--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Michael Scott <michael@opensourcefoundries.com>
+Date: Tue, 19 Jun 2018 16:44:06 -0700
+Subject: 6lowpan: iphc: reset mac_header after decompress to fix panic
+
+From: Michael Scott <michael@opensourcefoundries.com>
+
+[ Upstream commit 03bc05e1a4972f73b4eb8907aa373369e825c252 ]
+
+After decompression of 6lowpan socket data, an IPv6 header is inserted
+before the existing socket payload. After this, we reset the
+network_header value of the skb to account for the difference in payload
+size from prior to decompression + the addition of the IPv6 header.
+
+However, we fail to reset the mac_header value.
+
+Leaving the mac_header value untouched here, can cause a calculation
+error in net/packet/af_packet.c packet_rcv() function when an
+AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan
+interface.
+
+On line 2088, the data pointer is moved backward by the value returned
+from skb_mac_header(). If skb->data is adjusted so that it is before
+the skb->head pointer (which can happen when an old value of mac_header
+is left in place) the kernel generates a panic in net/core/skbuff.c
+line 1717.
+
+This panic can be generated by BLE 6lowpan interfaces (such as bt0) and
+802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan
+sources for compression and decompression.
+
+Signed-off-by: Michael Scott <michael@opensourcefoundries.com>
+Acked-by: Alexander Aring <aring@mojatatu.com>
+Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/6lowpan/iphc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/6lowpan/iphc.c
++++ b/net/6lowpan/iphc.c
+@@ -745,6 +745,7 @@ int lowpan_header_decompress(struct sk_b
+ hdr.hop_limit, &hdr.daddr);
+
+ skb_push(skb, sizeof(hdr));
++ skb_reset_mac_header(skb);
+ skb_reset_network_header(skb);
+ skb_copy_to_linear_data(skb, &hdr, sizeof(hdr));
+
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Mon, 2 Jul 2018 09:34:29 +0200
+Subject: alarmtimer: Prevent overflow for relative nanosleep
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 5f936e19cc0ef97dbe3a56e9498922ad5ba1edef ]
+
+Air Icy reported:
+
+ UBSAN: Undefined behaviour in kernel/time/alarmtimer.c:811:7
+ signed integer overflow:
+ 1529859276030040771 + 9223372036854775807 cannot be represented in type 'long long int'
+ Call Trace:
+ alarm_timer_nsleep+0x44c/0x510 kernel/time/alarmtimer.c:811
+ __do_sys_clock_nanosleep kernel/time/posix-timers.c:1235 [inline]
+ __se_sys_clock_nanosleep kernel/time/posix-timers.c:1213 [inline]
+ __x64_sys_clock_nanosleep+0x326/0x4e0 kernel/time/posix-timers.c:1213
+ do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290
+
+alarm_timer_nsleep() uses ktime_add() to add the current time and the
+relative expiry value. ktime_add() has no sanity checks so the addition
+can overflow when the relative timeout is large enough.
+
+Use ktime_add_safe() which has the necessary sanity checks in place and
+limits the result to the valid range.
+
+Fixes: 9a7adcf5c6de ("timers: Posix interface for alarm-timers")
+Reported-by: Team OWL337 <icytxw@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: John Stultz <john.stultz@linaro.org>
+Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1807020926360.1595@nanos.tec.linutronix.de
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/time/alarmtimer.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -786,7 +786,8 @@ static int alarm_timer_nsleep(const cloc
+ /* Convert (if necessary) to absolute time */
+ if (flags != TIMER_ABSTIME) {
+ ktime_t now = alarm_bases[type].gettime();
+- exp = ktime_add(now, exp);
++
++ exp = ktime_add_safe(now, exp);
+ }
+
+ if (alarmtimer_do_nsleep(&alarm, exp))
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Thu, 28 Jun 2018 15:28:24 +0800
+Subject: ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 1adca4b0cd65c14cb8b8c9c257720385869c3d5f ]
+
+This patch can make audio controller in AMD Raven Ridge gets runtime
+suspended to D3, to save ~1W power when it's not in use.
+
+Cc: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/hda_intel.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2349,7 +2349,8 @@ static const struct pci_device_id azx_id
+ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB },
+ /* AMD Raven */
+ { PCI_DEVICE(0x1022, 0x15e3),
+- .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB },
++ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB |
++ AZX_DCAPS_PM_RUNTIME },
+ /* ATI HDMI */
+ { PCI_DEVICE(0x1002, 0x0002),
+ .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS },
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Fri, 29 Jun 2018 19:07:42 +0200
+Subject: ALSA: snd-aoa: add of_node_put() in error path
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit 222bce5eb88d1af656419db04bcd84b2419fb900 ]
+
+ Both calls to of_find_node_by_name() and of_get_next_child() return a
+node pointer with refcount incremented thus it must be explicidly
+decremented here after the last usage. As we are assured to have a
+refcounted np either from the initial
+of_find_node_by_name(NULL, name); or from the of_get_next_child(gpio, np)
+in the while loop if we reached the error code path below, an
+x of_node_put(np) is needed.
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Fixes: commit f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/aoa/core/gpio-feature.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/aoa/core/gpio-feature.c
++++ b/sound/aoa/core/gpio-feature.c
+@@ -88,8 +88,10 @@ static struct device_node *get_gpio(char
+ }
+
+ reg = of_get_property(np, "reg", NULL);
+- if (!reg)
++ if (!reg) {
++ of_node_put(np);
+ return NULL;
++ }
+
+ *gpioptr = *reg;
+
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Kevin Hilman <khilman@baylibre.com>
+Date: Mon, 21 May 2018 13:08:32 -0700
+Subject: ARM: dts: dra7: fix DCAN node addresses
+
+From: Kevin Hilman <khilman@baylibre.com>
+
+[ Upstream commit 949bdcc8a97c6078f21c8d4966436b117f2e4cd3 ]
+
+Fix the DT node addresses to match the reg property addresses,
+which were verified to match the TRM:
+http://www.ti.com/lit/pdf/sprui30
+
+Cc: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Acked-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/dra7.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/dra7.dtsi
++++ b/arch/arm/boot/dts/dra7.dtsi
+@@ -1770,7 +1770,7 @@
+ };
+ };
+
+- dcan1: can@481cc000 {
++ dcan1: can@4ae3c000 {
+ compatible = "ti,dra7-d_can";
+ ti,hwmods = "dcan1";
+ reg = <0x4ae3c000 0x2000>;
+@@ -1780,7 +1780,7 @@
+ status = "disabled";
+ };
+
+- dcan2: can@481d0000 {
++ dcan2: can@48480000 {
+ compatible = "ti,dra7-d_can";
+ ti,hwmods = "dcan2";
+ reg = <0x48480000 0x2000>;
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Dave Gerlach <d-gerlach@ti.com>
+Date: Thu, 21 Jun 2018 14:43:08 +0530
+Subject: ARM: hwmod: RTC: Don't assume lock/unlock will be called with irq enabled
+
+From: Dave Gerlach <d-gerlach@ti.com>
+
+[ Upstream commit 6d609b35c815ba20132b7b64bcca04516bb17c56 ]
+
+When the RTC lock and unlock functions were introduced it was likely
+assumed that they would always be called from irq enabled context, hence
+the use of local_irq_disable/enable. This is no longer true as the
+RTC+DDR path makes a late call during the suspend path after irqs
+have been disabled to enable the RTC hwmod which calls both unlock and
+lock, leading to IRQs being reenabled through the local_irq_enable call
+in omap_hwmod_rtc_lock call.
+
+To avoid this change the local_irq_disable/enable to
+local_irq_save/restore to ensure that from whatever context this is
+called the proper IRQ configuration is maintained.
+
+Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/omap_hwmod_reset.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_reset.c
++++ b/arch/arm/mach-omap2/omap_hwmod_reset.c
+@@ -92,11 +92,13 @@ static void omap_rtc_wait_not_busy(struc
+ */
+ void omap_hwmod_rtc_unlock(struct omap_hwmod *oh)
+ {
+- local_irq_disable();
++ unsigned long flags;
++
++ local_irq_save(flags);
+ omap_rtc_wait_not_busy(oh);
+ omap_hwmod_write(OMAP_RTC_KICK0_VALUE, oh, OMAP_RTC_KICK0_REG);
+ omap_hwmod_write(OMAP_RTC_KICK1_VALUE, oh, OMAP_RTC_KICK1_REG);
+- local_irq_enable();
++ local_irq_restore(flags);
+ }
+
+ /**
+@@ -110,9 +112,11 @@ void omap_hwmod_rtc_unlock(struct omap_h
+ */
+ void omap_hwmod_rtc_lock(struct omap_hwmod *oh)
+ {
+- local_irq_disable();
++ unsigned long flags;
++
++ local_irq_save(flags);
+ omap_rtc_wait_not_busy(oh);
+ omap_hwmod_write(0x0, oh, OMAP_RTC_KICK0_REG);
+ omap_hwmod_write(0x0, oh, OMAP_RTC_KICK1_REG);
+- local_irq_enable();
++ local_irq_restore(flags);
+ }
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Ethan Tuttle <ethan@ethantuttle.com>
+Date: Tue, 19 Jun 2018 21:31:08 -0700
+Subject: ARM: mvebu: declare asm symbols as character arrays in pmsu.c
+
+From: Ethan Tuttle <ethan@ethantuttle.com>
+
+[ Upstream commit d0d378ff451a66e486488eec842e507d28145813 ]
+
+With CONFIG_FORTIFY_SOURCE, memcpy uses the declared size of operands to
+detect buffer overflows. If src or dest is declared as a char, attempts to
+copy more than byte will result in a fortify_panic().
+
+Address this problem in mvebu_setup_boot_addr_wa() by declaring
+mvebu_boot_wa_start and mvebu_boot_wa_end as character arrays. Also remove
+a couple addressof operators to avoid "arithmetic on pointer to an
+incomplete type" compiler error.
+
+See commit 54a7d50b9205 ("x86: mark kprobe templates as character arrays,
+not single characters") for a similar fix.
+
+Fixes "detected buffer overflow in memcpy" error during init on some mvebu
+systems (armada-370-xp, armada-375):
+
+(fortify_panic) from (mvebu_setup_boot_addr_wa+0xb0/0xb4)
+(mvebu_setup_boot_addr_wa) from (mvebu_v7_cpu_pm_init+0x154/0x204)
+(mvebu_v7_cpu_pm_init) from (do_one_initcall+0x7c/0x1a8)
+(do_one_initcall) from (kernel_init_freeable+0x1bc/0x254)
+(kernel_init_freeable) from (kernel_init+0x8/0x114)
+(kernel_init) from (ret_from_fork+0x14/0x2c)
+
+Signed-off-by: Ethan Tuttle <ethan@ethantuttle.com>
+Tested-by: Ethan Tuttle <ethan@ethantuttle.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-mvebu/pmsu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm/mach-mvebu/pmsu.c
++++ b/arch/arm/mach-mvebu/pmsu.c
+@@ -116,8 +116,8 @@ void mvebu_pmsu_set_cpu_boot_addr(int hw
+ PMSU_BOOT_ADDR_REDIRECT_OFFSET(hw_cpu));
+ }
+
+-extern unsigned char mvebu_boot_wa_start;
+-extern unsigned char mvebu_boot_wa_end;
++extern unsigned char mvebu_boot_wa_start[];
++extern unsigned char mvebu_boot_wa_end[];
+
+ /*
+ * This function sets up the boot address workaround needed for SMP
+@@ -130,7 +130,7 @@ int mvebu_setup_boot_addr_wa(unsigned in
+ phys_addr_t resume_addr_reg)
+ {
+ void __iomem *sram_virt_base;
+- u32 code_len = &mvebu_boot_wa_end - &mvebu_boot_wa_start;
++ u32 code_len = mvebu_boot_wa_end - mvebu_boot_wa_start;
+
+ mvebu_mbus_del_window(BOOTROM_BASE, BOOTROM_SIZE);
+ mvebu_mbus_add_window_by_id(crypto_eng_target, crypto_eng_attribute,
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Liam Girdwood <liam.r.girdwood@linux.intel.com>
+Date: Thu, 14 Jun 2018 20:26:42 +0100
+Subject: ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs
+
+From: Liam Girdwood <liam.r.girdwood@linux.intel.com>
+
+[ Upstream commit e01b4f624278d5efe5fb5da585ca371947b16680 ]
+
+Sometime a component or topology may configure a DAI widget with no
+private data leading to a dev_dbg() dereferencne of this data.
+
+Fix this to check for non NULL private data and let users know if widget
+is missing DAI.
