--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Nobutaka Okabe <nob77413@gmail.com>
+Date: Fri, 23 Mar 2018 19:18:22 +0900
+Subject: ALSA: usb-audio: Add native DSD support for Luxman DA-06
+
+From: Nobutaka Okabe <nob77413@gmail.com>
+
+[ Upstream commit 71426535f49fe6034d0e0db77608b91a0c1a022d ]
+
+Add native DSD support quirk for Luxman DA-06 DAC, by adding the
+PID/VID 1852:5065.
+
+Rename "is_marantz_denon_dac()" function to "is_itf_usb_dsd_2alts_dac()"
+to cover broader device family sharing the same USB audio
+implementation(*).
+For the same reason, rename "is_teac_dsd_dac()" function to
+"is_itf_usb_dsd_3alts_dac()".
+
+(*)
+These devices have the same USB controller "ITF-USB DSD", supplied by
+INTERFACE Co., Ltd.
+"ITF-USB DSD" USB controller has two patterns,
+
+Pattern 1. (2 altsets version)
+- Altset 0: for control
+- Altset 1: for stream (S32)
+- Altset 2: for stream (S32, DSD_U32)
+
+Pattern 2. (3 altsets version)
+- Altset 0: for control
+- Altset 1: for stream (S16)
+- Altset 2: for stream (S32)
+- Altset 3: for stream (S32, DSD_U32)
+
+"is_itf_usb_dsd_2alts_dac()" returns true, if the DAC has "Pattern 1"
+USB controller, and "is_itf_usb_dsd_3alts_dac()" returns true, if
+"Pattern2".
+
+Signed-off-by: Nobutaka Okabe <nob77413@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/quirks.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1149,24 +1149,27 @@ bool snd_usb_get_sample_rate_quirk(struc
+ return false;
+ }
+
+-/* Marantz/Denon USB DACs need a vendor cmd to switch
++/* ITF-USB DSD based DACs need a vendor cmd to switch
+ * between PCM and native DSD mode
++ * (2 altsets version)
+ */
+-static bool is_marantz_denon_dac(unsigned int id)
++static bool is_itf_usb_dsd_2alts_dac(unsigned int id)
+ {
+ switch (id) {
+ case USB_ID(0x154e, 0x1003): /* Denon DA-300USB */
+ case USB_ID(0x154e, 0x3005): /* Marantz HD-DAC1 */
+ case USB_ID(0x154e, 0x3006): /* Marantz SA-14S1 */
++ case USB_ID(0x1852, 0x5065): /* Luxman DA-06 */
+ return true;
+ }
+ return false;
+ }
+
+-/* TEAC UD-501/UD-503/NT-503 USB DACs need a vendor cmd to switch
+- * between PCM/DOP and native DSD mode
++/* ITF-USB DSD based DACs need a vendor cmd to switch
++ * between PCM and native DSD mode
++ * (3 altsets version)
+ */
+-static bool is_teac_dsd_dac(unsigned int id)
++static bool is_itf_usb_dsd_3alts_dac(unsigned int id)
+ {
+ switch (id) {
+ case USB_ID(0x0644, 0x8043): /* TEAC UD-501/UD-503/NT-503 */
+@@ -1183,7 +1186,7 @@ int snd_usb_select_mode_quirk(struct snd
+ struct usb_device *dev = subs->dev;
+ int err;
+
+- if (is_marantz_denon_dac(subs->stream->chip->usb_id)) {
++ if (is_itf_usb_dsd_2alts_dac(subs->stream->chip->usb_id)) {
+ /* First switch to alt set 0, otherwise the mode switch cmd
+ * will not be accepted by the DAC
+ */
+@@ -1204,7 +1207,7 @@ int snd_usb_select_mode_quirk(struct snd
+ break;
+ }
+ mdelay(20);
+- } else if (is_teac_dsd_dac(subs->stream->chip->usb_id)) {
++ } else if (is_itf_usb_dsd_3alts_dac(subs->stream->chip->usb_id)) {
+ /* Vendor mode switch cmd is required. */
+ switch (fmt->altsetting) {
+ case 3: /* DSD mode (DSD_U32) requested */
+@@ -1300,10 +1303,10 @@ void snd_usb_ctl_msg_quirk(struct usb_de
+ (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
+ mdelay(20);
+
+- /* Marantz/Denon devices with USB DAC functionality need a delay
++ /* ITF-USB DSD based DACs functionality need a delay
+ * after each class compliant request
+ */
+- if (is_marantz_denon_dac(chip->usb_id)
++ if (is_itf_usb_dsd_2alts_dac(chip->usb_id)
+ && (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
+ mdelay(20);
+
+@@ -1390,14 +1393,14 @@ u64 snd_usb_interface_dsd_format_quirks(
+ break;
+ }
+
+- /* Denon/Marantz devices with USB DAC functionality */
+- if (is_marantz_denon_dac(chip->usb_id)) {
++ /* ITF-USB DSD based DACs (2 altsets version) */
++ if (is_itf_usb_dsd_2alts_dac(chip->usb_id)) {
+ if (fp->altsetting == 2)
+ return SNDRV_PCM_FMTBIT_DSD_U32_BE;
+ }
+
+- /* TEAC devices with USB DAC functionality */
+- if (is_teac_dsd_dac(chip->usb_id)) {
++ /* ITF-USB DSD based DACs (3 altsets version) */
++ if (is_itf_usb_dsd_3alts_dac(chip->usb_id)) {
+ if (fp->altsetting == 3)
+ return SNDRV_PCM_FMTBIT_DSD_U32_BE;
+ }
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Sun, 11 Feb 2018 12:24:32 -0600
+Subject: Bluetooth: btusb: Add device ID for RTL8822BE
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+[ Upstream commit fed03fe7e55b7dc16077f672bd9d7bbe92b3a691 ]
+
+The Asus Z370-I contains a Realtek RTL8822BE device with an associated
+BT chip using a USB ID of 0b05:185c. This device is added to the driver.
+
+Signed-off-by: Hon Weng Chong <honwchong@gmail.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -377,6 +377,9 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x13d3, 0x3461), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK },
+
++ /* Additional Realtek 8822BE Bluetooth devices */
++ { USB_DEVICE(0x0b05, 0x185c), .driver_info = BTUSB_REALTEK },
++
+ /* Silicon Wave based devices */
+ { USB_DEVICE(0x0c10, 0x0000), .driver_info = BTUSB_SWAVE },
+
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Tedd Ho-Jeong An <tedd.an@intel.com>
+Date: Mon, 5 Feb 2018 14:20:36 -0800
+Subject: Bluetooth: btusb: Add support for Intel Bluetooth device 22560 [8087:0026]
+
+From: Tedd Ho-Jeong An <tedd.an@intel.com>
+
+[ Upstream commit 1ce0cec1c14cda7e514fa21b36c0f035203b447d ]
+
+The Intel Bluetooth device 22560 family (HarrisonPeak, QnJ, and IcyPeak)
+use the same firmware loading mechanism as previous generation,
+so include new USB product ID and whitelist the hardware variant.
+
+T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 16 Spd=12 MxCh= 0
+D: Ver= 2.01 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=8087 ProdID=0026 Rev= 0.01
+C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms
+
+Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -340,6 +340,7 @@ static const struct usb_device_id blackl
+
+ /* Intel Bluetooth devices */
+ { USB_DEVICE(0x8087, 0x0025), .driver_info = BTUSB_INTEL_NEW },
++ { USB_DEVICE(0x8087, 0x0026), .driver_info = BTUSB_INTEL_NEW },
+ { USB_DEVICE(0x8087, 0x07da), .driver_info = BTUSB_CSR },
+ { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL },
+ { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL },
+@@ -2086,6 +2087,8 @@ static int btusb_setup_intel_new(struct
+ case 0x0c: /* WsP */
+ case 0x11: /* JfP */
+ case 0x12: /* ThP */
++ case 0x13: /* HrP */
++ case 0x14: /* QnJ, IcP */
+ break;
+ default:
+ BT_ERR("%s: Unsupported Intel hardware variant (%u)",
+@@ -2178,6 +2181,8 @@ static int btusb_setup_intel_new(struct
+ break;
+ case 0x11: /* JfP */
+ case 0x12: /* ThP */
++ case 0x13: /* HrP */
++ case 0x14: /* QnJ, IcP */
+ snprintf(fwname, sizeof(fwname), "intel/ibt-%u-%u-%u.sfi",
+ le16_to_cpu(ver.hw_variant),
+ le16_to_cpu(ver.hw_revision),
+@@ -2209,6 +2214,8 @@ static int btusb_setup_intel_new(struct
+ break;
+ case 0x11: /* JfP */
+ case 0x12: /* ThP */
++ case 0x13: /* HrP */
++ case 0x14: /* QnJ, IcP */
+ snprintf(fwname, sizeof(fwname), "intel/ibt-%u-%u-%u.ddc",
+ le16_to_cpu(ver.hw_variant),
+ le16_to_cpu(ver.hw_revision),
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Vicente Bergas <vicencb@gmail.com>
+Date: Tue, 20 Mar 2018 19:41:10 +0100
+Subject: Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB
+
+From: Vicente Bergas <vicencb@gmail.com>
+
+[ Upstream commit a41e0796396eeceff673af4a38feaee149c6ff86 ]
+
+This WiFi/Bluetooth USB dongle uses a Realtek chipset, so, use btrtl for it.
+
+Product information:
+https://wikidevi.com/wiki/Edimax_EW-7611ULB
+
+>From /sys/kernel/debug/usb/devices
+T: Bus=02 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=7392 ProdID=a611 Rev= 2.00
+S: Manufacturer=Realtek
+S: Product=Edimax Wi-Fi N150 Bluetooth4.0 USB Adapter
+S: SerialNumber=00e04c000001
+C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=500mA
+A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+I:* If#= 2 Alt= 0 #EPs= 6 Cls=ff(vend.) Sub=ff Prot=ff Driver=rtl8723bu
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=500us
+E: Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Tested-by: Vicente Bergas <vicencb@gmail.com>
+Signed-off-by: Vicente Bergas <vicencb@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -367,6 +367,9 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3494), .driver_info = BTUSB_REALTEK },
+
++ /* Additional Realtek 8723BU Bluetooth devices */
++ { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK },
++
+ /* Additional Realtek 8821AE Bluetooth devices */
+ { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK },
--- /dev/null
+From a7cfebcb7594a24609268f91299ab85ba064bf82 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 3 Apr 2018 14:33:49 +0200
+Subject: cfg80211: limit wiphy names to 128 bytes
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit a7cfebcb7594a24609268f91299ab85ba064bf82 upstream.
+
+There's currently no limit on wiphy names, other than netlink
+message size and memory limitations, but that causes issues when,
+for example, the wiphy name is used in a uevent, e.g. in rfkill
+where we use the same name for the rfkill instance, and then the
+buffer there is "only" 2k for the environment variables.
+
+This was reported by syzkaller, which used a 4k name.
+
+Limit the name to something reasonable, I randomly picked 128.
+
+Reported-by: syzbot+230d9e642a85d3fec29c@syzkaller.appspotmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/linux/nl80211.h | 2 ++
+ net/wireless/core.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+--- a/include/uapi/linux/nl80211.h
++++ b/include/uapi/linux/nl80211.h
+@@ -2618,6 +2618,8 @@ enum nl80211_attrs {
+ #define NL80211_ATTR_KEYS NL80211_ATTR_KEYS
+ #define NL80211_ATTR_FEATURE_FLAGS NL80211_ATTR_FEATURE_FLAGS
+
++#define NL80211_WIPHY_NAME_MAXLEN 128
++
+ #define NL80211_MAX_SUPP_RATES 32
+ #define NL80211_MAX_SUPP_HT_RATES 77
+ #define NL80211_MAX_SUPP_REG_RULES 64
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -95,6 +95,9 @@ static int cfg80211_dev_check_name(struc
+
+ ASSERT_RTNL();
+
++ if (strlen(newname) > NL80211_WIPHY_NAME_MAXLEN)
++ return -EINVAL;
++
+ /* prohibit calling the thing phy%d when %d is not its number */
+ sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken);
+ if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) {
--- /dev/null
+From foo@baz Thu May 24 10:06:37 CEST 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Fri, 23 Feb 2018 10:01:40 +0100
+Subject: crypto: atmel-aes - fix the keys zeroing on errors
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit 5d804a5157dbaa64872a675923ae87161165c66b ]
+
+The Atmel AES driver uses memzero_explicit on the keys on error, but the
+variable zeroed isn't the right one because of a typo. Fix this by using
+the right variable.
