--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Afzal Mohammed <afzal.mohd.ma@gmail.com>
+Date: Sat, 7 Jan 2017 17:48:10 +0100
+Subject: ARM: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM
+
+From: Afzal Mohammed <afzal.mohd.ma@gmail.com>
+
+
+[ Upstream commit 8a792e9afbce84a0fdaf213fe42bb97382487094 ]
+
+REMAP_VECTORS_TO_RAM depends on DRAM_BASE, but since DRAM_BASE is a
+hex, REMAP_VECTORS_TO_RAM could never get enabled. Also depending on
+DRAM_BASE is redundant as whenever REMAP_VECTORS_TO_RAM makes itself
+available to Kconfig, DRAM_BASE also is available as the Kconfig
+gets sourced on !MMU.
+
+Signed-off-by: Afzal Mohammed <afzal.mohd.ma@gmail.com>
+Reviewed-by: Vladimir Murzin <vladimir.murzin@arm.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/Kconfig-nommu | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/arm/Kconfig-nommu
++++ b/arch/arm/Kconfig-nommu
+@@ -34,8 +34,7 @@ config PROCESSOR_ID
+ used instead of the auto-probing which utilizes the register.
+
+ config REMAP_VECTORS_TO_RAM
+- bool 'Install vectors to the beginning of RAM' if DRAM_BASE
+- depends on DRAM_BASE
++ bool 'Install vectors to the beginning of RAM'
+ help
+ The kernel needs to change the hardware exception vectors.
+ In nommu mode, the hardware exception vectors are normally
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Richard Guy Briggs <rgb@redhat.com>
+Date: Tue, 17 Jan 2017 11:07:15 -0500
+Subject: audit: log 32-bit socketcalls
+
+From: Richard Guy Briggs <rgb@redhat.com>
+
+
+[ Upstream commit 62bc306e2083436675e33b5bdeb6a77907d35971 ]
+
+32-bit socketcalls were not being logged by audit on x86_64 systems.
+Log them. This is basically a duplicate of the call from
+net/socket.c:sys_socketcall(), but it addresses the impedance mismatch
+between 32-bit userspace process and 64-bit kernel audit.
+
+See: https://github.com/linux-audit/audit-kernel/issues/14
+
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/audit.h | 20 ++++++++++++++++++++
+ net/compat.c | 17 ++++++++++++++---
+ 2 files changed, 34 insertions(+), 3 deletions(-)
+
+--- a/include/linux/audit.h
++++ b/include/linux/audit.h
+@@ -273,6 +273,20 @@ static inline int audit_socketcall(int n
+ return __audit_socketcall(nargs, args);
+ return 0;
+ }
++
++static inline int audit_socketcall_compat(int nargs, u32 *args)
++{
++ unsigned long a[AUDITSC_ARGS];
++ int i;
++
++ if (audit_dummy_context())
++ return 0;
++
++ for (i = 0; i < nargs; i++)
++ a[i] = (unsigned long)args[i];
++ return __audit_socketcall(nargs, a);
++}
++
+ static inline int audit_sockaddr(int len, void *addr)
+ {
+ if (unlikely(!audit_dummy_context()))
+@@ -398,6 +412,12 @@ static inline int audit_socketcall(int n
+ {
+ return 0;
+ }
++
++static inline int audit_socketcall_compat(int nargs, u32 *args)
++{
++ return 0;
++}
++
+ static inline void audit_fd_pair(int fd1, int fd2)
+ { }
+ static inline int audit_sockaddr(int len, void *addr)
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -22,6 +22,7 @@
+ #include <linux/filter.h>
+ #include <linux/compat.h>
+ #include <linux/security.h>
++#include <linux/audit.h>
+ #include <linux/export.h>
+
+ #include <net/scm.h>
+@@ -796,14 +797,24 @@ COMPAT_SYSCALL_DEFINE5(recvmmsg, int, fd
+
+ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
+ {
+- int ret;
+- u32 a[6];
++ u32 a[AUDITSC_ARGS];
++ unsigned int len;
+ u32 a0, a1;
++ int ret;
+
+ if (call < SYS_SOCKET || call > SYS_SENDMMSG)
+ return -EINVAL;
+- if (copy_from_user(a, args, nas[call]))
++ len = nas[call];
++ if (len > sizeof(a))
++ return -EINVAL;
++
++ if (copy_from_user(a, args, len))
+ return -EFAULT;
++
++ ret = audit_socketcall_compat(len / sizeof(a[0]), a);
++ if (ret)
++ return ret;
++
+ a0 = a[0];
+ a1 = a[1];
+
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Date: Tue, 13 Dec 2016 11:09:16 +0100
+Subject: drm: bridge: add DT bindings for TI ths8135
+
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+
+
+[ Upstream commit 2e644be30fcc08c736f66b60f4898d274d4873ab ]
+
+THS8135 is a configurable video DAC. Add DT bindings for this chip.
+
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Acked-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Archit Taneja <architt@codeaurora.org>
+Link: http://patchwork.freedesktop.org/patch/msgid/1481623759-12786-3-git-send-email-bgolaszewski@baylibre.com
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/display/bridge/ti,ths8135.txt | 46 ++++++++++
+ 1 file changed, 46 insertions(+)
+ create mode 100644 Documentation/devicetree/bindings/display/bridge/ti,ths8135.txt
+
+--- /dev/null
++++ b/Documentation/devicetree/bindings/display/bridge/ti,ths8135.txt
+@@ -0,0 +1,46 @@
++THS8135 Video DAC
++-----------------
++
++This is the binding for Texas Instruments THS8135 Video DAC bridge.
++
++Required properties:
++
++- compatible: Must be "ti,ths8135"
++
++Required nodes:
++
++This device has two video ports. Their connections are modelled using the OF
++graph bindings specified in Documentation/devicetree/bindings/graph.txt.
++
++- Video port 0 for RGB input
++- Video port 1 for VGA output
++
++Example
++-------
++
++vga-bridge {
++ compatible = "ti,ths8135";
++ #address-cells = <1>;
++ #size-cells = <0>;
++
++ ports {
++ #address-cells = <1>;
++ #size-cells = <0>;
++
++ port@0 {
++ reg = <0>;
++
++ vga_bridge_in: endpoint {
++ remote-endpoint = <&lcdc_out_vga>;
++ };
++ };
++
++ port@1 {
++ reg = <1>;
++
++ vga_bridge_out: endpoint {
++ remote-endpoint = <&vga_con_in>;
++ };
++ };
++ };
++};
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Thibault Saunier <thibault.saunier@osg.samsung.com>
+Date: Wed, 1 Feb 2017 18:05:21 -0200
+Subject: [media] exynos-gsc: Do not swap cb/cr for semi planar formats
+
+From: Thibault Saunier <thibault.saunier@osg.samsung.com>
+
+
+[ Upstream commit d7f3e33df4fbdc9855fb151f4a328ec46447e3ba ]
+
+In the case of semi planar formats cb and cr are in the same plane
+in memory, meaning that will be set to 'cb' whatever the format is,
+and whatever the (packed) order of those components are.
+
+Suggested-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Thibault Saunier <thibault.saunier@osg.samsung.com>
+Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Acked-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/exynos-gsc/gsc-core.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/media/platform/exynos-gsc/gsc-core.c
++++ b/drivers/media/platform/exynos-gsc/gsc-core.c
+@@ -846,9 +846,7 @@ int gsc_prepare_addr(struct gsc_ctx *ctx
+
+ if ((frame->fmt->pixelformat == V4L2_PIX_FMT_VYUY) ||
+ (frame->fmt->pixelformat == V4L2_PIX_FMT_YVYU) ||
+- (frame->fmt->pixelformat == V4L2_PIX_FMT_NV61) ||
+ (frame->fmt->pixelformat == V4L2_PIX_FMT_YVU420) ||
+- (frame->fmt->pixelformat == V4L2_PIX_FMT_NV21) ||
+ (frame->fmt->pixelformat == V4L2_PIX_FMT_YVU420M))
+ swap(addr->cb, addr->cr);
+
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Tue, 27 Dec 2016 14:15:07 -0800
+Subject: hwmon: (gl520sm) Fix overflows and crash seen when writing into limit attributes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+
+[ Upstream commit 87cdfa9d60f4f40e6d71b04b10b36d9df3c89282 ]
+
+Writes into limit attributes can overflow due to multplications and
+additions with unbound input values. Writing into fan limit attributes
+can result in a crash with a division by zero if very large values are
+written and the fan divider is larger than 1.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/gl520sm.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+--- a/drivers/hwmon/gl520sm.c
++++ b/drivers/hwmon/gl520sm.c
+@@ -208,11 +208,13 @@ static ssize_t get_cpu_vid(struct device
+ }
+ static DEVICE_ATTR(cpu0_vid, S_IRUGO, get_cpu_vid, NULL);
+
+-#define VDD_FROM_REG(val) (((val) * 95 + 2) / 4)
+-#define VDD_TO_REG(val) clamp_val((((val) * 4 + 47) / 95), 0, 255)
+-
+-#define IN_FROM_REG(val) ((val) * 19)
+-#define IN_TO_REG(val) clamp_val((((val) + 9) / 19), 0, 255)
++#define VDD_FROM_REG(val) DIV_ROUND_CLOSEST((val) * 95, 4)
++#define VDD_CLAMP(val) clamp_val(val, 0, 255 * 95 / 4)
++#define VDD_TO_REG(val) DIV_ROUND_CLOSEST(VDD_CLAMP(val) * 4, 95)
++
++#define IN_FROM_REG(val) ((val) * 19)
++#define IN_CLAMP(val) clamp_val(val, 0, 255 * 19)
++#define IN_TO_REG(val) DIV_ROUND_CLOSEST(IN_CLAMP(val), 19)
+
+ static ssize_t get_in_input(struct device *dev, struct device_attribute *attr,
+ char *buf)
+@@ -349,8 +351,13 @@ static SENSOR_DEVICE_ATTR(in4_max, S_IRU
+
+ #define DIV_FROM_REG(val) (1 << (val))
+ #define FAN_FROM_REG(val, div) ((val) == 0 ? 0 : (480000 / ((val) << (div))))
+-#define FAN_TO_REG(val, div) ((val) <= 0 ? 0 : \
+- clamp_val((480000 + ((val) << ((div)-1))) / ((val) << (div)), 1, 255))
++
++#define FAN_BASE(div) (480000 >> (div))
++#define FAN_CLAMP(val, div) clamp_val(val, FAN_BASE(div) / 255, \
++ FAN_BASE(div))
++#define FAN_TO_REG(val, div) ((val) == 0 ? 0 : \
++ DIV_ROUND_CLOSEST(480000, \
++ FAN_CLAMP(val, div) << (div)))
+
+ static ssize_t get_fan_input(struct device *dev, struct device_attribute *attr,
+ char *buf)
+@@ -513,9 +520,9 @@ static SENSOR_DEVICE_ATTR(fan2_div, S_IR
+ static DEVICE_ATTR(fan1_off, S_IRUGO | S_IWUSR,
+ get_fan_off, set_fan_off);
+
+-#define TEMP_FROM_REG(val) (((val) - 130) * 1000)
+-#define TEMP_TO_REG(val) clamp_val(((((val) < 0 ? \
+- (val) - 500 : (val) + 500) / 1000) + 130), 0, 255)
++#define TEMP_FROM_REG(val) (((val) - 130) * 1000)
++#define TEMP_CLAMP(val) clamp_val(val, -130000, 125000)
++#define TEMP_TO_REG(val) (DIV_ROUND_CLOSEST(TEMP_CLAMP(val), 1000) + 130)
+
+ static ssize_t get_temp_input(struct device *dev, struct device_attribute *attr,
+ char *buf)
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Feras Daoud <ferasda@mellanox.com>
+Date: Wed, 28 Dec 2016 14:47:22 +0200
+Subject: IB/ipoib: Fix deadlock over vlan_mutex
+
+From: Feras Daoud <ferasda@mellanox.com>
+
+
+[ Upstream commit 1c3098cdb05207e740715857df7b0998e372f527 ]
+
+This patch fixes Deadlock while executing ipoib_vlan_delete.
