--- /dev/null
+From f4083e1793dd26425420f37fcf950b02d00e1ea9 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Thu, 13 Sep 2018 16:48:08 +0100
+Subject: ARM: 8799/1: mm: fix pci_ioremap_io() offset check
+
+[ Upstream commit 3a58ac65e2d7969bcdf1b6acb70fa4d12a88e53e ]
+
+IO_SPACE_LIMIT is the ending address of the PCI IO space, i.e
+something like 0xfffff (and not 0x100000).
+
+Therefore, when offset = 0xf0000 is passed as argument, this function
+fails even though the offset + SZ_64K fits below the
+IO_SPACE_LIMIT. This makes the last chunk of 64 KB of the I/O space
+not usable as it cannot be mapped.
+
+This patch fixes that by substracing 1 to offset + SZ_64K, so that we
+compare the addrss of the last byte of the I/O space against
+IO_SPACE_LIMIT instead of the address of the first byte of what is
+after the I/O space.
+
+Fixes: c2794437091a4 ("ARM: Add fixed PCI i/o mapping")
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Acked-by: Nicolas Pitre <nico@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/ioremap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mm/ioremap.c b/arch/arm/mm/ioremap.c
+index fc91205ff46c..5bf9443cfbaa 100644
+--- a/arch/arm/mm/ioremap.c
++++ b/arch/arm/mm/ioremap.c
+@@ -473,7 +473,7 @@ void pci_ioremap_set_mem_type(int mem_type)
+
+ int pci_ioremap_io(unsigned int offset, phys_addr_t phys_addr)
+ {
+- BUG_ON(offset + SZ_64K > IO_SPACE_LIMIT);
++ BUG_ON(offset + SZ_64K - 1 > IO_SPACE_LIMIT);
+
+ return ioremap_page_range(PCI_IO_VIRT_BASE + offset,
+ PCI_IO_VIRT_BASE + offset + SZ_64K,
+--
+2.17.1
+
--- /dev/null
+From 42406885dafa2ad8f9b2d437b70bacec223233ae Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Wed, 19 Sep 2018 17:14:01 -0700
+Subject: ARM: dts: BCM63xx: Fix incorrect interrupt specifiers
+
+[ Upstream commit 3ab97942d0213b6583a5408630a8cbbfbf54730f ]
+
+A number of our interrupts were incorrectly specified, fix both the PPI
+and SPI interrupts to be correct.
+
+Fixes: b5762cacc411 ("ARM: bcm63138: add NAND DT support")
+Fixes: 46d4bca0445a ("ARM: BCM63XX: add BCM63138 minimal Device Tree")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm63138.dtsi | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm/boot/dts/bcm63138.dtsi b/arch/arm/boot/dts/bcm63138.dtsi
+index 43ee992ccdcf..6df61518776f 100644
+--- a/arch/arm/boot/dts/bcm63138.dtsi
++++ b/arch/arm/boot/dts/bcm63138.dtsi
+@@ -106,21 +106,23 @@
+ global_timer: timer@1e200 {
+ compatible = "arm,cortex-a9-global-timer";
+ reg = <0x1e200 0x20>;
+- interrupts = <GIC_PPI 11 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_PPI 11 IRQ_TYPE_EDGE_RISING>;
+ clocks = <&axi_clk>;
+ };
+
+ local_timer: local-timer@1e600 {
+ compatible = "arm,cortex-a9-twd-timer";
+ reg = <0x1e600 0x20>;
+- interrupts = <GIC_PPI 13 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_PPI 13 (GIC_CPU_MASK_SIMPLE(2) |
++ IRQ_TYPE_EDGE_RISING)>;
+ clocks = <&axi_clk>;
+ };
+
+ twd_watchdog: watchdog@1e620 {
+ compatible = "arm,cortex-a9-twd-wdt";
+ reg = <0x1e620 0x20>;
+- interrupts = <GIC_PPI 14 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_PPI 14 (GIC_CPU_MASK_SIMPLE(2) |
++ IRQ_TYPE_LEVEL_HIGH)>;
+ };
+
+ armpll: armpll {
+@@ -158,7 +160,7 @@
+ serial0: serial@600 {
+ compatible = "brcm,bcm6345-uart";
+ reg = <0x600 0x1b>;
+- interrupts = <GIC_SPI 32 0>;
++ interrupts = <GIC_SPI 32 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&periph_clk>;
+ clock-names = "periph";
+ status = "disabled";
+@@ -167,7 +169,7 @@
+ serial1: serial@620 {
+ compatible = "brcm,bcm6345-uart";
+ reg = <0x620 0x1b>;
+- interrupts = <GIC_SPI 33 0>;
++ interrupts = <GIC_SPI 33 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&periph_clk>;
+ clock-names = "periph";
+ status = "disabled";
+@@ -180,7 +182,7 @@
+ reg = <0x2000 0x600>, <0xf0 0x10>;
+ reg-names = "nand", "nand-int-base";
+ status = "disabled";
+- interrupts = <GIC_SPI 38 0>;
++ interrupts = <GIC_SPI 38 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "nand";
+ };
+
+--
+2.17.1
+
--- /dev/null
+From d7ace5b84ff675f2cf3489e144a15fd9d11b6821 Mon Sep 17 00:00:00 2001
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Wed, 12 Sep 2018 08:23:01 +0200
+Subject: ARM: dts: imx53-qsb: disable 1.2GHz OPP
+
+[ Upstream commit eea96566c189c77e5272585984eb2729881a2f1d ]
+
+The maximum CPU frequency for the i.MX53 QSB is 1GHz, so disable the
+1.2GHz OPP. This makes the board work again with configs that have
+cpufreq enabled like imx_v6_v7_defconfig on which the board stopped
+working with the addition of cpufreq-dt support.
+
+Fixes: 791f416608 ("ARM: dts: imx53: add cpufreq-dt support")
+
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx53-qsb-common.dtsi | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx53-qsb-common.dtsi b/arch/arm/boot/dts/imx53-qsb-common.dtsi
+index 683dcbe27cbd..8c11190c5218 100644
+--- a/arch/arm/boot/dts/imx53-qsb-common.dtsi
++++ b/arch/arm/boot/dts/imx53-qsb-common.dtsi
+@@ -130,6 +130,17 @@
+ };
+ };
+
++&cpu0 {
++ /* CPU rated to 1GHz, not 1.2GHz as per the default settings */
++ operating-points = <
++ /* kHz uV */
++ 166666 850000
++ 400000 900000
++ 800000 1050000
++ 1000000 1200000
++ >;
++};
++
+ &esdhc1 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_esdhc1>;
+--
+2.17.1
+
--- /dev/null
+From 9b2a2e640f37403791b707d7a68087281d000d20 Mon Sep 17 00:00:00 2001
+From: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Date: Thu, 22 Feb 2018 15:38:25 +0100
+Subject: ARM: tegra: Fix ULPI regression on Tegra20
+
+[ Upstream commit 4c9a27a6c66d4427f3cba4019d4ba738fe99fa87 ]
+
+Since commit f8f8f1d04494 ("clk: Don't touch hardware when reparenting
+during registration") ULPI has been broken on Tegra20 leading to the
+following error message during boot:
+
+[ 1.974698] ulpi_phy_power_on: ulpi write failed
+[ 1.979384] tegra-ehci c5004000.usb: Failed to power on the phy
+[ 1.985434] tegra-ehci: probe of c5004000.usb failed with error -110
+
+Debugging through the changes and finally also consulting the TRM
+revealed that rather than the CDEV2 clock off OSC requiring such pin
+muxing actually the PLL_P_OUT4 clock is in use. It looks like so far it
+just worked by chance of that one having been enabled which Stephen's
+commit now changed when reparenting sclk away from pll_p_out4 leaving
+that one disabled. Fix this by properly assigning the PLL_P_OUT4 clock
+as the ULPI PHY clock.
+
+Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/tegra20.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/tegra20.dtsi b/arch/arm/boot/dts/tegra20.dtsi
+index 914f59166a99..2780e68a853b 100644
+--- a/arch/arm/boot/dts/tegra20.dtsi
++++ b/arch/arm/boot/dts/tegra20.dtsi
+@@ -706,7 +706,7 @@
+ phy_type = "ulpi";
+ clocks = <&tegra_car TEGRA20_CLK_USB2>,
+ <&tegra_car TEGRA20_CLK_PLL_U>,
+- <&tegra_car TEGRA20_CLK_CDEV2>;
++ <&tegra_car TEGRA20_CLK_PLL_P_OUT4>;
+ clock-names = "reg", "pll_u", "ulpi-link";
+ resets = <&tegra_car 58>, <&tegra_car 22>;
+ reset-names = "usb", "utmi-pads";
+--
+2.17.1
+
--- /dev/null
+From 7e053f0afd9e8fb3c1116910bdf2a578b6edae9b Mon Sep 17 00:00:00 2001
+From: Steve Capper <steve.capper@arm.com>
+Date: Fri, 21 Sep 2018 16:34:04 +0100
+Subject: arm64: hugetlb: Fix handling of young ptes
+
+[ Upstream commit 469ed9d823b7d240d6b9574f061ded7c3834c167 ]
+
+In the contiguous bit hugetlb break-before-make code we assume that all
+hugetlb pages are young.
+
+In fact, remove_migration_pte is able to place an old hugetlb pte so
+this assumption is not valid.
+
+This patch fixes the contiguous hugetlb scanning code to preserve young
+ptes.
+
+Fixes: d8bdcff28764 ("arm64: hugetlb: Add break-before-make logic for contiguous entries")
+Signed-off-by: Steve Capper <steve.capper@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/mm/hugetlbpage.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/mm/hugetlbpage.c b/arch/arm64/mm/hugetlbpage.c
+index 6cb0fa92a651..9f6ae9686dac 100644
+--- a/arch/arm64/mm/hugetlbpage.c
++++ b/arch/arm64/mm/hugetlbpage.c
+@@ -118,11 +118,14 @@ static pte_t get_clear_flush(struct mm_struct *mm,
+
+ /*
+ * If HW_AFDBM is enabled, then the HW could turn on
+- * the dirty bit for any page in the set, so check
+- * them all. All hugetlb entries are already young.
++ * the dirty or accessed bit for any page in the set,
++ * so check them all.
+ */
+ if (pte_dirty(pte))
+ orig_pte = pte_mkdirty(orig_pte);
++
++ if (pte_young(pte))
++ orig_pte = pte_mkyoung(orig_pte);
+ }
+
+ if (valid)
+@@ -347,10 +350,13 @@ int huge_ptep_set_access_flags(struct vm_area_struct *vma,
+ if (!pte_same(orig_pte, pte))
+ changed = 1;
+
+- /* Make sure we don't lose the dirty state */
++ /* Make sure we don't lose the dirty or young state */
+ if (pte_dirty(orig_pte))
+ pte = pte_mkdirty(pte);
+
++ if (pte_young(orig_pte))
++ pte = pte_mkyoung(pte);
++
+ hugeprot = pte_pgprot(pte);
+ for (i = 0; i < ncontig; i++, ptep++, addr += pgsize, pfn += dpfn)
+ set_pte_at(vma->vm_mm, addr, ptep, pfn_pte(pfn, hugeprot));
+--
+2.17.1
+
--- /dev/null
+From 90b206094660e41b59f4d6616f2c78301bb44d74 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:50 -0700
+Subject: asix: Check for supported Wake-on-LAN modes
+
+[ Upstream commit c4ce446e33d7a0e978256ac6fea4c80e59d9de5f ]
+
+The driver currently silently accepts unsupported Wake-on-LAN modes
+(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
+which is confusing.
+
+Fixes: 2e55cc7210fe ("[PATCH] USB: usbnet (3/9) module for ASIX Ethernet adapters")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/asix_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
+index 522d2900cd1d..e9fcf6ef716a 100644
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -607,6 +607,9 @@ int asix_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
+ struct usbnet *dev = netdev_priv(net);
+ u8 opt = 0;
+
++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
++ return -EINVAL;
++
+ if (wolinfo->wolopts & WAKE_PHY)
+ opt |= AX_MONITOR_LINK;
+ if (wolinfo->wolopts & WAKE_MAGIC)
+--
+2.17.1
+
--- /dev/null
+From ed84b7def3eb05a84bd871e1209541aeb0a081fd Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:51 -0700
+Subject: ax88179_178a: Check for supported Wake-on-LAN modes
+
+[ Upstream commit 5ba6b4aa9a410c5e2c6417df52b5e2118ea9b467 ]
+
+The driver currently silently accepts unsupported Wake-on-LAN modes
+(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
+which is confusing.
+
+Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ax88179_178a.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
+index f32261ecd215..0f69b77e8502 100644
+--- a/drivers/net/usb/ax88179_178a.c
++++ b/drivers/net/usb/ax88179_178a.c
+@@ -566,6 +566,9 @@ ax88179_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
+ struct usbnet *dev = netdev_priv(net);
+ u8 opt = 0;
+
++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
++ return -EINVAL;
++
+ if (wolinfo->wolopts & WAKE_PHY)
+ opt |= AX_MONITOR_MODE_RWLC;
+ if (wolinfo->wolopts & WAKE_MAGIC)
+--
+2.17.1
+
--- /dev/null
+From 4390a84790f333c871dff83c183d78f9b3a05a60 Mon Sep 17 00:00:00 2001
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Wed, 3 Oct 2018 15:20:58 +0200
+Subject: be2net: don't flip hw_features when VXLANs are added/deleted
+
+[ Upstream commit 2d52527e80c2dc0c5f43f50adf183781262ec565 ]
+
+the be2net implementation of .ndo_tunnel_{add,del}() changes the value of
+NETIF_F_GSO_UDP_TUNNEL bit in 'features' and 'hw_features', but it forgets
+to call netdev_features_change(). Moreover, ethtool setting for that bit
+can potentially be reverted after a tunnel is added or removed.
+
+GSO already does software segmentation when 'hw_enc_features' is 0, even
+if VXLAN offload is turned on. In addition, commit 096de2f83ebc ("benet:
+stricter vxlan offloading check in be_features_check") avoids hardware
+segmentation of non-VXLAN tunneled packets, or VXLAN packets having wrong
+destination port. So, it's safe to avoid flipping the above feature on
+addition/deletion of VXLAN tunnels.
+
+Fixes: 630f4b70567f ("be2net: Export tunnel offloads only when a VxLAN tunnel is created")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
+index 7e2b70c2bba3..39f399741647 100644
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -3900,8 +3900,6 @@ static int be_enable_vxlan_offloads(struct be_adapter *adapter)
+ netdev->hw_enc_features |= NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM |
+ NETIF_F_TSO | NETIF_F_TSO6 |
+ NETIF_F_GSO_UDP_TUNNEL;
+- netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL;
+- netdev->features |= NETIF_F_GSO_UDP_TUNNEL;
+
+ dev_info(dev, "Enabled VxLAN offloads for UDP port %d\n",
+ be16_to_cpu(port));
+@@ -3923,8 +3921,6 @@ static void be_disable_vxlan_offloads(struct be_adapter *adapter)
+ adapter->vxlan_port = 0;
+
+ netdev->hw_enc_features = 0;
+- netdev->hw_features &= ~(NETIF_F_GSO_UDP_TUNNEL);
+- netdev->features &= ~(NETIF_F_GSO_UDP_TUNNEL);
+ }
+
+ static void be_calculate_vf_res(struct be_adapter *adapter, u16 num_vfs,
+@@ -5215,6 +5211,7 @@ static void be_netdev_init(struct net_device *netdev)
+ struct be_adapter *adapter = netdev_priv(netdev);
+
+ netdev->hw_features |= NETIF_F_SG | NETIF_F_TSO | NETIF_F_TSO6 |
++ NETIF_F_GSO_UDP_TUNNEL |
+ NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | NETIF_F_RXCSUM |
+ NETIF_F_HW_VLAN_CTAG_TX;
+ if ((be_if_cap_flags(adapter) & BE_IF_FLAGS_RSS))
+--
+2.17.1
+
--- /dev/null
+From ff41c804599bfad2d6611caa97579e31336fd140 Mon Sep 17 00:00:00 2001
+From: Matias Karhumaa <matias.karhumaa@gmail.com>
+Date: Wed, 26 Sep 2018 09:13:46 +0300
+Subject: Bluetooth: SMP: fix crash in unpairing
+
+[ Upstream commit cb28c306b93b71f2741ce1a5a66289db26715f4d ]
+
+In case unpair_device() was called through mgmt interface at the same time
+when pairing was in progress, Bluetooth kernel module crash was seen.
+
+[ 600.351225] general protection fault: 0000 [#1] SMP PTI
+[ 600.351235] CPU: 1 PID: 11096 Comm: btmgmt Tainted: G OE 4.19.0-rc1+ #1
+[ 600.351238] Hardware name: Dell Inc. Latitude E5440/08RCYC, BIOS A18 05/14/2017
+[ 600.351272] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
+[ 600.351276] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
+[ 600.351279] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
+[ 600.351282] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
+[ 600.351285] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
+[ 600.351287] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
+[ 600.351290] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
+[ 600.351292] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
+[ 600.351295] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
+[ 600.351298] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 600.351300] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0
+[ 600.351302] Call Trace:
+[ 600.351325] smp_failure+0x4f/0x70 [bluetooth]
+[ 600.351345] smp_cancel_pairing+0x74/0x80 [bluetooth]
+[ 600.351370] unpair_device+0x1c1/0x330 [bluetooth]
+[ 600.351399] hci_sock_sendmsg+0x960/0x9f0 [bluetooth]
+[ 600.351409] ? apparmor_socket_sendmsg+0x1e/0x20
+[ 600.351417] sock_sendmsg+0x3e/0x50
+[ 600.351422] sock_write_iter+0x85/0xf0
+[ 600.351429] do_iter_readv_writev+0x12b/0x1b0
+[ 600.351434] do_iter_write+0x87/0x1a0
+[ 600.351439] vfs_writev+0x98/0x110
+[ 600.351443] ? ep_poll+0x16d/0x3d0
+[ 600.351447] ? ep_modify+0x73/0x170
+[ 600.351451] do_writev+0x61/0xf0
+[ 600.351455] ? do_writev+0x61/0xf0
+[ 600.351460] __x64_sys_writev+0x1c/0x20
+[ 600.351465] do_syscall_64+0x5a/0x110
+[ 600.351471] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 600.351474] RIP: 0033:0x7fb2bdb62fe0
+[ 600.351477] Code: 73 01 c3 48 8b 0d b8 6e 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 69 c7 2c 00 00 75 10 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 80 01 00 48 89 04 24
+[ 600.351479] RSP: 002b:00007ffe062cb8f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
+[ 600.351484] RAX: ffffffffffffffda RBX: 000000000255b3d0 RCX: 00007fb2bdb62fe0
+[ 600.351487] RDX: 0000000000000001 RSI: 00007ffe062cb920 RDI: 0000000000000004
+[ 600.351490] RBP: 00007ffe062cb920 R08: 000000000255bd80 R09: 0000000000000000
+[ 600.351494] R10: 0000000000000353 R11: 0000000000000246 R12: 0000000000000001
+[ 600.351497] R13: 00007ffe062cbbe0 R14: 0000000000000000 R15: 0000000000000000
+[ 600.351501] Modules linked in: algif_hash algif_skcipher af_alg cmac ipt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c br_netfilter bridge stp llc overlay arc4 nls_iso8859_1 dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp dell_laptop kvm_intel crct10dif_pclmul dell_smm_hwmon crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper intel_cstate intel_rapl_perf uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media hid_multitouch input_leds joydev serio_raw dell_wmi snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic dell_smbios dcdbas sparse_keymap
+[ 600.351569] snd_hda_intel btusb snd_hda_codec btrtl btbcm btintel snd_hda_core bluetooth(OE) snd_hwdep snd_pcm iwlmvm ecdh_generic wmi_bmof dell_wmi_descriptor snd_seq_midi mac80211 snd_seq_midi_event lpc_ich iwlwifi snd_rawmidi snd_seq snd_seq_device snd_timer cfg80211 snd soundcore mei_me mei dell_rbtn dell_smo8800 mac_hid parport_pc ppdev lp parport autofs4 hid_generic usbhid hid i915 nouveau kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi psmouse ahci sdhci_pci cqhci libahci fb_sys_fops sdhci drm e1000e video wmi
+[ 600.351637] ---[ end trace e49e9f1df09c94fb ]---
+[ 600.351664] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
+[ 600.351666] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
+[ 600.351669] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
+[ 600.351672] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
+[ 600.351674] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
+[ 600.351676] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
+[ 600.351679] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
+[ 600.351681] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
+[ 600.351684] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
+[ 600.351686] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 600.351689] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0
+
+Crash happened because list_del_rcu() was called twice for smp->ltk. This
+was possible if unpair_device was called right after ltk was generated
+but before keys were distributed.
+
+In this commit smp_cancel_pairing was refactored to cancel pairing if it
+is in progress and otherwise just removes keys. Once keys are removed from
+rcu list, pointers to smp context's keys are set to NULL to make sure
+removed list items are not accessed later.
+
+This commit also adjusts the functionality of mgmt unpair_device() little
+bit. Previously pairing was canceled only if pairing was in state that
+keys were already generated. With this commit unpair_device() cancels
+pairing already in earlier states.
+
+Bug was found by fuzzing kernel SMP implementation using Synopsys
+Defensics.
+
+Reported-by: Pekka Oikarainen <pekka.oikarainen@synopsys.com>
+Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 7 ++-----
+ net/bluetooth/smp.c | 29 +++++++++++++++++++++++++----
+ net/bluetooth/smp.h | 3 ++-
+ 3 files changed, 29 insertions(+), 10 deletions(-)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 1fba2a03f8ae..ba24f613c0fc 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2298,9 +2298,8 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
+ /* LE address type */
+ addr_type = le_addr_type(cp->addr.type);
+
+- hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
+-
+- err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
++ /* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */
++ err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type);
+ if (err < 0) {
+ err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
+ MGMT_STATUS_NOT_PAIRED, &rp,
+@@ -2314,8 +2313,6 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
+ goto done;
+ }
+
+- /* Abort any ongoing SMP pairing */
+- smp_cancel_pairing(conn);
+
+ /* Defer clearing up the connection parameters until closing to
+ * give a chance of keeping them if a repairing happens.
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index a27704ff13a9..dbcc439fc78b 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2410,30 +2410,51 @@ unlock:
+ return ret;
+ }
+
+-void smp_cancel_pairing(struct hci_conn *hcon)
++int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
++ u8 addr_type)
+ {
+- struct l2cap_conn *conn = hcon->l2cap_data;
++ struct hci_conn *hcon;
++ struct l2cap_conn *conn;
+ struct l2cap_chan *chan;
+ struct smp_chan *smp;
++ int err;
++
++ err = hci_remove_ltk(hdev, bdaddr, addr_type);
++ hci_remove_irk(hdev, bdaddr, addr_type);
++
++ hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
++ if (!hcon)
++ goto done;
+
++ conn = hcon->l2cap_data;
+ if (!conn)
+- return;
++ goto done;
+
+ chan = conn->smp;
+ if (!chan)
+- return;
++ goto done;
+
+ l2cap_chan_lock(chan);
+
+ smp = chan->data;
+ if (smp) {
++ /* Set keys to NULL to make sure smp_failure() does not try to
++ * remove and free already invalidated rcu list entries. */
++ smp->ltk = NULL;
++ smp->slave_ltk = NULL;
++ smp->remote_irk = NULL;
++
+ if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
+ smp_failure(conn, 0);
+ else
+ smp_failure(conn, SMP_UNSPECIFIED);
++ err = 0;
+ }
+
+ l2cap_chan_unlock(chan);
++
++done:
++ return err;
+ }
+
+ static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
+diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
+index 0ff6247eaa6c..121edadd5f8d 100644
+--- a/net/bluetooth/smp.h
++++ b/net/bluetooth/smp.h
+@@ -181,7 +181,8 @@ enum smp_key_pref {
+ };
+
+ /* SMP Commands */
+-void smp_cancel_pairing(struct hci_conn *hcon);
++int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
++ u8 addr_type);
+ bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
+ enum smp_key_pref key_pref);
+ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
+--
+2.17.1
+
--- /dev/null
+From cbf7569dbe4d517f8e82bb9fbf14dad22b260c46 Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Mon, 23 Apr 2018 15:39:23 -0700
+Subject: bpf: sockmap, map_release does not hold refcnt for pinned maps
+
+[ Upstream commit ba6b8de423f8d0dee48d6030288ed81c03ddf9f0 ]
+
+Relying on map_release hook to decrement the reference counts when a
+map is removed only works if the map is not being pinned. In the
+pinned case the ref is decremented immediately and the BPF programs
+released. After this BPF programs may not be in-use which is not
+what the user would expect.
+
+This patch moves the release logic into bpf_map_put_uref() and brings
+sockmap in-line with how a similar case is handled in prog array maps.
+
+Fixes: 3d9e952697de ("bpf: sockmap, fix leaking maps with attached but not detached progs")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf.h | 2 +-
+ kernel/bpf/arraymap.c | 3 ++-
+ kernel/bpf/sockmap.c | 4 ++--
+ kernel/bpf/syscall.c | 4 ++--
+ 4 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 5c5be80ce802..c9d2a1a3ef11 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -27,6 +27,7 @@ struct bpf_map_ops {
+ void (*map_release)(struct bpf_map *map, struct file *map_file);
+ void (*map_free)(struct bpf_map *map);
+ int (*map_get_next_key)(struct bpf_map *map, void *key, void *next_key);
++ void (*map_release_uref)(struct bpf_map *map);
+
+ /* funcs callable from userspace and from eBPF programs */
+ void *(*map_lookup_elem)(struct bpf_map *map, void *key);
+@@ -300,7 +301,6 @@ int bpf_stackmap_copy(struct bpf_map *map, void *key, void *value);
+ int bpf_fd_array_map_update_elem(struct bpf_map *map, struct file *map_file,
+ void *key, void *value, u64 map_flags);
+ int bpf_fd_array_map_lookup_elem(struct bpf_map *map, void *key, u32 *value);
+-void bpf_fd_array_map_clear(struct bpf_map *map);
+ int bpf_fd_htab_map_update_elem(struct bpf_map *map, struct file *map_file,
+ void *key, void *value, u64 map_flags);
+ int bpf_fd_htab_map_lookup_elem(struct bpf_map *map, void *key, u32 *value);
+diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
+index f57d0bdf3c9e..a8f55ea4146b 100644
+--- a/kernel/bpf/arraymap.c
++++ b/kernel/bpf/arraymap.c
+@@ -467,7 +467,7 @@ static u32 prog_fd_array_sys_lookup_elem(void *ptr)
+ }
+
+ /* decrement refcnt of all bpf_progs that are stored in this map */
+-void bpf_fd_array_map_clear(struct bpf_map *map)
++static void bpf_fd_array_map_clear(struct bpf_map *map)
+ {
+ struct bpf_array *array = container_of(map, struct bpf_array, map);
+ int i;
+@@ -485,6 +485,7 @@ const struct bpf_map_ops prog_array_map_ops = {
+ .map_fd_get_ptr = prog_fd_array_get_ptr,
+ .map_fd_put_ptr = prog_fd_array_put_ptr,
+ .map_fd_sys_lookup_elem = prog_fd_array_sys_lookup_elem,
++ .map_release_uref = bpf_fd_array_map_clear,
+ };
+
+ static struct bpf_event_entry *bpf_event_entry_gen(struct file *perf_file,
+diff --git a/kernel/bpf/sockmap.c b/kernel/bpf/sockmap.c
+index 20eaddfa691c..22991e19c01c 100644
+--- a/kernel/bpf/sockmap.c
++++ b/kernel/bpf/sockmap.c
+@@ -875,7 +875,7 @@ static int sock_map_update_elem(struct bpf_map *map,
+ return err;
+ }
+
+-static void sock_map_release(struct bpf_map *map, struct file *map_file)
++static void sock_map_release(struct bpf_map *map)
+ {
+ struct bpf_stab *stab = container_of(map, struct bpf_stab, map);
+ struct bpf_prog *orig;
+@@ -895,7 +895,7 @@ const struct bpf_map_ops sock_map_ops = {
+ .map_get_next_key = sock_map_get_next_key,
+ .map_update_elem = sock_map_update_elem,
+ .map_delete_elem = sock_map_delete_elem,
+- .map_release = sock_map_release,
++ .map_release_uref = sock_map_release,
+ };
+
+ BPF_CALL_4(bpf_sock_map_update, struct bpf_sock_ops_kern *, bpf_sock,
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 4e933219fec6..ea22d0b6a9f0 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -214,8 +214,8 @@ static void bpf_map_free_deferred(struct work_struct *work)
+ static void bpf_map_put_uref(struct bpf_map *map)
+ {
+ if (atomic_dec_and_test(&map->usercnt)) {
+- if (map->map_type == BPF_MAP_TYPE_PROG_ARRAY)
+- bpf_fd_array_map_clear(map);
++ if (map->ops->map_release_uref)
++ map->ops->map_release_uref(map);
+ }
+ }
+
+--
+2.17.1
+
--- /dev/null
+From cc0bacb1c97fb719b4d20060d7ab77367207a004 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Wed, 27 Jun 2018 18:19:55 +0800
+Subject: btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf
+
+[ Upstream commit 6f7de19ed3d4d3526ca5eca428009f97cf969c2f ]
+
+Commit ff3d27a048d9 ("btrfs: qgroup: Finish rescan when hit the last leaf
+of extent tree") added a new exit for rescan finish.
+
+However after finishing quota rescan, we set
+fs_info->qgroup_rescan_progress to (u64)-1 before we exit through the
+original exit path.
+While we missed that assignment of (u64)-1 in the new exit path.
+
+The end result is, the quota status item doesn't have the same value.
+(-1 vs the last bytenr + 1)
+Although it doesn't affect quota accounting, it's still better to keep
+the original behavior.
+
+Reported-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
+Fixes: ff3d27a048d9 ("btrfs: qgroup: Finish rescan when hit the last leaf of extent tree")
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/qgroup.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index 473ad5985aa3..47dec283628d 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -2603,8 +2603,10 @@ out:
+ }
+ btrfs_put_tree_mod_seq(fs_info, &tree_mod_seq_elem);
+
+- if (done && !ret)
++ if (done && !ret) {
+ ret = 1;
++ fs_info->qgroup_rescan_progress.objectid = (u64)-1;
++ }
+ return ret;
+ }
+
+--
+2.17.1
+
--- /dev/null
+From 5bae10b798c5c111db4341707a83388852c8d9d0 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 5 Sep 2018 18:52:22 +0300
+Subject: cfg80211: Address some corner cases in scan result channel updating
+
+[ Upstream commit 119f94a6fefcc76d47075b83d2b73d04c895df78 ]
+
+cfg80211_get_bss_channel() is used to update the RX channel based on the
+available frame payload information (channel number from DSSS Parameter
+Set element or HT Operation element). This is needed on 2.4 GHz channels
+where frames may be received on neighboring channels due to overlapping
+frequency range.
+
+This might of some use on the 5 GHz band in some corner cases, but
+things are more complex there since there is no n:1 or 1:n mapping
+between channel numbers and frequencies due to multiple different
+starting frequencies in different operating classes. This could result
+in ieee80211_channel_to_frequency() returning incorrect frequency and
+ieee80211_get_channel() returning incorrect channel information (or
+indication of no match). In the previous implementation, this could
+result in some scan results being dropped completely, e.g., for the 4.9
+GHz channels. That prevented connection to such BSSs.
+
+Fix this by using the driver-provided channel pointer if
+ieee80211_get_channel() does not find matching channel data for the
+channel number in the frame payload and if the scan is done with 5 MHz
+or 10 MHz channel bandwidth. While doing this, also add comments
+describing what the function is trying to achieve to make it easier to
+understand what happens here and why.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 58 ++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 49 insertions(+), 9 deletions(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index f6c5fe482506..5ed0ed0559dc 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1055,13 +1055,23 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
+ return NULL;
+ }
+
++/*
++ * Update RX channel information based on the available frame payload
++ * information. This is mainly for the 2.4 GHz band where frames can be received
++ * from neighboring channels and the Beacon frames use the DSSS Parameter Set
++ * element to indicate the current (transmitting) channel, but this might also
++ * be needed on other bands if RX frequency does not match with the actual
++ * operating channel of a BSS.
++ */
+ static struct ieee80211_channel *
+ cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen,
+- struct ieee80211_channel *channel)
++ struct ieee80211_channel *channel,
++ enum nl80211_bss_scan_width scan_width)
+ {
+ const u8 *tmp;
+ u32 freq;
+ int channel_number = -1;
++ struct ieee80211_channel *alt_channel;
+
+ tmp = cfg80211_find_ie(WLAN_EID_DS_PARAMS, ie, ielen);
+ if (tmp && tmp[1] == 1) {
+@@ -1075,16 +1085,45 @@ cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen,
+ }
+ }
+
+- if (channel_number < 0)
++ if (channel_number < 0) {
++ /* No channel information in frame payload */
+ return channel;
++ }
+
+ freq = ieee80211_channel_to_frequency(channel_number, channel->band);
+- channel = ieee80211_get_channel(wiphy, freq);
+- if (!channel)
+- return NULL;
+- if (channel->flags & IEEE80211_CHAN_DISABLED)
++ alt_channel = ieee80211_get_channel(wiphy, freq);
++ if (!alt_channel) {
++ if (channel->band == NL80211_BAND_2GHZ) {
++ /*
++ * Better not allow unexpected channels when that could
++ * be going beyond the 1-11 range (e.g., discovering
++ * BSS on channel 12 when radio is configured for
++ * channel 11.
++ */
++ return NULL;
++ }
++
++ /* No match for the payload channel number - ignore it */
++ return channel;
++ }
++
++ if (scan_width == NL80211_BSS_CHAN_WIDTH_10 ||
++ scan_width == NL80211_BSS_CHAN_WIDTH_5) {
++ /*
++ * Ignore channel number in 5 and 10 MHz channels where there
++ * may not be an n:1 or 1:n mapping between frequencies and
++ * channel numbers.
++ */
++ return channel;
++ }
++
++ /*
++ * Use the channel determined through the payload channel number
++ * instead of the RX channel reported by the driver.
++ */
++ if (alt_channel->flags & IEEE80211_CHAN_DISABLED)
+ return NULL;
+- return channel;
++ return alt_channel;
+ }
+
+ /* Returned bss is reference counted and must be cleaned up appropriately. */
+@@ -1109,7 +1148,8 @@ cfg80211_inform_bss_data(struct wiphy *wiphy,
+ (data->signal < 0 || data->signal > 100)))
+ return NULL;
+
+- channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan);
++ channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan,
++ data->scan_width);
+ if (!channel)
+ return NULL;
+
+@@ -1207,7 +1247,7 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy,
+ return NULL;
+
+ channel = cfg80211_get_bss_channel(wiphy, mgmt->u.beacon.variable,
+- ielen, data->chan);
++ ielen, data->chan, data->scan_width);
+ if (!channel)
+ return NULL;
+
+--
+2.17.1
+
--- /dev/null
+From 89abd480dd913a67258467200c70e800aa38978b Mon Sep 17 00:00:00 2001
+From: Yu Zhao <yuzhao@google.com>
+Date: Thu, 27 Sep 2018 17:05:04 -0600
+Subject: cfg80211: fix use-after-free in reg_process_hint()
+
+[ Upstream commit 1db58529454742f67ebd96e3588315e880b72837 ]
+
+reg_process_hint_country_ie() can free regulatory_request and return
+REG_REQ_ALREADY_SET. We shouldn't use regulatory_request after it's
+called. KASAN error was observed when this happens.