+
+Fixes: 89a82ef87e01 ("crypto: atmel-authenc - add support to authenc(hmac(shaX), Y(aes)) modes")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/atmel-aes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/atmel-aes.c
++++ b/drivers/crypto/atmel-aes.c
+@@ -2155,7 +2155,7 @@ static int atmel_aes_authenc_setkey(stru
+
+ badkey:
+ crypto_aead_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
+- memzero_explicit(&key, sizeof(keys));
++ memzero_explicit(&keys, sizeof(keys));
+ return -EINVAL;
+ }
+
--- /dev/null
+From foo@baz Thu May 24 10:06:37 CEST 2018
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Fri, 23 Feb 2018 23:33:07 +0100
+Subject: crypto: ccp - don't disable interrupts while setting up debugfs
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 79eb382b5e06a6dca5806465d7195d686a463ab0 ]
+
+I don't why we need take a single write lock and disable interrupts
+while setting up debugfs. This is what what happens when we try anyway:
+
+|ccp 0000:03:00.2: enabling device (0000 -> 0002)
+|BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:69
+|in_atomic(): 1, irqs_disabled(): 1, pid: 3, name: kworker/0:0
+|irq event stamp: 17150
+|hardirqs last enabled at (17149): [<0000000097a18c49>] restore_regs_and_return_to_kernel+0x0/0x23
+|hardirqs last disabled at (17150): [<000000000773b3a9>] _raw_write_lock_irqsave+0x1b/0x50
+|softirqs last enabled at (17148): [<0000000064d56155>] __do_softirq+0x3b8/0x4c1
+|softirqs last disabled at (17125): [<0000000092633c18>] irq_exit+0xb1/0xc0
+|CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.16.0-rc2+ #30
+|Workqueue: events work_for_cpu_fn
+|Call Trace:
+| dump_stack+0x7d/0xb6
+| ___might_sleep+0x1eb/0x250
+| down_write+0x17/0x60
+| start_creating+0x4c/0xe0
+| debugfs_create_dir+0x9/0x100
+| ccp5_debugfs_setup+0x191/0x1b0
+| ccp5_init+0x8a7/0x8c0
+| ccp_dev_init+0xb8/0xe0
+| sp_init+0x6c/0x90
+| sp_pci_probe+0x26e/0x590
+| local_pci_probe+0x3f/0x90
+| work_for_cpu_fn+0x11/0x20
+| process_one_work+0x1ff/0x650
+| worker_thread+0x1d4/0x3a0
+| kthread+0xfe/0x130
+| ret_from_fork+0x27/0x50
+
+If any locking is required, a simple mutex will do it.
+
+Cc: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Acked-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccp/ccp-debugfs.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-debugfs.c
++++ b/drivers/crypto/ccp/ccp-debugfs.c
+@@ -278,7 +278,7 @@ static const struct file_operations ccp_
+ };
+
+ static struct dentry *ccp_debugfs_dir;
+-static DEFINE_RWLOCK(ccp_debugfs_lock);
++static DEFINE_MUTEX(ccp_debugfs_lock);
+
+ #define MAX_NAME_LEN 20
+
+@@ -290,16 +290,15 @@ void ccp5_debugfs_setup(struct ccp_devic
+ struct dentry *debugfs_stats;
+ struct dentry *debugfs_q_instance;
+ struct dentry *debugfs_q_stats;
+- unsigned long flags;
+ int i;
+
+ if (!debugfs_initialized())
+ return;
+
+- write_lock_irqsave(&ccp_debugfs_lock, flags);
++ mutex_lock(&ccp_debugfs_lock);
+ if (!ccp_debugfs_dir)
+ ccp_debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL);
+- write_unlock_irqrestore(&ccp_debugfs_lock, flags);
++ mutex_unlock(&ccp_debugfs_lock);
+ if (!ccp_debugfs_dir)
+ return;
+
--- /dev/null
+From foo@baz Thu May 24 10:06:37 CEST 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Tue, 13 Feb 2018 09:26:51 +0100
+Subject: crypto: inside-secure - do not overwrite the threshold value
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit e1d24c0bb76648cdf789b168defb6e31adb0b1b1 ]
+
+This patch fixes the Inside Secure SafeXcel driver not to overwrite the
+interrupt threshold value. In certain cases the value of this register,
+which controls when to fire an interrupt, was overwritten. This lead to
+packet not being processed or acked as the driver never was aware of
+their completion.
+
+This patch fixes this behaviour by not setting the threshold when
+requests are being processed by the engine.
+
+Fixes: dc7e28a3286e ("crypto: inside-secure - dequeue all requests at once")
+Suggested-by: Ofer Heifetz <oferh@marvell.com>
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/crypto/inside-secure/safexcel.c
++++ b/drivers/crypto/inside-secure/safexcel.c
+@@ -523,8 +523,7 @@ finalize:
+
+ if (!priv->ring[ring].busy) {
+ nreq -= safexcel_try_push_requests(priv, ring, nreq);
+- if (nreq)
+- priv->ring[ring].busy = true;
++ priv->ring[ring].busy = true;
+ }
+
+ priv->ring[ring].requests_left += nreq;
--- /dev/null
+From foo@baz Thu May 24 10:06:37 CEST 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Tue, 13 Feb 2018 09:26:54 +0100
+Subject: crypto: inside-secure - do not process request if no command was issued
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit 95831ceafc0de7d94a5fe86ebb1c2042317cc2cd ]
+
+This patch adds a check in the SafeXcel dequeue function, to avoid
+processing request further if no hardware command was issued. This can
+happen in certain cases where the ->send() function caches all the data
+that would have been send.
+
+Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/crypto/inside-secure/safexcel.c
++++ b/drivers/crypto/inside-secure/safexcel.c
+@@ -490,6 +490,15 @@ handle_req:
+ if (backlog)
+ backlog->complete(backlog, -EINPROGRESS);
+
++ /* In case the send() helper did not issue any command to push
++ * to the engine because the input data was cached, continue to
++ * dequeue other requests as this is valid and not an error.
++ */
++ if (!commands && !results) {
++ kfree(request);
++ continue;
++ }
++
+ spin_lock_bh(&priv->ring[ring].egress_lock);
+ list_add_tail(&request->list, &priv->ring[ring].list);
+ spin_unlock_bh(&priv->ring[ring].egress_lock);
--- /dev/null
+From foo@baz Thu May 24 10:06:37 CEST 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Tue, 13 Feb 2018 09:26:53 +0100
+Subject: crypto: inside-secure - fix the cache_len computation
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit 666a9c70b04fccabde5cea5e680ae1ae92460a62 ]
+
+This patch fixes the cache length computation as cache_len could end up
+being a negative value. The check between the queued size and the
+block size is updated to reflect the caching mechanism which can cache
+up to a full block size (included!).
+
+Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel_hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -187,7 +187,7 @@ static int safexcel_ahash_send_req(struc
+ int i, queued, len, cache_len, extra, n_cdesc = 0, ret = 0;
+
+ queued = len = req->len - req->processed;
+- if (queued < crypto_ahash_blocksize(ahash))
++ if (queued <= crypto_ahash_blocksize(ahash))
+ cache_len = queued;
+ else
+ cache_len = queued - areq->nbytes;
--- /dev/null
+From foo@baz Thu May 24 10:06:37 CEST 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Tue, 13 Feb 2018 09:26:52 +0100
+Subject: crypto: inside-secure - fix the extra cache computation
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit c1a8fa6e240ed4b99778d48ab790743565cb61c8 ]
+
+This patch fixes the extra cache computation when the queued data is a
+multiple of a block size. This fixes the hash support in some cases.
+
+Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel_hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -201,7 +201,7 @@ static int safexcel_ahash_send_req(struc
+ /* If this is not the last request and the queued data
+ * is a multiple of a block, cache the last one for now.
+ */
+- extra = queued - crypto_ahash_blocksize(ahash);
++ extra = crypto_ahash_blocksize(ahash);
+
+ if (extra) {
+ sg_pcopy_to_buffer(areq->src, sg_nents(areq->src),
--- /dev/null
+From foo@baz Thu May 24 10:06:37 CEST 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Tue, 13 Feb 2018 09:26:55 +0100
+Subject: crypto: inside-secure - fix the invalidation step during cra_exit
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit b7007dbccd92f7b8c00e590020bee542a48c6a2c ]
+
+When exiting a transformation, the cra_exit() helper is called in each
+driver providing one. The Inside Secure SafeXcel driver has one, which
+is responsible of freeing some areas and of sending one invalidation
+request to the crypto engine, to invalidate the context that was used
+during the transformation.
+
+We could see in some setups (when lots of transformations were being
+used with a short lifetime, and hence lots of cra_exit() calls) NULL
+pointer dereferences and other weird issues. All these issues were
+coming from accessing the tfm context.
+
+The issue is the invalidation request completion is checked using a
+wait_for_completion_interruptible() call in both the cipher and hash
+cra_exit() helpers. In some cases this was interrupted while the
+invalidation request wasn't processed yet. And then cra_exit() returned,
+and its caller was freeing the tfm instance. Only then the request was
+being handled by the SafeXcel driver, which lead to the said issues.
+
+This patch fixes this by using wait_for_completion() calls in these
+specific cases.
+
+Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel_cipher.c | 2 +-
+ drivers/crypto/inside-secure/safexcel_hash.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/inside-secure/safexcel_cipher.c
++++ b/drivers/crypto/inside-secure/safexcel_cipher.c
+@@ -456,7 +456,7 @@ static int safexcel_cipher_exit_inv(stru
+ queue_work(priv->ring[ring].workqueue,
+ &priv->ring[ring].work_data.work);
+
+- wait_for_completion_interruptible(&result.completion);
++ wait_for_completion(&result.completion);
+
+ if (result.error) {
+ dev_warn(priv->dev,
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -496,7 +496,7 @@ static int safexcel_ahash_exit_inv(struc
+ queue_work(priv->ring[ring].workqueue,
+ &priv->ring[ring].work_data.work);
+
+- wait_for_completion_interruptible(&result.completion);
++ wait_for_completion(&result.completion);
+
+ if (result.error) {
+ dev_warn(priv->dev, "hash: completion error (%d)\n",
--- /dev/null
+From foo@baz Thu May 24 10:06:37 CEST 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Mon, 19 Mar 2018 09:21:13 +0100
+Subject: crypto: inside-secure - move the digest to the request context
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit b869648c060fbb00bf6578d13cbe83e6f85914bc ]
+
+This patches moves the digest information from the transformation
+context to the request context. This fixes cases where HMAC init
+functions were called and override the digest value for a short period
+of time, as the HMAC init functions call the SHA init one which reset
+the value. This lead to a small percentage of HMAC being incorrectly
+computed under heavy load.
+
+Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
+Suggested-by: Ofer Heifetz <oferh@marvell.com>
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+[Ofer here did all the work, from seeing the issue to understanding the
+root cause. I only made the patch.]
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel_hash.c | 30 ++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -21,7 +21,6 @@ struct safexcel_ahash_ctx {
+ struct safexcel_crypto_priv *priv;
+
+ u32 alg;
+- u32 digest;
+
+ u32 ipad[SHA1_DIGEST_SIZE / sizeof(u32)];
+ u32 opad[SHA1_DIGEST_SIZE / sizeof(u32)];
+@@ -35,6 +34,8 @@ struct safexcel_ahash_req {
+
+ int nents;
+
++ u32 digest;
++
+ u8 state_sz; /* expected sate size, only set once */
+ u32 state[SHA256_DIGEST_SIZE / sizeof(u32)] __aligned(sizeof(u32));
+
+@@ -49,6 +50,8 @@ struct safexcel_ahash_export_state {
+ u64 len;
+ u64 processed;
+
++ u32 digest;
++
+ u32 state[SHA256_DIGEST_SIZE / sizeof(u32)];
+ u8 cache[SHA256_BLOCK_SIZE];
+ };
+@@ -82,9 +85,9 @@ static void safexcel_context_control(str
+
+ cdesc->control_data.control0 |= CONTEXT_CONTROL_TYPE_HASH_OUT;
+ cdesc->control_data.control0 |= ctx->alg;
+- cdesc->control_data.control0 |= ctx->digest;
++ cdesc->control_data.control0 |= req->digest;
+
+- if (ctx->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED) {
++ if (req->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED) {
+ if (req->processed) {
+ if (ctx->alg == CONTEXT_CONTROL_CRYPTO_ALG_SHA1)
+ cdesc->control_data.control0 |= CONTEXT_CONTROL_SIZE(6);
+@@ -112,7 +115,7 @@ static void safexcel_context_control(str
+ if (req->finish)
+ ctx->base.ctxr->data[i] = cpu_to_le32(req->processed / blocksize);
+ }
+- } else if (ctx->digest == CONTEXT_CONTROL_DIGEST_HMAC) {
++ } else if (req->digest == CONTEXT_CONTROL_DIGEST_HMAC) {
+ cdesc->control_data.control0 |= CONTEXT_CONTROL_SIZE(10);
+
+ memcpy(ctx->base.ctxr->data, ctx->ipad, digestsize);
+@@ -550,7 +553,7 @@ static int safexcel_ahash_enqueue(struct
+ if (ctx->base.ctxr) {
+ if (priv->version == EIP197 &&
+ !ctx->base.needs_inv && req->processed &&
+- ctx->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED)
++ req->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED)
+ /* We're still setting needs_inv here, even though it is
+ * cleared right away, because the needs_inv flag can be
+ * set in other functions and we want to keep the same
+@@ -585,7 +588,6 @@ static int safexcel_ahash_enqueue(struct
+
+ static int safexcel_ahash_update(struct ahash_request *areq)
+ {
+- struct safexcel_ahash_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(areq));
+ struct safexcel_ahash_req *req = ahash_request_ctx(areq);
+ struct crypto_ahash *ahash = crypto_ahash_reqtfm(areq);
+
+@@ -601,7 +603,7 @@ static int safexcel_ahash_update(struct
+ * We're not doing partial updates when performing an hmac request.
