--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 8 Aug 2018 10:30:03 +0200
+Subject: ACPI / scan: Initialize status to ACPI_STA_DEFAULT
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 5971b0c1594d6c34e257101ed5fdffec65205c50 ]
+
+Since commit 63347db0affa "ACPI / scan: Use acpi_bus_get_status() to
+initialize ACPI_TYPE_DEVICE devs" the status field of normal acpi_devices
+gets set to 0 by acpi_bus_type_and_status() and filled with its actual
+value later when acpi_add_single_object() calls acpi_bus_get_status().
+
+This means that any acpi_match_device_ids() calls in between will always
+fail with -ENOENT.
+
+We already have a workaround for this, which temporary forces status to
+ACPI_STA_DEFAULT in drivers/acpi/x86/utils.c: acpi_device_always_present()
+and the next commit in this series adds another acpi_match_device_ids()
+call between status being initialized as 0 and the acpi_bus_get_status()
+call.
+
+Rather then adding another workaround, this commit makes
+acpi_bus_type_and_status() initialize status to ACPI_STA_DEFAULT, this is
+safe to do as the only code looking at status between the initialization
+and the acpi_bus_get_status() call is those acpi_match_device_ids() calls.
+
+Note this does mean that we need to (re)set status to 0 in case the
+acpi_bus_get_status() call fails.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/scan.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1599,7 +1599,8 @@ static int acpi_add_single_object(struct
+ * Note this must be done before the get power-/wakeup_dev-flags calls.
+ */
+ if (type == ACPI_BUS_TYPE_DEVICE)
+- acpi_bus_get_status(device);
++ if (acpi_bus_get_status(device) < 0)
++ acpi_set_device_status(device, 0);
+
+ acpi_bus_get_power_flags(device);
+ acpi_bus_get_wakeup_device_flags(device);
+@@ -1677,7 +1678,7 @@ static int acpi_bus_type_and_status(acpi
+ * acpi_add_single_object updates this once we've an acpi_device
+ * so that acpi_bus_get_status' quirk handling can be used.
+ */
+- *sta = 0;
++ *sta = ACPI_STA_DEFAULT;
+ break;
+ case ACPI_TYPE_PROCESSOR:
+ *type = ACPI_BUS_TYPE_PROCESSOR;
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Fri, 24 Aug 2018 16:06:34 +0100
+Subject: ARM: rockchip: Force CONFIG_PM on Rockchip systems
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+[ Upstream commit d1558dfd9f22c99a5b8e1354ad881ee40749da89 ]
+
+A number of the Rockchip-specific drivers (IOMMU, display controllers)
+are now assuming that CONFIG_PM is set, and may completely misbehave
+if that's not the case.
+
+Since there is hardly any reason for this configuration option not
+to be selected anyway, let's require it (in the same way Tegra already
+does).
+
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-rockchip/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mach-rockchip/Kconfig
++++ b/arch/arm/mach-rockchip/Kconfig
+@@ -18,6 +18,7 @@ config ARCH_ROCKCHIP
+ select ARM_GLOBAL_TIMER
+ select CLKSRC_ARM_GLOBAL_TIMER_SCHED_CLOCK
+ select ZONE_DMA if ARM_LPAE
++ select PM
+ help
+ Support for Rockchip's Cortex-A9 Single-to-Quad-Core-SoCs
+ containing the RK2928, RK30xx and RK31xx series.
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Fri, 24 Aug 2018 16:06:35 +0100
+Subject: arm64: rockchip: Force CONFIG_PM on Rockchip systems
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+[ Upstream commit 7db7a8f5638a2ffe0c0c0d55b5186b6191fd6af7 ]
+
+A number of the Rockchip-specific drivers (IOMMU, display controllers)
+are now assuming that CONFIG_PM is set, and may completely misbehave
+if that's not the case.
+
+Since there is hardly any reason for this configuration option not
+to be selected anyway, let's require it (in the same way Tegra already
+does).
+
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/Kconfig.platforms | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/Kconfig.platforms
++++ b/arch/arm64/Kconfig.platforms
+@@ -148,6 +148,7 @@ config ARCH_ROCKCHIP
+ select GPIOLIB
+ select PINCTRL
+ select PINCTRL_ROCKCHIP
++ select PM
+ select ROCKCHIP_TIMER
+ help
+ This enables support for the ARMv8 based Rockchip chipsets,
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Matthias Kaehlcke <mka@chromium.org>
+Date: Tue, 7 Aug 2018 10:19:40 -0700
+Subject: ASoC: rt5677: Fix initialization of rt5677_of_match.data
+
+From: Matthias Kaehlcke <mka@chromium.org>
+
+[ Upstream commit f861e3e28a3016a2064d9f600eaa92a530b732b4 ]
+
+The driver expects to find the device id in rt5677_of_match.data, however
+it is currently assigned to rt5677_of_match.type. Fix this.
+
+The problem was found with the help of clang:
+ sound/soc/codecs/rt5677.c:5010:36: warning: expression which evaluates to
+ zero treated as a null pointer constant of type 'const void *'
+ [-Wnon-literal-null-conversion]
+ { .compatible = "realtek,rt5677", RT5677 },
+ ^~~~~~
+
+Fixes: ddc9e69b9dc2 ("ASoC: rt5677: Hide platform data in the module sources")
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/rt5677.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/rt5677.c
++++ b/sound/soc/codecs/rt5677.c
+@@ -5017,7 +5017,7 @@ static const struct i2c_device_id rt5677
+ MODULE_DEVICE_TABLE(i2c, rt5677_i2c_id);
+
+ static const struct of_device_id rt5677_of_match[] = {
+- { .compatible = "realtek,rt5677", RT5677 },
++ { .compatible = "realtek,rt5677", .data = (const void *)RT5677 },
+ { }
+ };
+ MODULE_DEVICE_TABLE(of, rt5677_of_match);
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Greg Edwards <gedwards@ddn.com>
+Date: Wed, 8 Aug 2018 13:27:53 -0600
+Subject: block: bvec_nr_vecs() returns value for wrong slab
+
+From: Greg Edwards <gedwards@ddn.com>
+
+[ Upstream commit d6c02a9beb67f13d5f14f23e72fa9981e8b84477 ]
+
+In commit ed996a52c868 ("block: simplify and cleanup bvec pool
+handling"), the value of the slab index is incremented by one in
+bvec_alloc() after the allocation is done to indicate an index value of
+0 does not need to be later freed.
+
+bvec_nr_vecs() was not updated accordingly, and thus returns the wrong
+value. Decrement idx before performing the lookup.
+
+Fixes: ed996a52c868 ("block: simplify and cleanup bvec pool handling")
+Signed-off-by: Greg Edwards <gedwards@ddn.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/bio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -156,7 +156,7 @@ out:
+
+ unsigned int bvec_nr_vecs(unsigned short idx)
+ {
+- return bvec_slabs[idx].nr_vecs;
++ return bvec_slabs[--idx].nr_vecs;
+ }
+
+ void bvec_free(mempool_t *pool, struct bio_vec *bv, unsigned int idx)
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Qu Wenruo <wqu@suse.com>
+Date: Fri, 22 Jun 2018 12:35:00 +0800
+Subject: btrfs: Don't remove block group that still has pinned down bytes
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 43794446548730ac8461be30bbe47d5d027d1d16 ]
+
+[BUG]
+Under certain KVM load and LTP tests, it is possible to hit the
+following calltrace if quota is enabled:
+
+BTRFS critical (device vda2): unable to find logical 8820195328 length 4096
+BTRFS critical (device vda2): unable to find logical 8820195328 length 4096
+
+WARNING: CPU: 0 PID: 49 at ../block/blk-core.c:172 blk_status_to_errno+0x1a/0x30
+CPU: 0 PID: 49 Comm: kworker/u2:1 Not tainted 4.12.14-15-default #1 SLE15 (unreleased)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+Workqueue: btrfs-endio-write btrfs_endio_write_helper [btrfs]
+task: ffff9f827b340bc0 task.stack: ffffb4f8c0304000
+RIP: 0010:blk_status_to_errno+0x1a/0x30
+Call Trace:
+ submit_extent_page+0x191/0x270 [btrfs]
+ ? btrfs_create_repair_bio+0x130/0x130 [btrfs]
+ __do_readpage+0x2d2/0x810 [btrfs]
+ ? btrfs_create_repair_bio+0x130/0x130 [btrfs]
+ ? run_one_async_done+0xc0/0xc0 [btrfs]
+ __extent_read_full_page+0xe7/0x100 [btrfs]
+ ? run_one_async_done+0xc0/0xc0 [btrfs]
+ read_extent_buffer_pages+0x1ab/0x2d0 [btrfs]
+ ? run_one_async_done+0xc0/0xc0 [btrfs]
+ btree_read_extent_buffer_pages+0x94/0xf0 [btrfs]
+ read_tree_block+0x31/0x60 [btrfs]
+ read_block_for_search.isra.35+0xf0/0x2e0 [btrfs]
+ btrfs_search_slot+0x46b/0xa00 [btrfs]
+ ? kmem_cache_alloc+0x1a8/0x510
+ ? btrfs_get_token_32+0x5b/0x120 [btrfs]
+ find_parent_nodes+0x11d/0xeb0 [btrfs]
+ ? leaf_space_used+0xb8/0xd0 [btrfs]
+ ? btrfs_leaf_free_space+0x49/0x90 [btrfs]
+ ? btrfs_find_all_roots_safe+0x93/0x100 [btrfs]
+ btrfs_find_all_roots_safe+0x93/0x100 [btrfs]
+ btrfs_find_all_roots+0x45/0x60 [btrfs]
+ btrfs_qgroup_trace_extent_post+0x20/0x40 [btrfs]
+ btrfs_add_delayed_data_ref+0x1a3/0x1d0 [btrfs]
+ btrfs_alloc_reserved_file_extent+0x38/0x40 [btrfs]
+ insert_reserved_file_extent.constprop.71+0x289/0x2e0 [btrfs]
+ btrfs_finish_ordered_io+0x2f4/0x7f0 [btrfs]
+ ? pick_next_task_fair+0x2cd/0x530
+ ? __switch_to+0x92/0x4b0
+ btrfs_worker_helper+0x81/0x300 [btrfs]
+ process_one_work+0x1da/0x3f0
+ worker_thread+0x2b/0x3f0
+ ? process_one_work+0x3f0/0x3f0
+ kthread+0x11a/0x130
+ ? kthread_create_on_node+0x40/0x40
+ ret_from_fork+0x35/0x40
+
+BTRFS critical (device vda2): unable to find logical 8820195328 length 16384
+BTRFS: error (device vda2) in btrfs_finish_ordered_io:3023: errno=-5 IO failure
+BTRFS info (device vda2): forced readonly
+BTRFS error (device vda2): pending csums is 2887680
+
+[CAUSE]
+It's caused by race with block group auto removal:
+
+- There is a meta block group X, which has only one tree block
+ The tree block belongs to fs tree 257.
+- In current transaction, some operation modified fs tree 257
+ The tree block gets COWed, so the block group X is empty, and marked
+ as unused, queued to be deleted.
+- Some workload (like fsync) wakes up cleaner_kthread()
+ Which will call btrfs_delete_unused_bgs() to remove unused block
+ groups.
+ So block group X along its chunk map get removed.
+- Some delalloc work finished for fs tree 257
+ Quota needs to get the original reference of the extent, which will
+ read tree blocks of commit root of 257.
+ Then since the chunk map gets removed, the above warning gets
+ triggered.
+
+[FIX]
+Just let btrfs_delete_unused_bgs() skip block group which still has
+pinned bytes.
+
+However there is a minor side effect: currently we only queue empty
+blocks at update_block_group(), and such empty block group with pinned
+bytes won't go through update_block_group() again, such block group
+won't be removed, until it gets new extent allocated and removed.
+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent-tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -10757,7 +10757,7 @@ void btrfs_delete_unused_bgs(struct btrf
+ /* Don't want to race with allocators so take the groups_sem */
+ down_write(&space_info->groups_sem);
+ spin_lock(&block_group->lock);
+- if (block_group->reserved ||
++ if (block_group->reserved || block_group->pinned ||
+ btrfs_block_group_used(&block_group->item) ||
+ block_group->ro ||
+ list_is_singular(&block_group->list)) {
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Qu Wenruo <wqu@suse.com>
+Date: Wed, 1 Aug 2018 10:37:20 +0800
+Subject: btrfs: Exit gracefully when chunk map cannot be inserted to the tree
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 64f64f43c89aca1782aa672e0586f6903c5d8979 ]
+
+It's entirely possible that a crafted btrfs image contains overlapping
+chunks.
+
+Although we can't detect such problem by tree-checker, it's not a
+catastrophic problem, current extent map can already detect such problem
+and return -EEXIST.
+
+We just only need to exit gracefully and fail the mount.
+
+Reported-by: Xu Wen <wen.xu@gatech.edu>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=200409
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -6492,10 +6492,14 @@ static int read_one_chunk(struct btrfs_f
+ write_lock(&map_tree->map_tree.lock);
+ ret = add_extent_mapping(&map_tree->map_tree, em, 0);
+ write_unlock(&map_tree->map_tree.lock);
+- BUG_ON(ret); /* Tree corruption */
++ if (ret < 0) {
++ btrfs_err(fs_info,
++ "failed to add chunk map, start=%llu len=%llu: %d",
++ em->start, em->len, ret);
++ }
+ free_extent_map(em);
+
+- return 0;
++ return ret;
+ }
+
+ static void fill_device_from_item(struct extent_buffer *leaf,
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 3 Jul 2018 17:10:07 +0800
+Subject: btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 389305b2aa68723c754f88d9dbd268a400e10664 ]
+
+Invalid reloc tree can cause kernel NULL pointer dereference when btrfs
+does some cleanup of the reloc roots.
+
+It turns out that fs_info::reloc_ctl can be NULL in
+btrfs_recover_relocation() as we allocate relocation control after all
+reloc roots have been verified.
+So when we hit: note, we haven't called set_reloc_control() thus
+fs_info::reloc_ctl is still NULL.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199833
+Reported-by: Xu Wen <wen.xu@gatech.edu>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Tested-by: Gu Jinxiang <gujx@cn.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/relocation.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -1334,18 +1334,19 @@ static void __del_reloc_root(struct btrf
+ struct mapping_node *node = NULL;
+ struct reloc_control *rc = fs_info->reloc_ctl;
+
+- spin_lock(&rc->reloc_root_tree.lock);
+- rb_node = tree_search(&rc->reloc_root_tree.rb_root,
+- root->node->start);
+- if (rb_node) {
+- node = rb_entry(rb_node, struct mapping_node, rb_node);
+- rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root);
++ if (rc) {
++ spin_lock(&rc->reloc_root_tree.lock);
++ rb_node = tree_search(&rc->reloc_root_tree.rb_root,
++ root->node->start);
++ if (rb_node) {
++ node = rb_entry(rb_node, struct mapping_node, rb_node);
++ rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root);
++ }
++ spin_unlock(&rc->reloc_root_tree.lock);
++ if (!node)
++ return;
++ BUG_ON((struct btrfs_root *)node->data != root);
+ }
+- spin_unlock(&rc->reloc_root_tree.lock);
+-
+- if (!node)
+- return;
+- BUG_ON((struct btrfs_root *)node->data != root);
+
+ spin_lock(&fs_info->trans_lock);
+ list_del_init(&root->root_list);
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
+Date: Tue, 31 Jul 2018 16:20:21 +0900
+Subject: btrfs: replace: Reset on-disk dev stats value after replace
+
+From: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
+
+[ Upstream commit 1e7e1f9e3aba00c9b9c323bfeeddafe69ff21ff6 ]
+
+on-disk devs stats value is updated in btrfs_run_dev_stats(),
+which is called during commit transaction, if device->dev_stats_ccnt
+is not zero.
+
+Since current replace operation does not touch dev_stats_ccnt,
+on-disk dev stats value is not updated. Therefore "btrfs device stats"
+may return old device's value after umount/mount
+(Example: See "btrfs ins dump-t -t DEV $DEV" after btrfs/100 finish).
+
+Fix this by just incrementing dev_stats_ccnt in
+btrfs_dev_replace_finishing() when replace is succeeded and this will
+update the values.
+
+Signed-off-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/dev-replace.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/btrfs/dev-replace.c
++++ b/fs/btrfs/dev-replace.c
+@@ -589,6 +589,12 @@ static int btrfs_dev_replace_finishing(s
+ btrfs_rm_dev_replace_unblocked(fs_info);
+
+ /*
++ * Increment dev_stats_ccnt so that btrfs_run_dev_stats() will
++ * update on-disk dev stats value during commit transaction
++ */
++ atomic_inc(&tgt_device->dev_stats_ccnt);
++
++ /*
+ * this is again a consistent state where no dev_replace procedure
+ * is running, the target device is part of the filesystem, the
+ * source device is not part of the filesystem anymore and its 1st
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Tue, 7 Aug 2018 16:17:29 -0700
+Subject: cfq: Suppress compiler warnings about comparisons
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+[ Upstream commit f7ecb1b109da1006a08d5675debe60990e824432 ]
+
+This patch does not change any functionality but avoids that gcc
+reports the following warnings when building with W=1:
+
+block/cfq-iosched.c: In function ?cfq_back_seek_max_store?:
+block/cfq-iosched.c:4741:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
+ if (__data < (MIN)) \
+ ^
+block/cfq-iosched.c:4756:1: note: in expansion of macro ?STORE_FUNCTION?
+ STORE_FUNCTION(cfq_back_seek_max_store, &cfqd->cfq_back_max, 0, UINT_MAX, 0);
+ ^~~~~~~~~~~~~~
+block/cfq-iosched.c: In function ?cfq_slice_idle_store?:
+block/cfq-iosched.c:4741:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
+ if (__data < (MIN)) \
+ ^
+block/cfq-iosched.c:4759:1: note: in expansion of macro ?STORE_FUNCTION?
+ STORE_FUNCTION(cfq_slice_idle_store, &cfqd->cfq_slice_idle, 0, UINT_MAX, 1);
+ ^~~~~~~~~~~~~~
+block/cfq-iosched.c: In function ?cfq_group_idle_store?:
+block/cfq-iosched.c:4741:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
+ if (__data < (MIN)) \
+ ^
+block/cfq-iosched.c:4760:1: note: in expansion of macro ?STORE_FUNCTION?