+
+Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/soc-dapm.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -3913,6 +3913,13 @@ int snd_soc_dapm_link_dai_widgets(struct
+ continue;
+ }
+
++ /* let users know there is no DAI to link */
++ if (!dai_w->priv) {
++ dev_dbg(card->dev, "dai widget %s has no DAI\n",
++ dai_w->name);
++ continue;
++ }
++
+ dai = dai_w->priv;
+
+ /* ...find all widgets with the same stream and link them */
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Ben Greear <greearb@candelatech.com>
+Date: Mon, 18 Jun 2018 17:00:56 +0300
+Subject: ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
+
+From: Ben Greear <greearb@candelatech.com>
+
+[ Upstream commit 168f75f11fe68455e0d058a818ebccfc329d8685 ]
+
+While debugging driver crashes related to a buggy firmware
+crashing under load, I noticed that ath10k_htt_rx_ring_free
+could be called without being under lock. I'm not sure if this
+is the root cause of the crash or not, but it seems prudent to
+protect it.
+
+Originally tested on 4.16+ kernel with ath10k-ct 10.4 firmware
+running on 9984 NIC.
+
+Signed-off-by: Ben Greear <greearb@candelatech.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/htt_rx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
+@@ -214,11 +214,12 @@ int ath10k_htt_rx_ring_refill(struct ath
+ spin_lock_bh(&htt->rx_ring.lock);
+ ret = ath10k_htt_rx_ring_fill_n(htt, (htt->rx_ring.fill_level -
+ htt->rx_ring.fill_cnt));
+- spin_unlock_bh(&htt->rx_ring.lock);
+
+ if (ret)
+ ath10k_htt_rx_ring_free(htt);
+
++ spin_unlock_bh(&htt->rx_ring.lock);
++
+ return ret;
+ }
+
+@@ -230,7 +231,9 @@ void ath10k_htt_rx_free(struct ath10k_ht
+ skb_queue_purge(&htt->rx_in_ord_compl_q);
+ skb_queue_purge(&htt->tx_fetch_ind_q);
+
++ spin_lock_bh(&htt->rx_ring.lock);
+ ath10k_htt_rx_ring_free(htt);
++ spin_unlock_bh(&htt->rx_ring.lock);
+
+ dma_free_coherent(htt->ar->dev,
+ (htt->rx_ring.size *
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: "Ondrej Mosnáček" <omosnace@redhat.com>
+Date: Tue, 5 Jun 2018 11:00:10 +0200
+Subject: audit: Fix extended comparison of GID/EGID
+
+From: "Ondrej Mosnáček" <omosnace@redhat.com>
+
+[ Upstream commit af85d1772e31fed34165a1b3decef340cf4080c0 ]
+
+The audit_filter_rules() function in auditsc.c used the in_[e]group_p()
+functions to check GID/EGID match, but these functions use the current
+task's credentials, while the comparison should use the credentials of
+the task given to audit_filter_rules() as a parameter (tsk).
+
+Note that we can use group_search(cred->group_info, ...) as a
+replacement for both in_group_p and in_egroup_p as these functions only
+compare the parameter to cred->fsgid/egid and then call group_search.
+
+In fact, the usage of in_group_p was even more incorrect: it compares to
+cred->fsgid (which is usually equal to cred->egid) and not cred->gid.
+
+GitHub issue:
+https://github.com/linux-audit/audit-kernel/issues/82
+
+Fixes: 37eebe39c973 ("audit: improve GID/EGID comparation logic")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/auditsc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -488,20 +488,20 @@ static int audit_filter_rules(struct tas
+ result = audit_gid_comparator(cred->gid, f->op, f->gid);
+ if (f->op == Audit_equal) {
+ if (!result)
+- result = in_group_p(f->gid);
++ result = groups_search(cred->group_info, f->gid);
+ } else if (f->op == Audit_not_equal) {
+ if (result)
+- result = !in_group_p(f->gid);
++ result = !groups_search(cred->group_info, f->gid);
+ }
+ break;
+ case AUDIT_EGID:
+ result = audit_gid_comparator(cred->egid, f->op, f->gid);
+ if (f->op == Audit_equal) {
+ if (!result)
+- result = in_egroup_p(f->gid);
++ result = groups_search(cred->group_info, f->gid);
+ } else if (f->op == Audit_not_equal) {
+ if (result)
+- result = !in_egroup_p(f->gid);
++ result = !groups_search(cred->group_info, f->gid);
+ }
+ break;
+ case AUDIT_SGID:
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Jian-Hong Pan <jian-hong@endlessm.com>
+Date: Fri, 25 May 2018 17:54:52 +0800
+Subject: Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
+
+From: Jian-Hong Pan <jian-hong@endlessm.com>
+
+[ Upstream commit 45ae68b8cfc25bdbffc11248001c47ab1b76ff6e ]
+
+Without this patch we cannot turn on the Bluethooth adapter on HP
+14-bs007la.
+
+T: Bus=01 Lev=02 Prnt=03 Port=00 Cnt=01 Dev#= 4 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0bda ProdID=b009 Rev= 2.00
+S: Manufacturer=Realtek
+S: Product=802.11n WLAN Adapter
+S: SerialNumber=00e04c000001
+C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+
+Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -349,6 +349,7 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK },
+
+ /* Additional Realtek 8723DE Bluetooth devices */
++ { USB_DEVICE(0x0bda, 0xb009), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x2ff8, 0xb011), .driver_info = BTUSB_REALTEK },
+
+ /* Additional Realtek 8821AE Bluetooth devices */
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Stafford Horne <shorne@gmail.com>
+Date: Mon, 25 Jun 2018 21:45:37 +0900
+Subject: crypto: skcipher - Fix -Wstringop-truncation warnings
+
+From: Stafford Horne <shorne@gmail.com>
+
+[ Upstream commit cefd769fd0192c84d638f66da202459ed8ad63ba ]
+
+As of GCC 9.0.0 the build is reporting warnings like:
+
+ crypto/ablkcipher.c: In function ‘crypto_ablkcipher_report’:
+ crypto/ablkcipher.c:374:2: warning: ‘strncpy’ specified bound 64 equals destination size [-Wstringop-truncation]
+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>",
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ sizeof(rblkcipher.geniv));
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This means the strnycpy might create a non null terminated string. Fix this by
+explicitly performing '\0' termination.
+
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Max Filippov <jcmvbkbc@gmail.com>
+Cc: Eric Biggers <ebiggers3@gmail.com>
+Cc: Nick Desaulniers <nick.desaulniers@gmail.com>
+Signed-off-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/ablkcipher.c | 2 ++
+ crypto/blkcipher.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/crypto/ablkcipher.c
++++ b/crypto/ablkcipher.c
+@@ -367,6 +367,7 @@ static int crypto_ablkcipher_report(stru
+ strncpy(rblkcipher.type, "ablkcipher", sizeof(rblkcipher.type));
+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>",
+ sizeof(rblkcipher.geniv));
++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0';
+
+ rblkcipher.blocksize = alg->cra_blocksize;
+ rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
+@@ -441,6 +442,7 @@ static int crypto_givcipher_report(struc
+ strncpy(rblkcipher.type, "givcipher", sizeof(rblkcipher.type));
+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<built-in>",
+ sizeof(rblkcipher.geniv));
++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0';
+
+ rblkcipher.blocksize = alg->cra_blocksize;
+ rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
+--- a/crypto/blkcipher.c
++++ b/crypto/blkcipher.c
+@@ -510,6 +510,7 @@ static int crypto_blkcipher_report(struc
+ strncpy(rblkcipher.type, "blkcipher", sizeof(rblkcipher.type));
+ strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "<default>",
+ sizeof(rblkcipher.geniv));
++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0';
+
+ rblkcipher.blocksize = alg->cra_blocksize;
+ rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize;
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+Date: Tue, 12 Jun 2018 12:36:25 +0800
+Subject: drivers/tty: add error handling for pcmcia_loop_config
+
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+
+[ Upstream commit 85c634e919bd6ef17427f26a52920aeba12e16ee ]
+
+When pcmcia_loop_config fails, the lack of error-handling code may
+cause unexpected results.
+
+This patch adds error-handling code after calling pcmcia_loop_config.
+
+Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/serial_cs.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/8250/serial_cs.c
++++ b/drivers/tty/serial/8250/serial_cs.c
+@@ -637,8 +637,10 @@ static int serial_config(struct pcmcia_d
+ (link->has_func_id) &&
+ (link->socket->pcmcia_pfc == 0) &&
+ ((link->func_id == CISTPL_FUNCID_MULTI) ||
+- (link->func_id == CISTPL_FUNCID_SERIAL)))
+- pcmcia_loop_config(link, serial_check_for_multi, info);
++ (link->func_id == CISTPL_FUNCID_SERIAL))) {
++ if (pcmcia_loop_config(link, serial_check_for_multi, info))
++ goto failed;
++ }
+
+ /*
+ * Apply any multi-port quirk.
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Jernej Skrabec <jernej.skrabec@siol.net>
+Date: Mon, 25 Jun 2018 14:02:46 +0200
+Subject: drm/sun4i: Fix releasing node when enumerating enpoints
+
+From: Jernej Skrabec <jernej.skrabec@siol.net>
+
+[ Upstream commit 367c359aa8637b15ee8df6335c5a29b7623966ec ]
+
+sun4i_drv_add_endpoints() has a memory leak since it uses of_node_put()
+when remote is equal to NULL and does nothing when remote has a valid
+pointer.
+
+Invert the logic to fix memory leak.
+
+Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180625120304.7543-7-jernej.skrabec@siol.net
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/sun4i/sun4i_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/sun4i/sun4i_drv.c
++++ b/drivers/gpu/drm/sun4i/sun4i_drv.c
+@@ -283,7 +283,6 @@ static int sun4i_drv_add_endpoints(struc
+ remote = of_graph_get_remote_port_parent(ep);
+ if (!remote) {
+ DRM_DEBUG_DRIVER("Error retrieving the output node\n");
+- of_node_put(remote);
+ continue;
+ }
+
+@@ -297,11 +296,13 @@ static int sun4i_drv_add_endpoints(struc
+
+ if (of_graph_parse_endpoint(ep, &endpoint)) {
+ DRM_DEBUG_DRIVER("Couldn't parse endpoint\n");
++ of_node_put(remote);
+ continue;
+ }
+
+ if (!endpoint.id) {
+ DRM_DEBUG_DRIVER("Endpoint is our panel... skipping\n");
++ of_node_put(remote);
+ continue;
+ }
+ }
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 12 Jun 2018 14:43:34 +0200
+Subject: EDAC: Fix memleak in module init error path
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 4708aa85d50cc6e962dfa8acf5ad4e0d290a21db ]
+
+Make sure to use put_device() to free the initialised struct device so
+that resources managed by driver core also gets released in the event of
+a registration failure.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Cc: Denis Kirjanov <kirjanov@gmail.com>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Fixes: 2d56b109e3a5 ("EDAC: Handle error path in edac_mc_sysfs_init() properly")
+Link: http://lkml.kernel.org/r/20180612124335.6420-1-johan@kernel.org
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/edac_mc_sysfs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/edac/edac_mc_sysfs.c
++++ b/drivers/edac/edac_mc_sysfs.c
+@@ -1059,14 +1059,14 @@ int __init edac_mc_sysfs_init(void)
+
+ err = device_add(mci_pdev);
+ if (err < 0)
+- goto out_dev_free;
++ goto out_put_device;
+
+ edac_dbg(0, "device %s created\n", dev_name(mci_pdev));
+
+ return 0;
+
+- out_dev_free:
+- kfree(mci_pdev);
++ out_put_device:
++ put_device(mci_pdev);
+ out:
+ return err;
+ }
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 12 Jun 2018 14:43:35 +0200
+Subject: EDAC, i7core: Fix memleaks and use-after-free on probe and remove
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 6c974d4dfafe5e9ee754f2a6fba0eb1864f1649e ]
+
+Make sure to free and deregister the addrmatch and chancounts devices
+allocated during probe in all error paths. Also fix use-after-free in a
+probe error path and in the remove success path where the devices were
+being put before before deregistration.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Fixes: 356f0a30860d ("i7core_edac: change the mem allocation scheme to make Documentation/kobject.txt happy")
+Link: http://lkml.kernel.org/r/20180612124335.6420-2-johan@kernel.org
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/i7core_edac.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+--- a/drivers/edac/i7core_edac.c
++++ b/drivers/edac/i7core_edac.c
+@@ -1177,15 +1177,14 @@ static int i7core_create_sysfs_devices(s
+
+ rc = device_add(pvt->addrmatch_dev);
+ if (rc < 0)
+- return rc;
++ goto err_put_addrmatch;
+
+ if (!pvt->is_registered) {
+ pvt->chancounts_dev = kzalloc(sizeof(*pvt->chancounts_dev),
+ GFP_KERNEL);
+ if (!pvt->chancounts_dev) {
+- put_device(pvt->addrmatch_dev);
+- device_del(pvt->addrmatch_dev);
+- return -ENOMEM;
++ rc = -ENOMEM;
++ goto err_del_addrmatch;
+ }
+
+ pvt->chancounts_dev->type = &all_channel_counts_type;
+@@ -1199,9 +1198,18 @@ static int i7core_create_sysfs_devices(s
+
+ rc = device_add(pvt->chancounts_dev);
+ if (rc < 0)
+- return rc;
++ goto err_put_chancounts;
+ }
+ return 0;
++
++err_put_chancounts:
++ put_device(pvt->chancounts_dev);
++err_del_addrmatch:
++ device_del(pvt->addrmatch_dev);
++err_put_addrmatch:
++ put_device(pvt->addrmatch_dev);
++
++ return rc;
+ }
+
+ static void i7core_delete_sysfs_devices(struct mem_ctl_info *mci)
+@@ -1211,11 +1219,11 @@ static void i7core_delete_sysfs_devices(
+ edac_dbg(1, "\n");
+
+ if (!pvt->is_registered) {
+- put_device(pvt->chancounts_dev);
+ device_del(pvt->chancounts_dev);
++ put_device(pvt->chancounts_dev);
+ }
+- put_device(pvt->addrmatch_dev);
+ device_del(pvt->addrmatch_dev);
++ put_device(pvt->addrmatch_dev);
+ }
+
+ /****************************************************************************
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Nadav Amit <namit@vmware.com>
+Date: Mon, 4 Jun 2018 06:58:14 -0700
+Subject: gpio: Fix wrong rounding in gpio-menz127
+
+From: Nadav Amit <namit@vmware.com>
+
+[ Upstream commit 7279d9917560bbd0d82813d6bf00490a82c06783 ]
+
+men_z127_debounce() tries to round up and down, but uses functions which
+are only suitable when the divider is a power of two, which is not the
+case. Use the appropriate ones.