+ * Everything will be handled by the final() call.
+ */
+- if (ctx->digest == CONTEXT_CONTROL_DIGEST_HMAC)
++ if (req->digest == CONTEXT_CONTROL_DIGEST_HMAC)
+ return 0;
+
+ if (req->hmac)
+@@ -660,6 +662,8 @@ static int safexcel_ahash_export(struct
+ export->len = req->len;
+ export->processed = req->processed;
+
++ export->digest = req->digest;
++
+ memcpy(export->state, req->state, req->state_sz);
+ memcpy(export->cache, req->cache, crypto_ahash_blocksize(ahash));
+
+@@ -680,6 +684,8 @@ static int safexcel_ahash_import(struct
+ req->len = export->len;
+ req->processed = export->processed;
+
++ req->digest = export->digest;
++
+ memcpy(req->cache, export->cache, crypto_ahash_blocksize(ahash));
+ memcpy(req->state, export->state, req->state_sz);
+
+@@ -716,7 +722,7 @@ static int safexcel_sha1_init(struct aha
+ req->state[4] = SHA1_H4;
+
+ ctx->alg = CONTEXT_CONTROL_CRYPTO_ALG_SHA1;
+- ctx->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED;
++ req->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED;
+ req->state_sz = SHA1_DIGEST_SIZE;
+
+ return 0;
+@@ -783,10 +789,10 @@ struct safexcel_alg_template safexcel_al
+
+ static int safexcel_hmac_sha1_init(struct ahash_request *areq)
+ {
+- struct safexcel_ahash_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(areq));
++ struct safexcel_ahash_req *req = ahash_request_ctx(areq);
+
+ safexcel_sha1_init(areq);
+- ctx->digest = CONTEXT_CONTROL_DIGEST_HMAC;
++ req->digest = CONTEXT_CONTROL_DIGEST_HMAC;
+ return 0;
+ }
+
+@@ -1024,7 +1030,7 @@ static int safexcel_sha256_init(struct a
+ req->state[7] = SHA256_H7;
+
+ ctx->alg = CONTEXT_CONTROL_CRYPTO_ALG_SHA256;
+- ctx->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED;
++ req->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED;
+ req->state_sz = SHA256_DIGEST_SIZE;
+
+ return 0;
+@@ -1086,7 +1092,7 @@ static int safexcel_sha224_init(struct a
+ req->state[7] = SHA224_H7;
+
+ ctx->alg = CONTEXT_CONTROL_CRYPTO_ALG_SHA224;
+- ctx->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED;
++ req->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED;
+ req->state_sz = SHA256_DIGEST_SIZE;
+
+ return 0;
--- /dev/null
+From foo@baz Thu May 24 10:06:37 CEST 2018
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Mon, 26 Feb 2018 14:45:12 +0100
+Subject: crypto: inside-secure - wait for the request to complete if in the backlog
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit 4dc5475ae0375ea4f9283dfd9b2ddc91b20d4c4b ]
+
+This patch updates the safexcel_hmac_init_pad() function to also wait
+for completion when the digest return code is -EBUSY, as it would mean
+the request is in the backlog to be processed later.
+
+Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
+Suggested-by: Ofer Heifetz <oferh@marvell.com>
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/inside-secure/safexcel_hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -845,7 +845,7 @@ static int safexcel_hmac_init_pad(struct
+ init_completion(&result.completion);
+
+ ret = crypto_ahash_digest(areq);
+- if (ret == -EINPROGRESS) {
++ if (ret == -EINPROGRESS || ret == -EBUSY) {
+ wait_for_completion_interruptible(&result.completion);
+ ret = result.error;
+ }
--- /dev/null
+From foo@baz Thu May 24 10:06:37 CEST 2018
+From: Peter Robinson <pbrobinson@gmail.com>
+Date: Sun, 11 Feb 2018 23:15:37 +0000
+Subject: crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss
+
+From: Peter Robinson <pbrobinson@gmail.com>
+
+[ Upstream commit 7c73cf4cc2ac16465f5102437dc0a12d66671bd6 ]
+
+The MODULE_ALIAS is required to enable the sun4i-ss driver to load
+automatically when built at a module. Tested on a Cubietruck.
+
+Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
+Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/sunxi-ss/sun4i-ss-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/sunxi-ss/sun4i-ss-core.c
++++ b/drivers/crypto/sunxi-ss/sun4i-ss-core.c
+@@ -451,6 +451,7 @@ static struct platform_driver sun4i_ss_d
+
+ module_platform_driver(sun4i_ss_driver);
+
++MODULE_ALIAS("platform:sun4i-ss");
+ MODULE_DESCRIPTION("Allwinner Security System cryptographic accelerator");
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Corentin LABBE <clabbe.montjoie@gmail.com>");
--- /dev/null
+From 66072c29328717072fd84aaff3e070e3f008ba77 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 18 May 2018 16:09:16 -0700
+Subject: hfsplus: stop workqueue when fill_super() failed
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 66072c29328717072fd84aaff3e070e3f008ba77 upstream.
+
+syzbot is reporting ODEBUG messages at hfsplus_fill_super() [1]. This
+is because hfsplus_fill_super() forgot to call cancel_delayed_work_sync().
+
+As far as I can see, it is hfsplus_mark_mdb_dirty() from
+hfsplus_new_inode() in hfsplus_fill_super() that calls
+queue_delayed_work(). Therefore, I assume that hfsplus_new_inode() does
+not fail if queue_delayed_work() was called, and the out_put_hidden_dir
+label is the appropriate location to call cancel_delayed_work_sync().
+
+[1] https://syzkaller.appspot.com/bug?id=a66f45e96fdbeb76b796bf46eb25ea878c42a6c9
+
+Link: http://lkml.kernel.org/r/964a8b27-cd69-357c-fe78-76b066056201@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+4f2e5f086147d543ab03@syzkaller.appspotmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Ernesto A. Fernandez <ernesto.mnd.fernandez@gmail.com>
+Cc: Vyacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/hfsplus/super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -588,6 +588,7 @@ static int hfsplus_fill_super(struct sup
+ return 0;
+
+ out_put_hidden_dir:
++ cancel_delayed_work_sync(&sbi->sync_work);
+ iput(sbi->hidden_dir);
+ out_put_root:
+ dput(sb->s_root);
--- /dev/null
+From 2d1d4c1e591fd40bd7dafd868a249d7d00e215d5 Mon Sep 17 00:00:00 2001
+From: Omar Sandoval <osandov@fb.com>
+Date: Mon, 26 Mar 2018 21:39:11 -0700
+Subject: loop: don't call into filesystem while holding lo_ctl_mutex
+
+From: Omar Sandoval <osandov@fb.com>
+
+commit 2d1d4c1e591fd40bd7dafd868a249d7d00e215d5 upstream.
+
+We hit an issue where a loop device on NFS was stuck in
+loop_get_status() doing vfs_getattr() after the NFS server died, which
+caused a pile-up of uninterruptible processes waiting on lo_ctl_mutex.
+There's no reason to hold this lock while we wait on the filesystem;
+let's drop it so that other processes can do their thing. We need to
+grab a reference on lo_backing_file while we use it, and we can get rid
+of the check on lo_device, which has been unnecessary since commit
+a34c0ae9ebd6 ("[PATCH] loop: remove the bio remapping capability") in
+the linux-history tree.
+
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/loop.c | 38 ++++++++++++++++++++++++--------------
+ 1 file changed, 24 insertions(+), 14 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1171,21 +1171,17 @@ loop_set_status(struct loop_device *lo,
+ static int
+ loop_get_status(struct loop_device *lo, struct loop_info64 *info)
+ {
+- struct file *file = lo->lo_backing_file;
++ struct file *file;
+ struct kstat stat;
+- int error;
++ int ret;
+
+- if (lo->lo_state != Lo_bound)
++ if (lo->lo_state != Lo_bound) {
++ mutex_unlock(&lo->lo_ctl_mutex);
+ return -ENXIO;
+- error = vfs_getattr(&file->f_path, &stat,
+- STATX_INO, AT_STATX_SYNC_AS_STAT);
+- if (error)
+- return error;
++ }
++
+ memset(info, 0, sizeof(*info));
+ info->lo_number = lo->lo_number;
+- info->lo_device = huge_encode_dev(stat.dev);
+- info->lo_inode = stat.ino;
+- info->lo_rdevice = huge_encode_dev(lo->lo_device ? stat.rdev : stat.dev);
+ info->lo_offset = lo->lo_offset;
+ info->lo_sizelimit = lo->lo_sizelimit;
+ info->lo_flags = lo->lo_flags;
+@@ -1198,7 +1194,19 @@ loop_get_status(struct loop_device *lo,
+ memcpy(info->lo_encrypt_key, lo->lo_encrypt_key,
+ lo->lo_encrypt_key_size);
+ }
+- return 0;
++
++ /* Drop lo_ctl_mutex while we call into the filesystem. */
++ file = get_file(lo->lo_backing_file);
++ mutex_unlock(&lo->lo_ctl_mutex);
++ ret = vfs_getattr(&file->f_path, &stat, STATX_INO,
++ AT_STATX_SYNC_AS_STAT);
++ if (!ret) {
++ info->lo_device = huge_encode_dev(stat.dev);
++ info->lo_inode = stat.ino;
++ info->lo_rdevice = huge_encode_dev(stat.rdev);
++ }
++ fput(file);
++ return ret;
+ }
+
+ static void
+@@ -1378,7 +1386,8 @@ static int lo_ioctl(struct block_device
+ break;
+ case LOOP_GET_STATUS:
+ err = loop_get_status_old(lo, (struct loop_info __user *) arg);
+- break;
++ /* loop_get_status() unlocks lo_ctl_mutex */
++ goto out_unlocked;
+ case LOOP_SET_STATUS64:
+ err = -EPERM;
+ if ((mode & FMODE_WRITE) || capable(CAP_SYS_ADMIN))
+@@ -1387,7 +1396,8 @@ static int lo_ioctl(struct block_device
+ break;
+ case LOOP_GET_STATUS64:
+ err = loop_get_status64(lo, (struct loop_info64 __user *) arg);
+- break;
++ /* loop_get_status() unlocks lo_ctl_mutex */
++ goto out_unlocked;
+ case LOOP_SET_CAPACITY:
+ err = -EPERM;
+ if ((mode & FMODE_WRITE) || capable(CAP_SYS_ADMIN))
+@@ -1548,7 +1558,7 @@ static int lo_compat_ioctl(struct block_
+ mutex_lock(&lo->lo_ctl_mutex);
+ err = loop_get_status_compat(
+ lo, (struct compat_loop_info __user *) arg);
+- mutex_unlock(&lo->lo_ctl_mutex);
++ /* loop_get_status() unlocks lo_ctl_mutex */
+ break;
+ case LOOP_SET_CAPACITY:
+ case LOOP_CLR_FD:
--- /dev/null
+From bdac616db9bbadb90b7d6a406144571015e138f7 Mon Sep 17 00:00:00 2001
+From: Omar Sandoval <osandov@fb.com>
+Date: Fri, 6 Apr 2018 09:57:03 -0700
+Subject: loop: fix LOOP_GET_STATUS lock imbalance
+
+From: Omar Sandoval <osandov@fb.com>
+
+commit bdac616db9bbadb90b7d6a406144571015e138f7 upstream.
+
+Commit 2d1d4c1e591f made loop_get_status() drop lo_ctx_mutex before
+returning, but the loop_get_status_old(), loop_get_status64(), and
+loop_get_status_compat() wrappers don't call loop_get_status() if the
+passed argument is NULL. The callers expect that the lock is dropped, so
+make sure we drop it in that case, too.
