--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Thu, 26 Jul 2018 20:16:35 -0700
+Subject: arc: fix build errors in arc/include/asm/delay.h
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 2423665ec53f2a29191b35382075e9834288a975 ]
+
+Fix build errors in arch/arc/'s delay.h:
+- add "extern unsigned long loops_per_jiffy;"
+- add <asm-generic/types.h> for "u64"
+
+In file included from ../drivers/infiniband/hw/cxgb3/cxio_hal.c:32:
+../arch/arc/include/asm/delay.h: In function '__udelay':
+../arch/arc/include/asm/delay.h:61:12: error: 'u64' undeclared (first use in this function)
+ loops = ((u64) usecs * 4295 * HZ * loops_per_jiffy) >> 32;
+ ^~~
+
+In file included from ../drivers/infiniband/hw/cxgb3/cxio_hal.c:32:
+../arch/arc/include/asm/delay.h: In function '__udelay':
+../arch/arc/include/asm/delay.h:63:37: error: 'loops_per_jiffy' undeclared (first use in this function)
+ loops = ((u64) usecs * 4295 * HZ * loops_per_jiffy) >> 32;
+ ^~~~~~~~~~~~~~~
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Vineet Gupta <vgupta@synopsys.com>
+Cc: linux-snps-arc@lists.infradead.org
+Cc: Elad Kanfi <eladkan@mellanox.com>
+Cc: Leon Romanovsky <leonro@mellanox.com>
+Cc: Ofer Levi <oferle@mellanox.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arc/include/asm/delay.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arc/include/asm/delay.h
++++ b/arch/arc/include/asm/delay.h
+@@ -17,8 +17,11 @@
+ #ifndef __ASM_ARC_UDELAY_H
+ #define __ASM_ARC_UDELAY_H
+
++#include <asm-generic/types.h>
+ #include <asm/param.h> /* HZ */
+
++extern unsigned long loops_per_jiffy;
++
+ static inline void __delay(unsigned long loops)
+ {
+ __asm__ __volatile__(
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Thu, 26 Jul 2018 20:16:35 -0700
+Subject: arc: fix type warnings in arc/mm/cache.c
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit ec837d620c750c0d4996a907c8c4f7febe1bbeee ]
+
+Fix type warnings in arch/arc/mm/cache.c.
+
+../arch/arc/mm/cache.c: In function 'flush_anon_page':
+../arch/arc/mm/cache.c:1062:55: warning: passing argument 2 of '__flush_dcache_page' makes integer from pointer without a cast [-Wint-conversion]
+ __flush_dcache_page((phys_addr_t)page_address(page), page_address(page));
+ ^~~~~~~~~~~~~~~~~~
+../arch/arc/mm/cache.c:1013:59: note: expected 'long unsigned int' but argument is of type 'void *'
+ void __flush_dcache_page(phys_addr_t paddr, unsigned long vaddr)
+ ~~~~~~~~~~~~~~^~~~~
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Vineet Gupta <vgupta@synopsys.com>
+Cc: linux-snps-arc@lists.infradead.org
+Cc: Elad Kanfi <eladkan@mellanox.com>
+Cc: Leon Romanovsky <leonro@mellanox.com>
+Cc: Ofer Levi <oferle@mellanox.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arc/mm/cache_arc700.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/arc/mm/cache_arc700.c
++++ b/arch/arc/mm/cache_arc700.c
+@@ -642,7 +642,7 @@ void flush_cache_mm(struct mm_struct *mm
+ void flush_cache_page(struct vm_area_struct *vma, unsigned long u_vaddr,
+ unsigned long pfn)
+ {
+- unsigned int paddr = pfn << PAGE_SHIFT;
++ phys_addr_t paddr = pfn << PAGE_SHIFT;
+
+ u_vaddr &= PAGE_MASK;
+
+@@ -662,8 +662,9 @@ void flush_anon_page(struct vm_area_stru
+ unsigned long u_vaddr)
+ {
+ /* TBD: do we really need to clear the kernel mapping */
+- __flush_dcache_page(page_address(page), u_vaddr);
+- __flush_dcache_page(page_address(page), page_address(page));
++ __flush_dcache_page((phys_addr_t)page_address(page), u_vaddr);
++ __flush_dcache_page((phys_addr_t)page_address(page),
++ (phys_addr_t)page_address(page));
+
+ }
+
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 20 Jul 2018 19:30:57 +0200
+Subject: atl1c: reserve min skb headroom
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 6e56830776828d8ca9897fc4429eeab47c3bb432 ]
+
+Got crash report with following backtrace:
+BUG: unable to handle kernel paging request at ffff8801869daffe
+RIP: 0010:[<ffffffff816429c4>] [<ffffffff816429c4>] ip6_finish_output2+0x394/0x4c0
+RSP: 0018:ffff880186c83a98 EFLAGS: 00010283
+RAX: ffff8801869db00e ...
+ [<ffffffff81644cdc>] ip6_finish_output+0x8c/0xf0
+ [<ffffffff81644d97>] ip6_output+0x57/0x100
+ [<ffffffff81643dc9>] ip6_forward+0x4b9/0x840
+ [<ffffffff81645566>] ip6_rcv_finish+0x66/0xc0
+ [<ffffffff81645db9>] ipv6_rcv+0x319/0x530
+ [<ffffffff815892ac>] netif_receive_skb+0x1c/0x70
+ [<ffffffffc0060bec>] atl1c_clean+0x1ec/0x310 [atl1c]
+ ...
+
+The bad access is in neigh_hh_output(), at skb->data - 16 (HH_DATA_MOD).
+atl1c driver provided skb with no headroom, so 14 bytes (ethernet
+header) got pulled, but then 16 are copied.
+
+Reserve NET_SKB_PAD bytes headroom, like netdev_alloc_skb().
+
+Compile tested only; I lack hardware.
+
+Fixes: 7b7017642199 ("atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+@@ -1674,6 +1674,7 @@ static struct sk_buff *atl1c_alloc_skb(s
+ skb = build_skb(page_address(page) + adapter->rx_page_offset,
+ adapter->rx_frag_size);
+ if (likely(skb)) {
++ skb_reserve(skb, NET_SKB_PAD);
+ adapter->rx_page_offset += adapter->rx_frag_size;
+ if (adapter->rx_page_offset >= PAGE_SIZE)
+ adapter->rx_page = NULL;
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
+Date: Tue, 24 Jul 2018 02:43:52 -0700
+Subject: bnx2x: Fix invalid memory access in rss hash config path.
+
+From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
+
+[ Upstream commit ae2dcb28c24794a87e424a726a1cf1a61980f52d ]
+
+Rx hash/filter table configuration uses rss_conf_obj to configure filters
+in the hardware. This object is initialized only when the interface is
+brought up.
+This patch adds driver changes to configure rss params only when the device
+is in opened state. In port disabled case, the config will be cached in the
+driver structure which will be applied in the successive load path.
+
+Please consider applying it to 'net' branch.
+
+Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+@@ -3296,14 +3296,18 @@ static int bnx2x_set_rss_flags(struct bn
+ DP(BNX2X_MSG_ETHTOOL,
+ "rss re-configured, UDP 4-tupple %s\n",
+ udp_rss_requested ? "enabled" : "disabled");
+- return bnx2x_rss(bp, &bp->rss_conf_obj, false, true);
++ if (bp->state == BNX2X_STATE_OPEN)
++ return bnx2x_rss(bp, &bp->rss_conf_obj, false,
++ true);
+ } else if ((info->flow_type == UDP_V6_FLOW) &&
+ (bp->rss_conf_obj.udp_rss_v6 != udp_rss_requested)) {
+ bp->rss_conf_obj.udp_rss_v6 = udp_rss_requested;
+ DP(BNX2X_MSG_ETHTOOL,
+ "rss re-configured, UDP 4-tupple %s\n",
+ udp_rss_requested ? "enabled" : "disabled");
+- return bnx2x_rss(bp, &bp->rss_conf_obj, false, true);
++ if (bp->state == BNX2X_STATE_OPEN)
++ return bnx2x_rss(bp, &bp->rss_conf_obj, false,
++ true);
+ }
+ return 0;
+
+@@ -3401,7 +3405,10 @@ static int bnx2x_set_rxfh(struct net_dev
+ bp->rss_conf_obj.ind_table[i] = indir[i] + bp->fp->cl_id;
+ }
+
+- return bnx2x_config_rss_eth(bp, false);
++ if (bp->state == BNX2X_STATE_OPEN)
++ return bnx2x_config_rss_eth(bp, false);
++
++ return 0;
+ }
+
+ /**
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+Date: Tue, 18 Jul 2017 16:25:49 -0700
+Subject: cachefiles: Fix refcounting bug in backing-file read monitoring
+
+From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+
+[ Upstream commit 934140ab028713a61de8bca58c05332416d037d1 ]
+
+cachefiles_read_waiter() has the right to access a 'monitor' object by
+virtue of being called under the waitqueue lock for one of the pages in its
+purview. However, it has no ref on that monitor object or on the
+associated operation.