+
+Found by static check. Compile tested.
+
+Fixes: f436bc2726c64 ("gpio: add driver for MEN 16Z127 GPIO controller")
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-menz127.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpio/gpio-menz127.c
++++ b/drivers/gpio/gpio-menz127.c
+@@ -56,9 +56,9 @@ static int men_z127_debounce(struct gpio
+ rnd = fls(debounce) - 1;
+
+ if (rnd && (debounce & BIT(rnd - 1)))
+- debounce = round_up(debounce, MEN_Z127_DB_MIN_US);
++ debounce = roundup(debounce, MEN_Z127_DB_MIN_US);
+ else
+- debounce = round_down(debounce, MEN_Z127_DB_MIN_US);
++ debounce = rounddown(debounce, MEN_Z127_DB_MIN_US);
+
+ if (debounce > MEN_Z127_DB_MAX_US)
+ debounce = MEN_Z127_DB_MAX_US;
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+Date: Thu, 14 Jun 2018 21:37:17 +0800
+Subject: HID: hid-ntrig: add error handling for sysfs_create_group
+
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+
+[ Upstream commit 44d4d51de9a3534a2b63d69efda02a10e66541e4 ]
+
+When sysfs_create_group fails, the lack of error-handling code may
+cause unexpected results.
+
+This patch adds error-handling code after calling sysfs_create_group.
+
+Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-ntrig.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-ntrig.c
++++ b/drivers/hid/hid-ntrig.c
+@@ -955,6 +955,8 @@ static int ntrig_probe(struct hid_device
+
+ ret = sysfs_create_group(&hdev->dev.kobj,
+ &ntrig_attribute_group);
++ if (ret)
++ hid_err(hdev, "cannot create sysfs group\n");
+
+ return 0;
+ err_free:
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:32:12 +0300
+Subject: IB/core: type promotion bug in rdma_rw_init_one_mr()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit c2d7c8ff89b22ddefb1ac2986c0d48444a667689 ]
+
+"nents" is an unsigned int, so if ib_map_mr_sg() returns a negative
+error code then it's type promoted to a high unsigned int which is
+treated as success.
+
+Fixes: a060b5629ab0 ("IB/core: generic RDMA READ/WRITE API")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/rw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/rw.c
++++ b/drivers/infiniband/core/rw.c
+@@ -87,7 +87,7 @@ static int rdma_rw_init_one_mr(struct ib
+ }
+
+ ret = ib_map_mr_sg(reg->mr, sg, nents, &offset, PAGE_SIZE);
+- if (ret < nents) {
++ if (ret < 0 || ret < nents) {
+ ib_mr_pool_put(qp, &qp->rdma_mrs, reg->mr);
+ return -EINVAL;
+ }
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Zhen Lei <thunder.leizhen@huawei.com>
+Date: Wed, 6 Jun 2018 10:18:46 +0800
+Subject: iommu/amd: make sure TLB to be flushed before IOVA freed
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 3c120143f584360a13614787e23ae2cdcb5e5ccd ]
+
+Although the mapping has already been removed in the page table, it maybe
+still exist in TLB. Suppose the freed IOVAs is reused by others before the
+flush operation completed, the new user can not correctly access to its
+meomory.
+
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Fixes: b1516a14657a ('iommu/amd: Implement flush queue')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/amd_iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -2452,9 +2452,9 @@ static void __unmap_single(struct dma_op
+ }
+
+ if (amd_iommu_unmap_flush) {
+- dma_ops_free_iova(dma_dom, dma_addr, pages);
+ domain_flush_tlb(&dma_dom->domain);
+ domain_flush_complete(&dma_dom->domain);
++ dma_ops_free_iova(dma_dom, dma_addr, pages);
+ } else {
+ queue_add(dma_dom, dma_addr, pages);
+ }
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Guoqing Jiang <gqjiang@suse.com>
+Date: Mon, 2 Jul 2018 16:26:24 +0800
+Subject: md-cluster: clear another node's suspend_area after the copy is finished
+
+From: Guoqing Jiang <gqjiang@suse.com>
+
+[ Upstream commit 010228e4a932ca1e8365e3b58c8e1e44c16ff793 ]
+
+When one node leaves cluster or stops the resyncing
+(resync or recovery) array, then other nodes need to
+call recover_bitmaps to continue the unfinished task.
+
+But we need to clear suspend_area later after other
+nodes copy the resync information to their bitmap
+(by call bitmap_copy_from_slot). Otherwise, all nodes
+could write to the suspend_area even the suspend_area
+is not handled by any node, because area_resyncing
+returns 0 at the beginning of raid1_write_request.
+Which means one node could write suspend_area while
+another node is resyncing the same area, then data
+could be inconsistent.
+
+So let's clear suspend_area later to avoid above issue
+with the protection of bm lock. Also it is straightforward
+to clear suspend_area after nodes have copied the resync
+info to bitmap.
+
+Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
+Reviewed-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md-cluster.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/drivers/md/md-cluster.c
++++ b/drivers/md/md-cluster.c
+@@ -302,15 +302,6 @@ static void recover_bitmaps(struct md_th
+ while (cinfo->recovery_map) {
+ slot = fls64((u64)cinfo->recovery_map) - 1;
+
+- /* Clear suspend_area associated with the bitmap */
+- spin_lock_irq(&cinfo->suspend_lock);
+- list_for_each_entry_safe(s, tmp, &cinfo->suspend_list, list)
+- if (slot == s->slot) {
+- list_del(&s->list);
+- kfree(s);
+- }
+- spin_unlock_irq(&cinfo->suspend_lock);
+-
+ snprintf(str, 64, "bitmap%04d", slot);
+ bm_lockres = lockres_init(mddev, str, NULL, 1);
+ if (!bm_lockres) {
+@@ -329,6 +320,16 @@ static void recover_bitmaps(struct md_th
+ pr_err("md-cluster: Could not copy data from bitmap %d\n", slot);
+ goto clear_bit;
+ }
++
++ /* Clear suspend_area associated with the bitmap */
++ spin_lock_irq(&cinfo->suspend_lock);
++ list_for_each_entry_safe(s, tmp, &cinfo->suspend_list, list)
++ if (slot == s->slot) {
++ list_del(&s->list);
++ kfree(s);
++ }
++ spin_unlock_irq(&cinfo->suspend_lock);
++
+ if (hi > 0) {
+ if (lo < mddev->recovery_cp)
+ mddev->recovery_cp = lo;
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Date: Tue, 15 May 2018 05:21:45 -0400
+Subject: media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt()
+
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+
+[ Upstream commit 7c1b9a5aeed91bef98988ac0fcf38c8c1f4f9a3a ]
+
+This patch fixes potential NULL pointer dereference as indicated
+by the following static checker warning:
+
+drivers/media/platform/exynos4-is/fimc-isp-video.c:408 isp_video_try_fmt_mplane()
+error: NULL dereference inside function '__isp_video_try_fmt(isp, &f->fmt.pix_mp, (0))()'.
+
+Fixes: 34947b8aebe3: ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver")
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/exynos4-is/fimc-isp-video.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/platform/exynos4-is/fimc-isp-video.c
++++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c
+@@ -384,12 +384,17 @@ static void __isp_video_try_fmt(struct f
+ struct v4l2_pix_format_mplane *pixm,
+ const struct fimc_fmt **fmt)
+ {
+- *fmt = fimc_isp_find_format(&pixm->pixelformat, NULL, 2);
++ const struct fimc_fmt *__fmt;
++
++ __fmt = fimc_isp_find_format(&pixm->pixelformat, NULL, 2);
++
++ if (fmt)
++ *fmt = __fmt;
+
+ pixm->colorspace = V4L2_COLORSPACE_SRGB;
+ pixm->field = V4L2_FIELD_NONE;
+- pixm->num_planes = (*fmt)->memplanes;
+- pixm->pixelformat = (*fmt)->fourcc;
++ pixm->num_planes = __fmt->memplanes;
++ pixm->pixelformat = __fmt->fourcc;
+ /*
+ * TODO: double check with the docmentation these width/height
+ * constraints are correct.
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Fri, 29 Jun 2018 17:49:22 -0400
+Subject: media: fsl-viu: fix error handling in viu_of_probe()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+[ Upstream commit 662a99e145661c2b35155cf375044deae9b79896 ]
+
+viu_of_probe() ignores fails in i2c_get_adapter(),
+tries to unlock uninitialized mutex on error path.
+
+The patch streamlining the error handling in viu_of_probe().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/fsl-viu.c | 38 +++++++++++++++++++++++---------------
+ 1 file changed, 23 insertions(+), 15 deletions(-)
+
+--- a/drivers/media/platform/fsl-viu.c
++++ b/drivers/media/platform/fsl-viu.c
+@@ -1417,7 +1417,7 @@ static int viu_of_probe(struct platform_
+ sizeof(struct viu_reg), DRV_NAME)) {
+ dev_err(&op->dev, "Error while requesting mem region\n");
+ ret = -EBUSY;
+- goto err;
++ goto err_irq;
+ }
+
+ /* remap registers */
+@@ -1425,7 +1425,7 @@ static int viu_of_probe(struct platform_
+ if (!viu_regs) {
+ dev_err(&op->dev, "Can't map register set\n");
+ ret = -ENOMEM;
+- goto err;
++ goto err_irq;
+ }
+
+ /* Prepare our private structure */
+@@ -1433,7 +1433,7 @@ static int viu_of_probe(struct platform_
+ if (!viu_dev) {
+ dev_err(&op->dev, "Can't allocate private structure\n");
+ ret = -ENOMEM;
+- goto err;
++ goto err_irq;
+ }
+
+ viu_dev->vr = viu_regs;
+@@ -1449,16 +1449,21 @@ static int viu_of_probe(struct platform_
+ ret = v4l2_device_register(viu_dev->dev, &viu_dev->v4l2_dev);
+ if (ret < 0) {
+ dev_err(&op->dev, "v4l2_device_register() failed: %d\n", ret);
+- goto err;
++ goto err_irq;
+ }
+
+ ad = i2c_get_adapter(0);
++ if (!ad) {
++ ret = -EFAULT;
++ dev_err(&op->dev, "couldn't get i2c adapter\n");
++ goto err_v4l2;
++ }
+
+ v4l2_ctrl_handler_init(&viu_dev->hdl, 5);
+ if (viu_dev->hdl.error) {
+ ret = viu_dev->hdl.error;
+ dev_err(&op->dev, "couldn't register control\n");
+- goto err_vdev;
++ goto err_i2c;
+ }
+ /* This control handler will inherit the control(s) from the
+ sub-device(s). */
+@@ -1476,7 +1481,7 @@ static int viu_of_probe(struct platform_
+ vdev = video_device_alloc();
+ if (vdev == NULL) {
+ ret = -ENOMEM;
+- goto err_vdev;
++ goto err_hdl;
+ }
+
+ *vdev = viu_template;
+@@ -1497,7 +1502,7 @@ static int viu_of_probe(struct platform_
+ ret = video_register_device(viu_dev->vdev, VFL_TYPE_GRABBER, -1);
+ if (ret < 0) {
+ video_device_release(viu_dev->vdev);
+- goto err_vdev;
++ goto err_unlock;
+ }
+
+ /* enable VIU clock */
+@@ -1505,12 +1510,12 @@ static int viu_of_probe(struct platform_
+ if (IS_ERR(clk)) {
+ dev_err(&op->dev, "failed to lookup the clock!\n");
+ ret = PTR_ERR(clk);
+- goto err_clk;
++ goto err_vdev;
+ }
+ ret = clk_prepare_enable(clk);
+ if (ret) {
+ dev_err(&op->dev, "failed to enable the clock!\n");
+- goto err_clk;
++ goto err_vdev;
+ }
+ viu_dev->clk = clk;
+
+@@ -1521,7 +1526,7 @@ static int viu_of_probe(struct platform_
+ if (request_irq(viu_dev->irq, viu_intr, 0, "viu", (void *)viu_dev)) {
+ dev_err(&op->dev, "Request VIU IRQ failed.\n");
+ ret = -ENODEV;
+- goto err_irq;
++ goto err_clk;
+ }
+
+ mutex_unlock(&viu_dev->lock);
+@@ -1529,16 +1534,19 @@ static int viu_of_probe(struct platform_
+ dev_info(&op->dev, "Freescale VIU Video Capture Board\n");
+ return ret;
+
+-err_irq:
+- clk_disable_unprepare(viu_dev->clk);
+ err_clk:
+- video_unregister_device(viu_dev->vdev);
++ clk_disable_unprepare(viu_dev->clk);
+ err_vdev:
+- v4l2_ctrl_handler_free(&viu_dev->hdl);
++ video_unregister_device(viu_dev->vdev);
++err_unlock:
+ mutex_unlock(&viu_dev->lock);
++err_hdl:
++ v4l2_ctrl_handler_free(&viu_dev->hdl);
++err_i2c:
+ i2c_put_adapter(ad);
++err_v4l2:
+ v4l2_device_unregister(&viu_dev->v4l2_dev);
+-err:
++err_irq:
+ irq_dispose_mapping(viu_irq);
+ return ret;
+ }
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Sat, 9 Jun 2018 08:22:45 -0400
+Subject: media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data
+
+From: Javier Martinez Canillas <javierm@redhat.com>
+
+[ Upstream commit 2ec7debd44b49927a6e2861521994cc075a389ed ]
+
+The struct clk_init_data init variable is declared in the isp_xclk_init()
+function so is an automatic variable allocated in the stack. But it's not
+explicitly zero-initialized, so some init fields are left uninitialized.