+
+Reported-by: syzbot+31e8daa8b3fc129e75f2@syzkaller.appspotmail.com
+Fixes: 2d1d4c1e591f ("loop: don't call into filesystem while holding lo_ctl_mutex")
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/loop.c | 33 ++++++++++++++++++---------------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1287,12 +1287,13 @@ static int
+ loop_get_status_old(struct loop_device *lo, struct loop_info __user *arg) {
+ struct loop_info info;
+ struct loop_info64 info64;
+- int err = 0;
++ int err;
+
+- if (!arg)
+- err = -EINVAL;
+- if (!err)
+- err = loop_get_status(lo, &info64);
++ if (!arg) {
++ mutex_unlock(&lo->lo_ctl_mutex);
++ return -EINVAL;
++ }
++ err = loop_get_status(lo, &info64);
+ if (!err)
+ err = loop_info64_to_old(&info64, &info);
+ if (!err && copy_to_user(arg, &info, sizeof(info)))
+@@ -1304,12 +1305,13 @@ loop_get_status_old(struct loop_device *
+ static int
+ loop_get_status64(struct loop_device *lo, struct loop_info64 __user *arg) {
+ struct loop_info64 info64;
+- int err = 0;
++ int err;
+
+- if (!arg)
+- err = -EINVAL;
+- if (!err)
+- err = loop_get_status(lo, &info64);
++ if (!arg) {
++ mutex_unlock(&lo->lo_ctl_mutex);
++ return -EINVAL;
++ }
++ err = loop_get_status(lo, &info64);
+ if (!err && copy_to_user(arg, &info64, sizeof(info64)))
+ err = -EFAULT;
+
+@@ -1530,12 +1532,13 @@ loop_get_status_compat(struct loop_devic
+ struct compat_loop_info __user *arg)
+ {
+ struct loop_info64 info64;
+- int err = 0;
++ int err;
+
+- if (!arg)
+- err = -EINVAL;
+- if (!err)
+- err = loop_get_status(lo, &info64);
++ if (!arg) {
++ mutex_unlock(&lo->lo_ctl_mutex);
++ return -EINVAL;
++ }
++ err = loop_get_status(lo, &info64);
+ if (!err)
+ err = loop_info64_to_compat(&info64, arg);
+ return err;
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Brad Love <brad@nextdimension.cc>
+Date: Thu, 4 Jan 2018 19:04:13 -0500
+Subject: media: em28xx: USB bulk packet size fix
+
+From: Brad Love <brad@nextdimension.cc>
+
+[ Upstream commit c7c7e8d7803406daa21e96d00c357de8b77b6764 ]
+
+Hauppauge em28xx bulk devices exhibit continuity errors and corrupted
+packets, when run in VMWare virtual machines. Unknown if other
+manufacturers bulk models exhibit the same issue. KVM/Qemu is unaffected.
+
+According to documentation the maximum packet multiplier for em28xx in bulk
+transfer mode is 256 * 188 bytes. This changes the size of bulk transfers
+to maximum supported value and have a bonus beneficial alignment.
+
+Before:
+
+After:
+
+This sets up USB to expect just as many bytes as the em28xx is set to emit.
+
+Successful usage under load afterwards natively and in both VMWare
+and KVM/Qemu virtual machines.
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Reviewed-by: Michael Ira Krufky <mkrufky@linuxtv.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/em28xx/em28xx.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/em28xx/em28xx.h
++++ b/drivers/media/usb/em28xx/em28xx.h
+@@ -191,7 +191,7 @@
+ USB 2.0 spec says bulk packet size is always 512 bytes
+ */
+ #define EM28XX_BULK_PACKET_MULTIPLIER 384
+-#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 384
++#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 94
+
+ #define EM28XX_INTERLACED_DEFAULT 1
+
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Brad Love <brad@nextdimension.cc>
+Date: Fri, 5 Jan 2018 09:57:12 -0500
+Subject: media: lgdt3306a: Fix module count mismatch on usb unplug
+
+From: Brad Love <brad@nextdimension.cc>
+
+[ Upstream commit 835d66173a38538c072a7c393d02360dcfac8582 ]
+
+When used as an i2c device there is a module usage count mismatch on
+removal, preventing the driver from being used thereafter. dvb_attach
+increments the usage count so it is properly balanced on removal.
+
+On disconnect of Hauppauge SoloHD/DualHD before:
+
+lsmod | grep lgdt3306a
+lgdt3306a 28672 -1
+i2c_mux 16384 1 lgdt3306a
+
+On disconnect of Hauppauge SoloHD/DualHD after:
+
+lsmod | grep lgdt3306a
+lgdt3306a 28672 0
+i2c_mux 16384 1 lgdt3306a
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-frontends/lgdt3306a.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/lgdt3306a.c
++++ b/drivers/media/dvb-frontends/lgdt3306a.c
+@@ -2169,7 +2169,7 @@ static int lgdt3306a_probe(struct i2c_cl
+ sizeof(struct lgdt3306a_config));
+
+ config->i2c_addr = client->addr;
+- fe = lgdt3306a_attach(config, client->adapter);
++ fe = dvb_attach(lgdt3306a_attach, config, client->adapter);
+ if (fe == NULL) {
+ ret = -ENODEV;
+ goto err_fe;
s390-use-expoline-thunks-in-the-bpf-jit.patch
scsi-sg-allocate-with-__gfp_zero-in-sg_build_indirect.patch
scsi-zfcp-fix-infinite-iteration-on-erp-ready-list.patch
+bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch
+alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch
+usb-dwc3-add-softreset-phy-synchonization-delay.patch
+usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch
+usb-dwc3-makefile-fix-link-error-on-randconfig.patch
+xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch
+usb-dwc2-fix-interval-type-issue.patch
+usb-dwc2-hcd-fix-host-channel-halt-flow.patch
+usb-dwc2-host-fix-transaction-errors-in-host-mode.patch
+usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch
+usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch
+usbip-correct-maximum-value-of-config_usbip_vhci_hc_ports.patch
+usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch
+usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch
+media-lgdt3306a-fix-module-count-mismatch-on-usb-unplug.patch
+media-em28xx-usb-bulk-packet-size-fix.patch
+bluetooth-btusb-add-device-id-for-rtl8822be.patch
+bluetooth-btusb-add-support-for-intel-bluetooth-device-22560.patch
+xhci-show-what-usb-release-number-the-xhc-supports-from-protocol-capablity.patch
+loop-don-t-call-into-filesystem-while-holding-lo_ctl_mutex.patch
+loop-fix-loop_get_status-lock-imbalance.patch
+cfg80211-limit-wiphy-names-to-128-bytes.patch
+hfsplus-stop-workqueue-when-fill_super-failed.patch
+x86-kexec-avoid-double-free_page-upon-do_kexec_load-failure.patch
+staging-bcm2835-audio-release-resources-on-module_exit.patch
+staging-fsl-dpaa2-eth-fix-incorrect-kfree.patch
+staging-lustre-fix-bug-in-osc_enter_cache_try.patch
+staging-fsl-dpaa2-eth-fix-incorrect-casts.patch
+staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch
+staging-ks7010-use-constants-from-ieee80211_eid-instead-of-literal-ints.patch
+staging-lustre-lmv-correctly-iput-lmo_root.patch
+crypto-inside-secure-move-the-digest-to-the-request-context.patch
+crypto-inside-secure-wait-for-the-request-to-complete-if-in-the-backlog.patch
+crypto-atmel-aes-fix-the-keys-zeroing-on-errors.patch
+crypto-ccp-don-t-disable-interrupts-while-setting-up-debugfs.patch
+crypto-inside-secure-do-not-process-request-if-no-command-was-issued.patch
+crypto-inside-secure-fix-the-cache_len-computation.patch
+crypto-inside-secure-fix-the-extra-cache-computation.patch
+crypto-inside-secure-do-not-overwrite-the-threshold-value.patch
+crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch
+crypto-inside-secure-fix-the-invalidation-step-during-cra_exit.patch
--- /dev/null
+From foo@baz Thu May 24 10:04:42 CEST 2018
+From: Kirill Marinushkin <k.marinushkin@gmail.com>
+Date: Fri, 23 Mar 2018 20:32:54 +0100
+Subject: staging: bcm2835-audio: Release resources on module_exit()
+
+From: Kirill Marinushkin <k.marinushkin@gmail.com>
+
+[ Upstream commit 626118b472d2eb45f83a0276a18d3e6a01c69f6a ]
+
+In the current implementation, `rmmod snd_bcm2835` does not release
+resources properly. It causes an oops when trying to list sound devices.
+
+This commit fixes it.
+
+The details WRT allocation / free are described below.
+
+Device structure WRT allocation:
+
+pdev
+ \childdev[]
+ \card
+ \chip
+ \pcm
+ \ctl
+
+Allocation / register sequence:
+
+* childdev: devm_kzalloc - freed during driver detach
+* childdev: device_initialize - freed during device_unregister
+* pdev: devres_alloc - freed during driver detach
+* childdev: device_add - removed during device_unregister
+* pdev, childdev: devres_add - freed during driver detach
+* card: snd_card_new - freed during snd_card_free
+* chip: kzalloc - freed during kfree
+* card, chip: snd_device_new - freed during snd_device_free
+* chip: new_pcm - TODO: free pcm
+* chip: new_ctl - TODO: free ctl
+* card: snd_card_register - unregistered during snd_card_free
+
+Free / unregister sequence:
+
+* card: snd_card_free
+* card, chip: snd_device_free
+* childdev: device_unregister
+* chip: kfree
+
+Steps to reproduce the issue before this commit:
+
+~~~~
+$ rmmod snd_bcm2835
+$ aplay -L
+[ 138.648130] Unable to handle kernel paging request at virtual address 7f1343c0
+[ 138.660415] pgd = ad8f0000
+[ 138.665567] [7f1343c0] *pgd=3864c811, *pte=00000000, *ppte=00000000
+[ 138.674887] Internal error: Oops: 7 [#1] SMP ARM
+[ 138.683571] Modules linked in: sha256_generic cfg80211 rfkill snd_pcm snd_timer
+ snd fixed uio_pdrv_genirq uio ip_tables x_tables ipv6 [last unloaded: snd_bcm2835
+]
+[ 138.706594] CPU: 3 PID: 463 Comm: aplay Tainted: G WC 4.15.0-rc1-v
+7+ #6
+[ 138.719833] Hardware name: BCM2835
+[ 138.726016] task: b877ac00 task.stack: aebec000
+[ 138.733408] PC is at try_module_get+0x38/0x24c
+[ 138.740813] LR is at snd_ctl_open+0x58/0x194 [snd]
+[ 138.748485] pc : [<801c4d5c>] lr : [<7f0e6b2c>] psr: 20000013
+[ 138.757709] sp : aebedd60 ip : aebedd88 fp : aebedd84
+[ 138.765884] r10: 00000000 r9 : 00000004 r8 : 7f0ed440
+[ 138.774040] r7 : b7e469b0 r6 : 7f0e6b2c r5 : afd91900 r4 : 7f1343c0
+[ 138.783571] r3 : aebec000 r2 : 00000001 r1 : b877ac00 r0 : 7f1343c0
+[ 138.793084] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+[ 138.803300] Control: 10c5387d Table: 2d8f006a DAC: 00000055
+[ 138.812064] Process aplay (pid: 463, stack limit = 0xaebec210)
+[ 138.820868] Stack: (0xaebedd60 to 0xaebee000)
+[ 138.828207] dd60: 00000000 b848d000 afd91900 00000000 b7e469b0 7f0ed440 aebedda4 aebedd88
+[ 138.842371] dd80: 7f0e6b2c 801c4d30 afd91900 7f0ea4dc 00000000 b7e469b0 aebeddcc aebedda8
+[ 138.856611] dda0: 7f0e250c 7f0e6ae0 7f0e2464 b8478ec0 b7e469b0 afd91900 7f0ea388 00000000
+[ 138.870864] ddc0: aebeddf4 aebeddd0 802ce590 7f0e2470 8090ab64 afd91900 afd91900 b7e469b0
+[ 138.885301] dde0: afd91908 802ce4e4 aebede1c aebeddf8 802c57b4 802ce4f0 afd91900 aebedea8
+[ 138.900110] de00: b7fa4c00 00000000 00000000 00000004 aebede3c aebede20 802c6ba8 802c56b4
+[ 138.915260] de20: aebedea8 00000000 aebedf5c 00000000 aebedea4 aebede40 802d9a68 802c6b58