+
+What it is allowed to do is to move the monitor object to the operation's
+to_do list, but once it drops the work_lock, it's actually no longer
+permitted to access that object. However, it is trying to enqueue the
+retrieval operation for processing - but it can only do this via a pointer
+in the monitor object, something it shouldn't be doing.
+
+If it doesn't enqueue the operation, the operation may not get processed.
+If the order is flipped so that the enqueue is first, then it's possible
+for the work processor to look at the to_do list before the monitor is
+enqueued upon it.
+
+Fix this by getting a ref on the operation so that we can trust that it
+will still be there once we've added the monitor to the to_do list and
+dropped the work_lock. The op can then be enqueued after the lock is
+dropped.
+
+The bug can manifest in one of a couple of ways. The first manifestation
+looks like:
+
+ FS-Cache:
+ FS-Cache: Assertion failed
+ FS-Cache: 6 == 5 is false
+ ------------[ cut here ]------------
+ kernel BUG at fs/fscache/operation.c:494!
+ RIP: 0010:fscache_put_operation+0x1e3/0x1f0
+ ...
+ fscache_op_work_func+0x26/0x50
+ process_one_work+0x131/0x290
+ worker_thread+0x45/0x360
+ kthread+0xf8/0x130
+ ? create_worker+0x190/0x190
+ ? kthread_cancel_work_sync+0x10/0x10
+ ret_from_fork+0x1f/0x30
+
+This is due to the operation being in the DEAD state (6) rather than
+INITIALISED, COMPLETE or CANCELLED (5) because it's already passed through
+fscache_put_operation().
+
+The bug can also manifest like the following:
+
+ kernel BUG at fs/fscache/operation.c:69!
+ ...
+ [exception RIP: fscache_enqueue_operation+246]
+ ...
+ #7 [ffff883fff083c10] fscache_enqueue_operation at ffffffffa0b793c6
+ #8 [ffff883fff083c28] cachefiles_read_waiter at ffffffffa0b15a48
+ #9 [ffff883fff083c48] __wake_up_common at ffffffff810af028
+
+I'm not entirely certain as to which is line 69 in Lei's kernel, so I'm not
+entirely clear which assertion failed.
+
+Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
+Reported-by: Lei Xue <carmark.dlut@gmail.com>
+Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
+Reported-by: Anthony DeRobertis <aderobertis@metrics.net>
+Reported-by: NeilBrown <neilb@suse.com>
+Reported-by: Daniel Axtens <dja@axtens.net>
+Reported-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cachefiles/rdwr.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/fs/cachefiles/rdwr.c
++++ b/fs/cachefiles/rdwr.c
+@@ -27,6 +27,7 @@ static int cachefiles_read_waiter(wait_q
+ struct cachefiles_one_read *monitor =
+ container_of(wait, struct cachefiles_one_read, monitor);
+ struct cachefiles_object *object;
++ struct fscache_retrieval *op = monitor->op;
+ struct wait_bit_key *key = _key;
+ struct page *page = wait->private;
+
+@@ -51,16 +52,22 @@ static int cachefiles_read_waiter(wait_q
+ list_del(&wait->task_list);
+
+ /* move onto the action list and queue for FS-Cache thread pool */
+- ASSERT(monitor->op);
++ ASSERT(op);
+
+- object = container_of(monitor->op->op.object,
+- struct cachefiles_object, fscache);
++ /* We need to temporarily bump the usage count as we don't own a ref
++ * here otherwise cachefiles_read_copier() may free the op between the
++ * monitor being enqueued on the op->to_do list and the op getting
++ * enqueued on the work queue.
++ */
++ fscache_get_retrieval(op);
+
++ object = container_of(op->op.object, struct cachefiles_object, fscache);
+ spin_lock(&object->work_lock);
+- list_add_tail(&monitor->op_link, &monitor->op->to_do);
++ list_add_tail(&monitor->op_link, &op->to_do);
+ spin_unlock(&object->work_lock);
+
+- fscache_enqueue_retrieval(monitor->op);
++ fscache_enqueue_retrieval(op);
++ fscache_put_retrieval(op);
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+Date: Thu, 21 Jun 2018 13:25:53 -0700
+Subject: cachefiles: Wait rather than BUG'ing on "Unexpected object collision"
+
+From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+
+[ Upstream commit c2412ac45a8f8f1cd582723c1a139608694d410d ]
+
+If we meet a conflicting object that is marked FSCACHE_OBJECT_IS_LIVE in
+the active object tree, we have been emitting a BUG after logging
+information about it and the new object.
+
+Instead, we should wait for the CACHEFILES_OBJECT_ACTIVE flag to be cleared
+on the old object (or return an error). The ACTIVE flag should be cleared
+after it has been removed from the active object tree. A timeout of 60s is
+used in the wait, so we shouldn't be able to get stuck there.
+
+Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
+Signed-off-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cachefiles/namei.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/cachefiles/namei.c
++++ b/fs/cachefiles/namei.c
+@@ -193,7 +193,6 @@ wait_for_old_object:
+ pr_err("\n");
+ pr_err("Error: Unexpected object collision\n");
+ cachefiles_printk_object(object, xobject);
+- BUG();
+ }
+ atomic_inc(&xobject->usage);
+ write_unlock(&cache->active_lock);
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Mon, 9 Jul 2018 21:16:40 +0200
+Subject: can: mpc5xxx_can: check of_iomap return before use
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit b5c1a23b17e563b656cc9bb76ce5323b997d90e8 ]
+
+of_iomap() can return NULL so that return needs to be checked and NULL
+treated as failure. While at it also take care of the missing
+of_node_put() in the error path.
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Fixes: commit afa17a500a36 ("net/can: add driver for mscan family & mpc52xx_mscan")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/mscan/mpc5xxx_can.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/can/mscan/mpc5xxx_can.c
++++ b/drivers/net/can/mscan/mpc5xxx_can.c
+@@ -86,6 +86,11 @@ static u32 mpc52xx_can_get_clock(struct
+ return 0;
+ }
+ cdm = of_iomap(np_cdm, 0);
++ if (!cdm) {
++ of_node_put(np_cdm);
++ dev_err(&ofdev->dev, "can't map clock node!\n");
++ return 0;
++ }
+
+ if (in_8(&cdm->ipb_clk_sel) & 0x1)
+ freq *= 2;
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 1 Aug 2018 18:22:41 +0100
+Subject: drivers: net: lmc: fix case value for target abort error
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit afb41bb039656f0cecb54eeb8b2e2088201295f5 ]
+
+Current value for a target abort error is 0x010, however, this value
+should in fact be 0x002. As it stands, the range of error is 0..7 so
+it is currently never being detected. This bug has been in the driver
+since the early 2.6.12 days (or before).
+
+Detected by CoverityScan, CID#744290 ("Logically dead code")
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/lmc/lmc_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wan/lmc/lmc_main.c
++++ b/drivers/net/wan/lmc/lmc_main.c
+@@ -1384,7 +1384,7 @@ static irqreturn_t lmc_interrupt (int ir
+ case 0x001:
+ printk(KERN_WARNING "%s: Master Abort (naughty)\n", dev->name);
+ break;
+- case 0x010:
++ case 0x002:
+ printk(KERN_WARNING "%s: Target Abort (not so naughty)\n", dev->name);
+ break;
+ default:
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Wed, 11 Apr 2018 17:31:36 +0200
+Subject: drm/imx: imx-ldb: check if channel is enabled before printing warning
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+[ Upstream commit c80d673b91a6c81d765864e10f2b15110ee900ad ]
+
+If the second LVDS channel has been disabled in the DT when using dual-channel
+mode we should not print a warning.
+
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/imx-drm/imx-ldb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/imx-drm/imx-ldb.c
++++ b/drivers/staging/imx-drm/imx-ldb.c
+@@ -500,14 +500,14 @@ static int imx_ldb_bind(struct device *d
+ if (ret || i < 0 || i > 1)
+ return -EINVAL;
+
++ if (!of_device_is_available(child))
++ continue;
++
+ if (dual && i > 0) {
+ dev_warn(dev, "dual-channel mode, ignoring second output\n");
+ continue;
+ }
+
+- if (!of_device_is_available(child))
+- continue;
+-
+ channel = &imx_ldb->channel[i];
+ channel->ldb = imx_ldb;
+ channel->chno = i;
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Wed, 11 Apr 2018 17:31:35 +0200
+Subject: drm/imx: imx-ldb: disable LDB on driver bind
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+[ Upstream commit b58262396fabd43dc869b576e3defdd23b32fe94 ]
+
+The LVDS signal integrity is only guaranteed when the correct enable
+sequence (first IPU DI, then LDB) is used. If the LDB display output was
+active before the imx-drm driver is loaded (like when a bootsplash was
+active) the DI will be disabled by the full IPU reset we do when loading
+the driver. The LDB control registers are not part of the IPU range and
+thus will remain unchanged.
+
+This leads to the LDB still being active when the DI is getting enabled,
+effectively reversing the required enable sequence. Fix this by also
+disabling the LDB on driver bind.
