--- /dev/null
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 17 Oct 2017 18:29:22 -0400
+Subject: audit: Allow auditd to set pid to 0 to end auditing
+
+From: Steve Grubb <sgrubb@redhat.com>
+
+
+[ Upstream commit 33e8a907804428109ce1d12301c3365d619cc4df ]
+
+The API to end auditing has historically been for auditd to set the
+pid to 0. This patch restores that functionality.
+
+See: https://github.com/linux-audit/audit-kernel/issues/69
+
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Steve Grubb <sgrubb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/audit.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1197,25 +1197,28 @@ static int audit_receive_msg(struct sk_b
+ pid_t auditd_pid;
+ struct pid *req_pid = task_tgid(current);
+
+- /* sanity check - PID values must match */
+- if (new_pid != pid_vnr(req_pid))
++ /* Sanity check - PID values must match. Setting
++ * pid to 0 is how auditd ends auditing. */
++ if (new_pid && (new_pid != pid_vnr(req_pid)))
+ return -EINVAL;
+
+ /* test the auditd connection */
+ audit_replace(req_pid);
+
+ auditd_pid = auditd_pid_vnr();
+- /* only the current auditd can unregister itself */
+- if ((!new_pid) && (new_pid != auditd_pid)) {
+- audit_log_config_change("audit_pid", new_pid,
+- auditd_pid, 0);
+- return -EACCES;
+- }
+- /* replacing a healthy auditd is not allowed */
+- if (auditd_pid && new_pid) {
+- audit_log_config_change("audit_pid", new_pid,
+- auditd_pid, 0);
+- return -EEXIST;
++ if (auditd_pid) {
++ /* replacing a healthy auditd is not allowed */
++ if (new_pid) {
++ audit_log_config_change("audit_pid",
++ new_pid, auditd_pid, 0);
++ return -EEXIST;
++ }
++ /* only current auditd can unregister itself */
++ if (pid_vnr(req_pid) != auditd_pid) {
++ audit_log_config_change("audit_pid",
++ new_pid, auditd_pid, 0);
++ return -EACCES;
++ }
+ }
+
+ if (new_pid) {
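Review bot: The PID-mismatch rejection at `if (new_pid && (new_pid != pid_vnr(req_pid))) return -EINVAL;` leaves no audit record, while the -EEXIST and -EACCES rejections below it both call `audit_log_config_change()`. A request that names another task's PID belongs next to the other refused audit_pid changes in the log, so consider recording it too, for example `audit_log_config_change("audit_pid", new_pid, auditd_pid_vnr(), 0);` before the return (auditd_pid is not assigned until after `audit_replace()`). Whether that record is wanted is a policy call for the audit maintainers. The enclosing branch of audit_receive_msg() starts and ends outside the hunk.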
--- /dev/null
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Paul Moore <paul@paul-moore.com>
+Date: Fri, 1 Sep 2017 09:44:34 -0400
+Subject: audit: ensure that 'audit=1' actually enables audit for PID 1
+
+From: Paul Moore <paul@paul-moore.com>
+
+
+[ Upstream commit 173743dd99a49c956b124a74c8aacb0384739a4c ]
+
+Prior to this patch we enabled audit in audit_init(), which is too
+late for PID 1 as the standard initcalls are run after the PID 1 task
+is forked. This means that we never allocate an audit_context (see
+audit_alloc()) for PID 1 and therefore miss a lot of audit events
+generated by PID 1.
+
+This patch enables audit as early as possible to help ensure that when
+PID 1 is forked it can allocate an audit_context if required.
+
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/audit.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -85,13 +85,13 @@ static int audit_initialized;
+ #define AUDIT_OFF 0
+ #define AUDIT_ON 1
+ #define AUDIT_LOCKED 2
+-u32 audit_enabled;
+-u32 audit_ever_enabled;
++u32 audit_enabled = AUDIT_OFF;
++u32 audit_ever_enabled = !!AUDIT_OFF;
+
+ EXPORT_SYMBOL_GPL(audit_enabled);
+
+ /* Default state when kernel boots without any parameters. */
+-static u32 audit_default;
++static u32 audit_default = AUDIT_OFF;
+
+ /* If auditing cannot proceed, audit_failure selects what happens. */
+ static u32 audit_failure = AUDIT_FAIL_PRINTK;
+@@ -1552,8 +1552,6 @@ static int __init audit_init(void)
+ register_pernet_subsys(&audit_net_ops);
+
+ audit_initialized = AUDIT_INITIALIZED;
+- audit_enabled = audit_default;
+- audit_ever_enabled |= !!audit_default;
+
+ kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
+ if (IS_ERR(kauditd_task)) {
+@@ -1575,6 +1573,8 @@ static int __init audit_enable(char *str
+ audit_default = !!simple_strtol(str, NULL, 0);
+ if (!audit_default)
+ audit_initialized = AUDIT_DISABLED;
++ audit_enabled = audit_default;
++ audit_ever_enabled = !!audit_enabled;
+
+ pr_info("%s\n", audit_default ?
+ "enabled (after initialization)" : "disabled (until reboot)");
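Review bot: The two assignments added to audit_enable() have no comment saying why the enable state is set from the boot-parameter handler rather than in audit_init(), and the reason is not visible in the code. The commit message gives it: initcalls run after PID 1 is forked, so a later assignment leaves PID 1 without an audit_context. A comment such as `/* set here, not in audit_init(): PID 1 is forked before initcalls run */` above `audit_enabled = audit_default;` would keep a later cleanup from moving it back. The pr_info() text "enabled (after initialization)" in the context lines may also need a second look now that audit_enabled is set at this point. audit_enable() starts and ends outside the hunk.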
--- /dev/null
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Wed, 8 Nov 2017 10:23:45 -0800
+Subject: blk-mq: Avoid that request queue removal can trigger list corruption
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+
+[ Upstream commit aba7afc5671c23beade64d10caf86e24a9105dab ]
+
+Avoid that removal of a request queue sporadically triggers the
+following warning:
+
+list_del corruption. next->prev should be ffff8807d649b970, but was 6b6b6b6b6b6b6b6b
+WARNING: CPU: 3 PID: 342 at lib/list_debug.c:56 __list_del_entry_valid+0x92/0xa0
+Call Trace:
+ process_one_work+0x11b/0x660
+ worker_thread+0x3d/0x3b0
+ kthread+0x129/0x140
+ ret_from_fork+0x27/0x40
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -339,6 +339,7 @@ void blk_sync_queue(struct request_queue
+ struct blk_mq_hw_ctx *hctx;
+ int i;
+
++ cancel_delayed_work_sync(&q->requeue_work);
+ queue_for_each_hw_ctx(q, hctx, i)
+ cancel_delayed_work_sync(&hctx->run_work);
+ } else {
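Review bot: `cancel_delayed_work_sync(&q->requeue_work)` only covers work that is pending or running when blk_sync_queue() is called; nothing in the hunk stops the work from being queued again afterwards. The 6b6b6b6b pattern in the quoted warning suggests the work item touched freed memory, so it is worth confirming that no requeue path can re-arm `requeue_work` once queue removal has reached this call. That cannot be checked from the lines shown. A comment such as `/* requeue_work must not be re-armed after this point */` would record the assumption. blk_sync_queue() starts and ends outside the hunk.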
--- /dev/null
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Heinz Mauelshagen <heinzm@redhat.com>
+Date: Thu, 2 Nov 2017 19:58:28 +0100
+Subject: dm raid: fix panic when attempting to force a raid to sync
+
+From: Heinz Mauelshagen <heinzm@redhat.com>
+
+
+[ Upstream commit 233978449074ca7e45d9c959f9ec612d1b852893 ]
+
+Requesting a sync on an active raid device via a table reload
+(see 'sync' parameter in Documentation/device-mapper/dm-raid.txt)
+skips the super_load() call that defines the superblock size
+(rdev->sb_size) -- resulting in an oops if/when super_sync()->memset()
+is called.
+
+Fix by moving the initialization of the superblock start and size
+out of super_load() to the caller (analyse_superblocks).
+
+Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-raid.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -2143,13 +2143,6 @@ static int super_load(struct md_rdev *rd
+ struct dm_raid_superblock *refsb;
+ uint64_t events_sb, events_refsb;
+
+- rdev->sb_start = 0;
+- rdev->sb_size = bdev_logical_block_size(rdev->meta_bdev);
+- if (rdev->sb_size < sizeof(*sb) || rdev->sb_size > PAGE_SIZE) {
+- DMERR("superblock size of a logical block is no longer valid");
+- return -EINVAL;
+- }
+-
+ r = read_disk_sb(rdev, rdev->sb_size, false);
+ if (r)
+ return r;
+@@ -2494,6 +2487,17 @@ static int analyse_superblocks(struct dm
+ if (test_bit(Journal, &rdev->flags))
+ continue;
+
++ if (!rdev->meta_bdev)
++ continue;
++
++ /* Set superblock offset/size for metadata device. */
++ rdev->sb_start = 0;
++ rdev->sb_size = bdev_logical_block_size(rdev->meta_bdev);
++ if (rdev->sb_size < sizeof(struct dm_raid_superblock) || rdev->sb_size > PAGE_SIZE) {
++ DMERR("superblock size of a logical block is no longer valid");
++ return -EINVAL;
++ }
++
+ /*
+ * Skipping super_load due to CTR_FLAG_SYNC will cause
+ * the array to undergo initialization again as
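Review bot: super_load() now reads with `rdev->sb_size` without setting it (`read_disk_sb(rdev, rdev->sb_size, false)` in the first hunk), so it depends on analyse_superblocks() having run the block added here first, and neither function says so. A short comment above super_load(), e.g. `/* caller must have set rdev->sb_start and rdev->sb_size, see analyse_superblocks() */`, would make the precondition visible to anyone adding another call site. The bounds check against `sizeof(struct dm_raid_superblock)` and PAGE_SIZE is worth keeping next to the assignment, since the size is derived from the metadata device's logical block size. Both functions continue outside the hunks.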
+@@ -2506,9 +2510,6 @@ static int analyse_superblocks(struct dm
+ if (test_bit(__CTR_FLAG_SYNC, &rs->ctr_flags))
+ continue;
+
+- if (!rdev->meta_bdev)
+- continue;
+-
+ r = super_load(rdev, freshest);
+
+ switch (r) {
--- /dev/null
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Fri, 10 Nov 2017 15:59:17 +0800
+Subject: ide: ide-atapi: fix compile error with defining macro DEBUG
+
+From: Hongxu Jia <hongxu.jia@windriver.com>
+
+
+[ Upstream commit 8dc7a31fbce5e2dbbacd83d910da37105181b054 ]
+
+Compile ide-atapi failed with defining macro "DEBUG"
+...
+|drivers/ide/ide-atapi.c:285:52: error: 'struct request' has
+no member named 'cmd'; did you mean 'csd'?
+| debug_log("%s: rq->cmd[0]: 0x%x\n", __func__, rq->cmd[0]);
+...
+
+Since we split the scsi_request out of struct request, it missed
+do the same thing on debug_log
+
+Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ide/ide-atapi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/ide/ide-atapi.c
++++ b/drivers/ide/ide-atapi.c
+@@ -282,7 +282,7 @@ int ide_cd_expiry(ide_drive_t *drive)
+ struct request *rq = drive->hwif->rq;
+ unsigned long wait = 0;
+
+- debug_log("%s: rq->cmd[0]: 0x%x\n", __func__, rq->cmd[0]);
++ debug_log("%s: scsi_req(rq)->cmd[0]: 0x%x\n", __func__, scsi_req(rq)->cmd[0]);
+
+ /*
+ * Some commands are *slow* and normally take a long time to complete.
+@@ -463,7 +463,7 @@ static ide_startstop_t ide_pc_intr(ide_d
+ return ide_do_reset(drive);
+ }
+
+- debug_log("[cmd %x]: check condition\n", rq->cmd[0]);
++ debug_log("[cmd %x]: check condition\n", scsi_req(rq)->cmd[0]);
+
+ /* Retry operation */
+ ide_retry_pc(drive);
+@@ -531,7 +531,7 @@ static ide_startstop_t ide_pc_intr(ide_d
+ ide_pad_transfer(drive, write, bcount);
+
+ debug_log("[cmd %x] transferred %d bytes, padded %d bytes, resid: %u\n",
+- rq->cmd[0], done, bcount, scsi_req(rq)->resid_len);
++ scsi_req(rq)->cmd[0], done, bcount, scsi_req(rq)->resid_len);
+
+ /* And set the interrupt handler again */
+ ide_set_handler(drive, ide_pc_intr, timeout);
--- /dev/null
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Keefe Liu <liuqifa@huawei.com>
+Date: Thu, 9 Nov 2017 20:09:31 +0800
+Subject: ipvlan: fix ipv6 outbound device
+
+From: Keefe Liu <liuqifa@huawei.com>
+
+
+[ Upstream commit ca29fd7cce5a6444d57fb86517589a1a31c759e1 ]
+
+When process the outbound packet of ipv6, we should assign the master
+device to output device other than input device.
+
+Signed-off-by: Keefe Liu <liuqifa@huawei.com>
+Acked-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -409,7 +409,7 @@ static int ipvlan_process_v6_outbound(st
+ struct dst_entry *dst;
+ int err, ret = NET_XMIT_DROP;
+ struct flowi6 fl6 = {
+- .flowi6_iif = dev->ifindex,
++ .flowi6_oif = dev->ifindex,
+ .daddr = ip6h->daddr,
+ .saddr = ip6h->saddr,
+ .flowi6_flags = FLOWI_FLAG_ANYSRC,
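Review bot: The initializer `.flowi6_oif = dev->ifindex` relies on `dev` being the master device, as the commit message states, but `dev` is assigned above the hunk and nothing at the initializer says which device it is. This field presumably constrains the route lookup that follows, so a one-line comment such as `/* dev is the master device here */` would let a reader confirm that the packet leaves through the intended interface. ipvlan_process_v6_outbound() starts and ends outside the hunk.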
--- /dev/null
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Thu, 12 Oct 2017 18:22:25 +0900
+Subject: kbuild: do not call cc-option before KBUILD_CFLAGS initialization
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+
+[ Upstream commit 433dc2ebe7d17dd21cba7ad5c362d37323592236 ]
+
+Some $(call cc-option,...) are invoked very early, even before
+KBUILD_CFLAGS, etc. are initialized.
+
+The returned string from $(call cc-option,...) depends on
+KBUILD_CPPFLAGS, KBUILD_CFLAGS, and GCC_PLUGINS_CFLAGS.
+
+Since they are exported, they are not empty when the top Makefile
+is recursively invoked.
+
+The recursion occurs in several places. For example, the top
+Makefile invokes itself for silentoldconfig. "make tinyconfig",
+"make rpm-pkg" are the cases, too.
+
+In those cases, the second call of cc-option from the same line
+runs a different shell command due to non-pristine KBUILD_CFLAGS.
+
+To get the same result all the time, KBUILD_* and GCC_PLUGINS_CFLAGS
+must be initialized before any call of cc-option. This avoids
+garbage data in the .cache.mk file.
+
+Move all calls of cc-option below the config targets because target
+compiler flags are unnecessary for Kconfig.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Makefile | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -373,9 +373,6 @@ LDFLAGS_MODULE =
+ CFLAGS_KERNEL =
+ AFLAGS_KERNEL =
+ LDFLAGS_vmlinux =
+-CFLAGS_GCOV := -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
+-CFLAGS_KCOV := $(call cc-option,-fsanitize-coverage=trace-pc,)
+-
+
+ # Use USERINCLUDE when you must reference the UAPI directories only.
+ USERINCLUDE := \
+@@ -394,21 +391,19 @@ LINUXINCLUDE := \
+ -I$(objtree)/include \
+ $(USERINCLUDE)
+
+-KBUILD_CPPFLAGS := -D__KERNEL__
+-
++KBUILD_AFLAGS := -D__ASSEMBLY__
+ KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
+ -fno-strict-aliasing -fno-common -fshort-wchar \
+ -Werror-implicit-function-declaration \
+ -Wno-format-security \
+- -std=gnu89 $(call cc-option,-fno-PIE)
+-
+-
++ -std=gnu89
++KBUILD_CPPFLAGS := -D__KERNEL__
+ KBUILD_AFLAGS_KERNEL :=
+ KBUILD_CFLAGS_KERNEL :=
+-KBUILD_AFLAGS := -D__ASSEMBLY__ $(call cc-option,-fno-PIE)
+ KBUILD_AFLAGS_MODULE := -DMODULE
+ KBUILD_CFLAGS_MODULE := -DMODULE
+ KBUILD_LDFLAGS_MODULE := -T $(srctree)/scripts/module-common.lds
++GCC_PLUGINS_CFLAGS :=
+
+ # Read KERNELRELEASE from include/config/kernel.release (if it exists)
+ KERNELRELEASE = $(shell cat include/config/kernel.release 2> /dev/null)
+@@ -421,7 +416,7 @@ export MAKE AWK GENKSYMS INSTALLKERNEL P
+ export HOSTCXX HOSTCXXFLAGS LDFLAGS_MODULE CHECK CHECKFLAGS
+
+ export KBUILD_CPPFLAGS NOSTDINC_FLAGS LINUXINCLUDE OBJCOPYFLAGS LDFLAGS
+-export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE CFLAGS_GCOV CFLAGS_KCOV CFLAGS_KASAN CFLAGS_UBSAN
++export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE CFLAGS_KASAN CFLAGS_UBSAN
+ export KBUILD_AFLAGS AFLAGS_KERNEL AFLAGS_MODULE
+ export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_LDFLAGS_MODULE
+ export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL
+@@ -622,6 +617,12 @@ endif
+ # Defaults to vmlinux, but the arch makefile usually adds further targets
+ all: vmlinux
+
++KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
++KBUILD_AFLAGS += $(call cc-option,-fno-PIE)
++CFLAGS_GCOV := -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
++CFLAGS_KCOV := $(call cc-option,-fsanitize-coverage=trace-pc,)
++export CFLAGS_GCOV CFLAGS_KCOV
++
+ # The arch Makefile can set ARCH_{CPP,A,C}FLAGS to override the default
+ # values of the respective KBUILD_* variables
+ ARCH_CPPFLAGS :=
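Review bot: The block added after `all: vmlinux` has no comment explaining why these `cc-option` calls must sit below the config targets, so a later tidy-up could move them back next to the other flag definitions. The commit message gives the reason: KBUILD_CPPFLAGS, KBUILD_CFLAGS and GCC_PLUGINS_CFLAGS must be initialized before any cc-option call. A comment such as `# cc-option depends on KBUILD_*FLAGS and GCC_PLUGINS_CFLAGS; keep these below their initialization` above `KBUILD_CFLAGS += $(call cc-option,-fno-PIE)` would preserve it. The same applies to the `GCC_PLUGINS_CFLAGS :=` line added in the second hunk.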
--- /dev/null
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Zdenek Kabelac <zkabelac@redhat.com>
+Date: Wed, 8 Nov 2017 13:44:56 +0100
+Subject: md: free unused memory after bitmap resize
+
+From: Zdenek Kabelac <zkabelac@redhat.com>
+
+
+[ Upstream commit 0868b99c214a3d55486c700de7c3f770b7243e7c ]
+
+When bitmap is resized, the old kalloced chunks just are not released
+once the resized bitmap starts to use new space.
+
+This fixes in particular kmemleak reports like this one:
+
+unreferenced object 0xffff8f4311e9c000 (size 4096):
+ comm "lvm", pid 19333, jiffies 4295263268 (age 528.265s)
+ hex dump (first 32 bytes):
+ 02 80 02 80 02 80 02 80 02 80 02 80 02 80 02 80 ................
+ 02 80 02 80 02 80 02 80 02 80 02 80 02 80 02 80 ................
+ backtrace:
+ [<ffffffffa69471ca>] kmemleak_alloc+0x4a/0xa0
+ [<ffffffffa628c10e>] kmem_cache_alloc_trace+0x14e/0x2e0
+ [<ffffffffa676cfec>] bitmap_checkpage+0x7c/0x110
+ [<ffffffffa676d0c5>] bitmap_get_counter+0x45/0xd0
+ [<ffffffffa676d6b3>] bitmap_set_memory_bits+0x43/0xe0
+ [<ffffffffa676e41c>] bitmap_init_from_disk+0x23c/0x530
+ [<ffffffffa676f1ae>] bitmap_load+0xbe/0x160
+ [<ffffffffc04c47d3>] raid_preresume+0x203/0x2f0 [dm_raid]
+ [<ffffffffa677762f>] dm_table_resume_targets+0x4f/0xe0
+ [<ffffffffa6774b52>] dm_resume+0x122/0x140
+ [<ffffffffa6779b9f>] dev_suspend+0x18f/0x290
+ [<ffffffffa677a3a7>] ctl_ioctl+0x287/0x560
+ [<ffffffffa677a693>] dm_ctl_ioctl+0x13/0x20
+ [<ffffffffa62d6b46>] do_vfs_ioctl+0xa6/0x750
+ [<ffffffffa62d7269>] SyS_ioctl+0x79/0x90
+ [<ffffffffa6956d41>] entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+Signed-off-by: Zdenek Kabelac <zkabelac@redhat.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bitmap.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/md/bitmap.c
++++ b/drivers/md/bitmap.c
+@@ -2158,6 +2158,7 @@ int bitmap_resize(struct bitmap *bitmap,
+ for (k = 0; k < page; k++) {
+ kfree(new_bp[k].map);
+ }
++ kfree(new_bp);
+
+ /* restore some fields from old_counts */
+ bitmap->counts.bp = old_counts.bp;
+@@ -2208,6 +2209,14 @@ int bitmap_resize(struct bitmap *bitmap,
+ block += old_blocks;
+ }
+
++ if (bitmap->counts.bp != old_counts.bp) {
++ unsigned long k;
++ for (k = 0; k < old_counts.pages; k++)
++ if (!old_counts.bp[k].hijacked)
++ kfree(old_counts.bp[k].map);
++ kfree(old_counts.bp);
++ }
++
+ if (!init) {
+ int i;
+ while (block < (chunks << chunkshift)) {
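Review bot: The added free loop is guarded by `bitmap->counts.bp != old_counts.bp` with no comment saying what that comparison distinguishes. From the first hunk it appears to separate the failure path, which restores `bitmap->counts.bp = old_counts.bp`, from the case where the new page table is in use. If a later change alters either assignment, this guard is all that prevents a double free or a free of live counters. A comment such as `/* new table is in use: release the old pages, skipping hijacked entries */` would document the guard, and it should also say why hijacked entries are skipped. bitmap_resize() starts and ends outside both hunks.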
--- /dev/null
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Israel Rukshin <israelr@mellanox.com>
+Date: Sun, 5 Nov 2017 08:43:01 +0000
+Subject: nvmet-rdma: update queue list during ib_device removal
+
+From: Israel Rukshin <israelr@mellanox.com>
+
+
+[ Upstream commit 43b92fd27aaef0f529c9321cfebbaec1d7b8f503 ]
+
+A NULL deref happens when nvmet_rdma_remove_one() is called more than once
+(e.g. while connected via 2 ports).
+The first call frees the queues related to the first ib_device but
+doesn't remove them from the queue list.
+While calling nvmet_rdma_remove_one() for the second ib_device it goes over
+the full queue list again and we get the NULL deref.
+
+Fixes: f1d4ef7d ("nvmet-rdma: register ib_client to not deadlock in device removal")
+Signed-off-by: Israel Rukshin <israelr@mellanox.com>
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Reviewed-by: Sagi Grimberg <sagi@grmberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/target/rdma.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/nvme/target/rdma.c
++++ b/drivers/nvme/target/rdma.c
+@@ -1512,15 +1512,17 @@ static struct nvmet_fabrics_ops nvmet_rd
+
+ static void nvmet_rdma_remove_one(struct ib_device *ib_device, void *client_data)
+ {
+- struct nvmet_rdma_queue *queue;
++ struct nvmet_rdma_queue *queue, *tmp;
+
+ /* Device is being removed, delete all queues using this device */
+ mutex_lock(&nvmet_rdma_queue_mutex);
+- list_for_each_entry(queue, &nvmet_rdma_queue_list, queue_list) {
++ list_for_each_entry_safe(queue, tmp, &nvmet_rdma_queue_list,
++ queue_list) {
+ if (queue->dev->device != ib_device)
+ continue;
+
+ pr_info("Removing queue %d\n", queue->idx);
++ list_del_init(&queue->queue_list);
+ __nvmet_rdma_queue_disconnect(queue);
+ }
+ mutex_unlock(&nvmet_rdma_queue_mutex);
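Review bot: `list_del_init(&queue->queue_list)` now unlinks the queue before `__nvmet_rdma_queue_disconnect(queue)`, so any other path that removes a queue from nvmet_rdma_queue_list has to cope with an entry that is already unlinked, and those paths are outside the hunk. It is worth confirming that they test `list_empty(&queue->queue_list)` under nvmet_rdma_queue_mutex before unlinking. A comment such as `/* unlink first so a later remove_one() for another device never walks a freed queue */` above the new line would record the reason given in the commit message. The function body continues past the last line of the hunk.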
--- /dev/null
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+Date: Thu, 24 Aug 2017 00:28:41 +0530
+Subject: powerpc/powernv/idle: Round up latency and residency values
+
+From: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+
+
+[ Upstream commit 8d4e10e9ed9450e18fbbf6a8872be0eac9fd4999 ]
+
+On PowerNV platforms, firmware provides exit latency and
+target residency for each of the idle states in nano
+seconds. Cpuidle framework expects the values in micro
+seconds. Round up to nearest micro seconds to avoid errors
+in cases where the values are defined as fractional micro
+seconds.
+
+Default idle state of 'snooze' has exit latency of zero. If
+other states have fractional micro second exit latency, they
+would get rounded down to zero micro second and make cpuidle
+framework choose deeper idle state when snooze loop is the
+right choice.
+
+Reported-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+Reviewed-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpuidle/cpuidle-powernv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpuidle/cpuidle-powernv.c
++++ b/drivers/cpuidle/cpuidle-powernv.c
+@@ -384,9 +384,9 @@ static int powernv_add_idle_states(void)
+ * Firmware passes residency and latency values in ns.
+ * cpuidle expects it in us.
+ */
+- exit_latency = latency_ns[i] / 1000;
++ exit_latency = DIV_ROUND_UP(latency_ns[i], 1000);
+ if (!rc)
+- target_residency = residency_ns[i] / 1000;
++ target_residency = DIV_ROUND_UP(residency_ns[i], 1000);
+ else
+ target_residency = 0;
+
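Review bot: `DIV_ROUND_UP(latency_ns[i], 1000)` adds 999 before dividing, so a firmware value within 999 of the element type's maximum would wrap and come out as a very small number instead of being rounded up; the same holds for `residency_ns[i]`. The element types are declared outside the hunk, so this may be unreachable in practice. Since the values come from firmware, an overflow-free form is cheap insurance, e.g. `exit_latency = latency_ns[i] / 1000 + !!(latency_ns[i] % 1000);`. The enclosing loop in powernv_add_idle_states() starts and ends outside the hunk.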
--- /dev/null
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Leon Romanovsky <leon@kernel.org>
+Date: Wed, 25 Oct 2017 23:10:19 +0300
+Subject: RDMA/cxgb4: Annotate r2 and stag as __be32
+
+From: Leon Romanovsky <leon@kernel.org>
+
+
+[ Upstream commit 7d7d065a5eec7e218174d5c64a9f53f99ffdb119 ]
+
+Chelsio cxgb4 HW is big-endian, hence there is need to properly
+annotate r2 and stag fields as __be32 and not __u32 to fix the
+following sparse warnings.
+
+ drivers/infiniband/hw/cxgb4/qp.c:614:16:
+ warning: incorrect type in assignment (different base types)
+ expected unsigned int [unsigned] [usertype] r2
+ got restricted __be32 [usertype] <noident>
+ drivers/infiniband/hw/cxgb4/qp.c:615:18:
+ warning: incorrect type in assignment (different base types)
+ expected unsigned int [unsigned] [usertype] stag
+ got restricted __be32 [usertype] <noident>
+
+Cc: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/cxgb4/t4fw_ri_api.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/cxgb4/t4fw_ri_api.h
++++ b/drivers/infiniband/hw/cxgb4/t4fw_ri_api.h
+@@ -675,8 +675,8 @@ struct fw_ri_fr_nsmr_tpte_wr {
+ __u16 wrid;
+ __u8 r1[3];
+ __u8 len16;
+- __u32 r2;
+- __u32 stag;
++ __be32 r2;
++ __be32 stag;
+ struct fw_ri_tpte tpte;
+ __u64 pbl[2];
+ };
fcntl-don-t-cap-l_start-and-l_end-values-for-f_getlk64-in-compat-syscall.patch
fix-kcm_clone.patch
kvm-arm-arm64-vgic-its-preserve-the-revious-read-from-the-pending-table.patch
+kbuild-do-not-call-cc-option-before-kbuild_cflags-initialization.patch
+powerpc-powernv-idle-round-up-latency-and-residency-values.patch
+ipvlan-fix-ipv6-outbound-device.patch
+ide-ide-atapi-fix-compile-error-with-defining-macro-debug.patch
+blk-mq-avoid-that-request-queue-removal-can-trigger-list-corruption.patch
+nvmet-rdma-update-queue-list-during-ib_device-removal.patch
+audit-allow-auditd-to-set-pid-to-0-to-end-auditing.patch
+audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch
+dm-raid-fix-panic-when-attempting-to-force-a-raid-to-sync.patch
+md-free-unused-memory-after-bitmap-resize.patch
+rdma-cxgb4-annotate-r2-and-stag-as-__be32.patch
+x86-intel_rdt-fix-potential-deadlock-during-resctrl-unmount.patch
--- /dev/null
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Reinette Chatre <reinette.chatre@intel.com>
+Date: Fri, 20 Oct 2017 02:16:58 -0700
+Subject: x86/intel_rdt: Fix potential deadlock during resctrl unmount
+
+From: Reinette Chatre <reinette.chatre@intel.com>
+
+
+[ Upstream commit 36b6f9fcb8928c06b6638a4cf91bc9d69bb49aa2 ]
+
+Lockdep warns about a potential deadlock:
+
+[ 66.782842] ======================================================
+[ 66.782888] WARNING: possible circular locking dependency detected
+[ 66.782937] 4.14.0-rc2-test-test+ #48 Not tainted
+[ 66.782983] ------------------------------------------------------
+[ 66.783052] umount/336 is trying to acquire lock:
+[ 66.783117] (cpu_hotplug_lock.rw_sem){++++}, at: [<ffffffff81032395>] rdt_kill_sb+0x215/0x390
+[ 66.783193]
+ but task is already holding lock:
+[ 66.783244] (rdtgroup_mutex){+.+.}, at: [<ffffffff810321b6>] rdt_kill_sb+0x36/0x390
+[ 66.783305]
+ which lock already depends on the new lock.
+
+[ 66.783364]
+ the existing dependency chain (in reverse order) is:
+[ 66.783419]
+ -> #3 (rdtgroup_mutex){+.+.}:
+[ 66.783467] __lock_acquire+0x1293/0x13f0
+[ 66.783509] lock_acquire+0xaf/0x220
+[ 66.783543] __mutex_lock+0x71/0x9b0
+[ 66.783575] mutex_lock_nested+0x1b/0x20
+[ 66.783610] intel_rdt_online_cpu+0x3b/0x430
+[ 66.783649] cpuhp_invoke_callback+0xab/0x8e0
+[ 66.783687] cpuhp_thread_fun+0x7a/0x150
+[ 66.783722] smpboot_thread_fn+0x1cc/0x270
+[ 66.783764] kthread+0x16e/0x190
+[ 66.783794] ret_from_fork+0x27/0x40
+[ 66.783825]
+ -> #2 (cpuhp_state){+.+.}:
+[ 66.783870] __lock_acquire+0x1293/0x13f0
+[ 66.783906] lock_acquire+0xaf/0x220
+[ 66.783938] cpuhp_issue_call+0x102/0x170
+[ 66.783974] __cpuhp_setup_state_cpuslocked+0x154/0x2a0
+[ 66.784023] __cpuhp_setup_state+0xc7/0x170
+[ 66.784061] page_writeback_init+0x43/0x67
+[ 66.784097] pagecache_init+0x43/0x4a
+[ 66.784131] start_kernel+0x3ad/0x3f7
+[ 66.784165] x86_64_start_reservations+0x2a/0x2c
+[ 66.784204] x86_64_start_kernel+0x72/0x75
+[ 66.784241] verify_cpu+0x0/0xfb
+[ 66.784270]
+ -> #1 (cpuhp_state_mutex){+.+.}:
+[ 66.784319] __lock_acquire+0x1293/0x13f0
+[ 66.784355] lock_acquire+0xaf/0x220
+[ 66.784387] __mutex_lock+0x71/0x9b0
+[ 66.784419] mutex_lock_nested+0x1b/0x20
+[ 66.784454] __cpuhp_setup_state_cpuslocked+0x52/0x2a0
+[ 66.784497] __cpuhp_setup_state+0xc7/0x170
+[ 66.784535] page_alloc_init+0x28/0x30
+[ 66.784569] start_kernel+0x148/0x3f7
+[ 66.784602] x86_64_start_reservations+0x2a/0x2c
+[ 66.784642] x86_64_start_kernel+0x72/0x75
+[ 66.784678] verify_cpu+0x0/0xfb
+[ 66.784707]
+ -> #0 (cpu_hotplug_lock.rw_sem){++++}:
+[ 66.784759] check_prev_add+0x32f/0x6e0
+[ 66.784794] __lock_acquire+0x1293/0x13f0
+[ 66.784830] lock_acquire+0xaf/0x220
+[ 66.784863] cpus_read_lock+0x3d/0xb0
+[ 66.784896] rdt_kill_sb+0x215/0x390
+[ 66.784930] deactivate_locked_super+0x3e/0x70
+[ 66.784968] deactivate_super+0x40/0x60
+[ 66.785003] cleanup_mnt+0x3f/0x80
+[ 66.785034] __cleanup_mnt+0x12/0x20
+[ 66.785070] task_work_run+0x8b/0xc0
+[ 66.785103] exit_to_usermode_loop+0x94/0xa0
+[ 66.786804] syscall_return_slowpath+0xe8/0x150
+[ 66.788502] entry_SYSCALL_64_fastpath+0xab/0xad
+[ 66.790194]
+ other info that might help us debug this:
+
+[ 66.795139] Chain exists of:
+ cpu_hotplug_lock.rw_sem --> cpuhp_state --> rdtgroup_mutex
+
+[ 66.800035] Possible unsafe locking scenario:
+
+[ 66.803267] CPU0 CPU1
+[ 66.804867] ---- ----
+[ 66.806443] lock(rdtgroup_mutex);
+[ 66.808002] lock(cpuhp_state);
+[ 66.809565] lock(rdtgroup_mutex);
+[ 66.811110] lock(cpu_hotplug_lock.rw_sem);
+[ 66.812608]
+ *** DEADLOCK ***
+
+[ 66.816983] 2 locks held by umount/336:
+[ 66.818418] #0: (&type->s_umount_key#35){+.+.}, at: [<ffffffff81229738>] deactivate_super+0x38/0x60
+[ 66.819922] #1: (rdtgroup_mutex){+.+.}, at: [<ffffffff810321b6>] rdt_kill_sb+0x36/0x390
+
+When the resctrl filesystem is unmounted the locks should be obtain in the
+locks in the same order as was done when the cpus came online:
+
+ cpu_hotplug_lock before rdtgroup_mutex.
+
+This also requires to switch the static_branch_disable() calls to the
+_cpulocked variant because now cpu hotplug lock is held already.
+
+[ tglx: Switched to cpus_read_[un]lock ]
+
+Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+Acked-by: Vikas Shivappa <vikas.shivappa@linux.intel.com>
+Acked-by: Fenghua Yu <fenghua.yu@intel.com>
+Acked-by: Tony Luck <tony.luck@intel.com>
+Link: https://lkml.kernel.org/r/cc292e76be073f7260604651711c47b09fd0dc81.1508490116.git.reinette.chatre@intel.com
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/intel_rdt_rdtgroup.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
++++ b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
+@@ -1297,9 +1297,7 @@ static void rmdir_all_sub(void)
+ kfree(rdtgrp);
+ }
+ /* Notify online CPUs to update per cpu storage and PQR_ASSOC MSR */
+- get_online_cpus();
+ update_closid_rmid(cpu_online_mask, &rdtgroup_default);
+- put_online_cpus();
+
+ kernfs_remove(kn_info);
+ kernfs_remove(kn_mongrp);
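Review bot: rmdir_all_sub() now passes `cpu_online_mask` to `update_closid_rmid()` without taking the hotplug lock itself, so it is only correct when the caller already holds that lock, as rdt_kill_sb() does after the second hunk. Nothing in the function states or checks that requirement. Adding `lockdep_assert_cpus_held();` before the `update_closid_rmid()` call, with a comment that the caller must hold cpus_read_lock(), would catch a future call site that forgets it. rmdir_all_sub() starts outside the hunk.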
+@@ -1310,6 +1308,7 @@ static void rdt_kill_sb(struct super_blo
+ {
+ struct rdt_resource *r;
+
++ cpus_read_lock();
+ mutex_lock(&rdtgroup_mutex);
+
+ /*Put everything back to default values. */
+@@ -1317,11 +1316,12 @@ static void rdt_kill_sb(struct super_blo
+ reset_all_ctrls(r);
+ cdp_disable();
+ rmdir_all_sub();
+- static_branch_disable(&rdt_alloc_enable_key);
+- static_branch_disable(&rdt_mon_enable_key);
+- static_branch_disable(&rdt_enable_key);
++ static_branch_disable_cpuslocked(&rdt_alloc_enable_key);
++ static_branch_disable_cpuslocked(&rdt_mon_enable_key);
++ static_branch_disable_cpuslocked(&rdt_enable_key);
+ kernfs_kill_sb(sb);
+ mutex_unlock(&rdtgroup_mutex);
++ cpus_read_unlock();
+ }
+
+ static struct file_system_type rdt_fs_type = {