+
+BUG: KASAN: use-after-free in reg_process_hint+0x839/0x8aa [cfg80211]
+Read of size 4 at addr ffff8800c430d434 by task kworker/1:3/89
+<snipped>
+Workqueue: events reg_todo [cfg80211]
+Call Trace:
+ dump_stack+0xc1/0x10c
+ ? _atomic_dec_and_lock+0x1ad/0x1ad
+ ? _raw_spin_lock_irqsave+0xa0/0xd2
+ print_address_description+0x86/0x26f
+ ? reg_process_hint+0x839/0x8aa [cfg80211]
+ kasan_report+0x241/0x29b
+ reg_process_hint+0x839/0x8aa [cfg80211]
+ reg_todo+0x204/0x5b9 [cfg80211]
+ process_one_work+0x55f/0x8d0
+ ? worker_detach_from_pool+0x1b5/0x1b5
+ ? _raw_spin_unlock_irq+0x65/0xdd
+ ? _raw_spin_unlock_irqrestore+0xf3/0xf3
+ worker_thread+0x5dd/0x841
+ ? kthread_parkme+0x1d/0x1d
+ kthread+0x270/0x285
+ ? pr_cont_work+0xe3/0xe3
+ ? rcu_read_unlock_sched_notrace+0xca/0xca
+ ret_from_fork+0x22/0x40
+
+Allocated by task 2718:
+ set_track+0x63/0xfa
+ __kmalloc+0x119/0x1ac
+ regulatory_hint_country_ie+0x38/0x329 [cfg80211]
+ __cfg80211_connect_result+0x854/0xadd [cfg80211]
+ cfg80211_rx_assoc_resp+0x3bc/0x4f0 [cfg80211]
+smsc95xx v1.0.6
+ ieee80211_sta_rx_queued_mgmt+0x1803/0x7ed5 [mac80211]
+ ieee80211_iface_work+0x411/0x696 [mac80211]
+ process_one_work+0x55f/0x8d0
+ worker_thread+0x5dd/0x841
+ kthread+0x270/0x285
+ ret_from_fork+0x22/0x40
+
+Freed by task 89:
+ set_track+0x63/0xfa
+ kasan_slab_free+0x6a/0x87
+ kfree+0xdc/0x470
+ reg_process_hint+0x31e/0x8aa [cfg80211]
+ reg_todo+0x204/0x5b9 [cfg80211]
+ process_one_work+0x55f/0x8d0
+ worker_thread+0x5dd/0x841
+ kthread+0x270/0x285
+ ret_from_fork+0x22/0x40
+<snipped>
+
+Signed-off-by: Yu Zhao <yuzhao@google.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/reg.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index 6f032c7b8732..bd91de416035 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2170,11 +2170,12 @@ static void reg_process_hint(struct regulatory_request *reg_request)
+ {
+ struct wiphy *wiphy = NULL;
+ enum reg_request_treatment treatment;
++ enum nl80211_reg_initiator initiator = reg_request->initiator;
+
+ if (reg_request->wiphy_idx != WIPHY_IDX_INVALID)
+ wiphy = wiphy_idx_to_wiphy(reg_request->wiphy_idx);
+
+- switch (reg_request->initiator) {
++ switch (initiator) {
+ case NL80211_REGDOM_SET_BY_CORE:
+ treatment = reg_process_hint_core(reg_request);
+ break;
+@@ -2192,7 +2193,7 @@ static void reg_process_hint(struct regulatory_request *reg_request)
+ treatment = reg_process_hint_country_ie(wiphy, reg_request);
+ break;
+ default:
+- WARN(1, "invalid initiator %d\n", reg_request->initiator);
++ WARN(1, "invalid initiator %d\n", initiator);
+ goto out_free;
+ }
+
+@@ -2207,7 +2208,7 @@ static void reg_process_hint(struct regulatory_request *reg_request)
+ */
+ if (treatment == REG_REQ_ALREADY_SET && wiphy &&
+ wiphy->regulatory_flags & REGULATORY_STRICT_REG) {
+- wiphy_update_regulatory(wiphy, reg_request->initiator);
++ wiphy_update_regulatory(wiphy, initiator);
+ wiphy_all_share_dfs_chan_state(wiphy);
+ reg_check_channels();
+ }
+--
+2.17.1
+
--- /dev/null
+From 842900e4f74ae93b26224ae799c8959b40e0a6dd Mon Sep 17 00:00:00 2001
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Date: Wed, 5 Sep 2018 08:06:12 +0300
+Subject: cfg80211: reg: Init wiphy_idx in regulatory_hint_core()
+
+[ Upstream commit 24f33e64fcd0d50a4b1a8e5b41bd0257aa66b0e8 ]
+
+Core regulatory hints didn't set wiphy_idx to WIPHY_IDX_INVALID. Since
+the regulatory request is zeroed, wiphy_idx was always implicitly set to
+0. This resulted in updating only phy #0.
+Fix that.
+
+Fixes: 806a9e39670b ("cfg80211: make regulatory_request use wiphy_idx instead of wiphy")
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+[add fixes tag]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/reg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index 6e94f6934a0e..6f032c7b8732 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2384,6 +2384,7 @@ static int regulatory_hint_core(const char *alpha2)
+ request->alpha2[0] = alpha2[0];
+ request->alpha2[1] = alpha2[1];
+ request->initiator = NL80211_REGDOM_SET_BY_CORE;
++ request->wiphy_idx = WIPHY_IDX_INVALID;
+
+ queue_regulatory_request(request);
+
+--
+2.17.1
+
--- /dev/null
+From 7fd5ec500bf76d8e55c7b4f29aa0e9204c2900d6 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Thu, 5 Apr 2018 14:57:11 +0200
+Subject: cifs: Use ULL suffix for 64-bit constant
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 3995bbf53bd2047f2720c6fdd4bf38f6d942a0c0 ]
+
+On 32-bit (e.g. with m68k-linux-gnu-gcc-4.1):
+
+ fs/cifs/inode.c: In function ‘simple_hashstr’:
+ fs/cifs/inode.c:713: warning: integer constant is too large for ‘long’ type
+
+Fixes: 7ea884c77e5c97f1 ("smb3: Fix root directory when server returns inode number of zero")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
+index 2cd0b3053439..d01cbca84701 100644
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -712,7 +712,7 @@ cgfi_exit:
+ /* Simple function to return a 64 bit hash of string. Rarely called */
+ static __u64 simple_hashstr(const char *str)
+ {
+- const __u64 hash_mult = 1125899906842597L; /* a big enough prime */
++ const __u64 hash_mult = 1125899906842597ULL; /* a big enough prime */
+ __u64 hash = 0;
+
+ while (*str)
+--
+2.17.1
+
--- /dev/null
+From be1c75c407e6c0beedb213c812e707a0fea11959 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Mon, 20 Aug 2018 15:36:17 -0700
+Subject: compiler.h: Allow arch-specific asm/compiler.h
+
+[ Upstream commit 04f264d3a8b0eb25d378127bd78c3c9a0261c828 ]
+
+We have a need to override the definition of
+barrier_before_unreachable() for MIPS, which means we either need to add
+architecture-specific code into linux/compiler-gcc.h or we need to allow
+the architecture to provide a header that can define the macro before
+the generic definition. The latter seems like the better approach.
+
+A straightforward approach to the per-arch header is to make use of
+asm-generic to provide a default empty header & adjust architectures
+which don't need anything specific to make use of that by adding the
+header to generic-y. Unfortunately this doesn't work so well due to
+commit 28128c61e08e ("kconfig.h: Include compiler types to avoid missed
+struct attributes") which caused linux/compiler_types.h to be included
+in the compilation of every C file via the -include linux/kconfig.h flag
+in c_flags.
+
+Because the -include flag is present for all C files we compile, we need
+the architecture-provided header to be present before any C files are
+compiled. If any C files can be compiled prior to the asm-generic header
+wrappers being generated then we hit a build failure due to missing
+header. Such cases do exist - one pointed out by the kbuild test robot
+is the compilation of arch/ia64/kernel/nr-irqs.c, which occurs as part
+of the archprepare target [1].
+
+This leaves us with a few options:
+
+ 1) Use generic-y & fix any build failures we find by enforcing
+ ordering such that the asm-generic target occurs before any C
+ compilation, such that linux/compiler_types.h can always include
+ the generated asm-generic wrapper which in turn includes the empty
+ asm-generic header. This would rely on us finding all the
+ problematic cases - I don't know for sure that the ia64 issue is
+ the only one.
+
+ 2) Add an actual empty header to each architecture, so that we don't
+ need the generated asm-generic wrapper. This seems messy.
+
+ 3) Give up & add #ifdef CONFIG_MIPS or similar to
+ linux/compiler_types.h. This seems messy too.
+
+ 4) Include the arch header only when it's actually needed, removing
+ the need for the asm-generic wrapper for all other architectures.
+
+This patch allows us to use approach 4, by including an asm/compiler.h
+header from linux/compiler_types.h after the inclusion of the
+compiler-specific linux/compiler-*.h header(s). We do this
+conditionally, only when CONFIG_HAVE_ARCH_COMPILER_H is selected, in
+order to avoid the need for asm-generic wrappers & the associated build
+ordering issue described above. The asm/compiler.h header is included
+after the generic linux/compiler-*.h header(s) for consistency with the
+way linux/compiler-intel.h & linux/compiler-clang.h are included after
+the linux/compiler-gcc.h header that they override.
+
+[1] https://lists.01.org/pipermail/kbuild-all/2018-August/051175.html
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Reviewed-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Patchwork: https://patchwork.linux-mips.org/patch/20269/
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-arch@vger.kernel.org
+Cc: linux-kbuild@vger.kernel.org
+Cc: linux-mips@linux-mips.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/Kconfig | 8 ++++++++
+ include/linux/compiler_types.h | 12 ++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/arch/Kconfig b/arch/Kconfig
+index 40dc31fea90c..77b3e21c4844 100644
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -965,4 +965,12 @@ config REFCOUNT_FULL
+ against various use-after-free conditions that can be used in
+ security flaw exploits.
+
++config HAVE_ARCH_COMPILER_H
++ bool
++ help
++ An architecture can select this if it provides an
++ asm/compiler.h header that should be included after
++ linux/compiler-*.h in order to override macro definitions that those
++ headers generally provide.
++
+ source "kernel/gcov/Kconfig"
+diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
+index 6b79a9bba9a7..4be464a07612 100644
+--- a/include/linux/compiler_types.h
++++ b/include/linux/compiler_types.h
+@@ -78,6 +78,18 @@ extern void __chk_io_ptr(const volatile void __iomem *);
+ #include <linux/compiler-clang.h>
+ #endif
+
++/*
++ * Some architectures need to provide custom definitions of macros provided
++ * by linux/compiler-*.h, and can do so using asm/compiler.h. We include that
++ * conditionally rather than using an asm-generic wrapper in order to avoid
++ * build failures if any C compilation, which will include this file via an
++ * -include argument in c_flags, occurs prior to the asm-generic wrappers being
++ * generated.
++ */
++#ifdef CONFIG_HAVE_ARCH_COMPILER_H
++#include <asm/compiler.h>
++#endif
++
+ /*
+ * Generic compiler-dependent macros required for kernel
+ * build go below this comment. Actual compiler/compiler version
+--
+2.17.1
+
--- /dev/null
+From 1cd588ef15a881a487f33f9ecbe724c4d467537d Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@linux-mips.org>
+Date: Tue, 2 Oct 2018 14:23:45 +0100
+Subject: declance: Fix continuation with the adapter identification message
+
+[ Upstream commit fe3a83af6a50199bf250fa331e94216912f79395 ]
+
+Fix a commit 4bcc595ccd80 ("printk: reinstate KERN_CONT for printing
+continuation lines") regression with the `declance' driver, which caused
+the adapter identification message to be split between two lines, e.g.:
+
+declance.c: v0.011 by Linux MIPS DECstation task force
+tc6: PMAD-AA
+, addr = 08:00:2b:1b:2a:6a, irq = 14
+tc6: registered as eth0.
+
+Address that properly, by printing identification with a single call,
+making the messages now look like:
+
+declance.c: v0.011 by Linux MIPS DECstation task force
+tc6: PMAD-AA, addr = 08:00:2b:1b:2a:6a, irq = 14
+tc6: registered as eth0.
+
+Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
+Fixes: 4bcc595ccd80 ("printk: reinstate KERN_CONT for printing continuation lines")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/declance.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/declance.c b/drivers/net/ethernet/amd/declance.c
+index 82cc81385033..c7cde58feaf7 100644
+--- a/drivers/net/ethernet/amd/declance.c
++++ b/drivers/net/ethernet/amd/declance.c
+@@ -1029,6 +1029,7 @@ static int dec_lance_probe(struct device *bdev, const int type)
+ int i, ret;
+ unsigned long esar_base;
+ unsigned char *esar;
++ const char *desc;
+
+ if (dec_lance_debug && version_printed++ == 0)
+ printk(version);
+@@ -1214,19 +1215,20 @@ static int dec_lance_probe(struct device *bdev, const int type)
+ */
+ switch (type) {
+ case ASIC_LANCE:
+- printk("%s: IOASIC onboard LANCE", name);
++ desc = "IOASIC onboard LANCE";
+ break;
+ case PMAD_LANCE:
+- printk("%s: PMAD-AA", name);
++ desc = "PMAD-AA";
+ break;
+ case PMAX_LANCE:
+- printk("%s: PMAX onboard LANCE", name);
++ desc = "PMAX onboard LANCE";
+ break;
+ }
+ for (i = 0; i < 6; i++)
+ dev->dev_addr[i] = esar[i * 4];
+
+- printk(", addr = %pM, irq = %d\n", dev->dev_addr, dev->irq);
++ printk("%s: %s, addr = %pM, irq = %d\n",
++ name, desc, dev->dev_addr, dev->irq);
+
+ dev->netdev_ops = &lance_netdev_ops;
+ dev->watchdog_timeo = 5*HZ;
+--
+2.17.1
+
--- /dev/null
+From e484c4fe29719f9d789793c7c491b9e17f21fb4e Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Tue, 13 Feb 2018 14:50:50 +0100
+Subject: dm integrity: fail early if required HMAC key is not available
+
+[ Upstream commit e16b4f99f0f79682a7efe191a8ce694d87ca9fc8 ]
+
+Since crypto API commit 9fa68f62004 ("crypto: hash - prevent using keyed
+hashes without setting key") dm-integrity cannot use keyed algorithms
+without the key being set.
+
+The dm-integrity recognizes this too late (during use of HMAC), so it
+allows creation and formatting of superblock, but the device is in fact
+unusable.
+
+Fix it by detecting the key requirement in integrity table constructor.
+
+Signed-off-by: Milan Broz <gmazyland@gmail.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-integrity.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c
+index 898286ed47a1..b10e4c5641ea 100644
+--- a/drivers/md/dm-integrity.c
++++ b/drivers/md/dm-integrity.c
+@@ -2547,6 +2547,9 @@ static int get_mac(struct crypto_shash **hash, struct alg_spec *a, char **error,
+ *error = error_key;
+ return r;
+ }
++ } else if (crypto_shash_get_flags(*hash) & CRYPTO_TFM_NEED_KEY) {
++ *error = error_key;
++ return -ENOKEY;
+ }
+ }
+
+--
+2.17.1
+
--- /dev/null
+From 87a723814f701ecbcbfcef6ffee495c36e783ec0 Mon Sep 17 00:00:00 2001
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Date: Mon, 18 Jun 2018 10:01:05 -0700
+Subject: enic: do not overwrite error code
+
+[ Upstream commit 56f772279a762984f6e9ebbf24a7c829faba5712 ]
+
+In failure path, we overwrite err to what vnic_rq_disable() returns. In
+case it returns 0, enic_open() returns success in case of error.
+
+Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Fixes: e8588e268509 ("enic: enable rq before updating rq descriptors")
+Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
+index 2bfaf3e118b1..03f4fee1bbc9 100644
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -1879,7 +1879,7 @@ static int enic_open(struct net_device *netdev)
+ {
+ struct enic *enic = netdev_priv(netdev);
+ unsigned int i;
+- int err;
++ int err, ret;
+
+ err = enic_request_intr(enic);
+ if (err) {
+@@ -1936,10 +1936,9 @@ static int enic_open(struct net_device *netdev)
+
+ err_out_free_rq:
+ for (i = 0; i < enic->rq_count; i++) {
+- err = vnic_rq_disable(&enic->rq[i]);
+- if (err)
+- return err;
+- vnic_rq_clean(&enic->rq[i], enic_free_rq_buf);
++ ret = vnic_rq_disable(&enic->rq[i]);
++ if (!ret)
++ vnic_rq_clean(&enic->rq[i], enic_free_rq_buf);
+ }
+ enic_dev_notify_unset(enic);
+ err_out_free_intr:
+--
+2.17.1
+
--- /dev/null
+From a9f45d5e972429fbe1c9fc13997d62e9f94f4727 Mon Sep 17 00:00:00 2001
+From: Khazhismel Kumykov <khazhy@google.com>
+Date: Fri, 12 Oct 2018 21:34:40 -0700
+Subject: fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
+
+[ Upstream commit ac081c3be3fae6d0cc3e1862507fca3862d30b67 ]
+
+On non-preempt kernels this loop can take a long time (more than 50 ticks)
+processing through entries.
+
+Link: http://lkml.kernel.org/r/20181010172623.57033-1-khazhy@google.com
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Acked-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fat/fatent.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/fat/fatent.c b/fs/fat/fatent.c
+index a40f36b1b292..9635df94db7d 100644
+--- a/fs/fat/fatent.c
++++ b/fs/fat/fatent.c
+@@ -681,6 +681,7 @@ int fat_count_free_clusters(struct super_block *sb)
+ if (ops->ent_get(&fatent) == FAT_ENT_FREE)
+ free++;
+ } while (fat_ent_next(sbi, &fatent));
++ cond_resched();
+ }
+ sbi->free_clusters = free;
+ sbi->free_clus_valid = 1;
+--
+2.17.1
+
--- /dev/null
+From 1f2ea7a3a4b710072f70a3abecb6ef3f331b54cf Mon Sep 17 00:00:00 2001
+From: Alex Vesker <valex@mellanox.com>
+Date: Thu, 21 Dec 2017 17:38:27 +0200
+Subject: IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush
+
+[ Upstream commit 1f80bd6a6cc8358b81194e1f5fc16449947396ec ]
+
+The locking order of vlan_rwsem (LOCK A) and then rtnl (LOCK B),
+contradicts other flows such as ipoib_open possibly causing a deadlock.
+To prevent this deadlock heavy flush is called with RTNL locked and
+only then tries to acquire vlan_rwsem.
+This deadlock is possible only when there are child interfaces.
+
+[ 140.941758] ======================================================
+[ 140.946276] WARNING: possible circular locking dependency detected
+[ 140.950950] 4.15.0-rc1+ #9 Tainted: G O
+[ 140.954797] ------------------------------------------------------
+[ 140.959424] kworker/u32:1/146 is trying to acquire lock:
+[ 140.963450] (rtnl_mutex){+.+.}, at: [<ffffffffc083516a>] __ipoib_ib_dev_flush+0x2da/0x4e0 [ib_ipoib]
+[ 140.970006]
+but task is already holding lock:
+[ 140.975141] (&priv->vlan_rwsem){++++}, at: [<ffffffffc0834ee1>] __ipoib_ib_dev_flush+0x51/0x4e0 [ib_ipoib]
+[ 140.982105]
+which lock already depends on the new lock.
+[ 140.990023]
+the existing dependency chain (in reverse order) is:
+[ 140.998650]
+-> #1 (&priv->vlan_rwsem){++++}:
+[ 141.005276] down_read+0x4d/0xb0
+[ 141.009560] ipoib_open+0xad/0x120 [ib_ipoib]
+[ 141.014400] __dev_open+0xcb/0x140
+[ 141.017919] __dev_change_flags+0x1a4/0x1e0
+[ 141.022133] dev_change_flags+0x23/0x60
+[ 141.025695] devinet_ioctl+0x704/0x7d0
+[ 141.029156] sock_do_ioctl+0x20/0x50
+[ 141.032526] sock_ioctl+0x221/0x300
+[ 141.036079] do_vfs_ioctl+0xa6/0x6d0
+[ 141.039656] SyS_ioctl+0x74/0x80
+[ 141.042811] entry_SYSCALL_64_fastpath+0x1f/0x96
+[ 141.046891]
+-> #0 (rtnl_mutex){+.+.}:
+[ 141.051701] lock_acquire+0xd4/0x220
+[ 141.055212] __mutex_lock+0x88/0x970
+[ 141.058631] __ipoib_ib_dev_flush+0x2da/0x4e0 [ib_ipoib]
+[ 141.063160] __ipoib_ib_dev_flush+0x71/0x4e0 [ib_ipoib]
+[ 141.067648] process_one_work+0x1f5/0x610
+[ 141.071429] worker_thread+0x4a/0x3f0
+[ 141.074890] kthread+0x141/0x180
+[ 141.078085] ret_from_fork+0x24/0x30
+[ 141.081559]
+
+other info that might help us debug this:
+[ 141.088967] Possible unsafe locking scenario:
+[ 141.094280] CPU0 CPU1
+[ 141.097953] ---- ----
+[ 141.101640] lock(&priv->vlan_rwsem);
+[ 141.104771] lock(rtnl_mutex);
+[ 141.109207] lock(&priv->vlan_rwsem);
+[ 141.114032] lock(rtnl_mutex);
+[ 141.116800]
+ *** DEADLOCK ***
+
+Fixes: b4b678b06f6e ("IB/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop")
+Signed-off-by: Alex Vesker <valex@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_ib.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+index c97384c914a4..d77e8e2ae05f 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+@@ -1203,13 +1203,10 @@ static void __ipoib_ib_dev_flush(struct ipoib_dev_priv *priv,
+ ipoib_ib_dev_down(dev);
+
+ if (level == IPOIB_FLUSH_HEAVY) {
+- rtnl_lock();
+ if (test_bit(IPOIB_FLAG_INITIALIZED, &priv->flags))
+ ipoib_ib_dev_stop(dev);
+
+- result = ipoib_ib_dev_open(dev);
+- rtnl_unlock();
+- if (result)
++ if (ipoib_ib_dev_open(dev))
+ return;
+
+ if (netif_queue_stopped(dev))
+@@ -1249,7 +1246,9 @@ void ipoib_ib_dev_flush_heavy(struct work_struct *work)
+ struct ipoib_dev_priv *priv =
+ container_of(work, struct ipoib_dev_priv, flush_heavy);
+
++ rtnl_lock();
+ __ipoib_ib_dev_flush(priv, IPOIB_FLUSH_HEAVY, 0);
++ rtnl_unlock();
+ }
+
+ void ipoib_ib_dev_cleanup(struct net_device *dev)
+--
+2.17.1
+
--- /dev/null
+From c28f984774a199f061f8cdd3bd40d16f9026265c Mon Sep 17 00:00:00 2001
+From: Noa Osherovich <noaos@mellanox.com>
+Date: Sun, 25 Feb 2018 13:39:51 +0200
+Subject: IB/mlx5: Avoid passing an invalid QP type to firmware
+
+[ Upstream commit e7b169f34403becd3c9fd3b6e46614ab788f2187 ]
+
+During QP creation, the mlx5 driver translates the QP type to an
+internal value which is passed on to FW. There was no check to make
+sure that the translated value is valid, and -EINVAL was coerced into
+the mailbox command.
+
+Current firmware refuses this as an invalid QP type, but future/past
+firmware may do something else.
+
+Fixes: 09a7d9eca1a6c ('{net,IB}/mlx5: QP/XRCD commands via mlx5 ifc')
+Reviewed-by: Ilya Lesokhin <ilyal@mellanox.com>
+Signed-off-by: Noa Osherovich <noaos@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/qp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
+index ef9ee6c328a1..dfc190055167 100644
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -1527,6 +1527,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd,
+ u32 uidx = MLX5_IB_DEFAULT_UIDX;
+ struct mlx5_ib_create_qp ucmd;
+ struct mlx5_ib_qp_base *base;
++ int mlx5_st;
+ void *qpc;
+ u32 *in;
+ int err;
+@@ -1535,6 +1536,10 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd,
+ spin_lock_init(&qp->sq.lock);
+ spin_lock_init(&qp->rq.lock);
+
++ mlx5_st = to_mlx5_st(init_attr->qp_type);
++ if (mlx5_st < 0)
++ return -EINVAL;
++
+ if (init_attr->rwq_ind_tbl) {
+ if (!udata)
+ return -ENOSYS;
+@@ -1688,7 +1693,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd,
+
+ qpc = MLX5_ADDR_OF(create_qp_in, in, qpc);
+
+- MLX5_SET(qpc, qpc, st, to_mlx5_st(init_attr->qp_type));
++ MLX5_SET(qpc, qpc, st, mlx5_st);
+ MLX5_SET(qpc, qpc, pm_state, MLX5_QP_PM_MIGRATED);
+
+ if (init_attr->qp_type != MLX5_IB_QPT_REG_UMR)
+--
+2.17.1
+
--- /dev/null
+From a852796bce1e4bcb58b0f3e10bf77c00dc097e7d Mon Sep 17 00:00:00 2001
+From: Doug Ledford <dledford@redhat.com>
+Date: Mon, 9 Oct 2017 09:11:32 -0400
+Subject: IB/rxe: put the pool on allocation failure
+
+[ Upstream commit 6b9f8970cd30929cb6b372fa44fa66da9e59c650 ]
+
+If the allocation of elem fails, it is not sufficient to simply check
+for NULL and return. We need to also put our reference on the pool or
+else we will leave the pool with a permanent ref count and we will never
+be able to free it.
+
+Fixes: 4831ca9e4a8e ("IB/rxe: check for allocation failure on elem")
+Suggested-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_pool.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_pool.c b/drivers/infiniband/sw/rxe/rxe_pool.c
+index 3b4916680018..b4a8acc7bb7d 100644
+--- a/drivers/infiniband/sw/rxe/rxe_pool.c
++++ b/drivers/infiniband/sw/rxe/rxe_pool.c
+@@ -394,23 +394,25 @@ void *rxe_alloc(struct rxe_pool *pool)
+
+ kref_get(&pool->rxe->ref_cnt);
+
+- if (atomic_inc_return(&pool->num_elem) > pool->max_elem) {
+- atomic_dec(&pool->num_elem);
+- rxe_dev_put(pool->rxe);
+- rxe_pool_put(pool);
+- return NULL;
+- }
++ if (atomic_inc_return(&pool->num_elem) > pool->max_elem)
++ goto out_put_pool;
+
+ elem = kmem_cache_zalloc(pool_cache(pool),
+ (pool->flags & RXE_POOL_ATOMIC) ?
+ GFP_ATOMIC : GFP_KERNEL);
+ if (!elem)
+- return NULL;
++ goto out_put_pool;
+
+ elem->pool = pool;
+ kref_init(&elem->ref_cnt);
+
+ return elem;
++
++out_put_pool:
++ atomic_dec(&pool->num_elem);
++ rxe_dev_put(pool->rxe);
++ rxe_pool_put(pool);
++ return NULL;
+ }
+
+ void rxe_elem_release(struct kref *kref)
+--
+2.17.1
+
--- /dev/null
+From 4f3ae23e0741a5578e4f67d34b6a35c151a2910b Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@mellanox.com>
+Date: Wed, 13 Jun 2018 11:19:42 -0600
+Subject: IB/usnic: Update with bug fixes from core code
+
+[ Upstream commit 43cbd64b1fdc1da89abdad88a022d9e87a98e9c6 ]
+
+usnic has a modified version of the core codes' ib_umem_get() and
+related, and the copy misses many of the bug fixes done over the years:
+
+Commit bc3e53f682d9 ("mm: distinguish between mlocked and pinned pages")
+Commit 87773dd56d54 ("IB: ib_umem_release() should decrement mm->pinned_vm
+ from ib_umem_get")
+Commit 8494057ab5e4 ("IB/uverbs: Prevent integer overflow in ib_umem_get
+ address arithmetic")
+Commit 8abaae62f3fd ("IB/core: disallow registering 0-sized memory region")
+Commit 66578b0b2f69 ("IB/core: don't disallow registering region starting
+ at 0x0")
+Commit 53376fedb9da ("RDMA/core: not to set page dirty bit if it's already
+ set.")
+Commit 8e907ed48827 ("IB/umem: Use the correct mm during ib_umem_release")
+
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/usnic/usnic_ib_verbs.c | 2 +-
+ drivers/infiniband/hw/usnic/usnic_uiom.c | 40 ++++++++++++++------
+ drivers/infiniband/hw/usnic/usnic_uiom.h | 5 ++-
+ 3 files changed, 33 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c
+index e4113ef09315..3c3453d213dc 100644
+--- a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c
++++ b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c
+@@ -642,7 +642,7 @@ int usnic_ib_dereg_mr(struct ib_mr *ibmr)
+
+ usnic_dbg("va 0x%lx length 0x%zx\n", mr->umem->va, mr->umem->length);
+
+- usnic_uiom_reg_release(mr->umem, ibmr->pd->uobject->context->closing);
++ usnic_uiom_reg_release(mr->umem, ibmr->uobject->context);
+ kfree(mr);
+ return 0;
+ }
+diff --git a/drivers/infiniband/hw/usnic/usnic_uiom.c b/drivers/infiniband/hw/usnic/usnic_uiom.c
+index 4381c0a9a873..9dd39daa602b 100644
+--- a/drivers/infiniband/hw/usnic/usnic_uiom.c
++++ b/drivers/infiniband/hw/usnic/usnic_uiom.c
+@@ -41,6 +41,7 @@
+ #include <linux/workqueue.h>
+ #include <linux/list.h>
+ #include <linux/pci.h>
++#include <rdma/ib_verbs.h>
+
+ #include "usnic_log.h"
+ #include "usnic_uiom.h"
+@@ -88,7 +89,7 @@ static void usnic_uiom_put_pages(struct list_head *chunk_list, int dirty)
+ for_each_sg(chunk->page_list, sg, chunk->nents, i) {
+ page = sg_page(sg);
+ pa = sg_phys(sg);
+- if (dirty)
++ if (!PageDirty(page) && dirty)
+ set_page_dirty_lock(page);
+ put_page(page);
+ usnic_dbg("pa: %pa\n", &pa);
+@@ -114,6 +115,16 @@ static int usnic_uiom_get_pages(unsigned long addr, size_t size, int writable,
+ dma_addr_t pa;
+ unsigned int gup_flags;
+
++ /*
++ * If the combination of the addr and size requested for this memory
++ * region causes an integer overflow, return error.
++ */
++ if (((addr + size) < addr) || PAGE_ALIGN(addr + size) < (addr + size))
++ return -EINVAL;
++
++ if (!size)
++ return -EINVAL;
++
+ if (!can_do_mlock())
+ return -EPERM;
+
+@@ -127,7 +138,7 @@ static int usnic_uiom_get_pages(unsigned long addr, size_t size, int writable,
+
+ down_write(¤t->mm->mmap_sem);
+
+- locked = npages + current->mm->locked_vm;
++ locked = npages + current->mm->pinned_vm;
+ lock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
+
+ if ((locked > lock_limit) && !capable(CAP_IPC_LOCK)) {
+@@ -143,7 +154,7 @@ static int usnic_uiom_get_pages(unsigned long addr, size_t size, int writable,
+ ret = 0;
+
+ while (npages) {
+- ret = get_user_pages(cur_base,
++ ret = get_user_pages_longterm(cur_base,
+ min_t(unsigned long, npages,
+ PAGE_SIZE / sizeof(struct page *)),
+ gup_flags, page_list, NULL);
+@@ -186,7 +197,7 @@ out:
+ if (ret < 0)
+ usnic_uiom_put_pages(chunk_list, 0);
+ else
+- current->mm->locked_vm = locked;
++ current->mm->pinned_vm = locked;
+
+ up_write(¤t->mm->mmap_sem);
+ free_page((unsigned long) page_list);
+@@ -420,18 +431,22 @@ out_free_uiomr:
+ return ERR_PTR(err);
+ }
+
+-void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr, int closing)
++void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr,
++ struct ib_ucontext *ucontext)
+ {
++ struct task_struct *task;
+ struct mm_struct *mm;
+ unsigned long diff;
+
+ __usnic_uiom_reg_release(uiomr->pd, uiomr, 1);
+
+- mm = get_task_mm(current);
+- if (!mm) {
+- kfree(uiomr);
+- return;
+- }
++ task = get_pid_task(ucontext->tgid, PIDTYPE_PID);
++ if (!task)
++ goto out;
++ mm = get_task_mm(task);
++ put_task_struct(task);
++ if (!mm)
++ goto out;
+
+ diff = PAGE_ALIGN(uiomr->length + uiomr->offset) >> PAGE_SHIFT;
+
+@@ -443,7 +458,7 @@ void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr, int closing)
+ * up here and not be able to take the mmap_sem. In that case
+ * we defer the vm_locked accounting to the system workqueue.
+ */
+- if (closing) {
++ if (ucontext->closing) {
+ if (!down_write_trylock(&mm->mmap_sem)) {
+ INIT_WORK(&uiomr->work, usnic_uiom_reg_account);
+ uiomr->mm = mm;
+@@ -455,9 +470,10 @@ void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr, int closing)
+ } else
+ down_write(&mm->mmap_sem);
+
+- current->mm->locked_vm -= diff;
++ mm->pinned_vm -= diff;
+ up_write(&mm->mmap_sem);
+ mmput(mm);
++out:
+ kfree(uiomr);
+ }
+
+diff --git a/drivers/infiniband/hw/usnic/usnic_uiom.h b/drivers/infiniband/hw/usnic/usnic_uiom.h
+index 431efe4143f4..8c096acff123 100644
+--- a/drivers/infiniband/hw/usnic/usnic_uiom.h
++++ b/drivers/infiniband/hw/usnic/usnic_uiom.h
+@@ -39,6 +39,8 @@
+
+ #include "usnic_uiom_interval_tree.h"
+
++struct ib_ucontext;
++
+ #define USNIC_UIOM_READ (1)
+ #define USNIC_UIOM_WRITE (2)
+
+@@ -89,7 +91,8 @@ void usnic_uiom_free_dev_list(struct device **devs);
+ struct usnic_uiom_reg *usnic_uiom_reg_get(struct usnic_uiom_pd *pd,
+ unsigned long addr, size_t size,
+ int access, int dmasync);
+-void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr, int closing);
++void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr,
++ struct ib_ucontext *ucontext);
+ int usnic_uiom_init(char *drv_name);
+ void usnic_uiom_fini(void);
+ #endif /* USNIC_UIOM_H_ */
+--
+2.17.1
+
--- /dev/null
+From 0d9f767b1f71a1a8d1d82fc80a004a3168f6ee99 Mon Sep 17 00:00:00 2001
+From: Phil Reid <preid@electromag.com.au>
+Date: Tue, 5 Jun 2018 14:15:10 +0800
+Subject: iio: buffer: fix the function signature to match implementation
+
+[ Upstream commit 92397a6c38d139d50fabbe9e2dc09b61d53b2377 ]
+
+linux/iio/buffer-dma.h was not updated to when length was changed to
+unsigned int.
