--- /dev/null
+From foo@baz Thu Oct 4 12:43:46 PDT 2018
+From: Arunk Khandavalli <akhandav@codeaurora.org>
+Date: Thu, 30 Aug 2018 00:40:16 +0300
+Subject: cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE
+
+From: Arunk Khandavalli <akhandav@codeaurora.org>
+
+[ Upstream commit 4f0223bfe9c3e62d8f45a85f1ef1b18a8a263ef9 ]
+
+nl80211_update_ft_ies() tried to validate NL80211_ATTR_IE with
+is_valid_ie_attr() before dereferencing it, but that helper function
+returns true in case of NULL pointer (i.e., attribute not included).
+This can result to dereferencing a NULL pointer. Fix that by explicitly
+checking that NL80211_ATTR_IE is included.
+
+Fixes: 355199e02b83 ("cfg80211: Extend support for IEEE 802.11r Fast BSS Transition")
+Signed-off-by: Arunk Khandavalli <akhandav@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/nl80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -9223,6 +9223,7 @@ static int nl80211_update_ft_ies(struct
+ return -EOPNOTSUPP;
+
+ if (!info->attrs[NL80211_ATTR_MDID] ||
++ !info->attrs[NL80211_ATTR_IE] ||
+ !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
+ return -EINVAL;
+
--- /dev/null
+From foo@baz Thu Oct 4 12:43:46 PDT 2018
+From: Jon Kuhn <jkuhn@barracuda.com>
+Date: Mon, 9 Jul 2018 14:33:14 +0000
+Subject: fs/cifs: don't translate SFM_SLASH (U+F026) to backslash
+
+From: Jon Kuhn <jkuhn@barracuda.com>
+
+[ Upstream commit c15e3f19a6d5c89b1209dc94b40e568177cb0921 ]
+
+When a Mac client saves an item containing a backslash to a file server
+the backslash is represented in the CIFS/SMB protocol as as U+F026.
+Before this change, listing a directory containing an item with a
+backslash in its name will return that item with the backslash
+represented with a true backslash character (U+005C) because
+convert_sfm_character mapped U+F026 to U+005C when interpretting the
+CIFS/SMB protocol response. However, attempting to open or stat the
+path using a true backslash will result in an error because
+convert_to_sfm_char does not map U+005C back to U+F026 causing the
+CIFS/SMB request to be made with the backslash represented as U+005C.
+
+This change simply prevents the U+F026 to U+005C conversion from
+happenning. This is analogous to how the code does not do any
+translation of UNI_SLASH (U+F000).
+
+Signed-off-by: Jon Kuhn <jkuhn@barracuda.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifs_unicode.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/fs/cifs/cifs_unicode.c
++++ b/fs/cifs/cifs_unicode.c
+@@ -136,9 +136,6 @@ convert_sfm_char(const __u16 src_char, c
+ case SFM_LESSTHAN:
+ *target = '<';
+ break;
+- case SFM_SLASH:
+- *target = '\\';
+- break;
+ case SFM_SPACE:
+ *target = ' ';
+ break;
--- /dev/null
+From foo@baz Thu Oct 4 12:43:46 PDT 2018
+From: Michael Hennerich <michael.hennerich@analog.com>
+Date: Mon, 13 Aug 2018 15:57:44 +0200
+Subject: gpio: adp5588: Fix sleep-in-atomic-context bug
+
+From: Michael Hennerich <michael.hennerich@analog.com>
+
+[ Upstream commit 6537886cdc9a637711fd6da980dbb87c2c87c9aa ]
+
+This fixes:
+[BUG] gpio: gpio-adp5588: A possible sleep-in-atomic-context bug
+ in adp5588_gpio_write()
+[BUG] gpio: gpio-adp5588: A possible sleep-in-atomic-context bug
+ in adp5588_gpio_direction_input()
+
+Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-adp5588.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpio/gpio-adp5588.c
++++ b/drivers/gpio/gpio-adp5588.c
+@@ -41,6 +41,8 @@ struct adp5588_gpio {
+ uint8_t int_en[3];
+ uint8_t irq_mask[3];
+ uint8_t irq_stat[3];