+
+This causes the data structure to have undefined values that may confuse
+the common clock framework when the clock is registered.
+
+For example, the uninitialized .flags field could have the CLK_IS_CRITICAL
+bit set, causing the framework to wrongly prepare the clk on registration.
+This leads to the isp_xclk_prepare() callback being called, which in turn
+calls to the omap3isp_get() function that increments the isp dev refcount.
+
+Since this omap3isp_get() call is unexpected, this leads to an unbalanced
+omap3isp_get() call that prevents the requested IRQ to be later enabled,
+due the refcount not being 0 when the correct omap3isp_get() call happens.
+
+Fixes: 9b28ee3c9122 ("[media] omap3isp: Use the common clock framework")
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/omap3isp/isp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/omap3isp/isp.c
++++ b/drivers/media/platform/omap3isp/isp.c
+@@ -304,7 +304,7 @@ static struct clk *isp_xclk_src_get(stru
+ static int isp_xclk_init(struct isp_device *isp)
+ {
+ struct device_node *np = isp->dev->of_node;
+- struct clk_init_data init;
++ struct clk_init_data init = { 0 };
+ unsigned int i;
+
+ for (i = 0; i < ARRAY_SIZE(isp->xclks); ++i)
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Sun, 10 Jun 2018 11:42:01 -0400
+Subject: media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+[ Upstream commit 30ed2b83343bd1e07884ca7355dac70d25ffc158 ]
+
+When the subdevice doesn't provide s_power core ops callback, the
+v4l2_subdev_call for s_power returns -ENOIOCTLCMD. If the subdevice
+doesn't have the special handling for its power saving mode, the s_power
+isn't required. So -ENOIOCTLCMD from the v4l2_subdev_call should be
+ignored.
+
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Acked-by: Sylwester Nawrocki <sylvester.nawrocki@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/s3c-camif/camif-capture.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/s3c-camif/camif-capture.c
++++ b/drivers/media/platform/s3c-camif/camif-capture.c
+@@ -117,6 +117,8 @@ static int sensor_set_power(struct camif
+
+ if (camif->sensor.power_count == !on)
+ err = v4l2_subdev_call(sensor->sd, core, s_power, on);
++ if (err == -ENOIOCTLCMD)
++ err = 0;
+ if (!err)
+ sensor->power_count += on ? 1 : -1;
+
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Sun, 10 Jun 2018 11:42:26 -0400
+Subject: media: soc_camera: ov772x: correct setting of banding filter
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+[ Upstream commit 22216ec41e919682c15345e95928f266e8ba6f9e ]
+
+The banding filter ON/OFF is controlled via bit 5 of COM8 register. It
+is attempted to be enabled in ov772x_set_params() by the following line.
+
+ ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, 1);
+
+But this unexpectedly results disabling the banding filter, because the
+mask and set bits are exclusive.
+
+On the other hand, ov772x_s_ctrl() correctly sets the bit by:
+
+ ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, BNDF_ON_OFF);
+
+The same fix was already applied to non-soc_camera version of ov772x
+driver in the commit commit a024ee14cd36 ("media: ov772x: correct setting
+of banding filter")
+
+Cc: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/soc_camera/ov772x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/soc_camera/ov772x.c
++++ b/drivers/media/i2c/soc_camera/ov772x.c
+@@ -834,7 +834,7 @@ static int ov772x_set_params(struct ov77
+ * set COM8
+ */
+ if (priv->band_filter) {
+- ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, 1);
++ ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, BNDF_ON_OFF);
+ if (!ret)
+ ret = ov772x_mask_set(client, BDBASE,
+ 0xff, 256 - priv->band_filter);
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+Date: Mon, 11 Jun 2018 00:39:20 -0400
+Subject: media: tm6000: add error handling for dvb_register_adapter
+
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+
+[ Upstream commit e95d7c6eb94c634852eaa5ff4caf3db05b5d2e86 ]
+
+When dvb_register_adapter fails, the lack of error-handling code may
+cause unexpected results.
+
+This patch adds error-handling code after calling dvb_register_adapter.
+
+Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
+[hans.verkuil@cisco.com: use pr_err and fix typo: adater -> adapter]
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/tm6000/tm6000-dvb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/media/usb/tm6000/tm6000-dvb.c
++++ b/drivers/media/usb/tm6000/tm6000-dvb.c
+@@ -273,6 +273,11 @@ static int register_dvb(struct tm6000_co
+
+ ret = dvb_register_adapter(&dvb->adapter, "Trident TVMaster 6000 DVB-T",
+ THIS_MODULE, &dev->udev->dev, adapter_nr);
++ if (ret < 0) {
++ pr_err("tm6000: couldn't register the adapter!\n");
++ goto err;
++ }
++
+ dvb->adapter.priv = dev;
+
+ if (dvb->frontend) {
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Jessica Yu <jeyu@kernel.org>
+Date: Tue, 5 Jun 2018 10:22:52 +0200
+Subject: module: exclude SHN_UNDEF symbols from kallsyms api
+
+From: Jessica Yu <jeyu@kernel.org>
+
+[ Upstream commit 9f2d1e68cf4d641def734adaccfc3823d3575e6c ]
+
+Livepatch modules are special in that we preserve their entire symbol
+tables in order to be able to apply relocations after module load. The
+unwanted side effect of this is that undefined (SHN_UNDEF) symbols of
+livepatch modules are accessible via the kallsyms api and this can
+confuse symbol resolution in livepatch (klp_find_object_symbol()) and
+cause subtle bugs in livepatch.
+
+Have the module kallsyms api skip over SHN_UNDEF symbols. These symbols
+are usually not available for normal modules anyway as we cut down their
+symbol tables to just the core (non-undefined) symbols, so this should
+really just affect livepatch modules. Note that this patch doesn't
+affect the display of undefined symbols in /proc/kallsyms.
+
+Reported-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Tested-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Jessica Yu <jeyu@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/module.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -4011,7 +4011,7 @@ static unsigned long mod_find_symname(st
+
+ for (i = 0; i < kallsyms->num_symtab; i++)
+ if (strcmp(name, symname(kallsyms, i)) == 0 &&
+- kallsyms->symtab[i].st_info != 'U')
++ kallsyms->symtab[i].st_shndx != SHN_UNDEF)
+ return kallsyms->symtab[i].st_value;
+ return 0;
+ }
+@@ -4057,6 +4057,10 @@ int module_kallsyms_on_each_symbol(int (
+ if (mod->state == MODULE_STATE_UNFORMED)
+ continue;
+ for (i = 0; i < kallsyms->num_symtab; i++) {
++
++ if (kallsyms->symtab[i].st_shndx == SHN_UNDEF)
++ continue;
++
+ ret = fn(data, symname(kallsyms, i),
+ mod, kallsyms->symtab[i].st_value);
+ if (ret != 0)
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Brandon Maier <brandon.maier@rockwellcollins.com>
+Date: Tue, 26 Jun 2018 12:50:48 -0500
+Subject: net: phy: xgmiitorgmii: Check phy_driver ready before accessing
+
+From: Brandon Maier <brandon.maier@rockwellcollins.com>
+
+[ Upstream commit ab4e6ee578e88a659938db8fbf33720bc048d29c ]
+
+Since a phy_device is added to the global mdio_bus list during
+phy_device_register(), but a phy_device's phy_driver doesn't get
+attached until phy_probe(). It's possible of_phy_find_device() in
+xgmiitorgmii will return a valid phy with a NULL phy_driver. Leading to
+a NULL pointer access during the memcpy().
+
+Fixes this Oops:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000000
+pgd = c0004000
+[00000000] *pgd=00000000
+Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.40 #1
+Hardware name: Xilinx Zynq Platform
+task: ce4c8d00 task.stack: ce4ca000
+PC is at memcpy+0x48/0x330
+LR is at xgmiitorgmii_probe+0x90/0xe8
+pc : [<c074bc68>] lr : [<c0529548>] psr: 20000013
+sp : ce4cbb54 ip : 00000000 fp : ce4cbb8c
+r10: 00000000 r9 : 00000000 r8 : c0c49178
+r7 : 00000000 r6 : cdc14718 r5 : ce762800 r4 : cdc14710
+r3 : 00000000 r2 : 00000054 r1 : 00000000 r0 : cdc14718
+Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 18c5387d Table: 0000404a DAC: 00000051
+Process swapper/0 (pid: 1, stack limit = 0xce4ca210)
+...
+[<c074bc68>] (memcpy) from [<c0529548>] (xgmiitorgmii_probe+0x90/0xe8)
+[<c0529548>] (xgmiitorgmii_probe) from [<c0526a94>] (mdio_probe+0x28/0x34)
+[<c0526a94>] (mdio_probe) from [<c04db98c>] (driver_probe_device+0x254/0x414)
+[<c04db98c>] (driver_probe_device) from [<c04dbd58>] (__device_attach_driver+0xac/0x10c)
+[<c04dbd58>] (__device_attach_driver) from [<c04d96f4>] (bus_for_each_drv+0x84/0xc8)
+[<c04d96f4>] (bus_for_each_drv) from [<c04db5bc>] (__device_attach+0xd0/0x134)
+[<c04db5bc>] (__device_attach) from [<c04dbdd4>] (device_initial_probe+0x1c/0x20)
+[<c04dbdd4>] (device_initial_probe) from [<c04da8fc>] (bus_probe_device+0x98/0xa0)
+[<c04da8fc>] (bus_probe_device) from [<c04d8660>] (device_add+0x43c/0x5d0)
+[<c04d8660>] (device_add) from [<c0526cb8>] (mdio_device_register+0x34/0x80)
+[<c0526cb8>] (mdio_device_register) from [<c0580b48>] (of_mdiobus_register+0x170/0x30c)
+[<c0580b48>] (of_mdiobus_register) from [<c05349c4>] (macb_probe+0x710/0xc00)
+[<c05349c4>] (macb_probe) from [<c04dd700>] (platform_drv_probe+0x44/0x80)
+[<c04dd700>] (platform_drv_probe) from [<c04db98c>] (driver_probe_device+0x254/0x414)
+[<c04db98c>] (driver_probe_device) from [<c04dbc58>] (__driver_attach+0x10c/0x118)
+[<c04dbc58>] (__driver_attach) from [<c04d9600>] (bus_for_each_dev+0x8c/0xd0)
+[<c04d9600>] (bus_for_each_dev) from [<c04db1fc>] (driver_attach+0x2c/0x30)
+[<c04db1fc>] (driver_attach) from [<c04daa98>] (bus_add_driver+0x50/0x260)
+[<c04daa98>] (bus_add_driver) from [<c04dc440>] (driver_register+0x88/0x108)
+[<c04dc440>] (driver_register) from [<c04dd6b4>] (__platform_driver_register+0x50/0x58)
+[<c04dd6b4>] (__platform_driver_register) from [<c0b31248>] (macb_driver_init+0x24/0x28)
+[<c0b31248>] (macb_driver_init) from [<c010203c>] (do_one_initcall+0x60/0x1a4)
+[<c010203c>] (do_one_initcall) from [<c0b00f78>] (kernel_init_freeable+0x15c/0x1f8)
+[<c0b00f78>] (kernel_init_freeable) from [<c0763d10>] (kernel_init+0x18/0x124)
+[<c0763d10>] (kernel_init) from [<c0112d74>] (ret_from_fork+0x14/0x20)
+Code: ba000002 f5d1f03c f5d1f05c f5d1f07c (e8b151f8)
+---[ end trace 3e4ec21905820a1f ]---
+
+Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/xilinx_gmii2rgmii.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/phy/xilinx_gmii2rgmii.c
++++ b/drivers/net/phy/xilinx_gmii2rgmii.c
+@@ -84,6 +84,11 @@ static int xgmiitorgmii_probe(struct mdi
+ return -EPROBE_DEFER;
+ }
+
++ if (!priv->phy_dev->drv) {
++ dev_info(dev, "Attached phy not ready\n");
++ return -EPROBE_DEFER;
++ }
++
+ priv->addr = mdiodev->addr;
+ priv->phy_drv = priv->phy_dev->drv;
+ memcpy(&priv->conv_phy_drv, priv->phy_dev->drv,
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Brandon Maier <brandon.maier@rockwellcollins.com>
+Date: Tue, 26 Jun 2018 12:50:50 -0500
+Subject: net: phy: xgmiitorgmii: Check read_status results
+
+From: Brandon Maier <brandon.maier@rockwellcollins.com>
+
+[ Upstream commit 8d0752d11312be830c33e84dfd1016e6a47c2938 ]
+
+We're ignoring the result of the attached phy device's read_status().