+
+Fixes: c043ec1ca5ba ("iio:buffer: make length types match kfifo types")
+Signed-off-by: Phil Reid <preid@electromag.com.au>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/iio/buffer-dma.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/iio/buffer-dma.h b/include/linux/iio/buffer-dma.h
+index 767467d886de..67c75372b691 100644
+--- a/include/linux/iio/buffer-dma.h
++++ b/include/linux/iio/buffer-dma.h
+@@ -141,7 +141,7 @@ int iio_dma_buffer_read(struct iio_buffer *buffer, size_t n,
+ char __user *user_buffer);
+ size_t iio_dma_buffer_data_available(struct iio_buffer *buffer);
+ int iio_dma_buffer_set_bytes_per_datum(struct iio_buffer *buffer, size_t bpd);
+-int iio_dma_buffer_set_length(struct iio_buffer *buffer, int length);
++int iio_dma_buffer_set_length(struct iio_buffer *buffer, unsigned int length);
+ int iio_dma_buffer_request_update(struct iio_buffer *buffer);
+
+ int iio_dma_buffer_init(struct iio_dma_buffer_queue *queue,
+--
+2.17.1
+
--- /dev/null
+From a92b5cd08830b36f17cd65b30bb365f0cf43b4e1 Mon Sep 17 00:00:00 2001
+From: Liad Kaufman <liad.kaufman@intel.com>
+Date: Tue, 31 Oct 2017 15:54:50 +0200
+Subject: iwlwifi: dbg: allow wrt collection before ALIVE
+
+[ Upstream commit dfd4b08cf44f27587e2053e006e43a1603328006 ]
+
+Even if no ALIVE was received, the WRT data can still
+be collected. Add this.
+
+Signed-off-by: Liad Kaufman <liad.kaufman@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+index 2fa7ec466275..839010417241 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+@@ -950,7 +950,20 @@ int iwl_fw_dbg_collect_desc(struct iwl_fw_runtime *fwrt,
+ if (trigger)
+ delay = msecs_to_jiffies(le32_to_cpu(trigger->stop_delay));
+
+- if (WARN(fwrt->trans->state == IWL_TRANS_NO_FW,
++ /*
++ * If the loading of the FW completed successfully, the next step is to
++ * get the SMEM config data. Thus, if fwrt->smem_cfg.num_lmacs is non
++ * zero, the FW was already loaded successully. If the state is "NO_FW"
++ * in such a case - WARN and exit, since FW may be dead. Otherwise, we
++ * can try to collect the data, since FW might just not be fully
++ * loaded (no "ALIVE" yet), and the debug data is accessible.
++ *
++ * Corner case: got the FW alive but crashed before getting the SMEM
++ * config. In such a case, due to HW access problems, we might
++ * collect garbage.
++ */
++ if (WARN((fwrt->trans->state == IWL_TRANS_NO_FW) &&
++ fwrt->smem_cfg.num_lmacs,
+ "Can't collect dbg data when FW isn't alive\n"))
+ return -EIO;
+
+--
+2.17.1
+
--- /dev/null
+From f47dee2a37c910dbf4c6dbc22b09b1221ad95f2a Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Tue, 7 Nov 2017 23:54:17 +0200
+Subject: iwlwifi: fix the ALIVE notification layout
+
+[ Upstream commit 5cd2d8fc6c6bca979ac5dd8ad0e41153f1f982f9 ]
+
+The ucode_major and ucode_minor were swapped. This has
+no practical consequences since those fields are not used.
+Same goes for umac_major and umac_minor which were only
+printed under certain debug flags.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/api/alive.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/api/alive.h b/drivers/net/wireless/intel/iwlwifi/fw/api/alive.h
+index 3684a3e180e5..007bfe7656a4 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/api/alive.h
++++ b/drivers/net/wireless/intel/iwlwifi/fw/api/alive.h
+@@ -95,8 +95,8 @@ enum {
+ #define IWL_ALIVE_FLG_RFKILL BIT(0)
+
+ struct iwl_lmac_alive {
+- __le32 ucode_minor;
+ __le32 ucode_major;
++ __le32 ucode_minor;
+ u8 ver_subtype;
+ u8 ver_type;
+ u8 mac;
+@@ -113,8 +113,8 @@ struct iwl_lmac_alive {
+ } __packed; /* UCODE_ALIVE_NTFY_API_S_VER_3 */
+
+ struct iwl_umac_alive {
+- __le32 umac_minor; /* UMAC version: minor */
+ __le32 umac_major; /* UMAC version: major */
++ __le32 umac_minor; /* UMAC version: minor */
+ __le32 error_info_addr; /* SRAM address for UMAC error log */
+ __le32 dbg_print_buff_addr;
+ } __packed; /* UMAC_ALIVE_DATA_API_S_VER_2 */
+--
+2.17.1
+
--- /dev/null
+From 00323326d0b80aa9bc116c93f10c596c2440e8d1 Mon Sep 17 00:00:00 2001
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Sun, 29 Oct 2017 10:46:39 +0200
+Subject: iwlwifi: mvm: check for short GI only for OFDM
+
+[ Upstream commit 4c59ff5a9a9c54cc26c807dc2fa6933f7e9fa4ef ]
+
+This bit will be used in CCK to indicate short preamble.
+
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/rx.c | 3 ++-
+ drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 4 +++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rx.c b/drivers/net/wireless/intel/iwlwifi/mvm/rx.c
+index 2d14a58cbdd7..c73e4be9bde3 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rx.c
+@@ -439,7 +439,8 @@ void iwl_mvm_rx_rx_mpdu(struct iwl_mvm *mvm, struct napi_struct *napi,
+ rx_status->bw = RATE_INFO_BW_160;
+ break;
+ }
+- if (rate_n_flags & RATE_MCS_SGI_MSK)
++ if (!(rate_n_flags & RATE_MCS_CCK_MSK) &&
++ rate_n_flags & RATE_MCS_SGI_MSK)
+ rx_status->enc_flags |= RX_ENC_FLAG_SHORT_GI;
+ if (rate_n_flags & RATE_HT_MCS_GF_MSK)
+ rx_status->enc_flags |= RX_ENC_FLAG_HT_GF;
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+index e2196dc35dc6..8ba8c70571fb 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+@@ -981,7 +981,9 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm *mvm, struct napi_struct *napi,
+ rx_status->bw = RATE_INFO_BW_160;
+ break;
+ }
+- if (rate_n_flags & RATE_MCS_SGI_MSK)
++
++ if (!(rate_n_flags & RATE_MCS_CCK_MSK) &&
++ rate_n_flags & RATE_MCS_SGI_MSK)
+ rx_status->enc_flags |= RX_ENC_FLAG_SHORT_GI;
+ if (rate_n_flags & RATE_HT_MCS_GF_MSK)
+ rx_status->enc_flags |= RX_ENC_FLAG_HT_GF;
+--
+2.17.1
+
--- /dev/null
+From 0c174e427f62b739835b3e78923ef30b9466bebe Mon Sep 17 00:00:00 2001
+From: Stefan Agner <stefan@agner.ch>
+Date: Mon, 19 Mar 2018 22:12:53 +0100
+Subject: kbuild: set no-integrated-as before incl. arch Makefile
+
+[ Upstream commit 0f0e8de334c54c38818a4a5390a39aa09deff5bf ]
+
+In order to make sure compiler flag detection for ARM works
+correctly the no-integrated-as flags need to be set before
+including the arch specific Makefile.
+
+Fixes: cfe17c9bbe6a ("kbuild: move cc-option and cc-disable-warning after incl. arch Makefile")
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 16d1a18496fb..8cc08595b760 100644
+--- a/Makefile
++++ b/Makefile
+@@ -487,6 +487,8 @@ CLANG_GCC_TC := --gcc-toolchain=$(GCC_TOOLCHAIN)
+ endif
+ KBUILD_CFLAGS += $(CLANG_TARGET) $(CLANG_GCC_TC)
+ KBUILD_AFLAGS += $(CLANG_TARGET) $(CLANG_GCC_TC)
++KBUILD_CFLAGS += $(call cc-option, -no-integrated-as)
++KBUILD_AFLAGS += $(call cc-option, -no-integrated-as)
+ endif
+
+ RETPOLINE_CFLAGS_GCC := -mindirect-branch=thunk-extern -mindirect-branch-register
+@@ -721,8 +723,6 @@ KBUILD_CFLAGS += $(call cc-disable-warning, tautological-compare)
+ # See modpost pattern 2
+ KBUILD_CFLAGS += $(call cc-option, -mno-global-merge,)
+ KBUILD_CFLAGS += $(call cc-option, -fcatch-undefined-behavior)
+-KBUILD_CFLAGS += $(call cc-option, -no-integrated-as)
+-KBUILD_AFLAGS += $(call cc-option, -no-integrated-as)
+ else
+
+ # These warnings generated too much noise in a regular build.
+--
+2.17.1
+
--- /dev/null
+From 513949532d2b504c1ae4877d24dc49651dfb81e2 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Thu, 9 Aug 2018 15:47:06 +0900
+Subject: kconfig: fix the rule of mainmenu_stmt symbol
+
+[ Upstream commit 56869d45e364244a721de34ce9c5dc9ed022779e ]
+
+The rule of mainmenu_stmt does not have debug print of zconf_lineno(),
+but if it had, it would print a wrong line number for the same reason
+as commit b2d00d7c61c8 ("kconfig: fix line numbers for if-entries in
+menu tree").
+
+The mainmenu_stmt does not need to eat following empty lines because
+they are reduced to common_stmt.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/zconf.y | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/kconfig/zconf.y b/scripts/kconfig/zconf.y
+index 126e3f2e1ed7..2b0adeb5fc42 100644
+--- a/scripts/kconfig/zconf.y
++++ b/scripts/kconfig/zconf.y
+@@ -31,7 +31,7 @@ struct symbol *symbol_hash[SYMBOL_HASHSIZE];
+ static struct menu *current_menu, *current_entry;
+
+ %}
+-%expect 31
++%expect 30
+
+ %union
+ {
+@@ -112,7 +112,7 @@ start: mainmenu_stmt stmt_list | no_mainmenu_stmt stmt_list;
+
+ /* mainmenu entry */
+
+-mainmenu_stmt: T_MAINMENU prompt nl
++mainmenu_stmt: T_MAINMENU prompt T_EOL
+ {
+ menu_add_prompt(P_MENU, $2, NULL);
+ };
+--
+2.17.1
+
--- /dev/null
+From 28c096e07e581289f13d45750fc24c948f3516cc Mon Sep 17 00:00:00 2001
+From: KarimAllah Ahmed <karahmed@amazon.de>
+Date: Wed, 28 Feb 2018 19:06:48 +0100
+Subject: KVM: x86: Update the exit_qualification access bits while walking an
+ address
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit ddd6f0e94d3153951580d5b88b9d97c7e26a0e00 ]
+
+... to avoid having a stale value when handling an EPT misconfig for MMIO
+regions.
+
+MMIO regions that are not passed-through to the guest are handled through
+EPT misconfigs. The first time a certain MMIO page is touched it causes an
+EPT violation, then KVM marks the EPT entry to cause an EPT misconfig
+instead. Any subsequent accesses to the entry will generate an EPT
+misconfig.
+
+Things gets slightly complicated with nested guest handling for MMIO
+regions that are not passed through from L0 (i.e. emulated by L0
+user-space).
+
+An EPT violation for one of these MMIO regions from L2, exits to L0
+hypervisor. L0 would then look at the EPT12 mapping for L1 hypervisor and
+realize it is not present (or not sufficient to serve the request). Then L0
+injects an EPT violation to L1. L1 would then update its EPT mappings. The
+EXIT_QUALIFICATION value for L1 would come from exit_qualification variable
+in "struct vcpu". The problem is that this variable is only updated on EPT
+violation and not on EPT misconfig. So if an EPT violation because of a
+read happened first, then an EPT misconfig because of a write happened
+afterwards. The L0 hypervisor will still contain exit_qualification value
+from the previous read instead of the write and end up injecting an EPT
+violation to the L1 hypervisor with an out of date EXIT_QUALIFICATION.
+
+The EPT violation that is injected from L0 to L1 needs to have the correct
+EXIT_QUALIFICATION specially for the access bits because the individual
+access bits for MMIO EPTs are updated only on actual access of this
+specific type. So for the example above, the L1 hypervisor will keep
+updating only the read bit in the EPT then resume the L2 guest. The L2
+guest would end up causing another exit where the L0 *again* will inject
+another EPT violation to L1 hypervisor with *again* an out of date
+exit_qualification which indicates a read and not a write. Then this
+ping-pong just keeps happening without making any forward progress.
+
+The behavior of mapping MMIO regions changed in:
+
+ commit a340b3e229b24 ("kvm: Map PFN-type memory regions as writable (if possible)")
+
+... where an EPT violation for a read would also fixup the write bits to
+avoid another EPT violation which by acciddent would fix the bug mentioned
+above.
+
+This commit fixes this situation and ensures that the access bits for the
+exit_qualifcation is up to date. That ensures that even L1 hypervisor
+running with a KVM version before the commit mentioned above would still
+work.
+
+( The description above assumes EPT to be available and used by L1
+ hypervisor + the L1 hypervisor is passing through the MMIO region to the L2
+ guest while this MMIO region is emulated by the L0 user-space ).
+
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: x86@kernel.org
+Cc: kvm@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: KarimAllah Ahmed <karahmed@amazon.de>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/paging_tmpl.h | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
+index 5abae72266b7..6288e9d7068e 100644
+--- a/arch/x86/kvm/paging_tmpl.h
++++ b/arch/x86/kvm/paging_tmpl.h
+@@ -452,14 +452,21 @@ error:
+ * done by is_rsvd_bits_set() above.
+ *
+ * We set up the value of exit_qualification to inject:
+- * [2:0] - Derive from [2:0] of real exit_qualification at EPT violation
++ * [2:0] - Derive from the access bits. The exit_qualification might be
++ * out of date if it is serving an EPT misconfiguration.
+ * [5:3] - Calculated by the page walk of the guest EPT page tables
+ * [7:8] - Derived from [7:8] of real exit_qualification
+ *
+ * The other bits are set to 0.
+ */
+ if (!(errcode & PFERR_RSVD_MASK)) {
+- vcpu->arch.exit_qualification &= 0x187;
++ vcpu->arch.exit_qualification &= 0x180;
++ if (write_fault)
++ vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_WRITE;
++ if (user_fault)
++ vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_READ;
++ if (fetch_fault)
++ vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_INSTR;
+ vcpu->arch.exit_qualification |= (pte_access & 0x7) << 3;
+ }
+ #endif
+--
+2.17.1
+
--- /dev/null
+From bf762feae7ea6a3a0bcf7ba59f1458c25833ee78 Mon Sep 17 00:00:00 2001
+From: James Chapman <jchapman@katalix.com>
+Date: Wed, 3 Jan 2018 22:48:06 +0000
+Subject: l2tp: remove configurable payload offset
+
+[ Upstream commit 900631ee6a2651dc4fbaecb8ef9fa5f1e3378853 ]
+
+If L2TP_ATTR_OFFSET is set to a non-zero value in L2TPv3 tunnels, it
+results in L2TPv3 packets being transmitted which might not be
+compliant with the L2TPv3 RFC. This patch has l2tp ignore the offset
+setting and send all packets with no offset.
+
+In more detail:
+
+L2TPv2 supports a variable offset from the L2TPv2 header to the
+payload. The offset value is indicated by an optional field in the
+L2TP header. Our L2TP implementation already detects the presence of
+the optional offset and skips that many bytes when handling data
+received packets. All transmitted packets are always transmitted with
+no offset.
+
+L2TPv3 has no optional offset field in the L2TPv3 packet
+header. Instead, L2TPv3 defines optional fields in a "Layer-2 Specific
+Sublayer". At the time when the original L2TP code was written, there
+was talk at IETF of offset being implemented in a new Layer-2 Specific
+Sublayer. A L2TP_ATTR_OFFSET netlink attribute was added so that this
+offset could be configured and the intention was to allow it to be
+also used to set the tx offset for L2TPv2. However, no L2TPv3 offset
+was ever specified and the L2TP_ATTR_OFFSET parameter was forgotten
+about.
+
+Setting L2TP_ATTR_OFFSET results in L2TPv3 packets being transmitted
+with the specified number of bytes padding between L2TPv3 header and
+payload. This is not compliant with L2TPv3 RFC3931. This change
+removes the configurable offset altogether while retaining
+L2TP_ATTR_OFFSET for backwards compatibility. Any L2TP_ATTR_OFFSET
+value is ignored.
+
+Signed-off-by: James Chapman <jchapman@katalix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 14 ++++----------
+ net/l2tp/l2tp_core.h | 3 ---
+ net/l2tp/l2tp_debugfs.c | 4 ++--
+ net/l2tp/l2tp_netlink.c | 3 ---
+ 4 files changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index 5c87f1d3e525..33ea389ee015 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -808,10 +808,8 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
+ }
+ }
+
+- /* Session data offset is handled differently for L2TPv2 and
+- * L2TPv3. For L2TPv2, there is an optional 16-bit value in
+- * the header. For L2TPv3, the offset is negotiated using AVPs
+- * in the session setup control protocol.
++ /* Session data offset is defined only for L2TPv2 and is
++ * indicated by an optional 16-bit value in the header.
+ */
+ if (tunnel->version == L2TP_HDR_VER_2) {
+ /* If offset bit set, skip it. */
+@@ -819,8 +817,7 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
+ offset = ntohs(*(__be16 *)ptr);
+ ptr += 2 + offset;
+ }
+- } else
+- ptr += session->offset;
++ }
+
+ offset = ptr - optr;
+ if (!pskb_may_pull(skb, offset))
+@@ -1104,8 +1101,6 @@ static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
+ }
+ bufp += session->l2specific_len;
+ }
+- if (session->offset)
+- bufp += session->offset;
+
+ return bufp - optr;
+ }
+@@ -1779,7 +1774,7 @@ void l2tp_session_set_header_len(struct l2tp_session *session, int version)
+ if (session->send_seq)
+ session->hdr_len += 4;
+ } else {
+- session->hdr_len = 4 + session->cookie_len + session->l2specific_len + session->offset;
++ session->hdr_len = 4 + session->cookie_len + session->l2specific_len;
+ if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
+ session->hdr_len += 4;
+ }
+@@ -1830,7 +1825,6 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
+ session->recv_seq = cfg->recv_seq;
+ session->lns_mode = cfg->lns_mode;
+ session->reorder_timeout = cfg->reorder_timeout;
+- session->offset = cfg->offset;
+ session->l2specific_type = cfg->l2specific_type;
+ session->l2specific_len = cfg->l2specific_len;
+ session->cookie_len = cfg->cookie_len;
+diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
+index 9e2f1fda1b03..0a58c0754526 100644
+--- a/net/l2tp/l2tp_core.h
++++ b/net/l2tp/l2tp_core.h
+@@ -59,7 +59,6 @@ struct l2tp_session_cfg {
+ int debug; /* bitmask of debug message
+ * categories */
+ u16 vlan_id; /* VLAN pseudowire only */
+- u16 offset; /* offset to payload */
+ u16 l2specific_len; /* Layer 2 specific length */
+ u16 l2specific_type; /* Layer 2 specific type */
+ u8 cookie[8]; /* optional cookie */
+@@ -86,8 +85,6 @@ struct l2tp_session {
+ int cookie_len;
+ u8 peer_cookie[8];
+ int peer_cookie_len;
+- u16 offset; /* offset from end of L2TP header
+- to beginning of data */
+ u16 l2specific_len;
+ u16 l2specific_type;
+ u16 hdr_len;
+diff --git a/net/l2tp/l2tp_debugfs.c b/net/l2tp/l2tp_debugfs.c
+index 53bae54c4d6e..534cad03b9e9 100644
+--- a/net/l2tp/l2tp_debugfs.c
++++ b/net/l2tp/l2tp_debugfs.c
+@@ -180,8 +180,8 @@ static void l2tp_dfs_seq_session_show(struct seq_file *m, void *v)
+ session->lns_mode ? "LNS" : "LAC",
+ session->debug,
+ jiffies_to_msecs(session->reorder_timeout));
+- seq_printf(m, " offset %hu l2specific %hu/%hu\n",
+- session->offset, session->l2specific_type, session->l2specific_len);
++ seq_printf(m, " offset 0 l2specific %hu/%hu\n",
++ session->l2specific_type, session->l2specific_len);
+ if (session->cookie_len) {
+ seq_printf(m, " cookie %02x%02x%02x%02x",
+ session->cookie[0], session->cookie[1],
+diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
+index c28223d8092b..001797ce4084 100644
+--- a/net/l2tp/l2tp_netlink.c
++++ b/net/l2tp/l2tp_netlink.c
+@@ -549,9 +549,6 @@ static int l2tp_nl_cmd_session_create(struct sk_buff *skb, struct genl_info *inf
+ }
+
+ if (tunnel->version > 2) {
+- if (info->attrs[L2TP_ATTR_OFFSET])
+- cfg.offset = nla_get_u16(info->attrs[L2TP_ATTR_OFFSET]);
+-
+ if (info->attrs[L2TP_ATTR_DATA_SEQ])
+ cfg.data_seq = nla_get_u8(info->attrs[L2TP_ATTR_DATA_SEQ]);
+
+--
+2.17.1
+
--- /dev/null
+From 9d3b098121030d1280b9920f84f8d30333991244 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:52 -0700
+Subject: lan78xx: Check for supported Wake-on-LAN modes
+
+[ Upstream commit eb9ad088f96653a26b340f7c447c44cf023d5cdc ]
+
+The driver supports a fair amount of Wake-on-LAN modes, but is not
+checking that the user specified one that is supported.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Woojung Huh <Woojung.Huh@Microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 17 ++++-------------
+ 1 file changed, 4 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index 9e3f632e22f1..00ddcaf09014 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -1375,19 +1375,10 @@ static int lan78xx_set_wol(struct net_device *netdev,
+ if (ret < 0)
+ return ret;
+
+- pdata->wol = 0;
+- if (wol->wolopts & WAKE_UCAST)
+- pdata->wol |= WAKE_UCAST;
+- if (wol->wolopts & WAKE_MCAST)
+- pdata->wol |= WAKE_MCAST;
+- if (wol->wolopts & WAKE_BCAST)
+- pdata->wol |= WAKE_BCAST;
+- if (wol->wolopts & WAKE_MAGIC)
+- pdata->wol |= WAKE_MAGIC;
+- if (wol->wolopts & WAKE_PHY)
+- pdata->wol |= WAKE_PHY;
+- if (wol->wolopts & WAKE_ARP)
+- pdata->wol |= WAKE_ARP;
++ if (wol->wolopts & ~WAKE_ALL)
++ return -EINVAL;
++
++ pdata->wol = wol->wolopts;
+
+ device_set_wakeup_enable(&dev->udev->dev, (bool)wol->wolopts);
+
+--
+2.17.1
+
--- /dev/null
+From 4da2e724c79fef7cc78a7bdac234c323f4ca861b Mon Sep 17 00:00:00 2001
+From: Phil Elwell <phil@raspberrypi.org>
+Date: Tue, 10 Apr 2018 13:18:25 +0100
+Subject: lan78xx: Don't reset the interface on open
+
+[ Upstream commit 47b998653fea4ef69e3e89574956386f262bccca ]
+
+Commit 92571a1aae40 ("lan78xx: Connect phy early") moves the PHY
+initialisation into lan78xx_probe, but lan78xx_open subsequently calls
+lan78xx_reset. As well as forcing a second round of link negotiation,
+this reset frequently prevents the phy interrupt from being generated
+(even though the link is up), rendering the interface unusable.
+
+Fix this issue by removing the lan78xx_reset call from lan78xx_open.
+
+Fixes: 92571a1aae40 ("lan78xx: Connect phy early")
+Signed-off-by: Phil Elwell <phil@raspberrypi.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index 9e3f632e22f1..a090112880fd 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2517,10 +2517,6 @@ static int lan78xx_open(struct net_device *net)
+ if (ret < 0)
+ goto out;
+
+- ret = lan78xx_reset(dev);
+- if (ret < 0)
+- goto done;
+-
+ phy_start(net->phydev);
+
+ netif_dbg(dev, ifup, dev->net, "phy initialised successfully");
+--
+2.17.1
+
--- /dev/null
+From 23f250873edd991257f1c044ae0c8eb11ca66e04 Mon Sep 17 00:00:00 2001
+From: Daniel Mack <daniel@zonque.org>
+Date: Mon, 8 Oct 2018 22:03:57 +0200
+Subject: libertas: call into generic suspend code before turning off power
+
+[ Upstream commit 4f666675cdff0b986195413215eb062b7da6586f ]
+
+When powering down a SDIO connected card during suspend, make sure to call
+into the generic lbs_suspend() function before pulling the plug. This will
+make sure the card is successfully deregistered from the system to avoid
+communication to the card starving out.
+
+Fixes: 7444a8092906 ("libertas: fix suspend and resume for SDIO connected cards")
+Signed-off-by: Daniel Mack <daniel@zonque.org>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/if_sdio.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/libertas/if_sdio.c b/drivers/net/wireless/marvell/libertas/if_sdio.c
+index 43743c26c071..39bf85d0ade0 100644
+--- a/drivers/net/wireless/marvell/libertas/if_sdio.c
++++ b/drivers/net/wireless/marvell/libertas/if_sdio.c
+@@ -1317,6 +1317,10 @@ static int if_sdio_suspend(struct device *dev)
+ if (priv->wol_criteria == EHS_REMOVE_WAKEUP) {
+ dev_info(dev, "Suspend without wake params -- powering down card\n");
+ if (priv->fw_ready) {
++ ret = lbs_suspend(priv);
++ if (ret)
++ return ret;
++
+ priv->power_up_on_resume = true;
+ if_sdio_power_off(card);
+ }
+--
+2.17.1
+
--- /dev/null
+From 60aebe4162958ce04e3558f507b3736297d683f3 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Tue, 2 Oct 2018 14:48:49 -0700
+Subject: locking/ww_mutex: Fix runtime warning in the WW mutex selftest
+
+[ Upstream commit e4a02ed2aaf447fa849e3254bfdb3b9b01e1e520 ]
+
+If CONFIG_WW_MUTEX_SELFTEST=y is enabled, booting an image
+in an arm64 virtual machine results in the following
+traceback if 8 CPUs are enabled:
+
+ DEBUG_LOCKS_WARN_ON(__owner_task(owner) != current)
+ WARNING: CPU: 2 PID: 537 at kernel/locking/mutex.c:1033 __mutex_unlock_slowpath+0x1a8/0x2e0
+ ...
+ Call trace:
+ __mutex_unlock_slowpath()
+ ww_mutex_unlock()
+ test_cycle_work()
+ process_one_work()
+ worker_thread()
+ kthread()
+ ret_from_fork()
+
+If requesting b_mutex fails with -EDEADLK, the error variable
+is reassigned to the return value from calling ww_mutex_lock
+on a_mutex again. If this call fails, a_mutex is not locked.
+It is, however, unconditionally unlocked subsequently, causing
+the reported warning. Fix the problem by using two error variables.
+
+With this change, the selftest still fails as follows:
+
+ cyclic deadlock not resolved, ret[7/8] = -35
+
+However, the traceback is gone.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Fixes: d1b42b800e5d0 ("locking/ww_mutex: Add kselftests for resolving ww_mutex cyclic deadlocks")
+Link: http://lkml.kernel.org/r/1538516929-9734-1-git-send-email-linux@roeck-us.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/test-ww_mutex.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/locking/test-ww_mutex.c b/kernel/locking/test-ww_mutex.c
+index 0e4cd64ad2c0..654977862b06 100644
+--- a/kernel/locking/test-ww_mutex.c
++++ b/kernel/locking/test-ww_mutex.c
+@@ -260,7 +260,7 @@ static void test_cycle_work(struct work_struct *work)
+ {
+ struct test_cycle *cycle = container_of(work, typeof(*cycle), work);
+ struct ww_acquire_ctx ctx;
+- int err;
++ int err, erra = 0;
+
+ ww_acquire_init(&ctx, &ww_class);
+ ww_mutex_lock(&cycle->a_mutex, &ctx);
+@@ -270,17 +270,19 @@ static void test_cycle_work(struct work_struct *work)
+
+ err = ww_mutex_lock(cycle->b_mutex, &ctx);
+ if (err == -EDEADLK) {
++ err = 0;
+ ww_mutex_unlock(&cycle->a_mutex);
+ ww_mutex_lock_slow(cycle->b_mutex, &ctx);
+- err = ww_mutex_lock(&cycle->a_mutex, &ctx);
++ erra = ww_mutex_lock(&cycle->a_mutex, &ctx);
+ }
+
+ if (!err)
+ ww_mutex_unlock(cycle->b_mutex);
+- ww_mutex_unlock(&cycle->a_mutex);
++ if (!erra)
++ ww_mutex_unlock(&cycle->a_mutex);
+ ww_acquire_fini(&ctx);
+
+- cycle->result = err;
++ cycle->result = err ?: erra;
+ }
+
+ static int __test_cycle(unsigned int nthreads)
+--
+2.17.1
+
--- /dev/null
+From 1f2af8d4c9fae26f03f25c44f28cc8f5b887f9e8 Mon Sep 17 00:00:00 2001
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Date: Wed, 5 Sep 2018 08:06:13 +0300
+Subject: mac80211: Always report TX status
+
+[ Upstream commit 8682250b3c1b75a45feb7452bc413d004cfe3778 ]
+
+If a frame is dropped for any reason, mac80211 wouldn't report the TX
+status back to user space.
+
+As the user space may rely on the TX_STATUS to kick its state
+machines, resends etc, it's better to just report this frame as not
+acked instead.
+
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/status.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/net/mac80211/status.c b/net/mac80211/status.c
+index da7427a41529..ccac205e5853 100644
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -470,11 +470,6 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local,
+ if (!skb)
+ return;
+
+- if (dropped) {
+- dev_kfree_skb_any(skb);
+- return;
+- }
+-
+ if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) {
+ u64 cookie = IEEE80211_SKB_CB(skb)->ack.cookie;
+ struct ieee80211_sub_if_data *sdata;
+@@ -495,6 +490,8 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local,
+ }
+ rcu_read_unlock();
+
++ dev_kfree_skb_any(skb);
++ } else if (dropped) {
+ dev_kfree_skb_any(skb);
+ } else {
+ /* consumes skb */
+--
+2.17.1
+
--- /dev/null
+From 15378144b81b766b5245e1c30c144f5d3aa7941d Mon Sep 17 00:00:00 2001
+From: Bob Copeland <me@bobcopeland.com>
+Date: Wed, 5 Sep 2018 06:22:59 -0400
+Subject: mac80211: fix pending queue hang due to TX_DROP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 6eae4a6c2be387fec41b0d2782c4fffb57159498 ]
+
+In our environment running lots of mesh nodes, we are seeing the
+pending queue hang periodically, with the debugfs queues file showing
+lines such as:
+
+ 00: 0x00000000/348
+
+i.e. there are a large number of frames but no stop reason set.
+
+One way this could happen is if queue processing from the pending
+tasklet exited early without processing all frames, and without having
+some future event (incoming frame, stop reason flag, ...) to reschedule
+it.
+
+Exactly this can occur today if ieee80211_tx() returns false due to
+packet drops or power-save buffering in the tx handlers. In the
+past, this function would return true in such cases, and the change
+to false doesn't seem to be intentional. Fix this case by reverting
+to the previous behavior.
+
+Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
+Signed-off-by: Bob Copeland <bobcopeland@fb.com>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index d8fddd88bf46..a17a56032a21 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1837,7 +1837,7 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,
+ sdata->vif.hw_queue[skb_get_queue_mapping(skb)];
+
+ if (invoke_tx_handlers_early(&tx))
+- return false;
++ return true;
+
+ if (ieee80211_queue_skb(local, sdata, tx.sta, tx.skb))
+ return true;
+--
+2.17.1
+
--- /dev/null
+From d13bc605c6a73208ce20ddc99dbcb8481cd134c2 Mon Sep 17 00:00:00 2001
+From: Yuan-Chi Pang <fu3mo6goo@gmail.com>
+Date: Thu, 6 Sep 2018 16:57:48 +0800
+Subject: mac80211: fix TX status reporting for ieee80211s
+
+[ Upstream commit c42055105785580563535e6d3143cad95c7ac7ee ]
+
+TX status reporting to ieee80211s is through ieee80211s_update_metric.
+There are two problems about ieee80211s_update_metric:
+
+1. The purpose is to estimate the fail probability
+to a specific link. No need to restrict to data frame.
+
+2. Current implementation does not work if wireless driver does not
+pass tx_status with skb.
+
+Fix this by removing ieee80211_is_data condition, passing
+ieee80211_tx_status directly to ieee80211s_update_metric, and
+putting it in both __ieee80211_tx_status and ieee80211_tx_status_ext.
+
+Signed-off-by: Yuan-Chi Pang <fu3mo6goo@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh.h | 3 ++-
+ net/mac80211/mesh_hwmp.c | 9 +++------
+ net/mac80211/status.c | 4 +++-
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/mac80211/mesh.h b/net/mac80211/mesh.h
+index 7e5f271e3c30..4f1c61637ce3 100644
+--- a/net/mac80211/mesh.h
++++ b/net/mac80211/mesh.h
+@@ -217,7 +217,8 @@ void mesh_rmc_free(struct ieee80211_sub_if_data *sdata);
+ int mesh_rmc_init(struct ieee80211_sub_if_data *sdata);
+ void ieee80211s_init(void);
+ void ieee80211s_update_metric(struct ieee80211_local *local,
+- struct sta_info *sta, struct sk_buff *skb);
++ struct sta_info *sta,
++ struct ieee80211_tx_status *st);
+ void ieee80211_mesh_init_sdata(struct ieee80211_sub_if_data *sdata);
+ void ieee80211_mesh_teardown_sdata(struct ieee80211_sub_if_data *sdata);
+ int ieee80211_start_mesh(struct ieee80211_sub_if_data *sdata);
+diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
+index 055ea36ff27b..fab0764c315f 100644
+--- a/net/mac80211/mesh_hwmp.c
++++ b/net/mac80211/mesh_hwmp.c
+@@ -295,15 +295,12 @@ int mesh_path_error_tx(struct ieee80211_sub_if_data *sdata,
+ }
+
+ void ieee80211s_update_metric(struct ieee80211_local *local,
+- struct sta_info *sta, struct sk_buff *skb)
++ struct sta_info *sta,
++ struct ieee80211_tx_status *st)
+ {
+- struct ieee80211_tx_info *txinfo = IEEE80211_SKB_CB(skb);
+- struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
++ struct ieee80211_tx_info *txinfo = st->info;
+ int failed;
+
+- if (!ieee80211_is_data(hdr->frame_control))
+- return;
+-
+ failed = !(txinfo->flags & IEEE80211_TX_STAT_ACK);
+
+ /* moving average, scaled to 100.