+
+The function takes the vlan_rwsem semaphore and calls
+unregister_netdevice. The later function calls
+ipoib_mcast_stop_thread that cause workqueue flush.
+
+When the queue has one of the ipoib_ib_dev_flush_xxx events,
+a deadlock occur because these events also tries to catch the
+same vlan_rwsem semaphore.
+
+To fix, unregister_netdevice should be called after releasing
+the semaphore.
+
+Fixes: cbbe1efa4972 ("IPoIB: Fix deadlock between ipoib_open() and child interface create")
+Signed-off-by: Feras Daoud <ferasda@mellanox.com>
+Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
+Reviewed-by: Alex Vesker <valex@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
+@@ -187,7 +187,6 @@ int ipoib_vlan_delete(struct net_device
+ list_for_each_entry_safe(priv, tpriv, &ppriv->child_intfs, list) {
+ if (priv->pkey == pkey &&
+ priv->child_type == IPOIB_LEGACY_CHILD) {
+- unregister_netdevice(priv->dev);
+ list_del(&priv->list);
+ dev = priv->dev;
+ break;
+@@ -195,6 +194,11 @@ int ipoib_vlan_delete(struct net_device
+ }
+ up_write(&ppriv->vlan_rwsem);
+
++ if (dev) {
++ ipoib_dbg(ppriv, "delete child vlan %s\n", dev->name);
++ unregister_netdevice(dev);
++ }
++
+ rtnl_unlock();
+
+ if (dev) {
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Feras Daoud <ferasda@mellanox.com>
+Date: Wed, 28 Dec 2016 14:47:27 +0200
+Subject: IB/ipoib: Replace list_del of the neigh->list with list_del_init
+
+From: Feras Daoud <ferasda@mellanox.com>
+
+
+[ Upstream commit c586071d1dc8227a7182179b8e50ee92cc43f6d2 ]
+
+In order to resolve a situation where a few process delete
+the same list element in sequence and cause panic, list_del
+is replaced with list_del_init. In this case if the first
+process that calls list_del releases the lock before acquiring
+it again, other processes who can acquire the lock will call
+list_del_init.
+
+Fixes: b63b70d87741 ("IPoIB: Use a private hash table for path lookup")
+Signed-off-by: Feras Daoud <ferasda@mellanox.com>
+Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
+Reviewed-by: Alex Vesker <valex@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -958,7 +958,7 @@ static void __ipoib_reap_neigh(struct ip
+ rcu_dereference_protected(neigh->hnext,
+ lockdep_is_held(&priv->lock)));
+ /* remove from path/mc list */
+- list_del(&neigh->list);
++ list_del_init(&neigh->list);
+ call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
+ } else {
+ np = &neigh->hnext;
+@@ -1121,7 +1121,7 @@ void ipoib_neigh_free(struct ipoib_neigh
+ rcu_dereference_protected(neigh->hnext,
+ lockdep_is_held(&priv->lock)));
+ /* remove from parent list */
+- list_del(&neigh->list);
++ list_del_init(&neigh->list);
+ call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
+ return;
+ } else {
+@@ -1206,7 +1206,7 @@ void ipoib_del_neighs_by_gid(struct net_
+ rcu_dereference_protected(neigh->hnext,
+ lockdep_is_held(&priv->lock)));
+ /* remove from parent list */
+- list_del(&neigh->list);
++ list_del_init(&neigh->list);
+ call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
+ } else {
+ np = &neigh->hnext;
+@@ -1248,7 +1248,7 @@ static void ipoib_flush_neighs(struct ip
+ rcu_dereference_protected(neigh->hnext,
+ lockdep_is_held(&priv->lock)));
+ /* remove from path/mc list */
+- list_del(&neigh->list);
++ list_del_init(&neigh->list);
+ call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
+ }
+ }
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Feras Daoud <ferasda@mellanox.com>
+Date: Wed, 28 Dec 2016 14:47:24 +0200
+Subject: IB/ipoib: rtnl_unlock can not come after free_netdev
+
+From: Feras Daoud <ferasda@mellanox.com>
+
+
+[ Upstream commit 89a3987ab7a923c047c6dec008e60ad6f41fac22 ]
+
+The ipoib_vlan_add function calls rtnl_unlock after free_netdev,
+rtnl_unlock not only releases the lock, but also calls netdev_run_todo.
+The latter function browses the net_todo_list array and completes the
+unregistration of all its net_device instances. If we call free_netdev
+before rtnl_unlock, then netdev_run_todo call over the freed device causes
+panic.
+To fix, move rtnl_unlock call before free_netdev call.
+
+Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support")
+Cc: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Feras Daoud <ferasda@mellanox.com>
+Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
+@@ -162,11 +162,11 @@ int ipoib_vlan_add(struct net_device *pd
+ out:
+ up_write(&ppriv->vlan_rwsem);
+
++ rtnl_unlock();
++
+ if (result)
+ free_netdev(priv->dev);
+
+- rtnl_unlock();
+-
+ return result;
+ }
+
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Gwendal Grignou <gwendal@chromium.org>
+Date: Fri, 3 Mar 2017 09:00:09 -0800
+Subject: libata: transport: Remove circular dependency at free time
+
+From: Gwendal Grignou <gwendal@chromium.org>
+
+
+[ Upstream commit d85fc67dd11e9a32966140677d4d6429ca540b25 ]
+
+Without this patch, failed probe would not free resources like irq.
+
+ata port tdev object currently hold a reference to the ata port
+object. Therefore the ata port object release function will not get
+called until the ata_tport_release is called. But that would never
+happen, releasing the last reference of ata port dev is done by
+scsi_host_release, which is called by ata_host_release when the ata
+port object is released.
+
+The ata device objects actually do not need to explicitly hold a
+reference to their real counterpart, given the transport objects are
+the children of these objects and device_add() is call for each child.
+We know the parent will not be deleted until we call the child's
+device_del().
+
+Reported-by: Matthew Whitehead <tedheadster@gmail.com>
+Tested-by: Matthew Whitehead <tedheadster@gmail.com>
+Suggested-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-transport.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/ata/libata-transport.c
++++ b/drivers/ata/libata-transport.c
+@@ -223,7 +223,6 @@ static DECLARE_TRANSPORT_CLASS(ata_port_
+
+ static void ata_tport_release(struct device *dev)
+ {
+- put_device(dev->parent);
+ }
+
+ /**
+@@ -283,7 +282,7 @@ int ata_tport_add(struct device *parent,
+ device_initialize(dev);
+ dev->type = &ata_port_type;
+
+- dev->parent = get_device(parent);
++ dev->parent = parent;
+ dev->release = ata_tport_release;
+ dev_set_name(dev, "ata%d", ap->print_id);
+ transport_setup_device(dev);
+@@ -347,7 +346,6 @@ static DECLARE_TRANSPORT_CLASS(ata_link_
+
+ static void ata_tlink_release(struct device *dev)
+ {
+- put_device(dev->parent);
+ }
+
+ /**
+@@ -409,7 +407,7 @@ int ata_tlink_add(struct ata_link *link)
+ int error;
+
+ device_initialize(dev);
+- dev->parent = get_device(&ap->tdev);
++ dev->parent = &ap->tdev;
+ dev->release = ata_tlink_release;
+ if (ata_is_host_link(link))
+ dev_set_name(dev, "link%d", ap->print_id);
+@@ -587,7 +585,6 @@ static DECLARE_TRANSPORT_CLASS(ata_dev_c
+
+ static void ata_tdev_release(struct device *dev)
+ {
+- put_device(dev->parent);
+ }
+
+ /**
+@@ -660,7 +657,7 @@ static int ata_tdev_add(struct ata_devic
+ int error;
+
+ device_initialize(dev);
+- dev->parent = get_device(&link->tdev);
++ dev->parent = &link->tdev;
+ dev->release = ata_tdev_release;
+ if (ata_is_host_link(link))
+ dev_set_name(dev, "dev%d.%d", ap->print_id,ata_dev->devno);
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Shaohua Li <shli@fb.com>
+Date: Thu, 23 Feb 2017 12:26:41 -0800
+Subject: md/raid10: submit bio directly to replacement disk
+
+From: Shaohua Li <shli@fb.com>
+
+
+[ Upstream commit 6d399783e9d4e9bd44931501948059d24ad96ff8 ]
+
+Commit 57c67df(md/raid10: submit IO from originating thread instead of
+md thread) submits bio directly for normal disks but not for replacement
+disks. There is no point we shouldn't do this for replacement disks.