+ STORE_FUNCTION(cfq_group_idle_store, &cfqd->cfq_group_idle, 0, UINT_MAX, 1);
+ ^~~~~~~~~~~~~~
+block/cfq-iosched.c: In function ?cfq_low_latency_store?:
+block/cfq-iosched.c:4741:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
+ if (__data < (MIN)) \
+ ^
+block/cfq-iosched.c:4765:1: note: in expansion of macro ?STORE_FUNCTION?
+ STORE_FUNCTION(cfq_low_latency_store, &cfqd->cfq_latency, 0, 1, 0);
+ ^~~~~~~~~~~~~~
+block/cfq-iosched.c: In function ?cfq_slice_idle_us_store?:
+block/cfq-iosched.c:4775:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
+ if (__data < (MIN)) \
+ ^
+block/cfq-iosched.c:4782:1: note: in expansion of macro ?USEC_STORE_FUNCTION?
+ USEC_STORE_FUNCTION(cfq_slice_idle_us_store, &cfqd->cfq_slice_idle, 0, UINT_MAX);
+ ^~~~~~~~~~~~~~~~~~~
+block/cfq-iosched.c: In function ?cfq_group_idle_us_store?:
+block/cfq-iosched.c:4775:13: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
+ if (__data < (MIN)) \
+ ^
+block/cfq-iosched.c:4783:1: note: in expansion of macro ?USEC_STORE_FUNCTION?
+ USEC_STORE_FUNCTION(cfq_group_idle_us_store, &cfqd->cfq_group_idle, 0, UINT_MAX);
+ ^~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/cfq-iosched.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/block/cfq-iosched.c
++++ b/block/cfq-iosched.c
+@@ -4741,12 +4741,13 @@ USEC_SHOW_FUNCTION(cfq_target_latency_us
+ static ssize_t __FUNC(struct elevator_queue *e, const char *page, size_t count) \
+ { \
+ struct cfq_data *cfqd = e->elevator_data; \
+- unsigned int __data; \
++ unsigned int __data, __min = (MIN), __max = (MAX); \
++ \
+ cfq_var_store(&__data, (page)); \
+- if (__data < (MIN)) \
+- __data = (MIN); \
+- else if (__data > (MAX)) \
+- __data = (MAX); \
++ if (__data < __min) \
++ __data = __min; \
++ else if (__data > __max) \
++ __data = __max; \
+ if (__CONV) \
+ *(__PTR) = (u64)__data * NSEC_PER_MSEC; \
+ else \
+@@ -4775,12 +4776,13 @@ STORE_FUNCTION(cfq_target_latency_store,
+ static ssize_t __FUNC(struct elevator_queue *e, const char *page, size_t count) \
+ { \
+ struct cfq_data *cfqd = e->elevator_data; \
+- unsigned int __data; \
++ unsigned int __data, __min = (MIN), __max = (MAX); \
++ \
+ cfq_var_store(&__data, (page)); \
+- if (__data < (MIN)) \
+- __data = (MIN); \
+- else if (__data > (MAX)) \
+- __data = (MAX); \
++ if (__data < __min) \
++ __data = __min; \
++ else if (__data > __max) \
++ __data = __max; \
+ *(__PTR) = (u64)__data * NSEC_PER_USEC; \
+ return count; \
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Wed, 22 Aug 2018 12:19:24 +1000
+Subject: cifs: check if SMB2 PDU size has been padded and suppress the warning
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+[ Upstream commit e6c47dd0da1e3a484e778046fc10da0b20606a86 ]
+
+Some SMB2/3 servers, Win2016 but possibly others too, adds padding
+not only between PDUs in a compound but also to the final PDU.
+This padding extends the PDU to a multiple of 8 bytes.
+
+Check if the unexpected length looks like this might be the case
+and avoid triggering the log messages for :
+
+ "SMB2 server sent bad RFC1001 len %d not %d\n"
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2misc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/cifs/smb2misc.c
++++ b/fs/cifs/smb2misc.c
+@@ -212,6 +212,13 @@ smb2_check_message(char *buf, unsigned i
+ return 0;
+
+ /*
++ * Some windows servers (win2016) will pad also the final
++ * PDU in a compound to 8 bytes.
++ */
++ if (((clc_len + 7) & ~7) == len)
++ return 0;
++
++ /*
+ * MacOS server pads after SMB2.1 write response with 3 bytes
+ * of junk. Other servers match RFC1001 len to actual
+ * SMB2/SMB3 frame length (header + smb2 response specific data)
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Levin Du <djw@t-chip.com.cn>
+Date: Sat, 4 Aug 2018 15:31:02 +0800
+Subject: clk: rockchip: Add pclk_rkpwm_pmu to PMU critical clocks in rk3399
+
+From: Levin Du <djw@t-chip.com.cn>
+
+[ Upstream commit 640332d1a089909df08bc9f3e42888a2019c66e2 ]
+
+PWM2 is commonly used to control voltage of PWM regulator of VDD_LOG in
+RK3399. On the Firefly-RK3399 board, PWM2 outputs 40 KHz square wave
+from power on and the VDD_LOG is about 0.9V. When the kernel boots
+normally into the system, the PWM2 keeps outputing PWM signal.
+
+But the kernel hangs randomly after "Starting kernel ..." line on that
+board. When it happens, PWM2 outputs high level which causes VDD_LOG
+drops to 0.4V below the normal operating voltage.
+
+By adding "pclk_rkpwm_pmu" to the rk3399_pmucru_critical_clocks array,
+PWM clock is ensured to be prepared at startup and the PWM2 output is
+normal. After repeated tests, the early boot hang is gone.
+
+This patch works on both Firefly-RK3399 and ROC-RK3399-PC boards.
+
+Signed-off-by: Levin Du <djw@t-chip.com.cn>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/rockchip/clk-rk3399.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/clk/rockchip/clk-rk3399.c
++++ b/drivers/clk/rockchip/clk-rk3399.c
+@@ -1522,6 +1522,7 @@ static const char *const rk3399_pmucru_c
+ "pclk_pmu_src",
+ "fclk_cm0s_src_pmu",
+ "clk_timer_src_pmu",
++ "pclk_rkpwm_pmu",
+ };
+
+ static void __init rk3399_clk_init(struct device_node *np)
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: John Pittman <jpittman@redhat.com>
+Date: Mon, 6 Aug 2018 15:53:12 -0400
+Subject: dm kcopyd: avoid softlockup in run_complete_job
+
+From: John Pittman <jpittman@redhat.com>
+
+[ Upstream commit 784c9a29e99eb40b842c29ecf1cc3a79e00fb629 ]
+
+It was reported that softlockups occur when using dm-snapshot ontop of
+slow (rbd) storage. E.g.:
+
+[ 4047.990647] watchdog: BUG: soft lockup - CPU#10 stuck for 22s! [kworker/10:23:26177]
+...
+[ 4048.034151] Workqueue: kcopyd do_work [dm_mod]
+[ 4048.034156] RIP: 0010:copy_callback+0x41/0x160 [dm_snapshot]
+...
+[ 4048.034190] Call Trace:
+[ 4048.034196] ? __chunk_is_tracked+0x70/0x70 [dm_snapshot]
+[ 4048.034200] run_complete_job+0x5f/0xb0 [dm_mod]
+[ 4048.034205] process_jobs+0x91/0x220 [dm_mod]
+[ 4048.034210] ? kcopyd_put_pages+0x40/0x40 [dm_mod]
+[ 4048.034214] do_work+0x46/0xa0 [dm_mod]
+[ 4048.034219] process_one_work+0x171/0x370
+[ 4048.034221] worker_thread+0x1fc/0x3f0
+[ 4048.034224] kthread+0xf8/0x130
+[ 4048.034226] ? max_active_store+0x80/0x80
+[ 4048.034227] ? kthread_bind+0x10/0x10
+[ 4048.034231] ret_from_fork+0x35/0x40
+[ 4048.034233] Kernel panic - not syncing: softlockup: hung tasks
+
+Fix this by calling cond_resched() after run_complete_job()'s callout to
+the dm_kcopyd_notify_fn (which is dm-snap.c:copy_callback in the above
+trace).
+
+Signed-off-by: John Pittman <jpittman@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-kcopyd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/md/dm-kcopyd.c
++++ b/drivers/md/dm-kcopyd.c
+@@ -484,6 +484,8 @@ static int run_complete_job(struct kcopy
+ if (atomic_dec_and_test(&kc->nr_jobs))
+ wake_up(&kc->destroyq);
+
++ cond_resched();
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Chao Yu <yuchao0@huawei.com>
+Date: Sun, 29 Jul 2018 12:16:59 +0800
+Subject: f2fs: fix to clear PG_checked flag in set_page_dirty()
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 66110abc4c931f879d70e83e1281f891699364bf ]
+
+PG_checked flag will be set on data page during GC, later, we can
+recognize such page by the flag and migrate page to cold segment.
+
+But previously, we don't clear this flag when invalidating data page,
+after page redirtying, we will write it into wrong log.
+
+Let's clear PG_checked flag in set_page_dirty() to avoid this.
+
+Signed-off-by: Weichao Guo <guoweichao@huawei.com>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/data.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -2190,6 +2190,10 @@ static int f2fs_set_data_page_dirty(stru
+ if (!PageUptodate(page))
+ SetPageUptodate(page);
+
++ /* don't remain PG_checked flag which was set during GC */
++ if (is_cold_data(page))
++ clear_cold_data(page);
++
+ if (f2fs_is_atomic_file(inode) && !f2fs_is_commit_atomic_write(inode)) {
+ if (!IS_ATOMIC_WRITTEN_PAGE(page)) {
+ register_inmem_page(inode, page);
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Date: Tue, 21 Aug 2018 21:59:44 -0700
+Subject: fat: validate ->i_start before using
+
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+
+[ Upstream commit 0afa9626667c3659ef8bd82d42a11e39fedf235c ]
+
+On corrupted FATfs may have invalid ->i_start. To handle it, this checks
+->i_start before using, and return proper error code.
+
+Link: http://lkml.kernel.org/r/87o9f8y1t5.fsf_-_@mail.parknet.co.jp
+Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Tested-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Cc: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fat/cache.c | 19 ++++++++++++-------
+ fs/fat/fat.h | 5 +++++
+ fs/fat/fatent.c | 6 +++---
+ 3 files changed, 20 insertions(+), 10 deletions(-)
+
+--- a/fs/fat/cache.c
++++ b/fs/fat/cache.c
+@@ -225,7 +225,8 @@ static inline void cache_init(struct fat
+ int fat_get_cluster(struct inode *inode, int cluster, int *fclus, int *dclus)
+ {
+ struct super_block *sb = inode->i_sb;
+- const int limit = sb->s_maxbytes >> MSDOS_SB(sb)->cluster_bits;
++ struct msdos_sb_info *sbi = MSDOS_SB(sb);
++ const int limit = sb->s_maxbytes >> sbi->cluster_bits;
+ struct fat_entry fatent;
+ struct fat_cache_id cid;
+ int nr;
+@@ -234,6 +235,12 @@ int fat_get_cluster(struct inode *inode,
+
+ *fclus = 0;
+ *dclus = MSDOS_I(inode)->i_start;
++ if (!fat_valid_entry(sbi, *dclus)) {
++ fat_fs_error_ratelimit(sb,
++ "%s: invalid start cluster (i_pos %lld, start %08x)",
++ __func__, MSDOS_I(inode)->i_pos, *dclus);
++ return -EIO;
++ }
+ if (cluster == 0)
+ return 0;
+
+@@ -250,9 +257,8 @@ int fat_get_cluster(struct inode *inode,
+ /* prevent the infinite loop of cluster chain */
+ if (*fclus > limit) {
+ fat_fs_error_ratelimit(sb,
+- "%s: detected the cluster chain loop"
+- " (i_pos %lld)", __func__,
+- MSDOS_I(inode)->i_pos);
++ "%s: detected the cluster chain loop (i_pos %lld)",
++ __func__, MSDOS_I(inode)->i_pos);
+ nr = -EIO;
+ goto out;
+ }
+@@ -262,9 +268,8 @@ int fat_get_cluster(struct inode *inode,
+ goto out;
+ else if (nr == FAT_ENT_FREE) {
+ fat_fs_error_ratelimit(sb,
+- "%s: invalid cluster chain (i_pos %lld)",
+- __func__,
+- MSDOS_I(inode)->i_pos);
++ "%s: invalid cluster chain (i_pos %lld)",
++ __func__, MSDOS_I(inode)->i_pos);
+ nr = -EIO;
+ goto out;
+ } else if (nr == FAT_ENT_EOF) {
+--- a/fs/fat/fat.h
++++ b/fs/fat/fat.h
+@@ -348,6 +348,11 @@ static inline void fatent_brelse(struct
+ fatent->fat_inode = NULL;
+ }
+
++static inline bool fat_valid_entry(struct msdos_sb_info *sbi, int entry)
++{
++ return FAT_START_ENT <= entry && entry < sbi->max_cluster;
++}
++
+ extern void fat_ent_access_init(struct super_block *sb);
+ extern int fat_ent_read(struct inode *inode, struct fat_entry *fatent,
+ int entry);
+--- a/fs/fat/fatent.c
++++ b/fs/fat/fatent.c
+@@ -23,7 +23,7 @@ static void fat12_ent_blocknr(struct sup
+ {
+ struct msdos_sb_info *sbi = MSDOS_SB(sb);
+ int bytes = entry + (entry >> 1);
+- WARN_ON(entry < FAT_START_ENT || sbi->max_cluster <= entry);
++ WARN_ON(!fat_valid_entry(sbi, entry));
+ *offset = bytes & (sb->s_blocksize - 1);
+ *blocknr = sbi->fat_start + (bytes >> sb->s_blocksize_bits);
+ }
+@@ -33,7 +33,7 @@ static void fat_ent_blocknr(struct super
+ {
+ struct msdos_sb_info *sbi = MSDOS_SB(sb);
+ int bytes = (entry << sbi->fatent_shift);
+- WARN_ON(entry < FAT_START_ENT || sbi->max_cluster <= entry);
++ WARN_ON(!fat_valid_entry(sbi, entry));
+ *offset = bytes & (sb->s_blocksize - 1);
+ *blocknr = sbi->fat_start + (bytes >> sb->s_blocksize_bits);
+ }
+@@ -353,7 +353,7 @@ int fat_ent_read(struct inode *inode, st
+ int err, offset;
+ sector_t blocknr;
+
+- if (entry < FAT_START_ENT || sbi->max_cluster <= entry) {
++ if (!fat_valid_entry(sbi, entry)) {
+ fatent_brelse(fatent);
+ fat_fs_error(sb, "invalid access to FAT (entry 0x%08x)", entry);
+ return -EIO;
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Jann Horn <jannh@google.com>
+Date: Tue, 21 Aug 2018 22:00:58 -0700
+Subject: fork: don't copy inconsistent signal handler state to child
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 06e62a46bbba20aa5286102016a04214bb446141 ]
+
+Before this change, if a multithreaded process forks while one of its
+threads is changing a signal handler using sigaction(), the memcpy() in
+copy_sighand() can race with the struct assignment in do_sigaction(). It
+isn't clear whether this can cause corruption of the userspace signal
+handler pointer, but it definitely can cause inconsistency between
+different fields of struct sigaction.
+
+Take the appropriate spinlock to avoid this.
+
+I have tested that this patch prevents inconsistency between sa_sigaction
+and sa_flags, which is possible before this patch.
+
+Link: http://lkml.kernel.org/r/20180702145108.73189-1-jannh@google.com
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/fork.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1350,7 +1350,9 @@ static int copy_sighand(unsigned long cl
+ return -ENOMEM;
+
+ atomic_set(&sig->count, 1);
++ spin_lock_irq(¤t->sighand->siglock);
+ memcpy(sig->action, current->sighand->action, sizeof(sig->action));
++ spin_unlock_irq(¤t->sighand->siglock);
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 17 Aug 2018 15:44:34 -0700
+Subject: fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 6cd00a01f0c1ae6a852b09c59b8dd55cc6c35d1d ]
+
+Since only dentry->d_name.len + 1 bytes out of DNAME_INLINE_LEN bytes
+are initialized at __d_alloc(), we can't copy the whole size
+unconditionally.
+
+ WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff8fa27465ac50)
+ 636f6e66696766732e746d70000000000010000000000000020000000188ffff
+ i i i i i i i i i i i i i u u u u u u u u u u i i i i i u u u u
+ ^
+ RIP: 0010:take_dentry_name_snapshot+0x28/0x50
+ RSP: 0018:ffffa83000f5bdf8 EFLAGS: 00010246
+ RAX: 0000000000000020 RBX: ffff8fa274b20550 RCX: 0000000000000002
+ RDX: ffffa83000f5be40 RSI: ffff8fa27465ac50 RDI: ffffa83000f5be60
+ RBP: ffffa83000f5bdf8 R08: ffffa83000f5be48 R09: 0000000000000001
+ R10: ffff8fa27465ac00 R11: ffff8fa27465acc0 R12: ffff8fa27465ac00
+ R13: ffff8fa27465acc0 R14: 0000000000000000 R15: 0000000000000000
+ FS: 00007f79737ac8c0(0000) GS:ffffffff8fc30000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffff8fa274c0b000 CR3: 0000000134aa7002 CR4: 00000000000606f0
+ take_dentry_name_snapshot+0x28/0x50
+ vfs_rename+0x128/0x870
+ SyS_rename+0x3b2/0x3d0
+ entry_SYSCALL_64_fastpath+0x1a/0xa4
+ 0xffffffffffffffff
+
+Link: http://lkml.kernel.org/r/201709131912.GBG39012.QMJLOVFSFFOOtH@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: Vegard Nossum <vegard.nossum@gmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dcache.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -291,7 +291,8 @@ void take_dentry_name_snapshot(struct na
+ spin_unlock(&dentry->d_lock);
+ name->name = p->name;
+ } else {
+- memcpy(name->inline_name, dentry->d_iname, DNAME_INLINE_LEN);
++ memcpy(name->inline_name, dentry->d_iname,
++ dentry->d_name.len + 1);
+ spin_unlock(&dentry->d_lock);
+ name->name = name->inline_name;
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: James Morse <james.morse@arm.com>
+Date: Tue, 21 Aug 2018 21:54:48 -0700
+Subject: fs/proc/kcore.c: use __pa_symbol() for KCORE_TEXT list entries
+
+From: James Morse <james.morse@arm.com>
+
+[ Upstream commit df865e8337c397471b95f51017fea559bc8abb4a ]
+
+elf_kcore_store_hdr() uses __pa() to find the physical address of
+KCORE_RAM or KCORE_TEXT entries exported as program headers.