+diff --git a/net/mac80211/status.c b/net/mac80211/status.c
+index ccac205e5853..bdf131ed5ce8 100644
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -797,7 +797,7 @@ static void __ieee80211_tx_status(struct ieee80211_hw *hw,
+
+ rate_control_tx_status(local, sband, status);
+ if (ieee80211_vif_is_mesh(&sta->sdata->vif))
+- ieee80211s_update_metric(local, sta, skb);
++ ieee80211s_update_metric(local, sta, status);
+
+ if (!(info->flags & IEEE80211_TX_CTL_INJECTED) && acked)
+ ieee80211_frame_acked(sta, skb);
+@@ -958,6 +958,8 @@ void ieee80211_tx_status_ext(struct ieee80211_hw *hw,
+ }
+
+ rate_control_tx_status(local, sband, status);
++ if (ieee80211_vif_is_mesh(&sta->sdata->vif))
++ ieee80211s_update_metric(local, sta, status);
+ }
+
+ if (acked || noack_success) {
+--
+2.17.1
+
--- /dev/null
+From 2c2e5293df6d3b188aedebb20246d85bcecb2f10 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 5 Sep 2018 13:34:02 +0200
+Subject: mac80211: TDLS: fix skb queue/priority assignment
+
+[ Upstream commit cb59bc14e830028d2244861216df038165d7625d ]
+
+If the TDLS setup happens over a connection to an AP that
+doesn't have QoS, we nevertheless assign a non-zero TID
+(skb->priority) and queue mapping, which may confuse us or
+drivers later.
+
+Fix it by just assigning the special skb->priority and then
+using ieee80211_select_queue() just like other data frames
+would go through.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tdls.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
+index 91093d4a2f84..6e7aa65cf345 100644
+--- a/net/mac80211/tdls.c
++++ b/net/mac80211/tdls.c
+@@ -16,6 +16,7 @@
+ #include "ieee80211_i.h"
+ #include "driver-ops.h"
+ #include "rate.h"
++#include "wme.h"
+
+ /* give usermode some time for retries in setting up the TDLS session */
+ #define TDLS_PEER_SETUP_TIMEOUT (15 * HZ)
+@@ -1006,14 +1007,13 @@ ieee80211_tdls_prep_mgmt_packet(struct wiphy *wiphy, struct net_device *dev,
+ switch (action_code) {
+ case WLAN_TDLS_SETUP_REQUEST:
+ case WLAN_TDLS_SETUP_RESPONSE:
+- skb_set_queue_mapping(skb, IEEE80211_AC_BK);
+- skb->priority = 2;
++ skb->priority = 256 + 2;
+ break;
+ default:
+- skb_set_queue_mapping(skb, IEEE80211_AC_VI);
+- skb->priority = 5;
++ skb->priority = 256 + 5;
+ break;
+ }
++ skb_set_queue_mapping(skb, ieee80211_select_queue(sdata, skb));
+
+ /*
+ * Set the WLAN_TDLS_TEARDOWN flag to indicate a teardown in progress.
+--
+2.17.1
+
--- /dev/null
+From c347be5a961bf6de3e769d8c2cb278647b311cfc Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@strongswan.org>
+Date: Tue, 25 Sep 2018 09:51:02 +0200
+Subject: mac80211_hwsim: do not omit multicast announce of first added radio
+
+[ Upstream commit 28ef8b49a338dc1844e86b7954cfffc7dfa2660a ]
+
+The allocation of hwsim radio identifiers uses a post-increment from 0,
+so the first radio has idx 0. This idx is explicitly excluded from
+multicast announcements ever since, but it is unclear why.
+
+Drop that idx check and announce the first radio as well. This makes
+userspace happy if it relies on these events.
+
+Signed-off-by: Martin Willi <martin@strongswan.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index aafa7aa18fbd..477f9f2f6626 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -2730,8 +2730,7 @@ static int mac80211_hwsim_new_radio(struct genl_info *info,
+ list_add_tail(&data->list, &hwsim_radios);
+ spin_unlock_bh(&hwsim_radio_lock);
+
+- if (idx > 0)
+- hwsim_mcast_new_radio(idx, info, param);
++ hwsim_mcast_new_radio(idx, info, param);
+
+ return idx;
+
+--
+2.17.1
+
--- /dev/null
+From 11a0823bb137b7ba18e3947cf773464206fdd461 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Mon, 20 Aug 2018 15:36:18 -0700
+Subject: MIPS: Workaround GCC __builtin_unreachable reordering bug
+
+[ Upstream commit 906d441febc0de974b2a6ef848a8f058f3bfada3 ]
+
+Some versions of GCC for the MIPS architecture suffer from a bug which
+can lead to instructions from beyond an unreachable statement being
+incorrectly reordered into earlier branch delay slots if the unreachable
+statement is the only content of a case in a switch statement. This can
+lead to seemingly random behaviour, such as invalid memory accesses from
+incorrectly reordered loads or stores, and link failures on microMIPS
+builds.
+
+See this potential GCC fix for details:
+
+ https://gcc.gnu.org/ml/gcc-patches/2015-09/msg00360.html
+
+Runtime problems resulting from this bug were initially observed using a
+maltasmvp_defconfig v4.4 kernel built using GCC 4.9.2 (from a Codescape
+SDK 2015.06-05 toolchain), with the result being an address exception
+taken after log messages about the L1 caches (during probe of the L2
+cache):
+
+ Initmem setup node 0 [mem 0x0000000080000000-0x000000009fffffff]
+ VPE topology {2,2} total 4
+ Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
+ Primary data cache 64kB, 4-way, PIPT, no aliases, linesize 32 bytes
+ <AdEL exception here>
+
+This is early enough that the kernel exception vectors are not in use,
+so any further output depends upon the bootloader. This is reproducible
+in QEMU where no further output occurs - ie. the system hangs here.
+Given the nature of the bug it may potentially be hit with differing
+symptoms. The bug is known to affect GCC versions as recent as 7.3, and
+it is unclear whether GCC 8 fixed it or just happens not to encounter
+the bug in the testcase found at the link above due to differing
+optimizations.
+
+This bug can be worked around by placing a volatile asm statement, which
+GCC is prevented from reordering past, prior to the
+__builtin_unreachable call.
+
+That was actually done already for other reasons by commit 173a3efd3edb
+("bug.h: work around GCC PR82365 in BUG()"), but creates problems for
+microMIPS builds due to the lack of a .insn directive. The microMIPS ISA
+allows for interlinking with regular MIPS32 code by repurposing bit 0 of
+the program counter as an ISA mode bit. To switch modes one changes the
+value of this bit in the PC. However typical branch instructions encode
+their offsets as multiples of 2-byte instruction halfwords, which means
+they cannot change ISA mode - this must be done using either an indirect
+branch (a jump-register in MIPS terminology) or a dedicated jalx
+instruction. In order to ensure that regular branches don't attempt to
+target code in a different ISA which they can't actually switch to, the
+linker will check that branch targets are code in the same ISA as the
+branch.
+
+Unfortunately our empty asm volatile statements don't qualify as code,
+and the link for microMIPS builds fails with errors such as:
+
+ arch/mips/mm/dma-default.s:3265: Error: branch to a symbol in another ISA mode
+ arch/mips/mm/dma-default.s:5027: Error: branch to a symbol in another ISA mode
+
+Resolve this by adding a .insn directive within the asm statement which
+declares that what comes next is code. This may or may not be true,
+since we don't really know what comes next, but as this code is in an
+unreachable path anyway that doesn't matter since we won't execute it.
+
+We do this in asm/compiler.h & select CONFIG_HAVE_ARCH_COMPILER_H in
+order to have this included by linux/compiler_types.h after
+linux/compiler-gcc.h. This will result in asm/compiler.h being included
+in all C compilations via the -include linux/compiler_types.h argument
+in c_flags, which should be harmless.
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: 173a3efd3edb ("bug.h: work around GCC PR82365 in BUG()")
+Patchwork: https://patchwork.linux-mips.org/patch/20270/
+Cc: James Hogan <jhogan@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: linux-mips@linux-mips.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/Kconfig | 1 +
+ arch/mips/include/asm/compiler.h | 35 ++++++++++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+)
+
+diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
+index c82457b0e733..23e3d3e0ee5b 100644
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -29,6 +29,7 @@ config MIPS
+ select GENERIC_SMP_IDLE_THREAD
+ select GENERIC_TIME_VSYSCALL
+ select HANDLE_DOMAIN_IRQ
++ select HAVE_ARCH_COMPILER_H
+ select HAVE_ARCH_JUMP_LABEL
+ select HAVE_ARCH_KGDB
+ select HAVE_ARCH_MMAP_RND_BITS if MMU
+diff --git a/arch/mips/include/asm/compiler.h b/arch/mips/include/asm/compiler.h
+index e081a265f422..cc2eb1b06050 100644
+--- a/arch/mips/include/asm/compiler.h
++++ b/arch/mips/include/asm/compiler.h
+@@ -8,6 +8,41 @@
+ #ifndef _ASM_COMPILER_H
+ #define _ASM_COMPILER_H
+
++/*
++ * With GCC 4.5 onwards we can use __builtin_unreachable to indicate to the
++ * compiler that a particular code path will never be hit. This allows it to be
++ * optimised out of the generated binary.
++ *
++ * Unfortunately at least GCC 4.6.3 through 7.3.0 inclusive suffer from a bug
++ * that can lead to instructions from beyond an unreachable statement being
++ * incorrectly reordered into earlier delay slots if the unreachable statement
++ * is the only content of a case in a switch statement. This can lead to
++ * seemingly random behaviour, such as invalid memory accesses from incorrectly
++ * reordered loads or stores. See this potential GCC fix for details:
++ *
++ * https://gcc.gnu.org/ml/gcc-patches/2015-09/msg00360.html
++ *
++ * It is unclear whether GCC 8 onwards suffer from the same issue - nothing
++ * relevant is mentioned in GCC 8 release notes and nothing obviously relevant
++ * stands out in GCC commit logs, but these newer GCC versions generate very
++ * different code for the testcase which doesn't exhibit the bug.
++ *
++ * GCC also handles stack allocation suboptimally when calling noreturn
++ * functions or calling __builtin_unreachable():
++ *
++ * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82365
++ *
++ * We work around both of these issues by placing a volatile asm statement,
++ * which GCC is prevented from reordering past, prior to __builtin_unreachable
++ * calls.
++ *
++ * The .insn statement is required to ensure that any branches to the
++ * statement, which sadly must be kept due to the asm statement, are known to
++ * be branches to code and satisfy linker requirements for microMIPS kernels.
++ */
++#undef barrier_before_unreachable
++#define barrier_before_unreachable() asm volatile(".insn")
++
+ #if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4)
+ #define GCC_IMM_ASM() "n"
+ #define GCC_REG_ACCUM "$0"
+--
+2.17.1
+
--- /dev/null
+From 56958e48bc7b3a37655f80021f5472fd073b105b Mon Sep 17 00:00:00 2001
+From: John Keeping <john@metanate.com>
+Date: Thu, 1 Mar 2018 10:36:25 +0000
+Subject: mmc: dw_mmc-rockchip: correct property names in debug
+
+[ Upstream commit e988867fd774d00aeaf5d3c332032bf5b97a4147 ]
+
+Following up the device tree fixed in commits e78c637127ee ("ARM: dts:
+rockchip: Fix DWMMC clocks") and ca9eee95a2de ("arm64: dts: rockchip:
+Fix DWMMC clocks", 2018-02-15), avoid confusion by using the correct
+property name in the debug output if clocks are not found.
+
+Signed-off-by: John Keeping <john@metanate.com>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed-by: Shawn Lin <shawn.lin@rock-chips.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/dw_mmc-rockchip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mmc/host/dw_mmc-rockchip.c b/drivers/mmc/host/dw_mmc-rockchip.c
+index 339295212935..40d7de2eea12 100644
+--- a/drivers/mmc/host/dw_mmc-rockchip.c
++++ b/drivers/mmc/host/dw_mmc-rockchip.c
+@@ -282,11 +282,11 @@ static int dw_mci_rk3288_parse_dt(struct dw_mci *host)
+
+ priv->drv_clk = devm_clk_get(host->dev, "ciu-drive");
+ if (IS_ERR(priv->drv_clk))
+- dev_dbg(host->dev, "ciu_drv not available\n");
++ dev_dbg(host->dev, "ciu-drive not available\n");
+
+ priv->sample_clk = devm_clk_get(host->dev, "ciu-sample");
+ if (IS_ERR(priv->sample_clk))
+- dev_dbg(host->dev, "ciu_sample not available\n");
++ dev_dbg(host->dev, "ciu-sample not available\n");
+
+ host->priv = priv;
+
+--
+2.17.1
+
--- /dev/null
+From 00b697e536dad51b07b016764448e3421d943a70 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Fri, 5 Oct 2018 08:48:27 -0500
+Subject: net: cxgb3_main: fix a missing-check bug
+
+[ Upstream commit 2c05d88818ab6571816b93edce4d53703870d7ae ]
+
+In cxgb_extension_ioctl(), the command of the ioctl is firstly copied from
+the user-space buffer 'useraddr' to 'cmd' and checked through the
+switch statement. If the command is not as expected, an error code
+EOPNOTSUPP is returned. In the following execution, i.e., the cases of the
+switch statement, the whole buffer of 'useraddr' is copied again to a
+specific data structure, according to what kind of command is requested.
+However, after the second copy, there is no re-check on the newly-copied
+command. Given that the buffer 'useraddr' is in the user space, a malicious
+user can race to change the command between the two copies. By doing so,
+the attacker can supply malicious data to the kernel and cause undefined
+behavior.
+
+This patch adds a re-check in each case of the switch statement if there is
+a second copy in that case, to re-check whether the command obtained in the
+second copy is the same as the one in the first copy. If not, an error code
+EINVAL is returned.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+index bf291e90cdb0..79053d2ce7a3 100644
+--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+@@ -2159,6 +2159,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EPERM;
+ if (copy_from_user(&t, useraddr, sizeof(t)))
+ return -EFAULT;
++ if (t.cmd != CHELSIO_SET_QSET_PARAMS)
++ return -EINVAL;
+ if (t.qset_idx >= SGE_QSETS)
+ return -EINVAL;
+ if (!in_range(t.intr_lat, 0, M_NEWTIMER) ||
+@@ -2258,6 +2260,9 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ if (copy_from_user(&t, useraddr, sizeof(t)))
+ return -EFAULT;
+
++ if (t.cmd != CHELSIO_GET_QSET_PARAMS)
++ return -EINVAL;
++
+ /* Display qsets for all ports when offload enabled */
+ if (test_bit(OFFLOAD_DEVMAP_BIT, &adapter->open_device_map)) {
+ q1 = 0;
+@@ -2303,6 +2308,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EBUSY;
+ if (copy_from_user(&edata, useraddr, sizeof(edata)))
+ return -EFAULT;
++ if (edata.cmd != CHELSIO_SET_QSET_NUM)
++ return -EINVAL;
+ if (edata.val < 1 ||
+ (edata.val > 1 && !(adapter->flags & USING_MSIX)))
+ return -EINVAL;
+@@ -2343,6 +2350,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EPERM;
+ if (copy_from_user(&t, useraddr, sizeof(t)))
+ return -EFAULT;
++ if (t.cmd != CHELSIO_LOAD_FW)
++ return -EINVAL;
+ /* Check t.len sanity ? */
+ fw_data = memdup_user(useraddr + sizeof(t), t.len);
+ if (IS_ERR(fw_data))
+@@ -2366,6 +2375,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EBUSY;
+ if (copy_from_user(&m, useraddr, sizeof(m)))
+ return -EFAULT;
++ if (m.cmd != CHELSIO_SETMTUTAB)
++ return -EINVAL;
+ if (m.nmtus != NMTUS)
+ return -EINVAL;
+ if (m.mtus[0] < 81) /* accommodate SACK */
+@@ -2407,6 +2418,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EBUSY;
+ if (copy_from_user(&m, useraddr, sizeof(m)))
+ return -EFAULT;
++ if (m.cmd != CHELSIO_SET_PM)
++ return -EINVAL;
+ if (!is_power_of_2(m.rx_pg_sz) ||
+ !is_power_of_2(m.tx_pg_sz))
+ return -EINVAL; /* not power of 2 */
+@@ -2440,6 +2453,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EIO; /* need the memory controllers */
+ if (copy_from_user(&t, useraddr, sizeof(t)))
+ return -EFAULT;
++ if (t.cmd != CHELSIO_GET_MEM)
++ return -EINVAL;
+ if ((t.addr & 7) || (t.len & 7))
+ return -EINVAL;
+ if (t.mem_id == MEM_CM)
+@@ -2492,6 +2507,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+ return -EAGAIN;
+ if (copy_from_user(&t, useraddr, sizeof(t)))
+ return -EFAULT;
++ if (t.cmd != CHELSIO_SET_TRACE_FILTER)
++ return -EINVAL;
+
+ tp = (const struct trace_params *)&t.sip;
+ if (t.config_tx)
+--
+2.17.1
+
--- /dev/null
+From ed53771291313756c7e09885ef8b2150ba587452 Mon Sep 17 00:00:00 2001
+From: Arthur Kiyanovski <akiyano@amazon.com>
+Date: Tue, 9 Oct 2018 11:21:29 +0300
+Subject: net: ena: fix NULL dereference due to untimely napi initialization
+
+[ Upstream commit 78a55d05def95144ca5fa9a64c49b2a0636a9866 ]
+
+napi poll functions should be initialized before running request_irq(),
+to handle a rare condition where there is a pending interrupt, causing
+the ISR to fire immediately while the poll function wasn't set yet,
+causing a NULL dereference.
+
+Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
+Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index 08c9c99a8331..3c7813f04962 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -1571,8 +1571,6 @@ static int ena_up_complete(struct ena_adapter *adapter)
+ if (rc)
+ return rc;
+
+- ena_init_napi(adapter);
+-
+ ena_change_mtu(adapter->netdev, adapter->netdev->mtu);
+
+ ena_refill_all_rx_bufs(adapter);
+@@ -1726,6 +1724,13 @@ static int ena_up(struct ena_adapter *adapter)
+
+ ena_setup_io_intr(adapter);
+
++ /* napi poll functions should be initialized before running
++ * request_irq(), to handle a rare condition where there is a pending
++ * interrupt, causing the ISR to fire immediately while the poll
++ * function wasn't set yet, causing a null dereference
++ */
++ ena_init_napi(adapter);
++
+ rc = ena_request_io_irq(adapter);
+ if (rc)
+ goto err_req_irq;
+--
+2.17.1
+
--- /dev/null
+From e55fa23ccbcfc83ac29b4c09c9dec86d4b60b6d5 Mon Sep 17 00:00:00 2001
+From: Arthur Kiyanovski <akiyano@amazon.com>
+Date: Tue, 9 Oct 2018 11:21:27 +0300
+Subject: net: ena: fix warning in rmmod caused by double iounmap
+
+[ Upstream commit d79c3888bde6581da7ff9f9d6f581900ecb5e632 ]
+
+Memory mapped with devm_ioremap is automatically freed when the driver
+is disconnected from the device. Therefore there is no need to
+explicitly call devm_iounmap.
+
+Fixes: 0857d92f71b6 ("net: ena: add missing unmap bars on device removal")
+Fixes: 411838e7b41c ("net: ena: fix rare kernel crash when bar memory remap fails")
+Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index 60b3ee29d82c..08c9c99a8331 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -3059,15 +3059,8 @@ err_rss_init:
+
+ static void ena_release_bars(struct ena_com_dev *ena_dev, struct pci_dev *pdev)
+ {
+- int release_bars;
++ int release_bars = pci_select_bars(pdev, IORESOURCE_MEM) & ENA_BAR_MASK;
+
+- if (ena_dev->mem_bar)
+- devm_iounmap(&pdev->dev, ena_dev->mem_bar);
+-
+- if (ena_dev->reg_bar)
+- devm_iounmap(&pdev->dev, ena_dev->reg_bar);
+-
+- release_bars = pci_select_bars(pdev, IORESOURCE_MEM) & ENA_BAR_MASK;
+ pci_release_selected_regions(pdev, release_bars);
+ }
+
+--
+2.17.1
+
--- /dev/null
+From 1707ca6872080a3b268e82b9d808924987650883 Mon Sep 17 00:00:00 2001
+From: Rickard x Andersson <rickaran@axis.com>
+Date: Tue, 2 Oct 2018 14:49:32 +0200
+Subject: net: fec: fix rare tx timeout
+
+[ Upstream commit 657ade07df72847f591ccdb36bd9b91ed0edbac3 ]
+
+During certain heavy network loads TX could time out
+with TX ring dump.
+TX is sometimes never restarted after reaching
+"tx_stop_threshold" because function "fec_enet_tx_queue"
+only tests the first queue.
+
+In addition the TX timeout callback function failed to
+recover because it also operated only on the first queue.
+
+Signed-off-by: Rickard x Andersson <rickaran@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index eb2ea231c7ca..8bfa6ef826a9 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -1155,7 +1155,7 @@ static void fec_enet_timeout_work(struct work_struct *work)
+ napi_disable(&fep->napi);
+ netif_tx_lock_bh(ndev);
+ fec_restart(ndev);
+- netif_wake_queue(ndev);
++ netif_tx_wake_all_queues(ndev);
+ netif_tx_unlock_bh(ndev);
+ napi_enable(&fep->napi);
+ }
+@@ -1270,7 +1270,7 @@ skb_done:
+
+ /* Since we have freed up a buffer, the ring is no longer full
+ */
+- if (netif_queue_stopped(ndev)) {
++ if (netif_tx_queue_stopped(nq)) {
+ entries_free = fec_enet_get_free_txdesc_num(txq);
+ if (entries_free >= txq->tx_wake_threshold)
+ netif_tx_wake_queue(nq);
+@@ -1747,7 +1747,7 @@ static void fec_enet_adjust_link(struct net_device *ndev)
+ napi_disable(&fep->napi);
+ netif_tx_lock_bh(ndev);
+ fec_restart(ndev);
+- netif_wake_queue(ndev);
++ netif_tx_wake_all_queues(ndev);
+ netif_tx_unlock_bh(ndev);
+ napi_enable(&fep->napi);
+ }
+@@ -2249,7 +2249,7 @@ static int fec_enet_set_pauseparam(struct net_device *ndev,
+ napi_disable(&fep->napi);
+ netif_tx_lock_bh(ndev);
+ fec_restart(ndev);
+- netif_wake_queue(ndev);
++ netif_tx_wake_all_queues(ndev);
+ netif_tx_unlock_bh(ndev);
+ napi_enable(&fep->napi);
+ }
+--
+2.17.1
+
--- /dev/null
+From d668bd281249df319124c1ca3902aef429965e9e Mon Sep 17 00:00:00 2001
+From: Michal Simek <michal.simek@xilinx.com>
+Date: Tue, 25 Sep 2018 08:32:50 +0200
+Subject: net: macb: Clean 64b dma addresses if they are not detected
+
+[ Upstream commit e1e5d8a9fe737d94ccc0ccbaf0c97f69a8f3e000 ]
+
+Clear ADDR64 dma bit in DMACFG register in case that HW_DMA_CAP_64B is
+not detected on 64bit system.
+The issue was observed when bootloader(u-boot) does not check macb
+feature at DCFG6 register (DAW64_OFFSET) and enabling 64bit dma support
+by default. Then macb driver is reading DMACFG register back and only
+adding 64bit dma configuration but not cleaning it out.
+
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index b4f92de1efbd..d6f8d6c8b0f1 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -2000,6 +2000,7 @@ static void macb_configure_dma(struct macb *bp)
+ else
+ dmacfg &= ~GEM_BIT(TXCOEN);
+
++ dmacfg &= ~GEM_BIT(ADDR64);
+ #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT
+ if (bp->hw_dma_cap & HW_DMA_CAP_64B)
+ dmacfg |= GEM_BIT(ADDR64);
+--
+2.17.1
+
--- /dev/null
+From a5a3edf588b8b7f8581f09262deafa82ba91106e Mon Sep 17 00:00:00 2001
+From: Israel Rukshin <israelr@mellanox.com>
+Date: Thu, 12 Apr 2018 09:49:11 +0000
+Subject: net/mlx5: Fix mlx5_get_vector_affinity function
+
+[ Upstream commit 6082d9c9c94a408d7409b5f2e4e42ac9e8b16d0d ]
+
+Adding the vector offset when calling to mlx5_vector2eqn() is wrong.
+This is because mlx5_vector2eqn() checks if EQ index is equal to vector number
+and the fact that the internal completion vectors that mlx5 allocates
+don't get an EQ index.
+
+The second problem here is that using effective_affinity_mask gives the same
+CPU for different vectors.
+This leads to unmapped queues when calling it from blk_mq_rdma_map_queues().
+This doesn't happen when using affinity_hint mask.
+
+Fixes: 2572cf57d75a ("mlx5: fix mlx5_get_vector_affinity to start from completion vector 0")
+Fixes: 05e0cc84e00c ("net/mlx5: Fix get vector affinity helper function")
+Signed-off-by: Israel Rukshin <israelr@mellanox.com>
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 2 +-
+ include/linux/mlx5/driver.h | 12 +++---------
+ 2 files changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index ab70194a73db..c3a4f5d92391 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -3911,7 +3911,7 @@ mlx5_ib_get_vector_affinity(struct ib_device *ibdev, int comp_vector)
+ {
+ struct mlx5_ib_dev *dev = to_mdev(ibdev);
+
+- return mlx5_get_vector_affinity(dev->mdev, comp_vector);
++ return mlx5_get_vector_affinity_hint(dev->mdev, comp_vector);
+ }
+
+ static void *mlx5_ib_add(struct mlx5_core_dev *mdev)
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index c4d19e77fea8..5eff332092bc 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -1193,25 +1193,19 @@ enum {
+ };
+
+ static inline const struct cpumask *
+-mlx5_get_vector_affinity(struct mlx5_core_dev *dev, int vector)
++mlx5_get_vector_affinity_hint(struct mlx5_core_dev *dev, int vector)
+ {
+- const struct cpumask *mask;
+ struct irq_desc *desc;
+ unsigned int irq;
+ int eqn;
+ int err;
+
+- err = mlx5_vector2eqn(dev, MLX5_EQ_VEC_COMP_BASE + vector, &eqn, &irq);
++ err = mlx5_vector2eqn(dev, vector, &eqn, &irq);
+ if (err)
+ return NULL;
+
+ desc = irq_to_desc(irq);
+-#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK
+- mask = irq_data_get_effective_affinity_mask(&desc->irq_data);
+-#else
+- mask = desc->irq_common_data.affinity;
+-#endif
+- return mask;
++ return desc->affinity_hint;
+ }
+
+ #endif /* MLX5_DRIVER_H */
+--
+2.17.1
+
--- /dev/null
+From a491edc7ae707950453221f5d79fcf17defb3fa8 Mon Sep 17 00:00:00 2001
+From: Shay Agroskin <shayag@mellanox.com>
+Date: Wed, 27 Jun 2018 15:43:07 +0300
+Subject: net/mlx5e: Refine ets validation function
+
+[ Upstream commit e279d634f3d57452eb106a0c0e99a6add3fba1a6 ]
+
+Removed an error message received when configuring ETS total
+bandwidth to be zero.
+Our hardware doesn't support such configuration, so we shall
+reject it in the driver. Nevertheless, we removed the error message
+in order to eliminate error messages caused by old userspace tools
+who try to pass such configuration.
+
+Fixes: ff0891915cd7 ("net/mlx5e: Fix ETS BW check")
+Signed-off-by: Shay Agroskin <shayag@mellanox.com>
+Reviewed-by: Huy Nguyen <huyn@mellanox.com>
+Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
+index 9d64d0759ee9..a5dd99aaf321 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
+@@ -257,7 +257,8 @@ int mlx5e_dcbnl_ieee_setets_core(struct mlx5e_priv *priv, struct ieee_ets *ets)
+ }
+
+ static int mlx5e_dbcnl_validate_ets(struct net_device *netdev,
+- struct ieee_ets *ets)
++ struct ieee_ets *ets,
++ bool zero_sum_allowed)
+ {
+ bool have_ets_tc = false;
+ int bw_sum = 0;
+@@ -282,8 +283,9 @@ static int mlx5e_dbcnl_validate_ets(struct net_device *netdev,
+ }
+
+ if (have_ets_tc && bw_sum != 100) {
+- netdev_err(netdev,
+- "Failed to validate ETS: BW sum is illegal\n");
++ if (bw_sum || (!bw_sum && !zero_sum_allowed))
++ netdev_err(netdev,
++ "Failed to validate ETS: BW sum is illegal\n");
+ return -EINVAL;
+ }
+ return 0;
+@@ -298,7 +300,7 @@ static int mlx5e_dcbnl_ieee_setets(struct net_device *netdev,
+ if (!MLX5_CAP_GEN(priv->mdev, ets))
+ return -EOPNOTSUPP;
+
+- err = mlx5e_dbcnl_validate_ets(netdev, ets);
++ err = mlx5e_dbcnl_validate_ets(netdev, ets, false);
+ if (err)
+ return err;
+
+@@ -477,12 +479,9 @@ static u8 mlx5e_dcbnl_setall(struct net_device *netdev)
+ ets.prio_tc[i] = cee_cfg->prio_to_pg_map[i];
+ }
+
+- err = mlx5e_dbcnl_validate_ets(netdev, &ets);
+- if (err) {
+- netdev_err(netdev,
+- "%s, Failed to validate ETS: %d\n", __func__, err);
++ err = mlx5e_dbcnl_validate_ets(netdev, &ets, true);
++ if (err)
+ goto out;
+- }
+
+ err = mlx5e_dcbnl_ieee_setets_core(priv, &ets);
+ if (err) {
+--
+2.17.1
+
--- /dev/null
+From 35419394cd2763525c4f216b1549050f8c61f223 Mon Sep 17 00:00:00 2001
+From: Kevin Hao <haokexin@gmail.com>
+Date: Tue, 20 Mar 2018 09:44:52 +0800
+Subject: net: phy: Add general dummy stubs for MMD register access
+
+[ Upstream commit 5df7af85ecd88e8b5f1f31d6456c3cf38a8bbdda ]
+
+For some phy devices, even though they don't support the MMD extended
+register access, it does have some side effect if we are trying to
+read/write the MMD registers via indirect method. So introduce general
+dummy stubs for MMD register access which these devices can use to avoid
+such side effect.
+
+Fixes: b6b5e8a69118 ("gianfar: Disable EEE autoneg by default")
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy_device.c | 17 +++++++++++++++++
+ include/linux/phy.h | 4 ++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index a174d05a9752..fe76e2c4022a 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -1641,6 +1641,23 @@ int genphy_config_init(struct phy_device *phydev)
+ }
+ EXPORT_SYMBOL(genphy_config_init);
+
++/* This is used for the phy device which doesn't support the MMD extended
++ * register access, but it does have side effect when we are trying to access
++ * the MMD register via indirect method.
++ */
++int genphy_read_mmd_unsupported(struct phy_device *phdev, int devad, u16 regnum)
++{
++ return -EOPNOTSUPP;
++}
++EXPORT_SYMBOL(genphy_read_mmd_unsupported);
++
++int genphy_write_mmd_unsupported(struct phy_device *phdev, int devnum,
++ u16 regnum, u16 val)
++{
++ return -EOPNOTSUPP;
++}
++EXPORT_SYMBOL(genphy_write_mmd_unsupported);
++
+ int genphy_suspend(struct phy_device *phydev)
+ {
+ int value;
+diff --git a/include/linux/phy.h b/include/linux/phy.h
+index dca9e926b88f..efc04c2d92c9 100644
+--- a/include/linux/phy.h
++++ b/include/linux/phy.h
+@@ -879,6 +879,10 @@ static inline int genphy_no_soft_reset(struct phy_device *phydev)
+ {
+ return 0;
+ }
++int genphy_read_mmd_unsupported(struct phy_device *phdev, int devad,
++ u16 regnum);
++int genphy_write_mmd_unsupported(struct phy_device *phdev, int devnum,
++ u16 regnum, u16 val);
+
+ /* Clause 45 PHY */
+ int genphy_c45_restart_aneg(struct phy_device *phydev);
+--
+2.17.1
+
--- /dev/null
+From 30cbc64528ccdf4d0418929c9ad5441c84482841 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Sun, 20 May 2018 20:49:47 -0700
+Subject: net: phy: phylink: Don't release NULL GPIO
+
+[ Upstream commit 3bcd47726c3b744fd08781795cca905cc59a1382 ]
+
+If CONFIG_GPIOLIB is disabled, gpiod_put() becomes a stub that produces a
+warning, this helped identify that we could be attempting to release a NULL
+pl->link_gpio GPIO descriptor, so guard against that.
+
+Fixes: daab3349ad1a ("net: phy: phylink: Release link GPIO")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phylink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c
+index e4a6ed88b9cf..79f28b9186c6 100644
+--- a/drivers/net/phy/phylink.c
++++ b/drivers/net/phy/phylink.c
+@@ -561,7 +561,7 @@ void phylink_destroy(struct phylink *pl)
+ {
+ if (pl->sfp_bus)
+ sfp_unregister_upstream(pl->sfp_bus);
+- if (!IS_ERR(pl->link_gpio))
++ if (!IS_ERR_OR_NULL(pl->link_gpio))
+ gpiod_put(pl->link_gpio);
+
+ cancel_work_sync(&pl->resolve);
+--
+2.17.1
+
--- /dev/null
+From 3e11919c3a1a2229c066b64cf19dc9c1131aeb0a Mon Sep 17 00:00:00 2001
+From: Kevin Hao <haokexin@gmail.com>
+Date: Tue, 20 Mar 2018 09:44:53 +0800
+Subject: net: phy: realtek: Use the dummy stubs for MMD register access for
+ rtl8211b
+
+[ Upstream commit 0231b1a074c672f8c00da00a57144072890d816b ]
+
+The Ethernet on mpc8315erdb is broken since commit b6b5e8a69118
+("gianfar: Disable EEE autoneg by default"). The reason is that
+even though the rtl8211b doesn't support the MMD extended registers
+access, it does return some random values if we trying to access
+the MMD register via indirect method. This makes it seem that the
+EEE is supported by this phy device. And the subsequent writing to
+the MMD registers does cause the phy malfunction. So use the dummy
+stubs for the MMD register access to fix this issue.
+
+Fixes: b6b5e8a69118 ("gianfar: Disable EEE autoneg by default")
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/phy/realtek.c b/drivers/net/phy/realtek.c
+index 9cbe645e3d89..7d38af5ed4b5 100644
+--- a/drivers/net/phy/realtek.c
++++ b/drivers/net/phy/realtek.c
+@@ -138,6 +138,8 @@ static struct phy_driver realtek_drvs[] = {
+ .read_status = &genphy_read_status,
+ .ack_interrupt = &rtl821x_ack_interrupt,
+ .config_intr = &rtl8211b_config_intr,
++ .read_mmd = &genphy_read_mmd_unsupported,
++ .write_mmd = &genphy_write_mmd_unsupported,
+ }, {
+ .phy_id = 0x001cc914,
+ .name = "RTL8211DN Gigabit Ethernet",
+--
+2.17.1
+
--- /dev/null
+From 43b0e3c60fa3f668288a7723f7cf7c301cbfe3d3 Mon Sep 17 00:00:00 2001
+From: Sean Tranchetti <stranche@codeaurora.org>
+Date: Tue, 2 Oct 2018 18:52:01 -0600
+Subject: net: qualcomm: rmnet: Skip processing loopback packets
+
+[ Upstream commit a07f388e2cde2be74b263f85df6f672fea0305a1 ]
+
+RMNET RX handler was processing invalid packets that were
+originally sent on the real device and were looped back via
+dev_loopback_xmit(). This was detected using syzkaller.