+
+Cc: NeilBrown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid10.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -1514,11 +1514,24 @@ retry_write:
+ mbio->bi_private = r10_bio;
+
+ atomic_inc(&r10_bio->remaining);
++
++ cb = blk_check_plugged(raid10_unplug, mddev,
++ sizeof(*plug));
++ if (cb)
++ plug = container_of(cb, struct raid10_plug_cb,
++ cb);
++ else
++ plug = NULL;
+ spin_lock_irqsave(&conf->device_lock, flags);
+- bio_list_add(&conf->pending_bio_list, mbio);
+- conf->pending_count++;
++ if (plug) {
++ bio_list_add(&plug->pending, mbio);
++ plug->pending_cnt++;
++ } else {
++ bio_list_add(&conf->pending_bio_list, mbio);
++ conf->pending_count++;
++ }
+ spin_unlock_irqrestore(&conf->device_lock, flags);
+- if (!mddev_check_plugged(mddev))
++ if (!plug)
+ md_wakeup_thread(mddev->thread);
+ }
+ }
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Mon, 7 Nov 2016 11:52:19 +0000
+Subject: MIPS: Ensure bss section ends on a long-aligned address
+
+From: Paul Burton <paul.burton@imgtec.com>
+
+
+[ Upstream commit 3f00f4d8f083bc61005d0a1ef592b149f5c88bbd ]
+
+When clearing the .bss section in kernel_entry we do so using LONG_S
+instructions, and branch whilst the current write address doesn't equal
+the end of the .bss section minus the size of a long integer. The .bss
+section always begins at a long-aligned address and we always increment
+the write pointer by the size of a long integer - we therefore rely upon
+the .bss section ending at a long-aligned address. If this is not the
+case then the long-aligned write address can never be equal to the
+non-long-aligned end address & we will continue to increment past the
+end of the .bss section, attempting to zero the rest of memory.
+
+Despite this requirement that .bss end at a long-aligned address we pass
+0 as the end alignment requirement to the BSS_SECTION macro and thus
+don't guarantee any particular alignment, allowing us to hit the error
+condition described above.
+
+Fix this by instead passing 8 bytes as the end alignment argument to
+the BSS_SECTION macro, ensuring that the end of the .bss section is
+always at least long-aligned.
+
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/14526/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/kernel/vmlinux.lds.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/vmlinux.lds.S
++++ b/arch/mips/kernel/vmlinux.lds.S
+@@ -141,7 +141,7 @@ SECTIONS
+ * Force .bss to 64K alignment so that .bss..swapper_pg_dir
+ * gets that alignment. .sbss should be empty, so there will be
+ * no holes after __init_end. */
+- BSS_SECTION(0, 0x10000, 0)
++ BSS_SECTION(0, 0x10000, 8)
+
+ _end = . ;
+
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Date: Wed, 23 Nov 2016 14:43:50 +0100
+Subject: MIPS: kexec: Do not reserve invalid crashkernel memory on boot
+
+From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+
+
+[ Upstream commit a8f108d70c74d83574c157648383eb2e4285a190 ]
+
+Do not reserve memory for the crashkernel if the commandline argument
+points to a wrong location. This can happen if the location is specified
+wrong or if the same commandline is reused when starting the crashkernel
+- in the latter case the reserved memory would point to the location
+from which the crashkernel is executing.
+
+Signed-off-by: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/14612/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/kernel/setup.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/mips/kernel/setup.c
++++ b/arch/mips/kernel/setup.c
+@@ -585,6 +585,11 @@ static void __init mips_parse_crashkerne
+ if (ret != 0 || crash_size <= 0)
+ return;
+
++ if (!memory_region_available(crash_base, crash_size)) {
++ pr_warn("Invalid memory region reserved for crash kernel\n");
++ return;
++ }
++
+ crashk_res.start = crash_base;
+ crashk_res.end = crash_base + crash_size - 1;
+ }
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Wed, 29 Mar 2017 20:54:37 +0200
+Subject: mmc: sdio: fix alignment issue in struct sdio_func
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+
+[ Upstream commit 5ef1ecf060f28ecef313b5723f1fd39bf5a35f56 ]
+
+Certain 64-bit systems (e.g. Amlogic Meson GX) require buffers to be
+used for DMA to be 8-byte-aligned. struct sdio_func has an embedded
+small DMA buffer not meeting this requirement.
+When testing switching to descriptor chain mode in meson-gx driver
+SDIO is broken therefore. Fix this by allocating the small DMA buffer
+separately as kmalloc ensures that the returned memory area is
+properly aligned for every basic data type.
+
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Tested-by: Helmut Klein <hgkr.klein@gmail.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/sdio_bus.c | 12 +++++++++++-
+ include/linux/mmc/sdio_func.h | 2 +-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/core/sdio_bus.c
++++ b/drivers/mmc/core/sdio_bus.c
+@@ -265,7 +265,7 @@ static void sdio_release_func(struct dev
+ sdio_free_func_cis(func);
+
+ kfree(func->info);
+-
++ kfree(func->tmpbuf);
+ kfree(func);
+ }
+
+@@ -280,6 +280,16 @@ struct sdio_func *sdio_alloc_func(struct
+ if (!func)
+ return ERR_PTR(-ENOMEM);
+
++ /*
++ * allocate buffer separately to make sure it's properly aligned for
++ * DMA usage (incl. 64 bit DMA)
++ */
++ func->tmpbuf = kmalloc(4, GFP_KERNEL);
++ if (!func->tmpbuf) {
++ kfree(func);
++ return ERR_PTR(-ENOMEM);
++ }
++
+ func->card = card;
+
+ device_initialize(&func->dev);
+--- a/include/linux/mmc/sdio_func.h
++++ b/include/linux/mmc/sdio_func.h
+@@ -53,7 +53,7 @@ struct sdio_func {
+ unsigned int state; /* function state */
+ #define SDIO_STATE_PRESENT (1<<0) /* present in sysfs */
+
+- u8 tmpbuf[4]; /* DMA:able scratch buffer */
++ u8 *tmpbuf; /* DMA:able scratch buffer */
+
+ unsigned num_info; /* number of info strings */
+ const char **info; /* info strings */
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Myungho Jung <mhjungk@gmail.com>
+Date: Tue, 25 Apr 2017 11:58:15 -0700
+Subject: net: core: Prevent from dereferencing null pointer when releasing SKB
+
+From: Myungho Jung <mhjungk@gmail.com>
+
+
+[ Upstream commit 9899886d5e8ec5b343b1efe44f185a0e68dc6454 ]
+
+Added NULL check to make __dev_kfree_skb_irq consistent with kfree
+family of functions.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=195289
+
+Signed-off-by: Myungho Jung <mhjungk@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2225,6 +2225,9 @@ void __dev_kfree_skb_irq(struct sk_buff
+ {
+ unsigned long flags;
+
++ if (unlikely(!skb))
++ return;
++
+ if (likely(atomic_read(&skb->users) == 1)) {
+ smp_rmb();
+ atomic_set(&skb->users, 0);
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Alexander Potapenko <glider@google.com>
+Date: Tue, 25 Apr 2017 18:51:46 +0200
+Subject: net/packet: check length in getsockopt() called with PACKET_HDRLEN
+
+From: Alexander Potapenko <glider@google.com>
+
+
+[ Upstream commit fd2c83b35752f0a8236b976978ad4658df14a59f ]
+
+In the case getsockopt() is called with PACKET_HDRLEN and optlen < 4
+|val| remains uninitialized and the syscall may behave differently
+depending on its value, and even copy garbage to userspace on certain
+architectures. To fix this we now return -EINVAL if optlen is too small.
+
+This bug has been detected with KMSAN.
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3482,6 +3482,8 @@ static int packet_getsockopt(struct sock
+ case PACKET_HDRLEN:
+ if (len > sizeof(int))
+ len = sizeof(int);
++ if (len < sizeof(int))
++ return -EINVAL;
+ if (copy_from_user(&val, optval, len))
+ return -EFAULT;
+ switch (val) {
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Liping Zhang <zlpnobody@gmail.com>
+Date: Sat, 25 Mar 2017 08:53:12 +0800
+Subject: netfilter: invoke synchronize_rcu after set the _hook_ to NULL
+
+From: Liping Zhang <zlpnobody@gmail.com>
+
+
+[ Upstream commit 3b7dabf029478bb80507a6c4500ca94132a2bc0b ]
+
+Otherwise, another CPU may access the invalid pointer. For example:
+ CPU0 CPU1
+ - rcu_read_lock();
+ - pfunc = _hook_;
+ _hook_ = NULL; -
+ mod unload -
+ - pfunc(); // invalid, panic
+ - rcu_read_unlock();
+
+So we must call synchronize_rcu() to wait the rcu reader to finish.
+
+Also note, in nf_nat_snmp_basic_fini, synchronize_rcu() will be invoked
+by later nf_conntrack_helper_unregister, but I'm inclined to add a
+explicit synchronize_rcu after set the nf_nat_snmp_hook to NULL. Depend
+on such obscure assumptions is not a good idea.
+
+Last, in nfnetlink_cttimeout, we use kfree_rcu to free the time object,
+so in cttimeout_exit, invoking rcu_barrier() is not necessary at all,
+remove it too.