++ uint8_t int_input_en[3];
++ uint8_t int_lvl_cached[3];
+ };
+
+ static int adp5588_gpio_read(struct i2c_client *client, u8 reg)
+@@ -177,12 +179,28 @@ static void adp5588_irq_bus_sync_unlock(
+ struct adp5588_gpio *dev = irq_data_get_irq_chip_data(d);
+ int i;
+
+- for (i = 0; i <= ADP5588_BANK(ADP5588_MAXGPIO); i++)
++ for (i = 0; i <= ADP5588_BANK(ADP5588_MAXGPIO); i++) {
++ if (dev->int_input_en[i]) {
++ mutex_lock(&dev->lock);
++ dev->dir[i] &= ~dev->int_input_en[i];
++ dev->int_input_en[i] = 0;
++ adp5588_gpio_write(dev->client, GPIO_DIR1 + i,
++ dev->dir[i]);
++ mutex_unlock(&dev->lock);
++ }
++
++ if (dev->int_lvl_cached[i] != dev->int_lvl[i]) {
++ dev->int_lvl_cached[i] = dev->int_lvl[i];
++ adp5588_gpio_write(dev->client, GPIO_INT_LVL1 + i,
++ dev->int_lvl[i]);
++ }
++
+ if (dev->int_en[i] ^ dev->irq_mask[i]) {
+ dev->int_en[i] = dev->irq_mask[i];
+ adp5588_gpio_write(dev->client, GPIO_INT_EN1 + i,
+ dev->int_en[i]);
+ }
++ }
+
+ mutex_unlock(&dev->irq_lock);
+ }
+@@ -225,9 +243,7 @@ static int adp5588_irq_set_type(struct i
+ else
+ return -EINVAL;
+
+- adp5588_gpio_direction_input(&dev->gpio_chip, gpio);
+- adp5588_gpio_write(dev->client, GPIO_INT_LVL1 + bank,
+- dev->int_lvl[bank]);
++ dev->int_input_en[bank] |= bit;
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Oct 4 12:43:46 PDT 2018
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Mon, 20 Aug 2018 16:05:45 +1000
+Subject: KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate function
+
+From: Paul Mackerras <paulus@ozlabs.org>
+
+[ Upstream commit 46dec40fb741f00f1864580130779aeeaf24fb3d ]
+
+This fixes a bug which causes guest virtual addresses to get translated
+to guest real addresses incorrectly when the guest is using the HPT MMU
+and has more than 256GB of RAM, or more specifically has a HPT larger
+than 2GB. This has showed up in testing as a failure of the host to
+emulate doorbell instructions correctly on POWER9 for HPT guests with
+more than 256GB of RAM.
+
+The bug is that the HPTE index in kvmppc_mmu_book3s_64_hv_xlate()
+is stored as an int, and in forming the HPTE address, the index gets
+shifted left 4 bits as an int before being signed-extended to 64 bits.
+The simple fix is to make the variable a long int, matching the
+return type of kvmppc_hv_find_lock_hpte(), which is what calculates
+the index.
+
+Fixes: 697d3899dcb4 ("KVM: PPC: Implement MMIO emulation support for Book3S HV guests")
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kvm/book3s_64_mmu_hv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kvm/book3s_64_mmu_hv.c
++++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c
+@@ -449,7 +449,7 @@ static int kvmppc_mmu_book3s_64_hv_xlate
+ unsigned long pp, key;
+ unsigned long v, gr;
+ __be64 *hptep;
+- int index;
++ long int index;
+ int virtmode = vcpu->arch.shregs.msr & (data ? MSR_DR : MSR_IR);
+
+ /* Get SLB entry */
--- /dev/null
+From foo@baz Thu Oct 4 12:43:46 PDT 2018
+From: Danek Duvall <duvall@comfychair.org>
+Date: Wed, 22 Aug 2018 16:01:04 -0700
+Subject: mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X
+
+From: Danek Duvall <duvall@comfychair.org>
+
+[ Upstream commit 67d1ba8a6dc83d90cd58b89fa6cbf9ae35a0cf7f ]
+
+The mod mask for VHT capabilities intends to say that you can override
+the number of STBC receive streams, and it does, but only by accident.
+The IEEE80211_VHT_CAP_RXSTBC_X aren't bits to be set, but values (albeit
+left-shifted). ORing the bits together gets the right answer, but we
+should use the _MASK macro here instead.