+
+Fixes: ceed73a2cf4a ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
+Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
+Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c
+index 929fb8d96ec0..8d979fef5fc7 100644
+--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c
++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c
+@@ -205,6 +205,9 @@ rx_handler_result_t rmnet_rx_handler(struct sk_buff **pskb)
+ if (!skb)
+ return RX_HANDLER_CONSUMED;
+
++ if (skb->pkt_type == PACKET_LOOPBACK)
++ return RX_HANDLER_PASS;
++
+ dev = skb->dev;
+ port = rmnet_get_port(dev);
+
+--
+2.17.1
+
--- /dev/null
+From 9ce3efb296e1a51dab14291f74bc376db57261c9 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 13 Aug 2018 23:50:41 +0200
+Subject: net: stmmac: mark PM functions as __maybe_unused
+
+[ Upstream commit 81a8b0799632627b587af31ecd06112397e4ec36 ]
+
+The newly added suspend/resume functions cause a build warning
+when CONFIG_PM is disabled:
+
+drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c:324:12: error: 'stmmac_pci_resume' defined but not used [-Werror=unused-function]
+drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c:306:12: error: 'stmmac_pci_suspend' defined but not used [-Werror=unused-function]
+
+Mark them as __maybe_unused so gcc can drop them silently.
+
+Fixes: b7d0f08e9129 ("net: stmmac: Fix WoL for PCI-based setups")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+index 6a393b16a1fc..c54a50dbd5ac 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+@@ -303,7 +303,7 @@ static void stmmac_pci_remove(struct pci_dev *pdev)
+ pci_disable_device(pdev);
+ }
+
+-static int stmmac_pci_suspend(struct device *dev)
++static int __maybe_unused stmmac_pci_suspend(struct device *dev)
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
+ int ret;
+@@ -321,7 +321,7 @@ static int stmmac_pci_suspend(struct device *dev)
+ return 0;
+ }
+
+-static int stmmac_pci_resume(struct device *dev)
++static int __maybe_unused stmmac_pci_resume(struct device *dev)
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
+ int ret;
+--
+2.17.1
+
--- /dev/null
+From c26046e9e05243361a32e5b934f8c6acf3d56247 Mon Sep 17 00:00:00 2001
+From: David Ahern <dsahern@gmail.com>
+Date: Mon, 17 Sep 2018 08:20:36 -0700
+Subject: netfilter: bridge: Don't sabotage nf_hook calls from an l3mdev
+
+[ Upstream commit a173f066c7cfc031acb8f541708041e009fc9812 ]
+
+For starters, the bridge netfilter code registers operations that
+are invoked any time nh_hook is called. Specifically, ip_sabotage_in
+watches for nested calls for NF_INET_PRE_ROUTING when a bridge is in
+the stack.
+
+Packet wise, the bridge netfilter hook runs first. br_nf_pre_routing
+allocates nf_bridge, sets in_prerouting to 1 and calls NF_HOOK for
+NF_INET_PRE_ROUTING. It's finish function, br_nf_pre_routing_finish,
+then resets in_prerouting flag to 0 and the packet continues up the
+stack. The packet eventually makes it to the VRF driver and it invokes
+nf_hook for NF_INET_PRE_ROUTING in case any rules have been added against
+the vrf device.
+
+Because of the registered operations the call to nf_hook causes
+ip_sabotage_in to be invoked. That function sees the nf_bridge on the
+skb and that in_prerouting is not set. Thinking it is an invalid nested
+call it steals (drops) the packet.
+
+Update ip_sabotage_in to recognize that the bridge or one of its upper
+devices (e.g., vlan) can be enslaved to a VRF (L3 master device) and
+allow the packet to go through the nf_hook a second time.
+
+Fixes: 73e20b761acf ("net: vrf: Add support for PREROUTING rules on vrf device")
+Reported-by: D'Souza, Nelson <ndsouza@ciena.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netfilter_hooks.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index c2eea1b8737a..7582f28ab306 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -832,7 +832,8 @@ static unsigned int ip_sabotage_in(void *priv,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+ {
+- if (skb->nf_bridge && !skb->nf_bridge->in_prerouting) {
++ if (skb->nf_bridge && !skb->nf_bridge->in_prerouting &&
++ !netif_is_l3_master(skb->dev)) {
+ state->okfn(state->net, state->sk, skb);
+ return NF_STOLEN;
+ }
+--
+2.17.1
+
--- /dev/null
+From 84f4d7e74d1c1804401da83685c3a3ef0e72ddc5 Mon Sep 17 00:00:00 2001
+From: Masashi Honma <masashi.honma@gmail.com>
+Date: Tue, 25 Sep 2018 11:15:01 +0900
+Subject: nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds
+
+[ Upstream commit 1222a16014888ed9733c11e221730d4a8196222b ]
+
+Use array_index_nospec() to sanitize i with respect to speculation.
+
+Note that the user doesn't control i directly, but can make it out
+of bounds by not finding a threshold in the array.
+
+Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
+[add note about user control, as explained by Masashi]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 5e7c9b361e8a..46e9812d13c0 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -9720,7 +9720,7 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
+ struct wireless_dev *wdev = dev->ieee80211_ptr;
+ s32 last, low, high;
+ u32 hyst;
+- int i, n;
++ int i, n, low_index;
+ int err;
+
+ /* RSSI reporting disabled? */
+@@ -9757,10 +9757,19 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
+ if (last < wdev->cqm_config->rssi_thresholds[i])
+ break;
+
+- low = i > 0 ?
+- (wdev->cqm_config->rssi_thresholds[i - 1] - hyst) : S32_MIN;
+- high = i < n ?
+- (wdev->cqm_config->rssi_thresholds[i] + hyst - 1) : S32_MAX;
++ low_index = i - 1;
++ if (low_index >= 0) {
++ low_index = array_index_nospec(low_index, n);
++ low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
++ } else {
++ low = S32_MIN;
++ }
++ if (i < n) {
++ i = array_index_nospec(i, n);
++ high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
++ } else {
++ high = S32_MAX;
++ }
+
+ return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
+ }
+--
+2.17.1
+
--- /dev/null
+From 86e3ccc91c0644a80cd8e1073eebdcda099ff45a Mon Sep 17 00:00:00 2001
+From: Masashi Honma <masashi.honma@gmail.com>
+Date: Tue, 25 Sep 2018 11:15:00 +0900
+Subject: nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT
+
+[ Upstream commit 30fe6d50eb088783c8729c7d930f65296b2b3fa7 ]
+
+Use array_index_nospec() to sanitize ridx with respect to speculation.
+
+Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 3de415bca391..5e7c9b361e8a 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3480,6 +3480,7 @@ static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
+ return false;
+
+ /* check availability */
++ ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
+ if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
+ mcs[ridx] |= rbit;
+ else
+--
+2.17.1
+
--- /dev/null
+From 836acf2b617a3bd29da17ca307b47b15fdda9e3d Mon Sep 17 00:00:00 2001
+From: Larry Chen <lchen@suse.com>
+Date: Fri, 5 Oct 2018 15:51:37 -0700
+Subject: ocfs2: fix crash in ocfs2_duplicate_clusters_by_page()
+
+[ Upstream commit 69eb7765b9c6902444c89c54e7043242faf981e5 ]
+
+ocfs2_duplicate_clusters_by_page() may crash if one of the extent's pages
+is dirty. When a page has not been written back, it is still in dirty
+state. If ocfs2_duplicate_clusters_by_page() is called against the dirty
+page, the crash happens.
+
+To fix this bug, we can just unlock the page and wait until the page until
+its not dirty.
+
+The following is the backtrace:
+
+kernel BUG at /root/code/ocfs2/refcounttree.c:2961!
+[exception RIP: ocfs2_duplicate_clusters_by_page+822]
+__ocfs2_move_extent+0x80/0x450 [ocfs2]
+? __ocfs2_claim_clusters+0x130/0x250 [ocfs2]
+ocfs2_defrag_extent+0x5b8/0x5e0 [ocfs2]
+__ocfs2_move_extents_range+0x2a4/0x470 [ocfs2]
+ocfs2_move_extents+0x180/0x3b0 [ocfs2]
+? ocfs2_wait_for_recovery+0x13/0x70 [ocfs2]
+ocfs2_ioctl_move_extents+0x133/0x2d0 [ocfs2]
+ocfs2_ioctl+0x253/0x640 [ocfs2]
+do_vfs_ioctl+0x90/0x5f0
+SyS_ioctl+0x74/0x80
+do_syscall_64+0x74/0x140
+entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Once we find the page is dirty, we do not wait until it's clean, rather we
+use write_one_page() to write it back
+
+Link: http://lkml.kernel.org/r/20180829074740.9438-1-lchen@suse.com
+[lchen@suse.com: update comments]
+ Link: http://lkml.kernel.org/r/20180830075041.14879-1-lchen@suse.com
+[akpm@linux-foundation.org: coding-style fixes]
+Signed-off-by: Larry Chen <lchen@suse.com>
+Acked-by: Changwei Ge <ge.changwei@h3c.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/refcounttree.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c
+index 1b1283f07941..824f407df1db 100644
+--- a/fs/ocfs2/refcounttree.c
++++ b/fs/ocfs2/refcounttree.c
+@@ -2946,6 +2946,7 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
+ if (map_end & (PAGE_SIZE - 1))
+ to = map_end & (PAGE_SIZE - 1);
+
++retry:
+ page = find_or_create_page(mapping, page_index, GFP_NOFS);
+ if (!page) {
+ ret = -ENOMEM;
+@@ -2954,11 +2955,18 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
+ }
+
+ /*
+- * In case PAGE_SIZE <= CLUSTER_SIZE, This page
+- * can't be dirtied before we CoW it out.
++ * In case PAGE_SIZE <= CLUSTER_SIZE, we do not expect a dirty
++ * page, so write it back.
+ */
+- if (PAGE_SIZE <= OCFS2_SB(sb)->s_clustersize)
+- BUG_ON(PageDirty(page));
++ if (PAGE_SIZE <= OCFS2_SB(sb)->s_clustersize) {
++ if (PageDirty(page)) {
++ /*
++ * write_on_page will unlock the page on return
++ */
++ ret = write_one_page(page);
++ goto retry;
++ }
++ }
+
+ if (!PageUptodate(page)) {
+ ret = block_read_full_page(page, ocfs2_get_block);
+--
+2.17.1
+
--- /dev/null
+From 4d03d78f1cec54ebbe22f53d8546f0f353102bed Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Tue, 25 Sep 2018 17:58:35 +0200
+Subject: perf/core: Fix perf_pmu_unregister() locking
+
+[ Upstream commit a9f9772114c8b07ae75bcb3654bd017461248095 ]
+
+When we unregister a PMU, we fail to serialize the @pmu_idr properly.
+Fix that by doing the entire thing under pmu_lock.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: 2e80a82a49c4 ("perf: Dynamic pmu types")
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 4dbce29a9313..ee1c07c0b833 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -9020,9 +9020,7 @@ static void free_pmu_context(struct pmu *pmu)
+ if (pmu->task_ctx_nr > perf_invalid_context)
+ return;
+
+- mutex_lock(&pmus_lock);
+ free_percpu(pmu->pmu_cpu_context);
+- mutex_unlock(&pmus_lock);
+ }
+
+ /*
+@@ -9278,12 +9276,8 @@ EXPORT_SYMBOL_GPL(perf_pmu_register);
+
+ void perf_pmu_unregister(struct pmu *pmu)
+ {
+- int remove_device;
+-
+ mutex_lock(&pmus_lock);
+- remove_device = pmu_bus_running;
+ list_del_rcu(&pmu->entry);
+- mutex_unlock(&pmus_lock);
+
+ /*
+ * We dereference the pmu list under both SRCU and regular RCU, so
+@@ -9295,13 +9289,14 @@ void perf_pmu_unregister(struct pmu *pmu)
+ free_percpu(pmu->pmu_disable_count);
+ if (pmu->type >= PERF_TYPE_MAX)
+ idr_remove(&pmu_idr, pmu->type);
+- if (remove_device) {
++ if (pmu_bus_running) {
+ if (pmu->nr_addr_filters)
+ device_remove_file(pmu->dev, &dev_attr_nr_addr_filters);
+ device_del(pmu->dev);
+ put_device(pmu->dev);
+ }
+ free_pmu_context(pmu);
++ mutex_unlock(&pmus_lock);
+ }
+ EXPORT_SYMBOL_GPL(perf_pmu_unregister);
+
+--
+2.17.1
+
--- /dev/null
+From 59937dbd6b3739db90ee572500871b658813a3af Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Tue, 18 Sep 2018 16:08:02 -0300
+Subject: perf python: Use -Wno-redundant-decls to build with PYTHON=python3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 05a2f54679861deb188750ba2a70187000b2c71f ]
+
+When building in ClearLinux using 'make PYTHON=python3' with gcc 8.2.1
+it fails with:
+
+ GEN /tmp/build/perf/python/perf.so
+ In file included from /usr/include/python3.7m/Python.h:126,
+ from /git/linux/tools/perf/util/python.c:2:
+ /usr/include/python3.7m/import.h:58:24: error: redundant redeclaration of ‘_PyImport_AddModuleObject’ [-Werror=redundant-decls]
+ PyAPI_FUNC(PyObject *) _PyImport_AddModuleObject(PyObject *, PyObject *);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~
+ /usr/include/python3.7m/import.h:47:24: note: previous declaration of ‘_PyImport_AddModuleObject’ was here
+ PyAPI_FUNC(PyObject *) _PyImport_AddModuleObject(PyObject *name,
+ ^~~~~~~~~~~~~~~~~~~~~~~~~
+ cc1: all warnings being treated as errors
+ error: command 'gcc' failed with exit status 1
+
+And indeed there is a redundant declaration in that Python.h file, one
+with parameter names and the other without, so just add
+-Wno-error=redundant-decls to the python setup instructions.
+
+Now perf builds with gcc in ClearLinux with the following Dockerfile:
+
+ # docker.io/acmel/linux-perf-tools-build-clearlinux:latest
+ FROM docker.io/clearlinux:latest
+ MAINTAINER Arnaldo Carvalho de Melo <acme@kernel.org>
+ RUN swupd update && \
+ swupd bundle-add sysadmin-basic-dev
+ RUN mkdir -m 777 -p /git /tmp/build/perf /tmp/build/objtool /tmp/build/linux && \
+ groupadd -r perfbuilder && \
+ useradd -m -r -g perfbuilder perfbuilder && \
+ chown -R perfbuilder.perfbuilder /tmp/build/ /git/
+ USER perfbuilder
+ COPY rx_and_build.sh /
+ ENV EXTRA_MAKE_ARGS=PYTHON=python3
+ ENTRYPOINT ["/rx_and_build.sh"]
+
+Now to figure out why the build fails with clang, that is present in the
+above container as detected by the rx_and_build.sh script:
+
+ clang version 6.0.1 (tags/RELEASE_601/final)
+ Target: x86_64-unknown-linux-gnu
+ Thread model: posix
+ InstalledDir: /usr/sbin
+ make: Entering directory '/git/linux/tools/perf'
+ BUILD: Doing 'make -j4' parallel build
+ HOSTCC /tmp/build/perf/fixdep.o
+ HOSTLD /tmp/build/perf/fixdep-in.o
+ LINK /tmp/build/perf/fixdep
+
+ Auto-detecting system features:
+ ... dwarf: [ OFF ]
+ ... dwarf_getlocations: [ OFF ]
+ ... glibc: [ OFF ]
+ ... gtk2: [ OFF ]
+ ... libaudit: [ OFF ]
+ ... libbfd: [ OFF ]
+ ... libelf: [ OFF ]
+ ... libnuma: [ OFF ]
+ ... numa_num_possible_cpus: [ OFF ]
+ ... libperl: [ OFF ]
+ ... libpython: [ OFF ]
+ ... libslang: [ OFF ]
+ ... libcrypto: [ OFF ]
+ ... libunwind: [ OFF ]
+ ... libdw-dwarf-unwind: [ OFF ]
+ ... zlib: [ OFF ]
+ ... lzma: [ OFF ]
+ ... get_cpuid: [ OFF ]
+ ... bpf: [ OFF ]
+
+ Makefile.config:331: *** No gnu/libc-version.h found, please install glibc-dev[el]. Stop.
+ make[1]: *** [Makefile.perf:206: sub-make] Error 2
+ make: *** [Makefile:70: all] Error 2
+ make: Leaving directory '/git/linux/tools/perf'
+
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Thiago Macieira <thiago.macieira@intel.com>
+Cc: Wang Nan <wangnan0@huawei.com>
+Link: https://lkml.kernel.org/n/tip-c3khb9ac86s00qxzjrueomme@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/setup.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/setup.py b/tools/perf/util/setup.py
+index da4df7fd43a2..23f1bf175179 100644
+--- a/tools/perf/util/setup.py
++++ b/tools/perf/util/setup.py
+@@ -27,7 +27,7 @@ class install_lib(_install_lib):
+
+ cflags = getenv('CFLAGS', '').split()
+ # switch off several checks (need to be at the end of cflags list)
+-cflags += ['-fno-strict-aliasing', '-Wno-write-strings', '-Wno-unused-parameter' ]
++cflags += ['-fno-strict-aliasing', '-Wno-write-strings', '-Wno-unused-parameter', '-Wno-redundant-decls' ]
+ if cc != "clang":
+ cflags += ['-Wno-cast-function-type' ]
+
+--
+2.17.1
+
--- /dev/null
+From 6095101fc3568806f4503db78320cc351e8cbf79 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Sun, 23 Sep 2018 18:13:43 +0200
+Subject: perf/ring_buffer: Prevent concurent ring buffer access
+
+[ Upstream commit cd6fb677ce7e460c25bdd66f689734102ec7d642 ]
+
+Some of the scheduling tracepoints allow the perf_tp_event
+code to write to ring buffer under different cpu than the
+code is running on.
+
+This results in corrupted ring buffer data demonstrated in
+following perf commands:
+
+ # perf record -e 'sched:sched_switch,sched:sched_wakeup' perf bench sched messaging
+ # Running 'sched/messaging' benchmark:
+ # 20 sender and receiver processes per group
+ # 10 groups == 400 processes run
+
+ Total time: 0.383 [sec]
+ [ perf record: Woken up 8 times to write data ]
+ 0x42b890 [0]: failed to process type: -1765585640
+ [ perf record: Captured and wrote 4.825 MB perf.data (29669 samples) ]
+
+ # perf report --stdio
+ 0x42b890 [0]: failed to process type: -1765585640
+
+The reason for the corruption are some of the scheduling tracepoints,
+that have __perf_task dfined and thus allow to store data to another
+cpu ring buffer:
+
+ sched_waking
+ sched_wakeup
+ sched_wakeup_new
+ sched_stat_wait
+ sched_stat_sleep
+ sched_stat_iowait
+ sched_stat_blocked
+
+The perf_tp_event function first store samples for current cpu
+related events defined for tracepoint:
+
+ hlist_for_each_entry_rcu(event, head, hlist_entry)
+ perf_swevent_event(event, count, &data, regs);
+
+And then iterates events of the 'task' and store the sample
+for any task's event that passes tracepoint checks:
+
+ ctx = rcu_dereference(task->perf_event_ctxp[perf_sw_context]);
+
+ list_for_each_entry_rcu(event, &ctx->event_list, event_entry) {
+ if (event->attr.type != PERF_TYPE_TRACEPOINT)
+ continue;
+ if (event->attr.config != entry->type)
+ continue;
+
+ perf_swevent_event(event, count, &data, regs);
+ }
+
+Above code can race with same code running on another cpu,
+ending up with 2 cpus trying to store under the same ring
+buffer, which is specifically not allowed.
+
+This patch prevents the problem, by allowing only events with the same
+current cpu to receive the event.
+
+NOTE: this requires the use of (per-task-)per-cpu buffers for this
+feature to work; perf-record does this.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+[peterz: small edits to Changelog]
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andrew Vagin <avagin@openvz.org>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: e6dab5ffab59 ("perf/trace: Add ability to set a target task for events")
+Link: http://lkml.kernel.org/r/20180923161343.GB15054@krava
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index ee1c07c0b833..991af683ef9e 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -8058,6 +8058,8 @@ void perf_tp_event(u16 event_type, u64 count, void *record, int entry_size,
+ goto unlock;
+
+ list_for_each_entry_rcu(event, &ctx->event_list, event_entry) {
++ if (event->cpu != smp_processor_id())
++ continue;
+ if (event->attr.type != PERF_TYPE_TRACEPOINT)
+ continue;
+ if (event->attr.config != entry->type)
+--
+2.17.1
+
--- /dev/null
+From 76260dd81000f45f223bf8ec27bc5704438e1a59 Mon Sep 17 00:00:00 2001
+From: Sandipan Das <sandipan@linux.ibm.com>
+Date: Thu, 26 Jul 2018 22:47:33 +0530
+Subject: perf tests: Fix indexing when invoking subtests
+
+[ Upstream commit aa90f9f9554616d5738f7bedb4a8f0e5e14d1bc6 ]
+
+Recently, the subtest numbering was changed to start from 1. While it
+is fine for displaying results, this should not be the case when the
+subtests are actually invoked.
+
+Typically, the subtests are stored in zero-indexed arrays and invoked
+based on the index passed to the main test function. Since the index
+now starts from 1, the second subtest in the array (index 1) gets
+invoked instead of the first (index 0). This applies to all of the
+following subtests but for the last one, the subtest always fails
+because it does not meet the boundary condition of the subtest index
+being lesser than the number of subtests.
+
+This can be observed on powerpc64 and x86_64 systems running Fedora 28
+as shown below.
+
+Before:
+
+ # perf test "builtin clang support"
+ 55: builtin clang support :
+ 55.1: builtin clang compile C source to IR : Ok
+ 55.2: builtin clang compile C source to ELF object : FAILED!
+
+ # perf test "LLVM search and compile"
+ 38: LLVM search and compile :
+ 38.1: Basic BPF llvm compile : Ok
+ 38.2: kbuild searching : Ok
+ 38.3: Compile source for BPF prologue generation : Ok
+ 38.4: Compile source for BPF relocation : FAILED!
+
+ # perf test "BPF filter"
+ 40: BPF filter :
+ 40.1: Basic BPF filtering : Ok
+ 40.2: BPF pinning : Ok
+ 40.3: BPF prologue generation : Ok
+ 40.4: BPF relocation checker : FAILED!
+
+After:
+
+ # perf test "builtin clang support"
+ 55: builtin clang support :
+ 55.1: builtin clang compile C source to IR : Ok
+ 55.2: builtin clang compile C source to ELF object : Ok
+
+ # perf test "LLVM search and compile"
+ 38: LLVM search and compile :
+ 38.1: Basic BPF llvm compile : Ok
+ 38.2: kbuild searching : Ok
+ 38.3: Compile source for BPF prologue generation : Ok
+ 38.4: Compile source for BPF relocation : Ok
+
+ # perf test "BPF filter"
+ 40: BPF filter :
+ 40.1: Basic BPF filtering : Ok
+ 40.2: BPF pinning : Ok
+ 40.3: BPF prologue generation : Ok
+ 40.4: BPF relocation checker : Ok
+
+Signed-off-by: Sandipan Das <sandipan@linux.ibm.com>
+Reported-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.ibm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Cc: Thomas Richter <tmricht@linux.ibm.com>
+Fixes: 9ef0112442bd ("perf test: Fix subtest number when showing results")
+Link: http://lkml.kernel.org/r/20180726171733.33208-1-sandipan@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/builtin-test.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/tests/builtin-test.c b/tools/perf/tests/builtin-test.c
+index 5966f1f9b160..1c9bc3516f8b 100644
+--- a/tools/perf/tests/builtin-test.c
++++ b/tools/perf/tests/builtin-test.c
+@@ -375,7 +375,7 @@ static int test_and_print(struct test *t, bool force_skip, int subtest)
+ if (!t->subtest.get_nr)
+ pr_debug("%s:", t->desc);
+ else
+- pr_debug("%s subtest %d:", t->desc, subtest);
++ pr_debug("%s subtest %d:", t->desc, subtest + 1);
+
+ switch (err) {
+ case TEST_OK:
+@@ -589,7 +589,7 @@ static int __cmd_test(int argc, const char *argv[], struct intlist *skiplist)
+ for (subi = 0; subi < subn; subi++) {
+ pr_info("%2d.%1d: %-*s:", i, subi + 1, subw,
+ t->subtest.get_desc(subi));
+- err = test_and_print(t, skip, subi + 1);
++ err = test_and_print(t, skip, subi);
+ if (err != TEST_OK && t->subtest.skip_if_fail)
+ skip = true;
+ }
+--
+2.17.1
+
--- /dev/null
+From 89bca763d695099b7e38a3fc1e9e5bb209932722 Mon Sep 17 00:00:00 2001
+From: "Natarajan, Janakarajan" <Janakarajan.Natarajan@amd.com>
+Date: Thu, 27 Sep 2018 15:51:55 +0000
+Subject: perf/x86/amd/uncore: Set ThreadMask and SliceMask for L3 Cache perf
+ events
+
+[ Upstream commit d7cbbe49a9304520181fb8c9272d1327deec8453 ]
+
+In Family 17h, some L3 Cache Performance events require the ThreadMask
+and SliceMask to be set. For other events, these fields do not affect
+the count either way.
+
+Set ThreadMask and SliceMask to 0xFF and 0xF respectively.
+
+Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: H . Peter Anvin <hpa@zytor.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Suravee <Suravee.Suthikulpanit@amd.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Link: http://lkml.kernel.org/r/Message-ID:
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/amd/uncore.c | 10 ++++++++++
+ arch/x86/include/asm/perf_event.h | 8 ++++++++
+ 2 files changed, 18 insertions(+)
+
+diff --git a/arch/x86/events/amd/uncore.c b/arch/x86/events/amd/uncore.c
+index f5cbbba99283..4e1d7483b78c 100644
+--- a/arch/x86/events/amd/uncore.c
++++ b/arch/x86/events/amd/uncore.c
+@@ -35,6 +35,7 @@
+
+ static int num_counters_llc;
+ static int num_counters_nb;
++static bool l3_mask;
+
+ static HLIST_HEAD(uncore_unused_list);
+
+@@ -208,6 +209,13 @@ static int amd_uncore_event_init(struct perf_event *event)
+ hwc->config = event->attr.config & AMD64_RAW_EVENT_MASK_NB;
+ hwc->idx = -1;
+
++ /*
++ * SliceMask and ThreadMask need to be set for certain L3 events in
++ * Family 17h. For other events, the two fields do not affect the count.
++ */
++ if (l3_mask)
++ hwc->config |= (AMD64_L3_SLICE_MASK | AMD64_L3_THREAD_MASK);
++
+ if (event->cpu < 0)
+ return -EINVAL;
+
+@@ -542,6 +550,7 @@ static int __init amd_uncore_init(void)
+ amd_llc_pmu.name = "amd_l3";
+ format_attr_event_df.show = &event_show_df;
+ format_attr_event_l3.show = &event_show_l3;
++ l3_mask = true;
+ } else {
+ num_counters_nb = NUM_COUNTERS_NB;
+ num_counters_llc = NUM_COUNTERS_L2;
+@@ -549,6 +558,7 @@ static int __init amd_uncore_init(void)
+ amd_llc_pmu.name = "amd_l2";
+ format_attr_event_df = format_attr_event;
+ format_attr_event_l3 = format_attr_event;
++ l3_mask = false;
+ }
+
+ amd_nb_pmu.attr_groups = amd_uncore_attr_groups_df;
+diff --git a/arch/x86/include/asm/perf_event.h b/arch/x86/include/asm/perf_event.h
+index 12f54082f4c8..78241b736f2a 100644
+--- a/arch/x86/include/asm/perf_event.h
++++ b/arch/x86/include/asm/perf_event.h
+@@ -46,6 +46,14 @@
+ #define INTEL_ARCH_EVENT_MASK \
+ (ARCH_PERFMON_EVENTSEL_UMASK | ARCH_PERFMON_EVENTSEL_EVENT)
+
++#define AMD64_L3_SLICE_SHIFT 48
++#define AMD64_L3_SLICE_MASK \
++ ((0xFULL) << AMD64_L3_SLICE_SHIFT)
++
++#define AMD64_L3_THREAD_SHIFT 56
++#define AMD64_L3_THREAD_MASK \
++ ((0xFFULL) << AMD64_L3_THREAD_SHIFT)
++
+ #define X86_RAW_EVENT_MASK \
+ (ARCH_PERFMON_EVENTSEL_EVENT | \
+ ARCH_PERFMON_EVENTSEL_UMASK | \
+--
+2.17.1
+
--- /dev/null
+From 5834c733e2d3e9c980d372235ab5dd3b3b2aedb5 Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Fri, 21 Sep 2018 07:07:06 -0700
+Subject: perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX
+
+[ Upstream commit 9d92cfeaf5215158d26d2991be7f7ff865cb98f3 ]
+
+The counters on M3UPI Link 0 and Link 3 don't count properly, and writing
+0 to these counters may causes system crash on some machines.
+
+The PCI BDF addresses of the M3UPI in the current code are incorrect.
+
+The correct addresses should be:
+
+ D18:F1 0x204D
+ D18:F2 0x204E
+ D18:F5 0x204D
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: cd34cd97b7b4 ("perf/x86/intel/uncore: Add Skylake server uncore support")
+Link: http://lkml.kernel.org/r/1537538826-55489-1-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_snbep.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
+index 2dae3f585c01..a68aba8a482f 100644
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -3807,16 +3807,16 @@ static const struct pci_device_id skx_uncore_pci_ids[] = {
+ .driver_data = UNCORE_PCI_DEV_FULL_DATA(21, 5, SKX_PCI_UNCORE_M2PCIE, 3),
+ },
+ { /* M3UPI0 Link 0 */
+- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204C),
+- .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 0, SKX_PCI_UNCORE_M3UPI, 0),
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D),
++ .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 1, SKX_PCI_UNCORE_M3UPI, 0),
+ },
+ { /* M3UPI0 Link 1 */
+- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D),
+- .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 1, SKX_PCI_UNCORE_M3UPI, 1),
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204E),
++ .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 2, SKX_PCI_UNCORE_M3UPI, 1),
+ },
+ { /* M3UPI1 Link 2 */
+- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204C),
+- .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 4, SKX_PCI_UNCORE_M3UPI, 2),
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D),
++ .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 5, SKX_PCI_UNCORE_M3UPI, 2),
+ },
+ { /* end: all zeroes */ }
+ };
+--
+2.17.1
+
--- /dev/null
+From 9116944f269da83f589a33f2dd031c5aed08727e Mon Sep 17 00:00:00 2001
+From: Corentin Labbe <clabbe@baylibre.com>
+Date: Wed, 14 Feb 2018 12:17:47 +0000
+Subject: powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit c1e150ceb61e4a585bad156da15c33bfe89f5858 ]
+
+When CONFIG_NUMA is not set, the build fails with:
+
+ arch/powerpc/platforms/pseries/hotplug-cpu.c:335:4:
+ error: déclaration implicite de la fonction « update_numa_cpu_lookup_table »
+
+So we have to add update_numa_cpu_lookup_table() as an empty function
+when CONFIG_NUMA is not set.
+
+Fixes: 1d9a090783be ("powerpc/numa: Invalidate numa_cpu_lookup_table on cpu remove")
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/topology.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/powerpc/include/asm/topology.h b/arch/powerpc/include/asm/topology.h
+index d5f2ee882f74..66c72b356ac0 100644
+--- a/arch/powerpc/include/asm/topology.h
++++ b/arch/powerpc/include/asm/topology.h
+@@ -81,6 +81,9 @@ static inline int numa_update_cpu_topology(bool cpus_locked)
+ {
+ return 0;
+ }
++
++static inline void update_numa_cpu_lookup_table(unsigned int cpu, int node) {}
++
+ #endif /* CONFIG_NUMA */
+
+ #if defined(CONFIG_NUMA) && defined(CONFIG_PPC_SPLPAR)
+--
+2.17.1
+
--- /dev/null
+From ab2f2bfd0f9f7a850be192e55f24f464af9589ed Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Wed, 26 Sep 2018 18:11:22 +0200
+Subject: pxa168fb: prepare the clock
+
+[ Upstream commit d85536cde91fcfed6fb8d983783bd2b92c843939 ]
+
+Add missing prepare/unprepare operations for fbi->clk,
+this fixes following kernel warning:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 1 at drivers/clk/clk.c:874 clk_core_enable+0x2c/0x1b0
+ Enabling unprepared disp0_clk
+ Modules linked in:
+ CPU: 0 PID: 1 Comm: swapper Not tainted 4.18.0-rc8-00032-g02b43ddd4f21-dirty #25
+ Hardware name: Marvell MMP2 (Device Tree Support)
+ [<c010f7cc>] (unwind_backtrace) from [<c010cc6c>] (show_stack+0x10/0x14)
+ [<c010cc6c>] (show_stack) from [<c011dab4>] (__warn+0xd8/0xf0)
+ [<c011dab4>] (__warn) from [<c011db10>] (warn_slowpath_fmt+0x44/0x6c)
+ [<c011db10>] (warn_slowpath_fmt) from [<c043898c>] (clk_core_enable+0x2c/0x1b0)
+ [<c043898c>] (clk_core_enable) from [<c0439ec8>] (clk_core_enable_lock+0x18/0x2c)
+ [<c0439ec8>] (clk_core_enable_lock) from [<c0436698>] (pxa168fb_probe+0x464/0x6ac)
+ [<c0436698>] (pxa168fb_probe) from [<c04779a0>] (platform_drv_probe+0x48/0x94)
+ [<c04779a0>] (platform_drv_probe) from [<c0475bec>] (driver_probe_device+0x328/0x470)
+ [<c0475bec>] (driver_probe_device) from [<c0475de4>] (__driver_attach+0xb0/0x124)
+ [<c0475de4>] (__driver_attach) from [<c0473c38>] (bus_for_each_dev+0x64/0xa0)
+ [<c0473c38>] (bus_for_each_dev) from [<c0474ee0>] (bus_add_driver+0x1b8/0x230)
+ [<c0474ee0>] (bus_add_driver) from [<c0476a20>] (driver_register+0xac/0xf0)
+ [<c0476a20>] (driver_register) from [<c0102dd4>] (do_one_initcall+0xb8/0x1f0)
+ [<c0102dd4>] (do_one_initcall) from [<c0b010a0>] (kernel_init_freeable+0x294/0x2e0)
+ [<c0b010a0>] (kernel_init_freeable) from [<c07e9eb8>] (kernel_init+0x8/0x10c)
+ [<c07e9eb8>] (kernel_init) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
+ Exception stack(0xd008bfb0 to 0xd008bff8)
+ bfa0: 00000000 00000000 00000000 00000000
+ bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
+ ---[ end trace c0af40f9e2ed7cb4 ]---
+
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+[b.zolnierkie: enhance patch description a bit]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/pxa168fb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/video/fbdev/pxa168fb.c b/drivers/video/fbdev/pxa168fb.c
+index def3a501acd6..d059d04c63ac 100644
+--- a/drivers/video/fbdev/pxa168fb.c
++++ b/drivers/video/fbdev/pxa168fb.c
+@@ -712,7 +712,7 @@ static int pxa168fb_probe(struct platform_device *pdev)
+ /*
+ * enable controller clock
+ */
+- clk_enable(fbi->clk);
++ clk_prepare_enable(fbi->clk);
+
+ pxa168fb_set_par(info);
+
+@@ -767,7 +767,7 @@ static int pxa168fb_probe(struct platform_device *pdev)
+ failed_free_cmap:
+ fb_dealloc_cmap(&info->cmap);
+ failed_free_clk:
+- clk_disable(fbi->clk);
++ clk_disable_unprepare(fbi->clk);
+ failed_free_fbmem:
+ dma_free_coherent(fbi->dev, info->fix.smem_len,
+ info->screen_base, fbi->fb_start_dma);
+@@ -807,7 +807,7 @@ static int pxa168fb_remove(struct platform_device *pdev)
+ dma_free_wc(fbi->dev, PAGE_ALIGN(info->fix.smem_len),
+ info->screen_base, info->fix.smem_start);
+
+- clk_disable(fbi->clk);
++ clk_disable_unprepare(fbi->clk);
+
+ framebuffer_release(info);
+
+--
+2.17.1
+
--- /dev/null
+From 3d84b01f0a7f19248a0de0f9343c645a348981f5 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 24 Sep 2018 15:17:03 -0700
+Subject: qed: Avoid constant logical operation warning in qed_vf_pf_acquire
+
+[ Upstream commit 1c492a9d55ba99079210ed901dd8a5423f980487 ]
+
+Clang warns when a constant is used in a boolean context as it thinks a
+bitwise operation may have been intended.