+
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/imx-drm/imx-ldb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/staging/imx-drm/imx-ldb.c
++++ b/drivers/staging/imx-drm/imx-ldb.c
+@@ -460,6 +460,9 @@ static int imx_ldb_bind(struct device *d
+ return PTR_ERR(imx_ldb->regmap);
+ }
+
++ /* disable LDB by resetting the control register to POR default */
++ regmap_write(imx_ldb->regmap, IOMUXC_GPR2, 0);
++
+ imx_ldb->dev = dev;
+
+ if (of_id)
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Sat, 14 Jul 2018 14:32:12 +0200
+Subject: drm: re-enable error handling
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit d530b5f1ca0bb66958a2b714bebe40a1248b9c15 ]
+
+drm_legacy_ctxbitmap_next() returns idr_alloc() which can return
+-ENOMEM, -EINVAL or -ENOSPC none of which are -1 . but the call sites
+of drm_legacy_ctxbitmap_next() seem to be assuming that the error case
+would be -1 (original return of drm_ctxbitmap_next() prior to 2.6.23
+was actually -1). Thus reenable error handling by checking for < 0.
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Fixes: 62968144e673 ("drm: convert drm context code to use Linux idr")
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1531571532-22733-1-git-send-email-hofrat@osadl.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_context.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_context.c
++++ b/drivers/gpu/drm/drm_context.c
+@@ -341,7 +341,7 @@ int drm_legacy_addctx(struct drm_device
+ ctx->handle = drm_legacy_ctxbitmap_next(dev);
+ }
+ DRM_DEBUG("%d\n", ctx->handle);
+- if (ctx->handle == -1) {
++ if (ctx->handle < 0) {
+ DRM_DEBUG("Not enough free contexts.\n");
+ /* Should this return -EBUSY instead? */
+ return -ENOMEM;
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Date: Fri, 27 Jul 2018 11:19:29 -0700
+Subject: enic: handle mtu change for vf properly
+
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+
+[ Upstream commit ab123fe071c9aa9680ecd62eb080eb26cff4892c ]
+
+When driver gets notification for mtu change, driver does not handle it for
+all RQs. It handles only RQ[0].
+
+Fix is to use enic_change_mtu() interface to change mtu for vf.
+
+Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 78 +++++++++-------------------
+ 1 file changed, 27 insertions(+), 51 deletions(-)
+
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -1717,10 +1717,32 @@ static int enic_stop(struct net_device *
+ return 0;
+ }
+
++static int _enic_change_mtu(struct net_device *netdev, int new_mtu)
++{
++ bool running = netif_running(netdev);
++ int err = 0;
++
++ ASSERT_RTNL();
++ if (running) {
++ err = enic_stop(netdev);
++ if (err)
++ return err;
++ }
++
++ netdev->mtu = new_mtu;
++
++ if (running) {
++ err = enic_open(netdev);
++ if (err)
++ return err;
++ }
++
++ return 0;
++}
++
+ static int enic_change_mtu(struct net_device *netdev, int new_mtu)
+ {
+ struct enic *enic = netdev_priv(netdev);
+- int running = netif_running(netdev);
+
+ if (new_mtu < ENIC_MIN_MTU || new_mtu > ENIC_MAX_MTU)
+ return -EINVAL;
+@@ -1728,20 +1750,12 @@ static int enic_change_mtu(struct net_de
+ if (enic_is_dynamic(enic) || enic_is_sriov_vf(enic))
+ return -EOPNOTSUPP;
+
+- if (running)
+- enic_stop(netdev);
+-
+- netdev->mtu = new_mtu;
+-
+ if (netdev->mtu > enic->port_mtu)
+ netdev_warn(netdev,
+- "interface MTU (%d) set higher than port MTU (%d)\n",
+- netdev->mtu, enic->port_mtu);
+-
+- if (running)
+- enic_open(netdev);
++ "interface MTU (%d) set higher than port MTU (%d)\n",
++ netdev->mtu, enic->port_mtu);
+
+- return 0;
++ return _enic_change_mtu(netdev, new_mtu);
+ }
+
+ static void enic_change_mtu_work(struct work_struct *work)
+@@ -1749,47 +1763,9 @@ static void enic_change_mtu_work(struct
+ struct enic *enic = container_of(work, struct enic, change_mtu_work);
+ struct net_device *netdev = enic->netdev;
+ int new_mtu = vnic_dev_mtu(enic->vdev);
+- int err;
+- unsigned int i;
+-
+- new_mtu = max_t(int, ENIC_MIN_MTU, min_t(int, ENIC_MAX_MTU, new_mtu));
+
+ rtnl_lock();
+-
+- /* Stop RQ */
+- del_timer_sync(&enic->notify_timer);
+-
+- for (i = 0; i < enic->rq_count; i++)
+- napi_disable(&enic->napi[i]);
+-
+- vnic_intr_mask(&enic->intr[0]);
+- enic_synchronize_irqs(enic);
+- err = vnic_rq_disable(&enic->rq[0]);
+- if (err) {
+- rtnl_unlock();
+- netdev_err(netdev, "Unable to disable RQ.\n");
+- return;
+- }
+- vnic_rq_clean(&enic->rq[0], enic_free_rq_buf);
+- vnic_cq_clean(&enic->cq[0]);
+- vnic_intr_clean(&enic->intr[0]);
+-
+- /* Fill RQ with new_mtu-sized buffers */
+- netdev->mtu = new_mtu;
+- vnic_rq_fill(&enic->rq[0], enic_rq_alloc_buf);
+- /* Need at least one buffer on ring to get going */
+- if (vnic_rq_desc_used(&enic->rq[0]) == 0) {
+- rtnl_unlock();
+- netdev_err(netdev, "Unable to alloc receive buffers.\n");
+- return;
+- }
+-
+- /* Start RQ */
+- vnic_rq_enable(&enic->rq[0]);
+- napi_enable(&enic->napi[0]);
+- vnic_intr_unmask(&enic->intr[0]);
+- enic_notify_timer_start(enic);
+-
++ (void)_enic_change_mtu(netdev, new_mtu);
+ rtnl_unlock();
+
+ netdev_info(netdev, "interface MTU set as %d\n", netdev->mtu);
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+Date: Wed, 25 Jul 2018 14:31:20 +0100
+Subject: fscache: Allow cancelled operations to be enqueued
+
+From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+
+[ Upstream commit d0eb06afe712b7b103b6361f40a9a0c638524669 ]
+
+Alter the state-check assertion in fscache_enqueue_operation() to allow
+cancelled operations to be given processing time so they can be cleaned up.
+
+Also fix a debugging statement that was requiring such operations to have
+an object assigned.
+
+Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
+Reported-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fscache/operation.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/fscache/operation.c
++++ b/fs/fscache/operation.c
+@@ -37,7 +37,8 @@ void fscache_enqueue_operation(struct fs
+ ASSERT(op->processor != NULL);
+ ASSERT(fscache_object_is_available(op->object));
+ ASSERTCMP(atomic_read(&op->usage), >, 0);
+- ASSERTCMP(op->state, ==, FSCACHE_OP_ST_IN_PROGRESS);
++ ASSERTIFCMP(op->state != FSCACHE_OP_ST_IN_PROGRESS,
++ op->state, ==, FSCACHE_OP_ST_CANCELLED);
+
+ fscache_stat(&fscache_n_op_enqueue);
+ switch (op->flags & FSCACHE_OP_TYPE) {
+@@ -401,7 +402,8 @@ void fscache_put_operation(struct fscach
+ struct fscache_cache *cache;
+
+ _enter("{OBJ%x OP%x,%d}",
+- op->object->debug_id, op->debug_id, atomic_read(&op->usage));
++ op->object ? op->object->debug_id : 0,
++ op->debug_id, atomic_read(&op->usage));
+
+ ASSERTCMP(atomic_read(&op->usage), >, 0);
+
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: "mpubbise@codeaurora.org" <mpubbise@codeaurora.org>
+Date: Mon, 2 Jul 2018 15:40:14 +0530
+Subject: mac80211: add stations tied to AP_VLANs during hw reconfig
+
+From: "mpubbise@codeaurora.org" <mpubbise@codeaurora.org>
+
+[ Upstream commit 19103a4bfb42f320395daa5616ece3e89e759d63 ]
+
+As part of hw reconfig, only stations linked to AP interfaces are added
+back to the driver ignoring those which are tied to AP_VLAN interfaces.
+
+It is true that there could be stations tied to the AP_VLAN interface while
+serving 4addr clients or when using AP_VLAN for VLAN operations; we should
+be adding these stations back to the driver as part of hw reconfig, failing
+to do so can cause functional issues.
+
+In the case of ath10k driver, the following errors were observed.