+
+This trips CONFIG_DEBUG_VIRTUAL's checks, as the KCORE_TEXT entries are
+not in the linear map.
+
+Handle these two cases separately, using __pa_symbol() for the KCORE_TEXT
+entries.
+
+Link: http://lkml.kernel.org/r/20180711131944.15252-1-james.morse@arm.com
+Signed-off-by: James Morse <james.morse@arm.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/kcore.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/kcore.c
++++ b/fs/proc/kcore.c
+@@ -384,8 +384,10 @@ static void elf_kcore_store_hdr(char *bu
+ phdr->p_flags = PF_R|PF_W|PF_X;
+ phdr->p_offset = kc_vaddr_to_offset(m->addr) + dataoff;
+ phdr->p_vaddr = (size_t)m->addr;
+- if (m->type == KCORE_RAM || m->type == KCORE_TEXT)
++ if (m->type == KCORE_RAM)
+ phdr->p_paddr = __pa(m->addr);
++ else if (m->type == KCORE_TEXT)
++ phdr->p_paddr = __pa_symbol(m->addr);
+ else
+ phdr->p_paddr = (elf_addr_t)-1;
+ phdr->p_filesz = phdr->p_memsz = m->size;
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: "Ernesto A. FernĂ¡ndez" <ernesto.mnd.fernandez@gmail.com>
+Date: Thu, 23 Aug 2018 17:00:31 -0700
+Subject: hfs: prevent crash on exit from failed search
+
+From: "Ernesto A. FernĂ¡ndez" <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit dc2572791d3a41bab94400af2b6bca9d71ccd303 ]
+
+hfs_find_exit() expects fd->bnode to be NULL after a search has failed.
+hfs_brec_insert() may instead set it to an error-valued pointer. Fix
+this to prevent a crash.
+
+Link: http://lkml.kernel.org/r/53d9749a029c41b4016c495fc5838c9dba3afc52.1530294815.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. FernĂ¡ndez <ernesto.mnd.fernandez@gmail.com>
+Cc: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hfs/brec.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/hfs/brec.c
++++ b/fs/hfs/brec.c
+@@ -75,9 +75,10 @@ int hfs_brec_insert(struct hfs_find_data
+ if (!fd->bnode) {
+ if (!tree->root)
+ hfs_btree_inc_height(tree);
+- fd->bnode = hfs_bnode_find(tree, tree->leaf_head);
+- if (IS_ERR(fd->bnode))
+- return PTR_ERR(fd->bnode);
++ node = hfs_bnode_find(tree, tree->leaf_head);
++ if (IS_ERR(node))
++ return PTR_ERR(node);
++ fd->bnode = node;
+ fd->record = -1;
+ }
+ new_node = NULL;
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Tue, 21 Aug 2018 21:59:12 -0700
+Subject: hfsplus: don't return 0 when fill_super() failed
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 7464726cb5998846306ed0a7d6714afb2e37b25d ]
+
+syzbot is reporting NULL pointer dereference at mount_fs() [1]. This is
+because hfsplus_fill_super() is by error returning 0 when
+hfsplus_fill_super() detected invalid filesystem image, and mount_bdev()
+is returning NULL because dget(s->s_root) == NULL if s->s_root == NULL,
+and mount_fs() is accessing root->d_sb because IS_ERR(root) == false if
+root == NULL. Fix this by returning -EINVAL when hfsplus_fill_super()
+detected invalid filesystem image.
+
+[1] https://syzkaller.appspot.com/bug?id=21acb6850cecbc960c927229e597158cf35f33d0
+
+Link: http://lkml.kernel.org/r/d83ce31a-874c-dd5b-f790-41405983a5be@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+01ffaf5d9568dd1609f7@syzkaller.appspotmail.com>
+Reviewed-by: Ernesto A. FernĂ¡ndez <ernesto.mnd.fernandez@gmail.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hfsplus/super.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -524,8 +524,10 @@ static int hfsplus_fill_super(struct sup
+ goto out_put_root;
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+- if (entry.type != cpu_to_be16(HFSPLUS_FOLDER))
++ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
++ err = -EINVAL;
+ goto out_put_root;
++ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
+ if (IS_ERR(inode)) {
+ err = PTR_ERR(inode);
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: "Ernesto A. FernĂ¡ndez" <ernesto.mnd.fernandez@gmail.com>
+Date: Thu, 23 Aug 2018 17:00:25 -0700
+Subject: hfsplus: fix NULL dereference in hfsplus_lookup()
+
+From: "Ernesto A. FernĂ¡ndez" <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit a7ec7a4193a2eb3b5341243fc0b621c1ac9e4ec4 ]
+
+An HFS+ filesystem can be mounted read-only without having a metadata
+directory, which is needed to support hardlinks. But if the catalog
+data is corrupted, a directory lookup may still find dentries claiming
+to be hardlinks.
+
+hfsplus_lookup() does check that ->hidden_dir is not NULL in such a
+situation, but mistakenly does so after dereferencing it for the first
+time. Reorder this check to prevent a crash.
+
+This happens when looking up corrupted catalog data (dentry) on a
+filesystem with no metadata directory (this could only ever happen on a
+read-only mount). Wen Xu sent the replication steps in detail to the
+fsdevel list: https://bugzilla.kernel.org/show_bug.cgi?id=200297
+
+Link: http://lkml.kernel.org/r/20180712215344.q44dyrhymm4ajkao@eaf
+Signed-off-by: Ernesto A. FernĂ¡ndez <ernesto.mnd.fernandez@gmail.com>
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hfsplus/dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/hfsplus/dir.c
++++ b/fs/hfsplus/dir.c
+@@ -78,13 +78,13 @@ again:
+ cpu_to_be32(HFSP_HARDLINK_TYPE) &&
+ entry.file.user_info.fdCreator ==
+ cpu_to_be32(HFSP_HFSPLUS_CREATOR) &&
++ HFSPLUS_SB(sb)->hidden_dir &&
+ (entry.file.create_date ==
+ HFSPLUS_I(HFSPLUS_SB(sb)->hidden_dir)->
+ create_date ||
+ entry.file.create_date ==
+ HFSPLUS_I(d_inode(sb->s_root))->
+- create_date) &&
+- HFSPLUS_SB(sb)->hidden_dir) {
++ create_date)) {
+ struct qstr str;
+ char name[32];
+
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+Date: Wed, 15 Aug 2018 22:54:49 -0700
+Subject: IB/hfi1: Invalid NUMA node information can cause a divide by zero
+
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+
+[ Upstream commit c513de490f808d8480346f9a58e6a4a5f3de12e7 ]
+
+If the system BIOS does not supply NUMA node information to the
+PCI devices, the NUMA node is selected by choosing the current
+node.
+
+This can lead to the following crash:
+
+divide error: 0000 SMP
+CPU: 0 PID: 4 Comm: kworker/0:0 Tainted: G IOE
+------------ 3.10.0-693.21.1.el7.x86_64 #1
+Hardware name: Intel Corporation S2600KP/S2600KP, BIOS
+SE5C610.86B.01.01.0005.101720141054 10/17/2014
+Workqueue: events work_for_cpu_fn
+task: ffff880174480fd0 ti: ffff880174488000 task.ti: ffff880174488000
+RIP: 0010: [<ffffffffc020ac69>] hfi1_dev_affinity_init+0x129/0x6a0 [hfi1]
+RSP: 0018:ffff88017448bbf8 EFLAGS: 00010246
+RAX: 0000000000000011 RBX: ffff88107ffba6c0 RCX: ffff88085c22e130
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880824ad0000
+RBP: ffff88017448bc48 R08: 0000000000000011 R09: 0000000000000002
+R10: ffff8808582b6ca0 R11: 0000000000003151 R12: ffff8808582b6ca0
+R13: ffff8808582b6518 R14: ffff8808582b6010 R15: 0000000000000012
+FS: 0000000000000000(0000) GS:ffff88085ec00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007efc707404f0 CR3: 0000000001a02000 CR4: 00000000001607f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Call Trace:
+ hfi1_init_dd+0x14b3/0x27a0 [hfi1]
+ ? pcie_capability_write_word+0x46/0x70
+ ? hfi1_pcie_init+0xc0/0x200 [hfi1]
+ do_init_one+0x153/0x4c0 [hfi1]
+ ? sched_clock_cpu+0x85/0xc0
+ init_one+0x1b5/0x260 [hfi1]
+ local_pci_probe+0x4a/0xb0
+ work_for_cpu_fn+0x1a/0x30
+ process_one_work+0x17f/0x440
+ worker_thread+0x278/0x3c0
+ ? manage_workers.isra.24+0x2a0/0x2a0
+ kthread+0xd1/0xe0
+ ? insert_kthread_work+0x40/0x40
+ ret_from_fork+0x77/0xb0
+ ? insert_kthread_work+0x40/0x40
+
+If the BIOS is not supplying NUMA information:
+ - set the default table count to 1 for all possible nodes
+ - select node 0 (instead of current NUMA) node to get consistent
+ performance
+ - generate an error indicating that the BIOS should be upgraded
+
+Reviewed-by: Gary Leshner <gary.s.leshner@intel.com>
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hfi1/affinity.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/affinity.c
++++ b/drivers/infiniband/hw/hfi1/affinity.c
+@@ -146,7 +146,7 @@ int node_affinity_init(void)
+ while ((dev = pci_get_device(ids->vendor, ids->device, dev))) {
+ node = pcibus_to_node(dev->bus);
+ if (node < 0)
+- node = numa_node_id();
++ goto out;
+
+ hfi1_per_node_cntr[node]++;
+ }
+@@ -154,6 +154,18 @@ int node_affinity_init(void)
+ }
+
+ return 0;
++
++out:
++ /*
++ * Invalid PCI NUMA node information found, note it, and populate
++ * our database 1:1.
++ */
++ pr_err("HFI: Invalid PCI NUMA node. Performance may be affected\n");
++ pr_err("HFI: System BIOS may need to be upgraded\n");
++ for (node = 0; node < node_affinity.num_possible_nodes; node++)
++ hfi1_per_node_cntr[node] = 1;
++
++ return 0;
+ }
+
+ void node_affinity_destroy(void)
+@@ -227,8 +239,14 @@ int hfi1_dev_affinity_init(struct hfi1_d
+ const struct cpumask *local_mask;
+ int curr_cpu, possible, i;
+
+- if (node < 0)
+- node = numa_node_id();
++ /*
++ * If the BIOS does not have the NUMA node information set, select
++ * NUMA 0 so we get consistent performance.
++ */
++ if (node < 0) {
++ dd_dev_err(dd, "Invalid PCI NUMA node. Performance may be affected\n");
++ node = 0;
++ }
+ dd->node = node;
+
+ local_mask = cpumask_of_node(dd->node);
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 6 Aug 2018 15:10:40 -0700
+Subject: Input: do not use WARN() in input_alloc_absinfo()
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit 100294cee9a98bfd4d6cb2d1c8a8aef0e959b0c4 ]
+
+Some of fuzzers set panic_on_warn=1 so that they can handle WARN()ings
+the same way they handle full-blown kernel crashes. We used WARN() in
+input_alloc_absinfo() to get a better idea where memory allocation
+failed, but since then kmalloc() and friends started dumping call stack on
+memory allocation failures anyway, so we are not getting anything extra
+from WARN().
+
+Because of the above, let's replace WARN with dev_err(). We use dev_err()
+instead of simply removing message and relying on kcalloc() to give us
+stack dump so that we'd know the instance of hardware device to which we
+were trying to attach input device.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Acked-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/input.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/input.c
++++ b/drivers/input/input.c
+@@ -480,11 +480,19 @@ EXPORT_SYMBOL(input_inject_event);
+ */
+ void input_alloc_absinfo(struct input_dev *dev)
+ {
+- if (!dev->absinfo)
+- dev->absinfo = kcalloc(ABS_CNT, sizeof(*dev->absinfo),
+- GFP_KERNEL);
++ if (dev->absinfo)
++ return;
+
+- WARN(!dev->absinfo, "%s(): kcalloc() failed?\n", __func__);
++ dev->absinfo = kcalloc(ABS_CNT, sizeof(*dev->absinfo), GFP_KERNEL);
++ if (!dev->absinfo) {
++ dev_err(dev->dev.parent ?: &dev->dev,
++ "%s: unable to allocate memory\n", __func__);
++ /*
++ * We will handle this allocation failure in
++ * input_register_device() when we refuse to register input
++ * device with ABS bits but without absinfo.
++ */
++ }
+ }
+ EXPORT_SYMBOL(input_alloc_absinfo);
+
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Ralf Goebel <ralf.goebel@imago-technologies.com>
+Date: Mon, 6 Aug 2018 17:00:36 +0200
+Subject: iommu/omap: Fix cache flushes on L2 table entries
+
+From: Ralf Goebel <ralf.goebel@imago-technologies.com>
+
+[ Upstream commit 04c532a1cdc7e423656c07937aa4b5c1c2b064f9 ]
+
+The base address used for DMA operations on the second-level table
+did incorrectly include the offset for the table entry. The offset
+was then added again which lead to incorrect behavior.
+
+Operations on the L1 table are not affected.
+
+The calculation of the base address is changed to point to the
+beginning of the L2 table.
+
+Fixes: bfee0cf0ee1d ("iommu/omap: Use DMA-API for performing cache flushes")
+Acked-by: Suman Anna <s-anna@ti.com>
+Signed-off-by: Ralf Goebel <ralf.goebel@imago-technologies.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/omap-iommu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iommu/omap-iommu.c
++++ b/drivers/iommu/omap-iommu.c
+@@ -529,7 +529,7 @@ static u32 *iopte_alloc(struct omap_iomm
+
+ pte_ready:
+ iopte = iopte_offset(iopgd, da);
+- *pt_dma = virt_to_phys(iopte);
++ *pt_dma = iopgd_page_paddr(iopgd);
+ dev_vdbg(obj->dev,
+ "%s: da:%08x pgd:%p *pgd:%08x pte:%p *pte:%08x\n",
+ __func__, da, iopgd, *iopgd, iopte, *iopte);
+@@ -717,7 +717,7 @@ static size_t iopgtable_clear_entry_core
+ }
+ bytes *= nent;
+ memset(iopte, 0, nent * sizeof(*iopte));
+- pt_dma = virt_to_phys(iopte);
++ pt_dma = iopgd_page_paddr(iopgd);
+ flush_iopte_range(obj->dev, pt_dma, pt_offset, nent);
+
+ /*
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Tan Hu <tan.hu@zte.com.cn>
+Date: Wed, 25 Jul 2018 15:23:07 +0800
+Subject: ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()
+
+From: Tan Hu <tan.hu@zte.com.cn>
+
+[ Upstream commit a53b42c11815d2357e31a9403ae3950517525894 ]
+
+We came across infinite loop in ipvs when using ipvs in docker
+env.
+
+When ipvs receives new packets and cannot find an ipvs connection,
+it will create a new connection, then if the dest is unavailable
+(i.e. IP_VS_DEST_F_AVAILABLE), the packet will be dropped sliently.
+
+But if the dropped packet is the first packet of this connection,
+the connection control timer never has a chance to start and the
+ipvs connection cannot be released. This will lead to memory leak, or
+infinite loop in cleanup_net() when net namespace is released like
+this:
+
+ ip_vs_conn_net_cleanup at ffffffffa0a9f31a [ip_vs]
+ __ip_vs_cleanup at ffffffffa0a9f60a [ip_vs]
+ ops_exit_list at ffffffff81567a49
+ cleanup_net at ffffffff81568b40
+ process_one_work at ffffffff810a851b
+ worker_thread at ffffffff810a9356
+ kthread at ffffffff810b0b6f
+ ret_from_fork at ffffffff81697a18
+
+race condition:
+ CPU1 CPU2
+ ip_vs_in()
+ ip_vs_conn_new()
+ ip_vs_del_dest()
+ __ip_vs_unlink_dest()
+ ~IP_VS_DEST_F_AVAILABLE
+ cp->dest && !IP_VS_DEST_F_AVAILABLE
+ __ip_vs_conn_put
+ ...
+ cleanup_net ---> infinite looping
+
+Fix this by checking whether the timer already started.
+
+Signed-off-by: Tan Hu <tan.hu@zte.com.cn>
+Reviewed-by: Jiang Biao <jiang.biao2@zte.com.cn>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipvs/ip_vs_core.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -1960,13 +1960,20 @@ ip_vs_in(struct netns_ipvs *ipvs, unsign
+ if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
+ /* the destination server is not available */
+
+- if (sysctl_expire_nodest_conn(ipvs)) {
++ __u32 flags = cp->flags;
++
++ /* when timer already started, silently drop the packet.*/
++ if (timer_pending(&cp->timer))
++ __ip_vs_conn_put(cp);
++ else
++ ip_vs_conn_put(cp);
++
++ if (sysctl_expire_nodest_conn(ipvs) &&
++ !(flags & IP_VS_CONN_F_ONE_PACKET)) {
+ /* try to expire the connection immediately */
+ ip_vs_conn_expire_now(cp);
+ }
+- /* don't restart its timer, and silently
+- drop the packet. */
+- __ip_vs_conn_put(cp);
++
+ return NF_DROP;
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Jonas Gorski <jonas.gorski@gmail.com>
+Date: Thu, 9 Aug 2018 10:59:01 +0200
+Subject: irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit 0702bc4d2fe793018ad9aa0eb14bff7f526c4095 ]
+
+When compiling bmips with SMP disabled, the build fails with:
+
+drivers/irqchip/irq-bcm7038-l1.o: In function `bcm7038_l1_cpu_offline':
+drivers/irqchip/irq-bcm7038-l1.c:242: undefined reference to `irq_set_affinity_locked'
+make[5]: *** [vmlinux] Error 1
+
+Fix this by adding and setting bcm7038_l1_cpu_offline only when actually
+compiling for SMP. It wouldn't have been used anyway, as it requires
+CPU_HOTPLUG, which in turn requires SMP.