+[ 138.930661] de40: b874ddd0 00000000 00000000 00000001 00000041 00000000 afd91900 aebede70
+[ 138.946402] de60: 00000000 00000000 00000002 b7e469b0 b8a87610 b8d6ab80 801852f8 00080000
+[ 138.962314] de80: aebedf5c aebedea8 00000001 80108464 aebec000 00000000 aebedf4c aebedea8
+[ 138.978414] dea0: 802dacd4 802d970c b8a87610 b8d6ab80 a7982bc6 00000009 af363019 b9231480
+[ 138.994617] dec0: 00000000 b8c038a0 b7e469b0 00000101 00000002 00000238 00000000 00000000
+[ 139.010823] dee0: 00000000 aebedee8 00080000 0000000f aebedf3c aebedf00 802ed7e4 80843f94
+[ 139.027025] df00: 00000003 00080000 b9231490 b9231480 00000000 00080000 af363000 00000000
+[ 139.043229] df20: 00000005 00000002 ffffff9c 00000000 00080000 ffffff9c af363000 00000003
+[ 139.059430] df40: aebedf94 aebedf50 802c6f70 802dac70 aebec000 00000000 00000001 00000000
+[ 139.075629] df60: 00020000 00000004 00000100 00000001 7ebe577c 0002e038 00000000 00000005
+[ 139.091828] df80: 80108464 aebec000 aebedfa4 aebedf98 802c7060 802c6e6c 00000000 aebedfa8
+[ 139.108025] dfa0: 801082c0 802c7040 7ebe577c 0002e038 7ebe577c 00080000 00000b98 e81c8400
+[ 139.124222] dfc0: 7ebe577c 0002e038 00000000 00000005 7ebe57e4 00a20af8 7ebe57f0 76f87394
+[ 139.140419] dfe0: 00000000 7ebe55c4 76ec88e8 76df1d9c 60000010 7ebe577c 00000000 00000000
+[ 139.156715] [<801c4d5c>] (try_module_get) from [<7f0e6b2c>] (snd_ctl_open+0x58/0x194 [snd])
+[ 139.173222] [<7f0e6b2c>] (snd_ctl_open [snd]) from [<7f0e250c>] (snd_open+0xa8/0x14c [snd])
+[ 139.189683] [<7f0e250c>] (snd_open [snd]) from [<802ce590>] (chrdev_open+0xac/0x188)
+[ 139.205465] [<802ce590>] (chrdev_open) from [<802c57b4>] (do_dentry_open+0x10c/0x314)
+[ 139.221347] [<802c57b4>] (do_dentry_open) from [<802c6ba8>] (vfs_open+0x5c/0x88)
+[ 139.236788] [<802c6ba8>] (vfs_open) from [<802d9a68>] (path_openat+0x368/0x944)
+[ 139.248270] [<802d9a68>] (path_openat) from [<802dacd4>] (do_filp_open+0x70/0xc4)
+[ 139.263731] [<802dacd4>] (do_filp_open) from [<802c6f70>] (do_sys_open+0x110/0x1d4)
+[ 139.279378] [<802c6f70>] (do_sys_open) from [<802c7060>] (SyS_open+0x2c/0x30)
+[ 139.290647] [<802c7060>] (SyS_open) from [<801082c0>] (ret_fast_syscall+0x0/0x28)
+[ 139.306021] Code: e3c3303f e5932004 e2822001 e5832004 (e5943000)
+[ 139.316265] ---[ end trace 7f3f7f6193b663ed ]---
+[ 139.324956] note: aplay[463] exited with preempt_count 1
+~~~~
+
+Signed-off-by: Kirill Marinushkin <k.marinushkin@gmail.com>
+Cc: Eric Anholt <eric@anholt.net>
+Cc: Stefan Wahren <stefan.wahren@i2se.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Cc: Ray Jui <rjui@broadcom.com>
+Cc: Scott Branden <sbranden@broadcom.com>
+Cc: bcm-kernel-feedback-list@broadcom.com
+Cc: Michael Zoran <mzoran@crowfest.net>
+Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: linux-rpi-kernel@lists.infradead.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: devel@driverdev.osuosl.org
+Cc: linux-kernel@vger.kernel.org
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/vc04_services/bcm2835-audio/bcm2835.c | 54 ++++++++----------
+ 1 file changed, 25 insertions(+), 29 deletions(-)
+
+--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835.c
++++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835.c
+@@ -25,6 +25,10 @@ MODULE_PARM_DESC(enable_compat_alsa,
+ static void snd_devm_unregister_child(struct device *dev, void *res)
+ {
+ struct device *childdev = *(struct device **)res;
++ struct bcm2835_chip *chip = dev_get_drvdata(childdev);
++ struct snd_card *card = chip->card;
++
++ snd_card_free(card);
+
+ device_unregister(childdev);
+ }
+@@ -50,6 +54,13 @@ static int snd_devm_add_child(struct dev
+ return 0;
+ }
+
++static void snd_bcm2835_release(struct device *dev)
++{
++ struct bcm2835_chip *chip = dev_get_drvdata(dev);
++
++ kfree(chip);
++}
++
+ static struct device *
+ snd_create_device(struct device *parent,
+ struct device_driver *driver,
+@@ -65,6 +76,7 @@ snd_create_device(struct device *parent,
+ device_initialize(device);
+ device->parent = parent;
+ device->driver = driver;
++ device->release = snd_bcm2835_release;
+
+ dev_set_name(device, "%s", name);
+
+@@ -75,18 +87,19 @@ snd_create_device(struct device *parent,
+ return device;
+ }
+
+-static int snd_bcm2835_free(struct bcm2835_chip *chip)
+-{
+- kfree(chip);
+- return 0;
+-}
+-
+ /* component-destructor
+ * (see "Management of Cards and Components")
+ */
+ static int snd_bcm2835_dev_free(struct snd_device *device)
+ {
+- return snd_bcm2835_free(device->device_data);
++ struct bcm2835_chip *chip = device->device_data;
++ struct snd_card *card = chip->card;
++
++ /* TODO: free pcm, ctl */
++
++ snd_device_free(card, chip);
++
++ return 0;
+ }
+
+ /* chip-specific constructor
+@@ -111,7 +124,7 @@ static int snd_bcm2835_create(struct snd
+
+ err = snd_device_new(card, SNDRV_DEV_LOWLEVEL, chip, &ops);
+ if (err) {
+- snd_bcm2835_free(chip);
++ kfree(chip);
+ return err;
+ }
+
+@@ -119,31 +132,14 @@ static int snd_bcm2835_create(struct snd
+ return 0;
+ }
+
+-static void snd_devm_card_free(struct device *dev, void *res)
++static struct snd_card *snd_bcm2835_card_new(struct device *dev)
+ {
+- struct snd_card *snd_card = *(struct snd_card **)res;
+-
+- snd_card_free(snd_card);
+-}
+-
+-static struct snd_card *snd_devm_card_new(struct device *dev)
+-{
+- struct snd_card **dr;
+ struct snd_card *card;
+ int ret;
+
+- dr = devres_alloc(snd_devm_card_free, sizeof(*dr), GFP_KERNEL);
+- if (!dr)
+- return ERR_PTR(-ENOMEM);
+-
+ ret = snd_card_new(dev, -1, NULL, THIS_MODULE, 0, &card);
+- if (ret) {
+- devres_free(dr);
++ if (ret)
+ return ERR_PTR(ret);
+- }
+-
+- *dr = card;
+- devres_add(dev, dr);
+
+ return card;
+ }
+@@ -260,7 +256,7 @@ static int snd_add_child_device(struct d
+ return PTR_ERR(child);
+ }
+
+- card = snd_devm_card_new(child);
++ card = snd_bcm2835_card_new(child);
+ if (IS_ERR(card)) {
+ dev_err(child, "Failed to create card");
+ return PTR_ERR(card);
+@@ -302,7 +298,7 @@ static int snd_add_child_device(struct d
+ return err;
+ }
+
+- dev_set_drvdata(child, card);
++ dev_set_drvdata(child, chip);
+ dev_info(child, "card created with %d channels\n", numchans);
+
+ return 0;
--- /dev/null
+From foo@baz Thu May 24 10:04:42 CEST 2018
+From: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+Date: Mon, 26 Feb 2018 10:28:06 -0600
+Subject: staging: fsl-dpaa2/eth: Fix incorrect casts
+
+From: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+
+[ Upstream commit 75c583ab9709692a60871d4719006391cde8dc1d ]
+
+The DPAA2 Ethernet driver incorrectly assumes virtual addresses
+are always 64b long, which causes compiler errors when building
+for a 32b platform.
+
+Fix this by using explicit casts to uintptr_t where necessary.
+
+Signed-off-by: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
++++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
+@@ -324,7 +324,7 @@ static int consume_frames(struct dpaa2_e
+ }
+
+ fd = dpaa2_dq_fd(dq);
+- fq = (struct dpaa2_eth_fq *)dpaa2_dq_fqd_ctx(dq);
++ fq = (struct dpaa2_eth_fq *)(uintptr_t)dpaa2_dq_fqd_ctx(dq);
+ fq->stats.frames++;
+
+ fq->consume(priv, ch, fd, &ch->napi, fq->flowid);
+@@ -1908,7 +1908,7 @@ static int setup_rx_flow(struct dpaa2_et
+ queue.destination.id = fq->channel->dpcon_id;
+ queue.destination.type = DPNI_DEST_DPCON;
+ queue.destination.priority = 1;
+- queue.user_context = (u64)fq;
++ queue.user_context = (u64)(uintptr_t)fq;
+ err = dpni_set_queue(priv->mc_io, 0, priv->mc_token,
+ DPNI_QUEUE_RX, 0, fq->flowid,
+ DPNI_QUEUE_OPT_USER_CTX | DPNI_QUEUE_OPT_DEST,
+@@ -1960,7 +1960,7 @@ static int setup_tx_flow(struct dpaa2_et
+ queue.destination.id = fq->channel->dpcon_id;
+ queue.destination.type = DPNI_DEST_DPCON;
+ queue.destination.priority = 0;
+- queue.user_context = (u64)fq;
++ queue.user_context = (u64)(uintptr_t)fq;
+ err = dpni_set_queue(priv->mc_io, 0, priv->mc_token,
+ DPNI_QUEUE_TX_CONFIRM, 0, fq->flowid,
+ DPNI_QUEUE_OPT_USER_CTX | DPNI_QUEUE_OPT_DEST,
--- /dev/null
+From foo@baz Thu May 24 10:04:42 CEST 2018
+From: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+Date: Wed, 14 Mar 2018 15:04:51 -0500
+Subject: staging: fsl-dpaa2/eth: Fix incorrect kfree
+
+From: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+
+[ Upstream commit 6a9bbe53db9a5aa0be9788aa8a2c250dee55444b ]
+
+Use netdev_alloc_frag() instead of kmalloc to allocate space for
+the S/G table of egress multi-buffer frames.
+
+This fixes a bug where an unaligned pointer received from the
+allocator would be overwritten with the 64B aligned value,
+leading to a wrong address being later passed to kfree.
+
+Signed-off-by: Ioana Radulescu <ruxandra.radulescu@nxp.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
++++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c
+@@ -374,12 +374,14 @@ static int build_sg_fd(struct dpaa2_eth_
+ /* Prepare the HW SGT structure */
+ sgt_buf_size = priv->tx_data_offset +
+ sizeof(struct dpaa2_sg_entry) * (1 + num_dma_bufs);
+- sgt_buf = kzalloc(sgt_buf_size + DPAA2_ETH_TX_BUF_ALIGN, GFP_ATOMIC);
++ sgt_buf = netdev_alloc_frag(sgt_buf_size + DPAA2_ETH_TX_BUF_ALIGN);
+ if (unlikely(!sgt_buf)) {
+ err = -ENOMEM;
+ goto sgt_buf_alloc_failed;
+ }
+ sgt_buf = PTR_ALIGN(sgt_buf, DPAA2_ETH_TX_BUF_ALIGN);
++ memset(sgt_buf, 0, sgt_buf_size);
++
+ sgt = (struct dpaa2_sg_entry *)(sgt_buf + priv->tx_data_offset);
+
+ /* Fill in the HW SGT structure.
+@@ -421,7 +423,7 @@ static int build_sg_fd(struct dpaa2_eth_
+ return 0;
+
+ dma_map_single_failed:
+- kfree(sgt_buf);
++ skb_free_frag(sgt_buf);
+ sgt_buf_alloc_failed:
+ dma_unmap_sg(dev, scl, num_sg, DMA_BIDIRECTIONAL);
+ dma_map_sg_failed:
+@@ -525,9 +527,9 @@ static void free_tx_fd(const struct dpaa
+ return;
+ }
+
+- /* Free SGT buffer kmalloc'ed on tx */
++ /* Free SGT buffer allocated on tx */
+ if (fd_format != dpaa2_fd_single)
+- kfree(skbh);
++ skb_free_frag(skbh);
+
+ /* Move on with skb release */
+ dev_kfree_skb(skb);
--- /dev/null
+From foo@baz Thu May 24 10:04:42 CEST 2018
+From: Quytelda Kahja <quytelda@tamalin.org>
+Date: Wed, 28 Feb 2018 21:19:07 -0800
+Subject: staging: ks7010: Use constants from ieee80211_eid instead of literal ints.
+
+From: Quytelda Kahja <quytelda@tamalin.org>
+
+[ Upstream commit dc13498ab47fdfae3cda4df712beb2e4244b3fe0 ]
+
+The case statement in get_ap_information() should not use literal integers
+to parse information element IDs when these values are provided by name
+in 'enum ieee80211_eid' in the header 'linux/ieee80211.h'.
