsync_len = mode->vsync_end - mode->vsync_start;
+
++ /*
++ * Recommended maximum number of symbols transferred in a transfer unit:
++ * DIV_ROUND_UP((input active video bandwidth in bytes) * tu_size,
++ * (output active video bandwidth in bytes))
++ * Must be less than tu_size.
++ */
++ max_tu_symbol = TU_SIZE_RECOMMENDED - 1;
++
+ dev_dbg(tc->dev, "set mode %dx%d\n",
+ mode->hdisplay, mode->vdisplay);
+ dev_dbg(tc->dev, "H margin %d,%d sync %d\n",
+@@ -668,13 +676,18 @@ static int tc_set_video_mode(struct tc_d
+ dev_dbg(tc->dev, "total: %dx%d\n", mode->htotal, mode->vtotal);
+
+
+- /* LCD Ctl Frame Size */
+- tc_write(VPCTRL0, (0x40 << 20) /* VSDELAY */ |
++ /*
++ * LCD Ctl Frame Size
++ * datasheet is not clear of vsdelay in case of DPI
++ * assume we do not need any delay when DPI is a source of
++ * sync signals
++ */
++ tc_write(VPCTRL0, (0 << 20) /* VSDELAY */ |
+ OPXLFMT_RGB888 | FRMSYNC_DISABLED | MSF_DISABLED);
+- tc_write(HTIM01, (left_margin << 16) | /* H back porch */
+- (hsync_len << 0)); /* Hsync */
+- tc_write(HTIM02, (right_margin << 16) | /* H front porch */
+- (mode->hdisplay << 0)); /* width */
++ tc_write(HTIM01, (ALIGN(left_margin, 2) << 16) | /* H back porch */
++ (ALIGN(hsync_len, 2) << 0)); /* Hsync */
++ tc_write(HTIM02, (ALIGN(right_margin, 2) << 16) | /* H front porch */
++ (ALIGN(mode->hdisplay, 2) << 0)); /* width */
+ tc_write(VTIM01, (upper_margin << 16) | /* V back porch */
+ (vsync_len << 0)); /* Vsync */
+ tc_write(VTIM02, (lower_margin << 16) | /* V front porch */
+@@ -693,7 +706,7 @@ static int tc_set_video_mode(struct tc_d
+ /* DP Main Stream Attributes */
+ vid_sync_dly = hsync_len + left_margin + mode->hdisplay;
+ tc_write(DP0_VIDSYNCDELAY,
+- (0x003e << 16) | /* thresh_dly */
++ (max_tu_symbol << 16) | /* thresh_dly */
+ (vid_sync_dly << 0));
+
+ tc_write(DP0_TOTALVAL, (mode->vtotal << 16) | (mode->htotal));
+@@ -709,13 +722,6 @@ static int tc_set_video_mode(struct tc_d
+ tc_write(DPIPXLFMT, VS_POL_ACTIVE_LOW | HS_POL_ACTIVE_LOW |
+ DE_POL_ACTIVE_HIGH | SUB_CFG_TYPE_CONFIG1 | DPI_BPP_RGB888);
+
+- /*
+- * Recommended maximum number of symbols transferred in a transfer unit:
+- * DIV_ROUND_UP((input active video bandwidth in bytes) * tu_size,
+- * (output active video bandwidth in bytes))
+- * Must be less than tu_size.
+- */
+- max_tu_symbol = TU_SIZE_RECOMMENDED - 1;
+ tc_write(DP0_MISC, (max_tu_symbol << 23) | (TU_SIZE_RECOMMENDED << 16) |
+ BPC_8);
+
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 24 Sep 2017 08:01:03 +0200
+Subject: drm/omap: Fix error handling path in 'omap_dmm_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 8677b1ac2db021ab30bb1fa34f1e56ebe0051ec3 ]
+
+If we don't find a matching device node, we must free the memory allocated
+in 'omap_dmm' a few lines above.
+
+Fixes: 7cb0d6c17b96 ("drm/omap: fix TILER on OMAP5")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
+@@ -638,7 +638,8 @@ static int omap_dmm_probe(struct platfor
+ match = of_match_node(dmm_of_match, dev->dev.of_node);
+ if (!match) {
+ dev_err(&dev->dev, "failed to find matching device node\n");
+- return -ENODEV;
++ ret = -ENODEV;
++ goto fail;
+ }
+
+ omap_dmm->plat_data = match->data;
--- /dev/null
+From foo@baz Thu Feb 1 13:58:04 CET 2018
+From: Stefan Schake <stschake@gmail.com>
+Date: Fri, 10 Nov 2017 02:05:06 +0100
+Subject: drm/vc4: Account for interrupts in flight
+
+From: Stefan Schake <stschake@gmail.com>
+
+
+[ Upstream commit 253696ccd613fbdaa5aba1de44c461a058e0a114 ]
+
+Synchronously disable the IRQ to make the following cancel_work_sync
+invocation effective.
+
+An interrupt in flight could enqueue further overflow mem work. As we
+free the binner BO immediately following vc4_irq_uninstall this caused
+a NULL pointer dereference in the work callback vc4_overflow_mem_work.
+
+Link: https://github.com/anholt/linux/issues/114
+Signed-off-by: Stefan Schake <stschake@gmail.com>
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/1510275907-993-2-git-send-email-stschake@gmail.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vc4/vc4_irq.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/vc4/vc4_irq.c
++++ b/drivers/gpu/drm/vc4/vc4_irq.c
+@@ -208,6 +208,9 @@ vc4_irq_postinstall(struct drm_device *d
+ {
+ struct vc4_dev *vc4 = to_vc4_dev(dev);
+
++ /* Undo the effects of a previous vc4_irq_uninstall. */
++ enable_irq(dev->irq);
++
+ /* Enable both the render done and out of memory interrupts. */
+ V3D_WRITE(V3D_INTENA, V3D_DRIVER_IRQS);
+
+@@ -225,6 +228,9 @@ vc4_irq_uninstall(struct drm_device *dev
+ /* Clear any pending interrupts we might have left. */
+ V3D_WRITE(V3D_INTCTL, V3D_DRIVER_IRQS);
+
++ /* Finish any interrupt handler still in flight. */
++ disable_irq(dev->irq);
++
+ cancel_work_sync(&vc4->overflow_mem_work);
+ }
+
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Stefan Schake <stschake@gmail.com>
+Date: Fri, 29 Dec 2017 17:05:43 +0100
+Subject: drm/vc4: Move IRQ enable to PM path
+
+From: Stefan Schake <stschake@gmail.com>
+
+
+[ Upstream commit ce9caf2f79a5aa170a4b6456a03db639eed9c988 ]
+
+We were calling enable_irq on bind, where it was already enabled previously
+by the IRQ helper. Additionally, dev->irq is not set correctly until after
+postinstall and so was always zero here, triggering a warning in 4.15.
+Fix both by moving the enable to the power management resume path, where we
+know there was a previous disable invocation during suspend.
+
+Fixes: 253696ccd613 ("drm/vc4: Account for interrupts in flight")
+Signed-off-by: Stefan Schake <stschake@gmail.com>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/1514563543-32511-1-git-send-email-stschake@gmail.com
+Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vc4/vc4_irq.c | 3 ---
+ drivers/gpu/drm/vc4/vc4_v3d.c | 3 +++
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/vc4/vc4_irq.c
++++ b/drivers/gpu/drm/vc4/vc4_irq.c
+@@ -208,9 +208,6 @@ vc4_irq_postinstall(struct drm_device *d
+ {
+ struct vc4_dev *vc4 = to_vc4_dev(dev);
+
+- /* Undo the effects of a previous vc4_irq_uninstall. */
+- enable_irq(dev->irq);
+-
+ /* Enable both the render done and out of memory interrupts. */
+ V3D_WRITE(V3D_INTENA, V3D_DRIVER_IRQS);
+
+--- a/drivers/gpu/drm/vc4/vc4_v3d.c
++++ b/drivers/gpu/drm/vc4/vc4_v3d.c
+@@ -173,6 +173,9 @@ static int vc4_v3d_runtime_resume(struct
+ struct vc4_dev *vc4 = v3d->vc4;
+
+ vc4_v3d_init_hw(vc4->dev);
++
++ /* We disabled the IRQ as part of vc4_irq_uninstall in suspend. */
++ enable_irq(vc4->dev->irq);
+ vc4_irq_postinstall(vc4->dev);
+
+ return 0;
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Mon, 6 Nov 2017 16:22:48 +0300
+Subject: grace: replace BUG_ON by WARN_ONCE in exit_net hook
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+
+[ Upstream commit b872285751c1af010e12d02bce7069e2061a58ca ]
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs_common/grace.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs_common/grace.c
++++ b/fs/nfs_common/grace.c
+@@ -104,7 +104,9 @@ grace_exit_net(struct net *net)
+ {
+ struct list_head *grace_list = net_generic(net, grace_net_id);
+
+- BUG_ON(!list_empty(grace_list));
++ WARN_ONCE(!list_empty(grace_list),
++ "net %x %s: grace_list is not empty\n",
++ net->ns.inum, __func__);
+ }
+
+ static struct pernet_operations grace_net_ops = {
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Robert Lippert <roblip@gmail.com>
+Date: Mon, 27 Nov 2017 15:51:55 -0800
+Subject: hwmon: (pmbus) Use 64bit math for DIRECT format values
+
+From: Robert Lippert <roblip@gmail.com>
+
+
+[ Upstream commit bd467e4eababe4c04272c1e646f066db02734c79 ]
+
+Power values in the 100s of watt range can easily blow past
+32bit math limits when processing everything in microwatts.
+
+Use 64bit math instead to avoid these issues on common 32bit ARM
+BMC platforms.