+
+Fixes: 34c535793bcb ("irqchip/bcm7038-l1: Implement irq_cpu_offline() callback")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-bcm7038-l1.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/irqchip/irq-bcm7038-l1.c
++++ b/drivers/irqchip/irq-bcm7038-l1.c
+@@ -217,6 +217,7 @@ static int bcm7038_l1_set_affinity(struc
+ return 0;
+ }
+
++#ifdef CONFIG_SMP
+ static void bcm7038_l1_cpu_offline(struct irq_data *d)
+ {
+ struct cpumask *mask = irq_data_get_affinity_mask(d);
+@@ -241,6 +242,7 @@ static void bcm7038_l1_cpu_offline(struc
+ }
+ irq_set_affinity_locked(d, &new_affinity, false);
+ }
++#endif
+
+ static int __init bcm7038_l1_init_one(struct device_node *dn,
+ unsigned int idx,
+@@ -293,7 +295,9 @@ static struct irq_chip bcm7038_l1_irq_ch
+ .irq_mask = bcm7038_l1_mask,
+ .irq_unmask = bcm7038_l1_unmask,
+ .irq_set_affinity = bcm7038_l1_set_affinity,
++#ifdef CONFIG_SMP
+ .irq_cpu_offline = bcm7038_l1_cpu_offline,
++#endif
+ };
+
+ static int bcm7038_l1_map(struct irq_domain *d, unsigned int virq,
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Jim Mattson <jmattson@google.com>
+Date: Fri, 27 Jul 2018 09:18:50 -0700
+Subject: kvm: nVMX: Fix fault vector for VMX operation at CPL > 0
+
+From: Jim Mattson <jmattson@google.com>
+
+[ Upstream commit 36090bf43a6b835a42f515cb515ff6fa293a25fe ]
+
+The fault that should be raised for a privilege level violation is #GP
+rather than #UD.
+
+Fixes: 727ba748e110b4 ("kvm: nVMX: Enforce cpl=0 for VMX instructions")
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7590,7 +7590,7 @@ static int handle_vmon(struct kvm_vcpu *
+
+ /* CPL=0 must be checked manually. */
+ if (vmx_get_cpl(vcpu)) {
+- kvm_queue_exception(vcpu, UD_VECTOR);
++ kvm_inject_gp(vcpu, 0);
+ return 1;
+ }
+
+@@ -7654,7 +7654,7 @@ static int handle_vmon(struct kvm_vcpu *
+ static int nested_vmx_check_permission(struct kvm_vcpu *vcpu)
+ {
+ if (vmx_get_cpl(vcpu)) {
+- kvm_queue_exception(vcpu, UD_VECTOR);
++ kvm_inject_gp(vcpu, 0);
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Mon, 23 Jul 2018 12:32:42 -0700
+Subject: KVM: vmx: track host_state.loaded using a loaded_vmcs pointer
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+[ Upstream commit bd9966de4e14fb559e89a06f7f5c9aab2cc028b9 ]
+
+Using 'struct loaded_vmcs*' to track whether the CPU registers
+contain host or guest state kills two birds with one stone.
+
+ 1. The (effective) boolean host_state.loaded is poorly named.
+ It does not track whether or not host state is loaded into
+ the CPU registers (which most readers would expect), but
+ rather tracks if host state has been saved AND guest state
+ is loaded.
+
+ 2. Using a loaded_vmcs pointer provides a more robust framework
+ for the optimized guest/host state switching, especially when
+ consideration per-VMCS enhancements. To that end, WARN_ONCE
+ if we try to switch to host state with a different VMCS than
+ was last used to save host state.
+
+Resolve an occurrence of the new WARN by setting loaded_vmcs after
+the call to vmx_vcpu_put() in vmx_switch_vmcs().
+
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -749,17 +749,21 @@ struct vcpu_vmx {
+ /*
+ * loaded_vmcs points to the VMCS currently used in this vcpu. For a
+ * non-nested (L1) guest, it always points to vmcs01. For a nested
+- * guest (L2), it points to a different VMCS.
++ * guest (L2), it points to a different VMCS. loaded_cpu_state points
++ * to the VMCS whose state is loaded into the CPU registers that only
++ * need to be switched when transitioning to/from the kernel; a NULL
++ * value indicates that host state is loaded.
+ */
+ struct loaded_vmcs vmcs01;
+ struct loaded_vmcs *loaded_vmcs;
++ struct loaded_vmcs *loaded_cpu_state;
+ bool __launched; /* temporary, used in vmx_vcpu_run */
+ struct msr_autoload {
+ struct vmx_msrs guest;
+ struct vmx_msrs host;
+ } msr_autoload;
++
+ struct {
+- int loaded;
+ u16 fs_sel, gs_sel, ldt_sel;
+ #ifdef CONFIG_X86_64
+ u16 ds_sel, es_sel;
+@@ -2336,10 +2340,11 @@ static void vmx_save_host_state(struct k
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+ int i;
+
+- if (vmx->host_state.loaded)
++ if (vmx->loaded_cpu_state)
+ return;
+
+- vmx->host_state.loaded = 1;
++ vmx->loaded_cpu_state = vmx->loaded_vmcs;
++
+ /*
+ * Set host fs and gs selectors. Unfortunately, 22.2.3 does not
+ * allow segment selectors with cpl > 0 or ti == 1.
+@@ -2390,11 +2395,14 @@ static void vmx_save_host_state(struct k
+
+ static void __vmx_load_host_state(struct vcpu_vmx *vmx)
+ {
+- if (!vmx->host_state.loaded)
++ if (!vmx->loaded_cpu_state)
+ return;
+
++ WARN_ON_ONCE(vmx->loaded_cpu_state != vmx->loaded_vmcs);
++
+ ++vmx->vcpu.stat.host_state_reload;
+- vmx->host_state.loaded = 0;
++ vmx->loaded_cpu_state = NULL;
++
+ #ifdef CONFIG_X86_64
+ if (is_long_mode(&vmx->vcpu))
+ rdmsrl(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base);
+@@ -9944,8 +9952,8 @@ static void vmx_switch_vmcs(struct kvm_v
+ return;
+
+ cpu = get_cpu();
+- vmx->loaded_vmcs = vmcs;
+ vmx_vcpu_put(vcpu);
++ vmx->loaded_vmcs = vmcs;
+ vmx_vcpu_load(vcpu, cpu);
+ vcpu->cpu = cpu;
+ put_cpu();
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Fri, 3 Aug 2018 20:59:51 -0700
+Subject: mfd: sm501: Set coherent_dma_mask when creating subdevices
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 2f606da78230f09cf1a71fde6ee91d0c710fa2b2 ]
+
+Instantiating the sm501 OHCI subdevice results in a kernel warning.
+
+sm501-usb sm501-usb: SM501 OHCI
+sm501-usb sm501-usb: new USB bus registered, assigned bus number 1
+WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516
+ohci_init+0x194/0x2d8
+Modules linked in:
+
+CPU: 0 PID: 1 Comm: swapper Tainted: G W
+4.18.0-rc7-00178-g0b5b1f9a78b5 #1
+PC is at ohci_init+0x194/0x2d8
+PR is at ohci_init+0x168/0x2d8
+PC : 8c27844c SP : 8f81dd94 SR : 40008001
+TEA : 29613060
+R0 : 00000000 R1 : 00000000 R2 : 00000000 R3 : 00000202
+R4 : 8fa98b88 R5 : 8c277e68 R6 : 00000000 R7 : 00000000
+R8 : 8f965814 R9 : 8c388100 R10 : 8fa98800 R11 : 8fa98928
+R12 : 8c48302c R13 : 8fa98920 R14 : 8c48302c
+MACH: 00000096 MACL: 0000017c GBR : 00000000 PR : 8c278420
+
+Call trace:
+ [<(ptrval)>] usb_add_hcd+0x1e8/0x6ec
+ [<(ptrval)>] _dev_info+0x0/0x54
+ [<(ptrval)>] arch_local_save_flags+0x0/0x8
+ [<(ptrval)>] arch_local_irq_restore+0x0/0x24
+ [<(ptrval)>] ohci_hcd_sm501_drv_probe+0x114/0x2d8
+...
+
+Initialize coherent_dma_mask when creating SM501 subdevices to fix
+the problem.
+
+Fixes: b6d6454fdb66f ("mfd: SM501 core driver")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/sm501.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mfd/sm501.c
++++ b/drivers/mfd/sm501.c
+@@ -714,6 +714,7 @@ sm501_create_subdev(struct sm501_devdata
+ smdev->pdev.name = name;
+ smdev->pdev.id = sm->pdev_id;
+ smdev->pdev.dev.parent = sm->dev;
++ smdev->pdev.dev.coherent_dma_mask = 0xffffffff;
+
+ if (res_count) {
+ smdev->pdev.resource = (struct resource *)(smdev+1);
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Fri, 17 Aug 2018 15:46:57 -0700
+Subject: mm/fadvise.c: fix signed overflow UBSAN complaint
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+[ Upstream commit a718e28f538441a3b6612da9ff226973376cdf0f ]
+
+Signed integer overflow is undefined according to the C standard. The
+overflow in ksys_fadvise64_64() is deliberate, but since it is signed
+overflow, UBSAN complains:
+
+ UBSAN: Undefined behaviour in mm/fadvise.c:76:10
+ signed integer overflow:
+ 4 + 9223372036854775805 cannot be represented in type 'long long int'
+
+Use unsigned types to do math. Unsigned overflow is defined so UBSAN
+will not complain about it. This patch doesn't change generated code.
+
+[akpm@linux-foundation.org: add comment explaining the casts]
+Link: http://lkml.kernel.org/r/20180629184453.7614-1-aryabinin@virtuozzo.com
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Reported-by: <icytxw@gmail.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/fadvise.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/mm/fadvise.c
++++ b/mm/fadvise.c
+@@ -71,8 +71,12 @@ SYSCALL_DEFINE4(fadvise64_64, int, fd, l
+ goto out;
+ }
+
+- /* Careful about overflows. Len == 0 means "as much as possible" */
+- endbyte = offset + len;
++ /*
++ * Careful about overflows. Len == 0 means "as much as possible". Use
++ * unsigned math because signed overflows are undefined and UBSan
++ * complains.
++ */
++ endbyte = (u64)offset + (u64)len;
+ if (!len || endbyte < len)
+ endbyte = -1;
+ else
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Date: Tue, 17 Jul 2018 19:14:45 -0700
+Subject: net/9p: fix error path of p9_virtio_probe
+
+From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+
+[ Upstream commit 92aef4675d5b1b55404e1532379e343bed0e5cf2 ]
+
+Currently when virtio_find_single_vq fails, we go through del_vqs which
+throws a warning (Trying to free already-free IRQ). Skip del_vqs if vq
+allocation failed.
+
+Link: http://lkml.kernel.org/r/20180524101021.49880-1-jean-philippe.brucker@arm.com
+Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Cc: Eric Van Hensbergen <ericvh@gmail.com>
+Cc: Ron Minnich <rminnich@sandia.gov>
+Cc: Latchesar Ionkov <lucho@ionkov.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/trans_virtio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/9p/trans_virtio.c
++++ b/net/9p/trans_virtio.c
+@@ -571,7 +571,7 @@ static int p9_virtio_probe(struct virtio
+ chan->vq = virtio_find_single_vq(vdev, req_done, "requests");
+ if (IS_ERR(chan->vq)) {
+ err = PTR_ERR(chan->vq);
+- goto out_free_vq;
++ goto out_free_chan;
+ }
+ chan->vq->vdev->priv = chan;
+ spin_lock_init(&chan->lock);
+@@ -624,6 +624,7 @@ out_free_tag:
+ kfree(tag);
+ out_free_vq:
+ vdev->config->del_vqs(vdev);
++out_free_chan:
+ kfree(chan);
+ fail:
+ return err;
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Mon, 23 Jul 2018 20:42:53 +0200
+Subject: net/9p/trans_fd.c: fix race by holding the lock
+
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+
+[ Upstream commit 9f476d7c540cb57556d3cc7e78704e6cd5100f5f ]
+
+It may be possible to run p9_fd_cancel() with a deleted req->req_list
+and incur in a double del. To fix hold the client->lock while changing
+the status, so the other threads will be synchronized.
+
+Link: http://lkml.kernel.org/r/20180723184253.6682-1-tomasbortoli@gmail.com
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+735d926e9d1317c3310c@syzkaller.appspotmail.com
+To: Eric Van Hensbergen <ericvh@gmail.com>
+To: Ron Minnich <rminnich@sandia.gov>
+To: Latchesar Ionkov <lucho@ionkov.net>
+Cc: Yiwen Jiang <jiangyiwen@huwei.com>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/trans_fd.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -199,15 +199,14 @@ static void p9_mux_poll_stop(struct p9_c
+ static void p9_conn_cancel(struct p9_conn *m, int err)
+ {
+ struct p9_req_t *req, *rtmp;
+- unsigned long flags;
+ LIST_HEAD(cancel_list);
+
+ p9_debug(P9_DEBUG_ERROR, "mux %p err %d\n", m, err);
+
+- spin_lock_irqsave(&m->client->lock, flags);
++ spin_lock(&m->client->lock);
+
+ if (m->err) {
+- spin_unlock_irqrestore(&m->client->lock, flags);
++ spin_unlock(&m->client->lock);
+ return;
+ }
+
+@@ -219,7 +218,6 @@ static void p9_conn_cancel(struct p9_con
+ list_for_each_entry_safe(req, rtmp, &m->unsent_req_list, req_list) {
+ list_move(&req->req_list, &cancel_list);
+ }
+- spin_unlock_irqrestore(&m->client->lock, flags);
+
+ list_for_each_entry_safe(req, rtmp, &cancel_list, req_list) {
+ p9_debug(P9_DEBUG_ERROR, "call back req %p\n", req);
+@@ -228,6 +226,7 @@ static void p9_conn_cancel(struct p9_con
+ req->t_err = err;
+ p9_client_cb(m->client, req, REQ_STATUS_ERROR);
+ }
++ spin_unlock(&m->client->lock);
+ }
+
+ static int
+@@ -385,8 +384,9 @@ static void p9_read_work(struct work_str
+ if (m->req->status != REQ_STATUS_ERROR)
+ status = REQ_STATUS_RCVD;
+ list_del(&m->req->req_list);
+- spin_unlock(&m->client->lock);
++ /* update req->status while holding client->lock */
+ p9_client_cb(m->client, m->req, status);
++ spin_unlock(&m->client->lock);
+ m->rc.sdata = NULL;
+ m->rc.offset = 0;
+ m->rc.capacity = 0;
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Xi Wang <wangxi11@huawei.com>
+Date: Tue, 14 Aug 2018 17:13:13 +0100
+Subject: net: hns3: Fix for command format parsing error in hclge_is_all_function_id_zero
+
+From: Xi Wang <wangxi11@huawei.com>
+
+[ Upstream commit 6c39d5278e62956238a681e4cfc69fae5507fc57 ]
+
+According to the functional specification of hardware, the first
+descriptor of response from command 'lookup vlan talbe' is not valid.
+Currently, the first descriptor is parsed as normal value, which will
+cause an expected error.
+
+This patch fixes this problem by skipping the first descriptor.
+
+Fixes: 46a3df9f9718 ("net: hns3: Add HNS3 Acceleration Engine & Compatibility Layer Support")
+Signed-off-by: Xi Wang <wangxi11@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Salil Mehta <salil.mehta@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -3105,7 +3105,7 @@ static bool hclge_is_all_function_id_zer
+ #define HCLGE_FUNC_NUMBER_PER_DESC 6
+ int i, j;
+
+- for (i = 0; i < HCLGE_DESC_NUMBER; i++)
++ for (i = 1; i < HCLGE_DESC_NUMBER; i++)
+ for (j = 0; j < HCLGE_FUNC_NUMBER_PER_DESC; j++)
+ if (desc[i].data[j])
+ return false;
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Jian Shen <shenjian15@huawei.com>
+Date: Tue, 14 Aug 2018 17:13:15 +0100
+Subject: net: hns3: Fix for phy link issue when using marvell phy driver
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit 60081dcc4fce385ade26d3145b2479789df0b7e5 ]
+
+For marvell phy m88e1510, bit SUPPORTED_FIBRE of phydev->supported
+is default on. Both phy_resume() and phy_suspend() will check the
+SUPPORTED_FIBRE bit and write register of fibre page.
+
+Currently in hns3 driver, the SUPPORTED_FIBRE bit will be cleared
+after phy_connect_direct() finished. Because phy_resume() is called
+in phy_connect_direct(), and phy_suspend() is called when disconnect
+phy device, so the operation for fibre page register is not symmetrical.
+It will cause phy link issue when reload hns3 driver.
+
+This patch fixes it by disable the SUPPORTED_FIBRE before connecting
+phy.
+
+Fixes: 256727da7395 ("net: hns3: Add MDIO support to HNS3 Ethernet driver for hip08 SoC")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Salil Mehta <salil.mehta@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+@@ -187,6 +187,8 @@ int hclge_mac_start_phy(struct hclge_dev
+ if (!phydev)
+ return 0;
+
++ phydev->supported &= ~SUPPORTED_FIBRE;
++
+ ret = phy_connect_direct(netdev, phydev,
+ hclge_mac_adjust_link,
+ PHY_INTERFACE_MODE_SGMII);
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 31 Jul 2018 13:41:23 +0200
+Subject: netfilter: fix memory leaks on netlink_dump_start error
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 3e673b23b541b8e7f773b2d378d6eb99831741cd ]
+
+Shaochun Chen points out we leak dumper filter state allocations
+stored in dump_control->data in case there is an error before netlink sets
+cb_running (after which ->done will be called at some point).
+
+In order to fix this, add .start functions and move allocations there.
+
+Same pattern as used in commit 90fd131afc565159c9e0ea742f082b337e10f8c6
+("netfilter: nf_tables: move dumper state allocation into ->start").