+
+Signed-off-by: Quytelda Kahja <quytelda@tamalin.org>
+Reviewed-by: Tobin C. Harding <me@tobin.cc>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/ks7010/ks_hostif.c | 31 +++++++++++++++----------------
+ drivers/staging/ks7010/ks_hostif.h | 1 +
+ 2 files changed, 16 insertions(+), 16 deletions(-)
+
+--- a/drivers/staging/ks7010/ks_hostif.c
++++ b/drivers/staging/ks7010/ks_hostif.c
+@@ -242,9 +242,8 @@ int get_ap_information(struct ks_wlan_pr
+ offset = 0;
+
+ while (bsize > offset) {
+- /* DPRINTK(4, "Element ID=%d\n",*bp); */
+- switch (*bp) {
+- case 0: /* ssid */
++ switch (*bp) { /* Information Element ID */
++ case WLAN_EID_SSID:
+ if (*(bp + 1) <= SSID_MAX_SIZE) {
+ ap->ssid.size = *(bp + 1);
+ } else {
+@@ -254,8 +253,8 @@ int get_ap_information(struct ks_wlan_pr
+ }
+ memcpy(ap->ssid.body, bp + 2, ap->ssid.size);
+ break;
+- case 1: /* rate */
+- case 50: /* ext rate */
++ case WLAN_EID_SUPP_RATES:
++ case WLAN_EID_EXT_SUPP_RATES:
+ if ((*(bp + 1) + ap->rate_set.size) <=
+ RATE_SET_MAX_SIZE) {
+ memcpy(&ap->rate_set.body[ap->rate_set.size],
+@@ -271,9 +270,9 @@ int get_ap_information(struct ks_wlan_pr
+ (RATE_SET_MAX_SIZE - ap->rate_set.size);
+ }
+ break;
+- case 3: /* DS parameter */
++ case WLAN_EID_DS_PARAMS:
+ break;
+- case 48: /* RSN(WPA2) */
++ case WLAN_EID_RSN:
+ ap->rsn_ie.id = *bp;
+ if (*(bp + 1) <= RSN_IE_BODY_MAX) {
+ ap->rsn_ie.size = *(bp + 1);
+@@ -284,8 +283,8 @@ int get_ap_information(struct ks_wlan_pr
+ }
+ memcpy(ap->rsn_ie.body, bp + 2, ap->rsn_ie.size);
+ break;
+- case 221: /* WPA */
+- if (memcmp(bp + 2, "\x00\x50\xf2\x01", 4) == 0) { /* WPA OUI check */
++ case WLAN_EID_VENDOR_SPECIFIC: /* WPA */
++ if (memcmp(bp + 2, "\x00\x50\xf2\x01", 4) == 0) { /* WPA OUI check */
+ ap->wpa_ie.id = *bp;
+ if (*(bp + 1) <= RSN_IE_BODY_MAX) {
+ ap->wpa_ie.size = *(bp + 1);
+@@ -300,18 +299,18 @@ int get_ap_information(struct ks_wlan_pr
+ }
+ break;
+
+- case 2: /* FH parameter */
+- case 4: /* CF parameter */
+- case 5: /* TIM */
+- case 6: /* IBSS parameter */
+- case 7: /* Country */
+- case 42: /* ERP information */
+- case 47: /* Reserve ID 47 Broadcom AP */
++ case WLAN_EID_FH_PARAMS:
++ case WLAN_EID_CF_PARAMS:
++ case WLAN_EID_TIM:
++ case WLAN_EID_IBSS_PARAMS:
++ case WLAN_EID_COUNTRY:
++ case WLAN_EID_ERP_INFO:
+ break;
+ default:
+ DPRINTK(4, "unknown Element ID=%d\n", *bp);
+ break;
+ }
++
+ offset += 2; /* id & size field */
+ offset += *(bp + 1); /* +size offset */
+ bp += (*(bp + 1) + 2); /* pointer update */
+--- a/drivers/staging/ks7010/ks_hostif.h
++++ b/drivers/staging/ks7010/ks_hostif.h
+@@ -13,6 +13,7 @@
+ #define _KS_HOSTIF_H_
+
+ #include <linux/compiler.h>
++#include <linux/ieee80211.h>
+
+ /*
+ * HOST-MAC I/F events
--- /dev/null
+From foo@baz Thu May 24 10:04:42 CEST 2018
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 2 Mar 2018 10:31:25 +1100
+Subject: staging: lustre: fix bug in osc_enter_cache_try
+
+From: NeilBrown <neilb@suse.com>
+
+[ Upstream commit 2fab9faf9b27298c4536c1c1b14072ab18b8f80b ]
+
+The lustre-release patch commit bdc5bb52c554 ("LU-4933 osc:
+Automatically increase the max_dirty_mb") changed
+
+- if (cli->cl_dirty + PAGE_CACHE_SIZE <= cli->cl_dirty_max &&
++ if (cli->cl_dirty_pages < cli->cl_dirty_max_pages &&
+
+When this patch landed in Linux a couple of years later, it landed as
+
+- if (cli->cl_dirty + PAGE_SIZE <= cli->cl_dirty_max &&
++ if (cli->cl_dirty_pages <= cli->cl_dirty_max_pages &&
+
+which is clearly different ('<=' vs '<'), and allows cl_dirty_pages to
+increase beyond cl_dirty_max_pages - which causes a latter assertion
+to fails.
+
+Fixes: 3147b268400a ("staging: lustre: osc: Automatically increase the max_dirty_mb")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/lustre/lustre/include/obd.h | 2 +-
+ drivers/staging/lustre/lustre/osc/osc_cache.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/lustre/lustre/include/obd.h
++++ b/drivers/staging/lustre/lustre/include/obd.h
+@@ -191,7 +191,7 @@ struct client_obd {
+ struct sptlrpc_flavor cl_flvr_mgc; /* fixed flavor of mgc->mgs */
+
+ /* the grant values are protected by loi_list_lock below */
+- unsigned long cl_dirty_pages; /* all _dirty_ in pahges */
++ unsigned long cl_dirty_pages; /* all _dirty_ in pages */
+ unsigned long cl_dirty_max_pages; /* allowed w/o rpc */
+ unsigned long cl_dirty_transit; /* dirty synchronous */
+ unsigned long cl_avail_grant; /* bytes of credit for ost */
+--- a/drivers/staging/lustre/lustre/osc/osc_cache.c
++++ b/drivers/staging/lustre/lustre/osc/osc_cache.c
+@@ -1530,7 +1530,7 @@ static int osc_enter_cache_try(struct cl
+ if (rc < 0)
+ return 0;
+
+- if (cli->cl_dirty_pages <= cli->cl_dirty_max_pages &&
++ if (cli->cl_dirty_pages < cli->cl_dirty_max_pages &&
+ atomic_long_read(&obd_dirty_pages) + 1 <= obd_max_dirty_pages) {
+ osc_consume_write_grant(cli, &oap->oap_brw_page);
+ if (transient) {
--- /dev/null
+From foo@baz Thu May 24 10:04:42 CEST 2018
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 23 Feb 2018 09:09:33 +1100
+Subject: staging: lustre: lmv: correctly iput lmo_root
+
+From: NeilBrown <neilb@suse.com>
+
+[ Upstream commit 17556cdbe6ed70a6a20e597b228628f7f34387f8 ]
+
+Commit 8f18c8a48b73 ("staging: lustre: lmv: separate master object
+with master stripe") changed how lmo_root inodes were managed,
+particularly when LMV_HASH_FLAG_MIGRATION is not set.
+Previously lsm_md_oinfo[0].lmo_root was always a borrowed
+inode reference and didn't need to by iput().
+Since the change, that special case only applies when
+LMV_HASH_FLAG_MIGRATION is set
+
+In the upstream (lustre-release) version of this patch [Commit
+60e07b972114 ("LU-4690 lod: separate master object with master
+stripe")] the for loop in the lmv_unpack_md() was changed to count
+from 0 and to ignore entry 0 if LMV_HASH_FLAG_MIGRATION is set.
+In the patch that got applied to Linux, that change was missing,
+so lsm_md_oinfo[0].lmo_root is never iput().
+This results in a "VFS: Busy inodes" warning at unmount.
+
+Fixes: 8f18c8a48b73 ("staging: lustre: lmv: separate master object with master stripe")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Reviewed-by: James Simmons <jsimmons@infradead.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/lustre/lustre/lmv/lmv_obd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/lustre/lustre/lmv/lmv_obd.c
++++ b/drivers/staging/lustre/lustre/lmv/lmv_obd.c
+@@ -2695,7 +2695,7 @@ static int lmv_unpackmd(struct obd_expor
+ if (lsm && !lmm) {
+ int i;
+
+- for (i = 1; i < lsm->lsm_md_stripe_count; i++) {
++ for (i = 0; i < lsm->lsm_md_stripe_count; i++) {
+ /*
+ * For migrating inode, the master stripe and master
+ * object will be the same, so do not need iput, see
--- /dev/null
+From foo@baz Thu May 24 10:04:42 CEST 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 28 Feb 2018 11:28:49 +0000
+Subject: staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit e1a7418529e33bc4efc346324557251a16a3e79b ]
+
+Currently the allocation of priv->oldaddr is not null checked which will
+lead to subsequent errors when accessing priv->oldaddr. Fix this with
+a null pointer check and a return of -ENOMEM on allocation failure.
+
+Detected with Coccinelle:
+drivers/staging/rtl8192u/r8192U_core.c:1708:2-15: alloc with no test,
+possible model on line 1723
+
+Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8192u/r8192U_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/rtl8192u/r8192U_core.c
++++ b/drivers/staging/rtl8192u/r8192U_core.c
+@@ -1706,6 +1706,8 @@ static short rtl8192_usb_initendpoints(s
+
+ priv->rx_urb[16] = usb_alloc_urb(0, GFP_KERNEL);
+ priv->oldaddr = kmalloc(16, GFP_KERNEL);
++ if (!priv->oldaddr)
++ return -ENOMEM;
+ oldaddr = priv->oldaddr;
+ align = ((long)oldaddr) & 3;
+ if (align) {
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Grigor Tovmasyan <Grigor.Tovmasyan@synopsys.com>
+Date: Tue, 6 Feb 2018 19:07:38 +0400
+Subject: usb: dwc2: Fix interval type issue
+
+From: Grigor Tovmasyan <Grigor.Tovmasyan@synopsys.com>
+
+[ Upstream commit 12814a3f8f9b247531d7863170cc82b3fe4218fd ]
+
+The maximum value that unsigned char can hold is 255, meanwhile
+the maximum value of interval is 2^(bIntervalMax-1)=2^15.
+
+Signed-off-by: Grigor Tovmasyan <tovmasya@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/core.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc2/core.h
++++ b/drivers/usb/dwc2/core.h
+@@ -217,7 +217,7 @@ struct dwc2_hsotg_ep {
+ unsigned char dir_in;
+ unsigned char index;
+ unsigned char mc;
+- unsigned char interval;
++ u16 interval;
+
+ unsigned int halted:1;
+ unsigned int periodic:1;
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Minas Harutyunyan <hminas@synopsys.com>
+Date: Fri, 19 Jan 2018 14:43:53 +0400
+Subject: usb: dwc2: hcd: Fix host channel halt flow
+
+From: Minas Harutyunyan <hminas@synopsys.com>
+
+[ Upstream commit a82c7abdf8fc3b09c4a0ed2eee6d43ecef2ccdb0 ]
+
+According databook in Buffer and External DMA mode
+non-split periodic channels can't be halted.
+
+Acked-by: John Youn <johnyoun@synopsys.com>
+Signed-off-by: Minas Harutyunyan <hminas@synopsys.com>
+Signed-off-by: Grigor Tovmasyan <tovmasya@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/hcd.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/usb/dwc2/hcd.c
++++ b/drivers/usb/dwc2/hcd.c
+@@ -989,6 +989,24 @@ void dwc2_hc_halt(struct dwc2_hsotg *hso
+
+ if (dbg_hc(chan))
+ dev_vdbg(hsotg->dev, "%s()\n", __func__);
++
++ /*
++ * In buffer DMA or external DMA mode channel can't be halted
++ * for non-split periodic channels. At the end of the next
++ * uframe/frame (in the worst case), the core generates a channel
++ * halted and disables the channel automatically.