+
+Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/netfilter/nf_nat_snmp_basic.c | 1 +
+ net/netfilter/nf_conntrack_ecache.c | 2 ++
+ net/netfilter/nf_conntrack_netlink.c | 1 +
+ net/netfilter/nf_nat_core.c | 2 ++
+ net/netfilter/nfnetlink_cttimeout.c | 1 +
+ 5 files changed, 7 insertions(+)
+
+--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
++++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
+@@ -1304,6 +1304,7 @@ static int __init nf_nat_snmp_basic_init
+ static void __exit nf_nat_snmp_basic_fini(void)
+ {
+ RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
++ synchronize_rcu();
+ nf_conntrack_helper_unregister(&snmp_trap_helper);
+ }
+
+--- a/net/netfilter/nf_conntrack_ecache.c
++++ b/net/netfilter/nf_conntrack_ecache.c
+@@ -200,6 +200,7 @@ void nf_conntrack_unregister_notifier(st
+ BUG_ON(notify != new);
+ RCU_INIT_POINTER(net->ct.nf_conntrack_event_cb, NULL);
+ mutex_unlock(&nf_ct_ecache_mutex);
++ /* synchronize_rcu() is called from ctnetlink_exit. */
+ }
+ EXPORT_SYMBOL_GPL(nf_conntrack_unregister_notifier);
+
+@@ -236,6 +237,7 @@ void nf_ct_expect_unregister_notifier(st
+ BUG_ON(notify != new);
+ RCU_INIT_POINTER(net->ct.nf_expect_event_cb, NULL);
+ mutex_unlock(&nf_ct_ecache_mutex);
++ /* synchronize_rcu() is called from ctnetlink_exit. */
+ }
+ EXPORT_SYMBOL_GPL(nf_ct_expect_unregister_notifier);
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3242,6 +3242,7 @@ static void __exit ctnetlink_exit(void)
+ #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
+ RCU_INIT_POINTER(nfq_ct_hook, NULL);
+ #endif
++ synchronize_rcu();
+ }
+
+ module_init(ctnetlink_init);
+--- a/net/netfilter/nf_nat_core.c
++++ b/net/netfilter/nf_nat_core.c
+@@ -888,6 +888,8 @@ static void __exit nf_nat_cleanup(void)
+ #ifdef CONFIG_XFRM
+ RCU_INIT_POINTER(nf_nat_decode_session_hook, NULL);
+ #endif
++ synchronize_rcu();
++
+ for (i = 0; i < NFPROTO_NUMPROTO; i++)
+ kfree(nf_nat_l4protos[i]);
+ synchronize_net();
+--- a/net/netfilter/nfnetlink_cttimeout.c
++++ b/net/netfilter/nfnetlink_cttimeout.c
+@@ -578,6 +578,7 @@ static void __exit cttimeout_exit(void)
+ #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+ RCU_INIT_POINTER(nf_ct_timeout_find_get_hook, NULL);
+ RCU_INIT_POINTER(nf_ct_timeout_put_hook, NULL);
++ synchronize_rcu();
+ #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+ }
+
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Liping Zhang <zlpnobody@gmail.com>
+Date: Sun, 19 Mar 2017 22:35:59 +0800
+Subject: netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max
+
+From: Liping Zhang <zlpnobody@gmail.com>
+
+
+[ Upstream commit ae5c682113f9f94cc5e76f92cf041ee624c173ee ]
+
+The helper->expect_class_max must be set to the total number of
+expect_policy minus 1, since we will use the statement "if (class >
+helper->expect_class_max)" to validate the CTA_EXPECT_CLASS attr in
+ctnetlink_alloc_expect.
+
+So for compatibility, set the helper->expect_class_max to the
+NFCTH_POLICY_SET_NUM attr's value minus 1.
+
+Also: it's invalid when the NFCTH_POLICY_SET_NUM attr's value is zero.
+1. this will result "expect_policy = kzalloc(0, GFP_KERNEL);";
+2. we cannot set the helper->expect_class_max to a proper value.
+
+So if nla_get_be32(tb[NFCTH_POLICY_SET_NUM]) is zero, report -EINVAL to
+the userspace.
+
+Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nfnetlink_cthelper.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -161,6 +161,7 @@ nfnl_cthelper_parse_expect_policy(struct
+ int i, ret;
+ struct nf_conntrack_expect_policy *expect_policy;
+ struct nlattr *tb[NFCTH_POLICY_SET_MAX+1];
++ unsigned int class_max;
+
+ ret = nla_parse_nested(tb, NFCTH_POLICY_SET_MAX, attr,
+ nfnl_cthelper_expect_policy_set);
+@@ -170,19 +171,18 @@ nfnl_cthelper_parse_expect_policy(struct
+ if (!tb[NFCTH_POLICY_SET_NUM])
+ return -EINVAL;
+
+- helper->expect_class_max =
+- ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM]));
+-
+- if (helper->expect_class_max != 0 &&
+- helper->expect_class_max > NF_CT_MAX_EXPECT_CLASSES)
++ class_max = ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM]));
++ if (class_max == 0)
++ return -EINVAL;
++ if (class_max > NF_CT_MAX_EXPECT_CLASSES)
+ return -EOVERFLOW;
+
+ expect_policy = kzalloc(sizeof(struct nf_conntrack_expect_policy) *
+- helper->expect_class_max, GFP_KERNEL);
++ class_max, GFP_KERNEL);
+ if (expect_policy == NULL)
+ return -ENOMEM;
+
+- for (i=0; i<helper->expect_class_max; i++) {
++ for (i = 0; i < class_max; i++) {
+ if (!tb[NFCTH_POLICY_SET+i])
+ goto err;
+
+@@ -191,6 +191,8 @@ nfnl_cthelper_parse_expect_policy(struct
+ if (ret < 0)
+ goto err;
+ }
++
++ helper->expect_class_max = class_max - 1;
+ helper->expect_policy = expect_policy;
+ return 0;
+ err:
+@@ -377,10 +379,10 @@ nfnl_cthelper_dump_policy(struct sk_buff
+ goto nla_put_failure;
+
+ if (nla_put_be32(skb, NFCTH_POLICY_SET_NUM,
+- htonl(helper->expect_class_max)))
++ htonl(helper->expect_class_max + 1)))
+ goto nla_put_failure;
+
+- for (i=0; i<helper->expect_class_max; i++) {
++ for (i = 0; i < helper->expect_class_max + 1; i++) {
+ nest_parms2 = nla_nest_start(skb,
+ (NFCTH_POLICY_SET+i) | NLA_F_NESTED);
+ if (nest_parms2 == NULL)
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Tue, 14 Mar 2017 15:24:51 +0530
+Subject: parisc: perf: Fix potential NULL pointer dereference
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+
+[ Upstream commit 74e3f6e63da6c8e8246fba1689e040bc926b4a1a ]
+
+Fix potential NULL pointer dereference and clean up
+coding style errors (code indent, trailing whitespaces).
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/perf.c | 94 +++++++++++++++++++++++-----------------------
+ 1 file changed, 49 insertions(+), 45 deletions(-)
+
+--- a/arch/parisc/kernel/perf.c
++++ b/arch/parisc/kernel/perf.c
+@@ -39,7 +39,7 @@
+ * the PDC INTRIGUE calls. This is done to eliminate bugs introduced
+ * in various PDC revisions. The code is much more maintainable
+ * and reliable this way vs having to debug on every version of PDC
+- * on every box.
++ * on every box.
+ */
+
+ #include <linux/capability.h>
+@@ -195,8 +195,8 @@ static int perf_config(uint32_t *image_p
+ static int perf_release(struct inode *inode, struct file *file);
+ static int perf_open(struct inode *inode, struct file *file);
+ static ssize_t perf_read(struct file *file, char __user *buf, size_t cnt, loff_t *ppos);
+-static ssize_t perf_write(struct file *file, const char __user *buf, size_t count,
+- loff_t *ppos);
++static ssize_t perf_write(struct file *file, const char __user *buf,
++ size_t count, loff_t *ppos);
+ static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
+ static void perf_start_counters(void);
+ static int perf_stop_counters(uint32_t *raddr);
+@@ -222,7 +222,7 @@ extern void perf_intrigue_disable_perf_c
+ /*
+ * configure:
+ *
+- * Configure the cpu with a given data image. First turn off the counters,
++ * Configure the cpu with a given data image. First turn off the counters,
+ * then download the image, then turn the counters back on.
+ */
+ static int perf_config(uint32_t *image_ptr)
+@@ -234,7 +234,7 @@ static int perf_config(uint32_t *image_p
+ error = perf_stop_counters(raddr);
+ if (error != 0) {
+ printk("perf_config: perf_stop_counters = %ld\n", error);
+- return -EINVAL;
++ return -EINVAL;
+ }
+
+ printk("Preparing to write image\n");
+@@ -242,7 +242,7 @@ printk("Preparing to write image\n");
+ error = perf_write_image((uint64_t *)image_ptr);
+ if (error != 0) {
+ printk("perf_config: DOWNLOAD = %ld\n", error);
+- return -EINVAL;
++ return -EINVAL;
+ }
+
+ printk("Preparing to start counters\n");
+@@ -254,7 +254,7 @@ printk("Preparing to start counters\n");
+ }
+
+ /*
+- * Open the device and initialize all of its memory. The device is only
++ * Open the device and initialize all of its memory. The device is only
+ * opened once, but can be "queried" by multiple processes that know its
+ * file descriptor.
+ */
+@@ -298,8 +298,8 @@ static ssize_t perf_read(struct file *fi
+ * called on the processor that the download should happen
+ * on.