+
+Reported-by: shaochun chen <cscnull@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++---------
+ net/netfilter/nfnetlink_acct.c | 29 +++++++++++++----------------
+ 2 files changed, 30 insertions(+), 25 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -788,6 +788,21 @@ ctnetlink_alloc_filter(const struct nlat
+ #endif
+ }
+
++static int ctnetlink_start(struct netlink_callback *cb)
++{
++ const struct nlattr * const *cda = cb->data;
++ struct ctnetlink_filter *filter = NULL;
++
++ if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
++ filter = ctnetlink_alloc_filter(cda);
++ if (IS_ERR(filter))
++ return PTR_ERR(filter);
++ }
++
++ cb->data = filter;
++ return 0;
++}
++
+ static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
+ {
+ struct ctnetlink_filter *filter = data;
+@@ -1194,19 +1209,12 @@ static int ctnetlink_get_conntrack(struc
+
+ if (nlh->nlmsg_flags & NLM_F_DUMP) {
+ struct netlink_dump_control c = {
++ .start = ctnetlink_start,
+ .dump = ctnetlink_dump_table,
+ .done = ctnetlink_done,
++ .data = (void *)cda,
+ };
+
+- if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
+- struct ctnetlink_filter *filter;
+-
+- filter = ctnetlink_alloc_filter(cda);
+- if (IS_ERR(filter))
+- return PTR_ERR(filter);
+-
+- c.data = filter;
+- }
+ return netlink_dump_start(ctnl, skb, nlh, &c);
+ }
+
+--- a/net/netfilter/nfnetlink_acct.c
++++ b/net/netfilter/nfnetlink_acct.c
+@@ -238,29 +238,33 @@ static const struct nla_policy filter_po
+ [NFACCT_FILTER_VALUE] = { .type = NLA_U32 },
+ };
+
+-static struct nfacct_filter *
+-nfacct_filter_alloc(const struct nlattr * const attr)
++static int nfnl_acct_start(struct netlink_callback *cb)
+ {
+- struct nfacct_filter *filter;
++ const struct nlattr *const attr = cb->data;
+ struct nlattr *tb[NFACCT_FILTER_MAX + 1];
++ struct nfacct_filter *filter;
+ int err;
+
++ if (!attr)
++ return 0;
++
+ err = nla_parse_nested(tb, NFACCT_FILTER_MAX, attr, filter_policy,
+ NULL);
+ if (err < 0)
+- return ERR_PTR(err);
++ return err;
+
+ if (!tb[NFACCT_FILTER_MASK] || !tb[NFACCT_FILTER_VALUE])
+- return ERR_PTR(-EINVAL);
++ return -EINVAL;
+
+ filter = kzalloc(sizeof(struct nfacct_filter), GFP_KERNEL);
+ if (!filter)
+- return ERR_PTR(-ENOMEM);
++ return -ENOMEM;
+
+ filter->mask = ntohl(nla_get_be32(tb[NFACCT_FILTER_MASK]));
+ filter->value = ntohl(nla_get_be32(tb[NFACCT_FILTER_VALUE]));
++ cb->data = filter;
+
+- return filter;
++ return 0;
+ }
+
+ static int nfnl_acct_get(struct net *net, struct sock *nfnl,
+@@ -275,18 +279,11 @@ static int nfnl_acct_get(struct net *net
+ if (nlh->nlmsg_flags & NLM_F_DUMP) {
+ struct netlink_dump_control c = {
+ .dump = nfnl_acct_dump,
++ .start = nfnl_acct_start,
+ .done = nfnl_acct_done,
++ .data = (void *)tb[NFACCT_FILTER],
+ };
+
+- if (tb[NFACCT_FILTER]) {
+- struct nfacct_filter *filter;
+-
+- filter = nfacct_filter_alloc(tb[NFACCT_FILTER]);
+- if (IS_ERR(filter))
+- return PTR_ERR(filter);
+-
+- c.data = filter;
+- }
+ return netlink_dump_start(nfnl, skb, nlh, &c);
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 25 Jul 2018 21:38:43 +0200
+Subject: netfilter: ip6t_rpfilter: set F_IFACE for linklocal addresses
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit da786717e0894886301ed2536843c13f9e8fd53e ]
+
+Roman reports that DHCPv6 client no longer sees replies from server
+due to
+
+ip6tables -t raw -A PREROUTING -m rpfilter --invert -j DROP
+
+rule. We need to set the F_IFACE flag for linklocal addresses, they
+are scoped per-device.
+
+Fixes: 47b7e7f82802 ("netfilter: don't set F_IFACE on ipv6 fib lookups")
+Reported-by: Roman Mamedov <rm@romanrm.net>
+Tested-by: Roman Mamedov <rm@romanrm.net>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/netfilter/ip6t_rpfilter.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/netfilter/ip6t_rpfilter.c
++++ b/net/ipv6/netfilter/ip6t_rpfilter.c
+@@ -26,6 +26,12 @@ static bool rpfilter_addr_unicast(const
+ return addr_type & IPV6_ADDR_UNICAST;
+ }
+
++static bool rpfilter_addr_linklocal(const struct in6_addr *addr)
++{
++ int addr_type = ipv6_addr_type(addr);
++ return addr_type & IPV6_ADDR_LINKLOCAL;
++}
++
+ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb,
+ const struct net_device *dev, u8 flags)
+ {
+@@ -48,7 +54,11 @@ static bool rpfilter_lookup_reverse6(str
+ }
+
+ fl6.flowi6_mark = flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0;
+- if ((flags & XT_RPFILTER_LOOSE) == 0)
++
++ if (rpfilter_addr_linklocal(&iph->saddr)) {
++ lookup_flags |= RT6_LOOKUP_F_IFACE;
++ fl6.flowi6_oif = dev->ifindex;
++ } else if ((flags & XT_RPFILTER_LOOSE) == 0)
+ fl6.flowi6_oif = dev->ifindex;
+
+ rt = (void *) ip6_route_lookup(net, &fl6, lookup_flags);
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Thu, 2 Aug 2018 05:42:04 +0000
+Subject: NFSv4: Fix error handling in nfs4_sp4_select_mode()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 72bf75cfc00c02aa66ef6133048f37aa5d88825c ]
+
+Error code is set in the error handling cases but never used. Fix it.
+
+Fixes: 937e3133cd0b ("NFSv4.1: Ensure we clear the SP4_MACH_CRED flags in nfs4_sp4_select_mode()")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -7497,7 +7497,7 @@ static int nfs4_sp4_select_mode(struct n
+ }
+ out:
+ clp->cl_sp4_flags = flags;
+- return 0;
++ return ret;
+ }
+
+ struct nfs41_exchange_id_data {
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Date: Fri, 3 Aug 2018 16:38:44 +0200
+Subject: PCI: mvebu: Fix I/O space end address calculation
+
+From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+
+[ Upstream commit dfd0309fd7b30a5baffaf47b2fccb88b46d64d69 ]
+
+pcie->realio.end should be the address of last byte of the area,
+therefore using resource_size() of another resource is not correct, we
+must substract 1 to get the address of the last byte.
+
+Fixes: 11be65472a427 ("PCI: mvebu: Adapt to the new device tree layout")
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/host/pci-mvebu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/host/pci-mvebu.c
++++ b/drivers/pci/host/pci-mvebu.c
+@@ -1220,7 +1220,7 @@ static int mvebu_pcie_probe(struct platf
+ pcie->realio.start = PCIBIOS_MIN_IO;
+ pcie->realio.end = min_t(resource_size_t,
+ IO_SPACE_LIMIT,
+- resource_size(&pcie->io));
++ resource_size(&pcie->io) - 1);
+ } else
+ pcie->realio = pcie->io;
+
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Sandipan Das <sandipan@linux.ibm.com>
+Date: Thu, 9 Aug 2018 21:49:29 +0530
+Subject: perf probe powerpc: Fix trace event post-processing
+
+From: Sandipan Das <sandipan@linux.ibm.com>
+
+[ Upstream commit 354b064b8ebc1e1ede58550ca9e08bfa81e6af43 ]
+
+In some cases, a symbol may have multiple aliases. Attempting to add an
+entry probe for such symbols results in a probe being added at an
+incorrect location while it fails altogether for return probes. This is
+only applicable for binaries with debug information.
+
+During the arch-dependent post-processing, the offset from the start of
+the symbol at which the probe is to be attached is determined and added
+to the start address of the symbol to get the probe's location. In case
+there are multiple aliases, this offset gets added multiple times for
+each alias of the symbol and we end up with an incorrect probe location.
+
+This can be verified on a powerpc64le system as shown below.
+
+ $ nm /lib/modules/$(uname -r)/build/vmlinux | grep "sys_open$"
+ ...
+ c000000000414290 T __se_sys_open
+ c000000000414290 T sys_open
+
+ $ objdump -d /lib/modules/$(uname -r)/build/vmlinux | grep -A 10 "<__se_sys_open>:"
+
+ c000000000414290 <__se_sys_open>:
+ c000000000414290: 19 01 4c 3c addis r2,r12,281
+ c000000000414294: 70 c4 42 38 addi r2,r2,-15248
+ c000000000414298: a6 02 08 7c mflr r0
+ c00000000041429c: e8 ff a1 fb std r29,-24(r1)
+ c0000000004142a0: f0 ff c1 fb std r30,-16(r1)
+ c0000000004142a4: f8 ff e1 fb std r31,-8(r1)
+ c0000000004142a8: 10 00 01 f8 std r0,16(r1)
+ c0000000004142ac: c1 ff 21 f8 stdu r1,-64(r1)
+ c0000000004142b0: 78 23 9f 7c mr r31,r4
+ c0000000004142b4: 78 1b 7e 7c mr r30,r3
+
+ For both the entry probe and the return probe, the probe location
+ should be _text+4276888 (0xc000000000414298). Since another alias
+ exists for 'sys_open', the post-processing code will end up adding
+ the offset (8 for powerpc64le) twice and perf will attempt to add
+ the probe at _text+4276896 (0xc0000000004142a0) instead.
+
+Before:
+
+ # perf probe -v -a sys_open
+
+ probe-definition(0): sys_open
+ symbol:sys_open file:(null) line:0 offset:0 return:0 lazy:(null)
+ 0 arguments
+ Looking at the vmlinux_path (8 entries long)
+ Using /lib/modules/4.18.0-rc8+/build/vmlinux for symbols
+ Open Debuginfo file: /lib/modules/4.18.0-rc8+/build/vmlinux
+ Try to find probe point from debuginfo.
+ Symbol sys_open address found : c000000000414290
+ Matched function: __se_sys_open [2ad03a0]
+ Probe point found: __se_sys_open+0
+ Found 1 probe_trace_events.
+ Opening /sys/kernel/debug/tracing/kprobe_events write=1
+ Writing event: p:probe/sys_open _text+4276896
+ Added new event:
+ probe:sys_open (on sys_open)
+ ...
+
+ # perf probe -v -a sys_open%return $retval
+
+ probe-definition(0): sys_open%return
+ symbol:sys_open file:(null) line:0 offset:0 return:1 lazy:(null)
+ 0 arguments
+ Looking at the vmlinux_path (8 entries long)
+ Using /lib/modules/4.18.0-rc8+/build/vmlinux for symbols
+ Open Debuginfo file: /lib/modules/4.18.0-rc8+/build/vmlinux
+ Try to find probe point from debuginfo.
+ Symbol sys_open address found : c000000000414290
+ Matched function: __se_sys_open [2ad03a0]
+ Probe point found: __se_sys_open+0
+ Found 1 probe_trace_events.
+ Opening /sys/kernel/debug/tracing/README write=0
+ Opening /sys/kernel/debug/tracing/kprobe_events write=1
+ Parsing probe_events: p:probe/sys_open _text+4276896
+ Group:probe Event:sys_open probe:p
+ Writing event: r:probe/sys_open__return _text+4276896
+ Failed to write event: Invalid argument
+ Error: Failed to add events. Reason: Invalid argument (Code: -22)
+
+After:
+
+ # perf probe -v -a sys_open
+
+ probe-definition(0): sys_open
+ symbol:sys_open file:(null) line:0 offset:0 return:0 lazy:(null)
+ 0 arguments
+ Looking at the vmlinux_path (8 entries long)
+ Using /lib/modules/4.18.0-rc8+/build/vmlinux for symbols
+ Open Debuginfo file: /lib/modules/4.18.0-rc8+/build/vmlinux
+ Try to find probe point from debuginfo.
+ Symbol sys_open address found : c000000000414290
+ Matched function: __se_sys_open [2ad03a0]
+ Probe point found: __se_sys_open+0
+ Found 1 probe_trace_events.
+ Opening /sys/kernel/debug/tracing/kprobe_events write=1
+ Writing event: p:probe/sys_open _text+4276888
+ Added new event:
+ probe:sys_open (on sys_open)
+ ...
+
+ # perf probe -v -a sys_open%return $retval
+
+ probe-definition(0): sys_open%return
+ symbol:sys_open file:(null) line:0 offset:0 return:1 lazy:(null)
+ 0 arguments
+ Looking at the vmlinux_path (8 entries long)
+ Using /lib/modules/4.18.0-rc8+/build/vmlinux for symbols
+ Open Debuginfo file: /lib/modules/4.18.0-rc8+/build/vmlinux
+ Try to find probe point from debuginfo.
+ Symbol sys_open address found : c000000000414290
+ Matched function: __se_sys_open [2ad03a0]
+ Probe point found: __se_sys_open+0
+ Found 1 probe_trace_events.
+ Opening /sys/kernel/debug/tracing/README write=0
+ Opening /sys/kernel/debug/tracing/kprobe_events write=1
+ Parsing probe_events: p:probe/sys_open _text+4276888
+ Group:probe Event:sys_open probe:p
+ Writing event: r:probe/sys_open__return _text+4276888
+ Added new event:
+ probe:sys_open__return (on sys_open%return)
+ ...
+
+Reported-by: Aneesh Kumar <aneesh.kumar@linux.vnet.ibm.com>
+Signed-off-by: Sandipan Das <sandipan@linux.ibm.com>
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Cc: Aneesh Kumar <aneesh.kumar@linux.vnet.ibm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Fixes: 99e608b5954c ("perf probe ppc64le: Fix probe location when using DWARF")
+Link: http://lkml.kernel.org/r/20180809161929.35058-1-sandipan@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/arch/powerpc/util/sym-handling.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/arch/powerpc/util/sym-handling.c
++++ b/tools/perf/arch/powerpc/util/sym-handling.c
+@@ -141,8 +141,10 @@ void arch__post_process_probe_trace_even
+ for (i = 0; i < ntevs; i++) {
+ tev = &pev->tevs[i];
+ map__for_each_symbol(map, sym, tmp) {
+- if (map->unmap_ip(map, sym->start) == tev->point.address)
++ if (map->unmap_ip(map, sym->start) == tev->point.address) {
+ arch__fix_tev_from_maps(pev, tev, map, sym);
++ break;
++ }
+ }
+ }
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Benno Evers <bevers@mesosphere.com>
+Date: Fri, 10 Aug 2018 15:36:13 +0200
+Subject: perf tools: Check for null when copying nsinfo.
+
+From: Benno Evers <bevers@mesosphere.com>
+
+[ Upstream commit 3f4417d693b43fa240ac8bde4487f67745ca23d8 ]
+
+The argument to nsinfo__copy() was assumed to be valid, but some code paths
+exist that will lead to NULL being passed.
+
+In particular, running 'perf script -D' on a perf.data file containing an
+PERF_RECORD_MMAP event associating the '[vdso]' dso with pid 0 earlier in
+the event stream will lead to a segfault.
+
+Since all calling code is already checking for a non-null return value,
+just return NULL for this case as well.
+
+Signed-off-by: Benno Evers <bevers@mesosphere.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Krister Johansen <kjlx@templeofstupid.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20180810133614.9925-1-bevers@mesosphere.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/namespaces.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/tools/perf/util/namespaces.c
++++ b/tools/perf/util/namespaces.c
+@@ -138,6 +138,9 @@ struct nsinfo *nsinfo__copy(struct nsinf
+ {
+ struct nsinfo *nnsi;
+
++ if (nsi == NULL)
++ return NULL;
++
+ nnsi = calloc(1, sizeof(*nnsi));
+ if (nnsi != NULL) {
+ nnsi->pid = nsi->pid;
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Aleh Filipovich <aleh@vaolix.com>
+Date: Fri, 10 Aug 2018 22:07:25 +0200
+Subject: platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360
+
+From: Aleh Filipovich <aleh@vaolix.com>
+
+[ Upstream commit 880b29ac107d15644bf4da228376ba3cd6af6d71 ]
+
+Add entry to WMI keymap for lid flip event on Asus UX360.
+
+On Asus Zenbook ux360 flipping lid from/to tablet mode triggers
+keyscan code 0xfa which cannot be handled and results in kernel
+log message "Unknown key fa pressed".
+
+Signed-off-by: Aleh Filipovich<aleh@appnexus.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/asus-nb-wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/platform/x86/asus-nb-wmi.c
++++ b/drivers/platform/x86/asus-nb-wmi.c
+@@ -487,6 +487,7 @@ static const struct key_entry asus_nb_wm
+ { KE_KEY, 0xC4, { KEY_KBDILLUMUP } },
+ { KE_KEY, 0xC5, { KEY_KBDILLUMDOWN } },
+ { KE_IGNORE, 0xC6, }, /* Ambient Light Sensor notification */
++ { KE_KEY, 0xFA, { KEY_PROG2 } }, /* Lid flip action */
+ { KE_END, 0},
+ };
+
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Wed, 15 Aug 2018 09:12:07 -0700
+Subject: platform/x86: intel_punit_ipc: fix build errors
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 340fd4cff43f18bace9358d4decdc9b6ed0715be ]
+
+Fix build errors by #including <linux/io.h>.