+
+Signed-off-by: Danek Duvall <duvall@comfychair.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/main.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -465,10 +465,7 @@ static const struct ieee80211_vht_cap ma
+ cpu_to_le32(IEEE80211_VHT_CAP_RXLDPC |
+ IEEE80211_VHT_CAP_SHORT_GI_80 |
+ IEEE80211_VHT_CAP_SHORT_GI_160 |
+- IEEE80211_VHT_CAP_RXSTBC_1 |
+- IEEE80211_VHT_CAP_RXSTBC_2 |
+- IEEE80211_VHT_CAP_RXSTBC_3 |
+- IEEE80211_VHT_CAP_RXSTBC_4 |
++ IEEE80211_VHT_CAP_RXSTBC_MASK |
+ IEEE80211_VHT_CAP_TXSTBC |
+ IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE |
+ IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE |
--- /dev/null
+From foo@baz Thu Oct 4 12:43:46 PDT 2018
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Fri, 31 Aug 2018 11:31:06 +0300
+Subject: mac80211: fix a race between restart and CSA flows
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit f3ffb6c3a28963657eb8b02a795d75f2ebbd5ef4 ]
+
+We hit a problem with iwlwifi that was caused by a bug in
+mac80211. A bug in iwlwifi caused the firwmare to crash in
+certain cases in channel switch. Because of that bug,
+drv_pre_channel_switch would fail and trigger the restart
+flow.
+Now we had the hw restart worker which runs on the system's
+workqueue and the csa_connection_drop_work worker that runs
+on mac80211's workqueue that can run together. This is
+obviously problematic since the restart work wants to
+reconfigure the connection, while the csa_connection_drop_work
+worker does the exact opposite: it tries to disconnect.
+
+Fix this by cancelling the csa_connection_drop_work worker
+in the restart worker.
+
+Note that this can sound racy: we could have:
+
+driver iface_work CSA_work restart_work
++++++++++++++++++++++++++++++++++++++++++++++
+ |
+ <--drv_cs ---|
+<FW CRASH!>
+-CS FAILED-->
+ | |
+ | cancel_work(CSA)
+ schedule |
+ CSA work |
+ | |
+ Race between those 2
+
+But this is not possible because we flush the workqueue
+in the restart worker before we cancel the CSA worker.
+That would be bullet proof if we could guarantee that
+we schedule the CSA worker only from the iface_work
+which runs on the workqueue (and not on the system's
+workqueue), but unfortunately we do have an instance
+in which we schedule the CSA work outside the context
+of the workqueue (ieee80211_chswitch_done).
+
+Note also that we should probably cancel other workers
+like beacon_connection_loss_work and possibly others
+for different types of interfaces, at the very least,
+IBSS should suffer from the exact same problem, but for
+now, do the minimum to fix the actual bug that was actually
+experienced and reproduced.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/main.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -258,8 +258,27 @@ static void ieee80211_restart_work(struc
+ "%s called with hardware scan in progress\n", __func__);
+
+ rtnl_lock();
+- list_for_each_entry(sdata, &local->interfaces, list)
++ list_for_each_entry(sdata, &local->interfaces, list) {
++ /*
++ * XXX: there may be more work for other vif types and even
++ * for station mode: a good thing would be to run most of
++ * the iface type's dependent _stop (ieee80211_mg_stop,
++ * ieee80211_ibss_stop) etc...
++ * For now, fix only the specific bug that was seen: race
++ * between csa_connection_drop_work and us.
++ */
++ if (sdata->vif.type == NL80211_IFTYPE_STATION) {
++ /*
++ * This worker is scheduled from the iface worker that
++ * runs on mac80211's workqueue, so we can't be
++ * scheduling this worker after the cancel right here.
++ * The exception is ieee80211_chswitch_done.
++ * Then we can have a race...
++ */
++ cancel_work_sync(&sdata->u.mgd.csa_connection_drop_work);
++ }
+ flush_delayed_work(&sdata->dec_tailroom_needed_wk);
++ }
+ ieee80211_scan_cancel(local);
+ ieee80211_reconfig(local);
+ rtnl_unlock();
--- /dev/null
+From foo@baz Thu Oct 4 12:43:46 PDT 2018
+From: Ilan Peer <ilan.peer@intel.com>
+Date: Fri, 31 Aug 2018 11:31:10 +0300
+Subject: mac80211: Fix station bandwidth setting after channel switch
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit 0007e94355fdb71a1cf5dba0754155cba08f0666 ]
+
+When performing a channel switch flow for a managed interface, the
+flow did not update the bandwidth of the AP station and the rate
+scale algorithm. In case of a channel width downgrade, this would
+result with the rate scale algorithm using a bandwidth that does not
+match the interface channel configuration.