+
+Fixes: 442aba78728e ("hwmon: PMBus device driver")
+Signed-off-by: Robert Lippert <rlippert@google.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/pmbus/pmbus_core.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/drivers/hwmon/pmbus/pmbus_core.c
++++ b/drivers/hwmon/pmbus/pmbus_core.c
+@@ -20,6 +20,7 @@
+ */
+
+ #include <linux/kernel.h>
++#include <linux/math64.h>
+ #include <linux/module.h>
+ #include <linux/init.h>
+ #include <linux/err.h>
+@@ -476,8 +477,8 @@ static long pmbus_reg2data_linear(struct
+ static long pmbus_reg2data_direct(struct pmbus_data *data,
+ struct pmbus_sensor *sensor)
+ {
+- long val = (s16) sensor->data;
+- long m, b, R;
++ s64 b, val = (s16)sensor->data;
++ s32 m, R;
+
+ m = data->info->m[sensor->class];
+ b = data->info->b[sensor->class];
+@@ -505,11 +506,12 @@ static long pmbus_reg2data_direct(struct
+ R--;
+ }
+ while (R < 0) {
+- val = DIV_ROUND_CLOSEST(val, 10);
++ val = div_s64(val + 5LL, 10L); /* round closest */
+ R++;
+ }
+
+- return (val - b) / m;
++ val = div_s64(val - b, m);
++ return clamp_val(val, LONG_MIN, LONG_MAX);
+ }
+
+ /*
+@@ -629,7 +631,8 @@ static u16 pmbus_data2reg_linear(struct
+ static u16 pmbus_data2reg_direct(struct pmbus_data *data,
+ struct pmbus_sensor *sensor, long val)
+ {
+- long m, b, R;
++ s64 b, val64 = val;
++ s32 m, R;
+
+ m = data->info->m[sensor->class];
+ b = data->info->b[sensor->class];
+@@ -646,18 +649,18 @@ static u16 pmbus_data2reg_direct(struct
+ R -= 3; /* Adjust R and b for data in milli-units */
+ b *= 1000;
+ }
+- val = val * m + b;
++ val64 = val64 * m + b;
+
+ while (R > 0) {
+- val *= 10;
++ val64 *= 10;
+ R--;
+ }
+ while (R < 0) {
+- val = DIV_ROUND_CLOSEST(val, 10);
++ val64 = div_s64(val64 + 5LL, 10L); /* round closest */
+ R++;
+ }
+
+- return val;
++ return (u16)clamp_val(val64, S16_MIN, S16_MAX);
+ }
+
+ static u16 pmbus_data2reg_vid(struct pmbus_data *data,
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Wed, 15 Nov 2017 14:12:30 +0200
+Subject: iwlwifi: mvm: fix the TX queue hang timeout for MONITOR vif type
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+
+[ Upstream commit d1b275ffec459c5ae12b5c7086c84175696e5a9f ]
+
+The MONITOR type is missing in the interface type switch.
+Add it.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
+@@ -1040,6 +1040,8 @@ unsigned int iwl_mvm_get_wd_timeout(stru
+ return le32_to_cpu(txq_timer->p2p_go);
+ case NL80211_IFTYPE_P2P_DEVICE:
+ return le32_to_cpu(txq_timer->p2p_device);
++ case NL80211_IFTYPE_MONITOR:
++ return default_timeout;
+ default:
+ WARN_ON(1);
+ return mvm->cfg->base_params->wd_timeout;
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Yisheng Xie <xieyisheng1@huawei.com>
+Date: Wed, 29 Nov 2017 16:11:08 -0800
+Subject: kmemleak: add scheduling point to kmemleak_scan()
+
+From: Yisheng Xie <xieyisheng1@huawei.com>
+
+
+[ Upstream commit bde5f6bc68db51128f875a756e9082a6c6ff7b4c ]
+
+kmemleak_scan() will scan struct page for each node and it can be really
+large and resulting in a soft lockup. We have seen a soft lockup when
+do scan while compile kernel:
+
+ watchdog: BUG: soft lockup - CPU#53 stuck for 22s! [bash:10287]
+ [...]
+ Call Trace:
+ kmemleak_scan+0x21a/0x4c0
+ kmemleak_write+0x312/0x350
+ full_proxy_write+0x5a/0xa0
+ __vfs_write+0x33/0x150
+ vfs_write+0xad/0x1a0
+ SyS_write+0x52/0xc0
+ do_syscall_64+0x61/0x1a0
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+Fix this by adding cond_resched every MAX_SCAN_SIZE.
+
+Link: http://lkml.kernel.org/r/1511439788-20099-1-git-send-email-xieyisheng1@huawei.com
+Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
+Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kmemleak.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -1442,6 +1442,8 @@ static void kmemleak_scan(void)
+ if (page_count(page) == 0)
+ continue;
+ scan_block(page, page + 1, NULL);
++ if (!(pfn % (MAX_SCAN_SIZE / sizeof(*page))))
++ cond_resched();
+ }
+ }
+ put_online_mems();
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Mon, 20 Nov 2017 14:52:21 -0800
+Subject: KVM: VMX: Fix rflags cache during vCPU reset
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+
+[ Upstream commit c37c28730bb031cc8a44a130c2555c0f3efbe2d0 ]
+
+Reported by syzkaller:
+
+ *** Guest State ***
+ CR0: actual=0x0000000080010031, shadow=0x0000000060000010, gh_mask=fffffffffffffff7
+ CR4: actual=0x0000000000002061, shadow=0x0000000000000000, gh_mask=ffffffffffffe8f1
+ CR3 = 0x000000002081e000
+ RSP = 0x000000000000fffa RIP = 0x0000000000000000
+ RFLAGS=0x00023000 DR7 = 0x00000000000000
+ ^^^^^^^^^^
+ ------------[ cut here ]------------
+ WARNING: CPU: 6 PID: 24431 at /home/kernel/linux/arch/x86/kvm//x86.c:7302 kvm_arch_vcpu_ioctl_run+0x651/0x2ea0 [kvm]
+ CPU: 6 PID: 24431 Comm: reprotest Tainted: G W OE 4.14.0+ #26
+ RIP: 0010:kvm_arch_vcpu_ioctl_run+0x651/0x2ea0 [kvm]
+ RSP: 0018:ffff880291d179e0 EFLAGS: 00010202
+ Call Trace:
+ kvm_vcpu_ioctl+0x479/0x880 [kvm]
+ do_vfs_ioctl+0x142/0x9a0
+ SyS_ioctl+0x74/0x80
+ entry_SYSCALL_64_fastpath+0x23/0x9a
+
+The failed vmentry is triggered by the following beautified testcase:
+
+ #include <unistd.h>
+ #include <sys/syscall.h>
+ #include <string.h>
+ #include <stdint.h>
+ #include <linux/kvm.h>
+ #include <fcntl.h>
+ #include <sys/ioctl.h>
+
+ long r[5];
+ int main()
+ {
+ struct kvm_debugregs dr = { 0 };
+
+ r[2] = open("/dev/kvm", O_RDONLY);
+ r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
+ r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7);
+ struct kvm_guest_debug debug = {
+ .control = 0xf0403,
+ .arch = {
+ .debugreg[6] = 0x2,
+ .debugreg[7] = 0x2
+ }
+ };
+ ioctl(r[4], KVM_SET_GUEST_DEBUG, &debug);
+ ioctl(r[4], KVM_RUN, 0);
+ }
+
+which testcase tries to setup the processor specific debug
+registers and configure vCPU for handling guest debug events through
+KVM_SET_GUEST_DEBUG. The KVM_SET_GUEST_DEBUG ioctl will get and set
+rflags in order to set TF bit if single step is needed. All regs' caches
+are reset to avail and GUEST_RFLAGS vmcs field is reset to 0x2 during vCPU
+reset. However, the cache of rflags is not reset during vCPU reset. The
+function vmx_get_rflags() returns an unreset rflags cache value since
+the cache is marked avail, it is 0 after boot. Vmentry fails if the
+rflags reserved bit 1 is 0.
+
+This patch fixes it by resetting both the GUEST_RFLAGS vmcs field and
+its cache to 0x2 during vCPU reset.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Nadav Amit <nadav.amit@gmail.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -5194,7 +5194,7 @@ static void vmx_vcpu_reset(struct kvm_vc
+ vmcs_write64(GUEST_IA32_DEBUGCTL, 0);
+ }
+
+- vmcs_writel(GUEST_RFLAGS, 0x02);
++ kvm_set_rflags(vcpu, X86_EFLAGS_FIXED);
+ kvm_rip_write(vcpu, 0xfff0);
+
+ vmcs_writel(GUEST_GDTR_BASE, 0);
--- /dev/null
+From foo@baz Thu Feb 1 13:58:04 CET 2018
+From: Liran Alon <liran.alon@oracle.com>
+Date: Sun, 5 Nov 2017 16:56:34 +0200
+Subject: KVM: x86: Don't re-execute instruction when not passing CR2 value
+
+From: Liran Alon <liran.alon@oracle.com>
+
+
+[ Upstream commit 9b8ae63798cb97e785a667ff27e43fa6220cb734 ]
+
+In case of instruction-decode failure or emulation failure,
+x86_emulate_instruction() will call reexecute_instruction() which will
+attempt to use the cr2 value passed to x86_emulate_instruction().
+However, when x86_emulate_instruction() is called from
+emulate_instruction(), cr2 is not passed (passed as 0) and therefore
+it doesn't make sense to execute reexecute_instruction() logic at all.