+
+../drivers/platform/x86/intel_punit_ipc.c: In function 'ipc_read_status':
+../drivers/platform/x86/intel_punit_ipc.c:55:2: error: implicit declaration of function 'readl' [-Werror=implicit-function-declaration]
+ return readl(ipcdev->base[type][BASE_IFACE]);
+../drivers/platform/x86/intel_punit_ipc.c: In function 'ipc_write_cmd':
+../drivers/platform/x86/intel_punit_ipc.c:60:2: error: implicit declaration of function 'writel' [-Werror=implicit-function-declaration]
+ writel(cmd, ipcdev->base[type][BASE_IFACE]);
+
+Fixes: 447ae3166702 ("x86: Don't include linux/irq.h from asm/hardirq.h")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Zha Qipeng <qipeng.zha@intel.com>
+Cc: platform-driver-x86@vger.kernel.org
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/intel_punit_ipc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/platform/x86/intel_punit_ipc.c
++++ b/drivers/platform/x86/intel_punit_ipc.c
+@@ -17,6 +17,7 @@
+ #include <linux/bitops.h>
+ #include <linux/device.h>
+ #include <linux/interrupt.h>
++#include <linux/io.h>
+ #include <linux/platform_device.h>
+ #include <asm/intel_punit_ipc.h>
+
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Thu, 26 Jul 2018 22:42:44 +1000
+Subject: powerpc/64s: Make rfi_flush_fallback a little more robust
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 78ee9946371f5848ddfc88ab1a43867df8f17d83 ]
+
+Because rfi_flush_fallback runs immediately before the return to
+userspace it currently runs with the user r1 (stack pointer). This
+means if we oops in there we will report a bad kernel stack pointer in
+the exception entry path, eg:
+
+ Bad kernel stack pointer 7ffff7150e40 at c0000000000023b4
+ Oops: Bad kernel stack pointer, sig: 6 [#1]
+ LE SMP NR_CPUS=32 NUMA PowerNV
+ Modules linked in:
+ CPU: 0 PID: 1246 Comm: klogd Not tainted 4.18.0-rc2-gcc-7.3.1-00175-g0443f8a69ba3 #7
+ NIP: c0000000000023b4 LR: 0000000010053e00 CTR: 0000000000000040
+ REGS: c0000000fffe7d40 TRAP: 4100 Not tainted (4.18.0-rc2-gcc-7.3.1-00175-g0443f8a69ba3)
+ MSR: 9000000002803031 <SF,HV,VEC,VSX,FP,ME,IR,DR,LE> CR: 44000442 XER: 20000000
+ CFAR: c00000000000bac8 IRQMASK: c0000000f1e66a80
+ GPR00: 0000000002000000 00007ffff7150e40 00007fff93a99900 0000000000000020
+ ...
+ NIP [c0000000000023b4] rfi_flush_fallback+0x34/0x80
+ LR [0000000010053e00] 0x10053e00
+
+Although the NIP tells us where we were, and the TRAP number tells us
+what happened, it would still be nicer if we could report the actual
+exception rather than barfing about the stack pointer.
+
+We an do that fairly simply by loading the kernel stack pointer on
+entry and restoring the user value before returning. That way we see a
+regular oops such as:
+
+ Unrecoverable exception 4100 at c00000000000239c
+ Oops: Unrecoverable exception, sig: 6 [#1]
+ LE SMP NR_CPUS=32 NUMA PowerNV
+ Modules linked in:
+ CPU: 0 PID: 1251 Comm: klogd Not tainted 4.18.0-rc3-gcc-7.3.1-00097-g4ebfcac65acd-dirty #40
+ NIP: c00000000000239c LR: 0000000010053e00 CTR: 0000000000000040
+ REGS: c0000000f1e17bb0 TRAP: 4100 Not tainted (4.18.0-rc3-gcc-7.3.1-00097-g4ebfcac65acd-dirty)
+ MSR: 9000000002803031 <SF,HV,VEC,VSX,FP,ME,IR,DR,LE> CR: 44000442 XER: 20000000
+ CFAR: c00000000000bac8 IRQMASK: 0
+ ...
+ NIP [c00000000000239c] rfi_flush_fallback+0x3c/0x80
+ LR [0000000010053e00] 0x10053e00
+ Call Trace:
+ [c0000000f1e17e30] [c00000000000b9e4] system_call+0x5c/0x70 (unreliable)
+
+Note this shouldn't make the kernel stack pointer vulnerable to a
+meltdown attack, because it should be flushed from the cache before we
+return to userspace. The user r1 value will be in the cache, because
+we load it in the return path, but that is harmless.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/exceptions-64s.S | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -1452,6 +1452,8 @@ TRAMP_REAL_BEGIN(stf_barrier_fallback)
+ TRAMP_REAL_BEGIN(rfi_flush_fallback)
+ SET_SCRATCH0(r13);
+ GET_PACA(r13);
++ std r1,PACA_EXRFI+EX_R12(r13)
++ ld r1,PACAKSAVE(r13)
+ std r9,PACA_EXRFI+EX_R9(r13)
+ std r10,PACA_EXRFI+EX_R10(r13)
+ std r11,PACA_EXRFI+EX_R11(r13)
+@@ -1486,12 +1488,15 @@ TRAMP_REAL_BEGIN(rfi_flush_fallback)
+ ld r9,PACA_EXRFI+EX_R9(r13)
+ ld r10,PACA_EXRFI+EX_R10(r13)
+ ld r11,PACA_EXRFI+EX_R11(r13)
++ ld r1,PACA_EXRFI+EX_R12(r13)
+ GET_SCRATCH0(r13);
+ rfid
+
+ TRAMP_REAL_BEGIN(hrfi_flush_fallback)
+ SET_SCRATCH0(r13);
+ GET_PACA(r13);
++ std r1,PACA_EXRFI+EX_R12(r13)
++ ld r1,PACAKSAVE(r13)
+ std r9,PACA_EXRFI+EX_R9(r13)
+ std r10,PACA_EXRFI+EX_R10(r13)
+ std r11,PACA_EXRFI+EX_R11(r13)
+@@ -1526,6 +1531,7 @@ TRAMP_REAL_BEGIN(hrfi_flush_fallback)
+ ld r9,PACA_EXRFI+EX_R9(r13)
+ ld r10,PACA_EXRFI+EX_R10(r13)
+ ld r11,PACA_EXRFI+EX_R11(r13)
++ ld r1,PACA_EXRFI+EX_R12(r13)
+ GET_SCRATCH0(r13);
+ hrfid
+
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 8 Aug 2018 14:57:24 +0300
+Subject: powerpc: Fix size calculation using resource_size()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit c42d3be0c06f0c1c416054022aa535c08a1f9b39 ]
+
+The problem is the the calculation should be "end - start + 1" but the
+plus one is missing in this calculation.
+
+Fixes: 8626816e905e ("powerpc: add support for MPIC message register API")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/sysdev/mpic_msgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/sysdev/mpic_msgr.c
++++ b/arch/powerpc/sysdev/mpic_msgr.c
+@@ -196,7 +196,7 @@ static int mpic_msgr_probe(struct platfo
+
+ /* IO map the message register block. */
+ of_address_to_resource(np, 0, &rsrc);
+- msgr_block_addr = ioremap(rsrc.start, rsrc.end - rsrc.start);
++ msgr_block_addr = ioremap(rsrc.start, resource_size(&rsrc));
+ if (!msgr_block_addr) {
+ dev_err(&dev->dev, "Failed to iomap MPIC message registers");
+ return -EFAULT;
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sun, 15 Jul 2018 10:34:46 -0700
+Subject: powerpc/platforms/85xx: fix t1042rdb_diu.c build errors & warning
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit f5daf77a55ef0e695cc90c440ed6503073ac5e07 ]
+
+Fix build errors and warnings in t1042rdb_diu.c by adding header files
+and MODULE_LICENSE().
+
+../arch/powerpc/platforms/85xx/t1042rdb_diu.c:152:1: warning: data definition has no type or storage class
+ early_initcall(t1042rdb_diu_init);
+../arch/powerpc/platforms/85xx/t1042rdb_diu.c:152:1: error: type defaults to 'int' in declaration of 'early_initcall' [-Werror=implicit-int]
+../arch/powerpc/platforms/85xx/t1042rdb_diu.c:152:1: warning: parameter names (without types) in function declaration
+
+and
+WARNING: modpost: missing MODULE_LICENSE() in arch/powerpc/platforms/85xx/t1042rdb_diu.o
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Scott Wood <oss@buserror.net>
+Cc: Kumar Gala <galak@kernel.crashing.org>
+Cc: linuxppc-dev@lists.ozlabs.org
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/85xx/t1042rdb_diu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/powerpc/platforms/85xx/t1042rdb_diu.c
++++ b/arch/powerpc/platforms/85xx/t1042rdb_diu.c
+@@ -9,8 +9,10 @@
+ * option) any later version.
+ */
+
++#include <linux/init.h>
+ #include <linux/io.h>
+ #include <linux/kernel.h>
++#include <linux/module.h>
+ #include <linux/of.h>
+ #include <linux/of_address.h>
+
+@@ -150,3 +152,5 @@ static int __init t1042rdb_diu_init(void
+ }
+
+ early_initcall(t1042rdb_diu_init);
++
++MODULE_LICENSE("GPL");
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Date: Wed, 4 Jul 2018 23:27:02 +0530
+Subject: powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX.
+
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+
+[ Upstream commit 74e96bf44f430cf7a01de19ba6cf49b361cdfd6e ]
+
+The global mce data buffer that used to copy rtas error log is of 2048
+(RTAS_ERROR_LOG_MAX) bytes in size. Before the copy we read
+extended_log_length from rtas error log header, then use max of
+extended_log_length and RTAS_ERROR_LOG_MAX as a size of data to be copied.
+Ideally the platform (phyp) will never send extended error log with
+size > 2048. But if that happens, then we have a risk of buffer overrun
+and corruption. Fix this by using min_t instead.
+
+Fixes: d368514c3097 ("powerpc: Fix corruption when grabbing FWNMI data")
+Reported-by: Michal Suchanek <msuchanek@suse.com>
+Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/pseries/ras.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/ras.c
++++ b/arch/powerpc/platforms/pseries/ras.c
+@@ -371,7 +371,7 @@ static struct rtas_error_log *fwnmi_get_
+ int len, error_log_length;
+
+ error_log_length = 8 + rtas_error_extended_log_length(h);
+- len = max_t(int, error_log_length, RTAS_ERROR_LOG_MAX);
++ len = min_t(int, error_log_length, RTAS_ERROR_LOG_MAX);
+ memset(global_mce_data_buf, 0, RTAS_ERROR_LOG_MAX);
+ memcpy(global_mce_data_buf, h, len);
+ errhdr = (struct rtas_error_log *)global_mce_data_buf;
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 10 Jul 2018 16:20:56 +1000
+Subject: powerpc/uaccess: Enable get_user(u64, *p) on 32-bit
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit f7a6947cd49b7ff4e03f1b4f7e7b223003d752ca ]
+
+Currently if you build a 32-bit powerpc kernel and use get_user() to
+load a u64 value it will fail to build with eg:
+
+ kernel/rseq.o: In function `rseq_get_rseq_cs':
+ kernel/rseq.c:123: undefined reference to `__get_user_bad'
+
+This is hitting the check in __get_user_size() that makes sure the
+size we're copying doesn't exceed the size of the destination:
+
+ #define __get_user_size(x, ptr, size, retval)
+ do {
+ retval = 0;
+ __chk_user_ptr(ptr);
+ if (size > sizeof(x))
+ (x) = __get_user_bad();
+
+Which doesn't immediately make sense because the size of the
+destination is u64, but it's not really, because __get_user_check()
+etc. internally create an unsigned long and copy into that:
+
+ #define __get_user_check(x, ptr, size)
+ ({
+ long __gu_err = -EFAULT;
+ unsigned long __gu_val = 0;
+
+The problem being that on 32-bit unsigned long is not big enough to
+hold a u64. We can fix this with a trick from hpa in the x86 code, we
+statically check the type of x and set the type of __gu_val to either
+unsigned long or unsigned long long.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/uaccess.h | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/include/asm/uaccess.h
++++ b/arch/powerpc/include/asm/uaccess.h
+@@ -223,10 +223,17 @@ do { \
+ } \
+ } while (0)
+
++/*
++ * This is a type: either unsigned long, if the argument fits into
++ * that type, or otherwise unsigned long long.
++ */
++#define __long_type(x) \
++ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
++
+ #define __get_user_nocheck(x, ptr, size) \
+ ({ \
+ long __gu_err; \
+- unsigned long __gu_val; \
++ __long_type(*(ptr)) __gu_val; \
+ const __typeof__(*(ptr)) __user *__gu_addr = (ptr); \
+ __chk_user_ptr(ptr); \
+ if (!is_kernel_addr((unsigned long)__gu_addr)) \
+@@ -239,7 +246,7 @@ do { \
+ #define __get_user_check(x, ptr, size) \
+ ({ \
+ long __gu_err = -EFAULT; \
+- unsigned long __gu_val = 0; \
++ __long_type(*(ptr)) __gu_val = 0; \
+ const __typeof__(*(ptr)) __user *__gu_addr = (ptr); \
+ might_fault(); \
+ if (access_ok(VERIFY_READ, __gu_addr, (size))) \
+@@ -251,7 +258,7 @@ do { \
+ #define __get_user_nosleep(x, ptr, size) \
+ ({ \
+ long __gu_err; \
+- unsigned long __gu_val; \
++ __long_type(*(ptr)) __gu_val; \
+ const __typeof__(*(ptr)) __user *__gu_addr = (ptr); \
+ __chk_user_ptr(ptr); \
+ __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Wed, 1 Aug 2018 12:57:20 +0200
+Subject: pwm: meson: Fix mux clock names
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit b96e9eb62841c519ba1db32d036628be3cdef91f ]
+
+Current clock name looks like this:
+/soc/bus@ffd00000/pwm@1b000#mux0
+
+This is bad because CCF uses the clock to create a directory in clk debugfs.
+With such name, the directory creation (silently) fails and the debugfs
+entry end up being created at the debugfs root.
+
+With this change, the clock name will now be:
+ffd1b000.pwm#mux0
+
+This matches the clock naming scheme used in the ethernet and mmc driver.
+It also fixes the problem with debugfs.
+
+Fixes: 36af66a79056 ("pwm: Convert to using %pOF instead of full_name")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pwm/pwm-meson.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/pwm/pwm-meson.c
++++ b/drivers/pwm/pwm-meson.c
+@@ -432,7 +432,6 @@ static int meson_pwm_init_channels(struc
+ struct meson_pwm_channel *channels)
+ {
+ struct device *dev = meson->chip.dev;
+- struct device_node *np = dev->of_node;
+ struct clk_init_data init;
+ unsigned int i;
+ char name[255];
+@@ -441,7 +440,7 @@ static int meson_pwm_init_channels(struc
+ for (i = 0; i < meson->chip.npwm; i++) {
+ struct meson_pwm_channel *channel = &channels[i];
+
+- snprintf(name, sizeof(name), "%pOF#mux%u", np, i);
++ snprintf(name, sizeof(name), "%s#mux%u", dev_name(dev), i);
+
+ init.name = name;
+ init.ops = &clk_mux_ops;
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Gal Pressman <pressmangal@gmail.com>
+Date: Thu, 9 Aug 2018 22:00:47 +0300
+Subject: RDMA/hns: Fix usage of bitmap allocation functions return values
+
+From: Gal Pressman <pressmangal@gmail.com>
+
+[ Upstream commit a1ceeca679dccc492235f0f629d9e9f7b3d51ca8 ]
+
+hns bitmap allocation functions return 0 on success and -1 on failure.
+Callers of these functions wrongly used their return value as an errno,
+fix that by making a proper conversion.
+
+Fixes: a598c6f4c5a8 ("IB/hns: Simplify function of pd alloc and qp alloc")
+Signed-off-by: Gal Pressman <pressmangal@gmail.com>
+Acked-by: Lijun Ou <oulijun@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_pd.c | 2 +-
+ drivers/infiniband/hw/hns/hns_roce_qp.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/hns/hns_roce_pd.c
++++ b/drivers/infiniband/hw/hns/hns_roce_pd.c
+@@ -35,7 +35,7 @@
+
+ static int hns_roce_pd_alloc(struct hns_roce_dev *hr_dev, unsigned long *pdn)
+ {
+- return hns_roce_bitmap_alloc(&hr_dev->pd_bitmap, pdn);
++ return hns_roce_bitmap_alloc(&hr_dev->pd_bitmap, pdn) ? -ENOMEM : 0;
+ }
+
+ static void hns_roce_pd_free(struct hns_roce_dev *hr_dev, unsigned long pdn)
+--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
+@@ -114,7 +114,10 @@ static int hns_roce_reserve_range_qp(str
+ {
+ struct hns_roce_qp_table *qp_table = &hr_dev->qp_table;
+
+- return hns_roce_bitmap_alloc_range(&qp_table->bitmap, cnt, align, base);
++ return hns_roce_bitmap_alloc_range(&qp_table->bitmap, cnt, align,
++ base) ?
++ -ENOMEM :
++ 0;
+ }
+
+ enum hns_roce_qp_state to_hns_roce_state(enum ib_qp_state state)
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 7 Aug 2018 19:34:16 +0800
+Subject: RDS: IB: fix 'passing zero to ERR_PTR()' warning
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 5941923da29e84bc9e2a1abb2c14fffaf8d71e2f ]
+
+Fix a static code checker warning:
+ net/rds/ib_frmr.c:82 rds_ib_alloc_frmr() warn: passing zero to 'ERR_PTR'
+
+The error path for ib_alloc_mr failure should set err to PTR_ERR.
+
+Fixes: 1659185fb4d0 ("RDS: IB: Support Fastreg MR (FRMR) memory registration mode")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/ib_frmr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rds/ib_frmr.c
++++ b/net/rds/ib_frmr.c
+@@ -61,6 +61,7 @@ static struct rds_ib_mr *rds_ib_alloc_fr
+ pool->fmr_attr.max_pages);
+ if (IS_ERR(frmr->mr)) {
+ pr_warn("RDS/IB: %s failed to allocate MR", __func__);
++ err = PTR_ERR(frmr->mr);
+ goto out_no_cigar;
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 21 Aug 2018 21:59:34 -0700
+Subject: reiserfs: change j_timestamp type to time64_t
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 8b73ce6a4bae4fe12bcb2c361c0da4183c2e1b6f ]
+
+This uses the deprecated time_t type but is write-only, and could be
+removed, but as Jeff explains, having a timestamp can be usefule for
+post-mortem analysis in crash dumps.
+
+In order to remove one of the last instances of time_t, this changes the
+type to time64_t, same as j_trans_start_time.
