4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 12 Dec 2017 10:11:11 +0000 (11:11 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 12 Dec 2017 10:11:11 +0000 (11:11 +0100)
added patches:
afs-connect-up-the-cb.probeuuid.patch
afs-fix-total-length-calculation-for-multiple-page-send.patch
apparmor-fix-leak-of-null-profile-name-if-profile-allocation-fails.patch
atm-horizon-fix-irq-release-error.patch
audit-allow-auditd-to-set-pid-to-0-to-end-auditing.patch
audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch
blk-mq-avoid-that-request-queue-removal-can-trigger-list-corruption.patch
block-wake-up-all-tasks-blocked-in-get_request.patch
bnxt_re-changing-the-ip-address-shouldn-t-affect-new-connections.patch
bpf-fix-lockdep-splat.patch
clk-hi3660-fix-incorrect-uart3-clock-freqency.patch
clk-qcom-common-fix-legacy-board-clock-registration.patch
clk-stm32h7-fix-test-of-clock-config.patch
clk-sunxi-ng-a83t-fix-i2c-buses-bits.patch
clk-uniphier-fix-dapll2-clock-rate-of-pro5.patch
coccinelle-fix-parallel-build-with-check-scripts-coccicheck.patch
dm-raid-fix-panic-when-attempting-to-force-a-raid-to-sync.patch
drivers-rapidio-devices-rio_mport_cdev.c-fix-resource-leak-in-error-handling-path-in-rio_dma_transfer.patch
dt-bindings-usb-fix-reg-property-port-number-range.patch
dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch
f2fs-fix-to-clear-fi_no_prealloc.patch
fcntl-don-t-leak-fd-reference-when-fixup_compat_flock-fails.patch
geneve-fix-fill_info-when-link-down.patch
gre6-use-log_ecn_error-module-parameter-in-ip6_tnl_rcv.patch
ib-mlx4-increase-maximal-message-size-under-ud-qp.patch
ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch
ide-ide-atapi-fix-compile-error-with-defining-macro-debug.patch
ipvlan-fix-ipv6-outbound-device.patch
irqchip-qcom-fix-u32-comparison-with-value-less-than-zero.patch
jump_label-invoke-jump_label_test-via-early_initcall.patch
kbuild-do-not-call-cc-option-before-kbuild_cflags-initialization.patch
kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch
kbuild-rpm-pkg-fix-jobserver-unavailable-warning.patch
lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch
mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch
mailbox-mailbox-test-don-t-rely-on-rx_buffer-content-to-signal-data-ready.patch
md-free-unused-memory-after-bitmap-resize.patch
net-smc-use-sk_rcvbuf-as-start-for-rmb-creation.patch
nfp-fix-flower-offload-metadata-flag-usage.patch
nfp-inherit-the-max_mtu-from-the-pf-netdev.patch
nfs-fix-a-typo-in-nfs_rename.patch
nvmet-rdma-update-queue-list-during-ib_device-removal.patch
pipe-match-pipe_max_size-data-type-with-procfs.patch
powerpc-perf-fix-pmu_count-to-count-only-nest-imc-pmus.patch
powerpc-powernv-idle-round-up-latency-and-residency-values.patch
rdma-cxgb4-annotate-r2-and-stag-as-__be32.patch
route-also-update-fnhe_genid-when-updating-a-route-cache.patch
route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch
rsi-fix-memory-leak-on-buf-and-usb_reg_buf.patch
sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch
sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch
slub-fix-sysfs-duplicate-filename-creation-when-slub_debug-o.patch
sparc64-mm-set-fields-in-deferred-pages.patch
sunrpc-fix-rpc_task_begin-trace-point.patch
tls-use-kzalloc-for-aead_request-allocation.patch
x86-intel_rdt-fix-potential-deadlock-during-resctrl-unmount.patch
x86-mpx-selftests-fix-up-weird-arrays.patch
xfrm-copy-policy-family-in-clone_policy.patch
xfs-fix-forgotten-rcu-read-unlock-when-skipping-inode-reclaim.patch
zsmalloc-calling-zs_map_object-from-irq-is-a-bug.patch

61 files changed:
queue-4.14/afs-connect-up-the-cb.probeuuid.patch [new file with mode: 0644]
queue-4.14/afs-fix-total-length-calculation-for-multiple-page-send.patch [new file with mode: 0644]
queue-4.14/apparmor-fix-leak-of-null-profile-name-if-profile-allocation-fails.patch [new file with mode: 0644]
queue-4.14/atm-horizon-fix-irq-release-error.patch [new file with mode: 0644]
queue-4.14/audit-allow-auditd-to-set-pid-to-0-to-end-auditing.patch [new file with mode: 0644]
queue-4.14/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch [new file with mode: 0644]
queue-4.14/blk-mq-avoid-that-request-queue-removal-can-trigger-list-corruption.patch [new file with mode: 0644]
queue-4.14/block-wake-up-all-tasks-blocked-in-get_request.patch [new file with mode: 0644]
queue-4.14/bnxt_re-changing-the-ip-address-shouldn-t-affect-new-connections.patch [new file with mode: 0644]
queue-4.14/bpf-fix-lockdep-splat.patch [new file with mode: 0644]
queue-4.14/clk-hi3660-fix-incorrect-uart3-clock-freqency.patch [new file with mode: 0644]
queue-4.14/clk-qcom-common-fix-legacy-board-clock-registration.patch [new file with mode: 0644]
queue-4.14/clk-stm32h7-fix-test-of-clock-config.patch [new file with mode: 0644]
queue-4.14/clk-sunxi-ng-a83t-fix-i2c-buses-bits.patch [new file with mode: 0644]
queue-4.14/clk-uniphier-fix-dapll2-clock-rate-of-pro5.patch [new file with mode: 0644]
queue-4.14/coccinelle-fix-parallel-build-with-check-scripts-coccicheck.patch [new file with mode: 0644]
queue-4.14/dm-raid-fix-panic-when-attempting-to-force-a-raid-to-sync.patch [new file with mode: 0644]
queue-4.14/drivers-rapidio-devices-rio_mport_cdev.c-fix-resource-leak-in-error-handling-path-in-rio_dma_transfer.patch [new file with mode: 0644]
queue-4.14/dt-bindings-usb-fix-reg-property-port-number-range.patch [new file with mode: 0644]
queue-4.14/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch [new file with mode: 0644]
queue-4.14/f2fs-fix-to-clear-fi_no_prealloc.patch [new file with mode: 0644]
queue-4.14/fcntl-don-t-leak-fd-reference-when-fixup_compat_flock-fails.patch [new file with mode: 0644]
queue-4.14/geneve-fix-fill_info-when-link-down.patch [new file with mode: 0644]
queue-4.14/gre6-use-log_ecn_error-module-parameter-in-ip6_tnl_rcv.patch [new file with mode: 0644]
queue-4.14/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch [new file with mode: 0644]
queue-4.14/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch [new file with mode: 0644]
queue-4.14/ide-ide-atapi-fix-compile-error-with-defining-macro-debug.patch [new file with mode: 0644]
queue-4.14/ipvlan-fix-ipv6-outbound-device.patch [new file with mode: 0644]
queue-4.14/irqchip-qcom-fix-u32-comparison-with-value-less-than-zero.patch [new file with mode: 0644]
queue-4.14/jump_label-invoke-jump_label_test-via-early_initcall.patch [new file with mode: 0644]
queue-4.14/kbuild-do-not-call-cc-option-before-kbuild_cflags-initialization.patch [new file with mode: 0644]
queue-4.14/kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch [new file with mode: 0644]
queue-4.14/kbuild-rpm-pkg-fix-jobserver-unavailable-warning.patch [new file with mode: 0644]
queue-4.14/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch [new file with mode: 0644]
queue-4.14/mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch [new file with mode: 0644]
queue-4.14/mailbox-mailbox-test-don-t-rely-on-rx_buffer-content-to-signal-data-ready.patch [new file with mode: 0644]
queue-4.14/md-free-unused-memory-after-bitmap-resize.patch [new file with mode: 0644]
queue-4.14/net-smc-use-sk_rcvbuf-as-start-for-rmb-creation.patch [new file with mode: 0644]
queue-4.14/nfp-fix-flower-offload-metadata-flag-usage.patch [new file with mode: 0644]
queue-4.14/nfp-inherit-the-max_mtu-from-the-pf-netdev.patch [new file with mode: 0644]
queue-4.14/nfs-fix-a-typo-in-nfs_rename.patch [new file with mode: 0644]
queue-4.14/nvmet-rdma-update-queue-list-during-ib_device-removal.patch [new file with mode: 0644]
queue-4.14/pipe-match-pipe_max_size-data-type-with-procfs.patch [new file with mode: 0644]
queue-4.14/powerpc-perf-fix-pmu_count-to-count-only-nest-imc-pmus.patch [new file with mode: 0644]
queue-4.14/powerpc-powernv-idle-round-up-latency-and-residency-values.patch [new file with mode: 0644]
queue-4.14/rdma-cxgb4-annotate-r2-and-stag-as-__be32.patch [new file with mode: 0644]
queue-4.14/route-also-update-fnhe_genid-when-updating-a-route-cache.patch [new file with mode: 0644]
queue-4.14/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch [new file with mode: 0644]
queue-4.14/rsi-fix-memory-leak-on-buf-and-usb_reg_buf.patch [new file with mode: 0644]
queue-4.14/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch [new file with mode: 0644]
queue-4.14/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/slub-fix-sysfs-duplicate-filename-creation-when-slub_debug-o.patch [new file with mode: 0644]
queue-4.14/sparc64-mm-set-fields-in-deferred-pages.patch [new file with mode: 0644]
queue-4.14/sunrpc-fix-rpc_task_begin-trace-point.patch [new file with mode: 0644]
queue-4.14/tls-use-kzalloc-for-aead_request-allocation.patch [new file with mode: 0644]
queue-4.14/x86-intel_rdt-fix-potential-deadlock-during-resctrl-unmount.patch [new file with mode: 0644]
queue-4.14/x86-mpx-selftests-fix-up-weird-arrays.patch [new file with mode: 0644]
queue-4.14/xfrm-copy-policy-family-in-clone_policy.patch [new file with mode: 0644]
queue-4.14/xfs-fix-forgotten-rcu-read-unlock-when-skipping-inode-reclaim.patch [new file with mode: 0644]
queue-4.14/zsmalloc-calling-zs_map_object-from-irq-is-a-bug.patch [new file with mode: 0644]

diff --git a/queue-4.14/afs-connect-up-the-cb.probeuuid.patch b/queue-4.14/afs-connect-up-the-cb.probeuuid.patch
new file mode 100644 (file)
index 0000000..26edf44
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 2 Nov 2017 15:27:48 +0000
+Subject: afs: Connect up the CB.ProbeUuid
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit f4b3526d83c40dd8bf5948b9d7a1b2c340f0dcc8 ]
+
+The handler for the CB.ProbeUuid operation in the cache manager is
+implemented, but isn't listed in the switch-statement of operation
+selection, so won't be used.  Fix this by adding it.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/cmservice.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/afs/cmservice.c
++++ b/fs/afs/cmservice.c
+@@ -127,6 +127,9 @@ bool afs_cm_incoming_call(struct afs_cal
+       case CBProbe:
+               call->type = &afs_SRXCBProbe;
+               return true;
++      case CBProbeUuid:
++              call->type = &afs_SRXCBProbeUuid;
++              return true;
+       case CBTellMeAboutYourself:
+               call->type = &afs_SRXCBTellMeAboutYourself;
+               return true;
diff --git a/queue-4.14/afs-fix-total-length-calculation-for-multiple-page-send.patch b/queue-4.14/afs-fix-total-length-calculation-for-multiple-page-send.patch
new file mode 100644 (file)
index 0000000..3dff73b
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 2 Nov 2017 15:27:51 +0000
+Subject: afs: Fix total-length calculation for multiple-page send
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 1199db603511d7463d9d3840f96f61967affc766 ]
+
+Fix the total-length calculation in afs_make_call() when the operation
+being dispatched has data from a series of pages attached.
+
+Despite the patched code looking like that it should reduce mathematically
+to the current code, it doesn't because the 32-bit unsigned arithmetic
+being used to calculate the page-offset-difference doesn't correctly extend
+to a 64-bit value when the result is effectively negative.
+
+Without this, some FS.StoreData operations that span multiple pages fail,
+reporting too little or too much data.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/rxrpc.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/fs/afs/rxrpc.c
++++ b/fs/afs/rxrpc.c
+@@ -377,8 +377,17 @@ int afs_make_call(struct in_addr *addr,
+        */
+       tx_total_len = call->request_size;
+       if (call->send_pages) {
+-              tx_total_len += call->last_to - call->first_offset;
+-              tx_total_len += (call->last - call->first) * PAGE_SIZE;
++              if (call->last == call->first) {
++                      tx_total_len += call->last_to - call->first_offset;
++              } else {
++                      /* It looks mathematically like you should be able to
++                       * combine the following lines with the ones above, but
++                       * unsigned arithmetic is fun when it wraps...
++                       */
++                      tx_total_len += PAGE_SIZE - call->first_offset;
++                      tx_total_len += call->last_to;
++                      tx_total_len += (call->last - call->first - 1) * PAGE_SIZE;
++              }
+       }
+       /* create a call */
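Review bot: The comment added in the else-branch says only that unsigned arithmetic "is fun when it wraps", without naming which subtraction wraps or when. Going by the commit message, it is `call->last_to - call->first_offset`, which is evaluated in 32 bits and comes out effectively negative when the tail offset on the last page is smaller than the head offset on the first page. Saying so in the comment would keep a later cleanup from folding the two branches back together. The same-page branch still relies on `last_to >= first_offset` and the multi-page branch on `call->last > call->first`; neither is checked in the visible lines, so an assertion may be worth adding if the callers do not already guarantee them. afs_make_call() starts and ends outside this hunk.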
diff --git a/queue-4.14/apparmor-fix-leak-of-null-profile-name-if-profile-allocation-fails.patch b/queue-4.14/apparmor-fix-leak-of-null-profile-name-if-profile-allocation-fails.patch
new file mode 100644 (file)
index 0000000..6793b29
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 15 Nov 2017 15:25:30 -0800
+Subject: apparmor: fix leak of null profile name if profile allocation fails
+
+From: John Johansen <john.johansen@canonical.com>
+
+
+[ Upstream commit 4633307e5ed6128975595df43f796a10c41d11c1 ]
+
+Fixes: d07881d2edb0 ("apparmor: move new_null_profile to after profile lookup fns()")
+Reported-by: Seth Arnold <seth.arnold@canonical.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/policy.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -502,7 +502,7 @@ struct aa_profile *aa_new_null_profile(s
+ {
+       struct aa_profile *p, *profile;
+       const char *bname;
+-      char *name;
++      char *name = NULL;
+       AA_BUG(!parent);
+@@ -562,6 +562,7 @@ out:
+       return profile;
+ fail:
++      kfree(name);
+       aa_free_profile(profile);
+       return NULL;
+ }
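Review bot: The `kfree(name)` added under `fail:` is correct only if this function still owns `name` on every path that jumps there, and the lines between the two inner hunks that would show this are not in the patch context. If the profile allocation in between copies the string rather than keeping the pointer, the change is right as it stands. A short comment at the label, for example `/* name is never handed over to the profile, so it is freed here as well */`, would record that assumption once it is confirmed against the full function. The `= NULL` initialiser presumably exists so that the new kfree() is harmless on any path that reaches `fail` before `name` is assigned. The commit body carries no explanation beyond the Fixes tag, so this reasoning is not written down anywhere.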
diff --git a/queue-4.14/atm-horizon-fix-irq-release-error.patch b/queue-4.14/atm-horizon-fix-irq-release-error.patch
new file mode 100644 (file)
index 0000000..54d7854
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Tue, 14 Nov 2017 13:42:38 +0530
+Subject: atm: horizon: Fix irq release error
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+
+[ Upstream commit bde533f2ea607cbbbe76ef8738b36243939a7bc2 ]
+
+atm_dev_register() can fail here and passed parameters to free irq
+which is not initialised. Initialization of 'dev->irq' happened after
+the 'goto out_free_irq'. So using 'irq' insted of 'dev->irq' in
+free_irq().
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/atm/horizon.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/atm/horizon.c
++++ b/drivers/atm/horizon.c
+@@ -2803,7 +2803,7 @@ out:
+       return err;
+ out_free_irq:
+-      free_irq(dev->irq, dev);
++      free_irq(irq, dev);
+ out_free:
+       kfree(dev);
+ out_release:
diff --git a/queue-4.14/audit-allow-auditd-to-set-pid-to-0-to-end-auditing.patch b/queue-4.14/audit-allow-auditd-to-set-pid-to-0-to-end-auditing.patch
new file mode 100644 (file)
index 0000000..704fd26
--- /dev/null
@@ -0,0 +1,68 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 17 Oct 2017 18:29:22 -0400
+Subject: audit: Allow auditd to set pid to 0 to end auditing
+
+From: Steve Grubb <sgrubb@redhat.com>
+
+
+[ Upstream commit 33e8a907804428109ce1d12301c3365d619cc4df ]
+
+The API to end auditing has historically been for auditd to set the
+pid to 0. This patch restores that functionality.
+
+See: https://github.com/linux-audit/audit-kernel/issues/69
+
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Steve Grubb <sgrubb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/audit.c |   29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1197,25 +1197,28 @@ static int audit_receive_msg(struct sk_b
+                       pid_t auditd_pid;
+                       struct pid *req_pid = task_tgid(current);
+-                      /* sanity check - PID values must match */
+-                      if (new_pid != pid_vnr(req_pid))
++                      /* Sanity check - PID values must match. Setting
++                       * pid to 0 is how auditd ends auditing. */
++                      if (new_pid && (new_pid != pid_vnr(req_pid)))
+                               return -EINVAL;
+                       /* test the auditd connection */
+                       audit_replace(req_pid);
+                       auditd_pid = auditd_pid_vnr();
+-                      /* only the current auditd can unregister itself */
+-                      if ((!new_pid) && (new_pid != auditd_pid)) {
+-                              audit_log_config_change("audit_pid", new_pid,
+-                                                      auditd_pid, 0);
+-                              return -EACCES;
+-                      }
+-                      /* replacing a healthy auditd is not allowed */
+-                      if (auditd_pid && new_pid) {
+-                              audit_log_config_change("audit_pid", new_pid,
+-                                                      auditd_pid, 0);
+-                              return -EEXIST;
++                      if (auditd_pid) {
++                              /* replacing a healthy auditd is not allowed */
++                              if (new_pid) {
++                                      audit_log_config_change("audit_pid",
++                                                      new_pid, auditd_pid, 0);
++                                      return -EEXIST;
++                              }
++                              /* only current auditd can unregister itself */
++                              if (pid_vnr(req_pid) != auditd_pid) {
++                                      audit_log_config_change("audit_pid",
++                                                      new_pid, auditd_pid, 0);
++                                      return -EACCES;
++                              }
+                       }
+                       if (new_pid) {
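Review bot: The access-control rule for unregistering auditd now depends on statement order inside `if (auditd_pid)`, and the comments do not say so. A non-zero `new_pid` returns -EEXIST first, so the `pid_vnr(req_pid) != auditd_pid` check that returns -EACCES is reached only when `new_pid` is 0. A comment such as `/* new_pid == 0 from here on: an unregister request, honoured only when it comes from the registered auditd */` would make that explicit. When no auditd is registered (`auditd_pid == 0`) and `new_pid` is 0, the block is skipped and the request falls through to code below the hunk; a sentence on the intended outcome of that case would help, since it cannot be read off the visible lines. audit_receive_msg() starts and ends outside this hunk.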
diff --git a/queue-4.14/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch b/queue-4.14/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch
new file mode 100644 (file)
index 0000000..4b65153
--- /dev/null
@@ -0,0 +1,64 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Paul Moore <paul@paul-moore.com>
+Date: Fri, 1 Sep 2017 09:44:34 -0400
+Subject: audit: ensure that 'audit=1' actually enables audit for PID 1
+
+From: Paul Moore <paul@paul-moore.com>
+
+
+[ Upstream commit 173743dd99a49c956b124a74c8aacb0384739a4c ]
+
+Prior to this patch we enabled audit in audit_init(), which is too
+late for PID 1 as the standard initcalls are run after the PID 1 task
+is forked.  This means that we never allocate an audit_context (see
+audit_alloc()) for PID 1 and therefore miss a lot of audit events
+generated by PID 1.
+
+This patch enables audit as early as possible to help ensure that when
+PID 1 is forked it can allocate an audit_context if required.
+
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/audit.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -85,13 +85,13 @@ static int audit_initialized;
+ #define AUDIT_OFF     0
+ #define AUDIT_ON      1
+ #define AUDIT_LOCKED  2
+-u32           audit_enabled;
+-u32           audit_ever_enabled;
++u32           audit_enabled = AUDIT_OFF;
++u32           audit_ever_enabled = !!AUDIT_OFF;
+ EXPORT_SYMBOL_GPL(audit_enabled);
+ /* Default state when kernel boots without any parameters. */
+-static u32    audit_default;
++static u32    audit_default = AUDIT_OFF;
+ /* If auditing cannot proceed, audit_failure selects what happens. */
+ static u32    audit_failure = AUDIT_FAIL_PRINTK;
+@@ -1552,8 +1552,6 @@ static int __init audit_init(void)
+       register_pernet_subsys(&audit_net_ops);
+       audit_initialized = AUDIT_INITIALIZED;
+-      audit_enabled = audit_default;
+-      audit_ever_enabled |= !!audit_default;
+       kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
+       if (IS_ERR(kauditd_task)) {
+@@ -1575,6 +1573,8 @@ static int __init audit_enable(char *str
+       audit_default = !!simple_strtol(str, NULL, 0);
+       if (!audit_default)
+               audit_initialized = AUDIT_DISABLED;
++      audit_enabled = audit_default;
++      audit_ever_enabled = !!audit_enabled;
+       pr_info("%s\n", audit_default ?
+               "enabled (after initialization)" : "disabled (until reboot)");
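Review bot: The boot message at the end of audit_enable() still reads "enabled (after initialization)", but the two added assignments set `audit_enabled` as soon as the parameter is parsed, so the wording no longer matches the behaviour. If nothing parses that string, `"enabled" : "disabled (until reboot)"` would be accurate; otherwise a comment beside the pr_info() should say the text is kept for compatibility. A smaller style point: `u32 audit_ever_enabled = !!AUDIT_OFF;` is an indirect way to write a zero initialiser, and a plain `= 0` or a short comment saying the flag starts clear would be easier to read. audit_enable() and audit_init() both extend beyond the lines shown.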
diff --git a/queue-4.14/blk-mq-avoid-that-request-queue-removal-can-trigger-list-corruption.patch b/queue-4.14/blk-mq-avoid-that-request-queue-removal-can-trigger-list-corruption.patch
new file mode 100644 (file)
index 0000000..a44b2f4
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Wed, 8 Nov 2017 10:23:45 -0800
+Subject: blk-mq: Avoid that request queue removal can trigger list corruption
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+
+[ Upstream commit aba7afc5671c23beade64d10caf86e24a9105dab ]
+
+Avoid that removal of a request queue sporadically triggers the
+following warning:
+
+list_del corruption. next->prev should be ffff8807d649b970, but was 6b6b6b6b6b6b6b6b
+WARNING: CPU: 3 PID: 342 at lib/list_debug.c:56 __list_del_entry_valid+0x92/0xa0
+Call Trace:
+ process_one_work+0x11b/0x660
+ worker_thread+0x3d/0x3b0
+ kthread+0x129/0x140
+ ret_from_fork+0x27/0x40
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-core.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -339,6 +339,7 @@ void blk_sync_queue(struct request_queue
+               struct blk_mq_hw_ctx *hctx;
+               int i;
++              cancel_delayed_work_sync(&q->requeue_work);
+               queue_for_each_hw_ctx(q, hctx, i)
+                       cancel_delayed_work_sync(&hctx->run_work);
+       } else {
diff --git a/queue-4.14/block-wake-up-all-tasks-blocked-in-get_request.patch b/queue-4.14/block-wake-up-all-tasks-blocked-in-get_request.patch
new file mode 100644 (file)
index 0000000..4cedc5d
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Ming Lei <ming.lei@redhat.com>
+Date: Thu, 16 Nov 2017 08:08:44 +0800
+Subject: block: wake up all tasks blocked in get_request()
+
+From: Ming Lei <ming.lei@redhat.com>
+
+
+[ Upstream commit 34d9715ac1edd50285168dd8d80c972739a4f6a4 ]
+
+Once blk_set_queue_dying() is done in blk_cleanup_queue(), we call
+blk_freeze_queue() and wait for q->q_usage_counter becoming zero. But
+if there are tasks blocked in get_request(), q->q_usage_counter can
+never become zero. So we have to wake up all these tasks in
+blk_set_queue_dying() first.
+
+Fixes: 3ef28e83ab157997 ("block: generic request_queue reference counting")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-core.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -605,8 +605,8 @@ void blk_set_queue_dying(struct request_
+               spin_lock_irq(q->queue_lock);
+               blk_queue_for_each_rl(rl, q) {
+                       if (rl->rq_pool) {
+-                              wake_up(&rl->wait[BLK_RW_SYNC]);
+-                              wake_up(&rl->wait[BLK_RW_ASYNC]);
++                              wake_up_all(&rl->wait[BLK_RW_SYNC]);
++                              wake_up_all(&rl->wait[BLK_RW_ASYNC]);
+                       }
+               }
+               spin_unlock_irq(q->queue_lock);
diff --git a/queue-4.14/bnxt_re-changing-the-ip-address-shouldn-t-affect-new-connections.patch b/queue-4.14/bnxt_re-changing-the-ip-address-shouldn-t-affect-new-connections.patch
new file mode 100644 (file)
index 0000000..013ecf4
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
+Date: Fri, 3 Nov 2017 02:39:04 +0530
+Subject: bnxt_re: changing the ip address shouldn't affect new connections
+
+From: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
+
+
+[ Upstream commit 063fb5bd1a01937094f40169a20e4aa5ca030db1 ]
+
+While adding a new gid, the driver currently does not return the context
+back to the stack. A subsequent del_gid() (e.g, when ip address is changed)
+doesn't find the right context in the driver and it ends up dropping that
+request. This results in the HW caching a stale gid entry and traffic fails
+because of that. Fix by returning the proper context in bnxt_re_add_gid().
+
+Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -394,6 +394,7 @@ int bnxt_re_add_gid(struct ib_device *ib
+       ctx->idx = tbl_idx;
+       ctx->refcnt = 1;
+       ctx_tbl[tbl_idx] = ctx;
++      *context = ctx;
+       return rc;
+ }
diff --git a/queue-4.14/bpf-fix-lockdep-splat.patch b/queue-4.14/bpf-fix-lockdep-splat.patch
new file mode 100644 (file)
index 0000000..93c4f4c
--- /dev/null
@@ -0,0 +1,128 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 14 Nov 2017 17:15:50 -0800
+Subject: bpf: fix lockdep splat
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 89ad2fa3f043a1e8daae193bcb5fe34d5f8caf28 ]
+
+pcpu_freelist_pop() needs the same lockdep awareness than
+pcpu_freelist_populate() to avoid a false positive.
+
+ [ INFO: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected ]
+
+ switchto-defaul/12508 [HC0[0]:SC0[6]:HE0:SE0] is trying to acquire:
+  (&htab->buckets[i].lock){......}, at: [<ffffffff9dc099cb>] __htab_percpu_map_update_elem+0x1cb/0x300
+
+ and this task is already holding:
+  (dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2){+.-...}, at: [<ffffffff9e135848>] __dev_queue_xmit+0
+x868/0x1240
+ which would create a new lock dependency:
+  (dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2){+.-...} -> (&htab->buckets[i].lock){......}
+
+ but this new dependency connects a SOFTIRQ-irq-safe lock:
+  (dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2){+.-...}
+ ... which became SOFTIRQ-irq-safe at:
+   [<ffffffff9db5931b>] __lock_acquire+0x42b/0x1f10
+   [<ffffffff9db5b32c>] lock_acquire+0xbc/0x1b0
+   [<ffffffff9da05e38>] _raw_spin_lock+0x38/0x50
+   [<ffffffff9e135848>] __dev_queue_xmit+0x868/0x1240
+   [<ffffffff9e136240>] dev_queue_xmit+0x10/0x20
+   [<ffffffff9e1965d9>] ip_finish_output2+0x439/0x590
+   [<ffffffff9e197410>] ip_finish_output+0x150/0x2f0
+   [<ffffffff9e19886d>] ip_output+0x7d/0x260
+   [<ffffffff9e19789e>] ip_local_out+0x5e/0xe0
+   [<ffffffff9e197b25>] ip_queue_xmit+0x205/0x620
+   [<ffffffff9e1b8398>] tcp_transmit_skb+0x5a8/0xcb0
+   [<ffffffff9e1ba152>] tcp_write_xmit+0x242/0x1070
+   [<ffffffff9e1baffc>] __tcp_push_pending_frames+0x3c/0xf0
+   [<ffffffff9e1b3472>] tcp_rcv_established+0x312/0x700
+   [<ffffffff9e1c1acc>] tcp_v4_do_rcv+0x11c/0x200
+   [<ffffffff9e1c3dc2>] tcp_v4_rcv+0xaa2/0xc30
+   [<ffffffff9e191107>] ip_local_deliver_finish+0xa7/0x240
+   [<ffffffff9e191a36>] ip_local_deliver+0x66/0x200
+   [<ffffffff9e19137d>] ip_rcv_finish+0xdd/0x560
+   [<ffffffff9e191e65>] ip_rcv+0x295/0x510
+   [<ffffffff9e12ff88>] __netif_receive_skb_core+0x988/0x1020
+   [<ffffffff9e130641>] __netif_receive_skb+0x21/0x70
+   [<ffffffff9e1306ff>] process_backlog+0x6f/0x230
+   [<ffffffff9e132129>] net_rx_action+0x229/0x420
+   [<ffffffff9da07ee8>] __do_softirq+0xd8/0x43d
+   [<ffffffff9e282bcc>] do_softirq_own_stack+0x1c/0x30
+   [<ffffffff9dafc2f5>] do_softirq+0x55/0x60
+   [<ffffffff9dafc3a8>] __local_bh_enable_ip+0xa8/0xb0
+   [<ffffffff9db4c727>] cpu_startup_entry+0x1c7/0x500
+   [<ffffffff9daab333>] start_secondary+0x113/0x140
+
+ to a SOFTIRQ-irq-unsafe lock:
+  (&head->lock){+.+...}
+ ... which became SOFTIRQ-irq-unsafe at:
+ ...  [<ffffffff9db5971f>] __lock_acquire+0x82f/0x1f10
+   [<ffffffff9db5b32c>] lock_acquire+0xbc/0x1b0
+   [<ffffffff9da05e38>] _raw_spin_lock+0x38/0x50
+   [<ffffffff9dc0b7fa>] pcpu_freelist_pop+0x7a/0xb0
+   [<ffffffff9dc08b2c>] htab_map_alloc+0x50c/0x5f0
+   [<ffffffff9dc00dc5>] SyS_bpf+0x265/0x1200
+   [<ffffffff9e28195f>] entry_SYSCALL_64_fastpath+0x12/0x17
+
+ other info that might help us debug this:
+
+ Chain exists of:
+   dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2 --> &htab->buckets[i].lock --> &head->lock
+
+  Possible interrupt unsafe locking scenario:
+
+        CPU0                    CPU1
+        ----                    ----
+   lock(&head->lock);
+                                local_irq_disable();
+                                lock(dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2);
+                                lock(&htab->buckets[i].lock);
+   <Interrupt>
+     lock(dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2);
+
+  *** DEADLOCK ***
+
+Fixes: e19494edab82 ("bpf: introduce percpu_freelist")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/percpu_freelist.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/kernel/bpf/percpu_freelist.c
++++ b/kernel/bpf/percpu_freelist.c
+@@ -78,8 +78,10 @@ struct pcpu_freelist_node *pcpu_freelist
+ {
+       struct pcpu_freelist_head *head;
+       struct pcpu_freelist_node *node;
++      unsigned long flags;
+       int orig_cpu, cpu;
++      local_irq_save(flags);
+       orig_cpu = cpu = raw_smp_processor_id();
+       while (1) {
+               head = per_cpu_ptr(s->freelist, cpu);
+@@ -87,14 +89,16 @@ struct pcpu_freelist_node *pcpu_freelist
+               node = head->first;
+               if (node) {
+                       head->first = node->next;
+-                      raw_spin_unlock(&head->lock);
++                      raw_spin_unlock_irqrestore(&head->lock, flags);
+                       return node;
+               }
+               raw_spin_unlock(&head->lock);
+               cpu = cpumask_next(cpu, cpu_possible_mask);
+               if (cpu >= nr_cpu_ids)
+                       cpu = 0;
+-              if (cpu == orig_cpu)
++              if (cpu == orig_cpu) {
++                      local_irq_restore(flags);
+                       return NULL;
++              }
+       }
+ }
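Review bot: Interrupts now stay disabled for the whole scan in pcpu_freelist_pop(): `local_irq_save(flags)` is taken before the loop and restored only on the two return paths. In the worst case, where every list is empty, that is one lock/unlock per possible CPU with IRQs off, which may matter on machines with many CPUs and should at least be documented as a deliberate trade-off. The release side also mixes forms: plain `raw_spin_unlock` on a miss, `raw_spin_unlock_irqrestore` on a hit, and `local_irq_restore` when the scan wraps round. The visible lines look balanced, but a new early return could easily leave IRQs disabled. A comment above the save, such as `/* IRQs stay off across the whole scan; every return path must restore flags */`, would guard against that. The matching `raw_spin_lock` call falls between the two inner hunks and is not shown.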
diff --git a/queue-4.14/clk-hi3660-fix-incorrect-uart3-clock-freqency.patch b/queue-4.14/clk-hi3660-fix-incorrect-uart3-clock-freqency.patch
new file mode 100644 (file)
index 0000000..a893051
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Zhong Kaihua <zhongkaihua@huawei.com>
+Date: Mon, 7 Aug 2017 22:51:56 +0800
+Subject: clk: hi3660: fix incorrect uart3 clock freqency
+
+From: Zhong Kaihua <zhongkaihua@huawei.com>
+
+
+[ Upstream commit d33fb1b9f0fcb67f2b9f8b1891465a088a9480f8 ]
+
+UART3 clock rate is doubled in previous commit.
+
+This error is not detected until recently a mezzanine board which makes
+real use of uart3 port (through LS connector of 96boards) was setup
+and tested on hi3660-hikey960 board.
+
+This patch changes clock source rate of clk_factor_uart3 to 100000000.
+
+Signed-off-by: Zhong Kaihua <zhongkaihua@huawei.com>
+Signed-off-by: Guodong Xu <guodong.xu@linaro.org>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/hisilicon/clk-hi3660.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/hisilicon/clk-hi3660.c
++++ b/drivers/clk/hisilicon/clk-hi3660.c
+@@ -34,7 +34,7 @@ static const struct hisi_fixed_rate_cloc
+ /* crgctrl */
+ static const struct hisi_fixed_factor_clock hi3660_crg_fixed_factor_clks[] = {
+-      { HI3660_FACTOR_UART3, "clk_factor_uart3", "iomcu_peri0", 1, 8, 0, },
++      { HI3660_FACTOR_UART3, "clk_factor_uart3", "iomcu_peri0", 1, 16, 0, },
+       { HI3660_CLK_FACTOR_MMC, "clk_factor_mmc", "clkin_sys", 1, 6, 0, },
+       { HI3660_CLK_GATE_I2C0, "clk_gate_i2c0", "clk_i2c0_iomcu", 1, 4, 0, },
+       { HI3660_CLK_GATE_I2C1, "clk_gate_i2c1", "clk_i2c1_iomcu", 1, 4, 0, },
diff --git a/queue-4.14/clk-qcom-common-fix-legacy-board-clock-registration.patch b/queue-4.14/clk-qcom-common-fix-legacy-board-clock-registration.patch
new file mode 100644 (file)
index 0000000..a8445ad
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Johan Hovold <johan@kernel.org>
+Date: Sat, 11 Nov 2017 17:29:28 +0100
+Subject: clk: qcom: common: fix legacy board-clock registration
+
+From: Johan Hovold <johan@kernel.org>
+
+
+[ Upstream commit 43a51019cc8ff1b1cd2ba72e86563beb40d356fc ]
+
+Make sure to search only the child nodes of "/clocks", rather than the
+whole device-tree depth-first starting at "/clocks" when determining
+whether to register a fixed clock in the legacy board-clock registration
+helper.
+
+Fixes: ee15faffef11 ("clk: qcom: common: Add API to register board clocks backwards compatibly")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/qcom/common.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/qcom/common.c
++++ b/drivers/clk/qcom/common.c
+@@ -143,8 +143,10 @@ static int _qcom_cc_register_board_clk(s
+       int ret;
+       clocks_node = of_find_node_by_path("/clocks");
+-      if (clocks_node)
+-              node = of_find_node_by_name(clocks_node, path);
++      if (clocks_node) {
++              node = of_get_child_by_name(clocks_node, path);
++              of_node_put(clocks_node);
++      }
+       if (!node) {
+               fixed = devm_kzalloc(dev, sizeof(*fixed), GFP_KERNEL);
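Review bot: `of_get_child_by_name()` returns the child with its reference count raised, so a non-NULL `node` found here must also be released with `of_node_put(node)` once the existence test is done. The added `of_node_put(clocks_node)` is needed because the old `of_find_node_by_name()` dropped the reference on its starting node itself and the new call does not. The rest of `_qcom_cc_register_board_clk()` lies outside the hunk, so whether `node` is put later cannot be confirmed from here. A short comment above the lookup, such as `/* only direct children of /clocks count; both lookups return a counted reference */`, would keep the pairing visible.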
diff --git a/queue-4.14/clk-stm32h7-fix-test-of-clock-config.patch b/queue-4.14/clk-stm32h7-fix-test-of-clock-config.patch
new file mode 100644 (file)
index 0000000..c63cc03
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Gabriel Fernandez <gabriel.fernandez@st.com>
+Date: Wed, 11 Oct 2017 08:57:24 +0200
+Subject: clk: stm32h7: fix test of clock config
+
+From: Gabriel Fernandez <gabriel.fernandez@st.com>
+
+
+[ Upstream commit c1ea839c41d049604a3f64ef72712d1c7c6639d0 ]
+
+fix test of composite clock config (bad copy / past)
+
+Signed-off-by: Gabriel Fernandez <gabriel.fernandez@st.com>
+Fixes: 3e4d618b0722 ("clk: stm32h7: Add stm32h743 clock driver")
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk-stm32h7.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/clk-stm32h7.c
++++ b/drivers/clk/clk-stm32h7.c
+@@ -384,7 +384,7 @@ static void get_cfg_composite_div(const
+       mux_ops = div_ops = gate_ops = NULL;
+       mux_hw = div_hw = gate_hw = NULL;
+-      if (gcfg->mux && gcfg->mux) {
++      if (gcfg->mux && cfg->mux) {
+               mux = _get_cmux(base + cfg->mux->offset,
+                               cfg->mux->shift,
+                               cfg->mux->width,
+@@ -410,7 +410,7 @@ static void get_cfg_composite_div(const
+               }
+       }
+-      if (gcfg->gate && gcfg->gate) {
++      if (gcfg->gate && cfg->gate) {
+               gate = _get_cgate(base + cfg->gate->offset,
+                               cfg->gate->bit_idx,
+                               gcfg->gate->flags, lock);
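Review bot: The `div` branch of `get_cfg_composite_div()` sits between the two hunks and is not shown, so it is worth confirming that it tests `gcfg->div && cfg->div` rather than repeating the duplicated operand fixed here for `mux` and `gate`. Each visible branch dereferences the `cfg->` member (`cfg->mux->offset`, `cfg->gate->bit_idx`), so that is the pointer the guard has to cover. The function starts before and continues after the visible lines.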
diff --git a/queue-4.14/clk-sunxi-ng-a83t-fix-i2c-buses-bits.patch b/queue-4.14/clk-sunxi-ng-a83t-fix-i2c-buses-bits.patch
new file mode 100644 (file)
index 0000000..7f15f9f
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Mylene JOSSERAND <mylene.josserand@free-electrons.com>
+Date: Sun, 5 Nov 2017 17:51:34 +0100
+Subject: clk: sunxi-ng: a83t: Fix i2c buses bits
+
+From: Mylene JOSSERAND <mylene.josserand@free-electrons.com>
+
+
+[ Upstream commit cc54c0955d6f8618a38a999eecdc3d95306b90de ]
+
+i2c1 and i2c2 bits for CCU are not bit 0 but bit 1 and bit 2.
+Because of that, the i2c0 (bit 0) was not correctly configured.
+Fixed the correct bits for i2c1 and i2c2.
+
+Fixes: 05359be1176b ("clk: sunxi-ng: Add driver for A83T CCU")
+
+Signed-off-by: Mylène Josserand <mylene.josserand@free-electrons.com>
+Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/sunxi-ng/ccu-sun8i-a83t.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/sunxi-ng/ccu-sun8i-a83t.c
++++ b/drivers/clk/sunxi-ng/ccu-sun8i-a83t.c
+@@ -354,9 +354,9 @@ static SUNXI_CCU_GATE(bus_tdm_clk, "bus-
+ static SUNXI_CCU_GATE(bus_i2c0_clk,   "bus-i2c0",     "apb2",
+                     0x06c, BIT(0), 0);
+ static SUNXI_CCU_GATE(bus_i2c1_clk,   "bus-i2c1",     "apb2",
+-                    0x06c, BIT(0), 0);
++                    0x06c, BIT(1), 0);
+ static SUNXI_CCU_GATE(bus_i2c2_clk,   "bus-i2c2",     "apb2",
+-                    0x06c, BIT(0), 0);
++                    0x06c, BIT(2), 0);
+ static SUNXI_CCU_GATE(bus_uart0_clk,  "bus-uart0",    "apb2",
+                     0x06c, BIT(16), 0);
+ static SUNXI_CCU_GATE(bus_uart1_clk,  "bus-uart1",    "apb2",
diff --git a/queue-4.14/clk-uniphier-fix-dapll2-clock-rate-of-pro5.patch b/queue-4.14/clk-uniphier-fix-dapll2-clock-rate-of-pro5.patch
new file mode 100644 (file)
index 0000000..95a0103
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Thu, 5 Oct 2017 11:32:59 +0900
+Subject: clk: uniphier: fix DAPLL2 clock rate of Pro5
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+
+[ Upstream commit 67affb78a4e4feb837953e3434c8402a5c3b272f ]
+
+The parent of DAPLL2 should be DAPLL1.  Fix the clock connection.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/uniphier/clk-uniphier-sys.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/uniphier/clk-uniphier-sys.c
++++ b/drivers/clk/uniphier/clk-uniphier-sys.c
+@@ -123,7 +123,7 @@ const struct uniphier_clk_data uniphier_
+ const struct uniphier_clk_data uniphier_pro5_sys_clk_data[] = {
+       UNIPHIER_CLK_FACTOR("spll", -1, "ref", 120, 1),         /* 2400 MHz */
+       UNIPHIER_CLK_FACTOR("dapll1", -1, "ref", 128, 1),       /* 2560 MHz */
+-      UNIPHIER_CLK_FACTOR("dapll2", -1, "ref", 144, 125),     /* 2949.12 MHz */
++      UNIPHIER_CLK_FACTOR("dapll2", -1, "dapll1", 144, 125),  /* 2949.12 MHz */
+       UNIPHIER_CLK_FACTOR("uart", 0, "dapll2", 1, 40),
+       UNIPHIER_CLK_FACTOR("i2c", 1, "spll", 1, 48),
+       UNIPHIER_PRO5_SYS_CLK_NAND(2),
diff --git a/queue-4.14/coccinelle-fix-parallel-build-with-check-scripts-coccicheck.patch b/queue-4.14/coccinelle-fix-parallel-build-with-check-scripts-coccicheck.patch
new file mode 100644 (file)
index 0000000..7dc357b
--- /dev/null
@@ -0,0 +1,83 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Tue, 14 Nov 2017 20:38:07 +0900
+Subject: coccinelle: fix parallel build with CHECK=scripts/coccicheck
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+
+[ Upstream commit d7059ca0147adcd495f3c5b41f260e1ac55bb679 ]
+
+The command "make -j8 C=1 CHECK=scripts/coccicheck" produces
+lots of "coccicheck failed" error messages.
+
+Julia Lawall explained the Coccinelle behavior as follows:
+"The problem on the Coccinelle side is that it uses a subdirectory
+with the name of the semantic patch to store standard output and
+standard error for the different threads.  I didn't want to use a
+name with the pid, so that one could easily find this information
+while Coccinelle is running.  Normally the subdirectory is cleaned
+up when Coccinelle completes, so there is only one of them at a time.
+Maybe it is best to just add the pid.  There is the risk that these
+subdirectories will accumulate if Coccinelle crashes in a way such
+that they don't get cleaned up, but Coccinelle could print a warning
+if it detects this case, rather than failing."
+
+When scripts/coccicheck is used as CHECK tool and -j option is given
+to Make, the whole of build process runs in parallel.  So, multiple
+processes try to get access to the same subdirectory.
+
+I notice spatch creates the subdirectory only when it runs in parallel
+(i.e. --jobs <N> is given and <N> is greater than 1).
+
+Setting NPROC=1 is a reasonable solution; spatch does not create the
+subdirectory.  Besides, ONLINE=1 mode takes a single file input for
+each spatch invocation, so there is no reason to parallelize it in
+the first place.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Acked-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/coccicheck |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/scripts/coccicheck
++++ b/scripts/coccicheck
+@@ -30,12 +30,6 @@ else
+       VERBOSE=0
+ fi
+-if [ -z "$J" ]; then
+-      NPROC=$(getconf _NPROCESSORS_ONLN)
+-else
+-      NPROC="$J"
+-fi
+-
+ FLAGS="--very-quiet"
+ # You can use SPFLAGS to append extra arguments to coccicheck or override any
+@@ -70,6 +64,9 @@ if [ "$C" = "1" -o "$C" = "2" ]; then
+     # Take only the last argument, which is the C file to test
+     shift $(( $# - 1 ))
+     OPTIONS="$COCCIINCLUDE $1"
++
++    # No need to parallelize Coccinelle since this mode takes one input file.
++    NPROC=1
+ else
+     ONLINE=0
+     if [ "$KBUILD_EXTMOD" = "" ] ; then
+@@ -77,6 +74,12 @@ else
+     else
+         OPTIONS="--dir $KBUILD_EXTMOD $COCCIINCLUDE"
+     fi
++
++    if [ -z "$J" ]; then
++        NPROC=$(getconf _NPROCESSORS_ONLN)
++    else
++        NPROC="$J"
++    fi
+ fi
+ if [ "$KBUILD_EXTMOD" != "" ] ; then
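Review bot: In the `C=1`/`C=2` branch a user-supplied `J` is now silently ignored, because `NPROC=1` is set unconditionally there and `J` is only read in the `else` branch. The added comment explains why parallelism is pointless in that mode but not that the variable has no effect; it could read `# J is ignored here: this mode takes one input file, so Coccinelle runs with NPROC=1.` The surrounding `if` begins outside the hunk.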
diff --git a/queue-4.14/dm-raid-fix-panic-when-attempting-to-force-a-raid-to-sync.patch b/queue-4.14/dm-raid-fix-panic-when-attempting-to-force-a-raid-to-sync.patch
new file mode 100644 (file)
index 0000000..0cd821a
--- /dev/null
@@ -0,0 +1,71 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Heinz Mauelshagen <heinzm@redhat.com>
+Date: Thu, 2 Nov 2017 19:58:28 +0100
+Subject: dm raid: fix panic when attempting to force a raid to sync
+
+From: Heinz Mauelshagen <heinzm@redhat.com>
+
+
+[ Upstream commit 233978449074ca7e45d9c959f9ec612d1b852893 ]
+
+Requesting a sync on an active raid device via a table reload
+(see 'sync' parameter in Documentation/device-mapper/dm-raid.txt)
+skips the super_load() call that defines the superblock size
+(rdev->sb_size) -- resulting in an oops if/when super_sync()->memset()
+is called.
+
+Fix by moving the initialization of the superblock start and size
+out of super_load() to the caller (analyse_superblocks).
+
+Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-raid.c |   21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -2143,13 +2143,6 @@ static int super_load(struct md_rdev *rd
+       struct dm_raid_superblock *refsb;
+       uint64_t events_sb, events_refsb;
+-      rdev->sb_start = 0;
+-      rdev->sb_size = bdev_logical_block_size(rdev->meta_bdev);
+-      if (rdev->sb_size < sizeof(*sb) || rdev->sb_size > PAGE_SIZE) {
+-              DMERR("superblock size of a logical block is no longer valid");
+-              return -EINVAL;
+-      }
+-
+       r = read_disk_sb(rdev, rdev->sb_size, false);
+       if (r)
+               return r;
+@@ -2494,6 +2487,17 @@ static int analyse_superblocks(struct dm
+               if (test_bit(Journal, &rdev->flags))
+                       continue;
++              if (!rdev->meta_bdev)
++                      continue;
++
++              /* Set superblock offset/size for metadata device. */
++              rdev->sb_start = 0;
++              rdev->sb_size = bdev_logical_block_size(rdev->meta_bdev);
++              if (rdev->sb_size < sizeof(struct dm_raid_superblock) || rdev->sb_size > PAGE_SIZE) {
++                      DMERR("superblock size of a logical block is no longer valid");
++                      return -EINVAL;
++              }
++
+               /*
+                * Skipping super_load due to CTR_FLAG_SYNC will cause
+                * the array to undergo initialization again as
+@@ -2506,9 +2510,6 @@ static int analyse_superblocks(struct dm
+               if (test_bit(__CTR_FLAG_SYNC, &rs->ctr_flags))
+                       continue;
+-              if (!rdev->meta_bdev)
+-                      continue;
+-
+               r = super_load(rdev, freshest);
+               switch (r) {
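Review bot: `super_load()` now passes `rdev->sb_size` to `read_disk_sb()` without setting or range-checking it, so its correctness depends on every caller having run the block added to `analyse_superblocks()` first. That precondition deserves a comment at the top of `super_load()`, for example `/* rdev->sb_start and rdev->sb_size must already be set and validated by the caller */`. The added `if (rdev->sb_size < sizeof(struct dm_raid_superblock) || rdev->sb_size > PAGE_SIZE) {` line is also well over 80 columns and could be split after the `||`. Both functions extend beyond the hunks.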
diff --git a/queue-4.14/drivers-rapidio-devices-rio_mport_cdev.c-fix-resource-leak-in-error-handling-path-in-rio_dma_transfer.patch b/queue-4.14/drivers-rapidio-devices-rio_mport_cdev.c-fix-resource-leak-in-error-handling-path-in-rio_dma_transfer.patch
new file mode 100644 (file)
index 0000000..f619603
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Fri, 17 Nov 2017 15:37:57 -0800
+Subject: drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in 'rio_dma_transfer()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit b1402dcb5643b7a27d46a05edd7491d49ba0e248 ]
+
+If 'dma_map_sg()', we should branch to the existing error handling path
+to free some resources before returning.
+
+Link: http://lkml.kernel.org/r/61292a4f369229eee03394247385e955027283f8.1505687047.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Alexandre Bounine <alexandre.bounine@idt.com>
+Cc: Lorenzo Stoakes <lstoakes@gmail.com>
+Cc: Jesper Nilsson <jesper.nilsson@axis.com>
+Cc: Christian K_nig <christian.koenig@amd.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rapidio/devices/rio_mport_cdev.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/rapidio/devices/rio_mport_cdev.c
++++ b/drivers/rapidio/devices/rio_mport_cdev.c
+@@ -963,7 +963,8 @@ rio_dma_transfer(struct file *filp, u32
+                          req->sgt.sgl, req->sgt.nents, dir);
+       if (nents == -EFAULT) {
+               rmcd_error("Failed to map SG list");
+-              return -EFAULT;
++              ret = -EFAULT;
++              goto err_pg;
+       }
+       ret = do_dma_request(req, xfer, sync, nents);
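Review bot: The new cleanup path is only reached when `nents == -EFAULT`, and that comparison on the context line looks wrong. The commit message names the call as `dma_map_sg()`, which reports failure by returning 0, not a negative errno. If that is the call whose tail is visible above, a mapping failure would skip this branch entirely and `do_dma_request()` would run with `nents == 0`; the test should be `if (nents == 0) {`. The call itself and the `err_pg` label are outside the hunk.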
diff --git a/queue-4.14/dt-bindings-usb-fix-reg-property-port-number-range.patch b/queue-4.14/dt-bindings-usb-fix-reg-property-port-number-range.patch
new file mode 100644 (file)
index 0000000..2544ca2
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 9 Nov 2017 18:07:17 +0100
+Subject: dt-bindings: usb: fix reg-property port-number range
+
+From: Johan Hovold <johan@kernel.org>
+
+
+[ Upstream commit f42ae7b0540937e00fe005812997f126aaac4bc2 ]
+
+The USB hub port-number range for USB 2.0 is 1-255 and not 1-31 which
+reflects an arbitrary limit set by the current Linux implementation.
+
+Note that for USB 3.1 hubs the valid range is 1-15.
+
+Increase the documented valid range in the binding to 255, which is the
+maximum allowed by the specifications.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/usb/usb-device.txt |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/usb/usb-device.txt
++++ b/Documentation/devicetree/bindings/usb/usb-device.txt
+@@ -11,7 +11,7 @@ Required properties:
+   be used, but a device adhering to this binding may leave out all except
+   for usbVID,PID.
+ - reg: the port number which this device is connecting to, the range
+-  is 1-31.
++  is 1-255.
+ Example:
diff --git a/queue-4.14/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch b/queue-4.14/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch
new file mode 100644 (file)
index 0000000..51adb82
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Fri, 17 Nov 2017 15:27:35 -0800
+Subject: dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+
+[ Upstream commit 1f3c790bd5989fcfec9e53ad8fa09f5b740c958f ]
+
+line-range is supposed to treat "1-" as "1-endoffile", so
+handle the special case by setting last_lineno to UINT_MAX.
+
+Fixes this error:
+
+  dynamic_debug:ddebug_parse_query: last-line:0 < 1st-line:1
+  dynamic_debug:ddebug_exec_query: query parse failed
+
+Link: http://lkml.kernel.org/r/10a6a101-e2be-209f-1f41-54637824788e@infradead.org
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Acked-by: Jason Baron <jbaron@akamai.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/dynamic_debug.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/lib/dynamic_debug.c
++++ b/lib/dynamic_debug.c
+@@ -360,6 +360,10 @@ static int ddebug_parse_query(char *word
+                               if (parse_lineno(last, &query->last_lineno) < 0)
+                                       return -EINVAL;
++                              /* special case for last lineno not specified */
++                              if (query->last_lineno == 0)
++                                      query->last_lineno = UINT_MAX;
++
+                               if (query->last_lineno < query->first_lineno) {
+                                       pr_err("last-line:%d < 1st-line:%d\n",
+                                               query->last_lineno,
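Review bot: The added special case keys on the parsed value rather than on the input text, so an explicit range such as `1-0` is now accepted as "1 to end of file" instead of being rejected by the `last_lineno < first_lineno` check that follows. If `parse_lineno()` yields 0 for an empty string (its body is not in the hunk, and `last` is presumed to be the `char *` it is passed as), testing the text keeps that validation: `if (*last == '\0') query->last_lineno = UINT_MAX;`. `ddebug_parse_query()` starts and ends outside the hunk.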
diff --git a/queue-4.14/f2fs-fix-to-clear-fi_no_prealloc.patch b/queue-4.14/f2fs-fix-to-clear-fi_no_prealloc.patch
new file mode 100644 (file)
index 0000000..debd7db
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Chao Yu <yuchao0@huawei.com>
+Date: Mon, 13 Nov 2017 17:32:39 +0800
+Subject: f2fs: fix to clear FI_NO_PREALLOC
+
+From: Chao Yu <yuchao0@huawei.com>
+
+
+[ Upstream commit 28cfafb73853f0494b06649716687a3ea07681d5 ]
+
+We need to clear FI_NO_PREALLOC flag in error path of f2fs_file_write_iter,
+otherwise we will lose the chance to preallocate blocks in latter write()
+at one time.
+
+Fixes: dc91de78e5e1 ("f2fs: do not preallocate blocks which has wrong buffer")
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/file.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -2697,6 +2697,7 @@ static ssize_t f2fs_file_write_iter(stru
+               err = f2fs_preallocate_blocks(iocb, from);
+               if (err) {
++                      clear_inode_flag(inode, FI_NO_PREALLOC);
+                       inode_unlock(inode);
+                       return err;
+               }
diff --git a/queue-4.14/fcntl-don-t-leak-fd-reference-when-fixup_compat_flock-fails.patch b/queue-4.14/fcntl-don-t-leak-fd-reference-when-fixup_compat_flock-fails.patch
new file mode 100644 (file)
index 0000000..27ac70e
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Jeff Layton <jlayton@redhat.com>
+Date: Tue, 14 Nov 2017 14:43:56 -0500
+Subject: fcntl: don't leak fd reference when fixup_compat_flock fails
+
+From: Jeff Layton <jlayton@redhat.com>
+
+
+[ Upstream commit 9280a601e6080c9ff658468c1c775ff6514099a6 ]
+
+Currently we just return err here, but we need to put the fd reference
+first.
+
+Fixes: 94073ad77fff (fs/locks: don't mess with the address limit in compat_fcntl64)
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fcntl.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/fcntl.c
++++ b/fs/fcntl.c
+@@ -632,9 +632,8 @@ COMPAT_SYSCALL_DEFINE3(fcntl64, unsigned
+               if (err)
+                       break;
+               err = fixup_compat_flock(&flock);
+-              if (err)
+-                      return err;
+-              err = put_compat_flock(&flock, compat_ptr(arg));
++              if (!err)
++                      err = put_compat_flock(&flock, compat_ptr(arg));
+               break;
+       case F_GETLK64:
+       case F_OFD_GETLK:
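Review bot: The `F_GETLK64`/`F_OFD_GETLK` case that begins on the last lines of this hunk is not shown, and it should be checked for the same early `return err` that is removed here from the preceding case. Any `return` inside the `switch` bypasses the fd reference drop that the commit message says must happen first, leaving the file's reference count elevated on each failing call. Keeping every case on `break`, as the new `if (!err)` / `err = put_compat_flock(&flock, compat_ptr(arg));` pair does, avoids that.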
diff --git a/queue-4.14/geneve-fix-fill_info-when-link-down.patch b/queue-4.14/geneve-fix-fill_info-when-link-down.patch
new file mode 100644 (file)
index 0000000..2726e7b
--- /dev/null
@@ -0,0 +1,90 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Wed, 15 Nov 2017 09:43:09 +0800
+Subject: geneve: fix fill_info when link down
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+
+[ Upstream commit fd7eafd02121d6ef501ef1a4a891e6061366c952 ]
+
+geneve->sock4/6 were added with geneve_open and released with geneve_stop.
+So when geneve link down, we will not able to show remote address and
+checksum info after commit 11387fe4a98 ("geneve: fix fill_info when using
+collect_metadata").
+
+Fix this by avoid passing *_REMOTE{,6} for COLLECT_METADATA since they are
+mutually exclusive, and always show UDP_ZERO_CSUM6_RX info.
+
+Fixes: 11387fe4a98 ("geneve: fix fill_info when using collect_metadata")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/geneve.c |   24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -1503,6 +1503,7 @@ static int geneve_fill_info(struct sk_bu
+ {
+       struct geneve_dev *geneve = netdev_priv(dev);
+       struct ip_tunnel_info *info = &geneve->info;
++      bool metadata = geneve->collect_md;
+       __u8 tmp_vni[3];
+       __u32 vni;
+@@ -1511,32 +1512,24 @@ static int geneve_fill_info(struct sk_bu
+       if (nla_put_u32(skb, IFLA_GENEVE_ID, vni))
+               goto nla_put_failure;
+-      if (rtnl_dereference(geneve->sock4)) {
++      if (!metadata && ip_tunnel_info_af(info) == AF_INET) {
+               if (nla_put_in_addr(skb, IFLA_GENEVE_REMOTE,
+                                   info->key.u.ipv4.dst))
+                       goto nla_put_failure;
+-
+               if (nla_put_u8(skb, IFLA_GENEVE_UDP_CSUM,
+                              !!(info->key.tun_flags & TUNNEL_CSUM)))
+                       goto nla_put_failure;
+-      }
+-
+ #if IS_ENABLED(CONFIG_IPV6)
+-      if (rtnl_dereference(geneve->sock6)) {
++      } else if (!metadata) {
+               if (nla_put_in6_addr(skb, IFLA_GENEVE_REMOTE6,
+                                    &info->key.u.ipv6.dst))
+                       goto nla_put_failure;
+-
+               if (nla_put_u8(skb, IFLA_GENEVE_UDP_ZERO_CSUM6_TX,
+                              !(info->key.tun_flags & TUNNEL_CSUM)))
+                       goto nla_put_failure;
+-
+-              if (nla_put_u8(skb, IFLA_GENEVE_UDP_ZERO_CSUM6_RX,
+-                             !geneve->use_udp6_rx_checksums))
+-                      goto nla_put_failure;
+-      }
+ #endif
++      }
+       if (nla_put_u8(skb, IFLA_GENEVE_TTL, info->key.ttl) ||
+           nla_put_u8(skb, IFLA_GENEVE_TOS, info->key.tos) ||
+@@ -1546,10 +1539,13 @@ static int geneve_fill_info(struct sk_bu
+       if (nla_put_be16(skb, IFLA_GENEVE_PORT, info->key.tp_dst))
+               goto nla_put_failure;
+-      if (geneve->collect_md) {
+-              if (nla_put_flag(skb, IFLA_GENEVE_COLLECT_METADATA))
++      if (metadata && nla_put_flag(skb, IFLA_GENEVE_COLLECT_METADATA))
+                       goto nla_put_failure;
+-      }
++
++      if (nla_put_u8(skb, IFLA_GENEVE_UDP_ZERO_CSUM6_RX,
++                     !geneve->use_udp6_rx_checksums))
++              goto nla_put_failure;
++
+       return 0;
+ nla_put_failure:
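Review bot: After the rewrite to `if (metadata && nla_put_flag(skb, IFLA_GENEVE_COLLECT_METADATA))`, the following `goto nla_put_failure;` is kept as a context line at its old depth, two levels deeper than the `if` that now controls it. It should be re-indented to one tab under the condition so the control flow reads as written. The `} else if (!metadata) {` placed inside `#if IS_ENABLED(CONFIG_IPV6)`, with the closing `}` after `#endif`, is also easy to misread; annotating the directive as `#endif /* CONFIG_IPV6 */` would help.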
diff --git a/queue-4.14/gre6-use-log_ecn_error-module-parameter-in-ip6_tnl_rcv.patch b/queue-4.14/gre6-use-log_ecn_error-module-parameter-in-ip6_tnl_rcv.patch
new file mode 100644 (file)
index 0000000..0db27fd
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Date: Fri, 17 Nov 2017 19:16:17 +0300
+Subject: gre6: use log_ecn_error module parameter in ip6_tnl_rcv()
+
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+
+
+[ Upstream commit 981542c526ecd846920bc500e9989da906ee9fb9 ]
+
+After commit 308edfdf1563 ("gre6: Cleanup GREv6 receive path, call
+common GRE functions") it's not used anywhere in the module, but
+previously was used in ip6gre_rcv().
+
+Fixes: 308edfdf1563 ("gre6: Cleanup GREv6 receive path, call common GRE functions")
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_gre.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -461,7 +461,7 @@ static int ip6gre_rcv(struct sk_buff *sk
+                                     &ipv6h->saddr, &ipv6h->daddr, tpi->key,
+                                     tpi->proto);
+       if (tunnel) {
+-              ip6_tnl_rcv(tunnel, skb, tpi, NULL, false);
++              ip6_tnl_rcv(tunnel, skb, tpi, NULL, log_ecn_error);
+               return PACKET_RCVD;
+       }
diff --git a/queue-4.14/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch b/queue-4.14/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch
new file mode 100644 (file)
index 0000000..bfb7f23
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Mark Bloch <markb@mellanox.com>
+Date: Thu, 2 Nov 2017 15:22:26 +0200
+Subject: IB/mlx4: Increase maximal message size under UD QP
+
+From: Mark Bloch <markb@mellanox.com>
+
+
+[ Upstream commit 5f22a1d87c5315a98981ecf93cd8de226cffe6ca ]
+
+Maximal message should be used as a limit to the max message payload allowed,
+without the headers. The ConnectX-3 check is done against this value includes
+the headers. When the payload is 4K this will cause the NIC to drop packets.
+
+Increase maximal message to 8K as workaround, this shouldn't change current
+behaviour because we continue to set the MTU to 4k.
+
+To reproduce;
+set MTU to 4296 on the corresponding interface, for example:
+ifconfig eth0 mtu 4296 (both server and client)
+
+On server:
+ib_send_bw -c UD -d mlx4_0 -s 4096 -n 1000000 -i1 -m 4096
+
+On client:
+ib_send_bw -d mlx4_0 -c UD <server_ip> -s 4096 -n 1000000 -i 1 -m 4096
+
+Fixes: 6e0d733d9215 ("IB/mlx4: Allow 4K messages for UD QPs")
+Signed-off-by: Mark Bloch <markb@mellanox.com>
+Reviewed-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx4/qp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -2216,7 +2216,7 @@ static int __mlx4_ib_modify_qp(void *src
+                       context->mtu_msgmax = (IB_MTU_4096 << 5) |
+                                             ilog2(dev->dev->caps.max_gso_sz);
+               else
+-                      context->mtu_msgmax = (IB_MTU_4096 << 5) | 12;
++                      context->mtu_msgmax = (IB_MTU_4096 << 5) | 13;
+       } else if (attr_mask & IB_QP_PATH_MTU) {
+               if (attr->path_mtu < IB_MTU_256 || attr->path_mtu > IB_MTU_4096) {
+                       pr_err("path MTU (%u) is invalid\n",
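Review bot: The bare `13` in `context->mtu_msgmax = (IB_MTU_4096 << 5) | 13;` carries the whole workaround and has no explanation in the code. Going by the commit message it is the log2 of an 8K maximal message, chosen so that a 4K payload plus headers passes the ConnectX-3 check. A comment saying so, e.g. `/* msgmax 2^13 = 8K: the HW check includes headers, so 4K payloads need headroom */`, would stop it being "corrected" back to 12 later. `__mlx4_ib_modify_qp()` extends beyond the hunk.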
diff --git a/queue-4.14/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch b/queue-4.14/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch
new file mode 100644 (file)
index 0000000..db41693
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Majd Dibbiny <majd@mellanox.com>
+Date: Mon, 30 Oct 2017 14:23:13 +0200
+Subject: IB/mlx5: Assign send CQ and recv CQ of UMR QP
+
+From: Majd Dibbiny <majd@mellanox.com>
+
+
+[ Upstream commit 31fde034a8bd964a5c7c1a5663fc87a913158db2 ]
+
+The UMR's QP is created by calling mlx5_ib_create_qp directly, and
+therefore the send CQ and the recv CQ on the ibqp weren't assigned.
+
+Assign them right after calling the mlx5_ib_create_qp to assure
+that any access to those pointers will work as expected and won't
+crash the system as might happen as part of reset flow.
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Majd Dibbiny <majd@mellanox.com>
+Reviewed-by: Yishai Hadas <yishaih@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx5/main.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -3097,6 +3097,8 @@ static int create_umr_res(struct mlx5_ib
+       qp->real_qp    = qp;
+       qp->uobject    = NULL;
+       qp->qp_type    = MLX5_IB_QPT_REG_UMR;
++      qp->send_cq    = init_attr->send_cq;
++      qp->recv_cq    = init_attr->recv_cq;
+       attr->qp_state = IB_QPS_INIT;
+       attr->port_num = 1;
diff --git a/queue-4.14/ide-ide-atapi-fix-compile-error-with-defining-macro-debug.patch b/queue-4.14/ide-ide-atapi-fix-compile-error-with-defining-macro-debug.patch
new file mode 100644 (file)
index 0000000..3b02726
--- /dev/null
@@ -0,0 +1,59 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Fri, 10 Nov 2017 15:59:17 +0800
+Subject: ide: ide-atapi: fix compile error with defining macro DEBUG
+
+From: Hongxu Jia <hongxu.jia@windriver.com>
+
+
+[ Upstream commit 8dc7a31fbce5e2dbbacd83d910da37105181b054 ]
+
+Compile ide-atapi failed with defining macro "DEBUG"
+...
+|drivers/ide/ide-atapi.c:285:52: error: 'struct request' has
+no member named 'cmd'; did you mean 'csd'?
+|  debug_log("%s: rq->cmd[0]: 0x%x\n", __func__, rq->cmd[0]);
+...
+
+Since we split the scsi_request out of struct request, it missed
+do the same thing on debug_log
+
+Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ide/ide-atapi.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/ide/ide-atapi.c
++++ b/drivers/ide/ide-atapi.c
+@@ -282,7 +282,7 @@ int ide_cd_expiry(ide_drive_t *drive)
+       struct request *rq = drive->hwif->rq;
+       unsigned long wait = 0;
+-      debug_log("%s: rq->cmd[0]: 0x%x\n", __func__, rq->cmd[0]);
++      debug_log("%s: scsi_req(rq)->cmd[0]: 0x%x\n", __func__, scsi_req(rq)->cmd[0]);
+       /*
+        * Some commands are *slow* and normally take a long time to complete.
+@@ -463,7 +463,7 @@ static ide_startstop_t ide_pc_intr(ide_d
+                               return ide_do_reset(drive);
+                       }
+-                      debug_log("[cmd %x]: check condition\n", rq->cmd[0]);
++                      debug_log("[cmd %x]: check condition\n", scsi_req(rq)->cmd[0]);
+                       /* Retry operation */
+                       ide_retry_pc(drive);
+@@ -531,7 +531,7 @@ static ide_startstop_t ide_pc_intr(ide_d
+               ide_pad_transfer(drive, write, bcount);
+       debug_log("[cmd %x] transferred %d bytes, padded %d bytes, resid: %u\n",
+-                rq->cmd[0], done, bcount, scsi_req(rq)->resid_len);
++                scsi_req(rq)->cmd[0], done, bcount, scsi_req(rq)->resid_len);
+       /* And set the interrupt handler again */
+       ide_set_handler(drive, ide_pc_intr, timeout);
diff --git a/queue-4.14/ipvlan-fix-ipv6-outbound-device.patch b/queue-4.14/ipvlan-fix-ipv6-outbound-device.patch
new file mode 100644 (file)
index 0000000..5ee85a0
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Keefe Liu <liuqifa@huawei.com>
+Date: Thu, 9 Nov 2017 20:09:31 +0800
+Subject: ipvlan: fix ipv6 outbound device
+
+From: Keefe Liu <liuqifa@huawei.com>
+
+
+[ Upstream commit ca29fd7cce5a6444d57fb86517589a1a31c759e1 ]
+
+When process the outbound packet of ipv6, we should assign the master
+device to output device other than input device.
+
+Signed-off-by: Keefe Liu <liuqifa@huawei.com>
+Acked-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -409,7 +409,7 @@ static int ipvlan_process_v6_outbound(st
+       struct dst_entry *dst;
+       int err, ret = NET_XMIT_DROP;
+       struct flowi6 fl6 = {
+-              .flowi6_iif = dev->ifindex,
++              .flowi6_oif = dev->ifindex,
+               .daddr = ip6h->daddr,
+               .saddr = ip6h->saddr,
+               .flowi6_flags = FLOWI_FLAG_ANYSRC,
diff --git a/queue-4.14/irqchip-qcom-fix-u32-comparison-with-value-less-than-zero.patch b/queue-4.14/irqchip-qcom-fix-u32-comparison-with-value-less-than-zero.patch
new file mode 100644 (file)
index 0000000..8b95696
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 17 Nov 2017 18:35:53 +0000
+Subject: irqchip/qcom: Fix u32 comparison with value less than zero
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit e9990d70e8a063a7b894c5cbb99f630a0f41200d ]
+
+The comparison of u32 nregs being less than zero is never true since
+nregs is unsigned. Fix this by making nregs a signed integer.
+
+Fixes: f20cc9b00c7b ("irqchip/qcom: Add IRQ combiner driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: kernel-janitors@vger.kernel.org
+Cc: Jason Cooper <jason@lakedaemon.net>
+Link: https://lkml.kernel.org/r/20171117183553.2739-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/qcom-irq-combiner.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/irqchip/qcom-irq-combiner.c
++++ b/drivers/irqchip/qcom-irq-combiner.c
+@@ -238,7 +238,7 @@ static int __init combiner_probe(struct
+ {
+       struct combiner *combiner;
+       size_t alloc_sz;
+-      u32 nregs;
++      int nregs;
+       int err;
+       nregs = count_registers(pdev);
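Review bot: With `nregs` now signed in combiner_probe, any size computed from it for `alloc_sz` (a `size_t`, declared just above) has to come after the negative check, because a negative int converted to size_t becomes a very large allocation size. The check and the allocation are outside this hunk, so their order cannot be confirmed from here. A comment at the declaration would record why the type is signed, e.g. `int nregs; /* signed: count_registers() may report failure as a negative value */`.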
diff --git a/queue-4.14/jump_label-invoke-jump_label_test-via-early_initcall.patch b/queue-4.14/jump_label-invoke-jump_label_test-via-early_initcall.patch
new file mode 100644 (file)
index 0000000..9cec9b7
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Jason Baron <jbaron@akamai.com>
+Date: Mon, 13 Nov 2017 16:48:47 -0500
+Subject: jump_label: Invoke jump_label_test() via early_initcall()
+
+From: Jason Baron <jbaron@akamai.com>
+
+
+[ Upstream commit 92ee46efeb505ead3ab06d3c5ce695637ed5f152 ]
+
+Fengguang Wu reported that running the rcuperf test during boot can cause
+the jump_label_test() to hit a WARN_ON(). The issue is that the core jump
+label code relies on kernel_text_address() to detect when it can no longer
+update branches that may be contained in __init sections. The
+kernel_text_address() in turn assumes that if the system_state variable is
+greter than or equal to SYSTEM_RUNNING then __init sections are no longer
+valid (since the assumption is that they have been freed). However, when
+rcuperf is setup to run in early boot it can call kernel_power_off() which
+sets the system_state to SYSTEM_POWER_OFF.
+
+Since rcuperf initialization is invoked via a module_init(), we can make
+the dependency of jump_label_test() needing to complete before rcuperf
+explicit by calling it via early_initcall().
+
+Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: Jason Baron <jbaron@akamai.com>
+Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/1510609727-2238-1-git-send-email-jbaron@akamai.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/jump_label.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/jump_label.c
++++ b/kernel/jump_label.c
+@@ -769,7 +769,7 @@ static __init int jump_label_test(void)
+       return 0;
+ }
+-late_initcall(jump_label_test);
++early_initcall(jump_label_test);
+ #endif /* STATIC_KEYS_SELFTEST */
+ #endif /* HAVE_JUMP_LABEL */
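Review bot: The switch to `early_initcall(jump_label_test)` carries an ordering requirement that only the commit message explains. Nothing at the call site says the self-test has to finish before module_init() code can change system_state. Without that, a later cleanup could move the test back to a late initcall and bring the WARN_ON back. I would add above the line: `/* Must run before module_init() users (e.g. rcuperf) can alter system_state. */`. The body of jump_label_test starts outside the hunk.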
diff --git a/queue-4.14/kbuild-do-not-call-cc-option-before-kbuild_cflags-initialization.patch b/queue-4.14/kbuild-do-not-call-cc-option-before-kbuild_cflags-initialization.patch
new file mode 100644 (file)
index 0000000..83ac746
--- /dev/null
@@ -0,0 +1,101 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Thu, 12 Oct 2017 18:22:25 +0900
+Subject: kbuild: do not call cc-option before KBUILD_CFLAGS initialization
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+
+[ Upstream commit 433dc2ebe7d17dd21cba7ad5c362d37323592236 ]
+
+Some $(call cc-option,...) are invoked very early, even before
+KBUILD_CFLAGS, etc. are initialized.
+
+The returned string from $(call cc-option,...) depends on
+KBUILD_CPPFLAGS, KBUILD_CFLAGS, and GCC_PLUGINS_CFLAGS.
+
+Since they are exported, they are not empty when the top Makefile
+is recursively invoked.
+
+The recursion occurs in several places.  For example, the top
+Makefile invokes itself for silentoldconfig.  "make tinyconfig",
+"make rpm-pkg" are the cases, too.
+
+In those cases, the second call of cc-option from the same line
+runs a different shell command due to non-pristine KBUILD_CFLAGS.
+
+To get the same result all the time, KBUILD_* and GCC_PLUGINS_CFLAGS
+must be initialized before any call of cc-option.  This avoids
+garbage data in the .cache.mk file.
+
+Move all calls of cc-option below the config targets because target
+compiler flags are unnecessary for Kconfig.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Makefile |   21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -373,9 +373,6 @@ LDFLAGS_MODULE  =
+ CFLAGS_KERNEL =
+ AFLAGS_KERNEL =
+ LDFLAGS_vmlinux =
+-CFLAGS_GCOV   := -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
+-CFLAGS_KCOV   := $(call cc-option,-fsanitize-coverage=trace-pc,)
+-
+ # Use USERINCLUDE when you must reference the UAPI directories only.
+ USERINCLUDE    := \
+@@ -394,21 +391,19 @@ LINUXINCLUDE    := \
+               -I$(objtree)/include \
+               $(USERINCLUDE)
+-KBUILD_CPPFLAGS := -D__KERNEL__
+-
++KBUILD_AFLAGS   := -D__ASSEMBLY__
+ KBUILD_CFLAGS   := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
+                  -fno-strict-aliasing -fno-common -fshort-wchar \
+                  -Werror-implicit-function-declaration \
+                  -Wno-format-security \
+-                 -std=gnu89 $(call cc-option,-fno-PIE)
+-
+-
++                 -std=gnu89
++KBUILD_CPPFLAGS := -D__KERNEL__
+ KBUILD_AFLAGS_KERNEL :=
+ KBUILD_CFLAGS_KERNEL :=
+-KBUILD_AFLAGS   := -D__ASSEMBLY__ $(call cc-option,-fno-PIE)
+ KBUILD_AFLAGS_MODULE  := -DMODULE
+ KBUILD_CFLAGS_MODULE  := -DMODULE
+ KBUILD_LDFLAGS_MODULE := -T $(srctree)/scripts/module-common.lds
++GCC_PLUGINS_CFLAGS :=
+ # Read KERNELRELEASE from include/config/kernel.release (if it exists)
+ KERNELRELEASE = $(shell cat include/config/kernel.release 2> /dev/null)
+@@ -421,7 +416,7 @@ export MAKE AWK GENKSYMS INSTALLKERNEL P
+ export HOSTCXX HOSTCXXFLAGS LDFLAGS_MODULE CHECK CHECKFLAGS
+ export KBUILD_CPPFLAGS NOSTDINC_FLAGS LINUXINCLUDE OBJCOPYFLAGS LDFLAGS
+-export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE CFLAGS_GCOV CFLAGS_KCOV CFLAGS_KASAN CFLAGS_UBSAN
++export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE CFLAGS_KASAN CFLAGS_UBSAN
+ export KBUILD_AFLAGS AFLAGS_KERNEL AFLAGS_MODULE
+ export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_LDFLAGS_MODULE
+ export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL
+@@ -622,6 +617,12 @@ endif
+ # Defaults to vmlinux, but the arch makefile usually adds further targets
+ all: vmlinux
++KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
++KBUILD_AFLAGS += $(call cc-option,-fno-PIE)
++CFLAGS_GCOV   := -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
++CFLAGS_KCOV   := $(call cc-option,-fsanitize-coverage=trace-pc,)
++export CFLAGS_GCOV CFLAGS_KCOV
++
+ # The arch Makefile can set ARCH_{CPP,A,C}FLAGS to override the default
+ # values of the respective KBUILD_* variables
+ ARCH_CPPFLAGS :=
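Review bot: The block moved below `all: vmlinux` only works because of where it sits, but no comment at either location says so. cc-option reads KBUILD_CPPFLAGS, KBUILD_CFLAGS and GCC_PLUGINS_CFLAGS, which is why `GCC_PLUGINS_CFLAGS :=` is now initialized earlier. A later edit that adds a `$(call cc-option,...)` above the config targets would silently bring back the inconsistent .cache.mk results described in the commit message. I would add `# cc-option must not be called before this point: it depends on KBUILD_* and GCC_PLUGINS_CFLAGS` above the `KBUILD_CFLAGS += $(call cc-option,-fno-PIE)` line, and `# cleared so a recursive make does not inherit an exported value` next to `GCC_PLUGINS_CFLAGS :=`.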
diff --git a/queue-4.14/kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch b/queue-4.14/kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch
new file mode 100644 (file)
index 0000000..e9d3235
--- /dev/null
@@ -0,0 +1,53 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Wed, 15 Nov 2017 18:17:07 +0900
+Subject: kbuild: pkg: use --transform option to prefix paths in tar
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+
+[ Upstream commit 2dbc644ac62bbcb9ee78e84719953f611be0413d ]
+
+For rpm-pkg and deb-pkg, a source tar file is created.  All paths in
+the archive must be prefixed with the base name of the tar so that
+everything is contained in the directory when you extract it.
+
+Currently, scripts/package/Makefile uses a symlink for that, and
+removes it after the tar is created.
+
+If you terminate the build during the tar creation, the symlink is
+left over.  Then, at the next package build, you will see a warning
+like follows:
+
+  ln: '.' and 'kernel-4.14.0+/.' are the same file
+
+It is possible to fix it by adding -n (--no-dereference) option to
+the "ln" command, but a cleaner way is to use --transform option
+of "tar" command.  This option is GNU extension, but it should not
+hurt to use it in the Linux build system.
+
+The 'S' flag is needed to exclude symlinks from the path fixup.
+Without it, symlinks in the kernel are broken.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/package/Makefile |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/scripts/package/Makefile
++++ b/scripts/package/Makefile
+@@ -39,10 +39,9 @@ if test "$(objtree)" != "$(srctree)"; th
+       false; \
+ fi ; \
+ $(srctree)/scripts/setlocalversion --save-scmversion; \
+-ln -sf $(srctree) $(2); \
+ tar -cz $(RCS_TAR_IGNORE) -f $(2).tar.gz \
+-      $(addprefix $(2)/,$(TAR_CONTENT) $(3)); \
+-rm -f $(2) $(objtree)/.scmversion
++      --transform 's:^:$(2)/:S' $(TAR_CONTENT) $(3); \
++rm -f $(objtree)/.scmversion
+ # rpm-pkg
+ # ---------------------------------------------------------------------------
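Review bot: `--transform 's:^:$(2)/:S'` pastes `$(2)` unescaped into a sed-style replacement, so a tarball base name containing `:`, `&` or a backslash would change or break the expression. Whether `$(2)` can carry such characters depends on how the callers build it, which this hunk does not show. A comment above the command definition would state the assumption, e.g. `# $(2) must not contain ':', '&' or '\' (it is used inside the tar --transform expression)`. The recipe begins outside the hunk.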
diff --git a/queue-4.14/kbuild-rpm-pkg-fix-jobserver-unavailable-warning.patch b/queue-4.14/kbuild-rpm-pkg-fix-jobserver-unavailable-warning.patch
new file mode 100644 (file)
index 0000000..f381ed6
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Sat, 30 Sep 2017 10:10:09 +0900
+Subject: kbuild: rpm-pkg: fix jobserver unavailable warning
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+
+[ Upstream commit 606625be47bc87b6fab0af10cd57aaa675cb9e42 ]
+
+If "make rpm-pkg" or "make binrpm-pkg" is run with -j[jobs] option,
+the following warning message is displayed.
+
+  warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
+
+Follow the suggestion.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/package/Makefile |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/scripts/package/Makefile
++++ b/scripts/package/Makefile
+@@ -49,7 +49,7 @@ rpm-pkg rpm: FORCE
+       $(MAKE) clean
+       $(CONFIG_SHELL) $(MKSPEC) >$(objtree)/kernel.spec
+       $(call cmd,src_tar,$(KERNELPATH),kernel.spec)
+-      rpmbuild $(RPMOPTS) --target $(UTS_MACHINE) -ta $(KERNELPATH).tar.gz
++      +rpmbuild $(RPMOPTS) --target $(UTS_MACHINE) -ta $(KERNELPATH).tar.gz
+       rm $(KERNELPATH).tar.gz kernel.spec
+ # binrpm-pkg
+@@ -57,7 +57,7 @@ rpm-pkg rpm: FORCE
+ binrpm-pkg: FORCE
+       $(MAKE) KBUILD_SRC=
+       $(CONFIG_SHELL) $(MKSPEC) prebuilt > $(objtree)/binkernel.spec
+-      rpmbuild $(RPMOPTS) --define "_builddir $(objtree)" --target \
++      +rpmbuild $(RPMOPTS) --define "_builddir $(objtree)" --target \
+               $(UTS_MACHINE) -bb $(objtree)/binkernel.spec
+       rm binkernel.spec
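Review bot: The `+` prefix on the two `rpmbuild` lines also makes make execute them under `-n`, `-t` and `-q`, so `make -n rpm-pkg` and `make -n binrpm-pkg` are no longer pure dry runs for that step. GNU make treats a `+` recipe line as always-execute, and that is also what hands the jobserver to the child. The spec file and tarball written by the earlier recipe lines would probably be missing in a dry run, so rpmbuild would most likely just fail. The side effect still deserves a comment above each line: `# '+' passes the jobserver to rpmbuild; note that it also runs under make -n`.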
diff --git a/queue-4.14/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch b/queue-4.14/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch
new file mode 100644 (file)
index 0000000..a4b7293
--- /dev/null
@@ -0,0 +1,102 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Stephen Bates <sbates@raithlin.com>
+Date: Fri, 17 Nov 2017 15:28:16 -0800
+Subject: lib/genalloc.c: make the avail variable an atomic_long_t
+
+From: Stephen Bates <sbates@raithlin.com>
+
+
+[ Upstream commit 36a3d1dd4e16bcd0d2ddfb4a2ec7092f0ae0d931 ]
+
+If the amount of resources allocated to a gen_pool exceeds 2^32 then the
+avail atomic overflows and this causes problems when clients try and
+borrow resources from the pool.  This is only expected to be an issue on
+64 bit systems.
+
+Add the <linux/atomic.h> header to pull in atomic_long* operations.  So
+that 32 bit systems continue to use atomic32_t but 64 bit systems can
+use atomic64_t.
+
+Link: http://lkml.kernel.org/r/1509033843-25667-1-git-send-email-sbates@raithlin.com
+Signed-off-by: Stephen Bates <sbates@raithlin.com>
+Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
+Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Reviewed-by: Daniel Mentz <danielmentz@google.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/genalloc.h |    3 ++-
+ lib/genalloc.c           |   10 +++++-----
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+--- a/include/linux/genalloc.h
++++ b/include/linux/genalloc.h
+@@ -32,6 +32,7 @@
+ #include <linux/types.h>
+ #include <linux/spinlock_types.h>
++#include <linux/atomic.h>
+ struct device;
+ struct device_node;
+@@ -71,7 +72,7 @@ struct gen_pool {
+  */
+ struct gen_pool_chunk {
+       struct list_head next_chunk;    /* next chunk in pool */
+-      atomic_t avail;
++      atomic_long_t avail;
+       phys_addr_t phys_addr;          /* physical starting address of memory chunk */
+       unsigned long start_addr;       /* start address of memory chunk */
+       unsigned long end_addr;         /* end address of memory chunk (inclusive) */
+--- a/lib/genalloc.c
++++ b/lib/genalloc.c
+@@ -194,7 +194,7 @@ int gen_pool_add_virt(struct gen_pool *p
+       chunk->phys_addr = phys;
+       chunk->start_addr = virt;
+       chunk->end_addr = virt + size - 1;
+-      atomic_set(&chunk->avail, size);
++      atomic_long_set(&chunk->avail, size);
+       spin_lock(&pool->lock);
+       list_add_rcu(&chunk->next_chunk, &pool->chunks);
+@@ -304,7 +304,7 @@ unsigned long gen_pool_alloc_algo(struct
+       nbits = (size + (1UL << order) - 1) >> order;
+       rcu_read_lock();
+       list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) {
+-              if (size > atomic_read(&chunk->avail))
++              if (size > atomic_long_read(&chunk->avail))
+                       continue;
+               start_bit = 0;
+@@ -324,7 +324,7 @@ retry:
+               addr = chunk->start_addr + ((unsigned long)start_bit << order);
+               size = nbits << order;
+-              atomic_sub(size, &chunk->avail);
++              atomic_long_sub(size, &chunk->avail);
+               break;
+       }
+       rcu_read_unlock();
+@@ -390,7 +390,7 @@ void gen_pool_free(struct gen_pool *pool
+                       remain = bitmap_clear_ll(chunk->bits, start_bit, nbits);
+                       BUG_ON(remain);
+                       size = nbits << order;
+-                      atomic_add(size, &chunk->avail);
++                      atomic_long_add(size, &chunk->avail);
+                       rcu_read_unlock();
+                       return;
+               }
+@@ -464,7 +464,7 @@ size_t gen_pool_avail(struct gen_pool *p
+       rcu_read_lock();
+       list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk)
+-              avail += atomic_read(&chunk->avail);
++              avail += atomic_long_read(&chunk->avail);
+       rcu_read_unlock();
+       return avail;
+ }
diff --git a/queue-4.14/mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch b/queue-4.14/mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch
new file mode 100644 (file)
index 0000000..4eb0511
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Fri, 10 Nov 2017 18:48:50 +0000
+Subject: mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+
+[ Upstream commit 67bd52386125ce1159c0581cbcd2740addf33cd4 ]
+
+hwsim_new_radio_nl() now copies the name attribute in order to add a
+null-terminator.  mac80211_hwsim_new_radio() (indirectly) copies it
+again into the net_device structure, so the first copy is not used or
+freed later.  Free the first copy before returning.
+
+Fixes: ff4dd73dd2b4 ("mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length")
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3108,6 +3108,7 @@ static int hwsim_new_radio_nl(struct sk_
+ {
+       struct hwsim_new_radio_params param = { 0 };
+       const char *hwname = NULL;
++      int ret;
+       param.reg_strict = info->attrs[HWSIM_ATTR_REG_STRICT_REG];
+       param.p2p_device = info->attrs[HWSIM_ATTR_SUPPORT_P2P_DEVICE];
+@@ -3147,7 +3148,9 @@ static int hwsim_new_radio_nl(struct sk_
+               param.regd = hwsim_world_regdom_custom[idx];
+       }
+-      return mac80211_hwsim_new_radio(info, &param);
++      ret = mac80211_hwsim_new_radio(info, &param);
++      kfree(hwname);
++      return ret;
+ }
+ static int hwsim_del_radio_nl(struct sk_buff *msg, struct genl_info *info)
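Review bot: `kfree(hwname)` is reached only on the path that ends in `mac80211_hwsim_new_radio()`, so any earlier `return` taken after the name has been copied would still leak it. The copy and the checks between it and the final call are outside this hunk. Confirm whether such returns exist; the regdom index handling just above the second hunk is a candidate. If they do, route them through a common exit: set `ret` and `goto out_free;`, with `out_free: kfree(hwname); return ret;` at the end of hwsim_new_radio_nl.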
diff --git a/queue-4.14/mailbox-mailbox-test-don-t-rely-on-rx_buffer-content-to-signal-data-ready.patch b/queue-4.14/mailbox-mailbox-test-don-t-rely-on-rx_buffer-content-to-signal-data-ready.patch
new file mode 100644 (file)
index 0000000..ad478b4
--- /dev/null
@@ -0,0 +1,73 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Thu, 28 Sep 2017 11:18:53 +0100
+Subject: mailbox: mailbox-test: don't rely on rx_buffer content to signal data ready
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+
+[ Upstream commit e339c80af95e14de3712d69ddea09a3868fa14cd ]
+
+Currently we rely on the first byte of the Rx buffer to check if there's
+any data available to be read. If the first byte of the received buffer
+is zero (i.e. null character), then we fail to signal that data is
+available even when it's available.
+
+Instead introduce a boolean variable to track the data availability and
+update it in the channel receive callback as ready and clear it when the
+data is read.
+
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mailbox/mailbox-test.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/mailbox/mailbox-test.c
++++ b/drivers/mailbox/mailbox-test.c
+@@ -30,6 +30,7 @@
+ #define MBOX_HEXDUMP_MAX_LEN  (MBOX_HEXDUMP_LINE_LEN *                \
+                                (MBOX_MAX_MSG_LEN / MBOX_BYTES_PER_LINE))
++static bool mbox_data_ready;
+ static struct dentry *root_debugfs_dir;
+ struct mbox_test_device {
+@@ -152,16 +153,14 @@ out:
+ static bool mbox_test_message_data_ready(struct mbox_test_device *tdev)
+ {
+-      unsigned char data;
++      bool data_ready;
+       unsigned long flags;
+       spin_lock_irqsave(&tdev->lock, flags);
+-      data = tdev->rx_buffer[0];
++      data_ready = mbox_data_ready;
+       spin_unlock_irqrestore(&tdev->lock, flags);
+-      if (data != '\0')
+-              return true;
+-      return false;
++      return data_ready;
+ }
+ static ssize_t mbox_test_message_read(struct file *filp, char __user *userbuf,
+@@ -223,6 +222,7 @@ static ssize_t mbox_test_message_read(st
+       *(touser + l) = '\0';
+       memset(tdev->rx_buffer, 0, MBOX_MAX_MSG_LEN);
++      mbox_data_ready = false;
+       spin_unlock_irqrestore(&tdev->lock, flags);
+@@ -292,6 +292,7 @@ static void mbox_test_receive_message(st
+                                    message, MBOX_MAX_MSG_LEN);
+               memcpy(tdev->rx_buffer, message, MBOX_MAX_MSG_LEN);
+       }
++      mbox_data_ready = true;
+       spin_unlock_irqrestore(&tdev->lock, flags);
+       wake_up_interruptible(&tdev->waitq);
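Review bot: `mbox_data_ready` is a single file-scope flag, yet it is read and written under the per-device `tdev->lock`. If more than one mbox_test_device is ever instantiated, the instances share the flag while holding different locks. A message received on one device would then report data ready to readers of another, and the accesses would not be serialized against each other. Keeping the state with the device avoids both: add `bool data_ready;` to `struct mbox_test_device` and use `tdev->data_ready` in mbox_test_message_data_ready(), mbox_test_message_read() and mbox_test_receive_message().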
diff --git a/queue-4.14/md-free-unused-memory-after-bitmap-resize.patch b/queue-4.14/md-free-unused-memory-after-bitmap-resize.patch
new file mode 100644 (file)
index 0000000..3ffa3a3
--- /dev/null
@@ -0,0 +1,71 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Zdenek Kabelac <zkabelac@redhat.com>
+Date: Wed, 8 Nov 2017 13:44:56 +0100
+Subject: md: free unused memory after bitmap resize
+
+From: Zdenek Kabelac <zkabelac@redhat.com>
+
+
+[ Upstream commit 0868b99c214a3d55486c700de7c3f770b7243e7c ]
+
+When bitmap is resized, the old kalloced chunks just are not released
+once the resized bitmap starts to use new space.
+
+This fixes in particular kmemleak reports like this one:
+
+unreferenced object 0xffff8f4311e9c000 (size 4096):
+  comm "lvm", pid 19333, jiffies 4295263268 (age 528.265s)
+  hex dump (first 32 bytes):
+    02 80 02 80 02 80 02 80 02 80 02 80 02 80 02 80  ................
+    02 80 02 80 02 80 02 80 02 80 02 80 02 80 02 80  ................
+  backtrace:
+    [<ffffffffa69471ca>] kmemleak_alloc+0x4a/0xa0
+    [<ffffffffa628c10e>] kmem_cache_alloc_trace+0x14e/0x2e0
+    [<ffffffffa676cfec>] bitmap_checkpage+0x7c/0x110
+    [<ffffffffa676d0c5>] bitmap_get_counter+0x45/0xd0
+    [<ffffffffa676d6b3>] bitmap_set_memory_bits+0x43/0xe0
+    [<ffffffffa676e41c>] bitmap_init_from_disk+0x23c/0x530
+    [<ffffffffa676f1ae>] bitmap_load+0xbe/0x160
+    [<ffffffffc04c47d3>] raid_preresume+0x203/0x2f0 [dm_raid]
+    [<ffffffffa677762f>] dm_table_resume_targets+0x4f/0xe0
+    [<ffffffffa6774b52>] dm_resume+0x122/0x140
+    [<ffffffffa6779b9f>] dev_suspend+0x18f/0x290
+    [<ffffffffa677a3a7>] ctl_ioctl+0x287/0x560
+    [<ffffffffa677a693>] dm_ctl_ioctl+0x13/0x20
+    [<ffffffffa62d6b46>] do_vfs_ioctl+0xa6/0x750
+    [<ffffffffa62d7269>] SyS_ioctl+0x79/0x90
+    [<ffffffffa6956d41>] entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+Signed-off-by: Zdenek Kabelac <zkabelac@redhat.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bitmap.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/md/bitmap.c
++++ b/drivers/md/bitmap.c
+@@ -2158,6 +2158,7 @@ int bitmap_resize(struct bitmap *bitmap,
+                               for (k = 0; k < page; k++) {
+                                       kfree(new_bp[k].map);
+                               }
++                              kfree(new_bp);
+                               /* restore some fields from old_counts */
+                               bitmap->counts.bp = old_counts.bp;
+@@ -2208,6 +2209,14 @@ int bitmap_resize(struct bitmap *bitmap,
+               block += old_blocks;
+       }
++      if (bitmap->counts.bp != old_counts.bp) {
++              unsigned long k;
++              for (k = 0; k < old_counts.pages; k++)
++                      if (!old_counts.bp[k].hijacked)
++                              kfree(old_counts.bp[k].map);
++              kfree(old_counts.bp);
++      }
++
+       if (!init) {
+               int i;
+               while (block < (chunks << chunkshift)) {
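Review bot: The new cleanup loop in bitmap_resize skips pages with `hijacked` set without saying why, and its nested `for`/`if` spans several lines with no braces. Presumably a hijacked page's `map` field does not point to an allocated buffer and so must not be passed to kfree(). A comment such as `/* hijacked pages keep their counters in ->map itself, nothing to free */` would make that explicit, with the wording checked against the struct definition. I would also put braces around the `for` body. bitmap_resize starts and ends outside the hunk.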
diff --git a/queue-4.14/net-smc-use-sk_rcvbuf-as-start-for-rmb-creation.patch b/queue-4.14/net-smc-use-sk_rcvbuf-as-start-for-rmb-creation.patch
new file mode 100644 (file)
index 0000000..5bceda0
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Ursula Braun <ursula.braun@de.ibm.com>
+Date: Tue, 21 Nov 2017 13:23:53 +0100
+Subject: net/smc: use sk_rcvbuf as start for rmb creation
+
+From: Ursula Braun <ursula.braun@de.ibm.com>
+
+
+[ Upstream commit 4e1061f4a2bba1669c7297455c73ddafbebf2b12 ]
+
+Commit 3e034725c0d8 ("net/smc: common functions for RMBs and send buffers")
+merged handling of SMC receive and send buffers. It introduced sk_buf_size
+as merged start value for size determination. But since sk_buf_size is not
+used at all, sk_sndbuf is erroneously used as start for rmb creation.
+This patch makes sure, sk_buf_size is really used as intended, and
+sk_rcvbuf is used as start value for rmb creation.
+
+Fixes: 3e034725c0d8 ("net/smc: common functions for RMBs and send buffers")
+Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
+Reviewed-by: Hans Wippel <hwippel@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/smc_core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/smc/smc_core.c
++++ b/net/smc/smc_core.c
+@@ -571,7 +571,7 @@ static int __smc_buf_create(struct smc_s
+               /* use socket send buffer size (w/o overhead) as start value */
+               sk_buf_size = smc->sk.sk_sndbuf / 2;
+-      for (bufsize_short = smc_compress_bufsize(smc->sk.sk_sndbuf / 2);
++      for (bufsize_short = smc_compress_bufsize(sk_buf_size);
+            bufsize_short >= 0; bufsize_short--) {
+               if (is_rmb) {
diff --git a/queue-4.14/nfp-fix-flower-offload-metadata-flag-usage.patch b/queue-4.14/nfp-fix-flower-offload-metadata-flag-usage.patch
new file mode 100644 (file)
index 0000000..624fea7
--- /dev/null
@@ -0,0 +1,71 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
+Date: Thu, 16 Nov 2017 17:06:39 -0800
+Subject: nfp: fix flower offload metadata flag usage
+
+From: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
+
+
+[ Upstream commit 6c3ab204f4ca00374a374bc0fc9a275b64d1bcbb ]
+
+Hardware has no notion of new or last mask id, instead it makes use of the
+message type (i.e. add flow or del flow) in combination with a single bit
+in metadata flags to determine when to add or delete a mask id. Previously
+we made use of the new or last flags to indicate that a new mask should be
+allocated or deallocated, respectively. This incorrect behaviour is fixed
+by making use single bit in metadata flags to indicate mask allocation or
+deallocation.
+
+Fixes: 43f84b72c50d ("nfp: add metadata to each flow offload")
+Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/main.h     |    3 +--
+ drivers/net/ethernet/netronome/nfp/flower/metadata.c |    7 +++++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/main.h
++++ b/drivers/net/ethernet/netronome/nfp/flower/main.h
+@@ -52,8 +52,7 @@ struct nfp_app;
+ #define NFP_FLOWER_MASK_ELEMENT_RS    1
+ #define NFP_FLOWER_MASK_HASH_BITS     10
+-#define NFP_FL_META_FLAG_NEW_MASK     128
+-#define NFP_FL_META_FLAG_LAST_MASK    1
++#define NFP_FL_META_FLAG_MANAGE_MASK  BIT(7)
+ #define NFP_FL_MASK_REUSE_TIME_NS     40000
+ #define NFP_FL_MASK_ID_LOCATION               1
+--- a/drivers/net/ethernet/netronome/nfp/flower/metadata.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/metadata.c
+@@ -282,7 +282,7 @@ nfp_check_mask_add(struct nfp_app *app,
+               id = nfp_add_mask_table(app, mask_data, mask_len);
+               if (id < 0)
+                       return false;
+-              *meta_flags |= NFP_FL_META_FLAG_NEW_MASK;
++              *meta_flags |= NFP_FL_META_FLAG_MANAGE_MASK;
+       }
+       *mask_id = id;
+@@ -299,6 +299,9 @@ nfp_check_mask_remove(struct nfp_app *ap
+       if (!mask_entry)
+               return false;
++      if (meta_flags)
++              *meta_flags &= ~NFP_FL_META_FLAG_MANAGE_MASK;
++
+       *mask_id = mask_entry->mask_id;
+       mask_entry->ref_cnt--;
+       if (!mask_entry->ref_cnt) {
+@@ -306,7 +309,7 @@ nfp_check_mask_remove(struct nfp_app *ap
+               nfp_release_mask_id(app, *mask_id);
+               kfree(mask_entry);
+               if (meta_flags)
+-                      *meta_flags |= NFP_FL_META_FLAG_LAST_MASK;
++                      *meta_flags |= NFP_FL_META_FLAG_MANAGE_MASK;
+       }
+       return true;
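Review bot: In the metadata.c hunks, nfp_check_mask_add() writes through `meta_flags` with no NULL test and never clears NFP_FL_META_FLAG_MANAGE_MASK, while nfp_check_mask_remove() guards every access with `if (meta_flags)` and clears the bit before deciding whether to set it. The add path therefore depends on the caller passing a valid pointer whose bit 7 is already clear. That is presumably true of the callers, but they are outside these hunks and the assumption is not written down anywhere visible. A one-line comment above the add-side assignment would record it, for example `/* caller passes non-NULL meta_flags with MANAGE_MASK clear */`. Both function bodies start and end outside the hunks.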
diff --git a/queue-4.14/nfp-inherit-the-max_mtu-from-the-pf-netdev.patch b/queue-4.14/nfp-inherit-the-max_mtu-from-the-pf-netdev.patch
new file mode 100644 (file)
index 0000000..f0157a6
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+Date: Thu, 16 Nov 2017 17:06:41 -0800
+Subject: nfp: inherit the max_mtu from the PF netdev
+
+From: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+
+
+[ Upstream commit 743ba5b47f7961fb29f2e06bb694fb4f068ac58f ]
+
+The PF netdev is used for data transfer for reprs, so reprs inherit the
+maximum MTU settings of the PF netdev.
+
+Fixes: 5de73ee46704 ("nfp: general representor implementation")
+Signed-off-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfp_net_repr.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net_repr.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_repr.c
+@@ -297,6 +297,8 @@ int nfp_repr_init(struct nfp_app *app, s
+       netdev->netdev_ops = &nfp_repr_netdev_ops;
+       netdev->ethtool_ops = &nfp_port_ethtool_ops;
++      netdev->max_mtu = pf_netdev->max_mtu;
++
+       SWITCHDEV_SET_OPS(netdev, &nfp_port_switchdev_ops);
+       if (nfp_app_has_tc(app)) {
diff --git a/queue-4.14/nfs-fix-a-typo-in-nfs_rename.patch b/queue-4.14/nfs-fix-a-typo-in-nfs_rename.patch
new file mode 100644 (file)
index 0000000..bf3d188
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Mon, 6 Nov 2017 15:28:04 -0500
+Subject: NFS: Fix a typo in nfs_rename()
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+
+[ Upstream commit d803224c84be067754db7fa58a93f36f61566493 ]
+
+On successful rename, the "old_dentry" is retained and is attached to
+the "new_dir", so we need to call nfs_set_verifier() accordingly.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/dir.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -2064,7 +2064,7 @@ out:
+                * should mark the directories for revalidation.
+                */
+               d_move(old_dentry, new_dentry);
+-              nfs_set_verifier(new_dentry,
++              nfs_set_verifier(old_dentry,
+                                       nfs_save_change_attribute(new_dir));
+       } else if (error == -ENOENT)
+               nfs_dentry_handle_enoent(old_dentry);
diff --git a/queue-4.14/nvmet-rdma-update-queue-list-during-ib_device-removal.patch b/queue-4.14/nvmet-rdma-update-queue-list-during-ib_device-removal.patch
new file mode 100644 (file)
index 0000000..4826217
--- /dev/null
@@ -0,0 +1,51 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Israel Rukshin <israelr@mellanox.com>
+Date: Sun, 5 Nov 2017 08:43:01 +0000
+Subject: nvmet-rdma: update queue list during ib_device removal
+
+From: Israel Rukshin <israelr@mellanox.com>
+
+
+[ Upstream commit 43b92fd27aaef0f529c9321cfebbaec1d7b8f503 ]
+
+A NULL deref happens when nvmet_rdma_remove_one() is called more than once
+(e.g. while connected via 2 ports).
+The first call frees the queues related to the first ib_device but
+doesn't remove them from the queue list.
+While calling nvmet_rdma_remove_one() for the second ib_device it goes over
+the full queue list again and we get the NULL deref.
+
+Fixes: f1d4ef7d ("nvmet-rdma: register ib_client to not deadlock in device removal")
+Signed-off-by: Israel Rukshin <israelr@mellanox.com>
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Reviewed-by: Sagi Grimberg <sagi@grmberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/target/rdma.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/nvme/target/rdma.c
++++ b/drivers/nvme/target/rdma.c
+@@ -1512,15 +1512,17 @@ static struct nvmet_fabrics_ops nvmet_rd
+ static void nvmet_rdma_remove_one(struct ib_device *ib_device, void *client_data)
+ {
+-      struct nvmet_rdma_queue *queue;
++      struct nvmet_rdma_queue *queue, *tmp;
+       /* Device is being removed, delete all queues using this device */
+       mutex_lock(&nvmet_rdma_queue_mutex);
+-      list_for_each_entry(queue, &nvmet_rdma_queue_list, queue_list) {
++      list_for_each_entry_safe(queue, tmp, &nvmet_rdma_queue_list,
++                               queue_list) {
+               if (queue->dev->device != ib_device)
+                       continue;
+               pr_info("Removing queue %d\n", queue->idx);
++              list_del_init(&queue->queue_list);
+               __nvmet_rdma_queue_disconnect(queue);
+       }
+       mutex_unlock(&nvmet_rdma_queue_mutex);
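Review bot: The added `list_del_init(&queue->queue_list)` carries the whole fix, but nothing at the call site says why the entry is unlinked here rather than inside the disconnect path. Per the description, a second nvmet_rdma_remove_one() call for another ib_device walks the full list again and hits queues the first call already tore down. I would add above it `/* unlink now: remove_one() for another device walks this list again */`. The choice of list_del_init() over list_del() presumably matters to code that later tests list_empty() on the entry; that code is outside the hunk, so confirm it and mention it in the comment.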
diff --git a/queue-4.14/pipe-match-pipe_max_size-data-type-with-procfs.patch b/queue-4.14/pipe-match-pipe_max_size-data-type-with-procfs.patch
new file mode 100644 (file)
index 0000000..d659c0d
--- /dev/null
@@ -0,0 +1,110 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Joe Lawrence <joe.lawrence@redhat.com>
+Date: Fri, 17 Nov 2017 15:29:17 -0800
+Subject: pipe: match pipe_max_size data type with procfs
+
+From: Joe Lawrence <joe.lawrence@redhat.com>
+
+
+[ Upstream commit 98159d977f71c3b3dee898d1c34e56f520b094e7 ]
+
+Patch series "A few round_pipe_size() and pipe-max-size fixups", v3.
+
+While backporting Michael's "pipe: fix limit handling" patchset to a
+distro-kernel, Mikulas noticed that current upstream pipe limit handling
+contains a few problems:
+
+  1 - procfs signed wrap: echo'ing a large number into
+      /proc/sys/fs/pipe-max-size and then cat'ing it back out shows a
+      negative value.
+
+  2 - round_pipe_size() nr_pages overflow on 32bit:  this would
+      subsequently try roundup_pow_of_two(0), which is undefined.
+
+  3 - visible non-rounded pipe-max-size value: there is no mutual
+      exclusion or protection between the time pipe_max_size is assigned
+      a raw value from proc_dointvec_minmax() and when it is rounded.
+
+  4 - unsigned long -> unsigned int conversion makes for potential odd
+      return errors from do_proc_douintvec_minmax_conv() and
+      do_proc_dopipe_max_size_conv().
+
+This version underwent the same testing as v1:
+https://marc.info/?l=linux-kernel&m=150643571406022&w=2
+
+This patch (of 4):
+
+pipe_max_size is defined as an unsigned int:
+
+  unsigned int pipe_max_size = 1048576;
+
+but its procfs/sysctl representation is an integer:
+
+  static struct ctl_table fs_table[] = {
+          ...
+          {
+                  .procname       = "pipe-max-size",
+                  .data           = &pipe_max_size,
+                  .maxlen         = sizeof(int),
+                  .mode           = 0644,
+                  .proc_handler   = &pipe_proc_fn,
+                  .extra1         = &pipe_min_size,
+          },
+          ...
+
+that is signed:
+
+  int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
+                   size_t *lenp, loff_t *ppos)
+  {
+          ...
+          ret = proc_dointvec_minmax(table, write, buf, lenp, ppos)
+
+This leads to signed results via procfs for large values of pipe_max_size:
+
+  % echo 2147483647 >/proc/sys/fs/pipe-max-size
+  % cat /proc/sys/fs/pipe-max-size
+  -2147483648
+
+Use unsigned operations on this variable to avoid such negative values.
+
+Link: http://lkml.kernel.org/r/1507658689-11669-2-git-send-email-joe.lawrence@redhat.com
+Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: Michael Kerrisk <mtk.manpages@gmail.com>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/pipe.c       |    2 +-
+ kernel/sysctl.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -1125,7 +1125,7 @@ int pipe_proc_fn(struct ctl_table *table
+ {
+       int ret;
+-      ret = proc_dointvec_minmax(table, write, buf, lenp, ppos);
++      ret = proc_douintvec_minmax(table, write, buf, lenp, ppos);
+       if (ret < 0 || !write)
+               return ret;
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -1822,7 +1822,7 @@ static struct ctl_table fs_table[] = {
+       {
+               .procname       = "pipe-max-size",
+               .data           = &pipe_max_size,
+-              .maxlen         = sizeof(int),
++              .maxlen         = sizeof(pipe_max_size),
+               .mode           = 0644,
+               .proc_handler   = &pipe_proc_fn,
+               .extra1         = &pipe_min_size,
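Review bot: After the switch to proc_douintvec_minmax() in fs/pipe.c, the `.extra1 = &pipe_min_size` bound in the kernel/sysctl.c hunk is read as an unsigned int, and the entry still has no `.extra2`, so a write is accepted for any value up to UINT_MAX. The description lists the consequence as problem 2, a round_pipe_size() overflow on 32-bit that ends in roundup_pow_of_two(0), and this patch (1 of 4) does not address it. The other three patches are not among the additions visible in this part of the queue, so confirm they are queued alongside this one. The declaration of pipe_min_size is outside both hunks and should be checked to be `unsigned int` too. pipe_proc_fn()'s body continues past the hunk.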
diff --git a/queue-4.14/powerpc-perf-fix-pmu_count-to-count-only-nest-imc-pmus.patch b/queue-4.14/powerpc-perf-fix-pmu_count-to-count-only-nest-imc-pmus.patch
new file mode 100644 (file)
index 0000000..82144ee
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Date: Wed, 22 Nov 2017 10:45:38 +0530
+Subject: powerpc/perf: Fix pmu_count to count only nest imc pmus
+
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+
+
+[ Upstream commit de34787f1096cce38e2590be0013b44418d14546 ]
+
+"pmu_count" in opal_imc_counters_probe() is intended to hold
+the number of successful nest imc pmu registerations. But
+current code also counts other imc units like core_imc and
+thread_imc. Patch add a check to count only nest imc pmus.
+
+Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/opal-imc.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/opal-imc.c
++++ b/arch/powerpc/platforms/powernv/opal-imc.c
+@@ -191,8 +191,10 @@ static int opal_imc_counters_probe(struc
+                       break;
+               }
+-              if (!imc_pmu_create(imc_dev, pmu_count, domain))
+-                      pmu_count++;
++              if (!imc_pmu_create(imc_dev, pmu_count, domain)) {
++                      if (domain == IMC_DOMAIN_NEST)
++                              pmu_count++;
++              }
+       }
+       return 0;
diff --git a/queue-4.14/powerpc-powernv-idle-round-up-latency-and-residency-values.patch b/queue-4.14/powerpc-powernv-idle-round-up-latency-and-residency-values.patch
new file mode 100644 (file)
index 0000000..e47f1e9
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+Date: Thu, 24 Aug 2017 00:28:41 +0530
+Subject: powerpc/powernv/idle: Round up latency and residency values
+
+From: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+
+
+[ Upstream commit 8d4e10e9ed9450e18fbbf6a8872be0eac9fd4999 ]
+
+On PowerNV platforms, firmware provides exit latency and
+target residency for each of the idle states in nano
+seconds.  Cpuidle framework expects the values in micro
+seconds.  Round up to nearest micro seconds to avoid errors
+in cases where the values are defined as fractional micro
+seconds.
+
+Default idle state of 'snooze' has exit latency of zero.  If
+other states have fractional micro second exit latency, they
+would get rounded down to zero micro second and make cpuidle
+framework choose deeper idle state when snooze loop is the
+right choice.
+
+Reported-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+Reviewed-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpuidle/cpuidle-powernv.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpuidle/cpuidle-powernv.c
++++ b/drivers/cpuidle/cpuidle-powernv.c
+@@ -384,9 +384,9 @@ static int powernv_add_idle_states(void)
+                * Firmware passes residency and latency values in ns.
+                * cpuidle expects it in us.
+                */
+-              exit_latency = latency_ns[i] / 1000;
++              exit_latency = DIV_ROUND_UP(latency_ns[i], 1000);
+               if (!rc)
+-                      target_residency = residency_ns[i] / 1000;
++                      target_residency = DIV_ROUND_UP(residency_ns[i], 1000);
+               else
+                       target_residency = 0;
diff --git a/queue-4.14/rdma-cxgb4-annotate-r2-and-stag-as-__be32.patch b/queue-4.14/rdma-cxgb4-annotate-r2-and-stag-as-__be32.patch
new file mode 100644 (file)
index 0000000..e95440c
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Leon Romanovsky <leon@kernel.org>
+Date: Wed, 25 Oct 2017 23:10:19 +0300
+Subject: RDMA/cxgb4: Annotate r2 and stag as __be32
+
+From: Leon Romanovsky <leon@kernel.org>
+
+
+[ Upstream commit 7d7d065a5eec7e218174d5c64a9f53f99ffdb119 ]
+
+Chelsio cxgb4 HW is big-endian, hence there is need to properly
+annotate r2 and stag fields as __be32 and not __u32 to fix the
+following sparse warnings.
+
+  drivers/infiniband/hw/cxgb4/qp.c:614:16:
+    warning: incorrect type in assignment (different base types)
+      expected unsigned int [unsigned] [usertype] r2
+      got restricted __be32 [usertype] <noident>
+  drivers/infiniband/hw/cxgb4/qp.c:615:18:
+    warning: incorrect type in assignment (different base types)
+      expected unsigned int [unsigned] [usertype] stag
+      got restricted __be32 [usertype] <noident>
+
+Cc: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/cxgb4/t4fw_ri_api.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/cxgb4/t4fw_ri_api.h
++++ b/drivers/infiniband/hw/cxgb4/t4fw_ri_api.h
+@@ -675,8 +675,8 @@ struct fw_ri_fr_nsmr_tpte_wr {
+       __u16  wrid;
+       __u8   r1[3];
+       __u8   len16;
+-      __u32  r2;
+-      __u32  stag;
++      __be32  r2;
++      __be32  stag;
+       struct fw_ri_tpte tpte;
+       __u64  pbl[2];
+ };
diff --git a/queue-4.14/route-also-update-fnhe_genid-when-updating-a-route-cache.patch b/queue-4.14/route-also-update-fnhe_genid-when-updating-a-route-cache.patch
new file mode 100644 (file)
index 0000000..e0bfe8e
--- /dev/null
@@ -0,0 +1,64 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 17 Nov 2017 14:27:18 +0800
+Subject: route: also update fnhe_genid when updating a route cache
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit cebe84c6190d741045a322f5343f717139993c08 ]
+
+Now when ip route flush cache and it turn out all fnhe_genid != genid.
+If a redirect/pmtu icmp packet comes and the old fnhe is found and all
+it's members but fnhe_genid will be updated.
+
+Then next time when it looks up route and tries to rebind this fnhe to
+the new dst, the fnhe will be flushed due to fnhe_genid != genid. It
+causes this redirect/pmtu icmp packet acutally not to be applied.
+
+This patch is to also reset fnhe_genid when updating a route cache.
+
+Fixes: 5aad1de5ea2c ("ipv4: use separate genid for next hop exceptions")
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -651,9 +651,12 @@ static void update_or_create_fnhe(struct
+       struct fnhe_hash_bucket *hash;
+       struct fib_nh_exception *fnhe;
+       struct rtable *rt;
++      u32 genid, hval;
+       unsigned int i;
+       int depth;
+-      u32 hval = fnhe_hashfun(daddr);
++
++      genid = fnhe_genid(dev_net(nh->nh_dev));
++      hval = fnhe_hashfun(daddr);
+       spin_lock_bh(&fnhe_lock);
+@@ -676,6 +679,8 @@ static void update_or_create_fnhe(struct
+       }
+       if (fnhe) {
++              if (fnhe->fnhe_genid != genid)
++                      fnhe->fnhe_genid = genid;
+               if (gw)
+                       fnhe->fnhe_gw = gw;
+               if (pmtu) {
+@@ -700,7 +705,7 @@ static void update_or_create_fnhe(struct
+                       fnhe->fnhe_next = hash->chain;
+                       rcu_assign_pointer(hash->chain, fnhe);
+               }
+-              fnhe->fnhe_genid = fnhe_genid(dev_net(nh->nh_dev));
++              fnhe->fnhe_genid = genid;
+               fnhe->fnhe_daddr = daddr;
+               fnhe->fnhe_gw = gw;
+               fnhe->fnhe_pmtu = pmtu;
diff --git a/queue-4.14/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch b/queue-4.14/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch
new file mode 100644 (file)
index 0000000..60cfc40
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 17 Nov 2017 14:27:06 +0800
+Subject: route: update fnhe_expires for redirect when the fnhe exists
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit e39d5246111399dbc6e11cd39fd8580191b86c47 ]
+
+Now when creating fnhe for redirect, it sets fnhe_expires for this
+new route cache. But when updating the exist one, it doesn't do it.
+It will cause this fnhe never to be expired.
+
+Paolo already noticed it before, in Jianlin's test case, it became
+even worse:
+
+When ip route flush cache, the old fnhe is not to be removed, but
+only clean it's members. When redirect comes again, this fnhe will
+be found and updated, but never be expired due to fnhe_expires not
+being set.
+
+So fix it by simply updating fnhe_expires even it's for redirect.
+
+Fixes: aee06da6726d ("ipv4: use seqlock for nh_exceptions")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -683,10 +683,9 @@ static void update_or_create_fnhe(struct
+                       fnhe->fnhe_genid = genid;
+               if (gw)
+                       fnhe->fnhe_gw = gw;
+-              if (pmtu) {
++              if (pmtu)
+                       fnhe->fnhe_pmtu = pmtu;
+-                      fnhe->fnhe_expires = max(1UL, expires);
+-              }
++              fnhe->fnhe_expires = max(1UL, expires);
+               /* Update all cached dsts too */
+               rt = rcu_dereference(fnhe->fnhe_rth_input);
+               if (rt)
diff --git a/queue-4.14/rsi-fix-memory-leak-on-buf-and-usb_reg_buf.patch b/queue-4.14/rsi-fix-memory-leak-on-buf-and-usb_reg_buf.patch
new file mode 100644 (file)
index 0000000..3b43395
--- /dev/null
@@ -0,0 +1,62 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 16 Nov 2017 17:39:18 +0000
+Subject: rsi: fix memory leak on buf and usb_reg_buf
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit d35ef8f846c72d84bfccf239c248c84f79c3a7e8 ]
+
+In the cases where len is too long, the error return path fails to
+kfree allocated buffers buf and usb_reg_buf.  The simplest fix is to
+perform the sanity check on len before the allocations to avoid having
+to do the kfree'ing in the first place.
+
+Detected by CoverityScan, CID#1452258,1452259 ("Resource Leak")
+
+Fixes: 59f73e2ae185 ("rsi: check length before USB read/write register")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -162,13 +162,13 @@ static int rsi_usb_reg_read(struct usb_d
+       u8 *buf;
+       int status = -ENOMEM;
++      if (len > RSI_USB_CTRL_BUF_SIZE)
++              return -EINVAL;
++
+       buf  = kmalloc(RSI_USB_CTRL_BUF_SIZE, GFP_KERNEL);
+       if (!buf)
+               return status;
+-      if (len > RSI_USB_CTRL_BUF_SIZE)
+-              return -EINVAL;
+-
+       status = usb_control_msg(usbdev,
+                                usb_rcvctrlpipe(usbdev, 0),
+                                USB_VENDOR_REGISTER_READ,
+@@ -207,13 +207,13 @@ static int rsi_usb_reg_write(struct usb_
+       u8 *usb_reg_buf;
+       int status = -ENOMEM;
++      if (len > RSI_USB_CTRL_BUF_SIZE)
++              return -EINVAL;
++
+       usb_reg_buf  = kmalloc(RSI_USB_CTRL_BUF_SIZE, GFP_KERNEL);
+       if (!usb_reg_buf)
+               return status;
+-      if (len > RSI_USB_CTRL_BUF_SIZE)
+-              return -EINVAL;
+-
+       usb_reg_buf[0] = (value & 0x00ff);
+       usb_reg_buf[1] = (value & 0xff00) >> 8;
+       usb_reg_buf[2] = 0x0;
diff --git a/queue-4.14/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch b/queue-4.14/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch
new file mode 100644 (file)
index 0000000..4dae732
--- /dev/null
@@ -0,0 +1,79 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 15 Nov 2017 16:55:54 +0800
+Subject: sctp: do not free asoc when it is already dead in sctp_sendmsg
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit ca3af4dd28cff4e7216e213ba3b671fbf9f84758 ]
+
+Now in sctp_sendmsg sctp_wait_for_sndbuf could schedule out without
+holding sock sk. It means the current asoc can be freed elsewhere,
+like when receiving an abort packet.
+
+If the asoc is just created in sctp_sendmsg and sctp_wait_for_sndbuf
+returns err, the asoc will be freed again due to new_asoc is not nil.
+An use-after-free issue would be triggered by this.
+
+This patch is to fix it by setting new_asoc with nil if the asoc is
+already dead when cpu schedules back, so that it will not be freed
+again in sctp_sendmsg.
+
+v1->v2:
+  set new_asoc as nil in sctp_sendmsg instead of sctp_wait_for_sndbuf.
+
+Suggested-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c |   17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1963,8 +1963,14 @@ static int sctp_sendmsg(struct sock *sk,
+       timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
+       if (!sctp_wspace(asoc)) {
+               err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
+-              if (err)
++              if (err) {
++                      if (err == -ESRCH) {
++                              /* asoc is already dead. */
++                              new_asoc = NULL;
++                              err = -EPIPE;
++                      }
+                       goto out_free;
++              }
+       }
+       /* If an address is passed with the sendto/sendmsg call, it is used
+@@ -7839,10 +7845,11 @@ static int sctp_wait_for_sndbuf(struct s
+       for (;;) {
+               prepare_to_wait_exclusive(&asoc->wait, &wait,
+                                         TASK_INTERRUPTIBLE);
++              if (asoc->base.dead)
++                      goto do_dead;
+               if (!*timeo_p)
+                       goto do_nonblock;
+-              if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING ||
+-                  asoc->base.dead)
++              if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING)
+                       goto do_error;
+               if (signal_pending(current))
+                       goto do_interrupted;
+@@ -7867,6 +7874,10 @@ out:
+       return err;
++do_dead:
++      err = -ESRCH;
++      goto out;
++
+ do_error:
+       err = -EPIPE;
+       goto out;
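Review bot: The new `do_dead` label returns -ESRCH purely as a private signal to sctp_sendmsg(), which rewrites it to -EPIPE and clears `new_asoc`, but neither side documents that contract. The existing comment `/* asoc is already dead. */` does not say why `new_asoc` is set to NULL. I would extend it to `/* asoc was freed while we slept; clear new_asoc so out_free does not free it again */` and add `/* -ESRCH is internal: sctp_sendmsg() maps it to -EPIPE */` above `do_dead:`. Any other caller of sctp_wait_for_sndbuf() would need the same translation, so check for one, since only this call site is visible. Both functions start and end outside the hunks.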
diff --git a/queue-4.14/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch b/queue-4.14/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch
new file mode 100644 (file)
index 0000000..7e2da12
--- /dev/null
@@ -0,0 +1,104 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 15 Nov 2017 16:57:26 +0800
+Subject: sctp: use the right sk after waking up from wait_buf sleep
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit cea0cc80a6777beb6eb643d4ad53690e1ad1d4ff ]
+
+Commit dfcb9f4f99f1 ("sctp: deny peeloff operation on asocs with threads
+sleeping on it") fixed the race between peeloff and wait sndbuf by
+checking waitqueue_active(&asoc->wait) in sctp_do_peeloff().
+
+But it actually doesn't work, as even if waitqueue_active returns false
+the waiting sndbuf thread may still not yet hold sk lock. After asoc is
+peeled off, sk is not asoc->base.sk any more, then to hold the old sk
+lock couldn't make assoc safe to access.
+
+This patch is to fix this by changing to hold the new sk lock if sk is
+not asoc->base.sk, meanwhile, also set the sk in sctp_sendmsg with the
+new sk.
+
+With this fix, there is no more race between peeloff and waitbuf, the
+check 'waitqueue_active' in sctp_do_peeloff can be removed.
+
+Thanks Marcelo and Neil for making this clear.
+
+v1->v2:
+  fix it by changing to lock the new sock instead of adding a flag in asoc.
+
+Suggested-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c |   21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -83,8 +83,8 @@
+ /* Forward declarations for internal helper functions. */
+ static int sctp_writeable(struct sock *sk);
+ static void sctp_wfree(struct sk_buff *skb);
+-static int sctp_wait_for_sndbuf(struct sctp_association *, long *timeo_p,
+-                              size_t msg_len);
++static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
++                              size_t msg_len, struct sock **orig_sk);
+ static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p);
+ static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p);
+ static int sctp_wait_for_accept(struct sock *sk, long timeo);
+@@ -1962,7 +1962,8 @@ static int sctp_sendmsg(struct sock *sk,
+       timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
+       if (!sctp_wspace(asoc)) {
+-              err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
++              /* sk can be changed by peel off when waiting for buf. */
++              err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk);
+               if (err) {
+                       if (err == -ESRCH) {
+                               /* asoc is already dead. */
+@@ -4949,12 +4950,6 @@ int sctp_do_peeloff(struct sock *sk, sct
+       if (!asoc)
+               return -EINVAL;
+-      /* If there is a thread waiting on more sndbuf space for
+-       * sending on this asoc, it cannot be peeled.
+-       */
+-      if (waitqueue_active(&asoc->wait))
+-              return -EBUSY;
+-
+       /* An association cannot be branched off from an already peeled-off
+        * socket, nor is this supported for tcp style sockets.
+        */
+@@ -7828,7 +7823,7 @@ void sctp_sock_rfree(struct sk_buff *skb
+ /* Helper function to wait for space in the sndbuf.  */
+ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+-                              size_t msg_len)
++                              size_t msg_len, struct sock **orig_sk)
+ {
+       struct sock *sk = asoc->base.sk;
+       int err = 0;
+@@ -7862,11 +7857,17 @@ static int sctp_wait_for_sndbuf(struct s
+               release_sock(sk);
+               current_timeo = schedule_timeout(current_timeo);
+               lock_sock(sk);
++              if (sk != asoc->base.sk) {
++                      release_sock(sk);
++                      sk = asoc->base.sk;
++                      lock_sock(sk);
++              }
+               *timeo_p = current_timeo;
+       }
+ out:
++      *orig_sk = sk;
+       finish_wait(&asoc->wait, &wait);
+       /* Release the association's refcnt.  */
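Review bot: In the sctp_wait_for_sndbuf() hunk, the new block locks `asoc->base.sk` and hands it back through `*orig_sk`, but nothing visible takes a reference on that socket. The sendmsg caller came in on the old socket, so the new socket's lifetime appears to rest only on the association's hold. If so, the refcount release that follows `out:` could leave sctp_sendmsg() holding a lock on a socket that another thread is free to close; the rest of both functions is outside the hunks, so this needs checking against the full source. A narrower change would be to fail under the old socket's lock instead of switching sockets, for example `if (sk != asoc->base.sk) goto do_error;` right after `lock_sock(sk)`. Whichever form is kept, add a comment stating why a single `if` is enough, i.e. that a peeled-off association cannot be peeled off again.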
index e5cca29cff52918572dfdf2e6b17fc6cd135e6cc..d02367931bd8414848346fa35bf5b640e06c38df 100644 (file)
@@ -102,3 +102,63 @@ crypto-talitos-fix-use-of-sg_link_tbl_len.patch
 crypto-talitos-fix-ctr-aes-talitos.patch
 arm-bug-if-jumping-to-usermode-address-in-kernel-mode.patch
 arm-avoid-faulting-on-qemu.patch
+irqchip-qcom-fix-u32-comparison-with-value-less-than-zero.patch
+net-smc-use-sk_rcvbuf-as-start-for-rmb-creation.patch
+kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch
+coccinelle-fix-parallel-build-with-check-scripts-coccicheck.patch
+powerpc-perf-fix-pmu_count-to-count-only-nest-imc-pmus.patch
+apparmor-fix-leak-of-null-profile-name-if-profile-allocation-fails.patch
+x86-mpx-selftests-fix-up-weird-arrays.patch
+mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch
+gre6-use-log_ecn_error-module-parameter-in-ip6_tnl_rcv.patch
+route-also-update-fnhe_genid-when-updating-a-route-cache.patch
+route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch
+rsi-fix-memory-leak-on-buf-and-usb_reg_buf.patch
+drivers-rapidio-devices-rio_mport_cdev.c-fix-resource-leak-in-error-handling-path-in-rio_dma_transfer.patch
+pipe-match-pipe_max_size-data-type-with-procfs.patch
+lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch
+dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch
+nfs-fix-a-typo-in-nfs_rename.patch
+sunrpc-fix-rpc_task_begin-trace-point.patch
+nfp-inherit-the-max_mtu-from-the-pf-netdev.patch
+nfp-fix-flower-offload-metadata-flag-usage.patch
+xfs-fix-forgotten-rcu-read-unlock-when-skipping-inode-reclaim.patch
+dt-bindings-usb-fix-reg-property-port-number-range.patch
+block-wake-up-all-tasks-blocked-in-get_request.patch
+sparc64-mm-set-fields-in-deferred-pages.patch
+zsmalloc-calling-zs_map_object-from-irq-is-a-bug.patch
+slub-fix-sysfs-duplicate-filename-creation-when-slub_debug-o.patch
+sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch
+sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch
+fcntl-don-t-leak-fd-reference-when-fixup_compat_flock-fails.patch
+geneve-fix-fill_info-when-link-down.patch
+bpf-fix-lockdep-splat.patch
+clk-stm32h7-fix-test-of-clock-config.patch
+clk-sunxi-ng-a83t-fix-i2c-buses-bits.patch
+clk-qcom-common-fix-legacy-board-clock-registration.patch
+clk-uniphier-fix-dapll2-clock-rate-of-pro5.patch
+clk-hi3660-fix-incorrect-uart3-clock-freqency.patch
+mailbox-mailbox-test-don-t-rely-on-rx_buffer-content-to-signal-data-ready.patch
+kbuild-rpm-pkg-fix-jobserver-unavailable-warning.patch
+atm-horizon-fix-irq-release-error.patch
+jump_label-invoke-jump_label_test-via-early_initcall.patch
+tls-use-kzalloc-for-aead_request-allocation.patch
+xfrm-copy-policy-family-in-clone_policy.patch
+f2fs-fix-to-clear-fi_no_prealloc.patch
+bnxt_re-changing-the-ip-address-shouldn-t-affect-new-connections.patch
+ib-mlx4-increase-maximal-message-size-under-ud-qp.patch
+ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch
+afs-fix-total-length-calculation-for-multiple-page-send.patch
+afs-connect-up-the-cb.probeuuid.patch
+kbuild-do-not-call-cc-option-before-kbuild_cflags-initialization.patch
+powerpc-powernv-idle-round-up-latency-and-residency-values.patch
+ipvlan-fix-ipv6-outbound-device.patch
+ide-ide-atapi-fix-compile-error-with-defining-macro-debug.patch
+blk-mq-avoid-that-request-queue-removal-can-trigger-list-corruption.patch
+nvmet-rdma-update-queue-list-during-ib_device-removal.patch
+audit-allow-auditd-to-set-pid-to-0-to-end-auditing.patch
+audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch
+dm-raid-fix-panic-when-attempting-to-force-a-raid-to-sync.patch
+md-free-unused-memory-after-bitmap-resize.patch
+rdma-cxgb4-annotate-r2-and-stag-as-__be32.patch
+x86-intel_rdt-fix-potential-deadlock-during-resctrl-unmount.patch
diff --git a/queue-4.14/slub-fix-sysfs-duplicate-filename-creation-when-slub_debug-o.patch b/queue-4.14/slub-fix-sysfs-duplicate-filename-creation-when-slub_debug-o.patch
new file mode 100644 (file)
index 0000000..4330a01
--- /dev/null
@@ -0,0 +1,85 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Miles Chen <miles.chen@mediatek.com>
+Date: Wed, 15 Nov 2017 17:32:25 -0800
+Subject: slub: fix sysfs duplicate filename creation when slub_debug=O
+
+From: Miles Chen <miles.chen@mediatek.com>
+
+
+[ Upstream commit 11066386efa692f77171484c32ea30f6e5a0d729 ]
+
+When slub_debug=O is set.  It is possible to clear debug flags for an
+"unmergeable" slab cache in kmem_cache_open().  It makes the "unmergeable"
+cache became "mergeable" in sysfs_slab_add().
+
+These caches will generate their "unique IDs" by create_unique_id(), but
+it is possible to create identical unique IDs.  In my experiment,
+sgpool-128, names_cache, biovec-256 generate the same ID ":Ft-0004096" and
+the kernel reports "sysfs: cannot create duplicate filename
+'/kernel/slab/:Ft-0004096'".
+
+To repeat my experiment, set disable_higher_order_debug=1,
+CONFIG_SLUB_DEBUG_ON=y in kernel-4.14.
+
+Fix this issue by setting unmergeable=1 if slub_debug=O and the the
+default slub_debug contains any no-merge flags.
+
+call path:
+kmem_cache_create()
+  __kmem_cache_alias() -> we set SLAB_NEVER_MERGE flags here
+  create_cache()
+    __kmem_cache_create()
+      kmem_cache_open()        -> clear DEBUG_METADATA_FLAGS
+      sysfs_slab_add() -> the slab cache is mergeable now
+
+  sysfs: cannot create duplicate filename '/kernel/slab/:Ft-0004096'
+  ------------[ cut here ]------------
+  WARNING: CPU: 0 PID: 1 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x60/0x7c
+  Modules linked in:
+  CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W       4.14.0-rc7ajb-00131-gd4c2e9f-dirty #123
+  Hardware name: linux,dummy-virt (DT)
+  task: ffffffc07d4e0080 task.stack: ffffff8008008000
+  PC is at sysfs_warn_dup+0x60/0x7c
+  LR is at sysfs_warn_dup+0x60/0x7c
+  pc :  lr :  pstate: 60000145
+  Call trace:
+   sysfs_warn_dup+0x60/0x7c
+   sysfs_create_dir_ns+0x98/0xa0
+   kobject_add_internal+0xa0/0x294
+   kobject_init_and_add+0x90/0xb4
+   sysfs_slab_add+0x90/0x200
+   __kmem_cache_create+0x26c/0x438
+   kmem_cache_create+0x164/0x1f4
+   sg_pool_init+0x60/0x100
+   do_one_initcall+0x38/0x12c
+   kernel_init_freeable+0x138/0x1d4
+   kernel_init+0x10/0xfc
+   ret_from_fork+0x10/0x18
+
+Link: http://lkml.kernel.org/r/1510365805-5155-1-git-send-email-miles.chen@mediatek.com
+Signed-off-by: Miles Chen <miles.chen@mediatek.com>
+Acked-by: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slub.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -5704,6 +5704,10 @@ static int sysfs_slab_add(struct kmem_ca
+               return 0;
+       }
++      if (!unmergeable && disable_higher_order_debug &&
++                      (slub_debug & DEBUG_METADATA_FLAGS))
++              unmergeable = 1;
++
+       if (unmergeable) {
+               /*
+                * Slabcache can never be merged so we can use the name proper.
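Review bot: The added test in sysfs_slab_add(), `if (!unmergeable && disable_higher_order_debug && (slub_debug & DEBUG_METADATA_FLAGS))`, has no comment, and nothing in the code links it to the flag clearing in kmem_cache_open() that the commit message describes. I would add above it `/* slub_debug=O may have cleared debug flags in kmem_cache_open(); keep the cache's own name so two caches cannot end up with the same unique ID */`. Only part of sysfs_slab_add() is inside the hunk, so how `unmergeable` is first computed is not visible here.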
diff --git a/queue-4.14/sparc64-mm-set-fields-in-deferred-pages.patch b/queue-4.14/sparc64-mm-set-fields-in-deferred-pages.patch
new file mode 100644 (file)
index 0000000..78b16c9
--- /dev/null
@@ -0,0 +1,107 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Pavel Tatashin <pasha.tatashin@oracle.com>
+Date: Wed, 15 Nov 2017 17:36:18 -0800
+Subject: sparc64/mm: set fields in deferred pages
+
+From: Pavel Tatashin <pasha.tatashin@oracle.com>
+
+
+[ Upstream commit 2a20aa171071a334d80c4e5d5af719d8374702fc ]
+
+Without deferred struct page feature (CONFIG_DEFERRED_STRUCT_PAGE_INIT),
+flags and other fields in "struct page"es are never changed prior to
+first initializing struct pages by going through __init_single_page().
+
+With deferred struct page feature enabled there is a case where we set
+some fields prior to initializing:
+
+mem_init() {
+     register_page_bootmem_info();
+     free_all_bootmem();
+     ...
+}
+
+When register_page_bootmem_info() is called only non-deferred struct
+pages are initialized.  But, this function goes through some reserved
+pages which might be part of the deferred, and thus are not yet
+initialized.
+
+mem_init
+register_page_bootmem_info
+register_page_bootmem_info_node
+ get_page_bootmem
+  .. setting fields here ..
+  such as: page->freelist = (void *)type;
+
+free_all_bootmem()
+free_low_memory_core_early()
+ for_each_reserved_mem_region()
+  reserve_bootmem_region()
+   init_reserved_page() <- Only if this is deferred reserved page
+    __init_single_pfn()
+     __init_single_page()
+      memset(0) <-- Loose the set fields here
+
+We end up with similar issue as in the previous patch, where currently
+we do not observe problem as memory is zeroed.  But, if flag asserts are
+changed we can start hitting issues.
+
+Also, because in this patch series we will stop zeroing struct page
+memory during allocation, we must make sure that struct pages are
+properly initialized prior to using them.
+
+The deferred-reserved pages are initialized in free_all_bootmem().
+Therefore, the fix is to switch the above calls.
+
+Link: http://lkml.kernel.org/r/20171013173214.27300-4-pasha.tatashin@oracle.com
+Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
+Reviewed-by: Steven Sistare <steven.sistare@oracle.com>
+Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Reviewed-by: Bob Picco <bob.picco@oracle.com>
+Acked-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/mm/init_64.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc/mm/init_64.c
++++ b/arch/sparc/mm/init_64.c
+@@ -2540,10 +2540,17 @@ void __init mem_init(void)
+ {
+       high_memory = __va(last_valid_pfn << PAGE_SHIFT);
+-      register_page_bootmem_info();
+       free_all_bootmem();
+       /*
++       * Must be done after boot memory is put on freelist, because here we
++       * might set fields in deferred struct pages that have not yet been
++       * initialized, and free_all_bootmem() initializes all the reserved
++       * deferred pages for us.
++       */
++      register_page_bootmem_info();
++
++      /*
+        * Set up the zero page, mark it reserved, so that page count
+        * is not manipulated when freeing the page from user ptes.
+        */
diff --git a/queue-4.14/sunrpc-fix-rpc_task_begin-trace-point.patch b/queue-4.14/sunrpc-fix-rpc_task_begin-trace-point.patch
new file mode 100644 (file)
index 0000000..32fc6de
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Fri, 3 Nov 2017 13:46:06 -0400
+Subject: sunrpc: Fix rpc_task_begin trace point
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+
+[ Upstream commit b2bfe5915d5fe7577221031a39ac722a0a2a1199 ]
+
+The rpc_task_begin trace point always display a task ID of zero.
+Move the trace point call site so that it picks up the new task ID.
+
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/sched.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/sunrpc/sched.c
++++ b/net/sunrpc/sched.c
+@@ -274,10 +274,9 @@ static inline void rpc_task_set_debuginf
+ static void rpc_set_active(struct rpc_task *task)
+ {
+-      trace_rpc_task_begin(task->tk_client, task, NULL);
+-
+       rpc_task_set_debuginfo(task);
+       set_bit(RPC_TASK_ACTIVE, &task->tk_runstate);
++      trace_rpc_task_begin(task->tk_client, task, NULL);
+ }
+ /*
diff --git a/queue-4.14/tls-use-kzalloc-for-aead_request-allocation.patch b/queue-4.14/tls-use-kzalloc-for-aead_request-allocation.patch
new file mode 100644 (file)
index 0000000..3b8cc25
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Ilya Lesokhin <ilyal@mellanox.com>
+Date: Mon, 13 Nov 2017 10:22:44 +0200
+Subject: tls: Use kzalloc for aead_request allocation
+
+From: Ilya Lesokhin <ilyal@mellanox.com>
+
+
+[ Upstream commit 61ef6da622aa7b66bf92991bd272490eea6c712e ]
+
+Use kzalloc for aead_request allocation as
+we don't set all the bits in the request.
+
+Fixes: 3c4d7559159b ('tls: kernel TLS support')
+Signed-off-by: Ilya Lesokhin <ilyal@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_sw.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -219,7 +219,7 @@ static int tls_do_encryption(struct tls_
+       struct aead_request *aead_req;
+       int rc;
+-      aead_req = kmalloc(req_size, flags);
++      aead_req = kzalloc(req_size, flags);
+       if (!aead_req)
+               return -ENOMEM;
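Review bot: The switch to `kzalloc(req_size, flags)` in tls_do_encryption() carries no comment, so the reason the request must start zeroed is recorded only in the commit message and a later cleanup could turn the call back into kmalloc. I would add `/* zeroed: not all fields of the request are set below */` above the allocation. Zeroing the whole `req_size` also hides which fields are left unset. Whether they could be initialised explicitly cannot be judged here, because the rest of the function is outside the hunk.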
diff --git a/queue-4.14/x86-intel_rdt-fix-potential-deadlock-during-resctrl-unmount.patch b/queue-4.14/x86-intel_rdt-fix-potential-deadlock-during-resctrl-unmount.patch
new file mode 100644 (file)
index 0000000..bbd9394
--- /dev/null
@@ -0,0 +1,159 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Reinette Chatre <reinette.chatre@intel.com>
+Date: Fri, 20 Oct 2017 02:16:58 -0700
+Subject: x86/intel_rdt: Fix potential deadlock during resctrl unmount
+
+From: Reinette Chatre <reinette.chatre@intel.com>
+
+
+[ Upstream commit 36b6f9fcb8928c06b6638a4cf91bc9d69bb49aa2 ]
+
+Lockdep warns about a potential deadlock:
+
+[   66.782842] ======================================================
+[   66.782888] WARNING: possible circular locking dependency detected
+[   66.782937] 4.14.0-rc2-test-test+ #48 Not tainted
+[   66.782983] ------------------------------------------------------
+[   66.783052] umount/336 is trying to acquire lock:
+[   66.783117]  (cpu_hotplug_lock.rw_sem){++++}, at: [<ffffffff81032395>] rdt_kill_sb+0x215/0x390
+[   66.783193]
+               but task is already holding lock:
+[   66.783244]  (rdtgroup_mutex){+.+.}, at: [<ffffffff810321b6>] rdt_kill_sb+0x36/0x390
+[   66.783305]
+               which lock already depends on the new lock.
+
+[   66.783364]
+               the existing dependency chain (in reverse order) is:
+[   66.783419]
+               -> #3 (rdtgroup_mutex){+.+.}:
+[   66.783467]        __lock_acquire+0x1293/0x13f0
+[   66.783509]        lock_acquire+0xaf/0x220
+[   66.783543]        __mutex_lock+0x71/0x9b0
+[   66.783575]        mutex_lock_nested+0x1b/0x20
+[   66.783610]        intel_rdt_online_cpu+0x3b/0x430
+[   66.783649]        cpuhp_invoke_callback+0xab/0x8e0
+[   66.783687]        cpuhp_thread_fun+0x7a/0x150
+[   66.783722]        smpboot_thread_fn+0x1cc/0x270
+[   66.783764]        kthread+0x16e/0x190
+[   66.783794]        ret_from_fork+0x27/0x40
+[   66.783825]
+               -> #2 (cpuhp_state){+.+.}:
+[   66.783870]        __lock_acquire+0x1293/0x13f0
+[   66.783906]        lock_acquire+0xaf/0x220
+[   66.783938]        cpuhp_issue_call+0x102/0x170
+[   66.783974]        __cpuhp_setup_state_cpuslocked+0x154/0x2a0
+[   66.784023]        __cpuhp_setup_state+0xc7/0x170
+[   66.784061]        page_writeback_init+0x43/0x67
+[   66.784097]        pagecache_init+0x43/0x4a
+[   66.784131]        start_kernel+0x3ad/0x3f7
+[   66.784165]        x86_64_start_reservations+0x2a/0x2c
+[   66.784204]        x86_64_start_kernel+0x72/0x75
+[   66.784241]        verify_cpu+0x0/0xfb
+[   66.784270]
+               -> #1 (cpuhp_state_mutex){+.+.}:
+[   66.784319]        __lock_acquire+0x1293/0x13f0
+[   66.784355]        lock_acquire+0xaf/0x220
+[   66.784387]        __mutex_lock+0x71/0x9b0
+[   66.784419]        mutex_lock_nested+0x1b/0x20
+[   66.784454]        __cpuhp_setup_state_cpuslocked+0x52/0x2a0
+[   66.784497]        __cpuhp_setup_state+0xc7/0x170
+[   66.784535]        page_alloc_init+0x28/0x30
+[   66.784569]        start_kernel+0x148/0x3f7
+[   66.784602]        x86_64_start_reservations+0x2a/0x2c
+[   66.784642]        x86_64_start_kernel+0x72/0x75
+[   66.784678]        verify_cpu+0x0/0xfb
+[   66.784707]
+               -> #0 (cpu_hotplug_lock.rw_sem){++++}:
+[   66.784759]        check_prev_add+0x32f/0x6e0
+[   66.784794]        __lock_acquire+0x1293/0x13f0
+[   66.784830]        lock_acquire+0xaf/0x220
+[   66.784863]        cpus_read_lock+0x3d/0xb0
+[   66.784896]        rdt_kill_sb+0x215/0x390
+[   66.784930]        deactivate_locked_super+0x3e/0x70
+[   66.784968]        deactivate_super+0x40/0x60
+[   66.785003]        cleanup_mnt+0x3f/0x80
+[   66.785034]        __cleanup_mnt+0x12/0x20
+[   66.785070]        task_work_run+0x8b/0xc0
+[   66.785103]        exit_to_usermode_loop+0x94/0xa0
+[   66.786804]        syscall_return_slowpath+0xe8/0x150
+[   66.788502]        entry_SYSCALL_64_fastpath+0xab/0xad
+[   66.790194]
+               other info that might help us debug this:
+
+[   66.795139] Chain exists of:
+                 cpu_hotplug_lock.rw_sem --> cpuhp_state --> rdtgroup_mutex
+
+[   66.800035]  Possible unsafe locking scenario:
+
+[   66.803267]        CPU0                    CPU1
+[   66.804867]        ----                    ----
+[   66.806443]   lock(rdtgroup_mutex);
+[   66.808002]                                lock(cpuhp_state);
+[   66.809565]                                lock(rdtgroup_mutex);
+[   66.811110]   lock(cpu_hotplug_lock.rw_sem);
+[   66.812608]
+                *** DEADLOCK ***
+
+[   66.816983] 2 locks held by umount/336:
+[   66.818418]  #0:  (&type->s_umount_key#35){+.+.}, at: [<ffffffff81229738>] deactivate_super+0x38/0x60
+[   66.819922]  #1:  (rdtgroup_mutex){+.+.}, at: [<ffffffff810321b6>] rdt_kill_sb+0x36/0x390
+
+When the resctrl filesystem is unmounted the locks should be obtain in the
+locks in the same order as was done when the cpus came online:
+
+      cpu_hotplug_lock before rdtgroup_mutex.
+
+This also requires to switch the static_branch_disable() calls to the
+_cpulocked variant because now cpu hotplug lock is held already.
+
+[ tglx: Switched to cpus_read_[un]lock ]
+
+Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+Acked-by: Vikas Shivappa <vikas.shivappa@linux.intel.com>
+Acked-by: Fenghua Yu <fenghua.yu@intel.com>
+Acked-by: Tony Luck <tony.luck@intel.com>
+Link: https://lkml.kernel.org/r/cc292e76be073f7260604651711c47b09fd0dc81.1508490116.git.reinette.chatre@intel.com
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/intel_rdt_rdtgroup.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
++++ b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
+@@ -1297,9 +1297,7 @@ static void rmdir_all_sub(void)
+               kfree(rdtgrp);
+       }
+       /* Notify online CPUs to update per cpu storage and PQR_ASSOC MSR */
+-      get_online_cpus();
+       update_closid_rmid(cpu_online_mask, &rdtgroup_default);
+-      put_online_cpus();
+       kernfs_remove(kn_info);
+       kernfs_remove(kn_mongrp);
+@@ -1310,6 +1308,7 @@ static void rdt_kill_sb(struct super_blo
+ {
+       struct rdt_resource *r;
++      cpus_read_lock();
+       mutex_lock(&rdtgroup_mutex);
+       /*Put everything back to default values. */
+@@ -1317,11 +1316,12 @@ static void rdt_kill_sb(struct super_blo
+               reset_all_ctrls(r);
+       cdp_disable();
+       rmdir_all_sub();
+-      static_branch_disable(&rdt_alloc_enable_key);
+-      static_branch_disable(&rdt_mon_enable_key);
+-      static_branch_disable(&rdt_enable_key);
++      static_branch_disable_cpuslocked(&rdt_alloc_enable_key);
++      static_branch_disable_cpuslocked(&rdt_mon_enable_key);
++      static_branch_disable_cpuslocked(&rdt_enable_key);
+       kernfs_kill_sb(sb);
+       mutex_unlock(&rdtgroup_mutex);
++      cpus_read_unlock();
+ }
+ static struct file_system_type rdt_fs_type = {
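Review bot: rmdir_all_sub() now calls `update_closid_rmid(cpu_online_mask, &rdtgroup_default)` without taking the hotplug lock itself and relies on rdt_kill_sb() having called `cpus_read_lock()`, but nothing in the function states or checks that. I would add `lockdep_assert_cpus_held();` before the update_closid_rmid() call so that a future caller which skips the lock is reported by lockdep. The required order, cpu_hotplug_lock before rdtgroup_mutex, deserves a one-line comment at the `cpus_read_lock()` call in rdt_kill_sb(), for example `/* lock order: cpu_hotplug_lock, then rdtgroup_mutex (same as CPU online) */`. rmdir_all_sub() begins outside its hunk, so other callers are not visible here.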
diff --git a/queue-4.14/x86-mpx-selftests-fix-up-weird-arrays.patch b/queue-4.14/x86-mpx-selftests-fix-up-weird-arrays.patch
new file mode 100644 (file)
index 0000000..df9997e
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Fri, 10 Nov 2017 16:12:29 -0800
+Subject: x86/mpx/selftests: Fix up weird arrays
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+
+[ Upstream commit a6400120d042397675fcf694060779d21e9e762d ]
+
+The MPX hardware data structurse are defined in a weird way: they define
+their size in bytes and then union that with the type with which we want
+to access them.
+
+Yes, this is weird, but it does work.  But, new GCC's complain that we
+are accessing the array out of bounds.  Just make it a zero-sized array
+so gcc will stop complaining.  There was not really a bug here.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20171111001229.58A7933D@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/mpx-hw.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/x86/mpx-hw.h
++++ b/tools/testing/selftests/x86/mpx-hw.h
+@@ -52,14 +52,14 @@
+ struct mpx_bd_entry {
+       union {
+               char x[MPX_BOUNDS_DIR_ENTRY_SIZE_BYTES];
+-              void *contents[1];
++              void *contents[0];
+       };
+ } __attribute__((packed));
+ struct mpx_bt_entry {
+       union {
+               char x[MPX_BOUNDS_TABLE_ENTRY_SIZE_BYTES];
+-              unsigned long contents[1];
++              unsigned long contents[0];
+       };
+ } __attribute__((packed));
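Review bot: With `contents[0]` the declarations in struct mpx_bd_entry and struct mpx_bt_entry no longer give any bound for `contents`, and a zero-length array is a GNU extension, so neither the compiler nor a reader can tell how many elements may be accessed. I would add a comment on each union such as `/* contents[] overlays x[]; valid indices are limited by the size of x */`. The commit message states there was no real out-of-bounds access, so this is a documentation point only.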
diff --git a/queue-4.14/xfrm-copy-policy-family-in-clone_policy.patch b/queue-4.14/xfrm-copy-policy-family-in-clone_policy.patch
new file mode 100644 (file)
index 0000000..7c91f9c
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 10 Nov 2017 14:14:06 +1100
+Subject: xfrm: Copy policy family in clone_policy
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+
+[ Upstream commit 0e74aa1d79a5bbc663e03a2804399cae418a0321 ]
+
+The syzbot found an ancient bug in the IPsec code.  When we cloned
+a socket policy (for example, for a child TCP socket derived from a
+listening socket), we did not copy the family field.  This results
+in a live policy with a zero family field.  This triggers a BUG_ON
+check in the af_key code when the cloned policy is retrieved.
+
+This patch fixes it by copying the family field over.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_policy.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1306,6 +1306,7 @@ static struct xfrm_policy *clone_policy(
+               newp->xfrm_nr = old->xfrm_nr;
+               newp->index = old->index;
+               newp->type = old->type;
++              newp->family = old->family;
+               memcpy(newp->xfrm_vec, old->xfrm_vec,
+                      newp->xfrm_nr*sizeof(struct xfrm_tmpl));
+               spin_lock_bh(&net->xfrm.xfrm_policy_lock);
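Review bot: clone_policy() copies the policy one field at a time, and the added `newp->family = old->family;` shows that a field left off this list yields a live policy with a zero value that is noticed only much later. I would put a comment above the assignments, e.g. `/* every field that policy users rely on must be copied here; keep in sync with struct xfrm_policy */`. Whether other fields are still missing cannot be checked from this hunk, because the function starts and ends outside it.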
diff --git a/queue-4.14/xfs-fix-forgotten-rcu-read-unlock-when-skipping-inode-reclaim.patch b/queue-4.14/xfs-fix-forgotten-rcu-read-unlock-when-skipping-inode-reclaim.patch
new file mode 100644 (file)
index 0000000..600f969
--- /dev/null
@@ -0,0 +1,76 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 14 Nov 2017 16:34:44 -0800
+Subject: xfs: fix forgotten rcu read unlock when skipping inode reclaim
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+
+[ Upstream commit 962cc1ad6caddb5abbb9f0a43e5abe7131a71f18 ]
+
+In commit f2e9ad21 ("xfs: check for race with xfs_reclaim_inode"), we
+skip an inode if we're racing with freeing the inode via
+xfs_reclaim_inode, but we forgot to release the rcu read lock when
+dumping the inode, with the result that we exit to userspace with a lock
+held.  Don't do that; generic/320 with a 1k block size fails this
+very occasionally.
+
+================================================
+WARNING: lock held when returning to user space!
+4.14.0-rc6-djwong #4 Tainted: G        W
+------------------------------------------------
+rm/30466 is leaving the kernel with locks still held!
+1 lock held by rm/30466:
+ #0:  (rcu_read_lock){....}, at: [<ffffffffa01364d3>] xfs_ifree_cluster.isra.17+0x2c3/0x6f0 [xfs]
+------------[ cut here ]------------
+WARNING: CPU: 1 PID: 30466 at kernel/rcu/tree_plugin.h:329 rcu_note_context_switch+0x71/0x700
+Modules linked in: deadline_iosched dm_snapshot dm_bufio ext4 mbcache jbd2 dm_flakey xfs libcrc32c dax_pmem device_dax nd_pmem sch_fq_codel af_packet [last unloaded: scsi_debug]
+CPU: 1 PID: 30466 Comm: rm Tainted: G        W       4.14.0-rc6-djwong #4
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-1ubuntu1djwong0 04/01/2014
+task: ffff880037680000 task.stack: ffffc90001064000
+RIP: 0010:rcu_note_context_switch+0x71/0x700
+RSP: 0000:ffffc90001067e50 EFLAGS: 00010002
+RAX: 0000000000000001 RBX: ffff880037680000 RCX: ffff88003e73d200
+RDX: 0000000000000002 RSI: ffffffff819e53e9 RDI: ffffffff819f4375
+RBP: 0000000000000000 R08: 0000000000000000 R09: ffff880062c900d0
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff880037680000
+R13: 0000000000000000 R14: ffffc90001067eb8 R15: ffff880037680690
+FS:  00007fa3b8ce8700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f69bf77c000 CR3: 000000002450a000 CR4: 00000000000006e0
+Call Trace:
+ __schedule+0xb8/0xb10
+ schedule+0x40/0x90
+ exit_to_usermode_loop+0x6b/0xa0
+ prepare_exit_to_usermode+0x7a/0x90
+ retint_user+0x8/0x20
+RIP: 0033:0x7fa3b87fda87
+RSP: 002b:00007ffe41206568 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff02
+RAX: 0000000000000000 RBX: 00000000010e88c0 RCX: 00007fa3b87fda87
+RDX: 0000000000000000 RSI: 00000000010e89c8 RDI: 0000000000000005
+RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
+R10: 000000000000015e R11: 0000000000000246 R12: 00000000010c8060
+R13: 00007ffe41206690 R14: 0000000000000000 R15: 0000000000000000
+---[ end trace e88f83bf0cfbd07d ]---
+
+Fixes: f2e9ad212def50bcf4c098c6288779dd97fff0f0
+Cc: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_inode.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/xfs/xfs_inode.c
++++ b/fs/xfs/xfs_inode.c
+@@ -2378,6 +2378,7 @@ retry:
+                                */
+                               if (ip->i_ino != inum + i) {
+                                       xfs_iunlock(ip, XFS_ILOCK_EXCL);
++                                      rcu_read_unlock();
+                                       continue;
+                               }
+                       }
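Review bot: The skip path for `ip->i_ino != inum + i` now has to undo two things by hand, `xfs_iunlock(ip, XFS_ILOCK_EXCL)` and `rcu_read_unlock()`, and the unlock that was missing here suggests every early `continue` in this loop needs the same check. A short comment before the added line, `/* skipping this inode: release the RCU read lock before continuing */`, would make the pairing visible. The loop and its other exit paths lie outside the hunk, so I cannot confirm from here that they all release the lock.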
diff --git a/queue-4.14/zsmalloc-calling-zs_map_object-from-irq-is-a-bug.patch b/queue-4.14/zsmalloc-calling-zs_map_object-from-irq-is-a-bug.patch
new file mode 100644 (file)
index 0000000..4db9bf9
--- /dev/null
@@ -0,0 +1,63 @@
+From foo@baz Tue Dec 12 10:32:42 CET 2017
+From: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+Date: Wed, 15 Nov 2017 17:34:03 -0800
+Subject: zsmalloc: calling zs_map_object() from irq is a bug
+
+From: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+
+
+[ Upstream commit 1aedcafbf32b3f232c159b14cd0d423fcfe2b861 ]
+
+Use BUG_ON(in_interrupt()) in zs_map_object().  This is not a new
+BUG_ON(), it's always been there, but was recently changed to
+VM_BUG_ON().  There are several problems there.  First, we use use
+per-CPU mappings both in zsmalloc and in zram, and interrupt may easily
+corrupt those buffers.  Second, and more importantly, we believe it's
+possible to start leaking sensitive information.  Consider the following
+case:
+
+-> process P
+       swap out
+        zram
+         per-cpu mapping CPU1
+          compress page A
+-> IRQ
+
+       swap out
+        zram
+         per-cpu mapping CPU1
+          compress page B
+           write page from per-cpu mapping CPU1 to zsmalloc pool
+       iret
+
+-> process P
+           write page from per-cpu mapping CPU1 to zsmalloc pool  [*]
+       return
+
+* so we store overwritten data that actually belongs to another
+  page (task) and potentially contains sensitive data. And when
+  process P will page fault it's going to read (swap in) that
+  other task's data.
+
+Link: http://lkml.kernel.org/r/20170929045140.4055-1-sergey.senozhatsky@gmail.com
+Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Acked-by: Minchan Kim <minchan@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/zsmalloc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/zsmalloc.c
++++ b/mm/zsmalloc.c
+@@ -1349,7 +1349,7 @@ void *zs_map_object(struct zs_pool *pool
+        * pools/users, we can't allow mapping in interrupt context
+        * because it can corrupt another users mappings.
+        */
+-      WARN_ON_ONCE(in_interrupt());
++      BUG_ON(in_interrupt());
+       /* From now on, migration cannot move the object */
+       pin_tag(handle);
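Review bot: The comment above `BUG_ON(in_interrupt());` in zs_map_object() still gives only mapping corruption as the reason, while the commit message's stronger reason is that a task could later swap in another task's data from the shared per-CPU buffer. Since BUG_ON is fatal for the caller where WARN_ON_ONCE only logged, I would extend the comment with a line such as `* A clobbered per-CPU mapping can also store one task's page data for another task, so this must be fatal.`. The function begins and continues outside the hunk.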