+
+Fixes: 51d8b66199e9 ("KVM: cleanup emulate_instruction")
+
+Signed-off-by: Liran Alon <liran.alon@oracle.com>
+Reviewed-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/kvm_host.h | 3 ++-
+ arch/x86/kvm/vmx.c | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1113,7 +1113,8 @@ int x86_emulate_instruction(struct kvm_v
+ static inline int emulate_instruction(struct kvm_vcpu *vcpu,
+ int emulation_type)
+ {
+- return x86_emulate_instruction(vcpu, 0, emulation_type, NULL, 0);
++ return x86_emulate_instruction(vcpu, 0,
++ emulation_type | EMULTYPE_NO_REEXECUTE, NULL, 0);
+ }
+
+ void kvm_enable_efer_bits(u64);
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6257,7 +6257,7 @@ static int handle_invalid_guest_state(st
+ if (test_bit(KVM_REQ_EVENT, &vcpu->requests))
+ return 1;
+
+- err = emulate_instruction(vcpu, EMULTYPE_NO_REEXECUTE);
++ err = emulate_instruction(vcpu, 0);
+
+ if (err == EMULATE_USER_EXIT) {
+ ++vcpu->stat.mmio_exits;
--- /dev/null
+From foo@baz Thu Feb 1 13:58:04 CET 2018
+From: Liran Alon <liran.alon@oracle.com>
+Date: Sun, 5 Nov 2017 16:56:33 +0200
+Subject: KVM: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure
+
+From: Liran Alon <liran.alon@oracle.com>
+
+
+[ Upstream commit 1f4dcb3b213235e642088709a1c54964d23365e9 ]
+
+On this case, handle_emulation_failure() fills kvm_run with
+internal-error information which it expects to be delivered
+to user-mode for further processing.
+However, the code reports a wrong return-value which makes KVM to never
+return to user-mode on this scenario.
+
+Fixes: 6d77dbfc88e3 ("KVM: inject #UD if instruction emulation fails and exit to
+userspace")
+
+Signed-off-by: Liran Alon <liran.alon@oracle.com>
+Reviewed-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5308,7 +5308,7 @@ static int handle_emulation_failure(stru
+ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+ vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
+ vcpu->run->internal.ndata = 0;
+- r = EMULATE_FAIL;
++ r = EMULATE_USER_EXIT;
+ }
+ kvm_queue_exception(vcpu, UD_VECTOR);
+
--- /dev/null
+From foo@baz Thu Feb 1 13:58:04 CET 2018
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Sun, 5 Nov 2017 16:54:47 -0800
+Subject: KVM: X86: Fix operand/address-size during instruction decoding
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+
+[ Upstream commit 3853be2603191829b442b64dac6ae8ba0c027bf9 ]
+
+Pedro reported:
+ During tests that we conducted on KVM, we noticed that executing a "PUSH %ES"
+ instruction under KVM produces different results on both memory and the SP
+ register depending on whether EPT support is enabled. With EPT the SP is
+ reduced by 4 bytes (and the written value is 0-padded) but without EPT support
+ it is only reduced by 2 bytes. The difference can be observed when the CS.DB
+ field is 1 (32-bit) but not when it's 0 (16-bit).
+
+The internal segment descriptor cache exist even in real/vm8096 mode. The CS.D
+also should be respected instead of just default operand/address-size/66H
+prefix/67H prefix during instruction decoding. This patch fixes it by also
+adjusting operand/address-size according to CS.D.
+
+Reported-by: Pedro Fonseca <pfonseca@cs.washington.edu>
+Tested-by: Pedro Fonseca <pfonseca@cs.washington.edu>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Nadav Amit <nadav.amit@gmail.com>
+Cc: Pedro Fonseca <pfonseca@cs.washington.edu>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/emulate.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -4990,6 +4990,8 @@ int x86_decode_insn(struct x86_emulate_c
+ bool op_prefix = false;
+ bool has_seg_override = false;
+ struct opcode opcode;
++ u16 dummy;
++ struct desc_struct desc;
+
+ ctxt->memop.type = OP_NONE;
+ ctxt->memopp = NULL;
+@@ -5008,6 +5010,11 @@ int x86_decode_insn(struct x86_emulate_c
+ switch (mode) {
+ case X86EMUL_MODE_REAL:
+ case X86EMUL_MODE_VM86:
++ def_op_bytes = def_ad_bytes = 2;
++ ctxt->ops->get_segment(ctxt, &dummy, &desc, NULL, VCPU_SREG_CS);
++ if (desc.d)
++ def_op_bytes = def_ad_bytes = 4;
++ break;
+ case X86EMUL_MODE_PROT16:
+ def_op_bytes = def_ad_bytes = 2;
+ break;
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Wanpeng Li <kernellwp@gmail.com>
+Date: Mon, 20 Nov 2017 14:55:05 -0800
+Subject: KVM: X86: Fix softlockup when get the current kvmclock
+
+From: Wanpeng Li <kernellwp@gmail.com>
+
+
+[ Upstream commit e70b57a6ce4e8b92a56a615ae79bdb2bd66035e7 ]
+
+ watchdog: BUG: soft lockup - CPU#6 stuck for 22s! [qemu-system-x86:10185]
+ CPU: 6 PID: 10185 Comm: qemu-system-x86 Tainted: G OE 4.14.0-rc4+ #4
+ RIP: 0010:kvm_get_time_scale+0x4e/0xa0 [kvm]
+ Call Trace:
+ get_time_ref_counter+0x5a/0x80 [kvm]
+ kvm_hv_process_stimers+0x120/0x5f0 [kvm]
+ kvm_arch_vcpu_ioctl_run+0x4b4/0x1690 [kvm]
+ kvm_vcpu_ioctl+0x33a/0x620 [kvm]
+ do_vfs_ioctl+0xa1/0x5d0
+ SyS_ioctl+0x79/0x90
+ entry_SYSCALL_64_fastpath+0x1e/0xa9
+
+This can be reproduced when running kvm-unit-tests/hyperv_stimer.flat and
+cpu-hotplug stress simultaneously. __this_cpu_read(cpu_tsc_khz) returns 0
+(set in kvmclock_cpu_down_prep()) when the pCPU is unhotplug which results
+in kvm_get_time_scale() gets into an infinite loop.
+
+This patch fixes it by treating the unhotplug pCPU as not using master clock.
+
+Reviewed-by: Radim Krčmář <rkrcmar@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1751,10 +1751,13 @@ static u64 __get_kvmclock_ns(struct kvm
+ /* both __this_cpu_read() and rdtsc() should be on the same cpu */
+ get_cpu();
+
+- kvm_get_time_scale(NSEC_PER_SEC, __this_cpu_read(cpu_tsc_khz) * 1000LL,
+- &hv_clock.tsc_shift,
+- &hv_clock.tsc_to_system_mul);
+- ret = __pvclock_read_cycles(&hv_clock, rdtsc());
++ if (__this_cpu_read(cpu_tsc_khz)) {
++ kvm_get_time_scale(NSEC_PER_SEC, __this_cpu_read(cpu_tsc_khz) * 1000LL,
++ &hv_clock.tsc_shift,
++ &hv_clock.tsc_to_system_mul);
++ ret = __pvclock_read_cycles(&hv_clock, rdtsc());
++ } else
++ ret = ktime_get_boot_ns() + ka->kvmclock_offset;
+
+ put_cpu();
+
--- /dev/null
+From foo@baz Thu Feb 1 13:58:04 CET 2018
+From: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Date: Sun, 5 Nov 2017 15:52:32 +0200
+Subject: KVM: x86: ioapic: Clear Remote IRR when entry is switched to edge-triggered
+
+From: Nikita Leshenko <nikita.leshchenko@oracle.com>
+
+
+[ Upstream commit a8bfec2930525808c01f038825d1df3904638631 ]
+
+Some OSes (Linux, Xen) use this behavior to clear the Remote IRR bit for
+IOAPICs without an EOI register. They simulate the EOI message manually
+by changing the trigger mode to edge and then back to level, with the
+entry being masked during this.
+
+QEMU implements this feature in commit ed1263c363c9
+("ioapic: clear remote irr bit for edge-triggered interrupts")
+
+As a side effect, this commit removes an incorrect behavior where Remote
+IRR was cleared when the redirection table entry was rewritten. This is not
+consistent with the manual and also opens an opportunity for a strange
+behavior when a redirection table entry is modified from an interrupt
+handler that handles the same entry: The modification will clear the
+Remote IRR bit even though the interrupt handler is still running.
+
+Signed-off-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Reviewed-by: Liran Alon <liran.alon@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Reviewed-by: Steve Rutherford <srutherford@google.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/ioapic.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c
+index a7ac8688bba8..4b573c8694ac 100644
+--- a/arch/x86/kvm/ioapic.c
++++ b/arch/x86/kvm/ioapic.c
+@@ -306,8 +306,17 @@ static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val)
+ } else {
+ e->bits &= ~0xffffffffULL;
+ e->bits |= (u32) val;
+- e->fields.remote_irr = 0;
+ }
++
++ /*
++ * Some OSes (Linux, Xen) assume that Remote IRR bit will
++ * be cleared by IOAPIC hardware when the entry is configured
++ * as edge-triggered. This behavior is used to simulate an
++ * explicit EOI on IOAPICs that don't have the EOI register.
++ */
++ if (e->fields.trig_mode == IOAPIC_EDGE_TRIG)
++ e->fields.remote_irr = 0;
++
+ mask_after = e->fields.mask;
+ if (mask_before != mask_after)
+ kvm_fire_mask_notifiers(ioapic->kvm, KVM_IRQCHIP_IOAPIC, index, mask_after);
+--
+2.16.1
+
--- /dev/null
+From foo@baz Thu Feb 1 13:58:04 CET 2018
+From: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Date: Sun, 5 Nov 2017 15:52:29 +0200
+Subject: KVM: x86: ioapic: Fix level-triggered EOI and IOAPIC reconfigure race
+
+From: Nikita Leshenko <nikita.leshchenko@oracle.com>
+
+
+[ Upstream commit 0fc5a36dd6b345eb0d251a65c236e53bead3eef7 ]
+
+KVM uses ioapic_handled_vectors to track vectors that need to notify the
+IOAPIC on EOI. The problem is that IOAPIC can be reconfigured while an
+interrupt with old configuration is pending or running and
+ioapic_handled_vectors only remembers the newest configuration;
+thus EOI from the old interrupt is not delievered to the IOAPIC.