+
+Fix this by updating the AP station bandwidth and rate scaling algorithm
+before the actual channel change in case of a bandwidth downgrade, or
+after the actual channel change in case of a bandwidth upgrade.
+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mlme.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -970,6 +970,10 @@ static void ieee80211_chswitch_work(stru
+ */
+
+ if (sdata->reserved_chanctx) {
++ struct ieee80211_supported_band *sband = NULL;
++ struct sta_info *mgd_sta = NULL;
++ enum ieee80211_sta_rx_bandwidth bw = IEEE80211_STA_RX_BW_20;
++
+ /*
+ * with multi-vif csa driver may call ieee80211_csa_finish()
+ * many times while waiting for other interfaces to use their
+@@ -978,6 +982,48 @@ static void ieee80211_chswitch_work(stru
+ if (sdata->reserved_ready)
+ goto out;
+
++ if (sdata->vif.bss_conf.chandef.width !=
++ sdata->csa_chandef.width) {
++ /*
++ * For managed interface, we need to also update the AP
++ * station bandwidth and align the rate scale algorithm
++ * on the bandwidth change. Here we only consider the
++ * bandwidth of the new channel definition (as channel
++ * switch flow does not have the full HT/VHT/HE
++ * information), assuming that if additional changes are
++ * required they would be done as part of the processing
++ * of the next beacon from the AP.
++ */
++ switch (sdata->csa_chandef.width) {
++ case NL80211_CHAN_WIDTH_20_NOHT:
++ case NL80211_CHAN_WIDTH_20:
++ default:
++ bw = IEEE80211_STA_RX_BW_20;
++ break;
++ case NL80211_CHAN_WIDTH_40:
++ bw = IEEE80211_STA_RX_BW_40;
++ break;
++ case NL80211_CHAN_WIDTH_80:
++ bw = IEEE80211_STA_RX_BW_80;
++ break;
++ case NL80211_CHAN_WIDTH_80P80:
++ case NL80211_CHAN_WIDTH_160:
++ bw = IEEE80211_STA_RX_BW_160;
++ break;
++ }
++
++ mgd_sta = sta_info_get(sdata, ifmgd->bssid);
++ sband =
++ local->hw.wiphy->bands[sdata->csa_chandef.chan->band];
++ }
++
++ if (sdata->vif.bss_conf.chandef.width >
++ sdata->csa_chandef.width) {
++ mgd_sta->sta.bandwidth = bw;
++ rate_control_rate_update(local, sband, mgd_sta,
++ IEEE80211_RC_BW_CHANGED);
++ }
++
+ ret = ieee80211_vif_use_reserved_context(sdata);
+ if (ret) {
+ sdata_info(sdata,
+@@ -988,6 +1034,13 @@ static void ieee80211_chswitch_work(stru
+ goto out;
+ }
+
++ if (sdata->vif.bss_conf.chandef.width <
++ sdata->csa_chandef.width) {
++ mgd_sta->sta.bandwidth = bw;
++ rate_control_rate_update(local, sband, mgd_sta,
++ IEEE80211_RC_BW_CHANGED);
++ }
++
+ goto out;
+ }
+
--- /dev/null
+From foo@baz Thu Oct 4 12:43:46 PDT 2018
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Fri, 31 Aug 2018 11:31:13 +0300
+Subject: mac80211: shorten the IBSS debug messages
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit c6e57b3896fc76299913b8cfd82d853bee8a2c84 ]
+
+When tracing is enabled, all the debug messages are recorded and must
+not exceed MAX_MSG_LEN (100) columns. Longer debug messages grant the
+user with:
+
+WARNING: CPU: 3 PID: 32642 at /tmp/wifi-core-20180806094828/src/iwlwifi-stack-dev/net/mac80211/./trace_msg.h:32 trace_event_raw_event_mac80211_msg_event+0xab/0xc0 [mac80211]