+Return it so we can detect errors.
+
+Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/xilinx_gmii2rgmii.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/xilinx_gmii2rgmii.c
++++ b/drivers/net/phy/xilinx_gmii2rgmii.c
+@@ -40,8 +40,11 @@ static int xgmiitorgmii_read_status(stru
+ {
+ struct gmii2rgmii *priv = phydev->priv;
+ u16 val = 0;
++ int err;
+
+- priv->phy_drv->read_status(phydev);
++ err = priv->phy_drv->read_status(phydev);
++ if (err < 0)
++ return err;
+
+ val = mdiobus_read(phydev->mdio.bus, priv->addr, XILINX_GMII2RGMII_REG);
+ val &= ~XILINX_GMII2RGMII_SPEED_MASK;
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Wed, 13 Jun 2018 15:21:35 -0400
+Subject: nfsd: fix corrupted reply to badly ordered compound
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+[ Upstream commit 5b7b15aee641904ae269be9846610a3950cbd64c ]
+
+We're encoding a single op in the reply but leaving the number of ops
+zero, so the reply makes no sense.
+
+Somewhat academic as this isn't a case any real client will hit, though
+in theory perhaps that could change in a future protocol extension.
+
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4proc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1725,6 +1725,7 @@ nfsd4_proc_compound(struct svc_rqst *rqs
+ if (status) {
+ op = &args->ops[0];
+ op->status = status;
++ resp->opcnt = 1;
+ goto encode_op;
+ }
+
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Tue, 5 Jun 2018 08:38:45 -0700
+Subject: perf/x86/intel/lbr: Fix incomplete LBR call stack
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 0592e57b24e7e05ec1f4c50b9666c013abff7017 ]
+
+LBR has a limited stack size. If a task has a deeper call stack than
+LBR's stack size, only the overflowed part is reported. A complete call
+stack may not be reconstructed by perf tool.
+
+Current code doesn't access all LBR registers. It only read the ones
+below the TOS. The LBR registers above the TOS will be discarded
+unconditionally.
+
+When a CALL is captured, the TOS is incremented by 1 , modulo max LBR
+stack size. The LBR HW only records the call stack information to the
+register which the TOS points to. It will not touch other LBR
+registers. So the registers above the TOS probably still store the valid
+call stack information for an overflowed call stack, which need to be
+reported.
+
+To retrieve complete call stack information, we need to start from TOS,
+read all LBR registers until an invalid entry is detected.
+0s can be used to detect the invalid entry, because:
+
+ - When a RET is captured, the HW zeros the LBR register which TOS points
+ to, then decreases the TOS.
+ - The LBR registers are reset to 0 when adding a new LBR event or
+ scheduling an existing LBR event.
+ - A taken branch at IP 0 is not expected
+
+The context switch code is also modified to save/restore all valid LBR
+registers. Furthermore, the LBR registers, which don't have valid call
+stack information, need to be reset in restore, because they may be
+polluted while swapped out.
+
+Here is a small test program, tchain_deep.
+Its call stack is deeper than 32.
+
+ noinline void f33(void)
+ {
+ int i;
+
+ for (i = 0; i < 10000000;) {
+ if (i%2)
+ i++;
+ else
+ i++;
+ }
+ }
+
+ noinline void f32(void)
+ {
+ f33();
+ }
+
+ noinline void f31(void)
+ {
+ f32();
+ }
+
+ ... ...
+
+ noinline void f1(void)
+ {
+ f2();
+ }
+
+ int main()
+ {
+ f1();
+ }
+
+Here is the test result on SKX. The max stack size of SKX is 32.
+
+Without the patch:
+
+ $ perf record -e cycles --call-graph lbr -- ./tchain_deep
+ $ perf report --stdio
+ #
+ # Children Self Command Shared Object Symbol
+ # ........ ........ ........... ................ .................
+ #
+ 100.00% 99.99% tchain_deep tchain_deep [.] f33
+ |
+ --99.99%--f30
+ f31
+ f32
+ f33
+
+With the patch:
+
+ $ perf record -e cycles --call-graph lbr -- ./tchain_deep
+ $ perf report --stdio
+ # Children Self Command Shared Object Symbol
+ # ........ ........ ........... ................ ..................
+ #
+ 99.99% 0.00% tchain_deep tchain_deep [.] f1
+ |
+ ---f1
+ f2
+ f3
+ f4
+ f5
+ f6
+ f7
+ f8
+ f9
+ f10
+ f11
+ f12
+ f13
+ f14
+ f15
+ f16
+ f17
+ f18
+ f19
+ f20
+ f21
+ f22
+ f23
+ f24
+ f25
+ f26
+ f27
+ f28
+ f29
+ f30
+ f31
+ f32
+ f33
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: acme@kernel.org
+Cc: eranian@google.com
+Link: https://lore.kernel.org/lkml/1528213126-4312-1-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/lbr.c | 32 ++++++++++++++++++++++++++------
+ arch/x86/events/perf_event.h | 1 +
+ 2 files changed, 27 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/events/intel/lbr.c
++++ b/arch/x86/events/intel/lbr.c
+@@ -342,7 +342,7 @@ static void __intel_pmu_lbr_restore(stru
+
+ mask = x86_pmu.lbr_nr - 1;
+ tos = task_ctx->tos;
+- for (i = 0; i < tos; i++) {
++ for (i = 0; i < task_ctx->valid_lbrs; i++) {
+ lbr_idx = (tos - i) & mask;
+ wrlbr_from(lbr_idx, task_ctx->lbr_from[i]);
+ wrlbr_to (lbr_idx, task_ctx->lbr_to[i]);
+@@ -350,6 +350,15 @@ static void __intel_pmu_lbr_restore(stru
+ if (x86_pmu.intel_cap.lbr_format == LBR_FORMAT_INFO)
+ wrmsrl(MSR_LBR_INFO_0 + lbr_idx, task_ctx->lbr_info[i]);
+ }
++
++ for (; i < x86_pmu.lbr_nr; i++) {
++ lbr_idx = (tos - i) & mask;
++ wrlbr_from(lbr_idx, 0);
++ wrlbr_to(lbr_idx, 0);
++ if (x86_pmu.intel_cap.lbr_format == LBR_FORMAT_INFO)
++ wrmsrl(MSR_LBR_INFO_0 + lbr_idx, 0);
++ }
++
+ wrmsrl(x86_pmu.lbr_tos, tos);
+ task_ctx->lbr_stack_state = LBR_NONE;
+ }
+@@ -357,7 +366,7 @@ static void __intel_pmu_lbr_restore(stru
+ static void __intel_pmu_lbr_save(struct x86_perf_task_context *task_ctx)
+ {
+ unsigned lbr_idx, mask;
+- u64 tos;
++ u64 tos, from;
+ int i;
+
+ if (task_ctx->lbr_callstack_users == 0) {
+@@ -367,13 +376,17 @@ static void __intel_pmu_lbr_save(struct
+
+ mask = x86_pmu.lbr_nr - 1;
+ tos = intel_pmu_lbr_tos();
+- for (i = 0; i < tos; i++) {
++ for (i = 0; i < x86_pmu.lbr_nr; i++) {
+ lbr_idx = (tos - i) & mask;
+- task_ctx->lbr_from[i] = rdlbr_from(lbr_idx);
++ from = rdlbr_from(lbr_idx);
++ if (!from)
++ break;
++ task_ctx->lbr_from[i] = from;
+ task_ctx->lbr_to[i] = rdlbr_to(lbr_idx);
+ if (x86_pmu.intel_cap.lbr_format == LBR_FORMAT_INFO)
+ rdmsrl(MSR_LBR_INFO_0 + lbr_idx, task_ctx->lbr_info[i]);
+ }
++ task_ctx->valid_lbrs = i;
+ task_ctx->tos = tos;
+ task_ctx->lbr_stack_state = LBR_VALID;
+ }
+@@ -522,7 +535,7 @@ static void intel_pmu_lbr_read_32(struct
+ */
+ static void intel_pmu_lbr_read_64(struct cpu_hw_events *cpuc)
+ {
+- bool need_info = false;
++ bool need_info = false, call_stack = false;
+ unsigned long mask = x86_pmu.lbr_nr - 1;
+ int lbr_format = x86_pmu.intel_cap.lbr_format;
+ u64 tos = intel_pmu_lbr_tos();
+@@ -533,7 +546,7 @@ static void intel_pmu_lbr_read_64(struct
+ if (cpuc->lbr_sel) {
+ need_info = !(cpuc->lbr_sel->config & LBR_NO_INFO);
+ if (cpuc->lbr_sel->config & LBR_CALL_STACK)
+- num = tos;
++ call_stack = true;
+ }
+
+ for (i = 0; i < num; i++) {
+@@ -546,6 +559,13 @@ static void intel_pmu_lbr_read_64(struct
+ from = rdlbr_from(lbr_idx);
+ to = rdlbr_to(lbr_idx);
+
++ /*
++ * Read LBR call stack entries
++ * until invalid entry (0s) is detected.
++ */
++ if (call_stack && !from)
++ break;
++
+ if (lbr_format == LBR_FORMAT_INFO && need_info) {
+ u64 info;
+
+--- a/arch/x86/events/perf_event.h
++++ b/arch/x86/events/perf_event.h
+@@ -633,6 +633,7 @@ struct x86_perf_task_context {
+ u64 lbr_to[MAX_LBR_ENTRIES];
+ u64 lbr_info[MAX_LBR_ENTRIES];
+ int tos;
++ int valid_lbrs;
+ int lbr_callstack_users;
+ int lbr_stack_state;
+ };
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Mon, 25 Jun 2018 09:51:48 +0200
+Subject: power: remove possible deadlock when unregistering power_supply
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+[ Upstream commit 3ffa6583e24e1ad1abab836d24bfc9d2308074e5 ]
+
+If a device gets removed right after having registered a power_supply node,
+we might enter in a deadlock between the remove call (that has a lock on
+the parent device) and the deferred register work.
+
+Allow the deferred register work to exit without taking the lock when
+we are in the remove state.
+
+Stack trace on a Ubuntu 16.04:
+
+[16072.109121] INFO: task kworker/u16:2:1180 blocked for more than 120 seconds.
+[16072.109127] Not tainted 4.13.0-41-generic #46~16.04.1-Ubuntu
+[16072.109129] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+[16072.109132] kworker/u16:2 D 0 1180 2 0x80000000
+[16072.109142] Workqueue: events_power_efficient power_supply_deferred_register_work
+[16072.109144] Call Trace:
+[16072.109152] __schedule+0x3d6/0x8b0
+[16072.109155] schedule+0x36/0x80
+[16072.109158] schedule_preempt_disabled+0xe/0x10
+[16072.109161] __mutex_lock.isra.2+0x2ab/0x4e0
+[16072.109166] __mutex_lock_slowpath+0x13/0x20
+[16072.109168] ? __mutex_lock_slowpath+0x13/0x20
+[16072.109171] mutex_lock+0x2f/0x40
+[16072.109174] power_supply_deferred_register_work+0x2b/0x50
+[16072.109179] process_one_work+0x15b/0x410
+[16072.109182] worker_thread+0x4b/0x460
+[16072.109186] kthread+0x10c/0x140
+[16072.109189] ? process_one_work+0x410/0x410
+[16072.109191] ? kthread_create_on_node+0x70/0x70
+[16072.109194] ret_from_fork+0x35/0x40
+[16072.109199] INFO: task test:2257 blocked for more than 120 seconds.