+
+ath10k_pci : failed to install key for non-existent peer XX:XX:XX:XX:XX:XX
+Workqueue: events_freezable ieee80211_restart_work [mac80211]
+(unwind_backtrace) from (show_stack+0x10/0x14)
+(show_stack) (dump_stack+0x80/0xa0)
+(dump_stack) (warn_slowpath_common+0x68/0x8c)
+(warn_slowpath_common) (warn_slowpath_null+0x18/0x20)
+(warn_slowpath_null) (ieee80211_enable_keys+0x88/0x154 [mac80211])
+(ieee80211_enable_keys) (ieee80211_reconfig+0xc90/0x19c8 [mac80211])
+(ieee80211_reconfig]) (ieee80211_restart_work+0x8c/0xa0 [mac80211])
+(ieee80211_restart_work) (process_one_work+0x284/0x488)
+(process_one_work) (worker_thread+0x228/0x360)
+(worker_thread) (kthread+0xd8/0xec)
+(kthread) (ret_from_fork+0x14/0x24)
+
+Also while bringing down the AP VAP, WARN_ONs and errors related to peer
+removal were observed.
+
+ath10k_pci : failed to clear all peer wep keys for vdev 0: -2
+ath10k_pci : failed to disassociate station: 8c:fd:f0:0a:8c:f5 vdev 0: -2
+(unwind_backtrace) (show_stack+0x10/0x14)
+(show_stack) (dump_stack+0x80/0xa0)
+(dump_stack) (warn_slowpath_common+0x68/0x8c)
+(warn_slowpath_common) (warn_slowpath_null+0x18/0x20)
+(warn_slowpath_null) (sta_set_sinfo+0xb98/0xc9c [mac80211])
+(sta_set_sinfo [mac80211]) (__sta_info_flush+0xf0/0x134 [mac80211])
+(__sta_info_flush [mac80211]) (ieee80211_stop_ap+0xe8/0x390 [mac80211])
+(ieee80211_stop_ap [mac80211]) (__cfg80211_stop_ap+0xe0/0x3dc [cfg80211])
+(__cfg80211_stop_ap [cfg80211]) (cfg80211_stop_ap+0x30/0x44 [cfg80211])
+(cfg80211_stop_ap [cfg80211]) (genl_rcv_msg+0x274/0x30c)
+(genl_rcv_msg) (netlink_rcv_skb+0x58/0xac)
+(netlink_rcv_skb) (genl_rcv+0x20/0x34)
+(genl_rcv) (netlink_unicast+0x11c/0x204)
+(netlink_unicast) (netlink_sendmsg+0x30c/0x370)
+(netlink_sendmsg) (sock_sendmsg+0x70/0x84)
+(sock_sendmsg) (___sys_sendmsg.part.3+0x188/0x228)
+(___sys_sendmsg.part.3) (__sys_sendmsg+0x4c/0x70)
+(__sys_sendmsg) (ret_fast_syscall+0x0/0x44)
+
+These issues got fixed by adding the stations which are
+tied to AP_VLANs back to the driver.
+
+Signed-off-by: Manikanta Pubbisetty <mpubbise@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/util.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -1876,7 +1876,8 @@ int ieee80211_reconfig(struct ieee80211_
+ if (!sta->uploaded)
+ continue;
+
+- if (sta->sdata->vif.type != NL80211_IFTYPE_AP)
++ if (sta->sdata->vif.type != NL80211_IFTYPE_AP &&
++ sta->sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
+ continue;
+
+ for (state = IEEE80211_STA_NOTEXIST;
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Mon, 23 Jul 2018 14:39:33 -0700
+Subject: media: staging: omap4iss: Include asm/cacheflush.h after generic includes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 0894da849f145af51bde88a6b84f95b9c9e0bc66 ]
+
+Including asm/cacheflush.h first results in the following build error
+when trying to build sparc32:allmodconfig, because 'struct page' has not
+been declared, and the function declaration ends up creating a separate
+(private) declaration of struct page (as a result of function arguments
+being in the scope of the function declaration and definition, not in
+global scope).
+
+The C scoping rules do not just affect variable visibility, they also
+affect type declaration visibility.
+
+The end result is that when the actual call site is seen in
+<linux/highmem.h>, the 'struct page' type in the caller is not the same
+'struct page' that the function was declared with, resulting in:
+
+ In file included from arch/sparc/include/asm/page.h:10:0,
+ ...
+ from drivers/staging/media/omap4iss/iss_video.c:15:
+ include/linux/highmem.h: In function 'clear_user_highpage':
+ include/linux/highmem.h:137:31: error:
+ passing argument 1 of 'sparc_flush_page_to_ram' from incompatible
+ pointer type
+
+Include generic includes files first to fix the problem.
+
+Fixes: fc96d58c10162 ("[media] v4l: omap4iss: Add support for OMAP4 camera interface - Video devices")
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: David S. Miller <davem@davemloft.net>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+[ Added explanation of C scope rules - Linus ]
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/omap4iss/iss_video.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/media/omap4iss/iss_video.c
++++ b/drivers/staging/media/omap4iss/iss_video.c
+@@ -11,7 +11,6 @@
+ * (at your option) any later version.
+ */
+
+-#include <asm/cacheflush.h>
+ #include <linux/clk.h>
+ #include <linux/mm.h>
+ #include <linux/pagemap.h>
+@@ -22,6 +21,8 @@
+ #include <media/v4l2-dev.h>
+ #include <media/v4l2-ioctl.h>
+
++#include <asm/cacheflush.h>
++
+ #include "iss_video.h"
+ #include "iss.h"
+
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: "jie@chenjie6@huwei.com" <jie@chenjie6@huwei.com>
+Date: Fri, 10 Aug 2018 17:23:06 -0700
+Subject: mm/memory.c: check return value of ioremap_prot
+
+From: "jie@chenjie6@huwei.com" <jie@chenjie6@huwei.com>
+
+[ Upstream commit 24eee1e4c47977bdfb71d6f15f6011e7b6188d04 ]
+
+ioremap_prot() can return NULL which could lead to an oops.
+
+Link: http://lkml.kernel.org/r/1533195441-58594-1-git-send-email-chenjie6@huawei.com
+Signed-off-by: chen jie <chenjie6@huawei.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Li Zefan <lizefan@huawei.com>
+Cc: chenjie <chenjie6@huawei.com>
+Cc: Yang Shi <shy828301@gmail.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -3522,6 +3522,9 @@ int generic_access_phys(struct vm_area_s
+ return -EINVAL;
+
+ maddr = ioremap_prot(phys_addr, PAGE_ALIGN(len + offset), prot);
++ if (!maddr)
++ return -ENOMEM;
++
+ if (write)
+ memcpy_toio(maddr + offset, buf, len);
+ else
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Date: Tue, 24 Jul 2018 10:09:53 +0530
+Subject: net: axienet: Fix double deregister of mdio
+
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+
+[ Upstream commit 03bc7cab7d7218088412a75e141696a89059ab00 ]
+
+If the registration fails then mdio_unregister is called.
+However at unbind the unregister ia attempted again resulting
+in the below crash
+
+[ 73.544038] kernel BUG at drivers/net/phy/mdio_bus.c:415!
+[ 73.549362] Internal error: Oops - BUG: 0 [#1] SMP
+[ 73.554127] Modules linked in:
+[ 73.557168] CPU: 0 PID: 2249 Comm: sh Not tainted 4.14.0 #183
+[ 73.562895] Hardware name: xlnx,zynqmp (DT)
+[ 73.567062] task: ffffffc879e41180 task.stack: ffffff800cbe0000
+[ 73.572973] PC is at mdiobus_unregister+0x84/0x88
+[ 73.577656] LR is at axienet_mdio_teardown+0x18/0x30
+[ 73.582601] pc : [<ffffff80085fa4cc>] lr : [<ffffff8008616858>]
+pstate: 20000145
+[ 73.589981] sp : ffffff800cbe3c30
+[ 73.593277] x29: ffffff800cbe3c30 x28: ffffffc879e41180
+[ 73.598573] x27: ffffff8008a21000 x26: 0000000000000040
+[ 73.603868] x25: 0000000000000124 x24: ffffffc879efe920
+[ 73.609164] x23: 0000000000000060 x22: ffffffc879e02000
+[ 73.614459] x21: ffffffc879e02800 x20: ffffffc87b0b8870
+[ 73.619754] x19: ffffffc879e02800 x18: 000000000000025d
+[ 73.625050] x17: 0000007f9a719ad0 x16: ffffff8008195bd8
+[ 73.630345] x15: 0000007f9a6b3d00 x14: 0000000000000010
+[ 73.635640] x13: 74656e7265687465 x12: 0000000000000030
+[ 73.640935] x11: 0000000000000030 x10: 0101010101010101
+[ 73.646231] x9 : 241f394f42533300 x8 : ffffffc8799f6e98
+[ 73.651526] x7 : ffffffc8799f6f18 x6 : ffffffc87b0ba318
+[ 73.656822] x5 : ffffffc87b0ba498 x4 : 0000000000000000
+[ 73.662117] x3 : 0000000000000000 x2 : 0000000000000008
+[ 73.667412] x1 : 0000000000000004 x0 : ffffffc8799f4000
+[ 73.672708] Process sh (pid: 2249, stack limit = 0xffffff800cbe0000)
+
+Fix the same by making the bus NULL on unregister.