+ */
+-static ssize_t perf_write(struct file *file, const char __user *buf, size_t count,
+- loff_t *ppos)
++static ssize_t perf_write(struct file *file, const char __user *buf,
++ size_t count, loff_t *ppos)
+ {
+ int err;
+ size_t image_size;
+@@ -307,11 +307,11 @@ static ssize_t perf_write(struct file *f
+ uint32_t interface_type;
+ uint32_t test;
+
+- if (perf_processor_interface == ONYX_INTF)
++ if (perf_processor_interface == ONYX_INTF)
+ image_size = PCXU_IMAGE_SIZE;
+- else if (perf_processor_interface == CUDA_INTF)
++ else if (perf_processor_interface == CUDA_INTF)
+ image_size = PCXW_IMAGE_SIZE;
+- else
++ else
+ return -EFAULT;
+
+ if (!capable(CAP_SYS_ADMIN))
+@@ -331,22 +331,22 @@ static ssize_t perf_write(struct file *f
+
+ /* First check the machine type is correct for
+ the requested image */
+- if (((perf_processor_interface == CUDA_INTF) &&
+- (interface_type != CUDA_INTF)) ||
+- ((perf_processor_interface == ONYX_INTF) &&
+- (interface_type != ONYX_INTF)))
++ if (((perf_processor_interface == CUDA_INTF) &&
++ (interface_type != CUDA_INTF)) ||
++ ((perf_processor_interface == ONYX_INTF) &&
++ (interface_type != ONYX_INTF)))
+ return -EINVAL;
+
+ /* Next check to make sure the requested image
+ is valid */
+- if (((interface_type == CUDA_INTF) &&
++ if (((interface_type == CUDA_INTF) &&
+ (test >= MAX_CUDA_IMAGES)) ||
+- ((interface_type == ONYX_INTF) &&
+- (test >= MAX_ONYX_IMAGES)))
++ ((interface_type == ONYX_INTF) &&
++ (test >= MAX_ONYX_IMAGES)))
+ return -EINVAL;
+
+ /* Copy the image into the processor */
+- if (interface_type == CUDA_INTF)
++ if (interface_type == CUDA_INTF)
+ return perf_config(cuda_images[test]);
+ else
+ return perf_config(onyx_images[test]);
+@@ -360,7 +360,7 @@ static ssize_t perf_write(struct file *f
+ static void perf_patch_images(void)
+ {
+ #if 0 /* FIXME!! */
+-/*
++/*
+ * NOTE: this routine is VERY specific to the current TLB image.
+ * If the image is changed, this routine might also need to be changed.
+ */
+@@ -368,9 +368,9 @@ static void perf_patch_images(void)
+ extern void $i_dtlb_miss_2_0();
+ extern void PA2_0_iva();
+
+- /*
++ /*
+ * We can only use the lower 32-bits, the upper 32-bits should be 0
+- * anyway given this is in the kernel
++ * anyway given this is in the kernel
+ */
+ uint32_t itlb_addr = (uint32_t)&($i_itlb_miss_2_0);
+ uint32_t dtlb_addr = (uint32_t)&($i_dtlb_miss_2_0);
+@@ -378,21 +378,21 @@ static void perf_patch_images(void)
+
+ if (perf_processor_interface == ONYX_INTF) {
+ /* clear last 2 bytes */
+- onyx_images[TLBMISS][15] &= 0xffffff00;
++ onyx_images[TLBMISS][15] &= 0xffffff00;
+ /* set 2 bytes */
+ onyx_images[TLBMISS][15] |= (0x000000ff&((dtlb_addr) >> 24));
+ onyx_images[TLBMISS][16] = (dtlb_addr << 8)&0xffffff00;
+ onyx_images[TLBMISS][17] = itlb_addr;
+
+ /* clear last 2 bytes */
+- onyx_images[TLBHANDMISS][15] &= 0xffffff00;
++ onyx_images[TLBHANDMISS][15] &= 0xffffff00;
+ /* set 2 bytes */
+ onyx_images[TLBHANDMISS][15] |= (0x000000ff&((dtlb_addr) >> 24));
+ onyx_images[TLBHANDMISS][16] = (dtlb_addr << 8)&0xffffff00;
+ onyx_images[TLBHANDMISS][17] = itlb_addr;
+
+ /* clear last 2 bytes */
+- onyx_images[BIG_CPI][15] &= 0xffffff00;
++ onyx_images[BIG_CPI][15] &= 0xffffff00;
+ /* set 2 bytes */
+ onyx_images[BIG_CPI][15] |= (0x000000ff&((dtlb_addr) >> 24));
+ onyx_images[BIG_CPI][16] = (dtlb_addr << 8)&0xffffff00;
+@@ -405,24 +405,24 @@ static void perf_patch_images(void)
+
+ } else if (perf_processor_interface == CUDA_INTF) {
+ /* Cuda interface */
+- cuda_images[TLBMISS][16] =
++ cuda_images[TLBMISS][16] =
+ (cuda_images[TLBMISS][16]&0xffff0000) |
+ ((dtlb_addr >> 8)&0x0000ffff);
+- cuda_images[TLBMISS][17] =
++ cuda_images[TLBMISS][17] =
+ ((dtlb_addr << 24)&0xff000000) | ((itlb_addr >> 16)&0x000000ff);
+ cuda_images[TLBMISS][18] = (itlb_addr << 16)&0xffff0000;
+
+- cuda_images[TLBHANDMISS][16] =
++ cuda_images[TLBHANDMISS][16] =
+ (cuda_images[TLBHANDMISS][16]&0xffff0000) |
+ ((dtlb_addr >> 8)&0x0000ffff);
+- cuda_images[TLBHANDMISS][17] =
++ cuda_images[TLBHANDMISS][17] =
+ ((dtlb_addr << 24)&0xff000000) | ((itlb_addr >> 16)&0x000000ff);
+ cuda_images[TLBHANDMISS][18] = (itlb_addr << 16)&0xffff0000;
+
+- cuda_images[BIG_CPI][16] =
++ cuda_images[BIG_CPI][16] =
+ (cuda_images[BIG_CPI][16]&0xffff0000) |
+ ((dtlb_addr >> 8)&0x0000ffff);
+- cuda_images[BIG_CPI][17] =
++ cuda_images[BIG_CPI][17] =
+ ((dtlb_addr << 24)&0xff000000) | ((itlb_addr >> 16)&0x000000ff);
+ cuda_images[BIG_CPI][18] = (itlb_addr << 16)&0xffff0000;
+ } else {
+@@ -434,7 +434,7 @@ static void perf_patch_images(void)
+
+ /*
+ * ioctl routine
+- * All routines effect the processor that they are executed on. Thus you
++ * All routines effect the processor that they are executed on. Thus you
+ * must be running on the processor that you wish to change.
+ */
+
+@@ -460,7 +460,7 @@ static long perf_ioctl(struct file *file
+ }
+
+ /* copy out the Counters */
+- if (copy_to_user((void __user *)arg, raddr,
++ if (copy_to_user((void __user *)arg, raddr,
+ sizeof (raddr)) != 0) {
+ error = -EFAULT;
+ break;
+@@ -488,7 +488,7 @@ static const struct file_operations perf
+ .open = perf_open,
+ .release = perf_release
+ };
+-
++
+ static struct miscdevice perf_dev = {
+ MISC_DYNAMIC_MINOR,
+ PA_PERF_DEV,
+@@ -595,7 +595,7 @@ static int perf_stop_counters(uint32_t *
+ /* OR sticky2 (bit 1496) to counter2 bit 32 */
+ tmp64 |= (userbuf[23] >> 8) & 0x0000000080000000;
+ raddr[2] = (uint32_t)tmp64;
+-
++
+ /* Counter3 is bits 1497 to 1528 */
+ tmp64 = (userbuf[23] >> 7) & 0x00000000ffffffff;
+ /* OR sticky3 (bit 1529) to counter3 bit 32 */
+@@ -617,7 +617,7 @@ static int perf_stop_counters(uint32_t *
+ userbuf[22] = 0;
+ userbuf[23] = 0;
+
+- /*
++ /*
+ * Write back the zeroed bytes + the image given
+ * the read was destructive.
+ */
+@@ -625,13 +625,13 @@ static int perf_stop_counters(uint32_t *
+ } else {
+
+ /*
+- * Read RDR-15 which contains the counters and sticky bits
++ * Read RDR-15 which contains the counters and sticky bits
+ */
+ if (!perf_rdr_read_ubuf(15, userbuf)) {
+ return -13;
+ }
+
+- /*
++ /*
+ * Clear out the counters
+ */
+ perf_rdr_clear(15);
+@@ -644,7 +644,7 @@ static int perf_stop_counters(uint32_t *
+ raddr[2] = (uint32_t)((userbuf[1] >> 32) & 0x00000000ffffffffUL);
+ raddr[3] = (uint32_t)(userbuf[1] & 0x00000000ffffffffUL);
+ }
+-
++
+ return 0;
+ }
+
+@@ -682,7 +682,7 @@ static int perf_rdr_read_ubuf(uint32_t r
+ i = tentry->num_words;
+ while (i--) {
+ buffer[i] = 0;
+- }
++ }
+
+ /* Check for bits an even number of 64 */
+ if ((xbits = width & 0x03f) != 0) {
+@@ -808,18 +808,22 @@ static int perf_write_image(uint64_t *me
+ }
+
+ runway = ioremap_nocache(cpu_device->hpa.start, 4096);
++ if (!runway) {
++ pr_err("perf_write_image: ioremap failed!\n");
++ return -ENOMEM;
++ }
+
+ /* Merge intrigue bits into Runway STATUS 0 */
+ tmp64 = __raw_readq(runway + RUNWAY_STATUS) & 0xffecfffffffffffful;
+- __raw_writeq(tmp64 | (*memaddr++ & 0x0013000000000000ul),
++ __raw_writeq(tmp64 | (*memaddr++ & 0x0013000000000000ul),
+ runway + RUNWAY_STATUS);
+-
++
+ /* Write RUNWAY DEBUG registers */
+ for (i = 0; i < 8; i++) {
+ __raw_writeq(*memaddr++, runway + RUNWAY_DEBUG);
+ }
+
+- return 0;
++ return 0;
+ }
+
+ /*
+@@ -843,7 +847,7 @@ printk("perf_rdr_write\n");
+ perf_rdr_shift_out_U(rdr_num, buffer[i]);
+ } else {
+ perf_rdr_shift_out_W(rdr_num, buffer[i]);
+- }
++ }
+ }
+ printk("perf_rdr_write done\n");
+ }
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Alden Tondettar <alden.tondettar@gmail.com>
+Date: Sun, 15 Jan 2017 15:31:56 -0700
+Subject: partitions/efi: Fix integer overflow in GPT size calculation
+
+From: Alden Tondettar <alden.tondettar@gmail.com>
+
+
+[ Upstream commit c5082b70adfe8e1ea1cf4a8eff92c9f260e364d2 ]
+
+If a GUID Partition Table claims to have more than 2**25 entries, the
+calculation of the partition table size in alloc_read_gpt_entries() will
+overflow a 32-bit integer and not enough space will be allocated for the
+table.