+[16072.109202] Not tainted 4.13.0-41-generic #46~16.04.1-Ubuntu
+[16072.109204] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+[16072.109206] test D 0 2257 2256 0x00000004
+[16072.109208] Call Trace:
+[16072.109211] __schedule+0x3d6/0x8b0
+[16072.109215] schedule+0x36/0x80
+[16072.109218] schedule_timeout+0x1f3/0x360
+[16072.109221] ? check_preempt_curr+0x5a/0xa0
+[16072.109224] ? ttwu_do_wakeup+0x1e/0x150
+[16072.109227] wait_for_completion+0xb4/0x140
+[16072.109230] ? wait_for_completion+0xb4/0x140
+[16072.109233] ? wake_up_q+0x70/0x70
+[16072.109236] flush_work+0x129/0x1e0
+[16072.109240] ? worker_detach_from_pool+0xb0/0xb0
+[16072.109243] __cancel_work_timer+0x10f/0x190
+[16072.109247] ? device_del+0x264/0x310
+[16072.109250] ? __wake_up+0x44/0x50
+[16072.109253] cancel_delayed_work_sync+0x13/0x20
+[16072.109257] power_supply_unregister+0x37/0xb0
+[16072.109260] devm_power_supply_release+0x11/0x20
+[16072.109263] release_nodes+0x110/0x200
+[16072.109266] devres_release_group+0x7c/0xb0
+[16072.109274] wacom_remove+0xc2/0x110 [wacom]
+[16072.109279] hid_device_remove+0x6e/0xd0 [hid]
+[16072.109284] device_release_driver_internal+0x158/0x210
+[16072.109288] device_release_driver+0x12/0x20
+[16072.109291] bus_remove_device+0xec/0x160
+[16072.109293] device_del+0x1de/0x310
+[16072.109298] hid_destroy_device+0x27/0x60 [hid]
+[16072.109303] usbhid_disconnect+0x51/0x70 [usbhid]
+[16072.109308] usb_unbind_interface+0x77/0x270
+[16072.109311] device_release_driver_internal+0x158/0x210
+[16072.109315] device_release_driver+0x12/0x20
+[16072.109318] usb_driver_release_interface+0x77/0x80
+[16072.109321] proc_ioctl+0x20f/0x250
+[16072.109325] usbdev_do_ioctl+0x57f/0x1140
+[16072.109327] ? __wake_up+0x44/0x50
+[16072.109331] usbdev_ioctl+0xe/0x20
+[16072.109336] do_vfs_ioctl+0xa4/0x600
+[16072.109339] ? vfs_write+0x15a/0x1b0
+[16072.109343] SyS_ioctl+0x79/0x90
+[16072.109347] entry_SYSCALL_64_fastpath+0x24/0xab
+[16072.109349] RIP: 0033:0x7f20da807f47
+[16072.109351] RSP: 002b:00007ffc422ae398 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+[16072.109353] RAX: ffffffffffffffda RBX: 00000000010b8560 RCX: 00007f20da807f47
+[16072.109355] RDX: 00007ffc422ae3a0 RSI: 00000000c0105512 RDI: 0000000000000009
+[16072.109356] RBP: 0000000000000000 R08: 00007ffc422ae3e0 R09: 0000000000000010
+[16072.109357] R10: 00000000000000a6 R11: 0000000000000246 R12: 0000000000000000
+[16072.109359] R13: 00000000010b8560 R14: 00007ffc422ae2e0 R15: 0000000000000000
+
+Reported-and-tested-by: Richard Hughes <rhughes@redhat.com>
+Tested-by: Aaron Skomra <Aaron.Skomra@wacom.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Fixes: 7f1a57fdd6cb ("power_supply: Fix possible NULL pointer dereference on early uevent")
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/power_supply_core.c | 11 +++++++++--
+ include/linux/power_supply.h | 1 +
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/power/supply/power_supply_core.c
++++ b/drivers/power/supply/power_supply_core.c
+@@ -14,6 +14,7 @@
+ #include <linux/types.h>
+ #include <linux/init.h>
+ #include <linux/slab.h>
++#include <linux/delay.h>
+ #include <linux/device.h>
+ #include <linux/notifier.h>
+ #include <linux/err.h>
+@@ -138,8 +139,13 @@ static void power_supply_deferred_regist
+ struct power_supply *psy = container_of(work, struct power_supply,
+ deferred_register_work.work);
+
+- if (psy->dev.parent)
+- mutex_lock(&psy->dev.parent->mutex);
++ if (psy->dev.parent) {
++ while (!mutex_trylock(&psy->dev.parent->mutex)) {
++ if (psy->removing)
++ return;
++ msleep(10);
++ }
++ }
+
+ power_supply_changed(psy);
+
+@@ -944,6 +950,7 @@ EXPORT_SYMBOL_GPL(devm_power_supply_regi
+ void power_supply_unregister(struct power_supply *psy)
+ {
+ WARN_ON(atomic_dec_return(&psy->use_cnt));
++ psy->removing = true;
+ cancel_work_sync(&psy->changed_work);
+ cancel_delayed_work_sync(&psy->deferred_register_work);
+ sysfs_remove_link(&psy->dev.kobj, "powers");
+--- a/include/linux/power_supply.h
++++ b/include/linux/power_supply.h
+@@ -249,6 +249,7 @@ struct power_supply {
+ spinlock_t changed_lock;
+ bool changed;
+ bool initialized;
++ bool removing;
+ atomic_t use_cnt;
+ #ifdef CONFIG_THERMAL
+ struct thermal_zone_device *tzd;
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Mon, 18 Jun 2018 16:54:32 +0100
+Subject: power: vexpress: fix corruption in notifier registration
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 09bebb1adb21ecd04adf7ccb3b06f73e3a851e93 ]
+
+Vexpress platforms provide two different restart handlers: SYS_REBOOT
+that restart the entire system, while DB_RESET only restarts the
+daughter board containing the CPU. DB_RESET is overridden by SYS_REBOOT
+if it exists.
+
+notifier_chain_register used in register_restart_handler by design
+relies on notifiers to be registered once only, however vexpress restart
+notifier can get registered twice. When this happen it corrupts list
+of notifiers, as result some notifiers can be not called on proper
+event, traverse on list can be cycled forever, and second unregister
+can access already freed memory.
+
+So far, since this was the only restart handler in the system, no issue
+was observed even if the same notifier was registered twice. However
+commit 6c5c0d48b686 ("watchdog: sp805: add restart handler") added
+support for SP805 restart handlers and since the system under test
+contains two vexpress restart and two SP805 watchdog instances, it was
+observed that during the boot traversing the restart handler list looped
+forever as there's a cycle in that list resulting in boot hang.
+
+This patch fixes the issues by ensuring that the notifier is installed
+only once.
+
+Cc: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Fixes: 46c99ac66222 ("power/reset: vexpress: Register with kernel restart handler")
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/reset/vexpress-poweroff.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/power/reset/vexpress-poweroff.c
++++ b/drivers/power/reset/vexpress-poweroff.c
+@@ -35,6 +35,7 @@ static void vexpress_reset_do(struct dev
+ }
+
+ static struct device *vexpress_power_off_device;
++static atomic_t vexpress_restart_nb_refcnt = ATOMIC_INIT(0);
+
+ static void vexpress_power_off(void)
+ {
+@@ -99,10 +100,13 @@ static int _vexpress_register_restart_ha
+ int err;
+
+ vexpress_restart_device = dev;
+- err = register_restart_handler(&vexpress_restart_nb);
+- if (err) {
+- dev_err(dev, "cannot register restart handler (err=%d)\n", err);
+- return err;
++ if (atomic_inc_return(&vexpress_restart_nb_refcnt) == 1) {
++ err = register_restart_handler(&vexpress_restart_nb);
++ if (err) {
++ dev_err(dev, "cannot register restart handler (err=%d)\n", err);
++ atomic_dec(&vexpress_restart_nb_refcnt);
++ return err;
++ }
+ }
+ device_create_file(dev, &dev_attr_active);
+
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Hari Bathini <hbathini@linux.ibm.com>
+Date: Thu, 28 Jun 2018 10:49:56 +0530
+Subject: powerpc/kdump: Handle crashkernel memory reservation failure
+
+From: Hari Bathini <hbathini@linux.ibm.com>
+
+[ Upstream commit 8950329c4a64c6d3ca0bc34711a1afbd9ce05657 ]
+
+Memory reservation for crashkernel could fail if there are holes around
+kdump kernel offset (128M). Fail gracefully in such cases and print an
+error message.
+
+Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
+Tested-by: David Gibson <dgibson@redhat.com>
+Reviewed-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/machine_kexec.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/machine_kexec.c
++++ b/arch/powerpc/kernel/machine_kexec.c
+@@ -186,7 +186,12 @@ void __init reserve_crashkernel(void)
+ (unsigned long)(crashk_res.start >> 20),
+ (unsigned long)(memblock_phys_mem_size() >> 20));
+
+- memblock_reserve(crashk_res.start, crash_size);
++ if (!memblock_is_region_memory(crashk_res.start, crash_size) ||
++ memblock_reserve(crashk_res.start, crash_size)) {
++ pr_err("Failed to reserve memory for crashkernel!\n");
++ crashk_res.start = crashk_res.end = 0;
++ return;
++ }
+ }
+
+ int overlaps_crashkernel(unsigned long start, unsigned long size)
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Fri, 1 Jun 2018 18:06:16 +1000
+Subject: powerpc/powernv/ioda2: Reduce upper limit for DMA window size
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+[ Upstream commit d3d4ffaae439981e1e441ebb125aa3588627c5d8 ]
+
+We use PHB in mode1 which uses bit 59 to select a correct DMA window.
+However there is mode2 which uses bits 59:55 and allows up to 32 DMA
+windows per a PE.
+
+Even though documentation does not clearly specify that, it seems that
+the actual hardware does not support bits 59:55 even in mode1, in other
+words we can create a window as big as 1<<58 but DMA simply won't work.
+
+This reduces the upper limit from 59 to 55 bits to let the userspace know
+about the hardware limits.
+
+Fixes: 7aafac11e3 "powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested"
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/pci-ioda.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/pci-ioda.c
++++ b/arch/powerpc/platforms/powernv/pci-ioda.c
+@@ -2623,7 +2623,7 @@ static long pnv_pci_ioda2_table_alloc_pa
+ level_shift = entries_shift + 3;
+ level_shift = max_t(unsigned, level_shift, PAGE_SHIFT);
+
+- if ((level_shift - 3) * levels + page_shift >= 60)
++ if ((level_shift - 3) * levels + page_shift >= 55)
+ return -EINVAL;
+
+ /* Allocate TCE table */
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 5 Jun 2018 14:31:39 +0300
+Subject: rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit ae636fb1554833ee5133ca47bf4b2791b6739c52 ]
+
+This is a static checker fix, not something I have tested. The issue
+is that on the second iteration through the loop, we jump forward by
+le32_to_cpu(auth_req->length) bytes. The problem is that if the length
+is more than "buflen" then we end up with a negative "buflen". A
+negative buflen is type promoted to a high positive value and the loop
+continues but it's accessing beyond the end of the buffer.
+
+I believe the "auth_req->length" comes from the firmware and if the
+firmware is malicious or buggy, you're already toasted so the impact of
+this bug is probably not very severe.
+
+Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/rndis_wlan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/rndis_wlan.c
++++ b/drivers/net/wireless/rndis_wlan.c
+@@ -2921,6 +2921,8 @@ static void rndis_wlan_auth_indication(s
+
+ while (buflen >= sizeof(*auth_req)) {
+ auth_req = (void *)buf;
++ if (buflen < le32_to_cpu(auth_req->length))
++ return;
+ type = "unknown";
+ flags = le32_to_cpu(auth_req->flags);
+ pairwise_error = false;
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Sun, 17 Jun 2018 00:30:43 +0200
+Subject: s390/extmem: fix gcc 8 stringop-overflow warning
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+[ Upstream commit 6b2ddf33baec23dace85bd647e3fc4ac070963e8 ]
+
+arch/s390/mm/extmem.c: In function '__segment_load':
+arch/s390/mm/extmem.c:436:2: warning: 'strncat' specified bound 7 equals
+source length [-Wstringop-overflow=]
+ strncat(seg->res_name, " (DCSS)", 7);
+
+What gcc complains about here is the misuse of strncat function, which
+in this case does not limit a number of bytes taken from "src", so it is
+in the end the same as strcat(seg->res_name, " (DCSS)");
+
+Keeping in mind that a res_name is 15 bytes, strncat in this case
+would overflow the buffer and write 0 into alignment byte between the
+fields in the struct. To avoid that increasing res_name size to 16,
+and reusing strlcat.