+
+drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: warning: use of logical
+'&&' with constant operand [-Wconstant-logical-operand]
+ if (!p_iov->b_pre_fp_hsi &&
+ ^
+drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: note: use '&' for a
+bitwise operation
+ if (!p_iov->b_pre_fp_hsi &&
+ ^~
+ &
+drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: note: remove constant
+to silence this warning
+ if (!p_iov->b_pre_fp_hsi &&
+ ~^~
+1 warning generated.
+
+This has been here since commit 1fe614d10f45 ("qed: Relax VF firmware
+requirements") and I am not entirely sure why since 0 isn't a special
+case. Just remove the statement causing Clang to warn since it isn't
+required.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/126
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_vf.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+index b8b1a791a4fa..dd8ebf6d380f 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+@@ -413,7 +413,6 @@ static int qed_vf_pf_acquire(struct qed_hwfn *p_hwfn)
+ }
+
+ if (!p_iov->b_pre_fp_hsi &&
+- ETH_HSI_VER_MINOR &&
+ (resp->pfdev_info.minor_fp_hsi < ETH_HSI_VER_MINOR)) {
+ DP_INFO(p_hwfn,
+ "PF is using older fastpath HSI; %02x.%02x is configured\n",
+--
+2.17.1
+
--- /dev/null
+From 290f6ccd915a3fc96744f5cca83e31b06696927e Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 24 Sep 2018 14:42:12 -0700
+Subject: qed: Avoid implicit enum conversion in qed_iwarp_parse_rx_pkt
+
+[ Upstream commit 77f2d753819b7d50c16abfb778caf1fe075faed0 ]
+
+Clang warns when one enumerated type is implicitly converted to another.
+
+drivers/net/ethernet/qlogic/qed/qed_iwarp.c:1713:25: warning: implicit
+conversion from enumeration type 'enum tcp_ip_version' to different
+enumeration type 'enum qed_tcp_ip_version' [-Wenum-conversion]
+ cm_info->ip_version = TCP_IPV4;
+ ~ ^~~~~~~~
+drivers/net/ethernet/qlogic/qed/qed_iwarp.c:1733:25: warning: implicit
+conversion from enumeration type 'enum tcp_ip_version' to different
+enumeration type 'enum qed_tcp_ip_version' [-Wenum-conversion]
+ cm_info->ip_version = TCP_IPV6;
+ ~ ^~~~~~~~
+2 warnings generated.
+
+Use the appropriate values from the expected type, qed_tcp_ip_version:
+
+TCP_IPV4 = QED_TCP_IPV4 = 0
+TCP_IPV6 = QED_TCP_IPV6 = 1
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/125
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_iwarp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
+index e41f28602535..eb666877d1aa 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
+@@ -1672,7 +1672,7 @@ qed_iwarp_parse_rx_pkt(struct qed_hwfn *p_hwfn,
+
+ cm_info->local_ip[0] = ntohl(iph->daddr);
+ cm_info->remote_ip[0] = ntohl(iph->saddr);
+- cm_info->ip_version = TCP_IPV4;
++ cm_info->ip_version = QED_TCP_IPV4;
+
+ ip_hlen = (iph->ihl) * sizeof(u32);
+ *payload_len = ntohs(iph->tot_len) - ip_hlen;
+@@ -1692,7 +1692,7 @@ qed_iwarp_parse_rx_pkt(struct qed_hwfn *p_hwfn,
+ cm_info->remote_ip[i] =
+ ntohl(ip6h->saddr.in6_u.u6_addr32[i]);
+ }
+- cm_info->ip_version = TCP_IPV6;
++ cm_info->ip_version = QED_TCP_IPV6;
+
+ ip_hlen = sizeof(*ip6h);
+ *payload_len = ntohs(ip6h->payload_len);
+--
+2.17.1
+
--- /dev/null
+From e33f52077f6e9bd4eabf73d562a20209bf719008 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 24 Sep 2018 14:34:53 -0700
+Subject: qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor
+
+[ Upstream commit d3a315795b4ce8b105a64a90699103121bde04a8 ]
+
+Clang warns when one enumerated type is implicitly converted to another.
+
+drivers/net/ethernet/qlogic/qed/qed_roce.c:153:12: warning: implicit
+conversion from enumeration type 'enum roce_mode' to different
+enumeration type 'enum roce_flavor' [-Wenum-conversion]
+ flavor = ROCE_V2_IPV6;
+ ~ ^~~~~~~~~~~~
+drivers/net/ethernet/qlogic/qed/qed_roce.c:156:12: warning: implicit
+conversion from enumeration type 'enum roce_mode' to different
+enumeration type 'enum roce_flavor' [-Wenum-conversion]
+ flavor = MAX_ROCE_MODE;
+ ~ ^~~~~~~~~~~~~
+2 warnings generated.
+
+Use the appropriate values from the expected type, roce_flavor:
+
+ROCE_V2_IPV6 = RROCE_IPV6 = 2
+MAX_ROCE_MODE = MAX_ROCE_FLAVOR = 3
+
+While we're add it, ditch the local variable flavor, we can just return
+the value directly from the switch statement.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/125
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_roce.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_roce.c b/drivers/net/ethernet/qlogic/qed/qed_roce.c
+index fb7c2d1562ae..bedbf840fd7d 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_roce.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_roce.c
+@@ -129,23 +129,16 @@ static void qed_rdma_copy_gids(struct qed_rdma_qp *qp, __le32 *src_gid,
+
+ static enum roce_flavor qed_roce_mode_to_flavor(enum roce_mode roce_mode)
+ {
+- enum roce_flavor flavor;
+-
+ switch (roce_mode) {
+ case ROCE_V1:
+- flavor = PLAIN_ROCE;
+- break;
++ return PLAIN_ROCE;
+ case ROCE_V2_IPV4:
+- flavor = RROCE_IPV4;
+- break;
++ return RROCE_IPV4;
+ case ROCE_V2_IPV6:
+- flavor = ROCE_V2_IPV6;
+- break;
++ return RROCE_IPV6;
+ default:
+- flavor = MAX_ROCE_MODE;
+- break;
++ return MAX_ROCE_FLAVOR;
+ }
+- return flavor;
+ }
+
+ void qed_roce_free_cid_pair(struct qed_hwfn *p_hwfn, u16 cid)
+--
+2.17.1
+
--- /dev/null
+From 344a0437d4bc34c098ca38a60931d21be8cfb55d Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 24 Sep 2018 13:53:34 -0700
+Subject: qed: Avoid implicit enum conversion in qed_set_tunn_cls_info
+
+[ Upstream commit a898fba32229efd5e6b6154f83fa86a7145156b9 ]
+
+Clang warns when one enumerated type is implicitly converted to another.
+
+drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:163:25: warning:
+implicit conversion from enumeration type 'enum tunnel_clss' to
+different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
+ p_tun->vxlan.tun_cls = type;
+ ~ ^~~~
+drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:165:26: warning:
+implicit conversion from enumeration type 'enum tunnel_clss' to
+different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
+ p_tun->l2_gre.tun_cls = type;
+ ~ ^~~~
+drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:167:26: warning:
+implicit conversion from enumeration type 'enum tunnel_clss' to
+different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
+ p_tun->ip_gre.tun_cls = type;
+ ~ ^~~~
+drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:169:29: warning:
+implicit conversion from enumeration type 'enum tunnel_clss' to
+different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
+ p_tun->l2_geneve.tun_cls = type;
+ ~ ^~~~
+drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:171:29: warning:
+implicit conversion from enumeration type 'enum tunnel_clss' to
+different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
+ p_tun->ip_geneve.tun_cls = type;
+ ~ ^~~~
+5 warnings generated.
+
+Avoid this by changing type to an int.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/125
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_sp_commands.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_sp_commands.c b/drivers/net/ethernet/qlogic/qed/qed_sp_commands.c
+index 46d0c3cb83a5..d7c5965328be 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_sp_commands.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_sp_commands.c
+@@ -154,7 +154,7 @@ qed_set_pf_update_tunn_mode(struct qed_tunnel_info *p_tun,
+ static void qed_set_tunn_cls_info(struct qed_tunnel_info *p_tun,
+ struct qed_tunnel_info *p_src)
+ {
+- enum tunnel_clss type;
++ int type;
+
+ p_tun->b_update_rx_cls = p_src->b_update_rx_cls;
+ p_tun->b_update_tx_cls = p_src->b_update_tx_cls;
+--
+2.17.1
+
--- /dev/null
+From 8ccd720755ecb2cfcd6d83977cf295d6c712cbf7 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 24 Sep 2018 14:05:27 -0700
+Subject: qed: Fix mask parameter in qed_vf_prep_tunn_req_tlv
+
+[ Upstream commit db803f36e56f23b5a2266807e190d1dc11554d54 ]
+
+Clang complains when one enumerated type is implicitly converted to
+another.
+
+drivers/net/ethernet/qlogic/qed/qed_vf.c:686:6: warning: implicit
+conversion from enumeration type 'enum qed_tunn_mode' to different
+enumeration type 'enum qed_tunn_clss' [-Wenum-conversion]
+ QED_MODE_L2GENEVE_TUNN,
+ ^~~~~~~~~~~~~~~~~~~~~~
+
+Update mask's parameter to expect qed_tunn_mode, which is what was
+intended.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/125
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_vf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+index 6eb85db69f9a..b8b1a791a4fa 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+@@ -572,7 +572,7 @@ free_p_iov:
+ static void
+ __qed_vf_prep_tunn_req_tlv(struct vfpf_update_tunn_param_tlv *p_req,
+ struct qed_tunn_update_type *p_src,
+- enum qed_tunn_clss mask, u8 *p_cls)
++ enum qed_tunn_mode mask, u8 *p_cls)
+ {
+ if (p_src->b_update_mode) {
+ p_req->tun_mode_update_mask |= BIT(mask);
+@@ -587,7 +587,7 @@ __qed_vf_prep_tunn_req_tlv(struct vfpf_update_tunn_param_tlv *p_req,
+ static void
+ qed_vf_prep_tunn_req_tlv(struct vfpf_update_tunn_param_tlv *p_req,
+ struct qed_tunn_update_type *p_src,
+- enum qed_tunn_clss mask,
++ enum qed_tunn_mode mask,
+ u8 *p_cls, struct qed_tunn_update_udp_port *p_port,
+ u8 *p_update_port, u16 *p_udp_port)
+ {
+--
+2.17.1
+
--- /dev/null
+From a8369f14ea622193dcb73595df00720a959cf5cd Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:54 -0700
+Subject: r8152: Check for supported Wake-on-LAN Modes
+
+[ Upstream commit f2750df1548bd8a2b060eb609fc43ca82811af4c ]
+
+The driver does not check for Wake-on-LAN modes specified by an user,
+but will conditionally set the device as wake-up enabled or not based on
+that, which could be a very confusing user experience.
+
+Fixes: 21ff2e8976b1 ("r8152: support WOL")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 0fa64cc1a011..66beff4d7646 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -4497,6 +4497,9 @@ static int rtl8152_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol)
+ if (!rtl_can_wakeup(tp))
+ return -EOPNOTSUPP;
+
++ if (wol->wolopts & ~WAKE_ANY)
++ return -EINVAL;
++
+ ret = usb_autopm_get_interface(tp->intf);
+ if (ret < 0)
+ goto out_set_wol;
+--
+2.17.1
+
--- /dev/null
+From f137052871d01e7485273b64338c58db591172d9 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 8 Oct 2018 15:46:01 +0100
+Subject: rxrpc: Don't check RXRPC_CALL_TX_LAST after calling
+ rxrpc_rotate_tx_window()
+
+[ Upstream commit c479d5f2c2e1ce609da08c075054440d97ddff52 ]
+
+We should only call the function to end a call's Tx phase if we rotated the
+marked-last packet out of the transmission buffer.
+
+Make rxrpc_rotate_tx_window() return an indication of whether it just
+rotated the packet marked as the last out of the transmit buffer, carrying
+the information out of the locked section in that function.
+
+We can then check the return value instead of examining RXRPC_CALL_TX_LAST.
+
+Fixes: 70790dbe3f66 ("rxrpc: Pass the last Tx packet marker in the annotation buffer")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/input.c | 35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
+index 5edb636dbc4d..3a501bf0fc1a 100644
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -216,10 +216,11 @@ static void rxrpc_send_ping(struct rxrpc_call *call, struct sk_buff *skb,
+ /*
+ * Apply a hard ACK by advancing the Tx window.
+ */
+-static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
++static bool rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
+ struct rxrpc_ack_summary *summary)
+ {
+ struct sk_buff *skb, *list = NULL;
++ bool rot_last = false;
+ int ix;
+ u8 annotation;
+
+@@ -243,15 +244,17 @@ static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
+ skb->next = list;
+ list = skb;
+
+- if (annotation & RXRPC_TX_ANNO_LAST)
++ if (annotation & RXRPC_TX_ANNO_LAST) {
+ set_bit(RXRPC_CALL_TX_LAST, &call->flags);
++ rot_last = true;
++ }
+ if ((annotation & RXRPC_TX_ANNO_MASK) != RXRPC_TX_ANNO_ACK)
+ summary->nr_rot_new_acks++;
+ }
+
+ spin_unlock(&call->lock);
+
+- trace_rxrpc_transmit(call, (test_bit(RXRPC_CALL_TX_LAST, &call->flags) ?
++ trace_rxrpc_transmit(call, (rot_last ?
+ rxrpc_transmit_rotate_last :
+ rxrpc_transmit_rotate));
+ wake_up(&call->waitq);
+@@ -262,6 +265,8 @@ static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to,
+ skb->next = NULL;
+ rxrpc_free_skb(skb, rxrpc_skb_tx_freed);
+ }
++
++ return rot_last;
+ }
+
+ /*
+@@ -332,11 +337,11 @@ static bool rxrpc_receiving_reply(struct rxrpc_call *call)
+ ktime_get_real());
+ }
+
+- if (!test_bit(RXRPC_CALL_TX_LAST, &call->flags))
+- rxrpc_rotate_tx_window(call, top, &summary);
+ if (!test_bit(RXRPC_CALL_TX_LAST, &call->flags)) {
+- rxrpc_proto_abort("TXL", call, top);
+- return false;
++ if (!rxrpc_rotate_tx_window(call, top, &summary)) {
++ rxrpc_proto_abort("TXL", call, top);
++ return false;
++ }
+ }
+ if (!rxrpc_end_tx_phase(call, true, "ETD"))
+ return false;
+@@ -837,8 +842,12 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
+ if (nr_acks > call->tx_top - hard_ack)
+ return rxrpc_proto_abort("AKN", call, 0);
+
+- if (after(hard_ack, call->tx_hard_ack))
+- rxrpc_rotate_tx_window(call, hard_ack, &summary);
++ if (after(hard_ack, call->tx_hard_ack)) {
++ if (rxrpc_rotate_tx_window(call, hard_ack, &summary)) {
++ rxrpc_end_tx_phase(call, false, "ETA");
++ return;
++ }
++ }
+
+ if (nr_acks > 0) {
+ if (skb_copy_bits(skb, offset, buf.acks, nr_acks) < 0)
+@@ -847,11 +856,6 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
+ &summary);
+ }
+
+- if (test_bit(RXRPC_CALL_TX_LAST, &call->flags)) {
+- rxrpc_end_tx_phase(call, false, "ETA");
+- return;
+- }
+-
+ if (call->rxtx_annotations[call->tx_top & RXRPC_RXTX_BUFF_MASK] &
+ RXRPC_TX_ANNO_LAST &&
+ summary.nr_acks == call->tx_top - hard_ack &&
+@@ -873,8 +877,7 @@ static void rxrpc_input_ackall(struct rxrpc_call *call, struct sk_buff *skb)
+
+ _proto("Rx ACKALL %%%u", sp->hdr.serial);
+
+- rxrpc_rotate_tx_window(call, call->tx_top, &summary);
+- if (test_bit(RXRPC_CALL_TX_LAST, &call->flags))
++ if (rxrpc_rotate_tx_window(call, call->tx_top, &summary))
+ rxrpc_end_tx_phase(call, false, "ETL");
+ }
+
+--
+2.17.1
+
--- /dev/null
+From e2c3fe34b2c9bebe0dbee9f733bf9d2aae20875a Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 8 Oct 2018 15:46:17 +0100
+Subject: rxrpc: Fix connection-level abort handling
+
+[ Upstream commit 647530924f47c93db472ee3cf43b7ef1425581b6 ]
+
+Fix connection-level abort handling to cache the abort and error codes
+properly so that a new incoming call can be properly aborted if it races
+with the parent connection being aborted by another CPU.
+
+The abort_code and error parameters can then be dropped from
+rxrpc_abort_calls().
+
+Fixes: f5c17aaeb2ae ("rxrpc: Calls should only have one terminal state")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/ar-internal.h | 4 ++--
+ net/rxrpc/call_accept.c | 4 ++--
+ net/rxrpc/conn_event.c | 26 +++++++++++++++-----------
+ 3 files changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
+index e6c2c4f56fb1..71c7f1dd4599 100644
+--- a/net/rxrpc/ar-internal.h
++++ b/net/rxrpc/ar-internal.h
+@@ -424,8 +424,7 @@ struct rxrpc_connection {
+ spinlock_t state_lock; /* state-change lock */
+ enum rxrpc_conn_cache_state cache_state;
+ enum rxrpc_conn_proto_state state; /* current state of connection */
+- u32 local_abort; /* local abort code */
+- u32 remote_abort; /* remote abort code */
++ u32 abort_code; /* Abort code of connection abort */
+ int debug_id; /* debug ID for printks */
+ atomic_t serial; /* packet serial number counter */
+ unsigned int hi_serial; /* highest serial number received */
+@@ -435,6 +434,7 @@ struct rxrpc_connection {
+ u8 security_size; /* security header size */
+ u8 security_ix; /* security type */
+ u8 out_clientflag; /* RXRPC_CLIENT_INITIATED if we are client */
++ short error; /* Local error code */
+ };
+
+ /*
+diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c
+index 62b1581d44a5..2dd13f5c47c8 100644
+--- a/net/rxrpc/call_accept.c
++++ b/net/rxrpc/call_accept.c
+@@ -418,11 +418,11 @@ found_service:
+
+ case RXRPC_CONN_REMOTELY_ABORTED:
+ rxrpc_set_call_completion(call, RXRPC_CALL_REMOTELY_ABORTED,
+- conn->remote_abort, -ECONNABORTED);
++ conn->abort_code, conn->error);
+ break;
+ case RXRPC_CONN_LOCALLY_ABORTED:
+ rxrpc_abort_call("CON", call, sp->hdr.seq,
+- conn->local_abort, -ECONNABORTED);
++ conn->abort_code, conn->error);
+ break;
+ default:
+ BUG();
+diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
+index 0435c4167a1a..75ec1ad595b7 100644
+--- a/net/rxrpc/conn_event.c
++++ b/net/rxrpc/conn_event.c
+@@ -117,7 +117,7 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
+
+ switch (chan->last_type) {
+ case RXRPC_PACKET_TYPE_ABORT:
+- _proto("Tx ABORT %%%u { %d } [re]", serial, conn->local_abort);
++ _proto("Tx ABORT %%%u { %d } [re]", serial, conn->abort_code);
+ break;
+ case RXRPC_PACKET_TYPE_ACK:
+ trace_rxrpc_tx_ack(NULL, serial, chan->last_seq, 0,
+@@ -135,13 +135,12 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
+ * pass a connection-level abort onto all calls on that connection
+ */
+ static void rxrpc_abort_calls(struct rxrpc_connection *conn,
+- enum rxrpc_call_completion compl,
+- u32 abort_code, int error)
++ enum rxrpc_call_completion compl)
+ {
+ struct rxrpc_call *call;
+ int i;
+
+- _enter("{%d},%x", conn->debug_id, abort_code);
++ _enter("{%d},%x", conn->debug_id, conn->abort_code);
+
+ spin_lock(&conn->channel_lock);
+
+@@ -153,9 +152,11 @@ static void rxrpc_abort_calls(struct rxrpc_connection *conn,
+ if (compl == RXRPC_CALL_LOCALLY_ABORTED)
+ trace_rxrpc_abort("CON", call->cid,
+ call->call_id, 0,
+- abort_code, error);
++ conn->abort_code,
++ conn->error);
+ if (rxrpc_set_call_completion(call, compl,
+- abort_code, error))
++ conn->abort_code,
++ conn->error))
+ rxrpc_notify_socket(call);
+ }
+ }
+@@ -188,10 +189,12 @@ static int rxrpc_abort_connection(struct rxrpc_connection *conn,
+ return 0;
+ }
+
++ conn->error = error;
++ conn->abort_code = abort_code;
+ conn->state = RXRPC_CONN_LOCALLY_ABORTED;
+ spin_unlock_bh(&conn->state_lock);
+
+- rxrpc_abort_calls(conn, RXRPC_CALL_LOCALLY_ABORTED, abort_code, error);
++ rxrpc_abort_calls(conn, RXRPC_CALL_LOCALLY_ABORTED);
+
+ msg.msg_name = &conn->params.peer->srx.transport;
+ msg.msg_namelen = conn->params.peer->srx.transport_len;
+@@ -210,7 +213,7 @@ static int rxrpc_abort_connection(struct rxrpc_connection *conn,
+ whdr._rsvd = 0;
+ whdr.serviceId = htons(conn->service_id);
+
+- word = htonl(conn->local_abort);
++ word = htonl(conn->abort_code);
+
+ iov[0].iov_base = &whdr;
+ iov[0].iov_len = sizeof(whdr);
+@@ -221,7 +224,7 @@ static int rxrpc_abort_connection(struct rxrpc_connection *conn,
+
+ serial = atomic_inc_return(&conn->serial);
+ whdr.serial = htonl(serial);
+- _proto("Tx CONN ABORT %%%u { %d }", serial, conn->local_abort);
++ _proto("Tx CONN ABORT %%%u { %d }", serial, conn->abort_code);
+
+ ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
+ if (ret < 0) {
+@@ -289,9 +292,10 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
+ abort_code = ntohl(wtmp);
+ _proto("Rx ABORT %%%u { ac=%d }", sp->hdr.serial, abort_code);
+
++ conn->error = -ECONNABORTED;
++ conn->abort_code = abort_code;
+ conn->state = RXRPC_CONN_REMOTELY_ABORTED;
+- rxrpc_abort_calls(conn, RXRPC_CALL_REMOTELY_ABORTED,
+- abort_code, -ECONNABORTED);
++ rxrpc_abort_calls(conn, RXRPC_CALL_REMOTELY_ABORTED);
+ return -ECONNABORTED;
+
+ case RXRPC_PACKET_TYPE_CHALLENGE:
+--
+2.17.1
+
--- /dev/null
+From 5d2c08bd6887a5038e72f523b3edc53add313b7b Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 8 Oct 2018 15:46:11 +0100
+Subject: rxrpc: Only take the rwind and mtu values from latest ACK
+
+[ Upstream commit 298bc15b2079c324e82d0a6fda39c3d762af7282 ]
+
+Move the out-of-order and duplicate ACK packet check to before the call to
+rxrpc_input_ackinfo() so that the receive window size and MTU size are only
+checked in the latest ACK packet and don't regress.
+
+Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/input.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
+index 3a501bf0fc1a..ea506a77f3c8 100644
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -806,6 +806,16 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
+ rxrpc_propose_ack_respond_to_ack);
+ }
+
++ /* Discard any out-of-order or duplicate ACKs. */
++ if (before_eq(sp->hdr.serial, call->acks_latest)) {
++ _debug("discard ACK %d <= %d",
++ sp->hdr.serial, call->acks_latest);
++ return;
++ }
++ call->acks_latest_ts = skb->tstamp;
++ call->acks_latest = sp->hdr.serial;
++
++ /* Parse rwind and mtu sizes if provided. */
+ ioffset = offset + nr_acks + 3;
+ if (skb->len >= ioffset + sizeof(buf.info)) {
+ if (skb_copy_bits(skb, ioffset, &buf.info, sizeof(buf.info)) < 0)
+@@ -827,15 +837,6 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
+ return;
+ }
+
+- /* Discard any out-of-order or duplicate ACKs. */
+- if (before_eq(sp->hdr.serial, call->acks_latest)) {
+- _debug("discard ACK %d <= %d",
+- sp->hdr.serial, call->acks_latest);
+- return;
+- }
+- call->acks_latest_ts = skb->tstamp;
+- call->acks_latest = sp->hdr.serial;
+-
+ if (before(hard_ack, call->tx_hard_ack) ||
+ after(hard_ack, call->tx_top))
+ return rxrpc_proto_abort("AKW", call, 0);
+--
+2.17.1
+
--- /dev/null
+From 4604265508b1754702731011cdb097b49b0f814b Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Thu, 19 Apr 2018 12:52:06 +0200
+Subject: s390/qeth: fix error handling in adapter command callbacks
+
+[ Upstream commit 686c97ee29c886ee07d17987d0059874c5c3b5af ]
+
+Make sure to check both return code fields before(!) processing the
+command response. Otherwise we risk operating on invalid data.
+
+This matches an earlier fix for SETASSPARMS commands, see
+commit ad3cbf613329 ("s390/qeth: fix error handling in checksum cmd callback").
+
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/qeth_core_main.c | 85 ++++++++++++++-----------------
+ 1 file changed, 37 insertions(+), 48 deletions(-)
+
+diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
+index 4f2747cd15a6..169dd7127f9e 100644
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -3001,28 +3001,23 @@ static int qeth_send_startlan(struct qeth_card *card)
+ return rc;
+ }
+
+-static int qeth_default_setadapterparms_cb(struct qeth_card *card,
+- struct qeth_reply *reply, unsigned long data)
++static int qeth_setadpparms_inspect_rc(struct qeth_ipa_cmd *cmd)
+ {
+- struct qeth_ipa_cmd *cmd;
+-
+- QETH_CARD_TEXT(card, 4, "defadpcb");
+-
+- cmd = (struct qeth_ipa_cmd *) data;
+- if (cmd->hdr.return_code == 0)
++ if (!cmd->hdr.return_code)
+ cmd->hdr.return_code =
+ cmd->data.setadapterparms.hdr.return_code;
+- return 0;
++ return cmd->hdr.return_code;
+ }
+
+ static int qeth_query_setadapterparms_cb(struct qeth_card *card,
+ struct qeth_reply *reply, unsigned long data)
+ {
+- struct qeth_ipa_cmd *cmd;
++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data;
+
+ QETH_CARD_TEXT(card, 3, "quyadpcb");
++ if (qeth_setadpparms_inspect_rc(cmd))
++ return 0;
+
+- cmd = (struct qeth_ipa_cmd *) data;
+ if (cmd->data.setadapterparms.data.query_cmds_supp.lan_type & 0x7f) {
+ card->info.link_type =
+ cmd->data.setadapterparms.data.query_cmds_supp.lan_type;
+@@ -3030,7 +3025,7 @@ static int qeth_query_setadapterparms_cb(struct qeth_card *card,
+ }
+ card->options.adp.supported_funcs =
+ cmd->data.setadapterparms.data.query_cmds_supp.supported_cmds;
+- return qeth_default_setadapterparms_cb(card, reply, (unsigned long)cmd);
++ return 0;
+ }
+
+ static struct qeth_cmd_buffer *qeth_get_adapter_cmd(struct qeth_card *card,
+@@ -3122,22 +3117,20 @@ EXPORT_SYMBOL_GPL(qeth_query_ipassists);
+ static int qeth_query_switch_attributes_cb(struct qeth_card *card,
+ struct qeth_reply *reply, unsigned long data)
+ {
+- struct qeth_ipa_cmd *cmd;
+- struct qeth_switch_info *sw_info;
++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data;
+ struct qeth_query_switch_attributes *attrs;
++ struct qeth_switch_info *sw_info;
+
+ QETH_CARD_TEXT(card, 2, "qswiatcb");
+- cmd = (struct qeth_ipa_cmd *) data;
+- sw_info = (struct qeth_switch_info *)reply->param;
+- if (cmd->data.setadapterparms.hdr.return_code == 0) {
+- attrs = &cmd->data.setadapterparms.data.query_switch_attributes;
+- sw_info->capabilities = attrs->capabilities;
+- sw_info->settings = attrs->settings;
+- QETH_CARD_TEXT_(card, 2, "%04x%04x", sw_info->capabilities,
+- sw_info->settings);
+- }
+- qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd);
++ if (qeth_setadpparms_inspect_rc(cmd))
++ return 0;
+
++ sw_info = (struct qeth_switch_info *)reply->param;
++ attrs = &cmd->data.setadapterparms.data.query_switch_attributes;
++ sw_info->capabilities = attrs->capabilities;
++ sw_info->settings = attrs->settings;
++ QETH_CARD_TEXT_(card, 2, "%04x%04x", sw_info->capabilities,
++ sw_info->settings);
+ return 0;
+ }
+
+@@ -4188,16 +4181,13 @@ EXPORT_SYMBOL_GPL(qeth_do_send_packet);
+ static int qeth_setadp_promisc_mode_cb(struct qeth_card *card,
+ struct qeth_reply *reply, unsigned long data)
+ {
+- struct qeth_ipa_cmd *cmd;
++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data;
+ struct qeth_ipacmd_setadpparms *setparms;
+
+ QETH_CARD_TEXT(card, 4, "prmadpcb");
+
+- cmd = (struct qeth_ipa_cmd *) data;
+ setparms = &(cmd->data.setadapterparms);
+-
+- qeth_default_setadapterparms_cb(card, reply, (unsigned long)cmd);
+- if (cmd->hdr.return_code) {
++ if (qeth_setadpparms_inspect_rc(cmd)) {
+ QETH_CARD_TEXT_(card, 4, "prmrc%x", cmd->hdr.return_code);
+ setparms->data.mode = SET_PROMISC_MODE_OFF;
+ }
+@@ -4267,11 +4257,12 @@ EXPORT_SYMBOL_GPL(qeth_get_stats);
+ static int qeth_setadpparms_change_macaddr_cb(struct qeth_card *card,
+ struct qeth_reply *reply, unsigned long data)
+ {
+- struct qeth_ipa_cmd *cmd;
++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data;
+
+ QETH_CARD_TEXT(card, 4, "chgmaccb");
++ if (qeth_setadpparms_inspect_rc(cmd))
++ return 0;
+
+- cmd = (struct qeth_ipa_cmd *) data;
+ if (!card->options.layer2 ||
+ !(card->info.mac_bits & QETH_LAYER2_MAC_READ)) {
+ memcpy(card->dev->dev_addr,
+@@ -4279,7 +4270,6 @@ static int qeth_setadpparms_change_macaddr_cb(struct qeth_card *card,
+ OSA_ADDR_LEN);
+ card->info.mac_bits |= QETH_LAYER2_MAC_READ;
+ }
+- qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd);
+ return 0;
+ }
+
+@@ -4310,13 +4300,15 @@ EXPORT_SYMBOL_GPL(qeth_setadpparms_change_macaddr);
+ static int qeth_setadpparms_set_access_ctrl_cb(struct qeth_card *card,
+ struct qeth_reply *reply, unsigned long data)
+ {
+- struct qeth_ipa_cmd *cmd;
++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data;
+ struct qeth_set_access_ctrl *access_ctrl_req;
+ int fallback = *(int *)reply->param;
+
+ QETH_CARD_TEXT(card, 4, "setaccb");
++ if (cmd->hdr.return_code)
++ return 0;
++ qeth_setadpparms_inspect_rc(cmd);
+
+- cmd = (struct qeth_ipa_cmd *) data;
+ access_ctrl_req = &cmd->data.setadapterparms.data.set_access_ctrl;
+ QETH_DBF_TEXT_(SETUP, 2, "setaccb");
+ QETH_DBF_TEXT_(SETUP, 2, "%s", card->gdev->dev.kobj.name);
+@@ -4389,7 +4381,6 @@ static int qeth_setadpparms_set_access_ctrl_cb(struct qeth_card *card,
+ card->options.isolation = card->options.prev_isolation;
+ break;
+ }
+- qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd);
+ return 0;
+ }
+
+@@ -4677,14 +4668,15 @@ out:
+ static int qeth_setadpparms_query_oat_cb(struct qeth_card *card,
+ struct qeth_reply *reply, unsigned long data)
+ {
+- struct qeth_ipa_cmd *cmd;
++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *)data;
+ struct qeth_qoat_priv *priv;
+ char *resdata;
+ int resdatalen;
+
+ QETH_CARD_TEXT(card, 3, "qoatcb");
++ if (qeth_setadpparms_inspect_rc(cmd))
++ return 0;
+
+- cmd = (struct qeth_ipa_cmd *)data;
+ priv = (struct qeth_qoat_priv *)reply->param;
+ resdatalen = cmd->data.setadapterparms.hdr.cmdlength;
+ resdata = (char *)data + 28;
+@@ -4778,21 +4770,18 @@ out:
+ static int qeth_query_card_info_cb(struct qeth_card *card,
+ struct qeth_reply *reply, unsigned long data)
+ {
+- struct qeth_ipa_cmd *cmd;
++ struct carrier_info *carrier_info = (struct carrier_info *)reply->param;
++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *)data;
+ struct qeth_query_card_info *card_info;
+- struct carrier_info *carrier_info;
+
+ QETH_CARD_TEXT(card, 2, "qcrdincb");
+- carrier_info = (struct carrier_info *)reply->param;
+- cmd = (struct qeth_ipa_cmd *)data;
+- card_info = &cmd->data.setadapterparms.data.card_info;
+- if (cmd->data.setadapterparms.hdr.return_code == 0) {
+- carrier_info->card_type = card_info->card_type;
+- carrier_info->port_mode = card_info->port_mode;
+- carrier_info->port_speed = card_info->port_speed;
+- }
++ if (qeth_setadpparms_inspect_rc(cmd))
++ return 0;
+
+- qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd);
++ card_info = &cmd->data.setadapterparms.data.card_info;
++ carrier_info->card_type = card_info->card_type;
++ carrier_info->port_mode = card_info->port_mode;
++ carrier_info->port_speed = card_info->port_speed;
+ return 0;
+ }
+
+--
+2.17.1
+
--- /dev/null
+From 9bdc44aeee703a488ac2e5c8ce082ceea34d937a Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 28 Nov 2017 14:25:25 +0100
+Subject: scsi: aacraid: address UBSAN warning regression
+
+[ Upstream commit d18539754d97876503275efc7d00a1901bb0cfad ]
+
+As reported by Meelis Roos, my previous patch causes an incorrect
+calculation of the timeout, through an undefined signed integer
+overflow:
+
+[ 12.228155] UBSAN: Undefined behaviour in drivers/scsi/aacraid/commsup.c:2514:49
+[ 12.228229] signed integer overflow:
+[ 12.228283] 964297611 * 250 cannot be represented in type 'long int'
+
+The problem is that doing a multiplication with HZ first and then
+dividing by USEC_PER_SEC worked correctly for 32-bit microseconds,
+but not for 32-bit nanoseconds, which would require up to 41 bits.