+Workqueue: phy1 ieee80211_iface_work [mac80211]
+ RIP: 0010:trace_event_raw_event_mac80211_msg_event+0xab/0xc0 [mac80211]
+ Call Trace:
+ __sdata_dbg+0xbd/0x120 [mac80211]
+ ieee80211_ibss_rx_queued_mgmt+0x15f/0x510 [mac80211]
+ ieee80211_iface_work+0x21d/0x320 [mac80211]
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/ibss.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -944,8 +944,8 @@ static void ieee80211_rx_mgmt_deauth_ibs
+ if (len < IEEE80211_DEAUTH_FRAME_LEN)
+ return;
+
+- ibss_dbg(sdata, "RX DeAuth SA=%pM DA=%pM BSSID=%pM (reason: %d)\n",
+- mgmt->sa, mgmt->da, mgmt->bssid, reason);
++ ibss_dbg(sdata, "RX DeAuth SA=%pM DA=%pM\n", mgmt->sa, mgmt->da);
++ ibss_dbg(sdata, "\tBSSID=%pM (reason: %d)\n", mgmt->bssid, reason);
+ sta_info_destroy_addr(sdata, mgmt->sa);
+ }
+
+@@ -963,9 +963,9 @@ static void ieee80211_rx_mgmt_auth_ibss(
+ auth_alg = le16_to_cpu(mgmt->u.auth.auth_alg);
+ auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction);
+
+- ibss_dbg(sdata,
+- "RX Auth SA=%pM DA=%pM BSSID=%pM (auth_transaction=%d)\n",
+- mgmt->sa, mgmt->da, mgmt->bssid, auth_transaction);
++ ibss_dbg(sdata, "RX Auth SA=%pM DA=%pM\n", mgmt->sa, mgmt->da);
++ ibss_dbg(sdata, "\tBSSID=%pM (auth_transaction=%d)\n",
++ mgmt->bssid, auth_transaction);
+
+ if (auth_alg != WLAN_AUTH_OPEN || auth_transaction != 1)
+ return;
+@@ -1130,10 +1130,10 @@ static void ieee80211_rx_bss_info(struct
+ rx_timestamp = drv_get_tsf(local, sdata);
+ }
+
+- ibss_dbg(sdata,
+- "RX beacon SA=%pM BSSID=%pM TSF=0x%llx BCN=0x%llx diff=%lld @%lu\n",
++ ibss_dbg(sdata, "RX beacon SA=%pM BSSID=%pM TSF=0x%llx\n",
+ mgmt->sa, mgmt->bssid,
+- (unsigned long long)rx_timestamp,
++ (unsigned long long)rx_timestamp);
++ ibss_dbg(sdata, "\tBCN=0x%llx diff=%lld @%lu\n",
+ (unsigned long long)beacon_timestamp,
+ (unsigned long long)(rx_timestamp - beacon_timestamp),
+ jiffies);
+@@ -1414,9 +1414,9 @@ static void ieee80211_rx_mgmt_probe_req(
+
+ tx_last_beacon = drv_tx_last_beacon(local);
+
+- ibss_dbg(sdata,
+- "RX ProbeReq SA=%pM DA=%pM BSSID=%pM (tx_last_beacon=%d)\n",
+- mgmt->sa, mgmt->da, mgmt->bssid, tx_last_beacon);
++ ibss_dbg(sdata, "RX ProbeReq SA=%pM DA=%pM\n", mgmt->sa, mgmt->da);
++ ibss_dbg(sdata, "\tBSSID=%pM (tx_last_beacon=%d)\n",
++ mgmt->bssid, tx_last_beacon);
+
+ if (!tx_last_beacon && is_multicast_ether_addr(mgmt->da))
+ return;
--- /dev/null
+From foo@baz Thu Oct 4 12:43:46 PDT 2018
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Sat, 1 Sep 2018 20:11:05 +0800
+Subject: net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 16fe10cf92783ed9ceb182d6ea2b8adf5e8ec1b8 ]
+
+The kernel module may sleep with holding a spinlock.
+
+The function call paths (from bottom to top) in Linux-4.16 are:
+
+[FUNC] usleep_range
+drivers/net/ethernet/cadence/macb_main.c, 648:
+ usleep_range in macb_halt_tx
+drivers/net/ethernet/cadence/macb_main.c, 730:
+ macb_halt_tx in macb_tx_error_task
+drivers/net/ethernet/cadence/macb_main.c, 721:
+ _raw_spin_lock_irqsave in macb_tx_error_task
+
+To fix this bug, usleep_range() is replaced with udelay().
