--- /dev/null
+From 475f0e96581fc91bc417913fecedcf1998638269 Mon Sep 17 00:00:00 2001
+From: Yufen Wang <wangyufen@huawei.com>
+Date: Fri, 2 Nov 2018 11:51:31 +0100
+Subject: ARM: 8808/1: kexec:offline panic_smp_self_stop CPU
+
+[ Upstream commit 82c08c3e7f171aa7f579b231d0abbc1d62e91974 ]
+
+In case panic() and panic() called at the same time on different CPUS.
+For example:
+CPU 0:
+ panic()
+ __crash_kexec
+ machine_crash_shutdown
+ crash_smp_send_stop
+ machine_kexec
+ BUG_ON(num_online_cpus() > 1);
+
+CPU 1:
+ panic()
+ local_irq_disable
+ panic_smp_self_stop
+
+If CPU 1 calls panic_smp_self_stop() before crash_smp_send_stop(), kdump
+fails: CPU 1 can't receive the IPI, so it always stays online.
+To fix this problem, this patch splits out panic_smp_self_stop()
+and adds set_cpu_online(smp_processor_id(), false).
+
+Signed-off-by: Yufen Wang <wangyufen@huawei.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/smp.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
+index d2ce37da87d8..4b129aac7233 100644
+--- a/arch/arm/kernel/smp.c
++++ b/arch/arm/kernel/smp.c
+@@ -690,6 +690,21 @@ void smp_send_stop(void)
+ pr_warn("SMP: failed to stop secondary CPUs\n");
+ }
+
++/* In case panic() and panic() called at the same time on CPU1 and CPU2,
++ * and CPU 1 calls panic_smp_self_stop() before crash_smp_send_stop()
++ * CPU1 can't receive the ipi irqs from CPU2, CPU1 will be always online,
++ * kdump fails. So split out the panic_smp_self_stop() and add
++ * set_cpu_online(smp_processor_id(), false).
++ */
++void panic_smp_self_stop(void)
++{
++ pr_debug("CPU %u will stop doing anything useful since another CPU has paniced\n",
++ smp_processor_id());
++ set_cpu_online(smp_processor_id(), false);
++ while (1)
++ cpu_relax();
++}
++
+ /*
+ * not supported here
+ */
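Review bot: The comment above `panic_smp_self_stop()` narrates the patch ("So split out the ...") rather than stating what the function guarantees, and it names "CPU1 and CPU2" where the commit message uses CPU 0 and CPU 1. I would reword it to say that the CPU marks itself offline because, with IRQs disabled, it can no longer take the stop IPI, and that `machine_kexec()` has `BUG_ON(num_online_cpus() > 1)`. The comment should also open with `/*` on its own line, like the "not supported here" comment that follows it. The `pr_debug` string has a typo: "paniced" should read `...since another CPU has panicked\n`. A failed kdump loses the crash image needed for post-mortem analysis, so the ordering assumption is worth keeping next to the code.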
+--
+2.19.1
+
--- /dev/null
+From a206f78f12d9e827aef84e73f0142c1144a4b4ab Mon Sep 17 00:00:00 2001
+From: Russell King - ARM Linux <linux@armlinux.org.uk>
+Date: Fri, 7 Dec 2018 09:17:07 -0800
+Subject: ARM: dts: Fix OMAP4430 SDP Ethernet startup
+
+[ Upstream commit 84fb6c7feb1494ebb7d1ec8b95cfb7ada0264465 ]
+
+It was noticed that unbinding and rebinding the KSZ8851 ethernet
+resulted in the driver reporting "failed to read device ID" at probe.
+Probing the reset line with a 'scope while repeatedly attempting to
+bind the driver in a shell loop revealed that the KSZ8851 RSTN pin is
+constantly held at zero, meaning the device is held in reset, and
+does not respond on the SPI bus.
+
+Experimentation with the startup delay on the regulator set to 50ms
+shows that the reset is positively released after 20ms.
+
+Schematics for this board are not available, and the traces are buried
+in the inner layers of the board which makes tracing where the RSTN pin
+goes extremely difficult. We can only guess that the RSTN pin is wired to a
+reset generator chip driven off the ethernet supply, which fits the
+observed behaviour.
+
+Include this delay in the regulator startup delay - effectively
+treating the reset as a "supply stable" indicator.
+
+This can not be modelled as a delay in the KSZ8851 driver since the
+reset generation is board specific - if the RSTN pin had been wired to
+a GPIO, reset could be released earlier via the already provided support
+in the KSZ8851 driver.
+
+This also got confirmed by Peter Ujfalusi <peter.ujfalusi@ti.com> based
+on Blaze schematics that should be very close to SDP4430:
+
+TPS22902YFPR is used as the regulator switch (gpio48 controlled):
+Convert arm boot_lock to raw The VOUT is routed to TPS3808G01DBV.
+(SCH Note: Threshold set at 90%. Vsense: 0.405V).
+
+According to the TPS3808 data sheet the RESET delay time when Ct is
+open (this is the case in the schema): MIN/TYP/MAX: 12/20/28 ms.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+[tony@atomide.com: updated with notes from schematics from Peter]
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/omap4-sdp.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/omap4-sdp.dts b/arch/arm/boot/dts/omap4-sdp.dts
+index d728ec963111..891ba75fd459 100644
+--- a/arch/arm/boot/dts/omap4-sdp.dts
++++ b/arch/arm/boot/dts/omap4-sdp.dts
+@@ -33,6 +33,7 @@
+ gpio = <&gpio2 16 GPIO_ACTIVE_HIGH>; /* gpio line 48 */
+ enable-active-high;
+ regulator-boot-on;
++ startup-delay-us = <25000>;
+ };
+
+ vbat: fixedregulator-vbat {
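Review bot: `startup-delay-us = <25000>` is shorter than the worst-case figure in the commit message, which quotes the TPS3808 RESET delay as MIN/TYP/MAX 12/20/28 ms. A part at the slow end of that range could still hold RSTN low when the KSZ8851 is probed, which would reproduce the "failed to read device ID" failure this patch targets. Consider covering the maximum with some margin, e.g. `startup-delay-us = <30000>;`, and recording the reason with `/* TPS3808 reset generator releases RSTN up to 28 ms after the supply is up */`. The regulator node begins above this hunk, so its name and remaining properties are not visible here.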
+--
+2.19.1
+
--- /dev/null
+From 3a4560a4e39ec8c2edf3e72d69cd017d18a62537 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Wed, 28 Nov 2018 18:53:10 +0100
+Subject: ARM: dts: mmp2: fix TWSI2
+
+[ Upstream commit 1147e05ac9fc2ef86a3691e7ca5c2db7602d81dd ]
+
+Marvell keeps their MMP2 datasheet secret, but there are good clues
+that TWSI2 is not on 0xd4025000 on that platform, nor does it use
+IRQ 58. In fact, the IRQ 58 on MMP2 seems to be a signal processor:
+
+ arch/arm/mach-mmp/irqs.h:#define IRQ_MMP2_MSP 58
+
+I'm taking a somewhat educated guess that is probably a copy & paste
+error from PXA168 or PXA910 and that the real controller in fact hides
+at address 0xd4031000 and uses an interrupt line multiplexed via IRQ 17.
+
+I'm also copying some properties from TWSI1 that were missing or
+incorrect.
+
+Tested on a OLPC XO 1.75 machine, where the RTC is on TWSI2.
+
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Tested-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/mmp2.dtsi | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/mmp2.dtsi b/arch/arm/boot/dts/mmp2.dtsi
+index 766bbb8495b6..47e5b63339d1 100644
+--- a/arch/arm/boot/dts/mmp2.dtsi
++++ b/arch/arm/boot/dts/mmp2.dtsi
+@@ -220,12 +220,15 @@
+ status = "disabled";
+ };
+
+- twsi2: i2c@d4025000 {
++ twsi2: i2c@d4031000 {
+ compatible = "mrvl,mmp-twsi";
+- reg = <0xd4025000 0x1000>;
+- interrupts = <58>;
++ reg = <0xd4031000 0x1000>;
++ interrupt-parent = <&intcmux17>;
++ interrupts = <0>;
+ clocks = <&soc_clocks MMP2_CLK_TWSI1>;
+ resets = <&soc_clocks MMP2_CLK_TWSI1>;
++ #address-cells = <1>;
++ #size-cells = <0>;
+ status = "disabled";
+ };
+
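Review bot: The new `reg = <0xd4031000 0x1000>` and `interrupts = <0>` under `intcmux17` carry no comment, although the commit message describes both as an educated guess made without the datasheet. A one-line comment in the node, e.g. `/* address and mux IRQ inferred (no public datasheet); tested on OLPC XO 1.75 */`, would keep that caveat with the data. The unchanged `clocks`/`resets` lines name `MMP2_CLK_TWSI1`, which is presumably the zero-based id for the second controller. That is worth confirming against the twsi1 node, which is outside this hunk.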
+--
+2.19.1
+
--- /dev/null
+From 422047616e6f15c3944834c9447c6c6f260db73e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 10 Dec 2018 21:43:01 +0100
+Subject: ARM: mmp: fix timer_init calls
+
+[ Upstream commit 12d3a30db4a3b3df5fbadf5974b9cf50544a9950 ]
+
+The change to passing the timer frequency as a function argument
+was a good idea, but caused a build failure for one user that
+was missed in the update:
+
+arch/arm/mach-mmp/time.c: In function 'mmp_dt_init_timer':
+arch/arm/mach-mmp/time.c:242:2: error: implicit declaration of function 'timer_init'; did you mean 'hrtimer_init'? [-Werror=implicit-function-declaration]
+
+Change that as well to fix the build error, and rename the
+function to put it into a proper namespace and make it clearer
+what is actually going on.
+
+I saw that the high 6500000 HZ frequency was previously only
+set with CONFIG_MMP2, but is now also used with MMP (pxa910),
+so I'm changing that back here. Please make sure that the
+frequencies are all correct now.
+
+Fixes: f36797ee4380 ("ARM: mmp/mmp2: dt: enable the clock")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-mmp/common.h | 2 +-
+ arch/arm/mach-mmp/mmp2.c | 2 +-
+ arch/arm/mach-mmp/pxa168.c | 2 +-
+ arch/arm/mach-mmp/pxa910.c | 2 +-
+ arch/arm/mach-mmp/time.c | 4 ++--
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm/mach-mmp/common.h b/arch/arm/mach-mmp/common.h
+index 9ffc0e4a87bf..f0f5170cacf0 100644
+--- a/arch/arm/mach-mmp/common.h
++++ b/arch/arm/mach-mmp/common.h
+@@ -1,7 +1,7 @@
+ #include <linux/reboot.h>
+ #define ARRAY_AND_SIZE(x) (x), ARRAY_SIZE(x)
+
+-extern void timer_init(int irq, unsigned long rate);
++extern void mmp_timer_init(int irq, unsigned long rate);
+
+ extern void __init mmp_map_io(void);
+ extern void mmp_restart(enum reboot_mode, const char *);
+diff --git a/arch/arm/mach-mmp/mmp2.c b/arch/arm/mach-mmp/mmp2.c
+index fb3e7e32c882..726c1a642dea 100644
+--- a/arch/arm/mach-mmp/mmp2.c
++++ b/arch/arm/mach-mmp/mmp2.c
+@@ -134,7 +134,7 @@ void __init mmp2_timer_init(void)
+ clk_rst = APBC_APBCLK | APBC_FNCLK | APBC_FNCLKSEL(1);
+ __raw_writel(clk_rst, APBC_TIMERS);
+
+- timer_init(IRQ_MMP2_TIMER1, 6500000);
++ mmp_timer_init(IRQ_MMP2_TIMER1, 6500000);
+ }
+
+ /* on-chip devices */
+diff --git a/arch/arm/mach-mmp/pxa168.c b/arch/arm/mach-mmp/pxa168.c
+index 77a358165a56..cdcf65ace3f9 100644
+--- a/arch/arm/mach-mmp/pxa168.c
++++ b/arch/arm/mach-mmp/pxa168.c
+@@ -79,7 +79,7 @@ void __init pxa168_timer_init(void)
+ /* 3.25MHz, bus/functional clock enabled, release reset */
+ __raw_writel(TIMER_CLK_RST, APBC_TIMERS);
+
+- timer_init(IRQ_PXA168_TIMER1, 6500000);
++ mmp_timer_init(IRQ_PXA168_TIMER1, 3250000);
+ }
+
+ void pxa168_clear_keypad_wakeup(void)
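Review bot: The timer rate is passed as a bare literal, `3250000` here and in the `pxa910.c` hunk and `6500000` in the `mmp2.c` hunk, while the commit message itself asks readers to "make sure that the frequencies are all correct now". Named constants next to the `mmp_timer_init()` prototype in `common.h`, for example `#define MMP_TIMER_RATE_3250K 3250000` (name constructed for illustration), would make a wrong per-SoC value easier to spot in review. `pxa168_timer_init()` begins above this hunk; the "3.25MHz" context comment is the only visible check on the value.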
+diff --git a/arch/arm/mach-mmp/pxa910.c b/arch/arm/mach-mmp/pxa910.c
+index 1ccbba9ac495..d30a7d12bc98 100644
+--- a/arch/arm/mach-mmp/pxa910.c
++++ b/arch/arm/mach-mmp/pxa910.c
+@@ -116,7 +116,7 @@ void __init pxa910_timer_init(void)
+ __raw_writel(APBC_APBCLK | APBC_RST, APBC_TIMERS);
+ __raw_writel(TIMER_CLK_RST, APBC_TIMERS);
+
+- timer_init(IRQ_PXA910_AP1_TIMER1);
++ mmp_timer_init(IRQ_PXA910_AP1_TIMER1, 3250000);
+ }
+
+ /* on-chip devices */
+diff --git a/arch/arm/mach-mmp/time.c b/arch/arm/mach-mmp/time.c
+index 5f849cb996c7..c03ca8ffb92f 100644
+--- a/arch/arm/mach-mmp/time.c
++++ b/arch/arm/mach-mmp/time.c
+@@ -184,7 +184,7 @@ static struct irqaction timer_irq = {
+ .dev_id = &ckevt,
+ };
+
+-void __init timer_init(int irq, unsigned long rate)
++void __init mmp_timer_init(int irq, unsigned long rate)
+ {
+ timer_config();
+
+@@ -239,7 +239,7 @@ void __init mmp_dt_init_timer(void)
+ ret = -ENOMEM;
+ goto out;
+ }
+- timer_init(irq, rate);
++ mmp_timer_init(irq, rate);
+ return;
+ out:
+ pr_err("Failed to get timer from device tree with error:%d\n", ret);
+--
+2.19.1
+
--- /dev/null
+From 48332f50eff0c3102d2d16630934515e705358f7 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Wed, 28 Nov 2018 18:53:20 +0100
+Subject: ARM: mmp/mmp2: dt: enable the clock
+
+[ Upstream commit f36797ee43802b367e59f0f9a9805304a4ff0c98 ]
+
+The device-tree booted MMP2 needs to enable the timer clock, otherwise
+it would stop ticking when the boot finishes.
+
+It can also use the clock rate from the clk, the non-DT boards need to
+keep using the hardcoded rates.
+
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-mmp/common.h | 2 +-
+ arch/arm/mach-mmp/mmp2.c | 2 +-
+ arch/arm/mach-mmp/pxa168.c | 2 +-
+ arch/arm/mach-mmp/time.c | 32 ++++++++++++++++++++------------
+ 4 files changed, 23 insertions(+), 15 deletions(-)
+
+diff --git a/arch/arm/mach-mmp/common.h b/arch/arm/mach-mmp/common.h
+index 7453a90c34bd..9ffc0e4a87bf 100644
+--- a/arch/arm/mach-mmp/common.h
++++ b/arch/arm/mach-mmp/common.h
+@@ -1,7 +1,7 @@
+ #include <linux/reboot.h>
+ #define ARRAY_AND_SIZE(x) (x), ARRAY_SIZE(x)
+
+-extern void timer_init(int irq);
++extern void timer_init(int irq, unsigned long rate);
+
+ extern void __init mmp_map_io(void);
+ extern void mmp_restart(enum reboot_mode, const char *);
+diff --git a/arch/arm/mach-mmp/mmp2.c b/arch/arm/mach-mmp/mmp2.c
+index afba5460cdaf..fb3e7e32c882 100644
+--- a/arch/arm/mach-mmp/mmp2.c
++++ b/arch/arm/mach-mmp/mmp2.c
+@@ -134,7 +134,7 @@ void __init mmp2_timer_init(void)
+ clk_rst = APBC_APBCLK | APBC_FNCLK | APBC_FNCLKSEL(1);
+ __raw_writel(clk_rst, APBC_TIMERS);
+
+- timer_init(IRQ_MMP2_TIMER1);
++ timer_init(IRQ_MMP2_TIMER1, 6500000);
+ }
+
+ /* on-chip devices */
+diff --git a/arch/arm/mach-mmp/pxa168.c b/arch/arm/mach-mmp/pxa168.c
+index 0f5f16fb8c66..77a358165a56 100644
+--- a/arch/arm/mach-mmp/pxa168.c
++++ b/arch/arm/mach-mmp/pxa168.c
+@@ -79,7 +79,7 @@ void __init pxa168_timer_init(void)
+ /* 3.25MHz, bus/functional clock enabled, release reset */
+ __raw_writel(TIMER_CLK_RST, APBC_TIMERS);
+
+- timer_init(IRQ_PXA168_TIMER1);
++ timer_init(IRQ_PXA168_TIMER1, 6500000);
+ }
+
+ void pxa168_clear_keypad_wakeup(void)
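Review bot: `timer_init(IRQ_PXA168_TIMER1, 6500000)` contradicts the context comment two lines above it, which gives the timer clock as 3.25MHz. The removed `#ifdef CONFIG_CPU_MMP2` block in the `time.c` hunk also shows that non-MMP2 builds previously used 3250000. In addition, this patch leaves `pxa910.c` untouched even though the prototype in `common.h` now takes two arguments. Both points are addressed by the "ARM: mmp: fix timer_init calls" patch on this page, so the two backports need to be applied together. Applied alone, this one would be expected to double the pxa168 clock rate and break the pxa910 build.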
+diff --git a/arch/arm/mach-mmp/time.c b/arch/arm/mach-mmp/time.c
+index 3c2c92aaa0ae..5f849cb996c7 100644
+--- a/arch/arm/mach-mmp/time.c
++++ b/arch/arm/mach-mmp/time.c
+@@ -22,6 +22,7 @@
+ #include <linux/kernel.h>
+ #include <linux/interrupt.h>
+ #include <linux/clockchips.h>
++#include <linux/clk.h>
+
+ #include <linux/io.h>
+ #include <linux/irq.h>
+@@ -38,12 +39,6 @@
+ #include "cputype.h"
+ #include "clock.h"
+
+-#ifdef CONFIG_CPU_MMP2
+-#define MMP_CLOCK_FREQ 6500000
+-#else
+-#define MMP_CLOCK_FREQ 3250000
+-#endif
+-
+ #define TIMERS_VIRT_BASE TIMERS1_VIRT_BASE
+
+ #define MAX_DELTA (0xfffffffe)
+@@ -189,19 +184,18 @@ static struct irqaction timer_irq = {
+ .dev_id = &ckevt,
+ };
+
+-void __init timer_init(int irq)
++void __init timer_init(int irq, unsigned long rate)
+ {
+ timer_config();
+
+- sched_clock_register(mmp_read_sched_clock, 32, MMP_CLOCK_FREQ);
++ sched_clock_register(mmp_read_sched_clock, 32, rate);
+
+ ckevt.cpumask = cpumask_of(0);
+
+ setup_irq(irq, &timer_irq);
+
+- clocksource_register_hz(&cksrc, MMP_CLOCK_FREQ);
+- clockevents_config_and_register(&ckevt, MMP_CLOCK_FREQ,
+- MIN_DELTA, MAX_DELTA);
++ clocksource_register_hz(&cksrc, rate);
++ clockevents_config_and_register(&ckevt, rate, MIN_DELTA, MAX_DELTA);
+ }
+
+ #ifdef CONFIG_OF
+@@ -213,7 +207,9 @@ static const struct of_device_id mmp_timer_dt_ids[] = {
+ void __init mmp_dt_init_timer(void)
+ {
+ struct device_node *np;
++ struct clk *clk;
+ int irq, ret;
++ unsigned long rate;
+
+ np = of_find_matching_node(NULL, mmp_timer_dt_ids);
+ if (!np) {
+@@ -221,6 +217,18 @@ void __init mmp_dt_init_timer(void)
+ goto out;
+ }
+
++ clk = of_clk_get(np, 0);
++ if (!IS_ERR(clk)) {
++ ret = clk_prepare_enable(clk);
++ if (ret)
++ goto out;
++ rate = clk_get_rate(clk) / 2;
++ } else if (cpu_is_pj4()) {
++ rate = 6500000;
++ } else {
++ rate = 3250000;
++ }
++
+ irq = irq_of_parse_and_map(np, 0);
+ if (!irq) {
+ ret = -EINVAL;
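Review bot: The new clock path in `mmp_dt_init_timer()` uses `clk_get_rate(clk) / 2` without checking for zero and without explaining the divisor. The `goto out` after a failed `clk_prepare_enable()` also leaves the reference taken by `of_clk_get()` held. A zero rate would be passed to `sched_clock_register()`, `clocksource_register_hz()` and `clockevents_config_and_register()` in `timer_init()`. How those handle 0 is not visible here, so rejecting it up front is the safer choice. The function continues outside this hunk, and the later `goto out` paths would presumably want the same clock release.

```c
		ret = clk_prepare_enable(clk);
		if (ret) {
			clk_put(clk);
			goto out;
		}
		/* NOTE(review): document why the timer runs at half the clock rate */
		rate = clk_get_rate(clk) / 2;
		if (!rate) {
			clk_disable_unprepare(clk);
			clk_put(clk);
			ret = -EINVAL;
			goto out;
		}
	/* … unchanged: cpu_is_pj4() / default hard-coded fallback rates … */
```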
+@@ -231,7 +239,7 @@ void __init mmp_dt_init_timer(void)
+ ret = -ENOMEM;
+ goto out;
+ }
+- timer_init(irq);
++ timer_init(irq, rate);
+ return;
+ out:
+ pr_err("Failed to get timer from device tree with error:%d\n", ret);
+--
+2.19.1
+
--- /dev/null
+From a6ecd7d955ceec4fa65b2c84b4ee98d2d1d35ab3 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Wed, 17 Oct 2018 17:52:07 -0700
+Subject: ARM: OMAP2+: hwmod: Fix some section annotations
+
+[ Upstream commit c10b26abeb53cabc1e6271a167d3f3d396ce0218 ]
+
+When building the kernel with Clang, the following section mismatch
+warnings appear:
+
+WARNING: vmlinux.o(.text+0x2d398): Section mismatch in reference from
+the function _setup() to the function .init.text:_setup_iclk_autoidle()
+The function _setup() references
+the function __init _setup_iclk_autoidle().
+This is often because _setup lacks a __init
+annotation or the annotation of _setup_iclk_autoidle is wrong.
+
+WARNING: vmlinux.o(.text+0x2d3a0): Section mismatch in reference from
+the function _setup() to the function .init.text:_setup_reset()
+The function _setup() references
+the function __init _setup_reset().
+This is often because _setup lacks a __init
+annotation or the annotation of _setup_reset is wrong.
+
+WARNING: vmlinux.o(.text+0x2d408): Section mismatch in reference from
+the function _setup() to the function .init.text:_setup_postsetup()
+The function _setup() references
+the function __init _setup_postsetup().
+This is often because _setup lacks a __init
+annotation or the annotation of _setup_postsetup is wrong.
+
+_setup is used in omap_hwmod_allocate_module, which isn't marked __init
+and looks like it shouldn't be, meaning to fix these warnings, those
+functions must be moved out of the init section, which this patch does.
+
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap2/omap_hwmod.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
+index b5c1714ebfdd..bfc74954540c 100644
+--- a/arch/arm/mach-omap2/omap_hwmod.c
++++ b/arch/arm/mach-omap2/omap_hwmod.c
+@@ -2551,7 +2551,7 @@ static int __init _init(struct omap_hwmod *oh, void *data)
+ * a stub; implementing this properly requires iclk autoidle usecounting in
+ * the clock code. No return value.
+ */
+-static void __init _setup_iclk_autoidle(struct omap_hwmod *oh)
++static void _setup_iclk_autoidle(struct omap_hwmod *oh)
+ {
+ struct omap_hwmod_ocp_if *os;
+ struct list_head *p;
+@@ -2586,7 +2586,7 @@ static void __init _setup_iclk_autoidle(struct omap_hwmod *oh)
+ * reset. Returns 0 upon success or a negative error code upon
+ * failure.
+ */
+-static int __init _setup_reset(struct omap_hwmod *oh)
++static int _setup_reset(struct omap_hwmod *oh)
+ {
+ int r;
+
+@@ -2647,7 +2647,7 @@ static int __init _setup_reset(struct omap_hwmod *oh)
+ *
+ * No return value.
+ */
+-static void __init _setup_postsetup(struct omap_hwmod *oh)
++static void _setup_postsetup(struct omap_hwmod *oh)
+ {
+ u8 postsetup_state;
+
+--
+2.19.1
+
--- /dev/null
+From e4e16f3812bda4d0ea903f052fb297e4b3a44daf Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 10 Dec 2018 22:58:39 +0100
+Subject: ARM: pxa: avoid section mismatch warning
+
+[ Upstream commit 88af3209aa0881aa5ffd99664b6080a4be5f24e5 ]
+
+WARNING: vmlinux.o(.text+0x19f90): Section mismatch in reference from the function littleton_init_lcd() to the function .init.text:pxa_set_fb_info()
+The function littleton_init_lcd() references
+the function __init pxa_set_fb_info().
+This is often because littleton_init_lcd lacks a __init
+annotation or the annotation of pxa_set_fb_info is wrong.
+
+WARNING: vmlinux.o(.text+0xf824): Section mismatch in reference from the function zeus_register_ohci() to the function .init.text:pxa_set_ohci_info()
+The function zeus_register_ohci() references
+the function __init pxa_set_ohci_info().
+This is often because zeus_register_ohci lacks a __init
+annotation or the annotation of pxa_set_ohci_info is wrong.
+
+WARNING: vmlinux.o(.text+0xf95c): Section mismatch in reference from the function cm_x300_init_u2d() to the function .init.text:pxa3xx_set_u2d_info()
+The function cm_x300_init_u2d() references
+the function __init pxa3xx_set_u2d_info().
+This is often because cm_x300_init_u2d lacks a __init
+annotation or the annotation of pxa3xx_set_u2d_info is wrong.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-pxa/cm-x300.c | 2 +-
+ arch/arm/mach-pxa/littleton.c | 2 +-
+ arch/arm/mach-pxa/zeus.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/mach-pxa/cm-x300.c b/arch/arm/mach-pxa/cm-x300.c
+index 868448d2cd82..38ab30869821 100644
+--- a/arch/arm/mach-pxa/cm-x300.c
++++ b/arch/arm/mach-pxa/cm-x300.c
+@@ -547,7 +547,7 @@ static struct pxa3xx_u2d_platform_data cm_x300_u2d_platform_data = {
+ .exit = cm_x300_u2d_exit,
+ };
+
+-static void cm_x300_init_u2d(void)
++static void __init cm_x300_init_u2d(void)
+ {
+ pxa3xx_set_u2d_info(&cm_x300_u2d_platform_data);
+ }
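Review bot: Marking `cm_x300_init_u2d()` as `__init` is only safe if every caller is itself `__init`, and no caller is visible in this hunk. The same applies to `littleton_init_lcd()` and `zeus_register_ohci()` in the next two hunks. Init text is discarded after boot, so a call from a non-init path would execute freed memory. The commit message should state which callers were checked (presumably the board init hooks), as the OMAP hwmod patch on this page does when it resolves the same warning in the opposite direction.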
+diff --git a/arch/arm/mach-pxa/littleton.c b/arch/arm/mach-pxa/littleton.c
+index 051c554776a6..ebdef6661f5f 100644
+--- a/arch/arm/mach-pxa/littleton.c
++++ b/arch/arm/mach-pxa/littleton.c
+@@ -183,7 +183,7 @@ static struct pxafb_mach_info littleton_lcd_info = {
+ .lcd_conn = LCD_COLOR_TFT_16BPP,
+ };
+
+-static void littleton_init_lcd(void)
++static void __init littleton_init_lcd(void)
+ {
+ pxa_set_fb_info(NULL, &littleton_lcd_info);
+ }
+diff --git a/arch/arm/mach-pxa/zeus.c b/arch/arm/mach-pxa/zeus.c
+index 3b94ecfb9426..3fcd5854bf5b 100644
+--- a/arch/arm/mach-pxa/zeus.c
++++ b/arch/arm/mach-pxa/zeus.c
+@@ -557,7 +557,7 @@ static struct pxaohci_platform_data zeus_ohci_platform_data = {
+ .flags = ENABLE_PORT_ALL | POWER_SENSE_LOW,
+ };
+
+-static void zeus_register_ohci(void)
++static void __init zeus_register_ohci(void)
+ {
+ /* Port 2 is shared between host and client interface. */
+ UP2OCR = UP2OCR_HXOE | UP2OCR_HXS | UP2OCR_DMPDE | UP2OCR_DPPDE;
+--
+2.19.1
+
--- /dev/null
+From 34c59e86dd9686e295cafd25c357a6dd189042a9 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Thu, 15 Nov 2018 22:42:01 +0000
+Subject: arm64: ftrace: don't adjust the LR value
+
+[ Upstream commit 6e803e2e6e367db9a0d6ecae1bd24bb5752011bd ]
+
+The core ftrace code requires that when it is handed the PC of an
+instrumented function, this PC is the address of the instrumented
+instruction. This is necessary so that the core ftrace code can identify
+the specific instrumentation site. Since the instrumented function will
+be a BL, the address of the instrumented function is LR - 4 at entry to
+the ftrace code.
+
+This fixup is applied in the mcount_get_pc and mcount_get_pc0 helpers,
+which acquire the PC of the instrumented function.
+
+The mcount_get_lr helper is used to acquire the LR of the instrumented
+function, whose value does not require this adjustment, and cannot be
+adjusted to anything meaningful. No adjustment of this value is made on
+other architectures, including arm. However, arm64 adjusts this value by
+4.
+
+This patch brings arm64 in line with other architectures and removes the
+adjustment of the LR value.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Torsten Duwe <duwe@suse.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/entry-ftrace.S | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/entry-ftrace.S b/arch/arm64/kernel/entry-ftrace.S
+index aef02d2af3b5..7a87d32e98f4 100644
+--- a/arch/arm64/kernel/entry-ftrace.S
++++ b/arch/arm64/kernel/entry-ftrace.S
+@@ -78,7 +78,6 @@
+ .macro mcount_get_lr reg
+ ldr \reg, [x29]
+ ldr \reg, [\reg, #8]
+- mcount_adjust_addr \reg, \reg
+ .endm
+
+ .macro mcount_get_lr_addr reg
+--
+2.19.1
+
--- /dev/null
+From 81170e43bcc199093d5cc7edbf705df3b1ca27eb Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Fri, 9 Nov 2018 15:07:10 +0000
+Subject: arm64: KVM: Skip MMIO insn after emulation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 0d640732dbebed0f10f18526de21652931f0b2f2 ]
+
+When we emulate an MMIO instruction, we advance the CPU state within
+decode_hsr(), before emulating the instruction effects.
+
+Having this logic in decode_hsr() is opaque, and advancing the state
+before emulation is problematic. It gets in the way of applying
+consistent single-step logic, and it prevents us from being able to fail
+an MMIO instruction with a synchronous exception.
+
+Clean this up by only advancing the CPU state *after* the effects of the
+instruction are emulated.
+
+Cc: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kvm/mmio.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/kvm/mmio.c b/arch/arm/kvm/mmio.c
+index dac7ceb1a677..08443a15e6be 100644
+--- a/arch/arm/kvm/mmio.c
++++ b/arch/arm/kvm/mmio.c
+@@ -117,6 +117,12 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run)
+ vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
+ }
+
++ /*
++ * The MMIO instruction is emulated and should not be re-executed
++ * in the guest.
++ */
++ kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu));
++
+ return 0;
+ }
+
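Review bot: With `kvm_skip_instr()` moved into `kvm_handle_mmio_return()`, the function is no longer idempotent, because every call now advances the guest PC. Its callers are outside this hunk, so it should be confirmed that it runs exactly once per MMIO exit. That includes the case where the vCPU re-enters the run path with `exit_reason` still set to `KVM_EXIT_MMIO` after an interrupted run, where a second call would make the guest silently skip an instruction. Extending the new comment with `/* Must run once per MMIO exit: this advances the guest PC. */` would record the requirement. The subject says arm64 while the file is `arch/arm/kvm/mmio.c`, presumably code shared by both architectures in this tree.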
+@@ -144,11 +150,6 @@ static int decode_hsr(struct kvm_vcpu *vcpu, bool *is_write, int *len)
+ vcpu->arch.mmio_decode.sign_extend = sign_extend;
+ vcpu->arch.mmio_decode.rt = rt;
+
+- /*
+- * The MMIO instruction is emulated and should not be re-executed
+- * in the guest.
+- */
+- kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu));
+ return 0;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 21ebb4f74449b8d8d4c4ad86f8928ba4b49f682c Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Thu, 13 Dec 2018 00:08:38 -0200
+Subject: ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M
+
+[ Upstream commit add6883619a9e3bf9658eaff1a547354131bbcd9 ]
+
+The eukrea-tlv320.c machine driver runs on non-DT platforms
+and includes the <asm/mach-types.h> header file in order to be able
+to use some machine_is_eukrea_xxx() macros.
+
+Building it for ARM64 causes the following build error:
+
+sound/soc/fsl/eukrea-tlv320.c:28:10: fatal error: asm/mach-types.h: No such file or directory
+
+Avoid this error by not allowing to build the SND_SOC_EUKREA_TLV320
+driver when ARM64 is selected.
+
+This is needed in preparation for the i.MX8M support.
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Acked-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/fsl/Kconfig b/sound/soc/fsl/Kconfig
+index 19bdcac71775..a732b3a065c9 100644
+--- a/sound/soc/fsl/Kconfig
++++ b/sound/soc/fsl/Kconfig
+@@ -220,7 +220,7 @@ config SND_SOC_PHYCORE_AC97
+
+ config SND_SOC_EUKREA_TLV320
+ tristate "Eukrea TLV320"
+- depends on ARCH_MXC && I2C
++ depends on ARCH_MXC && !ARM64 && I2C
+ select SND_SOC_TLV320AIC23_I2C
+ select SND_SOC_IMX_AUDMUX
+ select SND_SOC_IMX_SSI
+--
+2.19.1
+
--- /dev/null
+From bbea2a71aaca0e4d2ae1c06c33a1eec1c17e4810 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Sat, 3 Nov 2018 22:21:22 +0100
+Subject: ASoC: Intel: mrfld: fix uninitialized variable access
+
+[ Upstream commit 1539c7f23f256120f89f8b9ec53160790bce9ed2 ]
+
+Randconfig testing revealed a very old bug, with gcc-8:
+
+sound/soc/intel/atom/sst/sst_loader.c: In function 'sst_load_fw':
+sound/soc/intel/atom/sst/sst_loader.c:357:5: error: 'fw' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+ if (fw == NULL) {
+ ^
+sound/soc/intel/atom/sst/sst_loader.c:354:25: note: 'fw' was declared here
+ const struct firmware *fw;
+
+We must check the return code of request_firmware() before we look at the
+pointer result that may be uninitialized when the function fails.
+
+Fixes: 9012c9544eea ("ASoC: Intel: mrfld - Add DSP load and management")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/atom/sst/sst_loader.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/intel/atom/sst/sst_loader.c b/sound/soc/intel/atom/sst/sst_loader.c
+index 33917146d9c4..054b1d514e8a 100644
+--- a/sound/soc/intel/atom/sst/sst_loader.c
++++ b/sound/soc/intel/atom/sst/sst_loader.c
+@@ -354,14 +354,14 @@ static int sst_request_fw(struct intel_sst_drv *sst)
+ const struct firmware *fw;
+
+ retval = request_firmware(&fw, sst->firmware_name, sst->dev);
+- if (fw == NULL) {
+- dev_err(sst->dev, "fw is returning as null\n");
+- return -EINVAL;
+- }
+ if (retval) {
+ dev_err(sst->dev, "request fw failed %d\n", retval);
+ return retval;
+ }
++ if (fw == NULL) {
++ dev_err(sst->dev, "fw is returning as null\n");
++ return -EINVAL;
++ }
+ mutex_lock(&sst->sst_lock);
+ retval = sst_cache_and_parse_fw(sst, fw);
+ mutex_unlock(&sst->sst_lock);
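Review bot: `fw` is still declared without an initialiser, so the reordered `if (fw == NULL)` check relies entirely on `request_firmware()` having written the pointer whenever it returns 0. Declaring it as `const struct firmware *fw = NULL;` makes both checks well-defined regardless of their order and would also address the gcc-8 warning quoted in the commit message. `sst_request_fw()` continues below this hunk, so it cannot be seen here whether the firmware is released after `sst_cache_and_parse_fw()`.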
+--
+2.19.1
+
--- /dev/null
+From 2a5884c2a66c0d7d0a329fd890b4a66648d5ef57 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Fri, 2 Nov 2018 21:49:55 +0100
+Subject: ath9k: dynack: use authentication messages for 'late' ack
+
+[ Upstream commit 3831a2a0010c72e3956020cbf1057a1701a2e469 ]
+
+In order to properly support dynack in ad-hoc mode running
+wpa_supplicant, take into account authentication frames for
+'late ack' detection. This patch has been tested on devices
+mounted on offshore high-voltage stations connected through
+~24Km link
+
+Reported-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
+Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/dynack.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/dynack.c b/drivers/net/wireless/ath/ath9k/dynack.c
+index 7334c9b09e82..cc0dc966c512 100644
+--- a/drivers/net/wireless/ath/ath9k/dynack.c
++++ b/drivers/net/wireless/ath/ath9k/dynack.c
+@@ -187,7 +187,8 @@ void ath_dynack_sample_tx_ts(struct ath_hw *ah, struct sk_buff *skb,
+ /* late ACK */
+ if (ts->ts_status & ATH9K_TXERR_XRETRY) {
+ if (ieee80211_is_assoc_req(hdr->frame_control) ||
+- ieee80211_is_assoc_resp(hdr->frame_control)) {
++ ieee80211_is_assoc_resp(hdr->frame_control) ||
++ ieee80211_is_auth(hdr->frame_control)) {
+ ath_dbg(common, DYNACK, "late ack\n");
+ ath9k_hw_setslottime(ah, (LATEACK_TO - 3) / 2);
+ ath9k_hw_set_ack_timeout(ah, LATEACK_TO);
+--
+2.19.1
+
--- /dev/null
+From 92432dbb873e2e7783f730a930a2f3505cf8b5df Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Mon, 31 Dec 2018 16:44:09 +1100
+Subject: block/swim3: Fix -EBUSY error when re-opening device after unmount
+
+[ Upstream commit 296dcc40f2f2e402facf7cd26cf3f2c8f4b17d47 ]
+
+When the block device is opened with FMODE_EXCL, ref_count is set to -1.
+This value doesn't get reset when the device is closed which means the
+device cannot be opened again. Fix this by checking for refcount <= 0
+in the release method.
+
+Reported-and-tested-by: Stan Johnson <userm57@yahoo.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: linuxppc-dev@lists.ozlabs.org
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/swim3.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/swim3.c b/drivers/block/swim3.c
+index c264f2d284a7..2e0a9e2531cb 100644
+--- a/drivers/block/swim3.c
++++ b/drivers/block/swim3.c
+@@ -1027,7 +1027,11 @@ static void floppy_release(struct gendisk *disk, fmode_t mode)
+ struct swim3 __iomem *sw = fs->swim3;
+
+ mutex_lock(&swim3_mutex);
+- if (fs->ref_count > 0 && --fs->ref_count == 0) {
++ if (fs->ref_count > 0)
++ --fs->ref_count;
++ else if (fs->ref_count == -1)
++ fs->ref_count = 0;
++ if (fs->ref_count == 0) {
+ swim3_action(fs, MOTOR_OFF);
+ out_8(&sw->control_bic, 0xff);
+ swim3_select(fs, RELAX);
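Review bot: The `-1` tested in `else if (fs->ref_count == -1)` is an unnamed sentinel. The commit message explains that it marks an FMODE_EXCL open, but nothing in `floppy_release()` says so. A comment such as `/* ref_count == -1 means the device was opened exclusively */` would document it. The rewritten logic also runs the motor-off sequence when `ref_count` is already 0 on entry, which the old `fs->ref_count > 0 && --fs->ref_count == 0` condition skipped. If an unbalanced release can occur, that is a behaviour change worth mentioning. The commit message speaks of "refcount <= 0" whereas the code handles only the exact value -1.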
+--
+2.19.1
+
--- /dev/null
+From 43688466b349d3e1c40ade54ab4f7ce0c6c884a2 Mon Sep 17 00:00:00 2001
+From: Johan Hedberg <johan.hedberg@intel.com>
+Date: Tue, 27 Nov 2018 11:37:46 +0200
+Subject: Bluetooth: Fix unnecessary error message for HCI request completion
+
+[ Upstream commit 1629db9c75342325868243d6bca5853017d91cf8 ]
+
+In case a command which completes in Command Status was sent using the
+hci_cmd_send-family of APIs there would be a misleading error in the
+hci_get_cmd_complete function, since the code would be trying to fetch
+the Command Complete parameters when there are none.
+
+Avoid the misleading error and silently bail out from the function in
+case the received event is a command status.
+
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Acked-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index d2f9eb169ba8..6f78489fdb13 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5212,6 +5212,12 @@ static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
+ return true;
+ }
+
++ /* Check if request ended in Command Status - no way to retreive
++ * any extra parameters in this case.
++ */
++ if (hdr->evt == HCI_EV_CMD_STATUS)
++ return false;
++
+ if (hdr->evt != HCI_EV_CMD_COMPLETE) {
+ BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
+ return false;
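Review bot: The comment added above the `HCI_EV_CMD_STATUS` test misspells "retrieve" as "retreive". It could also say what the caller gets, for example `/* Request ended in Command Status: there are no Command Complete parameters to retrieve, so return false without logging */`. hci_get_cmd_complete starts and ends outside the hunk.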
+--
+2.19.1
+
--- /dev/null
+From ba5f16f3f3d5db7b77bfbfb854e69820e1711edb Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Thu, 13 Dec 2018 08:06:16 +1000
+Subject: cifs: check ntwrk_buf_start for NULL before dereferencing it
+
+[ Upstream commit 59a63e479ce36a3f24444c3a36efe82b78e4a8e0 ]
+
+RHBZ: 1021460
+
+There is an issue where when multiple threads open/close the same directory
+ntwrk_buf_start might end up being NULL, causing the call to smbCalcSize
+later to oops with a NULL deref.
+
+The real bug is why this happens and why this can become NULL for an
+open cfile, which should not be allowed.
+This patch tries to avoid an oops until the time when we fix the underlying
+issue.
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/readdir.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
+index ef24b4527459..68183872bf8b 100644
+--- a/fs/cifs/readdir.c
++++ b/fs/cifs/readdir.c
+@@ -655,7 +655,14 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos,
+ /* scan and find it */
+ int i;
+ char *cur_ent;
+- char *end_of_smb = cfile->srch_inf.ntwrk_buf_start +
++ char *end_of_smb;
++
++ if (cfile->srch_inf.ntwrk_buf_start == NULL) {
++ cifs_dbg(VFS, "ntwrk_buf_start is NULL during readdir\n");
++ return -EIO;
++ }
++
++ end_of_smb = cfile->srch_inf.ntwrk_buf_start +
+ server->ops->calc_smb_size(
+ cfile->srch_inf.ntwrk_buf_start);
+
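Review bot: The NULL test and the two later reads of `cfile->srch_inf.ntwrk_buf_start` are separate loads, so if another thread can clear the field concurrently, as the commit message suggests, the pointer can still be NULL or stale when `calc_smb_size()` receives it. Reading it once, `char *buf = READ_ONCE(cfile->srch_inf.ntwrk_buf_start);`, and using `buf` for the test and both operands narrows that window, though it does not make a freed buffer safe; that needs the locking fix the message defers. A comment on the check, e.g. `/* should never be NULL for an open cfile; stopgap until the race is fixed */`, would keep it from being read as a complete fix. No lock is visible around these lines, and find_cifs_entry starts and ends outside the hunk.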
+--
+2.19.1
+
--- /dev/null
+From 3ac8bb1a9adb8fa6e56c97972bb99ca2fae244f3 Mon Sep 17 00:00:00 2001
+From: Anson Huang <anson.huang@nxp.com>
+Date: Fri, 30 Nov 2018 07:23:47 +0000
+Subject: clk: imx6sl: ensure MMDC CH0 handshake is bypassed
+
+[ Upstream commit 0efcc2c0fd2001a83240a8c3d71f67770484917e ]
+
+Same as other i.MX6 SoCs, ensure unused MMDC channel's
+handshake is bypassed, this is to make sure no request
+signal will be generated when periphe_clk_sel is changed
+or SRC warm reset is triggered.
+
+Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx6sl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/clk/imx/clk-imx6sl.c b/drivers/clk/imx/clk-imx6sl.c
+index 5fd4ddac1bf1..f3d9dc2d2405 100644
+--- a/drivers/clk/imx/clk-imx6sl.c
++++ b/drivers/clk/imx/clk-imx6sl.c
+@@ -17,6 +17,8 @@
+
+ #include "clk.h"
+
++#define CCDR 0x4
++#define BM_CCM_CCDR_MMDC_CH0_MASK (1 << 17)
+ #define CCSR 0xc
+ #define BM_CCSR_PLL1_SW_CLK_SEL (1 << 2)
+ #define CACRR 0x10
+@@ -414,6 +416,10 @@ static void __init imx6sl_clocks_init(struct device_node *ccm_node)
+ clks[IMX6SL_CLK_USDHC3] = imx_clk_gate2("usdhc3", "usdhc3_podf", base + 0x80, 6);
+ clks[IMX6SL_CLK_USDHC4] = imx_clk_gate2("usdhc4", "usdhc4_podf", base + 0x80, 8);
+
++ /* Ensure the MMDC CH0 handshake is bypassed */
++ writel_relaxed(readl_relaxed(base + CCDR) |
++ BM_CCM_CCDR_MMDC_CH0_MASK, base + CCDR);
++
+ imx_check_clocks(clks, ARRAY_SIZE(clks));
+
+ clk_data.clks = clks;
+--
+2.19.1
+
--- /dev/null
+From 1257fb6b55a41552cb6a6812ff4c62d0dce5bdb8 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Wed, 5 Dec 2018 18:11:51 +0800
+Subject: clk: sunxi-ng: a33: Set CLK_SET_RATE_PARENT for all audio module
+ clocks
+
+[ Upstream commit 6e6da2039c82271dd873b9ad2b902a692a7dd554 ]
+
+All the audio interfaces on Allwinner SoCs need to change their module
+clocks during operation, to switch between support for 44.1 kHz and 48
+kHz family sample rates. The clock rate for the module clocks is
+governed by their upstream audio PLL. The module clocks themselves only
+have a gate, and sometimes a divider or mux. Thus any rate changes need
+to be propagated upstream.
+
+Set the CLK_SET_RATE_PARENT flag for all audio module clocks to achieve
+this.
+
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sunxi-ng/ccu-sun8i-a33.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/sunxi-ng/ccu-sun8i-a33.c b/drivers/clk/sunxi-ng/ccu-sun8i-a33.c
+index e1dc4e5b34e1..82add4670c53 100644
+--- a/drivers/clk/sunxi-ng/ccu-sun8i-a33.c
++++ b/drivers/clk/sunxi-ng/ccu-sun8i-a33.c
+@@ -362,10 +362,10 @@ static SUNXI_CCU_MP_WITH_MUX_GATE(spi1_clk, "spi1", mod0_default_parents, 0x0a4,
+ static const char * const i2s_parents[] = { "pll-audio-8x", "pll-audio-4x",
+ "pll-audio-2x", "pll-audio" };
+ static SUNXI_CCU_MUX_WITH_GATE(i2s0_clk, "i2s0", i2s_parents,
+- 0x0b0, 16, 2, BIT(31), 0);
++ 0x0b0, 16, 2, BIT(31), CLK_SET_RATE_PARENT);
+
+ static SUNXI_CCU_MUX_WITH_GATE(i2s1_clk, "i2s1", i2s_parents,
+- 0x0b4, 16, 2, BIT(31), 0);
++ 0x0b4, 16, 2, BIT(31), CLK_SET_RATE_PARENT);
+
+ /* TODO: the parent for most of the USB clocks is not known */
+ static SUNXI_CCU_GATE(usb_phy0_clk, "usb-phy0", "osc24M",
+@@ -442,7 +442,7 @@ static SUNXI_CCU_M_WITH_GATE(ve_clk, "ve", "pll-ve",
+ static SUNXI_CCU_GATE(ac_dig_clk, "ac-dig", "pll-audio",
+ 0x140, BIT(31), 0);
+ static SUNXI_CCU_GATE(ac_dig_4x_clk, "ac-dig-4x", "pll-audio-4x",
+- 0x140, BIT(30), 0);
++ 0x140, BIT(30), CLK_SET_RATE_PARENT);
+ static SUNXI_CCU_GATE(avs_clk, "avs", "osc24M",
+ 0x144, BIT(31), 0);
+
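Review bot: `ac_dig_clk` on the context line above still passes `0` as its flags although its parent is `pll-audio`, while the commit message says the flag is set for all audio module clocks. If ac-dig is meant to propagate rate changes like `ac_dig_4x_clk`, its argument line should read `0x140, BIT(31), CLK_SET_RATE_PARENT);`. If it is left out on purpose, a one-line comment saying why would stop the next reader from treating it as an oversight.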
+--
+2.19.1
+
--- /dev/null
+From a1f3072ec74861a708e22cda4805fbd8bda6ae0a Mon Sep 17 00:00:00 2001
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Mon, 10 Dec 2018 11:26:41 -0500
+Subject: cpuidle: big.LITTLE: fix refcount leak
+
+[ Upstream commit 9456823c842f346c74265fcd98d008d87a7eb6f5 ]
+
+of_find_node_by_path() acquires a reference to the node
+returned by it and that reference needs to be dropped by its caller.
+bl_idle_init() doesn't do that, so fix it.
+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Acked-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpuidle/cpuidle-big_little.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpuidle/cpuidle-big_little.c b/drivers/cpuidle/cpuidle-big_little.c
+index db2ede565f1a..b44476a1b7ad 100644
+--- a/drivers/cpuidle/cpuidle-big_little.c
++++ b/drivers/cpuidle/cpuidle-big_little.c
+@@ -167,6 +167,7 @@ static int __init bl_idle_init(void)
+ {
+ int ret;
+ struct device_node *root = of_find_node_by_path("/");
++ const struct of_device_id *match_id;
+
+ if (!root)
+ return -ENODEV;
+@@ -174,7 +175,11 @@ static int __init bl_idle_init(void)
+ /*
+ * Initialize the driver just for a compliant set of machines
+ */
+- if (!of_match_node(compatible_machine_match, root))
++ match_id = of_match_node(compatible_machine_match, root);
++
++ of_node_put(root);
++
++ if (!match_id)
+ return -ENODEV;
+
+ if (!mcpm_is_available())
+--
+2.19.1
+
--- /dev/null
+From 36015c3c70e91bdf10d44daacfdc6945c413e202 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 10 Dec 2018 16:49:29 -0700
+Subject: crypto: ux500 - Use proper enum in cryp_set_dma_transfer
+
+[ Upstream commit 9d880c5945c748d8edcac30965f3349a602158c4 ]
+
+Clang warns when one enumerated type is implicitly converted to another:
+
+drivers/crypto/ux500/cryp/cryp_core.c:559:5: warning: implicit
+conversion from enumeration type 'enum dma_data_direction' to different
+enumeration type 'enum dma_transfer_direction' [-Wenum-conversion]
+ direction, DMA_CTRL_ACK);
+ ^~~~~~~~~
+drivers/crypto/ux500/cryp/cryp_core.c:583:5: warning: implicit
+conversion from enumeration type 'enum dma_data_direction' to different
+enumeration type 'enum dma_transfer_direction' [-Wenum-conversion]
+ direction,
+ ^~~~~~~~~
+2 warnings generated.
+
+dmaengine_prep_slave_sg expects an enum from dma_transfer_direction.
+Because we know the value of the dma_data_direction enum from the
+switch statement, we can just use the proper value from
+dma_transfer_direction so there is no more conversion.
+
+DMA_TO_DEVICE = DMA_MEM_TO_DEV = 1
+DMA_FROM_DEVICE = DMA_DEV_TO_MEM = 2
+
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ux500/cryp/cryp_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/ux500/cryp/cryp_core.c b/drivers/crypto/ux500/cryp/cryp_core.c
+index 790f7cadc1ed..efebc484e371 100644
+--- a/drivers/crypto/ux500/cryp/cryp_core.c
++++ b/drivers/crypto/ux500/cryp/cryp_core.c
+@@ -555,7 +555,7 @@ static int cryp_set_dma_transfer(struct cryp_ctx *ctx,
+ desc = dmaengine_prep_slave_sg(channel,
+ ctx->device->dma.sg_src,
+ ctx->device->dma.sg_src_len,
+- direction, DMA_CTRL_ACK);
++ DMA_MEM_TO_DEV, DMA_CTRL_ACK);
+ break;
+
+ case DMA_FROM_DEVICE:
+@@ -579,7 +579,7 @@ static int cryp_set_dma_transfer(struct cryp_ctx *ctx,
+ desc = dmaengine_prep_slave_sg(channel,
+ ctx->device->dma.sg_dst,
+ ctx->device->dma.sg_dst_len,
+- direction,
++ DMA_DEV_TO_MEM,
+ DMA_CTRL_ACK |
+ DMA_PREP_INTERRUPT);
+
+--
+2.19.1
+
--- /dev/null
+From 096d7b9a3432e5bccc43bfb330f134ef25ad6c79 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 10 Dec 2018 16:49:54 -0700
+Subject: crypto: ux500 - Use proper enum in hash_set_dma_transfer
+
+[ Upstream commit 5ac93f808338f4dd465402e91869702eb87db241 ]
+
+Clang warns when one enumerated type is implicitly converted to another:
+
+drivers/crypto/ux500/hash/hash_core.c:169:4: warning: implicit
+conversion from enumeration type 'enum dma_data_direction' to different
+enumeration type 'enum dma_transfer_direction' [-Wenum-conversion]
+ direction, DMA_CTRL_ACK | DMA_PREP_INTERRUPT);
+ ^~~~~~~~~
+1 warning generated.
+
+dmaengine_prep_slave_sg expects an enum from dma_transfer_direction.
+We know that the only direction supported by this function is
+DMA_TO_DEVICE because of the check at the top of this function so we can
+just use the equivalent value from dma_transfer_direction.
+
+DMA_TO_DEVICE = DMA_MEM_TO_DEV = 1
+
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ux500/hash/hash_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c
+index 9acccad26928..17c8e2b28c42 100644
+--- a/drivers/crypto/ux500/hash/hash_core.c
++++ b/drivers/crypto/ux500/hash/hash_core.c
+@@ -165,7 +165,7 @@ static int hash_set_dma_transfer(struct hash_ctx *ctx, struct scatterlist *sg,
+ __func__);
+ desc = dmaengine_prep_slave_sg(channel,
+ ctx->device->dma.sg, ctx->device->dma.sg_len,
+- direction, DMA_CTRL_ACK | DMA_PREP_INTERRUPT);
++ DMA_MEM_TO_DEV, DMA_CTRL_ACK | DMA_PREP_INTERRUPT);
+ if (!desc) {
+ dev_err(ctx->device->dev,
+ "%s: dmaengine_prep_slave_sg() failed!\n", __func__);
+--
+2.19.1
+
--- /dev/null
+From fa32130dba65210d3675dc2b7ef5c2045636e3de Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Fri, 14 Dec 2018 11:55:21 +0800
+Subject: cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()
+
+[ Upstream commit 4f68ef64cd7feb1220232bd8f501d8aad340a099 ]
+
+The function cw1200_bss_info_changed() and cw1200_hw_scan() can be
+concurrently executed.
+The two functions both access a possible shared variable "frame.skb".
+
+This shared variable is freed by dev_kfree_skb() in cw1200_upload_beacon(),
+which is called by cw1200_bss_info_changed(). The free operation is
+protected by a mutex lock "priv->conf_mutex" in cw1200_bss_info_changed().
+
+In cw1200_hw_scan(), this shared variable is accessed without the
+protection of the mutex lock "priv->conf_mutex".
+Thus, concurrency use-after-free bugs may occur.
+
+To fix these bugs, the original calls to mutex_lock(&priv->conf_mutex) and
+mutex_unlock(&priv->conf_mutex) are moved to the places, which can
+protect the accesses to the shared variable.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/st/cw1200/scan.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/st/cw1200/scan.c b/drivers/net/wireless/st/cw1200/scan.c
+index 0a0ff7e31f5b..c5492d792f43 100644
+--- a/drivers/net/wireless/st/cw1200/scan.c
++++ b/drivers/net/wireless/st/cw1200/scan.c
+@@ -78,6 +78,10 @@ int cw1200_hw_scan(struct ieee80211_hw *hw,
+ if (req->n_ssids > WSM_SCAN_MAX_NUM_OF_SSIDS)
+ return -EINVAL;
+
++ /* will be unlocked in cw1200_scan_work() */
++ down(&priv->scan.lock);
++ mutex_lock(&priv->conf_mutex);
++
+ frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
+ req->ie_len);
+ if (!frame.skb)
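Review bot: With `down(&priv->scan.lock)` and `mutex_lock(&priv->conf_mutex)` moved above the allocation, the `if (!frame.skb)` failure path now runs with both locks held. Its body lies between this hunk and the next and is not shown; if it returns directly, as the old ordering allowed, the semaphore and the mutex are never released and every later scan or configuration change blocks. That path needs `mutex_unlock(&priv->conf_mutex);` and `up(&priv->scan.lock);` before it returns, matching the `if (ret)` path in the next hunk.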
+@@ -86,19 +90,15 @@ int cw1200_hw_scan(struct ieee80211_hw *hw,
+ if (req->ie_len)
+ memcpy(skb_put(frame.skb, req->ie_len), req->ie, req->ie_len);
+
+- /* will be unlocked in cw1200_scan_work() */
+- down(&priv->scan.lock);
+- mutex_lock(&priv->conf_mutex);
+-
+ ret = wsm_set_template_frame(priv, &frame);
+ if (!ret) {
+ /* Host want to be the probe responder. */
+ ret = wsm_set_probe_responder(priv, true);
+ }
+ if (ret) {
++ dev_kfree_skb(frame.skb);
+ mutex_unlock(&priv->conf_mutex);
+ up(&priv->scan.lock);
+- dev_kfree_skb(frame.skb);
+ return ret;
+ }
+
+@@ -120,10 +120,9 @@ int cw1200_hw_scan(struct ieee80211_hw *hw,
+ ++priv->scan.n_ssids;
+ }
+
+- mutex_unlock(&priv->conf_mutex);
+-
+ if (frame.skb)
+ dev_kfree_skb(frame.skb);
++ mutex_unlock(&priv->conf_mutex);
+ queue_work(priv->workqueue, &priv->scan.work);
+ return 0;
+ }
+--
+2.19.1
+
--- /dev/null
+From 50e5da2c050b0b6d14a1536e6d838fe78ff1e49c Mon Sep 17 00:00:00 2001
+From: Bob Peterson <rpeterso@redhat.com>
+Date: Thu, 8 Nov 2018 14:04:50 -0500
+Subject: dlm: Don't swamp the CPU with callbacks queued during recovery
+
+[ Upstream commit 216f0efd19b9cc32207934fd1b87a45f2c4c593e ]
+
+Before this patch, recovery would cause all callbacks to be delayed,
+put on a queue, and afterward they were all queued to the callback
+work queue. This patch does the same thing, but occasionally takes
+a break after 25 of them so it won't swamp the CPU at the expense
+of other RT processes like corosync.
+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/ast.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/dlm/ast.c b/fs/dlm/ast.c
+index dcea1e37a1b7..f18619bc2e09 100644
+--- a/fs/dlm/ast.c
++++ b/fs/dlm/ast.c
+@@ -290,6 +290,8 @@ void dlm_callback_suspend(struct dlm_ls *ls)
+ flush_workqueue(ls->ls_callback_wq);
+ }
+
++#define MAX_CB_QUEUE 25
++
+ void dlm_callback_resume(struct dlm_ls *ls)
+ {
+ struct dlm_lkb *lkb, *safe;
+@@ -300,15 +302,23 @@ void dlm_callback_resume(struct dlm_ls *ls)
+ if (!ls->ls_callback_wq)
+ return;
+
++more:
+ mutex_lock(&ls->ls_cb_mutex);
+ list_for_each_entry_safe(lkb, safe, &ls->ls_cb_delay, lkb_cb_list) {
+ list_del_init(&lkb->lkb_cb_list);
+ queue_work(ls->ls_callback_wq, &lkb->lkb_cb_work);
+ count++;
++ if (count == MAX_CB_QUEUE)
++ break;
+ }
+ mutex_unlock(&ls->ls_cb_mutex);
+
+ if (count)
+ log_rinfo(ls, "dlm_callback_resume %d", count);
++ if (count == MAX_CB_QUEUE) {
++ count = 0;
++ cond_resched();
++ goto more;
++ }
+ }
+
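Review bot: `log_rinfo()` now fires once per batch of `MAX_CB_QUEUE`, so a large backlog produces one log line per 25 callbacks and the total is never reported. Keeping a running total (`sum += count;` before `count = 0;`) and logging `sum` once after the last pass would preserve the single summary line the function printed before. `MAX_CB_QUEUE` also deserves a comment saying it is the number of callbacks queued between `cond_resched()` calls, and the `more:`/`goto` pair would read more plainly as a `do { ... } while (count == MAX_CB_QUEUE);` loop.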
+--
+2.19.1
+
--- /dev/null
+From e7ffa726aeb0b6927d40025eb6d212bce74314b9 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Thu, 25 Oct 2018 11:05:25 -0700
+Subject: dmaengine: xilinx_dma: Remove __aligned attribute on
+ zynqmp_dma_desc_ll
+
+[ Upstream commit aeaebcc17cdf37065d2693865eeb1ff1c7dc5bf3 ]
+
+Clang warns:
+
+drivers/dma/xilinx/zynqmp_dma.c:166:4: warning: attribute 'aligned' is
+ignored, place it after "struct" to apply attribute to type declaration
+[-Wignored-attributes]
+}; __aligned(64)
+ ^
+./include/linux/compiler_types.h:200:38: note: expanded from macro
+'__aligned'
+ ^
+1 warning generated.
+
+As Nick pointed out in the previous version of this patch, the author
+likely intended for this struct to be 8-byte (64-bit) aligned, not
+64-byte, which is the default. Remove the hanging __aligned attribute.
+
+Fixes: b0cc417c1637 ("dmaengine: Add Xilinx zynqmp dma engine driver support")
+Reported-by: Nick Desaulniers <ndesaulniers@google.com>
+Suggested-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/zynqmp_dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c
+index 22658057fe27..9069fb854319 100644
+--- a/drivers/dma/xilinx/zynqmp_dma.c
++++ b/drivers/dma/xilinx/zynqmp_dma.c
+@@ -159,7 +159,7 @@ struct zynqmp_dma_desc_ll {
+ u32 ctrl;
+ u64 nxtdscraddr;
+ u64 rsvd;
+-}; __aligned(64)
++};
+
+ /**
+ * struct zynqmp_dma_desc_sw - Per Transaction structure
+--
+2.19.1
+
--- /dev/null
+From ca03c4bf1097e021786983d6da213c3e0ac54905 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Thu, 20 Dec 2018 17:23:43 +0100
+Subject: drbd: Avoid Clang warning about pointless switch statment
+
+[ Upstream commit a52c5a16cf19d8a85831bb1b915a221dd4ffae3c ]
+
+There are several warnings from Clang about no case statement matching
+the constant 0:
+
+In file included from drivers/block/drbd/drbd_receiver.c:48:
+In file included from drivers/block/drbd/drbd_int.h:48:
+In file included from ./include/linux/drbd_genl_api.h:54:
+In file included from ./include/linux/genl_magic_struct.h:236:
+./include/linux/drbd_genl.h:321:1: warning: no case matching constant
+switch condition '0'
+GENL_struct(DRBD_NLA_HELPER, 24, drbd_helper_info,
+^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+./include/linux/genl_magic_struct.h:220:10: note: expanded from macro
+'GENL_struct'
+ switch (0) {
+ ^
+
+Silence this warning by adding a 'case 0:' statement. Additionally,
+adjust the alignment of the statements in the ct_assert_unique macro to
+avoid a checkpatch warning.
+
+This solution was originally sent by Arnd Bergmann with a default case
+statement: https://lore.kernel.org/patchwork/patch/756723/
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/43
+Suggested-by: Lars Ellenberg <lars.ellenberg@linbit.com>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/genl_magic_struct.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/genl_magic_struct.h b/include/linux/genl_magic_struct.h
+index 6270a56e5edc..d0d6fdc22698 100644
+--- a/include/linux/genl_magic_struct.h
++++ b/include/linux/genl_magic_struct.h
+@@ -190,6 +190,7 @@ static inline void ct_assert_unique_operations(void)
+ {
+ switch (0) {
+ #include GENL_MAGIC_INCLUDE_FILE
++ case 0:
+ ;
+ }
+ }
+@@ -208,6 +209,7 @@ static inline void ct_assert_unique_top_level_attributes(void)
+ {
+ switch (0) {
+ #include GENL_MAGIC_INCLUDE_FILE
++ case 0:
+ ;
+ }
+ }
+@@ -217,7 +219,8 @@ static inline void ct_assert_unique_top_level_attributes(void)
+ static inline void ct_assert_unique_ ## s_name ## _attributes(void) \
+ { \
+ switch (0) { \
+- s_fields \
++ s_fields \
++ case 0: \
+ ; \
+ } \
+ }
+--
+2.19.1
+
--- /dev/null
+From da05ad5f25496aace48dd4f47c8bbaee790d650e Mon Sep 17 00:00:00 2001
+From: Lars Ellenberg <lars.ellenberg@linbit.com>
+Date: Thu, 20 Dec 2018 17:23:32 +0100
+Subject: drbd: disconnect, if the wrong UUIDs are attached on a connected peer
+
+[ Upstream commit b17b59602b6dcf8f97a7dc7bc489a48388d7063a ]
+
+With "on-no-data-accessible suspend-io", DRBD requires the next attach
+or connect to be to the very same data generation uuid tag it lost last.
+
+If we first lost connection to the peer,
+then later lost connection to our own disk,
+we would usually refuse to re-connect to the peer,
+because it presents the wrong data set.
+
+However, if the peer first connects without a disk,
+and then attached its disk, we accepted that same wrong data set,
+which would be "unexpected" by any user of that DRBD
+and cause "undefined results" (read: very likely data corruption).
+
+The fix is to forcefully disconnect as soon as we notice that the peer
+attached to the "wrong" dataset.
+
+Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/drbd/drbd_receiver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
+index 77d0f80f62f9..83957a1e15ed 100644
+--- a/drivers/block/drbd/drbd_receiver.c
++++ b/drivers/block/drbd/drbd_receiver.c
+@@ -4199,7 +4199,7 @@ static int receive_uuids(struct drbd_connection *connection, struct packet_info
+ kfree(device->p_uuid);
+ device->p_uuid = p_uuid;
+
+- if (device->state.conn < C_CONNECTED &&
++ if ((device->state.conn < C_CONNECTED || device->state.pdsk == D_DISKLESS) &&
+ device->state.disk < D_INCONSISTENT &&
+ device->state.role == R_PRIMARY &&
+ (device->ed_uuid & ~((u64)1)) != (p_uuid[UI_CURRENT] & ~((u64)1))) {
+--
+2.19.1
+
--- /dev/null
+From d75c26aa367d3cd52376b37b0f331760295eddf4 Mon Sep 17 00:00:00 2001
+From: Roland Kammerer <roland.kammerer@linbit.com>
+Date: Thu, 20 Dec 2018 17:23:28 +0100
+Subject: drbd: narrow rcu_read_lock in drbd_sync_handshake
+
+[ Upstream commit d29e89e34952a9ad02c77109c71a80043544296e ]
+
+So far there was the possibility that we called
+genlmsg_new(GFP_NOIO)/mutex_lock() while holding an rcu_read_lock().
+
+This included cases like:
+
+drbd_sync_handshake (acquire the RCU lock)
+ drbd_asb_recover_1p
+ drbd_khelper
+ drbd_bcast_event
+ genlmsg_new(GFP_NOIO) --> may sleep
+
+drbd_sync_handshake (acquire the RCU lock)
+ drbd_asb_recover_1p
+ drbd_khelper
+ notify_helper
+ genlmsg_new(GFP_NOIO) --> may sleep
+
+drbd_sync_handshake (acquire the RCU lock)
+ drbd_asb_recover_1p
+ drbd_khelper
+ notify_helper
+ mutex_lock --> may sleep
+
+While using GFP_ATOMIC would have been possible in the first two cases,
+the real fix is to narrow the rcu_read_lock.
+
+Reported-by: Jia-Ju Bai <baijiaju1990@163.com>
+Reviewed-by: Lars Ellenberg <lars.ellenberg@linbit.com>
+Signed-off-by: Roland Kammerer <roland.kammerer@linbit.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/drbd/drbd_receiver.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
+index 942384f34e22..77d0f80f62f9 100644
+--- a/drivers/block/drbd/drbd_receiver.c
++++ b/drivers/block/drbd/drbd_receiver.c
+@@ -3421,7 +3421,7 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device,
+ enum drbd_conns rv = C_MASK;
+ enum drbd_disk_state mydisk;
+ struct net_conf *nc;
+- int hg, rule_nr, rr_conflict, tentative;
++ int hg, rule_nr, rr_conflict, tentative, always_asbp;
+
+ mydisk = device->state.disk;
+ if (mydisk == D_NEGOTIATING)
+@@ -3472,8 +3472,12 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device,
+
+ rcu_read_lock();
+ nc = rcu_dereference(peer_device->connection->net_conf);
++ always_asbp = nc->always_asbp;
++ rr_conflict = nc->rr_conflict;
++ tentative = nc->tentative;
++ rcu_read_unlock();
+
+- if (hg == 100 || (hg == -100 && nc->always_asbp)) {
++ if (hg == 100 || (hg == -100 && always_asbp)) {
+ int pcount = (device->state.role == R_PRIMARY)
+ + (peer_role == R_PRIMARY);
+ int forced = (hg == -100);
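Review bot: `nc` stays in scope after the new `rcu_read_unlock()`, so any later `nc->` access in this function would read memory that is no longer protected by the RCU read-side section. The three fields the visible code needs are copied into locals, but drbd_sync_handshake continues outside the hunk, so remaining uses cannot be ruled out from here. Setting `nc = NULL;` right after the unlock, or confining the pointer to a small block, would turn a stray use into an immediate fault instead of a silent stale read.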
+@@ -3512,9 +3516,6 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device,
+ "Sync from %s node\n",
+ (hg < 0) ? "peer" : "this");
+ }
+- rr_conflict = nc->rr_conflict;
+- tentative = nc->tentative;
+- rcu_read_unlock();
+
+ if (hg == -100) {
+ /* FIXME this log message is not correct if we end up here
+--
+2.19.1
+
--- /dev/null
+From 371cf158b6956ef39f0ace0fcf8d4c91feca0d15 Mon Sep 17 00:00:00 2001
+From: Lars Ellenberg <lars.ellenberg@linbit.com>
+Date: Thu, 20 Dec 2018 17:23:41 +0100
+Subject: drbd: skip spurious timeout (ping-timeo) when failing promote
+
+[ Upstream commit 9848b6ddd8c92305252f94592c5e278574e7a6ac ]
+
+If you try to promote a Secondary while connected to a Primary
+and allow-two-primaries is NOT set, we will wait for "ping-timeout"
+to give this node a chance to detect a dead primary,
+in case the cluster manager noticed faster than we did.
+
+But if we then are *still* connected to a Primary,
+we fail (after an additional timeout of ping-timeout).
+
+This change skips the spurious second timeout.
+
+Most people won't notice really,
+since "ping-timeout" by default is half a second.
+
+But in some installations, ping-timeout may be 10 or 20 seconds or more,
+and spuriously delaying the error return becomes annoying.
+
+Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/drbd/drbd_nl.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
+index f35db29cac76..abee91940a36 100644
+--- a/drivers/block/drbd/drbd_nl.c
++++ b/drivers/block/drbd/drbd_nl.c
+@@ -668,14 +668,15 @@ drbd_set_role(struct drbd_device *const device, enum drbd_role new_role, int for
+ if (rv == SS_TWO_PRIMARIES) {
+ /* Maybe the peer is detected as dead very soon...
+ retry at most once more in this case. */
+- int timeo;
+- rcu_read_lock();
+- nc = rcu_dereference(connection->net_conf);
+- timeo = nc ? (nc->ping_timeo + 1) * HZ / 10 : 1;
+- rcu_read_unlock();
+- schedule_timeout_interruptible(timeo);
+- if (try < max_tries)
++ if (try < max_tries) {
++ int timeo;
+ try = max_tries - 1;
++ rcu_read_lock();
++ nc = rcu_dereference(connection->net_conf);
++ timeo = nc ? (nc->ping_timeo + 1) * HZ / 10 : 1;
++ rcu_read_unlock();
++ schedule_timeout_interruptible(timeo);
++ }
+ continue;
+ }
+ if (rv < SS_SUCCESS) {
+--
+2.19.1
+
--- /dev/null
+From 4cb9f475bf2f7f417553d4c783281f4de5cfadfa Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 11:55:49 +0200
+Subject: drm/bufs: Fix Spectre v1 vulnerability
+
+[ Upstream commit a37805098900a6e73a55b3a43b7d3bcd987bb3f4 ]
+
+idx can be indirectly controlled by user-space, hence leading to a
+potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/gpu/drm/drm_bufs.c:1420 drm_legacy_freebufs() warn: potential
+spectre issue 'dma->buflist' [r] (local cap)
+
+Fix this by sanitizing idx before using it to index dma->buflist
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181016095549.GA23586@embeddedor.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_bufs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
+index adb1dd7fde5f..9ccd7d702cd3 100644
+--- a/drivers/gpu/drm/drm_bufs.c
++++ b/drivers/gpu/drm/drm_bufs.c
+@@ -36,6 +36,8 @@
+ #include <drm/drmP.h>
+ #include "drm_legacy.h"
+
++#include <linux/nospec.h>
++
+ static struct drm_map_list *drm_find_matching_map(struct drm_device *dev,
+ struct drm_local_map *map)
+ {
+@@ -1413,6 +1415,7 @@ int drm_legacy_freebufs(struct drm_device *dev, void *data,
+ idx, dma->buf_count - 1);
+ return -EINVAL;
+ }
++ idx = array_index_nospec(idx, dma->buf_count);
+ buf = dma->buflist[idx];
+ if (buf->file_priv != file_priv) {
+ DRM_ERROR("Process %d freeing buffer not owned\n",
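Review bot: The added `array_index_nospec()` line carries no comment, and without one it looks redundant next to the bounds check just above it. A one-liner such as `/* idx is user-controlled: clamp it under speculation (Spectre v1) */` records why both are needed and keeps a later cleanup from removing the clamp. It protects only this one load of `dma->buflist[idx]`. drm_legacy_freebufs starts and ends outside the hunk, so any other use of a user-supplied index there is not visible.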
+--
+2.19.1
+
--- /dev/null
+From ab4b4a66288158a7839fe604ba105044768d62ba Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@bootlin.com>
+Date: Fri, 9 Nov 2018 11:26:32 +0100
+Subject: drm/vc4: ->x_scaling[1] should never be set to VC4_SCALING_NONE
+
+[ Upstream commit 0560054da5673b25d56bea6c57c8d069673af73b ]
+
+For the YUV conversion to work properly, ->x_scaling[1] should never
+be set to VC4_SCALING_NONE, but vc4_get_scaling_mode() might return
+VC4_SCALING_NONE if the horizontal scaling ratio exactly matches the
+horizontal subsampling factor. Add a test to turn VC4_SCALING_NONE
+into VC4_SCALING_PPF when that happens.
+
+The old ->x_scaling[0] adjustment is dropped as I couldn't find any
+mention to this constraint in the spec and it's proven to be
+unnecessary (I tested various multi-planar YUV formats with scaling
+disabled, and all of them worked fine without this adjustment).
+
+Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.")
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181109102633.32603-1-boris.brezillon@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_plane.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c
+index 70051bf0ee5c..0376c0c2fc66 100644
+--- a/drivers/gpu/drm/vc4/vc4_plane.c
++++ b/drivers/gpu/drm/vc4/vc4_plane.c
+@@ -345,12 +345,14 @@ static int vc4_plane_setup_clipping_and_scaling(struct drm_plane_state *state)
+ vc4_get_scaling_mode(vc4_state->src_h[1],
+ vc4_state->crtc_h);
+
+- /* YUV conversion requires that horizontal scaling be enabled,
+- * even on a plane that's otherwise 1:1. Looks like only PPF
+- * works in that case, so let's pick that one.
++ /* YUV conversion requires that horizontal scaling be enabled
++ * on the UV plane even if vc4_get_scaling_mode() returned
++ * VC4_SCALING_NONE (which can happen when the down-scaling
++ * ratio is 0.5). Let's force it to VC4_SCALING_PPF in this
++ * case.
+ */
+- if (vc4_state->is_unity)
+- vc4_state->x_scaling[0] = VC4_SCALING_PPF;
++ if (vc4_state->x_scaling[1] == VC4_SCALING_NONE)
++ vc4_state->x_scaling[1] = VC4_SCALING_PPF;
+ } else {
+ vc4_state->is_yuv = false;
+ vc4_state->x_scaling[1] = VC4_SCALING_NONE;
+--
+2.19.1
+
--- /dev/null
+From 9e3e0b396a9928eb33e3d7db094b6591927f0d8b Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Thu, 3 Jan 2019 15:28:07 -0800
+Subject: exec: load_script: don't blindly truncate shebang string
+
+[ Upstream commit 8099b047ecc431518b9bb6bdbba3549bbecdc343 ]
+
+load_script() simply truncates bprm->buf and this is very wrong if the
+length of shebang string exceeds BINPRM_BUF_SIZE-2. This can silently
+truncate i_arg or (worse) we can execute the wrong binary if buf[2:126]
+happens to be the valid executable path.
+
+Change load_script() to return ENOEXEC if it can't find '\n' or zero in
+bprm->buf. Note that '\0' can come from either
+prepare_binprm()->memset() or from kernel_read(), we do not care.
+
+Link: http://lkml.kernel.org/r/20181112160931.GA28463@redhat.com
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Ben Woodard <woodard@redhat.com>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_script.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
+index afdf4e3cafc2..634bdbb23851 100644
+--- a/fs/binfmt_script.c
++++ b/fs/binfmt_script.c
+@@ -43,10 +43,14 @@ static int load_script(struct linux_binprm *bprm)
+ fput(bprm->file);
+ bprm->file = NULL;
+
+- bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
+- if ((cp = strchr(bprm->buf, '\n')) == NULL)
+- cp = bprm->buf+BINPRM_BUF_SIZE-1;
++ for (cp = bprm->buf+2;; cp++) {
++ if (cp >= bprm->buf + BINPRM_BUF_SIZE)
++ return -ENOEXEC;
++ if (!*cp || (*cp == '\n'))
++ break;
++ }
+ *cp = '\0';
++
+ while (cp > bprm->buf) {
+ cp--;
+ if ((*cp == ' ') || (*cp == '\t'))
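Review bot: The new `return -ENOEXEC` is reached only after `fput(bprm->file)` and `bprm->file = NULL` at the top of this hunk, so the unterminated-shebang path exits with the file already released. Whether the caller copes with a NULL `bprm->file` on -ENOEXEC is not visible here and should be confirmed, or the scan moved ahead of the fput. The loop also deserves a short comment, for example `/* no '\n' or NUL inside buf: refuse rather than run a truncated interpreter path */`, since that is the security reason for the change. load_script() starts and ends outside the hunk.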
+--
+2.19.1
+
--- /dev/null
+From 12ef0be5dbfdc31db1f75addcb6c3553a7827461 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Mon, 26 Nov 2018 14:20:32 -0800
+Subject: f2fs: avoid build warn of fall_through
+
+[ Upstream commit f5d5510e7389fa264337fb524346bac9eb93adc8 ]
+
+After merging the f2fs tree, today's linux-next build
+ (x86_64_allmodconfig) produced this warning:
+
+ In file included from fs/f2fs/dir.c:11:
+ fs/f2fs/f2fs.h: In function '__mark_inode_dirty_flag':
+ fs/f2fs/f2fs.h:2388:6: warning: this statement may fall through [-Wimplicit-fallthrough=]
+ if (set)
+ ^
+ fs/f2fs/f2fs.h:2390:2: note: here
+ case FI_DATA_EXIST:
+ ^~~~
+
+ Exposed by my use of -Wimplicit-fallthrough
+
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 9c380885b0fc..662084490089 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1635,6 +1635,7 @@ static inline void __mark_inode_dirty_flag(struct inode *inode,
+ case FI_INLINE_DENTRY:
+ if (set)
+ return;
++ /* fall through */
+ case FI_DATA_EXIST:
+ case FI_INLINE_DOTS:
+ f2fs_mark_inode_dirty_sync(inode);
+--
+2.19.1
+
--- /dev/null
+From 6c76dce2e36def770dd550d956099a5dc63810aa Mon Sep 17 00:00:00 2001
+From: Sahitya Tummala <stummala@codeaurora.org>
+Date: Tue, 18 Dec 2018 16:39:24 +0530
+Subject: f2fs: fix sbi->extent_list corruption issue
+
+[ Upstream commit e4589fa545e0020dbbc3c9bde35f35f949901392 ]
+
+When there is a failure in f2fs_fill_super() after/during
+the recovery of fsync'd nodes, it frees the current sbi and
+retries again. This time the mount is successful, but the files
+that got recovered before retry, still holds the extent tree,
+whose extent nodes list is corrupted since sbi and sbi->extent_list
+is freed up. The list_del corruption issue is observed when the
+file system is getting unmounted and when those recoverd files extent
+node is being freed up in the below context.
+
+list_del corruption. prev->next should be fffffff1e1ef5480, but was (null)
+<...>
+kernel BUG at kernel/msm-4.14/lib/list_debug.c:53!
+lr : __list_del_entry_valid+0x94/0xb4
+pc : __list_del_entry_valid+0x94/0xb4
+<...>
+Call trace:
+__list_del_entry_valid+0x94/0xb4
+__release_extent_node+0xb0/0x114
+__free_extent_tree+0x58/0x7c
+f2fs_shrink_extent_tree+0xdc/0x3b0
+f2fs_leave_shrinker+0x28/0x7c
+f2fs_put_super+0xfc/0x1e0
+generic_shutdown_super+0x70/0xf4
+kill_block_super+0x2c/0x5c
+kill_f2fs_super+0x44/0x50
+deactivate_locked_super+0x60/0x8c
+deactivate_super+0x68/0x74
+cleanup_mnt+0x40/0x78
+__cleanup_mnt+0x1c/0x28
+task_work_run+0x48/0xd0
+do_notify_resume+0x678/0xe98
+work_pending+0x8/0x14
+
+Fix this by not creating extents for those recovered files if shrinker is
+not registered yet. Once mount is successful and shrinker is registered,
+those files can have extents again.
+
+Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 11 ++++++++++-
+ fs/f2fs/shrinker.c | 2 +-
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 662084490089..6c069c9c0bb6 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1886,10 +1886,19 @@ static inline bool is_dot_dotdot(const struct qstr *str)
+
+ static inline bool f2fs_may_extent_tree(struct inode *inode)
+ {
+- if (!test_opt(F2FS_I_SB(inode), EXTENT_CACHE) ||
++ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
++
++ if (!test_opt(sbi, EXTENT_CACHE) ||
+ is_inode_flag_set(inode, FI_NO_EXTENT))
+ return false;
+
++ /*
++ * for recovered files during mount do not create extents
++ * if shrinker is not registered.
++ */
++ if (list_empty(&sbi->s_list))
++ return false;
++
+ return S_ISREG(inode->i_mode);
+ }
+
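Review bot: The added `list_empty(&sbi->s_list)` test reads the list head without `f2fs_list_lock`, while the shrinker.c hunk of this patch modifies the same node under that lock. It also only works if `s_list` is initialised as an empty list before the first recovered inode reaches f2fs_may_extent_tree(); that initialisation is not part of this patch and should be confirmed. The comment would be clearer if it named the dependency, e.g. `/* s_list stays empty until the sbi joins the shrinker list; f2fs_leave_shrinker() uses list_del_init() to keep this test valid */`.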
+diff --git a/fs/f2fs/shrinker.c b/fs/f2fs/shrinker.c
+index 46c915425923..a40bfa7fafec 100644
+--- a/fs/f2fs/shrinker.c
++++ b/fs/f2fs/shrinker.c
+@@ -136,6 +136,6 @@ void f2fs_leave_shrinker(struct f2fs_sb_info *sbi)
+ f2fs_shrink_extent_tree(sbi, __count_extent_cache(sbi));
+
+ spin_lock(&f2fs_list_lock);
+- list_del(&sbi->s_list);
++ list_del_init(&sbi->s_list);
+ spin_unlock(&f2fs_list_lock);
+ }
+--
+2.19.1
+
--- /dev/null
+From 8ce5882650228a86730078112e6f0dca17948fef Mon Sep 17 00:00:00 2001
+From: Tiezhu Yang <kernelpatch@126.com>
+Date: Wed, 21 Nov 2018 07:21:38 +0800
+Subject: f2fs: fix wrong return value of f2fs_acl_create
+
+[ Upstream commit f6176473a0c7472380eef72ebeb330cf9485bf0a ]
+
+When call f2fs_acl_create_masq() failed, the caller f2fs_acl_create()
+should return -EIO instead of -ENOMEM, this patch makes it consistent
+with posix_acl_create() which has been fixed in commit beaf226b863a
+("posix_acl: don't ignore return value of posix_acl_create_masq()").
+
+Fixes: 83dfe53c185e ("f2fs: fix reference leaks in f2fs_acl_create")
+Signed-off-by: Tiezhu Yang <kernelpatch@126.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/acl.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
+index 55aa29c0c78d..a9894089d9dc 100644
+--- a/fs/f2fs/acl.c
++++ b/fs/f2fs/acl.c
+@@ -348,12 +348,14 @@ static int f2fs_acl_create(struct inode *dir, umode_t *mode,
+ return PTR_ERR(p);
+
+ clone = f2fs_acl_clone(p, GFP_NOFS);
+- if (!clone)
+- goto no_mem;
++ if (!clone) {
++ ret = -ENOMEM;
++ goto release_acl;
++ }
+
+ ret = f2fs_acl_create_masq(clone, mode);
+ if (ret < 0)
+- goto no_mem_clone;
++ goto release_clone;
+
+ if (ret == 0)
+ posix_acl_release(clone);
+@@ -367,11 +369,11 @@ static int f2fs_acl_create(struct inode *dir, umode_t *mode,
+
+ return 0;
+
+-no_mem_clone:
++release_clone:
+ posix_acl_release(clone);
+-no_mem:
++release_acl:
+ posix_acl_release(p);
+- return -ENOMEM;
++ return ret;
+ }
+
+ int f2fs_init_acl(struct inode *inode, struct inode *dir, struct page *ipage,
+--
+2.19.1
+
--- /dev/null
+From 12a0cb2eb77fd42a7b80492e5fa21269f1abe121 Mon Sep 17 00:00:00 2001
+From: Yunlei He <heyunlei@huawei.com>
+Date: Tue, 6 Nov 2018 10:25:29 +0800
+Subject: f2fs: move dir data flush to write checkpoint process
+
+[ Upstream commit b61ac5b720146c619c7cdf17eff2551b934399e5 ]
+
+This patch move dir data flush to write checkpoint process, by
+doing this, it may reduce some time for dir fsync.
+
+pre:
+ -f2fs_do_sync_file enter
+ -file_write_and_wait_range <- flush & wait
+ -write_checkpoint
+ -do_checkpoint <- wait all
+ -f2fs_do_sync_file exit
+
+now:
+ -f2fs_do_sync_file enter
+ -write_checkpoint
+ -block_operations <- flush dir & no wait
+ -do_checkpoint <- wait all
+ -f2fs_do_sync_file exit
+
+Signed-off-by: Yunlei He <heyunlei@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index b768f495603e..f46ac1651bd5 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -198,6 +198,9 @@ static int f2fs_do_sync_file(struct file *file, loff_t start, loff_t end,
+
+ trace_f2fs_sync_file_enter(inode);
+
++ if (S_ISDIR(inode->i_mode))
++ goto go_write;
++
+ /* if fdatasync is triggered, let's do in-place-update */
+ if (datasync || get_dirty_pages(inode) <= SM_I(sbi)->min_fsync_blocks)
+ set_inode_flag(inode, FI_NEED_IPU);
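Review bot: The `goto go_write` for directories has no comment, and it skips every statement between here and the label, which lies outside the hunk. A line such as `/* dir data is flushed by the checkpoint (block_operations), so skip the range flush */` would record why this is safe. It is also worth confirming that the code after `go_write` always takes the checkpoint path for a directory, since otherwise a directory fsync could return without its dirty data being written; that code is not visible here.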
+--
+2.19.1
+
--- /dev/null
+From 21ea1b6847fc7f69218dd0a1f8b24b960661c812 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= <noralf@tronnes.org>
+Date: Thu, 20 Dec 2018 19:13:09 +0100
+Subject: fbdev: fbcon: Fix unregister crash when more than one framebuffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 2122b40580dd9d0620398739c773d07a7b7939d0 ]
+
+When unregistering fbdev using unregister_framebuffer(), any bound
+console will unbind automatically. This is working fine if this is the
+only framebuffer, resulting in a switch to the dummy console. However if
+there is a fb0 and I unregister fb1 having a bound console, I eventually
+get a crash. The fastest way for me to trigger the crash is to do a
+reboot, resulting in this splat:
+
+[ 76.478825] WARNING: CPU: 0 PID: 527 at linux/kernel/workqueue.c:1442 __queue_work+0x2d4/0x41c
+[ 76.478849] Modules linked in: raspberrypi_hwmon gpio_backlight backlight bcm2835_rng rng_core [last unloaded: tinydrm]
+[ 76.478916] CPU: 0 PID: 527 Comm: systemd-udevd Not tainted 4.20.0-rc4+ #4
+[ 76.478933] Hardware name: BCM2835
+[ 76.478949] Backtrace:
+[ 76.478995] [<c010d388>] (dump_backtrace) from [<c010d670>] (show_stack+0x20/0x24)
+[ 76.479022] r6:00000000 r5:c0bc73be r4:00000000 r3:6fb5bf81
+[ 76.479060] [<c010d650>] (show_stack) from [<c08e82f4>] (dump_stack+0x20/0x28)
+[ 76.479102] [<c08e82d4>] (dump_stack) from [<c0120070>] (__warn+0xec/0x12c)
+[ 76.479134] [<c011ff84>] (__warn) from [<c01201e4>] (warn_slowpath_null+0x4c/0x58)
+[ 76.479165] r9:c0eb6944 r8:00000001 r7:c0e927f8 r6:c0bc73be r5:000005a2 r4:c0139e84
+[ 76.479197] [<c0120198>] (warn_slowpath_null) from [<c0139e84>] (__queue_work+0x2d4/0x41c)
+[ 76.479222] r6:d7666a00 r5:c0e918ee r4:dbc4e700
+[ 76.479251] [<c0139bb0>] (__queue_work) from [<c013a02c>] (queue_work_on+0x60/0x88)
+[ 76.479281] r10:c0496bf8 r9:00000100 r8:c0e92ae0 r7:00000001 r6:d9403700 r5:d7666a00
+[ 76.479298] r4:20000113
+[ 76.479348] [<c0139fcc>] (queue_work_on) from [<c0496c28>] (cursor_timer_handler+0x30/0x54)
+[ 76.479374] r7:d8a8fabc r6:c0e08088 r5:d8afdc5c r4:d8a8fabc
+[ 76.479413] [<c0496bf8>] (cursor_timer_handler) from [<c0178744>] (call_timer_fn+0x100/0x230)
+[ 76.479435] r4:c0e9192f r3:d758a340
+[ 76.479465] [<c0178644>] (call_timer_fn) from [<c0178980>] (expire_timers+0x10c/0x12c)
+[ 76.479495] r10:40000000 r9:c0e9192f r8:c0e92ae0 r7:d8afdccc r6:c0e19280 r5:c0496bf8
+[ 76.479513] r4:d8a8fabc
+[ 76.479541] [<c0178874>] (expire_timers) from [<c0179630>] (run_timer_softirq+0xa8/0x184)
+[ 76.479570] r9:00000001 r8:c0e19280 r7:00000000 r6:c0e08088 r5:c0e1a3e0 r4:c0e19280
+[ 76.479603] [<c0179588>] (run_timer_softirq) from [<c0102404>] (__do_softirq+0x1ac/0x3fc)
+[ 76.479632] r10:c0e91680 r9:d8afc020 r8:0000000a r7:00000100 r6:00000001 r5:00000002
+[ 76.479650] r4:c0eb65ec
+[ 76.479686] [<c0102258>] (__do_softirq) from [<c0124d10>] (irq_exit+0xe8/0x168)
+[ 76.479716] r10:d8d1a9b0 r9:d8afc000 r8:00000001 r7:d949c000 r6:00000000 r5:c0e8b3f0
+[ 76.479734] r4:00000000
+[ 76.479764] [<c0124c28>] (irq_exit) from [<c016b72c>] (__handle_domain_irq+0x94/0xb0)
+[ 76.479793] [<c016b698>] (__handle_domain_irq) from [<c01021dc>] (bcm2835_handle_irq+0x3c/0x48)
+[ 76.479823] r8:d8afdebc r7:d8afddfc r6:ffffffff r5:c0e089f8 r4:d8afddc8 r3:d8afddc8
+[ 76.479851] [<c01021a0>] (bcm2835_handle_irq) from [<c01019f0>] (__irq_svc+0x70/0x98)
+
+The problem is in the console rebinding in fbcon_fb_unbind(). It uses the
+virtual console index as the new framebuffer index to bind the console(s)
+to. The correct way is to use the con2fb_map lookup table to find the
+framebuffer index.
+
+Fixes: cfafca8067c6 ("fbdev: fbcon: console unregistration from unregister_framebuffer")
+Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
+Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/console/fbcon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c
+index 4db10d7990c9..178b507a6fe0 100644
+--- a/drivers/video/console/fbcon.c
++++ b/drivers/video/console/fbcon.c
+@@ -3030,7 +3030,7 @@ static int fbcon_fb_unbind(int idx)
+ for (i = first_fb_vc; i <= last_fb_vc; i++) {
+ if (con2fb_map[i] != idx &&
+ con2fb_map[i] != -1) {
+- new_idx = i;
++ new_idx = con2fb_map[i];
+ break;
+ }
+ }
+--
+2.19.1
+
--- /dev/null
+From 2a428d176a63363dc27796bb58f86e7470c84790 Mon Sep 17 00:00:00 2001
+From: Peter Rosin <peda@axentia.se>
+Date: Thu, 20 Dec 2018 19:13:07 +0100
+Subject: fbdev: fbmem: behave better with small rotated displays and many CPUs
+
+[ Upstream commit f75df8d4b4fabfad7e3cba2debfad12741c6fde7 ]
+
+Blitting an image with "negative" offsets is not working since there
+is no clipping. It hopefully just crashes. For the bootup logo, there
+is protection so that blitting does not happen as the image is drawn
+further and further to the right (ROTATE_UR) or further and further
+down (ROTATE_CW). There is however no protection when drawing in the
+opposite directions (ROTATE_UD and ROTATE_CCW).
+
+Add back this protection.
+
+The regression is 20-odd years old but the mindless warning-killing
+mentality displayed in commit 34bdb666f4b2 ("fbdev: fbmem: remove
+positive test on unsigned values") is also to blame, methinks.
+
+Fixes: 448d479747b8 ("fbdev: fb_do_show_logo() updates")
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Cc: Fabian Frederick <ffrederick@users.sourceforge.net>
+Cc: Geert Uytterhoeven <geert+renesas@glider.be>
+cc: Geoff Levand <geoff@infradead.org>
+Cc: James Simmons <jsimmons@users.sf.net>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/core/fbmem.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
+index 74273bc7ca9a..a1d93151c059 100644
+--- a/drivers/video/fbdev/core/fbmem.c
++++ b/drivers/video/fbdev/core/fbmem.c
+@@ -433,7 +433,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image,
+ image->dx += image->width + 8;
+ }
+ } else if (rotate == FB_ROTATE_UD) {
+- for (x = 0; x < num; x++) {
++ u32 dx = image->dx;
++
++ for (x = 0; x < num && image->dx <= dx; x++) {
+ info->fbops->fb_imageblit(info, image);
+ image->dx -= image->width + 8;
+ }
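Review bot: The loop guard `image->dx <= dx` ends the loop by detecting unsigned wrap-around of `image->dx` after the subtraction, which is not obvious from the code and looks like the kind of test the warning clean-up named in the commit message removed. A comment such as `/* dx is unsigned: a value above the start means the subtraction wrapped below zero */` would protect it from being dropped again. The same applies to `image->dy <= dy` in the FB_ROTATE_CCW hunk. fb_do_show_logo() starts and ends outside both hunks.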
+@@ -445,7 +447,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image,
+ image->dy += image->height + 8;
+ }
+ } else if (rotate == FB_ROTATE_CCW) {
+- for (x = 0; x < num; x++) {
++ u32 dy = image->dy;
++
++ for (x = 0; x < num && image->dy <= dy; x++) {
+ info->fbops->fb_imageblit(info, image);
+ image->dy -= image->height + 8;
+ }
+--
+2.19.1
+
--- /dev/null
+From 460b09265b44296246bc7fc899052b2def13c69b Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 29 Nov 2018 18:12:27 +0100
+Subject: firmware/efi: Add NULL pointer checks in efivars API functions
+
+[ Upstream commit ab2180a15ce54739fed381efb4cb12e78dfb1561 ]
+
+Since commit:
+
+ ce2e6db554fa ("brcmfmac: Add support for getting nvram contents from EFI variables")
+
+we have a device driver accessing the efivars API. Several functions in
+the efivars API assume __efivars is set, i.e., that they will be accessed
+only after efivars_register() has been called. However, the following NULL
+pointer access was reported calling efivar_entry_size() from the brcmfmac
+device driver:
+
+ Unable to handle kernel NULL pointer dereference at virtual address 00000008
+ pgd = 60bfa5f1
+ [00000008] *pgd=00000000
+ Internal error: Oops: 5 [#1] SMP ARM
+ ...
+ Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
+ Workqueue: events request_firmware_work_func
+ PC is at efivar_entry_size+0x28/0x90
+ LR is at brcmf_fw_complete_request+0x3f8/0x8d4 [brcmfmac]
+ pc : [<c0c40718>] lr : [<bf2a3ef4>] psr: a00d0113
+ sp : ede7fe28 ip : ee983410 fp : c1787f30
+ r10: 00000000 r9 : 00000000 r8 : bf2b2258
+ r7 : ee983000 r6 : c1604c48 r5 : ede7fe88 r4 : edf337c0
+ r3 : 00000000 r2 : 00000000 r1 : ede7fe88 r0 : c17712c8
+ Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+ Control: 10c5387d Table: ad16804a DAC: 00000051
+
+Disassembly showed that the local static variable __efivars is NULL,
+which is not entirely unexpected given that it is a non-EFI platform.
+
+So add a NULL pointer check to efivar_entry_size(), and to related
+functions while at it. In efivars_register() a couple of sanity checks
+are added as well.
+
+Reported-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Bhupesh Sharma <bhsharma@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Eric Snowberg <eric.snowberg@oracle.com>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Cc: Joe Perches <joe@perches.com>
+Cc: Julien Thierry <julien.thierry@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Nathan Chancellor <natechancellor@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+Cc: Sedat Dilek <sedat.dilek@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: YiFei Zhu <zhuyifei1999@gmail.com>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20181129171230.18699-9-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/vars.c | 99 +++++++++++++++++++++++++++++--------
+ 1 file changed, 78 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/firmware/efi/vars.c b/drivers/firmware/efi/vars.c
+index 9336ffdf6e2c..fceaafd67ec6 100644
+--- a/drivers/firmware/efi/vars.c
++++ b/drivers/firmware/efi/vars.c
+@@ -318,7 +318,12 @@ EXPORT_SYMBOL_GPL(efivar_variable_is_removable);
+ static efi_status_t
+ check_var_size(u32 attributes, unsigned long size)
+ {
+- const struct efivar_operations *fops = __efivars->ops;
++ const struct efivar_operations *fops;
++
++ if (!__efivars)
++ return EFI_UNSUPPORTED;
++
++ fops = __efivars->ops;
+
+ if (!fops->query_variable_store)
+ return EFI_UNSUPPORTED;
+@@ -329,7 +334,12 @@ check_var_size(u32 attributes, unsigned long size)
+ static efi_status_t
+ check_var_size_nonblocking(u32 attributes, unsigned long size)
+ {
+- const struct efivar_operations *fops = __efivars->ops;
++ const struct efivar_operations *fops;
++
++ if (!__efivars)
++ return EFI_UNSUPPORTED;
++
++ fops = __efivars->ops;
+
+ if (!fops->query_variable_store)
+ return EFI_UNSUPPORTED;
+@@ -429,13 +439,18 @@ static void dup_variable_bug(efi_char16_t *str16, efi_guid_t *vendor_guid,
+ int efivar_init(int (*func)(efi_char16_t *, efi_guid_t, unsigned long, void *),
+ void *data, bool duplicates, struct list_head *head)
+ {
+- const struct efivar_operations *ops = __efivars->ops;
++ const struct efivar_operations *ops;
+ unsigned long variable_name_size = 1024;
+ efi_char16_t *variable_name;
+ efi_status_t status;
+ efi_guid_t vendor_guid;
+ int err = 0;
+
++ if (!__efivars)
++ return -EFAULT;
++
++ ops = __efivars->ops;
++
+ variable_name = kzalloc(variable_name_size, GFP_KERNEL);
+ if (!variable_name) {
+ printk(KERN_ERR "efivars: Memory allocation failed.\n");
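Review bot: efivar_init() returns `-EFAULT` when `__efivars` is NULL, while every other check added by this patch returns `-EINVAL` (or `EFI_UNSUPPORTED` in the efi_status_t helpers). Unless callers of efivar_init() depend on that value, `return -EINVAL;` would keep the API consistent; if the difference is intended, a one-line comment should say why. The function continues outside the hunk.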
+@@ -583,12 +598,14 @@ static void efivar_entry_list_del_unlock(struct efivar_entry *entry)
+ */
+ int __efivar_entry_delete(struct efivar_entry *entry)
+ {
+- const struct efivar_operations *ops = __efivars->ops;
+ efi_status_t status;
+
+- status = ops->set_variable(entry->var.VariableName,
+- &entry->var.VendorGuid,
+- 0, 0, NULL);
++ if (!__efivars)
++ return -EINVAL;
++
++ status = __efivars->ops->set_variable(entry->var.VariableName,
++ &entry->var.VendorGuid,
++ 0, 0, NULL);
+
+ return efi_status_to_err(status);
+ }
+@@ -607,12 +624,17 @@ EXPORT_SYMBOL_GPL(__efivar_entry_delete);
+ */
+ int efivar_entry_delete(struct efivar_entry *entry)
+ {
+- const struct efivar_operations *ops = __efivars->ops;
++ const struct efivar_operations *ops;
+ efi_status_t status;
+
+ if (down_interruptible(&efivars_lock))
+ return -EINTR;
+
++ if (!__efivars) {
++ up(&efivars_lock);
++ return -EINVAL;
++ }
++ ops = __efivars->ops;
+ status = ops->set_variable(entry->var.VariableName,
+ &entry->var.VendorGuid,
+ 0, 0, NULL);
+@@ -650,13 +672,19 @@ EXPORT_SYMBOL_GPL(efivar_entry_delete);
+ int efivar_entry_set(struct efivar_entry *entry, u32 attributes,
+ unsigned long size, void *data, struct list_head *head)
+ {
+- const struct efivar_operations *ops = __efivars->ops;
++ const struct efivar_operations *ops;
+ efi_status_t status;
+ efi_char16_t *name = entry->var.VariableName;
+ efi_guid_t vendor = entry->var.VendorGuid;
+
+ if (down_interruptible(&efivars_lock))
+ return -EINTR;
++
++ if (!__efivars) {
++ up(&efivars_lock);
++ return -EINVAL;
++ }
++ ops = __efivars->ops;
+ if (head && efivar_entry_find(name, vendor, head, false)) {
+ up(&efivars_lock);
+ return -EEXIST;
+@@ -687,12 +715,17 @@ static int
+ efivar_entry_set_nonblocking(efi_char16_t *name, efi_guid_t vendor,
+ u32 attributes, unsigned long size, void *data)
+ {
+- const struct efivar_operations *ops = __efivars->ops;
++ const struct efivar_operations *ops;
+ efi_status_t status;
+
+ if (down_trylock(&efivars_lock))
+ return -EBUSY;
+
++ if (!__efivars) {
++ up(&efivars_lock);
++ return -EINVAL;
++ }
++
+ status = check_var_size_nonblocking(attributes,
+ size + ucs2_strsize(name, 1024));
+ if (status != EFI_SUCCESS) {
+@@ -700,6 +733,7 @@ efivar_entry_set_nonblocking(efi_char16_t *name, efi_guid_t vendor,
+ return -ENOSPC;
+ }
+
++ ops = __efivars->ops;
+ status = ops->set_variable_nonblocking(name, &vendor, attributes,
+ size, data);
+
+@@ -727,9 +761,13 @@ efivar_entry_set_nonblocking(efi_char16_t *name, efi_guid_t vendor,
+ int efivar_entry_set_safe(efi_char16_t *name, efi_guid_t vendor, u32 attributes,
+ bool block, unsigned long size, void *data)
+ {
+- const struct efivar_operations *ops = __efivars->ops;
++ const struct efivar_operations *ops;
+ efi_status_t status;
+
++ if (!__efivars)
++ return -EINVAL;
++
++ ops = __efivars->ops;
+ if (!ops->query_variable_store)
+ return -ENOSYS;
+
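Review bot: In efivar_entry_set_safe() the `!__efivars` test and the `ops = __efivars->ops` load run before any lock is taken in the visible lines, whereas efivar_entry_set(), efivar_entry_size() and efivar_entry_get() make the same test after acquiring `efivars_lock`. If unregistration can clear `__efivars` concurrently, which is not visible here, the early check leaves a window between test and use, so it belongs under the lock or needs a comment stating why that cannot happen. The same question applies to the unlocked checks in check_var_size(), __efivar_entry_delete() and __efivar_entry_get(), which presumably rely on the caller holding the lock. The function body continues outside the hunk.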
+@@ -829,13 +867,18 @@ EXPORT_SYMBOL_GPL(efivar_entry_find);
+ */
+ int efivar_entry_size(struct efivar_entry *entry, unsigned long *size)
+ {
+- const struct efivar_operations *ops = __efivars->ops;
++ const struct efivar_operations *ops;
+ efi_status_t status;
+
+ *size = 0;
+
+ if (down_interruptible(&efivars_lock))
+ return -EINTR;
++ if (!__efivars) {
++ up(&efivars_lock);
++ return -EINVAL;
++ }
++ ops = __efivars->ops;
+ status = ops->get_variable(entry->var.VariableName,
+ &entry->var.VendorGuid, NULL, size, NULL);
+ up(&efivars_lock);
+@@ -861,12 +904,14 @@ EXPORT_SYMBOL_GPL(efivar_entry_size);
+ int __efivar_entry_get(struct efivar_entry *entry, u32 *attributes,
+ unsigned long *size, void *data)
+ {
+- const struct efivar_operations *ops = __efivars->ops;
+ efi_status_t status;
+
+- status = ops->get_variable(entry->var.VariableName,
+- &entry->var.VendorGuid,
+- attributes, size, data);
++ if (!__efivars)
++ return -EINVAL;
++
++ status = __efivars->ops->get_variable(entry->var.VariableName,
++ &entry->var.VendorGuid,
++ attributes, size, data);
+
+ return efi_status_to_err(status);
+ }
+@@ -882,14 +927,19 @@ EXPORT_SYMBOL_GPL(__efivar_entry_get);
+ int efivar_entry_get(struct efivar_entry *entry, u32 *attributes,
+ unsigned long *size, void *data)
+ {
+- const struct efivar_operations *ops = __efivars->ops;
+ efi_status_t status;
+
+ if (down_interruptible(&efivars_lock))
+ return -EINTR;
+- status = ops->get_variable(entry->var.VariableName,
+- &entry->var.VendorGuid,
+- attributes, size, data);
++
++ if (!__efivars) {
++ up(&efivars_lock);
++ return -EINVAL;
++ }
++
++ status = __efivars->ops->get_variable(entry->var.VariableName,
++ &entry->var.VendorGuid,
++ attributes, size, data);
+ up(&efivars_lock);
+
+ return efi_status_to_err(status);
+@@ -921,7 +971,7 @@ EXPORT_SYMBOL_GPL(efivar_entry_get);
+ int efivar_entry_set_get_size(struct efivar_entry *entry, u32 attributes,
+ unsigned long *size, void *data, bool *set)
+ {
+- const struct efivar_operations *ops = __efivars->ops;
++ const struct efivar_operations *ops;
+ efi_char16_t *name = entry->var.VariableName;
+ efi_guid_t *vendor = &entry->var.VendorGuid;
+ efi_status_t status;
+@@ -940,6 +990,11 @@ int efivar_entry_set_get_size(struct efivar_entry *entry, u32 attributes,
+ if (down_interruptible(&efivars_lock))
+ return -EINTR;
+
++ if (!__efivars) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ /*
+ * Ensure that the available space hasn't shrunk below the safe level
+ */
+@@ -956,6 +1011,8 @@ int efivar_entry_set_get_size(struct efivar_entry *entry, u32 attributes,
+ }
+ }
+
++ ops = __efivars->ops;
++
+ status = ops->set_variable(name, vendor, attributes, *size, data);
+ if (status != EFI_SUCCESS) {
+ err = efi_status_to_err(status);
+--
+2.19.1
+
--- /dev/null
+From a705bac17a6d9b947e4300cc92169b11f950623f Mon Sep 17 00:00:00 2001
+From: Davidlohr Bueso <dave@stgolabs.net>
+Date: Thu, 3 Jan 2019 15:27:09 -0800
+Subject: fs/epoll: drop ovflist branch prediction
+
+[ Upstream commit 76699a67f3041ff4c7af6d6ee9be2bfbf1ffb671 ]
+
+The ep->ovflist is a secondary ready-list to temporarily store events
+that might occur when doing sproc without holding the ep->wq.lock. This
+accounts for every time we check for ready events and also send events
+back to userspace; both callbacks, particularly the latter because of
+copy_to_user, can account for a non-trivial time.
+
+As such, the unlikely() check to see if the pointer is being used, seems
+both misleading and sub-optimal. In fact, we go to an awful lot of
+trouble to sync both lists, and populating the ovflist is far from an
+uncommon scenario.
+
+For example, profiling a concurrent epoll_wait(2) benchmark, with
+CONFIG_PROFILE_ANNOTATED_BRANCHES shows that for a two threads a 33%
+incorrect rate was seen; and when incrementally increasing the number of
+epoll instances (which is used, for example for multiple queuing load
+balancing models), up to a 90% incorrect rate was seen.
+
+Similarly, by deleting the prediction, 3% throughput boost was seen
+across incremental threads.
+
+Link: http://lkml.kernel.org/r/20181108051006.18751-4-dave@stgolabs.net
+Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Jason Baron <jbaron@akamai.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/eventpoll.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index 3cbc30413add..a9c0bf8782f5 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -1040,7 +1040,7 @@ static int ep_poll_callback(wait_queue_t *wait, unsigned mode, int sync, void *k
+ * semantics). All the events that happen during that period of time are
+ * chained in ep->ovflist and requeued later on.
+ */
+- if (unlikely(ep->ovflist != EP_UNACTIVE_PTR)) {
++ if (ep->ovflist != EP_UNACTIVE_PTR) {
+ if (epi->next == EP_UNACTIVE_PTR) {
+ epi->next = ep->ovflist;
+ ep->ovflist = epi;
+--
+2.19.1
+
--- /dev/null
+From 161c6ea33a40f3775d2af91f3ae20c89048a3c19 Mon Sep 17 00:00:00 2001
+From: Benjamin Gordon <bmgordon@google.com>
+Date: Thu, 3 Jan 2019 15:25:56 -0800
+Subject: fs/proc/base.c: use ns_capable instead of capable for timerslack_ns
+
+[ Upstream commit 8da0b4f692c6d90b09c91f271517db746a22ff67 ]
+
+Access to timerslack_ns is controlled by a process having CAP_SYS_NICE
+in its effective capability set, but the current check looks in the root
+namespace instead of the process' user namespace. Since a process is
+allowed to do other activities controlled by CAP_SYS_NICE inside a
+namespace, it should also be able to adjust timerslack_ns.
+
+Link: http://lkml.kernel.org/r/20181030180012.232896-1-bmgordon@google.com
+Signed-off-by: Benjamin Gordon <bmgordon@google.com>
+Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: "Serge E. Hallyn" <serge@hallyn.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Arjan van de Ven <arjan@linux.intel.com>
+Cc: Oren Laadan <orenl@cellrox.com>
+Cc: Ruchi Kandoi <kandoiruchi@google.com>
+Cc: Rom Lemarchand <romlem@android.com>
+Cc: Todd Kjos <tkjos@google.com>
+Cc: Colin Cross <ccross@android.com>
+Cc: Nick Kralevich <nnk@google.com>
+Cc: Dmitry Shmidt <dimitrysh@google.com>
+Cc: Elliott Hughes <enh@google.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/base.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 79702d405ba7..f73de326c630 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2337,10 +2337,13 @@ static ssize_t timerslack_ns_write(struct file *file, const char __user *buf,
+ return -ESRCH;
+
+ if (p != current) {
+- if (!capable(CAP_SYS_NICE)) {
++ rcu_read_lock();
++ if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) {
++ rcu_read_unlock();
+ count = -EPERM;
+ goto out;
+ }
++ rcu_read_unlock();
+
+ err = security_task_setscheduler(p);
+ if (err) {
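Review bot: The RCU-protected capability test is written twice with an unlock on each branch, here and in the timerslack_ns_show() hunk below. Reading the result into a local, `allowed = ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE);` between `rcu_read_lock()` and a single `rcu_read_unlock()`, removes the paired unlocks and the chance of the two copies diverging. Since the check now depends on the target task's user namespace, a comment such as `/* CAP_SYS_NICE is checked in p's user namespace, not the initial one */` would make the relaxed permission explicit. Both functions start and end outside their hunks.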
+@@ -2373,11 +2376,14 @@ static int timerslack_ns_show(struct seq_file *m, void *v)
+ return -ESRCH;
+
+ if (p != current) {
+-
+- if (!capable(CAP_SYS_NICE)) {
++ rcu_read_lock();
++ if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) {
++ rcu_read_unlock();
+ err = -EPERM;
+ goto out;
+ }
++ rcu_read_unlock();
++
+ err = security_task_getscheduler(p);
+ if (err)
+ goto out;
+--
+2.19.1
+
--- /dev/null
+From cd5fee2555faa00bd549aa4fdc5fa5a0c1a26716 Mon Sep 17 00:00:00 2001
+From: Scott Wood <oss@buserror.net>
+Date: Thu, 27 Dec 2018 18:29:09 -0600
+Subject: fsl/fman: Use GFP_ATOMIC in {memac,tgec}_add_hash_mac_address()
+
+[ Upstream commit 0d9c9a238faf925823bde866182c663b6d734f2e ]
+
+These functions are called from atomic context:
+
+[ 9.150239] BUG: sleeping function called from invalid context at /home/scott/git/linux/mm/slab.h:421
+[ 9.158159] in_atomic(): 1, irqs_disabled(): 0, pid: 4432, name: ip
+[ 9.163128] CPU: 8 PID: 4432 Comm: ip Not tainted 4.20.0-rc2-00169-g63d86876f324 #29
+[ 9.163130] Call Trace:
+[ 9.170701] [c0000002e899a980] [c0000000009c1068] .dump_stack+0xa8/0xec (unreliable)
+[ 9.177140] [c0000002e899aa10] [c00000000007a7b4] .___might_sleep+0x138/0x164
+[ 9.184440] [c0000002e899aa80] [c0000000001d5bac] .kmem_cache_alloc_trace+0x238/0x30c
+[ 9.191216] [c0000002e899ab40] [c00000000065ea1c] .memac_add_hash_mac_address+0x104/0x198
+[ 9.199464] [c0000002e899abd0] [c00000000065a788] .set_multi+0x1c8/0x218
+[ 9.206242] [c0000002e899ac80] [c0000000006615ec] .dpaa_set_rx_mode+0xdc/0x17c
+[ 9.213544] [c0000002e899ad00] [c00000000083d2b0] .__dev_set_rx_mode+0x80/0xd4
+[ 9.219535] [c0000002e899ad90] [c00000000083d334] .dev_set_rx_mode+0x30/0x54
+[ 9.225271] [c0000002e899ae10] [c00000000083d4a0] .__dev_open+0x148/0x1c8
+[ 9.230751] [c0000002e899aeb0] [c00000000083d934] .__dev_change_flags+0x19c/0x1e0
+[ 9.230755] [c0000002e899af60] [c00000000083d9a4] .dev_change_flags+0x2c/0x80
+[ 9.242752] [c0000002e899aff0] [c0000000008554ec] .do_setlink+0x350/0xf08
+[ 9.248228] [c0000002e899b170] [c000000000857ad0] .rtnl_newlink+0x588/0x7e0
+[ 9.253965] [c0000002e899b740] [c000000000852424] .rtnetlink_rcv_msg+0x3e0/0x498
+[ 9.261440] [c0000002e899b820] [c000000000884790] .netlink_rcv_skb+0x134/0x14c
+[ 9.267607] [c0000002e899b8e0] [c000000000851840] .rtnetlink_rcv+0x18/0x2c
+[ 9.274558] [c0000002e899b950] [c000000000883c8c] .netlink_unicast+0x214/0x318
+[ 9.281163] [c0000002e899ba00] [c000000000884220] .netlink_sendmsg+0x348/0x444
+[ 9.287076] [c0000002e899bae0] [c00000000080d13c] .sock_sendmsg+0x2c/0x54
+[ 9.287080] [c0000002e899bb50] [c0000000008106c0] .___sys_sendmsg+0x2d0/0x2d8
+[ 9.298375] [c0000002e899bd30] [c000000000811a80] .__sys_sendmsg+0x5c/0xb0
+[ 9.303939] [c0000002e899be20] [c0000000000006b0] system_call+0x60/0x6c
+
+Signed-off-by: Scott Wood <oss@buserror.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fman/fman_memac.c | 2 +-
+ drivers/net/ethernet/freescale/fman/fman_tgec.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fman/fman_memac.c b/drivers/net/ethernet/freescale/fman/fman_memac.c
+index 71a5ded9d1de..21dd5579130e 100644
+--- a/drivers/net/ethernet/freescale/fman/fman_memac.c
++++ b/drivers/net/ethernet/freescale/fman/fman_memac.c
+@@ -923,7 +923,7 @@ int memac_add_hash_mac_address(struct fman_mac *memac, enet_addr_t *eth_addr)
+ hash = get_mac_addr_hash_code(addr) & HASH_CTRL_ADDR_MASK;
+
+ /* Create element to be added to the driver hash table */
+- hash_entry = kmalloc(sizeof(*hash_entry), GFP_KERNEL);
++ hash_entry = kmalloc(sizeof(*hash_entry), GFP_ATOMIC);
+ if (!hash_entry)
+ return -ENOMEM;
+ hash_entry->addr = addr;
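Review bot: The switch to `GFP_ATOMIC` carries no comment saying why this allocation must not sleep, so a later cleanup could turn it back into `GFP_KERNEL`; the same applies to the `tgec_add_hash_mac_address()` hunk. Going by the call trace in the description, the function is reached from `dev_set_rx_mode()` in atomic context. A line such as `/* Reached from the rx-mode path in atomic context: must not sleep */` above the `kmalloc()` would record that. The existing `-ENOMEM` return matters more now that the allocation cannot wait for reclaim. Both function bodies continue outside the hunks.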
+diff --git a/drivers/net/ethernet/freescale/fman/fman_tgec.c b/drivers/net/ethernet/freescale/fman/fman_tgec.c
+index 4b0f3a50b293..e575259d20f4 100644
+--- a/drivers/net/ethernet/freescale/fman/fman_tgec.c
++++ b/drivers/net/ethernet/freescale/fman/fman_tgec.c
+@@ -551,7 +551,7 @@ int tgec_add_hash_mac_address(struct fman_mac *tgec, enet_addr_t *eth_addr)
+ hash = (crc >> TGEC_HASH_MCAST_SHIFT) & TGEC_HASH_ADR_MSK;
+
+ /* Create element to be added to the driver hash table */
+- hash_entry = kmalloc(sizeof(*hash_entry), GFP_KERNEL);
++ hash_entry = kmalloc(sizeof(*hash_entry), GFP_ATOMIC);
+ if (!hash_entry)
+ return -ENOMEM;
+ hash_entry->addr = addr;
+--
+2.19.1
+
--- /dev/null
+From 88b20fc389fdbb6d3eece87d9025aa5df26635d3 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Wed, 26 Dec 2018 20:15:13 -0600
+Subject: gdrom: fix a memory leak bug
+
+[ Upstream commit 093c48213ee37c3c3ff1cf5ac1aa2a9d8bc66017 ]
+
+In probe_gdrom(), the buffer pointed by 'gd.cd_info' is allocated through
+kzalloc() and is used to hold the information of the gdrom device. To
+register and unregister the device, the pointer 'gd.cd_info' is passed to
+the functions register_cdrom() and unregister_cdrom(), respectively.
+However, this buffer is not freed after it is used, which can cause a
+memory leak bug.
+
+This patch simply frees the buffer 'gd.cd_info' in exit_gdrom() to fix the
+above issue.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cdrom/gdrom.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c
+index e2808fefbb78..1852d19d0d7b 100644
+--- a/drivers/cdrom/gdrom.c
++++ b/drivers/cdrom/gdrom.c
+@@ -882,6 +882,7 @@ static void __exit exit_gdrom(void)
+ platform_device_unregister(pd);
+ platform_driver_unregister(&gdrom_driver);
+ kfree(gd.toc);
++ kfree(gd.cd_info);
+ }
+
+ module_init(init_gdrom);
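Review bot: `gd.cd_info` is freed in the module exit function, while the description says it is allocated in `probe_gdrom()`, so the allocation and the free are not paired within one probe/remove cycle. If the probe error path already frees the buffer, or the device can be removed and probed again, this `kfree()` can act on a stale pointer or leave an earlier buffer leaked. The probe and remove functions are outside this hunk, so that needs checking there. Clearing the pointer after the free (`gd.cd_info = NULL;`) here and at any other free site would make a repeated free harmless.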
+--
+2.19.1
+
--- /dev/null
+From 9314a6344e1b5ffd392c4b9547d71f4fb068e2f6 Mon Sep 17 00:00:00 2001
+From: Steve Longerbeam <slongerbeam@gmail.com>
+Date: Wed, 19 Sep 2018 16:07:18 -0700
+Subject: gpu: ipu-v3: image-convert: Prevent race between run and unprepare
+
+[ Upstream commit 819bec35c8c9706185498c9222bd244e0781ad35 ]
+
+Prevent possible race by parallel threads between ipu_image_convert_run()
+and ipu_image_convert_unprepare(). This involves setting ctx->aborting
+to true unconditionally so that no new job runs can be queued during
+unprepare, and holding the ctx->aborting flag until the context is freed.
+
+Note that the "normal" ipu_image_convert_abort() case (e.g. not during
+context unprepare) should clear the ctx->aborting flag after aborting
+any active run and clearing the context's pending queue. This is because
+it should be possible to continue to use the conversion context and queue
+more runs after an abort.
+
+Signed-off-by: Steve Longerbeam <slongerbeam@gmail.com>
+Tested-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/ipu-v3/ipu-image-convert.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-image-convert.c b/drivers/gpu/ipu-v3/ipu-image-convert.c
+index 805b6fa7b5f4..50b73f3876fb 100644
+--- a/drivers/gpu/ipu-v3/ipu-image-convert.c
++++ b/drivers/gpu/ipu-v3/ipu-image-convert.c
+@@ -1513,7 +1513,7 @@ unlock:
+ EXPORT_SYMBOL_GPL(ipu_image_convert_queue);
+
+ /* Abort any active or pending conversions for this context */
+-void ipu_image_convert_abort(struct ipu_image_convert_ctx *ctx)
++static void __ipu_image_convert_abort(struct ipu_image_convert_ctx *ctx)
+ {
+ struct ipu_image_convert_chan *chan = ctx->chan;
+ struct ipu_image_convert_priv *priv = chan->priv;
+@@ -1540,7 +1540,7 @@ void ipu_image_convert_abort(struct ipu_image_convert_ctx *ctx)
+
+ need_abort = (run_count || active_run);
+
+- ctx->aborting = need_abort;
++ ctx->aborting = true;
+
+ spin_unlock_irqrestore(&chan->irqlock, flags);
+
+@@ -1561,7 +1561,11 @@ void ipu_image_convert_abort(struct ipu_image_convert_ctx *ctx)
+ dev_warn(priv->ipu->dev, "%s: timeout\n", __func__);
+ force_abort(ctx);
+ }
++}
+
++void ipu_image_convert_abort(struct ipu_image_convert_ctx *ctx)
++{
++ __ipu_image_convert_abort(ctx);
+ ctx->aborting = false;
+ }
+ EXPORT_SYMBOL_GPL(ipu_image_convert_abort);
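Review bot: After the split, the comment `/* Abort any active or pending conversions for this context */` sits on the static helper and the exported `ipu_image_convert_abort()` has none, although the two now differ in whether the flag is cleared. I would add above the wrapper `/* Abort, then clear ctx->aborting so the context can queue new runs; unprepare keeps the flag set until the context is freed. */`. The helper sets `ctx->aborting` before `spin_unlock_irqrestore(&chan->irqlock, flags)`, while the wrapper clears it with no lock taken. That unlocked store predates this change, but since the flag is now what keeps new runs out, it is worth confirming it cannot race with a reader. The helper's body spans three hunks and is only partly visible.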
+@@ -1575,7 +1579,7 @@ void ipu_image_convert_unprepare(struct ipu_image_convert_ctx *ctx)
+ bool put_res;
+
+ /* make sure no runs are hanging around */
+- ipu_image_convert_abort(ctx);
++ __ipu_image_convert_abort(ctx);
+
+ dev_dbg(priv->ipu->dev, "%s: task %u: removing ctx %p\n", __func__,
+ chan->ic_task, ctx);
+--
+2.19.1
+
--- /dev/null
+From f18a907d5386cce1628cd956cdb0763f07ebe941 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Mon, 24 Dec 2018 15:39:14 -0600
+Subject: HID: lenovo: Add checks to fix of_led_classdev_register
+
+[ Upstream commit 6ae16dfb61bce538d48b7fe98160fada446056c5 ]
+
+In lenovo_probe_tpkbd(), the function of_led_classdev_register() could
+return an error value that is unchecked. The fix adds these checks.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-lenovo.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c
+index 1ac4ff4d57a6..d409cc8759fc 100644
+--- a/drivers/hid/hid-lenovo.c
++++ b/drivers/hid/hid-lenovo.c
+@@ -713,7 +713,9 @@ static int lenovo_probe_tpkbd(struct hid_device *hdev)
+ data_pointer->led_mute.brightness_get = lenovo_led_brightness_get_tpkbd;
+ data_pointer->led_mute.brightness_set = lenovo_led_brightness_set_tpkbd;
+ data_pointer->led_mute.dev = dev;
+- led_classdev_register(dev, &data_pointer->led_mute);
++ ret = led_classdev_register(dev, &data_pointer->led_mute);
++ if (ret < 0)
++ goto err;
+
+ data_pointer->led_micmute.name = name_micmute;
+ data_pointer->led_micmute.brightness_get =
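Review bot: The new `goto err` in this hunk and the next relies on a `ret` variable and an `err` label that neither hunk adds, and the diffstat (8 insertions, 2 deletions) matches exactly the lines shown. For a backport that means both must already exist in this tree's `lenovo_probe_tpkbd()`, and the `err` path must undo whatever was set up before the LED registration; neither is visible here. The subject also names `of_led_classdev_register` while the code calls `led_classdev_register()`. In the second hunk the inline `led_classdev_unregister(&data_pointer->led_mute);` could become a second label (for example `err_unregister_mute:`) so the unwinding stays in one place.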
+@@ -721,7 +723,11 @@ static int lenovo_probe_tpkbd(struct hid_device *hdev)
+ data_pointer->led_micmute.brightness_set =
+ lenovo_led_brightness_set_tpkbd;
+ data_pointer->led_micmute.dev = dev;
+- led_classdev_register(dev, &data_pointer->led_micmute);
++ ret = led_classdev_register(dev, &data_pointer->led_micmute);
++ if (ret < 0) {
++ led_classdev_unregister(&data_pointer->led_mute);
++ goto err;
++ }
+
+ lenovo_features_set_tpkbd(hdev);
+
+--
+2.19.1
+
--- /dev/null
+From 40d6ffd4122d319fa1eac5dbc1058001dd78c42a Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 21 Dec 2018 13:10:39 -0600
+Subject: hwmon: (lm80) fix a missing check of bus read in lm80 probe
+
+[ Upstream commit 9aa3aa15f4c2f74f47afd6c5db4b420fadf3f315 ]
+
+In lm80_probe(), if lm80_read_value() fails, it returns a negative
+error number which is stored to data->fan[f_min] and will be further
+used. We should avoid using the data if the read fails.
+
+The fix checks if lm80_read_value() fails, and if so, returns with the
+error number.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/lm80.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/lm80.c b/drivers/hwmon/lm80.c
+index 47ddae6b7038..cb6606a0470d 100644
+--- a/drivers/hwmon/lm80.c
++++ b/drivers/hwmon/lm80.c
+@@ -628,6 +628,7 @@ static int lm80_probe(struct i2c_client *client,
+ struct device *dev = &client->dev;
+ struct device *hwmon_dev;
+ struct lm80_data *data;
++ int rv;
+
+ data = devm_kzalloc(dev, sizeof(struct lm80_data), GFP_KERNEL);
+ if (!data)
+@@ -640,8 +641,14 @@ static int lm80_probe(struct i2c_client *client,
+ lm80_init_client(client);
+
+ /* A few vars need to be filled upon startup */
+- data->fan[f_min][0] = lm80_read_value(client, LM80_REG_FAN_MIN(1));
+- data->fan[f_min][1] = lm80_read_value(client, LM80_REG_FAN_MIN(2));
++ rv = lm80_read_value(client, LM80_REG_FAN_MIN(1));
++ if (rv < 0)
++ return rv;
++ data->fan[f_min][0] = rv;
++ rv = lm80_read_value(client, LM80_REG_FAN_MIN(2));
++ if (rv < 0)
++ return rv;
++ data->fan[f_min][1] = rv;
+
+ hwmon_dev = devm_hwmon_device_register_with_groups(dev, client->name,
+ data, lm80_groups);
+--
+2.19.1
+
--- /dev/null
+From 8b66b9478d700ca407a0014a4066022c15f1d4a5 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 21 Dec 2018 13:01:33 -0600
+Subject: hwmon: (lm80) fix a missing check of the status of SMBus read
+
+[ Upstream commit c9c63915519b1def7043b184680f33c24cd49d7b ]
+
+If lm80_read_value() fails, it returns a negative number instead of the
+correct read data. Therefore, we should avoid using the data if it
+fails.
+
+The fix checks if lm80_read_value() fails, and if so, returns with the
+error number.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+[groeck: One variable for return values is enough]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/lm80.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hwmon/lm80.c b/drivers/hwmon/lm80.c
+index 4bcd9b882948..47ddae6b7038 100644
+--- a/drivers/hwmon/lm80.c
++++ b/drivers/hwmon/lm80.c
+@@ -360,9 +360,11 @@ static ssize_t set_fan_div(struct device *dev, struct device_attribute *attr,
+ struct i2c_client *client = data->client;
+ unsigned long min, val;
+ u8 reg;
+- int err = kstrtoul(buf, 10, &val);
+- if (err < 0)
+- return err;
++ int rv;
++
++ rv = kstrtoul(buf, 10, &val);
++ if (rv < 0)
++ return rv;
+
+ /* Save fan_min */
+ mutex_lock(&data->update_lock);
+@@ -390,8 +392,11 @@ static ssize_t set_fan_div(struct device *dev, struct device_attribute *attr,
+ return -EINVAL;
+ }
+
+- reg = (lm80_read_value(client, LM80_REG_FANDIV) &
+- ~(3 << (2 * (nr + 1)))) | (data->fan_div[nr] << (2 * (nr + 1)));
++ rv = lm80_read_value(client, LM80_REG_FANDIV);
++ if (rv < 0)
++ return rv;
++ reg = (rv & ~(3 << (2 * (nr + 1))))
++ | (data->fan_div[nr] << (2 * (nr + 1)));
+ lm80_write_value(client, LM80_REG_FANDIV, reg);
+
+ /* Restore fan_min */
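Review bot: The new `return rv;` after `lm80_read_value(client, LM80_REG_FANDIV)` appears to leave `data->update_lock` held. The first hunk shows `mutex_lock(&data->update_lock)` under `/* Save fan_min */`, and this read sits between that and `/* Restore fan_min */`, with no unlock in the added lines. The lines between the two hunks are not visible, so confirm the mutex is still held at this point. If it is, the error path needs `mutex_unlock(&data->update_lock);` before `return rv;`, otherwise later takers of the lock will block. The unchecked `lm80_write_value()` on the following line is a separate, smaller gap.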
+--
+2.19.1
+
--- /dev/null
+From 49f17752b5e7ad566e921d6e8de578f3ce475e5b Mon Sep 17 00:00:00 2001
+From: "Adamski, Krzysztof (Nokia - PL/Wroclaw)" <krzysztof.adamski@nokia.com>
+Date: Mon, 10 Dec 2018 15:01:27 +0000
+Subject: i2c-axxia: check for error conditions first
+
+[ Upstream commit 4f5c85fe3a60ace555d09898166af372547f97fc ]
+
+It was observed that when using seqentional mode contrary to the
+documentation, the SS bit (which is supposed to only be set if
+automatic/sequence command completed normally), is sometimes set
+together with NA (NAK in address phase) causing transfer to falsely be
+considered successful.
+
+My assumption is that this does not happen during manual mode since the
+controller is stopping its work the moment it sets NA/ND bit in status
+register. This is not the case in Automatic/Sequentional mode where it
+is still working to send STOP condition and the actual status we get
+depends on the time when the ISR is run.
+
+This patch changes the order of checking status bits in ISR - error
+conditions are checked first and only if none of them occurred, the
+transfer may be considered successful. This is required to introduce
+using of sequentional mode in next patch.
+
+Signed-off-by: Krzysztof Adamski <krzysztof.adamski@nokia.com>
+Reviewed-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-axxia.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-axxia.c b/drivers/i2c/busses/i2c-axxia.c
+index 96a6d5df9b26..b0962897bc45 100644
+--- a/drivers/i2c/busses/i2c-axxia.c
++++ b/drivers/i2c/busses/i2c-axxia.c
+@@ -296,22 +296,7 @@ static irqreturn_t axxia_i2c_isr(int irq, void *_dev)
+ i2c_int_disable(idev, MST_STATUS_TFL);
+ }
+
+- if (status & MST_STATUS_SCC) {
+- /* Stop completed */
+- i2c_int_disable(idev, ~MST_STATUS_TSS);
+- complete(&idev->msg_complete);
+- } else if (status & MST_STATUS_SNS) {
+- /* Transfer done */
+- i2c_int_disable(idev, ~MST_STATUS_TSS);
+- if (i2c_m_rd(idev->msg) && idev->msg_xfrd < idev->msg->len)
+- axxia_i2c_empty_rx_fifo(idev);
+- complete(&idev->msg_complete);
+- } else if (status & MST_STATUS_TSS) {
+- /* Transfer timeout */
+- idev->msg_err = -ETIMEDOUT;
+- i2c_int_disable(idev, ~MST_STATUS_TSS);
+- complete(&idev->msg_complete);
+- } else if (unlikely(status & MST_STATUS_ERR)) {
++ if (unlikely(status & MST_STATUS_ERR)) {
+ /* Transfer error */
+ i2c_int_disable(idev, ~0);
+ if (status & MST_STATUS_AL)
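Review bot: Nothing in the code records why `MST_STATUS_ERR` is now tested first, so the reordered chain looks like an arbitrary `if`/`else if` order that a later cleanup could shuffle back. A comment above the new `if (unlikely(status & MST_STATUS_ERR))`, for example `/* Errors first: in sequence mode SS can be set together with NA */`, would carry the reasoning from the description into the ISR. The ISR body starts and ends outside these hunks.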
+@@ -328,6 +313,21 @@ static irqreturn_t axxia_i2c_isr(int irq, void *_dev)
+ readl(idev->base + MST_TX_BYTES_XFRD),
+ readl(idev->base + MST_TX_XFER));
+ complete(&idev->msg_complete);
++ } else if (status & MST_STATUS_SCC) {
++ /* Stop completed */
++ i2c_int_disable(idev, ~MST_STATUS_TSS);
++ complete(&idev->msg_complete);
++ } else if (status & MST_STATUS_SNS) {
++ /* Transfer done */
++ i2c_int_disable(idev, ~MST_STATUS_TSS);
++ if (i2c_m_rd(idev->msg) && idev->msg_xfrd < idev->msg->len)
++ axxia_i2c_empty_rx_fifo(idev);
++ complete(&idev->msg_complete);
++ } else if (status & MST_STATUS_TSS) {
++ /* Transfer timeout */
++ idev->msg_err = -ETIMEDOUT;
++ i2c_int_disable(idev, ~MST_STATUS_TSS);
++ complete(&idev->msg_complete);
+ }
+
+ out:
+--
+2.19.1
+
--- /dev/null
+From 26cb84ec0316f1d9bf8d020cf8d21f2508cb14f9 Mon Sep 17 00:00:00 2001
+From: Konstantin Khorenko <khorenko@virtuozzo.com>
+Date: Fri, 23 Nov 2018 19:10:28 +0300
+Subject: i40e: define proper net_device::neigh_priv_len
+
+[ Upstream commit 31389b53b3e0b535867af9090a5d19ec64768d55 ]
+
+Out of bound read reported by KASan.
+
+i40iw_net_event() reads unconditionally 16 bytes from
+neigh->primary_key while the memory allocated for
+"neighbour" struct is evaluated in neigh_alloc() as
+
+ tbl->entry_size + dev->neigh_priv_len
+
+where "dev" is a net_device.
+
+But the driver does not setup dev->neigh_priv_len and
+we read beyond the neigh entry allocated memory,
+so the patch in the next mail fixes this.
+
+Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 57c7456a5751..7836072d3f63 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -9194,6 +9194,9 @@ static int i40e_config_netdev(struct i40e_vsi *vsi)
+ ether_addr_copy(netdev->dev_addr, mac_addr);
+ ether_addr_copy(netdev->perm_addr, mac_addr);
+
++ /* i40iw_net_event() reads 16 bytes from neigh->primary_key */
++ netdev->neigh_priv_len = sizeof(u32) * 4;
++
+ netdev->priv_flags |= IFF_UNICAST_FLT;
+ netdev->priv_flags |= IFF_SUPP_NOFCS;
+ /* Setup netdev TC information */
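Review bot: `sizeof(u32) * 4` sizes this driver's neighbour private area to match a 16-byte read done in another driver, `i40iw_net_event()`, and only the comment ties the two together. If the read width changes, or the read happens for a neighbour entry on a netdev that did not go through `i40e_config_netdev()`, the out-of-bounds read reported by KASAN can come back. The reader is not in this hunk, so whether it can instead be bounded by the neighbour table's key length needs checking there. At minimum a shared named constant would be safer than the bare expression. `i40e_config_netdev()` continues outside the hunk.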
+--
+2.19.1
+
--- /dev/null
+From 95ab09685d90ae9ae7719c9ed9ae87f028bb107b Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Mon, 3 Dec 2018 13:54:38 +0800
+Subject: igb: Fix an issue that PME is not enabled during runtime suspend
+
+[ Upstream commit 1fb3a7a75e2efcc83ef21f2434069cddd6fae6f5 ]
+
+I210 ethernet card doesn't wakeup when a cable gets plugged. It's
+because its PME is not set.
+
+Since commit 42eca2302146 ("PCI: Don't touch card regs after runtime
+suspend D3"), if the PCI state is saved, pci_pm_runtime_suspend() stops
+calling pci_finish_runtime_suspend(), which enables the PCI PME.
+
+To fix the issue, let's not to save PCI states when it's runtime
+suspend, to let the PCI subsystem enables PME.
+
+Fixes: 42eca2302146 ("PCI: Don't touch card regs after runtime suspend D3")
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 3a61491421b1..82e48e355fb9 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -7564,9 +7564,11 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake,
+ rtnl_unlock();
+
+ #ifdef CONFIG_PM
+- retval = pci_save_state(pdev);
+- if (retval)
+- return retval;
++ if (!runtime) {
++ retval = pci_save_state(pdev);
++ if (retval)
++ return retval;
++ }
+ #endif
+
+ status = rd32(E1000_STATUS);
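Review bot: The new `if (!runtime)` around `pci_save_state()` reads like an accidental omission unless one knows the PCI core behaviour described in the commit message. A comment inside the `#ifdef CONFIG_PM` block, such as `/* On runtime suspend leave the state unsaved so the PCI core saves it and enables PME */`, would keep that reasoning next to the code. `__igb_shutdown()` continues outside the hunk.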
+--
+2.19.1
+
--- /dev/null
+From de80371b4c1ba4b1916dc600d24bfdfd73521973 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 20 Nov 2018 12:10:14 +0100
+Subject: iio: accel: kxcjk1013: Add KIOX010A ACPI Hardware-ID
+
+[ Upstream commit 7f6232e69539971cf9eaed07a6c14ab4a2361133 ]
+
+Various 2-in-1's use KIOX010A and KIOX020A as HIDs for 2 KXCJ91008
+accelerometers. The KIOX010A HID is for the one in the base and the
+KIOX020A for the accelerometer in the keyboard.
+
+Since userspace does not have a way yet to deal with (or ignore) the
+accelerometer in the keyboard, this commit just adds the KIOX010A HID
+for now so that display rotation will work.
+
+Related: https://github.com/hadess/iio-sensor-proxy/issues/166
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/kxcjk-1013.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/iio/accel/kxcjk-1013.c b/drivers/iio/accel/kxcjk-1013.c
+index 3f968c46e667..784636800361 100644
+--- a/drivers/iio/accel/kxcjk-1013.c
++++ b/drivers/iio/accel/kxcjk-1013.c
+@@ -1393,6 +1393,7 @@ static const struct acpi_device_id kx_acpi_match[] = {
+ {"KXCJ1008", KXCJ91008},
+ {"KXCJ9000", KXCJ91008},
+ {"KIOX000A", KXCJ91008},
++ {"KIOX010A", KXCJ91008}, /* KXCJ91008 inside the display of a 2-in-1 */
+ {"KXTJ1009", KXTJ21009},
+ {"SMO8500", KXCJ91008},
+ { },
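Review bot: The comment on the new entry says the KIOX010A part sits "inside the display of a 2-in-1", whereas the description says the KIOX010A HID is the accelerometer "in the base" and KIOX020A the one in the keyboard. One of the two should be corrected so the table comment can be trusted when KIOX020A handling is added later.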
+--
+2.19.1
+
--- /dev/null
+From f6e867518d2277b4559763851b1ebdd14ebbc2c6 Mon Sep 17 00:00:00 2001
+From: Yu Zhao <yuzhao@google.com>
+Date: Thu, 6 Dec 2018 14:39:15 -0700
+Subject: iommu/amd: Fix amd_iommu=force_isolation
+
+[ Upstream commit c12b08ebbe16f0d3a96a116d86709b04c1ee8e74 ]
+
+The parameter is still there but it's ignored. We need to check its
+value before deciding to go into passthrough mode for AMD IOMMU v2
+capable device.
+
+We occasionally use this parameter to force v2 capable device into
+translation mode to debug memory corruption that we suspect is
+caused by DMA writes.
+
+To address the following comment from Joerg Roedel on the first
+version, v2 capability of device is completely ignored.
+> This breaks the iommu_v2 use-case, as it needs a direct mapping for the
+> devices that support it.
+
+And from Documentation/admin-guide/kernel-parameters.txt:
+ This option does not override iommu=pt
+
+Fixes: aafd8ba0ca74 ("iommu/amd: Implement add_device and remove_device")
+
+Signed-off-by: Yu Zhao <yuzhao@google.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index bba1b9f2f782..e984418ffa2a 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -464,7 +464,14 @@ static int iommu_init_device(struct device *dev)
+
+ dev_data->alias = get_alias(dev);
+
+- if (dev_is_pci(dev) && pci_iommuv2_capable(to_pci_dev(dev))) {
++ /*
++ * By default we use passthrough mode for IOMMUv2 capable device.
++ * But if amd_iommu=force_isolation is set (e.g. to debug DMA to
++ * invalid address), we ignore the capability for the device so
++ * it'll be forced to go into translation mode.
++ */
++ if ((iommu_pass_through || !amd_iommu_force_isolation) &&
++ dev_is_pci(dev) && pci_iommuv2_capable(to_pci_dev(dev))) {
+ struct amd_iommu *iommu;
+
+ iommu = amd_iommu_rlookup_table[dev_data->devid];
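Review bot: The new block comment explains the `force_isolation` case but not the `iommu_pass_through ||` half of the condition, which lets `iommu=pt` win over `amd_iommu=force_isolation`. Someone setting `force_isolation` expects DMA from the device to be translated, so I would add a sentence such as `iommu=pt still takes precedence over force_isolation.` to the comment, matching the kernel-parameters text quoted in the description. A one-time log line when `force_isolation` removes a v2-capable device's direct mapping would also help, given the quoted review remark that this breaks the iommu_v2 use case. `iommu_init_device()` continues outside the hunk.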
+--
+2.19.1
+
--- /dev/null
+From f6fc41358bc5a3dbe1308d991315911a20de5a8e Mon Sep 17 00:00:00 2001
+From: Vivek Gautam <vivek.gautam@codeaurora.org>
+Date: Tue, 4 Dec 2018 11:52:13 +0530
+Subject: iommu/arm-smmu: Add support for qcom,smmu-v2 variant
+
+[ Upstream commit 89cddc563743cb1e0068867ac97013b2a5bf86aa ]
+
+qcom,smmu-v2 is an arm,smmu-v2 implementation with specific
+clock and power requirements.
+On msm8996, multiple cores, viz. mdss, video, etc. use this
+smmu. On sdm845, this smmu is used with gpu.
+Add bindings for the same.
+
+Signed-off-by: Vivek Gautam <vivek.gautam@codeaurora.org>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Reviewed-by: Tomasz Figa <tfiga@chromium.org>
+Tested-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm-smmu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/iommu/arm-smmu.c b/drivers/iommu/arm-smmu.c
+index 5a9a4416f467..f7ecb30a0bac 100644
+--- a/drivers/iommu/arm-smmu.c
++++ b/drivers/iommu/arm-smmu.c
+@@ -297,6 +297,7 @@ enum arm_smmu_implementation {
+ GENERIC_SMMU,
+ ARM_MMU500,
+ CAVIUM_SMMUV2,
++ QCOM_SMMUV2,
+ };
+
+ struct arm_smmu_s2cr {
+@@ -1894,6 +1895,7 @@ ARM_SMMU_MATCH_DATA(smmu_generic_v2, ARM_SMMU_V2, GENERIC_SMMU);
+ ARM_SMMU_MATCH_DATA(arm_mmu401, ARM_SMMU_V1_64K, GENERIC_SMMU);
+ ARM_SMMU_MATCH_DATA(arm_mmu500, ARM_SMMU_V2, ARM_MMU500);
+ ARM_SMMU_MATCH_DATA(cavium_smmuv2, ARM_SMMU_V2, CAVIUM_SMMUV2);
++ARM_SMMU_MATCH_DATA(qcom_smmuv2, ARM_SMMU_V2, QCOM_SMMUV2);
+
+ static const struct of_device_id arm_smmu_of_match[] = {
+ { .compatible = "arm,smmu-v1", .data = &smmu_generic_v1 },
+@@ -1902,6 +1904,7 @@ static const struct of_device_id arm_smmu_of_match[] = {
+ { .compatible = "arm,mmu-401", .data = &arm_mmu401 },
+ { .compatible = "arm,mmu-500", .data = &arm_mmu500 },
+ { .compatible = "cavium,smmu-v2", .data = &cavium_smmuv2 },
++ { .compatible = "qcom,smmu-v2", .data = &qcom_smmuv2 },
+ { },
+ };
+ MODULE_DEVICE_TABLE(of, arm_smmu_of_match);
+--
+2.19.1
+
--- /dev/null
+From 7715d878621cbbe642b87c22d1876257fa051862 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Wed, 7 Nov 2018 22:58:24 +0000
+Subject: iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer
+
+[ Upstream commit a868e8530441286342f90c1fd9c5f24de3aa2880 ]
+
+After removing an entry from a queue (e.g. reading an event in
+arm_smmu_evtq_thread()) it is necessary to advance the MMIO consumer
+pointer to free the queue slot back to the SMMU. A memory barrier is
+required here so that all reads targetting the queue entry have
+completed before the consumer pointer is updated.
+
+The implementation of queue_inc_cons() relies on a writel() to complete
+the previous reads, but this is incorrect because writel() is only
+guaranteed to complete prior writes. This patch replaces the call to
+writel() with an mb(); writel_relaxed() sequence, which gives us the
+read->write ordering which we require.
+
+Cc: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm-smmu-v3.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c
+index ff4be1174ff0..7bd98585d78d 100644
+--- a/drivers/iommu/arm-smmu-v3.c
++++ b/drivers/iommu/arm-smmu-v3.c
+@@ -697,7 +697,13 @@ static void queue_inc_cons(struct arm_smmu_queue *q)
+ u32 cons = (Q_WRP(q, q->cons) | Q_IDX(q, q->cons)) + 1;
+
+ q->cons = Q_OVF(q, q->cons) | Q_WRP(q, cons) | Q_IDX(q, cons);
+- writel(q->cons, q->cons_reg);
++
++ /*
++ * Ensure that all CPU accesses (reads and writes) to the queue
++ * are complete before we update the cons pointer.
++ */
++ mb();
++ writel_relaxed(q->cons, q->cons_reg);
+ }
+
+ static int queue_sync_prod(struct arm_smmu_queue *q)
+--
+2.19.1
+
--- /dev/null
+From fae10c15ac20e4dd443aa7c028f7c576954efddc Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Wed, 26 Dec 2018 22:09:34 +0800
+Subject: isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug
+ in HFCPCI_l1hw()
+
+[ Upstream commit 7418e6520f22a2e35815122fa5a53d5bbfa2c10f ]
+
+In drivers/isdn/hisax/hfc_pci.c, the functions hfcpci_interrupt() and
+HFCPCI_l1hw() may be concurrently executed.
+
+HFCPCI_l1hw()
+ line 1173: if (!cs->tx_skb)
+
+hfcpci_interrupt()
+ line 942: spin_lock_irqsave();
+ line 1066: dev_kfree_skb_irq(cs->tx_skb);
+
+Thus, a possible concurrency use-after-free bug may occur
+in HFCPCI_l1hw().
+
+To fix these bugs, the calls to spin_lock_irqsave() and
+spin_unlock_irqrestore() are added in HFCPCI_l1hw(), to protect the
+access to cs->tx_skb.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/hisax/hfc_pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/isdn/hisax/hfc_pci.c b/drivers/isdn/hisax/hfc_pci.c
+index 90449e1e91e5..1b1453d62fed 100644
+--- a/drivers/isdn/hisax/hfc_pci.c
++++ b/drivers/isdn/hisax/hfc_pci.c
+@@ -1169,11 +1169,13 @@ HFCPCI_l1hw(struct PStack *st, int pr, void *arg)
+ if (cs->debug & L1_DEB_LAPD)
+ debugl1(cs, "-> PH_REQUEST_PULL");
+ #endif
++ spin_lock_irqsave(&cs->lock, flags);
+ if (!cs->tx_skb) {
+ test_and_clear_bit(FLG_L1_PULL_REQ, &st->l1.Flags);
+ st->l1.l1l2(st, PH_PULL | CONFIRM, NULL);
+ } else
+ test_and_set_bit(FLG_L1_PULL_REQ, &st->l1.Flags);
++ spin_unlock_irqrestore(&cs->lock, flags);
+ break;
+ case (HW_RESET | REQUEST):
+ spin_lock_irqsave(&cs->lock, flags);
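Review bot: With the lock added here, the upcall `st->l1.l1l2(st, PH_PULL | CONFIRM, NULL)` runs with `cs->lock` held and interrupts disabled. Other cases of `HFCPCI_l1hw()` take the same lock (the `HW_RESET | REQUEST` case at the end of the hunk does), so if the upper layer answers the confirm by calling back into this function it would spin on a lock it already holds. The callback is not visible here, so this needs checking. A narrower critical section avoids the question: take the lock, record `busy = (cs->tx_skb != NULL);`, release it, then branch on `busy`. The function body starts and ends outside the hunk.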
+--
+2.19.1
+
--- /dev/null
+From a42c36e8cb87761d21d0eda8b48d1dbc2ea40b99 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Thu, 3 Jan 2019 15:26:31 -0800
+Subject: kernel/hung_task.c: break RCU locks based on jiffies
+
+[ Upstream commit 304ae42739b108305f8d7b3eb3c1aec7c2b643a9 ]
+
+check_hung_uninterruptible_tasks() is currently calling rcu_lock_break()
+for every 1024 threads. But check_hung_task() is very slow if printk()
+was called, and is very fast otherwise.
+
+If many threads within some 1024 threads called printk(), the RCU grace
+period might be extended enough to trigger RCU stall warnings.
+Therefore, calling rcu_lock_break() for every some fixed jiffies will be
+safer.
+
+Link: http://lkml.kernel.org/r/1544800658-11423-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Acked-by: Paul E. McKenney <paulmck@linux.ibm.com>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/hung_task.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/hung_task.c b/kernel/hung_task.c
+index 2b59c82cc3e1..fd781a468f32 100644
+--- a/kernel/hung_task.c
++++ b/kernel/hung_task.c
+@@ -30,7 +30,7 @@ int __read_mostly sysctl_hung_task_check_count = PID_MAX_LIMIT;
+ * is disabled during the critical section. It also controls the size of
+ * the RCU grace period. So it needs to be upper-bound.
+ */
+-#define HUNG_TASK_BATCHING 1024
++#define HUNG_TASK_LOCK_BREAK (HZ / 10)
+
+ /*
+ * Zero means infinite timeout - no checking done:
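Review bot: The comment above the renamed macro is left unchanged by this hunk, although `HUNG_TASK_LOCK_BREAK` is now a time interval in jiffies rather than a task count. Only the tail of that comment is visible here (`So it needs to be upper-bound`), so its opening presumably still describes batching and should be checked. A one-line update such as `/* Maximum time, in jiffies, the RCU read lock is held before rcu_lock_break() is called */` would state the unit. It would also keep the comment in step with the `time_after()` test added in the third hunk.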
+@@ -158,7 +158,7 @@ static bool rcu_lock_break(struct task_struct *g, struct task_struct *t)
+ static void check_hung_uninterruptible_tasks(unsigned long timeout)
+ {
+ int max_count = sysctl_hung_task_check_count;
+- int batch_count = HUNG_TASK_BATCHING;
++ unsigned long last_break = jiffies;
+ struct task_struct *g, *t;
+
+ /*
+@@ -172,10 +172,10 @@ static void check_hung_uninterruptible_tasks(unsigned long timeout)
+ for_each_process_thread(g, t) {
+ if (!max_count--)
+ goto unlock;
+- if (!--batch_count) {
+- batch_count = HUNG_TASK_BATCHING;
++ if (time_after(jiffies, last_break + HUNG_TASK_LOCK_BREAK)) {
+ if (!rcu_lock_break(g, t))
+ goto unlock;
++ last_break = jiffies;
+ }
+ /* use "==" to skip the TASK_KILLABLE tasks waiting on NFS */
+ if (t->state == TASK_UNINTERRUPTIBLE)
+--
+2.19.1
+
--- /dev/null
+From a92919085eff9bd84723d1b2684398275ee5f645 Mon Sep 17 00:00:00 2001
+From: Michael Mueller <mimu@linux.ibm.com>
+Date: Fri, 30 Nov 2018 15:32:06 +0100
+Subject: KVM: s390: unregister debug feature on failing arch init
+
+[ Upstream commit 308c3e6673b012beecb96ef04cc65f4a0e7cdd99 ]
+
+Make sure the debug feature and its allocated resources get
+released upon unsuccessful architecture initialization.
+
+A related indication of the issue will be reported as kernel
+message.
+
+Signed-off-by: Michael Mueller <mimu@linux.ibm.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Reviewed-by: Pierre Morel <pmorel@linux.ibm.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Message-Id: <20181130143215.69496-2-mimu@linux.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/kvm-s390.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index 2032ab81b2d7..c82b73f111b5 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -319,19 +319,30 @@ static void kvm_s390_cpu_feat_init(void)
+
+ int kvm_arch_init(void *opaque)
+ {
++ int rc;
++
+ kvm_s390_dbf = debug_register("kvm-trace", 32, 1, 7 * sizeof(long));
+ if (!kvm_s390_dbf)
+ return -ENOMEM;
+
+ if (debug_register_view(kvm_s390_dbf, &debug_sprintf_view)) {
+- debug_unregister(kvm_s390_dbf);
+- return -ENOMEM;
++ rc = -ENOMEM;
++ goto out_debug_unreg;
+ }
+
+ kvm_s390_cpu_feat_init();
+
+ /* Register floating interrupt controller interface. */
+- return kvm_register_device_ops(&kvm_flic_ops, KVM_DEV_TYPE_FLIC);
++ rc = kvm_register_device_ops(&kvm_flic_ops, KVM_DEV_TYPE_FLIC);
++ if (rc) {
++ pr_err("Failed to register FLIC rc=%d\n", rc);
++ goto out_debug_unreg;
++ }
++ return 0;
++
++out_debug_unreg:
++ debug_unregister(kvm_s390_dbf);
++ return rc;
+ }
+
+ void kvm_arch_exit(void)
+--
+2.19.1
+
--- /dev/null
+From d03bb8aa2a13f00e52c1b8994be6594425fb2591 Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Wed, 19 Dec 2018 12:06:13 +0100
+Subject: KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit e87555e550cef4941579cd879759a7c0dee24e68 ]
+
+AMD doesn't seem to implement MSR_IA32_MCG_EXT_CTL and svm code in kvm
+knows nothing about it, however, this MSR is among emulated_msrs and
+thus returned with KVM_GET_MSR_INDEX_LIST. The consequent KVM_GET_MSRS,
+of course, fails.
+
+Report the MSR as unsupported to not confuse userspace.
+
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/svm.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index fa1b0e3c8a06..c8efacf2e65f 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -5223,6 +5223,13 @@ static bool svm_cpu_has_accelerated_tpr(void)
+
+ static bool svm_has_emulated_msr(int index)
+ {
++ switch (index) {
++ case MSR_IA32_MCG_EXT_CTL:
++ return false;
++ default:
++ break;
++ }
++
+ return true;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 031a81b23e3d7d5de4f0a0312a5406488da55360 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Sat, 15 Dec 2018 11:03:12 +0200
+Subject: mac80211: fix radiotap vendor presence bitmap handling
+
+[ Upstream commit efc38dd7d5fa5c8cdd0c917c5d00947aa0539443 ]
+
+Due to the alignment handling, it actually matters where in the code
+we add the 4 bytes for the presence bitmap to the length; the first
+field is the timestamp with 8 byte alignment so we need to add the
+space for the extra vendor namespace presence bitmap *before* we do
+any alignment for the fields.
+
+Move the presence bitmap length accounting to the right place to fix
+the alignment for the data properly.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 93c332737e86..af02d2136a06 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -152,6 +152,9 @@ ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
+ /* allocate extra bitmaps */
+ if (status->chains)
+ len += 4 * hweight8(status->chains);
++ /* vendor presence bitmap */
++ if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)
++ len += 4;
+
+ if (ieee80211_have_rx_timestamp(status)) {
+ len = ALIGN(len, 8);
+@@ -193,8 +196,6 @@ ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
+ if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
+ struct ieee80211_vendor_radiotap *rtap = (void *)skb->data;
+
+- /* vendor presence bitmap */
+- len += 4;
+ /* alignment for fixed 6-byte vendor data header */
+ len = ALIGN(len, 2);
+ /* vendor data header */
+--
+2.19.1
+
--- /dev/null
+From b8c6e7f2c5ecf65fd12f162a053e040a18bb6519 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Thu, 8 Nov 2018 04:51:51 -0500
+Subject: media: adv*/tc358743/ths8200: fill in min width/height/pixelclock
+
+[ Upstream commit 2912289a518077ddb8214e05336700148e97e235 ]
+
+The v4l2_dv_timings_cap struct is used to do sanity checks when setting and
+enumerating DV timings, ensuring that only valid timings as per the HW
+capabilities are allowed.
+
+However, many drivers just filled in 0 for the minimum width, height or
+pixelclock frequency. This can cause timings with e.g. 0 as width and height
+to be accepted, which will in turn lead to a potential division by zero.
+
+Fill in proper values are minimum boundaries. 640x350 was chosen since it is
+the smallest resolution in v4l2-dv-timings.h. Same for 13 MHz as the lowest
+pixelclock frequency (it's slightly below the minimum of 13.5 MHz in the
+v4l2-dv-timings.h header).
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ad9389b.c | 2 +-
+ drivers/media/i2c/adv7511.c | 2 +-
+ drivers/media/i2c/adv7604.c | 4 ++--
+ drivers/media/i2c/adv7842.c | 4 ++--
+ drivers/media/i2c/tc358743.c | 2 +-
+ drivers/media/i2c/ths8200.c | 2 +-
+ 6 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/i2c/ad9389b.c b/drivers/media/i2c/ad9389b.c
+index 50f354144ee7..2abbbc6392c0 100644
+--- a/drivers/media/i2c/ad9389b.c
++++ b/drivers/media/i2c/ad9389b.c
+@@ -590,7 +590,7 @@ static const struct v4l2_dv_timings_cap ad9389b_timings_cap = {
+ .type = V4L2_DV_BT_656_1120,
+ /* keep this initialization for compatibility with GCC < 4.4.6 */
+ .reserved = { 0 },
+- V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1200, 25000000, 170000000,
++ V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 25000000, 170000000,
+ V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
+ V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT,
+ V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_REDUCED_BLANKING |
+diff --git a/drivers/media/i2c/adv7511.c b/drivers/media/i2c/adv7511.c
+index 5ba0f21bcfe4..5f1c8ee8a50e 100644
+--- a/drivers/media/i2c/adv7511.c
++++ b/drivers/media/i2c/adv7511.c
+@@ -142,7 +142,7 @@ static const struct v4l2_dv_timings_cap adv7511_timings_cap = {
+ .type = V4L2_DV_BT_656_1120,
+ /* keep this initialization for compatibility with GCC < 4.4.6 */
+ .reserved = { 0 },
+- V4L2_INIT_BT_TIMINGS(0, ADV7511_MAX_WIDTH, 0, ADV7511_MAX_HEIGHT,
++ V4L2_INIT_BT_TIMINGS(640, ADV7511_MAX_WIDTH, 350, ADV7511_MAX_HEIGHT,
+ ADV7511_MIN_PIXELCLOCK, ADV7511_MAX_PIXELCLOCK,
+ V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
+ V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT,
+diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c
+index 7b1935ab03c8..ce6f93074ae0 100644
+--- a/drivers/media/i2c/adv7604.c
++++ b/drivers/media/i2c/adv7604.c
+@@ -777,7 +777,7 @@ static const struct v4l2_dv_timings_cap adv7604_timings_cap_analog = {
+ .type = V4L2_DV_BT_656_1120,
+ /* keep this initialization for compatibility with GCC < 4.4.6 */
+ .reserved = { 0 },
+- V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1200, 25000000, 170000000,
++ V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 25000000, 170000000,
+ V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
+ V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT,
+ V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_REDUCED_BLANKING |
+@@ -788,7 +788,7 @@ static const struct v4l2_dv_timings_cap adv76xx_timings_cap_digital = {
+ .type = V4L2_DV_BT_656_1120,
+ /* keep this initialization for compatibility with GCC < 4.4.6 */
+ .reserved = { 0 },
+- V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1200, 25000000, 225000000,
++ V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 25000000, 225000000,
+ V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
+ V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT,
+ V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_REDUCED_BLANKING |
+diff --git a/drivers/media/i2c/adv7842.c b/drivers/media/i2c/adv7842.c
+index 8c2a52e280af..cf3b42c9417e 100644
+--- a/drivers/media/i2c/adv7842.c
++++ b/drivers/media/i2c/adv7842.c
+@@ -676,7 +676,7 @@ static const struct v4l2_dv_timings_cap adv7842_timings_cap_analog = {
+ .type = V4L2_DV_BT_656_1120,
+ /* keep this initialization for compatibility with GCC < 4.4.6 */
+ .reserved = { 0 },
+- V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1200, 25000000, 170000000,
++ V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 25000000, 170000000,
+ V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
+ V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT,
+ V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_REDUCED_BLANKING |
+@@ -687,7 +687,7 @@ static const struct v4l2_dv_timings_cap adv7842_timings_cap_digital = {
+ .type = V4L2_DV_BT_656_1120,
+ /* keep this initialization for compatibility with GCC < 4.4.6 */
+ .reserved = { 0 },
+- V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1200, 25000000, 225000000,
++ V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 25000000, 225000000,
+ V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
+ V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT,
+ V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_REDUCED_BLANKING |
+diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
+index 0f572bff64f5..7ebcb9473956 100644
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -66,7 +66,7 @@ static const struct v4l2_dv_timings_cap tc358743_timings_cap = {
+ /* keep this initialization for compatibility with GCC < 4.4.6 */
+ .reserved = { 0 },
+ /* Pixel clock from REF_01 p. 20. Min/max height/width are unknown */
+- V4L2_INIT_BT_TIMINGS(1, 10000, 1, 10000, 0, 165000000,
++ V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 13000000, 165000000,
+ V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
+ V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT,
+ V4L2_DV_BT_CAP_PROGRESSIVE |
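Review bot: The tc358743 entry changes more than the minimums: the maximum width and height drop from `10000` to `1920` and `1200`, which the commit description (minimum width/height/pixelclock) does not mention. The context comment directly above still reads `Min/max height/width are unknown`, so it no longer matches the initializer. If the tighter maxima are intended, the comment should say so, for example `/* Pixel clock max from REF_01 p. 20. Width/height limits are conservative defaults, not datasheet values */`. Otherwise keeping `10000` for the two maxima would avoid rejecting timings that were accepted before.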
+diff --git a/drivers/media/i2c/ths8200.c b/drivers/media/i2c/ths8200.c
+index 42340e364cea..e06e2de87f90 100644
+--- a/drivers/media/i2c/ths8200.c
++++ b/drivers/media/i2c/ths8200.c
+@@ -49,7 +49,7 @@ static const struct v4l2_dv_timings_cap ths8200_timings_cap = {
+ .type = V4L2_DV_BT_656_1120,
+ /* keep this initialization for compatibility with GCC < 4.4.6 */
+ .reserved = { 0 },
+- V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1080, 25000000, 148500000,
++ V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1080, 25000000, 148500000,
+ V4L2_DV_BT_STD_CEA861, V4L2_DV_BT_CAP_PROGRESSIVE)
+ };
+
+--
+2.19.1
+
--- /dev/null
+From acac6635618c29d7155543903c562bfb1f61aed7 Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Fri, 23 Nov 2018 16:56:26 -0500
+Subject: media: DaVinci-VPBE: fix error handling in vpbe_initialize()
+
+[ Upstream commit aa35dc3c71950e3fec3e230c06c27c0fbd0067f8 ]
+
+If vpbe_set_default_output() or vpbe_set_default_mode() fails,
+vpbe_initialize() returns error code without releasing resources.
+
+The patch adds error handling for that case.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/davinci/vpbe.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/davinci/vpbe.c b/drivers/media/platform/davinci/vpbe.c
+index 9a6c2cc38acb..abce9c4a1a8e 100644
+--- a/drivers/media/platform/davinci/vpbe.c
++++ b/drivers/media/platform/davinci/vpbe.c
+@@ -753,7 +753,7 @@ static int vpbe_initialize(struct device *dev, struct vpbe_device *vpbe_dev)
+ if (ret) {
+ v4l2_err(&vpbe_dev->v4l2_dev, "Failed to set default output %s",
+ def_output);
+- return ret;
++ goto fail_kfree_amp;
+ }
+
+ printk(KERN_NOTICE "Setting default mode to %s\n", def_mode);
+@@ -761,12 +761,15 @@ static int vpbe_initialize(struct device *dev, struct vpbe_device *vpbe_dev)
+ if (ret) {
+ v4l2_err(&vpbe_dev->v4l2_dev, "Failed to set default mode %s",
+ def_mode);
+- return ret;
++ goto fail_kfree_amp;
+ }
+ vpbe_dev->initialized = 1;
+ /* TBD handling of bootargs for default output and mode */
+ return 0;
+
++fail_kfree_amp:
++ mutex_lock(&vpbe_dev->lock);
++ kfree(vpbe_dev->amp);
+ fail_kfree_encoders:
+ kfree(vpbe_dev->encoders);
+ fail_dev_unregister:
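Review bot: `kfree(vpbe_dev->amp)` at the new `fail_kfree_amp` label leaves `vpbe_dev->amp` pointing at freed memory, as does the existing `kfree(vpbe_dev->encoders)` below it. If a later teardown path frees or reads these fields after a failed initialize (not visible in this hunk), that becomes a double free or use-after-free; adding `vpbe_dev->amp = NULL;` after the free would close that off. The label also re-takes `vpbe_dev->lock`, which is only correct if both new `goto fail_kfree_amp;` sites run with the mutex released and the labels below end in an unlock. Both of those lie outside the hunk, so this should be confirmed against the full function.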
+--
+2.19.1
+
--- /dev/null
+From 6634045246967c133c6783f6297a83ec8b28156a Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 20 Oct 2018 13:50:19 -0400
+Subject: media: mtk-vcodec: Release device nodes in mtk_vcodec_init_enc_pm()
+
+[ Upstream commit 8ea0f2ba0fa3f91ea1b8d823a54b042026ada6b3 ]
+
+of_parse_phandle() returns the device node with refcount incremented.
+There are two nodes that are used temporary in mtk_vcodec_init_enc_pm(),
+but their refcounts are not decremented.
+
+The patch adds one of_node_put() and fixes returning error codes.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_pm.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_pm.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_pm.c
+index 3e73e9db781f..7c025045ea90 100644
+--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_pm.c
++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_pm.c
+@@ -41,25 +41,27 @@ int mtk_vcodec_init_enc_pm(struct mtk_vcodec_dev *mtkdev)
+ node = of_parse_phandle(dev->of_node, "mediatek,larb", 0);
+ if (!node) {
+ mtk_v4l2_err("no mediatek,larb found");
+- return -1;
++ return -ENODEV;
+ }
+ pdev = of_find_device_by_node(node);
++ of_node_put(node);
+ if (!pdev) {
+ mtk_v4l2_err("no mediatek,larb device found");
+- return -1;
++ return -ENODEV;
+ }
+ pm->larbvenc = &pdev->dev;
+
+ node = of_parse_phandle(dev->of_node, "mediatek,larb", 1);
+ if (!node) {
+ mtk_v4l2_err("no mediatek,larb found");
+- return -1;
++ return -ENODEV;
+ }
+
+ pdev = of_find_device_by_node(node);
++ of_node_put(node);
+ if (!pdev) {
+ mtk_v4l2_err("no mediatek,larb device found");
+- return -1;
++ return -ENODEV;
+ }
+
+ pm->larbvenclt = &pdev->dev;
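Review bot: `of_find_device_by_node()` returns the platform device with a reference held, and neither `pdev` lookup here is paired with a `put_device()`. The hunk balances the node references with `of_node_put(node)`, but the device references kept through `pm->larbvenc` and `pm->larbvenclt` are not dropped. In particular, the second pair of `return -ENODEV;` exits leaves the first device's reference held. Unless a release path outside this hunk already drops them, add `put_device(pm->larbvenc);` before the later error returns and a matching put in the PM release function.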
+--
+2.19.1
+
--- /dev/null
+From ed523b2bd1c15b580191ee6cc64e50b0b36e76e1 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Mon, 5 Nov 2018 16:45:04 +0800
+Subject: memstick: Prevent memstick host from getting runtime suspended during
+ card detection
+
+[ Upstream commit e03e303edf1c63e6dd455ccd568c74e93ef3ba8c ]
+
+We can use MEMSTICK_POWER_{ON,OFF} along with pm_runtime_{get,put}
+helpers to let memstick host support runtime pm.
+
+The rpm count may go down to zero before the memstick host powers on, so
+the host can be runtime suspended.
+
+So before doing card detection, increment the rpm count to avoid the
+host gets runtime suspended. Balance the rpm count after card detection
+is done.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memstick/core/memstick.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/memstick/core/memstick.c b/drivers/memstick/core/memstick.c
+index a0547dbf9806..4d673a626db4 100644
+--- a/drivers/memstick/core/memstick.c
++++ b/drivers/memstick/core/memstick.c
+@@ -18,6 +18,7 @@
+ #include <linux/delay.h>
+ #include <linux/slab.h>
+ #include <linux/module.h>
++#include <linux/pm_runtime.h>
+
+ #define DRIVER_NAME "memstick"
+
+@@ -436,6 +437,7 @@ static void memstick_check(struct work_struct *work)
+ struct memstick_dev *card;
+
+ dev_dbg(&host->dev, "memstick_check started\n");
++ pm_runtime_get_noresume(host->dev.parent);
+ mutex_lock(&host->lock);
+ if (!host->card) {
+ if (memstick_power_on(host))
+@@ -479,6 +481,7 @@ out_power_off:
+ host->set_param(host, MEMSTICK_POWER, MEMSTICK_POWER_OFF);
+
+ mutex_unlock(&host->lock);
++ pm_runtime_put(host->dev.parent);
+ dev_dbg(&host->dev, "memstick_check finished\n");
+ }
+
+--
+2.19.1
+
--- /dev/null
+From b73e297d66e990e5268ee28ab104ffb1ae891fa1 Mon Sep 17 00:00:00 2001
+From: Jiong Wang <jiong.wang@netronome.com>
+Date: Mon, 3 Dec 2018 17:27:54 -0500
+Subject: mips: bpf: fix encoding bug for mm_srlv32_op
+
+[ Upstream commit 17f6c83fb5ebf7db4fcc94a5be4c22d5a7bfe428 ]
+
+For micro-mips, srlv inside POOL32A encoding space should use 0x50
+sub-opcode, NOT 0x90.
+
+Some early version ISA doc describes the encoding as 0x90 for both srlv and
+srav, this looks to me was a typo. I checked Binutils libopcode
+implementation which is using 0x50 for srlv and 0x90 for srav.
+
+v1->v2:
+ - Keep mm_srlv32_op sorted by value.
+
+Fixes: f31318fdf324 ("MIPS: uasm: Add srlv uasm instruction")
+Cc: Markos Chandras <markos.chandras@imgtec.com>
+Cc: Paul Burton <paul.burton@mips.com>
+Cc: linux-mips@vger.kernel.org
+Acked-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Jiong Wang <jiong.wang@netronome.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/uapi/asm/inst.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/uapi/asm/inst.h b/arch/mips/include/uapi/asm/inst.h
+index 711d9b8465b8..377d5179ea3b 100644
+--- a/arch/mips/include/uapi/asm/inst.h
++++ b/arch/mips/include/uapi/asm/inst.h
+@@ -361,8 +361,8 @@ enum mm_32a_minor_op {
+ mm_ext_op = 0x02c,
+ mm_pool32axf_op = 0x03c,
+ mm_srl32_op = 0x040,
++ mm_srlv32_op = 0x050,
+ mm_sra_op = 0x080,
+- mm_srlv32_op = 0x090,
+ mm_rotr_op = 0x0c0,
+ mm_lwxs_op = 0x118,
+ mm_addu32_op = 0x150,
+--
+2.19.1
+
--- /dev/null
+From 273e24fc1dabe21e320f6dba909f328786f20913 Mon Sep 17 00:00:00 2001
+From: Stefan Roese <sr@denx.de>
+Date: Mon, 17 Dec 2018 10:47:48 +0100
+Subject: MIPS: ralink: Select CONFIG_CPU_MIPSR2_IRQ_VI on MT7620/8
+
+[ Upstream commit 0b15394475e3bcaf35ca4bf22fc55d56df67224e ]
+
+Testing has shown, that when using mainline U-Boot on MT7688 based
+boards, the system may hang or crash while mounting the root-fs. The
+main issue here is that mainline U-Boot configures EBase to a value
+near the end of system memory. And with CONFIG_CPU_MIPSR2_IRQ_VI
+disabled, trap_init() will not allocate a new area to place the
+exception handler. The original value will be used and the handler
+will be copied to this location, which might already be used by some
+userspace application.
+
+The MT7688 supports VI - its config3 register is 0x00002420, so VInt
+(Bit 5) is set. But without setting CONFIG_CPU_MIPSR2_IRQ_VI this
+bit will not be evaluated to result in "cpu_has_vi" being set. This
+patch now selects CONFIG_CPU_MIPSR2_IRQ_VI on MT7620/8 which results
+trap_init() to allocate some memory for the exception handler.
+
+Please note that this issue was not seen with the Mediatek U-Boot
+version, as it does not touch EBase (stays at default of 0x8000.0000).
+This is strictly also not correct as the kernel (_text) resides
+here.
+
+Signed-off-by: Stefan Roese <sr@denx.de>
+[paul.burton@mips.com: s/beeing/being/]
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: John Crispin <blogic@openwrt.org>
+Cc: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/ralink/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/mips/ralink/Kconfig b/arch/mips/ralink/Kconfig
+index 813826a456ca..55a5fee781e8 100644
+--- a/arch/mips/ralink/Kconfig
++++ b/arch/mips/ralink/Kconfig
+@@ -38,6 +38,7 @@ choice
+
+ config SOC_MT7620
+ bool "MT7620/8"
++ select CPU_MIPSR2_IRQ_VI
+ select HW_HAS_PCI
+
+ config SOC_MT7621
+--
+2.19.1
+
--- /dev/null
+From ecec7ff76818803bae34551583247bb64201dbe1 Mon Sep 17 00:00:00 2001
+From: Sami Tolvanen <samitolvanen@google.com>
+Date: Tue, 23 Oct 2018 15:15:35 -0700
+Subject: modpost: validate symbol names also in find_elf_symbol
+
+[ Upstream commit 5818c683a619c534c113e1f66d24f636defc29bc ]
+
+If an ARM mapping symbol shares an address with a valid symbol,
+find_elf_symbol can currently return the mapping symbol instead, as the
+symbol is not validated. This can result in confusing warnings:
+
+ WARNING: vmlinux.o(.text+0x18f4028): Section mismatch in reference
+ from the function set_reset_devices() to the variable .init.text:$x.0
+
+This change adds a call to is_valid_name to find_elf_symbol, similarly
+to how it's already used in find_elf_symbol2.
+
+Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/mod/modpost.c | 50 ++++++++++++++++++++++---------------------
+ 1 file changed, 26 insertions(+), 24 deletions(-)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index 88b3dc19bbae..fdf5bbfd00cd 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -1198,6 +1198,30 @@ static int secref_whitelist(const struct sectioncheck *mismatch,
+ return 1;
+ }
+
++static inline int is_arm_mapping_symbol(const char *str)
++{
++ return str[0] == '$' && strchr("axtd", str[1])
++ && (str[2] == '\0' || str[2] == '.');
++}
++
++/*
++ * If there's no name there, ignore it; likewise, ignore it if it's
++ * one of the magic symbols emitted used by current ARM tools.
++ *
++ * Otherwise if find_symbols_between() returns those symbols, they'll
++ * fail the whitelist tests and cause lots of false alarms ... fixable
++ * only by merging __exit and __init sections into __text, bloating
++ * the kernel (which is especially evil on embedded platforms).
++ */
++static inline int is_valid_name(struct elf_info *elf, Elf_Sym *sym)
++{
++ const char *name = elf->strtab + sym->st_name;
++
++ if (!name || !strlen(name))
++ return 0;
++ return !is_arm_mapping_symbol(name);
++}
++
+ /**
+ * Find symbol based on relocation record info.
+ * In some cases the symbol supplied is a valid symbol so
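Review bot: In the moved `is_arm_mapping_symbol()`, `strchr("axtd", str[1])` also succeeds when `str[1]` is `'\0'`, because strchr matches the terminator of its first argument; for a symbol named just `$` the function then reads `str[2]`, one byte past the end of the name. Guarding the lookup fixes it: `return str[0] == '$' && str[1] && strchr("axtd", str[1]) && (str[2] == '\0' || str[2] == '.');`. In `is_valid_name()` the `!name` test cannot reject anything useful, since `name` is `elf->strtab + sym->st_name`. `st_name` is used as an offset with no bound check in these lines, so a truncated or malformed object file could send `strlen()` outside the string table. Both functions are moved verbatim, so these issues pre-date the patch, but the new call from `find_elf_symbol()` adds another path into them.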
+@@ -1223,6 +1247,8 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
+ continue;
+ if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
+ continue;
++ if (!is_valid_name(elf, sym))
++ continue;
+ if (sym->st_value == addr)
+ return sym;
+ /* Find a symbol nearby - addr are maybe negative */
+@@ -1241,30 +1267,6 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
+ return NULL;
+ }
+
+-static inline int is_arm_mapping_symbol(const char *str)
+-{
+- return str[0] == '$' && strchr("axtd", str[1])
+- && (str[2] == '\0' || str[2] == '.');
+-}
+-
+-/*
+- * If there's no name there, ignore it; likewise, ignore it if it's
+- * one of the magic symbols emitted used by current ARM tools.
+- *
+- * Otherwise if find_symbols_between() returns those symbols, they'll
+- * fail the whitelist tests and cause lots of false alarms ... fixable
+- * only by merging __exit and __init sections into __text, bloating
+- * the kernel (which is especially evil on embedded platforms).
+- */
+-static inline int is_valid_name(struct elf_info *elf, Elf_Sym *sym)
+-{
+- const char *name = elf->strtab + sym->st_name;
+-
+- if (!name || !strlen(name))
+- return 0;
+- return !is_arm_mapping_symbol(name);
+-}
+-
+ /*
+ * Find symbols before or equal addr and after addr - in the section sec.
+ * If we find two symbols with equal offset prefer one with a valid name.
+--
+2.19.1
+
--- /dev/null
+From caf2b4c5d6100ac65e8f4b58efc8d3d4ad056b8a Mon Sep 17 00:00:00 2001
+From: Chris Perl <cperl@janestreet.com>
+Date: Mon, 17 Dec 2018 10:56:38 -0500
+Subject: NFS: nfs_compare_mount_options always compare auth flavors.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 594d1644cd59447f4fceb592448d5cd09eb09b5e ]
+
+This patch removes the check from nfs_compare_mount_options to see if a
+`sec' option was passed for the current mount before comparing auth
+flavors and instead just always compares auth flavors.
+
+Consider the following scenario:
+
+You have a server with the address 192.168.1.1 and two exports /export/a
+and /export/b. The first export supports `sys' and `krb5' security, the
+second just `sys'.
+
+Assume you start with no mounts from the server.
+
+The following results in EIOs being returned as the kernel nfs client
+incorrectly thinks it can share the underlying `struct nfs_server's:
+
+$ mkdir /tmp/{a,b}
+$ sudo mount -t nfs -o vers=3,sec=krb5 192.168.1.1:/export/a /tmp/a
+$ sudo mount -t nfs -o vers=3 192.168.1.1:/export/b /tmp/b
+$ df >/dev/null
+df: ‘/tmp/b’: Input/output error
+
+Signed-off-by: Chris Perl <cperl@janestreet.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/super.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 2fdb8f5a7b69..35aef192a13f 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -2403,8 +2403,7 @@ static int nfs_compare_mount_options(const struct super_block *s, const struct n
+ goto Ebusy;
+ if (a->acdirmax != b->acdirmax)
+ goto Ebusy;
+- if (b->auth_info.flavor_len > 0 &&
+- clnt_a->cl_auth->au_flavor != clnt_b->cl_auth->au_flavor)
++ if (clnt_a->cl_auth->au_flavor != clnt_b->cl_auth->au_flavor)
+ goto Ebusy;
+ return 1;
+ Ebusy:
+--
+2.19.1
+
--- /dev/null
+From 09a32620f777108a54c292112ccc7b5384b07d68 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Tue, 27 Nov 2018 15:54:17 -0500
+Subject: nfsd4: fix crash on writing v4_end_grace before nfsd startup
+
+[ Upstream commit 62a063b8e7d1db684db3f207261a466fa3194e72 ]
+
+Anatoly Trosinenko reports that this:
+
+1) Checkout fresh master Linux branch (tested with commit e195ca6cb)
+2) Copy x84_64-config-4.14 to .config, then enable NFS server v4 and build
+3) From `kvm-xfstests shell`:
+
+results in NULL dereference in locks_end_grace.
+
+Check that nfsd has been started before trying to end the grace period.
+
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfsctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
+index 36b2af931e06..797a155c9a67 100644
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1103,6 +1103,8 @@ static ssize_t write_v4_end_grace(struct file *file, char *buf, size_t size)
+ case 'Y':
+ case 'y':
+ case '1':
++ if (nn->nfsd_serv)
++ return -EBUSY;
+ nfsd4_end_grace(nn);
+ break;
+ default:
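Review bot: The added guard `if (nn->nfsd_serv) return -EBUSY;` looks inverted relative to the commit description, which says to check that nfsd has been started before ending the grace period. As written, a write that arrives before startup (when `nn->nfsd_serv` is presumably still NULL) still reaches `nfsd4_end_grace(nn)`, the reported NULL-dereference path. A write to a running server is instead rejected with -EBUSY. The condition should be `if (!nn->nfsd_serv)`. The enclosing switch and function begin outside the hunk.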
+--
+2.19.1
+
--- /dev/null
+From 469b3441f05bcd30e875a03b099801a542e460c6 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Tue, 25 Dec 2018 01:56:14 -0600
+Subject: niu: fix missing checks of niu_pci_eeprom_read
+
+[ Upstream commit 26fd962bde0b15e54234fe762d86bc0349df1de4 ]
+
+niu_pci_eeprom_read() may fail, so we should check its return value
+before using the read data.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Shannon Nelson <shannon.lee.nelson@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sun/niu.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c
+index e45e2f14fb94..fe5b0ac8c631 100644
+--- a/drivers/net/ethernet/sun/niu.c
++++ b/drivers/net/ethernet/sun/niu.c
+@@ -8121,6 +8121,8 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end)
+ start += 3;
+
+ prop_len = niu_pci_eeprom_read(np, start + 4);
++ if (prop_len < 0)
++ return prop_len;
+ err = niu_pci_vpd_get_propname(np, start + 5, namebuf, 64);
+ if (err < 0)
+ return err;
+@@ -8165,8 +8167,12 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end)
+ netif_printk(np, probe, KERN_DEBUG, np->dev,
+ "VPD_SCAN: Reading in property [%s] len[%d]\n",
+ namebuf, prop_len);
+- for (i = 0; i < prop_len; i++)
+- *prop_buf++ = niu_pci_eeprom_read(np, off + i);
++ for (i = 0; i < prop_len; i++) {
++ err = niu_pci_eeprom_read(np, off + i);
++ if (err >= 0)
++ *prop_buf = err;
++ ++prop_buf;
++ }
+ }
+
+ start += len;
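Review bot: The rewritten copy loop ignores a failed `niu_pci_eeprom_read()`: when `err < 0` it skips the store but still advances `prop_buf`, so that byte of the property buffer keeps its previous contents and the caller is never told. This is inconsistent with the first hunk, which returns the error for `prop_len`. Propagating the failure keeps the two paths aligned: `if (err < 0) return err;` followed by `*prop_buf++ = err;`. The function body extends beyond both hunks, so whether `prop_buf` is zeroed beforehand is not visible here.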
+--
+2.19.1
+
--- /dev/null
+From f87644edb9d80a08470f26268abab1d125eff930 Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Fri, 28 Dec 2018 00:32:57 -0800
+Subject: ocfs2: don't clear bh uptodate for block read
+
+[ Upstream commit 70306d9dce75abde855cefaf32b3f71eed8602a3 ]
+
+For sync io read in ocfs2_read_blocks_sync(), first clear bh uptodate flag
+and submit the io, second wait io done, last check whether bh uptodate, if
+not return io error.
+
+If two sync io for the same bh were issued, it could be the first io done
+and set uptodate flag, but just before check that flag, the second io came
+in and cleared uptodate, then ocfs2_read_blocks_sync() for the first io
+will return IO error.
+
+Indeed it's not necessary to clear uptodate flag, as the io end handler
+end_buffer_read_sync() will set or clear it based on io succeed or failed.
+
+The following message was found from a nfs server but the underlying
+storage returned no error.
+
+[4106438.567376] (nfsd,7146,3):ocfs2_get_suballoc_slot_bit:2780 ERROR: read block 1238823695 failed -5
+[4106438.567569] (nfsd,7146,3):ocfs2_get_suballoc_slot_bit:2812 ERROR: status = -5
+[4106438.567611] (nfsd,7146,3):ocfs2_test_inode_bit:2894 ERROR: get alloc slot and bit failed -5
+[4106438.567643] (nfsd,7146,3):ocfs2_test_inode_bit:2932 ERROR: status = -5
+[4106438.567675] (nfsd,7146,3):ocfs2_get_dentry:94 ERROR: test inode bit failed -5
+
+Same issue in non sync read ocfs2_read_blocks(), fixed it as well.
+
+Link: http://lkml.kernel.org/r/20181121020023.3034-4-junxiao.bi@oracle.com
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Changwei Ge <ge.changwei@h3c.com>
+Reviewed-by: Yiwen Jiang <jiangyiwen@huawei.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Mark Fasheh <mfasheh@versity.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/buffer_head_io.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
+index 25c8b328c43d..935bac253991 100644
+--- a/fs/ocfs2/buffer_head_io.c
++++ b/fs/ocfs2/buffer_head_io.c
+@@ -151,7 +151,6 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
+ #endif
+ }
+
+- clear_buffer_uptodate(bh);
+ get_bh(bh); /* for end_buffer_read_sync() */
+ bh->b_end_io = end_buffer_read_sync;
+ submit_bh(REQ_OP_READ, 0, bh);
+@@ -305,7 +304,6 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+ continue;
+ }
+
+- clear_buffer_uptodate(bh);
+ get_bh(bh); /* for end_buffer_read_sync() */
+ if (validate)
+ set_buffer_needs_validate(bh);
+--
+2.19.1
+
--- /dev/null
+From 6fc24a806f4a9b5ce58e522d2270a949d90b0748 Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Thu, 6 Dec 2018 11:02:57 -0300
+Subject: perf header: Fix unchecked usage of strncpy()
+
+[ Upstream commit 7572588085a13d5db02bf159542189f52fdb507e ]
+
+The strncpy() function may leave the destination string buffer
+unterminated, better use strlcpy() that we have a __weak fallback
+implementation for systems without it.
+
+This fixes this warning on an Alpine Linux Edge system with gcc 8.2:
+
+ util/header.c: In function 'perf_event__synthesize_event_update_unit':
+ util/header.c:3586:2: error: 'strncpy' output truncated before terminating nul copying as many bytes from a string as its length [-Werror=stringop-truncation]
+ strncpy(ev->data, evsel->unit, size);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ util/header.c:3579:16: note: length computed here
+ size_t size = strlen(evsel->unit);
+ ^~~~~~~~~~~~~~~~~~~
+
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Fixes: a6e5281780d1 ("perf tools: Add event_update event unit type")
+Link: https://lkml.kernel.org/n/tip-fiikh5nay70bv4zskw2aa858@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/header.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
+index ab36aa5585b4..a11f6760cce8 100644
+--- a/tools/perf/util/header.c
++++ b/tools/perf/util/header.c
+@@ -2988,7 +2988,7 @@ perf_event__synthesize_event_update_unit(struct perf_tool *tool,
+ if (ev == NULL)
+ return -ENOMEM;
+
+- strncpy(ev->data, evsel->unit, size);
++ strlcpy(ev->data, evsel->unit, size + 1);
+ err = process(tool, (union perf_event *)ev, NULL, NULL);
+ free(ev);
+ return err;
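Review bot: The bound passed to strlcpy(), `size + 1`, comes from the source string (the commit message shows `size_t size = strlen(evsel->unit)`) and not from the capacity of `ev->data`, so the call can never truncate and adds no protection by itself. It is safe only if the allocation of `ev`, which is outside this hunk, reserves at least `size + 1` bytes for the data. A comment next to the call, for example `/* ev->data was allocated with room for size + 1 bytes (unit plus NUL) */`, would record that dependency for whoever later changes the allocation.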
+--
+2.19.1
+
--- /dev/null
+From 0f0f63d3c42ae0ce14a8cdc8fee46c26b0fdf318 Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Thu, 6 Dec 2018 11:50:08 -0300
+Subject: perf probe: Fix unchecked usage of strncpy()
+
+[ Upstream commit bef0b8970f27da5ca223e522a174d03e2587761d ]
+
+The strncpy() function may leave the destination string buffer
+unterminated, better use strlcpy() that we have a __weak fallback
+implementation for systems without it.
+
+In this case the 'target' buffer is coming from a list of build-ids that
+are expected to have a len of at most (SBUILD_ID_SIZE - 1) chars, so
+probably we're safe, but since we're using strncpy() here, use strlcpy()
+instead to provide the intended safety checking without the using the
+problematic strncpy() function.
+
+This fixes this warning on an Alpine Linux Edge system with gcc 8.2:
+
+ util/probe-file.c: In function 'probe_cache__open.isra.5':
+ util/probe-file.c:427:3: error: 'strncpy' specified bound 41 equals destination size [-Werror=stringop-truncation]
+ strncpy(sbuildid, target, SBUILD_ID_SIZE);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ cc1: all warnings being treated as errors
+
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Fixes: 1f3736c9c833 ("perf probe: Show all cached probes")
+Link: https://lkml.kernel.org/n/tip-l7n8ggc9kl38qtdlouke5yp5@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/probe-file.c b/tools/perf/util/probe-file.c
+index 436b64731f65..b9507a8d0e30 100644
+--- a/tools/perf/util/probe-file.c
++++ b/tools/perf/util/probe-file.c
+@@ -414,7 +414,7 @@ static int probe_cache__open(struct probe_cache *pcache, const char *target)
+
+ if (target && build_id_cache__cached(target)) {
+ /* This is a cached buildid */
+- strncpy(sbuildid, target, SBUILD_ID_SIZE);
++ strlcpy(sbuildid, target, SBUILD_ID_SIZE);
+ dir_name = build_id_cache__linkname(sbuildid, NULL, 0);
+ goto found;
+ }
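Review bot: strlcpy() truncates silently and its return value is ignored here, so a `target` longer than `SBUILD_ID_SIZE - 1` would be shortened and then handed to build_id_cache__linkname() as if it were a valid build-id. The commit message says such input is not expected, and a check would make that assumption explicit: `if (strlcpy(sbuildid, target, SBUILD_ID_SIZE) >= SBUILD_ID_SIZE) return -EINVAL;`. The function's error paths are outside this hunk, so the exact return value should be matched to what probe_cache__open() uses elsewhere.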
+--
+2.19.1
+
--- /dev/null
+From 82ea2a6af5096225a6728e691398a08978c26869 Mon Sep 17 00:00:00 2001
+From: Pu Wen <puwen@hygon.cn>
+Date: Mon, 12 Nov 2018 15:40:51 +0800
+Subject: perf tools: Add Hygon Dhyana support
+
+[ Upstream commit 4787eff3fa88f62fede6ed7afa06477ae6bf984d ]
+
+The tool perf is useful for the performance analysis on the Hygon Dhyana
+platform. But right now there is no Hygon support for it to analyze the
+KVM guest os data. So add Hygon Dhyana support to it by checking vendor
+string to share the code path of AMD.
+
+Signed-off-by: Pu Wen <puwen@hygon.cn>
+Acked-by: Borislav Petkov <bp@suse.de>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/1542008451-31735-1-git-send-email-puwen@hygon.cn
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/arch/x86/util/kvm-stat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/arch/x86/util/kvm-stat.c b/tools/perf/arch/x86/util/kvm-stat.c
+index b63d4be655a2..2020e12a856f 100644
+--- a/tools/perf/arch/x86/util/kvm-stat.c
++++ b/tools/perf/arch/x86/util/kvm-stat.c
+@@ -154,7 +154,7 @@ int cpu_isa_init(struct perf_kvm_stat *kvm, const char *cpuid)
+ if (strstr(cpuid, "Intel")) {
+ kvm->exit_reasons = vmx_exit_reasons;
+ kvm->exit_reasons_isa = "VMX";
+- } else if (strstr(cpuid, "AMD")) {
++ } else if (strstr(cpuid, "AMD") || strstr(cpuid, "Hygon")) {
+ kvm->exit_reasons = svm_exit_reasons;
+ kvm->exit_reasons_isa = "SVM";
+ } else
+--
+2.19.1
+
--- /dev/null
+From 246431dc5882cdd5df2ab16e0a6bc937bed1125c Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Sun, 9 Dec 2018 20:50:50 +0100
+Subject: pinctrl: meson: meson8: fix the GPIO function for the GPIOAO pins
+
+[ Upstream commit 42f9b48cc5402be11d2364275eb18c257d2a79e8 ]
+
+The GPIOAO pins (as well as the two exotic GPIO_BSD_EN and GPIO_TEST_N)
+only belong to the pin controller in the AO domain. With the current
+definition these pins cannot be referred to in .dts files as group
+(which is possible on GXBB and GXL for example).
+
+Add a separate "gpio_aobus" function to fix the mapping between the pin
+controller and the GPIO pins in the AO domain. This is similar to how
+the GXBB and GXL drivers implement this functionality.
+
+Fixes: 9dab1868ec0db4 ("pinctrl: amlogic: Make driver independent from two-domain configuration")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/meson/pinctrl-meson8.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/pinctrl/meson/pinctrl-meson8.c b/drivers/pinctrl/meson/pinctrl-meson8.c
+index 07f1cb21c1b8..0de7fa414beb 100644
+--- a/drivers/pinctrl/meson/pinctrl-meson8.c
++++ b/drivers/pinctrl/meson/pinctrl-meson8.c
+@@ -736,7 +736,9 @@ static const char * const gpio_groups[] = {
+ "BOOT_5", "BOOT_6", "BOOT_7", "BOOT_8", "BOOT_9",
+ "BOOT_10", "BOOT_11", "BOOT_12", "BOOT_13", "BOOT_14",
+ "BOOT_15", "BOOT_16", "BOOT_17", "BOOT_18",
++};
+
++static const char * const gpio_aobus_groups[] = {
+ "GPIOAO_0", "GPIOAO_1", "GPIOAO_2", "GPIOAO_3",
+ "GPIOAO_4", "GPIOAO_5", "GPIOAO_6", "GPIOAO_7",
+ "GPIOAO_8", "GPIOAO_9", "GPIOAO_10", "GPIOAO_11",
+@@ -908,6 +910,7 @@ static struct meson_pmx_func meson8_cbus_functions[] = {
+ };
+
+ static struct meson_pmx_func meson8_aobus_functions[] = {
++ FUNCTION(gpio_aobus),
+ FUNCTION(uart_ao),
+ FUNCTION(remote),
+ FUNCTION(i2c_slave_ao),
+--
+2.19.1
+
--- /dev/null
+From dfd28184b0967d5978b6f36bc8a6e9c07e3fb7f1 Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Sun, 9 Dec 2018 20:50:51 +0100
+Subject: pinctrl: meson: meson8b: fix the GPIO function for the GPIOAO pins
+
+[ Upstream commit 2b745ac3cceb8fc1d9985990c8241a821ea97e53 ]
+
+The GPIOAO pins (as well as the two exotic GPIO_BSD_EN and GPIO_TEST_N)
+only belong to the pin controller in the AO domain. With the current
+definition these pins cannot be referred to in .dts files as group
+(which is possible on GXBB and GXL for example).
+
+Add a separate "gpio_aobus" function to fix the mapping between the pin
+controller and the GPIO pins in the AO domain. This is similar to how
+the GXBB and GXL drivers implement this functionality.
+
+Fixes: 9dab1868ec0db4 ("pinctrl: amlogic: Make driver independent from two-domain configuration")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/meson/pinctrl-meson8b.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pinctrl/meson/pinctrl-meson8b.c b/drivers/pinctrl/meson/pinctrl-meson8b.c
+index f87ef5a0ee6c..cbe5f5cbddb8 100644
+--- a/drivers/pinctrl/meson/pinctrl-meson8b.c
++++ b/drivers/pinctrl/meson/pinctrl-meson8b.c
+@@ -643,16 +643,18 @@ static const char * const gpio_groups[] = {
+ "BOOT_10", "BOOT_11", "BOOT_12", "BOOT_13", "BOOT_14",
+ "BOOT_15", "BOOT_16", "BOOT_17", "BOOT_18",
+
+- "GPIOAO_0", "GPIOAO_1", "GPIOAO_2", "GPIOAO_3",
+- "GPIOAO_4", "GPIOAO_5", "GPIOAO_6", "GPIOAO_7",
+- "GPIOAO_8", "GPIOAO_9", "GPIOAO_10", "GPIOAO_11",
+- "GPIOAO_12", "GPIOAO_13", "GPIO_BSD_EN", "GPIO_TEST_N",
+-
+ "DIF_0_P", "DIF_0_N", "DIF_1_P", "DIF_1_N",
+ "DIF_2_P", "DIF_2_N", "DIF_3_P", "DIF_3_N",
+ "DIF_4_P", "DIF_4_N"
+ };
+
++static const char * const gpio_aobus_groups[] = {
++ "GPIOAO_0", "GPIOAO_1", "GPIOAO_2", "GPIOAO_3",
++ "GPIOAO_4", "GPIOAO_5", "GPIOAO_6", "GPIOAO_7",
++ "GPIOAO_8", "GPIOAO_9", "GPIOAO_10", "GPIOAO_11",
++ "GPIOAO_12", "GPIOAO_13", "GPIO_BSD_EN", "GPIO_TEST_N"
++};
++
+ static const char * const sd_a_groups[] = {
+ "sd_d0_a", "sd_d1_a", "sd_d2_a", "sd_d3_a", "sd_clk_a",
+ "sd_cmd_a"
+@@ -868,6 +870,7 @@ static struct meson_pmx_func meson8b_cbus_functions[] = {
+ };
+
+ static struct meson_pmx_func meson8b_aobus_functions[] = {
++ FUNCTION(gpio_aobus),
+ FUNCTION(uart_ao),
+ FUNCTION(uart_ao_b),
+ FUNCTION(i2c_slave_ao),
+--
+2.19.1
+
--- /dev/null
+From 16ae996532296a0d654a819e515dc387f4837e5c Mon Sep 17 00:00:00 2001
+From: Frank Rowand <frank.rowand@sony.com>
+Date: Thu, 4 Oct 2018 20:27:16 -0700
+Subject: powerpc/pseries: add of_node_put() in dlpar_detach_node()
+
+[ Upstream commit 5b3f5c408d8cc59b87e47f1ab9803dbd006e4a91 ]
+
+The previous commit, "of: overlay: add missing of_node_get() in
+__of_attach_node_sysfs" added a missing of_node_get() to
+__of_attach_node_sysfs(). This results in a refcount imbalance
+for nodes attached with dlpar_attach_node(). The calling sequence
+from dlpar_attach_node() to __of_attach_node_sysfs() is:
+
+ dlpar_attach_node()
+ of_attach_node()
+ __of_attach_node_sysfs()
+
+For more detailed description of the node refcount, see
+commit 68baf692c435 ("powerpc/pseries: Fix of_node_put() underflow
+during DLPAR remove").
+
+Tested-by: Alan Tull <atull@kernel.org>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Frank Rowand <frank.rowand@sony.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/dlpar.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c
+index 72ae2cdbcd6a..999b04819d69 100644
+--- a/arch/powerpc/platforms/pseries/dlpar.c
++++ b/arch/powerpc/platforms/pseries/dlpar.c
+@@ -288,6 +288,8 @@ int dlpar_detach_node(struct device_node *dn)
+ if (rc)
+ return rc;
+
++ of_node_put(dn);
++
+ return 0;
+ }
+
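Review bot: The added `of_node_put(dn)` is balanced only if this tree also carries the of_node_get() that the commit message says was added to __of_attach_node_sysfs(). Without that companion change every DLPAR remove would drop one reference too many, and a refcount underflow on a device node can end in a use-after-free. Please confirm the prerequisite commit is queued for the same stable branch; it is not among the series entries visible on this page. A comment on the call, e.g. `/* drop the reference taken in __of_attach_node_sysfs() */`, would also document which get this put pairs with.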
+--
+2.19.1
+
--- /dev/null
+From 996bfa401f8e176c2c5aeea7f88f760583b9efef Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Mon, 10 Dec 2018 06:50:09 +0000
+Subject: powerpc/uaccess: fix warning/error with access_ok()
+
+[ Upstream commit 05a4ab823983d9136a460b7b5e0d49ee709a6f86 ]
+
+With the following piece of code, the following compilation warning
+is encountered:
+
+ if (_IOC_DIR(ioc) != _IOC_NONE) {
+ int verify = _IOC_DIR(ioc) & _IOC_READ ? VERIFY_WRITE : VERIFY_READ;
+
+ if (!access_ok(verify, ioarg, _IOC_SIZE(ioc))) {
+
+drivers/platform/test/dev.c: In function 'my_ioctl':
+drivers/platform/test/dev.c:219:7: warning: unused variable 'verify' [-Wunused-variable]
+ int verify = _IOC_DIR(ioc) & _IOC_READ ? VERIFY_WRITE : VERIFY_READ;
+
+This patch fixes it by referencing 'type' in the macro allthough
+doing nothing with it.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/uaccess.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
+index c266227fdd5b..31913b3ac7ab 100644
+--- a/arch/powerpc/include/asm/uaccess.h
++++ b/arch/powerpc/include/asm/uaccess.h
+@@ -59,7 +59,7 @@
+ #endif
+
+ #define access_ok(type, addr, size) \
+- (__chk_user_ptr(addr), \
++ (__chk_user_ptr(addr), (void)(type), \
+ __access_ok((__force unsigned long)(addr), (size), get_fs()))
+
+ /*
+--
+2.19.1
+
--- /dev/null
+From 89fd677279f9a4ad0ce34bca89b70cef8481e614 Mon Sep 17 00:00:00 2001
+From: Cheng Lin <cheng.lin130@zte.com.cn>
+Date: Thu, 3 Jan 2019 15:26:13 -0800
+Subject: proc/sysctl: fix return error for proc_doulongvec_minmax()
+
+[ Upstream commit 09be178400829dddc1189b50a7888495dd26aa84 ]
+
+If the number of input parameters is less than the total parameters, an
+EINVAL error will be returned.
+
+For example, we use proc_doulongvec_minmax to pass up to two parameters
+with kern_table:
+
+{
+ .procname = "monitor_signals",
+ .data = &monitor_sigs,
+ .maxlen = 2*sizeof(unsigned long),
+ .mode = 0644,
+ .proc_handler = proc_doulongvec_minmax,
+},
+
+Reproduce:
+
+When passing two parameters, it's work normal. But passing only one
+parameter, an error "Invalid argument"(EINVAL) is returned.
+
+ [root@cl150 ~]# echo 1 2 > /proc/sys/kernel/monitor_signals
+ [root@cl150 ~]# cat /proc/sys/kernel/monitor_signals
+ 1 2
+ [root@cl150 ~]# echo 3 > /proc/sys/kernel/monitor_signals
+ -bash: echo: write error: Invalid argument
+ [root@cl150 ~]# echo $?
+ 1
+ [root@cl150 ~]# cat /proc/sys/kernel/monitor_signals
+ 3 2
+ [root@cl150 ~]#
+
+The following is the result after apply this patch. No error is
+returned when the number of input parameters is less than the total
+parameters.
+
+ [root@cl150 ~]# echo 1 2 > /proc/sys/kernel/monitor_signals
+ [root@cl150 ~]# cat /proc/sys/kernel/monitor_signals
+ 1 2
+ [root@cl150 ~]# echo 3 > /proc/sys/kernel/monitor_signals
+ [root@cl150 ~]# echo $?
+ 0
+ [root@cl150 ~]# cat /proc/sys/kernel/monitor_signals
+ 3 2
+ [root@cl150 ~]#
+
+There are three processing functions dealing with digital parameters,
+__do_proc_dointvec/__do_proc_douintvec/__do_proc_doulongvec_minmax.
+
+This patch deals with __do_proc_doulongvec_minmax, just as
+__do_proc_dointvec does, adding a check for parameters 'left'. In
+__do_proc_douintvec, its code implementation explicitly does not support
+multiple inputs.
+
+static int __do_proc_douintvec(...){
+ ...
+ /*
+ * Arrays are not supported, keep this simple. *Do not* add
+ * support for them.
+ */
+ if (vleft != 1) {
+ *lenp = 0;
+ return -EINVAL;
+ }
+ ...
+}
+
+So, just __do_proc_doulongvec_minmax has the problem. And most use of
+proc_doulongvec_minmax/proc_doulongvec_ms_jiffies_minmax just have one
+parameter.
+
+Link: http://lkml.kernel.org/r/1544081775-15720-1-git-send-email-cheng.lin130@zte.com.cn
+Signed-off-by: Cheng Lin <cheng.lin130@zte.com.cn>
+Acked-by: Luis Chamberlain <mcgrof@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sysctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 23f658d311c0..93c7b02279b9 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2503,6 +2503,8 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
+ bool neg;
+
+ left -= proc_skip_spaces(&p);
++ if (!left)
++ break;
+
+ err = proc_get_long(&p, &left, &val, &neg,
+ proc_wspace_sep,
+--
+2.19.1
+
--- /dev/null
+From faaa0c8b1c82ef7377be303b8590d25e269a30ef Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Fri, 9 Nov 2018 11:14:43 +0100
+Subject: ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl
+
+[ Upstream commit 83d0bdc7390b890905634186baaa294475cd6a06 ]
+
+If a gettime64 call fails, return the error and avoid copying data back
+to user.
+
+Cc: Richard Cochran <richardcochran@gmail.com>
+Cc: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ptp/ptp_chardev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
+index a421d6c551b6..ecb41eacd74b 100644
+--- a/drivers/ptp/ptp_chardev.c
++++ b/drivers/ptp/ptp_chardev.c
+@@ -228,7 +228,9 @@ long ptp_ioctl(struct posix_clock *pc, unsigned int cmd, unsigned long arg)
+ pct->sec = ts.tv_sec;
+ pct->nsec = ts.tv_nsec;
+ pct++;
+- ptp->info->gettime64(ptp->info, &ts);
++ err = ptp->info->gettime64(ptp->info, &ts);
++ if (err)
++ goto out;
+ pct->sec = ts.tv_sec;
+ pct->nsec = ts.tv_nsec;
+ pct++;
+@@ -281,6 +283,7 @@ long ptp_ioctl(struct posix_clock *pc, unsigned int cmd, unsigned long arg)
+ break;
+ }
+
++out:
+ kfree(sysoff);
+ return err;
+ }
+--
+2.19.1
+
--- /dev/null
+From b4eade0da12fef78b4a1f45bb5be48026d8183c7 Mon Sep 17 00:00:00 2001
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Sat, 24 Nov 2018 21:14:16 +0300
+Subject: sata_rcar: fix deferred probing
+
+[ Upstream commit 9f83cfdb1ace3ef268ecc6fda50058d2ec37d603 ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-EINVAL, so if it returns -EPROBE_DEFER, the driver would fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error code upstream, still checking/overriding IRQ0 as libata regards it
+as "no IRQ" (thus polling) anyway...
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/sata_rcar.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ata/sata_rcar.c b/drivers/ata/sata_rcar.c
+index e83a3d3421b9..07e146b772ea 100644
+--- a/drivers/ata/sata_rcar.c
++++ b/drivers/ata/sata_rcar.c
+@@ -872,7 +872,9 @@ static int sata_rcar_probe(struct platform_device *pdev)
+ int ret = 0;
+
+ irq = platform_get_irq(pdev, 0);
+- if (irq <= 0)
++ if (irq < 0)
++ return irq;
++ if (!irq)
+ return -EINVAL;
+
+ priv = devm_kzalloc(&pdev->dev, sizeof(struct sata_rcar_priv),
+--
+2.19.1
+
--- /dev/null
+From 3193a64c2a0d1a80dc4817f43148ba14a520e668 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Fri, 28 Dec 2018 00:31:25 -0800
+Subject: scripts/decode_stacktrace: only strip base path when a prefix of the
+ path
+
+[ Upstream commit 67a28de47faa83585dd644bd4c31e5a1d9346c50 ]
+
+Running something like:
+
+ decodecode vmlinux .
+
+leads to interested results where not only the leading "." gets stripped
+from the displayed paths, but also anywhere in the string, displaying
+something like:
+
+ kvm_vcpu_check_block (arch/arm64/kvm/virt/kvm/kvm_mainc:2141)
+
+which doesn't help further processing.
+
+Fix it by only stripping the base path if it is a prefix of the path.
+
+Link: http://lkml.kernel.org/r/20181210174659.31054-3-marc.zyngier@arm.com
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/decode_stacktrace.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh
+index c332684e1b5a..edde8250195c 100755
+--- a/scripts/decode_stacktrace.sh
++++ b/scripts/decode_stacktrace.sh
+@@ -77,7 +77,7 @@ parse_symbol() {
+ fi
+
+ # Strip out the base of the path
+- code=${code//$basepath/""}
++ code=${code//^$basepath/""}
+
+ # In the case of inlines, move everything to same line
+ code=${code//$'\n'/' '}
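Review bot: In bash pattern substitution `^` is a literal character, not an anchor, so `${code//^$basepath/""}` matches only a `^` followed by the base path and in practice no longer strips anything. A prefix match is written with `#`, for example `code=${code#"$basepath"}` or `code=${code/#"$basepath"/}`. Quoting `$basepath` also stops glob characters in the path from being read as a pattern. The next statement joins multiple lines for inlined frames, so a prefix match would strip only the first path, and the stripping may need to run per line.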
+--
+2.19.1
+
--- /dev/null
+From 6134b95ce32ebb758a8592f8b63c7ce37659b431 Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 23 Oct 2018 13:41:07 -0700
+Subject: scsi: lpfc: Correct LCB RJT handling
+
+[ Upstream commit b114d9009d386276bfc3352289fc235781ae3353 ]
+
+When LCB's are rejected, if beaconing was already in progress, the
+Reason Code Explanation was not being set. Should have been set to
+command in progress.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index fc7addaf24da..4905455bbfc7 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -5396,6 +5396,9 @@ error:
+ stat = (struct ls_rjt *)(pcmd + sizeof(uint32_t));
+ stat->un.b.lsRjtRsnCode = LSRJT_UNABLE_TPC;
+
++ if (shdr_add_status == ADD_STATUS_OPERATION_ALREADY_ACTIVE)
++ stat->un.b.lsRjtRsnCodeExp = LSEXP_CMD_IN_PROGRESS;
++
+ elsiocb->iocb_cmpl = lpfc_cmpl_els_rsp;
+ phba->fc_stat.elsXmitLSRJT++;
+ rc = lpfc_sli_issue_iocb(phba, LPFC_ELS_RING, elsiocb, 0);
+--
+2.19.1
+
--- /dev/null
+From e594806a02bbff13e96079023c22eccdfdf0f65b Mon Sep 17 00:00:00 2001
+From: Mahesh Rajashekhara <mahesh.rajashekhara@microsemi.com>
+Date: Fri, 7 Dec 2018 16:28:29 -0600
+Subject: scsi: smartpqi: correct host serial num for ssa
+
+[ Upstream commit b2346b5030cf9458f30a84028d9fe904b8c942a7 ]
+
+Reviewed-by: Scott Benesh <scott.benesh@microsemi.com>
+Reviewed-by: Ajish Koshy <ajish.koshy@microsemi.com>
+Reviewed-by: Murthy Bhat <murthy.bhat@microsemi.com>
+Reviewed-by: Mahesh Rajashekhara <mahesh.rajashekhara@microsemi.com>
+Reviewed-by: Dave Carroll <david.carroll@microsemi.com>
+Reviewed-by: Scott Teel <scott.teel@microsemi.com>
+Reviewed-by: Kevin Barnett <kevin.barnett@microsemi.com>
+Signed-off-by: Mahesh Rajashekhara <mahesh.rajashekhara@microsemi.com>
+Signed-off-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/smartpqi/smartpqi_init.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
+index b2b969990a5d..9a208961cc0b 100644
+--- a/drivers/scsi/smartpqi/smartpqi_init.c
++++ b/drivers/scsi/smartpqi/smartpqi_init.c
+@@ -473,6 +473,7 @@ struct bmic_host_wellness_driver_version {
+ u8 driver_version_tag[2];
+ __le16 driver_version_length;
+ char driver_version[32];
++ u8 dont_write_tag[2];
+ u8 end_tag[2];
+ };
+
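Review bot: The new `dont_write_tag` field, and the `'D'`, `'W'` bytes stored into it in the second hunk, carry no comment, and the commit has no description. Nothing on the page says what the tag asks the controller to do or why it must sit between `driver_version` and `end_tag`. Judging by the tag and length fields this struct is a buffer layout consumed by the controller, so field order and padding matter. A field comment such as `/* "DW" tag: <meaning per controller firmware interface> */` would help, and it is worth confirming that the struct is declared packed, which is not visible in this hunk.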
+@@ -502,6 +503,8 @@ static int pqi_write_driver_version_to_host_wellness(
+ strncpy(buffer->driver_version, DRIVER_VERSION,
+ sizeof(buffer->driver_version) - 1);
+ buffer->driver_version[sizeof(buffer->driver_version) - 1] = '\0';
++ buffer->dont_write_tag[0] = 'D';
++ buffer->dont_write_tag[1] = 'W';
+ buffer->end_tag[0] = 'Z';
+ buffer->end_tag[1] = 'Z';
+
+--
+2.19.1
+
--- /dev/null
+From 7e579de0a0e7126f1eb6834601760d9dffc2503f Mon Sep 17 00:00:00 2001
+From: Dave Carroll <david.carroll@microsemi.com>
+Date: Fri, 7 Dec 2018 16:29:45 -0600
+Subject: scsi: smartpqi: correct volume status
+
+[ Upstream commit 7ff44499bafbd376115f0bb6b578d980f56ee13b ]
+
+- fix race condition when a unit is deleted after an RLL,
+ and before we have gotten the LV_STATUS page of the unit.
+ - In this case we will get a standard inquiry, rather than
+ the desired page. This will result in a unit presented
+ which no longer exists.
+ - If we ask for LV_STATUS, insure we get LV_STATUS
+
+Reviewed-by: Murthy Bhat <murthy.bhat@microsemi.com>
+Reviewed-by: Mahesh Rajashekhara <mahesh.rajashekhara@microsemi.com>
+Reviewed-by: Scott Teel <scott.teel@microsemi.com>
+Reviewed-by: Kevin Barnett <kevin.barnett@microsemi.com>
+Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
+Signed-off-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/smartpqi/smartpqi_init.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
+index 9a208961cc0b..06a062455404 100644
+--- a/drivers/scsi/smartpqi/smartpqi_init.c
++++ b/drivers/scsi/smartpqi/smartpqi_init.c
+@@ -983,6 +983,9 @@ static void pqi_get_volume_status(struct pqi_ctrl_info *ctrl_info,
+ if (rc)
+ goto out;
+
++ if (vpd->page_code != CISS_VPD_LV_STATUS)
++ goto out;
++
+ page_length = offsetof(struct ciss_vpd_logical_volume_status,
+ volume_status) + vpd->page_length;
+ if (page_length < sizeof(*vpd))
+--
+2.19.1
+
--- /dev/null
+From 86c63f6a1c5e5b87516f6af8e081af462c9c2558 Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Fri, 19 Oct 2018 15:21:08 +1100
+Subject: seq_buf: Make seq_buf_puts() null-terminate the buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 0464ed24380905d640030d368cd84a4e4d1e15e2 ]
+
+Currently seq_buf_puts() will happily create a non null-terminated
+string for you in the buffer. This is particularly dangerous if the
+buffer is on the stack.
+
+For example:
+
+ char buf[8];
+ char secret = "secret";
+ struct seq_buf s;
+
+ seq_buf_init(&s, buf, sizeof(buf));
+ seq_buf_puts(&s, "foo");
+ printk("Message is %s\n", buf);
+
+Can result in:
+
+ Message is fooªªªªªsecret
+
+We could require all users to memset() their buffer to zero before
+use. But that seems likely to be forgotten and lead to bugs.
+
+Instead we can change seq_buf_puts() to always leave the buffer in a
+null-terminated state.
+
+The only downside is that this makes the buffer 1 character smaller
+for seq_buf_puts(), but that seems like a good trade off.
+
+Link: http://lkml.kernel.org/r/20181019042109.8064-1-mpe@ellerman.id.au
+
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/seq_buf.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/seq_buf.c b/lib/seq_buf.c
+index cb18469e1f49..5954f9fb6675 100644
+--- a/lib/seq_buf.c
++++ b/lib/seq_buf.c
+@@ -143,9 +143,13 @@ int seq_buf_puts(struct seq_buf *s, const char *str)
+
+ WARN_ON(s->size == 0);
+
++ /* Add 1 to len for the trailing null byte which must be there */
++ len += 1;
++
+ if (seq_buf_can_fit(s, len)) {
+ memcpy(s->buffer + s->len, str, len);
+- s->len += len;
++ /* Don't count the trailing null byte against the capacity */
++ s->len += len - 1;
+ return 0;
+ }
+ seq_buf_set_overflow(s);
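Review bot: The terminator written here is not counted in `s->len`, so the next append starts on top of it, and the buffer is guaranteed to be NUL-terminated only directly after a successful seq_buf_puts(). On the overflow path nothing is copied, so a buffer that was never written stays unterminated too. The other seq_buf writers are not part of this hunk; if they do not write a terminator themselves, callers that print `s->buffer` with `%s` still have to terminate it. The function comment, which lies outside the hunk, could state this: `/* leaves a trailing NUL that is not counted in s->len; later writes overwrite it */`.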
+--
+2.19.1
+
--- /dev/null
+From e5dd5ebc5f3f1056d9c891e98eddade02f3e15bf Mon Sep 17 00:00:00 2001
+From: Andy Duan <fugang.duan@nxp.com>
+Date: Tue, 16 Oct 2018 07:32:22 +0000
+Subject: serial: fsl_lpuart: clear parity enable bit when disable parity
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 397bd9211fe014b347ca8f95a8f4e1017bac1aeb ]
+
+Current driver only enable parity enable bit and never clear it
+when user set the termios. The fix clear the parity enable bit when
+PARENB flag is not set in termios->c_cflag.
+
+Cc: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Andy Duan <fugang.duan@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
+index e2ec04904f54..5c471c3481bd 100644
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -1344,6 +1344,8 @@ lpuart_set_termios(struct uart_port *port, struct ktermios *termios,
+ else
+ cr1 &= ~UARTCR1_PT;
+ }
++ } else {
++ cr1 &= ~UARTCR1_PE;
+ }
+
+ /* ask the core to calculate the divisor */
+@@ -1487,6 +1489,8 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios,
+ else
+ ctrl &= ~UARTCTRL_PT;
+ }
++ } else {
++ ctrl &= ~UARTCTRL_PE;
+ }
+
+ /* ask the core to calculate the divisor */
+--
+2.19.1
+
--- /dev/null
+drm-bufs-fix-spectre-v1-vulnerability.patch
+staging-iio-adc-ad7280a-handle-error-from-__ad7280_r.patch
+asoc-intel-mrfld-fix-uninitialized-variable-access.patch
+gpu-ipu-v3-image-convert-prevent-race-between-run-an.patch
+ath9k-dynack-use-authentication-messages-for-late-ac.patch
+scsi-lpfc-correct-lcb-rjt-handling.patch
+arm-8808-1-kexec-offline-panic_smp_self_stop-cpu.patch
+dlm-don-t-swamp-the-cpu-with-callbacks-queued-during.patch
+x86-pci-fix-broadcom-cnb20le-unintended-sign-extensi.patch
+powerpc-pseries-add-of_node_put-in-dlpar_detach_node.patch
+drm-vc4-x_scaling-1-should-never-be-set-to-vc4_scali.patch
+serial-fsl_lpuart-clear-parity-enable-bit-when-disab.patch
+ptp-check-gettime64-return-code-in-ptp_sys_offset-io.patch
+staging-iio-ad2s90-make-probe-handle-spi_setup-failu.patch
+staging-iio-ad7780-update-voltage-on-read.patch
+arm-omap2-hwmod-fix-some-section-annotations.patch
+modpost-validate-symbol-names-also-in-find_elf_symbo.patch
+perf-tools-add-hygon-dhyana-support.patch
+soc-tegra-don-t-leak-device-tree-node-reference.patch
+media-mtk-vcodec-release-device-nodes-in-mtk_vcodec_.patch
+dmaengine-xilinx_dma-remove-__aligned-attribute-on-z.patch
+iio-accel-kxcjk1013-add-kiox010a-acpi-hardware-id.patch
+media-adv-tc358743-ths8200-fill-in-min-width-height-.patch
+f2fs-move-dir-data-flush-to-write-checkpoint-process.patch
+f2fs-avoid-build-warn-of-fall_through.patch
+f2fs-fix-wrong-return-value-of-f2fs_acl_create.patch
+sunvdc-do-not-spin-in-an-infinite-loop-when-vio_ldc_.patch
+soc-bcm-brcmstb-don-t-leak-device-tree-node-referenc.patch
+nfsd4-fix-crash-on-writing-v4_end_grace-before-nfsd-.patch
+thermal-do-not-clear-passive-state-during-system-sle.patch
+firmware-efi-add-null-pointer-checks-in-efivars-api-.patch
+arm64-ftrace-don-t-adjust-the-lr-value.patch
+arm-dts-mmp2-fix-twsi2.patch
+arm-mmp-mmp2-dt-enable-the-clock.patch
+x86-fpu-add-might_fault-to-user_insn.patch
+media-davinci-vpbe-fix-error-handling-in-vpbe_initia.patch
+smack-fix-access-permissions-for-keyring.patch
+usb-hub-delay-hub-autosuspend-if-usb3-port-is-still-.patch
+timekeeping-use-proper-seqcount-initializer.patch
+clk-sunxi-ng-a33-set-clk_set_rate_parent-for-all-aud.patch
+iommu-amd-fix-amd_iommu-force_isolation.patch
+arm-dts-fix-omap4430-sdp-ethernet-startup.patch
+mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch
+tracing-have-trace_stack-nr_entries-compare-not-be-s.patch
+iommu-arm-smmu-add-support-for-qcom-smmu-v2-variant.patch
+iommu-arm-smmu-v3-use-explicit-mb-when-moving-cons-p.patch
+sata_rcar-fix-deferred-probing.patch
+clk-imx6sl-ensure-mmdc-ch0-handshake-is-bypassed.patch
+cpuidle-big.little-fix-refcount-leak.patch
+i2c-axxia-check-for-error-conditions-first.patch
+udf-fix-bug-on-corrupted-inode.patch
+arm-pxa-avoid-section-mismatch-warning.patch
+asoc-fsl-fix-snd_soc_eukrea_tlv320-build-error-on-i..patch
+arm-mmp-fix-timer_init-calls.patch
+memstick-prevent-memstick-host-from-getting-runtime-.patch
+tty-serial-samsung-properly-set-flags-in-autocts-mod.patch
+perf-header-fix-unchecked-usage-of-strncpy.patch
+perf-probe-fix-unchecked-usage-of-strncpy.patch
+kvm-s390-unregister-debug-feature-on-failing-arch-in.patch
+arm64-kvm-skip-mmio-insn-after-emulation.patch
+powerpc-uaccess-fix-warning-error-with-access_ok.patch
+mac80211-fix-radiotap-vendor-presence-bitmap-handlin.patch
+xfrm6_tunnel-fix-spi-check-in-__xfrm6_tunnel_alloc_s.patch
+bluetooth-fix-unnecessary-error-message-for-hci-requ.patch
+scsi-smartpqi-correct-host-serial-num-for-ssa.patch
+scsi-smartpqi-correct-volume-status.patch
+cw1200-fix-concurrency-use-after-free-bugs-in-cw1200.patch
+drbd-narrow-rcu_read_lock-in-drbd_sync_handshake.patch
+drbd-disconnect-if-the-wrong-uuids-are-attached-on-a.patch
+drbd-skip-spurious-timeout-ping-timeo-when-failing-p.patch
+drbd-avoid-clang-warning-about-pointless-switch-stat.patch
+video-clps711x-fb-release-disp-device-node-in-probe.patch
+fbdev-fbmem-behave-better-with-small-rotated-display.patch
+i40e-define-proper-net_device-neigh_priv_len.patch
+igb-fix-an-issue-that-pme-is-not-enabled-during-runt.patch
+fbdev-fbcon-fix-unregister-crash-when-more-than-one-.patch
+pinctrl-meson-meson8-fix-the-gpio-function-for-the-g.patch
+pinctrl-meson-meson8b-fix-the-gpio-function-for-the-.patch
+kvm-x86-svm-report-msr_ia32_mcg_ext_ctl-as-unsupport.patch
+nfs-nfs_compare_mount_options-always-compare-auth-fl.patch
+hwmon-lm80-fix-a-missing-check-of-the-status-of-smbu.patch
+hwmon-lm80-fix-a-missing-check-of-bus-read-in-lm80-p.patch
+seq_buf-make-seq_buf_puts-null-terminate-the-buffer.patch
+crypto-ux500-use-proper-enum-in-cryp_set_dma_transfe.patch
+crypto-ux500-use-proper-enum-in-hash_set_dma_transfe.patch
+mips-ralink-select-config_cpu_mipsr2_irq_vi-on-mt762.patch
+cifs-check-ntwrk_buf_start-for-null-before-dereferen.patch
+um-avoid-marking-pages-with-changed-protection.patch
+niu-fix-missing-checks-of-niu_pci_eeprom_read.patch
+f2fs-fix-sbi-extent_list-corruption-issue.patch
+scripts-decode_stacktrace-only-strip-base-path-when-.patch
+ocfs2-don-t-clear-bh-uptodate-for-block-read.patch
+isdn-hisax-hfc_pci-fix-a-possible-concurrency-use-af.patch
+gdrom-fix-a-memory-leak-bug.patch
+fsl-fman-use-gfp_atomic-in-memac-tgec-_add_hash_mac_.patch
+block-swim3-fix-ebusy-error-when-re-opening-device-a.patch
+thermal-generic-adc-fix-adc-to-temp-interpolation.patch
+hid-lenovo-add-checks-to-fix-of_led_classdev_registe.patch
+fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch
+kernel-hung_task.c-break-rcu-locks-based-on-jiffies.patch
+proc-sysctl-fix-return-error-for-proc_doulongvec_min.patch
+fs-epoll-drop-ovflist-branch-prediction.patch
+exec-load_script-don-t-blindly-truncate-shebang-stri.patch
--- /dev/null
+From 30673d6465da7d1b0fcd3af76224034845a64236 Mon Sep 17 00:00:00 2001
+From: Zoran Markovic <zmarkovic@sierrawireless.com>
+Date: Wed, 17 Oct 2018 16:25:44 -0700
+Subject: smack: fix access permissions for keyring
+
+[ Upstream commit 5b841bfab695e3b8ae793172a9ff7990f99cc3e2 ]
+
+Function smack_key_permission() only issues smack requests for the
+following operations:
+ - KEY_NEED_READ (issues MAY_READ)
+ - KEY_NEED_WRITE (issues MAY_WRITE)
+ - KEY_NEED_LINK (issues MAY_WRITE)
+ - KEY_NEED_SETATTR (issues MAY_WRITE)
+A blank smack request is issued in all other cases, resulting in
+smack access being granted if there is any rule defined between
+subject and object, or denied with -EACCES otherwise.
+
+Request MAY_READ access for KEY_NEED_SEARCH and KEY_NEED_VIEW.
+Fix the logic in the unlikely case when both MAY_READ and
+MAY_WRITE are needed. Validate access permission field for valid
+contents.
+
+Signed-off-by: Zoran Markovic <zmarkovic@sierrawireless.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Cc: Casey Schaufler <casey@schaufler-ca.com>
+Cc: James Morris <jmorris@namei.org>
+Cc: "Serge E. Hallyn" <serge@hallyn.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smack_lsm.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index fb7c534fb57d..aeb3ba70f907 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -4362,6 +4362,12 @@ static int smack_key_permission(key_ref_t key_ref,
+ int request = 0;
+ int rc;
+
++ /*
++ * Validate requested permissions
++ */
++ if (perm & ~KEY_NEED_ALL)
++ return -EINVAL;
++
+ keyp = key_ref_to_ptr(key_ref);
+ if (keyp == NULL)
+ return -EINVAL;
+@@ -4381,10 +4387,10 @@ static int smack_key_permission(key_ref_t key_ref,
+ ad.a.u.key_struct.key = keyp->serial;
+ ad.a.u.key_struct.key_desc = keyp->description;
+ #endif
+- if (perm & KEY_NEED_READ)
+- request = MAY_READ;
++ if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW))
++ request |= MAY_READ;
+ if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
+- request = MAY_WRITE;
++ request |= MAY_WRITE;
+ rc = smk_access(tkp, keyp->security, request, &ad);
+ rc = smk_bu_note("key access", tkp, keyp->security, request, rc);
+ return rc;
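Review bot: A `perm` of 0 passes the new `perm & ~KEY_NEED_ALL` check and matches neither `if`, so `request` stays 0 and `smk_access()` is still called with a blank request. The commit message describes that blank request as granting access whenever any rule exists between subject and object. Whether callers can reach this hook with no permission bits set is not visible here, since the function starts before the first hunk and its end is outside this one, but the case should be decided explicitly rather than left to fall through. Either add an early branch such as `if (!perm) return 0;` (or the error the maintainers intend), or document it above the call with `/* request == 0 only when perm == 0: a blank request is allowed by any rule between subject and object */`.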
+--
+2.19.1
+
--- /dev/null
+From a74f1279a57edd08060cb8f26c38a3a2796cedad Mon Sep 17 00:00:00 2001
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Sat, 24 Nov 2018 09:52:23 -0500
+Subject: soc: bcm: brcmstb: Don't leak device tree node reference
+
+[ Upstream commit 1861a7f07e02292830a1ca256328d370deefea30 ]
+
+of_find_node_by_path() acquires a reference to the node returned by it
+and that reference needs to be dropped by its caller. soc_is_brcmstb()
+doesn't do that, so fix it.
+
+[treding: slightly rewrite to avoid inline comparison]
+
+Fixes: d52fad262041 ("soc: add stubs for brcmstb SoC's")
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/bcm/brcmstb/common.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/bcm/brcmstb/common.c b/drivers/soc/bcm/brcmstb/common.c
+index 94e7335553f4..3f6063b639ac 100644
+--- a/drivers/soc/bcm/brcmstb/common.c
++++ b/drivers/soc/bcm/brcmstb/common.c
+@@ -31,13 +31,17 @@ static const struct of_device_id brcmstb_machine_match[] = {
+
+ bool soc_is_brcmstb(void)
+ {
++ const struct of_device_id *match;
+ struct device_node *root;
+
+ root = of_find_node_by_path("/");
+ if (!root)
+ return false;
+
+- return of_match_node(brcmstb_machine_match, root) != NULL;
++ match = of_match_node(brcmstb_machine_match, root);
++ of_node_put(root);
++
++ return match != NULL;
+ }
+
+ static const struct of_device_id sun_top_ctrl_match[] = {
+--
+2.19.1
+
--- /dev/null
+From 2898c5c9680a38bf60eb07f028a7662f6520a87f Mon Sep 17 00:00:00 2001
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Wed, 21 Nov 2018 07:49:12 -0500
+Subject: soc/tegra: Don't leak device tree node reference
+
+[ Upstream commit 9eb40fa2cd2d1f6829e7b49bb22692f754b9cfe0 ]
+
+of_find_node_by_path() acquires a reference to the node returned by it
+and that reference needs to be dropped by its caller. soc_is_tegra()
+doesn't do that, so fix it.
+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Acked-by: Jon Hunter <jonathanh@nvidia.com>
+[treding: slightly rewrite to avoid inline comparison]
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/tegra/common.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/tegra/common.c b/drivers/soc/tegra/common.c
+index cd8f41351add..7bfb154d6fa5 100644
+--- a/drivers/soc/tegra/common.c
++++ b/drivers/soc/tegra/common.c
+@@ -22,11 +22,15 @@ static const struct of_device_id tegra_machine_match[] = {
+
+ bool soc_is_tegra(void)
+ {
++ const struct of_device_id *match;
+ struct device_node *root;
+
+ root = of_find_node_by_path("/");
+ if (!root)
+ return false;
+
+- return of_match_node(tegra_machine_match, root) != NULL;
++ match = of_match_node(tegra_machine_match, root);
++ of_node_put(root);
++
++ return match != NULL;
+ }
+--
+2.19.1
+
--- /dev/null
+From c22e7b1aab4328dcb6f4915c9988992e3022e43d Mon Sep 17 00:00:00 2001
+From: Matheus Tavares <matheus.bernardino@usp.br>
+Date: Sat, 3 Nov 2018 19:49:44 -0300
+Subject: staging:iio:ad2s90: Make probe handle spi_setup failure
+
+[ Upstream commit b3a3eafeef769c6982e15f83631dcbf8d1794efb ]
+
+Previously, ad2s90_probe ignored the return code from spi_setup, not
+handling its possible failure. This patch makes ad2s90_probe check if
+the code is an error code and, if so, do the following:
+
+- Call dev_err with an appropriate error message.
+- Return the spi_setup's error code.
+
+Note: The 'return ret' statement could be out of the 'if' block, but
+this whole block will be moved up in the function in the patch:
+'staging:iio:ad2s90: Move device registration to the end of probe'.
+
+Signed-off-by: Matheus Tavares <matheus.bernardino@usp.br>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/iio/resolver/ad2s90.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/iio/resolver/ad2s90.c b/drivers/staging/iio/resolver/ad2s90.c
+index 5b1c0db33e7f..b44253eb62ec 100644
+--- a/drivers/staging/iio/resolver/ad2s90.c
++++ b/drivers/staging/iio/resolver/ad2s90.c
+@@ -86,7 +86,12 @@ static int ad2s90_probe(struct spi_device *spi)
+ /* need 600ns between CS and the first falling edge of SCLK */
+ spi->max_speed_hz = 830000;
+ spi->mode = SPI_MODE_3;
+- spi_setup(spi);
++ ret = spi_setup(spi);
++
++ if (ret < 0) {
++ dev_err(&spi->dev, "spi_setup failed!\n");
++ return ret;
++ }
+
+ return 0;
+ }
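Review bot: The new `return ret;` fails the probe after the device has apparently already been registered. The commit message defers to a follow-up, 'staging:iio:ad2s90: Move device registration to the end of probe', and no such patch appears in the series list shown on this page. The registration call is outside the hunk, so I cannot tell whether it is devm-managed; if it is not, this error path leaves a registered device behind. In either case the device is visible before `spi->max_speed_hz` and `spi->mode` are applied. Queue the follow-up with this patch, or unwind the registration before returning. The log line would also be more useful with the code in it: `dev_err(&spi->dev, "spi_setup failed: %d\n", ret);`.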
+--
+2.19.1
+
--- /dev/null
+From 75af5e5de290237ad8e4557f745ecf92cb8b38cf Mon Sep 17 00:00:00 2001
+From: Renato Lui Geh <renatogeh@gmail.com>
+Date: Mon, 5 Nov 2018 17:14:58 -0200
+Subject: staging: iio: ad7780: update voltage on read
+
+[ Upstream commit 336650c785b62c3bea7c8cf6061c933a90241f67 ]
+
+The ad7780 driver previously did not read the correct device output, as
+it read an outdated value set at initialization. It now updates its
+voltage on read.
+
+Signed-off-by: Renato Lui Geh <renatogeh@gmail.com>
+Acked-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/iio/adc/ad7780.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/iio/adc/ad7780.c b/drivers/staging/iio/adc/ad7780.c
+index c9a0c2aa602f..5d163386ab6e 100644
+--- a/drivers/staging/iio/adc/ad7780.c
++++ b/drivers/staging/iio/adc/ad7780.c
+@@ -87,12 +87,16 @@ static int ad7780_read_raw(struct iio_dev *indio_dev,
+ long m)
+ {
+ struct ad7780_state *st = iio_priv(indio_dev);
++ int voltage_uv;
+
+ switch (m) {
+ case IIO_CHAN_INFO_RAW:
+ return ad_sigma_delta_single_conversion(indio_dev, chan, val);
+ case IIO_CHAN_INFO_SCALE:
+- *val = st->int_vref_mv * st->gain;
++ voltage_uv = regulator_get_voltage(st->reg);
++ if (voltage_uv < 0)
++ return voltage_uv;
++ *val = (voltage_uv / 1000) * st->gain;
+ *val2 = chan->scan_type.realbits - 1;
+ return IIO_VAL_FRACTIONAL_LOG2;
+ case IIO_CHAN_INFO_OFFSET:
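Review bot: `regulator_get_voltage(st->reg)` now runs on every `IIO_CHAN_INFO_SCALE` read with no check that `st->reg` is a usable regulator, whereas the removed line only read the cached `st->int_vref_mv`. Probe is outside this hunk, so this is a question to confirm rather than a certain defect. If probe in this tree tolerates a missing regulator or fills the reference from another source, the call receives an error pointer. In that case keep the cached value as a fallback, e.g. `if (IS_ERR(st->reg)) { *val = st->int_vref_mv * st->gain; } else { ... }`, or make the regulator mandatory in probe.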
+--
+2.19.1
+
--- /dev/null
+From 1f55bdb7ed6c96a44b60cb09013a0998ccd07a6c Mon Sep 17 00:00:00 2001
+From: Slawomir Stepien <sst@poczta.fm>
+Date: Sat, 20 Oct 2018 23:04:11 +0200
+Subject: staging: iio: adc: ad7280a: handle error from __ad7280_read32()
+
+[ Upstream commit 0559ef7fde67bc6c83c6eb6329dbd6649528263e ]
+
+Inside __ad7280_read32(), the spi_sync_transfer() can fail with negative
+error code. This change will ensure that this error is being passed up
+in the call stack, so it can be handled.
+
+Signed-off-by: Slawomir Stepien <sst@poczta.fm>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/iio/adc/ad7280a.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/iio/adc/ad7280a.c b/drivers/staging/iio/adc/ad7280a.c
+index b460dda7eb65..dec25fadba8c 100644
+--- a/drivers/staging/iio/adc/ad7280a.c
++++ b/drivers/staging/iio/adc/ad7280a.c
+@@ -250,7 +250,9 @@ static int ad7280_read(struct ad7280_state *st, unsigned int devaddr,
+ if (ret)
+ return ret;
+
+- __ad7280_read32(st, &tmp);
++ ret = __ad7280_read32(st, &tmp);
++ if (ret)
++ return ret;
+
+ if (ad7280_check_crc(st, tmp))
+ return -EIO;
+@@ -288,7 +290,9 @@ static int ad7280_read_channel(struct ad7280_state *st, unsigned int devaddr,
+
+ ad7280_delay(st);
+
+- __ad7280_read32(st, &tmp);
++ ret = __ad7280_read32(st, &tmp);
++ if (ret)
++ return ret;
+
+ if (ad7280_check_crc(st, tmp))
+ return -EIO;
+@@ -321,7 +325,9 @@ static int ad7280_read_all_channels(struct ad7280_state *st, unsigned int cnt,
+ ad7280_delay(st);
+
+ for (i = 0; i < cnt; i++) {
+- __ad7280_read32(st, &tmp);
++ ret = __ad7280_read32(st, &tmp);
++ if (ret)
++ return ret;
+
+ if (ad7280_check_crc(st, tmp))
+ return -EIO;
+@@ -364,7 +370,10 @@ static int ad7280_chain_setup(struct ad7280_state *st)
+ return ret;
+
+ for (n = 0; n <= AD7280A_MAX_CHAIN; n++) {
+- __ad7280_read32(st, &val);
++ ret = __ad7280_read32(st, &val);
++ if (ret)
++ return ret;
++
+ if (val == 0)
+ return n - 1;
+
+--
+2.19.1
+
--- /dev/null
+From 1c82b3abe8774152d8e82c24d0f246518875dbd7 Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Wed, 28 Nov 2018 12:36:39 +0000
+Subject: sunvdc: Do not spin in an infinite loop when vio_ldc_send() returns
+ EAGAIN
+
+[ Upstream commit a11f6ca9aef989b56cd31ff4ee2af4fb31a172ec ]
+
+__vdc_tx_trigger should only loop on EAGAIN a finite
+number of times.
+
+See commit adddc32d6fde ("sunvnet: Do not spin in an
+infinite loop when vio_ldc_send() returns EAGAIN") for detail.
+
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/sunvdc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c
+index cab157331c4e..c6d43a2a807d 100644
+--- a/drivers/block/sunvdc.c
++++ b/drivers/block/sunvdc.c
+@@ -40,6 +40,8 @@ MODULE_VERSION(DRV_MODULE_VERSION);
+ #define WAITING_FOR_GEN_CMD 0x04
+ #define WAITING_FOR_ANY -1
+
++#define VDC_MAX_RETRIES 10
++
+ static struct workqueue_struct *sunvdc_wq;
+
+ struct vdc_req_entry {
+@@ -419,6 +421,7 @@ static int __vdc_tx_trigger(struct vdc_port *port)
+ .end_idx = dr->prod,
+ };
+ int err, delay;
++ int retries = 0;
+
+ hdr.seq = dr->snd_nxt;
+ delay = 1;
+@@ -431,6 +434,8 @@ static int __vdc_tx_trigger(struct vdc_port *port)
+ udelay(delay);
+ if ((delay <<= 1) > 128)
+ delay = 128;
++ if (retries++ > VDC_MAX_RETRIES)
++ break;
+ } while (err == -EAGAIN);
+
+ if (err == -ENOTCONN)
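Review bot: `if (retries++ > VDC_MAX_RETRIES)` tests the value before the increment, so the send is attempted 12 times before the break, not the 10 retries the constant's name promises. `if (++retries > VDC_MAX_RETRIES) break;` gives one initial attempt plus ten retries. After the break `err` is still `-EAGAIN` and falls through to the `-ENOTCONN` check; the function starts and ends outside this hunk, so it is worth confirming that callers treat a returned `-EAGAIN` as a failure and do not re-enter the loop. A short comment at the `#define`, such as `/* bound on -EAGAIN retries in __vdc_tx_trigger() so a stuck LDC channel cannot spin forever */`, would record why the limit exists.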
+--
+2.19.1
+
--- /dev/null
+From db2d8c2ab5ceb8d2acf76312f2dfc94674f20a26 Mon Sep 17 00:00:00 2001
+From: Wei Wang <wvw@google.com>
+Date: Wed, 7 Nov 2018 14:36:11 -0800
+Subject: Thermal: do not clear passive state during system sleep
+
+[ Upstream commit 964f4843a455d2ffb199512b08be8d5f077c4cac ]
+
+commit ff140fea847e ("Thermal: handle thermal zone device properly
+during system sleep") added PM hook to call thermal zone reset during
+sleep. However resetting thermal zone will also clear the passive state
+and thus cancel the polling queue which leads the passive cooling device
+state not being cleared properly after sleep.
+
+thermal_pm_notify => thermal_zone_device_reset set passive to 0
+thermal_zone_trip_update will skip update passive as `old_target ==
+instance->target'.
+monitor_thermal_zone => thermal_zone_device_set_polling will cancel
+tz->poll_queue, so the cooling device state will not be changed
+afterwards.
+
+Reported-by: Kame Wang <kamewang@google.com>
+Signed-off-by: Wei Wang <wvw@google.com>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/thermal_core.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
+index 226b0b4aced6..cd82ae34ddfa 100644
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -597,16 +597,20 @@ static void update_temperature(struct thermal_zone_device *tz)
+ tz->last_temperature, tz->temperature);
+ }
+
+-static void thermal_zone_device_reset(struct thermal_zone_device *tz)
++static void thermal_zone_device_init(struct thermal_zone_device *tz)
+ {
+ struct thermal_instance *pos;
+-
+ tz->temperature = THERMAL_TEMP_INVALID;
+- tz->passive = 0;
+ list_for_each_entry(pos, &tz->thermal_instances, tz_node)
+ pos->initialized = false;
+ }
+
++static void thermal_zone_device_reset(struct thermal_zone_device *tz)
++{
++ tz->passive = 0;
++ thermal_zone_device_init(tz);
++}
++
+ void thermal_zone_device_update(struct thermal_zone_device *tz,
+ enum thermal_notify_event event)
+ {
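Review bot: Nothing in the new code says why `thermal_zone_device_init()` exists alongside `thermal_zone_device_reset()`, although the fix depends entirely on their one difference: init leaves `tz->passive` untouched. A comment above the new function would keep a later caller from picking the wrong one on the resume path, for example `/* Invalidate temperature and instance state but keep tz->passive (see thermal_pm_notify) */`. The blank line between the `pos` declaration and the first statement was also dropped in this hunk and should be kept.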
+@@ -2297,7 +2301,7 @@ static int thermal_pm_notify(struct notifier_block *nb,
+ case PM_POST_SUSPEND:
+ atomic_set(&in_suspend, 0);
+ list_for_each_entry(tz, &thermal_tz_list, node) {
+- thermal_zone_device_reset(tz);
++ thermal_zone_device_init(tz);
+ thermal_zone_device_update(tz,
+ THERMAL_EVENT_UNSPECIFIED);
+ }
+--
+2.19.1
+
--- /dev/null
+From ed28dea6faaa1d3d461e2bff87b569479e4b2c25 Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+Date: Sun, 23 Dec 2018 23:26:44 -0800
+Subject: thermal: generic-adc: Fix adc to temp interpolation
+
+[ Upstream commit 9d216211fded20fff301d0317af3238d8383634c ]
+
+First correct the edge case to return the last element if we're
+outside the range, rather than at the last element, so that
+interpolation is not omitted for points between the two last entries in
+the table.
+
+Then correct the formula to perform linear interpolation based the two
+points surrounding the read ADC value. The indices for temp are kept as
+"hi" and "lo" to pair with the adc indices, but there's no requirement
+that the temperature is provided in descendent order. mult_frac() is
+used to prevent issues with overflowing the int.
+
+Cc: Laxman Dewangan <ldewangan@nvidia.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/thermal-generic-adc.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/thermal/thermal-generic-adc.c b/drivers/thermal/thermal-generic-adc.c
+index 73f55d6a1721..ad601e5b4175 100644
+--- a/drivers/thermal/thermal-generic-adc.c
++++ b/drivers/thermal/thermal-generic-adc.c
+@@ -26,7 +26,7 @@ struct gadc_thermal_info {
+
+ static int gadc_thermal_adc_to_temp(struct gadc_thermal_info *gti, int val)
+ {
+- int temp, adc_hi, adc_lo;
++ int temp, temp_hi, temp_lo, adc_hi, adc_lo;
+ int i;
+
+ for (i = 0; i < gti->nlookup_table; i++) {
+@@ -36,13 +36,17 @@ static int gadc_thermal_adc_to_temp(struct gadc_thermal_info *gti, int val)
+
+ if (i == 0) {
+ temp = gti->lookup_table[0];
+- } else if (i >= (gti->nlookup_table - 1)) {
++ } else if (i >= gti->nlookup_table) {
+ temp = gti->lookup_table[2 * (gti->nlookup_table - 1)];
+ } else {
+ adc_hi = gti->lookup_table[2 * i - 1];
+ adc_lo = gti->lookup_table[2 * i + 1];
+- temp = gti->lookup_table[2 * i];
+- temp -= ((val - adc_lo) * 1000) / (adc_hi - adc_lo);
++
++ temp_hi = gti->lookup_table[2 * i - 2];
++ temp_lo = gti->lookup_table[2 * i];
++
++ temp = temp_hi + mult_frac(temp_lo - temp_hi, val - adc_hi,
++ adc_lo - adc_hi);
+ }
+
+ return temp;
+--
+2.19.1
+
--- /dev/null
+From 02237aa1ef35c6b3e19094c932f42451eaac6d11 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 28 Nov 2018 15:43:09 -0800
+Subject: timekeeping: Use proper seqcount initializer
+
+[ Upstream commit ce10a5b3954f2514af726beb78ed8d7350c5e41c ]
+
+tk_core.seq is initialized open coded, but that misses to initialize the
+lockdep map when lockdep is enabled. Lockdep splats involving tk_core seq
+consequently lack a name and are hard to read.
+
+Use the proper initializer which takes care of the lockdep map
+initialization.
+
+[ tglx: Massaged changelog ]
+
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: peterz@infradead.org
+Cc: tj@kernel.org
+Cc: johannes.berg@intel.com
+Link: https://lkml.kernel.org/r/20181128234325.110011-12-bvanassche@acm.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/timekeeping.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
+index d831827d7ab0..e24e1f0c5690 100644
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -39,7 +39,9 @@
+ static struct {
+ seqcount_t seq;
+ struct timekeeper timekeeper;
+-} tk_core ____cacheline_aligned;
++} tk_core ____cacheline_aligned = {
++ .seq = SEQCNT_ZERO(tk_core.seq),
++};
+
+ static DEFINE_RAW_SPINLOCK(timekeeper_lock);
+ static struct timekeeper shadow_timekeeper;
+--
+2.19.1
+
--- /dev/null
+From 524d1667c8df34808d91ea4fb2d1a8235d86fc4d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 20 Jun 2018 14:08:00 +0300
+Subject: tracing: Have trace_stack nr_entries compare not be so subtle
+
+[ Upstream commit ca16b0fbb05242f18da9d810c07d3882ffed831c ]
+
+Dan Carpenter reviewed the trace_stack.c code and figured he found an off by
+one bug.
+
+ "From reviewing the code, it seems possible for
+ stack_trace_max.nr_entries to be set to .max_entries and in that case we
+ would be reading one element beyond the end of the stack_dump_trace[]
+ array. If it's not set to .max_entries then the bug doesn't affect
+ runtime."
+
+Although it looks to be the case, it is not. Because we have:
+
+ static unsigned long stack_dump_trace[STACK_TRACE_ENTRIES+1] =
+ { [0 ... (STACK_TRACE_ENTRIES)] = ULONG_MAX };
+
+ struct stack_trace stack_trace_max = {
+ .max_entries = STACK_TRACE_ENTRIES - 1,
+ .entries = &stack_dump_trace[0],
+ };
+
+And:
+
+ stack_trace_max.nr_entries = x;
+ for (; x < i; x++)
+ stack_dump_trace[x] = ULONG_MAX;
+
+Even if nr_entries equals max_entries, indexing with it into the
+stack_dump_trace[] array will not overflow the array. But if it is the case,
+the second part of the conditional that tests stack_dump_trace[nr_entries]
+to ULONG_MAX will always be true.
+
+By applying Dan's patch, it removes the subtle aspect of it and makes the if
+conditional slightly more efficient.
+
+Link: http://lkml.kernel.org/r/20180620110758.crunhd5bfep7zuiz@kili.mountain
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_stack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_stack.c b/kernel/trace/trace_stack.c
+index 2a1abbaca10e..f9255740411e 100644
+--- a/kernel/trace/trace_stack.c
++++ b/kernel/trace/trace_stack.c
+@@ -290,7 +290,7 @@ __next(struct seq_file *m, loff_t *pos)
+ {
+ long n = *pos - 1;
+
+- if (n > stack_trace_max.nr_entries || stack_dump_trace[n] == ULONG_MAX)
++ if (n >= stack_trace_max.nr_entries || stack_dump_trace[n] == ULONG_MAX)
+ return NULL;
+
+ m->private = (void *)n;
+--
+2.19.1
+
--- /dev/null
+From 1ebf90f8d9b6db29f32b03c20d76caf50202169f Mon Sep 17 00:00:00 2001
+From: Beomho Seo <beomho.seo@samsung.com>
+Date: Fri, 14 Dec 2018 12:34:08 +0100
+Subject: tty: serial: samsung: Properly set flags in autoCTS mode
+
+[ Upstream commit 31e933645742ee6719d37573a27cce0761dcf92b ]
+
+Commit 391f93f2ec9f ("serial: core: Rework hw-assited flow control support")
+has changed the way the autoCTS mode is handled.
+
+According to that change, serial drivers which enable H/W autoCTS mode must
+set UPSTAT_AUTOCTS to prevent the serial core from inadvertently disabling
+TX. This patch adds proper handling of UPSTAT_AUTOCTS flag.
+
+Signed-off-by: Beomho Seo <beomho.seo@samsung.com>
+[mszyprow: rephrased commit message]
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/samsung.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
+index 5609305b3676..01ff8ec78023 100644
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -1335,11 +1335,14 @@ static void s3c24xx_serial_set_termios(struct uart_port *port,
+ wr_regl(port, S3C2410_ULCON, ulcon);
+ wr_regl(port, S3C2410_UBRDIV, quot);
+
++ port->status &= ~UPSTAT_AUTOCTS;
++
+ umcon = rd_regl(port, S3C2410_UMCON);
+ if (termios->c_cflag & CRTSCTS) {
+ umcon |= S3C2410_UMCOM_AFC;
+ /* Disable RTS when RX FIFO contains 63 bytes */
+ umcon &= ~S3C2412_UMCON_AFC_8;
++ port->status = UPSTAT_AUTOCTS;
+ } else {
+ umcon &= ~S3C2410_UMCOM_AFC;
+ }
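Review bot: `port->status = UPSTAT_AUTOCTS;` assigns instead of ORing, so it discards every other bit held in `port->status`. The line added just above it, `port->status &= ~UPSTAT_AUTOCTS;`, is careful to preserve those bits. Unless wiping the remaining status flags is intended (the commit message does not say so), this should be `port->status |= UPSTAT_AUTOCTS;`. The function starts and ends outside the hunk, so any later use of the other flags is not visible here.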
+--
+2.19.1
+
--- /dev/null
+From 66a581d5782e9e4fddf09deb37431bc41ef51b0c Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 12 Dec 2018 14:29:20 +0100
+Subject: udf: Fix BUG on corrupted inode
+
+[ Upstream commit d288d95842f1503414b7eebce3773bac3390457e ]
+
+When inode is corrupted so that extent type is invalid, some functions
+(such as udf_truncate_extents()) will just BUG. Check that extent type
+is valid when loading the inode to memory.
+
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 035943501b9f..fd817022cb9b 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1372,6 +1372,12 @@ reread:
+
+ iinfo->i_alloc_type = le16_to_cpu(fe->icbTag.flags) &
+ ICBTAG_FLAG_AD_MASK;
++ if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_SHORT &&
++ iinfo->i_alloc_type != ICBTAG_FLAG_AD_LONG &&
++ iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB) {
++ ret = -EIO;
++ goto out;
++ }
+ iinfo->i_unique = 0;
+ iinfo->i_lenEAttr = 0;
+ iinfo->i_lenExtents = 0;
+--
+2.19.1
+
--- /dev/null
+From c26727564812ddf86f9156b1280fda041d09d5af Mon Sep 17 00:00:00 2001
+From: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Date: Wed, 5 Dec 2018 12:37:41 +0000
+Subject: um: Avoid marking pages with "changed protection"
+
+[ Upstream commit 8892d8545f2d0342b9c550defbfb165db237044b ]
+
+Changing protection is a very high cost operation in UML
+because in addition to an extra syscall it also interrupts
+mmap merge sequences generated by the tlb.
+
+While the condition is not particularly common it is worth
+avoiding.
+
+Signed-off-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/include/asm/pgtable.h | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/arch/um/include/asm/pgtable.h b/arch/um/include/asm/pgtable.h
+index 7485398d0737..9c04562310b3 100644
+--- a/arch/um/include/asm/pgtable.h
++++ b/arch/um/include/asm/pgtable.h
+@@ -197,12 +197,17 @@ static inline pte_t pte_mkold(pte_t pte)
+
+ static inline pte_t pte_wrprotect(pte_t pte)
+ {
+- pte_clear_bits(pte, _PAGE_RW);
++ if (likely(pte_get_bits(pte, _PAGE_RW)))
++ pte_clear_bits(pte, _PAGE_RW);
++ else
++ return pte;
+ return(pte_mknewprot(pte));
+ }
+
+ static inline pte_t pte_mkread(pte_t pte)
+ {
++ if (unlikely(pte_get_bits(pte, _PAGE_USER)))
++ return pte;
+ pte_set_bits(pte, _PAGE_USER);
+ return(pte_mknewprot(pte));
+ }
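Review bot: `pte_wrprotect()` is written as `if (likely(...)) pte_clear_bits(...); else return pte;`, while `pte_mkread()` in this hunk and `pte_mkwrite()` in the next use an early-return guard for the same idea. The guard form is easier to read and keeps the three helpers consistent: `if (unlikely(!pte_get_bits(pte, _PAGE_RW))) return pte;` followed by the unconditional `pte_clear_bits(pte, _PAGE_RW);`. A one-line comment such as `/* already in the requested state: skip pte_mknewprot() to avoid a needless protection change */` would also help, since the reason is currently only in the commit message.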
+@@ -221,6 +226,8 @@ static inline pte_t pte_mkyoung(pte_t pte)
+
+ static inline pte_t pte_mkwrite(pte_t pte)
+ {
++ if (unlikely(pte_get_bits(pte, _PAGE_RW)))
++ return pte;
+ pte_set_bits(pte, _PAGE_RW);
+ return(pte_mknewprot(pte));
+ }
+--
+2.19.1
+
--- /dev/null
+From 21dda6d39a3636b68ee54ed7632ed8934dcd0167 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Wed, 28 Nov 2018 15:55:21 +0200
+Subject: usb: hub: delay hub autosuspend if USB3 port is still link training
+
+[ Upstream commit e86108940e541febf35813402ff29fa6f4a9ac0b ]
+
+When initializing a hub we want to give a USB3 port in link training
+the same debounce delay time before autosuspening the hub as already
+trained, connected enabled ports.
+
+USB3 ports won't reach the enabled state with "current connect status" and
+"connect status change" bits set until the USB3 link training finishes.
+
+Catching the port in link training (polling) and adding the debounce delay
+prevents unnecessary failed attempts to autosuspend the hub.
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/hub.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 67679f619c3b..7b6919086539 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1108,6 +1108,16 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ USB_PORT_FEAT_ENABLE);
+ }
+
++ /*
++ * Add debounce if USB3 link is in polling/link training state.
++ * Link will automatically transition to Enabled state after
++ * link training completes.
++ */
++ if (hub_is_superspeed(hdev) &&
++ ((portstatus & USB_PORT_STAT_LINK_STATE) ==
++ USB_SS_PORT_LS_POLLING))
++ need_debounce_delay = true;
++
+ /* Clear status-change flags; we'll debounce later */
+ if (portchange & USB_PORT_STAT_C_CONNECTION) {
+ need_debounce_delay = true;
+--
+2.19.1
+
--- /dev/null
+From 3d39e72ec503b32afbbb23a6cd969c49b5df4aa7 Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Thu, 20 Dec 2018 19:13:07 +0100
+Subject: video: clps711x-fb: release disp device node in probe()
+
+[ Upstream commit fdac751355cd76e049f628afe6acb8ff4b1399f7 ]
+
+clps711x_fb_probe() increments refcnt of disp device node by
+of_parse_phandle() and leaves it undecremented on both
+successful and error paths.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Cc: Alexander Shiyan <shc_work@mail.ru>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/clps711x-fb.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/clps711x-fb.c b/drivers/video/fbdev/clps711x-fb.c
+index ff561073ee4e..42f909618f04 100644
+--- a/drivers/video/fbdev/clps711x-fb.c
++++ b/drivers/video/fbdev/clps711x-fb.c
+@@ -287,14 +287,17 @@ static int clps711x_fb_probe(struct platform_device *pdev)
+ }
+
+ ret = of_get_fb_videomode(disp, &cfb->mode, OF_USE_NATIVE_MODE);
+- if (ret)
++ if (ret) {
++ of_node_put(disp);
+ goto out_fb_release;
++ }
+
+ of_property_read_u32(disp, "ac-prescale", &cfb->ac_prescale);
+ cfb->cmap_invert = of_property_read_bool(disp, "cmap-invert");
+
+ ret = of_property_read_u32(disp, "bits-per-pixel",
+ &info->var.bits_per_pixel);
++ of_node_put(disp);
+ if (ret)
+ goto out_fb_release;
+
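Review bot: The `disp` reference is now released at two separate points in this hunk, inside the `of_get_fb_videomode()` error branch and after the "bits-per-pixel" read. Nothing marks the second call as the last use of the node. An early exit or a further `of_property_read_*()` added later between or after them would bring back the leak or use the node after the put. A comment on the second call would pin this down, for example `/* last use of disp: drop the reference taken by of_parse_phandle() */`. `clps711x_fb_probe()` starts and ends outside the hunk, so any earlier exits after the phandle lookup are not visible here.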
+--
+2.19.1
+
--- /dev/null
+From 010a5049d67c4d0a3c0d607b7e307849a54c87a6 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Wed, 28 Nov 2018 23:20:11 +0100
+Subject: x86/fpu: Add might_fault() to user_insn()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 6637401c35b2f327a35d27f44bda05e327f2f017 ]
+
+Every user of user_insn() passes an user memory pointer to this macro.
+
+Add might_fault() to user_insn() so we can spot users which are using
+this macro in sections where page faulting is not allowed.
+
+ [ bp: Space it out to make it more visible. ]
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Rik van Riel <riel@surriel.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: kvm ML <kvm@vger.kernel.org>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20181128222035.2996-6-bigeasy@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/fpu/internal.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h
+index 499d6ed0e376..21d6fa27b4a9 100644
+--- a/arch/x86/include/asm/fpu/internal.h
++++ b/arch/x86/include/asm/fpu/internal.h
+@@ -97,6 +97,9 @@ extern void fpstate_sanitize_xstate(struct fpu *fpu);
+ #define user_insn(insn, output, input...) \
+ ({ \
+ int err; \
++ \
++ might_fault(); \
++ \
+ asm volatile(ASM_STAC "\n" \
+ "1:" #insn "\n\t" \
+ "2: " ASM_CLAC "\n" \
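Review bot: The `might_fault()` call added at the top of `user_insn()` is undocumented, so the calling constraint it checks can only be found in the commit message. A comment above the `#define` would state it, for example `/* Accesses user memory: only use where page faults are allowed. */`. The check sits before `ASM_STAC`, which keeps it outside the window in which user-space access is enabled, and that ordering is worth preserving if the macro is edited again. The macro body continues outside the hunk.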
+--
+2.19.1
+
--- /dev/null
+From f64c862d43119755e4fcc6fe6af24cbd93309b71 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 25 Oct 2018 14:52:31 +0100
+Subject: x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux)
+
+[ Upstream commit 53bb565fc5439f2c8c57a786feea5946804aa3e9 ]
+
+In the expression "word1 << 16", word1 starts as u16, but is promoted to a
+signed int, then sign-extended to resource_size_t, which is probably not
+what was intended. Cast to resource_size_t to avoid the sign extension.
+
+This fixes an identical issue as fixed by commit 0b2d70764bb3 ("x86/PCI:
+Fix Broadcom CNB20LE unintended sign extension") back in 2014.
+
+Detected by CoverityScan, CID#138749, 138750 ("Unintended sign extension")
+
+Fixes: 3f6ea84a3035 ("PCI: read memory ranges out of Broadcom CNB20LE host bridge")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Bjorn Helgaas <helgaas@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/pci/broadcom_bus.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/pci/broadcom_bus.c b/arch/x86/pci/broadcom_bus.c
+index 526536c81ddc..ca1e8e6dccc8 100644
+--- a/arch/x86/pci/broadcom_bus.c
++++ b/arch/x86/pci/broadcom_bus.c
+@@ -50,8 +50,8 @@ static void __init cnb20le_res(u8 bus, u8 slot, u8 func)
+ word1 = read_pci_config_16(bus, slot, func, 0xc0);
+ word2 = read_pci_config_16(bus, slot, func, 0xc2);
+ if (word1 != word2) {
+- res.start = (word1 << 16) | 0x0000;
+- res.end = (word2 << 16) | 0xffff;
++ res.start = ((resource_size_t) word1 << 16) | 0x0000;
++ res.end = ((resource_size_t) word2 << 16) | 0xffff;
+ res.flags = IORESOURCE_MEM;
+ update_res(info, res.start, res.end, res.flags, 0);
+ }
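Review bot: The casts added on the `res.start` and `res.end` lines have no comment, and they look redundant enough that a later cleanup could remove them and bring the sign extension back. A short note above the two assignments would prevent that, for example `/* cast before shifting: u16 promotes to int, and bit 15 set would sign-extend into resource_size_t */`. The `| 0x0000` on the `res.start` line is a no-op and reads as if it masks something; it could be dropped unless it is kept for symmetry with the next line. `cnb20le_res()` continues outside the hunk, so other shifts of 16-bit config words in it, if there are any, cannot be checked from here.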
+--
+2.19.1
+
--- /dev/null
+From 17635b2a0c2f71b165241df9e8d3167ff0116183 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 19 Dec 2018 14:45:09 +0800
+Subject: xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi
+
+[ Upstream commit fa89a4593b927b3f59c3b69379f31d3b22272e4e ]
+
+gcc warn this:
+
+net/ipv6/xfrm6_tunnel.c:143 __xfrm6_tunnel_alloc_spi() warn:
+ always true condition '(spi <= 4294967295) => (0-u32max <= u32max)'
+
+'spi' is a u32, so it can never be greater than XFRM6_TUNNEL_SPI_MAX
+because of wrap-around, and the second for loop is never reached.
+
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/xfrm6_tunnel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
+index e1c0bbe7996c..3a2701d42f47 100644
+--- a/net/ipv6/xfrm6_tunnel.c
++++ b/net/ipv6/xfrm6_tunnel.c
+@@ -144,6 +144,9 @@ static u32 __xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr)
+ index = __xfrm6_tunnel_spi_check(net, spi);
+ if (index >= 0)
+ goto alloc_spi;
++
++ if (spi == XFRM6_TUNNEL_SPI_MAX)
++ break;
+ }
+ for (spi = XFRM6_TUNNEL_SPI_MIN; spi < xfrm6_tn->spi; spi++) {
+ index = __xfrm6_tunnel_spi_check(net, spi);
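Review bot: The added `if (spi == XFRM6_TUNNEL_SPI_MAX) break;` is now the only thing that ends the first loop. Per the warning quoted in the commit message, the loop's own `spi <= XFRM6_TUNNEL_SPI_MAX` test is always true for a u32, so it stays behind as dead code and the warning presumably still fires. The loop header is outside the hunk, so this is inferred from that message. A comment on the break would make the dependency explicit, for example `/* spi is u32: spi++ would wrap past XFRM6_TUNNEL_SPI_MAX, so leave the loop here */`. Without it, a later reader could take the check for a redundant duplicate of the loop condition and remove it.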
+--
+2.19.1
+