+
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c
+@@ -219,6 +219,7 @@ issue:
+ ret = of_mdiobus_register(bus, np1);
+ if (ret) {
+ mdiobus_free(bus);
++ lp->mii_bus = NULL;
+ return ret;
+ }
+ return 0;
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 19 Jul 2018 10:27:13 +0800
+Subject: net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 64119e05f7b31e83e2555f6782e6cdc8f81c63f4 ]
+
+Add a missing rcu_read_unlock in the error path
+
+Fixes: c95567c80352 ("caif: added check for potential null return")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/caif_dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/caif/caif_dev.c
++++ b/net/caif/caif_dev.c
+@@ -131,8 +131,10 @@ static void caif_flow_cb(struct sk_buff
+ caifd = caif_get(skb->dev);
+
+ WARN_ON(caifd == NULL);
+- if (caifd == NULL)
++ if (!caifd) {
++ rcu_read_unlock();
+ return;
++ }
+
+ caifd_hold(caifd);
+ rcu_read_unlock();
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Date: Sun, 8 Jul 2018 09:57:22 +0000
+Subject: nl80211: Add a missing break in parse_station_flags
+
+From: Bernd Edlinger <bernd.edlinger@hotmail.de>
+
+[ Upstream commit 5cf3006cc81d9aa09a10aa781fc065546b12919d ]
+
+I was looking at usually suppressed gcc warnings,
+[-Wimplicit-fallthrough=] in this case:
+
+The code definitely looks like a break is missing here.
+However I am not able to test the NL80211_IFTYPE_MESH_POINT,
+nor do I actually know what might be :)
+So please use this patch with caution and only if you are
+able to do some testing.
+
+Signed-off-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+[johannes: looks obvious enough to apply as is, interesting
+ though that it never seems to have been a problem]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/nl80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3490,6 +3490,7 @@ static int parse_station_flags(struct ge
+ params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
+ BIT(NL80211_STA_FLAG_MFP) |
+ BIT(NL80211_STA_FLAG_AUTHORIZED);
++ break;
+ default:
+ return -EINVAL;
+ }
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: "Rafał Miłecki" <rafal@milecki.pl>
+Date: Fri, 27 Jul 2018 13:13:39 +0200
+Subject: Revert "MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum"
+
+From: "Rafał Miłecki" <rafal@milecki.pl>
+
+[ Upstream commit d5ea019f8a381f88545bb26993b62ec24a2796b7 ]
+
+This reverts commit 2a027b47dba6 ("MIPS: BCM47XX: Enable 74K Core
+ExternalSync for PCIe erratum").
+
+Enabling ExternalSync caused a regression for BCM4718A1 (used e.g. in
+Netgear E3000 and ASUS RT-N16): it simply hangs during PCIe
+initialization. It's likely that BCM4717A1 is also affected.
+
+I didn't notice that earlier as the only BCM47XX devices with PCIe I
+own are:
+1) BCM4706 with 2 x 14e4:4331
+2) BCM4706 with 14e4:4360 and 14e4:4331
+it appears that BCM4706 is unaffected.
+
+While BCM5300X-ES300-RDS.pdf seems to document that erratum and its
+workarounds (according to quotes provided by Tokunori) it seems not even
+Broadcom follows them.
+
+According to the provided info Broadcom should define CONF7_ES in their
+SDK's mipsinc.h and implement workaround in the si_mips_init(). Checking
+both didn't reveal such code. It *could* mean Broadcom also had some
+problems with the given workaround.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Reported-by: Michael Marley <michael@michaelmarley.com>
+Patchwork: https://patchwork.linux-mips.org/patch/20032/
+URL: https://bugs.openwrt.org/index.php?do=details&task_id=1688
+Cc: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Cc: Hauke Mehrtens <hauke@hauke-m.de>
+Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/bcm47xx/setup.c | 6 ------
+ arch/mips/include/asm/mipsregs.h | 3 ---
+ 2 files changed, 9 deletions(-)
+
+--- a/arch/mips/bcm47xx/setup.c
++++ b/arch/mips/bcm47xx/setup.c
+@@ -269,12 +269,6 @@ static int __init bcm47xx_cpu_fixes(void
+ */
+ if (bcm47xx_bus.bcma.bus.chipinfo.id == BCMA_CHIP_ID_BCM4706)
+ cpu_wait = NULL;
+-
+- /*
+- * BCM47XX Erratum "R10: PCIe Transactions Periodically Fail"
+- * Enable ExternalSync for sync instruction to take effect
+- */
+- set_c0_config7(MIPS_CONF7_ES);
+ break;
+ #endif
+ }
+--- a/arch/mips/include/asm/mipsregs.h
++++ b/arch/mips/include/asm/mipsregs.h
+@@ -667,8 +667,6 @@
+ #define MIPS_CONF7_WII (_ULCAST_(1) << 31)
+
+ #define MIPS_CONF7_RPS (_ULCAST_(1) << 2)
+-/* ExternalSync */
+-#define MIPS_CONF7_ES (_ULCAST_(1) << 8)
+
+ #define MIPS_CONF7_IAR (_ULCAST_(1) << 10)
+ #define MIPS_CONF7_AR (_ULCAST_(1) << 16)
+@@ -1865,7 +1863,6 @@ __BUILD_SET_C0(status)
+ __BUILD_SET_C0(cause)
+ __BUILD_SET_C0(config)
+ __BUILD_SET_C0(config5)
+-__BUILD_SET_C0(config7)
+ __BUILD_SET_C0(intcontrol)
+ __BUILD_SET_C0(intctl)
+ __BUILD_SET_C0(srsmap)
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Tue, 31 Jul 2018 15:46:02 +0200
+Subject: scsi: fcoe: drop frames in ELS LOGO error path
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+[ Upstream commit 63d0e3dffda311e77b9a8c500d59084e960a824a ]
+
+Drop the frames in the ELS LOGO error path instead of just returning an
+error.
+
+This fixes the following kmemleak report:
+unreferenced object 0xffff880064cb1000 (size 424):
+ comm "kworker/0:2", pid 24, jiffies 4294904293 (age 68.504s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<(____ptrval____)>] _fc_frame_alloc+0x2c/0x180 [libfc]
+ [<(____ptrval____)>] fc_lport_enter_logo+0x106/0x360 [libfc]
+ [<(____ptrval____)>] fc_fabric_logoff+0x8c/0xc0 [libfc]
+ [<(____ptrval____)>] fcoe_if_destroy+0x79/0x3b0 [fcoe]
+ [<(____ptrval____)>] fcoe_destroy_work+0xd2/0x170 [fcoe]
+ [<(____ptrval____)>] process_one_work+0x7ff/0x1420
+ [<(____ptrval____)>] worker_thread+0x87/0xef0
+ [<(____ptrval____)>] kthread+0x2db/0x390
+ [<(____ptrval____)>] ret_from_fork+0x35/0x40
+ [<(____ptrval____)>] 0xffffffffffffffff
+
+which can be triggered by issuing
+echo eth0 > /sys/bus/fcoe/ctlr_destroy
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/fcoe/fcoe_ctlr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/fcoe/fcoe_ctlr.c
++++ b/drivers/scsi/fcoe/fcoe_ctlr.c
+@@ -752,9 +752,9 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr
+ case ELS_LOGO:
+ if (fip->mode == FIP_MODE_VN2VN) {
+ if (fip->state != FIP_ST_VNMP_UP)
+- return -EINVAL;
++ goto drop;
+ if (ntoh24(fh->fh_d_id) == FC_FID_FLOGI)
+- return -EINVAL;
++ goto drop;
+ } else {
+ if (fip->state != FIP_ST_ENABLED)
+ return 0;
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Varun Prakash <varun@chelsio.com>
+Date: Wed, 11 Jul 2018 22:09:52 +0530
+Subject: scsi: libiscsi: fix possible NULL pointer dereference in case of TMF
+
+From: Varun Prakash <varun@chelsio.com>
+
+[ Upstream commit a17037e7d59075053b522048742a08ac9500bde8 ]
+
+In iscsi_check_tmf_restrictions() task->hdr is dereferenced to print the
+opcode, it is possible that task->hdr is NULL.
+
+There are two cases based on opcode argument:
+
+1. ISCSI_OP_SCSI_CMD - In this case alloc_pdu() is called
+after iscsi_check_tmf_restrictions()
+
+iscsi_prep_scsi_cmd_pdu() -> iscsi_check_tmf_restrictions() -> alloc_pdu().
+
+Transport drivers allocate memory for iSCSI hdr in alloc_pdu() and assign
+it to task->hdr. In case of TMF task->hdr will be NULL resulting in NULL
+pointer dereference.
+
+2. ISCSI_OP_SCSI_DATA_OUT - In this case transport driver can free the
+memory for iSCSI hdr after transmitting the pdu so task->hdr can be NULL or
+invalid.
+
+This patch fixes this issue by removing task->hdr->opcode from the printk
+statement.