+
+This bug is found by my static analysis tool DSAC.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cadence/macb.c
++++ b/drivers/net/ethernet/cadence/macb.c
+@@ -464,7 +464,7 @@ static int macb_halt_tx(struct macb *bp)
+ if (!(status & MACB_BIT(TGO)))
+ return 0;
+
+- usleep_range(10, 250);
++ udelay(250);
+ } while (time_before(halt_time, timeout));
+
+ return -ETIMEDOUT;
--- /dev/null
+From foo@baz Thu Oct 4 12:43:46 PDT 2018
+From: Tony Lindgren <tony@atomide.com>
+Date: Wed, 29 Aug 2018 08:00:24 -0700
+Subject: net: ethernet: cpsw-phy-sel: prefer phandle for phy sel
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 18eb8aea7fb2fb4490e578b1b8a1096c34b2fc48 ]
+
+The cpsw-phy-sel device is not a child of the cpsw interconnect target
+module. It lives in the system control module.
+
+Let's fix this issue by trying to use cpsw-phy-sel phandle first if it
+exists and if not fall back to current usage of trying to find the
+cpsw-phy-sel child. That way the phy sel driver can be a child of the
+system control module where it belongs in the device tree.
+
+Without this fix, we cannot have a proper interconnect target module
+hierarchy in device tree for things like genpd.
+
+Note that deferred probe is mostly not supported by cpsw and this patch
+does not attempt to fix that. In case deferred probe support is needed,
+this could be added to cpsw_slave_open() and phy_connect() so they start
+handling and returning errors.
+
+For documenting it, looks like the cpsw-phy-sel is used for all cpsw device
+tree nodes. It's missing the related binding documentation, so let's also
+update the binding documentation accordingly.
+
+Cc: devicetree@vger.kernel.org
+Cc: Andrew Lunn <andrew@lunn.ch>
+Cc: Grygorii Strashko <grygorii.strashko@ti.com>
+Cc: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Murali Karicheri <m-karicheri2@ti.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/cpsw-phy-sel.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/ti/cpsw-phy-sel.c
++++ b/drivers/net/ethernet/ti/cpsw-phy-sel.c
+@@ -145,10 +145,13 @@ void cpsw_phy_sel(struct device *dev, ph
+ struct device_node *node;
+ struct cpsw_phy_sel_priv *priv;
+
+- node = of_get_child_by_name(dev->of_node, "cpsw-phy-sel");
++ node = of_parse_phandle(dev->of_node, "cpsw-phy-sel", 0);
+ if (!node) {
+- dev_err(dev, "Phy mode driver DT not found\n");
+- return;
++ node = of_get_child_by_name(dev->of_node, "cpsw-phy-sel");
++ if (!node) {
++ dev_err(dev, "Phy mode driver DT not found\n");
++ return;
++ }
+ }
+
+ dev = bus_find_device(&platform_bus_type, NULL, node, match);
--- /dev/null
+From foo@baz Thu Oct 4 12:43:46 PDT 2018
+From: Xiao Ni <xni@redhat.com>
+Date: Thu, 30 Aug 2018 15:57:09 +0800
+Subject: RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0
+
+From: Xiao Ni <xni@redhat.com>
+
+[ Upstream commit 1d0ffd264204eba1861865560f1f7f7a92919384 ]
+
+In raid10 reshape_request it gets max_sectors in read_balance. If the underlayer disks
+have bad blocks, the max_sectors is less than last. It will call goto read_more many
+times. It calls raise_barrier(conf, sectors_done != 0) every time. In this condition
+sectors_done is not 0. So the value passed to the argument force of raise_barrier is
+true.
+
+In raise_barrier it checks conf->barrier when force is true. If force is true and
+conf->barrier is 0, it panic. In this case reshape_request submits bio to under layer
+disks. And in the callback function of the bio it calls lower_barrier. If the bio
+finishes before calling raise_barrier again, it can trigger the BUG_ON.
+
+Add one pair of raise_barrier/lower_barrier to fix this bug.