+
+A previous commit db2bdcbbbd32
+("KVM: x86: fix edge EOI and IOAPIC reconfig race")
+addressed this issue by adding pending edge-triggered interrupts to
+ioapic_handled_vectors, fixing this race for edge-triggered interrupts.
+The commit explicitly ignored level-triggered interrupts,
+but this race applies to them as well:
+
+1) IOAPIC sends a level triggered interrupt vector to VCPU0
+2) VCPU0's handler deasserts the irq line and reconfigures the IOAPIC
+ to route the vector to VCPU1. The reconfiguration rewrites only the
+ upper 32 bits of the IOREDTBLn register. (Causes KVM to update
+ ioapic_handled_vectors for VCPU0 and it no longer includes the vector.)
+3) VCPU0 sends EOI for the vector, but it's not delievered to the
+ IOAPIC because the ioapic_handled_vectors doesn't include the vector.
+4) New interrupts are not delievered to VCPU1 because remote_irr bit
+ is set forever.
+
+Therefore, the correct behavior is to add all pending and running
+interrupts to ioapic_handled_vectors.
+
+This commit introduces a slight performance hit similar to
+commit db2bdcbbbd32 ("KVM: x86: fix edge EOI and IOAPIC reconfig race")
+for the rare case that the vector is reused by a non-IOAPIC source on
+VCPU0. We prefer to keep solution simple and not handle this case just
+as the original commit does.
+
+Fixes: db2bdcbbbd32 ("KVM: x86: fix edge EOI and IOAPIC reconfig race")
+
+Signed-off-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Reviewed-by: Liran Alon <liran.alon@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/ioapic.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c
+index 6e219e5c07d2..a7ac8688bba8 100644
+--- a/arch/x86/kvm/ioapic.c
++++ b/arch/x86/kvm/ioapic.c
+@@ -257,8 +257,7 @@ void kvm_ioapic_scan_entry(struct kvm_vcpu *vcpu, ulong *ioapic_handled_vectors)
+ index == RTC_GSI) {
+ if (kvm_apic_match_dest(vcpu, NULL, 0,
+ e->fields.dest_id, e->fields.dest_mode) ||
+- (e->fields.trig_mode == IOAPIC_EDGE_TRIG &&
+- kvm_apic_pending_eoi(vcpu, e->fields.vector)))
++ kvm_apic_pending_eoi(vcpu, e->fields.vector))
+ __set_bit(e->fields.vector,
+ ioapic_handled_vectors);
+ }
+--
+2.16.1
+
--- /dev/null
+From foo@baz Thu Feb 1 13:58:04 CET 2018
+From: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Date: Sun, 5 Nov 2017 15:52:33 +0200
+Subject: KVM: x86: ioapic: Preserve read-only values in the redirection table
+
+From: Nikita Leshenko <nikita.leshchenko@oracle.com>
+
+
+[ Upstream commit b200dded0a6974a3b69599832b2203483920ab25 ]
+
+According to 82093AA (IOAPIC) manual, Remote IRR and Delivery Status are
+read-only. QEMU implements the bits as RO in commit 479c2a1cb7fb
+("ioapic: keep RO bits for IOAPIC entry").
+
+Signed-off-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
+Reviewed-by: Liran Alon <liran.alon@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Reviewed-by: Steve Rutherford <srutherford@google.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/ioapic.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/x86/kvm/ioapic.c
++++ b/arch/x86/kvm/ioapic.c
+@@ -278,6 +278,7 @@ static void ioapic_write_indirect(struct
+ {
+ unsigned index;
+ bool mask_before, mask_after;
++ int old_remote_irr, old_delivery_status;
+ union kvm_ioapic_redirect_entry *e;
+
+ switch (ioapic->ioregsel) {
+@@ -300,6 +301,9 @@ static void ioapic_write_indirect(struct
+ return;
+ e = &ioapic->redirtbl[index];
+ mask_before = e->fields.mask;
++ /* Preserve read-only fields */
++ old_remote_irr = e->fields.remote_irr;
++ old_delivery_status = e->fields.delivery_status;
+ if (ioapic->ioregsel & 1) {
+ e->bits &= 0xffffffff;
+ e->bits |= (u64) val << 32;
+@@ -307,6 +311,8 @@ static void ioapic_write_indirect(struct
+ e->bits &= ~0xffffffffULL;
+ e->bits |= (u32) val;
+ }
++ e->fields.remote_irr = old_remote_irr;
++ e->fields.delivery_status = old_delivery_status;
+
+ /*
+ * Some OSes (Linux, Xen) assume that Remote IRR bit will
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Mon, 13 Nov 2017 07:25:40 +0300
+Subject: lockd: fix "list_add double add" caused by legacy signal interface
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+
+[ Upstream commit 81833de1a46edce9ca20cfe079872ac1c20ef359 ]
+
+restart_grace() uses hardcoded init_net.
+It can cause to "list_add double add" in following scenario:
+
+1) nfsd and lockd was started in several net namespaces
+2) nfsd in init_net was stopped (lockd was not stopped because
+ it have users from another net namespaces)
+3) lockd got signal, called restart_grace() -> set_grace_period()
+ and enabled lock_manager in hardcoded init_net.
+4) nfsd in init_net is started again,
+ its lockd_up() calls set_grace_period() and tries to add
+ lock_manager into init_net 2nd time.
+
+Jeff Layton suggest:
+"Make it safe to call locks_start_grace multiple times on the same
+lock_manager. If it's already on the global grace_list, then don't try
+to add it again. (But we don't intentionally add twice, so for now we
+WARN about that case.)
+
+With this change, we also need to ensure that the nfsd4 lock manager
+initializes the list before we call locks_start_grace. While we're at
+it, move the rest of the nfsd_net initialization into
+nfs4_state_create_net. I see no reason to have it spread over two
+functions like it is today."
+
+Suggested patch was updated to generate warning in described situation.
+
+Suggested-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs_common/grace.c | 6 +++++-
+ fs/nfsd/nfs4state.c | 7 ++++---
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs_common/grace.c
++++ b/fs/nfs_common/grace.c
+@@ -30,7 +30,11 @@ locks_start_grace(struct net *net, struc
+ struct list_head *grace_list = net_generic(net, grace_net_id);
+
+ spin_lock(&grace_lock);
+- list_add(&lm->list, grace_list);
++ if (list_empty(&lm->list))
++ list_add(&lm->list, grace_list);
++ else
++ WARN(1, "double list_add attempt detected in net %x %s\n",
++ net->ns.inum, (net == &init_net) ? "(init_net)" : "");
+ spin_unlock(&grace_lock);
+ }
+ EXPORT_SYMBOL_GPL(locks_start_grace);
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -7012,6 +7012,10 @@ static int nfs4_state_create_net(struct
+ INIT_LIST_HEAD(&nn->sessionid_hashtbl[i]);
+ nn->conf_name_tree = RB_ROOT;
+ nn->unconf_name_tree = RB_ROOT;
++ nn->boot_time = get_seconds();
++ nn->grace_ended = false;
++ nn->nfsd4_manager.block_opens = true;
++ INIT_LIST_HEAD(&nn->nfsd4_manager.list);
+ INIT_LIST_HEAD(&nn->client_lru);
+ INIT_LIST_HEAD(&nn->close_lru);
+ INIT_LIST_HEAD(&nn->del_recall_lru);
+@@ -7069,9 +7073,6 @@ nfs4_state_start_net(struct net *net)
+ ret = nfs4_state_create_net(net);
+ if (ret)
+ return ret;
+- nn->boot_time = get_seconds();
+- nn->grace_ended = false;
+- nn->nfsd4_manager.block_opens = true;
+ locks_start_grace(net, &nn->nfsd4_manager);
+ nfsd4_client_tracking_init(net);
+ printk(KERN_INFO "NFSD: starting %ld-second grace period (net %p)\n",
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Chun-Yeow Yeoh <yeohchunyeow@gmail.com>
+Date: Tue, 14 Nov 2017 23:20:05 +0800
+Subject: mac80211: fix the update of path metric for RANN frame
+
+From: Chun-Yeow Yeoh <yeohchunyeow@gmail.com>
+
+
+[ Upstream commit fbbdad5edf0bb59786a51b94a9d006bc8c2da9a2 ]
+
+The previous path metric update from RANN frame has not considered
+the own link metric toward the transmitting mesh STA. Fix this.