+
+This reworks the calculation to first convert the nanoseconds into
+jiffies, which should give us the same result as before and not overflow.
+
+Unfortunately I did not understand the exact intention of the algorithm,
+in particular the part where we add half a second, so it's possible that
+there is still a preexisting problem in this function. I added a comment
+that this would be handled more nicely using usleep_range(), which
+generally works better for waking up at a particular time than the
+current schedule_timeout() based implementation. I did not feel
+comfortable trying to implement that without being sure what the
+intent is here though.
+
+Fixes: 820f18865912 ("scsi: aacraid: use timespec64 instead of timeval")
+Tested-by: Meelis Roos <mroos@linux.ee>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/aacraid/commsup.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c
+index 998788a967be..3e38bae6ecde 100644
+--- a/drivers/scsi/aacraid/commsup.c
++++ b/drivers/scsi/aacraid/commsup.c
+@@ -2506,8 +2506,8 @@ int aac_command_thread(void *data)
+ /* Synchronize our watches */
+ if (((NSEC_PER_SEC - (NSEC_PER_SEC / HZ)) > now.tv_nsec)
+ && (now.tv_nsec > (NSEC_PER_SEC / HZ)))
+- difference = (((NSEC_PER_SEC - now.tv_nsec) * HZ)
+- + NSEC_PER_SEC / 2) / NSEC_PER_SEC;
++ difference = HZ + HZ / 2 -
++ now.tv_nsec / (NSEC_PER_SEC / HZ);
+ else {
+ if (now.tv_nsec > NSEC_PER_SEC / 2)
+ ++now.tv_sec;
+@@ -2531,6 +2531,10 @@ int aac_command_thread(void *data)
+ if (kthread_should_stop())
+ break;
+
++ /*
++ * we probably want usleep_range() here instead of the
++ * jiffies computation
++ */
+ schedule_timeout(difference);
+
+ if (kthread_should_stop())
+--
+2.17.1
+
--- /dev/null
+From d4f098080c76ab32d6feefbc22aaecf51c15a613 Mon Sep 17 00:00:00 2001
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Wed, 14 Mar 2018 17:13:39 -0500
+Subject: scsi: ibmvfc: Avoid unnecessary port relogin
+
+[ Upstream commit 09dd15e0d9547ca424de4043bcd429bab6f285c8 ]
+
+Following an RSCN, ibmvfc will issue an ADISC to determine if the
+underlying target has changed, comparing the SCSI ID, WWPN, and WWNN to
+determine how to handle the rport in discovery. However, the comparison
+of the WWPN and WWNN was performing a memcmp between a big endian field
+against a CPU endian field, which resulted in the wrong answer on LE
+systems. This was observed as unexpected errors getting logged at boot
+time as targets were getting relogins when not needed.
+
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ibmvscsi/ibmvfc.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c
+index b491af31a5f8..a06b24a61622 100644
+--- a/drivers/scsi/ibmvscsi/ibmvfc.c
++++ b/drivers/scsi/ibmvscsi/ibmvfc.c
+@@ -3580,11 +3580,9 @@ static void ibmvfc_tgt_implicit_logout(struct ibmvfc_target *tgt)
+ static int ibmvfc_adisc_needs_plogi(struct ibmvfc_passthru_mad *mad,
+ struct ibmvfc_target *tgt)
+ {
+- if (memcmp(&mad->fc_iu.response[2], &tgt->ids.port_name,
+- sizeof(tgt->ids.port_name)))
++ if (wwn_to_u64((u8 *)&mad->fc_iu.response[2]) != tgt->ids.port_name)
+ return 1;
+- if (memcmp(&mad->fc_iu.response[4], &tgt->ids.node_name,
+- sizeof(tgt->ids.node_name)))
++ if (wwn_to_u64((u8 *)&mad->fc_iu.response[4]) != tgt->ids.node_name)
+ return 1;
+ if (be32_to_cpu(mad->fc_iu.response[6]) != tgt->scsi_id)
+ return 1;
+--
+2.17.1
+
--- /dev/null
+From e3bfb18a3900bc13c03f2e4e751f748b2bc8f2e0 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Tue, 20 Mar 2018 21:05:48 +0000
+Subject: scsi: qla2xxx: Avoid double completion of abort command
+
+[ Upstream commit 3a9910d7b686546dcc9986e790af17e148f1c888 ]
+
+qla2x00_tmf_sp_done() now deletes the timer that will run
+qla2x00_tmf_iocb_timeout(), but doesn't check whether the timer already
+expired. Check the return value from del_timer() to avoid calling
+complete() a second time.
+
+Fixes: 4440e46d5db7 ("[SCSI] qla2xxx: Add IOCB Abort command asynchronous ...")
+Fixes: 1514839b3664 ("scsi: qla2xxx: Fix NULL pointer crash due to active ...")
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index 1d42d38f5a45..0e19f6bc24ff 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -1365,8 +1365,8 @@ qla24xx_abort_sp_done(void *ptr, int res)
+ srb_t *sp = ptr;
+ struct srb_iocb *abt = &sp->u.iocb_cmd;
+
+- del_timer(&sp->u.iocb_cmd.timer);
+- complete(&abt->u.abt.comp);
++ if (del_timer(&sp->u.iocb_cmd.timer))
++ complete(&abt->u.abt.comp);
+ }
+
+ int
+--
+2.17.1
+
--- /dev/null
+From 54b515f523e4c36975275c902e0a29818962b9ac Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Wed, 14 Mar 2018 12:15:56 -0400
+Subject: scsi: sd: Remember that READ CAPACITY(16) succeeded
+
+[ Upstream commit 597d74005ba85e87c256cd732128ebf7faf54247 ]
+
+The USB storage glue sets the try_rc_10_first flag in an attempt to
+avoid wedging poorly implemented legacy USB devices.
+
+If the device capacity is too large to be expressed in the provided
+response buffer field of READ CAPACITY(10), a well-behaved device will
+set the reported capacity to 0xFFFFFFFF. We will then attempt to issue a
+READ CAPACITY(16) to obtain the real capacity.
+
+Since this part of the discovery logic is not covered by the first_scan
+flag, a warning will be printed a couple of times times per revalidate
+attempt if we upgrade from READ CAPACITY(10) to READ CAPACITY(16).
+
+Remember that we have successfully issued READ CAPACITY(16) so we can
+take the fast path on subsequent revalidate attempts.
+
+Reported-by: Menion <menion@gmail.com>
+Reviewed-by: Laurence Oberman <loberman@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index 4a532318b211..b0dd8bdfdf98 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2497,6 +2497,8 @@ sd_read_capacity(struct scsi_disk *sdkp, unsigned char *buffer)
+ sector_size = old_sector_size;
+ goto got_data;
+ }
++ /* Remember that READ CAPACITY(16) succeeded */
++ sdp->try_rc_10_first = 0;
+ }
+ }
+
+--
+2.17.1
+
--- /dev/null
+From ec8eebac3b967e52b4770b759ed3df00e2d7101c Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Tue, 22 May 2018 16:14:27 +1000
+Subject: selftests/powerpc: Add ptrace hw breakpoint test
+
+[ Upstream commit 9c2ddfe55c42bf4b9bc336a0650ab78f9222a159 ]
+
+This test the ptrace hw breakpoints via PTRACE_SET_DEBUGREG and
+PPC_PTRACE_SETHWDEBUG. This test was use to find the bugs fixed by
+these recent commits:
+
+ 4f7c06e26e powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG
+ cd6ef7eebf powerpc/ptrace: Fix enforcement of DAWR constraints
+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+[mpe: Add SPDX tag, clang format it]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/powerpc/ptrace/.gitignore | 1 +
+ .../testing/selftests/powerpc/ptrace/Makefile | 2 +-
+ .../selftests/powerpc/ptrace/ptrace-hwbreak.c | 342 ++++++++++++++++++
+ 3 files changed, 344 insertions(+), 1 deletion(-)
+ create mode 100644 tools/testing/selftests/powerpc/ptrace/ptrace-hwbreak.c
+
+diff --git a/tools/testing/selftests/powerpc/ptrace/.gitignore b/tools/testing/selftests/powerpc/ptrace/.gitignore
+index 349acfafc95b..9dcc16ea8179 100644
+--- a/tools/testing/selftests/powerpc/ptrace/.gitignore
++++ b/tools/testing/selftests/powerpc/ptrace/.gitignore
+@@ -8,3 +8,4 @@ ptrace-vsx
+ ptrace-tm-vsx
+ ptrace-tm-spd-vsx
+ ptrace-tm-spr
++ptrace-hwbreak
+diff --git a/tools/testing/selftests/powerpc/ptrace/Makefile b/tools/testing/selftests/powerpc/ptrace/Makefile
+index 480305266504..0e2f4601d1a8 100644
+--- a/tools/testing/selftests/powerpc/ptrace/Makefile
++++ b/tools/testing/selftests/powerpc/ptrace/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ TEST_PROGS := ptrace-gpr ptrace-tm-gpr ptrace-tm-spd-gpr \
+ ptrace-tar ptrace-tm-tar ptrace-tm-spd-tar ptrace-vsx ptrace-tm-vsx \
+- ptrace-tm-spd-vsx ptrace-tm-spr
++ ptrace-tm-spd-vsx ptrace-tm-spr ptrace-hwbreak
+
+ include ../../lib.mk
+
+diff --git a/tools/testing/selftests/powerpc/ptrace/ptrace-hwbreak.c b/tools/testing/selftests/powerpc/ptrace/ptrace-hwbreak.c
+new file mode 100644
+index 000000000000..3066d310f32b
+--- /dev/null
++++ b/tools/testing/selftests/powerpc/ptrace/ptrace-hwbreak.c
+@@ -0,0 +1,342 @@
++// SPDX-License-Identifier: GPL-2.0+
++
++/*
++ * Ptrace test for hw breakpoints
++ *
++ * Based on tools/testing/selftests/breakpoints/breakpoint_test.c
++ *
++ * This test forks and the parent then traces the child doing various
++ * types of ptrace enabled breakpoints
++ *
++ * Copyright (C) 2018 Michael Neuling, IBM Corporation.
++ */
++
++#include <sys/ptrace.h>
++#include <unistd.h>
++#include <stddef.h>
++#include <sys/user.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <signal.h>
++#include <sys/types.h>
++#include <sys/wait.h>
++#include "ptrace.h"
++
++/* Breakpoint access modes */
++enum {
++ BP_X = 1,
++ BP_RW = 2,
++ BP_W = 4,
++};
++
++static pid_t child_pid;
++static struct ppc_debug_info dbginfo;
++
++static void get_dbginfo(void)
++{
++ int ret;
++
++ ret = ptrace(PPC_PTRACE_GETHWDBGINFO, child_pid, NULL, &dbginfo);
++ if (ret) {
++ perror("Can't get breakpoint info\n");
++ exit(-1);
++ }
++}
++
++static bool hwbreak_present(void)
++{
++ return (dbginfo.num_data_bps != 0);
++}
++
++static bool dawr_present(void)
++{
++ return !!(dbginfo.features & PPC_DEBUG_FEATURE_DATA_BP_DAWR);
++}
++
++static void set_breakpoint_addr(void *addr)
++{
++ int ret;
++
++ ret = ptrace(PTRACE_SET_DEBUGREG, child_pid, 0, addr);
++ if (ret) {
++ perror("Can't set breakpoint addr\n");
++ exit(-1);
++ }
++}
++
++static int set_hwbreakpoint_addr(void *addr, int range)
++{
++ int ret;
++
++ struct ppc_hw_breakpoint info;
++
++ info.version = 1;
++ info.trigger_type = PPC_BREAKPOINT_TRIGGER_RW;
++ info.addr_mode = PPC_BREAKPOINT_MODE_EXACT;
++ if (range > 0)
++ info.addr_mode = PPC_BREAKPOINT_MODE_RANGE_INCLUSIVE;
++ info.condition_mode = PPC_BREAKPOINT_CONDITION_NONE;
++ info.addr = (__u64)addr;
++ info.addr2 = (__u64)addr + range;
++ info.condition_value = 0;
++
++ ret = ptrace(PPC_PTRACE_SETHWDEBUG, child_pid, 0, &info);
++ if (ret < 0) {
++ perror("Can't set breakpoint\n");
++ exit(-1);
++ }
++ return ret;
++}
++
++static int del_hwbreakpoint_addr(int watchpoint_handle)
++{
++ int ret;
++
++ ret = ptrace(PPC_PTRACE_DELHWDEBUG, child_pid, 0, watchpoint_handle);
++ if (ret < 0) {
++ perror("Can't delete hw breakpoint\n");
++ exit(-1);
++ }
++ return ret;
++}
++
++#define DAWR_LENGTH_MAX 512
++
++/* Dummy variables to test read/write accesses */
++static unsigned long long
++ dummy_array[DAWR_LENGTH_MAX / sizeof(unsigned long long)]
++ __attribute__((aligned(512)));
++static unsigned long long *dummy_var = dummy_array;
++
++static void write_var(int len)
++{
++ long long *plval;
++ char *pcval;
++ short *psval;
++ int *pival;
++
++ switch (len) {
++ case 1:
++ pcval = (char *)dummy_var;
++ *pcval = 0xff;
++ break;
++ case 2:
++ psval = (short *)dummy_var;
++ *psval = 0xffff;
++ break;
++ case 4:
++ pival = (int *)dummy_var;
++ *pival = 0xffffffff;
++ break;
++ case 8:
++ plval = (long long *)dummy_var;
++ *plval = 0xffffffffffffffffLL;
++ break;
++ }
++}
++
++static void read_var(int len)
++{
++ char cval __attribute__((unused));
++ short sval __attribute__((unused));
++ int ival __attribute__((unused));
++ long long lval __attribute__((unused));
++
++ switch (len) {
++ case 1:
++ cval = *(char *)dummy_var;
++ break;
++ case 2:
++ sval = *(short *)dummy_var;
++ break;
++ case 4:
++ ival = *(int *)dummy_var;
++ break;
++ case 8:
++ lval = *(long long *)dummy_var;
++ break;
++ }
++}
++
++/*
++ * Do the r/w accesses to trigger the breakpoints. And run
++ * the usual traps.
++ */
++static void trigger_tests(void)
++{
++ int len, ret;
++
++ ret = ptrace(PTRACE_TRACEME, 0, NULL, 0);
++ if (ret) {
++ perror("Can't be traced?\n");
++ return;
++ }
++
++ /* Wake up father so that it sets up the first test */
++ kill(getpid(), SIGUSR1);
++
++ /* Test write watchpoints */
++ for (len = 1; len <= sizeof(long); len <<= 1)
++ write_var(len);
++
++ /* Test read/write watchpoints (on read accesses) */
++ for (len = 1; len <= sizeof(long); len <<= 1)
++ read_var(len);
++
++ /* Test when breakpoint is unset */
++
++ /* Test write watchpoints */
++ for (len = 1; len <= sizeof(long); len <<= 1)
++ write_var(len);
++
++ /* Test read/write watchpoints (on read accesses) */
++ for (len = 1; len <= sizeof(long); len <<= 1)
++ read_var(len);
++}
++
++static void check_success(const char *msg)
++{
++ const char *msg2;
++ int status;
++
++ /* Wait for the child to SIGTRAP */
++ wait(&status);
++
++ msg2 = "Failed";
++
++ if (WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP) {
++ msg2 = "Child process hit the breakpoint";
++ }
++
++ printf("%s Result: [%s]\n", msg, msg2);
++}
++
++static void launch_watchpoints(char *buf, int mode, int len,
++ struct ppc_debug_info *dbginfo, bool dawr)
++{
++ const char *mode_str;
++ unsigned long data = (unsigned long)(dummy_var);
++ int wh, range;
++
++ data &= ~0x7UL;
++
++ if (mode == BP_W) {
++ data |= (1UL << 1);
++ mode_str = "write";
++ } else {
++ data |= (1UL << 0);
++ data |= (1UL << 1);
++ mode_str = "read";
++ }
++
++ /* Set DABR_TRANSLATION bit */
++ data |= (1UL << 2);
++
++ /* use PTRACE_SET_DEBUGREG breakpoints */
++ set_breakpoint_addr((void *)data);
++ ptrace(PTRACE_CONT, child_pid, NULL, 0);
++ sprintf(buf, "Test %s watchpoint with len: %d ", mode_str, len);
++ check_success(buf);
++ /* Unregister hw brkpoint */
++ set_breakpoint_addr(NULL);
++
++ data = (data & ~7); /* remove dabr control bits */
++
++ /* use PPC_PTRACE_SETHWDEBUG breakpoint */
++ if (!(dbginfo->features & PPC_DEBUG_FEATURE_DATA_BP_RANGE))
++ return; /* not supported */
++ wh = set_hwbreakpoint_addr((void *)data, 0);
++ ptrace(PTRACE_CONT, child_pid, NULL, 0);
++ sprintf(buf, "Test %s watchpoint with len: %d ", mode_str, len);
++ check_success(buf);
++ /* Unregister hw brkpoint */
++ del_hwbreakpoint_addr(wh);
++
++ /* try a wider range */
++ range = 8;
++ if (dawr)
++ range = 512 - ((int)data & (DAWR_LENGTH_MAX - 1));
++ wh = set_hwbreakpoint_addr((void *)data, range);
++ ptrace(PTRACE_CONT, child_pid, NULL, 0);
++ sprintf(buf, "Test %s watchpoint with len: %d ", mode_str, len);
++ check_success(buf);
++ /* Unregister hw brkpoint */
++ del_hwbreakpoint_addr(wh);
++}
++
++/* Set the breakpoints and check the child successfully trigger them */
++static int launch_tests(bool dawr)
++{
++ char buf[1024];
++ int len, i, status;
++
++ struct ppc_debug_info dbginfo;
++
++ i = ptrace(PPC_PTRACE_GETHWDBGINFO, child_pid, NULL, &dbginfo);
++ if (i) {
++ perror("Can't set breakpoint info\n");
++ exit(-1);
++ }
++ if (!(dbginfo.features & PPC_DEBUG_FEATURE_DATA_BP_RANGE))
++ printf("WARNING: Kernel doesn't support PPC_PTRACE_SETHWDEBUG\n");
++
++ /* Write watchpoint */
++ for (len = 1; len <= sizeof(long); len <<= 1)
++ launch_watchpoints(buf, BP_W, len, &dbginfo, dawr);
++
++ /* Read-Write watchpoint */
++ for (len = 1; len <= sizeof(long); len <<= 1)
++ launch_watchpoints(buf, BP_RW, len, &dbginfo, dawr);
++
++ ptrace(PTRACE_CONT, child_pid, NULL, 0);
++
++ /*
++ * Now we have unregistered the breakpoint, access by child
++ * should not cause SIGTRAP.
++ */
++
++ wait(&status);
++
++ if (WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP) {
++ printf("FAIL: Child process hit the breakpoint, which is not expected\n");
++ ptrace(PTRACE_CONT, child_pid, NULL, 0);
++ return TEST_FAIL;
++ }
++
++ if (WIFEXITED(status))
++ printf("Child exited normally\n");
++
++ return TEST_PASS;
++}
++
++static int ptrace_hwbreak(void)
++{
++ pid_t pid;
++ int ret;
++ bool dawr;
++
++ pid = fork();
++ if (!pid) {
++ trigger_tests();
++ return 0;
++ }
++
++ wait(NULL);
++
++ child_pid = pid;
++
++ get_dbginfo();
++ SKIP_IF(!hwbreak_present());
++ dawr = dawr_present();
++
++ ret = launch_tests(dawr);
++
++ wait(NULL);
++
++ return ret;
++}
++
++int main(int argc, char **argv, char **envp)
++{
++ return test_harness(ptrace_hwbreak, "ptrace-hwbreak");
++}
+--
+2.17.1
+
--- /dev/null
+From 6560fba319a41080fa4b08ec84572314f1d41fe2 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 11 Oct 2018 10:54:52 +0200
+Subject: selftests: rtnetlink.sh explicitly requires bash.
+
+[ Upstream commit 3c718e677c2b35b449992adc36ecce883c467e98 ]
+
+the script rtnetlink.sh requires a bash-only features (sleep with sub-second
+precision). This may cause random test failure if the default shell is not
+bash.
+Address the above explicitly requiring bash as the script interpreter.
+
+Fixes: 33b01b7b4f19 ("selftests: add rtnetlink test script")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/rtnetlink.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
+index 57b5ff576240..891130daac7c 100755
+--- a/tools/testing/selftests/net/rtnetlink.sh
++++ b/tools/testing/selftests/net/rtnetlink.sh
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ #
+ # This test is for checking rtnetlink callpaths, and get as much coverage as possible.
+ #
+--
+2.17.1
+
--- /dev/null
+xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch
+xfrm6-call-kfree_skb-when-skb-is-toobig.patch
+xfrm-reset-transport-header-back-to-network-header-a.patch
+xfrm-reset-crypto_done-when-iterating-over-multiple-.patch
+mac80211-always-report-tx-status.patch
+cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch
+mac80211-fix-pending-queue-hang-due-to-tx_drop.patch
+cfg80211-address-some-corner-cases-in-scan-result-ch.patch
+mac80211-tdls-fix-skb-queue-priority-assignment.patch
+mac80211-fix-tx-status-reporting-for-ieee80211s.patch
+xfrm-fix-null-pointer-dereference-when-skb_dst_force.patch
+arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch
+xfrm-validate-template-mode.patch
+netfilter-bridge-don-t-sabotage-nf_hook-calls-from-a.patch
+arm64-hugetlb-fix-handling-of-young-ptes.patch
+arm-dts-bcm63xx-fix-incorrect-interrupt-specifiers.patch
+net-macb-clean-64b-dma-addresses-if-they-are-not-det.patch
+soc-fsl-qbman-qman-avoid-allocating-from-non-existin.patch
+soc-fsl-qe-fix-copy-paste-bug-in-ucc_get_tdm_sync_sh.patch
+nl80211-fix-possible-spectre-v1-for-nl80211_txrate_h.patch
+mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch
+bluetooth-smp-fix-crash-in-unpairing.patch
+pxa168fb-prepare-the-clock.patch
+qed-avoid-implicit-enum-conversion-in-qed_set_tunn_c.patch
+qed-fix-mask-parameter-in-qed_vf_prep_tunn_req_tlv.patch
+qed-avoid-implicit-enum-conversion-in-qed_roce_mode_.patch
+qed-avoid-constant-logical-operation-warning-in-qed_.patch
+qed-avoid-implicit-enum-conversion-in-qed_iwarp_pars.patch
+nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresho.patch
+asix-check-for-supported-wake-on-lan-modes.patch
+ax88179_178a-check-for-supported-wake-on-lan-modes.patch
+lan78xx-check-for-supported-wake-on-lan-modes.patch
+sr9800-check-for-supported-wake-on-lan-modes.patch
+r8152-check-for-supported-wake-on-lan-modes.patch
+smsc75xx-check-for-wake-on-lan-modes.patch
+smsc95xx-check-for-wake-on-lan-modes.patch
+cfg80211-fix-use-after-free-in-reg_process_hint.patch
+perf-core-fix-perf_pmu_unregister-locking.patch
+perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch
+perf-x86-intel-uncore-fix-pci-bdf-address-of-m3upi-o.patch
+perf-x86-amd-uncore-set-threadmask-and-slicemask-for.patch
+net-fec-fix-rare-tx-timeout.patch
+declance-fix-continuation-with-the-adapter-identific.patch
+net-qualcomm-rmnet-skip-processing-loopback-packets.patch
+locking-ww_mutex-fix-runtime-warning-in-the-ww-mutex.patch
+be2net-don-t-flip-hw_features-when-vxlans-are-added-.patch
+net-cxgb3_main-fix-a-missing-check-bug.patch
+yam-fix-a-missing-check-bug.patch
+ocfs2-fix-crash-in-ocfs2_duplicate_clusters_by_page.patch
+iwlwifi-mvm-check-for-short-gi-only-for-ofdm.patch
+iwlwifi-dbg-allow-wrt-collection-before-alive.patch
+iwlwifi-fix-the-alive-notification-layout.patch
+x86-power-fix-some-ordering-bugs-in-__restore_proces.patch
+tools-testing-nvdimm-unit-test-clear-error-commands.patch
+usbip-vhci_hcd-update-status-file-header-and-format.patch
+scsi-aacraid-address-ubsan-warning-regression.patch
+ib-ipoib-fix-lockdep-issue-found-on-ipoib_ib_dev_hea.patch
+ib-rxe-put-the-pool-on-allocation-failure.patch
+s390-qeth-fix-error-handling-in-adapter-command-call.patch
+net-mlx5-fix-mlx5_get_vector_affinity-function.patch
+powerpc-pseries-add-empty-update_numa_cpu_lookup_tab.patch
+dm-integrity-fail-early-if-required-hmac-key-is-not-.patch
+net-phy-realtek-use-the-dummy-stubs-for-mmd-register.patch
+net-phy-add-general-dummy-stubs-for-mmd-register-acc.patch
+net-mlx5e-refine-ets-validation-function.patch
+scsi-qla2xxx-avoid-double-completion-of-abort-comman.patch
+kbuild-set-no-integrated-as-before-incl.-arch-makefi.patch
+ib-mlx5-avoid-passing-an-invalid-qp-type-to-firmware.patch
+arm-tegra-fix-ulpi-regression-on-tegra20.patch
+l2tp-remove-configurable-payload-offset.patch
+cifs-use-ull-suffix-for-64-bit-constant.patch
+test_bpf-fix-testing-with-config_bpf_jit_always_on-y.patch
+kvm-x86-update-the-exit_qualification-access-bits-wh.patch
+sparc64-fix-regression-in-pmdp_invalidate.patch
+tpm-move-the-delay_msec-increment-after-sleep-in-tpm.patch
+bpf-sockmap-map_release-does-not-hold-refcnt-for-pin.patch
+tpm-tpm_crb-relinquish-locality-on-error-path.patch
+xen-netfront-update-features-after-registering-netde.patch
+xen-netfront-fix-mismatched-rtnl_unlock.patch
+ib-usnic-update-with-bug-fixes-from-core-code.patch
+mmc-dw_mmc-rockchip-correct-property-names-in-debug.patch
+mips-workaround-gcc-__builtin_unreachable-reordering.patch
+lan78xx-don-t-reset-the-interface-on-open.patch
+enic-do-not-overwrite-error-code.patch
+iio-buffer-fix-the-function-signature-to-match-imple.patch
+selftests-powerpc-add-ptrace-hw-breakpoint-test.patch
+scsi-ibmvfc-avoid-unnecessary-port-relogin.patch
+scsi-sd-remember-that-read-capacity-16-succeeded.patch
+btrfs-quota-set-rescan-progress-to-u64-1-if-we-hit-l.patch
+net-phy-phylink-don-t-release-null-gpio.patch
+x86-paravirt-fix-some-warning-messages.patch
+net-stmmac-mark-pm-functions-as-__maybe_unused.patch
+kconfig-fix-the-rule-of-mainmenu_stmt-symbol.patch
+libertas-call-into-generic-suspend-code-before-turni.patch
+perf-tests-fix-indexing-when-invoking-subtests.patch
+compiler.h-allow-arch-specific-asm-compiler.h.patch
+arm-dts-imx53-qsb-disable-1.2ghz-opp.patch
+perf-python-use-wno-redundant-decls-to-build-with-py.patch
+rxrpc-don-t-check-rxrpc_call_tx_last-after-calling-r.patch
+rxrpc-only-take-the-rwind-and-mtu-values-from-latest.patch
+rxrpc-fix-connection-level-abort-handling.patch
+net-ena-fix-warning-in-rmmod-caused-by-double-iounma.patch
+net-ena-fix-null-dereference-due-to-untimely-napi-in.patch
+selftests-rtnetlink.sh-explicitly-requires-bash.patch
+fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch
--- /dev/null
+From 8bc4c33893d4cbacd0e56951a85f1e6e16d3a313 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:55 -0700
+Subject: smsc75xx: Check for Wake-on-LAN modes
+
+[ Upstream commit 9c734b2769a73eea2e9e9767c0e0bf839ff23679 ]
+
+The driver does not check for Wake-on-LAN modes specified by an user,
+but will conditionally set the device as wake-up enabled or not based on
+that, which could be a very confusing user experience.
+
+Fixes: 6c636503260d ("smsc75xx: add wol magic packet support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc75xx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index b64b1ee56d2d..ec287c9741e8 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -731,6 +731,9 @@ static int smsc75xx_ethtool_set_wol(struct net_device *net,
+ struct smsc75xx_priv *pdata = (struct smsc75xx_priv *)(dev->data[0]);
+ int ret;
+
++ if (wolinfo->wolopts & ~SUPPORTED_WAKE)
++ return -EINVAL;
++
+ pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE;
+
+ ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts);
+--
+2.17.1
+
--- /dev/null
+From cef7137dde4345eca393d20fc942d73ec57bb69a Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:56 -0700
+Subject: smsc95xx: Check for Wake-on-LAN modes
+
+[ Upstream commit c530c471ba37bdd9fe1c7185b01455c00ae606fb ]
+
+The driver does not check for Wake-on-LAN modes specified by an user,
+but will conditionally set the device as wake-up enabled or not based on
+that, which could be a very confusing user experience.
+
+Fixes: e0e474a83c18 ("smsc95xx: add wol magic packet support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc95xx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index 309b88acd3d0..99e684e39d35 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -774,6 +774,9 @@ static int smsc95xx_ethtool_set_wol(struct net_device *net,
+ struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]);
+ int ret;
+
++ if (wolinfo->wolopts & ~SUPPORTED_WAKE)
++ return -EINVAL;
++
+ pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE;
+
+ ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts);
+--
+2.17.1
+
--- /dev/null
+From 45b9d64cc3c81073e70b636e447a50f6752e1443 Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Thu, 23 Aug 2018 23:36:00 +0200
+Subject: soc: fsl: qbman: qman: avoid allocating from non existing gen_pool
+
+[ Upstream commit 64e9e22e68512da8df3c9a7430f07621e48db3c2 ]
+
+If the qman driver didn't probe, calling qman_alloc_fqid_range,
+qman_alloc_pool_range or qman_alloc_cgrid_range (as done in dpaa_eth) will
+pass a NULL pointer to gen_pool_alloc, leading to a NULL pointer
+dereference.
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Reviewed-by: Roy Pledge <roy.pledge@nxp.com>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+(cherry picked from commit f72487a2788aa70c3aee1d0ebd5470de9bac953a)
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qbman/qman.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
+index 0c6065dba48a..4f27e95efcdd 100644
+--- a/drivers/soc/fsl/qbman/qman.c
++++ b/drivers/soc/fsl/qbman/qman.c
+@@ -2699,6 +2699,9 @@ static int qman_alloc_range(struct gen_pool *p, u32 *result, u32 cnt)
+ {
+ unsigned long addr;
+
++ if (!p)
++ return -ENODEV;
++
+ addr = gen_pool_alloc(p, cnt);
+ if (!addr)
+ return -ENOMEM;
+--
+2.17.1
+
--- /dev/null
+From e5ca4611a496a600331d0f1f396c6e5ea0d67bc1 Mon Sep 17 00:00:00 2001
+From: Zhao Qiang <qiang.zhao@nxp.com>
+Date: Thu, 1 Feb 2018 14:54:32 +0800
+Subject: soc: fsl: qe: Fix copy/paste bug in ucc_get_tdm_sync_shift()
+
+[ Upstream commit 96fc74333f84cfdf8d434c6c07254e215e2aad00 ]
+
+There is a copy and paste bug so we accidentally use the RX_ shift when
+we're in TX_ mode.
+
+Fixes: bb8b2062aff3 ("fsl/qe: setup clock source for TDM mode")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+(cherry picked from commit 3cb31b634052ed458922e0c8e2b4b093d7fb60b9)
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qe/ucc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/fsl/qe/ucc.c b/drivers/soc/fsl/qe/ucc.c
+index c646d8713861..681f7d4b7724 100644
+--- a/drivers/soc/fsl/qe/ucc.c
++++ b/drivers/soc/fsl/qe/ucc.c
+@@ -626,7 +626,7 @@ static u32 ucc_get_tdm_sync_shift(enum comm_dir mode, u32 tdm_num)
+ {
+ u32 shift;
+
+- shift = (mode == COMM_DIR_RX) ? RX_SYNC_SHIFT_BASE : RX_SYNC_SHIFT_BASE;
++ shift = (mode == COMM_DIR_RX) ? RX_SYNC_SHIFT_BASE : TX_SYNC_SHIFT_BASE;
+ shift -= tdm_num * 2;
+
+ return shift;
+--
+2.17.1
+
--- /dev/null
+From dad594e3b4862ec8e179767e08a32742f2c1dbce Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Thu, 15 Mar 2018 14:18:00 -0700
+Subject: sparc64: Fix regression in pmdp_invalidate().
+
+[ Upstream commit cfb61b5e3e09f8b49bc4d685429df75f45127adc ]
+
+pmdp_invalidate() was changed to update the pmd atomically
+(to not lose dirty/access bits) and return the original pmd
+value.
+
+However, in doing so, we lost a lot of the essential work that
+set_pmd_at() does, namely to update hugepage mapping counts and
+queuing up the batched TLB flush entry.
+
+Thus we were not flushing entries out of the TLB when making
+such PMD changes.
+
+Fix this by abstracting the accounting work of set_pmd_at() out into a
+separate function, and call it from pmdp_establish().