+
+Signed-off-by: Varun Prakash <varun@chelsio.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/libiscsi.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -283,11 +283,11 @@ static int iscsi_check_tmf_restrictions(
+ */
+ if (opcode != ISCSI_OP_SCSI_DATA_OUT) {
+ iscsi_conn_printk(KERN_INFO, conn,
+- "task [op %x/%x itt "
++ "task [op %x itt "
+ "0x%x/0x%x] "
+ "rejected.\n",
+- task->hdr->opcode, opcode,
+- task->itt, task->hdr_itt);
++ opcode, task->itt,
++ task->hdr_itt);
+ return -EACCES;
+ }
+ /*
+@@ -296,10 +296,10 @@ static int iscsi_check_tmf_restrictions(
+ */
+ if (conn->session->fast_abort) {
+ iscsi_conn_printk(KERN_INFO, conn,
+- "task [op %x/%x itt "
++ "task [op %x itt "
+ "0x%x/0x%x] fast abort.\n",
+- task->hdr->opcode, opcode,
+- task->itt, task->hdr_itt);
++ opcode, task->itt,
++ task->hdr_itt);
+ return -EACCES;
+ }
+ break;
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Jim Gill <jgill@vmware.com>
+Date: Thu, 2 Aug 2018 14:13:30 -0700
+Subject: scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED
+
+From: Jim Gill <jgill@vmware.com>
+
+[ Upstream commit e95153b64d03c2b6e8d62e51bdcc33fcad6e0856 ]
+
+Commands that are reset are returned with status
+SAM_STAT_COMMAND_TERMINATED. PVSCSI currently returns DID_OK |
+SAM_STAT_COMMAND_TERMINATED which fails the command. Instead, set hostbyte
+to DID_RESET to allow upper layers to retry.
+
+Tested by copying a large file between two pvscsi disks on same adapter
+while performing a bus reset at 1-second intervals. Before fix, commands
+sometimes fail with DID_OK. After fix, commands observed to fail with
+DID_RESET.
+
+Signed-off-by: Jim Gill <jgill@vmware.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/vmw_pvscsi.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/vmw_pvscsi.c
++++ b/drivers/scsi/vmw_pvscsi.c
+@@ -567,9 +567,14 @@ static void pvscsi_complete_request(stru
+ (btstat == BTSTAT_SUCCESS ||
+ btstat == BTSTAT_LINKED_COMMAND_COMPLETED ||
+ btstat == BTSTAT_LINKED_COMMAND_COMPLETED_WITH_FLAG)) {
+- cmd->result = (DID_OK << 16) | sdstat;
+- if (sdstat == SAM_STAT_CHECK_CONDITION && cmd->sense_buffer)
+- cmd->result |= (DRIVER_SENSE << 24);
++ if (sdstat == SAM_STAT_COMMAND_TERMINATED) {
++ cmd->result = (DID_RESET << 16);
++ } else {
++ cmd->result = (DID_OK << 16) | sdstat;
++ if (sdstat == SAM_STAT_CHECK_CONDITION &&
++ cmd->sense_buffer)
++ cmd->result |= (DRIVER_SENSE << 24);
++ }
+ } else
+ switch (btstat) {
+ case BTSTAT_SUCCESS:
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Sat, 14 Jul 2018 01:28:44 +0900
+Subject: selftests/ftrace: Add snapshot and tracing_on test case
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 82f4f3e69c5c29bce940dd87a2c0f16c51d48d17 ]
+
+Add a testcase for checking snapshot and tracing_on
+relationship. This ensures that the snapshotting doesn't
+affect current tracing on/off settings.
+
+Link: http://lkml.kernel.org/r/153149932412.11274.15289227592627901488.stgit@devbox
+
+Cc: Tom Zanussi <tom.zanussi@linux.intel.com>
+Cc: Hiraku Toyooka <hiraku.toyooka@cybertrust.co.jp>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: linux-kselftest@vger.kernel.org
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/ftrace/test.d/00basic/snapshot.tc | 28 ++++++++++++++
+ 1 file changed, 28 insertions(+)
+ create mode 100644 tools/testing/selftests/ftrace/test.d/00basic/snapshot.tc
+
+--- /dev/null
++++ b/tools/testing/selftests/ftrace/test.d/00basic/snapshot.tc
+@@ -0,0 +1,28 @@
++#!/bin/sh
++# description: Snapshot and tracing setting
++# flags: instance
++
++[ ! -f snapshot ] && exit_unsupported
++
++echo "Set tracing off"
++echo 0 > tracing_on
++
++echo "Allocate and take a snapshot"
++echo 1 > snapshot
++
++# Since trace buffer is empty, snapshot is also empty, but allocated
++grep -q "Snapshot is allocated" snapshot
++
++echo "Ensure keep tracing off"
++test `cat tracing_on` -eq 0
++
++echo "Set tracing on"
++echo 1 > tracing_on
++
++echo "Take a snapshot again"
++echo 1 > snapshot
++
++echo "Ensure keep tracing on"
++test `cat tracing_on` -eq 1
++
++exit 0
sched-sysctl-check-user-input-value-of-sysctl_sched_time_avg.patch
cipso-cipso_v4_optptr-enter-infinite-loop.patch
+xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch
+xfrm-free-skb-if-nlsk-pointer-is-null.patch
+mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch
+nl80211-add-a-missing-break-in-parse_station_flags.patch
+scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch
+drm-re-enable-error-handling.patch
+drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch
+drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch
+usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch
+usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch
+usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch
+tools-usb-ffs-test-fix-build-on-big-endian-systems.patch
+usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch
+tools-power-turbostat-fix-s-on-up-systems.patch
+net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch
+atl1c-reserve-min-skb-headroom.patch
+can-mpc5xxx_can-check-of_iomap-return-before-use.patch
+media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch
+bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch
+net-axienet-fix-double-deregister-of-mdio.patch
+fscache-allow-cancelled-operations-to-be-enqueued.patch
+cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch
+cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch
+selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch
+zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch
+tools-power-turbostat-read-extended-processor-family-from-cpuid.patch
+revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch
+enic-handle-mtu-change-for-vf-properly.patch
+arc-fix-build-errors-in-arc-include-asm-delay.h.patch
+arc-fix-type-warnings-in-arc-mm-cache.c.patch
+drivers-net-lmc-fix-case-value-for-target-abort-error.patch
+scsi-fcoe-drop-frames-in-els-logo-error-path.patch
+scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch
+mm-memory.c-check-return-value-of-ioremap_prot.patch
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Len Brown <len.brown@intel.com>
+Date: Fri, 20 Jul 2018 14:47:03 -0400
+Subject: tools/power turbostat: fix -S on UP systems
+
+From: Len Brown <len.brown@intel.com>
+
+[ Upstream commit 9d83601a9cc1884d1b5706ee2acc661d558c6838 ]
+
+The -S (system summary) option failed to print any data on a 1-processor system.
+
+Reported-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -605,9 +605,7 @@ void format_all_counters(struct thread_d
+ if (!printed || !summary_only)
+ print_header();
+
+- if (topo.num_cpus > 1)
+- format_counters(&average.threads, &average.cores,
+- &average.packages);
++ format_counters(&average.threads, &average.cores, &average.packages);
+
+ printed = 1;
+
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Calvin Walton <calvin.walton@kepstin.ca>
+Date: Fri, 27 Jul 2018 07:50:53 -0400
+Subject: tools/power turbostat: Read extended processor family from CPUID
+
+From: Calvin Walton <calvin.walton@kepstin.ca>
+
+[ Upstream commit 5aa3d1a20a233d4a5f1ec3d62da3f19d9afea682 ]
+
+This fixes the reported family on modern AMD processors (e.g. Ryzen,
+which is family 0x17). Previously these processors all showed up as
+family 0xf.
+
+See the document
+https://support.amd.com/TechDocs/56255_OSRR.pdf
+section CPUID_Fn00000001_EAX for how to calculate the family
+from the BaseFamily and ExtFamily values.
+
+This matches the code in arch/x86/lib/cpu.c
+
+Signed-off-by: Calvin Walton <calvin.walton@kepstin.ca>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -2009,7 +2009,9 @@ void check_cpuid()
+ family = (fms >> 8) & 0xf;
+ model = (fms >> 4) & 0xf;
+ stepping = fms & 0xf;
+- if (family == 6 || family == 0xf)
++ if (family == 0xf)
++ family += (fms >> 20) & 0xff;
++ if (family >= 6)
+ model += ((fms >> 16) & 0xf) << 4;
+
+ if (verbose)
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Peter Senna Tschudin <peter.senna@gmail.com>
+Date: Tue, 10 Jul 2018 16:01:45 +0200
+Subject: tools: usb: ffs-test: Fix build on big endian systems
+
+From: Peter Senna Tschudin <peter.senna@gmail.com>
+
+[ Upstream commit a2b22dddc7bb6110ac3b5ed1a60aa9279836fadb ]
+
+The tools/usb/ffs-test.c file defines cpu_to_le16/32 by using the C
+library htole16/32 function calls. However, cpu_to_le16/32 are used when
+initializing structures, i.e in a context where a function call is not
+allowed.