+
+Reported-by: Michael65535
+Signed-off-by: Chun-Yeow Yeoh <yeohchunyeow@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mesh_hwmp.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/net/mac80211/mesh_hwmp.c
++++ b/net/mac80211/mesh_hwmp.c
+@@ -788,7 +788,7 @@ static void hwmp_rann_frame_process(stru
+ struct mesh_path *mpath;
+ u8 ttl, flags, hopcount;
+ const u8 *orig_addr;
+- u32 orig_sn, metric, metric_txsta, interval;
++ u32 orig_sn, new_metric, orig_metric, last_hop_metric, interval;
+ bool root_is_gate;
+
+ ttl = rann->rann_ttl;
+@@ -799,7 +799,7 @@ static void hwmp_rann_frame_process(stru
+ interval = le32_to_cpu(rann->rann_interval);
+ hopcount = rann->rann_hopcount;
+ hopcount++;
+- metric = le32_to_cpu(rann->rann_metric);
++ orig_metric = le32_to_cpu(rann->rann_metric);
+
+ /* Ignore our own RANNs */
+ if (ether_addr_equal(orig_addr, sdata->vif.addr))
+@@ -816,7 +816,10 @@ static void hwmp_rann_frame_process(stru
+ return;
+ }
+
+- metric_txsta = airtime_link_metric_get(local, sta);
++ last_hop_metric = airtime_link_metric_get(local, sta);
++ new_metric = orig_metric + last_hop_metric;
++ if (new_metric < orig_metric)
++ new_metric = MAX_METRIC;
+
+ mpath = mesh_path_lookup(sdata, orig_addr);
+ if (!mpath) {
+@@ -829,7 +832,7 @@ static void hwmp_rann_frame_process(stru
+ }
+
+ if (!(SN_LT(mpath->sn, orig_sn)) &&
+- !(mpath->sn == orig_sn && metric < mpath->rann_metric)) {
++ !(mpath->sn == orig_sn && new_metric < mpath->rann_metric)) {
+ rcu_read_unlock();
+ return;
+ }
+@@ -847,7 +850,7 @@ static void hwmp_rann_frame_process(stru
+ }
+
+ mpath->sn = orig_sn;
+- mpath->rann_metric = metric + metric_txsta;
++ mpath->rann_metric = new_metric;
+ mpath->is_root = true;
+ /* Recording RANNs sender address to send individually
+ * addressed PREQs destined for root mesh STA */
+@@ -867,7 +870,7 @@ static void hwmp_rann_frame_process(stru
+ mesh_path_sel_frame_tx(MPATH_RANN, flags, orig_addr,
+ orig_sn, 0, NULL, 0, broadcast_addr,
+ hopcount, ttl, interval,
+- metric + metric_txsta, 0, sdata);
++ new_metric, 0, sdata);
+ }
+
+ rcu_read_unlock();
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Icenowy Zheng <icenowy@aosc.io>
+Date: Sun, 16 Apr 2017 02:51:16 -0400
+Subject: media: usbtv: add a new usbid
+
+From: Icenowy Zheng <icenowy@aosc.io>
+
+
+[ Upstream commit 04226916d2360f56d57ad00bc48d2d1854d1e0b0 ]
+
+A new usbid of UTV007 is found in a newly bought device.
+
+The usbid is 1f71:3301.
+
+The ID on the chip is:
+UTV007
+A89029.1
+1520L18K1
+
+Both video and audio is tested with the modified usbtv driver.
+
+Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
+Acked-by: Lubomir Rintel <lkundrak@v3.sk>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/usbtv/usbtv-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/usb/usbtv/usbtv-core.c
++++ b/drivers/media/usb/usbtv/usbtv-core.c
+@@ -141,6 +141,7 @@ static void usbtv_disconnect(struct usb_
+
+ static struct usb_device_id usbtv_id_table[] = {
+ { USB_DEVICE(0x1b71, 0x3002) },
++ { USB_DEVICE(0x1f71, 0x3301) },
+ {}
+ };
+ MODULE_DEVICE_TABLE(usb, usbtv_id_table);
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 29 Nov 2017 11:01:09 +0100
+Subject: net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+
+[ Upstream commit 15bfe05c8d6386f1a90e9340d15336e85e32aad6 ]
+
+On 64-bit (e.g. powerpc64/allmodconfig):
+
+ drivers/net/ethernet/xilinx/ll_temac_main.c: In function 'temac_start_xmit_done':
+ drivers/net/ethernet/xilinx/ll_temac_main.c:633:22: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
+ dev_kfree_skb_irq((struct sk_buff *)cur_p->app4);
+ ^
+
+cdmac_bd.app4 is u32, so it is too small to hold a kernel pointer.
+
+Note that several other fields in struct cdmac_bd are also too small to
+hold physical addresses on 64-bit platforms.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/xilinx/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/xilinx/Kconfig
++++ b/drivers/net/ethernet/xilinx/Kconfig
+@@ -34,6 +34,7 @@ config XILINX_AXI_EMAC
+ config XILINX_LL_TEMAC
+ tristate "Xilinx LL TEMAC (LocalLink Tri-mode Ethernet MAC) driver"
+ depends on (PPC || MICROBLAZE)
++ depends on !64BIT || BROKEN
+ select PHYLIB
+ ---help---
+ This driver supports the Xilinx 10/100/1000 LocalLink TEMAC
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Andrew Elble <aweits@rit.edu>
+Date: Thu, 9 Nov 2017 13:41:10 -0500
+Subject: nfsd: check for use of the closed special stateid
+
+From: Andrew Elble <aweits@rit.edu>
+
+
+[ Upstream commit ae254dac721d44c0bfebe2795df87459e2e88219 ]
+
+Prevent the use of the closed (invalid) special stateid by clients.
+
+Signed-off-by: Andrew Elble <aweits@rit.edu>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -72,6 +72,7 @@ static u64 current_sessionid = 1;
+ #define ZERO_STATEID(stateid) (!memcmp((stateid), &zero_stateid, sizeof(stateid_t)))
+ #define ONE_STATEID(stateid) (!memcmp((stateid), &one_stateid, sizeof(stateid_t)))
+ #define CURRENT_STATEID(stateid) (!memcmp((stateid), ¤tstateid, sizeof(stateid_t)))
++#define CLOSE_STATEID(stateid) (!memcmp((stateid), &close_stateid, sizeof(stateid_t)))
+
+ /* forward declarations */
+ static bool check_for_locks(struct nfs4_file *fp, struct nfs4_lockowner *lowner);
+@@ -4869,7 +4870,8 @@ static __be32 nfsd4_validate_stateid(str
+ struct nfs4_stid *s;
+ __be32 status = nfserr_bad_stateid;
+
+- if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
++ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) ||
++ CLOSE_STATEID(stateid))
+ return status;
+ /* Client debugging aid. */
+ if (!same_clid(&stateid->si_opaque.so_clid, &cl->cl_clientid)) {
+@@ -4927,7 +4929,8 @@ nfsd4_lookup_stateid(struct nfsd4_compou
+ else if (typemask & NFS4_DELEG_STID)
+ typemask |= NFS4_REVOKED_DELEG_STID;
+
+- if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
++ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) ||
++ CLOSE_STATEID(stateid))
+ return nfserr_bad_stateid;
+ status = lookup_clientid(&stateid->si_opaque.so_clid, cstate, nn);
+ if (status == nfserr_stale_clientid) {
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Fri, 3 Nov 2017 08:00:12 -0400
+Subject: nfsd: CLOSE SHOULD return the invalid special stateid for NFSv4.x (x>0)
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+
+[ Upstream commit fb500a7cfee7f2f447d2bbf30cb59629feab6ac1 ]
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -63,6 +63,9 @@ static const stateid_t zero_stateid = {
+ static const stateid_t currentstateid = {
+ .si_generation = 1,
+ };
++static const stateid_t close_stateid = {
++ .si_generation = 0xffffffffU,
++};
+
+ static u64 current_sessionid = 1;
+
+@@ -5407,6 +5410,11 @@ nfsd4_close(struct svc_rqst *rqstp, stru
+ nfsd4_close_open_stateid(stp);
+ mutex_unlock(&stp->st_mutex);
+
++ /* See RFC5661 sectionm 18.2.4 */
++ if (stp->st_stid.sc_client->cl_minorversion)
++ memcpy(&close->cl_stateid, &close_stateid,
++ sizeof(close->cl_stateid));
++
+ /* put reference from nfs4_preprocess_seqid_op */
+ nfs4_put_stid(&stp->st_stid);
+ out:
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Fri, 3 Nov 2017 08:00:15 -0400
+Subject: nfsd: Ensure we check stateid validity in the seqid operation checks
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+
+[ Upstream commit 9271d7e509c1bfc0b9a418caec29ec8d1ac38270 ]
+
+After taking the stateid st_mutex, we want to know that the stateid
+still represents valid state before performing any non-idempotent
+actions.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -5178,15 +5178,9 @@ static __be32 nfs4_seqid_op_checks(struc
+ status = nfsd4_check_seqid(cstate, sop, seqid);
+ if (status)
+ return status;
+- if (stp->st_stid.sc_type == NFS4_CLOSED_STID
+- || stp->st_stid.sc_type == NFS4_REVOKED_DELEG_STID)
+- /*
+- * "Closed" stateid's exist *only* to return
+- * nfserr_replay_me from the previous step, and
+- * revoked delegations are kept only for free_stateid.
+- */
+- return nfserr_bad_stateid;
+- mutex_lock(&stp->st_mutex);
++ status = nfsd4_lock_ol_stateid(stp);
++ if (status != nfs_ok)
++ return status;
+ status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate));
+ if (status == nfs_ok)
+ status = nfs4_check_fh(current_fh, &stp->st_stid);
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: zhangliping <zhangliping02@baidu.com>
+Date: Sat, 25 Nov 2017 22:02:12 +0800
+Subject: openvswitch: fix the incorrect flow action alloc size
+
+From: zhangliping <zhangliping02@baidu.com>
+
+
+[ Upstream commit 67c8d22a73128ff910e2287567132530abcf5b71 ]
+
+If we want to add a datapath flow, which has more than 500 vxlan outputs'
+action, we will get the following error reports:
+ openvswitch: netlink: Flow action size 32832 bytes exceeds max
+ openvswitch: netlink: Flow action size 32832 bytes exceeds max
+ openvswitch: netlink: Actions may not be safe on all matching packets
+ ... ...
+
+It seems that we can simply enlarge the MAX_ACTIONS_BUFSIZE to fix it, but
+this is not the root cause. For example, for a vxlan output action, we need
+about 60 bytes for the nlattr, but after it is converted to the flow
+action, it only occupies 24 bytes. This means that we can still support
+more than 1000 vxlan output actions for a single datapath flow under the
+the current 32k max limitation.
+
+So even if the nla_len(attr) is larger than MAX_ACTIONS_BUFSIZE, we
+shouldn't report EINVAL and keep it move on, as the judgement can be
+done by the reserve_sfa_size.