+
+Link: http://lkml.kernel.org/r/20180622133315.221210-1-arnd@arndb.de
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/reiserfs/reiserfs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/reiserfs/reiserfs.h
++++ b/fs/reiserfs/reiserfs.h
+@@ -271,7 +271,7 @@ struct reiserfs_journal_list {
+
+ struct mutex j_commit_mutex;
+ unsigned int j_trans_id;
+- time_t j_timestamp;
++ time64_t j_timestamp; /* write-only but useful for crash dump analysis */
+ struct reiserfs_list_bitmap *j_list_bitmap;
+ struct buffer_head *j_commit_bh; /* commit buffer head */
+ struct reiserfs_journal_cnode *j_realblock;
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Stefan Haberland <sth@linux.ibm.com>
+Date: Wed, 25 Jul 2018 14:00:47 +0200
+Subject: s390/dasd: fix hanging offline processing due to canceled worker
+
+From: Stefan Haberland <sth@linux.ibm.com>
+
+[ Upstream commit 669f3765b755fd8739ab46ce3a9c6292ce8b3d2a ]
+
+During offline processing two worker threads are canceled without
+freeing the device reference which leads to a hanging offline process.
+
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/dasd_eckd.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -2032,8 +2032,11 @@ static int dasd_eckd_basic_to_ready(stru
+
+ static int dasd_eckd_online_to_ready(struct dasd_device *device)
+ {
+- cancel_work_sync(&device->reload_device);
+- cancel_work_sync(&device->kick_validate);
++ if (cancel_work_sync(&device->reload_device))
++ dasd_put_device(device);
++ if (cancel_work_sync(&device->kick_validate))
++ dasd_put_device(device);
++
+ return 0;
+ };
+
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Stefan Haberland <sth@linux.ibm.com>
+Date: Wed, 25 Jul 2018 13:27:10 +0200
+Subject: s390/dasd: fix panic for failed online processing
+
+From: Stefan Haberland <sth@linux.ibm.com>
+
+[ Upstream commit 7c6553d4db03350dad0110c3224194c19df76a8f ]
+
+Fix a panic that occurs for a device that got an error in
+dasd_eckd_check_characteristics() during online processing.
+For example the read configuration data command may have failed.
+
+If this error occurs the device is not being set online and the earlier
+invoked steps during online processing are rolled back. Therefore
+dasd_eckd_uncheck_device() is called which needs a valid private
+structure. But this pointer is not valid if
+dasd_eckd_check_characteristics() has failed.
+
+Check for a valid device->private pointer to prevent a panic.
+
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/dasd_eckd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -1778,6 +1778,9 @@ static void dasd_eckd_uncheck_device(str
+ struct dasd_eckd_private *private = device->private;
+ int i;
+
++ if (!private)
++ return;
++
+ dasd_alias_disconnect_device_from_lcu(device);
+ private->ned = NULL;
+ private->sneq = NULL;
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Philipp Rudo <prudo@linux.ibm.com>
+Date: Mon, 13 Aug 2018 11:16:57 +0200
+Subject: s390/kdump: Fix memleak in nt_vmcoreinfo
+
+From: Philipp Rudo <prudo@linux.ibm.com>
+
+[ Upstream commit 2d2e7075b87181ed0c675e4936e20bdadba02e1f ]
+
+The vmcoreinfo of a crashed system is potentially fragmented. Thus the
+crash kernel has an intermediate step where the vmcoreinfo is copied into a
+temporary, continuous buffer in the crash kernel memory. This temporary
+buffer is never freed. Free it now to prevent the memleak.
+
+While at it replace all occurrences of "VMCOREINFO" by its corresponding
+macro to prevent potential renaming issues.
+
+Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
+Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/crash_dump.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/arch/s390/kernel/crash_dump.c
++++ b/arch/s390/kernel/crash_dump.c
+@@ -404,11 +404,13 @@ static void *get_vmcoreinfo_old(unsigned
+ if (copy_oldmem_kernel(nt_name, addr + sizeof(note),
+ sizeof(nt_name) - 1))
+ return NULL;
+- if (strcmp(nt_name, "VMCOREINFO") != 0)
++ if (strcmp(nt_name, VMCOREINFO_NOTE_NAME) != 0)
+ return NULL;
+ vmcoreinfo = kzalloc_panic(note.n_descsz);
+- if (copy_oldmem_kernel(vmcoreinfo, addr + 24, note.n_descsz))
++ if (copy_oldmem_kernel(vmcoreinfo, addr + 24, note.n_descsz)) {
++ kfree(vmcoreinfo);
+ return NULL;
++ }
+ *size = note.n_descsz;
+ return vmcoreinfo;
+ }
+@@ -418,15 +420,20 @@ static void *get_vmcoreinfo_old(unsigned
+ */
+ static void *nt_vmcoreinfo(void *ptr)
+ {
++ const char *name = VMCOREINFO_NOTE_NAME;
+ unsigned long size;
+ void *vmcoreinfo;
+
+ vmcoreinfo = os_info_old_entry(OS_INFO_VMCOREINFO, &size);
+- if (!vmcoreinfo)
+- vmcoreinfo = get_vmcoreinfo_old(&size);
++ if (vmcoreinfo)
++ return nt_init_name(ptr, 0, vmcoreinfo, size, name);
++
++ vmcoreinfo = get_vmcoreinfo_old(&size);
+ if (!vmcoreinfo)
+ return ptr;
+- return nt_init_name(ptr, 0, vmcoreinfo, size, "VMCOREINFO");
++ ptr = nt_init_name(ptr, 0, vmcoreinfo, size, name);
++ kfree(vmcoreinfo);
++ return ptr;
+ }
+
+ /*
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Wed, 15 Aug 2018 12:30:38 -0700
+Subject: scripts: modpost: check memory allocation results
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 1f3aa9002dc6a0d59a4b599b4fc8f01cf43ef014 ]
+
+Fix missing error check for memory allocation functions in
+scripts/mod/modpost.c.
+
+Fixes kernel bugzilla #200319:
+https://bugzilla.kernel.org/show_bug.cgi?id=200319
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Yuexing Wang <wangyxlandq@gmail.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/mod/modpost.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -677,7 +677,7 @@ static void handle_modversions(struct mo
+ if (ELF_ST_TYPE(sym->st_info) == STT_SPARC_REGISTER)
+ break;
+ if (symname[0] == '.') {
+- char *munged = strdup(symname);
++ char *munged = NOFAIL(strdup(symname));
+ munged[0] = '_';
+ munged[1] = toupper(munged[1]);
+ symname = munged;
+@@ -1329,7 +1329,7 @@ static Elf_Sym *find_elf_symbol2(struct
+ static char *sec2annotation(const char *s)
+ {
+ if (match(s, init_exit_sections)) {
+- char *p = malloc(20);
++ char *p = NOFAIL(malloc(20));
+ char *r = p;
+
+ *p++ = '_';
+@@ -1349,7 +1349,7 @@ static char *sec2annotation(const char *
+ strcat(p, " ");
+ return r;
+ } else {
+- return strdup("");
++ return NOFAIL(strdup(""));
+ }
+ }
+
+@@ -2050,7 +2050,7 @@ void buf_write(struct buffer *buf, const
+ {
+ if (buf->size - buf->pos < len) {
+ buf->size += len + SZ;
+- buf->p = realloc(buf->p, buf->size);
++ buf->p = NOFAIL(realloc(buf->p, buf->size));
+ }
+ strncpy(buf->p + buf->pos, s, len);
+ buf->pos += len;
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 8 Aug 2018 17:29:09 +0300
+Subject: scsi: aic94xx: fix an error code in aic94xx_init()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 0756c57bce3d26da2592d834d8910b6887021701 ]
+
+We accidentally return success instead of -ENOMEM on this error path.
+
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/aic94xx/aic94xx_init.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/aic94xx/aic94xx_init.c
++++ b/drivers/scsi/aic94xx/aic94xx_init.c
+@@ -1030,8 +1030,10 @@ static int __init aic94xx_init(void)
+
+ aic94xx_transport_template =
+ sas_domain_attach_transport(&aic94xx_transport_functions);
+- if (!aic94xx_transport_template)
++ if (!aic94xx_transport_template) {
++ err = -ENOMEM;
+ goto out_destroy_caches;
++ }
+
+ err = pci_register_driver(&aic94xx_pci_driver);
+ if (err)
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Breno Leitao <leitao@debian.org>
+Date: Tue, 7 Aug 2018 11:15:39 -0300
+Subject: selftests/powerpc: Kill child processes on SIGINT
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 7c27a26e1ed5a7dd709aa19685d2c98f64e1cf0c ]
+
+There are some powerpc selftests, as tm/tm-unavailable, that run for a long
+period (>120 seconds), and if it is interrupted, as pressing CRTL-C
+(SIGINT), the foreground process (harness) dies but the child process and
+threads continue to execute (with PPID = 1 now) in background.
+
+In this case, you'd think the whole test exited, but there are remaining
+threads and processes being executed in background. Sometimes these
+zombies processes are doing annoying things, as consuming the whole CPU or
+dumping things to STDOUT.
+
+This patch fixes this problem by attaching an empty signal handler to
+SIGINT in the harness process. This handler will interrupt (EINTR) the
+parent process waitpid() call, letting the code to follow through the
+normal flow, which will kill all the processes in the child process group.
+
+This patch also fixes a typo.
+
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/powerpc/harness.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/tools/testing/selftests/powerpc/harness.c
++++ b/tools/testing/selftests/powerpc/harness.c
+@@ -85,13 +85,13 @@ wait:
+ return status;
+ }
+
+-static void alarm_handler(int signum)
++static void sig_handler(int signum)
+ {
+- /* Jut wake us up from waitpid */
++ /* Just wake us up from waitpid */
+ }
+
+-static struct sigaction alarm_action = {
+- .sa_handler = alarm_handler,
++static struct sigaction sig_action = {
++ .sa_handler = sig_handler,
+ };
+
+ void test_harness_set_timeout(uint64_t time)
+@@ -106,8 +106,14 @@ int test_harness(int (test_function)(voi
+ test_start(name);
+ test_set_git_version(GIT_VERSION);
+
+- if (sigaction(SIGALRM, &alarm_action, NULL)) {
+- perror("sigaction");
++ if (sigaction(SIGINT, &sig_action, NULL)) {
++ perror("sigaction (sigint)");
++ test_error(name);
++ return 1;
++ }
++
++ if (sigaction(SIGALRM, &sig_action, NULL)) {
++ perror("sigaction (sigalrm)");
+ test_error(name);
+ return 1;
+ }
act_ife-move-tcfa_lock-down-to-where-necessary.patch
act_ife-fix-a-potential-deadlock.patch
net-sched-action_ife-take-reference-to-meta-module.patch
+cifs-check-if-smb2-pdu-size-has-been-padded-and-suppress-the-warning.patch
+hfsplus-don-t-return-0-when-fill_super-failed.patch
+hfs-prevent-crash-on-exit-from-failed-search.patch
+sunrpc-don-t-use-stack-buffer-with-scatterlist.patch
+fork-don-t-copy-inconsistent-signal-handler-state-to-child.patch
+reiserfs-change-j_timestamp-type-to-time64_t.patch
+hfsplus-fix-null-dereference-in-hfsplus_lookup.patch
+fs-proc-kcore.c-use-__pa_symbol-for-kcore_text-list-entries.patch
+fat-validate-i_start-before-using.patch
+scripts-modpost-check-memory-allocation-results.patch
+virtio-pci-legacy-validate-queue-pfn.patch
+x86-mce-add-notifier_block-forward-declaration.patch
+ib-hfi1-invalid-numa-node-information-can-cause-a-divide-by-zero.patch
+pwm-meson-fix-mux-clock-names.patch
+mm-fadvise.c-fix-signed-overflow-ubsan-complaint.patch
+fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_snapshot.patch
+platform-x86-intel_punit_ipc-fix-build-errors.patch
+netfilter-ip6t_rpfilter-set-f_iface-for-linklocal-addresses.patch
+s390-kdump-fix-memleak-in-nt_vmcoreinfo.patch
+ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_dest.patch
+mfd-sm501-set-coherent_dma_mask-when-creating-subdevices.patch
+tracing-handle-cc_flags_ftrace-more-accurately.patch
+platform-x86-asus-nb-wmi-add-keymap-entry-for-lid-flip-action-on-ux360.patch
+netfilter-fix-memory-leaks-on-netlink_dump_start-error.patch
+tcp-ulp-add-alias-for-all-ulp-modules.patch
+rdma-hns-fix-usage-of-bitmap-allocation-functions-return-values.patch
+net-hns3-fix-for-command-format-parsing-error-in-hclge_is_all_function_id_zero.patch
+net-hns3-fix-for-phy-link-issue-when-using-marvell-phy-driver.patch
+perf-tools-check-for-null-when-copying-nsinfo.patch
+irqchip-bcm7038-l1-hide-cpu-offline-callback-when-building-for-smp.patch
+net-9p-trans_fd.c-fix-race-by-holding-the-lock.patch
+net-9p-fix-error-path-of-p9_virtio_probe.patch
+f2fs-fix-to-clear-pg_checked-flag-in-set_page_dirty.patch
+powerpc-uaccess-enable-get_user-u64-p-on-32-bit.patch
+powerpc-fix-size-calculation-using-resource_size.patch
+perf-probe-powerpc-fix-trace-event-post-processing.patch
+block-bvec_nr_vecs-returns-value-for-wrong-slab.patch
+s390-dasd-fix-hanging-offline-processing-due-to-canceled-worker.patch
+s390-dasd-fix-panic-for-failed-online-processing.patch
+acpi-scan-initialize-status-to-acpi_sta_default.patch
+scsi-aic94xx-fix-an-error-code-in-aic94xx_init.patch
+nfsv4-fix-error-handling-in-nfs4_sp4_select_mode.patch
+input-do-not-use-warn-in-input_alloc_absinfo.patch
+xen-balloon-fix-balloon-initialization-for-pvh-dom0.patch
+pci-mvebu-fix-i-o-space-end-address-calculation.patch
+dm-kcopyd-avoid-softlockup-in-run_complete_job.patch
+staging-comedi-ni_mio_common-fix-subdevice-flags-for-pfi-subdevice.patch
+asoc-rt5677-fix-initialization-of-rt5677_of_match.data.patch
+iommu-omap-fix-cache-flushes-on-l2-table-entries.patch
+selftests-powerpc-kill-child-processes-on-sigint.patch
+rds-ib-fix-passing-zero-to-err_ptr-warning.patch
+cfq-suppress-compiler-warnings-about-comparisons.patch
+smb3-fix-reset-of-bytes-read-and-written-stats.patch
+smb3-number-of-requests-sent-should-be-displayed-for-smb3-not-just-cifs.patch
+powerpc-platforms-85xx-fix-t1042rdb_diu.c-build-errors-warning.patch
+powerpc-64s-make-rfi_flush_fallback-a-little-more-robust.patch
+powerpc-pseries-avoid-using-the-size-greater-than-rtas_error_log_max.patch
+clk-rockchip-add-pclk_rkpwm_pmu-to-pmu-critical-clocks-in-rk3399.patch
+kvm-vmx-track-host_state.loaded-using-a-loaded_vmcs-pointer.patch
+kvm-nvmx-fix-fault-vector-for-vmx-operation-at-cpl-0.patch
+btrfs-exit-gracefully-when-chunk-map-cannot-be-inserted-to-the-tree.patch
+btrfs-replace-reset-on-disk-dev-stats-value-after-replace.patch
+btrfs-relocation-only-remove-reloc-rb_trees-if-reloc-control-has-been-initialized.patch
+btrfs-don-t-remove-block-group-that-still-has-pinned-down-bytes.patch
+arm64-rockchip-force-config_pm-on-rockchip-systems.patch
+arm-rockchip-force-config_pm-on-rockchip-systems.patch
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Steve French <stfrench@microsoft.com>
+Date: Wed, 1 Aug 2018 00:56:12 -0500
+Subject: smb3: fix reset of bytes read and written stats
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit c281bc0c7412308c7ec0888904f7c99353da4796 ]
+
+echo 0 > /proc/fs/cifs/Stats is supposed to reset the stats
+but there were four (see example below) that were not reset
+(bytes read and witten, total vfs ops and max ops
+at one time).
+
+...
+0 session 0 share reconnects
+Total vfs operations: 100 maximum at one time: 2
+
+1) \\localhost\test
+SMBs: 0
+Bytes read: 502092 Bytes written: 31457286
+TreeConnects: 0 total 0 failed
+TreeDisconnects: 0 total 0 failed
+...
+
+This patch fixes cifs_stats_proc_write to properly reset
+those four.
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifs_debug.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/cifs/cifs_debug.c
++++ b/fs/cifs/cifs_debug.c
+@@ -289,6 +289,10 @@ static ssize_t cifs_stats_proc_write(str
+ atomic_set(&totBufAllocCount, 0);
+ atomic_set(&totSmBufAllocCount, 0);
+ #endif /* CONFIG_CIFS_STATS2 */
++ spin_lock(&GlobalMid_Lock);
++ GlobalMaxActiveXid = 0;
++ GlobalCurrentXid = 0;
++ spin_unlock(&GlobalMid_Lock);
+ spin_lock(&cifs_tcp_ses_lock);
+ list_for_each(tmp1, &cifs_tcp_ses_list) {
+ server = list_entry(tmp1, struct TCP_Server_Info,
+@@ -301,6 +305,10 @@ static ssize_t cifs_stats_proc_write(str
+ struct cifs_tcon,
+ tcon_list);
+ atomic_set(&tcon->num_smbs_sent, 0);
++ spin_lock(&tcon->stat_lock);
++ tcon->bytes_read = 0;
++ tcon->bytes_written = 0;
++ spin_unlock(&tcon->stat_lock);
+ if (server->ops->clear_stats)
+ server->ops->clear_stats(tcon);
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Steve French <stfrench@microsoft.com>
+Date: Mon, 23 Jul 2018 09:15:18 -0500
+Subject: SMB3: Number of requests sent should be displayed for SMB3 not just CIFS
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit 289131e1f1e6ad8c661ec05e176b8f0915672059 ]
+
+For SMB2/SMB3 the number of requests sent was not displayed
+in /proc/fs/cifs/Stats unless CONFIG_CIFS_STATS2 was
+enabled (only number of failed requests displayed). As
+with earlier dialects, we should be displaying these
+counters if CONFIG_CIFS_STATS is enabled. They
+are important for debugging.