+
+Nothing seems to get written out of bounds, but later efi_partition() will
+read up to 32768 bytes from a 128 byte buffer, possibly OOPSing or exposing
+information to /proc/partitions and uevents.
+
+The problem exists on both 64-bit and 32-bit platforms.
+
+Fix the overflow and also print a meaningful debug message if the table
+size is too large.
+
+Signed-off-by: Alden Tondettar <alden.tondettar@gmail.com>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/partitions/efi.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/block/partitions/efi.c
++++ b/block/partitions/efi.c
+@@ -293,7 +293,7 @@ static gpt_entry *alloc_read_gpt_entries
+ if (!gpt)
+ return NULL;
+
+- count = le32_to_cpu(gpt->num_partition_entries) *
++ count = (size_t)le32_to_cpu(gpt->num_partition_entries) *
+ le32_to_cpu(gpt->sizeof_partition_entry);
+ if (!count)
+ return NULL;
+@@ -352,7 +352,7 @@ static int is_gpt_valid(struct parsed_pa
+ gpt_header **gpt, gpt_entry **ptes)
+ {
+ u32 crc, origcrc;
+- u64 lastlba;
++ u64 lastlba, pt_size;
+
+ if (!ptes)
+ return 0;
+@@ -434,13 +434,20 @@ static int is_gpt_valid(struct parsed_pa
+ goto fail;
+ }
+
++ /* Sanity check partition table size */
++ pt_size = (u64)le32_to_cpu((*gpt)->num_partition_entries) *
++ le32_to_cpu((*gpt)->sizeof_partition_entry);
++ if (pt_size > KMALLOC_MAX_SIZE) {
++ pr_debug("GUID Partition Table is too large: %llu > %lu bytes\n",
++ (unsigned long long)pt_size, KMALLOC_MAX_SIZE);
++ goto fail;
++ }
++
+ if (!(*ptes = alloc_read_gpt_entries(state, *gpt)))
+ goto fail;
+
+ /* Check the GUID Partition Entry Array CRC */
+- crc = efi_crc32((const unsigned char *) (*ptes),
+- le32_to_cpu((*gpt)->num_partition_entries) *
+- le32_to_cpu((*gpt)->sizeof_partition_entry));
++ crc = efi_crc32((const unsigned char *) (*ptes), pt_size);
+
+ if (crc != le32_to_cpu((*gpt)->partition_entry_array_crc32)) {
+ pr_debug("GUID Partitition Entry Array CRC check failed.\n");
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Markus Elfring <elfring@users.sourceforge.net>
+Date: Thu, 12 Jan 2017 16:51:00 +0100
+Subject: pinctrl: mvebu: Use seq_puts() in mvebu_pinconf_group_dbg_show()
+
+From: Markus Elfring <elfring@users.sourceforge.net>
+
+
+[ Upstream commit 420dc61642920849d824a0de2aa853db59f5244f ]
+
+Strings which did not contain data format specifications should be put
+into a sequence. Thus use the corresponding function "seq_puts".
+
+This issue was detected by using the Coccinelle software.
+
+Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/mvebu/pinctrl-mvebu.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/pinctrl/mvebu/pinctrl-mvebu.c
++++ b/drivers/pinctrl/mvebu/pinctrl-mvebu.c
+@@ -195,11 +195,12 @@ static void mvebu_pinconf_group_dbg_show
+ seq_printf(s, "o");
+ seq_printf(s, ")");
+ }
+- } else
+- seq_printf(s, "current: UNKNOWN");
++ } else {
++ seq_puts(s, "current: UNKNOWN");
++ }
+
+ if (grp->num_settings > 1) {
+- seq_printf(s, ", available = [");
++ seq_puts(s, ", available = [");
+ for (n = 0; n < grp->num_settings; n++) {
+ if (curr == &grp->settings[n])
+ continue;
+@@ -222,7 +223,7 @@ static void mvebu_pinconf_group_dbg_show
+ seq_printf(s, ")");
+ }
+ }
+- seq_printf(s, " ]");
++ seq_puts(s, " ]");
+ }
+ return;
+ }
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Zhu Yanjun <yanjun.zhu@oracle.com>
+Date: Tue, 7 Mar 2017 02:48:36 -0500
+Subject: rds: ib: add error handle
+
+From: Zhu Yanjun <yanjun.zhu@oracle.com>
+
+
+[ Upstream commit 3b12f73a5c2977153f28a224392fd4729b50d1dc ]
+
+In the function rds_ib_setup_qp, the error handle is missing. When some
+error occurs, it is possible that memory leak occurs. As such, error
+handle is added.
+
+Cc: Joe Jin <joe.jin@oracle.com>
+Reviewed-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Guanglei Li <guanglei.li@oracle.com>
+Signed-off-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/ib_cm.c | 47 ++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 36 insertions(+), 11 deletions(-)
+
+--- a/net/rds/ib_cm.c
++++ b/net/rds/ib_cm.c
+@@ -298,7 +298,7 @@ static int rds_ib_setup_qp(struct rds_co
+ ret = PTR_ERR(ic->i_send_cq);
+ ic->i_send_cq = NULL;
+ rdsdebug("ib_create_cq send failed: %d\n", ret);
+- goto out;
++ goto rds_ibdev_out;
+ }
+
+ ic->i_recv_cq = ib_create_cq(dev, rds_ib_recv_cq_comp_handler,
+@@ -308,19 +308,19 @@ static int rds_ib_setup_qp(struct rds_co
+ ret = PTR_ERR(ic->i_recv_cq);
+ ic->i_recv_cq = NULL;
+ rdsdebug("ib_create_cq recv failed: %d\n", ret);
+- goto out;
++ goto send_cq_out;
+ }
+
+ ret = ib_req_notify_cq(ic->i_send_cq, IB_CQ_NEXT_COMP);
+ if (ret) {
+ rdsdebug("ib_req_notify_cq send failed: %d\n", ret);
+- goto out;
++ goto recv_cq_out;
+ }
+
+ ret = ib_req_notify_cq(ic->i_recv_cq, IB_CQ_SOLICITED);
+ if (ret) {
+ rdsdebug("ib_req_notify_cq recv failed: %d\n", ret);
+- goto out;
++ goto recv_cq_out;
+ }
+
+ /* XXX negotiate max send/recv with remote? */
+@@ -344,7 +344,7 @@ static int rds_ib_setup_qp(struct rds_co
+ ret = rdma_create_qp(ic->i_cm_id, ic->i_pd, &attr);
+ if (ret) {
+ rdsdebug("rdma_create_qp failed: %d\n", ret);
+- goto out;
++ goto recv_cq_out;
+ }
+
+ ic->i_send_hdrs = ib_dma_alloc_coherent(dev,
+@@ -354,7 +354,7 @@ static int rds_ib_setup_qp(struct rds_co
+ if (!ic->i_send_hdrs) {
+ ret = -ENOMEM;
+ rdsdebug("ib_dma_alloc_coherent send failed\n");
+- goto out;
++ goto qp_out;
+ }
+
+ ic->i_recv_hdrs = ib_dma_alloc_coherent(dev,
+@@ -364,7 +364,7 @@ static int rds_ib_setup_qp(struct rds_co
+ if (!ic->i_recv_hdrs) {
+ ret = -ENOMEM;
+ rdsdebug("ib_dma_alloc_coherent recv failed\n");
+- goto out;
++ goto send_hdrs_dma_out;
+ }
+
+ ic->i_ack = ib_dma_alloc_coherent(dev, sizeof(struct rds_header),
+@@ -372,7 +372,7 @@ static int rds_ib_setup_qp(struct rds_co
+ if (!ic->i_ack) {
+ ret = -ENOMEM;
+ rdsdebug("ib_dma_alloc_coherent ack failed\n");
+- goto out;
++ goto recv_hdrs_dma_out;
+ }
+
+ ic->i_sends = vzalloc_node(ic->i_send_ring.w_nr * sizeof(struct rds_ib_send_work),
+@@ -380,7 +380,7 @@ static int rds_ib_setup_qp(struct rds_co
+ if (!ic->i_sends) {
+ ret = -ENOMEM;
+ rdsdebug("send allocation failed\n");
+- goto out;
++ goto ack_dma_out;
+ }
+
+ ic->i_recvs = vzalloc_node(ic->i_recv_ring.w_nr * sizeof(struct rds_ib_recv_work),
+@@ -388,7 +388,7 @@ static int rds_ib_setup_qp(struct rds_co
+ if (!ic->i_recvs) {
+ ret = -ENOMEM;
+ rdsdebug("recv allocation failed\n");
+- goto out;
++ goto sends_out;
+ }
+
+ rds_ib_recv_init_ack(ic);
+@@ -396,8 +396,33 @@ static int rds_ib_setup_qp(struct rds_co
+ rdsdebug("conn %p pd %p mr %p cq %p %p\n", conn, ic->i_pd, ic->i_mr,
+ ic->i_send_cq, ic->i_recv_cq);
+
+-out:
++ return ret;
++
++sends_out:
++ vfree(ic->i_sends);
++ack_dma_out:
++ ib_dma_free_coherent(dev, sizeof(struct rds_header),
++ ic->i_ack, ic->i_ack_dma);
++recv_hdrs_dma_out:
++ ib_dma_free_coherent(dev, ic->i_recv_ring.w_nr *
++ sizeof(struct rds_header),
++ ic->i_recv_hdrs, ic->i_recv_hdrs_dma);
++send_hdrs_dma_out:
++ ib_dma_free_coherent(dev, ic->i_send_ring.w_nr *
++ sizeof(struct rds_header),
++ ic->i_send_hdrs, ic->i_send_hdrs_dma);
++qp_out:
++ rdma_destroy_qp(ic->i_cm_id);
++recv_cq_out:
++ if (!ib_destroy_cq(ic->i_recv_cq))
++ ic->i_recv_cq = NULL;
++send_cq_out:
++ if (!ib_destroy_cq(ic->i_send_cq))
++ ic->i_send_cq = NULL;
++rds_ibdev_out:
++ rds_ib_remove_conn(rds_ibdev, conn);
+ rds_ib_dev_put(rds_ibdev);
++
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Date: Thu, 18 Feb 2016 20:06:47 -0800
+Subject: RDS: RDMA: Fix the composite message user notification
+
+From: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+
+
+[ Upstream commit 941f8d55f6d613a460a5e080d25a38509f45eb75 ]
+
+When application sends an RDS RDMA composite message consist of
+RDMA transfer to be followed up by non RDMA payload, it expect to
+be notified *only* when the full message gets delivered. RDS RDMA
+notification doesn't behave this way though.