+
+Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/mm/extmem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/mm/extmem.c
++++ b/arch/s390/mm/extmem.c
+@@ -79,7 +79,7 @@ struct qin64 {
+ struct dcss_segment {
+ struct list_head list;
+ char dcss_name[8];
+- char res_name[15];
++ char res_name[16];
+ unsigned long start_addr;
+ unsigned long end;
+ atomic_t ref_count;
+@@ -432,7 +432,7 @@ __segment_load (char *name, int do_nonsh
+ memcpy(&seg->res_name, seg->dcss_name, 8);
+ EBCASC(seg->res_name, 8);
+ seg->res_name[8] = '\0';
+- strncat(seg->res_name, " (DCSS)", 7);
++ strlcat(seg->res_name, " (DCSS)", sizeof(seg->res_name));
+ seg->res->name = seg->res_name;
+ rc = seg->vm_segtype;
+ if (rc == SEG_TYPE_SC ||
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Sun, 24 Jun 2018 12:17:43 +0200
+Subject: s390/mm: correct allocate_pgste proc_handler callback
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+[ Upstream commit 5bedf8aa03c28cb8dc98bdd32a41b66d8f7d3eaa ]
+
+Since proc_dointvec does not perform value range control,
+proc_dointvec_minmax should be used to limit value range, which is
+clearly intended here, as the internal representation of the value:
+
+unsigned int alloc_pgste:1;
+
+In fact it currently works, since we have
+
+ mm->context.alloc_pgste = page_table_allocate_pgste || ...
+
+... since commit 23fefe119ceb5 ("s390/kvm: avoid global config of vm.alloc_pgste=1")
+
+Before that it was
+
+ mm->context.alloc_pgste = page_table_allocate_pgste;
+
+which was broken. That was introduced with commit 0b46e0a3ec0d7 ("s390/kvm:
+remove delayed reallocation of page tables for KVM").
+
+Fixes: 0b46e0a3ec0d7 ("s390/kvm: remove delayed reallocation of page tables for KVM")
+Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/mm/pgalloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/mm/pgalloc.c
++++ b/arch/s390/mm/pgalloc.c
+@@ -26,7 +26,7 @@ static struct ctl_table page_table_sysct
+ .data = &page_table_allocate_pgste,
+ .maxlen = sizeof(int),
+ .mode = S_IRUGO | S_IWUSR,
+- .proc_handler = proc_dointvec,
++ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &page_table_allocate_pgste_min,
+ .extra2 = &page_table_allocate_pgste_max,
+ },
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+Date: Tue, 12 Jun 2018 11:13:00 +0800
+Subject: scsi: bnx2i: add error handling for ioremap_nocache
+
+From: Zhouyang Jia <jiazhouyang09@gmail.com>
+
+[ Upstream commit aa154ea885eb0c2407457ce9c1538d78c95456fa ]
+
+When ioremap_nocache fails, the lack of error-handling code may cause
+unexpected results.
+
+This patch adds error-handling code after calling ioremap_nocache.
+
+Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Acked-by: Manish Rangankar <Manish.Rangankar@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/bnx2i/bnx2i_hwi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/bnx2i/bnx2i_hwi.c
++++ b/drivers/scsi/bnx2i/bnx2i_hwi.c
+@@ -2742,6 +2742,8 @@ int bnx2i_map_ep_dbell_regs(struct bnx2i
+ BNX2X_DOORBELL_PCI_BAR);
+ reg_off = (1 << BNX2X_DB_SHIFT) * (cid_num & 0x1FFFF);
+ ep->qp.ctx_base = ioremap_nocache(reg_base + reg_off, 4);
++ if (!ep->qp.ctx_base)
++ return -ENOMEM;
+ goto arm_cq;
+ }
+
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Breno Leitao <leitao@debian.org>
+Date: Tue, 26 Jun 2018 17:35:16 -0300
+Subject: scsi: ibmvscsi: Improve strings handling
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 1262dc09dc9ae7bf4ad00b6a2c5ed6a6936bcd10 ]
+
+Currently an open firmware property is copied into partition_name variable
+without keeping a room for \0.
+
+Later one, this variable (partition_name), which is 97 bytes long, is
+strncpyed into ibmvcsci_host_data->madapter_info->partition_name, which is
+96 bytes long, possibly truncating it 'again' and removing the \0.
+
+This patch simply decreases the partition name to 96 and just copy using
+strlcpy() which guarantees that the string is \0 terminated. I think there
+is no issue if this there is a truncation in this very first copy, i.e,
+when the open firmware property is read and copied into the driver for the
+very first time;
+
+This issue also causes the following warning on GCC 8:
+
+ drivers/scsi/ibmvscsi/ibmvscsi.c:281:2: warning: strncpy output may be truncated copying 96 bytes from a string of length 96 [-Wstringop-truncation]
+ ...
+ inlined from ibmvscsi_probe at drivers/scsi/ibmvscsi/ibmvscsi.c:2221:7:
+ drivers/scsi/ibmvscsi/ibmvscsi.c:265:3: warning: strncpy specified bound 97 equals destination size [-Wstringop-truncation]
+
+CC: Bart Van Assche <bart.vanassche@wdc.com>
+CC: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Acked-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ibmvscsi/ibmvscsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ibmvscsi/ibmvscsi.c
++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c
+@@ -93,7 +93,7 @@ static int max_requests = IBMVSCSI_MAX_R
+ static int max_events = IBMVSCSI_MAX_REQUESTS_DEFAULT + 2;
+ static int fast_fail = 1;
+ static int client_reserve = 1;
+-static char partition_name[97] = "UNKNOWN";
++static char partition_name[96] = "UNKNOWN";
+ static unsigned int partition_number = -1;
+
+ static struct scsi_transport_template *ibmvscsi_transport_template;
+@@ -259,7 +259,7 @@ static void gather_partition_info(void)
+
+ ppartition_name = of_get_property(of_root, "ibm,partition-name", NULL);
+ if (ppartition_name)
+- strncpy(partition_name, ppartition_name,
++ strlcpy(partition_name, ppartition_name,
+ sizeof(partition_name));
+ p_number_ptr = of_get_property(of_root, "ibm,partition-no", NULL);
+ if (p_number_ptr)
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Fri, 22 Jun 2018 14:54:49 -0700
+Subject: scsi: klist: Make it safe to use klists in atomic context
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+[ Upstream commit 624fa7790f80575a4ec28fbdb2034097dc18d051 ]
+
+In the scsi_transport_srp implementation it cannot be avoided to
+iterate over a klist from atomic context when using the legacy block
+layer instead of blk-mq. Hence this patch that makes it safe to use
+klists in atomic context. This patch avoids that lockdep reports the
+following:
+
+WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
+ Possible interrupt unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&(&k->k_lock)->rlock);
+ local_irq_disable();
+ lock(&(&q->__queue_lock)->rlock);
+ lock(&(&k->k_lock)->rlock);
+ <Interrupt>
+ lock(&(&q->__queue_lock)->rlock);
+
+stack backtrace:
+Workqueue: kblockd blk_timeout_work
+Call Trace:
+ dump_stack+0xa4/0xf5
+ check_usage+0x6e6/0x700
+ __lock_acquire+0x185d/0x1b50
+ lock_acquire+0xd2/0x260
+ _raw_spin_lock+0x32/0x50
+ klist_next+0x47/0x190
+ device_for_each_child+0x8e/0x100
+ srp_timed_out+0xaf/0x1d0 [scsi_transport_srp]
+ scsi_times_out+0xd4/0x410 [scsi_mod]
+ blk_rq_timed_out+0x36/0x70
+ blk_timeout_work+0x1b5/0x220
+ process_one_work+0x4fe/0xad0
+ worker_thread+0x63/0x5a0
+ kthread+0x1c1/0x1e0
+ ret_from_fork+0x24/0x30
+
+See also commit c9ddf73476ff ("scsi: scsi_transport_srp: Fix shost to
+rport translation").
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: James Bottomley <jejb@linux.vnet.ibm.com>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/klist.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/lib/klist.c
++++ b/lib/klist.c
+@@ -336,8 +336,9 @@ struct klist_node *klist_prev(struct kli
+ void (*put)(struct klist_node *) = i->i_klist->put;
+ struct klist_node *last = i->i_cur;
+ struct klist_node *prev;
++ unsigned long flags;
+
+- spin_lock(&i->i_klist->k_lock);
++ spin_lock_irqsave(&i->i_klist->k_lock, flags);
+
+ if (last) {
+ prev = to_klist_node(last->n_node.prev);
+@@ -356,7 +357,7 @@ struct klist_node *klist_prev(struct kli
+ prev = to_klist_node(prev->n_node.prev);
+ }
+
+- spin_unlock(&i->i_klist->k_lock);
++ spin_unlock_irqrestore(&i->i_klist->k_lock, flags);
+
+ if (put && last)
+ put(last);
+@@ -377,8 +378,9 @@ struct klist_node *klist_next(struct kli
+ void (*put)(struct klist_node *) = i->i_klist->put;
+ struct klist_node *last = i->i_cur;
+ struct klist_node *next;
++ unsigned long flags;
+
+- spin_lock(&i->i_klist->k_lock);
++ spin_lock_irqsave(&i->i_klist->k_lock, flags);
+
+ if (last) {
+ next = to_klist_node(last->n_node.next);
+@@ -397,7 +399,7 @@ struct klist_node *klist_next(struct kli
+ next = to_klist_node(next->n_node.next);
+ }
+
+- spin_unlock(&i->i_klist->k_lock);
++ spin_unlock_irqrestore(&i->i_klist->k_lock, flags);
+
+ if (put && last)
+ put(last);
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+Date: Mon, 4 Jun 2018 03:45:10 -0700
+Subject: scsi: megaraid_sas: Update controller info during resume
+
+From: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+
+[ Upstream commit c3b10a55abc943a526aaecd7e860b15671beb906 ]
+
+There is a possibility that firmware on the controller was upgraded before
+system was suspended. During resume, driver needs to read updated
+controller properties.
+
+Signed-off-by: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -6193,6 +6193,9 @@ megasas_resume(struct pci_dev *pdev)
+ goto fail_init_mfi;
+ }
+
++ if (megasas_get_ctrl_info(instance) != DCMD_SUCCESS)
++ goto fail_init_mfi;
++
+ tasklet_init(&instance->isr_tasklet, instance->instancet->tasklet,
+ (unsigned long)instance);
+
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Fri, 22 Jun 2018 14:53:01 -0700
+Subject: scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+[ Upstream commit 35bea5c84fd13c643cce63f0b5cd4b148f8c901d ]
+
+Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Reviewed-by: Mike Christie <mchristi@redhat.com>
+Cc: Mike Christie <mchristi@redhat.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/iscsi/iscsi_target_tpg.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_tpg.c
++++ b/drivers/target/iscsi/iscsi_target_tpg.c
+@@ -637,8 +637,7 @@ int iscsit_ta_authentication(struct iscs
+ none = strstr(buf1, NONE);
+ if (none)
+ goto out;
+- strncat(buf1, ",", strlen(","));
+- strncat(buf1, NONE, strlen(NONE));
++ strlcat(buf1, "," NONE, sizeof(buf1));
+ if (iscsi_update_param_value(param, buf1) < 0)
+ return -EINVAL;
+ }
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Alistair Strachan <astrachan@google.com>
+Date: Tue, 19 Jun 2018 17:57:35 -0700
+Subject: staging: android: ashmem: Fix mmap size validation
+
+From: Alistair Strachan <astrachan@google.com>
+
+[ Upstream commit 8632c614565d0c5fdde527889601c018e97b6384 ]
+
+The ashmem driver did not check that the size/offset of the vma passed
+to its .mmap() function was not larger than the ashmem object being
+mapped. This could cause mmap() to succeed, even though accessing parts
+of the mapping would later fail with a segmentation fault.
+
+Ensure an error is returned by the ashmem_mmap() function if the vma
+size is larger than the ashmem object size. This enables safer handling
+of the problem in userspace.
+
+Cc: Todd Kjos <tkjos@android.com>
+Cc: devel@driverdev.osuosl.org
+Cc: linux-kernel@vger.kernel.org
+Cc: kernel-team@android.com
+Cc: Joel Fernandes <joel@joelfernandes.org>
+Signed-off-by: Alistair Strachan <astrachan@google.com>
+Acked-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Reviewed-by: Martijn Coenen <maco@android.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/android/ashmem.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -383,6 +383,12 @@ static int ashmem_mmap(struct file *file
+ goto out;
+ }
+
++ /* requested mapping size larger than object size */
++ if (vma->vm_end - vma->vm_start > PAGE_ALIGN(asma->size)) {
++ ret = -EINVAL;
++ goto out;
++ }
++
+ /* requested protection bits must match our allowed protection mask */
+ if (unlikely((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask, 0)) &
+ calc_vm_prot_bits(PROT_MASK, 0))) {
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 2 Jul 2018 14:27:35 +0100
+Subject: staging: rts5208: fix missing error check on call to rtsx_write_register
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit c5fae4f4fd28189b1062fb8ef7b21fec37cb8b17 ]
+
+Currently the check on error return from the call to rtsx_write_register
+is checking the error status from the previous call. Fix this by adding
+in the missing assignment of retval.