+
+Signed-off-by: zhangliping <zhangliping02@baidu.com>
+Acked-by: Pravin B Shelar <pshelar@ovn.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/flow_netlink.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -1789,14 +1789,11 @@ int ovs_nla_put_mask(const struct sw_flo
+
+ #define MAX_ACTIONS_BUFSIZE (32 * 1024)
+
+-static struct sw_flow_actions *nla_alloc_flow_actions(int size, bool log)
++static struct sw_flow_actions *nla_alloc_flow_actions(int size)
+ {
+ struct sw_flow_actions *sfa;
+
+- if (size > MAX_ACTIONS_BUFSIZE) {
+- OVS_NLERR(log, "Flow action size %u bytes exceeds max", size);
+- return ERR_PTR(-EINVAL);
+- }
++ WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE);
+
+ sfa = kmalloc(sizeof(*sfa) + size, GFP_KERNEL);
+ if (!sfa)
+@@ -1869,12 +1866,15 @@ static struct nlattr *reserve_sfa_size(s
+ new_acts_size = ksize(*sfa) * 2;
+
+ if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
+- if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size)
++ if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
++ OVS_NLERR(log, "Flow action size exceeds max %u",
++ MAX_ACTIONS_BUFSIZE);
+ return ERR_PTR(-EMSGSIZE);
++ }
+ new_acts_size = MAX_ACTIONS_BUFSIZE;
+ }
+
+- acts = nla_alloc_flow_actions(new_acts_size, log);
++ acts = nla_alloc_flow_actions(new_acts_size);
+ if (IS_ERR(acts))
+ return (void *)acts;
+
+@@ -2500,7 +2500,7 @@ int ovs_nla_copy_actions(struct net *net
+ {
+ int err;
+
+- *sfa = nla_alloc_flow_actions(nla_len(attr), log);
++ *sfa = nla_alloc_flow_actions(min(nla_len(attr), MAX_ACTIONS_BUFSIZE));
+ if (IS_ERR(*sfa))
+ return PTR_ERR(*sfa);
+
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Wed, 29 Nov 2017 22:34:50 +0900
+Subject: quota: Check for register_shrinker() failure.
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+
+[ Upstream commit 88bc0ede8d35edc969350852894dc864a2dc1859 ]
+
+register_shrinker() might return -ENOMEM error since Linux 3.12.
+Call panic() as with other failure checks in this function if
+register_shrinker() failed.
+
+Fixes: 1d3d4437eae1 ("vmscan: per-node deferred work")
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: Jan Kara <jack@suse.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/quota/dquot.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -2985,7 +2985,8 @@ static int __init dquot_init(void)
+ pr_info("VFS: Dquot-cache hash table entries: %ld (order %ld,"
+ " %ld bytes)\n", nr_hash, order, (PAGE_SIZE << order));
+
+- register_shrinker(&dqcache_shrinker);
++ if (register_shrinker(&dqcache_shrinker))
++ panic("Cannot register dquot shrinker");
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Jeff Layton <jlayton@redhat.com>
+Date: Mon, 30 Oct 2017 11:20:15 -0400
+Subject: reiserfs: remove unneeded i_version bump
+
+From: Jeff Layton <jlayton@redhat.com>
+
+
+[ Upstream commit 9f97df50c52c2887432debb6238f4e43567386a5 ]
+
+The i_version field in reiserfs is not initialized and is only ever
+updated here. Nothing ever views it, so just remove it.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/reiserfs/super.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -2521,7 +2521,6 @@ out:
+ return err;
+ if (inode->i_size < off + len - towrite)
+ i_size_write(inode, off + len - towrite);
+- inode->i_version++;
+ inode->i_mtime = inode->i_ctime = current_time(inode);
+ mark_inode_dirty(inode);
+ return len - towrite;
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: "Guilherme G. Piccoli" <gpiccoli@linux.vnet.ibm.com>
+Date: Fri, 17 Nov 2017 19:14:55 -0200
+Subject: scsi: aacraid: Prevent crash in case of free interrupt during scsi EH path
+
+From: "Guilherme G. Piccoli" <gpiccoli@linux.vnet.ibm.com>
+
+
+[ Upstream commit e4717292ddebcfe231651b5aff9fa19ca158d178 ]
+
+As part of the scsi EH path, aacraid performs a reinitialization of the
+adapter, which encompass freeing resources and IRQs, NULLifying lots of
+pointers, and then initialize it all over again. We've identified a
+problem during the free IRQ portion of this path if CONFIG_DEBUG_SHIRQ
+is enabled on kernel config file.
+
+Happens that, in case this flag was set, right after free_irq()
+effectively clears the interrupt, it checks if it was requested as
+IRQF_SHARED. In positive case, it performs another call to the IRQ
+handler on driver. Problem is: since aacraid currently free some
+resources *before* freeing the IRQ, once free_irq() path calls the
+handler again (due to CONFIG_DEBUG_SHIRQ), aacraid crashes due to NULL
+pointer dereference with the following trace:
+
+ aac_src_intr_message+0xf8/0x740 [aacraid]
+ __free_irq+0x33c/0x4a0
+ free_irq+0x78/0xb0
+ aac_free_irq+0x13c/0x150 [aacraid]
+ aac_reset_adapter+0x2e8/0x970 [aacraid]
+ aac_eh_reset+0x3a8/0x5d0 [aacraid]
+ scsi_try_host_reset+0x74/0x180
+ scsi_eh_ready_devs+0xc70/0x1510
+ scsi_error_handler+0x624/0xa20
+
+This patch prevents the crash by changing the order of the
+deinitialization in this path of aacraid: first we clear the IRQ, then
+we free other resources. No functional change intended.
+
+Signed-off-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
+Reviewed-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/aacraid/commsup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/aacraid/commsup.c
++++ b/drivers/scsi/aacraid/commsup.c
+@@ -1416,13 +1416,13 @@ static int _aac_reset_adapter(struct aac
+ * will ensure that i/o is queisced and the card is flushed in that
+ * case.
+ */
++ aac_free_irq(aac);
+ aac_fib_map_free(aac);
+ pci_free_consistent(aac->pdev, aac->comm_size, aac->comm_addr, aac->comm_phys);
+ aac->comm_addr = NULL;
+ aac->comm_phys = 0;
+ kfree(aac->queues);
+ aac->queues = NULL;
+- aac_free_irq(aac);
+ kfree(aac->fsa_dev);
+ aac->fsa_dev = NULL;
+ quirks = aac_get_driver_ident(index)->quirks;
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+Date: Mon, 20 Nov 2017 08:12:29 -0600
+Subject: scsi: ufs: ufshcd: fix potential NULL pointer dereference in ufshcd_config_vreg
+
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+
+
+[ Upstream commit 727535903bea924c4f73abb202c4b3e85fff0ca4 ]
+
+_vreg_ is being dereferenced before it is null checked, hence there is a
+potential null pointer dereference.
+
+Fix this by moving the pointer dereference after _vreg_ has been null
+checked.
+
+This issue was detected with the help of Coccinelle.
+
+Fixes: aa4976130934 ("ufs: Add regulator enable support")
+Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
+Reviewed-by: Subhash Jadavani <subhashj@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -5327,12 +5327,15 @@ static int ufshcd_config_vreg(struct dev
+ struct ufs_vreg *vreg, bool on)
+ {
+ int ret = 0;
+- struct regulator *reg = vreg->reg;
+- const char *name = vreg->name;
++ struct regulator *reg;
++ const char *name;
+ int min_uV, uA_load;
+
+ BUG_ON(!vreg);
+
++ reg = vreg->reg;
++ name = vreg->name;
++
+ if (regulator_count_voltages(reg) > 0) {
+ min_uV = on ? vreg->min_uV : 0;
+ ret = regulator_set_voltage(reg, min_uV, vreg->max_uV);
gpio-ath79-add-missing-module_description-license.patch
mtd-nand-denali_pci-add-missing-module_description-author-license.patch
igb-free-irqs-when-device-is-hotplugged.patch
+drm-vc4-account-for-interrupts-in-flight.patch
+cpupowerutils-bench-fix-cpu-online-check.patch
+cpupower-fix-cpupower-working-when-cpu0-is-offline.patch
+kvm-x86-emulator-return-to-user-mode-on-l1-cpl-0-emulation-failure.patch
+kvm-x86-don-t-re-execute-instruction-when-not-passing-cr2-value.patch
+kvm-x86-fix-operand-address-size-during-instruction-decoding.patch
+kvm-x86-ioapic-fix-level-triggered-eoi-and-ioapic-reconfigure-race.patch
+kvm-x86-ioapic-clear-remote-irr-when-entry-is-switched-to-edge-triggered.patch
+acpi-bus-leave-modalias-empty-for-devices-which-are-not-present.patch
+kvm-x86-ioapic-preserve-read-only-values-in-the-redirection-table.patch
+cpufreq-add-loongson-machine-dependencies.patch
+bcache-check-return-value-of-register_shrinker.patch
+drm-amdgpu-fix-sdma-load-unload-sequence-on-hws-disabled-mode.patch
+drm-amdkfd-fix-sdma-ring-buffer-size-calculation.patch
+drm-amdkfd-fix-sdma-oversubsription-handling.patch
+openvswitch-fix-the-incorrect-flow-action-alloc-size.patch
+mac80211-fix-the-update-of-path-metric-for-rann-frame.patch
+btrfs-fix-deadlock-when-writing-out-space-cache.patch
+reiserfs-remove-unneeded-i_version-bump.patch
+kvm-x86-fix-softlockup-when-get-the-current-kvmclock.patch
+kvm-vmx-fix-rflags-cache-during-vcpu-reset.patch
+xfs-always-free-inline-data-before-resetting-inode-fork-during-ifree.patch
+xen-netfront-remove-warning-when-unloading-module.patch
+auxdisplay-img-ascii-lcd-only-build-on-archs-that-have-iomem.patch
+nfsd-close-should-return-the-invalid-special-stateid-for-nfsv4.x-x-0.patch
+nfsd-ensure-we-check-stateid-validity-in-the-seqid-operation-checks.patch
+grace-replace-bug_on-by-warn_once-in-exit_net-hook.patch
+nfsd-check-for-use-of-the-closed-special-stateid.patch
+lockd-fix-list_add-double-add-caused-by-legacy-signal-interface.patch
+hwmon-pmbus-use-64bit-math-for-direct-format-values.patch
+bnxt_en-fix-an-error-handling-path-in-bnxt_get_module_eeprom.patch
+xfs-fortify-xfs_alloc_buftarg-error-handling.patch
+drm-amdgpu-don-t-try-to-move-pinned-bos.patch
+net-ethernet-xilinx-mark-xilinx_ll_temac-broken-on-64-bit.patch
+quota-check-for-register_shrinker-failure.patch
+sunrpc-allow-connect-to-return-ehostunreach.patch
+kmemleak-add-scheduling-point-to-kmemleak_scan.patch
+drm-bridge-tc358767-do-no-fail-on-hi-res-displays.patch
+drm-bridge-tc358767-filter-out-too-high-modes.patch
+drm-bridge-tc358767-fix-dp0_misc-register-set.patch
+drm-bridge-tc358767-fix-timing-calculations.patch
+drm-bridge-tc358767-fix-auxdatan-registers-access.patch
+drm-bridge-tc358767-fix-1-lane-behavior.patch
+drm-omap-fix-error-handling-path-in-omap_dmm_probe.patch
+xfs-ubsan-fixes.patch
+xfs-properly-retry-failed-dquot-items-in-case-of-error-during-buffer-writeback.patch
+scsi-aacraid-prevent-crash-in-case-of-free-interrupt-during-scsi-eh-path.patch
+scsi-ufs-ufshcd-fix-potential-null-pointer-dereference-in-ufshcd_config_vreg.patch
+iwlwifi-mvm-fix-the-tx-queue-hang-timeout-for-monitor-vif-type.patch
+arm-dts-nsp-fix-ppi-interrupt-types.patch
+media-usbtv-add-a-new-usbid.patch
+usb-gadget-don-t-dereference-g-until-after-it-has-been-null-checked.patch
+staging-rtl8188eu-fix-incorrect-response-to-siocgiwessid.patch
+drm-vc4-move-irq-enable-to-pm-path.patch
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Sat, 25 Nov 2017 13:32:38 -0600
+Subject: staging: rtl8188eu: Fix incorrect response to SIOCGIWESSID
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+
+[ Upstream commit b77992d2df9e47144354d1b25328b180afa33442 ]
+
+When not associated with an AP, wifi device drivers should respond to the
+SIOCGIWESSID ioctl with a zero-length string for the SSID, which is the
+behavior expected by dhcpcd.