+
+Thanks to Venkat for debug and root casuing the issue
+where only first part of the message(RDMA) was
+successfully delivered but remainder payload delivery failed.
+In that case, application should not be notified with
+a false positive of message delivery success.
+
+Fix this case by making sure the user gets notified only after
+the full message delivery.
+
+Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/ib_send.c | 25 +++++++++++++++----------
+ net/rds/rdma.c | 10 ++++++++++
+ net/rds/rds.h | 1 +
+ net/rds/send.c | 4 +++-
+ 4 files changed, 29 insertions(+), 11 deletions(-)
+
+--- a/net/rds/ib_send.c
++++ b/net/rds/ib_send.c
+@@ -102,16 +102,6 @@ static void rds_ib_send_complete(struct
+ complete(rm, notify_status);
+ }
+
+-static void rds_ib_send_unmap_data(struct rds_ib_connection *ic,
+- struct rm_data_op *op,
+- int wc_status)
+-{
+- if (op->op_nents)
+- ib_dma_unmap_sg(ic->i_cm_id->device,
+- op->op_sg, op->op_nents,
+- DMA_TO_DEVICE);
+-}
+-
+ static void rds_ib_send_unmap_rdma(struct rds_ib_connection *ic,
+ struct rm_rdma_op *op,
+ int wc_status)
+@@ -172,6 +162,21 @@ static void rds_ib_send_unmap_atomic(str
+ rds_ib_stats_inc(s_ib_atomic_fadd);
+ }
+
++static void rds_ib_send_unmap_data(struct rds_ib_connection *ic,
++ struct rm_data_op *op,
++ int wc_status)
++{
++ struct rds_message *rm = container_of(op, struct rds_message, data);
++
++ if (op->op_nents)
++ ib_dma_unmap_sg(ic->i_cm_id->device,
++ op->op_sg, op->op_nents,
++ DMA_TO_DEVICE);
++
++ if (rm->rdma.op_active && rm->data.op_notify)
++ rds_ib_send_unmap_rdma(ic, &rm->rdma, wc_status);
++}
++
+ /*
+ * Unmap the resources associated with a struct send_work.
+ *
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -625,6 +625,16 @@ int rds_cmsg_rdma_args(struct rds_sock *
+ }
+ op->op_notifier->n_user_token = args->user_token;
+ op->op_notifier->n_status = RDS_RDMA_SUCCESS;
++
++ /* Enable rmda notification on data operation for composite
++ * rds messages and make sure notification is enabled only
++ * for the data operation which follows it so that application
++ * gets notified only after full message gets delivered.
++ */
++ if (rm->data.op_sg) {
++ rm->rdma.op_notify = 0;
++ rm->data.op_notify = !!(args->flags & RDS_RDMA_NOTIFY_ME);
++ }
+ }
+
+ /* The cookie contains the R_Key of the remote memory region, and
+--- a/net/rds/rds.h
++++ b/net/rds/rds.h
+@@ -360,6 +360,7 @@ struct rds_message {
+ } rdma;
+ struct rm_data_op {
+ unsigned int op_active:1;
++ unsigned int op_notify:1;
+ unsigned int op_nents;
+ unsigned int op_count;
+ struct scatterlist *op_sg;
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -425,12 +425,14 @@ void rds_rdma_send_complete(struct rds_m
+ struct rm_rdma_op *ro;
+ struct rds_notifier *notifier;
+ unsigned long flags;
++ unsigned int notify = 0;
+
+ spin_lock_irqsave(&rm->m_rs_lock, flags);
+
++ notify = rm->rdma.op_notify | rm->data.op_notify;
+ ro = &rm->rdma;
+ if (test_bit(RDS_MSG_ON_SOCK, &rm->m_flags) &&
+- ro->op_active && ro->op_notify && ro->op_notifier) {
++ ro->op_active && notify && ro->op_notifier) {
+ notifier = ro->op_notifier;
+ rs = rm->m_rs;
+ sock_hold(rds_rs_to_sk(rs));
--- /dev/null
+drm-bridge-add-dt-bindings-for-ti-ths8135.patch
+rds-rdma-fix-the-composite-message-user-notification.patch
+mips-ensure-bss-section-ends-on-a-long-aligned-address.patch
+mips-kexec-do-not-reserve-invalid-crashkernel-memory-on-boot.patch
+sh_eth-use-correct-name-for-ecmr_mpde-bit.patch
+hwmon-gl520sm-fix-overflows-and-crash-seen-when-writing-into-limit-attributes.patch
+arm-8635-1-nommu-allow-enabling-remap_vectors_to_ram.patch
+tty-goldfish-fix-a-parameter-of-a-call-to-free_irq.patch
+ib-ipoib-fix-deadlock-over-vlan_mutex.patch
+ib-ipoib-rtnl_unlock-can-not-come-after-free_netdev.patch
+ib-ipoib-replace-list_del-of-the-neigh-list-with-list_del_init.patch
+usb-serial-mos7720-fix-control-message-error-handling.patch
+usb-serial-mos7840-fix-control-message-error-handling.patch
+pinctrl-mvebu-use-seq_puts-in-mvebu_pinconf_group_dbg_show.patch
+partitions-efi-fix-integer-overflow-in-gpt-size-calculation.patch
+audit-log-32-bit-socketcalls.patch
+net-core-prevent-from-dereferencing-null-pointer-when-releasing-skb.patch
+net-packet-check-length-in-getsockopt-called-with-packet_hdrlen.patch
+team-fix-memory-leaks.patch
+usb-plusb-add-support-for-pl-27a1.patch
+mmc-sdio-fix-alignment-issue-in-struct-sdio_func.patch
+netfilter-invoke-synchronize_rcu-after-set-the-_hook_-to-null.patch
+exynos-gsc-do-not-swap-cb-cr-for-semi-planar-formats.patch
+netfilter-nfnl_cthelper-fix-incorrect-helper-expect_class_max.patch
+parisc-perf-fix-potential-null-pointer-dereference.patch
+rds-ib-add-error-handle.patch
+md-raid10-submit-bio-directly-to-replacement-disk.patch
+xfs-remove-kmem_zalloc_greedy.patch
+libata-transport-remove-circular-dependency-at-free-time.patch
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Date: Mon, 9 Jan 2017 16:34:04 +0100
+Subject: sh_eth: use correct name for ECMR_MPDE bit
+
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+
+
+[ Upstream commit 6dcf45e514974a1ff10755015b5e06746a033e5f ]
+
+This bit was wrongly named due to a typo, Sergei checked the SH7734/63
+manuals and this bit should be named MPDE.
+
+Suggested-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.h
++++ b/drivers/net/ethernet/renesas/sh_eth.h
+@@ -326,7 +326,7 @@ enum FELIC_MODE_BIT {
+ ECMR_DPAD = 0x00200000, ECMR_RZPF = 0x00100000,
+ ECMR_ZPF = 0x00080000, ECMR_PFR = 0x00040000, ECMR_RXF = 0x00020000,
+ ECMR_TXF = 0x00010000, ECMR_MCT = 0x00002000, ECMR_PRCEF = 0x00001000,
+- ECMR_PMDE = 0x00000200, ECMR_RE = 0x00000040, ECMR_TE = 0x00000020,
++ ECMR_MPDE = 0x00000200, ECMR_RE = 0x00000040, ECMR_TE = 0x00000020,
+ ECMR_RTM = 0x00000010, ECMR_ILB = 0x00000008, ECMR_ELB = 0x00000004,
+ ECMR_DM = 0x00000002, ECMR_PRM = 0x00000001,
+ };
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Pan Bian <bianpan2016@163.com>
+Date: Mon, 24 Apr 2017 18:29:16 +0800
+Subject: team: fix memory leaks
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 72ec0bc64b9a5d8e0efcb717abfc757746b101b7 ]
+
+In functions team_nl_send_port_list_get() and
+team_nl_send_options_get(), pointer skb keeps the return value of
+nlmsg_new(). When the call to genlmsg_put() fails, the memory is not
+freed(). This will result in memory leak bugs.
+
+Fixes: 9b00cf2d1024 ("team: implement multipart netlink messages for options transfers")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2331,8 +2331,10 @@ start_again:
+
+ hdr = genlmsg_put(skb, portid, seq, &team_nl_family, flags | NLM_F_MULTI,
+ TEAM_CMD_OPTIONS_GET);
+- if (!hdr)
++ if (!hdr) {
++ nlmsg_free(skb);
+ return -EMSGSIZE;
++ }
+
+ if (nla_put_u32(skb, TEAM_ATTR_TEAM_IFINDEX, team->dev->ifindex))
+ goto nla_put_failure;
+@@ -2599,8 +2601,10 @@ start_again:
+
+ hdr = genlmsg_put(skb, portid, seq, &team_nl_family, flags | NLM_F_MULTI,
+ TEAM_CMD_PORT_LIST_GET);
+- if (!hdr)
++ if (!hdr) {
++ nlmsg_free(skb);
+ return -EMSGSIZE;
++ }
+
+ if (nla_put_u32(skb, TEAM_ATTR_TEAM_IFINDEX, team->dev->ifindex))
+ goto nla_put_failure;
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Mon, 9 Jan 2017 01:26:37 +0100
+Subject: tty: goldfish: Fix a parameter of a call to free_irq
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 1a5c2d1de7d35f5eb9793266237903348989502b ]
+
+'request_irq()' and 'free_irq()' should be called with the same dev_id.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/goldfish.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/goldfish.c
++++ b/drivers/tty/goldfish.c
+@@ -295,7 +295,7 @@ static int goldfish_tty_probe(struct pla
+
+ tty_unregister_device(goldfish_tty_driver, i);
+ err_tty_register_device_failed:
+- free_irq(irq, pdev);
++ free_irq(irq, qtty);
+ err_request_irq_failed:
+ goldfish_tty_current_line_count--;
+ if (goldfish_tty_current_line_count == 0)
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Roman Spychała <roed@onet.eu>
+Date: Thu, 20 Apr 2017 12:04:10 +0200
+Subject: usb: plusb: Add support for PL-27A1
+
+From: Roman Spychała <roed@onet.eu>
+
+
+[ Upstream commit 6f2aee0c0de65013333bbc26fe50c9c7b09a37f7 ]
+
+This patch adds support for the PL-27A1 by adding the appropriate
+USB ID's. This chip is used in the goobay Active USB 3.0 Data Link
+and Unitek Y-3501 cables.