++ */
++ if ((hsotg->params.g_dma && !hsotg->params.g_dma_desc) ||
++ hsotg->hw_params.arch == GHWCFG2_EXT_DMA_ARCH) {
++ if (!chan->do_split &&
++ (chan->ep_type == USB_ENDPOINT_XFER_ISOC ||
++ chan->ep_type == USB_ENDPOINT_XFER_INT)) {
++ dev_err(hsotg->dev, "%s() Channel can't be halted\n",
++ __func__);
++ return;
++ }
++ }
++
+ if (halt_status == DWC2_HC_XFER_NO_HALT_STATUS)
+ dev_err(hsotg->dev, "!!! halt_status = %d !!!\n", halt_status);
+
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Minas Harutyunyan <hminas@synopsys.com>
+Date: Fri, 19 Jan 2018 14:44:20 +0400
+Subject: usb: dwc2: host: Fix transaction errors in host mode
+
+From: Minas Harutyunyan <hminas@synopsys.com>
+
+[ Upstream commit 92a8dd26464e1f21f1d869ec53717bd2c1200d63 ]
+
+Added missing GUSBCFG programming in host mode, which fixes
+transaction errors issue on HiKey and Altera Cyclone V boards.
+
+These field even if was programmed in device mode (in function
+dwc2_hsotg_core_init_disconnected()) will be resetting to POR values
+after core soft reset applied.
+So, each time when switching to host mode required to set this field
+to correct value.
+
+Acked-by: John Youn <johnyoun@synopsys.com>
+Signed-off-by: Minas Harutyunyan <hminas@synopsys.com>
+Signed-off-by: Grigor Tovmasyan <tovmasya@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/hcd.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc2/hcd.c
++++ b/drivers/usb/dwc2/hcd.c
+@@ -2340,10 +2340,22 @@ static int dwc2_core_init(struct dwc2_hs
+ */
+ static void dwc2_core_host_init(struct dwc2_hsotg *hsotg)
+ {
+- u32 hcfg, hfir, otgctl;
++ u32 hcfg, hfir, otgctl, usbcfg;
+
+ dev_dbg(hsotg->dev, "%s(%p)\n", __func__, hsotg);
+
++ /* Set HS/FS Timeout Calibration to 7 (max available value).
++ * The number of PHY clocks that the application programs in
++ * this field is added to the high/full speed interpacket timeout
++ * duration in the core to account for any additional delays
++ * introduced by the PHY. This can be required, because the delay
++ * introduced by the PHY in generating the linestate condition
++ * can vary from one PHY to another.
++ */
++ usbcfg = dwc2_readl(hsotg->regs + GUSBCFG);
++ usbcfg |= GUSBCFG_TOUTCAL(7);
++ dwc2_writel(usbcfg, hsotg->regs + GUSBCFG);
++
+ /* Restart the Phy Clock */
+ dwc2_writel(0, hsotg->regs + PCGCTL);
+
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Fri, 16 Mar 2018 15:33:48 -0700
+Subject: usb: dwc3: Add SoftReset PHY synchonization delay
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+[ Upstream commit fab3833338779e1e668bd58d1f76d601657304b8 ]
+
+>From DWC_usb31 programming guide section 1.3.2, once DWC3_DCTL_CSFTRST
+bit is cleared, we must wait at least 50ms before accessing the PHY
+domain (synchronization delay).
+
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -232,7 +232,7 @@ static int dwc3_core_soft_reset(struct d
+ do {
+ reg = dwc3_readl(dwc->regs, DWC3_DCTL);
+ if (!(reg & DWC3_DCTL_CSFTRST))
+- return 0;
++ goto done;
+
+ udelay(1);
+ } while (--retries);
+@@ -241,6 +241,17 @@ static int dwc3_core_soft_reset(struct d
+ phy_exit(dwc->usb2_generic_phy);
+
+ return -ETIMEDOUT;
++
++done:
++ /*
++ * For DWC_usb31 controller, once DWC3_DCTL_CSFTRST bit is cleared,
++ * we must wait at least 50ms before accessing the PHY domain
++ * (synchronization delay). DWC_usb31 programming guide section 1.3.2.
++ */
++ if (dwc3_is_usb31(dwc))
++ msleep(50);
++
++ return 0;
+ }
+
+ /*
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+Date: Thu, 22 Mar 2018 10:45:20 +0200
+Subject: usb: dwc3: Makefile: fix link error on randconfig
+
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+[ Upstream commit de948a74ad6f0eefddf36d765b8f2dd6df82caa0 ]
+
+If building a kernel without FTRACE but with TRACING, dwc3.ko fails to
+link due to missing trace events. Fix this by using the correct
+Kconfig symbol on Makefile.
+
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/Makefile
++++ b/drivers/usb/dwc3/Makefile
+@@ -6,7 +6,7 @@ obj-$(CONFIG_USB_DWC3) += dwc3.o
+
+ dwc3-y := core.o
+
+-ifneq ($(CONFIG_FTRACE),)
++ifneq ($(CONFIG_TRACING),)
+ dwc3-y += trace.o
+ endif
+
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Fri, 16 Mar 2018 15:33:54 -0700
+Subject: usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+[ Upstream commit 0cab8d26d6e5e053b2bed3356992aaa71dc93628 ]
+
+Update two GTXFIFOSIZ bit fields for the DWC_usb31 controller. TXFDEP
+is a 15-bit value instead of 16-bit value, and bit 15 is TXFRAMNUM.
+
+The GTXFIFOSIZ register for DWC_usb31 is as follows:
+ +-------+-----------+----------------------------------+
+ | BITS | Name | Description |
+ +=======+===========+==================================+
+ | 31:16 | TXFSTADDR | Transmit FIFOn RAM Start Address |
+ | 15 | TXFRAMNUM | Asynchronous/Periodic TXFIFO |
+ | 14:0 | TXFDEP | TXFIFO Depth |
+ +-------+-----------+----------------------------------+
+
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -241,6 +241,8 @@
+ #define DWC3_GUSB3PIPECTL_TX_DEEPH(n) ((n) << 1)
+
+ /* Global TX Fifo Size Register */
++#define DWC31_GTXFIFOSIZ_TXFRAMNUM BIT(15) /* DWC_usb31 only */
++#define DWC31_GTXFIFOSIZ_TXFDEF(n) ((n) & 0x7fff) /* DWC_usb31 only */
+ #define DWC3_GTXFIFOSIZ_TXFDEF(n) ((n) & 0xffff)
+ #define DWC3_GTXFIFOSIZ_TXFSTADDR(n) ((n) & 0xffff0000)
+
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Chris Dickens <christopher.a.dickens@gmail.com>
+Date: Sun, 31 Dec 2017 18:59:42 -0800
+Subject: usb: gadget: composite: fix incorrect handling of OS desc requests
+
+From: Chris Dickens <christopher.a.dickens@gmail.com>
+
+[ Upstream commit 5d6ae4f0da8a64a185074dabb1b2f8c148efa741 ]
+
+When handling an OS descriptor request, one of the first operations is
+to zero out the request buffer using the wLength from the setup packet.
+There is no bounds checking, so a wLength > 4096 would clobber memory
+adjacent to the request buffer. Fix this by taking the min of wLength
+and the request buffer length prior to the memset. While at it, define
+the buffer length in a header file so that magic numbers don't appear
+throughout the code.
+
+When returning data to the host, the data length should be the min of
+the wLength and the valid data we have to return. Currently we are
+returning wLength, thus requests for a wLength greater than the amount
+of data in the OS descriptor buffer would return invalid (albeit zero'd)
+data following the valid descriptor data. Fix this by counting the
+number of bytes when constructing the data and using this when
+determining the length of the request.
+
+Signed-off-by: Chris Dickens <christopher.a.dickens@gmail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/composite.c | 40 +++++++++++++++++++---------------------
+ include/linux/usb/composite.h | 3 +++
+ 2 files changed, 22 insertions(+), 21 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1422,7 +1422,7 @@ static int count_ext_compat(struct usb_c
+ return res;
+ }
+
+-static void fill_ext_compat(struct usb_configuration *c, u8 *buf)
++static int fill_ext_compat(struct usb_configuration *c, u8 *buf)
+ {
+ int i, count;
+
+@@ -1449,10 +1449,12 @@ static void fill_ext_compat(struct usb_c
+ buf += 23;
+ }
+ count += 24;
+- if (count >= 4096)
+- return;
++ if (count + 24 >= USB_COMP_EP0_OS_DESC_BUFSIZ)
++ return count;
+ }
+ }
++
++ return count;
+ }
+
+ static int count_ext_prop(struct usb_configuration *c, int interface)
+@@ -1497,25 +1499,20 @@ static int fill_ext_prop(struct usb_conf
+ struct usb_os_desc *d;
+ struct usb_os_desc_ext_prop *ext_prop;
+ int j, count, n, ret;
+- u8 *start = buf;
+
+ f = c->interface[interface];
++ count = 10; /* header length */
+ for (j = 0; j < f->os_desc_n; ++j) {
+ if (interface != f->os_desc_table[j].if_id)
+ continue;
+ d = f->os_desc_table[j].os_desc;
+ if (d)
+ list_for_each_entry(ext_prop, &d->ext_prop, entry) {
+- /* 4kB minus header length */
+- n = buf - start;
+- if (n >= 4086)
+- return 0;
+-
+- count = ext_prop->data_len +
++ n = ext_prop->data_len +
+ ext_prop->name_len + 14;
+- if (count > 4086 - n)
+- return -EINVAL;
+- usb_ext_prop_put_size(buf, count);
++ if (count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ)
++ return count;
++ usb_ext_prop_put_size(buf, n);
+ usb_ext_prop_put_type(buf, ext_prop->type);
+ ret = usb_ext_prop_put_name(buf, ext_prop->name,
+ ext_prop->name_len);
+@@ -1541,11 +1538,12 @@ static int fill_ext_prop(struct usb_conf
+ default:
+ return -EINVAL;
+ }
+- buf += count;
++ buf += n;
++ count += n;
+ }
+ }
+
+- return 0;
++ return count;
+ }
+
+ /*
+@@ -1827,6 +1825,7 @@ unknown:
+ req->complete = composite_setup_complete;
+ buf = req->buf;
+ os_desc_cfg = cdev->os_desc_config;
++ w_length = min_t(u16, w_length, USB_COMP_EP0_OS_DESC_BUFSIZ);
+ memset(buf, 0, w_length);
+ buf[5] = 0x01;
+ switch (ctrl->bRequestType & USB_RECIP_MASK) {
+@@ -1850,8 +1849,8 @@ unknown:
+ count += 16; /* header */
+ put_unaligned_le32(count, buf);
+ buf += 16;
+- fill_ext_compat(os_desc_cfg, buf);
+- value = w_length;
++ value = fill_ext_compat(os_desc_cfg, buf);
++ value = min_t(u16, w_length, value);
+ }
+ break;
+ case USB_RECIP_INTERFACE:
+@@ -1880,8 +1879,7 @@ unknown:
+ interface, buf);
+ if (value < 0)
+ return value;
+-
+- value = w_length;
++ value = min_t(u16, w_length, value);
+ }
+ break;
+ }
+@@ -2156,8 +2154,8 @@ int composite_os_desc_req_prepare(struct
+ goto end;
+ }
+
+- /* OS feature descriptor length <= 4kB */
+- cdev->os_desc_req->buf = kmalloc(4096, GFP_KERNEL);
++ cdev->os_desc_req->buf = kmalloc(USB_COMP_EP0_OS_DESC_BUFSIZ,
++ GFP_KERNEL);
+ if (!cdev->os_desc_req->buf) {
+ ret = -ENOMEM;
+ usb_ep_free_request(ep0, cdev->os_desc_req);
+--- a/include/linux/usb/composite.h
++++ b/include/linux/usb/composite.h
+@@ -54,6 +54,9 @@
+ /* big enough to hold our biggest descriptor */
+ #define USB_COMP_EP0_BUFSIZ 1024
+
++/* OS feature descriptor length <= 4kB */
++#define USB_COMP_EP0_OS_DESC_BUFSIZ 4096
++
+ #define USB_MS_TO_HS_INTERVAL(x) (ilog2((x * 1000 / 125)) + 1)
+ struct usb_configuration;
+
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Fri, 12 Jan 2018 11:05:02 +0100
+Subject: usb: gadget: ffs: Execute copy_to_user() with USER_DS set
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+[ Upstream commit 4058ebf33cb0be88ca516f968eda24ab7b6b93e4 ]
+
+When using a AIO read() operation on the function FS gadget driver a URB is
+submitted asynchronously and on URB completion the received data is copied
+to the userspace buffer associated with the read operation.
+
+This is done from a kernel worker thread invoking copy_to_user() (through
+copy_to_iter()). And while the user space process memory is made available
+to the kernel thread using use_mm(), some architecture require in addition
+to this that the operation runs with USER_DS set. Otherwise the userspace
+memory access will fail.
+
+For example on ARM64 with Privileged Access Never (PAN) and User Access
+Override (UAO) enabled the following crash occurs.