+
+Currently, this driver returns an error code (-1) from the ioctl call,
+which causes dhcpcd to assume that the device is not a wireless interface
+and therefore it fails to work correctly with it thereafter.
+
+This problem was reported and tested at
+https://github.com/lwfinger/rtl8188eu/issues/234.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
++++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+@@ -1397,19 +1397,13 @@ static int rtw_wx_get_essid(struct net_d
+ if ((check_fwstate(pmlmepriv, _FW_LINKED)) ||
+ (check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE))) {
+ len = pcur_bss->Ssid.SsidLength;
+-
+- wrqu->essid.length = len;
+-
+ memcpy(extra, pcur_bss->Ssid.Ssid, len);
+-
+- wrqu->essid.flags = 1;
+ } else {
+- ret = -1;
+- goto exit;
++ len = 0;
++ *extra = 0;
+ }
+-
+-exit:
+-
++ wrqu->essid.length = len;
++ wrqu->essid.flags = 1;
+
+ return ret;
+ }
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Fri, 24 Nov 2017 12:00:24 -0500
+Subject: SUNRPC: Allow connect to return EHOSTUNREACH
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+
+[ Upstream commit 4ba161a793d5f43757c35feff258d9f20a082940 ]
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/xprtsock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -2381,6 +2381,7 @@ static void xs_tcp_setup_socket(struct w
+ case -ECONNREFUSED:
+ case -ECONNRESET:
+ case -ENETUNREACH:
++ case -EHOSTUNREACH:
+ case -EADDRINUSE:
+ case -ENOBUFS:
+ /* retry with existing socket, after a delay */
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 14 Nov 2017 16:18:28 +0000
+Subject: usb: gadget: don't dereference g until after it has been null checked
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit b2fc059fa549fe6881d4c1f8d698b0f50bcd16ec ]
+
+Avoid dereferencing pointer g until after g has been sanity null checked;
+move the assignment of cdev much later when it is required into a more
+local scope.
+
+Detected by CoverityScan, CID#1222135 ("Dereference before null check")
+
+Fixes: b785ea7ce662 ("usb: gadget: composite: fix ep->maxburst initialization")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/composite.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -150,7 +150,6 @@ int config_ep_by_speed(struct usb_gadget
+ struct usb_function *f,
+ struct usb_ep *_ep)
+ {
+- struct usb_composite_dev *cdev = get_gadget_data(g);
+ struct usb_endpoint_descriptor *chosen_desc = NULL;
+ struct usb_descriptor_header **speed_desc = NULL;
+
+@@ -229,8 +228,12 @@ ep_found:
+ _ep->maxburst = comp_desc->bMaxBurst + 1;
+ break;
+ default:
+- if (comp_desc->bMaxBurst != 0)
++ if (comp_desc->bMaxBurst != 0) {
++ struct usb_composite_dev *cdev;
++
++ cdev = get_gadget_data(g);
+ ERROR(cdev, "ep0 bMaxBurst must be 0\n");
++ }
+ _ep->maxburst = 1;
+ break;
+ }
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Eduardo Otubo <otubo@redhat.com>
+Date: Thu, 23 Nov 2017 15:18:35 +0100
+Subject: xen-netfront: remove warning when unloading module
+
+From: Eduardo Otubo <otubo@redhat.com>
+
+
+[ Upstream commit 5b5971df3bc2775107ddad164018a8a8db633b81 ]
+
+v2:
+ * Replace busy wait with wait_event()/wake_up_all()
+ * Cannot garantee that at the time xennet_remove is called, the
+ xen_netback state will not be XenbusStateClosed, so added a
+ condition for that
+ * There's a small chance for the xen_netback state is
+ XenbusStateUnknown by the time the xen_netfront switches to Closed,
+ so added a condition for that.
+
+When unloading module xen_netfront from guest, dmesg would output
+warning messages like below:
+
+ [ 105.236836] xen:grant_table: WARNING: g.e. 0x903 still in use!
+ [ 105.236839] deferring g.e. 0x903 (pfn 0x35805)
+
+This problem relies on netfront and netback being out of sync. By the time
+netfront revokes the g.e.'s netback didn't have enough time to free all of
+them, hence displaying the warnings on dmesg.
+
+The trick here is to make netfront to wait until netback frees all the g.e.'s
+and only then continue to cleanup for the module removal, and this is done by
+manipulating both device states.
+
+Signed-off-by: Eduardo Otubo <otubo@redhat.com>
+Acked-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netfront.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -86,6 +86,8 @@ struct netfront_cb {
+ /* IRQ name is queue name with "-tx" or "-rx" appended */
+ #define IRQ_NAME_SIZE (QUEUE_NAME_SIZE + 3)
+
++static DECLARE_WAIT_QUEUE_HEAD(module_unload_q);
++
+ struct netfront_stats {
+ u64 packets;
+ u64 bytes;
+@@ -2051,10 +2053,12 @@ static void netback_changed(struct xenbu
+ break;
+
+ case XenbusStateClosed:
++ wake_up_all(&module_unload_q);
+ if (dev->state == XenbusStateClosed)
+ break;
+ /* Missed the backend's CLOSING state -- fallthrough */
+ case XenbusStateClosing:
++ wake_up_all(&module_unload_q);
+ xenbus_frontend_closed(dev);
+ break;
+ }
+@@ -2160,6 +2164,20 @@ static int xennet_remove(struct xenbus_d
+
+ dev_dbg(&dev->dev, "%s\n", dev->nodename);
+
++ if (xenbus_read_driver_state(dev->otherend) != XenbusStateClosed) {
++ xenbus_switch_state(dev, XenbusStateClosing);
++ wait_event(module_unload_q,
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateClosing);
++
++ xenbus_switch_state(dev, XenbusStateClosed);
++ wait_event(module_unload_q,
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateClosed ||
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateUnknown);
++ }
++
+ xennet_disconnect_backend(info);
+
+ unregister_netdev(info->netdev);
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Wed, 22 Nov 2017 12:21:07 -0800
+Subject: xfs: always free inline data before resetting inode fork during ifree
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+
+[ Upstream commit 98c4f78dcdd8cec112d1cbc5e9a792ee6e5ab7a6 ]
+
+In xfs_ifree, we reset the data/attr forks to extents format without
+bothering to free any inline data buffer that might still be around
+after all the blocks have been truncated off the file. Prior to commit
+43518812d2 ("xfs: remove support for inlining data/extents into the
+inode fork") nobody noticed because the leftover inline data after
+truncation was small enough to fit inside the inline buffer inside the
+fork itself.
+
+However, now that we've removed the inline buffer, we /always/ have to
+free the inline data buffer or else we leak them like crazy. This test
+was found by turning on kmemleak for generic/001 or generic/388.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_inode.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/fs/xfs/xfs_inode.c
++++ b/fs/xfs/xfs_inode.c
+@@ -2430,6 +2430,24 @@ retry:
+ }
+
+ /*
++ * Free any local-format buffers sitting around before we reset to
++ * extents format.