+
+It works fine on little endian systems because htole16/32 are defined by
+the C library as no-ops. But on big-endian systems, they are actually
+doing something, which might involve calling a function, causing build
+failures, such as:
+
+ ffs-test.c:48:25: error: initializer element is not constant
+ #define cpu_to_le32(x) htole32(x)
+ ^~~~~~~
+ ffs-test.c:128:12: note: in expansion of macro ‘cpu_to_le32’
+ .magic = cpu_to_le32(FUNCTIONFS_DESCRIPTORS_MAGIC_V2),
+ ^~~~~~~~~~~
+
+To solve this, we code cpu_to_le16/32 in a way that allows them to be
+used when initializing structures. This fix was imported from
+meta-openembedded/android-tools/fix-big-endian-build.patch written by
+Thomas Petazzoni <thomas.petazzoni@free-electrons.com>.
+
+CC: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/usb/ffs-test.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/tools/usb/ffs-test.c
++++ b/tools/usb/ffs-test.c
+@@ -44,12 +44,25 @@
+
+ /******************** Little Endian Handling ********************************/
+
+-#define cpu_to_le16(x) htole16(x)
+-#define cpu_to_le32(x) htole32(x)
++/*
++ * cpu_to_le16/32 are used when initializing structures, a context where a
++ * function call is not allowed. To solve this, we code cpu_to_le16/32 in a way
++ * that allows them to be used when initializing structures.
++ */
++
++#if __BYTE_ORDER == __LITTLE_ENDIAN
++#define cpu_to_le16(x) (x)
++#define cpu_to_le32(x) (x)
++#else
++#define cpu_to_le16(x) ((((x) >> 8) & 0xffu) | (((x) & 0xffu) << 8))
++#define cpu_to_le32(x) \
++ ((((x) & 0xff000000u) >> 24) | (((x) & 0x00ff0000u) >> 8) | \
++ (((x) & 0x0000ff00u) << 8) | (((x) & 0x000000ffu) << 24))
++#endif
++
+ #define le32_to_cpu(x) le32toh(x)
+ #define le16_to_cpu(x) le16toh(x)
+
+-
+ /******************** Messages and Errors ***********************************/
+
+ static const char argv0[] = "ffs-test";
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Eugeniu Rosca <roscaeugeniu@gmail.com>
+Date: Mon, 2 Jul 2018 23:46:47 +0200
+Subject: usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3'
+
+From: Eugeniu Rosca <roscaeugeniu@gmail.com>
+
+[ Upstream commit eec24f2a0d4dc3b1d95a3ccd2feb523ede3ba775 ]
+
+The list [1] of commits doing endianness fixes in USB subsystem is long
+due to below quote from USB spec Revision 2.0 from April 27, 2000:
+
+------------
+8.1 Byte/Bit Ordering
+
+Multiple byte fields in standard descriptors, requests, and responses
+are interpreted as and moved over the bus in little-endian order, i.e.
+LSB to MSB.
+------------
+
+This commit belongs to the same family.
+
+[1] Example of endianness fixes in USB subsystem:
+commit 14e1d56cbea6 ("usb: gadget: f_uac2: endianness fixes.")
+commit 42370b821168 ("usb: gadget: f_uac1: endianness fixes.")
+commit 63afd5cc7877 ("USB: chaoskey: fix Alea quirk on big-endian hosts")
+commit 74098c4ac782 ("usb: gadget: acm: fix endianness in notifications")
+commit cdd7928df0d2 ("ACM gadget: fix endianness in notifications")
+commit 323ece54e076 ("cdc-wdm: fix endianness bug in debug statements")
+commit e102609f1072 ("usb: gadget: uvc: Fix endianness mismatches")
+ list goes on
+
+Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Reviewed-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_uac2.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -941,14 +941,14 @@ static struct usb_descriptor_header *hs_
+ };
+
+ struct cntrl_cur_lay3 {
+- __u32 dCUR;
++ __le32 dCUR;
+ };
+
+ struct cntrl_range_lay3 {
+- __u16 wNumSubRanges;
+- __u32 dMIN;
+- __u32 dMAX;
+- __u32 dRES;
++ __le16 wNumSubRanges;
++ __le32 dMIN;
++ __le32 dMAX;
++ __le32 dRES;
+ } __packed;
+
+ static inline void
+@@ -1274,9 +1274,9 @@ in_rq_cur(struct usb_function *fn, const
+ struct cntrl_cur_lay3 c;
+
+ if (entity_id == USB_IN_CLK_ID)
+- c.dCUR = p_srate;
++ c.dCUR = cpu_to_le32(p_srate);
+ else if (entity_id == USB_OUT_CLK_ID)
+- c.dCUR = c_srate;
++ c.dCUR = cpu_to_le32(c_srate);
+
+ value = min_t(unsigned, w_length, sizeof c);
+ memcpy(req->buf, &c, value);
+@@ -1314,15 +1314,15 @@ in_rq_range(struct usb_function *fn, con
+
+ if (control_selector == UAC2_CS_CONTROL_SAM_FREQ) {
+ if (entity_id == USB_IN_CLK_ID)
+- r.dMIN = p_srate;
++ r.dMIN = cpu_to_le32(p_srate);
+ else if (entity_id == USB_OUT_CLK_ID)
+- r.dMIN = c_srate;
++ r.dMIN = cpu_to_le32(c_srate);
+ else
+ return -EOPNOTSUPP;
+
+ r.dMAX = r.dMIN;
+ r.dRES = 0;
+- r.wNumSubRanges = 1;
++ r.wNumSubRanges = cpu_to_le16(1);
+
+ value = min_t(unsigned, w_length, sizeof r);
+ memcpy(req->buf, &r, value);
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Wed, 20 Jun 2018 11:55:08 +0800
+Subject: usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit f36b507c14c4b6e634463a610294e9cb0065c8ea ]
+
+The driver may sleep in an interrupt handler.
+The function call path (from bottom to top) in Linux-4.16.7 is:
+
+[FUNC] r8a66597_queue(GFP_KERNEL)
+drivers/usb/gadget/udc/r8a66597-udc.c, 1193:
+ r8a66597_queue in get_status
+drivers/usb/gadget/udc/r8a66597-udc.c, 1301:
+ get_status in setup_packet
+drivers/usb/gadget/udc/r8a66597-udc.c, 1381:
+ setup_packet in irq_control_stage
+drivers/usb/gadget/udc/r8a66597-udc.c, 1508:
+ irq_control_stage in r8a66597_irq (interrupt handler)
+
+To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC.
+
+This bug is found by my static analysis tool (DSAC-2) and checked by
+my code review.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/r8a66597-udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/r8a66597-udc.c
++++ b/drivers/usb/gadget/udc/r8a66597-udc.c
+@@ -1193,7 +1193,7 @@ __acquires(r8a66597->lock)
+ r8a66597->ep0_req->length = 2;
+ /* AV: what happens if we get called again before that gets through? */
+ spin_unlock(&r8a66597->lock);
+- r8a66597_queue(r8a66597->gadget.ep0, r8a66597->ep0_req, GFP_KERNEL);
++ r8a66597_queue(r8a66597->gadget.ep0, r8a66597->ep0_req, GFP_ATOMIC);
+ spin_lock(&r8a66597->lock);
+ }
+
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Wed, 20 Jun 2018 11:54:53 +0800
+Subject: usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 0602088b10a7c0b4e044a810678ef93d7cc5bf48 ]
+
+The driver may sleep with holding a spinlock.
+The function call paths (from bottom to top) in Linux-4.16.7 are:
+
+[FUNC] msleep
+drivers/usb/gadget/udc/r8a66597-udc.c, 839:
+ msleep in init_controller
+drivers/usb/gadget/udc/r8a66597-udc.c, 96:
+ init_controller in r8a66597_usb_disconnect
+drivers/usb/gadget/udc/r8a66597-udc.c, 93:
+ spin_lock in r8a66597_usb_disconnect
+
+[FUNC] msleep
+drivers/usb/gadget/udc/r8a66597-udc.c, 835:
+ msleep in init_controller
+drivers/usb/gadget/udc/r8a66597-udc.c, 96:
+ init_controller in r8a66597_usb_disconnect
+drivers/usb/gadget/udc/r8a66597-udc.c, 93:
+ spin_lock in r8a66597_usb_disconnect
+
+To fix these bugs, msleep() is replaced with mdelay().
+
+This bug is found by my static analysis tool (DSAC-2) and checked by
+my code review.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/r8a66597-udc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/udc/r8a66597-udc.c
++++ b/drivers/usb/gadget/udc/r8a66597-udc.c
+@@ -835,11 +835,11 @@ static void init_controller(struct r8a66
+
+ r8a66597_bset(r8a66597, XCKE, SYSCFG0);
+
+- msleep(3);
++ mdelay(3);
+
+ r8a66597_bset(r8a66597, PLLC, SYSCFG0);
+
+- msleep(1);
++ mdelay(1);
+
+ r8a66597_bset(r8a66597, SCKE, SYSCFG0);
+
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sun, 15 Jul 2018 10:37:37 -0700
+Subject: usb/phy: fix PPC64 build errors in phy-fsl-usb.c
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit a39ba90a1cc7010edb0a7132e1b67f3d80b994e9 ]
+
+Fix build errors when built for PPC64:
+These variables are only used on PPC32 so they don't need to be
+initialized for PPC64.