+
+Detected by CoverityScan, CID#709877
+
+Fixes: fa590c222fba ("staging: rts5208: add support for rts5208 and rts5288")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rts5208/sd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rts5208/sd.c
++++ b/drivers/staging/rts5208/sd.c
+@@ -4976,7 +4976,7 @@ int sd_execute_write_data(struct scsi_cm
+ goto SD_Execute_Write_Cmd_Failed;
+ }
+
+- rtsx_write_register(chip, SD_BYTE_CNT_L, 0xFF, 0x00);
++ retval = rtsx_write_register(chip, SD_BYTE_CNT_L, 0xFF, 0x00);
+ if (retval != STATUS_SUCCESS) {
+ rtsx_trace(chip);
+ goto SD_Execute_Write_Cmd_Failed;
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+Date: Fri, 8 Jun 2018 23:58:15 -0700
+Subject: tsl2550: fix lux1_input error in low light
+
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+
+[ Upstream commit ce054546cc2c26891cefa2f284d90d93b52205de ]
+
+ADC channel 0 photodiode detects both infrared + visible light,
+but ADC channel 1 just detects infrared. However, the latter is a bit
+more sensitive in that range so complete darkness or low light causes
+a error condition in which the chan0 - chan1 is negative that
+results in a -EAGAIN.
+
+This patch changes the resulting lux1_input sysfs attribute message from
+"Resource temporarily unavailable" to a user-grokable lux value of 0.
+
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/tsl2550.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/tsl2550.c
++++ b/drivers/misc/tsl2550.c
+@@ -177,7 +177,7 @@ static int tsl2550_calculate_lux(u8 ch0,
+ } else
+ lux = 0;
+ else
+- return -EAGAIN;
++ return 0;
+
+ /* LUX range check */
+ return lux > TSL2550_MAX_LUX ? TSL2550_MAX_LUX : lux;
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 4 Jul 2018 17:02:18 +0200
+Subject: USB: serial: kobil_sct: fix modem-status error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit a420b5d939ee58f1d950f0ea782834056520aeaa ]
+
+Make sure to return -EIO in case of a short modem-status read request.
+
+While at it, split the debug message to not include the (zeroed)
+transfer-buffer content in case of errors.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/kobil_sct.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/kobil_sct.c
++++ b/drivers/usb/serial/kobil_sct.c
+@@ -408,12 +408,20 @@ static int kobil_tiocmget(struct tty_str
+ transfer_buffer_length,
+ KOBIL_TIMEOUT);
+
+- dev_dbg(&port->dev, "%s - Send get_status_line_state URB returns: %i. Statusline: %02x\n",
+- __func__, result, transfer_buffer[0]);
++ dev_dbg(&port->dev, "Send get_status_line_state URB returns: %i\n",
++ result);
++ if (result < 1) {
++ if (result >= 0)
++ result = -EIO;
++ goto out_free;
++ }
++
++ dev_dbg(&port->dev, "Statusline: %02x\n", transfer_buffer[0]);
+
+ result = 0;
+ if ((transfer_buffer[0] & SUSBCR_GSL_DSR) != 0)
+ result = TIOCM_DSR;
++out_free:
+ kfree(transfer_buffer);
+ return result;
+ }
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+Date: Sun, 1 Jul 2018 19:32:04 +0200
+Subject: usb: wusbcore: security: cast sizeof to int for comparison
+
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+
+[ Upstream commit d3ac5598c5010a8999978ebbcca3b1c6188ca36b ]
+
+Comparing an int to a size, which is unsigned, causes the int to become
+unsigned, giving the wrong result. usb_get_descriptor can return a
+negative error code.
+
+A simplified version of the semantic match that finds this problem is as
+follows: (http://coccinelle.lip6.fr/)
+
+// <smpl>
+@@
+int x;
+expression e,e1;
+identifier f;
+@@
+
+*x = f(...);
+... when != x = e1
+ when != if (x < 0 || ...) { ... return ...; }
+*x < sizeof(e)
+// </smpl>
+
+Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/wusbcore/security.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/wusbcore/security.c
++++ b/drivers/usb/wusbcore/security.c
+@@ -230,7 +230,7 @@ int wusb_dev_sec_add(struct wusbhc *wusb
+
+ result = usb_get_descriptor(usb_dev, USB_DT_SECURITY,
+ 0, secd, sizeof(*secd));
+- if (result < sizeof(*secd)) {
++ if (result < (int)sizeof(*secd)) {
+ dev_err(dev, "Can't read security descriptor or "
+ "not enough data: %d\n", result);
+ goto out;
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Fri, 6 Jul 2018 15:32:53 +0300
+Subject: uwb: hwa-rc: fix memory leak at probe
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+[ Upstream commit 11b71782c1d10d9bccc31825cf84291cd7588a1e ]
+
+hwarc_probe() allocates memory for hwarc, but does not free it
+if uwb_rc_add() or hwarc_get_version() fail.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uwb/hwa-rc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/uwb/hwa-rc.c
++++ b/drivers/uwb/hwa-rc.c
+@@ -873,6 +873,7 @@ error_get_version:
+ error_rc_add:
+ usb_put_intf(iface);
+ usb_put_dev(hwarc->usb_dev);
++ kfree(hwarc);
+ error_alloc:
+ uwb_rc_put(uwb_rc);
+ error_rc_alloc:
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:33:34 +0300
+Subject: vmci: type promotion bug in qp_host_get_user_memory()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 7fb2fd4e25fc1fb10dcb30b5519de257cfeae84c ]
+
+The problem is that if get_user_pages_fast() fails and returns a
+negative error code, it gets type promoted to a high positive value and
+treated as a success.
+
+Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/vmw_vmci/vmci_queue_pair.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
+@@ -755,7 +755,7 @@ static int qp_host_get_user_memory(u64 p
+ retval = get_user_pages_fast((uintptr_t) produce_uva,
+ produce_q->kernel_if->num_pages, 1,
+ produce_q->kernel_if->u.h.header_page);
+- if (retval < produce_q->kernel_if->num_pages) {
++ if (retval < (int)produce_q->kernel_if->num_pages) {
+ pr_debug("get_user_pages_fast(produce) failed (retval=%d)",
+ retval);
+ qp_release_pages(produce_q->kernel_if->u.h.header_page,
+@@ -767,7 +767,7 @@ static int qp_host_get_user_memory(u64 p
+ retval = get_user_pages_fast((uintptr_t) consume_uva,
+ consume_q->kernel_if->num_pages, 1,
+ consume_q->kernel_if->u.h.header_page);
+- if (retval < consume_q->kernel_if->num_pages) {
++ if (retval < (int)consume_q->kernel_if->num_pages) {
+ pr_debug("get_user_pages_fast(consume) failed (retval=%d)",
+ retval);
+ qp_release_pages(consume_q->kernel_if->u.h.header_page,
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Tony Lindgren <tony@atomide.com>
+Date: Tue, 19 Jun 2018 02:43:35 -0700
+Subject: wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 4ec7cece87b3ed21ffcd407c62fb2f151a366bc1 ]
+
+Otherwise we can get:
+
+WARNING: CPU: 0 PID: 55 at drivers/net/wireless/ti/wlcore/io.h:84
+
+I've only seen this few times with the runtime PM patches enabled
+so this one is probably not needed before that. This seems to
+work currently based on the current PM implementation timer. Let's
+apply this separately though in case others are hitting this issue.
+
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ti/wlcore/cmd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/ti/wlcore/cmd.c
++++ b/drivers/net/wireless/ti/wlcore/cmd.c
+@@ -35,6 +35,7 @@
+ #include "wl12xx_80211.h"
+ #include "cmd.h"
+ #include "event.h"
++#include "ps.h"
+ #include "tx.h"
+ #include "hw_ops.h"
+
+@@ -191,6 +192,10 @@ int wlcore_cmd_wait_for_event_or_timeout
+
+ timeout_time = jiffies + msecs_to_jiffies(WL1271_EVENT_TIMEOUT);
+
++ ret = wl1271_ps_elp_wakeup(wl);
++ if (ret < 0)
++ return ret;
++
+ do {
+ if (time_after(jiffies, timeout_time)) {
+ wl1271_debug(DEBUG_CMD, "timeout waiting for event %d",
+@@ -222,6 +227,7 @@ int wlcore_cmd_wait_for_event_or_timeout
+ } while (!event);
+
+ out:
++ wl1271_ps_elp_sleep(wl);
+ kfree(events_vector);
+ return ret;
+ }
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Jan Beulich <JBeulich@suse.com>
+Date: Mon, 2 Jul 2018 04:47:57 -0600
+Subject: x86/entry/64: Add two more instruction suffixes
+
+From: Jan Beulich <JBeulich@suse.com>
+
+[ Upstream commit 6709812f094d96543b443645c68daaa32d3d3e77 ]
+
+Sadly, other than claimed in:
+
+ a368d7fd2a ("x86/entry/64: Add instruction suffix")
+
+... there are two more instances which want to be adjusted.
+
+As said there, omitting suffixes from instructions in AT&T mode is bad
+practice when operand size cannot be determined by the assembler from
+register operands, and is likely going to be warned about by upstream
+gas in the future (mine does already).
+
+Add the other missing suffixes here as well.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/5B3A02DD02000078001CFB78@prv1-mh.provo.novell.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/entry/entry_64.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -91,7 +91,7 @@ ENDPROC(native_usergs_sysret64)
+ .endm
+
+ .macro TRACE_IRQS_IRETQ_DEBUG
+- bt $9, EFLAGS(%rsp) /* interrupts off? */
++ btl $9, EFLAGS(%rsp) /* interrupts off? */
+ jnc 1f
+ TRACE_IRQS_ON_DEBUG
+ 1:
+@@ -485,7 +485,7 @@ retint_kernel:
+ #ifdef CONFIG_PREEMPT
+ /* Interrupts are off */
+ /* Check if we need preemption */
+- bt $9, EFLAGS(%rsp) /* were interrupts off? */
++ btl $9, EFLAGS(%rsp) /* were interrupts off? */
+ jnc 1f
+ 0: cmpl $0, PER_CPU_VAR(__preempt_count)
+ jnz 1f
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Fri, 6 Jul 2018 09:08:01 -0700
+Subject: x86/numa_emulation: Fix emulated-to-physical node mapping
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+[ Upstream commit 3b6c62f363a19ce82bf378187ab97c9dc01e3927 ]
+
+Without this change the distance table calculation for emulated nodes
+may use the wrong numa node and report an incorrect distance.
+
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Wei Yang <richard.weiyang@gmail.com>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/153089328103.27680.14778434392225818887.stgit@dwillia2-desk3.amr.corp.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/numa_emulation.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/mm/numa_emulation.c
++++ b/arch/x86/mm/numa_emulation.c
+@@ -60,7 +60,7 @@ static int __init emu_setup_memblk(struc
+ eb->nid = nid;
+
+ if (emu_nid_to_phys[nid] == NUMA_NO_NODE)
+- emu_nid_to_phys[nid] = nid;
++ emu_nid_to_phys[nid] = pb->nid;
+
+ pb->start += size;
+ if (pb->start >= pb->end) {
--- /dev/null
+From foo@baz Sat Sep 29 04:29:21 PDT 2018
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Fri, 29 Jun 2018 22:31:10 +0300
+Subject: x86/tsc: Add missing header to tsc_msr.c
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit dbd0fbc76c77daac08ddd245afdcbade0d506e19 ]
+
+Add a missing header otherwise compiler warns about missed prototype:
+
+CC arch/x86/kernel/tsc_msr.o
+arch/x86/kernel/tsc_msr.c:73:15: warning: no previous prototype for ‘cpu_khz_from_msr’ [-Wmissing-prototypes]
+ unsigned long cpu_khz_from_msr(void)
+ ^~~~~~~~~~~~~~~~
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Pavel Tatashin <pasha.tatashin@oracle.com>
+Link: https://lkml.kernel.org/r/20180629193113.84425-4-andriy.shevchenko@linux.intel.com
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/tsc_msr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/tsc_msr.c
++++ b/arch/x86/kernel/tsc_msr.c
+@@ -12,6 +12,7 @@
+ #include <asm/setup.h>
+ #include <asm/apic.h>
+ #include <asm/param.h>
++#include <asm/tsc.h>
+
+ #define MAX_NUM_FREQS 9
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