+
+ Internal error: Accessing user space memory with fs=KERNEL_DS: 9600004f [#1] SMP
+ Modules linked in:
+ CPU: 2 PID: 1636 Comm: kworker/2:1 Not tainted 4.9.0-04081-g8ab2dfb-dirty #487
+ Hardware name: ZynqMP ZCU102 Rev1.0 (DT)
+ Workqueue: events ffs_user_copy_worker
+ task: ffffffc87afc8080 task.stack: ffffffc87a00c000
+ PC is at __arch_copy_to_user+0x190/0x220
+ LR is at copy_to_iter+0x78/0x3c8
+ [...]
+ [<ffffff800847b790>] __arch_copy_to_user+0x190/0x220
+ [<ffffff80086f25d8>] ffs_user_copy_worker+0x70/0x130
+ [<ffffff80080b8c64>] process_one_work+0x1dc/0x460
+ [<ffffff80080b8f38>] worker_thread+0x50/0x4b0
+ [<ffffff80080bf5a0>] kthread+0xd8/0xf0
+ [<ffffff8008083680>] ret_from_fork+0x10/0x50
+
+Address this by placing a set_fs(USER_DS) before of the copy operation
+and revert it again once the copy operation has finished.
+
+This patch is analogous to commit d7ffde35e31a ("vhost: use USER_DS in
+vhost_worker thread") which addresses the same underlying issue.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -758,9 +758,13 @@ static void ffs_user_copy_worker(struct
+ bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD;
+
+ if (io_data->read && ret > 0) {
++ mm_segment_t oldfs = get_fs();
++
++ set_fs(USER_DS);
+ use_mm(io_data->mm);
+ ret = ffs_copy_to_iter(io_data->buf, ret, &io_data->data);
+ unuse_mm(io_data->mm);
++ set_fs(oldfs);
+ }
+
+ io_data->kiocb->ki_complete(io_data->kiocb, ret, ret);
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Fri, 12 Jan 2018 11:26:16 +0100
+Subject: usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+[ Upstream commit 946ef68ad4e45aa048a5fb41ce8823ed29da866a ]
+
+Some UDC drivers (like the DWC3) expect that the response to a setup()
+request is queued from within the setup function itself so that it is
+available as soon as setup() has completed.
+
+Upon receiving a setup request the function fs driver creates an event that
+is made available to userspace. And only once userspace has acknowledged
+that event the response to the setup request is queued.
+
+So it violates the requirement of those UDC drivers and random failures can
+be observed. This is basically a race condition and if userspace is able to
+read the event and queue the response fast enough all is good. But if it is
+not, for example because other processes are currently scheduled to run,
+the USB host that sent the setup request will observe an error.
+
+To avoid this the gadget framework provides the USB_GADGET_DELAYED_STATUS
+return code. If a setup() callback returns this value the UDC driver is
+aware that response is not yet available and can uses the appropriate
+methods to handle this case.
+
+Since in the case of function fs the response will never be available when
+the setup() function returns make sure that this status code is used.
+
+This fixed random occasional failures that were previously observed on a
+DWC3 based system under high system load.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -3238,7 +3238,7 @@ static int ffs_func_setup(struct usb_fun
+ __ffs_event_add(ffs, FUNCTIONFS_SETUP);
+ spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
+
+- return 0;
++ return USB_GADGET_DELAYED_STATUS;
+ }
+
+ static bool ffs_func_req_match(struct usb_function *f,
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Tue, 6 Feb 2018 09:50:40 +0100
+Subject: usb: gadget: udc: change comparison to bitshift when dealing with a mask
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit ac87e560f7c0f91b62012e9a159c0681a373b922 ]
+
+Due to a typo, the mask was destroyed by a comparison instead of a bit
+shift.
+
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/goku_udc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/goku_udc.h
++++ b/drivers/usb/gadget/udc/goku_udc.h
+@@ -25,7 +25,7 @@ struct goku_udc_regs {
+ # define INT_EP1DATASET 0x00040
+ # define INT_EP2DATASET 0x00080
+ # define INT_EP3DATASET 0x00100
+-#define INT_EPnNAK(n) (0x00100 < (n)) /* 0 < n < 4 */
++#define INT_EPnNAK(n) (0x00100 << (n)) /* 0 < n < 4 */
+ # define INT_EP1NAK 0x00200
+ # define INT_EP2NAK 0x00400
+ # define INT_EP3NAK 0x00800
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 29 Jan 2018 00:04:18 +0000
+Subject: usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+[ Upstream commit 351a8d4837ae0d61744e64262c3a80ab92ff3e42 ]
+
+Now that usbip supports USB3, the maximum number of ports allowed
+on a hub is 15 (USB_SS_MAXPORTS), not 31 (USB_MAXCHILDREN).
+
+Reported-by: Gianluigi Tiesi <sherpya@netfarm.it>
+Reported-by: Borissh1983 <borissh1983@gmail.com>
+References: https://bugs.debian.org/878866
+Fixes: 1c9de5bf4286 ("usbip: vhci-hcd: Add USB3 SuperSpeed support")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/usbip/Kconfig
++++ b/drivers/usb/usbip/Kconfig
+@@ -27,7 +27,7 @@ config USBIP_VHCI_HCD
+
+ config USBIP_VHCI_HC_PORTS
+ int "Number of ports per USB/IP virtual host controller"
+- range 1 31
++ range 1 15
+ default 8
+ depends on USBIP_VHCI_HCD
+ ---help---
--- /dev/null
+From a466ef76b815b86748d9870ef2a430af7b39c710 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Wed, 9 May 2018 19:42:20 +0900
+Subject: x86/kexec: Avoid double free_page() upon do_kexec_load() failure
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit a466ef76b815b86748d9870ef2a430af7b39c710 upstream.
+
+>From ff82bedd3e12f0d3353282054ae48c3bd8c72012 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Wed, 9 May 2018 12:12:39 +0900
+Subject: x86/kexec: Avoid double free_page() upon do_kexec_load() failure
+
+syzbot is reporting crashes after memory allocation failure inside
+do_kexec_load() [1]. This is because free_transition_pgtable() is called
+by both init_transition_pgtable() and machine_kexec_cleanup() when memory
+allocation failed inside init_transition_pgtable().
+
+Regarding 32bit code, machine_kexec_free_page_tables() is called by both
+machine_kexec_alloc_page_tables() and machine_kexec_cleanup() when memory
+allocation failed inside machine_kexec_alloc_page_tables().
+
+Fix this by leaving the error handling to machine_kexec_cleanup()
+(and optionally setting NULL after free_page()).
+
+[1] https://syzkaller.appspot.com/bug?id=91e52396168cf2bdd572fe1e1bc0bc645c1c6b40
+
+Fixes: f5deb79679af6eb4 ("x86: kexec: Use one page table in x86_64 machine_kexec")
+Fixes: 92be3d6bdf2cb349 ("kexec/i386: allocate page table pages dynamically")
+Reported-by: syzbot <syzbot+d96f60296ef613fe1d69@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Baoquan He <bhe@redhat.com>
+Cc: thomas.lendacky@amd.com
+Cc: prudo@linux.vnet.ibm.com
+Cc: Huang Ying <ying.huang@intel.com>
+Cc: syzkaller-bugs@googlegroups.com
+Cc: takahiro.akashi@linaro.org
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: akpm@linux-foundation.org
+Cc: dyoung@redhat.com
+Cc: kirill.shutemov@linux.intel.com
+Link: https://lkml.kernel.org/r/201805091942.DGG12448.tMFVFSJFQOOLHO@I-love.SAKURA.ne.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/machine_kexec_32.c | 6 +++++-
+ arch/x86/kernel/machine_kexec_64.c | 5 ++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/machine_kexec_32.c
++++ b/arch/x86/kernel/machine_kexec_32.c
+@@ -57,12 +57,17 @@ static void load_segments(void)
+ static void machine_kexec_free_page_tables(struct kimage *image)
+ {
+ free_page((unsigned long)image->arch.pgd);
++ image->arch.pgd = NULL;
+ #ifdef CONFIG_X86_PAE
+ free_page((unsigned long)image->arch.pmd0);
++ image->arch.pmd0 = NULL;
+ free_page((unsigned long)image->arch.pmd1);
++ image->arch.pmd1 = NULL;
+ #endif
+ free_page((unsigned long)image->arch.pte0);
++ image->arch.pte0 = NULL;
+ free_page((unsigned long)image->arch.pte1);
++ image->arch.pte1 = NULL;
+ }
+
+ static int machine_kexec_alloc_page_tables(struct kimage *image)
+@@ -79,7 +84,6 @@ static int machine_kexec_alloc_page_tabl
+ !image->arch.pmd0 || !image->arch.pmd1 ||
+ #endif
+ !image->arch.pte0 || !image->arch.pte1) {
+- machine_kexec_free_page_tables(image);
+ return -ENOMEM;
+ }
+ return 0;
+--- a/arch/x86/kernel/machine_kexec_64.c
++++ b/arch/x86/kernel/machine_kexec_64.c
+@@ -38,9 +38,13 @@ static struct kexec_file_ops *kexec_file
+ static void free_transition_pgtable(struct kimage *image)
+ {
+ free_page((unsigned long)image->arch.p4d);
++ image->arch.p4d = NULL;
+ free_page((unsigned long)image->arch.pud);
++ image->arch.pud = NULL;
+ free_page((unsigned long)image->arch.pmd);
++ image->arch.pmd = NULL;
+ free_page((unsigned long)image->arch.pte);
++ image->arch.pte = NULL;
+ }
+
+ static int init_transition_pgtable(struct kimage *image, pgd_t *pgd)
+@@ -90,7 +94,6 @@ static int init_transition_pgtable(struc
+ set_pte(pte, pfn_pte(paddr >> PAGE_SHIFT, PAGE_KERNEL_EXEC_NOENC));
+ return 0;
+ err:
+- free_transition_pgtable(image);
+ return result;
+ }
+
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Fri, 16 Mar 2018 16:33:06 +0200
+Subject: xhci: Show what USB release number the xHC supports from protocol capablity
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit 0ee78c101425aae681c631ba59c6ac7f44b1d83a ]
+
+xhci driver displays the supported xHC USB revision in a message during
+driver load:
+
+"Host supports USB 3.1 Enhanced SuperSpeed"
+
+Get the USB minor revision number from the xhci protocol capability.
+This will show the correct supported revisions for new USB 3.2 and later
+hosts
+
+Don't rely on the SBRN (serial bus revision number) register, it's often
+showing 0x30 (USB3.0) for hosts that support USB 3.1
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -4769,6 +4769,7 @@ int xhci_gen_setup(struct usb_hcd *hcd,
+ * quirks
+ */
+ struct device *dev = hcd->self.sysdev;
++ unsigned int minor_rev;
+ int retval;
+
+ /* Accept arbitrarily long scatter-gather lists */
+@@ -4796,12 +4797,19 @@ int xhci_gen_setup(struct usb_hcd *hcd,
+ */
+ hcd->has_tt = 1;
+ } else {
+- /* Some 3.1 hosts return sbrn 0x30, can't rely on sbrn alone */
+- if (xhci->sbrn == 0x31 || xhci->usb3_rhub.min_rev >= 1) {
+- xhci_info(xhci, "Host supports USB 3.1 Enhanced SuperSpeed\n");
++ /*
++ * Some 3.1 hosts return sbrn 0x30, use xhci supported protocol
++ * minor revision instead of sbrn
++ */
++ minor_rev = xhci->usb3_rhub.min_rev;
++ if (minor_rev) {
+ hcd->speed = HCD_USB31;
+ hcd->self.root_hub->speed = USB_SPEED_SUPER_PLUS;
+ }
++ xhci_info(xhci, "Host supports USB 3.%x %s SuperSpeed\n",
++ minor_rev,
++ minor_rev ? "Enhanced" : "");
++
+ /* xHCI private pointer was set in xhci_pci_probe for the second
+ * registered roothub.
+ */
--- /dev/null
+From foo@baz Thu May 24 09:45:15 CEST 2018
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Fri, 16 Mar 2018 16:33:01 +0200
+Subject: xhci: zero usb device slot_id member when disabling and freeing a xhci slot
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit a400efe455f7b61ac9a801ac8d0d01f8c8d82dd5 ]
+
+set udev->slot_id to zero when disabling and freeing the xhci slot.
+Prevents usb core from calling xhci with a stale slot id.
+
+xHC controller may be reset during resume to recover from some error.
+All slots are unusable as they are disabled and freed.
+xhci driver starts slot enumeration again from 1 in the order they are
+enabled. In the worst case a stale udev->slot_id for one device matches
+a newly enabled slot_id for a different device, causing us to
+perform a action on the wrong device.
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-mem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -913,6 +913,8 @@ void xhci_free_virt_device(struct xhci_h
+ if (dev->out_ctx)
+ xhci_free_container_ctx(xhci, dev->out_ctx);
+
++ if (dev->udev && dev->udev->slot_id)
++ dev->udev->slot_id = 0;
+ kfree(xhci->devs[slot_id]);
+ xhci->devs[slot_id] = NULL;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