+
+../drivers/usb/phy/phy-fsl-usb.c: In function 'usb_otg_start':
+../drivers/usb/phy/phy-fsl-usb.c:865:3: error: '_fsl_readl' undeclared (first use in this function); did you mean 'fsl_readl'?
+ _fsl_readl = _fsl_readl_be;
+../drivers/usb/phy/phy-fsl-usb.c:865:16: error: '_fsl_readl_be' undeclared (first use in this function); did you mean 'fsl_readl'?
+ _fsl_readl = _fsl_readl_be;
+../drivers/usb/phy/phy-fsl-usb.c:866:3: error: '_fsl_writel' undeclared (first use in this function); did you mean 'fsl_writel'?
+ _fsl_writel = _fsl_writel_be;
+../drivers/usb/phy/phy-fsl-usb.c:866:17: error: '_fsl_writel_be' undeclared (first use in this function); did you mean 'fsl_writel'?
+ _fsl_writel = _fsl_writel_be;
+../drivers/usb/phy/phy-fsl-usb.c:868:16: error: '_fsl_readl_le' undeclared (first use in this function); did you mean 'fsl_readl'?
+ _fsl_readl = _fsl_readl_le;
+../drivers/usb/phy/phy-fsl-usb.c:869:17: error: '_fsl_writel_le' undeclared (first use in this function); did you mean 'fsl_writel'?
+ _fsl_writel = _fsl_writel_le;
+
+and the sysfs "show" function return type should be ssize_t, not int:
+
+../drivers/usb/phy/phy-fsl-usb.c:1042:49: error: initialization of 'ssize_t (*)(struct device *, struct device_attribute *, char *)' {aka 'long int (*)(struct device *, struct device_attribute *, char *)'} from incompatible pointer type 'int (*)(struct device *, struct device_attribute *, char *)' [-Werror=incompatible-pointer-types]
+ static DEVICE_ATTR(fsl_usb2_otg_state, S_IRUGO, show_fsl_usb2_otg_state, NULL);
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Felipe Balbi <balbi@kernel.org>
+Cc: linux-usb@vger.kernel.org
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: linuxppc-dev@lists.ozlabs.org
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/phy/phy-fsl-usb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/phy/phy-fsl-usb.c
++++ b/drivers/usb/phy/phy-fsl-usb.c
+@@ -913,6 +913,7 @@ int usb_otg_start(struct platform_device
+ if (pdata->init && pdata->init(pdev) != 0)
+ return -EINVAL;
+
++#ifdef CONFIG_PPC32
+ if (pdata->big_endian_mmio) {
+ _fsl_readl = _fsl_readl_be;
+ _fsl_writel = _fsl_writel_be;
+@@ -920,6 +921,7 @@ int usb_otg_start(struct platform_device
+ _fsl_readl = _fsl_readl_le;
+ _fsl_writel = _fsl_writel_le;
+ }
++#endif
+
+ /* request irq */
+ p_otg->irq = platform_get_irq(pdev, 0);
+@@ -1010,7 +1012,7 @@ int usb_otg_start(struct platform_device
+ /*
+ * state file in sysfs
+ */
+-static int show_fsl_usb2_otg_state(struct device *dev,
++static ssize_t show_fsl_usb2_otg_state(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+ struct otg_fsm *fsm = &fsl_otg_dev->fsm;
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+Date: Thu, 21 Jun 2018 09:30:47 +0300
+Subject: xfrm: fix missing dst_release() after policy blocking lbcast and multicast
+
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+
+[ Upstream commit 8cc88773855f988d6a3bbf102bbd9dd9c828eb81 ]
+
+Fix missing dst_release() when local broadcast or multicast traffic is
+xfrm policy blocked.
+
+For IPv4 this results to dst leak: ip_route_output_flow() allocates
+dst_entry via __ip_route_output_key() and passes it to
+xfrm_lookup_route(). xfrm_lookup returns ERR_PTR(-EPERM) that is
+propagated. The dst that was allocated is never released.
+
+IPv4 local broadcast testcase:
+ ping -b 192.168.1.255 &
+ sleep 1
+ ip xfrm policy add src 0.0.0.0/0 dst 192.168.1.255/32 dir out action block
+
+IPv4 multicast testcase:
+ ping 224.0.0.1 &
+ sleep 1
+ ip xfrm policy add src 0.0.0.0/0 dst 224.0.0.1/32 dir out action block
+
+For IPv6 the missing dst_release() causes trouble e.g. when used in netns:
+ ip netns add TEST
+ ip netns exec TEST ip link set lo up
+ ip link add dummy0 type dummy
+ ip link set dev dummy0 netns TEST
+ ip netns exec TEST ip addr add fd00::1111 dev dummy0
+ ip netns exec TEST ip link set dummy0 up
+ ip netns exec TEST ping -6 -c 5 ff02::1%dummy0 &
+ sleep 1
+ ip netns exec TEST ip xfrm policy add src ::/0 dst ff02::1 dir out action block
+ wait
+ ip netns del TEST
+
+After netns deletion we see:
+[ 258.239097] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[ 268.279061] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[ 278.367018] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[ 288.375259] unregister_netdevice: waiting for lo to become free. Usage count = 2
+
+Fixes: ac37e2515c1a ("xfrm: release dst_orig in case of error in xfrm_lookup()")
+Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_policy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -2291,6 +2291,9 @@ struct dst_entry *xfrm_lookup_route(stru
+ if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
+ return make_blackhole(net, dst_orig->ops->family, dst_orig);
+
++ if (IS_ERR(dst))
++ dst_release(dst_orig);
++
+ return dst;
+ }
+ EXPORT_SYMBOL(xfrm_lookup_route);
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 25 Jun 2018 14:00:07 +0200
+Subject: xfrm: free skb if nlsk pointer is NULL
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 86126b77dcd551ce223e7293bb55854e3df05646 ]
+
+nlmsg_multicast() always frees the skb, so in case we cannot call
+it we must do that ourselves.
+
+Fixes: 21ee543edc0dea ("xfrm: fix race between netns cleanup and state expire notification")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_user.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -955,10 +955,12 @@ static inline int xfrm_nlmsg_multicast(s
+ {
+ struct sock *nlsk = rcu_dereference(net->xfrm.nlsk);
+
+- if (nlsk)
+- return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
+- else
+- return -1;
++ if (!nlsk) {
++ kfree_skb(skb);
++ return -EPIPE;
++ }
++
++ return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
+ }
+
+ static inline size_t xfrm_spdinfo_msgsize(void)
--- /dev/null
+From foo@baz Tue Aug 28 16:08:28 CEST 2018
+From: Li Wang <liwang@redhat.com>
+Date: Thu, 26 Jul 2018 16:37:42 -0700
+Subject: zswap: re-check zswap_is_full() after do zswap_shrink()
+
+From: Li Wang <liwang@redhat.com>
+
+[ Upstream commit 16e536ef47f567289a5699abee9ff7bb304bc12d ]
+
+/sys/../zswap/stored_pages keeps rising in a zswap test with
+"zswap.max_pool_percent=0" parameter. But it should not compress or
+store pages any more since there is no space in the compressed pool.
+
+Reproduce steps:
+ 1. Boot kernel with "zswap.enabled=1"
+ 2. Set the max_pool_percent to 0
+ # echo 0 > /sys/module/zswap/parameters/max_pool_percent
+ 3. Do memory stress test to see if some pages have been compressed
+ # stress --vm 1 --vm-bytes $mem_available"M" --timeout 60s
+ 4. Watching the 'stored_pages' number increasing or not
+
+The root cause is:
+
+ When zswap_max_pool_percent is set to 0 via kernel parameter,
+ zswap_is_full() will always return true due to zswap_shrink(). But if
+ the shinking is able to reclain a page successfully the code then
+ proceeds to compressing/storing another page, so the value of
+ stored_pages will keep changing.
+
+To solve the issue, this patch adds a zswap_is_full() check again after
+ zswap_shrink() to make sure it's now under the max_pool_percent, and to
+ not compress/store if we reached the limit.
+
+Link: http://lkml.kernel.org/r/20180530103936.17812-1-liwang@redhat.com
+Signed-off-by: Li Wang <liwang@redhat.com>
+Acked-by: Dan Streetman <ddstreet@ieee.org>
+Cc: Seth Jennings <sjenning@redhat.com>
+Cc: Huang Ying <huang.ying.caritas@gmail.com>
+Cc: Yu Zhao <yuzhao@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/zswap.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/mm/zswap.c
++++ b/mm/zswap.c
+@@ -662,6 +662,15 @@ static int zswap_frontswap_store(unsigne
+ ret = -ENOMEM;
+ goto reject;
+ }
++
++ /* A second zswap_is_full() check after
++ * zswap_shrink() to make sure it's now
++ * under the max_pool_percent
++ */
++ if (zswap_is_full()) {
++ ret = -ENOMEM;
++ goto reject;
++ }
+ }
+
+ /* allocate entry */
projects / thirdparty / kernel / stable-queue.git / commitdiff