+
+Signed-off-by: Roman Spychała <roed@onet.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/Kconfig | 2 +-
+ drivers/net/usb/plusb.c | 15 +++++++++++++--
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/usb/Kconfig
++++ b/drivers/net/usb/Kconfig
+@@ -350,7 +350,7 @@ config USB_NET_NET1080
+ optionally with LEDs that indicate traffic
+
+ config USB_NET_PLUSB
+- tristate "Prolific PL-2301/2302/25A1 based cables"
++ tristate "Prolific PL-2301/2302/25A1/27A1 based cables"
+ # if the handshake/init/reset problems, from original 'plusb',
+ # are ever resolved ... then remove "experimental"
+ depends on USB_USBNET
+--- a/drivers/net/usb/plusb.c
++++ b/drivers/net/usb/plusb.c
+@@ -102,7 +102,7 @@ static int pl_reset(struct usbnet *dev)
+ }
+
+ static const struct driver_info prolific_info = {
+- .description = "Prolific PL-2301/PL-2302/PL-25A1",
++ .description = "Prolific PL-2301/PL-2302/PL-25A1/PL-27A1",
+ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT,
+ /* some PL-2302 versions seem to fail usb_set_interface() */
+ .reset = pl_reset,
+@@ -139,6 +139,17 @@ static const struct usb_device_id produc
+ * Host-to-Host Cable
+ */
+ .driver_info = (unsigned long) &prolific_info,
++
++},
++
++/* super speed cables */
++{
++ USB_DEVICE(0x067b, 0x27a1), /* PL-27A1, no eeprom
++ * also: goobay Active USB 3.0
++ * Data Link,
++ * Unitek Y-3501
++ */
++ .driver_info = (unsigned long) &prolific_info,
+ },
+
+ { }, // END
+@@ -158,5 +169,5 @@ static struct usb_driver plusb_driver =
+ module_usb_driver(plusb_driver);
+
+ MODULE_AUTHOR("David Brownell");
+-MODULE_DESCRIPTION("Prolific PL-2301/2302/25A1 USB Host to Host Link Driver");
++MODULE_DESCRIPTION("Prolific PL-2301/2302/25A1/27A1 USB Host to Host Link Driver");
+ MODULE_LICENSE("GPL");
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:17 +0100
+Subject: USB: serial: mos7720: fix control-message error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+
+[ Upstream commit 0d130367abf582e7cbf60075c2a7ab53817b1d14 ]
+
+Make sure to log an error on short transfers when reading a device
+register.
+
+Also clear the provided buffer (which if often an uninitialised
+automatic variable) on errors as the driver currently does not bother to
+check for errors.
+
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/mos7720.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -236,11 +236,16 @@ static int read_mos_reg(struct usb_seria
+
+ status = usb_control_msg(usbdev, pipe, request, requesttype, value,
+ index, buf, 1, MOS_WDR_TIMEOUT);
+- if (status == 1)
++ if (status == 1) {
+ *data = *buf;
+- else if (status < 0)
++ } else {
+ dev_err(&usbdev->dev,
+ "mos7720: usb_control_msg() failed: %d\n", status);
++ if (status >= 0)
++ status = -EIO;
++ *data = 0;
++ }
++
+ kfree(buf);
+
+ return status;
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:18 +0100
+Subject: USB: serial: mos7840: fix control-message error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+
+[ Upstream commit cd8db057e93ddaacbec025b567490555d2bca280 ]
+
+Make sure to detect short transfers when reading a device register.
+
+The modem-status handling had sufficient error checks in place, but move
+handling of short transfers into the register accessor function itself
+for consistency.
+
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/mos7840.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -285,9 +285,15 @@ static int mos7840_get_reg_sync(struct u
+ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), MCS_RDREQ,
+ MCS_RD_RTYPE, 0, reg, buf, VENDOR_READ_LENGTH,
+ MOS_WDR_TIMEOUT);
++ if (ret < VENDOR_READ_LENGTH) {
++ if (ret >= 0)
++ ret = -EIO;
++ goto out;
++ }
++
+ *val = buf[0];
+ dev_dbg(&port->dev, "%s offset is %x, return val %x\n", __func__, reg, *val);
+-
++out:
+ kfree(buf);
+ return ret;
+ }
+@@ -353,8 +359,13 @@ static int mos7840_get_uart_reg(struct u
+ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), MCS_RDREQ,
+ MCS_RD_RTYPE, Wval, reg, buf, VENDOR_READ_LENGTH,
+ MOS_WDR_TIMEOUT);
++ if (ret < VENDOR_READ_LENGTH) {
++ if (ret >= 0)
++ ret = -EIO;
++ goto out;
++ }
+ *val = buf[0];
+-
++out:
+ kfree(buf);
+ return ret;
+ }
+@@ -1518,10 +1529,10 @@ static int mos7840_tiocmget(struct tty_s
+ return -ENODEV;
+
+ status = mos7840_get_uart_reg(port, MODEM_STATUS_REGISTER, &msr);
+- if (status != 1)
++ if (status < 0)
+ return -EIO;
+ status = mos7840_get_uart_reg(port, MODEM_CONTROL_REGISTER, &mcr);
+- if (status != 1)
++ if (status < 0)
+ return -EIO;
+ result = ((mcr & MCR_DTR) ? TIOCM_DTR : 0)
+ | ((mcr & MCR_RTS) ? TIOCM_RTS : 0)
--- /dev/null
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Mon, 6 Mar 2017 11:58:20 -0800
+Subject: xfs: remove kmem_zalloc_greedy
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+
+[ Upstream commit 08b005f1333154ae5b404ca28766e0ffb9f1c150 ]
+
+The sole remaining caller of kmem_zalloc_greedy is bulkstat, which uses
+it to grab 1-4 pages for staging of inobt records. The infinite loop in
+the greedy allocation function is causing hangs[1] in generic/269, so
+just get rid of the greedy allocator in favor of kmem_zalloc_large.
+This makes bulkstat somewhat more likely to ENOMEM if there's really no
+pages to spare, but eliminates a source of hangs.
+
+[1] http://lkml.kernel.org/r/20170301044634.rgidgdqqiiwsmfpj%40XZHOUW.usersys.redhat.com
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+v2: remove single-page fallback
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/kmem.c | 18 ------------------
+ fs/xfs/kmem.h | 2 --
+ fs/xfs/xfs_itable.c | 6 ++----
+ 3 files changed, 2 insertions(+), 24 deletions(-)
+
+--- a/fs/xfs/kmem.c
++++ b/fs/xfs/kmem.c
+@@ -24,24 +24,6 @@
+ #include "kmem.h"
+ #include "xfs_message.h"
+
+-/*
+- * Greedy allocation. May fail and may return vmalloced memory.
+- */
+-void *
+-kmem_zalloc_greedy(size_t *size, size_t minsize, size_t maxsize)
+-{
+- void *ptr;
+- size_t kmsize = maxsize;
+-
+- while (!(ptr = vzalloc(kmsize))) {
+- if ((kmsize >>= 1) <= minsize)
+- kmsize = minsize;
+- }
+- if (ptr)
+- *size = kmsize;
+- return ptr;
+-}
+-
+ void *
+ kmem_alloc(size_t size, xfs_km_flags_t flags)
+ {
+--- a/fs/xfs/kmem.h
++++ b/fs/xfs/kmem.h
+@@ -66,8 +66,6 @@ extern void *kmem_realloc(const void *,
+ extern void kmem_free(const void *);
+
+
+-extern void *kmem_zalloc_greedy(size_t *, size_t, size_t);
+-
+ static inline void *
+ kmem_zalloc(size_t size, xfs_km_flags_t flags)
+ {
+--- a/fs/xfs/xfs_itable.c
++++ b/fs/xfs/xfs_itable.c
+@@ -356,7 +356,6 @@ xfs_bulkstat(
+ xfs_agino_t agino; /* inode # in allocation group */
+ xfs_agnumber_t agno; /* allocation group number */
+ xfs_btree_cur_t *cur; /* btree cursor for ialloc btree */
+- size_t irbsize; /* size of irec buffer in bytes */
+ xfs_inobt_rec_incore_t *irbuf; /* start of irec buffer */
+ int nirbuf; /* size of irbuf */
+ int ubcount; /* size of user's buffer */
+@@ -383,11 +382,10 @@ xfs_bulkstat(
+ *ubcountp = 0;
+ *done = 0;
+
+- irbuf = kmem_zalloc_greedy(&irbsize, PAGE_SIZE, PAGE_SIZE * 4);
++ irbuf = kmem_zalloc_large(PAGE_SIZE * 4, KM_SLEEP);
+ if (!irbuf)
+ return -ENOMEM;
+-
+- nirbuf = irbsize / sizeof(*irbuf);
++ nirbuf = (PAGE_SIZE * 4) / sizeof(*irbuf);
+
+ /*
+ * Loop over the allocation groups, starting from the last
projects / thirdparty / kernel / stable-queue.git / commitdiff