++ */
++static inline void
++xfs_ifree_local_data(
++ struct xfs_inode *ip,
++ int whichfork)
++{
++ struct xfs_ifork *ifp;
++
++ if (XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_LOCAL)
++ return;
++
++ ifp = XFS_IFORK_PTR(ip, whichfork);
++ xfs_idata_realloc(ip, -ifp->if_bytes, whichfork);
++}
++
++/*
+ * This is called to return an inode to the inode free list.
+ * The inode should already be truncated to 0 length and have
+ * no pages associated with it. This routine also assumes that
+@@ -2466,6 +2484,9 @@ xfs_ifree(
+ if (error)
+ return error;
+
++ xfs_ifree_local_data(ip, XFS_DATA_FORK);
++ xfs_ifree_local_data(ip, XFS_ATTR_FORK);
++
+ VFS_I(ip)->i_mode = 0; /* mark incore inode as free */
+ ip->i_d.di_flags = 0;
+ ip->i_d.di_dmevmask = 0;
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Michal Hocko <mhocko@suse.com>
+Date: Thu, 23 Nov 2017 17:13:40 +0100
+Subject: xfs: fortify xfs_alloc_buftarg error handling
+
+From: Michal Hocko <mhocko@suse.com>
+
+
+[ Upstream commit d210a9874b8f6166579408131cb74495caff1958 ]
+
+percpu_counter_init failure path doesn't clean up &btp->bt_lru list.
+Call list_lru_destroy in that error path. Similarly register_shrinker
+error path is not handled.
+
+While it is unlikely to trigger these error path, it is not impossible
+especially the later might fail with large NUMAs. Let's handle the
+failure to make the code more robust.
+
+Noticed-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_buf.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -1785,22 +1785,27 @@ xfs_alloc_buftarg(
+ btp->bt_bdi = blk_get_backing_dev_info(bdev);
+
+ if (xfs_setsize_buftarg_early(btp, bdev))
+- goto error;
++ goto error_free;
+
+ if (list_lru_init(&btp->bt_lru))
+- goto error;
++ goto error_free;
+
+ if (percpu_counter_init(&btp->bt_io_count, 0, GFP_KERNEL))
+- goto error;
++ goto error_lru;
+
+ btp->bt_shrinker.count_objects = xfs_buftarg_shrink_count;
+ btp->bt_shrinker.scan_objects = xfs_buftarg_shrink_scan;
+ btp->bt_shrinker.seeks = DEFAULT_SEEKS;
+ btp->bt_shrinker.flags = SHRINKER_NUMA_AWARE;
+- register_shrinker(&btp->bt_shrinker);
++ if (register_shrinker(&btp->bt_shrinker))
++ goto error_pcpu;
+ return btp;
+
+-error:
++error_pcpu:
++ percpu_counter_destroy(&btp->bt_io_count);
++error_lru:
++ list_lru_destroy(&btp->bt_lru);
++error_free:
+ kmem_free(btp);
+ return NULL;
+ }
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Carlos Maiolino <cmaiolino@redhat.com>
+Date: Tue, 28 Nov 2017 08:54:10 -0800
+Subject: xfs: Properly retry failed dquot items in case of error during buffer writeback
+
+From: Carlos Maiolino <cmaiolino@redhat.com>
+
+
+[ Upstream commit 373b0589dc8d58bc09c9a28d03611ae4fb216057 ]
+
+Once the inode item writeback errors is already fixed, it's time to fix the same
+problem in dquot code.
+
+Although there were no reports of users hitting this bug in dquot code (at least
+none I've seen), the bug is there and I was already planning to fix it when the
+correct approach to fix the inodes part was decided.
+
+This patch aims to fix the same problem in dquot code, regarding failed buffers
+being unable to be resubmitted once they are flush locked.
+
+Tested with the recently test-case sent to fstests list by Hou Tao.
+
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_dquot.c | 14 +++++++++++---
+ fs/xfs/xfs_dquot_item.c | 40 ++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 49 insertions(+), 5 deletions(-)
+
+--- a/fs/xfs/xfs_dquot.c
++++ b/fs/xfs/xfs_dquot.c
+@@ -1004,14 +1004,22 @@ xfs_qm_dqflush_done(
+ * holding the lock before removing the dquot from the AIL.
+ */
+ if ((lip->li_flags & XFS_LI_IN_AIL) &&
+- lip->li_lsn == qip->qli_flush_lsn) {
++ ((lip->li_lsn == qip->qli_flush_lsn) ||
++ (lip->li_flags & XFS_LI_FAILED))) {
+
+ /* xfs_trans_ail_delete() drops the AIL lock. */
+ spin_lock(&ailp->xa_lock);
+- if (lip->li_lsn == qip->qli_flush_lsn)
++ if (lip->li_lsn == qip->qli_flush_lsn) {
+ xfs_trans_ail_delete(ailp, lip, SHUTDOWN_CORRUPT_INCORE);
+- else
++ } else {
++ /*
++ * Clear the failed state since we are about to drop the
++ * flush lock
++ */
++ if (lip->li_flags & XFS_LI_FAILED)
++ xfs_clear_li_failed(lip);
+ spin_unlock(&ailp->xa_lock);
++ }
+ }
+
+ /*
+--- a/fs/xfs/xfs_dquot_item.c
++++ b/fs/xfs/xfs_dquot_item.c
+@@ -137,6 +137,26 @@ xfs_qm_dqunpin_wait(
+ wait_event(dqp->q_pinwait, (atomic_read(&dqp->q_pincount) == 0));
+ }
+
++/*
++ * Callback used to mark a buffer with XFS_LI_FAILED when items in the buffer
++ * have been failed during writeback
++ *
++ * this informs the AIL that the dquot is already flush locked on the next push,
++ * and acquires a hold on the buffer to ensure that it isn't reclaimed before
++ * dirty data makes it to disk.
++ */
++STATIC void
++xfs_dquot_item_error(
++ struct xfs_log_item *lip,
++ struct xfs_buf *bp)
++{
++ struct xfs_dquot *dqp;
++
++ dqp = DQUOT_ITEM(lip)->qli_dquot;
++ ASSERT(!completion_done(&dqp->q_flush));
++ xfs_set_li_failed(lip, bp);
++}
++
+ STATIC uint
+ xfs_qm_dquot_logitem_push(
+ struct xfs_log_item *lip,
+@@ -144,13 +164,28 @@ xfs_qm_dquot_logitem_push(
+ __acquires(&lip->li_ailp->xa_lock)
+ {
+ struct xfs_dquot *dqp = DQUOT_ITEM(lip)->qli_dquot;
+- struct xfs_buf *bp = NULL;
++ struct xfs_buf *bp = lip->li_buf;
+ uint rval = XFS_ITEM_SUCCESS;
+ int error;
+
+ if (atomic_read(&dqp->q_pincount) > 0)
+ return XFS_ITEM_PINNED;
+
++ /*
++ * The buffer containing this item failed to be written back
++ * previously. Resubmit the buffer for IO
++ */
++ if (lip->li_flags & XFS_LI_FAILED) {
++ if (!xfs_buf_trylock(bp))
++ return XFS_ITEM_LOCKED;
++
++ if (!xfs_buf_resubmit_failed_buffers(bp, lip, buffer_list))
++ rval = XFS_ITEM_FLUSHING;
++
++ xfs_buf_unlock(bp);
++ return rval;
++ }
++
+ if (!xfs_dqlock_nowait(dqp))
+ return XFS_ITEM_LOCKED;
+
+@@ -242,7 +277,8 @@ static const struct xfs_item_ops xfs_dqu
+ .iop_unlock = xfs_qm_dquot_logitem_unlock,
+ .iop_committed = xfs_qm_dquot_logitem_committed,
+ .iop_push = xfs_qm_dquot_logitem_push,
+- .iop_committing = xfs_qm_dquot_logitem_committing
++ .iop_committing = xfs_qm_dquot_logitem_committing,
++ .iop_error = xfs_dquot_item_error
+ };
+
+ /*
--- /dev/null
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Mon, 27 Nov 2017 09:50:17 -0800
+Subject: xfs: ubsan fixes
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+
+[ Upstream commit 22a6c83777ac7c17d6c63891beeeac24cf5da450 ]
+
+Fix some complaints from the UBSAN about signed integer addition overflows.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_aops.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -391,7 +391,7 @@ xfs_map_blocks(
+ (ip->i_df.if_flags & XFS_IFEXTENTS));
+ ASSERT(offset <= mp->m_super->s_maxbytes);
+
+- if (offset + count > mp->m_super->s_maxbytes)
++ if ((xfs_ufsize_t)offset + count > mp->m_super->s_maxbytes)
+ count = mp->m_super->s_maxbytes - offset;
+ end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + count);
+ offset_fsb = XFS_B_TO_FSBT(mp, offset);
+@@ -1295,7 +1295,7 @@ xfs_map_trim_size(
+ if (mapping_size > size)
+ mapping_size = size;
+ if (offset < i_size_read(inode) &&
+- offset + mapping_size >= i_size_read(inode)) {
++ (xfs_ufsize_t)offset + mapping_size >= i_size_read(inode)) {
+ /* limit mapping to block that spans EOF */
+ mapping_size = roundup_64(i_size_read(inode) - offset,
+ i_blocksize(inode));
+@@ -1347,7 +1347,7 @@ __xfs_get_blocks(
+ lockmode = xfs_ilock_data_map_shared(ip);
+
+ ASSERT(offset <= mp->m_super->s_maxbytes);
+- if (offset + size > mp->m_super->s_maxbytes)
++ if ((xfs_ufsize_t)offset + size > mp->m_super->s_maxbytes)
+ size = mp->m_super->s_maxbytes - offset;
+ end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + size);
+ offset_fsb = XFS_B_TO_FSBT(mp, offset);
projects / thirdparty / kernel / stable-queue.git / commitdiff