+
+e.g. when you cat /proc/fs/cifs/Stats (before the patch)
+Resources in use
+CIFS Session: 1
+Share (unique mount targets): 2
+SMB Request/Response Buffer: 1 Pool size: 5
+SMB Small Req/Resp Buffer: 1 Pool size: 30
+Operations (MIDs): 0
+
+0 session 0 share reconnects
+Total vfs operations: 690 maximum at one time: 2
+
+1) \\localhost\test
+SMBs: 975
+Negotiates: 0 sent 0 failed
+SessionSetups: 0 sent 0 failed
+Logoffs: 0 sent 0 failed
+TreeConnects: 0 sent 0 failed
+TreeDisconnects: 0 sent 0 failed
+Creates: 0 sent 2 failed
+Closes: 0 sent 0 failed
+Flushes: 0 sent 0 failed
+Reads: 0 sent 0 failed
+Writes: 0 sent 0 failed
+Locks: 0 sent 0 failed
+IOCTLs: 0 sent 1 failed
+Cancels: 0 sent 0 failed
+Echos: 0 sent 0 failed
+QueryDirectories: 0 sent 63 failed
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -393,7 +393,7 @@ small_smb2_init(__le16 smb2_command, str
+ pdu->hdr.smb2_buf_length = cpu_to_be32(total_len);
+
+ if (tcon != NULL) {
+-#ifdef CONFIG_CIFS_STATS2
++#ifdef CONFIG_CIFS_STATS
+ uint16_t com_code = le16_to_cpu(smb2_command);
+ cifs_stats_inc(&tcon->stats.smb2_stats.smb2_com_sent[com_code]);
+ #endif
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 6 Aug 2018 11:05:13 +0100
+Subject: staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+[ Upstream commit e083926b3e269d4064825dcf2ad50c636fddf8cf ]
+
+The PFI subdevice flags indicate that the subdevice is readable and
+writeable, but that is only true for the supported "M-series" boards,
+not the older "E-series" boards. Only set the SDF_READABLE and
+SDF_WRITABLE subdevice flags for the M-series boards. These two flags
+are mainly for informational purposes.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/ni_mio_common.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/ni_mio_common.c
++++ b/drivers/staging/comedi/drivers/ni_mio_common.c
+@@ -5453,11 +5453,11 @@ static int ni_E_init(struct comedi_devic
+ /* Digital I/O (PFI) subdevice */
+ s = &dev->subdevices[NI_PFI_DIO_SUBDEV];
+ s->type = COMEDI_SUBD_DIO;
+- s->subdev_flags = SDF_READABLE | SDF_WRITABLE | SDF_INTERNAL;
+ s->maxdata = 1;
+ if (devpriv->is_m_series) {
+ s->n_chan = 16;
+ s->insn_bits = ni_pfi_insn_bits;
++ s->subdev_flags = SDF_READABLE | SDF_WRITABLE | SDF_INTERNAL;
+
+ ni_writew(dev, s->state, NI_M_PFI_DO_REG);
+ for (i = 0; i < NUM_PFI_OUTPUT_SELECT_REGS; ++i) {
+@@ -5466,6 +5466,7 @@ static int ni_E_init(struct comedi_devic
+ }
+ } else {
+ s->n_chan = 10;
++ s->subdev_flags = SDF_INTERNAL;
+ }
+ s->insn_config = ni_pfi_insn_config;
+
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Laura Abbott <labbott@redhat.com>
+Date: Fri, 17 Aug 2018 14:43:54 -0700
+Subject: sunrpc: Don't use stack buffer with scatterlist
+
+From: Laura Abbott <labbott@redhat.com>
+
+[ Upstream commit 44090cc876926277329e1608bafc01b9f6da627f ]
+
+Fedora got a bug report from NFS:
+
+kernel BUG at include/linux/scatterlist.h:143!
+...
+RIP: 0010:sg_init_one+0x7d/0x90
+..
+ make_checksum+0x4e7/0x760 [rpcsec_gss_krb5]
+ gss_get_mic_kerberos+0x26e/0x310 [rpcsec_gss_krb5]
+ gss_marshal+0x126/0x1a0 [auth_rpcgss]
+ ? __local_bh_enable_ip+0x80/0xe0
+ ? call_transmit_status+0x1d0/0x1d0 [sunrpc]
+ call_transmit+0x137/0x230 [sunrpc]
+ __rpc_execute+0x9b/0x490 [sunrpc]
+ rpc_run_task+0x119/0x150 [sunrpc]
+ nfs4_run_exchange_id+0x1bd/0x250 [nfsv4]
+ _nfs4_proc_exchange_id+0x2d/0x490 [nfsv4]
+ nfs41_discover_server_trunking+0x1c/0xa0 [nfsv4]
+ nfs4_discover_server_trunking+0x80/0x270 [nfsv4]
+ nfs4_init_client+0x16e/0x240 [nfsv4]
+ ? nfs_get_client+0x4c9/0x5d0 [nfs]
+ ? _raw_spin_unlock+0x24/0x30
+ ? nfs_get_client+0x4c9/0x5d0 [nfs]
+ nfs4_set_client+0xb2/0x100 [nfsv4]
+ nfs4_create_server+0xff/0x290 [nfsv4]
+ nfs4_remote_mount+0x28/0x50 [nfsv4]
+ mount_fs+0x3b/0x16a
+ vfs_kern_mount.part.35+0x54/0x160
+ nfs_do_root_mount+0x7f/0xc0 [nfsv4]
+ nfs4_try_mount+0x43/0x70 [nfsv4]
+ ? get_nfs_version+0x21/0x80 [nfs]
+ nfs_fs_mount+0x789/0xbf0 [nfs]
+ ? pcpu_alloc+0x6ca/0x7e0
+ ? nfs_clone_super+0x70/0x70 [nfs]
+ ? nfs_parse_mount_options+0xb40/0xb40 [nfs]
+ mount_fs+0x3b/0x16a
+ vfs_kern_mount.part.35+0x54/0x160
+ do_mount+0x1fd/0xd50
+ ksys_mount+0xba/0xd0
+ __x64_sys_mount+0x21/0x30
+ do_syscall_64+0x60/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+This is BUG_ON(!virt_addr_valid(buf)) triggered by using a stack
+allocated buffer with a scatterlist. Convert the buffer for
+rc4salt to be dynamically allocated instead.
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1615258
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/auth_gss/gss_krb5_crypto.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
++++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
+@@ -169,7 +169,7 @@ make_checksum_hmac_md5(struct krb5_ctx *
+ struct scatterlist sg[1];
+ int err = -1;
+ u8 *checksumdata;
+- u8 rc4salt[4];
++ u8 *rc4salt;
+ struct crypto_ahash *md5;
+ struct crypto_ahash *hmac_md5;
+ struct ahash_request *req;
+@@ -183,14 +183,18 @@ make_checksum_hmac_md5(struct krb5_ctx *
+ return GSS_S_FAILURE;
+ }
+
++ rc4salt = kmalloc_array(4, sizeof(*rc4salt), GFP_NOFS);
++ if (!rc4salt)
++ return GSS_S_FAILURE;
++
+ if (arcfour_hmac_md5_usage_to_salt(usage, rc4salt)) {
+ dprintk("%s: invalid usage value %u\n", __func__, usage);
+- return GSS_S_FAILURE;
++ goto out_free_rc4salt;
+ }
+
+ checksumdata = kmalloc(GSS_KRB5_MAX_CKSUM_LEN, GFP_NOFS);
+ if (!checksumdata)
+- return GSS_S_FAILURE;
++ goto out_free_rc4salt;
+
+ md5 = crypto_alloc_ahash("md5", 0, CRYPTO_ALG_ASYNC);
+ if (IS_ERR(md5))
+@@ -258,6 +262,8 @@ out_free_md5:
+ crypto_free_ahash(md5);
+ out_free_cksum:
+ kfree(checksumdata);
++out_free_rc4salt:
++ kfree(rc4salt);
+ return err ? GSS_S_FAILURE : 0;
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu, 16 Aug 2018 21:49:06 +0200
+Subject: tcp, ulp: add alias for all ulp modules
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 037b0b86ecf5646f8eae777d8b52ff8b401692ec ]
+
+Lets not turn the TCP ULP lookup into an arbitrary module loader as
+we only intend to load ULP modules through this mechanism, not other
+unrelated kernel modules:
+
+ [root@bar]# cat foo.c
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <linux/tcp.h>
+ #include <linux/in.h>
+
+ int main(void)
+ {
+ int sock = socket(PF_INET, SOCK_STREAM, 0);
+ setsockopt(sock, IPPROTO_TCP, TCP_ULP, "sctp", sizeof("sctp"));
+ return 0;
+ }
+
+ [root@bar]# gcc foo.c -O2 -Wall
+ [root@bar]# lsmod | grep sctp
+ [root@bar]# ./a.out
+ [root@bar]# lsmod | grep sctp
+ sctp 1077248 4
+ libcrc32c 16384 3 nf_conntrack,nf_nat,sctp
+ [root@bar]#
+
+Fix it by adding module alias to TCP ULP modules, so probing module
+via request_module() will be limited to tcp-ulp-[name]. The existing
+modules like kTLS will load fine given tcp-ulp-tls alias, but others
+will fail to load:
+
+ [root@bar]# lsmod | grep sctp
+ [root@bar]# ./a.out
+ [root@bar]# lsmod | grep sctp
+ [root@bar]#
+
+Sockmap is not affected from this since it's either built-in or not.
+
+Fixes: 734942cc4ea6 ("tcp: ULP infrastructure")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tcp.h | 4 ++++
+ net/ipv4/tcp_ulp.c | 2 +-
+ net/tls/tls_main.c | 1 +
+ 3 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -2063,6 +2063,10 @@ int tcp_set_ulp(struct sock *sk, const c
+ void tcp_get_available_ulp(char *buf, size_t len);
+ void tcp_cleanup_ulp(struct sock *sk);
+
++#define MODULE_ALIAS_TCP_ULP(name) \
++ __MODULE_INFO(alias, alias_userspace, name); \
++ __MODULE_INFO(alias, alias_tcp_ulp, "tcp-ulp-" name)
++
+ /* Call BPF_SOCK_OPS program that returns an int. If the return value
+ * is < 0, then the BPF op failed (for example if the loaded BPF
+ * program does not support the chosen operation or there is no BPF
+--- a/net/ipv4/tcp_ulp.c
++++ b/net/ipv4/tcp_ulp.c
+@@ -39,7 +39,7 @@ static const struct tcp_ulp_ops *__tcp_u
+ #ifdef CONFIG_MODULES
+ if (!ulp && capable(CAP_NET_ADMIN)) {
+ rcu_read_unlock();
+- request_module("%s", name);
++ request_module("tcp-ulp-%s", name);
+ rcu_read_lock();
+ ulp = tcp_ulp_find(name);
+ }
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -44,6 +44,7 @@
+ MODULE_AUTHOR("Mellanox Technologies");
+ MODULE_DESCRIPTION("Transport Layer Security Support");
+ MODULE_LICENSE("Dual BSD/GPL");
++MODULE_ALIAS_TCP_ULP("tls");
+
+ static struct proto tls_base_prot;
+ static struct proto tls_sw_prot;
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Mon, 6 Aug 2018 15:17:42 +0200
+Subject: tracing: Handle CC_FLAGS_FTRACE more accurately
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+[ Upstream commit f28bc3c32c059ab4d13f52155fabd3e20f477f65 ]
+
+CC_FLAGS_FTRACE is exported and later used to remove ftrace relevant
+build flags from files which should be built without ftrace support.
+For that reason add -mfentry to CC_FLAGS_FTRACE as well. That fixes
+a problem with vdso32 build on s390, where -mfentry could not be used
+together with -m31 flag.
+
+At the same time flags like -pg and -mfentry are not relevant for asm
+files, so avoid adding them to KBUILD_AFLAGS.
+
+Introduce CC_FLAGS_USING instead of CC_USING_FENTRY to collect
+-DCC_USING_FENTRY (and future alike) which are relevant for both
+KBUILD_CFLAGS and KBUILD_AFLAGS.
+
+Link: http://lkml.kernel.org/r/patch-1.thread-aa7b8d.git-42971afe87de.your-ad-here.call-01533557518-ext-9465@work.hours
+
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Makefile | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -767,12 +767,15 @@ ifdef CONFIG_FUNCTION_TRACER
+ ifndef CC_FLAGS_FTRACE
+ CC_FLAGS_FTRACE := -pg
+ endif
+-export CC_FLAGS_FTRACE
+ ifdef CONFIG_HAVE_FENTRY
+-CC_USING_FENTRY := $(call cc-option, -mfentry -DCC_USING_FENTRY)
++ ifeq ($(call cc-option-yn, -mfentry),y)
++ CC_FLAGS_FTRACE += -mfentry
++ CC_FLAGS_USING += -DCC_USING_FENTRY
++ endif
+ endif
+-KBUILD_CFLAGS += $(CC_FLAGS_FTRACE) $(CC_USING_FENTRY)
+-KBUILD_AFLAGS += $(CC_USING_FENTRY)
++export CC_FLAGS_FTRACE
++KBUILD_CFLAGS += $(CC_FLAGS_FTRACE) $(CC_FLAGS_USING)
++KBUILD_AFLAGS += $(CC_FLAGS_USING)
+ ifdef CONFIG_DYNAMIC_FTRACE
+ ifdef CONFIG_HAVE_C_RECORDMCOUNT
+ BUILD_C_RECORDMCOUNT := y
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Wed, 18 Jul 2018 10:18:45 +0100
+Subject: virtio: pci-legacy: Validate queue pfn
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+[ Upstream commit 69599206ea9a3f8f2e94d46580579cbf9d08ad6c ]
+
+Legacy PCI over virtio uses a 32bit PFN for the queue. If the
+queue pfn is too large to fit in 32bits, which we could hit on
+arm64 systems with 52bit physical addresses (even with 64K page
+size), we simply miss out a proper link to the other side of
+the queue.
+
+Add a check to validate the PFN, rather than silently breaking
+the devices.
+
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Christoffer Dall <cdall@kernel.org>
+Cc: Peter Maydel <peter.maydell@linaro.org>
+Cc: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/virtio/virtio_pci_legacy.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/virtio/virtio_pci_legacy.c
++++ b/drivers/virtio/virtio_pci_legacy.c
+@@ -122,6 +122,7 @@ static struct virtqueue *setup_vq(struct
+ struct virtqueue *vq;
+ u16 num;
+ int err;
++ u64 q_pfn;
+
+ /* Select the queue we're interested in */
+ iowrite16(index, vp_dev->ioaddr + VIRTIO_PCI_QUEUE_SEL);
+@@ -141,9 +142,17 @@ static struct virtqueue *setup_vq(struct
+ if (!vq)
+ return ERR_PTR(-ENOMEM);
+
++ q_pfn = virtqueue_get_desc_addr(vq) >> VIRTIO_PCI_QUEUE_ADDR_SHIFT;
++ if (q_pfn >> 32) {
++ dev_err(&vp_dev->pci_dev->dev,
++ "platform bug: legacy virtio-mmio must not be used with RAM above 0x%llxGB\n",
++ 0x1ULL << (32 + PAGE_SHIFT - 30));
++ err = -E2BIG;
++ goto out_del_vq;
++ }
++
+ /* activate the queue */
+- iowrite32(virtqueue_get_desc_addr(vq) >> VIRTIO_PCI_QUEUE_ADDR_SHIFT,
+- vp_dev->ioaddr + VIRTIO_PCI_QUEUE_PFN);
++ iowrite32(q_pfn, vp_dev->ioaddr + VIRTIO_PCI_QUEUE_PFN);
+
+ vq->priv = (void __force *)vp_dev->ioaddr + VIRTIO_PCI_QUEUE_NOTIFY;
+
+@@ -160,6 +169,7 @@ static struct virtqueue *setup_vq(struct
+
+ out_deactivate:
+ iowrite32(0, vp_dev->ioaddr + VIRTIO_PCI_QUEUE_PFN);
++out_del_vq:
+ vring_del_virtqueue(vq);
+ return ERR_PTR(err);
+ }
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 17 Aug 2018 12:01:36 +0200
+Subject: x86/mce: Add notifier_block forward declaration
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 704ae091b061082b37a9968621af4c290c641d50 ]
+
+Without linux/irq.h, there is no declaration of notifier_block, leading to
+a build warning:
+
+In file included from arch/x86/kernel/cpu/mcheck/threshold.c:10:
+arch/x86/include/asm/mce.h:151:46: error: 'struct notifier_block' declared inside parameter list will not be visible outside of this definition or declaration [-Werror]
+
+It's sufficient to declare the struct tag here, which avoids pulling in
+more header files.
+
+Fixes: 447ae3166702 ("x86: Don't include linux/irq.h from asm/hardirq.h")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Nicolai Stange <nstange@suse.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20180817100156.3009043-1-arnd@arndb.de
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/mce.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/include/asm/mce.h
++++ b/arch/x86/include/asm/mce.h
+@@ -200,6 +200,7 @@ enum mce_notifier_prios {
+ MCE_PRIO_LOWEST = 0,
+ };
+
++struct notifier_block;
+ extern void mce_register_decode_chain(struct notifier_block *nb);
+ extern void mce_unregister_decode_chain(struct notifier_block *nb);
+
--- /dev/null
+From foo@baz Tue Sep 11 12:07:47 CEST 2018
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Wed, 8 Aug 2018 13:46:41 +0200
+Subject: xen/balloon: fix balloon initialization for PVH Dom0
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+[ Upstream commit 3596924a233e45aa918c961a902170fc4916461b ]
+
+The current balloon code tries to calculate a delta factor for the
+balloon target when running in HVM mode in order to account for memory
+used by the firmware.
+
+This workaround for memory accounting doesn't work properly on a PVH
+Dom0, that has a static-max value different from the target value even
+at startup. Note that this is not a problem for DomUs because guests are
+started with a static-max value that matches the amount of RAM in the
+memory map.
+
+Fix this by forcefully setting target_diff for Dom0, regardless of
+it's mode.
+
+Reported-by: Gabriel Bercarug <bercarug@amazon.com>
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/xen-balloon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/xen/xen-balloon.c
++++ b/drivers/xen/xen-balloon.c
+@@ -81,7 +81,7 @@ static void watch_target(struct xenbus_w
+ static_max = new_target;
+ else
+ static_max >>= PAGE_SHIFT - 10;
+- target_diff = xen_pv_domain() ? 0
++ target_diff = (xen_pv_domain() || xen_initial_domain()) ? 0
+ : static_max - balloon_stats.target_pages;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