+
+Fixes: a8e654f01cb7 ("sparc64: update pmdp_invalidate() to return old pmd value")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/mm/tlb.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c
+index 847ddffbf38a..b5cfab711651 100644
+--- a/arch/sparc/mm/tlb.c
++++ b/arch/sparc/mm/tlb.c
+@@ -163,13 +163,10 @@ static void tlb_batch_pmd_scan(struct mm_struct *mm, unsigned long vaddr,
+ pte_unmap(pte);
+ }
+
+-void set_pmd_at(struct mm_struct *mm, unsigned long addr,
+- pmd_t *pmdp, pmd_t pmd)
+-{
+- pmd_t orig = *pmdp;
+-
+- *pmdp = pmd;
+
++static void __set_pmd_acct(struct mm_struct *mm, unsigned long addr,
++ pmd_t orig, pmd_t pmd)
++{
+ if (mm == &init_mm)
+ return;
+
+@@ -219,6 +216,15 @@ void set_pmd_at(struct mm_struct *mm, unsigned long addr,
+ }
+ }
+
++void set_pmd_at(struct mm_struct *mm, unsigned long addr,
++ pmd_t *pmdp, pmd_t pmd)
++{
++ pmd_t orig = *pmdp;
++
++ *pmdp = pmd;
++ __set_pmd_acct(mm, addr, orig, pmd);
++}
++
+ static inline pmd_t pmdp_establish(struct vm_area_struct *vma,
+ unsigned long address, pmd_t *pmdp, pmd_t pmd)
+ {
+@@ -227,6 +233,7 @@ static inline pmd_t pmdp_establish(struct vm_area_struct *vma,
+ do {
+ old = *pmdp;
+ } while (cmpxchg64(&pmdp->pmd, old.pmd, pmd.pmd) != old.pmd);
++ __set_pmd_acct(vma->vm_mm, address, old, pmd);
+
+ return old;
+ }
+--
+2.17.1
+
--- /dev/null
+From c1328329c97b585efd29a5d014528aa60396af9c Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:53 -0700
+Subject: sr9800: Check for supported Wake-on-LAN modes
+
+[ Upstream commit c5cb93e994ffb43b7b3b1ff10b9f928f54574a36 ]
+
+The driver currently silently accepts unsupported Wake-on-LAN modes
+(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
+which is confusing.
+
+Fixes: 19a38d8e0aa3 ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/sr9800.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c
+index 9277a0f228df..35f39f23d881 100644
+--- a/drivers/net/usb/sr9800.c
++++ b/drivers/net/usb/sr9800.c
+@@ -421,6 +421,9 @@ sr_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
+ struct usbnet *dev = netdev_priv(net);
+ u8 opt = 0;
+
++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
++ return -EINVAL;
++
+ if (wolinfo->wolopts & WAKE_PHY)
+ opt |= SR_MONITOR_LINK;
+ if (wolinfo->wolopts & WAKE_MAGIC)
+--
+2.17.1
+
--- /dev/null
+From b1871a8aec3c2583e6a2636d8f75c142a8921bc2 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 20 Mar 2018 09:58:51 -0300
+Subject: test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches
+
+[ Upstream commit 52fda36d63bfc8c8e8ae5eda8eb5ac6f52cd67ed ]
+
+Function bpf_fill_maxinsns11 is designed to not be able to be JITed on
+x86_64. So, it fails when CONFIG_BPF_JIT_ALWAYS_ON=y, and
+commit 09584b406742 ("bpf: fix selftests/bpf test_kmod.sh failure when
+CONFIG_BPF_JIT_ALWAYS_ON=y") makes sure that failure is detected on that
+case.
+
+However, it does not fail on other architectures, which have a different
+JIT compiler design. So, test_bpf has started to fail to load on those.
+
+After this fix, test_bpf loads fine on both x86_64 and ppc64el.
+
+Fixes: 09584b406742 ("bpf: fix selftests/bpf test_kmod.sh failure when CONFIG_BPF_JIT_ALWAYS_ON=y")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Reviewed-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_bpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/test_bpf.c b/lib/test_bpf.c
+index 64701b4c9900..75ebf2bbc2ee 100644
+--- a/lib/test_bpf.c
++++ b/lib/test_bpf.c
+@@ -5427,7 +5427,7 @@ static struct bpf_test tests[] = {
+ {
+ "BPF_MAXINSNS: Jump, gap, jump, ...",
+ { },
+-#ifdef CONFIG_BPF_JIT_ALWAYS_ON
++#if defined(CONFIG_BPF_JIT_ALWAYS_ON) && defined(CONFIG_X86)
+ CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL,
+ #else
+ CLASSIC | FLAG_NO_DATA,
+--
+2.17.1
+
--- /dev/null
+From 3bc9ad5b5151a933bcd0a45faebbc84c4b95d642 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Sun, 12 Nov 2017 14:54:23 -0800
+Subject: tools/testing/nvdimm: unit test clear-error commands
+
+[ Upstream commit fb2a1748355161e050e9f49f1ea9a0ae707a148b ]
+
+Validate command parsing in acpi_nfit_ctl for the clear error command.
+This tests for a crash condition introduced by commit 4b27db7e26cd
+"acpi, nfit: add support for the _LSI, _LSR, and _LSW label methods".
+
+Cc: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/nvdimm/test/nfit.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/tools/testing/nvdimm/test/nfit.c b/tools/testing/nvdimm/test/nfit.c
+index bef419d4266d..3ad0b3a3317b 100644
+--- a/tools/testing/nvdimm/test/nfit.c
++++ b/tools/testing/nvdimm/test/nfit.c
+@@ -1589,6 +1589,7 @@ static int nfit_ctl_test(struct device *dev)
+ unsigned long mask, cmd_size, offset;
+ union {
+ struct nd_cmd_get_config_size cfg_size;
++ struct nd_cmd_clear_error clear_err;
+ struct nd_cmd_ars_status ars_stat;
+ struct nd_cmd_ars_cap ars_cap;
+ char buf[sizeof(struct nd_cmd_ars_status)
+@@ -1767,6 +1768,23 @@ static int nfit_ctl_test(struct device *dev)
+ return -EIO;
+ }
+
++ /* test clear error */
++ cmd_size = sizeof(cmds.clear_err);
++ cmds.clear_err = (struct nd_cmd_clear_error) {
++ .length = 512,
++ .cleared = 512,
++ };
++ rc = setup_result(cmds.buf, cmd_size);
++ if (rc)
++ return rc;
++ rc = acpi_nfit_ctl(&acpi_desc->nd_desc, NULL, ND_CMD_CLEAR_ERROR,
++ cmds.buf, cmd_size, &cmd_rc);
++ if (rc < 0 || cmd_rc) {
++ dev_dbg(dev, "%s: failed at: %d rc: %d cmd_rc: %d\n",
++ __func__, __LINE__, rc, cmd_rc);
++ return -EIO;
++ }
++
+ return 0;
+ }
+
+--
+2.17.1
+
--- /dev/null
+From 9334f3f80ca3962589f1ab3627d2b0cedf9bfa39 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.vnet.ibm.com>
+Date: Mon, 2 Apr 2018 21:50:06 +0530
+Subject: tpm: move the delay_msec increment after sleep in tpm_transmit()
+
+[ Upstream commit 92980756979a9c51be0275f395f4e89c42cf199a ]
+
+Commit e2fb992d82c6 ("tpm: add retry logic") introduced a new loop to
+handle the TPM2_RC_RETRY error. The loop retries the command after
+sleeping for the specified time, which is incremented exponentially in
+every iteration.
+
+Unfortunately, the loop doubles the time before sleeping, causing the
+initial sleep to be doubled. This patch fixes the initial sleep time.
+
+Fixes: commit e2fb992d82c6 ("tpm: add retry logic")
+Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
+Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm-interface.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
+index a2070ab86c82..89d5915b1a3f 100644
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -611,12 +611,13 @@ ssize_t tpm_transmit(struct tpm_chip *chip, struct tpm_space *space,
+ rc = be32_to_cpu(header->return_code);
+ if (rc != TPM2_RC_RETRY)
+ break;
+- delay_msec *= 2;
++
+ if (delay_msec > TPM2_DURATION_LONG) {
+ dev_err(&chip->dev, "TPM is in retry loop\n");
+ break;
+ }
+ tpm_msleep(delay_msec);
++ delay_msec *= 2;
+ memcpy(buf, save, save_size);
+ }
+ return ret;
+--
+2.17.1
+
--- /dev/null
+From 2670a7d1a87458370ce0ed4ec3e9a1149dbef658 Mon Sep 17 00:00:00 2001
+From: "Winkler, Tomas" <tomas.winkler@intel.com>
+Date: Sat, 7 Apr 2018 19:12:36 +0300
+Subject: tpm: tpm_crb: relinquish locality on error path.
+
+[ Upstream commit 1fbad3028664e114d210dc65d768947a3a553eaa ]
+
+In crb_map_io() function, __crb_request_locality() is called prior
+to crb_cmd_ready(), but if one of the consecutive function fails
+the flow bails out instead of trying to relinquish locality.
+This patch adds goto jump to __crb_relinquish_locality() on the error path.
+
+Fixes: 888d867df441 (tpm: cmd_ready command can be issued only after granting locality)
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm_crb.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
+index 5c7ce5aaaf6f..b4ad169836e9 100644
+--- a/drivers/char/tpm/tpm_crb.c
++++ b/drivers/char/tpm/tpm_crb.c
+@@ -520,8 +520,10 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
+
+ priv->regs_t = crb_map_res(dev, priv, &io_res, buf->control_address,
+ sizeof(struct crb_regs_tail));
+- if (IS_ERR(priv->regs_t))
+- return PTR_ERR(priv->regs_t);
++ if (IS_ERR(priv->regs_t)) {
++ ret = PTR_ERR(priv->regs_t);
++ goto out_relinquish_locality;
++ }
+
+ /*
+ * PTT HW bug w/a: wake up the device to access
+@@ -529,7 +531,7 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
+ */
+ ret = __crb_cmd_ready(dev, priv);
+ if (ret)
+- return ret;
++ goto out_relinquish_locality;
+
+ pa_high = ioread32(&priv->regs_t->ctrl_cmd_pa_high);
+ pa_low = ioread32(&priv->regs_t->ctrl_cmd_pa_low);
+@@ -574,6 +576,8 @@ out:
+
+ __crb_go_idle(dev, priv);
+
++out_relinquish_locality:
++
+ __crb_relinquish_locality(dev, priv, 0);
+
+ return ret;
+--
+2.17.1
+
--- /dev/null
+From 947dc6d0315fec4fe932cff5334ecdf4435a4af6 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuahkh@osg.samsung.com>
+Date: Thu, 18 Jan 2018 17:25:30 -0700
+Subject: usbip: vhci_hcd: update 'status' file header and format
+
+[ Upstream commit 5468099c747240ed97dbb34340fece8ca87be34f ]
+
+Commit 2f2d0088eb93
+("usbip: prevent vhci_hcd driver from leaking a socket pointer address")
+in the /sys/devices/platform/vhci_hcd/status.
+
+Fix the header and field alignment to reflect the changes and make it
+easier to read.
+
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/usbip/vhci_sysfs.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c
+index 4a22a9f06d96..eb7898353457 100644
+--- a/drivers/usb/usbip/vhci_sysfs.c
++++ b/drivers/usb/usbip/vhci_sysfs.c
+@@ -34,10 +34,10 @@
+
+ /*
+ * output example:
+- * hub port sta spd dev sockfd local_busid
+- * hs 0000 004 000 00000000 3 1-2.3
++ * hub port sta spd dev sockfd local_busid
++ * hs 0000 004 000 00000000 000003 1-2.3
+ * ................................................
+- * ss 0008 004 000 00000000 4 2-3.4
++ * ss 0008 004 000 00000000 000004 2-3.4
+ * ................................................
+ *
+ * Output includes socket fd instead of socket pointer address to avoid
+@@ -61,13 +61,13 @@ static void port_show_vhci(char **out, int hub, int port, struct vhci_device *vd
+ if (vdev->ud.status == VDEV_ST_USED) {
+ *out += sprintf(*out, "%03u %08x ",
+ vdev->speed, vdev->devid);
+- *out += sprintf(*out, "%u %s",
++ *out += sprintf(*out, "%06u %s",
+ vdev->ud.sockfd,
+ dev_name(&vdev->udev->dev));
+
+ } else {
+ *out += sprintf(*out, "000 00000000 ");
+- *out += sprintf(*out, "0000000000000000 0-0");
++ *out += sprintf(*out, "000000 0-0");
+ }
+
+ *out += sprintf(*out, "\n");
+@@ -165,7 +165,7 @@ static ssize_t status_show(struct device *dev,
+ int pdev_nr;
+
+ out += sprintf(out,
+- "hub port sta spd dev socket local_busid\n");
++ "hub port sta spd dev sockfd local_busid\n");
+
+ pdev_nr = status_name_to_id(attr->attr.name);
+ if (pdev_nr < 0)
+--
+2.17.1
+
--- /dev/null
+From 9228f85982060b7a0740e6ae4df9228954787736 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 19 Sep 2018 13:35:53 +0300
+Subject: x86/paravirt: Fix some warning messages
+
+[ Upstream commit 571d0563c8881595f4ab027aef9ed1c55e3e7b7c ]
+
+The first argument to WARN_ONCE() is a condition.
+
+Fixes: 5800dc5c19f3 ("x86/paravirt: Fix spectre-v2 mitigations for paravirt guests")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Alok Kataria <akataria@vmware.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: virtualization@lists.linux-foundation.org
+Cc: kernel-janitors@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180919103553.GD9238@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/paravirt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c
+index f3559b84cd75..04da826381c9 100644
+--- a/arch/x86/kernel/paravirt.c
++++ b/arch/x86/kernel/paravirt.c
+@@ -90,7 +90,7 @@ unsigned paravirt_patch_call(void *insnbuf,
+
+ if (len < 5) {
+ #ifdef CONFIG_RETPOLINE
+- WARN_ONCE("Failing to patch indirect CALL in %ps\n", (void *)addr);
++ WARN_ONCE(1, "Failing to patch indirect CALL in %ps\n", (void *)addr);
+ #endif
+ return len; /* call too long for patch site */
+ }
+@@ -110,7 +110,7 @@ unsigned paravirt_patch_jmp(void *insnbuf, const void *target,
+
+ if (len < 5) {
+ #ifdef CONFIG_RETPOLINE
+- WARN_ONCE("Failing to patch indirect JMP in %ps\n", (void *)addr);
++ WARN_ONCE(1, "Failing to patch indirect JMP in %ps\n", (void *)addr);
+ #endif
+ return len; /* call too long for patch site */
+ }
+--
+2.17.1
+
--- /dev/null
+From 6d8e4b401a392f5a36b747c2763ec98aded49b36 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Thu, 30 Nov 2017 07:57:57 -0800
+Subject: x86/power: Fix some ordering bugs in __restore_processor_context()
+
+[ Upstream commit 5b06bbcfc2c621da3009da8decb7511500c293ed ]
+
+__restore_processor_context() had a couple of ordering bugs. It
+restored GSBASE after calling load_gs_index(), and the latter can
+call into tracing code. It also tried to restore segment registers
+before restoring the LDT, which is straight-up wrong.
+
+Reorder the code so that we restore GSBASE, then the descriptor
+tables, then the segments.
+
+This fixes two bugs. First, it fixes a regression that broke resume
+under certain configurations due to irqflag tracing in
+native_load_gs_index(). Second, it fixes resume when the userspace
+process that initiated suspect had funny segments. The latter can be
+reproduced by compiling this:
+
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * ldt_echo.c - Echo argv[1] while using an LDT segment
+ */
+
+int main(int argc, char **argv)
+{
+ int ret;
+ size_t len;
+ char *buf;
+
+ const struct user_desc desc = {
+ .entry_number = 0,
+ .base_addr = 0,
+ .limit = 0xfffff,
+ .seg_32bit = 1,
+ .contents = 0, /* Data, grow-up */
+ .read_exec_only = 0,
+ .limit_in_pages = 1,
+ .seg_not_present = 0,
+ .useable = 0
+ };
+
+ if (argc != 2)
+ errx(1, "Usage: %s STRING", argv[0]);
+
+ len = asprintf(&buf, "%s\n", argv[1]);
+ if (len < 0)
+ errx(1, "Out of memory");
+
+ ret = syscall(SYS_modify_ldt, 1, &desc, sizeof(desc));
+ if (ret < -1)
+ errno = -ret;
+ if (ret)
+ err(1, "modify_ldt");
+
+ asm volatile ("movw %0, %%es" :: "rm" ((unsigned short)7));
+ write(1, buf, len);
+ return 0;
+}
+
+and running ldt_echo >/sys/power/mem
+
+Without the fix, the latter causes a triple fault on resume.
+
+Fixes: ca37e57bbe0c ("x86/entry/64: Add missing irqflags tracing to native_load_gs_index()")
+Reported-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lkml.kernel.org/r/6b31721ea92f51ea839e79bd97ade4a75b1eeea2.1512057304.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/power/cpu.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
+index 04d5157fe7f8..a51d2dfb57d1 100644
+--- a/arch/x86/power/cpu.c
++++ b/arch/x86/power/cpu.c
+@@ -228,8 +228,20 @@ static void notrace __restore_processor_state(struct saved_context *ctxt)
+ load_idt((const struct desc_ptr *)&ctxt->idt_limit);
+ #endif
+
++#ifdef CONFIG_X86_64
+ /*
+- * segment registers
++ * We need GSBASE restored before percpu access can work.
++ * percpu access can happen in exception handlers or in complicated
++ * helpers like load_gs_index().
++ */
++ wrmsrl(MSR_GS_BASE, ctxt->gs_base);
++#endif
++
++ fix_processor_context();
++
++ /*
++ * Restore segment registers. This happens after restoring the GDT
++ * and LDT, which happen in fix_processor_context().
+ */
+ #ifdef CONFIG_X86_32
+ loadsegment(es, ctxt->es);
+@@ -250,13 +262,14 @@ static void notrace __restore_processor_state(struct saved_context *ctxt)
+ load_gs_index(ctxt->gs);
+ asm volatile ("movw %0, %%ss" :: "r" (ctxt->ss));
+
++ /*
++ * Restore FSBASE and user GSBASE after reloading the respective
++ * segment selectors.
++ */
+ wrmsrl(MSR_FS_BASE, ctxt->fs_base);
+- wrmsrl(MSR_GS_BASE, ctxt->gs_base);
+ wrmsrl(MSR_KERNEL_GS_BASE, ctxt->gs_kernel_base);
+ #endif
+
+- fix_processor_context();
+-
+ do_fpu_end();
+ tsc_verify_tsc_adjust(true);
+ x86_platform.restore_sched_clock_state();
+--
+2.17.1
+
--- /dev/null
+From 944fe4692c0ca713140780a335af17c0836f3d6e Mon Sep 17 00:00:00 2001
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Thu, 21 Jun 2018 14:00:20 +0100
+Subject: xen-netfront: Fix mismatched rtnl_unlock
+
+[ Upstream commit cb257783c2927b73614b20f915a91ff78aa6f3e8 ]
+
+Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
+Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netfront.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index ca239912c0e6..6ea95b316256 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -1824,7 +1824,7 @@ static int talk_to_netback(struct xenbus_device *dev,
+ err = xen_net_read_mac(dev, info->netdev->dev_addr);
+ if (err) {
+ xenbus_dev_fatal(dev, err, "parsing %s/mac", dev->nodename);
+- goto out;
++ goto out_unlocked;
+ }
+
+ rtnl_lock();
+@@ -1939,6 +1939,7 @@ abort_transaction_no_dev_fatal:
+ xennet_destroy_queues(info);
+ out:
+ rtnl_unlock();
++out_unlocked:
+ device_unregister(&dev->dev);
+ return err;
+ }
+--
+2.17.1
+
--- /dev/null
+From be7c28dc5af1c822e514f3abd56e57ef607fa6f8 Mon Sep 17 00:00:00 2001
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Thu, 21 Jun 2018 14:00:21 +0100
+Subject: xen-netfront: Update features after registering netdev
+
+[ Upstream commit 45c8184c1bed1ca8a7f02918552063a00b909bf5 ]
+
+Update the features after calling register_netdev() otherwise the
+device features are not set up correctly and it not possible to change
+the MTU of the device. After this change, the features reported by
+ethtool match the device's features before the commit which introduced
+the issue and it is possible to change the device's MTU.
+
+Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
+Reported-by: Liam Shepherd <liam@dancer.es>
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netfront.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index 1a40fc3517a8..ca239912c0e6 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -1964,10 +1964,6 @@ static int xennet_connect(struct net_device *dev)
+ /* talk_to_netback() sets the correct number of queues */
+ num_queues = dev->real_num_tx_queues;
+
+- rtnl_lock();
+- netdev_update_features(dev);
+- rtnl_unlock();
+-
+ if (dev->reg_state == NETREG_UNINITIALIZED) {
+ err = register_netdev(dev);
+ if (err) {
+@@ -1977,6 +1973,10 @@ static int xennet_connect(struct net_device *dev)
+ }
+ }
+
++ rtnl_lock();
++ netdev_update_features(dev);
++ rtnl_unlock();
++
+ /*
+ * All public and private state should now be sane. Get
+ * ready to start sending and receiving packets and give the driver
+--
+2.17.1
+
--- /dev/null
+From 42d70ec2c8ba528fb8e5c7fd7e53b5cb77999c3c Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Tue, 11 Sep 2018 10:31:15 +0200
+Subject: xfrm: Fix NULL pointer dereference when skb_dst_force clears the
+ dst_entry.
+
+[ Upstream commit 9e1437937807b0122e8da1ca8765be2adca9aee6 ]
+
+Since commit 222d7dbd258d ("net: prevent dst uses after free")
+skb_dst_force() might clear the dst_entry attached to the skb.
+The xfrm code don't expect this to happen, so we crash with
+a NULL pointer dereference in this case. Fix it by checking
+skb_dst(skb) for NULL after skb_dst_force() and drop the packet
+in cast the dst_entry was cleared.
+
+Fixes: 222d7dbd258d ("net: prevent dst uses after free")
+Reported-by: Tobias Hommel <netdev-list@genoetigt.de>
+Reported-by: Kristian Evensen <kristian.evensen@gmail.com>
+Reported-by: Wolfgang Walter <linux@stwm.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_output.c | 4 ++++
+ net/xfrm/xfrm_policy.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index 35610cc881a9..c47660fba498 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -101,6 +101,10 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
+ spin_unlock_bh(&x->lock);
+
+ skb_dst_force(skb);
++ if (!skb_dst(skb)) {
++ XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
++ goto error_nolock;
++ }
+
+ if (xfrm_offload(skb)) {
+ x->type_offload->encap(x, skb);
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 2fb7a78308e1..37c32e73aaef 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -2550,6 +2550,10 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
+ }
+
+ skb_dst_force(skb);
++ if (!skb_dst(skb)) {
++ XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
++ return 0;
++ }
+
+ dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE);
+ if (IS_ERR(dst)) {
+--
+2.17.1
+
--- /dev/null
+From 29eda3b79c74026362d846441993b6cefb06dfa0 Mon Sep 17 00:00:00 2001
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Date: Mon, 3 Sep 2018 04:36:53 -0700
+Subject: xfrm: reset crypto_done when iterating over multiple input xfrms
+
+[ Upstream commit 782710e333a526780d65918d669cb96646983ba2 ]
+
+We only support one offloaded xfrm (we do not have devices that
+can handle more than one offload), so reset crypto_done in
+xfrm_input() when iterating over multiple transforms in xfrm_input,
+so that we can invoke the appropriate x->type->input for the
+non-offloaded transforms
+
+Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
+Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_input.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
+index 9f492dc417d5..8e75319dd9c0 100644
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -453,6 +453,7 @@ resume:
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
+ goto drop;
+ }
++ crypto_done = false;
+ } while (!err);
+
+ err = xfrm_rcv_cb(skb, family, x->type->proto, 0);
+--
+2.17.1
+
--- /dev/null
+From 183d6a00329c68e35c04058968294bcc7b55b888 Mon Sep 17 00:00:00 2001
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Date: Mon, 3 Sep 2018 04:36:52 -0700
+Subject: xfrm: reset transport header back to network header after all input
+ transforms ahave been applied
+
+[ Upstream commit bfc0698bebcb16d19ecfc89574ad4d696955e5d3 ]
+
+A policy may have been set up with multiple transforms (e.g., ESP
+and ipcomp). In this situation, the ingress IPsec processing
+iterates in xfrm_input() and applies each transform in turn,
+processing the nexthdr to find any additional xfrm that may apply.
+
+This patch resets the transport header back to network header
+only after the last transformation so that subsequent xfrms
+can find the correct transport header.
+
+Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
+Suggested-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/xfrm4_input.c | 1 +
+ net/ipv4/xfrm4_mode_transport.c | 4 +---
+ net/ipv6/xfrm6_input.c | 1 +
+ net/ipv6/xfrm6_mode_transport.c | 4 +---
+ 4 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
+index bcfc00e88756..f8de2482a529 100644
+--- a/net/ipv4/xfrm4_input.c
++++ b/net/ipv4/xfrm4_input.c
+@@ -67,6 +67,7 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async)
+
+ if (xo && (xo->flags & XFRM_GRO)) {
+ skb_mac_header_rebuild(skb);
++ skb_reset_transport_header(skb);
+ return 0;
+ }
+
+diff --git a/net/ipv4/xfrm4_mode_transport.c b/net/ipv4/xfrm4_mode_transport.c
+index 3d36644890bb..1ad2c2c4e250 100644
+--- a/net/ipv4/xfrm4_mode_transport.c
++++ b/net/ipv4/xfrm4_mode_transport.c
+@@ -46,7 +46,6 @@ static int xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb)
+ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ int ihl = skb->data - skb_transport_header(skb);
+- struct xfrm_offload *xo = xfrm_offload(skb);
+
+ if (skb->transport_header != skb->network_header) {
+ memmove(skb_transport_header(skb),
+@@ -54,8 +53,7 @@ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ skb->network_header = skb->transport_header;
+ }
+ ip_hdr(skb)->tot_len = htons(skb->len + ihl);
+- if (!xo || !(xo->flags & XFRM_GRO))
+- skb_reset_transport_header(skb);
++ skb_reset_transport_header(skb);
+ return 0;
+ }
+
+diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
+index 841f4a07438e..9ef490dddcea 100644
+--- a/net/ipv6/xfrm6_input.c
++++ b/net/ipv6/xfrm6_input.c
+@@ -59,6 +59,7 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async)
+
+ if (xo && (xo->flags & XFRM_GRO)) {
+ skb_mac_header_rebuild(skb);
++ skb_reset_transport_header(skb);
+ return -1;
+ }
+
+diff --git a/net/ipv6/xfrm6_mode_transport.c b/net/ipv6/xfrm6_mode_transport.c
+index 9ad07a91708e..3c29da5defe6 100644
+--- a/net/ipv6/xfrm6_mode_transport.c
++++ b/net/ipv6/xfrm6_mode_transport.c
+@@ -51,7 +51,6 @@ static int xfrm6_transport_output(struct xfrm_state *x, struct sk_buff *skb)
+ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ int ihl = skb->data - skb_transport_header(skb);
+- struct xfrm_offload *xo = xfrm_offload(skb);
+
+ if (skb->transport_header != skb->network_header) {
+ memmove(skb_transport_header(skb),
+@@ -60,8 +59,7 @@ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ }
+ ipv6_hdr(skb)->payload_len = htons(skb->len + ihl -
+ sizeof(struct ipv6hdr));
+- if (!xo || !(xo->flags & XFRM_GRO))
+- skb_reset_transport_header(skb);
++ skb_reset_transport_header(skb);
+ return 0;
+ }
+
+--
+2.17.1
+
--- /dev/null
+From 7f57c55fc4ef3472efce83eaf1150debbbd91b02 Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Wed, 1 Aug 2018 13:45:11 +0200
+Subject: xfrm: Validate address prefix lengths in the xfrm selector.
+
+[ Upstream commit 07bf7908950a8b14e81aa1807e3c667eab39287a ]
+
+We don't validate the address prefix lengths in the xfrm
+selector we got from userspace. This can lead to undefined
+behaviour in the address matching functions if the prefix
+is too big for the given address family. Fix this by checking
+the prefixes and refuse SA/policy insertation when a prefix
+is invalid.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Air Icy <icytxw@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 5554d28a32eb..4292347bf45e 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -151,10 +151,16 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+ err = -EINVAL;
+ switch (p->family) {
+ case AF_INET:
++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
++ goto out;
++
+ break;
+
+ case AF_INET6:
+ #if IS_ENABLED(CONFIG_IPV6)
++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
++ goto out;
++
+ break;
+ #else
+ err = -EAFNOSUPPORT;
+@@ -1353,10 +1359,16 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
+
+ switch (p->sel.family) {
+ case AF_INET:
++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
++ return -EINVAL;
++
+ break;
+
+ case AF_INET6:
+ #if IS_ENABLED(CONFIG_IPV6)
++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
++ return -EINVAL;
++
+ break;
+ #else
+ return -EAFNOSUPPORT;
+--
+2.17.1
+
--- /dev/null
+From 365754580edf19e2bc47d3ba8ad64f7368d29618 Mon Sep 17 00:00:00 2001
+From: Sean Tranchetti <stranche@codeaurora.org>
+Date: Wed, 19 Sep 2018 13:54:56 -0600
+Subject: xfrm: validate template mode
+
+[ Upstream commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa ]
+
+XFRM mode parameters passed as part of the user templates
+in the IP_XFRM_POLICY are never properly validated. Passing
+values other than valid XFRM modes can cause stack-out-of-bounds
+reads to occur later in the XFRM processing:
+
+[ 140.535608] ================================================================
+[ 140.543058] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x17e4/0x1cc4
+[ 140.550306] Read of size 4 at addr ffffffc0238a7a58 by task repro/5148
+[ 140.557369]
+[ 140.558927] Call trace:
+[ 140.558936] dump_backtrace+0x0/0x388
+[ 140.558940] show_stack+0x24/0x30
+[ 140.558946] __dump_stack+0x24/0x2c
+[ 140.558949] dump_stack+0x8c/0xd0
+[ 140.558956] print_address_description+0x74/0x234
+[ 140.558960] kasan_report+0x240/0x264
+[ 140.558963] __asan_report_load4_noabort+0x2c/0x38
+[ 140.558967] xfrm_state_find+0x17e4/0x1cc4
+[ 140.558971] xfrm_resolve_and_create_bundle+0x40c/0x1fb8
+[ 140.558975] xfrm_lookup+0x238/0x1444
+[ 140.558977] xfrm_lookup_route+0x48/0x11c
+[ 140.558984] ip_route_output_flow+0x88/0xc4
+[ 140.558991] raw_sendmsg+0xa74/0x266c
+[ 140.558996] inet_sendmsg+0x258/0x3b0
+[ 140.559002] sock_sendmsg+0xbc/0xec
+[ 140.559005] SyS_sendto+0x3a8/0x5a8
+[ 140.559008] el0_svc_naked+0x34/0x38
+[ 140.559009]
+[ 140.592245] page dumped because: kasan: bad access detected
+[ 140.597981] page_owner info is not active (free page?)
+[ 140.603267]
+[ 140.653503] ================================================================
+
+Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 4292347bf45e..4e8319766f2b 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1449,6 +1449,9 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
+ (ut[i].family != prev_family))
+ return -EINVAL;
+
++ if (ut[i].mode >= XFRM_MODE_MAX)
++ return -EINVAL;
++
+ prev_family = ut[i].family;
+
+ switch (ut[i].family) {
+--
+2.17.1
+
--- /dev/null
+From 9ad83d055c6cb50a5d20d340a2e2755bb3acb9a5 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Fri, 31 Aug 2018 08:38:49 -0300
+Subject: xfrm6: call kfree_skb when skb is toobig
+
+[ Upstream commit 215ab0f021c9fea3c18b75e7d522400ee6a49990 ]
+
+After commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ("vti6: fix PMTU caching
+and reporting on xmit"), some too big skbs might be potentially passed down to
+__xfrm6_output, causing it to fail to transmit but not free the skb, causing a
+leak of skb, and consequentially a leak of dst references.
+
+After running pmtu.sh, that shows as failure to unregister devices in a namespace:
+
+[ 311.397671] unregister_netdevice: waiting for veth_b to become free. Usage count = 1
+
+The fix is to call kfree_skb in case of transmit failures.
+
+Fixes: dd767856a36e ("xfrm6: Don't call icmpv6_send on local error")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/xfrm6_output.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
+index 8ae87d4ec5ff..29dae7f2ff14 100644
+--- a/net/ipv6/xfrm6_output.c
++++ b/net/ipv6/xfrm6_output.c
+@@ -170,9 +170,11 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+
+ if (toobig && xfrm6_local_dontfrag(skb)) {
+ xfrm6_local_rxpmtu(skb, mtu);
++ kfree_skb(skb);
+ return -EMSGSIZE;
+ } else if (!skb->ignore_df && toobig && skb->sk) {
+ xfrm_local_error(skb, mtu);
++ kfree_skb(skb);
+ return -EMSGSIZE;
+ }
+
+--
+2.17.1
+
--- /dev/null
+From 18cdb1b4983079b867b1a279c76db160aeeeb1f5 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Fri, 5 Oct 2018 10:59:36 -0500
+Subject: yam: fix a missing-check bug
+
+[ Upstream commit 0781168e23a2fc8dceb989f11fc5b39b3ccacc35 ]
+
+In yam_ioctl(), the concrete ioctl command is firstly copied from the
+user-space buffer 'ifr->ifr_data' to 'ioctl_cmd' and checked through the
+following switch statement. If the command is not as expected, an error
+code EINVAL is returned. In the following execution the buffer
+'ifr->ifr_data' is copied again in the cases of the switch statement to
+specific data structures according to what kind of ioctl command is
+requested. However, after the second copy, no re-check is enforced on the
+newly-copied command. Given that the buffer 'ifr->ifr_data' is in the user
+space, a malicious user can race to change the command between the two
+copies. This way, the attacker can inject inconsistent data and cause
+undefined behavior.
+
+This patch adds a re-check in each case of the switch statement if there is
+a second copy in that case, to re-check whether the command obtained in the
+second copy is the same as the one in the first copy. If not, an error code
+EINVAL will be returned.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hamradio/yam.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/hamradio/yam.c b/drivers/net/hamradio/yam.c
+index 7a7c5224a336..16a6e1193912 100644
+--- a/drivers/net/hamradio/yam.c
++++ b/drivers/net/hamradio/yam.c
+@@ -980,6 +980,8 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+ sizeof(struct yamdrv_ioctl_mcs));
+ if (IS_ERR(ym))
+ return PTR_ERR(ym);
++ if (ym->cmd != SIOCYAMSMCS)
++ return -EINVAL;
+ if (ym->bitrate > YAM_MAXBITRATE) {
+ kfree(ym);
+ return -EINVAL;
+@@ -995,6 +997,8 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+ if (copy_from_user(&yi, ifr->ifr_data, sizeof(struct yamdrv_ioctl_cfg)))
+ return -EFAULT;
+
++ if (yi.cmd != SIOCYAMSCFG)
++ return -EINVAL;
+ if ((yi.cfg.mask & YAM_IOBASE) && netif_running(dev))
+ return -EINVAL; /* Cannot change this parameter when up */
+ if ((yi.cfg.mask & YAM_IRQ) && netif_running(dev))
+--
+2.17.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