+
+Signed-off-by: Xiao Ni <xni@redhat.com>
+Suggested-by: Neil Brown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid10.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -4423,11 +4423,12 @@ static sector_t reshape_request(struct m
+ allow_barrier(conf);
+ }
+
++ raise_barrier(conf, 0);
+ read_more:
+ /* Now schedule reads for blocks from sector_nr to last */
+ r10_bio = mempool_alloc(conf->r10buf_pool, GFP_NOIO);
+ r10_bio->state = 0;
+- raise_barrier(conf, sectors_done != 0);
++ raise_barrier(conf, 1);
+ atomic_set(&r10_bio->remaining, 0);
+ r10_bio->mddev = mddev;
+ r10_bio->sector = sector_nr;
+@@ -4532,6 +4533,8 @@ bio_full:
+ if (sector_nr <= last)
+ goto read_more;
+
++ lower_barrier(conf);
++
+ /* Now that we have done the whole section we can
+ * update reshape_progress
+ */
hwmon-adt7475-make-adt7475_read_word-return-errors.patch
arm64-kvm-sanitize-pstate.m-when-being-set-from-userspace.patch
media-v4l-event-prevent-freeing-event-subscriptions-while-accessed.patch
+kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch
+mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch
+gpio-adp5588-fix-sleep-in-atomic-context-bug.patch
+cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch
+raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch
+net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch
+net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch
+fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch
+mac80211-fix-a-race-between-restart-and-csa-flows.patch
+mac80211-fix-station-bandwidth-setting-after-channel-switch.patch
+mac80211-shorten-the-ibss-debug-messages.patch
+tools-vm-slabinfo.c-fix-sign-compare-warning.patch
+tools-vm-page-types.c-fix-defined-but-not-used-warning.patch
--- /dev/null
+From foo@baz Thu Oct 4 12:43:46 PDT 2018
+From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Date: Tue, 4 Sep 2018 15:45:51 -0700
+Subject: tools/vm/page-types.c: fix "defined but not used" warning
+
+From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+
+[ Upstream commit 7ab660f8baecfe26c1c267fa8e64d2073feae2bb ]
+
+debugfs_known_mountpoints[] is not used any more, so let's remove it.
+
+Link: http://lkml.kernel.org/r/1535102651-19418-1-git-send-email-n-horiguchi@ah.jp.nec.com
+Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/vm/page-types.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/tools/vm/page-types.c
++++ b/tools/vm/page-types.c
+@@ -151,12 +151,6 @@ static const char * const page_flag_name
+ };
+
+
+-static const char * const debugfs_known_mountpoints[] = {
+- "/sys/kernel/debug",
+- "/debug",
+- 0,
+-};
+-
+ /*
+ * data structures
+ */
--- /dev/null
+From foo@baz Thu Oct 4 12:43:46 PDT 2018
+From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Date: Tue, 4 Sep 2018 15:45:48 -0700
+Subject: tools/vm/slabinfo.c: fix sign-compare warning
+
+From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+
+[ Upstream commit 904506562e0856f2535d876407d087c9459d345b ]
+
+Currently we get the following compiler warning:
+
+ slabinfo.c:854:22: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
+ if (s->object_size < min_objsize)
+ ^
+
+due to the mismatch of signed/unsigned comparison. ->object_size and
+->slab_size are never expected to be negative, so let's define them as
+unsigned int.
+
+[n-horiguchi@ah.jp.nec.com: convert everything - none of these can be negative]
+ Link: http://lkml.kernel.org/r/20180826234947.GA9787@hori1.linux.bs1.fc.nec.co.jp
+Link: http://lkml.kernel.org/r/1535103134-20239-1-git-send-email-n-horiguchi@ah.jp.nec.com
+Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/vm/slabinfo.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/vm/slabinfo.c
++++ b/tools/vm/slabinfo.c
+@@ -29,8 +29,8 @@ struct slabinfo {
+ int alias;
+ int refs;
+ int aliases, align, cache_dma, cpu_slabs, destroy_by_rcu;
+- int hwcache_align, object_size, objs_per_slab;
+- int sanity_checks, slab_size, store_user, trace;
++ unsigned int hwcache_align, object_size, objs_per_slab;
++ unsigned int sanity_checks, slab_size, store_user, trace;
+ int order, poison, reclaim_account, red_zone;
+ unsigned long partial, objects, slabs, objects_partial, objects_total;
+ unsigned long alloc_fastpath, alloc_slowpath;
projects / thirdparty / kernel / stable-queue.git / commitdiff
